--- /dev/null
+From 1f171291c0642fba94d688debf8b11d268168163 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 18:17:52 +0800
+Subject: hsr: Fix uninit-value access in fill_frame_info()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 484b4833c604c0adcf19eac1ca14b60b757355b5 ]
+
+Syzbot reports the following uninit-value access problem.
+
+=====================================================
+BUG: KMSAN: uninit-value in fill_frame_info net/hsr/hsr_forward.c:601 [inline]
+BUG: KMSAN: uninit-value in hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616
+ fill_frame_info net/hsr/hsr_forward.c:601 [inline]
+ hsr_forward_skb+0x9bd/0x30f0 net/hsr/hsr_forward.c:616
+ hsr_dev_xmit+0x192/0x330 net/hsr/hsr_device.c:223
+ __netdev_start_xmit include/linux/netdevice.h:4889 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4903 [inline]
+ xmit_one net/core/dev.c:3544 [inline]
+ dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3560
+ __dev_queue_xmit+0x34d0/0x52a0 net/core/dev.c:4340
+ dev_queue_xmit include/linux/netdevice.h:3082 [inline]
+ packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
+ packet_snd net/packet/af_packet.c:3087 [inline]
+ packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ sock_sendmsg net/socket.c:753 [inline]
+ __sys_sendto+0x781/0xa30 net/socket.c:2176
+ __do_sys_sendto net/socket.c:2188 [inline]
+ __se_sys_sendto net/socket.c:2184 [inline]
+ __ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184
+ do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
+ __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
+ do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
+ do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
+ entry_SYSENTER_compat_after_hwframe+0x70/0x82
+
+Uninit was created at:
+ slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
+ slab_alloc_node mm/slub.c:3478 [inline]
+ kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
+ kmalloc_reserve+0x148/0x470 net/core/skbuff.c:559
+ __alloc_skb+0x318/0x740 net/core/skbuff.c:644
+ alloc_skb include/linux/skbuff.h:1286 [inline]
+ alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6299
+ sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2794
+ packet_alloc_skb net/packet/af_packet.c:2936 [inline]
+ packet_snd net/packet/af_packet.c:3030 [inline]
+ packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ sock_sendmsg net/socket.c:753 [inline]
+ __sys_sendto+0x781/0xa30 net/socket.c:2176
+ __do_sys_sendto net/socket.c:2188 [inline]
+ __se_sys_sendto net/socket.c:2184 [inline]
+ __ia32_sys_sendto+0x11f/0x1c0 net/socket.c:2184
+ do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
+ __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
+ do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
+ do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
+ entry_SYSENTER_compat_after_hwframe+0x70/0x82
+
+It is because VLAN not yet supported in hsr driver. Return error
+when protocol is ETH_P_8021Q in fill_frame_info() now to fix it.
+
+Fixes: 451d8123f897 ("net: prp: add packet handling support")
+Reported-by: syzbot+bf7e6250c7ce248f3ec9@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=bf7e6250c7ce248f3ec9
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_forward.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
+index 629daacc96071..b71dab630a873 100644
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -594,6 +594,7 @@ static int fill_frame_info(struct hsr_frame_info *frame,
+ proto = vlan_hdr->vlanhdr.h_vlan_encapsulated_proto;
+ /* FIXME: */
+ netdev_warn_once(skb->dev, "VLAN not yet supported");
++ return -EINVAL;
+ }
+
+ frame->is_from_san = false;
+--
+2.40.1
+
--- /dev/null
+From f97f930ad5cdd7d84f36ef12873886c9ac1d735a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 15:42:13 +0000
+Subject: ipv6: fix ip6_sock_set_addr_preferences() typo
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8cdd9f1aaedf823006449faa4e540026c692ac43 ]
+
+ip6_sock_set_addr_preferences() second argument should be an integer.
+
+SUNRPC attempts to set IPV6_PREFER_SRC_PUBLIC were
+translated to IPV6_PREFER_SRC_TMP
+
+Fixes: 18d5ad623275 ("ipv6: add ip6_sock_set_addr_preferences")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Chuck Lever <chuck.lever@oracle.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20230911154213.713941-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ipv6.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/ipv6.h b/include/net/ipv6.h
+index e4ceef687c1c2..8ced112167599 100644
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -1322,7 +1322,7 @@ static inline int __ip6_sock_set_addr_preferences(struct sock *sk, int val)
+ return 0;
+ }
+
+-static inline int ip6_sock_set_addr_preferences(struct sock *sk, bool val)
++static inline int ip6_sock_set_addr_preferences(struct sock *sk, int val)
+ {
+ int ret;
+
+--
+2.40.1
+
--- /dev/null
+From 0031bc8af9f275c515962c73462583941ada89b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Mar 2023 16:54:54 -0700
+Subject: ipv6: Remove in6addr_any alternatives.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 8cdc3223e78c43e1b60ea1c536a103e32fdca3c5 ]
+
+Some code defines the IPv6 wildcard address as a local variable and
+use it with memcmp() or ipv6_addr_equal().
+
+Let's use in6addr_any and ipv6_addr_any() instead.
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Mark Bloch <mbloch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: aa99e5f87bd5 ("tcp: Fix bind() regression for v4-mapped-v6 wildcard address.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c | 5 ++---
+ include/net/ip6_fib.h | 9 +++------
+ include/trace/events/fib.h | 5 ++---
+ include/trace/events/fib6.h | 5 +----
+ net/ethtool/ioctl.c | 10 +++++-----
+ net/ipv4/inet_hashtables.c | 11 ++++-------
+ 6 files changed, 17 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+index 72b61f66df37a..cd15d36b1507e 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+@@ -97,7 +97,6 @@ int mlx5e_tc_set_attr_rx_tun(struct mlx5e_tc_flow *flow,
+ #if IS_ENABLED(CONFIG_INET) && IS_ENABLED(CONFIG_IPV6)
+ else if (ip_version == 6) {
+ int ipv6_size = MLX5_FLD_SZ_BYTES(ipv6_layout, ipv6);
+- struct in6_addr zerov6 = {};
+
+ daddr = MLX5_ADDR_OF(fte_match_param, spec->match_value,
+ outer_headers.dst_ipv4_dst_ipv6.ipv6_layout.ipv6);
+@@ -105,8 +104,8 @@ int mlx5e_tc_set_attr_rx_tun(struct mlx5e_tc_flow *flow,
+ outer_headers.src_ipv4_src_ipv6.ipv6_layout.ipv6);
+ memcpy(&tun_attr->dst_ip.v6, daddr, ipv6_size);
+ memcpy(&tun_attr->src_ip.v6, saddr, ipv6_size);
+- if (!memcmp(&tun_attr->dst_ip.v6, &zerov6, sizeof(zerov6)) ||
+- !memcmp(&tun_attr->src_ip.v6, &zerov6, sizeof(zerov6)))
++ if (ipv6_addr_any(&tun_attr->dst_ip.v6) ||
++ ipv6_addr_any(&tun_attr->src_ip.v6))
+ return 0;
+ }
+ #endif
+diff --git a/include/net/ip6_fib.h b/include/net/ip6_fib.h
+index a92f6eb853068..fa4e6af382e2a 100644
+--- a/include/net/ip6_fib.h
++++ b/include/net/ip6_fib.h
+@@ -472,13 +472,10 @@ void rt6_get_prefsrc(const struct rt6_info *rt, struct in6_addr *addr)
+ rcu_read_lock();
+
+ from = rcu_dereference(rt->from);
+- if (from) {
++ if (from)
+ *addr = from->fib6_prefsrc.addr;
+- } else {
+- struct in6_addr in6_zero = {};
+-
+- *addr = in6_zero;
+- }
++ else
++ *addr = in6addr_any;
+
+ rcu_read_unlock();
+ }
+diff --git a/include/trace/events/fib.h b/include/trace/events/fib.h
+index c2300c407f583..76297ecd4935c 100644
+--- a/include/trace/events/fib.h
++++ b/include/trace/events/fib.h
+@@ -36,7 +36,6 @@ TRACE_EVENT(fib_table_lookup,
+ ),
+
+ TP_fast_assign(
+- struct in6_addr in6_zero = {};
+ struct net_device *dev;
+ struct in6_addr *in6;
+ __be32 *p32;
+@@ -74,7 +73,7 @@ TRACE_EVENT(fib_table_lookup,
+ *p32 = nhc->nhc_gw.ipv4;
+
+ in6 = (struct in6_addr *)__entry->gw6;
+- *in6 = in6_zero;
++ *in6 = in6addr_any;
+ } else if (nhc->nhc_gw_family == AF_INET6) {
+ p32 = (__be32 *) __entry->gw4;
+ *p32 = 0;
+@@ -87,7 +86,7 @@ TRACE_EVENT(fib_table_lookup,
+ *p32 = 0;
+
+ in6 = (struct in6_addr *)__entry->gw6;
+- *in6 = in6_zero;
++ *in6 = in6addr_any;
+ }
+ ),
+
+diff --git a/include/trace/events/fib6.h b/include/trace/events/fib6.h
+index 6e821eb794503..4d3e607b3cdec 100644
+--- a/include/trace/events/fib6.h
++++ b/include/trace/events/fib6.h
+@@ -68,11 +68,8 @@ TRACE_EVENT(fib6_table_lookup,
+ strcpy(__entry->name, "-");
+ }
+ if (res->f6i == net->ipv6.fib6_null_entry) {
+- struct in6_addr in6_zero = {};
+-
+ in6 = (struct in6_addr *)__entry->gw;
+- *in6 = in6_zero;
+-
++ *in6 = in6addr_any;
+ } else if (res->nh) {
+ in6 = (struct in6_addr *)__entry->gw;
+ *in6 = res->nh->fib_nh_gw6;
+diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
+index 940c0e27be735..e31d1247b9f08 100644
+--- a/net/ethtool/ioctl.c
++++ b/net/ethtool/ioctl.c
+@@ -27,6 +27,7 @@
+ #include <linux/net.h>
+ #include <linux/pm_runtime.h>
+ #include <net/devlink.h>
++#include <net/ipv6.h>
+ #include <net/xdp_sock_drv.h>
+ #include <net/flow_offload.h>
+ #include <linux/ethtool_netlink.h>
+@@ -3090,7 +3091,6 @@ struct ethtool_rx_flow_rule *
+ ethtool_rx_flow_rule_create(const struct ethtool_rx_flow_spec_input *input)
+ {
+ const struct ethtool_rx_flow_spec *fs = input->fs;
+- static struct in6_addr zero_addr = {};
+ struct ethtool_rx_flow_match *match;
+ struct ethtool_rx_flow_rule *flow;
+ struct flow_action_entry *act;
+@@ -3196,20 +3196,20 @@ ethtool_rx_flow_rule_create(const struct ethtool_rx_flow_spec_input *input)
+
+ v6_spec = &fs->h_u.tcp_ip6_spec;
+ v6_m_spec = &fs->m_u.tcp_ip6_spec;
+- if (memcmp(v6_m_spec->ip6src, &zero_addr, sizeof(zero_addr))) {
++ if (!ipv6_addr_any((struct in6_addr *)v6_m_spec->ip6src)) {
+ memcpy(&match->key.ipv6.src, v6_spec->ip6src,
+ sizeof(match->key.ipv6.src));
+ memcpy(&match->mask.ipv6.src, v6_m_spec->ip6src,
+ sizeof(match->mask.ipv6.src));
+ }
+- if (memcmp(v6_m_spec->ip6dst, &zero_addr, sizeof(zero_addr))) {
++ if (!ipv6_addr_any((struct in6_addr *)v6_m_spec->ip6dst)) {
+ memcpy(&match->key.ipv6.dst, v6_spec->ip6dst,
+ sizeof(match->key.ipv6.dst));
+ memcpy(&match->mask.ipv6.dst, v6_m_spec->ip6dst,
+ sizeof(match->mask.ipv6.dst));
+ }
+- if (memcmp(v6_m_spec->ip6src, &zero_addr, sizeof(zero_addr)) ||
+- memcmp(v6_m_spec->ip6dst, &zero_addr, sizeof(zero_addr))) {
++ if (!ipv6_addr_any((struct in6_addr *)v6_m_spec->ip6src) ||
++ !ipv6_addr_any((struct in6_addr *)v6_m_spec->ip6dst)) {
+ match->dissector.used_keys |=
+ BIT(FLOW_DISSECTOR_KEY_IPV6_ADDRS);
+ match->dissector.offset[FLOW_DISSECTOR_KEY_IPV6_ADDRS] =
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index c19b462662ad0..38a92c8c66863 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -813,13 +813,11 @@ bool inet_bind2_bucket_match_addr_any(const struct inet_bind2_bucket *tb, const
+ unsigned short port, int l3mdev, const struct sock *sk)
+ {
+ #if IS_ENABLED(CONFIG_IPV6)
+- struct in6_addr addr_any = {};
+-
+ if (sk->sk_family != tb->family) {
+ if (sk->sk_family == AF_INET)
+ return net_eq(ib2_net(tb), net) && tb->port == port &&
+ tb->l3mdev == l3mdev &&
+- ipv6_addr_equal(&tb->v6_rcv_saddr, &addr_any);
++ ipv6_addr_any(&tb->v6_rcv_saddr);
+
+ return false;
+ }
+@@ -827,7 +825,7 @@ bool inet_bind2_bucket_match_addr_any(const struct inet_bind2_bucket *tb, const
+ if (sk->sk_family == AF_INET6)
+ return net_eq(ib2_net(tb), net) && tb->port == port &&
+ tb->l3mdev == l3mdev &&
+- ipv6_addr_equal(&tb->v6_rcv_saddr, &addr_any);
++ ipv6_addr_any(&tb->v6_rcv_saddr);
+ else
+ #endif
+ return net_eq(ib2_net(tb), net) && tb->port == port &&
+@@ -853,11 +851,10 @@ inet_bhash2_addr_any_hashbucket(const struct sock *sk, const struct net *net, in
+ {
+ struct inet_hashinfo *hinfo = tcp_or_dccp_get_hashinfo(sk);
+ u32 hash;
+-#if IS_ENABLED(CONFIG_IPV6)
+- struct in6_addr addr_any = {};
+
++#if IS_ENABLED(CONFIG_IPV6)
+ if (sk->sk_family == AF_INET6)
+- hash = ipv6_portaddr_hash(net, &addr_any, port);
++ hash = ipv6_portaddr_hash(net, &in6addr_any, port);
+ else
+ #endif
+ hash = ipv4_portaddr_hash(net, 0, port);
+--
+2.40.1
+
--- /dev/null
+From 59b72017c125d2e4772f8d7b0688a3e2be1e1ea0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 13:28:14 -0700
+Subject: ixgbe: fix timestamp configuration code
+
+From: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+
+[ Upstream commit 3c44191dd76cf9c0cc49adaf34384cbd42ef8ad2 ]
+
+The commit in fixes introduced flags to control the status of hardware
+configuration while processing packets. At the same time another structure
+is used to provide configuration of timestamper to user-space applications.
+The way it was coded makes this structures go out of sync easily. The
+repro is easy for 82599 chips:
+
+[root@hostname ~]# hwstamp_ctl -i eth0 -r 12 -t 1
+current settings:
+tx_type 0
+rx_filter 0
+new settings:
+tx_type 1
+rx_filter 12
+
+The eth0 device is properly configured to timestamp any PTPv2 events.
+
+[root@hostname ~]# hwstamp_ctl -i eth0 -r 1 -t 1
+current settings:
+tx_type 1
+rx_filter 12
+SIOCSHWTSTAMP failed: Numerical result out of range
+The requested time stamping mode is not supported by the hardware.
+
+The error is properly returned because HW doesn't support all packets
+timestamping. But the adapter->flags is cleared of timestamp flags
+even though no HW configuration was done. From that point no RX timestamps
+are received by user-space application. But configuration shows good
+values:
+
+[root@hostname ~]# hwstamp_ctl -i eth0
+current settings:
+tx_type 1
+rx_filter 12
+
+Fix the issue by applying new flags only when the HW was actually
+configured.
+
+Fixes: a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x devices")
+Signed-off-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c | 28 +++++++++++---------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
+index f8605f57bd067..75e1383263c1e 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
+@@ -995,6 +995,7 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ u32 tsync_tx_ctl = IXGBE_TSYNCTXCTL_ENABLED;
+ u32 tsync_rx_ctl = IXGBE_TSYNCRXCTL_ENABLED;
+ u32 tsync_rx_mtrl = PTP_EV_PORT << 16;
++ u32 aflags = adapter->flags;
+ bool is_l2 = false;
+ u32 regval;
+
+@@ -1012,20 +1013,20 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ case HWTSTAMP_FILTER_NONE:
+ tsync_rx_ctl = 0;
+ tsync_rx_mtrl = 0;
+- adapter->flags &= ~(IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
+- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
++ aflags &= ~(IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
++ IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
+ break;
+ case HWTSTAMP_FILTER_PTP_V1_L4_SYNC:
+ tsync_rx_ctl |= IXGBE_TSYNCRXCTL_TYPE_L4_V1;
+ tsync_rx_mtrl |= IXGBE_RXMTRL_V1_SYNC_MSG;
+- adapter->flags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
+- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
++ aflags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
++ IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
+ break;
+ case HWTSTAMP_FILTER_PTP_V1_L4_DELAY_REQ:
+ tsync_rx_ctl |= IXGBE_TSYNCRXCTL_TYPE_L4_V1;
+ tsync_rx_mtrl |= IXGBE_RXMTRL_V1_DELAY_REQ_MSG;
+- adapter->flags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
+- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
++ aflags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
++ IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
+ break;
+ case HWTSTAMP_FILTER_PTP_V2_EVENT:
+ case HWTSTAMP_FILTER_PTP_V2_L2_EVENT:
+@@ -1039,8 +1040,8 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ tsync_rx_ctl |= IXGBE_TSYNCRXCTL_TYPE_EVENT_V2;
+ is_l2 = true;
+ config->rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT;
+- adapter->flags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
+- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
++ aflags |= (IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
++ IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
+ break;
+ case HWTSTAMP_FILTER_PTP_V1_L4_EVENT:
+ case HWTSTAMP_FILTER_NTP_ALL:
+@@ -1051,7 +1052,7 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ if (hw->mac.type >= ixgbe_mac_X550) {
+ tsync_rx_ctl |= IXGBE_TSYNCRXCTL_TYPE_ALL;
+ config->rx_filter = HWTSTAMP_FILTER_ALL;
+- adapter->flags |= IXGBE_FLAG_RX_HWTSTAMP_ENABLED;
++ aflags |= IXGBE_FLAG_RX_HWTSTAMP_ENABLED;
+ break;
+ }
+ fallthrough;
+@@ -1062,8 +1063,6 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ * Delay_Req messages and hardware does not support
+ * timestamping all packets => return error
+ */
+- adapter->flags &= ~(IXGBE_FLAG_RX_HWTSTAMP_ENABLED |
+- IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER);
+ config->rx_filter = HWTSTAMP_FILTER_NONE;
+ return -ERANGE;
+ }
+@@ -1095,8 +1094,8 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+ IXGBE_TSYNCRXCTL_TYPE_ALL |
+ IXGBE_TSYNCRXCTL_TSIP_UT_EN;
+ config->rx_filter = HWTSTAMP_FILTER_ALL;
+- adapter->flags |= IXGBE_FLAG_RX_HWTSTAMP_ENABLED;
+- adapter->flags &= ~IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER;
++ aflags |= IXGBE_FLAG_RX_HWTSTAMP_ENABLED;
++ aflags &= ~IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER;
+ is_l2 = true;
+ break;
+ default:
+@@ -1129,6 +1128,9 @@ static int ixgbe_ptp_set_timestamp_mode(struct ixgbe_adapter *adapter,
+
+ IXGBE_WRITE_FLUSH(hw);
+
++ /* configure adapter flags only when HW is actually configured */
++ adapter->flags = aflags;
++
+ /* clear TX/RX time stamp registers, just to be sure */
+ ixgbe_ptp_clear_tx_timestamp(adapter);
+ IXGBE_READ_REG(hw, IXGBE_RXSTMPH);
+--
+2.40.1
+
--- /dev/null
+From 1e67f72f5a29c1603f72cd65234a78eab67bf800 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 19:27:53 -0700
+Subject: kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit a22730b1b4bf437c6bbfdeff5feddf54be4aeada ]
+
+syzkaller found a memory leak in kcm_sendmsg(), and commit c821a88bd720
+("kcm: Fix memory leak in error path of kcm_sendmsg()") suppressed it by
+updating kcm_tx_msg(head)->last_skb if partial data is copied so that the
+following sendmsg() will resume from the skb.
+
+However, we cannot know how many bytes were copied when we get the error.
+Thus, we could mess up the MSG_MORE queue.
+
+When kcm_sendmsg() fails for SOCK_DGRAM, we should purge the queue as we
+do so for UDP by udp_flush_pending_frames().
+
+Even without this change, when the error occurred, the following sendmsg()
+resumed from a wrong skb and the queue was messed up. However, we have
+yet to get such a report, and only syzkaller stumbled on it. So, this
+can be changed safely.
+
+Note this does not change SOCK_SEQPACKET behaviour.
+
+Fixes: c821a88bd720 ("kcm: Fix memory leak in error path of kcm_sendmsg()")
+Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20230912022753.33327-1-kuniyu@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/kcm/kcmsock.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
+index dd929a8350740..65845c59c0655 100644
+--- a/net/kcm/kcmsock.c
++++ b/net/kcm/kcmsock.c
+@@ -1065,17 +1065,18 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+ out_error:
+ kcm_push(kcm);
+
+- if (copied && sock->type == SOCK_SEQPACKET) {
++ if (sock->type == SOCK_SEQPACKET) {
+ /* Wrote some bytes before encountering an
+ * error, return partial success.
+ */
+- goto partial_message;
+- }
+-
+- if (head != kcm->seq_skb)
++ if (copied)
++ goto partial_message;
++ if (head != kcm->seq_skb)
++ kfree_skb(head);
++ } else {
+ kfree_skb(head);
+- else if (copied)
+- kcm_tx_msg(head)->last_skb = skb;
++ kcm->seq_skb = NULL;
++ }
+
+ err = sk_stream_error(sk, msg->msg_flags, err);
+
+--
+2.40.1
+
--- /dev/null
+From b0328e719b52d58de703815a7dae98d9d4e93eb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Sep 2023 02:03:10 +0900
+Subject: kcm: Fix memory leak in error path of kcm_sendmsg()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit c821a88bd720b0046433173185fd841a100d44ad ]
+
+syzbot reported a memory leak like below:
+
+BUG: memory leak
+unreferenced object 0xffff88810b088c00 (size 240):
+ comm "syz-executor186", pid 5012, jiffies 4294943306 (age 13.680s)
+ hex dump (first 32 bytes):
+ 00 89 08 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff83e5d5ff>] __alloc_skb+0x1ef/0x230 net/core/skbuff.c:634
+ [<ffffffff84606e59>] alloc_skb include/linux/skbuff.h:1289 [inline]
+ [<ffffffff84606e59>] kcm_sendmsg+0x269/0x1050 net/kcm/kcmsock.c:815
+ [<ffffffff83e479c6>] sock_sendmsg_nosec net/socket.c:725 [inline]
+ [<ffffffff83e479c6>] sock_sendmsg+0x56/0xb0 net/socket.c:748
+ [<ffffffff83e47f55>] ____sys_sendmsg+0x365/0x470 net/socket.c:2494
+ [<ffffffff83e4c389>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2548
+ [<ffffffff83e4c536>] __sys_sendmsg+0xa6/0x120 net/socket.c:2577
+ [<ffffffff84ad7bb8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ [<ffffffff84ad7bb8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
+ [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+In kcm_sendmsg(), kcm_tx_msg(head)->last_skb is used as a cursor to append
+newly allocated skbs to 'head'. If some bytes are copied, an error occurred,
+and jumped to out_error label, 'last_skb' is left unmodified. A later
+kcm_sendmsg() will use an obsoleted 'last_skb' reference, corrupting the
+'head' frag_list and causing the leak.
+
+This patch fixes this issue by properly updating the last allocated skb in
+'last_skb'.
+
+Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
+Reported-and-tested-by: syzbot+6f98de741f7dbbfc4ccb@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=6f98de741f7dbbfc4ccb
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/kcm/kcmsock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
+index 6a97662d7548e..dd929a8350740 100644
+--- a/net/kcm/kcmsock.c
++++ b/net/kcm/kcmsock.c
+@@ -1074,6 +1074,8 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+
+ if (head != kcm->seq_skb)
+ kfree_skb(head);
++ else if (copied)
++ kcm_tx_msg(head)->last_skb = skb;
+
+ err = sk_stream_error(sk, msg->msg_flags, err);
+
+--
+2.40.1
+
--- /dev/null
+From 31ec8d4d5ed3d6582837284dcbc24e7db7a327f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jul 2023 13:53:17 +0200
+Subject: kselftest/runner.sh: Propagate SIGTERM to runner child
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Björn Töpel <bjorn@rivosinc.com>
+
+[ Upstream commit 9616cb34b08ec86642b162eae75c5a7ca8debe3c ]
+
+Timeouts in kselftest are done using the "timeout" command with the
+"--foreground" option. Without the "foreground" option, it is not
+possible for a user to cancel the runner using SIGINT, because the
+signal is not propagated to timeout which is running in a different
+process group. The "forground" options places the timeout in the same
+process group as its parent, but only sends the SIGTERM (on timeout)
+signal to the forked process. Unfortunately, this does not play nice
+with all kselftests, e.g. "net:fcnal-test.sh", where the child
+processes will linger because timeout does not send SIGTERM to the
+group.
+
+Some users have noted these hangs [1].
+
+Fix this by nesting the timeout with an additional timeout without the
+foreground option.
+
+Link: https://lore.kernel.org/all/7650b2eb-0aee-a2b0-2e64-c9bc63210f67@alu.unizg.hr/ # [1]
+Fixes: 651e0d881461 ("kselftest/runner: allow to properly deliver signals to tests")
+Signed-off-by: Björn Töpel <bjorn@rivosinc.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kselftest/runner.sh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/kselftest/runner.sh b/tools/testing/selftests/kselftest/runner.sh
+index 294619ade49fe..1333ab1eda708 100644
+--- a/tools/testing/selftests/kselftest/runner.sh
++++ b/tools/testing/selftests/kselftest/runner.sh
+@@ -35,7 +35,8 @@ tap_timeout()
+ {
+ # Make sure tests will time out if utility is available.
+ if [ -x /usr/bin/timeout ] ; then
+- /usr/bin/timeout --foreground "$kselftest_timeout" $1
++ /usr/bin/timeout --foreground "$kselftest_timeout" \
++ /usr/bin/timeout "$kselftest_timeout" $1
+ else
+ $1
+ fi
+--
+2.40.1
+
--- /dev/null
+From 4b041f3d8d3d6e7c30f8fe936905e97ceb240320 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Sep 2023 15:10:25 +0800
+Subject: kunit: Fix wild-memory-access bug in kunit_free_suite_set()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 2810c1e99867a811e631dd24e63e6c1e3b78a59d ]
+
+Inject fault while probing kunit-example-test.ko, if kstrdup()
+fails in mod_sysfs_setup() in load_module(), the mod->state will
+switch from MODULE_STATE_COMING to MODULE_STATE_GOING instead of
+from MODULE_STATE_LIVE to MODULE_STATE_GOING, so only
+kunit_module_exit() will be called without kunit_module_init(), and
+the mod->kunit_suites is no set correctly and the free in
+kunit_free_suite_set() will cause below wild-memory-access bug.
+
+The mod->state state machine when load_module() succeeds:
+
+MODULE_STATE_UNFORMED ---> MODULE_STATE_COMING ---> MODULE_STATE_LIVE
+ ^ |
+ | | delete_module
+ +---------------- MODULE_STATE_GOING <---------+
+
+The mod->state state machine when load_module() fails at
+mod_sysfs_setup():
+
+MODULE_STATE_UNFORMED ---> MODULE_STATE_COMING ---> MODULE_STATE_GOING
+ ^ |
+ | |
+ +-----------------------------------------------+
+
+Call kunit_module_init() at MODULE_STATE_COMING state to fix the issue
+because MODULE_STATE_LIVE is transformed from it.
+
+ Unable to handle kernel paging request at virtual address ffffff341e942a88
+ KASAN: maybe wild-memory-access in range [0x0003f9a0f4a15440-0x0003f9a0f4a15447]
+ Mem abort info:
+ ESR = 0x0000000096000004
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x04: level 0 translation fault
+ Data abort info:
+ ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+ CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+ GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+ swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000441ea000
+ [ffffff341e942a88] pgd=0000000000000000, p4d=0000000000000000
+ Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
+ Modules linked in: kunit_example_test(-) cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: kunit_example_test]
+ CPU: 3 PID: 2035 Comm: modprobe Tainted: G W N 6.5.0-next-20230828+ #136
+ Hardware name: linux,dummy-virt (DT)
+ pstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : kfree+0x2c/0x70
+ lr : kunit_free_suite_set+0xcc/0x13c
+ sp : ffff8000829b75b0
+ x29: ffff8000829b75b0 x28: ffff8000829b7b90 x27: 0000000000000000
+ x26: dfff800000000000 x25: ffffcd07c82a7280 x24: ffffcd07a50ab300
+ x23: ffffcd07a50ab2e8 x22: 1ffff00010536ec0 x21: dfff800000000000
+ x20: ffffcd07a50ab2f0 x19: ffffcd07a50ab2f0 x18: 0000000000000000
+ x17: 0000000000000000 x16: 0000000000000000 x15: ffffcd07c24b6764
+ x14: ffffcd07c24b63c0 x13: ffffcd07c4cebb94 x12: ffff700010536ec7
+ x11: 1ffff00010536ec6 x10: ffff700010536ec6 x9 : dfff800000000000
+ x8 : 00008fffefac913a x7 : 0000000041b58ab3 x6 : 0000000000000000
+ x5 : 1ffff00010536ec5 x4 : ffff8000829b7628 x3 : dfff800000000000
+ x2 : ffffff341e942a80 x1 : ffffcd07a50aa000 x0 : fffffc0000000000
+ Call trace:
+ kfree+0x2c/0x70
+ kunit_free_suite_set+0xcc/0x13c
+ kunit_module_notify+0xd8/0x360
+ blocking_notifier_call_chain+0xc4/0x128
+ load_module+0x382c/0x44a4
+ init_module_from_file+0xd4/0x128
+ idempotent_init_module+0x2c8/0x524
+ __arm64_sys_finit_module+0xac/0x100
+ invoke_syscall+0x6c/0x258
+ el0_svc_common.constprop.0+0x160/0x22c
+ do_el0_svc+0x44/0x5c
+ el0_svc+0x38/0x78
+ el0t_64_sync_handler+0x13c/0x158
+ el0t_64_sync+0x190/0x194
+ Code: aa0003e1 b25657e0 d34cfc42 8b021802 (f9400440)
+ ---[ end trace 0000000000000000 ]---
+ Kernel panic - not syncing: Oops: Fatal exception
+ SMP: stopping secondary CPUs
+ Kernel Offset: 0x4d0742200000 from 0xffff800080000000
+ PHYS_OFFSET: 0xffffee43c0000000
+ CPU features: 0x88000203,3c020000,1000421b
+ Memory Limit: none
+ Rebooting in 1 seconds..
+
+Fixes: 3d6e44623841 ("kunit: unify module and builtin suite definitions")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Reviewed-by: Rae Moar <rmoar@google.com>
+Reviewed-by: David Gow <davidgow@google.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/kunit/test.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/kunit/test.c b/lib/kunit/test.c
+index 184df6f701b48..a90bd265d73db 100644
+--- a/lib/kunit/test.c
++++ b/lib/kunit/test.c
+@@ -667,12 +667,13 @@ static int kunit_module_notify(struct notifier_block *nb, unsigned long val,
+
+ switch (val) {
+ case MODULE_STATE_LIVE:
+- kunit_module_init(mod);
+ break;
+ case MODULE_STATE_GOING:
+ kunit_module_exit(mod);
+ break;
+ case MODULE_STATE_COMING:
++ kunit_module_init(mod);
++ break;
+ case MODULE_STATE_UNFORMED:
+ break;
+ }
+--
+2.40.1
+
--- /dev/null
+From 4a8bc5e8312137da12bac11eb6ca155d31e67dee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 16:33:52 +0300
+Subject: net: dsa: sja1105: block FDB accesses that are concurrent with a
+ switch reset
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 86899e9e1e29e854b5f6dcc24ba4f75f792c89aa ]
+
+Currently, when we add the first sja1105 port to a bridge with
+vlan_filtering 1, then we sometimes see this output:
+
+sja1105 spi2.2: port 4 failed to read back entry for be:79:b4:9e:9e:96 vid 3088: -ENOENT
+sja1105 spi2.2: Reset switch and programmed static config. Reason: VLAN filtering
+sja1105 spi2.2: port 0 failed to add be:79:b4:9e:9e:96 vid 0 to fdb: -2
+
+It is because sja1105_fdb_add() runs from the dsa_owq which is no longer
+serialized with switch resets since it dropped the rtnl_lock() in the
+blamed commit.
+
+Either performing the FDB accesses before the reset, or after the reset,
+is equally fine, because sja1105_static_fdb_change() backs up those
+changes in the static config, but FDB access during reset isn't ok.
+
+Make sja1105_static_config_reload() take the fdb_lock to fix that.
+
+Fixes: 0faf890fc519 ("net: dsa: drop rtnl_lock from dsa_slave_switchdev_event_work")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index c6c74e302e4dd..f1f1368e8146f 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -2304,6 +2304,7 @@ int sja1105_static_config_reload(struct sja1105_private *priv,
+ int rc, i;
+ s64 now;
+
++ mutex_lock(&priv->fdb_lock);
+ mutex_lock(&priv->mgmt_lock);
+
+ mac = priv->static_config.tables[BLK_IDX_MAC_CONFIG].entries;
+@@ -2418,6 +2419,7 @@ int sja1105_static_config_reload(struct sja1105_private *priv,
+ goto out;
+ out:
+ mutex_unlock(&priv->mgmt_lock);
++ mutex_unlock(&priv->fdb_lock);
+
+ return rc;
+ }
+--
+2.40.1
+
--- /dev/null
+From b221438ebe5eb118e64ccba79c5d6bf02240327f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 16:33:50 +0300
+Subject: net: dsa: sja1105: fix multicast forwarding working only for last
+ added mdb entry
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 7cef293b9a634a05fcce9e1df4aee3aeed023345 ]
+
+The commit cited in Fixes: did 2 things: it refactored the read-back
+polling from sja1105_dynamic_config_read() into a new function,
+sja1105_dynamic_config_wait_complete(), and it called that from
+sja1105_dynamic_config_write() too.
+
+What is problematic is the refactoring.
+
+The refactored code from sja1105_dynamic_config_poll_valid() works like
+the previous one, but the problem is that it uses another packed_buf[]
+SPI buffer, and there was code at the end of sja1105_dynamic_config_read()
+which was relying on the read-back packed_buf[]:
+
+ /* Don't dereference possibly NULL pointer - maybe caller
+ * only wanted to see whether the entry existed or not.
+ */
+ if (entry)
+ ops->entry_packing(packed_buf, entry, UNPACK);
+
+After the change, the packed_buf[] that this code sees is no longer the
+entry read back from hardware, but the original entry that the caller
+passed to the sja1105_dynamic_config_read(), packed into this buffer.
+
+This difference is the most notable with the SJA1105_SEARCH uses from
+sja1105pqrs_fdb_add() - used for both fdb and mdb. There, we have logic
+added by commit 728db843df88 ("net: dsa: sja1105: ignore the FDB entry
+for unknown multicast when adding a new address") to figure out whether
+the address we're trying to add matches on any existing hardware entry,
+with the exception of the catch-all multicast address.
+
+That logic was broken, because with sja1105_dynamic_config_read() not
+working properly, it doesn't return us the entry read back from
+hardware, but the entry that we passed to it. And, since for multicast,
+a match will always exist, it will tell us that any mdb entry already
+exists at index=0 L2 Address Lookup table. It is index=0 because the
+caller doesn't know the index - it wants to find it out, and
+sja1105_dynamic_config_read() does:
+
+ if (index < 0) { // SJA1105_SEARCH
+ /* Avoid copying a signed negative number to an u64 */
+ cmd.index = 0; // <- this
+ cmd.search = true;
+ } else {
+ cmd.index = index;
+ cmd.search = false;
+ }
+
+So, to the caller of sja1105_dynamic_config_read(), the returned info
+looks entirely legit, and it will add all mdb entries to FDB index 0.
+There, they will always overwrite each other (not to mention,
+potentially they can also overwrite a pre-existing bridge fdb entry),
+and the user-visible impact will be that only the last mdb entry will be
+forwarded as it should. The others won't (will be flooded or dropped,
+depending on the egress flood settings).
+
+Fixing is a bit more complicated, and involves either passing the same
+packed_buf[] to sja1105_dynamic_config_wait_complete(), or moving all
+the extra processing on the packed_buf[] to
+sja1105_dynamic_config_wait_complete(). I've opted for the latter,
+because it makes sja1105_dynamic_config_wait_complete() a bit more
+self-contained.
+
+Fixes: df405910ab9f ("net: dsa: sja1105: wait for dynamic config command completion on writes too")
+Reported-by: Yanan Yang <yanan.yang@nxp.com>
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/dsa/sja1105/sja1105_dynamic_config.c | 80 +++++++++----------
+ 1 file changed, 37 insertions(+), 43 deletions(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_dynamic_config.c b/drivers/net/dsa/sja1105/sja1105_dynamic_config.c
+index 93d47dab8d3e9..984c0e604e8de 100644
+--- a/drivers/net/dsa/sja1105/sja1105_dynamic_config.c
++++ b/drivers/net/dsa/sja1105/sja1105_dynamic_config.c
+@@ -1175,18 +1175,15 @@ const struct sja1105_dynamic_table_ops sja1110_dyn_ops[BLK_IDX_MAX_DYN] = {
+
+ static int
+ sja1105_dynamic_config_poll_valid(struct sja1105_private *priv,
+- struct sja1105_dyn_cmd *cmd,
+- const struct sja1105_dynamic_table_ops *ops)
++ const struct sja1105_dynamic_table_ops *ops,
++ void *entry, bool check_valident,
++ bool check_errors)
+ {
+ u8 packed_buf[SJA1105_MAX_DYN_CMD_SIZE] = {};
++ struct sja1105_dyn_cmd cmd = {};
+ int rc;
+
+- /* We don't _need_ to read the full entry, just the command area which
+- * is a fixed SJA1105_SIZE_DYN_CMD. But our cmd_packing() API expects a
+- * buffer that contains the full entry too. Additionally, our API
+- * doesn't really know how many bytes into the buffer does the command
+- * area really begin. So just read back the whole entry.
+- */
++ /* Read back the whole entry + command structure. */
+ rc = sja1105_xfer_buf(priv, SPI_READ, ops->addr, packed_buf,
+ ops->packed_size);
+ if (rc)
+@@ -1195,11 +1192,25 @@ sja1105_dynamic_config_poll_valid(struct sja1105_private *priv,
+ /* Unpack the command structure, and return it to the caller in case it
+ * needs to perform further checks on it (VALIDENT).
+ */
+- memset(cmd, 0, sizeof(*cmd));
+- ops->cmd_packing(packed_buf, cmd, UNPACK);
++ ops->cmd_packing(packed_buf, &cmd, UNPACK);
+
+ /* Hardware hasn't cleared VALID => still working on it */
+- return cmd->valid ? -EAGAIN : 0;
++ if (cmd.valid)
++ return -EAGAIN;
++
++ if (check_valident && !cmd.valident && !(ops->access & OP_VALID_ANYWAY))
++ return -ENOENT;
++
++ if (check_errors && cmd.errors)
++ return -EINVAL;
++
++ /* Don't dereference possibly NULL pointer - maybe caller
++ * only wanted to see whether the entry existed or not.
++ */
++ if (entry)
++ ops->entry_packing(packed_buf, entry, UNPACK);
++
++ return 0;
+ }
+
+ /* Poll the dynamic config entry's control area until the hardware has
+@@ -1208,8 +1219,9 @@ sja1105_dynamic_config_poll_valid(struct sja1105_private *priv,
+ */
+ static int
+ sja1105_dynamic_config_wait_complete(struct sja1105_private *priv,
+- struct sja1105_dyn_cmd *cmd,
+- const struct sja1105_dynamic_table_ops *ops)
++ const struct sja1105_dynamic_table_ops *ops,
++ void *entry, bool check_valident,
++ bool check_errors)
+ {
+ int err, rc;
+
+@@ -1217,7 +1229,8 @@ sja1105_dynamic_config_wait_complete(struct sja1105_private *priv,
+ rc, rc != -EAGAIN,
+ SJA1105_DYNAMIC_CONFIG_SLEEP_US,
+ SJA1105_DYNAMIC_CONFIG_TIMEOUT_US,
+- false, priv, cmd, ops);
++ false, priv, ops, entry, check_valident,
++ check_errors);
+ return err < 0 ? err : rc;
+ }
+
+@@ -1287,25 +1300,14 @@ int sja1105_dynamic_config_read(struct sja1105_private *priv,
+ mutex_lock(&priv->dynamic_config_lock);
+ rc = sja1105_xfer_buf(priv, SPI_WRITE, ops->addr, packed_buf,
+ ops->packed_size);
+- if (rc < 0) {
+- mutex_unlock(&priv->dynamic_config_lock);
+- return rc;
+- }
+-
+- rc = sja1105_dynamic_config_wait_complete(priv, &cmd, ops);
+- mutex_unlock(&priv->dynamic_config_lock);
+ if (rc < 0)
+- return rc;
++ goto out;
+
+- if (!cmd.valident && !(ops->access & OP_VALID_ANYWAY))
+- return -ENOENT;
++ rc = sja1105_dynamic_config_wait_complete(priv, ops, entry, true, false);
++out:
++ mutex_unlock(&priv->dynamic_config_lock);
+
+- /* Don't dereference possibly NULL pointer - maybe caller
+- * only wanted to see whether the entry existed or not.
+- */
+- if (entry)
+- ops->entry_packing(packed_buf, entry, UNPACK);
+- return 0;
++ return rc;
+ }
+
+ int sja1105_dynamic_config_write(struct sja1105_private *priv,
+@@ -1357,22 +1359,14 @@ int sja1105_dynamic_config_write(struct sja1105_private *priv,
+ mutex_lock(&priv->dynamic_config_lock);
+ rc = sja1105_xfer_buf(priv, SPI_WRITE, ops->addr, packed_buf,
+ ops->packed_size);
+- if (rc < 0) {
+- mutex_unlock(&priv->dynamic_config_lock);
+- return rc;
+- }
+-
+- rc = sja1105_dynamic_config_wait_complete(priv, &cmd, ops);
+- mutex_unlock(&priv->dynamic_config_lock);
+ if (rc < 0)
+- return rc;
++ goto out;
+
+- cmd = (struct sja1105_dyn_cmd) {0};
+- ops->cmd_packing(packed_buf, &cmd, UNPACK);
+- if (cmd.errors)
+- return -EINVAL;
++ rc = sja1105_dynamic_config_wait_complete(priv, ops, NULL, false, true);
++out:
++ mutex_unlock(&priv->dynamic_config_lock);
+
+- return 0;
++ return rc;
+ }
+
+ static u8 sja1105_crc8_add(u8 crc, u8 byte, u8 poly)
+--
+2.40.1
+
--- /dev/null
+From 78ea7f3be8a0d5abd4cb3b2bd06120784b9e5daa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 16:33:48 +0300
+Subject: net: dsa: sja1105: hide all multicast addresses from "bridge fdb
+ show"
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 02c652f5465011126152bbd93b6a582a1d0c32f1 ]
+
+Commit 4d9423549501 ("net: dsa: sja1105: offload bridge port flags to
+device") has partially hidden some multicast entries from showing up in
+the "bridge fdb show" output, but it wasn't enough. Addresses which are
+added through "bridge mdb add" still show up. Hide them all.
+
+Fixes: 291d1e72b756 ("net: dsa: sja1105: Add support for FDB and MDB management")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index ff94c5996fafb..f8228a81234fe 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -1875,13 +1875,14 @@ static int sja1105_fdb_dump(struct dsa_switch *ds, int port,
+ if (!(l2_lookup.destports & BIT(port)))
+ continue;
+
+- /* We need to hide the FDB entry for unknown multicast */
+- if (l2_lookup.macaddr == SJA1105_UNKNOWN_MULTICAST &&
+- l2_lookup.mask_macaddr == SJA1105_UNKNOWN_MULTICAST)
+- continue;
+-
+ u64_to_ether_addr(l2_lookup.macaddr, macaddr);
+
++ /* Hardware FDB is shared for fdb and mdb, "bridge fdb show"
++ * only wants to see unicast
++ */
++ if (is_multicast_ether_addr(macaddr))
++ continue;
++
+ /* We need to hide the dsa_8021q VLANs from the user. */
+ if (vid_is_dsa_8021q(l2_lookup.vlanid))
+ l2_lookup.vlanid = 0;
+--
+2.40.1
+
--- /dev/null
+From 379b336d5923255e6d2ba8ac3998196f2a354f09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 16:33:49 +0300
+Subject: net: dsa: sja1105: propagate exact error code from
+ sja1105_dynamic_config_poll_valid()
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit c956798062b5a308db96e75157747291197f0378 ]
+
+Currently, sja1105_dynamic_config_wait_complete() returns either 0 or
+-ETIMEDOUT, because it just looks at the read_poll_timeout() return code.
+
+There will be future changes which move some more checks to
+sja1105_dynamic_config_poll_valid(). It is important that we propagate
+their exact return code (-ENOENT, -EINVAL), because callers of
+sja1105_dynamic_config_read() depend on them.
+
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 7cef293b9a63 ("net: dsa: sja1105: fix multicast forwarding working only for last added mdb entry")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_dynamic_config.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_dynamic_config.c b/drivers/net/dsa/sja1105/sja1105_dynamic_config.c
+index 7729d3f8b7f50..93d47dab8d3e9 100644
+--- a/drivers/net/dsa/sja1105/sja1105_dynamic_config.c
++++ b/drivers/net/dsa/sja1105/sja1105_dynamic_config.c
+@@ -1211,13 +1211,14 @@ sja1105_dynamic_config_wait_complete(struct sja1105_private *priv,
+ struct sja1105_dyn_cmd *cmd,
+ const struct sja1105_dynamic_table_ops *ops)
+ {
+- int rc;
+-
+- return read_poll_timeout(sja1105_dynamic_config_poll_valid,
+- rc, rc != -EAGAIN,
+- SJA1105_DYNAMIC_CONFIG_SLEEP_US,
+- SJA1105_DYNAMIC_CONFIG_TIMEOUT_US,
+- false, priv, cmd, ops);
++ int err, rc;
++
++ err = read_poll_timeout(sja1105_dynamic_config_poll_valid,
++ rc, rc != -EAGAIN,
++ SJA1105_DYNAMIC_CONFIG_SLEEP_US,
++ SJA1105_DYNAMIC_CONFIG_TIMEOUT_US,
++ false, priv, cmd, ops);
++ return err < 0 ? err : rc;
+ }
+
+ /* Provides read access to the settings through the dynamic interface
+--
+2.40.1
+
--- /dev/null
+From bd5043a163edfe56e496cbf47693023b074c0523 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 16:33:51 +0300
+Subject: net: dsa: sja1105: serialize sja1105_port_mcast_flood() with other
+ FDB accesses
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit ea32690daf4fa525dc5a4d164bd00ed8c756e1c6 ]
+
+sja1105_fdb_add() runs from the dsa_owq, and sja1105_port_mcast_flood()
+runs from switchdev_deferred_process_work(). Prior to the blamed commit,
+they used to be indirectly serialized through the rtnl_lock(), which
+no longer holds true because dsa_owq dropped that.
+
+So, it is now possible that we traverse the static config BLK_IDX_L2_LOOKUP
+elements concurrently compared to when we change them, in
+sja1105_static_fdb_change(). That is not ideal, since it might result in
+data corruption.
+
+Introduce a mutex which serializes accesses to the hardware FDB and to
+the static config elements for the L2 Address Lookup table.
+
+I can't find a good reason to add locking around sja1105_fdb_dump().
+I'll add it later if needed.
+
+Fixes: 0faf890fc519 ("net: dsa: drop rtnl_lock from dsa_slave_switchdev_event_work")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105.h | 2 +
+ drivers/net/dsa/sja1105/sja1105_main.c | 56 ++++++++++++++++++++------
+ 2 files changed, 45 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105.h b/drivers/net/dsa/sja1105/sja1105.h
+index a831bb0a52074..06e0ebfe652a4 100644
+--- a/drivers/net/dsa/sja1105/sja1105.h
++++ b/drivers/net/dsa/sja1105/sja1105.h
+@@ -264,6 +264,8 @@ struct sja1105_private {
+ * the switch doesn't confuse them with one another.
+ */
+ struct mutex mgmt_lock;
++ /* Serializes accesses to the FDB */
++ struct mutex fdb_lock;
+ /* PTP two-step TX timestamp ID, and its serialization lock */
+ spinlock_t ts_id_lock;
+ u8 ts_id;
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index f8228a81234fe..c6c74e302e4dd 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -1805,6 +1805,7 @@ static int sja1105_fdb_add(struct dsa_switch *ds, int port,
+ struct dsa_db db)
+ {
+ struct sja1105_private *priv = ds->priv;
++ int rc;
+
+ if (!vid) {
+ switch (db.type) {
+@@ -1819,12 +1820,16 @@ static int sja1105_fdb_add(struct dsa_switch *ds, int port,
+ }
+ }
+
+- return priv->info->fdb_add_cmd(ds, port, addr, vid);
++ mutex_lock(&priv->fdb_lock);
++ rc = priv->info->fdb_add_cmd(ds, port, addr, vid);
++ mutex_unlock(&priv->fdb_lock);
++
++ return rc;
+ }
+
+-static int sja1105_fdb_del(struct dsa_switch *ds, int port,
+- const unsigned char *addr, u16 vid,
+- struct dsa_db db)
++static int __sja1105_fdb_del(struct dsa_switch *ds, int port,
++ const unsigned char *addr, u16 vid,
++ struct dsa_db db)
+ {
+ struct sja1105_private *priv = ds->priv;
+
+@@ -1844,6 +1849,20 @@ static int sja1105_fdb_del(struct dsa_switch *ds, int port,
+ return priv->info->fdb_del_cmd(ds, port, addr, vid);
+ }
+
++static int sja1105_fdb_del(struct dsa_switch *ds, int port,
++ const unsigned char *addr, u16 vid,
++ struct dsa_db db)
++{
++ struct sja1105_private *priv = ds->priv;
++ int rc;
++
++ mutex_lock(&priv->fdb_lock);
++ rc = __sja1105_fdb_del(ds, port, addr, vid, db);
++ mutex_unlock(&priv->fdb_lock);
++
++ return rc;
++}
++
+ static int sja1105_fdb_dump(struct dsa_switch *ds, int port,
+ dsa_fdb_dump_cb_t *cb, void *data)
+ {
+@@ -1906,6 +1925,8 @@ static void sja1105_fast_age(struct dsa_switch *ds, int port)
+ };
+ int i;
+
++ mutex_lock(&priv->fdb_lock);
++
+ for (i = 0; i < SJA1105_MAX_L2_LOOKUP_COUNT; i++) {
+ struct sja1105_l2_lookup_entry l2_lookup = {0};
+ u8 macaddr[ETH_ALEN];
+@@ -1919,7 +1940,7 @@ static void sja1105_fast_age(struct dsa_switch *ds, int port)
+ if (rc) {
+ dev_err(ds->dev, "Failed to read FDB: %pe\n",
+ ERR_PTR(rc));
+- return;
++ break;
+ }
+
+ if (!(l2_lookup.destports & BIT(port)))
+@@ -1931,14 +1952,16 @@ static void sja1105_fast_age(struct dsa_switch *ds, int port)
+
+ u64_to_ether_addr(l2_lookup.macaddr, macaddr);
+
+- rc = sja1105_fdb_del(ds, port, macaddr, l2_lookup.vlanid, db);
++ rc = __sja1105_fdb_del(ds, port, macaddr, l2_lookup.vlanid, db);
+ if (rc) {
+ dev_err(ds->dev,
+ "Failed to delete FDB entry %pM vid %lld: %pe\n",
+ macaddr, l2_lookup.vlanid, ERR_PTR(rc));
+- return;
++ break;
+ }
+ }
++
++ mutex_unlock(&priv->fdb_lock);
+ }
+
+ static int sja1105_mdb_add(struct dsa_switch *ds, int port,
+@@ -2964,7 +2987,9 @@ static int sja1105_port_mcast_flood(struct sja1105_private *priv, int to,
+ {
+ struct sja1105_l2_lookup_entry *l2_lookup;
+ struct sja1105_table *table;
+- int match;
++ int match, rc;
++
++ mutex_lock(&priv->fdb_lock);
+
+ table = &priv->static_config.tables[BLK_IDX_L2_LOOKUP];
+ l2_lookup = table->entries;
+@@ -2977,7 +3002,8 @@ static int sja1105_port_mcast_flood(struct sja1105_private *priv, int to,
+ if (match == table->entry_count) {
+ NL_SET_ERR_MSG_MOD(extack,
+ "Could not find FDB entry for unknown multicast");
+- return -ENOSPC;
++ rc = -ENOSPC;
++ goto out;
+ }
+
+ if (flags.val & BR_MCAST_FLOOD)
+@@ -2985,10 +3011,13 @@ static int sja1105_port_mcast_flood(struct sja1105_private *priv, int to,
+ else
+ l2_lookup[match].destports &= ~BIT(to);
+
+- return sja1105_dynamic_config_write(priv, BLK_IDX_L2_LOOKUP,
+- l2_lookup[match].index,
+- &l2_lookup[match],
+- true);
++ rc = sja1105_dynamic_config_write(priv, BLK_IDX_L2_LOOKUP,
++ l2_lookup[match].index,
++ &l2_lookup[match], true);
++out:
++ mutex_unlock(&priv->fdb_lock);
++
++ return rc;
+ }
+
+ static int sja1105_port_pre_bridge_flags(struct dsa_switch *ds, int port,
+@@ -3358,6 +3387,7 @@ static int sja1105_probe(struct spi_device *spi)
+ mutex_init(&priv->ptp_data.lock);
+ mutex_init(&priv->dynamic_config_lock);
+ mutex_init(&priv->mgmt_lock);
++ mutex_init(&priv->fdb_lock);
+ spin_lock_init(&priv->ts_id_lock);
+
+ rc = sja1105_parse_dt(priv);
+--
+2.40.1
+
--- /dev/null
+From 970d6b19a20c2fba86466e4bd64b58c0d354ffd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 15:58:08 +0300
+Subject: net:ethernet:adi:adin1110: Fix forwarding offload
+
+From: Ciprian Regus <ciprian.regus@analog.com>
+
+[ Upstream commit 32530dba1bd48da4437d18d9a8dbc9d2826938a6 ]
+
+Currently, when a new fdb entry is added (with both ports of the
+ADIN2111 bridged), the driver configures the MAC filters for the wrong
+port, which results in the forwarding being done by the host, and not
+actually hardware offloaded.
+
+The ADIN2111 offloads the forwarding by setting filters on the
+destination MAC address of incoming frames. Based on these, they may be
+routed to the other port. Thus, if a frame has to be forwarded from port
+1 to port 2, the required configuration for the ADDR_FILT_UPRn register
+should set the APPLY2PORT1 bit (instead of APPLY2PORT2, as it's
+currently the case).
+
+Fixes: bc93e19d088b ("net: ethernet: adi: Add ADIN1110 support")
+Signed-off-by: Ciprian Regus <ciprian.regus@analog.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/adi/adin1110.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/adi/adin1110.c b/drivers/net/ethernet/adi/adin1110.c
+index cc026780ee0e8..ed2863ed6a5bb 100644
+--- a/drivers/net/ethernet/adi/adin1110.c
++++ b/drivers/net/ethernet/adi/adin1110.c
+@@ -1365,7 +1365,7 @@ static int adin1110_fdb_add(struct adin1110_port_priv *port_priv,
+ return -ENOMEM;
+
+ other_port = priv->ports[!port_priv->nr];
+- port_rules = adin1110_port_rules(port_priv, false, true);
++ port_rules = adin1110_port_rules(other_port, false, true);
+ eth_broadcast_addr(mask);
+
+ return adin1110_write_mac_address(other_port, mac_nr, (u8 *)fdb->addr,
+--
+2.40.1
+
--- /dev/null
+From d58f17224f2e223c2aa50e20d008619adaa90bc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Aug 2023 17:35:31 +0800
+Subject: net: ethernet: adi: adin1110: use eth_broadcast_addr() to assign
+ broadcast address
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 54024dbec95585243391caeb9f04a2620e630765 ]
+
+Use eth_broadcast_addr() to assign broadcast address instead
+of memset().
+
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 32530dba1bd4 ("net:ethernet:adi:adin1110: Fix forwarding offload")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/adi/adin1110.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/adi/adin1110.c b/drivers/net/ethernet/adi/adin1110.c
+index ecce5f7a549f2..cc026780ee0e8 100644
+--- a/drivers/net/ethernet/adi/adin1110.c
++++ b/drivers/net/ethernet/adi/adin1110.c
+@@ -740,7 +740,7 @@ static int adin1110_broadcasts_filter(struct adin1110_port_priv *port_priv,
+ u32 port_rules = 0;
+ u8 mask[ETH_ALEN];
+
+- memset(mask, 0xFF, ETH_ALEN);
++ eth_broadcast_addr(mask);
+
+ if (accept_broadcast && port_priv->state == BR_STATE_FORWARDING)
+ port_rules = adin1110_port_rules(port_priv, true, true);
+@@ -761,7 +761,7 @@ static int adin1110_set_mac_address(struct net_device *netdev,
+ return -EADDRNOTAVAIL;
+
+ eth_hw_addr_set(netdev, dev_addr);
+- memset(mask, 0xFF, ETH_ALEN);
++ eth_broadcast_addr(mask);
+
+ mac_slot = (!port_priv->nr) ? ADIN_MAC_P1_ADDR_SLOT : ADIN_MAC_P2_ADDR_SLOT;
+ port_rules = adin1110_port_rules(port_priv, true, false);
+@@ -1251,7 +1251,7 @@ static int adin1110_port_set_blocking_state(struct adin1110_port_priv *port_priv
+ goto out;
+
+ /* Allow only BPDUs to be passed to the CPU */
+- memset(mask, 0xFF, ETH_ALEN);
++ eth_broadcast_addr(mask);
+ port_rules = adin1110_port_rules(port_priv, true, false);
+ ret = adin1110_write_mac_address(port_priv, mac_slot, mac,
+ mask, port_rules);
+@@ -1366,7 +1366,7 @@ static int adin1110_fdb_add(struct adin1110_port_priv *port_priv,
+
+ other_port = priv->ports[!port_priv->nr];
+ port_rules = adin1110_port_rules(port_priv, false, true);
+- memset(mask, 0xFF, ETH_ALEN);
++ eth_broadcast_addr(mask);
+
+ return adin1110_write_mac_address(other_port, mac_nr, (u8 *)fdb->addr,
+ mask, port_rules);
+--
+2.40.1
+
--- /dev/null
+From e80879eaf33eccdec0846760da97d3834526b49c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 14:19:50 +0800
+Subject: net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in
+ mtk_hwlro_get_fdir_all()
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+[ Upstream commit e4c79810755f66c9a933ca810da2724133b1165a ]
+
+rule_locs is allocated in ethtool_get_rxnfc and the size is determined by
+rule_cnt from user space. So rule_cnt needs to be check before using
+rule_locs to avoid NULL pointer dereference.
+
+Fixes: 7aab747e5563 ("net: ethernet: mediatek: add ethtool functions to configure RX flows of HW LRO")
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 7e318133423a9..0ac5ae16308f6 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -2698,6 +2698,9 @@ static int mtk_hwlro_get_fdir_all(struct net_device *dev,
+ int i;
+
+ for (i = 0; i < MTK_MAX_LRO_IP_CNT; i++) {
++ if (cnt == cmd->rule_cnt)
++ return -EMSGSIZE;
++
+ if (mac->hwlro_ip[i]) {
+ rule_locs[cnt] = i;
+ cnt++;
+--
+2.40.1
+
--- /dev/null
+From 596844e934dba58f3b341cab7fd1d4a60d69bb05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 14:19:49 +0800
+Subject: net: ethernet: mvpp2_main: fix possible OOB write in
+ mvpp2_ethtool_get_rxnfc()
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+[ Upstream commit 51fe0a470543f345e3c62b6798929de3ddcedc1d ]
+
+rules is allocated in ethtool_get_rxnfc and the size is determined by
+rule_cnt from user space. So rule_cnt needs to be check before using
+rules to avoid OOB writing or NULL pointer dereference.
+
+Fixes: 90b509b39ac9 ("net: mvpp2: cls: Add Classification offload support")
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Reviewed-by: Marcin Wojtas <mw@semihalf.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index b399bdb1ca362..f936640cca4e6 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5578,6 +5578,11 @@ static int mvpp2_ethtool_get_rxnfc(struct net_device *dev,
+ break;
+ case ETHTOOL_GRXCLSRLALL:
+ for (i = 0; i < MVPP2_N_RFS_ENTRIES_PER_FLOW; i++) {
++ if (loc == info->rule_cnt) {
++ ret = -EMSGSIZE;
++ break;
++ }
++
+ if (port->rfs_rules[i])
+ rules[loc++] = i;
+ }
+--
+2.40.1
+
--- /dev/null
+From c723636606b5585d1e926d38e69c041bddb4f2a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Sep 2023 10:57:09 +0800
+Subject: net: ipv4: fix one memleak in __inet_del_ifa()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit ac28b1ec6135649b5d78b028e47264cb3ebca5ea ]
+
+I got the below warning when do fuzzing test:
+unregister_netdevice: waiting for bond0 to become free. Usage count = 2
+
+It can be repoduced via:
+
+ip link add bond0 type bond
+sysctl -w net.ipv4.conf.bond0.promote_secondaries=1
+ip addr add 4.117.174.103/0 scope 0x40 dev bond0
+ip addr add 192.168.100.111/255.255.255.254 scope 0 dev bond0
+ip addr add 0.0.0.4/0 scope 0x40 secondary dev bond0
+ip addr del 4.117.174.103/0 scope 0x40 dev bond0
+ip link delete bond0 type bond
+
+In this reproduction test case, an incorrect 'last_prim' is found in
+__inet_del_ifa(), as a result, the secondary address(0.0.0.4/0 scope 0x40)
+is lost. The memory of the secondary address is leaked and the reference of
+in_device and net_device is leaked.
+
+Fix this problem:
+Look for 'last_prim' starting at location of the deleted IP and inserting
+the promoted IP into the location of 'last_prim'.
+
+Fixes: 0ff60a45678e ("[IPV4]: Fix secondary IP addresses after promotion")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/devinet.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index e8b9a9202fecd..35d6e74be8406 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -354,14 +354,14 @@ static void __inet_del_ifa(struct in_device *in_dev,
+ {
+ struct in_ifaddr *promote = NULL;
+ struct in_ifaddr *ifa, *ifa1;
+- struct in_ifaddr *last_prim;
++ struct in_ifaddr __rcu **last_prim;
+ struct in_ifaddr *prev_prom = NULL;
+ int do_promote = IN_DEV_PROMOTE_SECONDARIES(in_dev);
+
+ ASSERT_RTNL();
+
+ ifa1 = rtnl_dereference(*ifap);
+- last_prim = rtnl_dereference(in_dev->ifa_list);
++ last_prim = ifap;
+ if (in_dev->dead)
+ goto no_promotions;
+
+@@ -375,7 +375,7 @@ static void __inet_del_ifa(struct in_device *in_dev,
+ while ((ifa = rtnl_dereference(*ifap1)) != NULL) {
+ if (!(ifa->ifa_flags & IFA_F_SECONDARY) &&
+ ifa1->ifa_scope <= ifa->ifa_scope)
+- last_prim = ifa;
++ last_prim = &ifa->ifa_next;
+
+ if (!(ifa->ifa_flags & IFA_F_SECONDARY) ||
+ ifa1->ifa_mask != ifa->ifa_mask ||
+@@ -439,9 +439,9 @@ static void __inet_del_ifa(struct in_device *in_dev,
+
+ rcu_assign_pointer(prev_prom->ifa_next, next_sec);
+
+- last_sec = rtnl_dereference(last_prim->ifa_next);
++ last_sec = rtnl_dereference(*last_prim);
+ rcu_assign_pointer(promote->ifa_next, last_sec);
+- rcu_assign_pointer(last_prim->ifa_next, promote);
++ rcu_assign_pointer(*last_prim, promote);
+ }
+
+ promote->ifa_flags &= ~IFA_F_SECONDARY;
+--
+2.40.1
+
--- /dev/null
+From dd8368a78e8093c1b864b12da308b3bd8f32d1ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Apr 2023 18:07:11 +0530
+Subject: net: macb: Enable PTP unicast
+
+From: Harini Katakam <harini.katakam@xilinx.com>
+
+[ Upstream commit ee4e92c26c60b7344b7261035683a37da5a6119b ]
+
+Enable transmission and reception of PTP unicast packets by
+updating PTP unicast config bit and setting current HW mac
+address as allowed address in PTP unicast filter registers.
+
+Signed-off-by: Harini Katakam <harini.katakam@xilinx.com>
+Signed-off-by: Michal Simek <michal.simek@xilinx.com>
+Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 403f0e771457 ("net: macb: fix sleep inside spinlock")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb.h | 4 ++++
+ drivers/net/ethernet/cadence/macb_main.c | 13 +++++++++++--
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb.h b/drivers/net/ethernet/cadence/macb.h
+index 9c410f93a1039..1aa578c1ca4ad 100644
+--- a/drivers/net/ethernet/cadence/macb.h
++++ b/drivers/net/ethernet/cadence/macb.h
+@@ -95,6 +95,8 @@
+ #define GEM_SA4B 0x00A0 /* Specific4 Bottom */
+ #define GEM_SA4T 0x00A4 /* Specific4 Top */
+ #define GEM_WOL 0x00b8 /* Wake on LAN */
++#define GEM_RXPTPUNI 0x00D4 /* PTP RX Unicast address */
++#define GEM_TXPTPUNI 0x00D8 /* PTP TX Unicast address */
+ #define GEM_EFTSH 0x00e8 /* PTP Event Frame Transmitted Seconds Register 47:32 */
+ #define GEM_EFRSH 0x00ec /* PTP Event Frame Received Seconds Register 47:32 */
+ #define GEM_PEFTSH 0x00f0 /* PTP Peer Event Frame Transmitted Seconds Register 47:32 */
+@@ -245,6 +247,8 @@
+ #define MACB_TZQ_OFFSET 12 /* Transmit zero quantum pause frame */
+ #define MACB_TZQ_SIZE 1
+ #define MACB_SRTSM_OFFSET 15 /* Store Receive Timestamp to Memory */
++#define MACB_PTPUNI_OFFSET 20 /* PTP Unicast packet enable */
++#define MACB_PTPUNI_SIZE 1
+ #define MACB_OSSMODE_OFFSET 24 /* Enable One Step Synchro Mode */
+ #define MACB_OSSMODE_SIZE 1
+ #define MACB_MIIONRGMII_OFFSET 28 /* MII Usage on RGMII Interface */
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 5fb991835078a..9470e895591e5 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -288,6 +288,11 @@ static void macb_set_hwaddr(struct macb *bp)
+ top = cpu_to_le16(*((u16 *)(bp->dev->dev_addr + 4)));
+ macb_or_gem_writel(bp, SA1T, top);
+
++ if (gem_has_ptp(bp)) {
++ gem_writel(bp, RXPTPUNI, bottom);
++ gem_writel(bp, TXPTPUNI, bottom);
++ }
++
+ /* Clear unused address register sets */
+ macb_or_gem_writel(bp, SA2B, 0);
+ macb_or_gem_writel(bp, SA2T, 0);
+@@ -721,8 +726,12 @@ static void macb_mac_link_up(struct phylink_config *config,
+
+ spin_unlock_irqrestore(&bp->lock, flags);
+
+- /* Enable Rx and Tx */
+- macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(RE) | MACB_BIT(TE));
++ /* Enable Rx and Tx; Enable PTP unicast */
++ ctrl = macb_readl(bp, NCR);
++ if (gem_has_ptp(bp))
++ ctrl |= MACB_BIT(PTPUNI);
++
++ macb_writel(bp, NCR, ctrl | MACB_BIT(RE) | MACB_BIT(TE));
+
+ netif_tx_wake_all_queues(ndev);
+ }
+--
+2.40.1
+
--- /dev/null
+From c3b582bf9809a0558d4eebb52aa512f2d02f35e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 13:29:13 +0200
+Subject: net: macb: fix sleep inside spinlock
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+[ Upstream commit 403f0e771457e2b8811dc280719d11b9bacf10f4 ]
+
+macb_set_tx_clk() is called under a spinlock but itself calls clk_set_rate()
+which can sleep. This results in:
+
+| BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
+| pps pps1: new PPS source ptp1
+| in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 40, name: kworker/u4:3
+| preempt_count: 1, expected: 0
+| RCU nest depth: 0, expected: 0
+| 4 locks held by kworker/u4:3/40:
+| #0: ffff000003409148
+| macb ff0c0000.ethernet: gem-ptp-timer ptp clock registered.
+| ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work+0x14c/0x51c
+| #1: ffff8000833cbdd8 ((work_completion)(&pl->resolve)){+.+.}-{0:0}, at: process_one_work+0x14c/0x51c
+| #2: ffff000004f01578 (&pl->state_mutex){+.+.}-{4:4}, at: phylink_resolve+0x44/0x4e8
+| #3: ffff000004f06f50 (&bp->lock){....}-{3:3}, at: macb_mac_link_up+0x40/0x2ac
+| irq event stamp: 113998
+| hardirqs last enabled at (113997): [<ffff800080e8503c>] _raw_spin_unlock_irq+0x30/0x64
+| hardirqs last disabled at (113998): [<ffff800080e84478>] _raw_spin_lock_irqsave+0xac/0xc8
+| softirqs last enabled at (113608): [<ffff800080010630>] __do_softirq+0x430/0x4e4
+| softirqs last disabled at (113597): [<ffff80008001614c>] ____do_softirq+0x10/0x1c
+| CPU: 0 PID: 40 Comm: kworker/u4:3 Not tainted 6.5.0-11717-g9355ce8b2f50-dirty #368
+| Hardware name: ... ZynqMP ... (DT)
+| Workqueue: events_power_efficient phylink_resolve
+| Call trace:
+| dump_backtrace+0x98/0xf0
+| show_stack+0x18/0x24
+| dump_stack_lvl+0x60/0xac
+| dump_stack+0x18/0x24
+| __might_resched+0x144/0x24c
+| __might_sleep+0x48/0x98
+| __mutex_lock+0x58/0x7b0
+| mutex_lock_nested+0x24/0x30
+| clk_prepare_lock+0x4c/0xa8
+| clk_set_rate+0x24/0x8c
+| macb_mac_link_up+0x25c/0x2ac
+| phylink_resolve+0x178/0x4e8
+| process_one_work+0x1ec/0x51c
+| worker_thread+0x1ec/0x3e4
+| kthread+0x120/0x124
+| ret_from_fork+0x10/0x20
+
+The obvious fix is to move the call to macb_set_tx_clk() out of the
+protected area. This seems safe as rx and tx are both disabled anyway at
+this point.
+It is however not entirely clear what the spinlock shall protect. It
+could be the read-modify-write access to the NCFGR register, but this
+is accessed in macb_set_rx_mode() and macb_set_rxcsum_feature() as well
+without holding the spinlock. It could also be the register accesses
+done in mog_init_rings() or macb_init_buffers(), but again these
+functions are called without holding the spinlock in macb_hresp_error_task().
+The locking seems fishy in this driver and it might deserve another look
+before this patch is applied.
+
+Fixes: 633e98a711ac0 ("net: macb: use resolved link config in mac_link_up()")
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Link: https://lore.kernel.org/r/20230908112913.1701766-1-s.hauer@pengutronix.de
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 9470e895591e5..54b032a46b48a 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -705,8 +705,6 @@ static void macb_mac_link_up(struct phylink_config *config,
+ if (rx_pause)
+ ctrl |= MACB_BIT(PAE);
+
+- macb_set_tx_clk(bp, speed);
+-
+ /* Initialize rings & buffers as clearing MACB_BIT(TE) in link down
+ * cleared the pipeline and control registers.
+ */
+@@ -726,6 +724,9 @@ static void macb_mac_link_up(struct phylink_config *config,
+
+ spin_unlock_irqrestore(&bp->lock, flags);
+
++ if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC))
++ macb_set_tx_clk(bp, speed);
++
+ /* Enable Rx and Tx; Enable PTP unicast */
+ ctrl = macb_readl(bp, NCR);
+ if (gem_has_ptp(bp))
+--
+2.40.1
+
--- /dev/null
+From 4bf9f9d346992957c16b4b1e09fe3e248fad763c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 11:31:43 +0800
+Subject: net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate
+ in smcr_port_add
+
+From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+
+[ Upstream commit f5146e3ef0a9eea405874b36178c19a4863b8989 ]
+
+While doing smcr_port_add, there maybe linkgroup add into or delete
+from smc_lgr_list.list at the same time, which may result kernel crash.
+So, use smc_lgr_list.lock to protect smc_lgr_list.list iterate in
+smcr_port_add.
+
+The crash calltrace show below:
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PGD 0 P4D 0
+Oops: 0000 [#1] SMP NOPTI
+CPU: 0 PID: 559726 Comm: kworker/0:92 Kdump: loaded Tainted: G
+Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 449e491 04/01/2014
+Workqueue: events smc_ib_port_event_work [smc]
+RIP: 0010:smcr_port_add+0xa6/0xf0 [smc]
+RSP: 0000:ffffa5a2c8f67de0 EFLAGS: 00010297
+RAX: 0000000000000001 RBX: ffff9935e0650000 RCX: 0000000000000000
+RDX: 0000000000000010 RSI: ffff9935e0654290 RDI: ffff9935c8560000
+RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9934c0401918
+R10: 0000000000000000 R11: ffffffffb4a5c278 R12: ffff99364029aae4
+R13: ffff99364029aa00 R14: 00000000ffffffed R15: ffff99364029ab08
+FS: 0000000000000000(0000) GS:ffff994380600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000000 CR3: 0000000f06a10003 CR4: 0000000002770ef0
+PKRU: 55555554
+Call Trace:
+ smc_ib_port_event_work+0x18f/0x380 [smc]
+ process_one_work+0x19b/0x340
+ worker_thread+0x30/0x370
+ ? process_one_work+0x340/0x340
+ kthread+0x114/0x130
+ ? __kthread_cancel_work+0x50/0x50
+ ret_from_fork+0x1f/0x30
+
+Fixes: 1f90a05d9ff9 ("net/smc: add smcr_port_add() and smcr_link_up() processing")
+Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/smc_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
+index c676d92af7b7d..64b6dd439938e 100644
+--- a/net/smc/smc_core.c
++++ b/net/smc/smc_core.c
+@@ -1650,6 +1650,7 @@ void smcr_port_add(struct smc_ib_device *smcibdev, u8 ibport)
+ {
+ struct smc_link_group *lgr, *n;
+
++ spin_lock_bh(&smc_lgr_list.lock);
+ list_for_each_entry_safe(lgr, n, &smc_lgr_list.list, list) {
+ struct smc_link *link;
+
+@@ -1665,6 +1666,7 @@ void smcr_port_add(struct smc_ib_device *smcibdev, u8 ibport)
+ if (link)
+ smc_llc_add_link_local(link);
+ }
++ spin_unlock_bh(&smc_lgr_list.lock);
+ }
+
+ /* link is down - switch connections to alternate link,
+--
+2.40.1
+
--- /dev/null
+From ceac954973be9b2c0db11fae9790c5a1dacaf1ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Sep 2023 12:46:31 +0200
+Subject: net: stmmac: fix handling of zero coalescing tx-usecs
+
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+
+[ Upstream commit fa60b8163816f194786f3ee334c9a458da7699c6 ]
+
+Setting ethtool -C eth0 tx-usecs 0 is supposed to disable the use of the
+coalescing timer but currently it gets programmed with zero delay
+instead.
+
+Disable the use of the coalescing timer if tx-usecs is zero by
+preventing it from being restarted. Note that to keep things simple we
+don't start/stop the timer when the coalescing settings are changed, but
+just let that happen on the next transmit or timer expiry.
+
+Fixes: 8fce33317023 ("net: stmmac: Rework coalesce timer and fix multi-queue races")
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index a07bcb2f5d2e2..1559a4dafd413 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2692,9 +2692,7 @@ static int stmmac_tx_clean(struct stmmac_priv *priv, int budget, u32 queue)
+
+ /* We still have pending packets, let's call for a new scheduling */
+ if (tx_q->dirty_tx != tx_q->cur_tx)
+- hrtimer_start(&tx_q->txtimer,
+- STMMAC_COAL_TIMER(priv->tx_coal_timer[queue]),
+- HRTIMER_MODE_REL);
++ stmmac_tx_timer_arm(priv, queue);
+
+ __netif_tx_unlock_bh(netdev_get_tx_queue(priv->dev, queue));
+
+@@ -2975,9 +2973,13 @@ static int stmmac_init_dma_engine(struct stmmac_priv *priv)
+ static void stmmac_tx_timer_arm(struct stmmac_priv *priv, u32 queue)
+ {
+ struct stmmac_tx_queue *tx_q = &priv->dma_conf.tx_queue[queue];
++ u32 tx_coal_timer = priv->tx_coal_timer[queue];
++
++ if (!tx_coal_timer)
++ return;
+
+ hrtimer_start(&tx_q->txtimer,
+- STMMAC_COAL_TIMER(priv->tx_coal_timer[queue]),
++ STMMAC_COAL_TIMER(tx_coal_timer),
+ HRTIMER_MODE_REL);
+ }
+
+--
+2.40.1
+
--- /dev/null
+From 27db3e14549b9283534722daac982abd07de4e05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Sep 2023 16:14:34 +0800
+Subject: net/tls: do not free tls_rec on async operation in
+ bpf_exec_tx_verdict()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit cfaa80c91f6f99b9342b6557f0f0e1143e434066 ]
+
+I got the below warning when do fuzzing test:
+BUG: KASAN: null-ptr-deref in scatterwalk_copychunks+0x320/0x470
+Read of size 4 at addr 0000000000000008 by task kworker/u8:1/9
+
+CPU: 0 PID: 9 Comm: kworker/u8:1 Tainted: G OE
+Hardware name: linux,dummy-virt (DT)
+Workqueue: pencrypt_parallel padata_parallel_worker
+Call trace:
+ dump_backtrace+0x0/0x420
+ show_stack+0x34/0x44
+ dump_stack+0x1d0/0x248
+ __kasan_report+0x138/0x140
+ kasan_report+0x44/0x6c
+ __asan_load4+0x94/0xd0
+ scatterwalk_copychunks+0x320/0x470
+ skcipher_next_slow+0x14c/0x290
+ skcipher_walk_next+0x2fc/0x480
+ skcipher_walk_first+0x9c/0x110
+ skcipher_walk_aead_common+0x380/0x440
+ skcipher_walk_aead_encrypt+0x54/0x70
+ ccm_encrypt+0x13c/0x4d0
+ crypto_aead_encrypt+0x7c/0xfc
+ pcrypt_aead_enc+0x28/0x84
+ padata_parallel_worker+0xd0/0x2dc
+ process_one_work+0x49c/0xbdc
+ worker_thread+0x124/0x880
+ kthread+0x210/0x260
+ ret_from_fork+0x10/0x18
+
+This is because the value of rec_seq of tls_crypto_info configured by the
+user program is too large, for example, 0xffffffffffffff. In addition, TLS
+is asynchronously accelerated. When tls_do_encryption() returns
+-EINPROGRESS and sk->sk_err is set to EBADMSG due to rec_seq overflow,
+skmsg is released before the asynchronous encryption process ends. As a
+result, the UAF problem occurs during the asynchronous processing of the
+encryption module.
+
+If the operation is asynchronous and the encryption module returns
+EINPROGRESS, do not free the record information.
+
+Fixes: 635d93981786 ("net/tls: free record only on encryption error")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/20230909081434.2324940-1-liujian56@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index 96b4545ea700f..9be00ebbb2341 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -802,7 +802,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
+ psock = sk_psock_get(sk);
+ if (!psock || !policy) {
+ err = tls_push_record(sk, flags, record_type);
+- if (err && sk->sk_err == EBADMSG) {
++ if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) {
+ *copied -= sk_msg_free(sk, msg);
+ tls_free_open_rec(sk);
+ err = -sk->sk_err;
+@@ -831,7 +831,7 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
+ switch (psock->eval) {
+ case __SK_PASS:
+ err = tls_push_record(sk, flags, record_type);
+- if (err && sk->sk_err == EBADMSG) {
++ if (err && err != -EINPROGRESS && sk->sk_err == EBADMSG) {
+ *copied -= sk_msg_free(sk, msg);
+ tls_free_open_rec(sk);
+ err = -sk->sk_err;
+--
+2.40.1
+
--- /dev/null
+From 034f05cfa0d23026a7e22a8c6610b5ef5168b592 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 08:49:32 -0400
+Subject: platform/mellanox: mlxbf-pmc: Fix potential buffer overflows
+
+From: Shravan Kumar Ramani <shravankr@nvidia.com>
+
+[ Upstream commit 80ccd40568bcd3655b0fd0be1e9b3379fd6e1056 ]
+
+Replace sprintf with sysfs_emit where possible.
+Size check in mlxbf_pmc_event_list_show should account for "\0".
+
+Fixes: 1a218d312e65 ("platform/mellanox: mlxbf-pmc: Add Mellanox BlueField PMC driver")
+Signed-off-by: Shravan Kumar Ramani <shravankr@nvidia.com>
+Reviewed-by: Vadim Pasternak <vadimp@nvidia.com>
+Reviewed-by: David Thompson <davthompson@nvidia.com>
+Link: https://lore.kernel.org/r/bef39ef32319a31b32f999065911f61b0d3b17c3.1693917738.git.shravankr@nvidia.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-pmc.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-pmc.c b/drivers/platform/mellanox/mlxbf-pmc.c
+index be967d797c28e..95afcae7b9fa9 100644
+--- a/drivers/platform/mellanox/mlxbf-pmc.c
++++ b/drivers/platform/mellanox/mlxbf-pmc.c
+@@ -1008,7 +1008,7 @@ static ssize_t mlxbf_pmc_counter_show(struct device *dev,
+ } else
+ return -EINVAL;
+
+- return sprintf(buf, "0x%llx\n", value);
++ return sysfs_emit(buf, "0x%llx\n", value);
+ }
+
+ /* Store function for "counter" sysfs files */
+@@ -1078,13 +1078,13 @@ static ssize_t mlxbf_pmc_event_show(struct device *dev,
+
+ err = mlxbf_pmc_read_event(blk_num, cnt_num, is_l3, &evt_num);
+ if (err)
+- return sprintf(buf, "No event being monitored\n");
++ return sysfs_emit(buf, "No event being monitored\n");
+
+ evt_name = mlxbf_pmc_get_event_name(pmc->block_name[blk_num], evt_num);
+ if (!evt_name)
+ return -EINVAL;
+
+- return sprintf(buf, "0x%llx: %s\n", evt_num, evt_name);
++ return sysfs_emit(buf, "0x%llx: %s\n", evt_num, evt_name);
+ }
+
+ /* Store function for "event" sysfs files */
+@@ -1139,9 +1139,9 @@ static ssize_t mlxbf_pmc_event_list_show(struct device *dev,
+ return -EINVAL;
+
+ for (i = 0, buf[0] = '\0'; i < size; ++i) {
+- len += sprintf(e_info, "0x%x: %s\n", events[i].evt_num,
+- events[i].evt_name);
+- if (len > PAGE_SIZE)
++ len += snprintf(e_info, sizeof(e_info), "0x%x: %s\n",
++ events[i].evt_num, events[i].evt_name);
++ if (len >= PAGE_SIZE)
+ break;
+ strcat(buf, e_info);
+ ret = len;
+@@ -1168,7 +1168,7 @@ static ssize_t mlxbf_pmc_enable_show(struct device *dev,
+
+ value = FIELD_GET(MLXBF_PMC_L3C_PERF_CNT_CFG_EN, perfcnt_cfg);
+
+- return sprintf(buf, "%d\n", value);
++ return sysfs_emit(buf, "%d\n", value);
+ }
+
+ /* Store function for "enable" sysfs files - only for l3cache */
+--
+2.40.1
+
--- /dev/null
+From 543062f83efc9f21755135befd84ff0f14b6d947 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 08:49:33 -0400
+Subject: platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events
+
+From: Shravan Kumar Ramani <shravankr@nvidia.com>
+
+[ Upstream commit 0f5969452e162efc50bdc98968fb62b424a9874b ]
+
+This fix involves 2 changes:
+ - All event regs have a reset value of 0, which is not a valid
+ event_number as per the event_list for most blocks and hence seen
+ as an error. Add a "disable" event with event_number 0 for all blocks.
+
+ - The enable bit for each counter need not be checked before
+ reading the event info, and hence removed.
+
+Fixes: 1a218d312e65 ("platform/mellanox: mlxbf-pmc: Add Mellanox BlueField PMC driver")
+Signed-off-by: Shravan Kumar Ramani <shravankr@nvidia.com>
+Reviewed-by: Vadim Pasternak <vadimp@nvidia.com>
+Reviewed-by: David Thompson <davthompson@nvidia.com>
+Link: https://lore.kernel.org/r/04d0213932d32681de1c716b54320ed894e52425.1693917738.git.shravankr@nvidia.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-pmc.c | 27 +++++++--------------------
+ 1 file changed, 7 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-pmc.c b/drivers/platform/mellanox/mlxbf-pmc.c
+index 95afcae7b9fa9..2d4bbe99959ef 100644
+--- a/drivers/platform/mellanox/mlxbf-pmc.c
++++ b/drivers/platform/mellanox/mlxbf-pmc.c
+@@ -191,6 +191,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_smgen_events[] = {
+ };
+
+ static const struct mlxbf_pmc_events mlxbf_pmc_trio_events_1[] = {
++ { 0x0, "DISABLE" },
+ { 0xa0, "TPIO_DATA_BEAT" },
+ { 0xa1, "TDMA_DATA_BEAT" },
+ { 0xa2, "MAP_DATA_BEAT" },
+@@ -214,6 +215,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_trio_events_1[] = {
+ };
+
+ static const struct mlxbf_pmc_events mlxbf_pmc_trio_events_2[] = {
++ { 0x0, "DISABLE" },
+ { 0xa0, "TPIO_DATA_BEAT" },
+ { 0xa1, "TDMA_DATA_BEAT" },
+ { 0xa2, "MAP_DATA_BEAT" },
+@@ -246,6 +248,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_trio_events_2[] = {
+ };
+
+ static const struct mlxbf_pmc_events mlxbf_pmc_ecc_events[] = {
++ { 0x0, "DISABLE" },
+ { 0x100, "ECC_SINGLE_ERROR_CNT" },
+ { 0x104, "ECC_DOUBLE_ERROR_CNT" },
+ { 0x114, "SERR_INJ" },
+@@ -258,6 +261,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_ecc_events[] = {
+ };
+
+ static const struct mlxbf_pmc_events mlxbf_pmc_mss_events[] = {
++ { 0x0, "DISABLE" },
+ { 0xc0, "RXREQ_MSS" },
+ { 0xc1, "RXDAT_MSS" },
+ { 0xc2, "TXRSP_MSS" },
+@@ -265,6 +269,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_mss_events[] = {
+ };
+
+ static const struct mlxbf_pmc_events mlxbf_pmc_hnf_events[] = {
++ { 0x0, "DISABLE" },
+ { 0x45, "HNF_REQUESTS" },
+ { 0x46, "HNF_REJECTS" },
+ { 0x47, "ALL_BUSY" },
+@@ -323,6 +328,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_hnf_events[] = {
+ };
+
+ static const struct mlxbf_pmc_events mlxbf_pmc_hnfnet_events[] = {
++ { 0x0, "DISABLE" },
+ { 0x12, "CDN_REQ" },
+ { 0x13, "DDN_REQ" },
+ { 0x14, "NDN_REQ" },
+@@ -892,7 +898,7 @@ static int mlxbf_pmc_read_event(int blk_num, uint32_t cnt_num, bool is_l3,
+ uint64_t *result)
+ {
+ uint32_t perfcfg_offset, perfval_offset;
+- uint64_t perfmon_cfg, perfevt, perfctl;
++ uint64_t perfmon_cfg, perfevt;
+
+ if (cnt_num >= pmc->block[blk_num].counters)
+ return -EINVAL;
+@@ -904,25 +910,6 @@ static int mlxbf_pmc_read_event(int blk_num, uint32_t cnt_num, bool is_l3,
+ perfval_offset = perfcfg_offset +
+ pmc->block[blk_num].counters * MLXBF_PMC_REG_SIZE;
+
+- /* Set counter in "read" mode */
+- perfmon_cfg = FIELD_PREP(MLXBF_PMC_PERFMON_CONFIG_ADDR,
+- MLXBF_PMC_PERFCTL);
+- perfmon_cfg |= FIELD_PREP(MLXBF_PMC_PERFMON_CONFIG_STROBE, 1);
+- perfmon_cfg |= FIELD_PREP(MLXBF_PMC_PERFMON_CONFIG_WR_R_B, 0);
+-
+- if (mlxbf_pmc_write(pmc->block[blk_num].mmio_base + perfcfg_offset,
+- MLXBF_PMC_WRITE_REG_64, perfmon_cfg))
+- return -EFAULT;
+-
+- /* Check if the counter is enabled */
+-
+- if (mlxbf_pmc_read(pmc->block[blk_num].mmio_base + perfval_offset,
+- MLXBF_PMC_READ_REG_64, &perfctl))
+- return -EFAULT;
+-
+- if (!FIELD_GET(MLXBF_PMC_PERFCTL_EN0, perfctl))
+- return -EINVAL;
+-
+ /* Set counter in "read" mode */
+ perfmon_cfg = FIELD_PREP(MLXBF_PMC_PERFMON_CONFIG_ADDR,
+ MLXBF_PMC_PERFEVT);
+--
+2.40.1
+
--- /dev/null
+From f7e4b75121bbeda64ed24b3ca8952b95430d64d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Aug 2023 13:43:00 -0400
+Subject: platform/mellanox: mlxbf-tmfifo: Drop jumbo frames
+
+From: Liming Sun <limings@nvidia.com>
+
+[ Upstream commit fc4c655821546239abb3cf4274d66b9747aa87dd ]
+
+This commit drops over-sized network packets to avoid tmfifo
+queue stuck.
+
+Fixes: 1357dfd7261f ("platform/mellanox: Add TmFifo driver for Mellanox BlueField Soc")
+Signed-off-by: Liming Sun <limings@nvidia.com>
+Reviewed-by: Vadim Pasternak <vadimp@nvidia.com>
+Reviewed-by: David Thompson <davthompson@nvidia.com>
+Link: https://lore.kernel.org/r/9318936c2447f76db475c985ca6d91f057efcd41.1693322547.git.limings@nvidia.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-tmfifo.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-tmfifo.c b/drivers/platform/mellanox/mlxbf-tmfifo.c
+index ee8648a271fda..a04ff89a7ec44 100644
+--- a/drivers/platform/mellanox/mlxbf-tmfifo.c
++++ b/drivers/platform/mellanox/mlxbf-tmfifo.c
+@@ -205,7 +205,7 @@ static u8 mlxbf_tmfifo_net_default_mac[ETH_ALEN] = {
+ static efi_char16_t mlxbf_tmfifo_efi_name[] = L"RshimMacAddr";
+
+ /* Maximum L2 header length. */
+-#define MLXBF_TMFIFO_NET_L2_OVERHEAD 36
++#define MLXBF_TMFIFO_NET_L2_OVERHEAD (ETH_HLEN + VLAN_HLEN)
+
+ /* Supported virtio-net features. */
+ #define MLXBF_TMFIFO_NET_FEATURES \
+@@ -623,13 +623,14 @@ static void mlxbf_tmfifo_rxtx_word(struct mlxbf_tmfifo_vring *vring,
+ * flag is set.
+ */
+ static void mlxbf_tmfifo_rxtx_header(struct mlxbf_tmfifo_vring *vring,
+- struct vring_desc *desc,
++ struct vring_desc **desc,
+ bool is_rx, bool *vring_change)
+ {
+ struct mlxbf_tmfifo *fifo = vring->fifo;
+ struct virtio_net_config *config;
+ struct mlxbf_tmfifo_msg_hdr hdr;
+ int vdev_id, hdr_len;
++ bool drop_rx = false;
+
+ /* Read/Write packet header. */
+ if (is_rx) {
+@@ -649,8 +650,8 @@ static void mlxbf_tmfifo_rxtx_header(struct mlxbf_tmfifo_vring *vring,
+ if (ntohs(hdr.len) >
+ __virtio16_to_cpu(virtio_legacy_is_little_endian(),
+ config->mtu) +
+- MLXBF_TMFIFO_NET_L2_OVERHEAD)
+- return;
++ MLXBF_TMFIFO_NET_L2_OVERHEAD)
++ drop_rx = true;
+ } else {
+ vdev_id = VIRTIO_ID_CONSOLE;
+ hdr_len = 0;
+@@ -665,16 +666,25 @@ static void mlxbf_tmfifo_rxtx_header(struct mlxbf_tmfifo_vring *vring,
+
+ if (!tm_dev2)
+ return;
+- vring->desc = desc;
++ vring->desc = *desc;
+ vring = &tm_dev2->vrings[MLXBF_TMFIFO_VRING_RX];
+ *vring_change = true;
+ }
++
++ if (drop_rx && !IS_VRING_DROP(vring)) {
++ if (vring->desc_head)
++ mlxbf_tmfifo_release_pkt(vring);
++ *desc = &vring->drop_desc;
++ vring->desc_head = *desc;
++ vring->desc = *desc;
++ }
++
+ vring->pkt_len = ntohs(hdr.len) + hdr_len;
+ } else {
+ /* Network virtio has an extra header. */
+ hdr_len = (vring->vdev_id == VIRTIO_ID_NET) ?
+ sizeof(struct virtio_net_hdr) : 0;
+- vring->pkt_len = mlxbf_tmfifo_get_pkt_len(vring, desc);
++ vring->pkt_len = mlxbf_tmfifo_get_pkt_len(vring, *desc);
+ hdr.type = (vring->vdev_id == VIRTIO_ID_NET) ?
+ VIRTIO_ID_NET : VIRTIO_ID_CONSOLE;
+ hdr.len = htons(vring->pkt_len - hdr_len);
+@@ -723,7 +733,7 @@ static bool mlxbf_tmfifo_rxtx_one_desc(struct mlxbf_tmfifo_vring *vring,
+
+ /* Beginning of a packet. Start to Rx/Tx packet header. */
+ if (vring->pkt_len == 0) {
+- mlxbf_tmfifo_rxtx_header(vring, desc, is_rx, &vring_change);
++ mlxbf_tmfifo_rxtx_header(vring, &desc, is_rx, &vring_change);
+ (*avail)--;
+
+ /* Return if new packet is for another ring. */
+--
+2.40.1
+
--- /dev/null
+From c87ebf0e61e16ebf6a7bd2406fb4d7afb7331d11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Aug 2023 13:42:59 -0400
+Subject: platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more
+ descriptors
+
+From: Liming Sun <limings@nvidia.com>
+
+[ Upstream commit 78034cbece79c2d730ad0770b3b7f23eedbbecf5 ]
+
+This commit fixes tmfifo console stuck issue when the virtual
+networking interface is in down state. In such case, the network
+Rx descriptors runs out and causes the Rx network packet staying
+in the head of the tmfifo thus blocking the console packets. The
+fix is to drop the Rx network packet when no more Rx descriptors.
+Function name mlxbf_tmfifo_release_pending_pkt() is also renamed
+to mlxbf_tmfifo_release_pkt() to be more approperiate.
+
+Fixes: 1357dfd7261f ("platform/mellanox: Add TmFifo driver for Mellanox BlueField Soc")
+Signed-off-by: Liming Sun <limings@nvidia.com>
+Reviewed-by: Vadim Pasternak <vadimp@nvidia.com>
+Reviewed-by: David Thompson <davthompson@nvidia.com>
+Link: https://lore.kernel.org/r/8c0177dc938ae03f52ff7e0b62dbeee74b7bec09.1693322547.git.limings@nvidia.com
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-tmfifo.c | 66 ++++++++++++++++++------
+ 1 file changed, 49 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-tmfifo.c b/drivers/platform/mellanox/mlxbf-tmfifo.c
+index d31fe7eed38df..ee8648a271fda 100644
+--- a/drivers/platform/mellanox/mlxbf-tmfifo.c
++++ b/drivers/platform/mellanox/mlxbf-tmfifo.c
+@@ -56,6 +56,7 @@ struct mlxbf_tmfifo;
+ * @vq: pointer to the virtio virtqueue
+ * @desc: current descriptor of the pending packet
+ * @desc_head: head descriptor of the pending packet
++ * @drop_desc: dummy desc for packet dropping
+ * @cur_len: processed length of the current descriptor
+ * @rem_len: remaining length of the pending packet
+ * @pkt_len: total length of the pending packet
+@@ -72,6 +73,7 @@ struct mlxbf_tmfifo_vring {
+ struct virtqueue *vq;
+ struct vring_desc *desc;
+ struct vring_desc *desc_head;
++ struct vring_desc drop_desc;
+ int cur_len;
+ int rem_len;
+ u32 pkt_len;
+@@ -83,6 +85,14 @@ struct mlxbf_tmfifo_vring {
+ struct mlxbf_tmfifo *fifo;
+ };
+
++/* Check whether vring is in drop mode. */
++#define IS_VRING_DROP(_r) ({ \
++ typeof(_r) (r) = (_r); \
++ (r->desc_head == &r->drop_desc ? true : false); })
++
++/* A stub length to drop maximum length packet. */
++#define VRING_DROP_DESC_MAX_LEN GENMASK(15, 0)
++
+ /* Interrupt types. */
+ enum {
+ MLXBF_TM_RX_LWM_IRQ,
+@@ -243,6 +253,7 @@ static int mlxbf_tmfifo_alloc_vrings(struct mlxbf_tmfifo *fifo,
+ vring->align = SMP_CACHE_BYTES;
+ vring->index = i;
+ vring->vdev_id = tm_vdev->vdev.id.device;
++ vring->drop_desc.len = VRING_DROP_DESC_MAX_LEN;
+ dev = &tm_vdev->vdev.dev;
+
+ size = vring_size(vring->num, vring->align);
+@@ -348,7 +359,7 @@ static u32 mlxbf_tmfifo_get_pkt_len(struct mlxbf_tmfifo_vring *vring,
+ return len;
+ }
+
+-static void mlxbf_tmfifo_release_pending_pkt(struct mlxbf_tmfifo_vring *vring)
++static void mlxbf_tmfifo_release_pkt(struct mlxbf_tmfifo_vring *vring)
+ {
+ struct vring_desc *desc_head;
+ u32 len = 0;
+@@ -577,19 +588,25 @@ static void mlxbf_tmfifo_rxtx_word(struct mlxbf_tmfifo_vring *vring,
+
+ if (vring->cur_len + sizeof(u64) <= len) {
+ /* The whole word. */
+- if (is_rx)
+- memcpy(addr + vring->cur_len, &data, sizeof(u64));
+- else
+- memcpy(&data, addr + vring->cur_len, sizeof(u64));
++ if (!IS_VRING_DROP(vring)) {
++ if (is_rx)
++ memcpy(addr + vring->cur_len, &data,
++ sizeof(u64));
++ else
++ memcpy(&data, addr + vring->cur_len,
++ sizeof(u64));
++ }
+ vring->cur_len += sizeof(u64);
+ } else {
+ /* Leftover bytes. */
+- if (is_rx)
+- memcpy(addr + vring->cur_len, &data,
+- len - vring->cur_len);
+- else
+- memcpy(&data, addr + vring->cur_len,
+- len - vring->cur_len);
++ if (!IS_VRING_DROP(vring)) {
++ if (is_rx)
++ memcpy(addr + vring->cur_len, &data,
++ len - vring->cur_len);
++ else
++ memcpy(&data, addr + vring->cur_len,
++ len - vring->cur_len);
++ }
+ vring->cur_len = len;
+ }
+
+@@ -690,8 +707,16 @@ static bool mlxbf_tmfifo_rxtx_one_desc(struct mlxbf_tmfifo_vring *vring,
+ /* Get the descriptor of the next packet. */
+ if (!vring->desc) {
+ desc = mlxbf_tmfifo_get_next_pkt(vring, is_rx);
+- if (!desc)
+- return false;
++ if (!desc) {
++ /* Drop next Rx packet to avoid stuck. */
++ if (is_rx) {
++ desc = &vring->drop_desc;
++ vring->desc_head = desc;
++ vring->desc = desc;
++ } else {
++ return false;
++ }
++ }
+ } else {
+ desc = vring->desc;
+ }
+@@ -724,17 +749,24 @@ static bool mlxbf_tmfifo_rxtx_one_desc(struct mlxbf_tmfifo_vring *vring,
+ vring->rem_len -= len;
+
+ /* Get the next desc on the chain. */
+- if (vring->rem_len > 0 &&
++ if (!IS_VRING_DROP(vring) && vring->rem_len > 0 &&
+ (virtio16_to_cpu(vdev, desc->flags) & VRING_DESC_F_NEXT)) {
+ idx = virtio16_to_cpu(vdev, desc->next);
+ desc = &vr->desc[idx];
+ goto mlxbf_tmfifo_desc_done;
+ }
+
+- /* Done and release the pending packet. */
+- mlxbf_tmfifo_release_pending_pkt(vring);
++ /* Done and release the packet. */
+ desc = NULL;
+ fifo->vring[is_rx] = NULL;
++ if (!IS_VRING_DROP(vring)) {
++ mlxbf_tmfifo_release_pkt(vring);
++ } else {
++ vring->pkt_len = 0;
++ vring->desc_head = NULL;
++ vring->desc = NULL;
++ return false;
++ }
+
+ /*
+ * Make sure the load/store are in order before
+@@ -914,7 +946,7 @@ static void mlxbf_tmfifo_virtio_del_vqs(struct virtio_device *vdev)
+
+ /* Release the pending packet. */
+ if (vring->desc)
+- mlxbf_tmfifo_release_pending_pkt(vring);
++ mlxbf_tmfifo_release_pkt(vring);
+ vq = vring->vq;
+ if (vq) {
+ vring->vq = NULL;
+--
+2.40.1
+
--- /dev/null
+From 084840d9ccca2dff04823124cb8763a14c0e83db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Sep 2023 14:00:35 +0200
+Subject: platform/mellanox: NVSW_SN2201 should depend on ACPI
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 0a138f1670bd1af13ba6949c48ea86ddd4bf557e ]
+
+The only probing method supported by the Nvidia SN2201 platform driver
+is probing through an ACPI match table. Hence add a dependency on
+ACPI, to prevent asking the user about this driver when configuring a
+kernel without ACPI support.
+
+Fixes: 662f24826f95 ("platform/mellanox: Add support for new SN2201 system")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Vadim Pasternak <vadimp@nvidia.com>
+Acked-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/ec5a4071691ab08d58771b7732a9988e89779268.1693828363.git.geert+renesas@glider.be
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/mellanox/Kconfig b/drivers/platform/mellanox/Kconfig
+index 382793e73a60a..30b50920b278c 100644
+--- a/drivers/platform/mellanox/Kconfig
++++ b/drivers/platform/mellanox/Kconfig
+@@ -80,8 +80,8 @@ config MLXBF_PMC
+
+ config NVSW_SN2201
+ tristate "Nvidia SN2201 platform driver support"
+- depends on HWMON
+- depends on I2C
++ depends on HWMON && I2C
++ depends on ACPI || COMPILE_TEST
+ select REGMAP_I2C
+ help
+ This driver provides support for the Nvidia SN2201 platform.
+--
+2.40.1
+
--- /dev/null
+From 49f1c3d16a906df380d261ab25305fe4378eff7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 15:01:52 +0800
+Subject: r8152: check budget for r8152_poll()
+
+From: Hayes Wang <hayeswang@realtek.com>
+
+[ Upstream commit a7b8d60b37237680009dd0b025fe8c067aba0ee3 ]
+
+According to the document of napi, there is no rx process when the
+budget is 0. Therefore, r8152_poll() has to return 0 directly when the
+budget is equal to 0.
+
+Fixes: d2187f8e4454 ("r8152: divide the tx and rx bottom functions")
+Signed-off-by: Hayes Wang <hayeswang@realtek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 059d610901d84..fc1458f96e170 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -2628,6 +2628,9 @@ static int r8152_poll(struct napi_struct *napi, int budget)
+ struct r8152 *tp = container_of(napi, struct r8152, napi);
+ int work_done;
+
++ if (!budget)
++ return 0;
++
+ work_done = rx_bottom(tp, budget);
+
+ if (work_done < budget) {
+--
+2.40.1
+
--- /dev/null
+From 8926e71e02abe84528feecb93b036de8553e19ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Aug 2023 15:58:37 +0200
+Subject: selftests: Keep symlinks, when possible
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Björn Töpel <bjorn@rivosinc.com>
+
+[ Upstream commit 3f3f384139ed147c71e1d770accf610133d5309b ]
+
+When kselftest is built/installed with the 'gen_tar' target, rsync is
+used for the installation step to copy files. Extra care is needed for
+tests that have symlinks. Commit ae108c48b5d2 ("selftests: net: Fix
+cross-tree inclusion of scripts") added '-L' (transform symlink into
+referent file/dir) to rsync, to fix dangling links. However, that
+broke some tests where the symlink (being a symlink) is part of the
+test (e.g. exec:execveat).
+
+Use rsync's '--copy-unsafe-links' that does right thing.
+
+Fixes: ae108c48b5d2 ("selftests: net: Fix cross-tree inclusion of scripts")
+Signed-off-by: Björn Töpel <bjorn@rivosinc.com>
+Reviewed-by: Benjamin Poirier <bpoirier@nvidia.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/lib.mk | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk
+index 05400462c7799..aa646e0661f36 100644
+--- a/tools/testing/selftests/lib.mk
++++ b/tools/testing/selftests/lib.mk
+@@ -72,7 +72,7 @@ endef
+ run_tests: all
+ ifdef building_out_of_srctree
+ @if [ "X$(TEST_PROGS)$(TEST_PROGS_EXTENDED)$(TEST_FILES)" != "X" ]; then \
+- rsync -aLq $(TEST_PROGS) $(TEST_PROGS_EXTENDED) $(TEST_FILES) $(OUTPUT); \
++ rsync -aq --copy-unsafe-links $(TEST_PROGS) $(TEST_PROGS_EXTENDED) $(TEST_FILES) $(OUTPUT); \
+ fi
+ @if [ "X$(TEST_PROGS)" != "X" ]; then \
+ $(call RUN_TESTS, $(TEST_GEN_PROGS) $(TEST_CUSTOM_PROGS) \
+@@ -86,7 +86,7 @@ endif
+
+ define INSTALL_SINGLE_RULE
+ $(if $(INSTALL_LIST),@mkdir -p $(INSTALL_PATH))
+- $(if $(INSTALL_LIST),rsync -aL $(INSTALL_LIST) $(INSTALL_PATH)/)
++ $(if $(INSTALL_LIST),rsync -a --copy-unsafe-links $(INSTALL_LIST) $(INSTALL_PATH)/)
+ endef
+
+ define INSTALL_RULE
+--
+2.40.1
+
drm-amd-display-always-switch-off-odm-before-committing-more-streams.patch
drm-amd-display-remove-wait-while-locked.patch
drm-amdgpu-register-a-dirty-framebuffer-callback-for-fbcon.patch
+kunit-fix-wild-memory-access-bug-in-kunit_free_suite.patch
+net-ipv4-fix-one-memleak-in-__inet_del_ifa.patch
+kselftest-runner.sh-propagate-sigterm-to-runner-chil.patch
+selftests-keep-symlinks-when-possible.patch
+net-smc-use-smc_lgr_list.lock-to-protect-smc_lgr_lis.patch
+net-stmmac-fix-handling-of-zero-coalescing-tx-usecs.patch
+net-ethernet-mvpp2_main-fix-possible-oob-write-in-mv.patch
+net-ethernet-mtk_eth_soc-fix-possible-null-pointer-d.patch
+hsr-fix-uninit-value-access-in-fill_frame_info.patch
+net-ethernet-adi-adin1110-use-eth_broadcast_addr-to-.patch
+net-ethernet-adi-adin1110-fix-forwarding-offload.patch
+net-dsa-sja1105-hide-all-multicast-addresses-from-br.patch
+net-dsa-sja1105-propagate-exact-error-code-from-sja1.patch
+net-dsa-sja1105-fix-multicast-forwarding-working-onl.patch
+net-dsa-sja1105-serialize-sja1105_port_mcast_flood-w.patch
+net-dsa-sja1105-block-fdb-accesses-that-are-concurre.patch
+r8152-check-budget-for-r8152_poll.patch
+kcm-fix-memory-leak-in-error-path-of-kcm_sendmsg.patch
+platform-mellanox-mlxbf-tmfifo-drop-the-rx-packet-if.patch
+platform-mellanox-mlxbf-tmfifo-drop-jumbo-frames.patch
+platform-mellanox-mlxbf-pmc-fix-potential-buffer-ove.patch
+platform-mellanox-mlxbf-pmc-fix-reading-of-unprogram.patch
+platform-mellanox-nvsw_sn2201-should-depend-on-acpi.patch
+net-tls-do-not-free-tls_rec-on-async-operation-in-bp.patch
+net-macb-enable-ptp-unicast.patch
+net-macb-fix-sleep-inside-spinlock.patch
+ipv6-fix-ip6_sock_set_addr_preferences-typo.patch
+ipv6-remove-in6addr_any-alternatives.patch
+tcp-factorise-sk_family-independent-comparison-in-in.patch
+tcp-fix-bind-regression-for-v4-mapped-v6-wildcard-ad.patch
+tcp-fix-bind-regression-for-v4-mapped-v6-non-wildcar.patch
+ixgbe-fix-timestamp-configuration-code.patch
+kcm-fix-error-handling-for-sock_dgram-in-kcm_sendmsg.patch
--- /dev/null
+From ffbffc4b6f1470c7853a92a05c8a0989c0572527 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 11:36:55 -0700
+Subject: tcp: Factorise sk_family-independent comparison in
+ inet_bind2_bucket_match(_addr_any).
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit c6d277064b1da7f9015b575a562734de87a7e463 ]
+
+This is a prep patch to make the following patches cleaner that touch
+inet_bind2_bucket_match() and inet_bind2_bucket_match_addr_any().
+
+Both functions have duplicated comparison for netns, port, and l3mdev.
+Let's factorise them.
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: aa99e5f87bd5 ("tcp: Fix bind() regression for v4-mapped-v6 wildcard address.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/inet_hashtables.c | 28 +++++++++++++---------------
+ 1 file changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index 38a92c8c66863..71d77b3b6536f 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -795,41 +795,39 @@ static bool inet_bind2_bucket_match(const struct inet_bind2_bucket *tb,
+ const struct net *net, unsigned short port,
+ int l3mdev, const struct sock *sk)
+ {
++ if (!net_eq(ib2_net(tb), net) || tb->port != port ||
++ tb->l3mdev != l3mdev)
++ return false;
++
+ #if IS_ENABLED(CONFIG_IPV6)
+ if (sk->sk_family != tb->family)
+ return false;
+
+ if (sk->sk_family == AF_INET6)
+- return net_eq(ib2_net(tb), net) && tb->port == port &&
+- tb->l3mdev == l3mdev &&
+- ipv6_addr_equal(&tb->v6_rcv_saddr, &sk->sk_v6_rcv_saddr);
+- else
++ return ipv6_addr_equal(&tb->v6_rcv_saddr, &sk->sk_v6_rcv_saddr);
+ #endif
+- return net_eq(ib2_net(tb), net) && tb->port == port &&
+- tb->l3mdev == l3mdev && tb->rcv_saddr == sk->sk_rcv_saddr;
++ return tb->rcv_saddr == sk->sk_rcv_saddr;
+ }
+
+ bool inet_bind2_bucket_match_addr_any(const struct inet_bind2_bucket *tb, const struct net *net,
+ unsigned short port, int l3mdev, const struct sock *sk)
+ {
++ if (!net_eq(ib2_net(tb), net) || tb->port != port ||
++ tb->l3mdev != l3mdev)
++ return false;
++
+ #if IS_ENABLED(CONFIG_IPV6)
+ if (sk->sk_family != tb->family) {
+ if (sk->sk_family == AF_INET)
+- return net_eq(ib2_net(tb), net) && tb->port == port &&
+- tb->l3mdev == l3mdev &&
+- ipv6_addr_any(&tb->v6_rcv_saddr);
++ return ipv6_addr_any(&tb->v6_rcv_saddr);
+
+ return false;
+ }
+
+ if (sk->sk_family == AF_INET6)
+- return net_eq(ib2_net(tb), net) && tb->port == port &&
+- tb->l3mdev == l3mdev &&
+- ipv6_addr_any(&tb->v6_rcv_saddr);
+- else
++ return ipv6_addr_any(&tb->v6_rcv_saddr);
+ #endif
+- return net_eq(ib2_net(tb), net) && tb->port == port &&
+- tb->l3mdev == l3mdev && tb->rcv_saddr == 0;
++ return tb->rcv_saddr == 0;
+ }
+
+ /* The socket's bhash2 hashbucket spinlock must be held when this is called */
+--
+2.40.1
+
--- /dev/null
+From 58d34b727b60324318b9ccc8006c6544a9944a69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 11:36:57 -0700
+Subject: tcp: Fix bind() regression for v4-mapped-v6 non-wildcard address.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit c48ef9c4aed3632566b57ba66cec6ec78624d4cb ]
+
+Since bhash2 was introduced, the example below does not work as expected.
+These two bind() should conflict, but the 2nd bind() now succeeds.
+
+ from socket import *
+
+ s1 = socket(AF_INET6, SOCK_STREAM)
+ s1.bind(('::ffff:127.0.0.1', 0))
+
+ s2 = socket(AF_INET, SOCK_STREAM)
+ s2.bind(('127.0.0.1', s1.getsockname()[1]))
+
+During the 2nd bind() in inet_csk_get_port(), inet_bind2_bucket_find()
+fails to find the 1st socket's tb2, so inet_bind2_bucket_create() allocates
+a new tb2 for the 2nd socket. Then, we call inet_csk_bind_conflict() that
+checks conflicts in the new tb2 by inet_bhash2_conflict(). However, the
+new tb2 does not include the 1st socket, thus the bind() finally succeeds.
+
+In this case, inet_bind2_bucket_match() must check if AF_INET6 tb2 has
+the conflicting v4-mapped-v6 address so that inet_bind2_bucket_find()
+returns the 1st socket's tb2.
+
+Note that if we bind two sockets to 127.0.0.1 and then ::FFFF:127.0.0.1,
+the 2nd bind() fails properly for the same reason mentinoed in the previous
+commit.
+
+Fixes: 28044fc1d495 ("net: Add a bhash2 table hashed by port and address")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Andrei Vagin <avagin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/inet_hashtables.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index eb522c0374d59..d79de4b95186b 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -800,8 +800,13 @@ static bool inet_bind2_bucket_match(const struct inet_bind2_bucket *tb,
+ return false;
+
+ #if IS_ENABLED(CONFIG_IPV6)
+- if (sk->sk_family != tb->family)
++ if (sk->sk_family != tb->family) {
++ if (sk->sk_family == AF_INET)
++ return ipv6_addr_v4mapped(&tb->v6_rcv_saddr) &&
++ tb->v6_rcv_saddr.s6_addr32[3] == sk->sk_rcv_saddr;
++
+ return false;
++ }
+
+ if (sk->sk_family == AF_INET6)
+ return ipv6_addr_equal(&tb->v6_rcv_saddr, &sk->sk_v6_rcv_saddr);
+--
+2.40.1
+
--- /dev/null
+From 210183841be9a4a1c6194f591c4b62425f320d24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 11:36:56 -0700
+Subject: tcp: Fix bind() regression for v4-mapped-v6 wildcard address.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit aa99e5f87bd54db55dd37cb130bd5eb55933027f ]
+
+Andrei Vagin reported bind() regression with strace logs.
+
+If we bind() a TCPv6 socket to ::FFFF:0.0.0.0 and then bind() a TCPv4
+socket to 127.0.0.1, the 2nd bind() should fail but now succeeds.
+
+ from socket import *
+
+ s1 = socket(AF_INET6, SOCK_STREAM)
+ s1.bind(('::ffff:0.0.0.0', 0))
+
+ s2 = socket(AF_INET, SOCK_STREAM)
+ s2.bind(('127.0.0.1', s1.getsockname()[1]))
+
+During the 2nd bind(), if tb->family is AF_INET6 and sk->sk_family is
+AF_INET in inet_bind2_bucket_match_addr_any(), we still need to check
+if tb has the v4-mapped-v6 wildcard address.
+
+The example above does not work after commit 5456262d2baa ("net: Fix
+incorrect address comparison when searching for a bind2 bucket"), but
+the blamed change is not the commit.
+
+Before the commit, the leading zeros of ::FFFF:0.0.0.0 were treated
+as 0.0.0.0, and the sequence above worked by chance. Technically, this
+case has been broken since bhash2 was introduced.
+
+Note that if we bind() two sockets to 127.0.0.1 and then ::FFFF:0.0.0.0,
+the 2nd bind() fails properly because we fall back to using bhash to
+detect conflicts for the v4-mapped-v6 address.
+
+Fixes: 28044fc1d495 ("net: Add a bhash2 table hashed by port and address")
+Reported-by: Andrei Vagin <avagin@google.com>
+Closes: https://lore.kernel.org/netdev/ZPuYBOFC8zsK6r9T@google.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ipv6.h | 5 +++++
+ net/ipv4/inet_hashtables.c | 3 ++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/ipv6.h b/include/net/ipv6.h
+index 8ced112167599..517bdae78614b 100644
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -750,6 +750,11 @@ static inline bool ipv6_addr_v4mapped(const struct in6_addr *a)
+ cpu_to_be32(0x0000ffff))) == 0UL;
+ }
+
++static inline bool ipv6_addr_v4mapped_any(const struct in6_addr *a)
++{
++ return ipv6_addr_v4mapped(a) && ipv4_is_zeronet(a->s6_addr32[3]);
++}
++
+ static inline bool ipv6_addr_v4mapped_loopback(const struct in6_addr *a)
+ {
+ return ipv6_addr_v4mapped(a) && ipv4_is_loopback(a->s6_addr32[3]);
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index 71d77b3b6536f..eb522c0374d59 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -819,7 +819,8 @@ bool inet_bind2_bucket_match_addr_any(const struct inet_bind2_bucket *tb, const
+ #if IS_ENABLED(CONFIG_IPV6)
+ if (sk->sk_family != tb->family) {
+ if (sk->sk_family == AF_INET)
+- return ipv6_addr_any(&tb->v6_rcv_saddr);
++ return ipv6_addr_any(&tb->v6_rcv_saddr) ||
++ ipv6_addr_v4mapped_any(&tb->v6_rcv_saddr);
+
+ return false;
+ }
+--
+2.40.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
