--- /dev/null
+From 902567d5d7229ded6fd8b2f750a12b7db863ee72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2024 21:56:09 +0530
+Subject: acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl
+
+From: Suraj Sonawane <surajsonawane0215@gmail.com>
+
+[ Upstream commit 265e98f72bac6c41a4492d3e30a8e5fd22fe0779 ]
+
+Fix an issue detected by syzbot with KASAN:
+
+BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/
+core.c:416 [inline]
+BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0
+drivers/acpi/nfit/core.c:459
+
+The issue occurs in cmd_to_func when the call_pkg->nd_reserved2
+array is accessed without verifying that call_pkg points to a buffer
+that is appropriately sized as a struct nd_cmd_pkg. This can lead
+to out-of-bounds access and undefined behavior if the buffer does not
+have sufficient space.
+
+To address this, a check was added in acpi_nfit_ctl() to ensure that
+buf is not NULL and that buf_len is less than sizeof(*call_pkg)
+before accessing it. This ensures safe access to the members of
+call_pkg, including the nd_reserved2 array.
+
+Reported-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=7534f060ebda6b8b51b3
+Tested-by: syzbot+7534f060ebda6b8b51b3@syzkaller.appspotmail.com
+Fixes: ebe9f6f19d80 ("acpi/nfit: Fix bus command validation")
+Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
+Reviewed-by: Alison Schofield <alison.schofield@intel.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://patch.msgid.link/20241118162609.29063-1-surajsonawane0215@gmail.com
+Signed-off-by: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/nfit/core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c
+index 5429ec9ef06f..a5d47819b3a4 100644
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -454,8 +454,13 @@ int acpi_nfit_ctl(struct nvdimm_bus_descriptor *nd_desc, struct nvdimm *nvdimm,
+ if (cmd_rc)
+ *cmd_rc = -EINVAL;
+
+- if (cmd == ND_CMD_CALL)
++ if (cmd == ND_CMD_CALL) {
++ if (!buf || buf_len < sizeof(*call_pkg))
++ return -EINVAL;
++
+ call_pkg = buf;
++ }
++
+ func = cmd_to_func(nfit_mem, cmd, call_pkg, &family);
+ if (func < 0)
+ return func;
+--
+2.39.5
+
--- /dev/null
+From 49a017046f3b63b5c6c94ba35a058b0e90fb72e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2024 12:06:13 +0200
+Subject: ACPI: resource: Fix memory resource type union access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit 7899ca9f3bd2b008e9a7c41f2a9f1986052d7e96 ]
+
+In acpi_decode_space() addr->info.mem.caching is checked on main level
+for any resource type but addr->info.mem is part of union and thus
+valid only if the resource type is memory range.
+
+Move the check inside the preceeding switch/case to only execute it
+when the union is of correct type.
+
+Fixes: fcb29bbcd540 ("ACPI: Add prefetch decoding to the address space parser")
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://patch.msgid.link/20241202100614.20731-1-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/resource.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
+index 7fe842dae1ec..821867de43be 100644
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -250,6 +250,9 @@ static bool acpi_decode_space(struct resource_win *win,
+ switch (addr->resource_type) {
+ case ACPI_MEMORY_RANGE:
+ acpi_dev_memresource_flags(res, len, wp);
++
++ if (addr->info.mem.caching == ACPI_PREFETCHABLE_MEMORY)
++ res->flags |= IORESOURCE_PREFETCH;
+ break;
+ case ACPI_IO_RANGE:
+ acpi_dev_ioresource_flags(res, len, iodec,
+@@ -265,9 +268,6 @@ static bool acpi_decode_space(struct resource_win *win,
+ if (addr->producer_consumer == ACPI_PRODUCER)
+ res->flags |= IORESOURCE_WINDOW;
+
+- if (addr->info.mem.caching == ACPI_PREFETCHABLE_MEMORY)
+- res->flags |= IORESOURCE_PREFETCH;
+-
+ return !(res->flags & IORESOURCE_DISABLED);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From ae7b7116ae798b9a81b2fb0cf38551d84b9ebb37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 11:29:54 +0300
+Subject: ACPICA: events/evxfregn: don't release the ContextMutex that was
+ never acquired
+
+From: Daniil Tatianin <d-tatianin@yandex-team.ru>
+
+[ Upstream commit c53d96a4481f42a1635b96d2c1acbb0a126bfd54 ]
+
+This bug was first introduced in c27f3d011b08, where the author of the
+patch probably meant to do DeleteMutex instead of ReleaseMutex. The
+mutex leak was noticed later on and fixed in e4dfe108371, but the bogus
+MutexRelease line was never removed, so do it now.
+
+Link: https://github.com/acpica/acpica/pull/982
+Fixes: c27f3d011b08 ("ACPICA: Fix race in generic_serial_bus (I2C) and GPIO op_region parameter handling")
+Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
+Link: https://patch.msgid.link/20241122082954.658356-1-d-tatianin@yandex-team.ru
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/evxfregn.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/acpi/acpica/evxfregn.c b/drivers/acpi/acpica/evxfregn.c
+index 95f78383bbdb..bff2d099f469 100644
+--- a/drivers/acpi/acpica/evxfregn.c
++++ b/drivers/acpi/acpica/evxfregn.c
+@@ -232,8 +232,6 @@ acpi_remove_address_space_handler(acpi_handle device,
+
+ /* Now we can delete the handler object */
+
+- acpi_os_release_mutex(handler_obj->address_space.
+- context_mutex);
+ acpi_ut_remove_reference(handler_obj);
+ goto unlock_and_exit;
+ }
+--
+2.39.5
+
--- /dev/null
+From 752454fd9dfb90546d296a567878dc585f7e81a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2024 10:56:12 +0100
+Subject: ALSA: control: Avoid WARN() for symlink errors
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit b2e538a9827dd04ab5273bf4be8eb2edb84357b0 ]
+
+Using WARN() for showing the error of symlink creations don't give
+more information than telling that something goes wrong, since the
+usual code path is a lregister callback from each control element
+creation. More badly, the use of WARN() rather confuses fuzzer as if
+it were serious issues.
+
+This patch downgrades the warning messages to use the normal dev_err()
+instead of WARN(). For making it clearer, add the function name to
+the prefix, too.
+
+Fixes: a135dfb5de15 ("ALSA: led control - add sysfs kcontrol LED marking layer")
+Reported-by: syzbot+4e7919b09c67ffd198ae@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/675664c7.050a0220.a30f1.018c.GAE@google.com
+Link: https://patch.msgid.link/20241209095614.4273-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/control_led.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/sound/core/control_led.c b/sound/core/control_led.c
+index 65a1ebe87776..e33dfcf863cf 100644
+--- a/sound/core/control_led.c
++++ b/sound/core/control_led.c
+@@ -668,10 +668,16 @@ static void snd_ctl_led_sysfs_add(struct snd_card *card)
+ goto cerr;
+ led->cards[card->number] = led_card;
+ snprintf(link_name, sizeof(link_name), "led-%s", led->name);
+- WARN(sysfs_create_link(&card->ctl_dev->kobj, &led_card->dev.kobj, link_name),
+- "can't create symlink to controlC%i device\n", card->number);
+- WARN(sysfs_create_link(&led_card->dev.kobj, &card->card_dev.kobj, "card"),
+- "can't create symlink to card%i\n", card->number);
++ if (sysfs_create_link(&card->ctl_dev->kobj, &led_card->dev.kobj,
++ link_name))
++ dev_err(card->dev,
++ "%s: can't create symlink to controlC%i device\n",
++ __func__, card->number);
++ if (sysfs_create_link(&led_card->dev.kobj, &card->card_dev.kobj,
++ "card"))
++ dev_err(card->dev,
++ "%s: can't create symlink to card%i\n",
++ __func__, card->number);
+
+ continue;
+ cerr:
+--
+2.39.5
+
--- /dev/null
+From 11353444cff82115202210e81a1698886ee62958 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 11:30:01 -0500
+Subject: amdgpu/uvd: get ring reference from rq scheduler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David (Ming Qiang) Wu <David.Wu3@amd.com>
+
+[ Upstream commit 47f402a3e08113e0f5d8e1e6fcc197667a16022f ]
+
+base.sched may not be set for each instance and should not
+be used for cases such as non-IB tests.
+
+Fixes: 2320c9e6a768 ("drm/sched: memset() 'job' in drm_sched_job_init()")
+Signed-off-by: David (Ming Qiang) Wu <David.Wu3@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c b/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c
+index 6068b784dc69..9a30b8c10838 100644
+--- a/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c
+@@ -1289,7 +1289,7 @@ static int uvd_v7_0_ring_patch_cs_in_place(struct amdgpu_cs_parser *p,
+ struct amdgpu_job *job,
+ struct amdgpu_ib *ib)
+ {
+- struct amdgpu_ring *ring = to_amdgpu_ring(job->base.sched);
++ struct amdgpu_ring *ring = amdgpu_job_ring(job);
+ unsigned i;
+
+ /* No patching necessary for the first instance */
+--
+2.39.5
+
--- /dev/null
+From af392f1b136bc3a450a747c067506bfb92ca9182 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 14:40:25 +0530
+Subject: ASoC: amd: yc: Fix the wrong return value
+
+From: Venkata Prasad Potturu <venkataprasad.potturu@amd.com>
+
+[ Upstream commit 984795e76def5c903724b8d6a8228e356bbdf2af ]
+
+With the current implementation, when ACP driver fails to read
+ACPI _WOV entry then the DMI overrides code won't invoke,
+may cause regressions for some BIOS versions.
+
+Add a condition check to jump to check the DMI entries incase of
+ACP driver fail to read ACPI _WOV method.
+
+Fixes: 4095cf872084 (ASoC: amd: yc: Fix for enabling DMIC on acp6x via _DSD entry)
+
+Signed-off-by: Venkata Prasad Potturu <venkataprasad.potturu@amd.com>
+Link: https://patch.msgid.link/20241210091026.996860-1-venkataprasad.potturu@amd.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index e38c5885dadf..ecf57a6cb7c3 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -578,14 +578,19 @@ static int acp6x_probe(struct platform_device *pdev)
+
+ handle = ACPI_HANDLE(pdev->dev.parent);
+ ret = acpi_evaluate_integer(handle, "_WOV", NULL, &dmic_status);
+- if (!ACPI_FAILURE(ret))
++ if (!ACPI_FAILURE(ret)) {
+ wov_en = dmic_status;
++ if (!wov_en)
++ return -ENODEV;
++ } else {
++ /* Incase of ACPI method read failure then jump to check_dmi_entry */
++ goto check_dmi_entry;
++ }
+
+- if (is_dmic_enable && wov_en)
++ if (is_dmic_enable)
+ platform_set_drvdata(pdev, &acp6x_card);
+- else
+- return 0;
+
++check_dmi_entry:
+ /* check for any DMI overrides */
+ dmi_id = dmi_first_match(yc_acp_quirk_table);
+ if (dmi_id)
+--
+2.39.5
+
--- /dev/null
+From e5342f86ce92d26dce6cc4f0450dcef1cf4301f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Nov 2024 13:32:54 +0800
+Subject: ASoC: fsl_spdif: change IFACE_PCM to IFACE_MIXER
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit bb76e82bfe57fdd1fe595cb0ccd33159df49ed09 ]
+
+As the snd_soc_card_get_kcontrol() is updated to use
+snd_ctl_find_id_mixer() in
+commit 897cc72b0837 ("ASoC: soc-card: Use
+snd_ctl_find_id_mixer() instead of open-coding")
+which make the iface fix to be IFACE_MIXER.
+
+Fixes: 897cc72b0837 ("ASoC: soc-card: Use snd_ctl_find_id_mixer() instead of open-coding")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://patch.msgid.link/20241126053254.3657344-3-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_spdif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/fsl/fsl_spdif.c b/sound/soc/fsl/fsl_spdif.c
+index b6ff04f7138a..ee946e0d3f49 100644
+--- a/sound/soc/fsl/fsl_spdif.c
++++ b/sound/soc/fsl/fsl_spdif.c
+@@ -1204,7 +1204,7 @@ static struct snd_kcontrol_new fsl_spdif_ctrls[] = {
+ },
+ /* DPLL lock info get controller */
+ {
+- .iface = SNDRV_CTL_ELEM_IFACE_PCM,
++ .iface = SNDRV_CTL_ELEM_IFACE_MIXER,
+ .name = RX_SAMPLE_RATE_KCONTROL,
+ .access = SNDRV_CTL_ELEM_ACCESS_READ |
+ SNDRV_CTL_ELEM_ACCESS_VOLATILE,
+--
+2.39.5
+
--- /dev/null
+From 7b3f4d309e15f40867145745152a090c8b910d28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Nov 2024 13:32:53 +0800
+Subject: ASoC: fsl_xcvr: change IFACE_PCM to IFACE_MIXER
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit 7c17f7780a48b5ed36b6d13a06004fac993e75af ]
+
+As the snd_soc_card_get_kcontrol() is updated to use
+snd_ctl_find_id_mixer() in
+commit 897cc72b0837 ("ASoC: soc-card: Use
+snd_ctl_find_id_mixer() instead of open-coding")
+which make the iface fix to be IFACE_MIXER.
+
+Fixes: 897cc72b0837 ("ASoC: soc-card: Use snd_ctl_find_id_mixer() instead of open-coding")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Link: https://patch.msgid.link/20241126053254.3657344-2-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_xcvr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c
+index beede7344efd..4341269eb977 100644
+--- a/sound/soc/fsl/fsl_xcvr.c
++++ b/sound/soc/fsl/fsl_xcvr.c
+@@ -169,7 +169,7 @@ static int fsl_xcvr_capds_put(struct snd_kcontrol *kcontrol,
+ }
+
+ static struct snd_kcontrol_new fsl_xcvr_earc_capds_kctl = {
+- .iface = SNDRV_CTL_ELEM_IFACE_PCM,
++ .iface = SNDRV_CTL_ELEM_IFACE_MIXER,
+ .name = "Capabilities Data Structure",
+ .access = SNDRV_CTL_ELEM_ACCESS_READWRITE,
+ .info = fsl_xcvr_type_capds_bytes_info,
+--
+2.39.5
+
--- /dev/null
+From e7988d3100ffd08556ec07d3f4ed40c997e3a913 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2024 10:57:42 +0000
+Subject: ASoC: Intel: sof_sdw: Add space for a terminator into DAIs array
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit 255cc582e6e16191a20d54bcdbca6c91d3e90c5e ]
+
+The code uses the initialised member of the asoc_sdw_dailink struct to
+determine if a member of the array is in use. However in the case the
+array is completely full this will lead to an access 1 past the end of
+the array, expand the array by one entry to include a space for a
+terminator.
+
+Fixes: 27fd36aefa00 ("ASoC: Intel: sof-sdw: Add new code for parsing the snd_soc_acpi structs")
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://patch.msgid.link/20241212105742.1508574-1-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/sof_sdw.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/intel/boards/sof_sdw.c b/sound/soc/intel/boards/sof_sdw.c
+index a58842a8c8a6..db57292c00ca 100644
+--- a/sound/soc/intel/boards/sof_sdw.c
++++ b/sound/soc/intel/boards/sof_sdw.c
+@@ -1003,8 +1003,12 @@ static int sof_card_dai_links_create(struct snd_soc_card *card)
+ return ret;
+ }
+
+- /* One per DAI link, worst case is a DAI link for every endpoint */
+- sof_dais = kcalloc(num_ends, sizeof(*sof_dais), GFP_KERNEL);
++ /*
++ * One per DAI link, worst case is a DAI link for every endpoint, also
++ * add one additional to act as a terminator such that code can iterate
++ * until it hits an uninitialised DAI.
++ */
++ sof_dais = kcalloc(num_ends + 1, sizeof(*sof_dais), GFP_KERNEL);
+ if (!sof_dais)
+ return -ENOMEM;
+
+--
+2.39.5
+
--- /dev/null
+From 3df4b48177ac6d2cc94bc6331f08b8ec99a18199 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 12:38:59 +0800
+Subject: ASoC: tas2781: Fix calibration issue in stress test
+
+From: Shenghao Ding <shenghao-ding@ti.com>
+
+[ Upstream commit 2aa13da97e2b92d20a8ad4ead10da89f880b64e7 ]
+
+One specific test condition: the default registers of p[j].reg ~
+p[j+3].reg are 0, TASDEVICE_REG(0x00, 0x14, 0x38)(PLT_FLAG_REG),
+TASDEVICE_REG(0x00, 0x14, 0x40)(SINEGAIN_REG), and
+TASDEVICE_REG(0x00, 0x14, 0x44)(SINEGAIN2_REG). After first calibration,
+they are freshed to TASDEVICE_REG(0x00, 0x1a, 0x20), TASDEVICE_REG(0x00,
+0x16, 0x58)(PLT_FLAG_REG), TASDEVICE_REG(0x00, 0x14, 0x44)(SINEGAIN_REG),
+and TASDEVICE_REG(0x00, 0x16, 0x64)(SINEGAIN2_REG) via "Calibration Start"
+kcontrol. In second calibration, the p[j].reg ~ p[j+3].reg have already
+become tas2781_cali_start_reg. However, p[j+2].reg, TASDEVICE_REG(0x00,
+0x14, 0x44)(SINEGAIN_REG), will be freshed to TASDEVICE_REG(0x00, 0x16,
+0x64), which is the third register in the input params of the kcontrol.
+This is why only first calibration can work, the second-time, third-time
+or more-time calibration always failed without reboot. Of course, if no
+p[j].reg is in the list of tas2781_cali_start_reg, this stress test can
+work well.
+
+Fixes: 49e2e353fb0d ("ASoC: tas2781: Add Calibration Kcontrols for Chromebook")
+Signed-off-by: Shenghao Ding <shenghao-ding@ti.com>
+Link: https://patch.msgid.link/20241211043859.1328-1-shenghao-ding@ti.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tas2781-i2c.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/tas2781-i2c.c b/sound/soc/codecs/tas2781-i2c.c
+index 12d093437ba9..1b2f55030c39 100644
+--- a/sound/soc/codecs/tas2781-i2c.c
++++ b/sound/soc/codecs/tas2781-i2c.c
+@@ -370,7 +370,7 @@ static void sngl_calib_start(struct tasdevice_priv *tas_priv, int i,
+ tasdevice_dev_read(tas_priv, i, p[j].reg,
+ (int *)&p[j].val[0]);
+ } else {
+- switch (p[j].reg) {
++ switch (tas2781_cali_start_reg[j].reg) {
+ case 0: {
+ if (!reg[0])
+ continue;
+--
+2.39.5
+
--- /dev/null
+From ed178a58f78b453390c4df519ce1dd19c784582b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 16:52:50 +0100
+Subject: batman-adv: Do not let TT changes list grows indefinitely
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit fff8f17c1a6fc802ca23bbd3a276abfde8cc58e6 ]
+
+When TT changes list is too big to fit in packet due to MTU size, an
+empty OGM is sent expected other node to send TT request to get the
+changes. The issue is that tt.last_changeset was not built thus the
+originator was responding with previous changes to those TT requests
+(see batadv_send_my_tt_response). Also the changes list was never
+cleaned up effectively never ending growing from this point onwards,
+repeatedly sending the same TT response changes over and over, and
+creating a new empty OGM every OGM interval expecting for the local
+changes to be purged.
+
+When there is more TT changes that can fit in packet, drop all changes,
+send empty OGM and wait for TT request so we can respond with a full
+table instead.
+
+Fixes: e1bf0c14096f ("batman-adv: tvlv - convert tt data sent within OGMs")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Acked-by: Antonio Quartulli <Antonio@mandelbit.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/translation-table.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index bbab7491c83f..53dea8ae96e4 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -990,6 +990,7 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv)
+ int tt_diff_len, tt_change_len = 0;
+ int tt_diff_entries_num = 0;
+ int tt_diff_entries_count = 0;
++ bool drop_changes = false;
+ size_t tt_extra_len = 0;
+ u16 tvlv_len;
+
+@@ -997,10 +998,17 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv)
+ tt_diff_len = batadv_tt_len(tt_diff_entries_num);
+
+ /* if we have too many changes for one packet don't send any
+- * and wait for the tt table request which will be fragmented
++ * and wait for the tt table request so we can reply with the full
++ * (fragmented) table.
++ *
++ * The local change history should still be cleaned up so the next
++ * TT round can start again with a clean state.
+ */
+- if (tt_diff_len > bat_priv->soft_iface->mtu)
++ if (tt_diff_len > bat_priv->soft_iface->mtu) {
+ tt_diff_len = 0;
++ tt_diff_entries_num = 0;
++ drop_changes = true;
++ }
+
+ tvlv_len = batadv_tt_prepare_tvlv_local_data(bat_priv, &tt_data,
+ &tt_change, &tt_diff_len);
+@@ -1009,7 +1017,7 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv)
+
+ tt_data->flags = BATADV_TT_OGM_DIFF;
+
+- if (tt_diff_len == 0)
++ if (!drop_changes && tt_diff_len == 0)
+ goto container_register;
+
+ spin_lock_bh(&bat_priv->tt.changes_list_lock);
+--
+2.39.5
+
--- /dev/null
+From 24fb10a2708c61d449640b5f3f5ae941ae1bc89a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 16:52:48 +0100
+Subject: batman-adv: Do not send uninitialized TT changes
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit f2f7358c3890e7366cbcb7512b4bc8b4394b2d61 ]
+
+The number of TT changes can be less than initially expected in
+batadv_tt_tvlv_container_update() (changes can be removed by
+batadv_tt_local_event() in ADD+DEL sequence between reading
+tt_diff_entries_num and actually iterating the change list under lock).
+
+Thus tt_diff_len could be bigger than the actual changes size that need
+to be sent. Because batadv_send_my_tt_response sends the whole
+packet, uninitialized data can be interpreted as TT changes on other
+nodes leading to weird TT global entries on those nodes such as:
+
+ * 00:00:00:00:00:00 -1 [....] ( 0) 88:12:4e:ad:7e:ba (179) (0x45845380)
+ * 00:00:00:00:78:79 4092 [.W..] ( 0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b)
+
+All of the above also applies to OGM tvlv container buffer's tvlv_len.
+
+Remove the extra allocated space to avoid sending uninitialized TT
+changes in batadv_send_my_tt_response() and batadv_v_ogm_send_softif().
+
+Fixes: e1bf0c14096f ("batman-adv: tvlv - convert tt data sent within OGMs")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/translation-table.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index 2243cec18ecc..f0590f9bc2b1 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -990,6 +990,7 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv)
+ int tt_diff_len, tt_change_len = 0;
+ int tt_diff_entries_num = 0;
+ int tt_diff_entries_count = 0;
++ size_t tt_extra_len = 0;
+ u16 tvlv_len;
+
+ tt_diff_entries_num = atomic_read(&bat_priv->tt.local_changes);
+@@ -1027,6 +1028,9 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv)
+ }
+ spin_unlock_bh(&bat_priv->tt.changes_list_lock);
+
++ tt_extra_len = batadv_tt_len(tt_diff_entries_num -
++ tt_diff_entries_count);
++
+ /* Keep the buffer for possible tt_request */
+ spin_lock_bh(&bat_priv->tt.last_changeset_lock);
+ kfree(bat_priv->tt.last_changeset);
+@@ -1035,6 +1039,7 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv)
+ tt_change_len = batadv_tt_len(tt_diff_entries_count);
+ /* check whether this new OGM has no changes due to size problems */
+ if (tt_diff_entries_count > 0) {
++ tt_diff_len -= tt_extra_len;
+ /* if kmalloc() fails we will reply with the full table
+ * instead of providing the diff
+ */
+@@ -1047,6 +1052,8 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv)
+ }
+ spin_unlock_bh(&bat_priv->tt.last_changeset_lock);
+
++ /* Remove extra packet space for OGM */
++ tvlv_len -= tt_extra_len;
+ container_register:
+ batadv_tvlv_container_register(bat_priv, BATADV_TVLV_TT, 1, tt_data,
+ tvlv_len);
+--
+2.39.5
+
--- /dev/null
+From 0b2ca01bbb9b5123cec64c675eb48cc1214bc775 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 16:52:49 +0100
+Subject: batman-adv: Remove uninitialized data in full table TT response
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 8038806db64da15721775d6b834990cacbfcf0b2 ]
+
+The number of entries filled by batadv_tt_tvlv_generate() can be less
+than initially expected in batadv_tt_prepare_tvlv_{global,local}_data()
+(changes can be removed by batadv_tt_local_event() in ADD+DEL sequence
+in the meantime as the lock held during the whole tvlv global/local data
+generation).
+
+Thus tvlv_len could be bigger than the actual TT entry size that need
+to be sent so full table TT_RESPONSE could hold invalid TT entries such
+as below.
+
+ * 00:00:00:00:00:00 -1 [....] ( 0) 88:12:4e:ad:7e:ba (179) (0x45845380)
+ * 00:00:00:00:78:79 4092 [.W..] ( 0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b)
+
+Remove the extra allocated space to avoid sending uninitialized entries
+for full table TT_RESPONSE in both batadv_send_other_tt_response() and
+batadv_send_my_tt_response().
+
+Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/translation-table.c | 37 ++++++++++++++++++------------
+ 1 file changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
+index f0590f9bc2b1..bbab7491c83f 100644
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -2754,14 +2754,16 @@ static bool batadv_tt_global_valid(const void *entry_ptr,
+ *
+ * Fills the tvlv buff with the tt entries from the specified hash. If valid_cb
+ * is not provided then this becomes a no-op.
++ *
++ * Return: Remaining unused length in tvlv_buff.
+ */
+-static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
+- struct batadv_hashtable *hash,
+- void *tvlv_buff, u16 tt_len,
+- bool (*valid_cb)(const void *,
+- const void *,
+- u8 *flags),
+- void *cb_data)
++static u16 batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
++ struct batadv_hashtable *hash,
++ void *tvlv_buff, u16 tt_len,
++ bool (*valid_cb)(const void *,
++ const void *,
++ u8 *flags),
++ void *cb_data)
+ {
+ struct batadv_tt_common_entry *tt_common_entry;
+ struct batadv_tvlv_tt_change *tt_change;
+@@ -2775,7 +2777,7 @@ static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
+ tt_change = tvlv_buff;
+
+ if (!valid_cb)
+- return;
++ return tt_len;
+
+ rcu_read_lock();
+ for (i = 0; i < hash->size; i++) {
+@@ -2801,6 +2803,8 @@ static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
+ }
+ }
+ rcu_read_unlock();
++
++ return batadv_tt_len(tt_tot - tt_num_entries);
+ }
+
+ /**
+@@ -3076,10 +3080,11 @@ static bool batadv_send_other_tt_response(struct batadv_priv *bat_priv,
+ goto out;
+
+ /* fill the rest of the tvlv with the real TT entries */
+- batadv_tt_tvlv_generate(bat_priv, bat_priv->tt.global_hash,
+- tt_change, tt_len,
+- batadv_tt_global_valid,
+- req_dst_orig_node);
++ tvlv_len -= batadv_tt_tvlv_generate(bat_priv,
++ bat_priv->tt.global_hash,
++ tt_change, tt_len,
++ batadv_tt_global_valid,
++ req_dst_orig_node);
+ }
+
+ /* Don't send the response, if larger than fragmented packet. */
+@@ -3203,9 +3208,11 @@ static bool batadv_send_my_tt_response(struct batadv_priv *bat_priv,
+ goto out;
+
+ /* fill the rest of the tvlv with the real TT entries */
+- batadv_tt_tvlv_generate(bat_priv, bat_priv->tt.local_hash,
+- tt_change, tt_len,
+- batadv_tt_local_valid, NULL);
++ tvlv_len -= batadv_tt_tvlv_generate(bat_priv,
++ bat_priv->tt.local_hash,
++ tt_change, tt_len,
++ batadv_tt_local_valid,
++ NULL);
+ }
+
+ tvlv_tt_data->flags = BATADV_TT_RESPONSE;
+--
+2.39.5
+
--- /dev/null
+From cbd4b00e15391c5ae95f61b5db20744b74b7cd8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2024 10:13:29 -0700
+Subject: blk-iocost: Avoid using clamp() on inuse in __propagate_weights()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 57e420c84f9ab55ba4c5e2ae9c5f6c8e1ea834d2 ]
+
+After a recent change to clamp() and its variants [1] that increases the
+coverage of the check that high is greater than low because it can be
+done through inlining, certain build configurations (such as s390
+defconfig) fail to build with clang with:
+
+ block/blk-iocost.c:1101:11: error: call to '__compiletime_assert_557' declared with 'error' attribute: clamp() low limit 1 greater than high limit active
+ 1101 | inuse = clamp_t(u32, inuse, 1, active);
+ | ^
+ include/linux/minmax.h:218:36: note: expanded from macro 'clamp_t'
+ 218 | #define clamp_t(type, val, lo, hi) __careful_clamp(type, val, lo, hi)
+ | ^
+ include/linux/minmax.h:195:2: note: expanded from macro '__careful_clamp'
+ 195 | __clamp_once(type, val, lo, hi, __UNIQUE_ID(v_), __UNIQUE_ID(l_), __UNIQUE_ID(h_))
+ | ^
+ include/linux/minmax.h:188:2: note: expanded from macro '__clamp_once'
+ 188 | BUILD_BUG_ON_MSG(statically_true(ulo > uhi), \
+ | ^
+
+__propagate_weights() is called with an active value of zero in
+ioc_check_iocgs(), which results in the high value being less than the
+low value, which is undefined because the value returned depends on the
+order of the comparisons.
+
+The purpose of this expression is to ensure inuse is not more than
+active and at least 1. This could be written more simply with a ternary
+expression that uses min(inuse, active) as the condition so that the
+value of that condition can be used if it is not zero and one if it is.
+Do this conversion to resolve the error and add a comment to deter
+people from turning this back into clamp().
+
+Fixes: 7caa47151ab2 ("blkcg: implement blk-iocost")
+Link: https://lore.kernel.org/r/34d53778977747f19cce2abb287bb3e6@AcuMS.aculab.com/ [1]
+Suggested-by: David Laight <david.laight@aculab.com>
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Closes: https://lore.kernel.org/llvm/CA+G9fYsD7mw13wredcZn0L-KBA3yeoVSTuxnss-AEWMN3ha0cA@mail.gmail.com/
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202412120322.3GfVe3vF-lkp@intel.com/
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Acked-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-iocost.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/block/blk-iocost.c b/block/blk-iocost.c
+index 384aa15e8260..a5894ec9696e 100644
+--- a/block/blk-iocost.c
++++ b/block/blk-iocost.c
+@@ -1098,7 +1098,14 @@ static void __propagate_weights(struct ioc_gq *iocg, u32 active, u32 inuse,
+ inuse = DIV64_U64_ROUND_UP(active * iocg->child_inuse_sum,
+ iocg->child_active_sum);
+ } else {
+- inuse = clamp_t(u32, inuse, 1, active);
++ /*
++ * It may be tempting to turn this into a clamp expression with
++ * a lower limit of 1 but active may be 0, which cannot be used
++ * as an upper limit in that situation. This expression allows
++ * active to clamp inuse unless it is 0, in which case inuse
++ * becomes 1.
++ */
++ inuse = min(inuse, active) ?: 1;
+ }
+
+ iocg->last_inuse = iocg->inuse;
+--
+2.39.5
+
--- /dev/null
+From 1ad7642fb5443445525a974e997da0e77598a57e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 19:16:07 +0800
+Subject: blk-mq: move cpuhp callback registering out of q->sysfs_lock
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 22465bbac53c821319089016f268a2437de9b00a ]
+
+Registering and unregistering cpuhp callback requires global cpu hotplug lock,
+which is used everywhere. Meantime q->sysfs_lock is used in block layer
+almost everywhere.
+
+It is easy to trigger lockdep warning[1] by connecting the two locks.
+
+Fix the warning by moving blk-mq's cpuhp callback registering out of
+q->sysfs_lock. Add one dedicated global lock for covering registering &
+unregistering hctx's cpuhp, and it is safe to do so because hctx is
+guaranteed to be live if our request_queue is live.
+
+[1] https://lore.kernel.org/lkml/Z04pz3AlvI4o0Mr8@agluck-desk3/
+
+Cc: Reinette Chatre <reinette.chatre@intel.com>
+Cc: Fenghua Yu <fenghua.yu@intel.com>
+Cc: Peter Newman <peternewman@google.com>
+Cc: Babu Moger <babu.moger@amd.com>
+Reported-by: Luck Tony <tony.luck@intel.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Tested-by: Tony Luck <tony.luck@intel.com>
+Link: https://lore.kernel.org/r/20241206111611.978870-3-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: be26ba96421a ("block: Fix potential deadlock while freezing queue and acquiring sysfs_lock")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 92 insertions(+), 6 deletions(-)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index b4fba7b398e5..1030875a3e95 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -43,6 +43,7 @@
+
+ static DEFINE_PER_CPU(struct llist_head, blk_cpu_done);
+ static DEFINE_PER_CPU(call_single_data_t, blk_cpu_csd);
++static DEFINE_MUTEX(blk_mq_cpuhp_lock);
+
+ static void blk_mq_insert_request(struct request *rq, blk_insert_t flags);
+ static void blk_mq_request_bypass_insert(struct request *rq,
+@@ -3740,13 +3741,91 @@ static int blk_mq_hctx_notify_dead(unsigned int cpu, struct hlist_node *node)
+ return 0;
+ }
+
+-static void blk_mq_remove_cpuhp(struct blk_mq_hw_ctx *hctx)
++static void __blk_mq_remove_cpuhp(struct blk_mq_hw_ctx *hctx)
+ {
+- if (!(hctx->flags & BLK_MQ_F_STACKING))
++ lockdep_assert_held(&blk_mq_cpuhp_lock);
++
++ if (!(hctx->flags & BLK_MQ_F_STACKING) &&
++ !hlist_unhashed(&hctx->cpuhp_online)) {
+ cpuhp_state_remove_instance_nocalls(CPUHP_AP_BLK_MQ_ONLINE,
+ &hctx->cpuhp_online);
+- cpuhp_state_remove_instance_nocalls(CPUHP_BLK_MQ_DEAD,
+- &hctx->cpuhp_dead);
++ INIT_HLIST_NODE(&hctx->cpuhp_online);
++ }
++
++ if (!hlist_unhashed(&hctx->cpuhp_dead)) {
++ cpuhp_state_remove_instance_nocalls(CPUHP_BLK_MQ_DEAD,
++ &hctx->cpuhp_dead);
++ INIT_HLIST_NODE(&hctx->cpuhp_dead);
++ }
++}
++
++static void blk_mq_remove_cpuhp(struct blk_mq_hw_ctx *hctx)
++{
++ mutex_lock(&blk_mq_cpuhp_lock);
++ __blk_mq_remove_cpuhp(hctx);
++ mutex_unlock(&blk_mq_cpuhp_lock);
++}
++
++static void __blk_mq_add_cpuhp(struct blk_mq_hw_ctx *hctx)
++{
++ lockdep_assert_held(&blk_mq_cpuhp_lock);
++
++ if (!(hctx->flags & BLK_MQ_F_STACKING) &&
++ hlist_unhashed(&hctx->cpuhp_online))
++ cpuhp_state_add_instance_nocalls(CPUHP_AP_BLK_MQ_ONLINE,
++ &hctx->cpuhp_online);
++
++ if (hlist_unhashed(&hctx->cpuhp_dead))
++ cpuhp_state_add_instance_nocalls(CPUHP_BLK_MQ_DEAD,
++ &hctx->cpuhp_dead);
++}
++
++static void __blk_mq_remove_cpuhp_list(struct list_head *head)
++{
++ struct blk_mq_hw_ctx *hctx;
++
++ lockdep_assert_held(&blk_mq_cpuhp_lock);
++
++ list_for_each_entry(hctx, head, hctx_list)
++ __blk_mq_remove_cpuhp(hctx);
++}
++
++/*
++ * Unregister cpuhp callbacks from exited hw queues
++ *
++ * Safe to call if this `request_queue` is live
++ */
++static void blk_mq_remove_hw_queues_cpuhp(struct request_queue *q)
++{
++ LIST_HEAD(hctx_list);
++
++ spin_lock(&q->unused_hctx_lock);
++ list_splice_init(&q->unused_hctx_list, &hctx_list);
++ spin_unlock(&q->unused_hctx_lock);
++
++ mutex_lock(&blk_mq_cpuhp_lock);
++ __blk_mq_remove_cpuhp_list(&hctx_list);
++ mutex_unlock(&blk_mq_cpuhp_lock);
++
++ spin_lock(&q->unused_hctx_lock);
++ list_splice(&hctx_list, &q->unused_hctx_list);
++ spin_unlock(&q->unused_hctx_lock);
++}
++
++/*
++ * Register cpuhp callbacks from all hw queues
++ *
++ * Safe to call if this `request_queue` is live
++ */
++static void blk_mq_add_hw_queues_cpuhp(struct request_queue *q)
++{
++ struct blk_mq_hw_ctx *hctx;
++ unsigned long i;
++
++ mutex_lock(&blk_mq_cpuhp_lock);
++ queue_for_each_hw_ctx(q, hctx, i)
++ __blk_mq_add_cpuhp(hctx);
++ mutex_unlock(&blk_mq_cpuhp_lock);
+ }
+
+ /*
+@@ -3797,8 +3876,6 @@ static void blk_mq_exit_hctx(struct request_queue *q,
+ if (set->ops->exit_hctx)
+ set->ops->exit_hctx(hctx, hctx_idx);
+
+- blk_mq_remove_cpuhp(hctx);
+-
+ xa_erase(&q->hctx_table, hctx_idx);
+
+ spin_lock(&q->unused_hctx_lock);
+@@ -3815,6 +3892,7 @@ static void blk_mq_exit_hw_queues(struct request_queue *q,
+ queue_for_each_hw_ctx(q, hctx, i) {
+ if (i == nr_queue)
+ break;
++ blk_mq_remove_cpuhp(hctx);
+ blk_mq_exit_hctx(q, set, hctx, i);
+ }
+ }
+@@ -3878,6 +3956,8 @@ blk_mq_alloc_hctx(struct request_queue *q, struct blk_mq_tag_set *set,
+ INIT_DELAYED_WORK(&hctx->run_work, blk_mq_run_work_fn);
+ spin_lock_init(&hctx->lock);
+ INIT_LIST_HEAD(&hctx->dispatch);
++ INIT_HLIST_NODE(&hctx->cpuhp_dead);
++ INIT_HLIST_NODE(&hctx->cpuhp_online);
+ hctx->queue = q;
+ hctx->flags = set->flags & ~BLK_MQ_F_TAG_QUEUE_SHARED;
+
+@@ -4416,6 +4496,12 @@ static void blk_mq_realloc_hw_ctxs(struct blk_mq_tag_set *set,
+ xa_for_each_start(&q->hctx_table, j, hctx, j)
+ blk_mq_exit_hctx(q, set, hctx, j);
+ mutex_unlock(&q->sysfs_lock);
++
++ /* unregister cpuhp callbacks for exited hctxs */
++ blk_mq_remove_hw_queues_cpuhp(q);
++
++ /* register cpuhp for new initialized hctxs */
++ blk_mq_add_hw_queues_cpuhp(q);
+ }
+
+ int blk_mq_init_allocated_queue(struct blk_mq_tag_set *set,
+--
+2.39.5
+
--- /dev/null
+From 1c427ba428d7f4a51f1d5a99a1630de483029251 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 20:11:43 +0530
+Subject: block: Fix potential deadlock while freezing queue and acquiring
+ sysfs_lock
+
+From: Nilay Shroff <nilay@linux.ibm.com>
+
+[ Upstream commit be26ba96421ab0a8fa2055ccf7db7832a13c44d2 ]
+
+For storing a value to a queue attribute, the queue_attr_store function
+first freezes the queue (->q_usage_counter(io)) and then acquire
+->sysfs_lock. This seems not correct as the usual ordering should be to
+acquire ->sysfs_lock before freezing the queue. This incorrect ordering
+causes the following lockdep splat which we are able to reproduce always
+simply by accessing /sys/kernel/debug file using ls command:
+
+[ 57.597146] WARNING: possible circular locking dependency detected
+[ 57.597154] 6.12.0-10553-gb86545e02e8c #20 Tainted: G W
+[ 57.597162] ------------------------------------------------------
+[ 57.597168] ls/4605 is trying to acquire lock:
+[ 57.597176] c00000003eb56710 (&mm->mmap_lock){++++}-{4:4}, at: __might_fault+0x58/0xc0
+[ 57.597200]
+ but task is already holding lock:
+[ 57.597207] c0000018e27c6810 (&sb->s_type->i_mutex_key#3){++++}-{4:4}, at: iterate_dir+0x94/0x1d4
+[ 57.597226]
+ which lock already depends on the new lock.
+
+[ 57.597233]
+ the existing dependency chain (in reverse order) is:
+[ 57.597241]
+ -> #5 (&sb->s_type->i_mutex_key#3){++++}-{4:4}:
+[ 57.597255] down_write+0x6c/0x18c
+[ 57.597264] start_creating+0xb4/0x24c
+[ 57.597274] debugfs_create_dir+0x2c/0x1e8
+[ 57.597283] blk_register_queue+0xec/0x294
+[ 57.597292] add_disk_fwnode+0x2e4/0x548
+[ 57.597302] brd_alloc+0x2c8/0x338
+[ 57.597309] brd_init+0x100/0x178
+[ 57.597317] do_one_initcall+0x88/0x3e4
+[ 57.597326] kernel_init_freeable+0x3cc/0x6e0
+[ 57.597334] kernel_init+0x34/0x1cc
+[ 57.597342] ret_from_kernel_user_thread+0x14/0x1c
+[ 57.597350]
+ -> #4 (&q->debugfs_mutex){+.+.}-{4:4}:
+[ 57.597362] __mutex_lock+0xfc/0x12a0
+[ 57.597370] blk_register_queue+0xd4/0x294
+[ 57.597379] add_disk_fwnode+0x2e4/0x548
+[ 57.597388] brd_alloc+0x2c8/0x338
+[ 57.597395] brd_init+0x100/0x178
+[ 57.597402] do_one_initcall+0x88/0x3e4
+[ 57.597410] kernel_init_freeable+0x3cc/0x6e0
+[ 57.597418] kernel_init+0x34/0x1cc
+[ 57.597426] ret_from_kernel_user_thread+0x14/0x1c
+[ 57.597434]
+ -> #3 (&q->sysfs_lock){+.+.}-{4:4}:
+[ 57.597446] __mutex_lock+0xfc/0x12a0
+[ 57.597454] queue_attr_store+0x9c/0x110
+[ 57.597462] sysfs_kf_write+0x70/0xb0
+[ 57.597471] kernfs_fop_write_iter+0x1b0/0x2ac
+[ 57.597480] vfs_write+0x3dc/0x6e8
+[ 57.597488] ksys_write+0x84/0x140
+[ 57.597495] system_call_exception+0x130/0x360
+[ 57.597504] system_call_common+0x160/0x2c4
+[ 57.597516]
+ -> #2 (&q->q_usage_counter(io)#21){++++}-{0:0}:
+[ 57.597530] __submit_bio+0x5ec/0x828
+[ 57.597538] submit_bio_noacct_nocheck+0x1e4/0x4f0
+[ 57.597547] iomap_readahead+0x2a0/0x448
+[ 57.597556] xfs_vm_readahead+0x28/0x3c
+[ 57.597564] read_pages+0x88/0x41c
+[ 57.597571] page_cache_ra_unbounded+0x1ac/0x2d8
+[ 57.597580] filemap_get_pages+0x188/0x984
+[ 57.597588] filemap_read+0x13c/0x4bc
+[ 57.597596] xfs_file_buffered_read+0x88/0x17c
+[ 57.597605] xfs_file_read_iter+0xac/0x158
+[ 57.597614] vfs_read+0x2d4/0x3b4
+[ 57.597622] ksys_read+0x84/0x144
+[ 57.597629] system_call_exception+0x130/0x360
+[ 57.597637] system_call_common+0x160/0x2c4
+[ 57.597647]
+ -> #1 (mapping.invalidate_lock#2){++++}-{4:4}:
+[ 57.597661] down_read+0x6c/0x220
+[ 57.597669] filemap_fault+0x870/0x100c
+[ 57.597677] xfs_filemap_fault+0xc4/0x18c
+[ 57.597684] __do_fault+0x64/0x164
+[ 57.597693] __handle_mm_fault+0x1274/0x1dac
+[ 57.597702] handle_mm_fault+0x248/0x484
+[ 57.597711] ___do_page_fault+0x428/0xc0c
+[ 57.597719] hash__do_page_fault+0x30/0x68
+[ 57.597727] do_hash_fault+0x90/0x35c
+[ 57.597736] data_access_common_virt+0x210/0x220
+[ 57.597745] _copy_from_user+0xf8/0x19c
+[ 57.597754] sel_write_load+0x178/0xd54
+[ 57.597762] vfs_write+0x108/0x6e8
+[ 57.597769] ksys_write+0x84/0x140
+[ 57.597777] system_call_exception+0x130/0x360
+[ 57.597785] system_call_common+0x160/0x2c4
+[ 57.597794]
+ -> #0 (&mm->mmap_lock){++++}-{4:4}:
+[ 57.597806] __lock_acquire+0x17cc/0x2330
+[ 57.597814] lock_acquire+0x138/0x400
+[ 57.597822] __might_fault+0x7c/0xc0
+[ 57.597830] filldir64+0xe8/0x390
+[ 57.597839] dcache_readdir+0x80/0x2d4
+[ 57.597846] iterate_dir+0xd8/0x1d4
+[ 57.597855] sys_getdents64+0x88/0x2d4
+[ 57.597864] system_call_exception+0x130/0x360
+[ 57.597872] system_call_common+0x160/0x2c4
+[ 57.597881]
+ other info that might help us debug this:
+
+[ 57.597888] Chain exists of:
+ &mm->mmap_lock --> &q->debugfs_mutex --> &sb->s_type->i_mutex_key#3
+
+[ 57.597905] Possible unsafe locking scenario:
+
+[ 57.597911] CPU0 CPU1
+[ 57.597917] ---- ----
+[ 57.597922] rlock(&sb->s_type->i_mutex_key#3);
+[ 57.597932] lock(&q->debugfs_mutex);
+[ 57.597940] lock(&sb->s_type->i_mutex_key#3);
+[ 57.597950] rlock(&mm->mmap_lock);
+[ 57.597958]
+ *** DEADLOCK ***
+
+[ 57.597965] 2 locks held by ls/4605:
+[ 57.597971] #0: c0000000137c12f8 (&f->f_pos_lock){+.+.}-{4:4}, at: fdget_pos+0xcc/0x154
+[ 57.597989] #1: c0000018e27c6810 (&sb->s_type->i_mutex_key#3){++++}-{4:4}, at: iterate_dir+0x94/0x1d4
+
+Prevent the above lockdep warning by acquiring ->sysfs_lock before
+freezing the queue while storing a queue attribute in queue_attr_store
+function. Later, we also found[1] another function __blk_mq_update_nr_
+hw_queues where we first freeze queue and then acquire the ->sysfs_lock.
+So we've also updated lock ordering in __blk_mq_update_nr_hw_queues
+function and ensured that in all code paths we follow the correct lock
+ordering i.e. acquire ->sysfs_lock before freezing the queue.
+
+[1] https://lore.kernel.org/all/CAFj5m9Ke8+EHKQBs_Nk6hqd=LGXtk4mUxZUN5==ZcCjnZSBwHw@mail.gmail.com/
+
+Reported-by: kjain@linux.ibm.com
+Fixes: af2814149883 ("block: freeze the queue in queue_attr_store")
+Tested-by: kjain@linux.ibm.com
+Cc: hch@lst.de
+Cc: axboe@kernel.dk
+Cc: ritesh.list@gmail.com
+Cc: ming.lei@redhat.com
+Cc: gjoyce@linux.ibm.com
+Signed-off-by: Nilay Shroff <nilay@linux.ibm.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20241210144222.1066229-1-nilay@linux.ibm.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq-sysfs.c | 16 ++++++----------
+ block/blk-mq.c | 29 ++++++++++++++++++-----------
+ block/blk-sysfs.c | 4 ++--
+ 3 files changed, 26 insertions(+), 23 deletions(-)
+
+diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c
+index 156e9bb07abf..cd5ea6eaa76b 100644
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -275,15 +275,13 @@ void blk_mq_sysfs_unregister_hctxs(struct request_queue *q)
+ struct blk_mq_hw_ctx *hctx;
+ unsigned long i;
+
+- mutex_lock(&q->sysfs_dir_lock);
++ lockdep_assert_held(&q->sysfs_dir_lock);
++
+ if (!q->mq_sysfs_init_done)
+- goto unlock;
++ return;
+
+ queue_for_each_hw_ctx(q, hctx, i)
+ blk_mq_unregister_hctx(hctx);
+-
+-unlock:
+- mutex_unlock(&q->sysfs_dir_lock);
+ }
+
+ int blk_mq_sysfs_register_hctxs(struct request_queue *q)
+@@ -292,9 +290,10 @@ int blk_mq_sysfs_register_hctxs(struct request_queue *q)
+ unsigned long i;
+ int ret = 0;
+
+- mutex_lock(&q->sysfs_dir_lock);
++ lockdep_assert_held(&q->sysfs_dir_lock);
++
+ if (!q->mq_sysfs_init_done)
+- goto unlock;
++ return ret;
+
+ queue_for_each_hw_ctx(q, hctx, i) {
+ ret = blk_mq_register_hctx(hctx);
+@@ -302,8 +301,5 @@ int blk_mq_sysfs_register_hctxs(struct request_queue *q)
+ break;
+ }
+
+-unlock:
+- mutex_unlock(&q->sysfs_dir_lock);
+-
+ return ret;
+ }
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index 1030875a3e95..cc1b32023838 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -4462,7 +4462,8 @@ static void blk_mq_realloc_hw_ctxs(struct blk_mq_tag_set *set,
+ unsigned long i, j;
+
+ /* protect against switching io scheduler */
+- mutex_lock(&q->sysfs_lock);
++ lockdep_assert_held(&q->sysfs_lock);
++
+ for (i = 0; i < set->nr_hw_queues; i++) {
+ int old_node;
+ int node = blk_mq_get_hctx_node(set, i);
+@@ -4495,7 +4496,6 @@ static void blk_mq_realloc_hw_ctxs(struct blk_mq_tag_set *set,
+
+ xa_for_each_start(&q->hctx_table, j, hctx, j)
+ blk_mq_exit_hctx(q, set, hctx, j);
+- mutex_unlock(&q->sysfs_lock);
+
+ /* unregister cpuhp callbacks for exited hctxs */
+ blk_mq_remove_hw_queues_cpuhp(q);
+@@ -4527,10 +4527,14 @@ int blk_mq_init_allocated_queue(struct blk_mq_tag_set *set,
+
+ xa_init(&q->hctx_table);
+
++ mutex_lock(&q->sysfs_lock);
++
+ blk_mq_realloc_hw_ctxs(set, q);
+ if (!q->nr_hw_queues)
+ goto err_hctxs;
+
++ mutex_unlock(&q->sysfs_lock);
++
+ INIT_WORK(&q->timeout_work, blk_mq_timeout_work);
+ blk_queue_rq_timeout(q, set->timeout ? set->timeout : 30 * HZ);
+
+@@ -4549,6 +4553,7 @@ int blk_mq_init_allocated_queue(struct blk_mq_tag_set *set,
+ return 0;
+
+ err_hctxs:
++ mutex_unlock(&q->sysfs_lock);
+ blk_mq_release(q);
+ err_exit:
+ q->mq_ops = NULL;
+@@ -4929,12 +4934,12 @@ static bool blk_mq_elv_switch_none(struct list_head *head,
+ return false;
+
+ /* q->elevator needs protection from ->sysfs_lock */
+- mutex_lock(&q->sysfs_lock);
++ lockdep_assert_held(&q->sysfs_lock);
+
+ /* the check has to be done with holding sysfs_lock */
+ if (!q->elevator) {
+ kfree(qe);
+- goto unlock;
++ goto out;
+ }
+
+ INIT_LIST_HEAD(&qe->node);
+@@ -4944,9 +4949,7 @@ static bool blk_mq_elv_switch_none(struct list_head *head,
+ __elevator_get(qe->type);
+ list_add(&qe->node, head);
+ elevator_disable(q);
+-unlock:
+- mutex_unlock(&q->sysfs_lock);
+-
++out:
+ return true;
+ }
+
+@@ -4975,11 +4978,9 @@ static void blk_mq_elv_switch_back(struct list_head *head,
+ list_del(&qe->node);
+ kfree(qe);
+
+- mutex_lock(&q->sysfs_lock);
+ elevator_switch(q, t);
+ /* drop the reference acquired in blk_mq_elv_switch_none */
+ elevator_put(t);
+- mutex_unlock(&q->sysfs_lock);
+ }
+
+ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set,
+@@ -4999,8 +5000,11 @@ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set,
+ if (set->nr_maps == 1 && nr_hw_queues == set->nr_hw_queues)
+ return;
+
+- list_for_each_entry(q, &set->tag_list, tag_set_list)
++ list_for_each_entry(q, &set->tag_list, tag_set_list) {
++ mutex_lock(&q->sysfs_dir_lock);
++ mutex_lock(&q->sysfs_lock);
+ blk_mq_freeze_queue(q);
++ }
+ /*
+ * Switch IO scheduler to 'none', cleaning up the data associated
+ * with the previous scheduler. We will switch back once we are done
+@@ -5056,8 +5060,11 @@ static void __blk_mq_update_nr_hw_queues(struct blk_mq_tag_set *set,
+ list_for_each_entry(q, &set->tag_list, tag_set_list)
+ blk_mq_elv_switch_back(&head, q);
+
+- list_for_each_entry(q, &set->tag_list, tag_set_list)
++ list_for_each_entry(q, &set->tag_list, tag_set_list) {
+ blk_mq_unfreeze_queue(q);
++ mutex_unlock(&q->sysfs_lock);
++ mutex_unlock(&q->sysfs_dir_lock);
++ }
+
+ /* Free the excess tags when nr_hw_queues shrink. */
+ for (i = set->nr_hw_queues; i < prev_nr_hw_queues; i++)
+diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
+index 207577145c54..42c2cb97d778 100644
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -690,11 +690,11 @@ queue_attr_store(struct kobject *kobj, struct attribute *attr,
+ return res;
+ }
+
+- blk_mq_freeze_queue(q);
+ mutex_lock(&q->sysfs_lock);
++ blk_mq_freeze_queue(q);
+ res = entry->store(disk, page, length);
+- mutex_unlock(&q->sysfs_lock);
+ blk_mq_unfreeze_queue(q);
++ mutex_unlock(&q->sysfs_lock);
+ return res;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 042d8ff457039fc227e730d8680c6349d77c5853 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2024 10:04:41 +0800
+Subject: block: get wp_offset by bdev_offset_from_zone_start
+
+From: LongPing Wei <weilongping@oppo.com>
+
+[ Upstream commit 790eb09e59709a1ffc1c64fe4aae2789120851b0 ]
+
+Call bdev_offset_from_zone_start() instead of open-coding it.
+
+Fixes: dd291d77cc90 ("block: Introduce zone write plugging")
+Signed-off-by: LongPing Wei <weilongping@oppo.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20241107020439.1644577-1-weilongping@oppo.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-zoned.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/blk-zoned.c b/block/blk-zoned.c
+index 6d21693f39b7..767bcbce74fa 100644
+--- a/block/blk-zoned.c
++++ b/block/blk-zoned.c
+@@ -568,7 +568,7 @@ static struct blk_zone_wplug *disk_get_and_lock_zone_wplug(struct gendisk *disk,
+ spin_lock_init(&zwplug->lock);
+ zwplug->flags = 0;
+ zwplug->zone_no = zno;
+- zwplug->wp_offset = sector & (disk->queue->limits.chunk_sectors - 1);
++ zwplug->wp_offset = bdev_offset_from_zone_start(disk->part0, sector);
+ bio_list_init(&zwplug->bio_list);
+ INIT_WORK(&zwplug->bio_work, blk_zone_wplug_bio_work);
+ zwplug->disk = disk;
+--
+2.39.5
+
--- /dev/null
+From 9428deadcea2e8b992f9120ee0c64f652bcde0a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 16:36:10 -0300
+Subject: Bluetooth: btmtk: avoid UAF in btmtk_process_coredump
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit b548f5e9456c568155499d9ebac675c0d7a296e8 ]
+
+hci_devcd_append may lead to the release of the skb, so it cannot be
+accessed once it is called.
+
+==================================================================
+BUG: KASAN: slab-use-after-free in btmtk_process_coredump+0x2a7/0x2d0 [btmtk]
+Read of size 4 at addr ffff888033cfabb0 by task kworker/0:3/82
+
+CPU: 0 PID: 82 Comm: kworker/0:3 Tainted: G U 6.6.40-lockdep-03464-g1d8b4eb3060e #1 b0b3c1cc0c842735643fb411799d97921d1f688c
+Hardware name: Google Yaviks_Ufs/Yaviks_Ufs, BIOS Google_Yaviks_Ufs.15217.552.0 05/07/2024
+Workqueue: events btusb_rx_work [btusb]
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0xfd/0x150
+ print_report+0x131/0x780
+ kasan_report+0x177/0x1c0
+ btmtk_process_coredump+0x2a7/0x2d0 [btmtk 03edd567dd71a65958807c95a65db31d433e1d01]
+ btusb_recv_acl_mtk+0x11c/0x1a0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]
+ btusb_rx_work+0x9e/0xe0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]
+ worker_thread+0xe44/0x2cc0
+ kthread+0x2ff/0x3a0
+ ret_from_fork+0x51/0x80
+ ret_from_fork_asm+0x1b/0x30
+ </TASK>
+
+Allocated by task 82:
+ stack_trace_save+0xdc/0x190
+ kasan_set_track+0x4e/0x80
+ __kasan_slab_alloc+0x4e/0x60
+ kmem_cache_alloc+0x19f/0x360
+ skb_clone+0x132/0xf70
+ btusb_recv_acl_mtk+0x104/0x1a0 [btusb]
+ btusb_rx_work+0x9e/0xe0 [btusb]
+ worker_thread+0xe44/0x2cc0
+ kthread+0x2ff/0x3a0
+ ret_from_fork+0x51/0x80
+ ret_from_fork_asm+0x1b/0x30
+
+Freed by task 1733:
+ stack_trace_save+0xdc/0x190
+ kasan_set_track+0x4e/0x80
+ kasan_save_free_info+0x28/0xb0
+ ____kasan_slab_free+0xfd/0x170
+ kmem_cache_free+0x183/0x3f0
+ hci_devcd_rx+0x91a/0x2060 [bluetooth]
+ worker_thread+0xe44/0x2cc0
+ kthread+0x2ff/0x3a0
+ ret_from_fork+0x51/0x80
+ ret_from_fork_asm+0x1b/0x30
+
+The buggy address belongs to the object at ffff888033cfab40
+ which belongs to the cache skbuff_head_cache of size 232
+The buggy address is located 112 bytes inside of
+ freed 232-byte region [ffff888033cfab40, ffff888033cfac28)
+
+The buggy address belongs to the physical page:
+page:00000000a174ba93 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33cfa
+head:00000000a174ba93 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+anon flags: 0x4000000000000840(slab|head|zone=1)
+page_type: 0xffffffff()
+raw: 4000000000000840 ffff888100848a00 0000000000000000 0000000000000001
+raw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888033cfaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
+ ffff888033cfab00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
+>ffff888033cfab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff888033cfac00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
+ ffff888033cfac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Check if we need to call hci_devcd_complete before calling
+hci_devcd_append. That requires that we check data->cd_info.cnt >=
+MTK_COREDUMP_NUM instead of data->cd_info.cnt > MTK_COREDUMP_NUM, as we
+increment data->cd_info.cnt only once the call to hci_devcd_append
+succeeds.
+
+Fixes: 0b7015132878 ("Bluetooth: btusb: mediatek: add MediaTek devcoredump support")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btmtk.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
+index 480e4adba9fa..85e99641eaae 100644
+--- a/drivers/bluetooth/btmtk.c
++++ b/drivers/bluetooth/btmtk.c
+@@ -395,6 +395,7 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb)
+ {
+ struct btmtk_data *data = hci_get_priv(hdev);
+ int err;
++ bool complete = false;
+
+ if (!IS_ENABLED(CONFIG_DEV_COREDUMP)) {
+ kfree_skb(skb);
+@@ -416,19 +417,22 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb)
+ fallthrough;
+ case HCI_DEVCOREDUMP_ACTIVE:
+ default:
++ /* Mediatek coredump data would be more than MTK_COREDUMP_NUM */
++ if (data->cd_info.cnt >= MTK_COREDUMP_NUM &&
++ skb->len > MTK_COREDUMP_END_LEN)
++ if (!memcmp((char *)&skb->data[skb->len - MTK_COREDUMP_END_LEN],
++ MTK_COREDUMP_END, MTK_COREDUMP_END_LEN - 1))
++ complete = true;
++
+ err = hci_devcd_append(hdev, skb);
+ if (err < 0)
+ break;
+ data->cd_info.cnt++;
+
+- /* Mediatek coredump data would be more than MTK_COREDUMP_NUM */
+- if (data->cd_info.cnt > MTK_COREDUMP_NUM &&
+- skb->len > MTK_COREDUMP_END_LEN)
+- if (!memcmp((char *)&skb->data[skb->len - MTK_COREDUMP_END_LEN],
+- MTK_COREDUMP_END, MTK_COREDUMP_END_LEN - 1)) {
+- bt_dev_info(hdev, "Mediatek coredump end");
+- hci_devcd_complete(hdev);
+- }
++ if (complete) {
++ bt_dev_info(hdev, "Mediatek coredump end");
++ hci_devcd_complete(hdev);
++ }
+
+ break;
+ }
+--
+2.39.5
+
--- /dev/null
+From 1f2cf2487b4fe4f3ae42a30bb04ed48697d8ca12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 11:40:59 -0500
+Subject: Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 581dd2dc168fe0ed2a7a5534a724f0d3751c93ae ]
+
+The usage of rcu_read_(un)lock while inside list_for_each_entry_rcu is
+not safe since for the most part entries fetched this way shall be
+treated as rcu_dereference:
+
+ Note that the value returned by rcu_dereference() is valid
+ only within the enclosing RCU read-side critical section [1]_.
+ For example, the following is **not** legal::
+
+ rcu_read_lock();
+ p = rcu_dereference(head.next);
+ rcu_read_unlock();
+ x = p->address; /* BUG!!! */
+ rcu_read_lock();
+ y = p->data; /* BUG!!! */
+ rcu_read_unlock();
+
+Fixes: a0bfde167b50 ("Bluetooth: ISO: Add support for connecting multiple BISes")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 33 +++++++++++----------------------
+ 1 file changed, 11 insertions(+), 22 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 2b5ba8acd1d8..388d46c6a043 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6872,38 +6872,27 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
+ return;
+
+ hci_dev_lock(hdev);
+- rcu_read_lock();
+
+ /* Connect all BISes that are bound to the BIG */
+- list_for_each_entry_rcu(conn, &hdev->conn_hash.list, list) {
+- if (bacmp(&conn->dst, BDADDR_ANY) ||
+- conn->type != ISO_LINK ||
+- conn->iso_qos.bcast.big != ev->handle)
++ while ((conn = hci_conn_hash_lookup_big_state(hdev, ev->handle,
++ BT_BOUND))) {
++ if (ev->status) {
++ hci_connect_cfm(conn, ev->status);
++ hci_conn_del(conn);
+ continue;
++ }
+
+ if (hci_conn_set_handle(conn,
+ __le16_to_cpu(ev->bis_handle[i++])))
+ continue;
+
+- if (!ev->status) {
+- conn->state = BT_CONNECTED;
+- set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
+- rcu_read_unlock();
+- hci_debugfs_create_conn(conn);
+- hci_conn_add_sysfs(conn);
+- hci_iso_setup_path(conn);
+- rcu_read_lock();
+- continue;
+- }
+-
+- hci_connect_cfm(conn, ev->status);
+- rcu_read_unlock();
+- hci_conn_del(conn);
+- rcu_read_lock();
++ conn->state = BT_CONNECTED;
++ set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
++ hci_debugfs_create_conn(conn);
++ hci_conn_add_sysfs(conn);
++ hci_iso_setup_path(conn);
+ }
+
+- rcu_read_unlock();
+-
+ if (!ev->status && !i)
+ /* If no BISes have been connected for the BIG,
+ * terminate. This is in case all bound connections
+--
+2.39.5
+
--- /dev/null
+From 3aa11cd5a6144dba244630540f34ca73d7beb29a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Nov 2024 14:31:40 +0100
+Subject: Bluetooth: Improve setsockopt() handling of malformed user input
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 3e643e4efa1e87432204b62f9cfdea3b2508c830 ]
+
+The bt_copy_from_sockptr() return value is being misinterpreted by most
+users: a non-zero result is mistakenly assumed to represent an error code,
+but actually indicates the number of bytes that could not be copied.
+
+Remove bt_copy_from_sockptr() and adapt callers to use
+copy_safe_from_sockptr().
+
+For sco_sock_setsockopt() (case BT_CODEC) use copy_struct_from_sockptr() to
+scrub parts of uninitialized buffer.
+
+Opportunistically, rename `len` to `optlen` in hci_sock_setsockopt_old()
+and hci_sock_setsockopt().
+
+Fixes: 51eda36d33e4 ("Bluetooth: SCO: Fix not validating setsockopt user input")
+Fixes: a97de7bff13b ("Bluetooth: RFCOMM: Fix not validating setsockopt user input")
+Fixes: 4f3951242ace ("Bluetooth: L2CAP: Fix not validating setsockopt user input")
+Fixes: 9e8742cdfc4b ("Bluetooth: ISO: Fix not validating setsockopt user input")
+Fixes: b2186061d604 ("Bluetooth: hci_sock: Fix not validating setsockopt user input")
+Reviewed-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Reviewed-by: David Wei <dw@davidwei.uk>
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/bluetooth.h | 9 ---------
+ net/bluetooth/hci_sock.c | 14 +++++++-------
+ net/bluetooth/iso.c | 10 +++++-----
+ net/bluetooth/l2cap_sock.c | 20 +++++++++++---------
+ net/bluetooth/rfcomm/sock.c | 9 ++++-----
+ net/bluetooth/sco.c | 11 ++++++-----
+ 6 files changed, 33 insertions(+), 40 deletions(-)
+
+diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
+index f66bc85c6411..e6760c11f007 100644
+--- a/include/net/bluetooth/bluetooth.h
++++ b/include/net/bluetooth/bluetooth.h
+@@ -590,15 +590,6 @@ static inline struct sk_buff *bt_skb_sendmmsg(struct sock *sk,
+ return skb;
+ }
+
+-static inline int bt_copy_from_sockptr(void *dst, size_t dst_size,
+- sockptr_t src, size_t src_size)
+-{
+- if (dst_size > src_size)
+- return -EINVAL;
+-
+- return copy_from_sockptr(dst, src, dst_size);
+-}
+-
+ int bt_to_errno(u16 code);
+ __u8 bt_status(int err);
+
+diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
+index 2272e1849ebd..022b86797acd 100644
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -1926,7 +1926,7 @@ static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
+ }
+
+ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname,
+- sockptr_t optval, unsigned int len)
++ sockptr_t optval, unsigned int optlen)
+ {
+ struct hci_ufilter uf = { .opcode = 0 };
+ struct sock *sk = sock->sk;
+@@ -1943,7 +1943,7 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname,
+
+ switch (optname) {
+ case HCI_DATA_DIR:
+- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len);
++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
+ break;
+
+@@ -1954,7 +1954,7 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname,
+ break;
+
+ case HCI_TIME_STAMP:
+- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len);
++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
+ break;
+
+@@ -1974,7 +1974,7 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname,
+ uf.event_mask[1] = *((u32 *) f->event_mask + 1);
+ }
+
+- err = bt_copy_from_sockptr(&uf, sizeof(uf), optval, len);
++ err = copy_safe_from_sockptr(&uf, sizeof(uf), optval, optlen);
+ if (err)
+ break;
+
+@@ -2005,7 +2005,7 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname,
+ }
+
+ static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
+- sockptr_t optval, unsigned int len)
++ sockptr_t optval, unsigned int optlen)
+ {
+ struct sock *sk = sock->sk;
+ int err = 0;
+@@ -2015,7 +2015,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
+
+ if (level == SOL_HCI)
+ return hci_sock_setsockopt_old(sock, level, optname, optval,
+- len);
++ optlen);
+
+ if (level != SOL_BLUETOOTH)
+ return -ENOPROTOOPT;
+@@ -2035,7 +2035,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
+ goto done;
+ }
+
+- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len);
++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
+ break;
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index 5e2d9758bd3c..7212fd6047b9 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -1566,7 +1566,7 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+
+- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
+ break;
+
+@@ -1577,7 +1577,7 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
+ break;
+
+ case BT_PKT_STATUS:
+- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
+ break;
+
+@@ -1596,7 +1596,7 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+
+- err = bt_copy_from_sockptr(&qos, sizeof(qos), optval, optlen);
++ err = copy_safe_from_sockptr(&qos, sizeof(qos), optval, optlen);
+ if (err)
+ break;
+
+@@ -1617,8 +1617,8 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+
+- err = bt_copy_from_sockptr(iso_pi(sk)->base, optlen, optval,
+- optlen);
++ err = copy_safe_from_sockptr(iso_pi(sk)->base, optlen, optval,
++ optlen);
+ if (err)
+ break;
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 18e89e764f3b..3d2553dcdb1b 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -755,7 +755,8 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
+ opts.max_tx = chan->max_tx;
+ opts.txwin_size = chan->tx_win;
+
+- err = bt_copy_from_sockptr(&opts, sizeof(opts), optval, optlen);
++ err = copy_safe_from_sockptr(&opts, sizeof(opts), optval,
++ optlen);
+ if (err)
+ break;
+
+@@ -800,7 +801,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
+ break;
+
+ case L2CAP_LM:
+- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
+ break;
+
+@@ -909,7 +910,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
+
+ sec.level = BT_SECURITY_LOW;
+
+- err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen);
++ err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen);
+ if (err)
+ break;
+
+@@ -956,7 +957,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+
+- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
+ break;
+
+@@ -970,7 +971,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
+ break;
+
+ case BT_FLUSHABLE:
+- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
+ break;
+
+@@ -1004,7 +1005,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
+
+ pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
+
+- err = bt_copy_from_sockptr(&pwr, sizeof(pwr), optval, optlen);
++ err = copy_safe_from_sockptr(&pwr, sizeof(pwr), optval, optlen);
+ if (err)
+ break;
+
+@@ -1015,7 +1016,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
+ break;
+
+ case BT_CHANNEL_POLICY:
+- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
+ break;
+
+@@ -1046,7 +1047,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+
+- err = bt_copy_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
++ err = copy_safe_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
+ if (err)
+ break;
+
+@@ -1076,7 +1077,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+
+- err = bt_copy_from_sockptr(&mode, sizeof(mode), optval, optlen);
++ err = copy_safe_from_sockptr(&mode, sizeof(mode), optval,
++ optlen);
+ if (err)
+ break;
+
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index 40766f8119ed..913402806fa0 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -629,10 +629,9 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
+
+ switch (optname) {
+ case RFCOMM_LM:
+- if (bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen)) {
+- err = -EFAULT;
++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
++ if (err)
+ break;
+- }
+
+ if (opt & RFCOMM_LM_FIPS) {
+ err = -EINVAL;
+@@ -685,7 +684,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname,
+
+ sec.level = BT_SECURITY_LOW;
+
+- err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen);
++ err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen);
+ if (err)
+ break;
+
+@@ -703,7 +702,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+
+- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
+ break;
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 1c7252a36866..700abb639a55 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -853,7 +853,7 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+
+- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
+ break;
+
+@@ -872,8 +872,8 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname,
+
+ voice.setting = sco_pi(sk)->setting;
+
+- err = bt_copy_from_sockptr(&voice, sizeof(voice), optval,
+- optlen);
++ err = copy_safe_from_sockptr(&voice, sizeof(voice), optval,
++ optlen);
+ if (err)
+ break;
+
+@@ -898,7 +898,7 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname,
+ break;
+
+ case BT_PKT_STATUS:
+- err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
++ err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
+ break;
+
+@@ -941,7 +941,8 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+
+- err = bt_copy_from_sockptr(buffer, optlen, optval, optlen);
++ err = copy_struct_from_sockptr(buffer, sizeof(buffer), optval,
++ optlen);
+ if (err) {
+ hci_dev_put(hdev);
+ break;
+--
+2.39.5
+
--- /dev/null
+From b54dc682a0d0296ea3729759e4dbc323e6e30db1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 14:28:48 +0200
+Subject: Bluetooth: iso: Always release hdev at the end of iso_listen_bis
+
+From: Iulia Tanasescu <iulia.tanasescu@nxp.com>
+
+[ Upstream commit 9c76fff747a73ba01d1d87ed53dd9c00cb40ba05 ]
+
+Since hci_get_route holds the device before returning, the hdev
+should be released with hci_dev_put at the end of iso_listen_bis
+even if the function returns with an error.
+
+Fixes: 02171da6e86a ("Bluetooth: ISO: Add hcon for listening bis sk")
+Signed-off-by: Iulia Tanasescu <iulia.tanasescu@nxp.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/iso.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index 7212fd6047b9..34eade4b0587 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -1158,10 +1158,9 @@ static int iso_listen_bis(struct sock *sk)
+ goto unlock;
+ }
+
+- hci_dev_put(hdev);
+-
+ unlock:
+ hci_dev_unlock(hdev);
++ hci_dev_put(hdev);
+ return err;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 76eee9f0fc7d5ca13db482035c9db20d5eb1458f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2024 11:42:18 +0200
+Subject: Bluetooth: iso: Fix circular lock in iso_conn_big_sync
+
+From: Iulia Tanasescu <iulia.tanasescu@nxp.com>
+
+[ Upstream commit 7a17308c17880d259105f6e591eb1bc77b9612f0 ]
+
+This fixes the circular locking dependency warning below, by reworking
+iso_sock_recvmsg, to ensure that the socket lock is always released
+before calling a function that locks hdev.
+
+[ 561.670344] ======================================================
+[ 561.670346] WARNING: possible circular locking dependency detected
+[ 561.670349] 6.12.0-rc6+ #26 Not tainted
+[ 561.670351] ------------------------------------------------------
+[ 561.670353] iso-tester/3289 is trying to acquire lock:
+[ 561.670355] ffff88811f600078 (&hdev->lock){+.+.}-{3:3},
+ at: iso_conn_big_sync+0x73/0x260 [bluetooth]
+[ 561.670405]
+ but task is already holding lock:
+[ 561.670407] ffff88815af58258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0},
+ at: iso_sock_recvmsg+0xbf/0x500 [bluetooth]
+[ 561.670450]
+ which lock already depends on the new lock.
+
+[ 561.670452]
+ the existing dependency chain (in reverse order) is:
+[ 561.670453]
+ -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
+[ 561.670458] lock_acquire+0x7c/0xc0
+[ 561.670463] lock_sock_nested+0x3b/0xf0
+[ 561.670467] bt_accept_dequeue+0x1a5/0x4d0 [bluetooth]
+[ 561.670510] iso_sock_accept+0x271/0x830 [bluetooth]
+[ 561.670547] do_accept+0x3dd/0x610
+[ 561.670550] __sys_accept4+0xd8/0x170
+[ 561.670553] __x64_sys_accept+0x74/0xc0
+[ 561.670556] x64_sys_call+0x17d6/0x25f0
+[ 561.670559] do_syscall_64+0x87/0x150
+[ 561.670563] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ 561.670567]
+ -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}:
+[ 561.670571] lock_acquire+0x7c/0xc0
+[ 561.670574] lock_sock_nested+0x3b/0xf0
+[ 561.670577] iso_sock_listen+0x2de/0xf30 [bluetooth]
+[ 561.670617] __sys_listen_socket+0xef/0x130
+[ 561.670620] __x64_sys_listen+0xe1/0x190
+[ 561.670623] x64_sys_call+0x2517/0x25f0
+[ 561.670626] do_syscall_64+0x87/0x150
+[ 561.670629] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ 561.670632]
+ -> #0 (&hdev->lock){+.+.}-{3:3}:
+[ 561.670636] __lock_acquire+0x32ad/0x6ab0
+[ 561.670639] lock_acquire.part.0+0x118/0x360
+[ 561.670642] lock_acquire+0x7c/0xc0
+[ 561.670644] __mutex_lock+0x18d/0x12f0
+[ 561.670647] mutex_lock_nested+0x1b/0x30
+[ 561.670651] iso_conn_big_sync+0x73/0x260 [bluetooth]
+[ 561.670687] iso_sock_recvmsg+0x3e9/0x500 [bluetooth]
+[ 561.670722] sock_recvmsg+0x1d5/0x240
+[ 561.670725] sock_read_iter+0x27d/0x470
+[ 561.670727] vfs_read+0x9a0/0xd30
+[ 561.670731] ksys_read+0x1a8/0x250
+[ 561.670733] __x64_sys_read+0x72/0xc0
+[ 561.670736] x64_sys_call+0x1b12/0x25f0
+[ 561.670738] do_syscall_64+0x87/0x150
+[ 561.670741] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ 561.670744]
+ other info that might help us debug this:
+
+[ 561.670745] Chain exists of:
+&hdev->lock --> sk_lock-AF_BLUETOOTH-BTPROTO_ISO --> sk_lock-AF_BLUETOOTH
+
+[ 561.670751] Possible unsafe locking scenario:
+
+[ 561.670753] CPU0 CPU1
+[ 561.670754] ---- ----
+[ 561.670756] lock(sk_lock-AF_BLUETOOTH);
+[ 561.670758] lock(sk_lock
+ AF_BLUETOOTH-BTPROTO_ISO);
+[ 561.670761] lock(sk_lock-AF_BLUETOOTH);
+[ 561.670764] lock(&hdev->lock);
+[ 561.670767]
+ *** DEADLOCK ***
+
+Fixes: 07a9342b94a9 ("Bluetooth: ISO: Send BIG Create Sync via hci_sync")
+Signed-off-by: Iulia Tanasescu <iulia.tanasescu@nxp.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/iso.c | 34 +++++++++++++++++++++++++++-------
+ 1 file changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index 809e88fd3fcb..644b606743e2 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -1411,6 +1411,7 @@ static void iso_conn_big_sync(struct sock *sk)
+ * change.
+ */
+ hci_dev_lock(hdev);
++ lock_sock(sk);
+
+ if (!test_and_set_bit(BT_SK_BIG_SYNC, &iso_pi(sk)->flags)) {
+ err = hci_le_big_create_sync(hdev, iso_pi(sk)->conn->hcon,
+@@ -1423,6 +1424,7 @@ static void iso_conn_big_sync(struct sock *sk)
+ err);
+ }
+
++ release_sock(sk);
+ hci_dev_unlock(hdev);
+ }
+
+@@ -1431,39 +1433,57 @@ static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
+ {
+ struct sock *sk = sock->sk;
+ struct iso_pinfo *pi = iso_pi(sk);
++ bool early_ret = false;
++ int err = 0;
+
+ BT_DBG("sk %p", sk);
+
+ if (test_and_clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) {
++ sock_hold(sk);
+ lock_sock(sk);
++
+ switch (sk->sk_state) {
+ case BT_CONNECT2:
+ if (test_bit(BT_SK_PA_SYNC, &pi->flags)) {
++ release_sock(sk);
+ iso_conn_big_sync(sk);
++ lock_sock(sk);
++
+ sk->sk_state = BT_LISTEN;
+ } else {
+ iso_conn_defer_accept(pi->conn->hcon);
+ sk->sk_state = BT_CONFIG;
+ }
+- release_sock(sk);
+- return 0;
++
++ early_ret = true;
++ break;
+ case BT_CONNECTED:
+ if (test_bit(BT_SK_PA_SYNC, &iso_pi(sk)->flags)) {
++ release_sock(sk);
+ iso_conn_big_sync(sk);
++ lock_sock(sk);
++
+ sk->sk_state = BT_LISTEN;
+- release_sock(sk);
+- return 0;
++ early_ret = true;
+ }
+
+- release_sock(sk);
+ break;
+ case BT_CONNECT:
+ release_sock(sk);
+- return iso_connect_cis(sk);
++ err = iso_connect_cis(sk);
++ lock_sock(sk);
++
++ early_ret = true;
++ break;
+ default:
+- release_sock(sk);
+ break;
+ }
++
++ release_sock(sk);
++ sock_put(sk);
++
++ if (early_ret)
++ return err;
+ }
+
+ return bt_sock_recvmsg(sock, msg, len, flags);
+--
+2.39.5
+
--- /dev/null
+From f634a7bec5f43ceafcb5113d11d96a58d62f646a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2024 11:42:17 +0200
+Subject: Bluetooth: iso: Fix circular lock in iso_listen_bis
+
+From: Iulia Tanasescu <iulia.tanasescu@nxp.com>
+
+[ Upstream commit 168e28305b871d8ec604a8f51f35467b8d7ba05b ]
+
+This fixes the circular locking dependency warning below, by
+releasing the socket lock before enterning iso_listen_bis, to
+avoid any potential deadlock with hdev lock.
+
+[ 75.307983] ======================================================
+[ 75.307984] WARNING: possible circular locking dependency detected
+[ 75.307985] 6.12.0-rc6+ #22 Not tainted
+[ 75.307987] ------------------------------------------------------
+[ 75.307987] kworker/u81:2/2623 is trying to acquire lock:
+[ 75.307988] ffff8fde1769da58 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO)
+ at: iso_connect_cfm+0x253/0x840 [bluetooth]
+[ 75.308021]
+ but task is already holding lock:
+[ 75.308022] ffff8fdd61a10078 (&hdev->lock)
+ at: hci_le_per_adv_report_evt+0x47/0x2f0 [bluetooth]
+[ 75.308053]
+ which lock already depends on the new lock.
+
+[ 75.308054]
+ the existing dependency chain (in reverse order) is:
+[ 75.308055]
+ -> #1 (&hdev->lock){+.+.}-{3:3}:
+[ 75.308057] __mutex_lock+0xad/0xc50
+[ 75.308061] mutex_lock_nested+0x1b/0x30
+[ 75.308063] iso_sock_listen+0x143/0x5c0 [bluetooth]
+[ 75.308085] __sys_listen_socket+0x49/0x60
+[ 75.308088] __x64_sys_listen+0x4c/0x90
+[ 75.308090] x64_sys_call+0x2517/0x25f0
+[ 75.308092] do_syscall_64+0x87/0x150
+[ 75.308095] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ 75.308098]
+ -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_ISO){+.+.}-{0:0}:
+[ 75.308100] __lock_acquire+0x155e/0x25f0
+[ 75.308103] lock_acquire+0xc9/0x300
+[ 75.308105] lock_sock_nested+0x32/0x90
+[ 75.308107] iso_connect_cfm+0x253/0x840 [bluetooth]
+[ 75.308128] hci_connect_cfm+0x6c/0x190 [bluetooth]
+[ 75.308155] hci_le_per_adv_report_evt+0x27b/0x2f0 [bluetooth]
+[ 75.308180] hci_le_meta_evt+0xe7/0x200 [bluetooth]
+[ 75.308206] hci_event_packet+0x21f/0x5c0 [bluetooth]
+[ 75.308230] hci_rx_work+0x3ae/0xb10 [bluetooth]
+[ 75.308254] process_one_work+0x212/0x740
+[ 75.308256] worker_thread+0x1bd/0x3a0
+[ 75.308258] kthread+0xe4/0x120
+[ 75.308259] ret_from_fork+0x44/0x70
+[ 75.308261] ret_from_fork_asm+0x1a/0x30
+[ 75.308263]
+ other info that might help us debug this:
+
+[ 75.308264] Possible unsafe locking scenario:
+
+[ 75.308264] CPU0 CPU1
+[ 75.308265] ---- ----
+[ 75.308265] lock(&hdev->lock);
+[ 75.308267] lock(sk_lock-
+ AF_BLUETOOTH-BTPROTO_ISO);
+[ 75.308268] lock(&hdev->lock);
+[ 75.308269] lock(sk_lock-AF_BLUETOOTH-BTPROTO_ISO);
+[ 75.308270]
+ *** DEADLOCK ***
+
+[ 75.308271] 4 locks held by kworker/u81:2/2623:
+[ 75.308272] #0: ffff8fdd66e52148 ((wq_completion)hci0#2){+.+.}-{0:0},
+ at: process_one_work+0x443/0x740
+[ 75.308276] #1: ffffafb488b7fe48 ((work_completion)(&hdev->rx_work)),
+ at: process_one_work+0x1ce/0x740
+[ 75.308280] #2: ffff8fdd61a10078 (&hdev->lock){+.+.}-{3:3}
+ at: hci_le_per_adv_report_evt+0x47/0x2f0 [bluetooth]
+[ 75.308304] #3: ffffffffb6ba4900 (rcu_read_lock){....}-{1:2},
+ at: hci_connect_cfm+0x29/0x190 [bluetooth]
+
+Fixes: 02171da6e86a ("Bluetooth: ISO: Add hcon for listening bis sk")
+Signed-off-by: Iulia Tanasescu <iulia.tanasescu@nxp.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/iso.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index 269ce0bb73a1..809e88fd3fcb 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -1129,6 +1129,7 @@ static int iso_listen_bis(struct sock *sk)
+ return -EHOSTUNREACH;
+
+ hci_dev_lock(hdev);
++ lock_sock(sk);
+
+ /* Fail if user set invalid QoS */
+ if (iso_pi(sk)->qos_user_set && !check_bcast_qos(&iso_pi(sk)->qos)) {
+@@ -1159,6 +1160,7 @@ static int iso_listen_bis(struct sock *sk)
+ }
+
+ unlock:
++ release_sock(sk);
+ hci_dev_unlock(hdev);
+ hci_dev_put(hdev);
+ return err;
+@@ -1187,6 +1189,7 @@ static int iso_sock_listen(struct socket *sock, int backlog)
+
+ BT_DBG("sk %p backlog %d", sk, backlog);
+
++ sock_hold(sk);
+ lock_sock(sk);
+
+ if (sk->sk_state != BT_BOUND) {
+@@ -1199,10 +1202,16 @@ static int iso_sock_listen(struct socket *sock, int backlog)
+ goto done;
+ }
+
+- if (!bacmp(&iso_pi(sk)->dst, BDADDR_ANY))
++ if (!bacmp(&iso_pi(sk)->dst, BDADDR_ANY)) {
+ err = iso_listen_cis(sk);
+- else
++ } else {
++ /* Drop sock lock to avoid potential
++ * deadlock with the hdev lock.
++ */
++ release_sock(sk);
+ err = iso_listen_bis(sk);
++ lock_sock(sk);
++ }
+
+ if (err)
+ goto done;
+@@ -1214,6 +1223,7 @@ static int iso_sock_listen(struct socket *sock, int backlog)
+
+ done:
+ release_sock(sk);
++ sock_put(sk);
+ return err;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 3c7954d458199def158e7839ca142070d1d2ecf8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 14:28:49 +0200
+Subject: Bluetooth: iso: Fix recursive locking warning
+
+From: Iulia Tanasescu <iulia.tanasescu@nxp.com>
+
+[ Upstream commit 9bde7c3b3ad0e1f39d6df93dd1c9caf63e19e50f ]
+
+This updates iso_sock_accept to use nested locking for the parent
+socket, to avoid lockdep warnings caused because the parent and
+child sockets are locked by the same thread:
+
+[ 41.585683] ============================================
+[ 41.585688] WARNING: possible recursive locking detected
+[ 41.585694] 6.12.0-rc6+ #22 Not tainted
+[ 41.585701] --------------------------------------------
+[ 41.585705] iso-tester/3139 is trying to acquire lock:
+[ 41.585711] ffff988b29530a58 (sk_lock-AF_BLUETOOTH)
+ at: bt_accept_dequeue+0xe3/0x280 [bluetooth]
+[ 41.585905]
+ but task is already holding lock:
+[ 41.585909] ffff988b29533a58 (sk_lock-AF_BLUETOOTH)
+ at: iso_sock_accept+0x61/0x2d0 [bluetooth]
+[ 41.586064]
+ other info that might help us debug this:
+[ 41.586069] Possible unsafe locking scenario:
+
+[ 41.586072] CPU0
+[ 41.586076] ----
+[ 41.586079] lock(sk_lock-AF_BLUETOOTH);
+[ 41.586086] lock(sk_lock-AF_BLUETOOTH);
+[ 41.586093]
+ *** DEADLOCK ***
+
+[ 41.586097] May be due to missing lock nesting notation
+
+[ 41.586101] 1 lock held by iso-tester/3139:
+[ 41.586107] #0: ffff988b29533a58 (sk_lock-AF_BLUETOOTH)
+ at: iso_sock_accept+0x61/0x2d0 [bluetooth]
+
+Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
+Signed-off-by: Iulia Tanasescu <iulia.tanasescu@nxp.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/iso.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index 34eade4b0587..269ce0bb73a1 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -1225,7 +1225,11 @@ static int iso_sock_accept(struct socket *sock, struct socket *newsock,
+ long timeo;
+ int err = 0;
+
+- lock_sock(sk);
++ /* Use explicit nested locking to avoid lockdep warnings generated
++ * because the parent socket and the child socket are locked on the
++ * same thread.
++ */
++ lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
+
+ timeo = sock_rcvtimeo(sk, arg->flags & O_NONBLOCK);
+
+@@ -1256,7 +1260,7 @@ static int iso_sock_accept(struct socket *sock, struct socket *newsock,
+ release_sock(sk);
+
+ timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
+- lock_sock(sk);
++ lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
+ }
+ remove_wait_queue(sk_sleep(sk), &wait);
+
+--
+2.39.5
+
--- /dev/null
+From 4a5dcf5e76cfa6513c835819f58abd0ed95d07f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 16:51:59 +0100
+Subject: Bluetooth: SCO: Add support for 16 bits transparent voice setting
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frédéric Danis <frederic.danis@collabora.com>
+
+[ Upstream commit 29a651451e6c264f58cd9d9a26088e579d17b242 ]
+
+The voice setting is used by sco_connect() or sco_conn_defer_accept()
+after being set by sco_sock_setsockopt().
+
+The PCM part of the voice setting is used for offload mode through PCM
+chipset port.
+This commits add support for mSBC 16 bits offloading, i.e. audio data
+not transported over HCI.
+
+The BCM4349B1 supports 16 bits transparent data on its I2S port.
+If BT_VOICE_TRANSPARENT is used when accepting a SCO connection, this
+gives only garbage audio while using BT_VOICE_TRANSPARENT_16BIT gives
+correct audio.
+This has been tested with connection to iPhone 14 and Samsung S24.
+
+Fixes: ad10b1a48754 ("Bluetooth: Add Bluetooth socket voice option")
+Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/bluetooth.h | 1 +
+ net/bluetooth/sco.c | 29 +++++++++++++++--------------
+ 2 files changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/include/net/bluetooth/bluetooth.h b/include/net/bluetooth/bluetooth.h
+index e6760c11f007..435250c72d56 100644
+--- a/include/net/bluetooth/bluetooth.h
++++ b/include/net/bluetooth/bluetooth.h
+@@ -123,6 +123,7 @@ struct bt_voice {
+
+ #define BT_VOICE_TRANSPARENT 0x0003
+ #define BT_VOICE_CVSD_16BIT 0x0060
++#define BT_VOICE_TRANSPARENT_16BIT 0x0063
+
+ #define BT_SNDMTU 12
+ #define BT_RCVMTU 13
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 700abb639a55..b872a2ca3ff3 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -267,10 +267,13 @@ static int sco_connect(struct sock *sk)
+ else
+ type = SCO_LINK;
+
+- if (sco_pi(sk)->setting == BT_VOICE_TRANSPARENT &&
+- (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev))) {
+- err = -EOPNOTSUPP;
+- goto unlock;
++ switch (sco_pi(sk)->setting & SCO_AIRMODE_MASK) {
++ case SCO_AIRMODE_TRANSP:
++ if (!lmp_transp_capable(hdev) || !lmp_esco_capable(hdev)) {
++ err = -EOPNOTSUPP;
++ goto unlock;
++ }
++ break;
+ }
+
+ hcon = hci_connect_sco(hdev, type, &sco_pi(sk)->dst,
+@@ -877,13 +880,6 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname,
+ if (err)
+ break;
+
+- /* Explicitly check for these values */
+- if (voice.setting != BT_VOICE_TRANSPARENT &&
+- voice.setting != BT_VOICE_CVSD_16BIT) {
+- err = -EINVAL;
+- break;
+- }
+-
+ sco_pi(sk)->setting = voice.setting;
+ hdev = hci_get_route(&sco_pi(sk)->dst, &sco_pi(sk)->src,
+ BDADDR_BREDR);
+@@ -891,9 +887,14 @@ static int sco_sock_setsockopt(struct socket *sock, int level, int optname,
+ err = -EBADFD;
+ break;
+ }
+- if (enhanced_sync_conn_capable(hdev) &&
+- voice.setting == BT_VOICE_TRANSPARENT)
+- sco_pi(sk)->codec.id = BT_CODEC_TRANSPARENT;
++
++ switch (sco_pi(sk)->setting & SCO_AIRMODE_MASK) {
++ case SCO_AIRMODE_TRANSP:
++ if (enhanced_sync_conn_capable(hdev))
++ sco_pi(sk)->codec.id = BT_CODEC_TRANSPARENT;
++ break;
++ }
++
+ hci_dev_put(hdev);
+ break;
+
+--
+2.39.5
+
--- /dev/null
+From f31d6d189118fddd9245a11f506ae0e6e15a594b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Dec 2024 17:54:48 -0800
+Subject: bnxt_en: Fix aggregation ID mask to prevent oops on 5760X chips
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 24c6843b7393ebc80962b59d7ae71af91bf0dcc1 ]
+
+The 5760X (P7) chip's HW GRO/LRO interface is very similar to that of
+the previous generation (5750X or P5). However, the aggregation ID
+fields in the completion structures on P7 have been redefined from
+16 bits to 12 bits. The freed up 4 bits are redefined for part of the
+metadata such as the VLAN ID. The aggregation ID mask was not modified
+when adding support for P7 chips. Including the extra 4 bits for the
+aggregation ID can potentially cause the driver to store or fetch the
+packet header of GRO/LRO packets in the wrong TPA buffer. It may hit
+the BUG() condition in __skb_pull() because the SKB contains no valid
+packet header:
+
+kernel BUG at include/linux/skbuff.h:2766!
+Oops: invalid opcode: 0000 1 PREEMPT SMP NOPTI
+CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Kdump: loaded Tainted: G OE 6.12.0-rc2+ #7
+Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+Hardware name: Dell Inc. PowerEdge R760/0VRV9X, BIOS 1.0.1 12/27/2022
+RIP: 0010:eth_type_trans+0xda/0x140
+Code: 80 00 00 00 eb c1 8b 47 70 2b 47 74 48 8b 97 d0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb a5 <0f> 0b b8 00 01 00 00 eb 9c 48 85 ff 74 eb 31 f6 b9 02 00 00 00 48
+RSP: 0018:ff615003803fcc28 EFLAGS: 00010283
+RAX: 00000000000022d2 RBX: 0000000000000003 RCX: ff2e8c25da334040
+RDX: 0000000000000040 RSI: ff2e8c25c1ce8000 RDI: ff2e8c25869f9000
+RBP: ff2e8c258c31c000 R08: ff2e8c25da334000 R09: 0000000000000001
+R10: ff2e8c25da3342c0 R11: ff2e8c25c1ce89c0 R12: ff2e8c258e0990b0
+R13: ff2e8c25bb120000 R14: ff2e8c25c1ce89c0 R15: ff2e8c25869f9000
+FS: 0000000000000000(0000) GS:ff2e8c34be300000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000055f05317e4c8 CR3: 000000108bac6006 CR4: 0000000000773ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ <IRQ>
+ ? die+0x33/0x90
+ ? do_trap+0xd9/0x100
+ ? eth_type_trans+0xda/0x140
+ ? do_error_trap+0x65/0x80
+ ? eth_type_trans+0xda/0x140
+ ? exc_invalid_op+0x4e/0x70
+ ? eth_type_trans+0xda/0x140
+ ? asm_exc_invalid_op+0x16/0x20
+ ? eth_type_trans+0xda/0x140
+ bnxt_tpa_end+0x10b/0x6b0 [bnxt_en]
+ ? bnxt_tpa_start+0x195/0x320 [bnxt_en]
+ bnxt_rx_pkt+0x902/0xd90 [bnxt_en]
+ ? __bnxt_tx_int.constprop.0+0x89/0x300 [bnxt_en]
+ ? kmem_cache_free+0x343/0x440
+ ? __bnxt_tx_int.constprop.0+0x24f/0x300 [bnxt_en]
+ __bnxt_poll_work+0x193/0x370 [bnxt_en]
+ bnxt_poll_p5+0x9a/0x300 [bnxt_en]
+ ? try_to_wake_up+0x209/0x670
+ __napi_poll+0x29/0x1b0
+
+Fix it by redefining the aggregation ID mask for P5_PLUS chips to be
+12 bits. This will work because the maximum aggregation ID is less
+than 4096 on all P5_PLUS chips.
+
+Fixes: 13d2d3d381ee ("bnxt_en: Add new P7 hardware interface definitions")
+Reviewed-by: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241209015448.1937766-1-michael.chan@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+index 1d97219369c5..9e05704d9445 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+@@ -381,7 +381,7 @@ struct rx_agg_cmp {
+ u32 rx_agg_cmp_opaque;
+ __le32 rx_agg_cmp_v;
+ #define RX_AGG_CMP_V (1 << 0)
+- #define RX_AGG_CMP_AGG_ID (0xffff << 16)
++ #define RX_AGG_CMP_AGG_ID (0x0fff << 16)
+ #define RX_AGG_CMP_AGG_ID_SHIFT 16
+ __le32 rx_agg_cmp_unused;
+ };
+@@ -419,7 +419,7 @@ struct rx_tpa_start_cmp {
+ #define RX_TPA_START_CMP_V3_RSS_HASH_TYPE_SHIFT 7
+ #define RX_TPA_START_CMP_AGG_ID (0x7f << 25)
+ #define RX_TPA_START_CMP_AGG_ID_SHIFT 25
+- #define RX_TPA_START_CMP_AGG_ID_P5 (0xffff << 16)
++ #define RX_TPA_START_CMP_AGG_ID_P5 (0x0fff << 16)
+ #define RX_TPA_START_CMP_AGG_ID_SHIFT_P5 16
+ #define RX_TPA_START_CMP_METADATA1 (0xf << 28)
+ #define RX_TPA_START_CMP_METADATA1_SHIFT 28
+@@ -543,7 +543,7 @@ struct rx_tpa_end_cmp {
+ #define RX_TPA_END_CMP_PAYLOAD_OFFSET_SHIFT 16
+ #define RX_TPA_END_CMP_AGG_ID (0x7f << 25)
+ #define RX_TPA_END_CMP_AGG_ID_SHIFT 25
+- #define RX_TPA_END_CMP_AGG_ID_P5 (0xffff << 16)
++ #define RX_TPA_END_CMP_AGG_ID_P5 (0x0fff << 16)
+ #define RX_TPA_END_CMP_AGG_ID_SHIFT_P5 16
+
+ __le32 rx_tpa_end_cmp_tsdelta;
+--
+2.39.5
+
--- /dev/null
+From 395800cc25ce77ab841ff275170a661ef2326418 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 13:59:17 -0800
+Subject: bnxt_en: Fix GSO type for HW GRO packets on 5750X chips
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit de37faf41ac55619dd329229a9bd9698faeabc52 ]
+
+The existing code is using RSS profile to determine IPV4/IPV6 GSO type
+on all chips older than 5760X. This won't work on 5750X chips that may
+be using modified RSS profiles. This commit from 2018 has updated the
+driver to not use RSS profile for HW GRO packets on newer chips:
+
+50f011b63d8c ("bnxt_en: Update RSS setup and GRO-HW logic according to the latest spec.")
+
+However, a recent commit to add support for the newest 5760X chip broke
+the logic. If the GRO packet needs to be re-segmented by the stack, the
+wrong GSO type will cause the packet to be dropped.
+
+Fix it to only use RSS profile to determine GSO type on the oldest
+5730X/5740X chips which cannot use the new method and is safe to use the
+RSS profiles.
+
+Also fix the L3/L4 hash type for RX packets by not using the RSS
+profile for the same reason. Use the ITYPE field in the RX completion
+to determine L3/L4 hash types correctly.
+
+Fixes: a7445d69809f ("bnxt_en: Add support for new RX and TPA_START completion types for P7")
+Reviewed-by: Colin Winegarden <colin.winegarden@broadcom.com>
+Reviewed-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Link: https://patch.msgid.link/20241204215918.1692597-2-michael.chan@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 14 ++++++--------
+ drivers/net/ethernet/broadcom/bnxt/bnxt.h | 3 +++
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 3d9ee91e1f8b..dafc5a4039cd 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -1518,7 +1518,7 @@ static void bnxt_tpa_start(struct bnxt *bp, struct bnxt_rx_ring_info *rxr,
+ if (TPA_START_IS_IPV6(tpa_start1))
+ tpa_info->gso_type = SKB_GSO_TCPV6;
+ /* RSS profiles 1 and 3 with extract code 0 for inner 4-tuple */
+- else if (cmp_type == CMP_TYPE_RX_L2_TPA_START_CMP &&
++ else if (!BNXT_CHIP_P4_PLUS(bp) &&
+ TPA_START_HASH_TYPE(tpa_start) == 3)
+ tpa_info->gso_type = SKB_GSO_TCPV6;
+ tpa_info->rss_hash =
+@@ -2212,15 +2212,13 @@ static int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
+ if (cmp_type == CMP_TYPE_RX_L2_V3_CMP) {
+ type = bnxt_rss_ext_op(bp, rxcmp);
+ } else {
+- u32 hash_type = RX_CMP_HASH_TYPE(rxcmp);
++ u32 itypes = RX_CMP_ITYPES(rxcmp);
+
+- /* RSS profiles 1 and 3 with extract code 0 for inner
+- * 4-tuple
+- */
+- if (hash_type != 1 && hash_type != 3)
+- type = PKT_HASH_TYPE_L3;
+- else
++ if (itypes == RX_CMP_FLAGS_ITYPE_TCP ||
++ itypes == RX_CMP_FLAGS_ITYPE_UDP)
+ type = PKT_HASH_TYPE_L4;
++ else
++ type = PKT_HASH_TYPE_L3;
+ }
+ skb_set_hash(skb, le32_to_cpu(rxcmp->rx_cmp_rss_hash), type);
+ }
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+index 69231e85140b..1d97219369c5 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+@@ -267,6 +267,9 @@ struct rx_cmp {
+ (((le32_to_cpu((rxcmp)->rx_cmp_misc_v1) & RX_CMP_RSS_HASH_TYPE) >>\
+ RX_CMP_RSS_HASH_TYPE_SHIFT) & RSS_PROFILE_ID_MASK)
+
++#define RX_CMP_ITYPES(rxcmp) \
++ (le32_to_cpu((rxcmp)->rx_cmp_len_flags_type) & RX_CMP_FLAGS_ITYPES_MASK)
++
+ #define RX_CMP_V3_HASH_TYPE_LEGACY(rxcmp) \
+ ((le32_to_cpu((rxcmp)->rx_cmp_misc_v1) & RX_CMP_V3_RSS_EXT_OP_LEGACY) >>\
+ RX_CMP_V3_RSS_EXT_OP_LEGACY_SHIFT)
+--
+2.39.5
+
--- /dev/null
+From ecb7f8d43973d5d35f1e0c7a1ef90f94fbf6b779 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 15:12:43 +0100
+Subject: bonding: Fix feature propagation of NETIF_F_GSO_ENCAP_ALL
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 77b11c8bf3a228d1c63464534c2dcc8d9c8bf7ff ]
+
+Drivers like mlx5 expose NIC's vlan_features such as
+NETIF_F_GSO_UDP_TUNNEL & NETIF_F_GSO_UDP_TUNNEL_CSUM which are
+later not propagated when the underlying devices are bonded and
+a vlan device created on top of the bond.
+
+Right now, the more cumbersome workaround for this is to create
+the vlan on top of the mlx5 and then enslave the vlan devices
+to a bond.
+
+To fix this, add NETIF_F_GSO_ENCAP_ALL to BOND_VLAN_FEATURES
+such that bond_compute_features() can probe and propagate the
+vlan_features from the slave devices up to the vlan device.
+
+Given the following bond:
+
+ # ethtool -i enp2s0f{0,1}np{0,1}
+ driver: mlx5_core
+ [...]
+
+ # ethtool -k enp2s0f0np0 | grep udp
+ tx-udp_tnl-segmentation: on
+ tx-udp_tnl-csum-segmentation: on
+ tx-udp-segmentation: on
+ rx-udp_tunnel-port-offload: on
+ rx-udp-gro-forwarding: off
+
+ # ethtool -k enp2s0f1np1 | grep udp
+ tx-udp_tnl-segmentation: on
+ tx-udp_tnl-csum-segmentation: on
+ tx-udp-segmentation: on
+ rx-udp_tunnel-port-offload: on
+ rx-udp-gro-forwarding: off
+
+ # ethtool -k bond0 | grep udp
+ tx-udp_tnl-segmentation: on
+ tx-udp_tnl-csum-segmentation: on
+ tx-udp-segmentation: on
+ rx-udp_tunnel-port-offload: off [fixed]
+ rx-udp-gro-forwarding: off
+
+Before:
+
+ # ethtool -k bond0.100 | grep udp
+ tx-udp_tnl-segmentation: off [requested on]
+ tx-udp_tnl-csum-segmentation: off [requested on]
+ tx-udp-segmentation: on
+ rx-udp_tunnel-port-offload: off [fixed]
+ rx-udp-gro-forwarding: off
+
+After:
+
+ # ethtool -k bond0.100 | grep udp
+ tx-udp_tnl-segmentation: on
+ tx-udp_tnl-csum-segmentation: on
+ tx-udp-segmentation: on
+ rx-udp_tunnel-port-offload: off [fixed]
+ rx-udp-gro-forwarding: off
+
+Various users have run into this reporting performance issues when
+configuring Cilium in vxlan tunneling mode and having the combination
+of bond & vlan for the core devices connecting the Kubernetes cluster
+to the outside world.
+
+Fixes: a9b3ace44c7d ("bonding: fix vlan_features computing")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Nikolay Aleksandrov <razor@blackwall.org>
+Cc: Ido Schimmel <idosch@idosch.org>
+Cc: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://patch.msgid.link/20241210141245.327886-3-daniel@iogearbox.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index dfad7b6f9f35..4d73abae503d 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1534,6 +1534,7 @@ static netdev_features_t bond_fix_features(struct net_device *dev,
+
+ #define BOND_VLAN_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \
+ NETIF_F_FRAGLIST | NETIF_F_GSO_SOFTWARE | \
++ NETIF_F_GSO_ENCAP_ALL | \
+ NETIF_F_HIGHDMA | NETIF_F_LRO)
+
+ #define BOND_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \
+--
+2.39.5
+
--- /dev/null
+From bb11905813fc70a80e568e1195b3e672e22674a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 15:12:42 +0100
+Subject: bonding: Fix initial {vlan,mpls}_feature set in bond_compute_features
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit d064ea7fe2a24938997b5e88e6b61cbb0a4bb906 ]
+
+If a bonding device has slave devices, then the current logic to derive
+the feature set for the master bond device is limited in that flags which
+are fully supported by the underlying slave devices cannot be propagated
+up to vlan devices which sit on top of bond devices. Instead, these get
+blindly masked out via current NETIF_F_ALL_FOR_ALL logic.
+
+vlan_features and mpls_features should reuse netdev_base_features() in
+order derive the set in the same way as ndo_fix_features before iterating
+through the slave devices to refine the feature set.
+
+Fixes: a9b3ace44c7d ("bonding: fix vlan_features computing")
+Fixes: 2e770b507ccd ("net: bonding: Inherit MPLS features from slave devices")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Nikolay Aleksandrov <razor@blackwall.org>
+Cc: Ido Schimmel <idosch@idosch.org>
+Cc: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://patch.msgid.link/20241210141245.327886-2-daniel@iogearbox.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 166910693fd7..dfad7b6f9f35 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1562,8 +1562,9 @@ static void bond_compute_features(struct bonding *bond)
+
+ if (!bond_has_slaves(bond))
+ goto done;
+- vlan_features &= NETIF_F_ALL_FOR_ALL;
+- mpls_features &= NETIF_F_ALL_FOR_ALL;
++
++ vlan_features = netdev_base_features(vlan_features);
++ mpls_features = netdev_base_features(mpls_features);
+
+ bond_for_each_slave(bond, slave, iter) {
+ vlan_features = netdev_increment_features(vlan_features,
+--
+2.39.5
+
--- /dev/null
+From 5b830ec5229762b4d7ff782b009aff28ad97fc16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 11:06:32 +0000
+Subject: cifs: Fix rmdir failure due to ongoing I/O on deleted file
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit bb57c81e97e0082abfb0406ed6f67c615c3d206c ]
+
+The cifs_io_request struct (a wrapper around netfs_io_request) holds open
+the file on the server, even beyond the local Linux file being closed.
+This can cause problems with Windows-based filesystems as the file's name
+still exists after deletion until the file is closed, preventing the parent
+directory from being removed and causing spurious test failures in xfstests
+due to inability to remove a directory. The symptom looks something like
+this in the test output:
+
+ rm: cannot remove '/mnt/scratch/test/p0/d3': Directory not empty
+ rm: cannot remove '/mnt/scratch/test/p1/dc/dae': Directory not empty
+
+Fix this by waiting in unlink and rename for any outstanding I/O requests
+to be completed on the target file before removing that file.
+
+Note that this doesn't prevent Linux from trying to start new requests
+after deletion if it still has the file open locally - something that's
+perfectly acceptable on a UNIX system.
+
+Note also that whilst I've marked this as fixing the commit to make cifs
+use netfslib, I don't know that it won't occur before that.
+
+Fixes: 3ee1a1fc3981 ("cifs: Cut over to using netfslib")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+cc: Jeff Layton <jlayton@kernel.org>
+cc: linux-cifs@vger.kernel.org
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/inode.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/inode.c b/fs/smb/client/inode.c
+index b35fe1075503..fafc07e38663 100644
+--- a/fs/smb/client/inode.c
++++ b/fs/smb/client/inode.c
+@@ -1925,6 +1925,7 @@ int cifs_unlink(struct inode *dir, struct dentry *dentry)
+ goto unlink_out;
+ }
+
++ netfs_wait_for_outstanding_io(inode);
+ cifs_close_deferred_file_under_dentry(tcon, full_path);
+ #ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
+ if (cap_unix(tcon->ses) && (CIFS_UNIX_POSIX_PATH_OPS_CAP &
+@@ -2442,8 +2443,10 @@ cifs_rename2(struct mnt_idmap *idmap, struct inode *source_dir,
+ }
+
+ cifs_close_deferred_file_under_dentry(tcon, from_name);
+- if (d_inode(target_dentry) != NULL)
++ if (d_inode(target_dentry) != NULL) {
++ netfs_wait_for_outstanding_io(d_inode(target_dentry));
+ cifs_close_deferred_file_under_dentry(tcon, to_name);
++ }
+
+ rc = cifs_do_rename(xid, source_dentry, from_name, target_dentry,
+ to_name);
+--
+2.39.5
+
--- /dev/null
+From 6413098cd5bded5be14c1f28311fd831f44a7293 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 11:50:14 +0530
+Subject: cxgb4: use port number to set mac addr
+
+From: Anumula Murali Mohan Reddy <anumula@chelsio.com>
+
+[ Upstream commit 356983f569c1f5991661fc0050aa263792f50616 ]
+
+t4_set_vf_mac_acl() uses pf to set mac addr, but t4vf_get_vf_mac_acl()
+uses port number to get mac addr, this leads to error when an attempt
+to set MAC address on VF's of PF2 and PF3.
+This patch fixes the issue by using port number to set mac address.
+
+Fixes: e0cdac65ba26 ("cxgb4vf: configure ports accessible by the VF")
+Signed-off-by: Anumula Murali Mohan Reddy <anumula@chelsio.com>
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241206062014.49414-1-anumula@chelsio.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4.h | 2 +-
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +-
+ drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 5 +++--
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h b/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h
+index bbf7641a0fc7..7e13cd69f68a 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4.h
+@@ -2077,7 +2077,7 @@ void t4_idma_monitor(struct adapter *adapter,
+ struct sge_idma_monitor_state *idma,
+ int hz, int ticks);
+ int t4_set_vf_mac_acl(struct adapter *adapter, unsigned int vf,
+- unsigned int naddr, u8 *addr);
++ u8 start, unsigned int naddr, u8 *addr);
+ void t4_tp_pio_read(struct adapter *adap, u32 *buff, u32 nregs,
+ u32 start_index, bool sleep_ok);
+ void t4_tp_tm_pio_read(struct adapter *adap, u32 *buff, u32 nregs,
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+index 2418645c8823..fb3933fbb842 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+@@ -3246,7 +3246,7 @@ static int cxgb4_mgmt_set_vf_mac(struct net_device *dev, int vf, u8 *mac)
+
+ dev_info(pi->adapter->pdev_dev,
+ "Setting MAC %pM on VF %d\n", mac, vf);
+- ret = t4_set_vf_mac_acl(adap, vf + 1, 1, mac);
++ ret = t4_set_vf_mac_acl(adap, vf + 1, pi->lport, 1, mac);
+ if (!ret)
+ ether_addr_copy(adap->vfinfo[vf].vf_mac_addr, mac);
+ return ret;
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
+index 76de55306c4d..175bf9b13058 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
+@@ -10215,11 +10215,12 @@ int t4_load_cfg(struct adapter *adap, const u8 *cfg_data, unsigned int size)
+ * t4_set_vf_mac_acl - Set MAC address for the specified VF
+ * @adapter: The adapter
+ * @vf: one of the VFs instantiated by the specified PF
++ * @start: The start port id associated with specified VF
+ * @naddr: the number of MAC addresses
+ * @addr: the MAC address(es) to be set to the specified VF
+ */
+ int t4_set_vf_mac_acl(struct adapter *adapter, unsigned int vf,
+- unsigned int naddr, u8 *addr)
++ u8 start, unsigned int naddr, u8 *addr)
+ {
+ struct fw_acl_mac_cmd cmd;
+
+@@ -10234,7 +10235,7 @@ int t4_set_vf_mac_acl(struct adapter *adapter, unsigned int vf,
+ cmd.en_to_len16 = cpu_to_be32((unsigned int)FW_LEN16(cmd));
+ cmd.nmac = naddr;
+
+- switch (adapter->pf) {
++ switch (start) {
+ case 3:
+ memcpy(cmd.macaddr3, addr, sizeof(cmd.macaddr3));
+ break;
+--
+2.39.5
+
--- /dev/null
+From 196deb085965fb01abbb928181eff567bcabba81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2024 12:05:31 +0100
+Subject: Documentation: networking: Add a caveat to nexthop_compat_mode sysctl
+
+From: Petr Machata <petrm@nvidia.com>
+
+[ Upstream commit bbe4b41259a3e255a16d795486d331c1670b4e75 ]
+
+net.ipv4.nexthop_compat_mode was added when nexthop objects were added to
+provide the view of nexthop objects through the usual lens of the route
+UAPI. As nexthop objects evolved, the information provided through this
+lens became incomplete. For example, details of resilient nexthop groups
+are obviously omitted.
+
+Now that 16-bit nexthop group weights are a thing, the 8-bit UAPI cannot
+convey the >8-bit weight accurately. Instead of inventing workarounds for
+an obsolete interface, just document the expectations of inaccuracy.
+
+Fixes: b72a6a7ab957 ("net: nexthop: Increase weight to u16")
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/b575e32399ccacd09079b2a218255164535123bd.1733740749.git.petrm@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/networking/ip-sysctl.rst | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
+index eacf8983e230..dcbb6f6caf6d 100644
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -2170,6 +2170,12 @@ nexthop_compat_mode - BOOLEAN
+ understands the new API, this sysctl can be disabled to achieve full
+ performance benefits of the new API by disabling the nexthop expansion
+ and extraneous notifications.
++
++ Note that as a backward-compatible mode, dumping of modern features
++ might be incomplete or wrong. For example, resilient groups will not be
++ shown as such, but rather as just a list of next hops. Also weights that
++ do not fit into 8 bits will show incorrectly.
++
+ Default: true (backward compat mode)
+
+ fib_notify_on_flag_change - INTEGER
+--
+2.39.5
+
--- /dev/null
+From 3796fe96f7c390533571da99332754f0e4fef91f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2024 14:37:29 +0000
+Subject: Documentation: PM: Clarify pm_runtime_resume_and_get() return value
+
+From: Paul Barker <paul.barker.ct@bp.renesas.com>
+
+[ Upstream commit ccb84dc8f4a02e7d30ffd388522996546b4d00e1 ]
+
+Update the documentation to match the behaviour of the code.
+
+pm_runtime_resume_and_get() always returns 0 on success, even if
+__pm_runtime_resume() returns 1.
+
+Fixes: 2c412337cfe6 ("PM: runtime: Add documentation for pm_runtime_resume_and_get()")
+Signed-off-by: Paul Barker <paul.barker.ct@bp.renesas.com>
+Link: https://patch.msgid.link/20241203143729.478-1-paul.barker.ct@bp.renesas.com
+[ rjw: Subject and changelog edits, adjusted new comment formatting ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/power/runtime_pm.rst | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/power/runtime_pm.rst b/Documentation/power/runtime_pm.rst
+index 53d1996460ab..12f429359a82 100644
+--- a/Documentation/power/runtime_pm.rst
++++ b/Documentation/power/runtime_pm.rst
+@@ -347,7 +347,9 @@ drivers/base/power/runtime.c and include/linux/pm_runtime.h:
+
+ `int pm_runtime_resume_and_get(struct device *dev);`
+ - run pm_runtime_resume(dev) and if successful, increment the device's
+- usage counter; return the result of pm_runtime_resume
++ usage counter; returns 0 on success (whether or not the device's
++ runtime PM status was already 'active') or the error code from
++ pm_runtime_resume() on failure.
+
+ `int pm_request_idle(struct device *dev);`
+ - submit a request to execute the subsystem-level idle callback for the
+--
+2.39.5
+
--- /dev/null
+From 62695e172bf8557a25888a38fe770a70b08e6fac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2024 22:20:58 +0100
+Subject: drm/xe: fix the ERR_PTR() returned on failure to allocate tiny pt
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirsad Todorovac <mtodorovac69@gmail.com>
+
+[ Upstream commit ed69b28b3a5e39871ba5599992f80562d6ee59db ]
+
+Running coccinelle spatch gave the following warning:
+
+./drivers/gpu/drm/xe/tests/xe_migrate.c:226:5-11: inconsistent IS_ERR
+and PTR_ERR on line 228.
+
+The code reports PTR_ERR(pt) when IS_ERR(tiny) is checked:
+
+→ 211 pt = xe_bo_create_pin_map(xe, tile, m->q->vm, XE_PAGE_SIZE,
+ 212 ttm_bo_type_kernel,
+ 213 XE_BO_FLAG_VRAM_IF_DGFX(tile) |
+ 214 XE_BO_FLAG_PINNED);
+ 215 if (IS_ERR(pt)) {
+ 216 KUNIT_FAIL(test, "Failed to allocate fake pt: %li\n",
+ 217 PTR_ERR(pt));
+ 218 goto free_big;
+ 219 }
+ 220
+ 221 tiny = xe_bo_create_pin_map(xe, tile, m->q->vm,
+→ 222 2 * SZ_4K,
+ 223 ttm_bo_type_kernel,
+ 224 XE_BO_FLAG_VRAM_IF_DGFX(tile) |
+ 225 XE_BO_FLAG_PINNED);
+→ 226 if (IS_ERR(tiny)) {
+→ 227 KUNIT_FAIL(test, "Failed to allocate fake pt: %li\n",
+→ 228 PTR_ERR(pt));
+ 229 goto free_pt;
+ 230 }
+
+Now, the IS_ERR(tiny) and the corresponding PTR_ERR(pt) do not match.
+
+Returning PTR_ERR(tiny), as the last failed function call, seems logical.
+
+Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
+Signed-off-by: Mirsad Todorovac <mtodorovac69@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241121212057.1526634-2-mtodorovac69@gmail.com
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+(cherry picked from commit cb57c75098c1c449a007ba301f9073f96febaaa9)
+Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/tests/xe_migrate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/tests/xe_migrate.c b/drivers/gpu/drm/xe/tests/xe_migrate.c
+index 1a192a2a941b..3bbdb362d6f0 100644
+--- a/drivers/gpu/drm/xe/tests/xe_migrate.c
++++ b/drivers/gpu/drm/xe/tests/xe_migrate.c
+@@ -224,8 +224,8 @@ static void xe_migrate_sanity_test(struct xe_migrate *m, struct kunit *test)
+ XE_BO_FLAG_VRAM_IF_DGFX(tile) |
+ XE_BO_FLAG_PINNED);
+ if (IS_ERR(tiny)) {
+- KUNIT_FAIL(test, "Failed to allocate fake pt: %li\n",
+- PTR_ERR(pt));
++ KUNIT_FAIL(test, "Failed to allocate tiny fake pt: %li\n",
++ PTR_ERR(tiny));
+ goto free_pt;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 6689bda24aaaed732c142158cb9e5d9446848805 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2024 15:27:35 -0800
+Subject: drm/xe/reg_sr: Remove register pool
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lucas De Marchi <lucas.demarchi@intel.com>
+
+[ Upstream commit d7b028656c29b22fcde1c6ee1df5b28fbba987b5 ]
+
+That pool implementation doesn't really work: if the krealloc happens to
+move the memory and return another address, the entries in the xarray
+become invalid, leading to use-after-free later:
+
+ BUG: KASAN: slab-use-after-free in xe_reg_sr_apply_mmio+0x570/0x760 [xe]
+ Read of size 4 at addr ffff8881244b2590 by task modprobe/2753
+
+ Allocated by task 2753:
+ kasan_save_stack+0x39/0x70
+ kasan_save_track+0x14/0x40
+ kasan_save_alloc_info+0x37/0x60
+ __kasan_kmalloc+0xc3/0xd0
+ __kmalloc_node_track_caller_noprof+0x200/0x6d0
+ krealloc_noprof+0x229/0x380
+
+Simplify the code to fix the bug. A better pooling strategy may be added
+back later if needed.
+
+Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
+Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241209232739.147417-2-lucas.demarchi@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit e5283bd4dfecbd3335f43b62a68e24dae23f59e4)
+Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_reg_sr.c | 31 ++++++----------------------
+ drivers/gpu/drm/xe/xe_reg_sr_types.h | 6 ------
+ 2 files changed, 6 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_reg_sr.c b/drivers/gpu/drm/xe/xe_reg_sr.c
+index 440ac572f6e5..52969c090965 100644
+--- a/drivers/gpu/drm/xe/xe_reg_sr.c
++++ b/drivers/gpu/drm/xe/xe_reg_sr.c
+@@ -26,46 +26,27 @@
+ #include "xe_reg_whitelist.h"
+ #include "xe_rtp_types.h"
+
+-#define XE_REG_SR_GROW_STEP_DEFAULT 16
+-
+ static void reg_sr_fini(struct drm_device *drm, void *arg)
+ {
+ struct xe_reg_sr *sr = arg;
++ struct xe_reg_sr_entry *entry;
++ unsigned long reg;
++
++ xa_for_each(&sr->xa, reg, entry)
++ kfree(entry);
+
+ xa_destroy(&sr->xa);
+- kfree(sr->pool.arr);
+- memset(&sr->pool, 0, sizeof(sr->pool));
+ }
+
+ int xe_reg_sr_init(struct xe_reg_sr *sr, const char *name, struct xe_device *xe)
+ {
+ xa_init(&sr->xa);
+- memset(&sr->pool, 0, sizeof(sr->pool));
+- sr->pool.grow_step = XE_REG_SR_GROW_STEP_DEFAULT;
+ sr->name = name;
+
+ return drmm_add_action_or_reset(&xe->drm, reg_sr_fini, sr);
+ }
+ EXPORT_SYMBOL_IF_KUNIT(xe_reg_sr_init);
+
+-static struct xe_reg_sr_entry *alloc_entry(struct xe_reg_sr *sr)
+-{
+- if (sr->pool.used == sr->pool.allocated) {
+- struct xe_reg_sr_entry *arr;
+-
+- arr = krealloc_array(sr->pool.arr,
+- ALIGN(sr->pool.allocated + 1, sr->pool.grow_step),
+- sizeof(*arr), GFP_KERNEL);
+- if (!arr)
+- return NULL;
+-
+- sr->pool.arr = arr;
+- sr->pool.allocated += sr->pool.grow_step;
+- }
+-
+- return &sr->pool.arr[sr->pool.used++];
+-}
+-
+ static bool compatible_entries(const struct xe_reg_sr_entry *e1,
+ const struct xe_reg_sr_entry *e2)
+ {
+@@ -111,7 +92,7 @@ int xe_reg_sr_add(struct xe_reg_sr *sr,
+ return 0;
+ }
+
+- pentry = alloc_entry(sr);
++ pentry = kmalloc(sizeof(*pentry), GFP_KERNEL);
+ if (!pentry) {
+ ret = -ENOMEM;
+ goto fail;
+diff --git a/drivers/gpu/drm/xe/xe_reg_sr_types.h b/drivers/gpu/drm/xe/xe_reg_sr_types.h
+index ad48a52b824a..ebe11f237fa2 100644
+--- a/drivers/gpu/drm/xe/xe_reg_sr_types.h
++++ b/drivers/gpu/drm/xe/xe_reg_sr_types.h
+@@ -20,12 +20,6 @@ struct xe_reg_sr_entry {
+ };
+
+ struct xe_reg_sr {
+- struct {
+- struct xe_reg_sr_entry *arr;
+- unsigned int used;
+- unsigned int allocated;
+- unsigned int grow_step;
+- } pool;
+ struct xarray xa;
+ const char *name;
+
+--
+2.39.5
+
--- /dev/null
+From 8845b746c447c715080e448d62aeed25f73fb205 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2024 18:26:30 +0100
+Subject: gpio: idio-16: Actually make use of the GPIO_IDIO_16 symbol namespace
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+
+[ Upstream commit 9ac4b58fcef0f9fc03fa6e126a5f53c1c71ada8a ]
+
+DEFAULT_SYMBOL_NAMESPACE must already be defined when <linux/export.h>
+is included. So move the define above the include block.
+
+Fixes: b9b1fc1ae119 ("gpio: idio-16: Introduce the ACCES IDIO-16 GPIO library module")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Acked-by: William Breathitt Gray <wbg@kernel.org>
+Link: https://lore.kernel.org/r/20241203172631.1647792-2-u.kleine-koenig@baylibre.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-idio-16.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpio-idio-16.c b/drivers/gpio/gpio-idio-16.c
+index 2c9512589297..0103be977c66 100644
+--- a/drivers/gpio/gpio-idio-16.c
++++ b/drivers/gpio/gpio-idio-16.c
+@@ -3,6 +3,9 @@
+ * GPIO library for the ACCES IDIO-16 family
+ * Copyright (C) 2022 William Breathitt Gray
+ */
++
++#define DEFAULT_SYMBOL_NAMESPACE "GPIO_IDIO_16"
++
+ #include <linux/bits.h>
+ #include <linux/device.h>
+ #include <linux/err.h>
+@@ -14,8 +17,6 @@
+
+ #include "gpio-idio-16.h"
+
+-#define DEFAULT_SYMBOL_NAMESPACE "GPIO_IDIO_16"
+-
+ #define IDIO_16_DAT_BASE 0x0
+ #define IDIO_16_OUT_BASE IDIO_16_DAT_BASE
+ #define IDIO_16_IN_BASE (IDIO_16_DAT_BASE + 1)
+--
+2.39.5
+
--- /dev/null
+From ca8b0c4640e5fac7c06164b0494493bf64c60c94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 19:16:39 +0800
+Subject: kselftest/arm64: abi: fix SVCR detection
+
+From: Weizhao Ouyang <o451686892@gmail.com>
+
+[ Upstream commit ce03573a1917532da06057da9f8e74a2ee9e2ac9 ]
+
+When using svcr_in to check ZA and Streaming Mode, we should make sure
+that the value in x2 is correct, otherwise it may trigger an Illegal
+instruction if FEAT_SVE and !FEAT_SME.
+
+Fixes: 43e3f85523e4 ("kselftest/arm64: Add SME support to syscall ABI test")
+Signed-off-by: Weizhao Ouyang <o451686892@gmail.com>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20241211111639.12344-1-o451686892@gmail.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/arm64/abi/syscall-abi-asm.S | 32 +++++++++----------
+ 1 file changed, 15 insertions(+), 17 deletions(-)
+
+diff --git a/tools/testing/selftests/arm64/abi/syscall-abi-asm.S b/tools/testing/selftests/arm64/abi/syscall-abi-asm.S
+index df3230fdac39..66ab2e0bae5f 100644
+--- a/tools/testing/selftests/arm64/abi/syscall-abi-asm.S
++++ b/tools/testing/selftests/arm64/abi/syscall-abi-asm.S
+@@ -81,32 +81,31 @@ do_syscall:
+ stp x27, x28, [sp, #96]
+
+ // Set SVCR if we're doing SME
+- cbz x1, 1f
++ cbz x1, load_gpr
+ adrp x2, svcr_in
+ ldr x2, [x2, :lo12:svcr_in]
+ msr S3_3_C4_C2_2, x2
+-1:
+
+ // Load ZA and ZT0 if enabled - uses x12 as scratch due to SME LDR
+- tbz x2, #SVCR_ZA_SHIFT, 1f
++ tbz x2, #SVCR_ZA_SHIFT, load_gpr
+ mov w12, #0
+ ldr x2, =za_in
+-2: _ldr_za 12, 2
++1: _ldr_za 12, 2
+ add x2, x2, x1
+ add x12, x12, #1
+ cmp x1, x12
+- bne 2b
++ bne 1b
+
+ // ZT0
+ mrs x2, S3_0_C0_C4_5 // ID_AA64SMFR0_EL1
+ ubfx x2, x2, #ID_AA64SMFR0_EL1_SMEver_SHIFT, \
+ #ID_AA64SMFR0_EL1_SMEver_WIDTH
+- cbz x2, 1f
++ cbz x2, load_gpr
+ adrp x2, zt_in
+ add x2, x2, :lo12:zt_in
+ _ldr_zt 2
+-1:
+
++load_gpr:
+ // Load GPRs x8-x28, and save our SP/FP for later comparison
+ ldr x2, =gpr_in
+ add x2, x2, #64
+@@ -125,9 +124,9 @@ do_syscall:
+ str x30, [x2], #8 // LR
+
+ // Load FPRs if we're not doing neither SVE nor streaming SVE
+- cbnz x0, 1f
++ cbnz x0, check_sve_in
+ ldr x2, =svcr_in
+- tbnz x2, #SVCR_SM_SHIFT, 1f
++ tbnz x2, #SVCR_SM_SHIFT, check_sve_in
+
+ ldr x2, =fpr_in
+ ldp q0, q1, [x2]
+@@ -148,8 +147,8 @@ do_syscall:
+ ldp q30, q31, [x2, #16 * 30]
+
+ b 2f
+-1:
+
++check_sve_in:
+ // Load the SVE registers if we're doing SVE/SME
+
+ ldr x2, =z_in
+@@ -256,32 +255,31 @@ do_syscall:
+ stp q30, q31, [x2, #16 * 30]
+
+ // Save SVCR if we're doing SME
+- cbz x1, 1f
++ cbz x1, check_sve_out
+ mrs x2, S3_3_C4_C2_2
+ adrp x3, svcr_out
+ str x2, [x3, :lo12:svcr_out]
+-1:
+
+ // Save ZA if it's enabled - uses x12 as scratch due to SME STR
+- tbz x2, #SVCR_ZA_SHIFT, 1f
++ tbz x2, #SVCR_ZA_SHIFT, check_sve_out
+ mov w12, #0
+ ldr x2, =za_out
+-2: _str_za 12, 2
++1: _str_za 12, 2
+ add x2, x2, x1
+ add x12, x12, #1
+ cmp x1, x12
+- bne 2b
++ bne 1b
+
+ // ZT0
+ mrs x2, S3_0_C0_C4_5 // ID_AA64SMFR0_EL1
+ ubfx x2, x2, #ID_AA64SMFR0_EL1_SMEver_SHIFT, \
+ #ID_AA64SMFR0_EL1_SMEver_WIDTH
+- cbz x2, 1f
++ cbz x2, check_sve_out
+ adrp x2, zt_out
+ add x2, x2, :lo12:zt_out
+ _str_zt 2
+-1:
+
++check_sve_out:
+ // Save the SVE state if we have some
+ cbz x0, 1f
+
+--
+2.39.5
+
--- /dev/null
+From 40c52ebd18634bc2ff9e25c558ef7a8bfdbabc35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2024 16:04:48 +0000
+Subject: libperf: evlist: Fix --cpu argument on hybrid platform
+
+From: James Clark <james.clark@linaro.org>
+
+[ Upstream commit f7e36d02d771ee14acae1482091718460cffb321 ]
+
+Since the linked fixes: commit, specifying a CPU on hybrid platforms
+results in an error because Perf tries to open an extended type event
+on "any" CPU which isn't valid. Extended type events can only be opened
+on CPUs that match the type.
+
+Before (working):
+
+ $ perf record --cpu 1 -- true
+ [ perf record: Woken up 1 times to write data ]
+ [ perf record: Captured and wrote 2.385 MB perf.data (7 samples) ]
+
+After (not working):
+
+ $ perf record -C 1 -- true
+ WARNING: A requested CPU in '1' is not supported by PMU 'cpu_atom' (CPUs 16-27) for event 'cycles:P'
+ Error:
+ The sys_perf_event_open() syscall returned with 22 (Invalid argument) for event (cpu_atom/cycles:P/).
+ /bin/dmesg | grep -i perf may provide additional information.
+
+(Ignore the warning message, that's expected and not particularly
+relevant to this issue).
+
+This is because perf_cpu_map__intersect() of the user specified CPU (1)
+and one of the PMU's CPUs (16-27) correctly results in an empty (NULL)
+CPU map. However for the purposes of opening an event, libperf converts
+empty CPU maps into an any CPU (-1) which the kernel rejects.
+
+Fix it by deleting evsels with empty CPU maps in the specific case where
+user requested CPU maps are evaluated.
+
+Fixes: 251aa040244a ("perf parse-events: Wildcard most "numeric" events")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Tested-by: Thomas Falcon <thomas.falcon@intel.com>
+Signed-off-by: James Clark <james.clark@linaro.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Link: https://lore.kernel.org/r/20241114160450.295844-2-james.clark@linaro.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/perf/evlist.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/tools/lib/perf/evlist.c b/tools/lib/perf/evlist.c
+index c6d67fc9e57e..83c43dc13313 100644
+--- a/tools/lib/perf/evlist.c
++++ b/tools/lib/perf/evlist.c
+@@ -47,6 +47,20 @@ static void __perf_evlist__propagate_maps(struct perf_evlist *evlist,
+ */
+ perf_cpu_map__put(evsel->cpus);
+ evsel->cpus = perf_cpu_map__intersect(evlist->user_requested_cpus, evsel->own_cpus);
++
++ /*
++ * Empty cpu lists would eventually get opened as "any" so remove
++ * genuinely empty ones before they're opened in the wrong place.
++ */
++ if (perf_cpu_map__is_empty(evsel->cpus)) {
++ struct perf_evsel *next = perf_evlist__next(evlist, evsel);
++
++ perf_evlist__remove(evlist, evsel);
++ /* Keep idx contiguous */
++ if (next)
++ list_for_each_entry_from(next, &evlist->entries, node)
++ next->idx--;
++ }
+ } else if (!evsel->own_cpus || evlist->has_user_cpus ||
+ (!evsel->requires_cpu && perf_cpu_map__has_any_cpu(evlist->user_requested_cpus))) {
+ /*
+@@ -80,11 +94,11 @@ static void __perf_evlist__propagate_maps(struct perf_evlist *evlist,
+
+ static void perf_evlist__propagate_maps(struct perf_evlist *evlist)
+ {
+- struct perf_evsel *evsel;
++ struct perf_evsel *evsel, *n;
+
+ evlist->needs_map_propagation = true;
+
+- perf_evlist__for_each_evsel(evlist, evsel)
++ list_for_each_entry_safe(evsel, n, &evlist->entries, node)
+ __perf_evlist__propagate_maps(evlist, evsel);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From af461b6079e6df3b95b6b1f568d9680fcdcafa71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2024 19:21:07 +0900
+Subject: module: Convert default symbol namespace to string literal
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit ceb8bf2ceaa77fe222fe8fe32cb7789c9099ddf1 ]
+
+Commit cdd30ebb1b9f ("module: Convert symbol namespace to string
+literal") only converted MODULE_IMPORT_NS() and EXPORT_SYMBOL_NS(),
+leaving DEFAULT_SYMBOL_NAMESPACE as a macro expansion.
+
+This commit converts DEFAULT_SYMBOL_NAMESPACE in the same way to avoid
+annoyance for the default namespace as well.
+
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Reviewed-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: 9ac4b58fcef0 ("gpio: idio-16: Actually make use of the GPIO_IDIO_16 symbol namespace")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/core-api/symbol-namespaces.rst | 4 ++--
+ .../translations/it_IT/core-api/symbol-namespaces.rst | 4 ++--
+ .../translations/zh_CN/core-api/symbol-namespaces.rst | 4 ++--
+ drivers/cdx/Makefile | 2 +-
+ drivers/crypto/intel/iaa/Makefile | 2 +-
+ drivers/crypto/intel/qat/qat_common/Makefile | 2 +-
+ drivers/dma/idxd/Makefile | 2 +-
+ drivers/gpio/gpio-idio-16.c | 2 +-
+ drivers/hwmon/nct6775-core.c | 2 +-
+ drivers/i2c/busses/i2c-designware-common.c | 2 +-
+ drivers/i2c/busses/i2c-designware-master.c | 2 +-
+ drivers/i2c/busses/i2c-designware-slave.c | 2 +-
+ drivers/pwm/core.c | 2 +-
+ drivers/pwm/pwm-dwc-core.c | 2 +-
+ drivers/pwm/pwm-lpss.c | 2 +-
+ drivers/tty/serial/sc16is7xx.c | 2 +-
+ drivers/usb/storage/Makefile | 2 +-
+ include/linux/export.h | 2 +-
+ 18 files changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/Documentation/core-api/symbol-namespaces.rst b/Documentation/core-api/symbol-namespaces.rst
+index 12e4aecdae94..d1154eb43810 100644
+--- a/Documentation/core-api/symbol-namespaces.rst
++++ b/Documentation/core-api/symbol-namespaces.rst
+@@ -68,7 +68,7 @@ is to define the default namespace in the ``Makefile`` of the subsystem. E.g. to
+ export all symbols defined in usb-common into the namespace USB_COMMON, add a
+ line like this to drivers/usb/common/Makefile::
+
+- ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE=USB_COMMON
++ ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE='"USB_COMMON"'
+
+ That will affect all EXPORT_SYMBOL() and EXPORT_SYMBOL_GPL() statements. A
+ symbol exported with EXPORT_SYMBOL_NS() while this definition is present, will
+@@ -79,7 +79,7 @@ A second option to define the default namespace is directly in the compilation
+ unit as preprocessor statement. The above example would then read::
+
+ #undef DEFAULT_SYMBOL_NAMESPACE
+- #define DEFAULT_SYMBOL_NAMESPACE USB_COMMON
++ #define DEFAULT_SYMBOL_NAMESPACE "USB_COMMON"
+
+ within the corresponding compilation unit before any EXPORT_SYMBOL macro is
+ used.
+diff --git a/Documentation/translations/it_IT/core-api/symbol-namespaces.rst b/Documentation/translations/it_IT/core-api/symbol-namespaces.rst
+index 17abc25ee4c1..6657f82c0101 100644
+--- a/Documentation/translations/it_IT/core-api/symbol-namespaces.rst
++++ b/Documentation/translations/it_IT/core-api/symbol-namespaces.rst
+@@ -69,7 +69,7 @@ Per esempio per esportare tutti i simboli definiti in usb-common nello spazio
+ dei nomi USB_COMMON, si può aggiungere la seguente linea in
+ drivers/usb/common/Makefile::
+
+- ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE=USB_COMMON
++ ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE='"USB_COMMON"'
+
+ Questo cambierà tutte le macro EXPORT_SYMBOL() ed EXPORT_SYMBOL_GPL(). Invece,
+ un simbolo esportato con EXPORT_SYMBOL_NS() non verrà cambiato e il simbolo
+@@ -79,7 +79,7 @@ Una seconda possibilità è quella di definire il simbolo di preprocessore
+ direttamente nei file da compilare. L'esempio precedente diventerebbe::
+
+ #undef DEFAULT_SYMBOL_NAMESPACE
+- #define DEFAULT_SYMBOL_NAMESPACE USB_COMMON
++ #define DEFAULT_SYMBOL_NAMESPACE "USB_COMMON"
+
+ Questo va messo prima di un qualsiasi uso di EXPORT_SYMBOL.
+
+diff --git a/Documentation/translations/zh_CN/core-api/symbol-namespaces.rst b/Documentation/translations/zh_CN/core-api/symbol-namespaces.rst
+index bb16f0611046..f3e73834f7d7 100644
+--- a/Documentation/translations/zh_CN/core-api/symbol-namespaces.rst
++++ b/Documentation/translations/zh_CN/core-api/symbol-namespaces.rst
+@@ -66,7 +66,7 @@
+ 子系统的 ``Makefile`` 中定义默认命名空间。例如,如果要将usb-common中定义的所有符号导
+ 出到USB_COMMON命名空间,可以在drivers/usb/common/Makefile中添加这样一行::
+
+- ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE=USB_COMMON
++ ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE='"USB_COMMON"'
+
+ 这将影响所有 EXPORT_SYMBOL() 和 EXPORT_SYMBOL_GPL() 语句。当这个定义存在时,
+ 用EXPORT_SYMBOL_NS()导出的符号仍然会被导出到作为命名空间参数传递的命名空间中,
+@@ -76,7 +76,7 @@
+ 成::
+
+ #undef DEFAULT_SYMBOL_NAMESPACE
+- #define DEFAULT_SYMBOL_NAMESPACE USB_COMMON
++ #define DEFAULT_SYMBOL_NAMESPACE "USB_COMMON"
+
+ 应置于相关编译单元中任何 EXPORT_SYMBOL 宏之前
+
+diff --git a/drivers/cdx/Makefile b/drivers/cdx/Makefile
+index 749a3295c2bd..3ca7068a3052 100644
+--- a/drivers/cdx/Makefile
++++ b/drivers/cdx/Makefile
+@@ -5,7 +5,7 @@
+ # Copyright (C) 2022-2023, Advanced Micro Devices, Inc.
+ #
+
+-ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE=CDX_BUS
++ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE='"CDX_BUS"'
+
+ obj-$(CONFIG_CDX_BUS) += cdx.o controller/
+
+diff --git a/drivers/crypto/intel/iaa/Makefile b/drivers/crypto/intel/iaa/Makefile
+index b64b208d2344..55bda7770fac 100644
+--- a/drivers/crypto/intel/iaa/Makefile
++++ b/drivers/crypto/intel/iaa/Makefile
+@@ -3,7 +3,7 @@
+ # Makefile for IAA crypto device drivers
+ #
+
+-ccflags-y += -I $(srctree)/drivers/dma/idxd -DDEFAULT_SYMBOL_NAMESPACE=IDXD
++ccflags-y += -I $(srctree)/drivers/dma/idxd -DDEFAULT_SYMBOL_NAMESPACE='"IDXD"'
+
+ obj-$(CONFIG_CRYPTO_DEV_IAA_CRYPTO) := iaa_crypto.o
+
+diff --git a/drivers/crypto/intel/qat/qat_common/Makefile b/drivers/crypto/intel/qat/qat_common/Makefile
+index eac73cbfdd38..7acf9c576149 100644
+--- a/drivers/crypto/intel/qat/qat_common/Makefile
++++ b/drivers/crypto/intel/qat/qat_common/Makefile
+@@ -1,6 +1,6 @@
+ # SPDX-License-Identifier: GPL-2.0
+ obj-$(CONFIG_CRYPTO_DEV_QAT) += intel_qat.o
+-ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE=CRYPTO_QAT
++ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE='"CRYPTO_QAT"'
+ intel_qat-objs := adf_cfg.o \
+ adf_isr.o \
+ adf_ctl_drv.o \
+diff --git a/drivers/dma/idxd/Makefile b/drivers/dma/idxd/Makefile
+index 2b4a0d406e1e..9ff9d7b87b64 100644
+--- a/drivers/dma/idxd/Makefile
++++ b/drivers/dma/idxd/Makefile
+@@ -1,4 +1,4 @@
+-ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE=IDXD
++ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE='"IDXD"'
+
+ obj-$(CONFIG_INTEL_IDXD_BUS) += idxd_bus.o
+ idxd_bus-y := bus.o
+diff --git a/drivers/gpio/gpio-idio-16.c b/drivers/gpio/gpio-idio-16.c
+index 53b1eb876a12..2c9512589297 100644
+--- a/drivers/gpio/gpio-idio-16.c
++++ b/drivers/gpio/gpio-idio-16.c
+@@ -14,7 +14,7 @@
+
+ #include "gpio-idio-16.h"
+
+-#define DEFAULT_SYMBOL_NAMESPACE GPIO_IDIO_16
++#define DEFAULT_SYMBOL_NAMESPACE "GPIO_IDIO_16"
+
+ #define IDIO_16_DAT_BASE 0x0
+ #define IDIO_16_OUT_BASE IDIO_16_DAT_BASE
+diff --git a/drivers/hwmon/nct6775-core.c b/drivers/hwmon/nct6775-core.c
+index ee04795b98aa..c243b51837d2 100644
+--- a/drivers/hwmon/nct6775-core.c
++++ b/drivers/hwmon/nct6775-core.c
+@@ -57,7 +57,7 @@
+ #include "nct6775.h"
+
+ #undef DEFAULT_SYMBOL_NAMESPACE
+-#define DEFAULT_SYMBOL_NAMESPACE HWMON_NCT6775
++#define DEFAULT_SYMBOL_NAMESPACE "HWMON_NCT6775"
+
+ #define USE_ALTERNATE
+
+diff --git a/drivers/i2c/busses/i2c-designware-common.c b/drivers/i2c/busses/i2c-designware-common.c
+index 9d88b4fa03e4..0e7771d21469 100644
+--- a/drivers/i2c/busses/i2c-designware-common.c
++++ b/drivers/i2c/busses/i2c-designware-common.c
+@@ -29,7 +29,7 @@
+ #include <linux/types.h>
+ #include <linux/units.h>
+
+-#define DEFAULT_SYMBOL_NAMESPACE I2C_DW_COMMON
++#define DEFAULT_SYMBOL_NAMESPACE "I2C_DW_COMMON"
+
+ #include "i2c-designware-core.h"
+
+diff --git a/drivers/i2c/busses/i2c-designware-master.c b/drivers/i2c/busses/i2c-designware-master.c
+index e8ac9a7bf0b3..e23f93b8974e 100644
+--- a/drivers/i2c/busses/i2c-designware-master.c
++++ b/drivers/i2c/busses/i2c-designware-master.c
+@@ -22,7 +22,7 @@
+ #include <linux/regmap.h>
+ #include <linux/reset.h>
+
+-#define DEFAULT_SYMBOL_NAMESPACE I2C_DW
++#define DEFAULT_SYMBOL_NAMESPACE "I2C_DW"
+
+ #include "i2c-designware-core.h"
+
+diff --git a/drivers/i2c/busses/i2c-designware-slave.c b/drivers/i2c/busses/i2c-designware-slave.c
+index 7035296aa24c..0a76e10f77a2 100644
+--- a/drivers/i2c/busses/i2c-designware-slave.c
++++ b/drivers/i2c/busses/i2c-designware-slave.c
+@@ -16,7 +16,7 @@
+ #include <linux/pm_runtime.h>
+ #include <linux/regmap.h>
+
+-#define DEFAULT_SYMBOL_NAMESPACE I2C_DW
++#define DEFAULT_SYMBOL_NAMESPACE "I2C_DW"
+
+ #include "i2c-designware-core.h"
+
+diff --git a/drivers/pwm/core.c b/drivers/pwm/core.c
+index 210368099a06..174939359ae3 100644
+--- a/drivers/pwm/core.c
++++ b/drivers/pwm/core.c
+@@ -6,7 +6,7 @@
+ * Copyright (C) 2011-2012 Avionic Design GmbH
+ */
+
+-#define DEFAULT_SYMBOL_NAMESPACE PWM
++#define DEFAULT_SYMBOL_NAMESPACE "PWM"
+
+ #include <linux/acpi.h>
+ #include <linux/module.h>
+diff --git a/drivers/pwm/pwm-dwc-core.c b/drivers/pwm/pwm-dwc-core.c
+index c8425493b95d..6dabec93a3c6 100644
+--- a/drivers/pwm/pwm-dwc-core.c
++++ b/drivers/pwm/pwm-dwc-core.c
+@@ -9,7 +9,7 @@
+ * Author: Raymond Tan <raymond.tan@intel.com>
+ */
+
+-#define DEFAULT_SYMBOL_NAMESPACE dwc_pwm
++#define DEFAULT_SYMBOL_NAMESPACE "dwc_pwm"
+
+ #include <linux/bitops.h>
+ #include <linux/export.h>
+diff --git a/drivers/pwm/pwm-lpss.c b/drivers/pwm/pwm-lpss.c
+index 867e2bc8c601..3b99feb3bb49 100644
+--- a/drivers/pwm/pwm-lpss.c
++++ b/drivers/pwm/pwm-lpss.c
+@@ -19,7 +19,7 @@
+ #include <linux/pm_runtime.h>
+ #include <linux/time.h>
+
+-#define DEFAULT_SYMBOL_NAMESPACE PWM_LPSS
++#define DEFAULT_SYMBOL_NAMESPACE "PWM_LPSS"
+
+ #include "pwm-lpss.h"
+
+diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c
+index ad88a33a504f..6a0a1cce3a89 100644
+--- a/drivers/tty/serial/sc16is7xx.c
++++ b/drivers/tty/serial/sc16is7xx.c
+@@ -8,7 +8,7 @@
+ */
+
+ #undef DEFAULT_SYMBOL_NAMESPACE
+-#define DEFAULT_SYMBOL_NAMESPACE SERIAL_NXP_SC16IS7XX
++#define DEFAULT_SYMBOL_NAMESPACE "SERIAL_NXP_SC16IS7XX"
+
+ #include <linux/bits.h>
+ #include <linux/clk.h>
+diff --git a/drivers/usb/storage/Makefile b/drivers/usb/storage/Makefile
+index 46635fa4a340..28db337f190b 100644
+--- a/drivers/usb/storage/Makefile
++++ b/drivers/usb/storage/Makefile
+@@ -8,7 +8,7 @@
+
+ ccflags-y := -I $(srctree)/drivers/scsi
+
+-ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE=USB_STORAGE
++ccflags-y += -DDEFAULT_SYMBOL_NAMESPACE='"USB_STORAGE"'
+
+ obj-$(CONFIG_USB_UAS) += uas.o
+ obj-$(CONFIG_USB_STORAGE) += usb-storage.o
+diff --git a/include/linux/export.h b/include/linux/export.h
+index 0bbd02fd351d..1e04dbc675c2 100644
+--- a/include/linux/export.h
++++ b/include/linux/export.h
+@@ -60,7 +60,7 @@
+ #endif
+
+ #ifdef DEFAULT_SYMBOL_NAMESPACE
+-#define _EXPORT_SYMBOL(sym, license) __EXPORT_SYMBOL(sym, license, __stringify(DEFAULT_SYMBOL_NAMESPACE))
++#define _EXPORT_SYMBOL(sym, license) __EXPORT_SYMBOL(sym, license, DEFAULT_SYMBOL_NAMESPACE)
+ #else
+ #define _EXPORT_SYMBOL(sym, license) __EXPORT_SYMBOL(sym, license, "")
+ #endif
+--
+2.39.5
+
--- /dev/null
+From 57158f19cdaf2b57f32ec1566dfeb6fd8c1f9f78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 12:54:55 +0000
+Subject: net: defer final 'struct net' free in netns dismantle
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 0f6ede9fbc747e2553612271bce108f7517e7a45 ]
+
+Ilya reported a slab-use-after-free in dst_destroy [1]
+
+Issue is in xfrm6_net_init() and xfrm4_net_init() :
+
+They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops.
+
+But net structure might be freed before all the dst callbacks are
+called. So when dst_destroy() calls later :
+
+if (dst->ops->destroy)
+ dst->ops->destroy(dst);
+
+dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed.
+
+See a relevant issue fixed in :
+
+ac888d58869b ("net: do not delay dst_entries_add() in dst_release()")
+
+A fix is to queue the 'struct net' to be freed after one
+another cleanup_net() round (and existing rcu_barrier())
+
+[1]
+
+BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112)
+Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0
+Dec 03 05:46:18 kernel:
+CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67
+Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014
+Call Trace:
+ <IRQ>
+dump_stack_lvl (lib/dump_stack.c:124)
+print_address_description.constprop.0 (mm/kasan/report.c:378)
+? dst_destroy (net/core/dst.c:112)
+print_report (mm/kasan/report.c:489)
+? dst_destroy (net/core/dst.c:112)
+? kasan_addr_to_slab (mm/kasan/common.c:37)
+kasan_report (mm/kasan/report.c:603)
+? dst_destroy (net/core/dst.c:112)
+? rcu_do_batch (kernel/rcu/tree.c:2567)
+dst_destroy (net/core/dst.c:112)
+rcu_do_batch (kernel/rcu/tree.c:2567)
+? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491)
+? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406)
+rcu_core (kernel/rcu/tree.c:2825)
+handle_softirqs (kernel/softirq.c:554)
+__irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637)
+irq_exit_rcu (kernel/softirq.c:651)
+sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049)
+ </IRQ>
+ <TASK>
+asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702)
+RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743)
+Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90
+RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246
+RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123
+RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d
+R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000
+R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000
+? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148)
+? cpuidle_idle_call (kernel/sched/idle.c:186)
+default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118)
+cpuidle_idle_call (kernel/sched/idle.c:186)
+? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168)
+? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848)
+? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
+? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59)
+do_idle (kernel/sched/idle.c:326)
+cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1))
+start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282)
+? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232)
+? soft_restart_cpu (arch/x86/kernel/head_64.S:452)
+common_startup_64 (arch/x86/kernel/head_64.S:414)
+ </TASK>
+Dec 03 05:46:18 kernel:
+Allocated by task 12184:
+kasan_save_stack (mm/kasan/common.c:48)
+kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)
+__kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)
+kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141)
+copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480)
+create_new_namespaces (kernel/nsproxy.c:110)
+unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4))
+ksys_unshare (kernel/fork.c:3313)
+__x64_sys_unshare (kernel/fork.c:3382)
+do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+Dec 03 05:46:18 kernel:
+Freed by task 11:
+kasan_save_stack (mm/kasan/common.c:48)
+kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)
+kasan_save_free_info (mm/kasan/generic.c:582)
+__kasan_slab_free (mm/kasan/common.c:271)
+kmem_cache_free (mm/slub.c:4579 mm/slub.c:4681)
+cleanup_net (net/core/net_namespace.c:456 net/core/net_namespace.c:446 net/core/net_namespace.c:647)
+process_one_work (kernel/workqueue.c:3229)
+worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391)
+kthread (kernel/kthread.c:389)
+ret_from_fork (arch/x86/kernel/process.c:147)
+ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
+Dec 03 05:46:18 kernel:
+Last potentially related work creation:
+kasan_save_stack (mm/kasan/common.c:48)
+__kasan_record_aux_stack (mm/kasan/generic.c:541)
+insert_work (./include/linux/instrumented.h:68 ./include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186)
+__queue_work (kernel/workqueue.c:2340)
+queue_work_on (kernel/workqueue.c:2391)
+xfrm_policy_insert (net/xfrm/xfrm_policy.c:1610)
+xfrm_add_policy (net/xfrm/xfrm_user.c:2116)
+xfrm_user_rcv_msg (net/xfrm/xfrm_user.c:3321)
+netlink_rcv_skb (net/netlink/af_netlink.c:2536)
+xfrm_netlink_rcv (net/xfrm/xfrm_user.c:3344)
+netlink_unicast (net/netlink/af_netlink.c:1316 net/netlink/af_netlink.c:1342)
+netlink_sendmsg (net/netlink/af_netlink.c:1886)
+sock_write_iter (net/socket.c:729 net/socket.c:744 net/socket.c:1165)
+vfs_write (fs/read_write.c:590 fs/read_write.c:683)
+ksys_write (fs/read_write.c:736)
+do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+Dec 03 05:46:18 kernel:
+Second to last potentially related work creation:
+kasan_save_stack (mm/kasan/common.c:48)
+__kasan_record_aux_stack (mm/kasan/generic.c:541)
+insert_work (./include/linux/instrumented.h:68 ./include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186)
+__queue_work (kernel/workqueue.c:2340)
+queue_work_on (kernel/workqueue.c:2391)
+__xfrm_state_insert (./include/linux/workqueue.h:723 net/xfrm/xfrm_state.c:1150 net/xfrm/xfrm_state.c:1145 net/xfrm/xfrm_state.c:1513)
+xfrm_state_update (./include/linux/spinlock.h:396 net/xfrm/xfrm_state.c:1940)
+xfrm_add_sa (net/xfrm/xfrm_user.c:912)
+xfrm_user_rcv_msg (net/xfrm/xfrm_user.c:3321)
+netlink_rcv_skb (net/netlink/af_netlink.c:2536)
+xfrm_netlink_rcv (net/xfrm/xfrm_user.c:3344)
+netlink_unicast (net/netlink/af_netlink.c:1316 net/netlink/af_netlink.c:1342)
+netlink_sendmsg (net/netlink/af_netlink.c:1886)
+sock_write_iter (net/socket.c:729 net/socket.c:744 net/socket.c:1165)
+vfs_write (fs/read_write.c:590 fs/read_write.c:683)
+ksys_write (fs/read_write.c:736)
+do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+Fixes: a8a572a6b5f2 ("xfrm: dst_entries_init() per-net dst_ops")
+Reported-by: Ilya Maximets <i.maximets@ovn.org>
+Closes: https://lore.kernel.org/netdev/CANn89iKKYDVpB=MtmfH7nyv2p=rJWSLedO5k7wSZgtY_tO8WQg@mail.gmail.com/T/#m02c98c3009fe66382b73cfb4db9cf1df6fab3fbf
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20241204125455.3871859-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/net_namespace.h | 1 +
+ net/core/net_namespace.c | 20 +++++++++++++++++++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
+index e67b483cc8bb..9398c8f49953 100644
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -80,6 +80,7 @@ struct net {
+ * or to unregister pernet ops
+ * (pernet_ops_rwsem write locked).
+ */
++ struct llist_node defer_free_list;
+ struct llist_node cleanup_list; /* namespaces on death row */
+
+ #ifdef CONFIG_KEYS
+diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
+index e39479f1c9a4..70fea7c1a4b0 100644
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -443,6 +443,21 @@ static struct net *net_alloc(void)
+ goto out;
+ }
+
++static LLIST_HEAD(defer_free_list);
++
++static void net_complete_free(void)
++{
++ struct llist_node *kill_list;
++ struct net *net, *next;
++
++ /* Get the list of namespaces to free from last round. */
++ kill_list = llist_del_all(&defer_free_list);
++
++ llist_for_each_entry_safe(net, next, kill_list, defer_free_list)
++ kmem_cache_free(net_cachep, net);
++
++}
++
+ static void net_free(struct net *net)
+ {
+ if (refcount_dec_and_test(&net->passive)) {
+@@ -451,7 +466,8 @@ static void net_free(struct net *net)
+ /* There should not be any trackers left there. */
+ ref_tracker_dir_exit(&net->notrefcnt_tracker);
+
+- kmem_cache_free(net_cachep, net);
++ /* Wait for an extra rcu_barrier() before final free. */
++ llist_add(&net->defer_free_list, &defer_free_list);
+ }
+ }
+
+@@ -636,6 +652,8 @@ static void cleanup_net(struct work_struct *work)
+ */
+ rcu_barrier();
+
++ net_complete_free();
++
+ /* Finally it is safe to free my network namespace structure */
+ list_for_each_entry_safe(net, tmp, &net_exit_list, exit_list) {
+ list_del_init(&net->exit_list);
+--
+2.39.5
+
--- /dev/null
+From 2bf73e69c7bd715b934f0e984e703da324b6967f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 15:26:40 +0200
+Subject: net: dsa: felix: fix stuck CPU-injected packets with short taprio
+ windows
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit acfcdb78d5d4cdb78e975210c8825b9a112463f6 ]
+
+With this port schedule:
+
+tc qdisc replace dev $send_if parent root handle 100 taprio \
+ num_tc 8 queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 \
+ map 0 1 2 3 4 5 6 7 \
+ base-time 0 cycle-time 10000 \
+ sched-entry S 01 1250 \
+ sched-entry S 02 1250 \
+ sched-entry S 04 1250 \
+ sched-entry S 08 1250 \
+ sched-entry S 10 1250 \
+ sched-entry S 20 1250 \
+ sched-entry S 40 1250 \
+ sched-entry S 80 1250 \
+ flags 2
+
+ptp4l would fail to take TX timestamps of Pdelay_Resp messages like this:
+
+increasing tx_timestamp_timeout may correct this issue, but it is likely caused by a driver bug
+ptp4l[4134.168]: port 2: send peer delay response failed
+
+It turns out that the driver can't take their TX timestamps because it
+can't transmit them in the first place. And there's nothing special
+about the Pdelay_Resp packets - they're just regular 68 byte packets.
+But with this taprio configuration, the switch would refuse to send even
+the ETH_ZLEN minimum packet size.
+
+This should have definitely not been the case. When applying the taprio
+config, the driver prints:
+
+mscc_felix 0000:00:00.5: port 0 tc 0 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 1 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 2 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 3 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 4 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 5 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 6 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 7 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 132 octets including FCS
+
+and thus, everything under 132 bytes - ETH_FCS_LEN should have been sent
+without problems. Yet it's not.
+
+For the forwarding path, the configuration is fine, yet packets injected
+from Linux get stuck with this schedule no matter what.
+
+The first hint that the static guard bands are the cause of the problem
+is that reverting Michael Walle's commit 297c4de6f780 ("net: dsa: felix:
+re-enable TAS guard band mode") made things work. It must be that the
+guard bands are calculated incorrectly.
+
+I remembered that there is a magic constant in the driver, set to 33 ns
+for no logical reason other than experimentation, which says "never let
+the static guard bands get so large as to leave less than this amount of
+remaining space in the time slot, because the queue system will refuse
+to schedule packets otherwise, and they will get stuck". I had a hunch
+that my previous experimentally-determined value was only good for
+packets coming from the forwarding path, and that the CPU injection path
+needed more.
+
+I came to the new value of 35 ns through binary search, after seeing
+that with 544 ns (the bit time required to send the Pdelay_Resp packet
+at gigabit) it works. Again, this is purely experimental, there's no
+logic and the manual doesn't say anything.
+
+The new driver prints for this schedule look like this:
+
+mscc_felix 0000:00:00.5: port 0 tc 0 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 1 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 2 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 3 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 4 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 5 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 6 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS
+mscc_felix 0000:00:00.5: port 0 tc 7 min gate length 1250 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 131 octets including FCS
+
+So yes, the maximum MTU is now even smaller by 1 byte than before.
+This is maybe counter-intuitive, but makes more sense with a diagram of
+one time slot.
+
+Before:
+
+ Gate open Gate close
+ | |
+ v 1250 ns total time slot duration v
+ <---------------------------------------------------->
+ <----><---------------------------------------------->
+ 33 ns 1217 ns static guard band
+ useful
+
+ Gate open Gate close
+ | |
+ v 1250 ns total time slot duration v
+ <---------------------------------------------------->
+ <-----><--------------------------------------------->
+ 35 ns 1215 ns static guard band
+ useful
+
+The static guard band implemented by this switch hardware directly
+determines the maximum allowable MTU for that traffic class. The larger
+it is, the earlier the switch will stop scheduling frames for
+transmission, because otherwise they might overrun the gate close time
+(and avoiding that is the entire purpose of Michael's patch).
+So, we now have guard bands smaller by 2 ns, thus, in this particular
+case, we lose a byte of the maximum MTU.
+
+Fixes: 11afdc6526de ("net: dsa: felix: tc-taprio intervals smaller than MTU should send at least one packet")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Michael Walle <mwalle@kernel.org>
+Link: https://patch.msgid.link/20241210132640.3426788-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/ocelot/felix_vsc9959.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/dsa/ocelot/felix_vsc9959.c b/drivers/net/dsa/ocelot/felix_vsc9959.c
+index 0102a82e88cc..940f1b71226d 100644
+--- a/drivers/net/dsa/ocelot/felix_vsc9959.c
++++ b/drivers/net/dsa/ocelot/felix_vsc9959.c
+@@ -24,7 +24,7 @@
+ #define VSC9959_NUM_PORTS 6
+
+ #define VSC9959_TAS_GCL_ENTRY_MAX 63
+-#define VSC9959_TAS_MIN_GATE_LEN_NS 33
++#define VSC9959_TAS_MIN_GATE_LEN_NS 35
+ #define VSC9959_VCAP_POLICER_BASE 63
+ #define VSC9959_VCAP_POLICER_MAX 383
+ #define VSC9959_SWITCH_PCI_BAR 4
+@@ -1056,11 +1056,15 @@ static void vsc9959_mdio_bus_free(struct ocelot *ocelot)
+ mdiobus_free(felix->imdio);
+ }
+
+-/* The switch considers any frame (regardless of size) as eligible for
+- * transmission if the traffic class gate is open for at least 33 ns.
++/* The switch considers any frame (regardless of size) as eligible
++ * for transmission if the traffic class gate is open for at least
++ * VSC9959_TAS_MIN_GATE_LEN_NS.
++ *
+ * Overruns are prevented by cropping an interval at the end of the gate time
+- * slot for which egress scheduling is blocked, but we need to still keep 33 ns
+- * available for one packet to be transmitted, otherwise the port tc will hang.
++ * slot for which egress scheduling is blocked, but we need to still keep
++ * VSC9959_TAS_MIN_GATE_LEN_NS available for one packet to be transmitted,
++ * otherwise the port tc will hang.
++ *
+ * This function returns the size of a gate interval that remains available for
+ * setting the guard band, after reserving the space for one egress frame.
+ */
+@@ -1303,7 +1307,8 @@ static void vsc9959_tas_guard_bands_update(struct ocelot *ocelot, int port)
+ * per-tc static guard band lengths, so it reduces the
+ * useful gate interval length. Therefore, be careful
+ * to calculate a guard band (and therefore max_sdu)
+- * that still leaves 33 ns available in the time slot.
++ * that still leaves VSC9959_TAS_MIN_GATE_LEN_NS
++ * available in the time slot.
+ */
+ max_sdu = div_u64(remaining_gate_len_ps, picos_per_byte);
+ /* A TC gate may be completely closed, which is a
+--
+2.39.5
+
--- /dev/null
+From 8a76012c4a11c91d5228f8f92b7419631a64e9d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 10:29:32 +0100
+Subject: net: dsa: microchip: KSZ9896 register regmap alignment to 32 bit
+ boundaries
+
+From: Jesse Van Gavere <jesseevg@gmail.com>
+
+[ Upstream commit 5af53577c64fa84da032d490b701127fe8d1a6aa ]
+
+Commit 8d7ae22ae9f8 ("net: dsa: microchip: KSZ9477 register regmap
+alignment to 32 bit boundaries") fixed an issue whereby regmap_reg_range
+did not allow writes as 32 bit words to KSZ9477 PHY registers, this fix
+for KSZ9896 is adapted from there as the same errata is present in
+KSZ9896C as "Module 5: Certain PHY registers must be written as pairs
+instead of singly" the explanation below is likewise taken from this
+commit.
+
+The commit provided code
+to apply "Module 6: Certain PHY registers must be written as pairs instead
+of singly" errata for KSZ9477 as this chip for certain PHY registers
+(0xN120 to 0xN13F, N=1,2,3,4,5) must be accessed as 32 bit words instead
+of 16 or 8 bit access.
+Otherwise, adjacent registers (no matter if reserved or not) are
+overwritten with 0x0.
+
+Without this patch some registers (e.g. 0x113c or 0x1134) required for 32
+bit access are out of valid regmap ranges.
+
+As a result, following error is observed and KSZ9896 is not properly
+configured:
+
+ksz-switch spi1.0: can't rmw 32bit reg 0x113c: -EIO
+ksz-switch spi1.0: can't rmw 32bit reg 0x1134: -EIO
+ksz-switch spi1.0 lan1 (uninitialized): failed to connect to PHY: -EIO
+ksz-switch spi1.0 lan1 (uninitialized): error -5 setting up PHY for tree 0, switch 0, port 0
+
+The solution is to modify regmap_reg_range to allow accesses with 4 bytes
+boundaries.
+
+Fixes: 5c844d57aa78 ("net: dsa: microchip: fix writes to phy registers >= 0x10")
+Signed-off-by: Jesse Van Gavere <jesse.vangavere@scioteq.com>
+Link: https://patch.msgid.link/20241211092932.26881-1-jesse.vangavere@scioteq.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/microchip/ksz_common.c | 42 +++++++++++---------------
+ 1 file changed, 18 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/net/dsa/microchip/ksz_common.c b/drivers/net/dsa/microchip/ksz_common.c
+index 5290f5ad98f3..bf26cd0abf6d 100644
+--- a/drivers/net/dsa/microchip/ksz_common.c
++++ b/drivers/net/dsa/microchip/ksz_common.c
+@@ -1098,10 +1098,9 @@ static const struct regmap_range ksz9896_valid_regs[] = {
+ regmap_reg_range(0x1030, 0x1030),
+ regmap_reg_range(0x1100, 0x1115),
+ regmap_reg_range(0x111a, 0x111f),
+- regmap_reg_range(0x1122, 0x1127),
+- regmap_reg_range(0x112a, 0x112b),
+- regmap_reg_range(0x1136, 0x1139),
+- regmap_reg_range(0x113e, 0x113f),
++ regmap_reg_range(0x1120, 0x112b),
++ regmap_reg_range(0x1134, 0x113b),
++ regmap_reg_range(0x113c, 0x113f),
+ regmap_reg_range(0x1400, 0x1401),
+ regmap_reg_range(0x1403, 0x1403),
+ regmap_reg_range(0x1410, 0x1417),
+@@ -1128,10 +1127,9 @@ static const struct regmap_range ksz9896_valid_regs[] = {
+ regmap_reg_range(0x2030, 0x2030),
+ regmap_reg_range(0x2100, 0x2115),
+ regmap_reg_range(0x211a, 0x211f),
+- regmap_reg_range(0x2122, 0x2127),
+- regmap_reg_range(0x212a, 0x212b),
+- regmap_reg_range(0x2136, 0x2139),
+- regmap_reg_range(0x213e, 0x213f),
++ regmap_reg_range(0x2120, 0x212b),
++ regmap_reg_range(0x2134, 0x213b),
++ regmap_reg_range(0x213c, 0x213f),
+ regmap_reg_range(0x2400, 0x2401),
+ regmap_reg_range(0x2403, 0x2403),
+ regmap_reg_range(0x2410, 0x2417),
+@@ -1158,10 +1156,9 @@ static const struct regmap_range ksz9896_valid_regs[] = {
+ regmap_reg_range(0x3030, 0x3030),
+ regmap_reg_range(0x3100, 0x3115),
+ regmap_reg_range(0x311a, 0x311f),
+- regmap_reg_range(0x3122, 0x3127),
+- regmap_reg_range(0x312a, 0x312b),
+- regmap_reg_range(0x3136, 0x3139),
+- regmap_reg_range(0x313e, 0x313f),
++ regmap_reg_range(0x3120, 0x312b),
++ regmap_reg_range(0x3134, 0x313b),
++ regmap_reg_range(0x313c, 0x313f),
+ regmap_reg_range(0x3400, 0x3401),
+ regmap_reg_range(0x3403, 0x3403),
+ regmap_reg_range(0x3410, 0x3417),
+@@ -1188,10 +1185,9 @@ static const struct regmap_range ksz9896_valid_regs[] = {
+ regmap_reg_range(0x4030, 0x4030),
+ regmap_reg_range(0x4100, 0x4115),
+ regmap_reg_range(0x411a, 0x411f),
+- regmap_reg_range(0x4122, 0x4127),
+- regmap_reg_range(0x412a, 0x412b),
+- regmap_reg_range(0x4136, 0x4139),
+- regmap_reg_range(0x413e, 0x413f),
++ regmap_reg_range(0x4120, 0x412b),
++ regmap_reg_range(0x4134, 0x413b),
++ regmap_reg_range(0x413c, 0x413f),
+ regmap_reg_range(0x4400, 0x4401),
+ regmap_reg_range(0x4403, 0x4403),
+ regmap_reg_range(0x4410, 0x4417),
+@@ -1218,10 +1214,9 @@ static const struct regmap_range ksz9896_valid_regs[] = {
+ regmap_reg_range(0x5030, 0x5030),
+ regmap_reg_range(0x5100, 0x5115),
+ regmap_reg_range(0x511a, 0x511f),
+- regmap_reg_range(0x5122, 0x5127),
+- regmap_reg_range(0x512a, 0x512b),
+- regmap_reg_range(0x5136, 0x5139),
+- regmap_reg_range(0x513e, 0x513f),
++ regmap_reg_range(0x5120, 0x512b),
++ regmap_reg_range(0x5134, 0x513b),
++ regmap_reg_range(0x513c, 0x513f),
+ regmap_reg_range(0x5400, 0x5401),
+ regmap_reg_range(0x5403, 0x5403),
+ regmap_reg_range(0x5410, 0x5417),
+@@ -1248,10 +1243,9 @@ static const struct regmap_range ksz9896_valid_regs[] = {
+ regmap_reg_range(0x6030, 0x6030),
+ regmap_reg_range(0x6100, 0x6115),
+ regmap_reg_range(0x611a, 0x611f),
+- regmap_reg_range(0x6122, 0x6127),
+- regmap_reg_range(0x612a, 0x612b),
+- regmap_reg_range(0x6136, 0x6139),
+- regmap_reg_range(0x613e, 0x613f),
++ regmap_reg_range(0x6120, 0x612b),
++ regmap_reg_range(0x6134, 0x613b),
++ regmap_reg_range(0x613c, 0x613f),
+ regmap_reg_range(0x6300, 0x6301),
+ regmap_reg_range(0x6400, 0x6401),
+ regmap_reg_range(0x6403, 0x6403),
+--
+2.39.5
+
--- /dev/null
+From 39b5875d28493f0b59b73588675c8f9a398d68d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 15:47:41 +0100
+Subject: net: dsa: tag_ocelot_8021q: fix broken reception
+
+From: Robert Hodaszi <robert.hodaszi@digi.com>
+
+[ Upstream commit 36ff681d2283410742489ce77e7b01419eccf58c ]
+
+The blamed commit changed the dsa_8021q_rcv() calling convention to
+accept pre-populated source_port and switch_id arguments. If those are
+not available, as in the case of tag_ocelot_8021q, the arguments must be
+pre-initialized with -1.
+
+Due to the bug of passing uninitialized arguments in tag_ocelot_8021q,
+dsa_8021q_rcv() does not detect that it needs to populate the
+source_port and switch_id, and this makes dsa_conduit_find_user() fail,
+which leads to packet loss on reception.
+
+Fixes: dcfe7673787b ("net: dsa: tag_sja1105: absorb logic for not overwriting precise info into dsa_8021q_rcv()")
+Signed-off-by: Robert Hodaszi <robert.hodaszi@digi.com>
+Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20241211144741.1415758-1-robert.hodaszi@digi.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/tag_ocelot_8021q.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/dsa/tag_ocelot_8021q.c b/net/dsa/tag_ocelot_8021q.c
+index 8e8b1bef6af6..11ea8cfd6266 100644
+--- a/net/dsa/tag_ocelot_8021q.c
++++ b/net/dsa/tag_ocelot_8021q.c
+@@ -79,7 +79,7 @@ static struct sk_buff *ocelot_xmit(struct sk_buff *skb,
+ static struct sk_buff *ocelot_rcv(struct sk_buff *skb,
+ struct net_device *netdev)
+ {
+- int src_port, switch_id;
++ int src_port = -1, switch_id = -1;
+
+ dsa_8021q_rcv(skb, &src_port, &switch_id, NULL, NULL);
+
+--
+2.39.5
+
--- /dev/null
+From 44ca27373f0bec8d7c7354b9d3859a860854a475 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 14:10:31 +0000
+Subject: net: lapb: increase LAPB_HEADER_LEN
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a6d75ecee2bf828ac6a1b52724aba0a977e4eaf4 ]
+
+It is unclear if net/lapb code is supposed to be ready for 8021q.
+
+We can at least avoid crashes like the following :
+
+skbuff: skb_under_panic: text:ffffffff8aabe1f6 len:24 put:20 head:ffff88802824a400 data:ffff88802824a3fe tail:0x16 end:0x140 dev:nr0.2
+------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:206 !
+Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 1 UID: 0 PID: 5508 Comm: dhcpcd Not tainted 6.12.0-rc7-syzkaller-00144-g66418447d27b #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
+ RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]
+ RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216
+Code: 0d 8d 48 c7 c6 2e 9e 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 1a 6f 37 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
+RSP: 0018:ffffc90002ddf638 EFLAGS: 00010282
+RAX: 0000000000000086 RBX: dffffc0000000000 RCX: 7a24750e538ff600
+RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000
+RBP: ffff888034a86650 R08: ffffffff8174b13c R09: 1ffff920005bbe60
+R10: dffffc0000000000 R11: fffff520005bbe61 R12: 0000000000000140
+R13: ffff88802824a400 R14: ffff88802824a3fe R15: 0000000000000016
+FS: 00007f2a5990d740(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000110c2631fd CR3: 0000000029504000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ skb_push+0xe5/0x100 net/core/skbuff.c:2636
+ nr_header+0x36/0x320 net/netrom/nr_dev.c:69
+ dev_hard_header include/linux/netdevice.h:3148 [inline]
+ vlan_dev_hard_header+0x359/0x480 net/8021q/vlan_dev.c:83
+ dev_hard_header include/linux/netdevice.h:3148 [inline]
+ lapbeth_data_transmit+0x1f6/0x2a0 drivers/net/wan/lapbether.c:257
+ lapb_data_transmit+0x91/0xb0 net/lapb/lapb_iface.c:447
+ lapb_transmit_buffer+0x168/0x1f0 net/lapb/lapb_out.c:149
+ lapb_establish_data_link+0x84/0xd0
+ lapb_device_event+0x4e0/0x670
+ notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93
+ __dev_notify_flags+0x207/0x400
+ dev_change_flags+0xf0/0x1a0 net/core/dev.c:8922
+ devinet_ioctl+0xa4e/0x1aa0 net/ipv4/devinet.c:1188
+ inet_ioctl+0x3d7/0x4f0 net/ipv4/af_inet.c:1003
+ sock_do_ioctl+0x158/0x460 net/socket.c:1227
+ sock_ioctl+0x626/0x8e0 net/socket.c:1346
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:907 [inline]
+ __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+fb99d1b0c0f81d94a5e2@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/67506220.050a0220.17bd51.006c.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241204141031.4030267-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/lapb.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/lapb.h b/include/net/lapb.h
+index 124ee122f2c8..6c07420644e4 100644
+--- a/include/net/lapb.h
++++ b/include/net/lapb.h
+@@ -4,7 +4,7 @@
+ #include <linux/lapb.h>
+ #include <linux/refcount.h>
+
+-#define LAPB_HEADER_LEN 20 /* LAPB over Ethernet + a bit more */
++#define LAPB_HEADER_LEN MAX_HEADER /* LAPB over Ethernet + a bit more */
+
+ #define LAPB_ACK_PENDING_CONDITION 0x01
+ #define LAPB_REJECT_CONDITION 0x02
+--
+2.39.5
+
--- /dev/null
+From 1e2f200da3fcfa42aa841664c51dbbe233418464 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2024 12:57:51 -0500
+Subject: net: mana: Fix irq_contexts memory leak in mana_gd_setup_irqs
+
+From: Maxim Levitsky <mlevitsk@redhat.com>
+
+[ Upstream commit 9a5beb6ca6305de5c5210efab0702ea79b62eb39 ]
+
+gc->irq_contexts is not freeded if one of the later operations
+fail.
+
+Suggested-by: Michael Kelley <mhklinux@outlook.com>
+Fixes: 8afefc361209 ("net: mana: Assigning IRQ affinity on HT cores")
+Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Reviewed-by: Saurabh Sengar <ssengar@linux.microsoft.com>
+Reviewed-by: Yury Norov <yury.norov@gmail.com>
+Link: https://patch.msgid.link/20241209175751.287738-3-mlevitsk@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microsoft/mana/gdma_main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c
+index 42076c90ce87..0c2ba2fa88c4 100644
+--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c
++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c
+@@ -1315,7 +1315,7 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev)
+ GFP_KERNEL);
+ if (!gc->irq_contexts) {
+ err = -ENOMEM;
+- goto free_irq_vector;
++ goto free_irq_array;
+ }
+
+ for (i = 0; i < nvec; i++) {
+@@ -1385,8 +1385,9 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev)
+ }
+
+ kfree(gc->irq_contexts);
+- kfree(irqs);
+ gc->irq_contexts = NULL;
++free_irq_array:
++ kfree(irqs);
+ free_irq_vector:
+ cpus_read_unlock();
+ pci_free_irq_vectors(pdev);
+--
+2.39.5
+
--- /dev/null
+From dfc3b53125f0eb4c7ecb841aefbbf834888a658e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2024 12:57:50 -0500
+Subject: net: mana: Fix memory leak in mana_gd_setup_irqs
+
+From: Maxim Levitsky <mlevitsk@redhat.com>
+
+[ Upstream commit bb1e3eb57d2cc38951f9a9f1b8c298ced175798f ]
+
+Commit 8afefc361209 ("net: mana: Assigning IRQ affinity on HT cores")
+added memory allocation in mana_gd_setup_irqs of 'irqs' but the code
+doesn't free this temporary array in the success path.
+
+This was caught by kmemleak.
+
+Fixes: 8afefc361209 ("net: mana: Assigning IRQ affinity on HT cores")
+Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Reviewed-by: Saurabh Sengar <ssengar@linux.microsoft.com>
+Reviewed-by: Yury Norov <yury.norov@gmail.com>
+Link: https://patch.msgid.link/20241209175751.287738-2-mlevitsk@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microsoft/mana/gdma_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c
+index ca4ed58f1206..42076c90ce87 100644
+--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c
++++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c
+@@ -1372,6 +1372,7 @@ static int mana_gd_setup_irqs(struct pci_dev *pdev)
+ gc->max_num_msix = nvec;
+ gc->num_msix_usable = nvec;
+ cpus_read_unlock();
++ kfree(irqs);
+ return 0;
+
+ free_irq:
+--
+2.39.5
+
--- /dev/null
+From e693a60895d2580e8e35e7a638c2bc0acf68eb91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 15:06:41 +0300
+Subject: net/mlx5: DR, prevent potential error pointer dereference
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 11776cff0b563c8b8a4fa76cab620bfb633a8cb8 ]
+
+The dr_domain_add_vport_cap() function generally returns NULL on error
+but sometimes we want it to return ERR_PTR(-EBUSY) so the caller can
+retry. The problem here is that "ret" can be either -EBUSY or -ENOMEM
+and if it's and -ENOMEM then the error pointer is propogated back and
+eventually dereferenced in dr_ste_v0_build_src_gvmi_qpn_tag().
+
+Fixes: 11a45def2e19 ("net/mlx5: DR, Add support for SF vports")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/07477254-e179-43e2-b1b3-3b9db4674195@stanley.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
+index 3d74109f8230..49f22cad92bf 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
+@@ -297,7 +297,9 @@ dr_domain_add_vport_cap(struct mlx5dr_domain *dmn, u16 vport)
+ if (ret) {
+ mlx5dr_dbg(dmn, "Couldn't insert new vport into xarray (%d)\n", ret);
+ kvfree(vport_caps);
+- return ERR_PTR(ret);
++ if (ret == -EBUSY)
++ return ERR_PTR(-EBUSY);
++ return NULL;
+ }
+
+ return vport_caps;
+--
+2.39.5
+
--- /dev/null
+From 777d1ad1a1fc1afcf4e979b9c9555418dc1b6615 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 16:55:18 +0200
+Subject: net: mscc: ocelot: be resilient to loss of PTP packets during
+ transmission
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit b454abfab52543c44b581afc807b9f97fc1e7a3a ]
+
+The Felix DSA driver presents unique challenges that make the simplistic
+ocelot PTP TX timestamping procedure unreliable: any transmitted packet
+may be lost in hardware before it ever leaves our local system.
+
+This may happen because there is congestion on the DSA conduit, the
+switch CPU port or even user port (Qdiscs like taprio may delay packets
+indefinitely by design).
+
+The technical problem is that the kernel, i.e. ocelot_port_add_txtstamp_skb(),
+runs out of timestamp IDs eventually, because it never detects that
+packets are lost, and keeps the IDs of the lost packets on hold
+indefinitely. The manifestation of the issue once the entire timestamp
+ID range becomes busy looks like this in dmesg:
+
+mscc_felix 0000:00:00.5: port 0 delivering skb without TX timestamp
+mscc_felix 0000:00:00.5: port 1 delivering skb without TX timestamp
+
+At the surface level, we need a timeout timer so that the kernel knows a
+timestamp ID is available again. But there is a deeper problem with the
+implementation, which is the monotonically increasing ocelot_port->ts_id.
+In the presence of packet loss, it will be impossible to detect that and
+reuse one of the holes created in the range of free timestamp IDs.
+
+What we actually need is a bitmap of 63 timestamp IDs tracking which one
+is available. That is able to use up holes caused by packet loss, but
+also gives us a unique opportunity to not implement an actual timer_list
+for the timeout timer (very complicated in terms of locking).
+
+We could only declare a timestamp ID stale on demand (lazily), aka when
+there's no other timestamp ID available. There are pros and cons to this
+approach: the implementation is much more simple than per-packet timers
+would be, but most of the stale packets would be quasi-leaked - not
+really leaked, but blocked in driver memory, since this algorithm sees
+no reason to free them.
+
+An improved technique would be to check for stale timestamp IDs every
+time we allocate a new one. Assuming a constant flux of PTP packets,
+this avoids stale packets being blocked in memory, but of course,
+packets lost at the end of the flux are still blocked until the flux
+resumes (nobody left to kick them out).
+
+Since implementing per-packet timers is way too complicated, this should
+be good enough.
+
+Testing procedure:
+
+Persistently block traffic class 5 and try to run PTP on it:
+$ tc qdisc replace dev swp3 parent root taprio num_tc 8 \
+ map 0 1 2 3 4 5 6 7 queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 \
+ base-time 0 sched-entry S 0xdf 100000 flags 0x2
+[ 126.948141] mscc_felix 0000:00:00.5: port 3 tc 5 min gate length 0 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 1 octets including FCS
+$ ptp4l -i swp3 -2 -P -m --socket_priority 5 --fault_reset_interval ASAP --logSyncInterval -3
+ptp4l[70.351]: port 1 (swp3): INITIALIZING to LISTENING on INIT_COMPLETE
+ptp4l[70.354]: port 0 (/var/run/ptp4l): INITIALIZING to LISTENING on INIT_COMPLETE
+ptp4l[70.358]: port 0 (/var/run/ptp4lro): INITIALIZING to LISTENING on INIT_COMPLETE
+[ 70.394583] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+ptp4l[70.406]: timed out while polling for tx timestamp
+ptp4l[70.406]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it
+ptp4l[70.406]: port 1 (swp3): send peer delay response failed
+ptp4l[70.407]: port 1 (swp3): clearing fault immediately
+ptp4l[70.952]: port 1 (swp3): new foreign master d858d7.fffe.00ca6d-1
+[ 71.394858] mscc_felix 0000:00:00.5: port 3 timestamp id 1
+ptp4l[71.400]: timed out while polling for tx timestamp
+ptp4l[71.400]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it
+ptp4l[71.401]: port 1 (swp3): send peer delay response failed
+ptp4l[71.401]: port 1 (swp3): clearing fault immediately
+[ 72.393616] mscc_felix 0000:00:00.5: port 3 timestamp id 2
+ptp4l[72.401]: timed out while polling for tx timestamp
+ptp4l[72.402]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it
+ptp4l[72.402]: port 1 (swp3): send peer delay response failed
+ptp4l[72.402]: port 1 (swp3): clearing fault immediately
+ptp4l[72.952]: port 1 (swp3): new foreign master d858d7.fffe.00ca6d-1
+[ 73.395291] mscc_felix 0000:00:00.5: port 3 timestamp id 3
+ptp4l[73.400]: timed out while polling for tx timestamp
+ptp4l[73.400]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it
+ptp4l[73.400]: port 1 (swp3): send peer delay response failed
+ptp4l[73.400]: port 1 (swp3): clearing fault immediately
+[ 74.394282] mscc_felix 0000:00:00.5: port 3 timestamp id 4
+ptp4l[74.400]: timed out while polling for tx timestamp
+ptp4l[74.401]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it
+ptp4l[74.401]: port 1 (swp3): send peer delay response failed
+ptp4l[74.401]: port 1 (swp3): clearing fault immediately
+ptp4l[74.953]: port 1 (swp3): new foreign master d858d7.fffe.00ca6d-1
+[ 75.396830] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 0 which seems lost
+[ 75.405760] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+ptp4l[75.410]: timed out while polling for tx timestamp
+ptp4l[75.411]: increasing tx_timestamp_timeout or increasing kworker priority may correct this issue, but a driver bug likely causes it
+ptp4l[75.411]: port 1 (swp3): send peer delay response failed
+ptp4l[75.411]: port 1 (swp3): clearing fault immediately
+(...)
+
+Remove the blocking condition and see that the port recovers:
+$ same tc command as above, but use "sched-entry S 0xff" instead
+$ same ptp4l command as above
+ptp4l[99.489]: port 1 (swp3): INITIALIZING to LISTENING on INIT_COMPLETE
+ptp4l[99.490]: port 0 (/var/run/ptp4l): INITIALIZING to LISTENING on INIT_COMPLETE
+ptp4l[99.492]: port 0 (/var/run/ptp4lro): INITIALIZING to LISTENING on INIT_COMPLETE
+[ 100.403768] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 0 which seems lost
+[ 100.412545] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 1 which seems lost
+[ 100.421283] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 2 which seems lost
+[ 100.430015] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 3 which seems lost
+[ 100.438744] mscc_felix 0000:00:00.5: port 3 invalidating stale timestamp ID 4 which seems lost
+[ 100.447470] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+[ 100.505919] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+ptp4l[100.963]: port 1 (swp3): new foreign master d858d7.fffe.00ca6d-1
+[ 101.405077] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+[ 101.507953] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+[ 102.405405] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+[ 102.509391] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+[ 103.406003] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+[ 103.510011] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+[ 104.405601] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+[ 104.510624] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+ptp4l[104.965]: selected best master clock d858d7.fffe.00ca6d
+ptp4l[104.966]: port 1 (swp3): assuming the grand master role
+ptp4l[104.967]: port 1 (swp3): LISTENING to GRAND_MASTER on RS_GRAND_MASTER
+[ 105.106201] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+[ 105.232420] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+[ 105.359001] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+[ 105.405500] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+[ 105.485356] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+[ 105.511220] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+[ 105.610938] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+[ 105.737237] mscc_felix 0000:00:00.5: port 3 timestamp id 0
+(...)
+
+Notice that in this new usage pattern, a non-congested port should
+basically use timestamp ID 0 all the time, progressing to higher numbers
+only if there are unacknowledged timestamps in flight. Compare this to
+the old usage, where the timestamp ID used to monotonically increase
+modulo OCELOT_MAX_PTP_ID.
+
+In terms of implementation, this simplifies the bookkeeping of the
+ocelot_port :: ts_id and ptp_skbs_in_flight. Since we need to traverse
+the list of two-step timestampable skbs for each new packet anyway, the
+information can already be computed and does not need to be stored.
+Also, ocelot_port->tx_skbs is always accessed under the switch-wide
+ocelot->ts_id_lock IRQ-unsafe spinlock, so we don't need the skb queue's
+lock and can use the unlocked primitives safely.
+
+This problem was actually detected using the tc-taprio offload, and is
+causing trouble in TSN scenarios, which Felix (NXP LS1028A / VSC9959)
+supports but Ocelot (VSC7514) does not. Thus, I've selected the commit
+to blame as the one adding initial timestamping support for the Felix
+switch.
+
+Fixes: c0bcf537667c ("net: dsa: ocelot: add hardware timestamping support for Felix")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20241205145519.1236778-5-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot_ptp.c | 134 +++++++++++++++----------
+ include/linux/dsa/ocelot.h | 1 +
+ include/soc/mscc/ocelot.h | 2 -
+ 3 files changed, 80 insertions(+), 57 deletions(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot_ptp.c b/drivers/net/ethernet/mscc/ocelot_ptp.c
+index d732f99e6391..7eb01d1e1ecd 100644
+--- a/drivers/net/ethernet/mscc/ocelot_ptp.c
++++ b/drivers/net/ethernet/mscc/ocelot_ptp.c
+@@ -14,6 +14,8 @@
+ #include <soc/mscc/ocelot.h>
+ #include "ocelot.h"
+
++#define OCELOT_PTP_TX_TSTAMP_TIMEOUT (5 * HZ)
++
+ int ocelot_ptp_gettime64(struct ptp_clock_info *ptp, struct timespec64 *ts)
+ {
+ struct ocelot *ocelot = container_of(ptp, struct ocelot, ptp_info);
+@@ -603,34 +605,88 @@ int ocelot_get_ts_info(struct ocelot *ocelot, int port,
+ }
+ EXPORT_SYMBOL(ocelot_get_ts_info);
+
+-static int ocelot_port_add_txtstamp_skb(struct ocelot *ocelot, int port,
++static struct sk_buff *ocelot_port_dequeue_ptp_tx_skb(struct ocelot *ocelot,
++ int port, u8 ts_id,
++ u32 seqid)
++{
++ struct ocelot_port *ocelot_port = ocelot->ports[port];
++ struct sk_buff *skb, *skb_tmp, *skb_match = NULL;
++ struct ptp_header *hdr;
++
++ spin_lock(&ocelot->ts_id_lock);
++
++ skb_queue_walk_safe(&ocelot_port->tx_skbs, skb, skb_tmp) {
++ if (OCELOT_SKB_CB(skb)->ts_id != ts_id)
++ continue;
++
++ /* Check that the timestamp ID is for the expected PTP
++ * sequenceId. We don't have to test ptp_parse_header() against
++ * NULL, because we've pre-validated the packet's ptp_class.
++ */
++ hdr = ptp_parse_header(skb, OCELOT_SKB_CB(skb)->ptp_class);
++ if (seqid != ntohs(hdr->sequence_id))
++ continue;
++
++ __skb_unlink(skb, &ocelot_port->tx_skbs);
++ ocelot->ptp_skbs_in_flight--;
++ skb_match = skb;
++ break;
++ }
++
++ spin_unlock(&ocelot->ts_id_lock);
++
++ return skb_match;
++}
++
++static int ocelot_port_queue_ptp_tx_skb(struct ocelot *ocelot, int port,
+ struct sk_buff *clone)
+ {
+ struct ocelot_port *ocelot_port = ocelot->ports[port];
++ DECLARE_BITMAP(ts_id_in_flight, OCELOT_MAX_PTP_ID);
++ struct sk_buff *skb, *skb_tmp;
++ unsigned long n;
+
+ spin_lock(&ocelot->ts_id_lock);
+
+- if (ocelot_port->ptp_skbs_in_flight == OCELOT_MAX_PTP_ID ||
+- ocelot->ptp_skbs_in_flight == OCELOT_PTP_FIFO_SIZE) {
++ /* To get a better chance of acquiring a timestamp ID, first flush the
++ * stale packets still waiting in the TX timestamping queue. They are
++ * probably lost.
++ */
++ skb_queue_walk_safe(&ocelot_port->tx_skbs, skb, skb_tmp) {
++ if (time_before(OCELOT_SKB_CB(skb)->ptp_tx_time +
++ OCELOT_PTP_TX_TSTAMP_TIMEOUT, jiffies)) {
++ dev_warn_ratelimited(ocelot->dev,
++ "port %d invalidating stale timestamp ID %u which seems lost\n",
++ port, OCELOT_SKB_CB(skb)->ts_id);
++ __skb_unlink(skb, &ocelot_port->tx_skbs);
++ kfree_skb(skb);
++ ocelot->ptp_skbs_in_flight--;
++ } else {
++ __set_bit(OCELOT_SKB_CB(skb)->ts_id, ts_id_in_flight);
++ }
++ }
++
++ if (ocelot->ptp_skbs_in_flight == OCELOT_PTP_FIFO_SIZE) {
+ spin_unlock(&ocelot->ts_id_lock);
+ return -EBUSY;
+ }
+
+- skb_shinfo(clone)->tx_flags |= SKBTX_IN_PROGRESS;
+- /* Store timestamp ID in OCELOT_SKB_CB(clone)->ts_id */
+- OCELOT_SKB_CB(clone)->ts_id = ocelot_port->ts_id;
+-
+- ocelot_port->ts_id++;
+- if (ocelot_port->ts_id == OCELOT_MAX_PTP_ID)
+- ocelot_port->ts_id = 0;
++ n = find_first_zero_bit(ts_id_in_flight, OCELOT_MAX_PTP_ID);
++ if (n == OCELOT_MAX_PTP_ID) {
++ spin_unlock(&ocelot->ts_id_lock);
++ return -EBUSY;
++ }
+
+- ocelot_port->ptp_skbs_in_flight++;
++ /* Found an available timestamp ID, use it */
++ OCELOT_SKB_CB(clone)->ts_id = n;
++ OCELOT_SKB_CB(clone)->ptp_tx_time = jiffies;
+ ocelot->ptp_skbs_in_flight++;
+-
+- skb_queue_tail(&ocelot_port->tx_skbs, clone);
++ __skb_queue_tail(&ocelot_port->tx_skbs, clone);
+
+ spin_unlock(&ocelot->ts_id_lock);
+
++ dev_dbg_ratelimited(ocelot->dev, "port %d timestamp id %lu\n", port, n);
++
+ return 0;
+ }
+
+@@ -686,12 +742,14 @@ int ocelot_port_txtstamp_request(struct ocelot *ocelot, int port,
+ if (!(*clone))
+ return -ENOMEM;
+
+- err = ocelot_port_add_txtstamp_skb(ocelot, port, *clone);
++ /* Store timestamp ID in OCELOT_SKB_CB(clone)->ts_id */
++ err = ocelot_port_queue_ptp_tx_skb(ocelot, port, *clone);
+ if (err) {
+ kfree_skb(*clone);
+ return err;
+ }
+
++ skb_shinfo(*clone)->tx_flags |= SKBTX_IN_PROGRESS;
+ OCELOT_SKB_CB(skb)->ptp_cmd = ptp_cmd;
+ OCELOT_SKB_CB(*clone)->ptp_class = ptp_class;
+ }
+@@ -727,26 +785,14 @@ static void ocelot_get_hwtimestamp(struct ocelot *ocelot,
+ spin_unlock_irqrestore(&ocelot->ptp_clock_lock, flags);
+ }
+
+-static bool ocelot_validate_ptp_skb(struct sk_buff *clone, u16 seqid)
+-{
+- struct ptp_header *hdr;
+-
+- hdr = ptp_parse_header(clone, OCELOT_SKB_CB(clone)->ptp_class);
+- if (WARN_ON(!hdr))
+- return false;
+-
+- return seqid == ntohs(hdr->sequence_id);
+-}
+-
+ void ocelot_get_txtstamp(struct ocelot *ocelot)
+ {
+ int budget = OCELOT_PTP_QUEUE_SZ;
+
+ while (budget--) {
+- struct sk_buff *skb, *skb_tmp, *skb_match = NULL;
+ struct skb_shared_hwtstamps shhwtstamps;
+ u32 val, id, seqid, txport;
+- struct ocelot_port *port;
++ struct sk_buff *skb_match;
+ struct timespec64 ts;
+
+ val = ocelot_read(ocelot, SYS_PTP_STATUS);
+@@ -762,36 +808,14 @@ void ocelot_get_txtstamp(struct ocelot *ocelot)
+ txport = SYS_PTP_STATUS_PTP_MESS_TXPORT_X(val);
+ seqid = SYS_PTP_STATUS_PTP_MESS_SEQ_ID(val);
+
+- port = ocelot->ports[txport];
+-
+- spin_lock(&ocelot->ts_id_lock);
+- port->ptp_skbs_in_flight--;
+- ocelot->ptp_skbs_in_flight--;
+- spin_unlock(&ocelot->ts_id_lock);
+-
+ /* Retrieve its associated skb */
+-try_again:
+- spin_lock(&port->tx_skbs.lock);
+-
+- skb_queue_walk_safe(&port->tx_skbs, skb, skb_tmp) {
+- if (OCELOT_SKB_CB(skb)->ts_id != id)
+- continue;
+- __skb_unlink(skb, &port->tx_skbs);
+- skb_match = skb;
+- break;
+- }
+-
+- spin_unlock(&port->tx_skbs.lock);
+-
+- if (WARN_ON(!skb_match))
++ skb_match = ocelot_port_dequeue_ptp_tx_skb(ocelot, txport, id,
++ seqid);
++ if (!skb_match) {
++ dev_warn_ratelimited(ocelot->dev,
++ "port %d received TX timestamp (seqid %d, ts id %u) for packet previously declared stale\n",
++ txport, seqid, id);
+ goto next_ts;
+-
+- if (!ocelot_validate_ptp_skb(skb_match, seqid)) {
+- dev_err_ratelimited(ocelot->dev,
+- "port %d received stale TX timestamp for seqid %d, discarding\n",
+- txport, seqid);
+- kfree_skb(skb);
+- goto try_again;
+ }
+
+ /* Get the h/w timestamp */
+diff --git a/include/linux/dsa/ocelot.h b/include/linux/dsa/ocelot.h
+index 6fbfbde68a37..620a3260fc08 100644
+--- a/include/linux/dsa/ocelot.h
++++ b/include/linux/dsa/ocelot.h
+@@ -15,6 +15,7 @@
+ struct ocelot_skb_cb {
+ struct sk_buff *clone;
+ unsigned int ptp_class; /* valid only for clones */
++ unsigned long ptp_tx_time; /* valid only for clones */
+ u32 tstamp_lo;
+ u8 ptp_cmd;
+ u8 ts_id;
+diff --git a/include/soc/mscc/ocelot.h b/include/soc/mscc/ocelot.h
+index 462c653e1017..2db9ae0575b6 100644
+--- a/include/soc/mscc/ocelot.h
++++ b/include/soc/mscc/ocelot.h
+@@ -778,7 +778,6 @@ struct ocelot_port {
+
+ phy_interface_t phy_mode;
+
+- unsigned int ptp_skbs_in_flight;
+ struct sk_buff_head tx_skbs;
+
+ unsigned int trap_proto;
+@@ -786,7 +785,6 @@ struct ocelot_port {
+ u16 mrp_ring_id;
+
+ u8 ptp_cmd;
+- u8 ts_id;
+
+ u8 index;
+
+--
+2.39.5
+
--- /dev/null
+From 71d69f6a7dd80dbb34d126c9003ac29920072a37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 16:55:15 +0200
+Subject: net: mscc: ocelot: fix memory leak on ocelot_port_add_txtstamp_skb()
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 4b01bec25bef62544228bce06db6a3afa5d3d6bb ]
+
+If ocelot_port_add_txtstamp_skb() fails, for example due to a full PTP
+timestamp FIFO, we must undo the skb_clone_sk() call with kfree_skb().
+Otherwise, the reference to the skb clone is lost.
+
+Fixes: 52849bcf0029 ("net: mscc: ocelot: avoid overflowing the PTP timestamp FIFO")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20241205145519.1236778-2-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot_ptp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot_ptp.c b/drivers/net/ethernet/mscc/ocelot_ptp.c
+index e172638b0601..db00a51a7430 100644
+--- a/drivers/net/ethernet/mscc/ocelot_ptp.c
++++ b/drivers/net/ethernet/mscc/ocelot_ptp.c
+@@ -688,8 +688,10 @@ int ocelot_port_txtstamp_request(struct ocelot *ocelot, int port,
+ return -ENOMEM;
+
+ err = ocelot_port_add_txtstamp_skb(ocelot, port, *clone);
+- if (err)
++ if (err) {
++ kfree_skb(*clone);
+ return err;
++ }
+
+ OCELOT_SKB_CB(skb)->ptp_cmd = ptp_cmd;
+ OCELOT_SKB_CB(*clone)->ptp_class = ptp_class;
+--
+2.39.5
+
--- /dev/null
+From 858a5c7ab2b4cc2a294a5bb56d8f7705be411ef8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 16:55:16 +0200
+Subject: net: mscc: ocelot: improve handling of TX timestamp for unknown skb
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit b6fba4b3f0becb794e274430f3a0839d8ba31262 ]
+
+This condition, theoretically impossible to trigger, is not really
+handled well. By "continuing", we are skipping the write to SYS_PTP_NXT
+which advances the timestamp FIFO to the next entry. So we are reading
+the same FIFO entry all over again, printing stack traces and eventually
+killing the kernel.
+
+No real problem has been observed here. This is part of a larger rework
+of the timestamp IRQ procedure, with this logical change split out into
+a patch of its own. We will need to "goto next_ts" for other conditions
+as well.
+
+Fixes: 9fde506e0c53 ("net: mscc: ocelot: warn when a PTP IRQ is raised for an unknown skb")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20241205145519.1236778-3-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot_ptp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot_ptp.c b/drivers/net/ethernet/mscc/ocelot_ptp.c
+index db00a51a7430..95a5267bc9ce 100644
+--- a/drivers/net/ethernet/mscc/ocelot_ptp.c
++++ b/drivers/net/ethernet/mscc/ocelot_ptp.c
+@@ -786,7 +786,7 @@ void ocelot_get_txtstamp(struct ocelot *ocelot)
+ spin_unlock_irqrestore(&port->tx_skbs.lock, flags);
+
+ if (WARN_ON(!skb_match))
+- continue;
++ goto next_ts;
+
+ if (!ocelot_validate_ptp_skb(skb_match, seqid)) {
+ dev_err_ratelimited(ocelot->dev,
+@@ -804,7 +804,7 @@ void ocelot_get_txtstamp(struct ocelot *ocelot)
+ shhwtstamps.hwtstamp = ktime_set(ts.tv_sec, ts.tv_nsec);
+ skb_complete_tx_timestamp(skb_match, &shhwtstamps);
+
+- /* Next ts */
++next_ts:
+ ocelot_write(ocelot, SYS_PTP_NXT_PTP_NXT, SYS_PTP_NXT);
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From a0a9b0156ad5caf44128d0fb9a4756a95944a6bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 16:55:17 +0200
+Subject: net: mscc: ocelot: ocelot->ts_id_lock and ocelot_port->tx_skbs.lock
+ are IRQ-safe
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 0c53cdb95eb4a604062e326636971d96dd9b1b26 ]
+
+ocelot_get_txtstamp() is a threaded IRQ handler, requested explicitly as
+such by both ocelot_ptp_rdy_irq_handler() and vsc9959_irq_handler().
+
+As such, it runs with IRQs enabled, and not in hardirq context. Thus,
+ocelot_port_add_txtstamp_skb() has no reason to turn off IRQs, it cannot
+be preempted by ocelot_get_txtstamp(). For the same reason,
+dev_kfree_skb_any_reason() will always evaluate as kfree_skb_reason() in
+this calling context, so just simplify the dev_kfree_skb_any() call to
+kfree_skb().
+
+Also, ocelot_port_txtstamp_request() runs from NET_TX softirq context,
+not with hardirqs enabled. Thus, ocelot_get_txtstamp() which shares the
+ocelot_port->tx_skbs.lock lock with it, has no reason to disable hardirqs.
+
+This is part of a larger rework of the TX timestamping procedure.
+A logical subportion of the rework has been split into a separate
+change.
+
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20241205145519.1236778-4-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: b454abfab525 ("net: mscc: ocelot: be resilient to loss of PTP packets during transmission")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot_ptp.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot_ptp.c b/drivers/net/ethernet/mscc/ocelot_ptp.c
+index 95a5267bc9ce..d732f99e6391 100644
+--- a/drivers/net/ethernet/mscc/ocelot_ptp.c
++++ b/drivers/net/ethernet/mscc/ocelot_ptp.c
+@@ -607,13 +607,12 @@ static int ocelot_port_add_txtstamp_skb(struct ocelot *ocelot, int port,
+ struct sk_buff *clone)
+ {
+ struct ocelot_port *ocelot_port = ocelot->ports[port];
+- unsigned long flags;
+
+- spin_lock_irqsave(&ocelot->ts_id_lock, flags);
++ spin_lock(&ocelot->ts_id_lock);
+
+ if (ocelot_port->ptp_skbs_in_flight == OCELOT_MAX_PTP_ID ||
+ ocelot->ptp_skbs_in_flight == OCELOT_PTP_FIFO_SIZE) {
+- spin_unlock_irqrestore(&ocelot->ts_id_lock, flags);
++ spin_unlock(&ocelot->ts_id_lock);
+ return -EBUSY;
+ }
+
+@@ -630,7 +629,7 @@ static int ocelot_port_add_txtstamp_skb(struct ocelot *ocelot, int port,
+
+ skb_queue_tail(&ocelot_port->tx_skbs, clone);
+
+- spin_unlock_irqrestore(&ocelot->ts_id_lock, flags);
++ spin_unlock(&ocelot->ts_id_lock);
+
+ return 0;
+ }
+@@ -749,7 +748,6 @@ void ocelot_get_txtstamp(struct ocelot *ocelot)
+ u32 val, id, seqid, txport;
+ struct ocelot_port *port;
+ struct timespec64 ts;
+- unsigned long flags;
+
+ val = ocelot_read(ocelot, SYS_PTP_STATUS);
+
+@@ -773,7 +771,7 @@ void ocelot_get_txtstamp(struct ocelot *ocelot)
+
+ /* Retrieve its associated skb */
+ try_again:
+- spin_lock_irqsave(&port->tx_skbs.lock, flags);
++ spin_lock(&port->tx_skbs.lock);
+
+ skb_queue_walk_safe(&port->tx_skbs, skb, skb_tmp) {
+ if (OCELOT_SKB_CB(skb)->ts_id != id)
+@@ -783,7 +781,7 @@ void ocelot_get_txtstamp(struct ocelot *ocelot)
+ break;
+ }
+
+- spin_unlock_irqrestore(&port->tx_skbs.lock, flags);
++ spin_unlock(&port->tx_skbs.lock);
+
+ if (WARN_ON(!skb_match))
+ goto next_ts;
+@@ -792,7 +790,7 @@ void ocelot_get_txtstamp(struct ocelot *ocelot)
+ dev_err_ratelimited(ocelot->dev,
+ "port %d received stale TX timestamp for seqid %d, discarding\n",
+ txport, seqid);
+- dev_kfree_skb_any(skb);
++ kfree_skb(skb);
+ goto try_again;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 95ce36ca4e371d7f13f8615fbd9bb9f6e365f533 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 16:55:19 +0200
+Subject: net: mscc: ocelot: perform error cleanup in ocelot_hwstamp_set()
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 43a4166349a254446e7a3db65f721c6a30daccf3 ]
+
+An unsupported RX filter will leave the port with TX timestamping still
+applied as per the new request, rather than the old setting. When
+parsing the tx_type, don't apply it just yet, but delay that until after
+we've parsed the rx_filter as well (and potentially returned -ERANGE for
+that).
+
+Similarly, copy_to_user() may fail, which is a rare occurrence, but
+should still be treated by unwinding what was done.
+
+Fixes: 96ca08c05838 ("net: mscc: ocelot: set up traps for PTP packets")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20241205145519.1236778-6-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mscc/ocelot_ptp.c | 59 ++++++++++++++++++--------
+ 1 file changed, 42 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/net/ethernet/mscc/ocelot_ptp.c b/drivers/net/ethernet/mscc/ocelot_ptp.c
+index 7eb01d1e1ecd..808ce8e68d39 100644
+--- a/drivers/net/ethernet/mscc/ocelot_ptp.c
++++ b/drivers/net/ethernet/mscc/ocelot_ptp.c
+@@ -497,6 +497,28 @@ static int ocelot_traps_to_ptp_rx_filter(unsigned int proto)
+ return HWTSTAMP_FILTER_NONE;
+ }
+
++static int ocelot_ptp_tx_type_to_cmd(int tx_type, int *ptp_cmd)
++{
++ switch (tx_type) {
++ case HWTSTAMP_TX_ON:
++ *ptp_cmd = IFH_REW_OP_TWO_STEP_PTP;
++ break;
++ case HWTSTAMP_TX_ONESTEP_SYNC:
++ /* IFH_REW_OP_ONE_STEP_PTP updates the correctionField,
++ * what we need to update is the originTimestamp.
++ */
++ *ptp_cmd = IFH_REW_OP_ORIGIN_PTP;
++ break;
++ case HWTSTAMP_TX_OFF:
++ *ptp_cmd = 0;
++ break;
++ default:
++ return -ERANGE;
++ }
++
++ return 0;
++}
++
+ int ocelot_hwstamp_get(struct ocelot *ocelot, int port, struct ifreq *ifr)
+ {
+ struct ocelot_port *ocelot_port = ocelot->ports[port];
+@@ -523,30 +545,19 @@ EXPORT_SYMBOL(ocelot_hwstamp_get);
+ int ocelot_hwstamp_set(struct ocelot *ocelot, int port, struct ifreq *ifr)
+ {
+ struct ocelot_port *ocelot_port = ocelot->ports[port];
++ int ptp_cmd, old_ptp_cmd = ocelot_port->ptp_cmd;
+ bool l2 = false, l4 = false;
+ struct hwtstamp_config cfg;
++ bool old_l2, old_l4;
+ int err;
+
+ if (copy_from_user(&cfg, ifr->ifr_data, sizeof(cfg)))
+ return -EFAULT;
+
+ /* Tx type sanity check */
+- switch (cfg.tx_type) {
+- case HWTSTAMP_TX_ON:
+- ocelot_port->ptp_cmd = IFH_REW_OP_TWO_STEP_PTP;
+- break;
+- case HWTSTAMP_TX_ONESTEP_SYNC:
+- /* IFH_REW_OP_ONE_STEP_PTP updates the correctional field, we
+- * need to update the origin time.
+- */
+- ocelot_port->ptp_cmd = IFH_REW_OP_ORIGIN_PTP;
+- break;
+- case HWTSTAMP_TX_OFF:
+- ocelot_port->ptp_cmd = 0;
+- break;
+- default:
+- return -ERANGE;
+- }
++ err = ocelot_ptp_tx_type_to_cmd(cfg.tx_type, &ptp_cmd);
++ if (err)
++ return err;
+
+ switch (cfg.rx_filter) {
+ case HWTSTAMP_FILTER_NONE:
+@@ -571,13 +582,27 @@ int ocelot_hwstamp_set(struct ocelot *ocelot, int port, struct ifreq *ifr)
+ return -ERANGE;
+ }
+
++ old_l2 = ocelot_port->trap_proto & OCELOT_PROTO_PTP_L2;
++ old_l4 = ocelot_port->trap_proto & OCELOT_PROTO_PTP_L4;
++
+ err = ocelot_setup_ptp_traps(ocelot, port, l2, l4);
+ if (err)
+ return err;
+
++ ocelot_port->ptp_cmd = ptp_cmd;
++
+ cfg.rx_filter = ocelot_traps_to_ptp_rx_filter(ocelot_port->trap_proto);
+
+- return copy_to_user(ifr->ifr_data, &cfg, sizeof(cfg)) ? -EFAULT : 0;
++ if (copy_to_user(ifr->ifr_data, &cfg, sizeof(cfg))) {
++ err = -EFAULT;
++ goto out_restore_ptp_traps;
++ }
++
++ return 0;
++out_restore_ptp_traps:
++ ocelot_setup_ptp_traps(ocelot, port, old_l2, old_l4);
++ ocelot_port->ptp_cmd = old_ptp_cmd;
++ return err;
+ }
+ EXPORT_SYMBOL(ocelot_hwstamp_set);
+
+--
+2.39.5
+
--- /dev/null
+From 3825d2ac123f0444a8176bc3ac92a6756c12b7e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Dec 2024 14:50:04 +0500
+Subject: net: renesas: rswitch: avoid use-after-put for a device tree node
+
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+
+[ Upstream commit 66b7e9f85b8459c823b11e9af69dbf4be5eb6be8 ]
+
+The device tree node saved in the rswitch_device structure is used at
+several driver locations. So passing this node to of_node_put() after
+the first use is wrong.
+
+Move of_node_put() for this node to exit paths.
+
+Fixes: b46f1e579329 ("net: renesas: rswitch: Simplify struct phy * handling")
+Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://patch.msgid.link/20241208095004.69468-5-nikita.yoush@cogentembedded.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/rswitch.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c
+index af0bc95ad6ae..3b57abada200 100644
+--- a/drivers/net/ethernet/renesas/rswitch.c
++++ b/drivers/net/ethernet/renesas/rswitch.c
+@@ -1891,7 +1891,6 @@ static int rswitch_device_alloc(struct rswitch_private *priv, unsigned int index
+ rdev->np_port = rswitch_get_port_node(rdev);
+ rdev->disabled = !rdev->np_port;
+ err = of_get_ethdev_address(rdev->np_port, ndev);
+- of_node_put(rdev->np_port);
+ if (err) {
+ if (is_valid_ether_addr(rdev->etha->mac_addr))
+ eth_hw_addr_set(ndev, rdev->etha->mac_addr);
+@@ -1921,6 +1920,7 @@ static int rswitch_device_alloc(struct rswitch_private *priv, unsigned int index
+
+ out_rxdmac:
+ out_get_params:
++ of_node_put(rdev->np_port);
+ netif_napi_del(&rdev->napi);
+ free_netdev(ndev);
+
+@@ -1934,6 +1934,7 @@ static void rswitch_device_free(struct rswitch_private *priv, unsigned int index
+
+ rswitch_txdmac_free(ndev);
+ rswitch_rxdmac_free(ndev);
++ of_node_put(rdev->np_port);
+ netif_napi_del(&rdev->napi);
+ free_netdev(ndev);
+ }
+--
+2.39.5
+
--- /dev/null
+From 782bac5e2c35cb9f77b76aa99748dc77bf4438fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 10:30:12 +0500
+Subject: net: renesas: rswitch: fix initial MPIC register setting
+
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+
+[ Upstream commit fb9e6039c325cc205a368046dc03c56c87df2310 ]
+
+MPIC.PIS must be set per phy interface type.
+MPIC.LSC must be set per speed.
+
+Do that strictly per datasheet, instead of hardcoding MPIC.PIS to GMII.
+
+Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"")
+Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Link: https://patch.msgid.link/20241211053012.368914-1-nikita.yoush@cogentembedded.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/rswitch.c | 27 ++++++++++++++++++++------
+ drivers/net/ethernet/renesas/rswitch.h | 14 ++++++-------
+ 2 files changed, 28 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c
+index 9dffb7cf1254..09117110e3dd 100644
+--- a/drivers/net/ethernet/renesas/rswitch.c
++++ b/drivers/net/ethernet/renesas/rswitch.c
+@@ -1116,25 +1116,40 @@ static int rswitch_etha_wait_link_verification(struct rswitch_etha *etha)
+
+ static void rswitch_rmac_setting(struct rswitch_etha *etha, const u8 *mac)
+ {
+- u32 val;
++ u32 pis, lsc;
+
+ rswitch_etha_write_mac_address(etha, mac);
+
++ switch (etha->phy_interface) {
++ case PHY_INTERFACE_MODE_SGMII:
++ pis = MPIC_PIS_GMII;
++ break;
++ case PHY_INTERFACE_MODE_USXGMII:
++ case PHY_INTERFACE_MODE_5GBASER:
++ pis = MPIC_PIS_XGMII;
++ break;
++ default:
++ pis = FIELD_GET(MPIC_PIS, ioread32(etha->addr + MPIC));
++ break;
++ }
++
+ switch (etha->speed) {
+ case 100:
+- val = MPIC_LSC_100M;
++ lsc = MPIC_LSC_100M;
+ break;
+ case 1000:
+- val = MPIC_LSC_1G;
++ lsc = MPIC_LSC_1G;
+ break;
+ case 2500:
+- val = MPIC_LSC_2_5G;
++ lsc = MPIC_LSC_2_5G;
+ break;
+ default:
+- return;
++ lsc = FIELD_GET(MPIC_LSC, ioread32(etha->addr + MPIC));
++ break;
+ }
+
+- iowrite32(MPIC_PIS_GMII | val, etha->addr + MPIC);
++ rswitch_modify(etha->addr, MPIC, MPIC_PIS | MPIC_LSC,
++ FIELD_PREP(MPIC_PIS, pis) | FIELD_PREP(MPIC_LSC, lsc));
+ }
+
+ static void rswitch_etha_enable_mii(struct rswitch_etha *etha)
+diff --git a/drivers/net/ethernet/renesas/rswitch.h b/drivers/net/ethernet/renesas/rswitch.h
+index 72e3ff596d31..e020800dcc57 100644
+--- a/drivers/net/ethernet/renesas/rswitch.h
++++ b/drivers/net/ethernet/renesas/rswitch.h
+@@ -724,13 +724,13 @@ enum rswitch_etha_mode {
+
+ #define EAVCC_VEM_SC_TAG (0x3 << 16)
+
+-#define MPIC_PIS_MII 0x00
+-#define MPIC_PIS_GMII 0x02
+-#define MPIC_PIS_XGMII 0x04
+-#define MPIC_LSC_SHIFT 3
+-#define MPIC_LSC_100M (1 << MPIC_LSC_SHIFT)
+-#define MPIC_LSC_1G (2 << MPIC_LSC_SHIFT)
+-#define MPIC_LSC_2_5G (3 << MPIC_LSC_SHIFT)
++#define MPIC_PIS GENMASK(2, 0)
++#define MPIC_PIS_GMII 2
++#define MPIC_PIS_XGMII 4
++#define MPIC_LSC GENMASK(5, 3)
++#define MPIC_LSC_100M 1
++#define MPIC_LSC_1G 2
++#define MPIC_LSC_2_5G 3
+
+ #define MDIO_READ_C45 0x03
+ #define MDIO_WRITE_C45 0x01
+--
+2.39.5
+
--- /dev/null
+From 0b33b71437792773cfa7113e2b070274291e044e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Dec 2024 14:50:03 +0500
+Subject: net: renesas: rswitch: fix leaked pointer on error path
+
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+
+[ Upstream commit bb617328bafa1023d8e9c25a25345a564c66c14f ]
+
+If error path is taken while filling descriptor for a frame, skb
+pointer is left in the entry. Later, on the ring entry reuse, the
+same entry could be used as a part of a multi-descriptor frame,
+and skb for that new frame could be stored in a different entry.
+
+Then, the stale pointer will reach the completion routine, and passed
+to the release operation.
+
+Fix that by clearing the saved skb pointer at the error path.
+
+Fixes: d2c96b9d5f83 ("net: rswitch: Add jumbo frames handling for TX")
+Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://patch.msgid.link/20241208095004.69468-4-nikita.yoush@cogentembedded.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/rswitch.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c
+index c251becef6f8..af0bc95ad6ae 100644
+--- a/drivers/net/ethernet/renesas/rswitch.c
++++ b/drivers/net/ethernet/renesas/rswitch.c
+@@ -1703,6 +1703,7 @@ static netdev_tx_t rswitch_start_xmit(struct sk_buff *skb, struct net_device *nd
+ return ret;
+
+ err_unmap:
++ gq->skbs[(gq->cur + nr_desc - 1) % gq->ring_size] = NULL;
+ dma_unmap_single(ndev->dev.parent, dma_addr_orig, skb->len, DMA_TO_DEVICE);
+
+ err_kfree:
+--
+2.39.5
+
--- /dev/null
+From 0a6888a799f11203e4f9b7a3c427dd682634b9cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Dec 2024 14:50:01 +0500
+Subject: net: renesas: rswitch: fix possible early skb release
+
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+
+[ Upstream commit 5cb099902b6b6292b3a85ffa1bb844e0ba195945 ]
+
+When sending frame split into multiple descriptors, hardware processes
+descriptors one by one, including writing back DT values. The first
+descriptor could be already marked as completed when processing of
+next descriptors for the same frame is still in progress.
+
+Although only the last descriptor is configured to generate interrupt,
+completion of the first descriptor could be noticed by the driver when
+handling interrupt for the previous frame.
+
+Currently, driver stores skb in the entry that corresponds to the first
+descriptor. This results into skb could be unmapped and freed when
+hardware did not complete the send yet. This opens a window for
+corrupting the data being sent.
+
+Fix this by saving skb in the entry that corresponds to the last
+descriptor used to send the frame.
+
+Fixes: d2c96b9d5f83 ("net: rswitch: Add jumbo frames handling for TX")
+Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://patch.msgid.link/20241208095004.69468-2-nikita.yoush@cogentembedded.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/rswitch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c
+index b80aa27a7214..32b32aa7e01f 100644
+--- a/drivers/net/ethernet/renesas/rswitch.c
++++ b/drivers/net/ethernet/renesas/rswitch.c
+@@ -1681,8 +1681,9 @@ static netdev_tx_t rswitch_start_xmit(struct sk_buff *skb, struct net_device *nd
+ if (dma_mapping_error(ndev->dev.parent, dma_addr_orig))
+ goto err_kfree;
+
+- gq->skbs[gq->cur] = skb;
+- gq->unmap_addrs[gq->cur] = dma_addr_orig;
++ /* Stored the skb at the last descriptor to avoid skb free before hardware completes send */
++ gq->skbs[(gq->cur + nr_desc - 1) % gq->ring_size] = skb;
++ gq->unmap_addrs[(gq->cur + nr_desc - 1) % gq->ring_size] = dma_addr_orig;
+
+ /* DT_FSTART should be set at last. So, this is reverse order. */
+ for (i = nr_desc; i-- > 0; ) {
+--
+2.39.5
+
--- /dev/null
+From b82d0b0657f544dc16255b1743fad56014bf1979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Dec 2024 14:50:02 +0500
+Subject: net: renesas: rswitch: fix race window between tx start and complete
+
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+
+[ Upstream commit 0c9547e6ccf40455b0574cf589be3b152a3edf5b ]
+
+If hardware is already transmitting, it can start handling the
+descriptor being written to immediately after it observes updated DT
+field, before the queue is kicked by a write to GWTRC.
+
+If the start_xmit() execution is preempted at unfortunate moment, this
+transmission can complete, and interrupt handled, before gq->cur gets
+updated. With the current implementation of completion, this will cause
+the last entry not completed.
+
+Fix that by changing completion loop to check DT values directly, instead
+of depending on gq->cur.
+
+Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"")
+Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://patch.msgid.link/20241208095004.69468-3-nikita.yoush@cogentembedded.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/rswitch.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c
+index 32b32aa7e01f..c251becef6f8 100644
+--- a/drivers/net/ethernet/renesas/rswitch.c
++++ b/drivers/net/ethernet/renesas/rswitch.c
+@@ -862,13 +862,10 @@ static void rswitch_tx_free(struct net_device *ndev)
+ struct rswitch_ext_desc *desc;
+ struct sk_buff *skb;
+
+- for (; rswitch_get_num_cur_queues(gq) > 0;
+- gq->dirty = rswitch_next_queue_index(gq, false, 1)) {
+- desc = &gq->tx_ring[gq->dirty];
+- if ((desc->desc.die_dt & DT_MASK) != DT_FEMPTY)
+- break;
+-
++ desc = &gq->tx_ring[gq->dirty];
++ while ((desc->desc.die_dt & DT_MASK) == DT_FEMPTY) {
+ dma_rmb();
++
+ skb = gq->skbs[gq->dirty];
+ if (skb) {
+ rdev->ndev->stats.tx_packets++;
+@@ -879,7 +876,10 @@ static void rswitch_tx_free(struct net_device *ndev)
+ dev_kfree_skb_any(gq->skbs[gq->dirty]);
+ gq->skbs[gq->dirty] = NULL;
+ }
++
+ desc->desc.die_dt = DT_EEMPTY;
++ gq->dirty = rswitch_next_queue_index(gq, false, 1);
++ desc = &gq->tx_ring[gq->dirty];
+ }
+ }
+
+@@ -1685,6 +1685,8 @@ static netdev_tx_t rswitch_start_xmit(struct sk_buff *skb, struct net_device *nd
+ gq->skbs[(gq->cur + nr_desc - 1) % gq->ring_size] = skb;
+ gq->unmap_addrs[(gq->cur + nr_desc - 1) % gq->ring_size] = dma_addr_orig;
+
++ dma_wmb();
++
+ /* DT_FSTART should be set at last. So, this is reverse order. */
+ for (i = nr_desc; i-- > 0; ) {
+ desc = &gq->tx_ring[rswitch_next_queue_index(gq, true, i)];
+@@ -1695,8 +1697,6 @@ static netdev_tx_t rswitch_start_xmit(struct sk_buff *skb, struct net_device *nd
+ goto err_unmap;
+ }
+
+- wmb(); /* gq->cur must be incremented after die_dt was set */
+-
+ gq->cur = rswitch_next_queue_index(gq, true, nr_desc);
+ rswitch_modify(rdev->addr, GWTRC(gq->index), 0, BIT(gq->index % 32));
+
+--
+2.39.5
+
--- /dev/null
+From 997269d0ebdf37fba665a178e3aec7b69ddc80a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2024 16:32:04 +0500
+Subject: net: renesas: rswitch: handle stop vs interrupt race
+
+From: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+
+[ Upstream commit 3dd002f20098b9569f8fd7f8703f364571e2e975 ]
+
+Currently the stop routine of rswitch driver does not immediately
+prevent hardware from continuing to update descriptors and requesting
+interrupts.
+
+It can happen that when rswitch_stop() executes the masking of
+interrupts from the queues of the port being closed, napi poll for
+that port is already scheduled or running on a different CPU. When
+execution of this napi poll completes, it will unmask the interrupts.
+And unmasked interrupt can fire after rswitch_stop() returns from
+napi_disable() call. Then, the handler won't mask it, because
+napi_schedule_prep() will return false, and interrupt storm will
+happen.
+
+This can't be fixed by making rswitch_stop() call napi_disable() before
+masking interrupts. In this case, the interrupt storm will happen if
+interrupt fires between napi_disable() and masking.
+
+Fix this by checking for priv->opened_ports bit when unmasking
+interrupts after napi poll. For that to be consistent, move
+priv->opened_ports changes into spinlock-protected areas, and reorder
+other operations in rswitch_open() and rswitch_stop() accordingly.
+
+Signed-off-by: Nikita Yushchenko <nikita.yoush@cogentembedded.com>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"")
+Link: https://patch.msgid.link/20241209113204.175015-1-nikita.yoush@cogentembedded.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/rswitch.c | 33 ++++++++++++++------------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c
+index 3b57abada200..9dffb7cf1254 100644
+--- a/drivers/net/ethernet/renesas/rswitch.c
++++ b/drivers/net/ethernet/renesas/rswitch.c
+@@ -908,8 +908,10 @@ static int rswitch_poll(struct napi_struct *napi, int budget)
+
+ if (napi_complete_done(napi, budget - quota)) {
+ spin_lock_irqsave(&priv->lock, flags);
+- rswitch_enadis_data_irq(priv, rdev->tx_queue->index, true);
+- rswitch_enadis_data_irq(priv, rdev->rx_queue->index, true);
++ if (test_bit(rdev->port, priv->opened_ports)) {
++ rswitch_enadis_data_irq(priv, rdev->tx_queue->index, true);
++ rswitch_enadis_data_irq(priv, rdev->rx_queue->index, true);
++ }
+ spin_unlock_irqrestore(&priv->lock, flags);
+ }
+
+@@ -1538,20 +1540,20 @@ static int rswitch_open(struct net_device *ndev)
+ struct rswitch_device *rdev = netdev_priv(ndev);
+ unsigned long flags;
+
+- phy_start(ndev->phydev);
++ if (bitmap_empty(rdev->priv->opened_ports, RSWITCH_NUM_PORTS))
++ iowrite32(GWCA_TS_IRQ_BIT, rdev->priv->addr + GWTSDIE);
+
+ napi_enable(&rdev->napi);
+- netif_start_queue(ndev);
+
+ spin_lock_irqsave(&rdev->priv->lock, flags);
++ bitmap_set(rdev->priv->opened_ports, rdev->port, 1);
+ rswitch_enadis_data_irq(rdev->priv, rdev->tx_queue->index, true);
+ rswitch_enadis_data_irq(rdev->priv, rdev->rx_queue->index, true);
+ spin_unlock_irqrestore(&rdev->priv->lock, flags);
+
+- if (bitmap_empty(rdev->priv->opened_ports, RSWITCH_NUM_PORTS))
+- iowrite32(GWCA_TS_IRQ_BIT, rdev->priv->addr + GWTSDIE);
++ phy_start(ndev->phydev);
+
+- bitmap_set(rdev->priv->opened_ports, rdev->port, 1);
++ netif_start_queue(ndev);
+
+ return 0;
+ };
+@@ -1563,7 +1565,16 @@ static int rswitch_stop(struct net_device *ndev)
+ unsigned long flags;
+
+ netif_tx_stop_all_queues(ndev);
++
++ phy_stop(ndev->phydev);
++
++ spin_lock_irqsave(&rdev->priv->lock, flags);
++ rswitch_enadis_data_irq(rdev->priv, rdev->tx_queue->index, false);
++ rswitch_enadis_data_irq(rdev->priv, rdev->rx_queue->index, false);
+ bitmap_clear(rdev->priv->opened_ports, rdev->port, 1);
++ spin_unlock_irqrestore(&rdev->priv->lock, flags);
++
++ napi_disable(&rdev->napi);
+
+ if (bitmap_empty(rdev->priv->opened_ports, RSWITCH_NUM_PORTS))
+ iowrite32(GWCA_TS_IRQ_BIT, rdev->priv->addr + GWTSDID);
+@@ -1576,14 +1587,6 @@ static int rswitch_stop(struct net_device *ndev)
+ kfree(ts_info);
+ }
+
+- spin_lock_irqsave(&rdev->priv->lock, flags);
+- rswitch_enadis_data_irq(rdev->priv, rdev->tx_queue->index, false);
+- rswitch_enadis_data_irq(rdev->priv, rdev->rx_queue->index, false);
+- spin_unlock_irqrestore(&rdev->priv->lock, flags);
+-
+- phy_stop(ndev->phydev);
+- napi_disable(&rdev->napi);
+-
+ return 0;
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 829f96282846f93f1f2d4f4a0f0b2c410b880d7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 14:14:11 +0100
+Subject: net/sched: netem: account for backlog updates from child qdisc
+
+From: Martin Ottens <martin.ottens@fau.de>
+
+[ Upstream commit f8d4bc455047cf3903cd6f85f49978987dbb3027 ]
+
+In general, 'qlen' of any classful qdisc should keep track of the
+number of packets that the qdisc itself and all of its children holds.
+In case of netem, 'qlen' only accounts for the packets in its internal
+tfifo. When netem is used with a child qdisc, the child qdisc can use
+'qdisc_tree_reduce_backlog' to inform its parent, netem, about created
+or dropped SKBs. This function updates 'qlen' and the backlog statistics
+of netem, but netem does not account for changes made by a child qdisc.
+'qlen' then indicates the wrong number of packets in the tfifo.
+If a child qdisc creates new SKBs during enqueue and informs its parent
+about this, netem's 'qlen' value is increased. When netem dequeues the
+newly created SKBs from the child, the 'qlen' in netem is not updated.
+If 'qlen' reaches the configured sch->limit, the enqueue function stops
+working, even though the tfifo is not full.
+
+Reproduce the bug:
+Ensure that the sender machine has GSO enabled. Configure netem as root
+qdisc and tbf as its child on the outgoing interface of the machine
+as follows:
+$ tc qdisc add dev <oif> root handle 1: netem delay 100ms limit 100
+$ tc qdisc add dev <oif> parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms
+
+Send bulk TCP traffic out via this interface, e.g., by running an iPerf3
+client on the machine. Check the qdisc statistics:
+$ tc -s qdisc show dev <oif>
+
+Statistics after 10s of iPerf3 TCP test before the fix (note that
+netem's backlog > limit, netem stopped accepting packets):
+qdisc netem 1: root refcnt 2 limit 1000 delay 100ms
+ Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0)
+ backlog 4294528236b 1155p requeues 0
+qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms
+ Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0)
+ backlog 0b 0p requeues 0
+
+Statistics after the fix:
+qdisc netem 1: root refcnt 2 limit 1000 delay 100ms
+ Sent 37766372 bytes 24974 pkt (dropped 9, overlimits 0 requeues 0)
+ backlog 0b 0p requeues 0
+qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms
+ Sent 37766372 bytes 24974 pkt (dropped 327, overlimits 96017 requeues 0)
+ backlog 0b 0p requeues 0
+
+tbf segments the GSO SKBs (tbf_segment) and updates the netem's 'qlen'.
+The interface fully stops transferring packets and "locks". In this case,
+the child qdisc and tfifo are empty, but 'qlen' indicates the tfifo is at
+its limit and no more packets are accepted.
+
+This patch adds a counter for the entries in the tfifo. Netem's 'qlen' is
+only decreased when a packet is returned by its dequeue function, and not
+during enqueuing into the child qdisc. External updates to 'qlen' are thus
+accounted for and only the behavior of the backlog statistics changes. As
+in other qdiscs, 'qlen' then keeps track of how many packets are held in
+netem and all of its children. As before, sch->limit remains as the
+maximum number of packets in the tfifo. The same applies to netem's
+backlog statistics.
+
+Fixes: 50612537e9ab ("netem: fix classful handling")
+Signed-off-by: Martin Ottens <martin.ottens@fau.de>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20241210131412.1837202-1-martin.ottens@fau.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_netem.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
+index 39382ee1e331..3b519adc0125 100644
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -78,6 +78,8 @@ struct netem_sched_data {
+ struct sk_buff *t_head;
+ struct sk_buff *t_tail;
+
++ u32 t_len;
++
+ /* optional qdisc for classful handling (NULL at netem init) */
+ struct Qdisc *qdisc;
+
+@@ -382,6 +384,7 @@ static void tfifo_reset(struct Qdisc *sch)
+ rtnl_kfree_skbs(q->t_head, q->t_tail);
+ q->t_head = NULL;
+ q->t_tail = NULL;
++ q->t_len = 0;
+ }
+
+ static void tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch)
+@@ -411,6 +414,7 @@ static void tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch)
+ rb_link_node(&nskb->rbnode, parent, p);
+ rb_insert_color(&nskb->rbnode, &q->t_root);
+ }
++ q->t_len++;
+ sch->q.qlen++;
+ }
+
+@@ -517,7 +521,7 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+ 1<<get_random_u32_below(8);
+ }
+
+- if (unlikely(sch->q.qlen >= sch->limit)) {
++ if (unlikely(q->t_len >= sch->limit)) {
+ /* re-link segs, so that qdisc_drop_all() frees them all */
+ skb->next = segs;
+ qdisc_drop_all(skb, sch, to_free);
+@@ -701,8 +705,8 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
+ tfifo_dequeue:
+ skb = __qdisc_dequeue_head(&sch->q);
+ if (skb) {
+- qdisc_qstats_backlog_dec(sch, skb);
+ deliver:
++ qdisc_qstats_backlog_dec(sch, skb);
+ qdisc_bstats_update(sch, skb);
+ return skb;
+ }
+@@ -718,8 +722,7 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
+
+ if (time_to_send <= now && q->slot.slot_next <= now) {
+ netem_erase_head(q, skb);
+- sch->q.qlen--;
+- qdisc_qstats_backlog_dec(sch, skb);
++ q->t_len--;
+ skb->next = NULL;
+ skb->prev = NULL;
+ /* skb->dev shares skb->rbnode area,
+@@ -746,16 +749,21 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
+ if (net_xmit_drop_count(err))
+ qdisc_qstats_drop(sch);
+ qdisc_tree_reduce_backlog(sch, 1, pkt_len);
++ sch->qstats.backlog -= pkt_len;
++ sch->q.qlen--;
+ }
+ goto tfifo_dequeue;
+ }
++ sch->q.qlen--;
+ goto deliver;
+ }
+
+ if (q->qdisc) {
+ skb = q->qdisc->ops->dequeue(q->qdisc);
+- if (skb)
++ if (skb) {
++ sch->q.qlen--;
+ goto deliver;
++ }
+ }
+
+ qdisc_watchdog_schedule_ns(&q->watchdog,
+@@ -765,8 +773,10 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
+
+ if (q->qdisc) {
+ skb = q->qdisc->ops->dequeue(q->qdisc);
+- if (skb)
++ if (skb) {
++ sch->q.qlen--;
+ goto deliver;
++ }
+ }
+ return NULL;
+ }
+--
+2.39.5
+
--- /dev/null
+From a88ee71e3f41551e49fe44d175c37615293dc490 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 14:54:26 +0100
+Subject: net: sparx5: fix FDMA performance issue
+
+From: Daniel Machon <daniel.machon@microchip.com>
+
+[ Upstream commit f004f2e535e2b66ccbf5ac35f8eaadeac70ad7b7 ]
+
+The FDMA handler is responsible for scheduling a NAPI poll, which will
+eventually fetch RX packets from the FDMA queue. Currently, the FDMA
+handler is run in a threaded context. For some reason, this kills
+performance. Admittedly, I did not do a thorough investigation to see
+exactly what causes the issue, however, I noticed that in the other
+driver utilizing the same FDMA engine, we run the FDMA handler in hard
+IRQ context.
+
+Fix this performance issue, by running the FDMA handler in hard IRQ
+context, not deferring any work to a thread.
+
+Prior to this change, the RX UDP performance was:
+
+Interval Transfer Bitrate Jitter
+0.00-10.20 sec 44.6 MBytes 36.7 Mbits/sec 0.027 ms
+
+After this change, the rx UDP performance is:
+
+Interval Transfer Bitrate Jitter
+0.00-9.12 sec 1.01 GBytes 953 Mbits/sec 0.020 ms
+
+Fixes: 10615907e9b5 ("net: sparx5: switchdev: adding frame DMA functionality")
+Signed-off-by: Daniel Machon <daniel.machon@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/sparx5/sparx5_main.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_main.c b/drivers/net/ethernet/microchip/sparx5/sparx5_main.c
+index b64c814eac11..0c4c75b3682f 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_main.c
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_main.c
+@@ -693,12 +693,11 @@ static int sparx5_start(struct sparx5 *sparx5)
+ err = -ENXIO;
+ if (sparx5->fdma_irq >= 0) {
+ if (GCB_CHIP_ID_REV_ID_GET(sparx5->chip_id) > 0)
+- err = devm_request_threaded_irq(sparx5->dev,
+- sparx5->fdma_irq,
+- NULL,
+- sparx5_fdma_handler,
+- IRQF_ONESHOT,
+- "sparx5-fdma", sparx5);
++ err = devm_request_irq(sparx5->dev,
++ sparx5->fdma_irq,
++ sparx5_fdma_handler,
++ 0,
++ "sparx5-fdma", sparx5);
+ if (!err)
+ err = sparx5_fdma_start(sparx5);
+ if (err)
+--
+2.39.5
+
--- /dev/null
+From e1d420e1e9087d38b869d5ad221f5fbbd96f97da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 14:54:28 +0100
+Subject: net: sparx5: fix the maximum frame length register
+
+From: Daniel Machon <daniel.machon@microchip.com>
+
+[ Upstream commit ddd7ba006078a2bef5971b2dc5f8383d47f96207 ]
+
+On port initialization, we configure the maximum frame length accepted
+by the receive module associated with the port. This value is currently
+written to the MAX_LEN field of the DEV10G_MAC_ENA_CFG register, when in
+fact, it should be written to the DEV10G_MAC_MAXLEN_CFG register. Fix
+this.
+
+Fixes: 946e7fd5053a ("net: sparx5: add port module support")
+Signed-off-by: Daniel Machon <daniel.machon@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/sparx5/sparx5_port.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_port.c b/drivers/net/ethernet/microchip/sparx5/sparx5_port.c
+index 062e486c002c..672508efce5c 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_port.c
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_port.c
+@@ -1119,7 +1119,7 @@ int sparx5_port_init(struct sparx5 *sparx5,
+ spx5_inst_rmw(DEV10G_MAC_MAXLEN_CFG_MAX_LEN_SET(ETH_MAXLEN),
+ DEV10G_MAC_MAXLEN_CFG_MAX_LEN,
+ devinst,
+- DEV10G_MAC_ENA_CFG(0));
++ DEV10G_MAC_MAXLEN_CFG(0));
+
+ /* Handle Signal Detect in 10G PCS */
+ spx5_inst_wr(PCS10G_BR_PCS_SD_CFG_SD_POL_SET(sd_pol) |
+--
+2.39.5
+
--- /dev/null
+From db226a143ff53b7d6b03560b4428a245233f2038 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 15:12:41 +0100
+Subject: net, team, bonding: Add netdev_base_features helper
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit d2516c3a53705f783bb6868df0f4a2b977898a71 ]
+
+Both bonding and team driver have logic to derive the base feature
+flags before iterating over their slave devices to refine the set
+via netdev_increment_features().
+
+Add a small helper netdev_base_features() so this can be reused
+instead of having it open-coded multiple times.
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Nikolay Aleksandrov <razor@blackwall.org>
+Cc: Ido Schimmel <idosch@idosch.org>
+Cc: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20241210141245.327886-1-daniel@iogearbox.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: d064ea7fe2a2 ("bonding: Fix initial {vlan,mpls}_feature set in bond_compute_features")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 4 +---
+ drivers/net/team/team_core.c | 3 +--
+ include/linux/netdev_features.h | 7 +++++++
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 15e0f14d0d49..166910693fd7 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1520,9 +1520,7 @@ static netdev_features_t bond_fix_features(struct net_device *dev,
+ struct slave *slave;
+
+ mask = features;
+-
+- features &= ~NETIF_F_ONE_FOR_ALL;
+- features |= NETIF_F_ALL_FOR_ALL;
++ features = netdev_base_features(features);
+
+ bond_for_each_slave(bond, slave, iter) {
+ features = netdev_increment_features(features,
+diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
+index 18191d5a8bd4..481c8df8842f 100644
+--- a/drivers/net/team/team_core.c
++++ b/drivers/net/team/team_core.c
+@@ -2012,8 +2012,7 @@ static netdev_features_t team_fix_features(struct net_device *dev,
+ netdev_features_t mask;
+
+ mask = features;
+- features &= ~NETIF_F_ONE_FOR_ALL;
+- features |= NETIF_F_ALL_FOR_ALL;
++ features = netdev_base_features(features);
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(port, &team->port_list, list) {
+diff --git a/include/linux/netdev_features.h b/include/linux/netdev_features.h
+index 66e7d26b70a4..11be70a7929f 100644
+--- a/include/linux/netdev_features.h
++++ b/include/linux/netdev_features.h
+@@ -253,4 +253,11 @@ static inline int find_next_netdev_feature(u64 feature, unsigned long start)
+ NETIF_F_GSO_UDP_TUNNEL | \
+ NETIF_F_GSO_UDP_TUNNEL_CSUM)
+
++static inline netdev_features_t netdev_base_features(netdev_features_t features)
++{
++ features &= ~NETIF_F_ONE_FOR_ALL;
++ features |= NETIF_F_ALL_FOR_ALL;
++ return features;
++}
++
+ #endif /* _LINUX_NETDEV_FEATURES_H */
+--
+2.39.5
+
--- /dev/null
+From b2d4378ab3706bf06c9c358fb54c445afda1e378 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 19:32:29 +0100
+Subject: netfilter: IDLETIMER: Fix for possible ABBA deadlock
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit f36b01994d68ffc253c8296e2228dfe6e6431c03 ]
+
+Deletion of the last rule referencing a given idletimer may happen at
+the same time as a read of its file in sysfs:
+
+| ======================================================
+| WARNING: possible circular locking dependency detected
+| 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted
+| ------------------------------------------------------
+| iptables/3303 is trying to acquire lock:
+| ffff8881057e04b8 (kn->active#48){++++}-{0:0}, at: __kernfs_remove+0x20
+|
+| but task is already holding lock:
+| ffffffffa0249068 (list_mutex){+.+.}-{3:3}, at: idletimer_tg_destroy_v]
+|
+| which lock already depends on the new lock.
+
+A simple reproducer is:
+
+| #!/bin/bash
+|
+| while true; do
+| iptables -A INPUT -i foo -j IDLETIMER --timeout 10 --label "testme"
+| iptables -D INPUT -i foo -j IDLETIMER --timeout 10 --label "testme"
+| done &
+| while true; do
+| cat /sys/class/xt_idletimer/timers/testme >/dev/null
+| done
+
+Avoid this by freeing list_mutex right after deleting the element from
+the list, then continuing with the teardown.
+
+Fixes: 0902b469bd25 ("netfilter: xtables: idletimer target implementation")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_IDLETIMER.c | 52 +++++++++++++++++++-----------------
+ 1 file changed, 28 insertions(+), 24 deletions(-)
+
+diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
+index f8b25b6f5da7..9869ef3c2ab3 100644
+--- a/net/netfilter/xt_IDLETIMER.c
++++ b/net/netfilter/xt_IDLETIMER.c
+@@ -409,21 +409,23 @@ static void idletimer_tg_destroy(const struct xt_tgdtor_param *par)
+
+ mutex_lock(&list_mutex);
+
+- if (--info->timer->refcnt == 0) {
+- pr_debug("deleting timer %s\n", info->label);
+-
+- list_del(&info->timer->entry);
+- timer_shutdown_sync(&info->timer->timer);
+- cancel_work_sync(&info->timer->work);
+- sysfs_remove_file(idletimer_tg_kobj, &info->timer->attr.attr);
+- kfree(info->timer->attr.attr.name);
+- kfree(info->timer);
+- } else {
++ if (--info->timer->refcnt > 0) {
+ pr_debug("decreased refcnt of timer %s to %u\n",
+ info->label, info->timer->refcnt);
++ mutex_unlock(&list_mutex);
++ return;
+ }
+
++ pr_debug("deleting timer %s\n", info->label);
++
++ list_del(&info->timer->entry);
+ mutex_unlock(&list_mutex);
++
++ timer_shutdown_sync(&info->timer->timer);
++ cancel_work_sync(&info->timer->work);
++ sysfs_remove_file(idletimer_tg_kobj, &info->timer->attr.attr);
++ kfree(info->timer->attr.attr.name);
++ kfree(info->timer);
+ }
+
+ static void idletimer_tg_destroy_v1(const struct xt_tgdtor_param *par)
+@@ -434,25 +436,27 @@ static void idletimer_tg_destroy_v1(const struct xt_tgdtor_param *par)
+
+ mutex_lock(&list_mutex);
+
+- if (--info->timer->refcnt == 0) {
+- pr_debug("deleting timer %s\n", info->label);
+-
+- list_del(&info->timer->entry);
+- if (info->timer->timer_type & XT_IDLETIMER_ALARM) {
+- alarm_cancel(&info->timer->alarm);
+- } else {
+- timer_shutdown_sync(&info->timer->timer);
+- }
+- cancel_work_sync(&info->timer->work);
+- sysfs_remove_file(idletimer_tg_kobj, &info->timer->attr.attr);
+- kfree(info->timer->attr.attr.name);
+- kfree(info->timer);
+- } else {
++ if (--info->timer->refcnt > 0) {
+ pr_debug("decreased refcnt of timer %s to %u\n",
+ info->label, info->timer->refcnt);
++ mutex_unlock(&list_mutex);
++ return;
+ }
+
++ pr_debug("deleting timer %s\n", info->label);
++
++ list_del(&info->timer->entry);
+ mutex_unlock(&list_mutex);
++
++ if (info->timer->timer_type & XT_IDLETIMER_ALARM) {
++ alarm_cancel(&info->timer->alarm);
++ } else {
++ timer_shutdown_sync(&info->timer->timer);
++ }
++ cancel_work_sync(&info->timer->work);
++ sysfs_remove_file(idletimer_tg_kobj, &info->timer->attr.attr);
++ kfree(info->timer->attr.attr.name);
++ kfree(info->timer);
+ }
+
+
+--
+2.39.5
+
--- /dev/null
+From 0c839d5b145459d98b016ca1da6d3b06979ee532 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Dec 2024 12:14:48 +0100
+Subject: netfilter: nf_tables: do not defer rule destruction via call_rcu
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit b04df3da1b5c6f6dc7cdccc37941740c078c4043 ]
+
+nf_tables_chain_destroy can sleep, it can't be used from call_rcu
+callbacks.
+
+Moreover, nf_tables_rule_release() is only safe for error unwinding,
+while transaction mutex is held and the to-be-desroyed rule was not
+exposed to either dataplane or dumps, as it deactives+frees without
+the required synchronize_rcu() in-between.
+
+nft_rule_expr_deactivate() callbacks will change ->use counters
+of other chains/sets, see e.g. nft_lookup .deactivate callback, these
+must be serialized via transaction mutex.
+
+Also add a few lockdep asserts to make this more explicit.
+
+Calling synchronize_rcu() isn't ideal, but fixing this without is hard
+and way more intrusive. As-is, we can get:
+
+WARNING: .. net/netfilter/nf_tables_api.c:5515 nft_set_destroy+0x..
+Workqueue: events nf_tables_trans_destroy_work
+RIP: 0010:nft_set_destroy+0x3fe/0x5c0
+Call Trace:
+ <TASK>
+ nf_tables_trans_destroy_work+0x6b7/0xad0
+ process_one_work+0x64a/0xce0
+ worker_thread+0x613/0x10d0
+
+In case the synchronize_rcu becomes an issue, we can explore alternatives.
+
+One way would be to allocate nft_trans_rule objects + one nft_trans_chain
+object, deactivate the rules + the chain and then defer the freeing to the
+nft destroy workqueue. We'd still need to keep the synchronize_rcu path as
+a fallback to handle -ENOMEM corner cases though.
+
+Reported-by: syzbot+b26935466701e56cfdc2@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67478d92.050a0220.253251.0062.GAE@google.com/T/
+Fixes: c03d278fdf35 ("netfilter: nf_tables: wait for rcu grace period on net_device removal")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_tables.h | 4 ----
+ net/netfilter/nf_tables_api.c | 32 +++++++++++++++----------------
+ 2 files changed, 15 insertions(+), 21 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index 066a3ea33b12..91ae20cb7648 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -1103,7 +1103,6 @@ struct nft_rule_blob {
+ * @name: name of the chain
+ * @udlen: user data length
+ * @udata: user data in the chain
+- * @rcu_head: rcu head for deferred release
+ * @blob_next: rule blob pointer to the next in the chain
+ */
+ struct nft_chain {
+@@ -1121,7 +1120,6 @@ struct nft_chain {
+ char *name;
+ u16 udlen;
+ u8 *udata;
+- struct rcu_head rcu_head;
+
+ /* Only used during control plane commit phase: */
+ struct nft_rule_blob *blob_next;
+@@ -1265,7 +1263,6 @@ static inline void nft_use_inc_restore(u32 *use)
+ * @sets: sets in the table
+ * @objects: stateful objects in the table
+ * @flowtables: flow tables in the table
+- * @net: netnamespace this table belongs to
+ * @hgenerator: handle generator state
+ * @handle: table handle
+ * @use: number of chain references to this table
+@@ -1285,7 +1282,6 @@ struct nft_table {
+ struct list_head sets;
+ struct list_head objects;
+ struct list_head flowtables;
+- possible_net_t net;
+ u64 hgenerator;
+ u64 handle;
+ u32 use;
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 4a137afaf0b8..0c5ff4afc370 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1495,7 +1495,6 @@ static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
+ INIT_LIST_HEAD(&table->sets);
+ INIT_LIST_HEAD(&table->objects);
+ INIT_LIST_HEAD(&table->flowtables);
+- write_pnet(&table->net, net);
+ table->family = family;
+ table->flags = flags;
+ table->handle = ++nft_net->table_handle;
+@@ -3884,8 +3883,11 @@ void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule)
+ kfree(rule);
+ }
+
++/* can only be used if rule is no longer visible to dumps */
+ static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule)
+ {
++ lockdep_commit_lock_is_held(ctx->net);
++
+ nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
+ nf_tables_rule_destroy(ctx, rule);
+ }
+@@ -5650,6 +5652,8 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
+ struct nft_set_binding *binding,
+ enum nft_trans_phase phase)
+ {
++ lockdep_commit_lock_is_held(ctx->net);
++
+ switch (phase) {
+ case NFT_TRANS_PREPARE_ERROR:
+ nft_set_trans_unbind(ctx, set);
+@@ -11456,19 +11460,6 @@ static void __nft_release_basechain_now(struct nft_ctx *ctx)
+ nf_tables_chain_destroy(ctx->chain);
+ }
+
+-static void nft_release_basechain_rcu(struct rcu_head *head)
+-{
+- struct nft_chain *chain = container_of(head, struct nft_chain, rcu_head);
+- struct nft_ctx ctx = {
+- .family = chain->table->family,
+- .chain = chain,
+- .net = read_pnet(&chain->table->net),
+- };
+-
+- __nft_release_basechain_now(&ctx);
+- put_net(ctx.net);
+-}
+-
+ int __nft_release_basechain(struct nft_ctx *ctx)
+ {
+ struct nft_rule *rule;
+@@ -11483,11 +11474,18 @@ int __nft_release_basechain(struct nft_ctx *ctx)
+ nft_chain_del(ctx->chain);
+ nft_use_dec(&ctx->table->use);
+
+- if (maybe_get_net(ctx->net))
+- call_rcu(&ctx->chain->rcu_head, nft_release_basechain_rcu);
+- else
++ if (!maybe_get_net(ctx->net)) {
+ __nft_release_basechain_now(ctx);
++ return 0;
++ }
++
++ /* wait for ruleset dumps to complete. Owning chain is no longer in
++ * lists, so new dumps can't find any of these rules anymore.
++ */
++ synchronize_rcu();
+
++ __nft_release_basechain_now(ctx);
++ put_net(ctx->net);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(__nft_release_basechain);
+--
+2.39.5
+
--- /dev/null
+From 1f106e3c9f292394a5b51b596ef4fbd8d10f74c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Nov 2024 11:47:25 -0300
+Subject: perf machine: Initialize machine->env to address a segfault
+
+From: Arnaldo Carvalho de Melo <acme@kernel.org>
+
+[ Upstream commit 88a6e2f67cc94f751a74409ab4c21e5fc8ea6757 ]
+
+Its used from trace__run(), for the 'perf trace' live mode, i.e. its
+strace-like, non-perf.data file processing mode, the most common one.
+
+The trace__run() function will set trace->host using machine__new_host()
+that is supposed to give a machine instance representing the running
+machine, and since we'll use perf_env__arch_strerrno() to get the right
+errno -> string table, we need to use machine->env, so initialize it in
+machine__new_host().
+
+Before the patch:
+
+ (gdb) run trace --errno-summary -a sleep 1
+ <SNIP>
+ Summary of events:
+
+ gvfs-afc-volume (3187), 2 events, 0.0%
+
+ syscall calls errors total min avg max stddev
+ (msec) (msec) (msec) (msec) (%)
+ --------------- -------- ------ -------- --------- --------- --------- ------
+ pselect6 1 0 0.000 0.000 0.000 0.000 0.00%
+
+ GUsbEventThread (3519), 2 events, 0.0%
+
+ syscall calls errors total min avg max stddev
+ (msec) (msec) (msec) (msec) (%)
+ --------------- -------- ------ -------- --------- --------- --------- ------
+ poll 1 0 0.000 0.000 0.000 0.000 0.00%
+ <SNIP>
+ Program received signal SIGSEGV, Segmentation fault.
+ 0x00000000005caba0 in perf_env__arch_strerrno (env=0x0, err=110) at util/env.c:478
+ 478 if (env->arch_strerrno == NULL)
+ (gdb) bt
+ #0 0x00000000005caba0 in perf_env__arch_strerrno (env=0x0, err=110) at util/env.c:478
+ #1 0x00000000004b75d2 in thread__dump_stats (ttrace=0x14f58f0, trace=0x7fffffffa5b0, fp=0x7ffff6ff74e0 <_IO_2_1_stderr_>) at builtin-trace.c:4673
+ #2 0x00000000004b78bf in trace__fprintf_thread (fp=0x7ffff6ff74e0 <_IO_2_1_stderr_>, thread=0x10fa0b0, trace=0x7fffffffa5b0) at builtin-trace.c:4708
+ #3 0x00000000004b7ad9 in trace__fprintf_thread_summary (trace=0x7fffffffa5b0, fp=0x7ffff6ff74e0 <_IO_2_1_stderr_>) at builtin-trace.c:4747
+ #4 0x00000000004b656e in trace__run (trace=0x7fffffffa5b0, argc=2, argv=0x7fffffffde60) at builtin-trace.c:4456
+ #5 0x00000000004ba43e in cmd_trace (argc=2, argv=0x7fffffffde60) at builtin-trace.c:5487
+ #6 0x00000000004c0414 in run_builtin (p=0xec3068 <commands+648>, argc=5, argv=0x7fffffffde60) at perf.c:351
+ #7 0x00000000004c06bb in handle_internal_command (argc=5, argv=0x7fffffffde60) at perf.c:404
+ #8 0x00000000004c0814 in run_argv (argcp=0x7fffffffdc4c, argv=0x7fffffffdc40) at perf.c:448
+ #9 0x00000000004c0b5d in main (argc=5, argv=0x7fffffffde60) at perf.c:560
+ (gdb)
+
+After:
+
+ root@number:~# perf trace -a --errno-summary sleep 1
+ <SNIP>
+ pw-data-loop (2685), 1410 events, 16.0%
+
+ syscall calls errors total min avg max stddev
+ (msec) (msec) (msec) (msec) (%)
+ --------------- -------- ------ -------- --------- --------- --------- ------
+ epoll_wait 188 0 983.428 0.000 5.231 15.595 8.68%
+ ioctl 94 0 0.811 0.004 0.009 0.016 2.82%
+ read 188 0 0.322 0.001 0.002 0.006 5.15%
+ write 141 0 0.280 0.001 0.002 0.018 8.39%
+ timerfd_settime 94 0 0.138 0.001 0.001 0.007 6.47%
+
+ gnome-control-c (179406), 1848 events, 20.9%
+
+ syscall calls errors total min avg max stddev
+ (msec) (msec) (msec) (msec) (%)
+ --------------- -------- ------ -------- --------- --------- --------- ------
+ poll 222 0 959.577 0.000 4.322 21.414 11.40%
+ recvmsg 150 0 0.539 0.001 0.004 0.013 5.12%
+ write 300 0 0.442 0.001 0.001 0.007 3.29%
+ read 150 0 0.183 0.001 0.001 0.009 5.53%
+ getpid 102 0 0.101 0.000 0.001 0.008 7.82%
+
+ root@number:~#
+
+Fixes: 54373b5d53c1f6aa ("perf env: Introduce perf_env__arch_strerrno()")
+Reported-by: Veronika Molnarova <vmolnaro@redhat.com>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Acked-by: Veronika Molnarova <vmolnaro@redhat.com>
+Acked-by: Michael Petlan <mpetlan@redhat.com>
+Tested-by: Michael Petlan <mpetlan@redhat.com>
+Link: https://lore.kernel.org/r/Z0XffUgNSv_9OjOi@x1
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/machine.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
+index 4f0ac998b0cc..27d5345d2b30 100644
+--- a/tools/perf/util/machine.c
++++ b/tools/perf/util/machine.c
+@@ -134,6 +134,8 @@ struct machine *machine__new_host(void)
+
+ if (machine__create_kernel_maps(machine) < 0)
+ goto out_delete;
++
++ machine->env = &perf_env;
+ }
+
+ return machine;
+--
+2.39.5
+
--- /dev/null
+From 9aa58caa1c895fb1b9337019c5d238fb79a14de7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Nov 2024 19:13:31 -0800
+Subject: perf tools: Fix build-id event recording
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 23c44f6c83257923b179461694edcf62749bedd5 ]
+
+The build-id events written at the end of the record session are broken
+due to unexpected data. The write_buildid() writes the fixed length
+event first and then variable length filename.
+
+But a recent change made it write more data in the padding area
+accidentally. So readers of the event see zero-filled data for the
+next entry and treat it incorrectly. This resulted in wrong kernel
+symbols because the kernel DSO loaded a random vmlinux image in the
+path as it didn't have a valid build-id.
+
+Fixes: ae39ba16554e ("perf inject: Fix build ID injection")
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/Z0aRFFW9xMh3mqKB@google.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/build-id.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/build-id.c b/tools/perf/util/build-id.c
+index 8982f68e7230..e763e8d99a43 100644
+--- a/tools/perf/util/build-id.c
++++ b/tools/perf/util/build-id.c
+@@ -277,7 +277,7 @@ static int write_buildid(const char *name, size_t name_len, struct build_id *bid
+ struct perf_record_header_build_id b;
+ size_t len;
+
+- len = sizeof(b) + name_len + 1;
++ len = name_len + 1;
+ len = PERF_ALIGN(len, sizeof(u64));
+
+ memset(&b, 0, sizeof(b));
+@@ -286,7 +286,7 @@ static int write_buildid(const char *name, size_t name_len, struct build_id *bid
+ misc |= PERF_RECORD_MISC_BUILD_ID_SIZE;
+ b.pid = pid;
+ b.header.misc = misc;
+- b.header.size = len;
++ b.header.size = sizeof(b) + len;
+
+ err = do_write(fd, &b, sizeof(b));
+ if (err < 0)
+--
+2.39.5
+
--- /dev/null
+From 939e70e54ccc258ea67a6c84f787ce6eb0ef83e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2024 18:09:55 +0100
+Subject: ptp: kvm: x86: Return EOPNOTSUPP instead of ENODEV from
+ kvm_arch_ptp_init()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit 5e7aa97c7acf171275ac02a8bb018c31b8918d13 ]
+
+The caller, ptp_kvm_init(), emits a warning if kvm_arch_ptp_init() exits
+with any error which is not EOPNOTSUPP:
+
+ "fail to initialize ptp_kvm"
+
+Replace ENODEV with EOPNOTSUPP to avoid this spurious warning,
+aligning with the ARM implementation.
+
+Fixes: a86ed2cfa13c ("ptp: Don't print an error if ptp_kvm is not supported")
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Link: https://patch.msgid.link/20241203-kvm_ptp-eopnotsuppp-v2-1-d1d060f27aa6@weissschuh.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ptp/ptp_kvm_x86.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/ptp/ptp_kvm_x86.c b/drivers/ptp/ptp_kvm_x86.c
+index 617c8d6706d3..6cea4fe39bcf 100644
+--- a/drivers/ptp/ptp_kvm_x86.c
++++ b/drivers/ptp/ptp_kvm_x86.c
+@@ -26,7 +26,7 @@ int kvm_arch_ptp_init(void)
+ long ret;
+
+ if (!kvm_para_available())
+- return -ENODEV;
++ return -EOPNOTSUPP;
+
+ if (cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT)) {
+ p = alloc_page(GFP_KERNEL | __GFP_ZERO);
+@@ -46,14 +46,14 @@ int kvm_arch_ptp_init(void)
+
+ clock_pair_gpa = slow_virt_to_phys(clock_pair);
+ if (!pvclock_get_pvti_cpu0_va()) {
+- ret = -ENODEV;
++ ret = -EOPNOTSUPP;
+ goto err;
+ }
+
+ ret = kvm_hypercall2(KVM_HC_CLOCK_PAIRING, clock_pair_gpa,
+ KVM_CLOCK_PAIRING_WALLCLOCK);
+ if (ret == -KVM_ENOSYS) {
+- ret = -ENODEV;
++ ret = -EOPNOTSUPP;
+ goto err;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 4fa3d117f9781fe37d7e6316ee5f914d4e049f8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 19:46:42 +0100
+Subject: qca_spi: Fix clock speed for multiple QCA7000
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+[ Upstream commit 4dba406fac06b009873fe7a28231b9b7e4288b09 ]
+
+Storing the maximum clock speed in module parameter qcaspi_clkspeed
+has the unintended side effect that the first probed instance
+defines the value for all other instances. Fix this issue by storing
+it in max_speed_hz of the relevant SPI device.
+
+This fix keeps the priority of the speed parameter (module parameter,
+device tree property, driver default). Btw this uses the opportunity
+to get the rid of the unused member clkspeed.
+
+Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Link: https://patch.msgid.link/20241206184643.123399-2-wahrenst@gmx.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qualcomm/qca_spi.c | 24 ++++++++++--------------
+ drivers/net/ethernet/qualcomm/qca_spi.h | 1 -
+ 2 files changed, 10 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c
+index 8f7ce6b51a1c..a73426a8c429 100644
+--- a/drivers/net/ethernet/qualcomm/qca_spi.c
++++ b/drivers/net/ethernet/qualcomm/qca_spi.c
+@@ -812,7 +812,6 @@ qcaspi_netdev_init(struct net_device *dev)
+
+ dev->mtu = QCAFRM_MAX_MTU;
+ dev->type = ARPHRD_ETHER;
+- qca->clkspeed = qcaspi_clkspeed;
+ qca->burst_len = qcaspi_burst_len;
+ qca->spi_thread = NULL;
+ qca->buffer_size = (QCAFRM_MAX_MTU + VLAN_ETH_HLEN + QCAFRM_HEADER_LEN +
+@@ -903,17 +902,15 @@ qca_spi_probe(struct spi_device *spi)
+ legacy_mode = of_property_read_bool(spi->dev.of_node,
+ "qca,legacy-mode");
+
+- if (qcaspi_clkspeed == 0) {
+- if (spi->max_speed_hz)
+- qcaspi_clkspeed = spi->max_speed_hz;
+- else
+- qcaspi_clkspeed = QCASPI_CLK_SPEED;
+- }
++ if (qcaspi_clkspeed)
++ spi->max_speed_hz = qcaspi_clkspeed;
++ else if (!spi->max_speed_hz)
++ spi->max_speed_hz = QCASPI_CLK_SPEED;
+
+- if ((qcaspi_clkspeed < QCASPI_CLK_SPEED_MIN) ||
+- (qcaspi_clkspeed > QCASPI_CLK_SPEED_MAX)) {
+- dev_err(&spi->dev, "Invalid clkspeed: %d\n",
+- qcaspi_clkspeed);
++ if (spi->max_speed_hz < QCASPI_CLK_SPEED_MIN ||
++ spi->max_speed_hz > QCASPI_CLK_SPEED_MAX) {
++ dev_err(&spi->dev, "Invalid clkspeed: %u\n",
++ spi->max_speed_hz);
+ return -EINVAL;
+ }
+
+@@ -938,14 +935,13 @@ qca_spi_probe(struct spi_device *spi)
+ return -EINVAL;
+ }
+
+- dev_info(&spi->dev, "ver=%s, clkspeed=%d, burst_len=%d, pluggable=%d\n",
++ dev_info(&spi->dev, "ver=%s, clkspeed=%u, burst_len=%d, pluggable=%d\n",
+ QCASPI_DRV_VERSION,
+- qcaspi_clkspeed,
++ spi->max_speed_hz,
+ qcaspi_burst_len,
+ qcaspi_pluggable);
+
+ spi->mode = SPI_MODE_3;
+- spi->max_speed_hz = qcaspi_clkspeed;
+ if (spi_setup(spi) < 0) {
+ dev_err(&spi->dev, "Unable to setup SPI device\n");
+ return -EFAULT;
+diff --git a/drivers/net/ethernet/qualcomm/qca_spi.h b/drivers/net/ethernet/qualcomm/qca_spi.h
+index 8f4808695e82..0831cefc58b8 100644
+--- a/drivers/net/ethernet/qualcomm/qca_spi.h
++++ b/drivers/net/ethernet/qualcomm/qca_spi.h
+@@ -89,7 +89,6 @@ struct qcaspi {
+ #endif
+
+ /* user configurable options */
+- u32 clkspeed;
+ u8 legacy_mode;
+ u16 burst_len;
+ };
+--
+2.39.5
+
--- /dev/null
+From 61a9870dee8cf0be6b5a30d71a9be35ae4ab6cdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 19:46:43 +0100
+Subject: qca_spi: Make driver probing reliable
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+[ Upstream commit becc6399ce3b724cffe9ccb7ef0bff440bb1b62b ]
+
+The module parameter qcaspi_pluggable controls if QCA7000 signature
+should be checked at driver probe (current default) or not. Unfortunately
+this could fail in case the chip is temporary in reset, which isn't under
+total control by the Linux host. So disable this check per default
+in order to avoid unexpected probe failures.
+
+Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Link: https://patch.msgid.link/20241206184643.123399-3-wahrenst@gmx.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qualcomm/qca_spi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qualcomm/qca_spi.c b/drivers/net/ethernet/qualcomm/qca_spi.c
+index a73426a8c429..6b4b40c6e1fe 100644
+--- a/drivers/net/ethernet/qualcomm/qca_spi.c
++++ b/drivers/net/ethernet/qualcomm/qca_spi.c
+@@ -53,7 +53,7 @@ MODULE_PARM_DESC(qcaspi_burst_len, "Number of data bytes per burst. Use 1-5000."
+
+ #define QCASPI_PLUGGABLE_MIN 0
+ #define QCASPI_PLUGGABLE_MAX 1
+-static int qcaspi_pluggable = QCASPI_PLUGGABLE_MIN;
++static int qcaspi_pluggable = QCASPI_PLUGGABLE_MAX;
+ module_param(qcaspi_pluggable, int, 0);
+ MODULE_PARM_DESC(qcaspi_pluggable, "Pluggable SPI connection (yes/no).");
+
+--
+2.39.5
+
--- /dev/null
+From 87e8c809c47a12c4e90e2a65bc2fddc1f83e8aae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Dec 2024 13:43:08 +0100
+Subject: regulator: axp20x: AXP717: set ramp_delay
+
+From: Philippe Simons <simons.philippe@gmail.com>
+
+[ Upstream commit f07ae52f5cf6a5584fdf7c8c652f027d90bc8b74 ]
+
+AXP717 datasheet says that regulator ramp delay is 15.625 us/step,
+which is 10mV in our case.
+
+Add a AXP_DESC_RANGES_DELAY macro and update AXP_DESC_RANGES macro to
+expand to AXP_DESC_RANGES_DELAY with ramp_delay = 0
+
+For DCDC4, steps is 100mv
+
+Add a AXP_DESC_DELAY macro and update AXP_DESC macro to
+expand to AXP_DESC_DELAY with ramp_delay = 0
+
+This patch fix crashes when using CPU DVFS.
+
+Signed-off-by: Philippe Simons <simons.philippe@gmail.com>
+Tested-by: Hironori KIKUCHI <kikuchan98@gmail.com>
+Tested-by: Chris Morgan <macromorgan@hotmail.com>
+Reviewed-by: Chen-Yu Tsai <wens@csie.org>
+Fixes: d2ac3df75c3a ("regulator: axp20x: add support for the AXP717")
+Link: https://patch.msgid.link/20241208124308.5630-1-simons.philippe@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/axp20x-regulator.c | 36 ++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/regulator/axp20x-regulator.c b/drivers/regulator/axp20x-regulator.c
+index a8e91d9d028b..945d2917b91b 100644
+--- a/drivers/regulator/axp20x-regulator.c
++++ b/drivers/regulator/axp20x-regulator.c
+@@ -371,8 +371,8 @@
+ .ops = &axp20x_ops, \
+ }
+
+-#define AXP_DESC(_family, _id, _match, _supply, _min, _max, _step, _vreg, \
+- _vmask, _ereg, _emask) \
++#define AXP_DESC_DELAY(_family, _id, _match, _supply, _min, _max, _step, _vreg, \
++ _vmask, _ereg, _emask, _ramp_delay) \
+ [_family##_##_id] = { \
+ .name = (_match), \
+ .supply_name = (_supply), \
+@@ -388,9 +388,15 @@
+ .vsel_mask = (_vmask), \
+ .enable_reg = (_ereg), \
+ .enable_mask = (_emask), \
++ .ramp_delay = (_ramp_delay), \
+ .ops = &axp20x_ops, \
+ }
+
++#define AXP_DESC(_family, _id, _match, _supply, _min, _max, _step, _vreg, \
++ _vmask, _ereg, _emask) \
++ AXP_DESC_DELAY(_family, _id, _match, _supply, _min, _max, _step, _vreg, \
++ _vmask, _ereg, _emask, 0)
++
+ #define AXP_DESC_SW(_family, _id, _match, _supply, _ereg, _emask) \
+ [_family##_##_id] = { \
+ .name = (_match), \
+@@ -419,8 +425,8 @@
+ .ops = &axp20x_ops_fixed \
+ }
+
+-#define AXP_DESC_RANGES(_family, _id, _match, _supply, _ranges, _n_voltages, \
+- _vreg, _vmask, _ereg, _emask) \
++#define AXP_DESC_RANGES_DELAY(_family, _id, _match, _supply, _ranges, _n_voltages, \
++ _vreg, _vmask, _ereg, _emask, _ramp_delay) \
+ [_family##_##_id] = { \
+ .name = (_match), \
+ .supply_name = (_supply), \
+@@ -436,9 +442,15 @@
+ .enable_mask = (_emask), \
+ .linear_ranges = (_ranges), \
+ .n_linear_ranges = ARRAY_SIZE(_ranges), \
++ .ramp_delay = (_ramp_delay), \
+ .ops = &axp20x_ops_range, \
+ }
+
++#define AXP_DESC_RANGES(_family, _id, _match, _supply, _ranges, _n_voltages, \
++ _vreg, _vmask, _ereg, _emask) \
++ AXP_DESC_RANGES_DELAY(_family, _id, _match, _supply, _ranges, \
++ _n_voltages, _vreg, _vmask, _ereg, _emask, 0)
++
+ static const int axp209_dcdc2_ldo3_slew_rates[] = {
+ 1600,
+ 800,
+@@ -781,21 +793,21 @@ static const struct linear_range axp717_dcdc3_ranges[] = {
+ };
+
+ static const struct regulator_desc axp717_regulators[] = {
+- AXP_DESC_RANGES(AXP717, DCDC1, "dcdc1", "vin1",
++ AXP_DESC_RANGES_DELAY(AXP717, DCDC1, "dcdc1", "vin1",
+ axp717_dcdc1_ranges, AXP717_DCDC1_NUM_VOLTAGES,
+ AXP717_DCDC1_CONTROL, AXP717_DCDC_V_OUT_MASK,
+- AXP717_DCDC_OUTPUT_CONTROL, BIT(0)),
+- AXP_DESC_RANGES(AXP717, DCDC2, "dcdc2", "vin2",
++ AXP717_DCDC_OUTPUT_CONTROL, BIT(0), 640),
++ AXP_DESC_RANGES_DELAY(AXP717, DCDC2, "dcdc2", "vin2",
+ axp717_dcdc2_ranges, AXP717_DCDC2_NUM_VOLTAGES,
+ AXP717_DCDC2_CONTROL, AXP717_DCDC_V_OUT_MASK,
+- AXP717_DCDC_OUTPUT_CONTROL, BIT(1)),
+- AXP_DESC_RANGES(AXP717, DCDC3, "dcdc3", "vin3",
++ AXP717_DCDC_OUTPUT_CONTROL, BIT(1), 640),
++ AXP_DESC_RANGES_DELAY(AXP717, DCDC3, "dcdc3", "vin3",
+ axp717_dcdc3_ranges, AXP717_DCDC3_NUM_VOLTAGES,
+ AXP717_DCDC3_CONTROL, AXP717_DCDC_V_OUT_MASK,
+- AXP717_DCDC_OUTPUT_CONTROL, BIT(2)),
+- AXP_DESC(AXP717, DCDC4, "dcdc4", "vin4", 1000, 3700, 100,
++ AXP717_DCDC_OUTPUT_CONTROL, BIT(2), 640),
++ AXP_DESC_DELAY(AXP717, DCDC4, "dcdc4", "vin4", 1000, 3700, 100,
+ AXP717_DCDC4_CONTROL, AXP717_DCDC_V_OUT_MASK,
+- AXP717_DCDC_OUTPUT_CONTROL, BIT(3)),
++ AXP717_DCDC_OUTPUT_CONTROL, BIT(3), 6400),
+ AXP_DESC(AXP717, ALDO1, "aldo1", "aldoin", 500, 3500, 100,
+ AXP717_ALDO1_CONTROL, AXP717_LDO_V_OUT_MASK,
+ AXP717_LDO0_OUTPUT_CONTROL, BIT(0)),
+--
+2.39.5
+
--- /dev/null
+From ee0c5dbddc7cb1abd074a4959e4b433c0f4fb0e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 17:36:01 +0100
+Subject: selftests: mlxsw: sharedbuffer: Ensure no extra packets are counted
+
+From: Danielle Ratson <danieller@nvidia.com>
+
+[ Upstream commit 5f2c7ab15fd806043db1a7d54b5ec36be0bd93b1 ]
+
+The test assumes that the packet it is sending is the only packet being
+passed to the device.
+
+However, it is not the case and so other packets are filling the buffers
+as well. Therefore, the test sometimes fails because it is reading a
+maximum occupancy that is larger than expected.
+
+Add egress filters on $h1 and $h2 that will guarantee the above.
+
+Fixes: a865ad999603 ("selftests: mlxsw: Add shared buffer traffic test")
+Signed-off-by: Danielle Ratson <danieller@nvidia.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Link: https://patch.msgid.link/64c28bc9b1cc1d78c4a73feda7cedbe9526ccf8b.1733414773.git.petrm@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drivers/net/mlxsw/sharedbuffer.sh | 40 +++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh
+index 21bebc5726f6..c068e6c2a580 100755
+--- a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh
++++ b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh
+@@ -22,20 +22,34 @@ SB_ITC=0
+ h1_create()
+ {
+ simple_if_init $h1 192.0.1.1/24
++ tc qdisc add dev $h1 clsact
++
++ # Add egress filter on $h1 that will guarantee that the packet sent,
++ # will be the only packet being passed to the device.
++ tc filter add dev $h1 egress pref 2 handle 102 matchall action drop
+ }
+
+ h1_destroy()
+ {
++ tc filter del dev $h1 egress pref 2 handle 102 matchall action drop
++ tc qdisc del dev $h1 clsact
+ simple_if_fini $h1 192.0.1.1/24
+ }
+
+ h2_create()
+ {
+ simple_if_init $h2 192.0.1.2/24
++ tc qdisc add dev $h2 clsact
++
++ # Add egress filter on $h2 that will guarantee that the packet sent,
++ # will be the only packet being passed to the device.
++ tc filter add dev $h2 egress pref 1 handle 101 matchall action drop
+ }
+
+ h2_destroy()
+ {
++ tc filter del dev $h2 egress pref 1 handle 101 matchall action drop
++ tc qdisc del dev $h2 clsact
+ simple_if_fini $h2 192.0.1.2/24
+ }
+
+@@ -101,6 +115,11 @@ port_pool_test()
+ local exp_max_occ=$(devlink_cell_size_get)
+ local max_occ
+
++ tc filter add dev $h1 egress protocol ip pref 1 handle 101 flower \
++ src_mac $h1mac dst_mac $h2mac \
++ src_ip 192.0.1.1 dst_ip 192.0.1.2 \
++ action pass
++
+ devlink sb occupancy clearmax $DEVLINK_DEV
+
+ $MZ $h1 -c 1 -p 10 -a $h1mac -b $h2mac -A 192.0.1.1 -B 192.0.1.2 \
+@@ -117,6 +136,11 @@ port_pool_test()
+ max_occ=$(sb_occ_pool_check $cpu_dl_port $SB_POOL_EGR_CPU $exp_max_occ)
+ check_err $? "Expected ePool($SB_POOL_EGR_CPU) max occupancy to be $exp_max_occ, but got $max_occ"
+ log_test "CPU port's egress pool"
++
++ tc filter del dev $h1 egress protocol ip pref 1 handle 101 flower \
++ src_mac $h1mac dst_mac $h2mac \
++ src_ip 192.0.1.1 dst_ip 192.0.1.2 \
++ action pass
+ }
+
+ port_tc_ip_test()
+@@ -124,6 +148,11 @@ port_tc_ip_test()
+ local exp_max_occ=$(devlink_cell_size_get)
+ local max_occ
+
++ tc filter add dev $h1 egress protocol ip pref 1 handle 101 flower \
++ src_mac $h1mac dst_mac $h2mac \
++ src_ip 192.0.1.1 dst_ip 192.0.1.2 \
++ action pass
++
+ devlink sb occupancy clearmax $DEVLINK_DEV
+
+ $MZ $h1 -c 1 -p 10 -a $h1mac -b $h2mac -A 192.0.1.1 -B 192.0.1.2 \
+@@ -140,6 +169,11 @@ port_tc_ip_test()
+ max_occ=$(sb_occ_etc_check $cpu_dl_port $SB_ITC_CPU_IP $exp_max_occ)
+ check_err $? "Expected egress TC($SB_ITC_CPU_IP) max occupancy to be $exp_max_occ, but got $max_occ"
+ log_test "CPU port's egress TC - IP packet"
++
++ tc filter del dev $h1 egress protocol ip pref 1 handle 101 flower \
++ src_mac $h1mac dst_mac $h2mac \
++ src_ip 192.0.1.1 dst_ip 192.0.1.2 \
++ action pass
+ }
+
+ port_tc_arp_test()
+@@ -147,6 +181,9 @@ port_tc_arp_test()
+ local exp_max_occ=$(devlink_cell_size_get)
+ local max_occ
+
++ tc filter add dev $h1 egress protocol arp pref 1 handle 101 flower \
++ src_mac $h1mac action pass
++
+ devlink sb occupancy clearmax $DEVLINK_DEV
+
+ $MZ $h1 -c 1 -p 10 -a $h1mac -A 192.0.1.1 -t arp -q
+@@ -162,6 +199,9 @@ port_tc_arp_test()
+ max_occ=$(sb_occ_etc_check $cpu_dl_port $SB_ITC_CPU_ARP $exp_max_occ)
+ check_err $? "Expected egress TC($SB_ITC_IP2ME) max occupancy to be $exp_max_occ, but got $max_occ"
+ log_test "CPU port's egress TC - ARP packet"
++
++ tc filter del dev $h1 egress protocol arp pref 1 handle 101 flower \
++ src_mac $h1mac action pass
+ }
+
+ setup_prepare()
+--
+2.39.5
+
--- /dev/null
+From 49081c6f8f26a9e56762596dcbb8b62055065cdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 17:36:00 +0100
+Subject: selftests: mlxsw: sharedbuffer: Remove duplicate test cases
+
+From: Danielle Ratson <danieller@nvidia.com>
+
+[ Upstream commit 6c46ad4d1bb2e8ec2265296e53765190f6e32f33 ]
+
+On both port_tc_ip_test() and port_tc_arp_test(), the max occupancy is
+checked on $h2 twice, when only the error message is different and does not
+match the check itself.
+
+Remove the two duplicated test cases from the test.
+
+Fixes: a865ad999603 ("selftests: mlxsw: Add shared buffer traffic test")
+Signed-off-by: Danielle Ratson <danieller@nvidia.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Link: https://patch.msgid.link/d9eb26f6fc16a06a30b5c2c16ad80caf502bc561.1733414773.git.petrm@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/drivers/net/mlxsw/sharedbuffer.sh | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh
+index a7b3d6cf3185..21bebc5726f6 100755
+--- a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh
++++ b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh
+@@ -131,11 +131,6 @@ port_tc_ip_test()
+
+ devlink sb occupancy snapshot $DEVLINK_DEV
+
+- RET=0
+- max_occ=$(sb_occ_itc_check $dl_port2 $SB_ITC $exp_max_occ)
+- check_err $? "Expected ingress TC($SB_ITC) max occupancy to be $exp_max_occ, but got $max_occ"
+- log_test "physical port's($h1) ingress TC - IP packet"
+-
+ RET=0
+ max_occ=$(sb_occ_itc_check $dl_port2 $SB_ITC $exp_max_occ)
+ check_err $? "Expected ingress TC($SB_ITC) max occupancy to be $exp_max_occ, but got $max_occ"
+@@ -158,11 +153,6 @@ port_tc_arp_test()
+
+ devlink sb occupancy snapshot $DEVLINK_DEV
+
+- RET=0
+- max_occ=$(sb_occ_itc_check $dl_port2 $SB_ITC $exp_max_occ)
+- check_err $? "Expected ingress TC($SB_ITC) max occupancy to be $exp_max_occ, but got $max_occ"
+- log_test "physical port's($h1) ingress TC - ARP packet"
+-
+ RET=0
+ max_occ=$(sb_occ_itc_check $dl_port2 $SB_ITC $exp_max_occ)
+ check_err $? "Expected ingress TC($SB_ITC) max occupancy to be $exp_max_occ, but got $max_occ"
+--
+2.39.5
+
--- /dev/null
+From 1bc4ba59d6f376b39cdde1394791d20b55bd9b04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 17:35:59 +0100
+Subject: selftests: mlxsw: sharedbuffer: Remove h1 ingress test case
+
+From: Danielle Ratson <danieller@nvidia.com>
+
+[ Upstream commit cf3515c556907b4da290967a2a6cbbd9ee0ee723 ]
+
+The test is sending only one packet generated with mausezahn from $h1 to
+$h2. However, for some reason, it is testing for non-zero maximum occupancy
+in both the ingress pool of $h1 and $h2. The former only passes when $h2
+happens to send a packet.
+
+Avoid intermittent failures by removing unintentional test case
+regarding the ingress pool of $h1.
+
+Fixes: a865ad999603 ("selftests: mlxsw: Add shared buffer traffic test")
+Signed-off-by: Danielle Ratson <danieller@nvidia.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Link: https://patch.msgid.link/5b7344608d5e06f38209e48d8af8c92fa11b6742.1733414773.git.petrm@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh
+index 0c47faff9274..a7b3d6cf3185 100755
+--- a/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh
++++ b/tools/testing/selftests/drivers/net/mlxsw/sharedbuffer.sh
+@@ -108,11 +108,6 @@ port_pool_test()
+
+ devlink sb occupancy snapshot $DEVLINK_DEV
+
+- RET=0
+- max_occ=$(sb_occ_pool_check $dl_port1 $SB_POOL_ING $exp_max_occ)
+- check_err $? "Expected iPool($SB_POOL_ING) max occupancy to be $exp_max_occ, but got $max_occ"
+- log_test "physical port's($h1) ingress pool"
+-
+ RET=0
+ max_occ=$(sb_occ_pool_check $dl_port2 $SB_POOL_ING $exp_max_occ)
+ check_err $? "Expected iPool($SB_POOL_ING) max occupancy to be $exp_max_occ, but got $max_occ"
+--
+2.39.5
+
--- /dev/null
+From a39cd06039339c64ea9c8bfd41d241be8f34fedc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 15:08:40 +0100
+Subject: selftests: netfilter: Stabilize rpath.sh
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit d92906fd1b940681b4509f7bb8ae737789fb4695 ]
+
+On some systems, neighbor discoveries from ns1 for fec0:42::1 (i.e., the
+martian trap address) would happen at the wrong time and cause
+false-negative test result.
+
+Problem analysis also discovered that IPv6 martian ping test was broken
+in that sent neighbor discoveries, not echo requests were inadvertently
+trapped
+
+Avoid the race condition by introducing the neighbors to each other
+upfront. Also pin down the firewall rules to matching on echo requests
+only.
+
+Fixes: efb056e5f1f0 ("netfilter: ip6t_rpfilter: Fix regression with VRF interfaces")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/netfilter/rpath.sh | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/netfilter/rpath.sh b/tools/testing/selftests/net/netfilter/rpath.sh
+index 4485fd7675ed..86ec4e68594d 100755
+--- a/tools/testing/selftests/net/netfilter/rpath.sh
++++ b/tools/testing/selftests/net/netfilter/rpath.sh
+@@ -61,9 +61,20 @@ ip -net "$ns2" a a 192.168.42.1/24 dev d0
+ ip -net "$ns1" a a fec0:42::2/64 dev v0 nodad
+ ip -net "$ns2" a a fec0:42::1/64 dev d0 nodad
+
++# avoid neighbor lookups and enable martian IPv6 pings
++ns2_hwaddr=$(ip -net "$ns2" link show dev v0 | \
++ sed -n 's, *link/ether \([^ ]*\) .*,\1,p')
++ns1_hwaddr=$(ip -net "$ns1" link show dev v0 | \
++ sed -n 's, *link/ether \([^ ]*\) .*,\1,p')
++ip -net "$ns1" neigh add fec0:42::1 lladdr "$ns2_hwaddr" nud permanent dev v0
++ip -net "$ns1" neigh add fec0:23::1 lladdr "$ns2_hwaddr" nud permanent dev v0
++ip -net "$ns2" neigh add fec0:42::2 lladdr "$ns1_hwaddr" nud permanent dev d0
++ip -net "$ns2" neigh add fec0:23::2 lladdr "$ns1_hwaddr" nud permanent dev v0
++
+ # firewall matches to test
+ [ -n "$iptables" ] && {
+ common='-t raw -A PREROUTING -s 192.168.0.0/16'
++ common+=' -p icmp --icmp-type echo-request'
+ if ! ip netns exec "$ns2" "$iptables" $common -m rpfilter;then
+ echo "Cannot add rpfilter rule"
+ exit $ksft_skip
+@@ -72,6 +83,7 @@ ip -net "$ns2" a a fec0:42::1/64 dev d0 nodad
+ }
+ [ -n "$ip6tables" ] && {
+ common='-t raw -A PREROUTING -s fec0::/16'
++ common+=' -p icmpv6 --icmpv6-type echo-request'
+ if ! ip netns exec "$ns2" "$ip6tables" $common -m rpfilter;then
+ echo "Cannot add rpfilter rule"
+ exit $ksft_skip
+@@ -82,8 +94,10 @@ ip -net "$ns2" a a fec0:42::1/64 dev d0 nodad
+ table inet t {
+ chain c {
+ type filter hook prerouting priority raw;
+- ip saddr 192.168.0.0/16 fib saddr . iif oif exists counter
+- ip6 saddr fec0::/16 fib saddr . iif oif exists counter
++ ip saddr 192.168.0.0/16 icmp type echo-request \
++ fib saddr . iif oif exists counter
++ ip6 saddr fec0::/16 icmpv6 type echo-request \
++ fib saddr . iif oif exists counter
+ }
+ }
+ EOF
+--
+2.39.5
+
bpf-sockmap-fix-race-between-element-replace-and-close.patch
bpf-sockmap-fix-update-element-with-same.patch
bpf-augment-raw_tp-arguments-with-ptr_maybe_null.patch
+perf-tools-fix-build-id-event-recording.patch
+wifi-nl80211-fix-nl80211_attr_mlo_link_id-off-by-one.patch
+wifi-mac80211-init-cnt-before-accessing-elem-in-ieee.patch
+wifi-mac80211-fix-a-queue-stall-in-certain-cases-of-.patch
+wifi-mac80211-fix-station-nss-capability-initializat.patch
+perf-machine-initialize-machine-env-to-address-a-seg.patch
+acpi-nfit-vmalloc-out-of-bounds-read-in-acpi_nfit_ct.patch
+amdgpu-uvd-get-ring-reference-from-rq-scheduler.patch
+batman-adv-do-not-send-uninitialized-tt-changes.patch
+batman-adv-remove-uninitialized-data-in-full-table-t.patch
+batman-adv-do-not-let-tt-changes-list-grows-indefini.patch
+tipc-fix-null-deref-in-cleanup_bearer.patch
+net-mlx5-dr-prevent-potential-error-pointer-derefere.patch
+wifi-cfg80211-sme-init-n_channels-before-channels-ac.patch
+selftests-mlxsw-sharedbuffer-remove-h1-ingress-test-.patch
+selftests-mlxsw-sharedbuffer-remove-duplicate-test-c.patch
+selftests-mlxsw-sharedbuffer-ensure-no-extra-packets.patch
+ptp-kvm-x86-return-eopnotsupp-instead-of-enodev-from.patch
+bnxt_en-fix-gso-type-for-hw-gro-packets-on-5750x-chi.patch
+net-lapb-increase-lapb_header_len.patch
+net-defer-final-struct-net-free-in-netns-dismantle.patch
+net-mscc-ocelot-fix-memory-leak-on-ocelot_port_add_t.patch
+net-mscc-ocelot-improve-handling-of-tx-timestamp-for.patch
+net-mscc-ocelot-ocelot-ts_id_lock-and-ocelot_port-tx.patch
+net-mscc-ocelot-be-resilient-to-loss-of-ptp-packets-.patch
+net-mscc-ocelot-perform-error-cleanup-in-ocelot_hwst.patch
+regulator-axp20x-axp717-set-ramp_delay.patch
+spi-aspeed-fix-an-error-handling-path-in-aspeed_spi_.patch
+net-sparx5-fix-fdma-performance-issue.patch
+net-sparx5-fix-the-maximum-frame-length-register.patch
+acpi-resource-fix-memory-resource-type-union-access.patch
+cxgb4-use-port-number-to-set-mac-addr.patch
+qca_spi-fix-clock-speed-for-multiple-qca7000.patch
+qca_spi-make-driver-probing-reliable.patch
+module-convert-default-symbol-namespace-to-string-li.patch
+gpio-idio-16-actually-make-use-of-the-gpio_idio_16-s.patch
+alsa-control-avoid-warn-for-symlink-errors.patch
+asoc-amd-yc-fix-the-wrong-return-value.patch
+documentation-pm-clarify-pm_runtime_resume_and_get-r.patch
+block-get-wp_offset-by-bdev_offset_from_zone_start.patch
+bnxt_en-fix-aggregation-id-mask-to-prevent-oops-on-5.patch
+documentation-networking-add-a-caveat-to-nexthop_com.patch
+cifs-fix-rmdir-failure-due-to-ongoing-i-o-on-deleted.patch
+net-renesas-rswitch-fix-possible-early-skb-release.patch
+net-renesas-rswitch-fix-race-window-between-tx-start.patch
+net-renesas-rswitch-fix-leaked-pointer-on-error-path.patch
+net-renesas-rswitch-avoid-use-after-put-for-a-device.patch
+net-renesas-rswitch-handle-stop-vs-interrupt-race.patch
+asoc-tas2781-fix-calibration-issue-in-stress-test.patch
+bluetooth-improve-setsockopt-handling-of-malformed-u.patch
+libperf-evlist-fix-cpu-argument-on-hybrid-platform.patch
+asoc-fsl_xcvr-change-iface_pcm-to-iface_mixer.patch
+asoc-fsl_spdif-change-iface_pcm-to-iface_mixer.patch
+selftests-netfilter-stabilize-rpath.sh.patch
+netfilter-idletimer-fix-for-possible-abba-deadlock.patch
+netfilter-nf_tables-do-not-defer-rule-destruction-vi.patch
+net-mana-fix-memory-leak-in-mana_gd_setup_irqs.patch
+net-mana-fix-irq_contexts-memory-leak-in-mana_gd_set.patch
+net-dsa-felix-fix-stuck-cpu-injected-packets-with-sh.patch
+net-sched-netem-account-for-backlog-updates-from-chi.patch
+net-team-bonding-add-netdev_base_features-helper.patch
+bonding-fix-initial-vlan-mpls-_feature-set-in-bond_c.patch
+bonding-fix-feature-propagation-of-netif_f_gso_encap.patch
+team-fix-initial-vlan_feature-set-in-__team_compute_.patch
+team-fix-feature-propagation-of-netif_f_gso_encap_al.patch
+asoc-intel-sof_sdw-add-space-for-a-terminator-into-d.patch
+acpica-events-evxfregn-don-t-release-the-contextmute.patch
+bluetooth-hci_event-fix-using-rcu_read_-un-lock-whil.patch
+bluetooth-iso-always-release-hdev-at-the-end-of-iso_.patch
+bluetooth-iso-fix-recursive-locking-warning.patch
+bluetooth-sco-add-support-for-16-bits-transparent-vo.patch
+bluetooth-iso-fix-circular-lock-in-iso_listen_bis.patch
+bluetooth-iso-fix-circular-lock-in-iso_conn_big_sync.patch
+bluetooth-btmtk-avoid-uaf-in-btmtk_process_coredump.patch
+net-renesas-rswitch-fix-initial-mpic-register-settin.patch
+net-dsa-microchip-ksz9896-register-regmap-alignment-.patch
+net-dsa-tag_ocelot_8021q-fix-broken-reception.patch
+drm-xe-fix-the-err_ptr-returned-on-failure-to-alloca.patch
+drm-xe-reg_sr-remove-register-pool.patch
+blk-iocost-avoid-using-clamp-on-inuse-in-__propagate.patch
+kselftest-arm64-abi-fix-svcr-detection.patch
+blk-mq-move-cpuhp-callback-registering-out-of-q-sysf.patch
+block-fix-potential-deadlock-while-freezing-queue-an.patch
--- /dev/null
+From 3e236c09ca2c7303be7538941369fc980c32c4ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Nov 2024 22:30:29 +0100
+Subject: spi: aspeed: Fix an error handling path in
+ aspeed_spi_[read|write]_user()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit c84dda3751e945a67d71cbe3af4474aad24a5794 ]
+
+A aspeed_spi_start_user() is not balanced by a corresponding
+aspeed_spi_stop_user().
+Add the missing call.
+
+Fixes: e3228ed92893 ("spi: spi-mem: Convert Aspeed SMC driver to spi-mem")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://patch.msgid.link/4052aa2f9a9ea342fa6af83fa991b55ce5d5819e.1732051814.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-aspeed-smc.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-aspeed-smc.c b/drivers/spi/spi-aspeed-smc.c
+index bbd417c55e7f..b0e3f307b283 100644
+--- a/drivers/spi/spi-aspeed-smc.c
++++ b/drivers/spi/spi-aspeed-smc.c
+@@ -239,7 +239,7 @@ static ssize_t aspeed_spi_read_user(struct aspeed_spi_chip *chip,
+
+ ret = aspeed_spi_send_cmd_addr(chip, op->addr.nbytes, offset, op->cmd.opcode);
+ if (ret < 0)
+- return ret;
++ goto stop_user;
+
+ if (op->dummy.buswidth && op->dummy.nbytes) {
+ for (i = 0; i < op->dummy.nbytes / op->dummy.buswidth; i++)
+@@ -249,8 +249,9 @@ static ssize_t aspeed_spi_read_user(struct aspeed_spi_chip *chip,
+ aspeed_spi_set_io_mode(chip, io_mode);
+
+ aspeed_spi_read_from_ahb(buf, chip->ahb_base, len);
++stop_user:
+ aspeed_spi_stop_user(chip);
+- return 0;
++ return ret;
+ }
+
+ static ssize_t aspeed_spi_write_user(struct aspeed_spi_chip *chip,
+@@ -261,10 +262,11 @@ static ssize_t aspeed_spi_write_user(struct aspeed_spi_chip *chip,
+ aspeed_spi_start_user(chip);
+ ret = aspeed_spi_send_cmd_addr(chip, op->addr.nbytes, op->addr.val, op->cmd.opcode);
+ if (ret < 0)
+- return ret;
++ goto stop_user;
+ aspeed_spi_write_to_ahb(chip->ahb_base, op->data.buf.out, op->data.nbytes);
++stop_user:
+ aspeed_spi_stop_user(chip);
+- return 0;
++ return ret;
+ }
+
+ /* support for 1-1-1, 1-1-2 or 1-1-4 */
+--
+2.39.5
+
--- /dev/null
+From 82659e8e02bca3a55997563baa7270e0cd4757d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 15:12:45 +0100
+Subject: team: Fix feature propagation of NETIF_F_GSO_ENCAP_ALL
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 98712844589e06d9aa305b5077169942139fd75c ]
+
+Similar to bonding driver, add NETIF_F_GSO_ENCAP_ALL to TEAM_VLAN_FEATURES
+in order to support slave devices which propagate NETIF_F_GSO_UDP_TUNNEL &
+NETIF_F_GSO_UDP_TUNNEL_CSUM as vlan_features.
+
+Fixes: 3625920b62c3 ("teaming: fix vlan_features computing")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Nikolay Aleksandrov <razor@blackwall.org>
+Cc: Ido Schimmel <idosch@idosch.org>
+Cc: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://patch.msgid.link/20241210141245.327886-5-daniel@iogearbox.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
+index ddd9ae7085c7..6ace5a74cddb 100644
+--- a/drivers/net/team/team_core.c
++++ b/drivers/net/team/team_core.c
+@@ -983,7 +983,8 @@ static void team_port_disable(struct team *team,
+
+ #define TEAM_VLAN_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \
+ NETIF_F_FRAGLIST | NETIF_F_GSO_SOFTWARE | \
+- NETIF_F_HIGHDMA | NETIF_F_LRO)
++ NETIF_F_HIGHDMA | NETIF_F_LRO | \
++ NETIF_F_GSO_ENCAP_ALL)
+
+ #define TEAM_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \
+ NETIF_F_RXCSUM | NETIF_F_GSO_SOFTWARE)
+--
+2.39.5
+
--- /dev/null
+From 5c5bc715a6a390a39686b4533ba8f1fed332a3e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 15:12:44 +0100
+Subject: team: Fix initial vlan_feature set in __team_compute_features
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 396699ac2cb1bc4e3485abb48a1e3e41956de0cd ]
+
+Similarly as with bonding, fix the calculation of vlan_features to reuse
+netdev_base_features() in order derive the set in the same way as
+ndo_fix_features before iterating through the slave devices to refine the
+feature set.
+
+Fixes: 3625920b62c3 ("teaming: fix vlan_features computing")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Nikolay Aleksandrov <razor@blackwall.org>
+Cc: Ido Schimmel <idosch@idosch.org>
+Cc: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://patch.msgid.link/20241210141245.327886-4-daniel@iogearbox.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team_core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
+index 481c8df8842f..ddd9ae7085c7 100644
+--- a/drivers/net/team/team_core.c
++++ b/drivers/net/team/team_core.c
+@@ -991,13 +991,14 @@ static void team_port_disable(struct team *team,
+ static void __team_compute_features(struct team *team)
+ {
+ struct team_port *port;
+- netdev_features_t vlan_features = TEAM_VLAN_FEATURES &
+- NETIF_F_ALL_FOR_ALL;
++ netdev_features_t vlan_features = TEAM_VLAN_FEATURES;
+ netdev_features_t enc_features = TEAM_ENC_FEATURES;
+ unsigned short max_hard_header_len = ETH_HLEN;
+ unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE |
+ IFF_XMIT_DST_RELEASE_PERM;
+
++ vlan_features = netdev_base_features(vlan_features);
++
+ rcu_read_lock();
+ list_for_each_entry_rcu(port, &team->port_list, list) {
+ vlan_features = netdev_increment_features(vlan_features,
+--
+2.39.5
+
--- /dev/null
+From 5c5eb189b538abca622f1a5139c88b31bc562244 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 17:05:48 +0000
+Subject: tipc: fix NULL deref in cleanup_bearer()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b04d86fff66b15c07505d226431f808c15b1703c ]
+
+syzbot found [1] that after blamed commit, ub->ubsock->sk
+was NULL when attempting the atomic_dec() :
+
+atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);
+
+Fix this by caching the tipc_net pointer.
+
+[1]
+
+Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+CPU: 0 UID: 0 PID: 5896 Comm: kworker/0:3 Not tainted 6.13.0-rc1-next-20241203-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+Workqueue: events cleanup_bearer
+ RIP: 0010:read_pnet include/net/net_namespace.h:387 [inline]
+ RIP: 0010:sock_net include/net/sock.h:655 [inline]
+ RIP: 0010:cleanup_bearer+0x1f7/0x280 net/tipc/udp_media.c:820
+Code: 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 3c f7 99 f6 48 8b 1b 48 83 c3 30 e8 f0 e4 60 00 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 1a f7 99 f6 49 83 c7 e8 48 8b 1b
+RSP: 0018:ffffc9000410fb70 EFLAGS: 00010206
+RAX: 0000000000000006 RBX: 0000000000000030 RCX: ffff88802fe45a00
+RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffc9000410f900
+RBP: ffff88807e1f0908 R08: ffffc9000410f907 R09: 1ffff92000821f20
+R10: dffffc0000000000 R11: fffff52000821f21 R12: ffff888031d19980
+R13: dffffc0000000000 R14: dffffc0000000000 R15: ffff88807e1f0918
+FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000556ca050b000 CR3: 0000000031c0c000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fixes: 6a2fa13312e5 ("tipc: Fix use-after-free of kernel socket in cleanup_bearer().")
+Reported-by: syzbot+46aa5474f179dacd1a3b@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/67508b5f.050a0220.17bd51.0070.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20241204170548.4152658-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/udp_media.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
+index b7e25e7e9933..108a4cc2e001 100644
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -807,6 +807,7 @@ static void cleanup_bearer(struct work_struct *work)
+ {
+ struct udp_bearer *ub = container_of(work, struct udp_bearer, work);
+ struct udp_replicast *rcast, *tmp;
++ struct tipc_net *tn;
+
+ list_for_each_entry_safe(rcast, tmp, &ub->rcast.list, list) {
+ dst_cache_destroy(&rcast->dst_cache);
+@@ -814,10 +815,14 @@ static void cleanup_bearer(struct work_struct *work)
+ kfree_rcu(rcast, rcu);
+ }
+
++ tn = tipc_net(sock_net(ub->ubsock->sk));
++
+ dst_cache_destroy(&ub->rcast.dst_cache);
+ udp_tunnel_sock_release(ub->ubsock);
++
++ /* Note: could use a call_rcu() to avoid another synchronize_net() */
+ synchronize_net();
+- atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);
++ atomic_dec(&tn->wq_count);
+ kfree(ub);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From e2a2117eea15e73bec7e1cc7216718cd9197110f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2024 23:20:49 +0800
+Subject: wifi: cfg80211: sme: init n_channels before channels[] access
+
+From: Haoyu Li <lihaoyu499@gmail.com>
+
+[ Upstream commit f1d3334d604cc32db63f6e2b3283011e02294e54 ]
+
+With the __counted_by annocation in cfg80211_scan_request struct,
+the "n_channels" struct member must be set before accessing the
+"channels" array. Failing to do so will trigger a runtime warning
+when enabling CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE.
+
+Fixes: e3eac9f32ec0 ("wifi: cfg80211: Annotate struct cfg80211_scan_request with __counted_by")
+Signed-off-by: Haoyu Li <lihaoyu499@gmail.com>
+Link: https://patch.msgid.link/20241203152049.348806-1-lihaoyu499@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/sme.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index 431da30817a6..268171600087 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -83,6 +83,7 @@ static int cfg80211_conn_scan(struct wireless_dev *wdev)
+ if (!request)
+ return -ENOMEM;
+
++ request->n_channels = n_channels;
+ if (wdev->conn->params.channel) {
+ enum nl80211_band band = wdev->conn->params.channel->band;
+ struct ieee80211_supported_band *sband =
+--
+2.39.5
+
--- /dev/null
+From 84745557fd47a5882c1b7ea9f8e3a4153643b1bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Nov 2024 17:35:40 +0200
+Subject: wifi: mac80211: fix a queue stall in certain cases of CSA
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit 11ac0d7c3b5ba58232fb7dacb54371cbe75ec183 ]
+
+If we got an unprotected action frame with CSA and then we heard the
+beacon with the CSA IE, we'll block the queues with the CSA reason
+twice. Since this reason is refcounted, we won't wake up the queues
+since we wake them up only once and the ref count will never reach 0.
+This led to blocked queues that prevented any activity (even
+disconnection wouldn't reset the queue state and the only way to recover
+would be to reload the kernel module.
+
+Fix this by not refcounting the CSA reason.
+It becomes now pointless to maintain the csa_blocked_queues state.
+Remove it.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Fixes: 414e090bc41d ("wifi: mac80211: restrict public action ECSA frame handling")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219447
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20241119173108.5ea90828c2cc.I4f89e58572fb71ae48e47a81e74595cac410fbac@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/intel/iwlwifi/mvm/mac-ctxt.c | 2 +-
+ include/net/mac80211.h | 4 +-
+ net/mac80211/cfg.c | 3 +-
+ net/mac80211/ieee80211_i.h | 49 +++++++++++++++----
+ net/mac80211/iface.c | 12 ++---
+ net/mac80211/mlme.c | 2 -
+ net/mac80211/util.c | 23 ++-------
+ 7 files changed, 50 insertions(+), 45 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
+index a7a10e716e65..e96ddaeeeeff 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
+@@ -1967,7 +1967,7 @@ void iwl_mvm_channel_switch_error_notif(struct iwl_mvm *mvm,
+ if (csa_err_mask & (CS_ERR_COUNT_ERROR |
+ CS_ERR_LONG_DELAY_AFTER_CS |
+ CS_ERR_TX_BLOCK_TIMER_EXPIRED))
+- ieee80211_channel_switch_disconnect(vif, true);
++ ieee80211_channel_switch_disconnect(vif);
+ rcu_read_unlock();
+ }
+
+diff --git a/include/net/mac80211.h b/include/net/mac80211.h
+index 333e0fae6796..5b712582f9a9 100644
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -6770,14 +6770,12 @@ void ieee80211_chswitch_done(struct ieee80211_vif *vif, bool success,
+ /**
+ * ieee80211_channel_switch_disconnect - disconnect due to channel switch error
+ * @vif: &struct ieee80211_vif pointer from the add_interface callback.
+- * @block_tx: if %true, do not send deauth frame.
+ *
+ * Instruct mac80211 to disconnect due to a channel switch error. The channel
+ * switch can request to block the tx and so, we need to make sure we do not send
+ * a deauth frame in this case.
+ */
+-void ieee80211_channel_switch_disconnect(struct ieee80211_vif *vif,
+- bool block_tx);
++void ieee80211_channel_switch_disconnect(struct ieee80211_vif *vif);
+
+ /**
+ * ieee80211_request_smps - request SM PS transition
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 242b718b1cd9..16d47123a73c 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -3674,13 +3674,12 @@ void ieee80211_csa_finish(struct ieee80211_vif *vif, unsigned int link_id)
+ }
+ EXPORT_SYMBOL(ieee80211_csa_finish);
+
+-void ieee80211_channel_switch_disconnect(struct ieee80211_vif *vif, bool block_tx)
++void ieee80211_channel_switch_disconnect(struct ieee80211_vif *vif)
+ {
+ struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
+ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+ struct ieee80211_local *local = sdata->local;
+
+- sdata->csa_blocked_queues = block_tx;
+ sdata_info(sdata, "channel switch failed, disconnecting\n");
+ wiphy_work_queue(local->hw.wiphy, &ifmgd->csa_connection_drop_work);
+ }
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index 3d3c9139ff5e..7a0242e937d3 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1106,8 +1106,6 @@ struct ieee80211_sub_if_data {
+
+ unsigned long state;
+
+- bool csa_blocked_queues;
+-
+ char name[IFNAMSIZ];
+
+ struct ieee80211_fragment_cache frags;
+@@ -2411,17 +2409,13 @@ void ieee80211_send_4addr_nullfunc(struct ieee80211_local *local,
+ struct ieee80211_sub_if_data *sdata);
+ void ieee80211_sta_tx_notify(struct ieee80211_sub_if_data *sdata,
+ struct ieee80211_hdr *hdr, bool ack, u16 tx_time);
+-
++unsigned int
++ieee80211_get_vif_queues(struct ieee80211_local *local,
++ struct ieee80211_sub_if_data *sdata);
+ void ieee80211_wake_queues_by_reason(struct ieee80211_hw *hw,
+ unsigned long queues,
+ enum queue_stop_reason reason,
+ bool refcounted);
+-void ieee80211_stop_vif_queues(struct ieee80211_local *local,
+- struct ieee80211_sub_if_data *sdata,
+- enum queue_stop_reason reason);
+-void ieee80211_wake_vif_queues(struct ieee80211_local *local,
+- struct ieee80211_sub_if_data *sdata,
+- enum queue_stop_reason reason);
+ void ieee80211_stop_queues_by_reason(struct ieee80211_hw *hw,
+ unsigned long queues,
+ enum queue_stop_reason reason,
+@@ -2432,6 +2426,43 @@ void ieee80211_wake_queue_by_reason(struct ieee80211_hw *hw, int queue,
+ void ieee80211_stop_queue_by_reason(struct ieee80211_hw *hw, int queue,
+ enum queue_stop_reason reason,
+ bool refcounted);
++static inline void
++ieee80211_stop_vif_queues(struct ieee80211_local *local,
++ struct ieee80211_sub_if_data *sdata,
++ enum queue_stop_reason reason)
++{
++ ieee80211_stop_queues_by_reason(&local->hw,
++ ieee80211_get_vif_queues(local, sdata),
++ reason, true);
++}
++
++static inline void
++ieee80211_wake_vif_queues(struct ieee80211_local *local,
++ struct ieee80211_sub_if_data *sdata,
++ enum queue_stop_reason reason)
++{
++ ieee80211_wake_queues_by_reason(&local->hw,
++ ieee80211_get_vif_queues(local, sdata),
++ reason, true);
++}
++static inline void
++ieee80211_stop_vif_queues_norefcount(struct ieee80211_local *local,
++ struct ieee80211_sub_if_data *sdata,
++ enum queue_stop_reason reason)
++{
++ ieee80211_stop_queues_by_reason(&local->hw,
++ ieee80211_get_vif_queues(local, sdata),
++ reason, false);
++}
++static inline void
++ieee80211_wake_vif_queues_norefcount(struct ieee80211_local *local,
++ struct ieee80211_sub_if_data *sdata,
++ enum queue_stop_reason reason)
++{
++ ieee80211_wake_queues_by_reason(&local->hw,
++ ieee80211_get_vif_queues(local, sdata),
++ reason, false);
++}
+ void ieee80211_add_pending_skb(struct ieee80211_local *local,
+ struct sk_buff *skb);
+ void ieee80211_add_pending_skbs(struct ieee80211_local *local,
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index 6ef0990d3d29..af9055252e6d 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -2364,18 +2364,14 @@ void ieee80211_vif_block_queues_csa(struct ieee80211_sub_if_data *sdata)
+ if (ieee80211_hw_check(&local->hw, HANDLES_QUIET_CSA))
+ return;
+
+- ieee80211_stop_vif_queues(local, sdata,
+- IEEE80211_QUEUE_STOP_REASON_CSA);
+- sdata->csa_blocked_queues = true;
++ ieee80211_stop_vif_queues_norefcount(local, sdata,
++ IEEE80211_QUEUE_STOP_REASON_CSA);
+ }
+
+ void ieee80211_vif_unblock_queues_csa(struct ieee80211_sub_if_data *sdata)
+ {
+ struct ieee80211_local *local = sdata->local;
+
+- if (sdata->csa_blocked_queues) {
+- ieee80211_wake_vif_queues(local, sdata,
+- IEEE80211_QUEUE_STOP_REASON_CSA);
+- sdata->csa_blocked_queues = false;
+- }
++ ieee80211_wake_vif_queues_norefcount(local, sdata,
++ IEEE80211_QUEUE_STOP_REASON_CSA);
+ }
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 0303972c23e4..111066928b96 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -2636,8 +2636,6 @@ ieee80211_sta_process_chanswitch(struct ieee80211_link_data *link,
+ */
+ link->conf->csa_active = true;
+ link->u.mgd.csa.blocked_tx = csa_ie.mode;
+- sdata->csa_blocked_queues =
+- csa_ie.mode && !ieee80211_hw_check(&local->hw, HANDLES_QUIET_CSA);
+
+ wiphy_work_queue(sdata->local->hw.wiphy,
+ &ifmgd->csa_connection_drop_work);
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index f94faa86ba8a..b4814e97cf74 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -657,7 +657,7 @@ void ieee80211_wake_queues(struct ieee80211_hw *hw)
+ }
+ EXPORT_SYMBOL(ieee80211_wake_queues);
+
+-static unsigned int
++unsigned int
+ ieee80211_get_vif_queues(struct ieee80211_local *local,
+ struct ieee80211_sub_if_data *sdata)
+ {
+@@ -669,7 +669,8 @@ ieee80211_get_vif_queues(struct ieee80211_local *local,
+ queues = 0;
+
+ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++)
+- queues |= BIT(sdata->vif.hw_queue[ac]);
++ if (sdata->vif.hw_queue[ac] != IEEE80211_INVAL_HW_QUEUE)
++ queues |= BIT(sdata->vif.hw_queue[ac]);
+ if (sdata->vif.cab_queue != IEEE80211_INVAL_HW_QUEUE)
+ queues |= BIT(sdata->vif.cab_queue);
+ } else {
+@@ -724,24 +725,6 @@ void ieee80211_flush_queues(struct ieee80211_local *local,
+ __ieee80211_flush_queues(local, sdata, 0, drop);
+ }
+
+-void ieee80211_stop_vif_queues(struct ieee80211_local *local,
+- struct ieee80211_sub_if_data *sdata,
+- enum queue_stop_reason reason)
+-{
+- ieee80211_stop_queues_by_reason(&local->hw,
+- ieee80211_get_vif_queues(local, sdata),
+- reason, true);
+-}
+-
+-void ieee80211_wake_vif_queues(struct ieee80211_local *local,
+- struct ieee80211_sub_if_data *sdata,
+- enum queue_stop_reason reason)
+-{
+- ieee80211_wake_queues_by_reason(&local->hw,
+- ieee80211_get_vif_queues(local, sdata),
+- reason, true);
+-}
+-
+ static void __iterate_interfaces(struct ieee80211_local *local,
+ u32 iter_flags,
+ void (*iterator)(void *data, u8 *mac,
+--
+2.39.5
+
--- /dev/null
+From 2e287a6489bd4368229ec60d5baa757e9482d415 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2024 16:07:22 +0800
+Subject: wifi: mac80211: fix station NSS capability initialization order
+
+From: Benjamin Lin <benjamin-jw.lin@mediatek.com>
+
+[ Upstream commit 819e0f1e58e0ba3800cd9eb96b2a39e44e49df97 ]
+
+Station's spatial streaming capability should be initialized before
+handling VHT OMN, because the handling requires the capability information.
+
+Fixes: a8bca3e9371d ("wifi: mac80211: track capability/opmode NSS separately")
+Signed-off-by: Benjamin Lin <benjamin-jw.lin@mediatek.com>
+Link: https://patch.msgid.link/20241118080722.9603-1-benjamin-jw.lin@mediatek.com
+[rewrite subject]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 16d47123a73c..1b1bf044378d 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1911,6 +1911,8 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
+ params->eht_capa_len,
+ link_sta);
+
++ ieee80211_sta_init_nss(link_sta);
++
+ if (params->opmode_notif_used) {
+ /* returned value is only needed for rc update, but the
+ * rc isn't initialized here yet, so ignore it
+@@ -1920,8 +1922,6 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
+ sband->band);
+ }
+
+- ieee80211_sta_init_nss(link_sta);
+-
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 5a46e36b4c4155488e3e8f91c2d846605330775a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Nov 2024 01:25:00 +0800
+Subject: wifi: mac80211: init cnt before accessing elem in
+ ieee80211_copy_mbssid_beacon
+
+From: Haoyu Li <lihaoyu499@gmail.com>
+
+[ Upstream commit 496db69fd860570145f7c266b31f3af85fca5b00 ]
+
+With the new __counted_by annocation in cfg80211_mbssid_elems,
+the "cnt" struct member must be set before accessing the "elem"
+array. Failing to do so will trigger a runtime warning when enabling
+CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE.
+
+Fixes: c14679d7005a ("wifi: cfg80211: Annotate struct cfg80211_mbssid_elems with __counted_by")
+Signed-off-by: Haoyu Li <lihaoyu499@gmail.com>
+Link: https://patch.msgid.link/20241123172500.311853-1-lihaoyu499@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 6dfc61a9acd4..242b718b1cd9 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1061,13 +1061,13 @@ ieee80211_copy_mbssid_beacon(u8 *pos, struct cfg80211_mbssid_elems *dst,
+ {
+ int i, offset = 0;
+
++ dst->cnt = src->cnt;
+ for (i = 0; i < src->cnt; i++) {
+ memcpy(pos + offset, src->elem[i].data, src->elem[i].len);
+ dst->elem[i].len = src->elem[i].len;
+ dst->elem[i].data = pos + offset;
+ offset += dst->elem[i].len;
+ }
+- dst->cnt = src->cnt;
+
+ return offset;
+ }
+--
+2.39.5
+
--- /dev/null
+From 502a8bf3c3a42d00f139debaed3c811da0d99433 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Dec 2024 01:05:26 +0800
+Subject: wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit 2e3dbf938656986cce73ac4083500d0bcfbffe24 ]
+
+Since the netlink attribute range validation provides inclusive
+checking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be
+IEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one.
+
+One crash stack for demonstration:
+==================================================================
+BUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939
+Read of size 6 at addr 001102080000000c by task fuzzer.386/9508
+
+CPU: 1 PID: 9508 Comm: syz.1.386 Not tainted 6.1.70 #2
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106
+ print_report+0xe0/0x750 mm/kasan/report.c:398
+ kasan_report+0x139/0x170 mm/kasan/report.c:495
+ kasan_check_range+0x287/0x290 mm/kasan/generic.c:189
+ memcpy+0x25/0x60 mm/kasan/shadow.c:65
+ ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939
+ rdev_tx_control_port net/wireless/rdev-ops.h:761 [inline]
+ nl80211_tx_control_port+0x7b3/0xc40 net/wireless/nl80211.c:15453
+ genl_family_rcv_msg_doit+0x22e/0x320 net/netlink/genetlink.c:756
+ genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]
+ genl_rcv_msg+0x539/0x740 net/netlink/genetlink.c:850
+ netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508
+ genl_rcv+0x24/0x40 net/netlink/genetlink.c:861
+ netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]
+ netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352
+ netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874
+ sock_sendmsg_nosec net/socket.c:716 [inline]
+ __sock_sendmsg net/socket.c:728 [inline]
+ ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499
+ ___sys_sendmsg+0x21c/0x290 net/socket.c:2553
+ __sys_sendmsg net/socket.c:2582 [inline]
+ __do_sys_sendmsg net/socket.c:2591 [inline]
+ __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Update the policy to ensure correct validation.
+
+Fixes: 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link APIs")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Suggested-by: Cengiz Can <cengiz.can@canonical.com>
+Link: https://patch.msgid.link/20241130170526.96698-1-linma@zju.edu.cn
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 9b1b9dc5a7eb..1e78f575fb56 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -814,7 +814,7 @@ static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
+ [NL80211_ATTR_MLO_LINKS] =
+ NLA_POLICY_NESTED_ARRAY(nl80211_policy),
+ [NL80211_ATTR_MLO_LINK_ID] =
+- NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS),
++ NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS - 1),
+ [NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
+ [NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
+ [NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
