--- /dev/null
+From 822e74c050a512da8aa8cee092880e56d1a56220 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2024 22:46:34 +0200
+Subject: ASoC: cs42l51: Fix some error handling paths in cs42l51_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit d221b844ee79823ffc29b7badc4010bdb0960224 ]
+
+If devm_gpiod_get_optional() fails, we need to disable previously enabled
+regulators, as done in the other error handling path of the function.
+
+Also, gpiod_set_value_cansleep(, 1) needs to be called to undo a
+potential gpiod_set_value_cansleep(, 0).
+If the "reset" gpio is not defined, this additional call is just a no-op.
+
+This behavior is the same as the one already in the .remove() function.
+
+Fixes: 11b9cd748e31 ("ASoC: cs42l51: add reset management")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://patch.msgid.link/a5e5f4b9fb03f46abd2c93ed94b5c395972ce0d1.1729975570.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs42l51.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l51.c b/sound/soc/codecs/cs42l51.c
+index 4b026e1c3fe3e..09445db29aa1f 100644
+--- a/sound/soc/codecs/cs42l51.c
++++ b/sound/soc/codecs/cs42l51.c
+@@ -754,8 +754,10 @@ int cs42l51_probe(struct device *dev, struct regmap *regmap)
+
+ cs42l51->reset_gpio = devm_gpiod_get_optional(dev, "reset",
+ GPIOD_OUT_LOW);
+- if (IS_ERR(cs42l51->reset_gpio))
+- return PTR_ERR(cs42l51->reset_gpio);
++ if (IS_ERR(cs42l51->reset_gpio)) {
++ ret = PTR_ERR(cs42l51->reset_gpio);
++ goto error;
++ }
+
+ if (cs42l51->reset_gpio) {
+ dev_dbg(dev, "Release reset gpio\n");
+@@ -787,6 +789,7 @@ int cs42l51_probe(struct device *dev, struct regmap *regmap)
+ return 0;
+
+ error:
++ gpiod_set_value_cansleep(cs42l51->reset_gpio, 1);
+ regulator_bulk_disable(ARRAY_SIZE(cs42l51->supplies),
+ cs42l51->supplies);
+ return ret;
+--
+2.43.0
+
--- /dev/null
+From a6d20a7d82be3a98e8fa4cc3f1f5d36820746abf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Oct 2024 14:02:43 +0900
+Subject: bpf: Fix out-of-bounds write in trie_get_next_key()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Byeonguk Jeong <jungbu2855@gmail.com>
+
+[ Upstream commit 13400ac8fb80c57c2bfb12ebd35ee121ce9b4d21 ]
+
+trie_get_next_key() allocates a node stack with size trie->max_prefixlen,
+while it writes (trie->max_prefixlen + 1) nodes to the stack when it has
+full paths from the root to leaves. For example, consider a trie with
+max_prefixlen is 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ...
+0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with
+.prefixlen = 8 make 9 nodes be written on the node stack with size 8.
+
+Fixes: b471f2f1de8b ("bpf: implement MAP_GET_NEXT_KEY command for LPM_TRIE map")
+Signed-off-by: Byeonguk Jeong <jungbu2855@gmail.com>
+Reviewed-by: Toke Høiland-Jørgensen <toke@kernel.org>
+Tested-by: Hou Tao <houtao1@huawei.com>
+Acked-by: Hou Tao <houtao1@huawei.com>
+Link: https://lore.kernel.org/r/Zxx384ZfdlFYnz6J@localhost.localdomain
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/lpm_trie.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c
+index 4ea7fb0ca1ad4..6b2bf71f8de4b 100644
+--- a/kernel/bpf/lpm_trie.c
++++ b/kernel/bpf/lpm_trie.c
+@@ -644,7 +644,7 @@ static int trie_get_next_key(struct bpf_map *map, void *_key, void *_next_key)
+ if (!key || key->prefixlen > trie->max_prefixlen)
+ goto find_leftmost;
+
+- node_stack = kmalloc_array(trie->max_prefixlen,
++ node_stack = kmalloc_array(trie->max_prefixlen + 1,
+ sizeof(struct lpm_trie_node *),
+ GFP_ATOMIC | __GFP_NOWARN);
+ if (!node_stack)
+--
+2.43.0
+
--- /dev/null
+From a73bd03c415a468e11b3c7a462a23e237d41f57d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Oct 2024 16:48:25 +0200
+Subject: gtp: allow -1 to be specified as file description from userspace
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 7515e37bce5c428a56a9b04ea7e96b3f53f17150 ]
+
+Existing user space applications maintained by the Osmocom project are
+breaking since a recent fix that addresses incorrect error checking.
+
+Restore operation for user space programs that specify -1 as file
+descriptor to skip GTPv0 or GTPv1 only sockets.
+
+Fixes: defd8b3c37b0 ("gtp: fix a potential NULL pointer dereference")
+Reported-by: Pau Espin Pedrol <pespin@sysmocom.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Tested-by: Oliver Smith <osmith@sysmocom.de>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241022144825.66740-1-pablo@netfilter.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index 40c94df382e54..2509d7bccb2b3 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -858,20 +858,24 @@ static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[])
+ unsigned int role = GTP_ROLE_GGSN;
+
+ if (data[IFLA_GTP_FD0]) {
+- u32 fd0 = nla_get_u32(data[IFLA_GTP_FD0]);
++ int fd0 = nla_get_u32(data[IFLA_GTP_FD0]);
+
+- sk0 = gtp_encap_enable_socket(fd0, UDP_ENCAP_GTP0, gtp);
+- if (IS_ERR(sk0))
+- return PTR_ERR(sk0);
++ if (fd0 >= 0) {
++ sk0 = gtp_encap_enable_socket(fd0, UDP_ENCAP_GTP0, gtp);
++ if (IS_ERR(sk0))
++ return PTR_ERR(sk0);
++ }
+ }
+
+ if (data[IFLA_GTP_FD1]) {
+- u32 fd1 = nla_get_u32(data[IFLA_GTP_FD1]);
++ int fd1 = nla_get_u32(data[IFLA_GTP_FD1]);
+
+- sk1u = gtp_encap_enable_socket(fd1, UDP_ENCAP_GTP1U, gtp);
+- if (IS_ERR(sk1u)) {
+- gtp_encap_disable_sock(sk0);
+- return PTR_ERR(sk1u);
++ if (fd1 >= 0) {
++ sk1u = gtp_encap_enable_socket(fd1, UDP_ENCAP_GTP1U, gtp);
++ if (IS_ERR(sk1u)) {
++ gtp_encap_disable_sock(sk0);
++ return PTR_ERR(sk1u);
++ }
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 9d7a1ed92d47919a56125b16e6420298f02a11d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2024 16:26:24 -0700
+Subject: igb: Disable threaded IRQ for igb_msix_other
+
+From: Wander Lairson Costa <wander@redhat.com>
+
+[ Upstream commit 338c4d3902feb5be49bfda530a72c7ab860e2c9f ]
+
+During testing of SR-IOV, Red Hat QE encountered an issue where the
+ip link up command intermittently fails for the igbvf interfaces when
+using the PREEMPT_RT variant. Investigation revealed that
+e1000_write_posted_mbx returns an error due to the lack of an ACK
+from e1000_poll_for_ack.
+
+The underlying issue arises from the fact that IRQs are threaded by
+default under PREEMPT_RT. While the exact hardware details are not
+available, it appears that the IRQ handled by igb_msix_other must
+be processed before e1000_poll_for_ack times out. However,
+e1000_write_posted_mbx is called with preemption disabled, leading
+to a scenario where the IRQ is serviced only after the failure of
+e1000_write_posted_mbx.
+
+To resolve this, we set IRQF_NO_THREAD for the affected interrupt,
+ensuring that the kernel handles it immediately, thereby preventing
+the aforementioned error.
+
+Reproducer:
+
+ #!/bin/bash
+
+ # echo 2 > /sys/class/net/ens14f0/device/sriov_numvfs
+ ipaddr_vlan=3
+ nic_test=ens14f0
+ vf=${nic_test}v0
+
+ while true; do
+ ip link set ${nic_test} mtu 1500
+ ip link set ${vf} mtu 1500
+ ip link set $vf up
+ ip link set ${nic_test} vf 0 vlan ${ipaddr_vlan}
+ ip addr add 172.30.${ipaddr_vlan}.1/24 dev ${vf}
+ ip addr add 2021:db8:${ipaddr_vlan}::1/64 dev ${vf}
+ if ! ip link show $vf | grep 'state UP'; then
+ echo 'Error found'
+ break
+ fi
+ ip link set $vf down
+ done
+
+Signed-off-by: Wander Lairson Costa <wander@redhat.com>
+Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver")
+Reported-by: Yuying Ma <yuma@redhat.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index f3a433b4c7cdb..7b4d04d33154a 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -937,7 +937,7 @@ static int igb_request_msix(struct igb_adapter *adapter)
+ int i, err = 0, vector = 0, free_vector = 0;
+
+ err = request_irq(adapter->msix_entries[vector].vector,
+- igb_msix_other, 0, netdev->name, adapter);
++ igb_msix_other, IRQF_NO_THREAD, netdev->name, adapter);
+ if (err)
+ goto err_out;
+
+--
+2.43.0
+
--- /dev/null
+From bbbbb1f38918a8f2ab98b7e6794fef4d60b77dc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Oct 2024 09:38:22 +0300
+Subject: ipv4: ip_tunnel: Fix suspicious RCU usage warning in
+ ip_tunnel_init_flow()
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit ad4a3ca6a8e886f6491910a3ae5d53595e40597d ]
+
+There are code paths from which the function is called without holding
+the RCU read lock, resulting in a suspicious RCU usage warning [1].
+
+Fix by using l3mdev_master_upper_ifindex_by_index() which will acquire
+the RCU read lock before calling
+l3mdev_master_upper_ifindex_by_index_rcu().
+
+[1]
+WARNING: suspicious RCU usage
+6.12.0-rc3-custom-gac8f72681cf2 #141 Not tainted
+-----------------------------
+net/core/dev.c:876 RCU-list traversed in non-reader section!!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by ip/361:
+ #0: ffffffff86fc7cb0 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x377/0xf60
+
+stack backtrace:
+CPU: 3 UID: 0 PID: 361 Comm: ip Not tainted 6.12.0-rc3-custom-gac8f72681cf2 #141
+Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0xba/0x110
+ lockdep_rcu_suspicious.cold+0x4f/0xd6
+ dev_get_by_index_rcu+0x1d3/0x210
+ l3mdev_master_upper_ifindex_by_index_rcu+0x2b/0xf0
+ ip_tunnel_bind_dev+0x72f/0xa00
+ ip_tunnel_newlink+0x368/0x7a0
+ ipgre_newlink+0x14c/0x170
+ __rtnl_newlink+0x1173/0x19c0
+ rtnl_newlink+0x6c/0xa0
+ rtnetlink_rcv_msg+0x3cc/0xf60
+ netlink_rcv_skb+0x171/0x450
+ netlink_unicast+0x539/0x7f0
+ netlink_sendmsg+0x8c1/0xd80
+ ____sys_sendmsg+0x8f9/0xc20
+ ___sys_sendmsg+0x197/0x1e0
+ __sys_sendmsg+0x122/0x1f0
+ do_syscall_64+0xbb/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: db53cd3d88dc ("net: Handle l3mdev in ip_tunnel_init_flow")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20241022063822.462057-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip_tunnels.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
+index 0a0de98c0b7f2..d8b9942f1afd9 100644
+--- a/include/net/ip_tunnels.h
++++ b/include/net/ip_tunnels.h
+@@ -247,7 +247,7 @@ static inline void ip_tunnel_init_flow(struct flowi4 *fl4,
+ memset(fl4, 0, sizeof(*fl4));
+
+ if (oif) {
+- fl4->flowi4_l3mdev = l3mdev_master_upper_ifindex_by_index_rcu(net, oif);
++ fl4->flowi4_l3mdev = l3mdev_master_upper_ifindex_by_index(net, oif);
+ /* Legacy VRF/l3mdev use case */
+ fl4->flowi4_oif = fl4->flowi4_l3mdev ? 0 : oif;
+ }
+--
+2.43.0
+
--- /dev/null
+From 1ae24f15416046c669bbf8097aadbdc132f1a29f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Mar 2022 17:23:24 +0530
+Subject: mac80211: Add support to trigger sta disconnect on hardware restart
+
+From: Youghandhar Chintala <youghand@codeaurora.org>
+
+[ Upstream commit 7d352ccf1e9935b5222ca84e8baeb07a0c8f94b9 ]
+
+Currently in case of target hardware restart, we just reconfig and
+re-enable the security keys and enable the network queues to start
+data traffic back from where it was interrupted.
+
+Many ath10k wifi chipsets have sequence numbers for the data
+packets assigned by firmware and the mac sequence number will
+restart from zero after target hardware restart leading to mismatch
+in the sequence number expected by the remote peer vs the sequence
+number of the frame sent by the target firmware.
+
+This mismatch in sequence number will cause out-of-order packets
+on the remote peer and all the frames sent by the device are dropped
+until we reach the sequence number which was sent before we restarted
+the target hardware
+
+In order to fix this, we trigger a sta disconnect, in case of target
+hw restart. After this there will be a fresh connection and thereby
+avoiding the dropping of frames by remote peer.
+
+The right fix would be to pull the entire data path into the host
+which is not feasible or would need lots of complex changes and
+will still be inefficient.
+
+Tested on ath10k using WCN3990, QCA6174
+
+Signed-off-by: Youghandhar Chintala <youghand@codeaurora.org>
+Link: https://lore.kernel.org/r/20220308115325.5246-2-youghand@codeaurora.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: 07a6e3b78a65 ("wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/mac80211.h | 10 ++++++++++
+ net/mac80211/ieee80211_i.h | 3 +++
+ net/mac80211/mlme.c | 12 ++++++++++++
+ net/mac80211/util.c | 33 ++++++++++++++++++++++++++++++---
+ 4 files changed, 55 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/mac80211.h b/include/net/mac80211.h
+index 618d1f427cb27..c713edfbe2b65 100644
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -6009,6 +6009,16 @@ void ieee80211_disconnect(struct ieee80211_vif *vif, bool reconnect);
+ */
+ void ieee80211_resume_disconnect(struct ieee80211_vif *vif);
+
++/**
++ * ieee80211_hw_restart_disconnect - disconnect from AP after
++ * hardware restart
++ * @vif: &struct ieee80211_vif pointer from the add_interface callback.
++ *
++ * Instructs mac80211 to disconnect from the AP after
++ * hardware restart.
++ */
++void ieee80211_hw_restart_disconnect(struct ieee80211_vif *vif);
++
+ /**
+ * ieee80211_cqm_rssi_notify - inform a configured connection quality monitoring
+ * rssi threshold triggered
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index 03c238e68038b..3b5350cfc0eec 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -765,6 +765,8 @@ struct ieee80211_if_mesh {
+ * back to wireless media and to the local net stack.
+ * @IEEE80211_SDATA_DISCONNECT_RESUME: Disconnect after resume.
+ * @IEEE80211_SDATA_IN_DRIVER: indicates interface was added to driver
++ * @IEEE80211_SDATA_DISCONNECT_HW_RESTART: Disconnect after hardware restart
++ * recovery
+ */
+ enum ieee80211_sub_if_data_flags {
+ IEEE80211_SDATA_ALLMULTI = BIT(0),
+@@ -772,6 +774,7 @@ enum ieee80211_sub_if_data_flags {
+ IEEE80211_SDATA_DONT_BRIDGE_PACKETS = BIT(3),
+ IEEE80211_SDATA_DISCONNECT_RESUME = BIT(4),
+ IEEE80211_SDATA_IN_DRIVER = BIT(5),
++ IEEE80211_SDATA_DISCONNECT_HW_RESTART = BIT(6),
+ };
+
+ /**
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 5da0c2a2e293e..29c136abaee26 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -4853,6 +4853,18 @@ void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata)
+ sdata_unlock(sdata);
+ return;
+ }
++
++ if (sdata->flags & IEEE80211_SDATA_DISCONNECT_HW_RESTART) {
++ sdata->flags &= ~IEEE80211_SDATA_DISCONNECT_HW_RESTART;
++ mlme_dbg(sdata, "driver requested disconnect after hardware restart\n");
++ ieee80211_sta_connection_lost(sdata,
++ ifmgd->associated->bssid,
++ WLAN_REASON_UNSPECIFIED,
++ true);
++ sdata_unlock(sdata);
++ return;
++ }
++
+ sdata_unlock(sdata);
+ }
+ #endif
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index 28676a305916c..85d3d2034d437 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -2313,6 +2313,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
+ struct cfg80211_sched_scan_request *sched_scan_req;
+ bool sched_scan_stopped = false;
+ bool suspended = local->suspended;
++ bool in_reconfig = false;
+
+ /* nothing to do if HW shouldn't run */
+ if (!local->open_count)
+@@ -2664,6 +2665,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
+ drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_RESTART);
+
+ if (local->in_reconfig) {
++ in_reconfig = local->in_reconfig;
+ local->in_reconfig = false;
+ barrier();
+
+@@ -2681,6 +2683,15 @@ int ieee80211_reconfig(struct ieee80211_local *local)
+ IEEE80211_QUEUE_STOP_REASON_SUSPEND,
+ false);
+
++ if (in_reconfig) {
++ list_for_each_entry(sdata, &local->interfaces, list) {
++ if (!ieee80211_sdata_running(sdata))
++ continue;
++ if (sdata->vif.type == NL80211_IFTYPE_STATION)
++ ieee80211_sta_restart(sdata);
++ }
++ }
++
+ if (!suspended)
+ return 0;
+
+@@ -2710,7 +2721,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
+ return 0;
+ }
+
+-void ieee80211_resume_disconnect(struct ieee80211_vif *vif)
++static void ieee80211_reconfig_disconnect(struct ieee80211_vif *vif, u8 flag)
+ {
+ struct ieee80211_sub_if_data *sdata;
+ struct ieee80211_local *local;
+@@ -2722,19 +2733,35 @@ void ieee80211_resume_disconnect(struct ieee80211_vif *vif)
+ sdata = vif_to_sdata(vif);
+ local = sdata->local;
+
+- if (WARN_ON(!local->resuming))
++ if (WARN_ON(flag & IEEE80211_SDATA_DISCONNECT_RESUME &&
++ !local->resuming))
++ return;
++
++ if (WARN_ON(flag & IEEE80211_SDATA_DISCONNECT_HW_RESTART &&
++ !local->in_reconfig))
+ return;
+
+ if (WARN_ON(vif->type != NL80211_IFTYPE_STATION))
+ return;
+
+- sdata->flags |= IEEE80211_SDATA_DISCONNECT_RESUME;
++ sdata->flags |= flag;
+
+ mutex_lock(&local->key_mtx);
+ list_for_each_entry(key, &sdata->key_list, list)
+ key->flags |= KEY_FLAG_TAINTED;
+ mutex_unlock(&local->key_mtx);
+ }
++
++void ieee80211_hw_restart_disconnect(struct ieee80211_vif *vif)
++{
++ ieee80211_reconfig_disconnect(vif, IEEE80211_SDATA_DISCONNECT_HW_RESTART);
++}
++EXPORT_SYMBOL_GPL(ieee80211_hw_restart_disconnect);
++
++void ieee80211_resume_disconnect(struct ieee80211_vif *vif)
++{
++ ieee80211_reconfig_disconnect(vif, IEEE80211_SDATA_DISCONNECT_RESUME);
++}
+ EXPORT_SYMBOL_GPL(ieee80211_resume_disconnect);
+
+ void ieee80211_recalc_smps(struct ieee80211_sub_if_data *sdata)
+--
+2.43.0
+
--- /dev/null
+From b4a0b9c92d5c037d027e5297451819d94b6f6896 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 15:32:40 +0200
+Subject: mac80211: do drv_reconfig_complete() before restarting all
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 13dee10b30c058ee2c58c5da00339cc0d4201aa6 ]
+
+When we reconfigure, the driver might do some things to complete
+the reconfiguration. It's strange and could be broken in some
+cases because we restart other works (e.g. remain-on-channel and
+TX) before this happens, yet only start queues later.
+
+Change this to do the reconfig complete when reconfiguration is
+actually complete, not when we've already started doing other
+things again.
+
+For iwlwifi, this should fix a race where the reconfig can race
+with TX, for ath10k and ath11k that also use this it won't make
+a difference because they just start queues there, and mac80211
+also stopped the queues and will restart them later as before.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211129152938.cab99f22fe19.Iefe494687f15fd85f77c1b989d1149c8efdfdc36@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: 07a6e3b78a65 ("wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/util.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/net/mac80211/util.c b/net/mac80211/util.c
+index ef7b6d88ee00c..28676a305916c 100644
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -2656,6 +2656,13 @@ int ieee80211_reconfig(struct ieee80211_local *local)
+ mutex_unlock(&local->sta_mtx);
+ }
+
++ /*
++ * If this is for hw restart things are still running.
++ * We may want to change that later, however.
++ */
++ if (local->open_count && (!suspended || reconfig_due_to_wowlan))
++ drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_RESTART);
++
+ if (local->in_reconfig) {
+ local->in_reconfig = false;
+ barrier();
+@@ -2674,13 +2681,6 @@ int ieee80211_reconfig(struct ieee80211_local *local)
+ IEEE80211_QUEUE_STOP_REASON_SUSPEND,
+ false);
+
+- /*
+- * If this is for hw restart things are still running.
+- * We may want to change that later, however.
+- */
+- if (local->open_count && (!suspended || reconfig_due_to_wowlan))
+- drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_RESTART);
+-
+ if (!suspended)
+ return 0;
+
+--
+2.43.0
+
--- /dev/null
+From 431120bb3213e838e5ab816d737e065212995072 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2024 14:08:57 +0200
+Subject: mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit b3e046c31441d182b954fc2f57b2dc38c71ad4bc ]
+
+When tracing is disabled, there is no point in asking the user about
+enabling tracing of all mac80211 debug messages.
+
+Fixes: 3fae0273168026ed ("mac80211: trace debug messages")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://patch.msgid.link/85bbe38ce0df13350f45714e2dc288cc70947a19.1727179690.git.geert@linux-m68k.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/Kconfig b/net/mac80211/Kconfig
+index 51ec8256b7fa9..8278221a36a1d 100644
+--- a/net/mac80211/Kconfig
++++ b/net/mac80211/Kconfig
+@@ -86,7 +86,7 @@ config MAC80211_DEBUGFS
+
+ config MAC80211_MESSAGE_TRACING
+ bool "Trace all mac80211 debug messages"
+- depends on MAC80211
++ depends on MAC80211 && TRACING
+ help
+ Select this option to have mac80211 register the
+ mac80211_msg trace subsystem with tracepoints to
+--
+2.43.0
+
--- /dev/null
+From 4ba73f7a48e53564e867ee42410fd069f78032fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 17:29:38 +0800
+Subject: net: hns3: fix kernel crash when 1588 is sent on HIP08 devices
+
+From: Jie Wang <wangjie125@huawei.com>
+
+[ Upstream commit 2cf246143519ecc11dab754385ec42d78b6b6a05 ]
+
+Currently, HIP08 devices does not register the ptp devices, so the
+hdev->ptp is NULL. But the tx process would still try to set hardware time
+stamp info with SKBTX_HW_TSTAMP flag and cause a kernel crash.
+
+[ 128.087798] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
+...
+[ 128.280251] pc : hclge_ptp_set_tx_info+0x2c/0x140 [hclge]
+[ 128.286600] lr : hclge_ptp_set_tx_info+0x20/0x140 [hclge]
+[ 128.292938] sp : ffff800059b93140
+[ 128.297200] x29: ffff800059b93140 x28: 0000000000003280
+[ 128.303455] x27: ffff800020d48280 x26: ffff0cb9dc814080
+[ 128.309715] x25: ffff0cb9cde93fa0 x24: 0000000000000001
+[ 128.315969] x23: 0000000000000000 x22: 0000000000000194
+[ 128.322219] x21: ffff0cd94f986000 x20: 0000000000000000
+[ 128.328462] x19: ffff0cb9d2a166c0 x18: 0000000000000000
+[ 128.334698] x17: 0000000000000000 x16: ffffcf1fc523ed24
+[ 128.340934] x15: 0000ffffd530a518 x14: 0000000000000000
+[ 128.347162] x13: ffff0cd6bdb31310 x12: 0000000000000368
+[ 128.353388] x11: ffff0cb9cfbc7070 x10: ffff2cf55dd11e02
+[ 128.359606] x9 : ffffcf1f85a212b4 x8 : ffff0cd7cf27dab0
+[ 128.365831] x7 : 0000000000000a20 x6 : ffff0cd7cf27d000
+[ 128.372040] x5 : 0000000000000000 x4 : 000000000000ffff
+[ 128.378243] x3 : 0000000000000400 x2 : ffffcf1f85a21294
+[ 128.384437] x1 : ffff0cb9db520080 x0 : ffff0cb9db500080
+[ 128.390626] Call trace:
+[ 128.393964] hclge_ptp_set_tx_info+0x2c/0x140 [hclge]
+[ 128.399893] hns3_nic_net_xmit+0x39c/0x4c4 [hns3]
+[ 128.405468] xmit_one.constprop.0+0xc4/0x200
+[ 128.410600] dev_hard_start_xmit+0x54/0xf0
+[ 128.415556] sch_direct_xmit+0xe8/0x634
+[ 128.420246] __dev_queue_xmit+0x224/0xc70
+[ 128.425101] dev_queue_xmit+0x1c/0x40
+[ 128.429608] ovs_vport_send+0xac/0x1a0 [openvswitch]
+[ 128.435409] do_output+0x60/0x17c [openvswitch]
+[ 128.440770] do_execute_actions+0x898/0x8c4 [openvswitch]
+[ 128.446993] ovs_execute_actions+0x64/0xf0 [openvswitch]
+[ 128.453129] ovs_dp_process_packet+0xa0/0x224 [openvswitch]
+[ 128.459530] ovs_vport_receive+0x7c/0xfc [openvswitch]
+[ 128.465497] internal_dev_xmit+0x34/0xb0 [openvswitch]
+[ 128.471460] xmit_one.constprop.0+0xc4/0x200
+[ 128.476561] dev_hard_start_xmit+0x54/0xf0
+[ 128.481489] __dev_queue_xmit+0x968/0xc70
+[ 128.486330] dev_queue_xmit+0x1c/0x40
+[ 128.490856] ip_finish_output2+0x250/0x570
+[ 128.495810] __ip_finish_output+0x170/0x1e0
+[ 128.500832] ip_finish_output+0x3c/0xf0
+[ 128.505504] ip_output+0xbc/0x160
+[ 128.509654] ip_send_skb+0x58/0xd4
+[ 128.513892] udp_send_skb+0x12c/0x354
+[ 128.518387] udp_sendmsg+0x7a8/0x9c0
+[ 128.522793] inet_sendmsg+0x4c/0x8c
+[ 128.527116] __sock_sendmsg+0x48/0x80
+[ 128.531609] __sys_sendto+0x124/0x164
+[ 128.536099] __arm64_sys_sendto+0x30/0x5c
+[ 128.540935] invoke_syscall+0x50/0x130
+[ 128.545508] el0_svc_common.constprop.0+0x10c/0x124
+[ 128.551205] do_el0_svc+0x34/0xdc
+[ 128.555347] el0_svc+0x20/0x30
+[ 128.559227] el0_sync_handler+0xb8/0xc0
+[ 128.563883] el0_sync+0x160/0x180
+
+Fixes: 0bf5eb788512 ("net: hns3: add support for PTP")
+Signed-off-by: Jie Wang <wangjie125@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c
+index 0f06f95b09bc2..8802cdd6403ed 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c
+@@ -70,6 +70,9 @@ bool hclge_ptp_set_tx_info(struct hnae3_handle *handle, struct sk_buff *skb)
+ struct hclge_dev *hdev = vport->back;
+ struct hclge_ptp *ptp = hdev->ptp;
+
++ if (!ptp)
++ return false;
++
+ if (!test_bit(HCLGE_PTP_FLAG_TX_EN, &ptp->flags) ||
+ test_and_set_bit(HCLGE_STATE_PTP_TX_HANDLING, &hdev->state)) {
+ ptp->tx_skipped++;
+--
+2.43.0
+
--- /dev/null
+From 7fb7b6de9d6d967efe5ce4b8c3ee1c58219ab0e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 17:29:33 +0800
+Subject: net: hns3: fix missing features due to dev->features configuration
+ too early
+
+From: Hao Lan <lanhao@huawei.com>
+
+[ Upstream commit 662ecfc46690e92cf630f51b5d4bbbcffe102980 ]
+
+Currently, the netdev->features is configured in hns3_nic_set_features.
+As a result, __netdev_update_features considers that there is no feature
+difference, and the procedures of the real features are missing.
+
+Fixes: 2a7556bb2b73 ("net: hns3: implement ndo_features_check ops for hns3 driver")
+Signed-off-by: Hao Lan <lanhao@huawei.com>
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index d6bdcd9f285b0..f277ba8a15094 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -2314,7 +2314,6 @@ static int hns3_nic_set_features(struct net_device *netdev,
+ return ret;
+ }
+
+- netdev->features = features;
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From a5698ef1a3ab2e4f5c290f2d667d4331e2de9fe7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 17:29:36 +0800
+Subject: net: hns3: initialize reset_timer before hclgevf_misc_irq_init()
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit d1c2e2961ab460ac2433ff8ad46000582abc573c ]
+
+Currently the misc irq is initialized before reset_timer setup. But
+it will access the reset_timer in the irq handler. So initialize
+the reset_timer earlier.
+
+Fixes: ff200099d271 ("net: hns3: remove unnecessary work in hclgevf_main")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index 5b861a2a3e73e..b011df3a684f0 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -2793,6 +2793,7 @@ static void hclgevf_state_init(struct hclgevf_dev *hdev)
+ clear_bit(HCLGEVF_STATE_RST_FAIL, &hdev->state);
+
+ INIT_DELAYED_WORK(&hdev->service_task, hclgevf_service_task);
++ timer_setup(&hdev->reset_timer, hclgevf_reset_timer, 0);
+
+ mutex_init(&hdev->mbx_resp.mbx_mutex);
+ sema_init(&hdev->reset_sem, 1);
+@@ -3488,7 +3489,6 @@ static int hclgevf_init_hdev(struct hclgevf_dev *hdev)
+ HCLGEVF_DRIVER_NAME);
+
+ hclgevf_task_schedule(hdev, round_jiffies_relative(HZ));
+- timer_setup(&hdev->reset_timer, hclgevf_reset_timer, 0);
+
+ return 0;
+
+--
+2.43.0
+
--- /dev/null
+From e3025a942d034818d78d55d1ef1f86fe262e02cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 17:29:34 +0800
+Subject: net: hns3: Resolved the issue that the debugfs query result is
+ inconsistent.
+
+From: Hao Lan <lanhao@huawei.com>
+
+[ Upstream commit 2758f18a83ef283d50c0566d3f672621cc658a1a ]
+
+This patch modifies the implementation of debugfs:
+When the user process stops unexpectedly, not all data of the file system
+is read. In this case, the save_buf pointer is not released. When the user
+process is called next time, save_buf is used to copy the cached data
+to the user space. As a result, the queried data is inconsistent. To solve
+this problem, determine whether the function is invoked for the first time
+based on the value of *ppos. If *ppos is 0, obtain the actual data.
+
+Fixes: 5e69ea7ee2a6 ("net: hns3: refactor the debugfs process")
+Signed-off-by: Hao Lan <lanhao@huawei.com>
+Signed-off-by: Guangwei Zhang <zhangwangwei6@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
+index bd801e35d51ea..b4580c02ff539 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
+@@ -1043,8 +1043,10 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer,
+
+ /* save the buffer addr until the last read operation */
+ *save_buf = read_buf;
++ }
+
+- /* get data ready for the first time to read */
++ /* get data ready for the first time to read */
++ if (!*ppos) {
+ ret = hns3_dbg_read_cmd(dbg_data, hns3_dbg_cmd[index].cmd,
+ read_buf, hns3_dbg_cmd[index].buf_len);
+ if (ret)
+--
+2.43.0
+
--- /dev/null
+From 9f65e8d4239d1f6400af4990927197ccde985680 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 12:55:47 -0400
+Subject: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
+
+From: Pedro Tammela <pctammela@mojatatu.com>
+
+[ Upstream commit 2e95c4384438adeaa772caa560244b1a2efef816 ]
+
+In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed
+to be either root or ingress. This assumption is bogus since it's valid
+to create egress qdiscs with major handle ffff:
+Budimir Markovic found that for qdiscs like DRR that maintain an active
+class list, it will cause a UAF with a dangling class pointer.
+
+In 066a3b5b2346, the concern was to avoid iterating over the ingress
+qdisc since its parent is itself. The proper fix is to stop when parent
+TC_H_ROOT is reached because the only way to retrieve ingress is when a
+hierarchy which does not contain a ffff: major handle call into
+qdisc_lookup with TC_H_MAJ(TC_H_ROOT).
+
+In the scenario where major ffff: is an egress qdisc in any of the tree
+levels, the updates will also propagate to TC_H_ROOT, which then the
+iteration must stop.
+
+Fixes: 066a3b5b2346 ("[NET_SCHED] sch_api: fix qdisc_tree_decrease_qlen() loop")
+Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
+Suggested-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Tested-by: Victor Nogueira <victor@mojatatu.com>
+Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+
+ net/sched/sch_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+Reviewed-by: Simon Horman <horms@kernel.org>
+
+Link: https://patch.msgid.link/20241024165547.418570-1-jhs@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index 724bfeccc6e7f..bf8af9f3f3dce 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -780,7 +780,7 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len)
+ drops = max_t(int, n, 0);
+ rcu_read_lock();
+ while ((parentid = sch->parent)) {
+- if (TC_H_MAJ(parentid) == TC_H_MAJ(TC_H_INGRESS))
++ if (parentid == TC_H_ROOT)
+ break;
+
+ if (sch->flags & TCQ_F_NOPARENT)
+--
+2.43.0
+
--- /dev/null
+From 98b4fae1d316c19b87e3cb5278458532eb4999ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 16:01:54 +0200
+Subject: net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains
+ extension
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benoît Monin <benoit.monin@gmx.fr>
+
+[ Upstream commit 04c20a9356f283da623903e81e7c6d5df7e4dc3c ]
+
+As documented in skbuff.h, devices with NETIF_F_IPV6_CSUM capability
+can only checksum TCP and UDP over IPv6 if the IP header does not
+contains extension.
+
+This is enforced for UDP packets emitted from user-space to an IPv6
+address as they go through ip6_make_skb(), which calls
+__ip6_append_data() where a check is done on the header size before
+setting CHECKSUM_PARTIAL.
+
+But the introduction of UDP encapsulation with fou6 added a code-path
+where it is possible to get an skb with a partial UDP checksum and an
+IPv6 header with extension:
+* fou6 adds a UDP header with a partial checksum if the inner packet
+does not contains a valid checksum.
+* ip6_tunnel adds an IPv6 header with a destination option extension
+header if encap_limit is non-zero (the default value is 4).
+
+The thread linked below describes in more details how to reproduce the
+problem with GRE-in-UDP tunnel.
+
+Add a check on the network header size in skb_csum_hwoffload_help() to
+make sure no IPv6 packet with extension header is handed to a network
+device with NETIF_F_IPV6_CSUM capability.
+
+Link: https://lore.kernel.org/netdev/26548921.1r3eYUQgxm@benoit.monin/T/#u
+Fixes: aa3463d65e7b ("fou: Add encap ops for IPv6 tunnels")
+Signed-off-by: Benoît Monin <benoit.monin@gmx.fr>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/5fbeecfc311ea182aa1d1c771725ab8b4cac515e.1729778144.git.benoit.monin@gmx.fr
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 8a22ce15b7f53..15ed4a79be46f 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3668,6 +3668,9 @@ int skb_csum_hwoffload_help(struct sk_buff *skb,
+ return 0;
+
+ if (features & (NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM)) {
++ if (vlan_get_protocol(skb) == htons(ETH_P_IPV6) &&
++ skb_network_header_len(skb) != sizeof(struct ipv6hdr))
++ goto sw_checksum;
+ switch (skb->csum_offset) {
+ case offsetof(struct tcphdr, check):
+ case offsetof(struct udphdr, check):
+@@ -3675,6 +3678,7 @@ int skb_csum_hwoffload_help(struct sk_buff *skb,
+ }
+ }
+
++sw_checksum:
+ return skb_checksum_help(skb);
+ }
+ EXPORT_SYMBOL(skb_csum_hwoffload_help);
+--
+2.43.0
+
--- /dev/null
+From 45eb433993aff727af88737784eed886ab809f1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2024 14:10:23 +0800
+Subject: net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data
+
+From: Furong Xu <0x1207@gmail.com>
+
+[ Upstream commit 66600fac7a984dea4ae095411f644770b2561ede ]
+
+In case the non-paged data of a SKB carries protocol header and protocol
+payload to be transmitted on a certain platform that the DMA AXI address
+width is configured to 40-bit/48-bit, or the size of the non-paged data
+is bigger than TSO_MAX_BUFF_SIZE on a certain platform that the DMA AXI
+address width is configured to 32-bit, then this SKB requires at least
+two DMA transmit descriptors to serve it.
+
+For example, three descriptors are allocated to split one DMA buffer
+mapped from one piece of non-paged data:
+ dma_desc[N + 0],
+ dma_desc[N + 1],
+ dma_desc[N + 2].
+Then three elements of tx_q->tx_skbuff_dma[] will be allocated to hold
+extra information to be reused in stmmac_tx_clean():
+ tx_q->tx_skbuff_dma[N + 0],
+ tx_q->tx_skbuff_dma[N + 1],
+ tx_q->tx_skbuff_dma[N + 2].
+Now we focus on tx_q->tx_skbuff_dma[entry].buf, which is the DMA buffer
+address returned by DMA mapping call. stmmac_tx_clean() will try to
+unmap the DMA buffer _ONLY_IF_ tx_q->tx_skbuff_dma[entry].buf
+is a valid buffer address.
+
+The expected behavior that saves DMA buffer address of this non-paged
+data to tx_q->tx_skbuff_dma[entry].buf is:
+ tx_q->tx_skbuff_dma[N + 0].buf = NULL;
+ tx_q->tx_skbuff_dma[N + 1].buf = NULL;
+ tx_q->tx_skbuff_dma[N + 2].buf = dma_map_single();
+Unfortunately, the current code misbehaves like this:
+ tx_q->tx_skbuff_dma[N + 0].buf = dma_map_single();
+ tx_q->tx_skbuff_dma[N + 1].buf = NULL;
+ tx_q->tx_skbuff_dma[N + 2].buf = NULL;
+
+On the stmmac_tx_clean() side, when dma_desc[N + 0] is closed by the
+DMA engine, tx_q->tx_skbuff_dma[N + 0].buf is a valid buffer address
+obviously, then the DMA buffer will be unmapped immediately.
+There may be a rare case that the DMA engine does not finish the
+pending dma_desc[N + 1], dma_desc[N + 2] yet. Now things will go
+horribly wrong, DMA is going to access a unmapped/unreferenced memory
+region, corrupted data will be transmited or iommu fault will be
+triggered :(
+
+In contrast, the for-loop that maps SKB fragments behaves perfectly
+as expected, and that is how the driver should do for both non-paged
+data and paged frags actually.
+
+This patch corrects DMA map/unmap sequences by fixing the array index
+for tx_q->tx_skbuff_dma[entry].buf when assigning DMA buffer address.
+
+Tested and verified on DWXGMAC CORE 3.20a
+
+Reported-by: Suraj Jaiswal <quic_jsuraj@quicinc.com>
+Fixes: f748be531d70 ("stmmac: support new GMAC4")
+Signed-off-by: Furong Xu <0x1207@gmail.com>
+Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241021061023.2162701-1-0x1207@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_main.c | 22 ++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index b62d153f1676e..4a194f30f4a83 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -4110,11 +4110,6 @@ static netdev_tx_t stmmac_tso_xmit(struct sk_buff *skb, struct net_device *dev)
+ if (dma_mapping_error(priv->device, des))
+ goto dma_map_err;
+
+- tx_q->tx_skbuff_dma[first_entry].buf = des;
+- tx_q->tx_skbuff_dma[first_entry].len = skb_headlen(skb);
+- tx_q->tx_skbuff_dma[first_entry].map_as_page = false;
+- tx_q->tx_skbuff_dma[first_entry].buf_type = STMMAC_TXBUF_T_SKB;
+-
+ if (priv->dma_cap.addr64 <= 32) {
+ first->des0 = cpu_to_le32(des);
+
+@@ -4133,6 +4128,23 @@ static netdev_tx_t stmmac_tso_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ stmmac_tso_allocator(priv, des, tmp_pay_len, (nfrags == 0), queue);
+
++ /* In case two or more DMA transmit descriptors are allocated for this
++ * non-paged SKB data, the DMA buffer address should be saved to
++ * tx_q->tx_skbuff_dma[].buf corresponding to the last descriptor,
++ * and leave the other tx_q->tx_skbuff_dma[].buf as NULL to guarantee
++ * that stmmac_tx_clean() does not unmap the entire DMA buffer too early
++ * since the tail areas of the DMA buffer can be accessed by DMA engine
++ * sooner or later.
++ * By saving the DMA buffer address to tx_q->tx_skbuff_dma[].buf
++ * corresponding to the last descriptor, stmmac_tx_clean() will unmap
++ * this DMA buffer right after the DMA engine completely finishes the
++ * full buffer transmission.
++ */
++ tx_q->tx_skbuff_dma[tx_q->cur_tx].buf = des;
++ tx_q->tx_skbuff_dma[tx_q->cur_tx].len = skb_headlen(skb);
++ tx_q->tx_skbuff_dma[tx_q->cur_tx].map_as_page = false;
++ tx_q->tx_skbuff_dma[tx_q->cur_tx].buf_type = STMMAC_TXBUF_T_SKB;
++
+ /* Prepare fragments */
+ for (i = 0; i < nfrags; i++) {
+ const skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
+--
+2.43.0
+
--- /dev/null
+From 4ba111f2425eba5a0785cd8bd834c3093888290f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Oct 2024 12:19:08 -0500
+Subject: netdevsim: Add trailing zero to terminate the string in
+ nsim_nexthop_bucket_activity_write()
+
+From: Zichen Xie <zichenxie0106@gmail.com>
+
+[ Upstream commit 4ce1f56a1eaced2523329bef800d004e30f2f76c ]
+
+This was found by a static analyzer.
+We should not forget the trailing zero after copy_from_user()
+if we will further do some string operations, sscanf() in this
+case. Adding a trailing zero will ensure that the function
+performs properly.
+
+Fixes: c6385c0b67c5 ("netdevsim: Allow reporting activity on nexthop buckets")
+Signed-off-by: Zichen Xie <zichenxie0106@gmail.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20241022171907.8606-1-zichenxie0106@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/netdevsim/fib.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/netdevsim/fib.c b/drivers/net/netdevsim/fib.c
+index 14787d17f703f..b71414b3a1d40 100644
+--- a/drivers/net/netdevsim/fib.c
++++ b/drivers/net/netdevsim/fib.c
+@@ -1366,10 +1366,12 @@ static ssize_t nsim_nexthop_bucket_activity_write(struct file *file,
+
+ if (pos != 0)
+ return -EINVAL;
+- if (size > sizeof(buf))
++ if (size > sizeof(buf) - 1)
+ return -EINVAL;
+ if (copy_from_user(buf, user_buf, size))
+ return -EFAULT;
++ buf[size] = 0;
++
+ if (sscanf(buf, "%u %hu", &nhid, &bucket_index) != 2)
+ return -EINVAL;
+
+--
+2.43.0
+
--- /dev/null
+From 4333d0cf0ddfb5fdad28970f57f119e59f5ef588 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 09:47:01 +0800
+Subject: netfilter: Fix use-after-free in get_info()
+
+From: Dong Chenchen <dongchenchen2@huawei.com>
+
+[ Upstream commit f48d258f0ac540f00fa617dac496c4c18b5dc2fa ]
+
+ip6table_nat module unload has refcnt warning for UAF. call trace is:
+
+WARNING: CPU: 1 PID: 379 at kernel/module/main.c:853 module_put+0x6f/0x80
+Modules linked in: ip6table_nat(-)
+CPU: 1 UID: 0 PID: 379 Comm: ip6tables Not tainted 6.12.0-rc4-00047-gc2ee9f594da8-dirty #205
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+RIP: 0010:module_put+0x6f/0x80
+Call Trace:
+ <TASK>
+ get_info+0x128/0x180
+ do_ip6t_get_ctl+0x6a/0x430
+ nf_getsockopt+0x46/0x80
+ ipv6_getsockopt+0xb9/0x100
+ rawv6_getsockopt+0x42/0x190
+ do_sock_getsockopt+0xaa/0x180
+ __sys_getsockopt+0x70/0xc0
+ __x64_sys_getsockopt+0x20/0x30
+ do_syscall_64+0xa2/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Concurrent execution of module unload and get_info() trigered the warning.
+The root cause is as follows:
+
+cpu0 cpu1
+module_exit
+//mod->state = MODULE_STATE_GOING
+ ip6table_nat_exit
+ xt_unregister_template
+ kfree(t)
+ //removed from templ_list
+ getinfo()
+ t = xt_find_table_lock
+ list_for_each_entry(tmpl, &xt_templates[af]...)
+ if (strcmp(tmpl->name, name))
+ continue; //table not found
+ try_module_get
+ list_for_each_entry(t, &xt_net->tables[af]...)
+ return t; //not get refcnt
+ module_put(t->me) //uaf
+ unregister_pernet_subsys
+ //remove table from xt_net list
+
+While xt_table module was going away and has been removed from
+xt_templates list, we couldnt get refcnt of xt_table->me. Check
+module in xt_net->tables list re-traversal to fix it.
+
+Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default")
+Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/x_tables.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
+index 25524e3933496..9a579217763df 100644
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -1268,7 +1268,7 @@ struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
+
+ /* and once again: */
+ list_for_each_entry(t, &xt_net->tables[af], list)
+- if (strcmp(t->name, name) == 0)
++ if (strcmp(t->name, name) == 0 && owner == t->me)
+ return t;
+
+ module_put(owner);
+--
+2.43.0
+
--- /dev/null
+From dcbcea6d7ef81a2cc9f34349dc23022476d8c5e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2024 23:13:48 +0100
+Subject: netfilter: nft_payload: sanitize offset and length before calling
+ skb_checksum()
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit d5953d680f7e96208c29ce4139a0e38de87a57fe ]
+
+If access to offset + length is larger than the skbuff length, then
+skb_checksum() triggers BUG_ON().
+
+skb_checksum() internally subtracts the length parameter while iterating
+over skbuff, BUG_ON(len) at the end of it checks that the expected
+length to be included in the checksum calculation is fully consumed.
+
+Fixes: 7ec3f7b47b8d ("netfilter: nft_payload: add packet mangling support")
+Reported-by: Slavin Liu <slavin-ayu@qq.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_payload.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
+index 55237d8a3d882..49a1cf53064fe 100644
+--- a/net/netfilter/nft_payload.c
++++ b/net/netfilter/nft_payload.c
+@@ -749,6 +749,9 @@ static void nft_payload_set_eval(const struct nft_expr *expr,
+ ((priv->base != NFT_PAYLOAD_TRANSPORT_HEADER &&
+ priv->base != NFT_PAYLOAD_INNER_HEADER) ||
+ skb->ip_summed != CHECKSUM_PARTIAL)) {
++ if (offset + priv->len > skb->len)
++ goto err;
++
+ fsum = skb_checksum(skb, offset, priv->len, 0);
+ tsum = csum_partial(src, priv->len, 0);
+
+--
+2.43.0
+
--- /dev/null
+From 689eb8fa2a9a3c9cd6bb325c6004d9191d3255f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 06:36:15 -0700
+Subject: RDMA/bnxt_re: synchronize the qp-handle table array
+
+From: Selvin Xavier <selvin.xavier@broadcom.com>
+
+[ Upstream commit 76d3ddff7153cc0bcc14a63798d19f5d0693ea71 ]
+
+There is a race between the CREQ tasklet and destroy qp when accessing the
+qp-handle table. There is a chance of reading a valid qp-handle in the
+CREQ tasklet handler while the QP is already moving ahead with the
+destruction.
+
+Fixing this race by implementing a table-lock to synchronize the access.
+
+Fixes: f218d67ef004 ("RDMA/bnxt_re: Allow posting when QPs are in error")
+Fixes: 84cf229f4001 ("RDMA/bnxt_re: Fix the qp table indexing")
+Link: https://patch.msgid.link/r/1728912975-19346-3-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 4 ++++
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 13 +++++++++----
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 2 ++
+ 3 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+index f1aa3e19b6de6..dea70db9ee971 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c
+@@ -1494,9 +1494,11 @@ int bnxt_qplib_destroy_qp(struct bnxt_qplib_res *res,
+ u32 tbl_indx;
+ int rc;
+
++ spin_lock_bh(&rcfw->tbl_lock);
+ tbl_indx = map_qp_id_to_tbl_indx(qp->id, rcfw);
+ rcfw->qp_tbl[tbl_indx].qp_id = BNXT_QPLIB_QP_ID_INVALID;
+ rcfw->qp_tbl[tbl_indx].qp_handle = NULL;
++ spin_unlock_bh(&rcfw->tbl_lock);
+
+ RCFW_CMD_PREP(req, DESTROY_QP, cmd_flags);
+
+@@ -1504,8 +1506,10 @@ int bnxt_qplib_destroy_qp(struct bnxt_qplib_res *res,
+ rc = bnxt_qplib_rcfw_send_message(rcfw, (void *)&req,
+ (void *)&resp, NULL, 0);
+ if (rc) {
++ spin_lock_bh(&rcfw->tbl_lock);
+ rcfw->qp_tbl[tbl_indx].qp_id = qp->id;
+ rcfw->qp_tbl[tbl_indx].qp_handle = qp;
++ spin_unlock_bh(&rcfw->tbl_lock);
+ return rc;
+ }
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+index 8d5557e3056c4..2394dcc0338cf 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -320,17 +320,21 @@ static int bnxt_qplib_process_qp_event(struct bnxt_qplib_rcfw *rcfw,
+ case CREQ_QP_EVENT_EVENT_QP_ERROR_NOTIFICATION:
+ err_event = (struct creq_qp_error_notification *)qp_event;
+ qp_id = le32_to_cpu(err_event->xid);
++ spin_lock(&rcfw->tbl_lock);
+ tbl_indx = map_qp_id_to_tbl_indx(qp_id, rcfw);
+ qp = rcfw->qp_tbl[tbl_indx].qp_handle;
++ if (!qp) {
++ spin_unlock(&rcfw->tbl_lock);
++ break;
++ }
++ bnxt_qplib_mark_qp_error(qp);
++ rc = rcfw->creq.aeq_handler(rcfw, qp_event, qp);
++ spin_unlock(&rcfw->tbl_lock);
+ dev_dbg(&pdev->dev, "Received QP error notification\n");
+ dev_dbg(&pdev->dev,
+ "qpid 0x%x, req_err=0x%x, resp_err=0x%x\n",
+ qp_id, err_event->req_err_state_reason,
+ err_event->res_err_state_reason);
+- if (!qp)
+- break;
+- bnxt_qplib_mark_qp_error(qp);
+- rc = rcfw->creq.aeq_handler(rcfw, qp_event, qp);
+ break;
+ default:
+ /*
+@@ -631,6 +635,7 @@ int bnxt_qplib_alloc_rcfw_channel(struct bnxt_qplib_res *res,
+ GFP_KERNEL);
+ if (!rcfw->qp_tbl)
+ goto fail;
++ spin_lock_init(&rcfw->tbl_lock);
+
+ return 0;
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h
+index 2acdec55a667e..aaf06cd939e69 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h
+@@ -186,6 +186,8 @@ struct bnxt_qplib_rcfw {
+ struct bnxt_qplib_crsqe *crsqe_tbl;
+ int qp_tbl_size;
+ struct bnxt_qplib_qp_node *qp_tbl;
++ /* To synchronize the qp-handle hash table */
++ spinlock_t tbl_lock;
+ u64 oos_prev;
+ u32 init_oos_stats;
+ u32 cmdq_depth;
+--
+2.43.0
+
--- /dev/null
+From 98221fb4038d5d827320cb238384b2591be92c20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 20:55:17 +0300
+Subject: RDMA/cxgb4: Dump vendor specific QP details
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 89f8c6f197f480fe05edf91eb9359d5425869d04 ]
+
+Restore the missing functionality to dump vendor specific QP details,
+which was mistakenly removed in the commit mentioned in Fixes line.
+
+Fixes: 5cc34116ccec ("RDMA: Add dedicated QP resource tracker function")
+Link: https://patch.msgid.link/r/ed9844829135cfdcac7d64285688195a5cd43f82.1728323026.git.leonro@nvidia.com
+Reported-by: Dr. David Alan Gilbert <linux@treblig.org>
+Closes: https://lore.kernel.org/all/Zv_4qAxuC0dLmgXP@gallifrey
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/provider.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/cxgb4/provider.c b/drivers/infiniband/hw/cxgb4/provider.c
+index e7337662aff87..8cbbef770086c 100644
+--- a/drivers/infiniband/hw/cxgb4/provider.c
++++ b/drivers/infiniband/hw/cxgb4/provider.c
+@@ -469,6 +469,7 @@ static const struct ib_device_ops c4iw_dev_ops = {
+ .fill_res_cq_entry = c4iw_fill_res_cq_entry,
+ .fill_res_cm_id_entry = c4iw_fill_res_cm_id_entry,
+ .fill_res_mr_entry = c4iw_fill_res_mr_entry,
++ .fill_res_qp_entry = c4iw_fill_res_qp_entry,
+ .get_dev_fw_str = get_dev_fw_str,
+ .get_dma_mr = c4iw_get_dma_mr,
+ .get_hw_stats = c4iw_get_mib,
+--
+2.43.0
+
--- /dev/null
+From 90ded249ddc5e2f4e1c349e8c12f3ba570a86987 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 11:50:23 +0300
+Subject: RDMA/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit 78ed28e08e74da6265e49e19206e1bcb8b9a7f0d ]
+
+After the cited commit below max_dest_rd_atomic and max_rd_atomic values
+are being rounded down to the next power of 2. As opposed to the old
+behavior and mlx4 driver where they used to be rounded up instead.
+
+In order to stay consistent with older code and other drivers, revert to
+using fls round function which rounds up to the next power of 2.
+
+Fixes: f18e26af6aba ("RDMA/mlx5: Convert modify QP to use MLX5_SET macros")
+Link: https://patch.msgid.link/r/d85515d6ef21a2fa8ef4c8293dce9b58df8a6297.1728550179.git.leon@kernel.org
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Reviewed-by: Maher Sanalla <msanalla@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/qp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
+index d4b5ce37c2cbd..d2b4db783b254 100644
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -4182,14 +4182,14 @@ static int __mlx5_ib_modify_qp(struct ib_qp *ibqp,
+ MLX5_SET(qpc, qpc, retry_count, attr->retry_cnt);
+
+ if (attr_mask & IB_QP_MAX_QP_RD_ATOMIC && attr->max_rd_atomic)
+- MLX5_SET(qpc, qpc, log_sra_max, ilog2(attr->max_rd_atomic));
++ MLX5_SET(qpc, qpc, log_sra_max, fls(attr->max_rd_atomic - 1));
+
+ if (attr_mask & IB_QP_SQ_PSN)
+ MLX5_SET(qpc, qpc, next_send_psn, attr->sq_psn);
+
+ if (attr_mask & IB_QP_MAX_DEST_RD_ATOMIC && attr->max_dest_rd_atomic)
+ MLX5_SET(qpc, qpc, log_rra_max,
+- ilog2(attr->max_dest_rd_atomic));
++ fls(attr->max_dest_rd_atomic - 1));
+
+ if (attr_mask & (IB_QP_ACCESS_FLAGS | IB_QP_MAX_DEST_RD_ATOMIC)) {
+ err = set_qpc_atomic_flags(qp, attr, attr_mask, qpc);
+--
+2.43.0
+
acpi-prm-change-handler_addr-type-to-void-pointer.patch
acpi-prm-find-efi_memory_runtime-block-for-prm-handl.patch
cgroup-fix-potential-overflow-issue-when-checking-ma.patch
+mac80211-mac80211_message_tracing-should-depend-on-t.patch
+wifi-mac80211-skip-non-uploaded-keys-in-ieee80211_it.patch
+wifi-brcm80211-brcm_tracing-should-depend-on-tracing.patch
+rdma-cxgb4-dump-vendor-specific-qp-details.patch
+rdma-mlx5-round-max_rd_atomic-max_dest_rd_atomic-up-.patch
+rdma-bnxt_re-synchronize-the-qp-handle-table-array.patch
+mac80211-do-drv_reconfig_complete-before-restarting-.patch
+mac80211-add-support-to-trigger-sta-disconnect-on-ha.patch
+wifi-iwlwifi-mvm-disconnect-station-vifs-if-recovery.patch
+wifi-iwlwifi-mvm-fix-response-handling-in-iwl_mvm_se.patch
+asoc-cs42l51-fix-some-error-handling-paths-in-cs42l5.patch
+net-stmmac-tso-fix-unbalanced-dma-map-unmap-for-non-.patch
+igb-disable-threaded-irq-for-igb_msix_other.patch
+ipv4-ip_tunnel-fix-suspicious-rcu-usage-warning-in-i.patch
+gtp-allow-1-to-be-specified-as-file-description-from.patch
+net-sched-stop-qdisc_tree_reduce_backlog-on-tc_h_roo.patch
+netdevsim-add-trailing-zero-to-terminate-the-string-.patch
+bpf-fix-out-of-bounds-write-in-trie_get_next_key.patch
+netfilter-fix-use-after-free-in-get_info.patch
+net-skip-offload-for-netif_f_ipv6_csum-if-ipv6-heade.patch
+netfilter-nft_payload-sanitize-offset-and-length-bef.patch
+net-hns3-fix-missing-features-due-to-dev-features-co.patch
+net-hns3-resolved-the-issue-that-the-debugfs-query-r.patch
+net-hns3-initialize-reset_timer-before-hclgevf_misc_.patch
+net-hns3-fix-kernel-crash-when-1588-is-sent-on-hip08.patch
--- /dev/null
+From 1ad48e08793b918056befcb4c647099780265828 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2024 14:09:32 +0200
+Subject: wifi: brcm80211: BRCM_TRACING should depend on TRACING
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit b73b2069528f90ec49d5fa1010a759baa2c2be05 ]
+
+When tracing is disabled, there is no point in asking the user about
+enabling Broadcom wireless device tracing.
+
+Fixes: f5c4f10852d42012 ("brcm80211: Allow trace support to be enabled separately from debug")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/81a29b15eaacc1ac1fb421bdace9ac0c3385f40f.1727179742.git.geert@linux-m68k.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/Kconfig b/drivers/net/wireless/broadcom/brcm80211/Kconfig
+index 5bf2318763c55..8f51099e15c90 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/Kconfig
++++ b/drivers/net/wireless/broadcom/brcm80211/Kconfig
+@@ -23,6 +23,7 @@ source "drivers/net/wireless/broadcom/brcm80211/brcmfmac/Kconfig"
+ config BRCM_TRACING
+ bool "Broadcom device tracing"
+ depends on BRCMSMAC || BRCMFMAC
++ depends on TRACING
+ help
+ If you say Y here, the Broadcom wireless drivers will register
+ with ftrace to dump event information into the trace ringbuffer.
+--
+2.43.0
+
--- /dev/null
+From 181dd30f4d2e804f2b1f019c48d139272e5f4b8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Jan 2024 08:53:56 +0200
+Subject: wifi: iwlwifi: mvm: disconnect station vifs if recovery failed
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit e50a88e5cb8792cc416866496288c5f4d1eb4b1f ]
+
+This will allow to reconnect immediately instead of leaving the
+connection in a limbo state.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Reviewed-by: Gregory Greenman <gregory.greenman@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20240128084842.e90531cd3a36.Iebdc9483983c0d8497f9dcf9d79ec37332a5fdcc@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: 07a6e3b78a65 ("wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+index 578956032e08b..62f16966899eb 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -1272,6 +1272,13 @@ void iwl_mvm_get_acpi_tables(struct iwl_mvm *mvm)
+ }
+ #endif /* CONFIG_ACPI */
+
++static void iwl_mvm_disconnect_iterator(void *data, u8 *mac,
++ struct ieee80211_vif *vif)
++{
++ if (vif->type == NL80211_IFTYPE_STATION)
++ ieee80211_hw_restart_disconnect(vif);
++}
++
+ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+ {
+ u32 error_log_size = mvm->fw->ucode_capa.error_log_size;
+@@ -1316,10 +1323,15 @@ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+ /* skb respond is only relevant in ERROR_RECOVERY_UPDATE_DB */
+ if (flags & ERROR_RECOVERY_UPDATE_DB) {
+ resp = le32_to_cpu(*(__le32 *)host_cmd.resp_pkt->data);
+- if (resp)
++ if (resp) {
+ IWL_ERR(mvm,
+ "Failed to send recovery cmd blob was invalid %d\n",
+ resp);
++
++ ieee80211_iterate_interfaces(mvm->hw, 0,
++ iwl_mvm_disconnect_iterator,
++ mvm);
++ }
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 911180578bb050214be340229c5031f4f4cc597f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 14:05:05 +0300
+Subject: wifi: iwlwifi: mvm: Fix response handling in
+ iwl_mvm_send_recovery_cmd()
+
+From: Daniel Gabay <daniel.gabay@intel.com>
+
+[ Upstream commit 07a6e3b78a65f4b2796a8d0d4adb1a15a81edead ]
+
+1. The size of the response packet is not validated.
+2. The response buffer is not freed.
+
+Resolve these issues by switching to iwl_mvm_send_cmd_status(),
+which handles both size validation and frees the buffer.
+
+Fixes: f130bb75d881 ("iwlwifi: add FW recovery flow")
+Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20241010140328.76c73185951e.Id3b6ca82ced2081f5ee4f33c997491d0ebda83f7@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+index 62f16966899eb..3009fff9086f5 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -1282,8 +1282,8 @@ static void iwl_mvm_disconnect_iterator(void *data, u8 *mac,
+ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+ {
+ u32 error_log_size = mvm->fw->ucode_capa.error_log_size;
++ u32 status = 0;
+ int ret;
+- u32 resp;
+
+ struct iwl_fw_error_recovery_cmd recovery_cmd = {
+ .flags = cpu_to_le32(flags),
+@@ -1291,7 +1291,6 @@ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+ };
+ struct iwl_host_cmd host_cmd = {
+ .id = WIDE_ID(SYSTEM_GROUP, FW_ERROR_RECOVERY_CMD),
+- .flags = CMD_WANT_SKB,
+ .data = {&recovery_cmd, },
+ .len = {sizeof(recovery_cmd), },
+ };
+@@ -1311,7 +1310,7 @@ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+ recovery_cmd.buf_size = cpu_to_le32(error_log_size);
+ }
+
+- ret = iwl_mvm_send_cmd(mvm, &host_cmd);
++ ret = iwl_mvm_send_cmd_status(mvm, &host_cmd, &status);
+ kfree(mvm->error_recovery_buf);
+ mvm->error_recovery_buf = NULL;
+
+@@ -1322,11 +1321,10 @@ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+
+ /* skb respond is only relevant in ERROR_RECOVERY_UPDATE_DB */
+ if (flags & ERROR_RECOVERY_UPDATE_DB) {
+- resp = le32_to_cpu(*(__le32 *)host_cmd.resp_pkt->data);
+- if (resp) {
++ if (status) {
+ IWL_ERR(mvm,
+ "Failed to send recovery cmd blob was invalid %d\n",
+- resp);
++ status);
+
+ ieee80211_iterate_interfaces(mvm->hw, 0,
+ iwl_mvm_disconnect_iterator,
+--
+2.43.0
+
--- /dev/null
+From 6262a3f68fc751b878b4d87cdf05050a6d951ff7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2024 17:36:30 +0200
+Subject: wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 52009b419355195912a628d0a9847922e90c348c ]
+
+Sync iterator conditions with ieee80211_iter_keys_rcu.
+
+Fixes: 830af02f24fb ("mac80211: allow driver to iterate keys")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://patch.msgid.link/20241006153630.87885-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/key.c | 42 +++++++++++++++++++++++++-----------------
+ 1 file changed, 25 insertions(+), 17 deletions(-)
+
+diff --git a/net/mac80211/key.c b/net/mac80211/key.c
+index 7b427e39831bd..c755e3b332de0 100644
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -918,6 +918,26 @@ void ieee80211_reenable_keys(struct ieee80211_sub_if_data *sdata)
+ mutex_unlock(&sdata->local->key_mtx);
+ }
+
++static void
++ieee80211_key_iter(struct ieee80211_hw *hw,
++ struct ieee80211_vif *vif,
++ struct ieee80211_key *key,
++ void (*iter)(struct ieee80211_hw *hw,
++ struct ieee80211_vif *vif,
++ struct ieee80211_sta *sta,
++ struct ieee80211_key_conf *key,
++ void *data),
++ void *iter_data)
++{
++ /* skip keys of station in removal process */
++ if (key->sta && key->sta->removed)
++ return;
++ if (!(key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE))
++ return;
++ iter(hw, vif, key->sta ? &key->sta->sta : NULL,
++ &key->conf, iter_data);
++}
++
+ void ieee80211_iter_keys(struct ieee80211_hw *hw,
+ struct ieee80211_vif *vif,
+ void (*iter)(struct ieee80211_hw *hw,
+@@ -937,16 +957,13 @@ void ieee80211_iter_keys(struct ieee80211_hw *hw,
+ if (vif) {
+ sdata = vif_to_sdata(vif);
+ list_for_each_entry_safe(key, tmp, &sdata->key_list, list)
+- iter(hw, &sdata->vif,
+- key->sta ? &key->sta->sta : NULL,
+- &key->conf, iter_data);
++ ieee80211_key_iter(hw, vif, key, iter, iter_data);
+ } else {
+ list_for_each_entry(sdata, &local->interfaces, list)
+ list_for_each_entry_safe(key, tmp,
+ &sdata->key_list, list)
+- iter(hw, &sdata->vif,
+- key->sta ? &key->sta->sta : NULL,
+- &key->conf, iter_data);
++ ieee80211_key_iter(hw, &sdata->vif, key,
++ iter, iter_data);
+ }
+ mutex_unlock(&local->key_mtx);
+ }
+@@ -964,17 +981,8 @@ _ieee80211_iter_keys_rcu(struct ieee80211_hw *hw,
+ {
+ struct ieee80211_key *key;
+
+- list_for_each_entry_rcu(key, &sdata->key_list, list) {
+- /* skip keys of station in removal process */
+- if (key->sta && key->sta->removed)
+- continue;
+- if (!(key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE))
+- continue;
+-
+- iter(hw, &sdata->vif,
+- key->sta ? &key->sta->sta : NULL,
+- &key->conf, iter_data);
+- }
++ list_for_each_entry_rcu(key, &sdata->key_list, list)
++ ieee80211_key_iter(hw, &sdata->vif, key, iter, iter_data);
+ }
+
+ void ieee80211_iter_keys_rcu(struct ieee80211_hw *hw,
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
