authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-02-20 14:14:32 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-02-20 14:14:32 +0100
commit6b66a360f4becab547b4e885d47ba97e82e84f6a (patch)
treeb12015641fdae0e7a9c66a71e1caaf307a1dee63
parent4a91b9de3cabddfd11a0112d62cb0737cb61c9b3 (diff)
cve reviews: more 6.7.1 and 6.7.2 reviewsHEADmaster
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--cve/review/mbox.6.7.142
-rw-r--r--cve/review/mbox.6.7.1.cve42
-rw-r--r--cve/review/mbox.6.7.2538
-rw-r--r--cve/review/mbox.6.7.2.cve451
4 files changed, 585 insertions, 488 deletions
diff --git a/cve/review/mbox.6.7.1 b/cve/review/mbox.6.7.1
index 000b1705..535e7191 100644
--- a/cve/review/mbox.6.7.1
+++ b/cve/review/mbox.6.7.1
@@ -2394,3 +2394,45 @@ index c6f549f6a4ae..186da2386a06 100644
--
2.43.2
+From f6c30bfe5a49bc38cae985083a11016800708fea Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 6 Nov 2023 20:44:34 -0800
+Subject: [PATCH 01/29] f2fs: explicitly null-terminate the xattr list
+Status: RO
+Content-Length: 1091
+Lines: 33
+
+commit e26b6d39270f5eab0087453d9b544189a38c8564 upstream.
+
+When setting an xattr, explicitly null-terminate the xattr list. This
+eliminates the fragile assumption that the unused xattr space is always
+zeroed.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/xattr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
+index 47e88b4d4e7d..a8fc2cac6879 100644
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -754,6 +754,12 @@ static int __f2fs_setxattr(struct inode *inode, int index,
+ memcpy(pval, value, size);
+ last->e_value_size = cpu_to_le16(size);
+ new_hsize += newsize;
++ /*
++ * Explicitly add the null terminator. The unused xattr space
++ * is supposed to always be zeroed, which would make this
++ * unnecessary, but don't depend on that.
++ */
++ *(u32 *)((u8 *)last + newsize) = 0;
+ }
+
+ error = write_all_xattrs(inode, new_hsize, base_addr, ipage);
+--
+2.43.2
+
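Review bot: The commit message gives no reason for moving the f2fs xattr entry (upstream e26b6d39270f5eab0087453d9b544189a38c8564) out of `mbox.6.7.1.cve` and into `mbox.6.7.1`, so the triage outcome for it cannot be audited from this change. The entry's own text says the added terminator write removes a "fragile assumption" that unused xattr space is always zeroed. Whether a missing terminator is reachable from an untrusted filesystem image is not shown here, which is exactly the judgement worth recording. A line in the description such as `f2fs xattr null-terminate: <classification and reason>` would cover it. The same applies to the Bluetooth recv_buf() and act_ct "skb leak and crash on ooo frags" entries removed from `mbox.6.7.2` in later hunks, which were presumably moved to `mbox.6.7.2.cve` (listed in the diffstat but outside this view).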
diff --git a/cve/review/mbox.6.7.1.cve b/cve/review/mbox.6.7.1.cve
index dd942f83..4777e1ee 100644
--- a/cve/review/mbox.6.7.1.cve
+++ b/cve/review/mbox.6.7.1.cve
@@ -1,45 +1,3 @@
-From f6c30bfe5a49bc38cae985083a11016800708fea Mon Sep 17 00:00:00 2001
-From: Eric Biggers <ebiggers@google.com>
-Date: Mon, 6 Nov 2023 20:44:34 -0800
-Subject: [PATCH 01/29] f2fs: explicitly null-terminate the xattr list
-Status: RO
-Content-Length: 1091
-Lines: 33
-
-commit e26b6d39270f5eab0087453d9b544189a38c8564 upstream.
-
-When setting an xattr, explicitly null-terminate the xattr list. This
-eliminates the fragile assumption that the unused xattr space is always
-zeroed.
-
-Signed-off-by: Eric Biggers <ebiggers@google.com>
-Reviewed-by: Chao Yu <chao@kernel.org>
-Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/f2fs/xattr.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
-index 47e88b4d4e7d..a8fc2cac6879 100644
---- a/fs/f2fs/xattr.c
-+++ b/fs/f2fs/xattr.c
-@@ -754,6 +754,12 @@ static int __f2fs_setxattr(struct inode *inode, int index,
- memcpy(pval, value, size);
- last->e_value_size = cpu_to_le16(size);
- new_hsize += newsize;
-+ /*
-+ * Explicitly add the null terminator. The unused xattr space
-+ * is supposed to always be zeroed, which would make this
-+ * unnecessary, but don't depend on that.
-+ */
-+ *(u32 *)((u8 *)last + newsize) = 0;
- }
-
- error = write_all_xattrs(inode, new_hsize, base_addr, ipage);
---
-2.43.2
-
From 4f6638562db5f9568dbfbe3a2a6ac80c4832f19e Mon Sep 17 00:00:00 2001
From: Namjae Jeon <linkinjeon@kernel.org>
Date: Sun, 7 Jan 2024 21:24:07 +0900
diff --git a/cve/review/mbox.6.7.2 b/cve/review/mbox.6.7.2
index 93970333..69a577d7 100644
--- a/cve/review/mbox.6.7.2
+++ b/cve/review/mbox.6.7.2
@@ -7003,6 +7003,7 @@ From c299ca356594f485e28e160378899d00cac486fc Mon Sep 17 00:00:00 2001
From: Hangbin Liu <liuhangbin@gmail.com>
Date: Sat, 2 Dec 2023 10:00:59 +0800
Subject: [PATCH 133/641] selftests/net: specify the interface when do arping
+Status: RO
Content-Length: 1976
Lines: 40
@@ -7094,6 +7095,7 @@ From 1db951f27736d43bc4bb3807ed4bd96e255494e8 Mon Sep 17 00:00:00 2001
From: Artem Chernyshev <artem.chernyshev@red-soft.ru>
Date: Tue, 28 Nov 2023 14:10:08 +0300
Subject: [PATCH 135/641] scsi: fnic: Return error if vmalloc() failed
+Status: RO
Content-Length: 1209
Lines: 36
@@ -7608,6 +7610,7 @@ From: Yi-Chia Hsieh <yi-chia.hsieh@mediatek.com>
Date: Thu, 12 Oct 2023 15:00:26 -0700
Subject: [PATCH 146/641] wifi: mt76: mt7996: fix uninitialized variable in
parsing txfree
+Status: RO
Content-Length: 1077
Lines: 27
@@ -7644,6 +7647,7 @@ From: Christian Marangi <ansuelsmth@gmail.com>
Date: Wed, 18 Oct 2023 15:09:38 +0200
Subject: [PATCH 147/641] wifi: mt76: fix typo in mt76_get_of_eeprom_from_nvmem
function
+Status: RO
Content-Length: 1374
Lines: 37
@@ -7690,6 +7694,7 @@ From: Lorenzo Bianconi <lorenzo@kernel.org>
Date: Fri, 20 Oct 2023 12:45:19 +0200
Subject: [PATCH 148/641] wifi: mt76: mt7915: fallback to non-wed mode if
platform_get_resource fails in mt7915_mmio_wed_init()
+Status: RO
Content-Length: 1152
Lines: 30
@@ -7729,6 +7734,7 @@ From: Sujuan Chen <sujuan.chen@mediatek.com>
Date: Mon, 23 Oct 2023 23:38:49 +0800
Subject: [PATCH 149/641] wifi: mt76: mt7996: fix the size of struct
bss_rate_tlv
+Status: RO
Content-Length: 963
Lines: 28
@@ -7766,6 +7772,7 @@ From: MeiChia Chiu <meichia.chiu@mediatek.com>
Date: Mon, 23 Oct 2023 23:38:54 +0800
Subject: [PATCH 150/641] wifi: mt76: mt7996: fix rate usage of inband
discovery frames
+Status: RO
Content-Length: 1444
Lines: 34
@@ -7808,6 +7815,7 @@ From 1c69fade102d2bcb37da4892eacc4b06bf7237d6 Mon Sep 17 00:00:00 2001
From: StanleyYP Wang <StanleyYP.Wang@mediatek.com>
Date: Thu, 2 Nov 2023 18:02:59 +0800
Subject: [PATCH 151/641] wifi: mt76: mt7996: fix alignment of sta info event
+Status: RO
Content-Length: 946
Lines: 28
@@ -7845,6 +7853,7 @@ From: StanleyYP Wang <StanleyYP.Wang@mediatek.com>
Date: Mon, 6 Nov 2023 22:38:53 +0000
Subject: [PATCH 152/641] wifi: mt76: mt7915: fix EEPROM offset of TSSI flag on
MT7981
+Status: RO
Content-Length: 1175
Lines: 30
@@ -7884,6 +7893,7 @@ From: StanleyYP Wang <StanleyYP.Wang@mediatek.com>
Date: Mon, 6 Nov 2023 22:39:31 +0000
Subject: [PATCH 153/641] wifi: mt76: mt7915: also MT7981 is 3T3R but nss2 on 5
GHz band
+Status: RO
Content-Length: 1464
Lines: 33
@@ -7926,6 +7936,7 @@ From: Arnd Bergmann <arnd@arndb.de>
Date: Fri, 10 Nov 2023 15:29:30 +0100
Subject: [PATCH 154/641] wifi: mt76: mt7996: fix mt7996_mcu_all_sta_info_event
struct packing
+Status: RO
Content-Length: 1712
Lines: 44
@@ -7979,6 +7990,7 @@ From: Wang Zhao <wang.zhao@mediatek.com>
Date: Fri, 17 Nov 2023 20:54:49 +0800
Subject: [PATCH 155/641] wifi: mt76: mt7921s: fix workqueue problem causes STA
association fail
+Status: RO
Content-Length: 6938
Lines: 171
@@ -8317,6 +8329,7 @@ From: Moudy Ho <moudy.ho@mediatek.com>
Date: Tue, 31 Oct 2023 16:33:42 +0800
Subject: [PATCH 161/641] dt-bindings: media: mediatek: mdp3: correct RDMA and
WROT node with generic names
+Status: RO
Content-Length: 4383
Lines: 116
@@ -8732,6 +8745,7 @@ From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Date: Wed, 22 Nov 2023 11:06:44 +0800
Subject: [PATCH 166/641] wifi: mt76: mt7921: fix country count limitation for
CLC
+Status: RO
Content-Length: 1969
Lines: 57
@@ -8798,6 +8812,7 @@ From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Date: Wed, 22 Nov 2023 11:06:45 +0800
Subject: [PATCH 167/641] wifi: mt76: mt7921: fix CLC command timeout when
suspend/resume
+Status: RO
Content-Length: 3816
Lines: 96
@@ -8902,6 +8917,7 @@ From 05534fc3de5461dec973fcdfbd0002f9ce346056 Mon Sep 17 00:00:00 2001
From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Date: Wed, 22 Nov 2023 11:06:46 +0800
Subject: [PATCH 168/641] wifi: mt76: mt7921: fix wrong 6Ghz power type
+Status: RO
Content-Length: 2845
Lines: 94
@@ -9005,6 +9021,7 @@ From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Date: Thu, 7 Dec 2023 04:50:08 +0200
Subject: [PATCH 169/641] wifi: iwlwifi: don't support triggered EHT CQI
feedback
+Status: RO
Content-Length: 1540
Lines: 31
@@ -9099,6 +9116,7 @@ From: Li Nan <linan122@huawei.com>
Date: Mon, 11 Dec 2023 15:53:56 +0800
Subject: [PATCH 171/641] block: Set memalloc_noio to false on
device_add_disk() error path
+Status: RO
Content-Length: 1176
Lines: 31
@@ -9281,6 +9299,7 @@ From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Date: Fri, 8 Dec 2023 12:28:47 +0530
Subject: [PATCH 175/641] scsi: ufs: qcom: Fix the return value of
ufs_qcom_ice_program_key()
+Status: RO
Content-Length: 1304
Lines: 32
@@ -9322,6 +9341,7 @@ From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Date: Fri, 8 Dec 2023 12:28:48 +0530
Subject: [PATCH 176/641] scsi: ufs: qcom: Fix the return value when
platform_get_resource_byname() fails
+Status: RO
Content-Length: 1215
Lines: 31
@@ -9362,6 +9382,7 @@ From: Yihang Li <liyihang9@huawei.com>
Date: Thu, 14 Dec 2023 11:45:13 +0800
Subject: [PATCH 177/641] scsi: hisi_sas: Replace with standard error code
return value
+Status: RO
Content-Length: 2054
Lines: 55
@@ -9425,6 +9446,7 @@ From 0cae77c61752c2ddb83f7baf4e0b886b71d50bec Mon Sep 17 00:00:00 2001
From: Yihang Li <liyihang9@huawei.com>
Date: Thu, 14 Dec 2023 11:45:14 +0800
Subject: [PATCH 178/641] scsi: hisi_sas: Check before using pointer variables
+Status: RO
Content-Length: 1717
Lines: 43
@@ -9477,6 +9499,7 @@ From: Yihang Li <liyihang9@huawei.com>
Date: Thu, 14 Dec 2023 11:45:15 +0800
Subject: [PATCH 179/641] scsi: hisi_sas: Rollback some operations if FLR
failed
+Status: RO
Content-Length: 1852
Lines: 47
@@ -9533,6 +9556,7 @@ From: Yihang Li <liyihang9@huawei.com>
Date: Thu, 14 Dec 2023 11:45:16 +0800
Subject: [PATCH 180/641] scsi: hisi_sas: Correct the number of global debugfs
registers
+Status: RO
Content-Length: 1397
Lines: 34
@@ -9575,6 +9599,7 @@ From 1b71a3be3b7b25ce3c188d3fd09fbc867970fb13 Mon Sep 17 00:00:00 2001
From: Tushar Vyavahare <tushar.vyavahare@intel.com>
Date: Thu, 14 Dec 2023 13:00:07 +0000
Subject: [PATCH 181/641] selftests/xsk: Fix for SEND_RECEIVE_UNALIGNED test
+Status: RO
Content-Length: 3221
Lines: 85
@@ -9757,6 +9782,7 @@ From: Hangbin Liu <liuhangbin@gmail.com>
Date: Wed, 13 Dec 2023 14:08:49 +0800
Subject: [PATCH 184/641] selftests/net: fix grep checking for
fib_nexthop_multiprefix
+Status: RO
Content-Length: 2419
Lines: 60
@@ -9825,6 +9851,7 @@ From 7d97858e21fbc472acda7d908357c5fe54a8e439 Mon Sep 17 00:00:00 2001
From: Leone Fernando <leone4fernando@gmail.com>
Date: Wed, 13 Dec 2023 17:19:35 +0100
Subject: [PATCH 185/641] ipmr: support IP_PKTINFO on cache report IGMP msg
+Status: RO
Content-Length: 2108
Lines: 64
@@ -9898,6 +9925,7 @@ From: Arseniy Krasnov <avkrasnov@salutedevices.com>
Date: Thu, 14 Dec 2023 15:52:28 +0300
Subject: [PATCH 186/641] virtio/vsock: fix logic which reduces credit update
messages
+Status: RO
Content-Length: 2501
Lines: 61
@@ -9968,6 +9996,7 @@ From: Arseniy Krasnov <avkrasnov@salutedevices.com>
Date: Thu, 14 Dec 2023 15:52:29 +0300
Subject: [PATCH 187/641] virtio/vsock: send credit update during setting
SO_RCVLOWAT
+Status: RO
Content-Length: 7285
Lines: 181
@@ -10158,6 +10187,7 @@ From: Joakim Zhang <joakim.zhang@cixtech.com>
Date: Thu, 14 Dec 2023 16:25:26 +0800
Subject: [PATCH 188/641] dma-mapping: clear dev->dma_mem to NULL after freeing
it
+Status: RO
Content-Length: 1184
Lines: 36
@@ -10269,6 +10299,7 @@ From: Atul Dhudase <quic_adhudase@quicinc.com>
Date: Wed, 6 Dec 2023 21:02:51 +0530
Subject: [PATCH 192/641] soc: qcom: llcc: Fix dis_cap_alloc and retain_on_pc
configuration
+Status: RO
Content-Length: 2810
Lines: 62
@@ -10612,6 +10643,7 @@ From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Date: Mon, 27 Nov 2023 15:15:48 +0100
Subject: [PATCH 197/641] firmware: qcom: qseecom: fix memory leaks in error
paths
+Status: RO
Content-Length: 2912
Lines: 74
@@ -10694,6 +10726,7 @@ From 62d546526c4a07aff8bcc27157f5e84a33a60ab1 Mon Sep 17 00:00:00 2001
From: Abel Vesa <abel.vesa@linaro.org>
Date: Thu, 12 Oct 2023 19:05:09 +0300
Subject: [PATCH 198/641] soc: qcom: llcc: Fix LLCC_TRP_ATTR2_CFGn offset
+Status: RO
Content-Length: 1296
Lines: 31
@@ -10734,6 +10767,7 @@ From: Li Nan <linan122@huawei.com>
Date: Tue, 19 Dec 2023 15:59:42 +0800
Subject: [PATCH 199/641] block: add check of 'minors' and 'first_minor' in
device_add_disk()
+Status: RO
Content-Length: 1422
Lines: 37
@@ -12297,6 +12331,7 @@ From: Florian Westphal <fw@strlen.de>
Date: Mon, 27 Nov 2023 11:00:37 +0100
Subject: [PATCH 221/641] netfilter: nf_tables: mark newset as dead on
transaction abort
+Status: RO
Content-Length: 1510
Lines: 42
@@ -12348,6 +12383,7 @@ From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 14 Dec 2023 22:43:22 +0100
Subject: [PATCH 222/641] netfilter: nf_tables: validate chain type update if
available
+Status: RO
Content-Length: 1198
Lines: 39
@@ -12396,6 +12432,7 @@ From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Thu, 30 Nov 2023 14:58:03 +0100
Subject: [PATCH 223/641] Bluetooth: Fix bogus check for re-auth no supported
with non-ssp
+Status: RO
Content-Length: 3029
Lines: 80
@@ -12480,148 +12517,12 @@ index ebf17b51072f..ef8c3bed7361 100644
--
2.43.2
-From 9efc70cf2554e7a8d5a996a44252f39e5bc4e510 Mon Sep 17 00:00:00 2001
-From: Francesco Dolcini <francesco.dolcini@toradex.com>
-Date: Mon, 11 Dec 2023 17:40:18 +0100
-Subject: [PATCH 224/641] Bluetooth: btnxpuart: fix recv_buf() return value
-Content-Length: 2609
-Lines: 61
-
-[ Upstream commit 94d05394254401e503867c16aff561d3e687dfdc ]
-
-Serdev recv_buf() callback is supposed to return the amount of bytes
-consumed, therefore an int in between 0 and count.
-
-Do not return a negative number in case of issue, just print an error
-and return count. Before this change, in case of error, the returned
-negative number was internally converted to 0 in ttyport_receive_buf,
-now when the receive buffer is corrupted we return the size of the whole
-received data (`count`). This should allow for better recovery in case
-receiver/transmitter get out of sync if some data is lost.
-
-This fixes a WARN in ttyport_receive_buf().
-
- Bluetooth: hci0: Frame reassembly failed (-84)
- ------------[ cut here ]------------
- serial serial0: receive_buf returns -84 (count = 6)
- WARNING: CPU: 0 PID: 37 at drivers/tty/serdev/serdev-ttyport.c:37 ttyport_receive_buf+0xd8/0xf8
- Modules linked in: mwifiex_sdio(+) ...
- CPU: 0 PID: 37 Comm: kworker/u4:2 Not tainted 6.7.0-rc2-00147-gf1a09972a45a #1
- Hardware name: Toradex Verdin AM62 WB on Verdin Development Board (DT)
- Workqueue: events_unbound flush_to_ldisc
- pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
- pc : ttyport_receive_buf+0xd8/0xf8
- lr : ttyport_receive_buf+0xd8/0xf8
-...
- Call trace:
- ttyport_receive_buf+0xd8/0xf8
- flush_to_ldisc+0xbc/0x1a4
- process_scheduled_works+0x16c/0x28c
-
-Closes: https://lore.kernel.org/all/ZWEIhcUXfutb5SY6@francesco-nb.int.toradex.com/
-Fixes: 689ca16e5232 ("Bluetooth: NXP: Add protocol support for NXP Bluetooth chipsets")
-Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
-Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/bluetooth/btnxpuart.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c
-index b7e66b7ac570..951fe3014a3f 100644
---- a/drivers/bluetooth/btnxpuart.c
-+++ b/drivers/bluetooth/btnxpuart.c
-@@ -1276,11 +1276,10 @@ static int btnxpuart_receive_buf(struct serdev_device *serdev, const u8 *data,
- if (IS_ERR(nxpdev->rx_skb)) {
- int err = PTR_ERR(nxpdev->rx_skb);
- /* Safe to ignore out-of-sync bootloader signatures */
-- if (is_fw_downloading(nxpdev))
-- return count;
-- bt_dev_err(nxpdev->hdev, "Frame reassembly failed (%d)", err);
-+ if (!is_fw_downloading(nxpdev))
-+ bt_dev_err(nxpdev->hdev, "Frame reassembly failed (%d)", err);
- nxpdev->rx_skb = NULL;
-- return err;
-+ return count;
- }
- if (!is_fw_downloading(nxpdev))
- nxpdev->hdev->stat.byte_rx += count;
---
-2.43.2
-
-From 3e2680bd68fab7ba145393e4eb069d6c4d8a30fa Mon Sep 17 00:00:00 2001
-From: Francesco Dolcini <francesco.dolcini@toradex.com>
-Date: Mon, 11 Dec 2023 17:40:19 +0100
-Subject: [PATCH 225/641] Bluetooth: btmtkuart: fix recv_buf() return value
-Content-Length: 1991
-Lines: 60
-
-[ Upstream commit 64057f051f20c2a2184b9db7f8037d928d68a4f4 ]
-
-Serdev recv_buf() callback is supposed to return the amount of bytes
-consumed, therefore an int in between 0 and count.
-
-Do not return negative number in case of issue, just print an error and
-return count. This fixes a WARN in ttyport_receive_buf().
-
-Link: https://lore.kernel.org/all/087be419-ec6b-47ad-851a-5e1e3ea5cfcc@kernel.org/
-Fixes: 7237c4c9ec92 ("Bluetooth: mediatek: Add protocol support for MediaTek serial devices")
-Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
-Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/bluetooth/btmtkuart.c | 11 +++--------
- 1 file changed, 3 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/bluetooth/btmtkuart.c b/drivers/bluetooth/btmtkuart.c
-index 935feab815d9..203a000a84e3 100644
---- a/drivers/bluetooth/btmtkuart.c
-+++ b/drivers/bluetooth/btmtkuart.c
-@@ -336,7 +336,7 @@ mtk_stp_split(struct btmtkuart_dev *bdev, const unsigned char *data, int count,
- return data;
- }
-
--static int btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count)
-+static void btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count)
- {
- struct btmtkuart_dev *bdev = hci_get_drvdata(hdev);
- const unsigned char *p_left = data, *p_h4;
-@@ -375,25 +375,20 @@ static int btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count)
- bt_dev_err(bdev->hdev,
- "Frame reassembly failed (%d)", err);
- bdev->rx_skb = NULL;
-- return err;
-+ return;
- }
-
- sz_left -= sz_h4;
- p_left += sz_h4;
- }
--
-- return 0;
- }
-
- static int btmtkuart_receive_buf(struct serdev_device *serdev, const u8 *data,
- size_t count)
- {
- struct btmtkuart_dev *bdev = serdev_device_get_drvdata(serdev);
-- int err;
-
-- err = btmtkuart_recv(bdev->hdev, data, count);
-- if (err < 0)
-- return err;
-+ btmtkuart_recv(bdev->hdev, data, count);
-
- bdev->hdev->stat.byte_rx += count;
-
---
-2.43.2
-
From 2600dfaac57813ab7813ea571417bcbd503c65fc Mon Sep 17 00:00:00 2001
From: Christoph Hellwig <hch@lst.de>
Date: Wed, 27 Dec 2023 09:23:02 +0000
Subject: [PATCH 226/641] null_blk: don't cap max_hw_sectors to
BLK_DEF_MAX_SECTORS
+Status: RO
Content-Length: 2020
Lines: 51
@@ -12721,6 +12622,7 @@ From: Kunwu Chan <chentao@kylinos.cn>
Date: Tue, 12 Dec 2023 10:40:15 +0800
Subject: [PATCH 228/641] ice: Fix some null pointer dereference issues in
ice_ptp.c
+Status: RO
Content-Length: 1722
Lines: 42
@@ -12771,6 +12673,7 @@ From 38344519bee6b5d3c21b57683bc2c01f8802c358 Mon Sep 17 00:00:00 2001
From: Benjamin Berg <benjamin.berg@intel.com>
Date: Tue, 2 Jan 2024 21:35:30 +0200
Subject: [PATCH 229/641] wifi: cfg80211: correct comment about MLD ID
+Status: RO
Content-Length: 1626
Lines: 38
@@ -12818,6 +12721,7 @@ From: Benjamin Berg <benjamin.berg@intel.com>
Date: Tue, 2 Jan 2024 21:35:31 +0200
Subject: [PATCH 230/641] wifi: cfg80211: parse all ML elements in an ML probe
response
+Status: RO
Content-Length: 3021
Lines: 90
@@ -12999,6 +12903,7 @@ From 596e695a3041e6028918bf7ca848c5be1eeb33fc Mon Sep 17 00:00:00 2001
From: Eric Dumazet <edumazet@google.com>
Date: Tue, 12 Dec 2023 14:55:50 +0000
Subject: [PATCH 232/641] sctp: support MSG_ERRQUEUE flag in recvmsg()
+Status: RO
Content-Length: 1733
Lines: 51
@@ -13058,6 +12963,7 @@ From 63b48d3554fc4bbb915decabd9ec10190cd26525 Mon Sep 17 00:00:00 2001
From: Eric Dumazet <edumazet@google.com>
Date: Tue, 19 Dec 2023 17:00:17 +0000
Subject: [PATCH 233/641] sctp: fix busy polling
+Status: RO
Content-Length: 1548
Lines: 46
@@ -13152,6 +13058,7 @@ From 77fcddb6be7ca0c8d2e36b78442e993cdbbf6608 Mon Sep 17 00:00:00 2001
From: Ming Lei <ming.lei@redhat.com>
Date: Tue, 19 Dec 2023 09:28:33 +0800
Subject: [PATCH 235/641] blk-cgroup: fix rcu lockdep warning in blkg_lookup()
+Status: RO
Content-Length: 1385
Lines: 38
@@ -13194,160 +13101,11 @@ index fd482439afbc..b927a4a0ad03 100644
--
2.43.2
-From f5346df0591d10bc948761ca854b1fae6d2ef441 Mon Sep 17 00:00:00 2001
-From: Tao Liu <taoliu828@163.com>
-Date: Thu, 28 Dec 2023 16:14:57 +0800
-Subject: [PATCH 236/641] net/sched: act_ct: fix skb leak and crash on ooo
- frags
-Content-Length: 6310
-Lines: 141
-
-[ Upstream commit 3f14b377d01d8357eba032b4cabc8c1149b458b6 ]
-
-act_ct adds skb->users before defragmentation. If frags arrive in order,
-the last frag's reference is reset in:
-
- inet_frag_reasm_prepare
- skb_morph
-
-which is not straightforward.
-
-However when frags arrive out of order, nobody unref the last frag, and
-all frags are leaked. The situation is even worse, as initiating packet
-capture can lead to a crash[0] when skb has been cloned and shared at the
-same time.
-
-Fix the issue by removing skb_get() before defragmentation. act_ct
-returns TC_ACT_CONSUMED when defrag failed or in progress.
-
-[0]:
-[ 843.804823] ------------[ cut here ]------------
-[ 843.809659] kernel BUG at net/core/skbuff.c:2091!
-[ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP
-[ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2
-[ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022
-[ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300
-[ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89
-[ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202
-[ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820
-[ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00
-[ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000
-[ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880
-[ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900
-[ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000
-[ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
-[ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0
-[ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
-[ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
-[ 843.894229] PKRU: 55555554
-[ 843.898539] Call Trace:
-[ 843.902772] <IRQ>
-[ 843.906922] ? __die_body+0x1e/0x60
-[ 843.911032] ? die+0x3c/0x60
-[ 843.915037] ? do_trap+0xe2/0x110
-[ 843.918911] ? pskb_expand_head+0x2ac/0x300
-[ 843.922687] ? do_error_trap+0x65/0x80
-[ 843.926342] ? pskb_expand_head+0x2ac/0x300
-[ 843.929905] ? exc_invalid_op+0x50/0x60
-[ 843.933398] ? pskb_expand_head+0x2ac/0x300
-[ 843.936835] ? asm_exc_invalid_op+0x1a/0x20
-[ 843.940226] ? pskb_expand_head+0x2ac/0x300
-[ 843.943580] inet_frag_reasm_prepare+0xd1/0x240
-[ 843.946904] ip_defrag+0x5d4/0x870
-[ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]
-[ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct]
-[ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred]
-[ 843.959657] tcf_action_exec+0xa1/0x160
-[ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower]
-[ 843.966010] ? skb_clone+0x53/0xc0
-[ 843.969173] tcf_classify+0x24d/0x420
-[ 843.972333] tc_run+0x8f/0xf0
-[ 843.975465] __netif_receive_skb_core+0x67a/0x1080
-[ 843.978634] ? dev_gro_receive+0x249/0x730
-[ 843.981759] __netif_receive_skb_list_core+0x12d/0x260
-[ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0
-[ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]
-[ 843.991170] napi_complete_done+0x72/0x1a0
-[ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]
-[ 843.997501] __napi_poll+0x25/0x1b0
-[ 844.000627] net_rx_action+0x256/0x330
-[ 844.003705] __do_softirq+0xb3/0x29b
-[ 844.006718] irq_exit_rcu+0x9e/0xc0
-[ 844.009672] common_interrupt+0x86/0xa0
-[ 844.012537] </IRQ>
-[ 844.015285] <TASK>
-[ 844.017937] asm_common_interrupt+0x26/0x40
-[ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20
-[ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb f4 <fa> c3 0f 1f 00 89 fa ec 48 8b 05 ee 88 ed 00 a9 00 00 00 80 75 11
-[ 844.028900] RSP: 0018:ffffc90000533e70 EFLAGS: 00000246
-[ 844.031725] RAX: 0000000000004000 RBX: 0000000000000001 RCX: 0000000000000000
-[ 844.034553] RDX: ffff889ffffc0000 RSI: ffffffff828b7f20 RDI: ffff88a090f45c64
-[ 844.037368] RBP: ffff88a0901a2800 R08: ffff88a090f45c00 R09: 00000000000317c0
-[ 844.040155] R10: 00ec812281150475 R11: ffff889fffff0e04 R12: ffffffff828b7fa0
-[ 844.042962] R13: ffffffff828b7f20 R14: 0000000000000001 R15: 0000000000000000
-[ 844.045819] acpi_idle_enter+0x7b/0xc0
-[ 844.048621] cpuidle_enter_state+0x7f/0x430
-[ 844.051451] cpuidle_enter+0x2d/0x40
-[ 844.054279] do_idle+0x1d4/0x240
-[ 844.057096] cpu_startup_entry+0x2a/0x30
-[ 844.059934] start_secondary+0x104/0x130
-[ 844.062787] secondary_startup_64_no_verify+0x16b/0x16b
-[ 844.065674] </TASK>
-
-Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
-Signed-off-by: Tao Liu <taoliu828@163.com>
-Link: https://lore.kernel.org/r/20231228081457.936732-1-taoliu828@163.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/sched/act_ct.c | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
-index f69c47945175..3d50215985d5 100644
---- a/net/sched/act_ct.c
-+++ b/net/sched/act_ct.c
-@@ -850,7 +850,6 @@ static int tcf_ct_handle_fragments(struct net *net, struct sk_buff *skb,
- if (err || !frag)
- return err;
-
-- skb_get(skb);
- err = nf_ct_handle_fragments(net, skb, zone, family, &proto, &mru);
- if (err)
- return err;
-@@ -999,12 +998,8 @@ TC_INDIRECT_SCOPE int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
- nh_ofs = skb_network_offset(skb);
- skb_pull_rcsum(skb, nh_ofs);
- err = tcf_ct_handle_fragments(net, skb, family, p->zone, &defrag);
-- if (err == -EINPROGRESS) {
-- retval = TC_ACT_STOLEN;
-- goto out_clear;
-- }
- if (err)
-- goto drop;
-+ goto out_frag;
-
- err = nf_ct_skb_network_trim(skb, family);
- if (err)
-@@ -1091,6 +1086,11 @@ TC_INDIRECT_SCOPE int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
- qdisc_skb_cb(skb)->pkt_len = skb->len;
- return retval;
-
-+out_frag:
-+ if (err != -EINPROGRESS)
-+ tcf_action_inc_drop_qstats(&c->common);
-+ return TC_ACT_CONSUMED;
-+
- drop:
- tcf_action_inc_drop_qstats(&c->common);
- return TC_ACT_SHOT;
---
-2.43.2
-
From eb774a523b3bff499261572aa47451c19afabd96 Mon Sep 17 00:00:00 2001
From: Asmaa Mnebhi <asmaa@nvidia.com>
Date: Fri, 5 Jan 2024 10:59:46 -0500
Subject: [PATCH 237/641] mlxbf_gige: Fix intermittent no ip issue
+Status: RO
Content-Length: 3009
Lines: 85
@@ -17825,6 +17583,7 @@ Subject: [PATCH 300/641] ASoC: SOF: Intel: pci-mtl: fix ARL-S definitions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Status: RO
Content-Length: 4656
Lines: 118
@@ -19468,6 +19227,7 @@ From: Arnd Bergmann <arnd@arndb.de>
Date: Wed, 13 Dec 2023 12:23:07 +0100
Subject: [PATCH 323/641] media: i2c: mt9m114: use fsleep() in place of
udelay()
+Status: RO
Content-Length: 1695
Lines: 45
@@ -20923,6 +20683,7 @@ From: Xingyuan Mo <hdthky0@gmail.com>
Date: Fri, 8 Dec 2023 21:00:59 +0800
Subject: [PATCH 346/641] accel/habanalabs: fix information leak in
sec_attest_info()
+Status: RO
Content-Length: 1311
Lines: 31
@@ -21063,6 +20824,7 @@ From af73be8a06d28dd691061c8bc5b7d9db11052cfb Mon Sep 17 00:00:00 2001
From: Konrad Dybcio <konrad.dybcio@linaro.org>
Date: Mon, 18 Dec 2023 17:02:05 +0100
Subject: [PATCH 348/641] clk: qcom: gcc-sm8550: Mark the PCIe GDSCs votable
+Status: RO
Content-Length: 1942
Lines: 59
@@ -21131,6 +20893,7 @@ From: Konrad Dybcio <konrad.dybcio@linaro.org>
Date: Mon, 18 Dec 2023 17:02:06 +0100
Subject: [PATCH 349/641] clk: qcom: gcc-sm8550: use collapse-voting for PCIe
GDSCs
+Status: RO
Content-Length: 1911
Lines: 62
@@ -23023,6 +22786,7 @@ Subject: [PATCH 370/641] kselftest/alsa - mixer-test: fix the number of
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Status: RO
Content-Length: 1987
Lines: 46
@@ -23081,6 +22845,7 @@ Subject: [PATCH 371/641] kselftest/alsa - mixer-test: Fix the print format
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Status: RO
Content-Length: 2565
Lines: 53
@@ -23146,6 +22911,7 @@ Subject: [PATCH 372/641] kselftest/alsa - conf: Stringify the printed errno in
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Status: RO
Content-Length: 1999
Lines: 48
@@ -23603,6 +23369,7 @@ From: Geert Uytterhoeven <geert+renesas@glider.be>
Date: Thu, 11 Jan 2024 09:50:25 +0100
Subject: [PATCH 376/641] of: unittest: Fix of_count_phandle_with_args()
expected value message
+Status: RO
Content-Length: 1155
Lines: 30
@@ -28267,6 +28034,7 @@ From 05f7a3475af0faa8bf77f8637c4a40349db4f78f Mon Sep 17 00:00:00 2001
From: Mario Limonciello <mario.limonciello@amd.com>
Date: Fri, 24 Nov 2023 09:56:32 -0600
Subject: [PATCH 439/641] drm/amd: Enable PCIe PME from D3
+Status: RO
Content-Length: 1133
Lines: 33
@@ -28516,6 +28284,7 @@ From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 12 Jan 2024 23:28:45 +0100
Subject: [PATCH 443/641] netfilter: nf_tables: check if catch-all set element
is active in next generation
+Status: RO
Content-Length: 1189
Lines: 32
@@ -28815,6 +28584,7 @@ From: Gui-Dong Han <2045gemini@gmail.com>
Date: Fri, 22 Dec 2023 23:12:41 +0800
Subject: [PATCH 448/641] Bluetooth: Fix atomicity violation in
{min,max}_key_size_set
+Status: RO
Content-Length: 3357
Lines: 91
@@ -29332,6 +29102,7 @@ Subject: [PATCH 455/641] wifi: rtlwifi: Convert LNKCTL change to PCIe cap RMW
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Status: RO
Content-Length: 2826
Lines: 73
@@ -30312,6 +30083,7 @@ From 7035255bb722593441a9d81535741bd817518ddc Mon Sep 17 00:00:00 2001
From: Tadeusz Struk <tstruk@gigaio.com>
Date: Mon, 13 Nov 2023 19:03:25 +0100
Subject: [PATCH 465/641] PCI/P2PDMA: Remove reference to pci_p2pdma_map_sg()
+Status: RO
Content-Length: 1998
Lines: 45
@@ -30366,6 +30138,7 @@ From: Bjorn Helgaas <bhelgaas@google.com>
Date: Tue, 21 Nov 2023 12:36:35 -0600
Subject: [PATCH 466/641] x86/pci: Reserve ECAM if BIOS didn't include it in
PNP0C02 _CRS
+Status: RO
Content-Length: 3828
Lines: 85
@@ -30463,6 +30236,7 @@ Subject: [PATCH 467/641] PCI: dwc: endpoint: Fix dw_pcie_ep_raise_msix_irq()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Status: RO
Content-Length: 1809
Lines: 42
@@ -30517,6 +30291,7 @@ Subject: [PATCH 468/641] PCI: mediatek: Clear interrupt status before
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Status: RO
Content-Length: 2204
Lines: 52
@@ -32056,6 +31831,7 @@ From fd8af4edef36103c317b3fa89ffde670a9b3e814 Mon Sep 17 00:00:00 2001
From: Dang Huynh <danct12@riseup.net>
Date: Fri, 3 Nov 2023 18:42:03 +0700
Subject: [PATCH 485/641] leds: aw2013: Select missing dependency REGMAP_I2C
+Status: RO
Content-Length: 1086
Lines: 33
@@ -32435,6 +32211,7 @@ From 5072b4c519397a77ac45715455385957d568f54e Mon Sep 17 00:00:00 2001
From: Vincent Whitchurch <vincent.whitchurch@axis.com>
Date: Fri, 1 Sep 2023 15:35:43 +0200
Subject: [PATCH 492/641] um: virt-pci: fix platform map offset
+Status: RO
Content-Length: 944
Lines: 28
@@ -32977,6 +32754,7 @@ From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Date: Mon, 30 Oct 2023 13:42:18 +0200
Subject: [PATCH 503/641] PCI: Avoid potential out-of-bounds read in
pci_dev_for_each_resource()
+Status: RO
Content-Length: 2239
Lines: 52
@@ -33133,6 +32911,7 @@ From: Nick Forrington <nick.forrington@arm.com>
Date: Thu, 2 Nov 2023 16:22:24 +0000
Subject: [PATCH 506/641] perf test: Remove atomics from test_loop to avoid
test failures
+Status: RO
Content-Length: 1778
Lines: 50
@@ -33317,6 +33096,7 @@ From: Umang Jain <umang.jain@ideasonboard.com>
Date: Wed, 29 Nov 2023 01:48:45 +0530
Subject: [PATCH 509/641] staging: vc04_services: vchiq_core: Log through
struct vchiq_instance
+Status: RO
Content-Length: 2105
Lines: 50
@@ -33376,6 +33156,7 @@ From: Umang Jain <umang.jain@ideasonboard.com>
Date: Wed, 29 Nov 2023 01:49:22 +0530
Subject: [PATCH 510/641] staging: vc04_services: Do not pass NULL to
vchiq_log_error()
+Status: RO
Content-Length: 2749
Lines: 61
@@ -33445,6 +33226,7 @@ From 1b886bd484b631033a373df47f418f2148bb6ce2 Mon Sep 17 00:00:00 2001
From: Veronika Molnarova <vmolnaro@redhat.com>
Date: Fri, 1 Dec 2023 20:46:17 +0100
Subject: [PATCH 511/641] perf test record user-regs: Fix mask for vg register
+Status: RO
Content-Length: 2616
Lines: 60
@@ -34162,6 +33944,7 @@ From: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be>
Date: Thu, 5 Oct 2023 17:38:42 +0200
Subject: [PATCH 521/641] selftests/sgx: Fix uninitialized pointer dereference
in error path
+Status: RO
Content-Length: 1505
Lines: 44
@@ -34215,6 +33998,7 @@ From: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be>
Date: Thu, 5 Oct 2023 17:38:43 +0200
Subject: [PATCH 522/641] selftests/sgx: Fix uninitialized pointer dereferences
in encl_get_entry
+Status: RO
Content-Length: 1589
Lines: 49
@@ -34273,6 +34057,7 @@ From: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be>
Date: Thu, 5 Oct 2023 17:38:44 +0200
Subject: [PATCH 523/641] selftests/sgx: Include memory clobber for inline asm
in test enclave
+Status: RO
Content-Length: 1676
Lines: 48
@@ -34329,6 +34114,7 @@ From b68be58c31b5cb172fd1c7c690a200fbbc19aedf Mon Sep 17 00:00:00 2001
From: Zhao Mengmeng <zhaomengmeng@kylinos.cn>
Date: Tue, 5 Dec 2023 21:56:05 -0500
Subject: [PATCH 524/641] selftests/sgx: Skip non X86_64 platform
+Status: RO
Content-Length: 1681
Lines: 41
@@ -35960,6 +35746,7 @@ Subject: [PATCH 537/641] PCI: epf-mhi: Fix the DMA data direction of
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Status: RO
Content-Length: 1249
Lines: 30
@@ -38596,6 +38383,7 @@ Subject: [PATCH 569/641] PCI: xilinx-xdma: Fix uninitialized symbols in
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Status: RO
Content-Length: 2135
Lines: 48
@@ -38656,6 +38444,7 @@ Subject: [PATCH 570/641] PCI: xilinx-xdma: Fix error code in
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Status: RO
Content-Length: 1568
Lines: 36
@@ -38759,6 +38548,7 @@ Subject: [PATCH 572/641] PCI: keystone: Fix race condition when initializing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Status: RO
Content-Length: 2161
Lines: 53
@@ -38887,6 +38677,7 @@ Subject: [PATCH 574/641] PCI: mediatek-gen3: Fix translation window size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
+Status: RO
Content-Length: 5240
Lines: 148
@@ -39090,6 +38881,7 @@ From: Niklas Schnelle <schnelle@linux.ibm.com>
Date: Tue, 28 Nov 2023 16:22:49 +0100
Subject: [PATCH 576/641] s390/pci: fix max size calculation in
zpci_memcpy_toio()
+Status: RO
Content-Length: 4920
Lines: 137
@@ -41306,6 +41098,7 @@ From 2b973b5ba8792110dc047ad8ed22d87597df9797 Mon Sep 17 00:00:00 2001
From: Benjamin Poirier <bpoirier@nvidia.com>
Date: Wed, 10 Jan 2024 09:14:35 -0500
Subject: [PATCH 608/641] selftests: bonding: Change script interpreter
+Status: RO
Content-Length: 1883
Lines: 42
@@ -41620,6 +41413,7 @@ From 7d2d03936a97903ecb7d9554971982947cd86f86 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 3 Jan 2024 23:34:58 +0100
Subject: [PATCH 615/641] netfilter: nf_tables: reject invalid set policy
+Status: RO
Content-Length: 1142
Lines: 36
@@ -41664,6 +41458,7 @@ From ae6c0543ff13b892ad4092b97ff9813d9fb3ad8a Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 10 Jan 2024 00:42:37 +0100
Subject: [PATCH 616/641] netfilter: nft_limit: do not ignore unsupported flags
+Status: RO
Content-Length: 1703
Lines: 58
@@ -41731,6 +41526,7 @@ From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Date: Thu, 11 Jan 2024 23:06:37 +0800
Subject: [PATCH 617/641] netfilter: nfnetlink_log: use proper helper for
fetching physinif
+Status: RO
Content-Length: 1571
Lines: 44
@@ -41783,6 +41579,7 @@ From 108494937a67ecbd4678326761106bd3e5d2012e Mon Sep 17 00:00:00 2001
From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Date: Thu, 11 Jan 2024 23:06:38 +0800
Subject: [PATCH 618/641] netfilter: nf_queue: remove excess nf_bridge variable
+Status: RO
Content-Length: 1219
Lines: 33
@@ -41824,6 +41621,7 @@ From eb4170437f45b91eef518dcb017197b115b52852 Mon Sep 17 00:00:00 2001
From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Date: Thu, 11 Jan 2024 23:06:39 +0800
Subject: [PATCH 619/641] netfilter: propagate net to nf_bridge_get_physindev
+Status: RO
Content-Length: 7360
Lines: 181
@@ -42014,6 +41812,7 @@ From: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Date: Thu, 11 Jan 2024 23:06:40 +0800
Subject: [PATCH 620/641] netfilter: bridge: replace physindev with physinif in
nf_bridge_info
+Status: RO
Content-Length: 10776
Lines: 298
@@ -42316,62 +42115,12 @@ index 27b2164f4c43..196dd4ecb5e2 100644
--
2.43.2
-From ff67e3e488090908dc015ba04d7407d8bd467f7e Mon Sep 17 00:00:00 2001
-From: Pablo Neira Ayuso <pablo@netfilter.org>
-Date: Sun, 14 Jan 2024 23:53:39 +0100
-Subject: [PATCH 621/641] netfilter: nf_tables: do not allow mismatch field
- size and set key length
-Content-Length: 1490
-Lines: 42
-
-[ Upstream commit 3ce67e3793f48c1b9635beb9bb71116ca1e51b58 ]
-
-The set description provides the size of each field in the set whose sum
-should not mismatch the set key length, bail out otherwise.
-
-I did not manage to crash nft_set_pipapo with mismatch fields and set key
-length so far, but this is UB which must be disallowed.
-
-Fixes: f3a2181e16f1 ("netfilter: nf_tables: Support for sets with multiple ranged fields")
-Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/netfilter/nf_tables_api.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
-index 3912a133324c..7775bf5224ac 100644
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -4811,8 +4811,8 @@ static int nft_set_desc_concat_parse(const struct nlattr *attr,
- static int nft_set_desc_concat(struct nft_set_desc *desc,
- const struct nlattr *nla)
- {
-+ u32 num_regs = 0, key_num_regs = 0;
- struct nlattr *attr;
-- u32 num_regs = 0;
- int rem, err, i;
-
- nla_for_each_nested(attr, nla, rem) {
-@@ -4827,6 +4827,10 @@ static int nft_set_desc_concat(struct nft_set_desc *desc,
- for (i = 0; i < desc->field_count; i++)
- num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
-
-+ key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));
-+ if (key_num_regs != num_regs)
-+ return -EINVAL;
-+
- if (num_regs > NFT_REG32_COUNT)
- return -E2BIG;
-
---
-2.43.2
-
From 9f0254479da4180d194fce950cee1dc975416177 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 15 Jan 2024 00:14:38 +0100
Subject: [PATCH 622/641] netfilter: nf_tables: skip dead set elements in
netlink dump
+Status: RO
Content-Length: 1523
Lines: 39
@@ -42420,6 +42169,7 @@ From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 15 Jan 2024 12:50:29 +0100
Subject: [PATCH 623/641] netfilter: nf_tables: reject NFT_SET_CONCAT with not
field length description
+Status: RO
Content-Length: 1100
Lines: 32
@@ -42461,6 +42211,7 @@ From: Fedor Pchelkin <pchelkin@ispras.ru>
Date: Mon, 15 Jan 2024 17:39:22 +0300
Subject: [PATCH 624/641] ipvs: avoid stat macros calls from preemptible
context
+Status: RO
Content-Length: 2567
Lines: 75
@@ -42752,114 +42503,6 @@ index a79af8c25a07..b6cb101d7f19 100644
--
2.43.2
-From df4bb78489b85dea545c57f3d8568022dea57f2a Mon Sep 17 00:00:00 2001
-From: Christoph Hellwig <hch@lst.de>
-Date: Wed, 17 Jan 2024 18:59:01 +0100
-Subject: [PATCH 629/641] loop: fix the the direct I/O support check when used
- on top of block devices
-Content-Length: 3560
-Lines: 99
-
-[ Upstream commit baa7d536077dcdfe2b70c476a8873d1745d3de0f ]
-
-__loop_update_dio only checks the alignment requirement for block backed
-file systems, but misses them for the case where the loop device is
-created directly on top of another block device. Due to this creating
-a loop device with default option plus the direct I/O flag on a > 512 byte
-sector size file system will lead to incorrect I/O being submitted to the
-lower block device and a lot of error from the lock layer. This can
-be seen with xfstests generic/563.
-
-Fix the code in __loop_update_dio by factoring the alignment check into
-a helper, and calling that also for the struct block_device of a block
-device inode.
-
-Also remove the TODO comment talking about dynamically switching between
-buffered and direct I/O, which is a would be a recipe for horrible
-performance and occasional data loss.
-
-Fixes: 2e5ab5f379f9 ("block: loop: prepare for supporing direct IO")
-Signed-off-by: Christoph Hellwig <hch@lst.de>
-Reviewed-by: Ming Lei <ming.lei@redhat.com>
-Link: https://lore.kernel.org/r/20240117175901.871796-1-hch@lst.de
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/block/loop.c | 52 +++++++++++++++++++++-----------------------
- 1 file changed, 25 insertions(+), 27 deletions(-)
-
-diff --git a/drivers/block/loop.c b/drivers/block/loop.c
-index 9f2d412fc560..552f56a84a7e 100644
---- a/drivers/block/loop.c
-+++ b/drivers/block/loop.c
-@@ -165,39 +165,37 @@ static loff_t get_loop_size(struct loop_device *lo, struct file *file)
- return get_size(lo->lo_offset, lo->lo_sizelimit, file);
- }
-
-+/*
-+ * We support direct I/O only if lo_offset is aligned with the logical I/O size
-+ * of backing device, and the logical block size of loop is bigger than that of
-+ * the backing device.
-+ */
-+static bool lo_bdev_can_use_dio(struct loop_device *lo,
-+ struct block_device *backing_bdev)
-+{
-+ unsigned short sb_bsize = bdev_logical_block_size(backing_bdev);
-+
-+ if (queue_logical_block_size(lo->lo_queue) < sb_bsize)
-+ return false;
-+ if (lo->lo_offset & (sb_bsize - 1))
-+ return false;
-+ return true;
-+}
-+
- static void __loop_update_dio(struct loop_device *lo, bool dio)
- {
- struct file *file = lo->lo_backing_file;
-- struct address_space *mapping = file->f_mapping;
-- struct inode *inode = mapping->host;
-- unsigned short sb_bsize = 0;
-- unsigned dio_align = 0;
-+ struct inode *inode = file->f_mapping->host;
-+ struct block_device *backing_bdev = NULL;
- bool use_dio;
-
-- if (inode->i_sb->s_bdev) {
-- sb_bsize = bdev_logical_block_size(inode->i_sb->s_bdev);
-- dio_align = sb_bsize - 1;
-- }
-+ if (S_ISBLK(inode->i_mode))
-+ backing_bdev = I_BDEV(inode);
-+ else if (inode->i_sb->s_bdev)
-+ backing_bdev = inode->i_sb->s_bdev;
-
-- /*
-- * We support direct I/O only if lo_offset is aligned with the
-- * logical I/O size of backing device, and the logical block
-- * size of loop is bigger than the backing device's.
-- *
-- * TODO: the above condition may be loosed in the future, and
-- * direct I/O may be switched runtime at that time because most
-- * of requests in sane applications should be PAGE_SIZE aligned
-- */
-- if (dio) {
-- if (queue_logical_block_size(lo->lo_queue) >= sb_bsize &&
-- !(lo->lo_offset & dio_align) &&
-- (file->f_mode & FMODE_CAN_ODIRECT))
-- use_dio = true;
-- else
-- use_dio = false;
-- } else {
-- use_dio = false;
-- }
-+ use_dio = dio && (file->f_mode & FMODE_CAN_ODIRECT) &&
-+ (!backing_bdev || lo_bdev_can_use_dio(lo, backing_bdev));
-
- if (lo->use_dio == use_dio)
- return;
---
-2.43.2
-
From 1a720f3ec16e510ff1e0d384119475bc0bdc4e26 Mon Sep 17 00:00:00 2001
From: Amit Cohen <amcohen@nvidia.com>
Date: Wed, 17 Jan 2024 16:04:16 +0100
@@ -43404,6 +43047,7 @@ From: Amit Cohen <amcohen@nvidia.com>
Date: Wed, 17 Jan 2024 16:04:21 +0100
Subject: [PATCH 634/641] selftests: mlxsw: qos_pfc: Adjust the test to support
8 lanes
+Status: RO
Content-Length: 3124
Lines: 80
@@ -43574,6 +43218,7 @@ From a4f8ee0fbe9a089ff95e1333fa18d2062cee1bdc Mon Sep 17 00:00:00 2001
From: Marek Szyprowski <m.szyprowski@samsung.com>
Date: Wed, 8 Nov 2023 17:43:52 +0100
Subject: [PATCH 636/641] i2c: s3c24xx: fix read transfers in polling mode
+Status: RO
Content-Length: 1470
Lines: 42
@@ -43625,6 +43270,7 @@ From: Marek Szyprowski <m.szyprowski@samsung.com>
Date: Wed, 8 Nov 2023 17:43:53 +0100
Subject: [PATCH 637/641] i2c: s3c24xx: fix transferring more than one message
in polling mode
+Status: RO
Content-Length: 2696
Lines: 80
diff --git a/cve/review/mbox.6.7.2.cve b/cve/review/mbox.6.7.2.cve
index fc481797..0e50d3d4 100644
--- a/cve/review/mbox.6.7.2.cve
+++ b/cve/review/mbox.6.7.2.cve
@@ -4024,3 +4024,454 @@ index 6e7e57360b81..58e34ff81197 100644
--
2.43.2
+From 9efc70cf2554e7a8d5a996a44252f39e5bc4e510 Mon Sep 17 00:00:00 2001
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+Date: Mon, 11 Dec 2023 17:40:18 +0100
+Subject: [PATCH 224/641] Bluetooth: btnxpuart: fix recv_buf() return value
+Status: RO
+Content-Length: 2609
+Lines: 61
+
+[ Upstream commit 94d05394254401e503867c16aff561d3e687dfdc ]
+
+Serdev recv_buf() callback is supposed to return the amount of bytes
+consumed, therefore an int in between 0 and count.
+
+Do not return a negative number in case of issue, just print an error
+and return count. Before this change, in case of error, the returned
+negative number was internally converted to 0 in ttyport_receive_buf,
+now when the receive buffer is corrupted we return the size of the whole
+received data (`count`). This should allow for better recovery in case
+receiver/transmitter get out of sync if some data is lost.
+
+This fixes a WARN in ttyport_receive_buf().
+
+ Bluetooth: hci0: Frame reassembly failed (-84)
+ ------------[ cut here ]------------
+ serial serial0: receive_buf returns -84 (count = 6)
+ WARNING: CPU: 0 PID: 37 at drivers/tty/serdev/serdev-ttyport.c:37 ttyport_receive_buf+0xd8/0xf8
+ Modules linked in: mwifiex_sdio(+) ...
+ CPU: 0 PID: 37 Comm: kworker/u4:2 Not tainted 6.7.0-rc2-00147-gf1a09972a45a #1
+ Hardware name: Toradex Verdin AM62 WB on Verdin Development Board (DT)
+ Workqueue: events_unbound flush_to_ldisc
+ pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : ttyport_receive_buf+0xd8/0xf8
+ lr : ttyport_receive_buf+0xd8/0xf8
+...
+ Call trace:
+ ttyport_receive_buf+0xd8/0xf8
+ flush_to_ldisc+0xbc/0x1a4
+ process_scheduled_works+0x16c/0x28c
+
+Closes: https://lore.kernel.org/all/ZWEIhcUXfutb5SY6@francesco-nb.int.toradex.com/
+Fixes: 689ca16e5232 ("Bluetooth: NXP: Add protocol support for NXP Bluetooth chipsets")
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btnxpuart.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c
+index b7e66b7ac570..951fe3014a3f 100644
+--- a/drivers/bluetooth/btnxpuart.c
++++ b/drivers/bluetooth/btnxpuart.c
+@@ -1276,11 +1276,10 @@ static int btnxpuart_receive_buf(struct serdev_device *serdev, const u8 *data,
+ if (IS_ERR(nxpdev->rx_skb)) {
+ int err = PTR_ERR(nxpdev->rx_skb);
+ /* Safe to ignore out-of-sync bootloader signatures */
+- if (is_fw_downloading(nxpdev))
+- return count;
+- bt_dev_err(nxpdev->hdev, "Frame reassembly failed (%d)", err);
++ if (!is_fw_downloading(nxpdev))
++ bt_dev_err(nxpdev->hdev, "Frame reassembly failed (%d)", err);
+ nxpdev->rx_skb = NULL;
+- return err;
++ return count;
+ }
+ if (!is_fw_downloading(nxpdev))
+ nxpdev->hdev->stat.byte_rx += count;
+--
+2.43.2
+
+From 3e2680bd68fab7ba145393e4eb069d6c4d8a30fa Mon Sep 17 00:00:00 2001
+From: Francesco Dolcini <francesco.dolcini@toradex.com>
+Date: Mon, 11 Dec 2023 17:40:19 +0100
+Subject: [PATCH 225/641] Bluetooth: btmtkuart: fix recv_buf() return value
+Status: RO
+Content-Length: 1991
+Lines: 60
+
+[ Upstream commit 64057f051f20c2a2184b9db7f8037d928d68a4f4 ]
+
+Serdev recv_buf() callback is supposed to return the amount of bytes
+consumed, therefore an int in between 0 and count.
+
+Do not return negative number in case of issue, just print an error and
+return count. This fixes a WARN in ttyport_receive_buf().
+
+Link: https://lore.kernel.org/all/087be419-ec6b-47ad-851a-5e1e3ea5cfcc@kernel.org/
+Fixes: 7237c4c9ec92 ("Bluetooth: mediatek: Add protocol support for MediaTek serial devices")
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btmtkuart.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/bluetooth/btmtkuart.c b/drivers/bluetooth/btmtkuart.c
+index 935feab815d9..203a000a84e3 100644
+--- a/drivers/bluetooth/btmtkuart.c
++++ b/drivers/bluetooth/btmtkuart.c
+@@ -336,7 +336,7 @@ mtk_stp_split(struct btmtkuart_dev *bdev, const unsigned char *data, int count,
+ return data;
+ }
+
+-static int btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count)
++static void btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count)
+ {
+ struct btmtkuart_dev *bdev = hci_get_drvdata(hdev);
+ const unsigned char *p_left = data, *p_h4;
+@@ -375,25 +375,20 @@ static int btmtkuart_recv(struct hci_dev *hdev, const u8 *data, size_t count)
+ bt_dev_err(bdev->hdev,
+ "Frame reassembly failed (%d)", err);
+ bdev->rx_skb = NULL;
+- return err;
++ return;
+ }
+
+ sz_left -= sz_h4;
+ p_left += sz_h4;
+ }
+-
+- return 0;
+ }
+
+ static int btmtkuart_receive_buf(struct serdev_device *serdev, const u8 *data,
+ size_t count)
+ {
+ struct btmtkuart_dev *bdev = serdev_device_get_drvdata(serdev);
+- int err;
+
+- err = btmtkuart_recv(bdev->hdev, data, count);
+- if (err < 0)
+- return err;
++ btmtkuart_recv(bdev->hdev, data, count);
+
+ bdev->hdev->stat.byte_rx += count;
+
+--
+2.43.2
+
+From f5346df0591d10bc948761ca854b1fae6d2ef441 Mon Sep 17 00:00:00 2001
+From: Tao Liu <taoliu828@163.com>
+Date: Thu, 28 Dec 2023 16:14:57 +0800
+Subject: [PATCH 236/641] net/sched: act_ct: fix skb leak and crash on ooo
+ frags
+Status: RO
+Content-Length: 6310
+Lines: 141
+
+[ Upstream commit 3f14b377d01d8357eba032b4cabc8c1149b458b6 ]
+
+act_ct adds skb->users before defragmentation. If frags arrive in order,
+the last frag's reference is reset in:
+
+ inet_frag_reasm_prepare
+ skb_morph
+
+which is not straightforward.
+
+However when frags arrive out of order, nobody unref the last frag, and
+all frags are leaked. The situation is even worse, as initiating packet
+capture can lead to a crash[0] when skb has been cloned and shared at the
+same time.
+
+Fix the issue by removing skb_get() before defragmentation. act_ct
+returns TC_ACT_CONSUMED when defrag failed or in progress.
+
+[0]:
+[ 843.804823] ------------[ cut here ]------------
+[ 843.809659] kernel BUG at net/core/skbuff.c:2091!
+[ 843.814516] invalid opcode: 0000 [#1] PREEMPT SMP
+[ 843.819296] CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G S 6.7.0-rc3 #2
+[ 843.824107] Hardware name: XFUSION 1288H V6/BC13MBSBD, BIOS 1.29 11/25/2022
+[ 843.828953] RIP: 0010:pskb_expand_head+0x2ac/0x300
+[ 843.833805] Code: 8b 70 28 48 85 f6 74 82 48 83 c6 08 bf 01 00 00 00 e8 38 bd ff ff 8b 83 c0 00 00 00 48 03 83 c8 00 00 00 e9 62 ff ff ff 0f 0b <0f> 0b e8 8d d0 ff ff e9 b3 fd ff ff 81 7c 24 14 40 01 00 00 4c 89
+[ 843.843698] RSP: 0018:ffffc9000cce07c0 EFLAGS: 00010202
+[ 843.848524] RAX: 0000000000000002 RBX: ffff88811a211d00 RCX: 0000000000000820
+[ 843.853299] RDX: 0000000000000640 RSI: 0000000000000000 RDI: ffff88811a211d00
+[ 843.857974] RBP: ffff888127d39518 R08: 00000000bee97314 R09: 0000000000000000
+[ 843.862584] R10: 0000000000000000 R11: ffff8881109f0000 R12: 0000000000000880
+[ 843.867147] R13: ffff888127d39580 R14: 0000000000000640 R15: ffff888170f7b900
+[ 843.871680] FS: 0000000000000000(0000) GS:ffff889ffffc0000(0000) knlGS:0000000000000000
+[ 843.876242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 843.880778] CR2: 00007fa42affcfb8 CR3: 000000011433a002 CR4: 0000000000770ef0
+[ 843.885336] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 843.889809] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 843.894229] PKRU: 55555554
+[ 843.898539] Call Trace:
+[ 843.902772] <IRQ>
+[ 843.906922] ? __die_body+0x1e/0x60
+[ 843.911032] ? die+0x3c/0x60
+[ 843.915037] ? do_trap+0xe2/0x110
+[ 843.918911] ? pskb_expand_head+0x2ac/0x300
+[ 843.922687] ? do_error_trap+0x65/0x80
+[ 843.926342] ? pskb_expand_head+0x2ac/0x300
+[ 843.929905] ? exc_invalid_op+0x50/0x60
+[ 843.933398] ? pskb_expand_head+0x2ac/0x300
+[ 843.936835] ? asm_exc_invalid_op+0x1a/0x20
+[ 843.940226] ? pskb_expand_head+0x2ac/0x300
+[ 843.943580] inet_frag_reasm_prepare+0xd1/0x240
+[ 843.946904] ip_defrag+0x5d4/0x870
+[ 843.950132] nf_ct_handle_fragments+0xec/0x130 [nf_conntrack]
+[ 843.953334] tcf_ct_act+0x252/0xd90 [act_ct]
+[ 843.956473] ? tcf_mirred_act+0x516/0x5a0 [act_mirred]
+[ 843.959657] tcf_action_exec+0xa1/0x160
+[ 843.962823] fl_classify+0x1db/0x1f0 [cls_flower]
+[ 843.966010] ? skb_clone+0x53/0xc0
+[ 843.969173] tcf_classify+0x24d/0x420
+[ 843.972333] tc_run+0x8f/0xf0
+[ 843.975465] __netif_receive_skb_core+0x67a/0x1080
+[ 843.978634] ? dev_gro_receive+0x249/0x730
+[ 843.981759] __netif_receive_skb_list_core+0x12d/0x260
+[ 843.984869] netif_receive_skb_list_internal+0x1cb/0x2f0
+[ 843.987957] ? mlx5e_handle_rx_cqe_mpwrq_rep+0xfa/0x1a0 [mlx5_core]
+[ 843.991170] napi_complete_done+0x72/0x1a0
+[ 843.994305] mlx5e_napi_poll+0x28c/0x6d0 [mlx5_core]
+[ 843.997501] __napi_poll+0x25/0x1b0
+[ 844.000627] net_rx_action+0x256/0x330
+[ 844.003705] __do_softirq+0xb3/0x29b
+[ 844.006718] irq_exit_rcu+0x9e/0xc0
+[ 844.009672] common_interrupt+0x86/0xa0
+[ 844.012537] </IRQ>
+[ 844.015285] <TASK>
+[ 844.017937] asm_common_interrupt+0x26/0x40
+[ 844.020591] RIP: 0010:acpi_safe_halt+0x1b/0x20
+[ 844.023247] Code: ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 65 48 8b 04 25 00 18 03 00 48 8b 00 a8 08 75 0c 66 90 0f 00 2d 81 d0 44 00 fb f4 <fa> c3 0f 1f 00 89 fa ec 48 8b 05 ee 88 ed 00 a9 00 00 00 80 75 11
+[ 844.028900] RSP: 0018:ffffc90000533e70 EFLAGS: 00000246
+[ 844.031725] RAX: 0000000000004000 RBX: 0000000000000001 RCX: 0000000000000000
+[ 844.034553] RDX: ffff889ffffc0000 RSI: ffffffff828b7f20 RDI: ffff88a090f45c64
+[ 844.037368] RBP: ffff88a0901a2800 R08: ffff88a090f45c00 R09: 00000000000317c0
+[ 844.040155] R10: 00ec812281150475 R11: ffff889fffff0e04 R12: ffffffff828b7fa0
+[ 844.042962] R13: ffffffff828b7f20 R14: 0000000000000001 R15: 0000000000000000
+[ 844.045819] acpi_idle_enter+0x7b/0xc0
+[ 844.048621] cpuidle_enter_state+0x7f/0x430
+[ 844.051451] cpuidle_enter+0x2d/0x40
+[ 844.054279] do_idle+0x1d4/0x240
+[ 844.057096] cpu_startup_entry+0x2a/0x30
+[ 844.059934] start_secondary+0x104/0x130
+[ 844.062787] secondary_startup_64_no_verify+0x16b/0x16b
+[ 844.065674] </TASK>
+
+Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
+Signed-off-by: Tao Liu <taoliu828@163.com>
+Link: https://lore.kernel.org/r/20231228081457.936732-1-taoliu828@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_ct.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
+index f69c47945175..3d50215985d5 100644
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -850,7 +850,6 @@ static int tcf_ct_handle_fragments(struct net *net, struct sk_buff *skb,
+ if (err || !frag)
+ return err;
+
+- skb_get(skb);
+ err = nf_ct_handle_fragments(net, skb, zone, family, &proto, &mru);
+ if (err)
+ return err;
+@@ -999,12 +998,8 @@ TC_INDIRECT_SCOPE int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
+ nh_ofs = skb_network_offset(skb);
+ skb_pull_rcsum(skb, nh_ofs);
+ err = tcf_ct_handle_fragments(net, skb, family, p->zone, &defrag);
+- if (err == -EINPROGRESS) {
+- retval = TC_ACT_STOLEN;
+- goto out_clear;
+- }
+ if (err)
+- goto drop;
++ goto out_frag;
+
+ err = nf_ct_skb_network_trim(skb, family);
+ if (err)
+@@ -1091,6 +1086,11 @@ TC_INDIRECT_SCOPE int tcf_ct_act(struct sk_buff *skb, const struct tc_action *a,
+ qdisc_skb_cb(skb)->pkt_len = skb->len;
+ return retval;
+
++out_frag:
++ if (err != -EINPROGRESS)
++ tcf_action_inc_drop_qstats(&c->common);
++ return TC_ACT_CONSUMED;
++
+ drop:
+ tcf_action_inc_drop_qstats(&c->common);
+ return TC_ACT_SHOT;
+--
+2.43.2
+
+From df4bb78489b85dea545c57f3d8568022dea57f2a Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Wed, 17 Jan 2024 18:59:01 +0100
+Subject: [PATCH 629/641] loop: fix the the direct I/O support check when used
+ on top of block devices
+Status: RO
+Content-Length: 3560
+Lines: 99
+
+[ Upstream commit baa7d536077dcdfe2b70c476a8873d1745d3de0f ]
+
+__loop_update_dio only checks the alignment requirement for block backed
+file systems, but misses them for the case where the loop device is
+created directly on top of another block device. Due to this creating
+a loop device with default option plus the direct I/O flag on a > 512 byte
+sector size file system will lead to incorrect I/O being submitted to the
+lower block device and a lot of error from the lock layer. This can
+be seen with xfstests generic/563.
+
+Fix the code in __loop_update_dio by factoring the alignment check into
+a helper, and calling that also for the struct block_device of a block
+device inode.
+
+Also remove the TODO comment talking about dynamically switching between
+buffered and direct I/O, which is a would be a recipe for horrible
+performance and occasional data loss.
+
+Fixes: 2e5ab5f379f9 ("block: loop: prepare for supporing direct IO")
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20240117175901.871796-1-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/loop.c | 52 +++++++++++++++++++++-----------------------
+ 1 file changed, 25 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index 9f2d412fc560..552f56a84a7e 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -165,39 +165,37 @@ static loff_t get_loop_size(struct loop_device *lo, struct file *file)
+ return get_size(lo->lo_offset, lo->lo_sizelimit, file);
+ }
+
++/*
++ * We support direct I/O only if lo_offset is aligned with the logical I/O size
++ * of backing device, and the logical block size of loop is bigger than that of
++ * the backing device.
++ */
++static bool lo_bdev_can_use_dio(struct loop_device *lo,
++ struct block_device *backing_bdev)
++{
++ unsigned short sb_bsize = bdev_logical_block_size(backing_bdev);
++
++ if (queue_logical_block_size(lo->lo_queue) < sb_bsize)
++ return false;
++ if (lo->lo_offset & (sb_bsize - 1))
++ return false;
++ return true;
++}
++
+ static void __loop_update_dio(struct loop_device *lo, bool dio)
+ {
+ struct file *file = lo->lo_backing_file;
+- struct address_space *mapping = file->f_mapping;
+- struct inode *inode = mapping->host;
+- unsigned short sb_bsize = 0;
+- unsigned dio_align = 0;
++ struct inode *inode = file->f_mapping->host;
++ struct block_device *backing_bdev = NULL;
+ bool use_dio;
+
+- if (inode->i_sb->s_bdev) {
+- sb_bsize = bdev_logical_block_size(inode->i_sb->s_bdev);
+- dio_align = sb_bsize - 1;
+- }
++ if (S_ISBLK(inode->i_mode))
++ backing_bdev = I_BDEV(inode);
++ else if (inode->i_sb->s_bdev)
++ backing_bdev = inode->i_sb->s_bdev;
+
+- /*
+- * We support direct I/O only if lo_offset is aligned with the
+- * logical I/O size of backing device, and the logical block
+- * size of loop is bigger than the backing device's.
+- *
+- * TODO: the above condition may be loosed in the future, and
+- * direct I/O may be switched runtime at that time because most
+- * of requests in sane applications should be PAGE_SIZE aligned
+- */
+- if (dio) {
+- if (queue_logical_block_size(lo->lo_queue) >= sb_bsize &&
+- !(lo->lo_offset & dio_align) &&
+- (file->f_mode & FMODE_CAN_ODIRECT))
+- use_dio = true;
+- else
+- use_dio = false;
+- } else {
+- use_dio = false;
+- }
++ use_dio = dio && (file->f_mode & FMODE_CAN_ODIRECT) &&
++ (!backing_bdev || lo_bdev_can_use_dio(lo, backing_bdev));
+
+ if (lo->use_dio == use_dio)
+ return;
+--
+2.43.2
+
+From ff67e3e488090908dc015ba04d7407d8bd467f7e Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sun, 14 Jan 2024 23:53:39 +0100
+Subject: [PATCH 621/641] netfilter: nf_tables: do not allow mismatch field
+ size and set key length
+Status: RO
+Content-Length: 1490
+Lines: 42
+
+[ Upstream commit 3ce67e3793f48c1b9635beb9bb71116ca1e51b58 ]
+
+The set description provides the size of each field in the set whose sum
+should not mismatch the set key length, bail out otherwise.
+
+I did not manage to crash nft_set_pipapo with mismatch fields and set key
+length so far, but this is UB which must be disallowed.
+
+Fixes: f3a2181e16f1 ("netfilter: nf_tables: Support for sets with multiple ranged fields")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 3912a133324c..7775bf5224ac 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4811,8 +4811,8 @@ static int nft_set_desc_concat_parse(const struct nlattr *attr,
+ static int nft_set_desc_concat(struct nft_set_desc *desc,
+ const struct nlattr *nla)
+ {
++ u32 num_regs = 0, key_num_regs = 0;
+ struct nlattr *attr;
+- u32 num_regs = 0;
+ int rem, err, i;
+
+ nla_for_each_nested(attr, nla, rem) {
+@@ -4827,6 +4827,10 @@ static int nft_set_desc_concat(struct nft_set_desc *desc,
+ for (i = 0; i < desc->field_count; i++)
+ num_regs += DIV_ROUND_UP(desc->field_len[i], sizeof(u32));
+
++ key_num_regs = DIV_ROUND_UP(desc->klen, sizeof(u32));
++ if (key_num_regs != num_regs)
++ return -EINVAL;
++
+ if (num_regs > NFT_REG32_COUNT)
+ return -E2BIG;
+
+--
+2.43.2
+
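Review bot: In the act_ct patch carried in this hunk, the new `out_frag` label returns `TC_ACT_CONSUMED` for every non-zero `err`, but `tcf_ct_handle_fragments()` can also leave through `if (err || !frag) return err;`, which sits before `nf_ct_handle_fragments()` and so before anything has queued or freed the skb. If the is-fragment check that sets `err` there (outside the hunk) can fail, that path would presumably report the buffer as consumed while nobody releases it, which is the same kind of leak the patch sets out to fix. Both function bodies continue outside the hunk, so this needs confirming against the full source. If it holds, the early path should release the buffer itself, for example `if (err) { kfree_skb(skb); return err; }` ahead of the `!frag` test. A comment at `out_frag` stating that every non-zero return means the skb is already gone would make the ownership rule checkable.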