Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Fri, 1 Nov 2024 19:19:37 +0000 (15:19 -0400)
committerSasha Levin <sashal@kernel.org>
Fri, 1 Nov 2024 19:19:37 +0000 (15:19 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
16 files changed:
queue-5.4/asoc-cs42l51-fix-some-error-handling-paths-in-cs42l5.patch [new file with mode: 0644]
queue-5.4/bpf-fix-out-of-bounds-write-in-trie_get_next_key.patch [new file with mode: 0644]
queue-5.4/dt-bindings-gpu-convert-samsung-image-rotator-to-dt-.patch [new file with mode: 0644]
queue-5.4/gtp-allow-1-to-be-specified-as-file-description-from.patch [new file with mode: 0644]
queue-5.4/gtp-simplify-error-handling-code-in-gtp_encap_enable.patch [new file with mode: 0644]
queue-5.4/igb-disable-threaded-irq-for-igb_msix_other.patch [new file with mode: 0644]
queue-5.4/mac80211-add-support-to-trigger-sta-disconnect-on-ha.patch [new file with mode: 0644]
queue-5.4/mac80211-do-drv_reconfig_complete-before-restarting-.patch [new file with mode: 0644]
queue-5.4/net-sched-stop-qdisc_tree_reduce_backlog-on-tc_h_roo.patch [new file with mode: 0644]
queue-5.4/net-skip-offload-for-netif_f_ipv6_csum-if-ipv6-heade.patch [new file with mode: 0644]
queue-5.4/net-support-ip-generic-csum-processing-in-skb_csum_h.patch [new file with mode: 0644]
queue-5.4/netfilter-nft_payload-sanitize-offset-and-length-bef.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/wifi-iwlwifi-mvm-disconnect-station-vifs-if-recovery.patch [new file with mode: 0644]
queue-5.4/wifi-iwlwifi-mvm-fix-response-handling-in-iwl_mvm_se.patch [new file with mode: 0644]
queue-5.4/wifi-mac80211-skip-non-uploaded-keys-in-ieee80211_it.patch [new file with mode: 0644]

diff --git a/queue-5.4/asoc-cs42l51-fix-some-error-handling-paths-in-cs42l5.patch b/queue-5.4/asoc-cs42l51-fix-some-error-handling-paths-in-cs42l5.patch
new file mode 100644 (file)
index 0000000..0ad4243
--- /dev/null
@@ -0,0 +1,56 @@
+From 1e40caf9b2220c65feb59aa9f71ae55bca9d1048 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2024 22:46:34 +0200
+Subject: ASoC: cs42l51: Fix some error handling paths in cs42l51_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit d221b844ee79823ffc29b7badc4010bdb0960224 ]
+
+If devm_gpiod_get_optional() fails, we need to disable previously enabled
+regulators, as done in the other error handling path of the function.
+
+Also, gpiod_set_value_cansleep(, 1) needs to be called to undo a
+potential gpiod_set_value_cansleep(, 0).
+If the "reset" gpio is not defined, this additional call is just a no-op.
+
+This behavior is the same as the one already in the .remove() function.
+
+Fixes: 11b9cd748e31 ("ASoC: cs42l51: add reset management")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://patch.msgid.link/a5e5f4b9fb03f46abd2c93ed94b5c395972ce0d1.1729975570.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l51.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l51.c b/sound/soc/codecs/cs42l51.c
+index 07371e32167c8..7fa0a849e65f4 100644
+--- a/sound/soc/codecs/cs42l51.c
++++ b/sound/soc/codecs/cs42l51.c
+@@ -740,8 +740,10 @@ int cs42l51_probe(struct device *dev, struct regmap *regmap)
+       cs42l51->reset_gpio = devm_gpiod_get_optional(dev, "reset",
+                                                     GPIOD_OUT_LOW);
+-      if (IS_ERR(cs42l51->reset_gpio))
+-              return PTR_ERR(cs42l51->reset_gpio);
++      if (IS_ERR(cs42l51->reset_gpio)) {
++              ret = PTR_ERR(cs42l51->reset_gpio);
++              goto error;
++      }
+       if (cs42l51->reset_gpio) {
+               dev_dbg(dev, "Release reset gpio\n");
+@@ -773,6 +775,7 @@ int cs42l51_probe(struct device *dev, struct regmap *regmap)
+       return 0;
+ error:
++      gpiod_set_value_cansleep(cs42l51->reset_gpio, 1);
+       regulator_bulk_disable(ARRAY_SIZE(cs42l51->supplies),
+                              cs42l51->supplies);
+       return ret;
+-- 
+2.43.0
+
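Review bot: The shared `error:` label now calls `gpiod_set_value_cansleep(cs42l51->reset_gpio, 1)` even when it is reached from the new `IS_ERR(cs42l51->reset_gpio)` branch, so the helper receives an error pointer rather than a descriptor or NULL. The commit message only covers the NULL ("not defined") case; how gpiolib treats an error pointer is not visible here, and it presumably logs an invalid-GPIO warning on a probe that is already failing. Guarding the call, e.g. `if (!IS_ERR(cs42l51->reset_gpio)) gpiod_set_value_cansleep(cs42l51->reset_gpio, 1);`, keeps the unwind limited to state that was actually acquired. cs42l51_probe() starts and ends outside both inner hunks, so any other `goto error` site that runs before the GPIO lookup should be checked the same way.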
diff --git a/queue-5.4/bpf-fix-out-of-bounds-write-in-trie_get_next_key.patch b/queue-5.4/bpf-fix-out-of-bounds-write-in-trie_get_next_key.patch
new file mode 100644 (file)
index 0000000..50b75c3
--- /dev/null
@@ -0,0 +1,47 @@
+From 65f7ced88c219aebad2eb1799dce6316f6d0dba5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2024 14:02:43 +0900
+Subject: bpf: Fix out-of-bounds write in trie_get_next_key()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Byeonguk Jeong <jungbu2855@gmail.com>
+
+[ Upstream commit 13400ac8fb80c57c2bfb12ebd35ee121ce9b4d21 ]
+
+trie_get_next_key() allocates a node stack with size trie->max_prefixlen,
+while it writes (trie->max_prefixlen + 1) nodes to the stack when it has
+full paths from the root to leaves. For example, consider a trie with
+max_prefixlen is 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ...
+0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with
+.prefixlen = 8 make 9 nodes be written on the node stack with size 8.
+
+Fixes: b471f2f1de8b ("bpf: implement MAP_GET_NEXT_KEY command for LPM_TRIE map")
+Signed-off-by: Byeonguk Jeong <jungbu2855@gmail.com>
+Reviewed-by: Toke Høiland-Jørgensen <toke@kernel.org>
+Tested-by: Hou Tao <houtao1@huawei.com>
+Acked-by: Hou Tao <houtao1@huawei.com>
+Link: https://lore.kernel.org/r/Zxx384ZfdlFYnz6J@localhost.localdomain
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/lpm_trie.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c
+index d78c1afe12737..c372be6df264e 100644
+--- a/kernel/bpf/lpm_trie.c
++++ b/kernel/bpf/lpm_trie.c
+@@ -660,7 +660,7 @@ static int trie_get_next_key(struct bpf_map *map, void *_key, void *_next_key)
+       if (!key || key->prefixlen > trie->max_prefixlen)
+               goto find_leftmost;
+-      node_stack = kmalloc_array(trie->max_prefixlen,
++      node_stack = kmalloc_array(trie->max_prefixlen + 1,
+                                  sizeof(struct lpm_trie_node *),
+                                  GFP_ATOMIC | __GFP_NOWARN);
+       if (!node_stack)
+-- 
+2.43.0
+
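Review bot: The `+ 1` in `kmalloc_array(trie->max_prefixlen + 1, ...)` is unexplained at the allocation site, and nothing visible ties the stack size to the number of nodes the walk pushes. A comment such as `/* a root-to-leaf path can hold max_prefixlen + 1 nodes (prefix lengths 0..max_prefixlen) */` would keep a later cleanup from undoing the fix. The writes into `node_stack` are outside the hunk; if they are unchecked, a `WARN_ON_ONCE` on the stack index against the allocated count would turn a future miscount into a warning instead of a heap out-of-bounds write. trie_get_next_key() continues beyond the hunk.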
diff --git a/queue-5.4/dt-bindings-gpu-convert-samsung-image-rotator-to-dt-.patch b/queue-5.4/dt-bindings-gpu-convert-samsung-image-rotator-to-dt-.patch
new file mode 100644 (file)
index 0000000..b30c035
--- /dev/null
@@ -0,0 +1,114 @@
+From 25cb1f1f53fe137aefdc5e54bb1392098c4200ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Sep 2019 12:37:27 +0200
+Subject: dt-bindings: gpu: Convert Samsung Image Rotator to dt-schema
+
+From: Maciej Falkowski <m.falkowski@samsung.com>
+
+[ Upstream commit 6e3ffcd592060403ee2d956c9b1704775898db79 ]
+
+Convert Samsung Image Rotator to newer dt-schema format.
+
+Signed-off-by: Maciej Falkowski <m.falkowski@samsung.com>
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Stable-dep-of: 338c4d3902fe ("igb: Disable threaded IRQ for igb_msix_other")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../bindings/gpu/samsung-rotator.txt          | 28 -----------
+ .../bindings/gpu/samsung-rotator.yaml         | 48 +++++++++++++++++++
+ 2 files changed, 48 insertions(+), 28 deletions(-)
+ delete mode 100644 Documentation/devicetree/bindings/gpu/samsung-rotator.txt
+ create mode 100644 Documentation/devicetree/bindings/gpu/samsung-rotator.yaml
+
+diff --git a/Documentation/devicetree/bindings/gpu/samsung-rotator.txt b/Documentation/devicetree/bindings/gpu/samsung-rotator.txt
+deleted file mode 100644
+index 3aca2578da0bd..0000000000000
+--- a/Documentation/devicetree/bindings/gpu/samsung-rotator.txt
++++ /dev/null
+@@ -1,28 +0,0 @@
+-* Samsung Image Rotator
+-
+-Required properties:
+-  - compatible : value should be one of the following:
+-      * "samsung,s5pv210-rotator" for Rotator IP in S5PV210
+-      * "samsung,exynos4210-rotator" for Rotator IP in Exynos4210
+-      * "samsung,exynos4212-rotator" for Rotator IP in Exynos4212/4412
+-      * "samsung,exynos5250-rotator" for Rotator IP in Exynos5250
+-
+-  - reg : Physical base address of the IP registers and length of memory
+-        mapped region.
+-
+-  - interrupts : Interrupt specifier for rotator interrupt, according to format
+-               specific to interrupt parent.
+-
+-  - clocks : Clock specifier for rotator clock, according to generic clock
+-           bindings. (See Documentation/devicetree/bindings/clock/exynos*.txt)
+-
+-  - clock-names : Names of clocks. For exynos rotator, it should be "rotator".
+-
+-Example:
+-      rotator@12810000 {
+-              compatible = "samsung,exynos4210-rotator";
+-              reg = <0x12810000 0x1000>;
+-              interrupts = <0 83 0>;
+-              clocks = <&clock 278>;
+-              clock-names = "rotator";
+-      };
+diff --git a/Documentation/devicetree/bindings/gpu/samsung-rotator.yaml b/Documentation/devicetree/bindings/gpu/samsung-rotator.yaml
+new file mode 100644
+index 0000000000000..45ce562435fa7
+--- /dev/null
++++ b/Documentation/devicetree/bindings/gpu/samsung-rotator.yaml
+@@ -0,0 +1,48 @@
++# SPDX-License-Identifier: GPL-2.0
++%YAML 1.2
++---
++$id: http://devicetree.org/schemas/gpu/samsung-rotator.yaml#
++$schema: http://devicetree.org/meta-schemas/core.yaml#
++
++title: Samsung SoC Image Rotator
++
++maintainers:
++  - Inki Dae <inki.dae@samsung.com>
++
++properties:
++  compatible:
++    enum:
++      - "samsung,s5pv210-rotator"
++      - "samsung,exynos4210-rotator"
++      - "samsung,exynos4212-rotator"
++      - "samsung,exynos5250-rotator"
++  reg:
++    maxItems: 1
++
++  interrupts:
++    maxItems: 1
++
++  clocks:
++    maxItems: 1
++
++  clock-names:
++    items:
++    - const: rotator
++
++required:
++  - compatible
++  - reg
++  - interrupts
++  - clocks
++  - clock-names
++
++examples:
++  - |
++    rotator@12810000 {
++        compatible = "samsung,exynos4210-rotator";
++        reg = <0x12810000 0x1000>;
++        interrupts = <0 83 0>;
++        clocks = <&clock 278>;
++        clock-names = "rotator";
++    };
++
+-- 
+2.43.0
+
diff --git a/queue-5.4/gtp-allow-1-to-be-specified-as-file-description-from.patch b/queue-5.4/gtp-allow-1-to-be-specified-as-file-description-from.patch
new file mode 100644 (file)
index 0000000..207a3a9
--- /dev/null
@@ -0,0 +1,68 @@
+From d4a08e3d599fb56118de27499d2c6a4e0815e920 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Oct 2024 16:48:25 +0200
+Subject: gtp: allow -1 to be specified as file description from userspace
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 7515e37bce5c428a56a9b04ea7e96b3f53f17150 ]
+
+Existing user space applications maintained by the Osmocom project are
+breaking since a recent fix that addresses incorrect error checking.
+
+Restore operation for user space programs that specify -1 as file
+descriptor to skip GTPv0 or GTPv1 only sockets.
+
+Fixes: defd8b3c37b0 ("gtp: fix a potential NULL pointer dereference")
+Reported-by: Pau Espin Pedrol <pespin@sysmocom.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Tested-by: Oliver Smith <osmith@sysmocom.de>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241022144825.66740-1-pablo@netfilter.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index 9c62bc277ae86..f85f4e3d28215 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -848,20 +848,24 @@ static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[])
+       unsigned int role = GTP_ROLE_GGSN;
+       if (data[IFLA_GTP_FD0]) {
+-              u32 fd0 = nla_get_u32(data[IFLA_GTP_FD0]);
++              int fd0 = nla_get_u32(data[IFLA_GTP_FD0]);
+-              sk0 = gtp_encap_enable_socket(fd0, UDP_ENCAP_GTP0, gtp);
+-              if (IS_ERR(sk0))
+-                      return PTR_ERR(sk0);
++              if (fd0 >= 0) {
++                      sk0 = gtp_encap_enable_socket(fd0, UDP_ENCAP_GTP0, gtp);
++                      if (IS_ERR(sk0))
++                              return PTR_ERR(sk0);
++              }
+       }
+       if (data[IFLA_GTP_FD1]) {
+-              u32 fd1 = nla_get_u32(data[IFLA_GTP_FD1]);
++              int fd1 = nla_get_u32(data[IFLA_GTP_FD1]);
+-              sk1u = gtp_encap_enable_socket(fd1, UDP_ENCAP_GTP1U, gtp);
+-              if (IS_ERR(sk1u)) {
+-                      gtp_encap_disable_sock(sk0);
+-                      return PTR_ERR(sk1u);
++              if (fd1 >= 0) {
++                      sk1u = gtp_encap_enable_socket(fd1, UDP_ENCAP_GTP1U, gtp);
++                      if (IS_ERR(sk1u)) {
++                              gtp_encap_disable_sock(sk0);
++                              return PTR_ERR(sk1u);
++                      }
+               }
+       }
+-- 
+2.43.0
+
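Review bot: `if (fd0 >= 0)` and `if (fd1 >= 0)` skip every negative value, not only the -1 the commit message describes, so a caller passing any other negative descriptor now gets a silently missing socket instead of an error. If only -1 is meant as the skip marker, compare against it explicitly, e.g. `if (fd0 != -1)`, and let other values be rejected by the lookup in gtp_encap_enable_socket() (presumably; that helper is not shown). The hunk also allows both attributes to be present and negative, which leaves neither `sk0` nor `sk1u` assigned here. Whether later users of these sockets cope with that is outside the hunk and worth confirming for 5.4. gtp_encap_enable() begins and ends outside the hunk.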
diff --git a/queue-5.4/gtp-simplify-error-handling-code-in-gtp_encap_enable.patch b/queue-5.4/gtp-simplify-error-handling-code-in-gtp_encap_enable.patch
new file mode 100644 (file)
index 0000000..2a1e2ab
--- /dev/null
@@ -0,0 +1,53 @@
+From 5375275dba809e124a311703b265d4398732990d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 Jan 2020 18:36:07 +0100
+Subject: gtp: simplify error handling code in 'gtp_encap_enable()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit b289ba5e07105548b8219695e5443d807a825eb8 ]
+
+'gtp_encap_disable_sock(sk)' handles the case where sk is NULL, so there
+is no need to test it before calling the function.
+
+This saves a few line of code.
+
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Simon Horman <simon.horman@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 7515e37bce5c ("gtp: allow -1 to be specified as file description from userspace")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index c868f4ffa240f..9c62bc277ae86 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -860,8 +860,7 @@ static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[])
+               sk1u = gtp_encap_enable_socket(fd1, UDP_ENCAP_GTP1U, gtp);
+               if (IS_ERR(sk1u)) {
+-                      if (sk0)
+-                              gtp_encap_disable_sock(sk0);
++                      gtp_encap_disable_sock(sk0);
+                       return PTR_ERR(sk1u);
+               }
+       }
+@@ -869,10 +868,8 @@ static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[])
+       if (data[IFLA_GTP_ROLE]) {
+               role = nla_get_u32(data[IFLA_GTP_ROLE]);
+               if (role > GTP_ROLE_SGSN) {
+-                      if (sk0)
+-                              gtp_encap_disable_sock(sk0);
+-                      if (sk1u)
+-                              gtp_encap_disable_sock(sk1u);
++                      gtp_encap_disable_sock(sk0);
++                      gtp_encap_disable_sock(sk1u);
+                       return -EINVAL;
+               }
+       }
+-- 
+2.43.0
+
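Review bot: The now-unconditional `gtp_encap_disable_sock(sk0)` and `gtp_encap_disable_sock(sk1u)` calls are safe only if that helper returns early on NULL, which the commit message asserts but neither hunk shows. Since this is queued as a dependency for 5.4, confirm that the 5.4 copy of gtp_encap_disable_sock() has that NULL check; otherwise these error paths would dereference a NULL socket. Both hunks sit inside gtp_encap_enable(), whose start and end are not visible.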
diff --git a/queue-5.4/igb-disable-threaded-irq-for-igb_msix_other.patch b/queue-5.4/igb-disable-threaded-irq-for-igb_msix_other.patch
new file mode 100644 (file)
index 0000000..b216330
--- /dev/null
@@ -0,0 +1,79 @@
+From d1dffef8369f0cb64bd73346249409b206f6f762 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2024 16:26:24 -0700
+Subject: igb: Disable threaded IRQ for igb_msix_other
+
+From: Wander Lairson Costa <wander@redhat.com>
+
+[ Upstream commit 338c4d3902feb5be49bfda530a72c7ab860e2c9f ]
+
+During testing of SR-IOV, Red Hat QE encountered an issue where the
+ip link up command intermittently fails for the igbvf interfaces when
+using the PREEMPT_RT variant. Investigation revealed that
+e1000_write_posted_mbx returns an error due to the lack of an ACK
+from e1000_poll_for_ack.
+
+The underlying issue arises from the fact that IRQs are threaded by
+default under PREEMPT_RT. While the exact hardware details are not
+available, it appears that the IRQ handled by igb_msix_other must
+be processed before e1000_poll_for_ack times out. However,
+e1000_write_posted_mbx is called with preemption disabled, leading
+to a scenario where the IRQ is serviced only after the failure of
+e1000_write_posted_mbx.
+
+To resolve this, we set IRQF_NO_THREAD for the affected interrupt,
+ensuring that the kernel handles it immediately, thereby preventing
+the aforementioned error.
+
+Reproducer:
+
+    #!/bin/bash
+
+    # echo 2 > /sys/class/net/ens14f0/device/sriov_numvfs
+    ipaddr_vlan=3
+    nic_test=ens14f0
+    vf=${nic_test}v0
+
+    while true; do
+           ip link set ${nic_test} mtu 1500
+           ip link set ${vf} mtu 1500
+           ip link set $vf up
+           ip link set ${nic_test} vf 0 vlan ${ipaddr_vlan}
+           ip addr add 172.30.${ipaddr_vlan}.1/24 dev ${vf}
+           ip addr add 2021:db8:${ipaddr_vlan}::1/64 dev ${vf}
+           if ! ip link show $vf | grep 'state UP'; then
+                   echo 'Error found'
+                   break
+           fi
+           ip link set $vf down
+    done
+
+Signed-off-by: Wander Lairson Costa <wander@redhat.com>
+Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver")
+Reported-by: Yuying Ma <yuma@redhat.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 1e9967657248a..ebe216647c495 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -945,7 +945,7 @@ static int igb_request_msix(struct igb_adapter *adapter)
+       int i, err = 0, vector = 0, free_vector = 0;
+       err = request_irq(adapter->msix_entries[vector].vector,
+-                        igb_msix_other, 0, netdev->name, adapter);
++                        igb_msix_other, IRQF_NO_THREAD, netdev->name, adapter);
+       if (err)
+               goto err_out;
+-- 
+2.43.0
+
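Review bot: Passing `IRQF_NO_THREAD` to `request_irq()` makes `igb_msix_other` run in hard interrupt context on PREEMPT_RT, so nothing the handler reaches may take a lock that sleeps there. The handler body is not in this hunk; before queueing, check whether it (or the mailbox and VF message handling it presumably calls) takes a `spinlock_t`, which becomes a sleeping lock on RT and would need to be a `raw_spinlock_t` or be moved out of the handler. A short comment at the call, e.g. `/* must not be threaded: the mailbox ACK has to be seen while preemption is disabled */`, would also record why this vector is treated specially. igb_request_msix() continues past the hunk.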
diff --git a/queue-5.4/mac80211-add-support-to-trigger-sta-disconnect-on-ha.patch b/queue-5.4/mac80211-add-support-to-trigger-sta-disconnect-on-ha.patch
new file mode 100644 (file)
index 0000000..be30966
--- /dev/null
@@ -0,0 +1,197 @@
+From 0e00ce6c398c6199d8af87fa097d7ee59711a64c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Mar 2022 17:23:24 +0530
+Subject: mac80211: Add support to trigger sta disconnect on hardware restart
+
+From: Youghandhar Chintala <youghand@codeaurora.org>
+
+[ Upstream commit 7d352ccf1e9935b5222ca84e8baeb07a0c8f94b9 ]
+
+Currently in case of target hardware restart, we just reconfig and
+re-enable the security keys and enable the network queues to start
+data traffic back from where it was interrupted.
+
+Many ath10k wifi chipsets have sequence numbers for the data
+packets assigned by firmware and the mac sequence number will
+restart from zero after target hardware restart leading to mismatch
+in the sequence number expected by the remote peer vs the sequence
+number of the frame sent by the target firmware.
+
+This mismatch in sequence number will cause out-of-order packets
+on the remote peer and all the frames sent by the device are dropped
+until we reach the sequence number which was sent before we restarted
+the target hardware
+
+In order to fix this, we trigger a sta disconnect, in case of target
+hw restart. After this there will be a fresh connection and thereby
+avoiding the dropping of frames by remote peer.
+
+The right fix would be to pull the entire data path into the host
+which is not feasible or would need lots of complex changes and
+will still be inefficient.
+
+Tested on ath10k using WCN3990, QCA6174
+
+Signed-off-by: Youghandhar Chintala <youghand@codeaurora.org>
+Link: https://lore.kernel.org/r/20220308115325.5246-2-youghand@codeaurora.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: 07a6e3b78a65 ("wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/mac80211.h     | 10 ++++++++++
+ net/mac80211/ieee80211_i.h |  3 +++
+ net/mac80211/mlme.c        | 12 ++++++++++++
+ net/mac80211/util.c        | 33 ++++++++++++++++++++++++++++++---
+ 4 files changed, 55 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/mac80211.h b/include/net/mac80211.h
+index cb5cf6bf19867..4d641580e5db4 100644
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -5700,6 +5700,16 @@ void ieee80211_connection_loss(struct ieee80211_vif *vif);
+  */
+ void ieee80211_resume_disconnect(struct ieee80211_vif *vif);
++/**
++ * ieee80211_hw_restart_disconnect - disconnect from AP after
++ * hardware restart
++ * @vif: &struct ieee80211_vif pointer from the add_interface callback.
++ *
++ * Instructs mac80211 to disconnect from the AP after
++ * hardware restart.
++ */
++void ieee80211_hw_restart_disconnect(struct ieee80211_vif *vif);
++
+ /**
+  * ieee80211_cqm_rssi_notify - inform a configured connection quality monitoring
+  *    rssi threshold triggered
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index e26368fab65d6..a9d064c75a15b 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -750,6 +750,8 @@ struct ieee80211_if_mesh {
+  *    back to wireless media and to the local net stack.
+  * @IEEE80211_SDATA_DISCONNECT_RESUME: Disconnect after resume.
+  * @IEEE80211_SDATA_IN_DRIVER: indicates interface was added to driver
++ * @IEEE80211_SDATA_DISCONNECT_HW_RESTART: Disconnect after hardware restart
++ *  recovery
+  */
+ enum ieee80211_sub_if_data_flags {
+       IEEE80211_SDATA_ALLMULTI                = BIT(0),
+@@ -757,6 +759,7 @@ enum ieee80211_sub_if_data_flags {
+       IEEE80211_SDATA_DONT_BRIDGE_PACKETS     = BIT(3),
+       IEEE80211_SDATA_DISCONNECT_RESUME       = BIT(4),
+       IEEE80211_SDATA_IN_DRIVER               = BIT(5),
++      IEEE80211_SDATA_DISCONNECT_HW_RESTART   = BIT(6),
+ };
+ /**
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index b48a09043663a..fe6ada0d79217 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -4584,6 +4584,18 @@ void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata)
+               sdata_unlock(sdata);
+               return;
+       }
++
++      if (sdata->flags & IEEE80211_SDATA_DISCONNECT_HW_RESTART) {
++              sdata->flags &= ~IEEE80211_SDATA_DISCONNECT_HW_RESTART;
++              mlme_dbg(sdata, "driver requested disconnect after hardware restart\n");
++              ieee80211_sta_connection_lost(sdata,
++                                            ifmgd->associated->bssid,
++                                            WLAN_REASON_UNSPECIFIED,
++                                            true);
++              sdata_unlock(sdata);
++              return;
++      }
++
+       sdata_unlock(sdata);
+ }
+ #endif
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index 8d3069c93a60a..63b66fd0a1ce6 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -2148,6 +2148,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
+       struct cfg80211_sched_scan_request *sched_scan_req;
+       bool sched_scan_stopped = false;
+       bool suspended = local->suspended;
++      bool in_reconfig = false;
+       /* nothing to do if HW shouldn't run */
+       if (!local->open_count)
+@@ -2499,6 +2500,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
+               drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_RESTART);
+       if (local->in_reconfig) {
++              in_reconfig = local->in_reconfig;
+               local->in_reconfig = false;
+               barrier();
+@@ -2516,6 +2518,15 @@ int ieee80211_reconfig(struct ieee80211_local *local)
+                                       IEEE80211_QUEUE_STOP_REASON_SUSPEND,
+                                       false);
++      if (in_reconfig) {
++              list_for_each_entry(sdata, &local->interfaces, list) {
++                      if (!ieee80211_sdata_running(sdata))
++                              continue;
++                      if (sdata->vif.type == NL80211_IFTYPE_STATION)
++                              ieee80211_sta_restart(sdata);
++              }
++      }
++
+       if (!suspended)
+               return 0;
+@@ -2545,7 +2556,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
+       return 0;
+ }
+-void ieee80211_resume_disconnect(struct ieee80211_vif *vif)
++static void ieee80211_reconfig_disconnect(struct ieee80211_vif *vif, u8 flag)
+ {
+       struct ieee80211_sub_if_data *sdata;
+       struct ieee80211_local *local;
+@@ -2557,19 +2568,35 @@ void ieee80211_resume_disconnect(struct ieee80211_vif *vif)
+       sdata = vif_to_sdata(vif);
+       local = sdata->local;
+-      if (WARN_ON(!local->resuming))
++      if (WARN_ON(flag & IEEE80211_SDATA_DISCONNECT_RESUME &&
++                  !local->resuming))
++              return;
++
++      if (WARN_ON(flag & IEEE80211_SDATA_DISCONNECT_HW_RESTART &&
++                  !local->in_reconfig))
+               return;
+       if (WARN_ON(vif->type != NL80211_IFTYPE_STATION))
+               return;
+-      sdata->flags |= IEEE80211_SDATA_DISCONNECT_RESUME;
++      sdata->flags |= flag;
+       mutex_lock(&local->key_mtx);
+       list_for_each_entry(key, &sdata->key_list, list)
+               key->flags |= KEY_FLAG_TAINTED;
+       mutex_unlock(&local->key_mtx);
+ }
++
++void ieee80211_hw_restart_disconnect(struct ieee80211_vif *vif)
++{
++      ieee80211_reconfig_disconnect(vif, IEEE80211_SDATA_DISCONNECT_HW_RESTART);
++}
++EXPORT_SYMBOL_GPL(ieee80211_hw_restart_disconnect);
++
++void ieee80211_resume_disconnect(struct ieee80211_vif *vif)
++{
++      ieee80211_reconfig_disconnect(vif, IEEE80211_SDATA_DISCONNECT_RESUME);
++}
+ EXPORT_SYMBOL_GPL(ieee80211_resume_disconnect);
+ void ieee80211_recalc_smps(struct ieee80211_sub_if_data *sdata)
+-- 
+2.43.0
+
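Review bot: `ieee80211_reconfig_disconnect()` takes its flag as `u8`, while the values passed are `BIT()` constants from `enum ieee80211_sub_if_data_flags` that get OR-ed into `sdata->flags`. The two current flags (bits 4 and 6) fit, but a future flag at bit 8 or above would be truncated to zero, skip both `WARN_ON` checks, set nothing and still taint the keys. Declaring the parameter as `u32 flag` (or the enum type) avoids that, and parenthesising the tests, `(flag & IEEE80211_SDATA_DISCONNECT_RESUME) && !local->resuming`, makes the precedence explicit. Separately, the new block in ieee80211_sta_restart() dereferences `ifmgd->associated->bssid`; the NULL check it depends on is presumably earlier in that function, outside the hunk.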
diff --git a/queue-5.4/mac80211-do-drv_reconfig_complete-before-restarting-.patch b/queue-5.4/mac80211-do-drv_reconfig_complete-before-restarting-.patch
new file mode 100644 (file)
index 0000000..d15b6d9
--- /dev/null
@@ -0,0 +1,68 @@
+From cec26c98fb4699ef9d456af02cb00829edbca680 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 15:32:40 +0200
+Subject: mac80211: do drv_reconfig_complete() before restarting all
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 13dee10b30c058ee2c58c5da00339cc0d4201aa6 ]
+
+When we reconfigure, the driver might do some things to complete
+the reconfiguration. It's strange and could be broken in some
+cases because we restart other works (e.g. remain-on-channel and
+TX) before this happens, yet only start queues later.
+
+Change this to do the reconfig complete when reconfiguration is
+actually complete, not when we've already started doing other
+things again.
+
+For iwlwifi, this should fix a race where the reconfig can race
+with TX, for ath10k and ath11k that also use this it won't make
+a difference because they just start queues there, and mac80211
+also stopped the queues and will restart them later as before.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211129152938.cab99f22fe19.Iefe494687f15fd85f77c1b989d1149c8efdfdc36@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: 07a6e3b78a65 ("wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/util.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index 6223af1c3457a..8d3069c93a60a 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -2491,6 +2491,13 @@ int ieee80211_reconfig(struct ieee80211_local *local)
+               mutex_unlock(&local->sta_mtx);
+       }
++      /*
++       * If this is for hw restart things are still running.
++       * We may want to change that later, however.
++       */
++      if (local->open_count && (!suspended || reconfig_due_to_wowlan))
++              drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_RESTART);
++
+       if (local->in_reconfig) {
+               local->in_reconfig = false;
+               barrier();
+@@ -2509,13 +2516,6 @@ int ieee80211_reconfig(struct ieee80211_local *local)
+                                       IEEE80211_QUEUE_STOP_REASON_SUSPEND,
+                                       false);
+-      /*
+-       * If this is for hw restart things are still running.
+-       * We may want to change that later, however.
+-       */
+-      if (local->open_count && (!suspended || reconfig_due_to_wowlan))
+-              drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_RESTART);
+-
+       if (!suspended)
+               return 0;
+-- 
+2.43.0
+
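Review bot: The comment moved along with `drv_reconfig_complete()` still says only that things are still running for a hardware restart and does not state the ordering this patch establishes. The call now has to stay ahead of the `local->in_reconfig` reset and of the work restarted afterwards, so the comment should say so, e.g. `/* Must run before in_reconfig is cleared and other work is restarted, so the driver's completion cannot race with TX. */`. Drivers whose reconfig_complete callback relied on the old position, after the queues were woken, are not visible here and should be checked for the 5.4 backport. ieee80211_reconfig() starts and ends outside the hunks.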
diff --git a/queue-5.4/net-sched-stop-qdisc_tree_reduce_backlog-on-tc_h_roo.patch b/queue-5.4/net-sched-stop-qdisc_tree_reduce_backlog-on-tc_h_roo.patch
new file mode 100644 (file)
index 0000000..582a3fb
--- /dev/null
@@ -0,0 +1,59 @@
+From 4709cea136c08aa5f7753d423198b627dabc1d7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 12:55:47 -0400
+Subject: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
+
+From: Pedro Tammela <pctammela@mojatatu.com>
+
+[ Upstream commit 2e95c4384438adeaa772caa560244b1a2efef816 ]
+
+In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed
+to be either root or ingress. This assumption is bogus since it's valid
+to create egress qdiscs with major handle ffff:
+Budimir Markovic found that for qdiscs like DRR that maintain an active
+class list, it will cause a UAF with a dangling class pointer.
+
+In 066a3b5b2346, the concern was to avoid iterating over the ingress
+qdisc since its parent is itself. The proper fix is to stop when parent
+TC_H_ROOT is reached because the only way to retrieve ingress is when a
+hierarchy which does not contain a ffff: major handle call into
+qdisc_lookup with TC_H_MAJ(TC_H_ROOT).
+
+In the scenario where major ffff: is an egress qdisc in any of the tree
+levels, the updates will also propagate to TC_H_ROOT, which then the
+iteration must stop.
+
+Fixes: 066a3b5b2346 ("[NET_SCHED] sch_api: fix qdisc_tree_decrease_qlen() loop")
+Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
+Suggested-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Tested-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+
+ net/sched/sch_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+Reviewed-by: Simon Horman <horms@kernel.org>
+
+Link: https://patch.msgid.link/20241024165547.418570-1-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index 069d0d8a89397..b8dc03a7487e3 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -770,7 +770,7 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len)
+       drops = max_t(int, n, 0);
+       rcu_read_lock();
+       while ((parentid = sch->parent)) {
+-              if (TC_H_MAJ(parentid) == TC_H_MAJ(TC_H_INGRESS))
++              if (parentid == TC_H_ROOT)
+                       break;
+               if (sch->flags & TCQ_F_NOPARENT)
+-- 
+2.43.0
+
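Review bot: The new stop condition `if (parentid == TC_H_ROOT)` carries the whole fix but has no comment, and the reason a full-id comparison replaces the major-number test is recorded only in the commit message. A comment such as `/* stop at the root; major ffff: may also be a valid egress qdisc, so do not match on TC_H_MAJ */` would keep the old shortcut from being reintroduced. The rest of the loop is outside the hunk, so it cannot be confirmed from here that a qdisc whose parent is the ingress handle still terminates, which was the concern of the commit named in Fixes:. That is worth checking against the 5.4 tree.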
diff --git a/queue-5.4/net-skip-offload-for-netif_f_ipv6_csum-if-ipv6-heade.patch b/queue-5.4/net-skip-offload-for-netif_f_ipv6_csum-if-ipv6-heade.patch
new file mode 100644 (file)
index 0000000..5f13ed6
--- /dev/null
@@ -0,0 +1,73 @@
+From 653231808bc085e3eac9c98a80872eb73e0ec590 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 16:01:54 +0200
+Subject: net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains
+ extension
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benoît Monin <benoit.monin@gmx.fr>
+
+[ Upstream commit 04c20a9356f283da623903e81e7c6d5df7e4dc3c ]
+
+As documented in skbuff.h, devices with NETIF_F_IPV6_CSUM capability
+can only checksum TCP and UDP over IPv6 if the IP header does not
+contains extension.
+
+This is enforced for UDP packets emitted from user-space to an IPv6
+address as they go through ip6_make_skb(), which calls
+__ip6_append_data() where a check is done on the header size before
+setting CHECKSUM_PARTIAL.
+
+But the introduction of UDP encapsulation with fou6 added a code-path
+where it is possible to get an skb with a partial UDP checksum and an
+IPv6 header with extension:
+* fou6 adds a UDP header with a partial checksum if the inner packet
+does not contains a valid checksum.
+* ip6_tunnel adds an IPv6 header with a destination option extension
+header if encap_limit is non-zero (the default value is 4).
+
+The thread linked below describes in more details how to reproduce the
+problem with GRE-in-UDP tunnel.
+
+Add a check on the network header size in skb_csum_hwoffload_help() to
+make sure no IPv6 packet with extension header is handed to a network
+device with NETIF_F_IPV6_CSUM capability.
+
+Link: https://lore.kernel.org/netdev/26548921.1r3eYUQgxm@benoit.monin/T/#u
+Fixes: aa3463d65e7b ("fou: Add encap ops for IPv6 tunnels")
+Signed-off-by: Benoît Monin <benoit.monin@gmx.fr>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/5fbeecfc311ea182aa1d1c771725ab8b4cac515e.1729778144.git.benoit.monin@gmx.fr
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index ff62b0027d600..b75c9bebd5c6e 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3267,6 +3267,9 @@ int skb_csum_hwoffload_help(struct sk_buff *skb,
+               return 0;
+       if (features & (NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM)) {
++              if (vlan_get_protocol(skb) == htons(ETH_P_IPV6) &&
++                  skb_network_header_len(skb) != sizeof(struct ipv6hdr))
++                      goto sw_checksum;
+               switch (skb->csum_offset) {
+               case offsetof(struct tcphdr, check):
+               case offsetof(struct udphdr, check):
+@@ -3274,6 +3277,7 @@ int skb_csum_hwoffload_help(struct sk_buff *skb,
+               }
+       }
++sw_checksum:
+       return skb_checksum_help(skb);
+ }
+ EXPORT_SYMBOL(skb_csum_hwoffload_help);
+-- 
+2.43.0
+
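Review bot: The guard added to skb_csum_hwoffload_help() (`vlan_get_protocol(skb) == htons(ETH_P_IPV6)` together with `skb_network_header_len(skb) != sizeof(struct ipv6hdr)`) has no comment, so the hardware limit it enforces is recorded only in the changelog. I would put `/* NETIF_F_IPV6_CSUM devices cannot checksum TCP/UDP behind IPv6 extension headers; fall back to software */` above it. The check sits inside the `NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM` branch and after the `NETIF_F_HW_CSUM` early return, both of which come from the dependency queued just before it in `series`, so the two patches have to stay together. The function body starts outside the inner hunk.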
diff --git a/queue-5.4/net-support-ip-generic-csum-processing-in-skb_csum_h.patch b/queue-5.4/net-support-ip-generic-csum-processing-in-skb_csum_h.patch
new file mode 100644 (file)
index 0000000..8b9da51
--- /dev/null
@@ -0,0 +1,72 @@
+From 738e8d416d2ecc2b41da223a8debda5a4a54a8cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Jan 2021 17:18:31 +0800
+Subject: net: support ip generic csum processing in skb_csum_hwoffload_help
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 62fafcd63139920eb25b3fbf154177ce3e6f3232 ]
+
+NETIF_F_IP|IPV6_CSUM feature flag indicates UDP and TCP csum offload
+while NETIF_F_HW_CSUM feature flag indicates ip generic csum offload
+for HW, which includes not only for TCP/UDP csum, but also for other
+protocols' csum like GRE's.
+
+However, in skb_csum_hwoffload_help() it only checks features against
+NETIF_F_CSUM_MASK(NETIF_F_HW|IP|IPV6_CSUM). So if it's a non TCP/UDP
+packet and the features doesn't support NETIF_F_HW_CSUM, but supports
+NETIF_F_IP|IPV6_CSUM only, it would still return 0 and leave the HW
+to do csum.
+
+This patch is to support ip generic csum processing by checking
+NETIF_F_HW_CSUM for all protocols, and check (NETIF_F_IP_CSUM |
+NETIF_F_IPV6_CSUM) only for TCP and UDP.
+
+Note that we're using skb->csum_offset to check if it's a TCP/UDP
+proctol, this might be fragile. However, as Alex said, for now we
+only have a few L4 protocols that are requesting Tx csum offload,
+we'd better fix this until a new protocol comes with a same csum
+offset.
+
+v1->v2:
+  - not extend skb->csum_not_inet, but use skb->csum_offset to tell
+    if it's an UDP/TCP csum packet.
+v2->v3:
+  - add a note in the changelog, as Willem suggested.
+
+Suggested-by: Alexander Duyck <alexander.duyck@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 04c20a9356f2 ("net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 8f2f14df3610b..ff62b0027d600 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3263,7 +3263,18 @@ int skb_csum_hwoffload_help(struct sk_buff *skb,
+               return !!(features & NETIF_F_SCTP_CRC) ? 0 :
+                       skb_crc32c_csum_help(skb);
+-      return !!(features & NETIF_F_CSUM_MASK) ? 0 : skb_checksum_help(skb);
++      if (features & NETIF_F_HW_CSUM)
++              return 0;
++
++      if (features & (NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM)) {
++              switch (skb->csum_offset) {
++              case offsetof(struct tcphdr, check):
++              case offsetof(struct udphdr, check):
++                      return 0;
++              }
++      }
++
++      return skb_checksum_help(skb);
+ }
+ EXPORT_SYMBOL(skb_csum_hwoffload_help);
+-- 
+2.43.0
+
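Review bot: The `switch (skb->csum_offset)` added to skb_csum_hwoffload_help() recognises TCP/UDP only by the offset of the checksum field, and the changelog itself calls this fragile, yet the code carries no note of it. A comment above the switch would keep the caveat next to the logic, for example `/* csum_offset is a TCP/UDP heuristic; revisit if another L4 protocol shares these offsets */`. The switch also has no `default:` arm; an explicit `default: break;` would show that falling through to `skb_checksum_help()` is intended. The start of the function is outside the inner hunk.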
diff --git a/queue-5.4/netfilter-nft_payload-sanitize-offset-and-length-bef.patch b/queue-5.4/netfilter-nft_payload-sanitize-offset-and-length-bef.patch
new file mode 100644 (file)
index 0000000..317065d
--- /dev/null
@@ -0,0 +1,42 @@
+From 48e0e9c89122abe7f304660afdd936b2d77ae65a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2024 23:13:48 +0100
+Subject: netfilter: nft_payload: sanitize offset and length before calling
+ skb_checksum()
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit d5953d680f7e96208c29ce4139a0e38de87a57fe ]
+
+If access to offset + length is larger than the skbuff length, then
+skb_checksum() triggers BUG_ON().
+
+skb_checksum() internally subtracts the length parameter while iterating
+over skbuff, BUG_ON(len) at the end of it checks that the expected
+length to be included in the checksum calculation is fully consumed.
+
+Fixes: 7ec3f7b47b8d ("netfilter: nft_payload: add packet mangling support")
+Reported-by: Slavin Liu <slavin-ayu@qq.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_payload.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
+index a4f9a150812a3..e40948b508588 100644
+--- a/net/netfilter/nft_payload.c
++++ b/net/netfilter/nft_payload.c
+@@ -532,6 +532,9 @@ static void nft_payload_set_eval(const struct nft_expr *expr,
+       if ((priv->csum_type == NFT_PAYLOAD_CSUM_INET || priv->csum_flags) &&
+           (priv->base != NFT_PAYLOAD_TRANSPORT_HEADER ||
+            skb->ip_summed != CHECKSUM_PARTIAL)) {
++              if (offset + priv->len > skb->len)
++                      goto err;
++
+               fsum = skb_checksum(skb, offset, priv->len, 0);
+               tsum = csum_partial(src, priv->len, 0);
+-- 
+2.43.0
+
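Review bot: The new bound `offset + priv->len > skb->len` in nft_payload_set_eval() depends on the types of `offset` and `priv->len`, which are declared outside the hunk. If `offset` is a signed int (not visible here, to be confirmed), a negative offset whose sum with the length is still non-negative would pass this comparison and reach `skb_checksum()`; writing `if (offset < 0 || offset + priv->len > skb->len)` would state the intended range explicitly. A one-line comment such as `/* skb_checksum() hits BUG_ON() when the range runs past skb->len */` would also record why the check exists. The function body starts and ends outside the hunk.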
index 0509ac6235a56fb6dfb8023832d986357022a308..486d476b6491e15aa741993c4f65ad843453f967 100644 (file)
@@ -424,3 +424,18 @@ selinux-improve-error-checking-in-sel_write_load.patch
 arm64-uprobes-change-the-uprobe_opcode_t-typedef-to-fix-the-sparse-warning.patch
 xfrm-validate-new-sa-s-prefixlen-using-sa-family-whe.patch
 cgroup-fix-potential-overflow-issue-when-checking-ma.patch
+wifi-mac80211-skip-non-uploaded-keys-in-ieee80211_it.patch
+mac80211-do-drv_reconfig_complete-before-restarting-.patch
+mac80211-add-support-to-trigger-sta-disconnect-on-ha.patch
+wifi-iwlwifi-mvm-disconnect-station-vifs-if-recovery.patch
+wifi-iwlwifi-mvm-fix-response-handling-in-iwl_mvm_se.patch
+asoc-cs42l51-fix-some-error-handling-paths-in-cs42l5.patch
+dt-bindings-gpu-convert-samsung-image-rotator-to-dt-.patch
+igb-disable-threaded-irq-for-igb_msix_other.patch
+gtp-simplify-error-handling-code-in-gtp_encap_enable.patch
+gtp-allow-1-to-be-specified-as-file-description-from.patch
+net-sched-stop-qdisc_tree_reduce_backlog-on-tc_h_roo.patch
+bpf-fix-out-of-bounds-write-in-trie_get_next_key.patch
+net-support-ip-generic-csum-processing-in-skb_csum_h.patch
+net-skip-offload-for-netif_f_ipv6_csum-if-ipv6-heade.patch
+netfilter-nft_payload-sanitize-offset-and-length-bef.patch
diff --git a/queue-5.4/wifi-iwlwifi-mvm-disconnect-station-vifs-if-recovery.patch b/queue-5.4/wifi-iwlwifi-mvm-disconnect-station-vifs-if-recovery.patch
new file mode 100644 (file)
index 0000000..06508d1
--- /dev/null
@@ -0,0 +1,61 @@
+From 5c6e45c4eb557b558922361cc1c5926e36bdcb9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Jan 2024 08:53:56 +0200
+Subject: wifi: iwlwifi: mvm: disconnect station vifs if recovery failed
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit e50a88e5cb8792cc416866496288c5f4d1eb4b1f ]
+
+This will allow to reconnect immediately instead of leaving the
+connection in a limbo state.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Reviewed-by: Gregory Greenman <gregory.greenman@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20240128084842.e90531cd3a36.Iebdc9483983c0d8497f9dcf9d79ec37332a5fdcc@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: 07a6e3b78a65 ("wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+index 27bd9ed48bec4..16bf070566e6c 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -1182,6 +1182,13 @@ static int iwl_mvm_ppag_init(struct iwl_mvm *mvm)
+ }
+ #endif /* CONFIG_ACPI */
++static void iwl_mvm_disconnect_iterator(void *data, u8 *mac,
++                                      struct ieee80211_vif *vif)
++{
++      if (vif->type == NL80211_IFTYPE_STATION)
++              ieee80211_hw_restart_disconnect(vif);
++}
++
+ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+ {
+       u32 error_log_size = mvm->fw->ucode_capa.error_log_size;
+@@ -1226,10 +1233,15 @@ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+       /* skb respond is only relevant in ERROR_RECOVERY_UPDATE_DB */
+       if (flags & ERROR_RECOVERY_UPDATE_DB) {
+               resp = le32_to_cpu(*(__le32 *)host_cmd.resp_pkt->data);
+-              if (resp)
++              if (resp) {
+                       IWL_ERR(mvm,
+                               "Failed to send recovery cmd blob was invalid %d\n",
+                               resp);
++
++                      ieee80211_iterate_interfaces(mvm->hw, 0,
++                                                   iwl_mvm_disconnect_iterator,
++                                                   mvm);
++              }
+       }
+ }
+-- 
+2.43.0
+
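Review bot: iwl_mvm_disconnect_iterator() never reads its `data` argument, yet the new call in iwl_mvm_send_recovery_cmd() passes `mvm`; `ieee80211_iterate_interfaces(mvm->hw, 0, iwl_mvm_disconnect_iterator, NULL);` would make it clear that the iterator needs no context. In this intermediate state the context line still reads `host_cmd.resp_pkt->data` with no length check visible in the hunk. That is only addressed by the patch named in the Stable-dep-of trailer, so the two should not be separated in the queue. The body of iwl_mvm_send_recovery_cmd() is only partly visible here.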
diff --git a/queue-5.4/wifi-iwlwifi-mvm-fix-response-handling-in-iwl_mvm_se.patch b/queue-5.4/wifi-iwlwifi-mvm-fix-response-handling-in-iwl_mvm_se.patch
new file mode 100644 (file)
index 0000000..7771ed9
--- /dev/null
@@ -0,0 +1,74 @@
+From 68edc5caeedacbb1d66bd6a74637c1dceaa883e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 14:05:05 +0300
+Subject: wifi: iwlwifi: mvm: Fix response handling in
+ iwl_mvm_send_recovery_cmd()
+
+From: Daniel Gabay <daniel.gabay@intel.com>
+
+[ Upstream commit 07a6e3b78a65f4b2796a8d0d4adb1a15a81edead ]
+
+1. The size of the response packet is not validated.
+2. The response buffer is not freed.
+
+Resolve these issues by switching to iwl_mvm_send_cmd_status(),
+which handles both size validation and frees the buffer.
+
+Fixes: f130bb75d881 ("iwlwifi: add FW recovery flow")
+Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20241010140328.76c73185951e.Id3b6ca82ced2081f5ee4f33c997491d0ebda83f7@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+index 16bf070566e6c..287f9c551525c 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -1192,8 +1192,8 @@ static void iwl_mvm_disconnect_iterator(void *data, u8 *mac,
+ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+ {
+       u32 error_log_size = mvm->fw->ucode_capa.error_log_size;
++      u32 status = 0;
+       int ret;
+-      u32 resp;
+       struct iwl_fw_error_recovery_cmd recovery_cmd = {
+               .flags = cpu_to_le32(flags),
+@@ -1201,7 +1201,6 @@ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+       };
+       struct iwl_host_cmd host_cmd = {
+               .id = WIDE_ID(SYSTEM_GROUP, FW_ERROR_RECOVERY_CMD),
+-              .flags = CMD_WANT_SKB,
+               .data = {&recovery_cmd, },
+               .len = {sizeof(recovery_cmd), },
+       };
+@@ -1221,7 +1220,7 @@ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+               recovery_cmd.buf_size = cpu_to_le32(error_log_size);
+       }
+-      ret = iwl_mvm_send_cmd(mvm, &host_cmd);
++      ret = iwl_mvm_send_cmd_status(mvm, &host_cmd, &status);
+       kfree(mvm->error_recovery_buf);
+       mvm->error_recovery_buf = NULL;
+@@ -1232,11 +1231,10 @@ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+       /* skb respond is only relevant in ERROR_RECOVERY_UPDATE_DB */
+       if (flags & ERROR_RECOVERY_UPDATE_DB) {
+-              resp = le32_to_cpu(*(__le32 *)host_cmd.resp_pkt->data);
+-              if (resp) {
++              if (status) {
+                       IWL_ERR(mvm,
+                               "Failed to send recovery cmd blob was invalid %d\n",
+-                              resp);
++                              status);
+                       ieee80211_iterate_interfaces(mvm->hw, 0,
+                                                    iwl_mvm_disconnect_iterator,
+-- 
+2.43.0
+
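Review bot: The context comment `/* skb respond is only relevant in ERROR_RECOVERY_UPDATE_DB */` is stale after this change, because the command no longer sets `CMD_WANT_SKB` and the code tests `status` rather than a response packet. I would reword it to `/* status is only relevant in ERROR_RECOVERY_UPDATE_DB */`. Since `status` is a `u32`, the `IWL_ERR` format should use `%u` instead of `%d`. The handling of `ret` between the send and the status test lies outside the visible hunks, so it cannot be confirmed here that `status` is only read after a successful send; the `= 0` initialiser at least keeps that read defined.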
diff --git a/queue-5.4/wifi-mac80211-skip-non-uploaded-keys-in-ieee80211_it.patch b/queue-5.4/wifi-mac80211-skip-non-uploaded-keys-in-ieee80211_it.patch
new file mode 100644 (file)
index 0000000..eff1e57
--- /dev/null
@@ -0,0 +1,94 @@
+From 3d925bd658eae262b9642e74d5ebe4f6be574644 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2024 17:36:30 +0200
+Subject: wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 52009b419355195912a628d0a9847922e90c348c ]
+
+Sync iterator conditions with ieee80211_iter_keys_rcu.
+
+Fixes: 830af02f24fb ("mac80211: allow driver to iterate keys")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://patch.msgid.link/20241006153630.87885-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/key.c | 42 +++++++++++++++++++++++++-----------------
+ 1 file changed, 25 insertions(+), 17 deletions(-)
+
+diff --git a/net/mac80211/key.c b/net/mac80211/key.c
+index 1be9cd265c727..5889a590b3edd 100644
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -883,6 +883,26 @@ void ieee80211_reenable_keys(struct ieee80211_sub_if_data *sdata)
+       mutex_unlock(&sdata->local->key_mtx);
+ }
++static void
++ieee80211_key_iter(struct ieee80211_hw *hw,
++                 struct ieee80211_vif *vif,
++                 struct ieee80211_key *key,
++                 void (*iter)(struct ieee80211_hw *hw,
++                              struct ieee80211_vif *vif,
++                              struct ieee80211_sta *sta,
++                              struct ieee80211_key_conf *key,
++                              void *data),
++                 void *iter_data)
++{
++      /* skip keys of station in removal process */
++      if (key->sta && key->sta->removed)
++              return;
++      if (!(key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE))
++              return;
++      iter(hw, vif, key->sta ? &key->sta->sta : NULL,
++           &key->conf, iter_data);
++}
++
+ void ieee80211_iter_keys(struct ieee80211_hw *hw,
+                        struct ieee80211_vif *vif,
+                        void (*iter)(struct ieee80211_hw *hw,
+@@ -902,16 +922,13 @@ void ieee80211_iter_keys(struct ieee80211_hw *hw,
+       if (vif) {
+               sdata = vif_to_sdata(vif);
+               list_for_each_entry_safe(key, tmp, &sdata->key_list, list)
+-                      iter(hw, &sdata->vif,
+-                           key->sta ? &key->sta->sta : NULL,
+-                           &key->conf, iter_data);
++                      ieee80211_key_iter(hw, vif, key, iter, iter_data);
+       } else {
+               list_for_each_entry(sdata, &local->interfaces, list)
+                       list_for_each_entry_safe(key, tmp,
+                                                &sdata->key_list, list)
+-                              iter(hw, &sdata->vif,
+-                                   key->sta ? &key->sta->sta : NULL,
+-                                   &key->conf, iter_data);
++                              ieee80211_key_iter(hw, &sdata->vif, key,
++                                                 iter, iter_data);
+       }
+       mutex_unlock(&local->key_mtx);
+ }
+@@ -929,17 +946,8 @@ _ieee80211_iter_keys_rcu(struct ieee80211_hw *hw,
+ {
+       struct ieee80211_key *key;
+-      list_for_each_entry_rcu(key, &sdata->key_list, list) {
+-              /* skip keys of station in removal process */
+-              if (key->sta && key->sta->removed)
+-                      continue;
+-              if (!(key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE))
+-                      continue;
+-
+-              iter(hw, &sdata->vif,
+-                   key->sta ? &key->sta->sta : NULL,
+-                   &key->conf, iter_data);
+-      }
++      list_for_each_entry_rcu(key, &sdata->key_list, list)
++              ieee80211_key_iter(hw, &sdata->vif, key, iter, iter_data);
+ }
+ void ieee80211_iter_keys_rcu(struct ieee80211_hw *hw,
+-- 
+2.43.0
+
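Review bot: The new helper ieee80211_key_iter() is reached from two different locking contexts, under `key_mtx` in ieee80211_iter_keys() and from the `list_for_each_entry_rcu()` walk in _ieee80211_iter_keys_rcu(), and nothing on the helper says so. A short comment above it would help, for example `/* caller holds key_mtx or walks the list under RCU; only keys uploaded to hardware reach iter */`. ieee80211_iter_keys() now skips non-uploaded keys and keys of stations being removed, so any kernel-doc for it (not visible here) should mention the filter, since drivers that relied on seeing every key will observe fewer callbacks.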