--- /dev/null
+From 27d5a931b12a4272b2282e028603137f3978ec74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jun 2024 22:27:47 +0300
+Subject: bluetooth/hci: disallow setting handle bigger than
+ HCI_CONN_HANDLE_MAX
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 1cc18c2ab2e8c54c355ea7c0423a636e415a0c23 ]
+
+Syzbot hit warning in hci_conn_del() caused by freeing handle that was
+not allocated using ida allocator.
+
+This is caused by handle bigger than HCI_CONN_HANDLE_MAX passed by
+hci_le_big_sync_established_evt(), which makes code think it's unset
+connection.
+
+Add same check for handle upper bound as in hci_conn_set_handle() to
+prevent warning.
+
+Link: https://syzkaller.appspot.com/bug?extid=b2545b087a01a7319474
+Reported-by: syzbot+b2545b087a01a7319474@syzkaller.appspotmail.com
+Fixes: 181a42edddf5 ("Bluetooth: Make handle of hci_conn be unique")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 08ae30fd31551..baca48ce8d0c6 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -904,8 +904,8 @@ static int hci_conn_hash_alloc_unset(struct hci_dev *hdev)
+ U16_MAX, GFP_ATOMIC);
+ }
+
+-struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
+- u8 role, u16 handle)
++static struct hci_conn *__hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
++ u8 role, u16 handle)
+ {
+ struct hci_conn *conn;
+
+@@ -1046,7 +1046,16 @@ struct hci_conn *hci_conn_add_unset(struct hci_dev *hdev, int type,
+ if (unlikely(handle < 0))
+ return ERR_PTR(-ECONNREFUSED);
+
+- return hci_conn_add(hdev, type, dst, role, handle);
++ return __hci_conn_add(hdev, type, dst, role, handle);
++}
++
++struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst,
++ u8 role, u16 handle)
++{
++ if (handle > HCI_CONN_HANDLE_MAX)
++ return ERR_PTR(-EINVAL);
++
++ return __hci_conn_add(hdev, type, dst, role, handle);
+ }
+
+ static void hci_conn_cleanup_child(struct hci_conn *conn, u8 reason)
+--
+2.43.0
+
--- /dev/null
+From f2d0e11b8ecfaf66c1642fc9f1b0f5976fc2956b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jun 2024 12:04:30 -0400
+Subject: Bluetooth: hci_event: Fix setting of unicast qos interval
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit ac65ecccae802417ce42e857defacad60e4b8329 ]
+
+qos->ucast interval reffers to the SDU interval, and should not
+be set to the interval value reported by the LE CIS Established
+event since the latter reffers to the ISO interval. These two
+interval are not the same thing:
+
+BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 6, Part G
+
+Isochronous interval:
+The time between two consecutive BIS or CIS events (designated
+ISO_Interval in the Link Layer)
+
+SDU interval:
+The nominal time between two consecutive SDUs that are sent or
+received by the upper layer.
+
+So this instead uses the following formula from the spec to calculate
+the resulting SDU interface:
+
+BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 6, Part G
+page 3075:
+
+Transport_Latency_C_To_P = CIG_Sync_Delay + (FT_C_To_P) ×
+ISO_Interval + SDU_Interval_C_To_P
+Transport_Latency_P_To_C = CIG_Sync_Delay + (FT_P_To_C) ×
+ISO_Interval + SDU_Interval_P_To_C
+
+Link: https://github.com/bluez/bluez/issues/823
+Fixes: 2be22f1941d5 ("Bluetooth: hci_event: Fix parsing of CIS Established Event")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 1ed734a7fb313..0b3a76fcfedf5 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6661,6 +6661,7 @@ static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
+ struct bt_iso_qos *qos;
+ bool pending = false;
+ u16 handle = __le16_to_cpu(ev->handle);
++ u32 c_sdu_interval, p_sdu_interval;
+
+ bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
+
+@@ -6685,12 +6686,25 @@ static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
+
+ pending = test_and_clear_bit(HCI_CONN_CREATE_CIS, &conn->flags);
+
+- /* Convert ISO Interval (1.25 ms slots) to SDU Interval (us) */
+- qos->ucast.in.interval = le16_to_cpu(ev->interval) * 1250;
+- qos->ucast.out.interval = qos->ucast.in.interval;
++ /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 6, Part G
++ * page 3075:
++ * Transport_Latency_C_To_P = CIG_Sync_Delay + (FT_C_To_P) ×
++ * ISO_Interval + SDU_Interval_C_To_P
++ * ...
++ * SDU_Interval = (CIG_Sync_Delay + (FT) x ISO_Interval) -
++ * Transport_Latency
++ */
++ c_sdu_interval = (get_unaligned_le24(ev->cig_sync_delay) +
++ (ev->c_ft * le16_to_cpu(ev->interval) * 1250)) -
++ get_unaligned_le24(ev->c_latency);
++ p_sdu_interval = (get_unaligned_le24(ev->cig_sync_delay) +
++ (ev->p_ft * le16_to_cpu(ev->interval) * 1250)) -
++ get_unaligned_le24(ev->p_latency);
+
+ switch (conn->role) {
+ case HCI_ROLE_SLAVE:
++ qos->ucast.in.interval = c_sdu_interval;
++ qos->ucast.out.interval = p_sdu_interval;
+ /* Convert Transport Latency (us) to Latency (msec) */
+ qos->ucast.in.latency =
+ DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
+@@ -6704,6 +6718,8 @@ static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data,
+ qos->ucast.out.phy = ev->p_phy;
+ break;
+ case HCI_ROLE_MASTER:
++ qos->ucast.in.interval = p_sdu_interval;
++ qos->ucast.out.interval = c_sdu_interval;
+ /* Convert Transport Latency (us) to Latency (msec) */
+ qos->ucast.out.latency =
+ DIV_ROUND_CLOSEST(get_unaligned_le24(ev->c_latency),
+--
+2.43.0
+
--- /dev/null
+From 6ea3f2d38e091727c050a2d6afd1c8fbdf40bd61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 19:09:37 +0800
+Subject: Bluetooth: Ignore too large handle values in BIG
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit 015d79c96d62cd8a4a359fcf5be40d58088c936b ]
+
+hci_le_big_sync_established_evt is necessary to filter out cases where the
+handle value is belonging to ida id range, otherwise ida will be erroneously
+released in hci_conn_cleanup.
+
+Fixes: 181a42edddf5 ("Bluetooth: Make handle of hci_conn be unique")
+Reported-by: syzbot+b2545b087a01a7319474@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b2545b087a01a7319474
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 0b3a76fcfedf5..eb59f418eb6dc 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6910,6 +6910,10 @@ static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
+
+ bis = hci_conn_hash_lookup_handle(hdev, handle);
+ if (!bis) {
++ if (handle > HCI_CONN_HANDLE_MAX) {
++ bt_dev_dbg(hdev, "ignore too large handle %u", handle);
++ continue;
++ }
+ bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
+ HCI_ROLE_SLAVE, handle);
+ if (IS_ERR(bis))
+--
+2.43.0
+
--- /dev/null
+From f3028552b5ea6e3c4bc9165618b2d4931f12ba87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Jun 2024 13:33:24 +0300
+Subject: Bluetooth: ISO: Check socket flag instead of hcon
+
+From: Iulia Tanasescu <iulia.tanasescu@nxp.com>
+
+[ Upstream commit 596b6f081336e77764ca35cfeab66d0fcdbe544e ]
+
+This fixes the following Smatch static checker warning:
+
+net/bluetooth/iso.c:1364 iso_sock_recvmsg()
+error: we previously assumed 'pi->conn->hcon' could be null (line 1359)
+
+net/bluetooth/iso.c
+1347 static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
+1348 size_t len, int flags)
+1349 {
+1350 struct sock *sk = sock->sk;
+1351 struct iso_pinfo *pi = iso_pi(sk);
+1352
+1353 BT_DBG("sk %p", sk);
+1354
+1355 if (test_and_clear_bit(BT_SK_DEFER_SETUP,
+ &bt_sk(sk)->flags)) {
+1356 lock_sock(sk);
+1357 switch (sk->sk_state) {
+1358 case BT_CONNECT2:
+1359 if (pi->conn->hcon &&
+ ^^^^^^^^^^^^^^ If ->hcon is NULL
+
+1360 test_bit(HCI_CONN_PA_SYNC,
+ &pi->conn->hcon->flags)) {
+1361 iso_conn_big_sync(sk);
+1362 sk->sk_state = BT_LISTEN;
+1363 } else {
+--> 1364 iso_conn_defer_accept(pi->conn->hcon);
+ ^^^^^^^^^^^^^^
+ then we're toast
+
+1365 sk->sk_state = BT_CONFIG;
+1366 }
+1367 release_sock(sk);
+1368 return 0;
+1369 case BT_CONNECTED:
+1370 if (test_bit(BT_SK_PA_SYNC,
+
+Fixes: fbdc4bc47268 ("Bluetooth: ISO: Use defer setup to separate PA sync and BIG sync")
+Signed-off-by: Iulia Tanasescu <iulia.tanasescu@nxp.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/iso.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index 00c0d8413c638..dd33400c21822 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -1356,8 +1356,7 @@ static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
+ lock_sock(sk);
+ switch (sk->sk_state) {
+ case BT_CONNECT2:
+- if (pi->conn->hcon &&
+- test_bit(HCI_CONN_PA_SYNC, &pi->conn->hcon->flags)) {
++ if (test_bit(BT_SK_PA_SYNC, &pi->flags)) {
+ iso_conn_big_sync(sk);
+ sk->sk_state = BT_LISTEN;
+ } else {
+--
+2.43.0
+
--- /dev/null
+From 00860914e52309ed5a5dd515c70481ff50f7b07e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 11:01:12 -0700
+Subject: bnxt_en: Fix the resource check condition for RSS contexts
+
+From: Pavan Chebbi <pavan.chebbi@broadcom.com>
+
+[ Upstream commit 5d350dc3429b3eb6f2b1b8ccb78ed4ec6c4d4a4f ]
+
+While creating a new RSS context, bnxt_rfs_capable() currently
+makes a strict check to see if the required VNICs are already
+available. If the current VNICs are not what is required,
+either too many or not enough, it will call the firmware to
+reserve the exact number required.
+
+There is a bug in the firmware when the driver tries to
+relinquish some reserved VNICs and RSS contexts. It will
+cause the default VNIC to lose its RSS configuration and
+cause receive packets to be placed incorrectly.
+
+Workaround this problem by skipping the resource reduction.
+The driver will not reduce the VNIC and RSS context reservations
+when a context is deleted. The resources will be available for
+use when new contexts are created later.
+
+Potentially, this workaround can cause us to run out of VNIC
+and RSS contexts if there are a lot of VF functions creating
+and deleting RSS contexts. In the future, we will conditionally
+disable this workaround when the firmware fix is available.
+
+Fixes: 438ba39b25fe ("bnxt_en: Improve RSS context reservation infrastructure")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Link: https://lore.kernel.org/netdev/20240625010210.2002310-1-kuba@kernel.org/
+Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
+Signed-off-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20240703180112.78590-1-michael.chan@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 0fab62a56f3b3..2b7936b3fb3ef 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -12436,7 +12436,11 @@ static bool bnxt_rfs_capable(struct bnxt *bp)
+ if (!BNXT_NEW_RM(bp))
+ return true;
+
+- if (hwr.vnic == bp->hw_resc.resv_vnics &&
++ /* Do not reduce VNIC and RSS ctx reservations. There is a FW
++ * issue that will mess up the default VNIC if we reduce the
++ * reservations.
++ */
++ if (hwr.vnic <= bp->hw_resc.resv_vnics &&
+ hwr.rss_ctx <= bp->hw_resc.resv_rsscos_ctxs)
+ return true;
+
+--
+2.43.0
+
--- /dev/null
+From 5cd123634f63f4c819381ed46b7c5eb177c52757 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 14:55:55 +0100
+Subject: bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()
+
+From: Sam Sun <samsun1006219@gmail.com>
+
+[ Upstream commit e271ff53807e8f2c628758290f0e499dbe51cb3d ]
+
+In function bond_option_arp_ip_targets_set(), if newval->string is an
+empty string, newval->string+1 will point to the byte after the
+string, causing an out-of-bound read.
+
+BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418
+Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107
+CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:364 [inline]
+ print_report+0xc1/0x5e0 mm/kasan/report.c:475
+ kasan_report+0xbe/0xf0 mm/kasan/report.c:588
+ strlen+0x7d/0xa0 lib/string.c:418
+ __fortify_strlen include/linux/fortify-string.h:210 [inline]
+ in4_pton+0xa3/0x3f0 net/core/utils.c:130
+ bond_option_arp_ip_targets_set+0xc2/0x910
+drivers/net/bonding/bond_options.c:1201
+ __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767
+ __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792
+ bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817
+ bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156
+ dev_attr_store+0x54/0x80 drivers/base/core.c:2366
+ sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136
+ kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334
+ call_write_iter include/linux/fs.h:2020 [inline]
+ new_sync_write fs/read_write.c:491 [inline]
+ vfs_write+0x96a/0xd80 fs/read_write.c:584
+ ksys_write+0x122/0x250 fs/read_write.c:637
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+---[ end trace ]---
+
+Fix it by adding a check of string length before using it.
+
+Fixes: f9de11a16594 ("bonding: add ip checks when store ip target")
+Signed-off-by: Yue Sun <samsun1006219@gmail.com>
+Signed-off-by: Simon Horman <horms@kernel.org>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://patch.msgid.link/20240702-bond-oob-v6-1-2dfdba195c19@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_options.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
+index 4cdbc7e084f4b..fea1d87a97539 100644
+--- a/drivers/net/bonding/bond_options.c
++++ b/drivers/net/bonding/bond_options.c
+@@ -1214,9 +1214,9 @@ static int bond_option_arp_ip_targets_set(struct bonding *bond,
+ __be32 target;
+
+ if (newval->string) {
+- if (!in4_pton(newval->string+1, -1, (u8 *)&target, -1, NULL)) {
+- netdev_err(bond->dev, "invalid ARP target %pI4 specified\n",
+- &target);
++ if (strlen(newval->string) < 1 ||
++ !in4_pton(newval->string + 1, -1, (u8 *)&target, -1, NULL)) {
++ netdev_err(bond->dev, "invalid ARP target specified\n");
+ return ret;
+ }
+ if (newval->string[0] == '+')
+--
+2.43.0
+
--- /dev/null
+From a64f6af9eeef6eb0016d95705c9ceb844e00f049 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Jun 2024 15:10:53 +0930
+Subject: btrfs: always do the basic checks for btrfs_qgroup_inherit structure
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 724d8042cef84496ddb4492dc120291f997ae26b ]
+
+[BUG]
+Syzbot reports the following regression detected by KASAN:
+
+ BUG: KASAN: slab-out-of-bounds in btrfs_qgroup_inherit+0x42e/0x2e20 fs/btrfs/qgroup.c:3277
+ Read of size 8 at addr ffff88814628ca50 by task syz-executor318/5171
+
+ CPU: 0 PID: 5171 Comm: syz-executor318 Not tainted 6.10.0-rc2-syzkaller-00010-g2ab795141095 #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
+ Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ btrfs_qgroup_inherit+0x42e/0x2e20 fs/btrfs/qgroup.c:3277
+ create_pending_snapshot+0x1359/0x29b0 fs/btrfs/transaction.c:1854
+ create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1922
+ btrfs_commit_transaction+0xf20/0x3740 fs/btrfs/transaction.c:2382
+ create_snapshot+0x6a1/0x9e0 fs/btrfs/ioctl.c:875
+ btrfs_mksubvol+0x58f/0x710 fs/btrfs/ioctl.c:1029
+ btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1075
+ __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1340
+ btrfs_ioctl_snap_create_v2+0x1f2/0x3a0 fs/btrfs/ioctl.c:1422
+ btrfs_ioctl+0x99e/0xc60
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:907 [inline]
+ __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ RIP: 0033:0x7fcbf1992509
+ RSP: 002b:00007fcbf1928218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ RAX: ffffffffffffffda RBX: 00007fcbf1a1f618 RCX: 00007fcbf1992509
+ RDX: 0000000020000280 RSI: 0000000050009417 RDI: 0000000000000003
+ RBP: 00007fcbf1a1f610 R08: 00007ffea1298e97 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcbf19eb660
+ R13: 00000000200002b8 R14: 00007fcbf19e60c0 R15: 0030656c69662f2e
+ </TASK>
+
+And it also pinned it down to commit b5357cb268c4 ("btrfs: qgroup: do not
+check qgroup inherit if qgroup is disabled").
+
+[CAUSE]
+That offending commit skips the whole qgroup inherit check if qgroup is
+not enabled.
+
+But that also skips the very basic checks like
+num_ref_copies/num_excl_copies and the structure size checks.
+
+Meaning if a qgroup enable/disable race is happening at the background,
+and we pass a btrfs_qgroup_inherit structure when the qgroup is
+disabled, the check would be completely skipped.
+
+Then at the time of transaction commitment, qgroup is re-enabled and
+btrfs_qgroup_inherit() is going to use the incorrect structure and
+causing the above KASAN error.
+
+[FIX]
+Make btrfs_qgroup_check_inherit() only skip the source qgroup checks.
+So that even if invalid btrfs_qgroup_inherit structure is passed in, we
+can still reject invalid ones no matter if qgroup is enabled or not.
+
+Furthermore we do already have an extra safety inside
+btrfs_qgroup_inherit(), which would just ignore invalid qgroup sources,
+so even if we only skip the qgroup source check we're still safe.
+
+Reported-by: syzbot+a0d1f7e26910be4dc171@syzkaller.appspotmail.com
+Fixes: b5357cb268c4 ("btrfs: qgroup: do not check qgroup inherit if qgroup is disabled")
+Reviewed-by: Boris Burkov <boris@bur.io>
+Reviewed-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/qgroup.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index 1167899a16d05..4caa078d972a3 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -3065,8 +3065,6 @@ int btrfs_qgroup_check_inherit(struct btrfs_fs_info *fs_info,
+ struct btrfs_qgroup_inherit *inherit,
+ size_t size)
+ {
+- if (!btrfs_qgroup_enabled(fs_info))
+- return 0;
+ if (inherit->flags & ~BTRFS_QGROUP_INHERIT_FLAGS_SUPP)
+ return -EOPNOTSUPP;
+ if (size < sizeof(*inherit) || size > PAGE_SIZE)
+@@ -3090,6 +3088,14 @@ int btrfs_qgroup_check_inherit(struct btrfs_fs_info *fs_info,
+ if (size != struct_size(inherit, qgroups, inherit->num_qgroups))
+ return -EINVAL;
+
++ /*
++ * Skip the inherit source qgroups check if qgroup is not enabled.
++ * Qgroup can still be later enabled causing problems, but in that case
++ * btrfs_qgroup_inherit() would just ignore those invalid ones.
++ */
++ if (!btrfs_qgroup_enabled(fs_info))
++ return 0;
++
+ /*
+ * Now check all the remaining qgroups, they should all:
+ *
+--
+2.43.0
+
--- /dev/null
+From c71a2e794fe4334d7bf079e9434d59b75bf02b91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jun 2024 19:35:30 +0200
+Subject: drm/fbdev-generic: Fix framebuffer on big endian devices
+
+From: Thomas Huth <thuth@redhat.com>
+
+[ Upstream commit 740b8dad05bee39e1e3b926f05bb4a8274b8ba49 ]
+
+Starting with kernel 6.7, the framebuffer text console is not working
+anymore with the virtio-gpu device on s390x hosts. Such big endian fb
+devices are usinga different pixel ordering than little endian devices,
+e.g. DRM_FORMAT_BGRX8888 instead of DRM_FORMAT_XRGB8888.
+
+This used to work fine as long as drm_client_buffer_addfb() was still
+calling drm_mode_addfb() which called drm_driver_legacy_fb_format()
+internally to get the right format. But drm_client_buffer_addfb() has
+recently been reworked to call drm_mode_addfb2() instead with the
+format value that has been passed to it as a parameter (see commit
+6ae2ff23aa43 ("drm/client: Convert drm_client_buffer_addfb() to drm_mode_addfb2()").
+
+That format parameter is determined in drm_fbdev_generic_helper_fb_probe()
+via the drm_mode_legacy_fb_format() function - which only generates
+formats suitable for little endian devices. So to fix this issue
+switch to drm_driver_legacy_fb_format() here instead to take the
+device endianness into consideration.
+
+Fixes: 6ae2ff23aa43 ("drm/client: Convert drm_client_buffer_addfb() to drm_mode_addfb2()")
+Closes: https://issues.redhat.com/browse/RHEL-45158
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240627173530.460615-1-thuth@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_fbdev_generic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_fbdev_generic.c b/drivers/gpu/drm/drm_fbdev_generic.c
+index b4659cd6285ab..cbb7418b789f8 100644
+--- a/drivers/gpu/drm/drm_fbdev_generic.c
++++ b/drivers/gpu/drm/drm_fbdev_generic.c
+@@ -84,7 +84,8 @@ static int drm_fbdev_generic_helper_fb_probe(struct drm_fb_helper *fb_helper,
+ sizes->surface_width, sizes->surface_height,
+ sizes->surface_bpp);
+
+- format = drm_mode_legacy_fb_format(sizes->surface_bpp, sizes->surface_depth);
++ format = drm_driver_legacy_fb_format(dev, sizes->surface_bpp,
++ sizes->surface_depth);
+ buffer = drm_client_framebuffer_create(client, sizes->surface_width,
+ sizes->surface_height, format);
+ if (IS_ERR(buffer))
+--
+2.43.0
+
--- /dev/null
+From 394bec343c7c47ac6c2977ed36d66aff80cf5fe4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jun 2024 14:05:37 -0700
+Subject: drm/xe/mcr: Avoid clobbering DSS steering
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matt Roper <matthew.d.roper@intel.com>
+
+[ Upstream commit 1f006470284598060ca1307355352934400b37ca ]
+
+A couple copy/paste mistakes in the code that selects steering targets
+for OADDRM and INSTANCE0 unintentionally clobbered the steering target
+for DSS ranges in some cases.
+
+The OADDRM/INSTANCE0 values were also not assigned as intended, although
+that mistake wound up being harmless since the desired values for those
+specific ranges were '0' which the kzalloc of the GT structure should
+have already taken care of implicitly.
+
+Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
+Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
+Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240626210536.1620176-2-matthew.d.roper@intel.com
+(cherry picked from commit 4f82ac6102788112e599a6074d2c1f2afce923df)
+Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_gt_mcr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_gt_mcr.c b/drivers/gpu/drm/xe/xe_gt_mcr.c
+index a7ab9ba645f99..c78fbb9bc5fc7 100644
+--- a/drivers/gpu/drm/xe/xe_gt_mcr.c
++++ b/drivers/gpu/drm/xe/xe_gt_mcr.c
+@@ -315,7 +315,7 @@ static void init_steering_oaddrm(struct xe_gt *gt)
+ else
+ gt->steering[OADDRM].group_target = 1;
+
+- gt->steering[DSS].instance_target = 0; /* unused */
++ gt->steering[OADDRM].instance_target = 0; /* unused */
+ }
+
+ static void init_steering_sqidi_psmi(struct xe_gt *gt)
+@@ -330,8 +330,8 @@ static void init_steering_sqidi_psmi(struct xe_gt *gt)
+
+ static void init_steering_inst0(struct xe_gt *gt)
+ {
+- gt->steering[DSS].group_target = 0; /* unused */
+- gt->steering[DSS].instance_target = 0; /* unused */
++ gt->steering[INSTANCE0].group_target = 0; /* unused */
++ gt->steering[INSTANCE0].instance_target = 0; /* unused */
+ }
+
+ static const struct {
+--
+2.43.0
+
--- /dev/null
+From fca8a864e485dd73f4d951573ffb7d44aace05ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Jun 2024 13:17:53 -0700
+Subject: e1000e: Fix S0ix residency on corporate systems
+
+From: Dima Ruinskiy <dima.ruinskiy@intel.com>
+
+[ Upstream commit c93a6f62cb1bd097aef2e4588648a420d175eee2 ]
+
+On vPro systems, the configuration of the I219-LM to achieve power
+gating and S0ix residency is split between the driver and the CSME FW.
+It was discovered that in some scenarios, where the network cable is
+connected and then disconnected, S0ix residency is not always reached.
+This was root-caused to a subset of I219-LM register writes that are not
+performed by the CSME FW. Therefore, the driver should perform these
+register writes on corporate setups, regardless of the CSME FW state.
+
+This was discovered on Meteor Lake systems; however it is likely to
+appear on other platforms as well.
+
+Fixes: cc23f4f0b6b9 ("e1000e: Add support for Meteor Lake")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=218589
+Signed-off-by: Dima Ruinskiy <dima.ruinskiy@intel.com>
+Signed-off-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20240628201754.2744221-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 132 ++++++++++-----------
+ 1 file changed, 66 insertions(+), 66 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index 3692fce201959..334f652c60601 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -6363,49 +6363,49 @@ static void e1000e_s0ix_entry_flow(struct e1000_adapter *adapter)
+ mac_data |= E1000_EXTCNF_CTRL_GATE_PHY_CFG;
+ ew32(EXTCNF_CTRL, mac_data);
+
+- /* Enable the Dynamic Power Gating in the MAC */
+- mac_data = er32(FEXTNVM7);
+- mac_data |= BIT(22);
+- ew32(FEXTNVM7, mac_data);
+-
+ /* Disable disconnected cable conditioning for Power Gating */
+ mac_data = er32(DPGFR);
+ mac_data |= BIT(2);
+ ew32(DPGFR, mac_data);
+
+- /* Don't wake from dynamic Power Gating with clock request */
+- mac_data = er32(FEXTNVM12);
+- mac_data |= BIT(12);
+- ew32(FEXTNVM12, mac_data);
+-
+- /* Ungate PGCB clock */
+- mac_data = er32(FEXTNVM9);
+- mac_data &= ~BIT(28);
+- ew32(FEXTNVM9, mac_data);
+-
+- /* Enable K1 off to enable mPHY Power Gating */
+- mac_data = er32(FEXTNVM6);
+- mac_data |= BIT(31);
+- ew32(FEXTNVM6, mac_data);
+-
+- /* Enable mPHY power gating for any link and speed */
+- mac_data = er32(FEXTNVM8);
+- mac_data |= BIT(9);
+- ew32(FEXTNVM8, mac_data);
+-
+ /* Enable the Dynamic Clock Gating in the DMA and MAC */
+ mac_data = er32(CTRL_EXT);
+ mac_data |= E1000_CTRL_EXT_DMA_DYN_CLK_EN;
+ ew32(CTRL_EXT, mac_data);
+-
+- /* No MAC DPG gating SLP_S0 in modern standby
+- * Switch the logic of the lanphypc to use PMC counter
+- */
+- mac_data = er32(FEXTNVM5);
+- mac_data |= BIT(7);
+- ew32(FEXTNVM5, mac_data);
+ }
+
++ /* Enable the Dynamic Power Gating in the MAC */
++ mac_data = er32(FEXTNVM7);
++ mac_data |= BIT(22);
++ ew32(FEXTNVM7, mac_data);
++
++ /* Don't wake from dynamic Power Gating with clock request */
++ mac_data = er32(FEXTNVM12);
++ mac_data |= BIT(12);
++ ew32(FEXTNVM12, mac_data);
++
++ /* Ungate PGCB clock */
++ mac_data = er32(FEXTNVM9);
++ mac_data &= ~BIT(28);
++ ew32(FEXTNVM9, mac_data);
++
++ /* Enable K1 off to enable mPHY Power Gating */
++ mac_data = er32(FEXTNVM6);
++ mac_data |= BIT(31);
++ ew32(FEXTNVM6, mac_data);
++
++ /* Enable mPHY power gating for any link and speed */
++ mac_data = er32(FEXTNVM8);
++ mac_data |= BIT(9);
++ ew32(FEXTNVM8, mac_data);
++
++ /* No MAC DPG gating SLP_S0 in modern standby
++ * Switch the logic of the lanphypc to use PMC counter
++ */
++ mac_data = er32(FEXTNVM5);
++ mac_data |= BIT(7);
++ ew32(FEXTNVM5, mac_data);
++
+ /* Disable the time synchronization clock */
+ mac_data = er32(FEXTNVM7);
+ mac_data |= BIT(31);
+@@ -6498,33 +6498,6 @@ static void e1000e_s0ix_exit_flow(struct e1000_adapter *adapter)
+ } else {
+ /* Request driver unconfigure the device from S0ix */
+
+- /* Disable the Dynamic Power Gating in the MAC */
+- mac_data = er32(FEXTNVM7);
+- mac_data &= 0xFFBFFFFF;
+- ew32(FEXTNVM7, mac_data);
+-
+- /* Disable mPHY power gating for any link and speed */
+- mac_data = er32(FEXTNVM8);
+- mac_data &= ~BIT(9);
+- ew32(FEXTNVM8, mac_data);
+-
+- /* Disable K1 off */
+- mac_data = er32(FEXTNVM6);
+- mac_data &= ~BIT(31);
+- ew32(FEXTNVM6, mac_data);
+-
+- /* Disable Ungate PGCB clock */
+- mac_data = er32(FEXTNVM9);
+- mac_data |= BIT(28);
+- ew32(FEXTNVM9, mac_data);
+-
+- /* Cancel not waking from dynamic
+- * Power Gating with clock request
+- */
+- mac_data = er32(FEXTNVM12);
+- mac_data &= ~BIT(12);
+- ew32(FEXTNVM12, mac_data);
+-
+ /* Cancel disable disconnected cable conditioning
+ * for Power Gating
+ */
+@@ -6537,13 +6510,6 @@ static void e1000e_s0ix_exit_flow(struct e1000_adapter *adapter)
+ mac_data &= 0xFFF7FFFF;
+ ew32(CTRL_EXT, mac_data);
+
+- /* Revert the lanphypc logic to use the internal Gbe counter
+- * and not the PMC counter
+- */
+- mac_data = er32(FEXTNVM5);
+- mac_data &= 0xFFFFFF7F;
+- ew32(FEXTNVM5, mac_data);
+-
+ /* Enable the periodic inband message,
+ * Request PCIe clock in K1 page770_17[10:9] =01b
+ */
+@@ -6581,6 +6547,40 @@ static void e1000e_s0ix_exit_flow(struct e1000_adapter *adapter)
+ mac_data &= ~BIT(31);
+ mac_data |= BIT(0);
+ ew32(FEXTNVM7, mac_data);
++
++ /* Disable the Dynamic Power Gating in the MAC */
++ mac_data = er32(FEXTNVM7);
++ mac_data &= 0xFFBFFFFF;
++ ew32(FEXTNVM7, mac_data);
++
++ /* Disable mPHY power gating for any link and speed */
++ mac_data = er32(FEXTNVM8);
++ mac_data &= ~BIT(9);
++ ew32(FEXTNVM8, mac_data);
++
++ /* Disable K1 off */
++ mac_data = er32(FEXTNVM6);
++ mac_data &= ~BIT(31);
++ ew32(FEXTNVM6, mac_data);
++
++ /* Disable Ungate PGCB clock */
++ mac_data = er32(FEXTNVM9);
++ mac_data |= BIT(28);
++ ew32(FEXTNVM9, mac_data);
++
++ /* Cancel not waking from dynamic
++ * Power Gating with clock request
++ */
++ mac_data = er32(FEXTNVM12);
++ mac_data &= ~BIT(12);
++ ew32(FEXTNVM12, mac_data);
++
++ /* Revert the lanphypc logic to use the internal Gbe counter
++ * and not the PMC counter
++ */
++ mac_data = er32(FEXTNVM5);
++ mac_data &= 0xFFFFFF7F;
++ ew32(FEXTNVM5, mac_data);
+ }
+
+ static int e1000e_pm_freeze(struct device *dev)
+--
+2.43.0
+
--- /dev/null
+From 1a9dc7a58560622daf10af515734c8042c8857c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jun 2024 09:19:49 +0800
+Subject: gpio: mmio: do not calculate bgpio_bits via "ngpios"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shiji Yang <yangshiji66@outlook.com>
+
+[ Upstream commit f07798d7bb9c46d17d80103fb772fd2c75d47919 ]
+
+bgpio_bits must be aligned with the data bus width. For example, on a
+32 bit big endian system and we only have 16 GPIOs. If we only assume
+bgpio_bits=16 we can never control the GPIO because the base address
+is the lowest address.
+
+low address high address
+-------------------------------------------------
+| byte3 | byte2 | byte1 | byte0 |
+-------------------------------------------------
+| NaN | NaN | gpio8-15 | gpio0-7 |
+-------------------------------------------------
+
+Fixes: 55b2395e4e92 ("gpio: mmio: handle "ngpios" properly in bgpio_init()")
+Fixes: https://github.com/openwrt/openwrt/issues/15739
+Reported-by: Mark Mentovai <mark@mentovai.com>
+Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
+Suggested-By: Mark Mentovai <mark@mentovai.com>
+Reviewed-by: Jonas Gorski <jonas.gorski@gmail.com>
+Tested-by: Lóránd Horváth <lorand.horvath82@gmail.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/TYCP286MB089577B47D70F0AB25ABA6F5BCD52@TYCP286MB0895.JPNP286.PROD.OUTLOOK.COM
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-mmio.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/gpio/gpio-mmio.c b/drivers/gpio/gpio-mmio.c
+index 71e1af7c21847..d89e78f0ead31 100644
+--- a/drivers/gpio/gpio-mmio.c
++++ b/drivers/gpio/gpio-mmio.c
+@@ -619,8 +619,6 @@ int bgpio_init(struct gpio_chip *gc, struct device *dev,
+ ret = gpiochip_get_ngpios(gc, dev);
+ if (ret)
+ gc->ngpio = gc->bgpio_bits;
+- else
+- gc->bgpio_bits = roundup_pow_of_two(round_up(gc->ngpio, 8));
+
+ ret = bgpio_setup_io(gc, dat, set, clr, flags);
+ if (ret)
+--
+2.43.0
+
--- /dev/null
+From f3ef6e70008ddae1349a4c02d2c442652a577cf6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 11:26:09 -0700
+Subject: gpiolib: of: add polarity quirk for TSC2005
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit f8d76c2c313c56d5cb894a243dff4550f048278d ]
+
+DTS for Nokia N900 incorrectly specifies "active high" polarity for
+the reset line, while the chip documentation actually specifies it as
+"active low". In the past the driver fudged gpiod API and inverted
+the logic internally, but it was changed in d0d89493bff8.
+
+Fixes: d0d89493bff8 ("Input: tsc2004/5 - switch to using generic device properties")
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Acked-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/ZoWXwYtwgJIxi-hD@google.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib-of.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c
+index 7db35cbde8e92..5c4442200118a 100644
+--- a/drivers/gpio/gpiolib-of.c
++++ b/drivers/gpio/gpiolib-of.c
+@@ -212,6 +212,14 @@ static void of_gpio_try_fixup_polarity(const struct device_node *np,
+ * for the property.
+ */
+ { "lantiq,pci-xway", "gpio-reset", false },
++#endif
++#if IS_ENABLED(CONFIG_TOUCHSCREEN_TSC2005)
++ /*
++ * DTS for Nokia N900 incorrectly specified "active high"
++ * polarity for the reset line, while the chip actually
++ * treats it as "active low".
++ */
++ { "ti,tsc2005", "reset-gpios", false },
+ #endif
+ };
+ unsigned int i;
+--
+2.43.0
+
--- /dev/null
+From 8307de6509eb44ded2e089af02fb5c0df25cbb11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jul 2024 10:38:50 -0700
+Subject: gpiolib: of: fix lookup quirk for MIPS Lantiq
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit 3645ffaf2b334abaf5f53e5ca0f47465d91e69d2 ]
+
+As it turns out, there is a large number of out-of-tree DTSes (in
+OpenWrt project) that used to specify incorrect (active high) polarity
+for the Lantiq reset GPIO, so to keep compatibility while they are
+being updated a quirk for force the polarity low is needed. Luckily
+these old DTSes used nonstandard name for the property ("gpio-reset" vs
+"reset-gpios") so the quirk will not hurt if there are any new devices
+that need inverted polarity as they can specify the right polarity in
+their DTS when using the standard "reset-gpios" property.
+
+Additionally the condition to enable the transition from standard to
+non-standard reset GPIO property name was inverted and the replacement
+name for the property was not correct. Fix this as well.
+
+Fixes: fbbbcd177a27 ("gpiolib: of: add quirk for locating reset lines with legacy bindings")
+Fixes: 90c2d2eb7ab5 ("MIPS: pci: lantiq: switch to using gpiod API")
+Reported-by: Martin Schiller <ms@dev.tdt.de>
+Acked-by: Martin Schiller <ms@dev.tdt.de>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Link: https://lore.kernel.org/r/ZoLpqv1PN08xHioh@google.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib-of.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c
+index cb0cefaec37e8..7db35cbde8e92 100644
+--- a/drivers/gpio/gpiolib-of.c
++++ b/drivers/gpio/gpiolib-of.c
+@@ -202,6 +202,16 @@ static void of_gpio_try_fixup_polarity(const struct device_node *np,
+ * helper, and be consistent with what other drivers do.
+ */
+ { "qi,lb60", "rb-gpios", true },
++#endif
++#if IS_ENABLED(CONFIG_PCI_LANTIQ)
++ /*
++ * According to the PCI specification, the RST# pin is an
++ * active-low signal. However, most of the device trees that
++ * have been widely used for a long time incorrectly describe
++ * reset GPIO as active-high, and were also using wrong name
++ * for the property.
++ */
++ { "lantiq,pci-xway", "gpio-reset", false },
+ #endif
+ };
+ unsigned int i;
+@@ -504,9 +514,9 @@ static struct gpio_desc *of_find_gpio_rename(struct device_node *np,
+ { "reset", "reset-n-io", "marvell,nfc-uart" },
+ { "reset", "reset-n-io", "mrvl,nfc-uart" },
+ #endif
+-#if !IS_ENABLED(CONFIG_PCI_LANTIQ)
++#if IS_ENABLED(CONFIG_PCI_LANTIQ)
+ /* MIPS Lantiq PCI */
+- { "reset", "gpios-reset", "lantiq,pci-xway" },
++ { "reset", "gpio-reset", "lantiq,pci-xway" },
+ #endif
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From dbd58e3adf3dbe456afcc04aa9bd1d4df4047a10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 10:14:55 -0700
+Subject: ice: Don't process extts if PTP is disabled
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 996422e3230e41468f652d754fefd1bdbcd4604e ]
+
+The ice_ptp_extts_event() function can race with ice_ptp_release() and
+result in a NULL pointer dereference which leads to a kernel panic.
+
+Panic occurs because the ice_ptp_extts_event() function calls
+ptp_clock_event() with a NULL pointer. The ice driver has already
+released the PTP clock by the time the interrupt for the next external
+timestamp event occurs.
+
+To fix this, modify the ice_ptp_extts_event() function to check the
+PTP state and bail early if PTP is not ready.
+
+Fixes: 172db5f91d5f ("ice: add support for auxiliary input/output pins")
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Karol Kolacinski <karol.kolacinski@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://patch.msgid.link/20240702171459.2606611-3-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ptp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c
+index ee741a1d13cf0..e983e56b342b7 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ptp.c
++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c
+@@ -1578,6 +1578,10 @@ void ice_ptp_extts_event(struct ice_pf *pf)
+ u8 chan, tmr_idx;
+ u32 hi, lo;
+
++ /* Don't process timestamp events if PTP is not ready */
++ if (pf->ptp.state != ICE_PTP_READY)
++ return;
++
+ tmr_idx = hw->func_caps.ts_func_info.tmr_index_owned;
+ /* Event time is captured by one of the two matched registers
+ * GLTSYN_EVNT_L: 32 LSB of sampled time event
+--
+2.43.0
+
--- /dev/null
+From dde4d25f3395a045aa700ea539510355d16f8fb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 10:14:54 -0700
+Subject: ice: Fix improper extts handling
+
+From: Milena Olech <milena.olech@intel.com>
+
+[ Upstream commit 00d3b4f54582d4e4a02cda5886bb336eeab268cc ]
+
+Extts events are disabled and enabled by the application ts2phc.
+However, in case where the driver is removed when the application is
+running, a specific extts event remains enabled and can cause a kernel
+crash.
+As a side effect, when the driver is reloaded and application is started
+again, remaining extts event for the channel from a previous run will
+keep firing and the message "extts on unexpected channel" might be
+printed to the user.
+
+To avoid that, extts events shall be disabled when PTP is released.
+
+Fixes: 172db5f91d5f ("ice: add support for auxiliary input/output pins")
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Co-developed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Milena Olech <milena.olech@intel.com>
+Signed-off-by: Karol Kolacinski <karol.kolacinski@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://patch.msgid.link/20240702171459.2606611-2-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ptp.c | 105 ++++++++++++++++++-----
+ drivers/net/ethernet/intel/ice/ice_ptp.h | 8 ++
+ 2 files changed, 91 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c
+index c11eba07283c6..ee741a1d13cf0 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ptp.c
++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c
+@@ -1603,27 +1603,24 @@ void ice_ptp_extts_event(struct ice_pf *pf)
+ /**
+ * ice_ptp_cfg_extts - Configure EXTTS pin and channel
+ * @pf: Board private structure
+- * @ena: true to enable; false to disable
+ * @chan: GPIO channel (0-3)
+- * @gpio_pin: GPIO pin
+- * @extts_flags: request flags from the ptp_extts_request.flags
++ * @config: desired EXTTS configuration.
++ * @store: If set to true, the values will be stored
++ *
++ * Configure an external timestamp event on the requested channel.
+ */
+-static int
+-ice_ptp_cfg_extts(struct ice_pf *pf, bool ena, unsigned int chan, u32 gpio_pin,
+- unsigned int extts_flags)
++static void ice_ptp_cfg_extts(struct ice_pf *pf, unsigned int chan,
++ struct ice_extts_channel *config, bool store)
+ {
+ u32 func, aux_reg, gpio_reg, irq_reg;
+ struct ice_hw *hw = &pf->hw;
+ u8 tmr_idx;
+
+- if (chan > (unsigned int)pf->ptp.info.n_ext_ts)
+- return -EINVAL;
+-
+ tmr_idx = hw->func_caps.ts_func_info.tmr_index_owned;
+
+ irq_reg = rd32(hw, PFINT_OICR_ENA);
+
+- if (ena) {
++ if (config->ena) {
+ /* Enable the interrupt */
+ irq_reg |= PFINT_OICR_TSYN_EVNT_M;
+ aux_reg = GLTSYN_AUX_IN_0_INT_ENA_M;
+@@ -1632,9 +1629,9 @@ ice_ptp_cfg_extts(struct ice_pf *pf, bool ena, unsigned int chan, u32 gpio_pin,
+ #define GLTSYN_AUX_IN_0_EVNTLVL_FALLING_EDGE BIT(1)
+
+ /* set event level to requested edge */
+- if (extts_flags & PTP_FALLING_EDGE)
++ if (config->flags & PTP_FALLING_EDGE)
+ aux_reg |= GLTSYN_AUX_IN_0_EVNTLVL_FALLING_EDGE;
+- if (extts_flags & PTP_RISING_EDGE)
++ if (config->flags & PTP_RISING_EDGE)
+ aux_reg |= GLTSYN_AUX_IN_0_EVNTLVL_RISING_EDGE;
+
+ /* Write GPIO CTL reg.
+@@ -1655,9 +1652,47 @@ ice_ptp_cfg_extts(struct ice_pf *pf, bool ena, unsigned int chan, u32 gpio_pin,
+
+ wr32(hw, PFINT_OICR_ENA, irq_reg);
+ wr32(hw, GLTSYN_AUX_IN(chan, tmr_idx), aux_reg);
+- wr32(hw, GLGEN_GPIO_CTL(gpio_pin), gpio_reg);
++ wr32(hw, GLGEN_GPIO_CTL(config->gpio_pin), gpio_reg);
+
+- return 0;
++ if (store)
++ memcpy(&pf->ptp.extts_channels[chan], config, sizeof(*config));
++}
++
++/**
++ * ice_ptp_disable_all_extts - Disable all EXTTS channels
++ * @pf: Board private structure
++ */
++static void ice_ptp_disable_all_extts(struct ice_pf *pf)
++{
++ struct ice_extts_channel extts_cfg = {};
++ int i;
++
++ for (i = 0; i < pf->ptp.info.n_ext_ts; i++) {
++ if (pf->ptp.extts_channels[i].ena) {
++ extts_cfg.gpio_pin = pf->ptp.extts_channels[i].gpio_pin;
++ extts_cfg.ena = false;
++ ice_ptp_cfg_extts(pf, i, &extts_cfg, false);
++ }
++ }
++
++ synchronize_irq(pf->oicr_irq.virq);
++}
++
++/**
++ * ice_ptp_enable_all_extts - Enable all EXTTS channels
++ * @pf: Board private structure
++ *
++ * Called during reset to restore user configuration.
++ */
++static void ice_ptp_enable_all_extts(struct ice_pf *pf)
++{
++ int i;
++
++ for (i = 0; i < pf->ptp.info.n_ext_ts; i++) {
++ if (pf->ptp.extts_channels[i].ena)
++ ice_ptp_cfg_extts(pf, i, &pf->ptp.extts_channels[i],
++ false);
++ }
+ }
+
+ /**
+@@ -1814,7 +1849,6 @@ ice_ptp_gpio_enable_e810(struct ptp_clock_info *info,
+ struct ptp_clock_request *rq, int on)
+ {
+ struct ice_pf *pf = ptp_info_to_pf(info);
+- struct ice_perout_channel clk_cfg = {0};
+ bool sma_pres = false;
+ unsigned int chan;
+ u32 gpio_pin;
+@@ -1825,6 +1859,9 @@ ice_ptp_gpio_enable_e810(struct ptp_clock_info *info,
+
+ switch (rq->type) {
+ case PTP_CLK_REQ_PEROUT:
++ {
++ struct ice_perout_channel clk_cfg = {};
++
+ chan = rq->perout.index;
+ if (sma_pres) {
+ if (chan == ice_pin_desc_e810t[SMA1].chan)
+@@ -1852,7 +1889,11 @@ ice_ptp_gpio_enable_e810(struct ptp_clock_info *info,
+
+ err = ice_ptp_cfg_clkout(pf, chan, &clk_cfg, true);
+ break;
++ }
+ case PTP_CLK_REQ_EXTTS:
++ {
++ struct ice_extts_channel extts_cfg = {};
++
+ chan = rq->extts.index;
+ if (sma_pres) {
+ if (chan < ice_pin_desc_e810t[SMA2].chan)
+@@ -1868,9 +1909,13 @@ ice_ptp_gpio_enable_e810(struct ptp_clock_info *info,
+ gpio_pin = chan;
+ }
+
+- err = ice_ptp_cfg_extts(pf, !!on, chan, gpio_pin,
+- rq->extts.flags);
+- break;
++ extts_cfg.flags = rq->extts.flags;
++ extts_cfg.gpio_pin = gpio_pin;
++ extts_cfg.ena = !!on;
++
++ ice_ptp_cfg_extts(pf, chan, &extts_cfg, true);
++ return 0;
++ }
+ default:
+ return -EOPNOTSUPP;
+ }
+@@ -1888,21 +1933,31 @@ static int ice_ptp_gpio_enable_e823(struct ptp_clock_info *info,
+ struct ptp_clock_request *rq, int on)
+ {
+ struct ice_pf *pf = ptp_info_to_pf(info);
+- struct ice_perout_channel clk_cfg = {0};
+ int err;
+
+ switch (rq->type) {
+ case PTP_CLK_REQ_PPS:
++ {
++ struct ice_perout_channel clk_cfg = {};
++
+ clk_cfg.gpio_pin = PPS_PIN_INDEX;
+ clk_cfg.period = NSEC_PER_SEC;
+ clk_cfg.ena = !!on;
+
+ err = ice_ptp_cfg_clkout(pf, PPS_CLK_GEN_CHAN, &clk_cfg, true);
+ break;
++ }
+ case PTP_CLK_REQ_EXTTS:
+- err = ice_ptp_cfg_extts(pf, !!on, rq->extts.index,
+- TIME_SYNC_PIN_INDEX, rq->extts.flags);
+- break;
++ {
++ struct ice_extts_channel extts_cfg = {};
++
++ extts_cfg.flags = rq->extts.flags;
++ extts_cfg.gpio_pin = TIME_SYNC_PIN_INDEX;
++ extts_cfg.ena = !!on;
++
++ ice_ptp_cfg_extts(pf, rq->extts.index, &extts_cfg, true);
++ return 0;
++ }
+ default:
+ return -EOPNOTSUPP;
+ }
+@@ -2745,6 +2800,10 @@ static int ice_ptp_rebuild_owner(struct ice_pf *pf)
+ ice_ptp_restart_all_phy(pf);
+ }
+
++ /* Re-enable all periodic outputs and external timestamp events */
++ ice_ptp_enable_all_clkout(pf);
++ ice_ptp_enable_all_extts(pf);
++
+ return 0;
+ }
+
+@@ -3300,6 +3359,8 @@ void ice_ptp_release(struct ice_pf *pf)
+
+ ice_ptp_release_tx_tracker(pf, &pf->ptp.port.tx);
+
++ ice_ptp_disable_all_extts(pf);
++
+ kthread_cancel_delayed_work_sync(&pf->ptp.work);
+
+ ice_ptp_port_phy_stop(&pf->ptp.port);
+diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.h b/drivers/net/ethernet/intel/ice/ice_ptp.h
+index 3af20025043a6..f1171cdd93c86 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ptp.h
++++ b/drivers/net/ethernet/intel/ice/ice_ptp.h
+@@ -33,6 +33,12 @@ struct ice_perout_channel {
+ u64 start_time;
+ };
+
++struct ice_extts_channel {
++ bool ena;
++ u32 gpio_pin;
++ u32 flags;
++};
++
+ /* The ice hardware captures Tx hardware timestamps in the PHY. The timestamp
+ * is stored in a buffer of registers. Depending on the specific hardware,
+ * this buffer might be shared across multiple PHY ports.
+@@ -226,6 +232,7 @@ enum ice_ptp_state {
+ * @ext_ts_irq: the external timestamp IRQ in use
+ * @kworker: kwork thread for handling periodic work
+ * @perout_channels: periodic output data
++ * @extts_channels: channels for external timestamps
+ * @info: structure defining PTP hardware capabilities
+ * @clock: pointer to registered PTP clock device
+ * @tstamp_config: hardware timestamping configuration
+@@ -249,6 +256,7 @@ struct ice_ptp {
+ u8 ext_ts_irq;
+ struct kthread_worker *kworker;
+ struct ice_perout_channel perout_channels[GLTSYN_TGT_H_IDX_MAX];
++ struct ice_extts_channel extts_channels[GLTSYN_TGT_H_IDX_MAX];
+ struct ptp_clock_info info;
+ struct ptp_clock *clock;
+ struct hwtstamp_config tstamp_config;
+--
+2.43.0
+
--- /dev/null
+From 2bbdb344e4e674712a902e62324a406daec6e2d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 10:14:56 -0700
+Subject: ice: Reject pin requests with unsupported flags
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit be2a9d12e6dad894b27361c06ea3752d67a45b49 ]
+
+The driver receives requests for configuring pins via the .enable
+callback of the PTP clock object. These requests come into the driver
+with flags which modify the requested behavior from userspace. Current
+implementation in ice does not reject flags that it doesn't support.
+This causes the driver to incorrectly apply requests with such flags as
+PTP_PEROUT_DUTY_CYCLE, or any future flags added by the kernel which it
+is not yet aware of.
+
+Fix this by properly validating flags in both ice_ptp_cfg_perout and
+ice_ptp_cfg_extts. Ensure that we check by bit-wise negating supported
+flags rather than just checking and rejecting known un-supported flags.
+This is preferable, as it ensures better compatibility with future
+kernels.
+
+Fixes: 172db5f91d5f ("ice: add support for auxiliary input/output pins")
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Karol Kolacinski <karol.kolacinski@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://patch.msgid.link/20240702171459.2606611-4-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ptp.c | 38 ++++++++++++++----------
+ drivers/net/ethernet/intel/ice/ice_ptp.h | 1 +
+ 2 files changed, 23 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c
+index e983e56b342b7..f46d879c62d26 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ptp.c
++++ b/drivers/net/ethernet/intel/ice/ice_ptp.c
+@@ -1612,14 +1612,23 @@ void ice_ptp_extts_event(struct ice_pf *pf)
+ * @store: If set to true, the values will be stored
+ *
+ * Configure an external timestamp event on the requested channel.
++ *
++ * Return: 0 on success, -EOPNOTUSPP on unsupported flags
+ */
+-static void ice_ptp_cfg_extts(struct ice_pf *pf, unsigned int chan,
+- struct ice_extts_channel *config, bool store)
++static int ice_ptp_cfg_extts(struct ice_pf *pf, unsigned int chan,
++ struct ice_extts_channel *config, bool store)
+ {
+ u32 func, aux_reg, gpio_reg, irq_reg;
+ struct ice_hw *hw = &pf->hw;
+ u8 tmr_idx;
+
++ /* Reject requests with unsupported flags */
++ if (config->flags & ~(PTP_ENABLE_FEATURE |
++ PTP_RISING_EDGE |
++ PTP_FALLING_EDGE |
++ PTP_STRICT_FLAGS))
++ return -EOPNOTSUPP;
++
+ tmr_idx = hw->func_caps.ts_func_info.tmr_index_owned;
+
+ irq_reg = rd32(hw, PFINT_OICR_ENA);
+@@ -1660,6 +1669,8 @@ static void ice_ptp_cfg_extts(struct ice_pf *pf, unsigned int chan,
+
+ if (store)
+ memcpy(&pf->ptp.extts_channels[chan], config, sizeof(*config));
++
++ return 0;
+ }
+
+ /**
+@@ -1717,6 +1728,9 @@ static int ice_ptp_cfg_clkout(struct ice_pf *pf, unsigned int chan,
+ u32 func, val, gpio_pin;
+ u8 tmr_idx;
+
++ if (config && config->flags & ~PTP_PEROUT_PHASE)
++ return -EOPNOTSUPP;
++
+ tmr_idx = hw->func_caps.ts_func_info.tmr_index_owned;
+
+ /* 0. Reset mode & out_en in AUX_OUT */
+@@ -1856,7 +1870,6 @@ ice_ptp_gpio_enable_e810(struct ptp_clock_info *info,
+ bool sma_pres = false;
+ unsigned int chan;
+ u32 gpio_pin;
+- int err;
+
+ if (ice_is_feature_supported(pf, ICE_F_SMA_CTRL))
+ sma_pres = true;
+@@ -1885,14 +1898,14 @@ ice_ptp_gpio_enable_e810(struct ptp_clock_info *info,
+ clk_cfg.gpio_pin = chan;
+ }
+
++ clk_cfg.flags = rq->perout.flags;
+ clk_cfg.period = ((rq->perout.period.sec * NSEC_PER_SEC) +
+ rq->perout.period.nsec);
+ clk_cfg.start_time = ((rq->perout.start.sec * NSEC_PER_SEC) +
+ rq->perout.start.nsec);
+ clk_cfg.ena = !!on;
+
+- err = ice_ptp_cfg_clkout(pf, chan, &clk_cfg, true);
+- break;
++ return ice_ptp_cfg_clkout(pf, chan, &clk_cfg, true);
+ }
+ case PTP_CLK_REQ_EXTTS:
+ {
+@@ -1917,14 +1930,11 @@ ice_ptp_gpio_enable_e810(struct ptp_clock_info *info,
+ extts_cfg.gpio_pin = gpio_pin;
+ extts_cfg.ena = !!on;
+
+- ice_ptp_cfg_extts(pf, chan, &extts_cfg, true);
+- return 0;
++ return ice_ptp_cfg_extts(pf, chan, &extts_cfg, true);
+ }
+ default:
+ return -EOPNOTSUPP;
+ }
+-
+- return err;
+ }
+
+ /**
+@@ -1937,19 +1947,18 @@ static int ice_ptp_gpio_enable_e823(struct ptp_clock_info *info,
+ struct ptp_clock_request *rq, int on)
+ {
+ struct ice_pf *pf = ptp_info_to_pf(info);
+- int err;
+
+ switch (rq->type) {
+ case PTP_CLK_REQ_PPS:
+ {
+ struct ice_perout_channel clk_cfg = {};
+
++ clk_cfg.flags = rq->perout.flags;
+ clk_cfg.gpio_pin = PPS_PIN_INDEX;
+ clk_cfg.period = NSEC_PER_SEC;
+ clk_cfg.ena = !!on;
+
+- err = ice_ptp_cfg_clkout(pf, PPS_CLK_GEN_CHAN, &clk_cfg, true);
+- break;
++ return ice_ptp_cfg_clkout(pf, PPS_CLK_GEN_CHAN, &clk_cfg, true);
+ }
+ case PTP_CLK_REQ_EXTTS:
+ {
+@@ -1959,14 +1968,11 @@ static int ice_ptp_gpio_enable_e823(struct ptp_clock_info *info,
+ extts_cfg.gpio_pin = TIME_SYNC_PIN_INDEX;
+ extts_cfg.ena = !!on;
+
+- ice_ptp_cfg_extts(pf, rq->extts.index, &extts_cfg, true);
+- return 0;
++ return ice_ptp_cfg_extts(pf, rq->extts.index, &extts_cfg, true);
+ }
+ default:
+ return -EOPNOTSUPP;
+ }
+-
+- return err;
+ }
+
+ /**
+diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.h b/drivers/net/ethernet/intel/ice/ice_ptp.h
+index f1171cdd93c86..e2af9749061ca 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ptp.h
++++ b/drivers/net/ethernet/intel/ice/ice_ptp.h
+@@ -29,6 +29,7 @@ enum ice_ptp_pin_e810t {
+ struct ice_perout_channel {
+ bool ena;
+ u32 gpio_pin;
++ u32 flags;
+ u64 period;
+ u64 start_time;
+ };
+--
+2.43.0
+
--- /dev/null
+From da853c1216990c492313ed4ce109982e372b576b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 10:14:57 -0700
+Subject: ice: use proper macro for testing bit
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit 7829ee78490ddb29993cc7893384a04b8cc7436c ]
+
+Do not use _test_bit() macro for testing bit. The proper macro for this
+is one without underline.
+
+_test_bit() is what test_bit() was prior to const-optimization. It
+directly calls arch_test_bit(), i.e. the arch-specific implementation
+(or the generic one). It's strictly _internal_ and shouldn't be used
+anywhere outside the actual test_bit() macro.
+
+test_bit() is a wrapper which checks whether the bitmap and the bit
+number are compile-time constants and if so, it calls the optimized
+function which evaluates this call to a compile-time constant as well.
+If either of them is not a compile-time constant, it just calls _test_bit().
+test_bit() is the actual function to use anywhere in the kernel.
+
+IOW, calling _test_bit() avoids potential compile-time optimizations.
+
+The sensors is not a compile-time constant, thus most probably there
+are no object code changes before and after the patch.
+But anyway, we shouldn't call internal wrappers instead of
+the actual API.
+
+Fixes: 4da71a77fc3b ("ice: read internal temperature sensor")
+Acked-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Signed-off-by: Petr Oros <poros@redhat.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://patch.msgid.link/20240702171459.2606611-5-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_hwmon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_hwmon.c b/drivers/net/ethernet/intel/ice/ice_hwmon.c
+index e4c2c1bff6c08..b7aa6812510a4 100644
+--- a/drivers/net/ethernet/intel/ice/ice_hwmon.c
++++ b/drivers/net/ethernet/intel/ice/ice_hwmon.c
+@@ -96,7 +96,7 @@ static bool ice_is_internal_reading_supported(struct ice_pf *pf)
+
+ unsigned long sensors = pf->hw.dev_caps.supported_sensors;
+
+- return _test_bit(ICE_SENSOR_SUPPORT_E810_INT_TEMP_BIT, &sensors);
++ return test_bit(ICE_SENSOR_SUPPORT_E810_INT_TEMP_BIT, &sensors);
+ };
+
+ void ice_hwmon_init(struct ice_pf *pf)
+--
+2.43.0
+
--- /dev/null
+From 54ba53c1911190e1f3e02d0feeee0f8224a6c589 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 18:16:49 +0900
+Subject: inet_diag: Initialize pad field in struct inet_diag_req_v2
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 61cf1c739f08190a4cbf047b9fbb192a94d87e3f ]
+
+KMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw
+sockets uses the pad field in struct inet_diag_req_v2 for the
+underlying protocol. This field corresponds to the sdiag_raw_protocol
+field in struct inet_diag_req_raw.
+
+inet_diag_get_exact_compat() converts inet_diag_req to
+inet_diag_req_v2, but leaves the pad field uninitialized. So the issue
+occurs when raw_lookup() accesses the sdiag_raw_protocol field.
+
+Fix this by initializing the pad field in
+inet_diag_get_exact_compat(). Also, do the same fix in
+inet_diag_dump_compat() to avoid the similar issue in the future.
+
+[1]
+BUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]
+BUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71
+ raw_lookup net/ipv4/raw_diag.c:49 [inline]
+ raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71
+ raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99
+ inet_diag_cmd_exact+0x7d9/0x980
+ inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]
+ inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426
+ sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
+ netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564
+ sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297
+ netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
+ netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361
+ netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x332/0x3d0 net/socket.c:745
+ ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585
+ ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639
+ __sys_sendmsg net/socket.c:2668 [inline]
+ __do_sys_sendmsg net/socket.c:2677 [inline]
+ __se_sys_sendmsg net/socket.c:2675 [inline]
+ __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675
+ x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was stored to memory at:
+ raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71
+ raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99
+ inet_diag_cmd_exact+0x7d9/0x980
+ inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]
+ inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426
+ sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
+ netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564
+ sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297
+ netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
+ netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361
+ netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x332/0x3d0 net/socket.c:745
+ ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585
+ ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639
+ __sys_sendmsg net/socket.c:2668 [inline]
+ __do_sys_sendmsg net/socket.c:2677 [inline]
+ __se_sys_sendmsg net/socket.c:2675 [inline]
+ __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675
+ x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Local variable req.i created at:
+ inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]
+ inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426
+ sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
+
+CPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
+
+Fixes: 432490f9d455 ("net: ip, diag -- Add diag interface for raw sockets")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20240703091649.111773-1-syoshida@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/inet_diag.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
+index 7adace541fe29..9712cdb8087c2 100644
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -1383,6 +1383,7 @@ static int inet_diag_dump_compat(struct sk_buff *skb,
+ req.sdiag_family = AF_UNSPEC; /* compatibility */
+ req.sdiag_protocol = inet_diag_type2proto(cb->nlh->nlmsg_type);
+ req.idiag_ext = rc->idiag_ext;
++ req.pad = 0;
+ req.idiag_states = rc->idiag_states;
+ req.id = rc->id;
+
+@@ -1398,6 +1399,7 @@ static int inet_diag_get_exact_compat(struct sk_buff *in_skb,
+ req.sdiag_family = rc->idiag_family;
+ req.sdiag_protocol = inet_diag_type2proto(nlh->nlmsg_type);
+ req.idiag_ext = rc->idiag_ext;
++ req.pad = 0;
+ req.idiag_states = rc->idiag_states;
+ req.id = rc->id;
+
+--
+2.43.0
+
--- /dev/null
+From 5824fb543ce81b9789f2d4d7e8630a82ac518e3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Jun 2024 18:35:47 +0200
+Subject: KVM: s390: fix LPSWEY handling
+
+From: Christian Borntraeger <borntraeger@linux.ibm.com>
+
+[ Upstream commit 4c6abb7f7b349f00c0f7ed5045bf67759c012892 ]
+
+in rare cases, e.g. for injecting a machine check we do intercept all
+load PSW instructions via ICTL_LPSW. With facility 193 a new variant
+LPSWEY was added. KVM needs to handle that as well.
+
+Fixes: a3efa8429266 ("KVM: s390: gen_facilities: allow facilities 165, 193, 194 and 196")
+Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Reviewed-by: Sven Schnelle <svens@linux.ibm.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
+Message-ID: <20240628163547.2314-1-borntraeger@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/kvm_host.h | 1 +
+ arch/s390/kvm/kvm-s390.c | 1 +
+ arch/s390/kvm/kvm-s390.h | 15 +++++++++++++++
+ arch/s390/kvm/priv.c | 32 ++++++++++++++++++++++++++++++++
+ 4 files changed, 49 insertions(+)
+
+diff --git a/arch/s390/include/asm/kvm_host.h b/arch/s390/include/asm/kvm_host.h
+index 95990461888fc..9281063636a73 100644
+--- a/arch/s390/include/asm/kvm_host.h
++++ b/arch/s390/include/asm/kvm_host.h
+@@ -427,6 +427,7 @@ struct kvm_vcpu_stat {
+ u64 instruction_io_other;
+ u64 instruction_lpsw;
+ u64 instruction_lpswe;
++ u64 instruction_lpswey;
+ u64 instruction_pfmf;
+ u64 instruction_ptff;
+ u64 instruction_sck;
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index 82e9631cd9efb..54b5b2565df8d 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -132,6 +132,7 @@ const struct _kvm_stats_desc kvm_vcpu_stats_desc[] = {
+ STATS_DESC_COUNTER(VCPU, instruction_io_other),
+ STATS_DESC_COUNTER(VCPU, instruction_lpsw),
+ STATS_DESC_COUNTER(VCPU, instruction_lpswe),
++ STATS_DESC_COUNTER(VCPU, instruction_lpswey),
+ STATS_DESC_COUNTER(VCPU, instruction_pfmf),
+ STATS_DESC_COUNTER(VCPU, instruction_ptff),
+ STATS_DESC_COUNTER(VCPU, instruction_sck),
+diff --git a/arch/s390/kvm/kvm-s390.h b/arch/s390/kvm/kvm-s390.h
+index 111eb5c747840..bf8534218af3d 100644
+--- a/arch/s390/kvm/kvm-s390.h
++++ b/arch/s390/kvm/kvm-s390.h
+@@ -138,6 +138,21 @@ static inline u64 kvm_s390_get_base_disp_s(struct kvm_vcpu *vcpu, u8 *ar)
+ return (base2 ? vcpu->run->s.regs.gprs[base2] : 0) + disp2;
+ }
+
++static inline u64 kvm_s390_get_base_disp_siy(struct kvm_vcpu *vcpu, u8 *ar)
++{
++ u32 base1 = vcpu->arch.sie_block->ipb >> 28;
++ s64 disp1;
++
++ /* The displacement is a 20bit _SIGNED_ value */
++ disp1 = sign_extend64(((vcpu->arch.sie_block->ipb & 0x0fff0000) >> 16) +
++ ((vcpu->arch.sie_block->ipb & 0xff00) << 4), 19);
++
++ if (ar)
++ *ar = base1;
++
++ return (base1 ? vcpu->run->s.regs.gprs[base1] : 0) + disp1;
++}
++
+ static inline void kvm_s390_get_base_disp_sse(struct kvm_vcpu *vcpu,
+ u64 *address1, u64 *address2,
+ u8 *ar_b1, u8 *ar_b2)
+diff --git a/arch/s390/kvm/priv.c b/arch/s390/kvm/priv.c
+index 1be19cc9d73c1..1a49b89706f86 100644
+--- a/arch/s390/kvm/priv.c
++++ b/arch/s390/kvm/priv.c
+@@ -797,6 +797,36 @@ static int handle_lpswe(struct kvm_vcpu *vcpu)
+ return 0;
+ }
+
++static int handle_lpswey(struct kvm_vcpu *vcpu)
++{
++ psw_t new_psw;
++ u64 addr;
++ int rc;
++ u8 ar;
++
++ vcpu->stat.instruction_lpswey++;
++
++ if (!test_kvm_facility(vcpu->kvm, 193))
++ return kvm_s390_inject_program_int(vcpu, PGM_OPERATION);
++
++ if (vcpu->arch.sie_block->gpsw.mask & PSW_MASK_PSTATE)
++ return kvm_s390_inject_program_int(vcpu, PGM_PRIVILEGED_OP);
++
++ addr = kvm_s390_get_base_disp_siy(vcpu, &ar);
++ if (addr & 7)
++ return kvm_s390_inject_program_int(vcpu, PGM_SPECIFICATION);
++
++ rc = read_guest(vcpu, addr, ar, &new_psw, sizeof(new_psw));
++ if (rc)
++ return kvm_s390_inject_prog_cond(vcpu, rc);
++
++ vcpu->arch.sie_block->gpsw = new_psw;
++ if (!is_valid_psw(&vcpu->arch.sie_block->gpsw))
++ return kvm_s390_inject_program_int(vcpu, PGM_SPECIFICATION);
++
++ return 0;
++}
++
+ static int handle_stidp(struct kvm_vcpu *vcpu)
+ {
+ u64 stidp_data = vcpu->kvm->arch.model.cpuid;
+@@ -1462,6 +1492,8 @@ int kvm_s390_handle_eb(struct kvm_vcpu *vcpu)
+ case 0x61:
+ case 0x62:
+ return handle_ri(vcpu);
++ case 0x71:
++ return handle_lpswey(vcpu);
+ default:
+ return -EOPNOTSUPP;
+ }
+--
+2.43.0
+
--- /dev/null
+From 32dcd7c99149cce761ad3385bfd38d0327984adf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 14:40:10 +0300
+Subject: mac802154: fix time calculation in ieee802154_configure_durations()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 07aa33988ad92fef79056f5ec30b9a0e4364b616 ]
+
+Since 'symbol_duration' of 'struct wpan_phy' is in nanoseconds but
+'lifs_period' and 'sifs_period' are both in microseconds, fix time
+calculation in 'ieee802154_configure_durations()' and use convenient
+'NSEC_PER_USEC' in 'ieee802154_setup_wpan_phy_pib()' as well.
+Compile tested only.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 781830c800dd ("net: mac802154: Set durations automatically")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Message-ID: <20240508114010.219527-1-dmantipov@yandex.ru>
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac802154/main.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/net/mac802154/main.c b/net/mac802154/main.c
+index 9ab7396668d22..21b7c3b280b45 100644
+--- a/net/mac802154/main.c
++++ b/net/mac802154/main.c
+@@ -161,8 +161,10 @@ void ieee802154_configure_durations(struct wpan_phy *phy,
+ }
+
+ phy->symbol_duration = duration;
+- phy->lifs_period = (IEEE802154_LIFS_PERIOD * phy->symbol_duration) / NSEC_PER_SEC;
+- phy->sifs_period = (IEEE802154_SIFS_PERIOD * phy->symbol_duration) / NSEC_PER_SEC;
++ phy->lifs_period =
++ (IEEE802154_LIFS_PERIOD * phy->symbol_duration) / NSEC_PER_USEC;
++ phy->sifs_period =
++ (IEEE802154_SIFS_PERIOD * phy->symbol_duration) / NSEC_PER_USEC;
+ }
+ EXPORT_SYMBOL(ieee802154_configure_durations);
+
+@@ -184,10 +186,10 @@ static void ieee802154_setup_wpan_phy_pib(struct wpan_phy *wpan_phy)
+ * Should be done when all drivers sets this value.
+ */
+
+- wpan_phy->lifs_period =
+- (IEEE802154_LIFS_PERIOD * wpan_phy->symbol_duration) / 1000;
+- wpan_phy->sifs_period =
+- (IEEE802154_SIFS_PERIOD * wpan_phy->symbol_duration) / 1000;
++ wpan_phy->lifs_period = (IEEE802154_LIFS_PERIOD *
++ wpan_phy->symbol_duration) / NSEC_PER_USEC;
++ wpan_phy->sifs_period = (IEEE802154_SIFS_PERIOD *
++ wpan_phy->symbol_duration) / NSEC_PER_USEC;
+ }
+
+ int ieee802154_register_hw(struct ieee802154_hw *hw)
+--
+2.43.0
+
--- /dev/null
+From 8ca2457daaadd358f51ec7a8e8e39ffab21ff71c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 23:32:51 +0300
+Subject: mlxsw: core_linecards: Fix double memory deallocation in case of
+ invalid INI file
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+[ Upstream commit 8ce34dccbe8fa7d2ef86f2d8e7db2a9b67cabfc3 ]
+
+In case of invalid INI file mlxsw_linecard_types_init() deallocates memory
+but doesn't reset pointer to NULL and returns 0. In case of any error
+occurred after mlxsw_linecard_types_init() call, mlxsw_linecards_init()
+calls mlxsw_linecard_types_fini() which performs memory deallocation again.
+
+Add pointer reset to NULL.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: b217127e5e4e ("mlxsw: core_linecards: Add line card objects and implement provisioning")
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Link: https://patch.msgid.link/20240703203251.8871-1-amishin@t-argos.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core_linecards.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c
+index 025e0db983feb..b032d5a4b3b84 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core_linecards.c
+@@ -1484,6 +1484,7 @@ static int mlxsw_linecard_types_init(struct mlxsw_core *mlxsw_core,
+ vfree(types_info->data);
+ err_data_alloc:
+ kfree(types_info);
++ linecards->types_info = NULL;
+ return err;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 24126a0c65544734bfde36d0ece2fb2d12652ad9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jun 2024 13:00:08 +0300
+Subject: net: allow skb_datagram_iter to be called from any context
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit d2d30a376d9cc94c6fb730c58b3e5b7426ecb6de ]
+
+We only use the mapping in a single context, so kmap_local is sufficient
+and cheaper. Make sure to use skb_frag_foreach_page as skb frags may
+contain compound pages and we need to map page by page.
+
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202406161539.b5ff7b20-oliver.sang@intel.com
+Fixes: 950fcaecd5cc ("datagram: consolidate datagram copy to iter helpers")
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Link: https://patch.msgid.link/20240626100008.831849-1-sagi@grimberg.me
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/datagram.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/net/core/datagram.c b/net/core/datagram.c
+index a8b625abe242c..cb72923acc21c 100644
+--- a/net/core/datagram.c
++++ b/net/core/datagram.c
+@@ -435,15 +435,22 @@ static int __skb_datagram_iter(const struct sk_buff *skb, int offset,
+
+ end = start + skb_frag_size(frag);
+ if ((copy = end - offset) > 0) {
+- struct page *page = skb_frag_page(frag);
+- u8 *vaddr = kmap(page);
++ u32 p_off, p_len, copied;
++ struct page *p;
++ u8 *vaddr;
+
+ if (copy > len)
+ copy = len;
+- n = INDIRECT_CALL_1(cb, simple_copy_to_iter,
+- vaddr + skb_frag_off(frag) + offset - start,
+- copy, data, to);
+- kunmap(page);
++
++ skb_frag_foreach_page(frag,
++ skb_frag_off(frag) + offset - start,
++ copy, p, p_off, p_len, copied) {
++ vaddr = kmap_local_page(p);
++ n = INDIRECT_CALL_1(cb, simple_copy_to_iter,
++ vaddr + p_off, p_len, data, to);
++ kunmap_local(vaddr);
++ }
++
+ offset += n;
+ if (n != copy)
+ goto short_copy;
+--
+2.43.0
+
--- /dev/null
+From 5dca5c3d8f04a4a5adb2ca4d5b462bab4c5f8d39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jun 2024 21:02:37 +0300
+Subject: net/mlx5: E-switch, Create ingress ACL when needed
+
+From: Chris Mi <cmi@nvidia.com>
+
+[ Upstream commit b20c2fb45470d0c7a603613c9cfa5d45720e17f2 ]
+
+Currently, ingress acl is used for three features. It is created only
+when vport metadata match and prio tag are enabled. But active-backup
+lag mode also uses it. It is independent of vport metadata match and
+prio tag. And vport metadata match can be disabled using the
+following devlink command:
+
+ # devlink dev param set pci/0000:08:00.0 name esw_port_metadata \
+ value false cmode runtime
+
+If ingress acl is not created, will hit panic when creating drop rule
+for active-backup lag mode. If always create it, there will be about
+5% performance degradation.
+
+Fix it by creating ingress acl when needed. If esw_port_metadata is
+true, ingress acl exists, then create drop rule using existing
+ingress acl. If esw_port_metadata is false, create ingress acl and
+then create drop rule.
+
+Fixes: 1749c4c51c16 ("net/mlx5: E-switch, add drop rule support to ingress ACL")
+Signed-off-by: Chris Mi <cmi@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/esw/acl/ingress_ofld.c | 37 +++++++++++++++----
+ 1 file changed, 29 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c
+index 50d2ea3239798..a436ce895e45a 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/acl/ingress_ofld.c
+@@ -6,6 +6,9 @@
+ #include "helper.h"
+ #include "ofld.h"
+
++static int
++acl_ingress_ofld_setup(struct mlx5_eswitch *esw, struct mlx5_vport *vport);
++
+ static bool
+ esw_acl_ingress_prio_tag_enabled(struct mlx5_eswitch *esw,
+ const struct mlx5_vport *vport)
+@@ -123,18 +126,31 @@ static int esw_acl_ingress_src_port_drop_create(struct mlx5_eswitch *esw,
+ {
+ struct mlx5_flow_act flow_act = {};
+ struct mlx5_flow_handle *flow_rule;
++ bool created = false;
+ int err = 0;
+
++ if (!vport->ingress.acl) {
++ err = acl_ingress_ofld_setup(esw, vport);
++ if (err)
++ return err;
++ created = true;
++ }
++
+ flow_act.action = MLX5_FLOW_CONTEXT_ACTION_DROP;
+ flow_act.fg = vport->ingress.offloads.drop_grp;
+ flow_rule = mlx5_add_flow_rules(vport->ingress.acl, NULL, &flow_act, NULL, 0);
+ if (IS_ERR(flow_rule)) {
+ err = PTR_ERR(flow_rule);
+- goto out;
++ goto err_out;
+ }
+
+ vport->ingress.offloads.drop_rule = flow_rule;
+-out:
++
++ return 0;
++err_out:
++ /* Only destroy ingress acl created in this function. */
++ if (created)
++ esw_acl_ingress_ofld_cleanup(esw, vport);
+ return err;
+ }
+
+@@ -299,16 +315,12 @@ static void esw_acl_ingress_ofld_groups_destroy(struct mlx5_vport *vport)
+ }
+ }
+
+-int esw_acl_ingress_ofld_setup(struct mlx5_eswitch *esw,
+- struct mlx5_vport *vport)
++static int
++acl_ingress_ofld_setup(struct mlx5_eswitch *esw, struct mlx5_vport *vport)
+ {
+ int num_ftes = 0;
+ int err;
+
+- if (!mlx5_eswitch_vport_match_metadata_enabled(esw) &&
+- !esw_acl_ingress_prio_tag_enabled(esw, vport))
+- return 0;
+-
+ esw_acl_ingress_allow_rule_destroy(vport);
+
+ if (mlx5_eswitch_vport_match_metadata_enabled(esw))
+@@ -347,6 +359,15 @@ int esw_acl_ingress_ofld_setup(struct mlx5_eswitch *esw,
+ return err;
+ }
+
++int esw_acl_ingress_ofld_setup(struct mlx5_eswitch *esw, struct mlx5_vport *vport)
++{
++ if (!mlx5_eswitch_vport_match_metadata_enabled(esw) &&
++ !esw_acl_ingress_prio_tag_enabled(esw, vport))
++ return 0;
++
++ return acl_ingress_ofld_setup(esw, vport);
++}
++
+ void esw_acl_ingress_ofld_cleanup(struct mlx5_eswitch *esw,
+ struct mlx5_vport *vport)
+ {
+--
+2.43.0
+
--- /dev/null
+From f777f4b8126caf59d59604d44ffcf4d3a7859f23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jun 2024 21:02:38 +0300
+Subject: net/mlx5e: Add mqprio_rl cleanup and free in mlx5e_priv_cleanup()
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 1da839eab6dbc26b95bfcd1ed1a4d1aaa5c144a3 ]
+
+In the cited commit, mqprio_rl cleanup and free are mistakenly removed
+in mlx5e_priv_cleanup(), and it causes the leakage of host memory and
+firmware SCHEDULING_ELEMENT objects while changing eswitch mode. So,
+add them back.
+
+Fixes: 0bb7228f7096 ("net/mlx5e: Fix mqprio_rl handling on devlink reload")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 981a3e058840d..cab1770aa476c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -5732,6 +5732,11 @@ void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
+ kfree(priv->htb_qos_sq_stats[i]);
+ kvfree(priv->htb_qos_sq_stats);
+
++ if (priv->mqprio_rl) {
++ mlx5e_mqprio_rl_cleanup(priv->mqprio_rl);
++ mlx5e_mqprio_rl_free(priv->mqprio_rl);
++ }
++
+ memset(priv, 0, sizeof(*priv));
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 31b0c181c229ea6d5271cb490759033495d4e992 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jun 2024 21:02:40 +0300
+Subject: net/mlx5e: Approximate IPsec per-SA payload data bytes count
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit e562f2d46d27576dd4108c1c4a67d501a5936e31 ]
+
+ConnectX devices lack ability to count payload data byte size which is
+needed for SA to return to libreswan for rekeying.
+
+As a solution let's approximate that by decreasing headers size from
+total size counted by flow steering. The calculation doesn't take into
+account any other headers which can be in the packet (e.g. IP extensions).
+
+Fixes: 5a6cddb89b51 ("net/mlx5e: Update IPsec per SA packets/bytes count")
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+index 2a10428d820ae..3d274599015be 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+@@ -994,6 +994,7 @@ static void mlx5e_xfrm_update_stats(struct xfrm_state *x)
+ u64 auth_packets = 0, auth_bytes = 0;
+ u64 success_packets, success_bytes;
+ u64 packets, bytes, lastuse;
++ size_t headers;
+
+ lockdep_assert(lockdep_is_held(&x->lock) ||
+ lockdep_is_held(&dev_net(x->xso.real_dev)->xfrm.xfrm_cfg_mutex) ||
+@@ -1026,9 +1027,20 @@ static void mlx5e_xfrm_update_stats(struct xfrm_state *x)
+ mlx5_fc_query_cached(ipsec_rule->fc, &bytes, &packets, &lastuse);
+ success_packets = packets - auth_packets - trailer_packets - replay_packets;
+ x->curlft.packets += success_packets;
++ /* NIC counts all bytes passed through flow steering and doesn't have
++ * an ability to count payload data size which is needed for SA.
++ *
++ * To overcome HW limitestion, let's approximate the payload size
++ * by removing always available headers.
++ */
++ headers = sizeof(struct ethhdr);
++ if (sa_entry->attrs.family == AF_INET)
++ headers += sizeof(struct iphdr);
++ else
++ headers += sizeof(struct ipv6hdr);
+
+ success_bytes = bytes - auth_bytes - trailer_bytes - replay_bytes;
+- x->curlft.bytes += success_bytes;
++ x->curlft.bytes += success_bytes - headers * success_packets;
+ }
+
+ static int mlx5e_xfrm_validate_policy(struct mlx5_core_dev *mdev,
+--
+2.43.0
+
--- /dev/null
+From 72cb148ef0efa920f21379123747166bd38c8429 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jun 2024 21:02:39 +0300
+Subject: net/mlx5e: Present succeeded IPsec SA bytes and packet
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 2d9dac5559f8cc4318e6b0d3c5b71984f462620b ]
+
+IPsec SA statistics presents successfully decrypted and encrypted
+packet and bytes, and not total handled by this SA. So update the
+calculation logic to take into account failures.
+
+Fixes: 6fb7f9408779 ("net/mlx5e: Connect mlx5 IPsec statistics with XFRM core")
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/en_accel/ipsec.c | 36 ++++++++++++-------
+ 1 file changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+index c54fd01ea635a..2a10428d820ae 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+@@ -989,6 +989,10 @@ static void mlx5e_xfrm_update_stats(struct xfrm_state *x)
+ struct mlx5e_ipsec_sa_entry *sa_entry = to_ipsec_sa_entry(x);
+ struct mlx5e_ipsec_rule *ipsec_rule = &sa_entry->ipsec_rule;
+ struct net *net = dev_net(x->xso.dev);
++ u64 trailer_packets = 0, trailer_bytes = 0;
++ u64 replay_packets = 0, replay_bytes = 0;
++ u64 auth_packets = 0, auth_bytes = 0;
++ u64 success_packets, success_bytes;
+ u64 packets, bytes, lastuse;
+
+ lockdep_assert(lockdep_is_held(&x->lock) ||
+@@ -999,26 +1003,32 @@ static void mlx5e_xfrm_update_stats(struct xfrm_state *x)
+ return;
+
+ if (sa_entry->attrs.dir == XFRM_DEV_OFFLOAD_IN) {
+- mlx5_fc_query_cached(ipsec_rule->auth.fc, &bytes, &packets, &lastuse);
+- x->stats.integrity_failed += packets;
+- XFRM_ADD_STATS(net, LINUX_MIB_XFRMINSTATEPROTOERROR, packets);
+-
+- mlx5_fc_query_cached(ipsec_rule->trailer.fc, &bytes, &packets, &lastuse);
+- XFRM_ADD_STATS(net, LINUX_MIB_XFRMINHDRERROR, packets);
++ mlx5_fc_query_cached(ipsec_rule->auth.fc, &auth_bytes,
++ &auth_packets, &lastuse);
++ x->stats.integrity_failed += auth_packets;
++ XFRM_ADD_STATS(net, LINUX_MIB_XFRMINSTATEPROTOERROR, auth_packets);
++
++ mlx5_fc_query_cached(ipsec_rule->trailer.fc, &trailer_bytes,
++ &trailer_packets, &lastuse);
++ XFRM_ADD_STATS(net, LINUX_MIB_XFRMINHDRERROR, trailer_packets);
+ }
+
+ if (x->xso.type != XFRM_DEV_OFFLOAD_PACKET)
+ return;
+
+- mlx5_fc_query_cached(ipsec_rule->fc, &bytes, &packets, &lastuse);
+- x->curlft.packets += packets;
+- x->curlft.bytes += bytes;
+-
+ if (sa_entry->attrs.dir == XFRM_DEV_OFFLOAD_IN) {
+- mlx5_fc_query_cached(ipsec_rule->replay.fc, &bytes, &packets, &lastuse);
+- x->stats.replay += packets;
+- XFRM_ADD_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR, packets);
++ mlx5_fc_query_cached(ipsec_rule->replay.fc, &replay_bytes,
++ &replay_packets, &lastuse);
++ x->stats.replay += replay_packets;
++ XFRM_ADD_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR, replay_packets);
+ }
++
++ mlx5_fc_query_cached(ipsec_rule->fc, &bytes, &packets, &lastuse);
++ success_packets = packets - auth_packets - trailer_packets - replay_packets;
++ x->curlft.packets += success_packets;
++
++ success_bytes = bytes - auth_bytes - trailer_bytes - replay_bytes;
++ x->curlft.bytes += success_bytes;
+ }
+
+ static int mlx5e_xfrm_validate_policy(struct mlx5_core_dev *mdev,
+--
+2.43.0
+
--- /dev/null
+From b883da18c6250e9e071a1ca4ba3afe36f9b2022d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jul 2024 11:15:38 -0700
+Subject: net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from
+ __netif_rx()
+
+From: Dave Jiang <dave.jiang@intel.com>
+
+[ Upstream commit e15a5d821e5192a3769d846079bc9aa380139baf ]
+
+The following is emitted when using idxd (DSA) dmanegine as the data
+mover for ntb_transport that ntb_netdev uses.
+
+[74412.546922] BUG: using smp_processor_id() in preemptible [00000000] code: irq/52-idxd-por/14526
+[74412.556784] caller is netif_rx_internal+0x42/0x130
+[74412.562282] CPU: 6 PID: 14526 Comm: irq/52-idxd-por Not tainted 6.9.5 #5
+[74412.569870] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.E9I.1752.P05.2402080856 02/08/2024
+[74412.581699] Call Trace:
+[74412.584514] <TASK>
+[74412.586933] dump_stack_lvl+0x55/0x70
+[74412.591129] check_preemption_disabled+0xc8/0xf0
+[74412.596374] netif_rx_internal+0x42/0x130
+[74412.600957] __netif_rx+0x20/0xd0
+[74412.604743] ntb_netdev_rx_handler+0x66/0x150 [ntb_netdev]
+[74412.610985] ntb_complete_rxc+0xed/0x140 [ntb_transport]
+[74412.617010] ntb_rx_copy_callback+0x53/0x80 [ntb_transport]
+[74412.623332] idxd_dma_complete_txd+0xe3/0x160 [idxd]
+[74412.628963] idxd_wq_thread+0x1a6/0x2b0 [idxd]
+[74412.634046] irq_thread_fn+0x21/0x60
+[74412.638134] ? irq_thread+0xa8/0x290
+[74412.642218] irq_thread+0x1a0/0x290
+[74412.646212] ? __pfx_irq_thread_fn+0x10/0x10
+[74412.651071] ? __pfx_irq_thread_dtor+0x10/0x10
+[74412.656117] ? __pfx_irq_thread+0x10/0x10
+[74412.660686] kthread+0x100/0x130
+[74412.664384] ? __pfx_kthread+0x10/0x10
+[74412.668639] ret_from_fork+0x31/0x50
+[74412.672716] ? __pfx_kthread+0x10/0x10
+[74412.676978] ret_from_fork_asm+0x1a/0x30
+[74412.681457] </TASK>
+
+The cause is due to the idxd driver interrupt completion handler uses
+threaded interrupt and the threaded handler is not hard or soft interrupt
+context. However __netif_rx() can only be called from interrupt context.
+Change the call to netif_rx() in order to allow completion via normal
+context for dmaengine drivers that utilize threaded irq handling.
+
+While the following commit changed from netif_rx() to __netif_rx(),
+baebdf48c360 ("net: dev: Makes sure netif_rx() can be invoked in any context."),
+the change should've been a noop instead. However, the code precedes this
+fix should've been using netif_rx_ni() or netif_rx_any_context().
+
+Fixes: 548c237c0a99 ("net: Add support for NTB virtual ethernet device")
+Reported-by: Jerry Dai <jerry.dai@intel.com>
+Tested-by: Jerry Dai <jerry.dai@intel.com>
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://patch.msgid.link/20240701181538.3799546-1-dave.jiang@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ntb_netdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c
+index 536bd6564f8b8..dade51cf599c6 100644
+--- a/drivers/net/ntb_netdev.c
++++ b/drivers/net/ntb_netdev.c
+@@ -119,7 +119,7 @@ static void ntb_netdev_rx_handler(struct ntb_transport_qp *qp, void *qp_data,
+ skb->protocol = eth_type_trans(skb, ndev);
+ skb->ip_summed = CHECKSUM_NONE;
+
+- if (__netif_rx(skb) == NET_RX_DROP) {
++ if (netif_rx(skb) == NET_RX_DROP) {
+ ndev->stats.rx_errors++;
+ ndev->stats.rx_dropped++;
+ } else {
+--
+2.43.0
+
--- /dev/null
+From b2df1bbbe055ad1373dc9976ce7b76b321543d34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jul 2024 10:03:22 +0200
+Subject: net: phy: aquantia: add missing include guards
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+[ Upstream commit 219343755eae6536d1fcb9184e6253ade4906aac ]
+
+The header is missing the include guards so add them.
+
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Fixes: fb470f70fea7 ("net: phy: aquantia: add hwmon support")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Link: https://patch.msgid.link/20240701080322.9569-1-brgl@bgdev.pl
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/aquantia/aquantia.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/phy/aquantia/aquantia.h b/drivers/net/phy/aquantia/aquantia.h
+index 1c19ae74ad2b4..4830b25e6c7d3 100644
+--- a/drivers/net/phy/aquantia/aquantia.h
++++ b/drivers/net/phy/aquantia/aquantia.h
+@@ -6,6 +6,9 @@
+ * Author: Heiner Kallweit <hkallweit1@gmail.com>
+ */
+
++#ifndef AQUANTIA_H
++#define AQUANTIA_H
++
+ #include <linux/device.h>
+ #include <linux/phy.h>
+
+@@ -120,3 +123,5 @@ static inline int aqr_hwmon_probe(struct phy_device *phydev) { return 0; }
+ #endif
+
+ int aqr_firmware_load(struct phy_device *phydev);
++
++#endif /* AQUANTIA_H */
+--
+2.43.0
+
--- /dev/null
+From daafb9646ff6b3595911bd2b722c6b3e8e5cf231 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jun 2024 05:06:17 +0200
+Subject: net: phy: phy_device: Fix PHY LED blinking code comment
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit d3dcb084c70727be4a2f61bd94796e66147cfa35 ]
+
+Fix copy-paste error in the code comment. The code refers to
+LED blinking configuration, not brightness configuration. It
+was likely copied from comment above this one which does
+refer to brightness configuration.
+
+Fixes: 4e901018432e ("net: phy: phy_device: Call into the PHY driver to set LED blinking")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20240626030638.512069-1-marex@denx.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/phy.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/phy.h b/include/linux/phy.h
+index 3f68b8239bb11..a62d86bce1b63 100644
+--- a/include/linux/phy.h
++++ b/include/linux/phy.h
+@@ -1121,7 +1121,7 @@ struct phy_driver {
+ u8 index, enum led_brightness value);
+
+ /**
+- * @led_blink_set: Set a PHY LED brightness. Index indicates
++ * @led_blink_set: Set a PHY LED blinking. Index indicates
+ * which of the PHYs led should be configured to blink. Delays
+ * are in milliseconds and if both are zero then a sensible
+ * default should be chosen. The call should adjust the
+--
+2.43.0
+
--- /dev/null
+From 33c47a3e7e22ff343e98fc57b8cad019a3be6729 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 17:08:37 -0400
+Subject: net: rswitch: Avoid use-after-free in rswitch_poll()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radu Rendec <rrendec@redhat.com>
+
+[ Upstream commit 9a0c28efeec6383ef22e97437616b920e7320b67 ]
+
+The use-after-free is actually in rswitch_tx_free(), which is inlined in
+rswitch_poll(). Since `skb` and `gq->skbs[gq->dirty]` are in fact the
+same pointer, the skb is first freed using dev_kfree_skb_any(), then the
+value in skb->len is used to update the interface statistics.
+
+Let's move around the instructions to use skb->len before the skb is
+freed.
+
+This bug is trivial to reproduce using KFENCE. It will trigger a splat
+every few packets. A simple ARP request or ICMP echo request is enough.
+
+Fixes: 271e015b9153 ("net: rswitch: Add unmap_addrs instead of dma address in each desc")
+Signed-off-by: Radu Rendec <rrendec@redhat.com>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Link: https://patch.msgid.link/20240702210838.2703228-1-rrendec@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/rswitch.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c
+index dcab638c57fe8..24c90d8f5a442 100644
+--- a/drivers/net/ethernet/renesas/rswitch.c
++++ b/drivers/net/ethernet/renesas/rswitch.c
+@@ -871,13 +871,13 @@ static void rswitch_tx_free(struct net_device *ndev)
+ dma_rmb();
+ skb = gq->skbs[gq->dirty];
+ if (skb) {
++ rdev->ndev->stats.tx_packets++;
++ rdev->ndev->stats.tx_bytes += skb->len;
+ dma_unmap_single(ndev->dev.parent,
+ gq->unmap_addrs[gq->dirty],
+ skb->len, DMA_TO_DEVICE);
+ dev_kfree_skb_any(gq->skbs[gq->dirty]);
+ gq->skbs[gq->dirty] = NULL;
+- rdev->ndev->stats.tx_packets++;
+- rdev->ndev->stats.tx_bytes += skb->len;
+ }
+ desc->desc.die_dt = DT_EEMPTY;
+ }
+--
+2.43.0
+
--- /dev/null
+From 5a889ed039083f9cb19fa1ecff76e5a3c236ef44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jul 2024 16:19:36 +0800
+Subject: net: stmmac: enable HW-accelerated VLAN stripping for gmac4 only
+
+From: Furong Xu <0x1207@gmail.com>
+
+[ Upstream commit 8eb301bd7b0f45d36e663ecbe59b7c80b9863950 ]
+
+Commit 750011e239a5 ("net: stmmac: Add support for HW-accelerated VLAN
+stripping") enables MAC level VLAN tag stripping for all MAC cores, but
+leaves set_hw_vlan_mode() and rx_hw_vlan() un-implemented for both gmac
+and xgmac.
+
+On gmac and xgmac, ethtool reports rx-vlan-offload is on, both MAC and
+driver do nothing about VLAN packets actually, although VLAN works well.
+
+Driver level stripping should be used on gmac and xgmac for now.
+
+Fixes: 750011e239a5 ("net: stmmac: Add support for HW-accelerated VLAN stripping")
+Signed-off-by: Furong Xu <0x1207@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 7c6fb14b55550..39e8340446c71 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -7662,9 +7662,10 @@ int stmmac_dvr_probe(struct device *device,
+ #ifdef STMMAC_VLAN_TAG_USED
+ /* Both mac100 and gmac support receive VLAN tag detection */
+ ndev->features |= NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX;
+- ndev->hw_features |= NETIF_F_HW_VLAN_CTAG_RX;
+- priv->hw->hw_vlan_en = true;
+-
++ if (priv->plat->has_gmac4) {
++ ndev->hw_features |= NETIF_F_HW_VLAN_CTAG_RX;
++ priv->hw->hw_vlan_en = true;
++ }
+ if (priv->dma_cap.vlhash) {
+ ndev->features |= NETIF_F_HW_VLAN_CTAG_FILTER;
+ ndev->features |= NETIF_F_HW_VLAN_STAG_FILTER;
+--
+2.43.0
+
--- /dev/null
+From ff9707f603993c9e5138fe7f4c308d7a6014273f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jul 2024 15:14:15 +0800
+Subject: net: txgbe: add extra handle for MSI/INTx into thread irq handle
+
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+
+[ Upstream commit 1e1fa1723eb3a293d7d0b1c1a9ad8774c1ef0aa0 ]
+
+Rename original txgbe_misc_irq_handle() to txgbe_misc_irq_thread_fn()
+since it is the handle thread to wake up. And add the primary handler
+to deal the case of MSI/INTx, because there is a schedule NAPI poll.
+
+Fixes: aefd013624a1 ("net: txgbe: use irq_domain for interrupt controller")
+Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/wangxun/txgbe/txgbe_irq.c | 44 ++++++++++++++++---
+ 1 file changed, 39 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c
+index 1490fd6ddbdf9..a4cf682dca650 100644
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c
+@@ -111,6 +111,36 @@ static const struct irq_domain_ops txgbe_misc_irq_domain_ops = {
+ };
+
+ static irqreturn_t txgbe_misc_irq_handle(int irq, void *data)
++{
++ struct wx_q_vector *q_vector;
++ struct txgbe *txgbe = data;
++ struct wx *wx = txgbe->wx;
++ u32 eicr;
++
++ if (wx->pdev->msix_enabled)
++ return IRQ_WAKE_THREAD;
++
++ eicr = wx_misc_isb(wx, WX_ISB_VEC0);
++ if (!eicr) {
++ /* shared interrupt alert!
++ * the interrupt that we masked before the ICR read.
++ */
++ if (netif_running(wx->netdev))
++ txgbe_irq_enable(wx, true);
++ return IRQ_NONE; /* Not our interrupt */
++ }
++ wx->isb_mem[WX_ISB_VEC0] = 0;
++ if (!(wx->pdev->msi_enabled))
++ wr32(wx, WX_PX_INTA, 1);
++
++ /* would disable interrupts here but it is auto disabled */
++ q_vector = wx->q_vector[0];
++ napi_schedule_irqoff(&q_vector->napi);
++
++ return IRQ_WAKE_THREAD;
++}
++
++static irqreturn_t txgbe_misc_irq_thread_fn(int irq, void *data)
+ {
+ struct txgbe *txgbe = data;
+ struct wx *wx = txgbe->wx;
+@@ -157,6 +187,7 @@ void txgbe_free_misc_irq(struct txgbe *txgbe)
+
+ int txgbe_setup_misc_irq(struct txgbe *txgbe)
+ {
++ unsigned long flags = IRQF_ONESHOT;
+ struct wx *wx = txgbe->wx;
+ int hwirq, err;
+
+@@ -170,14 +201,17 @@ int txgbe_setup_misc_irq(struct txgbe *txgbe)
+ irq_create_mapping(txgbe->misc.domain, hwirq);
+
+ txgbe->misc.chip = txgbe_irq_chip;
+- if (wx->pdev->msix_enabled)
++ if (wx->pdev->msix_enabled) {
+ txgbe->misc.irq = wx->msix_entry->vector;
+- else
++ } else {
+ txgbe->misc.irq = wx->pdev->irq;
++ if (!wx->pdev->msi_enabled)
++ flags |= IRQF_SHARED;
++ }
+
+- err = request_threaded_irq(txgbe->misc.irq, NULL,
+- txgbe_misc_irq_handle,
+- IRQF_ONESHOT,
++ err = request_threaded_irq(txgbe->misc.irq, txgbe_misc_irq_handle,
++ txgbe_misc_irq_thread_fn,
++ flags,
+ wx->netdev->name, txgbe);
+ if (err)
+ goto del_misc_irq;
+--
+2.43.0
+
--- /dev/null
+From b2c5640427d36f1f1c89abe95d15d08fc478da5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jul 2024 15:14:16 +0800
+Subject: net: txgbe: free isb resources at the right time
+
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+
+[ Upstream commit 935124dd5883b5de68dc5a94f582480a10643dc9 ]
+
+When using MSI/INTx interrupt, the shared interrupts are still being
+handled in the device remove routine, before free IRQs. So isb memory
+is still read after it is freed. Thus move wx_free_isb_resources()
+from txgbe_close() to txgbe_remove(). And fix the improper isb free
+action in txgbe_open() error handling path.
+
+Fixes: aefd013624a1 ("net: txgbe: use irq_domain for interrupt controller")
+Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/wangxun/libwx/wx_lib.c | 4 +++-
+ drivers/net/ethernet/wangxun/ngbe/ngbe_main.c | 2 ++
+ drivers/net/ethernet/wangxun/txgbe/txgbe_main.c | 7 ++++---
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c
+index bf02bd0f08407..88e5e390770b5 100644
+--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c
++++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c
+@@ -2028,6 +2028,9 @@ int wx_setup_isb_resources(struct wx *wx)
+ {
+ struct pci_dev *pdev = wx->pdev;
+
++ if (wx->isb_mem)
++ return 0;
++
+ wx->isb_mem = dma_alloc_coherent(&pdev->dev,
+ sizeof(u32) * 4,
+ &wx->isb_dma,
+@@ -2387,7 +2390,6 @@ static void wx_free_all_tx_resources(struct wx *wx)
+
+ void wx_free_resources(struct wx *wx)
+ {
+- wx_free_isb_resources(wx);
+ wx_free_all_rx_resources(wx);
+ wx_free_all_tx_resources(wx);
+ }
+diff --git a/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c b/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c
+index e894e01d030d1..af30ca0312b81 100644
+--- a/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c
++++ b/drivers/net/ethernet/wangxun/ngbe/ngbe_main.c
+@@ -387,6 +387,7 @@ static int ngbe_open(struct net_device *netdev)
+ err_free_irq:
+ wx_free_irq(wx);
+ err_free_resources:
++ wx_free_isb_resources(wx);
+ wx_free_resources(wx);
+ return err;
+ }
+@@ -408,6 +409,7 @@ static int ngbe_close(struct net_device *netdev)
+
+ ngbe_down(wx);
+ wx_free_irq(wx);
++ wx_free_isb_resources(wx);
+ wx_free_resources(wx);
+ phylink_disconnect_phy(wx->phylink);
+ wx_control_hw(wx, false);
+diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c
+index 76b5672c0a177..ca74d9422065a 100644
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c
+@@ -296,7 +296,7 @@ static int txgbe_open(struct net_device *netdev)
+
+ err = txgbe_request_queue_irqs(wx);
+ if (err)
+- goto err_free_isb;
++ goto err_free_resources;
+
+ /* Notify the stack of the actual queue counts. */
+ err = netif_set_real_num_tx_queues(netdev, wx->num_tx_queues);
+@@ -313,8 +313,8 @@ static int txgbe_open(struct net_device *netdev)
+
+ err_free_irq:
+ wx_free_irq(wx);
+-err_free_isb:
+- wx_free_isb_resources(wx);
++err_free_resources:
++ wx_free_resources(wx);
+ err_reset:
+ txgbe_reset(wx);
+
+@@ -729,6 +729,7 @@ static void txgbe_remove(struct pci_dev *pdev)
+
+ txgbe_remove_phy(txgbe);
+ txgbe_free_misc_irq(txgbe);
++ wx_free_isb_resources(wx);
+
+ pci_release_selected_regions(pdev,
+ pci_select_bars(pdev, IORESOURCE_MEM));
+--
+2.43.0
+
--- /dev/null
+From e5e8a6da23d6e8d3c70ecbc72b7455581f501566 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jul 2024 15:14:13 +0800
+Subject: net: txgbe: initialize num_q_vectors for MSI/INTx interrupts
+
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+
+[ Upstream commit 7c36711a2cd8059c2d24f5e5c1d76e8ea2d5613c ]
+
+When using MSI/INTx interrupts, wx->num_q_vectors is uninitialized.
+Thus there will be kernel panic in wx_alloc_q_vectors() to allocate
+queue vectors.
+
+Fixes: 3f703186113f ("net: libwx: Add irq flow functions")
+Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/wangxun/libwx/wx_lib.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c
+index 07ba3a270a14f..b62b191cc146a 100644
+--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c
++++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c
+@@ -1686,6 +1686,7 @@ static int wx_set_interrupt_capability(struct wx *wx)
+ }
+
+ pdev->irq = pci_irq_vector(pdev, 0);
++ wx->num_q_vectors = 1;
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From f87f115ef45172cb887e509de14c0d44ecb1be4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jul 2024 15:14:14 +0800
+Subject: net: txgbe: remove separate irq request for MSI and INTx
+
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+
+[ Upstream commit bd07a98178462e7a02ed2bf7dec90a00944c1da5 ]
+
+When using MSI or INTx interrupts, request_irq() for pdev->irq will
+conflict with request_threaded_irq() for txgbe->misc.irq, to cause
+system crash. So remove txgbe_request_irq() for MSI/INTx case, and
+rename txgbe_request_msix_irqs() since it only request for queue irqs.
+
+Add wx->misc_irq_domain to determine whether the driver creates an IRQ
+domain and threaded request the IRQs.
+
+Fixes: aefd013624a1 ("net: txgbe: use irq_domain for interrupt controller")
+Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/wangxun/libwx/wx_hw.c | 1 +
+ drivers/net/ethernet/wangxun/libwx/wx_lib.c | 5 +-
+ drivers/net/ethernet/wangxun/libwx/wx_type.h | 1 +
+ .../net/ethernet/wangxun/txgbe/txgbe_irq.c | 80 ++-----------------
+ .../net/ethernet/wangxun/txgbe/txgbe_irq.h | 2 +-
+ .../net/ethernet/wangxun/txgbe/txgbe_main.c | 2 +-
+ 6 files changed, 15 insertions(+), 76 deletions(-)
+
+diff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c
+index c09a6f7445754..db640ea63f034 100644
+--- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c
++++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c
+@@ -1959,6 +1959,7 @@ int wx_sw_init(struct wx *wx)
+ }
+
+ bitmap_zero(wx->state, WX_STATE_NBITS);
++ wx->misc_irq_domain = false;
+
+ return 0;
+ }
+diff --git a/drivers/net/ethernet/wangxun/libwx/wx_lib.c b/drivers/net/ethernet/wangxun/libwx/wx_lib.c
+index b62b191cc146a..bf02bd0f08407 100644
+--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c
++++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c
+@@ -1997,7 +1997,8 @@ void wx_free_irq(struct wx *wx)
+ int vector;
+
+ if (!(pdev->msix_enabled)) {
+- free_irq(pdev->irq, wx);
++ if (!wx->misc_irq_domain)
++ free_irq(pdev->irq, wx);
+ return;
+ }
+
+@@ -2012,7 +2013,7 @@ void wx_free_irq(struct wx *wx)
+ free_irq(entry->vector, q_vector);
+ }
+
+- if (wx->mac.type == wx_mac_em)
++ if (!wx->misc_irq_domain)
+ free_irq(wx->msix_entry->vector, wx);
+ }
+ EXPORT_SYMBOL(wx_free_irq);
+diff --git a/drivers/net/ethernet/wangxun/libwx/wx_type.h b/drivers/net/ethernet/wangxun/libwx/wx_type.h
+index 5aaf7b1fa2db9..0df7f5712b6f7 100644
+--- a/drivers/net/ethernet/wangxun/libwx/wx_type.h
++++ b/drivers/net/ethernet/wangxun/libwx/wx_type.h
+@@ -1058,6 +1058,7 @@ struct wx {
+ dma_addr_t isb_dma;
+ u32 *isb_mem;
+ u32 isb_tag[WX_ISB_MAX];
++ bool misc_irq_domain;
+
+ #define WX_MAX_RETA_ENTRIES 128
+ #define WX_RSS_INDIR_TBL_MAX 64
+diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c
+index b3e3605d1edb3..1490fd6ddbdf9 100644
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c
+@@ -27,57 +27,19 @@ void txgbe_irq_enable(struct wx *wx, bool queues)
+ }
+
+ /**
+- * txgbe_intr - msi/legacy mode Interrupt Handler
+- * @irq: interrupt number
+- * @data: pointer to a network interface device structure
+- **/
+-static irqreturn_t txgbe_intr(int __always_unused irq, void *data)
+-{
+- struct wx_q_vector *q_vector;
+- struct wx *wx = data;
+- struct pci_dev *pdev;
+- u32 eicr;
+-
+- q_vector = wx->q_vector[0];
+- pdev = wx->pdev;
+-
+- eicr = wx_misc_isb(wx, WX_ISB_VEC0);
+- if (!eicr) {
+- /* shared interrupt alert!
+- * the interrupt that we masked before the ICR read.
+- */
+- if (netif_running(wx->netdev))
+- txgbe_irq_enable(wx, true);
+- return IRQ_NONE; /* Not our interrupt */
+- }
+- wx->isb_mem[WX_ISB_VEC0] = 0;
+- if (!(pdev->msi_enabled))
+- wr32(wx, WX_PX_INTA, 1);
+-
+- wx->isb_mem[WX_ISB_MISC] = 0;
+- /* would disable interrupts here but it is auto disabled */
+- napi_schedule_irqoff(&q_vector->napi);
+-
+- /* re-enable link(maybe) and non-queue interrupts, no flush.
+- * txgbe_poll will re-enable the queue interrupts
+- */
+- if (netif_running(wx->netdev))
+- txgbe_irq_enable(wx, false);
+-
+- return IRQ_HANDLED;
+-}
+-
+-/**
+- * txgbe_request_msix_irqs - Initialize MSI-X interrupts
++ * txgbe_request_queue_irqs - Initialize MSI-X queue interrupts
+ * @wx: board private structure
+ *
+- * Allocate MSI-X vectors and request interrupts from the kernel.
++ * Allocate MSI-X queue vectors and request interrupts from the kernel.
+ **/
+-static int txgbe_request_msix_irqs(struct wx *wx)
++int txgbe_request_queue_irqs(struct wx *wx)
+ {
+ struct net_device *netdev = wx->netdev;
+ int vector, err;
+
++ if (!wx->pdev->msix_enabled)
++ return 0;
++
+ for (vector = 0; vector < wx->num_q_vectors; vector++) {
+ struct wx_q_vector *q_vector = wx->q_vector[vector];
+ struct msix_entry *entry = &wx->msix_q_entries[vector];
+@@ -110,34 +72,6 @@ static int txgbe_request_msix_irqs(struct wx *wx)
+ return err;
+ }
+
+-/**
+- * txgbe_request_irq - initialize interrupts
+- * @wx: board private structure
+- *
+- * Attempt to configure interrupts using the best available
+- * capabilities of the hardware and kernel.
+- **/
+-int txgbe_request_irq(struct wx *wx)
+-{
+- struct net_device *netdev = wx->netdev;
+- struct pci_dev *pdev = wx->pdev;
+- int err;
+-
+- if (pdev->msix_enabled)
+- err = txgbe_request_msix_irqs(wx);
+- else if (pdev->msi_enabled)
+- err = request_irq(wx->pdev->irq, &txgbe_intr, 0,
+- netdev->name, wx);
+- else
+- err = request_irq(wx->pdev->irq, &txgbe_intr, IRQF_SHARED,
+- netdev->name, wx);
+-
+- if (err)
+- wx_err(wx, "request_irq failed, Error %d\n", err);
+-
+- return err;
+-}
+-
+ static int txgbe_request_gpio_irq(struct txgbe *txgbe)
+ {
+ txgbe->gpio_irq = irq_find_mapping(txgbe->misc.domain, TXGBE_IRQ_GPIO);
+@@ -256,6 +190,8 @@ int txgbe_setup_misc_irq(struct txgbe *txgbe)
+ if (err)
+ goto free_gpio_irq;
+
++ wx->misc_irq_domain = true;
++
+ return 0;
+
+ free_gpio_irq:
+diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.h b/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.h
+index b77945e7a0f26..e6285b94625ea 100644
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.h
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.h
+@@ -2,6 +2,6 @@
+ /* Copyright (c) 2015 - 2024 Beijing WangXun Technology Co., Ltd. */
+
+ void txgbe_irq_enable(struct wx *wx, bool queues);
+-int txgbe_request_irq(struct wx *wx);
++int txgbe_request_queue_irqs(struct wx *wx);
+ void txgbe_free_misc_irq(struct txgbe *txgbe);
+ int txgbe_setup_misc_irq(struct txgbe *txgbe);
+diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c
+index 8c7a74981b907..76b5672c0a177 100644
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c
+@@ -294,7 +294,7 @@ static int txgbe_open(struct net_device *netdev)
+
+ wx_configure(wx);
+
+- err = txgbe_request_irq(wx);
++ err = txgbe_request_queue_irqs(wx);
+ if (err)
+ goto err_free_isb;
+
+--
+2.43.0
+
--- /dev/null
+From 8f85f608dfda467e344ea21c65844b34e849c9b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 16:08:14 +0200
+Subject: netfilter: nf_tables: unconditionally flush pending work before
+ notifier
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 9f6958ba2e902f9820c594869bd710ba74b7c4c0 ]
+
+syzbot reports:
+
+KASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831
+KASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530
+KASAN: slab-uaf int nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597
+Read of size 2 at addr ffff88802b0051c4 by task kworker/1:1/45
+[..]
+Workqueue: events nf_tables_trans_destroy_work
+Call Trace:
+ nft_ctx_update include/net/netfilter/nf_tables.h:1831 [inline]
+ nft_commit_release net/netfilter/nf_tables_api.c:9530 [inline]
+ nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597
+
+Problem is that the notifier does a conditional flush, but its possible
+that the table-to-be-removed is still referenced by transactions being
+processed by the worker, so we need to flush unconditionally.
+
+We could make the flush_work depend on whether we found a table to delete
+in nf-next to avoid the flush for most cases.
+
+AFAICS this problem is only exposed in nf-next, with
+commit e169285f8c56 ("netfilter: nf_tables: do not store nft_ctx in transaction objects"),
+with this commit applied there is an unconditional fetch of
+table->family which is whats triggering the above splat.
+
+Fixes: 2c9f0293280e ("netfilter: nf_tables: flush pending destroy work before netlink notifier")
+Reported-and-tested-by: syzbot+4fd66a69358fc15ae2ad@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=4fd66a69358fc15ae2ad
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index faa77b031d1f3..0f77ba3306c23 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -11479,8 +11479,7 @@ static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
+
+ gc_seq = nft_gc_seq_begin(nft_net);
+
+- if (!list_empty(&nf_tables_destroy_list))
+- nf_tables_trans_destroy_flush_work();
++ nf_tables_trans_destroy_flush_work();
+ again:
+ list_for_each_entry(table, &nft_net->tables, list) {
+ if (nft_table_has_owner(table) &&
+--
+2.43.0
+
--- /dev/null
+From ea5b22cf1a46fadc3313a7c4c09196ec3a08deaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jun 2024 10:33:16 +0800
+Subject: riscv: kexec: Avoid deadlock in kexec crash path
+
+From: Song Shuai <songshuaishuai@tinylab.org>
+
+[ Upstream commit c562ba719df570c986caf0941fea2449150bcbc4 ]
+
+If the kexec crash code is called in the interrupt context, the
+machine_kexec_mask_interrupts() function will trigger a deadlock while
+trying to acquire the irqdesc spinlock and then deactivate irqchip in
+irq_set_irqchip_state() function.
+
+Unlike arm64, riscv only requires irq_eoi handler to complete EOI and
+keeping irq_set_irqchip_state() will only leave this possible deadlock
+without any use. So we simply remove it.
+
+Link: https://lore.kernel.org/linux-riscv/20231208111015.173237-1-songshuaishuai@tinylab.org/
+Fixes: b17d19a5314a ("riscv: kexec: Fixup irq controller broken in kexec crash path")
+Signed-off-by: Song Shuai <songshuaishuai@tinylab.org>
+Reviewed-by: Ryo Takakura <takakura@valinux.co.jp>
+Link: https://lore.kernel.org/r/20240626023316.539971-1-songshuaishuai@tinylab.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/machine_kexec.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/arch/riscv/kernel/machine_kexec.c b/arch/riscv/kernel/machine_kexec.c
+index ed9cad20c039d..3c830a6f7ef46 100644
+--- a/arch/riscv/kernel/machine_kexec.c
++++ b/arch/riscv/kernel/machine_kexec.c
+@@ -121,20 +121,12 @@ static void machine_kexec_mask_interrupts(void)
+
+ for_each_irq_desc(i, desc) {
+ struct irq_chip *chip;
+- int ret;
+
+ chip = irq_desc_get_chip(desc);
+ if (!chip)
+ continue;
+
+- /*
+- * First try to remove the active state. If this
+- * fails, try to EOI the interrupt.
+- */
+- ret = irq_set_irqchip_state(i, IRQCHIP_STATE_ACTIVE, false);
+-
+- if (ret && irqd_irq_inprogress(&desc->irq_data) &&
+- chip->irq_eoi)
++ if (chip->irq_eoi && irqd_irq_inprogress(&desc->irq_data))
+ chip->irq_eoi(&desc->irq_data);
+
+ if (chip->irq_mask)
+--
+2.43.0
+
--- /dev/null
+From 6053cf6495ee91d257571ab27549c1e277d3c62d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Jun 2024 18:37:38 +0200
+Subject: s390/vfio_ccw: Fix target addresses of TIC CCWs
+
+From: Eric Farman <farman@linux.ibm.com>
+
+[ Upstream commit 2ae157ec497d93c639a60e730e21ec9c66fa9a6e ]
+
+The processing of a Transfer-In-Channel (TIC) CCW requires locating
+the target of the CCW in the channel program, and updating the
+address to reflect what will actually be sent to hardware.
+
+An error exists where the 64-bit virtual address is truncated to
+32-bits (variable "cda") when performing this math. Since s390
+addresses of that size are 31-bits, this leaves that additional
+bit enabled such that the resulting I/O triggers a channel
+program check. This shows up occasionally when booting a KVM
+guest from a passthrough DASD device:
+
+ ..snip...
+ Interrupt Response Block Data:
+ : 0x0000000000003990
+ Function Ctrl : [Start]
+ Activity Ctrl :
+ Status Ctrl : [Alert] [Primary] [Secondary] [Status-Pending]
+ Device Status :
+ Channel Status : [Program-Check]
+ cpa=: 0x00000000008d0018
+ prev_ccw=: 0x0000000000000000
+ this_ccw=: 0x0000000000000000
+ ...snip...
+ dasd-ipl: Failed to run IPL1 channel program
+
+The channel program address of "0x008d0018" in the IRB doesn't
+look wrong, but tracing the CCWs shows the offending bit enabled:
+
+ ccw=0x0000012e808d0000 cda=00a0b030
+ ccw=0x0000012e808d0008 cda=00a0b038
+ ccw=0x0000012e808d0010 cda=808d0008
+ ccw=0x0000012e808d0018 cda=00a0b040
+
+Fix the calculation of the TIC CCW's data address such that it points
+to a valid 31-bit address regardless of the input address.
+
+Fixes: bd36cfbbb9e1 ("s390/vfio_ccw_cp: use new address translation helpers")
+Signed-off-by: Eric Farman <farman@linux.ibm.com>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Link: https://lore.kernel.org/r/20240628163738.3643513-1-farman@linux.ibm.com
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/cio/vfio_ccw_cp.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/s390/cio/vfio_ccw_cp.c b/drivers/s390/cio/vfio_ccw_cp.c
+index 6e5c508b1e07c..5f6e102256276 100644
+--- a/drivers/s390/cio/vfio_ccw_cp.c
++++ b/drivers/s390/cio/vfio_ccw_cp.c
+@@ -490,13 +490,14 @@ static int ccwchain_fetch_tic(struct ccw1 *ccw,
+ struct channel_program *cp)
+ {
+ struct ccwchain *iter;
+- u32 cda, ccw_head;
++ u32 offset, ccw_head;
+
+ list_for_each_entry(iter, &cp->ccwchain_list, next) {
+ ccw_head = iter->ch_iova;
+ if (is_cpa_within_range(ccw->cda, ccw_head, iter->ch_len)) {
+- cda = (u64)iter->ch_ccw + dma32_to_u32(ccw->cda) - ccw_head;
+- ccw->cda = u32_to_dma32(cda);
++ /* Calculate offset of TIC target */
++ offset = dma32_to_u32(ccw->cda) - ccw_head;
++ ccw->cda = virt_to_dma32((void *)iter->ch_ccw + offset);
+ return 0;
+ }
+ }
+@@ -914,7 +915,7 @@ void cp_update_scsw(struct channel_program *cp, union scsw *scsw)
+ * in the ioctl directly. Path status changes etc.
+ */
+ list_for_each_entry(chain, &cp->ccwchain_list, next) {
+- ccw_head = (u32)(u64)chain->ch_ccw;
++ ccw_head = dma32_to_u32(virt_to_dma32(chain->ch_ccw));
+ /*
+ * On successful execution, cpa points just beyond the end
+ * of the chain.
+--
+2.43.0
+
--- /dev/null
+From a18fb48558b7e9fb7d091ee225b367b828f3eed2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jul 2024 22:53:48 +0000
+Subject: selftests: fix OOM in msg_zerocopy selftest
+
+From: Zijian Zhang <zijianzhang@bytedance.com>
+
+[ Upstream commit af2b7e5b741aaae9ffbba2c660def434e07aa241 ]
+
+In selftests/net/msg_zerocopy.c, it has a while loop keeps calling sendmsg
+on a socket with MSG_ZEROCOPY flag, and it will recv the notifications
+until the socket is not writable. Typically, it will start the receiving
+process after around 30+ sendmsgs. However, as the introduction of commit
+dfa2f0483360 ("tcp: get rid of sysctl_tcp_adv_win_scale"), the sender is
+always writable and does not get any chance to run recv notifications.
+The selftest always exits with OUT_OF_MEMORY because the memory used by
+opt_skb exceeds the net.core.optmem_max. Meanwhile, it could be set to a
+different value to trigger OOM on older kernels too.
+
+Thus, we introduce "cfg_notification_limit" to force sender to receive
+notifications after some number of sendmsgs.
+
+Fixes: 07b65c5b31ce ("test: add msg_zerocopy test")
+Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com>
+Signed-off-by: Xiaochun Lu <xiaochun.lu@bytedance.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20240701225349.3395580-2-zijianzhang@bytedance.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/msg_zerocopy.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/msg_zerocopy.c b/tools/testing/selftests/net/msg_zerocopy.c
+index bdc03a2097e85..926556febc83c 100644
+--- a/tools/testing/selftests/net/msg_zerocopy.c
++++ b/tools/testing/selftests/net/msg_zerocopy.c
+@@ -85,6 +85,7 @@ static bool cfg_rx;
+ static int cfg_runtime_ms = 4200;
+ static int cfg_verbose;
+ static int cfg_waittime_ms = 500;
++static int cfg_notification_limit = 32;
+ static bool cfg_zerocopy;
+
+ static socklen_t cfg_alen;
+@@ -95,6 +96,7 @@ static char payload[IP_MAXPACKET];
+ static long packets, bytes, completions, expected_completions;
+ static int zerocopied = -1;
+ static uint32_t next_completion;
++static uint32_t sends_since_notify;
+
+ static unsigned long gettimeofday_ms(void)
+ {
+@@ -208,6 +210,7 @@ static bool do_sendmsg(int fd, struct msghdr *msg, bool do_zerocopy, int domain)
+ error(1, errno, "send");
+ if (cfg_verbose && ret != len)
+ fprintf(stderr, "send: ret=%u != %u\n", ret, len);
++ sends_since_notify++;
+
+ if (len) {
+ packets++;
+@@ -460,6 +463,7 @@ static bool do_recv_completion(int fd, int domain)
+ static void do_recv_completions(int fd, int domain)
+ {
+ while (do_recv_completion(fd, domain)) {}
++ sends_since_notify = 0;
+ }
+
+ /* Wait for all remaining completions on the errqueue */
+@@ -549,6 +553,9 @@ static void do_tx(int domain, int type, int protocol)
+ else
+ do_sendmsg(fd, &msg, cfg_zerocopy, domain);
+
++ if (cfg_zerocopy && sends_since_notify >= cfg_notification_limit)
++ do_recv_completions(fd, domain);
++
+ while (!do_poll(fd, POLLOUT)) {
+ if (cfg_zerocopy)
+ do_recv_completions(fd, domain);
+@@ -708,7 +715,7 @@ static void parse_opts(int argc, char **argv)
+
+ cfg_payload_len = max_payload_len;
+
+- while ((c = getopt(argc, argv, "46c:C:D:i:mp:rs:S:t:vz")) != -1) {
++ while ((c = getopt(argc, argv, "46c:C:D:i:l:mp:rs:S:t:vz")) != -1) {
+ switch (c) {
+ case '4':
+ if (cfg_family != PF_UNSPEC)
+@@ -736,6 +743,9 @@ static void parse_opts(int argc, char **argv)
+ if (cfg_ifindex == 0)
+ error(1, errno, "invalid iface: %s", optarg);
+ break;
++ case 'l':
++ cfg_notification_limit = strtoul(optarg, NULL, 0);
++ break;
+ case 'm':
+ cfg_cork_mixed = true;
+ break;
+--
+2.43.0
+
--- /dev/null
+From 2d9ab75894a8143bfb609e03035b7c8d6315ef0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jul 2024 22:53:49 +0000
+Subject: selftests: make order checking verbose in msg_zerocopy selftest
+
+From: Zijian Zhang <zijianzhang@bytedance.com>
+
+[ Upstream commit 7d6d8f0c8b700c9493f2839abccb6d29028b4219 ]
+
+We find that when lock debugging is on, notifications may not come in
+order. Thus, we have order checking outputs managed by cfg_verbose, to
+avoid too many outputs in this case.
+
+Fixes: 07b65c5b31ce ("test: add msg_zerocopy test")
+Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com>
+Signed-off-by: Xiaochun Lu <xiaochun.lu@bytedance.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20240701225349.3395580-3-zijianzhang@bytedance.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/msg_zerocopy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/msg_zerocopy.c b/tools/testing/selftests/net/msg_zerocopy.c
+index 926556febc83c..7ea5fb28c93db 100644
+--- a/tools/testing/selftests/net/msg_zerocopy.c
++++ b/tools/testing/selftests/net/msg_zerocopy.c
+@@ -438,7 +438,7 @@ static bool do_recv_completion(int fd, int domain)
+ /* Detect notification gaps. These should not happen often, if at all.
+ * Gaps can occur due to drops, reordering and retransmissions.
+ */
+- if (lo != next_completion)
++ if (cfg_verbose && lo != next_completion)
+ fprintf(stderr, "gap: %u..%u does not append to %u\n",
+ lo, hi, next_completion);
+ next_completion = hi + 1;
+--
+2.43.0
+
vhost-release-worker-mutex-during-flushes.patch
vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch
virtio-pci-check-if-is_avq-is-null.patch
+mac802154-fix-time-calculation-in-ieee802154_configu.patch
+wifi-cfg80211-restrict-nl80211_attr_txq_quantum-valu.patch
+net-phy-phy_device-fix-phy-led-blinking-code-comment.patch
+wifi-mac80211-fix-bss_changed_unsol_bcast_probe_resp.patch
+upstream-tcp-fix-dsack-undo-in-fast-recovery-to-call.patch
+net-mlx5-e-switch-create-ingress-acl-when-needed.patch
+net-mlx5e-add-mqprio_rl-cleanup-and-free-in-mlx5e_pr.patch
+net-mlx5e-present-succeeded-ipsec-sa-bytes-and-packe.patch
+net-mlx5e-approximate-ipsec-per-sa-payload-data-byte.patch
+bluetooth-hci_event-fix-setting-of-unicast-qos-inter.patch
+bluetooth-ignore-too-large-handle-values-in-big.patch
+bluetooth-iso-check-socket-flag-instead-of-hcon.patch
+bluetooth-hci-disallow-setting-handle-bigger-than-hc.patch
+tcp_metrics-validate-source-addr-length.patch
+kvm-s390-fix-lpswey-handling.patch
+e1000e-fix-s0ix-residency-on-corporate-systems.patch
+gpiolib-of-fix-lookup-quirk-for-mips-lantiq.patch
+net-allow-skb_datagram_iter-to-be-called-from-any-co.patch
+net-txgbe-initialize-num_q_vectors-for-msi-intx-inte.patch
+net-txgbe-remove-separate-irq-request-for-msi-and-in.patch
+net-txgbe-add-extra-handle-for-msi-intx-into-thread-.patch
+net-txgbe-free-isb-resources-at-the-right-time.patch
+btrfs-always-do-the-basic-checks-for-btrfs_qgroup_in.patch
+net-phy-aquantia-add-missing-include-guards.patch
+net-ntb_netdev-move-ntb_netdev_rx_handler-to-call-ne.patch
+drm-fbdev-generic-fix-framebuffer-on-big-endian-devi.patch
+net-stmmac-enable-hw-accelerated-vlan-stripping-for-.patch
+s390-vfio_ccw-fix-target-addresses-of-tic-ccws.patch
+gpio-mmio-do-not-calculate-bgpio_bits-via-ngpios.patch
+wifi-wilc1000-fix-ies_len-type-in-connect-path.patch
+riscv-kexec-avoid-deadlock-in-kexec-crash-path.patch
+netfilter-nf_tables-unconditionally-flush-pending-wo.patch
+net-rswitch-avoid-use-after-free-in-rswitch_poll.patch
+bonding-fix-out-of-bounds-read-in-bond_option_arp_ip.patch
+ice-fix-improper-extts-handling.patch
+ice-don-t-process-extts-if-ptp-is-disabled.patch
+ice-reject-pin-requests-with-unsupported-flags.patch
+ice-use-proper-macro-for-testing-bit.patch
+selftests-fix-oom-in-msg_zerocopy-selftest.patch
+selftests-make-order-checking-verbose-in-msg_zerocop.patch
+drm-xe-mcr-avoid-clobbering-dss-steering.patch
+tcp-don-t-flag-tcp_sk-sk-rx_opt.saw_unknown-for-tcp-.patch
+inet_diag-initialize-pad-field-in-struct-inet_diag_r.patch
+mlxsw-core_linecards-fix-double-memory-deallocation-.patch
+bnxt_en-fix-the-resource-check-condition-for-rss-con.patch
+gpiolib-of-add-polarity-quirk-for-tsc2005.patch
--- /dev/null
+From 9261800398d0d019e1665d789d6b1007b20ebcfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 20:35:08 -0700
+Subject: tcp: Don't flag tcp_sk(sk)->rx_opt.saw_unknown for TCP AO.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 4b74726c01b7a0b5e1029e1e9247fd81590da726 ]
+
+When we process segments with TCP AO, we don't check it in
+tcp_parse_options(). Thus, opt_rx->saw_unknown is set to 1,
+which unconditionally triggers the BPF TCP option parser.
+
+Let's avoid the unnecessary BPF invocation.
+
+Fixes: 0a3a809089eb ("net/tcp: Verify inbound TCP-AO signed segments")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Dmitry Safonov <0x7f454c46@gmail.com>
+Link: https://patch.msgid.link/20240703033508.6321-1-kuniyu@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 77109976fe836..7b692bcb61d4a 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -4220,6 +4220,13 @@ void tcp_parse_options(const struct net *net,
+ * checked (see tcp_v{4,6}_rcv()).
+ */
+ break;
++#endif
++#ifdef CONFIG_TCP_AO
++ case TCPOPT_AO:
++ /* TCP AO has already been checked
++ * (see tcp_inbound_ao_hash()).
++ */
++ break;
+ #endif
+ case TCPOPT_FASTOPEN:
+ tcp_parse_fastopen_option(
+--
+2.43.0
+
--- /dev/null
+From 829e92a99951e4d6e6892334090178fde457968d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jun 2024 14:25:00 -0700
+Subject: tcp_metrics: validate source addr length
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 66be40e622e177316ae81717aa30057ba9e61dff ]
+
+I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4
+is at least 4 bytes long, and the policy doesn't have an entry
+for this attribute at all (neither does it for IPv6 but v6 is
+manually validated).
+
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Fixes: 3e7013ddf55a ("tcp: metrics: Allow selective get/del of tcp-metrics based on src IP")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_metrics.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
+index c2a925538542b..e0883ba709b0b 100644
+--- a/net/ipv4/tcp_metrics.c
++++ b/net/ipv4/tcp_metrics.c
+@@ -619,6 +619,7 @@ static const struct nla_policy tcp_metrics_nl_policy[TCP_METRICS_ATTR_MAX + 1] =
+ [TCP_METRICS_ATTR_ADDR_IPV4] = { .type = NLA_U32, },
+ [TCP_METRICS_ATTR_ADDR_IPV6] = { .type = NLA_BINARY,
+ .len = sizeof(struct in6_addr), },
++ [TCP_METRICS_ATTR_SADDR_IPV4] = { .type = NLA_U32, },
+ /* Following attributes are not received for GET/DEL,
+ * we keep them for reference
+ */
+--
+2.43.0
+
--- /dev/null
+From 43c969b8d719be99eea3ee05dcfa357ac7bd866a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jun 2024 22:42:27 -0400
+Subject: UPSTREAM: tcp: fix DSACK undo in fast recovery to call
+ tcp_try_to_open()
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit a6458ab7fd4f427d4f6f54380453ad255b7fde83 ]
+
+In some production workloads we noticed that connections could
+sometimes close extremely prematurely with ETIMEDOUT after
+transmitting only 1 TLP and RTO retransmission (when we would normally
+expect roughly tcp_retries2 = TCP_RETR2 = 15 RTOs before a connection
+closes with ETIMEDOUT).
+
+From tracing we determined that these workloads can suffer from a
+scenario where in fast recovery, after some retransmits, a DSACK undo
+can happen at a point where the scoreboard is totally clear (we have
+retrans_out == sacked_out == lost_out == 0). In such cases, calling
+tcp_try_keep_open() means that we do not execute any code path that
+clears tp->retrans_stamp to 0. That means that tp->retrans_stamp can
+remain erroneously set to the start time of the undone fast recovery,
+even after the fast recovery is undone. If minutes or hours elapse,
+and then a TLP/RTO/RTO sequence occurs, then the start_ts value in
+retransmits_timed_out() (which is from tp->retrans_stamp) will be
+erroneously ancient (left over from the fast recovery undone via
+DSACKs). Thus this ancient tp->retrans_stamp value can cause the
+connection to die very prematurely with ETIMEDOUT via
+tcp_write_err().
+
+The fix: we change DSACK undo in fast recovery (TCP_CA_Recovery) to
+call tcp_try_to_open() instead of tcp_try_keep_open(). This ensures
+that if no retransmits are in flight at the time of DSACK undo in fast
+recovery then we properly zero retrans_stamp. Note that calling
+tcp_try_to_open() is more consistent with other loss recovery
+behavior, since normal fast recovery (CA_Recovery) and RTO recovery
+(CA_Loss) both normally end when tp->snd_una meets or exceeds
+tp->high_seq and then in tcp_fastretrans_alert() the "default" switch
+case executes tcp_try_to_open(). Also note that by inspection this
+change to call tcp_try_to_open() implies at least one other nice bug
+fix, where now an ECE-marked DSACK that causes an undo will properly
+invoke tcp_enter_cwr() rather than ignoring the ECE mark.
+
+Fixes: c7d9d6a185a7 ("tcp: undo on DSACK during recovery")
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 0953c915bb4de..77109976fe836 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3074,7 +3074,7 @@ static void tcp_fastretrans_alert(struct sock *sk, const u32 prior_snd_una,
+ return;
+
+ if (tcp_try_undo_dsack(sk))
+- tcp_try_keep_open(sk);
++ tcp_try_to_open(sk, flag);
+
+ tcp_identify_packet_loss(sk, ack_flag);
+ if (icsk->icsk_ca_state != TCP_CA_Recovery) {
+--
+2.43.0
+
--- /dev/null
+From 98fde3a08d82d88ea7185c71d61b9eed3d881789 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Jun 2024 16:08:00 +0000
+Subject: wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d1cba2ea8121e7fdbe1328cea782876b1dd80993 ]
+
+syzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM
+to 2^31.
+
+We had a similar issue in sch_fq, fixed with commit
+d9e15a273306 ("pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM")
+
+watchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24]
+Modules linked in:
+irq event stamp: 131135
+ hardirqs last enabled at (131134): [<ffff80008ae8778c>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]
+ hardirqs last enabled at (131134): [<ffff80008ae8778c>] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95
+ hardirqs last disabled at (131135): [<ffff80008ae85378>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
+ hardirqs last disabled at (131135): [<ffff80008ae85378>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
+ softirqs last enabled at (125892): [<ffff80008907e82c>] neigh_hh_init net/core/neighbour.c:1538 [inline]
+ softirqs last enabled at (125892): [<ffff80008907e82c>] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553
+ softirqs last disabled at (125896): [<ffff80008904166c>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
+CPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
+Workqueue: mld mld_ifc_work
+pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : __list_del include/linux/list.h:195 [inline]
+ pc : __list_del_entry include/linux/list.h:218 [inline]
+ pc : list_move_tail include/linux/list.h:310 [inline]
+ pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline]
+ pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854
+ lr : __list_del_entry include/linux/list.h:218 [inline]
+ lr : list_move_tail include/linux/list.h:310 [inline]
+ lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline]
+ lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854
+sp : ffff800093d36700
+x29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000
+x26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0
+x23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0
+x20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0
+x17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8
+x14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff
+x11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000
+x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
+x5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc
+x2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470
+Call trace:
+ __list_del include/linux/list.h:195 [inline]
+ __list_del_entry include/linux/list.h:218 [inline]
+ list_move_tail include/linux/list.h:310 [inline]
+ fq_tin_dequeue include/net/fq_impl.h:112 [inline]
+ ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854
+ wake_tx_push_queue net/mac80211/util.c:294 [inline]
+ ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315
+ drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline]
+ schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline]
+ ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664
+ ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966
+ ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062
+ __ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338
+ ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532
+ __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4917 [inline]
+ xmit_one net/core/dev.c:3531 [inline]
+ dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547
+ __dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341
+ dev_queue_xmit include/linux/netdevice.h:3091 [inline]
+ neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563
+ neigh_output include/net/neighbour.h:542 [inline]
+ ip6_finish_output2+0x104c/0x1ee8 net/ipv6/ip6_output.c:137
+ ip6_finish_output+0x428/0x7a0 net/ipv6/ip6_output.c:222
+ NF_HOOK_COND include/linux/netfilter.h:303 [inline]
+ ip6_output+0x270/0x594 net/ipv6/ip6_output.c:243
+ dst_output include/net/dst.h:450 [inline]
+ NF_HOOK+0x160/0x4f0 include/linux/netfilter.h:314
+ mld_sendpack+0x7b4/0x10f4 net/ipv6/mcast.c:1818
+ mld_send_cr net/ipv6/mcast.c:2119 [inline]
+ mld_ifc_work+0x840/0xd0c net/ipv6/mcast.c:2650
+ process_one_work+0x7b8/0x15d4 kernel/workqueue.c:3267
+ process_scheduled_works kernel/workqueue.c:3348 [inline]
+ worker_thread+0x938/0xef4 kernel/workqueue.c:3429
+ kthread+0x288/0x310 kernel/kthread.c:388
+ ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
+
+Fixes: 52539ca89f36 ("cfg80211: Expose TXQ stats and parameters to userspace")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20240615160800.250667-1-edumazet@google.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 65c416e8d25eb..c9866db2ea468 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -468,6 +468,10 @@ static const struct netlink_range_validation nl80211_punct_bitmap_range = {
+ .max = 0xffff,
+ };
+
++static const struct netlink_range_validation q_range = {
++ .max = INT_MAX,
++};
++
+ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
+ [0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
+ [NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
+@@ -754,7 +758,7 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
+
+ [NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
+ [NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
+- [NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
++ [NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
+ [NL80211_ATTR_HE_CAPABILITY] =
+ NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
+ NL80211_HE_MAX_CAPABILITY_LEN),
+--
+2.43.0
+
--- /dev/null
+From 8ab8e923a7745a8f7c37d1038e10e2df02182c2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jun 2024 10:42:56 +0200
+Subject: wifi: mac80211: fix BSS_CHANGED_UNSOL_BCAST_PROBE_RESP
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 816c6bec09ed5b90a58a1e12d5a606c5b6e23f47 ]
+
+Fix the definition of BSS_CHANGED_UNSOL_BCAST_PROBE_RESP so that
+not all higher bits get set, 1<<31 is a signed variable, so when
+we do
+
+ u64 changed = BSS_CHANGED_UNSOL_BCAST_PROBE_RESP;
+
+we get sign expansion, so the value is 0xffff'ffff'8000'0000 and
+that's clearly not desired. Use BIT_ULL() to make it unsigned as
+well as the right type for the change flags.
+
+Fixes: 178e9d6adc43 ("wifi: mac80211: fix unsolicited broadcast probe config")
+Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20240627104257.06174d291db2.Iba0d642916eb78a61f8ab2cc5ca9280783d9c1db@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/mac80211.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/mac80211.h b/include/net/mac80211.h
+index 2d7f87bc5324b..baaff7bc09119 100644
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -395,7 +395,7 @@ enum ieee80211_bss_change {
+ BSS_CHANGED_HE_OBSS_PD = 1<<28,
+ BSS_CHANGED_HE_BSS_COLOR = 1<<29,
+ BSS_CHANGED_FILS_DISCOVERY = 1<<30,
+- BSS_CHANGED_UNSOL_BCAST_PROBE_RESP = 1<<31,
++ BSS_CHANGED_UNSOL_BCAST_PROBE_RESP = BIT_ULL(31),
+ BSS_CHANGED_MLD_VALID_LINKS = BIT_ULL(33),
+ BSS_CHANGED_MLD_TTLM = BIT_ULL(34),
+
+--
+2.43.0
+
--- /dev/null
+From 6d7c0f8d78d03a323af6a014ba4fa251b7f26c22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jul 2024 18:23:20 +0200
+Subject: wifi: wilc1000: fix ies_len type in connect path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jozef Hopko <jozef.hopko@altana.com>
+
+[ Upstream commit 39ab8fff623053a50951b659e5f6b72343d7d78c ]
+
+Commit 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path")
+made sure that the IEs data was manipulated under the relevant RCU section.
+Unfortunately, while doing so, the commit brought a faulty implicit cast
+from int to u8 on the ies_len variable, making the parsing fail to be
+performed correctly if the IEs block is larger than 255 bytes. This failure
+can be observed with Access Points appending a lot of IEs TLVs in their
+beacon frames (reproduced with a Pixel phone acting as an Access Point,
+which brough 273 bytes of IE data in my testing environment).
+
+Fix IEs parsing by removing this undesired implicit cast.
+
+Fixes: 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path")
+Signed-off-by: Jozef Hopko <jozef.hopko@altana.com>
+Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
+Acked-by: Ajay Singh <ajay.kathat@microchip.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20240701-wilc_fix_ies_data-v1-1-7486cbacf98a@bootlin.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/microchip/wilc1000/hif.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/microchip/wilc1000/hif.c b/drivers/net/wireless/microchip/wilc1000/hif.c
+index f1085ccb7eedc..7719e4f3e2a23 100644
+--- a/drivers/net/wireless/microchip/wilc1000/hif.c
++++ b/drivers/net/wireless/microchip/wilc1000/hif.c
+@@ -382,7 +382,8 @@ wilc_parse_join_bss_param(struct cfg80211_bss *bss,
+ struct ieee80211_p2p_noa_attr noa_attr;
+ const struct cfg80211_bss_ies *ies;
+ struct wilc_join_bss_param *param;
+- u8 rates_len = 0, ies_len;
++ u8 rates_len = 0;
++ int ies_len;
+ int ret;
+
+ param = kzalloc(sizeof(*param), GFP_KERNEL);
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
