--- /dev/null
+From 292eb4690f4907348ecfd5084d4bc8e873351b88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 15:15:02 +0000
+Subject: afs: Fix dynamic root lookup DNS check
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 74cef6872ceaefb5b6c5c60641371ea28702d358 ]
+
+In the afs dynamic root directory, the ->lookup() function does a DNS check
+on the cell being asked for and if the DNS upcall reports an error it will
+report an error back to userspace (typically ENOENT).
+
+However, if a failed DNS upcall returns a new-style result, it will return
+a valid result, with the status field set appropriately to indicate the
+type of failure - and in that case, dns_query() doesn't return an error and
+we let stat() complete with no error - which can cause confusion in
+userspace as subsequent calls that trigger d_automount then fail with
+ENOENT.
+
+Fix this by checking the status result from a valid dns_query() and
+returning an error if it indicates a failure.
+
+Fixes: bbb4c4323a4d ("dns: Allow the dns resolver to retrieve a server set")
+Reported-by: Markus Suvanto <markus.suvanto@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216637
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Markus Suvanto <markus.suvanto@gmail.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dynroot.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
+index cec7d8e5ad0c9..10905a53d5b27 100644
+--- a/fs/afs/dynroot.c
++++ b/fs/afs/dynroot.c
+@@ -114,6 +114,7 @@ static int afs_probe_cell_name(struct dentry *dentry)
+ struct afs_net *net = afs_d2net(dentry);
+ const char *name = dentry->d_name.name;
+ size_t len = dentry->d_name.len;
++ char *result = NULL;
+ int ret;
+
+ /* Names prefixed with a dot are R/W mounts. */
+@@ -131,9 +132,22 @@ static int afs_probe_cell_name(struct dentry *dentry)
+ }
+
+ ret = dns_query(net->net, "afsdb", name, len, "srv=1",
+- NULL, NULL, false);
+- if (ret == -ENODATA || ret == -ENOKEY)
++ &result, NULL, false);
++ if (ret == -ENODATA || ret == -ENOKEY || ret == 0)
+ ret = -ENOENT;
++ if (ret > 0 && ret >= sizeof(struct dns_server_list_v1_header)) {
++ struct dns_server_list_v1_header *v1 = (void *)result;
++
++ if (v1->hdr.zero == 0 &&
++ v1->hdr.content == DNS_PAYLOAD_IS_SERVER_LIST &&
++ v1->hdr.version == 1 &&
++ (v1->status != DNS_LOOKUP_GOOD &&
++ v1->status != DNS_LOOKUP_GOOD_WITH_BAD))
++ return -ENOENT;
++
++ }
++
++ kfree(result);
+ return ret;
+ }
+
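Review bot: The `return -ENOENT;` inside the new status check exits afs_probe_cell_name() without reaching `kfree(result)`, so the buffer that dns_query() hands back through `&result` appears to be leaked whenever the v1 status reports a failed lookup. This path is reached from a dynamic-root lookup of a name chosen by userspace, so repeated lookups of cells that fail to resolve would leak kernel memory each time. Assigning instead of returning, `ret = -ENOENT;`, lets the function fall through to the existing `kfree(result); return ret;`. The function begins above this hunk.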
+--
+2.43.0
+
--- /dev/null
+From 7f321cd1157bb104913d03084067077f94a57850 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Dec 2023 15:09:31 +0000
+Subject: afs: Fix overwriting of result of DNS query
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit a9e01ac8c5ff32669119c40dfdc9e80eb0b7d7aa ]
+
+In afs_update_cell(), ret is the result of the DNS lookup and the errors
+are to be handled by a switch - however, the value gets clobbered in
+between by setting it to -ENOMEM in case afs_alloc_vlserver_list()
+fails.
+
+Fix this by moving the setting of -ENOMEM into the error handling for
+OOM failure. Further, only do it if we don't have an alternative error
+to return.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE. Based
+on a patch from Anastasia Belova [1].
+
+Fixes: d5c32c89b208 ("afs: Fix cell DNS lookup")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+cc: Anastasia Belova <abelova@astralinux.ru>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+cc: lvc-project@linuxtesting.org
+Link: https://lore.kernel.org/r/20231221085849.1463-1-abelova@astralinux.ru/ [1]
+Link: https://lore.kernel.org/r/1700862.1703168632@warthog.procyon.org.uk/ # v1
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/cell.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/afs/cell.c b/fs/afs/cell.c
+index 988c2ac7cecec..926cb1188eba6 100644
+--- a/fs/afs/cell.c
++++ b/fs/afs/cell.c
+@@ -409,10 +409,12 @@ static int afs_update_cell(struct afs_cell *cell)
+ if (ret == -ENOMEM)
+ goto out_wake;
+
+- ret = -ENOMEM;
+ vllist = afs_alloc_vlserver_list(0);
+- if (!vllist)
++ if (!vllist) {
++ if (ret >= 0)
++ ret = -ENOMEM;
+ goto out_wake;
++ }
+
+ switch (ret) {
+ case -ENODATA:
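Review bot: The `if (ret >= 0)` guard in the new `!vllist` branch is easy to misread as redundant, because the reason for it is only in the commit message: ret still holds the DNS lookup result that the `switch (ret)` below dispatches on. A comment such as `/* Keep a DNS lookup error if there is one; report -ENOMEM only when the lookup itself succeeded. */` would make that explicit. afs_update_cell() begins and ends outside this hunk.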
+--
+2.43.0
+
--- /dev/null
+From cc461f90de18a6541d11e5af5ec97e4397b8de8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 15:08:57 +0000
+Subject: afs: Fix the dynamic root's d_delete to always delete unused dentries
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 71f8b55bc30e82d6355e07811213d847981a32e2 ]
+
+Fix the afs dynamic root's d_delete function to always delete unused
+dentries rather than only deleting them if they're positive. With things
+as they stand upstream, negative dentries stemming from failed DNS lookups
+stick around preventing retries.
+
+Fixes: 66c7e1d319a5 ("afs: Split the dynroot stuff out and give it its own ops tables")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Markus Suvanto <markus.suvanto@gmail.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dynroot.c | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
+index 8081d68004d05..cec7d8e5ad0c9 100644
+--- a/fs/afs/dynroot.c
++++ b/fs/afs/dynroot.c
+@@ -252,20 +252,9 @@ static int afs_dynroot_d_revalidate(struct dentry *dentry, unsigned int flags)
+ return 1;
+ }
+
+-/*
+- * Allow the VFS to enquire as to whether a dentry should be unhashed (mustn't
+- * sleep)
+- * - called from dput() when d_count is going to 0.
+- * - return 1 to request dentry be unhashed, 0 otherwise
+- */
+-static int afs_dynroot_d_delete(const struct dentry *dentry)
+-{
+- return d_really_is_positive(dentry);
+-}
+-
+ const struct dentry_operations afs_dynroot_dentry_operations = {
+ .d_revalidate = afs_dynroot_d_revalidate,
+- .d_delete = afs_dynroot_d_delete,
++ .d_delete = always_delete_dentry,
+ .d_release = afs_d_release,
+ .d_automount = afs_d_automount,
+ };
+--
+2.43.0
+
--- /dev/null
+From 512a0275b4f301b3d4e8123fe97cb82e702cf1ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Dec 2023 13:57:31 +0000
+Subject: afs: Fix use-after-free due to get/remove race in volume tree
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 9a6b294ab496650e9f270123730df37030911b55 ]
+
+When an afs_volume struct is put, its refcount is reduced to 0 before
+the cell->volume_lock is taken and the volume removed from the
+cell->volumes tree.
+
+Unfortunately, this means that the lookup code can race and see a volume
+with a zero ref in the tree, resulting in a use-after-free:
+
+ refcount_t: addition on 0; use-after-free.
+ WARNING: CPU: 3 PID: 130782 at lib/refcount.c:25 refcount_warn_saturate+0x7a/0xda
+ ...
+ RIP: 0010:refcount_warn_saturate+0x7a/0xda
+ ...
+ Call Trace:
+ afs_get_volume+0x3d/0x55
+ afs_create_volume+0x126/0x1de
+ afs_validate_fc+0xfe/0x130
+ afs_get_tree+0x20/0x2e5
+ vfs_get_tree+0x1d/0xc9
+ do_new_mount+0x13b/0x22e
+ do_mount+0x5d/0x8a
+ __do_sys_mount+0x100/0x12a
+ do_syscall_64+0x3a/0x94
+ entry_SYSCALL_64_after_hwframe+0x62/0x6a
+
+Fix this by:
+
+ (1) When putting, use a flag to indicate if the volume has been removed
+ from the tree and skip the rb_erase if it has.
+
+ (2) When looking up, use a conditional ref increment and if it fails
+ because the refcount is 0, replace the node in the tree and set the
+ removal flag.
+
+Fixes: 20325960f875 ("afs: Reorganise volume and server trees to be rooted on the cell")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/internal.h | 2 ++
+ fs/afs/volume.c | 26 +++++++++++++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/fs/afs/internal.h b/fs/afs/internal.h
+index 5041eae64423a..c4bf8439bc9c9 100644
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -586,6 +586,7 @@ struct afs_volume {
+ #define AFS_VOLUME_OFFLINE 4 /* - T if volume offline notice given */
+ #define AFS_VOLUME_BUSY 5 /* - T if volume busy notice given */
+ #define AFS_VOLUME_MAYBE_NO_IBULK 6 /* - T if some servers don't have InlineBulkStatus */
++#define AFS_VOLUME_RM_TREE 7 /* - Set if volume removed from cell->volumes */
+ #ifdef CONFIG_AFS_FSCACHE
+ struct fscache_volume *cache; /* Caching cookie */
+ #endif
+@@ -1513,6 +1514,7 @@ extern struct afs_vlserver_list *afs_extract_vlserver_list(struct afs_cell *,
+ extern struct afs_volume *afs_create_volume(struct afs_fs_context *);
+ extern int afs_activate_volume(struct afs_volume *);
+ extern void afs_deactivate_volume(struct afs_volume *);
++bool afs_try_get_volume(struct afs_volume *volume, enum afs_volume_trace reason);
+ extern struct afs_volume *afs_get_volume(struct afs_volume *, enum afs_volume_trace);
+ extern void afs_put_volume(struct afs_net *, struct afs_volume *, enum afs_volume_trace);
+ extern int afs_check_volume_status(struct afs_volume *, struct afs_operation *);
+diff --git a/fs/afs/volume.c b/fs/afs/volume.c
+index 29d483c802813..115c081a8e2ce 100644
+--- a/fs/afs/volume.c
++++ b/fs/afs/volume.c
+@@ -32,8 +32,13 @@ static struct afs_volume *afs_insert_volume_into_cell(struct afs_cell *cell,
+ } else if (p->vid > volume->vid) {
+ pp = &(*pp)->rb_right;
+ } else {
+- volume = afs_get_volume(p, afs_volume_trace_get_cell_insert);
+- goto found;
++ if (afs_try_get_volume(p, afs_volume_trace_get_cell_insert)) {
++ volume = p;
++ goto found;
++ }
++
++ set_bit(AFS_VOLUME_RM_TREE, &volume->flags);
++ rb_replace_node_rcu(&p->cell_node, &volume->cell_node, &cell->volumes);
+ }
+ }
+
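Review bot: The `set_bit(AFS_VOLUME_RM_TREE, &volume->flags)` before `rb_replace_node_rcu()` marks the volume being inserted, whereas the node that leaves the tree is `p`. With the `test_and_set_bit()` guard added to afs_remove_volume_from_cell() in the next hunk, the later removal of `p` would seem to still call `rb_erase()` on a node that is no longer linked. The new volume, meanwhile, would never be erased and could stay reachable from `cell->volumes` after it is freed. If the intent matches the commit description (flag the record that was removed from the tree), the line would read `set_bit(AFS_VOLUME_RM_TREE, &p->flags);`. The surrounding loop and the `found` label are outside this hunk, so this should be checked against the full function.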
+@@ -56,7 +61,8 @@ static void afs_remove_volume_from_cell(struct afs_volume *volume)
+ afs_volume_trace_remove);
+ write_seqlock(&cell->volume_lock);
+ hlist_del_rcu(&volume->proc_link);
+- rb_erase(&volume->cell_node, &cell->volumes);
++ if (!test_and_set_bit(AFS_VOLUME_RM_TREE, &volume->flags))
++ rb_erase(&volume->cell_node, &cell->volumes);
+ write_sequnlock(&cell->volume_lock);
+ }
+ }
+@@ -231,6 +237,20 @@ static void afs_destroy_volume(struct afs_net *net, struct afs_volume *volume)
+ _leave(" [destroyed]");
+ }
+
++/*
++ * Try to get a reference on a volume record.
++ */
++bool afs_try_get_volume(struct afs_volume *volume, enum afs_volume_trace reason)
++{
++ int r;
++
++ if (__refcount_inc_not_zero(&volume->ref, &r)) {
++ trace_afs_volume(volume->vid, r + 1, reason);
++ return true;
++ }
++ return false;
++}
++
+ /*
+ * Get a reference on a volume record.
+ */
+--
+2.43.0
+
--- /dev/null
+From 516be30019e2ff53ab35a1c395477a68bf14237f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Nov 2023 12:16:04 -0600
+Subject: ARM: dts: dra7: Fix DRA7 L3 NoC node register size
+
+From: Andrew Davis <afd@ti.com>
+
+[ Upstream commit 1e5caee2ba8f1426e8098afb4ca38dc40a0ca71b ]
+
+This node can access any part of the L3 configuration registers space,
+including CLK1 and CLK2 which are 0x800000 offset. Restore this area
+size to include these areas.
+
+Fixes: 7f2659ce657e ("ARM: dts: Move dra7 l3 noc to a separate node")
+Signed-off-by: Andrew Davis <afd@ti.com>
+Message-ID: <20231113181604.546444-1-afd@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/ti/omap/dra7.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/ti/omap/dra7.dtsi b/arch/arm/boot/dts/ti/omap/dra7.dtsi
+index 3f3e52e3b3752..6509c742fb58c 100644
+--- a/arch/arm/boot/dts/ti/omap/dra7.dtsi
++++ b/arch/arm/boot/dts/ti/omap/dra7.dtsi
+@@ -147,7 +147,7 @@
+
+ l3-noc@44000000 {
+ compatible = "ti,dra7-l3-noc";
+- reg = <0x44000000 0x1000>,
++ reg = <0x44000000 0x1000000>,
+ <0x45000000 0x1000>;
+ interrupts-extended = <&crossbar_mpu GIC_SPI 4 IRQ_TYPE_LEVEL_HIGH>,
+ <&wakeupgen GIC_SPI 10 IRQ_TYPE_LEVEL_HIGH>;
+--
+2.43.0
+
--- /dev/null
+From 7b2cb62c1ffafb62105c7d0578718c818e22f730 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Nov 2023 22:52:37 +0800
+Subject: ARM: OMAP2+: Fix null pointer dereference and memory leak in
+ omap_soc_device_init
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit c72b9c33ef9695ad7ce7a6eb39a9df8a01b70796 ]
+
+kasprintf() returns a pointer to dynamically allocated memory which can
+be NULL upon failure. When 'soc_dev_attr->family' is NULL,it'll trigger
+the null pointer dereference issue, such as in 'soc_info_show'.
+
+And when 'soc_device_register' fails, it's necessary to release
+'soc_dev_attr->family' to avoid memory leaks.
+
+Fixes: 6770b2114325 ("ARM: OMAP2+: Export SoC information to userspace")
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Message-ID: <20231123145237.609442-1-chentao@kylinos.cn>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap2/id.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm/mach-omap2/id.c b/arch/arm/mach-omap2/id.c
+index 98999aa8cc0c0..7f387706368a6 100644
+--- a/arch/arm/mach-omap2/id.c
++++ b/arch/arm/mach-omap2/id.c
+@@ -793,11 +793,16 @@ void __init omap_soc_device_init(void)
+
+ soc_dev_attr->machine = soc_name;
+ soc_dev_attr->family = omap_get_family();
++ if (!soc_dev_attr->family) {
++ kfree(soc_dev_attr);
++ return;
++ }
+ soc_dev_attr->revision = soc_rev;
+ soc_dev_attr->custom_attr_group = omap_soc_groups[0];
+
+ soc_dev = soc_device_register(soc_dev_attr);
+ if (IS_ERR(soc_dev)) {
++ kfree(soc_dev_attr->family);
+ kfree(soc_dev_attr);
+ return;
+ }
+--
+2.43.0
+
--- /dev/null
+From 43e59a1ad33fb3c80b726b5bd603ecc0bbe89063 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Oct 2023 15:40:09 +0800
+Subject: arm64: dts: allwinner: h616: update emac for Orange Pi Zero 3
+
+From: Chukun Pan <amadeus@jmu.edu.cn>
+
+[ Upstream commit b9622937d95809ef89904583191571a9fa326402 ]
+
+The current emac setting is not suitable for Orange Pi Zero 3,
+move it back to Orange Pi Zero 2 DT. Also update phy mode and
+delay values for emac on Orange Pi Zero 3.
+With these changes, Ethernet now looks stable.
+
+Fixes: 322bf103204b ("arm64: dts: allwinner: h616: Split Orange Pi Zero 2 DT")
+Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
+Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Link: https://lore.kernel.org/r/20231029074009.7820-2-amadeus@jmu.edu.cn
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero.dtsi | 3 ---
+ arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero2.dts | 3 +++
+ arch/arm64/boot/dts/allwinner/sun50i-h618-orangepi-zero3.dts | 2 ++
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero.dtsi b/arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero.dtsi
+index 15290e6892fca..fc7315b944065 100644
+--- a/arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero.dtsi
++++ b/arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero.dtsi
+@@ -68,10 +68,7 @@
+ &emac0 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&ext_rgmii_pins>;
+- phy-mode = "rgmii";
+ phy-handle = <&ext_rgmii_phy>;
+- allwinner,rx-delay-ps = <3100>;
+- allwinner,tx-delay-ps = <700>;
+ status = "okay";
+ };
+
+diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero2.dts b/arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero2.dts
+index d83852e72f063..b5d713926a341 100644
+--- a/arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero2.dts
++++ b/arch/arm64/boot/dts/allwinner/sun50i-h616-orangepi-zero2.dts
+@@ -13,6 +13,9 @@
+ };
+
+ &emac0 {
++ allwinner,rx-delay-ps = <3100>;
++ allwinner,tx-delay-ps = <700>;
++ phy-mode = "rgmii";
+ phy-supply = <®_dcdce>;
+ };
+
+diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h618-orangepi-zero3.dts b/arch/arm64/boot/dts/allwinner/sun50i-h618-orangepi-zero3.dts
+index 00fe28caac939..b3b1b8692125f 100644
+--- a/arch/arm64/boot/dts/allwinner/sun50i-h618-orangepi-zero3.dts
++++ b/arch/arm64/boot/dts/allwinner/sun50i-h618-orangepi-zero3.dts
+@@ -13,6 +13,8 @@
+ };
+
+ &emac0 {
++ allwinner,tx-delay-ps = <700>;
++ phy-mode = "rgmii-rxid";
+ phy-supply = <®_dldo1>;
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 53a14e49ad585b4a56b729b656e65859da243c6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Nov 2023 01:46:05 +0000
+Subject: Bluetooth: Fix deadlock in vhci_send_frame
+
+From: Ying Hsu <yinghsu@chromium.org>
+
+[ Upstream commit 769bf60e17ee1a56a81e7c031192c3928312c52e ]
+
+syzbot found a potential circular dependency leading to a deadlock:
+ -> #3 (&hdev->req_lock){+.+.}-{3:3}:
+ __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599
+ __mutex_lock kernel/locking/mutex.c:732 [inline]
+ mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784
+ hci_dev_do_close+0x3f/0x9f net/bluetooth/hci_core.c:551
+ hci_rfkill_set_block+0x130/0x1ac net/bluetooth/hci_core.c:935
+ rfkill_set_block+0x1e6/0x3b8 net/rfkill/core.c:345
+ rfkill_fop_write+0x2d8/0x672 net/rfkill/core.c:1274
+ vfs_write+0x277/0xcf5 fs/read_write.c:594
+ ksys_write+0x19b/0x2bd fs/read_write.c:650
+ do_syscall_x64 arch/x86/entry/common.c:55 [inline]
+ do_syscall_64+0x51/0xba arch/x86/entry/common.c:93
+ entry_SYSCALL_64_after_hwframe+0x61/0xcb
+
+ -> #2 (rfkill_global_mutex){+.+.}-{3:3}:
+ __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599
+ __mutex_lock kernel/locking/mutex.c:732 [inline]
+ mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784
+ rfkill_register+0x30/0x7e3 net/rfkill/core.c:1045
+ hci_register_dev+0x48f/0x96d net/bluetooth/hci_core.c:2622
+ __vhci_create_device drivers/bluetooth/hci_vhci.c:341 [inline]
+ vhci_create_device+0x3ad/0x68f drivers/bluetooth/hci_vhci.c:374
+ vhci_get_user drivers/bluetooth/hci_vhci.c:431 [inline]
+ vhci_write+0x37b/0x429 drivers/bluetooth/hci_vhci.c:511
+ call_write_iter include/linux/fs.h:2109 [inline]
+ new_sync_write fs/read_write.c:509 [inline]
+ vfs_write+0xaa8/0xcf5 fs/read_write.c:596
+ ksys_write+0x19b/0x2bd fs/read_write.c:650
+ do_syscall_x64 arch/x86/entry/common.c:55 [inline]
+ do_syscall_64+0x51/0xba arch/x86/entry/common.c:93
+ entry_SYSCALL_64_after_hwframe+0x61/0xcb
+
+ -> #1 (&data->open_mutex){+.+.}-{3:3}:
+ __mutex_lock_common+0x1b6/0x1bc2 kernel/locking/mutex.c:599
+ __mutex_lock kernel/locking/mutex.c:732 [inline]
+ mutex_lock_nested+0x17/0x1c kernel/locking/mutex.c:784
+ vhci_send_frame+0x68/0x9c drivers/bluetooth/hci_vhci.c:75
+ hci_send_frame+0x1cc/0x2ff net/bluetooth/hci_core.c:2989
+ hci_sched_acl_pkt net/bluetooth/hci_core.c:3498 [inline]
+ hci_sched_acl net/bluetooth/hci_core.c:3583 [inline]
+ hci_tx_work+0xb94/0x1a60 net/bluetooth/hci_core.c:3654
+ process_one_work+0x901/0xfb8 kernel/workqueue.c:2310
+ worker_thread+0xa67/0x1003 kernel/workqueue.c:2457
+ kthread+0x36a/0x430 kernel/kthread.c:319
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
+
+ -> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
+ check_prev_add kernel/locking/lockdep.c:3053 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3172 [inline]
+ validate_chain kernel/locking/lockdep.c:3787 [inline]
+ __lock_acquire+0x2d32/0x77fa kernel/locking/lockdep.c:5011
+ lock_acquire+0x273/0x4d5 kernel/locking/lockdep.c:5622
+ __flush_work+0xee/0x19f kernel/workqueue.c:3090
+ hci_dev_close_sync+0x32f/0x1113 net/bluetooth/hci_sync.c:4352
+ hci_dev_do_close+0x47/0x9f net/bluetooth/hci_core.c:553
+ hci_rfkill_set_block+0x130/0x1ac net/bluetooth/hci_core.c:935
+ rfkill_set_block+0x1e6/0x3b8 net/rfkill/core.c:345
+ rfkill_fop_write+0x2d8/0x672 net/rfkill/core.c:1274
+ vfs_write+0x277/0xcf5 fs/read_write.c:594
+ ksys_write+0x19b/0x2bd fs/read_write.c:650
+ do_syscall_x64 arch/x86/entry/common.c:55 [inline]
+ do_syscall_64+0x51/0xba arch/x86/entry/common.c:93
+ entry_SYSCALL_64_after_hwframe+0x61/0xcb
+
+This change removes the need for acquiring the open_mutex in
+vhci_send_frame, thus eliminating the potential deadlock while
+maintaining the required packet ordering.
+
+Fixes: 92d4abd66f70 ("Bluetooth: vhci: Fix race when opening vhci device")
+Signed-off-by: Ying Hsu <yinghsu@chromium.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_vhci.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
+index f3892e9ce800f..572d68d52965f 100644
+--- a/drivers/bluetooth/hci_vhci.c
++++ b/drivers/bluetooth/hci_vhci.c
+@@ -11,6 +11,7 @@
+ #include <linux/module.h>
+ #include <asm/unaligned.h>
+
++#include <linux/atomic.h>
+ #include <linux/kernel.h>
+ #include <linux/init.h>
+ #include <linux/slab.h>
+@@ -44,6 +45,7 @@ struct vhci_data {
+ bool wakeup;
+ __u16 msft_opcode;
+ bool aosp_capable;
++ atomic_t initialized;
+ };
+
+ static int vhci_open_dev(struct hci_dev *hdev)
+@@ -75,11 +77,10 @@ static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
+
+ memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
+
+- mutex_lock(&data->open_mutex);
+ skb_queue_tail(&data->readq, skb);
+- mutex_unlock(&data->open_mutex);
+
+- wake_up_interruptible(&data->read_wait);
++ if (atomic_read(&data->initialized))
++ wake_up_interruptible(&data->read_wait);
+ return 0;
+ }
+
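Review bot: `data->initialized` is an `atomic_t` that is only tested for non-zero here and incremented in __vhci_create_device(), but nothing in the code says what it guards. A comment at the `atomic_read()` would help, for example `/* Readers are not woken until __vhci_create_device() has put the vendor packet at the head of readq. */`. In the later hunk, `atomic_set(&data->initialized, 1)` would state the flag semantics more directly than `atomic_inc()`. It is also worth confirming that a frame queued just as the flag flips cannot miss its wakeup, since `atomic_read()` and `atomic_inc()` carry no ordering of their own.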
+@@ -464,7 +465,8 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
+ skb_put_u8(skb, 0xff);
+ skb_put_u8(skb, opcode);
+ put_unaligned_le16(hdev->id, skb_put(skb, 2));
+- skb_queue_tail(&data->readq, skb);
++ skb_queue_head(&data->readq, skb);
++ atomic_inc(&data->initialized);
+
+ wake_up_interruptible(&data->read_wait);
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 86206b1d4d83416d395b9bea45ff656ee88a855d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Oct 2023 16:26:23 -0700
+Subject: Bluetooth: Fix not notifying when connection encryption changes
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit f67eabffb57d0bee379994a18ec5f462b2cbdf86 ]
+
+Some layers such as SMP depend on getting notified about encryption
+changes immediately as they only allow certain PDU to be transmitted
+over an encrypted link which may cause SMP implementation to reject
+valid PDUs received thus causing pairing to fail when it shouldn't.
+
+Fixes: 7aca0ac4792e ("Bluetooth: Wait for HCI_OP_WRITE_AUTH_PAYLOAD_TO to complete")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index f6d3150bcbb03..da756cbf62206 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -820,8 +820,6 @@ static u8 hci_cc_write_auth_payload_timeout(struct hci_dev *hdev, void *data,
+ if (!rp->status)
+ conn->auth_payload_timeout = get_unaligned_le16(sent + 2);
+
+- hci_encrypt_cfm(conn, 0);
+-
+ unlock:
+ hci_dev_unlock(hdev);
+
+@@ -3683,12 +3681,8 @@ static void hci_encrypt_change_evt(struct hci_dev *hdev, void *data,
+ cp.handle = cpu_to_le16(conn->handle);
+ cp.timeout = cpu_to_le16(hdev->auth_payload_timeout);
+ if (hci_send_cmd(conn->hdev, HCI_OP_WRITE_AUTH_PAYLOAD_TO,
+- sizeof(cp), &cp)) {
++ sizeof(cp), &cp))
+ bt_dev_err(hdev, "write auth payload timeout failed");
+- goto notify;
+- }
+-
+- goto unlock;
+ }
+
+ notify:
+--
+2.43.0
+
--- /dev/null
+From 58d187c40c61a080e3b8345a44a2318ad89262a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Dec 2023 17:22:29 -0500
+Subject: Bluetooth: hci_core: Fix hci_conn_hash_lookup_cis
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 50efc63d1a7a7b9a6ed21adae1b9a7123ec8abc0 ]
+
+hci_conn_hash_lookup_cis shall always match the requested CIG and CIS
+ids even when they are unset as otherwise it result in not being able
+to bind/connect different sockets to the same address as that would
+result in having multiple sockets mapping to the same hci_conn which
+doesn't really work and prevents BAP audio configuration such as
+AC 6(i) when CIG and CIS are left unset.
+
+Fixes: c14516faede3 ("Bluetooth: hci_conn: Fix not matching by CIS ID")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 7fa95b72e5c85..22ce39a2aa7bc 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -1227,11 +1227,11 @@ static inline struct hci_conn *hci_conn_hash_lookup_cis(struct hci_dev *hdev,
+ continue;
+
+ /* Match CIG ID if set */
+- if (cig != BT_ISO_QOS_CIG_UNSET && cig != c->iso_qos.ucast.cig)
++ if (cig != c->iso_qos.ucast.cig)
+ continue;
+
+ /* Match CIS ID if set */
+- if (id != BT_ISO_QOS_CIS_UNSET && id != c->iso_qos.ucast.cis)
++ if (id != c->iso_qos.ucast.cis)
+ continue;
+
+ /* Match destination address if set */
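Review bot: The two comments kept as context, `/* Match CIG ID if set */` and `/* Match CIS ID if set */`, no longer describe the code: with the `BT_ISO_QOS_CIG_UNSET` and `BT_ISO_QOS_CIS_UNSET` tests removed, both ids are compared unconditionally. Updating them to something like `/* Match CIG ID, including the unset value */` and `/* Match CIS ID, including the unset value */` would keep a later reader from restoring the old wildcard behaviour. The function body starts and ends outside this hunk.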
+--
+2.43.0
+
--- /dev/null
+From 7201279848404429b9c3d1082a1eed27708019db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Nov 2023 23:17:44 +0100
+Subject: Bluetooth: hci_event: shut up a false-positive warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit a5812c68d849505ea657f653446512b85887f813 ]
+
+Turning on -Wstringop-overflow globally exposed a misleading compiler
+warning in bluetooth:
+
+net/bluetooth/hci_event.c: In function 'hci_cc_read_class_of_dev':
+net/bluetooth/hci_event.c:524:9: error: 'memcpy' writing 3 bytes into a
+region of size 0 overflows the destination [-Werror=stringop-overflow=]
+ 524 | memcpy(hdev->dev_class, rp->dev_class, 3);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The problem here is the check for hdev being NULL in bt_dev_dbg() that
+leads the compiler to conclude that hdev->dev_class might be an invalid
+pointer access.
+
+Add another explicit check for the same condition to make sure gcc sees
+this cannot happen.
+
+Fixes: a9de9248064b ("[Bluetooth] Switch from OGF+OCF to using only opcodes")
+Fixes: 1b56c90018f0 ("Makefile: Enable -Wstringop-overflow globally")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index da756cbf62206..3661f8cdbab70 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -516,6 +516,9 @@ static u8 hci_cc_read_class_of_dev(struct hci_dev *hdev, void *data,
+ {
+ struct hci_rp_read_class_of_dev *rp = data;
+
++ if (WARN_ON(!hdev))
++ return HCI_ERROR_UNSPECIFIED;
++
+ bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
+
+ if (rp->status)
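Review bot: The added `if (WARN_ON(!hdev))` has no comment, and the only explanation that it exists to quiet a -Wstringop-overflow false positive is in the commit message. A line such as `/* hdev is never NULL here; the check only lets gcc see that for the memcpy() below */` above it would stop the check from being removed as dead code or mistaken for real input validation. The function continues past the end of the hunk.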
+--
+2.43.0
+
--- /dev/null
+From f488b2ee6ed5108be49f716cd5cb1e03c5dec711 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 13:31:38 -0800
+Subject: bnxt_en: do not map packet buffers twice
+
+From: Andy Gospodarek <andrew.gospodarek@broadcom.com>
+
+[ Upstream commit 23c93c3b6275a59f2a685f4a693944b53c31df4e ]
+
+Remove double-mapping of DMA buffers as it can prevent page pool entries
+from being freed. Mapping is managed by page pool infrastructure and
+was previously managed by the driver in __bnxt_alloc_rx_page before
+allowing the page pool infrastructure to manage it.
+
+Fixes: 578fcfd26e2a ("bnxt_en: Let the page pool manage the DMA mapping")
+Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Reviewed-by: David Wei <dw@davidwei.uk>
+Link: https://lore.kernel.org/r/20231214213138.98095-1-michael.chan@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
+index 96f5ca778c67d..8cb9a99154aad 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
+@@ -59,7 +59,6 @@ struct bnxt_sw_tx_bd *bnxt_xmit_bd(struct bnxt *bp,
+ for (i = 0; i < num_frags ; i++) {
+ skb_frag_t *frag = &sinfo->frags[i];
+ struct bnxt_sw_tx_bd *frag_tx_buf;
+- struct pci_dev *pdev = bp->pdev;
+ dma_addr_t frag_mapping;
+ int frag_len;
+
+@@ -73,16 +72,10 @@ struct bnxt_sw_tx_bd *bnxt_xmit_bd(struct bnxt *bp,
+ txbd = &txr->tx_desc_ring[TX_RING(prod)][TX_IDX(prod)];
+
+ frag_len = skb_frag_size(frag);
+- frag_mapping = skb_frag_dma_map(&pdev->dev, frag, 0,
+- frag_len, DMA_TO_DEVICE);
+-
+- if (unlikely(dma_mapping_error(&pdev->dev, frag_mapping)))
+- return NULL;
+-
+- dma_unmap_addr_set(frag_tx_buf, mapping, frag_mapping);
+-
+ flags = frag_len << TX_BD_LEN_SHIFT;
+ txbd->tx_bd_len_flags_type = cpu_to_le32(flags);
++ frag_mapping = page_pool_get_dma_addr(skb_frag_page(frag)) +
++ skb_frag_off(frag);
+ txbd->tx_bd_haddr = cpu_to_le64(frag_mapping);
+
+ len = frag_len;
+--
+2.43.0
+
--- /dev/null
+From fcdd3e4c99cec46ec935976379c7b8c1b8fd4527 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Dec 2023 10:01:38 -0800
+Subject: bpf: syzkaller found null ptr deref in unix_bpf proto add
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 8d6650646ce49e9a5b8c5c23eb94f74b1749f70f ]
+
+I added logic to track the sock pair for stream_unix sockets so that we
+ensure lifetime of the sock matches the time a sockmap could reference
+the sock (see fixes tag). I forgot though that we allow af_unix unconnected
+sockets into a sock{map|hash} map.
+
+This is problematic because previous fixed expected sk_pair() to exist
+and did not NULL check it. Because unconnected sockets have a NULL
+sk_pair this resulted in the NULL ptr dereference found by syzkaller.
+
+BUG: KASAN: null-ptr-deref in unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
+Write of size 4 at addr 0000000000000080 by task syz-executor360/5073
+Call Trace:
+ <TASK>
+ ...
+ sock_hold include/net/sock.h:777 [inline]
+ unix_stream_bpf_update_proto+0x72/0x430 net/unix/unix_bpf.c:171
+ sock_map_init_proto net/core/sock_map.c:190 [inline]
+ sock_map_link+0xb87/0x1100 net/core/sock_map.c:294
+ sock_map_update_common+0xf6/0x870 net/core/sock_map.c:483
+ sock_map_update_elem_sys+0x5b6/0x640 net/core/sock_map.c:577
+ bpf_map_update_value+0x3af/0x820 kernel/bpf/syscall.c:167
+
+We considered just checking for the null ptr and skipping taking a ref
+on the NULL peer sock. But, if the socket is then connected() after
+being added to the sockmap we can cause the original issue again. So
+instead this patch blocks adding af_unix sockets that are not in the
+ESTABLISHED state.
+
+Reported-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot+e8030702aefd3444fb9e@syzkaller.appspotmail.com
+Fixes: 8866730aed51 ("bpf, sockmap: af_unix stream sockets need to hold ref for pair sock")
+Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20231201180139.328529-2-john.fastabend@gmail.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 5 +++++
+ net/core/sock_map.c | 2 ++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 7753354d59c0b..1b7ca8f35dd60 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -2798,6 +2798,11 @@ static inline bool sk_is_tcp(const struct sock *sk)
+ return sk->sk_type == SOCK_STREAM && sk->sk_protocol == IPPROTO_TCP;
+ }
+
++static inline bool sk_is_stream_unix(const struct sock *sk)
++{
++ return sk->sk_family == AF_UNIX && sk->sk_type == SOCK_STREAM;
++}
++
+ /**
+ * sk_eat_skb - Release a skb if it is no longer needed
+ * @sk: socket to eat this skb from
+diff --git a/net/core/sock_map.c b/net/core/sock_map.c
+index 4292c2ed18286..27d733c0f65e1 100644
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -536,6 +536,8 @@ static bool sock_map_sk_state_allowed(const struct sock *sk)
+ {
+ if (sk_is_tcp(sk))
+ return (1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_LISTEN);
++ if (sk_is_stream_unix(sk))
++ return (1 << sk->sk_state) & TCPF_ESTABLISHED;
+ return true;
+ }
+
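Review bot: The new `sk_is_stream_unix()` branch in sock_map_sk_state_allowed() tests an AF_UNIX socket against `TCPF_ESTABLISHED` with no comment saying why a TCP state flag applies there or what the check protects. Per the commit message, an unconnected unix stream socket has a NULL sk_pair() and the earlier fix dereferenced it, so a line such as `/* unix stream sockets reuse the TCP_* states; only a connected socket has a peer to take a ref on */` above the test would stop a later reader from relaxing it. The read of `sk->sk_state` is a plain load; if the state can change without whatever lock this caller holds (not visible in the hunk), `READ_ONCE(sk->sk_state)` would be the safer form.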
+--
+2.43.0
+
--- /dev/null
+From 5708519256ed2fec5a6fb8e23082e3e6fbaf4879 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 21:04:04 +0800
+Subject: ethernet: atheros: fix a memleak in atl1e_setup_ring_resources
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit 309fdb1c33fe726d92d0030481346f24e1b01f07 ]
+
+In the error handling of 'offset > adapter->ring_size', the
+tx_ring->tx_buffer allocated by kzalloc should be freed,
+instead of 'goto failed' instantly.
+
+Fixes: a6a5325239c2 ("atl1e: Atheros L1E Gigabit Ethernet driver")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Reviewed-by: Suman Ghosh <sumang@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
+index 5935be190b9e2..5f2a6fcba9670 100644
+--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
+@@ -866,10 +866,13 @@ static int atl1e_setup_ring_resources(struct atl1e_adapter *adapter)
+ netdev_err(adapter->netdev, "offset(%d) > ring size(%d) !!\n",
+ offset, adapter->ring_size);
+ err = -1;
+- goto failed;
++ goto free_buffer;
+ }
+
+ return 0;
++free_buffer:
++ kfree(tx_ring->tx_buffer);
++ tx_ring->tx_buffer = NULL;
+ failed:
+ if (adapter->ring_vir_addr != NULL) {
+ dma_free_coherent(&pdev->dev, adapter->ring_size,
+--
+2.43.0
+
--- /dev/null
+From 156a1d520568749d8c9761676e3b28af7d8114aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 13:19:28 -0800
+Subject: ice: alter feature support check for SRIOV and LAG
+
+From: Dave Ertman <david.m.ertman@intel.com>
+
+[ Upstream commit 4d50fcdc2476eef94c14c6761073af5667bb43b6 ]
+
+Previously, the ice driver had support for using a handler for bonding
+netdev events to ensure that conflicting features were not allowed to be
+activated at the same time. While this was still in place, additional
+support was added to specifically support SRIOV and LAG together. These
+both utilized the netdev event handler, but the SRIOV and LAG feature was
+behind a capabilities feature check to make sure the current NVM has
+support.
+
+The exclusion part of the event handler should be removed since there are
+users who have custom made solutions that depend on the non-exclusion of
+features.
+
+Wrap the creation/registration and cleanup of the event handler and
+associated structs in the probe flow with a feature check so that the
+only systems that support the full implementation of LAG features will
+initialize support. This will leave other systems unhindered with
+functionality as it existed before any LAG code was added.
+
+Fixes: bb52f42acef6 ("ice: Add driver support for firmware changes for LAG")
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Signed-off-by: Dave Ertman <david.m.ertman@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lag.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lag.c b/drivers/net/ethernet/intel/ice/ice_lag.c
+index d86e2460b5a4d..23e197c3d02a7 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lag.c
++++ b/drivers/net/ethernet/intel/ice/ice_lag.c
+@@ -1963,6 +1963,8 @@ int ice_init_lag(struct ice_pf *pf)
+ int n, err;
+
+ ice_lag_init_feature_support_flag(pf);
++ if (!ice_is_feature_supported(pf, ICE_F_SRIOV_LAG))
++ return 0;
+
+ pf->lag = kzalloc(sizeof(*lag), GFP_KERNEL);
+ if (!pf->lag)
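Review bot: The early `return 0` added in ice_init_lag() reports success while leaving `pf->lag` unallocated, so every later user of `pf->lag` has to tolerate NULL. The diffstat shows only these two lines changing in ice_lag.c, which suggests the teardown and event paths are expected to cope already; that is not visible in this hunk and is worth confirming. A comment on the check, for example `/* no SRIOV LAG support in the NVM: pf->lag stays NULL and LAG handling is skipped */`, would record the contract. The function body continues outside the hunk.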
+--
+2.43.0
+
--- /dev/null
+From 2509d14c00daac3d748dac92e74b92ccfdb1f205 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Dec 2023 10:29:01 +0100
+Subject: ice: Fix PF with enabled XDP going no-carrier after reset
+
+From: Larysa Zaremba <larysa.zaremba@intel.com>
+
+[ Upstream commit f5728a418945ba53e2fdf38a6e5c5a2670965e85 ]
+
+Commit 6624e780a577fc596788 ("ice: split ice_vsi_setup into smaller
+functions") has refactored a bunch of code involved in PFR. In this
+process, TC queue number adjustment for XDP was lost. Bring it back.
+
+Lack of such adjustment causes interface to go into no-carrier after a
+reset, if XDP program is attached, with the following message:
+
+ice 0000:b1:00.0: Failed to set LAN Tx queue context, error: -22
+ice 0000:b1:00.0 ens801f0np0: Failed to open VSI 0x0006 on switch 0x0001
+ice 0000:b1:00.0: enable VSI failed, err -22, VSI index 0, type ICE_VSI_PF
+ice 0000:b1:00.0: PF VSI rebuild failed: -22
+ice 0000:b1:00.0: Rebuild failed, unload and reload driver
+
+Fixes: 6624e780a577 ("ice: split ice_vsi_setup into smaller functions")
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Larysa Zaremba <larysa.zaremba@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
+index 8dbf7a381e49b..a66c3b6ccec1e 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -2384,6 +2384,9 @@ static int ice_vsi_cfg_tc_lan(struct ice_pf *pf, struct ice_vsi *vsi)
+ } else {
+ max_txqs[i] = vsi->alloc_txq;
+ }
++
++ if (vsi->type == ICE_VSI_PF)
++ max_txqs[i] += vsi->num_xdp_txq;
+ }
+
+ dev_dbg(dev, "vsi->tc_cfg.ena_tc = %d\n", vsi->tc_cfg.ena_tc);
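Review bot: The added `max_txqs[i] += vsi->num_xdp_txq;` in ice_vsi_cfg_tc_lan() has no comment, and the commit message says this same adjustment was already lost once in a refactor. A one-line why-comment along the lines of `/* the PF VSI also carries the XDP Tx queues; include them in the per-TC limit */` would make it harder to drop again. The type of `max_txqs[]` is declared outside the hunk, so whether the sum can exceed it should be confirmed there.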
+--
+2.43.0
+
--- /dev/null
+From a2cbc5ab7174c5d2d4c7dffb664733452215e4cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Nov 2023 17:58:06 +0100
+Subject: ice: fix theoretical out-of-bounds access in ethtool link modes
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit 91f9181c738101a276d9da333e0ab665ad806e6d ]
+
+To map phy types reported by the hardware to ethtool link mode bits,
+ice uses two lookup tables (phy_type_low_lkup, phy_type_high_lkup).
+The "low" table has 64 elements to cover every possible bit the hardware
+may report, but the "high" table has only 13. If the hardware reports a
+higher bit in phy_types_high, the driver would access memory beyond the
+lookup table's end.
+
+Instead of iterating through all 64 bits of phy_types_{low,high}, use
+the sizes of the respective lookup tables.
+
+Fixes: 9136e1f1e5c3 ("ice: refactor PHY type to ethtool link mode")
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ethtool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+index ad4d4702129f0..9be13e9840917 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+@@ -1757,14 +1757,14 @@ ice_phy_type_to_ethtool(struct net_device *netdev,
+ linkmode_zero(ks->link_modes.supported);
+ linkmode_zero(ks->link_modes.advertising);
+
+- for (i = 0; i < BITS_PER_TYPE(u64); i++) {
++ for (i = 0; i < ARRAY_SIZE(phy_type_low_lkup); i++) {
+ if (phy_types_low & BIT_ULL(i))
+ ice_linkmode_set_bit(&phy_type_low_lkup[i], ks,
+ req_speeds, advert_phy_type_lo,
+ i);
+ }
+
+- for (i = 0; i < BITS_PER_TYPE(u64); i++) {
++ for (i = 0; i < ARRAY_SIZE(phy_type_high_lkup); i++) {
+ if (phy_types_high & BIT_ULL(i))
+ ice_linkmode_set_bit(&phy_type_high_lkup[i], ks,
+ req_speeds, advert_phy_type_hi,
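Review bot: Bounding both loops in ice_phy_type_to_ethtool() by `ARRAY_SIZE()` removes the table overrun, but `BIT_ULL(i)` is now valid only while neither table grows past 64 entries, and nothing states that. A compile-time guard next to the tables, `static_assert(ARRAY_SIZE(phy_type_high_lkup) <= BITS_PER_TYPE(u64));` and the same for `phy_type_low_lkup`, would pin the assumption. Bits the hardware reports beyond the end of the high table are now ignored silently; a short comment saying so would help anyone chasing a missing link mode. The function starts and ends outside the hunk.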
+--
+2.43.0
+
--- /dev/null
+From cce5c9515d63c1413870568e654f6a6dc6922c68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Dec 2023 12:19:05 -0800
+Subject: ice: stop trashing VF VSI aggregator node ID information
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 7d881346121a97756f34e00e6296a5d63f001f7f ]
+
+When creating new VSIs, they are assigned into an aggregator node in the
+scheduler tree. Information about which aggregator node a VSI is assigned
+into is maintained by the vsi->agg_node structure. In ice_vsi_decfg(), this
+information is being destroyed, by overwriting the valid flag and the
+agg_id field to zero.
+
+For VF VSIs, this breaks the aggregator node configuration replay, which
+depends on this information. This results in VFs being inserted into the
+default aggregator node. The resulting configuration will have unexpected
+Tx bandwidth sharing behavior.
+
+This was broken by commit 6624e780a577 ("ice: split ice_vsi_setup into
+smaller functions"), which added the block to reset the agg_node data.
+
+The vsi->agg_node structure is not managed by the scheduler code, but is
+instead a wrapper around an aggregator node ID that is tracked at the VSI
+layer. Its been around for a long time, and its primary purpose was for
+handling VFs. The SR-IOV VF reset flow does not make use of the standard VSI
+rebuild/replay logic, and uses vsi->agg_node as part of its handling to
+rebuild the aggregator node configuration.
+
+The logic for aggregator nodes stretches back to early ice driver code from
+commit b126bd6bcd67 ("ice: create scheduler aggregator node config and move
+VSIs")
+
+The logic in ice_vsi_decfg() which trashes the ice_agg_node data is clearly
+wrong. It destroys information that is necessary for handling VF reset,. It
+is also not the correct way to actually remove a VSI from an aggregator
+node. For that, we need to implement logic in the scheduler code. Further,
+non-VF VSIs properly replay their aggregator configuration using existing
+scheduler replay logic.
+
+To fix the VF replay logic, remove this broken aggregator node cleanup
+logic. This is the simplest way to immediately fix this.
+
+This ensures that VFs will have proper aggregate configuration after a
+reset. This is especially important since VFs often perform resets as part
+of their reconfiguration flows. Without fixing this, VFs will be placed in
+the default aggregator node and Tx bandwidth will not be shared in the
+expected and configured manner.
+
+Fixes: 6624e780a577 ("ice: split ice_vsi_setup into smaller functions")
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
+index 73bbf06a76db9..8dbf7a381e49b 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -2633,10 +2633,6 @@ void ice_vsi_decfg(struct ice_vsi *vsi)
+ if (vsi->type == ICE_VSI_VF &&
+ vsi->agg_node && vsi->agg_node->valid)
+ vsi->agg_node->num_vsis--;
+- if (vsi->agg_node) {
+- vsi->agg_node->valid = false;
+- vsi->agg_node->agg_id = 0;
+- }
+ }
+
+ /**
+--
+2.43.0
+
--- /dev/null
+From 215ee067340a31c0ea47bcc9226458e3811be125 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Dec 2023 00:41:55 +0000
+Subject: keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on
+ expiry
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 39299bdd2546688d92ed9db4948f6219ca1b9542 ]
+
+If a key has an expiration time, then when that time passes, the key is
+left around for a certain amount of time before being collected (5 mins by
+default) so that EKEYEXPIRED can be returned instead of ENOKEY. This is a
+problem for DNS keys because we want to redo the DNS lookup immediately at
+that point.
+
+Fix this by allowing key types to be marked such that keys of that type
+don't have this extra period, but are reclaimed as soon as they expire and
+turn this on for dns_resolver-type keys. To make this easier to handle,
+key->expiry is changed to be permanent if TIME64_MAX rather than 0.
+
+Furthermore, give such new-style negative DNS results a 1s default expiry
+if no other expiry time is set rather than allowing it to stick around
+indefinitely. This shouldn't be zero as ls will follow a failing stat call
+immediately with a second with AT_SYMLINK_NOFOLLOW added.
+
+Fixes: 1a4240f4764a ("DNS: Separate out CIFS DNS Resolver code")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Markus Suvanto <markus.suvanto@gmail.com>
+cc: Wang Lei <wang840925@gmail.com>
+cc: Jeff Layton <jlayton@redhat.com>
+cc: Steve French <smfrench@gmail.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Jarkko Sakkinen <jarkko@kernel.org>
+cc: "David S. Miller" <davem@davemloft.net>
+cc: Eric Dumazet <edumazet@google.com>
+cc: Jakub Kicinski <kuba@kernel.org>
+cc: Paolo Abeni <pabeni@redhat.com>
+cc: linux-afs@lists.infradead.org
+cc: linux-cifs@vger.kernel.org
+cc: linux-nfs@vger.kernel.org
+cc: ceph-devel@vger.kernel.org
+cc: keyrings@vger.kernel.org
+cc: netdev@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/key-type.h | 1 +
+ net/dns_resolver/dns_key.c | 10 +++++++++-
+ security/keys/gc.c | 31 +++++++++++++++++++++----------
+ security/keys/internal.h | 11 ++++++++++-
+ security/keys/key.c | 15 +++++----------
+ security/keys/proc.c | 2 +-
+ 6 files changed, 47 insertions(+), 23 deletions(-)
+
+diff --git a/include/linux/key-type.h b/include/linux/key-type.h
+index 7d985a1dfe4af..5caf3ce823733 100644
+--- a/include/linux/key-type.h
++++ b/include/linux/key-type.h
+@@ -73,6 +73,7 @@ struct key_type {
+
+ unsigned int flags;
+ #define KEY_TYPE_NET_DOMAIN 0x00000001 /* Keys of this type have a net namespace domain */
++#define KEY_TYPE_INSTANT_REAP 0x00000002 /* Keys of this type don't have a delay after expiring */
+
+ /* vet a description */
+ int (*vet_description)(const char *description);
+diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
+index 01e54b46ae0b9..2a6d363763a2b 100644
+--- a/net/dns_resolver/dns_key.c
++++ b/net/dns_resolver/dns_key.c
+@@ -91,6 +91,7 @@ const struct cred *dns_resolver_cache;
+ static int
+ dns_resolver_preparse(struct key_preparsed_payload *prep)
+ {
++ const struct dns_server_list_v1_header *v1;
+ const struct dns_payload_header *bin;
+ struct user_key_payload *upayload;
+ unsigned long derrno;
+@@ -122,6 +123,13 @@ dns_resolver_preparse(struct key_preparsed_payload *prep)
+ return -EINVAL;
+ }
+
++ v1 = (const struct dns_server_list_v1_header *)bin;
++ if ((v1->status != DNS_LOOKUP_GOOD &&
++ v1->status != DNS_LOOKUP_GOOD_WITH_BAD)) {
++ if (prep->expiry == TIME64_MAX)
++ prep->expiry = ktime_get_real_seconds() + 1;
++ }
++
+ result_len = datalen;
+ goto store_result;
+ }
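Review bot: `v1->status` is read in dns_resolver_preparse() after casting `bin` to the larger `struct dns_server_list_v1_header`, and the visible context shows no check that `datalen` covers that structure. If the length test earlier in the function (outside this hunk) only guarantees `sizeof(*bin)`, a short payload turns this into a read past the end of the supplied data. A guard ahead of the cast, `if (datalen < sizeof(*v1)) return -EINVAL;`, would close that; confirm against the checks at the top of the function.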
+@@ -314,7 +322,7 @@ static long dns_resolver_read(const struct key *key,
+
+ struct key_type key_type_dns_resolver = {
+ .name = "dns_resolver",
+- .flags = KEY_TYPE_NET_DOMAIN,
++ .flags = KEY_TYPE_NET_DOMAIN | KEY_TYPE_INSTANT_REAP,
+ .preparse = dns_resolver_preparse,
+ .free_preparse = dns_resolver_free_preparse,
+ .instantiate = generic_key_instantiate,
+diff --git a/security/keys/gc.c b/security/keys/gc.c
+index 3c90807476eb0..eaddaceda14ea 100644
+--- a/security/keys/gc.c
++++ b/security/keys/gc.c
+@@ -66,6 +66,19 @@ void key_schedule_gc(time64_t gc_at)
+ }
+ }
+
++/*
++ * Set the expiration time on a key.
++ */
++void key_set_expiry(struct key *key, time64_t expiry)
++{
++ key->expiry = expiry;
++ if (expiry != TIME64_MAX) {
++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
++ expiry += key_gc_delay;
++ key_schedule_gc(expiry);
++ }
++}
++
+ /*
+ * Schedule a dead links collection run.
+ */
+@@ -176,7 +189,6 @@ static void key_garbage_collector(struct work_struct *work)
+ static u8 gc_state; /* Internal persistent state */
+ #define KEY_GC_REAP_AGAIN 0x01 /* - Need another cycle */
+ #define KEY_GC_REAPING_LINKS 0x02 /* - We need to reap links */
+-#define KEY_GC_SET_TIMER 0x04 /* - We need to restart the timer */
+ #define KEY_GC_REAPING_DEAD_1 0x10 /* - We need to mark dead keys */
+ #define KEY_GC_REAPING_DEAD_2 0x20 /* - We need to reap dead key links */
+ #define KEY_GC_REAPING_DEAD_3 0x40 /* - We need to reap dead keys */
+@@ -184,21 +196,17 @@ static void key_garbage_collector(struct work_struct *work)
+
+ struct rb_node *cursor;
+ struct key *key;
+- time64_t new_timer, limit;
++ time64_t new_timer, limit, expiry;
+
+ kenter("[%lx,%x]", key_gc_flags, gc_state);
+
+ limit = ktime_get_real_seconds();
+- if (limit > key_gc_delay)
+- limit -= key_gc_delay;
+- else
+- limit = key_gc_delay;
+
+ /* Work out what we're going to be doing in this pass */
+ gc_state &= KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2;
+ gc_state <<= 1;
+ if (test_and_clear_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags))
+- gc_state |= KEY_GC_REAPING_LINKS | KEY_GC_SET_TIMER;
++ gc_state |= KEY_GC_REAPING_LINKS;
+
+ if (test_and_clear_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags))
+ gc_state |= KEY_GC_REAPING_DEAD_1;
+@@ -233,8 +241,11 @@ static void key_garbage_collector(struct work_struct *work)
+ }
+ }
+
+- if (gc_state & KEY_GC_SET_TIMER) {
+- if (key->expiry > limit && key->expiry < new_timer) {
++ expiry = key->expiry;
++ if (expiry != TIME64_MAX) {
++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
++ expiry += key_gc_delay;
++ if (expiry > limit && expiry < new_timer) {
+ kdebug("will expire %x in %lld",
+ key_serial(key), key->expiry - limit);
+ new_timer = key->expiry;
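Review bot: In key_garbage_collector() the delay-adjusted `expiry` is used for the comparison, but the value stored is still `new_timer = key->expiry;`, and the last hunk of this file adds `key_gc_delay` to `new_timer` unconditionally. For a `KEY_TYPE_INSTANT_REAP` key that appears to reschedule the collector at expiry plus the delay, and it compares an adjusted time against the unadjusted ones already held in `new_timer`. Storing `new_timer = expiry;` here and dropping the later `new_timer += key_gc_delay;` would keep both in the same units, with the `kdebug()` argument following suit. The loop body continues outside the hunk.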
+@@ -276,7 +287,7 @@ static void key_garbage_collector(struct work_struct *work)
+ */
+ kdebug("pass complete");
+
+- if (gc_state & KEY_GC_SET_TIMER && new_timer != (time64_t)TIME64_MAX) {
++ if (new_timer != TIME64_MAX) {
+ new_timer += key_gc_delay;
+ key_schedule_gc(new_timer);
+ }
+diff --git a/security/keys/internal.h b/security/keys/internal.h
+index 3c1e7122076b9..ec2ec335b6133 100644
+--- a/security/keys/internal.h
++++ b/security/keys/internal.h
+@@ -174,6 +174,7 @@ extern unsigned key_gc_delay;
+ extern void keyring_gc(struct key *keyring, time64_t limit);
+ extern void keyring_restriction_gc(struct key *keyring,
+ struct key_type *dead_type);
++void key_set_expiry(struct key *key, time64_t expiry);
+ extern void key_schedule_gc(time64_t gc_at);
+ extern void key_schedule_gc_links(void);
+ extern void key_gc_keytype(struct key_type *ktype);
+@@ -222,10 +223,18 @@ extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
+ */
+ static inline bool key_is_dead(const struct key *key, time64_t limit)
+ {
++ time64_t expiry = key->expiry;
++
++ if (expiry != TIME64_MAX) {
++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
++ expiry += key_gc_delay;
++ if (expiry <= limit)
++ return true;
++ }
++
+ return
+ key->flags & ((1 << KEY_FLAG_DEAD) |
+ (1 << KEY_FLAG_INVALIDATED)) ||
+- (key->expiry > 0 && key->expiry <= limit) ||
+ key->domain_tag->removed;
+ }
+
+diff --git a/security/keys/key.c b/security/keys/key.c
+index 5c0c7df833f8a..5f103b2713c64 100644
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -294,6 +294,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
+ key->uid = uid;
+ key->gid = gid;
+ key->perm = perm;
++ key->expiry = TIME64_MAX;
+ key->restrict_link = restrict_link;
+ key->last_used_at = ktime_get_real_seconds();
+
+@@ -463,10 +464,7 @@ static int __key_instantiate_and_link(struct key *key,
+ if (authkey)
+ key_invalidate(authkey);
+
+- if (prep->expiry != TIME64_MAX) {
+- key->expiry = prep->expiry;
+- key_schedule_gc(prep->expiry + key_gc_delay);
+- }
++ key_set_expiry(key, prep->expiry);
+ }
+ }
+
+@@ -606,8 +604,7 @@ int key_reject_and_link(struct key *key,
+ atomic_inc(&key->user->nikeys);
+ mark_key_instantiated(key, -error);
+ notify_key(key, NOTIFY_KEY_INSTANTIATED, -error);
+- key->expiry = ktime_get_real_seconds() + timeout;
+- key_schedule_gc(key->expiry + key_gc_delay);
++ key_set_expiry(key, ktime_get_real_seconds() + timeout);
+
+ if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags))
+ awaken = 1;
+@@ -722,16 +719,14 @@ struct key_type *key_type_lookup(const char *type)
+
+ void key_set_timeout(struct key *key, unsigned timeout)
+ {
+- time64_t expiry = 0;
++ time64_t expiry = TIME64_MAX;
+
+ /* make the changes with the locks held to prevent races */
+ down_write(&key->sem);
+
+ if (timeout > 0)
+ expiry = ktime_get_real_seconds() + timeout;
+-
+- key->expiry = expiry;
+- key_schedule_gc(key->expiry + key_gc_delay);
++ key_set_expiry(key, expiry);
+
+ up_write(&key->sem);
+ }
+diff --git a/security/keys/proc.c b/security/keys/proc.c
+index d0cde6685627f..4f4e2c1824f18 100644
+--- a/security/keys/proc.c
++++ b/security/keys/proc.c
+@@ -198,7 +198,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
+
+ /* come up with a suitable timeout value */
+ expiry = READ_ONCE(key->expiry);
+- if (expiry == 0) {
++ if (expiry == TIME64_MAX) {
+ memcpy(xbuf, "perm", 5);
+ } else if (now >= expiry) {
+ memcpy(xbuf, "expd", 5);
+--
+2.43.0
+
--- /dev/null
+From f7adf19ca88c8f5507cc968c7919db7bfd909c79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 12:53:31 +0000
+Subject: net: check dev->gso_max_size in gso_features_check()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 24ab059d2ebd62fdccc43794796f6ffbabe49ebc ]
+
+Some drivers might misbehave if TSO packets get too big.
+
+GVE for instance uses a 16bit field in its TX descriptor,
+and will do bad things if a packet is bigger than 2^16 bytes.
+
+Linux TCP stack honors dev->gso_max_size, but there are
+other ways for too big packets to reach an ndo_start_xmit()
+handler : virtio_net, af_packet, GRO...
+
+Add a generic check in gso_features_check() and fallback
+to GSO when needed.
+
+gso_max_size was added in the blamed commit.
+
+Fixes: 82cc1a7a5687 ("[NET]: Add per-connection option to set max TSO frame size")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20231219125331.4127498-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 9bf90b2a75b6a..e480afb50d4c1 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3500,6 +3500,9 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb,
+ if (gso_segs > READ_ONCE(dev->gso_max_segs))
+ return features & ~NETIF_F_GSO_MASK;
+
++ if (unlikely(skb->len >= READ_ONCE(dev->gso_max_size)))
++ return features & ~NETIF_F_GSO_MASK;
++
+ if (!skb_shinfo(skb)->gso_type) {
+ skb_warn_bad_offload(skb);
+ return features & ~NETIF_F_GSO_MASK;
+--
+2.43.0
+
--- /dev/null
+From f87a74362d97119bc5f47e0717b2d5bac3b31de8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Dec 2023 15:52:18 +0800
+Subject: net: check vlan filter feature in vlan_vids_add_by_dev() and
+ vlan_vids_del_by_dev()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit 01a564bab4876007ce35f312e16797dfe40e4823 ]
+
+I got the below warning trace:
+
+WARNING: CPU: 4 PID: 4056 at net/core/dev.c:11066 unregister_netdevice_many_notify
+CPU: 4 PID: 4056 Comm: ip Not tainted 6.7.0-rc4+ #15
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+RIP: 0010:unregister_netdevice_many_notify+0x9a4/0x9b0
+Call Trace:
+ rtnl_dellink
+ rtnetlink_rcv_msg
+ netlink_rcv_skb
+ netlink_unicast
+ netlink_sendmsg
+ __sock_sendmsg
+ ____sys_sendmsg
+ ___sys_sendmsg
+ __sys_sendmsg
+ do_syscall_64
+ entry_SYSCALL_64_after_hwframe
+
+It can be repoduced via:
+
+ ip netns add ns1
+ ip netns exec ns1 ip link add bond0 type bond mode 0
+ ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2
+ ip netns exec ns1 ip link set bond_slave_1 master bond0
+[1] ip netns exec ns1 ethtool -K bond0 rx-vlan-filter off
+[2] ip netns exec ns1 ip link add link bond_slave_1 name bond_slave_1.0 type vlan id 0
+[3] ip netns exec ns1 ip link add link bond0 name bond0.0 type vlan id 0
+[4] ip netns exec ns1 ip link set bond_slave_1 nomaster
+[5] ip netns exec ns1 ip link del veth2
+ ip netns del ns1
+
+This is all caused by command [1] turning off the rx-vlan-filter function
+of bond0. The reason is the same as commit 01f4fd270870 ("bonding: Fix
+incorrect deletion of ETH_P_8021AD protocol vid from slaves"). Commands
+[2] [3] add the same vid to slave and master respectively, causing
+command [4] to empty slave->vlan_info. The following command [5] triggers
+this problem.
+
+To fix this problem, we should add VLAN_FILTER feature checks in
+vlan_vids_add_by_dev() and vlan_vids_del_by_dev() to prevent incorrect
+addition or deletion of vlan_vid information.
+
+Fixes: 348a1443cc43 ("vlan: introduce functions to do mass addition/deletion of vids by another device")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/8021q/vlan_core.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
+index 0beb44f2fe1f0..f001582345052 100644
+--- a/net/8021q/vlan_core.c
++++ b/net/8021q/vlan_core.c
+@@ -407,6 +407,8 @@ int vlan_vids_add_by_dev(struct net_device *dev,
+ return 0;
+
+ list_for_each_entry(vid_info, &vlan_info->vid_list, list) {
++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto))
++ continue;
+ err = vlan_vid_add(dev, vid_info->proto, vid_info->vid);
+ if (err)
+ goto unwind;
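Review bot: The skip in vlan_vids_add_by_dev() tests `by_dev`, not `dev`, and is evaluated from `by_dev`'s feature bits at the time of each call; the same test is repeated in the unwind loop and in vlan_vids_del_by_dev() in the next two hunks. Add and delete therefore stay balanced only if those bits are unchanged between the two calls, which the hunks do not establish and which is worth confirming for the case where the filter feature is toggled while a lower device is attached. A comment at the first test, something like `/* only vids that by_dev itself filters in hardware are mirrored onto dev */`, would explain why `by_dev` is the device checked.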
+@@ -417,6 +419,8 @@ int vlan_vids_add_by_dev(struct net_device *dev,
+ list_for_each_entry_continue_reverse(vid_info,
+ &vlan_info->vid_list,
+ list) {
++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto))
++ continue;
+ vlan_vid_del(dev, vid_info->proto, vid_info->vid);
+ }
+
+@@ -436,8 +440,11 @@ void vlan_vids_del_by_dev(struct net_device *dev,
+ if (!vlan_info)
+ return;
+
+- list_for_each_entry(vid_info, &vlan_info->vid_list, list)
++ list_for_each_entry(vid_info, &vlan_info->vid_list, list) {
++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto))
++ continue;
+ vlan_vid_del(dev, vid_info->proto, vid_info->vid);
++ }
+ }
+ EXPORT_SYMBOL(vlan_vids_del_by_dev);
+
+--
+2.43.0
+
--- /dev/null
+From 6471b5ff6f3293b719e553af91333fef2962e397 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Dec 2023 16:37:40 +0100
+Subject: net: ethernet: mtk_wed: fix possible NULL pointer dereference in
+ mtk_wed_wo_queue_tx_clean()
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 7cb8cd4daacfea646cf8b5925ca2c66c98b18480 ]
+
+In order to avoid a NULL pointer dereference, check entry->buf pointer before running
+skb_free_frag in mtk_wed_wo_queue_tx_clean routine.
+
+Fixes: 799684448e3e ("net: ethernet: mtk_wed: introduce wed wo support")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/3c1262464d215faa8acebfc08869798c81c96f4a.1702827359.git.lorenzo@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_wed_wo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_wed_wo.c b/drivers/net/ethernet/mediatek/mtk_wed_wo.c
+index 3bd51a3d66500..ae44ad5f8ce8a 100644
+--- a/drivers/net/ethernet/mediatek/mtk_wed_wo.c
++++ b/drivers/net/ethernet/mediatek/mtk_wed_wo.c
+@@ -291,6 +291,9 @@ mtk_wed_wo_queue_tx_clean(struct mtk_wed_wo *wo, struct mtk_wed_wo_queue *q)
+ for (i = 0; i < q->n_desc; i++) {
+ struct mtk_wed_wo_queue_entry *entry = &q->entry[i];
+
++ if (!entry->buf)
++ continue;
++
+ dma_unmap_single(wo->hw->dev, entry->addr, entry->len,
+ DMA_TO_DEVICE);
+ skb_free_frag(entry->buf);
+--
+2.43.0
+
--- /dev/null
+From e7fbea123f2a76ff03c6c2161c69b4d7e53242f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Dec 2023 20:02:43 -0700
+Subject: net/ipv6: Revert remove expired routes with a separated list of
+ routes
+
+From: David Ahern <dsahern@kernel.org>
+
+[ Upstream commit dade3f6a1e4e35a5ae916d5e78b3229ec34c78ec ]
+
+This reverts commit 3dec89b14d37ee635e772636dad3f09f78f1ab87.
+
+The commit has some race conditions given how expires is managed on a
+fib6_info in relation to gc start, adding the entry to the gc list and
+setting the timer value leading to UAF. Revert the commit and try again
+in a later release.
+
+Fixes: 3dec89b14d37 ("net/ipv6: Remove expired routes with a separated list of routes")
+Cc: Kui-Feng Lee <thinker.li@gmail.com>
+Signed-off-by: David Ahern <dsahern@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20231219030243.25687-1-dsahern@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip6_fib.h | 64 +++++++++----------------------------------
+ net/ipv6/ip6_fib.c | 55 ++++---------------------------------
+ net/ipv6/route.c | 6 ++--
+ 3 files changed, 22 insertions(+), 103 deletions(-)
+
+diff --git a/include/net/ip6_fib.h b/include/net/ip6_fib.h
+index 1ba9f4ddf2f6d..9ba6413fd2e3e 100644
+--- a/include/net/ip6_fib.h
++++ b/include/net/ip6_fib.h
+@@ -179,9 +179,6 @@ struct fib6_info {
+
+ refcount_t fib6_ref;
+ unsigned long expires;
+-
+- struct hlist_node gc_link;
+-
+ struct dst_metrics *fib6_metrics;
+ #define fib6_pmtu fib6_metrics->metrics[RTAX_MTU-1]
+
+@@ -250,6 +247,19 @@ static inline bool fib6_requires_src(const struct fib6_info *rt)
+ return rt->fib6_src.plen > 0;
+ }
+
++static inline void fib6_clean_expires(struct fib6_info *f6i)
++{
++ f6i->fib6_flags &= ~RTF_EXPIRES;
++ f6i->expires = 0;
++}
++
++static inline void fib6_set_expires(struct fib6_info *f6i,
++ unsigned long expires)
++{
++ f6i->expires = expires;
++ f6i->fib6_flags |= RTF_EXPIRES;
++}
++
+ static inline bool fib6_check_expired(const struct fib6_info *f6i)
+ {
+ if (f6i->fib6_flags & RTF_EXPIRES)
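Review bot: The restored `fib6_set_expires()` and `fib6_clean_expires()` update `expires` and `fib6_flags` as two plain stores, with no lock taken and no comment saying which lock the caller must hold, while `fib6_check_expired()` just below reads the flag and then the value. Since this revert exists because of races around how `expires` is managed, I would state the expectation on both helpers, for example `/* Caller must hold tb6_lock if f6i is already linked into a table */`. That wording needs confirming against the call sites, which are outside this hunk. `fib6_check_expired()` itself continues past the end of the hunk.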
+@@ -257,11 +267,6 @@ static inline bool fib6_check_expired(const struct fib6_info *f6i)
+ return false;
+ }
+
+-static inline bool fib6_has_expires(const struct fib6_info *f6i)
+-{
+- return f6i->fib6_flags & RTF_EXPIRES;
+-}
+-
+ /* Function to safely get fn->fn_sernum for passed in rt
+ * and store result in passed in cookie.
+ * Return true if we can get cookie safely
+@@ -383,7 +388,6 @@ struct fib6_table {
+ struct inet_peer_base tb6_peers;
+ unsigned int flags;
+ unsigned int fib_seq;
+- struct hlist_head tb6_gc_hlist; /* GC candidates */
+ #define RT6_TABLE_HAS_DFLT_ROUTER BIT(0)
+ };
+
+@@ -500,48 +504,6 @@ void fib6_gc_cleanup(void);
+
+ int fib6_init(void);
+
+-/* fib6_info must be locked by the caller, and fib6_info->fib6_table can be
+- * NULL.
+- */
+-static inline void fib6_set_expires_locked(struct fib6_info *f6i,
+- unsigned long expires)
+-{
+- struct fib6_table *tb6;
+-
+- tb6 = f6i->fib6_table;
+- f6i->expires = expires;
+- if (tb6 && !fib6_has_expires(f6i))
+- hlist_add_head(&f6i->gc_link, &tb6->tb6_gc_hlist);
+- f6i->fib6_flags |= RTF_EXPIRES;
+-}
+-
+-/* fib6_info must be locked by the caller, and fib6_info->fib6_table can be
+- * NULL. If fib6_table is NULL, the fib6_info will no be inserted into the
+- * list of GC candidates until it is inserted into a table.
+- */
+-static inline void fib6_set_expires(struct fib6_info *f6i,
+- unsigned long expires)
+-{
+- spin_lock_bh(&f6i->fib6_table->tb6_lock);
+- fib6_set_expires_locked(f6i, expires);
+- spin_unlock_bh(&f6i->fib6_table->tb6_lock);
+-}
+-
+-static inline void fib6_clean_expires_locked(struct fib6_info *f6i)
+-{
+- if (fib6_has_expires(f6i))
+- hlist_del_init(&f6i->gc_link);
+- f6i->fib6_flags &= ~RTF_EXPIRES;
+- f6i->expires = 0;
+-}
+-
+-static inline void fib6_clean_expires(struct fib6_info *f6i)
+-{
+- spin_lock_bh(&f6i->fib6_table->tb6_lock);
+- fib6_clean_expires_locked(f6i);
+- spin_unlock_bh(&f6i->fib6_table->tb6_lock);
+-}
+-
+ struct ipv6_route_iter {
+ struct seq_net_private p;
+ struct fib6_walker w;
+diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
+index 7772f42ff2b94..4fc2cae0d116c 100644
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -160,8 +160,6 @@ struct fib6_info *fib6_info_alloc(gfp_t gfp_flags, bool with_fib6_nh)
+ INIT_LIST_HEAD(&f6i->fib6_siblings);
+ refcount_set(&f6i->fib6_ref, 1);
+
+- INIT_HLIST_NODE(&f6i->gc_link);
+-
+ return f6i;
+ }
+
+@@ -248,7 +246,6 @@ static struct fib6_table *fib6_alloc_table(struct net *net, u32 id)
+ net->ipv6.fib6_null_entry);
+ table->tb6_root.fn_flags = RTN_ROOT | RTN_TL_ROOT | RTN_RTINFO;
+ inet_peer_base_init(&table->tb6_peers);
+- INIT_HLIST_HEAD(&table->tb6_gc_hlist);
+ }
+
+ return table;
+@@ -1060,8 +1057,6 @@ static void fib6_purge_rt(struct fib6_info *rt, struct fib6_node *fn,
+ lockdep_is_held(&table->tb6_lock));
+ }
+ }
+-
+- fib6_clean_expires_locked(rt);
+ }
+
+ /*
+@@ -1123,10 +1118,9 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt,
+ if (!(iter->fib6_flags & RTF_EXPIRES))
+ return -EEXIST;
+ if (!(rt->fib6_flags & RTF_EXPIRES))
+- fib6_clean_expires_locked(iter);
++ fib6_clean_expires(iter);
+ else
+- fib6_set_expires_locked(iter,
+- rt->expires);
++ fib6_set_expires(iter, rt->expires);
+
+ if (rt->fib6_pmtu)
+ fib6_metric_set(iter, RTAX_MTU,
+@@ -1485,10 +1479,6 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt,
+ if (rt->nh)
+ list_add(&rt->nh_list, &rt->nh->f6i_list);
+ __fib6_update_sernum_upto_root(rt, fib6_new_sernum(info->nl_net));
+-
+- if (fib6_has_expires(rt))
+- hlist_add_head(&rt->gc_link, &table->tb6_gc_hlist);
+-
+ fib6_start_gc(info->nl_net, rt);
+ }
+
+@@ -2291,8 +2281,9 @@ static void fib6_flush_trees(struct net *net)
+ * Garbage collection
+ */
+
+-static int fib6_age(struct fib6_info *rt, struct fib6_gc_args *gc_args)
++static int fib6_age(struct fib6_info *rt, void *arg)
+ {
++ struct fib6_gc_args *gc_args = arg;
+ unsigned long now = jiffies;
+
+ /*
+@@ -2300,7 +2291,7 @@ static int fib6_age(struct fib6_info *rt, struct fib6_gc_args *gc_args)
+ * Routes are expired even if they are in use.
+ */
+
+- if (fib6_has_expires(rt) && rt->expires) {
++ if (rt->fib6_flags & RTF_EXPIRES && rt->expires) {
+ if (time_after(now, rt->expires)) {
+ RT6_TRACE("expiring %p\n", rt);
+ return -1;
+@@ -2317,40 +2308,6 @@ static int fib6_age(struct fib6_info *rt, struct fib6_gc_args *gc_args)
+ return 0;
+ }
+
+-static void fib6_gc_table(struct net *net,
+- struct fib6_table *tb6,
+- struct fib6_gc_args *gc_args)
+-{
+- struct fib6_info *rt;
+- struct hlist_node *n;
+- struct nl_info info = {
+- .nl_net = net,
+- .skip_notify = false,
+- };
+-
+- hlist_for_each_entry_safe(rt, n, &tb6->tb6_gc_hlist, gc_link)
+- if (fib6_age(rt, gc_args) == -1)
+- fib6_del(rt, &info);
+-}
+-
+-static void fib6_gc_all(struct net *net, struct fib6_gc_args *gc_args)
+-{
+- struct fib6_table *table;
+- struct hlist_head *head;
+- unsigned int h;
+-
+- rcu_read_lock();
+- for (h = 0; h < FIB6_TABLE_HASHSZ; h++) {
+- head = &net->ipv6.fib_table_hash[h];
+- hlist_for_each_entry_rcu(table, head, tb6_hlist) {
+- spin_lock_bh(&table->tb6_lock);
+- fib6_gc_table(net, table, gc_args);
+- spin_unlock_bh(&table->tb6_lock);
+- }
+- }
+- rcu_read_unlock();
+-}
+-
+ void fib6_run_gc(unsigned long expires, struct net *net, bool force)
+ {
+ struct fib6_gc_args gc_args;
+@@ -2366,7 +2323,7 @@ void fib6_run_gc(unsigned long expires, struct net *net, bool force)
+ net->ipv6.sysctl.ip6_rt_gc_interval;
+ gc_args.more = 0;
+
+- fib6_gc_all(net, &gc_args);
++ fib6_clean_all(net, fib6_age, &gc_args);
+ now = jiffies;
+ net->ipv6.ip6_rt_last_gc = now;
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 9c687b357e6a4..56525b5b95a2b 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -3763,10 +3763,10 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg,
+ rt->dst_nocount = true;
+
+ if (cfg->fc_flags & RTF_EXPIRES)
+- fib6_set_expires_locked(rt, jiffies +
+- clock_t_to_jiffies(cfg->fc_expires));
++ fib6_set_expires(rt, jiffies +
++ clock_t_to_jiffies(cfg->fc_expires));
+ else
+- fib6_clean_expires_locked(rt);
++ fib6_clean_expires(rt);
+
+ if (cfg->fc_protocol == RTPROT_UNSPEC)
+ cfg->fc_protocol = RTPROT_BOOT;
+--
+2.43.0
+
--- /dev/null
+From f7ba325e48e47386f80cd4163f5bd1f2d3bb8c5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Dec 2023 12:33:53 -0800
+Subject: net: mana: select PAGE_POOL
+
+From: Yury Norov <yury.norov@gmail.com>
+
+[ Upstream commit 340943fbff3d8faa44d2223ca04917df28786a07 ]
+
+Mana uses PAGE_POOL API. x86_64 defconfig doesn't select it:
+
+ld: vmlinux.o: in function `mana_create_page_pool.isra.0':
+mana_en.c:(.text+0x9ae36f): undefined reference to `page_pool_create'
+ld: vmlinux.o: in function `mana_get_rxfrag':
+mana_en.c:(.text+0x9afed1): undefined reference to `page_pool_alloc_pages'
+make[3]: *** [/home/yury/work/linux/scripts/Makefile.vmlinux:37: vmlinux] Error 1
+make[2]: *** [/home/yury/work/linux/Makefile:1154: vmlinux] Error 2
+make[1]: *** [/home/yury/work/linux/Makefile:234: __sub-make] Error 2
+make[1]: Leaving directory '/home/yury/work/build-linux-x86_64'
+make: *** [Makefile:234: __sub-make] Error 2
+
+So we need to select it explicitly.
+
+Signed-off-by: Yury Norov <yury.norov@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Simon Horman <horms@kernel.org> # build-tested
+Fixes: ca9c54d2 ("net: mana: Add a driver for Microsoft Azure Network Adapter")
+Link: https://lore.kernel.org/r/20231215203353.635379-1-yury.norov@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microsoft/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/microsoft/Kconfig b/drivers/net/ethernet/microsoft/Kconfig
+index 090e6b9832431..01eb7445ead95 100644
+--- a/drivers/net/ethernet/microsoft/Kconfig
++++ b/drivers/net/ethernet/microsoft/Kconfig
+@@ -20,6 +20,7 @@ config MICROSOFT_MANA
+ depends on PCI_MSI && X86_64
+ depends on PCI_HYPERV
+ select AUXILIARY_BUS
++ select PAGE_POOL
+ help
+ This driver supports Microsoft Azure Network Adapter (MANA).
+ So far, the driver is only supported on X86_64.
+--
+2.43.0
+
--- /dev/null
+From 77ec4b4fbdfd8473a3847f2f003403041d052515 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Nov 2023 11:30:34 +0200
+Subject: net/mlx5: Fix fw tracer first block check
+
+From: Moshe Shemesh <moshe@nvidia.com>
+
+[ Upstream commit 4261edf11cb7c9224af713a102e5616329306932 ]
+
+While handling new traces, to verify it is not the first block being
+written, last_timestamp is checked. But instead of checking it is non
+zero it is verified to be zero. Fix to verify last_timestamp is not
+zero.
+
+Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling")
+Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Feras Daoud <ferasda@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+index ad789349c06e6..85d3bfa0780c6 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+@@ -718,7 +718,7 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work)
+
+ while (block_timestamp > tracer->last_timestamp) {
+ /* Check block override if it's not the first block */
+- if (!tracer->last_timestamp) {
++ if (tracer->last_timestamp) {
+ u64 *ts_event;
+ /* To avoid block override be the HW in case of buffer
+ * wraparound, the time stamp of the previous block
+--
+2.43.0
+
--- /dev/null
+From 2649807704e6748ba789c0233b1a5317ced2ae1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Oct 2023 15:22:22 +0200
+Subject: net/mlx5: Refactor mlx5_flow_destination->rep pointer to vport num
+
+From: Vlad Buslov <vladbu@nvidia.com>
+
+[ Upstream commit 04ad04e4fdd10f92ef4f2b3f6227ec9824682197 ]
+
+Currently the destination rep pointer is only used for comparisons or to
+obtain vport number from it. Since it is used both during flow creation and
+deletion it may point to representor of another eswitch instance which can
+be deallocated during driver unload even when there are rules pointing to
+it[0]. Refactor the code to store vport number and 'valid' flag instead of
+the representor pointer.
+
+[0]:
+[176805.886303] ==================================================================
+[176805.889433] BUG: KASAN: slab-use-after-free in esw_cleanup_dests+0x390/0x440 [mlx5_core]
+[176805.892981] Read of size 2 at addr ffff888155090aa0 by task modprobe/27280
+
+[176805.895462] CPU: 3 PID: 27280 Comm: modprobe Tainted: G B 6.6.0-rc3+ #1
+[176805.896771] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+[176805.898514] Call Trace:
+[176805.899026] <TASK>
+[176805.899519] dump_stack_lvl+0x33/0x50
+[176805.900221] print_report+0xc2/0x610
+[176805.900893] ? mlx5_chains_put_table+0x33d/0x8d0 [mlx5_core]
+[176805.901897] ? esw_cleanup_dests+0x390/0x440 [mlx5_core]
+[176805.902852] kasan_report+0xac/0xe0
+[176805.903509] ? esw_cleanup_dests+0x390/0x440 [mlx5_core]
+[176805.904461] esw_cleanup_dests+0x390/0x440 [mlx5_core]
+[176805.905223] __mlx5_eswitch_del_rule+0x1ae/0x460 [mlx5_core]
+[176805.906044] ? esw_cleanup_dests+0x440/0x440 [mlx5_core]
+[176805.906822] ? xas_find_conflict+0x420/0x420
+[176805.907496] ? down_read+0x11e/0x200
+[176805.908046] mlx5e_tc_rule_unoffload+0xc4/0x2a0 [mlx5_core]
+[176805.908844] mlx5e_tc_del_fdb_flow+0x7da/0xb10 [mlx5_core]
+[176805.909597] mlx5e_flow_put+0x4b/0x80 [mlx5_core]
+[176805.910275] mlx5e_delete_flower+0x5b4/0xb70 [mlx5_core]
+[176805.911010] tc_setup_cb_reoffload+0x27/0xb0
+[176805.911648] fl_reoffload+0x62d/0x900 [cls_flower]
+[176805.912313] ? mlx5e_rep_indr_block_unbind+0xd0/0xd0 [mlx5_core]
+[176805.913151] ? __fl_put+0x230/0x230 [cls_flower]
+[176805.913768] ? filter_irq_stacks+0x90/0x90
+[176805.914335] ? kasan_save_stack+0x1e/0x40
+[176805.914893] ? kasan_set_track+0x21/0x30
+[176805.915484] ? kasan_save_free_info+0x27/0x40
+[176805.916105] tcf_block_playback_offloads+0x79/0x1f0
+[176805.916773] ? mlx5e_rep_indr_block_unbind+0xd0/0xd0 [mlx5_core]
+[176805.917647] tcf_block_unbind+0x12d/0x330
+[176805.918239] tcf_block_offload_cmd.isra.0+0x24e/0x320
+[176805.918953] ? tcf_block_bind+0x770/0x770
+[176805.919551] ? _raw_read_unlock_irqrestore+0x30/0x30
+[176805.920236] ? mutex_lock+0x7d/0xd0
+[176805.920735] ? mutex_unlock+0x80/0xd0
+[176805.921255] tcf_block_offload_unbind+0xa5/0x120
+[176805.921909] __tcf_block_put+0xc2/0x2d0
+[176805.922467] ingress_destroy+0xf4/0x3d0 [sch_ingress]
+[176805.923178] __qdisc_destroy+0x9d/0x280
+[176805.923741] dev_shutdown+0x1c6/0x330
+[176805.924295] unregister_netdevice_many_notify+0x6ef/0x1500
+[176805.925034] ? netdev_freemem+0x50/0x50
+[176805.925610] ? _raw_spin_lock_irq+0x7b/0xd0
+[176805.926235] ? _raw_spin_lock_bh+0xe0/0xe0
+[176805.926849] unregister_netdevice_queue+0x1e0/0x280
+[176805.927592] ? unregister_netdevice_many+0x10/0x10
+[176805.928275] unregister_netdev+0x18/0x20
+[176805.928835] mlx5e_vport_rep_unload+0xc0/0x200 [mlx5_core]
+[176805.929608] mlx5_esw_offloads_unload_rep+0x9d/0xc0 [mlx5_core]
+[176805.930492] mlx5_eswitch_unload_vf_vports+0x108/0x1a0 [mlx5_core]
+[176805.931422] ? mlx5_eswitch_unload_sf_vport+0x50/0x50 [mlx5_core]
+[176805.932304] ? rwsem_down_write_slowpath+0x11f0/0x11f0
+[176805.932987] mlx5_eswitch_disable_sriov+0x6f9/0xa60 [mlx5_core]
+[176805.933807] ? mlx5_core_disable_hca+0xe1/0x130 [mlx5_core]
+[176805.934576] ? mlx5_eswitch_disable_locked+0x580/0x580 [mlx5_core]
+[176805.935463] mlx5_device_disable_sriov+0x138/0x490 [mlx5_core]
+[176805.936308] mlx5_sriov_disable+0x8c/0xb0 [mlx5_core]
+[176805.937063] remove_one+0x7f/0x210 [mlx5_core]
+[176805.937711] pci_device_remove+0x96/0x1c0
+[176805.938289] device_release_driver_internal+0x361/0x520
+[176805.938981] ? kobject_put+0x5c/0x330
+[176805.939553] driver_detach+0xd7/0x1d0
+[176805.940101] bus_remove_driver+0x11f/0x290
+[176805.943847] pci_unregister_driver+0x23/0x1f0
+[176805.944505] mlx5_cleanup+0xc/0x20 [mlx5_core]
+[176805.945189] __x64_sys_delete_module+0x2b3/0x450
+[176805.945837] ? module_flags+0x300/0x300
+[176805.946377] ? dput+0xc2/0x830
+[176805.946848] ? __kasan_record_aux_stack+0x9c/0xb0
+[176805.947555] ? __call_rcu_common.constprop.0+0x46c/0xb50
+[176805.948338] ? fpregs_assert_state_consistent+0x1d/0xa0
+[176805.949055] ? exit_to_user_mode_prepare+0x30/0x120
+[176805.949713] do_syscall_64+0x3d/0x90
+[176805.950226] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+[176805.950904] RIP: 0033:0x7f7f42c3f5ab
+[176805.951462] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 01 48
+[176805.953710] RSP: 002b:00007fff07dc9d08 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
+[176805.954691] RAX: ffffffffffffffda RBX: 000055b6e91c01e0 RCX: 00007f7f42c3f5ab
+[176805.955691] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6e91c0248
+[176805.956662] RBP: 000055b6e91c01e0 R08: 0000000000000000 R09: 0000000000000000
+[176805.957601] R10: 00007f7f42d9eac0 R11: 0000000000000206 R12: 000055b6e91c0248
+[176805.958593] R13: 0000000000000000 R14: 000055b6e91bfb38 R15: 0000000000000000
+[176805.959599] </TASK>
+
+[176805.960324] Allocated by task 20490:
+[176805.960893] kasan_save_stack+0x1e/0x40
+[176805.961463] kasan_set_track+0x21/0x30
+[176805.962019] __kasan_kmalloc+0x77/0x90
+[176805.962554] esw_offloads_init+0x1bb/0x480 [mlx5_core]
+[176805.963318] mlx5_eswitch_init+0xc70/0x15c0 [mlx5_core]
+[176805.964092] mlx5_init_one_devl_locked+0x366/0x1230 [mlx5_core]
+[176805.964902] probe_one+0x6f7/0xc90 [mlx5_core]
+[176805.965541] local_pci_probe+0xd7/0x180
+[176805.966075] pci_device_probe+0x231/0x6f0
+[176805.966631] really_probe+0x1d4/0xb50
+[176805.967179] __driver_probe_device+0x18d/0x450
+[176805.967810] driver_probe_device+0x49/0x120
+[176805.968431] __driver_attach+0x1fb/0x490
+[176805.968976] bus_for_each_dev+0xed/0x170
+[176805.969560] bus_add_driver+0x21a/0x570
+[176805.970124] driver_register+0x133/0x460
+[176805.970684] 0xffffffffa0678065
+[176805.971180] do_one_initcall+0x92/0x2b0
+[176805.971744] do_init_module+0x22d/0x720
+[176805.972318] load_module+0x58c3/0x63b0
+[176805.972847] init_module_from_file+0xd2/0x130
+[176805.973441] __x64_sys_finit_module+0x389/0x7c0
+[176805.974045] do_syscall_64+0x3d/0x90
+[176805.974556] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+[176805.975566] Freed by task 27280:
+[176805.976077] kasan_save_stack+0x1e/0x40
+[176805.976655] kasan_set_track+0x21/0x30
+[176805.977221] kasan_save_free_info+0x27/0x40
+[176805.977834] ____kasan_slab_free+0x11a/0x1b0
+[176805.978505] __kmem_cache_free+0x163/0x2d0
+[176805.979113] esw_offloads_cleanup_reps+0xb8/0x120 [mlx5_core]
+[176805.979963] mlx5_eswitch_cleanup+0x182/0x270 [mlx5_core]
+[176805.980763] mlx5_cleanup_once+0x9a/0x1e0 [mlx5_core]
+[176805.981477] mlx5_uninit_one+0xa9/0x180 [mlx5_core]
+[176805.982196] remove_one+0x8f/0x210 [mlx5_core]
+[176805.982868] pci_device_remove+0x96/0x1c0
+[176805.983461] device_release_driver_internal+0x361/0x520
+[176805.984169] driver_detach+0xd7/0x1d0
+[176805.984702] bus_remove_driver+0x11f/0x290
+[176805.985261] pci_unregister_driver+0x23/0x1f0
+[176805.985847] mlx5_cleanup+0xc/0x20 [mlx5_core]
+[176805.986483] __x64_sys_delete_module+0x2b3/0x450
+[176805.987126] do_syscall_64+0x3d/0x90
+[176805.987665] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+[176805.988667] Last potentially related work creation:
+[176805.989305] kasan_save_stack+0x1e/0x40
+[176805.989839] __kasan_record_aux_stack+0x9c/0xb0
+[176805.990443] kvfree_call_rcu+0x84/0xa30
+[176805.990973] clean_xps_maps+0x265/0x6e0
+[176805.991547] netif_reset_xps_queues.part.0+0x3f/0x80
+[176805.992226] unregister_netdevice_many_notify+0xfcf/0x1500
+[176805.992966] unregister_netdevice_queue+0x1e0/0x280
+[176805.993638] unregister_netdev+0x18/0x20
+[176805.994205] mlx5e_remove+0xba/0x1e0 [mlx5_core]
+[176805.994872] auxiliary_bus_remove+0x52/0x70
+[176805.995490] device_release_driver_internal+0x361/0x520
+[176805.996196] bus_remove_device+0x1e1/0x3d0
+[176805.996767] device_del+0x390/0x980
+[176805.997270] mlx5_rescan_drivers_locked.part.0+0x130/0x540 [mlx5_core]
+[176805.998195] mlx5_unregister_device+0x77/0xc0 [mlx5_core]
+[176805.998989] mlx5_uninit_one+0x41/0x180 [mlx5_core]
+[176805.999719] remove_one+0x8f/0x210 [mlx5_core]
+[176806.000387] pci_device_remove+0x96/0x1c0
+[176806.000938] device_release_driver_internal+0x361/0x520
+[176806.001612] unbind_store+0xd8/0xf0
+[176806.002108] kernfs_fop_write_iter+0x2c0/0x440
+[176806.002748] vfs_write+0x725/0xba0
+[176806.003294] ksys_write+0xed/0x1c0
+[176806.003823] do_syscall_64+0x3d/0x90
+[176806.004357] entry_SYSCALL_64_after_hwframe+0x46/0xb0
+
+[176806.005317] The buggy address belongs to the object at ffff888155090a80
+ which belongs to the cache kmalloc-64 of size 64
+[176806.006774] The buggy address is located 32 bytes inside of
+ freed 64-byte region [ffff888155090a80, ffff888155090ac0)
+
+[176806.008773] The buggy address belongs to the physical page:
+[176806.009480] page:00000000a407e0e6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155090
+[176806.010633] flags: 0x200000000000800(slab|node=0|zone=2)
+[176806.011352] page_type: 0xffffffff()
+[176806.011905] raw: 0200000000000800 ffff888100042640 ffffea000422b1c0 dead000000000004
+[176806.012949] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
+[176806.013933] page dumped because: kasan: bad access detected
+
+[176806.014935] Memory state around the buggy address:
+[176806.015601] ffff888155090980: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[176806.016568] ffff888155090a00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[176806.017497] >ffff888155090a80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[176806.018438] ^
+[176806.019007] ffff888155090b00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[176806.020001] ffff888155090b80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[176806.020996] ==================================================================
+
+Fixes: a508728a4c8b ("net/mlx5e: VF tunnel RX traffic offloading")
+Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../mellanox/mlx5/core/en/tc/act/mirred.c | 5 +++--
+ .../mellanox/mlx5/core/en/tc_tun_encap.c | 3 ++-
+ .../net/ethernet/mellanox/mlx5/core/eswitch.h | 3 ++-
+ .../mellanox/mlx5/core/eswitch_offloads.c | 19 +++++++++----------
+ .../mlx5/core/eswitch_offloads_termtbl.c | 4 ++--
+ 5 files changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/mirred.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/mirred.c
+index f63402c480280..1b418095b79a3 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/mirred.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc/act/mirred.c
+@@ -197,7 +197,7 @@ parse_mirred_encap(struct mlx5e_tc_act_parse_state *parse_state,
+ }
+ esw_attr->dests[esw_attr->out_count].flags |= MLX5_ESW_DEST_ENCAP;
+ esw_attr->out_count++;
+- /* attr->dests[].rep is resolved when we handle encap */
++ /* attr->dests[].vport is resolved when we handle encap */
+
+ return 0;
+ }
+@@ -270,7 +270,8 @@ parse_mirred(struct mlx5e_tc_act_parse_state *parse_state,
+
+ out_priv = netdev_priv(out_dev);
+ rpriv = out_priv->ppriv;
+- esw_attr->dests[esw_attr->out_count].rep = rpriv->rep;
++ esw_attr->dests[esw_attr->out_count].vport_valid = true;
++ esw_attr->dests[esw_attr->out_count].vport = rpriv->rep->vport;
+ esw_attr->dests[esw_attr->out_count].mdev = out_priv->mdev;
+
+ esw_attr->out_count++;
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+index b10e40e1a9c14..f1d1e1542e81b 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+@@ -1064,7 +1064,8 @@ int mlx5e_tc_tun_encap_dests_set(struct mlx5e_priv *priv,
+
+ out_priv = netdev_priv(encap_dev);
+ rpriv = out_priv->ppriv;
+- esw_attr->dests[out_index].rep = rpriv->rep;
++ esw_attr->dests[out_index].vport_valid = true;
++ esw_attr->dests[out_index].vport = rpriv->rep->vport;
+ esw_attr->dests[out_index].mdev = out_priv->mdev;
+ }
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+index b674b57d05aad..b4eb17141edf3 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.h
+@@ -526,7 +526,8 @@ struct mlx5_esw_flow_attr {
+ u8 total_vlan;
+ struct {
+ u32 flags;
+- struct mlx5_eswitch_rep *rep;
++ bool vport_valid;
++ u16 vport;
+ struct mlx5_pkt_reformat *pkt_reformat;
+ struct mlx5_core_dev *mdev;
+ struct mlx5_termtbl_handle *termtbl;
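Review bot: The new `vport` field is only meaningful when `vport_valid` is set, but nothing in the struct says so, and an entry that was never filled in now reads as vport number 0 instead of a NULL `rep`. A one-line comment on the pair, such as `/* vport is meaningful only when vport_valid is true */`, would make that contract visible. It matters because several readers in eswitch_offloads.c (`esw_put_dest_tables_loop()`, `esw_setup_indir_table()`, `esw_setup_dest_fwd_vport()`) use `dests[].vport` without testing `vport_valid`. Whether their callers guarantee a valid entry cannot be told from these hunks. The struct definition starts and ends outside the hunk.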
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+index 9bd5609cf6597..b0455134c98ef 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -287,10 +287,9 @@ static void esw_put_dest_tables_loop(struct mlx5_eswitch *esw, struct mlx5_flow_
+ for (i = from; i < to; i++)
+ if (esw_attr->dests[i].flags & MLX5_ESW_DEST_CHAIN_WITH_SRC_PORT_CHANGE)
+ mlx5_chains_put_table(chains, 0, 1, 0);
+- else if (mlx5_esw_indir_table_needed(esw, attr, esw_attr->dests[i].rep->vport,
++ else if (mlx5_esw_indir_table_needed(esw, attr, esw_attr->dests[i].vport,
+ esw_attr->dests[i].mdev))
+- mlx5_esw_indir_table_put(esw, esw_attr->dests[i].rep->vport,
+- false);
++ mlx5_esw_indir_table_put(esw, esw_attr->dests[i].vport, false);
+ }
+
+ static bool
+@@ -358,8 +357,8 @@ esw_is_indir_table(struct mlx5_eswitch *esw, struct mlx5_flow_attr *attr)
+ * this criteria.
+ */
+ for (i = esw_attr->split_count; i < esw_attr->out_count; i++) {
+- if (esw_attr->dests[i].rep &&
+- mlx5_esw_indir_table_needed(esw, attr, esw_attr->dests[i].rep->vport,
++ if (esw_attr->dests[i].vport_valid &&
++ mlx5_esw_indir_table_needed(esw, attr, esw_attr->dests[i].vport,
+ esw_attr->dests[i].mdev)) {
+ result = true;
+ } else {
+@@ -388,7 +387,7 @@ esw_setup_indir_table(struct mlx5_flow_destination *dest,
+ dest[*i].type = MLX5_FLOW_DESTINATION_TYPE_FLOW_TABLE;
+
+ dest[*i].ft = mlx5_esw_indir_table_get(esw, attr,
+- esw_attr->dests[j].rep->vport, false);
++ esw_attr->dests[j].vport, false);
+ if (IS_ERR(dest[*i].ft)) {
+ err = PTR_ERR(dest[*i].ft);
+ goto err_indir_tbl_get;
+@@ -432,11 +431,11 @@ static bool esw_setup_uplink_fwd_ipsec_needed(struct mlx5_eswitch *esw,
+ int attr_idx)
+ {
+ if (esw->offloads.ft_ipsec_tx_pol &&
+- esw_attr->dests[attr_idx].rep &&
+- esw_attr->dests[attr_idx].rep->vport == MLX5_VPORT_UPLINK &&
++ esw_attr->dests[attr_idx].vport_valid &&
++ esw_attr->dests[attr_idx].vport == MLX5_VPORT_UPLINK &&
+ /* To be aligned with software, encryption is needed only for tunnel device */
+ (esw_attr->dests[attr_idx].flags & MLX5_ESW_DEST_ENCAP_VALID) &&
+- esw_attr->dests[attr_idx].rep != esw_attr->in_rep &&
++ esw_attr->dests[attr_idx].vport != esw_attr->in_rep->vport &&
+ esw_same_vhca_id(esw_attr->dests[attr_idx].mdev, esw->dev))
+ return true;
+
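Review bot: The comparison `esw_attr->dests[attr_idx].vport != esw_attr->in_rep->vport` is not equivalent to the pointer comparison it replaces: representors owned by different eswitch instances may carry the same vport number, so the test can now be false where `rep != in_rep` was true. The commit message itself says a destination may belong to another eswitch instance, so I would either compare the owning device as well or add a comment explaining why the number alone is sufficient here. The line also dereferences `esw_attr->in_rep`, which the old code only compared. Presumably it is always set on this path, but that is not visible in the hunk. The function ends outside the hunk.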
+@@ -469,7 +468,7 @@ esw_setup_dest_fwd_vport(struct mlx5_flow_destination *dest, struct mlx5_flow_ac
+ int attr_idx, int dest_idx, bool pkt_reformat)
+ {
+ dest[dest_idx].type = MLX5_FLOW_DESTINATION_TYPE_VPORT;
+- dest[dest_idx].vport.num = esw_attr->dests[attr_idx].rep->vport;
++ dest[dest_idx].vport.num = esw_attr->dests[attr_idx].vport;
+ if (MLX5_CAP_ESW(esw->dev, merged_eswitch)) {
+ dest[dest_idx].vport.vhca_id =
+ MLX5_CAP_GEN(esw_attr->dests[attr_idx].mdev, vhca_id);
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c
+index edd9102583144..40bdc677f051d 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads_termtbl.c
+@@ -233,8 +233,8 @@ mlx5_eswitch_termtbl_required(struct mlx5_eswitch *esw,
+
+ /* hairpin */
+ for (i = esw_attr->split_count; i < esw_attr->out_count; i++)
+- if (!esw_attr->dest_int_port && esw_attr->dests[i].rep &&
+- esw_attr->dests[i].rep->vport == MLX5_VPORT_UPLINK)
++ if (!esw_attr->dest_int_port && esw_attr->dests[i].vport_valid &&
++ esw_attr->dests[i].vport == MLX5_VPORT_UPLINK)
+ return true;
+
+ return false;
+--
+2.43.0
+
--- /dev/null
+From c3cc1a935ea3290fb361e47b3e745c80b6fbb577 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Nov 2023 15:00:21 -0800
+Subject: net/mlx5e: Correct snprintf truncation handling for fw_version buffer
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+[ Upstream commit ad436b9c1270c40554e274f067f1b78fcc06a004 ]
+
+snprintf returns the length of the formatted string, excluding the trailing
+null, without accounting for truncation. This means that is the return
+value is greater than or equal to the size parameter, the fw_version string
+was truncated.
+
+Reported-by: David Laight <David.Laight@ACULAB.COM>
+Closes: https://lore.kernel.org/netdev/81cae734ee1b4cde9b380a9a31006c1a@AcuMS.aculab.com/
+Link: https://docs.kernel.org/core-api/kernel-api.html#c.snprintf
+Fixes: 41e63c2baa11 ("net/mlx5e: Check return value of snprintf writing to fw_version buffer")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+index 7c66bd73ddfa2..38263d5c98b34 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -49,7 +49,7 @@ void mlx5e_ethtool_get_drvinfo(struct mlx5e_priv *priv,
+ count = snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version),
+ "%d.%d.%04d (%.16s)", fw_rev_maj(mdev),
+ fw_rev_min(mdev), fw_rev_sub(mdev), mdev->board_id);
+- if (count == sizeof(drvinfo->fw_version))
++ if (count >= sizeof(drvinfo->fw_version))
+ snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version),
+ "%d.%d.%04d", fw_rev_maj(mdev),
+ fw_rev_min(mdev), fw_rev_sub(mdev));
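Review bot: The truncation fallback in `mlx5e_ethtool_get_drvinfo()` is duplicated line for line in `mlx5e_rep_get_drvinfo()` (en_rep.c, the next patch), which is why the same wrong `==` test had to be fixed twice. Moving the two `snprintf()` calls into one shared helper that both callers use would keep the check from diverging again. Failing that, a comment above the test such as `/* snprintf() returns the untruncated length; >= size means truncated */` would record why `>=` is the right operator. The declaration of `count` is outside the hunk, so whether the comparison with `sizeof()` mixes signed and unsigned types cannot be confirmed here.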
+--
+2.43.0
+
--- /dev/null
+From e6f2012cbb5ca81318d93bbc048533c1e3e02e0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Nov 2023 15:00:22 -0800
+Subject: net/mlx5e: Correct snprintf truncation handling for fw_version buffer
+ used by representors
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+[ Upstream commit b13559b76157de9d74f04d3ca0e49d69de3b5675 ]
+
+snprintf returns the length of the formatted string, excluding the trailing
+null, without accounting for truncation. This means that is the return
+value is greater than or equal to the size parameter, the fw_version string
+was truncated.
+
+Link: https://docs.kernel.org/core-api/kernel-api.html#c.snprintf
+Fixes: 1b2bd0c0264f ("net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+index 007cb167cabc9..751d3ffcd2f6c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -78,7 +78,7 @@ static void mlx5e_rep_get_drvinfo(struct net_device *dev,
+ count = snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version),
+ "%d.%d.%04d (%.16s)", fw_rev_maj(mdev),
+ fw_rev_min(mdev), fw_rev_sub(mdev), mdev->board_id);
+- if (count == sizeof(drvinfo->fw_version))
++ if (count >= sizeof(drvinfo->fw_version))
+ snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version),
+ "%d.%d.%04d", fw_rev_maj(mdev),
+ fw_rev_min(mdev), fw_rev_sub(mdev));
+--
+2.43.0
+
--- /dev/null
+From 9e27462f02dce5469cfc3ba06c173b5a4724f33d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Nov 2023 04:53:32 +0200
+Subject: net/mlx5e: Decrease num_block_tc when unblock tc offload
+
+From: Chris Mi <cmi@nvidia.com>
+
+[ Upstream commit be86106fd74a145f24c56c9bc18d658e8fe6d4f4 ]
+
+The cited commit increases num_block_tc when unblock tc offload.
+Actually should decrease it.
+
+Fixes: c8e350e62fc5 ("net/mlx5e: Make TC and IPsec offloads mutually exclusive on a netdev")
+Signed-off-by: Chris Mi <cmi@nvidia.com>
+Reviewed-by: Jianbo Liu <jianbol@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+index 03f69c485a006..81e6aa6434cf2 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c
+@@ -1866,7 +1866,7 @@ static int mlx5e_ipsec_block_tc_offload(struct mlx5_core_dev *mdev)
+
+ static void mlx5e_ipsec_unblock_tc_offload(struct mlx5_core_dev *mdev)
+ {
+- mdev->num_block_tc++;
++ mdev->num_block_tc--;
+ }
+
+ int mlx5e_accel_ipsec_fs_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry)
+--
+2.43.0
+
--- /dev/null
+From 9178e89034961b28070a41f8d899c7f4745b998d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 17:40:53 +0800
+Subject: net/mlx5e: fix a potential double-free in fs_udp_create_groups
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit e75efc6466ae289e599fb12a5a86545dff245c65 ]
+
+When kcalloc() for ft->g succeeds but kvzalloc() for in fails,
+fs_udp_create_groups() will free ft->g. However, its caller
+fs_udp_create_table() will free ft->g again through calling
+mlx5e_destroy_flow_table(), which will lead to a double-free.
+Fix this by setting ft->g to NULL in fs_udp_create_groups().
+
+Fixes: 1c80bd684388 ("net/mlx5e: Introduce Flow Steering UDP API")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c b/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c
+index be83ad9db82a4..e1283531e0b81 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c
+@@ -154,6 +154,7 @@ static int fs_udp_create_groups(struct mlx5e_flow_table *ft, enum fs_udp_type ty
+ in = kvzalloc(inlen, GFP_KERNEL);
+ if (!in || !ft->g) {
+ kfree(ft->g);
++ ft->g = NULL;
+ kvfree(in);
+ return -ENOMEM;
+ }
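Review bot: The new `ft->g = NULL;` after `kfree(ft->g)` is needed only because the caller frees `ft->g` again on failure, and nothing at this site says so. A one-line comment such as `/* caller's mlx5e_destroy_flow_table() also frees ft->g; clear it to avoid a double free */` would keep a later cleanup from dropping the assignment. Any sibling group-creation helper in this file that frees `ft->g` on the same allocation-failure path would need the same clearing; none is visible in this hunk. The body of fs_udp_create_groups() starts and continues outside the hunk.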
+--
+2.43.0
+
--- /dev/null
+From 73d7143365c14dbfd8317ebcb51ab00d17d38584 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Dec 2023 00:01:26 -0800
+Subject: net/mlx5e: Fix a race in command alloc flow
+
+From: Shifeng Li <lishifeng@sangfor.com.cn>
+
+[ Upstream commit 8f5100da56b3980276234e812ce98d8f075194cd ]
+
+Fix a cmd->ent use after free due to a race on command entry.
+Such race occurs when one of the commands releases its last refcount and
+frees its index and entry while another process running command flush
+flow takes refcount to this command entry. The process which handles
+commands flush may see this command as needed to be flushed if the other
+process allocated a ent->idx but didn't set ent to cmd->ent_arr in
+cmd_work_handler(). Fix it by moving the assignment of cmd->ent_arr into
+the spin lock.
+
+[70013.081955] BUG: KASAN: use-after-free in mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core]
+[70013.081967] Write of size 4 at addr ffff88880b1510b4 by task kworker/26:1/1433361
+[70013.081968]
+[70013.082028] Workqueue: events aer_isr
+[70013.082053] Call Trace:
+[70013.082067] dump_stack+0x8b/0xbb
+[70013.082086] print_address_description+0x6a/0x270
+[70013.082102] kasan_report+0x179/0x2c0
+[70013.082173] mlx5_cmd_trigger_completions+0x1e2/0x4c0 [mlx5_core]
+[70013.082267] mlx5_cmd_flush+0x80/0x180 [mlx5_core]
+[70013.082304] mlx5_enter_error_state+0x106/0x1d0 [mlx5_core]
+[70013.082338] mlx5_try_fast_unload+0x2ea/0x4d0 [mlx5_core]
+[70013.082377] remove_one+0x200/0x2b0 [mlx5_core]
+[70013.082409] pci_device_remove+0xf3/0x280
+[70013.082439] device_release_driver_internal+0x1c3/0x470
+[70013.082453] pci_stop_bus_device+0x109/0x160
+[70013.082468] pci_stop_and_remove_bus_device+0xe/0x20
+[70013.082485] pcie_do_fatal_recovery+0x167/0x550
+[70013.082493] aer_isr+0x7d2/0x960
+[70013.082543] process_one_work+0x65f/0x12d0
+[70013.082556] worker_thread+0x87/0xb50
+[70013.082571] kthread+0x2e9/0x3a0
+[70013.082592] ret_from_fork+0x1f/0x40
+
+The logical relationship of this error is as follows:
+
+ aer_recover_work | ent->work
+-------------------------------------------+------------------------------
+aer_recover_work_func |
+|- pcie_do_recovery |
+ |- report_error_detected |
+ |- mlx5_pci_err_detected |cmd_work_handler
+ |- mlx5_enter_error_state | |- cmd_alloc_index
+ |- enter_error_state | |- lock cmd->alloc_lock
+ |- mlx5_cmd_flush | |- clear_bit
+ |- mlx5_cmd_trigger_completions| |- unlock cmd->alloc_lock
+ |- lock cmd->alloc_lock |
+ |- vector = ~dev->cmd.vars.bitmask
+ |- for_each_set_bit |
+ |- cmd_ent_get(cmd->ent_arr[i]) (UAF)
+ |- unlock cmd->alloc_lock | |- cmd->ent_arr[ent->idx]=ent
+
+The cmd->ent_arr[ent->idx] assignment and the bit clearing are not
+protected by the cmd->alloc_lock in cmd_work_handler().
+
+Fixes: 50b2412b7e78 ("net/mlx5: Avoid possible free of command entry while timeout comp handler")
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Shifeng Li <lishifeng@sangfor.com.cn>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+index c22b0ad0c8701..7013e1c8741a3 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -156,15 +156,18 @@ static u8 alloc_token(struct mlx5_cmd *cmd)
+ return token;
+ }
+
+-static int cmd_alloc_index(struct mlx5_cmd *cmd)
++static int cmd_alloc_index(struct mlx5_cmd *cmd, struct mlx5_cmd_work_ent *ent)
+ {
+ unsigned long flags;
+ int ret;
+
+ spin_lock_irqsave(&cmd->alloc_lock, flags);
+ ret = find_first_bit(&cmd->vars.bitmask, cmd->vars.max_reg_cmds);
+- if (ret < cmd->vars.max_reg_cmds)
++ if (ret < cmd->vars.max_reg_cmds) {
+ clear_bit(ret, &cmd->vars.bitmask);
++ ent->idx = ret;
++ cmd->ent_arr[ent->idx] = ent;
++ }
+ spin_unlock_irqrestore(&cmd->alloc_lock, flags);
+
+ return ret < cmd->vars.max_reg_cmds ? ret : -ENOMEM;
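Review bot: cmd_alloc_index() now also writes `ent->idx` and publishes `ent` in `cmd->ent_arr[]`, but neither its name nor any comment says it has these side effects or that the bit and the slot must change together under `cmd->alloc_lock`. I would add a comment above the function, e.g. `/* Claims a free index and stores ent in cmd->ent_arr[] under alloc_lock, so a flush holding the lock never sees a cleared bit with a stale slot. */`. In the later cmd_work_handler() hunk the page-queue branch still assigns `ent->idx` before taking the lock, while this function assigns it inside; that looks harmless because the entry is not yet published, but the two paths would read more clearly if they matched. Whether the release path resets the slot and the bit under the same lock is not visible here and is worth confirming.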
+@@ -977,7 +980,7 @@ static void cmd_work_handler(struct work_struct *work)
+ sem = ent->page_queue ? &cmd->vars.pages_sem : &cmd->vars.sem;
+ down(sem);
+ if (!ent->page_queue) {
+- alloc_ret = cmd_alloc_index(cmd);
++ alloc_ret = cmd_alloc_index(cmd, ent);
+ if (alloc_ret < 0) {
+ mlx5_core_err_rl(dev, "failed to allocate command entry\n");
+ if (ent->callback) {
+@@ -992,15 +995,14 @@ static void cmd_work_handler(struct work_struct *work)
+ up(sem);
+ return;
+ }
+- ent->idx = alloc_ret;
+ } else {
+ ent->idx = cmd->vars.max_reg_cmds;
+ spin_lock_irqsave(&cmd->alloc_lock, flags);
+ clear_bit(ent->idx, &cmd->vars.bitmask);
++ cmd->ent_arr[ent->idx] = ent;
+ spin_unlock_irqrestore(&cmd->alloc_lock, flags);
+ }
+
+- cmd->ent_arr[ent->idx] = ent;
+ lay = get_inst(cmd, ent->idx);
+ ent->lay = lay;
+ memset(lay, 0, sizeof(*lay));
+--
+2.43.0
+
--- /dev/null
+From 5c5b97a88c463423b701c67edb5e0996ad7132f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 17:08:17 +0300
+Subject: net/mlx5e: Fix error code in mlx5e_tc_action_miss_mapping_get()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 86d5922679f3b6d02a64df66cdd777fdd4ea5c0d ]
+
+Preserve the error code if esw_add_restore_rule() fails. Don't return
+success.
+
+Fixes: 6702782845a5 ("net/mlx5e: TC, Set CT miss to the specific ct action instance")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+index 1bead98f73bf5..2cfbacf77535c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -5734,8 +5734,10 @@ int mlx5e_tc_action_miss_mapping_get(struct mlx5e_priv *priv, struct mlx5_flow_a
+
+ esw = priv->mdev->priv.eswitch;
+ attr->act_id_restore_rule = esw_add_restore_rule(esw, *act_miss_mapping);
+- if (IS_ERR(attr->act_id_restore_rule))
++ if (IS_ERR(attr->act_id_restore_rule)) {
++ err = PTR_ERR(attr->act_id_restore_rule);
+ goto err_rule;
++ }
+
+ return 0;
+
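Review bot: On the failure branch `attr->act_id_restore_rule` keeps the ERR_PTR value after `err = PTR_ERR(...)` is taken, so any later cleanup that tests the field for NULL before deleting the rule would treat the error pointer as a live rule. Assigning the result to a local first and storing it in `attr` only on success, or adding `attr->act_id_restore_rule = NULL;` before `goto err_rule;`, removes that possibility. The `err_rule` label and the teardown code are outside the hunk, so whether such a check exists there could not be confirmed.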
+--
+2.43.0
+
--- /dev/null
+From 821de6c1755897fa3dc38a317581d630be2585c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 17:08:57 +0300
+Subject: net/mlx5e: Fix error codes in alloc_branch_attr()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit d792e5f7f19b95f5ce41ac49df5ead4d280238f4 ]
+
+Set the error code if set_branch_dest_ft() fails.
+
+Fixes: ccbe33003b10 ("net/mlx5e: TC, Don't offload post action rule if not supported")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+index 2cfbacf77535c..25e44ee5121a9 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -3776,7 +3776,8 @@ alloc_branch_attr(struct mlx5e_tc_flow *flow,
+ break;
+ case FLOW_ACTION_ACCEPT:
+ case FLOW_ACTION_PIPE:
+- if (set_branch_dest_ft(flow->priv, attr))
++ err = set_branch_dest_ft(flow->priv, attr);
++ if (err)
+ goto out_err;
+ break;
+ case FLOW_ACTION_JUMP:
+@@ -3786,7 +3787,8 @@ alloc_branch_attr(struct mlx5e_tc_flow *flow,
+ goto out_err;
+ }
+ *jump_count = cond->extval;
+- if (set_branch_dest_ft(flow->priv, attr))
++ err = set_branch_dest_ft(flow->priv, attr);
++ if (err)
+ goto out_err;
+ break;
+ default:
+--
+2.43.0
+
--- /dev/null
+From 92a982b437d410a3653e0077ae56aa366d6123fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Nov 2023 01:25:21 +0000
+Subject: net/mlx5e: Fix overrun reported by coverity
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit da75fa542873e5f7d7f615566c0b00042d8a0437 ]
+
+Coverity Scan reports the following issue. But it's impossible that
+mlx5_get_dev_index returns 7 for PF, even if the index is calculated
+from PCI FUNC ID. So add the checking to make coverity slience.
+
+CID 610894 (#2 of 2): Out-of-bounds write (OVERRUN)
+Overrunning array esw->fdb_table.offloads.peer_miss_rules of 4 8-byte
+elements at element index 7 (byte offset 63) using index
+mlx5_get_dev_index(peer_dev) (which evaluates to 7).
+
+Fixes: 9bee385a6e39 ("net/mlx5: E-switch, refactor FDB miss rule add/remove")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+index bb8bcb448ae90..9bd5609cf6597 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -1177,9 +1177,9 @@ static int esw_add_fdb_peer_miss_rules(struct mlx5_eswitch *esw,
+ struct mlx5_flow_handle *flow;
+ struct mlx5_flow_spec *spec;
+ struct mlx5_vport *vport;
++ int err, pfindex;
+ unsigned long i;
+ void *misc;
+- int err;
+
+ if (!MLX5_VPORT_MANAGER(esw->dev) && !mlx5_core_is_ecpf_esw_manager(esw->dev))
+ return 0;
+@@ -1255,7 +1255,15 @@ static int esw_add_fdb_peer_miss_rules(struct mlx5_eswitch *esw,
+ flows[vport->index] = flow;
+ }
+ }
+- esw->fdb_table.offloads.peer_miss_rules[mlx5_get_dev_index(peer_dev)] = flows;
++
++ pfindex = mlx5_get_dev_index(peer_dev);
++ if (pfindex >= MLX5_MAX_PORTS) {
++ esw_warn(esw->dev, "Peer dev index(%d) is over the max num defined(%d)\n",
++ pfindex, MLX5_MAX_PORTS);
++ err = -EINVAL;
++ goto add_ec_vf_flow_err;
++ }
++ esw->fdb_table.offloads.peer_miss_rules[pfindex] = flows;
+
+ kvfree(spec);
+ return 0;
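Review bot: The bound check on `pfindex` rejects only values at or above `MLX5_MAX_PORTS`, and it runs after every peer miss rule has already been created. `pfindex` is a signed `int`, so if mlx5_get_dev_index() can return a negative value (its definition is not visible here) the store into `peer_miss_rules[]` is still out of bounds; `if (pfindex < 0 || pfindex >= MLX5_MAX_PORTS)` covers both sides. Tying the limit to the array itself, e.g. `ARRAY_SIZE(esw->fdb_table.offloads.peer_miss_rules)`, would keep the check correct if the array size and the constant ever diverge. Doing the check before the rules are added would also avoid building them only to unwind through `add_ec_vf_flow_err`; the function start and the error labels sit outside the hunk.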
+--
+2.43.0
+
--- /dev/null
+From f0aae8f7d926c7f7112e1d58f98d2ffa5d01aaae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Nov 2023 01:46:56 -0800
+Subject: net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list()
+
+From: Shifeng Li <lishifeng@sangfor.com.cn>
+
+[ Upstream commit ddb38ddff9c71026bad481b791a94d446ee37603 ]
+
+Out_sz that the size of out buffer is calculated using query_nic_vport
+_context_in structure when driver query the MAC list. However query_nic
+_vport_context_in structure is smaller than query_nic_vport_context_out.
+When allowed_list_size is greater than 96, calling ether_addr_copy() will
+trigger an slab-out-of-bounds.
+
+[ 1170.055866] BUG: KASAN: slab-out-of-bounds in mlx5_query_nic_vport_mac_list+0x481/0x4d0 [mlx5_core]
+[ 1170.055869] Read of size 4 at addr ffff88bdbc57d912 by task kworker/u128:1/461
+[ 1170.055870]
+[ 1170.055932] Workqueue: mlx5_esw_wq esw_vport_change_handler [mlx5_core]
+[ 1170.055936] Call Trace:
+[ 1170.055949] dump_stack+0x8b/0xbb
+[ 1170.055958] print_address_description+0x6a/0x270
+[ 1170.055961] kasan_report+0x179/0x2c0
+[ 1170.056061] mlx5_query_nic_vport_mac_list+0x481/0x4d0 [mlx5_core]
+[ 1170.056162] esw_update_vport_addr_list+0x2c5/0xcd0 [mlx5_core]
+[ 1170.056257] esw_vport_change_handle_locked+0xd08/0x1a20 [mlx5_core]
+[ 1170.056377] esw_vport_change_handler+0x6b/0x90 [mlx5_core]
+[ 1170.056381] process_one_work+0x65f/0x12d0
+[ 1170.056383] worker_thread+0x87/0xb50
+[ 1170.056390] kthread+0x2e9/0x3a0
+[ 1170.056394] ret_from_fork+0x1f/0x40
+
+Fixes: e16aea2744ab ("net/mlx5: Introduce access functions to modify/query vport mac lists")
+Cc: Ding Hui <dinghui@sangfor.com.cn>
+Signed-off-by: Shifeng Li <lishifeng@sangfor.com.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/vport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
+index 5a31fb47ffa58..21753f3278685 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
+@@ -277,7 +277,7 @@ int mlx5_query_nic_vport_mac_list(struct mlx5_core_dev *dev,
+ req_list_size = max_list_size;
+ }
+
+- out_sz = MLX5_ST_SZ_BYTES(query_nic_vport_context_in) +
++ out_sz = MLX5_ST_SZ_BYTES(query_nic_vport_context_out) +
+ req_list_size * MLX5_ST_SZ_BYTES(mac_address_layout);
+
+ out = kvzalloc(out_sz, GFP_KERNEL);
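Review bot: Sizing `out` from `query_nic_vport_context_out` fixes the allocation, but the buffer is still sized for `req_list_size` entries, while the commit message describes the overrun as driven by `allowed_list_size`, which comes back in the device's response. If the copy loop later in the function iterates over the count reported in the response, that count should be clamped to the requested size first, e.g. `if (reported_size > req_list_size) reported_size = req_list_size;` (`reported_size` is a placeholder name). The loop is outside this hunk, so this needs checking against the full function.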
+--
+2.43.0
+
--- /dev/null
+From e6b24fcd3b69ea2bf1495aaa6d84b0079be19a70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Nov 2023 16:11:20 +0200
+Subject: net/mlx5e: XDP, Drop fragmented packets larger than MTU size
+
+From: Carolina Jubran <cjubran@nvidia.com>
+
+[ Upstream commit bcaf109f794744c14da0e9123b31d1f4571b0a35 ]
+
+XDP transmits fragmented packets that are larger than MTU size instead of
+dropping those packets. The drop check that checks whether a packet is larger
+than MTU is comparing MTU size against the linear part length only.
+
+Adjust the drop check to compare MTU size against both linear and non-linear
+part lengths to avoid transmitting fragmented packets larger than MTU size.
+
+Fixes: 39a1665d16a2 ("net/mlx5e: Implement sending multi buffer XDP frames")
+Signed-off-by: Carolina Jubran <cjubran@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c
+index 8bed17d8fe564..b723ff5e5249c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c
+@@ -493,6 +493,7 @@ mlx5e_xmit_xdp_frame(struct mlx5e_xdpsq *sq, struct mlx5e_xmit_data *xdptxd,
+ dma_addr_t dma_addr = xdptxd->dma_addr;
+ u32 dma_len = xdptxd->len;
+ u16 ds_cnt, inline_hdr_sz;
++ unsigned int frags_size;
+ u8 num_wqebbs = 1;
+ int num_frags = 0;
+ bool inline_ok;
+@@ -503,8 +504,9 @@ mlx5e_xmit_xdp_frame(struct mlx5e_xdpsq *sq, struct mlx5e_xmit_data *xdptxd,
+
+ inline_ok = sq->min_inline_mode == MLX5_INLINE_MODE_NONE ||
+ dma_len >= MLX5E_XDP_MIN_INLINE;
++ frags_size = xdptxd->has_frags ? xdptxdf->sinfo->xdp_frags_size : 0;
+
+- if (unlikely(!inline_ok || sq->hw_mtu < dma_len)) {
++ if (unlikely(!inline_ok || sq->hw_mtu < dma_len + frags_size)) {
+ stats->err++;
+ return false;
+ }
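Review bot: The new comparison `sq->hw_mtu < dma_len + frags_size` adds a `u32` and an `unsigned int`, so the sum is computed in 32 bits and could wrap before it is compared. The sizes are probably bounded well below that in practice, but a drop check is easier to trust when it cannot wrap: `dma_len > sq->hw_mtu || frags_size > sq->hw_mtu - dma_len`. A short comment saying that `frags_size` is the non-linear part and is zero without fragments would also help, since `xdptxdf` is set up outside the hunk.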
+--
+2.43.0
+
--- /dev/null
+From 1a0ca8058b9608e68e17a40362f398c52aeed9f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 02:09:01 +0200
+Subject: net: mscc: ocelot: fix eMAC TX RMON stats for bucket 256-511 and
+ above
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 52eda4641d041667fa059f4855c5f88dcebd8afe ]
+
+There is a typo in the driver due to which we report incorrect TX RMON
+counters for the 256-511 octet bucket and all the other buckets larger
+than that.
+
+Bug found with the selftest at
+https://patchwork.kernel.org/project/netdevbpf/patch/20231211223346.2497157-9-tobias@waldekranz.com/
+
+Fixes: e32036e1ae7b ("net: mscc: ocelot: add support for all sorts of standardized counters present in DSA")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://lore.kernel.org/r/20231214000902.545625-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot_stats.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot_stats.c b/drivers/net/ethernet/mscc/ocelot_stats.c
+index 5c55197c7327d..f29fa37263dae 100644
+--- a/drivers/net/ethernet/mscc/ocelot_stats.c
++++ b/drivers/net/ethernet/mscc/ocelot_stats.c
+@@ -582,10 +582,10 @@ static void ocelot_port_rmon_stats_cb(struct ocelot *ocelot, int port, void *pri
+ rmon_stats->hist_tx[0] = s[OCELOT_STAT_TX_64];
+ rmon_stats->hist_tx[1] = s[OCELOT_STAT_TX_65_127];
+ rmon_stats->hist_tx[2] = s[OCELOT_STAT_TX_128_255];
+- rmon_stats->hist_tx[3] = s[OCELOT_STAT_TX_128_255];
+- rmon_stats->hist_tx[4] = s[OCELOT_STAT_TX_256_511];
+- rmon_stats->hist_tx[5] = s[OCELOT_STAT_TX_512_1023];
+- rmon_stats->hist_tx[6] = s[OCELOT_STAT_TX_1024_1526];
++ rmon_stats->hist_tx[3] = s[OCELOT_STAT_TX_256_511];
++ rmon_stats->hist_tx[4] = s[OCELOT_STAT_TX_512_1023];
++ rmon_stats->hist_tx[5] = s[OCELOT_STAT_TX_1024_1526];
++ rmon_stats->hist_tx[6] = s[OCELOT_STAT_TX_1527_MAX];
+ }
+
+ static void ocelot_port_pmac_rmon_stats_cb(struct ocelot *ocelot, int port,
+--
+2.43.0
+
--- /dev/null
+From 3bf8796fb4aa73eb5f1257f252c4ea9cf68702fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 02:09:02 +0200
+Subject: net: mscc: ocelot: fix pMAC TX RMON stats for bucket 256-511 and
+ above
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 70f010da00f90415296f93fb47a561977eae41cb ]
+
+The typo from ocelot_port_rmon_stats_cb() was also carried over to
+ocelot_port_pmac_rmon_stats_cb() as well, leading to incorrect TX RMON
+stats for the pMAC too.
+
+Fixes: ab3f97a9610a ("net: mscc: ocelot: export ethtool MAC Merge stats for Felix VSC9959")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://lore.kernel.org/r/20231214000902.545625-2-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot_stats.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot_stats.c b/drivers/net/ethernet/mscc/ocelot_stats.c
+index f29fa37263dae..c018783757fb2 100644
+--- a/drivers/net/ethernet/mscc/ocelot_stats.c
++++ b/drivers/net/ethernet/mscc/ocelot_stats.c
+@@ -610,10 +610,10 @@ static void ocelot_port_pmac_rmon_stats_cb(struct ocelot *ocelot, int port,
+ rmon_stats->hist_tx[0] = s[OCELOT_STAT_TX_PMAC_64];
+ rmon_stats->hist_tx[1] = s[OCELOT_STAT_TX_PMAC_65_127];
+ rmon_stats->hist_tx[2] = s[OCELOT_STAT_TX_PMAC_128_255];
+- rmon_stats->hist_tx[3] = s[OCELOT_STAT_TX_PMAC_128_255];
+- rmon_stats->hist_tx[4] = s[OCELOT_STAT_TX_PMAC_256_511];
+- rmon_stats->hist_tx[5] = s[OCELOT_STAT_TX_PMAC_512_1023];
+- rmon_stats->hist_tx[6] = s[OCELOT_STAT_TX_PMAC_1024_1526];
++ rmon_stats->hist_tx[3] = s[OCELOT_STAT_TX_PMAC_256_511];
++ rmon_stats->hist_tx[4] = s[OCELOT_STAT_TX_PMAC_512_1023];
++ rmon_stats->hist_tx[5] = s[OCELOT_STAT_TX_PMAC_1024_1526];
++ rmon_stats->hist_tx[6] = s[OCELOT_STAT_TX_PMAC_1527_MAX];
+ }
+
+ void ocelot_port_get_rmon_stats(struct ocelot *ocelot, int port,
+--
+2.43.0
+
--- /dev/null
+From 1d3525fa6b674e5fffdb6d376ef040c4b5b18a42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Dec 2023 00:05:35 +0000
+Subject: net: phy: skip LED triggers on PHYs on SFP modules
+
+From: Daniel Golle <daniel@makrotopia.org>
+
+[ Upstream commit b1dfc0f76231bbf395c59d20a2070684620d5d0f ]
+
+Calling led_trigger_register() when attaching a PHY located on an SFP
+module potentially (and practically) leads into a deadlock.
+Fix this by not calling led_trigger_register() for PHYs localted on SFP
+modules as such modules actually never got any LEDs.
+
+======================================================
+WARNING: possible circular locking dependency detected
+6.7.0-rc4-next-20231208+ #0 Tainted: G O
+------------------------------------------------------
+kworker/u8:2/43 is trying to acquire lock:
+ffffffc08108c4e8 (triggers_list_lock){++++}-{3:3}, at: led_trigger_register+0x4c/0x1a8
+
+but task is already holding lock:
+ffffff80c5c6f318 (&sfp->sm_mutex){+.+.}-{3:3}, at: cleanup_module+0x2ba8/0x3120 [sfp]
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #3 (&sfp->sm_mutex){+.+.}-{3:3}:
+ __mutex_lock+0x88/0x7a0
+ mutex_lock_nested+0x20/0x28
+ cleanup_module+0x2ae0/0x3120 [sfp]
+ sfp_register_bus+0x5c/0x9c
+ sfp_register_socket+0x48/0xd4
+ cleanup_module+0x271c/0x3120 [sfp]
+ platform_probe+0x64/0xb8
+ really_probe+0x17c/0x3c0
+ __driver_probe_device+0x78/0x164
+ driver_probe_device+0x3c/0xd4
+ __driver_attach+0xec/0x1f0
+ bus_for_each_dev+0x60/0xa0
+ driver_attach+0x20/0x28
+ bus_add_driver+0x108/0x208
+ driver_register+0x5c/0x118
+ __platform_driver_register+0x24/0x2c
+ init_module+0x28/0xa7c [sfp]
+ do_one_initcall+0x70/0x2ec
+ do_init_module+0x54/0x1e4
+ load_module+0x1b78/0x1c8c
+ __do_sys_init_module+0x1bc/0x2cc
+ __arm64_sys_init_module+0x18/0x20
+ invoke_syscall.constprop.0+0x4c/0xdc
+ do_el0_svc+0x3c/0xbc
+ el0_svc+0x34/0x80
+ el0t_64_sync_handler+0xf8/0x124
+ el0t_64_sync+0x150/0x154
+
+-> #2 (rtnl_mutex){+.+.}-{3:3}:
+ __mutex_lock+0x88/0x7a0
+ mutex_lock_nested+0x20/0x28
+ rtnl_lock+0x18/0x20
+ set_device_name+0x30/0x130
+ netdev_trig_activate+0x13c/0x1ac
+ led_trigger_set+0x118/0x234
+ led_trigger_write+0x104/0x17c
+ sysfs_kf_bin_write+0x64/0x80
+ kernfs_fop_write_iter+0x128/0x1b4
+ vfs_write+0x178/0x2a4
+ ksys_write+0x58/0xd4
+ __arm64_sys_write+0x18/0x20
+ invoke_syscall.constprop.0+0x4c/0xdc
+ do_el0_svc+0x3c/0xbc
+ el0_svc+0x34/0x80
+ el0t_64_sync_handler+0xf8/0x124
+ el0t_64_sync+0x150/0x154
+
+-> #1 (&led_cdev->trigger_lock){++++}-{3:3}:
+ down_write+0x4c/0x13c
+ led_trigger_write+0xf8/0x17c
+ sysfs_kf_bin_write+0x64/0x80
+ kernfs_fop_write_iter+0x128/0x1b4
+ vfs_write+0x178/0x2a4
+ ksys_write+0x58/0xd4
+ __arm64_sys_write+0x18/0x20
+ invoke_syscall.constprop.0+0x4c/0xdc
+ do_el0_svc+0x3c/0xbc
+ el0_svc+0x34/0x80
+ el0t_64_sync_handler+0xf8/0x124
+ el0t_64_sync+0x150/0x154
+
+-> #0 (triggers_list_lock){++++}-{3:3}:
+ __lock_acquire+0x12a0/0x2014
+ lock_acquire+0x100/0x2ac
+ down_write+0x4c/0x13c
+ led_trigger_register+0x4c/0x1a8
+ phy_led_triggers_register+0x9c/0x214
+ phy_attach_direct+0x154/0x36c
+ phylink_attach_phy+0x30/0x60
+ phylink_sfp_connect_phy+0x140/0x510
+ sfp_add_phy+0x34/0x50
+ init_module+0x15c/0xa7c [sfp]
+ cleanup_module+0x1d94/0x3120 [sfp]
+ cleanup_module+0x2bb4/0x3120 [sfp]
+ process_one_work+0x1f8/0x4ec
+ worker_thread+0x1e8/0x3d8
+ kthread+0x104/0x110
+ ret_from_fork+0x10/0x20
+
+other info that might help us debug this:
+
+Chain exists of:
+ triggers_list_lock --> rtnl_mutex --> &sfp->sm_mutex
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&sfp->sm_mutex);
+ lock(rtnl_mutex);
+ lock(&sfp->sm_mutex);
+ lock(triggers_list_lock);
+
+ *** DEADLOCK ***
+
+4 locks held by kworker/u8:2/43:
+ #0: ffffff80c000f938 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work+0x150/0x4ec
+ #1: ffffffc08214bde8 ((work_completion)(&(&sfp->timeout)->work)){+.+.}-{0:0}, at: process_one_work+0x150/0x4ec
+ #2: ffffffc0810902f8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock+0x18/0x20
+ #3: ffffff80c5c6f318 (&sfp->sm_mutex){+.+.}-{3:3}, at: cleanup_module+0x2ba8/0x3120 [sfp]
+
+stack backtrace:
+CPU: 0 PID: 43 Comm: kworker/u8:2 Tainted: G O 6.7.0-rc4-next-20231208+ #0
+Hardware name: Bananapi BPI-R4 (DT)
+Workqueue: events_power_efficient cleanup_module [sfp]
+Call trace:
+ dump_backtrace+0xa8/0x10c
+ show_stack+0x14/0x1c
+ dump_stack_lvl+0x5c/0xa0
+ dump_stack+0x14/0x1c
+ print_circular_bug+0x328/0x430
+ check_noncircular+0x124/0x134
+ __lock_acquire+0x12a0/0x2014
+ lock_acquire+0x100/0x2ac
+ down_write+0x4c/0x13c
+ led_trigger_register+0x4c/0x1a8
+ phy_led_triggers_register+0x9c/0x214
+ phy_attach_direct+0x154/0x36c
+ phylink_attach_phy+0x30/0x60
+ phylink_sfp_connect_phy+0x140/0x510
+ sfp_add_phy+0x34/0x50
+ init_module+0x15c/0xa7c [sfp]
+ cleanup_module+0x1d94/0x3120 [sfp]
+ cleanup_module+0x2bb4/0x3120 [sfp]
+ process_one_work+0x1f8/0x4ec
+ worker_thread+0x1e8/0x3d8
+ kthread+0x104/0x110
+ ret_from_fork+0x10/0x20
+
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Fixes: 01e5b728e9e4 ("net: phy: Add a binding for PHY LEDs")
+Link: https://lore.kernel.org/r/102a9dce38bdf00215735d04cd4704458273ad9c.1702339354.git.daniel@makrotopia.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy_device.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index 2ce74593d6e4a..a42df2c1bd043 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -1548,7 +1548,8 @@ int phy_attach_direct(struct net_device *dev, struct phy_device *phydev,
+ goto error;
+
+ phy_resume(phydev);
+- phy_led_triggers_register(phydev);
++ if (!phydev->is_on_sfp_module)
++ phy_led_triggers_register(phydev);
+
+ /**
+ * If the external phy used by current mac interface is managed by
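Review bot: The `if (!phydev->is_on_sfp_module)` guard before `phy_led_triggers_register()` has no comment, and the reason for it is a lock-ordering one that cannot be guessed from the code. Something like `/* PHYs on SFP modules have no LEDs; registering triggers here would take triggers_list_lock with sfp->sm_mutex held */` above it would do. The same guard in the phy_detach() hunk relies on `is_on_sfp_module` having the same value at attach and detach time; if the flag can change in between, the register and unregister calls become unbalanced, which is worth confirming since the code that sets it is not shown. Both functions extend beyond their hunks.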
+@@ -1817,7 +1818,8 @@ void phy_detach(struct phy_device *phydev)
+ }
+ phydev->phylink = NULL;
+
+- phy_led_triggers_unregister(phydev);
++ if (!phydev->is_on_sfp_module)
++ phy_led_triggers_unregister(phydev);
+
+ if (phydev->mdio.dev.driver)
+ module_put(phydev->mdio.dev.driver->owner);
+--
+2.43.0
+
--- /dev/null
+From d9e938c38f35a26935647a8ad3921ef912ad4117 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 14:09:22 +0900
+Subject: net: Return error from sk_stream_wait_connect() if sk_wait_event()
+ fails
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit cac23b7d7627915d967ce25436d7aae26e88ed06 ]
+
+The following NULL pointer dereference issue occurred:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+<...>
+RIP: 0010:ccid_hc_tx_send_packet net/dccp/ccid.h:166 [inline]
+RIP: 0010:dccp_write_xmit+0x49/0x140 net/dccp/output.c:356
+<...>
+Call Trace:
+ <TASK>
+ dccp_sendmsg+0x642/0x7e0 net/dccp/proto.c:801
+ inet_sendmsg+0x63/0x90 net/ipv4/af_inet.c:846
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x83/0xe0 net/socket.c:745
+ ____sys_sendmsg+0x443/0x510 net/socket.c:2558
+ ___sys_sendmsg+0xe5/0x150 net/socket.c:2612
+ __sys_sendmsg+0xa6/0x120 net/socket.c:2641
+ __do_sys_sendmsg net/socket.c:2650 [inline]
+ __se_sys_sendmsg net/socket.c:2648 [inline]
+ __x64_sys_sendmsg+0x45/0x50 net/socket.c:2648
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x43/0x110 arch/x86/entry/common.c:82
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+sk_wait_event() returns an error (-EPIPE) if disconnect() is called on the
+socket waiting for the event. However, sk_stream_wait_connect() returns
+success, i.e. zero, even if sk_wait_event() returns -EPIPE, so a function
+that waits for a connection with sk_stream_wait_connect() may misbehave.
+
+In the case of the above DCCP issue, dccp_sendmsg() is waiting for the
+connection. If disconnect() is called in concurrently, the above issue
+occurs.
+
+This patch fixes the issue by returning error from sk_stream_wait_connect()
+if sk_wait_event() fails.
+
+Fixes: 419ce133ab92 ("tcp: allow again tcp_disconnect() when threads are waiting")
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reported-by: syzbot+c71bc336c5061153b502@syzkaller.appspotmail.com
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/stream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/stream.c b/net/core/stream.c
+index 96fbcb9bbb30a..b16dfa568a2d5 100644
+--- a/net/core/stream.c
++++ b/net/core/stream.c
+@@ -79,7 +79,7 @@ int sk_stream_wait_connect(struct sock *sk, long *timeo_p)
+ remove_wait_queue(sk_sleep(sk), &wait);
+ sk->sk_write_pending--;
+ } while (!done);
+- return 0;
++ return done < 0 ? done : 0;
+ }
+ EXPORT_SYMBOL(sk_stream_wait_connect);
+
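Review bot: `return done < 0 ? done : 0;` changes what sk_stream_wait_connect() can return, and nothing next to it records that a negative `done` is the error from `sk_wait_event()`. A comment on the return, e.g. `/* sk_wait_event() may fail (e.g. -EPIPE after disconnect()); report it instead of success */`, would document the contract. Callers that so far assumed a zero return after the loop now need to handle the error; they are outside this diff. The loop that assigns `done` starts above the hunk.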
+--
+2.43.0
+
--- /dev/null
+From 984c9ba7a586ff79a984797d64fe18c5915f9d7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 15:27:47 +0000
+Subject: net/rose: fix races in rose_kill_by_device()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 64b8bc7d5f1434c636a40bdcfcd42b278d1714be ]
+
+syzbot found an interesting netdev refcounting issue in
+net/rose/af_rose.c, thanks to CONFIG_NET_DEV_REFCNT_TRACKER=y [1]
+
+Problem is that rose_kill_by_device() can change rose->device
+while other threads do not expect the pointer to be changed.
+
+We have to first collect sockets in a temporary array,
+then perform the changes while holding the socket
+lock and rose_list_lock spinlock (in this order)
+
+Change rose_release() to also acquire rose_list_lock
+before releasing the netdev refcount.
+
+[1]
+
+[ 1185.055088][ T7889] ref_tracker: reference already released.
+[ 1185.061476][ T7889] ref_tracker: allocated in:
+[ 1185.066081][ T7889] rose_bind+0x4ab/0xd10
+[ 1185.070446][ T7889] __sys_bind+0x1ec/0x220
+[ 1185.074818][ T7889] __x64_sys_bind+0x72/0xb0
+[ 1185.079356][ T7889] do_syscall_64+0x40/0x110
+[ 1185.083897][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b
+[ 1185.089835][ T7889] ref_tracker: freed in:
+[ 1185.094088][ T7889] rose_release+0x2f5/0x570
+[ 1185.098629][ T7889] __sock_release+0xae/0x260
+[ 1185.103262][ T7889] sock_close+0x1c/0x20
+[ 1185.107453][ T7889] __fput+0x270/0xbb0
+[ 1185.111467][ T7889] task_work_run+0x14d/0x240
+[ 1185.116085][ T7889] get_signal+0x106f/0x2790
+[ 1185.120622][ T7889] arch_do_signal_or_restart+0x90/0x7f0
+[ 1185.126205][ T7889] exit_to_user_mode_prepare+0x121/0x240
+[ 1185.131846][ T7889] syscall_exit_to_user_mode+0x1e/0x60
+[ 1185.137293][ T7889] do_syscall_64+0x4d/0x110
+[ 1185.141783][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b
+[ 1185.148085][ T7889] ------------[ cut here ]------------
+
+WARNING: CPU: 1 PID: 7889 at lib/ref_tracker.c:255 ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255
+Modules linked in:
+CPU: 1 PID: 7889 Comm: syz-executor.2 Not tainted 6.7.0-rc4-syzkaller-00162-g65c95f78917e #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
+RIP: 0010:ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255
+Code: 00 44 8b 6b 18 31 ff 44 89 ee e8 21 62 f5 fc 45 85 ed 0f 85 a6 00 00 00 e8 a3 66 f5 fc 48 8b 34 24 48 89 ef e8 27 5f f1 05 90 <0f> 0b 90 bb ea ff ff ff e9 52 fd ff ff e8 84 66 f5 fc 4c 8d 6d 44
+RSP: 0018:ffffc90004917850 EFLAGS: 00010202
+RAX: 0000000000000201 RBX: ffff88802618f4c0 RCX: 0000000000000000
+RDX: 0000000000000202 RSI: ffffffff8accb920 RDI: 0000000000000001
+RBP: ffff8880269ea5b8 R08: 0000000000000001 R09: fffffbfff23e35f6
+R10: ffffffff91f1afb7 R11: 0000000000000001 R12: 1ffff92000922f0c
+R13: 0000000005a2039b R14: ffff88802618f4d8 R15: 00000000ffffffff
+FS: 00007f0a720ef6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f43a819d988 CR3: 0000000076c64000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<TASK>
+netdev_tracker_free include/linux/netdevice.h:4127 [inline]
+netdev_put include/linux/netdevice.h:4144 [inline]
+netdev_put include/linux/netdevice.h:4140 [inline]
+rose_kill_by_device net/rose/af_rose.c:195 [inline]
+rose_device_event+0x25d/0x330 net/rose/af_rose.c:218
+notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
+call_netdevice_notifiers_info+0xbe/0x130 net/core/dev.c:1967
+call_netdevice_notifiers_extack net/core/dev.c:2005 [inline]
+call_netdevice_notifiers net/core/dev.c:2019 [inline]
+__dev_notify_flags+0x1f5/0x2e0 net/core/dev.c:8646
+dev_change_flags+0x122/0x170 net/core/dev.c:8682
+dev_ifsioc+0x9ad/0x1090 net/core/dev_ioctl.c:529
+dev_ioctl+0x224/0x1090 net/core/dev_ioctl.c:786
+sock_do_ioctl+0x198/0x270 net/socket.c:1234
+sock_ioctl+0x22e/0x6b0 net/socket.c:1339
+vfs_ioctl fs/ioctl.c:51 [inline]
+__do_sys_ioctl fs/ioctl.c:871 [inline]
+__se_sys_ioctl fs/ioctl.c:857 [inline]
+__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
+do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+RIP: 0033:0x7f0a7147cba9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f0a720ef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f0a7159bf80 RCX: 00007f0a7147cba9
+RDX: 0000000020000040 RSI: 0000000000008914 RDI: 0000000000000004
+RBP: 00007f0a714c847a R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000000b R14: 00007f0a7159bf80 R15: 00007ffc8bb3a5f8
+</TASK>
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Bernard Pidoux <f6bvp@free.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 39 ++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 34 insertions(+), 5 deletions(-)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 4a5c2dc8dd7a9..42e8b9e37516b 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -182,21 +182,47 @@ void rose_kill_by_neigh(struct rose_neigh *neigh)
+ */
+ static void rose_kill_by_device(struct net_device *dev)
+ {
+- struct sock *s;
++ struct sock *sk, *array[16];
++ struct rose_sock *rose;
++ bool rescan;
++ int i, cnt;
+
++start:
++ rescan = false;
++ cnt = 0;
+ spin_lock_bh(&rose_list_lock);
+- sk_for_each(s, &rose_list) {
+- struct rose_sock *rose = rose_sk(s);
++ sk_for_each(sk, &rose_list) {
++ rose = rose_sk(sk);
++ if (rose->device == dev) {
++ if (cnt == ARRAY_SIZE(array)) {
++ rescan = true;
++ break;
++ }
++ sock_hold(sk);
++ array[cnt++] = sk;
++ }
++ }
++ spin_unlock_bh(&rose_list_lock);
+
++ for (i = 0; i < cnt; i++) {
++ sk = array[cnt];
++ rose = rose_sk(sk);
++ lock_sock(sk);
++ spin_lock_bh(&rose_list_lock);
+ if (rose->device == dev) {
+- rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
++ rose_disconnect(sk, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
+ if (rose->neighbour)
+ rose->neighbour->use--;
+ netdev_put(rose->device, &rose->dev_tracker);
+ rose->device = NULL;
+ }
++ spin_unlock_bh(&rose_list_lock);
++ release_sock(sk);
++ sock_put(sk);
++ cond_resched();
+ }
+- spin_unlock_bh(&rose_list_lock);
++ if (rescan)
++ goto start;
+ }
+
+ /*
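Review bot: In the second loop of rose_kill_by_device() the socket is fetched with `sk = array[cnt];` while the loop variable is `i`, so every pass reads the slot just past the last collected entry. That slot is an uninitialised stack pointer, or one element beyond `array[16]` when the scan filled the array, and it is then handed to lock_sock() and sock_put(). The sockets that were actually pinned with sock_hold() are never disconnected or released, so their references leak and `rose->device` keeps pointing at the device. The line should read `sk = array[i];`.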
+@@ -656,7 +682,10 @@ static int rose_release(struct socket *sock)
+ break;
+ }
+
++ spin_lock_bh(&rose_list_lock);
+ netdev_put(rose->device, &rose->dev_tracker);
++ rose->device = NULL;
++ spin_unlock_bh(&rose_list_lock);
+ sock->sk = NULL;
+ release_sock(sk);
+ sock_put(sk);
+--
+2.43.0
+
--- /dev/null
+From 8227564c2fa603094bba064bd6110cfeaf1295bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 11:30:38 +0000
+Subject: net: sched: ife: fix potential use-after-free
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 19391a2ca98baa7b80279306cdf7dd43f81fa595 ]
+
+ife_decode() calls pskb_may_pull() two times, we need to reload
+ifehdr after the second one, or risk use-after-free as reported
+by syzbot:
+
+BUG: KASAN: slab-use-after-free in __ife_tlv_meta_valid net/ife/ife.c:108 [inline]
+BUG: KASAN: slab-use-after-free in ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131
+Read of size 2 at addr ffff88802d7300a4 by task syz-executor.5/22323
+
+CPU: 0 PID: 22323 Comm: syz-executor.5 Not tainted 6.7.0-rc3-syzkaller-00804-g074ac38d5b95 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
+Call Trace:
+<TASK>
+__dump_stack lib/dump_stack.c:88 [inline]
+dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
+print_address_description mm/kasan/report.c:364 [inline]
+print_report+0xc4/0x620 mm/kasan/report.c:475
+kasan_report+0xda/0x110 mm/kasan/report.c:588
+__ife_tlv_meta_valid net/ife/ife.c:108 [inline]
+ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131
+tcf_ife_decode net/sched/act_ife.c:739 [inline]
+tcf_ife_act+0x4e3/0x1cd0 net/sched/act_ife.c:879
+tc_act include/net/tc_wrapper.h:221 [inline]
+tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079
+tcf_exts_exec include/net/pkt_cls.h:344 [inline]
+mall_classify+0x201/0x310 net/sched/cls_matchall.c:42
+tc_classify include/net/tc_wrapper.h:227 [inline]
+__tcf_classify net/sched/cls_api.c:1703 [inline]
+tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800
+hfsc_classify net/sched/sch_hfsc.c:1147 [inline]
+hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546
+dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739
+__dev_xmit_skb net/core/dev.c:3828 [inline]
+__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311
+dev_queue_xmit include/linux/netdevice.h:3165 [inline]
+packet_xmit+0x237/0x350 net/packet/af_packet.c:276
+packet_snd net/packet/af_packet.c:3081 [inline]
+packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+__do_sys_sendto net/socket.c:2202 [inline]
+__se_sys_sendto net/socket.c:2198 [inline]
+__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+RIP: 0033:0x7fe9acc7cae9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fe9ada450c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007fe9acd9bf80 RCX: 00007fe9acc7cae9
+RDX: 000000000000fce0 RSI: 00000000200002c0 RDI: 0000000000000003
+RBP: 00007fe9accc847a R08: 0000000020000140 R09: 0000000000000014
+R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000000b R14: 00007fe9acd9bf80 R15: 00007ffd5427ae78
+</TASK>
+
+Allocated by task 22323:
+kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
+kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+____kasan_kmalloc mm/kasan/common.c:374 [inline]
+__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
+kasan_kmalloc include/linux/kasan.h:198 [inline]
+__do_kmalloc_node mm/slab_common.c:1007 [inline]
+__kmalloc_node_track_caller+0x5a/0x90 mm/slab_common.c:1027
+kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
+__alloc_skb+0x12b/0x330 net/core/skbuff.c:651
+alloc_skb include/linux/skbuff.h:1298 [inline]
+alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
+sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
+packet_alloc_skb net/packet/af_packet.c:2930 [inline]
+packet_snd net/packet/af_packet.c:3024 [inline]
+packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+__do_sys_sendto net/socket.c:2202 [inline]
+__se_sys_sendto net/socket.c:2198 [inline]
+__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Freed by task 22323:
+kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
+kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
+____kasan_slab_free mm/kasan/common.c:236 [inline]
+____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
+kasan_slab_free include/linux/kasan.h:164 [inline]
+slab_free_hook mm/slub.c:1800 [inline]
+slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
+slab_free mm/slub.c:3809 [inline]
+__kmem_cache_free+0xc0/0x180 mm/slub.c:3822
+skb_kfree_head net/core/skbuff.c:950 [inline]
+skb_free_head+0x110/0x1b0 net/core/skbuff.c:962
+pskb_expand_head+0x3c5/0x1170 net/core/skbuff.c:2130
+__pskb_pull_tail+0xe1/0x1830 net/core/skbuff.c:2655
+pskb_may_pull_reason include/linux/skbuff.h:2685 [inline]
+pskb_may_pull include/linux/skbuff.h:2693 [inline]
+ife_decode+0x394/0x4f0 net/ife/ife.c:82
+tcf_ife_decode net/sched/act_ife.c:727 [inline]
+tcf_ife_act+0x43b/0x1cd0 net/sched/act_ife.c:879
+tc_act include/net/tc_wrapper.h:221 [inline]
+tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079
+tcf_exts_exec include/net/pkt_cls.h:344 [inline]
+mall_classify+0x201/0x310 net/sched/cls_matchall.c:42
+tc_classify include/net/tc_wrapper.h:227 [inline]
+__tcf_classify net/sched/cls_api.c:1703 [inline]
+tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800
+hfsc_classify net/sched/sch_hfsc.c:1147 [inline]
+hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546
+dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739
+__dev_xmit_skb net/core/dev.c:3828 [inline]
+__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311
+dev_queue_xmit include/linux/netdevice.h:3165 [inline]
+packet_xmit+0x237/0x350 net/packet/af_packet.c:276
+packet_snd net/packet/af_packet.c:3081 [inline]
+packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+__do_sys_sendto net/socket.c:2202 [inline]
+__se_sys_sendto net/socket.c:2198 [inline]
+__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+The buggy address belongs to the object at ffff88802d730000
+which belongs to the cache kmalloc-8k of size 8192
+The buggy address is located 164 bytes inside of
+freed 8192-byte region [ffff88802d730000, ffff88802d732000)
+
+The buggy address belongs to the physical page:
+page:ffffea0000b5cc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2d730
+head:ffffea0000b5cc00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
+page_type: 0xffffffff()
+raw: 00fff00000000840 ffff888013042280 dead000000000122 0000000000000000
+raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 22323, tgid 22320 (syz-executor.5), ts 950317230369, free_ts 950233467461
+set_page_owner include/linux/page_owner.h:31 [inline]
+post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1544
+prep_new_page mm/page_alloc.c:1551 [inline]
+get_page_from_freelist+0xa28/0x3730 mm/page_alloc.c:3319
+__alloc_pages+0x22e/0x2420 mm/page_alloc.c:4575
+alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
+alloc_slab_page mm/slub.c:1870 [inline]
+allocate_slab mm/slub.c:2017 [inline]
+new_slab+0x283/0x3c0 mm/slub.c:2070
+___slab_alloc+0x979/0x1500 mm/slub.c:3223
+__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
+__slab_alloc_node mm/slub.c:3375 [inline]
+slab_alloc_node mm/slub.c:3468 [inline]
+__kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517
+__do_kmalloc_node mm/slab_common.c:1006 [inline]
+__kmalloc_node_track_caller+0x4a/0x90 mm/slab_common.c:1027
+kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
+__alloc_skb+0x12b/0x330 net/core/skbuff.c:651
+alloc_skb include/linux/skbuff.h:1298 [inline]
+alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
+sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
+packet_alloc_skb net/packet/af_packet.c:2930 [inline]
+packet_snd net/packet/af_packet.c:3024 [inline]
+packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+page last free stack trace:
+reset_page_owner include/linux/page_owner.h:24 [inline]
+free_pages_prepare mm/page_alloc.c:1144 [inline]
+free_unref_page_prepare+0x53c/0xb80 mm/page_alloc.c:2354
+free_unref_page+0x33/0x3b0 mm/page_alloc.c:2494
+__unfreeze_partials+0x226/0x240 mm/slub.c:2655
+qlink_free mm/kasan/quarantine.c:168 [inline]
+qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
+kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
+__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
+kasan_slab_alloc include/linux/kasan.h:188 [inline]
+slab_post_alloc_hook mm/slab.h:763 [inline]
+slab_alloc_node mm/slub.c:3478 [inline]
+slab_alloc mm/slub.c:3486 [inline]
+__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
+kmem_cache_alloc_lru+0x219/0x6f0 mm/slub.c:3509
+alloc_inode_sb include/linux/fs.h:2937 [inline]
+ext4_alloc_inode+0x28/0x650 fs/ext4/super.c:1408
+alloc_inode+0x5d/0x220 fs/inode.c:261
+new_inode_pseudo fs/inode.c:1006 [inline]
+new_inode+0x22/0x260 fs/inode.c:1032
+__ext4_new_inode+0x333/0x5200 fs/ext4/ialloc.c:958
+ext4_symlink+0x5d7/0xa20 fs/ext4/namei.c:3398
+vfs_symlink fs/namei.c:4464 [inline]
+vfs_symlink+0x3e5/0x620 fs/namei.c:4448
+do_symlinkat+0x25f/0x310 fs/namei.c:4490
+__do_sys_symlinkat fs/namei.c:4506 [inline]
+__se_sys_symlinkat fs/namei.c:4503 [inline]
+__x64_sys_symlinkat+0x97/0xc0 fs/namei.c:4503
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+
+Fixes: d57493d6d1be ("net: sched: ife: check on metadata length")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Alexander Aring <aahringo@redhat.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ife/ife.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ife/ife.c b/net/ife/ife.c
+index 13bbf8cb6a396..be05b690b9ef2 100644
+--- a/net/ife/ife.c
++++ b/net/ife/ife.c
+@@ -82,6 +82,7 @@ void *ife_decode(struct sk_buff *skb, u16 *metalen)
+ if (unlikely(!pskb_may_pull(skb, total_pull)))
+ return NULL;
+
++ ifehdr = (struct ifeheadr *)(skb->data + skb->dev->hard_header_len);
+ skb_set_mac_header(skb, total_pull);
+ __skb_pull(skb, total_pull);
+ *metalen = ifehdrln - IFE_METAHDRLEN;
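Review bot: The reload of `ifehdr` after the second pskb_may_pull() carries no comment, so the assignment looks redundant and is easy to drop in a later cleanup. I would add `/* pskb_may_pull() may reallocate skb->head; ifehdr must be recomputed */` above it. ife_decode() starts and ends outside this hunk, so any other pointer derived from skb->data before the pull (not visible here) deserves the same check.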
+--
+2.43.0
+
--- /dev/null
+From 9eab68c6bfc63814820678ffd33bd39d1d23a737 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Dec 2023 23:40:44 +0530
+Subject: octeontx2-pf: Fix graceful exit during PFC configuration failure
+
+From: Suman Ghosh <sumang@marvell.com>
+
+[ Upstream commit 8c97ab5448f2096daba11edf8d18a44e1eb6f31d ]
+
+During PFC configuration failure the code was not handling a graceful
+exit. This patch fixes the same and add proper code for a graceful exit.
+
+Fixes: 99c969a83d82 ("octeontx2-pf: Add egress PFC support")
+Signed-off-by: Suman Ghosh <sumang@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/marvell/octeontx2/nic/otx2_dcbnl.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c
+index bfddbff7bcdfb..28fb643d2917f 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_dcbnl.c
+@@ -399,9 +399,10 @@ static int otx2_dcbnl_ieee_getpfc(struct net_device *dev, struct ieee_pfc *pfc)
+ static int otx2_dcbnl_ieee_setpfc(struct net_device *dev, struct ieee_pfc *pfc)
+ {
+ struct otx2_nic *pfvf = netdev_priv(dev);
++ u8 old_pfc_en;
+ int err;
+
+- /* Save PFC configuration to interface */
++ old_pfc_en = pfvf->pfc_en;
+ pfvf->pfc_en = pfc->pfc_en;
+
+ if (pfvf->hw.tx_queues >= NIX_PF_PFC_PRIO_MAX)
+@@ -411,13 +412,17 @@ static int otx2_dcbnl_ieee_setpfc(struct net_device *dev, struct ieee_pfc *pfc)
+ * supported by the tx queue configuration
+ */
+ err = otx2_check_pfc_config(pfvf);
+- if (err)
++ if (err) {
++ pfvf->pfc_en = old_pfc_en;
+ return err;
++ }
+
+ process_pfc:
+ err = otx2_config_priority_flow_ctrl(pfvf);
+- if (err)
++ if (err) {
++ pfvf->pfc_en = old_pfc_en;
+ return err;
++ }
+
+ /* Request Per channel Bpids */
+ if (pfc->pfc_en)
+@@ -425,6 +430,12 @@ static int otx2_dcbnl_ieee_setpfc(struct net_device *dev, struct ieee_pfc *pfc)
+
+ err = otx2_pfc_txschq_update(pfvf);
+ if (err) {
++ if (pfc->pfc_en)
++ otx2_nix_config_bp(pfvf, false);
++
++ otx2_pfc_txschq_stop(pfvf);
++ pfvf->pfc_en = old_pfc_en;
++ otx2_config_priority_flow_ctrl(pfvf);
+ dev_err(pfvf->dev, "%s failed to update TX schedulers\n", __func__);
+ return err;
+ }
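Review bot: In the otx2_pfc_txschq_update() failure path the rollback call `otx2_config_priority_flow_ctrl(pfvf);` discards its return value, so if re-applying the old setting fails, `pfvf->pfc_en` reports the old configuration while the hardware may hold something else. At minimum log it, e.g. `if (otx2_config_priority_flow_ctrl(pfvf))` followed by `dev_err(pfvf->dev, "%s failed to restore PFC config\n", __func__);`. The same path calls `otx2_nix_config_bp(pfvf, false)` whenever the new `pfc->pfc_en` is non-zero; if backpressure was already enabled under `old_pfc_en`, this appears to switch it off rather than restore it, which is worth confirming against the lines between the hunks that are not shown. The function continues past the end of this hunk.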
+--
+2.43.0
+
--- /dev/null
+From acdc5c572764fe0b037148bfef72d96c4b15c282 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Dec 2023 17:16:50 -0800
+Subject: platform/x86/intel/pmc: Fix hang in pmc_core_send_ltr_ignore()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rajvi Jingar <rajvi.jingar@linux.intel.com>
+
+[ Upstream commit fbcf67ce5a9e2831c14bdfb895be05213e611724 ]
+
+For input value 0, PMC stays unassigned which causes crash while trying
+to access PMC for register read/write. Include LTR index 0 in pmc_index
+and ltr_index calculation.
+
+Fixes: 2bcef4529222 ("platform/x86:intel/pmc: Enable debugfs multiple PMC support")
+Signed-off-by: Rajvi Jingar <rajvi.jingar@linux.intel.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20231216011650.1973941-1-rajvi.jingar@linux.intel.com
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel/pmc/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/intel/pmc/core.c b/drivers/platform/x86/intel/pmc/core.c
+index 84c175b9721a0..e95d3011b9997 100644
+--- a/drivers/platform/x86/intel/pmc/core.c
++++ b/drivers/platform/x86/intel/pmc/core.c
+@@ -472,7 +472,7 @@ int pmc_core_send_ltr_ignore(struct pmc_dev *pmcdev, u32 value)
+ * is based on the contiguous indexes from ltr_show output.
+ * pmc index and ltr index needs to be calculated from it.
+ */
+- for (pmc_index = 0; pmc_index < ARRAY_SIZE(pmcdev->pmcs) && ltr_index > 0; pmc_index++) {
++ for (pmc_index = 0; pmc_index < ARRAY_SIZE(pmcdev->pmcs) && ltr_index >= 0; pmc_index++) {
+ pmc = pmcdev->pmcs[pmc_index];
+
+ if (!pmc)
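Review bot: The new loop condition `ltr_index >= 0` only ends the loop if `ltr_index` is a signed type; its declaration is outside this hunk, and `value` arrives as `u32`. If `ltr_index` is unsigned the test is always true. If it is a signed copy of `value`, inputs above INT_MAX become negative and skip the loop entirely, leaving `pmc` unassigned, which is the state the commit message describes for input 0. Please confirm that the code after the loop rejects `ltr_index < 0` before `pmc` is used, and consider a comment such as `/* ltr_index must be signed for the >= 0 test to terminate the loop */`.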
+--
+2.43.0
+
--- /dev/null
+From 6282059e655e1883e53a5a02267afea741d6f2a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Nov 2023 17:55:33 +0100
+Subject: reset: Fix crash when freeing non-existent optional resets
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 4a6756f56bcf8e64c87144a626ce53aea4899c0e ]
+
+When obtaining one or more optional resets, non-existent resets are
+stored as NULL pointers, and all related error and cleanup paths need to
+take this into account.
+
+Currently only reset_control_put() and reset_control_bulk_put()
+get this right. All of __reset_control_bulk_get(),
+of_reset_control_array_get(), and reset_control_array_put() lack the
+proper checking, causing NULL pointer dereferences on failure or
+release.
+
+Fix this by moving the existing check from reset_control_bulk_put() to
+__reset_control_put_internal(), so it applies to all callers.
+The double check in reset_control_put() doesn't hurt.
+
+Fixes: 17c82e206d2a3cd8 ("reset: Add APIs to manage array of resets")
+Fixes: 48d71395896d54ee ("reset: Add reset_control_bulk API")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/2440edae7ca8534628cdbaf559ded288f2998178.1701276806.git.geert+renesas@glider.be
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/reset/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/reset/core.c b/drivers/reset/core.c
+index f0a076e94118f..92cc13ef3e566 100644
+--- a/drivers/reset/core.c
++++ b/drivers/reset/core.c
+@@ -807,6 +807,9 @@ static void __reset_control_put_internal(struct reset_control *rstc)
+ {
+ lockdep_assert_held(&reset_list_mutex);
+
++ if (IS_ERR_OR_NULL(rstc))
++ return;
++
+ kref_put(&rstc->refcnt, __reset_control_release);
+ }
+
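Review bot: `__reset_control_put_internal()` now returns silently for NULL and for error pointers, but nothing in the function says why. A short comment such as `/* optional resets that do not exist are stored as NULL */` above the `IS_ERR_OR_NULL(rstc)` check would tell future readers that the early return is part of the contract and not a defensive leftover. Because the check also swallows ERR_PTR values, a caller that passes a failed lookup result is no longer noticed here.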
+@@ -1017,11 +1020,8 @@ EXPORT_SYMBOL_GPL(reset_control_put);
+ void reset_control_bulk_put(int num_rstcs, struct reset_control_bulk_data *rstcs)
+ {
+ mutex_lock(&reset_list_mutex);
+- while (num_rstcs--) {
+- if (IS_ERR_OR_NULL(rstcs[num_rstcs].rstc))
+- continue;
++ while (num_rstcs--)
+ __reset_control_put_internal(rstcs[num_rstcs].rstc);
+- }
+ mutex_unlock(&reset_list_mutex);
+ }
+ EXPORT_SYMBOL_GPL(reset_control_bulk_put);
+--
+2.43.0
+
--- /dev/null
+From 6f98586f0f2ba9c581e49eaa15646e5c26b005ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Nov 2023 13:51:52 +0100
+Subject: Revert "net/mlx5e: fix double free of encap_header in update funcs"
+
+From: Vlad Buslov <vladbu@nvidia.com>
+
+[ Upstream commit 66ca8d4deca09bce3fc7bcf8ea7997fa1a51c33c ]
+
+This reverts commit 3a4aa3cb83563df942be49d145ee3b7ddf17d6bb.
+
+This patch is causing a null ptr issue, the proper fix is in the next
+patch.
+
+Fixes: 3a4aa3cb8356 ("net/mlx5e: fix double free of encap_header in update funcs")
+Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/mellanox/mlx5/core/en/tc_tun.c | 20 +++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+index 668da5c70e63d..8bca696b6658c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+@@ -403,12 +403,16 @@ int mlx5e_tc_tun_update_header_ipv4(struct mlx5e_priv *priv,
+ if (err)
+ goto free_encap;
+
++ e->encap_size = ipv4_encap_size;
++ kfree(e->encap_header);
++ e->encap_header = encap_header;
++
+ if (!(nud_state & NUD_VALID)) {
+ neigh_event_send(attr.n, NULL);
+ /* the encap entry will be made valid on neigh update event
+ * and not used before that.
+ */
+- goto free_encap;
++ goto release_neigh;
+ }
+
+ memset(&reformat_params, 0, sizeof(reformat_params));
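Review bot: With `kfree(e->encap_header); e->encap_header = encap_header;` moved back in front of the reformat allocation, every later `goto free_encap` runs with `e->encap_header` already pointing at the new buffer. If that label frees `encap_header` (it is outside the hunk), the entry keeps a dangling pointer that is freed again when the entry is destroyed. The same applies to the ipv6 hunks of this patch and to the create_header_ipv4/ipv6 hunks of the following revert, which assign `e->encap_header` before their `goto destroy_neigh_entry` paths. The commit message defers the proper fix to "the next patch"; I do not see it among the series entries visible here, so please confirm it is queued together with these two reverts.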
+@@ -422,10 +426,6 @@ int mlx5e_tc_tun_update_header_ipv4(struct mlx5e_priv *priv,
+ goto free_encap;
+ }
+
+- e->encap_size = ipv4_encap_size;
+- kfree(e->encap_header);
+- e->encap_header = encap_header;
+-
+ e->flags |= MLX5_ENCAP_ENTRY_VALID;
+ mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev));
+ mlx5e_route_lookup_ipv4_put(&attr);
+@@ -669,12 +669,16 @@ int mlx5e_tc_tun_update_header_ipv6(struct mlx5e_priv *priv,
+ if (err)
+ goto free_encap;
+
++ e->encap_size = ipv6_encap_size;
++ kfree(e->encap_header);
++ e->encap_header = encap_header;
++
+ if (!(nud_state & NUD_VALID)) {
+ neigh_event_send(attr.n, NULL);
+ /* the encap entry will be made valid on neigh update event
+ * and not used before that.
+ */
+- goto free_encap;
++ goto release_neigh;
+ }
+
+ memset(&reformat_params, 0, sizeof(reformat_params));
+@@ -688,10 +692,6 @@ int mlx5e_tc_tun_update_header_ipv6(struct mlx5e_priv *priv,
+ goto free_encap;
+ }
+
+- e->encap_size = ipv6_encap_size;
+- kfree(e->encap_header);
+- e->encap_header = encap_header;
+-
+ e->flags |= MLX5_ENCAP_ENTRY_VALID;
+ mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev));
+ mlx5e_route_lookup_ipv6_put(&attr);
+--
+2.43.0
+
--- /dev/null
+From cf8793ef1bf5b4cbffcc4f1e3108e38ef0da1958 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Nov 2023 13:52:28 +0100
+Subject: Revert "net/mlx5e: fix double free of encap_header"
+
+From: Vlad Buslov <vladbu@nvidia.com>
+
+[ Upstream commit 5d089684dc434a31e08d32f0530066d0025c52e4 ]
+
+This reverts commit 6f9b1a0731662648949a1c0587f6acb3b7f8acf1.
+
+This patch is causing a null ptr issue, the proper fix is in the next
+patch.
+
+Fixes: 6f9b1a073166 ("net/mlx5e: fix double free of encap_header")
+Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+index 8bca696b6658c..00a04fdd756f5 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+@@ -300,6 +300,9 @@ int mlx5e_tc_tun_create_header_ipv4(struct mlx5e_priv *priv,
+ if (err)
+ goto destroy_neigh_entry;
+
++ e->encap_size = ipv4_encap_size;
++ e->encap_header = encap_header;
++
+ if (!(nud_state & NUD_VALID)) {
+ neigh_event_send(attr.n, NULL);
+ /* the encap entry will be made valid on neigh update event
+@@ -319,8 +322,6 @@ int mlx5e_tc_tun_create_header_ipv4(struct mlx5e_priv *priv,
+ goto destroy_neigh_entry;
+ }
+
+- e->encap_size = ipv4_encap_size;
+- e->encap_header = encap_header;
+ e->flags |= MLX5_ENCAP_ENTRY_VALID;
+ mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev));
+ mlx5e_route_lookup_ipv4_put(&attr);
+@@ -567,6 +568,9 @@ int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv,
+ if (err)
+ goto destroy_neigh_entry;
+
++ e->encap_size = ipv6_encap_size;
++ e->encap_header = encap_header;
++
+ if (!(nud_state & NUD_VALID)) {
+ neigh_event_send(attr.n, NULL);
+ /* the encap entry will be made valid on neigh update event
+@@ -586,8 +590,6 @@ int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv,
+ goto destroy_neigh_entry;
+ }
+
+- e->encap_size = ipv6_encap_size;
+- e->encap_header = encap_header;
+ e->flags |= MLX5_ENCAP_ENTRY_VALID;
+ mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev));
+ mlx5e_route_lookup_ipv6_put(&attr);
+--
+2.43.0
+
--- /dev/null
+From d1fe8368841f9b9e06f4a01c543858dbf141ad91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Dec 2023 15:03:15 +0100
+Subject: s390/vx: fix save/restore of fpu kernel context
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit e6b2dab41888332bf83f592131e7ea07756770a4 ]
+
+The KERNEL_FPR mask only contains a flag for the first eight vector
+registers. However floating point registers overlay parts of the first
+sixteen vector registers.
+
+This could lead to vector register corruption if a kernel fpu context uses
+any of the vector registers 8 to 15 and is interrupted or calls a
+KERNEL_FPR context. If that context uses also vector registers 8 to 15,
+their contents will be corrupted on return.
+
+Luckily this is currently not a real bug, since the kernel has only one
+KERNEL_FPR user with s390_adjust_jiffies() and it is only using floating
+point registers 0 to 2.
+
+Fix this by using the correct bits for KERNEL_FPR.
+
+Fixes: 7f79695cc1b6 ("s390/fpu: improve kernel_fpu_[begin|end]")
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/fpu/api.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/include/asm/fpu/api.h b/arch/s390/include/asm/fpu/api.h
+index b714ed0ef6885..9acf48e53a87f 100644
+--- a/arch/s390/include/asm/fpu/api.h
++++ b/arch/s390/include/asm/fpu/api.h
+@@ -79,7 +79,7 @@ static inline int test_fp_ctl(u32 fpc)
+ #define KERNEL_VXR_HIGH (KERNEL_VXR_V16V23|KERNEL_VXR_V24V31)
+
+ #define KERNEL_VXR (KERNEL_VXR_LOW|KERNEL_VXR_HIGH)
+-#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_V0V7)
++#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_LOW)
+
+ struct kernel_fpu;
+
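Review bot: The `KERNEL_FPR` define has no comment explaining why it needs `KERNEL_VXR_LOW` rather than `KERNEL_VXR_V0V7`, and the name alone suggests that only the floating point registers are involved. I would add `/* floating point registers overlay parts of vector registers 0 to 15 */` above the define so the mask is not narrowed again.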
+--
+2.43.0
+
drm-update-file-owner-during-use.patch
drm-fix-fd-ownership-check-in-drm_master_check_perm.patch
spi-spi-imx-correctly-configure-burst-length-when-us.patch
+arm64-dts-allwinner-h616-update-emac-for-orange-pi-z.patch
+arm-dts-dra7-fix-dra7-l3-noc-node-register-size.patch
+arm-omap2-fix-null-pointer-dereference-and-memory-le.patch
+reset-fix-crash-when-freeing-non-existent-optional-r.patch
+s390-vx-fix-save-restore-of-fpu-kernel-context.patch
+platform-x86-intel-pmc-fix-hang-in-pmc_core_send_ltr.patch
+sunrpc-revert-5f7fc5d69f6e92ec0b38774c387f5cf7812c58.patch
+wifi-ieee80211-don-t-require-protected-vendor-action.patch
+wifi-iwlwifi-pcie-add-another-missing-bh-disable-for.patch
+wifi-mac80211-check-if-the-existing-link-config-rema.patch
+wifi-mac80211-don-t-re-add-debugfs-during-reconfig.patch
+wifi-mac80211-check-defragmentation-succeeded.patch
+wifi-mac80211-mesh-check-element-parsing-succeeded.patch
+wifi-mac80211-mesh_plink-fix-matches_local-logic.patch
+ice-fix-theoretical-out-of-bounds-access-in-ethtool-.patch
+bpf-syzkaller-found-null-ptr-deref-in-unix_bpf-proto.patch
+revert-net-mlx5e-fix-double-free-of-encap_header-in-.patch
+revert-net-mlx5e-fix-double-free-of-encap_header.patch
+net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch
+net-mlx5e-fix-a-race-in-command-alloc-flow.patch
+net-mlx5e-fix-a-potential-double-free-in-fs_udp_crea.patch
+net-mlx5e-fix-overrun-reported-by-coverity.patch
+net-mlx5e-decrease-num_block_tc-when-unblock-tc-offl.patch
+net-mlx5e-xdp-drop-fragmented-packets-larger-than-mt.patch
+net-mlx5-fix-fw-tracer-first-block-check.patch
+net-mlx5-refactor-mlx5_flow_destination-rep-pointer-.patch
+net-mlx5e-fix-error-code-in-mlx5e_tc_action_miss_map.patch
+net-mlx5e-fix-error-codes-in-alloc_branch_attr.patch
+net-mlx5e-correct-snprintf-truncation-handling-for-f.patch
+net-mlx5e-correct-snprintf-truncation-handling-for-f.patch-13064
+net-mscc-ocelot-fix-emac-tx-rmon-stats-for-bucket-25.patch
+net-mscc-ocelot-fix-pmac-tx-rmon-stats-for-bucket-25.patch
+octeontx2-pf-fix-graceful-exit-during-pfc-configurat.patch
+net-return-error-from-sk_stream_wait_connect-if-sk_w.patch
+net-sched-ife-fix-potential-use-after-free.patch
+ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch
+net-rose-fix-races-in-rose_kill_by_device.patch
+bluetooth-fix-not-notifying-when-connection-encrypti.patch
+bluetooth-fix-deadlock-in-vhci_send_frame.patch
+bluetooth-hci_event-shut-up-a-false-positive-warning.patch
+bluetooth-hci_core-fix-hci_conn_hash_lookup_cis.patch
+bnxt_en-do-not-map-packet-buffers-twice.patch
+net-phy-skip-led-triggers-on-phys-on-sfp-modules.patch
+ice-stop-trashing-vf-vsi-aggregator-node-id-informat.patch
+ice-alter-feature-support-check-for-sriov-and-lag.patch
+ice-fix-pf-with-enabled-xdp-going-no-carrier-after-r.patch
+net-mana-select-page_pool.patch
+net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch
+afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch
+afs-fix-dynamic-root-lookup-dns-check.patch
+net-ethernet-mtk_wed-fix-possible-null-pointer-deref.patch
+net-ipv6-revert-remove-expired-routes-with-a-separat.patch
+net-check-dev-gso_max_size-in-gso_features_check.patch
+keys-dns-allow-key-types-eg.-dns-to-be-reclaimed-imm.patch
+afs-fix-overwriting-of-result-of-dns-query.patch
+afs-fix-use-after-free-due-to-get-remove-race-in-vol.patch
--- /dev/null
+From 1f7f52ecb95d59c2a9f314a77c4936177a5791bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Dec 2023 17:05:40 -0500
+Subject: SUNRPC: Revert 5f7fc5d69f6e92ec0b38774c387f5cf7812c5806
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit bd018b98ba84ca0c80abac1ef23ce726a809e58c ]
+
+Guillaume says:
+> I believe commit 5f7fc5d69f6e ("SUNRPC: Resupply rq_pages from
+> node-local memory") in Linux 6.5+ is incorrect. It passes
+> unconditionally rq_pool->sp_id as the NUMA node.
+>
+> While the comment in the svc_pool declaration in sunrpc/svc.h says
+> that sp_id is also the NUMA node id, it might not be the case if
+> the svc is created using svc_create_pooled(). svc_created_pooled()
+> can use the per-cpu pool mode therefore in this case sp_id would
+> be the cpu id.
+
+Fix this by reverting now. At a later point this minor optimization,
+and the deceptive labeling of the sp_id field, can be revisited.
+
+Reported-by: Guillaume Morin <guillaume@morinfr.org>
+Closes: https://lore.kernel.org/linux-nfs/ZYC9rsno8qYggVt9@bender.morinfr.org/T/#u
+Fixes: 5f7fc5d69f6e ("SUNRPC: Resupply rq_pages from node-local memory")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/svc_xprt.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
+index 4cfe9640df481..5cfe5c7408b74 100644
+--- a/net/sunrpc/svc_xprt.c
++++ b/net/sunrpc/svc_xprt.c
+@@ -666,9 +666,8 @@ static bool svc_alloc_arg(struct svc_rqst *rqstp)
+ }
+
+ for (filled = 0; filled < pages; filled = ret) {
+- ret = alloc_pages_bulk_array_node(GFP_KERNEL,
+- rqstp->rq_pool->sp_id,
+- pages, rqstp->rq_pages);
++ ret = alloc_pages_bulk_array(GFP_KERNEL, pages,
++ rqstp->rq_pages);
+ if (ret > filled)
+ /* Made progress, don't sleep yet */
+ continue;
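Review bot: Nothing at the `alloc_pages_bulk_array()` call records why the node-aware variant must not come back. Per the commit message, `sp_id` is a CPU id when the service uses the per-cpu pool mode, so it is not always a valid NUMA node argument. A comment above the call such as `/* sp_id is not always a NUMA node id (per-cpu pool mode), so allocate without a node hint */` would keep the optimization from being reapplied unchanged. The loop body in svc_alloc_arg continues outside the hunk.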
+--
+2.43.0
+
--- /dev/null
+From dad70659065731a236aa22154158f18313cbbaf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Dec 2023 22:37:57 +0100
+Subject: wifi: ieee80211: don't require protected vendor action frames
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 98fb9b9680c9f3895ced02d6a73e27f5d7b5892b ]
+
+For vendor action frames, whether a protected one should be
+used or not is clearly up to the individual vendor and frame,
+so even though a protected dual is defined, it may not get
+used. Thus, don't require protection for vendor action frames
+when they're used in a connection.
+
+Since we obviously don't process frames unknown to the kernel
+in the kernel, it may makes sense to invert this list to have
+all the ones the kernel processes and knows to be requiring
+protection, but that'd be a different change.
+
+Fixes: 91535613b609 ("wifi: mac80211: don't drop all unprotected public action frames")
+Reported-by: Jouni Malinen <j@w1.fi>
+Link: https://msgid.link/20231206223801.f6a2cf4e67ec.Ifa6acc774bd67801d3dafb405278f297683187aa@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ieee80211.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
+index b24fb80782c5a..2b0a73cb7cbb0 100644
+--- a/include/linux/ieee80211.h
++++ b/include/linux/ieee80211.h
+@@ -4381,7 +4381,8 @@ ieee80211_is_protected_dual_of_public_action(struct sk_buff *skb)
+ action != WLAN_PUB_ACTION_LOC_TRACK_NOTI &&
+ action != WLAN_PUB_ACTION_FTM_REQUEST &&
+ action != WLAN_PUB_ACTION_FTM_RESPONSE &&
+- action != WLAN_PUB_ACTION_FILS_DISCOVERY;
++ action != WLAN_PUB_ACTION_FILS_DISCOVERY &&
++ action != WLAN_PUB_ACTION_VENDOR_SPECIFIC;
+ }
+
+ /**
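Review bot: The exclusion list in ieee80211_is_protected_dual_of_public_action gains `WLAN_PUB_ACTION_VENDOR_SPECIFIC` without a comment. Per the commit message this entry differs from its neighbours: a protected dual is defined, but whether it is used is up to the vendor. A comment on the new line, e.g. `/* protected dual exists, but its use is vendor-defined */`, would stop a later reader from treating the exemption as an oversight. Unprotected vendor action frames are then no longer rejected by this check on a connection, so presumably whatever consumes them has to decide for itself whether protection is required; that consumer is not visible here. The function starts outside the hunk.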
+--
+2.43.0
+
--- /dev/null
+From 80d2ea04c84ad33fb96559413833d90772e923a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Dec 2023 18:32:02 +0200
+Subject: wifi: iwlwifi: pcie: add another missing bh-disable for rxq->lock
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit a4754182dc936b97ec7e9f6b08cdf7ed97ef9069 ]
+
+Evidently I had only looked at all the ones in rx.c, and missed this.
+Add bh-disable to this use of the rxq->lock as well.
+
+Fixes: 25edc8f259c7 ("iwlwifi: pcie: properly implement NAPI")
+Reported-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20231208183100.e79ad3dae649.I8f19713c4383707f8be7fc20ff5cc1ecf12429bb@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+index 583d1011963ec..2e23ccd7d7938 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -3088,7 +3088,7 @@ static u32 iwl_trans_pcie_dump_rbs(struct iwl_trans *trans,
+ struct iwl_rxq *rxq = &trans_pcie->rxq[0];
+ u32 i, r, j, rb_len = 0;
+
+- spin_lock(&rxq->lock);
++ spin_lock_bh(&rxq->lock);
+
+ r = le16_to_cpu(iwl_get_closed_rb_stts(trans, rxq)) & 0x0FFF;
+
+@@ -3112,7 +3112,7 @@ static u32 iwl_trans_pcie_dump_rbs(struct iwl_trans *trans,
+ *data = iwl_fw_error_next_data(*data);
+ }
+
+- spin_unlock(&rxq->lock);
++ spin_unlock_bh(&rxq->lock);
+
+ return rb_len;
+ }
+--
+2.43.0
+
--- /dev/null
+From cea2dde262894559c1151f0dd3d1595b5e6637d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 09:05:30 +0200
+Subject: wifi: mac80211: check defragmentation succeeded
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 98849ba2aa9db46e62720fb686a9d63ed9887806 ]
+
+We need to check that cfg80211_defragment_element()
+didn't return an error, since it can fail due to bad
+input, and we didn't catch that before.
+
+Fixes: 8eb8dd2ffbbb ("wifi: mac80211: Support link removal using Reconfiguration ML element")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20231211085121.8595a6b67fc0.I1225edd8f98355e007f96502e358e476c7971d8c@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 0c9198997482b..73f8df03d159c 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -5805,7 +5805,7 @@ static void ieee80211_ml_reconfiguration(struct ieee80211_sub_if_data *sdata,
+ {
+ const struct ieee80211_multi_link_elem *ml;
+ const struct element *sub;
+- size_t ml_len;
++ ssize_t ml_len;
+ unsigned long removed_links = 0;
+ u16 link_removal_timeout[IEEE80211_MLD_MAX_NUM_LINKS] = {};
+ u8 link_id;
+@@ -5821,6 +5821,8 @@ static void ieee80211_ml_reconfiguration(struct ieee80211_sub_if_data *sdata,
+ elems->scratch + elems->scratch_len -
+ elems->scratch_pos,
+ WLAN_EID_FRAGMENT);
++ if (ml_len < 0)
++ return;
+
+ elems->ml_reconf = (const void *)elems->scratch_pos;
+ elems->ml_reconf_len = ml_len;
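Review bot: The new `if (ml_len < 0) return;` in ieee80211_ml_reconfiguration drops the element without a comment, so nothing at this site says that a failed defragmentation of peer-supplied data is being ignored on purpose. A line above the check such as `/* defragmentation failed on malformed input: ignore the element */` would document that. Whether any earlier state needs resetting on this path cannot be judged here, because the function body continues outside both hunks.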
+--
+2.43.0
+
--- /dev/null
+From c1c8666fb0cc19eb9e7ee72687fac7bae54b903d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Nov 2023 20:17:47 +0800
+Subject: wifi: mac80211: check if the existing link config remains unchanged
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit c1393c132b906fbdf91f6d1c9eb2ef7a00cce64e ]
+
+[Syz report]
+WARNING: CPU: 1 PID: 5067 at net/mac80211/rate.c:48 rate_control_rate_init+0x540/0x690 net/mac80211/rate.c:48
+Modules linked in:
+CPU: 1 PID: 5067 Comm: syz-executor413 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
+RIP: 0010:rate_control_rate_init+0x540/0x690 net/mac80211/rate.c:48
+Code: 48 c7 c2 00 46 0c 8c be 08 03 00 00 48 c7 c7 c0 45 0c 8c c6 05 70 79 0b 05 01 e8 1b a0 6f f7 e9 e0 fd ff ff e8 61 b3 8f f7 90 <0f> 0b 90 e9 36 ff ff ff e8 53 b3 8f f7 e8 5e 0b 78 f7 31 ff 89 c3
+RSP: 0018:ffffc90003c57248 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: ffff888016bc4000 RCX: ffffffff89f7d519
+RDX: ffff888076d43b80 RSI: ffffffff89f7d6df RDI: 0000000000000005
+RBP: ffff88801daaae20 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000001
+R13: 0000000000000000 R14: ffff888020030e20 R15: ffff888078f08000
+FS: 0000555556b94380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000005fdeb8 CR3: 0000000076d22000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ sta_apply_auth_flags.constprop.0+0x4b7/0x510 net/mac80211/cfg.c:1674
+ sta_apply_parameters+0xaf1/0x16c0 net/mac80211/cfg.c:2002
+ ieee80211_add_station+0x3fa/0x6c0 net/mac80211/cfg.c:2068
+ rdev_add_station net/wireless/rdev-ops.h:201 [inline]
+ nl80211_new_station+0x13ba/0x1a70 net/wireless/nl80211.c:7603
+ genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972
+ genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
+ genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067
+ netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2545
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
+ netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
+ netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1368
+ netlink_sendmsg+0x93c/0xe40 net/netlink/af_netlink.c:1910
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0xd5/0x180 net/socket.c:745
+ ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
+ ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
+ __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+[Analysis]
+It is inappropriate to make a link configuration change judgment on an
+non-existent and non new link.
+
+[Fix]
+Quickly exit when there is a existent link and the link configuration has not
+changed.
+
+Fixes: b303835dabe0 ("wifi: mac80211: accept STA changes without link changes")
+Reported-and-tested-by: syzbot+62d7eef57b09bfebcd84@syzkaller.appspotmail.com
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Link: https://msgid.link/tencent_DE67FF86DB92ED465489A36ECD2EDDCC8C06@qq.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 715da615f0359..f7cb50b0dd4ed 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1806,10 +1806,10 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
+ lockdep_is_held(&local->sta_mtx));
+
+ /*
+- * If there are no changes, then accept a link that doesn't exist,
++ * If there are no changes, then accept a link that exist,
+ * unless it's a new link.
+ */
+- if (params->link_id < 0 && !new_link &&
++ if (params->link_id >= 0 && !new_link &&
+ !params->link_mac && !params->txpwr_set &&
+ !params->supported_rates_len &&
+ !params->ht_capa && !params->vht_capa &&
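Review bot: The rewritten comment above the condition, `accept a link that exist`, is ungrammatical and harder to read than the line it replaces. `If there are no changes, then accept a link that exists, unless it's a new link.` reads correctly. The condition in sta_link_apply_parameters continues past the end of the hunk, so the path now taken for `params->link_id < 0` cannot be checked here; it may be worth saying in the comment what happens in that case.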
+--
+2.43.0
+
--- /dev/null
+From 4fdbad6c97044e0924c19eeacb0b9e087e748bea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 09:05:19 +0200
+Subject: wifi: mac80211: don't re-add debugfs during reconfig
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 63bafd9d5421959b2124dd940ed8d7462d99f449 ]
+
+If we're doing reconfig, then we cannot add the debugfs
+files that are already there from before the reconfig.
+Skip that in drv_change_sta_links() during reconfig.
+
+Fixes: d2caad527c19 ("wifi: mac80211: add API to show the link STAs in debugfs")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Reviewed-by: Gregory Greenman <gregory.greenman@intel.com>
+Reviewed-by: Benjamin Berg <benjamin.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20231211085121.88a950f43e16.Id71181780994649219685887c0fcad33d387cc78@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/driver-ops.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c
+index aa37a1410f377..f8af0c3d405ae 100644
+--- a/net/mac80211/driver-ops.c
++++ b/net/mac80211/driver-ops.c
+@@ -1,7 +1,7 @@
+ // SPDX-License-Identifier: GPL-2.0-only
+ /*
+ * Copyright 2015 Intel Deutschland GmbH
+- * Copyright (C) 2022 Intel Corporation
++ * Copyright (C) 2022-2023 Intel Corporation
+ */
+ #include <net/mac80211.h>
+ #include "ieee80211_i.h"
+@@ -564,6 +564,10 @@ int drv_change_sta_links(struct ieee80211_local *local,
+ if (ret)
+ return ret;
+
++ /* during reconfig don't add it to debugfs again */
++ if (local->in_reconfig)
++ return 0;
++
+ for_each_set_bit(link_id, &links_to_add, IEEE80211_MLD_MAX_NUM_LINKS) {
+ link_sta = rcu_dereference_protected(info->link[link_id],
+ lockdep_is_held(&local->sta_mtx));
+--
+2.43.0
+
--- /dev/null
+From 296b8a010a62ae0ac012ef39c762d6278b6b9138 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 09:05:32 +0200
+Subject: wifi: mac80211: mesh: check element parsing succeeded
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 1fc4a3eec50d726f4663ad3c0bb0158354d6647a ]
+
+ieee802_11_parse_elems() can return NULL, so we must
+check for the return value.
+
+Fixes: 5d24828d05f3 ("mac80211: always allocate struct ieee802_11_elems")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20231211085121.93dea364f3d3.Ie87781c6c48979fb25a744b90af4a33dc2d83a28@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh_plink.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
+index a1e526419e9d2..5c8a3ff0ae0cc 100644
+--- a/net/mac80211/mesh_plink.c
++++ b/net/mac80211/mesh_plink.c
+@@ -1243,6 +1243,8 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata,
+ return;
+ }
+ elems = ieee802_11_parse_elems(baseaddr, len - baselen, true, NULL);
+- mesh_process_plink_frame(sdata, mgmt, elems, rx_status);
+- kfree(elems);
++ if (elems) {
++ mesh_process_plink_frame(sdata, mgmt, elems, rx_status);
++ kfree(elems);
++ }
+ }
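Review bot: The NULL check in mesh_rx_plink_frame wraps both calls in a block, while the check just above it in the same function exits early with `return;`. An early `if (!elems) return;` right after the parse would match that style and leave `mesh_process_plink_frame()` and `kfree()` at their original indentation. The start of the function is outside the hunk.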
+--
+2.43.0
+
--- /dev/null
+From 55117cbfab71eb4cfbafae1fbbd21d5704665bd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 09:05:31 +0200
+Subject: wifi: mac80211: mesh_plink: fix matches_local logic
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 8c386b166e2517cf3a123018e77941ec22625d0f ]
+
+During refactoring the "else" here got lost, add it back.
+
+Fixes: c99a89edb106 ("mac80211: factor out plink event gathering")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20231211085121.795480fa0e0b.I017d501196a5bbdcd9afd33338d342d6fe1edd79@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh_plink.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
+index 5c8a3ff0ae0cc..cc62c2a01f54f 100644
+--- a/net/mac80211/mesh_plink.c
++++ b/net/mac80211/mesh_plink.c
+@@ -1064,8 +1064,8 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata,
+ case WLAN_SP_MESH_PEERING_OPEN:
+ if (!matches_local)
+ event = OPN_RJCT;
+- if (!mesh_plink_free_count(sdata) ||
+- (sta->mesh->plid && sta->mesh->plid != plid))
++ else if (!mesh_plink_free_count(sdata) ||
++ (sta->mesh->plid && sta->mesh->plid != plid))
+ event = OPN_IGNR;
+ else
+ event = OPN_ACPT;
+@@ -1073,9 +1073,9 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata,
+ case WLAN_SP_MESH_PEERING_CONFIRM:
+ if (!matches_local)
+ event = CNF_RJCT;
+- if (!mesh_plink_free_count(sdata) ||
+- sta->mesh->llid != llid ||
+- (sta->mesh->plid && sta->mesh->plid != plid))
++ else if (!mesh_plink_free_count(sdata) ||
++ sta->mesh->llid != llid ||
++ (sta->mesh->plid && sta->mesh->plid != plid))
+ event = CNF_IGNR;
+ else
+ event = CNF_ACPT;
+--
+2.43.0
+