Fixes for 6.5
authorSasha Levin <sashal@kernel.org>
Sat, 7 Oct 2023 12:15:37 +0000 (08:15 -0400)
committerSasha Levin <sashal@kernel.org>
Sat, 7 Oct 2023 12:15:37 +0000 (08:15 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
82 files changed:
queue-6.5/bluetooth-delete-unused-hci_req_prepare_suspend-decl.patch [new file with mode: 0644]
queue-6.5/bluetooth-fix-hci_link_tx_to-rcu-lock-usage.patch [new file with mode: 0644]
queue-6.5/bluetooth-iso-fix-handling-of-listen-for-unicast.patch [new file with mode: 0644]
queue-6.5/bpf-fix-tr-dereferencing.patch [new file with mode: 0644]
queue-6.5/bpf-sockmap-do-not-inc-copied_seq-when-peek-flag-set.patch [new file with mode: 0644]
queue-6.5/bpf-sockmap-reject-sk_msg-egress-redirects-to-non-tc.patch [new file with mode: 0644]
queue-6.5/bpf-tcp_read_skb-needs-to-pop-skb-regardless-of-seq.patch [new file with mode: 0644]
queue-6.5/bpf-unconditionally-reset-backtrack_state-masks-on-g.patch [new file with mode: 0644]
queue-6.5/drivers-net-process-the-result-of-hdlc_open-and-add-.patch [new file with mode: 0644]
queue-6.5/erofs-allow-empty-device-tags-in-flatdev-mode.patch [new file with mode: 0644]
queue-6.5/erofs-fix-memory-leak-of-lzma-global-compressed-dedu.patch [new file with mode: 0644]
queue-6.5/ethtool-plca-fix-plca-enable-data-type-while-parsing.patch [new file with mode: 0644]
queue-6.5/hid-intel-ish-hid-ipc-disable-and-reenable-acpi-gpe-.patch [new file with mode: 0644]
queue-6.5/hid-nvidia-shield-add-leds_class-dependency.patch [new file with mode: 0644]
queue-6.5/hid-nvidia-shield-fix-a-missing-led_classdev_unregis.patch [new file with mode: 0644]
queue-6.5/hid-sony-fix-a-potential-memory-leak-in-sony_probe.patch [new file with mode: 0644]
queue-6.5/hid-sony-remove-duplicate-null-check-before-calling-.patch [new file with mode: 0644]
queue-6.5/ibmveth-remove-condition-to-recompute-tcp-header-che.patch [new file with mode: 0644]
queue-6.5/ice-always-add-legacy-32byte-rxdid-in-supported_rxdi.patch [new file with mode: 0644]
queue-6.5/ima-finish-deprecation-of-ima_trusted_keyring-kconfi.patch [new file with mode: 0644]
queue-6.5/ima-rework-config_ima-dependency-block.patch [new file with mode: 0644]
queue-6.5/iommu-mediatek-fix-share-pgtable-for-iova-over-4gb.patch [new file with mode: 0644]
queue-6.5/ipv4-ipv6-fix-handling-of-transhdrlen-in-__ip-6-_app.patch [new file with mode: 0644]
queue-6.5/ipv4-set-offload_failed-flag-in-fibmatch-results.patch [new file with mode: 0644]
queue-6.5/ipv6-tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch [new file with mode: 0644]
queue-6.5/iwlwifi-mvm-handle-ps-changes-in-vif_cfg_changed.patch [new file with mode: 0644]
queue-6.5/leds-drop-bug_on-check-for-led_color_id_multi.patch [new file with mode: 0644]
queue-6.5/modpost-add-missing-else-to-the-of-check.patch [new file with mode: 0644]
queue-6.5/neighbour-fix-data-races-around-n-output.patch [new file with mode: 0644]
queue-6.5/net-dsa-mv88e6xxx-avoid-eeprom-timeout-when-eeprom-i.patch [new file with mode: 0644]
queue-6.5/net-ethernet-ti-am65-cpsw-fix-error-code-in-am65_cps.patch [new file with mode: 0644]
queue-6.5/net-fix-possible-store-tearing-in-neigh_periodic_wor.patch [new file with mode: 0644]
queue-6.5/net-lan743x-also-select-phylib.patch [new file with mode: 0644]
queue-6.5/net-mana-fix-oversized-sge0-for-gso-packets.patch [new file with mode: 0644]
queue-6.5/net-mana-fix-the-tso_bytes-calculation.patch [new file with mode: 0644]
queue-6.5/net-nfc-llcp-add-lock-when-modifying-device-list.patch [new file with mode: 0644]
queue-6.5/net-renesas-rswitch-add-spin-lock-protection-for-irq.patch [new file with mode: 0644]
queue-6.5/net-stmmac-dwmac-stm32-fix-resume-on-stm32-mcu.patch [new file with mode: 0644]
queue-6.5/net-stmmac-platform-fix-the-incorrect-parameter.patch [new file with mode: 0644]
queue-6.5/net-usb-smsc75xx-fix-uninit-value-access-in-__smsc75.patch [new file with mode: 0644]
queue-6.5/netfilter-handle-the-connecting-collision-properly-i.patch [new file with mode: 0644]
queue-6.5/netfilter-nf_tables-deduplicate-nft_register_obj-aud.patch [new file with mode: 0644]
queue-6.5/netfilter-nf_tables-nft_set_rbtree-fix-spurious-inse.patch [new file with mode: 0644]
queue-6.5/netfilter-nft_payload-rebuild-vlan-header-on-h_proto.patch [new file with mode: 0644]
queue-6.5/netlink-annotate-data-races-around-sk-sk_err.patch [new file with mode: 0644]
queue-6.5/nfsv4-fix-a-nfs4_state_manager-race.patch [new file with mode: 0644]
queue-6.5/ovl-fetch-inode-once-in-ovl_dentry_revalidate_common.patch [new file with mode: 0644]
queue-6.5/ovl-move-freeing-ovl_entry-past-rcu-delay.patch [new file with mode: 0644]
queue-6.5/perf-x86-amd-core-fix-overflow-reset-on-hotplug.patch [new file with mode: 0644]
queue-6.5/perf-x86-amd-do-not-warn-on-every-irq.patch [new file with mode: 0644]
queue-6.5/ptp-ocp-fix-error-handling-in-ptp_ocp_device_init.patch [new file with mode: 0644]
queue-6.5/regmap-rbtree-fix-wrong-register-marked-as-in-cache-.patch [new file with mode: 0644]
queue-6.5/regulator-core-regulator_register-set-device-class-e.patch [new file with mode: 0644]
queue-6.5/regulator-mt6358-split-ops-for-buck-and-linear-range.patch [new file with mode: 0644]
queue-6.5/rswitch-fix-phy-station-management-clock-setting.patch [new file with mode: 0644]
queue-6.5/rtla-timerlat-do-not-stop-user-space-if-a-cpu-is-off.patch [new file with mode: 0644]
queue-6.5/rtla-timerlat_aa-fix-negative-irq-delay.patch [new file with mode: 0644]
queue-6.5/rtla-timerlat_aa-fix-previous-irq-delay-for-irqs-tha.patch [new file with mode: 0644]
queue-6.5/rtla-timerlat_aa-zero-thread-sum-after-every-sample-.patch [new file with mode: 0644]
queue-6.5/s390-bpf-let-arch_prepare_bpf_trampoline-return-prog.patch [new file with mode: 0644]
queue-6.5/scsi-target-core-fix-deadlock-due-to-recursive-locki.patch [new file with mode: 0644]
queue-6.5/sctp-update-hb-timer-immediately-after-users-change-.patch [new file with mode: 0644]
queue-6.5/sctp-update-transport-state-when-processing-a-dupcoo.patch [new file with mode: 0644]
queue-6.5/selftests-netfilter-extend-nft_audit.sh.patch [new file with mode: 0644]
queue-6.5/selftests-netfilter-test-nf_tables-audit-logging.patch [new file with mode: 0644]
queue-6.5/series
queue-6.5/tcp-fix-delayed-acks-for-mss-boundary-condition.patch [new file with mode: 0644]
queue-6.5/tcp-fix-quick-ack-counting-to-count-actual-acks-of-n.patch [new file with mode: 0644]
queue-6.5/tipc-fix-a-potential-deadlock-on-tx-lock.patch [new file with mode: 0644]
queue-6.5/ubi-refuse-attaching-if-mtd-s-erasesize-is-0.patch [new file with mode: 0644]
queue-6.5/wifi-cfg80211-add-missing-kernel-doc-for-cqm_rssi_wo.patch [new file with mode: 0644]
queue-6.5/wifi-cfg80211-fix-cqm_config-access-race.patch [new file with mode: 0644]
queue-6.5/wifi-cfg80211-mac80211-hold-link-bsses-when-assoc-fa.patch [new file with mode: 0644]
queue-6.5/wifi-iwlwifi-dbg_ini-fix-structure-packing.patch [new file with mode: 0644]
queue-6.5/wifi-iwlwifi-mvm-fix-a-memory-corruption-issue.patch [new file with mode: 0644]
queue-6.5/wifi-iwlwifi-mvm-fix-incorrect-usage-of-scan-api.patch [new file with mode: 0644]
queue-6.5/wifi-mac80211-create-resources-for-disabled-links.patch [new file with mode: 0644]
queue-6.5/wifi-mac80211-fix-mesh-id-corruption-on-32-bit-syste.patch [new file with mode: 0644]
queue-6.5/wifi-mac80211-fix-potential-key-use-after-free.patch [new file with mode: 0644]
queue-6.5/wifi-mt76-fix-lock-dependency-problem-for-wed_lock.patch [new file with mode: 0644]
queue-6.5/wifi-mt76-mt76x02-fix-mt76x0-external-lna-gain-handl.patch [new file with mode: 0644]
queue-6.5/wifi-mwifiex-fix-oob-check-condition-in-mwifiex_proc.patch [new file with mode: 0644]

diff --git a/queue-6.5/bluetooth-delete-unused-hci_req_prepare_suspend-decl.patch b/queue-6.5/bluetooth-delete-unused-hci_req_prepare_suspend-decl.patch
new file mode 100644 (file)
index 0000000..9e2cc70
--- /dev/null
@@ -0,0 +1,35 @@
+From 1e23a7ea663071fefb1a1606ac7cc17eb593db5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Aug 2023 16:13:13 +0800
+Subject: Bluetooth: Delete unused hci_req_prepare_suspend() declaration
+
+From: Yao Xiao <xiaoyao@rock-chips.com>
+
+[ Upstream commit cbaabbcdcbd355f0a1ccc09a925575c51c270750 ]
+
+hci_req_prepare_suspend() has been deprecated in favor of
+hci_suspend_sync().
+
+Fixes: 182ee45da083 ("Bluetooth: hci_sync: Rework hci_suspend_notifier")
+Signed-off-by: Yao Xiao <xiaoyao@rock-chips.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_request.h | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_request.h b/net/bluetooth/hci_request.h
+index b9c5a98238374..0be75cf0efed8 100644
+--- a/net/bluetooth/hci_request.h
++++ b/net/bluetooth/hci_request.h
+@@ -71,7 +71,5 @@ struct sk_buff *hci_prepare_cmd(struct hci_dev *hdev, u16 opcode, u32 plen,
+ void hci_req_add_le_scan_disable(struct hci_request *req, bool rpa_le_conn);
+ void hci_req_add_le_passive_scan(struct hci_request *req);
+-void hci_req_prepare_suspend(struct hci_dev *hdev, enum suspended_state next);
+-
+ void hci_request_setup(struct hci_dev *hdev);
+ void hci_request_cancel_all(struct hci_dev *hdev);
+-- 
+2.40.1
+
diff --git a/queue-6.5/bluetooth-fix-hci_link_tx_to-rcu-lock-usage.patch b/queue-6.5/bluetooth-fix-hci_link_tx_to-rcu-lock-usage.patch
new file mode 100644 (file)
index 0000000..3455955
--- /dev/null
@@ -0,0 +1,64 @@
+From 04ccb12162d600467a8b7797bc70620b75f20357 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Sep 2023 14:11:51 +0000
+Subject: Bluetooth: Fix hci_link_tx_to RCU lock usage
+
+From: Ying Hsu <yinghsu@chromium.org>
+
+[ Upstream commit c7eaf80bfb0c8cef852cce9501b95dd5a6bddcb9 ]
+
+Syzbot found a bug "BUG: sleeping function called from invalid context
+at kernel/locking/mutex.c:580". It is because hci_link_tx_to holds an
+RCU read lock and calls hci_disconnect which would hold a mutex lock
+since the commit a13f316e90fd ("Bluetooth: hci_conn: Consolidate code
+for aborting connections"). Here's an example call trace:
+
+   __dump_stack lib/dump_stack.c:88 [inline]
+   dump_stack_lvl+0xfc/0x174 lib/dump_stack.c:106
+   ___might_sleep+0x4a9/0x4d3 kernel/sched/core.c:9663
+   __mutex_lock_common kernel/locking/mutex.c:576 [inline]
+   __mutex_lock+0xc7/0x6e7 kernel/locking/mutex.c:732
+   hci_cmd_sync_queue+0x3a/0x287 net/bluetooth/hci_sync.c:388
+   hci_abort_conn+0x2cd/0x2e4 net/bluetooth/hci_conn.c:1812
+   hci_disconnect+0x207/0x237 net/bluetooth/hci_conn.c:244
+   hci_link_tx_to net/bluetooth/hci_core.c:3254 [inline]
+   __check_timeout net/bluetooth/hci_core.c:3419 [inline]
+   __check_timeout+0x310/0x361 net/bluetooth/hci_core.c:3399
+   hci_sched_le net/bluetooth/hci_core.c:3602 [inline]
+   hci_tx_work+0xe8f/0x12d0 net/bluetooth/hci_core.c:3652
+   process_one_work+0x75c/0xba1 kernel/workqueue.c:2310
+   worker_thread+0x5b2/0x73a kernel/workqueue.c:2457
+   kthread+0x2f7/0x30b kernel/kthread.c:319
+   ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
+
+This patch releases RCU read lock before calling hci_disconnect and
+reacquires it afterward to fix the bug.
+
+Fixes: a13f316e90fd ("Bluetooth: hci_conn: Consolidate code for aborting connections")
+Signed-off-by: Ying Hsu <yinghsu@chromium.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 29ae9b254a34e..e57d7c25511f4 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -3418,7 +3418,12 @@ static void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
+               if (c->type == type && c->sent) {
+                       bt_dev_err(hdev, "killing stalled connection %pMR",
+                                  &c->dst);
++                      /* hci_disconnect might sleep, so, we have to release
++                       * the RCU read lock before calling it.
++                       */
++                      rcu_read_unlock();
+                       hci_disconnect(c, HCI_ERROR_REMOTE_USER_TERM);
++                      rcu_read_lock();
+               }
+       }
+-- 
+2.40.1
+
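Review bot: Dropping the RCU read lock around `hci_disconnect()` in `hci_link_tx_to()` leaves `c` and the list cursor unprotected for the duration of the call, so the connection could be freed while it is still in use or before the loop advances to the next entry. The loop header is outside this hunk, but the added comment implies the walk runs under `rcu_read_lock()`. If so, pinning the entry first (`hci_conn_get(c);` before the unlock, `hci_conn_put(c);` after re-locking) would at least keep `c` alive across the sleep. Whether the walk can safely resume after re-locking is a separate question; the comment should state what guarantees it, or the loop should restart from the head after each disconnect.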
diff --git a/queue-6.5/bluetooth-iso-fix-handling-of-listen-for-unicast.patch b/queue-6.5/bluetooth-iso-fix-handling-of-listen-for-unicast.patch
new file mode 100644 (file)
index 0000000..638eb4b
--- /dev/null
@@ -0,0 +1,57 @@
+From f0f41cc96e1d7b73784d28b0e2a563a0d2b6efea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Aug 2023 13:05:45 -0700
+Subject: Bluetooth: ISO: Fix handling of listen for unicast
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit e0275ea52169412b8faccb4e2f4fed8a057844c6 ]
+
+iso_listen_cis shall only return -EADDRINUSE if the listening socket has
+the destination set to BDADDR_ANY otherwise if the destination is set to
+a specific address it is for broadcast which shall be ignored.
+
+Fixes: f764a6c2c1e4 ("Bluetooth: ISO: Add broadcast support")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/iso.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
+index 9b6a7eb2015f0..42f7b257bdfbc 100644
+--- a/net/bluetooth/iso.c
++++ b/net/bluetooth/iso.c
+@@ -499,7 +499,7 @@ static void iso_recv_frame(struct iso_conn *conn, struct sk_buff *skb)
+ }
+ /* -------- Socket interface ---------- */
+-static struct sock *__iso_get_sock_listen_by_addr(bdaddr_t *ba)
++static struct sock *__iso_get_sock_listen_by_addr(bdaddr_t *src, bdaddr_t *dst)
+ {
+       struct sock *sk;
+@@ -507,7 +507,10 @@ static struct sock *__iso_get_sock_listen_by_addr(bdaddr_t *ba)
+               if (sk->sk_state != BT_LISTEN)
+                       continue;
+-              if (!bacmp(&iso_pi(sk)->src, ba))
++              if (bacmp(&iso_pi(sk)->dst, dst))
++                      continue;
++
++              if (!bacmp(&iso_pi(sk)->src, src))
+                       return sk;
+       }
+@@ -965,7 +968,7 @@ static int iso_listen_cis(struct sock *sk)
+       write_lock(&iso_sk_list.lock);
+-      if (__iso_get_sock_listen_by_addr(&iso_pi(sk)->src))
++      if (__iso_get_sock_listen_by_addr(&iso_pi(sk)->src, &iso_pi(sk)->dst))
+               err = -EADDRINUSE;
+       write_unlock(&iso_sk_list.lock);
+-- 
+2.40.1
+
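Review bot: `__iso_get_sock_listen_by_addr()` now matches on a source/destination pair, but nothing at the definition says why the destination takes part, and the name still suggests a single-address lookup. A short comment above the helper would carry the rule from the commit message, e.g. `/* Match a listener with the same src and dst; unicast listeners use dst == BDADDR_ANY, a specific dst is a broadcast listener. */`. Also, `iso_listen_cis()` passes the socket's own `dst` rather than `BDADDR_ANY`, so the -EADDRINUSE check relies on this path being reached only for unicast sockets. That caller is outside the hunk and worth confirming.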
diff --git a/queue-6.5/bpf-fix-tr-dereferencing.patch b/queue-6.5/bpf-fix-tr-dereferencing.patch
new file mode 100644 (file)
index 0000000..9dd0bd5
--- /dev/null
@@ -0,0 +1,42 @@
+From 287ee069cc0173eae5148a3e854999db7e1d2569 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Sep 2023 23:38:46 +0800
+Subject: bpf: Fix tr dereferencing
+
+From: Leon Hwang <hffilwlqm@gmail.com>
+
+[ Upstream commit b724a6418f1f853bcb39c8923bf14a50c7bdbd07 ]
+
+Fix 'tr' dereferencing bug when CONFIG_BPF_JIT is turned off.
+
+When CONFIG_BPF_JIT is turned off, 'bpf_trampoline_get()' returns NULL,
+which is same as the cases when CONFIG_BPF_JIT is turned on.
+
+Closes: https://lore.kernel.org/r/202309131936.5Nc8eUD0-lkp@intel.com/
+Fixes: f7b12b6fea00 ("bpf: verifier: refactor check_attach_btf_id()")
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20230917153846.88732-1-hffilwlqm@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/bpf.h b/include/linux/bpf.h
+index 477d91b926b35..6ba9d3ed8f0b0 100644
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -1294,7 +1294,7 @@ static inline int bpf_trampoline_unlink_prog(struct bpf_tramp_link *link,
+ static inline struct bpf_trampoline *bpf_trampoline_get(u64 key,
+                                                       struct bpf_attach_target_info *tgt_info)
+ {
+-      return ERR_PTR(-EOPNOTSUPP);
++      return NULL;
+ }
+ static inline void bpf_trampoline_put(struct bpf_trampoline *tr) {}
+ #define DEFINE_BPF_DISPATCHER(name)
+-- 
+2.40.1
+
diff --git a/queue-6.5/bpf-sockmap-do-not-inc-copied_seq-when-peek-flag-set.patch b/queue-6.5/bpf-sockmap-do-not-inc-copied_seq-when-peek-flag-set.patch
new file mode 100644 (file)
index 0000000..e6db2d6
--- /dev/null
@@ -0,0 +1,59 @@
+From 4c7577da359b1848b7ebe21ad1273bcbb999b140 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Sep 2023 20:52:59 -0700
+Subject: bpf, sockmap: Do not inc copied_seq when PEEK flag set
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit da9e915eaf5dadb1963b7738cdfa42ed55212445 ]
+
+When data is peek'd off the receive queue we shouldn't considered it
+copied from tcp_sock side. When we increment copied_seq this will confuse
+tcp_data_ready() because copied_seq can be arbitrarily increased. From
+application side it results in poll() operations not waking up when
+expected.
+
+Notice tcp stack without BPF recvmsg programs also does not increment
+copied_seq.
+
+We broke this when we moved copied_seq into recvmsg to only update when
+actual copy was happening. But, it wasn't working correctly either before
+because the tcp_data_ready() tried to use the copied_seq value to see
+if data was read by user yet. See fixes tags.
+
+Fixes: e5c6de5fa0258 ("bpf, sockmap: Incorrectly handling copied_seq")
+Fixes: 04919bed948dc ("tcp: Introduce tcp_read_skb()")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/20230926035300.135096-3-john.fastabend@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index 81f0dff69e0b6..3272682030015 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -222,6 +222,7 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk,
+                                 int *addr_len)
+ {
+       struct tcp_sock *tcp = tcp_sk(sk);
++      int peek = flags & MSG_PEEK;
+       u32 seq = tcp->copied_seq;
+       struct sk_psock *psock;
+       int copied = 0;
+@@ -311,7 +312,8 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk,
+               copied = -EAGAIN;
+       }
+ out:
+-      WRITE_ONCE(tcp->copied_seq, seq);
++      if (!peek)
++              WRITE_ONCE(tcp->copied_seq, seq);
+       tcp_rcv_space_adjust(sk);
+       if (copied > 0)
+               __tcp_cleanup_rbuf(sk, copied);
+-- 
+2.40.1
+
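Review bot: `peek` is used only as a truth value, so `bool peek = flags & MSG_PEEK;` would state the intent better than `int`. At the `out:` label the reason for skipping the store is not visible from the code; a one-line comment such as `/* MSG_PEEK leaves the data queued, so copied_seq must not advance */` would keep a later cleanup from removing the guard. `tcp_rcv_space_adjust()` and `__tcp_cleanup_rbuf(sk, copied)` still run on the peek path with a non-zero `copied`, and it would be good to confirm that this is intended for a read that consumed nothing. The body of `tcp_bpf_recvmsg_parser()` between the two hunks is not shown.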
diff --git a/queue-6.5/bpf-sockmap-reject-sk_msg-egress-redirects-to-non-tc.patch b/queue-6.5/bpf-sockmap-reject-sk_msg-egress-redirects-to-non-tc.patch
new file mode 100644 (file)
index 0000000..62d8f26
--- /dev/null
@@ -0,0 +1,102 @@
+From 3ff49e8f1f554ca6b851b0395aeb50f176a97827 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Sep 2023 12:20:55 +0200
+Subject: bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets
+
+From: Jakub Sitnicki <jakub@cloudflare.com>
+
+[ Upstream commit b80e31baa43614e086a9d29dc1151932b1bd7fc5 ]
+
+With a SOCKMAP/SOCKHASH map and an sk_msg program user can steer messages
+sent from one TCP socket (s1) to actually egress from another TCP
+socket (s2):
+
+tcp_bpf_sendmsg(s1)            // = sk_prot->sendmsg
+  tcp_bpf_send_verdict(s1)     // __SK_REDIRECT case
+    tcp_bpf_sendmsg_redir(s2)
+      tcp_bpf_push_locked(s2)
+       tcp_bpf_push(s2)
+         tcp_rate_check_app_limited(s2) // expects tcp_sock
+         tcp_sendmsg_locked(s2)         // ditto
+
+There is a hard-coded assumption in the call-chain, that the egress
+socket (s2) is a TCP socket.
+
+However in commit 122e6c79efe1 ("sock_map: Update sock type checks for
+UDP") we have enabled redirects to non-TCP sockets. This was done for the
+sake of BPF sk_skb programs. There was no indention to support sk_msg
+send-to-egress use case.
+
+As a result, attempts to send-to-egress through a non-TCP socket lead to a
+crash due to invalid downcast from sock to tcp_sock:
+
+ BUG: kernel NULL pointer dereference, address: 000000000000002f
+ ...
+ Call Trace:
+  <TASK>
+  ? show_regs+0x60/0x70
+  ? __die+0x1f/0x70
+  ? page_fault_oops+0x80/0x160
+  ? do_user_addr_fault+0x2d7/0x800
+  ? rcu_is_watching+0x11/0x50
+  ? exc_page_fault+0x70/0x1c0
+  ? asm_exc_page_fault+0x27/0x30
+  ? tcp_tso_segs+0x14/0xa0
+  tcp_write_xmit+0x67/0xce0
+  __tcp_push_pending_frames+0x32/0xf0
+  tcp_push+0x107/0x140
+  tcp_sendmsg_locked+0x99f/0xbb0
+  tcp_bpf_push+0x19d/0x3a0
+  tcp_bpf_sendmsg_redir+0x55/0xd0
+  tcp_bpf_send_verdict+0x407/0x550
+  tcp_bpf_sendmsg+0x1a1/0x390
+  inet_sendmsg+0x6a/0x70
+  sock_sendmsg+0x9d/0xc0
+  ? sockfd_lookup_light+0x12/0x80
+  __sys_sendto+0x10e/0x160
+  ? syscall_enter_from_user_mode+0x20/0x60
+  ? __this_cpu_preempt_check+0x13/0x20
+  ? lockdep_hardirqs_on+0x82/0x110
+  __x64_sys_sendto+0x1f/0x30
+  do_syscall_64+0x38/0x90
+  entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Reject selecting a non-TCP sockets as redirect target from a BPF sk_msg
+program to prevent the crash. When attempted, user will receive an EACCES
+error from send/sendto/sendmsg() syscall.
+
+Fixes: 122e6c79efe1 ("sock_map: Update sock type checks for UDP")
+Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20230920102055.42662-1-jakub@cloudflare.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock_map.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/core/sock_map.c b/net/core/sock_map.c
+index 8f07fea39d9ea..3fc4086a414ea 100644
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -668,6 +668,8 @@ BPF_CALL_4(bpf_msg_redirect_map, struct sk_msg *, msg,
+       sk = __sock_map_lookup_elem(map, key);
+       if (unlikely(!sk || !sock_map_redirect_allowed(sk)))
+               return SK_DROP;
++      if (!(flags & BPF_F_INGRESS) && !sk_is_tcp(sk))
++              return SK_DROP;
+       msg->flags = flags;
+       msg->sk_redir = sk;
+@@ -1267,6 +1269,8 @@ BPF_CALL_4(bpf_msg_redirect_hash, struct sk_msg *, msg,
+       sk = __sock_hash_lookup_elem(map, key);
+       if (unlikely(!sk || !sock_map_redirect_allowed(sk)))
+               return SK_DROP;
++      if (!(flags & BPF_F_INGRESS) && !sk_is_tcp(sk))
++              return SK_DROP;
+       msg->flags = flags;
+       msg->sk_redir = sk;
+-- 
+2.40.1
+
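Review bot: The same two-line egress check is added verbatim to both `bpf_msg_redirect_map()` and `bpf_msg_redirect_hash()`, with no comment saying why egress needs a TCP socket. Per the commit message, a miss here ends in an invalid downcast from `sock` to `tcp_sock`, so the rule is better kept in one place, such as a small static helper called from both sites, so a future third redirect helper cannot forget it. At minimum add `/* sk_msg egress goes through tcp_bpf_sendmsg_redir(), which assumes a tcp_sock */` above each check. Both helper bodies continue outside the hunks.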
diff --git a/queue-6.5/bpf-tcp_read_skb-needs-to-pop-skb-regardless-of-seq.patch b/queue-6.5/bpf-tcp_read_skb-needs-to-pop-skb-regardless-of-seq.patch
new file mode 100644 (file)
index 0000000..6c1fd96
--- /dev/null
@@ -0,0 +1,99 @@
+From cda142636621f4423ca14781c98976b4c1bd508c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Sep 2023 20:52:58 -0700
+Subject: bpf: tcp_read_skb needs to pop skb regardless of seq
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 9b7177b1df64b8d7f85700027c324aadd6aded00 ]
+
+Before fix e5c6de5fa0258 tcp_read_skb() would increment the tp->copied-seq
+value. This (as described in the commit) would cause an error for apps
+because once that is incremented the application might believe there is no
+data to be read. Then some apps would stall or abort believing no data is
+available.
+
+However, the fix is incomplete because it introduces another issue in
+the skb dequeue. The loop does tcp_recv_skb() in a while loop to consume
+as many skbs as possible. The problem is the call is ...
+
+  tcp_recv_skb(sk, seq, &offset)
+
+... where 'seq' is:
+
+  u32 seq = tp->copied_seq;
+
+Now we can hit a case where we've yet incremented copied_seq from BPF side,
+but then tcp_recv_skb() fails this test ...
+
+ if (offset < skb->len || (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN))
+
+... so that instead of returning the skb we call tcp_eat_recv_skb() which
+frees the skb. This is because the routine believes the SKB has been collapsed
+per comment:
+
+ /* This looks weird, but this can happen if TCP collapsing
+  * splitted a fat GRO packet, while we released socket lock
+  * in skb_splice_bits()
+  */
+
+This can't happen here we've unlinked the full SKB and orphaned it. Anyways
+it would confuse any BPF programs if the data were suddenly moved underneath
+it.
+
+To fix this situation do simpler operation and just skb_peek() the data
+of the queue followed by the unlink. It shouldn't need to check this
+condition and tcp_read_skb() reads entire skbs so there is no need to
+handle the 'offset!=0' case as we would see in tcp_read_sock().
+
+Fixes: e5c6de5fa0258 ("bpf, sockmap: Incorrectly handling copied_seq")
+Fixes: 04919bed948dc ("tcp: Introduce tcp_read_skb()")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/20230926035300.135096-2-john.fastabend@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 75f24b931a185..9cfc07d1e4252 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -1618,16 +1618,13 @@ EXPORT_SYMBOL(tcp_read_sock);
+ int tcp_read_skb(struct sock *sk, skb_read_actor_t recv_actor)
+ {
+-      struct tcp_sock *tp = tcp_sk(sk);
+-      u32 seq = tp->copied_seq;
+       struct sk_buff *skb;
+       int copied = 0;
+-      u32 offset;
+       if (sk->sk_state == TCP_LISTEN)
+               return -ENOTCONN;
+-      while ((skb = tcp_recv_skb(sk, seq, &offset)) != NULL) {
++      while ((skb = skb_peek(&sk->sk_receive_queue)) != NULL) {
+               u8 tcp_flags;
+               int used;
+@@ -1640,13 +1637,10 @@ int tcp_read_skb(struct sock *sk, skb_read_actor_t recv_actor)
+                               copied = used;
+                       break;
+               }
+-              seq += used;
+               copied += used;
+-              if (tcp_flags & TCPHDR_FIN) {
+-                      ++seq;
++              if (tcp_flags & TCPHDR_FIN)
+                       break;
+-              }
+       }
+       return copied;
+ }
+-- 
+2.40.1
+
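Review bot: After this change `tcp_read_skb()` no longer reads or advances a sequence number and takes skbs straight from `sk->sk_receive_queue` via `skb_peek()`, but nothing in the function documents that contract. A comment above the function should say that it consumes whole skbs, does not handle a non-zero offset, and does not update `copied_seq` itself. The loop body that unlinks the skb sits between the two hunks and is not shown. The loop terminates only if every iteration removes the peeked skb or breaks, so that invariant is worth a line at the `skb_peek()` call, e.g. `/* each pass must unlink skb or break, otherwise the same skb is peeked again */`.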
diff --git a/queue-6.5/bpf-unconditionally-reset-backtrack_state-masks-on-g.patch b/queue-6.5/bpf-unconditionally-reset-backtrack_state-masks-on-g.patch
new file mode 100644 (file)
index 0000000..1cffd97
--- /dev/null
@@ -0,0 +1,55 @@
+From 842ebdaf6c091003bc4d28bf7e8eaf432f98aab3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 14:01:10 -0700
+Subject: bpf: unconditionally reset backtrack_state masks on global func exit
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 81335f90e8a88b81932df011105c46e708744f44 ]
+
+In mark_chain_precision() logic, when we reach the entry to a global
+func, it is expected that R1-R5 might be still requested to be marked
+precise. This would correspond to some integer input arguments being
+tracked as precise. This is all expected and handled as a special case.
+
+What's not expected is that we'll leave backtrack_state structure with
+some register bits set. This is because for subsequent precision
+propagations backtrack_state is reused without clearing masks, as all
+code paths are carefully written in a way to leave empty backtrack_state
+with zeroed out masks, for speed.
+
+The fix is trivial, we always clear register bit in the register mask, and
+then, optionally, set reg->precise if register is SCALAR_VALUE type.
+
+Reported-by: Chris Mason <clm@meta.com>
+Fixes: be2ef8161572 ("bpf: allow precision tracking for programs with subprogs")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/r/20230918210110.2241458-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 9cdba4ce23d2b..93fd32f2957b7 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -4039,11 +4039,9 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno)
+                               bitmap_from_u64(mask, bt_reg_mask(bt));
+                               for_each_set_bit(i, mask, 32) {
+                                       reg = &st->frame[0]->regs[i];
+-                                      if (reg->type != SCALAR_VALUE) {
+-                                              bt_clear_reg(bt, i);
+-                                              continue;
+-                                      }
+-                                      reg->precise = true;
++                                      bt_clear_reg(bt, i);
++                                      if (reg->type == SCALAR_VALUE)
++                                              reg->precise = true;
+                               }
+                               return 0;
+                       }
+-- 
+2.40.1
+
diff --git a/queue-6.5/drivers-net-process-the-result-of-hdlc_open-and-add-.patch b/queue-6.5/drivers-net-process-the-result-of-hdlc_open-and-add-.patch
new file mode 100644 (file)
index 0000000..306f4f5
--- /dev/null
@@ -0,0 +1,78 @@
+From 830189ade0c0f19685f4e49032ee357d8940e308 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Sep 2023 17:25:02 +0300
+Subject: drivers/net: process the result of hdlc_open() and add call of
+ hdlc_close() in uhdlc_close()
+
+From: Alexandra Diupina <adiupina@astralinux.ru>
+
+[ Upstream commit a59addacf899b1b21a7b7449a1c52c98704c2472 ]
+
+Process the result of hdlc_open() and call uhdlc_close()
+in case of an error. It is necessary to pass the error
+code up the control flow, similar to a possible
+error in request_irq().
+Also add a hdlc_close() call to the uhdlc_close()
+because the comment to hdlc_close() says it must be called
+by the hardware driver when the HDLC device is being closed
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: c19b6d246a35 ("drivers/net: support hdlc function for QE-UCC")
+Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/fsl_ucc_hdlc.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wan/fsl_ucc_hdlc.c b/drivers/net/wan/fsl_ucc_hdlc.c
+index 47c2ad7a3e429..fd50bb313b924 100644
+--- a/drivers/net/wan/fsl_ucc_hdlc.c
++++ b/drivers/net/wan/fsl_ucc_hdlc.c
+@@ -34,6 +34,8 @@
+ #define TDM_PPPOHT_SLIC_MAXIN
+ #define RX_BD_ERRORS (R_CD_S | R_OV_S | R_CR_S | R_AB_S | R_NO_S | R_LG_S)
++static int uhdlc_close(struct net_device *dev);
++
+ static struct ucc_tdm_info utdm_primary_info = {
+       .uf_info = {
+               .tsa = 0,
+@@ -708,6 +710,7 @@ static int uhdlc_open(struct net_device *dev)
+       hdlc_device *hdlc = dev_to_hdlc(dev);
+       struct ucc_hdlc_private *priv = hdlc->priv;
+       struct ucc_tdm *utdm = priv->utdm;
++      int rc = 0;
+       if (priv->hdlc_busy != 1) {
+               if (request_irq(priv->ut_info->uf_info.irq,
+@@ -731,10 +734,13 @@ static int uhdlc_open(struct net_device *dev)
+               napi_enable(&priv->napi);
+               netdev_reset_queue(dev);
+               netif_start_queue(dev);
+-              hdlc_open(dev);
++
++              rc = hdlc_open(dev);
++              if (rc)
++                      uhdlc_close(dev);
+       }
+-      return 0;
++      return rc;
+ }
+ static void uhdlc_memclean(struct ucc_hdlc_private *priv)
+@@ -824,6 +830,8 @@ static int uhdlc_close(struct net_device *dev)
+       netdev_reset_queue(dev);
+       priv->hdlc_busy = 0;
++      hdlc_close(dev);
++
+       return 0;
+ }
+-- 
+2.40.1
+
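Review bot: On the new error path `uhdlc_open()` calls `uhdlc_close()`, and this same patch makes `uhdlc_close()` call `hdlc_close()`, so `hdlc_close()` now runs for a device whose `hdlc_open()` just failed. If `hdlc_close()` invokes the protocol's close hook or changes carrier state, it is tearing down something that was never set up. To avoid that, move the hardware teardown out of `uhdlc_close()` into a static helper, call the helper from the error path, and keep `hdlc_close()` only in `uhdlc_close()` itself. The visible part of `uhdlc_close()` only resets the queue and clears `hdlc_busy`. Whether it also releases the IRQ and disables NAPI acquired earlier in `uhdlc_open()` is outside the hunk and should be confirmed, since otherwise a failed open leaves them held.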
diff --git a/queue-6.5/erofs-allow-empty-device-tags-in-flatdev-mode.patch b/queue-6.5/erofs-allow-empty-device-tags-in-flatdev-mode.patch
new file mode 100644 (file)
index 0000000..e89cd0a
--- /dev/null
@@ -0,0 +1,39 @@
+From dc70e568297472a081ac7b1348245573dc266029 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 16:27:28 +0800
+Subject: erofs: allow empty device tags in flatdev mode
+
+From: Jingbo Xu <jefflexu@linux.alibaba.com>
+
+[ Upstream commit f939aeea7ab7d96cd321e7ac107f5a070836b66f ]
+
+Device tags aren't actually required in flatdev mode, thus fix mount
+failure due to empty device tags in flatdev mode.
+
+Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
+Fixes: 8b465fecc35a ("erofs: support flattened block device for multi-blob images")
+Reviewed-by: Jia Zhu <zhujia.zj@bytedance.com>
+Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230915082728.56588-1-jefflexu@linux.alibaba.com
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/erofs/super.c b/fs/erofs/super.c
+index 566f68ddfa36e..31a103399412e 100644
+--- a/fs/erofs/super.c
++++ b/fs/erofs/super.c
+@@ -238,7 +238,7 @@ static int erofs_init_device(struct erofs_buf *buf, struct super_block *sb,
+               return PTR_ERR(ptr);
+       dis = ptr + erofs_blkoff(sb, *pos);
+-      if (!dif->path) {
++      if (!sbi->devs->flatdev && !dif->path) {
+               if (!dis->tag[0]) {
+                       erofs_err(sb, "empty device tag @ pos %llu", *pos);
+                       return -EINVAL;
+-- 
+2.40.1
+
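Review bot: In erofs_init_device(), the new `!sbi->devs->flatdev &&` guard means `dif->path` can stay NULL for the rest of the function when the image is mounted in flatdev mode, and the hunk does not show whether every later use of `dif->path` is also gated on flatdev. The device slot is read from the on-disk image, so a short comment above the condition would help, for example `/* flatdev: extra devices need no path, so the on-disk tag is not consulted */`. The function body continues outside the hunk, so the later uses should be confirmed there.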
diff --git a/queue-6.5/erofs-fix-memory-leak-of-lzma-global-compressed-dedu.patch b/queue-6.5/erofs-fix-memory-leak-of-lzma-global-compressed-dedu.patch
new file mode 100644 (file)
index 0000000..e786ea3
--- /dev/null
@@ -0,0 +1,45 @@
+From 4d87268a09d337221869ce6bcc2fecdc6f57fd81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Sep 2023 13:05:42 +0800
+Subject: erofs: fix memory leak of LZMA global compressed deduplication
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit 75a5221630fe5aa3fedba7a06be618db0f79ba1e ]
+
+When stressing microLZMA EROFS images with the new global compressed
+deduplication feature enabled (`-Ededupe`), I found some short-lived
+temporary pages weren't properly released, which could slowly cause
+unexpected OOMs hours later.
+
+Let's fix it now (LZ4 and DEFLATE don't have this issue.)
+
+Fixes: 5c2a64252c5d ("erofs: introduce partial-referenced pclusters")
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230907050542.97152-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/decompressor_lzma.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/erofs/decompressor_lzma.c b/fs/erofs/decompressor_lzma.c
+index 73091fbe3ea45..dee10d22ada96 100644
+--- a/fs/erofs/decompressor_lzma.c
++++ b/fs/erofs/decompressor_lzma.c
+@@ -217,9 +217,12 @@ int z_erofs_lzma_decompress(struct z_erofs_decompress_req *rq,
+                       strm->buf.out_size = min_t(u32, outlen,
+                                                  PAGE_SIZE - pageofs);
+                       outlen -= strm->buf.out_size;
+-                      if (!rq->out[no] && rq->fillgaps)       /* deduped */
++                      if (!rq->out[no] && rq->fillgaps) {     /* deduped */
+                               rq->out[no] = erofs_allocpage(pagepool,
+                                               GFP_KERNEL | __GFP_NOFAIL);
++                              set_page_private(rq->out[no],
++                                               Z_EROFS_SHORTLIVED_PAGE);
++                      }
+                       if (rq->out[no])
+                               strm->buf.out = kmap(rq->out[no]) + pageofs;
+                       pageofs = 0;
+-- 
+2.40.1
+
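Review bot: The `/* deduped */` comment in z_erofs_lzma_decompress() no longer covers what the branch does: the page is now also tagged with `Z_EROFS_SHORTLIVED_PAGE`, and the code that acts on that tag is outside the hunk. A comment such as `/* deduped: temporary page, tagged short-lived so it can be released after decompression */` would record why the tag matters; presumably the missing tag is what caused the leak described in the commit message. The function starts and ends outside the hunk.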
diff --git a/queue-6.5/ethtool-plca-fix-plca-enable-data-type-while-parsing.patch b/queue-6.5/ethtool-plca-fix-plca-enable-data-type-while-parsing.patch
new file mode 100644 (file)
index 0000000..1e7f015
--- /dev/null
@@ -0,0 +1,100 @@
+From 32462b23634b844a10f671d676ba9b991bba7f9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 10:15:48 +0530
+Subject: ethtool: plca: fix plca enable data type while parsing the value
+
+From: Parthiban Veerasooran <Parthiban.Veerasooran@microchip.com>
+
+[ Upstream commit 8957261cd8149ed9d0738c01c0320bcbff989407 ]
+
+The ETHTOOL_A_PLCA_ENABLED data type is u8. But while parsing the
+value from the attribute, nla_get_u32() is used in the plca_update_sint()
+function instead of nla_get_u8(). So plca_cfg.enabled variable is updated
+with some garbage value instead of 0 or 1 and always enables plca even
+though plca is disabled through ethtool application. This bug has been
+fixed by parsing the values based on the attributes type in the policy.
+
+Fixes: 8580e16c28f3 ("net/ethtool: add netlink interface for the PLCA RS")
+Signed-off-by: Parthiban Veerasooran <Parthiban.Veerasooran@microchip.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20230908044548.5878-1-Parthiban.Veerasooran@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ethtool/plca.c | 45 +++++++++++++++++++++++++++++----------------
+ 1 file changed, 29 insertions(+), 16 deletions(-)
+
+diff --git a/net/ethtool/plca.c b/net/ethtool/plca.c
+index 5a8cab4df0c9c..a9334937ace26 100644
+--- a/net/ethtool/plca.c
++++ b/net/ethtool/plca.c
+@@ -21,16 +21,6 @@ struct plca_reply_data {
+ #define PLCA_REPDATA(__reply_base) \
+       container_of(__reply_base, struct plca_reply_data, base)
+-static void plca_update_sint(int *dst, const struct nlattr *attr,
+-                           bool *mod)
+-{
+-      if (!attr)
+-              return;
+-
+-      *dst = nla_get_u32(attr);
+-      *mod = true;
+-}
+-
+ // PLCA get configuration message ------------------------------------------- //
+ const struct nla_policy ethnl_plca_get_cfg_policy[] = {
+@@ -38,6 +28,29 @@ const struct nla_policy ethnl_plca_get_cfg_policy[] = {
+               NLA_POLICY_NESTED(ethnl_header_policy),
+ };
++static void plca_update_sint(int *dst, struct nlattr **tb, u32 attrid,
++                           bool *mod)
++{
++      const struct nlattr *attr = tb[attrid];
++
++      if (!attr ||
++          WARN_ON_ONCE(attrid >= ARRAY_SIZE(ethnl_plca_set_cfg_policy)))
++              return;
++
++      switch (ethnl_plca_set_cfg_policy[attrid].type) {
++      case NLA_U8:
++              *dst = nla_get_u8(attr);
++              break;
++      case NLA_U32:
++              *dst = nla_get_u32(attr);
++              break;
++      default:
++              WARN_ON_ONCE(1);
++      }
++
++      *mod = true;
++}
++
+ static int plca_get_cfg_prepare_data(const struct ethnl_req_info *req_base,
+                                    struct ethnl_reply_data *reply_base,
+                                    struct genl_info *info)
+@@ -144,13 +157,13 @@ ethnl_set_plca(struct ethnl_req_info *req_info, struct genl_info *info)
+               return -EOPNOTSUPP;
+       memset(&plca_cfg, 0xff, sizeof(plca_cfg));
+-      plca_update_sint(&plca_cfg.enabled, tb[ETHTOOL_A_PLCA_ENABLED], &mod);
+-      plca_update_sint(&plca_cfg.node_id, tb[ETHTOOL_A_PLCA_NODE_ID], &mod);
+-      plca_update_sint(&plca_cfg.node_cnt, tb[ETHTOOL_A_PLCA_NODE_CNT], &mod);
+-      plca_update_sint(&plca_cfg.to_tmr, tb[ETHTOOL_A_PLCA_TO_TMR], &mod);
+-      plca_update_sint(&plca_cfg.burst_cnt, tb[ETHTOOL_A_PLCA_BURST_CNT],
++      plca_update_sint(&plca_cfg.enabled, tb, ETHTOOL_A_PLCA_ENABLED, &mod);
++      plca_update_sint(&plca_cfg.node_id, tb, ETHTOOL_A_PLCA_NODE_ID, &mod);
++      plca_update_sint(&plca_cfg.node_cnt, tb, ETHTOOL_A_PLCA_NODE_CNT, &mod);
++      plca_update_sint(&plca_cfg.to_tmr, tb, ETHTOOL_A_PLCA_TO_TMR, &mod);
++      plca_update_sint(&plca_cfg.burst_cnt, tb, ETHTOOL_A_PLCA_BURST_CNT,
+                        &mod);
+-      plca_update_sint(&plca_cfg.burst_tmr, tb[ETHTOOL_A_PLCA_BURST_TMR],
++      plca_update_sint(&plca_cfg.burst_tmr, tb, ETHTOOL_A_PLCA_BURST_TMR,
+                        &mod);
+       if (!mod)
+               return 0;
+-- 
+2.40.1
+
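Review bot: In plca_update_sint(), the `default:` branch only warns and then falls through to `*mod = true`, so an attribute whose policy type is neither NLA_U8 nor NLA_U32 marks the configuration as modified although `*dst` was never written; `default: WARN_ON_ONCE(1); return;` keeps the two in step. The range check on `attrid` also comes after `tb[attrid]` has already been read in the initialiser, and it is skipped when that slot is NULL, so it cannot stop an out-of-range index; reading `tb[attrid]` only after the `ARRAY_SIZE()` test would make the guard effective. All six callers visible in ethnl_set_plca() pass fixed ETHTOOL_A_PLCA_* constants, so this is hardening rather than a reachable fault in the code shown.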
diff --git a/queue-6.5/hid-intel-ish-hid-ipc-disable-and-reenable-acpi-gpe-.patch b/queue-6.5/hid-intel-ish-hid-ipc-disable-and-reenable-acpi-gpe-.patch
new file mode 100644 (file)
index 0000000..2b4e2e3
--- /dev/null
@@ -0,0 +1,55 @@
+From 7b677f94166a61b92b96db00baaa3018b7cd1b67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Oct 2023 08:53:32 -0700
+Subject: HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+[ Upstream commit 8f02139ad9a7e6e5c05712f8c1501eebed8eacfd ]
+
+The EHL (Elkhart Lake) based platforms provide a OOB (Out of band)
+service, which allows to wakup device when the system is in S5 (Soft-Off
+state). This OOB service can be enabled/disabled from BIOS settings. When
+enabled, the ISH device gets PME wake capability. To enable PME wakeup,
+driver also needs to enable ACPI GPE bit.
+
+On resume, BIOS will clear the wakeup bit. So driver need to re-enable it
+in resume function to keep the next wakeup capability. But this BIOS
+clearing of wakeup bit doesn't decrement internal OS GPE reference count,
+so this reenabling on every resume will cause reference count to overflow.
+
+So first disable and reenable ACPI GPE bit using acpi_disable_gpe().
+
+Fixes: 2e23a70edabe ("HID: intel-ish-hid: ipc: finish power flow for EHL OOB")
+Reported-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Closes: https://lore.kernel.org/lkml/CAAd53p4=oLYiH2YbVSmrPNj1zpMcfp=Wxbasb5vhMXOWCArLCg@mail.gmail.com/T/
+Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/intel-ish-hid/ipc/pci-ish.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/hid/intel-ish-hid/ipc/pci-ish.c b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
+index 55cb25038e632..710fda5f19e1c 100644
+--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c
++++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
+@@ -133,6 +133,14 @@ static int enable_gpe(struct device *dev)
+       }
+       wakeup = &adev->wakeup;
++      /*
++       * Call acpi_disable_gpe(), so that reference count
++       * gpe_event_info->runtime_count doesn't overflow.
++       * When gpe_event_info->runtime_count = 0, the call
++       * to acpi_disable_gpe() simply return.
++       */
++      acpi_disable_gpe(wakeup->gpe_device, wakeup->gpe_number);
++
+       acpi_sts = acpi_enable_gpe(wakeup->gpe_device, wakeup->gpe_number);
+       if (ACPI_FAILURE(acpi_sts)) {
+               dev_err(dev, "enable ose_gpe failed\n");
+-- 
+2.40.1
+
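Review bot: The result of `acpi_disable_gpe()` in enable_gpe() is not checked, and the added comment only covers the case where the count is already zero. Since the call exists to undo a reference that firmware invalidated, the comment should say that the status is ignored on purpose, and that the pairing assumes this driver is the only holder of a runtime reference on `wakeup->gpe_number`. If another holder exists, this call would drop its reference instead, which cannot be verified from the hunk. enable_gpe() begins and ends outside the hunk.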
diff --git a/queue-6.5/hid-nvidia-shield-add-leds_class-dependency.patch b/queue-6.5/hid-nvidia-shield-add-leds_class-dependency.patch
new file mode 100644 (file)
index 0000000..3d8c769
--- /dev/null
@@ -0,0 +1,46 @@
+From 956fcfe749d60f7dec4b9938963a20ac8b902931 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 17:05:17 -0700
+Subject: HID: nvidia-shield: add LEDS_CLASS dependency
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 058574879853260a22bbec1f94221dfc5149d85c ]
+
+The hid-nvidia-shield driver uses functions that are built
+only when LEDS_CLASS is set, so make the driver depend on that
+symbol to prevent build errors.
+
+riscv32-linux-ld: drivers/hid/hid-nvidia-shield.o: in function `.L11':
+hid-nvidia-shield.c:(.text+0x192): undefined reference to `led_classdev_unregister'
+riscv32-linux-ld: drivers/hid/hid-nvidia-shield.o: in function `.L113':
+hid-nvidia-shield.c:(.text+0xfa4): undefined reference to `led_classdev_register_ext'
+
+Fixes: 09308562d4af ("HID: nvidia-shield: Initial driver implementation with Thunderstrike support")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Cc: Jiri Kosina <jkosina@suse.cz>
+Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Cc: linux-input@vger.kernel.org
+Reviewed-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hid/Kconfig b/drivers/hid/Kconfig
+index e11c1c8036769..dc456c86e9569 100644
+--- a/drivers/hid/Kconfig
++++ b/drivers/hid/Kconfig
+@@ -792,6 +792,7 @@ config HID_NVIDIA_SHIELD
+       tristate "NVIDIA SHIELD devices"
+       depends on USB_HID
+       depends on BT_HIDP
++      depends on LEDS_CLASS
+       help
+         Support for NVIDIA SHIELD accessories.
+-- 
+2.40.1
+
diff --git a/queue-6.5/hid-nvidia-shield-fix-a-missing-led_classdev_unregis.patch b/queue-6.5/hid-nvidia-shield-fix-a-missing-led_classdev_unregis.patch
new file mode 100644 (file)
index 0000000..77f67a3
--- /dev/null
@@ -0,0 +1,52 @@
+From e60a7575252c9d9d5ad3c16590cfd51c4a1d3d90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 04:54:30 -0700
+Subject: HID: nvidia-shield: Fix a missing led_classdev_unregister() in the
+ probe error handling path
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit b07b6b27a50e3a740c9aa6260ee4bb3ab29515ab ]
+
+The commit in Fixes updated the error handling path of
+thunderstrike_create() and the remove function but not the error handling
+path of shield_probe(), should an error occur after a successful
+thunderstrike_create() call.
+
+Add the missing call. Make sure it is safe to call in the probe error
+handling path by preventing the led_classdev from attempting to set the LED
+brightness to the off state on unregister.
+
+Fixes: f88af60e74a5 ("HID: nvidia-shield: Support LED functionality for Thunderstrike")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-nvidia-shield.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-nvidia-shield.c b/drivers/hid/hid-nvidia-shield.c
+index 9c44974135079..1ce9e42f57c71 100644
+--- a/drivers/hid/hid-nvidia-shield.c
++++ b/drivers/hid/hid-nvidia-shield.c
+@@ -482,7 +482,7 @@ static inline int thunderstrike_led_create(struct thunderstrike *ts)
+       led->name = "thunderstrike:blue:led";
+       led->max_brightness = 1;
+-      led->flags = LED_CORE_SUSPENDRESUME;
++      led->flags = LED_CORE_SUSPENDRESUME | LED_RETAIN_AT_SHUTDOWN;
+       led->brightness_get = &thunderstrike_led_get_brightness;
+       led->brightness_set = &thunderstrike_led_set_brightness;
+@@ -694,6 +694,7 @@ static int shield_probe(struct hid_device *hdev, const struct hid_device_id *id)
+ err_haptics:
+       if (ts->haptics_dev)
+               input_unregister_device(ts->haptics_dev);
++      led_classdev_unregister(&ts->led_dev);
+       return ret;
+ }
+-- 
+2.40.1
+
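Review bot: `LED_RETAIN_AT_SHUTDOWN` in thunderstrike_led_create() changes every unregister of this LED, not only the new one in the shield_probe() error path, so the LED core will no longer try to switch the LED off when the driver is removed normally. The flag deserves a comment at the assignment, e.g. `/* no brightness write on unregister: the probe error path unregisters too */`. In shield_probe() the new `led_classdev_unregister(&ts->led_dev)` sits under `err_haptics:`; whether every jump to that label happens after the LED was registered cannot be seen here, since both functions extend outside the hunks.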
diff --git a/queue-6.5/hid-sony-fix-a-potential-memory-leak-in-sony_probe.patch b/queue-6.5/hid-sony-fix-a-potential-memory-leak-in-sony_probe.patch
new file mode 100644 (file)
index 0000000..c3ed63c
--- /dev/null
@@ -0,0 +1,37 @@
+From ec0975974061df7ddd17f572e8b4b74920703872 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Sep 2023 18:04:00 +0200
+Subject: HID: sony: Fix a potential memory leak in sony_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit e1cd4004cde7c9b694bbdd8def0e02288ee58c74 ]
+
+If an error occurs after a successful usb_alloc_urb() call, usb_free_urb()
+should be called.
+
+Fixes: fb1a79a6b6e1 ("HID: sony: fix freeze when inserting ghlive ps3/wii dongles")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-sony.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
+index dd942061fd775..a02046a78b2da 100644
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -2155,6 +2155,9 @@ static int sony_probe(struct hid_device *hdev, const struct hid_device_id *id)
+       return ret;
+ err:
++      if (sc->ghl_urb)
++              usb_free_urb(sc->ghl_urb);
++
+       hid_hw_stop(hdev);
+       return ret;
+ }
+-- 
+2.40.1
+
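Review bot: After `usb_free_urb(sc->ghl_urb)` on the `err:` path of sony_probe(), the stale pointer stays in `sc`; adding `sc->ghl_urb = NULL;` right after the free keeps any later cleanup that looks at the field from touching a released URB. usb_free_urb() only drops a reference, so if the URB could already have been submitted when `err:` is reached it would need `usb_kill_urb()` first; the allocation and submission code is outside the hunk, so that should be confirmed. The follow-up patch on this page that removes the NULL check leaves the same free in place, so the point applies there as well.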
diff --git a/queue-6.5/hid-sony-remove-duplicate-null-check-before-calling-.patch b/queue-6.5/hid-sony-remove-duplicate-null-check-before-calling-.patch
new file mode 100644 (file)
index 0000000..687e742
--- /dev/null
@@ -0,0 +1,37 @@
+From 28de6516fff7f7a7c4a8a58f9512636dd78c600e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Oct 2023 21:10:41 +0200
+Subject: HID: sony: remove duplicate NULL check before calling usb_free_urb()
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+[ Upstream commit b328dd02e19cb9d3b35de4322f5363516a20ac8c ]
+
+usb_free_urb() does the NULL check itself, so there is no need to duplicate
+it prior to calling.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: e1cd4004cde7c9 ("HID: sony: Fix a potential memory leak in sony_probe()")
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-sony.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
+index a02046a78b2da..ebc0aa4e4345f 100644
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -2155,8 +2155,7 @@ static int sony_probe(struct hid_device *hdev, const struct hid_device_id *id)
+       return ret;
+ err:
+-      if (sc->ghl_urb)
+-              usb_free_urb(sc->ghl_urb);
++      usb_free_urb(sc->ghl_urb);
+       hid_hw_stop(hdev);
+       return ret;
+-- 
+2.40.1
+
diff --git a/queue-6.5/ibmveth-remove-condition-to-recompute-tcp-header-che.patch b/queue-6.5/ibmveth-remove-condition-to-recompute-tcp-header-che.patch
new file mode 100644 (file)
index 0000000..25f9710
--- /dev/null
@@ -0,0 +1,72 @@
+From 7320c7dc9f31011a7e4e679e46899f2b19e6c52e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Sep 2023 16:42:51 -0500
+Subject: ibmveth: Remove condition to recompute TCP header checksum.
+
+From: David Wilder <dwilder@us.ibm.com>
+
+[ Upstream commit 51e7a66666e0ca9642c59464ef8359f0ac604d41 ]
+
+In some OVS environments the TCP pseudo header checksum may need to be
+recomputed. Currently this is only done when the interface instance is
+configured for "Trunk Mode". We found the issue also occurs in some
+Kubernetes environments, these environments do not use "Trunk Mode",
+therefor the condition is removed.
+
+Performance tests with this change show only a fractional decrease in
+throughput (< 0.2%).
+
+Fixes: 7525de2516fb ("ibmveth: Set CHECKSUM_PARTIAL if NULL TCP CSUM.")
+Signed-off-by: David Wilder <dwilder@us.ibm.com>
+Reviewed-by: Nick Child <nnac123@linux.ibm.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmveth.c | 25 ++++++++++++-------------
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c
+index 832a2ae019509..a8d79ee350f8d 100644
+--- a/drivers/net/ethernet/ibm/ibmveth.c
++++ b/drivers/net/ethernet/ibm/ibmveth.c
+@@ -1303,24 +1303,23 @@ static void ibmveth_rx_csum_helper(struct sk_buff *skb,
+        * the user space for finding a flow. During this process, OVS computes
+        * checksum on the first packet when CHECKSUM_PARTIAL flag is set.
+        *
+-       * So, re-compute TCP pseudo header checksum when configured for
+-       * trunk mode.
++       * So, re-compute TCP pseudo header checksum.
+        */
++
+       if (iph_proto == IPPROTO_TCP) {
+               struct tcphdr *tcph = (struct tcphdr *)(skb->data + iphlen);
++
+               if (tcph->check == 0x0000) {
+                       /* Recompute TCP pseudo header checksum  */
+-                      if (adapter->is_active_trunk) {
+-                              tcphdrlen = skb->len - iphlen;
+-                              if (skb_proto == ETH_P_IP)
+-                                      tcph->check =
+-                                       ~csum_tcpudp_magic(iph->saddr,
+-                                      iph->daddr, tcphdrlen, iph_proto, 0);
+-                              else if (skb_proto == ETH_P_IPV6)
+-                                      tcph->check =
+-                                       ~csum_ipv6_magic(&iph6->saddr,
+-                                      &iph6->daddr, tcphdrlen, iph_proto, 0);
+-                      }
++                      tcphdrlen = skb->len - iphlen;
++                      if (skb_proto == ETH_P_IP)
++                              tcph->check =
++                               ~csum_tcpudp_magic(iph->saddr,
++                              iph->daddr, tcphdrlen, iph_proto, 0);
++                      else if (skb_proto == ETH_P_IPV6)
++                              tcph->check =
++                               ~csum_ipv6_magic(&iph6->saddr,
++                              &iph6->daddr, tcphdrlen, iph_proto, 0);
+                       /* Setup SKB fields for checksum offload */
+                       skb_partial_csum_set(skb, iphlen,
+                                            offsetof(struct tcphdr, check));
+-- 
+2.40.1
+
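Review bot: With the `adapter->is_active_trunk` test gone, ibmveth_rx_csum_helper() now rewrites `tcph->check` for every received TCP segment that arrives with a zero checksum, yet the hunk shows no check that the linear data actually holds `iphlen + sizeof(struct tcphdr)` bytes before `tcph` is dereferenced. If nothing earlier in the function guarantees that, a guard such as `if (skb_headlen(skb) < iphlen + sizeof(struct tcphdr)) return;` before the cast is needed, because the frame contents come from the wire. The start of the function, where `iphlen` and `skb_proto` are set, is outside the hunk.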
diff --git a/queue-6.5/ice-always-add-legacy-32byte-rxdid-in-supported_rxdi.patch b/queue-6.5/ice-always-add-legacy-32byte-rxdid-in-supported_rxdi.patch
new file mode 100644 (file)
index 0000000..606cec4
--- /dev/null
@@ -0,0 +1,71 @@
+From 5fdadee1fd217f53059d0e58c3f332839556c7ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Sep 2023 13:54:38 +0200
+Subject: ice: always add legacy 32byte RXDID in supported_rxdids
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+[ Upstream commit c070e51db5e2a98d3aef7c324b15209ba47f3dca ]
+
+When the PF and VF drivers both support flexible rx descriptors and have
+negotiated the VIRTCHNL_VF_OFFLOAD_RX_FLEX_DESC capability, the VF driver
+queries the PF for the list of supported descriptor formats
+(VIRTCHNL_OP_GET_SUPPORTED_RXDIDS). The PF driver is supposed to set the
+supported_rxdids bits that correspond to the descriptor formats the
+firmware implements. The legacy 32-byte rx desc format is always
+supported, even though it is not expressed in GLFLXP_RXDID_FLAGS.
+
+The ice driver does not advertise the legacy 32-byte rx desc support,
+which leads to this failure to bring up the VF using the Intel
+out-of-tree iavf driver:
+ iavf 0000:41:01.0: PF does not list support for default Rx descriptor format
+ ...
+ iavf 0000:41:01.0: PF returned error -5 (VIRTCHNL_STATUS_ERR_PARAM) to our request 6
+
+The in-tree iavf driver does not expose this bug, because it does not
+yet implement VIRTCHNL_VF_OFFLOAD_RX_FLEX_DESC.
+
+The ice driver must always set the ICE_RXDID_LEGACY_1 bit in
+supported_rxdids. The Intel out-of-tree ice driver and the ice driver in
+DPDK both do this.
+
+I copied this piece of the code and the comment text from the Intel
+out-of-tree driver.
+
+Fixes: e753df8fbca5 ("ice: Add support Flex RXD")
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Link: https://lore.kernel.org/r/20230920115439.61172-1-mschmidt@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_virtchnl.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl.c b/drivers/net/ethernet/intel/ice/ice_virtchnl.c
+index dcf628b1fccd9..33ac6c4a8928f 100644
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl.c
+@@ -2615,12 +2615,14 @@ static int ice_vc_query_rxdid(struct ice_vf *vf)
+               goto err;
+       }
+-      /* Read flexiflag registers to determine whether the
+-       * corresponding RXDID is configured and supported or not.
+-       * Since Legacy 16byte descriptor format is not supported,
+-       * start from Legacy 32byte descriptor.
++      /* RXDIDs supported by DDP package can be read from the register
++       * to get the supported RXDID bitmap. But the legacy 32byte RXDID
++       * is not listed in DDP package, add it in the bitmap manually.
++       * Legacy 16byte descriptor is not supported.
+        */
+-      for (i = ICE_RXDID_LEGACY_1; i < ICE_FLEX_DESC_RXDID_MAX_NUM; i++) {
++      rxdid->supported_rxdids |= BIT(ICE_RXDID_LEGACY_1);
++
++      for (i = ICE_RXDID_FLEX_NIC; i < ICE_FLEX_DESC_RXDID_MAX_NUM; i++) {
+               regval = rd32(hw, GLFLXP_RXDID_FLAGS(i, 0));
+               if ((regval >> GLFLXP_RXDID_FLAGS_FLEXIFLAG_4N_S)
+                       & GLFLXP_RXDID_FLAGS_FLEXIFLAG_4N_M)
+-- 
+2.40.1
+
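Review bot: `rxdid->supported_rxdids |= BIT(ICE_RXDID_LEGACY_1);` in ice_vc_query_rxdid() ORs into the field, so the bitmap returned to the VF is only correct if `rxdid` was zeroed when it was allocated, which happens outside the hunk. Either confirm that, or make the first write a plain assignment: `rxdid->supported_rxdids = BIT(ICE_RXDID_LEGACY_1);`. The loop now starting at `ICE_RXDID_FLEX_NIC` likewise relies on no descriptor ID lying between the two enum values; a one-line comment saying so would keep a later enum change from silently dropping a format.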
diff --git a/queue-6.5/ima-finish-deprecation-of-ima_trusted_keyring-kconfi.patch b/queue-6.5/ima-finish-deprecation-of-ima_trusted_keyring-kconfi.patch
new file mode 100644 (file)
index 0000000..878c530
--- /dev/null
@@ -0,0 +1,50 @@
+From 85ffeb6003aecd1b0aeb92763506ca6e25b04bf7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Sep 2023 06:45:05 +0000
+Subject: ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig
+
+From: Oleksandr Tymoshenko <ovt@google.com>
+
+[ Upstream commit be210c6d3597faf330cb9af33b9f1591d7b2a983 ]
+
+The removal of IMA_TRUSTED_KEYRING made IMA_LOAD_X509
+and IMA_BLACKLIST_KEYRING unavailable because the latter
+two depend on the former. Since IMA_TRUSTED_KEYRING was
+deprecated in favor of INTEGRITY_TRUSTED_KEYRING use it
+as a dependency for the two Kconfigs affected by the
+deprecation.
+
+Fixes: 5087fd9e80e5 ("ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig")
+Signed-off-by: Oleksandr Tymoshenko <ovt@google.com>
+Reviewed-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/ima/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
+index c17660bf5f347..e6df7c930397c 100644
+--- a/security/integrity/ima/Kconfig
++++ b/security/integrity/ima/Kconfig
+@@ -268,7 +268,7 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
+ config IMA_BLACKLIST_KEYRING
+       bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
+       depends on SYSTEM_TRUSTED_KEYRING
+-      depends on IMA_TRUSTED_KEYRING
++      depends on INTEGRITY_TRUSTED_KEYRING
+       default n
+       help
+          This option creates an IMA blacklist keyring, which contains all
+@@ -278,7 +278,7 @@ config IMA_BLACKLIST_KEYRING
+ config IMA_LOAD_X509
+       bool "Load X509 certificate onto the '.ima' trusted keyring"
+-      depends on IMA_TRUSTED_KEYRING
++      depends on INTEGRITY_TRUSTED_KEYRING
+       default n
+       help
+          File signature verification is based on the public keys
+-- 
+2.40.1
+
diff --git a/queue-6.5/ima-rework-config_ima-dependency-block.patch b/queue-6.5/ima-rework-config_ima-dependency-block.patch
new file mode 100644 (file)
index 0000000..efc2cf6
--- /dev/null
@@ -0,0 +1,141 @@
+From e87be7ffdab2acb92d2f5041d753f3d3c0714305 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Sep 2023 09:22:14 +0200
+Subject: ima: rework CONFIG_IMA dependency block
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 91e326563ee34509c35267808a4b1b3ea3db62a8 ]
+
+Changing the direct dependencies of IMA_BLACKLIST_KEYRING and
+IMA_LOAD_X509 caused them to no longer depend on IMA, but a
+a configuration without IMA results in link failures:
+
+arm-linux-gnueabi-ld: security/integrity/iint.o: in function `integrity_load_keys':
+iint.c:(.init.text+0xd8): undefined reference to `ima_load_x509'
+
+aarch64-linux-ld: security/integrity/digsig_asymmetric.o: in function `asymmetric_verify':
+digsig_asymmetric.c:(.text+0x104): undefined reference to `ima_blacklist_keyring'
+
+Adding explicit dependencies on IMA would fix this, but a more reliable
+way to do this is to enclose the entire Kconfig file in an 'if IMA' block.
+This also allows removing the existing direct dependencies.
+
+Fixes: be210c6d3597f ("ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/ima/Kconfig | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
+index e6df7c930397c..6ef7bde551263 100644
+--- a/security/integrity/ima/Kconfig
++++ b/security/integrity/ima/Kconfig
+@@ -29,9 +29,11 @@ config IMA
+         to learn more about IMA.
+         If unsure, say N.
++if IMA
++
+ config IMA_KEXEC
+       bool "Enable carrying the IMA measurement list across a soft boot"
+-      depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
++      depends on TCG_TPM && HAVE_IMA_KEXEC
+       default n
+       help
+          TPM PCRs are only reset on a hard reboot.  In order to validate
+@@ -43,7 +45,6 @@ config IMA_KEXEC
+ config IMA_MEASURE_PCR_IDX
+       int
+-      depends on IMA
+       range 8 14
+       default 10
+       help
+@@ -53,7 +54,7 @@ config IMA_MEASURE_PCR_IDX
+ config IMA_LSM_RULES
+       bool
+-      depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
++      depends on AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
+       default y
+       help
+         Disabling this option will disregard LSM based policy rules.
+@@ -61,7 +62,6 @@ config IMA_LSM_RULES
+ choice
+       prompt "Default template"
+       default IMA_NG_TEMPLATE
+-      depends on IMA
+       help
+         Select the default IMA measurement template.
+@@ -80,14 +80,12 @@ endchoice
+ config IMA_DEFAULT_TEMPLATE
+       string
+-      depends on IMA
+       default "ima-ng" if IMA_NG_TEMPLATE
+       default "ima-sig" if IMA_SIG_TEMPLATE
+ choice
+       prompt "Default integrity hash algorithm"
+       default IMA_DEFAULT_HASH_SHA1
+-      depends on IMA
+       help
+          Select the default hash algorithm used for the measurement
+          list, integrity appraisal and audit log.  The compiled default
+@@ -117,7 +115,6 @@ endchoice
+ config IMA_DEFAULT_HASH
+       string
+-      depends on IMA
+       default "sha1" if IMA_DEFAULT_HASH_SHA1
+       default "sha256" if IMA_DEFAULT_HASH_SHA256
+       default "sha512" if IMA_DEFAULT_HASH_SHA512
+@@ -126,7 +123,6 @@ config IMA_DEFAULT_HASH
+ config IMA_WRITE_POLICY
+       bool "Enable multiple writes to the IMA policy"
+-      depends on IMA
+       default n
+       help
+         IMA policy can now be updated multiple times.  The new rules get
+@@ -137,7 +133,6 @@ config IMA_WRITE_POLICY
+ config IMA_READ_POLICY
+       bool "Enable reading back the current IMA policy"
+-      depends on IMA
+       default y if IMA_WRITE_POLICY
+       default n if !IMA_WRITE_POLICY
+       help
+@@ -147,7 +142,6 @@ config IMA_READ_POLICY
+ config IMA_APPRAISE
+       bool "Appraise integrity measurements"
+-      depends on IMA
+       default n
+       help
+         This option enables local measurement integrity appraisal.
+@@ -303,7 +297,6 @@ config IMA_APPRAISE_SIGNED_INIT
+ config IMA_MEASURE_ASYMMETRIC_KEYS
+       bool
+-      depends on IMA
+       depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
+       default y
+@@ -322,7 +315,8 @@ config IMA_SECURE_AND_OR_TRUSTED_BOOT
+ config IMA_DISABLE_HTABLE
+       bool "Disable htable to allow measurement of duplicate records"
+-      depends on IMA
+       default n
+       help
+          This option disables htable to allow measurement of duplicate records.
++
++endif
+-- 
+2.40.1
+
diff --git a/queue-6.5/iommu-mediatek-fix-share-pgtable-for-iova-over-4gb.patch b/queue-6.5/iommu-mediatek-fix-share-pgtable-for-iova-over-4gb.patch
new file mode 100644 (file)
index 0000000..d7ee239
--- /dev/null
@@ -0,0 +1,68 @@
+From f132e3618f90770d9d2bc1fee1bfb1d764ba6231 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Aug 2023 16:14:43 +0800
+Subject: iommu/mediatek: Fix share pgtable for iova over 4GB
+
+From: Yong Wu <yong.wu@mediatek.com>
+
+[ Upstream commit b07eba71a512eb196cbcc29765c29c8c29b11b59 ]
+
+In mt8192/mt8186, there is only one MM IOMMU that supports 16GB iova
+space, which is shared by display, vcodec and camera. These two SoC use
+one pgtable and have not the flag SHARE_PGTABLE, we should also keep
+share pgtable for this case.
+
+In mtk_iommu_domain_finalise, MM IOMMU always share pgtable, thus remove
+the flag SHARE_PGTABLE checking. Infra IOMMU always uses independent
+pgtable.
+
+Fixes: cf69ef46dbd9 ("iommu/mediatek: Fix two IOMMU share pagetable issue")
+Reported-by: Laura Nao <laura.nao@collabora.com>
+Closes: https://lore.kernel.org/linux-iommu/20230818154156.314742-1-laura.nao@collabora.com/
+Signed-off-by: Yong Wu <yong.wu@mediatek.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Tested-by: Laura Nao <laura.nao@collabora.com>
+Link: https://lore.kernel.org/r/20230819081443.8333-1-yong.wu@mediatek.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/mtk_iommu.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
+index c2764891a779c..ef27f9f1e17ef 100644
+--- a/drivers/iommu/mtk_iommu.c
++++ b/drivers/iommu/mtk_iommu.c
+@@ -258,7 +258,7 @@ struct mtk_iommu_data {
+       struct device                   *smicomm_dev;
+       struct mtk_iommu_bank_data      *bank;
+-      struct mtk_iommu_domain         *share_dom; /* For 2 HWs share pgtable */
++      struct mtk_iommu_domain         *share_dom;
+       struct regmap                   *pericfg;
+       struct mutex                    mutex; /* Protect m4u_group/m4u_dom above */
+@@ -625,8 +625,8 @@ static int mtk_iommu_domain_finalise(struct mtk_iommu_domain *dom,
+       struct mtk_iommu_domain *share_dom = data->share_dom;
+       const struct mtk_iommu_iova_region *region;
+-      /* Always use share domain in sharing pgtable case */
+-      if (MTK_IOMMU_HAS_FLAG(data->plat_data, SHARE_PGTABLE) && share_dom) {
++      /* Share pgtable when 2 MM IOMMU share the pgtable or one IOMMU use multiple iova ranges */
++      if (share_dom) {
+               dom->iop = share_dom->iop;
+               dom->cfg = share_dom->cfg;
+               dom->domain.pgsize_bitmap = share_dom->cfg.pgsize_bitmap;
+@@ -659,8 +659,7 @@ static int mtk_iommu_domain_finalise(struct mtk_iommu_domain *dom,
+       /* Update our support page sizes bitmap */
+       dom->domain.pgsize_bitmap = dom->cfg.pgsize_bitmap;
+-      if (MTK_IOMMU_HAS_FLAG(data->plat_data, SHARE_PGTABLE))
+-              data->share_dom = dom;
++      data->share_dom = dom;
+ update_iova_region:
+       /* Update the iova region for this domain */
+-- 
+2.40.1
+
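Review bot: In `mtk_iommu_domain_finalise()` the pgtable is now reused whenever `data->share_dom` is set, and `data->share_dom = dom;` is stored unconditionally, but nothing visible in these hunks separates the infra IOMMU, which the description says always uses an independent pgtable. If that separation relies on infra instances never seeing a populated `share_dom`, it should be stated in a comment, since sharing a pgtable across domains also merges their DMA address spaces. The `share_dom` member in `struct mtk_iommu_data` also lost its comment while its meaning widened; something like `/* domain whose pgtable later domains of this IOMMU reuse */` would keep it documented, assuming that matches the intent. The function body starts and ends outside the hunks, so the jump to `update_iova_region` is not visible here.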
diff --git a/queue-6.5/ipv4-ipv6-fix-handling-of-transhdrlen-in-__ip-6-_app.patch b/queue-6.5/ipv4-ipv6-fix-handling-of-transhdrlen-in-__ip-6-_app.patch
new file mode 100644 (file)
index 0000000..02789ad
--- /dev/null
@@ -0,0 +1,81 @@
+From 5f468c0bf640fe03f2837d39c4612a5ce341c440 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Sep 2023 11:41:19 +0100
+Subject: ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 9d4c75800f61e5d75c1659ba201b6c0c7ead3070 ]
+
+Including the transhdrlen in length is a problem when the packet is
+partially filled (e.g. something like send(MSG_MORE) happened previously)
+when appending to an IPv4 or IPv6 packet as we don't want to repeat the
+transport header or account for it twice.  This can happen under some
+circumstances, such as splicing into an L2TP socket.
+
+The symptom observed is a warning in __ip6_append_data():
+
+    WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800
+
+that occurs when MSG_SPLICE_PAGES is used to append more data to an already
+partially occupied skbuff.  The warning occurs when 'copy' is larger than
+the amount of data in the message iterator.  This is because the requested
+length includes the transport header length when it shouldn't.  This can be
+triggered by, for example:
+
+        sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP);
+        bind(sfd, ...); // ::1
+        connect(sfd, ...); // ::1 port 7
+        send(sfd, buffer, 4100, MSG_MORE);
+        sendfile(sfd, dfd, NULL, 1024);
+
+Fix this by only adding transhdrlen into the length if the write queue is
+empty in l2tp_ip6_sendmsg(), analogously to how UDP does things.
+
+l2tp_ip_sendmsg() looks like it won't suffer from this problem as it builds
+the UDP packet itself.
+
+Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
+Reported-by: syzbot+62cbf263225ae13ff153@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/0000000000001c12b30605378ce8@google.com/
+Suggested-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Eric Dumazet <edumazet@google.com>
+cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+cc: "David S. Miller" <davem@davemloft.net>
+cc: David Ahern <dsahern@kernel.org>
+cc: Paolo Abeni <pabeni@redhat.com>
+cc: Jakub Kicinski <kuba@kernel.org>
+cc: netdev@vger.kernel.org
+cc: bpf@vger.kernel.org
+cc: syzkaller-bugs@googlegroups.com
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/l2tp/l2tp_ip6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
+index ed8ebb6f59097..11f3d375cec00 100644
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -507,7 +507,6 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+        */
+       if (len > INT_MAX - transhdrlen)
+               return -EMSGSIZE;
+-      ulen = len + transhdrlen;
+       /* Mirror BSD error message compatibility */
+       if (msg->msg_flags & MSG_OOB)
+@@ -628,6 +627,7 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ back_from_confirm:
+       lock_sock(sk);
++      ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;
+       err = ip6_append_data(sk, ip_generic_getfrag, msg,
+                             ulen, transhdrlen, &ipc6,
+                             &fl6, (struct rt6_info *)dst,
+-- 
+2.40.1
+
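Review bot: The added line `ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;` in `l2tp_ip6_sendmsg()` does not compute what the description states, because `+` binds tighter than `?:`. It parses as `(len + skb_queue_empty(...)) ? transhdrlen : 0`, so `ulen` ends up as either `transhdrlen` or 0 and the payload length never reaches `ip6_append_data()`. The conditional needs its own parentheses: `ulen = len + (skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0);`. The function starts and ends outside both hunks, so the downstream effect of the wrong length cannot be judged from here.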
diff --git a/queue-6.5/ipv4-set-offload_failed-flag-in-fibmatch-results.patch b/queue-6.5/ipv4-set-offload_failed-flag-in-fibmatch-results.patch
new file mode 100644 (file)
index 0000000..d67f37f
--- /dev/null
@@ -0,0 +1,57 @@
+From d64f94ce00894804582d4d35d57e8ea40ee50d6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Sep 2023 14:27:30 -0400
+Subject: ipv4: Set offload_failed flag in fibmatch results
+
+From: Benjamin Poirier <bpoirier@nvidia.com>
+
+[ Upstream commit 0add5c597f3253a9c6108a0a81d57f44ab0d9d30 ]
+
+Due to a small omission, the offload_failed flag is missing from ipv4
+fibmatch results. Make sure it is set correctly.
+
+The issue can be witnessed using the following commands:
+echo "1 1" > /sys/bus/netdevsim/new_device
+ip link add dummy1 up type dummy
+ip route add 192.0.2.0/24 dev dummy1
+echo 1 > /sys/kernel/debug/netdevsim/netdevsim1/fib/fail_route_offload
+ip route add 198.51.100.0/24 dev dummy1
+ip route
+       # 192.168.15.0/24 has rt_trap
+       # 198.51.100.0/24 has rt_offload_failed
+ip route get 192.168.15.1 fibmatch
+       # Result has rt_trap
+ip route get 198.51.100.1 fibmatch
+       # Result differs from the route shown by `ip route`, it is missing
+       # rt_offload_failed
+ip link del dev dummy1
+echo 1 > /sys/bus/netdevsim/del_device
+
+Fixes: 36c5100e859d ("IPv4: Add "offload failed" indication to routes")
+Signed-off-by: Benjamin Poirier <bpoirier@nvidia.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20230926182730.231208-1-bpoirier@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/route.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 0a53ca6ebb0d5..14fbc5cd157ef 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -3417,6 +3417,8 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
+                                   fa->fa_type == fri.type) {
+                                       fri.offload = READ_ONCE(fa->offload);
+                                       fri.trap = READ_ONCE(fa->trap);
++                                      fri.offload_failed =
++                                              READ_ONCE(fa->offload_failed);
+                                       break;
+                               }
+                       }
+-- 
+2.40.1
+
diff --git a/queue-6.5/ipv6-tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch b/queue-6.5/ipv6-tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch
new file mode 100644 (file)
index 0000000..3550b15
--- /dev/null
@@ -0,0 +1,72 @@
+From 6007df17475c7a1cd4c6f8a7e0397a6ce8824387 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Sep 2023 23:04:58 +0200
+Subject: ipv6: tcp: add a missing nf_reset_ct() in 3WHS handling
+
+From: Ilya Maximets <i.maximets@ovn.org>
+
+[ Upstream commit 9593c7cb6cf670ef724d17f7f9affd7a8d2ad0c5 ]
+
+Commit b0e214d21203 ("netfilter: keep conntrack reference until
+IPsecv6 policy checks are done") is a direct copy of the old
+commit b59c270104f0 ("[NETFILTER]: Keep conntrack reference until
+IPsec policy checks are done") but for IPv6.  However, it also
+copies a bug that this old commit had.  That is: when the third
+packet of 3WHS connection establishment contains payload, it is
+added into socket receive queue without the XFRM check and the
+drop of connection tracking context.
+
+That leads to nf_conntrack module being impossible to unload as
+it waits for all the conntrack references to be dropped while
+the packet release is deferred in per-cpu cache indefinitely, if
+not consumed by the application.
+
+The issue for IPv4 was fixed in commit 6f0012e35160 ("tcp: add a
+missing nf_reset_ct() in 3WHS handling") by adding a missing XFRM
+check and correctly dropping the conntrack context.  However, the
+issue was introduced to IPv6 code afterwards.  Fixing it the
+same way for IPv6 now.
+
+Fixes: b0e214d21203 ("netfilter: keep conntrack reference until IPsecv6 policy checks are done")
+Link: https://lore.kernel.org/netdev/d589a999-d4dd-2768-b2d5-89dec64a4a42@ovn.org/
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+Acked-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20230922210530.2045146-1-i.maximets@ovn.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/tcp_ipv6.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 3a88545a265d6..44b6949d72b22 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1640,9 +1640,12 @@ INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff *skb)
+               struct sock *nsk;
+               sk = req->rsk_listener;
+-              drop_reason = tcp_inbound_md5_hash(sk, skb,
+-                                                 &hdr->saddr, &hdr->daddr,
+-                                                 AF_INET6, dif, sdif);
++              if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
++                      drop_reason = SKB_DROP_REASON_XFRM_POLICY;
++              else
++                      drop_reason = tcp_inbound_md5_hash(sk, skb,
++                                                         &hdr->saddr, &hdr->daddr,
++                                                         AF_INET6, dif, sdif);
+               if (drop_reason) {
+                       sk_drops_add(sk, skb);
+                       reqsk_put(req);
+@@ -1689,6 +1692,7 @@ INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff *skb)
+                       }
+                       goto discard_and_relse;
+               }
++              nf_reset_ct(skb);
+               if (nsk == sk) {
+                       reqsk_put(req);
+                       tcp_v6_restore_cb(skb);
+-- 
+2.40.1
+
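Review bot: The added `nf_reset_ct(skb);` in `tcp_v6_rcv()` has no comment, although its position after the `!nsk` bail-out and before the `nsk == sk` test is what makes the fix work. A one-line comment would stop it from being moved or dropped in a later cleanup, for example `/* drop the conntrack ref: payload on the final 3WHS ACK may sit unread in the child's receive queue */`. The new `xfrm6_policy_check()` ahead of `tcp_inbound_md5_hash()` likewise deserves a short note that IPsec policy is enforced on the request-socket path before the skb can be queued. `tcp_v6_rcv()` begins and continues outside both hunks.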
diff --git a/queue-6.5/iwlwifi-mvm-handle-ps-changes-in-vif_cfg_changed.patch b/queue-6.5/iwlwifi-mvm-handle-ps-changes-in-vif_cfg_changed.patch
new file mode 100644 (file)
index 0000000..703be82
--- /dev/null
@@ -0,0 +1,167 @@
+From 85495b7fd253f6785c7bcaed46c8b3fefe68b9f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 16:29:57 +0300
+Subject: iwlwifi: mvm: handle PS changes in vif_cfg_changed
+
+From: Gregory Greenman <gregory.greenman@intel.com>
+
+[ Upstream commit 2d4caa1dbe915654d0e8845758d9c96e721377a8 ]
+
+Handling of BSS_CHANGED_PS was missing in vif_cfg_changed
+callback. Fix it.
+
+Fixes: 22c588343529 ("wifi: iwlwifi: mvm: replace bss_info_changed() with vif_cfg/link_info_changed()")
+Reported-by: Sultan Alsawaf <sultan@kerneltoast.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230905162939.5ef0c8230de6.Ieed265014988c50ec68fbff6d33821e4215f987f@changeid
+[note: patch looks bigger than it is due to reindentation]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../wireless/intel/iwlwifi/mvm/mld-mac80211.c | 121 +++++++++---------
+ 1 file changed, 63 insertions(+), 58 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c
+index 8b6c641772ee6..b719843e94576 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-mac80211.c
+@@ -731,73 +731,78 @@ static void iwl_mvm_mld_vif_cfg_changed_station(struct iwl_mvm *mvm,
+       mvmvif->associated = vif->cfg.assoc;
+-      if (!(changes & BSS_CHANGED_ASSOC))
+-              return;
+-
+-      if (vif->cfg.assoc) {
+-              /* clear statistics to get clean beacon counter */
+-              iwl_mvm_request_statistics(mvm, true);
+-              iwl_mvm_sf_update(mvm, vif, false);
+-              iwl_mvm_power_vif_assoc(mvm, vif);
+-
+-              for_each_mvm_vif_valid_link(mvmvif, i) {
+-                      memset(&mvmvif->link[i]->beacon_stats, 0,
+-                             sizeof(mvmvif->link[i]->beacon_stats));
++      if (changes & BSS_CHANGED_ASSOC) {
++              if (vif->cfg.assoc) {
++                      /* clear statistics to get clean beacon counter */
++                      iwl_mvm_request_statistics(mvm, true);
++                      iwl_mvm_sf_update(mvm, vif, false);
++                      iwl_mvm_power_vif_assoc(mvm, vif);
++
++                      for_each_mvm_vif_valid_link(mvmvif, i) {
++                              memset(&mvmvif->link[i]->beacon_stats, 0,
++                                     sizeof(mvmvif->link[i]->beacon_stats));
++
++                              if (vif->p2p) {
++                                      iwl_mvm_update_smps(mvm, vif,
++                                                          IWL_MVM_SMPS_REQ_PROT,
++                                                          IEEE80211_SMPS_DYNAMIC, i);
++                              }
++
++                              rcu_read_lock();
++                              link_conf = rcu_dereference(vif->link_conf[i]);
++                              if (link_conf && !link_conf->dtim_period)
++                                      protect = true;
++                              rcu_read_unlock();
++                      }
+-                      if (vif->p2p) {
+-                              iwl_mvm_update_smps(mvm, vif,
+-                                                  IWL_MVM_SMPS_REQ_PROT,
+-                                                  IEEE80211_SMPS_DYNAMIC, i);
++                      if (!test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status) &&
++                          protect) {
++                              /* If we're not restarting and still haven't
++                               * heard a beacon (dtim period unknown) then
++                               * make sure we still have enough minimum time
++                               * remaining in the time event, since the auth
++                               * might actually have taken quite a while
++                               * (especially for SAE) and so the remaining
++                               * time could be small without us having heard
++                               * a beacon yet.
++                               */
++                              iwl_mvm_protect_assoc(mvm, vif, 0);
+                       }
+-                      rcu_read_lock();
+-                      link_conf = rcu_dereference(vif->link_conf[i]);
+-                      if (link_conf && !link_conf->dtim_period)
+-                              protect = true;
+-                      rcu_read_unlock();
+-              }
++                      iwl_mvm_sf_update(mvm, vif, false);
++
++                      /* FIXME: need to decide about misbehaving AP handling */
++                      iwl_mvm_power_vif_assoc(mvm, vif);
++              } else if (iwl_mvm_mld_vif_have_valid_ap_sta(mvmvif)) {
++                      iwl_mvm_mei_host_disassociated(mvm);
+-              if (!test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status) &&
+-                  protect) {
+-                      /* If we're not restarting and still haven't
+-                       * heard a beacon (dtim period unknown) then
+-                       * make sure we still have enough minimum time
+-                       * remaining in the time event, since the auth
+-                       * might actually have taken quite a while
+-                       * (especially for SAE) and so the remaining
+-                       * time could be small without us having heard
+-                       * a beacon yet.
++                      /* If update fails - SF might be running in associated
++                       * mode while disassociated - which is forbidden.
+                        */
+-                      iwl_mvm_protect_assoc(mvm, vif, 0);
++                      ret = iwl_mvm_sf_update(mvm, vif, false);
++                      WARN_ONCE(ret &&
++                                !test_bit(IWL_MVM_STATUS_HW_RESTART_REQUESTED,
++                                          &mvm->status),
++                                "Failed to update SF upon disassociation\n");
++
++                      /* If we get an assert during the connection (after the
++                       * station has been added, but before the vif is set
++                       * to associated), mac80211 will re-add the station and
++                       * then configure the vif. Since the vif is not
++                       * associated, we would remove the station here and
++                       * this would fail the recovery.
++                       */
++                      iwl_mvm_mld_vif_delete_all_stas(mvm, vif);
+               }
+-              iwl_mvm_sf_update(mvm, vif, false);
+-
+-              /* FIXME: need to decide about misbehaving AP handling */
+-              iwl_mvm_power_vif_assoc(mvm, vif);
+-      } else if (iwl_mvm_mld_vif_have_valid_ap_sta(mvmvif)) {
+-              iwl_mvm_mei_host_disassociated(mvm);
+-
+-              /* If update fails - SF might be running in associated
+-               * mode while disassociated - which is forbidden.
+-               */
+-              ret = iwl_mvm_sf_update(mvm, vif, false);
+-              WARN_ONCE(ret &&
+-                        !test_bit(IWL_MVM_STATUS_HW_RESTART_REQUESTED,
+-                                  &mvm->status),
+-                        "Failed to update SF upon disassociation\n");
+-
+-              /* If we get an assert during the connection (after the
+-               * station has been added, but before the vif is set
+-               * to associated), mac80211 will re-add the station and
+-               * then configure the vif. Since the vif is not
+-               * associated, we would remove the station here and
+-               * this would fail the recovery.
+-               */
+-              iwl_mvm_mld_vif_delete_all_stas(mvm, vif);
++              iwl_mvm_bss_info_changed_station_assoc(mvm, vif, changes);
+       }
+-      iwl_mvm_bss_info_changed_station_assoc(mvm, vif, changes);
++      if (changes & BSS_CHANGED_PS) {
++              ret = iwl_mvm_power_update_mac(mvm);
++              if (ret)
++                      IWL_ERR(mvm, "failed to update power mode\n");
++      }
+ }
+ static void
+-- 
+2.40.1
+
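Review bot: The new `BSS_CHANGED_PS` branch at the end of `iwl_mvm_mld_vif_cfg_changed_station()` logs a failed `iwl_mvm_power_update_mac()` without the error code, so the log line alone cannot tell one failure from another. Including it is a one-line change: `IWL_ERR(mvm, "failed to update power mode: %d\n", ret);`. Separately, the re-indented association branch still calls `iwl_mvm_sf_update()` and `iwl_mvm_power_vif_assoc()` twice, once before and once after the `iwl_mvm_protect_assoc()` block. This was already so on the removed side; if the repetition is intentional, a short comment saying why would help. The function starts outside the hunk.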
diff --git a/queue-6.5/leds-drop-bug_on-check-for-led_color_id_multi.patch b/queue-6.5/leds-drop-bug_on-check-for-led_color_id_multi.patch
new file mode 100644 (file)
index 0000000..07cc3ac
--- /dev/null
@@ -0,0 +1,48 @@
+From 39148dc360da5fb62495261d2df585a6b065975d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 16:07:24 +0200
+Subject: leds: Drop BUG_ON check for LED_COLOR_ID_MULTI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+[ Upstream commit 9dc1664fab2246bc2c3e9bf2cf21518a857f9b5b ]
+
+Commit c3f853184bed ("leds: Fix BUG_ON check for LED_COLOR_ID_MULTI that
+is always false") fixed a no-op BUG_ON. This turned out to cause a
+regression, since some in-tree device-tree files already use
+LED_COLOR_ID_MULTI.
+
+Drop the BUG_ON altogether.
+
+Fixes: c3f853184bed ("leds: Fix BUG_ON check for LED_COLOR_ID_MULTI that is always false")
+Reported-by: Da Xue <da@libre.computer>
+Closes: https://lore.kernel.org/linux-leds/ZQLelWcNjjp2xndY@duo.ucw.cz/T/
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Link: https://lore.kernel.org/r/20230918140724.18634-1-kabel@kernel.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/led-core.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/leds/led-core.c b/drivers/leds/led-core.c
+index 04f9ea675f2ce..214ed81eb0e92 100644
+--- a/drivers/leds/led-core.c
++++ b/drivers/leds/led-core.c
+@@ -479,10 +479,6 @@ int led_compose_name(struct device *dev, struct led_init_data *init_data,
+       led_parse_fwnode_props(dev, fwnode, &props);
+-      /* We want to label LEDs that can produce full range of colors
+-       * as RGB, not multicolor */
+-      BUG_ON(props.color == LED_COLOR_ID_MULTI);
+-
+       if (props.label) {
+               /*
+                * If init_data.devicename is NULL, then it indicates that
+-- 
+2.40.1
+
diff --git a/queue-6.5/modpost-add-missing-else-to-the-of-check.patch b/queue-6.5/modpost-add-missing-else-to-the-of-check.patch
new file mode 100644 (file)
index 0000000..7d7e228
--- /dev/null
@@ -0,0 +1,54 @@
+From 2508a9f6e011d510de5cd7dd6766d438a1021ae6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Sep 2023 17:28:07 -0300
+Subject: modpost: add missing else to the "of" check
+
+From: Mauricio Faria de Oliveira <mfo@canonical.com>
+
+[ Upstream commit cbc3d00cf88fda95dbcafee3b38655b7a8f2650a ]
+
+Without this 'else' statement, an "usb" name goes into two handlers:
+the first/previous 'if' statement _AND_ the for-loop over 'devtable',
+but the latter is useless as it has no 'usb' device_id entry anyway.
+
+Tested with allmodconfig before/after patch; no changes to *.mod.c:
+
+    git checkout v6.6-rc3
+    make -j$(nproc) allmodconfig
+    make -j$(nproc) olddefconfig
+
+    make -j$(nproc)
+    find . -name '*.mod.c' | cpio -pd /tmp/before
+
+    # apply patch
+
+    make -j$(nproc)
+    find . -name '*.mod.c' | cpio -pd /tmp/after
+
+    diff -r /tmp/before/ /tmp/after/
+    # no difference
+
+Fixes: acbef7b76629 ("modpost: fix module autoloading for OF devices with generic compatible property")
+Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/mod/file2alias.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/mod/file2alias.c b/scripts/mod/file2alias.c
+index 38120f932b0dc..7056751c29b1f 100644
+--- a/scripts/mod/file2alias.c
++++ b/scripts/mod/file2alias.c
+@@ -1604,7 +1604,7 @@ void handle_moddevtable(struct module *mod, struct elf_info *info,
+       /* First handle the "special" cases */
+       if (sym_is(name, namelen, "usb"))
+               do_usb_table(symval, sym->st_size, mod);
+-      if (sym_is(name, namelen, "of"))
++      else if (sym_is(name, namelen, "of"))
+               do_of_table(symval, sym->st_size, mod);
+       else if (sym_is(name, namelen, "pnp"))
+               do_pnp_device_entry(symval, sym->st_size, mod);
+-- 
+2.40.1
+
diff --git a/queue-6.5/neighbour-fix-data-races-around-n-output.patch b/queue-6.5/neighbour-fix-data-races-around-n-output.patch
new file mode 100644 (file)
index 0000000..da157b5
--- /dev/null
@@ -0,0 +1,103 @@
+From 8e403d780d52f7f5bac907500040845019c40e2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Sep 2023 09:27:13 +0000
+Subject: neighbour: fix data-races around n->output
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 5baa0433a15eadd729625004c37463acb982eca7 ]
+
+n->output field can be read locklessly, while a writer
+might change the pointer concurrently.
+
+Add missing annotations to prevent load-store tearing.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/neighbour.h         |  2 +-
+ net/bridge/br_netfilter_hooks.c |  2 +-
+ net/core/neighbour.c            | 10 +++++-----
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/neighbour.h b/include/net/neighbour.h
+index f6a8ecc6b1fa7..ccc4a0f8b4ad8 100644
+--- a/include/net/neighbour.h
++++ b/include/net/neighbour.h
+@@ -541,7 +541,7 @@ static inline int neigh_output(struct neighbour *n, struct sk_buff *skb,
+           READ_ONCE(hh->hh_len))
+               return neigh_hh_output(hh, skb);
+-      return n->output(n, skb);
++      return READ_ONCE(n->output)(n, skb);
+ }
+ static inline struct neighbour *
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index 1a801fab9543e..0be889905c2b6 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -294,7 +294,7 @@ int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_
+                       /* tell br_dev_xmit to continue with forwarding */
+                       nf_bridge->bridged_dnat = 1;
+                       /* FIXME Need to refragment */
+-                      ret = neigh->output(neigh, skb);
++                      ret = READ_ONCE(neigh->output)(neigh, skb);
+               }
+               neigh_release(neigh);
+               return ret;
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index b57d3ea3ccc9e..f16ec0e8a0348 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -410,7 +410,7 @@ static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev,
+                                */
+                               __skb_queue_purge(&n->arp_queue);
+                               n->arp_queue_len_bytes = 0;
+-                              n->output = neigh_blackhole;
++                              WRITE_ONCE(n->output, neigh_blackhole);
+                               if (n->nud_state & NUD_VALID)
+                                       n->nud_state = NUD_NOARP;
+                               else
+@@ -920,7 +920,7 @@ static void neigh_suspect(struct neighbour *neigh)
+ {
+       neigh_dbg(2, "neigh %p is suspected\n", neigh);
+-      neigh->output = neigh->ops->output;
++      WRITE_ONCE(neigh->output, neigh->ops->output);
+ }
+ /* Neighbour state is OK;
+@@ -932,7 +932,7 @@ static void neigh_connect(struct neighbour *neigh)
+ {
+       neigh_dbg(2, "neigh %p is connected\n", neigh);
+-      neigh->output = neigh->ops->connected_output;
++      WRITE_ONCE(neigh->output, neigh->ops->connected_output);
+ }
+ static void neigh_periodic_work(struct work_struct *work)
+@@ -1449,7 +1449,7 @@ static int __neigh_update(struct neighbour *neigh, const u8 *lladdr,
+                               if (n2)
+                                       n1 = n2;
+                       }
+-                      n1->output(n1, skb);
++                      READ_ONCE(n1->output)(n1, skb);
+                       if (n2)
+                               neigh_release(n2);
+                       rcu_read_unlock();
+@@ -3155,7 +3155,7 @@ int neigh_xmit(int index, struct net_device *dev,
+                       rcu_read_unlock();
+                       goto out_kfree_skb;
+               }
+-              err = neigh->output(neigh, skb);
++              err = READ_ONCE(neigh->output)(neigh, skb);
+               rcu_read_unlock();
+       }
+       else if (index == NEIGH_LINK_TABLE) {
+-- 
+2.40.1
+
diff --git a/queue-6.5/net-dsa-mv88e6xxx-avoid-eeprom-timeout-when-eeprom-i.patch b/queue-6.5/net-dsa-mv88e6xxx-avoid-eeprom-timeout-when-eeprom-i.patch
new file mode 100644 (file)
index 0000000..32c8e9c
--- /dev/null
@@ -0,0 +1,175 @@
+From edbf941ba00ed430e32f0dec029fde0f84e52542 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Sep 2023 09:47:41 -0300
+Subject: net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent
+
+From: Fabio Estevam <festevam@denx.de>
+
+[ Upstream commit 6ccf50d4d4741e064ba35511a95402c63bbe21a8 ]
+
+Since commit 23d775f12dcd ("net: dsa: mv88e6xxx: Wait for EEPROM done
+before HW reset") the following error is seen on a imx8mn board with
+a 88E6320 switch:
+
+mv88e6085 30be0000.ethernet-1:00: Timeout waiting for EEPROM done
+
+This board does not have an EEPROM attached to the switch though.
+
+This problem is well explained by Andrew Lunn:
+
+"If there is an EEPROM, and the EEPROM contains a lot of data, it could
+be that when we perform a hardware reset towards the end of probe, it
+interrupts an I2C bus transaction, leaving the I2C bus in a bad state,
+and future reads of the EEPROM do not work.
+
+The work around for this was to poll the EEInt status and wait for it
+to go true before performing the hardware reset.
+
+However, we have discovered that for some boards which do not have an
+EEPROM, EEInt never indicates complete. As a result,
+mv88e6xxx_g1_wait_eeprom_done() spins for a second and then prints a
+warning.
+
+We probably need a different solution than calling
+mv88e6xxx_g1_wait_eeprom_done(). The datasheet for 6352 documents the
+EEPROM Command register:
+
+bit 15 is:
+
+  EEPROM Unit Busy. This bit must be set to a one to start an EEPROM
+  operation (see EEOp below). Only one EEPROM operation can be
+  executing at one time so this bit must be zero before setting it to
+  a one.  When the requested EEPROM operation completes this bit will
+  automatically be cleared to a zero. The transition of this bit from
+  a one to a zero can be used to generate an interrupt (the EEInt in
+  Global 1, offset 0x00).
+
+and more interesting is bit 11:
+
+  Register Loader Running. This bit is set to one whenever the
+  register loader is busy executing instructions contained in the
+  EEPROM."
+
+Change to using mv88e6xxx_g2_eeprom_wait() to fix the timeout error
+when the EEPROM chip is not present.
+
+Fixes: 23d775f12dcd ("net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset")
+Suggested-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c    |  6 ++++--
+ drivers/net/dsa/mv88e6xxx/global1.c | 31 -----------------------------
+ drivers/net/dsa/mv88e6xxx/global1.h |  1 -
+ drivers/net/dsa/mv88e6xxx/global2.c |  2 +-
+ drivers/net/dsa/mv88e6xxx/global2.h |  1 +
+ 5 files changed, 6 insertions(+), 35 deletions(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index 7af2f08a62f14..0d4b236d1e344 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3040,14 +3040,16 @@ static void mv88e6xxx_hardware_reset(struct mv88e6xxx_chip *chip)
+                * from the wrong location resulting in the switch booting
+                * to wrong mode and inoperable.
+                */
+-              mv88e6xxx_g1_wait_eeprom_done(chip);
++              if (chip->info->ops->get_eeprom)
++                      mv88e6xxx_g2_eeprom_wait(chip);
+               gpiod_set_value_cansleep(gpiod, 1);
+               usleep_range(10000, 20000);
+               gpiod_set_value_cansleep(gpiod, 0);
+               usleep_range(10000, 20000);
+-              mv88e6xxx_g1_wait_eeprom_done(chip);
++              if (chip->info->ops->get_eeprom)
++                      mv88e6xxx_g2_eeprom_wait(chip);
+       }
+ }
+diff --git a/drivers/net/dsa/mv88e6xxx/global1.c b/drivers/net/dsa/mv88e6xxx/global1.c
+index 2fa55a6435910..174c773b38c2b 100644
+--- a/drivers/net/dsa/mv88e6xxx/global1.c
++++ b/drivers/net/dsa/mv88e6xxx/global1.c
+@@ -75,37 +75,6 @@ static int mv88e6xxx_g1_wait_init_ready(struct mv88e6xxx_chip *chip)
+       return mv88e6xxx_g1_wait_bit(chip, MV88E6XXX_G1_STS, bit, 1);
+ }
+-void mv88e6xxx_g1_wait_eeprom_done(struct mv88e6xxx_chip *chip)
+-{
+-      const unsigned long timeout = jiffies + 1 * HZ;
+-      u16 val;
+-      int err;
+-
+-      /* Wait up to 1 second for the switch to finish reading the
+-       * EEPROM.
+-       */
+-      while (time_before(jiffies, timeout)) {
+-              err = mv88e6xxx_g1_read(chip, MV88E6XXX_G1_STS, &val);
+-              if (err) {
+-                      dev_err(chip->dev, "Error reading status");
+-                      return;
+-              }
+-
+-              /* If the switch is still resetting, it may not
+-               * respond on the bus, and so MDIO read returns
+-               * 0xffff. Differentiate between that, and waiting for
+-               * the EEPROM to be done by bit 0 being set.
+-               */
+-              if (val != 0xffff &&
+-                  val & BIT(MV88E6XXX_G1_STS_IRQ_EEPROM_DONE))
+-                      return;
+-
+-              usleep_range(1000, 2000);
+-      }
+-
+-      dev_err(chip->dev, "Timeout waiting for EEPROM done");
+-}
+-
+ /* Offset 0x01: Switch MAC Address Register Bytes 0 & 1
+  * Offset 0x02: Switch MAC Address Register Bytes 2 & 3
+  * Offset 0x03: Switch MAC Address Register Bytes 4 & 5
+diff --git a/drivers/net/dsa/mv88e6xxx/global1.h b/drivers/net/dsa/mv88e6xxx/global1.h
+index c99ddd117fe6e..1095261f5b490 100644
+--- a/drivers/net/dsa/mv88e6xxx/global1.h
++++ b/drivers/net/dsa/mv88e6xxx/global1.h
+@@ -282,7 +282,6 @@ int mv88e6xxx_g1_set_switch_mac(struct mv88e6xxx_chip *chip, u8 *addr);
+ int mv88e6185_g1_reset(struct mv88e6xxx_chip *chip);
+ int mv88e6352_g1_reset(struct mv88e6xxx_chip *chip);
+ int mv88e6250_g1_reset(struct mv88e6xxx_chip *chip);
+-void mv88e6xxx_g1_wait_eeprom_done(struct mv88e6xxx_chip *chip);
+ int mv88e6185_g1_ppu_enable(struct mv88e6xxx_chip *chip);
+ int mv88e6185_g1_ppu_disable(struct mv88e6xxx_chip *chip);
+diff --git a/drivers/net/dsa/mv88e6xxx/global2.c b/drivers/net/dsa/mv88e6xxx/global2.c
+index 937a01f2ba75e..b2b5f6ba438f4 100644
+--- a/drivers/net/dsa/mv88e6xxx/global2.c
++++ b/drivers/net/dsa/mv88e6xxx/global2.c
+@@ -340,7 +340,7 @@ int mv88e6xxx_g2_pot_clear(struct mv88e6xxx_chip *chip)
+  * Offset 0x15: EEPROM Addr (for 8-bit data access)
+  */
+-static int mv88e6xxx_g2_eeprom_wait(struct mv88e6xxx_chip *chip)
++int mv88e6xxx_g2_eeprom_wait(struct mv88e6xxx_chip *chip)
+ {
+       int bit = __bf_shf(MV88E6XXX_G2_EEPROM_CMD_BUSY);
+       int err;
+diff --git a/drivers/net/dsa/mv88e6xxx/global2.h b/drivers/net/dsa/mv88e6xxx/global2.h
+index 7e091965582b7..d9434f7cae538 100644
+--- a/drivers/net/dsa/mv88e6xxx/global2.h
++++ b/drivers/net/dsa/mv88e6xxx/global2.h
+@@ -365,6 +365,7 @@ int mv88e6xxx_g2_trunk_clear(struct mv88e6xxx_chip *chip);
+ int mv88e6xxx_g2_device_mapping_write(struct mv88e6xxx_chip *chip, int target,
+                                     int port);
++int mv88e6xxx_g2_eeprom_wait(struct mv88e6xxx_chip *chip);
+ extern const struct mv88e6xxx_irq_ops mv88e6097_watchdog_ops;
+ extern const struct mv88e6xxx_irq_ops mv88e6250_watchdog_ops;
+-- 
+2.40.1
+
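Review bot: In the chip.c hunk, both new calls in mv88e6xxx_hardware_reset() discard the int returned by mv88e6xxx_g2_eeprom_wait(), so if the busy bit never clears the reset GPIO is toggled anyway. The partly visible comment above the first call says a reset at the wrong moment can leave the switch booting in the wrong mode. The removed mv88e6xxx_g1_wait_eeprom_done() logged its own timeout; whether the g2 helper reports one is not visible in this patch. Because the function returns void, I would keep the result in a local `int err` and report it: `err = mv88e6xxx_g2_eeprom_wait(chip);` followed by `if (err) dev_warn(chip->dev, "EEPROM still busy before reset: %d\n", err);`. The function body starts outside the hunk.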
diff --git a/queue-6.5/net-ethernet-ti-am65-cpsw-fix-error-code-in-am65_cps.patch b/queue-6.5/net-ethernet-ti-am65-cpsw-fix-error-code-in-am65_cps.patch
new file mode 100644 (file)
index 0000000..d19c628
--- /dev/null
@@ -0,0 +1,37 @@
+From a9178178d6e4738ac04f234d5e5a9fbbd1dcccfc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Sep 2023 17:04:43 +0300
+Subject: net: ethernet: ti: am65-cpsw: Fix error code in
+ am65_cpsw_nuss_init_tx_chns()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 37d4f55567982e445f86dc0ff4ecfa72921abfe8 ]
+
+This accidentally returns success, but it should return a negative error
+code.
+
+Fixes: 93a76530316a ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Roger Quadros <rogerq@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/am65-cpsw-nuss.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+index bebcfd5e6b579..a3d952f67ae32 100644
+--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c
++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+@@ -1749,6 +1749,7 @@ static int am65_cpsw_nuss_init_tx_chns(struct am65_cpsw_common *common)
+               if (tx_chn->irq <= 0) {
+                       dev_err(dev, "Failed to get tx dma irq %d\n",
+                               tx_chn->irq);
++                      ret = tx_chn->irq ?: -ENXIO;
+                       goto err;
+               }
+-- 
+2.40.1
+
diff --git a/queue-6.5/net-fix-possible-store-tearing-in-neigh_periodic_wor.patch b/queue-6.5/net-fix-possible-store-tearing-in-neigh_periodic_wor.patch
new file mode 100644 (file)
index 0000000..c1f0b7a
--- /dev/null
@@ -0,0 +1,48 @@
+From f7cd927ad339682f164a442f89bc8cb97909817d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Sep 2023 08:46:26 +0000
+Subject: net: fix possible store tearing in neigh_periodic_work()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 25563b581ba3a1f263a00e8c9a97f5e7363be6fd ]
+
+While looking at a related syzbot report involving neigh_periodic_work(),
+I found that I forgot to add an annotation when deleting an
+RCU protected item from a list.
+
+Readers use rcu_deference(*np), we need to use either
+rcu_assign_pointer() or WRITE_ONCE() on writer side
+to prevent store tearing.
+
+I use rcu_assign_pointer() to have lockdep support,
+this was the choice made in neigh_flush_dev().
+
+Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/neighbour.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index ddd0f32de20ef..b57d3ea3ccc9e 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -988,7 +988,9 @@ static void neigh_periodic_work(struct work_struct *work)
+                           (state == NUD_FAILED ||
+                            !time_in_range_open(jiffies, n->used,
+                                                n->used + NEIGH_VAR(n->parms, GC_STALETIME)))) {
+-                              *np = n->next;
++                              rcu_assign_pointer(*np,
++                                      rcu_dereference_protected(n->next,
++                                              lockdep_is_held(&tbl->lock)));
+                               neigh_mark_dead(n);
+                               write_unlock(&n->lock);
+                               neigh_cleanup_and_release(n);
+-- 
+2.40.1
+
diff --git a/queue-6.5/net-lan743x-also-select-phylib.patch b/queue-6.5/net-lan743x-also-select-phylib.patch
new file mode 100644 (file)
index 0000000..6172e9b
--- /dev/null
@@ -0,0 +1,47 @@
+From 013f547e2c2a458780af361fab6789d3fc9229ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Oct 2023 12:35:44 -0700
+Subject: net: lan743x: also select PHYLIB
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 566aeed6871ac2189b5bfe03e1a5b3b7be5eca38 ]
+
+Since FIXED_PHY depends on PHYLIB, PHYLIB needs to be set to avoid
+a kconfig warning:
+
+WARNING: unmet direct dependencies detected for FIXED_PHY
+  Depends on [n]: NETDEVICES [=y] && PHYLIB [=n]
+  Selected by [y]:
+  - LAN743X [=y] && NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_MICROCHIP [=y] && PCI [=y] && PTP_1588_CLOCK_OPTIONAL [=y]
+
+Fixes: 73c4d1b307ae ("net: lan743x: select FIXED_PHY")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: lore.kernel.org/r/202309261802.JPbRHwti-lkp@intel.com
+Cc: Bryan Whitehead <bryan.whitehead@microchip.com>
+Cc: UNGLinuxDriver@microchip.com
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Simon Horman <horms@kernel.org> # build-tested
+Link: https://lore.kernel.org/r/20231002193544.14529-1-rdunlap@infradead.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/microchip/Kconfig b/drivers/net/ethernet/microchip/Kconfig
+index 329e374b9539c..43ba71e82260c 100644
+--- a/drivers/net/ethernet/microchip/Kconfig
++++ b/drivers/net/ethernet/microchip/Kconfig
+@@ -46,6 +46,7 @@ config LAN743X
+       tristate "LAN743x support"
+       depends on PCI
+       depends on PTP_1588_CLOCK_OPTIONAL
++      select PHYLIB
+       select FIXED_PHY
+       select CRC16
+       select CRC32
+-- 
+2.40.1
+
diff --git a/queue-6.5/net-mana-fix-oversized-sge0-for-gso-packets.patch b/queue-6.5/net-mana-fix-oversized-sge0-for-gso-packets.patch
new file mode 100644 (file)
index 0000000..5fe81aa
--- /dev/null
@@ -0,0 +1,337 @@
+From c526375c7a53adfe601c626b9c8c41c6b9711620 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Sep 2023 13:42:27 -0700
+Subject: net: mana: Fix oversized sge0 for GSO packets
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+[ Upstream commit a43e8e9ffa0d1de058964edf1a0622cbb7e27cfe ]
+
+Handle the case when GSO SKB linear length is too large.
+
+MANA NIC requires GSO packets to put only the header part to SGE0,
+otherwise the TX queue may stop at the HW level.
+
+So, use 2 SGEs for the skb linear part which contains more than the
+packet header.
+
+Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Shradha Gupta <shradhagupta@linux.microsoft.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microsoft/mana/mana_en.c | 191 +++++++++++++-----
+ include/net/mana/mana.h                       |   5 +-
+ 2 files changed, 138 insertions(+), 58 deletions(-)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
+index 9f9bd3571da16..6d23a815ddeb6 100644
+--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
+@@ -89,63 +89,137 @@ static unsigned int mana_checksum_info(struct sk_buff *skb)
+       return 0;
+ }
++static void mana_add_sge(struct mana_tx_package *tp, struct mana_skb_head *ash,
++                       int sg_i, dma_addr_t da, int sge_len, u32 gpa_mkey)
++{
++      ash->dma_handle[sg_i] = da;
++      ash->size[sg_i] = sge_len;
++
++      tp->wqe_req.sgl[sg_i].address = da;
++      tp->wqe_req.sgl[sg_i].mem_key = gpa_mkey;
++      tp->wqe_req.sgl[sg_i].size = sge_len;
++}
++
+ static int mana_map_skb(struct sk_buff *skb, struct mana_port_context *apc,
+-                      struct mana_tx_package *tp)
++                      struct mana_tx_package *tp, int gso_hs)
+ {
+       struct mana_skb_head *ash = (struct mana_skb_head *)skb->head;
++      int hsg = 1; /* num of SGEs of linear part */
+       struct gdma_dev *gd = apc->ac->gdma_dev;
++      int skb_hlen = skb_headlen(skb);
++      int sge0_len, sge1_len = 0;
+       struct gdma_context *gc;
+       struct device *dev;
+       skb_frag_t *frag;
+       dma_addr_t da;
++      int sg_i;
+       int i;
+       gc = gd->gdma_context;
+       dev = gc->dev;
+-      da = dma_map_single(dev, skb->data, skb_headlen(skb), DMA_TO_DEVICE);
++      if (gso_hs && gso_hs < skb_hlen) {
++              sge0_len = gso_hs;
++              sge1_len = skb_hlen - gso_hs;
++      } else {
++              sge0_len = skb_hlen;
++      }
++
++      da = dma_map_single(dev, skb->data, sge0_len, DMA_TO_DEVICE);
+       if (dma_mapping_error(dev, da))
+               return -ENOMEM;
+-      ash->dma_handle[0] = da;
+-      ash->size[0] = skb_headlen(skb);
++      mana_add_sge(tp, ash, 0, da, sge0_len, gd->gpa_mkey);
+-      tp->wqe_req.sgl[0].address = ash->dma_handle[0];
+-      tp->wqe_req.sgl[0].mem_key = gd->gpa_mkey;
+-      tp->wqe_req.sgl[0].size = ash->size[0];
++      if (sge1_len) {
++              sg_i = 1;
++              da = dma_map_single(dev, skb->data + sge0_len, sge1_len,
++                                  DMA_TO_DEVICE);
++              if (dma_mapping_error(dev, da))
++                      goto frag_err;
++
++              mana_add_sge(tp, ash, sg_i, da, sge1_len, gd->gpa_mkey);
++              hsg = 2;
++      }
+       for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
++              sg_i = hsg + i;
++
+               frag = &skb_shinfo(skb)->frags[i];
+               da = skb_frag_dma_map(dev, frag, 0, skb_frag_size(frag),
+                                     DMA_TO_DEVICE);
+-
+               if (dma_mapping_error(dev, da))
+                       goto frag_err;
+-              ash->dma_handle[i + 1] = da;
+-              ash->size[i + 1] = skb_frag_size(frag);
+-
+-              tp->wqe_req.sgl[i + 1].address = ash->dma_handle[i + 1];
+-              tp->wqe_req.sgl[i + 1].mem_key = gd->gpa_mkey;
+-              tp->wqe_req.sgl[i + 1].size = ash->size[i + 1];
++              mana_add_sge(tp, ash, sg_i, da, skb_frag_size(frag),
++                           gd->gpa_mkey);
+       }
+       return 0;
+ frag_err:
+-      for (i = i - 1; i >= 0; i--)
+-              dma_unmap_page(dev, ash->dma_handle[i + 1], ash->size[i + 1],
++      for (i = sg_i - 1; i >= hsg; i--)
++              dma_unmap_page(dev, ash->dma_handle[i], ash->size[i],
+                              DMA_TO_DEVICE);
+-      dma_unmap_single(dev, ash->dma_handle[0], ash->size[0], DMA_TO_DEVICE);
++      for (i = hsg - 1; i >= 0; i--)
++              dma_unmap_single(dev, ash->dma_handle[i], ash->size[i],
++                               DMA_TO_DEVICE);
+       return -ENOMEM;
+ }
++/* Handle the case when GSO SKB linear length is too large.
++ * MANA NIC requires GSO packets to put only the packet header to SGE0.
++ * So, we need 2 SGEs for the skb linear part which contains more than the
++ * header.
++ * Return a positive value for the number of SGEs, or a negative value
++ * for an error.
++ */
++static int mana_fix_skb_head(struct net_device *ndev, struct sk_buff *skb,
++                           int gso_hs)
++{
++      int num_sge = 1 + skb_shinfo(skb)->nr_frags;
++      int skb_hlen = skb_headlen(skb);
++
++      if (gso_hs < skb_hlen) {
++              num_sge++;
++      } else if (gso_hs > skb_hlen) {
++              if (net_ratelimit())
++                      netdev_err(ndev,
++                                 "TX nonlinear head: hs:%d, skb_hlen:%d\n",
++                                 gso_hs, skb_hlen);
++
++              return -EINVAL;
++      }
++
++      return num_sge;
++}
++
++/* Get the GSO packet's header size */
++static int mana_get_gso_hs(struct sk_buff *skb)
++{
++      int gso_hs;
++
++      if (skb->encapsulation) {
++              gso_hs = skb_inner_tcp_all_headers(skb);
++      } else {
++              if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4) {
++                      gso_hs = skb_transport_offset(skb) +
++                               sizeof(struct udphdr);
++              } else {
++                      gso_hs = skb_tcp_all_headers(skb);
++              }
++      }
++
++      return gso_hs;
++}
++
+ netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ {
+       enum mana_tx_pkt_format pkt_fmt = MANA_SHORT_PKT_FMT;
+       struct mana_port_context *apc = netdev_priv(ndev);
++      int gso_hs = 0; /* zero for non-GSO pkts */
+       u16 txq_idx = skb_get_queue_mapping(skb);
+       struct gdma_dev *gd = apc->ac->gdma_dev;
+       bool ipv4 = false, ipv6 = false;
+@@ -157,7 +231,6 @@ netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+       struct mana_txq *txq;
+       struct mana_cq *cq;
+       int err, len;
+-      u16 ihs;
+       if (unlikely(!apc->port_is_up))
+               goto tx_drop;
+@@ -207,19 +280,6 @@ netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+       pkg.wqe_req.client_data_unit = 0;
+       pkg.wqe_req.num_sge = 1 + skb_shinfo(skb)->nr_frags;
+-      WARN_ON_ONCE(pkg.wqe_req.num_sge > MAX_TX_WQE_SGL_ENTRIES);
+-
+-      if (pkg.wqe_req.num_sge <= ARRAY_SIZE(pkg.sgl_array)) {
+-              pkg.wqe_req.sgl = pkg.sgl_array;
+-      } else {
+-              pkg.sgl_ptr = kmalloc_array(pkg.wqe_req.num_sge,
+-                                          sizeof(struct gdma_sge),
+-                                          GFP_ATOMIC);
+-              if (!pkg.sgl_ptr)
+-                      goto tx_drop_count;
+-
+-              pkg.wqe_req.sgl = pkg.sgl_ptr;
+-      }
+       if (skb->protocol == htons(ETH_P_IP))
+               ipv4 = true;
+@@ -227,6 +287,26 @@ netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+               ipv6 = true;
+       if (skb_is_gso(skb)) {
++              int num_sge;
++
++              gso_hs = mana_get_gso_hs(skb);
++
++              num_sge = mana_fix_skb_head(ndev, skb, gso_hs);
++              if (num_sge > 0)
++                      pkg.wqe_req.num_sge = num_sge;
++              else
++                      goto tx_drop_count;
++
++              u64_stats_update_begin(&tx_stats->syncp);
++              if (skb->encapsulation) {
++                      tx_stats->tso_inner_packets++;
++                      tx_stats->tso_inner_bytes += skb->len - gso_hs;
++              } else {
++                      tx_stats->tso_packets++;
++                      tx_stats->tso_bytes += skb->len - gso_hs;
++              }
++              u64_stats_update_end(&tx_stats->syncp);
++
+               pkg.tx_oob.s_oob.is_outer_ipv4 = ipv4;
+               pkg.tx_oob.s_oob.is_outer_ipv6 = ipv6;
+@@ -250,26 +330,6 @@ netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+                                                &ipv6_hdr(skb)->daddr, 0,
+                                                IPPROTO_TCP, 0);
+               }
+-
+-              if (skb->encapsulation) {
+-                      ihs = skb_inner_tcp_all_headers(skb);
+-                      u64_stats_update_begin(&tx_stats->syncp);
+-                      tx_stats->tso_inner_packets++;
+-                      tx_stats->tso_inner_bytes += skb->len - ihs;
+-                      u64_stats_update_end(&tx_stats->syncp);
+-              } else {
+-                      if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4) {
+-                              ihs = skb_transport_offset(skb) + sizeof(struct udphdr);
+-                      } else {
+-                              ihs = skb_tcp_all_headers(skb);
+-                      }
+-
+-                      u64_stats_update_begin(&tx_stats->syncp);
+-                      tx_stats->tso_packets++;
+-                      tx_stats->tso_bytes += skb->len - ihs;
+-                      u64_stats_update_end(&tx_stats->syncp);
+-              }
+-
+       } else if (skb->ip_summed == CHECKSUM_PARTIAL) {
+               csum_type = mana_checksum_info(skb);
+@@ -292,11 +352,25 @@ netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+               } else {
+                       /* Can't do offload of this type of checksum */
+                       if (skb_checksum_help(skb))
+-                              goto free_sgl_ptr;
++                              goto tx_drop_count;
+               }
+       }
+-      if (mana_map_skb(skb, apc, &pkg)) {
++      WARN_ON_ONCE(pkg.wqe_req.num_sge > MAX_TX_WQE_SGL_ENTRIES);
++
++      if (pkg.wqe_req.num_sge <= ARRAY_SIZE(pkg.sgl_array)) {
++              pkg.wqe_req.sgl = pkg.sgl_array;
++      } else {
++              pkg.sgl_ptr = kmalloc_array(pkg.wqe_req.num_sge,
++                                          sizeof(struct gdma_sge),
++                                          GFP_ATOMIC);
++              if (!pkg.sgl_ptr)
++                      goto tx_drop_count;
++
++              pkg.wqe_req.sgl = pkg.sgl_ptr;
++      }
++
++      if (mana_map_skb(skb, apc, &pkg, gso_hs)) {
+               u64_stats_update_begin(&tx_stats->syncp);
+               tx_stats->mana_map_err++;
+               u64_stats_update_end(&tx_stats->syncp);
+@@ -1254,11 +1328,16 @@ static void mana_unmap_skb(struct sk_buff *skb, struct mana_port_context *apc)
+       struct mana_skb_head *ash = (struct mana_skb_head *)skb->head;
+       struct gdma_context *gc = apc->ac->gdma_dev->gdma_context;
+       struct device *dev = gc->dev;
+-      int i;
++      int hsg, i;
++
++      /* Number of SGEs of linear part */
++      hsg = (skb_is_gso(skb) && skb_headlen(skb) > ash->size[0]) ? 2 : 1;
+-      dma_unmap_single(dev, ash->dma_handle[0], ash->size[0], DMA_TO_DEVICE);
++      for (i = 0; i < hsg; i++)
++              dma_unmap_single(dev, ash->dma_handle[i], ash->size[i],
++                               DMA_TO_DEVICE);
+-      for (i = 1; i < skb_shinfo(skb)->nr_frags + 1; i++)
++      for (i = hsg; i < skb_shinfo(skb)->nr_frags + hsg; i++)
+               dma_unmap_page(dev, ash->dma_handle[i], ash->size[i],
+                              DMA_TO_DEVICE);
+ }
+diff --git a/include/net/mana/mana.h b/include/net/mana/mana.h
+index 024ad8ddb27e5..571cc011b0ec5 100644
+--- a/include/net/mana/mana.h
++++ b/include/net/mana/mana.h
+@@ -101,9 +101,10 @@ struct mana_txq {
+ /* skb data and frags dma mappings */
+ struct mana_skb_head {
+-      dma_addr_t dma_handle[MAX_SKB_FRAGS + 1];
++      /* GSO pkts may have 2 SGEs for the linear part*/
++      dma_addr_t dma_handle[MAX_SKB_FRAGS + 2];
+-      u32 size[MAX_SKB_FRAGS + 1];
++      u32 size[MAX_SKB_FRAGS + 2];
+ };
+ #define MANA_HEADROOM sizeof(struct mana_skb_head)
+-- 
+2.40.1
+
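Review bot: In mana_start_xmit(), the relocated `WARN_ON_ONCE(pkg.wqe_req.num_sge > MAX_TX_WQE_SGL_ENTRIES);` only logs, and this patch raises the largest possible num_sge for GSO packets by one (mana_fix_skb_head() returns `1 + nr_frags + 1` when the linear part is split). If that can exceed the limit (the value of MAX_TX_WQE_SGL_ENTRIES is not visible here), the oversized request is still sized, mapped and posted. I would make the check enforcing with `if (WARN_ON_ONCE(pkg.wqe_req.num_sge > MAX_TX_WQE_SGL_ENTRIES)) goto tx_drop_count;`. That is safe at this point because pkg.sgl_ptr has not been allocated yet. Separately, the split decision is computed three times (mana_fix_skb_head, mana_map_skb, and the `hsg` inference in mana_unmap_skb), and a short comment on mana_add_sge() saying that `sg_i` must stay below the num_sge used to size `sgl` would document that coupling. mana_start_xmit() continues outside the hunks shown.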
diff --git a/queue-6.5/net-mana-fix-the-tso_bytes-calculation.patch b/queue-6.5/net-mana-fix-the-tso_bytes-calculation.patch
new file mode 100644 (file)
index 0000000..6aa7b83
--- /dev/null
@@ -0,0 +1,40 @@
+From 1c510795b8723aefc25ee0a9cc4e6710ea5cb67d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Sep 2023 13:42:26 -0700
+Subject: net: mana: Fix the tso_bytes calculation
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+[ Upstream commit 7a54de92657455210d0ca71d4176b553952c871a ]
+
+sizeof(struct hop_jumbo_hdr) is not part of tso_bytes, so remove
+the subtraction from header size.
+
+Cc: stable@vger.kernel.org
+Fixes: bd7fc6e1957c ("net: mana: Add new MANA VF performance counters for easier troubleshooting")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Shradha Gupta <shradhagupta@linux.microsoft.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: a43e8e9ffa0d ("net: mana: Fix oversized sge0 for GSO packets")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microsoft/mana/mana_en.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
+index c2ad0921e893c..9f9bd3571da16 100644
+--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
+@@ -262,8 +262,6 @@ netdev_tx_t mana_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+                               ihs = skb_transport_offset(skb) + sizeof(struct udphdr);
+                       } else {
+                               ihs = skb_tcp_all_headers(skb);
+-                              if (ipv6_has_hopopt_jumbo(skb))
+-                                      ihs -= sizeof(struct hop_jumbo_hdr);
+                       }
+                       u64_stats_update_begin(&tx_stats->syncp);
+-- 
+2.40.1
+
diff --git a/queue-6.5/net-nfc-llcp-add-lock-when-modifying-device-list.patch b/queue-6.5/net-nfc-llcp-add-lock-when-modifying-device-list.patch
new file mode 100644 (file)
index 0000000..7ea5819
--- /dev/null
@@ -0,0 +1,41 @@
+From 9c79802cee011b056cdfd1966d23274c16116252 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 19:58:53 -0400
+Subject: net: nfc: llcp: Add lock when modifying device list
+
+From: Jeremy Cline <jeremy@jcline.org>
+
+[ Upstream commit dfc7f7a988dad34c3bf4c053124fb26aa6c5f916 ]
+
+The device list needs its associated lock held when modifying it, or the
+list could become corrupted, as syzbot discovered.
+
+Reported-and-tested-by: syzbot+c1d0a03d305972dbbe14@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c1d0a03d305972dbbe14
+Signed-off-by: Jeremy Cline <jeremy@jcline.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Fixes: 6709d4b7bc2e ("net: nfc: Fix use-after-free caused by nfc_llcp_find_local")
+Link: https://lore.kernel.org/r/20230908235853.1319596-1-jeremy@jcline.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/llcp_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c
+index f60e424e06076..6705bb895e239 100644
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -1636,7 +1636,9 @@ int nfc_llcp_register_device(struct nfc_dev *ndev)
+       timer_setup(&local->sdreq_timer, nfc_llcp_sdreq_timer, 0);
+       INIT_WORK(&local->sdreq_timeout_work, nfc_llcp_sdreq_timeout_work);
++      spin_lock(&llcp_devices_lock);
+       list_add(&local->list, &llcp_devices);
++      spin_unlock(&llcp_devices_lock);
+       return 0;
+ }
+-- 
+2.40.1
+
diff --git a/queue-6.5/net-renesas-rswitch-add-spin-lock-protection-for-irq.patch b/queue-6.5/net-renesas-rswitch-add-spin-lock-protection-for-irq.patch
new file mode 100644 (file)
index 0000000..a3443c8
--- /dev/null
@@ -0,0 +1,124 @@
+From 7b688849a9099feb40f6555c22ba0a90534f694d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 10:49:36 +0900
+Subject: net: renesas: rswitch: Add spin lock protection for irq {un}mask
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit c4f922e86c8e0f7c5fe94e0547e9835fc9711f08 ]
+
+Add spin lock protection for irq {un}mask registers' control.
+
+After napi_complete_done() and this protection were applied,
+a lot of redundant interrupts no longer occur.
+
+For example: when "iperf3 -c <ipaddr> -R" on R-Car S4-8 Spider
+ Before the patches are applied: about 800,000 times happened
+ After the patches were applied: about 100,000 times happened
+
+Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Stable-dep-of: a0c55bba0d0d ("rswitch: Fix PHY station management clock setting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/rswitch.c | 12 ++++++++++++
+ drivers/net/ethernet/renesas/rswitch.h |  2 ++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c
+index 449ed1f5624c9..215854812f80a 100644
+--- a/drivers/net/ethernet/renesas/rswitch.c
++++ b/drivers/net/ethernet/renesas/rswitch.c
+@@ -799,6 +799,7 @@ static int rswitch_poll(struct napi_struct *napi, int budget)
+       struct net_device *ndev = napi->dev;
+       struct rswitch_private *priv;
+       struct rswitch_device *rdev;
++      unsigned long flags;
+       int quota = budget;
+       rdev = netdev_priv(ndev);
+@@ -817,8 +818,10 @@ static int rswitch_poll(struct napi_struct *napi, int budget)
+       netif_wake_subqueue(ndev, 0);
+       if (napi_complete_done(napi, budget - quota)) {
++              spin_lock_irqsave(&priv->lock, flags);
+               rswitch_enadis_data_irq(priv, rdev->tx_queue->index, true);
+               rswitch_enadis_data_irq(priv, rdev->rx_queue->index, true);
++              spin_unlock_irqrestore(&priv->lock, flags);
+       }
+ out:
+@@ -835,8 +838,10 @@ static void rswitch_queue_interrupt(struct net_device *ndev)
+       struct rswitch_device *rdev = netdev_priv(ndev);
+       if (napi_schedule_prep(&rdev->napi)) {
++              spin_lock(&rdev->priv->lock);
+               rswitch_enadis_data_irq(rdev->priv, rdev->tx_queue->index, false);
+               rswitch_enadis_data_irq(rdev->priv, rdev->rx_queue->index, false);
++              spin_unlock(&rdev->priv->lock);
+               __napi_schedule(&rdev->napi);
+       }
+ }
+@@ -1430,14 +1435,17 @@ static void rswitch_ether_port_deinit_all(struct rswitch_private *priv)
+ static int rswitch_open(struct net_device *ndev)
+ {
+       struct rswitch_device *rdev = netdev_priv(ndev);
++      unsigned long flags;
+       phy_start(ndev->phydev);
+       napi_enable(&rdev->napi);
+       netif_start_queue(ndev);
++      spin_lock_irqsave(&rdev->priv->lock, flags);
+       rswitch_enadis_data_irq(rdev->priv, rdev->tx_queue->index, true);
+       rswitch_enadis_data_irq(rdev->priv, rdev->rx_queue->index, true);
++      spin_unlock_irqrestore(&rdev->priv->lock, flags);
+       if (bitmap_empty(rdev->priv->opened_ports, RSWITCH_NUM_PORTS))
+               iowrite32(GWCA_TS_IRQ_BIT, rdev->priv->addr + GWTSDIE);
+@@ -1451,6 +1459,7 @@ static int rswitch_stop(struct net_device *ndev)
+ {
+       struct rswitch_device *rdev = netdev_priv(ndev);
+       struct rswitch_gwca_ts_info *ts_info, *ts_info2;
++      unsigned long flags;
+       netif_tx_stop_all_queues(ndev);
+       bitmap_clear(rdev->priv->opened_ports, rdev->port, 1);
+@@ -1466,8 +1475,10 @@ static int rswitch_stop(struct net_device *ndev)
+               kfree(ts_info);
+       }
++      spin_lock_irqsave(&rdev->priv->lock, flags);
+       rswitch_enadis_data_irq(rdev->priv, rdev->tx_queue->index, false);
+       rswitch_enadis_data_irq(rdev->priv, rdev->rx_queue->index, false);
++      spin_unlock_irqrestore(&rdev->priv->lock, flags);
+       phy_stop(ndev->phydev);
+       napi_disable(&rdev->napi);
+@@ -1869,6 +1880,7 @@ static int renesas_eth_sw_probe(struct platform_device *pdev)
+       priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL);
+       if (!priv)
+               return -ENOMEM;
++      spin_lock_init(&priv->lock);
+       priv->ptp_priv = rcar_gen4_ptp_alloc(pdev);
+       if (!priv->ptp_priv)
+diff --git a/drivers/net/ethernet/renesas/rswitch.h b/drivers/net/ethernet/renesas/rswitch.h
+index bb9ed971a97ca..9740398067140 100644
+--- a/drivers/net/ethernet/renesas/rswitch.h
++++ b/drivers/net/ethernet/renesas/rswitch.h
+@@ -1011,6 +1011,8 @@ struct rswitch_private {
+       struct rswitch_etha etha[RSWITCH_NUM_PORTS];
+       struct rswitch_mfwd mfwd;
++      spinlock_t lock;        /* lock interrupt registers' control */
++
+       bool gwca_halt;
+ };
+-- 
+2.40.1
+
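Review bot: rswitch_queue_interrupt() takes priv->lock with plain `spin_lock()` while rswitch_poll(), rswitch_open() and rswitch_stop() use `spin_lock_irqsave()`, and nothing in the code says why the variants differ. The plain form is only correct if rswitch_queue_interrupt() is always entered with interrupts disabled, presumably from the data IRQ handler, which is outside the hunks. Otherwise the handler could spin on a lock held by the context it interrupted. A comment above the lock such as `/* hard IRQ context: interrupts are already off, plain spin_lock is enough */` would pin the assumption down. The `iowrite32(GWCA_TS_IRQ_BIT, ...)` to GWTSDIE in rswitch_open() stays outside the lock, so the field comment `lock interrupt registers' control` could say which registers it covers.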
diff --git a/queue-6.5/net-stmmac-dwmac-stm32-fix-resume-on-stm32-mcu.patch b/queue-6.5/net-stmmac-dwmac-stm32-fix-resume-on-stm32-mcu.patch
new file mode 100644 (file)
index 0000000..ec448e1
--- /dev/null
@@ -0,0 +1,68 @@
+From 6ec6f765ee8090edcedaffe73adda7ba3fbd4835 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Sep 2023 13:57:49 -0400
+Subject: net: stmmac: dwmac-stm32: fix resume on STM32 MCU
+
+From: Ben Wolsieffer <ben.wolsieffer@hefring.com>
+
+[ Upstream commit 6f195d6b0da3b689922ba9e302af2f49592fa9fc ]
+
+The STM32MP1 keeps clk_rx enabled during suspend, and therefore the
+driver does not enable the clock in stm32_dwmac_init() if the device was
+suspended. The problem is that this same code runs on STM32 MCUs, which
+do disable clk_rx during suspend, causing the clock to never be
+re-enabled on resume.
+
+This patch adds a variant flag to indicate that clk_rx remains enabled
+during suspend, and uses this to decide whether to enable the clock in
+stm32_dwmac_init() if the device was suspended.
+
+This approach fixes this specific bug with limited opportunity for
+unintended side-effects, but I have a follow up patch that will refactor
+the clock configuration and hopefully make it less error prone.
+
+Fixes: 6528e02cc9ff ("net: ethernet: stmmac: add adaptation for stm32mp157c.")
+Signed-off-by: Ben Wolsieffer <ben.wolsieffer@hefring.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://lore.kernel.org/r/20230927175749.1419774-1-ben.wolsieffer@hefring.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-stm32.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-stm32.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-stm32.c
+index bdb4de59a6727..28c8ca5fba6c5 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-stm32.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-stm32.c
+@@ -105,6 +105,7 @@ struct stm32_ops {
+       int (*parse_data)(struct stm32_dwmac *dwmac,
+                         struct device *dev);
+       u32 syscfg_eth_mask;
++      bool clk_rx_enable_in_suspend;
+ };
+ static int stm32_dwmac_init(struct plat_stmmacenet_data *plat_dat)
+@@ -122,7 +123,8 @@ static int stm32_dwmac_init(struct plat_stmmacenet_data *plat_dat)
+       if (ret)
+               return ret;
+-      if (!dwmac->dev->power.is_suspended) {
++      if (!dwmac->ops->clk_rx_enable_in_suspend ||
++          !dwmac->dev->power.is_suspended) {
+               ret = clk_prepare_enable(dwmac->clk_rx);
+               if (ret) {
+                       clk_disable_unprepare(dwmac->clk_tx);
+@@ -514,7 +516,8 @@ static struct stm32_ops stm32mp1_dwmac_data = {
+       .suspend = stm32mp1_suspend,
+       .resume = stm32mp1_resume,
+       .parse_data = stm32mp1_parse_data,
+-      .syscfg_eth_mask = SYSCFG_MP1_ETH_MASK
++      .syscfg_eth_mask = SYSCFG_MP1_ETH_MASK,
++      .clk_rx_enable_in_suspend = true
+ };
+ static const struct of_device_id stm32_dwmac_match[] = {
+-- 
+2.40.1
+
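Review bot: The new `clk_rx_enable_in_suspend` member of struct stm32_ops has no comment, and its name can be read as "enable clk_rx on suspend", whereas the commit message says it means clk_rx stays enabled across suspend. Suggest documenting it at the declaration: `bool clk_rx_enable_in_suspend; /* clk_rx is left running during suspend; init must not enable it again on resume */`. Only stm32mp1_dwmac_data sets the flag in the visible hunks. Any other stm32_ops instance relies on zero initialisation to get `false`, which is worth confirming because those tables and the suspend path are outside the hunks.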
diff --git a/queue-6.5/net-stmmac-platform-fix-the-incorrect-parameter.patch b/queue-6.5/net-stmmac-platform-fix-the-incorrect-parameter.patch
new file mode 100644 (file)
index 0000000..31115e5
--- /dev/null
@@ -0,0 +1,84 @@
+From 67a3a9fb61001205c011a380e072262133e21d52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Sep 2023 14:24:43 +0800
+Subject: net: stmmac: platform: fix the incorrect parameter
+
+From: Clark Wang <xiaoning.wang@nxp.com>
+
+[ Upstream commit 6b09edc1b31762af58d3d95754354ca6a92d39c0 ]
+
+The second parameter of stmmac_pltfr_init() needs the pointer of
+"struct plat_stmmacenet_data". So, correct the parameter typo when calling the
+function.
+
+Otherwise, it may cause this alignment exception when doing suspend/resume.
+[   49.067201] CPU1 is up
+[   49.135258] Internal error: SP/PC alignment exception: 000000008a000000 [#1] PREEMPT SMP
+[   49.143346] Modules linked in: soc_imx9 crct10dif_ce polyval_ce nvmem_imx_ocotp_fsb_s400 polyval_generic layerscape_edac_mod snd_soc_fsl_asoc_card snd_soc_imx_audmux snd_soc_imx_card snd_soc_wm8962 el_enclave snd_soc_fsl_micfil rtc_pcf2127 rtc_pcf2131 flexcan can_dev snd_soc_fsl_xcvr snd_soc_fsl_sai imx8_media_dev(C) snd_soc_fsl_utils fuse
+[   49.173393] CPU: 0 PID: 565 Comm: sh Tainted: G         C         6.5.0-rc4-next-20230804-05047-g5781a6249dae #677
+[   49.183721] Hardware name: NXP i.MX93 11X11 EVK board (DT)
+[   49.189190] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[   49.196140] pc : 0x80800052
+[   49.198931] lr : stmmac_pltfr_resume+0x34/0x50
+[   49.203368] sp : ffff800082f8bab0
+[   49.206670] x29: ffff800082f8bab0 x28: ffff0000047d0ec0 x27: ffff80008186c170
+[   49.213794] x26: 0000000b5e4ff1ba x25: ffff800081e5fa74 x24: 0000000000000010
+[   49.220918] x23: ffff800081fe0000 x22: 0000000000000000 x21: 0000000000000000
+[   49.228042] x20: ffff0000001b4010 x19: ffff0000001b4010 x18: 0000000000000006
+[   49.235166] x17: ffff7ffffe007000 x16: ffff800080000000 x15: 0000000000000000
+[   49.242290] x14: 00000000000000fc x13: 0000000000000000 x12: 0000000000000000
+[   49.249414] x11: 0000000000000001 x10: 0000000000000a60 x9 : ffff800082f8b8c0
+[   49.256538] x8 : 0000000000000008 x7 : 0000000000000001 x6 : 000000005f54a200
+[   49.263662] x5 : 0000000001000000 x4 : ffff800081b93680 x3 : ffff800081519be0
+[   49.270786] x2 : 0000000080800052 x1 : 0000000000000000 x0 : ffff0000001b4000
+[   49.277911] Call trace:
+[   49.280346]  0x80800052
+[   49.282781]  platform_pm_resume+0x2c/0x68
+[   49.286785]  dpm_run_callback.constprop.0+0x74/0x134
+[   49.291742]  device_resume+0x88/0x194
+[   49.295391]  dpm_resume+0x10c/0x230
+[   49.298866]  dpm_resume_end+0x18/0x30
+[   49.302515]  suspend_devices_and_enter+0x2b8/0x624
+[   49.307299]  pm_suspend+0x1fc/0x348
+[   49.310774]  state_store+0x80/0x104
+[   49.314258]  kobj_attr_store+0x18/0x2c
+[   49.318002]  sysfs_kf_write+0x44/0x54
+[   49.321659]  kernfs_fop_write_iter+0x120/0x1ec
+[   49.326088]  vfs_write+0x1bc/0x300
+[   49.329485]  ksys_write+0x70/0x104
+[   49.332874]  __arm64_sys_write+0x1c/0x28
+[   49.336783]  invoke_syscall+0x48/0x114
+[   49.340527]  el0_svc_common.constprop.0+0xc4/0xe4
+[   49.345224]  do_el0_svc+0x38/0x98
+[   49.348526]  el0_svc+0x2c/0x84
+[   49.351568]  el0t_64_sync_handler+0x100/0x12c
+[   49.355910]  el0t_64_sync+0x190/0x194
+[   49.359567] Code: ???????? ???????? ???????? ???????? (????????)
+[   49.365644] ---[ end trace 0000000000000000 ]---
+
+Fixes: 97117eb51ec8 ("net: stmmac: platform: provide stmmac_pltfr_init()")
+Signed-off-by: Clark Wang <xiaoning.wang@nxp.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+index 231152ee5a323..5a3bd30d6c220 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+@@ -901,7 +901,7 @@ static int __maybe_unused stmmac_pltfr_resume(struct device *dev)
+       struct platform_device *pdev = to_platform_device(dev);
+       int ret;
+-      ret = stmmac_pltfr_init(pdev, priv->plat->bsp_priv);
++      ret = stmmac_pltfr_init(pdev, priv->plat);
+       if (ret)
+               return ret;
+-- 
+2.40.1
+
diff --git a/queue-6.5/net-usb-smsc75xx-fix-uninit-value-access-in-__smsc75.patch b/queue-6.5/net-usb-smsc75xx-fix-uninit-value-access-in-__smsc75.patch
new file mode 100644 (file)
index 0000000..ac1de45
--- /dev/null
@@ -0,0 +1,99 @@
+From 4f9a7b3e7459acd40fc2180ff74cfc5dc55464f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Sep 2023 02:35:49 +0900
+Subject: net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit e9c65989920f7c28775ec4e0c11b483910fb67b8 ]
+
+syzbot reported the following uninit-value access issue:
+
+=====================================================
+BUG: KMSAN: uninit-value in smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]
+BUG: KMSAN: uninit-value in smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482
+CPU: 0 PID: 8696 Comm: kworker/0:3 Not tainted 5.8.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x21c/0x280 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:975 [inline]
+ smsc75xx_bind+0x5c9/0x11e0 drivers/net/usb/smsc75xx.c:1482
+ usbnet_probe+0x1152/0x3f90 drivers/net/usb/usbnet.c:1737
+ usb_probe_interface+0xece/0x1550 drivers/usb/core/driver.c:374
+ really_probe+0xf20/0x20b0 drivers/base/dd.c:529
+ driver_probe_device+0x293/0x390 drivers/base/dd.c:701
+ __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807
+ bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
+ __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873
+ device_initial_probe+0x4a/0x60 drivers/base/dd.c:920
+ bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
+ device_add+0x3b0e/0x40d0 drivers/base/core.c:2680
+ usb_set_configuration+0x380f/0x3f10 drivers/usb/core/message.c:2032
+ usb_generic_driver_probe+0x138/0x300 drivers/usb/core/generic.c:241
+ usb_probe_device+0x311/0x490 drivers/usb/core/driver.c:272
+ really_probe+0xf20/0x20b0 drivers/base/dd.c:529
+ driver_probe_device+0x293/0x390 drivers/base/dd.c:701
+ __device_attach_driver+0x63f/0x830 drivers/base/dd.c:807
+ bus_for_each_drv+0x2ca/0x3f0 drivers/base/bus.c:431
+ __device_attach+0x4e2/0x7f0 drivers/base/dd.c:873
+ device_initial_probe+0x4a/0x60 drivers/base/dd.c:920
+ bus_probe_device+0x177/0x3d0 drivers/base/bus.c:491
+ device_add+0x3b0e/0x40d0 drivers/base/core.c:2680
+ usb_new_device+0x1bd4/0x2a30 drivers/usb/core/hub.c:2554
+ hub_port_connect drivers/usb/core/hub.c:5208 [inline]
+ hub_port_connect_change drivers/usb/core/hub.c:5348 [inline]
+ port_event drivers/usb/core/hub.c:5494 [inline]
+ hub_event+0x5e7b/0x8a70 drivers/usb/core/hub.c:5576
+ process_one_work+0x1688/0x2140 kernel/workqueue.c:2269
+ worker_thread+0x10bc/0x2730 kernel/workqueue.c:2415
+ kthread+0x551/0x590 kernel/kthread.c:292
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
+
+Local variable ----buf.i87@smsc75xx_bind created at:
+ __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]
+ smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]
+ smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482
+ __smsc75xx_read_reg drivers/net/usb/smsc75xx.c:83 [inline]
+ smsc75xx_wait_ready drivers/net/usb/smsc75xx.c:968 [inline]
+ smsc75xx_bind+0x485/0x11e0 drivers/net/usb/smsc75xx.c:1482
+
+This issue is caused because usbnet_read_cmd() reads less bytes than requested
+(zero byte in the reproducer). In this case, 'buf' is not properly filled.
+
+This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads
+less bytes than requested.
+
+Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
+Reported-and-tested-by: syzbot+6966546b78d050bb0b5d@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=6966546b78d050bb0b5d
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20230923173549.3284502-1-syoshida@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc75xx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index 5d6454fedb3f1..78ad2da3ee29b 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -90,7 +90,9 @@ static int __must_check __smsc75xx_read_reg(struct usbnet *dev, u32 index,
+       ret = fn(dev, USB_VENDOR_REQUEST_READ_REGISTER, USB_DIR_IN
+                | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+                0, index, &buf, 4);
+-      if (unlikely(ret < 0)) {
++      if (unlikely(ret < 4)) {
++              ret = ret < 0 ? ret : -ENODATA;
++
+               netdev_warn(dev->net, "Failed to read reg index 0x%08x: %d\n",
+                           index, ret);
+               return ret;
+-- 
+2.40.1
+
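Review bot: The short-read check in __smsc75xx_read_reg() hard-codes `4` twice, once as the length passed to `fn()` and once in `ret < 4`, so the two can drift apart if the buffer type changes. Because the returned length is controlled by the USB device, tie both to the buffer: pass `sizeof(buf)` as the request length and test `if (unlikely(ret < (int)sizeof(buf))) {` (buf is declared outside the hunk, presumably a u32). The warning is printed after `ret` has been remapped to -ENODATA, so the actual short length never reaches the log. Printing the original value before the remap would make device misbehaviour easier to triage.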
diff --git a/queue-6.5/netfilter-handle-the-connecting-collision-properly-i.patch b/queue-6.5/netfilter-handle-the-connecting-collision-properly-i.patch
new file mode 100644 (file)
index 0000000..f7f1843
--- /dev/null
@@ -0,0 +1,175 @@
+From 2885afbe0879d711716fd7b49d15e5efe49516e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Oct 2023 13:17:53 -0400
+Subject: netfilter: handle the connecting collision properly in
+ nf_conntrack_proto_sctp
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 8e56b063c86569e51eed1c5681ce6361fa97fc7a ]
+
+In Scenario A and B below, as the delayed INIT_ACK always changes the peer
+vtag, SCTP ct with the incorrect vtag may cause packet loss.
+
+Scenario A: INIT_ACK is delayed until the peer receives its own INIT_ACK
+
+  192.168.1.2 > 192.168.1.1: [INIT] [init tag: 1328086772]
+    192.168.1.1 > 192.168.1.2: [INIT] [init tag: 1414468151]
+    192.168.1.2 > 192.168.1.1: [INIT ACK] [init tag: 1328086772]
+  192.168.1.1 > 192.168.1.2: [INIT ACK] [init tag: 1650211246] *
+  192.168.1.2 > 192.168.1.1: [COOKIE ECHO]
+    192.168.1.1 > 192.168.1.2: [COOKIE ECHO]
+    192.168.1.2 > 192.168.1.1: [COOKIE ACK]
+
+Scenario B: INIT_ACK is delayed until the peer completes its own handshake
+
+  192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 3922216408]
+    192.168.1.1 > 192.168.1.2: sctp (1) [INIT] [init tag: 144230885]
+    192.168.1.2 > 192.168.1.1: sctp (1) [INIT ACK] [init tag: 3922216408]
+    192.168.1.1 > 192.168.1.2: sctp (1) [COOKIE ECHO]
+    192.168.1.2 > 192.168.1.1: sctp (1) [COOKIE ACK]
+  192.168.1.1 > 192.168.1.2: sctp (1) [INIT ACK] [init tag: 3914796021] *
+
+This patch fixes it as below:
+
+In SCTP_CID_INIT processing:
+- clear ct->proto.sctp.init[!dir] if ct->proto.sctp.init[dir] &&
+  ct->proto.sctp.init[!dir]. (Scenario E)
+- set ct->proto.sctp.init[dir].
+
+In SCTP_CID_INIT_ACK processing:
+- drop it if !ct->proto.sctp.init[!dir] && ct->proto.sctp.vtag[!dir] &&
+  ct->proto.sctp.vtag[!dir] != ih->init_tag. (Scenario B, Scenario C)
+- drop it if ct->proto.sctp.init[dir] && ct->proto.sctp.init[!dir] &&
+  ct->proto.sctp.vtag[!dir] != ih->init_tag. (Scenario A)
+
+In SCTP_CID_COOKIE_ACK processing:
+- clear ct->proto.sctp.init[dir] and ct->proto.sctp.init[!dir].
+  (Scenario D)
+
+Also, it's important to allow the ct state to move forward with cookie_echo
+and cookie_ack from the opposite dir for the collision scenarios.
+
+There are also other Scenarios where it should allow the packet through,
+addressed by the processing above:
+
+Scenario C: new CT is created by INIT_ACK.
+
+Scenario D: start INIT on the existing ESTABLISHED ct.
+
+Scenario E: start INIT after the old collision on the existing ESTABLISHED
+ct.
+
+  192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 3922216408]
+  192.168.1.1 > 192.168.1.2: sctp (1) [INIT] [init tag: 144230885]
+  (both side are stopped, then start new connection again in hours)
+  192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 242308742]
+
+Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/netfilter/nf_conntrack_sctp.h |  1 +
+ net/netfilter/nf_conntrack_proto_sctp.c     | 43 ++++++++++++++++-----
+ 2 files changed, 34 insertions(+), 10 deletions(-)
+
+diff --git a/include/linux/netfilter/nf_conntrack_sctp.h b/include/linux/netfilter/nf_conntrack_sctp.h
+index 625f491b95de8..fb31312825ae5 100644
+--- a/include/linux/netfilter/nf_conntrack_sctp.h
++++ b/include/linux/netfilter/nf_conntrack_sctp.h
+@@ -9,6 +9,7 @@ struct ip_ct_sctp {
+       enum sctp_conntrack state;
+       __be32 vtag[IP_CT_DIR_MAX];
++      u8 init[IP_CT_DIR_MAX];
+       u8 last_dir;
+       u8 flags;
+ };
+diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
+index b6bcc8f2f46b7..c6bd533983c1f 100644
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -112,7 +112,7 @@ static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
+ /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA, sSA},
+ /* error        */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL},/* Can't have Stale cookie*/
+ /* cookie_echo  */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA, sCL},/* 5.2.4 - Big TODO */
+-/* cookie_ack   */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL},/* Can't come in orig dir */
++/* cookie_ack   */ {sCL, sCL, sCW, sES, sES, sSS, sSR, sSA, sCL},/* Can't come in orig dir */
+ /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL, sCL},
+ /* heartbeat    */ {sHS, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS},
+ /* heartbeat_ack*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS},
+@@ -126,7 +126,7 @@ static const u8 sctp_conntracks[2][11][SCTP_CONNTRACK_MAX] = {
+ /* shutdown     */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV},
+ /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV},
+ /* error        */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA, sIV},
+-/* cookie_echo  */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV},/* Can't come in reply dir */
++/* cookie_echo  */ {sIV, sCL, sCE, sCE, sES, sSS, sSR, sSA, sIV},/* Can't come in reply dir */
+ /* cookie_ack   */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA, sIV},
+ /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL, sIV},
+ /* heartbeat    */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS},
+@@ -412,6 +412,9 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
+                       /* (D) vtag must be same as init_vtag as found in INIT_ACK */
+                       if (sh->vtag != ct->proto.sctp.vtag[dir])
+                               goto out_unlock;
++              } else if (sch->type == SCTP_CID_COOKIE_ACK) {
++                      ct->proto.sctp.init[dir] = 0;
++                      ct->proto.sctp.init[!dir] = 0;
+               } else if (sch->type == SCTP_CID_HEARTBEAT) {
+                       if (ct->proto.sctp.vtag[dir] == 0) {
+                               pr_debug("Setting %d vtag %x for dir %d\n", sch->type, sh->vtag, dir);
+@@ -461,16 +464,18 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
+               }
+               /* If it is an INIT or an INIT ACK note down the vtag */
+-              if (sch->type == SCTP_CID_INIT ||
+-                  sch->type == SCTP_CID_INIT_ACK) {
+-                      struct sctp_inithdr _inithdr, *ih;
++              if (sch->type == SCTP_CID_INIT) {
++                      struct sctp_inithdr _ih, *ih;
+-                      ih = skb_header_pointer(skb, offset + sizeof(_sch),
+-                                              sizeof(_inithdr), &_inithdr);
+-                      if (ih == NULL)
++                      ih = skb_header_pointer(skb, offset + sizeof(_sch), sizeof(*ih), &_ih);
++                      if (!ih)
+                               goto out_unlock;
+-                      pr_debug("Setting vtag %x for dir %d\n",
+-                               ih->init_tag, !dir);
++
++                      if (ct->proto.sctp.init[dir] && ct->proto.sctp.init[!dir])
++                              ct->proto.sctp.init[!dir] = 0;
++                      ct->proto.sctp.init[dir] = 1;
++
++                      pr_debug("Setting vtag %x for dir %d\n", ih->init_tag, !dir);
+                       ct->proto.sctp.vtag[!dir] = ih->init_tag;
+                       /* don't renew timeout on init retransmit so
+@@ -481,6 +486,24 @@ int nf_conntrack_sctp_packet(struct nf_conn *ct,
+                           old_state == SCTP_CONNTRACK_CLOSED &&
+                           nf_ct_is_confirmed(ct))
+                               ignore = true;
++              } else if (sch->type == SCTP_CID_INIT_ACK) {
++                      struct sctp_inithdr _ih, *ih;
++                      __be32 vtag;
++
++                      ih = skb_header_pointer(skb, offset + sizeof(_sch), sizeof(*ih), &_ih);
++                      if (!ih)
++                              goto out_unlock;
++
++                      vtag = ct->proto.sctp.vtag[!dir];
++                      if (!ct->proto.sctp.init[!dir] && vtag && vtag != ih->init_tag)
++                              goto out_unlock;
++                      /* collision */
++                      if (ct->proto.sctp.init[dir] && ct->proto.sctp.init[!dir] &&
++                          vtag != ih->init_tag)
++                              goto out_unlock;
++
++                      pr_debug("Setting vtag %x for dir %d\n", ih->init_tag, !dir);
++                      ct->proto.sctp.vtag[!dir] = ih->init_tag;
+               }
+               ct->proto.sctp.state = new_state;
+-- 
+2.40.1
+
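Review bot: The two trailing comments in sctp_conntracks[] that this patch leaves in place, `/* Can't come in orig dir */` on the cookie_ack row and `/* Can't come in reply dir */` on the cookie_echo row, now contradict the rows they annotate. The fourth entry of the first changes from sCE to sES and the third entry of the second from sCW to sCE, precisely to let these chunks advance the state from the opposite direction on an INIT collision. Suggest rewording both, e.g. `/* orig dir only after an INIT collision */` and `/* reply dir only after an INIT collision */`. In nf_conntrack_sctp_packet() the two new INIT_ACK drop conditions are explained only in the commit message. Short comments naming the cases would help, such as `/* delayed INIT_ACK with a stale tag (Scenario B, C) */` on the first and `/* collision: accept only the INIT_ACK matching the recorded vtag (Scenario A) */` in place of `/* collision */`. The new `u8 init[IP_CT_DIR_MAX]` field also has no comment saying it records which direction has sent an INIT.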
diff --git a/queue-6.5/netfilter-nf_tables-deduplicate-nft_register_obj-aud.patch b/queue-6.5/netfilter-nf_tables-deduplicate-nft_register_obj-aud.patch
new file mode 100644 (file)
index 0000000..a3cdb79
--- /dev/null
@@ -0,0 +1,130 @@
+From e92efdb697e0863657ef4a665a3fa62af7651a13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Sep 2023 03:53:50 +0200
+Subject: netfilter: nf_tables: Deduplicate nft_register_obj audit logs
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 0d880dc6f032e0b541520e9926f398a77d3d433c ]
+
+When adding/updating an object, the transaction handler emits suitable
+audit log entries already, the one in nft_obj_notify() is redundant. To
+fix that (and retain the audit logging from objects' 'update' callback),
+Introduce an "audit log free" variant for internal use.
+
+Fixes: c520292f29b8 ("audit: log nftables configuration change events once per table")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
+Acked-by: Paul Moore <paul@paul-moore.com> (Audit)
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c                 | 44 ++++++++++++-------
+ .../testing/selftests/netfilter/nft_audit.sh  | 20 +++++++++
+ 2 files changed, 48 insertions(+), 16 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 976a9b763b9bb..be5869366c7d3 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -7868,24 +7868,14 @@ static int nf_tables_delobj(struct sk_buff *skb, const struct nfnl_info *info,
+       return nft_delobj(&ctx, obj);
+ }
+-void nft_obj_notify(struct net *net, const struct nft_table *table,
+-                  struct nft_object *obj, u32 portid, u32 seq, int event,
+-                  u16 flags, int family, int report, gfp_t gfp)
++static void
++__nft_obj_notify(struct net *net, const struct nft_table *table,
++               struct nft_object *obj, u32 portid, u32 seq, int event,
++               u16 flags, int family, int report, gfp_t gfp)
+ {
+       struct nftables_pernet *nft_net = nft_pernet(net);
+       struct sk_buff *skb;
+       int err;
+-      char *buf = kasprintf(gfp, "%s:%u",
+-                            table->name, nft_net->base_seq);
+-
+-      audit_log_nfcfg(buf,
+-                      family,
+-                      obj->handle,
+-                      event == NFT_MSG_NEWOBJ ?
+-                               AUDIT_NFT_OP_OBJ_REGISTER :
+-                               AUDIT_NFT_OP_OBJ_UNREGISTER,
+-                      gfp);
+-      kfree(buf);
+       if (!report &&
+           !nfnetlink_has_listeners(net, NFNLGRP_NFTABLES))
+@@ -7908,13 +7898,35 @@ void nft_obj_notify(struct net *net, const struct nft_table *table,
+ err:
+       nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
+ }
++
++void nft_obj_notify(struct net *net, const struct nft_table *table,
++                  struct nft_object *obj, u32 portid, u32 seq, int event,
++                  u16 flags, int family, int report, gfp_t gfp)
++{
++      struct nftables_pernet *nft_net = nft_pernet(net);
++      char *buf = kasprintf(gfp, "%s:%u",
++                            table->name, nft_net->base_seq);
++
++      audit_log_nfcfg(buf,
++                      family,
++                      obj->handle,
++                      event == NFT_MSG_NEWOBJ ?
++                               AUDIT_NFT_OP_OBJ_REGISTER :
++                               AUDIT_NFT_OP_OBJ_UNREGISTER,
++                      gfp);
++      kfree(buf);
++
++      __nft_obj_notify(net, table, obj, portid, seq, event,
++                       flags, family, report, gfp);
++}
+ EXPORT_SYMBOL_GPL(nft_obj_notify);
+ static void nf_tables_obj_notify(const struct nft_ctx *ctx,
+                                struct nft_object *obj, int event)
+ {
+-      nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid, ctx->seq, event,
+-                     ctx->flags, ctx->family, ctx->report, GFP_KERNEL);
++      __nft_obj_notify(ctx->net, ctx->table, obj, ctx->portid,
++                       ctx->seq, event, ctx->flags, ctx->family,
++                       ctx->report, GFP_KERNEL);
+ }
+ /*
+diff --git a/tools/testing/selftests/netfilter/nft_audit.sh b/tools/testing/selftests/netfilter/nft_audit.sh
+index 0b3255e7b3538..bb34329e02a7f 100755
+--- a/tools/testing/selftests/netfilter/nft_audit.sh
++++ b/tools/testing/selftests/netfilter/nft_audit.sh
+@@ -85,6 +85,26 @@ do_test "nft add set t1 s2 $setblock; add set t1 s3 { $settype; }" \
+ do_test "nft add element t1 s3 $setelem" \
+ "table=t1 family=2 entries=3 op=nft_register_setelem"
++# adding counters
++
++do_test 'nft add counter t1 c1' \
++'table=t1 family=2 entries=1 op=nft_register_obj'
++
++do_test 'nft add counter t2 c1; add counter t2 c2' \
++'table=t2 family=2 entries=2 op=nft_register_obj'
++
++# adding/updating quotas
++
++do_test 'nft add quota t1 q1 { 10 bytes }' \
++'table=t1 family=2 entries=1 op=nft_register_obj'
++
++do_test 'nft add quota t2 q1 { 10 bytes }; add quota t2 q2 { 10 bytes }' \
++'table=t2 family=2 entries=2 op=nft_register_obj'
++
++# changing the quota value triggers obj update path
++do_test 'nft add quota t1 q1 { 20 bytes }' \
++'table=t1 family=2 entries=1 op=nft_register_obj'
++
+ # resetting rules
+ do_test 'nft reset rules t1 c2' \
+-- 
+2.40.1
+
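Review bot: The new static helper `__nft_obj_notify()` carries no comment saying that it deliberately skips the audit record, so a later caller can pick it over nft_obj_notify() and silently lose audit coverage for an object change. Suggest a header comment such as `/* Send the netlink notification only; callers must ensure the change is audited elsewhere (the transaction handler logs add/update). */`. In the exported nft_obj_notify() the result of `kasprintf(gfp, "%s:%u", ...)` is passed to audit_log_nfcfg() unchecked. That code is moved rather than new, but under memory pressure the audit entry would be emitted without the table name (how audit_log_nfcfg() treats a NULL name is not visible here), which is worth a follow-up.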
diff --git a/queue-6.5/netfilter-nf_tables-nft_set_rbtree-fix-spurious-inse.patch b/queue-6.5/netfilter-nf_tables-nft_set_rbtree-fix-spurious-inse.patch
new file mode 100644 (file)
index 0000000..9f74b06
--- /dev/null
@@ -0,0 +1,181 @@
+From d4ec00c5c8d784fcec2d94b2d317002042146893 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Sep 2023 15:12:44 +0200
+Subject: netfilter: nf_tables: nft_set_rbtree: fix spurious insertion failure
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 087388278e0f301f4c61ddffb1911d3a180f84b8 ]
+
+nft_rbtree_gc_elem() walks back and removes the end interval element that
+comes before the expired element.
+
+There is a small chance that we've cached this element as 'rbe_ge'.
+If this happens, we hold and test a pointer that has been queued for
+freeing.
+
+It also causes spurious insertion failures:
+
+$ cat test-testcases-sets-0044interval_overlap_0.1/testout.log
+Error: Could not process rule: File exists
+add element t s {  0 -  2 }
+                   ^^^^^^
+Failed to insert  0 -  2 given:
+table ip t {
+        set s {
+                type inet_service
+                flags interval,timeout
+                timeout 2s
+                gc-interval 2s
+        }
+}
+
+The set (rbtree) is empty. The 'failure' doesn't happen on next attempt.
+
+Reason is that when we try to insert, the tree may hold an expired
+element that collides with the range we're adding.
+While we do evict/erase this element, we can trip over this check:
+
+if (rbe_ge && nft_rbtree_interval_end(rbe_ge) && nft_rbtree_interval_end(new))
+      return -ENOTEMPTY;
+
+rbe_ge was erased by the synchronous gc, we should not have done this
+check.  Next attempt won't find it, so retry results in successful
+insertion.
+
+Restart in-kernel to avoid such spurious errors.
+
+Such restart are rare, unless userspace intentionally adds very large
+numbers of elements with very short timeouts while setting a huge
+gc interval.
+
+Even in this case, this cannot loop forever, on each retry an existing
+element has been removed.
+
+As the caller is holding the transaction mutex, its impossible
+for a second entity to add more expiring elements to the tree.
+
+After this it also becomes feasible to remove the async gc worker
+and perform all garbage collection from the commit path.
+
+Fixes: c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_rbtree.c | 46 +++++++++++++++++++++-------------
+ 1 file changed, 29 insertions(+), 17 deletions(-)
+
+diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
+index 487572dcd6144..2660ceab3759d 100644
+--- a/net/netfilter/nft_set_rbtree.c
++++ b/net/netfilter/nft_set_rbtree.c
+@@ -233,10 +233,9 @@ static void nft_rbtree_gc_remove(struct net *net, struct nft_set *set,
+       rb_erase(&rbe->node, &priv->root);
+ }
+-static int nft_rbtree_gc_elem(const struct nft_set *__set,
+-                            struct nft_rbtree *priv,
+-                            struct nft_rbtree_elem *rbe,
+-                            u8 genmask)
++static const struct nft_rbtree_elem *
++nft_rbtree_gc_elem(const struct nft_set *__set, struct nft_rbtree *priv,
++                 struct nft_rbtree_elem *rbe, u8 genmask)
+ {
+       struct nft_set *set = (struct nft_set *)__set;
+       struct rb_node *prev = rb_prev(&rbe->node);
+@@ -246,7 +245,7 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set,
+       gc = nft_trans_gc_alloc(set, 0, GFP_ATOMIC);
+       if (!gc)
+-              return -ENOMEM;
++              return ERR_PTR(-ENOMEM);
+       /* search for end interval coming before this element.
+        * end intervals don't carry a timeout extension, they
+@@ -261,6 +260,7 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set,
+               prev = rb_prev(prev);
+       }
++      rbe_prev = NULL;
+       if (prev) {
+               rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node);
+               nft_rbtree_gc_remove(net, set, priv, rbe_prev);
+@@ -272,7 +272,7 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set,
+                */
+               gc = nft_trans_gc_queue_sync(gc, GFP_ATOMIC);
+               if (WARN_ON_ONCE(!gc))
+-                      return -ENOMEM;
++                      return ERR_PTR(-ENOMEM);
+               nft_trans_gc_elem_add(gc, rbe_prev);
+       }
+@@ -280,13 +280,13 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set,
+       nft_rbtree_gc_remove(net, set, priv, rbe);
+       gc = nft_trans_gc_queue_sync(gc, GFP_ATOMIC);
+       if (WARN_ON_ONCE(!gc))
+-              return -ENOMEM;
++              return ERR_PTR(-ENOMEM);
+       nft_trans_gc_elem_add(gc, rbe);
+       nft_trans_gc_queue_sync_done(gc);
+-      return 0;
++      return rbe_prev;
+ }
+ static bool nft_rbtree_update_first(const struct nft_set *set,
+@@ -314,7 +314,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
+       struct nft_rbtree *priv = nft_set_priv(set);
+       u8 cur_genmask = nft_genmask_cur(net);
+       u8 genmask = nft_genmask_next(net);
+-      int d, err;
++      int d;
+       /* Descend the tree to search for an existing element greater than the
+        * key value to insert that is greater than the new element. This is the
+@@ -363,9 +363,14 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
+                */
+               if (nft_set_elem_expired(&rbe->ext) &&
+                   nft_set_elem_active(&rbe->ext, cur_genmask)) {
+-                      err = nft_rbtree_gc_elem(set, priv, rbe, genmask);
+-                      if (err < 0)
+-                              return err;
++                      const struct nft_rbtree_elem *removed_end;
++
++                      removed_end = nft_rbtree_gc_elem(set, priv, rbe, genmask);
++                      if (IS_ERR(removed_end))
++                              return PTR_ERR(removed_end);
++
++                      if (removed_end == rbe_le || removed_end == rbe_ge)
++                              return -EAGAIN;
+                       continue;
+               }
+@@ -486,11 +491,18 @@ static int nft_rbtree_insert(const struct net *net, const struct nft_set *set,
+       struct nft_rbtree_elem *rbe = elem->priv;
+       int err;
+-      write_lock_bh(&priv->lock);
+-      write_seqcount_begin(&priv->count);
+-      err = __nft_rbtree_insert(net, set, rbe, ext);
+-      write_seqcount_end(&priv->count);
+-      write_unlock_bh(&priv->lock);
++      do {
++              if (fatal_signal_pending(current))
++                      return -EINTR;
++
++              cond_resched();
++
++              write_lock_bh(&priv->lock);
++              write_seqcount_begin(&priv->count);
++              err = __nft_rbtree_insert(net, set, rbe, ext);
++              write_seqcount_end(&priv->count);
++              write_unlock_bh(&priv->lock);
++      } while (err == -EAGAIN);
+       return err;
+ }
+-- 
+2.40.1
+
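Review bot: nft_rbtree_gc_elem() now returns rbe_prev after that element has been handed to nft_trans_gc_elem_add(), so the caller receives a pointer to an object already queued for freeing, and neither the new prototype nor the body says it may only be compared. __nft_rbtree_insert() in this patch only compares it against rbe_le and rbe_ge, which is safe, but a later caller that dereferences it would reintroduce the stale-pointer use the commit message describes. I would add a comment above the function such as `/* Returns the removed end interval (or NULL), already queued for gc: compare only, never dereference. */`. The retry loop in nft_rbtree_insert() would also benefit from a one-line comment stating why -EAGAIN cannot repeat indefinitely, which today is explained only in the commit message.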
diff --git a/queue-6.5/netfilter-nft_payload-rebuild-vlan-header-on-h_proto.patch b/queue-6.5/netfilter-nft_payload-rebuild-vlan-header-on-h_proto.patch
new file mode 100644 (file)
index 0000000..dcc494d
--- /dev/null
@@ -0,0 +1,65 @@
+From 3fc45d8d26a3862f01940745edfed47e2b2064e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Sep 2023 10:42:10 +0200
+Subject: netfilter: nft_payload: rebuild vlan header on h_proto access
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit af84f9e447a65b4b9f79e7e5d69e19039b431c56 ]
+
+nft can perform merging of adjacent payload requests.
+This means that:
+
+ether saddr 00:11 ... ether type 8021ad ...
+
+is a single payload expression, for 8 bytes, starting at the
+ethernet source offset.
+
+Check that offset+length is fully within the source/destination mac
+addersses.
+
+This bug prevents 'ether type' from matching the correct h_proto in case
+vlan tag got stripped.
+
+Fixes: de6843be3082 ("netfilter: nft_payload: rebuild vlan header when needed")
+Reported-by: David Ward <david.ward@ll.mit.edu>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_payload.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
+index 8cb8009899479..120f6d395b98b 100644
+--- a/net/netfilter/nft_payload.c
++++ b/net/netfilter/nft_payload.c
+@@ -154,6 +154,17 @@ int nft_payload_inner_offset(const struct nft_pktinfo *pkt)
+       return pkt->inneroff;
+ }
++static bool nft_payload_need_vlan_copy(const struct nft_payload *priv)
++{
++      unsigned int len = priv->offset + priv->len;
++
++      /* data past ether src/dst requested, copy needed */
++      if (len > offsetof(struct ethhdr, h_proto))
++              return true;
++
++      return false;
++}
++
+ void nft_payload_eval(const struct nft_expr *expr,
+                     struct nft_regs *regs,
+                     const struct nft_pktinfo *pkt)
+@@ -172,7 +183,7 @@ void nft_payload_eval(const struct nft_expr *expr,
+                       goto err;
+               if (skb_vlan_tag_present(skb) &&
+-                  priv->offset >= offsetof(struct ethhdr, h_proto)) {
++                  nft_payload_need_vlan_copy(priv)) {
+                       if (!nft_payload_copy_vlan(dest, skb,
+                                                  priv->offset, priv->len))
+                               goto err;
+-- 
+2.40.1
+
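Review bot: nft_payload_need_vlan_copy() writes a plain comparison as an if / return true / return false sequence with a temporary; `return priv->offset + priv->len > offsetof(struct ethhdr, h_proto);` is equivalent and shorter. The existing comment could also say why the end of the request rather than its start is tested, e.g. `/* a merged request may start inside the MAC addresses and still reach h_proto */`, since testing only the start offset was the bug. The field types of priv->offset and priv->len are not visible in this hunk, so the equivalence assumes the sum is evaluated without wrapping, as it is with the temporary today.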
diff --git a/queue-6.5/netlink-annotate-data-races-around-sk-sk_err.patch b/queue-6.5/netlink-annotate-data-races-around-sk-sk_err.patch
new file mode 100644 (file)
index 0000000..9a0a328
--- /dev/null
@@ -0,0 +1,100 @@
+From d0f5ab9be620d7ed96f12992a849156a1c4b03ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Oct 2023 18:34:55 +0000
+Subject: netlink: annotate data-races around sk->sk_err
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d0f95894fda7d4f895b29c1097f92d7fee278cb2 ]
+
+syzbot caught another data-race in netlink when
+setting sk->sk_err.
+
+Annotate all of them for good measure.
+
+BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg
+
+write to 0xffff8881613bb220 of 4 bytes by task 28147 on cpu 0:
+netlink_recvmsg+0x448/0x780 net/netlink/af_netlink.c:1994
+sock_recvmsg_nosec net/socket.c:1027 [inline]
+sock_recvmsg net/socket.c:1049 [inline]
+__sys_recvfrom+0x1f4/0x2e0 net/socket.c:2229
+__do_sys_recvfrom net/socket.c:2247 [inline]
+__se_sys_recvfrom net/socket.c:2243 [inline]
+__x64_sys_recvfrom+0x78/0x90 net/socket.c:2243
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+write to 0xffff8881613bb220 of 4 bytes by task 28146 on cpu 1:
+netlink_recvmsg+0x448/0x780 net/netlink/af_netlink.c:1994
+sock_recvmsg_nosec net/socket.c:1027 [inline]
+sock_recvmsg net/socket.c:1049 [inline]
+__sys_recvfrom+0x1f4/0x2e0 net/socket.c:2229
+__do_sys_recvfrom net/socket.c:2247 [inline]
+__se_sys_recvfrom net/socket.c:2243 [inline]
+__x64_sys_recvfrom+0x78/0x90 net/socket.c:2243
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x00000000 -> 0x00000016
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 28146 Comm: syz-executor.0 Not tainted 6.6.0-rc3-syzkaller-00055-g9ed22ae6be81 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20231003183455.3410550-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlink/af_netlink.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 20082171f24a3..9c6bc47bc7f7b 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -352,7 +352,7 @@ static void netlink_overrun(struct sock *sk)
+       if (!nlk_test_bit(RECV_NO_ENOBUFS, sk)) {
+               if (!test_and_set_bit(NETLINK_S_CONGESTED,
+                                     &nlk_sk(sk)->state)) {
+-                      sk->sk_err = ENOBUFS;
++                      WRITE_ONCE(sk->sk_err, ENOBUFS);
+                       sk_error_report(sk);
+               }
+       }
+@@ -1577,7 +1577,7 @@ static int do_one_set_err(struct sock *sk, struct netlink_set_err_data *p)
+               goto out;
+       }
+-      sk->sk_err = p->code;
++      WRITE_ONCE(sk->sk_err, p->code);
+       sk_error_report(sk);
+ out:
+       return ret;
+@@ -1966,7 +1966,7 @@ static int netlink_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+           atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) {
+               ret = netlink_dump(sk);
+               if (ret) {
+-                      sk->sk_err = -ret;
++                      WRITE_ONCE(sk->sk_err, -ret);
+                       sk_error_report(sk);
+               }
+       }
+@@ -2485,7 +2485,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
+ err_bad_put:
+       nlmsg_free(skb);
+ err_skb:
+-      NETLINK_CB(in_skb).sk->sk_err = ENOBUFS;
++      WRITE_ONCE(NETLINK_CB(in_skb).sk->sk_err, ENOBUFS);
+       sk_error_report(NETLINK_CB(in_skb).sk);
+ }
+ EXPORT_SYMBOL(netlink_ack);
+-- 
+2.40.1
+
diff --git a/queue-6.5/nfsv4-fix-a-nfs4_state_manager-race.patch b/queue-6.5/nfsv4-fix-a-nfs4_state_manager-race.patch
new file mode 100644 (file)
index 0000000..15268a6
--- /dev/null
@@ -0,0 +1,43 @@
+From ef631955e9a44e020f70d4cc675fe462da7d5920 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Sep 2023 19:05:50 -0400
+Subject: NFSv4: Fix a nfs4_state_manager() race
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit ed1cc05aa1f7fe8197d300e914afc28ab9818f89 ]
+
+If the NFS4CLNT_RUN_MANAGER flag got set just before we cleared
+NFS4CLNT_MANAGER_RUNNING, then we might have won the race against
+nfs4_schedule_state_manager(), and are responsible for handling the
+recovery situation.
+
+Fixes: aeabb3c96186 ("NFSv4: Fix a NFSv4 state manager deadlock")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4state.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
+index 597ae4535fe33..9a5d911a7edc7 100644
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -2714,6 +2714,13 @@ static void nfs4_state_manager(struct nfs_client *clp)
+               nfs4_end_drain_session(clp);
+               nfs4_clear_state_manager_bit(clp);
++              if (test_bit(NFS4CLNT_RUN_MANAGER, &clp->cl_state) &&
++                  !test_and_set_bit(NFS4CLNT_MANAGER_RUNNING,
++                                    &clp->cl_state)) {
++                      memflags = memalloc_nofs_save();
++                      continue;
++              }
++
+               if (!test_and_set_bit(NFS4CLNT_RECALL_RUNNING, &clp->cl_state)) {
+                       if (test_and_clear_bit(NFS4CLNT_DELEGRETURN, &clp->cl_state)) {
+                               nfs_client_return_marked_delegations(clp);
+-- 
+2.40.1
+
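Review bot: The added block in nfs4_state_manager() re-takes NFS4CLNT_MANAGER_RUNNING and calls memalloc_nofs_save() again before `continue`, but carries no comment explaining either step, and the reason lives only in the commit message. A short comment such as `/* RUN_MANAGER was set before MANAGER_RUNNING was cleared: we own the recovery, so loop again */` would make the ordering requirement visible. The second memalloc_nofs_save() presumably pairs with a restore performed earlier in the loop body, which lies outside this hunk. That pairing is worth confirming and stating, since an unbalanced save/restore would leave the task's allocation flags wrong.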
diff --git a/queue-6.5/ovl-fetch-inode-once-in-ovl_dentry_revalidate_common.patch b/queue-6.5/ovl-fetch-inode-once-in-ovl_dentry_revalidate_common.patch
new file mode 100644 (file)
index 0000000..50c867e
--- /dev/null
@@ -0,0 +1,47 @@
+From b2025886886287e85fb8138dd4802b3bf4216902 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Oct 2023 03:36:43 +0100
+Subject: ovl: fetch inode once in ovl_dentry_revalidate_common()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit c54719c92aa3129f330cce81b88cf34f1627f756 ]
+
+d_inode_rcu() is right - we might be in rcu pathwalk;
+however, OVL_E() hides plain d_inode() on the same dentry...
+
+Fixes: a6ff2bc0be17 ("ovl: use OVL_E() and OVL_E_FLAGS() accessors")
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/overlayfs/super.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
+index 8e9c1cf83df24..1090c68e5b051 100644
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -101,8 +101,8 @@ static int ovl_revalidate_real(struct dentry *d, unsigned int flags, bool weak)
+ static int ovl_dentry_revalidate_common(struct dentry *dentry,
+                                       unsigned int flags, bool weak)
+ {
+-      struct ovl_entry *oe = OVL_E(dentry);
+-      struct ovl_path *lowerstack = ovl_lowerstack(oe);
++      struct ovl_entry *oe;
++      struct ovl_path *lowerstack;
+       struct inode *inode = d_inode_rcu(dentry);
+       struct dentry *upper;
+       unsigned int i;
+@@ -112,6 +112,8 @@ static int ovl_dentry_revalidate_common(struct dentry *dentry,
+       if (!inode)
+               return -ECHILD;
++      oe = OVL_I_E(inode);
++      lowerstack = ovl_lowerstack(oe);
+       upper = ovl_i_dentry_upper(inode);
+       if (upper)
+               ret = ovl_revalidate_real(upper, flags, weak);
+-- 
+2.40.1
+
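Review bot: The reordering in ovl_dentry_revalidate_common() is correct only as long as oe is derived from the inode returned by d_inode_rcu() after the NULL check, yet nothing in the code records that constraint. The commit message notes that OVL_E() hides a plain d_inode() on the same dentry, so a later cleanup that folds the assignment back into the declaration would silently restore the second, unchecked fetch. I would add above `oe = OVL_I_E(inode);` a comment like `/* may be in RCU walk: use the inode fetched above, OVL_E(dentry) would re-read d_inode() */`.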
diff --git a/queue-6.5/ovl-move-freeing-ovl_entry-past-rcu-delay.patch b/queue-6.5/ovl-move-freeing-ovl_entry-past-rcu-delay.patch
new file mode 100644 (file)
index 0000000..3fae023
--- /dev/null
@@ -0,0 +1,43 @@
+From 2ff67718b0d8054df84f1e24dc72cc8fb7ee1b8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Oct 2023 03:36:13 +0100
+Subject: ovl: move freeing ovl_entry past rcu delay
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit d9e8319a6e3538b430f692b5625a76ffa0758adc ]
+
+... into ->free_inode(), that is.
+
+Fixes: 0af950f57fef "ovl: move ovl_entry into ovl_inode"
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/overlayfs/super.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
+index cc8977498c483..8e9c1cf83df24 100644
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -164,6 +164,7 @@ static void ovl_free_inode(struct inode *inode)
+       struct ovl_inode *oi = OVL_I(inode);
+       kfree(oi->redirect);
++      kfree(oi->oe);
+       mutex_destroy(&oi->lock);
+       kmem_cache_free(ovl_inode_cachep, oi);
+ }
+@@ -173,7 +174,7 @@ static void ovl_destroy_inode(struct inode *inode)
+       struct ovl_inode *oi = OVL_I(inode);
+       dput(oi->__upperdentry);
+-      ovl_free_entry(oi->oe);
++      ovl_stack_put(ovl_lowerstack(oi->oe), ovl_numlower(oi->oe));
+       if (S_ISDIR(inode->i_mode))
+               ovl_dir_cache_free(inode);
+       else
+-- 
+2.40.1
+
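Review bot: After this change ovl_destroy_inode() drops the lower-stack references while oi->oe itself stays allocated until ovl_free_inode(), and no comment explains the split. The subject says the free is moved past the RCU delay, so presumably lockless readers may still look at oe in between. A comment in ovl_destroy_inode() such as `/* oe is freed in ->free_inode(), after the RCU grace period */` would keep someone from merging the two steps again. It is also worth confirming that ovl_lowerstack() and ovl_numlower() accept the same oi->oe values that ovl_free_entry() did, since their definitions are outside this hunk.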
diff --git a/queue-6.5/perf-x86-amd-core-fix-overflow-reset-on-hotplug.patch b/queue-6.5/perf-x86-amd-core-fix-overflow-reset-on-hotplug.patch
new file mode 100644 (file)
index 0000000..711ec51
--- /dev/null
@@ -0,0 +1,90 @@
+From 940b795b4972d82ef36f4afe28c62a29742484a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Sep 2023 19:36:04 +0530
+Subject: perf/x86/amd/core: Fix overflow reset on hotplug
+
+From: Sandipan Das <sandipan.das@amd.com>
+
+[ Upstream commit 23d2626b841c2adccdeb477665313c02dff02dc3 ]
+
+Kernels older than v5.19 do not support PerfMonV2 and the PMI handler
+does not clear the overflow bits of the PerfCntrGlobalStatus register.
+Because of this, loading a recent kernel using kexec from an older
+kernel can result in inconsistent register states on Zen 4 systems.
+
+The PMI handler of the new kernel gets confused and shows a warning when
+an overflow occurs because some of the overflow bits are set even if the
+corresponding counters are inactive. These are remnants from overflows
+that were handled by the older kernel.
+
+During CPU hotplug, the PerfCntrGlobalCtl and PerfCntrGlobalStatus
+registers should always be cleared for PerfMonV2-capable processors.
+However, a condition used for NB event constaints applicable only to
+older processors currently prevents this from happening. Move the reset
+sequence to an appropriate place and also clear the LBR Freeze bit.
+
+Fixes: 21d59e3e2c40 ("perf/x86/amd/core: Detect PerfMonV2 support")
+Signed-off-by: Sandipan Das <sandipan.das@amd.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/882a87511af40792ba69bb0e9026f19a2e71e8a3.1694696888.git.sandipan.das@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/amd/core.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c
+index abadd5f234254..ed626bfa1eedb 100644
+--- a/arch/x86/events/amd/core.c
++++ b/arch/x86/events/amd/core.c
+@@ -534,8 +534,12 @@ static void amd_pmu_cpu_reset(int cpu)
+       /* Clear enable bits i.e. PerfCntrGlobalCtl.PerfCntrEn */
+       wrmsrl(MSR_AMD64_PERF_CNTR_GLOBAL_CTL, 0);
+-      /* Clear overflow bits i.e. PerfCntrGLobalStatus.PerfCntrOvfl */
+-      wrmsrl(MSR_AMD64_PERF_CNTR_GLOBAL_STATUS_CLR, amd_pmu_global_cntr_mask);
++      /*
++       * Clear freeze and overflow bits i.e. PerfCntrGLobalStatus.LbrFreeze
++       * and PerfCntrGLobalStatus.PerfCntrOvfl
++       */
++      wrmsrl(MSR_AMD64_PERF_CNTR_GLOBAL_STATUS_CLR,
++             GLOBAL_STATUS_LBRS_FROZEN | amd_pmu_global_cntr_mask);
+ }
+ static int amd_pmu_cpu_prepare(int cpu)
+@@ -570,6 +574,7 @@ static void amd_pmu_cpu_starting(int cpu)
+       int i, nb_id;
+       cpuc->perf_ctr_virt_mask = AMD64_EVENTSEL_HOSTONLY;
++      amd_pmu_cpu_reset(cpu);
+       if (!x86_pmu.amd_nb_constraints)
+               return;
+@@ -591,8 +596,6 @@ static void amd_pmu_cpu_starting(int cpu)
+       cpuc->amd_nb->nb_id = nb_id;
+       cpuc->amd_nb->refcnt++;
+-
+-      amd_pmu_cpu_reset(cpu);
+ }
+ static void amd_pmu_cpu_dead(int cpu)
+@@ -601,6 +604,7 @@ static void amd_pmu_cpu_dead(int cpu)
+       kfree(cpuhw->lbr_sel);
+       cpuhw->lbr_sel = NULL;
++      amd_pmu_cpu_reset(cpu);
+       if (!x86_pmu.amd_nb_constraints)
+               return;
+@@ -613,8 +617,6 @@ static void amd_pmu_cpu_dead(int cpu)
+               cpuhw->amd_nb = NULL;
+       }
+-
+-      amd_pmu_cpu_reset(cpu);
+ }
+ static inline void amd_pmu_set_global_ctl(u64 ctl)
+-- 
+2.40.1
+
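Review bot: amd_pmu_cpu_dead() now calls amd_pmu_cpu_reset(cpu) unconditionally, but the visible part of amd_pmu_cpu_reset() clears the registers with plain wrmsrl(), which writes the MSRs of whichever CPU executes it rather than those of `cpu`. CPU-hotplug "dead" callbacks normally run on a control CPU after the target has gone offline, so this would clear PerfCntrGlobalCtl and PerfCntrGlobalStatus on a live, unrelated CPU and could disturb counters in use there. The reset in amd_pmu_cpu_starting() already covers the next online of the same CPU, so I would drop the `amd_pmu_cpu_reset(cpu);` line from amd_pmu_cpu_dead() rather than move it. The start of amd_pmu_cpu_reset() and the hotplug registration are outside these hunks, so the execution context should be confirmed there.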
diff --git a/queue-6.5/perf-x86-amd-do-not-warn-on-every-irq.patch b/queue-6.5/perf-x86-amd-do-not-warn-on-every-irq.patch
new file mode 100644 (file)
index 0000000..fc2ad9e
--- /dev/null
@@ -0,0 +1,87 @@
+From 280bb8b77f2ec5665b5a5837312c2e1bf808462a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Sep 2023 19:58:40 +0530
+Subject: perf/x86/amd: Do not WARN() on every IRQ
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 599522d9d2e19d6240e4312577f1c5f3ffca22f6 ]
+
+Zen 4 systems running buggy microcode can hit a WARN_ON() in the PMI
+handler, as shown below, several times while perf runs. A simple
+`perf top` run is enough to render the system unusable:
+
+  WARNING: CPU: 18 PID: 20608 at arch/x86/events/amd/core.c:944 amd_pmu_v2_handle_irq+0x1be/0x2b0
+
+This happens because the Performance Counter Global Status Register
+(PerfCntGlobalStatus) has one or more bits set which are considered
+reserved according to the "AMD64 Architecture Programmer’s Manual,
+Volume 2: System Programming, 24593":
+
+  https://www.amd.com/system/files/TechDocs/24593.pdf
+
+To make this less intrusive, warn just once if any reserved bit is set
+and prompt the user to update the microcode. Also sanitize the value to
+what the code is handling, so that the overflow events continue to be
+handled for the number of counters that are known to be sane.
+
+Going forward, the following microcode patch levels are recommended
+for Zen 4 processors in order to avoid such issues with reserved bits:
+
+  Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e
+  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e
+  Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116
+  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212
+
+Commit f2eb058afc57 ("linux-firmware: Update AMD cpu microcode") from
+the linux-firmware tree has binaries that meet the minimum required
+patch levels.
+
+  [ sandipan: - add message to prompt users to update microcode
+              - rework commit message and call out required microcode levels ]
+
+Fixes: 7685665c390d ("perf/x86/amd/core: Add PerfMonV2 overflow handling")
+Reported-by: Jirka Hladky <jhladky@redhat.com>
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Signed-off-by: Sandipan Das <sandipan.das@amd.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/all/3540f985652f41041e54ee82aa53e7dbd55739ae.1694696888.git.sandipan.das@amd.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/events/amd/core.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c
+index ed626bfa1eedb..e24976593a298 100644
+--- a/arch/x86/events/amd/core.c
++++ b/arch/x86/events/amd/core.c
+@@ -886,7 +886,7 @@ static int amd_pmu_v2_handle_irq(struct pt_regs *regs)
+       struct hw_perf_event *hwc;
+       struct perf_event *event;
+       int handled = 0, idx;
+-      u64 status, mask;
++      u64 reserved, status, mask;
+       bool pmu_enabled;
+       /*
+@@ -911,6 +911,14 @@ static int amd_pmu_v2_handle_irq(struct pt_regs *regs)
+               status &= ~GLOBAL_STATUS_LBRS_FROZEN;
+       }
++      reserved = status & ~amd_pmu_global_cntr_mask;
++      if (reserved)
++              pr_warn_once("Reserved PerfCntrGlobalStatus bits are set (0x%llx), please consider updating microcode\n",
++                           reserved);
++
++      /* Clear any reserved bits set by buggy microcode */
++      status &= amd_pmu_global_cntr_mask;
++
+       for (idx = 0; idx < x86_pmu.num_counters; idx++) {
+               if (!test_bit(idx, cpuc->active_mask))
+                       continue;
+-- 
+2.40.1
+
diff --git a/queue-6.5/ptp-ocp-fix-error-handling-in-ptp_ocp_device_init.patch b/queue-6.5/ptp-ocp-fix-error-handling-in-ptp_ocp_device_init.patch
new file mode 100644 (file)
index 0000000..ce55f34
--- /dev/null
@@ -0,0 +1,37 @@
+From 4be405806c8f2c51e56bd16e73059d8f3121b3d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Sep 2023 17:40:44 +0800
+Subject: ptp: ocp: Fix error handling in ptp_ocp_device_init
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+[ Upstream commit caa0578c1d487d39e4bb947a1b4965417053b409 ]
+
+When device_add() fails, ptp_ocp_dev_release() will be called
+after put_device(). Therefore, it seems that the
+ptp_ocp_dev_release() before put_device() is redundant.
+
+Fixes: 773bda964921 ("ptp: ocp: Expose various resources on the timecard.")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Vadim Feodrenko <vadim.fedorenko@linux.dev>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ptp/ptp_ocp.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/ptp/ptp_ocp.c b/drivers/ptp/ptp_ocp.c
+index 20a974ced8d6c..a7a6947ab4bc5 100644
+--- a/drivers/ptp/ptp_ocp.c
++++ b/drivers/ptp/ptp_ocp.c
+@@ -3998,7 +3998,6 @@ ptp_ocp_device_init(struct ptp_ocp *bp, struct pci_dev *pdev)
+       return 0;
+ out:
+-      ptp_ocp_dev_release(&bp->dev);
+       put_device(&bp->dev);
+       return err;
+ }
+-- 
+2.40.1
+
diff --git a/queue-6.5/regmap-rbtree-fix-wrong-register-marked-as-in-cache-.patch b/queue-6.5/regmap-rbtree-fix-wrong-register-marked-as-in-cache-.patch
new file mode 100644 (file)
index 0000000..f8b8c6c
--- /dev/null
@@ -0,0 +1,50 @@
+From 59fb72cd3df498ceaa4808f8a09dedee85183d44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Sep 2023 16:37:11 +0100
+Subject: regmap: rbtree: Fix wrong register marked as in-cache when creating
+ new node
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 7a795ac8d49e2433e1b97caf5e99129daf8e1b08 ]
+
+When regcache_rbtree_write() creates a new rbtree_node it was passing the
+wrong bit number to regcache_rbtree_set_register(). The bit number is the
+offset __in number of registers__, but in the case of creating a new block
+regcache_rbtree_write() was not dividing by the address stride to get the
+number of registers.
+
+Fix this by dividing by map->reg_stride.
+Compare with regcache_rbtree_read() where the bit is checked.
+
+This bug meant that the wrong register was marked as present. The register
+that was written to the cache could not be read from the cache because it
+was not marked as cached. But a nearby register could be marked as having
+a cached value even if it was never written to the cache.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 3f4ff561bc88 ("regmap: rbtree: Make cache_present bitmap per node")
+Link: https://lore.kernel.org/r/20230922153711.28103-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regcache-rbtree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/base/regmap/regcache-rbtree.c b/drivers/base/regmap/regcache-rbtree.c
+index 06788965aa293..31d7bc682910c 100644
+--- a/drivers/base/regmap/regcache-rbtree.c
++++ b/drivers/base/regmap/regcache-rbtree.c
+@@ -453,7 +453,8 @@ static int regcache_rbtree_write(struct regmap *map, unsigned int reg,
+               if (!rbnode)
+                       return -ENOMEM;
+               regcache_rbtree_set_register(map, rbnode,
+-                                           reg - rbnode->base_reg, value);
++                                           (reg - rbnode->base_reg) / map->reg_stride,
++                                           value);
+               regcache_rbtree_insert(map, &rbtree_ctx->root, rbnode);
+               rbtree_ctx->cached_rbnode = rbnode;
+       }
+-- 
+2.40.1
+
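Review bot: The corrected call in regcache_rbtree_write() still gives no hint that the third argument of regcache_rbtree_set_register() is an index in registers rather than an address offset, which is the confusion the commit message describes. A local such as `unsigned int idx = (reg - rbnode->base_reg) / map->reg_stride;` with the call taking `idx` would name the unit and keep the line short. The division assumes map->reg_stride is non-zero; that is set outside this hunk and is worth a glance. regcache_rbtree_write() starts and ends outside the hunk.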
diff --git a/queue-6.5/regulator-core-regulator_register-set-device-class-e.patch b/queue-6.5/regulator-core-regulator_register-set-device-class-e.patch
new file mode 100644 (file)
index 0000000..59b9aa4
--- /dev/null
@@ -0,0 +1,60 @@
+From e2fe0d487077bbd04f4f57ca1752f74ca792eabb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Sep 2023 00:50:26 +0200
+Subject: regulator/core: regulator_register: set device->class earlier
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: MichaÅ‚ MirosÅ‚aw <mirq-linux@rere.qmqm.pl>
+
+[ Upstream commit 8adb4e647a83cb5928c05dae95b010224aea0705 ]
+
+When fixing a memory leak in commit d3c731564e09 ("regulator: plug
+of_node leak in regulator_register()'s error path") it moved the
+device_initialize() call earlier, but did not move the `dev->class`
+initialization.  The bug was spotted and fixed by reverting part of
+the commit (in commit 5f4b204b6b81 "regulator: core: fix kobject
+release warning and memory leak in regulator_register()") but
+introducing a different bug: now early error paths use `kfree(dev)`
+instead of `put_device()` for an already initialized `struct device`.
+
+Move the missing assignments to just after `device_initialize()`.
+
+Fixes: d3c731564e09 ("regulator: plug of_node leak in regulator_register()'s error path")
+Signed-off-by: MichaÅ‚ MirosÅ‚aw <mirq-linux@rere.qmqm.pl>
+Link: https://lore.kernel.org/r/b5b19cb458c40c9d02f3d5a7bd1ba7d97ba17279.1695077303.git.mirq-linux@rere.qmqm.pl
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
+index d8e1caaf207e1..2820badc7a126 100644
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -5542,6 +5542,8 @@ regulator_register(struct device *dev,
+               goto rinse;
+       }
+       device_initialize(&rdev->dev);
++      dev_set_drvdata(&rdev->dev, rdev);
++      rdev->dev.class = &regulator_class;
+       spin_lock_init(&rdev->err_lock);
+       /*
+@@ -5603,11 +5605,9 @@ regulator_register(struct device *dev,
+               rdev->supply_name = regulator_desc->supply_name;
+       /* register with sysfs */
+-      rdev->dev.class = &regulator_class;
+       rdev->dev.parent = config->dev;
+       dev_set_name(&rdev->dev, "regulator.%lu",
+                   (unsigned long) atomic_inc_return(&regulator_no));
+-      dev_set_drvdata(&rdev->dev, rdev);
+       /* set regulator constraints */
+       if (init_data)
+-- 
+2.40.1
+
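Review bot: In the first regulator_register() hunk of drivers/regulator/core.c, the two moved assignments carry an ordering requirement that the code does not state: `rdev->dev.class` and the drvdata have to be in place before any error path drops the device reference. A comment above the added lines, such as `/* class and drvdata must be set before the first put_device() on an error path */`, would keep a later cleanup from moving them back down. The commit message says the early error paths use `kfree()` on an already initialized device, but the `rinse` and `clean` labels are outside both hunks. Whether those paths now reach `put_device()` should be confirmed in the full function.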
diff --git a/queue-6.5/regulator-mt6358-split-ops-for-buck-and-linear-range.patch b/queue-6.5/regulator-mt6358-split-ops-for-buck-and-linear-range.patch
new file mode 100644 (file)
index 0000000..28627dd
--- /dev/null
@@ -0,0 +1,81 @@
+From 88d4a115224c4652bab35a741fcdbf7f2fd6ef92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Sep 2023 16:53:34 +0800
+Subject: regulator: mt6358: split ops for buck and linear range LDO regulators
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 7e37c851374eca2d1f6128de03195c9f7b4baaf2 ]
+
+The buck and linear range LDO (VSRAM_*) regulators share one set of ops.
+This set includes support for get/set mode. However this only makes
+sense for buck regulators, not LDOs. The callbacks were not checking
+whether the register offset and/or mask for mode setting was valid or
+not. This ends up making the kernel report "normal" mode operation for
+the LDOs.
+
+Create a new set of ops without the get/set mode callbacks for the
+linear range LDO regulators.
+
+Fixes: f67ff1bd58f0 ("regulator: mt6358: Add support for MT6358 regulator")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://lore.kernel.org/r/20230920085336.136238-1-wenst@chromium.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/mt6358-regulator.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/regulator/mt6358-regulator.c b/drivers/regulator/mt6358-regulator.c
+index b9cda2210c330..65fbd95f1dbb0 100644
+--- a/drivers/regulator/mt6358-regulator.c
++++ b/drivers/regulator/mt6358-regulator.c
+@@ -43,7 +43,7 @@ struct mt6358_regulator_info {
+       .desc = {       \
+               .name = #vreg,  \
+               .of_match = of_match_ptr(match),        \
+-              .ops = &mt6358_volt_range_ops,  \
++              .ops = &mt6358_buck_ops,        \
+               .type = REGULATOR_VOLTAGE,      \
+               .id = MT6358_ID_##vreg,         \
+               .owner = THIS_MODULE,           \
+@@ -139,7 +139,7 @@ struct mt6358_regulator_info {
+       .desc = {       \
+               .name = #vreg,  \
+               .of_match = of_match_ptr(match),        \
+-              .ops = &mt6358_volt_range_ops,  \
++              .ops = &mt6358_buck_ops,        \
+               .type = REGULATOR_VOLTAGE,      \
+               .id = MT6366_ID_##vreg,         \
+               .owner = THIS_MODULE,           \
+@@ -450,7 +450,7 @@ static unsigned int mt6358_regulator_get_mode(struct regulator_dev *rdev)
+       }
+ }
+-static const struct regulator_ops mt6358_volt_range_ops = {
++static const struct regulator_ops mt6358_buck_ops = {
+       .list_voltage = regulator_list_voltage_linear,
+       .map_voltage = regulator_map_voltage_linear,
+       .set_voltage_sel = regulator_set_voltage_sel_regmap,
+@@ -464,6 +464,18 @@ static const struct regulator_ops mt6358_volt_range_ops = {
+       .get_mode = mt6358_regulator_get_mode,
+ };
++static const struct regulator_ops mt6358_volt_range_ops = {
++      .list_voltage = regulator_list_voltage_linear,
++      .map_voltage = regulator_map_voltage_linear,
++      .set_voltage_sel = regulator_set_voltage_sel_regmap,
++      .get_voltage_sel = mt6358_get_buck_voltage_sel,
++      .set_voltage_time_sel = regulator_set_voltage_time_sel,
++      .enable = regulator_enable_regmap,
++      .disable = regulator_disable_regmap,
++      .is_enabled = regulator_is_enabled_regmap,
++      .get_status = mt6358_get_status,
++};
++
+ static const struct regulator_ops mt6358_volt_table_ops = {
+       .list_voltage = regulator_list_voltage_table,
+       .map_voltage = regulator_map_voltage_iterate,
+-- 
+2.40.1
+
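Review bot: Reusing the name `mt6358_volt_range_ops` for the new mode-less table in drivers/regulator/mt6358-regulator.c is fragile, because a buck macro that still references the old name would silently lose `set_mode`/`get_mode`, and a later backport written against the old meaning would compile without warning. Only the two macros in the hunks at lines 43 and 139 are switched to `mt6358_buck_ops`; the remaining users are outside the hunks. A short comment on each table would make the split explicit, for example `/* Linear-range LDOs (VSRAM_*): no mode register, so no set_mode/get_mode */` above the new one. The commit message also notes that the mode callbacks never validated their register offset or mask, and that stays true after this change.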
diff --git a/queue-6.5/rswitch-fix-phy-station-management-clock-setting.patch b/queue-6.5/rswitch-fix-phy-station-management-clock-setting.patch
new file mode 100644 (file)
index 0000000..f2856a3
--- /dev/null
@@ -0,0 +1,100 @@
+From c94aac90f1da5a289170b178085e2e33f0ec1259 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Sep 2023 21:30:54 +0900
+Subject: rswitch: Fix PHY station management clock setting
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit a0c55bba0d0d0b5591083f65f830940d8ae63f31 ]
+
+Fix the MPIC.PSMCS value following the programming example in the
+section 6.4.2 Management Data Clock (MDC) Setting, Ethernet MAC IP,
+S4 Hardware User Manual Rev.1.00.
+
+The value is calculated by
+    MPIC.PSMCS = clk[MHz] / (MDC frequency[MHz] * 2) - 1
+with the input clock frequency from clk_get_rate() and MDC frequency
+of 2.5MHz. Otherwise, this driver cannot communicate PHYs on the R-Car
+S4 Starter Kit board.
+
+Fixes: 3590918b5d07 ("net: ethernet: renesas: Add support for "Ethernet Switch"")
+Reported-by: Tam Nguyen <tam.nguyen.xa@renesas.com>
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Tested-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20230926123054.3976752-1-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/rswitch.c | 13 ++++++++++++-
+ drivers/net/ethernet/renesas/rswitch.h |  2 ++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/renesas/rswitch.c b/drivers/net/ethernet/renesas/rswitch.c
+index 215854812f80a..660cbfe344d2c 100644
+--- a/drivers/net/ethernet/renesas/rswitch.c
++++ b/drivers/net/ethernet/renesas/rswitch.c
+@@ -4,6 +4,7 @@
+  * Copyright (C) 2022 Renesas Electronics Corporation
+  */
++#include <linux/clk.h>
+ #include <linux/dma-mapping.h>
+ #include <linux/err.h>
+ #include <linux/etherdevice.h>
+@@ -1049,7 +1050,7 @@ static void rswitch_rmac_setting(struct rswitch_etha *etha, const u8 *mac)
+ static void rswitch_etha_enable_mii(struct rswitch_etha *etha)
+ {
+       rswitch_modify(etha->addr, MPIC, MPIC_PSMCS_MASK | MPIC_PSMHT_MASK,
+-                     MPIC_PSMCS(0x05) | MPIC_PSMHT(0x06));
++                     MPIC_PSMCS(etha->psmcs) | MPIC_PSMHT(0x06));
+       rswitch_modify(etha->addr, MPSM, 0, MPSM_MFF_C45);
+ }
+@@ -1681,6 +1682,12 @@ static void rswitch_etha_init(struct rswitch_private *priv, int index)
+       etha->index = index;
+       etha->addr = priv->addr + RSWITCH_ETHA_OFFSET + index * RSWITCH_ETHA_SIZE;
+       etha->coma_addr = priv->addr;
++
++      /* MPIC.PSMCS = (clk [MHz] / (MDC frequency [MHz] * 2) - 1.
++       * Calculating PSMCS value as MDC frequency = 2.5MHz. So, multiply
++       * both the numerator and the denominator by 10.
++       */
++      etha->psmcs = clk_get_rate(priv->clk) / 100000 / (25 * 2) - 1;
+ }
+ static int rswitch_device_alloc(struct rswitch_private *priv, int index)
+@@ -1882,6 +1889,10 @@ static int renesas_eth_sw_probe(struct platform_device *pdev)
+               return -ENOMEM;
+       spin_lock_init(&priv->lock);
++      priv->clk = devm_clk_get(&pdev->dev, NULL);
++      if (IS_ERR(priv->clk))
++              return PTR_ERR(priv->clk);
++
+       priv->ptp_priv = rcar_gen4_ptp_alloc(pdev);
+       if (!priv->ptp_priv)
+               return -ENOMEM;
+diff --git a/drivers/net/ethernet/renesas/rswitch.h b/drivers/net/ethernet/renesas/rswitch.h
+index 9740398067140..13a401cebd8b7 100644
+--- a/drivers/net/ethernet/renesas/rswitch.h
++++ b/drivers/net/ethernet/renesas/rswitch.h
+@@ -915,6 +915,7 @@ struct rswitch_etha {
+       bool external_phy;
+       struct mii_bus *mii;
+       phy_interface_t phy_interface;
++      u32 psmcs;
+       u8 mac_addr[MAX_ADDR_LEN];
+       int link;
+       int speed;
+@@ -1012,6 +1013,7 @@ struct rswitch_private {
+       struct rswitch_mfwd mfwd;
+       spinlock_t lock;        /* lock interrupt registers' control */
++      struct clk *clk;
+       bool gwca_halt;
+ };
+-- 
+2.40.1
+
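Review bot: The PSMCS computation added to rswitch_etha_init() in rswitch.c has no lower bound on the clock rate. When `clk_get_rate(priv->clk)` returns 0 or anything below 5 MHz the quotient is 0 and the `- 1` wraps, so `etha->psmcs` holds an all-ones value that rswitch_etha_enable_mii() passes to `MPIC_PSMCS()`. Since rswitch_etha_init() returns void, the check fits in renesas_eth_sw_probe() right after `devm_clk_get()`, e.g. `if (clk_get_rate(priv->clk) < 5000000) return -EINVAL;`, with the threshold to be confirmed against the hardware manual. The upper end is unchecked too; whether a large rate can exceed the field behind `MPIC_PSMCS_MASK` depends on the macro in rswitch.h, which is outside the hunks. The added comment also has an unbalanced parenthesis in `(clk [MHz] / (MDC frequency [MHz] * 2) - 1`.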
diff --git a/queue-6.5/rtla-timerlat-do-not-stop-user-space-if-a-cpu-is-off.patch b/queue-6.5/rtla-timerlat-do-not-stop-user-space-if-a-cpu-is-off.patch
new file mode 100644 (file)
index 0000000..0dc25f3
--- /dev/null
@@ -0,0 +1,56 @@
+From 81aef2098c153817879f21e1b8972c47a931d81c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 15:02:32 +0200
+Subject: rtla/timerlat: Do not stop user-space if a cpu is offline
+
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+
+[ Upstream commit e8c44d3b713b96cda055a23b21e8c4f931dd159f ]
+
+If no CPU list is passed, timerlat in user-space will dispatch
+one thread per sysconf(_SC_NPROCESSORS_CONF). However, not all
+CPU might be available, for instance, if HT is disabled.
+
+Currently, rtla timerlat is stopping the session if an user-space
+thread cannot set affinity to a CPU, or if a running user-space
+thread is killed. However, this is too restrictive.
+
+So, reduce the error to a debug message, and rtla timerlat run as
+long as there is at least one user-space thread alive.
+
+Link: https://lore.kernel.org/lkml/59cf2c882900ab7de91c6ee33b382ac7fa6b4ed0.1694781909.git.bristot@kernel.org
+
+Fixes: cdca4f4e5e8e ("rtla/timerlat_top: Add timerlat user-space support")
+Signed-off-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/tracing/rtla/src/timerlat_u.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tracing/rtla/src/timerlat_u.c b/tools/tracing/rtla/src/timerlat_u.c
+index 05e310696dd5c..01dbf9a6b5a51 100644
+--- a/tools/tracing/rtla/src/timerlat_u.c
++++ b/tools/tracing/rtla/src/timerlat_u.c
+@@ -45,7 +45,7 @@ static int timerlat_u_main(int cpu, struct timerlat_u_params *params)
+       retval = sched_setaffinity(gettid(), sizeof(set), &set);
+       if (retval == -1) {
+-              err_msg("Error setting user thread affinity\n");
++              debug_msg("Error setting user thread affinity %d, is the CPU online?\n", cpu);
+               exit(1);
+       }
+@@ -193,7 +193,9 @@ void *timerlat_u_dispatcher(void *data)
+                                       procs_count--;
+                               }
+                       }
+-                      break;
++
++                      if (!procs_count)
++                              break;
+               }
+               sleep(1);
+-- 
+2.40.1
+
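Review bot: In timerlat_u_main() the affinity failure is now reported only through `debug_msg()` while the child still calls `exit(1)`, so a run without debug output gives no indication that some CPUs were never measured. The message also drops the reason for the failure. Adding it, e.g. `debug_msg("Error setting user thread affinity %d: %s\n", cpu, strerror(errno));`, distinguishes an offline CPU from a permission or cpuset restriction; this assumes `<errno.h>` and `<string.h>` are already included in timerlat_u.c, which the hunk does not show. The dispatcher loop that receives the new `if (!procs_count)` check begins outside the hunk.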
diff --git a/queue-6.5/rtla-timerlat_aa-fix-negative-irq-delay.patch b/queue-6.5/rtla-timerlat_aa-fix-negative-irq-delay.patch
new file mode 100644 (file)
index 0000000..d2c93ed
--- /dev/null
@@ -0,0 +1,63 @@
+From b01d61f4a9644f359e4bf2412dfed8d511fa9c29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Aug 2023 17:52:12 +0200
+Subject: rtla/timerlat_aa: Fix negative IRQ delay
+
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+
+[ Upstream commit 6c73daf26420b97fb8b4a620e4ffee5c1f9d44d1 ]
+
+When estimating the IRQ timer delay, we are dealing with two different
+clock sources: the external clock source that timerlat uses as a reference
+and the clock used by the tracer. There are also two moments: the time
+reading the clock and the timer in which the event is placed in the
+buffer (the trace event timestamp).
+
+If the processor is slow or there is some hardware noise, the difference
+between the timestamp and the external clock, read can be longer than the
+IRQ handler delay, resulting in a negative time.
+
+If so, set IRQ to start delay as 0. In the end, it is less near-zero and relevant
+then the noise.
+
+Link: https://lore.kernel.org/lkml/a066fb667c7136d86dcddb3c7ccd72587db3e7c7.1691162043.git.bristot@kernel.org
+
+Fixes: 27e348b221f6 ("rtla/timerlat: Add auto-analysis core")
+Signed-off-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/tracing/rtla/src/timerlat_aa.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tracing/rtla/src/timerlat_aa.c b/tools/tracing/rtla/src/timerlat_aa.c
+index dec5b4c4511e1..baf1efda0581d 100644
+--- a/tools/tracing/rtla/src/timerlat_aa.c
++++ b/tools/tracing/rtla/src/timerlat_aa.c
+@@ -338,7 +338,23 @@ static int timerlat_aa_irq_handler(struct trace_seq *s, struct tep_record *recor
+               taa_data->timer_irq_start_time = start;
+               taa_data->timer_irq_duration = duration;
+-              taa_data->timer_irq_start_delay = taa_data->timer_irq_start_time - expected_start;
++              /*
++               * We are dealing with two different clock sources: the
++               * external clock source that timerlat uses as a reference
++               * and the clock used by the tracer. There are also two
++               * moments: the time reading the clock and the timer in
++               * which the event is placed in the buffer (the trace
++               * event timestamp). If the processor is slow or there
++               * is some hardware noise, the difference between the
++               * timestamp and the external clock read can be longer
++               * than the IRQ handler delay, resulting in a negative
++               * time. If so, set IRQ start delay as 0. In the end,
++               * it is less relevant than the noise.
++               */
++              if (expected_start < taa_data->timer_irq_start_time)
++                      taa_data->timer_irq_start_delay = taa_data->timer_irq_start_time - expected_start;
++              else
++                      taa_data->timer_irq_start_delay = 0;
+               /*
+                * not exit from idle.
+-- 
+2.40.1
+
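Review bot: The clamp added in timerlat_aa_irq_handler() replaces a negative delay with 0 silently, so a report showing a zero IRQ start delay cannot be told apart from one where the two clocks disagreed. Logging the case in the `else` branch (with braces added), e.g. `debug_msg("timer IRQ started before the expected start, delay set to 0\n");`, keeps the evidence for anyone diagnosing clock skew. The comparison is only correct if `expected_start` and `timer_irq_start_time` have the same signedness, and both declarations are outside the hunk. In the new comment, `the timer in which the event is placed` presumably should read `the time at which the event is placed`.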
diff --git a/queue-6.5/rtla-timerlat_aa-fix-previous-irq-delay-for-irqs-tha.patch b/queue-6.5/rtla-timerlat_aa-fix-previous-irq-delay-for-irqs-tha.patch
new file mode 100644 (file)
index 0000000..c760607
--- /dev/null
@@ -0,0 +1,76 @@
+From 32d1d6c52b443906f6261c8a6b262b32ed82201d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Aug 2023 17:52:13 +0200
+Subject: rtla/timerlat_aa: Fix previous IRQ delay for IRQs that happens after
+ thread sample
+
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+
+[ Upstream commit 301deca09b254965661d3e971f1a60ac2ce41f5f ]
+
+timerlat auto-analysis takes note of all IRQs, before or after the
+execution of the timerlat thread.
+
+Because we cannot go backward in the trace (we will fix it when
+moving to trace-cmd lib?), timerlat aa take note of the last IRQ
+execution in the waiting for the IRQ state, and then print it
+if it is executed after the expected timer IRQ starting time.
+
+After the thread sample, the timerlat starts recording the next IRQs as
+"previous" irq for the next occurrence.
+
+However, if an IRQ happens after the thread measurement but before the
+tracing stops, it is classified as a previous IRQ. That is not
+wrong, as it can be "previous" for the subsequent activation. What is
+wrong is considering it as a potential source for the last activation.
+
+Ignore the IRQ interference that happens after the IRQ starting time for
+now. A future improvement for timerlat can be either keeping a list of
+previous IRQ execution or using the trace-cmd library. Still, it requires
+further investigation - it is a new feature.
+
+Link: https://lore.kernel.org/lkml/a44a3f5c801dcc697bacf7325b65d4a5b0460537.1691162043.git.bristot@kernel.org
+
+Fixes: 27e348b221f6 ("rtla/timerlat: Add auto-analysis core")
+Signed-off-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/tracing/rtla/src/timerlat_aa.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/tools/tracing/rtla/src/timerlat_aa.c b/tools/tracing/rtla/src/timerlat_aa.c
+index baf1efda0581d..7093fd5333beb 100644
+--- a/tools/tracing/rtla/src/timerlat_aa.c
++++ b/tools/tracing/rtla/src/timerlat_aa.c
+@@ -545,7 +545,7 @@ static int timerlat_aa_kworker_start_handler(struct trace_seq *s, struct tep_rec
+ static void timerlat_thread_analysis(struct timerlat_aa_data *taa_data, int cpu,
+                                    int irq_thresh, int thread_thresh)
+ {
+-      unsigned long long exp_irq_ts;
++      long long exp_irq_ts;
+       int total;
+       int irq;
+@@ -562,12 +562,15 @@ static void timerlat_thread_analysis(struct timerlat_aa_data *taa_data, int cpu,
+       /*
+        * Expected IRQ arrival time using the trace clock as the base.
++       *
++       * TODO: Add a list of previous IRQ, and then run the list backwards.
+        */
+       exp_irq_ts = taa_data->timer_irq_start_time - taa_data->timer_irq_start_delay;
+-
+-      if (exp_irq_ts < taa_data->prev_irq_timstamp + taa_data->prev_irq_duration)
+-              printf("  Previous IRQ interference:    \t\t up to  %9.2f us\n",
+-                      ns_to_usf(taa_data->prev_irq_duration));
++      if (exp_irq_ts < taa_data->prev_irq_timstamp + taa_data->prev_irq_duration) {
++              if (taa_data->prev_irq_timstamp < taa_data->timer_irq_start_time)
++                      printf("  Previous IRQ interference:    \t\t up to  %9.2f us\n",
++                              ns_to_usf(taa_data->prev_irq_duration));
++      }
+       /*
+        * The delay that the IRQ suffered before starting.
+-- 
+2.40.1
+
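Review bot: Changing `exp_irq_ts` to `long long` in timerlat_thread_analysis() does not by itself make the comparison that follows signed. If `prev_irq_timstamp` and `prev_irq_duration` are `unsigned long long` (their declarations are outside the hunk), the usual arithmetic conversions turn `exp_irq_ts` back into an unsigned value, and a negative expected time compares as a very large one. Casting the right-hand side makes the intent explicit: `if (exp_irq_ts < (long long)(taa_data->prev_irq_timstamp + taa_data->prev_irq_duration)) {`. The two nested `if`s could also be joined with `&&`, which removes the extra braces.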
diff --git a/queue-6.5/rtla-timerlat_aa-zero-thread-sum-after-every-sample-.patch b/queue-6.5/rtla-timerlat_aa-zero-thread-sum-after-every-sample-.patch
new file mode 100644 (file)
index 0000000..8e9da1f
--- /dev/null
@@ -0,0 +1,39 @@
+From 5d7381c35db50b78101bcd6d65e7b517d11c11ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Aug 2023 17:52:11 +0200
+Subject: rtla/timerlat_aa: Zero thread sum after every sample analysis
+
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+
+[ Upstream commit 02d89917ef68acbe65c7cc2323f1db4429879878 ]
+
+The thread thread_thread_sum accounts for thread interference
+during a single activation. It was not being zeroed, so it was
+accumulating thread interference over all activations.
+
+It was not that visible when timerlat was the highest priority.
+
+Link: https://lore.kernel.org/lkml/97bff55b0141f2d01b47d9450a5672fde147b89a.1691162043.git.bristot@kernel.org
+
+Fixes: 27e348b221f6 ("rtla/timerlat: Add auto-analysis core")
+Signed-off-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/tracing/rtla/src/timerlat_aa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/tracing/rtla/src/timerlat_aa.c b/tools/tracing/rtla/src/timerlat_aa.c
+index e0ffe69c271c6..dec5b4c4511e1 100644
+--- a/tools/tracing/rtla/src/timerlat_aa.c
++++ b/tools/tracing/rtla/src/timerlat_aa.c
+@@ -159,6 +159,7 @@ static int timerlat_aa_irq_latency(struct timerlat_aa_data *taa_data,
+       taa_data->thread_nmi_sum = 0;
+       taa_data->thread_irq_sum = 0;
+       taa_data->thread_softirq_sum = 0;
++      taa_data->thread_thread_sum = 0;
+       taa_data->thread_blocking_duration = 0;
+       taa_data->timer_irq_start_time = 0;
+       taa_data->timer_irq_duration = 0;
+-- 
+2.40.1
+
diff --git a/queue-6.5/s390-bpf-let-arch_prepare_bpf_trampoline-return-prog.patch b/queue-6.5/s390-bpf-let-arch_prepare_bpf_trampoline-return-prog.patch
new file mode 100644 (file)
index 0000000..60c3015
--- /dev/null
@@ -0,0 +1,55 @@
+From d10a17429162accce0e9031e2af6bdbcc074f4de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 23:02:57 -0700
+Subject: s390/bpf: Let arch_prepare_bpf_trampoline return program size
+
+From: Song Liu <song@kernel.org>
+
+[ Upstream commit cf094baa3e0f19f1f80ceaf205c80402b024386c ]
+
+arch_prepare_bpf_trampoline() for s390 currently returns 0 on success. This
+is not a problem for regular trampoline. However, struct_ops relies on the
+return value to advance "image" pointer:
+
+bpf_struct_ops_map_update_elem() {
+    ...
+    for_each_member(i, t, member) {
+        ...
+        err = bpf_struct_ops_prepare_trampoline();
+        ...
+        image += err;
+    }
+}
+
+When arch_prepare_bpf_trampoline returns 0 on success, all members of the
+struct_ops will point to the same trampoline (the last one).
+
+Fix this by returning the program size in arch_prepare_bpf_trampoline (on
+success). This is the same behavior as other architectures.
+
+Signed-off-by: Song Liu <song@kernel.org>
+Fixes: 528eb2cb87bc ("s390/bpf: Implement arch_prepare_bpf_trampoline()")
+Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Link: https://lore.kernel.org/r/20230919060258.3237176-2-song@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/net/bpf_jit_comp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index de2fb12120d2e..2861e3360affc 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -2513,7 +2513,7 @@ int arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *image,
+                       return -E2BIG;
+       }
+-      return ret;
++      return tjit.common.prg;
+ }
+ bool bpf_jit_supports_subprog_tailcalls(void)
+-- 
+2.40.1
+
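Review bot: The new `return tjit.common.prg;` in arch_prepare_bpf_trampoline() changes the function's success value from 0 to a size, and nothing at the return site records that contract. A one-line comment such as `/* On success, return the trampoline size; struct_ops advances its image pointer by it. */` would help, because per the commit message the caller adds the value to `image`, so a wrong value misplaces later trampolines. The function body starts outside the hunk, so it should be confirmed there that a negative `ret` from the generation passes is returned before this line is reached. If `tjit.common.prg` is not an `int`, the implicit conversion in the return is worth a look as well.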
diff --git a/queue-6.5/scsi-target-core-fix-deadlock-due-to-recursive-locki.patch b/queue-6.5/scsi-target-core-fix-deadlock-due-to-recursive-locki.patch
new file mode 100644 (file)
index 0000000..9bf3a6f
--- /dev/null
@@ -0,0 +1,98 @@
+From 9a81d8467f34e2301d9db646b92605a571850cab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 15:58:48 -0700
+Subject: scsi: target: core: Fix deadlock due to recursive locking
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+[ Upstream commit a154f5f643c6ecddd44847217a7a3845b4350003 ]
+
+The following call trace shows a deadlock issue due to recursive locking of
+mutex "device_mutex". First lock acquire is in target_for_each_device() and
+second in target_free_device().
+
+ PID: 148266   TASK: ffff8be21ffb5d00  CPU: 10   COMMAND: "iscsi_ttx"
+  #0 [ffffa2bfc9ec3b18] __schedule at ffffffffa8060e7f
+  #1 [ffffa2bfc9ec3ba0] schedule at ffffffffa8061224
+  #2 [ffffa2bfc9ec3bb8] schedule_preempt_disabled at ffffffffa80615ee
+  #3 [ffffa2bfc9ec3bc8] __mutex_lock at ffffffffa8062fd7
+  #4 [ffffa2bfc9ec3c40] __mutex_lock_slowpath at ffffffffa80631d3
+  #5 [ffffa2bfc9ec3c50] mutex_lock at ffffffffa806320c
+  #6 [ffffa2bfc9ec3c68] target_free_device at ffffffffc0935998 [target_core_mod]
+  #7 [ffffa2bfc9ec3c90] target_core_dev_release at ffffffffc092f975 [target_core_mod]
+  #8 [ffffa2bfc9ec3ca0] config_item_put at ffffffffa79d250f
+  #9 [ffffa2bfc9ec3cd0] config_item_put at ffffffffa79d2583
+ #10 [ffffa2bfc9ec3ce0] target_devices_idr_iter at ffffffffc0933f3a [target_core_mod]
+ #11 [ffffa2bfc9ec3d00] idr_for_each at ffffffffa803f6fc
+ #12 [ffffa2bfc9ec3d60] target_for_each_device at ffffffffc0935670 [target_core_mod]
+ #13 [ffffa2bfc9ec3d98] transport_deregister_session at ffffffffc0946408 [target_core_mod]
+ #14 [ffffa2bfc9ec3dc8] iscsit_close_session at ffffffffc09a44a6 [iscsi_target_mod]
+ #15 [ffffa2bfc9ec3df0] iscsit_close_connection at ffffffffc09a4a88 [iscsi_target_mod]
+ #16 [ffffa2bfc9ec3df8] finish_task_switch at ffffffffa76e5d07
+ #17 [ffffa2bfc9ec3e78] iscsit_take_action_for_connection_exit at ffffffffc0991c23 [iscsi_target_mod]
+ #18 [ffffa2bfc9ec3ea0] iscsi_target_tx_thread at ffffffffc09a403b [iscsi_target_mod]
+ #19 [ffffa2bfc9ec3f08] kthread at ffffffffa76d8080
+ #20 [ffffa2bfc9ec3f50] ret_from_fork at ffffffffa8200364
+
+Fixes: 36d4cb460bcb ("scsi: target: Avoid that EXTENDED COPY commands trigger lock inversion")
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Link: https://lore.kernel.org/r/20230918225848.66463-1-junxiao.bi@oracle.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_device.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
+index b7ac60f4a2194..b6523d4b9259e 100644
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -843,7 +843,6 @@ sector_t target_to_linux_sector(struct se_device *dev, sector_t lb)
+ EXPORT_SYMBOL(target_to_linux_sector);
+ struct devices_idr_iter {
+-      struct config_item *prev_item;
+       int (*fn)(struct se_device *dev, void *data);
+       void *data;
+ };
+@@ -853,11 +852,9 @@ static int target_devices_idr_iter(int id, void *p, void *data)
+ {
+       struct devices_idr_iter *iter = data;
+       struct se_device *dev = p;
++      struct config_item *item;
+       int ret;
+-      config_item_put(iter->prev_item);
+-      iter->prev_item = NULL;
+-
+       /*
+        * We add the device early to the idr, so it can be used
+        * by backend modules during configuration. We do not want
+@@ -867,12 +864,13 @@ static int target_devices_idr_iter(int id, void *p, void *data)
+       if (!target_dev_configured(dev))
+               return 0;
+-      iter->prev_item = config_item_get_unless_zero(&dev->dev_group.cg_item);
+-      if (!iter->prev_item)
++      item = config_item_get_unless_zero(&dev->dev_group.cg_item);
++      if (!item)
+               return 0;
+       mutex_unlock(&device_mutex);
+       ret = iter->fn(dev, iter->data);
++      config_item_put(item);
+       mutex_lock(&device_mutex);
+       return ret;
+@@ -895,7 +893,6 @@ int target_for_each_device(int (*fn)(struct se_device *dev, void *data),
+       mutex_lock(&device_mutex);
+       ret = idr_for_each(&devices_idr, target_devices_idr_iter, &iter);
+       mutex_unlock(&device_mutex);
+-      config_item_put(iter.prev_item);
+       return ret;
+ }
+-- 
+2.40.1
+
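Review bot: The position of `config_item_put(item)` in target_devices_idr_iter() is what fixes the deadlock, yet no comment says it must run with `device_mutex` dropped. Per the call trace in the commit message the final put can reach target_free_device(), which takes `device_mutex`. I would add `/* Drop the reference before re-taking device_mutex: the last put may call target_free_device() */` above the call. The hunk also keeps the existing pattern of unlocking `device_mutex` inside an `idr_for_each()` callback. Whether `devices_idr` can change during that window, and how the iteration tolerates it, is not visible here and deserves a sentence in the same comment.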
diff --git a/queue-6.5/sctp-update-hb-timer-immediately-after-users-change-.patch b/queue-6.5/sctp-update-hb-timer-immediately-after-users-change-.patch
new file mode 100644 (file)
index 0000000..9c781ad
--- /dev/null
@@ -0,0 +1,48 @@
+From 3d5d6b49a77252d940be8c704124cac669b03259 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Oct 2023 11:04:20 -0400
+Subject: sctp: update hb timer immediately after users change hb_interval
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 1f4e803cd9c9166eb8b6c8b0b8e4124f7499fc07 ]
+
+Currently, when hb_interval is changed by users, it won't take effect
+until the next expiry of hb timer. As the default value is 30s, users
+have to wait up to 30s to wait its hb_interval update to work.
+
+This becomes pretty bad in containers where a much smaller value is
+usually set on hb_interval. This patch improves it by resetting the
+hb timer immediately once the value of hb_interval is updated by users.
+
+Note that we don't address the already existing 'problem' when sending
+a heartbeat 'on demand' if one hb has just been sent(from the timer)
+mentioned in:
+
+  https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg590224.html
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://lore.kernel.org/r/75465785f8ee5df2fb3acdca9b8fafdc18984098.1696172660.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/socket.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 7cf207706eb66..652af155966f1 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -2450,6 +2450,7 @@ static int sctp_apply_peer_addr_params(struct sctp_paddrparams *params,
+                       if (trans) {
+                               trans->hbinterval =
+                                   msecs_to_jiffies(params->spp_hbinterval);
++                              sctp_transport_reset_hb_timer(trans);
+                       } else if (asoc) {
+                               asoc->hbinterval =
+                                   msecs_to_jiffies(params->spp_hbinterval);
+-- 
+2.40.1
+
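Review bot: In sctp_apply_peer_addr_params() only the `if (trans)` branch gains `sctp_transport_reset_hb_timer(trans)`; the `else if (asoc)` branch directly below still just stores `asoc->hbinterval`. Whether the association's existing transports get their timers re-armed then depends on the caller invoking this function once per transport, which is outside the hunk. If it does, a comment in the `asoc` branch such as `/* per-transport timers are re-armed by the caller's per-transport calls */` would record that; otherwise that branch needs the matching reset. The condition guarding this block also begins outside the hunk, so it is not visible whether the reset runs for a transport that has heartbeats disabled.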
diff --git a/queue-6.5/sctp-update-transport-state-when-processing-a-dupcoo.patch b/queue-6.5/sctp-update-transport-state-when-processing-a-dupcoo.patch
new file mode 100644 (file)
index 0000000..be79f73
--- /dev/null
@@ -0,0 +1,67 @@
+From 802b42dc972b9e5863e008ec85d27ad1cef2c2c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Oct 2023 10:58:45 -0400
+Subject: sctp: update transport state when processing a dupcook packet
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 2222a78075f0c19ca18db53fd6623afb4aff602d ]
+
+During the 4-way handshake, the transport's state is set to ACTIVE in
+sctp_process_init() when processing INIT_ACK chunk on client or
+COOKIE_ECHO chunk on server.
+
+In the collision scenario below:
+
+  192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 3922216408]
+    192.168.1.1 > 192.168.1.2: sctp (1) [INIT] [init tag: 144230885]
+    192.168.1.2 > 192.168.1.1: sctp (1) [INIT ACK] [init tag: 3922216408]
+    192.168.1.1 > 192.168.1.2: sctp (1) [COOKIE ECHO]
+    192.168.1.2 > 192.168.1.1: sctp (1) [COOKIE ACK]
+  192.168.1.1 > 192.168.1.2: sctp (1) [INIT ACK] [init tag: 3914796021]
+
+when processing COOKIE_ECHO on 192.168.1.2, as it's in COOKIE_WAIT state,
+sctp_sf_do_dupcook_b() is called by sctp_sf_do_5_2_4_dupcook() where it
+creates a new association and sets its transport to ACTIVE then updates
+to the old association in sctp_assoc_update().
+
+However, in sctp_assoc_update(), it will skip the transport update if it
+finds a transport with the same ipaddr already existing in the old asoc,
+and this causes the old asoc's transport state not to move to ACTIVE
+after the handshake.
+
+This means if DATA retransmission happens at this moment, it won't be able
+to enter PF state because of the check 'transport->state == SCTP_ACTIVE'
+in sctp_do_8_2_transport_strike().
+
+This patch fixes it by updating the transport in sctp_assoc_update() with
+sctp_assoc_add_peer() where it updates the transport state if there is
+already a transport with the same ipaddr exists in the old asoc.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://lore.kernel.org/r/fd17356abe49713ded425250cc1ae51e9f5846c6.1696172325.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/associola.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/sctp/associola.c b/net/sctp/associola.c
+index 796529167e8d2..c45c192b78787 100644
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -1159,8 +1159,7 @@ int sctp_assoc_update(struct sctp_association *asoc,
+               /* Add any peer addresses from the new association. */
+               list_for_each_entry(trans, &new->peer.transport_addr_list,
+                                   transports)
+-                      if (!sctp_assoc_lookup_paddr(asoc, &trans->ipaddr) &&
+-                          !sctp_assoc_add_peer(asoc, &trans->ipaddr,
++                      if (!sctp_assoc_add_peer(asoc, &trans->ipaddr,
+                                                GFP_ATOMIC, trans->state))
+                               return -ENOMEM;
+-- 
+2.40.1
+
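Review bot: The context comment above the loop in sctp_assoc_update(), "Add any peer addresses from the new association.", no longer describes what the loop does once the `sctp_assoc_lookup_paddr()` guard is removed. The loop now calls `sctp_assoc_add_peer()` for addresses the old association already holds, and relies on that function to find the existing transport and refresh its state. It also relies on the function returning non-NULL for an existing transport, otherwise the `-ENOMEM` path would fire; the function body is not part of this hunk, so that is inferred from the commit message. I would update the comment to `/* Add peer addresses from the new association; for an address already present, sctp_assoc_add_peer() returns the existing transport and updates its state. */`. The enclosing function starts and ends outside the hunk.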
diff --git a/queue-6.5/selftests-netfilter-extend-nft_audit.sh.patch b/queue-6.5/selftests-netfilter-extend-nft_audit.sh.patch
new file mode 100644 (file)
index 0000000..efd1da9
--- /dev/null
@@ -0,0 +1,171 @@
+From cf5f02195f6e42bacb90500438a0e59049edf421 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Sep 2023 03:53:49 +0200
+Subject: selftests: netfilter: Extend nft_audit.sh
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit 203bb9d39866d3c5a8135433ce3742fe4f9d5741 ]
+
+Add tests for sets and elements and deletion of all kinds. Also
+reorder rule reset tests: By moving the bulk rule add command up, the
+two 'reset rules' tests become identical.
+
+While at it, fix for a failing bulk rule add test's error status getting
+lost due to its use in a pipe. Avoid this by using a temporary file.
+
+Headings in diff output for failing tests contain no useful data, strip
+them.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Stable-dep-of: 0d880dc6f032 ("netfilter: nf_tables: Deduplicate nft_register_obj audit logs")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/netfilter/nft_audit.sh  | 97 ++++++++++++++++---
+ 1 file changed, 81 insertions(+), 16 deletions(-)
+
+diff --git a/tools/testing/selftests/netfilter/nft_audit.sh b/tools/testing/selftests/netfilter/nft_audit.sh
+index 83c271b1c7352..0b3255e7b3538 100755
+--- a/tools/testing/selftests/netfilter/nft_audit.sh
++++ b/tools/testing/selftests/netfilter/nft_audit.sh
+@@ -12,10 +12,11 @@ nft --version >/dev/null 2>&1 || {
+ }
+ logfile=$(mktemp)
++rulefile=$(mktemp)
+ echo "logging into $logfile"
+ ./audit_logread >"$logfile" &
+ logread_pid=$!
+-trap 'kill $logread_pid; rm -f $logfile' EXIT
++trap 'kill $logread_pid; rm -f $logfile $rulefile' EXIT
+ exec 3<"$logfile"
+ do_test() { # (cmd, log)
+@@ -26,12 +27,14 @@ do_test() { # (cmd, log)
+       res=$(diff -a -u <(echo "$2") - <&3)
+       [ $? -eq 0 ] && { echo "OK"; return; }
+       echo "FAIL"
+-      echo "$res"
+-      ((RC++))
++      grep -v '^\(---\|+++\|@@\)' <<< "$res"
++      ((RC--))
+ }
+ nft flush ruleset
++# adding tables, chains and rules
++
+ for table in t1 t2; do
+       do_test "nft add table $table" \
+       "table=$table family=2 entries=1 op=nft_register_table"
+@@ -62,6 +65,28 @@ for table in t1 t2; do
+       "table=$table family=2 entries=6 op=nft_register_rule"
+ done
++for ((i = 0; i < 500; i++)); do
++      echo "add rule t2 c3 counter accept comment \"rule $i\""
++done >$rulefile
++do_test "nft -f $rulefile" \
++'table=t2 family=2 entries=500 op=nft_register_rule'
++
++# adding sets and elements
++
++settype='type inet_service; counter'
++setelem='{ 22, 80, 443 }'
++setblock="{ $settype; elements = $setelem; }"
++do_test "nft add set t1 s $setblock" \
++"table=t1 family=2 entries=4 op=nft_register_set"
++
++do_test "nft add set t1 s2 $setblock; add set t1 s3 { $settype; }" \
++"table=t1 family=2 entries=5 op=nft_register_set"
++
++do_test "nft add element t1 s3 $setelem" \
++"table=t1 family=2 entries=3 op=nft_register_setelem"
++
++# resetting rules
++
+ do_test 'nft reset rules t1 c2' \
+ 'table=t1 family=2 entries=3 op=nft_reset_rule'
+@@ -70,19 +95,6 @@ do_test 'nft reset rules table t1' \
+ table=t1 family=2 entries=3 op=nft_reset_rule
+ table=t1 family=2 entries=3 op=nft_reset_rule'
+-do_test 'nft reset rules' \
+-'table=t1 family=2 entries=3 op=nft_reset_rule
+-table=t1 family=2 entries=3 op=nft_reset_rule
+-table=t1 family=2 entries=3 op=nft_reset_rule
+-table=t2 family=2 entries=3 op=nft_reset_rule
+-table=t2 family=2 entries=3 op=nft_reset_rule
+-table=t2 family=2 entries=3 op=nft_reset_rule'
+-
+-for ((i = 0; i < 500; i++)); do
+-      echo "add rule t2 c3 counter accept comment \"rule $i\""
+-done | do_test 'nft -f -' \
+-'table=t2 family=2 entries=500 op=nft_register_rule'
+-
+ do_test 'nft reset rules t2 c3' \
+ 'table=t2 family=2 entries=189 op=nft_reset_rule
+ table=t2 family=2 entries=188 op=nft_reset_rule
+@@ -105,4 +117,57 @@ table=t2 family=2 entries=180 op=nft_reset_rule
+ table=t2 family=2 entries=188 op=nft_reset_rule
+ table=t2 family=2 entries=135 op=nft_reset_rule'
++# resetting sets and elements
++
++elem=(22 ,80 ,443)
++relem=""
++for i in {1..3}; do
++      relem+="${elem[((i - 1))]}"
++      do_test "nft reset element t1 s { $relem }" \
++      "table=t1 family=2 entries=$i op=nft_reset_setelem"
++done
++
++do_test 'nft reset set t1 s' \
++'table=t1 family=2 entries=3 op=nft_reset_setelem'
++
++# deleting rules
++
++readarray -t handles < <(nft -a list chain t1 c1 | \
++                       sed -n 's/.*counter.* handle \(.*\)$/\1/p')
++
++do_test "nft delete rule t1 c1 handle ${handles[0]}" \
++'table=t1 family=2 entries=1 op=nft_unregister_rule'
++
++cmd='delete rule t1 c1 handle'
++do_test "nft $cmd ${handles[1]}; $cmd ${handles[2]}" \
++'table=t1 family=2 entries=2 op=nft_unregister_rule'
++
++do_test 'nft flush chain t1 c2' \
++'table=t1 family=2 entries=3 op=nft_unregister_rule'
++
++do_test 'nft flush table t2' \
++'table=t2 family=2 entries=509 op=nft_unregister_rule'
++
++# deleting chains
++
++do_test 'nft delete chain t2 c2' \
++'table=t2 family=2 entries=1 op=nft_unregister_chain'
++
++# deleting sets and elements
++
++do_test 'nft delete element t1 s { 22 }' \
++'table=t1 family=2 entries=1 op=nft_unregister_setelem'
++
++do_test 'nft delete element t1 s { 80, 443 }' \
++'table=t1 family=2 entries=2 op=nft_unregister_setelem'
++
++do_test 'nft flush set t1 s2' \
++'table=t1 family=2 entries=3 op=nft_unregister_setelem'
++
++do_test 'nft delete set t1 s2' \
++'table=t1 family=2 entries=1 op=nft_unregister_set'
++
++do_test 'nft delete set t1 s3' \
++'table=t1 family=2 entries=1 op=nft_unregister_set'
++
+ exit $RC
+-- 
+2.40.1
+
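Review bot: In do_test, `((RC--))` turns the value handed to `exit $RC` into a negative failure count, which the shell reports modulo 256, and neither the hunk nor the commit message says why the counter now runs downward. If the intent is to keep a failing run from ever exiting with the skip status (presumably; the skip code is defined outside this hunk), a plain `RC=1` states that directly and does not depend on how many tests failed. Otherwise a one-line comment such as `# count down so the exit status can never equal the skip code` would record the reason. do_test begins outside the hunk.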
diff --git a/queue-6.5/selftests-netfilter-test-nf_tables-audit-logging.patch b/queue-6.5/selftests-netfilter-test-nf_tables-audit-logging.patch
new file mode 100644 (file)
index 0000000..7d7d181
--- /dev/null
@@ -0,0 +1,352 @@
+From d5a6feb2dd3a4e9b16f199dcd41dd410313b3299 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 15:51:37 +0200
+Subject: selftests: netfilter: Test nf_tables audit logging
+
+From: Phil Sutter <phil@nwl.cc>
+
+[ Upstream commit e8dbde59ca3fe925d0105bfb380e8429928b16dd ]
+
+Compare NETFILTER_CFG type audit logs emitted from kernel upon ruleset
+modifications against expected output.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Stable-dep-of: 0d880dc6f032 ("netfilter: nf_tables: Deduplicate nft_register_obj audit logs")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/netfilter/.gitignore  |   1 +
+ tools/testing/selftests/netfilter/Makefile    |   4 +-
+ .../selftests/netfilter/audit_logread.c       | 165 ++++++++++++++++++
+ tools/testing/selftests/netfilter/config      |   1 +
+ .../testing/selftests/netfilter/nft_audit.sh  | 108 ++++++++++++
+ 5 files changed, 277 insertions(+), 2 deletions(-)
+ create mode 100644 tools/testing/selftests/netfilter/audit_logread.c
+ create mode 100755 tools/testing/selftests/netfilter/nft_audit.sh
+
+diff --git a/tools/testing/selftests/netfilter/.gitignore b/tools/testing/selftests/netfilter/.gitignore
+index 4cb887b574138..4b2928e1c19d8 100644
+--- a/tools/testing/selftests/netfilter/.gitignore
++++ b/tools/testing/selftests/netfilter/.gitignore
+@@ -1,3 +1,4 @@
+ # SPDX-License-Identifier: GPL-2.0-only
+ nf-queue
+ connect_close
++audit_logread
+diff --git a/tools/testing/selftests/netfilter/Makefile b/tools/testing/selftests/netfilter/Makefile
+index 3686bfa6c58d7..321db8850da00 100644
+--- a/tools/testing/selftests/netfilter/Makefile
++++ b/tools/testing/selftests/netfilter/Makefile
+@@ -6,13 +6,13 @@ TEST_PROGS := nft_trans_stress.sh nft_fib.sh nft_nat.sh bridge_brouter.sh \
+       nft_concat_range.sh nft_conntrack_helper.sh \
+       nft_queue.sh nft_meta.sh nf_nat_edemux.sh \
+       ipip-conntrack-mtu.sh conntrack_tcp_unreplied.sh \
+-      conntrack_vrf.sh nft_synproxy.sh rpath.sh
++      conntrack_vrf.sh nft_synproxy.sh rpath.sh nft_audit.sh
+ HOSTPKG_CONFIG := pkg-config
+ CFLAGS += $(shell $(HOSTPKG_CONFIG) --cflags libmnl 2>/dev/null)
+ LDLIBS += $(shell $(HOSTPKG_CONFIG) --libs libmnl 2>/dev/null || echo -lmnl)
+-TEST_GEN_FILES =  nf-queue connect_close
++TEST_GEN_FILES =  nf-queue connect_close audit_logread
+ include ../lib.mk
+diff --git a/tools/testing/selftests/netfilter/audit_logread.c b/tools/testing/selftests/netfilter/audit_logread.c
+new file mode 100644
+index 0000000000000..a0a880fc2d9de
+--- /dev/null
++++ b/tools/testing/selftests/netfilter/audit_logread.c
+@@ -0,0 +1,165 @@
++// SPDX-License-Identifier: GPL-2.0
++
++#define _GNU_SOURCE
++#include <errno.h>
++#include <fcntl.h>
++#include <poll.h>
++#include <signal.h>
++#include <stdint.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <sys/socket.h>
++#include <unistd.h>
++#include <linux/audit.h>
++#include <linux/netlink.h>
++
++static int fd;
++
++#define MAX_AUDIT_MESSAGE_LENGTH      8970
++struct audit_message {
++      struct nlmsghdr nlh;
++      union {
++              struct audit_status s;
++              char data[MAX_AUDIT_MESSAGE_LENGTH];
++      } u;
++};
++
++int audit_recv(int fd, struct audit_message *rep)
++{
++      struct sockaddr_nl addr;
++      socklen_t addrlen = sizeof(addr);
++      int ret;
++
++      do {
++              ret = recvfrom(fd, rep, sizeof(*rep), 0,
++                             (struct sockaddr *)&addr, &addrlen);
++      } while (ret < 0 && errno == EINTR);
++
++      if (ret < 0 ||
++          addrlen != sizeof(addr) ||
++          addr.nl_pid != 0 ||
++          rep->nlh.nlmsg_type == NLMSG_ERROR) /* short-cut for now */
++              return -1;
++
++      return ret;
++}
++
++int audit_send(int fd, uint16_t type, uint32_t key, uint32_t val)
++{
++      static int seq = 0;
++      struct audit_message msg = {
++              .nlh = {
++                      .nlmsg_len   = NLMSG_SPACE(sizeof(msg.u.s)),
++                      .nlmsg_type  = type,
++                      .nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK,
++                      .nlmsg_seq   = ++seq,
++              },
++              .u.s = {
++                      .mask    = key,
++                      .enabled = key == AUDIT_STATUS_ENABLED ? val : 0,
++                      .pid     = key == AUDIT_STATUS_PID ? val : 0,
++              }
++      };
++      struct sockaddr_nl addr = {
++              .nl_family = AF_NETLINK,
++      };
++      int ret;
++
++      do {
++              ret = sendto(fd, &msg, msg.nlh.nlmsg_len, 0,
++                           (struct sockaddr *)&addr, sizeof(addr));
++      } while (ret < 0 && errno == EINTR);
++
++      if (ret != (int)msg.nlh.nlmsg_len)
++              return -1;
++      return 0;
++}
++
++int audit_set(int fd, uint32_t key, uint32_t val)
++{
++      struct audit_message rep = { 0 };
++      int ret;
++
++      ret = audit_send(fd, AUDIT_SET, key, val);
++      if (ret)
++              return ret;
++
++      ret = audit_recv(fd, &rep);
++      if (ret < 0)
++              return ret;
++      return 0;
++}
++
++int readlog(int fd)
++{
++      struct audit_message rep = { 0 };
++      int ret = audit_recv(fd, &rep);
++      const char *sep = "";
++      char *k, *v;
++
++      if (ret < 0)
++              return ret;
++
++      if (rep.nlh.nlmsg_type != AUDIT_NETFILTER_CFG)
++              return 0;
++
++      /* skip the initial "audit(...): " part */
++      strtok(rep.u.data, " ");
++
++      while ((k = strtok(NULL, "="))) {
++              v = strtok(NULL, " ");
++
++              /* these vary and/or are uninteresting, ignore */
++              if (!strcmp(k, "pid") ||
++                  !strcmp(k, "comm") ||
++                  !strcmp(k, "subj"))
++                      continue;
++
++              /* strip the varying sequence number */
++              if (!strcmp(k, "table"))
++                      *strchrnul(v, ':') = '\0';
++
++              printf("%s%s=%s", sep, k, v);
++              sep = " ";
++      }
++      if (*sep) {
++              printf("\n");
++              fflush(stdout);
++      }
++      return 0;
++}
++
++void cleanup(int sig)
++{
++      audit_set(fd, AUDIT_STATUS_ENABLED, 0);
++      close(fd);
++      if (sig)
++              exit(0);
++}
++
++int main(int argc, char **argv)
++{
++      struct sigaction act = {
++              .sa_handler = cleanup,
++      };
++
++      fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
++      if (fd < 0) {
++              perror("Can't open netlink socket");
++              return -1;
++      }
++
++      if (sigaction(SIGTERM, &act, NULL) < 0 ||
++          sigaction(SIGINT, &act, NULL) < 0) {
++              perror("Can't set signal handler");
++              close(fd);
++              return -1;
++      }
++
++      audit_set(fd, AUDIT_STATUS_ENABLED, 1);
++      audit_set(fd, AUDIT_STATUS_PID, getpid());
++
++      while (1)
++              readlog(fd);
++}
+diff --git a/tools/testing/selftests/netfilter/config b/tools/testing/selftests/netfilter/config
+index 4faf2ce021d90..7c42b1b2c69b4 100644
+--- a/tools/testing/selftests/netfilter/config
++++ b/tools/testing/selftests/netfilter/config
+@@ -6,3 +6,4 @@ CONFIG_NFT_REDIR=m
+ CONFIG_NFT_MASQ=m
+ CONFIG_NFT_FLOW_OFFLOAD=m
+ CONFIG_NF_CT_NETLINK=m
++CONFIG_AUDIT=y
+diff --git a/tools/testing/selftests/netfilter/nft_audit.sh b/tools/testing/selftests/netfilter/nft_audit.sh
+new file mode 100755
+index 0000000000000..83c271b1c7352
+--- /dev/null
++++ b/tools/testing/selftests/netfilter/nft_audit.sh
+@@ -0,0 +1,108 @@
++#!/bin/bash
++# SPDX-License-Identifier: GPL-2.0
++#
++# Check that audit logs generated for nft commands are as expected.
++
++SKIP_RC=4
++RC=0
++
++nft --version >/dev/null 2>&1 || {
++      echo "SKIP: missing nft tool"
++      exit $SKIP_RC
++}
++
++logfile=$(mktemp)
++echo "logging into $logfile"
++./audit_logread >"$logfile" &
++logread_pid=$!
++trap 'kill $logread_pid; rm -f $logfile' EXIT
++exec 3<"$logfile"
++
++do_test() { # (cmd, log)
++      echo -n "testing for cmd: $1 ... "
++      cat <&3 >/dev/null
++      $1 >/dev/null || exit 1
++      sleep 0.1
++      res=$(diff -a -u <(echo "$2") - <&3)
++      [ $? -eq 0 ] && { echo "OK"; return; }
++      echo "FAIL"
++      echo "$res"
++      ((RC++))
++}
++
++nft flush ruleset
++
++for table in t1 t2; do
++      do_test "nft add table $table" \
++      "table=$table family=2 entries=1 op=nft_register_table"
++
++      do_test "nft add chain $table c1" \
++      "table=$table family=2 entries=1 op=nft_register_chain"
++
++      do_test "nft add chain $table c2; add chain $table c3" \
++      "table=$table family=2 entries=2 op=nft_register_chain"
++
++      cmd="add rule $table c1 counter"
++
++      do_test "nft $cmd" \
++      "table=$table family=2 entries=1 op=nft_register_rule"
++
++      do_test "nft $cmd; $cmd" \
++      "table=$table family=2 entries=2 op=nft_register_rule"
++
++      cmd=""
++      sep=""
++      for chain in c2 c3; do
++              for i in {1..3}; do
++                      cmd+="$sep add rule $table $chain counter"
++                      sep=";"
++              done
++      done
++      do_test "nft $cmd" \
++      "table=$table family=2 entries=6 op=nft_register_rule"
++done
++
++do_test 'nft reset rules t1 c2' \
++'table=t1 family=2 entries=3 op=nft_reset_rule'
++
++do_test 'nft reset rules table t1' \
++'table=t1 family=2 entries=3 op=nft_reset_rule
++table=t1 family=2 entries=3 op=nft_reset_rule
++table=t1 family=2 entries=3 op=nft_reset_rule'
++
++do_test 'nft reset rules' \
++'table=t1 family=2 entries=3 op=nft_reset_rule
++table=t1 family=2 entries=3 op=nft_reset_rule
++table=t1 family=2 entries=3 op=nft_reset_rule
++table=t2 family=2 entries=3 op=nft_reset_rule
++table=t2 family=2 entries=3 op=nft_reset_rule
++table=t2 family=2 entries=3 op=nft_reset_rule'
++
++for ((i = 0; i < 500; i++)); do
++      echo "add rule t2 c3 counter accept comment \"rule $i\""
++done | do_test 'nft -f -' \
++'table=t2 family=2 entries=500 op=nft_register_rule'
++
++do_test 'nft reset rules t2 c3' \
++'table=t2 family=2 entries=189 op=nft_reset_rule
++table=t2 family=2 entries=188 op=nft_reset_rule
++table=t2 family=2 entries=126 op=nft_reset_rule'
++
++do_test 'nft reset rules t2' \
++'table=t2 family=2 entries=3 op=nft_reset_rule
++table=t2 family=2 entries=3 op=nft_reset_rule
++table=t2 family=2 entries=186 op=nft_reset_rule
++table=t2 family=2 entries=188 op=nft_reset_rule
++table=t2 family=2 entries=129 op=nft_reset_rule'
++
++do_test 'nft reset rules' \
++'table=t1 family=2 entries=3 op=nft_reset_rule
++table=t1 family=2 entries=3 op=nft_reset_rule
++table=t1 family=2 entries=3 op=nft_reset_rule
++table=t2 family=2 entries=3 op=nft_reset_rule
++table=t2 family=2 entries=3 op=nft_reset_rule
++table=t2 family=2 entries=180 op=nft_reset_rule
++table=t2 family=2 entries=188 op=nft_reset_rule
++table=t2 family=2 entries=135 op=nft_reset_rule'
++
++exit $RC
+-- 
+2.40.1
+
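Review bot: cleanup() in audit_logread.c sends `audit_set(fd, AUDIT_STATUS_ENABLED, 0)` unconditionally, so a host that had auditing enabled before the selftest ran is left with it disabled afterwards. main() never reads the state it finds at startup, so there is nothing to restore from, and it also registers itself through AUDIT_STATUS_PID; whether an audit daemon already running on the host is displaced by that is not visible here. Both audit_set() calls in main() ignore their return value, so a failure to enable auditing is not reported and only shows up later as mismatching test output. At minimum I would document the side effect above cleanup(): `/* NOTE: disables auditing system-wide; the state found at startup is not restored */`.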
index 5ac9950abdf029801f79087c254a3f36a076a901..71dc571ba2e02a96bf6a00a1a291ab82fe78f50d 100644 (file)
@@ -23,3 +23,84 @@ net-release-reference-to-inet6_dev-pointer.patch
 iommu-arm-smmu-v3-avoid-constructing-invalid-range-c.patch
 maple_tree-reduce-resets-during-store-setup.patch
 maple_tree-add-mas_underflow-and-mas_overflow-states.patch
+hid-sony-fix-a-potential-memory-leak-in-sony_probe.patch
+wifi-mt76-fix-lock-dependency-problem-for-wed_lock.patch
+ubi-refuse-attaching-if-mtd-s-erasesize-is-0.patch
+erofs-fix-memory-leak-of-lzma-global-compressed-dedu.patch
+wifi-cfg80211-mac80211-hold-link-bsses-when-assoc-fa.patch
+iwlwifi-mvm-handle-ps-changes-in-vif_cfg_changed.patch
+wifi-iwlwifi-dbg_ini-fix-structure-packing.patch
+wifi-iwlwifi-mvm-fix-a-memory-corruption-issue.patch
+wifi-cfg80211-fix-cqm_config-access-race.patch
+rtla-timerlat_aa-zero-thread-sum-after-every-sample-.patch
+rtla-timerlat_aa-fix-negative-irq-delay.patch
+rtla-timerlat_aa-fix-previous-irq-delay-for-irqs-tha.patch
+wifi-cfg80211-add-missing-kernel-doc-for-cqm_rssi_wo.patch
+wifi-mac80211-fix-mesh-id-corruption-on-32-bit-syste.patch
+wifi-mwifiex-fix-oob-check-condition-in-mwifiex_proc.patch
+hid-nvidia-shield-add-leds_class-dependency.patch
+erofs-allow-empty-device-tags-in-flatdev-mode.patch
+s390-bpf-let-arch_prepare_bpf_trampoline-return-prog.patch
+leds-drop-bug_on-check-for-led_color_id_multi.patch
+bpf-fix-tr-dereferencing.patch
+bpf-unconditionally-reset-backtrack_state-masks-on-g.patch
+regulator-mt6358-split-ops-for-buck-and-linear-range.patch
+bluetooth-delete-unused-hci_req_prepare_suspend-decl.patch
+bluetooth-fix-hci_link_tx_to-rcu-lock-usage.patch
+bluetooth-iso-fix-handling-of-listen-for-unicast.patch
+drivers-net-process-the-result-of-hdlc_open-and-add-.patch
+wifi-mt76-mt76x02-fix-mt76x0-external-lna-gain-handl.patch
+perf-x86-amd-core-fix-overflow-reset-on-hotplug.patch
+rtla-timerlat-do-not-stop-user-space-if-a-cpu-is-off.patch
+regmap-rbtree-fix-wrong-register-marked-as-in-cache-.patch
+wifi-mac80211-fix-potential-key-use-after-free.patch
+perf-x86-amd-do-not-warn-on-every-irq.patch
+iommu-mediatek-fix-share-pgtable-for-iova-over-4gb.patch
+wifi-mac80211-create-resources-for-disabled-links.patch
+regulator-core-regulator_register-set-device-class-e.patch
+ima-finish-deprecation-of-ima_trusted_keyring-kconfi.patch
+wifi-iwlwifi-mvm-fix-incorrect-usage-of-scan-api.patch
+scsi-target-core-fix-deadlock-due-to-recursive-locki.patch
+ima-rework-config_ima-dependency-block.patch
+nfsv4-fix-a-nfs4_state_manager-race.patch
+ice-always-add-legacy-32byte-rxdid-in-supported_rxdi.patch
+bpf-tcp_read_skb-needs-to-pop-skb-regardless-of-seq.patch
+bpf-sockmap-do-not-inc-copied_seq-when-peek-flag-set.patch
+bpf-sockmap-reject-sk_msg-egress-redirects-to-non-tc.patch
+modpost-add-missing-else-to-the-of-check.patch
+net-stmmac-platform-fix-the-incorrect-parameter.patch
+net-fix-possible-store-tearing-in-neigh_periodic_wor.patch
+neighbour-fix-data-races-around-n-output.patch
+ipv4-ipv6-fix-handling-of-transhdrlen-in-__ip-6-_app.patch
+ptp-ocp-fix-error-handling-in-ptp_ocp_device_init.patch
+net-dsa-mv88e6xxx-avoid-eeprom-timeout-when-eeprom-i.patch
+ovl-move-freeing-ovl_entry-past-rcu-delay.patch
+ovl-fetch-inode-once-in-ovl_dentry_revalidate_common.patch
+ipv6-tcp-add-a-missing-nf_reset_ct-in-3whs-handling.patch
+net-usb-smsc75xx-fix-uninit-value-access-in-__smsc75.patch
+ethtool-plca-fix-plca-enable-data-type-while-parsing.patch
+net-nfc-llcp-add-lock-when-modifying-device-list.patch
+net-renesas-rswitch-add-spin-lock-protection-for-irq.patch
+rswitch-fix-phy-station-management-clock-setting.patch
+net-ethernet-ti-am65-cpsw-fix-error-code-in-am65_cps.patch
+ibmveth-remove-condition-to-recompute-tcp-header-che.patch
+netfilter-nft_payload-rebuild-vlan-header-on-h_proto.patch
+netfilter-handle-the-connecting-collision-properly-i.patch
+selftests-netfilter-test-nf_tables-audit-logging.patch
+selftests-netfilter-extend-nft_audit.sh.patch
+netfilter-nf_tables-deduplicate-nft_register_obj-aud.patch
+netfilter-nf_tables-nft_set_rbtree-fix-spurious-inse.patch
+ipv4-set-offload_failed-flag-in-fibmatch-results.patch
+net-stmmac-dwmac-stm32-fix-resume-on-stm32-mcu.patch
+tipc-fix-a-potential-deadlock-on-tx-lock.patch
+tcp-fix-quick-ack-counting-to-count-actual-acks-of-n.patch
+tcp-fix-delayed-acks-for-mss-boundary-condition.patch
+sctp-update-transport-state-when-processing-a-dupcoo.patch
+sctp-update-hb-timer-immediately-after-users-change-.patch
+netlink-annotate-data-races-around-sk-sk_err.patch
+net-mana-fix-the-tso_bytes-calculation.patch
+net-mana-fix-oversized-sge0-for-gso-packets.patch
+hid-nvidia-shield-fix-a-missing-led_classdev_unregis.patch
+hid-sony-remove-duplicate-null-check-before-calling-.patch
+hid-intel-ish-hid-ipc-disable-and-reenable-acpi-gpe-.patch
+net-lan743x-also-select-phylib.patch
diff --git a/queue-6.5/tcp-fix-delayed-acks-for-mss-boundary-condition.patch b/queue-6.5/tcp-fix-delayed-acks-for-mss-boundary-condition.patch
new file mode 100644 (file)
index 0000000..b8e349b
--- /dev/null
@@ -0,0 +1,99 @@
+From 348fdd1ffce9ea3cfe08dd230aa6cc3c006b5f0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Oct 2023 11:12:39 -0400
+Subject: tcp: fix delayed ACKs for MSS boundary condition
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit 4720852ed9afb1c5ab84e96135cb5b73d5afde6f ]
+
+This commit fixes poor delayed ACK behavior that can cause poor TCP
+latency in a particular boundary condition: when an application makes
+a TCP socket write that is an exact multiple of the MSS size.
+
+The problem is that there is painful boundary discontinuity in the
+current delayed ACK behavior. With the current delayed ACK behavior,
+we have:
+
+(1) If an app reads data when > 1*MSS is unacknowledged, then
+    tcp_cleanup_rbuf() ACKs immediately because of:
+
+     tp->rcv_nxt - tp->rcv_wup > icsk->icsk_ack.rcv_mss ||
+
+(2) If an app reads all received data, and the packets were < 1*MSS,
+    and either (a) the app is not ping-pong or (b) we received two
+    packets < 1*MSS, then tcp_cleanup_rbuf() ACKs immediately beecause
+    of:
+
+     ((icsk->icsk_ack.pending & ICSK_ACK_PUSHED2) ||
+      ((icsk->icsk_ack.pending & ICSK_ACK_PUSHED) &&
+       !inet_csk_in_pingpong_mode(sk))) &&
+
+(3) *However*: if an app reads exactly 1*MSS of data,
+    tcp_cleanup_rbuf() does not send an immediate ACK. This is true
+    even if the app is not ping-pong and the 1*MSS of data had the PSH
+    bit set, suggesting the sending application completed an
+    application write.
+
+Thus if the app is not ping-pong, we have this painful case where
+>1*MSS gets an immediate ACK, and <1*MSS gets an immediate ACK, but a
+write whose last skb is an exact multiple of 1*MSS can get a 40ms
+delayed ACK. This means that any app that transfers data in one
+direction and takes care to align write size or packet size with MSS
+can suffer this problem. With receive zero copy making 4KB MSS values
+more common, it is becoming more common to have application writes
+naturally align with MSS, and more applications are likely to
+encounter this delayed ACK problem.
+
+The fix in this commit is to refine the delayed ACK heuristics with a
+simple check: immediately ACK a received 1*MSS skb with PSH bit set if
+the app reads all data. Why? If an skb has a len of exactly 1*MSS and
+has the PSH bit set then it is likely the end of an application
+write. So more data may not be arriving soon, and yet the data sender
+may be waiting for an ACK if cwnd-bound or using TX zero copy. Thus we
+set ICSK_ACK_PUSHED in this case so that tcp_cleanup_rbuf() will send
+an ACK immediately if the app reads all of the data and is not
+ping-pong. Note that this logic is also executed for the case where
+len > MSS, but in that case this logic does not matter (and does not
+hurt) because tcp_cleanup_rbuf() will always ACK immediately if the
+app reads data and there is more than an MSS of unACKed data.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Reviewed-by: Yuchung Cheng <ycheng@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Cc: Xin Guo <guoxin0309@gmail.com>
+Link: https://lore.kernel.org/r/20231001151239.1866845-2-ncardwell.sw@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 48c2b96b08435..a5781f86ac375 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -243,6 +243,19 @@ static void tcp_measure_rcv_mss(struct sock *sk, const struct sk_buff *skb)
+               if (unlikely(len > icsk->icsk_ack.rcv_mss +
+                                  MAX_TCP_OPTION_SPACE))
+                       tcp_gro_dev_warn(sk, skb, len);
++              /* If the skb has a len of exactly 1*MSS and has the PSH bit
++               * set then it is likely the end of an application write. So
++               * more data may not be arriving soon, and yet the data sender
++               * may be waiting for an ACK if cwnd-bound or using TX zero
++               * copy. So we set ICSK_ACK_PUSHED here so that
++               * tcp_cleanup_rbuf() will send an ACK immediately if the app
++               * reads all of the data and is not ping-pong. If len > MSS
++               * then this logic does not matter (and does not hurt) because
++               * tcp_cleanup_rbuf() will always ACK immediately if the app
++               * reads data and there is more than an MSS of unACKed data.
++               */
++              if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_PSH)
++                      icsk->icsk_ack.pending |= ICSK_ACK_PUSHED;
+       } else {
+               /* Otherwise, we make more careful check taking into account,
+                * that SACKs block is variable.
+-- 
+2.40.1
+
diff --git a/queue-6.5/tcp-fix-quick-ack-counting-to-count-actual-acks-of-n.patch b/queue-6.5/tcp-fix-quick-ack-counting-to-count-actual-acks-of-n.patch
new file mode 100644 (file)
index 0000000..f370835
--- /dev/null
@@ -0,0 +1,102 @@
+From 6ca414058761864b36130171a57bd1dbddc60e38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Oct 2023 11:12:38 -0400
+Subject: tcp: fix quick-ack counting to count actual ACKs of new data
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit 059217c18be6757b95bfd77ba53fb50b48b8a816 ]
+
+This commit fixes quick-ack counting so that it only considers that a
+quick-ack has been provided if we are sending an ACK that newly
+acknowledges data.
+
+The code was erroneously using the number of data segments in outgoing
+skbs when deciding how many quick-ack credits to remove. This logic
+does not make sense, and could cause poor performance in
+request-response workloads, like RPC traffic, where requests or
+responses can be multi-segment skbs.
+
+When a TCP connection decides to send N quick-acks, that is to
+accelerate the cwnd growth of the congestion control module
+controlling the remote endpoint of the TCP connection. That quick-ack
+decision is purely about the incoming data and outgoing ACKs. It has
+nothing to do with the outgoing data or the size of outgoing data.
+
+And in particular, an ACK only serves the intended purpose of allowing
+the remote congestion control to grow the congestion window quickly if
+the ACK is ACKing or SACKing new data.
+
+The fix is simple: only count packets as serving the goal of the
+quickack mechanism if they are ACKing/SACKing new data. We can tell
+whether this is the case by checking inet_csk_ack_scheduled(), since
+we schedule an ACK exactly when we are ACKing/SACKing new data.
+
+Fixes: fc6415bcb0f5 ("[TCP]: Fix quick-ack decrementing with TSO.")
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Reviewed-by: Yuchung Cheng <ycheng@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20231001151239.1866845-1-ncardwell.sw@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tcp.h     | 6 ++++--
+ net/ipv4/tcp_output.c | 7 +++----
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 10fc5c5928f71..b1b1e01c69839 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -350,12 +350,14 @@ ssize_t tcp_splice_read(struct socket *sk, loff_t *ppos,
+ struct sk_buff *tcp_stream_alloc_skb(struct sock *sk, gfp_t gfp,
+                                    bool force_schedule);
+-static inline void tcp_dec_quickack_mode(struct sock *sk,
+-                                       const unsigned int pkts)
++static inline void tcp_dec_quickack_mode(struct sock *sk)
+ {
+       struct inet_connection_sock *icsk = inet_csk(sk);
+       if (icsk->icsk_ack.quick) {
++              /* How many ACKs S/ACKing new data have we sent? */
++              const unsigned int pkts = inet_csk_ack_scheduled(sk) ? 1 : 0;
++
+               if (pkts >= icsk->icsk_ack.quick) {
+                       icsk->icsk_ack.quick = 0;
+                       /* Leaving quickack mode we deflate ATO. */
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 9f9ca68c47026..37fd9537423f1 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -177,8 +177,7 @@ static void tcp_event_data_sent(struct tcp_sock *tp,
+ }
+ /* Account for an ACK we sent. */
+-static inline void tcp_event_ack_sent(struct sock *sk, unsigned int pkts,
+-                                    u32 rcv_nxt)
++static inline void tcp_event_ack_sent(struct sock *sk, u32 rcv_nxt)
+ {
+       struct tcp_sock *tp = tcp_sk(sk);
+@@ -192,7 +191,7 @@ static inline void tcp_event_ack_sent(struct sock *sk, unsigned int pkts,
+       if (unlikely(rcv_nxt != tp->rcv_nxt))
+               return;  /* Special ACK sent by DCTCP to reflect ECN */
+-      tcp_dec_quickack_mode(sk, pkts);
++      tcp_dec_quickack_mode(sk);
+       inet_csk_clear_xmit_timer(sk, ICSK_TIME_DACK);
+ }
+@@ -1372,7 +1371,7 @@ static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb,
+                          sk, skb);
+       if (likely(tcb->tcp_flags & TCPHDR_ACK))
+-              tcp_event_ack_sent(sk, tcp_skb_pcount(skb), rcv_nxt);
++              tcp_event_ack_sent(sk, rcv_nxt);
+       if (skb->len != tcp_header_size) {
+               tcp_event_data_sent(tp, sk);
+-- 
+2.40.1
+
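Review bot: tcp_dec_quickack_mode() in include/net/tcp.h now derives `pkts` from inet_csk_ack_scheduled(sk), so its result depends on running before the delayed-ACK state is cleared, and nothing in the code records that ordering. In tcp_event_ack_sent() the call sits on the line directly before `inet_csk_clear_xmit_timer(sk, ICSK_TIME_DACK)`, which as far as I know resets the pending flags; swapping the two lines would silently make `pkts` always 0. A comment above the call would pin this down, for example `/* Must run before the DACK timer is cleared: reads the ACK-scheduled state. */`. The body of tcp_dec_quickack_mode() continues past the hunk.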
diff --git a/queue-6.5/tipc-fix-a-potential-deadlock-on-tx-lock.patch b/queue-6.5/tipc-fix-a-potential-deadlock-on-tx-lock.patch
new file mode 100644 (file)
index 0000000..e1a2aaf
--- /dev/null
@@ -0,0 +1,70 @@
+From 19521237f120a5a168bdb01514f35b44ac1af8d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Sep 2023 18:14:14 +0000
+Subject: tipc: fix a potential deadlock on &tx->lock
+
+From: Chengfeng Ye <dg573847474@gmail.com>
+
+[ Upstream commit 08e50cf071847323414df0835109b6f3560d44f5 ]
+
+It seems that tipc_crypto_key_revoke() could be be invoked by
+wokequeue tipc_crypto_work_rx() under process context and
+timer/rx callback under softirq context, thus the lock acquisition
+on &tx->lock seems better use spin_lock_bh() to prevent possible
+deadlock.
+
+This flaw was found by an experimental static analysis tool I am
+developing for irq-related deadlock.
+
+tipc_crypto_work_rx() <workqueue>
+--> tipc_crypto_key_distr()
+--> tipc_bcast_xmit()
+--> tipc_bcbase_xmit()
+--> tipc_bearer_bc_xmit()
+--> tipc_crypto_xmit()
+--> tipc_ehdr_build()
+--> tipc_crypto_key_revoke()
+--> spin_lock(&tx->lock)
+<timer interrupt>
+   --> tipc_disc_timeout()
+   --> tipc_bearer_xmit_skb()
+   --> tipc_crypto_xmit()
+   --> tipc_ehdr_build()
+   --> tipc_crypto_key_revoke()
+   --> spin_lock(&tx->lock) <deadlock here>
+
+Signed-off-by: Chengfeng Ye <dg573847474@gmail.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
+Link: https://lore.kernel.org/r/20230927181414.59928-1-dg573847474@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/crypto.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
+index 302fd749c4249..43c3f1c971b8f 100644
+--- a/net/tipc/crypto.c
++++ b/net/tipc/crypto.c
+@@ -1441,14 +1441,14 @@ static int tipc_crypto_key_revoke(struct net *net, u8 tx_key)
+       struct tipc_crypto *tx = tipc_net(net)->crypto_tx;
+       struct tipc_key key;
+-      spin_lock(&tx->lock);
++      spin_lock_bh(&tx->lock);
+       key = tx->key;
+       WARN_ON(!key.active || tx_key != key.active);
+       /* Free the active key */
+       tipc_crypto_key_set_state(tx, key.passive, 0, key.pending);
+       tipc_crypto_key_detach(tx->aead[key.active], &tx->lock);
+-      spin_unlock(&tx->lock);
++      spin_unlock_bh(&tx->lock);
+       pr_warn("%s: key is revoked\n", tx->name);
+       return -EKEYREVOKED;
+-- 
+2.40.1
+
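Review bot: The switch to `spin_lock_bh(&tx->lock)` in tipc_crypto_key_revoke() (net/tipc/crypto.c) carries no comment saying which softirq path it protects against, so a later cleanup could revert it to the plain variant. The reason is in the commit message only; I would add `/* tx->lock is also taken from timer/rx softirq via tipc_crypto_xmit(); keep BHs disabled */` above the lock call. Other acquisitions of tx->lock are outside this hunk, and any that still use plain spin_lock() from process context would have the same exposure, so they are worth checking together. The function starts and ends outside the hunk.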
diff --git a/queue-6.5/ubi-refuse-attaching-if-mtd-s-erasesize-is-0.patch b/queue-6.5/ubi-refuse-attaching-if-mtd-s-erasesize-is-0.patch
new file mode 100644 (file)
index 0000000..cc953b6
--- /dev/null
@@ -0,0 +1,45 @@
+From 2ee91cb640cc1b4e27e13646960f773a668368b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Apr 2023 19:10:41 +0800
+Subject: ubi: Refuse attaching if mtd's erasesize is 0
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 017c73a34a661a861712f7cc1393a123e5b2208c ]
+
+There exists mtd devices with zero erasesize, which will trigger a
+divide-by-zero exception while attaching ubi device.
+Fix it by refusing attaching if mtd's erasesize is 0.
+
+Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
+Reported-by: Yu Hao <yhao016@ucr.edu>
+Link: https://lore.kernel.org/lkml/977347543.226888.1682011999468.JavaMail.zimbra@nod.at/T/
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ubi/build.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
+index 8b91a55ec0d28..8ee51e49fced5 100644
+--- a/drivers/mtd/ubi/build.c
++++ b/drivers/mtd/ubi/build.c
+@@ -894,6 +894,13 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
+               return -EINVAL;
+       }
++      /* UBI cannot work on flashes with zero erasesize. */
++      if (!mtd->erasesize) {
++              pr_err("ubi: refuse attaching mtd%d - zero erasesize flash is not supported\n",
++                      mtd->index);
++              return -EINVAL;
++      }
++
+       if (ubi_num == UBI_DEV_NUM_AUTO) {
+               /* Search for an empty slot in the @ubi_devices array */
+               for (ubi_num = 0; ubi_num < UBI_MAX_DEVICES; ubi_num++)
+-- 
+2.40.1
+
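Review bot: The new comment in ubi_attach_mtd_dev() (drivers/mtd/ubi/build.c) says a zero erasesize is unsupported but not why the check has to come before the rest of the attach path. The commit message gives the reason, a divide-by-zero while attaching, and that belongs in the code, for example `/* erasesize is used as a divisor while attaching; reject zero before any geometry math. */`. Only erasesize is validated here; whether other mtd geometry fields are used as divisors on this path cannot be told from the hunk. The function continues beyond the hunk.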
diff --git a/queue-6.5/wifi-cfg80211-add-missing-kernel-doc-for-cqm_rssi_wo.patch b/queue-6.5/wifi-cfg80211-add-missing-kernel-doc-for-cqm_rssi_wo.patch
new file mode 100644 (file)
index 0000000..2da3bf2
--- /dev/null
@@ -0,0 +1,35 @@
+From 1bb05f20077877f639fafa5480086d51eb52a346 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 09:36:57 +0200
+Subject: wifi: cfg80211: add missing kernel-doc for cqm_rssi_work
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit d1383077c225ceb87ac7a3b56b2c505193f77ed7 ]
+
+As reported by Stephen, I neglected to add the kernel-doc
+for the new struct member. Fix that.
+
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Fixes: 37c20b2effe9 ("wifi: cfg80211: fix cqm_config access race")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/cfg80211.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
+index 0debc3c9364e8..641c6edc9b81d 100644
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -5942,6 +5942,7 @@ void wiphy_delayed_work_cancel(struct wiphy *wiphy,
+  * @event_lock: (private) lock for event list
+  * @owner_nlportid: (private) owner socket port ID
+  * @nl_owner_dead: (private) owner socket went away
++ * @cqm_rssi_work: (private) CQM RSSI reporting work
+  * @cqm_config: (private) nl80211 RSSI monitor state
+  * @pmsr_list: (private) peer measurement requests
+  * @pmsr_lock: (private) peer measurements requests/results lock
+-- 
+2.40.1
+
diff --git a/queue-6.5/wifi-cfg80211-fix-cqm_config-access-race.patch b/queue-6.5/wifi-cfg80211-fix-cqm_config-access-race.patch
new file mode 100644 (file)
index 0000000..b77e474
--- /dev/null
@@ -0,0 +1,330 @@
+From 67e1c9eec9797ffc64df9c7aadfc554dd7a99fc5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Aug 2023 15:38:04 +0200
+Subject: wifi: cfg80211: fix cqm_config access race
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 37c20b2effe987b806c8de6d12978e4ffeff026f ]
+
+Max Schulze reports crashes with brcmfmac. The reason seems
+to be a race between userspace removing the CQM config and
+the driver calling cfg80211_cqm_rssi_notify(), where if the
+data is freed while cfg80211_cqm_rssi_notify() runs it will
+crash since it assumes wdev->cqm_config is set. This can't
+be fixed with a simple non-NULL check since there's nothing
+we can do for locking easily, so use RCU instead to protect
+the pointer, but that requires pulling the updates out into
+an asynchronous worker so they can sleep and call back into
+the driver.
+
+Since we need to change the free anyway, also change it to
+go back to the old settings if changing the settings fails.
+
+Reported-and-tested-by: Max Schulze <max.schulze@online.de>
+Closes: https://lore.kernel.org/r/ac96309a-8d8d-4435-36e6-6d152eb31876@online.de
+Fixes: 4a4b8169501b ("cfg80211: Accept multiple RSSI thresholds for CQM")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/cfg80211.h |  3 +-
+ net/wireless/core.c    | 14 +++----
+ net/wireless/core.h    |  7 +++-
+ net/wireless/nl80211.c | 93 +++++++++++++++++++++++++++---------------
+ 4 files changed, 75 insertions(+), 42 deletions(-)
+
+diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
+index 3f03f9b375e56..0debc3c9364e8 100644
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -6014,7 +6014,8 @@ struct wireless_dev {
+       } wext;
+ #endif
+-      struct cfg80211_cqm_config *cqm_config;
++      struct wiphy_work cqm_rssi_work;
++      struct cfg80211_cqm_config __rcu *cqm_config;
+       struct list_head pmsr_list;
+       spinlock_t pmsr_lock;
+diff --git a/net/wireless/core.c b/net/wireless/core.c
+index 25bc2e50a0615..64e8616171104 100644
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -1181,16 +1181,11 @@ void wiphy_rfkill_set_hw_state_reason(struct wiphy *wiphy, bool blocked,
+ }
+ EXPORT_SYMBOL(wiphy_rfkill_set_hw_state_reason);
+-void cfg80211_cqm_config_free(struct wireless_dev *wdev)
+-{
+-      kfree(wdev->cqm_config);
+-      wdev->cqm_config = NULL;
+-}
+-
+ static void _cfg80211_unregister_wdev(struct wireless_dev *wdev,
+                                     bool unregister_netdev)
+ {
+       struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
++      struct cfg80211_cqm_config *cqm_config;
+       unsigned int link_id;
+       ASSERT_RTNL();
+@@ -1227,7 +1222,10 @@ static void _cfg80211_unregister_wdev(struct wireless_dev *wdev,
+       kfree_sensitive(wdev->wext.keys);
+       wdev->wext.keys = NULL;
+ #endif
+-      cfg80211_cqm_config_free(wdev);
++      wiphy_work_cancel(wdev->wiphy, &wdev->cqm_rssi_work);
++      /* deleted from the list, so can't be found from nl80211 any more */
++      cqm_config = rcu_access_pointer(wdev->cqm_config);
++      kfree_rcu(cqm_config, rcu_head);
+       /*
+        * Ensure that all events have been processed and
+@@ -1379,6 +1377,8 @@ void cfg80211_init_wdev(struct wireless_dev *wdev)
+       wdev->wext.connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
+ #endif
++      wiphy_work_init(&wdev->cqm_rssi_work, cfg80211_cqm_rssi_notify_work);
++
+       if (wdev->wiphy->flags & WIPHY_FLAG_PS_ON_BY_DEFAULT)
+               wdev->ps = true;
+       else
+diff --git a/net/wireless/core.h b/net/wireless/core.h
+index 8a807b609ef73..86f209abc06ab 100644
+--- a/net/wireless/core.h
++++ b/net/wireless/core.h
+@@ -295,12 +295,17 @@ struct cfg80211_beacon_registration {
+ };
+ struct cfg80211_cqm_config {
++      struct rcu_head rcu_head;
+       u32 rssi_hyst;
+       s32 last_rssi_event_value;
++      enum nl80211_cqm_rssi_threshold_event last_rssi_event_type;
+       int n_rssi_thresholds;
+       s32 rssi_thresholds[];
+ };
++void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy,
++                                 struct wiphy_work *work);
++
+ void cfg80211_destroy_ifaces(struct cfg80211_registered_device *rdev);
+ /* free object */
+@@ -566,8 +571,6 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
+ #define CFG80211_DEV_WARN_ON(cond)    ({bool __r = (cond); __r; })
+ #endif
+-void cfg80211_cqm_config_free(struct wireless_dev *wdev);
+-
+ void cfg80211_release_pmsr(struct wireless_dev *wdev, u32 portid);
+ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev);
+ void cfg80211_pmsr_free_wk(struct work_struct *work);
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 4dcbc40d07c85..705d1cf048309 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -12797,7 +12797,8 @@ static int nl80211_set_cqm_txe(struct genl_info *info,
+ }
+ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
+-                                  struct net_device *dev)
++                                  struct net_device *dev,
++                                  struct cfg80211_cqm_config *cqm_config)
+ {
+       struct wireless_dev *wdev = dev->ieee80211_ptr;
+       s32 last, low, high;
+@@ -12806,7 +12807,7 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
+       int err;
+       /* RSSI reporting disabled? */
+-      if (!wdev->cqm_config)
++      if (!cqm_config)
+               return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
+       /*
+@@ -12815,7 +12816,7 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
+        * connection is established and enough beacons received to calculate
+        * the average.
+        */
+-      if (!wdev->cqm_config->last_rssi_event_value &&
++      if (!cqm_config->last_rssi_event_value &&
+           wdev->links[0].client.current_bss &&
+           rdev->ops->get_station) {
+               struct station_info sinfo = {};
+@@ -12829,30 +12830,30 @@ static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
+               cfg80211_sinfo_release_content(&sinfo);
+               if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
+-                      wdev->cqm_config->last_rssi_event_value =
++                      cqm_config->last_rssi_event_value =
+                               (s8) sinfo.rx_beacon_signal_avg;
+       }
+-      last = wdev->cqm_config->last_rssi_event_value;
+-      hyst = wdev->cqm_config->rssi_hyst;
+-      n = wdev->cqm_config->n_rssi_thresholds;
++      last = cqm_config->last_rssi_event_value;
++      hyst = cqm_config->rssi_hyst;
++      n = cqm_config->n_rssi_thresholds;
+       for (i = 0; i < n; i++) {
+               i = array_index_nospec(i, n);
+-              if (last < wdev->cqm_config->rssi_thresholds[i])
++              if (last < cqm_config->rssi_thresholds[i])
+                       break;
+       }
+       low_index = i - 1;
+       if (low_index >= 0) {
+               low_index = array_index_nospec(low_index, n);
+-              low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
++              low = cqm_config->rssi_thresholds[low_index] - hyst;
+       } else {
+               low = S32_MIN;
+       }
+       if (i < n) {
+               i = array_index_nospec(i, n);
+-              high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
++              high = cqm_config->rssi_thresholds[i] + hyst - 1;
+       } else {
+               high = S32_MAX;
+       }
+@@ -12865,6 +12866,7 @@ static int nl80211_set_cqm_rssi(struct genl_info *info,
+                               u32 hysteresis)
+ {
+       struct cfg80211_registered_device *rdev = info->user_ptr[0];
++      struct cfg80211_cqm_config *cqm_config = NULL, *old;
+       struct net_device *dev = info->user_ptr[1];
+       struct wireless_dev *wdev = dev->ieee80211_ptr;
+       int i, err;
+@@ -12882,10 +12884,6 @@ static int nl80211_set_cqm_rssi(struct genl_info *info,
+           wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
+               return -EOPNOTSUPP;
+-      wdev_lock(wdev);
+-      cfg80211_cqm_config_free(wdev);
+-      wdev_unlock(wdev);
+-
+       if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
+               if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
+                       return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
+@@ -12902,9 +12900,10 @@ static int nl80211_set_cqm_rssi(struct genl_info *info,
+               n_thresholds = 0;
+       wdev_lock(wdev);
+-      if (n_thresholds) {
+-              struct cfg80211_cqm_config *cqm_config;
++      old = rcu_dereference_protected(wdev->cqm_config,
++                                      lockdep_is_held(&wdev->mtx));
++      if (n_thresholds) {
+               cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
+                                                n_thresholds),
+                                    GFP_KERNEL);
+@@ -12919,11 +12918,18 @@ static int nl80211_set_cqm_rssi(struct genl_info *info,
+                      flex_array_size(cqm_config, rssi_thresholds,
+                                      n_thresholds));
+-              wdev->cqm_config = cqm_config;
++              rcu_assign_pointer(wdev->cqm_config, cqm_config);
++      } else {
++              RCU_INIT_POINTER(wdev->cqm_config, NULL);
+       }
+-      err = cfg80211_cqm_rssi_update(rdev, dev);
+-
++      err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
++      if (err) {
++              rcu_assign_pointer(wdev->cqm_config, old);
++              kfree_rcu(cqm_config, rcu_head);
++      } else {
++              kfree_rcu(old, rcu_head);
++      }
+ unlock:
+       wdev_unlock(wdev);
+@@ -19074,9 +19080,8 @@ void cfg80211_cqm_rssi_notify(struct net_device *dev,
+                             enum nl80211_cqm_rssi_threshold_event rssi_event,
+                             s32 rssi_level, gfp_t gfp)
+ {
+-      struct sk_buff *msg;
+       struct wireless_dev *wdev = dev->ieee80211_ptr;
+-      struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
++      struct cfg80211_cqm_config *cqm_config;
+       trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
+@@ -19084,18 +19089,41 @@ void cfg80211_cqm_rssi_notify(struct net_device *dev,
+                   rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
+               return;
+-      if (wdev->cqm_config) {
+-              wdev->cqm_config->last_rssi_event_value = rssi_level;
++      rcu_read_lock();
++      cqm_config = rcu_dereference(wdev->cqm_config);
++      if (cqm_config) {
++              cqm_config->last_rssi_event_value = rssi_level;
++              cqm_config->last_rssi_event_type = rssi_event;
++              wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
++      }
++      rcu_read_unlock();
++}
++EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
++
++void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
++{
++      struct wireless_dev *wdev = container_of(work, struct wireless_dev,
++                                               cqm_rssi_work);
++      struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
++      enum nl80211_cqm_rssi_threshold_event rssi_event;
++      struct cfg80211_cqm_config *cqm_config;
++      struct sk_buff *msg;
++      s32 rssi_level;
+-              cfg80211_cqm_rssi_update(rdev, dev);
++      wdev_lock(wdev);
++      cqm_config = rcu_dereference_protected(wdev->cqm_config,
++                                             lockdep_is_held(&wdev->mtx));
++      if (!wdev->cqm_config)
++              goto unlock;
+-              if (rssi_level == 0)
+-                      rssi_level = wdev->cqm_config->last_rssi_event_value;
+-      }
++      cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
+-      msg = cfg80211_prepare_cqm(dev, NULL, gfp);
++      rssi_level = cqm_config->last_rssi_event_value;
++      rssi_event = cqm_config->last_rssi_event_type;
++
++      msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
+       if (!msg)
+-              return;
++              goto unlock;
+       if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
+                       rssi_event))
+@@ -19105,14 +19133,15 @@ void cfg80211_cqm_rssi_notify(struct net_device *dev,
+                                     rssi_level))
+               goto nla_put_failure;
+-      cfg80211_send_cqm(msg, gfp);
++      cfg80211_send_cqm(msg, GFP_KERNEL);
+-      return;
++      goto unlock;
+  nla_put_failure:
+       nlmsg_free(msg);
++ unlock:
++      wdev_unlock(wdev);
+ }
+-EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
+ void cfg80211_cqm_txe_notify(struct net_device *dev,
+                            const u8 *peer, u32 num_packets,
+-- 
+2.40.1
+
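Review bot: In net/wireless/nl80211.c, cfg80211_cqm_rssi_notify() now queues the work only when wdev->cqm_config is non-NULL, whereas the removed code built and sent the netlink event regardless. nl80211_set_cqm_rssi() returns through the `n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config` branch before any config is allocated, so drivers on that path look like they would stop delivering CQM RSSI events to userspace. The tail of that branch is outside the hunk, so this needs confirming against the full function; if it holds, that path should install a cqm_config too, or the notifier should keep a fallback send. Separately, cfg80211_cqm_rssi_notify_work() tests the `__rcu` field directly right after dereferencing it; `if (!cqm_config)` checks the pointer actually used and avoids a sparse complaint. The notifier's two stores (`last_rssi_event_value`, `last_rssi_event_type`) are read by the worker with no pairing, so a comment saying a mixed value/type pair is tolerated would help.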
diff --git a/queue-6.5/wifi-cfg80211-mac80211-hold-link-bsses-when-assoc-fa.patch b/queue-6.5/wifi-cfg80211-mac80211-hold-link-bsses-when-assoc-fa.patch
new file mode 100644 (file)
index 0000000..a92ee36
--- /dev/null
@@ -0,0 +1,111 @@
+From c731bd687aec7d83e3e31e528192a1a3b1d470bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Aug 2023 03:00:55 -0400
+Subject: wifi: cfg80211/mac80211: hold link BSSes when assoc fails for MLO
+ connection
+
+From: Wen Gong <quic_wgong@quicinc.com>
+
+[ Upstream commit 234249d88b091d006b82f8d570343aae5f383736 ]
+
+When connect to MLO AP with more than one link, and the assoc response of
+AP is not success, then cfg80211_unhold_bss() is not called for all the
+links' cfg80211_bss except the primary link which means the link used by
+the latest successful association request. Thus the hold value of the
+cfg80211_bss is not reset to 0 after the assoc fail, and then the
+__cfg80211_unlink_bss() will not be called for the cfg80211_bss by
+__cfg80211_bss_expire().
+
+Then the AP always looks exist even the AP is shutdown or reconfigured
+to another type, then it will lead error while connecting it again.
+
+The detail info are as below.
+
+When connect with muti-links AP, cfg80211_hold_bss() is called by
+cfg80211_mlme_assoc() for each cfg80211_bss of all the links. When
+assoc response from AP is not success(such as status_code==1), the
+ieee80211_link_data of non-primary link(sdata->link[link_id]) is NULL
+because ieee80211_assoc_success()->ieee80211_vif_update_links() is
+not called for the links.
+
+Then struct cfg80211_rx_assoc_resp resp in cfg80211_rx_assoc_resp() and
+struct cfg80211_connect_resp_params cr in __cfg80211_connect_result()
+will only have the data of the primary link, and finally function
+cfg80211_connect_result_release_bsses() only call cfg80211_unhold_bss()
+for the primary link. Then cfg80211_bss of the other links will never free
+because its hold is always > 0 now.
+
+Hence assign value for the bss and status from assoc_data since it is
+valid for this case. Also assign value of addr from assoc_data when the
+link is NULL because the addrs of assoc_data and link both represent the
+local link addr and they are same value for success connection.
+
+Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link")
+Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
+Link: https://lore.kernel.org/r/20230825070055.28164-1-quic_wgong@quicinc.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/cfg80211.h |  2 +-
+ net/mac80211/mlme.c    | 11 ++++++-----
+ net/wireless/mlme.c    |  3 ++-
+ 3 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
+index d6fa7c8767ad3..3f03f9b375e56 100644
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -7232,7 +7232,7 @@ struct cfg80211_rx_assoc_resp {
+       int uapsd_queues;
+       const u8 *ap_mld_addr;
+       struct {
+-              const u8 *addr;
++              u8 addr[ETH_ALEN] __aligned(2);
+               struct cfg80211_bss *bss;
+               u16 status;
+       } links[IEEE80211_MLD_MAX_NUM_LINKS];
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index f93eb38ae0b8d..46d46cfab6c84 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -5429,17 +5429,18 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
+       for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS; link_id++) {
+               struct ieee80211_link_data *link;
+-              link = sdata_dereference(sdata->link[link_id], sdata);
+-              if (!link)
+-                      continue;
+-
+               if (!assoc_data->link[link_id].bss)
+                       continue;
+               resp.links[link_id].bss = assoc_data->link[link_id].bss;
+-              resp.links[link_id].addr = link->conf->addr;
++              ether_addr_copy(resp.links[link_id].addr,
++                              assoc_data->link[link_id].addr);
+               resp.links[link_id].status = assoc_data->link[link_id].status;
++              link = sdata_dereference(sdata->link[link_id], sdata);
++              if (!link)
++                      continue;
++
+               /* get uapsd queues configuration - same for all links */
+               resp.uapsd_queues = 0;
+               for (ac = 0; ac < IEEE80211_NUM_ACS; ac++)
+diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
+index 775cac4d61006..3e2c398abddcc 100644
+--- a/net/wireless/mlme.c
++++ b/net/wireless/mlme.c
+@@ -52,7 +52,8 @@ void cfg80211_rx_assoc_resp(struct net_device *dev,
+               cr.links[link_id].bssid = data->links[link_id].bss->bssid;
+               cr.links[link_id].addr = data->links[link_id].addr;
+               /* need to have local link addresses for MLO connections */
+-              WARN_ON(cr.ap_mld_addr && !cr.links[link_id].addr);
++              WARN_ON(cr.ap_mld_addr &&
++                      !is_valid_ether_addr(cr.links[link_id].addr));
+               BUG_ON(!cr.links[link_id].bss->channel);
+-- 
+2.40.1
+
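Review bot: In cfg80211_rx_assoc_resp() (net/wireless/mlme.c), `cr.links[link_id].addr = data->links[link_id].addr;` now stores a pointer into the caller's struct cfg80211_rx_assoc_resp, because the field became an embedded `u8 addr[ETH_ALEN]` instead of a pointer to link->conf->addr. That is safe only while cr is consumed before this function returns, which the hunk does not show; a comment such as `/* addr borrows from *data; cr must not outlive this call */` would record the assumption. In ieee80211_rx_mgmt_assoc_resp() the `!link` check now follows the copy, so the uapsd_queues computation below it is skipped for links without link data. The existing comment says that value is the same for all links, which presumably makes the skip harmless, but it is worth confirming for the failed-association case this patch targets.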
diff --git a/queue-6.5/wifi-iwlwifi-dbg_ini-fix-structure-packing.patch b/queue-6.5/wifi-iwlwifi-dbg_ini-fix-structure-packing.patch
new file mode 100644 (file)
index 0000000..be73fbe
--- /dev/null
@@ -0,0 +1,50 @@
+From e5532839702e162f02320431a2719c8adc2b7507 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Jun 2023 11:03:34 +0200
+Subject: wifi: iwlwifi: dbg_ini: fix structure packing
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 424c82e8ad56756bb98b08268ffcf68d12d183eb ]
+
+The iwl_fw_ini_error_dump_range structure has conflicting alignment
+requirements for the inner union and the outer struct:
+
+In file included from drivers/net/wireless/intel/iwlwifi/fw/dbg.c:9:
+drivers/net/wireless/intel/iwlwifi/fw/error-dump.h:312:2: error: field  within 'struct iwl_fw_ini_error_dump_range' is less aligned than 'union iwl_fw_ini_error_dump_range::(anonymous at drivers/net/wireless/intel/iwlwifi/fw/error-dump.h:312:2)' and is usually due to 'struct iwl_fw_ini_error_dump_range' being packed, which can lead to unaligned accesses [-Werror,-Wunaligned-access]
+        union {
+
+As the original intention was apparently to make the entire structure
+unaligned, mark the innermost members the same way so the union
+becomes packed as well.
+
+Fixes: 973193554cae6 ("iwlwifi: dbg_ini: dump headers cleanup")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230616090343.2454061-1-arnd@kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/error-dump.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/error-dump.h b/drivers/net/wireless/intel/iwlwifi/fw/error-dump.h
+index f5e08988dc7bf..06d6f7f664308 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/error-dump.h
++++ b/drivers/net/wireless/intel/iwlwifi/fw/error-dump.h
+@@ -310,9 +310,9 @@ struct iwl_fw_ini_fifo_hdr {
+ struct iwl_fw_ini_error_dump_range {
+       __le32 range_data_size;
+       union {
+-              __le32 internal_base_addr;
+-              __le64 dram_base_addr;
+-              __le32 page_num;
++              __le32 internal_base_addr __packed;
++              __le64 dram_base_addr __packed;
++              __le32 page_num __packed;
+               struct iwl_fw_ini_fifo_hdr fifo_hdr;
+               struct iwl_cmd_header fw_pkt_hdr;
+       };
+-- 
+2.40.1
+
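Review bot: Only the three scalar members of the union in struct iwl_fw_ini_error_dump_range get `__packed`; `fifo_hdr` and `fw_pkt_hdr` are left as they were. The union therefore ends up with alignment 1 only if struct iwl_fw_ini_fifo_hdr and struct iwl_cmd_header are themselves declared packed, which this hunk does not show. A short comment above the union, for example `/* every member must be __packed so the union has alignment 1 */`, would keep a later addition from reintroducing the unaligned-access warning. The struct definition continues past the hunk.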
diff --git a/queue-6.5/wifi-iwlwifi-mvm-fix-a-memory-corruption-issue.patch b/queue-6.5/wifi-iwlwifi-mvm-fix-a-memory-corruption-issue.patch
new file mode 100644 (file)
index 0000000..9a58efc
--- /dev/null
@@ -0,0 +1,63 @@
+From 55e40e92b1955de22c8f17ff560ae74db85c5edf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Jul 2023 22:24:59 +0200
+Subject: wifi: iwlwifi: mvm: Fix a memory corruption issue
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 8ba438ef3cacc4808a63ed0ce24d4f0942cfe55d ]
+
+A few lines above, space is kzalloc()'ed for:
+       sizeof(struct iwl_nvm_data) +
+       sizeof(struct ieee80211_channel) +
+       sizeof(struct ieee80211_rate)
+
+'mvm->nvm_data' is a 'struct iwl_nvm_data', so it is fine.
+
+At the end of this structure, there is the 'channels' flex array.
+Each element is of type 'struct ieee80211_channel'.
+So only 1 element is allocated in this array.
+
+When doing:
+  mvm->nvm_data->bands[0].channels = mvm->nvm_data->channels;
+We point at the first element of the 'channels' flex array.
+So this is fine.
+
+However, when doing:
+  mvm->nvm_data->bands[0].bitrates =
+                       (void *)((u8 *)mvm->nvm_data->channels + 1);
+because of the "(u8 *)" cast, we add only 1 to the address of the beginning
+of the flex array.
+
+It is likely that we want point at the 'struct ieee80211_rate' allocated
+just after.
+
+Remove the spurious casting so that the pointer arithmetic works as
+expected.
+
+Fixes: 8ca151b568b6 ("iwlwifi: add the MVM driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/23f0ec986ef1529055f4f93dcb3940a6cf8d9a94.1690143750.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+index 1f5db65a088d3..1d5ee4330f29f 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -802,7 +802,7 @@ int iwl_run_init_mvm_ucode(struct iwl_mvm *mvm)
+               mvm->nvm_data->bands[0].n_channels = 1;
+               mvm->nvm_data->bands[0].n_bitrates = 1;
+               mvm->nvm_data->bands[0].bitrates =
+-                      (void *)((u8 *)mvm->nvm_data->channels + 1);
++                      (void *)(mvm->nvm_data->channels + 1);
+               mvm->nvm_data->bands[0].bitrates->hw_value = 10;
+       }
+-- 
+2.40.1
+
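Review bot: The new `(void *)(mvm->nvm_data->channels + 1)` in iwl_run_init_mvm_ucode() is only correct while the allocation holds exactly one `struct ieee80211_channel` followed by one `struct ieee80211_rate`, and nothing on these lines says so. The kzalloc() the commit message refers to is outside the hunk, so that coupling is invisible at the point where the pointer is computed. A comment such as `/* bitrates[0] is the ieee80211_rate allocated right after channels[0] */` would tie the two together. The `(void *)` cast also suppresses any type check on the assignment, which is presumably how the old byte offset went unnoticed; casting to the destination type, `(struct ieee80211_rate *)(mvm->nvm_data->channels + 1)`, keeps the intent readable.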
diff --git a/queue-6.5/wifi-iwlwifi-mvm-fix-incorrect-usage-of-scan-api.patch b/queue-6.5/wifi-iwlwifi-mvm-fix-incorrect-usage-of-scan-api.patch
new file mode 100644 (file)
index 0000000..fc489c5
--- /dev/null
@@ -0,0 +1,43 @@
+From 9b27bf133ea934ba1c396ecf2bc4984a2c0357ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Sep 2023 16:55:50 +0300
+Subject: wifi: iwlwifi: mvm: Fix incorrect usage of scan API
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit 22061bfc57fe08c77141dc876b4af75603c4d61d ]
+
+The support for using link ID in the scan request API was only
+added in version 16. However, the code wrongly enabled this
+API usage also for older versions. Fix it.
+
+Reported-by: Antoine Beaupré <anarcat@debian.org>
+Fixes: e98b23d0d7b8 ("wifi: iwlwifi: mvm: Add support for SCAN API version 16")
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230926165546.086e635fbbe6.Ia660f35ca0b1079f2c2ea92fd8d14d8101a89d03@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+index c1d9ce7534688..3cbe2c0b8d6bc 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+@@ -2342,7 +2342,7 @@ iwl_mvm_scan_umac_fill_general_p_v12(struct iwl_mvm *mvm,
+       if (gen_flags & IWL_UMAC_SCAN_GEN_FLAGS_V2_FRAGMENTED_LMAC2)
+               gp->num_of_fragments[SCAN_HB_LMAC_IDX] = IWL_SCAN_NUM_OF_FRAGS;
+-      if (version < 12) {
++      if (version < 16) {
+               gp->scan_start_mac_or_link_id = scan_vif->id;
+       } else {
+               struct iwl_mvm_vif_link_info *link_info;
+-- 
+2.40.1
+
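Review bot: The threshold in `if (version < 16)` is a bare number inside a helper whose name ends in `_v12`, so the next reader cannot tell why the two differ. A comment above the test would record the reason given in the commit message, e.g. `/* link ID in the scan request is only supported from API version 16 */`. The `else` branch that fills in the link ID continues outside the hunk, so how it behaves for versions 16 and up when no link is available cannot be checked from here.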
diff --git a/queue-6.5/wifi-mac80211-create-resources-for-disabled-links.patch b/queue-6.5/wifi-mac80211-create-resources-for-disabled-links.patch
new file mode 100644 (file)
index 0000000..b0cd278
--- /dev/null
@@ -0,0 +1,51 @@
+From 4757359f5cdfa9b8b82241ca3df972686b9ff6d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Sep 2023 17:30:29 +0200
+Subject: wifi: mac80211: Create resources for disabled links
+
+From: Benjamin Berg <benjamin.berg@intel.com>
+
+[ Upstream commit aaba3cd33fc9593a858beeee419c0e6671ee9551 ]
+
+When associating to an MLD AP, links may be disabled. Create all
+resources associated with a disabled link so that we can later enable it
+without having to create these resources on the fly.
+
+Fixes: 6d543b34dbcf ("wifi: mac80211: Support disabled links during association")
+Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
+Link: https://lore.kernel.org/r/20230925173028.f9afdb26f6c7.I4e6e199aaefc1bf017362d64f3869645fa6830b5@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mlme.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 46d46cfab6c84..24b2833e0e475 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -5107,9 +5107,10 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
+                               continue;
+                       valid_links |= BIT(link_id);
+-                      if (assoc_data->link[link_id].disabled) {
++                      if (assoc_data->link[link_id].disabled)
+                               dormant_links |= BIT(link_id);
+-                      } else if (link_id != assoc_data->assoc_link_id) {
++
++                      if (link_id != assoc_data->assoc_link_id) {
+                               err = ieee80211_sta_allocate_link(sta, link_id);
+                               if (err)
+                                       goto out_err;
+@@ -5124,7 +5125,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
+               struct ieee80211_link_data *link;
+               struct link_sta_info *link_sta;
+-              if (!cbss || assoc_data->link[link_id].disabled)
++              if (!cbss)
+                       continue;
+               link = sdata_dereference(sdata->link[link_id], sdata);
+-- 
+2.40.1
+
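Review bot: The two `if`s at the top of the first hunk are now independent, so a disabled link that is not the assoc link is both marked dormant and passed to `ieee80211_sta_allocate_link()`, and nothing in the code says this is deliberate. A one-line comment before the second test would do, e.g. `/* allocate resources for disabled links too, so they can be enabled later */`. In the second hunk the `disabled` test is dropped from the `continue` guard, and the loop body after `sdata_dereference()` lies outside the hunk. Whether every later step in that loop is valid for a dormant link therefore cannot be confirmed from this patch.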
diff --git a/queue-6.5/wifi-mac80211-fix-mesh-id-corruption-on-32-bit-syste.patch b/queue-6.5/wifi-mac80211-fix-mesh-id-corruption-on-32-bit-syste.patch
new file mode 100644 (file)
index 0000000..2fd5e00
--- /dev/null
@@ -0,0 +1,80 @@
+From 44df07e1d70d75d8a883cc63c99d0255123fbd21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 07:01:34 +0200
+Subject: wifi: mac80211: fix mesh id corruption on 32 bit systems
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 6e48ebffc2db5419b3a51cfc509bde442252b356 ]
+
+Since the changed field size was increased to u64, mesh_bss_info_changed
+pulls invalid bits from the first 3 bytes of the mesh id, clears them, and
+passes them on to ieee80211_link_info_change_notify, because
+ifmsh->mbss_changed was not updated to match its size.
+Fix this by turning into ifmsh->mbss_changed into an unsigned long array with
+64 bit size.
+
+Fixes: 15ddba5f4311 ("wifi: mac80211: consistently use u64 for BSS changes")
+Reported-by: Thomas Hühn <thomas.huehn@hs-nordhausen.de>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20230913050134.53536-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/ieee80211_i.h | 2 +-
+ net/mac80211/mesh.c        | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index 91633a0b723e0..f8cd94ba55ccc 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -676,7 +676,7 @@ struct ieee80211_if_mesh {
+       struct timer_list mesh_path_root_timer;
+       unsigned long wrkq_flags;
+-      unsigned long mbss_changed;
++      unsigned long mbss_changed[64 / BITS_PER_LONG];
+       bool userspace_handles_dfs;
+diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
+index af8c5fc2db149..e31c312c124a1 100644
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -1175,7 +1175,7 @@ void ieee80211_mbss_info_change_notify(struct ieee80211_sub_if_data *sdata,
+       /* if we race with running work, worst case this work becomes a noop */
+       for_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE)
+-              set_bit(bit, &ifmsh->mbss_changed);
++              set_bit(bit, ifmsh->mbss_changed);
+       set_bit(MESH_WORK_MBSS_CHANGED, &ifmsh->wrkq_flags);
+       wiphy_work_queue(sdata->local->hw.wiphy, &sdata->work);
+ }
+@@ -1257,7 +1257,7 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata)
+       /* clear any mesh work (for next join) we may have accrued */
+       ifmsh->wrkq_flags = 0;
+-      ifmsh->mbss_changed = 0;
++      memset(ifmsh->mbss_changed, 0, sizeof(ifmsh->mbss_changed));
+       local->fif_other_bss--;
+       atomic_dec(&local->iff_allmultis);
+@@ -1724,9 +1724,9 @@ static void mesh_bss_info_changed(struct ieee80211_sub_if_data *sdata)
+       u32 bit;
+       u64 changed = 0;
+-      for_each_set_bit(bit, &ifmsh->mbss_changed,
++      for_each_set_bit(bit, ifmsh->mbss_changed,
+                        sizeof(changed) * BITS_PER_BYTE) {
+-              clear_bit(bit, &ifmsh->mbss_changed);
++              clear_bit(bit, ifmsh->mbss_changed);
+               changed |= BIT(bit);
+       }
+-- 
+2.40.1
+
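Review bot: In mesh_bss_info_changed() the loop still builds the 64-bit mask with `changed |= BIT(bit);`, and `BIT()` shifts an `unsigned long`, so on the 32-bit systems this patch targets a bit number of 32 or more cannot be represented; `changed |= BIT_ULL(bit);` matches the `u64` accumulator. The same width question applies to `for_each_set_bit(bit, &bits, sizeof(changed) * BITS_PER_BYTE)` in ieee80211_mbss_info_change_notify(): the declaration of `bits` is outside the hunk, but if it is a single `unsigned long` the scan covers 64 bits of a 32-bit object. In ieee80211_i.h, `DECLARE_BITMAP(mbss_changed, 64);` would state the intent more directly than `[64 / BITS_PER_LONG]`.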
diff --git a/queue-6.5/wifi-mac80211-fix-potential-key-use-after-free.patch b/queue-6.5/wifi-mac80211-fix-potential-key-use-after-free.patch
new file mode 100644 (file)
index 0000000..d75d718
--- /dev/null
@@ -0,0 +1,58 @@
+From 3d26f447a9c83157eda209ebed59efbbe46615f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Sep 2023 08:34:15 +0200
+Subject: wifi: mac80211: fix potential key use-after-free
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 31db78a4923ef5e2008f2eed321811ca79e7f71b ]
+
+When ieee80211_key_link() is called by ieee80211_gtk_rekey_add()
+but returns 0 due to KRACK protection (identical key reinstall),
+ieee80211_gtk_rekey_add() will still return a pointer into the
+key, in a potential use-after-free. This normally doesn't happen
+since it's only called by iwlwifi in case of WoWLAN rekey offload
+which has its own KRACK protection, but still better to fix, do
+that by returning an error code and converting that to success on
+the cfg80211 boundary only, leaving the error for bad callers of
+ieee80211_gtk_rekey_add().
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 3 +++
+ net/mac80211/key.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 45e7a5d9c7d94..e883c41a2163b 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -566,6 +566,9 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
+       }
+       err = ieee80211_key_link(key, link, sta);
++      /* KRACK protection, shouldn't happen but just silently accept key */
++      if (err == -EALREADY)
++              err = 0;
+  out_unlock:
+       mutex_unlock(&local->sta_mtx);
+diff --git a/net/mac80211/key.c b/net/mac80211/key.c
+index 21cf5a2089101..f719abe33a328 100644
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -905,7 +905,7 @@ int ieee80211_key_link(struct ieee80211_key *key,
+        */
+       if (ieee80211_key_identical(sdata, old_key, key)) {
+               ieee80211_key_free_unused(key);
+-              ret = 0;
++              ret = -EALREADY;
+               goto out;
+       }
+-- 
+2.40.1
+
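Review bot: ieee80211_key_link() now returns `-EALREADY` after `ieee80211_key_free_unused(key)` has already run, but only ieee80211_add_key() in cfg.c is adjusted here. Any other caller has to treat that return value as meaning the key is gone and must not touch its pointer afterwards. The function body and its other callers are outside these hunks, so that cannot be confirmed from this patch. A comment at the changed line in key.c would make the ownership rule explicit, e.g. `/* key has been freed; callers must not use it on -EALREADY */`.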
diff --git a/queue-6.5/wifi-mt76-fix-lock-dependency-problem-for-wed_lock.patch b/queue-6.5/wifi-mt76-fix-lock-dependency-problem-for-wed_lock.patch
new file mode 100644 (file)
index 0000000..5b09150
--- /dev/null
@@ -0,0 +1,359 @@
+From 1adf727722140647de6d1ad1b86061e00c7ea946 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Aug 2023 15:16:11 +0200
+Subject: wifi: mt76: fix lock dependency problem for wed_lock
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 195273147e520844c1aae9fbf85cb6eb0bc0fdd7 ]
+
+Fix the following kernel depency lock holding wed_lock with BH disabled.
+
+[   40.579696] mt798x-wmac 18000000.wifi: attaching wed device 0 version 2
+[   40.604648] platform 15010000.wed: MTK WED WO Firmware Version: DEV_000000, Build Time: 20221208202138
+[   40.613972] platform 15010000.wed: MTK WED WO Chip ID 00 Region 3
+[   40.943617]
+[   40.945118] ========================================================
+[   40.951457] WARNING: possible irq lock inversion dependency detected
+[   40.957797] 5.15.127 #0 Not tainted
+[   40.961276] --------------------------------------------------------
+[   40.967614] insmod/2329 just changed the state of lock:
+[   40.972827] ffffff8004003b08 (&dev->wed_lock){+.+.}-{2:2}, at: mt76_get_rxwi+0x1c/0xac [mt76]
+[   40.981387] but this lock was taken by another, SOFTIRQ-safe lock in the past:
+[   40.988592]  (&q->lock){+.-.}-{2:2}
+[   40.988602]
+[   40.988602]
+[   40.988602] and interrupts could create inverse lock ordering between them.
+[   40.988602]
+[   41.003445]
+[   41.003445] other info that might help us debug this:
+[   41.009957]  Possible interrupt unsafe locking scenario:
+[   41.009957]
+[   41.016729]        CPU0                    CPU1
+[   41.021245]        ----                    ----
+[   41.025761]   lock(&dev->wed_lock);
+[   41.029241]                                local_irq_disable();
+[   41.035145]                                lock(&q->lock);
+[   41.040620]                                lock(&dev->wed_lock);
+[   41.046616]   <Interrupt>
+[   41.049223]     lock(&q->lock);
+[   41.052356]
+[   41.052356]  *** DEADLOCK ***
+[   41.052356]
+[   41.058260] 1 lock held by insmod/2329:
+[   41.062085]  #0: ffffff80003b9988 (&dev->mutex){....}-{3:3}, at: __driver_attach+0x88/0x190
+[   41.070442]
+[   41.070442] the shortest dependencies between 2nd lock and 1st lock:
+[   41.078257]  -> (&q->lock){+.-.}-{2:2} {
+[   41.082177]     HARDIRQ-ON-W at:
+[   41.085396]                       lock_acquire+0xfc/0x2c0
+[   41.090787]                       _raw_spin_lock_bh+0x84/0xa0
+[   41.096525]                       mt76_dma_cleanup+0x24c/0x650 [mt76]
+[   41.102977]                       mt76_dma_cleanup+0x614/0x650 [mt76]
+[   41.109428]                       mt7915_eeprom_get_power_delta+0x1168/0x2464 [mt7915e]
+[   41.117435]                       mt7915_eeprom_init+0x40/0x340 [mt7915e]
+[   41.124222]                       cleanup_module+0x94/0xb28 [mt7915e]
+[   41.130662]                       platform_probe+0x64/0xbc
+[   41.136139]                       really_probe.part.0+0x98/0x2f4
+[   41.142134]                       __driver_probe_device+0x94/0x16c
+[   41.148303]                       driver_probe_device+0x40/0x120
+[   41.154299]                       __driver_attach+0x94/0x190
+[   41.159947]                       bus_for_each_dev+0x5c/0x94
+[   41.165594]                       driver_attach+0x20/0x30
+[   41.170983]                       bus_add_driver+0x104/0x1f4
+[   41.176631]                       driver_register+0x74/0x120
+[   41.182280]                       __platform_driver_register+0x24/0x30
+[   41.188797]                       0xffffffc000cb1074
+[   41.193754]                       do_one_initcall+0x70/0x2cc
+[   41.199403]                       do_init_module+0x44/0x240
+[   41.204968]                       load_module+0x1f5c/0x2874
+[   41.210532]                       __do_sys_init_module+0x1d8/0x2ac
+[   41.216702]                       __arm64_sys_init_module+0x18/0x20
+[   41.222958]                       invoke_syscall.constprop.0+0x4c/0xe0
+[   41.229474]                       do_el0_svc+0x50/0xf0
+[   41.234602]                       el0_svc+0x4c/0xcc
+[   41.239471]                       el0t_64_sync_handler+0xe0/0x110
+[   41.245556]                       el0t_64_sync+0x15c/0x160
+[   41.251029]     IN-SOFTIRQ-W at:
+[   41.254249]                       lock_acquire+0xfc/0x2c0
+[   41.259638]                       _raw_spin_lock_bh+0x84/0xa0
+[   41.265372]                       mt76_queue_tx_complete+0x34/0x70 [mt76]
+[   41.272170]                       mt76_free_pending_rxwi+0x36c/0x5d0 [mt76]
+[   41.279140]                       mt76_free_pending_rxwi+0x5c0/0x5d0 [mt76]
+[   41.286111]                       mt7915_eeprom_get_power_delta+0x620/0x2464 [mt7915e]
+[   41.294026]                       __napi_poll.constprop.0+0x5c/0x230
+[   41.300372]                       net_rx_action+0xe4/0x294
+[   41.305847]                       _stext+0x154/0x4cc
+[   41.310801]                       do_softirq+0xa4/0xbc
+[   41.315930]                       __local_bh_enable_ip+0x168/0x174
+[   41.322097]                       napi_threaded_poll+0xbc/0x140
+[   41.328007]                       kthread+0x13c/0x150
+[   41.333049]                       ret_from_fork+0x10/0x20
+[   41.338437]     INITIAL USE at:
+[   41.341568]                      lock_acquire+0xfc/0x2c0
+[   41.346869]                      _raw_spin_lock_bh+0x84/0xa0
+[   41.352519]                      mt76_dma_cleanup+0x24c/0x650 [mt76]
+[   41.358882]                      mt76_dma_cleanup+0x614/0x650 [mt76]
+[   41.365245]                      mt7915_eeprom_get_power_delta+0x1168/0x2464 [mt7915e]
+[   41.373160]                      mt7915_eeprom_init+0x40/0x340 [mt7915e]
+[   41.379860]                      cleanup_module+0x94/0xb28 [mt7915e]
+[   41.386213]                      platform_probe+0x64/0xbc
+[   41.391602]                      really_probe.part.0+0x98/0x2f4
+[   41.397511]                      __driver_probe_device+0x94/0x16c
+[   41.403594]                      driver_probe_device+0x40/0x120
+[   41.409502]                      __driver_attach+0x94/0x190
+[   41.415063]                      bus_for_each_dev+0x5c/0x94
+[   41.420625]                      driver_attach+0x20/0x30
+[   41.425926]                      bus_add_driver+0x104/0x1f4
+[   41.431487]                      driver_register+0x74/0x120
+[   41.437049]                      __platform_driver_register+0x24/0x30
+[   41.443479]                      0xffffffc000cb1074
+[   41.448346]                      do_one_initcall+0x70/0x2cc
+[   41.453907]                      do_init_module+0x44/0x240
+[   41.459383]                      load_module+0x1f5c/0x2874
+[   41.464860]                      __do_sys_init_module+0x1d8/0x2ac
+[   41.470944]                      __arm64_sys_init_module+0x18/0x20
+[   41.477113]                      invoke_syscall.constprop.0+0x4c/0xe0
+[   41.483542]                      do_el0_svc+0x50/0xf0
+[   41.488582]                      el0_svc+0x4c/0xcc
+[   41.493364]                      el0t_64_sync_handler+0xe0/0x110
+[   41.499361]                      el0t_64_sync+0x15c/0x160
+[   41.504748]   }
+[   41.506489]   ... key      at: [<ffffffc000c65ba0>] __this_module+0x3e0/0xffffffffffffa840 [mt76]
+[   41.515371]   ... acquired at:
+[   41.518413]    _raw_spin_lock+0x60/0x74
+[   41.522240]    mt76_get_rxwi+0x1c/0xac [mt76]
+[   41.526608]    mt76_dma_cleanup+0x3e0/0x650 [mt76]
+[   41.531410]    mt76_dma_cleanup+0x614/0x650 [mt76]
+[   41.536211]    mt7915_dma_init+0x408/0x7b0 [mt7915e]
+[   41.541177]    mt7915_register_device+0x310/0x620 [mt7915e]
+[   41.546749]    mt7915_mmio_probe+0xcec/0x1d44 [mt7915e]
+[   41.551973]    platform_probe+0x64/0xbc
+[   41.555802]    really_probe.part.0+0x98/0x2f4
+[   41.560149]    __driver_probe_device+0x94/0x16c
+[   41.564670]    driver_probe_device+0x40/0x120
+[   41.569017]    __driver_attach+0x94/0x190
+[   41.573019]    bus_for_each_dev+0x5c/0x94
+[   41.577018]    driver_attach+0x20/0x30
+[   41.580758]    bus_add_driver+0x104/0x1f4
+[   41.584758]    driver_register+0x74/0x120
+[   41.588759]    __platform_driver_register+0x24/0x30
+[   41.593628]    init_module+0x74/0x1000 [mt7915e]
+[   41.598248]    do_one_initcall+0x70/0x2cc
+[   41.602248]    do_init_module+0x44/0x240
+[   41.606162]    load_module+0x1f5c/0x2874
+[   41.610078]    __do_sys_init_module+0x1d8/0x2ac
+[   41.614600]    __arm64_sys_init_module+0x18/0x20
+[   41.619209]    invoke_syscall.constprop.0+0x4c/0xe0
+[   41.624076]    do_el0_svc+0x50/0xf0
+[   41.627555]    el0_svc+0x4c/0xcc
+[   41.630776]    el0t_64_sync_handler+0xe0/0x110
+[   41.635211]    el0t_64_sync+0x15c/0x160
+[   41.639037]
+[   41.640517] -> (&dev->wed_lock){+.+.}-{2:2} {
+[   41.644872]    HARDIRQ-ON-W at:
+[   41.648003]                     lock_acquire+0xfc/0x2c0
+[   41.653219]                     _raw_spin_lock+0x60/0x74
+[   41.658520]                     mt76_free_pending_rxwi+0xc0/0x5d0 [mt76]
+[   41.665232]                     mt76_dma_cleanup+0x1dc/0x650 [mt76]
+[   41.671508]                     mt7915_eeprom_get_power_delta+0x1830/0x2464 [mt7915e]
+[   41.679336]                     mt7915_unregister_device+0x5b4/0x910 [mt7915e]
+[   41.686555]                     mt7915_eeprom_get_target_power+0xb8/0x230 [mt7915e]
+[   41.694209]                     mt7986_wmac_enable+0xc30/0xcd0 [mt7915e]
+[   41.700909]                     platform_remove+0x4c/0x64
+[   41.706298]                     __device_release_driver+0x194/0x240
+[   41.712554]                     driver_detach+0xc0/0x100
+[   41.717857]                     bus_remove_driver+0x54/0xac
+[   41.723418]                     driver_unregister+0x2c/0x54
+[   41.728980]                     platform_driver_unregister+0x10/0x20
+[   41.735323]                     mt7915_ops+0x244/0xffffffffffffed58 [mt7915e]
+[   41.742457]                     __arm64_sys_delete_module+0x170/0x23c
+[   41.748887]                     invoke_syscall.constprop.0+0x4c/0xe0
+[   41.755229]                     do_el0_svc+0x50/0xf0
+[   41.760183]                     el0_svc+0x4c/0xcc
+[   41.764878]                     el0t_64_sync_handler+0xe0/0x110
+[   41.770788]                     el0t_64_sync+0x15c/0x160
+[   41.776088]    SOFTIRQ-ON-W at:
+[   41.779220]                     lock_acquire+0xfc/0x2c0
+[   41.784435]                     _raw_spin_lock+0x60/0x74
+[   41.789737]                     mt76_get_rxwi+0x1c/0xac [mt76]
+[   41.795580]                     mt7915_debugfs_rx_log+0x804/0xb74 [mt7915e]
+[   41.802540]                     mtk_wed_start+0x970/0xaa0
+[   41.807929]                     mt7915_dma_start+0x26c/0x630 [mt7915e]
+[   41.814455]                     mt7915_dma_start+0x5a4/0x630 [mt7915e]
+[   41.820981]                     mt7915_dma_init+0x45c/0x7b0 [mt7915e]
+[   41.827420]                     mt7915_register_device+0x310/0x620 [mt7915e]
+[   41.834467]                     mt7915_mmio_probe+0xcec/0x1d44 [mt7915e]
+[   41.841167]                     platform_probe+0x64/0xbc
+[   41.846469]                     really_probe.part.0+0x98/0x2f4
+[   41.852291]                     __driver_probe_device+0x94/0x16c
+[   41.858286]                     driver_probe_device+0x40/0x120
+[   41.864107]                     __driver_attach+0x94/0x190
+[   41.869582]                     bus_for_each_dev+0x5c/0x94
+[   41.875056]                     driver_attach+0x20/0x30
+[   41.880270]                     bus_add_driver+0x104/0x1f4
+[   41.885745]                     driver_register+0x74/0x120
+[   41.891221]                     __platform_driver_register+0x24/0x30
+[   41.897564]                     init_module+0x74/0x1000 [mt7915e]
+[   41.903657]                     do_one_initcall+0x70/0x2cc
+[   41.909130]                     do_init_module+0x44/0x240
+[   41.914520]                     load_module+0x1f5c/0x2874
+[   41.919909]                     __do_sys_init_module+0x1d8/0x2ac
+[   41.925905]                     __arm64_sys_init_module+0x18/0x20
+[   41.931989]                     invoke_syscall.constprop.0+0x4c/0xe0
+[   41.938331]                     do_el0_svc+0x50/0xf0
+[   41.943285]                     el0_svc+0x4c/0xcc
+[   41.947981]                     el0t_64_sync_handler+0xe0/0x110
+[   41.953892]                     el0t_64_sync+0x15c/0x160
+[   41.959192]    INITIAL USE at:
+[   41.962238]                    lock_acquire+0xfc/0x2c0
+[   41.967365]                    _raw_spin_lock+0x60/0x74
+[   41.972580]                    mt76_free_pending_rxwi+0xc0/0x5d0 [mt76]
+[   41.979206]                    mt76_dma_cleanup+0x1dc/0x650 [mt76]
+[   41.985395]                    mt7915_eeprom_get_power_delta+0x1830/0x2464 [mt7915e]
+[   41.993137]                    mt7915_unregister_device+0x5b4/0x910 [mt7915e]
+[   42.000270]                    mt7915_eeprom_get_target_power+0xb8/0x230 [mt7915e]
+[   42.007837]                    mt7986_wmac_enable+0xc30/0xcd0 [mt7915e]
+[   42.014450]                    platform_remove+0x4c/0x64
+[   42.019753]                    __device_release_driver+0x194/0x240
+[   42.025922]                    driver_detach+0xc0/0x100
+[   42.031137]                    bus_remove_driver+0x54/0xac
+[   42.036612]                    driver_unregister+0x2c/0x54
+[   42.042087]                    platform_driver_unregister+0x10/0x20
+[   42.048344]                    mt7915_ops+0x244/0xffffffffffffed58 [mt7915e]
+[   42.055391]                    __arm64_sys_delete_module+0x170/0x23c
+[   42.061735]                    invoke_syscall.constprop.0+0x4c/0xe0
+[   42.067990]                    do_el0_svc+0x50/0xf0
+[   42.072857]                    el0_svc+0x4c/0xcc
+[   42.077466]                    el0t_64_sync_handler+0xe0/0x110
+[   42.083289]                    el0t_64_sync+0x15c/0x160
+[   42.088503]  }
+[   42.090157]  ... key      at: [<ffffffc000c65c10>] __this_module+0x450/0xffffffffffffa840 [mt76]
+[   42.098951]  ... acquired at:
+[   42.101907]    __lock_acquire+0x718/0x1df0
+[   42.105994]    lock_acquire+0xfc/0x2c0
+[   42.109734]    _raw_spin_lock+0x60/0x74
+[   42.113561]    mt76_get_rxwi+0x1c/0xac [mt76]
+[   42.117929]    mt7915_debugfs_rx_log+0x804/0xb74 [mt7915e]
+[   42.123415]    mtk_wed_start+0x970/0xaa0
+[   42.127328]    mt7915_dma_start+0x26c/0x630 [mt7915e]
+[   42.132379]    mt7915_dma_start+0x5a4/0x630 [mt7915e]
+[   42.137430]    mt7915_dma_init+0x45c/0x7b0 [mt7915e]
+[   42.142395]    mt7915_register_device+0x310/0x620 [mt7915e]
+[   42.147967]    mt7915_mmio_probe+0xcec/0x1d44 [mt7915e]
+[   42.153192]    platform_probe+0x64/0xbc
+[   42.157019]    really_probe.part.0+0x98/0x2f4
+[   42.161367]    __driver_probe_device+0x94/0x16c
+[   42.165887]    driver_probe_device+0x40/0x120
+[   42.170234]    __driver_attach+0x94/0x190
+[   42.174235]    bus_for_each_dev+0x5c/0x94
+[   42.178235]    driver_attach+0x20/0x30
+[   42.181974]    bus_add_driver+0x104/0x1f4
+[   42.185974]    driver_register+0x74/0x120
+[   42.189974]    __platform_driver_register+0x24/0x30
+[   42.194842]    init_module+0x74/0x1000 [mt7915e]
+[   42.199460]    do_one_initcall+0x70/0x2cc
+[   42.203460]    do_init_module+0x44/0x240
+[   42.207376]    load_module+0x1f5c/0x2874
+[   42.211290]    __do_sys_init_module+0x1d8/0x2ac
+[   42.215813]    __arm64_sys_init_module+0x18/0x20
+[   42.220421]    invoke_syscall.constprop.0+0x4c/0xe0
+[   42.225288]    do_el0_svc+0x50/0xf0
+[   42.228768]    el0_svc+0x4c/0xcc
+[   42.231989]    el0t_64_sync_handler+0xe0/0x110
+[   42.236424]    el0t_64_sync+0x15c/0x160
+[   42.240249]
+[   42.241730]
+[   42.241730] stack backtrace:
+[   42.246074] CPU: 1 PID: 2329 Comm: insmod Not tainted 5.15.127 #0
+[   42.252157] Hardware name: GainStrong Oolite-MT7981B V1 Dev Board (NAND boot) (DT)
+[   42.259712] Call trace:
+[   42.262147]  dump_backtrace+0x0/0x174
+[   42.265802]  show_stack+0x14/0x20
+[   42.269108]  dump_stack_lvl+0x84/0xac
+[   42.272761]  dump_stack+0x14/0x2c
+[   42.276066]  print_irq_inversion_bug.part.0+0x1b0/0x1c4
+[   42.281285]  mark_lock+0x8b8/0x8bc
+[   42.284678]  __lock_acquire+0x718/0x1df0
+[   42.288592]  lock_acquire+0xfc/0x2c0
+[   42.292158]  _raw_spin_lock+0x60/0x74
+[   42.295811]  mt76_get_rxwi+0x1c/0xac [mt76]
+[   42.300008]  mt7915_debugfs_rx_log+0x804/0xb74 [mt7915e]
+[   42.305320]  mtk_wed_start+0x970/0xaa0
+[   42.309059]  mt7915_dma_start+0x26c/0x630 [mt7915e]
+[   42.313937]  mt7915_dma_start+0x5a4/0x630 [mt7915e]
+[   42.318815]  mt7915_dma_init+0x45c/0x7b0 [mt7915e]
+[   42.323606]  mt7915_register_device+0x310/0x620 [mt7915e]
+[   42.329005]  mt7915_mmio_probe+0xcec/0x1d44 [mt7915e]
+[   42.334056]  platform_probe+0x64/0xbc
+[   42.337711]  really_probe.part.0+0x98/0x2f4
+[   42.341885]  __driver_probe_device+0x94/0x16c
+[   42.346232]  driver_probe_device+0x40/0x120
+[   42.350407]  __driver_attach+0x94/0x190
+[   42.354234]  bus_for_each_dev+0x5c/0x94
+[   42.358061]  driver_attach+0x20/0x30
+[   42.361627]  bus_add_driver+0x104/0x1f4
+[   42.365454]  driver_register+0x74/0x120
+[   42.369282]  __platform_driver_register+0x24/0x30
+[   42.373977]  init_module+0x74/0x1000 [mt7915e]
+[   42.378423]  do_one_initcall+0x70/0x2cc
+[   42.382249]  do_init_module+0x44/0x240
+[   42.385990]  load_module+0x1f5c/0x2874
+[   42.389733]  __do_sys_init_module+0x1d8/0x2ac
+[   42.394082]  __arm64_sys_init_module+0x18/0x20
+[   42.398518]  invoke_syscall.constprop.0+0x4c/0xe0
+[   42.403211]  do_el0_svc+0x50/0xf0
+[   42.406517]  el0_svc+0x4c/0xcc
+[   42.409565]  el0t_64_sync_handler+0xe0/0x110
+[   42.413827]  el0t_64_sync+0x15c/0x160
+[   42.674858] mt798x-wmac 18000000.wifi: HW/SW Version: 0x8a108a10, Build Time: 20221208201745a
+[   42.674858]
+[   42.692078] mt798x-wmac 18000000.wifi: WM Firmware Version: ____000000, Build Time: 20221208201806
+[   42.735606] mt798x-wmac 18000000.wifi: WA Firmware Version: DEV_000000, Build Time: 20221208202048
+
+Tested-by: Daniel Golle <daniel@makrotopia.org>
+Fixes: 2666bece0905 ("wifi: mt76: introduce rxwi and rx token utility routines")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Acked-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/ee80be41c2a8d8749d83c6950a272a5e77aadd45.1693228333.git.lorenzo@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/dma.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c
+index 465190ebaf1c4..f539913aadf86 100644
+--- a/drivers/net/wireless/mediatek/mt76/dma.c
++++ b/drivers/net/wireless/mediatek/mt76/dma.c
+@@ -93,13 +93,13 @@ __mt76_get_rxwi(struct mt76_dev *dev)
+ {
+       struct mt76_txwi_cache *t = NULL;
+-      spin_lock(&dev->wed_lock);
++      spin_lock_bh(&dev->wed_lock);
+       if (!list_empty(&dev->rxwi_cache)) {
+               t = list_first_entry(&dev->rxwi_cache, struct mt76_txwi_cache,
+                                    list);
+               list_del(&t->list);
+       }
+-      spin_unlock(&dev->wed_lock);
++      spin_unlock_bh(&dev->wed_lock);
+       return t;
+ }
+@@ -145,9 +145,9 @@ mt76_put_rxwi(struct mt76_dev *dev, struct mt76_txwi_cache *t)
+       if (!t)
+               return;
+-      spin_lock(&dev->wed_lock);
++      spin_lock_bh(&dev->wed_lock);
+       list_add(&t->list, &dev->rxwi_cache);
+-      spin_unlock(&dev->wed_lock);
++      spin_unlock_bh(&dev->wed_lock);
+ }
+ EXPORT_SYMBOL_GPL(mt76_put_rxwi);
+-- 
+2.40.1
+
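Review bot: Only the two `wed_lock` sites in dma.c are switched to `spin_lock_bh()`/`spin_unlock_bh()`, while the lockdep report in the commit message also shows `wed_lock` taken through `_raw_spin_lock` from `mt76_free_pending_rxwi`. If that path, or any other user outside dma.c, still takes the lock with plain `spin_lock()`, it presumably needs the same conversion so that the lock is never held with bottom halves enabled. That code is not part of this patch and should be checked against the tree. Separately, `spin_unlock_bh()` must not run with hard interrupts disabled, so __mt76_get_rxwi() and mt76_put_rxwi() now carry a calling-context restriction; a short comment on each, e.g. `/* takes wed_lock with BHs disabled; do not call with IRQs off */`, would record it.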
diff --git a/queue-6.5/wifi-mt76-mt76x02-fix-mt76x0-external-lna-gain-handl.patch b/queue-6.5/wifi-mt76-mt76x02-fix-mt76x0-external-lna-gain-handl.patch
new file mode 100644 (file)
index 0000000..dc146a5
--- /dev/null
@@ -0,0 +1,78 @@
+From 90a2307ff4b6a70debe8838eeef0558dd4dc1223 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Sep 2023 21:47:47 +0200
+Subject: wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 684e45e120b82deccaf8b85633905304a3bbf56d ]
+
+On MT76x0, LNA gain should be applied for both external and internal LNA.
+On MT76x2, LNA gain should be treated as 0 for external LNA.
+Move the LNA type based logic to mt76x2 in order to fix mt76x0.
+
+Fixes: 2daa67588f34 ("mt76x0: unify lna_gain parsing")
+Reported-by: Shiji Yang <yangshiji66@outlook.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230919194747.31647-1-nbd@nbd.name
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76x02_eeprom.c |  7 -------
+ drivers/net/wireless/mediatek/mt76/mt76x2/eeprom.c  | 13 +++++++++++--
+ 2 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_eeprom.c b/drivers/net/wireless/mediatek/mt76/mt76x02_eeprom.c
+index 0acabba2d1a50..5d402cf2951cb 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76x02_eeprom.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_eeprom.c
+@@ -131,15 +131,8 @@ u8 mt76x02_get_lna_gain(struct mt76x02_dev *dev,
+                       s8 *lna_2g, s8 *lna_5g,
+                       struct ieee80211_channel *chan)
+ {
+-      u16 val;
+       u8 lna;
+-      val = mt76x02_eeprom_get(dev, MT_EE_NIC_CONF_1);
+-      if (val & MT_EE_NIC_CONF_1_LNA_EXT_2G)
+-              *lna_2g = 0;
+-      if (val & MT_EE_NIC_CONF_1_LNA_EXT_5G)
+-              memset(lna_5g, 0, sizeof(s8) * 3);
+-
+       if (chan->band == NL80211_BAND_2GHZ)
+               lna = *lna_2g;
+       else if (chan->hw_value <= 64)
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/eeprom.c b/drivers/net/wireless/mediatek/mt76/mt76x2/eeprom.c
+index d5809408d1d37..8c01855885ce3 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76x2/eeprom.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x2/eeprom.c
+@@ -256,7 +256,8 @@ void mt76x2_read_rx_gain(struct mt76x02_dev *dev)
+       struct ieee80211_channel *chan = dev->mphy.chandef.chan;
+       int channel = chan->hw_value;
+       s8 lna_5g[3], lna_2g;
+-      u8 lna;
++      bool use_lna;
++      u8 lna = 0;
+       u16 val;
+       if (chan->band == NL80211_BAND_2GHZ)
+@@ -275,7 +276,15 @@ void mt76x2_read_rx_gain(struct mt76x02_dev *dev)
+       dev->cal.rx.mcu_gain |= (lna_5g[1] & 0xff) << 16;
+       dev->cal.rx.mcu_gain |= (lna_5g[2] & 0xff) << 24;
+-      lna = mt76x02_get_lna_gain(dev, &lna_2g, lna_5g, chan);
++      val = mt76x02_eeprom_get(dev, MT_EE_NIC_CONF_1);
++      if (chan->band == NL80211_BAND_2GHZ)
++              use_lna = !(val & MT_EE_NIC_CONF_1_LNA_EXT_2G);
++      else
++              use_lna = !(val & MT_EE_NIC_CONF_1_LNA_EXT_5G);
++
++      if (use_lna)
++              lna = mt76x02_get_lna_gain(dev, &lna_2g, lna_5g, chan);
++
+       dev->cal.rx.lna_gain = mt76x02_sign_extend(lna, 8);
+ }
+ EXPORT_SYMBOL_GPL(mt76x2_read_rx_gain);
+-- 
+2.40.1
+
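Review bot: The chip-specific rule behind the new `use_lna` branch in mt76x2_read_rx_gain is recorded only in the commit message, so the code itself does not say why the gain stays 0. A comment above the branch would carry it, for example `/* MT76x2: treat LNA gain as 0 when the EEPROM flags an external LNA for this band */`. With the zeroing removed from mt76x02_get_lna_gain, the visible part of that helper only reads through `lna_2g`, so the pointer parameters could probably become `const s8 *`. The helper's body continues outside the hunk, so confirm that nothing later writes through them.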
diff --git a/queue-6.5/wifi-mwifiex-fix-oob-check-condition-in-mwifiex_proc.patch b/queue-6.5/wifi-mwifiex-fix-oob-check-condition-in-mwifiex_proc.patch
new file mode 100644 (file)
index 0000000..6f4aab5
--- /dev/null
@@ -0,0 +1,61 @@
+From 635905492a3f4175102741569f544c2f81691316 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 18:41:12 +0800
+Subject: wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet
+
+From: Pin-yen Lin <treapking@chromium.org>
+
+[ Upstream commit aef7a0300047e7b4707ea0411dc9597cba108fc8 ]
+
+Only skip the code path trying to access the rfc1042 headers when the
+buffer is too small, so the driver can still process packets without
+rfc1042 headers.
+
+Fixes: 119585281617 ("wifi: mwifiex: Fix OOB and integer underflow when rx packets")
+Signed-off-by: Pin-yen Lin <treapking@chromium.org>
+Acked-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Matthew Wang <matthewmwang@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230908104308.1546501-1-treapking@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/sta_rx.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/sta_rx.c b/drivers/net/wireless/marvell/mwifiex/sta_rx.c
+index 65420ad674167..257737137cd70 100644
+--- a/drivers/net/wireless/marvell/mwifiex/sta_rx.c
++++ b/drivers/net/wireless/marvell/mwifiex/sta_rx.c
+@@ -86,7 +86,8 @@ int mwifiex_process_rx_packet(struct mwifiex_private *priv,
+       rx_pkt_len = le16_to_cpu(local_rx_pd->rx_pkt_length);
+       rx_pkt_hdr = (void *)local_rx_pd + rx_pkt_off;
+-      if (sizeof(*rx_pkt_hdr) + rx_pkt_off > skb->len) {
++      if (sizeof(rx_pkt_hdr->eth803_hdr) + sizeof(rfc1042_header) +
++          rx_pkt_off > skb->len) {
+               mwifiex_dbg(priv->adapter, ERROR,
+                           "wrong rx packet offset: len=%d, rx_pkt_off=%d\n",
+                           skb->len, rx_pkt_off);
+@@ -95,12 +96,13 @@ int mwifiex_process_rx_packet(struct mwifiex_private *priv,
+               return -1;
+       }
+-      if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header,
+-                   sizeof(bridge_tunnel_header))) ||
+-          (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header,
+-                   sizeof(rfc1042_header)) &&
+-           ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_AARP &&
+-           ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_IPX)) {
++      if (sizeof(*rx_pkt_hdr) + rx_pkt_off <= skb->len &&
++          ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header,
++                    sizeof(bridge_tunnel_header))) ||
++           (!memcmp(&rx_pkt_hdr->rfc1042_hdr, rfc1042_header,
++                    sizeof(rfc1042_header)) &&
++            ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_AARP &&
++            ntohs(rx_pkt_hdr->rfc1042_hdr.snap_type) != ETH_P_IPX))) {
+               /*
+                *  Replace the 803 header and rfc1042 header (llc/snap) with an
+                *    EthernetII header, keep the src/dst and snap_type
+-- 
+2.40.1
+
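Review bot: The two length checks in mwifiex_process_rx_packet now use different bounds, and nothing in the code says which later access each one protects. The early-return guard compares `sizeof(rx_pkt_hdr->eth803_hdr) + sizeof(rfc1042_header) + rx_pkt_off` with `skb->len`, while the condition in front of the `memcmp()` calls uses `sizeof(*rx_pkt_hdr) + rx_pkt_off`. Because `rx_pkt_off` is presumably taken from the received descriptor like `rx_pkt_length`, a short comment on each check would help keep a later edit from loosening the bound, e.g. `/* minimum accepted frame: 802.3 header plus the rfc1042 prefix */` on the first and `/* rfc1042_hdr, including snap_type, is read only when it fits in the skb */` on the second. The message `wrong rx packet offset` is now also logged for frames that are simply too short, which can mislead triage. The function starts and ends outside the hunk, so whether `rx_pkt_len` is checked against `skb->len` elsewhere cannot be judged from here.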