--- /dev/null
+From 534988c05fc14c60bdb2e761c0b6cd103f27e17b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 11:12:04 +0800
+Subject: Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 7b1ab460592ca818e7b52f27cd3ec86af79220d1 ]
+
+disable_irq() after request_irq() still has a time gap in which
+interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
+disable IRQ auto-enable when request IRQ.
+
+Fixes: bb7f4f0bcee6 ("btmrvl: add platform specific wakeup interrupt support")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btmrvl_sdio.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sdio.c
+index d76c799553aaa..468e4165c7cc0 100644
+--- a/drivers/bluetooth/btmrvl_sdio.c
++++ b/drivers/bluetooth/btmrvl_sdio.c
+@@ -92,7 +92,7 @@ static int btmrvl_sdio_probe_of(struct device *dev,
+ } else {
+ ret = devm_request_irq(dev, cfg->irq_bt,
+ btmrvl_wake_irq_bt,
+- 0, "bt_wake", card);
++ IRQF_NO_AUTOEN, "bt_wake", card);
+ if (ret) {
+ dev_err(dev,
+ "Failed to request irq_bt %d (%d)\n",
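Review bot: The `IRQF_NO_AUTOEN` request for `cfg->irq_bt` carries no comment saying where the wake IRQ is enabled later, and with the `disable_irq()` call removed in the next hunk this flag is the only thing keeping the line masked after probe. I would add `/* Requested disabled; enabled only while armed as a wakeup source */` above the `devm_request_irq()` call, assuming the matching `enable_irq()` sits in the suspend path, which is not visible here. btmrvl_sdio_probe_of() starts and ends outside the hunk.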
+@@ -101,7 +101,6 @@ static int btmrvl_sdio_probe_of(struct device *dev,
+
+ /* Configure wakeup (enabled by default) */
+ device_init_wakeup(dev, true);
+- disable_irq(cfg->irq_bt);
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From daaabb81716a51a226e550bedf2cd002424d01b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2024 12:47:39 -0400
+Subject: Bluetooth: L2CAP: Fix uaf in l2cap_connect
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 333b4fd11e89b29c84c269123f871883a30be586 ]
+
+[Syzbot reported]
+BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
+Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54
+
+CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
+Workqueue: hci2 hci_rx_work
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:93 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0xc3/0x620 mm/kasan/report.c:488
+ kasan_report+0xd9/0x110 mm/kasan/report.c:601
+ l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
+ l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]
+ l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]
+ l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]
+ l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825
+ l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
+ hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
+ hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
+ process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
+ process_scheduled_works kernel/workqueue.c:3312 [inline]
+ worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
+ kthread+0x2c1/0x3a0 kernel/kthread.c:389
+ ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+...
+
+Freed by task 5245:
+ kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
+ kasan_save_track+0x14/0x30 mm/kasan/common.c:68
+ kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
+ poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
+ __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
+ kasan_slab_free include/linux/kasan.h:184 [inline]
+ slab_free_hook mm/slub.c:2256 [inline]
+ slab_free mm/slub.c:4477 [inline]
+ kfree+0x12a/0x3b0 mm/slub.c:4598
+ l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]
+ kref_put include/linux/kref.h:65 [inline]
+ l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]
+ l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802
+ l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241
+ hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
+ hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265
+ hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583
+ abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917
+ hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328
+ process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
+ process_scheduled_works kernel/workqueue.c:3312 [inline]
+ worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
+ kthread+0x2c1/0x3a0 kernel/kthread.c:389
+ ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+
+Reported-by: syzbot+c12e2f941af1feb5632c@syzkaller.appspotmail.com
+Tested-by: syzbot+c12e2f941af1feb5632c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c12e2f941af1feb5632c
+Fixes: 7b064edae38d ("Bluetooth: Fix authentication if acl data comes before remote feature evt")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 2 ++
+ net/bluetooth/hci_event.c | 2 +-
+ net/bluetooth/l2cap_core.c | 8 --------
+ 3 files changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 1b56355c40eaf..f787b0eb7d669 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -3755,6 +3755,8 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
+
+ hci_dev_lock(hdev);
+ conn = hci_conn_hash_lookup_handle(hdev, handle);
++ if (conn && hci_dev_test_flag(hdev, HCI_MGMT))
++ mgmt_device_connected(hdev, conn, NULL, 0);
+ hci_dev_unlock(hdev);
+
+ if (conn) {
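Review bot: `conn` is looked up under `hci_dev_lock()` but is still tested, and presumably dereferenced, after `hci_dev_unlock()` at `if (conn) {`, and nothing in this hunk takes a reference on it. The bug being fixed is a use-after-free in which the connection was freed from another work item, so it is worth confirming that the rest of hci_acldata_packet(), which lies outside the hunk, cannot race with that teardown. The added `mgmt_device_connected()` call now runs for every ACL data packet, so a comment such as `/* Report the connection to mgmt before L2CAP handles the first ACL frame; expected to be a no-op once reported */` would record that it relies on the callee being idempotent, which cannot be verified from these lines.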
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index d81c7fccdd404..b86a30c600a9a 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3707,7 +3707,7 @@ static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
+ goto unlock;
+ }
+
+- if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
++ if (!ev->status) {
+ struct hci_cp_remote_name_req cp;
+ memset(&cp, 0, sizeof(cp));
+ bacpy(&cp.bdaddr, &conn->dst);
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 2651cc2d5c283..93651c421767a 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4064,17 +4064,9 @@ static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
+ static int l2cap_connect_req(struct l2cap_conn *conn,
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
+ {
+- struct hci_dev *hdev = conn->hcon->hdev;
+- struct hci_conn *hcon = conn->hcon;
+-
+ if (cmd_len < sizeof(struct l2cap_conn_req))
+ return -EPROTO;
+
+- hci_dev_lock(hdev);
+- if (hci_dev_test_flag(hdev, HCI_MGMT))
+- mgmt_device_connected(hdev, hcon, NULL, 0);
+- hci_dev_unlock(hdev);
+-
+ l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP);
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From 224e43e2048d13265509ab379b90e2764396a2db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 12:34:42 -0400
+Subject: Bluetooth: MGMT: Fix possible crash on mgmt_index_removed
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit f53e1c9c726d83092167f2226f32bd3b73f26c21 ]
+
+If mgmt_index_removed is called while there are commands queued on
+cmd_sync it could lead to crashes like the bellow trace:
+
+0x0000053D: __list_del_entry_valid_or_report+0x98/0xdc
+0x0000053D: mgmt_pending_remove+0x18/0x58 [bluetooth]
+0x0000053E: mgmt_remove_adv_monitor_complete+0x80/0x108 [bluetooth]
+0x0000053E: hci_cmd_sync_work+0xbc/0x164 [bluetooth]
+
+So while handling mgmt_index_removed this attempts to dequeue
+commands passed as user_data to cmd_sync.
+
+Fixes: 7cf5c2978f23 ("Bluetooth: hci_sync: Refactor remove Adv Monitor")
+Reported-by: jiaymao <quic_jiaymao@quicinc.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 149aff29e5646..1f3a39c20a911 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -1446,10 +1446,15 @@ static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
+
+ static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
+ {
+- if (cmd->cmd_complete) {
+- u8 *status = data;
++ struct cmd_lookup *match = data;
++
++ /* dequeue cmd_sync entries using cmd as data as that is about to be
++ * removed/freed.
++ */
++ hci_cmd_sync_dequeue(match->hdev, NULL, cmd, NULL);
+
+- cmd->cmd_complete(cmd, *status);
++ if (cmd->cmd_complete) {
++ cmd->cmd_complete(cmd, match->mgmt_status);
+ mgmt_pending_remove(cmd);
+
+ return;
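Review bot: `cmd_complete_rsp()` now interprets its `void *data` argument as `struct cmd_lookup *` instead of `u8 *`, so any caller that still passes a pointer to a status byte would have `match->hdev` read from unrelated memory and handed to `hci_cmd_sync_dequeue()`. The two callers updated later in this patch (`mgmt_index_removed()` and `__mgmt_power_off()`) are consistent, but callers outside the diff cannot be checked from here, and the compiler will not flag a mismatch through `void *`. A contract comment above the function, for example `/* data: struct cmd_lookup * with hdev and mgmt_status set */`, would make the requirement explicit. The function body continues past the end of the hunk.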
+@@ -9342,12 +9347,12 @@ void mgmt_index_added(struct hci_dev *hdev)
+ void mgmt_index_removed(struct hci_dev *hdev)
+ {
+ struct mgmt_ev_ext_index ev;
+- u8 status = MGMT_STATUS_INVALID_INDEX;
++ struct cmd_lookup match = { NULL, hdev, MGMT_STATUS_INVALID_INDEX };
+
+ if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
+ return;
+
+- mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
++ mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &match);
+
+ if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
+ mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev, NULL, 0,
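Review bot: The positional initializer `{ NULL, hdev, MGMT_STATUS_INVALID_INDEX }` depends on the field order of `struct cmd_lookup`, which is declared outside this diff; a reordering there would silently put the status or the device pointer in the wrong member. Since `cmd_complete_rsp()` now dereferences `match->hdev`, I would write it with designated initializers: `struct cmd_lookup match = { .hdev = hdev, .mgmt_status = MGMT_STATUS_INVALID_INDEX };`. mgmt_index_removed() continues past the end of the hunk.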
+@@ -9398,7 +9403,7 @@ void mgmt_power_on(struct hci_dev *hdev, int err)
+ void __mgmt_power_off(struct hci_dev *hdev)
+ {
+ struct cmd_lookup match = { NULL, hdev };
+- u8 status, zero_cod[] = { 0, 0, 0 };
++ u8 zero_cod[] = { 0, 0, 0 };
+
+ mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
+
+@@ -9410,11 +9415,11 @@ void __mgmt_power_off(struct hci_dev *hdev)
+ * status responses.
+ */
+ if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
+- status = MGMT_STATUS_INVALID_INDEX;
++ match.mgmt_status = MGMT_STATUS_INVALID_INDEX;
+ else
+- status = MGMT_STATUS_NOT_POWERED;
++ match.mgmt_status = MGMT_STATUS_NOT_POWERED;
+
+- mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
++ mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &match);
+
+ if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) {
+ mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
+--
+2.43.0
+
--- /dev/null
+From a523a50c081ec7f3cbdc56a87f1c7073a74d891c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 06:22:18 +0800
+Subject: ceph: remove the incorrect Fw reference check when dirtying pages
+
+From: Xiubo Li <xiubli@redhat.com>
+
+[ Upstream commit c08dfb1b49492c09cf13838c71897493ea3b424e ]
+
+When doing the direct-io reads it will also try to mark pages dirty,
+but for the read path it won't hold the Fw caps and there is case
+will it get the Fw reference.
+
+Fixes: 5dda377cf0a6 ("ceph: set i_head_snapc when getting CEPH_CAP_FILE_WR reference")
+Signed-off-by: Xiubo Li <xiubli@redhat.com>
+Reviewed-by: Patrick Donnelly <pdonnell@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/addr.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c
+index da64bb7325dbc..7549e2b07b6af 100644
+--- a/fs/ceph/addr.c
++++ b/fs/ceph/addr.c
+@@ -95,7 +95,6 @@ static bool ceph_dirty_folio(struct address_space *mapping, struct folio *folio)
+
+ /* dirty the head */
+ spin_lock(&ci->i_ceph_lock);
+- BUG_ON(ci->i_wr_ref == 0); // caller should hold Fw reference
+ if (__ceph_have_pending_cap_snap(ci)) {
+ struct ceph_cap_snap *capsnap =
+ list_last_entry(&ci->i_cap_snaps,
+--
+2.43.0
+
--- /dev/null
+From 85e8a2e1d40f0726e5c941152c10feaba7746a8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 19:45:11 +0800
+Subject: drm/amdgpu: Fix get each xcp macro
+
+From: Asad Kamal <asad.kamal@amd.com>
+
+[ Upstream commit ef126c06a98bde1a41303970eb0fc0ac33c3cc02 ]
+
+Fix get each xcp macro to loop over each partition correctly
+
+Fixes: 4bdca2057933 ("drm/amdgpu: Add utility functions for xcp")
+Signed-off-by: Asad Kamal <asad.kamal@amd.com>
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h
+index 9a1036aeec2a0..9142238e7791a 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h
+@@ -179,6 +179,6 @@ amdgpu_get_next_xcp(struct amdgpu_xcp_mgr *xcp_mgr, int *from)
+
+ #define for_each_xcp(xcp_mgr, xcp, i) \
+ for (i = 0, xcp = amdgpu_get_next_xcp(xcp_mgr, &i); xcp; \
+- xcp = amdgpu_get_next_xcp(xcp_mgr, &i))
++ ++i, xcp = amdgpu_get_next_xcp(xcp_mgr, &i))
+
+ #endif
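Review bot: `for_each_xcp()` uses its `xcp_mgr`, `xcp` and `i` arguments unparenthesized and evaluates `i` several times, so the new `++i` is only safe when callers pass a plain `int` lvalue with no side effects. Parenthesizing the arguments, e.g. `++(i), (xcp) = amdgpu_get_next_xcp((xcp_mgr), &(i))`, would harden the macro. A one-line comment that `i` must be an lvalue and is presumably also updated by the helper through its `int *from` parameter (the helper body is outside the hunk) would make the contract clear.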
+--
+2.43.0
+
--- /dev/null
+From ddc812bdae2adebd18237398bbce4c1f86cca840 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 00:43:35 +0530
+Subject: dt-bindings: net: xlnx,axi-ethernet: Add missing reg minItems
+
+From: Ravikanth Tuniki <ravikanth.tuniki@amd.com>
+
+[ Upstream commit c6929644c1e0d6108e57061d427eb966e1746351 ]
+
+Add missing reg minItems as based on current binding document
+only ethernet MAC IO space is a supported configuration.
+
+There is a bug in schema, current examples contain 64-bit
+addressing as well as 32-bit addressing. The schema validation
+does pass incidentally considering one 64-bit reg address as
+two 32-bit reg address entries. If we change axi_ethernet_eth1
+example node reg addressing to 32-bit schema validation reports:
+
+Documentation/devicetree/bindings/net/xlnx,axi-ethernet.example.dtb:
+ethernet@40000000: reg: [[1073741824, 262144]] is too short
+
+To fix it add missing reg minItems constraints and to make things clearer
+stick to 32-bit addressing in examples.
+
+Fixes: cbb1ca6d5f9a ("dt-bindings: net: xlnx,axi-ethernet: convert bindings document to yaml")
+Signed-off-by: Ravikanth Tuniki <ravikanth.tuniki@amd.com>
+Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
+Acked-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://patch.msgid.link/1727723615-2109795-1-git-send-email-radhey.shyam.pandey@amd.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml b/Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml
+index 1d33d80af11c3..652d696bc9e90 100644
+--- a/Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml
++++ b/Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml
+@@ -34,6 +34,7 @@ properties:
+ and length of the AXI DMA controller IO space, unless
+ axistream-connected is specified, in which case the reg
+ attribute of the node referenced by it is used.
++ minItems: 1
+ maxItems: 2
+
+ interrupts:
+@@ -165,7 +166,7 @@ examples:
+ clock-names = "s_axi_lite_clk", "axis_clk", "ref_clk", "mgt_clk";
+ clocks = <&axi_clk>, <&axi_clk>, <&pl_enet_ref_clk>, <&mgt_clk>;
+ phy-mode = "mii";
+- reg = <0x00 0x40000000 0x00 0x40000>;
++ reg = <0x40000000 0x40000>;
+ xlnx,rxcsum = <0x2>;
+ xlnx,rxmem = <0x800>;
+ xlnx,txcsum = <0x2>;
+--
+2.43.0
+
--- /dev/null
+From f417cf177f5b37c4433689a81c3af45b4872810b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 21:17:40 +0800
+Subject: ieee802154: Fix build error
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit addf89774e48c992316449ffab4f29c2309ebefb ]
+
+If REGMAP_SPI is m and IEEE802154_MCR20A is y,
+
+ mcr20a.c:(.text+0x3ed6c5b): undefined reference to `__devm_regmap_init_spi'
+ ld: mcr20a.c:(.text+0x3ed6cb5): undefined reference to `__devm_regmap_init_spi'
+
+Select REGMAP_SPI for IEEE802154_MCR20A to fix it.
+
+Fixes: 8c6ad9cc5157 ("ieee802154: Add NXP MCR20A IEEE 802.15.4 transceiver driver")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://lore.kernel.org/20240909131740.1296608-1-ruanjinjie@huawei.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ieee802154/Kconfig b/drivers/net/ieee802154/Kconfig
+index 95da876c56138..1075e24b11def 100644
+--- a/drivers/net/ieee802154/Kconfig
++++ b/drivers/net/ieee802154/Kconfig
+@@ -101,6 +101,7 @@ config IEEE802154_CA8210_DEBUGFS
+
+ config IEEE802154_MCR20A
+ tristate "MCR20A transceiver driver"
++ select REGMAP_SPI
+ depends on IEEE802154_DRIVERS && MAC802154
+ depends on SPI
+ help
+--
+2.43.0
+
--- /dev/null
+From 2a4a942526c0b7b8eb8787b891e429f105dd486c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2024 08:02:13 -0700
+Subject: iomap: constrain the file range passed to iomap_file_unshare
+
+From: Darrick J. Wong <djwong@kernel.org>
+
+[ Upstream commit a311a08a4237241fb5b9d219d3e33346de6e83e0 ]
+
+File contents can only be shared (i.e. reflinked) below EOF, so it makes
+no sense to try to unshare ranges beyond EOF. Constrain the file range
+parameters here so that we don't have to do that in the callers.
+
+Fixes: 5f4e5752a8a3 ("fs: add iomap_file_dirty")
+Signed-off-by: Darrick J. Wong <djwong@kernel.org>
+Link: https://lore.kernel.org/r/20241002150213.GC21853@frogsfrogsfrogs
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/dax.c | 6 +++++-
+ fs/iomap/buffered-io.c | 6 +++++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/fs/dax.c b/fs/dax.c
+index 3380b43cb6bbb..d48b4fc7a4838 100644
+--- a/fs/dax.c
++++ b/fs/dax.c
+@@ -1305,11 +1305,15 @@ int dax_file_unshare(struct inode *inode, loff_t pos, loff_t len,
+ struct iomap_iter iter = {
+ .inode = inode,
+ .pos = pos,
+- .len = len,
+ .flags = IOMAP_WRITE | IOMAP_UNSHARE | IOMAP_DAX,
+ };
++ loff_t size = i_size_read(inode);
+ int ret;
+
++ if (pos < 0 || pos >= size)
++ return 0;
++
++ iter.len = min(len, size - pos);
+ while ((ret = iomap_iter(&iter, ops)) > 0)
+ iter.processed = dax_unshare_iter(&iter);
+ return ret;
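Review bot: The new range clamp validates `pos` but not `len`, so a zero or negative `len` still flows into `iter.len` through `min(len, size - pos)`. Whether any caller can pass such a value is not visible here, but since the stated aim is to constrain the range in one place, the guard could read `if (pos < 0 || pos >= size || len <= 0) return 0;`, provided returning 0 for an empty range matches what callers expect. The same applies to the identical hunk for `iomap_file_unshare()` in fs/iomap/buffered-io.c. Both functions begin outside their hunks.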
+diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
+index 975fd88c1f0f4..5371b16341fff 100644
+--- a/fs/iomap/buffered-io.c
++++ b/fs/iomap/buffered-io.c
+@@ -1316,11 +1316,15 @@ iomap_file_unshare(struct inode *inode, loff_t pos, loff_t len,
+ struct iomap_iter iter = {
+ .inode = inode,
+ .pos = pos,
+- .len = len,
+ .flags = IOMAP_WRITE | IOMAP_UNSHARE,
+ };
++ loff_t size = i_size_read(inode);
+ int ret;
+
++ if (pos < 0 || pos >= size)
++ return 0;
++
++ iter.len = min(len, size - pos);
+ while ((ret = iomap_iter(&iter, ops)) > 0)
+ iter.processed = iomap_unshare_iter(&iter);
+ return ret;
+--
+2.43.0
+
--- /dev/null
+From 3f23d317ef922a6248470c324ec092a279e20396 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2024 02:51:59 +0300
+Subject: ipv4: ip_gre: Fix drops of small packets in ipgre_xmit
+
+From: Anton Danilov <littlesmilingcloud@gmail.com>
+
+[ Upstream commit c4a14f6d9d17ad1e41a36182dd3b8a5fd91efbd7 ]
+
+Regression Description:
+
+Depending on the options specified for the GRE tunnel device, small
+packets may be dropped. This occurs because the pskb_network_may_pull
+function fails due to the packet's insufficient length.
+
+For example, if only the okey option is specified for the tunnel device,
+original (before encapsulation) packets smaller than 28 bytes (including
+the IPv4 header) will be dropped. This happens because the required
+length is calculated relative to the network header, not the skb->head.
+
+Here is how the required length is computed and checked:
+
+* The pull_len variable is set to 28 bytes, consisting of:
+ * IPv4 header: 20 bytes
+ * GRE header with Key field: 8 bytes
+
+* The pskb_network_may_pull function adds the network offset, shifting
+the checkable space further to the beginning of the network header and
+extending it to the beginning of the packet. As a result, the end of
+the checkable space occurs beyond the actual end of the packet.
+
+Instead of ensuring that 28 bytes are present in skb->head, the function
+is requesting these 28 bytes starting from the network header. For small
+packets, this requested length exceeds the actual packet size, causing
+the check to fail and the packets to be dropped.
+
+This issue affects both locally originated and forwarded packets in
+DMVPN-like setups.
+
+How to reproduce (for local originated packets):
+
+ ip link add dev gre1 type gre ikey 1.9.8.4 okey 1.9.8.4 \
+ local <your-ip> remote 0.0.0.0
+
+ ip link set mtu 1400 dev gre1
+ ip link set up dev gre1
+ ip address add 192.168.13.1/24 dev gre1
+ ip neighbor add 192.168.13.2 lladdr <remote-ip> dev gre1
+ ping -s 1374 -c 10 192.168.13.2
+ tcpdump -vni gre1
+ tcpdump -vni <your-ext-iface> 'ip proto 47'
+ ip -s -s -d link show dev gre1
+
+Solution:
+
+Use the pskb_may_pull function instead the pskb_network_may_pull.
+
+Fixes: 80d875cfc9d3 ("ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()")
+Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20240924235158.106062-1-littlesmilingcloud@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_gre.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index f21a1a5403723..890c15510b421 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -645,11 +645,11 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb,
+ if (skb_cow_head(skb, 0))
+ goto free_skb;
+
+- tnl_params = (const struct iphdr *)skb->data;
+-
+- if (!pskb_network_may_pull(skb, pull_len))
++ if (!pskb_may_pull(skb, pull_len))
+ goto free_skb;
+
++ tnl_params = (const struct iphdr *)skb->data;
++
+ /* ip_tunnel_xmit() needs skb->data pointing to gre header. */
+ skb_pull(skb, pull_len);
+ skb_reset_mac_header(skb);
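Review bot: The reordering that reads `skb->data` into `tnl_params` only after `pskb_may_pull()` deserves a comment, because the pull can reallocate the skb head and a pointer taken before it may be stale. Something like `/* pskb_may_pull() may reallocate skb->head; take header pointers only after it */` above the assignment would keep a later cleanup from moving the line back. ipgre_xmit() starts and ends outside the hunk.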
+--
+2.43.0
+
--- /dev/null
+From c0bbf899af1b1e4699770cab0b5bd43870820ec6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 12:50:09 +0200
+Subject: jump_label: Fix static_key_slow_dec() yet again
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 1d7f856c2ca449f04a22d876e36b464b7a9d28b6 ]
+
+While commit 83ab38ef0a0b ("jump_label: Fix concurrency issues in
+static_key_slow_dec()") fixed one problem, it created yet another,
+notably the following is now possible:
+
+ slow_dec
+ if (try_dec) // dec_not_one-ish, false
+ // enabled == 1
+ slow_inc
+ if (inc_not_disabled) // inc_not_zero-ish
+ // enabled == 2
+ return
+
+ guard((mutex)(&jump_label_mutex);
+ if (atomic_cmpxchg(1,0)==1) // false, we're 2
+
+ slow_dec
+ if (try-dec) // dec_not_one, true
+ // enabled == 1
+ return
+ else
+ try_dec() // dec_not_one, false
+ WARN
+
+Use dec_and_test instead of cmpxchg(), like it was prior to
+83ab38ef0a0b. Add a few WARNs for the paranoid.
+
+Fixes: 83ab38ef0a0b ("jump_label: Fix concurrency issues in static_key_slow_dec()")
+Reported-by: "Darrick J. Wong" <djwong@kernel.org>
+Tested-by: Klara Modin <klarasmodin@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/jump_label.c | 34 +++++++++++++++++++++++++++-------
+ 1 file changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/kernel/jump_label.c b/kernel/jump_label.c
+index 7374053bbe049..554e04b25b13a 100644
+--- a/kernel/jump_label.c
++++ b/kernel/jump_label.c
+@@ -165,7 +165,7 @@ bool static_key_slow_inc_cpuslocked(struct static_key *key)
+ jump_label_update(key);
+ /*
+ * Ensure that when static_key_fast_inc_not_disabled() or
+- * static_key_slow_try_dec() observe the positive value,
++ * static_key_dec_not_one() observe the positive value,
+ * they must also observe all the text changes.
+ */
+ atomic_set_release(&key->enabled, 1);
+@@ -247,7 +247,7 @@ void static_key_disable(struct static_key *key)
+ }
+ EXPORT_SYMBOL_GPL(static_key_disable);
+
+-static bool static_key_slow_try_dec(struct static_key *key)
++static bool static_key_dec_not_one(struct static_key *key)
+ {
+ int v;
+
+@@ -271,6 +271,14 @@ static bool static_key_slow_try_dec(struct static_key *key)
+ * enabled. This suggests an ordering problem on the user side.
+ */
+ WARN_ON_ONCE(v < 0);
++
++ /*
++ * Warn about underflow, and lie about success in an attempt to
++ * not make things worse.
++ */
++ if (WARN_ON_ONCE(v == 0))
++ return true;
++
+ if (v <= 1)
+ return false;
+ } while (!likely(atomic_try_cmpxchg(&key->enabled, &v, v - 1)));
+@@ -281,15 +289,27 @@ static bool static_key_slow_try_dec(struct static_key *key)
+ static void __static_key_slow_dec_cpuslocked(struct static_key *key)
+ {
+ lockdep_assert_cpus_held();
++ int val;
+
+- if (static_key_slow_try_dec(key))
++ if (static_key_dec_not_one(key))
+ return;
+
+ guard(mutex)(&jump_label_mutex);
+- if (atomic_cmpxchg(&key->enabled, 1, 0) == 1)
++ val = atomic_read(&key->enabled);
++ /*
++ * It should be impossible to observe -1 with jump_label_mutex held,
++ * see static_key_slow_inc_cpuslocked().
++ */
++ if (WARN_ON_ONCE(val == -1))
++ return;
++ /*
++ * Cannot already be 0, something went sideways.
++ */
++ if (WARN_ON_ONCE(val == 0))
++ return;
++
++ if (atomic_dec_and_test(&key->enabled))
+ jump_label_update(key);
+- else
+- WARN_ON_ONCE(!static_key_slow_try_dec(key));
+ }
+
+ static void __static_key_slow_dec(struct static_key *key)
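Review bot: In `__static_key_slow_dec_cpuslocked()`, `int val;` is declared after the `lockdep_assert_cpus_held();` statement, which mixes a declaration into the statement list; putting `int val;` first, followed by a blank line and then the lockdep assertion, keeps the usual declarations-first layout. Separately, `val` is a snapshot taken with `atomic_read()` before `atomic_dec_and_test()`, so the two `WARN_ON_ONCE()` checks act on a value that lock-free paths may change in between. A short comment stating that transitions to 0 or -1 are expected only under `jump_label_mutex` (as the neighbouring comments imply, though this is not fully verifiable from the hunk) would explain why the snapshot is sufficient.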
+@@ -326,7 +346,7 @@ void __static_key_slow_dec_deferred(struct static_key *key,
+ {
+ STATIC_KEY_CHECK_USE(key);
+
+- if (static_key_slow_try_dec(key))
++ if (static_key_dec_not_one(key))
+ return;
+
+ schedule_delayed_work(work, timeout);
+--
+2.43.0
+
--- /dev/null
+From 4182881be5a7e79ad85a9169acde3f0a0a03603e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Jun 2024 14:46:39 +0200
+Subject: jump_label: Simplify and clarify static_key_fast_inc_cpus_locked()
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 9bc2ff871f00437ad2f10c1eceff51aaa72b478f ]
+
+Make the code more obvious and add proper comments to avoid future head
+scratching.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20240610124406.548322963@linutronix.de
+Stable-dep-of: 1d7f856c2ca4 ("jump_label: Fix static_key_slow_dec() yet again")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/jump_label.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/jump_label.c b/kernel/jump_label.c
+index 1ed269b2c4035..7374053bbe049 100644
+--- a/kernel/jump_label.c
++++ b/kernel/jump_label.c
+@@ -159,22 +159,24 @@ bool static_key_slow_inc_cpuslocked(struct static_key *key)
+ if (static_key_fast_inc_not_disabled(key))
+ return true;
+
+- jump_label_lock();
+- if (atomic_read(&key->enabled) == 0) {
+- atomic_set(&key->enabled, -1);
++ guard(mutex)(&jump_label_mutex);
++ /* Try to mark it as 'enabling in progress. */
++ if (!atomic_cmpxchg(&key->enabled, 0, -1)) {
+ jump_label_update(key);
+ /*
+- * Ensure that if the above cmpxchg loop observes our positive
+- * value, it must also observe all the text changes.
++ * Ensure that when static_key_fast_inc_not_disabled() or
++ * static_key_slow_try_dec() observe the positive value,
++ * they must also observe all the text changes.
+ */
+ atomic_set_release(&key->enabled, 1);
+ } else {
+- if (WARN_ON_ONCE(!static_key_fast_inc_not_disabled(key))) {
+- jump_label_unlock();
++ /*
++ * While holding the mutex this should never observe
++ * anything else than a value >= 1 and succeed
++ */
++ if (WARN_ON_ONCE(!static_key_fast_inc_not_disabled(key)))
+ return false;
+- }
+ }
+- jump_label_unlock();
+ return true;
+ }
+
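Review bot: The new comment `/* Try to mark it as 'enabling in progress. */` has an unbalanced quote and should read `/* Try to mark it as 'enabling in progress'. */`. The condition `!atomic_cmpxchg(&key->enabled, 0, -1)` also relies on the returned old value being 0 to mean success; writing it as `atomic_cmpxchg(&key->enabled, 0, -1) == 0` would make that explicit. static_key_slow_inc_cpuslocked() begins outside the hunk.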
+--
+2.43.0
+
--- /dev/null
+From e7884794dcb1970ec98969b10dd6882577ed40a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 23:40:44 +0200
+Subject: mailbox: bcm2835: Fix timeout during suspend mode
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+[ Upstream commit dc09f007caed3b2f6a3b6bd7e13777557ae22bfd ]
+
+During noirq suspend phase the Raspberry Pi power driver suffer of
+firmware property timeouts. The reason is that the IRQ of the underlying
+BCM2835 mailbox is disabled and rpi_firmware_property_list() will always
+run into a timeout [1].
+
+Since the VideoCore side isn't consider as a wakeup source, set the
+IRQF_NO_SUSPEND flag for the mailbox IRQ in order to keep it enabled
+during suspend-resume cycle.
+
+[1]
+PM: late suspend of devices complete after 1.754 msecs
+WARNING: CPU: 0 PID: 438 at drivers/firmware/raspberrypi.c:128
+ rpi_firmware_property_list+0x204/0x22c
+Firmware transaction 0x00028001 timeout
+Modules linked in:
+CPU: 0 PID: 438 Comm: bash Tainted: G C 6.9.3-dirty #17
+Hardware name: BCM2835
+Call trace:
+unwind_backtrace from show_stack+0x18/0x1c
+show_stack from dump_stack_lvl+0x34/0x44
+dump_stack_lvl from __warn+0x88/0xec
+__warn from warn_slowpath_fmt+0x7c/0xb0
+warn_slowpath_fmt from rpi_firmware_property_list+0x204/0x22c
+rpi_firmware_property_list from rpi_firmware_property+0x68/0x8c
+rpi_firmware_property from rpi_firmware_set_power+0x54/0xc0
+rpi_firmware_set_power from _genpd_power_off+0xe4/0x148
+_genpd_power_off from genpd_sync_power_off+0x7c/0x11c
+genpd_sync_power_off from genpd_finish_suspend+0xcc/0xe0
+genpd_finish_suspend from dpm_run_callback+0x78/0xd0
+dpm_run_callback from device_suspend_noirq+0xc0/0x238
+device_suspend_noirq from dpm_suspend_noirq+0xb0/0x168
+dpm_suspend_noirq from suspend_devices_and_enter+0x1b8/0x5ac
+suspend_devices_and_enter from pm_suspend+0x254/0x2e4
+pm_suspend from state_store+0xa8/0xd4
+state_store from kernfs_fop_write_iter+0x154/0x1a0
+kernfs_fop_write_iter from vfs_write+0x12c/0x184
+vfs_write from ksys_write+0x78/0xc0
+ksys_write from ret_fast_syscall+0x0/0x54
+Exception stack(0xcc93dfa8 to 0xcc93dff0)
+[...]
+PM: noirq suspend of devices complete after 3095.584 msecs
+
+Link: https://github.com/raspberrypi/firmware/issues/1894
+Fixes: 0bae6af6d704 ("mailbox: Enable BCM2835 mailbox support")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/bcm2835-mailbox.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mailbox/bcm2835-mailbox.c b/drivers/mailbox/bcm2835-mailbox.c
+index fbfd0202047c3..ea12fb8d24015 100644
+--- a/drivers/mailbox/bcm2835-mailbox.c
++++ b/drivers/mailbox/bcm2835-mailbox.c
+@@ -145,7 +145,8 @@ static int bcm2835_mbox_probe(struct platform_device *pdev)
+ spin_lock_init(&mbox->lock);
+
+ ret = devm_request_irq(dev, irq_of_parse_and_map(dev->of_node, 0),
+- bcm2835_mbox_irq, 0, dev_name(dev), mbox);
++ bcm2835_mbox_irq, IRQF_NO_SUSPEND, dev_name(dev),
++ mbox);
+ if (ret) {
+ dev_err(dev, "Failed to register a mailbox IRQ handler: %d\n",
+ ret);
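Review bot: The result of `irq_of_parse_and_map(dev->of_node, 0)` is passed straight to `devm_request_irq()` without a check for a failed mapping (a return of 0); storing it in a local and bailing out first, e.g. `if (!irq) return -EINVAL;`, would give a clearer failure than the request error path. With `IRQF_NO_SUSPEND` the handler can now also run during the noirq suspend phase, so a comment such as `/* Firmware property calls are issued in the noirq suspend phase; keep this IRQ enabled */` would record why the flag is set. bcm2835_mbox_probe() starts and ends outside the hunk.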
+--
+2.43.0
+
--- /dev/null
+From 82fb3bce00143d6189826ec07c71e9325776caaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 02:51:47 +0000
+Subject: mailbox: rockchip: fix a typo in module autoloading
+
+From: Liao Chen <liaochen4@huawei.com>
+
+[ Upstream commit e92d87c9c5d769e4cb1dd7c90faa38dddd7e52e3 ]
+
+MODULE_DEVICE_TABLE(of, rockchip_mbox_of_match) could let the module
+properly autoloaded based on the alias from of_device_id table. It
+should be 'rockchip_mbox_of_match' instead of 'rockchp_mbox_of_match',
+just fix it.
+
+Fixes: f70ed3b5dc8b ("mailbox: rockchip: Add Rockchip mailbox driver")
+Signed-off-by: Liao Chen <liaochen4@huawei.com>
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/rockchip-mailbox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mailbox/rockchip-mailbox.c b/drivers/mailbox/rockchip-mailbox.c
+index 8ffad059e8984..4d966cb2ed036 100644
+--- a/drivers/mailbox/rockchip-mailbox.c
++++ b/drivers/mailbox/rockchip-mailbox.c
+@@ -159,7 +159,7 @@ static const struct of_device_id rockchip_mbox_of_match[] = {
+ { .compatible = "rockchip,rk3368-mailbox", .data = &rk3368_drv_data},
+ { },
+ };
+-MODULE_DEVICE_TABLE(of, rockchp_mbox_of_match);
++MODULE_DEVICE_TABLE(of, rockchip_mbox_of_match);
+
+ static int rockchip_mbox_probe(struct platform_device *pdev)
+ {
+--
+2.43.0
+
--- /dev/null
+From 10e920cca6c543163c0920d199cb05248638cff3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2024 15:02:57 +0000
+Subject: net: add more sanity checks to qdisc_pkt_len_init()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit ab9a9a9e9647392a19e7a885b08000e89c86b535 ]
+
+One path takes care of SKB_GSO_DODGY, assuming
+skb->len is bigger than hdr_len.
+
+virtio_net_hdr_to_skb() does not fully dissect TCP headers,
+it only make sure it is at least 20 bytes.
+
+It is possible for an user to provide a malicious 'GSO' packet,
+total length of 80 bytes.
+
+- 20 bytes of IPv4 header
+- 60 bytes TCP header
+- a small gso_size like 8
+
+virtio_net_hdr_to_skb() would declare this packet as a normal
+GSO packet, because it would see 40 bytes of payload,
+bigger than gso_size.
+
+We need to make detect this case to not underflow
+qdisc_skb_cb(skb)->pkt_len.
+
+Fixes: 1def9238d4aa ("net_sched: more precise pkt_len computation")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 877ebaff95586..70f757707f1a2 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3754,10 +3754,14 @@ static void qdisc_pkt_len_init(struct sk_buff *skb)
+ hdr_len += sizeof(struct udphdr);
+ }
+
+- if (shinfo->gso_type & SKB_GSO_DODGY)
+- gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
+- shinfo->gso_size);
++ if (unlikely(shinfo->gso_type & SKB_GSO_DODGY)) {
++ int payload = skb->len - hdr_len;
+
++ /* Malicious packet. */
++ if (payload <= 0)
++ return;
++ gso_segs = DIV_ROUND_UP(payload, shinfo->gso_size);
++ }
+ qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;
+ }
+ }
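Review bot: The new `/* Malicious packet. */` comment does not say what is being rejected or what value pkt_len keeps after the early return. In the SKB_GSO_DODGY branch hdr_len is built from headers that user space supplied, so it can reach or exceed skb->len. A comment such as `/* hdr_len comes from untrusted headers and may cover the whole skb; keep the current pkt_len instead of underflowing */` would record that. The division by `shinfo->gso_size` relies on a non-zero check that, if present, sits above this hunk. The `int payload` conversion likewise depends on the types of skb->len and hdr_len, which are declared outside the hunk.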
+--
+2.43.0
+
--- /dev/null
+From 275d155f2d6a8c4621c6297736eaae124bafb932 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2024 23:22:41 +0200
+Subject: net: Add netif_get_gro_max_size helper for GRO
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit e8d4d34df715133c319fabcf63fdec684be75ff8 ]
+
+Add a small netif_get_gro_max_size() helper which returns the maximum IPv4
+or IPv6 GRO size of the netdevice.
+
+We later add a netif_get_gso_max_size() equivalent as well for GSO, so that
+these helpers can be used consistently instead of open-coded checks.
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20240923212242.15669-1-daniel@iogearbox.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: e609c959a939 ("net: Fix gso_features_check to check for both dev->gso_{ipv4_,}max_size")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netdevice.h | 9 +++++++++
+ net/core/gro.c | 9 ++-------
+ 2 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index b8e60a20416ba..e4f02e638b9d9 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -5029,6 +5029,15 @@ void netif_set_tso_max_segs(struct net_device *dev, unsigned int segs);
+ void netif_inherit_tso_max(struct net_device *to,
+ const struct net_device *from);
+
++static inline unsigned int
++netif_get_gro_max_size(const struct net_device *dev, const struct sk_buff *skb)
++{
++ /* pairs with WRITE_ONCE() in netif_set_gro(_ipv4)_max_size() */
++ return skb->protocol == htons(ETH_P_IPV6) ?
++ READ_ONCE(dev->gro_max_size) :
++ READ_ONCE(dev->gro_ipv4_max_size);
++}
++
+ static inline bool netif_is_macsec(const struct net_device *dev)
+ {
+ return dev->priv_flags & IFF_MACSEC;
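Review bot: netif_get_gro_max_size() has no comment saying that every skb whose protocol is not ETH_P_IPV6 gets the IPv4 limit. That matches the open-coded test removed from skb_gro_receive(), but a shared helper may be called where skb->protocol holds something else, for example a VLAN ethertype, which would presumably select gro_ipv4_max_size even for encapsulated IPv6. A line such as `/* any protocol other than ETH_P_IPV6 uses the IPv4 limit */` above the return would make that explicit. The same applies to netif_get_gso_max_size() added by the later gso_features_check patch on this page.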
+diff --git a/net/core/gro.c b/net/core/gro.c
+index 31e40f25fdf10..85d3f686ba539 100644
+--- a/net/core/gro.c
++++ b/net/core/gro.c
+@@ -100,7 +100,6 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb)
+ unsigned int headlen = skb_headlen(skb);
+ unsigned int len = skb_gro_len(skb);
+ unsigned int delta_truesize;
+- unsigned int gro_max_size;
+ unsigned int new_truesize;
+ struct sk_buff *lp;
+ int segs;
+@@ -114,12 +113,8 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb)
+ if (p->pp_recycle != skb->pp_recycle)
+ return -ETOOMANYREFS;
+
+- /* pairs with WRITE_ONCE() in netif_set_gro(_ipv4)_max_size() */
+- gro_max_size = p->protocol == htons(ETH_P_IPV6) ?
+- READ_ONCE(p->dev->gro_max_size) :
+- READ_ONCE(p->dev->gro_ipv4_max_size);
+-
+- if (unlikely(p->len + len >= gro_max_size || NAPI_GRO_CB(skb)->flush))
++ if (unlikely(p->len + len >= netif_get_gro_max_size(p->dev, p) ||
++ NAPI_GRO_CB(skb)->flush))
+ return -E2BIG;
+
+ if (unlikely(p->len + len >= GRO_LEGACY_MAX_SIZE)) {
+--
+2.43.0
+
--- /dev/null
+From c9f9fca75493a91057bbf0943edd13cbf5e46cb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2024 15:02:56 +0000
+Subject: net: avoid potential underflow in qdisc_pkt_len_init() with UFO
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c20029db28399ecc50e556964eaba75c43b1e2f1 ]
+
+After commit 7c6d2ecbda83 ("net: be more gentle about silly gso
+requests coming from user") virtio_net_hdr_to_skb() had sanity check
+to detect malicious attempts from user space to cook a bad GSO packet.
+
+Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count
+transport header in UFO") while fixing one issue, allowed user space
+to cook a GSO packet with the following characteristic :
+
+IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.
+
+When this packet arrives in qdisc_pkt_len_init(), we end up
+with hdr_len = 28 (IPv4 header + UDP header), matching skb->len
+
+Then the following sets gso_segs to 0 :
+
+gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
+ shinfo->gso_size);
+
+Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/
+
+qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;
+
+This leads to the following crash in fq_codel [1]
+
+qdisc_pkt_len_init() is best effort, we only want an estimation
+of the bytes sent on the wire, not crashing the kernel.
+
+This patch is fixing this particular issue, a following one
+adds more sanity checks for another potential bug.
+
+[1]
+[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[ 70.724561] #PF: supervisor read access in kernel mode
+[ 70.724561] #PF: error_code(0x0000) - not-present page
+[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0
+[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI
+[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991
+[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
+[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49
+All code
+========
+ 0: 24 08 and $0x8,%al
+ 2: 49 c1 e1 06 shl $0x6,%r9
+ 6: 44 89 7c 24 18 mov %r15d,0x18(%rsp)
+ b: 45 31 ed xor %r13d,%r13d
+ e: 45 31 c0 xor %r8d,%r8d
+ 11: 31 ff xor %edi,%edi
+ 13: 89 44 24 14 mov %eax,0x14(%rsp)
+ 17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9
+ 1e: eb 04 jmp 0x24
+ 20: 39 ca cmp %ecx,%edx
+ 22: 73 37 jae 0x5b
+ 24: 4d 8b 39 mov (%r9),%r15
+ 27: 83 c7 01 add $0x1,%edi
+ 2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction
+ 2d: 49 89 11 mov %rdx,(%r9)
+ 30: 41 8b 57 28 mov 0x28(%r15),%edx
+ 34: 45 8b 5f 34 mov 0x34(%r15),%r11d
+ 38: 49 c7 07 00 00 00 00 movq $0x0,(%r15)
+ 3f: 49 rex.WB
+
+Code starting with the faulting instruction
+===========================================
+ 0: 49 8b 17 mov (%r15),%rdx
+ 3: 49 89 11 mov %rdx,(%r9)
+ 6: 41 8b 57 28 mov 0x28(%r15),%edx
+ a: 45 8b 5f 34 mov 0x34(%r15),%r11d
+ e: 49 c7 07 00 00 00 00 movq $0x0,(%r15)
+ 15: 49 rex.WB
+[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202
+[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000
+[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
+[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000
+[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58
+[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000
+[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000
+[ 70.724561] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 70.724561] CR2: 0000000000000000 CR3: 000000010c568000 CR4: 00000000000006f0
+[ 70.724561] Call Trace:
+[ 70.724561] <TASK>
+[ 70.724561] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
+[ 70.724561] ? page_fault_oops (arch/x86/mm/fault.c:715)
+[ 70.724561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
+[ 70.724561] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
+[ 70.724561] ? fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
+[ 70.724561] dev_qdisc_enqueue (net/core/dev.c:3784)
+[ 70.724561] __dev_queue_xmit (net/core/dev.c:3880 (discriminator 2) net/core/dev.c:4390 (discriminator 2))
+[ 70.724561] ? irqentry_enter (kernel/entry/common.c:237)
+[ 70.724561] ? sysvec_apic_timer_interrupt (./arch/x86/include/asm/hardirq.h:74 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2))
+[ 70.724561] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:58 (discriminator 4))
+[ 70.724561] ? asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702)
+[ 70.724561] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/virtio_net.h:129 (discriminator 1))
+[ 70.724561] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1))
+[ 70.724561] ? _raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4))
+[ 70.724561] ? netdev_name_node_lookup_rcu (net/core/dev.c:325 (discriminator 1))
+[ 70.724561] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1))
+[ 70.724561] ? __sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355)
+[ 70.724561] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1))
+[ 70.724561] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
+[ 70.724561] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+[ 70.724561] RIP: 0033:0x41ae09
+
+Fixes: cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jonathan Davies <jonathan.davies@nutanix.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Jonathan Davies <jonathan.davies@nutanix.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index decfa7cbba50a..877ebaff95586 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3746,7 +3746,7 @@ static void qdisc_pkt_len_init(struct sk_buff *skb)
+ sizeof(_tcphdr), &_tcphdr);
+ if (likely(th))
+ hdr_len += __tcp_hdrlen(th);
+- } else {
++ } else if (shinfo->gso_type & SKB_GSO_UDP_L4) {
+ struct udphdr _udphdr;
+
+ if (skb_header_pointer(skb, hdr_len,
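Review bot: After this change a GSO type that is neither TCP nor SKB_GSO_UDP_L4 falls through with no transport header length added to hdr_len, and nothing in the code says that is intended. A short comment before the `else if`, for example `/* other GSO types (e.g. SKB_GSO_UDP): no transport header is added to hdr_len */`, would keep a later reader from restoring the bare `else`. The if/else chain starts above the hunk and the UDP branch continues below it, so the final use of hdr_len is not visible here.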
+--
+2.43.0
+
--- /dev/null
+From 039788f88d4f1815b03e62328cd50c3dbf03d324 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2024 23:49:49 +0200
+Subject: net: ethernet: lantiq_etop: fix memory disclosure
+
+From: Aleksander Jan Bajkowski <olek2@wp.pl>
+
+[ Upstream commit 45c0de18ff2dc9af01236380404bbd6a46502c69 ]
+
+When applying padding, the buffer is not zeroed, which results in memory
+disclosure. The mentioned data is observed on the wire. This patch uses
+skb_put_padto() to pad Ethernet frames properly. The mentioned function
+zeroes the expanded buffer.
+
+In case the packet cannot be padded it is silently dropped. Statistics
+are also not incremented. This driver does not support statistics in the
+old 32-bit format or the new 64-bit format. These will be added in the
+future. In its current form, the patch should be easily backported to
+stable versions.
+
+Ethernet MACs on Amazon-SE and Danube cannot do padding of the packets
+in hardware, so software padding must be applied.
+
+Fixes: 504d4721ee8e ("MIPS: Lantiq: Add ethernet driver")
+Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20240923214949.231511-2-olek2@wp.pl
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/lantiq_etop.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c
+index 61baf1da76eea..c33c31019562f 100644
+--- a/drivers/net/ethernet/lantiq_etop.c
++++ b/drivers/net/ethernet/lantiq_etop.c
+@@ -482,7 +482,9 @@ ltq_etop_tx(struct sk_buff *skb, struct net_device *dev)
+ unsigned long flags;
+ u32 byte_offset;
+
+- len = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len;
++ if (skb_put_padto(skb, ETH_ZLEN))
++ return NETDEV_TX_OK;
++ len = skb->len;
+
+ if ((desc->ctl & (LTQ_DMA_OWN | LTQ_DMA_C)) || ch->skb[ch->dma.desc]) {
+ netdev_err(dev, "tx ring full\n");
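Review bot: The early `return NETDEV_TX_OK` after a failed skb_put_padto() reads like a leaked skb unless the reader knows that skb_put_padto() frees the skb on failure. A comment such as `/* skb_put_padto() freed the skb; report it as consumed */` would document that. It is also worth noting next to `len = skb->len;` that the length now relies on the skb having been padded and zeroed first, since that is what closes the disclosure. The drop is not counted anywhere, which the commit message acknowledges. ltq_etop_tx() continues below the hunk.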
+--
+2.43.0
+
--- /dev/null
+From df7f4005a02af3dfda9edb9f7af8b3afac8f0f11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2024 11:37:06 +0200
+Subject: net: fec: Reload PTP registers after link-state change
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Csókás, Bence <csokas.bence@prolan.hu>
+
+[ Upstream commit d9335d0232d2da605585eea1518ac6733518f938 ]
+
+On link-state change, the controller gets reset,
+which clears all PTP registers, including PHC time,
+calibrated clock correction values etc. For correct
+IEEE 1588 operation we need to restore these after
+the reset.
+
+Fixes: 6605b730c061 ("FEC: Add time stamping code and a PTP hardware clock")
+Signed-off-by: Csókás, Bence <csokas.bence@prolan.hu>
+Reviewed-by: Wei Fang <wei.fang@nxp.com>
+Link: https://patch.msgid.link/20240924093705.2897329-2-csokas.bence@prolan.hu
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec.h | 3 +++
+ drivers/net/ethernet/freescale/fec_ptp.c | 20 ++++++++++++++++++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/drivers/net/ethernet/freescale/fec.h b/drivers/net/ethernet/freescale/fec.h
+index cb58696ec03b2..733af928caffc 100644
+--- a/drivers/net/ethernet/freescale/fec.h
++++ b/drivers/net/ethernet/freescale/fec.h
+@@ -693,6 +693,9 @@ struct fec_enet_private {
+
+ struct {
+ int pps_enable;
++ u64 ns_sys, ns_phc;
++ u32 at_corr;
++ u8 at_inc_corr;
+ } ptp_saved_state;
+
+ u64 ethtool_stats[];
+diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c
+index 8027b532de078..5e8fac50f945d 100644
+--- a/drivers/net/ethernet/freescale/fec_ptp.c
++++ b/drivers/net/ethernet/freescale/fec_ptp.c
+@@ -773,24 +773,44 @@ void fec_ptp_init(struct platform_device *pdev, int irq_idx)
+ void fec_ptp_save_state(struct fec_enet_private *fep)
+ {
+ unsigned long flags;
++ u32 atime_inc_corr;
+
+ spin_lock_irqsave(&fep->tmreg_lock, flags);
+
+ fep->ptp_saved_state.pps_enable = fep->pps_enable;
+
++ fep->ptp_saved_state.ns_phc = timecounter_read(&fep->tc);
++ fep->ptp_saved_state.ns_sys = ktime_get_ns();
++
++ fep->ptp_saved_state.at_corr = readl(fep->hwp + FEC_ATIME_CORR);
++ atime_inc_corr = readl(fep->hwp + FEC_ATIME_INC) & FEC_T_INC_CORR_MASK;
++ fep->ptp_saved_state.at_inc_corr = (u8)(atime_inc_corr >> FEC_T_INC_CORR_OFFSET);
++
+ spin_unlock_irqrestore(&fep->tmreg_lock, flags);
+ }
+
+ /* Restore PTP functionality after a reset */
+ void fec_ptp_restore_state(struct fec_enet_private *fep)
+ {
++ u32 atime_inc = readl(fep->hwp + FEC_ATIME_INC) & FEC_T_INC_MASK;
+ unsigned long flags;
++ u32 counter;
++ u64 ns;
+
+ spin_lock_irqsave(&fep->tmreg_lock, flags);
+
+ /* Reset turned it off, so adjust our status flag */
+ fep->pps_enable = 0;
+
++ writel(fep->ptp_saved_state.at_corr, fep->hwp + FEC_ATIME_CORR);
++ atime_inc |= ((u32)fep->ptp_saved_state.at_inc_corr) << FEC_T_INC_CORR_OFFSET;
++ writel(atime_inc, fep->hwp + FEC_ATIME_INC);
++
++ ns = ktime_get_ns() - fep->ptp_saved_state.ns_sys + fep->ptp_saved_state.ns_phc;
++ counter = ns & fep->cc.mask;
++ writel(counter, fep->hwp + FEC_ATIME);
++ timecounter_init(&fep->tc, &fep->cc, ns);
++
+ spin_unlock_irqrestore(&fep->tmreg_lock, flags);
+
+ /* Restart PPS if needed */
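Review bot: fec_ptp_save_state() now calls `timecounter_read(&fep->tc)` and reads FEC_ATIME_CORR and FEC_ATIME_INC on every call, yet the fec_main.c hunks of the "Restart PPS after link state change" patch on this page call it unconditionally from fec_restart() and fec_stop(), while the restore in fec_restart() is guarded by `fep->bufdesc_ex`. If the timecounter is only set up when PTP is in use (not visible here), the save path would operate on uninitialised state on hardware without it. An early `if (!fep->bufdesc_ex) return;` at the top of fec_ptp_save_state() would keep save and restore symmetric. Separately, fec_ptp_restore_state() reads FEC_ATIME_INC in its declaration, before taking tmreg_lock, and writes it back under the lock. Moving the `readl()` inside the locked region would keep that read-modify-write atomic with respect to other holders of the lock.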
+--
+2.43.0
+
--- /dev/null
+From f1349cdfefe8d4bba2cc0843332c8a860bf41153 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2024 11:37:04 +0200
+Subject: net: fec: Restart PPS after link state change
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Csókás, Bence <csokas.bence@prolan.hu>
+
+[ Upstream commit a1477dc87dc4996dcf65a4893d4e2c3a6b593002 ]
+
+On link state change, the controller gets reset,
+causing PPS to drop out. Re-enable PPS if it was
+enabled before the controller reset.
+
+Fixes: 6605b730c061 ("FEC: Add time stamping code and a PTP hardware clock")
+Signed-off-by: Csókás, Bence <csokas.bence@prolan.hu>
+Link: https://patch.msgid.link/20240924093705.2897329-1-csokas.bence@prolan.hu
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec.h | 6 +++++
+ drivers/net/ethernet/freescale/fec_main.c | 11 ++++++++-
+ drivers/net/ethernet/freescale/fec_ptp.c | 30 +++++++++++++++++++++++
+ 3 files changed, 46 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec.h b/drivers/net/ethernet/freescale/fec.h
+index a8fbcada6b01f..cb58696ec03b2 100644
+--- a/drivers/net/ethernet/freescale/fec.h
++++ b/drivers/net/ethernet/freescale/fec.h
+@@ -691,10 +691,16 @@ struct fec_enet_private {
+ /* XDP BPF Program */
+ struct bpf_prog *xdp_prog;
+
++ struct {
++ int pps_enable;
++ } ptp_saved_state;
++
+ u64 ethtool_stats[];
+ };
+
+ void fec_ptp_init(struct platform_device *pdev, int irq_idx);
++void fec_ptp_restore_state(struct fec_enet_private *fep);
++void fec_ptp_save_state(struct fec_enet_private *fep);
+ void fec_ptp_stop(struct platform_device *pdev);
+ void fec_ptp_start_cyclecounter(struct net_device *ndev);
+ int fec_ptp_set(struct net_device *ndev, struct kernel_hwtstamp_config *config,
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 5604a47b35b2a..81e3173521589 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -1058,6 +1058,8 @@ fec_restart(struct net_device *ndev)
+ u32 rcntl = OPT_FRAME_SIZE | 0x04;
+ u32 ecntl = FEC_ECR_ETHEREN;
+
++ fec_ptp_save_state(fep);
++
+ /* Whack a reset. We should wait for this.
+ * For i.MX6SX SOC, enet use AXI bus, we use disable MAC
+ * instead of reset MAC itself.
+@@ -1225,8 +1227,10 @@ fec_restart(struct net_device *ndev)
+ writel(ecntl, fep->hwp + FEC_ECNTRL);
+ fec_enet_active_rxring(ndev);
+
+- if (fep->bufdesc_ex)
++ if (fep->bufdesc_ex) {
+ fec_ptp_start_cyclecounter(ndev);
++ fec_ptp_restore_state(fep);
++ }
+
+ /* Enable interrupts we wish to service */
+ if (fep->link)
+@@ -1317,6 +1321,8 @@ fec_stop(struct net_device *ndev)
+ netdev_err(ndev, "Graceful transmit stop did not complete!\n");
+ }
+
++ fec_ptp_save_state(fep);
++
+ /* Whack a reset. We should wait for this.
+ * For i.MX6SX SOC, enet use AXI bus, we use disable MAC
+ * instead of reset MAC itself.
+@@ -1347,6 +1353,9 @@ fec_stop(struct net_device *ndev)
+ val = readl(fep->hwp + FEC_ECNTRL);
+ val |= FEC_ECR_EN1588;
+ writel(val, fep->hwp + FEC_ECNTRL);
++
++ fec_ptp_start_cyclecounter(ndev);
++ fec_ptp_restore_state(fep);
+ }
+ }
+
+diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c
+index 2e4f3e1782a25..8027b532de078 100644
+--- a/drivers/net/ethernet/freescale/fec_ptp.c
++++ b/drivers/net/ethernet/freescale/fec_ptp.c
+@@ -770,6 +770,36 @@ void fec_ptp_init(struct platform_device *pdev, int irq_idx)
+ schedule_delayed_work(&fep->time_keep, HZ);
+ }
+
++void fec_ptp_save_state(struct fec_enet_private *fep)
++{
++ unsigned long flags;
++
++ spin_lock_irqsave(&fep->tmreg_lock, flags);
++
++ fep->ptp_saved_state.pps_enable = fep->pps_enable;
++
++ spin_unlock_irqrestore(&fep->tmreg_lock, flags);
++}
++
++/* Restore PTP functionality after a reset */
++void fec_ptp_restore_state(struct fec_enet_private *fep)
++{
++ unsigned long flags;
++
++ spin_lock_irqsave(&fep->tmreg_lock, flags);
++
++ /* Reset turned it off, so adjust our status flag */
++ fep->pps_enable = 0;
++
++ spin_unlock_irqrestore(&fep->tmreg_lock, flags);
++
++ /* Restart PPS if needed */
++ if (fep->ptp_saved_state.pps_enable) {
++ /* Re-enable PPS */
++ fec_ptp_enable_pps(fep, 1);
++ }
++}
++
+ void fec_ptp_stop(struct platform_device *pdev)
+ {
+ struct net_device *ndev = platform_get_drvdata(pdev);
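Review bot: fec_ptp_restore_state() drops the result of `fec_ptp_enable_pps(fep, 1)`, so if that helper can fail (its definition is outside the hunk) PPS stays off after the reset with `fep->pps_enable` cleared and nothing logged. Checking the return value and emitting a warning would make the lost PPS output visible. `fep->ptp_saved_state.pps_enable` is also read after tmreg_lock has been released, whereas fec_ptp_save_state() writes it under the lock. Copying it to a local inside the locked region would be consistent.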
+--
+2.43.0
+
--- /dev/null
+From b3f1a4ba04b75a4f771dcfaeea377d83aba3c290 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2024 23:22:42 +0200
+Subject: net: Fix gso_features_check to check for both
+ dev->gso_{ipv4_,}max_size
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit e609c959a939660c7519895f853dfa5624c6827a ]
+
+Commit 24ab059d2ebd ("net: check dev->gso_max_size in gso_features_check()")
+added a dev->gso_max_size test to gso_features_check() in order to fall
+back to GSO when needed.
+
+This was added as it was noticed that some drivers could misbehave if TSO
+packets get too big. However, the check doesn't respect dev->gso_ipv4_max_size
+limit. For instance, a device could be configured with BIG TCP for IPv4,
+but not IPv6.
+
+Therefore, add a netif_get_gso_max_size() equivalent to netif_get_gro_max_size()
+and use the helper to respect both limits before falling back to GSO engine.
+
+Fixes: 24ab059d2ebd ("net: check dev->gso_max_size in gso_features_check()")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20240923212242.15669-2-daniel@iogearbox.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netdevice.h | 9 +++++++++
+ net/core/dev.c | 2 +-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
+index e4f02e638b9d9..8f5ac20b4c03d 100644
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -5038,6 +5038,15 @@ netif_get_gro_max_size(const struct net_device *dev, const struct sk_buff *skb)
+ READ_ONCE(dev->gro_ipv4_max_size);
+ }
+
++static inline unsigned int
++netif_get_gso_max_size(const struct net_device *dev, const struct sk_buff *skb)
++{
++ /* pairs with WRITE_ONCE() in netif_set_gso(_ipv4)_max_size() */
++ return skb->protocol == htons(ETH_P_IPV6) ?
++ READ_ONCE(dev->gso_max_size) :
++ READ_ONCE(dev->gso_ipv4_max_size);
++}
++
+ static inline bool netif_is_macsec(const struct net_device *dev)
+ {
+ return dev->priv_flags & IFF_MACSEC;
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 5a5bd339f11eb..decfa7cbba50a 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3500,7 +3500,7 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb,
+ if (gso_segs > READ_ONCE(dev->gso_max_segs))
+ return features & ~NETIF_F_GSO_MASK;
+
+- if (unlikely(skb->len >= READ_ONCE(dev->gso_max_size)))
++ if (unlikely(skb->len >= netif_get_gso_max_size(dev, skb)))
+ return features & ~NETIF_F_GSO_MASK;
+
+ if (!skb_shinfo(skb)->gso_type) {
+--
+2.43.0
+
--- /dev/null
+From 506afaf8a89433a20991e5c0ec4abc3996da453a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Sep 2024 17:42:34 +0800
+Subject: net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 09573b1cc76e7ff8f056ab29ea1cdc152ec8c653 ]
+
+disable_irq() after request_irq() still has a time gap in which
+interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
+disable IRQ auto-enable when request IRQ.
+
+Fixes: 8c6ad9cc5157 ("ieee802154: Add NXP MCR20A IEEE 802.15.4 transceiver driver")
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://lore.kernel.org/20240911094234.1922418-1-ruanjinjie@huawei.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/mcr20a.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ieee802154/mcr20a.c b/drivers/net/ieee802154/mcr20a.c
+index 87abe3b46316e..bab92f19c4f48 100644
+--- a/drivers/net/ieee802154/mcr20a.c
++++ b/drivers/net/ieee802154/mcr20a.c
+@@ -1303,16 +1303,13 @@ mcr20a_probe(struct spi_device *spi)
+ irq_type = IRQF_TRIGGER_FALLING;
+
+ ret = devm_request_irq(&spi->dev, spi->irq, mcr20a_irq_isr,
+- irq_type, dev_name(&spi->dev), lp);
++ irq_type | IRQF_NO_AUTOEN, dev_name(&spi->dev), lp);
+ if (ret) {
+ dev_err(&spi->dev, "could not request_irq for mcr20a\n");
+ ret = -ENODEV;
+ goto free_dev;
+ }
+
+- /* disable_irq by default and wait for starting hardware */
+- disable_irq(spi->irq);
+-
+ ret = ieee802154_register_hw(hw);
+ if (ret) {
+ dev_crit(&spi->dev, "ieee802154_register_hw failed\n");
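Review bot: The removed comment `/* disable_irq by default and wait for starting hardware */` was the only statement of why the interrupt must stay off after probe, and nothing replaces it next to the new `IRQF_NO_AUTOEN` flag. A line above the devm_request_irq() call, e.g. `/* keep the IRQ disabled until the hardware is started */`, would preserve that. It would also tell readers that an enable_irq() elsewhere in the driver (outside this hunk) is expected to balance it. The error branch in the context lines also overwrites `ret` with `-ENODEV`, which hides the actual devm_request_irq() error code.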
+--
+2.43.0
+
--- /dev/null
+From 6c4161e3dc2e3c45c6abba2925c342ea417420b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 22:02:48 -0600
+Subject: net/mlx5: Added cond_resched() to crdump collection
+
+From: Mohamed Khalfella <mkhalfella@purestorage.com>
+
+[ Upstream commit ec793155894140df7421d25903de2e6bc12c695b ]
+
+Collecting crdump involves reading vsc registers from pci config space
+of mlx device, which can take long time to complete. This might result
+in starving other threads waiting to run on the cpu.
+
+Numbers I got from testing ConnectX-5 Ex MCX516A-CDAT in the lab:
+
+- mlx5_vsc_gw_read_block_fast() was called with length = 1310716.
+- mlx5_vsc_gw_read_fast() reads 4 bytes at a time. It was not used to
+ read the entire 1310716 bytes. It was called 53813 times because
+ there are jumps in read_addr.
+- On average mlx5_vsc_gw_read_fast() took 35284.4ns.
+- In total mlx5_vsc_wait_on_flag() called vsc_read() 54707 times.
+ The average time for each call was 17548.3ns. In some instances
+ vsc_read() was called more than one time when the flag was not set.
+ As expected the thread released the cpu after 16 iterations in
+ mlx5_vsc_wait_on_flag().
+- Total time to read crdump was 35284.4ns * 53813 ~= 1.898s.
+
+It was seen in the field that crdump can take more than 5 seconds to
+complete. During that time mlx5_vsc_wait_on_flag() did not release the
+cpu because it did not complete 16 iterations. It is believed that pci
+config reads were slow. Adding cond_resched() every 128 register read
+improves the situation. In the common case the, crdump takes ~1.8989s,
+the thread yields the cpu every ~4.51ms. If crdump takes ~5s, the thread
+yields the cpu every ~18.0ms.
+
+Fixes: 8b9d8baae1de ("net/mlx5: Add Crdump support")
+Reviewed-by: Yuanyuan Zhong <yzhong@purestorage.com>
+Signed-off-by: Mohamed Khalfella <mkhalfella@purestorage.com>
+Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c
+index d0b595ba61101..432c98f2626db 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c
+@@ -24,6 +24,11 @@
+ pci_write_config_dword((dev)->pdev, (dev)->vsc_addr + (offset), (val))
+ #define VSC_MAX_RETRIES 2048
+
++/* Reading VSC registers can take relatively long time.
++ * Yield the cpu every 128 registers read.
++ */
++#define VSC_GW_READ_BLOCK_COUNT 128
++
+ enum {
+ VSC_CTRL_OFFSET = 0x4,
+ VSC_COUNTER_OFFSET = 0x8,
+@@ -273,6 +278,7 @@ int mlx5_vsc_gw_read_block_fast(struct mlx5_core_dev *dev, u32 *data,
+ {
+ unsigned int next_read_addr = 0;
+ unsigned int read_addr = 0;
++ unsigned int count = 0;
+
+ while (read_addr < length) {
+ if (mlx5_vsc_gw_read_fast(dev, read_addr, &next_read_addr,
+@@ -280,6 +286,10 @@ int mlx5_vsc_gw_read_block_fast(struct mlx5_core_dev *dev, u32 *data,
+ return read_addr;
+
+ read_addr = next_read_addr;
++ if (++count == VSC_GW_READ_BLOCK_COUNT) {
++ cond_resched();
++ count = 0;
++ }
+ }
+ return length;
+ }
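Review bot: With `cond_resched()` in the loop, mlx5_vsc_gw_read_block_fast() may now reschedule, and nothing at the function documents that it has to be called from a context that allows it. The commit message indicates the wait loop in mlx5_vsc_wait_on_flag() already gives up the cpu, so the requirement is probably met today. A comment on the function such as `/* May sleep: yields the cpu every VSC_GW_READ_BLOCK_COUNT reads */` would make it explicit for future callers. The function's signature is in the previous hunk.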
+--
+2.43.0
+
--- /dev/null
+From 0a68efce56573d5e4eebf678ec377ee23882e207 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 10:53:51 +0200
+Subject: net/mlx5: Fix error path in multi-packet WQE transmit
+
+From: Gerd Bayer <gbayer@linux.ibm.com>
+
+[ Upstream commit 2bcae12c795f32ddfbf8c80d1b5f1d3286341c32 ]
+
+Remove the erroneous unmap in case no DMA mapping was established
+
+The multi-packet WQE transmit code attempts to obtain a DMA mapping for
+the skb. This could fail, e.g. under memory pressure, when the IOMMU
+driver just can't allocate more memory for page tables. While the code
+tries to handle this in the path below the err_unmap label it erroneously
+unmaps one entry from the sq's FIFO list of active mappings. Since the
+current map attempt failed this unmap is removing some random DMA mapping
+that might still be required. If the PCI function now presents that IOVA,
+the IOMMU may assumes a rogue DMA access and e.g. on s390 puts the PCI
+function in error state.
+
+The erroneous behavior was seen in a stress-test environment that created
+memory pressure.
+
+Fixes: 5af75c747e2a ("net/mlx5e: Enhanced TX MPWQE for SKBs")
+Signed-off-by: Gerd Bayer <gbayer@linux.ibm.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Acked-by: Maxim Mikityanskiy <maxtram95@gmail.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+index 3001a52e1ac2e..85d6334308e31 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+@@ -642,7 +642,6 @@ mlx5e_sq_xmit_mpwqe(struct mlx5e_txqsq *sq, struct sk_buff *skb,
+ return;
+
+ err_unmap:
+- mlx5e_dma_unmap_wqe_err(sq, 1);
+ sq->stats->dropped++;
+ dev_kfree_skb_any(skb);
+ mlx5e_tx_flush(sq);
+--
+2.43.0
+
--- /dev/null
+From d0244bf5090cb2466e774cb7095ce1efea787e1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 09:40:58 +0300
+Subject: net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit 7b124695db40d5c9c5295a94ae928a8d67a01c3d ]
+
+The km.state is not checked in driver's delayed work. When
+xfrm_state_check_expire() is called, the state can be reset to
+XFRM_STATE_EXPIRED, even if it is XFRM_STATE_DEAD already. This
+happens when xfrm state is deleted, but not freed yet. As
+__xfrm_state_delete() is called again in xfrm timer, the following
+crash occurs.
+
+To fix this issue, skip xfrm_state_check_expire() if km.state is not
+XFRM_STATE_VALID.
+
+ Oops: general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP
+ CPU: 5 UID: 0 PID: 7448 Comm: kworker/u102:2 Not tainted 6.11.0-rc2+ #1
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+ Workqueue: mlx5e_ipsec: eth%d mlx5e_ipsec_handle_sw_limits [mlx5_core]
+ RIP: 0010:__xfrm_state_delete+0x3d/0x1b0
+ Code: 0f 84 8b 01 00 00 48 89 fd c6 87 c8 00 00 00 05 48 8d bb 40 10 00 00 e8 11 04 1a 00 48 8b 95 b8 00 00 00 48 8b 85 c0 00 00 00 <48> 89 42 08 48 89 10 48 8b 55 10 48 b8 00 01 00 00 00 00 ad de 48
+ RSP: 0018:ffff88885f945ec8 EFLAGS: 00010246
+ RAX: dead000000000122 RBX: ffffffff82afa940 RCX: 0000000000000036
+ RDX: dead000000000100 RSI: 0000000000000000 RDI: ffffffff82afb980
+ RBP: ffff888109a20340 R08: ffff88885f945ea0 R09: 0000000000000000
+ R10: 0000000000000000 R11: ffff88885f945ff8 R12: 0000000000000246
+ R13: ffff888109a20340 R14: ffff88885f95f420 R15: ffff88885f95f400
+ FS: 0000000000000000(0000) GS:ffff88885f940000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f2163102430 CR3: 00000001128d6001 CR4: 0000000000370eb0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ <IRQ>
+ ? die_addr+0x33/0x90
+ ? exc_general_protection+0x1a2/0x390
+ ? asm_exc_general_protection+0x22/0x30
+ ? __xfrm_state_delete+0x3d/0x1b0
+ ? __xfrm_state_delete+0x2f/0x1b0
+ xfrm_timer_handler+0x174/0x350
+ ? __xfrm_state_delete+0x1b0/0x1b0
+ __hrtimer_run_queues+0x121/0x270
+ hrtimer_run_softirq+0x88/0xd0
+ handle_softirqs+0xcc/0x270
+ do_softirq+0x3c/0x50
+ </IRQ>
+ <TASK>
+ __local_bh_enable_ip+0x47/0x50
+ mlx5e_ipsec_handle_sw_limits+0x7d/0x90 [mlx5_core]
+ process_one_work+0x137/0x2d0
+ worker_thread+0x28d/0x3a0
+ ? rescuer_thread+0x480/0x480
+ kthread+0xb8/0xe0
+ ? kthread_park+0x80/0x80
+ ret_from_fork+0x2d/0x50
+ ? kthread_park+0x80/0x80
+ ret_from_fork_asm+0x11/0x20
+ </TASK>
+
+Fixes: b2f7b01d36a9 ("net/mlx5e: Simulate missing IPsec TX limits hardware functionality")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+index e2ffc572de188..015faddabc8e0 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+@@ -67,7 +67,6 @@ static void mlx5e_ipsec_handle_tx_limit(struct work_struct *_work)
+ return;
+
+ spin_lock_bh(&x->lock);
+- xfrm_state_check_expire(x);
+ if (x->km.state == XFRM_STATE_EXPIRED) {
+ sa_entry->attrs.drop = true;
+ spin_unlock_bh(&x->lock);
+@@ -75,6 +74,13 @@ static void mlx5e_ipsec_handle_tx_limit(struct work_struct *_work)
+ mlx5e_accel_ipsec_fs_modify(sa_entry);
+ return;
+ }
++
++ if (x->km.state != XFRM_STATE_VALID) {
++ spin_unlock_bh(&x->lock);
++ return;
++ }
++
++ xfrm_state_check_expire(x);
+ spin_unlock_bh(&x->lock);
+
+ queue_delayed_work(sa_entry->ipsec->wq, &dwork->dwork,
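Review bot: With `xfrm_state_check_expire(x)` moved below the `XFRM_STATE_EXPIRED` test, an expiry detected by the current run is no longer acted on in that run. The function unlocks and re-queues the work, so `sa_entry->attrs.drop` is set only when the work executes again. That looks intentional given the commit message, but the driver-side drop may then lag the expiry by one work interval, and that interval is set outside these hunks. A comment above the new guard would make the ordering explicit, e.g. `/* Only a VALID state may be checked for expiry; an expiry found here is handled on the next run. */`. The body of mlx5e_ipsec_handle_tx_limit() starts and ends outside the hunks.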
+--
+2.43.0
+
--- /dev/null
+From 31f48fb2a05e9866f56c0ce58188b1bd735ff73a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2024 19:00:18 +0300
+Subject: net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()
+
+From: Elena Salomatkina <esalomatkina@ispras.ru>
+
+[ Upstream commit f25389e779500cf4a59ef9804534237841bce536 ]
+
+In mlx5e_tir_builder_alloc() kvzalloc() may return NULL
+which is dereferenced on the next line in a reference
+to the modify field.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: a6696735d694 ("net/mlx5e: Convert TIR to a dedicated object")
+Signed-off-by: Elena Salomatkina <esalomatkina@ispras.ru>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Gal Pressman <gal@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c
+index d4239e3b3c88e..11f724ad90dbf 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c
+@@ -23,6 +23,9 @@ struct mlx5e_tir_builder *mlx5e_tir_builder_alloc(bool modify)
+ struct mlx5e_tir_builder *builder;
+
+ builder = kvzalloc(sizeof(*builder), GFP_KERNEL);
++ if (!builder)
++ return NULL;
++
+ builder->modify = modify;
+
+ return builder;
+--
+2.43.0
+
--- /dev/null
+From f5dc74221ecf1829d943f6935217aecc6f10707f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2024 22:18:29 -0700
+Subject: net: sparx5: Fix invalid timestamps
+
+From: Aakash Menon <aakash.r.menon@gmail.com>
+
+[ Upstream commit 151ac45348afc5b56baa584c7cd4876addf461ff ]
+
+Bit 270-271 are occasionally unexpectedly set by the hardware. This issue
+was observed with 10G SFPs causing huge time errors (> 30ms) in PTP. Only
+30 bits are needed for the nanosecond part of the timestamp, clear 2 most
+significant bits before extracting timestamp from the internal frame
+header.
+
+Fixes: 70dfe25cd866 ("net: sparx5: Update extraction/injection for timestamping")
+Signed-off-by: Aakash Menon <aakash.menon@protempis.com>
+Reviewed-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/sparx5/sparx5_packet.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
+index ac7e1cffbcecf..dcf2e342fc14a 100644
+--- a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
+@@ -45,8 +45,12 @@ void sparx5_ifh_parse(u32 *ifh, struct frame_info *info)
+ fwd = (fwd >> 5);
+ info->src_port = FIELD_GET(GENMASK(7, 1), fwd);
+
++ /*
++ * Bit 270-271 are occasionally unexpectedly set by the hardware,
++ * clear bits before extracting timestamp
++ */
+ info->timestamp =
+- ((u64)xtr_hdr[2] << 24) |
++ ((u64)(xtr_hdr[2] & GENMASK(5, 0)) << 24) |
+ ((u64)xtr_hdr[3] << 16) |
+ ((u64)xtr_hdr[4] << 8) |
+ ((u64)xtr_hdr[5] << 0);
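Review bot: The mask `GENMASK(5, 0)` on `xtr_hdr[2]` is unexplained in the code: the added comment names bits 270-271 of the IFH but not why six bits of this byte are kept. The commit message gives the reason (the nanosecond part needs only 30 bits, i.e. 6 bits here plus the 24 bits taken from `xtr_hdr[3]` to `xtr_hdr[5]`). That belongs next to the mask, e.g. `/* nanoseconds are 30 bits: low 6 bits of xtr_hdr[2] plus xtr_hdr[3..5] */`. sparx5_ifh_parse() starts and ends outside the hunk.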
+--
+2.43.0
+
--- /dev/null
+From 9240a7846a65ae512ce182a6d6694a606f0bc001 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2024 15:54:24 -0500
+Subject: net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit
+ check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Shenwei Wang <shenwei.wang@nxp.com>
+
+[ Upstream commit 4c1b56671b68ffcbe6b78308bfdda6bcce6491ae ]
+
+Increase the timeout for checking the busy bit of the VLAN Tag register
+from 10µs to 500ms. This change is necessary to accommodate scenarios
+where Energy Efficient Ethernet (EEE) is enabled.
+
+Overnight testing revealed that when EEE is active, the busy bit can
+remain set for up to approximately 300ms. The new 500ms timeout provides
+a safety margin.
+
+Fixes: ed64639bc1e0 ("net: stmmac: Add support for VLAN Rx filtering")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Shenwei Wang <shenwei.wang@nxp.com>
+Link: https://patch.msgid.link/20240924205424.573913-1-shenwei.wang@nxp.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/dwmac4_core.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+index bf99495b51a9c..a9837985a483d 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -14,6 +14,7 @@
+ #include <linux/slab.h>
+ #include <linux/ethtool.h>
+ #include <linux/io.h>
++#include <linux/iopoll.h>
+ #include "stmmac.h"
+ #include "stmmac_pcs.h"
+ #include "dwmac4.h"
+@@ -475,7 +476,7 @@ static int dwmac4_write_vlan_filter(struct net_device *dev,
+ u8 index, u32 data)
+ {
+ void __iomem *ioaddr = (void __iomem *)dev->base_addr;
+- int i, timeout = 10;
++ int ret;
+ u32 val;
+
+ if (index >= hw->num_vlan)
+@@ -491,16 +492,15 @@ static int dwmac4_write_vlan_filter(struct net_device *dev,
+
+ writel(val, ioaddr + GMAC_VLAN_TAG);
+
+- for (i = 0; i < timeout; i++) {
+- val = readl(ioaddr + GMAC_VLAN_TAG);
+- if (!(val & GMAC_VLAN_TAG_CTRL_OB))
+- return 0;
+- udelay(1);
++ ret = readl_poll_timeout(ioaddr + GMAC_VLAN_TAG, val,
++ !(val & GMAC_VLAN_TAG_CTRL_OB),
++ 1000, 500000);
++ if (ret) {
++ netdev_err(dev, "Timeout accessing MAC_VLAN_Tag_Filter\n");
++ return -EBUSY;
+ }
+
+- netdev_err(dev, "Timeout accessing MAC_VLAN_Tag_Filter\n");
+-
+- return -EBUSY;
++ return 0;
+ }
+
+ static int dwmac4_add_hw_vlan_rx_fltr(struct net_device *dev,
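Review bot: The busy-bit wait in dwmac4_write_vlan_filter() can now sleep: `readl_poll_timeout(..., 1000, 500000)` sleeps between reads, where the removed loop used `udelay(1)` and was usable in atomic context. Every path that reaches this function therefore has to run in process context with no spinlock held, and may block for up to 500 ms per filter write. The callers are outside these hunks, so that should be confirmed; if any of them can be atomic, `readl_poll_timeout_atomic()` would be the matching helper. A short comment above the poll would record the constraint, e.g. `/* May sleep up to 500 ms (EEE can keep OB set); callers must not be atomic. */`, and the bare `1000, 500000` would read better as named constants.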
+--
+2.43.0
+
--- /dev/null
+From c00a9b408f3434d991000aff45dbb10cb25e3f2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2024 16:58:36 +0000
+Subject: net: test for not too small csum_start in virtio_net_hdr_to_skb()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 49d14b54a527289d09a9480f214b8c586322310a ]
+
+syzbot was able to trigger this warning [1], after injecting a
+malicious packet through af_packet, setting skb->csum_start and thus
+the transport header to an incorrect value.
+
+We can at least make sure the transport header is after
+the end of the network header (with a estimated minimal size).
+
+[1]
+[ 67.873027] skb len=4096 headroom=16 headlen=14 tailroom=0
+mac=(-1,-1) mac_len=0 net=(16,-6) trans=10
+shinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0))
+csum(0xa start=10 offset=0 ip_summed=3 complete_sw=0 valid=0 level=0)
+hash(0x0 sw=0 l4=0) proto=0x0800 pkttype=0 iif=0
+priority=0x0 mark=0x0 alloc_cpu=10 vlan_all=0x0
+encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0)
+[ 67.877172] dev name=veth0_vlan feat=0x000061164fdd09e9
+[ 67.877764] sk family=17 type=3 proto=0
+[ 67.878279] skb linear: 00000000: 00 00 10 00 00 00 00 00 0f 00 00 00 08 00
+[ 67.879128] skb frag: 00000000: 0e 00 07 00 00 00 28 00 08 80 1c 00 04 00 00 02
+[ 67.879877] skb frag: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 67.880647] skb frag: 00000020: 00 00 02 00 00 00 08 00 1b 00 00 00 00 00 00 00
+[ 67.881156] skb frag: 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 67.881753] skb frag: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 67.882173] skb frag: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 67.882790] skb frag: 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 67.883171] skb frag: 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 67.883733] skb frag: 00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 67.884206] skb frag: 00000090: 00 00 00 00 00 00 00 00 00 00 69 70 76 6c 61 6e
+[ 67.884704] skb frag: 000000a0: 31 00 00 00 00 00 00 00 00 00 2b 00 00 00 00 00
+[ 67.885139] skb frag: 000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 67.885677] skb frag: 000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 67.886042] skb frag: 000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 67.886408] skb frag: 000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 67.887020] skb frag: 000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 67.887384] skb frag: 00000100: 00 00
+[ 67.887878] ------------[ cut here ]------------
+[ 67.887908] offset (-6) >= skb_headlen() (14)
+[ 67.888445] WARNING: CPU: 10 PID: 2088 at net/core/dev.c:3332 skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
+[ 67.889353] Modules linked in: macsec macvtap macvlan hsr wireguard curve25519_x86_64 libcurve25519_generic libchacha20poly1305 chacha_x86_64 libchacha poly1305_x86_64 dummy bridge sr_mod cdrom evdev pcspkr i2c_piix4 9pnet_virtio 9p 9pnet netfs
+[ 67.890111] CPU: 10 UID: 0 PID: 2088 Comm: b363492833 Not tainted 6.11.0-virtme #1011
+[ 67.890183] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 67.890309] RIP: 0010:skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
+[ 67.891043] Call Trace:
+[ 67.891173] <TASK>
+[ 67.891274] ? __warn (kernel/panic.c:741)
+[ 67.891320] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
+[ 67.891333] ? report_bug (lib/bug.c:180 lib/bug.c:219)
+[ 67.891348] ? handle_bug (arch/x86/kernel/traps.c:239)
+[ 67.891363] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
+[ 67.891372] ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)
+[ 67.891388] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
+[ 67.891399] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
+[ 67.891416] ip_do_fragment (net/ipv4/ip_output.c:777 (discriminator 1))
+[ 67.891448] ? __ip_local_out (./include/linux/skbuff.h:1146 ./include/net/l3mdev.h:196 ./include/net/l3mdev.h:213 net/ipv4/ip_output.c:113)
+[ 67.891459] ? __pfx_ip_finish_output2 (net/ipv4/ip_output.c:200)
+[ 67.891470] ? ip_route_output_flow (./arch/x86/include/asm/preempt.h:84 (discriminator 13) ./include/linux/rcupdate.h:96 (discriminator 13) ./include/linux/rcupdate.h:871 (discriminator 13) net/ipv4/route.c:2625 (discriminator 13) ./include/net/route.h:141 (discriminator 13) net/ipv4/route.c:2852 (discriminator 13))
+[ 67.891484] ipvlan_process_v4_outbound (drivers/net/ipvlan/ipvlan_core.c:445 (discriminator 1))
+[ 67.891581] ipvlan_queue_xmit (drivers/net/ipvlan/ipvlan_core.c:542 drivers/net/ipvlan/ipvlan_core.c:604 drivers/net/ipvlan/ipvlan_core.c:670)
+[ 67.891596] ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:227)
+[ 67.891607] dev_hard_start_xmit (./include/linux/netdevice.h:4916 ./include/linux/netdevice.h:4925 net/core/dev.c:3588 net/core/dev.c:3604)
+[ 67.891620] __dev_queue_xmit (net/core/dev.h:168 (discriminator 25) net/core/dev.c:4425 (discriminator 25))
+[ 67.891630] ? skb_copy_bits (./include/linux/uaccess.h:233 (discriminator 1) ./include/linux/uaccess.h:260 (discriminator 1) ./include/linux/highmem-internal.h:230 (discriminator 1) net/core/skbuff.c:3018 (discriminator 1))
+[ 67.891645] ? __pskb_pull_tail (net/core/skbuff.c:2848 (discriminator 4))
+[ 67.891655] ? skb_partial_csum_set (net/core/skbuff.c:5657)
+[ 67.891666] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/skbuff.h:2791 (discriminator 3) ./include/linux/skbuff.h:2799 (discriminator 3) ./include/linux/virtio_net.h:109 (discriminator 3))
+[ 67.891684] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1))
+[ 67.891700] ? _raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4))
+[ 67.891716] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1))
+[ 67.891734] ? do_sock_setsockopt (net/socket.c:2335)
+[ 67.891747] ? __sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355)
+[ 67.891761] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1))
+[ 67.891772] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
+[ 67.891785] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+Fixes: 9181d6f8a2bb ("net: add more sanity check in virtio_net_hdr_to_skb()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20240926165836.3797406-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/virtio_net.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
+index 276ca543ef44d..02a9f4dc594d0 100644
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -103,8 +103,10 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
+
+ if (!skb_partial_csum_set(skb, start, off))
+ return -EINVAL;
++ if (skb_transport_offset(skb) < nh_min_len)
++ return -EINVAL;
+
+- nh_min_len = max_t(u32, nh_min_len, skb_transport_offset(skb));
++ nh_min_len = skb_transport_offset(skb);
+ p_off = nh_min_len + thlen;
+ if (!pskb_may_pull(skb, p_off))
+ return -EINVAL;
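Review bot: The new check `skb_transport_offset(skb) < nh_min_len` compares an `int` result with `nh_min_len`, whose declaration is outside the hunk. The removed `max_t(u32, ...)` suggests it is unsigned, in which case a negative offset would be converted to a large unsigned value and pass the test. After a successful `skb_partial_csum_set()` the offset is presumably never negative, but that assumption is worth stating here because `csum_start` comes from a header supplied by the sender, as the commit message describes. I would read the offset once into a local instead of calling `skb_transport_offset()` twice, and add a comment such as `/* csum_start is untrusted: the transport header must not start inside the minimal network header */`. virtio_net_hdr_to_skb() starts and ends outside the hunk.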
+--
+2.43.0
+
--- /dev/null
+From d486a9a1a1501fc66a1e16028d1443d1516dfa3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Sep 2024 19:57:43 +0800
+Subject: net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit d505d3593b52b6c43507f119572409087416ba28 ]
+
+It's important to undo pm_runtime_use_autosuspend() with
+pm_runtime_dont_use_autosuspend() at driver exit time.
+
+But the pm_runtime_disable() and pm_runtime_dont_use_autosuspend()
+is missing in the error path for bam_dmux_probe(). So add it.
+
+Found by code review. Compile-tested only.
+
+Fixes: 21a0ffd9b38c ("net: wwan: Add Qualcomm BAM-DMUX WWAN network driver")
+Suggested-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Reviewed-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Reviewed-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/qcom_bam_dmux.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wwan/qcom_bam_dmux.c b/drivers/net/wwan/qcom_bam_dmux.c
+index 17d46f4d29139..174a9156b3233 100644
+--- a/drivers/net/wwan/qcom_bam_dmux.c
++++ b/drivers/net/wwan/qcom_bam_dmux.c
+@@ -823,17 +823,17 @@ static int bam_dmux_probe(struct platform_device *pdev)
+ ret = devm_request_threaded_irq(dev, pc_ack_irq, NULL, bam_dmux_pc_ack_irq,
+ IRQF_ONESHOT, NULL, dmux);
+ if (ret)
+- return ret;
++ goto err_disable_pm;
+
+ ret = devm_request_threaded_irq(dev, dmux->pc_irq, NULL, bam_dmux_pc_irq,
+ IRQF_ONESHOT, NULL, dmux);
+ if (ret)
+- return ret;
++ goto err_disable_pm;
+
+ ret = irq_get_irqchip_state(dmux->pc_irq, IRQCHIP_STATE_LINE_LEVEL,
+ &dmux->pc_state);
+ if (ret)
+- return ret;
++ goto err_disable_pm;
+
+ /* Check if remote finished initialization before us */
+ if (dmux->pc_state) {
+@@ -844,6 +844,11 @@ static int bam_dmux_probe(struct platform_device *pdev)
+ }
+
+ return 0;
++
++err_disable_pm:
++ pm_runtime_disable(dev);
++ pm_runtime_dont_use_autosuspend(dev);
++ return ret;
+ }
+
+ static int bam_dmux_remove(struct platform_device *pdev)
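Review bot: The `err_disable_pm` path disables runtime PM while the interrupts requested just above with `devm_request_threaded_irq()` are still registered; devres releases them only after probe has returned. If `bam_dmux_pc_irq` or `bam_dmux_pc_ack_irq` (defined outside these hunks) touch runtime PM, a late interrupt could run against a device whose runtime PM is already disabled, so it is worth confirming that they tolerate this, or adding a comment on the label saying why it cannot happen. The label also calls `pm_runtime_disable(dev)` before `pm_runtime_dont_use_autosuspend(dev)`; using the same order as bam_dmux_remove(), which is not visible here, would make the two teardown paths easier to compare. bam_dmux_probe() starts outside the hunk.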
+--
+2.43.0
+
--- /dev/null
+From c0fafa072d80cc603d48a32b395027fe8aedf01a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2024 18:56:11 +0000
+Subject: netfilter: nf_tables: prevent nf_skb_duplicated corruption
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 92ceba94de6fb4cee2bf40b485979c342f44a492 ]
+
+syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write
+per-cpu variable nf_skb_duplicated in an unsafe way [1].
+
+Disabling preemption as hinted by the splat is not enough,
+we have to disable soft interrupts as well.
+
+[1]
+BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316
+ caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
+CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:93 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
+ check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49
+ nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
+ nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
+ nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288
+ nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23
+ nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+ nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
+ nf_hook+0x2c4/0x450 include/linux/netfilter.h:269
+ NF_HOOK_COND include/linux/netfilter.h:302 [inline]
+ ip_output+0x185/0x230 net/ipv4/ip_output.c:433
+ ip_local_out net/ipv4/ip_output.c:129 [inline]
+ ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495
+ udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981
+ udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x1a6/0x270 net/socket.c:745
+ ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
+ ___sys_sendmsg net/socket.c:2651 [inline]
+ __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737
+ __do_sys_sendmmsg net/socket.c:2766 [inline]
+ __se_sys_sendmmsg net/socket.c:2763 [inline]
+ __x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f4ce4f7def9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
+RAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9
+RDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006
+RBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68
+ </TASK>
+
+Fixes: d877f07112f1 ("netfilter: nf_tables: add nft_dup expression")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/netfilter/nf_dup_ipv4.c | 7 +++++--
+ net/ipv6/netfilter/nf_dup_ipv6.c | 7 +++++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/netfilter/nf_dup_ipv4.c b/net/ipv4/netfilter/nf_dup_ipv4.c
+index 6cc5743c553a0..9a21175693db5 100644
+--- a/net/ipv4/netfilter/nf_dup_ipv4.c
++++ b/net/ipv4/netfilter/nf_dup_ipv4.c
+@@ -52,8 +52,9 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
+ {
+ struct iphdr *iph;
+
++ local_bh_disable();
+ if (this_cpu_read(nf_skb_duplicated))
+- return;
++ goto out;
+ /*
+ * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
+ * the original skb, which should continue on its way as if nothing has
+@@ -61,7 +62,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
+ */
+ skb = pskb_copy(skb, GFP_ATOMIC);
+ if (skb == NULL)
+- return;
++ goto out;
+
+ #if IS_ENABLED(CONFIG_NF_CONNTRACK)
+ /* Avoid counting cloned packets towards the original connection. */
+@@ -90,6 +91,8 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
+ } else {
+ kfree_skb(skb);
+ }
++out:
++ local_bh_enable();
+ }
+ EXPORT_SYMBOL_GPL(nf_dup_ipv4);
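Review bot: The `local_bh_disable()` added at the top of nf_dup_ipv4() carries no comment, and the reason for it is not visible in the hunks: the function only reads `nf_skb_duplicated` here, and the per-cpu write reported in the commit message lies in the unchanged part of the function. A one-line comment would keep a later cleanup from weakening it to a preemption-only guard, e.g. `/* nf_skb_duplicated is a per-cpu guard flag; softirqs must be off, not just preemption */`. The same applies to the identical change in nf_dup_ipv6(). Both functions continue outside the hunks shown, so any other early `return` between the disable and the `out:` label would have to be checked there.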
+
+diff --git a/net/ipv6/netfilter/nf_dup_ipv6.c b/net/ipv6/netfilter/nf_dup_ipv6.c
+index a0a2de30be3e7..0c39c77fe8a8a 100644
+--- a/net/ipv6/netfilter/nf_dup_ipv6.c
++++ b/net/ipv6/netfilter/nf_dup_ipv6.c
+@@ -47,11 +47,12 @@ static bool nf_dup_ipv6_route(struct net *net, struct sk_buff *skb,
+ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
+ const struct in6_addr *gw, int oif)
+ {
++ local_bh_disable();
+ if (this_cpu_read(nf_skb_duplicated))
+- return;
++ goto out;
+ skb = pskb_copy(skb, GFP_ATOMIC);
+ if (skb == NULL)
+- return;
++ goto out;
+
+ #if IS_ENABLED(CONFIG_NF_CONNTRACK)
+ nf_reset_ct(skb);
+@@ -69,6 +70,8 @@ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
+ } else {
+ kfree_skb(skb);
+ }
++out:
++ local_bh_enable();
+ }
+ EXPORT_SYMBOL_GPL(nf_dup_ipv6);
+
+--
+2.43.0
+
--- /dev/null
+From c6313da65e2e28e0b31e8c8b04af389ea805ba0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2024 20:01:20 +0200
+Subject: netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 76f1ed087b562a469f2153076f179854b749c09a ]
+
+Fix the comment which incorrectly defines it as NLA_U32.
+
+Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/netfilter/nf_tables.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
+index 621e3035145eb..9c29015d09c10 100644
+--- a/include/uapi/linux/netfilter/nf_tables.h
++++ b/include/uapi/linux/netfilter/nf_tables.h
+@@ -1690,7 +1690,7 @@ enum nft_flowtable_flags {
+ *
+ * @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING)
+ * @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING)
+- * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
++ * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration (NLA_NESTED)
+ * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
+ * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
+ * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)
+--
+2.43.0
+
--- /dev/null
+From 7f97160468bed44474bb6d536fe5c681931acb10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Sep 2024 07:45:53 +0000
+Subject: ppp: do not assume bh is held in ppp_channel_bridge_input()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit aec7291003df78cb71fd461d7b672912bde55807 ]
+
+Networking receive path is usually handled from BH handler.
+However, some protocols need to acquire the socket lock, and
+packets might be stored in the socket backlog is the socket was
+owned by a user process.
+
+In this case, release_sock(), __release_sock(), and sk_backlog_rcv()
+might call the sk->sk_backlog_rcv() handler in process context.
+
+sybot caught ppp was not considering this case in
+ppp_channel_bridge_input() :
+
+WARNING: inconsistent lock state
+6.11.0-rc7-syzkaller-g5f5673607153 #0 Not tainted
+--------------------------------
+inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
+ksoftirqd/1/24 [HC0[0]:SC1[1]:HE1:SE0] takes:
+ ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
+ ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
+ ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
+{SOFTIRQ-ON-W} state was registered at:
+ lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
+ __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
+ _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154
+ spin_lock include/linux/spinlock.h:351 [inline]
+ ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
+ ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
+ pppoe_rcv_core+0xfc/0x314 drivers/net/ppp/pppoe.c:379
+ sk_backlog_rcv include/net/sock.h:1111 [inline]
+ __release_sock+0x1a8/0x3d8 net/core/sock.c:3004
+ release_sock+0x68/0x1b8 net/core/sock.c:3558
+ pppoe_sendmsg+0xc8/0x5d8 drivers/net/ppp/pppoe.c:903
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ __sys_sendto+0x374/0x4f4 net/socket.c:2204
+ __do_sys_sendto net/socket.c:2216 [inline]
+ __se_sys_sendto net/socket.c:2212 [inline]
+ __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2212
+ __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
+ invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
+ el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
+ do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
+ el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
+ el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
+ el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
+irq event stamp: 282914
+ hardirqs last enabled at (282914): [<ffff80008b42e30c>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
+ hardirqs last enabled at (282914): [<ffff80008b42e30c>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
+ hardirqs last disabled at (282913): [<ffff80008b42e13c>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
+ hardirqs last disabled at (282913): [<ffff80008b42e13c>] _raw_spin_lock_irqsave+0x2c/0x7c kernel/locking/spinlock.c:162
+ softirqs last enabled at (282904): [<ffff8000801f8e88>] softirq_handle_end kernel/softirq.c:400 [inline]
+ softirqs last enabled at (282904): [<ffff8000801f8e88>] handle_softirqs+0xa3c/0xbfc kernel/softirq.c:582
+ softirqs last disabled at (282909): [<ffff8000801fbdf8>] run_ksoftirqd+0x70/0x158 kernel/softirq.c:928
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&pch->downl);
+ <Interrupt>
+ lock(&pch->downl);
+
+ *** DEADLOCK ***
+
+1 lock held by ksoftirqd/1/24:
+ #0: ffff80008f74dfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:325
+
+stack backtrace:
+CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
+Call trace:
+ dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:319
+ show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:326
+ __dump_stack lib/dump_stack.c:93 [inline]
+ dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:119
+ dump_stack+0x1c/0x28 lib/dump_stack.c:128
+ print_usage_bug+0x698/0x9ac kernel/locking/lockdep.c:4000
+ mark_lock_irq+0x980/0xd2c
+ mark_lock+0x258/0x360 kernel/locking/lockdep.c:4677
+ __lock_acquire+0xf48/0x779c kernel/locking/lockdep.c:5096
+ lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
+ __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
+ _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154
+ spin_lock include/linux/spinlock.h:351 [inline]
+ ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
+ ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
+ ppp_async_process+0x98/0x150 drivers/net/ppp/ppp_async.c:495
+ tasklet_action_common+0x318/0x3f4 kernel/softirq.c:785
+ tasklet_action+0x68/0x8c kernel/softirq.c:811
+ handle_softirqs+0x2e4/0xbfc kernel/softirq.c:554
+ run_ksoftirqd+0x70/0x158 kernel/softirq.c:928
+ smpboot_thread_fn+0x4b0/0x90c kernel/smpboot.c:164
+ kthread+0x288/0x310 kernel/kthread.c:389
+ ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
+
+Fixes: 4cf476ced45d ("ppp: add PPPIOCBRIDGECHAN and PPPIOCUNBRIDGECHAN ioctls")
+Reported-by: syzbot+bd8d55ee2acd0a71d8ce@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/66f661e2.050a0220.38ace9.000f.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Tom Parkin <tparkin@katalix.com>
+Cc: James Chapman <jchapman@katalix.com>
+Link: https://patch.msgid.link/20240927074553.341910-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_generic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
+index 370c84f393759..90f1cfbc7c50b 100644
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -2269,7 +2269,7 @@ static bool ppp_channel_bridge_input(struct channel *pch, struct sk_buff *skb)
+ if (!pchb)
+ goto out_rcu;
+
+- spin_lock(&pchb->downl);
++ spin_lock_bh(&pchb->downl);
+ if (!pchb->chan) {
+ /* channel got unregistered */
+ kfree_skb(skb);
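Review bot: The switch to `spin_lock_bh(&pchb->downl)` carries no comment saying why bottom halves must be disabled here, and the reason is not visible from ppp_channel_bridge_input() alone. The lockdep report in the commit message shows ppp_input() reaching this lock both from process context (pppoe_sendmsg() draining the socket backlog in release_sock()) and from a tasklet via ppp_async_process(). A comment above the lock such as `/* ppp_input() may run with BH enabled; downl is also taken from softirq */` would keep a later cleanup from reverting it. The same applies to the matching `spin_unlock_bh()` in the second hunk, and the function body starts and ends outside both hunks.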
+@@ -2281,7 +2281,7 @@ static bool ppp_channel_bridge_input(struct channel *pch, struct sk_buff *skb)
+ kfree_skb(skb);
+
+ outl:
+- spin_unlock(&pchb->downl);
++ spin_unlock_bh(&pchb->downl);
+ out_rcu:
+ rcu_read_unlock();
+
+--
+2.43.0
+
--- /dev/null
+From 0acd3afea70ca8174fcac1476e928758320df501 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 10:58:28 +0200
+Subject: scsi: pm8001: Do not overwrite PCI queue mapping
+
+From: Daniel Wagner <dwagner@suse.de>
+
+[ Upstream commit a141c17a543332fc1238eb5cba562bfc66879126 ]
+
+blk_mq_pci_map_queues() maps all queues but right after this, we overwrite
+these mappings by calling blk_mq_map_queues(). Just use one helper but not
+both.
+
+Fixes: 42f22fe36d51 ("scsi: pm8001: Expose hardware queues for pm80xx")
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: John Garry <john.g.garry@oracle.com>
+Signed-off-by: Daniel Wagner <dwagner@suse.de>
+Link: https://lore.kernel.org/r/20240912-do-not-overwrite-pci-mapping-v1-1-85724b6cec49@suse.de
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/pm8001/pm8001_init.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/pm8001/pm8001_init.c b/drivers/scsi/pm8001/pm8001_init.c
+index 443a3176c6c0c..c2f6151cbd2d0 100644
+--- a/drivers/scsi/pm8001/pm8001_init.c
++++ b/drivers/scsi/pm8001/pm8001_init.c
+@@ -88,10 +88,12 @@ static void pm8001_map_queues(struct Scsi_Host *shost)
+ struct pm8001_hba_info *pm8001_ha = sha->lldd_ha;
+ struct blk_mq_queue_map *qmap = &shost->tag_set.map[HCTX_TYPE_DEFAULT];
+
+- if (pm8001_ha->number_of_intr > 1)
++ if (pm8001_ha->number_of_intr > 1) {
+ blk_mq_pci_map_queues(qmap, pm8001_ha->pdev, 1);
++ return;
++ }
+
+- return blk_mq_map_queues(qmap);
++ blk_mq_map_queues(qmap);
+ }
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From 7f1a8cefacbda526607d14a3adb116b458385d9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 12:39:21 -0500
+Subject: scsi: st: Fix input/output error on empty drive reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafael Rocha <rrochavi@fnal.gov>
+
+[ Upstream commit 3d882cca73be830549833517ddccb3ac4668c04e ]
+
+A previous change was introduced to prevent data loss during a power-on
+reset when a tape is present inside the drive. This commit set the
+"pos_unknown" flag to true to avoid operations that could compromise data
+by performing actions from an untracked position. The relevant change is
+commit 9604eea5bd3a ("scsi: st: Add third party poweron reset handling")
+
+As a consequence of this change, a new issue has surfaced: the driver now
+returns an "Input/output error" even for empty drives when the drive, host,
+or bus is reset. This issue stems from the "flush_buffer" function, which
+first checks whether the "pos_unknown" flag is set. If the flag is set, the
+user will encounter an "Input/output error" until the tape position is
+known again. This behavior differs from the previous implementation, where
+empty drives were not affected at system start up time, allowing tape
+software to send commands to the driver to retrieve the drive's status and
+other information.
+
+The current behavior prioritizes the "pos_unknown" flag over the
+"ST_NO_TAPE" status, leading to issues for software that detects drives
+during system startup. This software will receive an "Input/output error"
+until a tape is loaded and its position is known.
+
+To resolve this, the "ST_NO_TAPE" status should take priority when the
+drive is empty, allowing communication with the drive following a power-on
+reset. At the same time, the change should continue to protect data by
+maintaining the "pos_unknown" flag when the drive contains a tape and its
+position is unknown.
+
+Signed-off-by: Rafael Rocha <rrochavi@fnal.gov>
+Link: https://lore.kernel.org/r/20240905173921.10944-1-rrochavi@fnal.gov
+Fixes: 9604eea5bd3a ("scsi: st: Add third party poweron reset handling")
+Acked-by: Kai Mäkisara <kai.makisara@kolumbus.fi>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/st.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
+index 338aa8c429682..212a402e75358 100644
+--- a/drivers/scsi/st.c
++++ b/drivers/scsi/st.c
+@@ -835,6 +835,9 @@ static int flush_buffer(struct scsi_tape *STp, int seek_next)
+ int backspace, result;
+ struct st_partstat *STps;
+
++ if (STp->ready != ST_READY)
++ return 0;
++
+ /*
+ * If there was a bus reset, block further access
+ * to this device.
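Review bot: The relocated guard `if (STp->ready != ST_READY) return 0;` is wider than the commit message describes, because it lets every not-ready state skip the `pos_unknown` test, not only ST_NO_TAPE. If a tape is loaded but the drive reports not ready after a reset, flush_buffer() now returns 0 where it previously returned -EIO, which appears to weaken the protection added by 9604eea5bd3a; this needs confirming against the callers, which are outside the hunk. A narrower form would be `if (STp->ready == ST_NO_TAPE) return 0;` ahead of the `pos_unknown` test, with the original `!= ST_READY` check left where the second hunk removes it. Either way the early return deserves a one-line comment saying why it precedes the reset check.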
+@@ -842,8 +845,6 @@ static int flush_buffer(struct scsi_tape *STp, int seek_next)
+ if (STp->pos_unknown)
+ return (-EIO);
+
+- if (STp->ready != ST_READY)
+- return 0;
+ STps = &(STp->ps[STp->partition]);
+ if (STps->rw == ST_WRITING) /* Writing */
+ return st_flush_write_buffer(STp);
+--
+2.43.0
+
--- /dev/null
+From d92669e065621924a3abcdde8d63fd6fb2bdf6ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 16:49:51 -0400
+Subject: sctp: set sk_state back to CLOSED if autobind fails in
+ sctp_listen_start
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 8beee4d8dee76b67c75dc91fd8185d91e845c160 ]
+
+In sctp_listen_start() invoked by sctp_inet_listen(), it should set the
+sk_state back to CLOSED if sctp_autobind() fails due to whatever reason.
+
+Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse
+is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will
+be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash
+is NULL.
+
+ KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617
+ Call Trace:
+ <TASK>
+ __sys_listen_socket net/socket.c:1883 [inline]
+ __sys_listen+0x1b7/0x230 net/socket.c:1894
+ __do_sys_listen net/socket.c:1902 [inline]
+
+Fixes: 5e8f3f703ae4 ("sctp: simplify sctp listening code")
+Reported-by: syzbot+f4e0f821e3a3b7cee51d@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Link: https://patch.msgid.link/a93e655b3c153dc8945d7a812e6d8ab0d52b7aa0.1727729391.git.lucien.xin@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/socket.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 225dfacfd233f..4a1ebe46d045d 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -8551,8 +8551,10 @@ static int sctp_listen_start(struct sock *sk, int backlog)
+ */
+ inet_sk_set_state(sk, SCTP_SS_LISTENING);
+ if (!ep->base.bind_addr.port) {
+- if (sctp_autobind(sk))
++ if (sctp_autobind(sk)) {
++ inet_sk_set_state(sk, SCTP_SS_CLOSED);
+ return -EAGAIN;
++ }
+ } else {
+ if (sctp_get_port(sk, inet_sk(sk)->inet_num)) {
+ inet_sk_set_state(sk, SCTP_SS_CLOSED);
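Review bot: The rollback `inet_sk_set_state(sk, SCTP_SS_CLOSED)` is now written out separately in both bind branches, and the NULL dereference fixed here came from one branch missing it. Because the socket is moved to SCTP_SS_LISTENING before the bind is attempted, every failure exit has to remember the same reset; a shared error label reached from both branches, `err: inet_sk_set_state(sk, SCTP_SS_CLOSED); return ret;`, would make that harder to forget. sctp_listen_start() continues past the end of the hunk, so any later failure exits there should be checked for the same reset.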
+--
+2.43.0
+
--- /dev/null
+From 9be5854a1f11eda008ae47b681b8a91a1c4c102c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2024 18:56:31 +0200
+Subject: selftests: netfilter: Fix nft_audit.sh for newer nft binaries
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 8a89015644513ef69193a037eb966f2d55fe385a ]
+
+As a side-effect of nftables' commit dbff26bfba833 ("cache: consolidate
+reset command"), audit logs changed when more objects were reset than
+fit into a single netlink message.
+
+Since the objects' distribution in netlink messages is not relevant,
+implement a summarizing function which combines repeated audit logs into
+a single one with summed up 'entries=' value.
+
+Fixes: 203bb9d39866 ("selftests: netfilter: Extend nft_audit.sh")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/netfilter/nft_audit.sh | 57 ++++++++++---------
+ 1 file changed, 29 insertions(+), 28 deletions(-)
+
+diff --git a/tools/testing/selftests/netfilter/nft_audit.sh b/tools/testing/selftests/netfilter/nft_audit.sh
+index 99ed5bd6e8402..e4717444d38e7 100755
+--- a/tools/testing/selftests/netfilter/nft_audit.sh
++++ b/tools/testing/selftests/netfilter/nft_audit.sh
+@@ -25,12 +25,31 @@ logread_pid=$!
+ trap 'kill $logread_pid; rm -f $logfile $rulefile' EXIT
+ exec 3<"$logfile"
+
++lsplit='s/^\(.*\) entries=\([^ ]*\) \(.*\)$/pfx="\1"\nval="\2"\nsfx="\3"/'
++summarize_logs() {
++ sum=0
++ while read line; do
++ eval $(sed "$lsplit" <<< "$line")
++ [[ $sum -gt 0 ]] && {
++ [[ "$pfx $sfx" == "$tpfx $tsfx" ]] && {
++ let "sum += val"
++ continue
++ }
++ echo "$tpfx entries=$sum $tsfx"
++ }
++ tpfx="$pfx"
++ tsfx="$sfx"
++ sum=$val
++ done
++ echo "$tpfx entries=$sum $tsfx"
++}
++
+ do_test() { # (cmd, log)
+ echo -n "testing for cmd: $1 ... "
+ cat <&3 >/dev/null
+ $1 >/dev/null || exit 1
+ sleep 0.1
+- res=$(diff -a -u <(echo "$2") - <&3)
++ res=$(diff -a -u <(echo "$2") <(summarize_logs <&3))
+ [ $? -eq 0 ] && { echo "OK"; return; }
+ echo "FAIL"
+ grep -v '^\(---\|+++\|@@\)' <<< "$res"
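Review bot: `eval $(sed "$lsplit" <<< "$line")` in summarize_logs() runs log text through the shell. A line that does not match the `entries=` pattern is passed through by sed unchanged and then executed, and a matching line containing a double quote or `$(` escapes the generated assignments. The script already depends on bash, so the fields can be read from `BASH_REMATCH` without eval, with `read -r` to keep backslashes intact and a numeric-only capture for the value that feeds `let`. Separately, on empty input the trailing echo still prints ` entries=0 `, which would matter if do_test is called with an empty expected log; no such call is visible in these hunks.

```shell
lsplit_re='^(.*) entries=([0-9]+) (.*)$'
summarize_logs() {
	sum=0
	while read -r line; do
		# unmatched lines are printed as-is so the diff in do_test still flags them
		[[ $line =~ $lsplit_re ]] || { echo "$line"; continue; }
		pfx=${BASH_REMATCH[1]}
		val=${BASH_REMATCH[2]}
		sfx=${BASH_REMATCH[3]}
		# … unchanged: grouping on "$pfx $sfx" and summing into $sum …
	done
	# … unchanged: final echo of the last group …
}
```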
+@@ -129,31 +148,17 @@ do_test 'nft reset rules t1 c2' \
+ 'table=t1 family=2 entries=3 op=nft_reset_rule'
+
+ do_test 'nft reset rules table t1' \
+-'table=t1 family=2 entries=3 op=nft_reset_rule
+-table=t1 family=2 entries=3 op=nft_reset_rule
+-table=t1 family=2 entries=3 op=nft_reset_rule'
++'table=t1 family=2 entries=9 op=nft_reset_rule'
+
+ do_test 'nft reset rules t2 c3' \
+-'table=t2 family=2 entries=189 op=nft_reset_rule
+-table=t2 family=2 entries=188 op=nft_reset_rule
+-table=t2 family=2 entries=126 op=nft_reset_rule'
++'table=t2 family=2 entries=503 op=nft_reset_rule'
+
+ do_test 'nft reset rules t2' \
+-'table=t2 family=2 entries=3 op=nft_reset_rule
+-table=t2 family=2 entries=3 op=nft_reset_rule
+-table=t2 family=2 entries=186 op=nft_reset_rule
+-table=t2 family=2 entries=188 op=nft_reset_rule
+-table=t2 family=2 entries=129 op=nft_reset_rule'
++'table=t2 family=2 entries=509 op=nft_reset_rule'
+
+ do_test 'nft reset rules' \
+-'table=t1 family=2 entries=3 op=nft_reset_rule
+-table=t1 family=2 entries=3 op=nft_reset_rule
+-table=t1 family=2 entries=3 op=nft_reset_rule
+-table=t2 family=2 entries=3 op=nft_reset_rule
+-table=t2 family=2 entries=3 op=nft_reset_rule
+-table=t2 family=2 entries=180 op=nft_reset_rule
+-table=t2 family=2 entries=188 op=nft_reset_rule
+-table=t2 family=2 entries=135 op=nft_reset_rule'
++'table=t1 family=2 entries=9 op=nft_reset_rule
++table=t2 family=2 entries=509 op=nft_reset_rule'
+
+ # resetting sets and elements
+
+@@ -177,13 +182,11 @@ do_test 'nft reset counters t1' \
+ 'table=t1 family=2 entries=1 op=nft_reset_obj'
+
+ do_test 'nft reset counters t2' \
+-'table=t2 family=2 entries=342 op=nft_reset_obj
+-table=t2 family=2 entries=158 op=nft_reset_obj'
++'table=t2 family=2 entries=500 op=nft_reset_obj'
+
+ do_test 'nft reset counters' \
+ 'table=t1 family=2 entries=1 op=nft_reset_obj
+-table=t2 family=2 entries=341 op=nft_reset_obj
+-table=t2 family=2 entries=159 op=nft_reset_obj'
++table=t2 family=2 entries=500 op=nft_reset_obj'
+
+ # resetting quotas
+
+@@ -194,13 +197,11 @@ do_test 'nft reset quotas t1' \
+ 'table=t1 family=2 entries=1 op=nft_reset_obj'
+
+ do_test 'nft reset quotas t2' \
+-'table=t2 family=2 entries=315 op=nft_reset_obj
+-table=t2 family=2 entries=185 op=nft_reset_obj'
++'table=t2 family=2 entries=500 op=nft_reset_obj'
+
+ do_test 'nft reset quotas' \
+ 'table=t1 family=2 entries=1 op=nft_reset_obj
+-table=t2 family=2 entries=314 op=nft_reset_obj
+-table=t2 family=2 entries=186 op=nft_reset_obj'
++table=t2 family=2 entries=500 op=nft_reset_obj'
+
+ # deleting rules
+
+--
+2.43.0
+
--- /dev/null
+static_call-handle-module-init-failure-correctly-in-.patch
+static_call-replace-pointless-warn_on-in-static_call.patch
+jump_label-simplify-and-clarify-static_key_fast_inc_.patch
+jump_label-fix-static_key_slow_dec-yet-again.patch
+scsi-st-fix-input-output-error-on-empty-drive-reset.patch
+scsi-pm8001-do-not-overwrite-pci-queue-mapping.patch
+drm-amdgpu-fix-get-each-xcp-macro.patch
+mailbox-rockchip-fix-a-typo-in-module-autoloading.patch
+mailbox-bcm2835-fix-timeout-during-suspend-mode.patch
+ceph-remove-the-incorrect-fw-reference-check-when-di.patch
+ieee802154-fix-build-error.patch
+net-sparx5-fix-invalid-timestamps.patch
+net-mlx5-fix-error-path-in-multi-packet-wqe-transmit.patch
+net-mlx5-added-cond_resched-to-crdump-collection.patch
+net-mlx5e-fix-null-deref-in-mlx5e_tir_builder_alloc.patch
+net-mlx5e-fix-crash-caused-by-calling-__xfrm_state_d.patch
+netfilter-uapi-nfta_flowtable_hook-is-nla_nested.patch
+net-ieee802154-mcr20a-use-irqf_no_autoen-flag-in-req.patch
+net-wwan-qcom_bam_dmux-fix-missing-pm_runtime_disabl.patch
+selftests-netfilter-fix-nft_audit.sh-for-newer-nft-b.patch
+netfilter-nf_tables-prevent-nf_skb_duplicated-corrup.patch
+bluetooth-mgmt-fix-possible-crash-on-mgmt_index_remo.patch
+bluetooth-l2cap-fix-uaf-in-l2cap_connect.patch
+bluetooth-btmrvl-use-irqf_no_autoen-flag-in-request_.patch
+net-add-netif_get_gro_max_size-helper-for-gro.patch
+net-fix-gso_features_check-to-check-for-both-dev-gso.patch
+net-ethernet-lantiq_etop-fix-memory-disclosure.patch
+net-fec-restart-pps-after-link-state-change.patch
+net-fec-reload-ptp-registers-after-link-state-change.patch
+net-avoid-potential-underflow-in-qdisc_pkt_len_init-.patch
+net-add-more-sanity-checks-to-qdisc_pkt_len_init.patch
+net-stmmac-dwmac4-extend-timeout-for-vlan-tag-regist.patch
+ipv4-ip_gre-fix-drops-of-small-packets-in-ipgre_xmit.patch
+net-test-for-not-too-small-csum_start-in-virtio_net_.patch
+ppp-do-not-assume-bh-is-held-in-ppp_channel_bridge_i.patch
+iomap-constrain-the-file-range-passed-to-iomap_file_.patch
+dt-bindings-net-xlnx-axi-ethernet-add-missing-reg-mi.patch
+sctp-set-sk_state-back-to-closed-if-autobind-fails-i.patch
--- /dev/null
+From 88e9d4efe3192efc82ef13fa8e93165f1d3965cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 11:09:07 +0200
+Subject: static_call: Handle module init failure correctly in
+ static_call_del_module()
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 4b30051c4864234ec57290c3d142db7c88f10d8a ]
+
+Module insertion invokes static_call_add_module() to initialize the static
+calls in a module. static_call_add_module() invokes __static_call_init(),
+which allocates a struct static_call_mod to either encapsulate the built-in
+static call sites of the associated key into it so further modules can be
+added or to append the module to the module chain.
+
+If that allocation fails the function returns with an error code and the
+module core invokes static_call_del_module() to clean up eventually added
+static_call_mod entries.
+
+This works correctly, when all keys used by the module were converted over
+to a module chain before the failure. If not then static_call_del_module()
+causes a #GP as it blindly assumes that key::mods points to a valid struct
+static_call_mod.
+
+The problem is that key::mods is not a individual struct member of struct
+static_call_key, it's part of a union to save space:
+
+ union {
+ /* bit 0: 0 = mods, 1 = sites */
+ unsigned long type;
+ struct static_call_mod *mods;
+ struct static_call_site *sites;
+ };
+
+key::sites is a pointer to the list of built-in usage sites of the static
+call. The type of the pointer is differentiated by bit 0. A mods pointer
+has the bit clear, the sites pointer has the bit set.
+
+As static_call_del_module() blidly assumes that the pointer is a valid
+static_call_mod type, it fails to check for this failure case and
+dereferences the pointer to the list of built-in call sites, which is
+obviously bogus.
+
+Cure it by checking whether the key has a sites or a mods pointer.
+
+If it's a sites pointer then the key is not to be touched. As the sites are
+walked in the same order as in __static_call_init() the site walk can be
+terminated because all subsequent sites have not been touched by the init
+code due to the error exit.
+
+If it was converted before the allocation fail, then the inner loop which
+searches for a module match will find nothing.
+
+A fail in the second allocation in __static_call_init() is harmless and
+does not require special treatment. The first allocation succeeded and
+converted the key to a module chain. That first entry has mod::mod == NULL
+and mod::next == NULL, so the inner loop of static_call_del_module() will
+neither find a module match nor a module chain. The next site in the walk
+was either already converted, but can't match the module, or it will exit
+the outer loop because it has a static_call_site pointer and not a
+static_call_mod pointer.
+
+Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure")
+Closes: https://lore.kernel.org/all/20230915082126.4187913-1-ruanjinjie@huawei.com
+Reported-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://lore.kernel.org/r/87zfon6b0s.ffs@tglx
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/static_call_inline.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c
+index 639397b5491ca..7bb0962b52291 100644
+--- a/kernel/static_call_inline.c
++++ b/kernel/static_call_inline.c
+@@ -411,6 +411,17 @@ static void static_call_del_module(struct module *mod)
+
+ for (site = start; site < stop; site++) {
+ key = static_call_key(site);
++
++ /*
++ * If the key was not updated due to a memory allocation
++ * failure in __static_call_init() then treating key::sites
++ * as key::mods in the code below would cause random memory
++ * access and #GP. In that case all subsequent sites have
++ * not been touched either, so stop iterating.
++ */
++ if (!static_call_key_has_mods(key))
++ break;
++
+ if (key == prev_key)
+ continue;
+
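Review bot: The `break` is only safe because static_call_del_module() walks the sites in the same order as __static_call_init(), and the new comment does not say so. The commit message spells out that ordering argument, but a reader of the code sees only that "all subsequent sites have not been touched either". Adding a line such as `* This relies on the sites being walked in the same order as in __static_call_init().` to the comment would keep the invariant next to the code that depends on it. The loop body continues outside the hunk.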
+--
+2.43.0
+
--- /dev/null
+From 637ec4331b457959c90c0c352e2a615ef215c23a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 11:08:28 +0200
+Subject: static_call: Replace pointless WARN_ON() in
+ static_call_module_notify()
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit fe513c2ef0a172a58f158e2e70465c4317f0a9a2 ]
+
+static_call_module_notify() triggers a WARN_ON(), when memory allocation
+fails in __static_call_add_module().
+
+That's not really justified, because the failure case must be correctly
+handled by the well known call chain and the error code is passed
+through to the initiating userspace application.
+
+A memory allocation fail is not a fatal problem, but the WARN_ON() takes
+the machine out when panic_on_warn is set.
+
+Replace it with a pr_warn().
+
+Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/8734mf7pmb.ffs@tglx
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/static_call_inline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c
+index 7bb0962b52291..5259cda486d05 100644
+--- a/kernel/static_call_inline.c
++++ b/kernel/static_call_inline.c
+@@ -453,7 +453,7 @@ static int static_call_module_notify(struct notifier_block *nb,
+ case MODULE_STATE_COMING:
+ ret = static_call_add_module(mod);
+ if (ret) {
+- WARN(1, "Failed to allocate memory for static calls");
++ pr_warn("Failed to allocate memory for static calls\n");
+ static_call_del_module(mod);
+ }
+ break;
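Review bot: The replacement `pr_warn()` still drops `ret`, so the log line asserts an allocation failure whatever error static_call_add_module() actually returned. If that function can fail for any other reason (not visible in this hunk), the message is misleading during triage. Printing the code costs nothing: `pr_warn("Failed to allocate memory for static calls (%d)\n", ret);`. The surrounding switch statement starts and ends outside the hunk.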
+--
+2.43.0
+