--- /dev/null
+From dee2371c7849d5fbdf35123f5ef0cf1ccce706e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 17:27:08 -0700
+Subject: af_unix: Fix data race around sk->sk_err.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit b192812905e4b134f7b7994b079eb647e9d2d37e ]
+
+As with sk->sk_shutdown shown in the previous patch, sk->sk_err can be
+read locklessly by unix_dgram_sendmsg().
+
+Let's use READ_ONCE() for sk_err as well.
+
+Note that the writer side is marked by commit cc04410af7de ("af_unix:
+annotate lockless accesses to sk->sk_err").
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index a971385a95d92..fcb998dc2dc68 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2317,7 +2317,7 @@ static long sock_wait_for_wmem(struct sock *sk, long timeo)
+ break;
+ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN)
+ break;
+- if (sk->sk_err)
++ if (READ_ONCE(sk->sk_err))
+ break;
+ timeo = schedule_timeout(timeo);
+ }
+--
+2.40.1
+
--- /dev/null
+From f28afac504ba587fb662ec78ad6c9002be43e9a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 17:27:06 -0700
+Subject: af_unix: Fix data-race around unix_tot_inflight.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit ade32bd8a738d7497ffe9743c46728db26740f78 ]
+
+unix_tot_inflight is changed under spin_lock(unix_gc_lock), but
+unix_release_sock() reads it locklessly.
+
+Let's use READ_ONCE() for unix_tot_inflight.
+
+Note that the writer side was marked by commit 9d6d7f1cb67c ("af_unix:
+annote lockless accesses to unix_tot_inflight & gc_in_progress")
+
+BUG: KCSAN: data-race in unix_inflight / unix_release_sock
+
+write (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1:
+ unix_inflight+0x130/0x180 net/unix/scm.c:64
+ unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123
+ unix_scm_to_skb net/unix/af_unix.c:1832 [inline]
+ unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955
+ sock_sendmsg_nosec net/socket.c:724 [inline]
+ sock_sendmsg+0x148/0x160 net/socket.c:747
+ ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493
+ ___sys_sendmsg+0xc6/0x140 net/socket.c:2547
+ __sys_sendmsg+0x94/0x140 net/socket.c:2576
+ __do_sys_sendmsg net/socket.c:2585 [inline]
+ __se_sys_sendmsg net/socket.c:2583 [inline]
+ __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+read to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0:
+ unix_release_sock+0x608/0x910 net/unix/af_unix.c:671
+ unix_release+0x59/0x80 net/unix/af_unix.c:1058
+ __sock_release+0x7d/0x170 net/socket.c:653
+ sock_close+0x19/0x30 net/socket.c:1385
+ __fput+0x179/0x5e0 fs/file_table.c:321
+ ____fput+0x15/0x20 fs/file_table.c:349
+ task_work_run+0x116/0x1a0 kernel/task_work.c:179
+ resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
+ exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
+ syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297
+ do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+value changed: 0x00000000 -> 0x00000001
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+
+Fixes: 9305cfa4443d ("[AF_UNIX]: Make unix_tot_inflight counter non-atomic")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 8d941cbba5cb7..237488b1b58b6 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -587,7 +587,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
+ * What the above comment does talk about? --ANK(980817)
+ */
+
+- if (unix_tot_inflight)
++ if (READ_ONCE(unix_tot_inflight))
+ unix_gc(); /* Garbage collect fds */
+ }
+
+--
+2.40.1
+
--- /dev/null
+From 53eadec008d40c910d7f2e63a42de439200c9651 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 17:27:07 -0700
+Subject: af_unix: Fix data-races around sk->sk_shutdown.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit afe8764f76346ba838d4f162883e23d2fcfaa90e ]
+
+sk->sk_shutdown is changed under unix_state_lock(sk), but
+unix_dgram_sendmsg() calls two functions to read sk_shutdown locklessly.
+
+ sock_alloc_send_pskb
+ `- sock_wait_for_wmem
+
+Let's use READ_ONCE() there.
+
+Note that the writer side was marked by commit e1d09c2c2f57 ("af_unix:
+Fix data races around sk->sk_shutdown.").
+
+BUG: KCSAN: data-race in sock_alloc_send_pskb / unix_release_sock
+
+write (marked) to 0xffff8880069af12c of 1 bytes by task 1 on cpu 1:
+ unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631
+ unix_release+0x59/0x80 net/unix/af_unix.c:1053
+ __sock_release+0x7d/0x170 net/socket.c:654
+ sock_close+0x19/0x30 net/socket.c:1386
+ __fput+0x2a3/0x680 fs/file_table.c:384
+ ____fput+0x15/0x20 fs/file_table.c:412
+ task_work_run+0x116/0x1a0 kernel/task_work.c:179
+ resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
+ exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
+ syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297
+ do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+read to 0xffff8880069af12c of 1 bytes by task 28650 on cpu 0:
+ sock_alloc_send_pskb+0xd2/0x620 net/core/sock.c:2767
+ unix_dgram_sendmsg+0x2f8/0x14f0 net/unix/af_unix.c:1944
+ unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
+ unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
+ sock_sendmsg_nosec net/socket.c:725 [inline]
+ sock_sendmsg+0x148/0x160 net/socket.c:748
+ ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
+ ___sys_sendmsg+0xc6/0x140 net/socket.c:2548
+ __sys_sendmsg+0x94/0x140 net/socket.c:2577
+ __do_sys_sendmsg net/socket.c:2586 [inline]
+ __se_sys_sendmsg net/socket.c:2584 [inline]
+ __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+value changed: 0x00 -> 0x03
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 28650 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index e2d45631c15d7..a971385a95d92 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2315,7 +2315,7 @@ static long sock_wait_for_wmem(struct sock *sk, long timeo)
+ prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ if (refcount_read(&sk->sk_wmem_alloc) < READ_ONCE(sk->sk_sndbuf))
+ break;
+- if (sk->sk_shutdown & SEND_SHUTDOWN)
++ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN)
+ break;
+ if (sk->sk_err)
+ break;
+@@ -2345,7 +2345,7 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+ goto failure;
+
+ err = -EPIPE;
+- if (sk->sk_shutdown & SEND_SHUTDOWN)
++ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN)
+ goto failure;
+
+ if (sk_wmem_alloc_get(sk) < READ_ONCE(sk->sk_sndbuf))
+--
+2.40.1
+
--- /dev/null
+From c18a17aa7ffed51bf634e6a5cf151a42b14960b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 17:27:05 -0700
+Subject: af_unix: Fix data-races around user->unix_inflight.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 0bc36c0650b21df36fbec8136add83936eaf0607 ]
+
+user->unix_inflight is changed under spin_lock(unix_gc_lock),
+but too_many_unix_fds() reads it locklessly.
+
+Let's annotate the write/read accesses to user->unix_inflight.
+
+BUG: KCSAN: data-race in unix_attach_fds / unix_inflight
+
+write to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1:
+ unix_inflight+0x157/0x180 net/unix/scm.c:66
+ unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123
+ unix_scm_to_skb net/unix/af_unix.c:1827 [inline]
+ unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950
+ unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
+ unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
+ sock_sendmsg_nosec net/socket.c:725 [inline]
+ sock_sendmsg+0x148/0x160 net/socket.c:748
+ ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
+ ___sys_sendmsg+0xc6/0x140 net/socket.c:2548
+ __sys_sendmsg+0x94/0x140 net/socket.c:2577
+ __do_sys_sendmsg net/socket.c:2586 [inline]
+ __se_sys_sendmsg net/socket.c:2584 [inline]
+ __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+read to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0:
+ too_many_unix_fds net/unix/scm.c:101 [inline]
+ unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110
+ unix_scm_to_skb net/unix/af_unix.c:1827 [inline]
+ unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950
+ unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
+ unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
+ sock_sendmsg_nosec net/socket.c:725 [inline]
+ sock_sendmsg+0x148/0x160 net/socket.c:748
+ ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
+ ___sys_sendmsg+0xc6/0x140 net/socket.c:2548
+ __sys_sendmsg+0x94/0x140 net/socket.c:2577
+ __do_sys_sendmsg net/socket.c:2586 [inline]
+ __se_sys_sendmsg net/socket.c:2584 [inline]
+ __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+value changed: 0x000000000000000c -> 0x000000000000000d
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+
+Fixes: 712f4aad406b ("unix: properly account for FDs passed over unix sockets")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Acked-by: Willy Tarreau <w@1wt.eu>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/scm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/unix/scm.c b/net/unix/scm.c
+index aa27a02478dc1..e8e2a00bb0f58 100644
+--- a/net/unix/scm.c
++++ b/net/unix/scm.c
+@@ -63,7 +63,7 @@ void unix_inflight(struct user_struct *user, struct file *fp)
+ /* Paired with READ_ONCE() in wait_for_unix_gc() */
+ WRITE_ONCE(unix_tot_inflight, unix_tot_inflight + 1);
+ }
+- user->unix_inflight++;
++ WRITE_ONCE(user->unix_inflight, user->unix_inflight + 1);
+ spin_unlock(&unix_gc_lock);
+ }
+
+@@ -84,7 +84,7 @@ void unix_notinflight(struct user_struct *user, struct file *fp)
+ /* Paired with READ_ONCE() in wait_for_unix_gc() */
+ WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - 1);
+ }
+- user->unix_inflight--;
++ WRITE_ONCE(user->unix_inflight, user->unix_inflight - 1);
+ spin_unlock(&unix_gc_lock);
+ }
+
+@@ -98,7 +98,7 @@ static inline bool too_many_unix_fds(struct task_struct *p)
+ {
+ struct user_struct *user = current_user();
+
+- if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
++ if (unlikely(READ_ONCE(user->unix_inflight) > task_rlimit(p, RLIMIT_NOFILE)))
+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
+ return false;
+ }
+--
+2.40.1
+
--- /dev/null
+From f4e84fd0dfc1036afe2b941455b95df472627b98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jul 2023 09:29:03 +0000
+Subject: backlight: gpio_backlight: Drop output GPIO direction check for
+ initial power state
+
+From: Ying Liu <victor.liu@nxp.com>
+
+[ Upstream commit fe1328b5b2a087221e31da77e617f4c2b70f3b7f ]
+
+So, let's drop output GPIO direction check and only check GPIO value to set
+the initial power state.
+
+Fixes: 706dc68102bc ("backlight: gpio: Explicitly set the direction of the GPIO")
+Signed-off-by: Liu Ying <victor.liu@nxp.com>
+Reviewed-by: Andy Shevchenko <andy@kernel.org>
+Acked-by: Linus Walleij <linus.walleij@linaro.org>
+Acked-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Link: https://lore.kernel.org/r/20230721093342.1532531-1-victor.liu@nxp.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/gpio_backlight.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/video/backlight/gpio_backlight.c b/drivers/video/backlight/gpio_backlight.c
+index 5c5c99f7979e3..30ec5b6845335 100644
+--- a/drivers/video/backlight/gpio_backlight.c
++++ b/drivers/video/backlight/gpio_backlight.c
+@@ -87,8 +87,7 @@ static int gpio_backlight_probe(struct platform_device *pdev)
+ /* Not booted with device tree or no phandle link to the node */
+ bl->props.power = def_value ? FB_BLANK_UNBLANK
+ : FB_BLANK_POWERDOWN;
+- else if (gpiod_get_direction(gbl->gpiod) == 0 &&
+- gpiod_get_value_cansleep(gbl->gpiod) == 0)
++ else if (gpiod_get_value_cansleep(gbl->gpiod) == 0)
+ bl->props.power = FB_BLANK_POWERDOWN;
+ else
+ bl->props.power = FB_BLANK_UNBLANK;
+--
+2.40.1
+
--- /dev/null
+From 2cb6b6b543cdf4a5f778dd13ed89adc31a09c064 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Jul 2023 18:35:16 -0700
+Subject: drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt()
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit a90c367e5af63880008e21dd199dac839e0e9e0f ]
+
+Drop intel_vgpu_reset_gtt() as it no longer has any callers. In addition
+to eliminating dead code, this eliminates the last possible scenario where
+__kvmgt_protect_table_find() can be reached without holding vgpu_lock.
+Requiring vgpu_lock to be held when calling __kvmgt_protect_table_find()
+will allow a protecting the gfn hash with vgpu_lock without too much fuss.
+
+No functional change intended.
+
+Fixes: ba25d977571e ("drm/i915/gvt: Do not destroy ppgtt_mm during vGPU D3->D0.")
+Reviewed-by: Yan Zhao <yan.y.zhao@intel.com>
+Tested-by: Yongwei Ma <yongwei.ma@intel.com>
+Reviewed-by: Zhi Wang <zhi.a.wang@intel.com>
+Link: https://lore.kernel.org/r/20230729013535.1070024-11-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gvt/gtt.c | 18 ------------------
+ drivers/gpu/drm/i915/gvt/gtt.h | 1 -
+ 2 files changed, 19 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
+index 2029f8521a5dc..0d31a0db305d5 100644
+--- a/drivers/gpu/drm/i915/gvt/gtt.c
++++ b/drivers/gpu/drm/i915/gvt/gtt.c
+@@ -2870,24 +2870,6 @@ void intel_vgpu_reset_ggtt(struct intel_vgpu *vgpu, bool invalidate_old)
+ ggtt_invalidate(gvt->gt);
+ }
+
+-/**
+- * intel_vgpu_reset_gtt - reset the all GTT related status
+- * @vgpu: a vGPU
+- *
+- * This function is called from vfio core to reset reset all
+- * GTT related status, including GGTT, PPGTT, scratch page.
+- *
+- */
+-void intel_vgpu_reset_gtt(struct intel_vgpu *vgpu)
+-{
+- /* Shadow pages are only created when there is no page
+- * table tracking data, so remove page tracking data after
+- * removing the shadow pages.
+- */
+- intel_vgpu_destroy_all_ppgtt_mm(vgpu);
+- intel_vgpu_reset_ggtt(vgpu, true);
+-}
+-
+ /**
+ * intel_gvt_restore_ggtt - restore all vGPU's ggtt entries
+ * @gvt: intel gvt device
+diff --git a/drivers/gpu/drm/i915/gvt/gtt.h b/drivers/gpu/drm/i915/gvt/gtt.h
+index b0e173f2d9904..89ffb52cafa04 100644
+--- a/drivers/gpu/drm/i915/gvt/gtt.h
++++ b/drivers/gpu/drm/i915/gvt/gtt.h
+@@ -215,7 +215,6 @@ void intel_vgpu_reset_ggtt(struct intel_vgpu *vgpu, bool invalidate_old);
+ void intel_vgpu_invalidate_ppgtt(struct intel_vgpu *vgpu);
+
+ int intel_gvt_init_gtt(struct intel_gvt *gvt);
+-void intel_vgpu_reset_gtt(struct intel_vgpu *vgpu);
+ void intel_gvt_clean_gtt(struct intel_gvt *gvt);
+
+ struct intel_vgpu_mm *intel_gvt_find_ppgtt_mm(struct intel_vgpu *vgpu,
+--
+2.40.1
+
--- /dev/null
+From 698b78e313bd8910f7d396332b01fc3c1164e043 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Oct 2020 12:53:08 +0800
+Subject: drm/i915/gvt: Save/restore HW status to support GVT suspend/resume
+
+From: Colin Xu <colin.xu@intel.com>
+
+[ Upstream commit 5f60b12edcd0c2e83650a6f9aa4a969bd9fc5732 ]
+
+This patch save/restore necessary GVT info during i915 suspend/resume so
+that GVT enabled QEMU VM can continue running.
+
+Only GGTT and fence regs are saved/restored now. GVT will save GGTT
+entries on each host_entry update, restore the saved dirty entries
+and re-init fence regs in resume routine.
+
+V2:
+- Change kzalloc/kfree to vzalloc/vfree since the space allocated
+from kmalloc may not enough for all saved GGTT entries.
+- Keep gvt suspend/resume wrapper in intel_gvt.h/intel_gvt.c and
+move the actual implementation to gvt.h/gvt.c. (zhenyu)
+- Check gvt config on and active with intel_gvt_active(). (zhenyu)
+
+V3: (zhenyu)
+- Incorrect copy length. Should be num entries * entry size.
+- Use memcpy_toio()/memcpy_fromio() instead of memcpy for iomem.
+- Add F_PM_SAVE flags to indicate which MMIOs to save/restore for PM.
+
+V4:
+Rebase.
+
+V5:
+Fail intel_gvt_save_ggtt as -ENOMEM if fail to alloc memory to save
+ggtt. Free allocated ggtt_entries on failure.
+
+V6:
+Save host entry to per-vGPU gtt.ggtt_mm on each host_entry update.
+
+V7:
+Restore GGTT entry based on present bit.
+Split fence restore and mmio restore in different functions.
+
+Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Signed-off-by: Hang Yuan <hang.yuan@linux.intel.com>
+Signed-off-by: Colin Xu <colin.xu@intel.com>
+Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20201027045308.158955-1-colin.xu@intel.com
+Stable-dep-of: a90c367e5af6 ("drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gvt/gtt.c | 64 +++++++++++++++++++++++++++++
+ drivers/gpu/drm/i915/gvt/gtt.h | 4 ++
+ drivers/gpu/drm/i915/gvt/gvt.c | 9 ++++
+ drivers/gpu/drm/i915/gvt/gvt.h | 3 ++
+ drivers/gpu/drm/i915/gvt/handlers.c | 44 ++++++++++++++++++--
+ drivers/gpu/drm/i915/gvt/mmio.h | 4 ++
+ drivers/gpu/drm/i915/intel_gvt.c | 15 +++++++
+ drivers/gpu/drm/i915/intel_gvt.h | 5 +++
+ 8 files changed, 145 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/gvt/gtt.c b/drivers/gpu/drm/i915/gvt/gtt.c
+index 0201f9b5f87e7..2029f8521a5dc 100644
+--- a/drivers/gpu/drm/i915/gvt/gtt.c
++++ b/drivers/gpu/drm/i915/gvt/gtt.c
+@@ -636,9 +636,18 @@ static void ggtt_set_host_entry(struct intel_vgpu_mm *mm,
+ struct intel_gvt_gtt_entry *entry, unsigned long index)
+ {
+ struct intel_gvt_gtt_pte_ops *pte_ops = mm->vgpu->gvt->gtt.pte_ops;
++ unsigned long offset = index;
+
+ GEM_BUG_ON(mm->type != INTEL_GVT_MM_GGTT);
+
++ if (vgpu_gmadr_is_aperture(mm->vgpu, index << I915_GTT_PAGE_SHIFT)) {
++ offset -= (vgpu_aperture_gmadr_base(mm->vgpu) >> PAGE_SHIFT);
++ mm->ggtt_mm.host_ggtt_aperture[offset] = entry->val64;
++ } else if (vgpu_gmadr_is_hidden(mm->vgpu, index << I915_GTT_PAGE_SHIFT)) {
++ offset -= (vgpu_hidden_gmadr_base(mm->vgpu) >> PAGE_SHIFT);
++ mm->ggtt_mm.host_ggtt_hidden[offset] = entry->val64;
++ }
++
+ pte_ops->set_entry(NULL, entry, index, false, 0, mm->vgpu);
+ }
+
+@@ -1953,6 +1962,21 @@ static struct intel_vgpu_mm *intel_vgpu_create_ggtt_mm(struct intel_vgpu *vgpu)
+ return ERR_PTR(-ENOMEM);
+ }
+
++ mm->ggtt_mm.host_ggtt_aperture = vzalloc((vgpu_aperture_sz(vgpu) >> PAGE_SHIFT) * sizeof(u64));
++ if (!mm->ggtt_mm.host_ggtt_aperture) {
++ vfree(mm->ggtt_mm.virtual_ggtt);
++ vgpu_free_mm(mm);
++ return ERR_PTR(-ENOMEM);
++ }
++
++ mm->ggtt_mm.host_ggtt_hidden = vzalloc((vgpu_hidden_sz(vgpu) >> PAGE_SHIFT) * sizeof(u64));
++ if (!mm->ggtt_mm.host_ggtt_hidden) {
++ vfree(mm->ggtt_mm.host_ggtt_aperture);
++ vfree(mm->ggtt_mm.virtual_ggtt);
++ vgpu_free_mm(mm);
++ return ERR_PTR(-ENOMEM);
++ }
++
+ return mm;
+ }
+
+@@ -1980,6 +2004,8 @@ void _intel_vgpu_mm_release(struct kref *mm_ref)
+ invalidate_ppgtt_mm(mm);
+ } else {
+ vfree(mm->ggtt_mm.virtual_ggtt);
++ vfree(mm->ggtt_mm.host_ggtt_aperture);
++ vfree(mm->ggtt_mm.host_ggtt_hidden);
+ }
+
+ vgpu_free_mm(mm);
+@@ -2861,3 +2887,41 @@ void intel_vgpu_reset_gtt(struct intel_vgpu *vgpu)
+ intel_vgpu_destroy_all_ppgtt_mm(vgpu);
+ intel_vgpu_reset_ggtt(vgpu, true);
+ }
++
++/**
++ * intel_gvt_restore_ggtt - restore all vGPU's ggtt entries
++ * @gvt: intel gvt device
++ *
++ * This function is called at driver resume stage to restore
++ * GGTT entries of every vGPU.
++ *
++ */
++void intel_gvt_restore_ggtt(struct intel_gvt *gvt)
++{
++ struct intel_vgpu *vgpu;
++ struct intel_vgpu_mm *mm;
++ int id;
++ gen8_pte_t pte;
++ u32 idx, num_low, num_hi, offset;
++
++ /* Restore dirty host ggtt for all vGPUs */
++ idr_for_each_entry(&(gvt)->vgpu_idr, vgpu, id) {
++ mm = vgpu->gtt.ggtt_mm;
++
++ num_low = vgpu_aperture_sz(vgpu) >> PAGE_SHIFT;
++ offset = vgpu_aperture_gmadr_base(vgpu) >> PAGE_SHIFT;
++ for (idx = 0; idx < num_low; idx++) {
++ pte = mm->ggtt_mm.host_ggtt_aperture[idx];
++ if (pte & _PAGE_PRESENT)
++ write_pte64(vgpu->gvt->gt->ggtt, offset + idx, pte);
++ }
++
++ num_hi = vgpu_hidden_sz(vgpu) >> PAGE_SHIFT;
++ offset = vgpu_hidden_gmadr_base(vgpu) >> PAGE_SHIFT;
++ for (idx = 0; idx < num_hi; idx++) {
++ pte = mm->ggtt_mm.host_ggtt_hidden[idx];
++ if (pte & _PAGE_PRESENT)
++ write_pte64(vgpu->gvt->gt->ggtt, offset + idx, pte);
++ }
++ }
++}
+diff --git a/drivers/gpu/drm/i915/gvt/gtt.h b/drivers/gpu/drm/i915/gvt/gtt.h
+index 52d0d88abd86a..b0e173f2d9904 100644
+--- a/drivers/gpu/drm/i915/gvt/gtt.h
++++ b/drivers/gpu/drm/i915/gvt/gtt.h
+@@ -164,6 +164,9 @@ struct intel_vgpu_mm {
+ } ppgtt_mm;
+ struct {
+ void *virtual_ggtt;
++ /* Save/restore for PM */
++ u64 *host_ggtt_aperture;
++ u64 *host_ggtt_hidden;
+ struct list_head partial_pte_list;
+ } ggtt_mm;
+ };
+@@ -280,5 +283,6 @@ int intel_vgpu_emulate_ggtt_mmio_write(struct intel_vgpu *vgpu,
+ unsigned int off, void *p_data, unsigned int bytes);
+
+ void intel_vgpu_destroy_all_ppgtt_mm(struct intel_vgpu *vgpu);
++void intel_gvt_restore_ggtt(struct intel_gvt *gvt);
+
+ #endif /* _GVT_GTT_H_ */
+diff --git a/drivers/gpu/drm/i915/gvt/gvt.c b/drivers/gpu/drm/i915/gvt/gvt.c
+index 5c9ef8e58a087..87f22a88925ce 100644
+--- a/drivers/gpu/drm/i915/gvt/gvt.c
++++ b/drivers/gpu/drm/i915/gvt/gvt.c
+@@ -405,6 +405,15 @@ int intel_gvt_init_device(struct drm_i915_private *i915)
+ return ret;
+ }
+
++int
++intel_gvt_pm_resume(struct intel_gvt *gvt)
++{
++ intel_gvt_restore_fence(gvt);
++ intel_gvt_restore_mmio(gvt);
++ intel_gvt_restore_ggtt(gvt);
++ return 0;
++}
++
+ int
+ intel_gvt_register_hypervisor(struct intel_gvt_mpt *m)
+ {
+diff --git a/drivers/gpu/drm/i915/gvt/gvt.h b/drivers/gpu/drm/i915/gvt/gvt.h
+index a81cf0f01e78e..b3d6355dd797d 100644
+--- a/drivers/gpu/drm/i915/gvt/gvt.h
++++ b/drivers/gpu/drm/i915/gvt/gvt.h
+@@ -255,6 +255,8 @@ struct intel_gvt_mmio {
+ #define F_CMD_ACCESS (1 << 3)
+ /* This reg has been accessed by a VM */
+ #define F_ACCESSED (1 << 4)
++/* This reg requires save & restore during host PM suspend/resume */
++#define F_PM_SAVE (1 << 5)
+ /* This reg could be accessed by unaligned address */
+ #define F_UNALIGN (1 << 6)
+ /* This reg is in GVT's mmio save-restor list and in hardware
+@@ -685,6 +687,7 @@ void intel_gvt_debugfs_remove_vgpu(struct intel_vgpu *vgpu);
+ void intel_gvt_debugfs_init(struct intel_gvt *gvt);
+ void intel_gvt_debugfs_clean(struct intel_gvt *gvt);
+
++int intel_gvt_pm_resume(struct intel_gvt *gvt);
+
+ #include "trace.h"
+ #include "mpt.h"
+diff --git a/drivers/gpu/drm/i915/gvt/handlers.c b/drivers/gpu/drm/i915/gvt/handlers.c
+index 606e6c315fe24..55ce7aaabf893 100644
+--- a/drivers/gpu/drm/i915/gvt/handlers.c
++++ b/drivers/gpu/drm/i915/gvt/handlers.c
+@@ -3135,9 +3135,10 @@ static int init_skl_mmio_info(struct intel_gvt *gvt)
+ MMIO_DFH(TRVATTL3PTRDW(2), D_SKL_PLUS, F_CMD_ACCESS, NULL, NULL);
+ MMIO_DFH(TRVATTL3PTRDW(3), D_SKL_PLUS, F_CMD_ACCESS, NULL, NULL);
+ MMIO_DFH(TRVADR, D_SKL_PLUS, F_CMD_ACCESS, NULL, NULL);
+- MMIO_DFH(TRTTE, D_SKL_PLUS, F_CMD_ACCESS,
+- NULL, gen9_trtte_write);
+- MMIO_DH(_MMIO(0x4dfc), D_SKL_PLUS, NULL, gen9_trtt_chicken_write);
++ MMIO_DFH(TRTTE, D_SKL_PLUS, F_CMD_ACCESS | F_PM_SAVE,
++ NULL, gen9_trtte_write);
++ MMIO_DFH(_MMIO(0x4dfc), D_SKL_PLUS, F_PM_SAVE,
++ NULL, gen9_trtt_chicken_write);
+
+ MMIO_D(_MMIO(0x46430), D_SKL_PLUS);
+
+@@ -3686,3 +3687,40 @@ int intel_vgpu_mmio_reg_rw(struct intel_vgpu *vgpu, unsigned int offset,
+ intel_vgpu_default_mmio_read(vgpu, offset, pdata, bytes) :
+ intel_vgpu_default_mmio_write(vgpu, offset, pdata, bytes);
+ }
++
++void intel_gvt_restore_fence(struct intel_gvt *gvt)
++{
++ struct intel_vgpu *vgpu;
++ int i, id;
++
++ idr_for_each_entry(&(gvt)->vgpu_idr, vgpu, id) {
++ mmio_hw_access_pre(gvt->gt);
++ for (i = 0; i < vgpu_fence_sz(vgpu); i++)
++ intel_vgpu_write_fence(vgpu, i, vgpu_vreg64(vgpu, fence_num_to_offset(i)));
++ mmio_hw_access_post(gvt->gt);
++ }
++}
++
++static inline int mmio_pm_restore_handler(struct intel_gvt *gvt,
++ u32 offset, void *data)
++{
++ struct intel_vgpu *vgpu = data;
++ struct drm_i915_private *dev_priv = gvt->gt->i915;
++
++ if (gvt->mmio.mmio_attribute[offset >> 2] & F_PM_SAVE)
++ I915_WRITE(_MMIO(offset), vgpu_vreg(vgpu, offset));
++
++ return 0;
++}
++
++void intel_gvt_restore_mmio(struct intel_gvt *gvt)
++{
++ struct intel_vgpu *vgpu;
++ int id;
++
++ idr_for_each_entry(&(gvt)->vgpu_idr, vgpu, id) {
++ mmio_hw_access_pre(gvt->gt);
++ intel_gvt_for_each_tracked_mmio(gvt, mmio_pm_restore_handler, vgpu);
++ mmio_hw_access_post(gvt->gt);
++ }
++}
+diff --git a/drivers/gpu/drm/i915/gvt/mmio.h b/drivers/gpu/drm/i915/gvt/mmio.h
+index cc4812648bf4a..9e862dc73579b 100644
+--- a/drivers/gpu/drm/i915/gvt/mmio.h
++++ b/drivers/gpu/drm/i915/gvt/mmio.h
+@@ -104,4 +104,8 @@ int intel_vgpu_mmio_reg_rw(struct intel_vgpu *vgpu, unsigned int offset,
+
+ int intel_vgpu_mask_mmio_write(struct intel_vgpu *vgpu, unsigned int offset,
+ void *p_data, unsigned int bytes);
++
++void intel_gvt_restore_fence(struct intel_gvt *gvt);
++void intel_gvt_restore_mmio(struct intel_gvt *gvt);
++
+ #endif
+diff --git a/drivers/gpu/drm/i915/intel_gvt.c b/drivers/gpu/drm/i915/intel_gvt.c
+index 99fe8aef1c67f..4e70c1a9ef2ed 100644
+--- a/drivers/gpu/drm/i915/intel_gvt.c
++++ b/drivers/gpu/drm/i915/intel_gvt.c
+@@ -24,6 +24,7 @@
+ #include "i915_drv.h"
+ #include "i915_vgpu.h"
+ #include "intel_gvt.h"
++#include "gvt/gvt.h"
+
+ /**
+ * DOC: Intel GVT-g host support
+@@ -147,3 +148,17 @@ void intel_gvt_driver_remove(struct drm_i915_private *dev_priv)
+
+ intel_gvt_clean_device(dev_priv);
+ }
++
++/**
++ * intel_gvt_resume - GVT resume routine wapper
++ *
++ * @dev_priv: drm i915 private *
++ *
++ * This function is called at the i915 driver resume stage to restore required
++ * HW status for GVT so that vGPU can continue running after resumed.
++ */
++void intel_gvt_resume(struct drm_i915_private *dev_priv)
++{
++ if (intel_gvt_active(dev_priv))
++ intel_gvt_pm_resume(dev_priv->gvt);
++}
+diff --git a/drivers/gpu/drm/i915/intel_gvt.h b/drivers/gpu/drm/i915/intel_gvt.h
+index 502fad8a8652c..d7d3fb6186fdd 100644
+--- a/drivers/gpu/drm/i915/intel_gvt.h
++++ b/drivers/gpu/drm/i915/intel_gvt.h
+@@ -33,6 +33,7 @@ int intel_gvt_init_device(struct drm_i915_private *dev_priv);
+ void intel_gvt_clean_device(struct drm_i915_private *dev_priv);
+ int intel_gvt_init_host(void);
+ void intel_gvt_sanitize_options(struct drm_i915_private *dev_priv);
++void intel_gvt_resume(struct drm_i915_private *dev_priv);
+ #else
+ static inline int intel_gvt_init(struct drm_i915_private *dev_priv)
+ {
+@@ -46,6 +47,10 @@ static inline void intel_gvt_driver_remove(struct drm_i915_private *dev_priv)
+ static inline void intel_gvt_sanitize_options(struct drm_i915_private *dev_priv)
+ {
+ }
++
++static inline void intel_gvt_resume(struct drm_i915_private *dev_priv)
++{
++}
+ #endif
+
+ #endif /* _INTEL_GVT_H_ */
+--
+2.40.1
+
--- /dev/null
+From ac2a1f2eaf8c3e25c21c8f0665f7c7be2fe13c5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Aug 2023 20:33:17 +0300
+Subject: idr: fix param name in idr_alloc_cyclic() doc
+
+From: Ariel Marcovitch <arielmarcovitch@gmail.com>
+
+[ Upstream commit 2a15de80dd0f7e04a823291aa9eb49c5294f56af ]
+
+The relevant parameter is 'start' and not 'nextid'
+
+Fixes: 460488c58ca8 ("idr: Remove idr_alloc_ext")
+Signed-off-by: Ariel Marcovitch <arielmarcovitch@gmail.com>
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/idr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/idr.c b/lib/idr.c
+index 7ecdfdb5309e7..13f2758c23773 100644
+--- a/lib/idr.c
++++ b/lib/idr.c
+@@ -100,7 +100,7 @@ EXPORT_SYMBOL_GPL(idr_alloc);
+ * @end: The maximum ID (exclusive).
+ * @gfp: Memory allocation flags.
+ *
+- * Allocates an unused ID in the range specified by @nextid and @end. If
++ * Allocates an unused ID in the range specified by @start and @end. If
+ * @end is <= 0, it is treated as one larger than %INT_MAX. This allows
+ * callers to use @start + N as @end as long as N is within integer range.
+ * The search for an unused ID will start at the last ID allocated and will
+--
+2.40.1
+
--- /dev/null
+From 4fc3fe521d3cf36b7fdb8b05ad46975e3b633525 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 10:10:58 +0200
+Subject: igb: Change IGB_MIN to allow set rx/tx value between 64 and 80
+
+From: Olga Zaborska <olga.zaborska@intel.com>
+
+[ Upstream commit 6319685bdc8ad5310890add907b7c42f89302886 ]
+
+Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx
+value between 64 and 80. All igb devices can use as low as 64 descriptors.
+This change will unify igb with other drivers.
+Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64")
+
+Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver")
+Signed-off-by: Olga Zaborska <olga.zaborska@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb.h b/drivers/net/ethernet/intel/igb/igb.h
+index e6d2800a8abc5..da0e3897e6831 100644
+--- a/drivers/net/ethernet/intel/igb/igb.h
++++ b/drivers/net/ethernet/intel/igb/igb.h
+@@ -34,11 +34,11 @@ struct igb_adapter;
+ /* TX/RX descriptor defines */
+ #define IGB_DEFAULT_TXD 256
+ #define IGB_DEFAULT_TX_WORK 128
+-#define IGB_MIN_TXD 80
++#define IGB_MIN_TXD 64
+ #define IGB_MAX_TXD 4096
+
+ #define IGB_DEFAULT_RXD 256
+-#define IGB_MIN_RXD 80
++#define IGB_MIN_RXD 64
+ #define IGB_MAX_RXD 4096
+
+ #define IGB_DEFAULT_ITR 3 /* dynamic */
+--
+2.40.1
+
--- /dev/null
+From a6788d663e9c78793c424a559e3c6755be767af7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 14:19:13 +0200
+Subject: igb: disable virtualization features on 82580
+
+From: Corinna Vinschen <vinschen@redhat.com>
+
+[ Upstream commit fa09bc40b21a33937872c4c4cf0f266ec9fa4869 ]
+
+Disable virtualization features on 82580 just as on i210/i211.
+This avoids that virt functions are acidentally called on 82850.
+
+Fixes: 55cac248caa4 ("igb: Add full support for 82580 devices")
+Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 1143800c889ac..01176c86be125 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -3857,8 +3857,9 @@ static void igb_probe_vfs(struct igb_adapter *adapter)
+ struct pci_dev *pdev = adapter->pdev;
+ struct e1000_hw *hw = &adapter->hw;
+
+- /* Virtualization features not supported on i210 family. */
+- if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211))
++ /* Virtualization features not supported on i210 and 82580 family. */
++ if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211) ||
++ (hw->mac.type == e1000_82580))
+ return;
+
+ /* Of the below we really only want the effect of getting
+--
+2.40.1
+
--- /dev/null
+From 79a2a358e89c4d31ba2788db086d8153c12ae203 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 10:10:57 +0200
+Subject: igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80
+
+From: Olga Zaborska <olga.zaborska@intel.com>
+
+[ Upstream commit 8360717524a24a421c36ef8eb512406dbd42160a ]
+
+Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx
+value between 64 and 80. All igbvf devices can use as low as 64 descriptors.
+This change will unify igbvf with other drivers.
+Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64")
+
+Fixes: d4e0fe01a38a ("igbvf: add new driver to support 82576 virtual functions")
+Signed-off-by: Olga Zaborska <olga.zaborska@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igbvf/igbvf.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igbvf/igbvf.h b/drivers/net/ethernet/intel/igbvf/igbvf.h
+index 975eb47ee04df..b39fca9827dc2 100644
+--- a/drivers/net/ethernet/intel/igbvf/igbvf.h
++++ b/drivers/net/ethernet/intel/igbvf/igbvf.h
+@@ -39,11 +39,11 @@ enum latency_range {
+ /* Tx/Rx descriptor defines */
+ #define IGBVF_DEFAULT_TXD 256
+ #define IGBVF_MAX_TXD 4096
+-#define IGBVF_MIN_TXD 80
++#define IGBVF_MIN_TXD 64
+
+ #define IGBVF_DEFAULT_RXD 256
+ #define IGBVF_MAX_RXD 4096
+-#define IGBVF_MIN_RXD 80
++#define IGBVF_MIN_RXD 64
+
+ #define IGBVF_MIN_ITR_USECS 10 /* 100000 irq/sec */
+ #define IGBVF_MAX_ITR_USECS 10000 /* 100 irq/sec */
+--
+2.40.1
+
--- /dev/null
+From baa5878e1cd553f38fac3bcaf1bc7096ae7c00e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 10:10:56 +0200
+Subject: igc: Change IGC_MIN to allow set rx/tx value between 64 and 80
+
+From: Olga Zaborska <olga.zaborska@intel.com>
+
+[ Upstream commit 5aa48279712e1f134aac908acde4df798955a955 ]
+
+Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx
+value between 64 and 80. All igc devices can use as low as 64 descriptors.
+This change will unify igc with other drivers.
+Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64")
+
+Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers")
+Signed-off-by: Olga Zaborska <olga.zaborska@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h
+index 33f64c80335d3..31af08ceb36b9 100644
+--- a/drivers/net/ethernet/intel/igc/igc.h
++++ b/drivers/net/ethernet/intel/igc/igc.h
+@@ -319,11 +319,11 @@ static inline u32 igc_rss_type(const union igc_adv_rx_desc *rx_desc)
+ /* TX/RX descriptor defines */
+ #define IGC_DEFAULT_TXD 256
+ #define IGC_DEFAULT_TX_WORK 128
+-#define IGC_MIN_TXD 80
++#define IGC_MIN_TXD 64
+ #define IGC_MAX_TXD 4096
+
+ #define IGC_DEFAULT_RXD 256
+-#define IGC_MIN_RXD 80
++#define IGC_MIN_RXD 64
+ #define IGC_MAX_RXD 4096
+
+ /* Supported Rx Buffer Sizes */
+--
+2.40.1
+
--- /dev/null
+From 65fbda4f9d9aa2b1ab6b9b09b481d3bf7ed5abf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 13:40:46 +0000
+Subject: ip_tunnels: use DEV_STATS_INC()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9b271ebaf9a2c5c566a54bc6cd915962e8241130 ]
+
+syzbot/KCSAN reported data-races in iptunnel_xmit_stats() [1]
+
+This can run from multiple cpus without mutual exclusion.
+
+Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.
+
+[1]
+BUG: KCSAN: data-race in iptunnel_xmit / iptunnel_xmit
+
+read-write to 0xffff8881353df170 of 8 bytes by task 30263 on cpu 1:
+iptunnel_xmit_stats include/net/ip_tunnels.h:493 [inline]
+iptunnel_xmit+0x432/0x4a0 net/ipv4/ip_tunnel_core.c:87
+ip_tunnel_xmit+0x1477/0x1750 net/ipv4/ip_tunnel.c:831
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:662
+__netdev_start_xmit include/linux/netdevice.h:4889 [inline]
+netdev_start_xmit include/linux/netdevice.h:4903 [inline]
+xmit_one net/core/dev.c:3544 [inline]
+dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560
+__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340
+dev_queue_xmit include/linux/netdevice.h:3082 [inline]
+__bpf_tx_skb net/core/filter.c:2129 [inline]
+__bpf_redirect_no_mac net/core/filter.c:2159 [inline]
+__bpf_redirect+0x723/0x9c0 net/core/filter.c:2182
+____bpf_clone_redirect net/core/filter.c:2453 [inline]
+bpf_clone_redirect+0x16c/0x1d0 net/core/filter.c:2425
+___bpf_prog_run+0xd7d/0x41e0 kernel/bpf/core.c:1954
+__bpf_prog_run512+0x74/0xa0 kernel/bpf/core.c:2195
+bpf_dispatcher_nop_func include/linux/bpf.h:1181 [inline]
+__bpf_prog_run include/linux/filter.h:609 [inline]
+bpf_prog_run include/linux/filter.h:616 [inline]
+bpf_test_run+0x15d/0x3d0 net/bpf/test_run.c:423
+bpf_prog_test_run_skb+0x77b/0xa00 net/bpf/test_run.c:1045
+bpf_prog_test_run+0x265/0x3d0 kernel/bpf/syscall.c:3996
+__sys_bpf+0x3af/0x780 kernel/bpf/syscall.c:5353
+__do_sys_bpf kernel/bpf/syscall.c:5439 [inline]
+__se_sys_bpf kernel/bpf/syscall.c:5437 [inline]
+__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5437
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+read-write to 0xffff8881353df170 of 8 bytes by task 30249 on cpu 0:
+iptunnel_xmit_stats include/net/ip_tunnels.h:493 [inline]
+iptunnel_xmit+0x432/0x4a0 net/ipv4/ip_tunnel_core.c:87
+ip_tunnel_xmit+0x1477/0x1750 net/ipv4/ip_tunnel.c:831
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:662
+__netdev_start_xmit include/linux/netdevice.h:4889 [inline]
+netdev_start_xmit include/linux/netdevice.h:4903 [inline]
+xmit_one net/core/dev.c:3544 [inline]
+dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560
+__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340
+dev_queue_xmit include/linux/netdevice.h:3082 [inline]
+__bpf_tx_skb net/core/filter.c:2129 [inline]
+__bpf_redirect_no_mac net/core/filter.c:2159 [inline]
+__bpf_redirect+0x723/0x9c0 net/core/filter.c:2182
+____bpf_clone_redirect net/core/filter.c:2453 [inline]
+bpf_clone_redirect+0x16c/0x1d0 net/core/filter.c:2425
+___bpf_prog_run+0xd7d/0x41e0 kernel/bpf/core.c:1954
+__bpf_prog_run512+0x74/0xa0 kernel/bpf/core.c:2195
+bpf_dispatcher_nop_func include/linux/bpf.h:1181 [inline]
+__bpf_prog_run include/linux/filter.h:609 [inline]
+bpf_prog_run include/linux/filter.h:616 [inline]
+bpf_test_run+0x15d/0x3d0 net/bpf/test_run.c:423
+bpf_prog_test_run_skb+0x77b/0xa00 net/bpf/test_run.c:1045
+bpf_prog_test_run+0x265/0x3d0 kernel/bpf/syscall.c:3996
+__sys_bpf+0x3af/0x780 kernel/bpf/syscall.c:5353
+__do_sys_bpf kernel/bpf/syscall.c:5439 [inline]
+__se_sys_bpf kernel/bpf/syscall.c:5437 [inline]
+__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5437
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x0000000000018830 -> 0x0000000000018831
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 30249 Comm: syz-executor.4 Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0
+
+Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip_tunnels.h | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
+index 1ddd401a8981f..58d8e6260aa13 100644
+--- a/include/net/ip_tunnels.h
++++ b/include/net/ip_tunnels.h
+@@ -455,15 +455,14 @@ static inline void iptunnel_xmit_stats(struct net_device *dev, int pkt_len)
+ tstats->tx_packets++;
+ u64_stats_update_end(&tstats->syncp);
+ put_cpu_ptr(tstats);
++ return;
++ }
++
++ if (pkt_len < 0) {
++ DEV_STATS_INC(dev, tx_errors);
++ DEV_STATS_INC(dev, tx_aborted_errors);
+ } else {
+- struct net_device_stats *err_stats = &dev->stats;
+-
+- if (pkt_len < 0) {
+- err_stats->tx_errors++;
+- err_stats->tx_aborted_errors++;
+- } else {
+- err_stats->tx_dropped++;
+- }
++ DEV_STATS_INC(dev, tx_dropped);
+ }
+ }
+
+--
+2.40.1
+
--- /dev/null
+From 0f7bb78e9c6641c32cbf62d712695dadcff3502b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 09:55:20 +0000
+Subject: ipv4: annotate data-races around fi->fib_dead
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit fce92af1c29d90184dfec638b5738831097d66e9 ]
+
+syzbot complained about a data-race in fib_table_lookup() [1]
+
+Add appropriate annotations to document it.
+
+[1]
+BUG: KCSAN: data-race in fib_release_info / fib_table_lookup
+
+write to 0xffff888150f31744 of 1 bytes by task 1189 on cpu 0:
+fib_release_info+0x3a0/0x460 net/ipv4/fib_semantics.c:281
+fib_table_delete+0x8d2/0x900 net/ipv4/fib_trie.c:1777
+fib_magic+0x1c1/0x1f0 net/ipv4/fib_frontend.c:1106
+fib_del_ifaddr+0x8cf/0xa60 net/ipv4/fib_frontend.c:1317
+fib_inetaddr_event+0x77/0x200 net/ipv4/fib_frontend.c:1448
+notifier_call_chain kernel/notifier.c:93 [inline]
+blocking_notifier_call_chain+0x90/0x200 kernel/notifier.c:388
+__inet_del_ifa+0x4df/0x800 net/ipv4/devinet.c:432
+inet_del_ifa net/ipv4/devinet.c:469 [inline]
+inetdev_destroy net/ipv4/devinet.c:322 [inline]
+inetdev_event+0x553/0xaf0 net/ipv4/devinet.c:1606
+notifier_call_chain kernel/notifier.c:93 [inline]
+raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461
+call_netdevice_notifiers_info net/core/dev.c:1962 [inline]
+call_netdevice_notifiers_mtu+0xd2/0x130 net/core/dev.c:2037
+dev_set_mtu_ext+0x30b/0x3e0 net/core/dev.c:8673
+do_setlink+0x5be/0x2430 net/core/rtnetlink.c:2837
+rtnl_setlink+0x255/0x300 net/core/rtnetlink.c:3177
+rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6445
+netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2549
+rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6463
+netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365
+netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1914
+sock_sendmsg_nosec net/socket.c:725 [inline]
+sock_sendmsg net/socket.c:748 [inline]
+sock_write_iter+0x1aa/0x230 net/socket.c:1129
+do_iter_write+0x4b4/0x7b0 fs/read_write.c:860
+vfs_writev+0x1a8/0x320 fs/read_write.c:933
+do_writev+0xf8/0x220 fs/read_write.c:976
+__do_sys_writev fs/read_write.c:1049 [inline]
+__se_sys_writev fs/read_write.c:1046 [inline]
+__x64_sys_writev+0x45/0x50 fs/read_write.c:1046
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+read to 0xffff888150f31744 of 1 bytes by task 21839 on cpu 1:
+fib_table_lookup+0x2bf/0xd50 net/ipv4/fib_trie.c:1585
+fib_lookup include/net/ip_fib.h:383 [inline]
+ip_route_output_key_hash_rcu+0x38c/0x12c0 net/ipv4/route.c:2751
+ip_route_output_key_hash net/ipv4/route.c:2641 [inline]
+__ip_route_output_key include/net/route.h:134 [inline]
+ip_route_output_flow+0xa6/0x150 net/ipv4/route.c:2869
+send4+0x1e7/0x500 drivers/net/wireguard/socket.c:61
+wg_socket_send_skb_to_peer+0x94/0x130 drivers/net/wireguard/socket.c:175
+wg_socket_send_buffer_to_peer+0xd6/0x100 drivers/net/wireguard/socket.c:200
+wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
+wg_packet_handshake_send_worker+0x10c/0x150 drivers/net/wireguard/send.c:51
+process_one_work+0x434/0x860 kernel/workqueue.c:2600
+worker_thread+0x5f2/0xa10 kernel/workqueue.c:2751
+kthread+0x1d7/0x210 kernel/kthread.c:389
+ret_from_fork+0x2e/0x40 arch/x86/kernel/process.c:145
+ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
+
+value changed: 0x00 -> 0x01
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 21839 Comm: kworker/u4:18 Tainted: G W 6.5.0-syzkaller #0
+
+Fixes: dccd9ecc3744 ("ipv4: Do not use dead fib_info entries.")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20230830095520.1046984-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fib_semantics.c | 5 ++++-
+ net/ipv4/fib_trie.c | 3 ++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
+index 4e94796ccdbd1..ed20d6ac10dc2 100644
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -278,7 +278,8 @@ void fib_release_info(struct fib_info *fi)
+ hlist_del(&nexthop_nh->nh_hash);
+ } endfor_nexthops(fi)
+ }
+- fi->fib_dead = 1;
++ /* Paired with READ_ONCE() from fib_table_lookup() */
++ WRITE_ONCE(fi->fib_dead, 1);
+ fib_info_put(fi);
+ }
+ spin_unlock_bh(&fib_info_lock);
+@@ -1599,6 +1600,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg,
+ link_it:
+ ofi = fib_find_info(fi);
+ if (ofi) {
++ /* fib_table_lookup() should not see @fi yet. */
+ fi->fib_dead = 1;
+ free_fib_info(fi);
+ ofi->fib_treeref++;
+@@ -1637,6 +1639,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg,
+
+ failure:
+ if (fi) {
++ /* fib_table_lookup() should not see @fi yet. */
+ fi->fib_dead = 1;
+ free_fib_info(fi);
+ }
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index d11fb16234a6a..456240d2adc11 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -1534,7 +1534,8 @@ int fib_table_lookup(struct fib_table *tb, const struct flowi4 *flp,
+ }
+ if (fa->fa_tos && fa->fa_tos != flp->flowi4_tos)
+ continue;
+- if (fi->fib_dead)
++ /* Paired with WRITE_ONCE() in fib_release_info() */
++ if (READ_ONCE(fi->fib_dead))
+ continue;
+ if (fa->fa_info->fib_scope < flp->flowi4_scope)
+ continue;
+--
+2.40.1
+
--- /dev/null
+From 54a1949646cf264e32e441334ec438c27877c792 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 10:03:30 +0200
+Subject: ipv4: ignore dst hint for multipath routes
+
+From: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
+
+[ Upstream commit 6ac66cb03ae306c2e288a9be18226310529f5b25 ]
+
+Route hints when the nexthop is part of a multipath group causes packets
+in the same receive batch to be sent to the same nexthop irrespective of
+the multipath hash of the packet. So, do not extract route hint for
+packets whose destination is part of a multipath group.
+
+A new SKB flag IPSKB_MULTIPATH is introduced for this purpose, set the
+flag when route is looked up in ip_mkroute_input() and use it in
+ip_extract_route_hint() to check for the existence of the flag.
+
+Fixes: 02b24941619f ("ipv4: use dst hint for ipv4 list receive")
+Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip.h | 1 +
+ net/ipv4/ip_input.c | 3 ++-
+ net/ipv4/route.c | 1 +
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/ip.h b/include/net/ip.h
+index 8d1173577fb5c..9be2efe00f2c0 100644
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -56,6 +56,7 @@ struct inet_skb_parm {
+ #define IPSKB_FRAG_PMTU BIT(6)
+ #define IPSKB_L3SLAVE BIT(7)
+ #define IPSKB_NOPOLICY BIT(8)
++#define IPSKB_MULTIPATH BIT(9)
+
+ u16 frag_max_size;
+ };
+diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
+index eccd7897e7aa6..372579686162b 100644
+--- a/net/ipv4/ip_input.c
++++ b/net/ipv4/ip_input.c
+@@ -566,7 +566,8 @@ static void ip_sublist_rcv_finish(struct list_head *head)
+ static struct sk_buff *ip_extract_route_hint(const struct net *net,
+ struct sk_buff *skb, int rt_type)
+ {
+- if (fib4_has_custom_rules(net) || rt_type == RTN_BROADCAST)
++ if (fib4_has_custom_rules(net) || rt_type == RTN_BROADCAST ||
++ IPCB(skb)->flags & IPSKB_MULTIPATH)
+ return NULL;
+
+ return skb;
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 374647693d7ac..3ddeb4fc0d08a 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -2066,6 +2066,7 @@ static int ip_mkroute_input(struct sk_buff *skb,
+ int h = fib_multipath_hash(res->fi->fib_net, NULL, skb, hkeys);
+
+ fib_select_multipath(res, h);
++ IPCB(skb)->flags |= IPSKB_MULTIPATH;
+ }
+ #endif
+
+--
+2.40.1
+
--- /dev/null
+From b7e5b43a814fd1eb0921e6214e82a77c4ac9f5b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Sep 2023 02:07:08 +0900
+Subject: kcm: Destroy mutex in kcm_exit_net()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 6ad40b36cd3b04209e2d6c89d252c873d8082a59 ]
+
+kcm_exit_net() should call mutex_destroy() on knet->mutex. This is especially
+needed if CONFIG_DEBUG_MUTEXES is enabled.
+
+Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Link: https://lore.kernel.org/r/20230902170708.1727999-1-syoshida@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/kcm/kcmsock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
+index 32b516ab9c475..71608a6def988 100644
+--- a/net/kcm/kcmsock.c
++++ b/net/kcm/kcmsock.c
+@@ -1982,6 +1982,8 @@ static __net_exit void kcm_exit_net(struct net *net)
+ * that all multiplexors and psocks have been destroyed.
+ */
+ WARN_ON(!list_empty(&knet->mux_list));
++
++ mutex_destroy(&knet->mutex);
+ }
+
+ static struct pernet_operations kcm_net_ops = {
+--
+2.40.1
+
--- /dev/null
+From 4c94458c53b99ba78d95a5dcca2b2cf3fa396151 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 17:59:14 +0800
+Subject: kconfig: fix possible buffer overflow
+
+From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
+
+[ Upstream commit a3b7039bb2b22fcd2ad20d59c00ed4e606ce3754 ]
+
+Buffer 'new_argv' is accessed without bound check after accessing with
+bound check via 'new_argc' index.
+
+Fixes: e298f3b49def ("kconfig: add built-in function support")
+Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com>
+Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/preprocess.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/preprocess.c b/scripts/kconfig/preprocess.c
+index 748da578b418c..d1f5bcff4b62d 100644
+--- a/scripts/kconfig/preprocess.c
++++ b/scripts/kconfig/preprocess.c
+@@ -396,6 +396,9 @@ static char *eval_clause(const char *str, size_t len, int argc, char *argv[])
+
+ p++;
+ }
++
++ if (new_argc >= FUNCTION_MAX_ARGS)
++ pperror("too many function arguments");
+ new_argv[new_argc++] = prev;
+
+ /*
+--
+2.40.1
+
--- /dev/null
+From 3fed057784702a805b47c0aa3ad014f65f5e18e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 00:53:36 +0300
+Subject: net: dsa: sja1105: fix bandwidth discrepancy between tc-cbs software
+ and offload
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 954ad9bf13c4f95a4958b5f8433301f2ab99e1f5 ]
+
+More careful measurement of the tc-cbs bandwidth shows that the stream
+bandwidth (effectively idleslope) increases, there is a larger and
+larger discrepancy between the rate limit obtained by the software
+Qdisc, and the rate limit obtained by its offloaded counterpart.
+
+The discrepancy becomes so large, that e.g. at an idleslope of 40000
+(40Mbps), the offloaded cbs does not actually rate limit anything, and
+traffic will pass at line rate through a 100 Mbps port.
+
+The reason for the discrepancy is that the hardware documentation I've
+been following is incorrect. UM11040.pdf (for SJA1105P/Q/R/S) states
+about IDLE_SLOPE that it is "the rate (in unit of bytes/sec) at which
+the credit counter is increased".
+
+Cross-checking with UM10944.pdf (for SJA1105E/T) and UM11107.pdf
+(for SJA1110), the wording is different: "This field specifies the
+value, in bytes per second times link speed, by which the credit counter
+is increased".
+
+So there's an extra scaling for link speed that the driver is currently
+not accounting for, and apparently (empirically), that link speed is
+expressed in Kbps.
+
+I've pondered whether to pollute the sja1105_mac_link_up()
+implementation with CBS shaper reprogramming, but I don't think it is
+worth it. IMO, the UAPI exposed by tc-cbs requires user space to
+recalculate the sendslope anyway, since the formula for that depends on
+port_transmit_rate (see man tc-cbs), which is not an invariant from tc's
+perspective.
+
+So we use the offload->sendslope and offload->idleslope to deduce the
+original port_transmit_rate from the CBS formula, and use that value to
+scale the offload->sendslope and offload->idleslope to values that the
+hardware understands.
+
+Some numerical data points:
+
+ 40Mbps stream, max interfering frame size 1500, port speed 100M
+ ---------------------------------------------------------------
+
+ tc-cbs parameters:
+ idleslope 40000 sendslope -60000 locredit -900 hicredit 600
+
+ which result in hardware values:
+
+ Before (doesn't work) After (works)
+ credit_hi 600 600
+ credit_lo 900 900
+ send_slope 7500000 75
+ idle_slope 5000000 50
+
+ 40Mbps stream, max interfering frame size 1500, port speed 1G
+ -------------------------------------------------------------
+
+ tc-cbs parameters:
+ idleslope 40000 sendslope -960000 locredit -1440 hicredit 60
+
+ which result in hardware values:
+
+ Before (doesn't work) After (works)
+ credit_hi 60 60
+ credit_lo 1440 1440
+ send_slope 120000000 120
+ idle_slope 5000000 5
+
+ 5.12Mbps stream, max interfering frame size 1522, port speed 100M
+ -----------------------------------------------------------------
+
+ tc-cbs parameters:
+ idleslope 5120 sendslope -94880 locredit -1444 hicredit 77
+
+ which result in hardware values:
+
+ Before (doesn't work) After (works)
+ credit_hi 77 77
+ credit_lo 1444 1444
+ send_slope 11860000 118
+ idle_slope 640000 6
+
+Tested on SJA1105T, SJA1105S and SJA1110A, at 1Gbps and 100Mbps.
+
+Fixes: 4d7525085a9b ("net: dsa: sja1105: offload the Credit-Based Shaper qdisc")
+Reported-by: Yanan Yang <yanan.yang@nxp.com>
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index c03d76c108686..4c0ee13126e4f 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -1725,6 +1725,7 @@ static int sja1105_setup_tc_cbs(struct dsa_switch *ds, int port,
+ {
+ struct sja1105_private *priv = ds->priv;
+ struct sja1105_cbs_entry *cbs;
++ s64 port_transmit_rate_kbps;
+ int index;
+
+ if (!offload->enable)
+@@ -1742,9 +1743,17 @@ static int sja1105_setup_tc_cbs(struct dsa_switch *ds, int port,
+ */
+ cbs->credit_hi = offload->hicredit;
+ cbs->credit_lo = abs(offload->locredit);
+- /* User space is in kbits/sec, hardware in bytes/sec */
+- cbs->idle_slope = offload->idleslope * BYTES_PER_KBIT;
+- cbs->send_slope = abs(offload->sendslope * BYTES_PER_KBIT);
++ /* User space is in kbits/sec, while the hardware in bytes/sec times
++ * link speed. Since the given offload->sendslope is good only for the
++ * current link speed anyway, and user space is likely to reprogram it
++ * when that changes, don't even bother to track the port's link speed,
++ * but deduce the port transmit rate from idleslope - sendslope.
++ */
++ port_transmit_rate_kbps = offload->idleslope - offload->sendslope;
++ cbs->idle_slope = div_s64(offload->idleslope * BYTES_PER_KBIT,
++ port_transmit_rate_kbps);
++ cbs->send_slope = div_s64(abs(offload->sendslope * BYTES_PER_KBIT),
++ port_transmit_rate_kbps);
+ /* Convert the negative values from 64-bit 2's complement
+ * to 32-bit 2's complement (for the case of 0x80000000 whose
+ * negative is still negative).
+--
+2.40.1
+
--- /dev/null
+From 1430563fb3d76f118184df9ee917df20ba9a995d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 00:53:37 +0300
+Subject: net: dsa: sja1105: fix -ENOSPC when replacing the same tc-cbs too
+ many times
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 894cafc5c62ccced758077bd4e970dc714c42637 ]
+
+After running command [2] too many times in a row:
+
+[1] $ tc qdisc add dev sw2p0 root handle 1: mqprio num_tc 8 \
+ map 0 1 2 3 4 5 6 7 queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0
+[2] $ tc qdisc replace dev sw2p0 parent 1:1 cbs offload 1 \
+ idleslope 120000 sendslope -880000 locredit -1320 hicredit 180
+
+(aka more than priv->info->num_cbs_shapers times)
+
+we start seeing the following error message:
+
+Error: Specified device failed to setup cbs hardware offload.
+
+This comes from the fact that ndo_setup_tc(TC_SETUP_QDISC_CBS) presents
+the same API for the qdisc create and replace cases, and the sja1105
+driver fails to distinguish between the 2. Thus, it always thinks that
+it must allocate the same shaper for a {port, queue} pair, when it may
+instead have to replace an existing one.
+
+Fixes: 4d7525085a9b ("net: dsa: sja1105: offload the Credit-Based Shaper qdisc")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index 4c0ee13126e4f..4362fe0f346d2 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -1691,6 +1691,18 @@ static void sja1105_bridge_leave(struct dsa_switch *ds, int port,
+
+ #define BYTES_PER_KBIT (1000LL / 8)
+
++static int sja1105_find_cbs_shaper(struct sja1105_private *priv,
++ int port, int prio)
++{
++ int i;
++
++ for (i = 0; i < priv->info->num_cbs_shapers; i++)
++ if (priv->cbs[i].port == port && priv->cbs[i].prio == prio)
++ return i;
++
++ return -1;
++}
++
+ static int sja1105_find_unused_cbs_shaper(struct sja1105_private *priv)
+ {
+ int i;
+@@ -1731,9 +1743,14 @@ static int sja1105_setup_tc_cbs(struct dsa_switch *ds, int port,
+ if (!offload->enable)
+ return sja1105_delete_cbs_shaper(priv, port, offload->queue);
+
+- index = sja1105_find_unused_cbs_shaper(priv);
+- if (index < 0)
+- return -ENOSPC;
++ /* The user may be replacing an existing shaper */
++ index = sja1105_find_cbs_shaper(priv, port, offload->queue);
++ if (index < 0) {
++ /* That isn't the case - see if we can allocate a new one */
++ index = sja1105_find_unused_cbs_shaper(priv);
++ if (index < 0)
++ return -ENOSPC;
++ }
+
+ cbs = &priv->cbs[index];
+ cbs->port = port;
+--
+2.40.1
+
--- /dev/null
+From 8039bf933c603d1af5672bdaa2fde0395ab3434d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 15:20:17 +0800
+Subject: net: hns3: fix the port information display when sfp is absent
+
+From: Yisen Zhuang <yisen.zhuang@huawei.com>
+
+[ Upstream commit 674d9591a32d01df75d6b5fffed4ef942a294376 ]
+
+When sfp is absent or unidentified, the port type should be
+displayed as PORT_OTHERS, rather than PORT_FIBRE.
+
+Fixes: 88d10bd6f730 ("net: hns3: add support for multiple media type")
+Signed-off-by: Yisen Zhuang <yisen.zhuang@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+index cd0d7a546957a..d35f4b2b480e6 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+@@ -704,7 +704,9 @@ static int hns3_get_link_ksettings(struct net_device *netdev,
+ hns3_get_ksettings(h, cmd);
+ break;
+ case HNAE3_MEDIA_TYPE_FIBER:
+- if (module_type == HNAE3_MODULE_TYPE_CR)
++ if (module_type == HNAE3_MODULE_TYPE_UNKNOWN)
++ cmd->base.port = PORT_OTHER;
++ else if (module_type == HNAE3_MODULE_TYPE_CR)
+ cmd->base.port = PORT_DA;
+ else
+ cmd->base.port = PORT_FIBRE;
+--
+2.40.1
+
--- /dev/null
+From 6b644c15e541d8c5599a239eef9776eaa2a76f15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 22:41:27 -0600
+Subject: net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr
+
+From: Alex Henrie <alexhenrie24@gmail.com>
+
+[ Upstream commit f31867d0d9d82af757c1e0178b659438f4c1ea3c ]
+
+The existing code incorrectly casted a negative value (the result of a
+subtraction) to an unsigned value without checking. For example, if
+/proc/sys/net/ipv6/conf/*/temp_prefered_lft was set to 1, the preferred
+lifetime would jump to 4 billion seconds. On my machine and network the
+shortest lifetime that avoided underflow was 3 seconds.
+
+Fixes: 76506a986dc3 ("IPv6: fix DESYNC_FACTOR")
+Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrconf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 9b414681500a5..0eafe26c05f77 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1359,7 +1359,7 @@ static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp, bool block)
+ * idev->desync_factor if it's larger
+ */
+ cnf_temp_preferred_lft = READ_ONCE(idev->cnf.temp_prefered_lft);
+- max_desync_factor = min_t(__u32,
++ max_desync_factor = min_t(long,
+ idev->cnf.max_desync_factor,
+ cnf_temp_preferred_lft - regen_advance);
+
+--
+2.40.1
+
--- /dev/null
+From 5fd56ac5e556e7abf3a68831409bb36b0e6963b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 10:12:44 +0000
+Subject: net: read sk->sk_family once in sk_mc_loop()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a3e0fdf71bbe031de845e8e08ed7fba49f9c702c ]
+
+syzbot is playing with IPV6_ADDRFORM quite a lot these days,
+and managed to hit the WARN_ON_ONCE(1) in sk_mc_loop()
+
+We have many more similar issues to fix.
+
+WARNING: CPU: 1 PID: 1593 at net/core/sock.c:782 sk_mc_loop+0x165/0x260
+Modules linked in:
+CPU: 1 PID: 1593 Comm: kworker/1:3 Not tainted 6.1.40-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
+Workqueue: events_power_efficient gc_worker
+RIP: 0010:sk_mc_loop+0x165/0x260 net/core/sock.c:782
+Code: 34 1b fd 49 81 c7 18 05 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ff e8 25 36 6d fd 4d 8b 37 eb 13 e8 db 33 1b fd <0f> 0b b3 01 eb 34 e8 d0 33 1b fd 45 31 f6 49 83 c6 38 4c 89 f0 48
+RSP: 0018:ffffc90000388530 EFLAGS: 00010246
+RAX: ffffffff846d9b55 RBX: 0000000000000011 RCX: ffff88814f884980
+RDX: 0000000000000102 RSI: ffffffff87ae5160 RDI: 0000000000000011
+RBP: ffffc90000388550 R08: 0000000000000003 R09: ffffffff846d9a65
+R10: 0000000000000002 R11: ffff88814f884980 R12: dffffc0000000000
+R13: ffff88810dbee000 R14: 0000000000000010 R15: ffff888150084000
+FS: 0000000000000000(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020000180 CR3: 000000014ee5b000 CR4: 00000000003506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<IRQ>
+[<ffffffff8507734f>] ip6_finish_output2+0x33f/0x1ae0 net/ipv6/ip6_output.c:83
+[<ffffffff85062766>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
+[<ffffffff85062766>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
+[<ffffffff85061f8c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
+[<ffffffff85061f8c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
+[<ffffffff852071cf>] dst_output include/net/dst.h:444 [inline]
+[<ffffffff852071cf>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
+[<ffffffff83618fb4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
+[<ffffffff83618fb4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
+[<ffffffff83618fb4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+[<ffffffff83618fb4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
+[<ffffffff8361ddd9>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
+[<ffffffff84763fc0>] netdev_start_xmit include/linux/netdevice.h:4925 [inline]
+[<ffffffff84763fc0>] xmit_one net/core/dev.c:3644 [inline]
+[<ffffffff84763fc0>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
+[<ffffffff8494c650>] sch_direct_xmit+0x2a0/0x9c0 net/sched/sch_generic.c:342
+[<ffffffff8494d883>] qdisc_restart net/sched/sch_generic.c:407 [inline]
+[<ffffffff8494d883>] __qdisc_run+0xb13/0x1e70 net/sched/sch_generic.c:415
+[<ffffffff8478c426>] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125
+[<ffffffff84796eac>] net_tx_action+0x7ac/0x940 net/core/dev.c:5247
+[<ffffffff858002bd>] __do_softirq+0x2bd/0x9bd kernel/softirq.c:599
+[<ffffffff814c3fe8>] invoke_softirq kernel/softirq.c:430 [inline]
+[<ffffffff814c3fe8>] __irq_exit_rcu+0xc8/0x170 kernel/softirq.c:683
+[<ffffffff814c3f09>] irq_exit_rcu+0x9/0x20 kernel/softirq.c:695
+
+Fixes: 7ad6848c7e81 ("ip: fix mc_loop checks for tunnels with multicast outer addresses")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20230830101244.1146934-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 742356cfd07c4..e2d45631c15d7 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -690,7 +690,8 @@ bool sk_mc_loop(struct sock *sk)
+ return false;
+ if (!sk)
+ return true;
+- switch (sk->sk_family) {
++ /* IPV6_ADDRFORM can change sk->sk_family under us. */
++ switch (READ_ONCE(sk->sk_family)) {
+ case AF_INET:
+ return inet_sk(sk)->mc_loop;
+ #if IS_ENABLED(CONFIG_IPV6)
+--
+2.40.1
+
--- /dev/null
+From 51982e792f6c52f3b9b2615f86819c5b1ebd7634 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Aug 2023 12:35:41 +0000
+Subject: net/sched: fq_pie: avoid stalls in fq_pie_timer()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8c21ab1bae945686c602c5bfa4e3f3352c2452c5 ]
+
+When setting a high number of flows (limit being 65536),
+fq_pie_timer() is currently using too much time as syzbot reported.
+
+Add logic to yield the cpu every 2048 flows (less than 150 usec
+on debug kernels).
+It should also help by not blocking qdisc fast paths for too long.
+Worst case (65536 flows) would need 31 jiffies for a complete scan.
+
+Relevant extract from syzbot report:
+
+rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 0-.... } 2663 jiffies s: 873 root: 0x1/.
+rcu: blocking rcu_node structures (internal RCU debug):
+Sending NMI from CPU 1 to CPUs 0:
+NMI backtrace for cpu 0
+CPU: 0 PID: 5177 Comm: syz-executor273 Not tainted 6.5.0-syzkaller-00453-g727dbda16b83 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
+RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]
+RIP: 0010:write_comp_data+0x21/0x90 kernel/kcov.c:236
+Code: 2e 0f 1f 84 00 00 00 00 00 65 8b 05 01 b2 7d 7e 49 89 f1 89 c6 49 89 d2 81 e6 00 01 00 00 49 89 f8 65 48 8b 14 25 80 b9 03 00 <a9> 00 01 ff 00 74 0e 85 f6 74 59 8b 82 04 16 00 00 85 c0 74 4f 8b
+RSP: 0018:ffffc90000007bb8 EFLAGS: 00000206
+RAX: 0000000000000101 RBX: ffffc9000dc0d140 RCX: ffffffff885893b0
+RDX: ffff88807c075940 RSI: 0000000000000100 RDI: 0000000000000001
+RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000dc0d178
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+FS: 0000555555d54380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f6b442f6130 CR3: 000000006fe1c000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <NMI>
+ </NMI>
+ <IRQ>
+ pie_calculate_probability+0x480/0x850 net/sched/sch_pie.c:415
+ fq_pie_timer+0x1da/0x4f0 net/sched/sch_fq_pie.c:387
+ call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700
+
+Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler")
+Link: https://lore.kernel.org/lkml/00000000000017ad3f06040bf394@google.com/
+Reported-by: syzbot+e46fbd5289363464bc13@syzkaller.appspotmail.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://lore.kernel.org/r/20230829123541.3745013-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_fq_pie.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+diff --git a/net/sched/sch_fq_pie.c b/net/sched/sch_fq_pie.c
+index 4f6b5b6fba3ed..a5b63158f081c 100644
+--- a/net/sched/sch_fq_pie.c
++++ b/net/sched/sch_fq_pie.c
+@@ -61,6 +61,7 @@ struct fq_pie_sched_data {
+ struct pie_params p_params;
+ u32 ecn_prob;
+ u32 flows_cnt;
++ u32 flows_cursor;
+ u32 quantum;
+ u32 memory_limit;
+ u32 new_flow_count;
+@@ -378,21 +379,31 @@ static int fq_pie_change(struct Qdisc *sch, struct nlattr *opt,
+ static void fq_pie_timer(struct timer_list *t)
+ {
+ struct fq_pie_sched_data *q = from_timer(q, t, adapt_timer);
++ unsigned long next, tupdate;
+ struct Qdisc *sch = q->sch;
+ spinlock_t *root_lock; /* to lock qdisc for probability calculations */
+- u32 idx;
++ int max_cnt, i;
+
+ root_lock = qdisc_lock(qdisc_root_sleeping(sch));
+ spin_lock(root_lock);
+
+- for (idx = 0; idx < q->flows_cnt; idx++)
+- pie_calculate_probability(&q->p_params, &q->flows[idx].vars,
+- q->flows[idx].backlog);
+-
+- /* reset the timer to fire after 'tupdate' jiffies. */
+- if (q->p_params.tupdate)
+- mod_timer(&q->adapt_timer, jiffies + q->p_params.tupdate);
++ /* Limit this expensive loop to 2048 flows per round. */
++ max_cnt = min_t(int, q->flows_cnt - q->flows_cursor, 2048);
++ for (i = 0; i < max_cnt; i++) {
++ pie_calculate_probability(&q->p_params,
++ &q->flows[q->flows_cursor].vars,
++ q->flows[q->flows_cursor].backlog);
++ q->flows_cursor++;
++ }
+
++ tupdate = q->p_params.tupdate;
++ next = 0;
++ if (q->flows_cursor >= q->flows_cnt) {
++ q->flows_cursor = 0;
++ next = tupdate;
++ }
++ if (tupdate)
++ mod_timer(&q->adapt_timer, jiffies + next);
+ spin_unlock(root_lock);
+ }
+
+--
+2.40.1
+
--- /dev/null
+From f5ab5d42e2ffca7a805a7619c4ca34a6ff800f2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 12:22:37 -0400
+Subject: net: sched: sch_qfq: Fix UAF in qfq_dequeue()
+
+From: valis <sec@valis.email>
+
+[ Upstream commit 8fc134fee27f2263988ae38920bc03da416b03d8 ]
+
+When the plug qdisc is used as a class of the qfq qdisc it could trigger a
+UAF. This issue can be reproduced with following commands:
+
+ tc qdisc add dev lo root handle 1: qfq
+ tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512
+ tc qdisc add dev lo parent 1:1 handle 2: plug
+ tc filter add dev lo parent 1: basic classid 1:1
+ ping -c1 127.0.0.1
+
+and boom:
+
+[ 285.353793] BUG: KASAN: slab-use-after-free in qfq_dequeue+0xa7/0x7f0
+[ 285.354910] Read of size 4 at addr ffff8880bad312a8 by task ping/144
+[ 285.355903]
+[ 285.356165] CPU: 1 PID: 144 Comm: ping Not tainted 6.5.0-rc3+ #4
+[ 285.357112] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
+[ 285.358376] Call Trace:
+[ 285.358773] <IRQ>
+[ 285.359109] dump_stack_lvl+0x44/0x60
+[ 285.359708] print_address_description.constprop.0+0x2c/0x3c0
+[ 285.360611] kasan_report+0x10c/0x120
+[ 285.361195] ? qfq_dequeue+0xa7/0x7f0
+[ 285.361780] qfq_dequeue+0xa7/0x7f0
+[ 285.362342] __qdisc_run+0xf1/0x970
+[ 285.362903] net_tx_action+0x28e/0x460
+[ 285.363502] __do_softirq+0x11b/0x3de
+[ 285.364097] do_softirq.part.0+0x72/0x90
+[ 285.364721] </IRQ>
+[ 285.365072] <TASK>
+[ 285.365422] __local_bh_enable_ip+0x77/0x90
+[ 285.366079] __dev_queue_xmit+0x95f/0x1550
+[ 285.366732] ? __pfx_csum_and_copy_from_iter+0x10/0x10
+[ 285.367526] ? __pfx___dev_queue_xmit+0x10/0x10
+[ 285.368259] ? __build_skb_around+0x129/0x190
+[ 285.368960] ? ip_generic_getfrag+0x12c/0x170
+[ 285.369653] ? __pfx_ip_generic_getfrag+0x10/0x10
+[ 285.370390] ? csum_partial+0x8/0x20
+[ 285.370961] ? raw_getfrag+0xe5/0x140
+[ 285.371559] ip_finish_output2+0x539/0xa40
+[ 285.372222] ? __pfx_ip_finish_output2+0x10/0x10
+[ 285.372954] ip_output+0x113/0x1e0
+[ 285.373512] ? __pfx_ip_output+0x10/0x10
+[ 285.374130] ? icmp_out_count+0x49/0x60
+[ 285.374739] ? __pfx_ip_finish_output+0x10/0x10
+[ 285.375457] ip_push_pending_frames+0xf3/0x100
+[ 285.376173] raw_sendmsg+0xef5/0x12d0
+[ 285.376760] ? do_syscall_64+0x40/0x90
+[ 285.377359] ? __static_call_text_end+0x136578/0x136578
+[ 285.378173] ? do_syscall_64+0x40/0x90
+[ 285.378772] ? kasan_enable_current+0x11/0x20
+[ 285.379469] ? __pfx_raw_sendmsg+0x10/0x10
+[ 285.380137] ? __sock_create+0x13e/0x270
+[ 285.380673] ? __sys_socket+0xf3/0x180
+[ 285.381174] ? __x64_sys_socket+0x3d/0x50
+[ 285.381725] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ 285.382425] ? __rcu_read_unlock+0x48/0x70
+[ 285.382975] ? ip4_datagram_release_cb+0xd8/0x380
+[ 285.383608] ? __pfx_ip4_datagram_release_cb+0x10/0x10
+[ 285.384295] ? preempt_count_sub+0x14/0xc0
+[ 285.384844] ? __list_del_entry_valid+0x76/0x140
+[ 285.385467] ? _raw_spin_lock_bh+0x87/0xe0
+[ 285.386014] ? __pfx__raw_spin_lock_bh+0x10/0x10
+[ 285.386645] ? release_sock+0xa0/0xd0
+[ 285.387148] ? preempt_count_sub+0x14/0xc0
+[ 285.387712] ? freeze_secondary_cpus+0x348/0x3c0
+[ 285.388341] ? aa_sk_perm+0x177/0x390
+[ 285.388856] ? __pfx_aa_sk_perm+0x10/0x10
+[ 285.389441] ? check_stack_object+0x22/0x70
+[ 285.390032] ? inet_send_prepare+0x2f/0x120
+[ 285.390603] ? __pfx_inet_sendmsg+0x10/0x10
+[ 285.391172] sock_sendmsg+0xcc/0xe0
+[ 285.391667] __sys_sendto+0x190/0x230
+[ 285.392168] ? __pfx___sys_sendto+0x10/0x10
+[ 285.392727] ? kvm_clock_get_cycles+0x14/0x30
+[ 285.393328] ? set_normalized_timespec64+0x57/0x70
+[ 285.393980] ? _raw_spin_unlock_irq+0x1b/0x40
+[ 285.394578] ? __x64_sys_clock_gettime+0x11c/0x160
+[ 285.395225] ? __pfx___x64_sys_clock_gettime+0x10/0x10
+[ 285.395908] ? _copy_to_user+0x3e/0x60
+[ 285.396432] ? exit_to_user_mode_prepare+0x1a/0x120
+[ 285.397086] ? syscall_exit_to_user_mode+0x22/0x50
+[ 285.397734] ? do_syscall_64+0x71/0x90
+[ 285.398258] __x64_sys_sendto+0x74/0x90
+[ 285.398786] do_syscall_64+0x64/0x90
+[ 285.399273] ? exit_to_user_mode_prepare+0x1a/0x120
+[ 285.399949] ? syscall_exit_to_user_mode+0x22/0x50
+[ 285.400605] ? do_syscall_64+0x71/0x90
+[ 285.401124] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ 285.401807] RIP: 0033:0x495726
+[ 285.402233] Code: ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 09
+[ 285.404683] RSP: 002b:00007ffcc25fb618 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+[ 285.405677] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 0000000000495726
+[ 285.406628] RDX: 0000000000000040 RSI: 0000000002518750 RDI: 0000000000000000
+[ 285.407565] RBP: 00000000005205ef R08: 00000000005f8838 R09: 000000000000001c
+[ 285.408523] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000002517634
+[ 285.409460] R13: 00007ffcc25fb6f0 R14: 0000000000000003 R15: 0000000000000000
+[ 285.410403] </TASK>
+[ 285.410704]
+[ 285.410929] Allocated by task 144:
+[ 285.411402] kasan_save_stack+0x1e/0x40
+[ 285.411926] kasan_set_track+0x21/0x30
+[ 285.412442] __kasan_slab_alloc+0x55/0x70
+[ 285.412973] kmem_cache_alloc_node+0x187/0x3d0
+[ 285.413567] __alloc_skb+0x1b4/0x230
+[ 285.414060] __ip_append_data+0x17f7/0x1b60
+[ 285.414633] ip_append_data+0x97/0xf0
+[ 285.415144] raw_sendmsg+0x5a8/0x12d0
+[ 285.415640] sock_sendmsg+0xcc/0xe0
+[ 285.416117] __sys_sendto+0x190/0x230
+[ 285.416626] __x64_sys_sendto+0x74/0x90
+[ 285.417145] do_syscall_64+0x64/0x90
+[ 285.417624] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ 285.418306]
+[ 285.418531] Freed by task 144:
+[ 285.418960] kasan_save_stack+0x1e/0x40
+[ 285.419469] kasan_set_track+0x21/0x30
+[ 285.419988] kasan_save_free_info+0x27/0x40
+[ 285.420556] ____kasan_slab_free+0x109/0x1a0
+[ 285.421146] kmem_cache_free+0x1c2/0x450
+[ 285.421680] __netif_receive_skb_core+0x2ce/0x1870
+[ 285.422333] __netif_receive_skb_one_core+0x97/0x140
+[ 285.423003] process_backlog+0x100/0x2f0
+[ 285.423537] __napi_poll+0x5c/0x2d0
+[ 285.424023] net_rx_action+0x2be/0x560
+[ 285.424510] __do_softirq+0x11b/0x3de
+[ 285.425034]
+[ 285.425254] The buggy address belongs to the object at ffff8880bad31280
+[ 285.425254] which belongs to the cache skbuff_head_cache of size 224
+[ 285.426993] The buggy address is located 40 bytes inside of
+[ 285.426993] freed 224-byte region [ffff8880bad31280, ffff8880bad31360)
+[ 285.428572]
+[ 285.428798] The buggy address belongs to the physical page:
+[ 285.429540] page:00000000f4b77674 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbad31
+[ 285.430758] flags: 0x100000000000200(slab|node=0|zone=1)
+[ 285.431447] page_type: 0xffffffff()
+[ 285.431934] raw: 0100000000000200 ffff88810094a8c0 dead000000000122 0000000000000000
+[ 285.432757] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+[ 285.433562] page dumped because: kasan: bad access detected
+[ 285.434144]
+[ 285.434320] Memory state around the buggy address:
+[ 285.434828] ffff8880bad31180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 285.435580] ffff8880bad31200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 285.436264] >ffff8880bad31280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 285.436777] ^
+[ 285.437106] ffff8880bad31300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+[ 285.437616] ffff8880bad31380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 285.438126] ==================================================================
+[ 285.438662] Disabling lock debugging due to kernel taint
+
+Fix this by:
+1. Changing sch_plug's .peek handler to qdisc_peek_dequeued(), a
+function compatible with non-work-conserving qdiscs
+2. Checking the return value of qdisc_dequeue_peeked() in sch_qfq.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: valis <sec@valis.email>
+Signed-off-by: valis <sec@valis.email>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://lore.kernel.org/r/20230901162237.11525-1-jhs@mojatatu.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_plug.c | 2 +-
+ net/sched/sch_qfq.c | 22 +++++++++++++++++-----
+ 2 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/net/sched/sch_plug.c b/net/sched/sch_plug.c
+index cbc2ebca4548c..339990bb59817 100644
+--- a/net/sched/sch_plug.c
++++ b/net/sched/sch_plug.c
+@@ -210,7 +210,7 @@ static struct Qdisc_ops plug_qdisc_ops __read_mostly = {
+ .priv_size = sizeof(struct plug_sched_data),
+ .enqueue = plug_enqueue,
+ .dequeue = plug_dequeue,
+- .peek = qdisc_peek_head,
++ .peek = qdisc_peek_dequeued,
+ .init = plug_init,
+ .change = plug_change,
+ .reset = qdisc_reset_queue,
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index d5a1e4b237b18..ebf9f473c9392 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -979,10 +979,13 @@ static void qfq_update_eligible(struct qfq_sched *q)
+ }
+
+ /* Dequeue head packet of the head class in the DRR queue of the aggregate. */
+-static void agg_dequeue(struct qfq_aggregate *agg,
+- struct qfq_class *cl, unsigned int len)
++static struct sk_buff *agg_dequeue(struct qfq_aggregate *agg,
++ struct qfq_class *cl, unsigned int len)
+ {
+- qdisc_dequeue_peeked(cl->qdisc);
++ struct sk_buff *skb = qdisc_dequeue_peeked(cl->qdisc);
++
++ if (!skb)
++ return NULL;
+
+ cl->deficit -= (int) len;
+
+@@ -992,6 +995,8 @@ static void agg_dequeue(struct qfq_aggregate *agg,
+ cl->deficit += agg->lmax;
+ list_move_tail(&cl->alist, &agg->active);
+ }
++
++ return skb;
+ }
+
+ static inline struct sk_buff *qfq_peek_skb(struct qfq_aggregate *agg,
+@@ -1137,11 +1142,18 @@ static struct sk_buff *qfq_dequeue(struct Qdisc *sch)
+ if (!skb)
+ return NULL;
+
+- qdisc_qstats_backlog_dec(sch, skb);
+ sch->q.qlen--;
++
++ skb = agg_dequeue(in_serv_agg, cl, len);
++
++ if (!skb) {
++ sch->q.qlen++;
++ return NULL;
++ }
++
++ qdisc_qstats_backlog_dec(sch, skb);
+ qdisc_bstats_update(sch, skb);
+
+- agg_dequeue(in_serv_agg, cl, len);
+ /* If lmax is lowered, through qfq_change_class, for a class
+ * owning pending packets with larger size than the new value
+ * of lmax, then the following condition may hold.
+--
+2.40.1
+
--- /dev/null
+From d9a8903f2b281a996b0df040ae6afe8f4b28b115 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 10:50:20 -0300
+Subject: netfilter: nfnetlink_osf: avoid OOB read
+
+From: Wander Lairson Costa <wander@redhat.com>
+
+[ Upstream commit f4f8a7803119005e87b716874bec07c751efafec ]
+
+The opt_num field is controlled by user mode and is not currently
+validated inside the kernel. An attacker can take advantage of this to
+trigger an OOB read and potentially leak information.
+
+BUG: KASAN: slab-out-of-bounds in nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
+Read of size 2 at addr ffff88804bc64272 by task poc/6431
+
+CPU: 1 PID: 6431 Comm: poc Not tainted 6.0.0-rc4 #1
+Call Trace:
+ nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
+ nf_osf_find+0x186/0x2f0 net/netfilter/nfnetlink_osf.c:281
+ nft_osf_eval+0x37f/0x590 net/netfilter/nft_osf.c:47
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:214
+ nft_do_chain+0x2b0/0x1490 net/netfilter/nf_tables_core.c:264
+ nft_do_chain_ipv4+0x17c/0x1f0 net/netfilter/nft_chain_filter.c:23
+ [..]
+
+Also add validation to genre, subtype and version fields.
+
+Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
+Reported-by: Lucas Leong <wmliang@infosec.exchange>
+Signed-off-by: Wander Lairson Costa <wander@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_osf.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
+index 9dbaa5ce24e51..573a372e760f4 100644
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -316,6 +316,14 @@ static int nfnl_osf_add_callback(struct net *net, struct sock *ctnl,
+
+ f = nla_data(osf_attrs[OSF_ATTR_FINGER]);
+
++ if (f->opt_num > ARRAY_SIZE(f->opt))
++ return -EINVAL;
++
++ if (!memchr(f->genre, 0, MAXGENRELEN) ||
++ !memchr(f->subtype, 0, MAXGENRELEN) ||
++ !memchr(f->version, 0, MAXGENRELEN))
++ return -EINVAL;
++
+ kf = kmalloc(sizeof(struct nf_osf_finger), GFP_KERNEL);
+ if (!kf)
+ return -ENOMEM;
+--
+2.40.1
+
--- /dev/null
+From 609366315a3590a8b48720d42b2e6dc66434f2f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Aug 2023 18:22:14 -0300
+Subject: perf annotate bpf: Don't enclose non-debug code with an assert()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 979e9c9fc9c2a761303585e07fe2699bdd88182f ]
+
+In 616b14b47a86d880 ("perf build: Conditionally define NDEBUG") we
+started using NDEBUG=1 when DEBUG=1 isn't present, so code that is
+enclosed with assert() is not called.
+
+In dd317df072071903 ("perf build: Make binutil libraries opt in") we
+stopped linking against binutils-devel, for licensing reasons.
+
+Recently people asked me why annotation of BPF programs wasn't working,
+i.e. this:
+
+ $ perf annotate bpf_prog_5280546344e3f45c_kfree_skb
+
+was returning:
+
+ case SYMBOL_ANNOTATE_ERRNO__NO_LIBOPCODES_FOR_BPF:
+ scnprintf(buf, buflen, "Please link with binutils's libopcode to enable BPF annotation");
+
+This was on a fedora rpm, so its new enough that I had to try to test by
+rebuilding using BUILD_NONDISTRO=1, only to get it segfaulting on me.
+
+This combination made this libopcode function not to be called:
+
+ assert(bfd_check_format(bfdf, bfd_object));
+
+Changing it to:
+
+ if (!bfd_check_format(bfdf, bfd_object))
+ abort();
+
+Made it work, looking at this "check" function made me realize it
+changes the 'bfdf' internal state, i.e. we better call it.
+
+So stop using assert() on it, just call it and abort if it fails.
+
+Probably it is better to propagate the error, etc, but it seems it is
+unlikely to fail from the usage done so far and we really need to stop
+using libopcodes, so do the quick fix above and move on.
+
+With it we have BPF annotation back working when built with
+BUILD_NONDISTRO=1:
+
+ ⬢[acme@toolbox perf-tools-next]$ perf annotate --stdio2 bpf_prog_5280546344e3f45c_kfree_skb | head
+ No kallsyms or vmlinux with build-id 939bc71a1a51cdc434e60af93c7e734f7d5c0e7e was found
+ Samples: 12 of event 'cpu-clock:ppp', 4000 Hz, Event count (approx.): 3000000, [percent: local period]
+ bpf_prog_5280546344e3f45c_kfree_skb() bpf_prog_5280546344e3f45c_kfree_skb
+ Percent int kfree_skb(struct trace_event_raw_kfree_skb *args) {
+ nop
+ 33.33 xchg %ax,%ax
+ push %rbp
+ mov %rsp,%rbp
+ sub $0x180,%rsp
+ push %rbx
+ push %r13
+ ⬢[acme@toolbox perf-tools-next]$
+
+Fixes: 6987561c9e86eace ("perf annotate: Enable annotation of BPF programs")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Mohamed Mahmoud <mmahmoud@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Dave Tucker <datucker@redhat.com>
+Cc: Derek Barbosa <debarbos@redhat.com>
+Cc: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/lkml/ZMrMzoQBe0yqMek1@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/annotate.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
+index 3081894547883..c9078cee6be01 100644
+--- a/tools/perf/util/annotate.c
++++ b/tools/perf/util/annotate.c
+@@ -1718,8 +1718,11 @@ static int symbol__disassemble_bpf(struct symbol *sym,
+ perf_exe(tpath, sizeof(tpath));
+
+ bfdf = bfd_openr(tpath, NULL);
+- assert(bfdf);
+- assert(bfd_check_format(bfdf, bfd_object));
++ if (bfdf == NULL)
++ abort();
++
++ if (!bfd_check_format(bfdf, bfd_object))
++ abort();
+
+ s = open_memstream(&buf, &buf_size);
+ if (!s) {
+@@ -1767,7 +1770,8 @@ static int symbol__disassemble_bpf(struct symbol *sym,
+ #else
+ disassemble = disassembler(bfdf);
+ #endif
+- assert(disassemble);
++ if (disassemble == NULL)
++ abort();
+
+ fflush(s);
+ do {
+--
+2.40.1
+
--- /dev/null
+From 9703d18081794a23fe26f8f54398d93787251b37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 09:11:21 -0300
+Subject: perf top: Don't pass an ERR_PTR() directly to perf_session__delete()
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit ef23cb593304bde0cc046fd4cc83ae7ea2e24f16 ]
+
+While debugging a segfault on 'perf lock contention' without an
+available perf.data file I noticed that it was basically calling:
+
+ perf_session__delete(ERR_PTR(-1))
+
+Resulting in:
+
+ (gdb) run lock contention
+ Starting program: /root/bin/perf lock contention
+ [Thread debugging using libthread_db enabled]
+ Using host libthread_db library "/lib64/libthread_db.so.1".
+ failed to open perf.data: No such file or directory (try 'perf record' first)
+ Initializing perf session failed
+
+ Program received signal SIGSEGV, Segmentation fault.
+ 0x00000000005e7515 in auxtrace__free (session=0xffffffffffffffff) at util/auxtrace.c:2858
+ 2858 if (!session->auxtrace)
+ (gdb) p session
+ $1 = (struct perf_session *) 0xffffffffffffffff
+ (gdb) bt
+ #0 0x00000000005e7515 in auxtrace__free (session=0xffffffffffffffff) at util/auxtrace.c:2858
+ #1 0x000000000057bb4d in perf_session__delete (session=0xffffffffffffffff) at util/session.c:300
+ #2 0x000000000047c421 in __cmd_contention (argc=0, argv=0x7fffffffe200) at builtin-lock.c:2161
+ #3 0x000000000047dc95 in cmd_lock (argc=0, argv=0x7fffffffe200) at builtin-lock.c:2604
+ #4 0x0000000000501466 in run_builtin (p=0xe597a8 <commands+552>, argc=2, argv=0x7fffffffe200) at perf.c:322
+ #5 0x00000000005016d5 in handle_internal_command (argc=2, argv=0x7fffffffe200) at perf.c:375
+ #6 0x0000000000501824 in run_argv (argcp=0x7fffffffe02c, argv=0x7fffffffe020) at perf.c:419
+ #7 0x0000000000501b11 in main (argc=2, argv=0x7fffffffe200) at perf.c:535
+ (gdb)
+
+So just set it to NULL after using PTR_ERR(session) to decode the error
+as perf_session__delete(NULL) is supported.
+
+The same problem was found in 'perf top' after an audit of all
+perf_session__new() failure handling.
+
+Fixes: 6ef81c55a2b6584c ("perf session: Return error code for perf_session__new() function on failure")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Alexey Budankov <alexey.budankov@linux.intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jeremie Galarneau <jeremie.galarneau@efficios.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kate Stewart <kstewart@linuxfoundation.org>
+Cc: Mamatha Inamdar <mamatha4@linux.vnet.ibm.com>
+Cc: Mukesh Ojha <mojha@codeaurora.org>
+Cc: Nageswara R Sastry <rnsastry@linux.vnet.ibm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Cc: Shawn Landden <shawn@git.icu>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tzvetomir Stoyanov <tstoyanov@vmware.com>
+Link: https://lore.kernel.org/lkml/ZN4Q2rxxsL08A8rd@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-top.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c
+index 7c64134472c77..ee30372f77133 100644
+--- a/tools/perf/builtin-top.c
++++ b/tools/perf/builtin-top.c
+@@ -1743,6 +1743,7 @@ int cmd_top(int argc, const char **argv)
+ top.session = perf_session__new(NULL, false, NULL);
+ if (IS_ERR(top.session)) {
+ status = PTR_ERR(top.session);
++ top.session = NULL;
+ goto out_delete_evlist;
+ }
+
+--
+2.40.1
+
--- /dev/null
+From 25286d13ddb5a5bf8462ee432b3184a0fff2465b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jul 2023 17:52:57 +0200
+Subject: pwm: lpc32xx: Remove handling of PWM channels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vladimir Zapolskiy <vz@mleia.com>
+
+[ Upstream commit 4aae44f65827f0213a7361cf9c32cfe06114473f ]
+
+Because LPC32xx PWM controllers have only a single output which is
+registered as the only PWM device/channel per controller, it is known in
+advance that pwm->hwpwm value is always 0. On basis of this fact
+simplify the code by removing operations with pwm->hwpwm, there is no
+controls which require channel number as input.
+
+Even though I wasn't aware at the time when I forward ported that patch,
+this fixes a null pointer dereference as lpc32xx->chip.pwms is NULL
+before devm_pwmchip_add() is called.
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Fixes: 3d2813fb17e5 ("pwm: lpc32xx: Don't modify HW state in .probe() after the PWM chip was registered")
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-lpc32xx.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/pwm/pwm-lpc32xx.c b/drivers/pwm/pwm-lpc32xx.c
+index 522f862eca526..504a8f506195a 100644
+--- a/drivers/pwm/pwm-lpc32xx.c
++++ b/drivers/pwm/pwm-lpc32xx.c
+@@ -51,10 +51,10 @@ static int lpc32xx_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
+ if (duty_cycles > 255)
+ duty_cycles = 255;
+
+- val = readl(lpc32xx->base + (pwm->hwpwm << 2));
++ val = readl(lpc32xx->base);
+ val &= ~0xFFFF;
+ val |= (period_cycles << 8) | duty_cycles;
+- writel(val, lpc32xx->base + (pwm->hwpwm << 2));
++ writel(val, lpc32xx->base);
+
+ return 0;
+ }
+@@ -69,9 +69,9 @@ static int lpc32xx_pwm_enable(struct pwm_chip *chip, struct pwm_device *pwm)
+ if (ret)
+ return ret;
+
+- val = readl(lpc32xx->base + (pwm->hwpwm << 2));
++ val = readl(lpc32xx->base);
+ val |= PWM_ENABLE;
+- writel(val, lpc32xx->base + (pwm->hwpwm << 2));
++ writel(val, lpc32xx->base);
+
+ return 0;
+ }
+@@ -81,9 +81,9 @@ static void lpc32xx_pwm_disable(struct pwm_chip *chip, struct pwm_device *pwm)
+ struct lpc32xx_pwm_chip *lpc32xx = to_lpc32xx_pwm_chip(chip);
+ u32 val;
+
+- val = readl(lpc32xx->base + (pwm->hwpwm << 2));
++ val = readl(lpc32xx->base);
+ val &= ~PWM_ENABLE;
+- writel(val, lpc32xx->base + (pwm->hwpwm << 2));
++ writel(val, lpc32xx->base);
+
+ clk_disable_unprepare(lpc32xx->clk);
+ }
+@@ -121,9 +121,9 @@ static int lpc32xx_pwm_probe(struct platform_device *pdev)
+ lpc32xx->chip.base = -1;
+
+ /* If PWM is disabled, configure the output to the default value */
+- val = readl(lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2));
++ val = readl(lpc32xx->base);
+ val &= ~PWM_PIN_LEVEL;
+- writel(val, lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2));
++ writel(val, lpc32xx->base);
+
+ ret = pwmchip_add(&lpc32xx->chip);
+ if (ret < 0) {
+--
+2.40.1
+
--- /dev/null
+From e710993df8526e828c8ba11e4d8aa9acf40fb42c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 13:59:59 +0300
+Subject: s390/zcrypt: don't leak memory if dev_set_name() fails
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 6252f47b78031979ad919f971dc8468b893488bd ]
+
+When dev_set_name() fails, zcdn_create() doesn't free the newly
+allocated resources. Do it.
+
+Fixes: 00fab2350e6b ("s390/zcrypt: multiple zcrypt device nodes support")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20230831110000.24279-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/zcrypt_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c
+index 3b9eda311c273..b518009715eeb 100644
+--- a/drivers/s390/crypto/zcrypt_api.c
++++ b/drivers/s390/crypto/zcrypt_api.c
+@@ -399,6 +399,7 @@ static int zcdn_create(const char *name)
+ ZCRYPT_NAME "_%d", (int) MINOR(devt));
+ nodename[sizeof(nodename)-1] = '\0';
+ if (dev_set_name(&zcdndev->device, nodename)) {
++ kfree(zcdndev);
+ rc = -EINVAL;
+ goto unlockout;
+ }
+--
+2.40.1
+
--- /dev/null
+From 02f4bbf0acb194a92605611fdc8d4219c260edc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 09:45:19 +0000
+Subject: sctp: annotate data-races around sk->sk_wmem_queued
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit dc9511dd6f37fe803f6b15b61b030728d7057417 ]
+
+sk->sk_wmem_queued can be read locklessly from sctp_poll()
+
+Use sk_wmem_queued_add() when the field is changed,
+and add READ_ONCE() annotations in sctp_writeable()
+and sctp_assocs_seq_show()
+
+syzbot reported:
+
+BUG: KCSAN: data-race in sctp_poll / sctp_wfree
+
+read-write to 0xffff888149d77810 of 4 bytes by interrupt on cpu 0:
+sctp_wfree+0x170/0x4a0 net/sctp/socket.c:9147
+skb_release_head_state+0xb7/0x1a0 net/core/skbuff.c:988
+skb_release_all net/core/skbuff.c:1000 [inline]
+__kfree_skb+0x16/0x140 net/core/skbuff.c:1016
+consume_skb+0x57/0x180 net/core/skbuff.c:1232
+sctp_chunk_destroy net/sctp/sm_make_chunk.c:1503 [inline]
+sctp_chunk_put+0xcd/0x130 net/sctp/sm_make_chunk.c:1530
+sctp_datamsg_put+0x29a/0x300 net/sctp/chunk.c:128
+sctp_chunk_free+0x34/0x50 net/sctp/sm_make_chunk.c:1515
+sctp_outq_sack+0xafa/0xd70 net/sctp/outqueue.c:1381
+sctp_cmd_process_sack net/sctp/sm_sideeffect.c:834 [inline]
+sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1366 [inline]
+sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
+sctp_do_sm+0x12c7/0x31b0 net/sctp/sm_sideeffect.c:1169
+sctp_assoc_bh_rcv+0x2b2/0x430 net/sctp/associola.c:1051
+sctp_inq_push+0x108/0x120 net/sctp/inqueue.c:80
+sctp_rcv+0x116e/0x1340 net/sctp/input.c:243
+sctp6_rcv+0x25/0x40 net/sctp/ipv6.c:1120
+ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437
+ip6_input_finish net/ipv6/ip6_input.c:482 [inline]
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491
+dst_input include/net/dst.h:468 [inline]
+ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309
+__netif_receive_skb_one_core net/core/dev.c:5452 [inline]
+__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566
+process_backlog+0x21f/0x380 net/core/dev.c:5894
+__napi_poll+0x60/0x3b0 net/core/dev.c:6460
+napi_poll net/core/dev.c:6527 [inline]
+net_rx_action+0x32b/0x750 net/core/dev.c:6660
+__do_softirq+0xc1/0x265 kernel/softirq.c:553
+run_ksoftirqd+0x17/0x20 kernel/softirq.c:921
+smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
+kthread+0x1d7/0x210 kernel/kthread.c:389
+ret_from_fork+0x2e/0x40 arch/x86/kernel/process.c:145
+ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
+
+read to 0xffff888149d77810 of 4 bytes by task 17828 on cpu 1:
+sctp_writeable net/sctp/socket.c:9304 [inline]
+sctp_poll+0x265/0x410 net/sctp/socket.c:8671
+sock_poll+0x253/0x270 net/socket.c:1374
+vfs_poll include/linux/poll.h:88 [inline]
+do_pollfd fs/select.c:873 [inline]
+do_poll fs/select.c:921 [inline]
+do_sys_poll+0x636/0xc00 fs/select.c:1015
+__do_sys_ppoll fs/select.c:1121 [inline]
+__se_sys_ppoll+0x1af/0x1f0 fs/select.c:1101
+__x64_sys_ppoll+0x67/0x80 fs/select.c:1101
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x00019e80 -> 0x0000cc80
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 17828 Comm: syz-executor.1 Not tainted 6.5.0-rc7-syzkaller-00185-g28f20a19294d #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Xin Long <lucien.xin@gmail.com>
+Link: https://lore.kernel.org/r/20230830094519.950007-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/proc.c | 2 +-
+ net/sctp/socket.c | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/sctp/proc.c b/net/sctp/proc.c
+index 982a87b3e11f8..963b94517ec20 100644
+--- a/net/sctp/proc.c
++++ b/net/sctp/proc.c
+@@ -284,7 +284,7 @@ static int sctp_assocs_seq_show(struct seq_file *seq, void *v)
+ assoc->init_retries, assoc->shutdown_retries,
+ assoc->rtx_data_chunks,
+ refcount_read(&sk->sk_wmem_alloc),
+- sk->sk_wmem_queued,
++ READ_ONCE(sk->sk_wmem_queued),
+ sk->sk_sndbuf,
+ sk->sk_rcvbuf);
+ seq_printf(seq, "\n");
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index fa4d31b507f29..68d53e3f0d07a 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -68,7 +68,7 @@
+ #include <net/sctp/stream_sched.h>
+
+ /* Forward declarations for internal helper functions. */
+-static bool sctp_writeable(struct sock *sk);
++static bool sctp_writeable(const struct sock *sk);
+ static void sctp_wfree(struct sk_buff *skb);
+ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+ size_t msg_len);
+@@ -138,7 +138,7 @@ static inline void sctp_set_owner_w(struct sctp_chunk *chunk)
+
+ refcount_add(sizeof(struct sctp_chunk), &sk->sk_wmem_alloc);
+ asoc->sndbuf_used += chunk->skb->truesize + sizeof(struct sctp_chunk);
+- sk->sk_wmem_queued += chunk->skb->truesize + sizeof(struct sctp_chunk);
++ sk_wmem_queued_add(sk, chunk->skb->truesize + sizeof(struct sctp_chunk));
+ sk_mem_charge(sk, chunk->skb->truesize);
+ }
+
+@@ -8900,7 +8900,7 @@ static void sctp_wfree(struct sk_buff *skb)
+ struct sock *sk = asoc->base.sk;
+
+ sk_mem_uncharge(sk, skb->truesize);
+- sk->sk_wmem_queued -= skb->truesize + sizeof(struct sctp_chunk);
++ sk_wmem_queued_add(sk, -(skb->truesize + sizeof(struct sctp_chunk)));
+ asoc->sndbuf_used -= skb->truesize + sizeof(struct sctp_chunk);
+ WARN_ON(refcount_sub_and_test(sizeof(struct sctp_chunk),
+ &sk->sk_wmem_alloc));
+@@ -9055,9 +9055,9 @@ void sctp_write_space(struct sock *sk)
+ * UDP-style sockets or TCP-style sockets, this code should work.
+ * - Daisy
+ */
+-static bool sctp_writeable(struct sock *sk)
++static bool sctp_writeable(const struct sock *sk)
+ {
+- return sk->sk_sndbuf > sk->sk_wmem_queued;
++ return READ_ONCE(sk->sk_sndbuf) > READ_ONCE(sk->sk_wmem_queued);
+ }
+
+ /* Wait for an association to go into ESTABLISHED state. If timeout is 0,
+--
+2.40.1
+
soc-qcom-qmi_encdec-restrict-string-length-in-decode.patch
nfs-fix-a-potential-data-corruption.patch
nfsv4-pnfs-minor-fix-for-cleanup-path-in-nfs4_get_device_info.patch
+kconfig-fix-possible-buffer-overflow.patch
+backlight-gpio_backlight-drop-output-gpio-direction-.patch
+perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch
+x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch
+perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch
+watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch
+pwm-lpc32xx-remove-handling-of-pwm-channels.patch
+net-sched-fq_pie-avoid-stalls-in-fq_pie_timer.patch
+sctp-annotate-data-races-around-sk-sk_wmem_queued.patch
+ipv4-annotate-data-races-around-fi-fib_dead.patch
+net-read-sk-sk_family-once-in-sk_mc_loop.patch
+drm-i915-gvt-save-restore-hw-status-to-support-gvt-s.patch
+drm-i915-gvt-drop-unused-helper-intel_vgpu_reset_gtt.patch
+ipv4-ignore-dst-hint-for-multipath-routes.patch
+igb-disable-virtualization-features-on-82580.patch
+veth-fixing-transmit-return-status-for-dropped-packe.patch
+net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch
+af_unix-fix-data-races-around-user-unix_inflight.patch
+af_unix-fix-data-race-around-unix_tot_inflight.patch
+af_unix-fix-data-races-around-sk-sk_shutdown.patch
+af_unix-fix-data-race-around-sk-sk_err.patch
+net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch
+kcm-destroy-mutex-in-kcm_exit_net.patch
+igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch
+igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch
+igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch
+s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch
+idr-fix-param-name-in-idr_alloc_cyclic-doc.patch
+ip_tunnels-use-dev_stats_inc.patch
+net-dsa-sja1105-fix-bandwidth-discrepancy-between-tc.patch
+net-dsa-sja1105-fix-enospc-when-replacing-the-same-t.patch
+netfilter-nfnetlink_osf-avoid-oob-read.patch
+net-hns3-fix-the-port-information-display-when-sfp-i.patch
+sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch
--- /dev/null
+From 04c2dd38a370d8a23e5bf05ae6d6e72014289418 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Jul 2023 14:07:42 +0200
+Subject: sh: boards: Fix CEU buffer size passed to
+ dma_declare_coherent_memory()
+
+From: Petr Tesarik <petr.tesarik.ext@huawei.com>
+
+[ Upstream commit fb60211f377b69acffead3147578f86d0092a7a5 ]
+
+In all these cases, the last argument to dma_declare_coherent_memory() is
+the buffer end address, but the expected value should be the size of the
+reserved region.
+
+Fixes: 39fb993038e1 ("media: arch: sh: ap325rxa: Use new renesas-ceu camera driver")
+Fixes: c2f9b05fd5c1 ("media: arch: sh: ecovec: Use new renesas-ceu camera driver")
+Fixes: f3590dc32974 ("media: arch: sh: kfr2r09: Use new renesas-ceu camera driver")
+Fixes: 186c446f4b84 ("media: arch: sh: migor: Use new renesas-ceu camera driver")
+Fixes: 1a3c230b4151 ("media: arch: sh: ms7724se: Use new renesas-ceu camera driver")
+Signed-off-by: Petr Tesarik <petr.tesarik.ext@huawei.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Jacopo Mondi <jacopo.mondi@ideasonboard.com>
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Link: https://lore.kernel.org/r/20230724120742.2187-1-petrtesarik@huaweicloud.com
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/boards/mach-ap325rxa/setup.c | 2 +-
+ arch/sh/boards/mach-ecovec24/setup.c | 6 ++----
+ arch/sh/boards/mach-kfr2r09/setup.c | 2 +-
+ arch/sh/boards/mach-migor/setup.c | 2 +-
+ arch/sh/boards/mach-se/7724/setup.c | 6 ++----
+ 5 files changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/arch/sh/boards/mach-ap325rxa/setup.c b/arch/sh/boards/mach-ap325rxa/setup.c
+index bac8a058ebd7c..05bd42dde107b 100644
+--- a/arch/sh/boards/mach-ap325rxa/setup.c
++++ b/arch/sh/boards/mach-ap325rxa/setup.c
+@@ -530,7 +530,7 @@ static int __init ap325rxa_devices_setup(void)
+ device_initialize(&ap325rxa_ceu_device.dev);
+ dma_declare_coherent_memory(&ap325rxa_ceu_device.dev,
+ ceu_dma_membase, ceu_dma_membase,
+- ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1);
++ CEU_BUFFER_MEMORY_SIZE);
+
+ platform_device_add(&ap325rxa_ceu_device);
+
+diff --git a/arch/sh/boards/mach-ecovec24/setup.c b/arch/sh/boards/mach-ecovec24/setup.c
+index bab91a99124e1..9730a992dab33 100644
+--- a/arch/sh/boards/mach-ecovec24/setup.c
++++ b/arch/sh/boards/mach-ecovec24/setup.c
+@@ -1454,15 +1454,13 @@ static int __init arch_setup(void)
+ device_initialize(&ecovec_ceu_devices[0]->dev);
+ dma_declare_coherent_memory(&ecovec_ceu_devices[0]->dev,
+ ceu0_dma_membase, ceu0_dma_membase,
+- ceu0_dma_membase +
+- CEU_BUFFER_MEMORY_SIZE - 1);
++ CEU_BUFFER_MEMORY_SIZE);
+ platform_device_add(ecovec_ceu_devices[0]);
+
+ device_initialize(&ecovec_ceu_devices[1]->dev);
+ dma_declare_coherent_memory(&ecovec_ceu_devices[1]->dev,
+ ceu1_dma_membase, ceu1_dma_membase,
+- ceu1_dma_membase +
+- CEU_BUFFER_MEMORY_SIZE - 1);
++ CEU_BUFFER_MEMORY_SIZE);
+ platform_device_add(ecovec_ceu_devices[1]);
+
+ gpiod_add_lookup_table(&cn12_power_gpiod_table);
+diff --git a/arch/sh/boards/mach-kfr2r09/setup.c b/arch/sh/boards/mach-kfr2r09/setup.c
+index eeb5ce341efdd..4a1caa3e7cf5a 100644
+--- a/arch/sh/boards/mach-kfr2r09/setup.c
++++ b/arch/sh/boards/mach-kfr2r09/setup.c
+@@ -603,7 +603,7 @@ static int __init kfr2r09_devices_setup(void)
+ device_initialize(&kfr2r09_ceu_device.dev);
+ dma_declare_coherent_memory(&kfr2r09_ceu_device.dev,
+ ceu_dma_membase, ceu_dma_membase,
+- ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1);
++ CEU_BUFFER_MEMORY_SIZE);
+
+ platform_device_add(&kfr2r09_ceu_device);
+
+diff --git a/arch/sh/boards/mach-migor/setup.c b/arch/sh/boards/mach-migor/setup.c
+index 6703a2122c0d6..bd4ccd9f8dd06 100644
+--- a/arch/sh/boards/mach-migor/setup.c
++++ b/arch/sh/boards/mach-migor/setup.c
+@@ -604,7 +604,7 @@ static int __init migor_devices_setup(void)
+ device_initialize(&migor_ceu_device.dev);
+ dma_declare_coherent_memory(&migor_ceu_device.dev,
+ ceu_dma_membase, ceu_dma_membase,
+- ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1);
++ CEU_BUFFER_MEMORY_SIZE);
+
+ platform_device_add(&migor_ceu_device);
+
+diff --git a/arch/sh/boards/mach-se/7724/setup.c b/arch/sh/boards/mach-se/7724/setup.c
+index 8d6541ba01865..edc7712e4a804 100644
+--- a/arch/sh/boards/mach-se/7724/setup.c
++++ b/arch/sh/boards/mach-se/7724/setup.c
+@@ -940,15 +940,13 @@ static int __init devices_setup(void)
+ device_initialize(&ms7724se_ceu_devices[0]->dev);
+ dma_declare_coherent_memory(&ms7724se_ceu_devices[0]->dev,
+ ceu0_dma_membase, ceu0_dma_membase,
+- ceu0_dma_membase +
+- CEU_BUFFER_MEMORY_SIZE - 1);
++ CEU_BUFFER_MEMORY_SIZE);
+ platform_device_add(ms7724se_ceu_devices[0]);
+
+ device_initialize(&ms7724se_ceu_devices[1]->dev);
+ dma_declare_coherent_memory(&ms7724se_ceu_devices[1]->dev,
+ ceu1_dma_membase, ceu1_dma_membase,
+- ceu1_dma_membase +
+- CEU_BUFFER_MEMORY_SIZE - 1);
++ CEU_BUFFER_MEMORY_SIZE);
+ platform_device_add(ms7724se_ceu_devices[1]);
+
+ return platform_add_devices(ms7724se_devices,
+--
+2.40.1
+
--- /dev/null
+From 9a9a239564824ea6558d7a37248a50a483c4845e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 12:09:21 +0800
+Subject: veth: Fixing transmit return status for dropped packets
+
+From: Liang Chen <liangchen.linux@gmail.com>
+
+[ Upstream commit 151e887d8ff97e2e42110ffa1fb1e6a2128fb364 ]
+
+The veth_xmit function returns NETDEV_TX_OK even when packets are dropped.
+This behavior leads to incorrect calculations of statistics counts, as
+well as things like txq->trans_start updates.
+
+Fixes: e314dbdc1c0d ("[NET]: Virtual ethernet device driver.")
+Signed-off-by: Liang Chen <liangchen.linux@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/veth.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/veth.c b/drivers/net/veth.c
+index 4ba86fa4d6497..743716ebebdb9 100644
+--- a/drivers/net/veth.c
++++ b/drivers/net/veth.c
+@@ -285,6 +285,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct veth_priv *rcv_priv, *priv = netdev_priv(dev);
+ struct veth_rq *rq = NULL;
++ int ret = NETDEV_TX_OK;
+ struct net_device *rcv;
+ int length = skb->len;
+ bool rcv_xdp = false;
+@@ -311,6 +312,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
+ } else {
+ drop:
+ atomic64_inc(&priv->dropped);
++ ret = NET_XMIT_DROP;
+ }
+
+ if (rcv_xdp)
+@@ -318,7 +320,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ rcu_read_unlock();
+
+- return NETDEV_TX_OK;
++ return ret;
+ }
+
+ static u64 veth_stats_tx(struct net_device *dev, u64 *packets, u64 *bytes)
+--
+2.40.1
+
--- /dev/null
+From 15048bbb6637072056aca54521517a8ddf718f10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Aug 2023 17:32:20 +0530
+Subject: watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
+
+From: Raag Jadav <raag.jadav@intel.com>
+
+[ Upstream commit cf38e7691c85f1b09973b22a0b89bf1e1228d2f9 ]
+
+When built with CONFIG_INTEL_MID_WATCHDOG=m, currently the driver
+needs to be loaded manually, for the lack of module alias.
+This causes unintended resets in cases where watchdog timer is
+set-up by bootloader and the driver is not explicitly loaded.
+Add MODULE_ALIAS() to load the driver automatically at boot and
+avoid this issue.
+
+Fixes: 87a1ef8058d9 ("watchdog: add Intel MID watchdog driver support")
+Signed-off-by: Raag Jadav <raag.jadav@intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20230811120220.31578-1-raag.jadav@intel.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/intel-mid_wdt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/watchdog/intel-mid_wdt.c b/drivers/watchdog/intel-mid_wdt.c
+index 9b2173f765c8c..fb7fae750181b 100644
+--- a/drivers/watchdog/intel-mid_wdt.c
++++ b/drivers/watchdog/intel-mid_wdt.c
+@@ -203,3 +203,4 @@ module_platform_driver(mid_wdt_driver);
+ MODULE_AUTHOR("David Cohen <david.a.cohen@linux.intel.com>");
+ MODULE_DESCRIPTION("Watchdog Driver for Intel MID platform");
+ MODULE_LICENSE("GPL");
++MODULE_ALIAS("platform:intel_mid_wdt");
+--
+2.40.1
+
--- /dev/null
+From aa01f78002c4e80ff04cd090e44da59c2c35bbd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jul 2023 13:18:52 -0700
+Subject: x86/virt: Drop unnecessary check on extended CPUID level in
+ cpu_has_svm()
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 5df8ecfe3632d5879d1f154f7aa8de441b5d1c89 ]
+
+Drop the explicit check on the extended CPUID level in cpu_has_svm(), the
+kernel's cached CPUID info will leave the entire SVM leaf unset if said
+leaf is not supported by hardware. Prior to using cached information,
+the check was needed to avoid false positives due to Intel's rather crazy
+CPUID behavior of returning the values of the maximum supported leaf if
+the specified leaf is unsupported.
+
+Fixes: 682a8108872f ("x86/kvm/svm: Simplify cpu_has_svm()")
+Link: https://lore.kernel.org/r/20230721201859.2307736-13-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/virtext.h | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/arch/x86/include/asm/virtext.h b/arch/x86/include/asm/virtext.h
+index 8eefa3386d8ce..331474296e6f1 100644
+--- a/arch/x86/include/asm/virtext.h
++++ b/arch/x86/include/asm/virtext.h
+@@ -95,12 +95,6 @@ static inline int cpu_has_svm(const char **msg)
+ return 0;
+ }
+
+- if (boot_cpu_data.extended_cpuid_level < SVM_CPUID_FUNC) {
+- if (msg)
+- *msg = "can't execute cpuid_8000000a";
+- return 0;
+- }
+-
+ if (!boot_cpu_has(X86_FEATURE_SVM)) {
+ if (msg)
+ *msg = "svm not available";
+--
+2.40.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
