Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Sat, 4 Jan 2025 14:21:15 +0000 (09:21 -0500)
committerSasha Levin <sashal@kernel.org>
Sat, 4 Jan 2025 14:21:15 +0000 (09:21 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
17 files changed:
queue-5.4/af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch [new file with mode: 0644]
queue-5.4/af_packet-fix-vlan_get_tci-vs-msg_peek.patch [new file with mode: 0644]
queue-5.4/alsa-usb-audio-us16x08-initialize-array-before-use.patch [new file with mode: 0644]
queue-5.4/drm-bridge-adv7511-enable-spdif-dai.patch [new file with mode: 0644]
queue-5.4/drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch [new file with mode: 0644]
queue-5.4/ib-mlx5-introduce-and-use-mlx5_core_is_vf.patch [new file with mode: 0644]
queue-5.4/ila-serialize-calls-to-nf_register_net_hooks.patch [new file with mode: 0644]
queue-5.4/net-llc-reset-skb-transport_header.patch [new file with mode: 0644]
queue-5.4/net-mlx5-make-api-mlx5_core_is_ecpf-accept-const-poi.patch [new file with mode: 0644]
queue-5.4/netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch [new file with mode: 0644]
queue-5.4/netfilter-replace-zero-length-array-with-flexible-ar.patch [new file with mode: 0644]
queue-5.4/netrom-check-buffer-length-before-accessing-it.patch [new file with mode: 0644]
queue-5.4/rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch [new file with mode: 0644]
queue-5.4/rdma-bnxt_re-fix-max_qp_wrs-reported.patch [new file with mode: 0644]
queue-5.4/rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch [new file with mode: 0644]
queue-5.4/rdma-mlx5-enforce-same-type-port-association-for-mul.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch b/queue-5.4/af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch
new file mode 100644 (file)
index 0000000..bd53e49
--- /dev/null
@@ -0,0 +1,149 @@
+From 99c1f95f1481bcaebb57b0f1e953bb55b56efa96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Dec 2024 16:10:04 +0000
+Subject: af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f91a5b8089389eb408501af2762f168c3aaa7b79 ]
+
+Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found
+by syzbot.
+
+Rework vlan_get_protocol_dgram() to not touch skb at all,
+so that it can be used from many cpus on the same skb.
+
+Add a const qualifier to skb argument.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff8a8ccd05 len:29 put:14 head:ffff88807fc8e400 data:ffff88807fc8e3f4 tail:0x11 end:0x140 dev:<NULL>
+------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:206 !
+Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 1 UID: 0 PID: 5892 Comm: syz-executor883 Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+ RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]
+ RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216
+Code: 0b 8d 48 c7 c6 86 d5 25 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 5a 69 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
+RSP: 0018:ffffc900038d7638 EFLAGS: 00010282
+RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 609ffd18ea660600
+RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
+RBP: ffff88802483c8d0 R08: ffffffff817f0a8c R09: 1ffff9200071ae60
+R10: dffffc0000000000 R11: fffff5200071ae61 R12: 0000000000000140
+R13: ffff88807fc8e400 R14: ffff88807fc8e3f4 R15: 0000000000000011
+FS:  00007fbac5e006c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fbac5e00d58 CR3: 000000001238e000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+  skb_push+0xe5/0x100 net/core/skbuff.c:2636
+  vlan_get_protocol_dgram+0x165/0x290 net/packet/af_packet.c:585
+  packet_recvmsg+0x948/0x1ef0 net/packet/af_packet.c:3552
+  sock_recvmsg_nosec net/socket.c:1033 [inline]
+  sock_recvmsg+0x22f/0x280 net/socket.c:1055
+  ____sys_recvmsg+0x1c6/0x480 net/socket.c:2803
+  ___sys_recvmsg net/socket.c:2845 [inline]
+  do_recvmmsg+0x426/0xab0 net/socket.c:2940
+  __sys_recvmmsg net/socket.c:3014 [inline]
+  __do_sys_recvmmsg net/socket.c:3037 [inline]
+  __se_sys_recvmmsg net/socket.c:3030 [inline]
+  __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3030
+  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 79eecf631c14 ("af_packet: Handle outgoing VLAN packets without hardware offloading")
+Reported-by: syzbot+74f70bb1cb968bf09e4f@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6772c485.050a0220.2f3838.04c5.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Chengen Du <chengen.du@canonical.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20241230161004.2681892-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/if_vlan.h | 16 +++++++++++++---
+ net/packet/af_packet.c  | 16 ++++------------
+ 2 files changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
+index 4e7e72f3da5b..b3dae069bcd9 100644
+--- a/include/linux/if_vlan.h
++++ b/include/linux/if_vlan.h
+@@ -574,13 +574,16 @@ static inline int vlan_get_tag(const struct sk_buff *skb, u16 *vlan_tci)
+  * vlan_get_protocol - get protocol EtherType.
+  * @skb: skbuff to query
+  * @type: first vlan protocol
++ * @mac_offset: MAC offset
+  * @depth: buffer to store length of eth and vlan tags in bytes
+  *
+  * Returns the EtherType of the packet, regardless of whether it is
+  * vlan encapsulated (normal or hardware accelerated) or not.
+  */
+-static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type,
+-                                       int *depth)
++static inline __be16 __vlan_get_protocol_offset(const struct sk_buff *skb,
++                                              __be16 type,
++                                              int mac_offset,
++                                              int *depth)
+ {
+       unsigned int vlan_depth = skb->mac_len, parse_depth = VLAN_MAX_DEPTH;
+@@ -599,7 +602,8 @@ static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type,
+               do {
+                       struct vlan_hdr vhdr, *vh;
+-                      vh = skb_header_pointer(skb, vlan_depth, sizeof(vhdr), &vhdr);
++                      vh = skb_header_pointer(skb, mac_offset + vlan_depth,
++                                              sizeof(vhdr), &vhdr);
+                       if (unlikely(!vh || !--parse_depth))
+                               return 0;
+@@ -614,6 +618,12 @@ static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type,
+       return type;
+ }
++static inline __be16 __vlan_get_protocol(const struct sk_buff *skb, __be16 type,
++                                       int *depth)
++{
++      return __vlan_get_protocol_offset(skb, type, 0, depth);
++}
++
+ /**
+  * vlan_get_protocol - get protocol EtherType.
+  * @skb: skbuff to query
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 4938926137b2..b1cf6a069e63 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -522,21 +522,13 @@ static u16 vlan_get_tci(const struct sk_buff *skb, struct net_device *dev)
+       return ntohs(vh->h_vlan_TCI);
+ }
+-static __be16 vlan_get_protocol_dgram(struct sk_buff *skb)
++static __be16 vlan_get_protocol_dgram(const struct sk_buff *skb)
+ {
+       __be16 proto = skb->protocol;
+-      if (unlikely(eth_type_vlan(proto))) {
+-              u8 *skb_orig_data = skb->data;
+-              int skb_orig_len = skb->len;
+-
+-              skb_push(skb, skb->data - skb_mac_header(skb));
+-              proto = __vlan_get_protocol(skb, proto, NULL);
+-              if (skb_orig_data != skb->data) {
+-                      skb->data = skb_orig_data;
+-                      skb->len = skb_orig_len;
+-              }
+-      }
++      if (unlikely(eth_type_vlan(proto)))
++              proto = __vlan_get_protocol_offset(skb, proto,
++                                                 skb_mac_offset(skb), NULL);
+       return proto;
+ }
+-- 
+2.39.5
+
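Review bot: In the include/linux/if_vlan.h part of this queued patch, `skb_header_pointer(skb, mac_offset + vlan_depth, ...)` adds a signed `int mac_offset` to the `unsigned int vlan_depth`, and the kernel-doc line `@mac_offset: MAC offset` says neither what the offset is relative to nor that it can be negative. The removed af_packet.c code pushed by `skb->data - skb_mac_header(skb)`, so the value `vlan_get_protocol_dgram()` now passes via `skb_mac_offset(skb)` is presumably zero or negative, and the sum is only right because the unsigned result wraps back when converted to the `int offset` parameter of skb_header_pointer(). I would document that, e.g. `@mac_offset: offset of the MAC header relative to skb->data (may be negative)`, and retitle the kernel-doc block, which still reads `vlan_get_protocol - get protocol EtherType.` above `__vlan_get_protocol_offset()`. The same signed/unsigned sum appears in queue-5.4/af_packet-fix-vlan_get_tci-vs-msg_peek.patch as `skb_mac_offset(skb) + header_len`. The body of `__vlan_get_protocol_offset()` is only partly visible in these hunks.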
diff --git a/queue-5.4/af_packet-fix-vlan_get_tci-vs-msg_peek.patch b/queue-5.4/af_packet-fix-vlan_get_tci-vs-msg_peek.patch
new file mode 100644 (file)
index 0000000..9cff69f
--- /dev/null
@@ -0,0 +1,102 @@
+From d2f56827f5fd50a30aca21c01e47cac437e3b56c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Dec 2024 16:10:03 +0000
+Subject: af_packet: fix vlan_get_tci() vs MSG_PEEK
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 77ee7a6d16b6ec07b5c3ae2b6b60a24c1afbed09 ]
+
+Blamed commit forgot MSG_PEEK case, allowing a crash [1] as found
+by syzbot.
+
+Rework vlan_get_tci() to not touch skb at all,
+so that it can be used from many cpus on the same skb.
+
+Add a const qualifier to skb argument.
+
+[1]
+skbuff: skb_under_panic: text:ffffffff8a8da482 len:32 put:14 head:ffff88807a1d5800 data:ffff88807a1d5810 tail:0x14 end:0x140 dev:<NULL>
+------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:206 !
+Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 0 UID: 0 PID: 5880 Comm: syz-executor172 Not tainted 6.13.0-rc3-syzkaller-00762-g9268abe611b0 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+ RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]
+ RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216
+Code: 0b 8d 48 c7 c6 9e 6c 26 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 3a 5a 79 f7 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
+RSP: 0018:ffffc90003baf5b8 EFLAGS: 00010286
+RAX: 0000000000000087 RBX: dffffc0000000000 RCX: 8565c1eec37aa000
+RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
+RBP: ffff88802616fb50 R08: ffffffff817f0a4c R09: 1ffff92000775e50
+R10: dffffc0000000000 R11: fffff52000775e51 R12: 0000000000000140
+R13: ffff88807a1d5800 R14: ffff88807a1d5810 R15: 0000000000000014
+FS:  00007fa03261f6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffd65753000 CR3: 0000000031720000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+  skb_push+0xe5/0x100 net/core/skbuff.c:2636
+  vlan_get_tci+0x272/0x550 net/packet/af_packet.c:565
+  packet_recvmsg+0x13c9/0x1ef0 net/packet/af_packet.c:3616
+  sock_recvmsg_nosec net/socket.c:1044 [inline]
+  sock_recvmsg+0x22f/0x280 net/socket.c:1066
+  ____sys_recvmsg+0x1c6/0x480 net/socket.c:2814
+  ___sys_recvmsg net/socket.c:2856 [inline]
+  do_recvmmsg+0x426/0xab0 net/socket.c:2951
+  __sys_recvmmsg net/socket.c:3025 [inline]
+  __do_sys_recvmmsg net/socket.c:3048 [inline]
+  __se_sys_recvmmsg net/socket.c:3041 [inline]
+  __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3041
+  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+
+Fixes: 79eecf631c14 ("af_packet: Handle outgoing VLAN packets without hardware offloading")
+Reported-by: syzbot+8400677f3fd43f37d3bc@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6772c485.050a0220.2f3838.04c6.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Chengen Du <chengen.du@canonical.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20241230161004.2681892-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 88bc4a21dda4..4938926137b2 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -492,10 +492,8 @@ static void *packet_current_frame(struct packet_sock *po,
+       return packet_lookup_frame(po, rb, rb->head, status);
+ }
+-static u16 vlan_get_tci(struct sk_buff *skb, struct net_device *dev)
++static u16 vlan_get_tci(const struct sk_buff *skb, struct net_device *dev)
+ {
+-      u8 *skb_orig_data = skb->data;
+-      int skb_orig_len = skb->len;
+       struct vlan_hdr vhdr, *vh;
+       unsigned int header_len;
+@@ -516,12 +514,8 @@ static u16 vlan_get_tci(struct sk_buff *skb, struct net_device *dev)
+       else
+               return 0;
+-      skb_push(skb, skb->data - skb_mac_header(skb));
+-      vh = skb_header_pointer(skb, header_len, sizeof(vhdr), &vhdr);
+-      if (skb_orig_data != skb->data) {
+-              skb->data = skb_orig_data;
+-              skb->len = skb_orig_len;
+-      }
++      vh = skb_header_pointer(skb, skb_mac_offset(skb) + header_len,
++                              sizeof(vhdr), &vhdr);
+       if (unlikely(!vh))
+               return 0;
+-- 
+2.39.5
+
diff --git a/queue-5.4/alsa-usb-audio-us16x08-initialize-array-before-use.patch b/queue-5.4/alsa-usb-audio-us16x08-initialize-array-before-use.patch
new file mode 100644 (file)
index 0000000..f7048f6
--- /dev/null
@@ -0,0 +1,43 @@
+From ad34257a12d173ca02b6af894e22b30310c9074e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Dec 2024 11:32:42 +0530
+Subject: ALSA: usb-audio: US16x08: Initialize array before use
+
+From: Tanya Agarwal <tanyaagarwal25699@gmail.com>
+
+[ Upstream commit b06a6187ef983f501e93faa56209169752d3bde3 ]
+
+Initialize meter_urb array before use in mixer_us16x08.c.
+
+CID 1410197: (#1 of 1): Uninitialized scalar variable (UNINIT)
+uninit_use_in_call: Using uninitialized value *meter_urb when
+calling get_meter_levels_from_urb.
+
+Coverity Link:
+https://scan7.scan.coverity.com/#/project-view/52849/11354?selectedIssue=1410197
+
+Fixes: d2bb390a2081 ("ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk")
+Signed-off-by: Tanya Agarwal <tanyaagarwal25699@gmail.com>
+Link: https://patch.msgid.link/20241229060240.1642-1-tanyaagarwal25699@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/mixer_us16x08.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/mixer_us16x08.c b/sound/usb/mixer_us16x08.c
+index c6c834ac83ac..eb59a59dcdbf 100644
+--- a/sound/usb/mixer_us16x08.c
++++ b/sound/usb/mixer_us16x08.c
+@@ -687,7 +687,7 @@ static int snd_us16x08_meter_get(struct snd_kcontrol *kcontrol,
+       struct usb_mixer_elem_info *elem = kcontrol->private_data;
+       struct snd_usb_audio *chip = elem->head.mixer->chip;
+       struct snd_us16x08_meter_store *store = elem->private_data;
+-      u8 meter_urb[64];
++      u8 meter_urb[64] = {0};
+       switch (kcontrol->private_value) {
+       case 0: {
+-- 
+2.39.5
+
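Review bot: The `= {0}` on `meter_urb` in snd_us16x08_meter_get() removes the uninitialized read that Coverity reported, but the hunk does not show whether the call that fills the buffer has its return value checked. If it does not, a failed or short transfer is now parsed as 64 zero bytes rather than reported as an error. The initializer deserves a short why-comment such as `/* zeroed: a failed URB read must not expose stale stack bytes as meter levels */`, and the result handling of the fill call should be confirmed in the part of the function outside this hunk.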
diff --git a/queue-5.4/drm-bridge-adv7511-enable-spdif-dai.patch b/queue-5.4/drm-bridge-adv7511-enable-spdif-dai.patch
new file mode 100644 (file)
index 0000000..067c789
--- /dev/null
@@ -0,0 +1,69 @@
+From d6e80b9315719d2f70ed393c78c025970c2d5abb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2020 14:35:07 +0300
+Subject: drm: bridge: adv7511: Enable SPDIF DAI
+
+From: Bogdan Togorean <bogdan.togorean@analog.com>
+
+[ Upstream commit f7f436b99364a3904387eba613fc69853cc2f220 ]
+
+ADV7511 support I2S or SPDIF as audio input interfaces. This commit
+enable support for SPDIF.
+
+Signed-off-by: Bogdan Togorean <bogdan.togorean@analog.com>
+Reviewed-by: Andrzej Hajda <a.hajda@samsung.com>
+Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200413113513.86091-1-bogdan.togorean@analog.com
+Stable-dep-of: 902806baf3c1 ("drm/bridge: adv7511_audio: Update Audio InfoFrame properly")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
+index d05b3033b510..f101dd2819b5 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
+@@ -121,6 +121,9 @@ int adv7511_hdmi_hw_params(struct device *dev, void *data,
+               audio_source = ADV7511_AUDIO_SOURCE_I2S;
+               i2s_format = ADV7511_I2S_FORMAT_LEFT_J;
+               break;
++      case HDMI_SPDIF:
++              audio_source = ADV7511_AUDIO_SOURCE_SPDIF;
++              break;
+       default:
+               return -EINVAL;
+       }
+@@ -177,11 +180,21 @@ static int audio_startup(struct device *dev, void *data)
+       /* use Audio infoframe updated info */
+       regmap_update_bits(adv7511->regmap, ADV7511_REG_GC(1),
+                               BIT(5), 0);
++      /* enable SPDIF receiver */
++      if (adv7511->audio_source == ADV7511_AUDIO_SOURCE_SPDIF)
++              regmap_update_bits(adv7511->regmap, ADV7511_REG_AUDIO_CONFIG,
++                                 BIT(7), BIT(7));
++
+       return 0;
+ }
+ static void audio_shutdown(struct device *dev, void *data)
+ {
++      struct adv7511 *adv7511 = dev_get_drvdata(dev);
++
++      if (adv7511->audio_source == ADV7511_AUDIO_SOURCE_SPDIF)
++              regmap_update_bits(adv7511->regmap, ADV7511_REG_AUDIO_CONFIG,
++                                 BIT(7), 0);
+ }
+ static int adv7511_hdmi_i2s_get_dai_id(struct snd_soc_component *component,
+@@ -215,6 +228,7 @@ static const struct hdmi_codec_pdata codec_data = {
+       .ops = &adv7511_codec_ops,
+       .max_i2s_channels = 2,
+       .i2s = 1,
++      .spdif = 1,
+ };
+ int adv7511_audio_init(struct device *dev, struct adv7511 *adv7511)
+-- 
+2.39.5
+
diff --git a/queue-5.4/drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch b/queue-5.4/drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch
new file mode 100644 (file)
index 0000000..0bb080c
--- /dev/null
@@ -0,0 +1,74 @@
+From 781bf7474b9bc59be28292a1bd9c7351805eff0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Nov 2024 08:40:29 +0100
+Subject: drm/bridge: adv7511_audio: Update Audio InfoFrame properly
+
+From: Stefan Ekenberg <stefan.ekenberg@axis.com>
+
+[ Upstream commit 902806baf3c1e8383c1fe3ff0b6042b8cb5c2707 ]
+
+AUDIO_UPDATE bit (Bit 5 of MAIN register 0x4A) needs to be set to 1
+while updating Audio InfoFrame information and then set to 0 when done.
+Otherwise partially updated Audio InfoFrames could be sent out. Two
+cases where this rule were not followed are fixed:
+ - In adv7511_hdmi_hw_params() make sure AUDIO_UPDATE bit is updated
+   before/after setting ADV7511_REG_AUDIO_INFOFRAME.
+ - In audio_startup() use the correct register for clearing
+   AUDIO_UPDATE bit.
+
+The problem with corrupted audio infoframes were discovered by letting
+a HDMI logic analyser check the output of ADV7535.
+
+Note that this patchs replaces writing REG_GC(1) with
+REG_INFOFRAME_UPDATE. Bit 5 of REG_GC(1) is positioned within field
+GC_PP[3:0] and that field doesn't control audio infoframe and is read-
+only. My conclusion therefore was that the author if this code meant to
+clear bit 5 of REG_INFOFRAME_UPDATE from the very beginning.
+
+Tested-by: Biju Das <biju.das.jz@bp.renesas.com>
+Fixes: 53c515befe28 ("drm/bridge: adv7511: Add Audio support")
+Signed-off-by: Stefan Ekenberg <stefan.ekenberg@axis.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241119-adv7511-audio-info-frame-v4-1-4ae68e76c89c@axis.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/adv7511/adv7511_audio.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
+index f101dd2819b5..0a1ac11e2e4f 100644
+--- a/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_audio.c
+@@ -147,7 +147,16 @@ int adv7511_hdmi_hw_params(struct device *dev, void *data,
+                          ADV7511_AUDIO_CFG3_LEN_MASK, len);
+       regmap_update_bits(adv7511->regmap, ADV7511_REG_I2C_FREQ_ID_CFG,
+                          ADV7511_I2C_FREQ_ID_CFG_RATE_MASK, rate << 4);
+-      regmap_write(adv7511->regmap, 0x73, 0x1);
++
++      /* send current Audio infoframe values while updating */
++      regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE,
++                         BIT(5), BIT(5));
++
++      regmap_write(adv7511->regmap, ADV7511_REG_AUDIO_INFOFRAME(0), 0x1);
++
++      /* use Audio infoframe updated info */
++      regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE,
++                         BIT(5), 0);
+       return 0;
+ }
+@@ -178,8 +187,9 @@ static int audio_startup(struct device *dev, void *data)
+       regmap_update_bits(adv7511->regmap, ADV7511_REG_GC(0),
+                               BIT(7) | BIT(6), BIT(7));
+       /* use Audio infoframe updated info */
+-      regmap_update_bits(adv7511->regmap, ADV7511_REG_GC(1),
++      regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE,
+                               BIT(5), 0);
++
+       /* enable SPDIF receiver */
+       if (adv7511->audio_source == ADV7511_AUDIO_SOURCE_SPDIF)
+               regmap_update_bits(adv7511->regmap, ADV7511_REG_AUDIO_CONFIG,
+-- 
+2.39.5
+
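Review bot: The three-step sequence added to adv7511_hdmi_hw_params() discards the return value of every `regmap_update_bits()` and `regmap_write()` call and then returns 0. If the final `regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE, BIT(5), 0)` fails, AUDIO_UPDATE stays set while the caller is told the parameters were applied, although the commit message requires the bit to be cleared once the update is done. Consider propagating the error from at least that last call, for example `return regmap_update_bits(adv7511->regmap, ADV7511_REG_INFOFRAME_UPDATE, BIT(5), 0);`, and giving `BIT(5)` a name, since this patch now uses it three times against ADV7511_REG_INFOFRAME_UPDATE. The start of the function is outside the hunk.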
diff --git a/queue-5.4/ib-mlx5-introduce-and-use-mlx5_core_is_vf.patch b/queue-5.4/ib-mlx5-introduce-and-use-mlx5_core_is_vf.patch
new file mode 100644 (file)
index 0000000..6cd8585
--- /dev/null
@@ -0,0 +1,57 @@
+From 141c1fe31feaf455ef8446df7d90fb38625bdb31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Oct 2019 23:35:30 +0000
+Subject: IB/mlx5: Introduce and use mlx5_core_is_vf()
+
+From: Parav Pandit <parav@mellanox.com>
+
+[ Upstream commit e53a9d26cf80565cfb7172fc52a0dfac73613a0f ]
+
+Instead of deciding a given device is virtual function or
+not based on a device is PF or not, use already defined
+MLX5_COREDEV_VF by introducing an helper API mlx5_core_is_vf().
+
+This enables to clearly identify PF, VF and non virtual functions.
+
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Vu Pham <vuhuong@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Stable-dep-of: e05feab22fd7 ("RDMA/mlx5: Enforce same type port association for multiport RoCE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 2 +-
+ include/linux/mlx5/driver.h       | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index 6698032af87d..5e00acb9bb31 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -1034,7 +1034,7 @@ static int mlx5_ib_query_device(struct ib_device *ibdev,
+       if (MLX5_CAP_GEN(mdev, cd))
+               props->device_cap_flags |= IB_DEVICE_CROSS_CHANNEL;
+-      if (!mlx5_core_is_pf(mdev))
++      if (mlx5_core_is_vf(mdev))
+               props->device_cap_flags |= IB_DEVICE_VIRTUAL_FUNCTION;
+       if (mlx5_ib_port_link_layer(ibdev, 1) ==
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index 18fd0a030584..9744d9a2d71e 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -1132,6 +1132,11 @@ static inline bool mlx5_core_is_pf(const struct mlx5_core_dev *dev)
+       return dev->coredev_type == MLX5_COREDEV_PF;
+ }
++static inline bool mlx5_core_is_vf(const struct mlx5_core_dev *dev)
++{
++      return dev->coredev_type == MLX5_COREDEV_VF;
++}
++
+ static inline bool mlx5_core_is_ecpf(struct mlx5_core_dev *dev)
+ {
+       return dev->caps.embedded_cpu;
+-- 
+2.39.5
+
diff --git a/queue-5.4/ila-serialize-calls-to-nf_register_net_hooks.patch b/queue-5.4/ila-serialize-calls-to-nf_register_net_hooks.patch
new file mode 100644 (file)
index 0000000..49e6d2c
--- /dev/null
@@ -0,0 +1,113 @@
+From e9cf36dcde7d7bf24a3941e426aafb379084fcf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Dec 2024 16:28:49 +0000
+Subject: ila: serialize calls to nf_register_net_hooks()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 260466b576bca0081a7d4acecc8e93687aa22d0e ]
+
+syzbot found a race in ila_add_mapping() [1]
+
+commit 031ae72825ce ("ila: call nf_unregister_net_hooks() sooner")
+attempted to fix a similar issue.
+
+Looking at the syzbot repro, we have concurrent ILA_CMD_ADD commands.
+
+Add a mutex to make sure at most one thread is calling nf_register_net_hooks().
+
+[1]
+ BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
+ BUG: KASAN: slab-use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
+Read of size 4 at addr ffff888028f40008 by task dhcpcd/5501
+
+CPU: 1 UID: 0 PID: 5501 Comm: dhcpcd Not tainted 6.13.0-rc4-syzkaller-00054-gd6ef8b40d075 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+Call Trace:
+ <IRQ>
+  __dump_stack lib/dump_stack.c:94 [inline]
+  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+  print_address_description mm/kasan/report.c:378 [inline]
+  print_report+0xc3/0x620 mm/kasan/report.c:489
+  kasan_report+0xd9/0x110 mm/kasan/report.c:602
+  rht_key_hashfn include/linux/rhashtable.h:159 [inline]
+  __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
+  rhashtable_lookup include/linux/rhashtable.h:646 [inline]
+  rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
+  ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:127 [inline]
+  ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline]
+  ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:185
+  nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+  nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626
+  nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
+  NF_HOOK include/linux/netfilter.h:312 [inline]
+  ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
+  __netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5672
+  __netif_receive_skb+0x1d/0x160 net/core/dev.c:5785
+  process_backlog+0x443/0x15f0 net/core/dev.c:6117
+  __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6883
+  napi_poll net/core/dev.c:6952 [inline]
+  net_rx_action+0xa94/0x1010 net/core/dev.c:7074
+  handle_softirqs+0x213/0x8f0 kernel/softirq.c:561
+  __do_softirq kernel/softirq.c:595 [inline]
+  invoke_softirq kernel/softirq.c:435 [inline]
+  __irq_exit_rcu+0x109/0x170 kernel/softirq.c:662
+  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
+  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
+  sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049
+
+Fixes: 7f00feaf1076 ("ila: Add generic ILA translation facility")
+Reported-by: syzbot+47e761d22ecf745f72b9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6772c9ae.050a0220.2f3838.04c7.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Florian Westphal <fw@strlen.de>
+Cc: Tom Herbert <tom@herbertland.com>
+Link: https://patch.msgid.link/20241230162849.2795486-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ila/ila_xlat.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv6/ila/ila_xlat.c b/net/ipv6/ila/ila_xlat.c
+index 1a0f580da652..5ca527110d02 100644
+--- a/net/ipv6/ila/ila_xlat.c
++++ b/net/ipv6/ila/ila_xlat.c
+@@ -201,6 +201,8 @@ static const struct nf_hook_ops ila_nf_hook_ops[] = {
+       },
+ };
++static DEFINE_MUTEX(ila_mutex);
++
+ static int ila_add_mapping(struct net *net, struct ila_xlat_params *xp)
+ {
+       struct ila_net *ilan = net_generic(net, ila_net_id);
+@@ -208,16 +210,20 @@ static int ila_add_mapping(struct net *net, struct ila_xlat_params *xp)
+       spinlock_t *lock = ila_get_lock(ilan, xp->ip.locator_match);
+       int err = 0, order;
+-      if (!ilan->xlat.hooks_registered) {
++      if (!READ_ONCE(ilan->xlat.hooks_registered)) {
+               /* We defer registering net hooks in the namespace until the
+                * first mapping is added.
+                */
+-              err = nf_register_net_hooks(net, ila_nf_hook_ops,
+-                                          ARRAY_SIZE(ila_nf_hook_ops));
++              mutex_lock(&ila_mutex);
++              if (!ilan->xlat.hooks_registered) {
++                      err = nf_register_net_hooks(net, ila_nf_hook_ops,
++                                              ARRAY_SIZE(ila_nf_hook_ops));
++                      if (!err)
++                              WRITE_ONCE(ilan->xlat.hooks_registered, true);
++              }
++              mutex_unlock(&ila_mutex);
+               if (err)
+                       return err;
+-
+-              ilan->xlat.hooks_registered = true;
+       }
+       ila = kzalloc(sizeof(*ila), GFP_KERNEL);
+-- 
+2.39.5
+
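Review bot: `static DEFINE_MUTEX(ila_mutex);` is added without a comment saying what it protects, while the flag it guards is read locklessly on the fast path of ila_add_mapping(). A line such as `/* serializes the one-time nf_register_net_hooks() call; xlat.hooks_registered is written only under this mutex */` would make the unlocked check followed by the locked re-check easier to follow. Any other reader or writer of `ilan->xlat.hooks_registered` outside this hunk (for instance on the teardown side) should be checked for a matching `READ_ONCE()` or for holding the mutex; that code is not visible here. The mutex is file-global, so first-mapping registration is serialized across all network namespaces, which looks acceptable for a one-time path.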
diff --git a/queue-5.4/net-llc-reset-skb-transport_header.patch b/queue-5.4/net-llc-reset-skb-transport_header.patch
new file mode 100644 (file)
index 0000000..cc14c87
--- /dev/null
@@ -0,0 +1,62 @@
+From 745f93d1576527297dd4cff91d64a33d44ed6a33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Dec 2024 20:07:20 -0500
+Subject: net: llc: reset skb->transport_header
+
+From: Antonio Pastor <antonio.pastor@gmail.com>
+
+[ Upstream commit a024e377efed31ecfb39210bed562932321345b3 ]
+
+802.2+LLC+SNAP frames received by napi_complete_done with GRO and DSA
+have skb->transport_header set two bytes short, or pointing 2 bytes
+before network_header & skb->data. As snap_rcv expects transport_header
+to point to SNAP header (OID:PID) after LLC processing advances offset
+over LLC header (llc_rcv & llc_fixup_skb), code doesn't find a match
+and packet is dropped.
+
+Between napi_complete_done and snap_rcv, transport_header is not used
+until __netif_receive_skb_core, where originally it was being reset.
+Commit fda55eca5a33 ("net: introduce skb_transport_header_was_set()")
+only does so if not set, on the assumption the value was set correctly
+by GRO (and also on assumption that "network stacks usually reset the
+transport header anyway"). Afterwards it is moved forward by
+llc_fixup_skb.
+
+Locally generated traffic shows up at __netif_receive_skb_core with no
+transport_header set and is processed without issue. On a setup with
+GRO but no DSA, transport_header and network_header are both set to
+point to skb->data which is also correct.
+
+As issue is LLC specific, to avoid impacting non-LLC traffic, and to
+follow up on original assumption made on previous code change,
+llc_fixup_skb to reset the offset after skb pull. llc_fixup_skb
+assumes the LLC header is at skb->data, and by definition SNAP header
+immediately follows.
+
+Fixes: fda55eca5a33 ("net: introduce skb_transport_header_was_set()")
+Signed-off-by: Antonio Pastor <antonio.pastor@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20241225010723.2830290-1-antonio.pastor@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/llc/llc_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
+index f4fb309185ce..4229c349651d 100644
+--- a/net/llc/llc_input.c
++++ b/net/llc/llc_input.c
+@@ -124,8 +124,8 @@ static inline int llc_fixup_skb(struct sk_buff *skb)
+       if (unlikely(!pskb_may_pull(skb, llc_len)))
+               return 0;
+-      skb->transport_header += llc_len;
+       skb_pull(skb, llc_len);
++      skb_reset_transport_header(skb);
+       if (skb->protocol == htons(ETH_P_802_2)) {
+               __be16 pdulen;
+               s32 data_size;
+-- 
+2.39.5
+
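Review bot: The replacement of `skb->transport_header += llc_len` by `skb_reset_transport_header(skb)` after `skb_pull()` in llc_fixup_skb() carries its whole rationale in the commit message and none in the code. A comment above the new line, e.g. `/* transport_header may arrive stale; the SNAP header starts at skb->data after the pull */`, would keep a later cleanup from reverting to the relative adjustment. The function continues past the end of the hunk.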
diff --git a/queue-5.4/net-mlx5-make-api-mlx5_core_is_ecpf-accept-const-poi.patch b/queue-5.4/net-mlx5-make-api-mlx5_core_is_ecpf-accept-const-poi.patch
new file mode 100644 (file)
index 0000000..87c4347
--- /dev/null
@@ -0,0 +1,37 @@
+From 4d7aefbcba7ce77bf7e359935708c581d72919d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Nov 2020 15:03:36 -0800
+Subject: net/mlx5: Make API mlx5_core_is_ecpf accept const pointer
+
+From: Parav Pandit <parav@nvidia.com>
+
+[ Upstream commit 3b1e58aa832ed537289be6a51a2015309688a90c ]
+
+Subsequent patch implements helper API which has mlx5_core_dev
+as const pointer, make its caller API too const *.
+
+Signed-off-by: Parav Pandit <parav@nvidia.com>
+Reviewed-by: Bodong Wang <bodong@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Stable-dep-of: e05feab22fd7 ("RDMA/mlx5: Enforce same type port association for multiport RoCE")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/mlx5/driver.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index 9744d9a2d71e..882197037654 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -1137,7 +1137,7 @@ static inline bool mlx5_core_is_vf(const struct mlx5_core_dev *dev)
+       return dev->coredev_type == MLX5_COREDEV_VF;
+ }
+-static inline bool mlx5_core_is_ecpf(struct mlx5_core_dev *dev)
++static inline bool mlx5_core_is_ecpf(const struct mlx5_core_dev *dev)
+ {
+       return dev->caps.embedded_cpu;
+ }
+-- 
+2.39.5
+
diff --git a/queue-5.4/netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch b/queue-5.4/netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch
new file mode 100644 (file)
index 0000000..d85cbcb
--- /dev/null
@@ -0,0 +1,96 @@
+From cd603ec8bfec76d16942b5f0b194cbad72b84467 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Dec 2024 00:29:20 +0100
+Subject: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 542ed8145e6f9392e3d0a86a0e9027d2ffd183e4 ]
+
+Access to genmask field in struct nft_set_ext results in unaligned
+atomic read:
+
+[   72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c
+[   72.131036] Mem abort info:
+[   72.131213]   ESR = 0x0000000096000021
+[   72.131446]   EC = 0x25: DABT (current EL), IL = 32 bits
+[   72.132209]   SET = 0, FnV = 0
+[   72.133216]   EA = 0, S1PTW = 0
+[   72.134080]   FSC = 0x21: alignment fault
+[   72.135593] Data abort info:
+[   72.137194]   ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000
+[   72.142351]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+[   72.145989]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+[   72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000
+[   72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403,
++pte=0068000102bb7707
+[   72.163021] Internal error: Oops: 0000000096000021 [#1] SMP
+[...]
+[   72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G            E      6.13.0-rc3+ #2
+[   72.170509] Tainted: [E]=UNSIGNED_MODULE
+[   72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023
+[   72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
+[   72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
+[   72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables]
+[   72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables]
+[   72.172546] sp : ffff800081f2bce0
+[   72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038
+[   72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78
+[   72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78
+[   72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000
+[   72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978
+[   72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0
+[   72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000
+[   72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000
+[   72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000
+[   72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004
+[   72.176207] Call trace:
+[   72.176316]  nft_rhash_gc+0x200/0x2d8 [nf_tables] (P)
+[   72.176653]  process_one_work+0x178/0x3d0
+[   72.176831]  worker_thread+0x200/0x3f0
+[   72.176995]  kthread+0xe8/0xf8
+[   72.177130]  ret_from_fork+0x10/0x20
+[   72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f)
+[   72.177557] ---[ end trace 0000000000000000 ]---
+
+Align struct nft_set_ext to word size to address this and
+documentation it.
+
+pahole reports that this increases the size of elements for rhash and
+pipapo in 8 bytes on x86_64.
+
+Fixes: 7ffc7481153b ("netfilter: nft_set_hash: skip duplicated elements pending gc run")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_tables.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index c50dee30a70c..92551a765a44 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -571,15 +571,18 @@ struct nft_set_ext_tmpl {
+ /**
+  *    struct nft_set_ext - set extensions
+  *
+- *    @genmask: generation mask
++ *    @genmask: generation mask, but also flags (see NFT_SET_ELEM_DEAD_BIT)
+  *    @offset: offsets of individual extension types
+  *    @data: beginning of extension data
++ *
++ *    This structure must be aligned to word size, otherwise atomic bitops
++ *    on genmask field can cause alignment failure on some archs.
+  */
+ struct nft_set_ext {
+       u8      genmask;
+       u8      offset[NFT_SET_EXT_NUM];
+       char    data[];
+-};
++} __aligned(BITS_PER_LONG / 8);
+ static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl)
+ {
+-- 
+2.39.5
+
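Review bot: The new kernel-doc paragraph on struct nft_set_ext says the structure must be word aligned, but not why a one-byte field needs it. It would help to state that the bitops take the address of genmask as an `unsigned long *`, so each access spans a full word that also covers the neighbouring offset[] bytes. Suggested addition: ` *    Bitops access a full unsigned long starting at @genmask.` The attribute only covers layouts the compiler produces. If any 5.4 set backend locates the extension area by adding a runtime size to an element pointer, that size must also be a multiple of the word size; this is not visible here and is worth confirming.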
diff --git a/queue-5.4/netfilter-replace-zero-length-array-with-flexible-ar.patch b/queue-5.4/netfilter-replace-zero-length-array-with-flexible-ar.patch
new file mode 100644 (file)
index 0000000..db81c37
--- /dev/null
@@ -0,0 +1,435 @@
+From 7a130d28e82f2bc826f41255df8bf1da70ad8e4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2020 07:59:14 -0600
+Subject: netfilter: Replace zero-length array with flexible-array member
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+[ Upstream commit 6daf14140129d30207ed6a0a69851fa6a3636bda ]
+
+The current codebase makes use of the zero-length array language
+extension to the C90 standard, but the preferred mechanism to declare
+variable-length types such as these ones is a flexible array member[1][2],
+introduced in C99:
+
+struct foo {
+        int stuff;
+        struct boo array[];
+};
+
+By making use of the mechanism above, we will get a compiler warning
+in case the flexible array does not occur last in the structure, which
+will help us prevent some kind of undefined behavior bugs from being
+inadvertently introduced[3] to the codebase from now on.
+
+Also, notice that, dynamic memory allocations won't be affected by
+this change:
+
+"Flexible array members have incomplete type, and so the sizeof operator
+may not be applied. As a quirk of the original implementation of
+zero-length arrays, sizeof evaluates to zero."[1]
+
+Lastly, fix checkpatch.pl warning
+WARNING: __aligned(size) is preferred over __attribute__((aligned(size)))
+in net/bridge/netfilter/ebtables.c
+
+This issue was found with the help of Coccinelle.
+
+[1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
+[2] https://github.com/KSPP/linux/issues/21
+[3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour")
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Stable-dep-of: 542ed8145e6f ("netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netfilter/ipset/ip_set.h          | 2 +-
+ include/linux/netfilter/x_tables.h              | 8 ++++----
+ include/linux/netfilter_arp/arp_tables.h        | 2 +-
+ include/linux/netfilter_bridge/ebtables.h       | 2 +-
+ include/linux/netfilter_ipv4/ip_tables.h        | 2 +-
+ include/linux/netfilter_ipv6/ip6_tables.h       | 2 +-
+ include/net/netfilter/nf_conntrack_extend.h     | 2 +-
+ include/net/netfilter/nf_conntrack_timeout.h    | 2 +-
+ include/net/netfilter/nf_tables.h               | 6 +++---
+ include/uapi/linux/netfilter_bridge/ebt_among.h | 2 +-
+ net/bridge/netfilter/ebtables.c                 | 2 +-
+ net/ipv4/netfilter/arp_tables.c                 | 4 ++--
+ net/ipv4/netfilter/ip_tables.c                  | 4 ++--
+ net/ipv6/netfilter/ip6_tables.c                 | 4 ++--
+ net/netfilter/ipset/ip_set_bitmap_ip.c          | 2 +-
+ net/netfilter/ipset/ip_set_bitmap_ipmac.c       | 2 +-
+ net/netfilter/ipset/ip_set_bitmap_port.c        | 2 +-
+ net/netfilter/ipset/ip_set_hash_gen.h           | 4 ++--
+ net/netfilter/nfnetlink_acct.c                  | 2 +-
+ net/netfilter/xt_hashlimit.c                    | 2 +-
+ net/netfilter/xt_recent.c                       | 4 ++--
+ 21 files changed, 31 insertions(+), 31 deletions(-)
+
+diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
+index 35342fb48866..ef6a9d082c2c 100644
+--- a/include/linux/netfilter/ipset/ip_set.h
++++ b/include/linux/netfilter/ipset/ip_set.h
+@@ -98,7 +98,7 @@ struct ip_set_counter {
+ struct ip_set_comment_rcu {
+       struct rcu_head rcu;
+-      char str[0];
++      char str[];
+ };
+ struct ip_set_comment {
+diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
+index 04e7f5630509..e66ef9bf6ff3 100644
+--- a/include/linux/netfilter/x_tables.h
++++ b/include/linux/netfilter/x_tables.h
+@@ -264,7 +264,7 @@ struct xt_table_info {
+       unsigned int stacksize;
+       void ***jumpstack;
+-      unsigned char entries[0] __aligned(8);
++      unsigned char entries[] __aligned(8);
+ };
+ int xt_register_target(struct xt_target *target);
+@@ -464,7 +464,7 @@ struct compat_xt_entry_match {
+               } kernel;
+               u_int16_t match_size;
+       } u;
+-      unsigned char data[0];
++      unsigned char data[];
+ };
+ struct compat_xt_entry_target {
+@@ -480,7 +480,7 @@ struct compat_xt_entry_target {
+               } kernel;
+               u_int16_t target_size;
+       } u;
+-      unsigned char data[0];
++      unsigned char data[];
+ };
+ /* FIXME: this works only on 32 bit tasks
+@@ -494,7 +494,7 @@ struct compat_xt_counters {
+ struct compat_xt_counters_info {
+       char name[XT_TABLE_MAXNAMELEN];
+       compat_uint_t num_counters;
+-      struct compat_xt_counters counters[0];
++      struct compat_xt_counters counters[];
+ };
+ struct _compat_xt_align {
+diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
+index 6988cf9ffe3a..26a13294318c 100644
+--- a/include/linux/netfilter_arp/arp_tables.h
++++ b/include/linux/netfilter_arp/arp_tables.h
+@@ -68,7 +68,7 @@ struct compat_arpt_entry {
+       __u16 next_offset;
+       compat_uint_t comefrom;
+       struct compat_xt_counters counters;
+-      unsigned char elems[0];
++      unsigned char elems[];
+ };
+ static inline struct xt_entry_target *
+diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h
+index f0d846df3a42..a18fb73a2b77 100644
+--- a/include/linux/netfilter_bridge/ebtables.h
++++ b/include/linux/netfilter_bridge/ebtables.h
+@@ -85,7 +85,7 @@ struct ebt_table_info {
+       /* room to maintain the stack used for jumping from and into udc */
+       struct ebt_chainstack **chainstack;
+       char *entries;
+-      struct ebt_counter counters[0] ____cacheline_aligned;
++      struct ebt_counter counters[] ____cacheline_aligned;
+ };
+ struct ebt_table {
+diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
+index e9e1ed74cdf1..b394bd4f68a3 100644
+--- a/include/linux/netfilter_ipv4/ip_tables.h
++++ b/include/linux/netfilter_ipv4/ip_tables.h
+@@ -76,7 +76,7 @@ struct compat_ipt_entry {
+       __u16 next_offset;
+       compat_uint_t comefrom;
+       struct compat_xt_counters counters;
+-      unsigned char elems[0];
++      unsigned char elems[];
+ };
+ /* Helper functions */
+diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
+index 78ab959c4575..8225f7821a29 100644
+--- a/include/linux/netfilter_ipv6/ip6_tables.h
++++ b/include/linux/netfilter_ipv6/ip6_tables.h
+@@ -43,7 +43,7 @@ struct compat_ip6t_entry {
+       __u16 next_offset;
+       compat_uint_t comefrom;
+       struct compat_xt_counters counters;
+-      unsigned char elems[0];
++      unsigned char elems[];
+ };
+ static inline struct xt_entry_target *
+diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
+index 112a6f40dfaf..d0e87120d2f4 100644
+--- a/include/net/netfilter/nf_conntrack_extend.h
++++ b/include/net/netfilter/nf_conntrack_extend.h
+@@ -46,7 +46,7 @@ struct nf_ct_ext {
+       struct rcu_head rcu;
+       u8 offset[NF_CT_EXT_NUM];
+       u8 len;
+-      char data[0];
++      char data[];
+ };
+ static inline bool __nf_ct_ext_exist(const struct nf_ct_ext *ext, u8 id)
+diff --git a/include/net/netfilter/nf_conntrack_timeout.h b/include/net/netfilter/nf_conntrack_timeout.h
+index 6dd72396f534..659b0ea25b4d 100644
+--- a/include/net/netfilter/nf_conntrack_timeout.h
++++ b/include/net/netfilter/nf_conntrack_timeout.h
+@@ -14,7 +14,7 @@
+ struct nf_ct_timeout {
+       __u16                   l3num;
+       const struct nf_conntrack_l4proto *l4proto;
+-      char                    data[0];
++      char                    data[];
+ };
+ struct ctnl_timeout {
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index 648aac42dfec..c50dee30a70c 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -226,7 +226,7 @@ int nft_parse_register_store(const struct nft_ctx *ctx,
+  */
+ struct nft_userdata {
+       u8                      len;
+-      unsigned char           data[0];
++      unsigned char           data[];
+ };
+ /**
+@@ -578,7 +578,7 @@ struct nft_set_ext_tmpl {
+ struct nft_set_ext {
+       u8      genmask;
+       u8      offset[NFT_SET_EXT_NUM];
+-      char    data[0];
++      char    data[];
+ };
+ static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl)
+@@ -1357,7 +1357,7 @@ struct nft_trans {
+       int                             msg_type;
+       bool                            put_net;
+       struct nft_ctx                  ctx;
+-      char                            data[0];
++      char                            data[];
+ };
+ struct nft_trans_rule {
+diff --git a/include/uapi/linux/netfilter_bridge/ebt_among.h b/include/uapi/linux/netfilter_bridge/ebt_among.h
+index 9acf757bc1f7..73b26a280c4f 100644
+--- a/include/uapi/linux/netfilter_bridge/ebt_among.h
++++ b/include/uapi/linux/netfilter_bridge/ebt_among.h
+@@ -40,7 +40,7 @@ struct ebt_mac_wormhash_tuple {
+ struct ebt_mac_wormhash {
+       int table[257];
+       int poolsize;
+-      struct ebt_mac_wormhash_tuple pool[0];
++      struct ebt_mac_wormhash_tuple pool[];
+ };
+ #define ebt_mac_wormhash_size(x) ((x) ? sizeof(struct ebt_mac_wormhash) \
+diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
+index f6853fc0fcc0..9d07cf277759 100644
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1581,7 +1581,7 @@ struct compat_ebt_entry_mwt {
+               compat_uptr_t ptr;
+       } u;
+       compat_uint_t match_size;
+-      compat_uint_t data[0] __attribute__ ((aligned (__alignof__(struct compat_ebt_replace))));
++      compat_uint_t data[] __aligned(__alignof__(struct compat_ebt_replace));
+ };
+ /* account for possible padding between match_size and ->data */
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index a6f2e5bf7045..c62c9713e7dd 100644
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -1057,7 +1057,7 @@ struct compat_arpt_replace {
+       u32                             underflow[NF_ARP_NUMHOOKS];
+       u32                             num_counters;
+       compat_uptr_t                   counters;
+-      struct compat_arpt_entry        entries[0];
++      struct compat_arpt_entry        entries[];
+ };
+ static inline void compat_release_entry(struct compat_arpt_entry *e)
+@@ -1385,7 +1385,7 @@ static int compat_copy_entries_to_user(unsigned int total_size,
+ struct compat_arpt_get_entries {
+       char name[XT_TABLE_MAXNAMELEN];
+       compat_uint_t size;
+-      struct compat_arpt_entry entrytable[0];
++      struct compat_arpt_entry entrytable[];
+ };
+ static int compat_get_entries(struct net *net,
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index 0076449eea35..c21ba5e62fff 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1211,7 +1211,7 @@ struct compat_ipt_replace {
+       u32                     underflow[NF_INET_NUMHOOKS];
+       u32                     num_counters;
+       compat_uptr_t           counters;       /* struct xt_counters * */
+-      struct compat_ipt_entry entries[0];
++      struct compat_ipt_entry entries[];
+ };
+ static int
+@@ -1564,7 +1564,7 @@ compat_do_ipt_set_ctl(struct sock *sk,   int cmd, void __user *user,
+ struct compat_ipt_get_entries {
+       char name[XT_TABLE_MAXNAMELEN];
+       compat_uint_t size;
+-      struct compat_ipt_entry entrytable[0];
++      struct compat_ipt_entry entrytable[];
+ };
+ static int
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 41268612bdd4..010a70402828 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1228,7 +1228,7 @@ struct compat_ip6t_replace {
+       u32                     underflow[NF_INET_NUMHOOKS];
+       u32                     num_counters;
+       compat_uptr_t           counters;       /* struct xt_counters * */
+-      struct compat_ip6t_entry entries[0];
++      struct compat_ip6t_entry entries[];
+ };
+ static int
+@@ -1574,7 +1574,7 @@ compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
+ struct compat_ip6t_get_entries {
+       char name[XT_TABLE_MAXNAMELEN];
+       compat_uint_t size;
+-      struct compat_ip6t_entry entrytable[0];
++      struct compat_ip6t_entry entrytable[];
+ };
+ static int
+diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
+index e758b8120020..8fb170c7327f 100644
+--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
+@@ -46,7 +46,7 @@ struct bitmap_ip {
+       u8 netmask;             /* subnet netmask */
+       struct timer_list gc;   /* garbage collection */
+       struct ip_set *set;     /* attached to this ip_set */
+-      unsigned char extensions[0]     /* data extensions */
++      unsigned char extensions[]      /* data extensions */
+               __aligned(__alignof__(u64));
+ };
+diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+index ae7cdc0d0f29..ebbcb9a16fe9 100644
+--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
++++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+@@ -49,7 +49,7 @@ struct bitmap_ipmac {
+       size_t memsize;         /* members size */
+       struct timer_list gc;   /* garbage collector */
+       struct ip_set *set;     /* attached to this ip_set */
+-      unsigned char extensions[0]     /* MAC + data extensions */
++      unsigned char extensions[]      /* MAC + data extensions */
+               __aligned(__alignof__(u64));
+ };
+diff --git a/net/netfilter/ipset/ip_set_bitmap_port.c b/net/netfilter/ipset/ip_set_bitmap_port.c
+index d4a14750f5c4..1993f2783774 100644
+--- a/net/netfilter/ipset/ip_set_bitmap_port.c
++++ b/net/netfilter/ipset/ip_set_bitmap_port.c
+@@ -37,7 +37,7 @@ struct bitmap_port {
+       size_t memsize;         /* members size */
+       struct timer_list gc;   /* garbage collection */
+       struct ip_set *set;     /* attached to this ip_set */
+-      unsigned char extensions[0]     /* data extensions */
++      unsigned char extensions[]      /* data extensions */
+               __aligned(__alignof__(u64));
+ };
+diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
+index 4346cae25a4a..30b8b3fad150 100644
+--- a/net/netfilter/ipset/ip_set_hash_gen.h
++++ b/net/netfilter/ipset/ip_set_hash_gen.h
+@@ -76,7 +76,7 @@ struct hbucket {
+       DECLARE_BITMAP(used, AHASH_MAX_TUNED);
+       u8 size;                /* size of the array */
+       u8 pos;                 /* position of the first free entry */
+-      unsigned char value[0]  /* the array of the values */
++      unsigned char value[]   /* the array of the values */
+               __aligned(__alignof__(u64));
+ };
+@@ -109,7 +109,7 @@ struct htable {
+       u8 htable_bits;         /* size of hash table == 2^htable_bits */
+       u32 maxelem;            /* Maxelem per region */
+       struct ip_set_region *hregion;  /* Region locks and ext sizes */
+-      struct hbucket __rcu *bucket[0]; /* hashtable buckets */
++      struct hbucket __rcu *bucket[]; /* hashtable buckets */
+ };
+ #define hbucket(h, i)         ((h)->bucket[i])
+diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
+index 4b46421c5e17..ed4bde3c8850 100644
+--- a/net/netfilter/nfnetlink_acct.c
++++ b/net/netfilter/nfnetlink_acct.c
+@@ -33,7 +33,7 @@ struct nf_acct {
+       refcount_t              refcnt;
+       char                    name[NFACCT_NAME_MAX];
+       struct rcu_head         rcu_head;
+-      char                    data[0];
++      char                    data[];
+ };
+ struct nfacct_filter {
+diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
+index 8c835ad63729..9c5cfd74a0ee 100644
+--- a/net/netfilter/xt_hashlimit.c
++++ b/net/netfilter/xt_hashlimit.c
+@@ -132,7 +132,7 @@ struct xt_hashlimit_htable {
+       const char *name;
+       struct net *net;
+-      struct hlist_head hash[0];      /* hashtable itself */
++      struct hlist_head hash[];       /* hashtable itself */
+ };
+ static int
+diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
+index 6fc0deb11aff..dae284e0ed15 100644
+--- a/net/netfilter/xt_recent.c
++++ b/net/netfilter/xt_recent.c
+@@ -71,7 +71,7 @@ struct recent_entry {
+       u_int8_t                ttl;
+       u_int8_t                index;
+       u_int16_t               nstamps;
+-      unsigned long           stamps[0];
++      unsigned long           stamps[];
+ };
+ struct recent_table {
+@@ -82,7 +82,7 @@ struct recent_table {
+       unsigned int            entries;
+       u8                      nstamps_max_mask;
+       struct list_head        lru_list;
+-      struct list_head        iphash[0];
++      struct list_head        iphash[];
+ };
+ struct recent_net {
+-- 
+2.39.5
+
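Review bot: This dependency rewrites 21 files, including the exported header include/uapi/linux/netfilter_bridge/ebt_among.h, while the fix it is queued for (542ed8145e6f) appears to need only the `char data[];` context line in struct nft_set_ext. For a 5.4 stable tree it would be lower risk to adapt that one context line in the alignment patch. Changing `pool[0]` to `pool[]` in a UAPI header can alter how user-space compilers diagnose code that includes it. If the full conversion stays, a backport note in the changelog would make the reason traceable, e.g. `[ 5.4: taken only as a context dependency for the nft_set_ext alignment fix ]`.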
diff --git a/queue-5.4/netrom-check-buffer-length-before-accessing-it.patch b/queue-5.4/netrom-check-buffer-length-before-accessing-it.patch
new file mode 100644 (file)
index 0000000..4a0f801
--- /dev/null
@@ -0,0 +1,105 @@
+From b6f5f8b3161a61d19851364fd051d9a2331ed15e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2024 08:23:07 +0000
+Subject: netrom: check buffer length before accessing it
+
+From: Ilya Shchipletsov <rabbelkin@mail.ru>
+
+[ Upstream commit a4fd163aed2edd967a244499754dec991d8b4c7d ]
+
+Syzkaller reports an uninit value read from ax25cmp when sending raw message
+through ieee802154 implementation.
+
+=====================================================
+BUG: KMSAN: uninit-value in ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119
+ ax25cmp+0x3a5/0x460 net/ax25/ax25_addr.c:119
+ nr_dev_get+0x20e/0x450 net/netrom/nr_route.c:601
+ nr_route_frame+0x1a2/0xfc0 net/netrom/nr_route.c:774
+ nr_xmit+0x5a/0x1c0 net/netrom/nr_dev.c:144
+ __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4954 [inline]
+ xmit_one net/core/dev.c:3548 [inline]
+ dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
+ __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
+ dev_queue_xmit include/linux/netdevice.h:3134 [inline]
+ raw_sendmsg+0x654/0xc10 net/ieee802154/socket.c:299
+ ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
+ ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
+ __sys_sendmsg net/socket.c:2667 [inline]
+ __do_sys_sendmsg net/socket.c:2676 [inline]
+ __se_sys_sendmsg net/socket.c:2674 [inline]
+ __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Uninit was created at:
+ slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
+ slab_alloc_node mm/slub.c:3478 [inline]
+ kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523
+ kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
+ __alloc_skb+0x318/0x740 net/core/skbuff.c:651
+ alloc_skb include/linux/skbuff.h:1286 [inline]
+ alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334
+ sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780
+ sock_alloc_send_skb include/net/sock.h:1884 [inline]
+ raw_sendmsg+0x36d/0xc10 net/ieee802154/socket.c:282
+ ieee802154_sock_sendmsg+0x91/0xc0 net/ieee802154/socket.c:96
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
+ ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
+ __sys_sendmsg net/socket.c:2667 [inline]
+ __do_sys_sendmsg net/socket.c:2676 [inline]
+ __se_sys_sendmsg net/socket.c:2674 [inline]
+ __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+CPU: 0 PID: 5037 Comm: syz-executor166 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
+=====================================================
+
+This issue occurs because the skb buffer is too small, and it's actual
+allocation is aligned. This hides an actual issue, which is that nr_route_frame
+does not validate the buffer size before using it.
+
+Fix this issue by checking skb->len before accessing any fields in skb->data.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Co-developed-by: Nikita Marushkin <hfggklm@gmail.com>
+Signed-off-by: Nikita Marushkin <hfggklm@gmail.com>
+Signed-off-by: Ilya Shchipletsov <rabbelkin@mail.ru>
+Link: https://patch.msgid.link/20241219082308.3942-1-rabbelkin@mail.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_route.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
+index 85e4637dc8ab..e1a682690154 100644
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -751,6 +751,12 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25)
+       int ret;
+       struct sk_buff *skbn;
++      /*
++       * Reject malformed packets early. Check that it contains at least 2
++       * addresses and 1 byte more for Time-To-Live
++       */
++      if (skb->len < 2 * sizeof(ax25_address) + 1)
++              return 0;
+       nr_src  = (ax25_address *)(skb->data + 0);
+       nr_dest = (ax25_address *)(skb->data + 7);
+-- 
+2.39.5
+
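Review bot: The added guard in nr_route_frame() compares `skb->len`, which also counts paged data, while the reads that follow go through `skb->data`. If a non-linear skb can reach this function (not visible in this hunk), the two addresses and the TTL byte may still not be in the linear area. `if (!pskb_may_pull(skb, 2 * sizeof(ax25_address) + 1)) return 0;` checks the length and makes the header linear in one step. The `skb->data + 7` two lines below could use `sizeof(ax25_address)` so the offset and the guard cannot drift apart. The function body continues outside the inner hunk, so how callers treat the `0` return should be checked there.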
diff --git a/queue-5.4/rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch b/queue-5.4/rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch
new file mode 100644 (file)
index 0000000..da3e0dd
--- /dev/null
@@ -0,0 +1,64 @@
+From 2a517d09709763514d7ce942a9b7f4cb68f21c05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 14:09:28 +0530
+Subject: RDMA/bnxt_re: Add check for path mtu in modify_qp
+
+From: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
+
+[ Upstream commit 798653a0ee30d3cd495099282751c0f248614ae7 ]
+
+When RDMA app configures path MTU, add a check in modify_qp verb
+to make sure that it doesn't go beyond interface MTU. If this
+check fails, driver will fail the modify_qp verb.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Link: https://patch.msgid.link/20241211083931.968831-3-kalesh-anakkur.purayil@broadcom.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 26 +++++++++++++-----------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index eca36da7f9d4..d0ed8e14e3da 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -1852,18 +1852,20 @@ int bnxt_re_modify_qp(struct ib_qp *ib_qp, struct ib_qp_attr *qp_attr,
+               }
+       }
+-      if (qp_attr_mask & IB_QP_PATH_MTU) {
+-              qp->qplib_qp.modify_flags |=
+-                              CMDQ_MODIFY_QP_MODIFY_MASK_PATH_MTU;
+-              qp->qplib_qp.path_mtu = __from_ib_mtu(qp_attr->path_mtu);
+-              qp->qplib_qp.mtu = ib_mtu_enum_to_int(qp_attr->path_mtu);
+-      } else if (qp_attr->qp_state == IB_QPS_RTR) {
+-              qp->qplib_qp.modify_flags |=
+-                      CMDQ_MODIFY_QP_MODIFY_MASK_PATH_MTU;
+-              qp->qplib_qp.path_mtu =
+-                      __from_ib_mtu(iboe_get_mtu(rdev->netdev->mtu));
+-              qp->qplib_qp.mtu =
+-                      ib_mtu_enum_to_int(iboe_get_mtu(rdev->netdev->mtu));
++      if (qp_attr->qp_state == IB_QPS_RTR) {
++              enum ib_mtu qpmtu;
++
++              qpmtu = iboe_get_mtu(rdev->netdev->mtu);
++              if (qp_attr_mask & IB_QP_PATH_MTU) {
++                      if (ib_mtu_enum_to_int(qp_attr->path_mtu) >
++                          ib_mtu_enum_to_int(qpmtu))
++                              return -EINVAL;
++                      qpmtu = qp_attr->path_mtu;
++              }
++
++              qp->qplib_qp.modify_flags |= CMDQ_MODIFY_QP_MODIFY_MASK_PATH_MTU;
++              qp->qplib_qp.path_mtu = __from_ib_mtu(qpmtu);
++              qp->qplib_qp.mtu = ib_mtu_enum_to_int(qpmtu);
+       }
+       if (qp_attr_mask & IB_QP_TIMEOUT) {
+-- 
+2.39.5
+
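Review bot: The new upper-bound test in bnxt_re_modify_qp() compares `ib_mtu_enum_to_int(qp_attr->path_mtu)` with the interface MTU, but as far as I know that helper returns -1 for a value outside the enum. Unless the core validates it earlier, an invalid path_mtu would pass the check and end up in `qp->qplib_qp.mtu`. Testing `ib_mtu_enum_to_int(qp_attr->path_mtu) < 0` in the same condition and returning -EINVAL closes that. Separately, IB_QP_PATH_MTU is now honoured only when `qp_attr->qp_state == IB_QPS_RTR`, and qp_state is read without testing IB_QP_STATE in the mask. Whether dropping the MTU update on other transitions is intended should be confirmed, since the function starts and ends outside this hunk.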
diff --git a/queue-5.4/rdma-bnxt_re-fix-max_qp_wrs-reported.patch b/queue-5.4/rdma-bnxt_re-fix-max_qp_wrs-reported.patch
new file mode 100644 (file)
index 0000000..36cfa57
--- /dev/null
@@ -0,0 +1,40 @@
+From 6ca4fcee741c9e0b022241329fcce4cefaa809db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Nov 2020 05:13:06 -0800
+Subject: RDMA/bnxt_re: Fix max_qp_wrs reported
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit c63e1c4dfc33d1bdae395ee8fbcbfad4830b12c0 ]
+
+While creating qps, the driver adds one extra entry to the sq size passed
+by the ULPs in order to avoid queue full condition.  When ULPs creates QPs
+with max_qp_wr reported, driver creates QP with 1 more than the max_wqes
+supported by HW. Create QP fails in this case. To avoid this error, reduce
+1 entry in max_qp_wqes and report it to the stack.
+
+Link: https://lore.kernel.org/r/1606741986-16477-1-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Devesh Sharma <devesh.sharma@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+index 079aaaaffec7..f623f881a95b 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+@@ -118,7 +118,7 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw,
+        * 128 WQEs needs to be reserved for the HW (8916). Prevent
+        * reporting the max number
+        */
+-      attr->max_qp_wqes -= BNXT_QPLIB_RESERVED_QP_WRS;
++      attr->max_qp_wqes -= BNXT_QPLIB_RESERVED_QP_WRS + 1;
+       attr->max_qp_sges = bnxt_qplib_is_chip_gen_p5(rcfw->res->cctx) ?
+                           6 : sb->max_sge;
+       attr->max_cq = le32_to_cpu(sb->max_cq);
+-- 
+2.39.5
+
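Review bot: The comment directly above the changed line in bnxt_qplib_get_dev_attr still explains only the 128 WQEs reserved for the hardware, so the added `+ 1` reads as an unexplained constant. I would extend that comment with something like `Also hold back one entry: QP creation adds one slot to the requested SQ size to avoid a queue-full condition.`, which is the reason the commit message gives. Separately, the subtraction is unguarded: if the reported `max_qp_wqes` were ever not larger than `BNXT_QPLIB_RESERVED_QP_WRS + 1`, the result would wrap or go negative depending on the field's type, which is not visible here. A lower-bound check before the subtraction may be worth adding. The function body starts and ends outside the hunk.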
diff --git a/queue-5.4/rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch b/queue-5.4/rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch
new file mode 100644 (file)
index 0000000..bc4d7d5
--- /dev/null
@@ -0,0 +1,41 @@
+From eca3b2e8e91fc533dc4e9a6ad5fa72bd73ce8000 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 14:09:31 +0530
+Subject: RDMA/bnxt_re: Fix reporting hw_ver in query_device
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 7179fe0074a3c962e43a9e51169304c4911989ed ]
+
+Driver currently populates subsystem_device id in the
+"hw_ver" field of ib_attr structure in query_device.
+
+Updated to populate PCI revision ID.
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Reviewed-by: Preethi G <preethi.gurusiddalingeswaraswamy@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Link: https://patch.msgid.link/20241211083931.968831-6-kalesh-anakkur.purayil@broadcom.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/ib_verbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+index d0ed8e14e3da..563a0f37810d 100644
+--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+@@ -137,7 +137,7 @@ int bnxt_re_query_device(struct ib_device *ibdev,
+       ib_attr->vendor_id = rdev->en_dev->pdev->vendor;
+       ib_attr->vendor_part_id = rdev->en_dev->pdev->device;
+-      ib_attr->hw_ver = rdev->en_dev->pdev->subsystem_device;
++      ib_attr->hw_ver = rdev->en_dev->pdev->revision;
+       ib_attr->max_qp = dev_attr->max_qp;
+       ib_attr->max_qp_wr = dev_attr->max_qp_wqes;
+       ib_attr->device_cap_flags =
+-- 
+2.39.5
+
diff --git a/queue-5.4/rdma-mlx5-enforce-same-type-port-association-for-mul.patch b/queue-5.4/rdma-mlx5-enforce-same-type-port-association-for-mul.patch
new file mode 100644 (file)
index 0000000..32885cd
--- /dev/null
@@ -0,0 +1,69 @@
+From 63aebbe3300520a78874e47a0ef8d454dfc6f537 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2024 15:45:37 +0200
+Subject: RDMA/mlx5: Enforce same type port association for multiport RoCE
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit e05feab22fd7dabcd6d272c4e2401ec1acdfdb9b ]
+
+Different core device types such as PFs and VFs shouldn't be affiliated
+together since they have different capabilities, fix that by enforcing
+type check before doing the affiliation.
+
+Fixes: 32f69e4be269 ("{net, IB}/mlx5: Manage port association for multiport RoCE")
+Reviewed-by: Mark Bloch <mbloch@nvidia.com>
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Link: https://patch.msgid.link/88699500f690dff1c1852c1ddb71f8a1cc8b956e.1733233480.git.leonro@nvidia.com
+Reviewed-by: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 6 ++++--
+ include/linux/mlx5/driver.h       | 6 ++++++
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index 5e00acb9bb31..fb5a1b4abcbc 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -5980,7 +5980,8 @@ static int mlx5_ib_init_multiport_master(struct mlx5_ib_dev *dev)
+               list_for_each_entry(mpi, &mlx5_ib_unaffiliated_port_list,
+                                   list) {
+                       if (dev->sys_image_guid == mpi->sys_image_guid &&
+-                          (mlx5_core_native_port_num(mpi->mdev) - 1) == i) {
++                          (mlx5_core_native_port_num(mpi->mdev) - 1) == i &&
++                          mlx5_core_same_coredev_type(dev->mdev, mpi->mdev)) {
+                               bound = mlx5_ib_bind_slave_port(dev, mpi);
+                       }
+@@ -6874,7 +6875,8 @@ static void *mlx5_ib_add_slave_port(struct mlx5_core_dev *mdev)
+       mutex_lock(&mlx5_ib_multiport_mutex);
+       list_for_each_entry(dev, &mlx5_ib_dev_list, ib_dev_list) {
+-              if (dev->sys_image_guid == mpi->sys_image_guid)
++              if (dev->sys_image_guid == mpi->sys_image_guid &&
++                  mlx5_core_same_coredev_type(dev->mdev, mpi->mdev))
+                       bound = mlx5_ib_bind_slave_port(dev, mpi);
+               if (bound) {
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index 882197037654..ddcbc910d909 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -1137,6 +1137,12 @@ static inline bool mlx5_core_is_vf(const struct mlx5_core_dev *dev)
+       return dev->coredev_type == MLX5_COREDEV_VF;
+ }
++static inline bool mlx5_core_same_coredev_type(const struct mlx5_core_dev *dev1,
++                                             const struct mlx5_core_dev *dev2)
++{
++      return dev1->coredev_type == dev2->coredev_type;
++}
++
+ static inline bool mlx5_core_is_ecpf(const struct mlx5_core_dev *dev)
+ {
+       return dev->caps.embedded_cpu;
+-- 
+2.39.5
+
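Review bot: The same-type check is repeated at both places that call mlx5_ib_bind_slave_port (the loop in mlx5_ib_init_multiport_master and the one in mlx5_ib_add_slave_port), so the rule that PFs and VFs are never affiliated holds only while every caller remembers it. The body of mlx5_ib_bind_slave_port is not visible here, but if nothing prevents it, doing the comparison inside that function and failing the bind would enforce the rule in one place. The new helper in driver.h would also benefit from a short comment stating why it exists, for example `/* PFs and VFs have different capabilities and must not be affiliated together. */`. Both modified functions continue outside their hunks.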
index 1ae0ca8c8309fa6e255f67f45a7b204321bb01b7..bf789c7454661051a5ed6f632f6c8e5a3fd984c2 100644 (file)
@@ -61,3 +61,19 @@ skb_expand_head-adjust-skb-truesize-incorrectly.patch
 ipv6-prevent-possible-uaf-in-ip6_xmit.patch
 selinux-ignore-unknown-extended-permissions.patch
 drivers-hv-util-avoid-accessing-a-ringbuffer-not-ini.patch
+ib-mlx5-introduce-and-use-mlx5_core_is_vf.patch
+net-mlx5-make-api-mlx5_core_is_ecpf-accept-const-poi.patch
+rdma-mlx5-enforce-same-type-port-association-for-mul.patch
+rdma-bnxt_re-add-check-for-path-mtu-in-modify_qp.patch
+rdma-bnxt_re-fix-reporting-hw_ver-in-query_device.patch
+rdma-bnxt_re-fix-max_qp_wrs-reported.patch
+drm-bridge-adv7511-enable-spdif-dai.patch
+drm-bridge-adv7511_audio-update-audio-infoframe-prop.patch
+netrom-check-buffer-length-before-accessing-it.patch
+netfilter-replace-zero-length-array-with-flexible-ar.patch
+netfilter-nft_set_hash-unaligned-atomic-read-on-stru.patch
+net-llc-reset-skb-transport_header.patch
+alsa-usb-audio-us16x08-initialize-array-before-use.patch
+af_packet-fix-vlan_get_tci-vs-msg_peek.patch
+af_packet-fix-vlan_get_protocol_dgram-vs-msg_peek.patch
+ila-serialize-calls-to-nf_register_net_hooks.patch