Fixes for 6.1
authorSasha Levin <sashal@kernel.org>
Fri, 10 Jan 2025 14:26:06 +0000 (09:26 -0500)
committerSasha Levin <sashal@kernel.org>
Fri, 10 Jan 2025 14:26:06 +0000 (09:26 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
20 files changed:
queue-6.1/bluetooth-hci_sync-fix-not-setting-random-address-wh.patch [new file with mode: 0644]
queue-6.1/bnxt_en-fix-possible-memory-leak-when-hwrm_req_repla.patch [new file with mode: 0644]
queue-6.1/cxgb4-avoid-removal-of-uninserted-tid.patch [new file with mode: 0644]
queue-6.1/ice-fix-incorrect-phy-settings-for-100-gb-s.patch [new file with mode: 0644]
queue-6.1/ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch [new file with mode: 0644]
queue-6.1/net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch [new file with mode: 0644]
queue-6.1/net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch [new file with mode: 0644]
queue-6.1/net-hns3-fix-missing-features-due-to-dev-features-co.patch [new file with mode: 0644]
queue-6.1/net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch [new file with mode: 0644]
queue-6.1/net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch [new file with mode: 0644]
queue-6.1/net-mlx5-fix-variable-not-being-completed-when-funct.patch [new file with mode: 0644]
queue-6.1/net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch [new file with mode: 0644]
queue-6.1/netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch [new file with mode: 0644]
queue-6.1/netfilter-nf_tables-imbalance-in-flowtable-binding.patch [new file with mode: 0644]
queue-6.1/sched-sch_cake-add-bounds-checks-to-host-bulk-flow-f.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/tcp-annotate-data-race-around-sk-sk_mark-in-tcp_v4_s.patch [new file with mode: 0644]
queue-6.1/tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch [new file with mode: 0644]
queue-6.1/tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch [new file with mode: 0644]
queue-6.1/tls-fix-tls_sw_sendmsg-error-handling.patch [new file with mode: 0644]

diff --git a/queue-6.1/bluetooth-hci_sync-fix-not-setting-random-address-wh.patch b/queue-6.1/bluetooth-hci_sync-fix-not-setting-random-address-wh.patch
new file mode 100644 (file)
index 0000000..9ce4a95
--- /dev/null
@@ -0,0 +1,76 @@
+From 698b70a319d48b971d4a6b8f9892a4304bfde549 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2024 15:42:09 -0500
+Subject: Bluetooth: hci_sync: Fix not setting Random Address when required
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit c2994b008492db033d40bd767be1620229a3035e ]
+
+This fixes errors such as the following when Own address type is set to
+Random Address but it has not been programmed yet due to either be
+advertising or connecting:
+
+< HCI Command: LE Set Exte.. (0x08|0x0041) plen 13
+        Own address type: Random (0x03)
+        Filter policy: Ignore not in accept list (0x01)
+        PHYs: 0x05
+        Entry 0: LE 1M
+          Type: Passive (0x00)
+          Interval: 60.000 msec (0x0060)
+          Window: 30.000 msec (0x0030)
+        Entry 1: LE Coded
+          Type: Passive (0x00)
+          Interval: 180.000 msec (0x0120)
+          Window: 90.000 msec (0x0090)
+> HCI Event: Command Complete (0x0e) plen 4
+      LE Set Extended Scan Parameters (0x08|0x0041) ncmd 1
+        Status: Success (0x00)
+< HCI Command: LE Set Exten.. (0x08|0x0042) plen 6
+        Extended scan: Enabled (0x01)
+        Filter duplicates: Enabled (0x01)
+        Duration: 0 msec (0x0000)
+        Period: 0.00 sec (0x0000)
+> HCI Event: Command Complete (0x0e) plen 4
+      LE Set Extended Scan Enable (0x08|0x0042) ncmd 1
+        Status: Invalid HCI Command Parameters (0x12)
+
+Fixes: c45074d68a9b ("Bluetooth: Fix not generating RPA when required")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index b7a7b2afaa04..c6108e68f5a9 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -1006,9 +1006,9 @@ static bool adv_use_rpa(struct hci_dev *hdev, uint32_t flags)
+ static int hci_set_random_addr_sync(struct hci_dev *hdev, bdaddr_t *rpa)
+ {
+-      /* If we're advertising or initiating an LE connection we can't
+-       * go ahead and change the random address at this time. This is
+-       * because the eventual initiator address used for the
++      /* If a random_addr has been set we're advertising or initiating an LE
++       * connection we can't go ahead and change the random address at this
++       * time. This is because the eventual initiator address used for the
+        * subsequently created connection will be undefined (some
+        * controllers use the new address and others the one we had
+        * when the operation started).
+@@ -1016,8 +1016,9 @@ static int hci_set_random_addr_sync(struct hci_dev *hdev, bdaddr_t *rpa)
+        * In this kind of scenario skip the update and let the random
+        * address be updated at the next cycle.
+        */
+-      if (hci_dev_test_flag(hdev, HCI_LE_ADV) ||
+-          hci_lookup_le_connect(hdev)) {
++      if (bacmp(&hdev->random_addr, BDADDR_ANY) &&
++          (hci_dev_test_flag(hdev, HCI_LE_ADV) ||
++          hci_lookup_le_connect(hdev))) {
+               bt_dev_dbg(hdev, "Deferring random address update");
+               hci_dev_set_flag(hdev, HCI_RPA_EXPIRED);
+               return 0;
+-- 
+2.39.5
+
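Review bot: The rewritten comment in hci_set_random_addr_sync() has lost a conjunction: "If a random_addr has been set we're advertising or initiating an LE connection" reads as a single clause, while the condition below it requires a non-zero `hdev->random_addr` and, in addition, either `HCI_LE_ADV` or a pending LE connect. I would open it with `/* If a random_addr has been set and we're advertising or initiating an LE` and add one sentence saying that an address still equal to `BDADDR_ANY` must be programmed regardless, since that is the case the commit message describes. The continuation line `hci_lookup_le_connect(hdev))) {` is also aligned with the outer parenthesis rather than with `hci_dev_test_flag`, which hides the grouping. The function body continues past the end of the hunk.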
diff --git a/queue-6.1/bnxt_en-fix-possible-memory-leak-when-hwrm_req_repla.patch b/queue-6.1/bnxt_en-fix-possible-memory-leak-when-hwrm_req_repla.patch
new file mode 100644 (file)
index 0000000..dcafeff
--- /dev/null
@@ -0,0 +1,47 @@
+From 89879e7cfeb3b30b078ce9216b38f510db4265a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Jan 2025 20:38:47 -0800
+Subject: bnxt_en: Fix possible memory leak when hwrm_req_replace fails
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit c8dafb0e4398dacc362832098a04b97da3b0395b ]
+
+When hwrm_req_replace() fails, the driver is not invoking bnxt_req_drop()
+which could cause a memory leak.
+
+Fixes: bbf33d1d9805 ("bnxt_en: update all firmware calls to use the new APIs")
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Link: https://patch.msgid.link/20250104043849.3482067-2-michael.chan@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
+index 2e54bf4fc7a7..c0f67db641c3 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
+@@ -252,7 +252,7 @@ static int bnxt_send_msg(struct bnxt_en_dev *edev, unsigned int ulp_id,
+       rc = hwrm_req_replace(bp, req, fw_msg->msg, fw_msg->msg_len);
+       if (rc)
+-              return rc;
++              goto drop_req;
+       hwrm_req_timeout(bp, req, fw_msg->timeout);
+       resp = hwrm_req_hold(bp, req);
+@@ -264,6 +264,7 @@ static int bnxt_send_msg(struct bnxt_en_dev *edev, unsigned int ulp_id,
+               memcpy(fw_msg->resp, resp, resp_len);
+       }
++drop_req:
+       hwrm_req_drop(bp, req);
+       return rc;
+ }
+-- 
+2.39.5
+
diff --git a/queue-6.1/cxgb4-avoid-removal-of-uninserted-tid.patch b/queue-6.1/cxgb4-avoid-removal-of-uninserted-tid.patch
new file mode 100644 (file)
index 0000000..af0bf43
--- /dev/null
@@ -0,0 +1,42 @@
+From 6cef5b467704c3a86ff189e2d1571b213edf8476 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Jan 2025 14:53:27 +0530
+Subject: cxgb4: Avoid removal of uninserted tid
+
+From: Anumula Murali Mohan Reddy <anumula@chelsio.com>
+
+[ Upstream commit 4c1224501e9d6c5fd12d83752f1c1b444e0e3418 ]
+
+During ARP failure, tid is not inserted but _c4iw_free_ep()
+attempts to remove tid which results in error.
+This patch fixes the issue by avoiding removal of uninserted tid.
+
+Fixes: 59437d78f088 ("cxgb4/chtls: fix ULD connection failures due to wrong TID base")
+Signed-off-by: Anumula Murali Mohan Reddy <anumula@chelsio.com>
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Link: https://patch.msgid.link/20250103092327.1011925-1-anumula@chelsio.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+index 7ce112b95b62..c09240a5693b 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -1800,7 +1800,10 @@ void cxgb4_remove_tid(struct tid_info *t, unsigned int chan, unsigned int tid,
+       struct adapter *adap = container_of(t, struct adapter, tids);
+       struct sk_buff *skb;
+-      WARN_ON(tid_out_of_range(&adap->tids, tid));
++      if (tid_out_of_range(&adap->tids, tid)) {
++              dev_err(adap->pdev_dev, "tid %d out of range\n", tid);
++              return;
++      }
+       if (t->tid_tab[tid - adap->tids.tid_base]) {
+               t->tid_tab[tid - adap->tids.tid_base] = NULL;
+-- 
+2.39.5
+
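Review bot: The new message in cxgb4_remove_tid() prints `tid` with `%d`, but the signature in the hunk header declares it `unsigned int tid`, so an out-of-range value above INT_MAX would be logged as a negative number; `dev_err(adap->pdev_dev, "tid %u out of range\n", tid);` matches the type. The early return itself is the useful part, because it stops the `t->tid_tab[tid - adap->tids.tid_base]` index below from being evaluated with a tid that WARN_ON only reported. If the ARP-failure path named in the commit message can repeat, `dev_err_ratelimited()` would keep the log from being flooded; whether it can is not visible here. The function body continues outside the hunk.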
diff --git a/queue-6.1/ice-fix-incorrect-phy-settings-for-100-gb-s.patch b/queue-6.1/ice-fix-incorrect-phy-settings-for-100-gb-s.patch
new file mode 100644 (file)
index 0000000..82caa97
--- /dev/null
@@ -0,0 +1,65 @@
+From 2fda5bf49fc75b59f069ef3ba78d6ccef77ce68c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 14:22:18 +0100
+Subject: ice: fix incorrect PHY settings for 100 GB/s
+
+From: Przemyslaw Korba <przemyslaw.korba@intel.com>
+
+[ Upstream commit 6c5b989116083a98f45aada548ff54e7a83a9c2d ]
+
+ptp4l application reports too high offset when ran on E823 device
+with a 100GB/s link. Those values cannot go under 100ns, like in a
+working case when using 100 GB/s cable.
+
+This is due to incorrect frequency settings on the PHY clocks for
+100 GB/s speed. Changes are introduced to align with the internal
+hardware documentation, and correctly initialize frequency in PHY
+clocks with the frequency values that are in our HW spec.
+
+To reproduce the issue run ptp4l as a Time Receiver on E823 device,
+and observe the offset, which will never approach values seen
+in the PTP working case.
+
+Reproduction output:
+ptp4l -i enp137s0f3 -m -2 -s -f /etc/ptp4l_8275.conf
+ptp4l[5278.775]: master offset      12470 s2 freq  +41288 path delay -3002
+ptp4l[5278.837]: master offset      10525 s2 freq  +39202 path delay -3002
+ptp4l[5278.900]: master offset     -24840 s2 freq  -20130 path delay -3002
+ptp4l[5278.963]: master offset      10597 s2 freq  +37908 path delay -3002
+ptp4l[5279.025]: master offset       8883 s2 freq  +36031 path delay -3002
+ptp4l[5279.088]: master offset       7267 s2 freq  +34151 path delay -3002
+ptp4l[5279.150]: master offset       5771 s2 freq  +32316 path delay -3002
+ptp4l[5279.213]: master offset       4388 s2 freq  +30526 path delay -3002
+ptp4l[5279.275]: master offset     -30434 s2 freq  -28485 path delay -3002
+ptp4l[5279.338]: master offset     -28041 s2 freq  -27412 path delay -3002
+ptp4l[5279.400]: master offset       7870 s2 freq  +31118 path delay -3002
+
+Fixes: 3a7496234d17 ("ice: implement basic E822 PTP support")
+Reviewed-by: Milena Olech <milena.olech@intel.com>
+Signed-off-by: Przemyslaw Korba <przemyslaw.korba@intel.com>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ptp_consts.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ptp_consts.h b/drivers/net/ethernet/intel/ice/ice_ptp_consts.h
+index 4109aa3b2fcd..87ce20540f57 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ptp_consts.h
++++ b/drivers/net/ethernet/intel/ice/ice_ptp_consts.h
+@@ -359,9 +359,9 @@ const struct ice_vernier_info_e822 e822_vernier[NUM_ICE_PTP_LNK_SPD] = {
+               /* rx_desk_rsgb_par */
+               644531250, /* 644.53125 MHz Reed Solomon gearbox */
+               /* tx_desk_rsgb_pcs */
+-              644531250, /* 644.53125 MHz Reed Solomon gearbox */
++              390625000, /* 390.625 MHz Reed Solomon gearbox */
+               /* rx_desk_rsgb_pcs */
+-              644531250, /* 644.53125 MHz Reed Solomon gearbox */
++              390625000, /* 390.625 MHz Reed Solomon gearbox */
+               /* tx_fixed_delay */
+               1620,
+               /* pmd_adj_divisor */
+-- 
+2.39.5
+
diff --git a/queue-6.1/ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch b/queue-6.1/ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch
new file mode 100644 (file)
index 0000000..e1acce9
--- /dev/null
@@ -0,0 +1,45 @@
+From 6d7de904e3b2064ad494b10a2d876b520bab0e65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 19:27:12 +0100
+Subject: ieee802154: ca8210: Add missing check for kfifo_alloc() in
+ ca8210_probe()
+
+From: Keisuke Nishimura <keisuke.nishimura@inria.fr>
+
+[ Upstream commit 2c87309ea741341c6722efdf1fb3f50dd427c823 ]
+
+ca8210_test_interface_init() returns the result of kfifo_alloc(),
+which can be non-zero in case of an error. The caller, ca8210_probe(),
+should check the return value and do error-handling if it fails.
+
+Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
+Signed-off-by: Keisuke Nishimura <keisuke.nishimura@inria.fr>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/20241029182712.318271-1-keisuke.nishimura@inria.fr
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/ca8210.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
+index c2201e0adc46..1659bbffdb91 100644
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -3078,7 +3078,11 @@ static int ca8210_probe(struct spi_device *spi_device)
+       spi_set_drvdata(priv->spi, priv);
+       if (IS_ENABLED(CONFIG_IEEE802154_CA8210_DEBUGFS)) {
+               cascoda_api_upstream = ca8210_test_int_driver_write;
+-              ca8210_test_interface_init(priv);
++              ret = ca8210_test_interface_init(priv);
++              if (ret) {
++                      dev_crit(&spi_device->dev, "ca8210_test_interface_init failed\n");
++                      goto error;
++              }
+       } else {
+               cascoda_api_upstream = NULL;
+       }
+-- 
+2.39.5
+
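Review bot: On the new failure path in ca8210_probe() the global `cascoda_api_upstream` has already been set to `ca8210_test_int_driver_write` before `ca8210_test_interface_init(priv)` is called, so the `goto error` leaves it pointing at the test-interface writer unless the `error:` label clears it, and that label is outside the hunk. Assigning the callback only after the init call has returned 0 would avoid publishing it for a device whose kfifo was never allocated. If the cleanup under `error:` also tears down the test interface, it should be confirmed that doing so is safe when the init step itself failed.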
diff --git a/queue-6.1/net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch b/queue-6.1/net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch
new file mode 100644 (file)
index 0000000..2e0019d
--- /dev/null
@@ -0,0 +1,56 @@
+From 4a033f1bd2a068700515b2e6749e20e4d849fb6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jan 2025 20:23:00 -0500
+Subject: net: 802: LLC+SNAP OID:PID lookup on start of skb data
+
+From: Antonio Pastor <antonio.pastor@gmail.com>
+
+[ Upstream commit 1e9b0e1c550c42c13c111d1a31e822057232abc4 ]
+
+802.2+LLC+SNAP frames received by napi_complete_done() with GRO and DSA
+have skb->transport_header set two bytes short, or pointing 2 bytes
+before network_header & skb->data. This was an issue as snap_rcv()
+expected offset to point to SNAP header (OID:PID), causing packet to
+be dropped.
+
+A fix at llc_fixup_skb() (a024e377efed) resets transport_header for any
+LLC consumers that may care about it, and stops SNAP packets from being
+dropped, but doesn't fix the problem which is that LLC and SNAP should
+not use transport_header offset.
+
+Ths patch eliminates the use of transport_header offset for SNAP lookup
+of OID:PID so that SNAP does not rely on the offset at all.
+The offset is reset after pull for any SNAP packet consumers that may
+(but shouldn't) use it.
+
+Fixes: fda55eca5a33 ("net: introduce skb_transport_header_was_set()")
+Signed-off-by: Antonio Pastor <antonio.pastor@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250103012303.746521-1-antonio.pastor@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/802/psnap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/802/psnap.c b/net/802/psnap.c
+index 1406bfdbda13..dbd9647f2ef1 100644
+--- a/net/802/psnap.c
++++ b/net/802/psnap.c
+@@ -55,11 +55,11 @@ static int snap_rcv(struct sk_buff *skb, struct net_device *dev,
+               goto drop;
+       rcu_read_lock();
+-      proto = find_snap_client(skb_transport_header(skb));
++      proto = find_snap_client(skb->data);
+       if (proto) {
+               /* Pass the frame on. */
+-              skb->transport_header += 5;
+               skb_pull_rcsum(skb, 5);
++              skb_reset_transport_header(skb);
+               rc = proto->rcvfunc(skb, dev, &snap_packet_type, orig_dev);
+       }
+       rcu_read_unlock();
+-- 
+2.39.5
+
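Review bot: After this change `find_snap_client(skb->data)` and `skb_pull_rcsum(skb, 5)` both rely on five readable bytes at the head of the skb, and nothing in the visible lines states that; the check that leads to the `goto drop` on the first hunk line sits above the hunk, so I cannot confirm from here what it guarantees. A one-line comment before the lookup, such as `/* SNAP OID:PID (5 bytes) is read from skb->data, not from transport_header */`, would record the new contract. A named constant for the repeated `5` would keep the lookup, the pull and the length check tied together. snap_rcv() starts and ends outside the hunk.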
diff --git a/queue-6.1/net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch b/queue-6.1/net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch
new file mode 100644 (file)
index 0000000..e6b944e
--- /dev/null
@@ -0,0 +1,96 @@
+From e526c88c77e58ff9018ecd16eae32c74ffeb6567 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 17:29:38 +0800
+Subject: net: hns3: fix kernel crash when 1588 is sent on HIP08 devices
+
+From: Jie Wang <wangjie125@huawei.com>
+
+[ Upstream commit 2cf246143519ecc11dab754385ec42d78b6b6a05 ]
+
+Currently, HIP08 devices does not register the ptp devices, so the
+hdev->ptp is NULL. But the tx process would still try to set hardware time
+stamp info with SKBTX_HW_TSTAMP flag and cause a kernel crash.
+
+[  128.087798] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
+...
+[  128.280251] pc : hclge_ptp_set_tx_info+0x2c/0x140 [hclge]
+[  128.286600] lr : hclge_ptp_set_tx_info+0x20/0x140 [hclge]
+[  128.292938] sp : ffff800059b93140
+[  128.297200] x29: ffff800059b93140 x28: 0000000000003280
+[  128.303455] x27: ffff800020d48280 x26: ffff0cb9dc814080
+[  128.309715] x25: ffff0cb9cde93fa0 x24: 0000000000000001
+[  128.315969] x23: 0000000000000000 x22: 0000000000000194
+[  128.322219] x21: ffff0cd94f986000 x20: 0000000000000000
+[  128.328462] x19: ffff0cb9d2a166c0 x18: 0000000000000000
+[  128.334698] x17: 0000000000000000 x16: ffffcf1fc523ed24
+[  128.340934] x15: 0000ffffd530a518 x14: 0000000000000000
+[  128.347162] x13: ffff0cd6bdb31310 x12: 0000000000000368
+[  128.353388] x11: ffff0cb9cfbc7070 x10: ffff2cf55dd11e02
+[  128.359606] x9 : ffffcf1f85a212b4 x8 : ffff0cd7cf27dab0
+[  128.365831] x7 : 0000000000000a20 x6 : ffff0cd7cf27d000
+[  128.372040] x5 : 0000000000000000 x4 : 000000000000ffff
+[  128.378243] x3 : 0000000000000400 x2 : ffffcf1f85a21294
+[  128.384437] x1 : ffff0cb9db520080 x0 : ffff0cb9db500080
+[  128.390626] Call trace:
+[  128.393964]  hclge_ptp_set_tx_info+0x2c/0x140 [hclge]
+[  128.399893]  hns3_nic_net_xmit+0x39c/0x4c4 [hns3]
+[  128.405468]  xmit_one.constprop.0+0xc4/0x200
+[  128.410600]  dev_hard_start_xmit+0x54/0xf0
+[  128.415556]  sch_direct_xmit+0xe8/0x634
+[  128.420246]  __dev_queue_xmit+0x224/0xc70
+[  128.425101]  dev_queue_xmit+0x1c/0x40
+[  128.429608]  ovs_vport_send+0xac/0x1a0 [openvswitch]
+[  128.435409]  do_output+0x60/0x17c [openvswitch]
+[  128.440770]  do_execute_actions+0x898/0x8c4 [openvswitch]
+[  128.446993]  ovs_execute_actions+0x64/0xf0 [openvswitch]
+[  128.453129]  ovs_dp_process_packet+0xa0/0x224 [openvswitch]
+[  128.459530]  ovs_vport_receive+0x7c/0xfc [openvswitch]
+[  128.465497]  internal_dev_xmit+0x34/0xb0 [openvswitch]
+[  128.471460]  xmit_one.constprop.0+0xc4/0x200
+[  128.476561]  dev_hard_start_xmit+0x54/0xf0
+[  128.481489]  __dev_queue_xmit+0x968/0xc70
+[  128.486330]  dev_queue_xmit+0x1c/0x40
+[  128.490856]  ip_finish_output2+0x250/0x570
+[  128.495810]  __ip_finish_output+0x170/0x1e0
+[  128.500832]  ip_finish_output+0x3c/0xf0
+[  128.505504]  ip_output+0xbc/0x160
+[  128.509654]  ip_send_skb+0x58/0xd4
+[  128.513892]  udp_send_skb+0x12c/0x354
+[  128.518387]  udp_sendmsg+0x7a8/0x9c0
+[  128.522793]  inet_sendmsg+0x4c/0x8c
+[  128.527116]  __sock_sendmsg+0x48/0x80
+[  128.531609]  __sys_sendto+0x124/0x164
+[  128.536099]  __arm64_sys_sendto+0x30/0x5c
+[  128.540935]  invoke_syscall+0x50/0x130
+[  128.545508]  el0_svc_common.constprop.0+0x10c/0x124
+[  128.551205]  do_el0_svc+0x34/0xdc
+[  128.555347]  el0_svc+0x20/0x30
+[  128.559227]  el0_sync_handler+0xb8/0xc0
+[  128.563883]  el0_sync+0x160/0x180
+
+Fixes: 0bf5eb788512 ("net: hns3: add support for PTP")
+Signed-off-by: Jie Wang <wangjie125@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c
+index 0f06f95b09bc..8802cdd6403e 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c
+@@ -70,6 +70,9 @@ bool hclge_ptp_set_tx_info(struct hnae3_handle *handle, struct sk_buff *skb)
+       struct hclge_dev *hdev = vport->back;
+       struct hclge_ptp *ptp = hdev->ptp;
++      if (!ptp)
++              return false;
++
+       if (!test_bit(HCLGE_PTP_FLAG_TX_EN, &ptp->flags) ||
+           test_and_set_bit(HCLGE_STATE_PTP_TX_HANDLING, &hdev->state)) {
+               ptp->tx_skipped++;
+-- 
+2.39.5
+
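Review bot: The added `if (!ptp) return false;` in hclge_ptp_set_tx_info() carries no comment saying when `hdev->ptp` is legitimately NULL, so the guard looks like defensive noise to a later reader; something like `/* PTP is not registered on every device (e.g. HIP08), so hdev->ptp may be NULL */` above it would record the reason given in the commit message. The guard protects only this function. Other code in the driver that reads `hdev->ptp` is outside the hunk and should be checked for the same assumption, since the crash in the description was reachable from an ordinary sendto() path. The function body continues past the hunk.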
diff --git a/queue-6.1/net-hns3-fix-missing-features-due-to-dev-features-co.patch b/queue-6.1/net-hns3-fix-missing-features-due-to-dev-features-co.patch
new file mode 100644 (file)
index 0000000..5beea7d
--- /dev/null
@@ -0,0 +1,39 @@
+From 713c2d2cfa899a00d72784c1d0812c7aa2cd56d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 17:29:33 +0800
+Subject: net: hns3: fix missing features due to dev->features configuration
+ too early
+
+From: Hao Lan <lanhao@huawei.com>
+
+[ Upstream commit 662ecfc46690e92cf630f51b5d4bbbcffe102980 ]
+
+Currently, the netdev->features is configured in hns3_nic_set_features.
+As a result, __netdev_update_features considers that there is no feature
+difference, and the procedures of the real features are missing.
+
+Fixes: 2a7556bb2b73 ("net: hns3: implement ndo_features_check ops for hns3 driver")
+Signed-off-by: Hao Lan <lanhao@huawei.com>
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 0377a056aaec..52e205be4ec2 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -2455,7 +2455,6 @@ static int hns3_nic_set_features(struct net_device *netdev,
+                       return ret;
+       }
+-      netdev->features = features;
+       return 0;
+ }
+-- 
+2.39.5
+
diff --git a/queue-6.1/net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch b/queue-6.1/net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch
new file mode 100644 (file)
index 0000000..6bc0354
--- /dev/null
@@ -0,0 +1,45 @@
+From f2ac81ac141cb8be6a90312e52f7e38c2e82973b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 17:29:36 +0800
+Subject: net: hns3: initialize reset_timer before hclgevf_misc_irq_init()
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit d1c2e2961ab460ac2433ff8ad46000582abc573c ]
+
+Currently the misc irq is initialized before reset_timer setup. But
+it will access the reset_timer in the irq handler. So initialize
+the reset_timer earlier.
+
+Fixes: ff200099d271 ("net: hns3: remove unnecessary work in hclgevf_main")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index aebb104f4c29..89560484bf46 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -2307,6 +2307,7 @@ static void hclgevf_state_init(struct hclgevf_dev *hdev)
+       clear_bit(HCLGEVF_STATE_RST_FAIL, &hdev->state);
+       INIT_DELAYED_WORK(&hdev->service_task, hclgevf_service_task);
++      timer_setup(&hdev->reset_timer, hclgevf_reset_timer, 0);
+       mutex_init(&hdev->mbx_resp.mbx_mutex);
+       sema_init(&hdev->reset_sem, 1);
+@@ -3005,7 +3006,6 @@ static int hclgevf_init_hdev(struct hclgevf_dev *hdev)
+                HCLGEVF_DRIVER_NAME);
+       hclgevf_task_schedule(hdev, round_jiffies_relative(HZ));
+-      timer_setup(&hdev->reset_timer, hclgevf_reset_timer, 0);
+       return 0;
+-- 
+2.39.5
+
diff --git a/queue-6.1/net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch b/queue-6.1/net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch
new file mode 100644 (file)
index 0000000..cee9c83
--- /dev/null
@@ -0,0 +1,47 @@
+From 6da1c148558087b44baa5612c175ec41546ebb71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 17:29:34 +0800
+Subject: net: hns3: Resolved the issue that the debugfs query result is
+ inconsistent.
+
+From: Hao Lan <lanhao@huawei.com>
+
+[ Upstream commit 2758f18a83ef283d50c0566d3f672621cc658a1a ]
+
+This patch modifies the implementation of debugfs:
+When the user process stops unexpectedly, not all data of the file system
+is read. In this case, the save_buf pointer is not released. When the user
+process is called next time, save_buf is used to copy the cached data
+to the user space. As a result, the queried data is inconsistent. To solve
+this problem, determine whether the function is invoked for the first time
+based on the value of *ppos. If *ppos is 0, obtain the actual data.
+
+Fixes: 5e69ea7ee2a6 ("net: hns3: refactor the debugfs process")
+Signed-off-by: Hao Lan <lanhao@huawei.com>
+Signed-off-by: Guangwei Zhang <zhangwangwei6@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
+index d2603cfc122c..87720a74341b 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
+@@ -1279,8 +1279,10 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer,
+               /* save the buffer addr until the last read operation */
+               *save_buf = read_buf;
++      }
+-              /* get data ready for the first time to read */
++      /* get data ready for the first time to read */
++      if (!*ppos) {
+               ret = hns3_dbg_read_cmd(dbg_data, hns3_dbg_cmd[index].cmd,
+                                       read_buf, hns3_dbg_cmd[index].buf_len);
+               if (ret)
+-- 
+2.39.5
+
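Review bot: With the refill moved under `if (!*ppos)`, hns3_dbg_read() now rewrites the buffer cached in `*save_buf` every time a read starts at offset 0, and the commit message says that buffer survives from one reading process to the next. If two readers can have the same debugfs file open, one restarting at offset 0 would overwrite the data another is still copying out part-way through; whether a lock around this function prevents that is not visible in the hunk. A comment at the new block, for example `/* refresh the cached buffer on every read from offset 0; later reads of the same pass reuse it */`, would at least state the intended lifetime. The allocation branch that the added `}` closes, and the error path after `if (ret)`, are both outside the hunk.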
diff --git a/queue-6.1/net-mlx5-fix-variable-not-being-completed-when-funct.patch b/queue-6.1/net-mlx5-fix-variable-not-being-completed-when-funct.patch
new file mode 100644 (file)
index 0000000..78a6d63
--- /dev/null
@@ -0,0 +1,62 @@
+From 8ee1a82437de809a641a9d83be604ec117373cf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jan 2025 11:00:09 +0800
+Subject: net/mlx5: Fix variable not being completed when function returns
+
+From: Chenguang Zhao <zhaochenguang@kylinos.cn>
+
+[ Upstream commit 0e2909c6bec9048f49d0c8e16887c63b50b14647 ]
+
+When cmd_alloc_index(), fails cmd_work_handler() needs
+to complete ent->slotted before returning early.
+Otherwise the task which issued the command may hang:
+
+   mlx5_core 0000:01:00.0: cmd_work_handler:877:(pid 3880418): failed to allocate command entry
+   INFO: task kworker/13:2:4055883 blocked for more than 120 seconds.
+         Not tainted 4.19.90-25.44.v2101.ky10.aarch64 #1
+   "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+   kworker/13:2    D    0 4055883      2 0x00000228
+   Workqueue: events mlx5e_tx_dim_work [mlx5_core]
+   Call trace:
+      __switch_to+0xe8/0x150
+      __schedule+0x2a8/0x9b8
+      schedule+0x2c/0x88
+      schedule_timeout+0x204/0x478
+      wait_for_common+0x154/0x250
+      wait_for_completion+0x28/0x38
+      cmd_exec+0x7a0/0xa00 [mlx5_core]
+      mlx5_cmd_exec+0x54/0x80 [mlx5_core]
+      mlx5_core_modify_cq+0x6c/0x80 [mlx5_core]
+      mlx5_core_modify_cq_moderation+0xa0/0xb8 [mlx5_core]
+      mlx5e_tx_dim_work+0x54/0x68 [mlx5_core]
+      process_one_work+0x1b0/0x448
+      worker_thread+0x54/0x468
+      kthread+0x134/0x138
+      ret_from_fork+0x10/0x18
+
+Fixes: 485d65e13571 ("net/mlx5: Add a timeout to acquire the command queue semaphore")
+Signed-off-by: Chenguang Zhao <zhaochenguang@kylinos.cn>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Acked-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20250108030009.68520-1-zhaochenguang@kylinos.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index 4a1eb6cd699c..6dbb4021fd2f 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -1003,6 +1003,7 @@ static void cmd_work_handler(struct work_struct *work)
+                               complete(&ent->done);
+                       }
+                       up(&cmd->vars.sem);
++                      complete(&ent->slotted);
+                       return;
+               }
+       } else {
+-- 
+2.39.5
+
diff --git a/queue-6.1/net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch b/queue-6.1/net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch
new file mode 100644 (file)
index 0000000..2f23139
--- /dev/null
@@ -0,0 +1,74 @@
+From 05e7d0fd02a53afbc04462eb87cdbe09d83e7a41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Jan 2025 10:45:46 +0000
+Subject: net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a039e54397c6a75b713b9ce7894a62e06956aa92 ]
+
+syzbot found that TCA_FLOW_RSHIFT attribute was not validated.
+Right shitfing a 32bit integer is undefined for large shift values.
+
+UBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23
+shift exponent 9445 is too large for 32-bit type 'u32' (aka 'unsigned int')
+CPU: 1 UID: 0 PID: 54 Comm: kworker/u8:3 Not tainted 6.13.0-rc3-syzkaller-00180-g4f619d518db9 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+Workqueue: ipv6_addrconf addrconf_dad_work
+Call Trace:
+ <TASK>
+  __dump_stack lib/dump_stack.c:94 [inline]
+  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+  ubsan_epilogue lib/ubsan.c:231 [inline]
+  __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468
+  flow_classify+0x24d5/0x25b0 net/sched/cls_flow.c:329
+  tc_classify include/net/tc_wrapper.h:197 [inline]
+  __tcf_classify net/sched/cls_api.c:1771 [inline]
+  tcf_classify+0x420/0x1160 net/sched/cls_api.c:1867
+  sfb_classify net/sched/sch_sfb.c:260 [inline]
+  sfb_enqueue+0x3ad/0x18b0 net/sched/sch_sfb.c:318
+  dev_qdisc_enqueue+0x4b/0x290 net/core/dev.c:3793
+  __dev_xmit_skb net/core/dev.c:3889 [inline]
+  __dev_queue_xmit+0xf0e/0x3f50 net/core/dev.c:4400
+  dev_queue_xmit include/linux/netdevice.h:3168 [inline]
+  neigh_hh_output include/net/neighbour.h:523 [inline]
+  neigh_output include/net/neighbour.h:537 [inline]
+  ip_finish_output2+0xd41/0x1390 net/ipv4/ip_output.c:236
+  iptunnel_xmit+0x55d/0x9b0 net/ipv4/ip_tunnel_core.c:82
+  udp_tunnel_xmit_skb+0x262/0x3b0 net/ipv4/udp_tunnel_core.c:173
+  geneve_xmit_skb drivers/net/geneve.c:916 [inline]
+  geneve_xmit+0x21dc/0x2d00 drivers/net/geneve.c:1039
+  __netdev_start_xmit include/linux/netdevice.h:5002 [inline]
+  netdev_start_xmit include/linux/netdevice.h:5011 [inline]
+  xmit_one net/core/dev.c:3590 [inline]
+  dev_hard_start_xmit+0x27a/0x7d0 net/core/dev.c:3606
+  __dev_queue_xmit+0x1b73/0x3f50 net/core/dev.c:4434
+
+Fixes: e5dfb815181f ("[NET_SCHED]: Add flow classifier")
+Reported-by: syzbot+1dbb57d994e54aaa04d2@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6777bf49.050a0220.178762.0040.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250103104546.3714168-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/cls_flow.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c
+index 014cd3de7b5d..7657d86ad142 100644
+--- a/net/sched/cls_flow.c
++++ b/net/sched/cls_flow.c
+@@ -354,7 +354,8 @@ static const struct nla_policy flow_policy[TCA_FLOW_MAX + 1] = {
+       [TCA_FLOW_KEYS]         = { .type = NLA_U32 },
+       [TCA_FLOW_MODE]         = { .type = NLA_U32 },
+       [TCA_FLOW_BASECLASS]    = { .type = NLA_U32 },
+-      [TCA_FLOW_RSHIFT]       = { .type = NLA_U32 },
++      [TCA_FLOW_RSHIFT]       = NLA_POLICY_MAX(NLA_U32,
++                                               31 /* BITS_PER_U32 - 1 */),
+       [TCA_FLOW_ADDEND]       = { .type = NLA_U32 },
+       [TCA_FLOW_MASK]         = { .type = NLA_U32 },
+       [TCA_FLOW_XOR]          = { .type = NLA_U32 },
+-- 
+2.39.5
+
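Review bot: In the `flow_policy[]` entry for `TCA_FLOW_RSHIFT`, the bound is a bare `31` whose meaning lives only in the trailing comment. Deriving it from the type would keep the limit tied to the width of the shifted value, for example `[TCA_FLOW_RSHIFT] = NLA_POLICY_MAX(NLA_U32, BITS_PER_TYPE(u32) - 1),`. The policy rejects out-of-range values when the netlink attribute is parsed, which is the right place for untrusted configuration input. The shift reported at net/sched/cls_flow.c:329 is outside this hunk, so confirm that no other path stores a shift value without passing through this policy. The array initializer continues outside the hunk.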
diff --git a/queue-6.1/netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch b/queue-6.1/netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch
new file mode 100644 (file)
index 0000000..6a1fcb8
--- /dev/null
@@ -0,0 +1,48 @@
+From cae372154fb5dd03c272718114a0c3e1e90bd8c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jan 2025 22:56:33 +0100
+Subject: netfilter: conntrack: clamp maximum hashtable size to INT_MAX
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit b541ba7d1f5a5b7b3e2e22dc9e40e18a7d6dbc13 ]
+
+Use INT_MAX as maximum size for the conntrack hashtable. Otherwise, it
+is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when
+resizing hashtable because __GFP_NOWARN is unset. See:
+
+  0708a0afe291 ("mm: Consider __GFP_NOWARN flag for oversized kvmalloc() calls")
+
+Note: hashtable resize is only possible from init_netns.
+
+Fixes: 9cc1c73ad666 ("netfilter: conntrack: avoid integer overflow when resizing")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 024f93fc8c0b..b7b2ed05ac50 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -2591,12 +2591,15 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
+       struct hlist_nulls_head *hash;
+       unsigned int nr_slots, i;
+-      if (*sizep > (UINT_MAX / sizeof(struct hlist_nulls_head)))
++      if (*sizep > (INT_MAX / sizeof(struct hlist_nulls_head)))
+               return NULL;
+       BUILD_BUG_ON(sizeof(struct hlist_nulls_head) != sizeof(struct hlist_head));
+       nr_slots = *sizep = roundup(*sizep, PAGE_SIZE / sizeof(struct hlist_nulls_head));
++      if (nr_slots > (INT_MAX / sizeof(struct hlist_nulls_head)))
++              return NULL;
++
+       hash = kvcalloc(nr_slots, sizeof(struct hlist_nulls_head), GFP_KERNEL);
+       if (hash && nulls)
+-- 
+2.39.5
+
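Review bot: In `nf_ct_alloc_hashtable()` the limit `INT_MAX / sizeof(struct hlist_nulls_head)` is now written twice, before and after the `roundup()`, and nothing in the code says why the bound is `INT_MAX` rather than `UINT_MAX`. A named local such as `const unsigned int max_slots = INT_MAX / sizeof(struct hlist_nulls_head);` used in both comparisons would keep the two checks from drifting apart, with a one-line comment that larger requests trip the oversized-allocation warning in kvmalloc. The second check is the one that bounds what reaches `kvcalloc()`, because `roundup()` can push the value just past the first limit. On that new failure path `*sizep` has already been overwritten with the rounded-up value; this looks harmless if callers ignore the size when NULL is returned, but the callers are not visible here. The function body continues outside the hunk.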
diff --git a/queue-6.1/netfilter-nf_tables-imbalance-in-flowtable-binding.patch b/queue-6.1/netfilter-nf_tables-imbalance-in-flowtable-binding.patch
new file mode 100644 (file)
index 0000000..5d7d449
--- /dev/null
@@ -0,0 +1,117 @@
+From d43ccc9c3761dfd41fdd81449f2a82d4ee1edfba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jan 2025 13:01:13 +0100
+Subject: netfilter: nf_tables: imbalance in flowtable binding
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 13210fc63f353fe78584048079343413a3cdf819 ]
+
+All these cases cause imbalance between BIND and UNBIND calls:
+
+- Delete an interface from a flowtable with multiple interfaces
+
+- Add a (device to a) flowtable with --check flag
+
+- Delete a netns containing a flowtable
+
+- In an interactive nft session, create a table with owner flag and
+  flowtable inside, then quit.
+
+Fix it by calling FLOW_BLOCK_UNBIND when unregistering hooks, then
+remove late FLOW_BLOCK_UNBIND call when destroying flowtable.
+
+Fixes: ff4bf2f42a40 ("netfilter: nf_tables: add nft_unregister_flowtable_hook()")
+Reported-by: Phil Sutter <phil@nwl.cc>
+Tested-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 07bcf9b7d779..8176533c50ab 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -7979,6 +7979,7 @@ static void nft_unregister_flowtable_hook(struct net *net,
+ }
+ static void __nft_unregister_flowtable_net_hooks(struct net *net,
++                                               struct nft_flowtable *flowtable,
+                                                struct list_head *hook_list,
+                                                bool release_netdev)
+ {
+@@ -7986,6 +7987,8 @@ static void __nft_unregister_flowtable_net_hooks(struct net *net,
+       list_for_each_entry_safe(hook, next, hook_list, list) {
+               nf_unregister_net_hook(net, &hook->ops);
++              flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
++                                          FLOW_BLOCK_UNBIND);
+               if (release_netdev) {
+                       list_del(&hook->list);
+                       kfree_rcu(hook, rcu);
+@@ -7994,9 +7997,10 @@ static void __nft_unregister_flowtable_net_hooks(struct net *net,
+ }
+ static void nft_unregister_flowtable_net_hooks(struct net *net,
++                                             struct nft_flowtable *flowtable,
+                                              struct list_head *hook_list)
+ {
+-      __nft_unregister_flowtable_net_hooks(net, hook_list, false);
++      __nft_unregister_flowtable_net_hooks(net, flowtable, hook_list, false);
+ }
+ static int nft_register_flowtable_net_hooks(struct net *net,
+@@ -8618,8 +8622,6 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
+       flowtable->data.type->free(&flowtable->data);
+       list_for_each_entry_safe(hook, next, &flowtable->hook_list, list) {
+-              flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
+-                                          FLOW_BLOCK_UNBIND);
+               list_del_rcu(&hook->list);
+               kfree_rcu(hook, rcu);
+       }
+@@ -9902,6 +9904,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
+                                                          &nft_trans_flowtable_hooks(trans),
+                                                          NFT_MSG_DELFLOWTABLE);
+                               nft_unregister_flowtable_net_hooks(net,
++                                                                 nft_trans_flowtable(trans),
+                                                                  &nft_trans_flowtable_hooks(trans));
+                       } else {
+                               list_del_rcu(&nft_trans_flowtable(trans)->list);
+@@ -9910,6 +9913,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
+                                                          &nft_trans_flowtable(trans)->hook_list,
+                                                          NFT_MSG_DELFLOWTABLE);
+                               nft_unregister_flowtable_net_hooks(net,
++                                              nft_trans_flowtable(trans),
+                                               &nft_trans_flowtable(trans)->hook_list);
+                       }
+                       break;
+@@ -10140,11 +10144,13 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
+               case NFT_MSG_NEWFLOWTABLE:
+                       if (nft_trans_flowtable_update(trans)) {
+                               nft_unregister_flowtable_net_hooks(net,
++                                              nft_trans_flowtable(trans),
+                                               &nft_trans_flowtable_hooks(trans));
+                       } else {
+                               nft_use_dec_restore(&trans->ctx.table->use);
+                               list_del_rcu(&nft_trans_flowtable(trans)->list);
+                               nft_unregister_flowtable_net_hooks(net,
++                                              nft_trans_flowtable(trans),
+                                               &nft_trans_flowtable(trans)->hook_list);
+                       }
+                       break;
+@@ -10685,7 +10691,8 @@ static void __nft_release_hook(struct net *net, struct nft_table *table)
+       list_for_each_entry(chain, &table->chains, list)
+               __nf_tables_unregister_hook(net, table, chain, true);
+       list_for_each_entry(flowtable, &table->flowtables, list)
+-              __nft_unregister_flowtable_net_hooks(net, &flowtable->hook_list,
++              __nft_unregister_flowtable_net_hooks(net, flowtable,
++                                                   &flowtable->hook_list,
+                                                    true);
+ }
+-- 
+2.39.5
+
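Review bot: In `__nft_unregister_flowtable_net_hooks()` the added `flowtable->data.type->setup(..., FLOW_BLOCK_UNBIND)` call carries no comment, although it moves responsibility for the unbind from `nf_tables_flowtable_destroy()` to the unregister path. A comment above the function such as `/* Unbind each hook as it is unregistered; nf_tables_flowtable_destroy() must not unbind again. */` would protect the BIND/UNBIND balance this commit restores against a later change that re-adds the call on the destroy side. The return value of `setup()` is discarded, as it was in the removed destroy-path call. Whether a failed unbind can leave offload state behind cannot be judged from these hunks, so that is a question for the maintainers rather than a confirmed defect. Several of the touched functions start or end outside the hunks shown.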
diff --git a/queue-6.1/sched-sch_cake-add-bounds-checks-to-host-bulk-flow-f.patch b/queue-6.1/sched-sch_cake-add-bounds-checks-to-host-bulk-flow-f.patch
new file mode 100644 (file)
index 0000000..65d8775
--- /dev/null
@@ -0,0 +1,290 @@
+From 97a8e648132b36b31eb634ae3b18f6d812d8a5f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jan 2025 13:01:05 +0100
+Subject: sched: sch_cake: add bounds checks to host bulk flow fairness counts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 737d4d91d35b5f7fa5bb442651472277318b0bfd ]
+
+Even though we fixed a logic error in the commit cited below, syzbot
+still managed to trigger an underflow of the per-host bulk flow
+counters, leading to an out of bounds memory access.
+
+To avoid any such logic errors causing out of bounds memory accesses,
+this commit factors out all accesses to the per-host bulk flow counters
+to a series of helpers that perform bounds-checking before any
+increments and decrements. This also has the benefit of improving
+readability by moving the conditional checks for the flow mode into
+these helpers, instead of having them spread out throughout the
+code (which was the cause of the original logic error).
+
+As part of this change, the flow quantum calculation is consolidated
+into a helper function, which means that the dithering applied to the
+ost load scaling is now applied both in the DRR rotation and when a
+sparse flow's quantum is first initiated. The only user-visible effect
+of this is that the maximum packet size that can be sent while a flow
+stays sparse will now vary with +/- one byte in some cases. This should
+not make a noticeable difference in practice, and thus it's not worth
+complicating the code to preserve the old behaviour.
+
+Fixes: 546ea84d07e3 ("sched: sch_cake: fix bulk flow accounting logic for host fairness")
+Reported-by: syzbot+f63600d288bfb7057424@syzkaller.appspotmail.com
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Acked-by: Dave Taht <dave.taht@gmail.com>
+Link: https://patch.msgid.link/20250107120105.70685-1-toke@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_cake.c | 140 +++++++++++++++++++++++--------------------
+ 1 file changed, 75 insertions(+), 65 deletions(-)
+
+diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
+index eee9ebad35a5..12dd4d41605c 100644
+--- a/net/sched/sch_cake.c
++++ b/net/sched/sch_cake.c
+@@ -643,6 +643,63 @@ static bool cake_ddst(int flow_mode)
+       return (flow_mode & CAKE_FLOW_DUAL_DST) == CAKE_FLOW_DUAL_DST;
+ }
++static void cake_dec_srchost_bulk_flow_count(struct cake_tin_data *q,
++                                           struct cake_flow *flow,
++                                           int flow_mode)
++{
++      if (likely(cake_dsrc(flow_mode) &&
++                 q->hosts[flow->srchost].srchost_bulk_flow_count))
++              q->hosts[flow->srchost].srchost_bulk_flow_count--;
++}
++
++static void cake_inc_srchost_bulk_flow_count(struct cake_tin_data *q,
++                                           struct cake_flow *flow,
++                                           int flow_mode)
++{
++      if (likely(cake_dsrc(flow_mode) &&
++                 q->hosts[flow->srchost].srchost_bulk_flow_count < CAKE_QUEUES))
++              q->hosts[flow->srchost].srchost_bulk_flow_count++;
++}
++
++static void cake_dec_dsthost_bulk_flow_count(struct cake_tin_data *q,
++                                           struct cake_flow *flow,
++                                           int flow_mode)
++{
++      if (likely(cake_ddst(flow_mode) &&
++                 q->hosts[flow->dsthost].dsthost_bulk_flow_count))
++              q->hosts[flow->dsthost].dsthost_bulk_flow_count--;
++}
++
++static void cake_inc_dsthost_bulk_flow_count(struct cake_tin_data *q,
++                                           struct cake_flow *flow,
++                                           int flow_mode)
++{
++      if (likely(cake_ddst(flow_mode) &&
++                 q->hosts[flow->dsthost].dsthost_bulk_flow_count < CAKE_QUEUES))
++              q->hosts[flow->dsthost].dsthost_bulk_flow_count++;
++}
++
++static u16 cake_get_flow_quantum(struct cake_tin_data *q,
++                               struct cake_flow *flow,
++                               int flow_mode)
++{
++      u16 host_load = 1;
++
++      if (cake_dsrc(flow_mode))
++              host_load = max(host_load,
++                              q->hosts[flow->srchost].srchost_bulk_flow_count);
++
++      if (cake_ddst(flow_mode))
++              host_load = max(host_load,
++                              q->hosts[flow->dsthost].dsthost_bulk_flow_count);
++
++      /* The get_random_u16() is a way to apply dithering to avoid
++       * accumulating roundoff errors
++       */
++      return (q->flow_quantum * quantum_div[host_load] +
++              get_random_u16()) >> 16;
++}
++
+ static u32 cake_hash(struct cake_tin_data *q, const struct sk_buff *skb,
+                    int flow_mode, u16 flow_override, u16 host_override)
+ {
+@@ -789,10 +846,8 @@ static u32 cake_hash(struct cake_tin_data *q, const struct sk_buff *skb,
+               allocate_dst = cake_ddst(flow_mode);
+               if (q->flows[outer_hash + k].set == CAKE_SET_BULK) {
+-                      if (allocate_src)
+-                              q->hosts[q->flows[reduced_hash].srchost].srchost_bulk_flow_count--;
+-                      if (allocate_dst)
+-                              q->hosts[q->flows[reduced_hash].dsthost].dsthost_bulk_flow_count--;
++                      cake_dec_srchost_bulk_flow_count(q, &q->flows[outer_hash + k], flow_mode);
++                      cake_dec_dsthost_bulk_flow_count(q, &q->flows[outer_hash + k], flow_mode);
+               }
+ found:
+               /* reserve queue for future packets in same flow */
+@@ -817,9 +872,10 @@ static u32 cake_hash(struct cake_tin_data *q, const struct sk_buff *skb,
+                       q->hosts[outer_hash + k].srchost_tag = srchost_hash;
+ found_src:
+                       srchost_idx = outer_hash + k;
+-                      if (q->flows[reduced_hash].set == CAKE_SET_BULK)
+-                              q->hosts[srchost_idx].srchost_bulk_flow_count++;
+                       q->flows[reduced_hash].srchost = srchost_idx;
++
++                      if (q->flows[reduced_hash].set == CAKE_SET_BULK)
++                              cake_inc_srchost_bulk_flow_count(q, &q->flows[reduced_hash], flow_mode);
+               }
+               if (allocate_dst) {
+@@ -840,9 +896,10 @@ static u32 cake_hash(struct cake_tin_data *q, const struct sk_buff *skb,
+                       q->hosts[outer_hash + k].dsthost_tag = dsthost_hash;
+ found_dst:
+                       dsthost_idx = outer_hash + k;
+-                      if (q->flows[reduced_hash].set == CAKE_SET_BULK)
+-                              q->hosts[dsthost_idx].dsthost_bulk_flow_count++;
+                       q->flows[reduced_hash].dsthost = dsthost_idx;
++
++                      if (q->flows[reduced_hash].set == CAKE_SET_BULK)
++                              cake_inc_dsthost_bulk_flow_count(q, &q->flows[reduced_hash], flow_mode);
+               }
+       }
+@@ -1855,10 +1912,6 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+       /* flowchain */
+       if (!flow->set || flow->set == CAKE_SET_DECAYING) {
+-              struct cake_host *srchost = &b->hosts[flow->srchost];
+-              struct cake_host *dsthost = &b->hosts[flow->dsthost];
+-              u16 host_load = 1;
+-
+               if (!flow->set) {
+                       list_add_tail(&flow->flowchain, &b->new_flows);
+               } else {
+@@ -1868,18 +1921,8 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+               flow->set = CAKE_SET_SPARSE;
+               b->sparse_flow_count++;
+-              if (cake_dsrc(q->flow_mode))
+-                      host_load = max(host_load, srchost->srchost_bulk_flow_count);
+-
+-              if (cake_ddst(q->flow_mode))
+-                      host_load = max(host_load, dsthost->dsthost_bulk_flow_count);
+-
+-              flow->deficit = (b->flow_quantum *
+-                               quantum_div[host_load]) >> 16;
++              flow->deficit = cake_get_flow_quantum(b, flow, q->flow_mode);
+       } else if (flow->set == CAKE_SET_SPARSE_WAIT) {
+-              struct cake_host *srchost = &b->hosts[flow->srchost];
+-              struct cake_host *dsthost = &b->hosts[flow->dsthost];
+-
+               /* this flow was empty, accounted as a sparse flow, but actually
+                * in the bulk rotation.
+                */
+@@ -1887,12 +1930,8 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+               b->sparse_flow_count--;
+               b->bulk_flow_count++;
+-              if (cake_dsrc(q->flow_mode))
+-                      srchost->srchost_bulk_flow_count++;
+-
+-              if (cake_ddst(q->flow_mode))
+-                      dsthost->dsthost_bulk_flow_count++;
+-
++              cake_inc_srchost_bulk_flow_count(b, flow, q->flow_mode);
++              cake_inc_dsthost_bulk_flow_count(b, flow, q->flow_mode);
+       }
+       if (q->buffer_used > q->buffer_max_used)
+@@ -1949,13 +1988,11 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch)
+ {
+       struct cake_sched_data *q = qdisc_priv(sch);
+       struct cake_tin_data *b = &q->tins[q->cur_tin];
+-      struct cake_host *srchost, *dsthost;
+       ktime_t now = ktime_get();
+       struct cake_flow *flow;
+       struct list_head *head;
+       bool first_flow = true;
+       struct sk_buff *skb;
+-      u16 host_load;
+       u64 delay;
+       u32 len;
+@@ -2055,11 +2092,6 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch)
+       q->cur_flow = flow - b->flows;
+       first_flow = false;
+-      /* triple isolation (modified DRR++) */
+-      srchost = &b->hosts[flow->srchost];
+-      dsthost = &b->hosts[flow->dsthost];
+-      host_load = 1;
+-
+       /* flow isolation (DRR++) */
+       if (flow->deficit <= 0) {
+               /* Keep all flows with deficits out of the sparse and decaying
+@@ -2071,11 +2103,8 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch)
+                               b->sparse_flow_count--;
+                               b->bulk_flow_count++;
+-                              if (cake_dsrc(q->flow_mode))
+-                                      srchost->srchost_bulk_flow_count++;
+-
+-                              if (cake_ddst(q->flow_mode))
+-                                      dsthost->dsthost_bulk_flow_count++;
++                              cake_inc_srchost_bulk_flow_count(b, flow, q->flow_mode);
++                              cake_inc_dsthost_bulk_flow_count(b, flow, q->flow_mode);
+                               flow->set = CAKE_SET_BULK;
+                       } else {
+@@ -2087,19 +2116,7 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch)
+                       }
+               }
+-              if (cake_dsrc(q->flow_mode))
+-                      host_load = max(host_load, srchost->srchost_bulk_flow_count);
+-
+-              if (cake_ddst(q->flow_mode))
+-                      host_load = max(host_load, dsthost->dsthost_bulk_flow_count);
+-
+-              WARN_ON(host_load > CAKE_QUEUES);
+-
+-              /* The get_random_u16() is a way to apply dithering to avoid
+-               * accumulating roundoff errors
+-               */
+-              flow->deficit += (b->flow_quantum * quantum_div[host_load] +
+-                                get_random_u16()) >> 16;
++              flow->deficit += cake_get_flow_quantum(b, flow, q->flow_mode);
+               list_move_tail(&flow->flowchain, &b->old_flows);
+               goto retry;
+@@ -2123,11 +2140,8 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch)
+                               if (flow->set == CAKE_SET_BULK) {
+                                       b->bulk_flow_count--;
+-                                      if (cake_dsrc(q->flow_mode))
+-                                              srchost->srchost_bulk_flow_count--;
+-
+-                                      if (cake_ddst(q->flow_mode))
+-                                              dsthost->dsthost_bulk_flow_count--;
++                                      cake_dec_srchost_bulk_flow_count(b, flow, q->flow_mode);
++                                      cake_dec_dsthost_bulk_flow_count(b, flow, q->flow_mode);
+                                       b->decaying_flow_count++;
+                               } else if (flow->set == CAKE_SET_SPARSE ||
+@@ -2145,12 +2159,8 @@ static struct sk_buff *cake_dequeue(struct Qdisc *sch)
+                               else if (flow->set == CAKE_SET_BULK) {
+                                       b->bulk_flow_count--;
+-                                      if (cake_dsrc(q->flow_mode))
+-                                              srchost->srchost_bulk_flow_count--;
+-
+-                                      if (cake_ddst(q->flow_mode))
+-                                              dsthost->dsthost_bulk_flow_count--;
+-
++                                      cake_dec_srchost_bulk_flow_count(b, flow, q->flow_mode);
++                                      cake_dec_dsthost_bulk_flow_count(b, flow, q->flow_mode);
+                               } else
+                                       b->decaying_flow_count--;
+-- 
+2.39.5
+
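Review bot: In `cake_get_flow_quantum()` the index into `quantum_div[]` is no longer checked at the point of use, because the `WARN_ON(host_load > CAKE_QUEUES)` that `cake_dequeue()` had is removed. The bound now rests entirely on the two `cake_inc_*_bulk_flow_count()` helpers refusing to count past `CAKE_QUEUES`. That invariant is not written down in the new code; a comment on the helpers such as `/* Counters are kept within [0, CAKE_QUEUES] so they remain valid indexes into quantum_div[]. */` would make it explicit. The declaration of `quantum_div[]` is outside this diff, so confirm it has room for index `CAKE_QUEUES`. The helpers also skip the update silently when a bound is hit, which contains the out-of-bounds access but hides the accounting error behind it; a once-only diagnostic is an option if such cases should stay discoverable.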
index 3180901934b0f8afa8c5632b26f5aff0025ca72e..3d1d081161f825aed957b86c5f9cd6b93fb11de3 100644 (file)
@@ -10,3 +10,22 @@ exfat-fix-the-infinite-loop-in-exfat_readdir.patch
 exfat-fix-the-infinite-loop-in-__exfat_free_cluster.patch
 scripts-sorttable-fix-orc_sort_cmp-to-maintain-symme.patch
 asoc-mediatek-disable-buffer-pre-allocation.patch
+ieee802154-ca8210-add-missing-check-for-kfifo_alloc-.patch
+net-802-llc-snap-oid-pid-lookup-on-start-of-skb-data.patch
+tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch
+tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch
+net_sched-cls_flow-validate-tca_flow_rshift-attribut.patch
+bnxt_en-fix-possible-memory-leak-when-hwrm_req_repla.patch
+cxgb4-avoid-removal-of-uninserted-tid.patch
+ice-fix-incorrect-phy-settings-for-100-gb-s.patch
+tls-fix-tls_sw_sendmsg-error-handling.patch
+bluetooth-hci_sync-fix-not-setting-random-address-wh.patch
+tcp-annotate-data-race-around-sk-sk_mark-in-tcp_v4_s.patch
+net-hns3-fix-missing-features-due-to-dev-features-co.patch
+net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch
+net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch
+net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch
+netfilter-nf_tables-imbalance-in-flowtable-binding.patch
+netfilter-conntrack-clamp-maximum-hashtable-size-to-.patch
+sched-sch_cake-add-bounds-checks-to-host-bulk-flow-f.patch
+net-mlx5-fix-variable-not-being-completed-when-funct.patch
diff --git a/queue-6.1/tcp-annotate-data-race-around-sk-sk_mark-in-tcp_v4_s.patch b/queue-6.1/tcp-annotate-data-race-around-sk-sk_mark-in-tcp_v4_s.patch
new file mode 100644 (file)
index 0000000..d799824
--- /dev/null
@@ -0,0 +1,40 @@
+From 3d818b251f438acecddecb38a55ebf34b0806a2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jan 2025 11:14:39 +0100
+Subject: tcp: Annotate data-race around sk->sk_mark in tcp_v4_send_reset
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 80fb40baba19e25a1b6f3ecff6fc5c0171806bde ]
+
+This is a follow-up to 3c5b4d69c358 ("net: annotate data-races around
+sk->sk_mark"). sk->sk_mark can be read and written without holding
+the socket lock. IPv6 equivalent is already covered with READ_ONCE()
+annotation in tcp_v6_send_response().
+
+Fixes: 3c5b4d69c358 ("net: annotate data-races around sk->sk_mark")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/f459d1fc44f205e13f6d8bdca2c8bfb9902ffac9.1736244569.git.daniel@iogearbox.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_ipv4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 984435cb1013..805b1a9eca1c 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -832,7 +832,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
+       sock_net_set(ctl_sk, net);
+       if (sk) {
+               ctl_sk->sk_mark = (sk->sk_state == TCP_TIME_WAIT) ?
+-                                 inet_twsk(sk)->tw_mark : sk->sk_mark;
++                                 inet_twsk(sk)->tw_mark : READ_ONCE(sk->sk_mark);
+               ctl_sk->sk_priority = (sk->sk_state == TCP_TIME_WAIT) ?
+                                  inet_twsk(sk)->tw_priority : sk->sk_priority;
+               transmit_time = tcp_transmit_time(sk);
+-- 
+2.39.5
+
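Review bot: In `tcp_v4_send_reset()` the statement right after the annotated one still reads `sk->sk_priority` without `READ_ONCE()`, in the same block where `sk->sk_mark` is now treated as changing without the socket lock held. If `sk_priority` can also be written locklessly in this tree, the same annotation applies: `inet_twsk(sk)->tw_priority : READ_ONCE(sk->sk_priority);`. That depends on the writer side, which is outside the hunk, so it may belong in a separate backport rather than this one. The function body starts and ends outside the hunk.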
diff --git a/queue-6.1/tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch b/queue-6.1/tcp-dccp-allow-a-connection-when-sk_max_ack_backlog-.patch
new file mode 100644 (file)
index 0000000..4a549fa
--- /dev/null
@@ -0,0 +1,47 @@
+From 7e4468e5438b8cd4c128607f20b9ac3b545b680b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jan 2025 17:14:26 +0000
+Subject: tcp/dccp: allow a connection when sk_max_ack_backlog is zero
+
+From: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
+
+[ Upstream commit 3479c7549fb1dfa7a1db4efb7347c7b8ef50de4b ]
+
+If the backlog of listen() is set to zero, sk_acceptq_is_full() allows
+one connection to be made, but inet_csk_reqsk_queue_is_full() does not.
+When the net.ipv4.tcp_syncookies is zero, inet_csk_reqsk_queue_is_full()
+will cause an immediate drop before the sk_acceptq_is_full() check in
+tcp_conn_request(), resulting in no connection can be made.
+
+This patch tries to keep consistent with 64a146513f8f ("[NET]: Revert
+incorrect accept queue backlog changes.").
+
+Link: https://lore.kernel.org/netdev/20250102080258.53858-1-kuniyu@amazon.com/
+Fixes: ef547f2ac16b ("tcp: remove max_qlen_log")
+Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250102171426.915276-1-dzq.aishenghu0@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/inet_connection_sock.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h
+index 1611fb656ea9..7649d4901f0c 100644
+--- a/include/net/inet_connection_sock.h
++++ b/include/net/inet_connection_sock.h
+@@ -281,7 +281,7 @@ static inline int inet_csk_reqsk_queue_len(const struct sock *sk)
+ static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk)
+ {
+-      return inet_csk_reqsk_queue_len(sk) >= READ_ONCE(sk->sk_max_ack_backlog);
++      return inet_csk_reqsk_queue_len(sk) > READ_ONCE(sk->sk_max_ack_backlog);
+ }
+ bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req);
+-- 
+2.39.5
+
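Review bot: In `inet_csk_reqsk_queue_is_full()` the switch from `>=` to `>` is deliberate but reads like an off-by-one to a later maintainer, and nothing in the code records why. A comment above the return such as `/* '>' matches sk_acceptq_is_full(): a backlog of 0 still admits one request. */` would carry over the reason given in the commit message. The change also lets the request queue hold one more entry than before for every backlog value, not only zero, which matters where the listen backlog is relied on as a cap on pending connection requests.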
diff --git a/queue-6.1/tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch b/queue-6.1/tcp-dccp-complete-lockless-accesses-to-sk-sk_max_ack.patch
new file mode 100644 (file)
index 0000000..ed9f455
--- /dev/null
@@ -0,0 +1,40 @@
+From 74f3cb5b6b933532aa92491f06f58753c6854bed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Mar 2024 17:05:21 +0800
+Subject: tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit 9a79c65f00e2b036e17af3a3a607d7d732b7affb ]
+
+Since commit 099ecf59f05b ("net: annotate lockless accesses to
+sk->sk_max_ack_backlog") decided to handle the sk_max_ack_backlog
+locklessly, there is one more function mostly called in TCP/DCCP
+cases. So this patch completes it:)
+
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20240331090521.71965-1-kerneljasonxing@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 3479c7549fb1 ("tcp/dccp: allow a connection when sk_max_ack_backlog is zero")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/inet_connection_sock.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h
+index 4242f863f560..1611fb656ea9 100644
+--- a/include/net/inet_connection_sock.h
++++ b/include/net/inet_connection_sock.h
+@@ -281,7 +281,7 @@ static inline int inet_csk_reqsk_queue_len(const struct sock *sk)
+ static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk)
+ {
+-      return inet_csk_reqsk_queue_len(sk) >= sk->sk_max_ack_backlog;
++      return inet_csk_reqsk_queue_len(sk) >= READ_ONCE(sk->sk_max_ack_backlog);
+ }
+ bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req);
+-- 
+2.39.5
+
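Review bot: The `READ_ONCE()` added in `inet_csk_reqsk_queue_is_full()` has no comment saying why a plain load was not enough. A one-line comment above the return, such as `/* sk_max_ack_backlog may change concurrently; this read is lockless. */`, would keep the annotation from being dropped in a later cleanup. The matching store is not in this hunk. It is presumably already marked with `WRITE_ONCE()` by commit 099ecf59f05b named in the description, which is worth confirming in the 6.1 tree before this is queued.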
diff --git a/queue-6.1/tls-fix-tls_sw_sendmsg-error-handling.patch b/queue-6.1/tls-fix-tls_sw_sendmsg-error-handling.patch
new file mode 100644 (file)
index 0000000..4f1ec76
--- /dev/null
@@ -0,0 +1,46 @@
+From ce8bd9fda4136e6987c0e4cf7e02648dd311ec8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Jan 2025 10:29:45 -0500
+Subject: tls: Fix tls_sw_sendmsg error handling
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+[ Upstream commit b341ca51d2679829d26a3f6a4aa9aee9abd94f92 ]
+
+We've noticed that NFS can hang when using RPC over TLS on an unstable
+connection, and investigation shows that the RPC layer is stuck in a tight
+loop attempting to transmit, but forever getting -EBADMSG back from the
+underlying network.  The loop begins when tcp_sendmsg_locked() returns
+-EPIPE to tls_tx_records(), but that error is converted to -EBADMSG when
+calling the socket's error reporting handler.
+
+Instead of converting errors from tcp_sendmsg_locked(), let's pass them
+along in this path.  The RPC layer handles -EPIPE by reconnecting the
+transport, which prevents the endless attempts to transmit on a broken
+connection.
+
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance")
+Link: https://patch.msgid.link/9594185559881679d81f071b181a10eb07cd079f.1736004079.git.bcodding@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index 348abadbc2d8..5310441240e7 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -452,7 +452,7 @@ int tls_tx_records(struct sock *sk, int flags)
+ tx_err:
+       if (rc < 0 && rc != -EAGAIN)
+-              tls_err_abort(sk, -EBADMSG);
++              tls_err_abort(sk, rc);
+       return rc;
+ }
+-- 
+2.39.5
+
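Review bot: The `tx_err:` path now forwards whatever negative `rc` it holds to `tls_err_abort()`, and nothing beside the call says this is deliberate. A short comment above the call would record the intent, for example `/* Report the transport's errno unchanged (e.g. -EPIPE) so callers can tell a dead connection from a bad record. */`. The body of `tls_tx_records()` starts outside the hunk, so the full set of values that can reach this label is not visible here. If record-level failures can also arrive with a code other than -EBADMSG, it is worth confirming that consumers of the socket error still treat them as fatal.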