--- /dev/null
+From 508465ab03b80157c20352ab9d4c95ed6d8cd72e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 09:59:44 +0200
+Subject: ALSA: docs: Fix a typo of midi2_ump_probe option for snd-usb-audio
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 60edec9beffebd01a49c005221230f3a61fe6587 ]
+
+A simple typo fix: midi2_probe => midi2_ump_probe.
+
+Fixes: febdfa0e9c8a ("ALSA: docs: Update MIDI 2.0 documentation for UMP 1.1 enhancement")
+Link: https://lore.kernel.org/r/20230912075944.14032-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/sound/designs/midi-2.0.rst | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/sound/designs/midi-2.0.rst b/Documentation/sound/designs/midi-2.0.rst
+index 27d0d3dea1b0a..d91fdad524f1f 100644
+--- a/Documentation/sound/designs/midi-2.0.rst
++++ b/Documentation/sound/designs/midi-2.0.rst
+@@ -74,8 +74,8 @@ topology based on those information. When the device is older and
+ doesn't respond to the new UMP inquiries, the driver falls back and
+ builds the topology based on Group Terminal Block (GTB) information
+ from the USB descriptor. Some device might be screwed up by the
+-unexpected UMP command; in such a case, pass `midi2_probe=0` option to
+-snd-usb-audio driver for skipping the UMP v1.1 inquiries.
++unexpected UMP command; in such a case, pass `midi2_ump_probe=0`
++option to snd-usb-audio driver for skipping the UMP v1.1 inquiries.
+
+ When the MIDI 2.0 device is probed, the kernel creates a rawmidi
+ device for each UMP Endpoint of the device. Its device name is
+--
+2.40.1
+
--- /dev/null
+From e90ec38711795d8ffc17882253d27bb6863eee85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 10:33:43 +0500
+Subject: ALSA: hda/realtek: Splitting the UX3402 into two separate models
+
+From: Knyazev Arseniy <poseaydone@ya.ru>
+
+[ Upstream commit 07058dceb038a4b0dd49af07118b6b2a685bb4a6 ]
+
+UX3402VA and UX3402ZA models require different hex values, so comibining
+them into one model is incorrect.
+
+Fixes: 491a4ccd8a02 ("ALSA: hda/realtek: Add quirk for ASUS Zenbook using CS35L41")
+Signed-off-by: Knyazev Arseniy <poseaydone@ya.ru>
+Link: https://lore.kernel.org/r/20230913053343.119798-1-poseaydone@ya.ru
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index dc7b7a407638a..4a13747b2b0f3 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9680,7 +9680,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1043, 0x1d1f, "ASUS ROG Strix G17 2023 (G713PV)", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x1d42, "ASUS Zephyrus G14 2022", ALC289_FIXUP_ASUS_GA401),
+ SND_PCI_QUIRK(0x1043, 0x1d4e, "ASUS TM420", ALC256_FIXUP_ASUS_HPE),
+- SND_PCI_QUIRK(0x1043, 0x1e02, "ASUS UX3402", ALC245_FIXUP_CS35L41_SPI_2),
++ SND_PCI_QUIRK(0x1043, 0x1e02, "ASUS UX3402ZA", ALC245_FIXUP_CS35L41_SPI_2),
++ SND_PCI_QUIRK(0x1043, 0x16a3, "ASUS UX3402VA", ALC245_FIXUP_CS35L41_SPI_2),
+ SND_PCI_QUIRK(0x1043, 0x1e11, "ASUS Zephyrus G15", ALC289_FIXUP_ASUS_GA502),
+ SND_PCI_QUIRK(0x1043, 0x1e12, "ASUS UM3402", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x1e51, "ASUS Zephyrus M15", ALC294_FIXUP_ASUS_GU502_PINS),
+--
+2.40.1
+
--- /dev/null
+From 1eef3f912a660dcecd245ece2cdc5c8bff10f611 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 10:51:44 +0200
+Subject: ALSA: seq: Avoid delivery of events for disabled UMP groups
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 22eefaeab03fe968ab7786fb3d5c5abd203a8bab ]
+
+ALSA sequencer core still delivers events to the disabled UMP Group,
+leaving this handling to the device. But it's rather risky and it's
+easy to imagine that such an unexpected event may screw up the device
+firmware.
+
+This patch avoids the superfluous event deliveries by setting the
+group_filter of the UMP client as default, and evaluate the
+group_filter properly at delivery from non-UMP clients.
+
+The grouop_filter is updated upon the dynamic UMP Function Block
+updates, so that it follows the change of the disabled UMP Groups,
+too.
+
+Fixes: d2b706077792 ("ALSA: seq: Add UMP group filter")
+Link: https://lore.kernel.org/r/20230912085144.32534-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_ump_client.c | 22 ++++++++++++++++++++++
+ sound/core/seq/seq_ump_convert.c | 2 ++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/sound/core/seq/seq_ump_client.c b/sound/core/seq/seq_ump_client.c
+index f26a1812dfa73..a60e3f069a80f 100644
+--- a/sound/core/seq/seq_ump_client.c
++++ b/sound/core/seq/seq_ump_client.c
+@@ -416,6 +416,25 @@ static void setup_client_midi_version(struct seq_ump_client *client)
+ snd_seq_kernel_client_put(cptr);
+ }
+
++/* set up client's group_filter bitmap */
++static void setup_client_group_filter(struct seq_ump_client *client)
++{
++ struct snd_seq_client *cptr;
++ unsigned int filter;
++ int p;
++
++ cptr = snd_seq_kernel_client_get(client->seq_client);
++ if (!cptr)
++ return;
++ filter = ~(1U << 0); /* always allow groupless messages */
++ for (p = 0; p < SNDRV_UMP_MAX_GROUPS; p++) {
++ if (client->groups[p].active)
++ filter &= ~(1U << (p + 1));
++ }
++ cptr->group_filter = filter;
++ snd_seq_kernel_client_put(cptr);
++}
++
+ /* UMP group change notification */
+ static void handle_group_notify(struct work_struct *work)
+ {
+@@ -424,6 +443,7 @@ static void handle_group_notify(struct work_struct *work)
+
+ update_group_attrs(client);
+ update_port_infos(client);
++ setup_client_group_filter(client);
+ }
+
+ /* UMP FB change notification */
+@@ -492,6 +512,8 @@ static int snd_seq_ump_probe(struct device *_dev)
+ goto error;
+ }
+
++ setup_client_group_filter(client);
++
+ err = create_ump_endpoint_port(client);
+ if (err < 0)
+ goto error;
+diff --git a/sound/core/seq/seq_ump_convert.c b/sound/core/seq/seq_ump_convert.c
+index 7cc84e137999c..b141024830ecc 100644
+--- a/sound/core/seq/seq_ump_convert.c
++++ b/sound/core/seq/seq_ump_convert.c
+@@ -1197,6 +1197,8 @@ int snd_seq_deliver_to_ump(struct snd_seq_client *source,
+ struct snd_seq_event *event,
+ int atomic, int hop)
+ {
++ if (dest->group_filter & (1U << dest_port->ump_group))
++ return 0; /* group filtered - skip the event */
+ if (event->type == SNDRV_SEQ_EVENT_SYSEX)
+ return cvt_sysex_to_ump(dest, dest_port, event, atomic, hop);
+ else if (snd_seq_client_is_midi2(dest))
+--
+2.40.1
+
--- /dev/null
+From a8c7759acc93562e6ef739527a8b37233766f31b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 10:27:50 +0200
+Subject: ALSA: seq: ump: Fix -Wformat-truncation warning
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 0d42260867f9ff3e3a5bcfa8750fa06a658e0b1c ]
+
+The filling of a port name string got a warning with W=1 due to the
+potentially too long group name. Add the string precision to limit
+the size.
+
+Fixes: 81fd444aa371 ("ALSA: seq: Bind UMP device")
+Link: https://lore.kernel.org/r/20230915082802.28684-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_ump_client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/core/seq/seq_ump_client.c b/sound/core/seq/seq_ump_client.c
+index a60e3f069a80f..2db371d79930d 100644
+--- a/sound/core/seq/seq_ump_client.c
++++ b/sound/core/seq/seq_ump_client.c
+@@ -207,7 +207,7 @@ static void fill_port_info(struct snd_seq_port_info *port,
+ SNDRV_SEQ_PORT_TYPE_PORT;
+ port->midi_channels = 16;
+ if (*group->name)
+- snprintf(port->name, sizeof(port->name), "Group %d (%s)",
++ snprintf(port->name, sizeof(port->name), "Group %d (%.53s)",
+ group->group + 1, group->name);
+ else
+ sprintf(port->name, "Group %d", group->group + 1);
+--
+2.40.1
+
--- /dev/null
+From dc859509a142b47d2396c019bb26d0af2984a0ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 02:13:44 +0000
+Subject: ASoC: hdaudio.c: Add missing check for devm_kstrdup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+[ Upstream commit c04efbfd76d23157e64e6d6147518c187ab4233a ]
+
+Because of the potential failure of the devm_kstrdup(), the
+dl[i].codecs->name could be NULL.
+Therefore, we need to check it and return -ENOMEM in order to transfer
+the error.
+
+Fixes: 97030a43371e ("ASoC: Intel: avs: Add HDAudio machine board")
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Link: https://lore.kernel.org/r/20230915021344.3078-1-nichen@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/boards/hdaudio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/intel/avs/boards/hdaudio.c b/sound/soc/intel/avs/boards/hdaudio.c
+index cb00bc86ac949..8876558f19a1b 100644
+--- a/sound/soc/intel/avs/boards/hdaudio.c
++++ b/sound/soc/intel/avs/boards/hdaudio.c
+@@ -55,6 +55,9 @@ static int avs_create_dai_links(struct device *dev, struct hda_codec *codec, int
+ return -ENOMEM;
+
+ dl[i].codecs->name = devm_kstrdup(dev, cname, GFP_KERNEL);
++ if (!dl[i].codecs->name)
++ return -ENOMEM;
++
+ dl[i].codecs->dai_name = pcm->name;
+ dl[i].num_codecs = 1;
+ dl[i].num_cpus = 1;
+--
+2.40.1
+
--- /dev/null
+From 3a297ea3f07ea3c33814fa534fb8fdfbf0f4c3fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 14:02:11 +0800
+Subject: ASoC: imx-audmix: Fix return error with devm_clk_get()
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit b19a5733de255cabba5feecabf6e900638b582d1 ]
+
+The devm_clk_get() can return -EPROBE_DEFER error,
+modify the error code to be -EINVAL is not correct, which
+cause the -EPROBE_DEFER error is not correctly handled.
+
+This patch is to fix the return error code.
+
+Fixes: b86ef5367761 ("ASoC: fsl: Add Audio Mixer machine driver")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
+Link: https://lore.kernel.org/r/1694757731-18308-1-git-send-email-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/imx-audmix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/fsl/imx-audmix.c b/sound/soc/fsl/imx-audmix.c
+index 0b58df56f4daa..aeb81aa61184f 100644
+--- a/sound/soc/fsl/imx-audmix.c
++++ b/sound/soc/fsl/imx-audmix.c
+@@ -315,7 +315,7 @@ static int imx_audmix_probe(struct platform_device *pdev)
+ if (IS_ERR(priv->cpu_mclk)) {
+ ret = PTR_ERR(priv->cpu_mclk);
+ dev_err(&cpu_pdev->dev, "failed to get DAI mclk1: %d\n", ret);
+- return -EINVAL;
++ return ret;
+ }
+
+ priv->audmix_pdev = audmix_pdev;
+--
+2.40.1
+
--- /dev/null
+From 311531ed7cee30085f5799d6a5d2cb38bb256ec4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Sep 2023 11:05:04 +0200
+Subject: ASoC: meson: spdifin: start hw on dai probe
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit aedf323b66b2b875137422ecb7d2525179759076 ]
+
+For spdif input to report the locked rate correctly, even when no capture
+is running, the HW and reference clock must be started as soon as
+the dai is probed.
+
+Fixes: 5ce5658375e6 ("ASoC: meson: add axg spdif input")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20230907090504.12700-1-jbrunet@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/axg-spdifin.c | 49 ++++++++++++-----------------------
+ 1 file changed, 17 insertions(+), 32 deletions(-)
+
+diff --git a/sound/soc/meson/axg-spdifin.c b/sound/soc/meson/axg-spdifin.c
+index e2cc4c4be7586..97e81ec4a78ce 100644
+--- a/sound/soc/meson/axg-spdifin.c
++++ b/sound/soc/meson/axg-spdifin.c
+@@ -112,34 +112,6 @@ static int axg_spdifin_prepare(struct snd_pcm_substream *substream,
+ return 0;
+ }
+
+-static int axg_spdifin_startup(struct snd_pcm_substream *substream,
+- struct snd_soc_dai *dai)
+-{
+- struct axg_spdifin *priv = snd_soc_dai_get_drvdata(dai);
+- int ret;
+-
+- ret = clk_prepare_enable(priv->refclk);
+- if (ret) {
+- dev_err(dai->dev,
+- "failed to enable spdifin reference clock\n");
+- return ret;
+- }
+-
+- regmap_update_bits(priv->map, SPDIFIN_CTRL0, SPDIFIN_CTRL0_EN,
+- SPDIFIN_CTRL0_EN);
+-
+- return 0;
+-}
+-
+-static void axg_spdifin_shutdown(struct snd_pcm_substream *substream,
+- struct snd_soc_dai *dai)
+-{
+- struct axg_spdifin *priv = snd_soc_dai_get_drvdata(dai);
+-
+- regmap_update_bits(priv->map, SPDIFIN_CTRL0, SPDIFIN_CTRL0_EN, 0);
+- clk_disable_unprepare(priv->refclk);
+-}
+-
+ static void axg_spdifin_write_mode_param(struct regmap *map, int mode,
+ unsigned int val,
+ unsigned int num_per_reg,
+@@ -251,25 +223,38 @@ static int axg_spdifin_dai_probe(struct snd_soc_dai *dai)
+ ret = axg_spdifin_sample_mode_config(dai, priv);
+ if (ret) {
+ dev_err(dai->dev, "mode configuration failed\n");
+- clk_disable_unprepare(priv->pclk);
+- return ret;
++ goto pclk_err;
+ }
+
++ ret = clk_prepare_enable(priv->refclk);
++ if (ret) {
++ dev_err(dai->dev,
++ "failed to enable spdifin reference clock\n");
++ goto pclk_err;
++ }
++
++ regmap_update_bits(priv->map, SPDIFIN_CTRL0, SPDIFIN_CTRL0_EN,
++ SPDIFIN_CTRL0_EN);
++
+ return 0;
++
++pclk_err:
++ clk_disable_unprepare(priv->pclk);
++ return ret;
+ }
+
+ static int axg_spdifin_dai_remove(struct snd_soc_dai *dai)
+ {
+ struct axg_spdifin *priv = snd_soc_dai_get_drvdata(dai);
+
++ regmap_update_bits(priv->map, SPDIFIN_CTRL0, SPDIFIN_CTRL0_EN, 0);
++ clk_disable_unprepare(priv->refclk);
+ clk_disable_unprepare(priv->pclk);
+ return 0;
+ }
+
+ static const struct snd_soc_dai_ops axg_spdifin_ops = {
+ .prepare = axg_spdifin_prepare,
+- .startup = axg_spdifin_startup,
+- .shutdown = axg_spdifin_shutdown,
+ };
+
+ static int axg_spdifin_iec958_info(struct snd_kcontrol *kcontrol,
+--
+2.40.1
+
--- /dev/null
+From 50decf700276dadc233c02ede3f10481cb27f8c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 13:32:42 +0200
+Subject: ASoC: rt5640: Do not disable/enable IRQ twice on suspend/resume
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 786120ebb649b166021f0212250e8627e53d068a ]
+
+When jack-detect was originally added disabling the IRQ during suspend
+was done by the sound/soc/intel/boards/bytcr_rt5640.c driver
+calling snd_soc_component_set_jack(NULL) on suspend, which calls
+rt5640_disable_jack_detect(), which calls free_irq() which also
+disables it.
+
+Commit 5fabcc90e79b ("ASoC: rt5640: Fix Jack work after system suspend")
+added disable_irq() / enable_irq() calls on suspend/resume for machine
+drivers which do not call snd_soc_component_set_jack(NULL) on suspend.
+
+The new disable_irq() / enable_irq() are made conditional by
+"if (rt5640->irq)" statements, but this is true for the machine drivers
+which do call snd_soc_component_set_jack(NULL) on suspend too, causing
+a disable_irq() call there on the already free-ed IRQ.
+
+Change the "if (rt5640->irq)" condition to "if (rt5640->jack)" to fix this,
+rt5640->jack is only set if the jack-detect IRQ handler is still active
+when rt5640_suspend() runs.
+
+And adjust rt5640_enable_hda_jack_detect()'s request_irq() error handling
+to set rt5640->jack to NULL to match (note that the old setting of irq to
+-ENOXIO still resulted in disable_irq(-ENOXIO) calls on suspend).
+
+Fixes: 5fabcc90e79b ("ASoC: rt5640: Fix Jack work after system suspend")
+Cc: Oder Chiou <oder_chiou@realtek.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20230912113245.320159-4-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5640.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/codecs/rt5640.c b/sound/soc/codecs/rt5640.c
+index 10086755ae82c..c2c82da36c625 100644
+--- a/sound/soc/codecs/rt5640.c
++++ b/sound/soc/codecs/rt5640.c
+@@ -2623,7 +2623,7 @@ static void rt5640_enable_hda_jack_detect(
+ IRQF_TRIGGER_RISING | IRQF_ONESHOT, "rt5640", rt5640);
+ if (ret) {
+ dev_warn(component->dev, "Failed to request IRQ %d: %d\n", rt5640->irq, ret);
+- rt5640->irq = -ENXIO;
++ rt5640->jack = NULL;
+ return;
+ }
+
+@@ -2798,7 +2798,7 @@ static int rt5640_suspend(struct snd_soc_component *component)
+ {
+ struct rt5640_priv *rt5640 = snd_soc_component_get_drvdata(component);
+
+- if (rt5640->irq) {
++ if (rt5640->jack) {
+ /* disable jack interrupts during system suspend */
+ disable_irq(rt5640->irq);
+ }
+@@ -2826,10 +2826,9 @@ static int rt5640_resume(struct snd_soc_component *component)
+ regcache_cache_only(rt5640->regmap, false);
+ regcache_sync(rt5640->regmap);
+
+- if (rt5640->irq)
++ if (rt5640->jack) {
+ enable_irq(rt5640->irq);
+
+- if (rt5640->jack) {
+ if (rt5640->jd_src == RT5640_JD_SRC_HDA_HEADER) {
+ snd_soc_component_update_bits(component,
+ RT5640_DUMMY2, 0x1100, 0x1100);
+--
+2.40.1
+
--- /dev/null
+From ab6e4857f53b2d5cb7704b77901a468ffbd232c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 13:32:43 +0200
+Subject: ASoC: rt5640: Enable the IRQ on resume after configuring jack-detect
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit b5e85e535551bf82242aa5896e14a136ed3c156d ]
+
+The jack-detect IRQ should be enabled *after* the jack-detect related
+configuration registers have been programmed.
+
+Move the enable_irq() call for this to after the register setup.
+
+Fixes: 5fabcc90e79b ("ASoC: rt5640: Fix Jack work after system suspend")
+Cc: Oder Chiou <oder_chiou@realtek.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20230912113245.320159-5-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5640.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/rt5640.c b/sound/soc/codecs/rt5640.c
+index c2c82da36c625..7522a9803d098 100644
+--- a/sound/soc/codecs/rt5640.c
++++ b/sound/soc/codecs/rt5640.c
+@@ -2827,8 +2827,6 @@ static int rt5640_resume(struct snd_soc_component *component)
+ regcache_sync(rt5640->regmap);
+
+ if (rt5640->jack) {
+- enable_irq(rt5640->irq);
+-
+ if (rt5640->jd_src == RT5640_JD_SRC_HDA_HEADER) {
+ snd_soc_component_update_bits(component,
+ RT5640_DUMMY2, 0x1100, 0x1100);
+@@ -2855,6 +2853,7 @@ static int rt5640_resume(struct snd_soc_component *component)
+ }
+ }
+
++ enable_irq(rt5640->irq);
+ queue_delayed_work(system_long_wq, &rt5640->jack_work, 0);
+ }
+
+--
+2.40.1
+
--- /dev/null
+From 50beba35f5ed79463be170badf087371ad369e68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 13:32:44 +0200
+Subject: ASoC: rt5640: Fix IRQ not being free-ed for HDA jack detect mode
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 8c8bf3df6b7c0ed1c4dd373b23eb0ce13a63f452 ]
+
+Set "rt5640->irq_requested = true" after a successful request_irq()
+in rt5640_enable_hda_jack_detect(), so that rt5640_disable_jack_detect()
+properly frees the IRQ.
+
+This fixes the IRQ not being freed on rmmod / driver unbind.
+
+Fixes: 2b9c8d2b3c89 ("ASoC: rt5640: Add the HDA header support")
+Cc: Oder Chiou <oder_chiou@realtek.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20230912113245.320159-6-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5640.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/codecs/rt5640.c b/sound/soc/codecs/rt5640.c
+index 7522a9803d098..a39d556ad1a10 100644
+--- a/sound/soc/codecs/rt5640.c
++++ b/sound/soc/codecs/rt5640.c
+@@ -2626,6 +2626,7 @@ static void rt5640_enable_hda_jack_detect(
+ rt5640->jack = NULL;
+ return;
+ }
++ rt5640->irq_requested = true;
+
+ /* sync initial jack state */
+ queue_delayed_work(system_long_wq, &rt5640->jack_work, 0);
+--
+2.40.1
+
--- /dev/null
+From 643be49e845e34f48f59e17b4269d3816ae07c97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 13:32:41 +0200
+Subject: ASoC: rt5640: Fix sleep in atomic context
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit df7d595f6bd9dc96cc275cc4b0f313fcfa423c58 ]
+
+Following prints are observed while testing audio on Jetson AGX Orin which
+has onboard RT5640 audio codec:
+
+ BUG: sleeping function called from invalid context at kernel/workqueue.c:3027
+ in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 0, name: swapper/0
+ preempt_count: 10001, expected: 0
+ RCU nest depth: 0, expected: 0
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 0 at kernel/irq/handle.c:159 __handle_irq_event_percpu+0x1e0/0x270
+ ---[ end trace ad1c64905aac14a6 ]-
+
+The IRQ handler rt5640_irq() runs in interrupt context and can sleep
+during cancel_delayed_work_sync().
+
+The only thing which rt5640_irq() does is cancel + (re-)queue
+the jack_work delayed_work. This can be done in a single non sleeping
+call by replacing queue_delayed_work() with mod_delayed_work(),
+avoiding the sleep in atomic context.
+
+Fixes: 051dade34695 ("ASoC: rt5640: Fix the wrong state of JD1 and JD2")
+Reported-by: Sameer Pujar <spujar@nvidia.com>
+Closes: https://lore.kernel.org/r/1688015537-31682-4-git-send-email-spujar@nvidia.com
+Cc: Oder Chiou <oder_chiou@realtek.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20230912113245.320159-3-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5640.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/codecs/rt5640.c b/sound/soc/codecs/rt5640.c
+index 7ec930fb9aab5..24c1ed1c40589 100644
+--- a/sound/soc/codecs/rt5640.c
++++ b/sound/soc/codecs/rt5640.c
+@@ -2404,13 +2404,11 @@ static irqreturn_t rt5640_irq(int irq, void *data)
+ struct rt5640_priv *rt5640 = data;
+ int delay = 0;
+
+- if (rt5640->jd_src == RT5640_JD_SRC_HDA_HEADER) {
+- cancel_delayed_work_sync(&rt5640->jack_work);
++ if (rt5640->jd_src == RT5640_JD_SRC_HDA_HEADER)
+ delay = 100;
+- }
+
+ if (rt5640->jack)
+- queue_delayed_work(system_long_wq, &rt5640->jack_work, delay);
++ mod_delayed_work(system_long_wq, &rt5640->jack_work, delay);
+
+ return IRQ_HANDLED;
+ }
+--
+2.40.1
+
--- /dev/null
+From 83e4c04b6bbf7437a441b8cb17d4e5d689f3baa7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Aug 2023 06:33:45 -0700
+Subject: ASoC: rt5640: fix typos
+
+From: Senhong Liu <liusenhong2022@email.szu.edu.cn>
+
+[ Upstream commit 8e6657159131f90b746572f6a5bd622b3ccac82d ]
+
+I noticed typos and i fixed them.
+
+Signed-off-by: Senhong Liu <liusenhong2022@email.szu.edu.cn>
+Link: https://lore.kernel.org/r/20230819133345.39961-1-liusenhong2022@email.szu.edu.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: 786120ebb649 ("ASoC: rt5640: Do not disable/enable IRQ twice on suspend/resume")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5640.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/rt5640.c b/sound/soc/codecs/rt5640.c
+index 24c1ed1c40589..10086755ae82c 100644
+--- a/sound/soc/codecs/rt5640.c
++++ b/sound/soc/codecs/rt5640.c
+@@ -2568,7 +2568,7 @@ static void rt5640_enable_jack_detect(struct snd_soc_component *component,
+ IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+ "rt5640", rt5640);
+ if (ret) {
+- dev_warn(component->dev, "Failed to reguest IRQ %d: %d\n", rt5640->irq, ret);
++ dev_warn(component->dev, "Failed to request IRQ %d: %d\n", rt5640->irq, ret);
+ rt5640_disable_jack_detect(component);
+ return;
+ }
+@@ -2622,7 +2622,7 @@ static void rt5640_enable_hda_jack_detect(
+ ret = request_irq(rt5640->irq, rt5640_irq,
+ IRQF_TRIGGER_RISING | IRQF_ONESHOT, "rt5640", rt5640);
+ if (ret) {
+- dev_warn(component->dev, "Failed to reguest IRQ %d: %d\n", rt5640->irq, ret);
++ dev_warn(component->dev, "Failed to request IRQ %d: %d\n", rt5640->irq, ret);
+ rt5640->irq = -ENXIO;
+ return;
+ }
+--
+2.40.1
+
--- /dev/null
+From f0694dcc97f64b6bb2fecca8c13b78dc868d02e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 13:32:40 +0200
+Subject: ASoC: rt5640: Revert "Fix sleep in atomic context"
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit fa6a0c0c1dd53b3949ca56bf7213648dfd6a62ee ]
+
+Commit 70a6404ff610 ("ASoC: rt5640: Fix sleep in atomic context")
+not only switched from request_irq() to request_threaded_irq(),
+to fix the sleep in atomic context issue, but it also added
+devm management of the IRQ by actually switching to
+devm_request_threaded_irq() (without any explanation in the commit
+message for this change).
+
+This is wrong since the IRQ was already explicitly managed by
+the driver. On unbind the ASoC core will call rt5640_set_jack(NULL)
+which in turn will call rt5640_disable_jack_detect() which
+frees the IRQ already. So now we have a double free.
+
+Besides the unexplained switch to devm being wrong, the actual fix
+for the sleep in atomic context issue also is not the best solution.
+
+The only thing which rt5640_irq() does is cancel + (re-)queue
+the jack_work delayed_work. This can be done in a single non sleeping
+call by replacing queue_delayed_work() with mod_delayed_work(),
+which does not sleep. Using mod_delayed_work() is a much better fix
+then adding a thread which does nothing other then queuing a work-item.
+
+This patch is a straight revert of the troublesome changes, the switch
+to mod_delayed_work() is done in a separate follow-up patch.
+
+Fixes: 70a6404ff610 ("ASoC: rt5640: Fix sleep in atomic context")
+Cc: Sameer Pujar <spujar@nvidia.com>
+Cc: Oder Chiou <oder_chiou@realtek.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20230912113245.320159-2-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5640.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/sound/soc/codecs/rt5640.c b/sound/soc/codecs/rt5640.c
+index eceed82097877..7ec930fb9aab5 100644
+--- a/sound/soc/codecs/rt5640.c
++++ b/sound/soc/codecs/rt5640.c
+@@ -2566,10 +2566,9 @@ static void rt5640_enable_jack_detect(struct snd_soc_component *component,
+ if (jack_data && jack_data->use_platform_clock)
+ rt5640->use_platform_clock = jack_data->use_platform_clock;
+
+- ret = devm_request_threaded_irq(component->dev, rt5640->irq,
+- NULL, rt5640_irq,
+- IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+- "rt5640", rt5640);
++ ret = request_irq(rt5640->irq, rt5640_irq,
++ IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
++ "rt5640", rt5640);
+ if (ret) {
+ dev_warn(component->dev, "Failed to reguest IRQ %d: %d\n", rt5640->irq, ret);
+ rt5640_disable_jack_detect(component);
+@@ -2622,9 +2621,8 @@ static void rt5640_enable_hda_jack_detect(
+
+ rt5640->jack = jack;
+
+- ret = devm_request_threaded_irq(component->dev, rt5640->irq,
+- NULL, rt5640_irq, IRQF_TRIGGER_RISING | IRQF_ONESHOT,
+- "rt5640", rt5640);
++ ret = request_irq(rt5640->irq, rt5640_irq,
++ IRQF_TRIGGER_RISING | IRQF_ONESHOT, "rt5640", rt5640);
+ if (ret) {
+ dev_warn(component->dev, "Failed to reguest IRQ %d: %d\n", rt5640->irq, ret);
+ rt5640->irq = -ENXIO;
+--
+2.40.1
+
--- /dev/null
+From d029481edba69864618efb42a540276146b7ab0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 15:40:15 +0300
+Subject: ASoC: SOF: core: Only call sof_ops_free() on remove if the probe was
+ successful
+
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+
+[ Upstream commit 31bb7bd9ffee50d09ec931998b823a86132ab807 ]
+
+All the fail paths during probe will free up the ops, on remove we should
+only free it if the probe was successful.
+
+Fixes: bc433fd76fae ("ASoC: SOF: Add ops_free")
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Rander Wang <rander.wang@intel.com>
+Link: https://lore.kernel.org/r/20230915124015.19637-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sound/soc/sof/core.c b/sound/soc/sof/core.c
+index 30db685cc5f4b..2d1616b81485c 100644
+--- a/sound/soc/sof/core.c
++++ b/sound/soc/sof/core.c
+@@ -486,10 +486,9 @@ int snd_sof_device_remove(struct device *dev)
+ snd_sof_ipc_free(sdev);
+ snd_sof_free_debug(sdev);
+ snd_sof_remove(sdev);
++ sof_ops_free(sdev);
+ }
+
+- sof_ops_free(sdev);
+-
+ /* release firmware */
+ snd_sof_fw_unload(sdev);
+
+--
+2.40.1
+
--- /dev/null
+From 09b07441a991905b7312bbc4151ed3f9046c9b01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Sep 2023 16:25:04 +0300
+Subject: ASoC: SOF: ipc4-topology: fix wrong sizeof argument
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bard Liao <yung-chuan.liao@linux.intel.com>
+
+[ Upstream commit 6ba59c008f08e84b3c87be10f3391c9735e4f833 ]
+
+available_fmt is a pointer.
+
+Fixes: 4fdef47a44d6 ("ASoC: SOF: ipc4-topology: Add new tokens for input/output pin format count")
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://lore.kernel.org/r/20230914132504.18463-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/ipc4-topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c
+index 11361e1cd6881..8fb6582e568e7 100644
+--- a/sound/soc/sof/ipc4-topology.c
++++ b/sound/soc/sof/ipc4-topology.c
+@@ -218,7 +218,7 @@ static int sof_ipc4_get_audio_fmt(struct snd_soc_component *scomp,
+
+ ret = sof_update_ipc_object(scomp, available_fmt,
+ SOF_AUDIO_FMT_NUM_TOKENS, swidget->tuples,
+- swidget->num_tuples, sizeof(available_fmt), 1);
++ swidget->num_tuples, sizeof(*available_fmt), 1);
+ if (ret) {
+ dev_err(scomp->dev, "Failed to parse audio format token count\n");
+ return ret;
+--
+2.40.1
+
--- /dev/null
+From 16fc34ad3a3294aca7e8d6e7150e015078650796 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 17:36:10 +0200
+Subject: bnxt_en: Flush XDP for bnxt_poll_nitroa0()'s NAPI
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit edc0140cc3b7b91874ebe70eb7d2a851e8817ccc ]
+
+bnxt_poll_nitroa0() invokes bnxt_rx_pkt() which can run a XDP program
+which in turn can return XDP_REDIRECT. bnxt_rx_pkt() is also used by
+__bnxt_poll_work() which flushes (xdp_do_flush()) the packets after each
+round. bnxt_poll_nitroa0() lacks this feature.
+xdp_do_flush() should be invoked before leaving the NAPI callback.
+
+Invoke xdp_do_flush() after a redirect in bnxt_poll_nitroa0() NAPI.
+
+Cc: Michael Chan <michael.chan@broadcom.com>
+Fixes: f18c2b77b2e4e ("bnxt_en: optimized XDP_REDIRECT support")
+Reviewed-by: Andy Gospodarek <gospo@broadcom.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Acked-by: Jesper Dangaard Brouer <hawk@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 1eb490c48c52e..3325e7021745f 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -2626,6 +2626,7 @@ static int bnxt_poll_nitroa0(struct napi_struct *napi, int budget)
+ struct rx_cmp_ext *rxcmp1;
+ u32 cp_cons, tmp_raw_cons;
+ u32 raw_cons = cpr->cp_raw_cons;
++ bool flush_xdp = false;
+ u32 rx_pkts = 0;
+ u8 event = 0;
+
+@@ -2660,6 +2661,8 @@ static int bnxt_poll_nitroa0(struct napi_struct *napi, int budget)
+ rx_pkts++;
+ else if (rc == -EBUSY) /* partial completion */
+ break;
++ if (event & BNXT_REDIRECT_EVENT)
++ flush_xdp = true;
+ } else if (unlikely(TX_CMP_TYPE(txcmp) ==
+ CMPL_BASE_TYPE_HWRM_DONE)) {
+ bnxt_hwrm_handler(bp, txcmp);
+@@ -2679,6 +2682,8 @@ static int bnxt_poll_nitroa0(struct napi_struct *napi, int budget)
+
+ if (event & BNXT_AGG_EVENT)
+ bnxt_db_write(bp, &rxr->rx_agg_db, rxr->rx_agg_prod);
++ if (flush_xdp)
++ xdp_do_flush();
+
+ if (!bnxt_has_work(bp, cpr) && rx_pkts < budget) {
+ napi_complete_done(napi, rx_pkts);
+--
+2.40.1
+
--- /dev/null
+From 3009673e9d2661bf1caec7d9627576daf7708131 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 15:28:14 +0200
+Subject: bpf: Avoid deadlock when using queue and stack maps from NMI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit a34a9f1a19afe9c60ca0ea61dfeee63a1c2baac8 ]
+
+Sysbot discovered that the queue and stack maps can deadlock if they are
+being used from a BPF program that can be called from NMI context (such as
+one that is attached to a perf HW counter event). To fix this, add an
+in_nmi() check and use raw_spin_trylock() in NMI context, erroring out if
+grabbing the lock fails.
+
+Fixes: f1a2e44a3aec ("bpf: add queue and stack maps")
+Reported-by: Hsin-Wei Hung <hsinweih@uci.edu>
+Tested-by: Hsin-Wei Hung <hsinweih@uci.edu>
+Co-developed-by: Hsin-Wei Hung <hsinweih@uci.edu>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/r/20230911132815.717240-1-toke@redhat.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/queue_stack_maps.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/bpf/queue_stack_maps.c b/kernel/bpf/queue_stack_maps.c
+index 8d2ddcb7566b7..d869f51ea93a0 100644
+--- a/kernel/bpf/queue_stack_maps.c
++++ b/kernel/bpf/queue_stack_maps.c
+@@ -98,7 +98,12 @@ static long __queue_map_get(struct bpf_map *map, void *value, bool delete)
+ int err = 0;
+ void *ptr;
+
+- raw_spin_lock_irqsave(&qs->lock, flags);
++ if (in_nmi()) {
++ if (!raw_spin_trylock_irqsave(&qs->lock, flags))
++ return -EBUSY;
++ } else {
++ raw_spin_lock_irqsave(&qs->lock, flags);
++ }
+
+ if (queue_stack_map_is_empty(qs)) {
+ memset(value, 0, qs->map.value_size);
+@@ -128,7 +133,12 @@ static long __stack_map_get(struct bpf_map *map, void *value, bool delete)
+ void *ptr;
+ u32 index;
+
+- raw_spin_lock_irqsave(&qs->lock, flags);
++ if (in_nmi()) {
++ if (!raw_spin_trylock_irqsave(&qs->lock, flags))
++ return -EBUSY;
++ } else {
++ raw_spin_lock_irqsave(&qs->lock, flags);
++ }
+
+ if (queue_stack_map_is_empty(qs)) {
+ memset(value, 0, qs->map.value_size);
+@@ -193,7 +203,12 @@ static long queue_stack_map_push_elem(struct bpf_map *map, void *value,
+ if (flags & BPF_NOEXIST || flags > BPF_EXIST)
+ return -EINVAL;
+
+- raw_spin_lock_irqsave(&qs->lock, irq_flags);
++ if (in_nmi()) {
++ if (!raw_spin_trylock_irqsave(&qs->lock, irq_flags))
++ return -EBUSY;
++ } else {
++ raw_spin_lock_irqsave(&qs->lock, irq_flags);
++ }
+
+ if (queue_stack_map_is_full(qs)) {
+ if (!replace) {
+--
+2.40.1
+
--- /dev/null
+From 8bc0eb464185d6cc5586cb97367da894324561be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 03:55:37 +0300
+Subject: bpf: Avoid dummy bpf_offload_netdev in __bpf_prog_dev_bound_init
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 1a49f4195d3498fe458a7f5ff7ec5385da70d92e ]
+
+Fix for a bug observable under the following sequence of events:
+1. Create a network device that does not support XDP offload.
+2. Load a device bound XDP program with BPF_F_XDP_DEV_BOUND_ONLY flag
+ (such programs are not offloaded).
+3. Load a device bound XDP program with zero flags
+ (such programs are offloaded).
+
+At step (2) __bpf_prog_dev_bound_init() associates with device (1)
+a dummy bpf_offload_netdev struct with .offdev field set to NULL.
+At step (3) __bpf_prog_dev_bound_init() would reuse dummy struct
+allocated at step (2).
+However, downstream usage of the bpf_offload_netdev assumes that
+.offdev field can't be NULL, e.g. in bpf_prog_offload_verifier_prep().
+
+Adjust __bpf_prog_dev_bound_init() to require bpf_offload_netdev
+with non-NULL .offdev for offloaded BPF programs.
+
+Fixes: 2b3486bc2d23 ("bpf: Introduce device-bound XDP programs")
+Reported-by: syzbot+291100dcb32190ec02a8@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/bpf/000000000000d97f3c060479c4f8@google.com/
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20230912005539.2248244-2-eddyz87@gmail.com
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/offload.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/bpf/offload.c b/kernel/bpf/offload.c
+index 8a26cd8814c1b..e842229123ffc 100644
+--- a/kernel/bpf/offload.c
++++ b/kernel/bpf/offload.c
+@@ -198,12 +198,14 @@ static int __bpf_prog_dev_bound_init(struct bpf_prog *prog, struct net_device *n
+ offload->netdev = netdev;
+
+ ondev = bpf_offload_find_netdev(offload->netdev);
++ /* When program is offloaded require presence of "true"
++ * bpf_offload_netdev, avoid the one created for !ondev case below.
++ */
++ if (bpf_prog_is_offloaded(prog->aux) && (!ondev || !ondev->offdev)) {
++ err = -EINVAL;
++ goto err_free;
++ }
+ if (!ondev) {
+- if (bpf_prog_is_offloaded(prog->aux)) {
+- err = -EINVAL;
+- goto err_free;
+- }
+-
+ /* When only binding to the device, explicitly
+ * create an entry in the hashtable.
+ */
+--
+2.40.1
+
--- /dev/null
+From 700110c16d4e27592beb2a16f606263856bba573 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 18:33:35 +0200
+Subject: bpf: Fix a erroneous check after snprintf()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit a8f12572860ad8ba659d96eee9cf09e181f6ebcc ]
+
+snprintf() does not return negative error code on error, it returns the
+number of characters which *would* be generated for the given input.
+
+Fix the error handling check.
+
+Fixes: 57539b1c0ac2 ("bpf: Enable annotating trusted nested pointers")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/393bdebc87b22563c08ace094defa7160eb7a6c0.1694190795.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/btf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index 4b38c97990872..197d8252ffc65 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -8498,7 +8498,7 @@ bool btf_nested_type_is_trusted(struct bpf_verifier_log *log,
+ tname = btf_name_by_offset(btf, walk_type->name_off);
+
+ ret = snprintf(safe_tname, sizeof(safe_tname), "%s%s", tname, suffix);
+- if (ret < 0)
++ if (ret >= sizeof(safe_tname))
+ return false;
+
+ safe_id = btf_find_by_name_kind(btf, safe_tname, BTF_INFO_KIND(walk_type->info));
+--
+2.40.1
+
--- /dev/null
+From 8d294d8b2ced0cd7de71ef504c28457b34aa65af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 13:06:03 -0700
+Subject: Compiler Attributes: counted_by: Adjust name and identifier expansion
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit c8248faf3ca276ebdf60f003b3e04bf764daba91 ]
+
+GCC and Clang's current RFCs name this attribute "counted_by", and have
+moved away from using a string for the member name. Update the kernel's
+macros to match. Additionally provide a UAPI no-op macro for UAPI structs
+that will gain annotations.
+
+Cc: Miguel Ojeda <ojeda@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Fixes: dd06e72e68bc ("Compiler Attributes: Add __counted_by macro")
+Acked-by: Miguel Ojeda <ojeda@kernel.org>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/r/20230817200558.never.077-kees@kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Stable-dep-of: 32a4ec211d41 ("uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/compiler_attributes.h | 26 +++++++++++++-------------
+ include/uapi/linux/stddef.h | 4 ++++
+ 2 files changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h
+index 00efa35c350f6..28566624f008f 100644
+--- a/include/linux/compiler_attributes.h
++++ b/include/linux/compiler_attributes.h
+@@ -94,6 +94,19 @@
+ # define __copy(symbol)
+ #endif
+
++/*
++ * Optional: only supported since gcc >= 14
++ * Optional: only supported since clang >= 18
++ *
++ * gcc: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
++ * clang: https://reviews.llvm.org/D148381
++ */
++#if __has_attribute(__counted_by__)
++# define __counted_by(member) __attribute__((__counted_by__(member)))
++#else
++# define __counted_by(member)
++#endif
++
+ /*
+ * Optional: not supported by gcc
+ * Optional: only supported since clang >= 14.0
+@@ -129,19 +142,6 @@
+ # define __designated_init
+ #endif
+
+-/*
+- * Optional: only supported since gcc >= 14
+- * Optional: only supported since clang >= 17
+- *
+- * gcc: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108896
+- * clang: https://reviews.llvm.org/D148381
+- */
+-#if __has_attribute(__element_count__)
+-# define __counted_by(member) __attribute__((__element_count__(#member)))
+-#else
+-# define __counted_by(member)
+-#endif
+-
+ /*
+ * Optional: only supported since clang >= 14.0
+ *
+diff --git a/include/uapi/linux/stddef.h b/include/uapi/linux/stddef.h
+index 7837ba4fe7289..7c3fc39808811 100644
+--- a/include/uapi/linux/stddef.h
++++ b/include/uapi/linux/stddef.h
+@@ -45,3 +45,7 @@
+ TYPE NAME[]; \
+ }
+ #endif
++
++#ifndef __counted_by
++#define __counted_by(m)
++#endif
+--
+2.40.1
+
--- /dev/null
+From 78bcbab2b2e8ac6b5c3b4be327b26a4661396f77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 19:00:35 +0000
+Subject: dccp: fix dccp_v4_err()/dccp_v6_err() again
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 6af289746a636f71f4c0535a9801774118486c7a ]
+
+dh->dccph_x is the 9th byte (offset 8) in "struct dccp_hdr",
+not in the "byte 7" as Jann claimed.
+
+We need to make sure the ICMP messages are big enough,
+using more standard ways (no more assumptions).
+
+syzbot reported:
+BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2667 [inline]
+BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2681 [inline]
+BUG: KMSAN: uninit-value in dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94
+pskb_may_pull_reason include/linux/skbuff.h:2667 [inline]
+pskb_may_pull include/linux/skbuff.h:2681 [inline]
+dccp_v6_err+0x426/0x1aa0 net/dccp/ipv6.c:94
+icmpv6_notify+0x4c7/0x880 net/ipv6/icmp.c:867
+icmpv6_rcv+0x19d5/0x30d0
+ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438
+ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
+NF_HOOK include/linux/netfilter.h:304 [inline]
+ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
+ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
+dst_input include/net/dst.h:468 [inline]
+ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79
+NF_HOOK include/linux/netfilter.h:304 [inline]
+ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310
+__netif_receive_skb_one_core net/core/dev.c:5523 [inline]
+__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637
+netif_receive_skb_internal net/core/dev.c:5723 [inline]
+netif_receive_skb+0x58/0x660 net/core/dev.c:5782
+tun_rx_batched+0x83b/0x920
+tun_get_user+0x564c/0x6940 drivers/net/tun.c:2002
+tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
+call_write_iter include/linux/fs.h:1985 [inline]
+new_sync_write fs/read_write.c:491 [inline]
+vfs_write+0x8ef/0x15c0 fs/read_write.c:584
+ksys_write+0x20f/0x4c0 fs/read_write.c:637
+__do_sys_write fs/read_write.c:649 [inline]
+__se_sys_write fs/read_write.c:646 [inline]
+__x64_sys_write+0x93/0xd0 fs/read_write.c:646
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Uninit was created at:
+slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
+slab_alloc_node mm/slub.c:3478 [inline]
+kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
+kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559
+__alloc_skb+0x318/0x740 net/core/skbuff.c:650
+alloc_skb include/linux/skbuff.h:1286 [inline]
+alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6313
+sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2795
+tun_alloc_skb drivers/net/tun.c:1531 [inline]
+tun_get_user+0x23cf/0x6940 drivers/net/tun.c:1846
+tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
+call_write_iter include/linux/fs.h:1985 [inline]
+new_sync_write fs/read_write.c:491 [inline]
+vfs_write+0x8ef/0x15c0 fs/read_write.c:584
+ksys_write+0x20f/0x4c0 fs/read_write.c:637
+__do_sys_write fs/read_write.c:649 [inline]
+__se_sys_write fs/read_write.c:646 [inline]
+__x64_sys_write+0x93/0xd0 fs/read_write.c:646
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+CPU: 0 PID: 4995 Comm: syz-executor153 Not tainted 6.6.0-rc1-syzkaller-00014-ga747acc0b752 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
+
+Fixes: 977ad86c2a1b ("dccp: Fix out of bounds access in DCCP error handler")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jann Horn <jannh@google.com>
+Reviewed-by: Jann Horn <jannh@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dccp/ipv4.c | 9 ++-------
+ net/dccp/ipv6.c | 9 ++-------
+ 2 files changed, 4 insertions(+), 14 deletions(-)
+
+diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
+index a5361fb7a415b..fa14eef8f0688 100644
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -255,13 +255,8 @@ static int dccp_v4_err(struct sk_buff *skb, u32 info)
+ int err;
+ struct net *net = dev_net(skb->dev);
+
+- /* For the first __dccp_basic_hdr_len() check, we only need dh->dccph_x,
+- * which is in byte 7 of the dccp header.
+- * Our caller (icmp_socket_deliver()) already pulled 8 bytes for us.
+- *
+- * Later on, we want to access the sequence number fields, which are
+- * beyond 8 bytes, so we have to pskb_may_pull() ourselves.
+- */
++ if (!pskb_may_pull(skb, offset + sizeof(*dh)))
++ return -EINVAL;
+ dh = (struct dccp_hdr *)(skb->data + offset);
+ if (!pskb_may_pull(skb, offset + __dccp_basic_hdr_len(dh)))
+ return -EINVAL;
+diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
+index 33f6ccf6ba77b..c693a570682fb 100644
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -83,13 +83,8 @@ static int dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
+ __u64 seq;
+ struct net *net = dev_net(skb->dev);
+
+- /* For the first __dccp_basic_hdr_len() check, we only need dh->dccph_x,
+- * which is in byte 7 of the dccp header.
+- * Our caller (icmpv6_notify()) already pulled 8 bytes for us.
+- *
+- * Later on, we want to access the sequence number fields, which are
+- * beyond 8 bytes, so we have to pskb_may_pull() ourselves.
+- */
++ if (!pskb_may_pull(skb, offset + sizeof(*dh)))
++ return -EINVAL;
+ dh = (struct dccp_hdr *)(skb->data + offset);
+ if (!pskb_may_pull(skb, offset + __dccp_basic_hdr_len(dh)))
+ return -EINVAL;
+--
+2.40.1
+
--- /dev/null
+From 3715e836ea0e71d4c1ab58092414d441f0e6f0a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 09:08:24 +0300
+Subject: drm/virtio: clean out_fence on complete_submit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Pekkarinen <jose.pekkarinen@foxhound.fi>
+
+[ Upstream commit 4556b93f6c026c62c93e7acc22838224ac2e2eba ]
+
+The removed line prevents the following cleanup function
+to execute a dma_fence_put on the out_fence to free its
+memory, producing the following output in kmemleak:
+
+unreferenced object 0xffff888126d8ee00 (size 128):
+ comm "kwin_wayland", pid 981, jiffies 4295380296 (age 390.060s)
+ hex dump (first 32 bytes):
+ c8 a1 c2 27 81 88 ff ff e0 14 a9 c0 ff ff ff ff ...'............
+ 30 1a e1 2e a6 00 00 00 28 fc 5b 17 81 88 ff ff 0.......(.[.....
+ backtrace:
+ [<0000000011655661>] kmalloc_trace+0x26/0xa0
+ [<0000000055f15b82>] virtio_gpu_fence_alloc+0x47/0xc0 [virtio_gpu]
+ [<00000000fa6d96f9>] virtio_gpu_execbuffer_ioctl+0x1a8/0x800 [virtio_gpu]
+ [<00000000e6cb5105>] drm_ioctl_kernel+0x169/0x240 [drm]
+ [<000000005ad33e27>] drm_ioctl+0x399/0x6b0 [drm]
+ [<00000000a19dbf65>] __x64_sys_ioctl+0xc5/0x100
+ [<0000000011fa801e>] do_syscall_64+0x5b/0xc0
+ [<0000000065c76d8a>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+unreferenced object 0xffff888121930500 (size 128):
+ comm "kwin_wayland", pid 981, jiffies 4295380313 (age 390.096s)
+ hex dump (first 32 bytes):
+ c8 a1 c2 27 81 88 ff ff e0 14 a9 c0 ff ff ff ff ...'............
+ f9 ec d7 2f a6 00 00 00 28 fc 5b 17 81 88 ff ff .../....(.[.....
+ backtrace:
+ [<0000000011655661>] kmalloc_trace+0x26/0xa0
+ [<0000000055f15b82>] virtio_gpu_fence_alloc+0x47/0xc0 [virtio_gpu]
+ [<00000000fa6d96f9>] virtio_gpu_execbuffer_ioctl+0x1a8/0x800 [virtio_gpu]
+ [<00000000e6cb5105>] drm_ioctl_kernel+0x169/0x240 [drm]
+ [<000000005ad33e27>] drm_ioctl+0x399/0x6b0 [drm]
+ [<00000000a19dbf65>] __x64_sys_ioctl+0xc5/0x100
+ [<0000000011fa801e>] do_syscall_64+0x5b/0xc0
+ [<0000000065c76d8a>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[...]
+
+This memleak will grow quickly, being possible to see the
+following line in dmesg after few minutes of life in the
+virtual machine:
+
+[ 706.217388] kmemleak: 10731 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
+
+The patch will remove the line to allow the cleanup
+function do its job.
+
+Signed-off-by: José Pekkarinen <jose.pekkarinen@foxhound.fi>
+Fixes: e4812ab8e6b1 ("drm/virtio: Refactor and optimize job submission code path")
+Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230912060824.5210-1-jose.pekkarinen@foxhound.fi
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_submit.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_submit.c b/drivers/gpu/drm/virtio/virtgpu_submit.c
+index 1d010c66910d8..aa61e7993e21b 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_submit.c
++++ b/drivers/gpu/drm/virtio/virtgpu_submit.c
+@@ -147,7 +147,6 @@ static void virtio_gpu_complete_submit(struct virtio_gpu_submit *submit)
+ submit->buf = NULL;
+ submit->buflist = NULL;
+ submit->sync_file = NULL;
+- submit->out_fence = NULL;
+ submit->out_fence_fd = -1;
+ }
+
+--
+2.40.1
+
--- /dev/null
+From a00c68ff5e081ab2e4cb3e8d4e8efd7fda70e784 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Sep 2023 17:44:57 +0200
+Subject: i40e: Fix VF VLAN offloading when port VLAN is configured
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit d0d362ffa33da4acdcf7aee2116ceef8c8fef658 ]
+
+If port VLAN is configured on a VF then any other VLANs on top of this VF
+are broken.
+
+During i40e_ndo_set_vf_port_vlan() call the i40e driver reset the VF and
+iavf driver asks PF (using VIRTCHNL_OP_GET_VF_RESOURCES) for VF capabilities
+but this reset occurs too early, prior setting of vf->info.pvid field
+and because this field can be zero during i40e_vc_get_vf_resources_msg()
+then VIRTCHNL_VF_OFFLOAD_VLAN capability is reported to iavf driver.
+
+This is wrong because iavf driver should not report VLAN offloading
+capability when port VLAN is configured as i40e does not support QinQ
+offloading.
+
+Fix the issue by moving VF reset after setting of vf->port_vlan_id
+field.
+
+Without this patch:
+$ echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs
+$ ip link set enp2s0f0 vf 0 vlan 3
+$ ip link set enp2s0f0v0 up
+$ ip link add link enp2s0f0v0 name vlan4 type vlan id 4
+$ ip link set vlan4 up
+...
+$ ethtool -k enp2s0f0v0 | grep vlan-offload
+rx-vlan-offload: on
+tx-vlan-offload: on
+$ dmesg -l err | grep iavf
+[1292500.742914] iavf 0000:02:02.0: Failed to add VLAN filter, error IAVF_ERR_INVALID_QP_ID
+
+With this patch:
+$ echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs
+$ ip link set enp2s0f0 vf 0 vlan 3
+$ ip link set enp2s0f0v0 up
+$ ip link add link enp2s0f0v0 name vlan4 type vlan id 4
+$ ip link set vlan4 up
+...
+$ ethtool -k enp2s0f0v0 | grep vlan-offload
+rx-vlan-offload: off [requested on]
+tx-vlan-offload: off [requested on]
+$ dmesg -l err | grep iavf
+
+Fixes: f9b4b6278d51 ("i40e: Reset the VF upon conflicting VLAN configuration")
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+index be59ba3774e15..c1e1e8912350b 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+@@ -4464,9 +4464,7 @@ int i40e_ndo_set_vf_port_vlan(struct net_device *netdev, int vf_id,
+ goto error_pvid;
+
+ i40e_vlan_stripping_enable(vsi);
+- i40e_vc_reset_vf(vf, true);
+- /* During reset the VF got a new VSI, so refresh a pointer. */
+- vsi = pf->vsi[vf->lan_vsi_idx];
++
+ /* Locked once because multiple functions below iterate list */
+ spin_lock_bh(&vsi->mac_filter_hash_lock);
+
+@@ -4552,6 +4550,10 @@ int i40e_ndo_set_vf_port_vlan(struct net_device *netdev, int vf_id,
+ */
+ vf->port_vlan_id = le16_to_cpu(vsi->info.pvid);
+
++ i40e_vc_reset_vf(vf, true);
++ /* During reset the VF got a new VSI, so refresh a pointer. */
++ vsi = pf->vsi[vf->lan_vsi_idx];
++
+ ret = i40e_config_vf_promiscuous_mode(vf, vsi->id, allmulti, alluni);
+ if (ret) {
+ dev_err(&pf->pdev->dev, "Unable to config vf promiscuous mode\n");
+--
+2.40.1
+
--- /dev/null
+From 2609752bf1b64e7b73a8e57a54e3c41c3fb5218e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 14:22:47 -0700
+Subject: i915/pmu: Move execlist stats initialization to execlist specific
+ setup
+
+From: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
+
+[ Upstream commit c524cd40e8a2a1a36f4898eaf2024beefeb815f3 ]
+
+engine->stats is a union of execlist and guc stat objects. When execlist
+specific fields are initialized, the initial state of guc stats is
+affected. This results in bad busyness values when using GuC mode. Move
+the execlist initialization from common code to execlist specific code.
+
+Fixes: 77cdd054dd2c ("drm/i915/pmu: Connect engine busyness stats from GuC to pmu")
+Signed-off-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
+Reviewed-by: Alan Previn <alan.previn.teres.alexis@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230912212247.1828681-1-umesh.nerlige.ramappa@intel.com
+(cherry picked from commit 4485bd519f5d6d620a29d0547ff3c982bdeeb468)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_engine_cs.c | 1 -
+ drivers/gpu/drm/i915/gt/intel_execlists_submission.c | 2 ++
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_engine_cs.c b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+index 0aff5bb13c538..0e81ea6191c64 100644
+--- a/drivers/gpu/drm/i915/gt/intel_engine_cs.c
++++ b/drivers/gpu/drm/i915/gt/intel_engine_cs.c
+@@ -558,7 +558,6 @@ static int intel_engine_setup(struct intel_gt *gt, enum intel_engine_id id,
+ DRIVER_CAPS(i915)->has_logical_contexts = true;
+
+ ewma__engine_latency_init(&engine->latency);
+- seqcount_init(&engine->stats.execlists.lock);
+
+ ATOMIC_INIT_NOTIFIER_HEAD(&engine->context_status_notifier);
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_execlists_submission.c b/drivers/gpu/drm/i915/gt/intel_execlists_submission.c
+index 2ebd937f3b4cb..082c973370824 100644
+--- a/drivers/gpu/drm/i915/gt/intel_execlists_submission.c
++++ b/drivers/gpu/drm/i915/gt/intel_execlists_submission.c
+@@ -3550,6 +3550,8 @@ int intel_execlists_submission_setup(struct intel_engine_cs *engine)
+ logical_ring_default_vfuncs(engine);
+ logical_ring_default_irqs(engine);
+
++ seqcount_init(&engine->stats.execlists.lock);
++
+ if (engine->flags & I915_ENGINE_HAS_RCS_REG_STATE)
+ rcs_submission_override(engine);
+
+--
+2.40.1
+
--- /dev/null
+From 9305e755fc9c7299ab370a8f00e706019cae41d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Sep 2023 17:02:50 +0200
+Subject: iavf: add iavf_schedule_aq_request() helper
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit ed4cad33df9e272feaa6698b33359b29c2929564 ]
+
+Add helper for set iavf aq request AVF_FLAG_AQ_* and immediately
+schedule watchdog_task. Helper will be used in cases where it is
+necessary to run aq requests asap
+
+Signed-off-by: Petr Oros <poros@redhat.com>
+Co-developed-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Co-developed-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Stable-dep-of: 5f3d319a2486 ("iavf: schedule a request immediately after add/delete vlan")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf.h | 2 +-
+ drivers/net/ethernet/intel/iavf/iavf_ethtool.c | 2 +-
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 10 ++++------
+ 3 files changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf.h b/drivers/net/ethernet/intel/iavf/iavf.h
+index 8cbdebc5b6989..4d4508e04b1d2 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf.h
++++ b/drivers/net/ethernet/intel/iavf/iavf.h
+@@ -521,7 +521,7 @@ void iavf_down(struct iavf_adapter *adapter);
+ int iavf_process_config(struct iavf_adapter *adapter);
+ int iavf_parse_vf_resource_msg(struct iavf_adapter *adapter);
+ void iavf_schedule_reset(struct iavf_adapter *adapter, u64 flags);
+-void iavf_schedule_request_stats(struct iavf_adapter *adapter);
++void iavf_schedule_aq_request(struct iavf_adapter *adapter, u64 flags);
+ void iavf_schedule_finish_config(struct iavf_adapter *adapter);
+ void iavf_reset(struct iavf_adapter *adapter);
+ void iavf_set_ethtool_ops(struct net_device *netdev);
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
+index a34303ad057d0..90397293525f7 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_ethtool.c
+@@ -362,7 +362,7 @@ static void iavf_get_ethtool_stats(struct net_device *netdev,
+ unsigned int i;
+
+ /* Explicitly request stats refresh */
+- iavf_schedule_request_stats(adapter);
++ iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_REQUEST_STATS);
+
+ iavf_add_ethtool_stats(&data, adapter, iavf_gstrings_stats);
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 1d24a71905d06..d76465474049c 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -314,15 +314,13 @@ void iavf_schedule_reset(struct iavf_adapter *adapter, u64 flags)
+ }
+
+ /**
+- * iavf_schedule_request_stats - Set the flags and schedule statistics request
++ * iavf_schedule_aq_request - Set the flags and schedule aq request
+ * @adapter: board private structure
+- *
+- * Sets IAVF_FLAG_AQ_REQUEST_STATS flag so iavf_watchdog_task() will explicitly
+- * request and refresh ethtool stats
++ * @flags: requested aq flags
+ **/
+-void iavf_schedule_request_stats(struct iavf_adapter *adapter)
++void iavf_schedule_aq_request(struct iavf_adapter *adapter, u64 flags)
+ {
+- adapter->aq_required |= IAVF_FLAG_AQ_REQUEST_STATS;
++ adapter->aq_required |= flags;
+ mod_delayed_work(adapter->wq, &adapter->watchdog_task, 0);
+ }
+
+--
+2.40.1
+
--- /dev/null
+From fabc3556799da8a7923de420df4726e79fb0f82b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Aug 2023 14:59:40 +0200
+Subject: iavf: do not process adminq tasks when __IAVF_IN_REMOVE_TASK is set
+
+From: Radoslaw Tyl <radoslawx.tyl@intel.com>
+
+[ Upstream commit c8de44b577eb540e8bfea55afe1d0904bb571b7a ]
+
+Prevent schedule operations for adminq during device remove and when
+__IAVF_IN_REMOVE_TASK flag is set. Currently, the iavf_down function
+adds operations for adminq that shouldn't be processed when the device
+is in the __IAVF_REMOVE state.
+
+Reproduction:
+
+echo 4 > /sys/bus/pci/devices/0000:17:00.0/sriov_numvfs
+ip link set dev ens1f0 vf 0 trust on
+ip link set dev ens1f0 vf 1 trust on
+ip link set dev ens1f0 vf 2 trust on
+ip link set dev ens1f0 vf 3 trust on
+
+ip link set dev ens1f0 vf 0 mac 00:22:33:44:55:66
+ip link set dev ens1f0 vf 1 mac 00:22:33:44:55:67
+ip link set dev ens1f0 vf 2 mac 00:22:33:44:55:68
+ip link set dev ens1f0 vf 3 mac 00:22:33:44:55:69
+
+echo 0000:17:02.0 > /sys/bus/pci/devices/0000\:17\:02.0/driver/unbind
+echo 0000:17:02.1 > /sys/bus/pci/devices/0000\:17\:02.1/driver/unbind
+echo 0000:17:02.2 > /sys/bus/pci/devices/0000\:17\:02.2/driver/unbind
+echo 0000:17:02.3 > /sys/bus/pci/devices/0000\:17\:02.3/driver/unbind
+sleep 10
+echo 0000:17:02.0 > /sys/bus/pci/drivers/iavf/bind
+echo 0000:17:02.1 > /sys/bus/pci/drivers/iavf/bind
+echo 0000:17:02.2 > /sys/bus/pci/drivers/iavf/bind
+echo 0000:17:02.3 > /sys/bus/pci/drivers/iavf/bind
+
+modprobe vfio-pci
+echo 8086 154c > /sys/bus/pci/drivers/vfio-pci/new_id
+
+qemu-system-x86_64 -accel kvm -m 4096 -cpu host \
+-drive file=centos9.qcow2,if=none,id=virtio-disk0 \
+-device virtio-blk-pci,drive=virtio-disk0,bootindex=0 -smp 4 \
+-device vfio-pci,host=17:02.0 -net none \
+-device vfio-pci,host=17:02.1 -net none \
+-device vfio-pci,host=17:02.2 -net none \
+-device vfio-pci,host=17:02.3 -net none \
+-daemonize -vnc :5
+
+Current result:
+There is a probability that the mac of VF in guest is inconsistent with
+it in host
+
+Expected result:
+When passthrough NIC VF to guest, the VF in guest should always get
+the same mac as it in host.
+
+Fixes: 14756b2ae265 ("iavf: Fix __IAVF_RESETTING state usage")
+Signed-off-by: Radoslaw Tyl <radoslawx.tyl@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index 9610ca770349e..1d24a71905d06 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -1421,7 +1421,8 @@ void iavf_down(struct iavf_adapter *adapter)
+ iavf_clear_fdir_filters(adapter);
+ iavf_clear_adv_rss_conf(adapter);
+
+- if (!(adapter->flags & IAVF_FLAG_PF_COMMS_FAILED)) {
++ if (!(adapter->flags & IAVF_FLAG_PF_COMMS_FAILED) &&
++ !(test_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section))) {
+ /* cancel any current operation */
+ adapter->current_op = VIRTCHNL_OP_UNKNOWN;
+ /* Schedule operations to close down the HW. Don't wait
+--
+2.40.1
+
--- /dev/null
+From 36388c5bd5c72e6f6a8df316988bea393f17e4e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Sep 2023 17:02:51 +0200
+Subject: iavf: schedule a request immediately after add/delete vlan
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit 5f3d319a248654a805bafc9e7094bcea47dac6c7 ]
+
+When the iavf driver wants to reconfigure the VLAN filters
+(iavf_add_vlan, iavf_del_vlan), it sets a flag in
+aq_required:
+ adapter->aq_required |= IAVF_FLAG_AQ_ADD_VLAN_FILTER;
+or:
+ adapter->aq_required |= IAVF_FLAG_AQ_DEL_VLAN_FILTER;
+
+This is later processed by the watchdog_task, but it runs periodically
+every 2 seconds, so it can be a long time before it processes the request.
+
+In the worst case, the interface is unable to receive traffic for more
+than 2 seconds for no objective reason.
+
+Fixes: 5eae00c57f5e ("i40evf: main driver core")
+Signed-off-by: Petr Oros <poros@redhat.com>
+Co-developed-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Co-developed-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Reviewed-by: Ahmed Zaki <ahmed.zaki@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
+index d76465474049c..8ea5c0825c3c4 100644
+--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
+@@ -821,7 +821,7 @@ iavf_vlan_filter *iavf_add_vlan(struct iavf_adapter *adapter,
+ list_add_tail(&f->list, &adapter->vlan_filter_list);
+ f->state = IAVF_VLAN_ADD;
+ adapter->num_vlan_filters++;
+- adapter->aq_required |= IAVF_FLAG_AQ_ADD_VLAN_FILTER;
++ iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_ADD_VLAN_FILTER);
+ }
+
+ clearout:
+@@ -843,7 +843,7 @@ static void iavf_del_vlan(struct iavf_adapter *adapter, struct iavf_vlan vlan)
+ f = iavf_find_vlan(adapter, vlan);
+ if (f) {
+ f->state = IAVF_VLAN_REMOVE;
+- adapter->aq_required |= IAVF_FLAG_AQ_DEL_VLAN_FILTER;
++ iavf_schedule_aq_request(adapter, IAVF_FLAG_AQ_DEL_VLAN_FILTER);
+ }
+
+ spin_unlock_bh(&adapter->mac_vlan_list_lock);
+--
+2.40.1
+
--- /dev/null
+From 82a8f3fae549ab6f6b5acdf91d439d69fe3b0ef2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Sep 2023 10:03:31 -0700
+Subject: igc: Expose tx-usecs coalesce setting to user
+
+From: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+
+[ Upstream commit 1703b2e0de653b459ca6230be32ce7f2ea0ae7ee ]
+
+When users attempt to obtain the coalesce setting using the
+ethtool command, current code always returns 0 for tx-usecs.
+This is because I225/6 always uses a queue pair setting, hence
+tx_coalesce_usecs does not return a value during the
+igc_ethtool_get_coalesce() callback process. The pair queue
+condition checking in igc_ethtool_get_coalesce() is removed by
+this patch so that the user gets information of the value of tx-usecs.
+
+Even if i225/6 is using queue pair setting, there is no harm in
+notifying the user of the tx-usecs. The implementation of the current
+code may have previously been a copy of the legacy code i210.
+Since I225 has the queue pair setting enabled, tx-usecs will always adhere
+to the user-set rx-usecs value. An error message will appear when the user
+attempts to set the tx-usecs value for the input parameters because,
+by default, they should only set the rx-usecs value.
+
+This patch also adds the helper function to get the
+previous rx coalesce value similar to tx coalesce.
+
+How to test:
+User can get the coalesce value using ethtool command.
+
+Example command:
+Get: ethtool -c <interface>
+
+Previous output:
+
+rx-usecs: 3
+rx-frames: n/a
+rx-usecs-irq: n/a
+rx-frames-irq: n/a
+
+tx-usecs: 0
+tx-frames: n/a
+tx-usecs-irq: n/a
+tx-frames-irq: n/a
+
+New output:
+
+rx-usecs: 3
+rx-frames: n/a
+rx-usecs-irq: n/a
+rx-frames-irq: n/a
+
+tx-usecs: 3
+tx-frames: n/a
+tx-usecs-irq: n/a
+tx-frames-irq: n/a
+
+Fixes: 8c5ad0dae93c ("igc: Add ethtool support")
+Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://lore.kernel.org/r/20230919170331.1581031-1-anthony.l.nguyen@intel.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_ethtool.c | 31 ++++++++++++--------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+index 93bce729be76a..7ab6dd58e4001 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c
++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+@@ -868,6 +868,18 @@ static void igc_ethtool_get_stats(struct net_device *netdev,
+ spin_unlock(&adapter->stats64_lock);
+ }
+
++static int igc_ethtool_get_previous_rx_coalesce(struct igc_adapter *adapter)
++{
++ return (adapter->rx_itr_setting <= 3) ?
++ adapter->rx_itr_setting : adapter->rx_itr_setting >> 2;
++}
++
++static int igc_ethtool_get_previous_tx_coalesce(struct igc_adapter *adapter)
++{
++ return (adapter->tx_itr_setting <= 3) ?
++ adapter->tx_itr_setting : adapter->tx_itr_setting >> 2;
++}
++
+ static int igc_ethtool_get_coalesce(struct net_device *netdev,
+ struct ethtool_coalesce *ec,
+ struct kernel_ethtool_coalesce *kernel_coal,
+@@ -875,17 +887,8 @@ static int igc_ethtool_get_coalesce(struct net_device *netdev,
+ {
+ struct igc_adapter *adapter = netdev_priv(netdev);
+
+- if (adapter->rx_itr_setting <= 3)
+- ec->rx_coalesce_usecs = adapter->rx_itr_setting;
+- else
+- ec->rx_coalesce_usecs = adapter->rx_itr_setting >> 2;
+-
+- if (!(adapter->flags & IGC_FLAG_QUEUE_PAIRS)) {
+- if (adapter->tx_itr_setting <= 3)
+- ec->tx_coalesce_usecs = adapter->tx_itr_setting;
+- else
+- ec->tx_coalesce_usecs = adapter->tx_itr_setting >> 2;
+- }
++ ec->rx_coalesce_usecs = igc_ethtool_get_previous_rx_coalesce(adapter);
++ ec->tx_coalesce_usecs = igc_ethtool_get_previous_tx_coalesce(adapter);
+
+ return 0;
+ }
+@@ -910,8 +913,12 @@ static int igc_ethtool_set_coalesce(struct net_device *netdev,
+ ec->tx_coalesce_usecs == 2)
+ return -EINVAL;
+
+- if ((adapter->flags & IGC_FLAG_QUEUE_PAIRS) && ec->tx_coalesce_usecs)
++ if ((adapter->flags & IGC_FLAG_QUEUE_PAIRS) &&
++ ec->tx_coalesce_usecs != igc_ethtool_get_previous_tx_coalesce(adapter)) {
++ NL_SET_ERR_MSG_MOD(extack,
++ "Queue Pair mode enabled, both Rx and Tx coalescing controlled by rx-usecs");
+ return -EINVAL;
++ }
+
+ /* If ITR is disabled, disable DMAC */
+ if (ec->rx_coalesce_usecs == 0) {
+--
+2.40.1
+
--- /dev/null
+From c3c596c36e46595a169721edc36e982ac84dd728 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 11:06:15 -0700
+Subject: igc: Fix infinite initialization loop with early XDP redirect
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit cb47b1f679c4d83a5fa5f1852e472f844e41a3da ]
+
+When an XDP redirect happens before the link is ready, that
+transmission will not finish and will timeout, causing an adapter
+reset. If the redirects do not stop, the adapter will not stop
+resetting.
+
+Wait for the driver to signal that there's a carrier before allowing
+transmissions to proceed.
+
+Previous code was relying that when __IGC_DOWN is cleared, the NIC is
+ready to transmit as all the queues are ready, what happens is that
+the carrier presence will only be signaled later, after the watchdog
+workqueue has a chance to run. And during this interval (between
+clearing __IGC_DOWN and the watchdog running) if any transmission
+happens the timeout is emitted (detected by igc_tx_timeout()) which
+causes the reset, with the potential for the infinite loop.
+
+Fixes: 4ff320361092 ("igc: Add support for XDP_REDIRECT action")
+Reported-by: Ferenc Fejes <ferenc.fejes@ericsson.com>
+Closes: https://lore.kernel.org/netdev/0caf33cf6adb3a5bf137eeaa20e89b167c9986d5.camel@ericsson.com/
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Tested-by: Ferenc Fejes <ferenc.fejes@ericsson.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 6f557e843e495..4e23b821c39ba 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -6433,7 +6433,7 @@ static int igc_xdp_xmit(struct net_device *dev, int num_frames,
+ struct igc_ring *ring;
+ int i, drops;
+
+- if (unlikely(test_bit(__IGC_DOWN, &adapter->state)))
++ if (unlikely(!netif_carrier_ok(dev)))
+ return -ENETDOWN;
+
+ if (unlikely(flags & ~XDP_XMIT_FLAGS_MASK))
+--
+2.40.1
+
--- /dev/null
+From 507be9f4f3a775ad2ad00f8f53db342518a140c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Sep 2023 18:02:52 -0400
+Subject: ionic: fix 16bit math issue when PAGE_SIZE >= 64KB
+
+From: David Christensen <drc@linux.vnet.ibm.com>
+
+[ Upstream commit 8f6b846b0a86c3cbae8a25b772651cfc2270ad0a ]
+
+The ionic device supports a maximum buffer length of 16 bits (see
+ionic_rxq_desc or ionic_rxq_sg_elem). When adding new buffers to
+the receive rings, the function ionic_rx_fill() uses 16bit math when
+calculating the number of pages to allocate for an RX descriptor,
+given the interface's MTU setting. If the system PAGE_SIZE >= 64KB,
+and the buf_info->page_offset is 0, the remain_len value will never
+decrement from the original MTU value and the frag_len value will
+always be 0, causing additional pages to be allocated as scatter-
+gather elements unnecessarily.
+
+A similar math issue exists in ionic_rx_frags(), but no failures
+have been observed here since a 64KB page should not normally
+require any scatter-gather elements at any legal Ethernet MTU size.
+
+Fixes: 4b0a7539a372 ("ionic: implement Rx page reuse")
+Signed-off-by: David Christensen <drc@linux.vnet.ibm.com>
+Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_dev.h | 1 +
+ drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 10 +++++++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_dev.h b/drivers/net/ethernet/pensando/ionic/ionic_dev.h
+index 0bea208bfba2f..43ce0aac6a94c 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_dev.h
++++ b/drivers/net/ethernet/pensando/ionic/ionic_dev.h
+@@ -187,6 +187,7 @@ typedef void (*ionic_desc_cb)(struct ionic_queue *q,
+ struct ionic_desc_info *desc_info,
+ struct ionic_cq_info *cq_info, void *cb_arg);
+
++#define IONIC_MAX_BUF_LEN ((u16)-1)
+ #define IONIC_PAGE_SIZE PAGE_SIZE
+ #define IONIC_PAGE_SPLIT_SZ (PAGE_SIZE / 2)
+ #define IONIC_PAGE_GFP_MASK (GFP_ATOMIC | __GFP_NOWARN |\
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
+index 26798fc635dbd..44466e8c5d77b 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
+@@ -207,7 +207,8 @@ static struct sk_buff *ionic_rx_frags(struct ionic_queue *q,
+ return NULL;
+ }
+
+- frag_len = min_t(u16, len, IONIC_PAGE_SIZE - buf_info->page_offset);
++ frag_len = min_t(u16, len, min_t(u32, IONIC_MAX_BUF_LEN,
++ IONIC_PAGE_SIZE - buf_info->page_offset));
+ len -= frag_len;
+
+ dma_sync_single_for_cpu(dev,
+@@ -452,7 +453,8 @@ void ionic_rx_fill(struct ionic_queue *q)
+
+ /* fill main descriptor - buf[0] */
+ desc->addr = cpu_to_le64(buf_info->dma_addr + buf_info->page_offset);
+- frag_len = min_t(u16, len, IONIC_PAGE_SIZE - buf_info->page_offset);
++ frag_len = min_t(u16, len, min_t(u32, IONIC_MAX_BUF_LEN,
++ IONIC_PAGE_SIZE - buf_info->page_offset));
+ desc->len = cpu_to_le16(frag_len);
+ remain_len -= frag_len;
+ buf_info++;
+@@ -471,7 +473,9 @@ void ionic_rx_fill(struct ionic_queue *q)
+ }
+
+ sg_elem->addr = cpu_to_le64(buf_info->dma_addr + buf_info->page_offset);
+- frag_len = min_t(u16, remain_len, IONIC_PAGE_SIZE - buf_info->page_offset);
++ frag_len = min_t(u16, remain_len, min_t(u32, IONIC_MAX_BUF_LEN,
++ IONIC_PAGE_SIZE -
++ buf_info->page_offset));
+ sg_elem->len = cpu_to_le16(frag_len);
+ remain_len -= frag_len;
+ buf_info++;
+--
+2.40.1
+
--- /dev/null
+From 629505ce9eb1dfc5388e42b094ec7ac77bd2bd5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Sep 2023 22:12:57 -0700
+Subject: ipv4: fix null-deref in ipv4_link_failure
+
+From: Kyle Zeng <zengyhkyle@gmail.com>
+
+[ Upstream commit 0113d9c9d1ccc07f5a3710dac4aa24b6d711278c ]
+
+Currently, we assume the skb is associated with a device before calling
+__ip_options_compile, which is not always the case if it is re-routed by
+ipvs.
+When skb->dev is NULL, dev_net(skb->dev) will become null-dereference.
+This patch adds a check for the edge case and switch to use the net_device
+from the rtable when skb->dev is NULL.
+
+Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
+Suggested-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Kyle Zeng <zengyhkyle@gmail.com>
+Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
+Cc: Vadim Fedorenko <vfedorenko@novek.ru>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/route.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 33626619aee79..0a53ca6ebb0d5 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1213,6 +1213,7 @@ EXPORT_INDIRECT_CALLABLE(ipv4_dst_check);
+
+ static void ipv4_send_dest_unreach(struct sk_buff *skb)
+ {
++ struct net_device *dev;
+ struct ip_options opt;
+ int res;
+
+@@ -1230,7 +1231,8 @@ static void ipv4_send_dest_unreach(struct sk_buff *skb)
+ opt.optlen = ip_hdr(skb)->ihl * 4 - sizeof(struct iphdr);
+
+ rcu_read_lock();
+- res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
++ dev = skb->dev ? skb->dev : skb_rtable(skb)->dst.dev;
++ res = __ip_options_compile(dev_net(dev), &opt, skb, NULL);
+ rcu_read_unlock();
+
+ if (res)
+--
+2.40.1
+
--- /dev/null
+From c8aa5a33c387d7da4be9e5e3068f9943a9c32b76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Sep 2023 18:14:29 +0100
+Subject: locking/atomic: scripts: fix fallback ifdeffery
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 6d2779ecaeb56f92d7105c56772346c71c88c278 ]
+
+Since commit:
+
+ 9257959a6e5b4fca ("locking/atomic: scripts: restructure fallback ifdeffery")
+
+The ordering fallbacks for atomic*_read_acquire() and
+atomic*_set_release() erroneously fall back to the implictly relaxed
+atomic*_read() and atomic*_set() variants respectively, without any
+additional barriers. This loses the ACQUIRE and RELEASE ordering
+semantics, which can result in a wide variety of problems, even on
+strongly-ordered architectures where the implementation of
+atomic*_read() and/or atomic*_set() allows the compiler to reorder those
+relative to other accesses.
+
+In practice this has been observed to break bit spinlocks on arm64,
+resulting in dentry cache corruption.
+
+The fallback logic was intended to allow ACQUIRE/RELEASE/RELAXED ops to
+be defined in terms of FULL ops, but where an op had RELAXED ordering by
+default, this unintentionally permitted the ACQUIRE/RELEASE ops to be
+defined in terms of the implicitly RELAXED default.
+
+This patch corrects the logic to avoid falling back to implicitly
+RELAXED ops, resulting in the same behaviour as prior to commit
+9257959a6e5b4fca.
+
+I've verified the resulting assembly on arm64 by generating outlined
+wrappers of the atomics. Prior to this patch the compiler generates
+sequences using relaxed load (LDR) and store (STR) instructions, e.g.
+
+| <outlined_atomic64_read_acquire>:
+| ldr x0, [x0]
+| ret
+|
+| <outlined_atomic64_set_release>:
+| str x1, [x0]
+| ret
+
+With this patch applied the compiler generates sequences using the
+intended load-acquire (LDAR) and store-release (STLR) instructions, e.g.
+
+| <outlined_atomic64_read_acquire>:
+| ldar x0, [x0]
+| ret
+|
+| <outlined_atomic64_set_release>:
+| stlr x1, [x0]
+| ret
+
+To make sure that there were no other victims of the ifdeffery rewrite,
+I generated outlined copies of all of the {atomic,atomic64,atomic_long}
+atomic operations before and after commit 9257959a6e5b4fca. A diff of
+the generated assembly on arm64 shows that only the read_acquire() and
+set_release() operations were changed, and only lost their intended
+ordering:
+
+| [mark@lakrids:~/src/linux]% diff -u \
+| <(aarch64-linux-gnu-objdump -d before-9257959a6e5b4fca.o)
+| <(aarch64-linux-gnu-objdump -d after-9257959a6e5b4fca.o)
+| --- /proc/self/fd/11 2023-09-19 16:51:51.114779415 +0100
+| +++ /proc/self/fd/16 2023-09-19 16:51:51.114779415 +0100
+| @@ -1,5 +1,5 @@
+|
+| -before-9257959a6e5b4fca.o: file format elf64-littleaarch64
+| +after-9257959a6e5b4fca.o: file format elf64-littleaarch64
+|
+|
+| Disassembly of section .text:
+| @@ -9,7 +9,7 @@
+| 4: d65f03c0 ret
+|
+| 0000000000000008 <outlined_atomic_read_acquire>:
+| - 8: 88dffc00 ldar w0, [x0]
+| + 8: b9400000 ldr w0, [x0]
+| c: d65f03c0 ret
+|
+| 0000000000000010 <outlined_atomic_set>:
+| @@ -17,7 +17,7 @@
+| 14: d65f03c0 ret
+|
+| 0000000000000018 <outlined_atomic_set_release>:
+| - 18: 889ffc01 stlr w1, [x0]
+| + 18: b9000001 str w1, [x0]
+| 1c: d65f03c0 ret
+|
+| 0000000000000020 <outlined_atomic_add>:
+| @@ -1230,7 +1230,7 @@
+| 1070: d65f03c0 ret
+|
+| 0000000000001074 <outlined_atomic64_read_acquire>:
+| - 1074: c8dffc00 ldar x0, [x0]
+| + 1074: f9400000 ldr x0, [x0]
+| 1078: d65f03c0 ret
+|
+| 000000000000107c <outlined_atomic64_set>:
+| @@ -1238,7 +1238,7 @@
+| 1080: d65f03c0 ret
+|
+| 0000000000001084 <outlined_atomic64_set_release>:
+| - 1084: c89ffc01 stlr x1, [x0]
+| + 1084: f9000001 str x1, [x0]
+| 1088: d65f03c0 ret
+|
+| 000000000000108c <outlined_atomic64_add>:
+| @@ -2427,7 +2427,7 @@
+| 207c: d65f03c0 ret
+|
+| 0000000000002080 <outlined_atomic_long_read_acquire>:
+| - 2080: c8dffc00 ldar x0, [x0]
+| + 2080: f9400000 ldr x0, [x0]
+| 2084: d65f03c0 ret
+|
+| 0000000000002088 <outlined_atomic_long_set>:
+| @@ -2435,7 +2435,7 @@
+| 208c: d65f03c0 ret
+|
+| 0000000000002090 <outlined_atomic_long_set_release>:
+| - 2090: c89ffc01 stlr x1, [x0]
+| + 2090: f9000001 str x1, [x0]
+| 2094: d65f03c0 ret
+|
+| 0000000000002098 <outlined_atomic_long_add>:
+
+I've build tested this with a variety of configs for alpha, arm, arm64,
+csky, i386, m68k, microblaze, mips, nios2, openrisc, powerpc, riscv,
+s390, sh, sparc, x86_64, and xtensa, for which I've seen no issues. I
+was unable to build test for ia64 and parisc due to existing build
+breakage in v6.6-rc2.
+
+Fixes: 9257959a6e5b4fca ("locking/atomic: scripts: restructure fallback ifdeffery")
+Reported-by: Ming Lei <ming.lei@redhat.com>
+Reported-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Baokun Li <libaokun1@huawei.com>
+Link: https://lkml.kernel.org/r/20230919171430.2697727-1-mark.rutland@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/atomic/atomic-arch-fallback.h | 10 +---------
+ scripts/atomic/gen-atomic-fallback.sh | 2 +-
+ 2 files changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/atomic/atomic-arch-fallback.h b/include/linux/atomic/atomic-arch-fallback.h
+index 18f5744dfb5d8..b83ef19da13de 100644
+--- a/include/linux/atomic/atomic-arch-fallback.h
++++ b/include/linux/atomic/atomic-arch-fallback.h
+@@ -459,8 +459,6 @@ raw_atomic_read_acquire(const atomic_t *v)
+ {
+ #if defined(arch_atomic_read_acquire)
+ return arch_atomic_read_acquire(v);
+-#elif defined(arch_atomic_read)
+- return arch_atomic_read(v);
+ #else
+ int ret;
+
+@@ -508,8 +506,6 @@ raw_atomic_set_release(atomic_t *v, int i)
+ {
+ #if defined(arch_atomic_set_release)
+ arch_atomic_set_release(v, i);
+-#elif defined(arch_atomic_set)
+- arch_atomic_set(v, i);
+ #else
+ if (__native_word(atomic_t)) {
+ smp_store_release(&(v)->counter, i);
+@@ -2575,8 +2571,6 @@ raw_atomic64_read_acquire(const atomic64_t *v)
+ {
+ #if defined(arch_atomic64_read_acquire)
+ return arch_atomic64_read_acquire(v);
+-#elif defined(arch_atomic64_read)
+- return arch_atomic64_read(v);
+ #else
+ s64 ret;
+
+@@ -2624,8 +2618,6 @@ raw_atomic64_set_release(atomic64_t *v, s64 i)
+ {
+ #if defined(arch_atomic64_set_release)
+ arch_atomic64_set_release(v, i);
+-#elif defined(arch_atomic64_set)
+- arch_atomic64_set(v, i);
+ #else
+ if (__native_word(atomic64_t)) {
+ smp_store_release(&(v)->counter, i);
+@@ -4657,4 +4649,4 @@ raw_atomic64_dec_if_positive(atomic64_t *v)
+ }
+
+ #endif /* _LINUX_ATOMIC_FALLBACK_H */
+-// 202b45c7db600ce36198eb1f1fc2c2d5268ace2d
++// 2fdd6702823fa842f9cea57a002e6e4476ae780c
+diff --git a/scripts/atomic/gen-atomic-fallback.sh b/scripts/atomic/gen-atomic-fallback.sh
+index c0c8a85d7c81b..a45154cefa487 100755
+--- a/scripts/atomic/gen-atomic-fallback.sh
++++ b/scripts/atomic/gen-atomic-fallback.sh
+@@ -102,7 +102,7 @@ gen_proto_order_variant()
+ fi
+
+ # Allow ACQUIRE/RELEASE/RELAXED ops to be defined in terms of FULL ops
+- if [ ! -z "${order}" ]; then
++ if [ ! -z "${order}" ] && ! meta_is_implicitly_relaxed "${meta}"; then
+ printf "#elif defined(arch_${basename})\n"
+ printf "\t${retstmt}arch_${basename}(${args});\n"
+ fi
+--
+2.40.1
+
--- /dev/null
+From f14ca18ee9c997e48e58e2ee58f56cbb289d36a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Sep 2023 12:46:27 +0200
+Subject: locking/seqlock: Do the lockdep annotation before locking in
+ do_write_seqcount_begin_nested()
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 41b43b6c6e30a832c790b010a06772e793bca193 ]
+
+It was brought up by Tetsuo that the following sequence:
+
+ write_seqlock_irqsave()
+ printk_deferred_enter()
+
+could lead to a deadlock if the lockdep annotation within
+write_seqlock_irqsave() triggers.
+
+The problem is that the sequence counter is incremented before the lockdep
+annotation is performed. The lockdep splat would then attempt to invoke
+printk() but the reader side, of the same seqcount, could have a
+tty_port::lock acquired waiting for the sequence number to become even again.
+
+The other lockdep annotations come before the actual locking because "we
+want to see the locking error before it happens". There is no reason why
+seqcount should be different here.
+
+Do the lockdep annotation first then perform the locking operation (the
+sequence increment).
+
+Fixes: 1ca7d67cf5d5a ("seqcount: Add lockdep functionality to seqcount/seqlock structures")
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20230920104627._DTHgPyA@linutronix.de
+
+Closes: https://lore.kernel.org/20230621130641.-5iueY1I@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/seqlock.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h
+index 987a59d977c56..e9bd2f65d7f4e 100644
+--- a/include/linux/seqlock.h
++++ b/include/linux/seqlock.h
+@@ -512,8 +512,8 @@ do { \
+
+ static inline void do_write_seqcount_begin_nested(seqcount_t *s, int subclass)
+ {
+- do_raw_write_seqcount_begin(s);
+ seqcount_acquire(&s->dep_map, subclass, 0, _RET_IP_);
++ do_raw_write_seqcount_begin(s);
+ }
+
+ /**
+--
+2.40.1
+
--- /dev/null
+From 1bcfa13d4fb6474d7aa12f2b0d6aafa1f4c573e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 22:32:56 +0800
+Subject: memblock tests: Fix compilation errors.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rong Tao <rongtao@cestc.cn>
+
+[ Upstream commit 4b2d631236931550f2ab0abc9a666958853ae846 ]
+
+This patch fix the follow errors.
+
+commit 61167ad5fecd ("mm: pass nid to reserve_bootmem_region()") pass nid
+parameter to reserve_bootmem_region(),
+
+ $ make -C tools/testing/memblock/
+ ...
+ memblock.c: In function ‘memmap_init_reserved_pages’:
+ memblock.c:2111:25: error: too many arguments to function ‘reserve_bootmem_region’
+ 2111 | reserve_bootmem_region(start, end, nid);
+ | ^~~~~~~~~~~~~~~~~~~~~~
+ ../../include/linux/mm.h:32:6: note: declared here
+ 32 | void reserve_bootmem_region(phys_addr_t start, phys_addr_t end);
+ | ^~~~~~~~~~~~~~~~~~~~~~
+ memblock.c:2122:17: error: too many arguments to function ‘reserve_bootmem_region’
+ 2122 | reserve_bootmem_region(start, end, nid);
+ | ^~~~~~~~~~~~~~~~~~~~~~
+
+commit dcdfdd40fa82 ("mm: Add support for unaccepted memory") call
+accept_memory() in memblock.c
+
+ $ make -C tools/testing/memblock/
+ ...
+ cc -fsanitize=address -fsanitize=undefined main.o memblock.o \
+ lib/slab.o mmzone.o slab.o tests/alloc_nid_api.o \
+ tests/alloc_helpers_api.o tests/alloc_api.o tests/basic_api.o \
+ tests/common.o tests/alloc_exact_nid_api.o -o main
+ /usr/bin/ld: memblock.o: in function `memblock_alloc_range_nid':
+ memblock.c:(.text+0x7ae4): undefined reference to `accept_memory'
+
+Signed-off-by: Rong Tao <rongtao@cestc.cn>
+Fixes: dcdfdd40fa82 ("mm: Add support for unaccepted memory")
+Fixes: 61167ad5fecd ("mm: pass nid to reserve_bootmem_region()")
+Link: https://lore.kernel.org/r/tencent_6F19BC082167F15DF2A8D8BEFE8EF220F60A@qq.com
+Signed-off-by: Mike Rapoport (IBM) <rppt@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/include/linux/mm.h | 2 +-
+ tools/testing/memblock/internal.h | 4 ++++
+ tools/testing/memblock/mmzone.c | 2 +-
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/tools/include/linux/mm.h b/tools/include/linux/mm.h
+index a03d9bba51514..2bc94079d6166 100644
+--- a/tools/include/linux/mm.h
++++ b/tools/include/linux/mm.h
+@@ -29,7 +29,7 @@ static inline void *phys_to_virt(unsigned long address)
+ return __va(address);
+ }
+
+-void reserve_bootmem_region(phys_addr_t start, phys_addr_t end);
++void reserve_bootmem_region(phys_addr_t start, phys_addr_t end, int nid);
+
+ static inline void totalram_pages_inc(void)
+ {
+diff --git a/tools/testing/memblock/internal.h b/tools/testing/memblock/internal.h
+index fdb7f5db73082..f6c6e5474c3af 100644
+--- a/tools/testing/memblock/internal.h
++++ b/tools/testing/memblock/internal.h
+@@ -20,4 +20,8 @@ void memblock_free_pages(struct page *page, unsigned long pfn,
+ {
+ }
+
++static inline void accept_memory(phys_addr_t start, phys_addr_t end)
++{
++}
++
+ #endif
+diff --git a/tools/testing/memblock/mmzone.c b/tools/testing/memblock/mmzone.c
+index 7b0909e8b759d..d3d58851864e7 100644
+--- a/tools/testing/memblock/mmzone.c
++++ b/tools/testing/memblock/mmzone.c
+@@ -11,7 +11,7 @@ struct pglist_data *next_online_pgdat(struct pglist_data *pgdat)
+ return NULL;
+ }
+
+-void reserve_bootmem_region(phys_addr_t start, phys_addr_t end)
++void reserve_bootmem_region(phys_addr_t start, phys_addr_t end, int nid)
+ {
+ }
+
+--
+2.40.1
+
--- /dev/null
+From 43d467d0e29786c95cc141f7b7c6f5118e2cc9c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 09:13:51 +0000
+Subject: net: bridge: use DEV_STATS_INC()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 44bdb313da57322c9b3c108eb66981c6ec6509f4 ]
+
+syzbot/KCSAN reported data-races in br_handle_frame_finish() [1]
+This function can run from multiple cpus without mutual exclusion.
+
+Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.
+
+Handles updates to dev->stats.tx_dropped while we are at it.
+
+[1]
+BUG: KCSAN: data-race in br_handle_frame_finish / br_handle_frame_finish
+
+read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 1:
+br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
+br_nf_hook_thresh+0x1ed/0x220
+br_nf_pre_routing_finish_ipv6+0x50f/0x540
+NF_HOOK include/linux/netfilter.h:304 [inline]
+br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
+br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
+nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
+nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
+br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
+__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
+__netif_receive_skb_one_core net/core/dev.c:5521 [inline]
+__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
+process_backlog+0x21f/0x380 net/core/dev.c:5965
+__napi_poll+0x60/0x3b0 net/core/dev.c:6527
+napi_poll net/core/dev.c:6594 [inline]
+net_rx_action+0x32b/0x750 net/core/dev.c:6727
+__do_softirq+0xc1/0x265 kernel/softirq.c:553
+run_ksoftirqd+0x17/0x20 kernel/softirq.c:921
+smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
+kthread+0x1d7/0x210 kernel/kthread.c:388
+ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
+ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
+
+read-write to 0xffff8881374b2178 of 8 bytes by interrupt on cpu 0:
+br_handle_frame_finish+0xd4f/0xef0 net/bridge/br_input.c:189
+br_nf_hook_thresh+0x1ed/0x220
+br_nf_pre_routing_finish_ipv6+0x50f/0x540
+NF_HOOK include/linux/netfilter.h:304 [inline]
+br_nf_pre_routing_ipv6+0x1e3/0x2a0 net/bridge/br_netfilter_ipv6.c:178
+br_nf_pre_routing+0x526/0xba0 net/bridge/br_netfilter_hooks.c:508
+nf_hook_entry_hookfn include/linux/netfilter.h:144 [inline]
+nf_hook_bridge_pre net/bridge/br_input.c:272 [inline]
+br_handle_frame+0x4c9/0x940 net/bridge/br_input.c:417
+__netif_receive_skb_core+0xa8a/0x21e0 net/core/dev.c:5417
+__netif_receive_skb_one_core net/core/dev.c:5521 [inline]
+__netif_receive_skb+0x57/0x1b0 net/core/dev.c:5637
+process_backlog+0x21f/0x380 net/core/dev.c:5965
+__napi_poll+0x60/0x3b0 net/core/dev.c:6527
+napi_poll net/core/dev.c:6594 [inline]
+net_rx_action+0x32b/0x750 net/core/dev.c:6727
+__do_softirq+0xc1/0x265 kernel/softirq.c:553
+do_softirq+0x5e/0x90 kernel/softirq.c:454
+__local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381
+__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
+_raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210
+spin_unlock_bh include/linux/spinlock.h:396 [inline]
+batadv_tt_local_purge+0x1a8/0x1f0 net/batman-adv/translation-table.c:1356
+batadv_tt_purge+0x2b/0x630 net/batman-adv/translation-table.c:3560
+process_one_work kernel/workqueue.c:2630 [inline]
+process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
+worker_thread+0x525/0x730 kernel/workqueue.c:2784
+kthread+0x1d7/0x210 kernel/kthread.c:388
+ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
+ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
+
+value changed: 0x00000000000d7190 -> 0x00000000000d7191
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 14848 Comm: kworker/u4:11 Not tainted 6.6.0-rc1-syzkaller-00236-gad8a69f361b9 #0
+
+Fixes: 1c29fc4989bc ("[BRIDGE]: keep track of received multicast packets")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Roopa Prabhu <roopa@nvidia.com>
+Cc: Nikolay Aleksandrov <razor@blackwall.org>
+Cc: bridge@lists.linux-foundation.org
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://lore.kernel.org/r/20230918091351.1356153-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_forward.c | 4 ++--
+ net/bridge/br_input.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
+index 6116eba1bd891..bb1ab53e54e03 100644
+--- a/net/bridge/br_forward.c
++++ b/net/bridge/br_forward.c
+@@ -124,7 +124,7 @@ static int deliver_clone(const struct net_bridge_port *prev,
+
+ skb = skb_clone(skb, GFP_ATOMIC);
+ if (!skb) {
+- dev->stats.tx_dropped++;
++ DEV_STATS_INC(dev, tx_dropped);
+ return -ENOMEM;
+ }
+
+@@ -267,7 +267,7 @@ static void maybe_deliver_addr(struct net_bridge_port *p, struct sk_buff *skb,
+
+ skb = skb_copy(skb, GFP_ATOMIC);
+ if (!skb) {
+- dev->stats.tx_dropped++;
++ DEV_STATS_INC(dev, tx_dropped);
+ return;
+ }
+
+diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
+index c34a0b0901b07..c729528b5e85f 100644
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -181,12 +181,12 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
+ if ((mdst && mdst->host_joined) ||
+ br_multicast_is_router(brmctx, skb)) {
+ local_rcv = true;
+- br->dev->stats.multicast++;
++ DEV_STATS_INC(br->dev, multicast);
+ }
+ mcast_hit = true;
+ } else {
+ local_rcv = true;
+- br->dev->stats.multicast++;
++ DEV_STATS_INC(br->dev, multicast);
+ }
+ break;
+ case BR_PKT_UNICAST:
+--
+2.40.1
+
--- /dev/null
+From 2d5a9396f6255a4f23547228c7c3fdd54c64114b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 09:39:05 +0300
+Subject: net/core: Fix ETH_P_1588 flow dissector
+
+From: Sasha Neftin <sasha.neftin@intel.com>
+
+[ Upstream commit 75ad80ed88a182ab2ad5513e448cf07b403af5c3 ]
+
+When a PTP ethernet raw frame with a size of more than 256 bytes followed
+by a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation
+is wrong. For example: hdr->message_length takes the wrong value (0xffff)
+and it does not replicate real header length. In this case, 'nhoff' value
+was overridden and the PTP header was badly dissected. This leads to a
+kernel crash.
+
+net/core: flow_dissector
+net/core flow dissector nhoff = 0x0000000e
+net/core flow dissector hdr->message_length = 0x0000ffff
+net/core flow dissector nhoff = 0x0001000d (u16 overflow)
+...
+skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88
+skb frag: 00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+
+Using the size of the ptp_header struct will allow the corrected
+calculation of the nhoff value.
+
+net/core flow dissector nhoff = 0x0000000e
+net/core flow dissector nhoff = 0x00000030 (sizeof ptp_header)
+...
+skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 f7 ff ff
+skb linear: 00000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+skb linear: 00000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+skb frag: 00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+
+Kernel trace:
+[ 74.984279] ------------[ cut here ]------------
+[ 74.989471] kernel BUG at include/linux/skbuff.h:2440!
+[ 74.995237] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+[ 75.001098] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G U 5.15.85-intel-ese-standard-lts #1
+[ 75.011629] Hardware name: Intel Corporation A-Island (CPU:AlderLake)/A-Island (ID:06), BIOS SB_ADLP.01.01.00.01.03.008.D-6A9D9E73-dirty Mar 30 2023
+[ 75.026507] RIP: 0010:eth_type_trans+0xd0/0x130
+[ 75.031594] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9
+[ 75.052612] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297
+[ 75.058473] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003
+[ 75.066462] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300
+[ 75.074458] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800
+[ 75.082466] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010
+[ 75.090461] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800
+[ 75.098464] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000
+[ 75.107530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 75.113982] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0
+[ 75.121980] PKRU: 55555554
+[ 75.125035] Call Trace:
+[ 75.127792] <IRQ>
+[ 75.130063] ? eth_get_headlen+0xa4/0xc0
+[ 75.134472] igc_process_skb_fields+0xcd/0x150
+[ 75.139461] igc_poll+0xc80/0x17b0
+[ 75.143272] __napi_poll+0x27/0x170
+[ 75.147192] net_rx_action+0x234/0x280
+[ 75.151409] __do_softirq+0xef/0x2f4
+[ 75.155424] irq_exit_rcu+0xc7/0x110
+[ 75.159432] common_interrupt+0xb8/0xd0
+[ 75.163748] </IRQ>
+[ 75.166112] <TASK>
+[ 75.168473] asm_common_interrupt+0x22/0x40
+[ 75.173175] RIP: 0010:cpuidle_enter_state+0xe2/0x350
+[ 75.178749] Code: 85 c0 0f 8f 04 02 00 00 31 ff e8 39 6c 67 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 50 02 00 00 31 ff e8 52 b0 6d ff fb 45 85 f6 <0f> 88 b1 00 00 00 49 63 ce 4c 2b 2c 24 48 89 c8 48 6b d1 68 48 c1
+[ 75.199757] RSP: 0018:ffff9948c013bea8 EFLAGS: 00000202
+[ 75.205614] RAX: ffff8e4e8fb00000 RBX: ffffb948bfd23900 RCX: 000000000000001f
+[ 75.213619] RDX: 0000000000000004 RSI: ffffffff94206161 RDI: ffffffff94212e20
+[ 75.221620] RBP: 0000000000000004 R08: 000000117568973a R09: 0000000000000001
+[ 75.229622] R10: 000000000000afc8 R11: ffff8e4e8fb29ce4 R12: ffffffff945ae980
+[ 75.237628] R13: 000000117568973a R14: 0000000000000004 R15: 0000000000000000
+[ 75.245635] ? cpuidle_enter_state+0xc7/0x350
+[ 75.250518] cpuidle_enter+0x29/0x40
+[ 75.254539] do_idle+0x1d9/0x260
+[ 75.258166] cpu_startup_entry+0x19/0x20
+[ 75.262582] secondary_startup_64_no_verify+0xc2/0xcb
+[ 75.268259] </TASK>
+[ 75.270721] Modules linked in: 8021q snd_sof_pci_intel_tgl snd_sof_intel_hda_common tpm_crb snd_soc_hdac_hda snd_sof_intel_hda snd_hda_ext_core snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core snd_compress iTCO_wdt ac97_bus intel_pmc_bxt mei_hdcp iTCO_vendor_support snd_hda_codec_hdmi pmt_telemetry intel_pmc_core pmt_class snd_hda_intel x86_pkg_temp_thermal snd_intel_dspcfg snd_hda_codec snd_hda_core kvm_intel snd_pcm snd_timer kvm snd mei_me soundcore tpm_tis irqbypass i2c_i801 mei tpm_tis_core pcspkr intel_rapl_msr tpm i2c_smbus intel_pmt thermal sch_fq_codel uio uhid i915 drm_buddy video drm_display_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm fuse configfs
+[ 75.342736] ---[ end trace 3785f9f360400e3a ]---
+[ 75.347913] RIP: 0010:eth_type_trans+0xd0/0x130
+[ 75.352984] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9
+[ 75.373994] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297
+[ 75.379860] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003
+[ 75.387856] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300
+[ 75.395864] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800
+[ 75.403857] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010
+[ 75.411863] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800
+[ 75.419875] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000
+[ 75.428946] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 75.435403] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0
+[ 75.443410] PKRU: 55555554
+[ 75.446477] Kernel panic - not syncing: Fatal exception in interrupt
+[ 75.453738] Kernel Offset: 0x11c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+[ 75.465794] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
+
+Fixes: 4f1cc51f3488 ("net: flow_dissector: Parse PTP L2 packet header")
+Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/flow_dissector.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
+index 6bed3992df814..aac954d1f757d 100644
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -1402,7 +1402,7 @@ bool __skb_flow_dissect(const struct net *net,
+ break;
+ }
+
+- nhoff += ntohs(hdr->message_length);
++ nhoff += sizeof(struct ptp_header);
+ fdret = FLOW_DISSECT_RET_OUT_GOOD;
+ break;
+ }
+--
+2.40.1
+
--- /dev/null
+From 209f714dea4d1c209af4165e3a9c56545d638609 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 17:36:09 +0200
+Subject: net: ena: Flush XDP packets on error.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 6f411fb5ca9419090bee6a0a46425e0a5060b734 ]
+
+xdp_do_flush() should be invoked before leaving the NAPI poll function
+after a XDP-redirect. This is not the case if the driver leaves via
+the error path (after having a redirect in one of its previous
+iterations).
+
+Invoke xdp_do_flush() also in the error path.
+
+Cc: Arthur Kiyanovski <akiyano@amazon.com>
+Cc: David Arinzon <darinzon@amazon.com>
+Cc: Noam Dagan <ndagan@amazon.com>
+Cc: Saeed Bishara <saeedb@amazon.com>
+Cc: Shay Agroskin <shayagr@amazon.com>
+Fixes: a318c70ad152b ("net: ena: introduce XDP redirect implementation")
+Acked-by: Arthur Kiyanovski <akiyano@amazon.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Acked-by: Jesper Dangaard Brouer <hawk@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amazon/ena/ena_netdev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+index d19593fae2265..dcfda0e8e1b78 100644
+--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
+@@ -1833,6 +1833,9 @@ static int ena_clean_rx_irq(struct ena_ring *rx_ring, struct napi_struct *napi,
+ return work_done;
+
+ error:
++ if (xdp_flags & ENA_XDP_REDIRECT)
++ xdp_do_flush();
++
+ adapter = netdev_priv(rx_ring->netdev);
+
+ if (rc == -ENOSPC) {
+--
+2.40.1
+
--- /dev/null
+From a0b443de902ca65f8ef88062be23081aeacf082c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Sep 2023 18:44:06 +0800
+Subject: net/handshake: Fix memory leak in __sock_create() and
+ sock_alloc_file()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 4a0f07d71b0483cc08c03cefa7c85749e187c214 ]
+
+When making CONFIG_DEBUG_KMEMLEAK=y and CONFIG_DEBUG_KMEMLEAK_AUTO_SCAN=y,
+modprobe handshake-test and then rmmmod handshake-test, the below memory
+leak is detected.
+
+The struct socket_alloc which is allocated by alloc_inode_sb() in
+__sock_create() is not freed. And the struct dentry which is allocated
+by __d_alloc() in sock_alloc_file() is not freed.
+
+Since fput() will call file->f_op->release() which is sock_close() here and
+it will call __sock_release(). and fput() will call dput(dentry) to free
+the struct dentry. So replace sock_release() with fput() to fix the
+below memory leak. After applying this patch, the following memory leak is
+never detected.
+
+unreferenced object 0xffff888109165840 (size 768):
+ comm "kunit_try_catch", pid 1852, jiffies 4294685807 (age 976.262s)
+ hex dump (first 32 bytes):
+ 01 00 00 00 01 00 5a 5a 20 00 00 00 00 00 00 00 ......ZZ .......
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff8397993f>] sock_alloc_inode+0x1f/0x1b0
+ [<ffffffff81a2cb5b>] alloc_inode+0x5b/0x1a0
+ [<ffffffff81a32bed>] new_inode_pseudo+0xd/0x70
+ [<ffffffff8397889c>] sock_alloc+0x3c/0x260
+ [<ffffffff83979b46>] __sock_create+0x66/0x3d0
+ [<ffffffffa0209ba2>] 0xffffffffa0209ba2
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff88810f472008 (size 192):
+ comm "kunit_try_catch", pid 1852, jiffies 4294685808 (age 976.261s)
+ hex dump (first 32 bytes):
+ 00 00 50 40 02 00 00 00 00 00 00 00 00 00 00 00 ..P@............
+ 00 00 00 00 00 00 00 00 08 20 47 0f 81 88 ff ff ......... G.....
+ backtrace:
+ [<ffffffff81a1ff11>] __d_alloc+0x31/0x8a0
+ [<ffffffff81a2910e>] d_alloc_pseudo+0xe/0x50
+ [<ffffffff819d549e>] alloc_file_pseudo+0xce/0x210
+ [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
+ [<ffffffffa0209bbb>] 0xffffffffa0209bbb
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff88810958e580 (size 224):
+ comm "kunit_try_catch", pid 1852, jiffies 4294685808 (age 976.261s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 03 00 2e 08 01 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff819d4b90>] alloc_empty_file+0x50/0x160
+ [<ffffffff819d4cf9>] alloc_file+0x59/0x730
+ [<ffffffff819d5524>] alloc_file_pseudo+0x154/0x210
+ [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
+ [<ffffffffa0209bbb>] 0xffffffffa0209bbb
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff88810926dc88 (size 192):
+ comm "kunit_try_catch", pid 1854, jiffies 4294685809 (age 976.271s)
+ hex dump (first 32 bytes):
+ 00 00 50 40 02 00 00 00 00 00 00 00 00 00 00 00 ..P@............
+ 00 00 00 00 00 00 00 00 88 dc 26 09 81 88 ff ff ..........&.....
+ backtrace:
+ [<ffffffff81a1ff11>] __d_alloc+0x31/0x8a0
+ [<ffffffff81a2910e>] d_alloc_pseudo+0xe/0x50
+ [<ffffffff819d549e>] alloc_file_pseudo+0xce/0x210
+ [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
+ [<ffffffffa0208fdc>] 0xffffffffa0208fdc
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff88810a241380 (size 224):
+ comm "kunit_try_catch", pid 1854, jiffies 4294685809 (age 976.271s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 03 00 2e 08 01 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff819d4b90>] alloc_empty_file+0x50/0x160
+ [<ffffffff819d4cf9>] alloc_file+0x59/0x730
+ [<ffffffff819d5524>] alloc_file_pseudo+0x154/0x210
+ [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
+ [<ffffffffa0208fdc>] 0xffffffffa0208fdc
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff888109165040 (size 768):
+ comm "kunit_try_catch", pid 1856, jiffies 4294685811 (age 976.269s)
+ hex dump (first 32 bytes):
+ 01 00 00 00 01 00 5a 5a 20 00 00 00 00 00 00 00 ......ZZ .......
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff8397993f>] sock_alloc_inode+0x1f/0x1b0
+ [<ffffffff81a2cb5b>] alloc_inode+0x5b/0x1a0
+ [<ffffffff81a32bed>] new_inode_pseudo+0xd/0x70
+ [<ffffffff8397889c>] sock_alloc+0x3c/0x260
+ [<ffffffff83979b46>] __sock_create+0x66/0x3d0
+ [<ffffffffa0208860>] 0xffffffffa0208860
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff88810926d568 (size 192):
+ comm "kunit_try_catch", pid 1856, jiffies 4294685811 (age 976.269s)
+ hex dump (first 32 bytes):
+ 00 00 50 40 02 00 00 00 00 00 00 00 00 00 00 00 ..P@............
+ 00 00 00 00 00 00 00 00 68 d5 26 09 81 88 ff ff ........h.&.....
+ backtrace:
+ [<ffffffff81a1ff11>] __d_alloc+0x31/0x8a0
+ [<ffffffff81a2910e>] d_alloc_pseudo+0xe/0x50
+ [<ffffffff819d549e>] alloc_file_pseudo+0xce/0x210
+ [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
+ [<ffffffffa0208879>] 0xffffffffa0208879
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff88810a240580 (size 224):
+ comm "kunit_try_catch", pid 1856, jiffies 4294685811 (age 976.347s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 03 00 2e 08 01 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff819d4b90>] alloc_empty_file+0x50/0x160
+ [<ffffffff819d4cf9>] alloc_file+0x59/0x730
+ [<ffffffff819d5524>] alloc_file_pseudo+0x154/0x210
+ [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
+ [<ffffffffa0208879>] 0xffffffffa0208879
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff888109164c40 (size 768):
+ comm "kunit_try_catch", pid 1858, jiffies 4294685816 (age 976.342s)
+ hex dump (first 32 bytes):
+ 01 00 00 00 01 00 5a 5a 20 00 00 00 00 00 00 00 ......ZZ .......
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff8397993f>] sock_alloc_inode+0x1f/0x1b0
+ [<ffffffff81a2cb5b>] alloc_inode+0x5b/0x1a0
+ [<ffffffff81a32bed>] new_inode_pseudo+0xd/0x70
+ [<ffffffff8397889c>] sock_alloc+0x3c/0x260
+ [<ffffffff83979b46>] __sock_create+0x66/0x3d0
+ [<ffffffffa0208541>] 0xffffffffa0208541
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff88810926cd18 (size 192):
+ comm "kunit_try_catch", pid 1858, jiffies 4294685816 (age 976.342s)
+ hex dump (first 32 bytes):
+ 00 00 50 40 02 00 00 00 00 00 00 00 00 00 00 00 ..P@............
+ 00 00 00 00 00 00 00 00 18 cd 26 09 81 88 ff ff ..........&.....
+ backtrace:
+ [<ffffffff81a1ff11>] __d_alloc+0x31/0x8a0
+ [<ffffffff81a2910e>] d_alloc_pseudo+0xe/0x50
+ [<ffffffff819d549e>] alloc_file_pseudo+0xce/0x210
+ [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
+ [<ffffffffa020855a>] 0xffffffffa020855a
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff88810a240200 (size 224):
+ comm "kunit_try_catch", pid 1858, jiffies 4294685816 (age 976.342s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 03 00 2e 08 01 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff819d4b90>] alloc_empty_file+0x50/0x160
+ [<ffffffff819d4cf9>] alloc_file+0x59/0x730
+ [<ffffffff819d5524>] alloc_file_pseudo+0x154/0x210
+ [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
+ [<ffffffffa020855a>] 0xffffffffa020855a
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff888109164840 (size 768):
+ comm "kunit_try_catch", pid 1860, jiffies 4294685817 (age 976.416s)
+ hex dump (first 32 bytes):
+ 01 00 00 00 01 00 5a 5a 20 00 00 00 00 00 00 00 ......ZZ .......
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff8397993f>] sock_alloc_inode+0x1f/0x1b0
+ [<ffffffff81a2cb5b>] alloc_inode+0x5b/0x1a0
+ [<ffffffff81a32bed>] new_inode_pseudo+0xd/0x70
+ [<ffffffff8397889c>] sock_alloc+0x3c/0x260
+ [<ffffffff83979b46>] __sock_create+0x66/0x3d0
+ [<ffffffffa02093e2>] 0xffffffffa02093e2
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff88810926cab8 (size 192):
+ comm "kunit_try_catch", pid 1860, jiffies 4294685817 (age 976.416s)
+ hex dump (first 32 bytes):
+ 00 00 50 40 02 00 00 00 00 00 00 00 00 00 00 00 ..P@............
+ 00 00 00 00 00 00 00 00 b8 ca 26 09 81 88 ff ff ..........&.....
+ backtrace:
+ [<ffffffff81a1ff11>] __d_alloc+0x31/0x8a0
+ [<ffffffff81a2910e>] d_alloc_pseudo+0xe/0x50
+ [<ffffffff819d549e>] alloc_file_pseudo+0xce/0x210
+ [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
+ [<ffffffffa02093fb>] 0xffffffffa02093fb
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff88810a240040 (size 224):
+ comm "kunit_try_catch", pid 1860, jiffies 4294685817 (age 976.416s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 03 00 2e 08 01 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff819d4b90>] alloc_empty_file+0x50/0x160
+ [<ffffffff819d4cf9>] alloc_file+0x59/0x730
+ [<ffffffff819d5524>] alloc_file_pseudo+0x154/0x210
+ [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
+ [<ffffffffa02093fb>] 0xffffffffa02093fb
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff888109166440 (size 768):
+ comm "kunit_try_catch", pid 1862, jiffies 4294685819 (age 976.489s)
+ hex dump (first 32 bytes):
+ 01 00 00 00 01 00 5a 5a 20 00 00 00 00 00 00 00 ......ZZ .......
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff8397993f>] sock_alloc_inode+0x1f/0x1b0
+ [<ffffffff81a2cb5b>] alloc_inode+0x5b/0x1a0
+ [<ffffffff81a32bed>] new_inode_pseudo+0xd/0x70
+ [<ffffffff8397889c>] sock_alloc+0x3c/0x260
+ [<ffffffff83979b46>] __sock_create+0x66/0x3d0
+ [<ffffffffa02097c1>] 0xffffffffa02097c1
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff88810926c398 (size 192):
+ comm "kunit_try_catch", pid 1862, jiffies 4294685819 (age 976.489s)
+ hex dump (first 32 bytes):
+ 00 00 50 40 02 00 00 00 00 00 00 00 00 00 00 00 ..P@............
+ 00 00 00 00 00 00 00 00 98 c3 26 09 81 88 ff ff ..........&.....
+ backtrace:
+ [<ffffffff81a1ff11>] __d_alloc+0x31/0x8a0
+ [<ffffffff81a2910e>] d_alloc_pseudo+0xe/0x50
+ [<ffffffff819d549e>] alloc_file_pseudo+0xce/0x210
+ [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
+ [<ffffffffa02097da>] 0xffffffffa02097da
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff888107e0b8c0 (size 224):
+ comm "kunit_try_catch", pid 1862, jiffies 4294685819 (age 976.489s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 03 00 2e 08 01 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff819d4b90>] alloc_empty_file+0x50/0x160
+ [<ffffffff819d4cf9>] alloc_file+0x59/0x730
+ [<ffffffff819d5524>] alloc_file_pseudo+0x154/0x210
+ [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
+ [<ffffffffa02097da>] 0xffffffffa02097da
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff888109164440 (size 768):
+ comm "kunit_try_catch", pid 1864, jiffies 4294685821 (age 976.487s)
+ hex dump (first 32 bytes):
+ 01 00 00 00 01 00 5a 5a 20 00 00 00 00 00 00 00 ......ZZ .......
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff8397993f>] sock_alloc_inode+0x1f/0x1b0
+ [<ffffffff81a2cb5b>] alloc_inode+0x5b/0x1a0
+ [<ffffffff81a32bed>] new_inode_pseudo+0xd/0x70
+ [<ffffffff8397889c>] sock_alloc+0x3c/0x260
+ [<ffffffff83979b46>] __sock_create+0x66/0x3d0
+ [<ffffffffa020824e>] 0xffffffffa020824e
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff88810f4cf698 (size 192):
+ comm "kunit_try_catch", pid 1864, jiffies 4294685821 (age 976.501s)
+ hex dump (first 32 bytes):
+ 00 00 50 40 02 00 00 00 00 00 00 00 00 00 00 00 ..P@............
+ 00 00 00 00 00 00 00 00 98 f6 4c 0f 81 88 ff ff ..........L.....
+ backtrace:
+ [<ffffffff81a1ff11>] __d_alloc+0x31/0x8a0
+ [<ffffffff81a2910e>] d_alloc_pseudo+0xe/0x50
+ [<ffffffff819d549e>] alloc_file_pseudo+0xce/0x210
+ [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
+ [<ffffffffa0208267>] 0xffffffffa0208267
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+unreferenced object 0xffff888107e0b000 (size 224):
+ comm "kunit_try_catch", pid 1864, jiffies 4294685821 (age 976.501s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 03 00 2e 08 01 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff819d4b90>] alloc_empty_file+0x50/0x160
+ [<ffffffff819d4cf9>] alloc_file+0x59/0x730
+ [<ffffffff819d5524>] alloc_file_pseudo+0x154/0x210
+ [<ffffffff83978582>] sock_alloc_file+0x42/0x1b0
+ [<ffffffffa0208267>] 0xffffffffa0208267
+ [<ffffffff829cf03a>] kunit_generic_run_threadfn_adapter+0x4a/0x90
+ [<ffffffff81236fc6>] kthread+0x2b6/0x380
+ [<ffffffff81096afd>] ret_from_fork+0x2d/0x70
+ [<ffffffff81003511>] ret_from_fork_asm+0x11/0x20
+
+Fixes: 88232ec1ec5e ("net/handshake: Add Kunit tests for the handshake consumer API")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/handshake/handshake-test.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/net/handshake/handshake-test.c b/net/handshake/handshake-test.c
+index 6d37bab35c8fc..16ed7bfd29e4f 100644
+--- a/net/handshake/handshake-test.c
++++ b/net/handshake/handshake-test.c
+@@ -235,7 +235,7 @@ static void handshake_req_submit_test4(struct kunit *test)
+ KUNIT_EXPECT_PTR_EQ(test, req, result);
+
+ handshake_req_cancel(sock->sk);
+- sock_release(sock);
++ fput(filp);
+ }
+
+ static void handshake_req_submit_test5(struct kunit *test)
+@@ -272,7 +272,7 @@ static void handshake_req_submit_test5(struct kunit *test)
+ /* Assert */
+ KUNIT_EXPECT_EQ(test, err, -EAGAIN);
+
+- sock_release(sock);
++ fput(filp);
+ hn->hn_pending = saved;
+ }
+
+@@ -306,7 +306,7 @@ static void handshake_req_submit_test6(struct kunit *test)
+ KUNIT_EXPECT_EQ(test, err, -EBUSY);
+
+ handshake_req_cancel(sock->sk);
+- sock_release(sock);
++ fput(filp);
+ }
+
+ static void handshake_req_cancel_test1(struct kunit *test)
+@@ -340,7 +340,7 @@ static void handshake_req_cancel_test1(struct kunit *test)
+ /* Assert */
+ KUNIT_EXPECT_TRUE(test, result);
+
+- sock_release(sock);
++ fput(filp);
+ }
+
+ static void handshake_req_cancel_test2(struct kunit *test)
+@@ -382,7 +382,7 @@ static void handshake_req_cancel_test2(struct kunit *test)
+ /* Assert */
+ KUNIT_EXPECT_TRUE(test, result);
+
+- sock_release(sock);
++ fput(filp);
+ }
+
+ static void handshake_req_cancel_test3(struct kunit *test)
+@@ -427,7 +427,7 @@ static void handshake_req_cancel_test3(struct kunit *test)
+ /* Assert */
+ KUNIT_EXPECT_FALSE(test, result);
+
+- sock_release(sock);
++ fput(filp);
+ }
+
+ static struct handshake_req *handshake_req_destroy_test;
+@@ -471,7 +471,7 @@ static void handshake_req_destroy_test1(struct kunit *test)
+ handshake_req_cancel(sock->sk);
+
+ /* Act */
+- sock_release(sock);
++ fput(filp);
+
+ /* Assert */
+ KUNIT_EXPECT_PTR_EQ(test, handshake_req_destroy_test, req);
+--
+2.40.1
+
--- /dev/null
+From 1a254ee241286af14561d618aacc127e4b305d1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Sep 2023 10:27:15 +0800
+Subject: net: hinic: Fix warning-hinic_set_vlan_fliter() warn: variable
+ dereferenced before check 'hwdev'
+
+From: Cai Huoqing <cai.huoqing@linux.dev>
+
+[ Upstream commit 22b6e7f3d6d51ff2716480f3d8f3098d90d69165 ]
+
+'hwdev' is checked too late and hwdev will not be NULL, so remove the check
+
+Fixes: 2acf960e3be6 ("net: hinic: Add support for configuration of rx-vlan-filter by ethtool")
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/r/202309112354.pikZCmyk-lkp@intel.com/
+Signed-off-by: Cai Huoqing <cai.huoqing@linux.dev>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/huawei/hinic/hinic_port.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/huawei/hinic/hinic_port.c b/drivers/net/ethernet/huawei/hinic/hinic_port.c
+index 9406237c461e0..f81a43d2cdfcd 100644
+--- a/drivers/net/ethernet/huawei/hinic/hinic_port.c
++++ b/drivers/net/ethernet/huawei/hinic/hinic_port.c
+@@ -456,9 +456,6 @@ int hinic_set_vlan_fliter(struct hinic_dev *nic_dev, u32 en)
+ u16 out_size = sizeof(vlan_filter);
+ int err;
+
+- if (!hwdev)
+- return -EINVAL;
+-
+ vlan_filter.func_idx = HINIC_HWIF_FUNC_IDX(hwif);
+ vlan_filter.enable = en;
+
+--
+2.40.1
+
--- /dev/null
+From 967baacb3965d94d84c89215dd4439893556bbfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 15:48:40 +0800
+Subject: net: hns3: add 5ms delay before clear firmware reset irq source
+
+From: Jie Wang <wangjie125@huawei.com>
+
+[ Upstream commit 0770063096d5da4a8e467b6e73c1646a75589628 ]
+
+Currently the reset process in hns3 and firmware watchdog init process is
+asynchronous. we think firmware watchdog initialization is completed
+before hns3 clear the firmware interrupt source. However, firmware
+initialization may not complete early.
+
+so we add delay before hns3 clear firmware interrupt source and 5 ms delay
+is enough to avoid second firmware reset interrupt.
+
+Fixes: c1a81619d73a ("net: hns3: Add mailbox interrupt handling to PF driver")
+Signed-off-by: Jie Wang <wangjie125@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index a4500abfa286f..ed6cf59853bf6 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -3564,9 +3564,14 @@ static u32 hclge_check_event_cause(struct hclge_dev *hdev, u32 *clearval)
+ static void hclge_clear_event_cause(struct hclge_dev *hdev, u32 event_type,
+ u32 regclr)
+ {
++#define HCLGE_IMP_RESET_DELAY 5
++
+ switch (event_type) {
+ case HCLGE_VECTOR0_EVENT_PTP:
+ case HCLGE_VECTOR0_EVENT_RST:
++ if (regclr == BIT(HCLGE_VECTOR0_IMPRESET_INT_B))
++ mdelay(HCLGE_IMP_RESET_DELAY);
++
+ hclge_write_dev(&hdev->hw, HCLGE_MISC_RESET_STS_REG, regclr);
+ break;
+ case HCLGE_VECTOR0_EVENT_MBX:
+--
+2.40.1
+
--- /dev/null
+From 7987d72a8a87ee16c005bdd9943846da7e9c7520 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 15:48:36 +0800
+Subject: net: hns3: add cmdq check for vf periodic service task
+
+From: Jie Wang <wangjie125@huawei.com>
+
+[ Upstream commit bd3caddf299a640efb66c6022efed7fe744db626 ]
+
+When the vf cmdq is disabled, there is no need to keep these task running.
+So this patch skip these task when the cmdq is disabled.
+
+Fixes: ff200099d271 ("net: hns3: remove unnecessary work in hclgevf_main")
+Signed-off-by: Jie Wang <wangjie125@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index 7a2f9233d6954..a4d68fb216fb9 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -1855,7 +1855,8 @@ static void hclgevf_periodic_service_task(struct hclgevf_dev *hdev)
+ unsigned long delta = round_jiffies_relative(HZ);
+ struct hnae3_handle *handle = &hdev->nic;
+
+- if (test_bit(HCLGEVF_STATE_RST_FAIL, &hdev->state))
++ if (test_bit(HCLGEVF_STATE_RST_FAIL, &hdev->state) ||
++ test_bit(HCLGE_COMM_STATE_CMD_DISABLE, &hdev->hw.hw.comm_state))
+ return;
+
+ if (time_is_after_jiffies(hdev->last_serv_processed + HZ)) {
+--
+2.40.1
+
--- /dev/null
+From 4305669bbd768b3632140ad0adf1c3bdecfe38c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 15:48:39 +0800
+Subject: net: hns3: fix fail to delete tc flower rules during reset issue
+
+From: Jijie Shao <shaojijie@huawei.com>
+
+[ Upstream commit 1a7be66e4685b8541546222c305cce9710718a88 ]
+
+Firmware does not respond driver commands during reset
+Therefore, rule will fail to delete while the firmware is resetting
+
+So, if failed to delete rule, set rule state to TO_DEL,
+and the rule will be deleted when periodic task being scheduled.
+
+Fixes: 0205ec041ec6 ("net: hns3: add support for hw tc offload of tc flower")
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 26e9fa9cc2cd3..a4500abfa286f 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -7348,6 +7348,12 @@ static int hclge_del_cls_flower(struct hnae3_handle *handle,
+ ret = hclge_fd_tcam_config(hdev, HCLGE_FD_STAGE_1, true, rule->location,
+ NULL, false);
+ if (ret) {
++ /* if tcam config fail, set rule state to TO_DEL,
++ * so the rule will be deleted when periodic
++ * task being scheduled.
++ */
++ hclge_update_fd_list(hdev, HCLGE_FD_TO_DEL, rule->location, NULL);
++ set_bit(HCLGE_STATE_FD_TBL_CHANGED, &hdev->state);
+ spin_unlock_bh(&hdev->fd_rule_lock);
+ return ret;
+ }
+--
+2.40.1
+
--- /dev/null
+From 82dad221a5d5d05699733eb3fd3429c06912fba0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 15:48:37 +0800
+Subject: net: hns3: fix GRE checksum offload issue
+
+From: Jie Wang <wangjie125@huawei.com>
+
+[ Upstream commit f9f651261130cdcb7adc9a3e365b356bc2749ab3 ]
+
+The device_version V3 hardware can't offload the checksum for IP in GRE
+packets, but can do it for NvGRE. So default to disable the checksum and
+GSO offload for GRE, but keep the ability to enable it when only using
+NvGRE.
+
+Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
+Signed-off-by: Jie Wang <wangjie125@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 613d0a779cef2..71a2ec03f2b38 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -3352,6 +3352,15 @@ static void hns3_set_default_feature(struct net_device *netdev)
+ NETIF_F_HW_TC);
+
+ netdev->hw_enc_features |= netdev->vlan_features | NETIF_F_TSO_MANGLEID;
++
++ /* The device_version V3 hardware can't offload the checksum for IP in
++ * GRE packets, but can do it for NvGRE. So default to disable the
++ * checksum and GSO offload for GRE.
++ */
++ if (ae_dev->dev_version > HNAE3_DEVICE_VERSION_V2) {
++ netdev->features &= ~NETIF_F_GSO_GRE;
++ netdev->features &= ~NETIF_F_GSO_GRE_CSUM;
++ }
+ }
+
+ static int hns3_alloc_buffer(struct hns3_enet_ring *ring,
+--
+2.40.1
+
--- /dev/null
+From a569130d37ff7d1fc7907fbe221882c89663dc4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 15:48:38 +0800
+Subject: net: hns3: only enable unicast promisc when mac table full
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit f2ed304922a55690529bcca59678dd92d7466ce8 ]
+
+Currently, the driver will enable unicast promisc for the function
+once configure mac address fail. It's unreasonable when the failure
+is caused by using same mac address with other functions. So only
+enable unicast promisc when mac table full.
+
+Fixes: c631c696823c ("net: hns3: refactor the promisc mode setting")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index ce6b658a930cc..26e9fa9cc2cd3 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -8824,7 +8824,7 @@ static void hclge_update_overflow_flags(struct hclge_vport *vport,
+ if (mac_type == HCLGE_MAC_ADDR_UC) {
+ if (is_all_added)
+ vport->overflow_promisc_flags &= ~HNAE3_OVERFLOW_UPE;
+- else
++ else if (hclge_is_umv_space_full(vport, true))
+ vport->overflow_promisc_flags |= HNAE3_OVERFLOW_UPE;
+ } else {
+ if (is_all_added)
+--
+2.40.1
+
--- /dev/null
+From 8dea0cf627b7c6052a07484d0fa75a2f05e61aa4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 20:10:02 +0200
+Subject: net: hsr: Properly parse HSRv1 supervisor frames.
+
+From: Lukasz Majewski <lukma@denx.de>
+
+[ Upstream commit 295de650d3aaf9e50258465c5f1c84b465d836f6 ]
+
+While adding support for parsing the redbox supervision frames, the
+author added `pull_size' and `total_pull_size' to track the amount of
+bytes that were pulled from the skb during while parsing the skb so it
+can be reverted/ pushed back at the end.
+In the process probably copy&paste error occurred and for the HSRv1 case
+the ethhdr was used instead of the hsr_tag. Later the hsr_tag was used
+instead of hsr_sup_tag. The later error didn't matter because both
+structs have the size so HSRv0 was still working. It broke however HSRv1
+parsing because struct ethhdr is larger than struct hsr_tag.
+
+Reinstate the old pulling flow and pull first ethhdr, hsr_tag in v1 case
+followed by hsr_sup_tag.
+
+[bigeasy: commit message]
+
+Fixes: eafaa88b3eb7 ("net: hsr: Add support for redbox supervision frames")'
+Suggested-by: Tristram.Ha@microchip.com
+Signed-off-by: Lukasz Majewski <lukma@denx.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_framereg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c
+index b77f1189d19d1..6d14d935ee828 100644
+--- a/net/hsr/hsr_framereg.c
++++ b/net/hsr/hsr_framereg.c
+@@ -288,13 +288,13 @@ void hsr_handle_sup_frame(struct hsr_frame_info *frame)
+
+ /* And leave the HSR tag. */
+ if (ethhdr->h_proto == htons(ETH_P_HSR)) {
+- pull_size = sizeof(struct ethhdr);
++ pull_size = sizeof(struct hsr_tag);
+ skb_pull(skb, pull_size);
+ total_pull_size += pull_size;
+ }
+
+ /* And leave the HSR sup tag. */
+- pull_size = sizeof(struct hsr_tag);
++ pull_size = sizeof(struct hsr_sup_tag);
+ skb_pull(skb, pull_size);
+ total_pull_size += pull_size;
+
+--
+2.40.1
+
--- /dev/null
+From 80f0e3568f02089d85bf322f72e4012efd05ded0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 19:03:06 +0800
+Subject: net: microchip: sparx5: Fix memory leak for
+ vcap_api_rule_add_keyvalue_test()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit f037fc9905ffa6fa19b89bfbc86946798cede071 ]
+
+Inject fault while probing kunit-example-test.ko, the field which
+is allocated by kzalloc in vcap_rule_add_key() of
+vcap_rule_add_key_bit/u32/u128() is not freed, and it cause
+the memory leaks below.
+
+unreferenced object 0xffff0276c14b7240 (size 64):
+ comm "kunit_try_catch", pid 284, jiffies 4294894220 (age 920.072s)
+ hex dump (first 32 bytes):
+ 28 3c 61 82 00 80 ff ff 28 3c 61 82 00 80 ff ff (<a.....(<a.....
+ 67 00 00 00 00 00 00 00 00 01 37 2b af ab ff ff g.........7+....
+ backtrace:
+ [<0000000028f08898>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000514b9b37>] __kmem_cache_alloc_node+0x174/0x290
+ [<000000004620684a>] kmalloc_trace+0x40/0x164
+ [<0000000059ad6bcd>] vcap_rule_add_key+0x104/0x180
+ [<00000000ff8002d3>] vcap_api_rule_add_keyvalue_test+0x100/0xba8
+ [<00000000fcc5326c>] kunit_try_run_case+0x50/0xac
+ [<00000000f5f45b20>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000026284079>] kthread+0x124/0x130
+ [<0000000024d4a996>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff0276c14b7280 (size 64):
+ comm "kunit_try_catch", pid 284, jiffies 4294894221 (age 920.068s)
+ hex dump (first 32 bytes):
+ 28 3c 61 82 00 80 ff ff 28 3c 61 82 00 80 ff ff (<a.....(<a.....
+ 67 00 00 00 00 00 00 00 01 01 37 2b af ab ff ff g.........7+....
+ backtrace:
+ [<0000000028f08898>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000514b9b37>] __kmem_cache_alloc_node+0x174/0x290
+ [<000000004620684a>] kmalloc_trace+0x40/0x164
+ [<0000000059ad6bcd>] vcap_rule_add_key+0x104/0x180
+ [<00000000f5ac9dc7>] vcap_api_rule_add_keyvalue_test+0x168/0xba8
+ [<00000000fcc5326c>] kunit_try_run_case+0x50/0xac
+ [<00000000f5f45b20>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000026284079>] kthread+0x124/0x130
+ [<0000000024d4a996>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff0276c14b72c0 (size 64):
+ comm "kunit_try_catch", pid 284, jiffies 4294894221 (age 920.068s)
+ hex dump (first 32 bytes):
+ 28 3c 61 82 00 80 ff ff 28 3c 61 82 00 80 ff ff (<a.....(<a.....
+ 67 00 00 00 00 00 00 00 00 00 37 2b af ab ff ff g.........7+....
+ backtrace:
+ [<0000000028f08898>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000514b9b37>] __kmem_cache_alloc_node+0x174/0x290
+ [<000000004620684a>] kmalloc_trace+0x40/0x164
+ [<0000000059ad6bcd>] vcap_rule_add_key+0x104/0x180
+ [<00000000c918ae7f>] vcap_api_rule_add_keyvalue_test+0x1d0/0xba8
+ [<00000000fcc5326c>] kunit_try_run_case+0x50/0xac
+ [<00000000f5f45b20>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000026284079>] kthread+0x124/0x130
+ [<0000000024d4a996>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff0276c14b7300 (size 64):
+ comm "kunit_try_catch", pid 284, jiffies 4294894221 (age 920.084s)
+ hex dump (first 32 bytes):
+ 28 3c 61 82 00 80 ff ff 28 3c 61 82 00 80 ff ff (<a.....(<a.....
+ 7d 00 00 00 01 00 00 00 32 54 76 98 ab ff 00 ff }.......2Tv.....
+ backtrace:
+ [<0000000028f08898>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000514b9b37>] __kmem_cache_alloc_node+0x174/0x290
+ [<000000004620684a>] kmalloc_trace+0x40/0x164
+ [<0000000059ad6bcd>] vcap_rule_add_key+0x104/0x180
+ [<0000000003352814>] vcap_api_rule_add_keyvalue_test+0x240/0xba8
+ [<00000000fcc5326c>] kunit_try_run_case+0x50/0xac
+ [<00000000f5f45b20>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000026284079>] kthread+0x124/0x130
+ [<0000000024d4a996>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff0276c14b7340 (size 64):
+ comm "kunit_try_catch", pid 284, jiffies 4294894221 (age 920.084s)
+ hex dump (first 32 bytes):
+ 28 3c 61 82 00 80 ff ff 28 3c 61 82 00 80 ff ff (<a.....(<a.....
+ 51 00 00 00 07 00 00 00 17 26 35 44 63 62 71 00 Q........&5Dcbq.
+ backtrace:
+ [<0000000028f08898>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000514b9b37>] __kmem_cache_alloc_node+0x174/0x290
+ [<000000004620684a>] kmalloc_trace+0x40/0x164
+ [<0000000059ad6bcd>] vcap_rule_add_key+0x104/0x180
+ [<000000001516f109>] vcap_api_rule_add_keyvalue_test+0x2cc/0xba8
+ [<00000000fcc5326c>] kunit_try_run_case+0x50/0xac
+ [<00000000f5f45b20>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000026284079>] kthread+0x124/0x130
+ [<0000000024d4a996>] ret_from_fork+0x10/0x20
+
+Fixes: c956b9b318d9 ("net: microchip: sparx5: Adding KUNIT tests of key/action values in VCAP API")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/microchip/vcap/vcap_api_kunit.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c b/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
+index c07f25e791c76..2fb0b8cf2b0cd 100644
+--- a/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
++++ b/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
+@@ -995,6 +995,16 @@ static void vcap_api_encode_rule_actionset_test(struct kunit *test)
+ KUNIT_EXPECT_EQ(test, (u32)0x00000000, actwords[11]);
+ }
+
++static void vcap_free_ckf(struct vcap_rule *rule)
++{
++ struct vcap_client_keyfield *ckf, *next_ckf;
++
++ list_for_each_entry_safe(ckf, next_ckf, &rule->keyfields, ctrl.list) {
++ list_del(&ckf->ctrl.list);
++ kfree(ckf);
++ }
++}
++
+ static void vcap_api_rule_add_keyvalue_test(struct kunit *test)
+ {
+ struct vcap_admin admin = {
+@@ -1027,6 +1037,7 @@ static void vcap_api_rule_add_keyvalue_test(struct kunit *test)
+ KUNIT_EXPECT_EQ(test, VCAP_FIELD_BIT, kf->ctrl.type);
+ KUNIT_EXPECT_EQ(test, 0x0, kf->data.u1.value);
+ KUNIT_EXPECT_EQ(test, 0x1, kf->data.u1.mask);
++ vcap_free_ckf(rule);
+
+ INIT_LIST_HEAD(&rule->keyfields);
+ ret = vcap_rule_add_key_bit(rule, VCAP_KF_LOOKUP_FIRST_IS, VCAP_BIT_1);
+@@ -1039,6 +1050,7 @@ static void vcap_api_rule_add_keyvalue_test(struct kunit *test)
+ KUNIT_EXPECT_EQ(test, VCAP_FIELD_BIT, kf->ctrl.type);
+ KUNIT_EXPECT_EQ(test, 0x1, kf->data.u1.value);
+ KUNIT_EXPECT_EQ(test, 0x1, kf->data.u1.mask);
++ vcap_free_ckf(rule);
+
+ INIT_LIST_HEAD(&rule->keyfields);
+ ret = vcap_rule_add_key_bit(rule, VCAP_KF_LOOKUP_FIRST_IS,
+@@ -1052,6 +1064,7 @@ static void vcap_api_rule_add_keyvalue_test(struct kunit *test)
+ KUNIT_EXPECT_EQ(test, VCAP_FIELD_BIT, kf->ctrl.type);
+ KUNIT_EXPECT_EQ(test, 0x0, kf->data.u1.value);
+ KUNIT_EXPECT_EQ(test, 0x0, kf->data.u1.mask);
++ vcap_free_ckf(rule);
+
+ INIT_LIST_HEAD(&rule->keyfields);
+ ret = vcap_rule_add_key_u32(rule, VCAP_KF_TYPE, 0x98765432, 0xff00ffab);
+@@ -1064,6 +1077,7 @@ static void vcap_api_rule_add_keyvalue_test(struct kunit *test)
+ KUNIT_EXPECT_EQ(test, VCAP_FIELD_U32, kf->ctrl.type);
+ KUNIT_EXPECT_EQ(test, 0x98765432, kf->data.u32.value);
+ KUNIT_EXPECT_EQ(test, 0xff00ffab, kf->data.u32.mask);
++ vcap_free_ckf(rule);
+
+ INIT_LIST_HEAD(&rule->keyfields);
+ ret = vcap_rule_add_key_u128(rule, VCAP_KF_L3_IP6_SIP, &dip);
+@@ -1078,6 +1092,7 @@ static void vcap_api_rule_add_keyvalue_test(struct kunit *test)
+ KUNIT_EXPECT_EQ(test, dip.value[idx], kf->data.u128.value[idx]);
+ for (idx = 0; idx < ARRAY_SIZE(dip.mask); ++idx)
+ KUNIT_EXPECT_EQ(test, dip.mask[idx], kf->data.u128.mask[idx]);
++ vcap_free_ckf(rule);
+ }
+
+ static void vcap_api_rule_add_actionvalue_test(struct kunit *test)
+--
+2.40.1
+
--- /dev/null
+From 74a9e9bf3226c02cb1b065a020185c6e6094091f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 19:03:07 +0800
+Subject: net: microchip: sparx5: Fix memory leak for
+ vcap_api_rule_add_actionvalue_test()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 39d0ccc185315408e7cecfcaf06d167927b51052 ]
+
+Inject fault while probing kunit-example-test.ko, the field which
+is allocated by kzalloc in vcap_rule_add_action() of
+vcap_rule_add_action_bit/u32() is not freed, and it cause
+the memory leaks below.
+
+unreferenced object 0xffff0276c496b300 (size 64):
+ comm "kunit_try_catch", pid 286, jiffies 4294894224 (age 920.072s)
+ hex dump (first 32 bytes):
+ 68 3c 62 82 00 80 ff ff 68 3c 62 82 00 80 ff ff h<b.....h<b.....
+ 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <...............
+ backtrace:
+ [<0000000028f08898>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000514b9b37>] __kmem_cache_alloc_node+0x174/0x290
+ [<000000004620684a>] kmalloc_trace+0x40/0x164
+ [<000000008b41c84d>] vcap_rule_add_action+0x104/0x178
+ [<00000000ae66c16c>] vcap_api_rule_add_actionvalue_test+0xa4/0x990
+ [<00000000fcc5326c>] kunit_try_run_case+0x50/0xac
+ [<00000000f5f45b20>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000026284079>] kthread+0x124/0x130
+ [<0000000024d4a996>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff0276c496b2c0 (size 64):
+ comm "kunit_try_catch", pid 286, jiffies 4294894224 (age 920.072s)
+ hex dump (first 32 bytes):
+ 68 3c 62 82 00 80 ff ff 68 3c 62 82 00 80 ff ff h<b.....h<b.....
+ 3c 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 <...............
+ backtrace:
+ [<0000000028f08898>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000514b9b37>] __kmem_cache_alloc_node+0x174/0x290
+ [<000000004620684a>] kmalloc_trace+0x40/0x164
+ [<000000008b41c84d>] vcap_rule_add_action+0x104/0x178
+ [<00000000607782aa>] vcap_api_rule_add_actionvalue_test+0x100/0x990
+ [<00000000fcc5326c>] kunit_try_run_case+0x50/0xac
+ [<00000000f5f45b20>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000026284079>] kthread+0x124/0x130
+ [<0000000024d4a996>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff0276c496b280 (size 64):
+ comm "kunit_try_catch", pid 286, jiffies 4294894224 (age 920.072s)
+ hex dump (first 32 bytes):
+ 68 3c 62 82 00 80 ff ff 68 3c 62 82 00 80 ff ff h<b.....h<b.....
+ 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <...............
+ backtrace:
+ [<0000000028f08898>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000514b9b37>] __kmem_cache_alloc_node+0x174/0x290
+ [<000000004620684a>] kmalloc_trace+0x40/0x164
+ [<000000008b41c84d>] vcap_rule_add_action+0x104/0x178
+ [<000000004e640602>] vcap_api_rule_add_actionvalue_test+0x15c/0x990
+ [<00000000fcc5326c>] kunit_try_run_case+0x50/0xac
+ [<00000000f5f45b20>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000026284079>] kthread+0x124/0x130
+ [<0000000024d4a996>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff0276c496b240 (size 64):
+ comm "kunit_try_catch", pid 286, jiffies 4294894224 (age 920.092s)
+ hex dump (first 32 bytes):
+ 68 3c 62 82 00 80 ff ff 68 3c 62 82 00 80 ff ff h<b.....h<b.....
+ 5a 00 00 00 01 00 00 00 32 54 76 98 00 00 00 00 Z.......2Tv.....
+ backtrace:
+ [<0000000028f08898>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000514b9b37>] __kmem_cache_alloc_node+0x174/0x290
+ [<000000004620684a>] kmalloc_trace+0x40/0x164
+ [<000000008b41c84d>] vcap_rule_add_action+0x104/0x178
+ [<0000000011141bf8>] vcap_api_rule_add_actionvalue_test+0x1bc/0x990
+ [<00000000fcc5326c>] kunit_try_run_case+0x50/0xac
+ [<00000000f5f45b20>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000026284079>] kthread+0x124/0x130
+ [<0000000024d4a996>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff0276c496b200 (size 64):
+ comm "kunit_try_catch", pid 286, jiffies 4294894224 (age 920.092s)
+ hex dump (first 32 bytes):
+ 68 3c 62 82 00 80 ff ff 68 3c 62 82 00 80 ff ff h<b.....h<b.....
+ 28 00 00 00 01 00 00 00 dd cc bb aa 00 00 00 00 (...............
+ backtrace:
+ [<0000000028f08898>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000514b9b37>] __kmem_cache_alloc_node+0x174/0x290
+ [<000000004620684a>] kmalloc_trace+0x40/0x164
+ [<000000008b41c84d>] vcap_rule_add_action+0x104/0x178
+ [<00000000d5ed3088>] vcap_api_rule_add_actionvalue_test+0x22c/0x990
+ [<00000000fcc5326c>] kunit_try_run_case+0x50/0xac
+ [<00000000f5f45b20>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000026284079>] kthread+0x124/0x130
+ [<0000000024d4a996>] ret_from_fork+0x10/0x20
+
+Fixes: c956b9b318d9 ("net: microchip: sparx5: Adding KUNIT tests of key/action values in VCAP API")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/microchip/vcap/vcap_api_kunit.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c b/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
+index 2fb0b8cf2b0cd..f268383a75707 100644
+--- a/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
++++ b/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
+@@ -1095,6 +1095,17 @@ static void vcap_api_rule_add_keyvalue_test(struct kunit *test)
+ vcap_free_ckf(rule);
+ }
+
++static void vcap_free_caf(struct vcap_rule *rule)
++{
++ struct vcap_client_actionfield *caf, *next_caf;
++
++ list_for_each_entry_safe(caf, next_caf,
++ &rule->actionfields, ctrl.list) {
++ list_del(&caf->ctrl.list);
++ kfree(caf);
++ }
++}
++
+ static void vcap_api_rule_add_actionvalue_test(struct kunit *test)
+ {
+ struct vcap_admin admin = {
+@@ -1120,6 +1131,7 @@ static void vcap_api_rule_add_actionvalue_test(struct kunit *test)
+ KUNIT_EXPECT_EQ(test, VCAP_AF_POLICE_ENA, af->ctrl.action);
+ KUNIT_EXPECT_EQ(test, VCAP_FIELD_BIT, af->ctrl.type);
+ KUNIT_EXPECT_EQ(test, 0x0, af->data.u1.value);
++ vcap_free_caf(rule);
+
+ INIT_LIST_HEAD(&rule->actionfields);
+ ret = vcap_rule_add_action_bit(rule, VCAP_AF_POLICE_ENA, VCAP_BIT_1);
+@@ -1131,6 +1143,7 @@ static void vcap_api_rule_add_actionvalue_test(struct kunit *test)
+ KUNIT_EXPECT_EQ(test, VCAP_AF_POLICE_ENA, af->ctrl.action);
+ KUNIT_EXPECT_EQ(test, VCAP_FIELD_BIT, af->ctrl.type);
+ KUNIT_EXPECT_EQ(test, 0x1, af->data.u1.value);
++ vcap_free_caf(rule);
+
+ INIT_LIST_HEAD(&rule->actionfields);
+ ret = vcap_rule_add_action_bit(rule, VCAP_AF_POLICE_ENA, VCAP_BIT_ANY);
+@@ -1142,6 +1155,7 @@ static void vcap_api_rule_add_actionvalue_test(struct kunit *test)
+ KUNIT_EXPECT_EQ(test, VCAP_AF_POLICE_ENA, af->ctrl.action);
+ KUNIT_EXPECT_EQ(test, VCAP_FIELD_BIT, af->ctrl.type);
+ KUNIT_EXPECT_EQ(test, 0x0, af->data.u1.value);
++ vcap_free_caf(rule);
+
+ INIT_LIST_HEAD(&rule->actionfields);
+ ret = vcap_rule_add_action_u32(rule, VCAP_AF_TYPE, 0x98765432);
+@@ -1153,6 +1167,7 @@ static void vcap_api_rule_add_actionvalue_test(struct kunit *test)
+ KUNIT_EXPECT_EQ(test, VCAP_AF_TYPE, af->ctrl.action);
+ KUNIT_EXPECT_EQ(test, VCAP_FIELD_U32, af->ctrl.type);
+ KUNIT_EXPECT_EQ(test, 0x98765432, af->data.u32.value);
++ vcap_free_caf(rule);
+
+ INIT_LIST_HEAD(&rule->actionfields);
+ ret = vcap_rule_add_action_u32(rule, VCAP_AF_MASK_MODE, 0xaabbccdd);
+@@ -1164,6 +1179,7 @@ static void vcap_api_rule_add_actionvalue_test(struct kunit *test)
+ KUNIT_EXPECT_EQ(test, VCAP_AF_MASK_MODE, af->ctrl.action);
+ KUNIT_EXPECT_EQ(test, VCAP_FIELD_U32, af->ctrl.type);
+ KUNIT_EXPECT_EQ(test, 0xaabbccdd, af->data.u32.value);
++ vcap_free_caf(rule);
+ }
+
+ static void vcap_api_rule_find_keyset_basic_test(struct kunit *test)
+--
+2.40.1
+
--- /dev/null
+From 780a96272d91016dc51676267ac524890b0eeaa6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 19:03:08 +0800
+Subject: net: microchip: sparx5: Fix possible memory leak in
+ vcap_api_encode_rule_test()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 89e3af0277388f32d56915a6715c735e4afae5d6 ]
+
+Inject fault while probing kunit-example-test.ko, the duprule which
+is allocated in vcap_dup_rule() and the vcap enabled port which
+is allocated in vcap_enable() of vcap_enable_lookups in
+vcap_api_encode_rule_test() is not freed, and it cause the memory
+leaks below.
+
+Use vcap_enable_lookups() with false arg to free the vcap enabled
+port as other drivers do it. And use vcap_del_rule() to
+free the duprule.
+
+unreferenced object 0xffff677a0278bb00 (size 64):
+ comm "kunit_try_catch", pid 388, jiffies 4294895987 (age 1101.840s)
+ hex dump (first 32 bytes):
+ 18 bd a5 82 00 80 ff ff 18 bd a5 82 00 80 ff ff ................
+ 40 fe c8 0e be c6 ff ff 00 00 00 00 00 00 00 00 @...............
+ backtrace:
+ [<000000007d53023a>] slab_post_alloc_hook+0xb8/0x368
+ [<0000000076e3f654>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000034d76721>] kmalloc_trace+0x40/0x164
+ [<00000000013380a5>] vcap_enable_lookups+0x1c8/0x70c
+ [<00000000bbec496b>] vcap_api_encode_rule_test+0x2f8/0xb18
+ [<000000002c2bfb7b>] kunit_try_run_case+0x50/0xac
+ [<00000000ff74642b>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<000000004af845ca>] kthread+0x124/0x130
+ [<0000000038a000ca>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff677a027803c0 (size 192):
+ comm "kunit_try_catch", pid 388, jiffies 4294895988 (age 1101.836s)
+ hex dump (first 32 bytes):
+ 00 12 7a 00 05 00 00 00 0a 00 00 00 64 00 00 00 ..z.........d...
+ 00 00 00 00 00 00 00 00 d8 03 78 02 7a 67 ff ff ..........x.zg..
+ backtrace:
+ [<000000007d53023a>] slab_post_alloc_hook+0xb8/0x368
+ [<0000000076e3f654>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000034d76721>] kmalloc_trace+0x40/0x164
+ [<00000000c1010131>] vcap_dup_rule+0x34/0x14c
+ [<00000000d43c54a4>] vcap_add_rule+0x29c/0x32c
+ [<0000000073f1c26d>] vcap_api_encode_rule_test+0x304/0xb18
+ [<000000002c2bfb7b>] kunit_try_run_case+0x50/0xac
+ [<00000000ff74642b>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<000000004af845ca>] kthread+0x124/0x130
+ [<0000000038a000ca>] ret_from_fork+0x10/0x20
+
+Fixes: c956b9b318d9 ("net: microchip: sparx5: Adding KUNIT tests of key/action values in VCAP API")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c b/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
+index f268383a75707..8c61a5dbce55f 100644
+--- a/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
++++ b/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
+@@ -1439,6 +1439,10 @@ static void vcap_api_encode_rule_test(struct kunit *test)
+ ret = list_empty(&is2_admin.rules);
+ KUNIT_EXPECT_EQ(test, false, ret);
+ KUNIT_EXPECT_EQ(test, 0, ret);
++
++ vcap_enable_lookups(&test_vctrl, &test_netdev, 0, 0,
++ rule->cookie, false);
++
+ vcap_free_rule(rule);
+
+ /* Check that the rule has been freed: tricky to access since this
+@@ -1449,6 +1453,8 @@ static void vcap_api_encode_rule_test(struct kunit *test)
+ KUNIT_EXPECT_EQ(test, true, ret);
+ ret = list_empty(&rule->actionfields);
+ KUNIT_EXPECT_EQ(test, true, ret);
++
++ vcap_del_rule(&test_vctrl, &test_netdev, id);
+ }
+
+ static void vcap_api_set_rule_counter_test(struct kunit *test)
+--
+2.40.1
+
--- /dev/null
+From 55013c2d91e269597746c7adddb35acafab51da0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 19:03:09 +0800
+Subject: net: microchip: sparx5: Fix possible memory leaks in
+ test_vcap_xn_rule_creator()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 20146fa73ab8db2ab9f4916bbaf4610646787a09 ]
+
+Inject fault while probing kunit-example-test.ko, the rule which
+is allocated by kzalloc in vcap_alloc_rule(), the field which is
+allocated by kzalloc in vcap_rule_add_action() and
+vcap_rule_add_key() is not freed, and it cause the memory leaks
+below. Use vcap_free_rule() to free them as other drivers do it.
+
+And since the return rule of test_vcap_xn_rule_creator() is not
+used, remove it and switch to void.
+
+unreferenced object 0xffff058383334240 (size 192):
+ comm "kunit_try_catch", pid 309, jiffies 4294894222 (age 639.800s)
+ hex dump (first 32 bytes):
+ 10 27 00 00 04 00 00 00 14 00 00 00 90 01 00 00 .'..............
+ 00 00 00 00 00 00 00 00 00 81 93 84 83 05 ff ff ................
+ backtrace:
+ [<000000008585a8f7>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000795eba12>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000061886991>] kmalloc_trace+0x40/0x164
+ [<00000000648fefae>] vcap_alloc_rule+0x17c/0x26c
+ [<000000004da16164>] test_vcap_xn_rule_creator.constprop.43+0xac/0x328
+ [<00000000231b1097>] vcap_api_rule_insert_in_order_test+0xcc/0x184
+ [<00000000548b559e>] kunit_try_run_case+0x50/0xac
+ [<00000000663f0105>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<00000000e646f120>] kthread+0x124/0x130
+ [<000000005257599e>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff0583849380c0 (size 64):
+ comm "kunit_try_catch", pid 309, jiffies 4294894222 (age 639.800s)
+ hex dump (first 32 bytes):
+ 40 81 93 84 83 05 ff ff 68 42 33 83 83 05 ff ff @.......hB3.....
+ 22 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 "...............
+ backtrace:
+ [<000000008585a8f7>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000795eba12>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000061886991>] kmalloc_trace+0x40/0x164
+ [<00000000ee41df9e>] vcap_rule_add_action+0x104/0x178
+ [<000000001cc1bb38>] test_vcap_xn_rule_creator.constprop.43+0xd8/0x328
+ [<00000000231b1097>] vcap_api_rule_insert_in_order_test+0xcc/0x184
+ [<00000000548b559e>] kunit_try_run_case+0x50/0xac
+ [<00000000663f0105>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<00000000e646f120>] kthread+0x124/0x130
+ [<000000005257599e>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff058384938100 (size 64):
+ comm "kunit_try_catch", pid 309, jiffies 4294894222 (age 639.800s)
+ hex dump (first 32 bytes):
+ 80 81 93 84 83 05 ff ff 58 42 33 83 83 05 ff ff ........XB3.....
+ 7d 00 00 00 01 00 00 00 02 00 00 00 ff 00 00 00 }...............
+ backtrace:
+ [<000000008585a8f7>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000795eba12>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000061886991>] kmalloc_trace+0x40/0x164
+ [<0000000043c78991>] vcap_rule_add_key+0x104/0x180
+ [<00000000ba73cfbe>] vcap_add_type_keyfield+0xfc/0x128
+ [<000000002b00f7df>] vcap_val_rule+0x274/0x3e8
+ [<00000000e67d2ff5>] test_vcap_xn_rule_creator.constprop.43+0xf0/0x328
+ [<00000000231b1097>] vcap_api_rule_insert_in_order_test+0xcc/0x184
+ [<00000000548b559e>] kunit_try_run_case+0x50/0xac
+ [<00000000663f0105>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<00000000e646f120>] kthread+0x124/0x130
+ [<000000005257599e>] ret_from_fork+0x10/0x20
+
+unreferenced object 0xffff0583833b6240 (size 192):
+ comm "kunit_try_catch", pid 311, jiffies 4294894225 (age 639.844s)
+ hex dump (first 32 bytes):
+ 10 27 00 00 04 00 00 00 1e 00 00 00 2c 01 00 00 .'..........,...
+ 00 00 00 00 00 00 00 00 40 91 8f 84 83 05 ff ff ........@.......
+ backtrace:
+ [<000000008585a8f7>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000795eba12>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000061886991>] kmalloc_trace+0x40/0x164
+ [<00000000648fefae>] vcap_alloc_rule+0x17c/0x26c
+ [<000000004da16164>] test_vcap_xn_rule_creator.constprop.43+0xac/0x328
+ [<00000000509de3f4>] vcap_api_rule_insert_reverse_order_test+0x10c/0x654
+ [<00000000548b559e>] kunit_try_run_case+0x50/0xac
+ [<00000000663f0105>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<00000000e646f120>] kthread+0x124/0x130
+ [<000000005257599e>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff0583848f9100 (size 64):
+ comm "kunit_try_catch", pid 311, jiffies 4294894225 (age 639.844s)
+ hex dump (first 32 bytes):
+ 80 91 8f 84 83 05 ff ff 68 62 3b 83 83 05 ff ff ........hb;.....
+ 22 00 00 00 01 00 00 00 00 00 00 00 a5 b4 ff ff "...............
+ backtrace:
+ [<000000008585a8f7>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000795eba12>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000061886991>] kmalloc_trace+0x40/0x164
+ [<00000000ee41df9e>] vcap_rule_add_action+0x104/0x178
+ [<000000001cc1bb38>] test_vcap_xn_rule_creator.constprop.43+0xd8/0x328
+ [<00000000509de3f4>] vcap_api_rule_insert_reverse_order_test+0x10c/0x654
+ [<00000000548b559e>] kunit_try_run_case+0x50/0xac
+ [<00000000663f0105>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<00000000e646f120>] kthread+0x124/0x130
+ [<000000005257599e>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff0583848f9140 (size 64):
+ comm "kunit_try_catch", pid 311, jiffies 4294894225 (age 639.844s)
+ hex dump (first 32 bytes):
+ c0 91 8f 84 83 05 ff ff 58 62 3b 83 83 05 ff ff ........Xb;.....
+ 7d 00 00 00 01 00 00 00 02 00 00 00 ff 00 00 00 }...............
+ backtrace:
+ [<000000008585a8f7>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000795eba12>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000061886991>] kmalloc_trace+0x40/0x164
+ [<0000000043c78991>] vcap_rule_add_key+0x104/0x180
+ [<00000000ba73cfbe>] vcap_add_type_keyfield+0xfc/0x128
+ [<000000002b00f7df>] vcap_val_rule+0x274/0x3e8
+ [<00000000e67d2ff5>] test_vcap_xn_rule_creator.constprop.43+0xf0/0x328
+ [<00000000509de3f4>] vcap_api_rule_insert_reverse_order_test+0x10c/0x654
+ [<00000000548b559e>] kunit_try_run_case+0x50/0xac
+ [<00000000663f0105>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<00000000e646f120>] kthread+0x124/0x130
+ [<000000005257599e>] ret_from_fork+0x10/0x20
+
+unreferenced object 0xffff05838264e0c0 (size 192):
+ comm "kunit_try_catch", pid 313, jiffies 4294894230 (age 639.864s)
+ hex dump (first 32 bytes):
+ 10 27 00 00 04 00 00 00 0a 00 00 00 f4 01 00 00 .'..............
+ 00 00 00 00 00 00 00 00 40 3a 97 84 83 05 ff ff ........@:......
+ backtrace:
+ [<000000008585a8f7>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000795eba12>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000061886991>] kmalloc_trace+0x40/0x164
+ [<00000000648fefae>] vcap_alloc_rule+0x17c/0x26c
+ [<000000004da16164>] test_vcap_xn_rule_creator.constprop.43+0xac/0x328
+ [<00000000a29794d8>] vcap_api_rule_remove_at_end_test+0xbc/0xb48
+ [<00000000548b559e>] kunit_try_run_case+0x50/0xac
+ [<00000000663f0105>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<00000000e646f120>] kthread+0x124/0x130
+ [<000000005257599e>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff058384973a80 (size 64):
+ comm "kunit_try_catch", pid 313, jiffies 4294894230 (age 639.864s)
+ hex dump (first 32 bytes):
+ e8 e0 64 82 83 05 ff ff e8 e0 64 82 83 05 ff ff ..d.......d.....
+ 22 00 00 00 01 00 00 00 00 00 00 00 00 80 ff ff "...............
+ backtrace:
+ [<000000008585a8f7>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000795eba12>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000061886991>] kmalloc_trace+0x40/0x164
+ [<00000000ee41df9e>] vcap_rule_add_action+0x104/0x178
+ [<000000001cc1bb38>] test_vcap_xn_rule_creator.constprop.43+0xd8/0x328
+ [<00000000a29794d8>] vcap_api_rule_remove_at_end_test+0xbc/0xb48
+ [<00000000548b559e>] kunit_try_run_case+0x50/0xac
+ [<00000000663f0105>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<00000000e646f120>] kthread+0x124/0x130
+ [<000000005257599e>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff058384973a40 (size 64):
+ comm "kunit_try_catch", pid 313, jiffies 4294894230 (age 639.880s)
+ hex dump (first 32 bytes):
+ 80 39 97 84 83 05 ff ff d8 e0 64 82 83 05 ff ff .9........d.....
+ 7d 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 }...............
+ backtrace:
+ [<000000008585a8f7>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000795eba12>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000061886991>] kmalloc_trace+0x40/0x164
+ [<0000000043c78991>] vcap_rule_add_key+0x104/0x180
+ [<0000000094335477>] vcap_add_type_keyfield+0xbc/0x128
+ [<000000002b00f7df>] vcap_val_rule+0x274/0x3e8
+ [<00000000e67d2ff5>] test_vcap_xn_rule_creator.constprop.43+0xf0/0x328
+ [<00000000a29794d8>] vcap_api_rule_remove_at_end_test+0xbc/0xb48
+ [<00000000548b559e>] kunit_try_run_case+0x50/0xac
+ [<00000000663f0105>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<00000000e646f120>] kthread+0x124/0x130
+ [<000000005257599e>] ret_from_fork+0x10/0x20
+
+unreferenced object 0xffff0583832fa240 (size 192):
+ comm "kunit_try_catch", pid 315, jiffies 4294894233 (age 639.920s)
+ hex dump (first 32 bytes):
+ 10 27 00 00 04 00 00 00 14 00 00 00 90 01 00 00 .'..............
+ 00 00 00 00 00 00 00 00 00 a1 8b 84 83 05 ff ff ................
+ backtrace:
+ [<000000008585a8f7>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000795eba12>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000061886991>] kmalloc_trace+0x40/0x164
+ [<00000000648fefae>] vcap_alloc_rule+0x17c/0x26c
+ [<000000004da16164>] test_vcap_xn_rule_creator.constprop.43+0xac/0x328
+ [<00000000be638a45>] vcap_api_rule_remove_in_middle_test+0xc4/0xb80
+ [<00000000548b559e>] kunit_try_run_case+0x50/0xac
+ [<00000000663f0105>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<00000000e646f120>] kthread+0x124/0x130
+ [<000000005257599e>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff0583848ba0c0 (size 64):
+ comm "kunit_try_catch", pid 315, jiffies 4294894233 (age 639.920s)
+ hex dump (first 32 bytes):
+ 40 a1 8b 84 83 05 ff ff 68 a2 2f 83 83 05 ff ff @.......h./.....
+ 22 00 00 00 01 00 00 00 00 00 00 00 00 80 ff ff "...............
+ backtrace:
+ [<000000008585a8f7>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000795eba12>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000061886991>] kmalloc_trace+0x40/0x164
+ [<00000000ee41df9e>] vcap_rule_add_action+0x104/0x178
+ [<000000001cc1bb38>] test_vcap_xn_rule_creator.constprop.43+0xd8/0x328
+ [<00000000be638a45>] vcap_api_rule_remove_in_middle_test+0xc4/0xb80
+ [<00000000548b559e>] kunit_try_run_case+0x50/0xac
+ [<00000000663f0105>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<00000000e646f120>] kthread+0x124/0x130
+ [<000000005257599e>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff0583848ba100 (size 64):
+ comm "kunit_try_catch", pid 315, jiffies 4294894233 (age 639.920s)
+ hex dump (first 32 bytes):
+ 80 a1 8b 84 83 05 ff ff 58 a2 2f 83 83 05 ff ff ........X./.....
+ 7d 00 00 00 01 00 00 00 02 00 00 00 ff 00 00 00 }...............
+ backtrace:
+ [<000000008585a8f7>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000795eba12>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000061886991>] kmalloc_trace+0x40/0x164
+ [<0000000043c78991>] vcap_rule_add_key+0x104/0x180
+ [<00000000ba73cfbe>] vcap_add_type_keyfield+0xfc/0x128
+ [<000000002b00f7df>] vcap_val_rule+0x274/0x3e8
+ [<00000000e67d2ff5>] test_vcap_xn_rule_creator.constprop.43+0xf0/0x328
+ [<00000000be638a45>] vcap_api_rule_remove_in_middle_test+0xc4/0xb80
+ [<00000000548b559e>] kunit_try_run_case+0x50/0xac
+ [<00000000663f0105>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<00000000e646f120>] kthread+0x124/0x130
+ [<000000005257599e>] ret_from_fork+0x10/0x20
+
+unreferenced object 0xffff0583827d2180 (size 192):
+ comm "kunit_try_catch", pid 317, jiffies 4294894238 (age 639.956s)
+ hex dump (first 32 bytes):
+ 10 27 00 00 04 00 00 00 14 00 00 00 90 01 00 00 .'..............
+ 00 00 00 00 00 00 00 00 00 e1 06 83 83 05 ff ff ................
+ backtrace:
+ [<000000008585a8f7>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000795eba12>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000061886991>] kmalloc_trace+0x40/0x164
+ [<00000000648fefae>] vcap_alloc_rule+0x17c/0x26c
+ [<000000004da16164>] test_vcap_xn_rule_creator.constprop.43+0xac/0x328
+ [<00000000e1ed8350>] vcap_api_rule_remove_in_front_test+0x144/0x6c0
+ [<00000000548b559e>] kunit_try_run_case+0x50/0xac
+ [<00000000663f0105>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<00000000e646f120>] kthread+0x124/0x130
+ [<000000005257599e>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff05838306e0c0 (size 64):
+ comm "kunit_try_catch", pid 317, jiffies 4294894238 (age 639.956s)
+ hex dump (first 32 bytes):
+ 40 e1 06 83 83 05 ff ff a8 21 7d 82 83 05 ff ff @........!}.....
+ 22 00 00 00 01 00 00 00 00 00 00 00 00 80 ff ff "...............
+ backtrace:
+ [<000000008585a8f7>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000795eba12>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000061886991>] kmalloc_trace+0x40/0x164
+ [<00000000ee41df9e>] vcap_rule_add_action+0x104/0x178
+ [<000000001cc1bb38>] test_vcap_xn_rule_creator.constprop.43+0xd8/0x328
+ [<00000000e1ed8350>] vcap_api_rule_remove_in_front_test+0x144/0x6c0
+ [<00000000548b559e>] kunit_try_run_case+0x50/0xac
+ [<00000000663f0105>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<00000000e646f120>] kthread+0x124/0x130
+ [<000000005257599e>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff05838306e180 (size 64):
+ comm "kunit_try_catch", pid 317, jiffies 4294894238 (age 639.968s)
+ hex dump (first 32 bytes):
+ 98 21 7d 82 83 05 ff ff 00 e1 06 83 83 05 ff ff .!}.............
+ 67 00 00 00 00 00 00 00 01 01 00 00 ff 00 00 00 g...............
+ backtrace:
+ [<000000008585a8f7>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000795eba12>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000061886991>] kmalloc_trace+0x40/0x164
+ [<0000000043c78991>] vcap_rule_add_key+0x104/0x180
+ [<000000006ce4945d>] test_add_def_fields+0x84/0x8c
+ [<00000000507e0ab6>] vcap_val_rule+0x294/0x3e8
+ [<00000000e67d2ff5>] test_vcap_xn_rule_creator.constprop.43+0xf0/0x328
+ [<00000000e1ed8350>] vcap_api_rule_remove_in_front_test+0x144/0x6c0
+ [<00000000548b559e>] kunit_try_run_case+0x50/0xac
+ [<00000000663f0105>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<00000000e646f120>] kthread+0x124/0x130
+ [<000000005257599e>] ret_from_fork+0x10/0x20
+
+Fixes: dccc30cc4906 ("net: microchip: sparx5: Add KUNIT test of counters and sorted rules")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202309090950.uOTEKQq3-lkp@intel.com/
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c b/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
+index 8c61a5dbce55f..99f04a53a442b 100644
+--- a/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
++++ b/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
+@@ -243,10 +243,9 @@ static void vcap_test_api_init(struct vcap_admin *admin)
+ }
+
+ /* Helper function to create a rule of a specific size */
+-static struct vcap_rule *
+-test_vcap_xn_rule_creator(struct kunit *test, int cid, enum vcap_user user,
+- u16 priority,
+- int id, int size, int expected_addr)
++static void test_vcap_xn_rule_creator(struct kunit *test, int cid,
++ enum vcap_user user, u16 priority,
++ int id, int size, int expected_addr)
+ {
+ struct vcap_rule *rule;
+ struct vcap_rule_internal *ri;
+@@ -311,7 +310,7 @@ test_vcap_xn_rule_creator(struct kunit *test, int cid, enum vcap_user user,
+ ret = vcap_add_rule(rule);
+ KUNIT_EXPECT_EQ(test, 0, ret);
+ KUNIT_EXPECT_EQ(test, expected_addr, ri->addr);
+- return rule;
++ vcap_free_rule(rule);
+ }
+
+ /* Prepare testing rule deletion */
+--
+2.40.1
+
--- /dev/null
+From d91ddb71b13de8966da42e7461b336006a68c57d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 19:03:10 +0800
+Subject: net: microchip: sparx5: Fix possible memory leaks in vcap_api_kunit
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit 2a2dffd911d4139258b828b9c5056cb64b826758 ]
+
+Inject fault while probing kunit-example-test.ko, the duprule which
+is allocated by kzalloc in vcap_dup_rule() of
+test_vcap_xn_rule_creator() is not freed, and it cause the memory leaks
+below. Use vcap_del_rule() to free them as other functions do it.
+
+unreferenced object 0xffff6eb4846f6180 (size 192):
+ comm "kunit_try_catch", pid 405, jiffies 4294895522 (age 880.004s)
+ hex dump (first 32 bytes):
+ 10 27 00 00 04 00 00 00 0a 00 00 00 f4 01 00 00 .'..............
+ 00 00 00 00 00 00 00 00 98 61 6f 84 b4 6e ff ff .........ao..n..
+ backtrace:
+ [<00000000f1b5b86e>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000c56cdd9a>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000046ef1b64>] kmalloc_trace+0x40/0x164
+ [<000000008565145b>] vcap_dup_rule+0x38/0x210
+ [<00000000bd9e1f12>] vcap_add_rule+0x29c/0x32c
+ [<0000000070a539b1>] test_vcap_xn_rule_creator.constprop.43+0x120/0x330
+ [<00000000d2ac4ccb>] vcap_api_rule_insert_in_order_test+0xa4/0x114
+ [<000000000f88f9cb>] kunit_try_run_case+0x50/0xac
+ [<00000000e848de5a>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000058a88b6b>] kthread+0x124/0x130
+ [<00000000891cf28a>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff6eb4846f6240 (size 192):
+ comm "kunit_try_catch", pid 405, jiffies 4294895524 (age 879.996s)
+ hex dump (first 32 bytes):
+ 10 27 00 00 04 00 00 00 14 00 00 00 90 01 00 00 .'..............
+ 00 00 00 00 00 00 00 00 58 62 6f 84 b4 6e ff ff ........Xbo..n..
+ backtrace:
+ [<00000000f1b5b86e>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000c56cdd9a>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000046ef1b64>] kmalloc_trace+0x40/0x164
+ [<000000008565145b>] vcap_dup_rule+0x38/0x210
+ [<00000000bd9e1f12>] vcap_add_rule+0x29c/0x32c
+ [<0000000070a539b1>] test_vcap_xn_rule_creator.constprop.43+0x120/0x330
+ [<0000000052e6ad35>] vcap_api_rule_insert_in_order_test+0xbc/0x114
+ [<000000000f88f9cb>] kunit_try_run_case+0x50/0xac
+ [<00000000e848de5a>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000058a88b6b>] kthread+0x124/0x130
+ [<00000000891cf28a>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff6eb4846f6300 (size 192):
+ comm "kunit_try_catch", pid 405, jiffies 4294895524 (age 879.996s)
+ hex dump (first 32 bytes):
+ 10 27 00 00 04 00 00 00 1e 00 00 00 2c 01 00 00 .'..........,...
+ 00 00 00 00 00 00 00 00 18 63 6f 84 b4 6e ff ff .........co..n..
+ backtrace:
+ [<00000000f1b5b86e>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000c56cdd9a>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000046ef1b64>] kmalloc_trace+0x40/0x164
+ [<000000008565145b>] vcap_dup_rule+0x38/0x210
+ [<00000000bd9e1f12>] vcap_add_rule+0x29c/0x32c
+ [<0000000070a539b1>] test_vcap_xn_rule_creator.constprop.43+0x120/0x330
+ [<000000001b0895d4>] vcap_api_rule_insert_in_order_test+0xd4/0x114
+ [<000000000f88f9cb>] kunit_try_run_case+0x50/0xac
+ [<00000000e848de5a>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000058a88b6b>] kthread+0x124/0x130
+ [<00000000891cf28a>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff6eb4846f63c0 (size 192):
+ comm "kunit_try_catch", pid 405, jiffies 4294895524 (age 880.012s)
+ hex dump (first 32 bytes):
+ 10 27 00 00 04 00 00 00 28 00 00 00 c8 00 00 00 .'......(.......
+ 00 00 00 00 00 00 00 00 d8 63 6f 84 b4 6e ff ff .........co..n..
+ backtrace:
+ [<00000000f1b5b86e>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000c56cdd9a>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000046ef1b64>] kmalloc_trace+0x40/0x164
+ [<000000008565145b>] vcap_dup_rule+0x38/0x210
+ [<00000000bd9e1f12>] vcap_add_rule+0x29c/0x32c
+ [<0000000070a539b1>] test_vcap_xn_rule_creator.constprop.43+0x120/0x330
+ [<00000000134c151f>] vcap_api_rule_insert_in_order_test+0xec/0x114
+ [<000000000f88f9cb>] kunit_try_run_case+0x50/0xac
+ [<00000000e848de5a>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000058a88b6b>] kthread+0x124/0x130
+ [<00000000891cf28a>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff6eb4845fc180 (size 192):
+ comm "kunit_try_catch", pid 407, jiffies 4294895527 (age 880.000s)
+ hex dump (first 32 bytes):
+ 10 27 00 00 04 00 00 00 14 00 00 00 c8 00 00 00 .'..............
+ 00 00 00 00 00 00 00 00 98 c1 5f 84 b4 6e ff ff .........._..n..
+ backtrace:
+ [<00000000f1b5b86e>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000c56cdd9a>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000046ef1b64>] kmalloc_trace+0x40/0x164
+ [<000000008565145b>] vcap_dup_rule+0x38/0x210
+ [<00000000bd9e1f12>] vcap_add_rule+0x29c/0x32c
+ [<0000000070a539b1>] test_vcap_xn_rule_creator.constprop.43+0x120/0x330
+ [<00000000fa5f64d3>] vcap_api_rule_insert_reverse_order_test+0xc8/0x600
+ [<000000000f88f9cb>] kunit_try_run_case+0x50/0xac
+ [<00000000e848de5a>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000058a88b6b>] kthread+0x124/0x130
+ [<00000000891cf28a>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff6eb4845fc240 (size 192):
+ comm "kunit_try_catch", pid 407, jiffies 4294895527 (age 880.000s)
+ hex dump (first 32 bytes):
+ 10 27 00 00 04 00 00 00 1e 00 00 00 2c 01 00 00 .'..........,...
+ 00 00 00 00 00 00 00 00 58 c2 5f 84 b4 6e ff ff ........X._..n..
+ backtrace:
+ [<00000000f1b5b86e>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000c56cdd9a>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000046ef1b64>] kmalloc_trace+0x40/0x164
+ [<000000008565145b>] vcap_dup_rule+0x38/0x210
+ [<00000000453dcd80>] vcap_add_rule+0x134/0x32c
+ [<0000000070a539b1>] test_vcap_xn_rule_creator.constprop.43+0x120/0x330
+ [<00000000a7db42de>] vcap_api_rule_insert_reverse_order_test+0x108/0x600
+ [<000000000f88f9cb>] kunit_try_run_case+0x50/0xac
+ [<00000000e848de5a>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000058a88b6b>] kthread+0x124/0x130
+ [<00000000891cf28a>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff6eb4845fc300 (size 192):
+ comm "kunit_try_catch", pid 407, jiffies 4294895527 (age 880.000s)
+ hex dump (first 32 bytes):
+ 10 27 00 00 04 00 00 00 28 00 00 00 90 01 00 00 .'......(.......
+ 00 00 00 00 00 00 00 00 18 c3 5f 84 b4 6e ff ff .........._..n..
+ backtrace:
+ [<00000000f1b5b86e>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000c56cdd9a>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000046ef1b64>] kmalloc_trace+0x40/0x164
+ [<000000008565145b>] vcap_dup_rule+0x38/0x210
+ [<00000000453dcd80>] vcap_add_rule+0x134/0x32c
+ [<0000000070a539b1>] test_vcap_xn_rule_creator.constprop.43+0x120/0x330
+ [<00000000ea416c94>] vcap_api_rule_insert_reverse_order_test+0x150/0x600
+ [<000000000f88f9cb>] kunit_try_run_case+0x50/0xac
+ [<00000000e848de5a>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000058a88b6b>] kthread+0x124/0x130
+ [<00000000891cf28a>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff6eb4845fc3c0 (size 192):
+ comm "kunit_try_catch", pid 407, jiffies 4294895527 (age 880.020s)
+ hex dump (first 32 bytes):
+ 10 27 00 00 04 00 00 00 32 00 00 00 f4 01 00 00 .'......2.......
+ 00 00 00 00 00 00 00 00 d8 c3 5f 84 b4 6e ff ff .........._..n..
+ backtrace:
+ [<00000000f1b5b86e>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000c56cdd9a>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000046ef1b64>] kmalloc_trace+0x40/0x164
+ [<000000008565145b>] vcap_dup_rule+0x38/0x210
+ [<00000000453dcd80>] vcap_add_rule+0x134/0x32c
+ [<0000000070a539b1>] test_vcap_xn_rule_creator.constprop.43+0x120/0x330
+ [<00000000764a39b4>] vcap_api_rule_insert_reverse_order_test+0x198/0x600
+ [<000000000f88f9cb>] kunit_try_run_case+0x50/0xac
+ [<00000000e848de5a>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000058a88b6b>] kthread+0x124/0x130
+ [<00000000891cf28a>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff6eb484cd4240 (size 192):
+ comm "kunit_try_catch", pid 413, jiffies 4294895543 (age 879.956s)
+ hex dump (first 32 bytes):
+ 10 27 00 00 04 00 00 00 1e 00 00 00 2c 01 00 00 .'..........,...
+ 00 00 00 00 00 00 00 00 58 42 cd 84 b4 6e ff ff ........XB...n..
+ backtrace:
+ [<00000000f1b5b86e>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000c56cdd9a>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000046ef1b64>] kmalloc_trace+0x40/0x164
+ [<000000008565145b>] vcap_dup_rule+0x38/0x210
+ [<00000000bd9e1f12>] vcap_add_rule+0x29c/0x32c
+ [<0000000070a539b1>] test_vcap_xn_rule_creator.constprop.43+0x120/0x330
+ [<0000000023976dd4>] vcap_api_rule_remove_in_front_test+0x158/0x658
+ [<000000000f88f9cb>] kunit_try_run_case+0x50/0xac
+ [<00000000e848de5a>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000058a88b6b>] kthread+0x124/0x130
+ [<00000000891cf28a>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff6eb484cd4300 (size 192):
+ comm "kunit_try_catch", pid 413, jiffies 4294895543 (age 879.956s)
+ hex dump (first 32 bytes):
+ 10 27 00 00 04 00 00 00 28 00 00 00 c8 00 00 00 .'......(.......
+ 00 00 00 00 00 00 00 00 18 43 cd 84 b4 6e ff ff .........C...n..
+ backtrace:
+ [<00000000f1b5b86e>] slab_post_alloc_hook+0xb8/0x368
+ [<00000000c56cdd9a>] __kmem_cache_alloc_node+0x174/0x290
+ [<0000000046ef1b64>] kmalloc_trace+0x40/0x164
+ [<000000008565145b>] vcap_dup_rule+0x38/0x210
+ [<00000000bd9e1f12>] vcap_add_rule+0x29c/0x32c
+ [<0000000070a539b1>] test_vcap_xn_rule_creator.constprop.43+0x120/0x330
+ [<000000000b4760ff>] vcap_api_rule_remove_in_front_test+0x170/0x658
+ [<000000000f88f9cb>] kunit_try_run_case+0x50/0xac
+ [<00000000e848de5a>] kunit_generic_run_threadfn_adapter+0x20/0x2c
+ [<0000000058a88b6b>] kthread+0x124/0x130
+ [<00000000891cf28a>] ret_from_fork+0x10/0x20
+
+Fixes: dccc30cc4906 ("net: microchip: sparx5: Add KUNIT test of counters and sorted rules")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/microchip/vcap/vcap_api_kunit.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c b/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
+index 99f04a53a442b..fe4e166de8a04 100644
+--- a/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
++++ b/drivers/net/ethernet/microchip/vcap/vcap_api_kunit.c
+@@ -1597,6 +1597,11 @@ static void vcap_api_rule_insert_in_order_test(struct kunit *test)
+ test_vcap_xn_rule_creator(test, 10000, VCAP_USER_QOS, 20, 400, 6, 774);
+ test_vcap_xn_rule_creator(test, 10000, VCAP_USER_QOS, 30, 300, 3, 771);
+ test_vcap_xn_rule_creator(test, 10000, VCAP_USER_QOS, 40, 200, 2, 768);
++
++ vcap_del_rule(&test_vctrl, &test_netdev, 200);
++ vcap_del_rule(&test_vctrl, &test_netdev, 300);
++ vcap_del_rule(&test_vctrl, &test_netdev, 400);
++ vcap_del_rule(&test_vctrl, &test_netdev, 500);
+ }
+
+ static void vcap_api_rule_insert_reverse_order_test(struct kunit *test)
+@@ -1655,6 +1660,11 @@ static void vcap_api_rule_insert_reverse_order_test(struct kunit *test)
+ ++idx;
+ }
+ KUNIT_EXPECT_EQ(test, 768, admin.last_used_addr);
++
++ vcap_del_rule(&test_vctrl, &test_netdev, 500);
++ vcap_del_rule(&test_vctrl, &test_netdev, 400);
++ vcap_del_rule(&test_vctrl, &test_netdev, 300);
++ vcap_del_rule(&test_vctrl, &test_netdev, 200);
+ }
+
+ static void vcap_api_rule_remove_at_end_test(struct kunit *test)
+@@ -1855,6 +1865,9 @@ static void vcap_api_rule_remove_in_front_test(struct kunit *test)
+ KUNIT_EXPECT_EQ(test, 786, test_init_start);
+ KUNIT_EXPECT_EQ(test, 8, test_init_count);
+ KUNIT_EXPECT_EQ(test, 794, admin.last_used_addr);
++
++ vcap_del_rule(&test_vctrl, &test_netdev, 200);
++ vcap_del_rule(&test_vctrl, &test_netdev, 300);
+ }
+
+ static struct kunit_case vcap_api_rule_remove_test_cases[] = {
+--
+2.40.1
+
--- /dev/null
+From ac01b4d3f7a6e64af3fca227ce35b1f5fa7aa505 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 16:56:23 +0300
+Subject: net: rds: Fix possible NULL-pointer dereference
+
+From: Artem Chernyshev <artem.chernyshev@red-soft.ru>
+
+[ Upstream commit f1d95df0f31048f1c59092648997686e3f7d9478 ]
+
+In rds_rdma_cm_event_handler_cmn() check, if conn pointer exists
+before dereferencing it as rdma_set_service_type() argument
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: fd261ce6a30e ("rds: rdma: update rdma transport for tos")
+Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rds/rdma_transport.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/rds/rdma_transport.c b/net/rds/rdma_transport.c
+index d36f3f6b43510..b15cf316b23a2 100644
+--- a/net/rds/rdma_transport.c
++++ b/net/rds/rdma_transport.c
+@@ -86,11 +86,13 @@ static int rds_rdma_cm_event_handler_cmn(struct rdma_cm_id *cm_id,
+ break;
+
+ case RDMA_CM_EVENT_ADDR_RESOLVED:
+- rdma_set_service_type(cm_id, conn->c_tos);
+- rdma_set_min_rnr_timer(cm_id, IB_RNR_TIMER_000_32);
+- /* XXX do we need to clean up if this fails? */
+- ret = rdma_resolve_route(cm_id,
+- RDS_RDMA_RESOLVE_TIMEOUT_MS);
++ if (conn) {
++ rdma_set_service_type(cm_id, conn->c_tos);
++ rdma_set_min_rnr_timer(cm_id, IB_RNR_TIMER_000_32);
++ /* XXX do we need to clean up if this fails? */
++ ret = rdma_resolve_route(cm_id,
++ RDS_RDMA_RESOLVE_TIMEOUT_MS);
++ }
+ break;
+
+ case RDMA_CM_EVENT_ROUTE_RESOLVED:
+--
+2.40.1
+
--- /dev/null
+From f95709bd896d3b73073a4c9cb07216c0a8f260f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 03:07:43 +0200
+Subject: netfilter, bpf: Adjust timeouts of non-confirmed CTs in
+ bpf_ct_insert_entry()
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+[ Upstream commit 837723b22a63cfbff584655b009b9d488d0e9087 ]
+
+bpf_nf testcase fails on s390x: bpf_skb_ct_lookup() cannot find the entry
+that was added by bpf_ct_insert_entry() within the same BPF function.
+
+The reason is that this entry is deleted by nf_ct_gc_expired().
+
+The CT timeout starts ticking after the CT confirmation; therefore
+nf_conn.timeout is initially set to the timeout value, and
+__nf_conntrack_confirm() sets it to the deadline value.
+
+bpf_ct_insert_entry() sets IPS_CONFIRMED_BIT, but does not adjust the
+timeout, making its value meaningless and causing false positives.
+
+Fix the problem by making bpf_ct_insert_entry() adjust the timeout,
+like __nf_conntrack_confirm().
+
+Fixes: 2cdaa3eefed8 ("netfilter: conntrack: restore IPS_CONFIRMED out of nf_conntrack_hash_check_insert()")
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Florian Westphal <fw@strlen.de>
+Link: https://lore.kernel.org/bpf/20230830011128.1415752-3-iii@linux.ibm.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_bpf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/netfilter/nf_conntrack_bpf.c b/net/netfilter/nf_conntrack_bpf.c
+index 0d36d7285e3f0..747dc22655018 100644
+--- a/net/netfilter/nf_conntrack_bpf.c
++++ b/net/netfilter/nf_conntrack_bpf.c
+@@ -380,6 +380,8 @@ __bpf_kfunc struct nf_conn *bpf_ct_insert_entry(struct nf_conn___init *nfct_i)
+ struct nf_conn *nfct = (struct nf_conn *)nfct_i;
+ int err;
+
++ if (!nf_ct_is_confirmed(nfct))
++ nfct->timeout += nfct_time_stamp;
+ nfct->status |= IPS_CONFIRMED;
+ err = nf_conntrack_hash_check_insert(nfct);
+ if (err < 0) {
+--
+2.40.1
+
--- /dev/null
+From 48ef22293af29279cec1db0ea2656a0553fc7a58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 10:56:07 +0200
+Subject: netfilter: conntrack: fix extension size table
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 4908d5af16676b9d2901830551c2af911e452524 ]
+
+The size table is incorrect due to copypaste error,
+this reserves more size than needed.
+
+TSTAMP reserved 32 instead of 16 bytes.
+TIMEOUT reserved 16 instead of 8 bytes.
+
+Fixes: 5f31edc0676b ("netfilter: conntrack: move extension sizes into core")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_extend.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
+index 0b513f7bf9f39..dd62cc12e7750 100644
+--- a/net/netfilter/nf_conntrack_extend.c
++++ b/net/netfilter/nf_conntrack_extend.c
+@@ -40,10 +40,10 @@ static const u8 nf_ct_ext_type_len[NF_CT_EXT_NUM] = {
+ [NF_CT_EXT_ECACHE] = sizeof(struct nf_conntrack_ecache),
+ #endif
+ #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
+- [NF_CT_EXT_TSTAMP] = sizeof(struct nf_conn_acct),
++ [NF_CT_EXT_TSTAMP] = sizeof(struct nf_conn_tstamp),
+ #endif
+ #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+- [NF_CT_EXT_TIMEOUT] = sizeof(struct nf_conn_tstamp),
++ [NF_CT_EXT_TIMEOUT] = sizeof(struct nf_conn_timeout),
+ #endif
+ #ifdef CONFIG_NF_CONNTRACK_LABELS
+ [NF_CT_EXT_LABELS] = sizeof(struct nf_conn_labels),
+--
+2.40.1
+
--- /dev/null
+From 4a20f419bf183103ff39cc7706333996e1f022fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Sep 2023 20:04:45 +0200
+Subject: netfilter: ipset: Fix race between IPSET_CMD_CREATE and
+ IPSET_CMD_SWAP
+
+From: Jozsef Kadlecsik <kadlec@netfilter.org>
+
+[ Upstream commit 7433b6d2afd512d04398c73aa984d1e285be125b ]
+
+Kyle Zeng reported that there is a race between IPSET_CMD_ADD and IPSET_CMD_SWAP
+in netfilter/ip_set, which can lead to the invocation of `__ip_set_put` on a
+wrong `set`, triggering the `BUG_ON(set->ref == 0);` check in it.
+
+The race is caused by using the wrong reference counter, i.e. the ref counter instead
+of ref_netlink.
+
+Fixes: 24e227896bbf ("netfilter: ipset: Add schedule point in call_ad().")
+Reported-by: Kyle Zeng <zengyhkyle@gmail.com>
+Closes: https://lore.kernel.org/netfilter-devel/ZPZqetxOmH+w%2Fmyc@westworld/#r
+Tested-by: Kyle Zeng <zengyhkyle@gmail.com>
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipset/ip_set_core.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
+index 0b68e2e2824e1..58608460cf6df 100644
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -682,6 +682,14 @@ __ip_set_put(struct ip_set *set)
+ /* set->ref can be swapped out by ip_set_swap, netlink events (like dump) need
+ * a separate reference counter
+ */
++static void
++__ip_set_get_netlink(struct ip_set *set)
++{
++ write_lock_bh(&ip_set_ref_lock);
++ set->ref_netlink++;
++ write_unlock_bh(&ip_set_ref_lock);
++}
++
+ static void
+ __ip_set_put_netlink(struct ip_set *set)
+ {
+@@ -1693,11 +1701,11 @@ call_ad(struct net *net, struct sock *ctnl, struct sk_buff *skb,
+
+ do {
+ if (retried) {
+- __ip_set_get(set);
++ __ip_set_get_netlink(set);
+ nfnl_unlock(NFNL_SUBSYS_IPSET);
+ cond_resched();
+ nfnl_lock(NFNL_SUBSYS_IPSET);
+- __ip_set_put(set);
++ __ip_set_put_netlink(set);
+ }
+
+ ip_set_lock(set);
+--
+2.40.1
+
--- /dev/null
+From 766286e5da4ab8a1cfef2a12c2adb9e104421733 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 15:18:11 +0200
+Subject: netfilter: nf_tables: disable toggling dormant table state more than
+ once
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit c9bd26513b3a11b3adb3c2ed8a31a01a87173ff1 ]
+
+nft -f -<<EOF
+add table ip t
+add table ip t { flags dormant; }
+add chain ip t c { type filter hook input priority 0; }
+add table ip t
+EOF
+
+Triggers a splat from nf core on next table delete because we lose
+track of right hook register state:
+
+WARNING: CPU: 2 PID: 1597 at net/netfilter/core.c:501 __nf_unregister_net_hook
+RIP: 0010:__nf_unregister_net_hook+0x41b/0x570
+ nf_unregister_net_hook+0xb4/0xf0
+ __nf_tables_unregister_hook+0x160/0x1d0
+[..]
+
+The above should have table in *active* state, but in fact no
+hooks were registered.
+
+Reject on/off/on games rather than attempting to fix this.
+
+Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates")
+Reported-by: "Lee, Cherie-Anne" <cherie.lee@starlabs.sg>
+Cc: Bing-Jhong Billy Jheng <billy@starlabs.sg>
+Cc: info@starlabs.sg
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 3e6839c03bccc..976a9b763b9bb 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1219,6 +1219,10 @@ static int nf_tables_updtable(struct nft_ctx *ctx)
+ flags & NFT_TABLE_F_OWNER))
+ return -EOPNOTSUPP;
+
++ /* No dormant off/on/off/on games in single transaction */
++ if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
++ return -EINVAL;
++
+ trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
+ sizeof(struct nft_trans_table));
+ if (trans == NULL)
+--
+2.40.1
+
--- /dev/null
+From 3914e52a79b4cefb00a7d252a46c927fbd9b9a9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Sep 2023 19:04:45 +0200
+Subject: netfilter: nf_tables: disallow element removal on anonymous sets
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 23a3bfd4ba7acd36abf52b78605f61b21bdac216 ]
+
+Anonymous sets need to be populated once at creation and then they are
+bound to rule since 938154b93be8 ("netfilter: nf_tables: reject unbound
+anonymous set before commit phase"), otherwise transaction reports
+EINVAL.
+
+Userspace does not need to delete elements of anonymous sets that are
+not yet bound, reject this with EOPNOTSUPP.
+
+From flush command path, skip anonymous sets, they are expected to be
+bound already. Otherwise, EINVAL is hit at the end of this transaction
+for unbound sets.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index db0a56b2da705..018cf368f6a5f 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1446,8 +1446,7 @@ static int nft_flush_table(struct nft_ctx *ctx)
+ if (!nft_is_active_next(ctx->net, set))
+ continue;
+
+- if (nft_set_is_anonymous(set) &&
+- !list_empty(&set->bindings))
++ if (nft_set_is_anonymous(set))
+ continue;
+
+ err = nft_delset(ctx, set);
+@@ -7188,8 +7187,10 @@ static int nf_tables_delsetelem(struct sk_buff *skb,
+ if (IS_ERR(set))
+ return PTR_ERR(set);
+
+- if (!list_empty(&set->bindings) &&
+- (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS)))
++ if (nft_set_is_anonymous(set))
++ return -EOPNOTSUPP;
++
++ if (!list_empty(&set->bindings) && (set->flags & NFT_SET_CONSTANT))
+ return -EBUSY;
+
+ nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
+--
+2.40.1
+
--- /dev/null
+From 28349ee4dae813824f2c1ca969908966b01cacf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Sep 2023 08:22:33 +0200
+Subject: netfilter: nf_tables: disallow rule removal from chain binding
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit f15f29fd4779be8a418b66e9d52979bb6d6c2325 ]
+
+Chain binding only requires the rule addition/insertion command within
+the same transaction. Removal of rules from chain bindings within the
+same transaction makes no sense, userspace does not utilize this
+feature. Replace nft_chain_is_bound() check to nft_chain_binding() in
+rule deletion commands. Replace command implies a rule deletion, reject
+this command too.
+
+Rule flush command can also safely rely on this nft_chain_binding()
+check because unbound chains are not allowed since 62e1e94b246e
+("netfilter: nf_tables: reject unbound chain set before commit phase").
+
+Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
+Reported-by: Kevin Rich <kevinrich1337@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 1c2fb32bfa5f6..db0a56b2da705 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1432,7 +1432,7 @@ static int nft_flush_table(struct nft_ctx *ctx)
+ if (!nft_is_active_next(ctx->net, chain))
+ continue;
+
+- if (nft_chain_is_bound(chain))
++ if (nft_chain_binding(chain))
+ continue;
+
+ ctx->chain = chain;
+@@ -1477,7 +1477,7 @@ static int nft_flush_table(struct nft_ctx *ctx)
+ if (!nft_is_active_next(ctx->net, chain))
+ continue;
+
+- if (nft_chain_is_bound(chain))
++ if (nft_chain_binding(chain))
+ continue;
+
+ ctx->chain = chain;
+@@ -2910,6 +2910,9 @@ static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
+ return PTR_ERR(chain);
+ }
+
++ if (nft_chain_binding(chain))
++ return -EOPNOTSUPP;
++
+ nft_ctx_init(&ctx, net, skb, info->nlh, family, table, chain, nla);
+
+ if (nla[NFTA_CHAIN_HOOK]) {
+@@ -3968,6 +3971,11 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
+ }
+
+ if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
++ if (nft_chain_binding(chain)) {
++ err = -EOPNOTSUPP;
++ goto err_destroy_flow_rule;
++ }
++
+ err = nft_delrule(&ctx, old_rule);
+ if (err < 0)
+ goto err_destroy_flow_rule;
+@@ -4075,7 +4083,7 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
+ NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN]);
+ return PTR_ERR(chain);
+ }
+- if (nft_chain_is_bound(chain))
++ if (nft_chain_binding(chain))
+ return -EOPNOTSUPP;
+ }
+
+@@ -4109,7 +4117,7 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info,
+ list_for_each_entry(chain, &table->chains, list) {
+ if (!nft_is_active_next(net, chain))
+ continue;
+- if (nft_chain_is_bound(chain))
++ if (nft_chain_binding(chain))
+ continue;
+
+ ctx.chain = chain;
+@@ -11070,7 +11078,7 @@ static void __nft_release_table(struct net *net, struct nft_table *table)
+ ctx.family = table->family;
+ ctx.table = table;
+ list_for_each_entry(chain, &table->chains, list) {
+- if (nft_chain_is_bound(chain))
++ if (nft_chain_binding(chain))
+ continue;
+
+ ctx.chain = chain;
+--
+2.40.1
+
--- /dev/null
+From 25ef742469301b36a1f280bde9355dd6a5cdc9c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 15:51:36 +0200
+Subject: netfilter: nf_tables: Fix entries val in rule reset audit log
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 7fb818f248cff996180b7cdcdcb86b6b4f6e44e2 ]
+
+The value in idx and the number of rules handled in that particular
+__nf_tables_dump_rules() call is not identical. The former is a cursor
+to pick up from if multiple netlink messages are needed, so its value is
+ever increasing. Fixing this is not just a matter of subtracting s_idx
+from it, though: When resetting rules in multiple chains,
+__nf_tables_dump_rules() is called for each and cb->args[0] is not
+adjusted in between. Introduce a dedicated counter to record the number
+of rules reset in this call in a less confusing way.
+
+While being at it, prevent the direct return upon buffer exhaustion: Any
+rules previously dumped into that skb would evade audit logging
+otherwise.
+
+Fixes: 9b5ba5c9c5109 ("netfilter: nf_tables: Unbreak audit log reset")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 018cf368f6a5f..3e6839c03bccc 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3451,6 +3451,8 @@ static int __nf_tables_dump_rules(struct sk_buff *skb,
+ struct net *net = sock_net(skb->sk);
+ const struct nft_rule *rule, *prule;
+ unsigned int s_idx = cb->args[0];
++ unsigned int entries = 0;
++ int ret = 0;
+ u64 handle;
+
+ prule = NULL;
+@@ -3473,9 +3475,11 @@ static int __nf_tables_dump_rules(struct sk_buff *skb,
+ NFT_MSG_NEWRULE,
+ NLM_F_MULTI | NLM_F_APPEND,
+ table->family,
+- table, chain, rule, handle, reset) < 0)
+- return 1;
+-
++ table, chain, rule, handle, reset) < 0) {
++ ret = 1;
++ break;
++ }
++ entries++;
+ nl_dump_check_consistent(cb, nlmsg_hdr(skb));
+ cont:
+ prule = rule;
+@@ -3483,10 +3487,10 @@ static int __nf_tables_dump_rules(struct sk_buff *skb,
+ (*idx)++;
+ }
+
+- if (reset && *idx)
+- audit_log_rule_reset(table, cb->seq, *idx);
++ if (reset && entries)
++ audit_log_rule_reset(table, cb->seq, entries);
+
+- return 0;
++ return ret;
+ }
+
+ static int nf_tables_dump_rules(struct sk_buff *skb,
+--
+2.40.1
+
--- /dev/null
+From 8a52c32ed4ce30fdf5bc75a0d3dfc215a95ed375 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 01:41:56 -0700
+Subject: octeon_ep: fix tx dma unmap len values in SG
+
+From: Shinas Rasheed <srasheed@marvell.com>
+
+[ Upstream commit 350db8a59eb392bf42e62b6b2a37d56b5833012b ]
+
+Lengths of SG pointers are kept in the following order in
+the SG entries in hardware.
+ 63 48|47 32|31 16|15 0
+ -----------------------------------------
+ | Len 0 | Len 1 | Len 2 | Len 3 |
+ -----------------------------------------
+ | Ptr 0 |
+ -----------------------------------------
+ | Ptr 1 |
+ -----------------------------------------
+ | Ptr 2 |
+ -----------------------------------------
+ | Ptr 3 |
+ -----------------------------------------
+Dma pointers have to be unmapped based on their
+respective lengths given in this format.
+
+Fixes: 37d79d059606 ("octeon_ep: add Tx/Rx processing and interrupt support")
+Signed-off-by: Shinas Rasheed <srasheed@marvell.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/marvell/octeon_ep/octep_main.c | 8 ++++----
+ .../net/ethernet/marvell/octeon_ep/octep_tx.c | 8 ++++----
+ .../net/ethernet/marvell/octeon_ep/octep_tx.h | 16 +++++++++++++++-
+ 3 files changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+index 4424de2ffd70c..dbc518ff82768 100644
+--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+@@ -734,13 +734,13 @@ static netdev_tx_t octep_start_xmit(struct sk_buff *skb,
+ dma_map_sg_err:
+ if (si > 0) {
+ dma_unmap_single(iq->dev, sglist[0].dma_ptr[0],
+- sglist[0].len[0], DMA_TO_DEVICE);
+- sglist[0].len[0] = 0;
++ sglist[0].len[3], DMA_TO_DEVICE);
++ sglist[0].len[3] = 0;
+ }
+ while (si > 1) {
+ dma_unmap_page(iq->dev, sglist[si >> 2].dma_ptr[si & 3],
+- sglist[si >> 2].len[si & 3], DMA_TO_DEVICE);
+- sglist[si >> 2].len[si & 3] = 0;
++ sglist[si >> 2].len[3 - (si & 3)], DMA_TO_DEVICE);
++ sglist[si >> 2].len[3 - (si & 3)] = 0;
+ si--;
+ }
+ tx_buffer->gather = 0;
+diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_tx.c b/drivers/net/ethernet/marvell/octeon_ep/octep_tx.c
+index 5a520d37bea02..d0adb82d65c31 100644
+--- a/drivers/net/ethernet/marvell/octeon_ep/octep_tx.c
++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_tx.c
+@@ -69,12 +69,12 @@ int octep_iq_process_completions(struct octep_iq *iq, u16 budget)
+ compl_sg++;
+
+ dma_unmap_single(iq->dev, tx_buffer->sglist[0].dma_ptr[0],
+- tx_buffer->sglist[0].len[0], DMA_TO_DEVICE);
++ tx_buffer->sglist[0].len[3], DMA_TO_DEVICE);
+
+ i = 1; /* entry 0 is main skb, unmapped above */
+ while (frags--) {
+ dma_unmap_page(iq->dev, tx_buffer->sglist[i >> 2].dma_ptr[i & 3],
+- tx_buffer->sglist[i >> 2].len[i & 3], DMA_TO_DEVICE);
++ tx_buffer->sglist[i >> 2].len[3 - (i & 3)], DMA_TO_DEVICE);
+ i++;
+ }
+
+@@ -131,13 +131,13 @@ static void octep_iq_free_pending(struct octep_iq *iq)
+
+ dma_unmap_single(iq->dev,
+ tx_buffer->sglist[0].dma_ptr[0],
+- tx_buffer->sglist[0].len[0],
++ tx_buffer->sglist[0].len[3],
+ DMA_TO_DEVICE);
+
+ i = 1; /* entry 0 is main skb, unmapped above */
+ while (frags--) {
+ dma_unmap_page(iq->dev, tx_buffer->sglist[i >> 2].dma_ptr[i & 3],
+- tx_buffer->sglist[i >> 2].len[i & 3], DMA_TO_DEVICE);
++ tx_buffer->sglist[i >> 2].len[3 - (i & 3)], DMA_TO_DEVICE);
+ i++;
+ }
+
+diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_tx.h b/drivers/net/ethernet/marvell/octeon_ep/octep_tx.h
+index 2ef57980eb47b..21e75ff9f5e71 100644
+--- a/drivers/net/ethernet/marvell/octeon_ep/octep_tx.h
++++ b/drivers/net/ethernet/marvell/octeon_ep/octep_tx.h
+@@ -17,7 +17,21 @@
+ #define TX_BUFTYPE_NET_SG 2
+ #define NUM_TX_BUFTYPES 3
+
+-/* Hardware format for Scatter/Gather list */
++/* Hardware format for Scatter/Gather list
++ *
++ * 63 48|47 32|31 16|15 0
++ * -----------------------------------------
++ * | Len 0 | Len 1 | Len 2 | Len 3 |
++ * -----------------------------------------
++ * | Ptr 0 |
++ * -----------------------------------------
++ * | Ptr 1 |
++ * -----------------------------------------
++ * | Ptr 2 |
++ * -----------------------------------------
++ * | Ptr 3 |
++ * -----------------------------------------
++ */
+ struct octep_tx_sglist_desc {
+ u16 len[4];
+ dma_addr_t dma_ptr[4];
+--
+2.40.1
+
--- /dev/null
+From 2073213850345758155411215cbecfc99d78a5be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 17:36:11 +0200
+Subject: octeontx2-pf: Do xdp_do_flush() after redirects.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 70b2b6892645e58ed6f051dad7f8d1083f0ad553 ]
+
+xdp_do_flush() should be invoked before leaving the NAPI poll function
+if XDP-redirect has been performed.
+
+Invoke xdp_do_flush() before leaving NAPI.
+
+Cc: Geetha sowjanya <gakula@marvell.com>
+Cc: Subbaraya Sundeep <sbhatta@marvell.com>
+Cc: Sunil Goutham <sgoutham@marvell.com>
+Cc: hariprasad <hkelam@marvell.com>
+Fixes: 06059a1a9a4a5 ("octeontx2-pf: Add XDP support to netdev PF")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Acked-by: Geethasowjanya Akula <gakula@marvell.com>
+Acked-by: Jesper Dangaard Brouer <hawk@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../marvell/octeontx2/nic/otx2_txrx.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
+index e77d438489557..53b2a4ef52985 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
+@@ -29,7 +29,8 @@
+ static bool otx2_xdp_rcv_pkt_handler(struct otx2_nic *pfvf,
+ struct bpf_prog *prog,
+ struct nix_cqe_rx_s *cqe,
+- struct otx2_cq_queue *cq);
++ struct otx2_cq_queue *cq,
++ bool *need_xdp_flush);
+
+ static int otx2_nix_cq_op_status(struct otx2_nic *pfvf,
+ struct otx2_cq_queue *cq)
+@@ -337,7 +338,7 @@ static bool otx2_check_rcv_errors(struct otx2_nic *pfvf,
+ static void otx2_rcv_pkt_handler(struct otx2_nic *pfvf,
+ struct napi_struct *napi,
+ struct otx2_cq_queue *cq,
+- struct nix_cqe_rx_s *cqe)
++ struct nix_cqe_rx_s *cqe, bool *need_xdp_flush)
+ {
+ struct nix_rx_parse_s *parse = &cqe->parse;
+ struct nix_rx_sg_s *sg = &cqe->sg;
+@@ -353,7 +354,7 @@ static void otx2_rcv_pkt_handler(struct otx2_nic *pfvf,
+ }
+
+ if (pfvf->xdp_prog)
+- if (otx2_xdp_rcv_pkt_handler(pfvf, pfvf->xdp_prog, cqe, cq))
++ if (otx2_xdp_rcv_pkt_handler(pfvf, pfvf->xdp_prog, cqe, cq, need_xdp_flush))
+ return;
+
+ skb = napi_get_frags(napi);
+@@ -388,6 +389,7 @@ static int otx2_rx_napi_handler(struct otx2_nic *pfvf,
+ struct napi_struct *napi,
+ struct otx2_cq_queue *cq, int budget)
+ {
++ bool need_xdp_flush = false;
+ struct nix_cqe_rx_s *cqe;
+ int processed_cqe = 0;
+
+@@ -409,13 +411,15 @@ static int otx2_rx_napi_handler(struct otx2_nic *pfvf,
+ cq->cq_head++;
+ cq->cq_head &= (cq->cqe_cnt - 1);
+
+- otx2_rcv_pkt_handler(pfvf, napi, cq, cqe);
++ otx2_rcv_pkt_handler(pfvf, napi, cq, cqe, &need_xdp_flush);
+
+ cqe->hdr.cqe_type = NIX_XQE_TYPE_INVALID;
+ cqe->sg.seg_addr = 0x00;
+ processed_cqe++;
+ cq->pend_cqe--;
+ }
++ if (need_xdp_flush)
++ xdp_do_flush();
+
+ /* Free CQEs to HW */
+ otx2_write64(pfvf, NIX_LF_CQ_OP_DOOR,
+@@ -1354,7 +1358,8 @@ bool otx2_xdp_sq_append_pkt(struct otx2_nic *pfvf, u64 iova, int len, u16 qidx)
+ static bool otx2_xdp_rcv_pkt_handler(struct otx2_nic *pfvf,
+ struct bpf_prog *prog,
+ struct nix_cqe_rx_s *cqe,
+- struct otx2_cq_queue *cq)
++ struct otx2_cq_queue *cq,
++ bool *need_xdp_flush)
+ {
+ unsigned char *hard_start, *data;
+ int qidx = cq->cq_idx;
+@@ -1391,8 +1396,10 @@ static bool otx2_xdp_rcv_pkt_handler(struct otx2_nic *pfvf,
+
+ otx2_dma_unmap_page(pfvf, iova, pfvf->rbsize,
+ DMA_FROM_DEVICE);
+- if (!err)
++ if (!err) {
++ *need_xdp_flush = true;
+ return true;
++ }
+ put_page(page);
+ break;
+ default:
+--
+2.40.1
+
--- /dev/null
+From 4be162ffa9a59f11844ccbdd2f7da0aeb8584f6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 14:27:19 -0700
+Subject: platform/x86: intel_scu_ipc: Check status after timeout in
+ busy_loop()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit e0b4ab3bb92bda8d12f55842614362989d5b2cb3 ]
+
+It's possible for the polling loop in busy_loop() to get scheduled away
+for a long time.
+
+ status = ipc_read_status(scu); // status = IPC_STATUS_BUSY
+ <long time scheduled away>
+ if (!(status & IPC_STATUS_BUSY))
+
+If this happens, then the status bit could change while the task is
+scheduled away and this function would never read the status again after
+timing out. Instead, the function will return -ETIMEDOUT when it's
+possible that scheduling didn't work out and the status bit was cleared.
+Bit polling code should always check the bit being polled one more time
+after the timeout in case this happens.
+
+Fix this by reading the status once more after the while loop breaks.
+The readl_poll_timeout() macro implements all of this, and it is
+shorter, so use that macro here to consolidate code and fix this.
+
+There were some concerns with using readl_poll_timeout() because it uses
+timekeeping, and timekeeping isn't running early on or during the late
+stages of system suspend or early stages of system resume, but an audit
+of the code concluded that this code isn't called during those times so
+it is safe to use the macro.
+
+Cc: Prashant Malani <pmalani@chromium.org>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Fixes: e7b7ab3847c9 ("platform/x86: intel_scu_ipc: Sleeping is fine when polling")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/20230913212723.3055315-2-swboyd@chromium.org
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel_scu_ipc.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/platform/x86/intel_scu_ipc.c b/drivers/platform/x86/intel_scu_ipc.c
+index 6851d10d65825..4c774ee8bb1bb 100644
+--- a/drivers/platform/x86/intel_scu_ipc.c
++++ b/drivers/platform/x86/intel_scu_ipc.c
+@@ -19,6 +19,7 @@
+ #include <linux/init.h>
+ #include <linux/interrupt.h>
+ #include <linux/io.h>
++#include <linux/iopoll.h>
+ #include <linux/module.h>
+ #include <linux/slab.h>
+
+@@ -231,19 +232,15 @@ static inline u32 ipc_data_readl(struct intel_scu_ipc_dev *scu, u32 offset)
+ /* Wait till scu status is busy */
+ static inline int busy_loop(struct intel_scu_ipc_dev *scu)
+ {
+- unsigned long end = jiffies + IPC_TIMEOUT;
+-
+- do {
+- u32 status;
+-
+- status = ipc_read_status(scu);
+- if (!(status & IPC_STATUS_BUSY))
+- return (status & IPC_STATUS_ERR) ? -EIO : 0;
++ u8 status;
++ int err;
+
+- usleep_range(50, 100);
+- } while (time_before(jiffies, end));
++ err = readx_poll_timeout(ipc_read_status, scu, status, !(status & IPC_STATUS_BUSY),
++ 100, jiffies_to_usecs(IPC_TIMEOUT));
++ if (err)
++ return err;
+
+- return -ETIMEDOUT;
++ return (status & IPC_STATUS_ERR) ? -EIO : 0;
+ }
+
+ /* Wait till ipc ioc interrupt is received or timeout in 10 HZ */
+--
+2.40.1
+
--- /dev/null
+From 1fbe75dfdefc60d7ce69993e9e054463a6dace20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 14:27:20 -0700
+Subject: platform/x86: intel_scu_ipc: Check status upon timeout in
+ ipc_wait_for_interrupt()
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit 427fada620733e6474d783ae6037a66eae42bf8c ]
+
+It's possible for the completion in ipc_wait_for_interrupt() to timeout,
+simply because the interrupt was delayed in being processed. A timeout
+in itself is not an error. This driver should check the status register
+upon a timeout to ensure that scheduling or interrupt processing delays
+don't affect the outcome of the IPC return value.
+
+ CPU0 SCU
+ ---- ---
+ ipc_wait_for_interrupt()
+ wait_for_completion_timeout(&scu->cmd_complete)
+ [TIMEOUT] status[IPC_STATUS_BUSY]=0
+
+Fix this problem by reading the status bit in all cases, regardless of
+the timeout. If the completion times out, we'll assume the problem was
+that the IPC_STATUS_BUSY bit was still set, but if the status bit is
+cleared in the meantime we know that we hit some scheduling delay and we
+should just check the error bit.
+
+Cc: Prashant Malani <pmalani@chromium.org>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Fixes: ed12f295bfd5 ("ipc: Added support for IPC interrupt mode")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/20230913212723.3055315-3-swboyd@chromium.org
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel_scu_ipc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/intel_scu_ipc.c b/drivers/platform/x86/intel_scu_ipc.c
+index 4c774ee8bb1bb..299c15312acb8 100644
+--- a/drivers/platform/x86/intel_scu_ipc.c
++++ b/drivers/platform/x86/intel_scu_ipc.c
+@@ -248,10 +248,12 @@ static inline int ipc_wait_for_interrupt(struct intel_scu_ipc_dev *scu)
+ {
+ int status;
+
+- if (!wait_for_completion_timeout(&scu->cmd_complete, IPC_TIMEOUT))
+- return -ETIMEDOUT;
++ wait_for_completion_timeout(&scu->cmd_complete, IPC_TIMEOUT);
+
+ status = ipc_read_status(scu);
++ if (status & IPC_STATUS_BUSY)
++ return -ETIMEDOUT;
++
+ if (status & IPC_STATUS_ERR)
+ return -EIO;
+
+--
+2.40.1
+
--- /dev/null
+From c6829bb0be8bdd252099ad772beab1a1e0ed0ad8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 14:27:21 -0700
+Subject: platform/x86: intel_scu_ipc: Don't override scu in
+ intel_scu_ipc_dev_simple_command()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit efce78584e583226e9a1f6cb2fb555d6ff47c3e7 ]
+
+Andy discovered this bug during patch review. The 'scu' argument to this
+function shouldn't be overridden by the function itself. It doesn't make
+any sense. Looking at the commit history, we see that commit
+f57fa18583f5 ("platform/x86: intel_scu_ipc: Introduce new SCU IPC API")
+removed the setting of the scu to ipcdev in other functions, but not
+this one. That was an oversight. Remove this line so that we stop
+overriding the scu instance that is used by this function.
+
+Reported-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Closes: https://lore.kernel.org/r/ZPjdZ3xNmBEBvNiS@smile.fi.intel.com
+Cc: Prashant Malani <pmalani@chromium.org>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Fixes: f57fa18583f5 ("platform/x86: intel_scu_ipc: Introduce new SCU IPC API")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/20230913212723.3055315-4-swboyd@chromium.org
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel_scu_ipc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/platform/x86/intel_scu_ipc.c b/drivers/platform/x86/intel_scu_ipc.c
+index 299c15312acb8..3271f81a9c007 100644
+--- a/drivers/platform/x86/intel_scu_ipc.c
++++ b/drivers/platform/x86/intel_scu_ipc.c
+@@ -443,7 +443,6 @@ int intel_scu_ipc_dev_simple_command(struct intel_scu_ipc_dev *scu, int cmd,
+ mutex_unlock(&ipclock);
+ return -ENODEV;
+ }
+- scu = ipcdev;
+ cmdval = sub << 12 | cmd;
+ ipc_command(scu, cmdval);
+ err = intel_scu_ipc_check_status(scu);
+--
+2.40.1
+
--- /dev/null
+From 7d6c8ca98e32e46fa4b783763d25e77f73419529 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 14:27:22 -0700
+Subject: platform/x86: intel_scu_ipc: Fail IPC send if still busy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+[ Upstream commit 85e654c9f722853a595fa941dca60c157b707b86 ]
+
+It's possible for interrupts to get significantly delayed to the point
+that callers of intel_scu_ipc_dev_command() and friends can call the
+function once, hit a timeout, and call it again while the interrupt
+still hasn't been processed. This driver will get seriously confused if
+the interrupt is finally processed after the second IPC has been sent
+with ipc_command(). It won't know which IPC has been completed. This
+could be quite disastrous if calling code assumes something has happened
+upon return from intel_scu_ipc_dev_simple_command() when it actually
+hasn't.
+
+Let's avoid this scenario by simply returning -EBUSY in this case.
+Hopefully higher layers will know to back off or fail gracefully when
+this happens. It's all highly unlikely anyway, but it's better to be
+correct here as we have no way to know which IPC the status register is
+telling us about if we send a second IPC while the previous IPC is still
+processing.
+
+Cc: Prashant Malani <pmalani@chromium.org>
+Cc: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Fixes: ed12f295bfd5 ("ipc: Added support for IPC interrupt mode")
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/20230913212723.3055315-5-swboyd@chromium.org
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel_scu_ipc.c | 40 +++++++++++++++++++---------
+ 1 file changed, 28 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/platform/x86/intel_scu_ipc.c b/drivers/platform/x86/intel_scu_ipc.c
+index 3271f81a9c007..a68df41334035 100644
+--- a/drivers/platform/x86/intel_scu_ipc.c
++++ b/drivers/platform/x86/intel_scu_ipc.c
+@@ -265,6 +265,24 @@ static int intel_scu_ipc_check_status(struct intel_scu_ipc_dev *scu)
+ return scu->irq > 0 ? ipc_wait_for_interrupt(scu) : busy_loop(scu);
+ }
+
++static struct intel_scu_ipc_dev *intel_scu_ipc_get(struct intel_scu_ipc_dev *scu)
++{
++ u8 status;
++
++ if (!scu)
++ scu = ipcdev;
++ if (!scu)
++ return ERR_PTR(-ENODEV);
++
++ status = ipc_read_status(scu);
++ if (status & IPC_STATUS_BUSY) {
++ dev_dbg(&scu->dev, "device is busy\n");
++ return ERR_PTR(-EBUSY);
++ }
++
++ return scu;
++}
++
+ /* Read/Write power control(PMIC in Langwell, MSIC in PenWell) registers */
+ static int pwr_reg_rdwr(struct intel_scu_ipc_dev *scu, u16 *addr, u8 *data,
+ u32 count, u32 op, u32 id)
+@@ -278,11 +296,10 @@ static int pwr_reg_rdwr(struct intel_scu_ipc_dev *scu, u16 *addr, u8 *data,
+ memset(cbuf, 0, sizeof(cbuf));
+
+ mutex_lock(&ipclock);
+- if (!scu)
+- scu = ipcdev;
+- if (!scu) {
++ scu = intel_scu_ipc_get(scu);
++ if (IS_ERR(scu)) {
+ mutex_unlock(&ipclock);
+- return -ENODEV;
++ return PTR_ERR(scu);
+ }
+
+ for (nc = 0; nc < count; nc++, offset += 2) {
+@@ -437,12 +454,12 @@ int intel_scu_ipc_dev_simple_command(struct intel_scu_ipc_dev *scu, int cmd,
+ int err;
+
+ mutex_lock(&ipclock);
+- if (!scu)
+- scu = ipcdev;
+- if (!scu) {
++ scu = intel_scu_ipc_get(scu);
++ if (IS_ERR(scu)) {
+ mutex_unlock(&ipclock);
+- return -ENODEV;
++ return PTR_ERR(scu);
+ }
++
+ cmdval = sub << 12 | cmd;
+ ipc_command(scu, cmdval);
+ err = intel_scu_ipc_check_status(scu);
+@@ -482,11 +499,10 @@ int intel_scu_ipc_dev_command_with_size(struct intel_scu_ipc_dev *scu, int cmd,
+ return -EINVAL;
+
+ mutex_lock(&ipclock);
+- if (!scu)
+- scu = ipcdev;
+- if (!scu) {
++ scu = intel_scu_ipc_get(scu);
++ if (IS_ERR(scu)) {
+ mutex_unlock(&ipclock);
+- return -ENODEV;
++ return PTR_ERR(scu);
+ }
+
+ memcpy(inbuf, in, inlen);
+--
+2.40.1
+
--- /dev/null
+From 91a51f3aaaa5669da648f9e80bb08e49734bd138 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 13:46:04 +1000
+Subject: powerpc/dexcr: Move HASHCHK trap handler
+
+From: Benjamin Gray <bgray@linux.ibm.com>
+
+[ Upstream commit c3f4309693758b13fbb34b3741c2e2801ad28769 ]
+
+Syzkaller reported a sleep in atomic context bug relating to the HASHCHK
+handler logic:
+
+ BUG: sleeping function called from invalid context at arch/powerpc/kernel/traps.c:1518
+ in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 25040, name: syz-executor
+ preempt_count: 0, expected: 0
+ RCU nest depth: 0, expected: 0
+ no locks held by syz-executor/25040.
+ irq event stamp: 34
+ hardirqs last enabled at (33): [<c000000000048b38>] prep_irq_for_enabled_exit arch/powerpc/kernel/interrupt.c:56 [inline]
+ hardirqs last enabled at (33): [<c000000000048b38>] interrupt_exit_user_prepare_main+0x148/0x600 arch/powerpc/kernel/interrupt.c:230
+ hardirqs last disabled at (34): [<c00000000003e6a4>] interrupt_enter_prepare+0x144/0x4f0 arch/powerpc/include/asm/interrupt.h:176
+ softirqs last enabled at (0): [<c000000000281954>] copy_process+0x16e4/0x4750 kernel/fork.c:2436
+ softirqs last disabled at (0): [<0000000000000000>] 0x0
+ CPU: 15 PID: 25040 Comm: syz-executor Not tainted 6.5.0-rc5-00001-g3ccdff6bb06d #3
+ Hardware name: IBM,9105-22A POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1040.00 (NL1040_021) hv:phyp pSeries
+ Call Trace:
+ [c0000000a8247ce0] [c00000000032b0e4] __might_resched+0x3b4/0x400 kernel/sched/core.c:10189
+ [c0000000a8247d80] [c0000000008c7dc8] __might_fault+0xa8/0x170 mm/memory.c:5853
+ [c0000000a8247dc0] [c00000000004160c] do_program_check+0x32c/0xb20 arch/powerpc/kernel/traps.c:1518
+ [c0000000a8247e50] [c000000000009b2c] program_check_common_virt+0x3bc/0x3c0
+
+To determine if a trap was caused by a HASHCHK instruction, we inspect
+the user instruction that triggered the trap. However this may sleep
+if the page needs to be faulted in (get_user_instr() reaches
+__get_user(), which calls might_fault() and triggers the bug message).
+
+Move the HASHCHK handler logic to after we allow IRQs, which is fine
+because we are only interested in HASHCHK if it's a user space trap.
+
+Fixes: 5bcba4e6c13f ("powerpc/dexcr: Handle hashchk exception")
+Signed-off-by: Benjamin Gray <bgray@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230915034604.45393-1-bgray@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/traps.c | 56 ++++++++++++++++++++++++-------------
+ 1 file changed, 36 insertions(+), 20 deletions(-)
+
+diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
+index 7ef147e2a20d7..109b93874df92 100644
+--- a/arch/powerpc/kernel/traps.c
++++ b/arch/powerpc/kernel/traps.c
+@@ -1512,23 +1512,11 @@ static void do_program_check(struct pt_regs *regs)
+ return;
+ }
+
+- if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE) && user_mode(regs)) {
+- ppc_inst_t insn;
+-
+- if (get_user_instr(insn, (void __user *)regs->nip)) {
+- _exception(SIGSEGV, regs, SEGV_MAPERR, regs->nip);
+- return;
+- }
+-
+- if (ppc_inst_primary_opcode(insn) == 31 &&
+- get_xop(ppc_inst_val(insn)) == OP_31_XOP_HASHCHK) {
+- _exception(SIGILL, regs, ILL_ILLOPN, regs->nip);
+- return;
+- }
++ /* User mode considers other cases after enabling IRQs */
++ if (!user_mode(regs)) {
++ _exception(SIGTRAP, regs, TRAP_BRKPT, regs->nip);
++ return;
+ }
+-
+- _exception(SIGTRAP, regs, TRAP_BRKPT, regs->nip);
+- return;
+ }
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ if (reason & REASON_TM) {
+@@ -1561,16 +1549,44 @@ static void do_program_check(struct pt_regs *regs)
+
+ /*
+ * If we took the program check in the kernel skip down to sending a
+- * SIGILL. The subsequent cases all relate to emulating instructions
+- * which we should only do for userspace. We also do not want to enable
+- * interrupts for kernel faults because that might lead to further
+- * faults, and loose the context of the original exception.
++ * SIGILL. The subsequent cases all relate to user space, such as
++ * emulating instructions which we should only do for user space. We
++ * also do not want to enable interrupts for kernel faults because that
++ * might lead to further faults, and loose the context of the original
++ * exception.
+ */
+ if (!user_mode(regs))
+ goto sigill;
+
+ interrupt_cond_local_irq_enable(regs);
+
++ /*
++ * (reason & REASON_TRAP) is mostly handled before enabling IRQs,
++ * except get_user_instr() can sleep so we cannot reliably inspect the
++ * current instruction in that context. Now that we know we are
++ * handling a user space trap and can sleep, we can check if the trap
++ * was a hashchk failure.
++ */
++ if (reason & REASON_TRAP) {
++ if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE)) {
++ ppc_inst_t insn;
++
++ if (get_user_instr(insn, (void __user *)regs->nip)) {
++ _exception(SIGSEGV, regs, SEGV_MAPERR, regs->nip);
++ return;
++ }
++
++ if (ppc_inst_primary_opcode(insn) == 31 &&
++ get_xop(ppc_inst_val(insn)) == OP_31_XOP_HASHCHK) {
++ _exception(SIGILL, regs, ILL_ILLOPN, regs->nip);
++ return;
++ }
++ }
++
++ _exception(SIGTRAP, regs, TRAP_BRKPT, regs->nip);
++ return;
++ }
++
+ /* (reason & REASON_ILLEGAL) would be the obvious thing here,
+ * but there seems to be a hardware bug on the 405GP (RevD)
+ * that means ESR is sometimes set incorrectly - either to
+--
+2.40.1
+
--- /dev/null
+From ac8ce20a9cfc80be6f6dad29f0c409c6ac7c1f8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Aug 2023 11:26:01 +0530
+Subject: powerpc/perf/hv-24x7: Update domain value check
+
+From: Kajol Jain <kjain@linux.ibm.com>
+
+[ Upstream commit 4ff3ba4db5943cac1045e3e4a3c0463ea10f6930 ]
+
+Valid domain value is in range 1 to HV_PERF_DOMAIN_MAX. Current code has
+check for domain value greater than or equal to HV_PERF_DOMAIN_MAX. But
+the check for domain value 0 is missing.
+
+Fix this issue by adding check for domain value 0.
+
+Before:
+ # ./perf stat -v -e hv_24x7/CPM_ADJUNCT_INST,domain=0,core=1/ sleep 1
+ Using CPUID 00800200
+ Control descriptor is not initialized
+ Error:
+ The sys_perf_event_open() syscall returned with 5 (Input/output error) for
+ event (hv_24x7/CPM_ADJUNCT_INST,domain=0,core=1/).
+ /bin/dmesg | grep -i perf may provide additional information.
+
+ Result from dmesg:
+ [ 37.819387] hv-24x7: hcall failed: [0 0x60040000 0x100 0] => ret
+ 0xfffffffffffffffc (-4) detail=0x2000000 failing ix=0
+
+After:
+ # ./perf stat -v -e hv_24x7/CPM_ADJUNCT_INST,domain=0,core=1/ sleep 1
+ Using CPUID 00800200
+ Control descriptor is not initialized
+ Warning:
+ hv_24x7/CPM_ADJUNCT_INST,domain=0,core=1/ event is not supported by the kernel.
+ failed to read counter hv_24x7/CPM_ADJUNCT_INST,domain=0,core=1/
+
+Fixes: ebd4a5a3ebd9 ("powerpc/perf/hv-24x7: Minor improvements")
+Reported-by: Krishan Gopal Sarawast <krishang@linux.vnet.ibm.com>
+Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
+Tested-by: Disha Goel <disgoel@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230825055601.360083-1-kjain@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/perf/hv-24x7.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/perf/hv-24x7.c b/arch/powerpc/perf/hv-24x7.c
+index 317175791d23c..3449be7c0d51f 100644
+--- a/arch/powerpc/perf/hv-24x7.c
++++ b/arch/powerpc/perf/hv-24x7.c
+@@ -1418,7 +1418,7 @@ static int h_24x7_event_init(struct perf_event *event)
+ }
+
+ domain = event_get_domain(event);
+- if (domain >= HV_PERF_DOMAIN_MAX) {
++ if (domain == 0 || domain >= HV_PERF_DOMAIN_MAX) {
+ pr_devel("invalid domain %d\n", domain);
+ return -EINVAL;
+ }
+--
+2.40.1
+
--- /dev/null
+From d9c1240a5d1247dee93af74535f7d907c1fdcf0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 17:11:11 +0000
+Subject: scsi: iscsi_tcp: restrict to TCP sockets
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f4f82c52a0ead5ab363d207d06f81b967d09ffb8 ]
+
+Nothing prevents iscsi_sw_tcp_conn_bind() to receive file descriptor
+pointing to non TCP socket (af_unix for example).
+
+Return -EINVAL if this is attempted, instead of crashing the kernel.
+
+Fixes: 7ba247138907 ("[SCSI] open-iscsi/linux-iscsi-5 Initiator: Initiator code")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Lee Duncan <lduncan@suse.com>
+Cc: Chris Leech <cleech@redhat.com>
+Cc: Mike Christie <michael.christie@oracle.com>
+Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
+Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
+Cc: open-iscsi@googlegroups.com
+Cc: linux-scsi@vger.kernel.org
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/iscsi_tcp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c
+index 9ab8555180a3a..8e14cea15f980 100644
+--- a/drivers/scsi/iscsi_tcp.c
++++ b/drivers/scsi/iscsi_tcp.c
+@@ -724,6 +724,10 @@ iscsi_sw_tcp_conn_bind(struct iscsi_cls_session *cls_session,
+ return -EEXIST;
+ }
+
++ err = -EINVAL;
++ if (!sk_is_tcp(sock->sk))
++ goto free_socket;
++
+ err = iscsi_conn_bind(cls_session, cls_conn, is_leading);
+ if (err)
+ goto free_socket;
+--
+2.40.1
+
--- /dev/null
+From 29db6d06a77ac64302e05932fa0f9f094edc8277 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 14:06:31 +0200
+Subject: selftests/bpf: fix unpriv_disabled check in test_verifier
+
+From: Artem Savkov <asavkov@redhat.com>
+
+[ Upstream commit d128860dbb29cafc3c65ca2d22082745a32829dd ]
+
+Commit 1d56ade032a49 changed the function get_unpriv_disabled() to
+return its results as a bool instead of updating a global variable, but
+test_verifier was not updated to keep in line with these changes. Thus
+unpriv_disabled is always false in test_verifier and unprivileged tests
+are not properly skipped on systems with unprivileged bpf disabled.
+
+Fixes: 1d56ade032a49 ("selftests/bpf: Unprivileged tests for test_loader.c")
+Signed-off-by: Artem Savkov <asavkov@redhat.com>
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20230912120631.213139-1-asavkov@redhat.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_verifier.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
+index 31f1c935cd07d..98107e0452d33 100644
+--- a/tools/testing/selftests/bpf/test_verifier.c
++++ b/tools/testing/selftests/bpf/test_verifier.c
+@@ -1880,7 +1880,7 @@ int main(int argc, char **argv)
+ }
+ }
+
+- get_unpriv_disabled();
++ unpriv_disabled = get_unpriv_disabled();
+ if (unpriv && unpriv_disabled) {
+ printf("Cannot run as unprivileged user with sysctl %s.\n",
+ UNPRIV_SYSCTL);
+--
+2.40.1
+
--- /dev/null
+From 357a0c0e26d2a9c386cd19af72a4e587ed6456ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 16:16:25 +0200
+Subject: selftests: tls: swap the TX and RX sockets in some tests
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit c326ca98446e0ae4fee43a40acf79412b74cfedb ]
+
+tls.sendmsg_large and tls.sendmsg_multiple are trying to send through
+the self->cfd socket (only configured with TLS_RX) and to receive through
+the self->fd socket (only configured with TLS_TX), so they're not using
+kTLS at all. Swap the sockets.
+
+Fixes: 7f657d5bf507 ("selftests: tls: add selftests for TLS sockets")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/tls.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c
+index a3c57004344c6..6ec8b8335bdbf 100644
+--- a/tools/testing/selftests/net/tls.c
++++ b/tools/testing/selftests/net/tls.c
+@@ -552,11 +552,11 @@ TEST_F(tls, sendmsg_large)
+
+ msg.msg_iov = &vec;
+ msg.msg_iovlen = 1;
+- EXPECT_EQ(sendmsg(self->cfd, &msg, 0), send_len);
++ EXPECT_EQ(sendmsg(self->fd, &msg, 0), send_len);
+ }
+
+ while (recvs++ < sends) {
+- EXPECT_NE(recv(self->fd, mem, send_len, 0), -1);
++ EXPECT_NE(recv(self->cfd, mem, send_len, 0), -1);
+ }
+
+ free(mem);
+@@ -585,9 +585,9 @@ TEST_F(tls, sendmsg_multiple)
+ msg.msg_iov = vec;
+ msg.msg_iovlen = iov_len;
+
+- EXPECT_EQ(sendmsg(self->cfd, &msg, 0), total_len);
++ EXPECT_EQ(sendmsg(self->fd, &msg, 0), total_len);
+ buf = malloc(total_len);
+- EXPECT_NE(recv(self->fd, buf, total_len, 0), -1);
++ EXPECT_NE(recv(self->cfd, buf, total_len, 0), -1);
+ for (i = 0; i < iov_len; i++) {
+ EXPECT_EQ(memcmp(test_strs[i], buf + len_cmp,
+ strlen(test_strs[i])),
+--
+2.40.1
+
netfilter-nft_set_pipapo-stop-gc-iteration-if-gc-tra.patch
netfilter-nft_set_hash-try-later-when-gc-hits-eagain.patch
netfilter-nf_tables-fix-memleak-when-more-than-255-e.patch
+netfilter-nf_tables-disallow-rule-removal-from-chain.patch
+asoc-meson-spdifin-start-hw-on-dai-probe.patch
+netfilter-nf_tables-disallow-element-removal-on-anon.patch
+bpf-avoid-deadlock-when-using-queue-and-stack-maps-f.patch
+bpf-avoid-dummy-bpf_offload_netdev-in-__bpf_prog_dev.patch
+alsa-docs-fix-a-typo-of-midi2_ump_probe-option-for-s.patch
+alsa-seq-avoid-delivery-of-events-for-disabled-ump-g.patch
+asoc-rt5640-revert-fix-sleep-in-atomic-context.patch
+asoc-rt5640-fix-sleep-in-atomic-context.patch
+asoc-rt5640-fix-typos.patch
+asoc-rt5640-do-not-disable-enable-irq-twice-on-suspe.patch
+asoc-rt5640-enable-the-irq-on-resume-after-configuri.patch
+asoc-rt5640-fix-irq-not-being-free-ed-for-hda-jack-d.patch
+bpf-fix-a-erroneous-check-after-snprintf.patch
+selftests-bpf-fix-unpriv_disabled-check-in-test_veri.patch
+alsa-hda-realtek-splitting-the-ux3402-into-two-separ.patch
+netfilter-conntrack-fix-extension-size-table.patch
+netfilter-nf_tables-fix-entries-val-in-rule-reset-au.patch
+compiler-attributes-counted_by-adjust-name-and-ident.patch
+uapi-stddef.h-fix-header-guard-location.patch
+uapi-stddef.h-fix-__declare_flex_array-for-c.patch
+memblock-tests-fix-compilation-errors.patch
+asoc-sof-ipc4-topology-fix-wrong-sizeof-argument.patch
+net-microchip-sparx5-fix-memory-leak-for-vcap_api_ru.patch
+net-microchip-sparx5-fix-memory-leak-for-vcap_api_ru.patch-1790
+net-microchip-sparx5-fix-possible-memory-leak-in-vca.patch
+net-microchip-sparx5-fix-possible-memory-leaks-in-te.patch
+net-microchip-sparx5-fix-possible-memory-leaks-in-vc.patch
+selftests-tls-swap-the-tx-and-rx-sockets-in-some-tes.patch
+net-core-fix-eth_p_1588-flow-dissector.patch
+alsa-seq-ump-fix-wformat-truncation-warning.patch
+asoc-hdaudio.c-add-missing-check-for-devm_kstrdup.patch
+asoc-imx-audmix-fix-return-error-with-devm_clk_get.patch
+octeon_ep-fix-tx-dma-unmap-len-values-in-sg.patch
+iavf-do-not-process-adminq-tasks-when-__iavf_in_remo.patch
+asoc-sof-core-only-call-sof_ops_free-on-remove-if-th.patch
+iavf-add-iavf_schedule_aq_request-helper.patch
+iavf-schedule-a-request-immediately-after-add-delete.patch
+i40e-fix-vf-vlan-offloading-when-port-vlan-is-config.patch
+netfilter-bpf-adjust-timeouts-of-non-confirmed-cts-i.patch
+ionic-fix-16bit-math-issue-when-page_size-64kb.patch
+igc-fix-infinite-initialization-loop-with-early-xdp-.patch
+ipv4-fix-null-deref-in-ipv4_link_failure.patch
+scsi-iscsi_tcp-restrict-to-tcp-sockets.patch
+powerpc-perf-hv-24x7-update-domain-value-check.patch
+powerpc-dexcr-move-hashchk-trap-handler.patch
+dccp-fix-dccp_v4_err-dccp_v6_err-again.patch
+x86-mm-kexec-ima-use-memblock_free_late-from-ima_fre.patch
+net-hsr-properly-parse-hsrv1-supervisor-frames.patch
+platform-x86-intel_scu_ipc-check-status-after-timeou.patch
+platform-x86-intel_scu_ipc-check-status-upon-timeout.patch
+platform-x86-intel_scu_ipc-don-t-override-scu-in-int.patch
+platform-x86-intel_scu_ipc-fail-ipc-send-if-still-bu.patch
+x86-asm-fix-build-of-uml-with-kasan.patch
+x86-srso-fix-srso_show_state-side-effect.patch
+x86-srso-set-cpuid-feature-bits-independently-of-bug.patch
+x86-srso-don-t-probe-microcode-in-a-guest.patch
+x86-srso-fix-sbpb-enablement-for-spec_rstack_overflo.patch
+net-hns3-add-cmdq-check-for-vf-periodic-service-task.patch
+net-hns3-fix-gre-checksum-offload-issue.patch
+net-hns3-only-enable-unicast-promisc-when-mac-table-.patch
+net-hns3-fix-fail-to-delete-tc-flower-rules-during-r.patch
+net-hns3-add-5ms-delay-before-clear-firmware-reset-i.patch
+net-bridge-use-dev_stats_inc.patch
+team-fix-null-ptr-deref-when-team-device-type-is-cha.patch
+locking-atomic-scripts-fix-fallback-ifdeffery.patch
+net-rds-fix-possible-null-pointer-dereference.patch
+vxlan-add-missing-entries-to-vxlan_get_size.patch
+netfilter-nf_tables-disable-toggling-dormant-table-s.patch
+netfilter-ipset-fix-race-between-ipset_cmd_create-an.patch
+net-hinic-fix-warning-hinic_set_vlan_fliter-warn-var.patch
+net-handshake-fix-memory-leak-in-__sock_create-and-s.patch
+i915-pmu-move-execlist-stats-initialization-to-execl.patch
+drm-virtio-clean-out_fence-on-complete_submit.patch
+locking-seqlock-do-the-lockdep-annotation-before-loc.patch
+net-ena-flush-xdp-packets-on-error.patch
+bnxt_en-flush-xdp-for-bnxt_poll_nitroa0-s-napi.patch
+octeontx2-pf-do-xdp_do_flush-after-redirects.patch
+igc-expose-tx-usecs-coalesce-setting-to-user.patch
--- /dev/null
+From cd9a284845cefaa51f5645f2715f3cb08a9339ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 20:30:11 +0800
+Subject: team: fix null-ptr-deref when team device type is changed
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 492032760127251e5540a5716a70996bacf2a3fd ]
+
+Get a null-ptr-deref bug as follows with reproducer [1].
+
+BUG: kernel NULL pointer dereference, address: 0000000000000228
+...
+RIP: 0010:vlan_dev_hard_header+0x35/0x140 [8021q]
+...
+Call Trace:
+ <TASK>
+ ? __die+0x24/0x70
+ ? page_fault_oops+0x82/0x150
+ ? exc_page_fault+0x69/0x150
+ ? asm_exc_page_fault+0x26/0x30
+ ? vlan_dev_hard_header+0x35/0x140 [8021q]
+ ? vlan_dev_hard_header+0x8e/0x140 [8021q]
+ neigh_connected_output+0xb2/0x100
+ ip6_finish_output2+0x1cb/0x520
+ ? nf_hook_slow+0x43/0xc0
+ ? ip6_mtu+0x46/0x80
+ ip6_finish_output+0x2a/0xb0
+ mld_sendpack+0x18f/0x250
+ mld_ifc_work+0x39/0x160
+ process_one_work+0x1e6/0x3f0
+ worker_thread+0x4d/0x2f0
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0xe5/0x120
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x34/0x50
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1b/0x30
+
+[1]
+$ teamd -t team0 -d -c '{"runner": {"name": "loadbalance"}}'
+$ ip link add name t-dummy type dummy
+$ ip link add link t-dummy name t-dummy.100 type vlan id 100
+$ ip link add name t-nlmon type nlmon
+$ ip link set t-nlmon master team0
+$ ip link set t-nlmon nomaster
+$ ip link set t-dummy up
+$ ip link set team0 up
+$ ip link set t-dummy.100 down
+$ ip link set t-dummy.100 master team0
+
+When enslave a vlan device to team device and team device type is changed
+from non-ether to ether, header_ops of team device is changed to
+vlan_header_ops. That is incorrect and will trigger null-ptr-deref
+for vlan->real_dev in vlan_dev_hard_header() because team device is not
+a vlan device.
+
+Cache eth_header_ops in team_setup(), then assign cached header_ops to
+header_ops of team net device when its type is changed from non-ether
+to ether to fix the bug.
+
+Fixes: 1d76efe1577b ("team: add support for non-ethernet devices")
+Suggested-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230918123011.1884401-1-william.xuanziyang@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team.c | 10 +++++++++-
+ include/linux/if_team.h | 2 ++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index 382756c3fb837..1b0fc84b4d0cd 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2127,7 +2127,12 @@ static const struct ethtool_ops team_ethtool_ops = {
+ static void team_setup_by_port(struct net_device *dev,
+ struct net_device *port_dev)
+ {
+- dev->header_ops = port_dev->header_ops;
++ struct team *team = netdev_priv(dev);
++
++ if (port_dev->type == ARPHRD_ETHER)
++ dev->header_ops = team->header_ops_cache;
++ else
++ dev->header_ops = port_dev->header_ops;
+ dev->type = port_dev->type;
+ dev->hard_header_len = port_dev->hard_header_len;
+ dev->needed_headroom = port_dev->needed_headroom;
+@@ -2174,8 +2179,11 @@ static int team_dev_type_check_change(struct net_device *dev,
+
+ static void team_setup(struct net_device *dev)
+ {
++ struct team *team = netdev_priv(dev);
++
+ ether_setup(dev);
+ dev->max_mtu = ETH_MAX_MTU;
++ team->header_ops_cache = dev->header_ops;
+
+ dev->netdev_ops = &team_netdev_ops;
+ dev->ethtool_ops = &team_ethtool_ops;
+diff --git a/include/linux/if_team.h b/include/linux/if_team.h
+index 8de6b6e678295..34bcba5a70677 100644
+--- a/include/linux/if_team.h
++++ b/include/linux/if_team.h
+@@ -189,6 +189,8 @@ struct team {
+ struct net_device *dev; /* associated netdevice */
+ struct team_pcpu_stats __percpu *pcpu_stats;
+
++ const struct header_ops *header_ops_cache;
++
+ struct mutex lock; /* used for overall locking, e.g. port lists write */
+
+ /*
+--
+2.40.1
+
--- /dev/null
+From 0900a5504c7ba22a5e24663b08cf2f6dfabad33a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 19:22:24 +0300
+Subject: uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+[ Upstream commit 32a4ec211d4164e667d9d0b807fadf02053cd2e9 ]
+
+__DECLARE_FLEX_ARRAY(T, member) macro expands to
+
+ struct {
+ struct {} __empty_member;
+ T member[];
+ };
+
+which is subtly wrong in C++ because sizeof(struct{}) is 1 not 0,
+changing UAPI structures layouts.
+
+This can be fixed by expanding to
+
+ T member[];
+
+Now g++ doesn't like "T member[]" either, throwing errors on
+the following code:
+
+ struct S {
+ union {
+ T1 member1[];
+ T2 member2[];
+ };
+ };
+
+or
+
+ struct S {
+ T member[];
+ };
+
+Use "T member[0];" which seems to work and does the right thing wrt
+structure layout.
+
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Fixes: 3080ea5553cc ("stddef: Introduce DECLARE_FLEX_ARRAY() helper")
+Link: https://lore.kernel.org/r/97242381-f1ec-4a4a-9472-1a464f575657@p183
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/stddef.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/include/uapi/linux/stddef.h b/include/uapi/linux/stddef.h
+index c027b2070d790..5c6c4269f7efe 100644
+--- a/include/uapi/linux/stddef.h
++++ b/include/uapi/linux/stddef.h
+@@ -29,6 +29,11 @@
+ struct TAG { MEMBERS } ATTRS NAME; \
+ }
+
++#ifdef __cplusplus
++/* sizeof(struct{}) is 1 in C++, not 0, can't use C version of the macro. */
++#define __DECLARE_FLEX_ARRAY(T, member) \
++ T member[0]
++#else
+ /**
+ * __DECLARE_FLEX_ARRAY() - Declare a flexible array usable in a union
+ *
+@@ -44,6 +49,7 @@
+ struct { } __empty_ ## NAME; \
+ TYPE NAME[]; \
+ }
++#endif
+
+ #ifndef __counted_by
+ #define __counted_by(m)
+--
+2.40.1
+
--- /dev/null
+From cab31c974c0324b4214af09a5be7e180a5facf2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 19:23:21 +0300
+Subject: uapi: stddef.h: Fix header guard location
+
+From: Alexey Dobriyan <adobriyan@gmail.com>
+
+[ Upstream commit 531108ec5b5cd45ec6272a6115e73275baef7d22 ]
+
+The #endif for the header guard wasn't at the end of the header. This
+was harmless since the define that escaped was already testing for its
+own redefinition. Regardless, move the #endif to the correct place.
+
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Fixes: c8248faf3ca2 ("Compiler Attributes: counted_by: Adjust name and identifier expansion")
+Link: https://lore.kernel.org/r/b1f5081e-339d-421d-81b2-cbb94e1f6f5f@p183
+Co-developed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Stable-dep-of: 32a4ec211d41 ("uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/stddef.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/stddef.h b/include/uapi/linux/stddef.h
+index 7c3fc39808811..c027b2070d790 100644
+--- a/include/uapi/linux/stddef.h
++++ b/include/uapi/linux/stddef.h
+@@ -44,8 +44,9 @@
+ struct { } __empty_ ## NAME; \
+ TYPE NAME[]; \
+ }
+-#endif
+
+ #ifndef __counted_by
+ #define __counted_by(m)
+ #endif
++
++#endif /* _UAPI_LINUX_STDDEF_H */
+--
+2.40.1
+
--- /dev/null
+From 23ad56b68c2866d8872d8e63583cb289934d0472 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 11:40:15 -0400
+Subject: vxlan: Add missing entries to vxlan_get_size()
+
+From: Benjamin Poirier <bpoirier@nvidia.com>
+
+[ Upstream commit 4e4b1798cc90e376b8b61d0098b4093898a32227 ]
+
+There are some attributes added by vxlan_fill_info() which are not
+accounted for in vxlan_get_size(). Add them.
+
+I didn't find a way to trigger an actual problem from this miscalculation
+since there is usually extra space in netlink size calculations like
+if_nlmsg_size(); but maybe I just didn't search long enough.
+
+Fixes: 3511494ce2f3 ("vxlan: Group Policy extension")
+Fixes: e1e5314de08b ("vxlan: implement GPE")
+Fixes: 0ace2ca89cbd ("vxlan: Use checksum partial with remote checksum offload")
+Fixes: f9c4bb0b245c ("vxlan: vni filtering support on collect metadata device")
+Signed-off-by: Benjamin Poirier <bpoirier@nvidia.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index c9a9373733c01..4b2db14472e6c 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -4296,6 +4296,10 @@ static size_t vxlan_get_size(const struct net_device *dev)
+ nla_total_size(sizeof(__u8)) + /* IFLA_VXLAN_REMCSUM_TX */
+ nla_total_size(sizeof(__u8)) + /* IFLA_VXLAN_REMCSUM_RX */
+ nla_total_size(sizeof(__u8)) + /* IFLA_VXLAN_LOCALBYPASS */
++ nla_total_size(0) + /* IFLA_VXLAN_GBP */
++ nla_total_size(0) + /* IFLA_VXLAN_GPE */
++ nla_total_size(0) + /* IFLA_VXLAN_REMCSUM_NOPARTIAL */
++ nla_total_size(sizeof(__u8)) + /* IFLA_VXLAN_VNIFILTER */
+ 0;
+ }
+
+--
+2.40.1
+
--- /dev/null
+From 0d43ea314dd56bd98b946e83bb56a505cb07748e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 12:52:34 +0200
+Subject: x86/asm: Fix build of UML with KASAN
+
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+
+[ Upstream commit 10f4c9b9a33b7df000f74fa0d896351fb1a61e6a ]
+
+Building UML with KASAN fails since commit 69d4c0d32186 ("entry, kasan,
+x86: Disallow overriding mem*() functions") with the following errors:
+
+ $ tools/testing/kunit/kunit.py run --kconfig_add CONFIG_KASAN=y
+ ...
+ ld: mm/kasan/shadow.o: in function `memset':
+ shadow.c:(.text+0x40): multiple definition of `memset';
+ arch/x86/lib/memset_64.o:(.noinstr.text+0x0): first defined here
+ ld: mm/kasan/shadow.o: in function `memmove':
+ shadow.c:(.text+0x90): multiple definition of `memmove';
+ arch/x86/lib/memmove_64.o:(.noinstr.text+0x0): first defined here
+ ld: mm/kasan/shadow.o: in function `memcpy':
+ shadow.c:(.text+0x110): multiple definition of `memcpy';
+ arch/x86/lib/memcpy_64.o:(.noinstr.text+0x0): first defined here
+
+UML does not use GENERIC_ENTRY and is still supposed to be allowed to
+override the mem*() functions, so use weak aliases in that case.
+
+Fixes: 69d4c0d32186 ("entry, kasan, x86: Disallow overriding mem*() functions")
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20230918-uml-kasan-v3-1-7ad6db477df6@axis.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/linkage.h | 7 +++++++
+ arch/x86/lib/memcpy_64.S | 2 +-
+ arch/x86/lib/memmove_64.S | 2 +-
+ arch/x86/lib/memset_64.S | 2 +-
+ 4 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/linkage.h b/arch/x86/include/asm/linkage.h
+index 5ff49fd67732e..571fe4d2d2328 100644
+--- a/arch/x86/include/asm/linkage.h
++++ b/arch/x86/include/asm/linkage.h
+@@ -105,6 +105,13 @@
+ CFI_POST_PADDING \
+ SYM_FUNC_END(__cfi_##name)
+
++/* UML needs to be able to override memcpy() and friends for KASAN. */
++#ifdef CONFIG_UML
++# define SYM_FUNC_ALIAS_MEMFUNC SYM_FUNC_ALIAS_WEAK
++#else
++# define SYM_FUNC_ALIAS_MEMFUNC SYM_FUNC_ALIAS
++#endif
++
+ /* SYM_TYPED_FUNC_START -- use for indirectly called globals, w/ CFI type */
+ #define SYM_TYPED_FUNC_START(name) \
+ SYM_TYPED_START(name, SYM_L_GLOBAL, SYM_F_ALIGN) \
+diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S
+index 8f95fb267caa7..76697df8dfd5b 100644
+--- a/arch/x86/lib/memcpy_64.S
++++ b/arch/x86/lib/memcpy_64.S
+@@ -40,7 +40,7 @@ SYM_TYPED_FUNC_START(__memcpy)
+ SYM_FUNC_END(__memcpy)
+ EXPORT_SYMBOL(__memcpy)
+
+-SYM_FUNC_ALIAS(memcpy, __memcpy)
++SYM_FUNC_ALIAS_MEMFUNC(memcpy, __memcpy)
+ EXPORT_SYMBOL(memcpy)
+
+ SYM_FUNC_START_LOCAL(memcpy_orig)
+diff --git a/arch/x86/lib/memmove_64.S b/arch/x86/lib/memmove_64.S
+index 0559b206fb110..ccdf3a597045e 100644
+--- a/arch/x86/lib/memmove_64.S
++++ b/arch/x86/lib/memmove_64.S
+@@ -212,5 +212,5 @@ SYM_FUNC_START(__memmove)
+ SYM_FUNC_END(__memmove)
+ EXPORT_SYMBOL(__memmove)
+
+-SYM_FUNC_ALIAS(memmove, __memmove)
++SYM_FUNC_ALIAS_MEMFUNC(memmove, __memmove)
+ EXPORT_SYMBOL(memmove)
+diff --git a/arch/x86/lib/memset_64.S b/arch/x86/lib/memset_64.S
+index 7c59a704c4584..3d818b849ec64 100644
+--- a/arch/x86/lib/memset_64.S
++++ b/arch/x86/lib/memset_64.S
+@@ -40,7 +40,7 @@ SYM_FUNC_START(__memset)
+ SYM_FUNC_END(__memset)
+ EXPORT_SYMBOL(__memset)
+
+-SYM_FUNC_ALIAS(memset, __memset)
++SYM_FUNC_ALIAS_MEMFUNC(memset, __memset)
+ EXPORT_SYMBOL(memset)
+
+ SYM_FUNC_START_LOCAL(memset_orig)
+--
+2.40.1
+
--- /dev/null
+From bede0195795fe8ad13b79013f1f52fe8ef5db04c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 13:55:58 -0400
+Subject: x86/mm, kexec, ima: Use memblock_free_late() from
+ ima_free_kexec_buffer()
+
+From: Rik van Riel <riel@surriel.com>
+
+[ Upstream commit 34cf99c250d5cd2530b93a57b0de31d3aaf8685b ]
+
+The code calling ima_free_kexec_buffer() runs long after the memblock
+allocator has already been torn down, potentially resulting in a use
+after free in memblock_isolate_range().
+
+With KASAN or KFENCE, this use after free will result in a BUG
+from the idle task, and a subsequent kernel panic.
+
+Switch ima_free_kexec_buffer() over to memblock_free_late() to avoid
+that bug.
+
+Fixes: fee3ff99bc67 ("powerpc: Move arch independent ima kexec functions to drivers/of/kexec.c")
+Suggested-by: Mike Rappoport <rppt@kernel.org>
+Signed-off-by: Rik van Riel <riel@surriel.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20230817135558.67274c83@imladris.surriel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/setup.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
+index fd975a4a52006..aa0df37c1fe72 100644
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -359,15 +359,11 @@ static void __init add_early_ima_buffer(u64 phys_addr)
+ #if defined(CONFIG_HAVE_IMA_KEXEC) && !defined(CONFIG_OF_FLATTREE)
+ int __init ima_free_kexec_buffer(void)
+ {
+- int rc;
+-
+ if (!ima_kexec_buffer_size)
+ return -ENOENT;
+
+- rc = memblock_phys_free(ima_kexec_buffer_phys,
+- ima_kexec_buffer_size);
+- if (rc)
+- return rc;
++ memblock_free_late(ima_kexec_buffer_phys,
++ ima_kexec_buffer_size);
+
+ ima_kexec_buffer_phys = 0;
+ ima_kexec_buffer_size = 0;
+--
+2.40.1
+
--- /dev/null
+From 2d25e1a5b314a3032494bd6e2f53892e2ea77b28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Sep 2023 22:04:47 -0700
+Subject: x86/srso: Don't probe microcode in a guest
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit 02428d0366a27c2f33bc4361eb10467777804f29 ]
+
+To support live migration, the hypervisor sets the "lowest common
+denominator" of features. Probing the microcode isn't allowed because
+any detected features might go away after a migration.
+
+As Andy Cooper states:
+
+ "Linux must not probe microcode when virtualised. What it may see
+ instantaneously on boot (owing to MSR_PRED_CMD being fully passed
+ through) is not accurate for the lifetime of the VM."
+
+Rely on the hypervisor to set the needed IBPB_BRTYPE and SBPB bits.
+
+Fixes: 1b5277c0ea0b ("x86/srso: Add SRSO_NO support")
+Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/3938a7209606c045a3f50305d201d840e8c834c7.1693889988.git.jpoimboe@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index b08af929135d9..28e77c5d6484a 100644
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -767,7 +767,7 @@ static void early_init_amd(struct cpuinfo_x86 *c)
+ if (cpu_has(c, X86_FEATURE_TOPOEXT))
+ smp_num_siblings = ((cpuid_ebx(0x8000001e) >> 8) & 0xff) + 1;
+
+- if (!cpu_has(c, X86_FEATURE_IBPB_BRTYPE)) {
++ if (!cpu_has(c, X86_FEATURE_HYPERVISOR) && !cpu_has(c, X86_FEATURE_IBPB_BRTYPE)) {
+ if (c->x86 == 0x17 && boot_cpu_has(X86_FEATURE_AMD_IBPB))
+ setup_force_cpu_cap(X86_FEATURE_IBPB_BRTYPE);
+ else if (c->x86 >= 0x19 && !wrmsrl_safe(MSR_IA32_PRED_CMD, PRED_CMD_SBPB)) {
+--
+2.40.1
+
--- /dev/null
+From 494c4bbf98fc5eafaa814930b01118ecd63a8260 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Sep 2023 22:04:48 -0700
+Subject: x86/srso: Fix SBPB enablement for spec_rstack_overflow=off
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit 01b057b2f4cc2d905a0bd92195657dbd9a7005ab ]
+
+If the user has requested no SRSO mitigation, other mitigations can use
+the lighter-weight SBPB instead of IBPB.
+
+Fixes: fb3bd914b3ec ("x86/srso: Add a Speculative RAS Overflow mitigation")
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/b20820c3cfd1003171135ec8d762a0b957348497.1693889988.git.jpoimboe@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index b0ae985aa6a4a..10499bcd4e396 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -2433,7 +2433,7 @@ static void __init srso_select_mitigation(void)
+
+ switch (srso_cmd) {
+ case SRSO_CMD_OFF:
+- return;
++ goto pred_cmd;
+
+ case SRSO_CMD_MICROCODE:
+ if (has_microcode) {
+--
+2.40.1
+
--- /dev/null
+From 7de6386ff79a25e104385a72aee999e0a49a3e02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Sep 2023 22:04:45 -0700
+Subject: x86/srso: Fix srso_show_state() side effect
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit a8cf700c17d9ca6cb8ee7dc5c9330dbac3948237 ]
+
+Reading the 'spec_rstack_overflow' sysfs file can trigger an unnecessary
+MSR write, and possibly even a (handled) exception if the microcode
+hasn't been updated.
+
+Avoid all that by just checking X86_FEATURE_IBPB_BRTYPE instead, which
+gets set by srso_select_mitigation() if the updated microcode exists.
+
+Fixes: fb3bd914b3ec ("x86/srso: Add a Speculative RAS Overflow mitigation")
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/27d128899cb8aee9eb2b57ddc996742b0c1d776b.1693889988.git.jpoimboe@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index f081d26616ac1..bdd3e296f72b0 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -2717,7 +2717,7 @@ static ssize_t srso_show_state(char *buf)
+
+ return sysfs_emit(buf, "%s%s\n",
+ srso_strings[srso_mitigation],
+- (cpu_has_ibpb_brtype_microcode() ? "" : ", no microcode"));
++ boot_cpu_has(X86_FEATURE_IBPB_BRTYPE) ? "" : ", no microcode");
+ }
+
+ static ssize_t gds_show_state(char *buf)
+--
+2.40.1
+
--- /dev/null
+From 13b572300658a3db983478a58ef5d376316ac0b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Sep 2023 22:04:46 -0700
+Subject: x86/srso: Set CPUID feature bits independently of bug or mitigation
+ status
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit 91857ae20303cc98ed36720d9868fcd604a2ee75 ]
+
+Booting with mitigations=off incorrectly prevents the
+X86_FEATURE_{IBPB_BRTYPE,SBPB} CPUID bits from getting set.
+
+Also, future CPUs without X86_BUG_SRSO might still have IBPB with branch
+type prediction flushing, in which case SBPB should be used instead of
+IBPB. The current code doesn't allow for that.
+
+Also, cpu_has_ibpb_brtype_microcode() has some surprising side effects
+and the setting of these feature bits really doesn't belong in the
+mitigation code anyway. Move it to earlier.
+
+Fixes: fb3bd914b3ec ("x86/srso: Add a Speculative RAS Overflow mitigation")
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Reviewed-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/869a1709abfe13b673bdd10c2f4332ca253a40bc.1693889988.git.jpoimboe@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/processor.h | 2 --
+ arch/x86/kernel/cpu/amd.c | 28 +++++++++-------------------
+ arch/x86/kernel/cpu/bugs.c | 13 +------------
+ 3 files changed, 10 insertions(+), 33 deletions(-)
+
+diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
+index fd750247ca891..9e26294e415c8 100644
+--- a/arch/x86/include/asm/processor.h
++++ b/arch/x86/include/asm/processor.h
+@@ -676,12 +676,10 @@ extern u16 get_llc_id(unsigned int cpu);
+ #ifdef CONFIG_CPU_SUP_AMD
+ extern u32 amd_get_nodes_per_socket(void);
+ extern u32 amd_get_highest_perf(void);
+-extern bool cpu_has_ibpb_brtype_microcode(void);
+ extern void amd_clear_divider(void);
+ #else
+ static inline u32 amd_get_nodes_per_socket(void) { return 0; }
+ static inline u32 amd_get_highest_perf(void) { return 0; }
+-static inline bool cpu_has_ibpb_brtype_microcode(void) { return false; }
+ static inline void amd_clear_divider(void) { }
+ #endif
+
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index 7eca6a8abbb1c..b08af929135d9 100644
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -766,6 +766,15 @@ static void early_init_amd(struct cpuinfo_x86 *c)
+
+ if (cpu_has(c, X86_FEATURE_TOPOEXT))
+ smp_num_siblings = ((cpuid_ebx(0x8000001e) >> 8) & 0xff) + 1;
++
++ if (!cpu_has(c, X86_FEATURE_IBPB_BRTYPE)) {
++ if (c->x86 == 0x17 && boot_cpu_has(X86_FEATURE_AMD_IBPB))
++ setup_force_cpu_cap(X86_FEATURE_IBPB_BRTYPE);
++ else if (c->x86 >= 0x19 && !wrmsrl_safe(MSR_IA32_PRED_CMD, PRED_CMD_SBPB)) {
++ setup_force_cpu_cap(X86_FEATURE_IBPB_BRTYPE);
++ setup_force_cpu_cap(X86_FEATURE_SBPB);
++ }
++ }
+ }
+
+ static void init_amd_k8(struct cpuinfo_x86 *c)
+@@ -1301,25 +1310,6 @@ void amd_check_microcode(void)
+ on_each_cpu(zenbleed_check_cpu, NULL, 1);
+ }
+
+-bool cpu_has_ibpb_brtype_microcode(void)
+-{
+- switch (boot_cpu_data.x86) {
+- /* Zen1/2 IBPB flushes branch type predictions too. */
+- case 0x17:
+- return boot_cpu_has(X86_FEATURE_AMD_IBPB);
+- case 0x19:
+- /* Poke the MSR bit on Zen3/4 to check its presence. */
+- if (!wrmsrl_safe(MSR_IA32_PRED_CMD, PRED_CMD_SBPB)) {
+- setup_force_cpu_cap(X86_FEATURE_SBPB);
+- return true;
+- } else {
+- return false;
+- }
+- default:
+- return false;
+- }
+-}
+-
+ /*
+ * Issue a DIV 0/1 insn to clear any division data from previous DIV
+ * operations.
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index bdd3e296f72b0..b0ae985aa6a4a 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -2404,26 +2404,15 @@ early_param("spec_rstack_overflow", srso_parse_cmdline);
+
+ static void __init srso_select_mitigation(void)
+ {
+- bool has_microcode;
++ bool has_microcode = boot_cpu_has(X86_FEATURE_IBPB_BRTYPE);
+
+ if (!boot_cpu_has_bug(X86_BUG_SRSO) || cpu_mitigations_off())
+ goto pred_cmd;
+
+- /*
+- * The first check is for the kernel running as a guest in order
+- * for guests to verify whether IBPB is a viable mitigation.
+- */
+- has_microcode = boot_cpu_has(X86_FEATURE_IBPB_BRTYPE) || cpu_has_ibpb_brtype_microcode();
+ if (!has_microcode) {
+ pr_warn("IBPB-extending microcode not applied!\n");
+ pr_warn(SRSO_NOTICE);
+ } else {
+- /*
+- * Enable the synthetic (even if in a real CPUID leaf)
+- * flags for guests.
+- */
+- setup_force_cpu_cap(X86_FEATURE_IBPB_BRTYPE);
+-
+ /*
+ * Zen1/2 with SMT off aren't vulnerable after the right
+ * IBPB microcode has been applied.
+--
+2.40.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
