--- /dev/null
+From b242c43a4039149bd54b2662bcebbdded8ce500e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 14:02:11 +0800
+Subject: ASoC: imx-audmix: Fix return error with devm_clk_get()
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit b19a5733de255cabba5feecabf6e900638b582d1 ]
+
+The devm_clk_get() can return -EPROBE_DEFER error,
+modify the error code to be -EINVAL is not correct, which
+cause the -EPROBE_DEFER error is not correctly handled.
+
+This patch is to fix the return error code.
+
+Fixes: b86ef5367761 ("ASoC: fsl: Add Audio Mixer machine driver")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
+Link: https://lore.kernel.org/r/1694757731-18308-1-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/imx-audmix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/fsl/imx-audmix.c b/sound/soc/fsl/imx-audmix.c
+index d991e457060c7..0363255c39ea9 100644
+--- a/sound/soc/fsl/imx-audmix.c
++++ b/sound/soc/fsl/imx-audmix.c
+@@ -320,7 +320,7 @@ static int imx_audmix_probe(struct platform_device *pdev)
+ if (IS_ERR(priv->cpu_mclk)) {
+ ret = PTR_ERR(priv->cpu_mclk);
+ dev_err(&cpu_pdev->dev, "failed to get DAI mclk1: %d\n", ret);
+- return -EINVAL;
++ return ret;
+ }
+
+ priv->audmix_pdev = audmix_pdev;
+--
+2.40.1
+
--- /dev/null
+From fda9267d63e671896af83572414ac30f2c1d375c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Sep 2023 11:05:04 +0200
+Subject: ASoC: meson: spdifin: start hw on dai probe
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit aedf323b66b2b875137422ecb7d2525179759076 ]
+
+For spdif input to report the locked rate correctly, even when no capture
+is running, the HW and reference clock must be started as soon as
+the dai is probed.
+
+Fixes: 5ce5658375e6 ("ASoC: meson: add axg spdif input")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20230907090504.12700-1-jbrunet@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/axg-spdifin.c | 49 ++++++++++++-----------------------
+ 1 file changed, 17 insertions(+), 32 deletions(-)
+
+diff --git a/sound/soc/meson/axg-spdifin.c b/sound/soc/meson/axg-spdifin.c
+index d0d09f945b489..7aaded1fc376b 100644
+--- a/sound/soc/meson/axg-spdifin.c
++++ b/sound/soc/meson/axg-spdifin.c
+@@ -112,34 +112,6 @@ static int axg_spdifin_prepare(struct snd_pcm_substream *substream,
+ return 0;
+ }
+
+-static int axg_spdifin_startup(struct snd_pcm_substream *substream,
+- struct snd_soc_dai *dai)
+-{
+- struct axg_spdifin *priv = snd_soc_dai_get_drvdata(dai);
+- int ret;
+-
+- ret = clk_prepare_enable(priv->refclk);
+- if (ret) {
+- dev_err(dai->dev,
+- "failed to enable spdifin reference clock\n");
+- return ret;
+- }
+-
+- regmap_update_bits(priv->map, SPDIFIN_CTRL0, SPDIFIN_CTRL0_EN,
+- SPDIFIN_CTRL0_EN);
+-
+- return 0;
+-}
+-
+-static void axg_spdifin_shutdown(struct snd_pcm_substream *substream,
+- struct snd_soc_dai *dai)
+-{
+- struct axg_spdifin *priv = snd_soc_dai_get_drvdata(dai);
+-
+- regmap_update_bits(priv->map, SPDIFIN_CTRL0, SPDIFIN_CTRL0_EN, 0);
+- clk_disable_unprepare(priv->refclk);
+-}
+-
+ static void axg_spdifin_write_mode_param(struct regmap *map, int mode,
+ unsigned int val,
+ unsigned int num_per_reg,
+@@ -251,25 +223,38 @@ static int axg_spdifin_dai_probe(struct snd_soc_dai *dai)
+ ret = axg_spdifin_sample_mode_config(dai, priv);
+ if (ret) {
+ dev_err(dai->dev, "mode configuration failed\n");
+- clk_disable_unprepare(priv->pclk);
+- return ret;
++ goto pclk_err;
+ }
+
++ ret = clk_prepare_enable(priv->refclk);
++ if (ret) {
++ dev_err(dai->dev,
++ "failed to enable spdifin reference clock\n");
++ goto pclk_err;
++ }
++
++ regmap_update_bits(priv->map, SPDIFIN_CTRL0, SPDIFIN_CTRL0_EN,
++ SPDIFIN_CTRL0_EN);
++
+ return 0;
++
++pclk_err:
++ clk_disable_unprepare(priv->pclk);
++ return ret;
+ }
+
+ static int axg_spdifin_dai_remove(struct snd_soc_dai *dai)
+ {
+ struct axg_spdifin *priv = snd_soc_dai_get_drvdata(dai);
+
++ regmap_update_bits(priv->map, SPDIFIN_CTRL0, SPDIFIN_CTRL0_EN, 0);
++ clk_disable_unprepare(priv->refclk);
+ clk_disable_unprepare(priv->pclk);
+ return 0;
+ }
+
+ static const struct snd_soc_dai_ops axg_spdifin_ops = {
+ .prepare = axg_spdifin_prepare,
+- .startup = axg_spdifin_startup,
+- .shutdown = axg_spdifin_shutdown,
+ };
+
+ static int axg_spdifin_iec958_info(struct snd_kcontrol *kcontrol,
+--
+2.40.1
+
--- /dev/null
+From 1e409a540871dbd4b7e0ef513e92ed44ac58c075 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 17:36:10 +0200
+Subject: bnxt_en: Flush XDP for bnxt_poll_nitroa0()'s NAPI
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit edc0140cc3b7b91874ebe70eb7d2a851e8817ccc ]
+
+bnxt_poll_nitroa0() invokes bnxt_rx_pkt() which can run a XDP program
+which in turn can return XDP_REDIRECT. bnxt_rx_pkt() is also used by
+__bnxt_poll_work() which flushes (xdp_do_flush()) the packets after each
+round. bnxt_poll_nitroa0() lacks this feature.
+xdp_do_flush() should be invoked before leaving the NAPI callback.
+
+Invoke xdp_do_flush() after a redirect in bnxt_poll_nitroa0() NAPI.
+
+Cc: Michael Chan <michael.chan@broadcom.com>
+Fixes: f18c2b77b2e4e ("bnxt_en: optimized XDP_REDIRECT support")
+Reviewed-by: Andy Gospodarek <gospo@broadcom.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Acked-by: Jesper Dangaard Brouer <hawk@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 931bb40ac05b5..4cb22e4060520 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -2520,6 +2520,7 @@ static int bnxt_poll_nitroa0(struct napi_struct *napi, int budget)
+ struct rx_cmp_ext *rxcmp1;
+ u32 cp_cons, tmp_raw_cons;
+ u32 raw_cons = cpr->cp_raw_cons;
++ bool flush_xdp = false;
+ u32 rx_pkts = 0;
+ u8 event = 0;
+
+@@ -2554,6 +2555,8 @@ static int bnxt_poll_nitroa0(struct napi_struct *napi, int budget)
+ rx_pkts++;
+ else if (rc == -EBUSY) /* partial completion */
+ break;
++ if (event & BNXT_REDIRECT_EVENT)
++ flush_xdp = true;
+ } else if (unlikely(TX_CMP_TYPE(txcmp) ==
+ CMPL_BASE_TYPE_HWRM_DONE)) {
+ bnxt_hwrm_handler(bp, txcmp);
+@@ -2573,6 +2576,8 @@ static int bnxt_poll_nitroa0(struct napi_struct *napi, int budget)
+
+ if (event & BNXT_AGG_EVENT)
+ bnxt_db_write(bp, &rxr->rx_agg_db, rxr->rx_agg_prod);
++ if (flush_xdp)
++ xdp_do_flush();
+
+ if (!bnxt_has_work(bp, cpr) && rx_pkts < budget) {
+ napi_complete_done(napi, rx_pkts);
+--
+2.40.1
+
--- /dev/null
+From 78c400ffa977e7e69050aaf85fe7f3866a78e2c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 15:28:14 +0200
+Subject: bpf: Avoid deadlock when using queue and stack maps from NMI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit a34a9f1a19afe9c60ca0ea61dfeee63a1c2baac8 ]
+
+Sysbot discovered that the queue and stack maps can deadlock if they are
+being used from a BPF program that can be called from NMI context (such as
+one that is attached to a perf HW counter event). To fix this, add an
+in_nmi() check and use raw_spin_trylock() in NMI context, erroring out if
+grabbing the lock fails.
+
+Fixes: f1a2e44a3aec ("bpf: add queue and stack maps")
+Reported-by: Hsin-Wei Hung <hsinweih@uci.edu>
+Tested-by: Hsin-Wei Hung <hsinweih@uci.edu>
+Co-developed-by: Hsin-Wei Hung <hsinweih@uci.edu>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/r/20230911132815.717240-1-toke@redhat.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/queue_stack_maps.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c
+index f9c734aaa9902..ef95b796a0fa3 100644
+--- a/kernel/bpf/queue_stack_maps.c
++++ b/kernel/bpf/queue_stack_maps.c
+@@ -103,7 +103,12 @@ static int __queue_map_get(struct bpf_map *map, void *value, bool delete)
+ int err = 0;
+ void *ptr;
+
+- raw_spin_lock_irqsave(&qs->lock, flags);
++ if (in_nmi()) {
++ if (!raw_spin_trylock_irqsave(&qs->lock, flags))
++ return -EBUSY;
++ } else {
++ raw_spin_lock_irqsave(&qs->lock, flags);
++ }
+
+ if (queue_stack_map_is_empty(qs)) {
+ memset(value, 0, qs->map.value_size);
+@@ -133,7 +138,12 @@ static int __stack_map_get(struct bpf_map *map, void *value, bool delete)
+ void *ptr;
+ u32 index;
+
+- raw_spin_lock_irqsave(&qs->lock, flags);
++ if (in_nmi()) {
++ if (!raw_spin_trylock_irqsave(&qs->lock, flags))
++ return -EBUSY;
++ } else {
++ raw_spin_lock_irqsave(&qs->lock, flags);
++ }
+
+ if (queue_stack_map_is_empty(qs)) {
+ memset(value, 0, qs->map.value_size);
+@@ -198,7 +208,12 @@ static int queue_stack_map_push_elem(struct bpf_map *map, void *value,
+ if (flags & BPF_NOEXIST || flags > BPF_EXIST)
+ return -EINVAL;
+
+- raw_spin_lock_irqsave(&qs->lock, irq_flags);
++ if (in_nmi()) {
++ if (!raw_spin_trylock_irqsave(&qs->lock, irq_flags))
++ return -EBUSY;
++ } else {
++ raw_spin_lock_irqsave(&qs->lock, irq_flags);
++ }
+
+ if (queue_stack_map_is_full(qs)) {
+ if (!replace) {
+--
+2.40.1
+
--- /dev/null
+From 70e8b871c4e8cb6b21d9e4f766428a08c5117f9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 19:00:35 +0000
+Subject: dccp: fix dccp_v4_err()/dccp_v6_err() again
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 6af289746a636f71f4c0535a9801774118486c7a ]
+
+dh->dccph_x is the 9th byte (offset 8) in "struct dccp_hdr",
+not in the "byte 7" as Jann claimed.
+
+We need to make sure the ICMP messages are big enough,
+using more standard ways (no more assumptions).
+
+syzbot reported:
+BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2667 [inline]
+BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2681 [inline]
+BUG: KMSAN: uninit-value in dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94
+pskb_may_pull_reason include/linux/skbuff.h:2667 [inline]
+pskb_may_pull include/linux/skbuff.h:2681 [inline]
+dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94
+icmpv6_notify+0x4c7/0x880 net/ipv6/icmp.c:867
+icmpv6_rcv+0x19d5/0x30d0
+ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438
+ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
+NF_HOOK include/linux/netfilter.h:304 [inline]
+ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
+ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
+dst_input include/net/dst.h:468 [inline]
+ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79
+NF_HOOK include/linux/netfilter.h:304 [inline]
+ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310
+__netif_receive_skb_one_core net/core/dev.c:5523 [inline]
+__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637
+netif_receive_skb_internal net/core/dev.c:5723 [inline]
+netif_receive_skb+0x58/0x660 net/core/dev.c:5782
+tun_rx_batched+0x83b/0x920
+tun_get_user+0x564c/0x6940 drivers/net/tun.c:2002
+tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
+call_write_iter include/linux/fs.h:1985 [inline]
+new_sync_write fs/read_write.c:491 [inline]
+vfs_write+0x8ef/0x15c0 fs/read_write.c:584
+ksys_write+0x20f/0x4c0 fs/read_write.c:637
+__do_sys_write fs/read_write.c:649 [inline]
+__se_sys_write fs/read_write.c:646 [inline]
+__x64_sys_write+0x93/0xd0 fs/read_write.c:646
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was created at:
+slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
+slab_alloc_node mm/slub.c:3478 [inline]
+kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
+kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559
+__alloc_skb+0x318/0x740 net/core/skbuff.c:650
+alloc_skb include/linux/skbuff.h:1286 [inline]
+alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6313
+sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2795
+tun_alloc_skb drivers/net/tun.c:1531 [inline]
+tun_get_user+0x23cf/0x6940 drivers/net/tun.c:1846
+tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
+call_write_iter include/linux/fs.h:1985 [inline]
+new_sync_write fs/read_write.c:491 [inline]
+vfs_write+0x8ef/0x15c0 fs/read_write.c:584
+ksys_write+0x20f/0x4c0 fs/read_write.c:637
+__do_sys_write fs/read_write.c:649 [inline]
+__se_sys_write fs/read_write.c:646 [inline]
+__x64_sys_write+0x93/0xd0 fs/read_write.c:646
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+CPU: 0 PID: 4995 Comm: syz-executor153 Not tainted 6.6.0-rc1-syzkaller-00014-ga747acc0b752 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
+
+Fixes: 977ad86c2a1b ("dccp: Fix out of bounds access in DCCP error handler")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jann Horn <jannh@google.com>
+Reviewed-by: Jann Horn <jannh@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dccp/ipv4.c | 9 ++-------
+ net/dccp/ipv6.c | 9 ++-------
+ 2 files changed, 4 insertions(+), 14 deletions(-)
+
+diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
+index 1490ba960365e..b44e46dc8e040 100644
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -250,13 +250,8 @@ static int dccp_v4_err(struct sk_buff *skb, u32 info)
+ int err;
+ struct net *net = dev_net(skb->dev);
+
+- /* For the first __dccp_basic_hdr_len() check, we only need dh->dccph_x,
+- * which is in byte 7 of the dccp header.
+- * Our caller (icmp_socket_deliver()) already pulled 8 bytes for us.
+- *
+- * Later on, we want to access the sequence number fields, which are
+- * beyond 8 bytes, so we have to pskb_may_pull() ourselves.
+- */
++ if (!pskb_may_pull(skb, offset + sizeof(*dh)))
++ return -EINVAL;
+ dh = (struct dccp_hdr *)(skb->data + offset);
+ if (!pskb_may_pull(skb, offset + __dccp_basic_hdr_len(dh)))
+ return -EINVAL;
+diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
+index c9f11f86266c0..0ddf64845a06c 100644
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -83,13 +83,8 @@ static int dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
+ __u64 seq;
+ struct net *net = dev_net(skb->dev);
+
+- /* For the first __dccp_basic_hdr_len() check, we only need dh->dccph_x,
+- * which is in byte 7 of the dccp header.
+- * Our caller (icmpv6_notify()) already pulled 8 bytes for us.
+- *
+- * Later on, we want to access the sequence number fields, which are
+- * beyond 8 bytes, so we have to pskb_may_pull() ourselves.
+- */
++ if (!pskb_may_pull(skb, offset + sizeof(*dh)))
++ return -EINVAL;
+ dh = (struct dccp_hdr *)(skb->data + offset);
+ if (!pskb_may_pull(skb, offset + __dccp_basic_hdr_len(dh)))
+ return -EINVAL;
+--
+2.40.1
+
--- /dev/null
+From 16c572ef0646f8b0fa19fbf81b302de8a03127f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Sep 2023 14:30:44 -0400
+Subject: Fix up backport of 136191703038 ("interconnect: Teach lockdep about
+ icc_bw_lock order")
+
+Add a missing include to fix the following build error:
+
+drivers/interconnect/core.c: In function 'icc_init':
+drivers/interconnect/core.c:1148:9: error: implicit declaration of function 'fs_reclaim_acquire' [-Werror=implicit-function-declaration]
+ 1148 | fs_reclaim_acquire(GFP_KERNEL);
+ | ^~~~~~~~~~~~~~~~~~
+drivers/interconnect/core.c:1150:9: error: implicit declaration of function 'fs_reclaim_release' [-Werror=implicit-function-declaration]
+ 1150 | fs_reclaim_release(GFP_KERNEL);
+ | ^~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/interconnect/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/interconnect/core.c b/drivers/interconnect/core.c
+index ab654b33f5d24..b7c41bd7409cd 100644
+--- a/drivers/interconnect/core.c
++++ b/drivers/interconnect/core.c
+@@ -13,6 +13,7 @@
+ #include <linux/interconnect.h>
+ #include <linux/interconnect-provider.h>
+ #include <linux/list.h>
++#include <linux/sched/mm.h>
+ #include <linux/module.h>
+ #include <linux/mutex.h>
+ #include <linux/slab.h>
+--
+2.40.1
+
--- /dev/null
+From 0b5a8d44b9fdf130a22a20781c2be973e3f8afb2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Apr 2022 14:07:14 +0200
+Subject: i40e: Add VF VLAN pruning
+
+From: Mateusz Palczewski <mateusz.palczewski@intel.com>
+
+[ Upstream commit c87c938f62d8f1f7c24620859d67f2e3eca23afc ]
+
+VFs by default are able to see all tagged traffic regardless of trust
+and VLAN filters configured.
+
+Add new private flag vf-vlan-pruning that allows changing of default
+VF behavior for tagged traffic. When the flag is turned on
+untrusted VF will only be able to receive untagged traffic
+or traffic with VLAN tags it has created interfaces for
+
+The flag is off by default and can only be changed if
+there are no VFs spawned on the PF. This flag will only be effective
+when no PVID is set on VF and VF is not trusted.
+Add new function that computes the correct VLAN ID for VF VLAN filters
+based on trust, PVID, vf-vlan-prune-disable flag and current VLAN ID.
+
+Testing Hints:
+
+Test 1: vf-vlan-pruning == off
+==============================
+1. Set the private flag
+> ethtool --set-priv-flag eth0 vf-vlan-pruning off (default setting)
+2. Use scapy to send any VLAN tagged traffic and make sure the VF
+receives all VLAN tagged traffic that matches its destination MAC
+filters (unicast, multicast, and broadcast).
+
+Test 2: vf-vlan-pruning == on
+==============================
+1. Set the private flag
+> ethtool --set-priv-flag eth0 vf-vlan-pruning on
+2. Use scapy to send any VLAN tagged traffic and make sure the VF does
+not receive any VLAN tagged traffic that matches its destination MAC
+filters (unicast, multicast, and broadcast).
+3. Add a VLAN filter on the VF netdev
+> ip link add link eth0v0 name vlan10 type vlan id 10
+4. Bring the VLAN netdev up
+> ip link set vlan10 up
+4. Use scapy to send traffic with VLAN 10, VLAN 11 (anything not VLAN
+10), and untagged traffic. Make sure the VF only receives VLAN 10
+and untagged traffic when the link partner is sending.
+
+Test 3: vf-vlan-pruning == off && VF is in a port VLAN
+==============================
+1. Set the private flag
+> ethtool --set-priv-flag eth0 vf-vlan-pruning off (default setting)
+2. Create a VF
+> echo 1 > sriov_numvfs
+3. Put the VF in a port VLAN
+> ip link set eth0 vf 0 vlan 10
+4. Use scapy to send traffic with VLAN 10 and VLAN 11 (anything not VLAN
+10) and make sure the VF only receives untagged traffic when the link
+partner is sending VLAN 10 tagged traffic as the VLAN tag is expected
+to be stripped by HW for port VLANs and not visible to the VF.
+
+Test 4: Change vf-vlan-pruning while VFs are created
+==============================
+echo 0 > sriov_numvfs
+ethtool --set-priv-flag eth0 vf-vlan-pruning off
+echo 1 > sriov_numvfs
+ethtool --set-priv-flag eth0 vf-vlan-pruning on (expect failure)
+
+Signed-off-by: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
+Signed-off-by: Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Stable-dep-of: d0d362ffa33d ("i40e: Fix VF VLAN offloading when port VLAN is configured")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e.h | 1 +
+ .../net/ethernet/intel/i40e/i40e_ethtool.c | 9 ++
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 135 +++++++++++++++++-
+ .../ethernet/intel/i40e/i40e_virtchnl_pf.c | 8 +-
+ 4 files changed, 147 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h
+index a42ca847c8f86..b76e6f94edb05 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e.h
++++ b/drivers/net/ethernet/intel/i40e/i40e.h
+@@ -566,6 +566,7 @@ struct i40e_pf {
+ #define I40E_FLAG_DISABLE_FW_LLDP BIT(24)
+ #define I40E_FLAG_RS_FEC BIT(25)
+ #define I40E_FLAG_BASE_R_FEC BIT(26)
++#define I40E_FLAG_VF_VLAN_PRUNING BIT(27)
+ /* TOTAL_PORT_SHUTDOWN
+ * Allows to physically disable the link on the NIC's port.
+ * If enabled, (after link down request from the OS)
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+index d124cb947ffa5..d0b9ee756b306 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -451,6 +451,8 @@ static const struct i40e_priv_flags i40e_gstrings_priv_flags[] = {
+ I40E_PRIV_FLAG("disable-fw-lldp", I40E_FLAG_DISABLE_FW_LLDP, 0),
+ I40E_PRIV_FLAG("rs-fec", I40E_FLAG_RS_FEC, 0),
+ I40E_PRIV_FLAG("base-r-fec", I40E_FLAG_BASE_R_FEC, 0),
++ I40E_PRIV_FLAG("vf-vlan-pruning",
++ I40E_FLAG_VF_VLAN_PRUNING, 0),
+ };
+
+ #define I40E_PRIV_FLAGS_STR_LEN ARRAY_SIZE(i40e_gstrings_priv_flags)
+@@ -5293,6 +5295,13 @@ static int i40e_set_priv_flags(struct net_device *dev, u32 flags)
+ return -EOPNOTSUPP;
+ }
+
++ if ((changed_flags & I40E_FLAG_VF_VLAN_PRUNING) &&
++ pf->num_alloc_vfs) {
++ dev_warn(&pf->pdev->dev,
++ "Changing vf-vlan-pruning flag while VF(s) are active is not supported\n");
++ return -EOPNOTSUPP;
++ }
++
+ if ((changed_flags & new_flags &
+ I40E_FLAG_LINK_DOWN_ON_CLOSE_ENABLED) &&
+ (new_flags & I40E_FLAG_MFP_ENABLED))
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
+index d3f3874220a31..76bb1d0de8d1c 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -1426,6 +1426,114 @@ static int i40e_correct_mac_vlan_filters(struct i40e_vsi *vsi,
+ return 0;
+ }
+
++/**
++ * i40e_get_vf_new_vlan - Get new vlan id on a vf
++ * @vsi: the vsi to configure
++ * @new_mac: new mac filter to be added
++ * @f: existing mac filter, replaced with new_mac->f if new_mac is not NULL
++ * @vlan_filters: the number of active VLAN filters
++ * @trusted: flag if the VF is trusted
++ *
++ * Get new VLAN id based on current VLAN filters, trust, PVID
++ * and vf-vlan-prune-disable flag.
++ *
++ * Returns the value of the new vlan filter or
++ * the old value if no new filter is needed.
++ */
++static s16 i40e_get_vf_new_vlan(struct i40e_vsi *vsi,
++ struct i40e_new_mac_filter *new_mac,
++ struct i40e_mac_filter *f,
++ int vlan_filters,
++ bool trusted)
++{
++ s16 pvid = le16_to_cpu(vsi->info.pvid);
++ struct i40e_pf *pf = vsi->back;
++ bool is_any;
++
++ if (new_mac)
++ f = new_mac->f;
++
++ if (pvid && f->vlan != pvid)
++ return pvid;
++
++ is_any = (trusted ||
++ !(pf->flags & I40E_FLAG_VF_VLAN_PRUNING));
++
++ if ((vlan_filters && f->vlan == I40E_VLAN_ANY) ||
++ (!is_any && !vlan_filters && f->vlan == I40E_VLAN_ANY) ||
++ (is_any && !vlan_filters && f->vlan == 0)) {
++ if (is_any)
++ return I40E_VLAN_ANY;
++ else
++ return 0;
++ }
++
++ return f->vlan;
++}
++
++/**
++ * i40e_correct_vf_mac_vlan_filters - Correct non-VLAN VF filters if necessary
++ * @vsi: the vsi to configure
++ * @tmp_add_list: list of filters ready to be added
++ * @tmp_del_list: list of filters ready to be deleted
++ * @vlan_filters: the number of active VLAN filters
++ * @trusted: flag if the VF is trusted
++ *
++ * Correct VF VLAN filters based on current VLAN filters, trust, PVID
++ * and vf-vlan-prune-disable flag.
++ *
++ * In case of memory allocation failure return -ENOMEM. Otherwise, return 0.
++ *
++ * This function is only expected to be called from within
++ * i40e_sync_vsi_filters.
++ *
++ * NOTE: This function expects to be called while under the
++ * mac_filter_hash_lock
++ */
++static int i40e_correct_vf_mac_vlan_filters(struct i40e_vsi *vsi,
++ struct hlist_head *tmp_add_list,
++ struct hlist_head *tmp_del_list,
++ int vlan_filters,
++ bool trusted)
++{
++ struct i40e_mac_filter *f, *add_head;
++ struct i40e_new_mac_filter *new_mac;
++ struct hlist_node *h;
++ int bkt, new_vlan;
++
++ hlist_for_each_entry(new_mac, tmp_add_list, hlist) {
++ new_mac->f->vlan = i40e_get_vf_new_vlan(vsi, new_mac, NULL,
++ vlan_filters, trusted);
++ }
++
++ hash_for_each_safe(vsi->mac_filter_hash, bkt, h, f, hlist) {
++ new_vlan = i40e_get_vf_new_vlan(vsi, NULL, f, vlan_filters,
++ trusted);
++ if (new_vlan != f->vlan) {
++ add_head = i40e_add_filter(vsi, f->macaddr, new_vlan);
++ if (!add_head)
++ return -ENOMEM;
++ /* Create a temporary i40e_new_mac_filter */
++ new_mac = kzalloc(sizeof(*new_mac), GFP_ATOMIC);
++ if (!new_mac)
++ return -ENOMEM;
++ new_mac->f = add_head;
++ new_mac->state = add_head->state;
++
++ /* Add the new filter to the tmp list */
++ hlist_add_head(&new_mac->hlist, tmp_add_list);
++
++ /* Put the original filter into the delete list */
++ f->state = I40E_FILTER_REMOVE;
++ hash_del(&f->hlist);
++ hlist_add_head(&f->hlist, tmp_del_list);
++ }
++ }
++
++ vsi->has_vlan_filter = !!vlan_filters;
++ return 0;
++}
++
+ /**
+ * i40e_rm_default_mac_filter - Remove the default MAC filter set by NVM
+ * @vsi: the PF Main VSI - inappropriate for any other VSI
+@@ -2483,10 +2591,14 @@ int i40e_sync_vsi_filters(struct i40e_vsi *vsi)
+ vlan_filters++;
+ }
+
+- retval = i40e_correct_mac_vlan_filters(vsi,
+- &tmp_add_list,
+- &tmp_del_list,
+- vlan_filters);
++ if (vsi->type != I40E_VSI_SRIOV)
++ retval = i40e_correct_mac_vlan_filters
++ (vsi, &tmp_add_list, &tmp_del_list,
++ vlan_filters);
++ else
++ retval = i40e_correct_vf_mac_vlan_filters
++ (vsi, &tmp_add_list, &tmp_del_list,
++ vlan_filters, pf->vf[vsi->vf_id].trusted);
+
+ hlist_for_each_entry(new, &tmp_add_list, hlist)
+ netdev_hw_addr_refcnt(new->f, vsi->netdev, 1);
+@@ -2915,8 +3027,21 @@ int i40e_add_vlan_all_mac(struct i40e_vsi *vsi, s16 vid)
+ int bkt;
+
+ hash_for_each_safe(vsi->mac_filter_hash, bkt, h, f, hlist) {
+- if (f->state == I40E_FILTER_REMOVE)
++ /* If we're asked to add a filter that has been marked for
++ * removal, it is safe to simply restore it to active state.
++ * __i40e_del_filter will have simply deleted any filters which
++ * were previously marked NEW or FAILED, so if it is currently
++ * marked REMOVE it must have previously been ACTIVE. Since we
++ * haven't yet run the sync filters task, just restore this
++ * filter to the ACTIVE state so that the sync task leaves it
++ * in place.
++ */
++ if (f->state == I40E_FILTER_REMOVE && f->vlan == vid) {
++ f->state = I40E_FILTER_ACTIVE;
++ continue;
++ } else if (f->state == I40E_FILTER_REMOVE) {
+ continue;
++ }
+ add_f = i40e_add_filter(vsi, f->macaddr, vid);
+ if (!add_f) {
+ dev_info(&vsi->back->pdev->dev,
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index 46758bbcb04f4..ce9aa22f82d92 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -4372,6 +4372,7 @@ int i40e_ndo_set_vf_port_vlan(struct net_device *netdev, int vf_id,
+ /* duplicate request, so just return success */
+ goto error_pvid;
+
++ i40e_vlan_stripping_enable(vsi);
+ i40e_vc_reset_vf(vf, true);
+ /* During reset the VF got a new VSI, so refresh a pointer. */
+ vsi = pf->vsi[vf->lan_vsi_idx];
+@@ -4387,7 +4388,7 @@ int i40e_ndo_set_vf_port_vlan(struct net_device *netdev, int vf_id,
+ * MAC addresses deleted.
+ */
+ if ((!(vlan_id || qos) ||
+- vlanprio != le16_to_cpu(vsi->info.pvid)) &&
++ vlanprio != le16_to_cpu(vsi->info.pvid)) &&
+ vsi->info.pvid) {
+ ret = i40e_add_vlan_all_mac(vsi, I40E_VLAN_ANY);
+ if (ret) {
+@@ -4750,6 +4751,11 @@ int i40e_ndo_set_vf_trust(struct net_device *netdev, int vf_id, bool setting)
+ goto out;
+
+ vf->trusted = setting;
++
++ /* request PF to sync mac/vlan filters for the VF */
++ set_bit(__I40E_MACVLAN_SYNC_PENDING, pf->state);
++ pf->vsi[vf->lan_vsi_idx]->flags |= I40E_VSI_FLAG_FILTER_CHANGED;
++
+ i40e_vc_reset_vf(vf, true);
+ dev_info(&pf->pdev->dev, "VF %u is now %strusted\n",
+ vf_id, setting ? "" : "un");
+--
+2.40.1
+
--- /dev/null
+From 19eda476676e942c8c71dc8a746ca9511203f797 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Sep 2023 17:44:57 +0200
+Subject: i40e: Fix VF VLAN offloading when port VLAN is configured
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit d0d362ffa33da4acdcf7aee2116ceef8c8fef658 ]
+
+If port VLAN is configured on a VF then any other VLANs on top of this VF
+are broken.
+
+During i40e_ndo_set_vf_port_vlan() call the i40e driver reset the VF and
+iavf driver asks PF (using VIRTCHNL_OP_GET_VF_RESOURCES) for VF capabilities
+but this reset occurs too early, prior setting of vf->info.pvid field
+and because this field can be zero during i40e_vc_get_vf_resources_msg()
+then VIRTCHNL_VF_OFFLOAD_VLAN capability is reported to iavf driver.
+
+This is wrong because iavf driver should not report VLAN offloading
+capability when port VLAN is configured as i40e does not support QinQ
+offloading.
+
+Fix the issue by moving VF reset after setting of vf->port_vlan_id
+field.
+
+Without this patch:
+$ echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs
+$ ip link set enp2s0f0 vf 0 vlan 3
+$ ip link set enp2s0f0v0 up
+$ ip link add link enp2s0f0v0 name vlan4 type vlan id 4
+$ ip link set vlan4 up
+...
+$ ethtool -k enp2s0f0v0 | grep vlan-offload
+rx-vlan-offload: on
+tx-vlan-offload: on
+$ dmesg -l err | grep iavf
+[1292500.742914] iavf 0000:02:02.0: Failed to add VLAN filter, error IAVF_ERR_INVALID_QP_ID
+
+With this patch:
+$ echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs
+$ ip link set enp2s0f0 vf 0 vlan 3
+$ ip link set enp2s0f0v0 up
+$ ip link add link enp2s0f0v0 name vlan4 type vlan id 4
+$ ip link set vlan4 up
+...
+$ ethtool -k enp2s0f0v0 | grep vlan-offload
+rx-vlan-offload: off [requested on]
+tx-vlan-offload: off [requested on]
+$ dmesg -l err | grep iavf
+
+Fixes: f9b4b6278d51 ("i40e: Reset the VF upon conflicting VLAN configuration")
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index ce9aa22f82d92..7950b18cb7a41 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -4373,9 +4373,7 @@ int i40e_ndo_set_vf_port_vlan(struct net_device *netdev, int vf_id,
+ goto error_pvid;
+
+ i40e_vlan_stripping_enable(vsi);
+- i40e_vc_reset_vf(vf, true);
+- /* During reset the VF got a new VSI, so refresh a pointer. */
+- vsi = pf->vsi[vf->lan_vsi_idx];
++
+ /* Locked once because multiple functions below iterate list */
+ spin_lock_bh(&vsi->mac_filter_hash_lock);
+
+@@ -4461,6 +4459,10 @@ int i40e_ndo_set_vf_port_vlan(struct net_device *netdev, int vf_id,
+ */
+ vf->port_vlan_id = le16_to_cpu(vsi->info.pvid);
+
++ i40e_vc_reset_vf(vf, true);
++ /* During reset the VF got a new VSI, so refresh a pointer. */
++ vsi = pf->vsi[vf->lan_vsi_idx];
++
+ ret = i40e_config_vf_promiscuous_mode(vf, vsi->id, allmulti, alluni);
+ if (ret) {
+ dev_err(&pf->pdev->dev, "Unable to config vf promiscuous mode\n");
+--
+2.40.1
+
--- /dev/null
+From 9a192631dd77235ace468f918cd52c54e1d4132f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Aug 2023 14:59:40 +0200
+Subject: iavf: do not process adminq tasks when __IAVF_IN_REMOVE_TASK is set
+
+From: Radoslaw Tyl <radoslawx.tyl@intel.com>
+
+[ Upstream commit c8de44b577eb540e8bfea55afe1d0904bb571b7a ]
+
+Prevent schedule operations for adminq during device remove and when
+__IAVF_IN_REMOVE_TASK flag is set. Currently, the iavf_down function
+adds operations for adminq that shouldn't be processed when the device
+is in the __IAVF_REMOVE state.
+
+Reproduction:
+
+echo 4 > /sys/bus/pci/devices/0000:17:00.0/sriov_numvfs
+ip link set dev ens1f0 vf 0 trust on
+ip link set dev ens1f0 vf 1 trust on
+ip link set dev ens1f0 vf 2 trust on
+ip link set dev ens1f0 vf 3 trust on
+
+ip link set dev ens1f0 vf 0 mac 00:22:33:44:55:66
+ip link set dev ens1f0 vf 1 mac 00:22:33:44:55:67
+ip link set dev ens1f0 vf 2 mac 00:22:33:44:55:68
+ip link set dev ens1f0 vf 3 mac 00:22:33:44:55:69
+
+echo 0000:17:02.0 > /sys/bus/pci/devices/0000\:17\:02.0/driver/unbind
+echo 0000:17:02.1 > /sys/bus/pci/devices/0000\:17\:02.1/driver/unbind
+echo 0000:17:02.2 > /sys/bus/pci/devices/0000\:17\:02.2/driver/unbind
+echo 0000:17:02.3 > /sys/bus/pci/devices/0000\:17\:02.3/driver/unbind
+sleep 10
+echo 0000:17:02.0 > /sys/bus/pci/drivers/iavf/bind
+echo 0000:17:02.1 > /sys/bus/pci/drivers/iavf/bind
+echo 0000:17:02.2 > /sys/bus/pci/drivers/iavf/bind
+echo 0000:17:02.3 > /sys/bus/pci/drivers/iavf/bind
+
+modprobe vfio-pci
+echo 8086 154c > /sys/bus/pci/drivers/vfio-pci/new_id
+
+qemu-system-x86_64 -accel kvm -m 4096 -cpu host \
+-drive file=centos9.qcow2,if=none,id=virtio-disk0 \
+-device virtio-blk-pci,drive=virtio-disk0,bootindex=0 -smp 4 \
+-device vfio-pci,host=17:02.0 -net none \
+-device vfio-pci,host=17:02.1 -net none \
+-device vfio-pci,host=17:02.2 -net none \
+-device vfio-pci,host=17:02.3 -net none \
+-daemonize -vnc :5
+
+Current result:
+There is a probability that the mac of VF in guest is inconsistent with
+it in host
+
+Expected result:
+When passthrough NIC VF to guest, the VF in guest should always get
+the same mac as it in host.
+
+Fixes: 14756b2ae265 ("iavf: Fix __IAVF_RESETTING state usage")
+Signed-off-by: Radoslaw Tyl <radoslawx.tyl@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index a87f4f1ae6845..41b8ff0d4df5e 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1142,7 +1142,8 @@ void iavf_down(struct iavf_adapter *adapter)
+ iavf_clear_fdir_filters(adapter);
+ iavf_clear_adv_rss_conf(adapter);
+
+- if (!(adapter->flags & IAVF_FLAG_PF_COMMS_FAILED)) {
++ if (!(adapter->flags & IAVF_FLAG_PF_COMMS_FAILED) &&
++ !(test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section))) {
+ /* cancel any current operation */
+ adapter->current_op = VIRTCHNL_OP_UNKNOWN;
+ /* Schedule operations to close down the HW. Don't wait
+--
+2.40.1
+
--- /dev/null
+From b9a714a327393b17d9a90a3793a3ad8c6d1f562a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Sep 2023 10:03:31 -0700
+Subject: igc: Expose tx-usecs coalesce setting to user
+
+From: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+
+[ Upstream commit 1703b2e0de653b459ca6230be32ce7f2ea0ae7ee ]
+
+When users attempt to obtain the coalesce setting using the
+ethtool command, current code always returns 0 for tx-usecs.
+This is because I225/6 always uses a queue pair setting, hence
+tx_coalesce_usecs does not return a value during the
+igc_ethtool_get_coalesce() callback process. The pair queue
+condition checking in igc_ethtool_get_coalesce() is removed by
+this patch so that the user gets information of the value of tx-usecs.
+
+Even if i225/6 is using queue pair setting, there is no harm in
+notifying the user of the tx-usecs. The implementation of the current
+code may have previously been a copy of the legacy code i210.
+Since I225 has the queue pair setting enabled, tx-usecs will always adhere
+to the user-set rx-usecs value. An error message will appear when the user
+attempts to set the tx-usecs value for the input parameters because,
+by default, they should only set the rx-usecs value.
+
+This patch also adds the helper function to get the
+previous rx coalesce value similar to tx coalesce.
+
+How to test:
+User can get the coalesce value using ethtool command.
+
+Example command:
+Get: ethtool -c <interface>
+
+Previous output:
+
+rx-usecs: 3
+rx-frames: n/a
+rx-usecs-irq: n/a
+rx-frames-irq: n/a
+
+tx-usecs: 0
+tx-frames: n/a
+tx-usecs-irq: n/a
+tx-frames-irq: n/a
+
+New output:
+
+rx-usecs: 3
+rx-frames: n/a
+rx-usecs-irq: n/a
+rx-frames-irq: n/a
+
+tx-usecs: 3
+tx-frames: n/a
+tx-usecs-irq: n/a
+tx-frames-irq: n/a
+
+Fixes: 8c5ad0dae93c ("igc: Add ethtool support")
+Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://lore.kernel.org/r/20230919170331.1581031-1-anthony.l.nguyen@intel.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_ethtool.c | 31 ++++++++++++--------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+index 859ddc07fbbfe..17cb4c13d0020 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c
++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+@@ -861,6 +861,18 @@ static void igc_ethtool_get_stats(struct net_device *netdev,
+ spin_unlock(&adapter->stats64_lock);
+ }
+
++static int igc_ethtool_get_previous_rx_coalesce(struct igc_adapter *adapter)
++{
++ return (adapter->rx_itr_setting <= 3) ?
++ adapter->rx_itr_setting : adapter->rx_itr_setting >> 2;
++}
++
++static int igc_ethtool_get_previous_tx_coalesce(struct igc_adapter *adapter)
++{
++ return (adapter->tx_itr_setting <= 3) ?
++ adapter->tx_itr_setting : adapter->tx_itr_setting >> 2;
++}
++
+ static int igc_ethtool_get_coalesce(struct net_device *netdev,
+ struct ethtool_coalesce *ec,
+ struct kernel_ethtool_coalesce *kernel_coal,
+@@ -868,17 +880,8 @@ static int igc_ethtool_get_coalesce(struct net_device *netdev,
+ {
+ struct igc_adapter *adapter = netdev_priv(netdev);
+
+- if (adapter->rx_itr_setting <= 3)
+- ec->rx_coalesce_usecs = adapter->rx_itr_setting;
+- else
+- ec->rx_coalesce_usecs = adapter->rx_itr_setting >> 2;
+-
+- if (!(adapter->flags & IGC_FLAG_QUEUE_PAIRS)) {
+- if (adapter->tx_itr_setting <= 3)
+- ec->tx_coalesce_usecs = adapter->tx_itr_setting;
+- else
+- ec->tx_coalesce_usecs = adapter->tx_itr_setting >> 2;
+- }
++ ec->rx_coalesce_usecs = igc_ethtool_get_previous_rx_coalesce(adapter);
++ ec->tx_coalesce_usecs = igc_ethtool_get_previous_tx_coalesce(adapter);
+
+ return 0;
+ }
+@@ -903,8 +906,12 @@ static int igc_ethtool_set_coalesce(struct net_device *netdev,
+ ec->tx_coalesce_usecs == 2)
+ return -EINVAL;
+
+- if ((adapter->flags & IGC_FLAG_QUEUE_PAIRS) && ec->tx_coalesce_usecs)
++ if ((adapter->flags & IGC_FLAG_QUEUE_PAIRS) &&
++ ec->tx_coalesce_usecs != igc_ethtool_get_previous_tx_coalesce(adapter)) {
++ NL_SET_ERR_MSG_MOD(extack,
++ "Queue Pair mode enabled, both Rx and Tx coalescing controlled by rx-usecs");
+ return -EINVAL;
++ }
+
+ /* If ITR is disabled, disable DMAC */
+ if (ec->rx_coalesce_usecs == 0) {
+--
+2.40.1
+
--- /dev/null
+From 40791e0e293682146831d563a7df7c58d6f912b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 11:06:15 -0700
+Subject: igc: Fix infinite initialization loop with early XDP redirect
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit cb47b1f679c4d83a5fa5f1852e472f844e41a3da ]
+
+When an XDP redirect happens before the link is ready, that
+transmission will not finish and will timeout, causing an adapter
+reset. If the redirects do not stop, the adapter will not stop
+resetting.
+
+Wait for the driver to signal that there's a carrier before allowing
+transmissions to proceed.
+
+Previous code was relying that when __IGC_DOWN is cleared, the NIC is
+ready to transmit as all the queues are ready, what happens is that
+the carrier presence will only be signaled later, after the watchdog
+workqueue has a chance to run. And during this interval (between
+clearing __IGC_DOWN and the watchdog running) if any transmission
+happens the timeout is emitted (detected by igc_tx_timeout()) which
+causes the reset, with the potential for the infinite loop.
+
+Fixes: 4ff320361092 ("igc: Add support for XDP_REDIRECT action")
+Reported-by: Ferenc Fejes <ferenc.fejes@ericsson.com>
+Closes: https://lore.kernel.org/netdev/0caf33cf6adb3a5bf137eeaa20e89b167c9986d5.camel@ericsson.com/
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Tested-by: Ferenc Fejes <ferenc.fejes@ericsson.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index a8c24a1c12b43..6185566fbb98c 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -6271,7 +6271,7 @@ static int igc_xdp_xmit(struct net_device *dev, int num_frames,
+ struct igc_ring *ring;
+ int i, drops;
+
+- if (unlikely(test_bit(__IGC_DOWN, &adapter->state)))
++ if (unlikely(!netif_carrier_ok(dev)))
+ return -ENETDOWN;
+
+ if (unlikely(flags & ~XDP_XMIT_FLAGS_MASK))
+--
+2.40.1
+
--- /dev/null
+From 1a7cdefea68193762d727a59434102477ead6d6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Sep 2023 18:02:52 -0400
+Subject: ionic: fix 16bit math issue when PAGE_SIZE >= 64KB
+
+From: David Christensen <drc@linux.vnet.ibm.com>
+
+[ Upstream commit 8f6b846b0a86c3cbae8a25b772651cfc2270ad0a ]
+
+The ionic device supports a maximum buffer length of 16 bits (see
+ionic_rxq_desc or ionic_rxq_sg_elem). When adding new buffers to
+the receive rings, the function ionic_rx_fill() uses 16bit math when
+calculating the number of pages to allocate for an RX descriptor,
+given the interface's MTU setting. If the system PAGE_SIZE >= 64KB,
+and the buf_info->page_offset is 0, the remain_len value will never
+decrement from the original MTU value and the frag_len value will
+always be 0, causing additional pages to be allocated as scatter-
+gather elements unnecessarily.
+
+A similar math issue exists in ionic_rx_frags(), but no failures
+have been observed here since a 64KB page should not normally
+require any scatter-gather elements at any legal Ethernet MTU size.
+
+Fixes: 4b0a7539a372 ("ionic: implement Rx page reuse")
+Signed-off-by: David Christensen <drc@linux.vnet.ibm.com>
+Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_dev.h | 1 +
+ drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 10 +++++++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_dev.h b/drivers/net/ethernet/pensando/ionic/ionic_dev.h
+index 922bb6c9e01d5..676c58dc19817 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_dev.h
++++ b/drivers/net/ethernet/pensando/ionic/ionic_dev.h
+@@ -174,6 +174,7 @@ typedef void (*ionic_desc_cb)(struct ionic_queue *q,
+ struct ionic_desc_info *desc_info,
+ struct ionic_cq_info *cq_info, void *cb_arg);
+
++#define IONIC_MAX_BUF_LEN ((u16)-1)
+ #define IONIC_PAGE_SIZE PAGE_SIZE
+ #define IONIC_PAGE_SPLIT_SZ (PAGE_SIZE / 2)
+ #define IONIC_PAGE_GFP_MASK (GFP_ATOMIC | __GFP_NOWARN |\
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
+index 376f97b4008bb..6604f5862f892 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
+@@ -151,7 +151,8 @@ static struct sk_buff *ionic_rx_frags(struct ionic_queue *q,
+ return NULL;
+ }
+
+- frag_len = min_t(u16, len, IONIC_PAGE_SIZE - buf_info->page_offset);
++ frag_len = min_t(u16, len, min_t(u32, IONIC_MAX_BUF_LEN,
++ IONIC_PAGE_SIZE - buf_info->page_offset));
+ len -= frag_len;
+
+ dma_sync_single_for_cpu(dev,
+@@ -388,7 +389,8 @@ void ionic_rx_fill(struct ionic_queue *q)
+
+ /* fill main descriptor - buf[0] */
+ desc->addr = cpu_to_le64(buf_info->dma_addr + buf_info->page_offset);
+- frag_len = min_t(u16, len, IONIC_PAGE_SIZE - buf_info->page_offset);
++ frag_len = min_t(u16, len, min_t(u32, IONIC_MAX_BUF_LEN,
++ IONIC_PAGE_SIZE - buf_info->page_offset));
+ desc->len = cpu_to_le16(frag_len);
+ remain_len -= frag_len;
+ buf_info++;
+@@ -407,7 +409,9 @@ void ionic_rx_fill(struct ionic_queue *q)
+ }
+
+ sg_elem->addr = cpu_to_le64(buf_info->dma_addr + buf_info->page_offset);
+- frag_len = min_t(u16, remain_len, IONIC_PAGE_SIZE - buf_info->page_offset);
++ frag_len = min_t(u16, remain_len, min_t(u32, IONIC_MAX_BUF_LEN,
++ IONIC_PAGE_SIZE -
++ buf_info->page_offset));
+ sg_elem->len = cpu_to_le16(frag_len);
+ remain_len -= frag_len;
+ buf_info++;
+--
+2.40.1
+
--- /dev/null
+From b9105a29366e34762370af5e1ef10fbe96e58fcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Sep 2023 22:12:57 -0700
+Subject: ipv4: fix null-deref in ipv4_link_failure
+
+From: Kyle Zeng <zengyhkyle@gmail.com>
+
+[ Upstream commit 0113d9c9d1ccc07f5a3710dac4aa24b6d711278c ]
+
+Currently, we assume the skb is associated with a device before calling
+__ip_options_compile, which is not always the case if it is re-routed by
+ipvs.
+When skb->dev is NULL, dev_net(skb->dev) will become null-dereference.
+This patch adds a check for the edge case and switch to use the net_device
+from the rtable when skb->dev is NULL.
+
+Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
+Suggested-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Kyle Zeng <zengyhkyle@gmail.com>
+Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
+Cc: Vadim Fedorenko <vfedorenko@novek.ru>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/route.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index bc6240d327a8f..968cc4aa6e96c 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1220,6 +1220,7 @@ EXPORT_INDIRECT_CALLABLE(ipv4_dst_check);
+
+ static void ipv4_send_dest_unreach(struct sk_buff *skb)
+ {
++ struct net_device *dev;
+ struct ip_options opt;
+ int res;
+
+@@ -1237,7 +1238,8 @@ static void ipv4_send_dest_unreach(struct sk_buff *skb)
+ opt.optlen = ip_hdr(skb)->ihl * 4 - sizeof(struct iphdr);
+
+ rcu_read_lock();
+- res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
++ dev = skb->dev ? skb->dev : skb_rtable(skb)->dst.dev;
++ res = __ip_options_compile(dev_net(dev), &opt, skb, NULL);
+ rcu_read_unlock();
+
+ if (res)
+--
+2.40.1
+
--- /dev/null
+From 3a38391ef588c8a09cb17ac3fd39db696f7d5f2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Sep 2023 12:46:27 +0200
+Subject: locking/seqlock: Do the lockdep annotation before locking in
+ do_write_seqcount_begin_nested()
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 41b43b6c6e30a832c790b010a06772e793bca193 ]
+
+It was brought up by Tetsuo that the following sequence:
+
+ write_seqlock_irqsave()
+ printk_deferred_enter()
+
+could lead to a deadlock if the lockdep annotation within
+write_seqlock_irqsave() triggers.
+
+The problem is that the sequence counter is incremented before the lockdep
+annotation is performed. The lockdep splat would then attempt to invoke
+printk() but the reader side, of the same seqcount, could have a
+tty_port::lock acquired waiting for the sequence number to become even again.
+
+The other lockdep annotations come before the actual locking because "we
+want to see the locking error before it happens". There is no reason why
+seqcount should be different here.
+
+Do the lockdep annotation first then perform the locking operation (the
+sequence increment).
+
+Fixes: 1ca7d67cf5d5a ("seqcount: Add lockdep functionality to seqcount/seqlock structures")
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20230920104627._DTHgPyA@linutronix.de
+
+Closes: https://lore.kernel.org/20230621130641.-5iueY1I@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/seqlock.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h
+index 37ded6b8fee61..2c5d0102315d2 100644
+--- a/include/linux/seqlock.h
++++ b/include/linux/seqlock.h
+@@ -516,8 +516,8 @@ do { \
+
+ static inline void do_write_seqcount_begin_nested(seqcount_t *s, int subclass)
+ {
+- do_raw_write_seqcount_begin(s);
+ seqcount_acquire(&s->dep_map, subclass, 0, _RET_IP_);
++ do_raw_write_seqcount_begin(s);
+ }
+
+ /**
+--
+2.40.1
+
--- /dev/null
+From 7a7bb0005708cb863d5d65334b73087ffc61b244 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 09:13:51 +0000
+Subject: net: bridge: use DEV_STATS_INC()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 44bdb313da57322c9b3c108eb66981c6ec6509f4 ]
+
+syzbot/KCSAN reported data-races in br_handle_frame_finish() [1]
+This function can run from multiple cpus without mutual exclusion.
+
+Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.
+
+Handles updates to dev->stats.tx_dropped while we are at it.
+
+[1]
+BUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish
+
+read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:
+br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
+br_nf_hook_thresh+0x1ed/0x220
+br_nf_pre_routing_finish_ipv6+0x50f/0x540
+NF_HOOK include/linux/netfilter.h:304 [inline]
+br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
+br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
+nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
+nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
+br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
+__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
+__netif_receive_skb_one_core net/core/dev.c:5521 [inline]
+__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
+process_backlog+0x21f/0x380 net/core/dev.c:5965
+__napi_poll+0x60/0x3b0 net/core/dev.c:6527
+napi_poll net/core/dev.c:6594 [inline]
+net_rx_action+0x32b/0x750 net/core/dev.c:6727
+__do_softirq+0xc1/0x265 kernel/softirq.c:553
+run_ksoftirqd+0x17/0x20 kernel/softirq.c:921
+smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
+kthread+0x1d7/0x210 kernel/kthread.c:388
+ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
+ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
+
+read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:
+br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
+br_nf_hook_thresh+0x1ed/0x220
+br_nf_pre_routing_finish_ipv6+0x50f/0x540
+NF_HOOK include/linux/netfilter.h:304 [inline]
+br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
+br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
+nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
+nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
+br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
+__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
+__netif_receive_skb_one_core net/core/dev.c:5521 [inline]
+__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
+process_backlog+0x21f/0x380 net/core/dev.c:5965
+__napi_poll+0x60/0x3b0 net/core/dev.c:6527
+napi_poll net/core/dev.c:6594 [inline]
+net_rx_action+0x32b/0x750 net/core/dev.c:6727
+__do_softirq+0xc1/0x265 kernel/softirq.c:553
+do_softirq+0x5e/0x90 kernel/softirq.c:454
+__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381
+__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
+_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
+spin_unlock_bh include/linux/spinlock.h:396 [inline]
+batadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356
+batadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560
+process_one_work kernel/workqueue.c:2630 [inline]
+process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
+worker_thread+0x525/0x730 kernel/workqueue.c:2784
+kthread+0x1d7/0x210 kernel/kthread.c:388
+ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
+ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
+
+value changed: 0x00000000000d7190 -> 0x00000000000d7191
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0
+
+Fixes: 1c29fc4989bc ("[BRIDGE]: keep track of received multicast packets")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Roopa Prabhu <roopa@nvidia.com>
+Cc: Nikolay Aleksandrov <razor@blackwall.org>
+Cc: bridge@lists.linux-foundation.org
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230918091351.1356153-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_forward.c | 4 ++--
+ net/bridge/br_input.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
+index 3d69ad5463a9f..011bd3c59da19 100644
+--- a/net/bridge/br_forward.c
++++ b/net/bridge/br_forward.c
+@@ -124,7 +124,7 @@ static int deliver_clone(const struct net_bridge_port *prev,
+
+ skb = skb_clone(skb, GFP_ATOMIC);
+ if (!skb) {
+- dev->stats.tx_dropped++;
++ DEV_STATS_INC(dev, tx_dropped);
+ return -ENOMEM;
+ }
+
+@@ -263,7 +263,7 @@ static void maybe_deliver_addr(struct net_bridge_port *p, struct sk_buff *skb,
+
+ skb = skb_copy(skb, GFP_ATOMIC);
+ if (!skb) {
+- dev->stats.tx_dropped++;
++ DEV_STATS_INC(dev, tx_dropped);
+ return;
+ }
+
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index 6743c8a0fe8e1..54bfcdf692732 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -146,12 +146,12 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
+ if ((mdst && mdst->host_joined) ||
+ br_multicast_is_router(brmctx, skb)) {
+ local_rcv = true;
+- br->dev->stats.multicast++;
++ DEV_STATS_INC(br->dev, multicast);
+ }
+ mcast_hit = true;
+ } else {
+ local_rcv = true;
+- br->dev->stats.multicast++;
++ DEV_STATS_INC(br->dev, multicast);
+ }
+ break;
+ case BR_PKT_UNICAST:
+--
+2.40.1
+
--- /dev/null
+From 92d83cb634478dfa0809d666a3e4bce63c6f076b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 09:39:05 +0300
+Subject: net/core: Fix ETH_P_1588 flow dissector
+
+From: Sasha Neftin <sasha.neftin@intel.com>
+
+[ Upstream commit 75ad80ed88a182ab2ad5513e448cf07b403af5c3 ]
+
+When a PTP ethernet raw frame with a size of more than 256 bytes followed
+by a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation
+is wrong. For example: hdr->message_length takes the wrong value (0xffff)
+and it does not replicate real header length. In this case, 'nhoff' value
+was overridden and the PTP header was badly dissected. This leads to a
+kernel crash.
+
+net/core: flow_dissector
+net/core flow dissector nhoff = 0x0000000e
+net/core flow dissector hdr->message_length = 0x0000ffff
+net/core flow dissector nhoff = 0x0001000d (u16 overflow)
+...
+skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88
+skb frag: 00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+
+Using the size of the ptp_header struct will allow the corrected
+calculation of the nhoff value.
+
+net/core flow dissector nhoff = 0x0000000e
+net/core flow dissector nhoff = 0x00000030 (sizeof ptp_header)
+...
+skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 f7 ff ff
+skb linear: 00000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+skb linear: 00000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+skb frag: 00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+
+Kernel trace:
+[ 74.984279] ------------[ cut here ]------------
+[ 74.989471] kernel BUG at include/linux/skbuff.h:2440!
+[ 74.995237] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+[ 75.001098] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G U 5.15.85-intel-ese-standard-lts #1
+[ 75.011629] Hardware name: Intel Corporation A-Island (CPU:AlderLake)/A-Island (ID:06), BIOS SB_ADLP.01.01.00.01.03.008.D-6A9D9E73-dirty Mar 30 2023
+[ 75.026507] RIP: 0010:eth_type_trans+0xd0/0x130
+[ 75.031594] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9
+[ 75.052612] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297
+[ 75.058473] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003
+[ 75.066462] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300
+[ 75.074458] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800
+[ 75.082466] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010
+[ 75.090461] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800
+[ 75.098464] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000
+[ 75.107530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 75.113982] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0
+[ 75.121980] PKRU: 55555554
+[ 75.125035] Call Trace:
+[ 75.127792] <IRQ>
+[ 75.130063] ? eth_get_headlen+0xa4/0xc0
+[ 75.134472] igc_process_skb_fields+0xcd/0x150
+[ 75.139461] igc_poll+0xc80/0x17b0
+[ 75.143272] __napi_poll+0x27/0x170
+[ 75.147192] net_rx_action+0x234/0x280
+[ 75.151409] __do_softirq+0xef/0x2f4
+[ 75.155424] irq_exit_rcu+0xc7/0x110
+[ 75.159432] common_interrupt+0xb8/0xd0
+[ 75.163748] </IRQ>
+[ 75.166112] <TASK>
+[ 75.168473] asm_common_interrupt+0x22/0x40
+[ 75.173175] RIP: 0010:cpuidle_enter_state+0xe2/0x350
+[ 75.178749] Code: 85 c0 0f 8f 04 02 00 00 31 ff e8 39 6c 67 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 50 02 00 00 31 ff e8 52 b0 6d ff fb 45 85 f6 <0f> 88 b1 00 00 00 49 63 ce 4c 2b 2c 24 48 89 c8 48 6b d1 68 48 c1
+[ 75.199757] RSP: 0018:ffff9948c013bea8 EFLAGS: 00000202
+[ 75.205614] RAX: ffff8e4e8fb00000 RBX: ffffb948bfd23900 RCX: 000000000000001f
+[ 75.213619] RDX: 0000000000000004 RSI: ffffffff94206161 RDI: ffffffff94212e20
+[ 75.221620] RBP: 0000000000000004 R08: 000000117568973a R09: 0000000000000001
+[ 75.229622] R10: 000000000000afc8 R11: ffff8e4e8fb29ce4 R12: ffffffff945ae980
+[ 75.237628] R13: 000000117568973a R14: 0000000000000004 R15: 0000000000000000
+[ 75.245635] ? cpuidle_enter_state+0xc7/0x350
+[ 75.250518] cpuidle_enter+0x29/0x40
+[ 75.254539] do_idle+0x1d9/0x260
+[ 75.258166] cpu_startup_entry+0x19/0x20
+[ 75.262582] secondary_startup_64_no_verify+0xc2/0xcb
+[ 75.268259] </TASK>
+[ 75.270721] Modules linked in: 8021q snd_sof_pci_intel_tgl snd_sof_intel_hda_common tpm_crb snd_soc_hdac_hda snd_sof_intel_hda snd_hda_ext_core snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core snd_compress iTCO_wdt ac97_bus intel_pmc_bxt mei_hdcp iTCO_vendor_support snd_hda_codec_hdmi pmt_telemetry intel_pmc_core pmt_class snd_hda_intel x86_pkg_temp_thermal snd_intel_dspcfg snd_hda_codec snd_hda_core kvm_intel snd_pcm snd_timer kvm snd mei_me soundcore tpm_tis irqbypass i2c_i801 mei tpm_tis_core pcspkr intel_rapl_msr tpm i2c_smbus intel_pmt thermal sch_fq_codel uio uhid i915 drm_buddy video drm_display_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm fuse configfs
+[ 75.342736] ---[ end trace 3785f9f360400e3a ]---
+[ 75.347913] RIP: 0010:eth_type_trans+0xd0/0x130
+[ 75.352984] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9
+[ 75.373994] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297
+[ 75.379860] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003
+[ 75.387856] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300
+[ 75.395864] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800
+[ 75.403857] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010
+[ 75.411863] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800
+[ 75.419875] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000
+[ 75.428946] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 75.435403] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0
+[ 75.443410] PKRU: 55555554
+[ 75.446477] Kernel panic - not syncing: Fatal exception in interrupt
+[ 75.453738] Kernel Offset: 0x11c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+[ 75.465794] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
+
+Fixes: 4f1cc51f3488 ("net: flow_dissector: Parse PTP L2 packet header")
+Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/flow_dissector.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
+index 2596a54c2fe71..a1efbd0f2ad32 100644
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -1278,7 +1278,7 @@ bool __skb_flow_dissect(const struct net *net,
+ break;
+ }
+
+- nhoff += ntohs(hdr->message_length);
++ nhoff += sizeof(struct ptp_header);
+ fdret = FLOW_DISSECT_RET_OUT_GOOD;
+ break;
+ }
+--
+2.40.1
+
--- /dev/null
+From 067c9ec47f0494ce29238d5a763ab8ddc5b2e725 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 17:36:09 +0200
+Subject: net: ena: Flush XDP packets on error.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 6f411fb5ca9419090bee6a0a46425e0a5060b734 ]
+
+xdp_do_flush() should be invoked before leaving the NAPI poll function
+after a XDP-redirect. This is not the case if the driver leaves via
+the error path (after having a redirect in one of its previous
+iterations).
+
+Invoke xdp_do_flush() also in the error path.
+
+Cc: Arthur Kiyanovski <akiyano@amazon.com>
+Cc: David Arinzon <darinzon@amazon.com>
+Cc: Noam Dagan <ndagan@amazon.com>
+Cc: Saeed Bishara <saeedb@amazon.com>
+Cc: Shay Agroskin <shayagr@amazon.com>
+Fixes: a318c70ad152b ("net: ena: introduce XDP redirect implementation")
+Acked-by: Arthur Kiyanovski <akiyano@amazon.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Acked-by: Jesper Dangaard Brouer <hawk@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index f3673be4fc087..3eba01de95259 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -1788,6 +1788,9 @@ static int ena_clean_rx_irq(struct ena_ring *rx_ring, struct napi_struct *napi,
+ return work_done;
+
+ error:
++ if (xdp_flags & ENA_XDP_REDIRECT)
++ xdp_do_flush();
++
+ adapter = netdev_priv(rx_ring->netdev);
+
+ if (rc == -ENOSPC) {
+--
+2.40.1
+
--- /dev/null
+From 5975d95ac8cc3d3d75bbfa8c60f2a9ff74dd1c45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 15:48:40 +0800
+Subject: net: hns3: add 5ms delay before clear firmware reset irq source
+
+From: Jie Wang <wangjie125@huawei.com>
+
+[ Upstream commit 0770063096d5da4a8e467b6e73c1646a75589628 ]
+
+Currently the reset process in hns3 and firmware watchdog init process is
+asynchronous. we think firmware watchdog initialization is completed
+before hns3 clear the firmware interrupt source. However, firmware
+initialization may not complete early.
+
+so we add delay before hns3 clear firmware interrupt source and 5 ms delay
+is enough to avoid second firmware reset interrupt.
+
+Fixes: c1a81619d73a ("net: hns3: Add mailbox interrupt handling to PF driver")
+Signed-off-by: Jie Wang <wangjie125@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 0f522daf8e3ab..ca59e1cd992e5 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -3391,9 +3391,14 @@ static u32 hclge_check_event_cause(struct hclge_dev *hdev, u32 *clearval)
+ static void hclge_clear_event_cause(struct hclge_dev *hdev, u32 event_type,
+ u32 regclr)
+ {
++#define HCLGE_IMP_RESET_DELAY 5
++
+ switch (event_type) {
+ case HCLGE_VECTOR0_EVENT_PTP:
+ case HCLGE_VECTOR0_EVENT_RST:
++ if (regclr == BIT(HCLGE_VECTOR0_IMPRESET_INT_B))
++ mdelay(HCLGE_IMP_RESET_DELAY);
++
+ hclge_write_dev(&hdev->hw, HCLGE_MISC_RESET_STS_REG, regclr);
+ break;
+ case HCLGE_VECTOR0_EVENT_MBX:
+--
+2.40.1
+
--- /dev/null
+From 4afbdef3269c824ea649bd639d6a951e3b15ceba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 15:48:39 +0800
+Subject: net: hns3: fix fail to delete tc flower rules during reset issue
+
+From: Jijie Shao <shaojijie@huawei.com>
+
+[ Upstream commit 1a7be66e4685b8541546222c305cce9710718a88 ]
+
+Firmware does not respond driver commands during reset
+Therefore, rule will fail to delete while the firmware is resetting
+
+So, if failed to delete rule, set rule state to TO_DEL,
+and the rule will be deleted when periodic task being scheduled.
+
+Fixes: 0205ec041ec6 ("net: hns3: add support for hw tc offload of tc flower")
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 998ee681b1171..0f522daf8e3ab 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -7546,6 +7546,12 @@ static int hclge_del_cls_flower(struct hnae3_handle *handle,
+ ret = hclge_fd_tcam_config(hdev, HCLGE_FD_STAGE_1, true, rule->location,
+ NULL, false);
+ if (ret) {
++ /* if tcam config fail, set rule state to TO_DEL,
++ * so the rule will be deleted when periodic
++ * task being scheduled.
++ */
++ hclge_update_fd_list(hdev, HCLGE_FD_TO_DEL, rule->location, NULL);
++ set_bit(HCLGE_STATE_FD_TBL_CHANGED, &hdev->state);
+ spin_unlock_bh(&hdev->fd_rule_lock);
+ return ret;
+ }
+--
+2.40.1
+
--- /dev/null
+From c75d88d8cfe21580b456f87538a7e56d0cdca6f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 15:48:37 +0800
+Subject: net: hns3: fix GRE checksum offload issue
+
+From: Jie Wang <wangjie125@huawei.com>
+
+[ Upstream commit f9f651261130cdcb7adc9a3e365b356bc2749ab3 ]
+
+The device_version V3 hardware can't offload the checksum for IP in GRE
+packets, but can do it for NvGRE. So default to disable the checksum and
+GSO offload for GRE, but keep the ability to enable it when only using
+NvGRE.
+
+Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
+Signed-off-by: Jie Wang <wangjie125@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 3693ff55197dd..fde1ff3580458 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -3156,6 +3156,15 @@ static void hns3_set_default_feature(struct net_device *netdev)
+ NETIF_F_HW_TC);
+
+ netdev->hw_enc_features |= netdev->vlan_features | NETIF_F_TSO_MANGLEID;
++
++ /* The device_version V3 hardware can't offload the checksum for IP in
++ * GRE packets, but can do it for NvGRE. So default to disable the
++ * checksum and GSO offload for GRE.
++ */
++ if (ae_dev->dev_version > HNAE3_DEVICE_VERSION_V2) {
++ netdev->features &= ~NETIF_F_GSO_GRE;
++ netdev->features &= ~NETIF_F_GSO_GRE_CSUM;
++ }
+ }
+
+ static int hns3_alloc_buffer(struct hns3_enet_ring *ring,
+--
+2.40.1
+
--- /dev/null
+From 8266d6520092624b1bc39212498f741cd7cfe0df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 15:48:38 +0800
+Subject: net: hns3: only enable unicast promisc when mac table full
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit f2ed304922a55690529bcca59678dd92d7466ce8 ]
+
+Currently, the driver will enable unicast promisc for the function
+once configure mac address fail. It's unreasonable when the failure
+is caused by using same mac address with other functions. So only
+enable unicast promisc when mac table full.
+
+Fixes: c631c696823c ("net: hns3: refactor the promisc mode setting")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index a415760505ab4..998ee681b1171 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -8967,7 +8967,7 @@ static void hclge_update_overflow_flags(struct hclge_vport *vport,
+ if (mac_type == HCLGE_MAC_ADDR_UC) {
+ if (is_all_added)
+ vport->overflow_promisc_flags &= ~HNAE3_OVERFLOW_UPE;
+- else
++ else if (hclge_is_umv_space_full(vport, true))
+ vport->overflow_promisc_flags |= HNAE3_OVERFLOW_UPE;
+ } else {
+ if (is_all_added)
+--
+2.40.1
+
--- /dev/null
+From 931460e236e828d8eeb7fd4d4ec7b3cd46667442 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 16:56:23 +0300
+Subject: net: rds: Fix possible NULL-pointer dereference
+
+From: Artem Chernyshev <artem.chernyshev@red-soft.ru>
+
+[ Upstream commit f1d95df0f31048f1c59092648997686e3f7d9478 ]
+
+In rds_rdma_cm_event_handler_cmn() check, if conn pointer exists
+before dereferencing it as rdma_set_service_type() argument
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: fd261ce6a30e ("rds: rdma: update rdma transport for tos")
+Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rds/rdma_transport.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/rds/rdma_transport.c b/net/rds/rdma_transport.c
+index a9e4ff948a7d6..f71f073fd27ac 100644
+--- a/net/rds/rdma_transport.c
++++ b/net/rds/rdma_transport.c
+@@ -86,11 +86,13 @@ static int rds_rdma_cm_event_handler_cmn(struct rdma_cm_id *cm_id,
+ break;
+
+ case RDMA_CM_EVENT_ADDR_RESOLVED:
+- rdma_set_service_type(cm_id, conn->c_tos);
+- rdma_set_min_rnr_timer(cm_id, IB_RNR_TIMER_000_32);
+- /* XXX do we need to clean up if this fails? */
+- ret = rdma_resolve_route(cm_id,
+- RDS_RDMA_RESOLVE_TIMEOUT_MS);
++ if (conn) {
++ rdma_set_service_type(cm_id, conn->c_tos);
++ rdma_set_min_rnr_timer(cm_id, IB_RNR_TIMER_000_32);
++ /* XXX do we need to clean up if this fails? */
++ ret = rdma_resolve_route(cm_id,
++ RDS_RDMA_RESOLVE_TIMEOUT_MS);
++ }
+ break;
+
+ case RDMA_CM_EVENT_ROUTE_RESOLVED:
+--
+2.40.1
+
--- /dev/null
+From f548f5fc12060efc8b637ce8874adca6000ca921 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Sep 2023 20:04:45 +0200
+Subject: netfilter: ipset: Fix race between IPSET_CMD_CREATE and
+ IPSET_CMD_SWAP
+
+From: Jozsef Kadlecsik <kadlec@netfilter.org>
+
+[ Upstream commit 7433b6d2afd512d04398c73aa984d1e285be125b ]
+
+Kyle Zeng reported that there is a race between IPSET_CMD_ADD and IPSET_CMD_SWAP
+in netfilter/ip_set, which can lead to the invocation of `__ip_set_put` on a
+wrong `set`, triggering the `BUG_ON(set->ref == 0);` check in it.
+
+The race is caused by using the wrong reference counter, i.e. the ref counter instead
+of ref_netlink.
+
+Fixes: 24e227896bbf ("netfilter: ipset: Add schedule point in call_ad().")
+Reported-by: Kyle Zeng <zengyhkyle@gmail.com>
+Closes: https://lore.kernel.org/netfilter-devel/ZPZqetxOmH+w%2Fmyc@westworld/#r
+Tested-by: Kyle Zeng <zengyhkyle@gmail.com>
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_core.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
+index c911fc09f363c..33869db42bb6b 100644
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -682,6 +682,14 @@ __ip_set_put(struct ip_set *set)
+ /* set->ref can be swapped out by ip_set_swap, netlink events (like dump) need
+ * a separate reference counter
+ */
++static void
++__ip_set_get_netlink(struct ip_set *set)
++{
++ write_lock_bh(&ip_set_ref_lock);
++ set->ref_netlink++;
++ write_unlock_bh(&ip_set_ref_lock);
++}
++
+ static void
+ __ip_set_put_netlink(struct ip_set *set)
+ {
+@@ -1695,11 +1703,11 @@ call_ad(struct net *net, struct sock *ctnl, struct sk_buff *skb,
+
+ do {
+ if (retried) {
+- __ip_set_get(set);
++ __ip_set_get_netlink(set);
+ nfnl_unlock(NFNL_SUBSYS_IPSET);
+ cond_resched();
+ nfnl_lock(NFNL_SUBSYS_IPSET);
+- __ip_set_put(set);
++ __ip_set_put_netlink(set);
+ }
+
+ ip_set_lock(set);
+--
+2.40.1
+
--- /dev/null
+From 0fb869ed2d0d8eb57f40feb5f988061ac50caff3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 15:18:11 +0200
+Subject: netfilter: nf_tables: disable toggling dormant table state more than
+ once
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit c9bd26513b3a11b3adb3c2ed8a31a01a87173ff1 ]
+
+nft -f -<<EOF
+add table ip t
+add table ip t { flags dormant; }
+add chain ip t c { type filter hook input priority 0; }
+add table ip t
+EOF
+
+Triggers a splat from nf core on next table delete because we lose
+track of right hook register state:
+
+WARNING: CPU: 2 PID: 1597 at net/netfilter/core.c:501 __nf_unregister_net_hook
+RIP: 0010:__nf_unregister_net_hook+0x41b/0x570
+ nf_unregister_net_hook+0xb4/0xf0
+ __nf_tables_unregister_hook+0x160/0x1d0
+[..]
+
+The above should have table in *active* state, but in fact no
+hooks were registered.
+
+Reject on/off/on games rather than attempting to fix this.
+
+Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates")
+Reported-by: "Lee, Cherie-Anne" <cherie.lee@starlabs.sg>
+Cc: Bing-Jhong Billy Jheng <billy@starlabs.sg>
+Cc: info@starlabs.sg
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 56098859d5b44..2f7d8e0e47de8 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1159,6 +1159,10 @@ static int nf_tables_updtable(struct nft_ctx *ctx)
+ flags & NFT_TABLE_F_OWNER))
+ return -EOPNOTSUPP;
+
++ /* No dormant off/on/off/on games in single transaction */
++ if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
++ return -EINVAL;
++
+ trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
+ sizeof(struct nft_trans_table));
+ if (trans == NULL)
+--
+2.40.1
+
--- /dev/null
+From 2e8edb2ea100ea010be83d46a2ac56ad3e509e24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Sep 2023 19:04:45 +0200
+Subject: netfilter: nf_tables: disallow element removal on anonymous sets
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 23a3bfd4ba7acd36abf52b78605f61b21bdac216 ]
+
+Anonymous sets need to be populated once at creation and then they are
+bound to rule since 938154b93be8 ("netfilter: nf_tables: reject unbound
+anonymous set before commit phase"), otherwise transaction reports
+EINVAL.
+
+Userspace does not need to delete elements of anonymous sets that are
+not yet bound, reject this with EOPNOTSUPP.
+
+From flush command path, skip anonymous sets, they are expected to be
+bound already. Otherwise, EINVAL is hit at the end of this transaction
+for unbound sets.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 4dadb0eebf614..56098859d5b44 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1358,8 +1358,7 @@ static int nft_flush_table(struct nft_ctx *ctx)
+ if (!nft_is_active_next(ctx->net, set))
+ continue;
+
+- if (nft_set_is_anonymous(set) &&
+- !list_empty(&set->bindings))
++ if (nft_set_is_anonymous(set))
+ continue;
+
+ err = nft_delset(ctx, set);
+@@ -6752,8 +6751,10 @@ static int nf_tables_delsetelem(struct sk_buff *skb,
+ if (IS_ERR(set))
+ return PTR_ERR(set);
+
+- if (!list_empty(&set->bindings) &&
+- (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
++ if (nft_set_is_anonymous(set))
++ return -EOPNOTSUPP;
++
++ if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
+ return -EBUSY;
+
+ nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
+--
+2.40.1
+
--- /dev/null
+From 8783908c3100e897a0124e1f063ea8a55ded2865 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 14:27:19 -0700
+Subject: platform/x86: intel_scu_ipc: Check status after timeout in
+ busy_loop()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit e0b4ab3bb92bda8d12f55842614362989d5b2cb3 ]
+
+It's possible for the polling loop in busy_loop() to get scheduled away
+for a long time.
+
+ status = ipc_read_status(scu); // status = IPC_STATUS_BUSY
+ <long time scheduled away>
+ if (!(status & IPC_STATUS_BUSY))
+
+If this happens, then the status bit could change while the task is
+scheduled away and this function would never read the status again after
+timing out. Instead, the function will return -ETIMEDOUT when it's
+possible that scheduling didn't work out and the status bit was cleared.
+Bit polling code should always check the bit being polled one more time
+after the timeout in case this happens.
+
+Fix this by reading the status once more after the while loop breaks.
+The readl_poll_timeout() macro implements all of this, and it is
+shorter, so use that macro here to consolidate code and fix this.
+
+There were some concerns with using readl_poll_timeout() because it uses
+timekeeping, and timekeeping isn't running early on or during the late
+stages of system suspend or early stages of system resume, but an audit
+of the code concluded that this code isn't called during those times so
+it is safe to use the macro.
+
+Cc: Prashant Malani <pmalani@chromium.org>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Fixes: e7b7ab3847c9 ("platform/x86: intel_scu_ipc: Sleeping is fine when polling")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/20230913212723.3055315-2-swboyd@chromium.org
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel_scu_ipc.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/platform/x86/intel_scu_ipc.c b/drivers/platform/x86/intel_scu_ipc.c
+index e7a3e34028178..96675bea88b10 100644
+--- a/drivers/platform/x86/intel_scu_ipc.c
++++ b/drivers/platform/x86/intel_scu_ipc.c
+@@ -19,6 +19,7 @@
+ #include <linux/init.h>
+ #include <linux/interrupt.h>
+ #include <linux/io.h>
++#include <linux/iopoll.h>
+ #include <linux/module.h>
+ #include <linux/slab.h>
+
+@@ -232,19 +233,15 @@ static inline u32 ipc_data_readl(struct intel_scu_ipc_dev *scu, u32 offset)
+ /* Wait till scu status is busy */
+ static inline int busy_loop(struct intel_scu_ipc_dev *scu)
+ {
+- unsigned long end = jiffies + IPC_TIMEOUT;
+-
+- do {
+- u32 status;
+-
+- status = ipc_read_status(scu);
+- if (!(status & IPC_STATUS_BUSY))
+- return (status & IPC_STATUS_ERR) ? -EIO : 0;
++ u8 status;
++ int err;
+
+- usleep_range(50, 100);
+- } while (time_before(jiffies, end));
++ err = readx_poll_timeout(ipc_read_status, scu, status, !(status & IPC_STATUS_BUSY),
++ 100, jiffies_to_usecs(IPC_TIMEOUT));
++ if (err)
++ return err;
+
+- return -ETIMEDOUT;
++ return (status & IPC_STATUS_ERR) ? -EIO : 0;
+ }
+
+ /* Wait till ipc ioc interrupt is received or timeout in 10 HZ */
+--
+2.40.1
+
--- /dev/null
+From 50a3864d73eee58e5b3ed1e3516b2ad5b2040649 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 14:27:20 -0700
+Subject: platform/x86: intel_scu_ipc: Check status upon timeout in
+ ipc_wait_for_interrupt()
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit 427fada620733e6474d783ae6037a66eae42bf8c ]
+
+It's possible for the completion in ipc_wait_for_interrupt() to timeout,
+simply because the interrupt was delayed in being processed. A timeout
+in itself is not an error. This driver should check the status register
+upon a timeout to ensure that scheduling or interrupt processing delays
+don't affect the outcome of the IPC return value.
+
+ CPU0 SCU
+ ---- ---
+ ipc_wait_for_interrupt()
+ wait_for_completion_timeout(&scu->cmd_complete)
+ [TIMEOUT] status[IPC_STATUS_BUSY]=0
+
+Fix this problem by reading the status bit in all cases, regardless of
+the timeout. If the completion times out, we'll assume the problem was
+that the IPC_STATUS_BUSY bit was still set, but if the status bit is
+cleared in the meantime we know that we hit some scheduling delay and we
+should just check the error bit.
+
+Cc: Prashant Malani <pmalani@chromium.org>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Fixes: ed12f295bfd5 ("ipc: Added support for IPC interrupt mode")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/20230913212723.3055315-3-swboyd@chromium.org
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel_scu_ipc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/intel_scu_ipc.c b/drivers/platform/x86/intel_scu_ipc.c
+index 96675bea88b10..be97cfae4b0f3 100644
+--- a/drivers/platform/x86/intel_scu_ipc.c
++++ b/drivers/platform/x86/intel_scu_ipc.c
+@@ -249,10 +249,12 @@ static inline int ipc_wait_for_interrupt(struct intel_scu_ipc_dev *scu)
+ {
+ int status;
+
+- if (!wait_for_completion_timeout(&scu->cmd_complete, IPC_TIMEOUT))
+- return -ETIMEDOUT;
++ wait_for_completion_timeout(&scu->cmd_complete, IPC_TIMEOUT);
+
+ status = ipc_read_status(scu);
++ if (status & IPC_STATUS_BUSY)
++ return -ETIMEDOUT;
++
+ if (status & IPC_STATUS_ERR)
+ return -EIO;
+
+--
+2.40.1
+
--- /dev/null
+From 0e887f54ac2ee5e45bb0a64f674a76c422cecd75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 14:27:21 -0700
+Subject: platform/x86: intel_scu_ipc: Don't override scu in
+ intel_scu_ipc_dev_simple_command()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit efce78584e583226e9a1f6cb2fb555d6ff47c3e7 ]
+
+Andy discovered this bug during patch review. The 'scu' argument to this
+function shouldn't be overridden by the function itself. It doesn't make
+any sense. Looking at the commit history, we see that commit
+f57fa18583f5 ("platform/x86: intel_scu_ipc: Introduce new SCU IPC API")
+removed the setting of the scu to ipcdev in other functions, but not
+this one. That was an oversight. Remove this line so that we stop
+overriding the scu instance that is used by this function.
+
+Reported-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Closes: https://lore.kernel.org/r/ZPjdZ3xNmBEBvNiS@smile.fi.intel.com
+Cc: Prashant Malani <pmalani@chromium.org>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Fixes: f57fa18583f5 ("platform/x86: intel_scu_ipc: Introduce new SCU IPC API")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/20230913212723.3055315-4-swboyd@chromium.org
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel_scu_ipc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/platform/x86/intel_scu_ipc.c b/drivers/platform/x86/intel_scu_ipc.c
+index be97cfae4b0f3..dfe010f1ee084 100644
+--- a/drivers/platform/x86/intel_scu_ipc.c
++++ b/drivers/platform/x86/intel_scu_ipc.c
+@@ -444,7 +444,6 @@ int intel_scu_ipc_dev_simple_command(struct intel_scu_ipc_dev *scu, int cmd,
+ mutex_unlock(&ipclock);
+ return -ENODEV;
+ }
+- scu = ipcdev;
+ cmdval = sub << 12 | cmd;
+ ipc_command(scu, cmdval);
+ err = intel_scu_ipc_check_status(scu);
+--
+2.40.1
+
--- /dev/null
+From dab768bb89fbad4590afa42e31ae7d2d8303a65f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 14:27:22 -0700
+Subject: platform/x86: intel_scu_ipc: Fail IPC send if still busy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit 85e654c9f722853a595fa941dca60c157b707b86 ]
+
+It's possible for interrupts to get significantly delayed to the point
+that callers of intel_scu_ipc_dev_command() and friends can call the
+function once, hit a timeout, and call it again while the interrupt
+still hasn't been processed. This driver will get seriously confused if
+the interrupt is finally processed after the second IPC has been sent
+with ipc_command(). It won't know which IPC has been completed. This
+could be quite disastrous if calling code assumes something has happened
+upon return from intel_scu_ipc_dev_simple_command() when it actually
+hasn't.
+
+Let's avoid this scenario by simply returning -EBUSY in this case.
+Hopefully higher layers will know to back off or fail gracefully when
+this happens. It's all highly unlikely anyway, but it's better to be
+correct here as we have no way to know which IPC the status register is
+telling us about if we send a second IPC while the previous IPC is still
+processing.
+
+Cc: Prashant Malani <pmalani@chromium.org>
+Cc: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Fixes: ed12f295bfd5 ("ipc: Added support for IPC interrupt mode")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/20230913212723.3055315-5-swboyd@chromium.org
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel_scu_ipc.c | 40 +++++++++++++++++++---------
+ 1 file changed, 28 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/platform/x86/intel_scu_ipc.c b/drivers/platform/x86/intel_scu_ipc.c
+index dfe010f1ee084..189c5460edd81 100644
+--- a/drivers/platform/x86/intel_scu_ipc.c
++++ b/drivers/platform/x86/intel_scu_ipc.c
+@@ -266,6 +266,24 @@ static int intel_scu_ipc_check_status(struct intel_scu_ipc_dev *scu)
+ return scu->irq > 0 ? ipc_wait_for_interrupt(scu) : busy_loop(scu);
+ }
+
++static struct intel_scu_ipc_dev *intel_scu_ipc_get(struct intel_scu_ipc_dev *scu)
++{
++ u8 status;
++
++ if (!scu)
++ scu = ipcdev;
++ if (!scu)
++ return ERR_PTR(-ENODEV);
++
++ status = ipc_read_status(scu);
++ if (status & IPC_STATUS_BUSY) {
++ dev_dbg(&scu->dev, "device is busy\n");
++ return ERR_PTR(-EBUSY);
++ }
++
++ return scu;
++}
++
+ /* Read/Write power control(PMIC in Langwell, MSIC in PenWell) registers */
+ static int pwr_reg_rdwr(struct intel_scu_ipc_dev *scu, u16 *addr, u8 *data,
+ u32 count, u32 op, u32 id)
+@@ -279,11 +297,10 @@ static int pwr_reg_rdwr(struct intel_scu_ipc_dev *scu, u16 *addr, u8 *data,
+ memset(cbuf, 0, sizeof(cbuf));
+
+ mutex_lock(&ipclock);
+- if (!scu)
+- scu = ipcdev;
+- if (!scu) {
++ scu = intel_scu_ipc_get(scu);
++ if (IS_ERR(scu)) {
+ mutex_unlock(&ipclock);
+- return -ENODEV;
++ return PTR_ERR(scu);
+ }
+
+ for (nc = 0; nc < count; nc++, offset += 2) {
+@@ -438,12 +455,12 @@ int intel_scu_ipc_dev_simple_command(struct intel_scu_ipc_dev *scu, int cmd,
+ int err;
+
+ mutex_lock(&ipclock);
+- if (!scu)
+- scu = ipcdev;
+- if (!scu) {
++ scu = intel_scu_ipc_get(scu);
++ if (IS_ERR(scu)) {
+ mutex_unlock(&ipclock);
+- return -ENODEV;
++ return PTR_ERR(scu);
+ }
++
+ cmdval = sub << 12 | cmd;
+ ipc_command(scu, cmdval);
+ err = intel_scu_ipc_check_status(scu);
+@@ -483,11 +500,10 @@ int intel_scu_ipc_dev_command_with_size(struct intel_scu_ipc_dev *scu, int cmd,
+ return -EINVAL;
+
+ mutex_lock(&ipclock);
+- if (!scu)
+- scu = ipcdev;
+- if (!scu) {
++ scu = intel_scu_ipc_get(scu);
++ if (IS_ERR(scu)) {
+ mutex_unlock(&ipclock);
+- return -ENODEV;
++ return PTR_ERR(scu);
+ }
+
+ memcpy(inbuf, in, inlen);
+--
+2.40.1
+
--- /dev/null
+From 40917e9373039f228b21ea4e318fa7e8c0e26711 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Aug 2023 11:26:01 +0530
+Subject: powerpc/perf/hv-24x7: Update domain value check
+
+From: Kajol Jain <kjain@linux.ibm.com>
+
+[ Upstream commit 4ff3ba4db5943cac1045e3e4a3c0463ea10f6930 ]
+
+Valid domain value is in range 1 to HV_PERF_DOMAIN_MAX. Current code has
+check for domain value greater than or equal to HV_PERF_DOMAIN_MAX. But
+the check for domain value 0 is missing.
+
+Fix this issue by adding check for domain value 0.
+
+Before:
+ # ./perf stat -v -e hv_24x7/CPM_ADJUNCT_INST,domain=0,core=1/ sleep 1
+ Using CPUID 00800200
+ Control descriptor is not initialized
+ Error:
+ The sys_perf_event_open() syscall returned with 5 (Input/output error) for
+ event (hv_24x7/CPM_ADJUNCT_INST,domain=0,core=1/).
+ /bin/dmesg | grep -i perf may provide additional information.
+
+ Result from dmesg:
+ [ 37.819387] hv-24x7: hcall failed: [0 0x60040000 0x100 0] => ret
+ 0xfffffffffffffffc (-4) detail=0x2000000 failing ix=0
+
+After:
+ # ./perf stat -v -e hv_24x7/CPM_ADJUNCT_INST,domain=0,core=1/ sleep 1
+ Using CPUID 00800200
+ Control descriptor is not initialized
+ Warning:
+ hv_24x7/CPM_ADJUNCT_INST,domain=0,core=1/ event is not supported by the kernel.
+ failed to read counter hv_24x7/CPM_ADJUNCT_INST,domain=0,core=1/
+
+Fixes: ebd4a5a3ebd9 ("powerpc/perf/hv-24x7: Minor improvements")
+Reported-by: Krishan Gopal Sarawast <krishang@linux.vnet.ibm.com>
+Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
+Tested-by: Disha Goel <disgoel@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230825055601.360083-1-kjain@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/perf/hv-24x7.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/perf/hv-24x7.c b/arch/powerpc/perf/hv-24x7.c
+index 1816f560a4652..284ccc90fb11c 100644
+--- a/arch/powerpc/perf/hv-24x7.c
++++ b/arch/powerpc/perf/hv-24x7.c
+@@ -1431,7 +1431,7 @@ static int h_24x7_event_init(struct perf_event *event)
+ }
+
+ domain = event_get_domain(event);
+- if (domain >= HV_PERF_DOMAIN_MAX) {
++ if (domain == 0 || domain >= HV_PERF_DOMAIN_MAX) {
+ pr_devel("invalid domain %d\n", domain);
+ return -EINVAL;
+ }
+--
+2.40.1
+
--- /dev/null
+From 787fafdf366387f8ea8ec5696c5171bd29f3466d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 16:16:25 +0200
+Subject: selftests: tls: swap the TX and RX sockets in some tests
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit c326ca98446e0ae4fee43a40acf79412b74cfedb ]
+
+tls.sendmsg_large and tls.sendmsg_multiple are trying to send through
+the self->cfd socket (only configured with TLS_RX) and to receive through
+the self->fd socket (only configured with TLS_TX), so they're not using
+kTLS at all. Swap the sockets.
+
+Fixes: 7f657d5bf507 ("selftests: tls: add selftests for TLS sockets")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/tls.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c
+index 97fceb9be9ed3..3bdb093731358 100644
+--- a/tools/testing/selftests/net/tls.c
++++ b/tools/testing/selftests/net/tls.c
+@@ -441,11 +441,11 @@ TEST_F(tls, sendmsg_large)
+
+ msg.msg_iov = &vec;
+ msg.msg_iovlen = 1;
+- EXPECT_EQ(sendmsg(self->cfd, &msg, 0), send_len);
++ EXPECT_EQ(sendmsg(self->fd, &msg, 0), send_len);
+ }
+
+ while (recvs++ < sends) {
+- EXPECT_NE(recv(self->fd, mem, send_len, 0), -1);
++ EXPECT_NE(recv(self->cfd, mem, send_len, 0), -1);
+ }
+
+ free(mem);
+@@ -474,9 +474,9 @@ TEST_F(tls, sendmsg_multiple)
+ msg.msg_iov = vec;
+ msg.msg_iovlen = iov_len;
+
+- EXPECT_EQ(sendmsg(self->cfd, &msg, 0), total_len);
++ EXPECT_EQ(sendmsg(self->fd, &msg, 0), total_len);
+ buf = malloc(total_len);
+- EXPECT_NE(recv(self->fd, buf, total_len, 0), -1);
++ EXPECT_NE(recv(self->cfd, buf, total_len, 0), -1);
+ for (i = 0; i < iov_len; i++) {
+ EXPECT_EQ(memcmp(test_strs[i], buf + len_cmp,
+ strlen(test_strs[i])),
+--
+2.40.1
+
netfilter-nft_set_pipapo-stop-gc-iteration-if-gc-tra.patch
netfilter-nft_set_hash-try-later-when-gc-hits-eagain.patch
netfilter-nf_tables-fix-memleak-when-more-than-255-e.patch
+asoc-meson-spdifin-start-hw-on-dai-probe.patch
+netfilter-nf_tables-disallow-element-removal-on-anon.patch
+bpf-avoid-deadlock-when-using-queue-and-stack-maps-f.patch
+selftests-tls-swap-the-tx-and-rx-sockets-in-some-tes.patch
+net-core-fix-eth_p_1588-flow-dissector.patch
+asoc-imx-audmix-fix-return-error-with-devm_clk_get.patch
+iavf-do-not-process-adminq-tasks-when-__iavf_in_remo.patch
+i40e-add-vf-vlan-pruning.patch
+i40e-fix-vf-vlan-offloading-when-port-vlan-is-config.patch
+ionic-fix-16bit-math-issue-when-page_size-64kb.patch
+igc-fix-infinite-initialization-loop-with-early-xdp-.patch
+ipv4-fix-null-deref-in-ipv4_link_failure.patch
+powerpc-perf-hv-24x7-update-domain-value-check.patch
+dccp-fix-dccp_v4_err-dccp_v6_err-again.patch
+platform-x86-intel_scu_ipc-check-status-after-timeou.patch
+platform-x86-intel_scu_ipc-check-status-upon-timeout.patch
+platform-x86-intel_scu_ipc-don-t-override-scu-in-int.patch
+platform-x86-intel_scu_ipc-fail-ipc-send-if-still-bu.patch
+x86-srso-fix-srso_show_state-side-effect.patch
+x86-srso-fix-sbpb-enablement-for-spec_rstack_overflo.patch
+net-hns3-fix-gre-checksum-offload-issue.patch
+net-hns3-only-enable-unicast-promisc-when-mac-table-.patch
+net-hns3-fix-fail-to-delete-tc-flower-rules-during-r.patch
+net-hns3-add-5ms-delay-before-clear-firmware-reset-i.patch
+net-bridge-use-dev_stats_inc.patch
+team-fix-null-ptr-deref-when-team-device-type-is-cha.patch
+net-rds-fix-possible-null-pointer-dereference.patch
+netfilter-nf_tables-disable-toggling-dormant-table-s.patch
+netfilter-ipset-fix-race-between-ipset_cmd_create-an.patch
+locking-seqlock-do-the-lockdep-annotation-before-loc.patch
+net-ena-flush-xdp-packets-on-error.patch
+bnxt_en-flush-xdp-for-bnxt_poll_nitroa0-s-napi.patch
+igc-expose-tx-usecs-coalesce-setting-to-user.patch
+fix-up-backport-of-136191703038-interconnect-teach-l.patch
--- /dev/null
+From 623c68f955985ec3002836c98f0409b8a455bdc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 20:30:11 +0800
+Subject: team: fix null-ptr-deref when team device type is changed
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 492032760127251e5540a5716a70996bacf2a3fd ]
+
+Get a null-ptr-deref bug as follows with reproducer [1].
+
+BUG: kernel NULL pointer dereference, address: 0000000000000228
+...
+RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]
+...
+Call Trace:
+ <TASK>
+ ? __die+0x24/0x70
+ ? page_fault_oops+0x82/0x150
+ ? exc_page_fault+0x69/0x150
+ ? asm_exc_page_fault+0x26/0x30
+ ? vlan_dev_hard_header+0x35/0x140 [8021q]
+ ? vlan_dev_hard_header+0x8e/0x140 [8021q]
+ neigh_connected_output+0xb2/0x100
+ ip6_finish_output2+0x1cb/0x520
+ ? nf_hook_slow+0x43/0xc0
+ ? ip6_mtu+0x46/0x80
+ ip6_finish_output+0x2a/0xb0
+ mld_sendpack+0x18f/0x250
+ mld_ifc_work+0x39/0x160
+ process_one_work+0x1e6/0x3f0
+ worker_thread+0x4d/0x2f0
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0xe5/0x120
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x34/0x50
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1b/0x30
+
+[1]
+$ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}'
+$ ip link add name t-dummy type dummy
+$ ip link add link t-dummy name t-dummy.100 type vlan id 100
+$ ip link add name t-nlmon type nlmon
+$ ip link set t-nlmon master team0
+$ ip link set t-nlmon nomaster
+$ ip link set t-dummy up
+$ ip link set team0 up
+$ ip link set t-dummy.100 down
+$ ip link set t-dummy.100 master team0
+
+When enslave a vlan device to team device and team device type is changed
+from non-ether to ether, header_ops of team device is changed to
+vlan_header_ops. That is incorrect and will trigger null-ptr-deref
+for vlan->real_dev in vlan_dev_hard_header() because team device is not
+a vlan device.
+
+Cache eth_header_ops in team_setup(), then assign cached header_ops to
+header_ops of team net device when its type is changed from non-ether
+to ether to fix the bug.
+
+Fixes: 1d76efe1577b ("team: add support for non-ethernet devices")
+Suggested-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230918123011.1884401-1-william.xuanziyang@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team.c | 10 +++++++++-
+ include/linux/if_team.h | 2 ++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index f99df92d211e2..44275094906c0 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2122,7 +2122,12 @@ static const struct ethtool_ops team_ethtool_ops = {
+ static void team_setup_by_port(struct net_device *dev,
+ struct net_device *port_dev)
+ {
+- dev->header_ops = port_dev->header_ops;
++ struct team *team = netdev_priv(dev);
++
++ if (port_dev->type == ARPHRD_ETHER)
++ dev->header_ops = team->header_ops_cache;
++ else
++ dev->header_ops = port_dev->header_ops;
+ dev->type = port_dev->type;
+ dev->hard_header_len = port_dev->hard_header_len;
+ dev->needed_headroom = port_dev->needed_headroom;
+@@ -2169,8 +2174,11 @@ static int team_dev_type_check_change(struct net_device *dev,
+
+ static void team_setup(struct net_device *dev)
+ {
++ struct team *team = netdev_priv(dev);
++
+ ether_setup(dev);
+ dev->max_mtu = ETH_MAX_MTU;
++ team->header_ops_cache = dev->header_ops;
+
+ dev->netdev_ops = &team_netdev_ops;
+ dev->ethtool_ops = &team_ethtool_ops;
+diff --git a/include/linux/if_team.h b/include/linux/if_team.h
+index 5dd1657947b75..762c77d13e7dd 100644
+--- a/include/linux/if_team.h
++++ b/include/linux/if_team.h
+@@ -189,6 +189,8 @@ struct team {
+ struct net_device *dev; /* associated netdevice */
+ struct team_pcpu_stats __percpu *pcpu_stats;
+
++ const struct header_ops *header_ops_cache;
++
+ struct mutex lock; /* used for overall locking, e.g. port lists write */
+
+ /*
+--
+2.40.1
+
--- /dev/null
+From a9c6d4187abc74dee98b1e6566b0d928120bb64a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Sep 2023 22:04:48 -0700
+Subject: x86/srso: Fix SBPB enablement for spec_rstack_overflow=off
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit 01b057b2f4cc2d905a0bd92195657dbd9a7005ab ]
+
+If the user has requested no SRSO mitigation, other mitigations can use
+the lighter-weight SBPB instead of IBPB.
+
+Fixes: fb3bd914b3ec ("x86/srso: Add a Speculative RAS Overflow mitigation")
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/b20820c3cfd1003171135ec8d762a0b957348497.1693889988.git.jpoimboe@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 78a57737f1ba1..6322a08edbba5 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -2414,7 +2414,7 @@ static void __init srso_select_mitigation(void)
+
+ switch (srso_cmd) {
+ case SRSO_CMD_OFF:
+- return;
++ goto pred_cmd;
+
+ case SRSO_CMD_MICROCODE:
+ if (has_microcode) {
+--
+2.40.1
+
--- /dev/null
+From 29cc9e3da821774dcc2980c380692ec865abb491 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Sep 2023 22:04:45 -0700
+Subject: x86/srso: Fix srso_show_state() side effect
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit a8cf700c17d9ca6cb8ee7dc5c9330dbac3948237 ]
+
+Reading the 'spec_rstack_overflow' sysfs file can trigger an unnecessary
+MSR write, and possibly even a (handled) exception if the microcode
+hasn't been updated.
+
+Avoid all that by just checking X86_FEATURE_IBPB_BRTYPE instead, which
+gets set by srso_select_mitigation() if the updated microcode exists.
+
+Fixes: fb3bd914b3ec ("x86/srso: Add a Speculative RAS Overflow mitigation")
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/27d128899cb8aee9eb2b57ddc996742b0c1d776b.1693889988.git.jpoimboe@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 0d2c5fe841414..78a57737f1ba1 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -2692,7 +2692,7 @@ static ssize_t srso_show_state(char *buf)
+
+ return sysfs_emit(buf, "%s%s\n",
+ srso_strings[srso_mitigation],
+- (cpu_has_ibpb_brtype_microcode() ? "" : ", no microcode"));
++ boot_cpu_has(X86_FEATURE_IBPB_BRTYPE) ? "" : ", no microcode");
+ }
+
+ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr,
+--
+2.40.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
