--- /dev/null
+From 9f398a2ad1a3aced1955b29bac0c5fde50d55bf1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 15:15:02 +0000
+Subject: afs: Fix dynamic root lookup DNS check
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 74cef6872ceaefb5b6c5c60641371ea28702d358 ]
+
+In the afs dynamic root directory, the ->lookup() function does a DNS check
+on the cell being asked for and if the DNS upcall reports an error it will
+report an error back to userspace (typically ENOENT).
+
+However, if a failed DNS upcall returns a new-style result, it will return
+a valid result, with the status field set appropriately to indicate the
+type of failure - and in that case, dns_query() doesn't return an error and
+we let stat() complete with no error - which can cause confusion in
+userspace as subsequent calls that trigger d_automount then fail with
+ENOENT.
+
+Fix this by checking the status result from a valid dns_query() and
+returning an error if it indicates a failure.
+
+Fixes: bbb4c4323a4d ("dns: Allow the dns resolver to retrieve a server set")
+Reported-by: Markus Suvanto <markus.suvanto@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216637
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Markus Suvanto <markus.suvanto@gmail.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dynroot.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
+index 4ddc4846a8072..96b404d9e13ac 100644
+--- a/fs/afs/dynroot.c
++++ b/fs/afs/dynroot.c
+@@ -113,6 +113,7 @@ static int afs_probe_cell_name(struct dentry *dentry)
+ struct afs_net *net = afs_d2net(dentry);
+ const char *name = dentry->d_name.name;
+ size_t len = dentry->d_name.len;
++ char *result = NULL;
+ int ret;
+
+ /* Names prefixed with a dot are R/W mounts. */
+@@ -130,9 +131,22 @@ static int afs_probe_cell_name(struct dentry *dentry)
+ }
+
+ ret = dns_query(net->net, "afsdb", name, len, "srv=1",
+- NULL, NULL, false);
+- if (ret == -ENODATA || ret == -ENOKEY)
++ &result, NULL, false);
++ if (ret == -ENODATA || ret == -ENOKEY || ret == 0)
+ ret = -ENOENT;
++ if (ret > 0 && ret >= sizeof(struct dns_server_list_v1_header)) {
++ struct dns_server_list_v1_header *v1 = (void *)result;
++
++ if (v1->hdr.zero == 0 &&
++ v1->hdr.content == DNS_PAYLOAD_IS_SERVER_LIST &&
++ v1->hdr.version == 1 &&
++ (v1->status != DNS_LOOKUP_GOOD &&
++ v1->status != DNS_LOOKUP_GOOD_WITH_BAD))
++ return -ENOENT;
++
++ }
++
++ kfree(result);
+ return ret;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 1bbafca4877663fac11afac2271978ac67fd4b03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Dec 2023 15:09:31 +0000
+Subject: afs: Fix overwriting of result of DNS query
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit a9e01ac8c5ff32669119c40dfdc9e80eb0b7d7aa ]
+
+In afs_update_cell(), ret is the result of the DNS lookup and the errors
+are to be handled by a switch - however, the value gets clobbered in
+between by setting it to -ENOMEM in case afs_alloc_vlserver_list()
+fails.
+
+Fix this by moving the setting of -ENOMEM into the error handling for
+OOM failure. Further, only do it if we don't have an alternative error
+to return.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE. Based
+on a patch from Anastasia Belova [1].
+
+Fixes: d5c32c89b208 ("afs: Fix cell DNS lookup")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+cc: Anastasia Belova <abelova@astralinux.ru>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+cc: lvc-project@linuxtesting.org
+Link: https://lore.kernel.org/r/20231221085849.1463-1-abelova@astralinux.ru/ [1]
+Link: https://lore.kernel.org/r/1700862.1703168632@warthog.procyon.org.uk/ # v1
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/cell.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/afs/cell.c b/fs/afs/cell.c
+index d88407fb9bc09..b5d20a3c08294 100644
+--- a/fs/afs/cell.c
++++ b/fs/afs/cell.c
+@@ -409,10 +409,12 @@ static int afs_update_cell(struct afs_cell *cell)
+ if (ret == -ENOMEM)
+ goto out_wake;
+
+- ret = -ENOMEM;
+ vllist = afs_alloc_vlserver_list(0);
+- if (!vllist)
++ if (!vllist) {
++ if (ret >= 0)
++ ret = -ENOMEM;
+ goto out_wake;
++ }
+
+ switch (ret) {
+ case -ENODATA:
+--
+2.43.0
+
--- /dev/null
+From fff9418663f9e85daa0dbe68c13efca84ced0fcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 15:08:57 +0000
+Subject: afs: Fix the dynamic root's d_delete to always delete unused dentries
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 71f8b55bc30e82d6355e07811213d847981a32e2 ]
+
+Fix the afs dynamic root's d_delete function to always delete unused
+dentries rather than only deleting them if they're positive. With things
+as they stand upstream, negative dentries stemming from failed DNS lookups
+stick around preventing retries.
+
+Fixes: 66c7e1d319a5 ("afs: Split the dynroot stuff out and give it its own ops tables")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Markus Suvanto <markus.suvanto@gmail.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dynroot.c | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
+index b35c6081dbfe1..4ddc4846a8072 100644
+--- a/fs/afs/dynroot.c
++++ b/fs/afs/dynroot.c
+@@ -251,20 +251,9 @@ static int afs_dynroot_d_revalidate(struct dentry *dentry, unsigned int flags)
+ return 1;
+ }
+
+-/*
+- * Allow the VFS to enquire as to whether a dentry should be unhashed (mustn't
+- * sleep)
+- * - called from dput() when d_count is going to 0.
+- * - return 1 to request dentry be unhashed, 0 otherwise
+- */
+-static int afs_dynroot_d_delete(const struct dentry *dentry)
+-{
+- return d_really_is_positive(dentry);
+-}
+-
+ const struct dentry_operations afs_dynroot_dentry_operations = {
+ .d_revalidate = afs_dynroot_d_revalidate,
+- .d_delete = afs_dynroot_d_delete,
++ .d_delete = always_delete_dentry,
+ .d_release = afs_d_release,
+ .d_automount = afs_d_automount,
+ };
+--
+2.43.0
+
--- /dev/null
+From 6eccd848c86ce37dbe0372c02cb0ba6fc36cd6cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Dec 2023 13:57:31 +0000
+Subject: afs: Fix use-after-free due to get/remove race in volume tree
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 9a6b294ab496650e9f270123730df37030911b55 ]
+
+When an afs_volume struct is put, its refcount is reduced to 0 before
+the cell->volume_lock is taken and the volume removed from the
+cell->volumes tree.
+
+Unfortunately, this means that the lookup code can race and see a volume
+with a zero ref in the tree, resulting in a use-after-free:
+
+ refcount_t: addition on 0; use-after-free.
+ WARNING: CPU: 3 PID: 130782 at lib/refcount.c:25 refcount_warn_saturate+0x7a/0xda
+ ...
+ RIP: 0010:refcount_warn_saturate+0x7a/0xda
+ ...
+ Call Trace:
+ afs_get_volume+0x3d/0x55
+ afs_create_volume+0x126/0x1de
+ afs_validate_fc+0xfe/0x130
+ afs_get_tree+0x20/0x2e5
+ vfs_get_tree+0x1d/0xc9
+ do_new_mount+0x13b/0x22e
+ do_mount+0x5d/0x8a
+ __do_sys_mount+0x100/0x12a
+ do_syscall_64+0x3a/0x94
+ entry_SYSCALL_64_after_hwframe+0x62/0x6a
+
+Fix this by:
+
+ (1) When putting, use a flag to indicate if the volume has been removed
+ from the tree and skip the rb_erase if it has.
+
+ (2) When looking up, use a conditional ref increment and if it fails
+ because the refcount is 0, replace the node in the tree and set the
+ removal flag.
+
+Fixes: 20325960f875 ("afs: Reorganise volume and server trees to be rooted on the cell")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/internal.h | 2 ++
+ fs/afs/volume.c | 26 +++++++++++++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/fs/afs/internal.h b/fs/afs/internal.h
+index b29e9c206f782..0c03877cdaf7e 100644
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -589,6 +589,7 @@ struct afs_volume {
+ #define AFS_VOLUME_OFFLINE 4 /* - T if volume offline notice given */
+ #define AFS_VOLUME_BUSY 5 /* - T if volume busy notice given */
+ #define AFS_VOLUME_MAYBE_NO_IBULK 6 /* - T if some servers don't have InlineBulkStatus */
++#define AFS_VOLUME_RM_TREE 7 /* - Set if volume removed from cell->volumes */
+ #ifdef CONFIG_AFS_FSCACHE
+ struct fscache_cookie *cache; /* caching cookie */
+ #endif
+@@ -1507,6 +1508,7 @@ extern struct afs_vlserver_list *afs_extract_vlserver_list(struct afs_cell *,
+ extern struct afs_volume *afs_create_volume(struct afs_fs_context *);
+ extern void afs_activate_volume(struct afs_volume *);
+ extern void afs_deactivate_volume(struct afs_volume *);
++bool afs_try_get_volume(struct afs_volume *volume, enum afs_volume_trace reason);
+ extern struct afs_volume *afs_get_volume(struct afs_volume *, enum afs_volume_trace);
+ extern void afs_put_volume(struct afs_net *, struct afs_volume *, enum afs_volume_trace);
+ extern int afs_check_volume_status(struct afs_volume *, struct afs_operation *);
+diff --git a/fs/afs/volume.c b/fs/afs/volume.c
+index 32941bffa2ec1..137a970c19fb3 100644
+--- a/fs/afs/volume.c
++++ b/fs/afs/volume.c
+@@ -33,8 +33,13 @@ static struct afs_volume *afs_insert_volume_into_cell(struct afs_cell *cell,
+ } else if (p->vid > volume->vid) {
+ pp = &(*pp)->rb_right;
+ } else {
+- volume = afs_get_volume(p, afs_volume_trace_get_cell_insert);
+- goto found;
++ if (afs_try_get_volume(p, afs_volume_trace_get_cell_insert)) {
++ volume = p;
++ goto found;
++ }
++
++ set_bit(AFS_VOLUME_RM_TREE, &volume->flags);
++ rb_replace_node_rcu(&p->cell_node, &volume->cell_node, &cell->volumes);
+ }
+ }
+
+@@ -57,7 +62,8 @@ static void afs_remove_volume_from_cell(struct afs_volume *volume)
+ afs_volume_trace_remove);
+ write_seqlock(&cell->volume_lock);
+ hlist_del_rcu(&volume->proc_link);
+- rb_erase(&volume->cell_node, &cell->volumes);
++ if (!test_and_set_bit(AFS_VOLUME_RM_TREE, &volume->flags))
++ rb_erase(&volume->cell_node, &cell->volumes);
+ write_sequnlock(&cell->volume_lock);
+ }
+ }
+@@ -236,6 +242,20 @@ static void afs_destroy_volume(struct afs_net *net, struct afs_volume *volume)
+ _leave(" [destroyed]");
+ }
+
++/*
++ * Try to get a reference on a volume record.
++ */
++bool afs_try_get_volume(struct afs_volume *volume, enum afs_volume_trace reason)
++{
++ int r;
++
++ if (__refcount_inc_not_zero(&volume->ref, &r)) {
++ trace_afs_volume(volume->vid, r + 1, reason);
++ return true;
++ }
++ return false;
++}
++
+ /*
+ * Get a reference on a volume record.
+ */
+--
+2.43.0
+
--- /dev/null
+From e26ddcb71aae6a5360f7fac0469c038c1520699d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Jul 2022 10:52:14 +0100
+Subject: afs: Use refcount_t rather than atomic_t
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit c56f9ec8b20f931014574b943590c4d830109380 ]
+
+Use refcount_t rather than atomic_t in afs to make use of the count
+checking facilities provided.
+
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Link: https://lore.kernel.org/r/165911277768.3745403.423349776836296452.stgit@warthog.procyon.org.uk/ # v1
+Stable-dep-of: 9a6b294ab496 ("afs: Fix use-after-free due to get/remove race in volume tree")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/cell.c | 61 ++++++++++++++++++--------------------
+ fs/afs/cmservice.c | 2 +-
+ fs/afs/internal.h | 16 +++++-----
+ fs/afs/proc.c | 6 ++--
+ fs/afs/rxrpc.c | 26 ++++++++--------
+ fs/afs/server.c | 40 ++++++++++++++-----------
+ fs/afs/vl_list.c | 19 ++++--------
+ fs/afs/volume.c | 21 ++++++++-----
+ include/trace/events/afs.h | 26 ++++++++--------
+ 9 files changed, 110 insertions(+), 107 deletions(-)
+
+diff --git a/fs/afs/cell.c b/fs/afs/cell.c
+index b5d20a3c08294..77571372888d9 100644
+--- a/fs/afs/cell.c
++++ b/fs/afs/cell.c
+@@ -158,7 +158,7 @@ static struct afs_cell *afs_alloc_cell(struct afs_net *net,
+ cell->name[i] = tolower(name[i]);
+ cell->name[i] = 0;
+
+- atomic_set(&cell->ref, 1);
++ refcount_set(&cell->ref, 1);
+ atomic_set(&cell->active, 0);
+ INIT_WORK(&cell->manager, afs_manage_cell_work);
+ cell->volumes = RB_ROOT;
+@@ -287,7 +287,7 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net,
+ cell = candidate;
+ candidate = NULL;
+ atomic_set(&cell->active, 2);
+- trace_afs_cell(cell->debug_id, atomic_read(&cell->ref), 2, afs_cell_trace_insert);
++ trace_afs_cell(cell->debug_id, refcount_read(&cell->ref), 2, afs_cell_trace_insert);
+ rb_link_node_rcu(&cell->net_node, parent, pp);
+ rb_insert_color(&cell->net_node, &net->cells);
+ up_write(&net->cells_lock);
+@@ -295,7 +295,7 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net,
+ afs_queue_cell(cell, afs_cell_trace_get_queue_new);
+
+ wait_for_cell:
+- trace_afs_cell(cell->debug_id, atomic_read(&cell->ref), atomic_read(&cell->active),
++ trace_afs_cell(cell->debug_id, refcount_read(&cell->ref), atomic_read(&cell->active),
+ afs_cell_trace_wait);
+ _debug("wait_for_cell");
+ wait_var_event(&cell->state,
+@@ -492,13 +492,13 @@ static void afs_cell_destroy(struct rcu_head *rcu)
+ {
+ struct afs_cell *cell = container_of(rcu, struct afs_cell, rcu);
+ struct afs_net *net = cell->net;
+- int u;
++ int r;
+
+ _enter("%p{%s}", cell, cell->name);
+
+- u = atomic_read(&cell->ref);
+- ASSERTCMP(u, ==, 0);
+- trace_afs_cell(cell->debug_id, u, atomic_read(&cell->active), afs_cell_trace_free);
++ r = refcount_read(&cell->ref);
++ ASSERTCMP(r, ==, 0);
++ trace_afs_cell(cell->debug_id, r, atomic_read(&cell->active), afs_cell_trace_free);
+
+ afs_put_vlserverlist(net, rcu_access_pointer(cell->vl_servers));
+ afs_unuse_cell(net, cell->alias_of, afs_cell_trace_unuse_alias);
+@@ -541,13 +541,10 @@ void afs_cells_timer(struct timer_list *timer)
+ */
+ struct afs_cell *afs_get_cell(struct afs_cell *cell, enum afs_cell_trace reason)
+ {
+- int u;
++ int r;
+
+- if (atomic_read(&cell->ref) <= 0)
+- BUG();
+-
+- u = atomic_inc_return(&cell->ref);
+- trace_afs_cell(cell->debug_id, u, atomic_read(&cell->active), reason);
++ __refcount_inc(&cell->ref, &r);
++ trace_afs_cell(cell->debug_id, r + 1, atomic_read(&cell->active), reason);
+ return cell;
+ }
+
+@@ -558,12 +555,14 @@ void afs_put_cell(struct afs_cell *cell, enum afs_cell_trace reason)
+ {
+ if (cell) {
+ unsigned int debug_id = cell->debug_id;
+- unsigned int u, a;
++ unsigned int a;
++ bool zero;
++ int r;
+
+ a = atomic_read(&cell->active);
+- u = atomic_dec_return(&cell->ref);
+- trace_afs_cell(debug_id, u, a, reason);
+- if (u == 0) {
++ zero = __refcount_dec_and_test(&cell->ref, &r);
++ trace_afs_cell(debug_id, r - 1, a, reason);
++ if (zero) {
+ a = atomic_read(&cell->active);
+ WARN(a != 0, "Cell active count %u > 0\n", a);
+ call_rcu(&cell->rcu, afs_cell_destroy);
+@@ -576,14 +575,12 @@ void afs_put_cell(struct afs_cell *cell, enum afs_cell_trace reason)
+ */
+ struct afs_cell *afs_use_cell(struct afs_cell *cell, enum afs_cell_trace reason)
+ {
+- int u, a;
+-
+- if (atomic_read(&cell->ref) <= 0)
+- BUG();
++ int r, a;
+
+- u = atomic_read(&cell->ref);
++ r = refcount_read(&cell->ref);
++ WARN_ON(r == 0);
+ a = atomic_inc_return(&cell->active);
+- trace_afs_cell(cell->debug_id, u, a, reason);
++ trace_afs_cell(cell->debug_id, r, a, reason);
+ return cell;
+ }
+
+@@ -595,7 +592,7 @@ void afs_unuse_cell(struct afs_net *net, struct afs_cell *cell, enum afs_cell_tr
+ {
+ unsigned int debug_id;
+ time64_t now, expire_delay;
+- int u, a;
++ int r, a;
+
+ if (!cell)
+ return;
+@@ -609,9 +606,9 @@ void afs_unuse_cell(struct afs_net *net, struct afs_cell *cell, enum afs_cell_tr
+ expire_delay = afs_cell_gc_delay;
+
+ debug_id = cell->debug_id;
+- u = atomic_read(&cell->ref);
++ r = refcount_read(&cell->ref);
+ a = atomic_dec_return(&cell->active);
+- trace_afs_cell(debug_id, u, a, reason);
++ trace_afs_cell(debug_id, r, a, reason);
+ WARN_ON(a == 0);
+ if (a == 1)
+ /* 'cell' may now be garbage collected. */
+@@ -623,11 +620,11 @@ void afs_unuse_cell(struct afs_net *net, struct afs_cell *cell, enum afs_cell_tr
+ */
+ void afs_see_cell(struct afs_cell *cell, enum afs_cell_trace reason)
+ {
+- int u, a;
++ int r, a;
+
+- u = atomic_read(&cell->ref);
++ r = refcount_read(&cell->ref);
+ a = atomic_read(&cell->active);
+- trace_afs_cell(cell->debug_id, u, a, reason);
++ trace_afs_cell(cell->debug_id, r, a, reason);
+ }
+
+ /*
+@@ -753,7 +750,7 @@ static void afs_manage_cell(struct afs_cell *cell)
+ active = 1;
+ if (atomic_try_cmpxchg_relaxed(&cell->active, &active, 0)) {
+ rb_erase(&cell->net_node, &net->cells);
+- trace_afs_cell(cell->debug_id, atomic_read(&cell->ref), 0,
++ trace_afs_cell(cell->debug_id, refcount_read(&cell->ref), 0,
+ afs_cell_trace_unuse_delete);
+ smp_store_release(&cell->state, AFS_CELL_REMOVED);
+ }
+@@ -880,7 +877,7 @@ void afs_manage_cells(struct work_struct *work)
+ bool sched_cell = false;
+
+ active = atomic_read(&cell->active);
+- trace_afs_cell(cell->debug_id, atomic_read(&cell->ref),
++ trace_afs_cell(cell->debug_id, refcount_read(&cell->ref),
+ active, afs_cell_trace_manage);
+
+ ASSERTCMP(active, >=, 1);
+@@ -888,7 +885,7 @@ void afs_manage_cells(struct work_struct *work)
+ if (purging) {
+ if (test_and_clear_bit(AFS_CELL_FL_NO_GC, &cell->flags)) {
+ active = atomic_dec_return(&cell->active);
+- trace_afs_cell(cell->debug_id, atomic_read(&cell->ref),
++ trace_afs_cell(cell->debug_id, refcount_read(&cell->ref),
+ active, afs_cell_trace_unuse_pin);
+ }
+ }
+diff --git a/fs/afs/cmservice.c b/fs/afs/cmservice.c
+index a3f5de28be798..cedd627e1fae0 100644
+--- a/fs/afs/cmservice.c
++++ b/fs/afs/cmservice.c
+@@ -213,7 +213,7 @@ static void SRXAFSCB_CallBack(struct work_struct *work)
+ */
+ if (call->server) {
+ trace_afs_server(call->server,
+- atomic_read(&call->server->ref),
++ refcount_read(&call->server->ref),
+ atomic_read(&call->server->active),
+ afs_server_trace_callback);
+ afs_break_callbacks(call->server, call->count, call->request);
+diff --git a/fs/afs/internal.h b/fs/afs/internal.h
+index 183200c6ce20e..b29e9c206f782 100644
+--- a/fs/afs/internal.h
++++ b/fs/afs/internal.h
+@@ -123,7 +123,7 @@ struct afs_call {
+ };
+ struct afs_operation *op;
+ unsigned int server_index;
+- atomic_t usage;
++ refcount_t ref;
+ enum afs_call_state state;
+ spinlock_t state_lock;
+ int error; /* error code */
+@@ -368,7 +368,7 @@ struct afs_cell {
+ #endif
+ time64_t dns_expiry; /* Time AFSDB/SRV record expires */
+ time64_t last_inactive; /* Time of last drop of usage count */
+- atomic_t ref; /* Struct refcount */
++ refcount_t ref; /* Struct refcount */
+ atomic_t active; /* Active usage counter */
+ unsigned long flags;
+ #define AFS_CELL_FL_NO_GC 0 /* The cell was added manually, don't auto-gc */
+@@ -413,7 +413,7 @@ struct afs_vlserver {
+ #define AFS_VLSERVER_FL_IS_YFS 2 /* Server is YFS not AFS */
+ #define AFS_VLSERVER_FL_RESPONDING 3 /* VL server is responding */
+ rwlock_t lock; /* Lock on addresses */
+- atomic_t usage;
++ refcount_t ref;
+ unsigned int rtt; /* Server's current RTT in uS */
+
+ /* Probe state */
+@@ -449,7 +449,7 @@ struct afs_vlserver_entry {
+
+ struct afs_vlserver_list {
+ struct rcu_head rcu;
+- atomic_t usage;
++ refcount_t ref;
+ u8 nr_servers;
+ u8 index; /* Server currently in use */
+ u8 preferred; /* Preferred server */
+@@ -520,7 +520,7 @@ struct afs_server {
+ #define AFS_SERVER_FL_NO_IBULK 17 /* Fileserver doesn't support FS.InlineBulkStatus */
+ #define AFS_SERVER_FL_NO_RM2 18 /* Fileserver doesn't support YFS.RemoveFile2 */
+ #define AFS_SERVER_FL_HAS_FS64 19 /* Fileserver supports FS.{Fetch,Store}Data64 */
+- atomic_t ref; /* Object refcount */
++ refcount_t ref; /* Object refcount */
+ atomic_t active; /* Active user count */
+ u32 addr_version; /* Address list version */
+ unsigned int rtt; /* Server's current RTT in uS */
+@@ -575,7 +575,7 @@ struct afs_volume {
+ struct rcu_head rcu;
+ afs_volid_t vid; /* volume ID */
+ };
+- atomic_t usage;
++ refcount_t ref;
+ time64_t update_at; /* Time at which to next update */
+ struct afs_cell *cell; /* Cell to which belongs (pins ref) */
+ struct rb_node cell_node; /* Link in cell->volumes */
+@@ -1483,14 +1483,14 @@ extern int afs_end_vlserver_operation(struct afs_vl_cursor *);
+ */
+ static inline struct afs_vlserver *afs_get_vlserver(struct afs_vlserver *vlserver)
+ {
+- atomic_inc(&vlserver->usage);
++ refcount_inc(&vlserver->ref);
+ return vlserver;
+ }
+
+ static inline struct afs_vlserver_list *afs_get_vlserverlist(struct afs_vlserver_list *vllist)
+ {
+ if (vllist)
+- atomic_inc(&vllist->usage);
++ refcount_inc(&vllist->ref);
+ return vllist;
+ }
+
+diff --git a/fs/afs/proc.c b/fs/afs/proc.c
+index 065a28bfa3f18..254ccf1d592f0 100644
+--- a/fs/afs/proc.c
++++ b/fs/afs/proc.c
+@@ -47,7 +47,7 @@ static int afs_proc_cells_show(struct seq_file *m, void *v)
+
+ /* display one cell per line on subsequent lines */
+ seq_printf(m, "%3u %3u %6lld %2u %2u %s\n",
+- atomic_read(&cell->ref),
++ refcount_read(&cell->ref),
+ atomic_read(&cell->active),
+ cell->dns_expiry - ktime_get_real_seconds(),
+ vllist ? vllist->nr_servers : 0,
+@@ -217,7 +217,7 @@ static int afs_proc_cell_volumes_show(struct seq_file *m, void *v)
+ }
+
+ seq_printf(m, "%3d %08llx %s %s\n",
+- atomic_read(&vol->usage), vol->vid,
++ refcount_read(&vol->ref), vol->vid,
+ afs_vol_types[vol->type],
+ vol->name);
+
+@@ -388,7 +388,7 @@ static int afs_proc_servers_show(struct seq_file *m, void *v)
+ alist = rcu_dereference(server->addresses);
+ seq_printf(m, "%pU %3d %3d\n",
+ &server->uuid,
+- atomic_read(&server->ref),
++ refcount_read(&server->ref),
+ atomic_read(&server->active));
+ seq_printf(m, " - info: fl=%lx rtt=%u brk=%x\n",
+ server->flags, server->rtt, server->cb_s_break);
+diff --git a/fs/afs/rxrpc.c b/fs/afs/rxrpc.c
+index f7305f2791fef..ea40da937fcd8 100644
+--- a/fs/afs/rxrpc.c
++++ b/fs/afs/rxrpc.c
+@@ -145,7 +145,7 @@ static struct afs_call *afs_alloc_call(struct afs_net *net,
+ call->type = type;
+ call->net = net;
+ call->debug_id = atomic_inc_return(&rxrpc_debug_id);
+- atomic_set(&call->usage, 1);
++ refcount_set(&call->ref, 1);
+ INIT_WORK(&call->async_work, afs_process_async_call);
+ init_waitqueue_head(&call->waitq);
+ spin_lock_init(&call->state_lock);
+@@ -163,14 +163,15 @@ static struct afs_call *afs_alloc_call(struct afs_net *net,
+ void afs_put_call(struct afs_call *call)
+ {
+ struct afs_net *net = call->net;
+- int n = atomic_dec_return(&call->usage);
+- int o = atomic_read(&net->nr_outstanding_calls);
++ bool zero;
++ int r, o;
+
+- trace_afs_call(call, afs_call_trace_put, n, o,
++ zero = __refcount_dec_and_test(&call->ref, &r);
++ o = atomic_read(&net->nr_outstanding_calls);
++ trace_afs_call(call, afs_call_trace_put, r - 1, o,
+ __builtin_return_address(0));
+
+- ASSERTCMP(n, >=, 0);
+- if (n == 0) {
++ if (zero) {
+ ASSERT(!work_pending(&call->async_work));
+ ASSERT(call->type->name != NULL);
+
+@@ -198,9 +199,11 @@ void afs_put_call(struct afs_call *call)
+ static struct afs_call *afs_get_call(struct afs_call *call,
+ enum afs_call_trace why)
+ {
+- int u = atomic_inc_return(&call->usage);
++ int r;
+
+- trace_afs_call(call, why, u,
++ __refcount_inc(&call->ref, &r);
++
++ trace_afs_call(call, why, r + 1,
+ atomic_read(&call->net->nr_outstanding_calls),
+ __builtin_return_address(0));
+ return call;
+@@ -663,14 +666,13 @@ static void afs_wake_up_async_call(struct sock *sk, struct rxrpc_call *rxcall,
+ unsigned long call_user_ID)
+ {
+ struct afs_call *call = (struct afs_call *)call_user_ID;
+- int u;
++ int r;
+
+ trace_afs_notify_call(rxcall, call);
+ call->need_attention = true;
+
+- u = atomic_fetch_add_unless(&call->usage, 1, 0);
+- if (u != 0) {
+- trace_afs_call(call, afs_call_trace_wake, u + 1,
++ if (__refcount_inc_not_zero(&call->ref, &r)) {
++ trace_afs_call(call, afs_call_trace_wake, r + 1,
+ atomic_read(&call->net->nr_outstanding_calls),
+ __builtin_return_address(0));
+
+diff --git a/fs/afs/server.c b/fs/afs/server.c
+index 6e5b9a19b234e..ffed828622b60 100644
+--- a/fs/afs/server.c
++++ b/fs/afs/server.c
+@@ -228,7 +228,7 @@ static struct afs_server *afs_alloc_server(struct afs_cell *cell,
+ if (!server)
+ goto enomem;
+
+- atomic_set(&server->ref, 1);
++ refcount_set(&server->ref, 1);
+ atomic_set(&server->active, 1);
+ server->debug_id = atomic_inc_return(&afs_server_debug_id);
+ RCU_INIT_POINTER(server->addresses, alist);
+@@ -352,9 +352,10 @@ void afs_servers_timer(struct timer_list *timer)
+ struct afs_server *afs_get_server(struct afs_server *server,
+ enum afs_server_trace reason)
+ {
+- unsigned int u = atomic_inc_return(&server->ref);
++ int r;
+
+- trace_afs_server(server, u, atomic_read(&server->active), reason);
++ __refcount_inc(&server->ref, &r);
++ trace_afs_server(server, r + 1, atomic_read(&server->active), reason);
+ return server;
+ }
+
+@@ -364,14 +365,14 @@ struct afs_server *afs_get_server(struct afs_server *server,
+ static struct afs_server *afs_maybe_use_server(struct afs_server *server,
+ enum afs_server_trace reason)
+ {
+- unsigned int r = atomic_fetch_add_unless(&server->ref, 1, 0);
+ unsigned int a;
++ int r;
+
+- if (r == 0)
++ if (!__refcount_inc_not_zero(&server->ref, &r))
+ return NULL;
+
+ a = atomic_inc_return(&server->active);
+- trace_afs_server(server, r, a, reason);
++ trace_afs_server(server, r + 1, a, reason);
+ return server;
+ }
+
+@@ -380,10 +381,13 @@ static struct afs_server *afs_maybe_use_server(struct afs_server *server,
+ */
+ struct afs_server *afs_use_server(struct afs_server *server, enum afs_server_trace reason)
+ {
+- unsigned int r = atomic_inc_return(&server->ref);
+- unsigned int a = atomic_inc_return(&server->active);
++ unsigned int a;
++ int r;
++
++ __refcount_inc(&server->ref, &r);
++ a = atomic_inc_return(&server->active);
+
+- trace_afs_server(server, r, a, reason);
++ trace_afs_server(server, r + 1, a, reason);
+ return server;
+ }
+
+@@ -393,14 +397,15 @@ struct afs_server *afs_use_server(struct afs_server *server, enum afs_server_tra
+ void afs_put_server(struct afs_net *net, struct afs_server *server,
+ enum afs_server_trace reason)
+ {
+- unsigned int usage;
++ bool zero;
++ int r;
+
+ if (!server)
+ return;
+
+- usage = atomic_dec_return(&server->ref);
+- trace_afs_server(server, usage, atomic_read(&server->active), reason);
+- if (unlikely(usage == 0))
++ zero = __refcount_dec_and_test(&server->ref, &r);
++ trace_afs_server(server, r - 1, atomic_read(&server->active), reason);
++ if (unlikely(zero))
+ __afs_put_server(net, server);
+ }
+
+@@ -436,7 +441,7 @@ static void afs_server_rcu(struct rcu_head *rcu)
+ {
+ struct afs_server *server = container_of(rcu, struct afs_server, rcu);
+
+- trace_afs_server(server, atomic_read(&server->ref),
++ trace_afs_server(server, refcount_read(&server->ref),
+ atomic_read(&server->active), afs_server_trace_free);
+ afs_put_addrlist(rcu_access_pointer(server->addresses));
+ kfree(server);
+@@ -487,7 +492,7 @@ static void afs_gc_servers(struct afs_net *net, struct afs_server *gc_list)
+
+ active = atomic_read(&server->active);
+ if (active == 0) {
+- trace_afs_server(server, atomic_read(&server->ref),
++ trace_afs_server(server, refcount_read(&server->ref),
+ active, afs_server_trace_gc);
+ next = rcu_dereference_protected(
+ server->uuid_next, lockdep_is_held(&net->fs_lock.lock));
+@@ -553,7 +558,7 @@ void afs_manage_servers(struct work_struct *work)
+ _debug("manage %pU %u", &server->uuid, active);
+
+ if (purging) {
+- trace_afs_server(server, atomic_read(&server->ref),
++ trace_afs_server(server, refcount_read(&server->ref),
+ active, afs_server_trace_purging);
+ if (active != 0)
+ pr_notice("Can't purge s=%08x\n", server->debug_id);
+@@ -633,7 +638,8 @@ static noinline bool afs_update_server_record(struct afs_operation *op,
+
+ _enter("");
+
+- trace_afs_server(server, atomic_read(&server->ref), atomic_read(&server->active),
++ trace_afs_server(server, refcount_read(&server->ref),
++ atomic_read(&server->active),
+ afs_server_trace_update);
+
+ alist = afs_vl_lookup_addrs(op->volume->cell, op->key, &server->uuid);
+diff --git a/fs/afs/vl_list.c b/fs/afs/vl_list.c
+index 38b2ba1d9ec0d..acc48216136ae 100644
+--- a/fs/afs/vl_list.c
++++ b/fs/afs/vl_list.c
+@@ -17,7 +17,7 @@ struct afs_vlserver *afs_alloc_vlserver(const char *name, size_t name_len,
+ vlserver = kzalloc(struct_size(vlserver, name, name_len + 1),
+ GFP_KERNEL);
+ if (vlserver) {
+- atomic_set(&vlserver->usage, 1);
++ refcount_set(&vlserver->ref, 1);
+ rwlock_init(&vlserver->lock);
+ init_waitqueue_head(&vlserver->probe_wq);
+ spin_lock_init(&vlserver->probe_lock);
+@@ -39,13 +39,9 @@ static void afs_vlserver_rcu(struct rcu_head *rcu)
+
+ void afs_put_vlserver(struct afs_net *net, struct afs_vlserver *vlserver)
+ {
+- if (vlserver) {
+- unsigned int u = atomic_dec_return(&vlserver->usage);
+- //_debug("VL PUT %p{%u}", vlserver, u);
+-
+- if (u == 0)
+- call_rcu(&vlserver->rcu, afs_vlserver_rcu);
+- }
++ if (vlserver &&
++ refcount_dec_and_test(&vlserver->ref))
++ call_rcu(&vlserver->rcu, afs_vlserver_rcu);
+ }
+
+ struct afs_vlserver_list *afs_alloc_vlserver_list(unsigned int nr_servers)
+@@ -54,7 +50,7 @@ struct afs_vlserver_list *afs_alloc_vlserver_list(unsigned int nr_servers)
+
+ vllist = kzalloc(struct_size(vllist, servers, nr_servers), GFP_KERNEL);
+ if (vllist) {
+- atomic_set(&vllist->usage, 1);
++ refcount_set(&vllist->ref, 1);
+ rwlock_init(&vllist->lock);
+ }
+
+@@ -64,10 +60,7 @@ struct afs_vlserver_list *afs_alloc_vlserver_list(unsigned int nr_servers)
+ void afs_put_vlserverlist(struct afs_net *net, struct afs_vlserver_list *vllist)
+ {
+ if (vllist) {
+- unsigned int u = atomic_dec_return(&vllist->usage);
+-
+- //_debug("VLLS PUT %p{%u}", vllist, u);
+- if (u == 0) {
++ if (refcount_dec_and_test(&vllist->ref)) {
+ int i;
+
+ for (i = 0; i < vllist->nr_servers; i++) {
+diff --git a/fs/afs/volume.c b/fs/afs/volume.c
+index f84194b791d3e..32941bffa2ec1 100644
+--- a/fs/afs/volume.c
++++ b/fs/afs/volume.c
+@@ -53,7 +53,7 @@ static void afs_remove_volume_from_cell(struct afs_volume *volume)
+ struct afs_cell *cell = volume->cell;
+
+ if (!hlist_unhashed(&volume->proc_link)) {
+- trace_afs_volume(volume->vid, atomic_read(&volume->usage),
++ trace_afs_volume(volume->vid, refcount_read(&cell->ref),
+ afs_volume_trace_remove);
+ write_seqlock(&cell->volume_lock);
+ hlist_del_rcu(&volume->proc_link);
+@@ -88,7 +88,7 @@ static struct afs_volume *afs_alloc_volume(struct afs_fs_context *params,
+ volume->type_force = params->force;
+ volume->name_len = vldb->name_len;
+
+- atomic_set(&volume->usage, 1);
++ refcount_set(&volume->ref, 1);
+ INIT_HLIST_NODE(&volume->proc_link);
+ rwlock_init(&volume->servers_lock);
+ rwlock_init(&volume->cb_v_break_lock);
+@@ -229,7 +229,7 @@ static void afs_destroy_volume(struct afs_net *net, struct afs_volume *volume)
+ afs_remove_volume_from_cell(volume);
+ afs_put_serverlist(net, rcu_access_pointer(volume->servers));
+ afs_put_cell(volume->cell, afs_cell_trace_put_vol);
+- trace_afs_volume(volume->vid, atomic_read(&volume->usage),
++ trace_afs_volume(volume->vid, refcount_read(&volume->ref),
+ afs_volume_trace_free);
+ kfree_rcu(volume, rcu);
+
+@@ -243,8 +243,10 @@ struct afs_volume *afs_get_volume(struct afs_volume *volume,
+ enum afs_volume_trace reason)
+ {
+ if (volume) {
+- int u = atomic_inc_return(&volume->usage);
+- trace_afs_volume(volume->vid, u, reason);
++ int r;
++
++ __refcount_inc(&volume->ref, &r);
++ trace_afs_volume(volume->vid, r + 1, reason);
+ }
+ return volume;
+ }
+@@ -258,9 +260,12 @@ void afs_put_volume(struct afs_net *net, struct afs_volume *volume,
+ {
+ if (volume) {
+ afs_volid_t vid = volume->vid;
+- int u = atomic_dec_return(&volume->usage);
+- trace_afs_volume(vid, u, reason);
+- if (u == 0)
++ bool zero;
++ int r;
++
++ zero = __refcount_dec_and_test(&volume->ref, &r);
++ trace_afs_volume(vid, r - 1, reason);
++ if (zero)
+ afs_destroy_volume(net, volume);
+ }
+ }
+diff --git a/include/trace/events/afs.h b/include/trace/events/afs.h
+index bca73e8c8cdec..5556c5da117f2 100644
+--- a/include/trace/events/afs.h
++++ b/include/trace/events/afs.h
+@@ -728,14 +728,14 @@ TRACE_EVENT(afs_cb_call,
+
+ TRACE_EVENT(afs_call,
+ TP_PROTO(struct afs_call *call, enum afs_call_trace op,
+- int usage, int outstanding, const void *where),
++ int ref, int outstanding, const void *where),
+
+- TP_ARGS(call, op, usage, outstanding, where),
++ TP_ARGS(call, op, ref, outstanding, where),
+
+ TP_STRUCT__entry(
+ __field(unsigned int, call )
+ __field(int, op )
+- __field(int, usage )
++ __field(int, ref )
+ __field(int, outstanding )
+ __field(const void *, where )
+ ),
+@@ -743,15 +743,15 @@ TRACE_EVENT(afs_call,
+ TP_fast_assign(
+ __entry->call = call->debug_id;
+ __entry->op = op;
+- __entry->usage = usage;
++ __entry->ref = ref;
+ __entry->outstanding = outstanding;
+ __entry->where = where;
+ ),
+
+- TP_printk("c=%08x %s u=%d o=%d sp=%pSR",
++ TP_printk("c=%08x %s r=%d o=%d sp=%pSR",
+ __entry->call,
+ __print_symbolic(__entry->op, afs_call_traces),
+- __entry->usage,
++ __entry->ref,
+ __entry->outstanding,
+ __entry->where)
+ );
+@@ -1475,36 +1475,36 @@ TRACE_EVENT(afs_volume,
+ __entry->reason = reason;
+ ),
+
+- TP_printk("V=%llx %s u=%d",
++ TP_printk("V=%llx %s ur=%d",
+ __entry->vid,
+ __print_symbolic(__entry->reason, afs_volume_traces),
+ __entry->ref)
+ );
+
+ TRACE_EVENT(afs_cell,
+- TP_PROTO(unsigned int cell_debug_id, int usage, int active,
++ TP_PROTO(unsigned int cell_debug_id, int ref, int active,
+ enum afs_cell_trace reason),
+
+- TP_ARGS(cell_debug_id, usage, active, reason),
++ TP_ARGS(cell_debug_id, ref, active, reason),
+
+ TP_STRUCT__entry(
+ __field(unsigned int, cell )
+- __field(int, usage )
++ __field(int, ref )
+ __field(int, active )
+ __field(int, reason )
+ ),
+
+ TP_fast_assign(
+ __entry->cell = cell_debug_id;
+- __entry->usage = usage;
++ __entry->ref = ref;
+ __entry->active = active;
+ __entry->reason = reason;
+ ),
+
+- TP_printk("L=%08x %s u=%d a=%d",
++ TP_printk("L=%08x %s r=%d a=%d",
+ __entry->cell,
+ __print_symbolic(__entry->reason, afs_cell_traces),
+- __entry->usage,
++ __entry->ref,
+ __entry->active)
+ );
+
+--
+2.43.0
+
--- /dev/null
+From 214853fd6a802121a42b253bb4b797398a8f5f9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Nov 2023 12:16:04 -0600
+Subject: ARM: dts: dra7: Fix DRA7 L3 NoC node register size
+
+From: Andrew Davis <afd@ti.com>
+
+[ Upstream commit 1e5caee2ba8f1426e8098afb4ca38dc40a0ca71b ]
+
+This node can access any part of the L3 configuration registers space,
+including CLK1 and CLK2 which are 0x800000 offset. Restore this area
+size to include these areas.
+
+Fixes: 7f2659ce657e ("ARM: dts: Move dra7 l3 noc to a separate node")
+Signed-off-by: Andrew Davis <afd@ti.com>
+Message-ID: <20231113181604.546444-1-afd@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/dra7.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/dra7.dtsi b/arch/arm/boot/dts/dra7.dtsi
+index 61a3fb3e2a2f9..0cb5ec39e33a3 100644
+--- a/arch/arm/boot/dts/dra7.dtsi
++++ b/arch/arm/boot/dts/dra7.dtsi
+@@ -144,7 +144,7 @@
+
+ l3-noc@44000000 {
+ compatible = "ti,dra7-l3-noc";
+- reg = <0x44000000 0x1000>,
++ reg = <0x44000000 0x1000000>,
+ <0x45000000 0x1000>;
+ interrupts-extended = <&crossbar_mpu GIC_SPI 4 IRQ_TYPE_LEVEL_HIGH>,
+ <&wakeupgen GIC_SPI 10 IRQ_TYPE_LEVEL_HIGH>;
+--
+2.43.0
+
--- /dev/null
+From 7418e3320ae401fbeddfd53d33aa3265de97e642 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Nov 2023 22:52:37 +0800
+Subject: ARM: OMAP2+: Fix null pointer dereference and memory leak in
+ omap_soc_device_init
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit c72b9c33ef9695ad7ce7a6eb39a9df8a01b70796 ]
+
+kasprintf() returns a pointer to dynamically allocated memory which can
+be NULL upon failure. When 'soc_dev_attr->family' is NULL,it'll trigger
+the null pointer dereference issue, such as in 'soc_info_show'.
+
+And when 'soc_device_register' fails, it's necessary to release
+'soc_dev_attr->family' to avoid memory leaks.
+
+Fixes: 6770b2114325 ("ARM: OMAP2+: Export SoC information to userspace")
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Message-ID: <20231123145237.609442-1-chentao@kylinos.cn>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap2/id.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm/mach-omap2/id.c b/arch/arm/mach-omap2/id.c
+index 59755b5a1ad7a..75091aa7269ae 100644
+--- a/arch/arm/mach-omap2/id.c
++++ b/arch/arm/mach-omap2/id.c
+@@ -793,11 +793,16 @@ void __init omap_soc_device_init(void)
+
+ soc_dev_attr->machine = soc_name;
+ soc_dev_attr->family = omap_get_family();
++ if (!soc_dev_attr->family) {
++ kfree(soc_dev_attr);
++ return;
++ }
+ soc_dev_attr->revision = soc_rev;
+ soc_dev_attr->custom_attr_group = omap_soc_groups[0];
+
+ soc_dev = soc_device_register(soc_dev_attr);
+ if (IS_ERR(soc_dev)) {
++ kfree(soc_dev_attr->family);
+ kfree(soc_dev_attr);
+ return;
+ }
+--
+2.43.0
+
--- /dev/null
+From 8f34ceeed36186e3731c03090211b9cb35bf310c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 21:04:04 +0800
+Subject: ethernet: atheros: fix a memleak in atl1e_setup_ring_resources
+
+From: Zhipeng Lu <alexious@zju.edu.cn>
+
+[ Upstream commit 309fdb1c33fe726d92d0030481346f24e1b01f07 ]
+
+In the error handling of 'offset > adapter->ring_size', the
+tx_ring->tx_buffer allocated by kzalloc should be freed,
+instead of 'goto failed' instantly.
+
+Fixes: a6a5325239c2 ("atl1e: Atheros L1E Gigabit Ethernet driver")
+Signed-off-by: Zhipeng Lu <alexious@zju.edu.cn>
+Reviewed-by: Suman Ghosh <sumang@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
+index db13311e77e73..dc1165f11b6eb 100644
+--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c
+@@ -866,10 +866,13 @@ static int atl1e_setup_ring_resources(struct atl1e_adapter *adapter)
+ netdev_err(adapter->netdev, "offset(%d) > ring size(%d) !!\n",
+ offset, adapter->ring_size);
+ err = -1;
+- goto failed;
++ goto free_buffer;
+ }
+
+ return 0;
++free_buffer:
++ kfree(tx_ring->tx_buffer);
++ tx_ring->tx_buffer = NULL;
+ failed:
+ if (adapter->ring_vir_addr != NULL) {
+ dma_free_coherent(&pdev->dev, adapter->ring_size,
+--
+2.43.0
+
--- /dev/null
+From 9882384afab94aa2b684360e028942189eacd003 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Dec 2023 00:41:55 +0000
+Subject: keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on
+ expiry
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 39299bdd2546688d92ed9db4948f6219ca1b9542 ]
+
+If a key has an expiration time, then when that time passes, the key is
+left around for a certain amount of time before being collected (5 mins by
+default) so that EKEYEXPIRED can be returned instead of ENOKEY. This is a
+problem for DNS keys because we want to redo the DNS lookup immediately at
+that point.
+
+Fix this by allowing key types to be marked such that keys of that type
+don't have this extra period, but are reclaimed as soon as they expire and
+turn this on for dns_resolver-type keys. To make this easier to handle,
+key->expiry is changed to be permanent if TIME64_MAX rather than 0.
+
+Furthermore, give such new-style negative DNS results a 1s default expiry
+if no other expiry time is set rather than allowing it to stick around
+indefinitely. This shouldn't be zero as ls will follow a failing stat call
+immediately with a second with AT_SYMLINK_NOFOLLOW added.
+
+Fixes: 1a4240f4764a ("DNS: Separate out CIFS DNS Resolver code")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Markus Suvanto <markus.suvanto@gmail.com>
+cc: Wang Lei <wang840925@gmail.com>
+cc: Jeff Layton <jlayton@redhat.com>
+cc: Steve French <smfrench@gmail.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Jarkko Sakkinen <jarkko@kernel.org>
+cc: "David S. Miller" <davem@davemloft.net>
+cc: Eric Dumazet <edumazet@google.com>
+cc: Jakub Kicinski <kuba@kernel.org>
+cc: Paolo Abeni <pabeni@redhat.com>
+cc: linux-afs@lists.infradead.org
+cc: linux-cifs@vger.kernel.org
+cc: linux-nfs@vger.kernel.org
+cc: ceph-devel@vger.kernel.org
+cc: keyrings@vger.kernel.org
+cc: netdev@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/key-type.h | 1 +
+ net/dns_resolver/dns_key.c | 10 +++++++++-
+ security/keys/gc.c | 31 +++++++++++++++++++++----------
+ security/keys/internal.h | 11 ++++++++++-
+ security/keys/key.c | 15 +++++----------
+ security/keys/proc.c | 2 +-
+ 6 files changed, 47 insertions(+), 23 deletions(-)
+
+diff --git a/include/linux/key-type.h b/include/linux/key-type.h
+index 7d985a1dfe4af..5caf3ce823733 100644
+--- a/include/linux/key-type.h
++++ b/include/linux/key-type.h
+@@ -73,6 +73,7 @@ struct key_type {
+
+ unsigned int flags;
+ #define KEY_TYPE_NET_DOMAIN 0x00000001 /* Keys of this type have a net namespace domain */
++#define KEY_TYPE_INSTANT_REAP 0x00000002 /* Keys of this type don't have a delay after expiring */
+
+ /* vet a description */
+ int (*vet_description)(const char *description);
+diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
+index 3aced951d5ab8..03f8f33dc134c 100644
+--- a/net/dns_resolver/dns_key.c
++++ b/net/dns_resolver/dns_key.c
+@@ -91,6 +91,7 @@ const struct cred *dns_resolver_cache;
+ static int
+ dns_resolver_preparse(struct key_preparsed_payload *prep)
+ {
++ const struct dns_server_list_v1_header *v1;
+ const struct dns_payload_header *bin;
+ struct user_key_payload *upayload;
+ unsigned long derrno;
+@@ -122,6 +123,13 @@ dns_resolver_preparse(struct key_preparsed_payload *prep)
+ return -EINVAL;
+ }
+
++ v1 = (const struct dns_server_list_v1_header *)bin;
++ if ((v1->status != DNS_LOOKUP_GOOD &&
++ v1->status != DNS_LOOKUP_GOOD_WITH_BAD)) {
++ if (prep->expiry == TIME64_MAX)
++ prep->expiry = ktime_get_real_seconds() + 1;
++ }
++
+ result_len = datalen;
+ goto store_result;
+ }
+@@ -314,7 +322,7 @@ static long dns_resolver_read(const struct key *key,
+
+ struct key_type key_type_dns_resolver = {
+ .name = "dns_resolver",
+- .flags = KEY_TYPE_NET_DOMAIN,
++ .flags = KEY_TYPE_NET_DOMAIN | KEY_TYPE_INSTANT_REAP,
+ .preparse = dns_resolver_preparse,
+ .free_preparse = dns_resolver_free_preparse,
+ .instantiate = generic_key_instantiate,
+diff --git a/security/keys/gc.c b/security/keys/gc.c
+index 3c90807476eb0..eaddaceda14ea 100644
+--- a/security/keys/gc.c
++++ b/security/keys/gc.c
+@@ -66,6 +66,19 @@ void key_schedule_gc(time64_t gc_at)
+ }
+ }
+
++/*
++ * Set the expiration time on a key.
++ */
++void key_set_expiry(struct key *key, time64_t expiry)
++{
++ key->expiry = expiry;
++ if (expiry != TIME64_MAX) {
++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
++ expiry += key_gc_delay;
++ key_schedule_gc(expiry);
++ }
++}
++
+ /*
+ * Schedule a dead links collection run.
+ */
+@@ -176,7 +189,6 @@ static void key_garbage_collector(struct work_struct *work)
+ static u8 gc_state; /* Internal persistent state */
+ #define KEY_GC_REAP_AGAIN 0x01 /* - Need another cycle */
+ #define KEY_GC_REAPING_LINKS 0x02 /* - We need to reap links */
+-#define KEY_GC_SET_TIMER 0x04 /* - We need to restart the timer */
+ #define KEY_GC_REAPING_DEAD_1 0x10 /* - We need to mark dead keys */
+ #define KEY_GC_REAPING_DEAD_2 0x20 /* - We need to reap dead key links */
+ #define KEY_GC_REAPING_DEAD_3 0x40 /* - We need to reap dead keys */
+@@ -184,21 +196,17 @@ static void key_garbage_collector(struct work_struct *work)
+
+ struct rb_node *cursor;
+ struct key *key;
+- time64_t new_timer, limit;
++ time64_t new_timer, limit, expiry;
+
+ kenter("[%lx,%x]", key_gc_flags, gc_state);
+
+ limit = ktime_get_real_seconds();
+- if (limit > key_gc_delay)
+- limit -= key_gc_delay;
+- else
+- limit = key_gc_delay;
+
+ /* Work out what we're going to be doing in this pass */
+ gc_state &= KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2;
+ gc_state <<= 1;
+ if (test_and_clear_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags))
+- gc_state |= KEY_GC_REAPING_LINKS | KEY_GC_SET_TIMER;
++ gc_state |= KEY_GC_REAPING_LINKS;
+
+ if (test_and_clear_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags))
+ gc_state |= KEY_GC_REAPING_DEAD_1;
+@@ -233,8 +241,11 @@ static void key_garbage_collector(struct work_struct *work)
+ }
+ }
+
+- if (gc_state & KEY_GC_SET_TIMER) {
+- if (key->expiry > limit && key->expiry < new_timer) {
++ expiry = key->expiry;
++ if (expiry != TIME64_MAX) {
++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
++ expiry += key_gc_delay;
++ if (expiry > limit && expiry < new_timer) {
+ kdebug("will expire %x in %lld",
+ key_serial(key), key->expiry - limit);
+ new_timer = key->expiry;
+@@ -276,7 +287,7 @@ static void key_garbage_collector(struct work_struct *work)
+ */
+ kdebug("pass complete");
+
+- if (gc_state & KEY_GC_SET_TIMER && new_timer != (time64_t)TIME64_MAX) {
++ if (new_timer != TIME64_MAX) {
+ new_timer += key_gc_delay;
+ key_schedule_gc(new_timer);
+ }
+diff --git a/security/keys/internal.h b/security/keys/internal.h
+index 9b9cf3b6fcbb4..bede6c71ffd97 100644
+--- a/security/keys/internal.h
++++ b/security/keys/internal.h
+@@ -176,6 +176,7 @@ extern unsigned key_gc_delay;
+ extern void keyring_gc(struct key *keyring, time64_t limit);
+ extern void keyring_restriction_gc(struct key *keyring,
+ struct key_type *dead_type);
++void key_set_expiry(struct key *key, time64_t expiry);
+ extern void key_schedule_gc(time64_t gc_at);
+ extern void key_schedule_gc_links(void);
+ extern void key_gc_keytype(struct key_type *ktype);
+@@ -224,10 +225,18 @@ extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
+ */
+ static inline bool key_is_dead(const struct key *key, time64_t limit)
+ {
++ time64_t expiry = key->expiry;
++
++ if (expiry != TIME64_MAX) {
++ if (!(key->type->flags & KEY_TYPE_INSTANT_REAP))
++ expiry += key_gc_delay;
++ if (expiry <= limit)
++ return true;
++ }
++
+ return
+ key->flags & ((1 << KEY_FLAG_DEAD) |
+ (1 << KEY_FLAG_INVALIDATED)) ||
+- (key->expiry > 0 && key->expiry <= limit) ||
+ key->domain_tag->removed;
+ }
+
+diff --git a/security/keys/key.c b/security/keys/key.c
+index c45afdd1dfbb4..e65240641ca57 100644
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -294,6 +294,7 @@ struct key *key_alloc(struct key_type *type, const char *desc,
+ key->uid = uid;
+ key->gid = gid;
+ key->perm = perm;
++ key->expiry = TIME64_MAX;
+ key->restrict_link = restrict_link;
+ key->last_used_at = ktime_get_real_seconds();
+
+@@ -463,10 +464,7 @@ static int __key_instantiate_and_link(struct key *key,
+ if (authkey)
+ key_invalidate(authkey);
+
+- if (prep->expiry != TIME64_MAX) {
+- key->expiry = prep->expiry;
+- key_schedule_gc(prep->expiry + key_gc_delay);
+- }
++ key_set_expiry(key, prep->expiry);
+ }
+ }
+
+@@ -606,8 +604,7 @@ int key_reject_and_link(struct key *key,
+ atomic_inc(&key->user->nikeys);
+ mark_key_instantiated(key, -error);
+ notify_key(key, NOTIFY_KEY_INSTANTIATED, -error);
+- key->expiry = ktime_get_real_seconds() + timeout;
+- key_schedule_gc(key->expiry + key_gc_delay);
++ key_set_expiry(key, ktime_get_real_seconds() + timeout);
+
+ if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags))
+ awaken = 1;
+@@ -722,16 +719,14 @@ struct key_type *key_type_lookup(const char *type)
+
+ void key_set_timeout(struct key *key, unsigned timeout)
+ {
+- time64_t expiry = 0;
++ time64_t expiry = TIME64_MAX;
+
+ /* make the changes with the locks held to prevent races */
+ down_write(&key->sem);
+
+ if (timeout > 0)
+ expiry = ktime_get_real_seconds() + timeout;
+-
+- key->expiry = expiry;
+- key_schedule_gc(key->expiry + key_gc_delay);
++ key_set_expiry(key, expiry);
+
+ up_write(&key->sem);
+ }
+diff --git a/security/keys/proc.c b/security/keys/proc.c
+index d0cde6685627f..4f4e2c1824f18 100644
+--- a/security/keys/proc.c
++++ b/security/keys/proc.c
+@@ -198,7 +198,7 @@ static int proc_keys_show(struct seq_file *m, void *v)
+
+ /* come up with a suitable timeout value */
+ expiry = READ_ONCE(key->expiry);
+- if (expiry == 0) {
++ if (expiry == TIME64_MAX) {
+ memcpy(xbuf, "perm", 5);
+ } else if (now >= expiry) {
+ memcpy(xbuf, "expd", 5);
+--
+2.43.0
+
--- /dev/null
+From 4f3d2da0d1cceae019cc9e9365fbb34556342b72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 12:53:31 +0000
+Subject: net: check dev->gso_max_size in gso_features_check()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 24ab059d2ebd62fdccc43794796f6ffbabe49ebc ]
+
+Some drivers might misbehave if TSO packets get too big.
+
+GVE for instance uses a 16bit field in its TX descriptor,
+and will do bad things if a packet is bigger than 2^16 bytes.
+
+Linux TCP stack honors dev->gso_max_size, but there are
+other ways for too big packets to reach an ndo_start_xmit()
+handler : virtio_net, af_packet, GRO...
+
+Add a generic check in gso_features_check() and fallback
+to GSO when needed.
+
+gso_max_size was added in the blamed commit.
+
+Fixes: 82cc1a7a5687 ("[NET]: Add per-connection option to set max TSO frame size")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20231219125331.4127498-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 8f4f355a963f8..8501645ff67dd 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3540,6 +3540,9 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb,
+ if (gso_segs > dev->gso_max_segs)
+ return features & ~NETIF_F_GSO_MASK;
+
++ if (unlikely(skb->len >= READ_ONCE(dev->gso_max_size)))
++ return features & ~NETIF_F_GSO_MASK;
++
+ if (!skb_shinfo(skb)->gso_type) {
+ skb_warn_bad_offload(skb);
+ return features & ~NETIF_F_GSO_MASK;
+--
+2.43.0
+
--- /dev/null
+From decf42f3ccfb7a32049e484ebbf1d60b77ec48f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Dec 2023 15:52:18 +0800
+Subject: net: check vlan filter feature in vlan_vids_add_by_dev() and
+ vlan_vids_del_by_dev()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit 01a564bab4876007ce35f312e16797dfe40e4823 ]
+
+I got the below warning trace:
+
+WARNING: CPU: 4 PID: 4056 at net/core/dev.c:11066 unregister_netdevice_many_notify
+CPU: 4 PID: 4056 Comm: ip Not tainted 6.7.0-rc4+ #15
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+RIP: 0010:unregister_netdevice_many_notify+0x9a4/0x9b0
+Call Trace:
+ rtnl_dellink
+ rtnetlink_rcv_msg
+ netlink_rcv_skb
+ netlink_unicast
+ netlink_sendmsg
+ __sock_sendmsg
+ ____sys_sendmsg
+ ___sys_sendmsg
+ __sys_sendmsg
+ do_syscall_64
+ entry_SYSCALL_64_after_hwframe
+
+It can be repoduced via:
+
+ ip netns add ns1
+ ip netns exec ns1 ip link add bond0 type bond mode 0
+ ip netns exec ns1 ip link add bond_slave_1 type veth peer veth2
+ ip netns exec ns1 ip link set bond_slave_1 master bond0
+[1] ip netns exec ns1 ethtool -K bond0 rx-vlan-filter off
+[2] ip netns exec ns1 ip link add link bond_slave_1 name bond_slave_1.0 type vlan id 0
+[3] ip netns exec ns1 ip link add link bond0 name bond0.0 type vlan id 0
+[4] ip netns exec ns1 ip link set bond_slave_1 nomaster
+[5] ip netns exec ns1 ip link del veth2
+ ip netns del ns1
+
+This is all caused by command [1] turning off the rx-vlan-filter function
+of bond0. The reason is the same as commit 01f4fd270870 ("bonding: Fix
+incorrect deletion of ETH_P_8021AD protocol vid from slaves"). Commands
+[2] [3] add the same vid to slave and master respectively, causing
+command [4] to empty slave->vlan_info. The following command [5] triggers
+this problem.
+
+To fix this problem, we should add VLAN_FILTER feature checks in
+vlan_vids_add_by_dev() and vlan_vids_del_by_dev() to prevent incorrect
+addition or deletion of vlan_vid information.
+
+Fixes: 348a1443cc43 ("vlan: introduce functions to do mass addition/deletion of vids by another device")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/8021q/vlan_core.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
+index 59bc13b5f14f6..8710d5d7d3c18 100644
+--- a/net/8021q/vlan_core.c
++++ b/net/8021q/vlan_core.c
+@@ -407,6 +407,8 @@ int vlan_vids_add_by_dev(struct net_device *dev,
+ return 0;
+
+ list_for_each_entry(vid_info, &vlan_info->vid_list, list) {
++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto))
++ continue;
+ err = vlan_vid_add(dev, vid_info->proto, vid_info->vid);
+ if (err)
+ goto unwind;
+@@ -417,6 +419,8 @@ int vlan_vids_add_by_dev(struct net_device *dev,
+ list_for_each_entry_continue_reverse(vid_info,
+ &vlan_info->vid_list,
+ list) {
++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto))
++ continue;
+ vlan_vid_del(dev, vid_info->proto, vid_info->vid);
+ }
+
+@@ -436,8 +440,11 @@ void vlan_vids_del_by_dev(struct net_device *dev,
+ if (!vlan_info)
+ return;
+
+- list_for_each_entry(vid_info, &vlan_info->vid_list, list)
++ list_for_each_entry(vid_info, &vlan_info->vid_list, list) {
++ if (!vlan_hw_filter_capable(by_dev, vid_info->proto))
++ continue;
+ vlan_vid_del(dev, vid_info->proto, vid_info->vid);
++ }
+ }
+ EXPORT_SYMBOL(vlan_vids_del_by_dev);
+
+--
+2.43.0
+
--- /dev/null
+From 3a47c87e4cf70c735b78aba440426bf188e1ccba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Dec 2023 12:33:53 -0800
+Subject: net: mana: select PAGE_POOL
+
+From: Yury Norov <yury.norov@gmail.com>
+
+[ Upstream commit 340943fbff3d8faa44d2223ca04917df28786a07 ]
+
+Mana uses PAGE_POOL API. x86_64 defconfig doesn't select it:
+
+ld: vmlinux.o: in function `mana_create_page_pool.isra.0':
+mana_en.c:(.text+0x9ae36f): undefined reference to `page_pool_create'
+ld: vmlinux.o: in function `mana_get_rxfrag':
+mana_en.c:(.text+0x9afed1): undefined reference to `page_pool_alloc_pages'
+make[3]: *** [/home/yury/work/linux/scripts/Makefile.vmlinux:37: vmlinux] Error 1
+make[2]: *** [/home/yury/work/linux/Makefile:1154: vmlinux] Error 2
+make[1]: *** [/home/yury/work/linux/Makefile:234: __sub-make] Error 2
+make[1]: Leaving directory '/home/yury/work/build-linux-x86_64'
+make: *** [Makefile:234: __sub-make] Error 2
+
+So we need to select it explicitly.
+
+Signed-off-by: Yury Norov <yury.norov@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Simon Horman <horms@kernel.org> # build-tested
+Fixes: ca9c54d2 ("net: mana: Add a driver for Microsoft Azure Network Adapter")
+Link: https://lore.kernel.org/r/20231215203353.635379-1-yury.norov@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microsoft/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/microsoft/Kconfig b/drivers/net/ethernet/microsoft/Kconfig
+index fe4e7a7d9c0b5..8b6c4cc37c53c 100644
+--- a/drivers/net/ethernet/microsoft/Kconfig
++++ b/drivers/net/ethernet/microsoft/Kconfig
+@@ -19,6 +19,7 @@ config MICROSOFT_MANA
+ tristate "Microsoft Azure Network Adapter (MANA) support"
+ depends on PCI_MSI && X86_64
+ depends on PCI_HYPERV
++ select PAGE_POOL
+ help
+ This driver supports Microsoft Azure Network Adapter (MANA).
+ So far, the driver is only supported on X86_64.
+--
+2.43.0
+
--- /dev/null
+From 5beff7090b54083e3ef5c0a269ba280ab9a140c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Nov 2023 11:30:34 +0200
+Subject: net/mlx5: Fix fw tracer first block check
+
+From: Moshe Shemesh <moshe@nvidia.com>
+
+[ Upstream commit 4261edf11cb7c9224af713a102e5616329306932 ]
+
+While handling new traces, to verify it is not the first block being
+written, last_timestamp is checked. But instead of checking it is non
+zero it is verified to be zero. Fix to verify last_timestamp is not
+zero.
+
+Fixes: c71ad41ccb0c ("net/mlx5: FW tracer, events handling")
+Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Feras Daoud <ferasda@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+index b69ab30ecf03b..efa2e0a8fa1d1 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+@@ -691,7 +691,7 @@ static void mlx5_fw_tracer_handle_traces(struct work_struct *work)
+
+ while (block_timestamp > tracer->last_timestamp) {
+ /* Check block override if it's not the first block */
+- if (!tracer->last_timestamp) {
++ if (tracer->last_timestamp) {
+ u64 *ts_event;
+ /* To avoid block override be the HW in case of buffer
+ * wraparound, the time stamp of the previous block
+--
+2.43.0
+
--- /dev/null
+From 76aaebf34c386b91e293e08a6b982045fe6d9bf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Nov 2023 15:00:22 -0800
+Subject: net/mlx5e: Correct snprintf truncation handling for fw_version buffer
+ used by representors
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+[ Upstream commit b13559b76157de9d74f04d3ca0e49d69de3b5675 ]
+
+snprintf returns the length of the formatted string, excluding the trailing
+null, without accounting for truncation. This means that is the return
+value is greater than or equal to the size parameter, the fw_version string
+was truncated.
+
+Link: https://docs.kernel.org/core-api/kernel-api.html#c.snprintf
+Fixes: 1b2bd0c0264f ("net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors")
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+index 7a00faa62d993..de168d8cf33f7 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -73,7 +73,7 @@ static void mlx5e_rep_get_drvinfo(struct net_device *dev,
+ count = snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version),
+ "%d.%d.%04d (%.16s)", fw_rev_maj(mdev),
+ fw_rev_min(mdev), fw_rev_sub(mdev), mdev->board_id);
+- if (count == sizeof(drvinfo->fw_version))
++ if (count >= sizeof(drvinfo->fw_version))
+ snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version),
+ "%d.%d.%04d", fw_rev_maj(mdev),
+ fw_rev_min(mdev), fw_rev_sub(mdev));
+--
+2.43.0
+
--- /dev/null
+From d3ef61f0ecc8f2805a09e8ce0dd0a6e5c5281574 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 17:40:53 +0800
+Subject: net/mlx5e: fix a potential double-free in fs_udp_create_groups
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit e75efc6466ae289e599fb12a5a86545dff245c65 ]
+
+When kcalloc() for ft->g succeeds but kvzalloc() for in fails,
+fs_udp_create_groups() will free ft->g. However, its caller
+fs_udp_create_table() will free ft->g again through calling
+mlx5e_destroy_flow_table(), which will lead to a double-free.
+Fix this by setting ft->g to NULL in fs_udp_create_groups().
+
+Fixes: 1c80bd684388 ("net/mlx5e: Introduce Flow Steering UDP API")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c b/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c
+index 7aa25a5e29d73..b26edbc53cad2 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/fs_tt_redirect.c
+@@ -156,6 +156,7 @@ static int fs_udp_create_groups(struct mlx5e_flow_table *ft, enum fs_udp_type ty
+ in = kvzalloc(inlen, GFP_KERNEL);
+ if (!in || !ft->g) {
+ kfree(ft->g);
++ ft->g = NULL;
+ kvfree(in);
+ return -ENOMEM;
+ }
+--
+2.43.0
+
--- /dev/null
+From ca5d67667297d5dbf9538e2d863c357dce13c80c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Nov 2023 01:46:56 -0800
+Subject: net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list()
+
+From: Shifeng Li <lishifeng@sangfor.com.cn>
+
+[ Upstream commit ddb38ddff9c71026bad481b791a94d446ee37603 ]
+
+Out_sz that the size of out buffer is calculated using query_nic_vport
+_context_in structure when driver query the MAC list. However query_nic
+_vport_context_in structure is smaller than query_nic_vport_context_out.
+When allowed_list_size is greater than 96, calling ether_addr_copy() will
+trigger an slab-out-of-bounds.
+
+[ 1170.055866] BUG: KASAN: slab-out-of-bounds in mlx5_query_nic_vport_mac_list+0x481/0x4d0 [mlx5_core]
+[ 1170.055869] Read of size 4 at addr ffff88bdbc57d912 by task kworker/u128:1/461
+[ 1170.055870]
+[ 1170.055932] Workqueue: mlx5_esw_wq esw_vport_change_handler [mlx5_core]
+[ 1170.055936] Call Trace:
+[ 1170.055949] dump_stack+0x8b/0xbb
+[ 1170.055958] print_address_description+0x6a/0x270
+[ 1170.055961] kasan_report+0x179/0x2c0
+[ 1170.056061] mlx5_query_nic_vport_mac_list+0x481/0x4d0 [mlx5_core]
+[ 1170.056162] esw_update_vport_addr_list+0x2c5/0xcd0 [mlx5_core]
+[ 1170.056257] esw_vport_change_handle_locked+0xd08/0x1a20 [mlx5_core]
+[ 1170.056377] esw_vport_change_handler+0x6b/0x90 [mlx5_core]
+[ 1170.056381] process_one_work+0x65f/0x12d0
+[ 1170.056383] worker_thread+0x87/0xb50
+[ 1170.056390] kthread+0x2e9/0x3a0
+[ 1170.056394] ret_from_fork+0x1f/0x40
+
+Fixes: e16aea2744ab ("net/mlx5: Introduce access functions to modify/query vport mac lists")
+Cc: Ding Hui <dinghui@sangfor.com.cn>
+Signed-off-by: Shifeng Li <lishifeng@sangfor.com.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/vport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/vport.c b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
+index 4c1440a95ad75..0478e5ecd4913 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/vport.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/vport.c
+@@ -277,7 +277,7 @@ int mlx5_query_nic_vport_mac_list(struct mlx5_core_dev *dev,
+ req_list_size = max_list_size;
+ }
+
+- out_sz = MLX5_ST_SZ_BYTES(query_nic_vport_context_in) +
++ out_sz = MLX5_ST_SZ_BYTES(query_nic_vport_context_out) +
+ req_list_size * MLX5_ST_SZ_BYTES(mac_address_layout);
+
+ out = kzalloc(out_sz, GFP_KERNEL);
+--
+2.43.0
+
--- /dev/null
+From bb5a295ad4659dec1e154b6e585ea064efddf7eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 15:27:47 +0000
+Subject: net/rose: fix races in rose_kill_by_device()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 64b8bc7d5f1434c636a40bdcfcd42b278d1714be ]
+
+syzbot found an interesting netdev refcounting issue in
+net/rose/af_rose.c, thanks to CONFIG_NET_DEV_REFCNT_TRACKER=y [1]
+
+Problem is that rose_kill_by_device() can change rose->device
+while other threads do not expect the pointer to be changed.
+
+We have to first collect sockets in a temporary array,
+then perform the changes while holding the socket
+lock and rose_list_lock spinlock (in this order)
+
+Change rose_release() to also acquire rose_list_lock
+before releasing the netdev refcount.
+
+[1]
+
+[ 1185.055088][ T7889] ref_tracker: reference already released.
+[ 1185.061476][ T7889] ref_tracker: allocated in:
+[ 1185.066081][ T7889] rose_bind+0x4ab/0xd10
+[ 1185.070446][ T7889] __sys_bind+0x1ec/0x220
+[ 1185.074818][ T7889] __x64_sys_bind+0x72/0xb0
+[ 1185.079356][ T7889] do_syscall_64+0x40/0x110
+[ 1185.083897][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b
+[ 1185.089835][ T7889] ref_tracker: freed in:
+[ 1185.094088][ T7889] rose_release+0x2f5/0x570
+[ 1185.098629][ T7889] __sock_release+0xae/0x260
+[ 1185.103262][ T7889] sock_close+0x1c/0x20
+[ 1185.107453][ T7889] __fput+0x270/0xbb0
+[ 1185.111467][ T7889] task_work_run+0x14d/0x240
+[ 1185.116085][ T7889] get_signal+0x106f/0x2790
+[ 1185.120622][ T7889] arch_do_signal_or_restart+0x90/0x7f0
+[ 1185.126205][ T7889] exit_to_user_mode_prepare+0x121/0x240
+[ 1185.131846][ T7889] syscall_exit_to_user_mode+0x1e/0x60
+[ 1185.137293][ T7889] do_syscall_64+0x4d/0x110
+[ 1185.141783][ T7889] entry_SYSCALL_64_after_hwframe+0x63/0x6b
+[ 1185.148085][ T7889] ------------[ cut here ]------------
+
+WARNING: CPU: 1 PID: 7889 at lib/ref_tracker.c:255 ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255
+Modules linked in:
+CPU: 1 PID: 7889 Comm: syz-executor.2 Not tainted 6.7.0-rc4-syzkaller-00162-g65c95f78917e #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
+RIP: 0010:ref_tracker_free+0x61a/0x810 lib/ref_tracker.c:255
+Code: 00 44 8b 6b 18 31 ff 44 89 ee e8 21 62 f5 fc 45 85 ed 0f 85 a6 00 00 00 e8 a3 66 f5 fc 48 8b 34 24 48 89 ef e8 27 5f f1 05 90 <0f> 0b 90 bb ea ff ff ff e9 52 fd ff ff e8 84 66 f5 fc 4c 8d 6d 44
+RSP: 0018:ffffc90004917850 EFLAGS: 00010202
+RAX: 0000000000000201 RBX: ffff88802618f4c0 RCX: 0000000000000000
+RDX: 0000000000000202 RSI: ffffffff8accb920 RDI: 0000000000000001
+RBP: ffff8880269ea5b8 R08: 0000000000000001 R09: fffffbfff23e35f6
+R10: ffffffff91f1afb7 R11: 0000000000000001 R12: 1ffff92000922f0c
+R13: 0000000005a2039b R14: ffff88802618f4d8 R15: 00000000ffffffff
+FS: 00007f0a720ef6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f43a819d988 CR3: 0000000076c64000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<TASK>
+netdev_tracker_free include/linux/netdevice.h:4127 [inline]
+netdev_put include/linux/netdevice.h:4144 [inline]
+netdev_put include/linux/netdevice.h:4140 [inline]
+rose_kill_by_device net/rose/af_rose.c:195 [inline]
+rose_device_event+0x25d/0x330 net/rose/af_rose.c:218
+notifier_call_chain+0xb6/0x3b0 kernel/notifier.c:93
+call_netdevice_notifiers_info+0xbe/0x130 net/core/dev.c:1967
+call_netdevice_notifiers_extack net/core/dev.c:2005 [inline]
+call_netdevice_notifiers net/core/dev.c:2019 [inline]
+__dev_notify_flags+0x1f5/0x2e0 net/core/dev.c:8646
+dev_change_flags+0x122/0x170 net/core/dev.c:8682
+dev_ifsioc+0x9ad/0x1090 net/core/dev_ioctl.c:529
+dev_ioctl+0x224/0x1090 net/core/dev_ioctl.c:786
+sock_do_ioctl+0x198/0x270 net/socket.c:1234
+sock_ioctl+0x22e/0x6b0 net/socket.c:1339
+vfs_ioctl fs/ioctl.c:51 [inline]
+__do_sys_ioctl fs/ioctl.c:871 [inline]
+__se_sys_ioctl fs/ioctl.c:857 [inline]
+__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
+do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+RIP: 0033:0x7f0a7147cba9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f0a720ef0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f0a7159bf80 RCX: 00007f0a7147cba9
+RDX: 0000000020000040 RSI: 0000000000008914 RDI: 0000000000000004
+RBP: 00007f0a714c847a R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000000b R14: 00007f0a7159bf80 R15: 00007ffc8bb3a5f8
+</TASK>
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Bernard Pidoux <f6bvp@free.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 39 ++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 34 insertions(+), 5 deletions(-)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index b3e7a92f1ec19..1d95ff34b13c9 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -181,21 +181,47 @@ void rose_kill_by_neigh(struct rose_neigh *neigh)
+ */
+ static void rose_kill_by_device(struct net_device *dev)
+ {
+- struct sock *s;
++ struct sock *sk, *array[16];
++ struct rose_sock *rose;
++ bool rescan;
++ int i, cnt;
+
++start:
++ rescan = false;
++ cnt = 0;
+ spin_lock_bh(&rose_list_lock);
+- sk_for_each(s, &rose_list) {
+- struct rose_sock *rose = rose_sk(s);
++ sk_for_each(sk, &rose_list) {
++ rose = rose_sk(sk);
++ if (rose->device == dev) {
++ if (cnt == ARRAY_SIZE(array)) {
++ rescan = true;
++ break;
++ }
++ sock_hold(sk);
++ array[cnt++] = sk;
++ }
++ }
++ spin_unlock_bh(&rose_list_lock);
+
++ for (i = 0; i < cnt; i++) {
++ sk = array[cnt];
++ rose = rose_sk(sk);
++ lock_sock(sk);
++ spin_lock_bh(&rose_list_lock);
+ if (rose->device == dev) {
+- rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
++ rose_disconnect(sk, ENETUNREACH, ROSE_OUT_OF_ORDER, 0);
+ if (rose->neighbour)
+ rose->neighbour->use--;
+ dev_put(rose->device);
+ rose->device = NULL;
+ }
++ spin_unlock_bh(&rose_list_lock);
++ release_sock(sk);
++ sock_put(sk);
++ cond_resched();
+ }
+- spin_unlock_bh(&rose_list_lock);
++ if (rescan)
++ goto start;
+ }
+
+ /*
+@@ -655,7 +681,10 @@ static int rose_release(struct socket *sock)
+ break;
+ }
+
++ spin_lock_bh(&rose_list_lock);
+ dev_put(rose->device);
++ rose->device = NULL;
++ spin_unlock_bh(&rose_list_lock);
+ sock->sk = NULL;
+ release_sock(sk);
+ sock_put(sk);
+--
+2.43.0
+
--- /dev/null
+From 9073365816dd01fa01c1561ab58b240bd1536440 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Dec 2023 11:30:38 +0000
+Subject: net: sched: ife: fix potential use-after-free
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 19391a2ca98baa7b80279306cdf7dd43f81fa595 ]
+
+ife_decode() calls pskb_may_pull() two times, we need to reload
+ifehdr after the second one, or risk use-after-free as reported
+by syzbot:
+
+BUG: KASAN: slab-use-after-free in __ife_tlv_meta_valid net/ife/ife.c:108 [inline]
+BUG: KASAN: slab-use-after-free in ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131
+Read of size 2 at addr ffff88802d7300a4 by task syz-executor.5/22323
+
+CPU: 0 PID: 22323 Comm: syz-executor.5 Not tainted 6.7.0-rc3-syzkaller-00804-g074ac38d5b95 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
+Call Trace:
+<TASK>
+__dump_stack lib/dump_stack.c:88 [inline]
+dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
+print_address_description mm/kasan/report.c:364 [inline]
+print_report+0xc4/0x620 mm/kasan/report.c:475
+kasan_report+0xda/0x110 mm/kasan/report.c:588
+__ife_tlv_meta_valid net/ife/ife.c:108 [inline]
+ife_tlv_meta_decode+0x1d1/0x210 net/ife/ife.c:131
+tcf_ife_decode net/sched/act_ife.c:739 [inline]
+tcf_ife_act+0x4e3/0x1cd0 net/sched/act_ife.c:879
+tc_act include/net/tc_wrapper.h:221 [inline]
+tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079
+tcf_exts_exec include/net/pkt_cls.h:344 [inline]
+mall_classify+0x201/0x310 net/sched/cls_matchall.c:42
+tc_classify include/net/tc_wrapper.h:227 [inline]
+__tcf_classify net/sched/cls_api.c:1703 [inline]
+tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800
+hfsc_classify net/sched/sch_hfsc.c:1147 [inline]
+hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546
+dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739
+__dev_xmit_skb net/core/dev.c:3828 [inline]
+__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311
+dev_queue_xmit include/linux/netdevice.h:3165 [inline]
+packet_xmit+0x237/0x350 net/packet/af_packet.c:276
+packet_snd net/packet/af_packet.c:3081 [inline]
+packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+__do_sys_sendto net/socket.c:2202 [inline]
+__se_sys_sendto net/socket.c:2198 [inline]
+__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+RIP: 0033:0x7fe9acc7cae9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fe9ada450c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007fe9acd9bf80 RCX: 00007fe9acc7cae9
+RDX: 000000000000fce0 RSI: 00000000200002c0 RDI: 0000000000000003
+RBP: 00007fe9accc847a R08: 0000000020000140 R09: 0000000000000014
+R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000000b R14: 00007fe9acd9bf80 R15: 00007ffd5427ae78
+</TASK>
+
+Allocated by task 22323:
+kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
+kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+____kasan_kmalloc mm/kasan/common.c:374 [inline]
+__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
+kasan_kmalloc include/linux/kasan.h:198 [inline]
+__do_kmalloc_node mm/slab_common.c:1007 [inline]
+__kmalloc_node_track_caller+0x5a/0x90 mm/slab_common.c:1027
+kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
+__alloc_skb+0x12b/0x330 net/core/skbuff.c:651
+alloc_skb include/linux/skbuff.h:1298 [inline]
+alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
+sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
+packet_alloc_skb net/packet/af_packet.c:2930 [inline]
+packet_snd net/packet/af_packet.c:3024 [inline]
+packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+__do_sys_sendto net/socket.c:2202 [inline]
+__se_sys_sendto net/socket.c:2198 [inline]
+__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Freed by task 22323:
+kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
+kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
+____kasan_slab_free mm/kasan/common.c:236 [inline]
+____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200
+kasan_slab_free include/linux/kasan.h:164 [inline]
+slab_free_hook mm/slub.c:1800 [inline]
+slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826
+slab_free mm/slub.c:3809 [inline]
+__kmem_cache_free+0xc0/0x180 mm/slub.c:3822
+skb_kfree_head net/core/skbuff.c:950 [inline]
+skb_free_head+0x110/0x1b0 net/core/skbuff.c:962
+pskb_expand_head+0x3c5/0x1170 net/core/skbuff.c:2130
+__pskb_pull_tail+0xe1/0x1830 net/core/skbuff.c:2655
+pskb_may_pull_reason include/linux/skbuff.h:2685 [inline]
+pskb_may_pull include/linux/skbuff.h:2693 [inline]
+ife_decode+0x394/0x4f0 net/ife/ife.c:82
+tcf_ife_decode net/sched/act_ife.c:727 [inline]
+tcf_ife_act+0x43b/0x1cd0 net/sched/act_ife.c:879
+tc_act include/net/tc_wrapper.h:221 [inline]
+tcf_action_exec+0x1ac/0x620 net/sched/act_api.c:1079
+tcf_exts_exec include/net/pkt_cls.h:344 [inline]
+mall_classify+0x201/0x310 net/sched/cls_matchall.c:42
+tc_classify include/net/tc_wrapper.h:227 [inline]
+__tcf_classify net/sched/cls_api.c:1703 [inline]
+tcf_classify+0x82f/0x1260 net/sched/cls_api.c:1800
+hfsc_classify net/sched/sch_hfsc.c:1147 [inline]
+hfsc_enqueue+0x315/0x1060 net/sched/sch_hfsc.c:1546
+dev_qdisc_enqueue+0x3f/0x230 net/core/dev.c:3739
+__dev_xmit_skb net/core/dev.c:3828 [inline]
+__dev_queue_xmit+0x1de1/0x3d30 net/core/dev.c:4311
+dev_queue_xmit include/linux/netdevice.h:3165 [inline]
+packet_xmit+0x237/0x350 net/packet/af_packet.c:276
+packet_snd net/packet/af_packet.c:3081 [inline]
+packet_sendmsg+0x24aa/0x5200 net/packet/af_packet.c:3113
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+__do_sys_sendto net/socket.c:2202 [inline]
+__se_sys_sendto net/socket.c:2198 [inline]
+__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+The buggy address belongs to the object at ffff88802d730000
+which belongs to the cache kmalloc-8k of size 8192
+The buggy address is located 164 bytes inside of
+freed 8192-byte region [ffff88802d730000, ffff88802d732000)
+
+The buggy address belongs to the physical page:
+page:ffffea0000b5cc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2d730
+head:ffffea0000b5cc00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
+page_type: 0xffffffff()
+raw: 00fff00000000840 ffff888013042280 dead000000000122 0000000000000000
+raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 22323, tgid 22320 (syz-executor.5), ts 950317230369, free_ts 950233467461
+set_page_owner include/linux/page_owner.h:31 [inline]
+post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1544
+prep_new_page mm/page_alloc.c:1551 [inline]
+get_page_from_freelist+0xa28/0x3730 mm/page_alloc.c:3319
+__alloc_pages+0x22e/0x2420 mm/page_alloc.c:4575
+alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
+alloc_slab_page mm/slub.c:1870 [inline]
+allocate_slab mm/slub.c:2017 [inline]
+new_slab+0x283/0x3c0 mm/slub.c:2070
+___slab_alloc+0x979/0x1500 mm/slub.c:3223
+__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
+__slab_alloc_node mm/slub.c:3375 [inline]
+slab_alloc_node mm/slub.c:3468 [inline]
+__kmem_cache_alloc_node+0x131/0x310 mm/slub.c:3517
+__do_kmalloc_node mm/slab_common.c:1006 [inline]
+__kmalloc_node_track_caller+0x4a/0x90 mm/slab_common.c:1027
+kmalloc_reserve+0xef/0x260 net/core/skbuff.c:582
+__alloc_skb+0x12b/0x330 net/core/skbuff.c:651
+alloc_skb include/linux/skbuff.h:1298 [inline]
+alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331
+sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780
+packet_alloc_skb net/packet/af_packet.c:2930 [inline]
+packet_snd net/packet/af_packet.c:3024 [inline]
+packet_sendmsg+0x1e2a/0x5200 net/packet/af_packet.c:3113
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+page last free stack trace:
+reset_page_owner include/linux/page_owner.h:24 [inline]
+free_pages_prepare mm/page_alloc.c:1144 [inline]
+free_unref_page_prepare+0x53c/0xb80 mm/page_alloc.c:2354
+free_unref_page+0x33/0x3b0 mm/page_alloc.c:2494
+__unfreeze_partials+0x226/0x240 mm/slub.c:2655
+qlink_free mm/kasan/quarantine.c:168 [inline]
+qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
+kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:294
+__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
+kasan_slab_alloc include/linux/kasan.h:188 [inline]
+slab_post_alloc_hook mm/slab.h:763 [inline]
+slab_alloc_node mm/slub.c:3478 [inline]
+slab_alloc mm/slub.c:3486 [inline]
+__kmem_cache_alloc_lru mm/slub.c:3493 [inline]
+kmem_cache_alloc_lru+0x219/0x6f0 mm/slub.c:3509
+alloc_inode_sb include/linux/fs.h:2937 [inline]
+ext4_alloc_inode+0x28/0x650 fs/ext4/super.c:1408
+alloc_inode+0x5d/0x220 fs/inode.c:261
+new_inode_pseudo fs/inode.c:1006 [inline]
+new_inode+0x22/0x260 fs/inode.c:1032
+__ext4_new_inode+0x333/0x5200 fs/ext4/ialloc.c:958
+ext4_symlink+0x5d7/0xa20 fs/ext4/namei.c:3398
+vfs_symlink fs/namei.c:4464 [inline]
+vfs_symlink+0x3e5/0x620 fs/namei.c:4448
+do_symlinkat+0x25f/0x310 fs/namei.c:4490
+__do_sys_symlinkat fs/namei.c:4506 [inline]
+__se_sys_symlinkat fs/namei.c:4503 [inline]
+__x64_sys_symlinkat+0x97/0xc0 fs/namei.c:4503
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+
+Fixes: d57493d6d1be ("net: sched: ife: check on metadata length")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Alexander Aring <aahringo@redhat.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ife/ife.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ife/ife.c b/net/ife/ife.c
+index 13bbf8cb6a396..be05b690b9ef2 100644
+--- a/net/ife/ife.c
++++ b/net/ife/ife.c
+@@ -82,6 +82,7 @@ void *ife_decode(struct sk_buff *skb, u16 *metalen)
+ if (unlikely(!pskb_may_pull(skb, total_pull)))
+ return NULL;
+
++ ifehdr = (struct ifeheadr *)(skb->data + skb->dev->hard_header_len);
+ skb_set_mac_header(skb, total_pull);
+ __skb_pull(skb, total_pull);
+ *metalen = ifehdrln - IFE_METAHDRLEN;
+--
+2.43.0
+
--- /dev/null
+From ee8b8ec3b2d303b72c731d3adb8699344e93e9d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Nov 2023 17:55:33 +0100
+Subject: reset: Fix crash when freeing non-existent optional resets
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 4a6756f56bcf8e64c87144a626ce53aea4899c0e ]
+
+When obtaining one or more optional resets, non-existent resets are
+stored as NULL pointers, and all related error and cleanup paths need to
+take this into account.
+
+Currently only reset_control_put() and reset_control_bulk_put()
+get this right. All of __reset_control_bulk_get(),
+of_reset_control_array_get(), and reset_control_array_put() lack the
+proper checking, causing NULL pointer dereferences on failure or
+release.
+
+Fix this by moving the existing check from reset_control_bulk_put() to
+__reset_control_put_internal(), so it applies to all callers.
+The double check in reset_control_put() doesn't hurt.
+
+Fixes: 17c82e206d2a3cd8 ("reset: Add APIs to manage array of resets")
+Fixes: 48d71395896d54ee ("reset: Add reset_control_bulk API")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/2440edae7ca8534628cdbaf559ded288f2998178.1701276806.git.geert+renesas@glider.be
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/reset/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/reset/core.c b/drivers/reset/core.c
+index 61e6888826432..320412e513c07 100644
+--- a/drivers/reset/core.c
++++ b/drivers/reset/core.c
+@@ -806,6 +806,9 @@ static void __reset_control_put_internal(struct reset_control *rstc)
+ {
+ lockdep_assert_held(&reset_list_mutex);
+
++ if (IS_ERR_OR_NULL(rstc))
++ return;
++
+ kref_put(&rstc->refcnt, __reset_control_release);
+ }
+
+@@ -1016,11 +1019,8 @@ EXPORT_SYMBOL_GPL(reset_control_put);
+ void reset_control_bulk_put(int num_rstcs, struct reset_control_bulk_data *rstcs)
+ {
+ mutex_lock(&reset_list_mutex);
+- while (num_rstcs--) {
+- if (IS_ERR_OR_NULL(rstcs[num_rstcs].rstc))
+- continue;
++ while (num_rstcs--)
+ __reset_control_put_internal(rstcs[num_rstcs].rstc);
+- }
+ mutex_unlock(&reset_list_mutex);
+ }
+ EXPORT_SYMBOL_GPL(reset_control_bulk_put);
+--
+2.43.0
+
--- /dev/null
+From 08bc77f9d51038010461cdfbb96665a8d2993f96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Nov 2023 13:51:52 +0100
+Subject: Revert "net/mlx5e: fix double free of encap_header in update funcs"
+
+From: Vlad Buslov <vladbu@nvidia.com>
+
+[ Upstream commit 66ca8d4deca09bce3fc7bcf8ea7997fa1a51c33c ]
+
+This reverts commit 3a4aa3cb83563df942be49d145ee3b7ddf17d6bb.
+
+This patch is causing a null ptr issue, the proper fix is in the next
+patch.
+
+Fixes: 3a4aa3cb8356 ("net/mlx5e: fix double free of encap_header in update funcs")
+Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/mellanox/mlx5/core/en/tc_tun.c | 20 +++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+index 303e6e7a5c448..44071592bd6e2 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+@@ -397,12 +397,16 @@ int mlx5e_tc_tun_update_header_ipv4(struct mlx5e_priv *priv,
+ if (err)
+ goto free_encap;
+
++ e->encap_size = ipv4_encap_size;
++ kfree(e->encap_header);
++ e->encap_header = encap_header;
++
+ if (!(nud_state & NUD_VALID)) {
+ neigh_event_send(attr.n, NULL);
+ /* the encap entry will be made valid on neigh update event
+ * and not used before that.
+ */
+- goto free_encap;
++ goto release_neigh;
+ }
+
+ memset(&reformat_params, 0, sizeof(reformat_params));
+@@ -416,10 +420,6 @@ int mlx5e_tc_tun_update_header_ipv4(struct mlx5e_priv *priv,
+ goto free_encap;
+ }
+
+- e->encap_size = ipv4_encap_size;
+- kfree(e->encap_header);
+- e->encap_header = encap_header;
+-
+ e->flags |= MLX5_ENCAP_ENTRY_VALID;
+ mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev));
+ mlx5e_route_lookup_ipv4_put(&attr);
+@@ -660,12 +660,16 @@ int mlx5e_tc_tun_update_header_ipv6(struct mlx5e_priv *priv,
+ if (err)
+ goto free_encap;
+
++ e->encap_size = ipv6_encap_size;
++ kfree(e->encap_header);
++ e->encap_header = encap_header;
++
+ if (!(nud_state & NUD_VALID)) {
+ neigh_event_send(attr.n, NULL);
+ /* the encap entry will be made valid on neigh update event
+ * and not used before that.
+ */
+- goto free_encap;
++ goto release_neigh;
+ }
+
+ memset(&reformat_params, 0, sizeof(reformat_params));
+@@ -679,10 +683,6 @@ int mlx5e_tc_tun_update_header_ipv6(struct mlx5e_priv *priv,
+ goto free_encap;
+ }
+
+- e->encap_size = ipv6_encap_size;
+- kfree(e->encap_header);
+- e->encap_header = encap_header;
+-
+ e->flags |= MLX5_ENCAP_ENTRY_VALID;
+ mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev));
+ mlx5e_route_lookup_ipv6_put(&attr);
+--
+2.43.0
+
--- /dev/null
+From 1c283971284e0cb9d0f6d2a07681114f782ef441 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Nov 2023 13:52:28 +0100
+Subject: Revert "net/mlx5e: fix double free of encap_header"
+
+From: Vlad Buslov <vladbu@nvidia.com>
+
+[ Upstream commit 5d089684dc434a31e08d32f0530066d0025c52e4 ]
+
+This reverts commit 6f9b1a0731662648949a1c0587f6acb3b7f8acf1.
+
+This patch is causing a null ptr issue, the proper fix is in the next
+patch.
+
+Fixes: 6f9b1a073166 ("net/mlx5e: fix double free of encap_header")
+Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+index 44071592bd6e2..d90c6dc41c9f4 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+@@ -294,6 +294,9 @@ int mlx5e_tc_tun_create_header_ipv4(struct mlx5e_priv *priv,
+ if (err)
+ goto destroy_neigh_entry;
+
++ e->encap_size = ipv4_encap_size;
++ e->encap_header = encap_header;
++
+ if (!(nud_state & NUD_VALID)) {
+ neigh_event_send(attr.n, NULL);
+ /* the encap entry will be made valid on neigh update event
+@@ -313,8 +316,6 @@ int mlx5e_tc_tun_create_header_ipv4(struct mlx5e_priv *priv,
+ goto destroy_neigh_entry;
+ }
+
+- e->encap_size = ipv4_encap_size;
+- e->encap_header = encap_header;
+ e->flags |= MLX5_ENCAP_ENTRY_VALID;
+ mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev));
+ mlx5e_route_lookup_ipv4_put(&attr);
+@@ -558,6 +559,9 @@ int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv,
+ if (err)
+ goto destroy_neigh_entry;
+
++ e->encap_size = ipv6_encap_size;
++ e->encap_header = encap_header;
++
+ if (!(nud_state & NUD_VALID)) {
+ neigh_event_send(attr.n, NULL);
+ /* the encap entry will be made valid on neigh update event
+@@ -577,8 +581,6 @@ int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv,
+ goto destroy_neigh_entry;
+ }
+
+- e->encap_size = ipv6_encap_size;
+- e->encap_header = encap_header;
+ e->flags |= MLX5_ENCAP_ENTRY_VALID;
+ mlx5e_rep_queue_neigh_stats_work(netdev_priv(attr.out_dev));
+ mlx5e_route_lookup_ipv6_put(&attr);
+--
+2.43.0
+
--- /dev/null
+From 32599b126adcbf7bcb2f9d7cc21d90fc410ccd99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Dec 2023 15:03:15 +0100
+Subject: s390/vx: fix save/restore of fpu kernel context
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit e6b2dab41888332bf83f592131e7ea07756770a4 ]
+
+The KERNEL_FPR mask only contains a flag for the first eight vector
+registers. However floating point registers overlay parts of the first
+sixteen vector registers.
+
+This could lead to vector register corruption if a kernel fpu context uses
+any of the vector registers 8 to 15 and is interrupted or calls a
+KERNEL_FPR context. If that context uses also vector registers 8 to 15,
+their contents will be corrupted on return.
+
+Luckily this is currently not a real bug, since the kernel has only one
+KERNEL_FPR user with s390_adjust_jiffies() and it is only using floating
+point registers 0 to 2.
+
+Fix this by using the correct bits for KERNEL_FPR.
+
+Fixes: 7f79695cc1b6 ("s390/fpu: improve kernel_fpu_[begin|end]")
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/fpu/api.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/include/asm/fpu/api.h b/arch/s390/include/asm/fpu/api.h
+index a959b815a58b6..b8c7e8538c855 100644
+--- a/arch/s390/include/asm/fpu/api.h
++++ b/arch/s390/include/asm/fpu/api.h
+@@ -78,7 +78,7 @@ static inline int test_fp_ctl(u32 fpc)
+ #define KERNEL_VXR_HIGH (KERNEL_VXR_V16V23|KERNEL_VXR_V24V31)
+
+ #define KERNEL_VXR (KERNEL_VXR_LOW|KERNEL_VXR_HIGH)
+-#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_V0V7)
++#define KERNEL_FPR (KERNEL_FPC|KERNEL_VXR_LOW)
+
+ struct kernel_fpu;
+
+--
+2.43.0
+
ksmbd-fix-wrong-name-of-smb2_create_allocation_size.patch
smb-client-fix-oob-in-smb2_query_reparse_point.patch
+arm-dts-dra7-fix-dra7-l3-noc-node-register-size.patch
+arm-omap2-fix-null-pointer-dereference-and-memory-le.patch
+reset-fix-crash-when-freeing-non-existent-optional-r.patch
+s390-vx-fix-save-restore-of-fpu-kernel-context.patch
+wifi-iwlwifi-pcie-add-another-missing-bh-disable-for.patch
+wifi-mac80211-mesh_plink-fix-matches_local-logic.patch
+revert-net-mlx5e-fix-double-free-of-encap_header-in-.patch
+revert-net-mlx5e-fix-double-free-of-encap_header.patch
+net-mlx5e-fix-slab-out-of-bounds-in-mlx5_query_nic_v.patch
+net-mlx5e-fix-a-potential-double-free-in-fs_udp_crea.patch
+net-mlx5-fix-fw-tracer-first-block-check.patch
+net-mlx5e-correct-snprintf-truncation-handling-for-f.patch
+net-sched-ife-fix-potential-use-after-free.patch
+ethernet-atheros-fix-a-memleak-in-atl1e_setup_ring_r.patch
+net-rose-fix-races-in-rose_kill_by_device.patch
+net-mana-select-page_pool.patch
+net-check-vlan-filter-feature-in-vlan_vids_add_by_de.patch
+afs-fix-the-dynamic-root-s-d_delete-to-always-delete.patch
+afs-fix-dynamic-root-lookup-dns-check.patch
+net-check-dev-gso_max_size-in-gso_features_check.patch
+keys-dns-allow-key-types-eg.-dns-to-be-reclaimed-imm.patch
+afs-fix-overwriting-of-result-of-dns-query.patch
+afs-use-refcount_t-rather-than-atomic_t.patch
+afs-fix-use-after-free-due-to-get-remove-race-in-vol.patch
--- /dev/null
+From 655244ea9b7d3cbf937259c9beb04ebb191dfdab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Dec 2023 18:32:02 +0200
+Subject: wifi: iwlwifi: pcie: add another missing bh-disable for rxq->lock
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit a4754182dc936b97ec7e9f6b08cdf7ed97ef9069 ]
+
+Evidently I had only looked at all the ones in rx.c, and missed this.
+Add bh-disable to this use of the rxq->lock as well.
+
+Fixes: 25edc8f259c7 ("iwlwifi: pcie: properly implement NAPI")
+Reported-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20231208183100.e79ad3dae649.I8f19713c4383707f8be7fc20ff5cc1ecf12429bb@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+index b7b2d28b3e436..8a19463bc81c1 100644
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -2960,7 +2960,7 @@ static u32 iwl_trans_pcie_dump_rbs(struct iwl_trans *trans,
+ struct iwl_rxq *rxq = &trans_pcie->rxq[0];
+ u32 i, r, j, rb_len = 0;
+
+- spin_lock(&rxq->lock);
++ spin_lock_bh(&rxq->lock);
+
+ r = le16_to_cpu(iwl_get_closed_rb_stts(trans, rxq)) & 0x0FFF;
+
+@@ -2984,7 +2984,7 @@ static u32 iwl_trans_pcie_dump_rbs(struct iwl_trans *trans,
+ *data = iwl_fw_error_next_data(*data);
+ }
+
+- spin_unlock(&rxq->lock);
++ spin_unlock_bh(&rxq->lock);
+
+ return rb_len;
+ }
+--
+2.43.0
+
--- /dev/null
+From 0068a3297030643ac1e7e1dd13b6ef0051301ca1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 09:05:31 +0200
+Subject: wifi: mac80211: mesh_plink: fix matches_local logic
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 8c386b166e2517cf3a123018e77941ec22625d0f ]
+
+During refactoring the "else" here got lost, add it back.
+
+Fixes: c99a89edb106 ("mac80211: factor out plink event gathering")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20231211085121.795480fa0e0b.I017d501196a5bbdcd9afd33338d342d6fe1edd79@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh_plink.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
+index a829470dd59ed..44ce979a9fd54 100644
+--- a/net/mac80211/mesh_plink.c
++++ b/net/mac80211/mesh_plink.c
+@@ -1050,8 +1050,8 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata,
+ case WLAN_SP_MESH_PEERING_OPEN:
+ if (!matches_local)
+ event = OPN_RJCT;
+- if (!mesh_plink_free_count(sdata) ||
+- (sta->mesh->plid && sta->mesh->plid != plid))
++ else if (!mesh_plink_free_count(sdata) ||
++ (sta->mesh->plid && sta->mesh->plid != plid))
+ event = OPN_IGNR;
+ else
+ event = OPN_ACPT;
+@@ -1059,9 +1059,9 @@ mesh_plink_get_event(struct ieee80211_sub_if_data *sdata,
+ case WLAN_SP_MESH_PEERING_CONFIRM:
+ if (!matches_local)
+ event = CNF_RJCT;
+- if (!mesh_plink_free_count(sdata) ||
+- sta->mesh->llid != llid ||
+- (sta->mesh->plid && sta->mesh->plid != plid))
++ else if (!mesh_plink_free_count(sdata) ||
++ sta->mesh->llid != llid ||
++ (sta->mesh->plid && sta->mesh->plid != plid))
+ event = CNF_IGNR;
+ else
+ event = CNF_ACPT;
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
