Fixes for 5.15
authorSasha Levin <sashal@kernel.org>
Mon, 5 Aug 2024 12:18:08 +0000 (08:18 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 5 Aug 2024 12:18:08 +0000 (08:18 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
16 files changed:
queue-5.15/alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch [new file with mode: 0644]
queue-5.15/alsa-hda-conexant-reduce-config_pm-dependencies.patch [new file with mode: 0644]
queue-5.15/drm-nouveau-prime-fix-refcount-underflow.patch [new file with mode: 0644]
queue-5.15/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch [new file with mode: 0644]
queue-5.15/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch [new file with mode: 0644]
queue-5.15/net-iucv-fix-use-after-free-in-iucv_sock_close.patch [new file with mode: 0644]
queue-5.15/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch [new file with mode: 0644]
queue-5.15/net-mvpp2-don-t-re-use-loop-iterator.patch [new file with mode: 0644]
queue-5.15/netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch [new file with mode: 0644]
queue-5.15/netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch [new file with mode: 0644]
queue-5.15/power-supply-bq24190_charger-replace-deprecated-strn.patch [new file with mode: 0644]
queue-5.15/riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch [new file with mode: 0644]
queue-5.15/rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch [new file with mode: 0644]
queue-5.15/rtnetlink-enable-alt_ifname-for-setlink-newlink.patch [new file with mode: 0644]
queue-5.15/sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch b/queue-5.15/alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch
new file mode 100644 (file)
index 0000000..7ac8d49
--- /dev/null
@@ -0,0 +1,127 @@
+From 27923e84894bd6e88790b0d8e8f5936ef8d8f8b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jul 2024 18:07:26 +0800
+Subject: ALSA: hda: conexant: Fix headset auto detect fail in the polling mode
+
+From: songxiebing <songxiebing@kylinos.cn>
+
+[ Upstream commit e60dc98122110594d0290845160f12916192fc6d ]
+
+The previous fix (7aeb25908648) only handles the unsol_event reporting
+during interrupts and does not include the polling mode used to set
+jackroll_ms, so now we are replacing it with
+snd_hda_jack_detect_enable_callback.
+
+Fixes: 7aeb25908648 ("ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140")
+Co-developed-by: bo liu <bo.liu@senarytech.com>
+Signed-off-by: bo liu <bo.liu@senarytech.com>
+Signed-off-by: songxiebing <songxiebing@kylinos.cn>
+Link: https://patch.msgid.link/20240726100726.50824-1-soxiebing@163.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_conexant.c | 54 ++++++----------------------------
+ 1 file changed, 9 insertions(+), 45 deletions(-)
+
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index 76ea4fb391fed..338f9d7462cd9 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -21,12 +21,6 @@
+ #include "hda_jack.h"
+ #include "hda_generic.h"
+-enum {
+-      CX_HEADSET_NOPRESENT = 0,
+-      CX_HEADSET_PARTPRESENT,
+-      CX_HEADSET_ALLPRESENT,
+-};
+-
+ struct conexant_spec {
+       struct hda_gen_spec gen;
+@@ -48,7 +42,6 @@ struct conexant_spec {
+       unsigned int gpio_led;
+       unsigned int gpio_mute_led_mask;
+       unsigned int gpio_mic_led_mask;
+-      unsigned int headset_present_flag;
+       bool is_cx8070_sn6140;
+ };
+@@ -250,48 +243,19 @@ static void cx_process_headset_plugin(struct hda_codec *codec)
+       }
+ }
+-static void cx_update_headset_mic_vref(struct hda_codec *codec, unsigned int res)
++static void cx_update_headset_mic_vref(struct hda_codec *codec, struct hda_jack_callback *event)
+ {
+-      unsigned int phone_present, mic_persent, phone_tag, mic_tag;
+-      struct conexant_spec *spec = codec->spec;
++      unsigned int mic_present;
+       /* In cx8070 and sn6140, the node 16 can only be config to headphone or disabled,
+        * the node 19 can only be config to microphone or disabled.
+        * Check hp&mic tag to process headset pulgin&plugout.
+        */
+-      phone_tag = snd_hda_codec_read(codec, 0x16, 0, AC_VERB_GET_UNSOLICITED_RESPONSE, 0x0);
+-      mic_tag = snd_hda_codec_read(codec, 0x19, 0, AC_VERB_GET_UNSOLICITED_RESPONSE, 0x0);
+-      if ((phone_tag & (res >> AC_UNSOL_RES_TAG_SHIFT)) ||
+-          (mic_tag & (res >> AC_UNSOL_RES_TAG_SHIFT))) {
+-              phone_present = snd_hda_codec_read(codec, 0x16, 0, AC_VERB_GET_PIN_SENSE, 0x0);
+-              if (!(phone_present & AC_PINSENSE_PRESENCE)) {/* headphone plugout */
+-                      spec->headset_present_flag = CX_HEADSET_NOPRESENT;
+-                      snd_hda_codec_write(codec, 0x19, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, 0x20);
+-                      return;
+-              }
+-              if (spec->headset_present_flag == CX_HEADSET_NOPRESENT) {
+-                      spec->headset_present_flag = CX_HEADSET_PARTPRESENT;
+-              } else if (spec->headset_present_flag == CX_HEADSET_PARTPRESENT) {
+-                      mic_persent = snd_hda_codec_read(codec, 0x19, 0,
+-                                                       AC_VERB_GET_PIN_SENSE, 0x0);
+-                      /* headset is present */
+-                      if ((phone_present & AC_PINSENSE_PRESENCE) &&
+-                          (mic_persent & AC_PINSENSE_PRESENCE)) {
+-                              cx_process_headset_plugin(codec);
+-                              spec->headset_present_flag = CX_HEADSET_ALLPRESENT;
+-                      }
+-              }
+-      }
+-}
+-
+-static void cx_jack_unsol_event(struct hda_codec *codec, unsigned int res)
+-{
+-      struct conexant_spec *spec = codec->spec;
+-
+-      if (spec->is_cx8070_sn6140)
+-              cx_update_headset_mic_vref(codec, res);
+-
+-      snd_hda_jack_unsol_event(codec, res);
++      mic_present = snd_hda_codec_read(codec, 0x19, 0, AC_VERB_GET_PIN_SENSE, 0x0);
++      if (!(mic_present & AC_PINSENSE_PRESENCE)) /* mic plugout */
++              snd_hda_codec_write(codec, 0x19, 0, AC_VERB_SET_PIN_WIDGET_CONTROL, 0x20);
++      else
++              cx_process_headset_plugin(codec);
+ }
+ static int cx_auto_suspend(struct hda_codec *codec)
+@@ -305,7 +269,7 @@ static const struct hda_codec_ops cx_auto_patch_ops = {
+       .build_pcms = snd_hda_gen_build_pcms,
+       .init = cx_auto_init,
+       .free = cx_auto_free,
+-      .unsol_event = cx_jack_unsol_event,
++      .unsol_event = snd_hda_jack_unsol_event,
+       .suspend = cx_auto_suspend,
+       .check_power_status = snd_hda_gen_check_power_status,
+ };
+@@ -1163,7 +1127,7 @@ static int patch_conexant_auto(struct hda_codec *codec)
+       case 0x14f11f86:
+       case 0x14f11f87:
+               spec->is_cx8070_sn6140 = true;
+-              spec->headset_present_flag = CX_HEADSET_NOPRESENT;
++              snd_hda_jack_detect_enable_callback(codec, 0x19, cx_update_headset_mic_vref);
+               break;
+       }
+-- 
+2.43.0
+
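Review bot: In the rewritten `cx_update_headset_mic_vref()` the retained block comment still ends with "Check hp&mic tag to process headset pulgin&plugout", but the new body only reads the pin sense of node 0x19 and never looks at an unsolicited-response tag or at node 0x16. I would replace that last comment line with `* Only the mic pin (0x19) sense is read here: absent -> write 0x20 to its pin widget control, present -> run the headset plug-in sequence.` Separately, the call added in `patch_conexant_auto()` discards the result of `snd_hda_jack_detect_enable_callback()`. If that helper can fail in this tree (it appears to return a callback pointer that may encode an error), a failed registration would silently leave headset detection off, so an `IS_ERR()` check with a log message is worth considering. Both functions extend beyond the lines shown.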
diff --git a/queue-5.15/alsa-hda-conexant-reduce-config_pm-dependencies.patch b/queue-5.15/alsa-hda-conexant-reduce-config_pm-dependencies.patch
new file mode 100644 (file)
index 0000000..dda9eea
--- /dev/null
@@ -0,0 +1,54 @@
+From c5809eddd3d1d543051688b3e0d5fe1140d96853 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 May 2024 18:13:50 +0200
+Subject: ALSA: hda: conexant: Reduce CONFIG_PM dependencies
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 29d57f6dc62485ee0752767debdfa2783d162beb ]
+
+CONFIG_PM dependencies got reduced in HD-audio codec core driver, and
+now it's time to reduce in HD-audio conexant codec driver, too.
+
+Simply drop CONFIG_PM ifdefs.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/r/20240506161359.6960-8-tiwai@suse.de
+Stable-dep-of: e60dc9812211 ("ALSA: hda: conexant: Fix headset auto detect fail in the polling mode")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_conexant.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
+index 876380ad2ed13..76ea4fb391fed 100644
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -294,13 +294,11 @@ static void cx_jack_unsol_event(struct hda_codec *codec, unsigned int res)
+       snd_hda_jack_unsol_event(codec, res);
+ }
+-#ifdef CONFIG_PM
+ static int cx_auto_suspend(struct hda_codec *codec)
+ {
+       cx_auto_shutdown(codec);
+       return 0;
+ }
+-#endif
+ static const struct hda_codec_ops cx_auto_patch_ops = {
+       .build_controls = snd_hda_gen_build_controls,
+@@ -308,10 +306,8 @@ static const struct hda_codec_ops cx_auto_patch_ops = {
+       .init = cx_auto_init,
+       .free = cx_auto_free,
+       .unsol_event = cx_jack_unsol_event,
+-#ifdef CONFIG_PM
+       .suspend = cx_auto_suspend,
+       .check_power_status = snd_hda_gen_check_power_status,
+-#endif
+ };
+ /*
+-- 
+2.43.0
+
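Review bot: Dropping the `#ifdef CONFIG_PM` guards around `cx_auto_suspend()` and the `.suspend`/`.check_power_status` initialisers is only safe if `struct hda_codec_ops` declares those members unconditionally in 5.15. The description relies on an earlier reduction of CONFIG_PM dependencies in the HD-audio codec core, and no such prerequisite appears among the 16 files queued here. If the core header in this branch still guards those members, a `CONFIG_PM=n` build will fail. Please build-test with `CONFIG_PM` disabled, or queue the core change as a further dependency, before this lands as a `Stable-dep-of`.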
diff --git a/queue-5.15/drm-nouveau-prime-fix-refcount-underflow.patch b/queue-5.15/drm-nouveau-prime-fix-refcount-underflow.patch
new file mode 100644 (file)
index 0000000..6d97c38
--- /dev/null
@@ -0,0 +1,47 @@
+From 0fc4bbb491ac1fbf6ce23de23afbac02e77794d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jul 2024 18:58:46 +0200
+Subject: drm/nouveau: prime: fix refcount underflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Danilo Krummrich <dakr@kernel.org>
+
+[ Upstream commit a9bf3efc33f1fbf88787a277f7349459283c9b95 ]
+
+Calling nouveau_bo_ref() on a nouveau_bo without initializing it (and
+hence the backing ttm_bo) leads to a refcount underflow.
+
+Instead of calling nouveau_bo_ref() in the unwind path of
+drm_gem_object_init(), clean things up manually.
+
+Fixes: ab9ccb96a6e6 ("drm/nouveau: use prime helpers")
+Reviewed-by: Ben Skeggs <bskeggs@nvidia.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240718165959.3983-2-dakr@kernel.org
+(cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5)
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_prime.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_prime.c b/drivers/gpu/drm/nouveau/nouveau_prime.c
+index 531615719f6da..89fcbfdb5f0af 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_prime.c
++++ b/drivers/gpu/drm/nouveau/nouveau_prime.c
+@@ -63,7 +63,8 @@ struct drm_gem_object *nouveau_gem_prime_import_sg_table(struct drm_device *dev,
+        * to the caller, instead of a normal nouveau_bo ttm reference. */
+       ret = drm_gem_object_init(dev, &nvbo->bo.base, size);
+       if (ret) {
+-              nouveau_bo_ref(NULL, &nvbo);
++              drm_gem_object_release(&nvbo->bo.base);
++              kfree(nvbo);
+               obj = ERR_PTR(-ENOMEM);
+               goto unlock;
+       }
+-- 
+2.43.0
+
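Review bot: The new unwind after a failed `drm_gem_object_init()` frees `nvbo` by hand, with no comment saying why `nouveau_bo_ref(NULL, &nvbo)` must not be used there, which invites a well-meaning revert to the helper. A one-line comment above the two added calls would pin this down, e.g. `/* ttm_bo is not initialised yet; nouveau_bo_ref() would underflow its refcount */`. The same branch reports `ERR_PTR(-ENOMEM)` regardless of `ret`; `obj = ERR_PTR(ret);` would preserve the real error, assuming callers do not depend on -ENOMEM. The function starts and ends outside the hunk.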
diff --git a/queue-5.15/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch b/queue-5.15/drm-vmwgfx-fix-overlay-when-using-screen-targets.patch
new file mode 100644 (file)
index 0000000..2a58bf9
--- /dev/null
@@ -0,0 +1,41 @@
+From 66422c9433f44caf4be3e289af3c0e069d7c84bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2024 11:36:27 -0500
+Subject: drm/vmwgfx: Fix overlay when using Screen Targets
+
+From: Ian Forbes <ian.forbes@broadcom.com>
+
+[ Upstream commit cb372a505a994cb39aa75acfb8b3bcf94787cf94 ]
+
+This code was never updated to support Screen Targets.
+Fixes a bug where Xv playback displays a green screen instead of actual
+video contents when 3D acceleration is disabled in the guest.
+
+Fixes: c8261a961ece ("vmwgfx: Major KMS refactoring / cleanup in preparation of screen targets")
+Reported-by: Doug Brown <doug@schmorgal.com>
+Closes: https://lore.kernel.org/all/bd9cb3c7-90e8-435d-bc28-0e38fee58977@schmorgal.com
+Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
+Tested-by: Doug Brown <doug@schmorgal.com>
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240719163627.20888-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c
+index 54c5d16eb3b79..ec46b3b70d04d 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c
+@@ -98,7 +98,7 @@ static int vmw_overlay_send_put(struct vmw_private *dev_priv,
+ {
+       struct vmw_escape_video_flush *flush;
+       size_t fifo_size;
+-      bool have_so = (dev_priv->active_display_unit == vmw_du_screen_object);
++      bool have_so = (dev_priv->active_display_unit != vmw_du_legacy);
+       int i, num_items;
+       SVGAGuestPtr ptr;
+-- 
+2.43.0
+
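Review bot: `have_so` is now true for every display unit other than `vmw_du_legacy`, so the name no longer matches what it tests. Any other value of `active_display_unit` (an unset or future unit type, if the enum has one) takes the screen-object path as well. Naming the accepted units keeps the intent explicit: `bool have_so = (dev_priv->active_display_unit == vmw_du_screen_object || dev_priv->active_display_unit == vmw_du_screen_target);`. The body of `vmw_overlay_send_put()` continues beyond the hunk, so how `have_so` is consumed is not visible here.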
diff --git a/queue-5.15/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch b/queue-5.15/ipv6-fix-ndisc_is_useropt-handling-for-pio.patch
new file mode 100644 (file)
index 0000000..b47f3c9
--- /dev/null
@@ -0,0 +1,92 @@
+From 4246f4ab42246a8ac8743501e667acc5deae74b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 17:17:48 -0700
+Subject: ipv6: fix ndisc_is_useropt() handling for PIO
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski <maze@google.com>
+
+[ Upstream commit a46c68debf3be3a477a69ccbf0a1d050df841676 ]
+
+The current logic only works if the PIO is between two
+other ND user options.  This fixes it so that the PIO
+can also be either before or after other ND user options
+(for example the first or last option in the RA).
+
+side note: there's actually Android tests verifying
+a portion of the old broken behaviour, so:
+  https://android-review.googlesource.com/c/kernel/tests/+/3196704
+fixes those up.
+
+Cc: Jen Linkova <furry@google.com>
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Cc: Patrick Rohr <prohr@google.com>
+Cc: David Ahern <dsahern@kernel.org>
+Cc: YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Maciej Żenczykowski <maze@google.com>
+Fixes: 048c796beb6e ("ipv6: adjust ndisc_is_useropt() to also return true for PIO")
+Link: https://patch.msgid.link/20240730001748.147636-1-maze@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ndisc.c | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index 856edbe81e11a..d56e80741c5ba 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -226,6 +226,7 @@ struct ndisc_options *ndisc_parse_options(const struct net_device *dev,
+               return NULL;
+       memset(ndopts, 0, sizeof(*ndopts));
+       while (opt_len) {
++              bool unknown = false;
+               int l;
+               if (opt_len < sizeof(struct nd_opt_hdr))
+                       return NULL;
+@@ -261,22 +262,23 @@ struct ndisc_options *ndisc_parse_options(const struct net_device *dev,
+                       break;
+ #endif
+               default:
+-                      if (ndisc_is_useropt(dev, nd_opt)) {
+-                              ndopts->nd_useropts_end = nd_opt;
+-                              if (!ndopts->nd_useropts)
+-                                      ndopts->nd_useropts = nd_opt;
+-                      } else {
+-                              /*
+-                               * Unknown options must be silently ignored,
+-                               * to accommodate future extension to the
+-                               * protocol.
+-                               */
+-                              ND_PRINTK(2, notice,
+-                                        "%s: ignored unsupported option; type=%d, len=%d\n",
+-                                        __func__,
+-                                        nd_opt->nd_opt_type,
+-                                        nd_opt->nd_opt_len);
+-                      }
++                      unknown = true;
++              }
++              if (ndisc_is_useropt(dev, nd_opt)) {
++                      ndopts->nd_useropts_end = nd_opt;
++                      if (!ndopts->nd_useropts)
++                              ndopts->nd_useropts = nd_opt;
++              } else if (unknown) {
++                      /*
++                       * Unknown options must be silently ignored,
++                       * to accommodate future extension to the
++                       * protocol.
++                       */
++                      ND_PRINTK(2, notice,
++                                "%s: ignored unsupported option; type=%d, len=%d\n",
++                                __func__,
++                                nd_opt->nd_opt_type,
++                                nd_opt->nd_opt_len);
+               }
+ next_opt:
+               opt_len -= l;
+-- 
+2.43.0
+
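Review bot: Moving the `ndisc_is_useropt()` test out of `default:` means it now runs for every option that leaves the switch with `break`, not only unknown ones, and nothing in the new code says this is intended. A short comment above the `if` would record it, e.g. `/* Checked for known types too: an option such as PIO is parsed above and also passed to user space. */`. Since these options come from received ND packets, it is also worth confirming that the length validation before the switch (outside this hunk) covers every option that can now be recorded in `nd_useropts`/`nd_useropts_end`. `ndisc_parse_options()` begins and ends outside the lines shown.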
diff --git a/queue-5.15/net-iucv-fix-use-after-free-in-iucv_sock_close.patch b/queue-5.15/net-iucv-fix-use-after-free-in-iucv_sock_close.patch
new file mode 100644 (file)
index 0000000..d0f2ddc
--- /dev/null
@@ -0,0 +1,75 @@
+From 88a6fe29e280d7588fd408a8890b4d472114736b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 14:28:16 +0200
+Subject: net/iucv: fix use after free in iucv_sock_close()
+
+From: Alexandra Winter <wintera@linux.ibm.com>
+
+[ Upstream commit f558120cd709682b739207b48cf7479fd9568431 ]
+
+iucv_sever_path() is called from process context and from bh context.
+iucv->path is used as indicator whether somebody else is taking care of
+severing the path (or it is already removed / never existed).
+This needs to be done with atomic compare and swap, otherwise there is a
+small window where iucv_sock_close() will try to work with a path that has
+already been severed and freed by iucv_callback_connrej() called by
+iucv_tasklet_fn().
+
+Example:
+[452744.123844] Call Trace:
+[452744.123845] ([<0000001e87f03880>] 0x1e87f03880)
+[452744.123966]  [<00000000d593001e>] iucv_path_sever+0x96/0x138
+[452744.124330]  [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv]
+[452744.124336]  [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv]
+[452744.124341]  [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv]
+[452744.124345]  [<00000000d574794e>] __sock_release+0x5e/0xe8
+[452744.124815]  [<00000000d5747a0c>] sock_close+0x34/0x48
+[452744.124820]  [<00000000d5421642>] __fput+0xba/0x268
+[452744.124826]  [<00000000d51b382c>] task_work_run+0xbc/0xf0
+[452744.124832]  [<00000000d5145710>] do_notify_resume+0x88/0x90
+[452744.124841]  [<00000000d5978096>] system_call+0xe2/0x2c8
+[452744.125319] Last Breaking-Event-Address:
+[452744.125321]  [<00000000d5930018>] iucv_path_sever+0x90/0x138
+[452744.125324]
+[452744.125325] Kernel panic - not syncing: Fatal exception in interrupt
+
+Note that bh_lock_sock() is not serializing the tasklet context against
+process context, because the check for sock_owned_by_user() and
+corresponding handling is missing.
+
+Ideas for a future clean-up patch:
+A) Correct usage of bh_lock_sock() in tasklet context, as described in
+Link: https://lore.kernel.org/netdev/1280155406.2899.407.camel@edumazet-laptop/
+Re-enqueue, if needed. This may require adding return values to the
+tasklet functions and thus changes to all users of iucv.
+
+B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.
+
+Fixes: 7d316b945352 ("af_iucv: remove IUCV-pathes completely")
+Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
+Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
+Link: https://patch.msgid.link/20240729122818.947756-1-wintera@linux.ibm.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/iucv/af_iucv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
+index 18316ee3c6921..e6cb3e1cbbf9b 100644
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -336,8 +336,8 @@ static void iucv_sever_path(struct sock *sk, int with_user_data)
+       struct iucv_sock *iucv = iucv_sk(sk);
+       struct iucv_path *path = iucv->path;
+-      if (iucv->path) {
+-              iucv->path = NULL;
++      /* Whoever resets the path pointer, must sever and free it. */
++      if (xchg(&iucv->path, NULL)) {
+               if (with_user_data) {
+                       low_nmcpy(user_data, iucv->src_name);
+                       high_nmcpy(user_data, iucv->dst_name);
+-- 
+2.43.0
+
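Review bot: The new `xchg()` makes the ownership hand-off atomic, but the local `path` on the line above is still filled by a plain load of `iucv->path` taken before the exchange. The pointer that is later severed (presumably `path`, in the part of the body outside the hunk) is therefore not the value the exchange returned. Using the result directly removes the unsynchronised read and guarantees the winner works on exactly the pointer it claimed: declare `struct iucv_path *path;` and test `path = xchg(&iucv->path, NULL);` followed by `if (path) {`. `iucv_sever_path()` continues past the hunk.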
diff --git a/queue-5.15/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch b/queue-5.15/net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch
new file mode 100644 (file)
index 0000000..3f5a193
--- /dev/null
@@ -0,0 +1,48 @@
+From 503051e10eb3da6f60dc5586cd95987e79404967 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 09:16:37 +0300
+Subject: net/mlx5e: Add a check for the return value from
+ mlx5_port_set_eth_ptys
+
+From: Shahar Shitrit <shshitrit@nvidia.com>
+
+[ Upstream commit 3f8e82a020a5c22f9b791f4ac499b8e18007fbda ]
+
+Since the documentation for mlx5_toggle_port_link states that it should
+only be used after setting the port register, we add a check for the
+return value from mlx5_port_set_eth_ptys to ensure the register was
+successfully set before calling it.
+
+Fixes: 667daedaecd1 ("net/mlx5e: Toggle link only after modifying port parameters")
+Signed-off-by: Shahar Shitrit <shshitrit@nvidia.com>
+Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Link: https://patch.msgid.link/20240730061638.1831002-9-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+index 2d3cd237355a6..06f6809b1c2b7 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -1181,7 +1181,12 @@ int mlx5e_ethtool_set_link_ksettings(struct mlx5e_priv *priv,
+       if (!an_changes && link_modes == eproto.admin)
+               goto out;
+-      mlx5_port_set_eth_ptys(mdev, an_disable, link_modes, ext);
++      err = mlx5_port_set_eth_ptys(mdev, an_disable, link_modes, ext);
++      if (err) {
++              netdev_err(priv->netdev, "%s: failed to set ptys reg: %d\n", __func__, err);
++              goto out;
++      }
++
+       mlx5_toggle_port_link(mdev);
+ out:
+-- 
+2.43.0
+
diff --git a/queue-5.15/net-mvpp2-don-t-re-use-loop-iterator.patch b/queue-5.15/net-mvpp2-don-t-re-use-loop-iterator.patch
new file mode 100644 (file)
index 0000000..1049572
--- /dev/null
@@ -0,0 +1,48 @@
+From d7fb064aae3f5a157878224221d88ac2b0189027 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2024 11:06:56 -0500
+Subject: net: mvpp2: Don't re-use loop iterator
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 0aa3ca956c46d849775eae1816cef8fe4bc8b50e ]
+
+This function has a nested loop.  The problem is that both the inside
+and outside loop use the same variable as an iterator.  I found this
+via static analysis so I'm not sure the impact.  It could be that it
+loops forever or, more likely, the loop exits early.
+
+Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/eaa8f403-7779-4d81-973d-a9ecddc0bf6f@stanley.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index ba44d1d9cfcd4..2a60f949d9532 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -953,13 +953,13 @@ static void mvpp2_bm_pool_update_fc(struct mvpp2_port *port,
+ static void mvpp2_bm_pool_update_priv_fc(struct mvpp2 *priv, bool en)
+ {
+       struct mvpp2_port *port;
+-      int i;
++      int i, j;
+       for (i = 0; i < priv->port_count; i++) {
+               port = priv->port_list[i];
+               if (port->priv->percpu_pools) {
+-                      for (i = 0; i < port->nrxqs; i++)
+-                              mvpp2_bm_pool_update_fc(port, &port->priv->bm_pools[i],
++                      for (j = 0; j < port->nrxqs; j++)
++                              mvpp2_bm_pool_update_fc(port, &port->priv->bm_pools[j],
+                                                       port->tx_fc & en);
+               } else {
+                       mvpp2_bm_pool_update_fc(port, port->pool_long, port->tx_fc & en);
+-- 
+2.43.0
+
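Review bot: With the inner loop on its own iterator, `bm_pools[j]` is now indexed for every `j` below `port->nrxqs` on every port, whereas the shared-iterator version may have stopped early, so this path can reach indices it did not reach before. Nothing in the hunk bounds `nrxqs` against the size of `bm_pools`. If that invariant is established elsewhere, a comment such as `/* per-cpu mode: bm_pools has at least nrxqs entries */` would document it; otherwise a bound check is needed. The function ends outside the hunk.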
diff --git a/queue-5.15/netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch b/queue-5.15/netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch
new file mode 100644 (file)
index 0000000..fd92dbb
--- /dev/null
@@ -0,0 +1,133 @@
+From ec11bf2a5686e809b90273466bf894a67156b9b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jul 2024 12:28:20 -0700
+Subject: netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 5830aa863981d43560748aa93589c0695191d95d ]
+
+We had a report that iptables-restore sometimes triggered null-ptr-deref
+at boot time. [0]
+
+The problem is that iptable_nat_table_init() is exposed to user space
+before the kernel fully initialises netns.
+
+In the small race window, a user could call iptable_nat_table_init()
+that accesses net_generic(net, iptable_nat_net_id), which is available
+only after registering iptable_nat_net_ops.
+
+Let's call register_pernet_subsys() before xt_register_template().
+
+[0]:
+bpfilter: Loaded bpfilter_umh pid 11702
+Started bpfilter
+BUG: kernel NULL pointer dereference, address: 0000000000000013
+ PF: supervisor write access in kernel mode
+ PF: error_code(0x0002) - not-present page
+PGD 0 P4D 0
+PREEMPT SMP NOPTI
+CPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1
+Hardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017
+RIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat
+Code: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 <48> 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c
+RSP: 0018:ffffbef902843cd0 EFLAGS: 00010246
+RAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80
+RDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0
+RBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240
+R10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000
+R13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004
+FS:  00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)
+ ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)
+ ? xt_find_table_lock (net/netfilter/x_tables.c:1259)
+ ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)
+ ? page_fault_oops (arch/x86/mm/fault.c:727)
+ ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518)
+ ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570)
+ ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat
+ xt_find_table_lock (net/netfilter/x_tables.c:1259)
+ xt_request_find_table_lock (net/netfilter/x_tables.c:1287)
+ get_info (net/ipv4/netfilter/ip_tables.c:965)
+ ? security_capable (security/security.c:809 (discriminator 13))
+ ? ns_capable (kernel/capability.c:376 kernel/capability.c:397)
+ ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656)
+ ? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter
+ nf_getsockopt (net/netfilter/nf_sockopt.c:116)
+ ip_getsockopt (net/ipv4/ip_sockglue.c:1827)
+ __sys_getsockopt (net/socket.c:2327)
+ __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339)
+ do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
+RIP: 0033:0x7f62844685ee
+Code: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09
+RSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
+RAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee
+RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004
+RBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0
+R10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2
+R13: 00007f628455baa0 R14: 00007ffd1f83d7b0 R15: 00007f628457a008
+ </TASK>
+Modules linked in: iptable_nat(+) bpfilter rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache veth xt_state xt_connmark xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 vfat fat ghash_clmulni_intel aesni_intel ena crypto_simd ptp cryptd i8042 pps_core serio button sunrpc sch_fq_codel configfs loop dm_mod fuse dax dmi_sysfs crc32_pclmul crc32c_intel efivarfs
+CR2: 0000000000000013
+
+Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default")
+Reported-by: Takahiro Kawahara <takawaha@amazon.co.jp>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/netfilter/iptable_nat.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
+index 45d7e072e6a54..226000a740860 100644
+--- a/net/ipv4/netfilter/iptable_nat.c
++++ b/net/ipv4/netfilter/iptable_nat.c
+@@ -152,25 +152,27 @@ static struct pernet_operations iptable_nat_net_ops = {
+ static int __init iptable_nat_init(void)
+ {
+-      int ret = xt_register_template(&nf_nat_ipv4_table,
+-                                     iptable_nat_table_init);
++      int ret;
++      /* net->gen->ptr[iptable_nat_net_id] must be allocated
++       * before calling iptable_nat_table_init().
++       */
++      ret = register_pernet_subsys(&iptable_nat_net_ops);
+       if (ret < 0)
+               return ret;
+-      ret = register_pernet_subsys(&iptable_nat_net_ops);
+-      if (ret < 0) {
+-              xt_unregister_template(&nf_nat_ipv4_table);
+-              return ret;
+-      }
++      ret = xt_register_template(&nf_nat_ipv4_table,
++                                 iptable_nat_table_init);
++      if (ret < 0)
++              unregister_pernet_subsys(&iptable_nat_net_ops);
+       return ret;
+ }
+ static void __exit iptable_nat_exit(void)
+ {
+-      unregister_pernet_subsys(&iptable_nat_net_ops);
+       xt_unregister_template(&nf_nat_ipv4_table);
++      unregister_pernet_subsys(&iptable_nat_net_ops);
+ }
+ module_init(iptable_nat_init);
+-- 
+2.43.0
+
diff --git a/queue-5.15/netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch b/queue-5.15/netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch
new file mode 100644 (file)
index 0000000..2ec0f36
--- /dev/null
@@ -0,0 +1,65 @@
+From 22501eb1fad7d44bc929c4a4ba9d26ce8ac7e39d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jul 2024 12:28:21 -0700
+Subject: netfilter: iptables: Fix potential null-ptr-deref in
+ ip6table_nat_table_init().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit c22921df777de5606f1047b1345b8d22ef1c0b34 ]
+
+ip6table_nat_table_init() accesses net->gen->ptr[ip6table_nat_net_ops.id],
+but the function is exposed to user space before the entry is allocated
+via register_pernet_subsys().
+
+Let's call register_pernet_subsys() before xt_register_template().
+
+Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/ip6table_nat.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
+index 921c1723a01e4..229a81cf1a729 100644
+--- a/net/ipv6/netfilter/ip6table_nat.c
++++ b/net/ipv6/netfilter/ip6table_nat.c
+@@ -154,23 +154,27 @@ static struct pernet_operations ip6table_nat_net_ops = {
+ static int __init ip6table_nat_init(void)
+ {
+-      int ret = xt_register_template(&nf_nat_ipv6_table,
+-                                     ip6table_nat_table_init);
++      int ret;
++      /* net->gen->ptr[ip6table_nat_net_id] must be allocated
++       * before calling ip6t_nat_register_lookups().
++       */
++      ret = register_pernet_subsys(&ip6table_nat_net_ops);
+       if (ret < 0)
+               return ret;
+-      ret = register_pernet_subsys(&ip6table_nat_net_ops);
++      ret = xt_register_template(&nf_nat_ipv6_table,
++                                 ip6table_nat_table_init);
+       if (ret)
+-              xt_unregister_template(&nf_nat_ipv6_table);
++              unregister_pernet_subsys(&ip6table_nat_net_ops);
+       return ret;
+ }
+ static void __exit ip6table_nat_exit(void)
+ {
+-      unregister_pernet_subsys(&ip6table_nat_net_ops);
+       xt_unregister_template(&nf_nat_ipv6_table);
++      unregister_pernet_subsys(&ip6table_nat_net_ops);
+ }
+ module_init(ip6table_nat_init);
+-- 
+2.43.0
+
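Review bot: The new comment in ip6table_nat_init() names ip6t_nat_register_lookups(), while the commit message describes the access as happening in ip6table_nat_table_init(), the callback handed to xt_register_template(). Tying the comment to the ordering rule would read more clearly, for example `/* The template's init callback reads this module's pernet data, so register the pernet subsystem first. */`. ip6table_nat_exit() would benefit from a matching one-line comment saying the template is removed first for the same reason. As a style point, the first check is `if (ret < 0)` and the second is `if (ret)`; using `if (ret < 0)` for both would keep the error path uniform.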
diff --git a/queue-5.15/power-supply-bq24190_charger-replace-deprecated-strn.patch b/queue-5.15/power-supply-bq24190_charger-replace-deprecated-strn.patch
new file mode 100644 (file)
index 0000000..2fd826f
--- /dev/null
@@ -0,0 +1,71 @@
+From 24bbb68193b1d0275fa60045da0c24cdfb77bd2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 18:14:47 +0000
+Subject: power: supply: bq24190_charger: replace deprecated strncpy with
+ strscpy
+
+From: Justin Stitt <justinstitt@google.com>
+
+[ Upstream commit b0009b8bed98bd5d59449af48781703df261c247 ]
+
+strncpy() is deprecated for use on NUL-terminated destination strings
+[1] and as such we should prefer more robust and less ambiguous string
+interfaces.
+
+We expect bdi->model_name to be NUL-terminated based on its usage with
+sysfs_emit and format strings:
+
+val->strval is assigned to bdi->model_name in
+bq24190_charger_get_property():
+1186 | val->strval = bdi->model_name;
+
+... then in power_supply_sysfs.c we use value.strval with a format string:
+311  | ret = sysfs_emit(buf, "%s\n", value.strval);
+
+we assigned value.strval via:
+285  | ret = power_supply_get_property(psy, psp, &value);
+... which invokes psy->desc->get_property():
+1210 | return psy->desc->get_property(psy, psp, val);
+
+with bq24190_charger_get_property():
+1320 | static const struct power_supply_desc bq24190_charger_desc = {
+...
+1325 |         .get_property           = bq24190_charger_get_property,
+
+Moreover, no NUL-padding is required as bdi is zero-allocated in
+bq24190_charger.c:
+1798 | bdi = devm_kzalloc(dev, sizeof(*bdi), GFP_KERNEL);
+
+Considering the above, a suitable replacement is `strscpy` [2] due to
+the fact that it guarantees NUL-termination on the destination buffer
+without unnecessarily NUL-padding.
+
+Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
+Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2]
+Link: https://github.com/KSPP/linux/issues/90
+Cc: linux-hardening@vger.kernel.org
+Signed-off-by: Justin Stitt <justinstitt@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20231020-strncpy-drivers-power-supply-bq24190_charger-c-v1-1-e896223cb795@google.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/bq24190_charger.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/bq24190_charger.c b/drivers/power/supply/bq24190_charger.c
+index 90ac5e59a5d6f..8a4729ee1ab19 100644
+--- a/drivers/power/supply/bq24190_charger.c
++++ b/drivers/power/supply/bq24190_charger.c
+@@ -1727,7 +1727,7 @@ static int bq24190_probe(struct i2c_client *client,
+       bdi->client = client;
+       bdi->dev = dev;
+-      strncpy(bdi->model_name, id->name, I2C_NAME_SIZE);
++      strscpy(bdi->model_name, id->name, sizeof(bdi->model_name));
+       mutex_init(&bdi->f_reg_lock);
+       bdi->f_reg = 0;
+       bdi->ss_reg = BQ24190_REG_SS_VBUS_STAT_MASK; /* impossible state */
+-- 
+2.43.0
+
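Review bot: `sizeof(bdi->model_name)` bounds the copy correctly only while model_name is a char array at least as large as id->name. Its declaration is outside this hunk, and if it were ever changed to a pointer the bound would silently become the pointer width. strscpy() also reports truncation by returning -E2BIG, and that result is discarded here. A short comment such as `/* model_name is a char array sized for id->name; truncation is not expected */` (to be confirmed against the struct definition) would record the assumption. bq24190_probe() starts and ends outside the hunk.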
diff --git a/queue-5.15/riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch b/queue-5.15/riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch
new file mode 100644 (file)
index 0000000..10bb7e5
--- /dev/null
@@ -0,0 +1,65 @@
+From 9bbf8af32e823cee67fe3cee73bbac1f69e6f189 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2024 16:45:47 +0800
+Subject: riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()
+
+From: Zhe Qiao <qiaozhe@iscas.ac.cn>
+
+[ Upstream commit 0c710050c47d45eb77b28c271cddefc5c785cb40 ]
+
+Handle VM_FAULT_SIGSEGV in the page fault path so that we correctly
+kill the process and we don't BUG() the kernel.
+
+Fixes: 07037db5d479 ("RISC-V: Paging and MMU")
+Signed-off-by: Zhe Qiao <qiaozhe@iscas.ac.cn>
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Link: https://lore.kernel.org/r/20240731084547.85380-1-qiaozhe@iscas.ac.cn
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/mm/fault.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c
+index 884a3c76573cf..3fc62e05bac11 100644
+--- a/arch/riscv/mm/fault.c
++++ b/arch/riscv/mm/fault.c
+@@ -60,26 +60,27 @@ static inline void no_context(struct pt_regs *regs, unsigned long addr)
+ static inline void mm_fault_error(struct pt_regs *regs, unsigned long addr, vm_fault_t fault)
+ {
++      if (!user_mode(regs)) {
++              no_context(regs, addr);
++              return;
++      }
++
+       if (fault & VM_FAULT_OOM) {
+               /*
+                * We ran out of memory, call the OOM killer, and return the userspace
+                * (which will retry the fault, or kill us if we got oom-killed).
+                */
+-              if (!user_mode(regs)) {
+-                      no_context(regs, addr);
+-                      return;
+-              }
+               pagefault_out_of_memory();
+               return;
+       } else if (fault & VM_FAULT_SIGBUS) {
+               /* Kernel mode? Handle exceptions or die */
+-              if (!user_mode(regs)) {
+-                      no_context(regs, addr);
+-                      return;
+-              }
+               do_trap(regs, SIGBUS, BUS_ADRERR, addr);
+               return;
++      } else if (fault & VM_FAULT_SIGSEGV) {
++              do_trap(regs, SIGSEGV, SEGV_MAPERR, addr);
++              return;
+       }
++
+       BUG();
+ }
+-- 
+2.43.0
+
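Review bot: The trailing `BUG()` in mm_fault_error() is still reached for any fault bit other than VM_FAULT_OOM, VM_FAULT_SIGBUS and VM_FAULT_SIGSEGV. With the user_mode() check hoisted to the top, that path now runs only for faults taken in user mode. Whether the caller can pass other error bits is not visible here and should be confirmed. At minimum I would document the assumption above it: `/* Only OOM, SIGBUS and SIGSEGV are expected here; any other bit is a caller bug. */`. The context comment `/* Kernel mode? Handle exceptions or die */` left in the SIGBUS branch is now stale and belongs on the hoisted `if (!user_mode(regs))` block.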
diff --git a/queue-5.15/rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch b/queue-5.15/rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch
new file mode 100644 (file)
index 0000000..887ffc9
--- /dev/null
@@ -0,0 +1,42 @@
+From 8e70b6983c7f1a37dcea4c7aada8555f04799286 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jul 2024 17:19:53 -0700
+Subject: rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified
+ in rtnl_dellink().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 9415d375d8520e0ed55f0c0b058928da9a5b5b3d ]
+
+The cited commit accidentally replaced tgt_net with net in rtnl_dellink().
+
+As a result, IFLA_TARGET_NETNSID is ignored if the interface is specified
+with IFLA_IFNAME or IFLA_ALT_IFNAME.
+
+Let's pass tgt_net to rtnl_dev_get().
+
+Fixes: cc6090e985d7 ("net: rtnetlink: introduce helper to get net_device instance by ifname")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 4284406740932..eca7f6f4a52f5 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -3115,7 +3115,7 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh,
+       if (ifm->ifi_index > 0)
+               dev = __dev_get_by_index(tgt_net, ifm->ifi_index);
+       else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME])
+-              dev = rtnl_dev_get(net, tb);
++              dev = rtnl_dev_get(tgt_net, tb);
+       else if (tb[IFLA_GROUP])
+               err = rtnl_group_dellink(tgt_net, nla_get_u32(tb[IFLA_GROUP]));
+       else
+-- 
+2.43.0
+
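Review bot: The lookup chain in rtnl_dellink() has no comment saying which namespace it must act on, which is how `net` slipped in for `tgt_net` in the first place. With `rtnl_dev_get(tgt_net, tb)`, a delete by IFLA_IFNAME or IFLA_ALT_IFNAME resolves the device in the namespace chosen by IFLA_TARGET_NETNSID. The permission check on that target namespace therefore guards this branch, and it is not visible in the hunk. It is worth confirming that tgt_net is obtained through a capability-checked path before this point, and recording it above the chain: `/* Every lookup below acts on tgt_net (capability-checked when resolved), never on net. */`. rtnl_dellink() starts and ends outside the hunk.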
diff --git a/queue-5.15/rtnetlink-enable-alt_ifname-for-setlink-newlink.patch b/queue-5.15/rtnetlink-enable-alt_ifname-for-setlink-newlink.patch
new file mode 100644 (file)
index 0000000..3607440
--- /dev/null
@@ -0,0 +1,213 @@
+From 4de8851015ad8024e8dd09fbeebf6294e38016d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Apr 2022 18:53:28 +0200
+Subject: rtnetlink: enable alt_ifname for setlink/newlink
+
+From: Florent Fourcot <florent.fourcot@wifirst.fr>
+
+[ Upstream commit 5ea08b5286f66ee5ac0150668c92d1718e83e1ad ]
+
+buffer called "ifname" given in function rtnl_dev_get
+is always valid when called by setlink/newlink,
+but contains only empty string when IFLA_IFNAME is not given. So
+IFLA_ALT_IFNAME is always ignored
+
+This patch fixes rtnl_dev_get function with a remove of ifname argument,
+and move ifname copy in do_setlink when required.
+
+It extends feature of commit 76c9ac0ee878,
+"net: rtnetlink: add possibility to use alternative names as message
+handle""
+
+CC: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Florent Fourcot <florent.fourcot@wifirst.fr>
+Signed-off-by: Brian Baboch <brian.baboch@wifirst.fr>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: 9415d375d852 ("rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in rtnl_dellink().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 69 +++++++++++++++++++-------------------------
+ 1 file changed, 29 insertions(+), 40 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index d25632fbfa892..4284406740932 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -2617,17 +2617,23 @@ static int do_set_proto_down(struct net_device *dev,
+ static int do_setlink(const struct sk_buff *skb,
+                     struct net_device *dev, struct ifinfomsg *ifm,
+                     struct netlink_ext_ack *extack,
+-                    struct nlattr **tb, char *ifname, int status)
++                    struct nlattr **tb, int status)
+ {
+       const struct net_device_ops *ops = dev->netdev_ops;
++      char ifname[IFNAMSIZ];
+       int err;
+       err = validate_linkmsg(dev, tb, extack);
+       if (err < 0)
+               return err;
++      if (tb[IFLA_IFNAME])
++              nla_strscpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
++      else
++              ifname[0] = '\0';
++
+       if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD] || tb[IFLA_TARGET_NETNSID]) {
+-              const char *pat = ifname && ifname[0] ? ifname : NULL;
++              const char *pat = ifname[0] ? ifname : NULL;
+               struct net *net;
+               int new_ifindex;
+@@ -2974,21 +2980,16 @@ static int do_setlink(const struct sk_buff *skb,
+ }
+ static struct net_device *rtnl_dev_get(struct net *net,
+-                                     struct nlattr *ifname_attr,
+-                                     struct nlattr *altifname_attr,
+-                                     char *ifname)
+-{
+-      char buffer[ALTIFNAMSIZ];
+-
+-      if (!ifname) {
+-              ifname = buffer;
+-              if (ifname_attr)
+-                      nla_strscpy(ifname, ifname_attr, IFNAMSIZ);
+-              else if (altifname_attr)
+-                      nla_strscpy(ifname, altifname_attr, ALTIFNAMSIZ);
+-              else
+-                      return NULL;
+-      }
++                                     struct nlattr *tb[])
++{
++      char ifname[ALTIFNAMSIZ];
++
++      if (tb[IFLA_IFNAME])
++              nla_strscpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
++      else if (tb[IFLA_ALT_IFNAME])
++              nla_strscpy(ifname, tb[IFLA_ALT_IFNAME], ALTIFNAMSIZ);
++      else
++              return NULL;
+       return __dev_get_by_name(net, ifname);
+ }
+@@ -3001,7 +3002,6 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+       struct net_device *dev;
+       int err;
+       struct nlattr *tb[IFLA_MAX+1];
+-      char ifname[IFNAMSIZ];
+       err = nlmsg_parse_deprecated(nlh, sizeof(*ifm), tb, IFLA_MAX,
+                                    ifla_policy, extack);
+@@ -3012,17 +3012,12 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+       if (err < 0)
+               goto errout;
+-      if (tb[IFLA_IFNAME])
+-              nla_strscpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
+-      else
+-              ifname[0] = '\0';
+-
+       err = -EINVAL;
+       ifm = nlmsg_data(nlh);
+       if (ifm->ifi_index > 0)
+               dev = __dev_get_by_index(net, ifm->ifi_index);
+       else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME])
+-              dev = rtnl_dev_get(net, NULL, tb[IFLA_ALT_IFNAME], ifname);
++              dev = rtnl_dev_get(net, tb);
+       else
+               goto errout;
+@@ -3031,7 +3026,7 @@ static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+               goto errout;
+       }
+-      err = do_setlink(skb, dev, ifm, extack, tb, ifname, 0);
++      err = do_setlink(skb, dev, ifm, extack, tb, 0);
+ errout:
+       return err;
+ }
+@@ -3120,8 +3115,7 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh,
+       if (ifm->ifi_index > 0)
+               dev = __dev_get_by_index(tgt_net, ifm->ifi_index);
+       else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME])
+-              dev = rtnl_dev_get(net, tb[IFLA_IFNAME],
+-                                 tb[IFLA_ALT_IFNAME], NULL);
++              dev = rtnl_dev_get(net, tb);
+       else if (tb[IFLA_GROUP])
+               err = rtnl_group_dellink(tgt_net, nla_get_u32(tb[IFLA_GROUP]));
+       else
+@@ -3267,7 +3261,7 @@ static int rtnl_group_changelink(const struct sk_buff *skb,
+       for_each_netdev_safe(net, dev, aux) {
+               if (dev->group == group) {
+-                      err = do_setlink(skb, dev, ifm, extack, tb, NULL, 0);
++                      err = do_setlink(skb, dev, ifm, extack, tb, 0);
+                       if (err < 0)
+                               return err;
+               }
+@@ -3309,11 +3303,6 @@ static int __rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+       if (err < 0)
+               return err;
+-      if (tb[IFLA_IFNAME])
+-              nla_strscpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
+-      else
+-              ifname[0] = '\0';
+-
+       ifm = nlmsg_data(nlh);
+       if (ifm->ifi_index > 0) {
+               link_specified = true;
+@@ -3323,7 +3312,7 @@ static int __rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+               return -EINVAL;
+       } else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME]) {
+               link_specified = true;
+-              dev = rtnl_dev_get(net, NULL, tb[IFLA_ALT_IFNAME], ifname);
++              dev = rtnl_dev_get(net, tb);
+       } else {
+               link_specified = false;
+               dev = NULL;
+@@ -3426,7 +3415,7 @@ static int __rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+                       status |= DO_SETLINK_NOTIFY;
+               }
+-              return do_setlink(skb, dev, ifm, extack, tb, ifname, status);
++              return do_setlink(skb, dev, ifm, extack, tb, status);
+       }
+       if (!(nlh->nlmsg_flags & NLM_F_CREATE)) {
+@@ -3463,7 +3452,9 @@ static int __rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+       if (!ops->alloc && !ops->setup)
+               return -EOPNOTSUPP;
+-      if (!ifname[0]) {
++      if (tb[IFLA_IFNAME]) {
++              nla_strscpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
++      } else {
+               snprintf(ifname, IFNAMSIZ, "%s%%d", ops->kind);
+               name_assign_type = NET_NAME_ENUM;
+       }
+@@ -3635,8 +3626,7 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr *nlh,
+       if (ifm->ifi_index > 0)
+               dev = __dev_get_by_index(tgt_net, ifm->ifi_index);
+       else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME])
+-              dev = rtnl_dev_get(tgt_net, tb[IFLA_IFNAME],
+-                                 tb[IFLA_ALT_IFNAME], NULL);
++              dev = rtnl_dev_get(tgt_net, tb);
+       else
+               goto out;
+@@ -3731,8 +3721,7 @@ static int rtnl_linkprop(int cmd, struct sk_buff *skb, struct nlmsghdr *nlh,
+       if (ifm->ifi_index > 0)
+               dev = __dev_get_by_index(net, ifm->ifi_index);
+       else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME])
+-              dev = rtnl_dev_get(net, tb[IFLA_IFNAME],
+-                                 tb[IFLA_ALT_IFNAME], NULL);
++              dev = rtnl_dev_get(net, tb);
+       else
+               return -EINVAL;
+-- 
+2.43.0
+
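Review bot: In the `@@ -3463,7 +3452,9 @@` hunk of __rtnl_newlink(), the fallback to the `"%s%%d"` template used to be chosen by `if (!ifname[0])` and is now chosen by the absence of tb[IFLA_IFNAME]. An IFLA_IFNAME attribute carrying an empty string therefore no longer gets the default name or NET_NAME_ENUM, and an empty ifname is passed on instead. Whether later validation rejects the empty name is outside the hunk, so this may only change which error the caller sees, but the old behaviour is cheap to keep by copying first and then testing the buffer. __rtnl_newlink() starts and ends outside the hunk.

```c
	/* … unchanged: ops->alloc / ops->setup check … */
	if (tb[IFLA_IFNAME])
		nla_strscpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
	else
		ifname[0] = '\0';

	/* An empty name, like a missing one, falls back to "<kind>%d". */
	if (!ifname[0]) {
		snprintf(ifname, IFNAMSIZ, "%s%%d", ops->kind);
		name_assign_type = NET_NAME_ENUM;
	}
```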
diff --git a/queue-5.15/sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch b/queue-5.15/sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch
new file mode 100644 (file)
index 0000000..6a7d13f
--- /dev/null
@@ -0,0 +1,90 @@
+From 6ce4d8b51197b14abe7402f04a34a031e134ba6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Jul 2024 09:27:45 +0000
+Subject: sched: act_ct: take care of padding in struct zones_ht_key
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2191a54f63225b548fd8346be3611c3219a24738 ]
+
+Blamed commit increased lookup key size from 2 bytes to 16 bytes,
+because zones_ht_key got a struct net pointer.
+
+Make sure rhashtable_lookup() is not using the padding bytes
+which are not initialized.
+
+ BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
+ BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]
+ BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]
+ BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
+ BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329
+  rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
+  __rhashtable_lookup include/linux/rhashtable.h:607 [inline]
+  rhashtable_lookup include/linux/rhashtable.h:646 [inline]
+  rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
+  tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329
+  tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408
+  tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425
+  tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488
+  tcf_action_add net/sched/act_api.c:2061 [inline]
+  tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118
+  rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647
+  netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550
+  rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665
+  netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
+  netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357
+  netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901
+  sock_sendmsg_nosec net/socket.c:730 [inline]
+  __sock_sendmsg+0x30f/0x380 net/socket.c:745
+  ____sys_sendmsg+0x877/0xb60 net/socket.c:2597
+  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651
+  __sys_sendmsg net/socket.c:2680 [inline]
+  __do_sys_sendmsg net/socket.c:2689 [inline]
+  __se_sys_sendmsg net/socket.c:2687 [inline]
+  __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687
+  x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47
+  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+  do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Local variable key created at:
+  tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324
+  tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408
+
+Fixes: 88c67aeb1407 ("sched: act_ct: add netns into the key of tcf_ct_flow_table")
+Reported-by: syzbot+1b5e4e187cc586d05ea0@syzkaller.appspotmail.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_ct.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
+index c602b0d698f29..a6c3b7145a105 100644
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -41,6 +41,8 @@ static DEFINE_MUTEX(zones_mutex);
+ struct zones_ht_key {
+       struct net *net;
+       u16 zone;
++      /* Note : pad[] must be the last field. */
++      u8  pad[];
+ };
+ struct tcf_ct_flow_table {
+@@ -57,7 +59,7 @@ struct tcf_ct_flow_table {
+ static const struct rhashtable_params zones_params = {
+       .head_offset = offsetof(struct tcf_ct_flow_table, node),
+       .key_offset = offsetof(struct tcf_ct_flow_table, key),
+-      .key_len = sizeof_field(struct tcf_ct_flow_table, key),
++      .key_len = offsetof(struct zones_ht_key, pad),
+       .automatic_shrinking = true,
+ };
+-- 
+2.43.0
+
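Review bot: The comment `/* Note : pad[] must be the last field. */` states the rule without the reason, and the reason is what a later editor needs. key_len is now `offsetof(struct zones_ht_key, pad)`, so only the bytes before pad[] are hashed and compared, which keeps the uninitialised tail padding out of the lookup. I would word it as `/* pad[] marks the end of the hashed key: key_len is offsetof(pad), so tail padding is never read. Keep it last. */`. The scheme does not cover padding between members, so a field added later with a gap before it would bring uninitialised bytes back into the key unless the on-stack key is zero-initialised. The key's initialisation site is outside this hunk.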
index 2e3d4da510015b32d75c7c34888ab81bcaa71b19..1f9d2724e0b67a5a88351443d4181065f430a8ef 100644 (file)
@@ -346,3 +346,18 @@ mips-loongson64-dts-add-rtc-support-to-loongson-2k10.patch
 mips-loongson64-dts-fix-pcie-port-nodes-for-ls7a.patch
 mips-dts-loongson-fix-liointc-irq-polarity.patch
 mips-dts-loongson-fix-ls2k1000-rtc-interrupt.patch
+drm-nouveau-prime-fix-refcount-underflow.patch
+drm-vmwgfx-fix-overlay-when-using-screen-targets.patch
+sched-act_ct-take-care-of-padding-in-struct-zones_ht.patch
+alsa-hda-conexant-reduce-config_pm-dependencies.patch
+alsa-hda-conexant-fix-headset-auto-detect-fail-in-th.patch
+rtnetlink-enable-alt_ifname-for-setlink-newlink.patch
+rtnetlink-don-t-ignore-ifla_target_netnsid-when-ifna.patch
+net-iucv-fix-use-after-free-in-iucv_sock_close.patch
+net-mvpp2-don-t-re-use-loop-iterator.patch
+netfilter-iptables-fix-null-ptr-deref-in-iptable_nat.patch
+netfilter-iptables-fix-potential-null-ptr-deref-in-i.patch
+net-mlx5e-add-a-check-for-the-return-value-from-mlx5.patch
+ipv6-fix-ndisc_is_useropt-handling-for-pio.patch
+riscv-mm-add-handling-for-vm_fault_sigsegv-in-mm_fau.patch
+power-supply-bq24190_charger-replace-deprecated-strn.patch