--- /dev/null
+From 69cc784e1b113e7d080e6faaf4d7ea0080ec78ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Apr 2024 22:23:45 +0800
+Subject: Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 483bc08181827fc475643272ffb69c533007e546 ]
+
+When the sco connection is established and then, the sco socket
+is releasing, timeout_work will be scheduled to judge whether
+the sco disconnection is timeout. The sock will be deallocated
+later, but it is dereferenced again in sco_sock_timeout. As a
+result, the use-after-free bugs will happen. The root cause is
+shown below:
+
+ Cleanup Thread | Worker Thread
+sco_sock_release |
+ sco_sock_close |
+ __sco_sock_close |
+ sco_sock_set_timer |
+ schedule_delayed_work |
+ sco_sock_kill | (wait a time)
+ sock_put(sk) //FREE | sco_sock_timeout
+ | sock_hold(sk) //USE
+
+The KASAN report triggered by POC is shown below:
+
+[ 95.890016] ==================================================================
+[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0
+[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7
+...
+[ 95.890755] Workqueue: events sco_sock_timeout
+[ 95.890755] Call Trace:
+[ 95.890755] <TASK>
+[ 95.890755] dump_stack_lvl+0x45/0x110
+[ 95.890755] print_address_description+0x78/0x390
+[ 95.890755] print_report+0x11b/0x250
+[ 95.890755] ? __virt_addr_valid+0xbe/0xf0
+[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0
+[ 95.890755] kasan_report+0x139/0x170
+[ 95.890755] ? update_load_avg+0xe5/0x9f0
+[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0
+[ 95.890755] kasan_check_range+0x2c3/0x2e0
+[ 95.890755] sco_sock_timeout+0x5e/0x1c0
+[ 95.890755] process_one_work+0x561/0xc50
+[ 95.890755] worker_thread+0xab2/0x13c0
+[ 95.890755] ? pr_cont_work+0x490/0x490
+[ 95.890755] kthread+0x279/0x300
+[ 95.890755] ? pr_cont_work+0x490/0x490
+[ 95.890755] ? kthread_blkcg+0xa0/0xa0
+[ 95.890755] ret_from_fork+0x34/0x60
+[ 95.890755] ? kthread_blkcg+0xa0/0xa0
+[ 95.890755] ret_from_fork_asm+0x11/0x20
+[ 95.890755] </TASK>
+[ 95.890755]
+[ 95.890755] Allocated by task 506:
+[ 95.890755] kasan_save_track+0x3f/0x70
+[ 95.890755] __kasan_kmalloc+0x86/0x90
+[ 95.890755] __kmalloc+0x17f/0x360
+[ 95.890755] sk_prot_alloc+0xe1/0x1a0
+[ 95.890755] sk_alloc+0x31/0x4e0
+[ 95.890755] bt_sock_alloc+0x2b/0x2a0
+[ 95.890755] sco_sock_create+0xad/0x320
+[ 95.890755] bt_sock_create+0x145/0x320
+[ 95.890755] __sock_create+0x2e1/0x650
+[ 95.890755] __sys_socket+0xd0/0x280
+[ 95.890755] __x64_sys_socket+0x75/0x80
+[ 95.890755] do_syscall_64+0xc4/0x1b0
+[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f
+[ 95.890755]
+[ 95.890755] Freed by task 506:
+[ 95.890755] kasan_save_track+0x3f/0x70
+[ 95.890755] kasan_save_free_info+0x40/0x50
+[ 95.890755] poison_slab_object+0x118/0x180
+[ 95.890755] __kasan_slab_free+0x12/0x30
+[ 95.890755] kfree+0xb2/0x240
+[ 95.890755] __sk_destruct+0x317/0x410
+[ 95.890755] sco_sock_release+0x232/0x280
+[ 95.890755] sock_close+0xb2/0x210
+[ 95.890755] __fput+0x37f/0x770
+[ 95.890755] task_work_run+0x1ae/0x210
+[ 95.890755] get_signal+0xe17/0xf70
+[ 95.890755] arch_do_signal_or_restart+0x3f/0x520
+[ 95.890755] syscall_exit_to_user_mode+0x55/0x120
+[ 95.890755] do_syscall_64+0xd1/0x1b0
+[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f
+[ 95.890755]
+[ 95.890755] The buggy address belongs to the object at ffff88800c388000
+[ 95.890755] which belongs to the cache kmalloc-1k of size 1024
+[ 95.890755] The buggy address is located 128 bytes inside of
+[ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400)
+[ 95.890755]
+[ 95.890755] The buggy address belongs to the physical page:
+[ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388
+[ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+[ 95.890755] anon flags: 0x100000000000840(slab|head|node=0|zone=1)
+[ 95.890755] page_type: 0xffffffff()
+[ 95.890755] raw: 0100000000000840 ffff888006842dc0 0000000000000000 0000000000000001
+[ 95.890755] raw: ffff88800c38a800 000000000010000a 00000001ffffffff 0000000000000000
+[ 95.890755] head: 0100000000000840 ffff888006842dc0 0000000000000000 0000000000000001
+[ 95.890755] head: ffff88800c38a800 000000000010000a 00000001ffffffff 0000000000000000
+[ 95.890755] head: 0100000000000003 ffffea000030e201 ffffea000030e248 00000000ffffffff
+[ 95.890755] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
+[ 95.890755] page dumped because: kasan: bad access detected
+[ 95.890755]
+[ 95.890755] Memory state around the buggy address:
+[ 95.890755] ffff88800c387f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 95.890755] ffff88800c388000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 95.890755] >ffff88800c388080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 95.890755] ^
+[ 95.890755] ffff88800c388100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 95.890755] ffff88800c388180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 95.890755] ==================================================================
+
+Fix this problem by adding a check protected by sco_conn_lock to judget
+whether the conn->hcon is null. Because the conn->hcon will be set to null,
+when the sock is releasing.
+
+Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/sco.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index 2115ca6d7e178..ae788d3e0c53a 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -83,6 +83,10 @@ static void sco_sock_timeout(struct work_struct *work)
+ struct sock *sk;
+
+ sco_conn_lock(conn);
++ if (!conn->hcon) {
++ sco_conn_unlock(conn);
++ return;
++ }
+ sk = conn->sk;
+ if (sk)
+ sock_hold(sk);
+--
+2.43.0
+
--- /dev/null
+From 150a70ba9045eaadc0992736815a95be63f05238 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 May 2024 20:57:36 +0800
+Subject: Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit adf0398cee86643b8eacde95f17d073d022f782c ]
+
+There is a race condition between l2cap_chan_timeout() and
+l2cap_chan_del(). When we use l2cap_chan_del() to delete the
+channel, the chan->conn will be set to null. But the conn could
+be dereferenced again in the mutex_lock() of l2cap_chan_timeout().
+As a result the null pointer dereference bug will happen. The
+KASAN report triggered by POC is shown below:
+
+[ 472.074580] ==================================================================
+[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0
+[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7
+[ 472.075308]
+[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36
+[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
+[ 472.075308] Workqueue: events l2cap_chan_timeout
+[ 472.075308] Call Trace:
+[ 472.075308] <TASK>
+[ 472.075308] dump_stack_lvl+0x137/0x1a0
+[ 472.075308] print_report+0x101/0x250
+[ 472.075308] ? __virt_addr_valid+0x77/0x160
+[ 472.075308] ? mutex_lock+0x68/0xc0
+[ 472.075308] kasan_report+0x139/0x170
+[ 472.075308] ? mutex_lock+0x68/0xc0
+[ 472.075308] kasan_check_range+0x2c3/0x2e0
+[ 472.075308] mutex_lock+0x68/0xc0
+[ 472.075308] l2cap_chan_timeout+0x181/0x300
+[ 472.075308] process_one_work+0x5d2/0xe00
+[ 472.075308] worker_thread+0xe1d/0x1660
+[ 472.075308] ? pr_cont_work+0x5e0/0x5e0
+[ 472.075308] kthread+0x2b7/0x350
+[ 472.075308] ? pr_cont_work+0x5e0/0x5e0
+[ 472.075308] ? kthread_blkcg+0xd0/0xd0
+[ 472.075308] ret_from_fork+0x4d/0x80
+[ 472.075308] ? kthread_blkcg+0xd0/0xd0
+[ 472.075308] ret_from_fork_asm+0x11/0x20
+[ 472.075308] </TASK>
+[ 472.075308] ==================================================================
+[ 472.094860] Disabling lock debugging due to kernel taint
+[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158
+[ 472.096136] #PF: supervisor write access in kernel mode
+[ 472.096136] #PF: error_code(0x0002) - not-present page
+[ 472.096136] PGD 0 P4D 0
+[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
+[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36
+[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4
+[ 472.096136] Workqueue: events l2cap_chan_timeout
+[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0
+[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88
+[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246
+[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865
+[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78
+[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f
+[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000
+[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00
+[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
+[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0
+[ 472.096136] Call Trace:
+[ 472.096136] <TASK>
+[ 472.096136] ? __die_body+0x8d/0xe0
+[ 472.096136] ? page_fault_oops+0x6b8/0x9a0
+[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0
+[ 472.096136] ? do_user_addr_fault+0x1027/0x1340
+[ 472.096136] ? _printk+0x7a/0xa0
+[ 472.096136] ? mutex_lock+0x68/0xc0
+[ 472.096136] ? add_taint+0x42/0xd0
+[ 472.096136] ? exc_page_fault+0x6a/0x1b0
+[ 472.096136] ? asm_exc_page_fault+0x26/0x30
+[ 472.096136] ? mutex_lock+0x75/0xc0
+[ 472.096136] ? mutex_lock+0x88/0xc0
+[ 472.096136] ? mutex_lock+0x75/0xc0
+[ 472.096136] l2cap_chan_timeout+0x181/0x300
+[ 472.096136] process_one_work+0x5d2/0xe00
+[ 472.096136] worker_thread+0xe1d/0x1660
+[ 472.096136] ? pr_cont_work+0x5e0/0x5e0
+[ 472.096136] kthread+0x2b7/0x350
+[ 472.096136] ? pr_cont_work+0x5e0/0x5e0
+[ 472.096136] ? kthread_blkcg+0xd0/0xd0
+[ 472.096136] ret_from_fork+0x4d/0x80
+[ 472.096136] ? kthread_blkcg+0xd0/0xd0
+[ 472.096136] ret_from_fork_asm+0x11/0x20
+[ 472.096136] </TASK>
+[ 472.096136] Modules linked in:
+[ 472.096136] CR2: 0000000000000158
+[ 472.096136] ---[ end trace 0000000000000000 ]---
+[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0
+[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88
+[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246
+[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865
+[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78
+[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f
+[ 472.132932] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000
+[ 472.132932] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00
+[ 472.132932] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
+[ 472.132932] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 472.132932] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0
+[ 472.132932] Kernel panic - not syncing: Fatal exception
+[ 472.132932] Kernel Offset: disabled
+[ 472.132932] ---[ end Kernel panic - not syncing: Fatal exception ]---
+
+Add a check to judge whether the conn is null in l2cap_chan_timeout()
+in order to mitigate the bug.
+
+Fixes: 3df91ea20e74 ("Bluetooth: Revert to mutexes from RCU list")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 580b6d6b970d2..da03ca6dd9221 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -435,6 +435,9 @@ static void l2cap_chan_timeout(struct work_struct *work)
+
+ BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
+
++ if (!conn)
++ return;
++
+ mutex_lock(&conn->chan_lock);
+ /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
+ * this work. No need to call l2cap_chan_hold(chan) here again.
+--
+2.43.0
+
--- /dev/null
+From 92727faf980757563ec5156655e2f8d0eb946849 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 May 2024 11:25:03 +0200
+Subject: hwmon: (corsair-cpro) Protect ccp->wait_input_report with a spinlock
+
+From: Aleksa Savic <savicaleksa83@gmail.com>
+
+[ Upstream commit d02abd57e79469a026213f7f5827a98d909f236a ]
+
+Through hidraw, userspace can cause a status report to be sent
+from the device. The parsing in ccp_raw_event() may happen in
+parallel to a send_usb_cmd() call (which resets the completion
+for tracking the report) if it's running on a different CPU where
+bottom half interrupts are not disabled.
+
+Add a spinlock around the complete_all() in ccp_raw_event() and
+reinit_completion() in send_usb_cmd() to prevent race issues.
+
+Fixes: 40c3a4454225 ("hwmon: add Corsair Commander Pro driver")
+Signed-off-by: Aleksa Savic <savicaleksa83@gmail.com>
+Acked-by: Marius Zachmann <mail@mariuszachmann.de>
+Link: https://lore.kernel.org/r/20240504092504.24158-4-savicaleksa83@gmail.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/corsair-cpro.c | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/hwmon/corsair-cpro.c b/drivers/hwmon/corsair-cpro.c
+index 7000a6af5092d..05df31cab2e52 100644
+--- a/drivers/hwmon/corsair-cpro.c
++++ b/drivers/hwmon/corsair-cpro.c
+@@ -16,6 +16,7 @@
+ #include <linux/module.h>
+ #include <linux/mutex.h>
+ #include <linux/slab.h>
++#include <linux/spinlock.h>
+ #include <linux/types.h>
+
+ #define USB_VENDOR_ID_CORSAIR 0x1b1c
+@@ -77,6 +78,8 @@
+ struct ccp_device {
+ struct hid_device *hdev;
+ struct device *hwmon_dev;
++ /* For reinitializing the completion below */
++ spinlock_t wait_input_report_lock;
+ struct completion wait_input_report;
+ struct mutex mutex; /* whenever buffer is used, lock before send_usb_cmd */
+ u8 *cmd_buffer;
+@@ -118,7 +121,15 @@ static int send_usb_cmd(struct ccp_device *ccp, u8 command, u8 byte1, u8 byte2,
+ ccp->cmd_buffer[2] = byte2;
+ ccp->cmd_buffer[3] = byte3;
+
++ /*
++ * Disable raw event parsing for a moment to safely reinitialize the
++ * completion. Reinit is done because hidraw could have triggered
++ * the raw event parsing and marked the ccp->wait_input_report
++ * completion as done.
++ */
++ spin_lock_bh(&ccp->wait_input_report_lock);
+ reinit_completion(&ccp->wait_input_report);
++ spin_unlock_bh(&ccp->wait_input_report_lock);
+
+ ret = hid_hw_output_report(ccp->hdev, ccp->cmd_buffer, OUT_BUFFER_SIZE);
+ if (ret < 0)
+@@ -136,11 +147,12 @@ static int ccp_raw_event(struct hid_device *hdev, struct hid_report *report, u8
+ struct ccp_device *ccp = hid_get_drvdata(hdev);
+
+ /* only copy buffer when requested */
+- if (completion_done(&ccp->wait_input_report))
+- return 0;
+-
+- memcpy(ccp->buffer, data, min(IN_BUFFER_SIZE, size));
+- complete_all(&ccp->wait_input_report);
++ spin_lock(&ccp->wait_input_report_lock);
++ if (!completion_done(&ccp->wait_input_report)) {
++ memcpy(ccp->buffer, data, min(IN_BUFFER_SIZE, size));
++ complete_all(&ccp->wait_input_report);
++ }
++ spin_unlock(&ccp->wait_input_report_lock);
+
+ return 0;
+ }
+@@ -514,7 +526,9 @@ static int ccp_probe(struct hid_device *hdev, const struct hid_device_id *id)
+
+ ccp->hdev = hdev;
+ hid_set_drvdata(hdev, ccp);
++
+ mutex_init(&ccp->mutex);
++ spin_lock_init(&ccp->wait_input_report_lock);
+ init_completion(&ccp->wait_input_report);
+
+ hid_device_io_start(hdev);
+--
+2.43.0
+
--- /dev/null
+From 201f80d2e215ef99d5ed2f7f3c5bbd730c7ee289 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 May 2024 11:25:01 +0200
+Subject: hwmon: (corsair-cpro) Use a separate buffer for sending commands
+
+From: Aleksa Savic <savicaleksa83@gmail.com>
+
+[ Upstream commit e0cd85dc666cb08e1bd313d560cb4eff4d04219e ]
+
+Introduce cmd_buffer, a separate buffer for storing only
+the command that is sent to the device. Before this separation,
+the existing buffer was shared for both the command and the
+report received in ccp_raw_event(), which was copied into it.
+
+However, because of hidraw, the raw event parsing may be triggered
+in the middle of sending a command, resulting in outputting gibberish
+to the device. Using a separate buffer resolves this.
+
+Fixes: 40c3a4454225 ("hwmon: add Corsair Commander Pro driver")
+Signed-off-by: Aleksa Savic <savicaleksa83@gmail.com>
+Acked-by: Marius Zachmann <mail@mariuszachmann.de>
+Link: https://lore.kernel.org/r/20240504092504.24158-2-savicaleksa83@gmail.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/corsair-cpro.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/hwmon/corsair-cpro.c b/drivers/hwmon/corsair-cpro.c
+index 591929ec217a6..78c93c142fecf 100644
+--- a/drivers/hwmon/corsair-cpro.c
++++ b/drivers/hwmon/corsair-cpro.c
+@@ -79,6 +79,7 @@ struct ccp_device {
+ struct device *hwmon_dev;
+ struct completion wait_input_report;
+ struct mutex mutex; /* whenever buffer is used, lock before send_usb_cmd */
++ u8 *cmd_buffer;
+ u8 *buffer;
+ int target[6];
+ DECLARE_BITMAP(temp_cnct, NUM_TEMP_SENSORS);
+@@ -111,15 +112,15 @@ static int send_usb_cmd(struct ccp_device *ccp, u8 command, u8 byte1, u8 byte2,
+ unsigned long t;
+ int ret;
+
+- memset(ccp->buffer, 0x00, OUT_BUFFER_SIZE);
+- ccp->buffer[0] = command;
+- ccp->buffer[1] = byte1;
+- ccp->buffer[2] = byte2;
+- ccp->buffer[3] = byte3;
++ memset(ccp->cmd_buffer, 0x00, OUT_BUFFER_SIZE);
++ ccp->cmd_buffer[0] = command;
++ ccp->cmd_buffer[1] = byte1;
++ ccp->cmd_buffer[2] = byte2;
++ ccp->cmd_buffer[3] = byte3;
+
+ reinit_completion(&ccp->wait_input_report);
+
+- ret = hid_hw_output_report(ccp->hdev, ccp->buffer, OUT_BUFFER_SIZE);
++ ret = hid_hw_output_report(ccp->hdev, ccp->cmd_buffer, OUT_BUFFER_SIZE);
+ if (ret < 0)
+ return ret;
+
+@@ -491,7 +492,11 @@ static int ccp_probe(struct hid_device *hdev, const struct hid_device_id *id)
+ if (!ccp)
+ return -ENOMEM;
+
+- ccp->buffer = devm_kmalloc(&hdev->dev, OUT_BUFFER_SIZE, GFP_KERNEL);
++ ccp->cmd_buffer = devm_kmalloc(&hdev->dev, OUT_BUFFER_SIZE, GFP_KERNEL);
++ if (!ccp->cmd_buffer)
++ return -ENOMEM;
++
++ ccp->buffer = devm_kmalloc(&hdev->dev, IN_BUFFER_SIZE, GFP_KERNEL);
+ if (!ccp->buffer)
+ return -ENOMEM;
+
+--
+2.43.0
+
--- /dev/null
+From e5e14686366129ab9a202141f7177f5d6816ab96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 May 2024 11:25:02 +0200
+Subject: hwmon: (corsair-cpro) Use complete_all() instead of complete() in
+ ccp_raw_event()
+
+From: Aleksa Savic <savicaleksa83@gmail.com>
+
+[ Upstream commit 3a034a7b0715eb51124a5263890b1ed39978ed3a ]
+
+In ccp_raw_event(), the ccp->wait_input_report completion is
+completed once. Since we're waiting for exactly one report in
+send_usb_cmd(), use complete_all() instead of complete()
+to mark the completion as spent.
+
+Fixes: 40c3a4454225 ("hwmon: add Corsair Commander Pro driver")
+Signed-off-by: Aleksa Savic <savicaleksa83@gmail.com>
+Acked-by: Marius Zachmann <mail@mariuszachmann.de>
+Link: https://lore.kernel.org/r/20240504092504.24158-3-savicaleksa83@gmail.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/corsair-cpro.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/corsair-cpro.c b/drivers/hwmon/corsair-cpro.c
+index 78c93c142fecf..7000a6af5092d 100644
+--- a/drivers/hwmon/corsair-cpro.c
++++ b/drivers/hwmon/corsair-cpro.c
+@@ -140,7 +140,7 @@ static int ccp_raw_event(struct hid_device *hdev, struct hid_report *report, u8
+ return 0;
+
+ memcpy(ccp->buffer, data, min(IN_BUFFER_SIZE, size));
+- complete(&ccp->wait_input_report);
++ complete_all(&ccp->wait_input_report);
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From b7cdf3e9c0f7bb62aec449dc3bd51e4b65d5c547 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 16:31:45 +0000
+Subject: ipv6: fib6_rules: avoid possible NULL dereference in
+ fib6_rule_action()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d101291b2681e5ab938554e3e323f7a7ee33e3aa ]
+
+syzbot is able to trigger the following crash [1],
+caused by unsafe ip6_dst_idev() use.
+
+Indeed ip6_dst_idev() can return NULL, and must always be checked.
+
+[1]
+
+Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 0 PID: 31648 Comm: syz-executor.0 Not tainted 6.9.0-rc4-next-20240417-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
+ RIP: 0010:__fib6_rule_action net/ipv6/fib6_rules.c:237 [inline]
+ RIP: 0010:fib6_rule_action+0x241/0x7b0 net/ipv6/fib6_rules.c:267
+Code: 02 00 00 49 8d 9f d8 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 20 00 74 08 48 89 df e8 f9 32 bf f7 48 8b 1b 48 89 d8 48 c1 e8 03 <42> 80 3c 20 00 74 08 48 89 df e8 e0 32 bf f7 4c 8b 03 48 89 ef 4c
+RSP: 0018:ffffc9000fc1f2f0 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 1a772f98c8186700
+RDX: 0000000000000003 RSI: ffffffff8bcac4e0 RDI: ffffffff8c1f9760
+RBP: ffff8880673fb980 R08: ffffffff8fac15ef R09: 1ffffffff1f582bd
+R10: dffffc0000000000 R11: fffffbfff1f582be R12: dffffc0000000000
+R13: 0000000000000080 R14: ffff888076509000 R15: ffff88807a029a00
+FS: 00007f55e82ca6c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b31d23000 CR3: 0000000022b66000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ fib_rules_lookup+0x62c/0xdb0 net/core/fib_rules.c:317
+ fib6_rule_lookup+0x1fd/0x790 net/ipv6/fib6_rules.c:108
+ ip6_route_output_flags_noref net/ipv6/route.c:2637 [inline]
+ ip6_route_output_flags+0x38e/0x610 net/ipv6/route.c:2649
+ ip6_route_output include/net/ip6_route.h:93 [inline]
+ ip6_dst_lookup_tail+0x189/0x11a0 net/ipv6/ip6_output.c:1120
+ ip6_dst_lookup_flow+0xb9/0x180 net/ipv6/ip6_output.c:1250
+ sctp_v6_get_dst+0x792/0x1e20 net/sctp/ipv6.c:326
+ sctp_transport_route+0x12c/0x2e0 net/sctp/transport.c:455
+ sctp_assoc_add_peer+0x614/0x15c0 net/sctp/associola.c:662
+ sctp_connect_new_asoc+0x31d/0x6c0 net/sctp/socket.c:1099
+ __sctp_connect+0x66d/0xe30 net/sctp/socket.c:1197
+ sctp_connect net/sctp/socket.c:4819 [inline]
+ sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834
+ __sys_connect_file net/socket.c:2048 [inline]
+ __sys_connect+0x2df/0x310 net/socket.c:2065
+ __do_sys_connect net/socket.c:2075 [inline]
+ __se_sys_connect net/socket.c:2072 [inline]
+ __x64_sys_connect+0x7a/0x90 net/socket.c:2072
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 5e5f3f0f8013 ("[IPV6] ADDRCONF: Convert ipv6_get_saddr() to ipv6_dev_get_saddr().")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20240507163145.835254-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/fib6_rules.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
+index 55cd23b7a9357..cf9a44fb8243d 100644
+--- a/net/ipv6/fib6_rules.c
++++ b/net/ipv6/fib6_rules.c
+@@ -232,8 +232,12 @@ static int __fib6_rule_action(struct fib_rule *rule, struct flowi *flp,
+ rt = pol_lookup_func(lookup,
+ net, table, flp6, arg->lookup_data, flags);
+ if (rt != net->ipv6.ip6_null_entry) {
++ struct inet6_dev *idev = ip6_dst_idev(&rt->dst);
++
++ if (!idev)
++ goto again;
+ err = fib6_rule_saddr(net, rule, flags, flp6,
+- ip6_dst_idev(&rt->dst)->dev);
++ idev->dev);
+
+ if (err == -EAGAIN)
+ goto again;
+--
+2.43.0
+
--- /dev/null
+From 57766cf88e5f7852270638050ab572e1292a8f82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Feb 2021 18:31:24 +0100
+Subject: kcov: Remove kcov include from sched.h and move it to its users.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 183f47fcaa54a5ffe671d990186d330ac8c63b10 ]
+
+The recent addition of in_serving_softirq() to kconv.h results in
+compile failure on PREEMPT_RT because it requires
+task_struct::softirq_disable_cnt. This is not available if kconv.h is
+included from sched.h.
+
+It is not needed to include kconv.h from sched.h. All but the net/ user
+already include the kconv header file.
+
+Move the include of the kconv.h header from sched.h it its users.
+Additionally include sched.h from kconv.h to ensure that everything
+task_struct related is available.
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Johannes Berg <johannes@sipsolutions.net>
+Acked-by: Andrey Konovalov <andreyknvl@google.com>
+Link: https://lkml.kernel.org/r/20210218173124.iy5iyqv3a4oia4vv@linutronix.de
+Stable-dep-of: 19e35f24750d ("nfc: nci: Fix kcov check in nci_rx_work()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/usbip/usbip_common.h | 1 +
+ include/linux/kcov.h | 1 +
+ include/linux/sched.h | 1 -
+ net/core/skbuff.c | 1 +
+ net/mac80211/iface.c | 1 +
+ net/mac80211/rx.c | 1 +
+ 6 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h
+index a7e6ce96f62c7..02cd91cb3f831 100644
+--- a/drivers/usb/usbip/usbip_common.h
++++ b/drivers/usb/usbip/usbip_common.h
+@@ -18,6 +18,7 @@
+ #include <linux/usb.h>
+ #include <linux/wait.h>
+ #include <linux/sched/task.h>
++#include <linux/kcov.h>
+ #include <uapi/linux/usbip.h>
+
+ #undef pr_fmt
+diff --git a/include/linux/kcov.h b/include/linux/kcov.h
+index a10e84707d820..b48128b717f1f 100644
+--- a/include/linux/kcov.h
++++ b/include/linux/kcov.h
+@@ -2,6 +2,7 @@
+ #ifndef _LINUX_KCOV_H
+ #define _LINUX_KCOV_H
+
++#include <linux/sched.h>
+ #include <uapi/linux/kcov.h>
+
+ struct task_struct;
+diff --git a/include/linux/sched.h b/include/linux/sched.h
+index aa015416c5693..3613c3f43b83e 100644
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -14,7 +14,6 @@
+ #include <linux/pid.h>
+ #include <linux/sem.h>
+ #include <linux/shm.h>
+-#include <linux/kcov.h>
+ #include <linux/mutex.h>
+ #include <linux/plist.h>
+ #include <linux/hrtimer.h>
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index fd53b66f2ca1d..b0c2d6f018003 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -60,6 +60,7 @@
+ #include <linux/prefetch.h>
+ #include <linux/if_vlan.h>
+ #include <linux/mpls.h>
++#include <linux/kcov.h>
+
+ #include <net/protocol.h>
+ #include <net/dst.h>
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index 3a15ef8dd3228..06ce138eedf1b 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -15,6 +15,7 @@
+ #include <linux/if_arp.h>
+ #include <linux/netdevice.h>
+ #include <linux/rtnetlink.h>
++#include <linux/kcov.h>
+ #include <net/mac80211.h>
+ #include <net/ieee80211_radiotap.h>
+ #include "ieee80211_i.h"
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 97a63b940482d..65fea564c9c00 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -17,6 +17,7 @@
+ #include <linux/etherdevice.h>
+ #include <linux/rcupdate.h>
+ #include <linux/export.h>
++#include <linux/kcov.h>
+ #include <linux/bitops.h>
+ #include <net/mac80211.h>
+ #include <net/ieee80211_radiotap.h>
+--
+2.43.0
+
--- /dev/null
+From 41b5528da82176293450cbcd7828aa73da9634b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 May 2024 20:42:38 +0200
+Subject: net: bridge: fix corrupted ethernet header on multicast-to-unicast
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 86b29d830ad69eecff25b22dc96c14c6573718e6 ]
+
+The change from skb_copy to pskb_copy unfortunately changed the data
+copying to omit the ethernet header, since it was pulled before reaching
+this point. Fix this by calling __skb_push/pull around pskb_copy.
+
+Fixes: 59c878cbcdd8 ("net: bridge: fix multicast-to-unicast with fraglist GSO")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_forward.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
+index 3a70682e63524..ada03d49e7c1a 100644
+--- a/net/bridge/br_forward.c
++++ b/net/bridge/br_forward.c
+@@ -245,6 +245,7 @@ static void maybe_deliver_addr(struct net_bridge_port *p, struct sk_buff *skb,
+ {
+ struct net_device *dev = BR_INPUT_SKB_CB(skb)->brdev;
+ const unsigned char *src = eth_hdr(skb)->h_source;
++ struct sk_buff *nskb;
+
+ if (!should_deliver(p, skb))
+ return;
+@@ -253,12 +254,16 @@ static void maybe_deliver_addr(struct net_bridge_port *p, struct sk_buff *skb,
+ if (skb->dev == p->dev && ether_addr_equal(src, addr))
+ return;
+
+- skb = pskb_copy(skb, GFP_ATOMIC);
+- if (!skb) {
++ __skb_push(skb, ETH_HLEN);
++ nskb = pskb_copy(skb, GFP_ATOMIC);
++ __skb_pull(skb, ETH_HLEN);
++ if (!nskb) {
+ DEV_STATS_INC(dev, tx_dropped);
+ return;
+ }
+
++ skb = nskb;
++ __skb_pull(skb, ETH_HLEN);
+ if (!is_broadcast_ether_addr(addr))
+ memcpy(eth_hdr(skb)->h_dest, addr, ETH_ALEN);
+
+--
+2.43.0
+
--- /dev/null
+From dfcd36f19534b56a7cd37d52636aeb28f18054a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 21:42:22 +0800
+Subject: net: hns3: use appropriate barrier function after setting a bit value
+
+From: Peiyang Wang <wangpeiyang1@huawei.com>
+
+[ Upstream commit 094c281228529d333458208fd02fcac3b139d93b ]
+
+There is a memory barrier in followed case. When set the port down,
+hclgevf_set_timmer will set DOWN in state. Meanwhile, the service task has
+different behaviour based on whether the state is DOWN. Thus, to make sure
+service task see DOWN, use smp_mb__after_atomic after calling set_bit().
+
+ CPU0 CPU1
+========================== ===================================
+hclgevf_set_timer_task() hclgevf_periodic_service_task()
+ set_bit(DOWN,state) test_bit(DOWN,state)
+
+pf also has this issue.
+
+Fixes: ff200099d271 ("net: hns3: remove unnecessary work in hclgevf_main")
+Fixes: 1c6dfe6fc6f7 ("net: hns3: remove mailbox and reset work in hclge_main")
+Signed-off-by: Peiyang Wang <wangpeiyang1@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +--
+ drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 3 +--
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index c14c391a0cec6..5dbee850fef53 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -7005,8 +7005,7 @@ static void hclge_set_timer_task(struct hnae3_handle *handle, bool enable)
+ /* Set the DOWN flag here to disable link updating */
+ set_bit(HCLGE_STATE_DOWN, &hdev->state);
+
+- /* flush memory to make sure DOWN is seen by service task */
+- smp_mb__before_atomic();
++ smp_mb__after_atomic(); /* flush memory to make sure DOWN is seen by service task */
+ hclge_flush_link_update(hdev);
+ }
+ }
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index 2bb0ce1761fb0..be41117ec1465 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -2583,8 +2583,7 @@ static void hclgevf_set_timer_task(struct hnae3_handle *handle, bool enable)
+ } else {
+ set_bit(HCLGEVF_STATE_DOWN, &hdev->state);
+
+- /* flush memory to make sure DOWN is seen by service task */
+- smp_mb__before_atomic();
++ smp_mb__after_atomic(); /* flush memory to make sure DOWN is seen by service task */
+ hclgevf_flush_link_update(hdev);
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From ac5222464465454623afe79cb1926e6f0ce077aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Oct 2022 16:03:37 +0100
+Subject: nfc: Add KCOV annotations
+
+From: Dmitry Vyukov <dvyukov@google.com>
+
+[ Upstream commit 7e8cdc97148c6ba66671e88ad9f7d434f4df3438 ]
+
+Add remote KCOV annotations for NFC processing that is done
+in background threads. This enables efficient coverage-guided
+fuzzing of the NFC subsystem.
+
+The intention is to add annotations to background threads that
+process skb's that were allocated in syscall context
+(thus have a KCOV handle associated with the current fuzz test).
+This includes nci_recv_frame() that is called by the virtual nci
+driver in the syscall context.
+
+Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Bongsu Jeon <bongsu.jeon@samsung.com>
+Cc: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Cc: netdev@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 19e35f24750d ("nfc: nci: Fix kcov check in nci_rx_work()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/core.c | 8 +++++++-
+ net/nfc/nci/hci.c | 4 +++-
+ net/nfc/rawsock.c | 3 +++
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index d8002065baaef..a5dbd0a43a186 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -24,6 +24,7 @@
+ #include <linux/sched.h>
+ #include <linux/bitops.h>
+ #include <linux/skbuff.h>
++#include <linux/kcov.h>
+
+ #include "../nfc.h"
+ #include <net/nfc/nci.h>
+@@ -1471,6 +1472,7 @@ static void nci_tx_work(struct work_struct *work)
+ skb = skb_dequeue(&ndev->tx_q);
+ if (!skb)
+ return;
++ kcov_remote_start_common(skb_get_kcov_handle(skb));
+
+ /* Check if data flow control is used */
+ if (atomic_read(&conn_info->credits_cnt) !=
+@@ -1486,6 +1488,7 @@ static void nci_tx_work(struct work_struct *work)
+
+ mod_timer(&ndev->data_timer,
+ jiffies + msecs_to_jiffies(NCI_DATA_TIMEOUT));
++ kcov_remote_stop();
+ }
+ }
+
+@@ -1496,7 +1499,8 @@ static void nci_rx_work(struct work_struct *work)
+ struct nci_dev *ndev = container_of(work, struct nci_dev, rx_work);
+ struct sk_buff *skb;
+
+- while ((skb = skb_dequeue(&ndev->rx_q))) {
++ for (; (skb = skb_dequeue(&ndev->rx_q)); kcov_remote_stop()) {
++ kcov_remote_start_common(skb_get_kcov_handle(skb));
+
+ /* Send copy to sniffer */
+ nfc_send_to_raw_sock(ndev->nfc_dev, skb,
+@@ -1555,6 +1559,7 @@ static void nci_cmd_work(struct work_struct *work)
+ if (!skb)
+ return;
+
++ kcov_remote_start_common(skb_get_kcov_handle(skb));
+ atomic_dec(&ndev->cmd_cnt);
+
+ pr_debug("NCI TX: MT=cmd, PBF=%d, GID=0x%x, OID=0x%x, plen=%d\n",
+@@ -1567,6 +1572,7 @@ static void nci_cmd_work(struct work_struct *work)
+
+ mod_timer(&ndev->cmd_timer,
+ jiffies + msecs_to_jiffies(NCI_CMD_TIMEOUT));
++ kcov_remote_stop();
+ }
+ }
+
+diff --git a/net/nfc/nci/hci.c b/net/nfc/nci/hci.c
+index 4fe336ff2bfa1..05546c6e035f0 100644
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -14,6 +14,7 @@
+ #include <net/nfc/nci.h>
+ #include <net/nfc/nci_core.h>
+ #include <linux/nfc.h>
++#include <linux/kcov.h>
+
+ struct nci_data {
+ u8 conn_id;
+@@ -414,7 +415,8 @@ static void nci_hci_msg_rx_work(struct work_struct *work)
+ struct nci_hcp_message *message;
+ u8 pipe, type, instruction;
+
+- while ((skb = skb_dequeue(&hdev->msg_rx_queue)) != NULL) {
++ for (; (skb = skb_dequeue(&hdev->msg_rx_queue)); kcov_remote_stop()) {
++ kcov_remote_start_common(skb_get_kcov_handle(skb));
+ pipe = NCI_HCP_MSG_GET_PIPE(skb->data[0]);
+ skb_pull(skb, NCI_HCI_HCP_PACKET_HEADER_LEN);
+ message = (struct nci_hcp_message *)skb->data;
+diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c
+index 5f1d438a0a23f..8cdaebf81f20b 100644
+--- a/net/nfc/rawsock.c
++++ b/net/nfc/rawsock.c
+@@ -12,6 +12,7 @@
+ #include <net/tcp_states.h>
+ #include <linux/nfc.h>
+ #include <linux/export.h>
++#include <linux/kcov.h>
+
+ #include "nfc.h"
+
+@@ -189,6 +190,7 @@ static void rawsock_tx_work(struct work_struct *work)
+ }
+
+ skb = skb_dequeue(&sk->sk_write_queue);
++ kcov_remote_start_common(skb_get_kcov_handle(skb));
+
+ sock_hold(sk);
+ rc = nfc_data_exchange(dev, target_idx, skb,
+@@ -197,6 +199,7 @@ static void rawsock_tx_work(struct work_struct *work)
+ rawsock_report_error(sk, rc);
+ sock_put(sk);
+ }
++ kcov_remote_stop();
+ }
+
+ static int rawsock_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+--
+2.43.0
+
--- /dev/null
+From a2bfe7a7bf93b563e6966f23080d5df6c905649b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 May 2024 19:36:49 +0900
+Subject: nfc: nci: Fix kcov check in nci_rx_work()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 19e35f24750ddf860c51e51c68cf07ea181b4881 ]
+
+Commit 7e8cdc97148c ("nfc: Add KCOV annotations") added
+kcov_remote_start_common()/kcov_remote_stop() pair into nci_rx_work(),
+with an assumption that kcov_remote_stop() is called upon continue of
+the for loop. But commit d24b03535e5e ("nfc: nci: Fix uninit-value in
+nci_dev_up and nci_ntf_packet") forgot to call kcov_remote_stop() before
+break of the for loop.
+
+Reported-by: syzbot <syzbot+0438378d6f157baae1a2@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=0438378d6f157baae1a2
+Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet")
+Suggested-by: Andrey Konovalov <andreyknvl@gmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/6d10f829-5a0c-405a-b39a-d7266f3a1a0b@I-love.SAKURA.ne.jp
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index a5dbd0a43a186..cc40f6ebd96a6 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -1508,6 +1508,7 @@ static void nci_rx_work(struct work_struct *work)
+
+ if (!nci_plen(skb->data)) {
+ kfree_skb(skb);
++ kcov_remote_stop();
+ break;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From c2396ccbb99329d9e20e8f09b75acbf4ffcc0c8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 May 2024 16:17:00 +0000
+Subject: phonet: fix rtm_phonet_notify() skb allocation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d8cac8568618dcb8a51af3db1103e8d4cc4aeea7 ]
+
+fill_route() stores three components in the skb:
+
+- struct rtmsg
+- RTA_DST (u8)
+- RTA_OIF (u32)
+
+Therefore, rtm_phonet_notify() should use
+
+NLMSG_ALIGN(sizeof(struct rtmsg)) +
+nla_total_size(1) +
+nla_total_size(4)
+
+Fixes: f062f41d0657 ("Phonet: routing table Netlink interface")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: RĂ©mi Denis-Courmont <courmisch@gmail.com>
+Link: https://lore.kernel.org/r/20240502161700.1804476-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/phonet/pn_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/phonet/pn_netlink.c b/net/phonet/pn_netlink.c
+index 59aebe2968907..dd4c7e9a634fb 100644
+--- a/net/phonet/pn_netlink.c
++++ b/net/phonet/pn_netlink.c
+@@ -193,7 +193,7 @@ void rtm_phonet_notify(int event, struct net_device *dev, u8 dst)
+ struct sk_buff *skb;
+ int err = -ENOBUFS;
+
+- skb = nlmsg_new(NLMSG_ALIGN(sizeof(struct ifaddrmsg)) +
++ skb = nlmsg_new(NLMSG_ALIGN(sizeof(struct rtmsg)) +
+ nla_total_size(1) + nla_total_size(4), GFP_KERNEL);
+ if (skb == NULL)
+ goto errout;
+--
+2.43.0
+
--- /dev/null
+From 6f66058fdaea6899c3348877ca6e703fb006bd92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 May 2024 18:57:51 +0300
+Subject: rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation
+
+From: Roded Zats <rzats@paloaltonetworks.com>
+
+[ Upstream commit 1aec77b2bb2ed1db0f5efc61c4c1ca3813307489 ]
+
+Each attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a
+struct ifla_vf_vlan_info so the size of such attribute needs to be at least
+of sizeof(struct ifla_vf_vlan_info) which is 14 bytes.
+The current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)
+which is less than sizeof(struct ifla_vf_vlan_info) so this validation
+is not enough and a too small attribute might be cast to a
+struct ifla_vf_vlan_info, this might result in an out of bands
+read access when accessing the saved (casted) entry in ivvl.
+
+Fixes: 79aab093a0b5 ("net: Update API for VF vlan protocol 802.1ad support")
+Signed-off-by: Roded Zats <rzats@paloaltonetworks.com>
+Reviewed-by: Donald Hunter <donald.hunter@gmail.com>
+Link: https://lore.kernel.org/r/20240502155751.75705-1-rzats@paloaltonetworks.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 8938320f7ba3b..2806b9ed63879 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -2379,7 +2379,7 @@ static int do_setvfinfo(struct net_device *dev, struct nlattr **tb)
+
+ nla_for_each_nested(attr, tb[IFLA_VF_VLAN_LIST], rem) {
+ if (nla_type(attr) != IFLA_VF_VLAN_INFO ||
+- nla_len(attr) < NLA_HDRLEN) {
++ nla_len(attr) < sizeof(struct ifla_vf_vlan_info)) {
+ return -EINVAL;
+ }
+ if (len >= MAX_VLAN_LIST_LEN)
+--
+2.43.0
+
net-usb-qmi_wwan-support-rolling-modules.patch
asoc-meson-axg-card-fix-nonatomic-links.patch
asoc-meson-axg-tdm-interface-fix-formatters-in-trigg.patch
+xfrm-preserve-vlan-tags-for-transport-mode-software-.patch
+tcp-defer-shutdown-send_shutdown-for-tcp_syn_recv-so.patch
+tcp-use-refcount_inc_not_zero-in-tcp_twsk_unique.patch
+bluetooth-fix-use-after-free-bugs-caused-by-sco_sock.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_chan_tim.patch
+rtnetlink-correct-nested-ifla_vf_vlan_list-attribute.patch
+hwmon-corsair-cpro-use-a-separate-buffer-for-sending.patch
+hwmon-corsair-cpro-use-complete_all-instead-of-compl.patch
+hwmon-corsair-cpro-protect-ccp-wait_input_report-wit.patch
+phonet-fix-rtm_phonet_notify-skb-allocation.patch
+kcov-remove-kcov-include-from-sched.h-and-move-it-to.patch
+nfc-add-kcov-annotations.patch
+nfc-nci-fix-kcov-check-in-nci_rx_work.patch
+net-bridge-fix-corrupted-ethernet-header-on-multicas.patch
+ipv6-fib6_rules-avoid-possible-null-dereference-in-f.patch
+net-hns3-use-appropriate-barrier-function-after-sett.patch
--- /dev/null
+From 87fcc51aaf344d47c5a41848dee0f749205fe0f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 May 2024 12:54:48 +0000
+Subject: tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 94062790aedb505bdda209b10bea47b294d6394f ]
+
+TCP_SYN_RECV state is really special, it is only used by
+cross-syn connections, mostly used by fuzzers.
+
+In the following crash [1], syzbot managed to trigger a divide
+by zero in tcp_rcv_space_adjust()
+
+A socket makes the following state transitions,
+without ever calling tcp_init_transfer(),
+meaning tcp_init_buffer_space() is also not called.
+
+ TCP_CLOSE
+connect()
+ TCP_SYN_SENT
+ TCP_SYN_RECV
+shutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)
+ TCP_FIN_WAIT1
+
+To fix this issue, change tcp_shutdown() to not
+perform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition,
+which makes no sense anyway.
+
+When tcp_rcv_state_process() later changes socket state
+from TCP_SYN_RECV to TCP_ESTABLISH, then look at
+sk->sk_shutdown to finally enter TCP_FIN_WAIT1 state,
+and send a FIN packet from a sane socket state.
+
+This means tcp_send_fin() can now be called from BH
+context, and must use GFP_ATOMIC allocations.
+
+[1]
+divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI
+CPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
+ RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767
+Code: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48
+RSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246
+RAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7
+R10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30
+R13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da
+FS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0
+Call Trace:
+ <TASK>
+ tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513
+ tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578
+ inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680
+ sock_recvmsg_nosec net/socket.c:1046 [inline]
+ sock_recvmsg+0x109/0x280 net/socket.c:1068
+ ____sys_recvmsg+0x1db/0x470 net/socket.c:2803
+ ___sys_recvmsg net/socket.c:2845 [inline]
+ do_recvmmsg+0x474/0xae0 net/socket.c:2939
+ __sys_recvmmsg net/socket.c:3018 [inline]
+ __do_sys_recvmmsg net/socket.c:3041 [inline]
+ __se_sys_recvmmsg net/socket.c:3034 [inline]
+ __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7faeb6363db9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9
+RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005
+RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c
+R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Link: https://lore.kernel.org/r/20240501125448.896529-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp.c | 4 ++--
+ net/ipv4/tcp_input.c | 2 ++
+ net/ipv4/tcp_output.c | 4 +++-
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index ac6cb2dc60380..4ed0d303791a1 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2493,7 +2493,7 @@ void tcp_shutdown(struct sock *sk, int how)
+ /* If we've already sent a FIN, or it's a closed state, skip this. */
+ if ((1 << sk->sk_state) &
+ (TCPF_ESTABLISHED | TCPF_SYN_SENT |
+- TCPF_SYN_RECV | TCPF_CLOSE_WAIT)) {
++ TCPF_CLOSE_WAIT)) {
+ /* Clear out any half completed packets. FIN if needed. */
+ if (tcp_close_state(sk))
+ tcp_send_fin(sk);
+@@ -2604,7 +2604,7 @@ void __tcp_close(struct sock *sk, long timeout)
+ * machine. State transitions:
+ *
+ * TCP_ESTABLISHED -> TCP_FIN_WAIT1
+- * TCP_SYN_RECV -> TCP_FIN_WAIT1 (forget it, it's impossible)
++ * TCP_SYN_RECV -> TCP_FIN_WAIT1 (it is difficult)
+ * TCP_CLOSE_WAIT -> TCP_LAST_ACK
+ *
+ * are legal only when FIN has been sent (i.e. in window),
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 0f9fe5edad142..512f8dc051c61 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -6516,6 +6516,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)
+
+ tcp_initialize_rcv_mss(sk);
+ tcp_fast_path_on(tp);
++ if (sk->sk_shutdown & SEND_SHUTDOWN)
++ tcp_shutdown(sk, SEND_SHUTDOWN);
+ break;
+
+ case TCP_FIN_WAIT1: {
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index f0df14782ee01..68f1633c477ae 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -3440,7 +3440,9 @@ void tcp_send_fin(struct sock *sk)
+ return;
+ }
+ } else {
+- skb = alloc_skb_fclone(MAX_TCP_HEADER, sk->sk_allocation);
++ skb = alloc_skb_fclone(MAX_TCP_HEADER,
++ sk_gfp_mask(sk, GFP_ATOMIC |
++ __GFP_NOWARN));
+ if (unlikely(!skb))
+ return;
+
+--
+2.43.0
+
--- /dev/null
+From ee594cc304ad4c130d5a902d6581cf9b64aecba2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 May 2024 14:31:45 -0700
+Subject: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit f2db7230f73a80dbb179deab78f88a7947f0ab7e ]
+
+Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique()
+with nice analysis.
+
+Since commit ec94c2696f0b ("tcp/dccp: avoid one atomic operation for
+timewait hashdance"), inet_twsk_hashdance() sets TIME-WAIT socket's
+sk_refcnt after putting it into ehash and releasing the bucket lock.
+
+Thus, there is a small race window where other threads could try to
+reuse the port during connect() and call sock_hold() in tcp_twsk_unique()
+for the TIME-WAIT socket with zero refcnt.
+
+If that happens, the refcnt taken by tcp_twsk_unique() is overwritten
+and sock_put() will cause underflow, triggering a real use-after-free
+somewhere else.
+
+To avoid the use-after-free, we need to use refcount_inc_not_zero() in
+tcp_twsk_unique() and give up on reusing the port if it returns false.
+
+[0]:
+refcount_t: addition on 0; use-after-free.
+WARNING: CPU: 0 PID: 1039313 at lib/refcount.c:25 refcount_warn_saturate+0xe5/0x110
+CPU: 0 PID: 1039313 Comm: trigger Not tainted 6.8.6-200.fc39.x86_64 #1
+Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023
+RIP: 0010:refcount_warn_saturate+0xe5/0x110
+Code: 42 8e ff 0f 0b c3 cc cc cc cc 80 3d aa 13 ea 01 00 0f 85 5e ff ff ff 48 c7 c7 f8 8e b7 82 c6 05 96 13 ea 01 01 e8 7b 42 8e ff <0f> 0b c3 cc cc cc cc 48 c7 c7 50 8f b7 82 c6 05 7a 13 ea 01 01 e8
+RSP: 0018:ffffc90006b43b60 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: ffff888009bb3ef0 RCX: 0000000000000027
+RDX: ffff88807be218c8 RSI: 0000000000000001 RDI: ffff88807be218c0
+RBP: 0000000000069d70 R08: 0000000000000000 R09: ffffc90006b439f0
+R10: ffffc90006b439e8 R11: 0000000000000003 R12: ffff8880029ede84
+R13: 0000000000004e20 R14: ffffffff84356dc0 R15: ffff888009bb3ef0
+FS: 00007f62c10926c0(0000) GS:ffff88807be00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020ccb000 CR3: 000000004628c005 CR4: 0000000000f70ef0
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ ? refcount_warn_saturate+0xe5/0x110
+ ? __warn+0x81/0x130
+ ? refcount_warn_saturate+0xe5/0x110
+ ? report_bug+0x171/0x1a0
+ ? refcount_warn_saturate+0xe5/0x110
+ ? handle_bug+0x3c/0x80
+ ? exc_invalid_op+0x17/0x70
+ ? asm_exc_invalid_op+0x1a/0x20
+ ? refcount_warn_saturate+0xe5/0x110
+ tcp_twsk_unique+0x186/0x190
+ __inet_check_established+0x176/0x2d0
+ __inet_hash_connect+0x74/0x7d0
+ ? __pfx___inet_check_established+0x10/0x10
+ tcp_v4_connect+0x278/0x530
+ __inet_stream_connect+0x10f/0x3d0
+ inet_stream_connect+0x3a/0x60
+ __sys_connect+0xa8/0xd0
+ __x64_sys_connect+0x18/0x20
+ do_syscall_64+0x83/0x170
+ entry_SYSCALL_64_after_hwframe+0x78/0x80
+RIP: 0033:0x7f62c11a885d
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a3 45 0c 00 f7 d8 64 89 01 48
+RSP: 002b:00007f62c1091e58 EFLAGS: 00000296 ORIG_RAX: 000000000000002a
+RAX: ffffffffffffffda RBX: 0000000020ccb004 RCX: 00007f62c11a885d
+RDX: 0000000000000010 RSI: 0000000020ccb000 RDI: 0000000000000003
+RBP: 00007f62c1091e90 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000296 R12: 00007f62c10926c0
+R13: ffffffffffffff88 R14: 0000000000000000 R15: 00007ffe237885b0
+ </TASK>
+
+Fixes: ec94c2696f0b ("tcp/dccp: avoid one atomic operation for timewait hashdance")
+Reported-by: Anderson Nascimento <anderson@allelesecurity.com>
+Closes: https://lore.kernel.org/netdev/37a477a6-d39e-486b-9577-3463f655a6b7@allelesecurity.com/
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20240501213145.62261-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_ipv4.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 7a94acbd9f142..85d8688933f3c 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -153,6 +153,12 @@ int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp)
+ if (tcptw->tw_ts_recent_stamp &&
+ (!twp || (reuse && time_after32(ktime_get_seconds(),
+ tcptw->tw_ts_recent_stamp)))) {
++ /* inet_twsk_hashdance() sets sk_refcnt after putting twsk
++ * and releasing the bucket lock.
++ */
++ if (unlikely(!refcount_inc_not_zero(&sktw->sk_refcnt)))
++ return 0;
++
+ /* In case of repair and re-using TIME-WAIT sockets we still
+ * want to be sure that it is safe as above but honor the
+ * sequence numbers and time stamps set as part of the repair
+@@ -173,7 +179,7 @@ int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp)
+ tp->rx_opt.ts_recent = tcptw->tw_ts_recent;
+ tp->rx_opt.ts_recent_stamp = tcptw->tw_ts_recent_stamp;
+ }
+- sock_hold(sktw);
++
+ return 1;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 10160039cbc12155b2886c8c11458b2cb4497454 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Apr 2024 18:00:24 +1200
+Subject: xfrm: Preserve vlan tags for transport mode software GRO
+
+From: Paul Davey <paul.davey@alliedtelesis.co.nz>
+
+[ Upstream commit 58fbfecab965014b6e3cc956a76b4a96265a1add ]
+
+The software GRO path for esp transport mode uses skb_mac_header_rebuild
+prior to re-injecting the packet via the xfrm_napi_dev. This only
+copies skb->mac_len bytes of header which may not be sufficient if the
+packet contains 802.1Q tags or other VLAN tags. Worse copying only the
+initial header will leave a packet marked as being VLAN tagged but
+without the corresponding tag leading to mangling when it is later
+untagged.
+
+The VLAN tags are important when receiving the decrypted esp transport
+mode packet after GRO processing to ensure it is received on the correct
+interface.
+
+Therefore record the full mac header length in xfrm*_transport_input for
+later use in corresponding xfrm*_transport_finish to copy the entire mac
+header when rebuilding the mac header for GRO. The skb->data pointer is
+left pointing skb->mac_header bytes after the start of the mac header as
+is expected by the network stack and network and transport header
+offsets reset to this location.
+
+Fixes: 7785bba299a8 ("esp: Add a software GRO codepath")
+Signed-off-by: Paul Davey <paul.davey@alliedtelesis.co.nz>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skbuff.h | 15 +++++++++++++++
+ include/net/xfrm.h | 3 +++
+ net/ipv4/xfrm4_input.c | 6 +++++-
+ net/ipv6/xfrm6_input.c | 6 +++++-
+ net/xfrm/xfrm_input.c | 8 ++++++++
+ 5 files changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index a210f19958621..31755d496b01d 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -2607,6 +2607,21 @@ static inline void skb_mac_header_rebuild(struct sk_buff *skb)
+ }
+ }
+
++/* Move the full mac header up to current network_header.
++ * Leaves skb->data pointing at offset skb->mac_len into the mac_header.
++ * Must be provided the complete mac header length.
++ */
++static inline void skb_mac_header_rebuild_full(struct sk_buff *skb, u32 full_mac_len)
++{
++ if (skb_mac_header_was_set(skb)) {
++ const unsigned char *old_mac = skb_mac_header(skb);
++
++ skb_set_mac_header(skb, -full_mac_len);
++ memmove(skb_mac_header(skb), old_mac, full_mac_len);
++ __skb_push(skb, full_mac_len - skb->mac_len);
++ }
++}
++
+ static inline int skb_checksum_start_offset(const struct sk_buff *skb)
+ {
+ return skb->csum_start - skb_headroom(skb);
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 7865db2f827e6..6fbaf304648f6 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -1028,6 +1028,9 @@ struct xfrm_offload {
+ #define CRYPTO_INVALID_PACKET_SYNTAX 64
+ #define CRYPTO_INVALID_PROTOCOL 128
+
++ /* Used to keep whole l2 header for transport mode GRO */
++ __u32 orig_mac_len;
++
+ __u8 proto;
+ };
+
+diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
+index eac206a290d05..1f50517289fd9 100644
+--- a/net/ipv4/xfrm4_input.c
++++ b/net/ipv4/xfrm4_input.c
+@@ -61,7 +61,11 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async)
+ ip_send_check(iph);
+
+ if (xo && (xo->flags & XFRM_GRO)) {
+- skb_mac_header_rebuild(skb);
++ /* The full l2 header needs to be preserved so that re-injecting the packet at l2
++ * works correctly in the presence of vlan tags.
++ */
++ skb_mac_header_rebuild_full(skb, xo->orig_mac_len);
++ skb_reset_network_header(skb);
+ skb_reset_transport_header(skb);
+ return 0;
+ }
+diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
+index 4907ab241d6be..7dbefbb338ca5 100644
+--- a/net/ipv6/xfrm6_input.c
++++ b/net/ipv6/xfrm6_input.c
+@@ -56,7 +56,11 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async)
+ skb_postpush_rcsum(skb, skb_network_header(skb), nhlen);
+
+ if (xo && (xo->flags & XFRM_GRO)) {
+- skb_mac_header_rebuild(skb);
++ /* The full l2 header needs to be preserved so that re-injecting the packet at l2
++ * works correctly in the presence of vlan tags.
++ */
++ skb_mac_header_rebuild_full(skb, xo->orig_mac_len);
++ skb_reset_network_header(skb);
+ skb_reset_transport_header(skb);
+ return 0;
+ }
+diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
+index f3bccab983f05..0c3fa01ec67a7 100644
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -399,11 +399,15 @@ static int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb)
+ */
+ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
++ struct xfrm_offload *xo = xfrm_offload(skb);
+ int ihl = skb->data - skb_transport_header(skb);
+
+ if (skb->transport_header != skb->network_header) {
+ memmove(skb_transport_header(skb),
+ skb_network_header(skb), ihl);
++ if (xo)
++ xo->orig_mac_len =
++ skb_mac_header_was_set(skb) ? skb_mac_header_len(skb) : 0;
+ skb->network_header = skb->transport_header;
+ }
+ ip_hdr(skb)->tot_len = htons(skb->len + ihl);
+@@ -414,11 +418,15 @@ static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
+ {
+ #if IS_ENABLED(CONFIG_IPV6)
++ struct xfrm_offload *xo = xfrm_offload(skb);
+ int ihl = skb->data - skb_transport_header(skb);
+
+ if (skb->transport_header != skb->network_header) {
+ memmove(skb_transport_header(skb),
+ skb_network_header(skb), ihl);
++ if (xo)
++ xo->orig_mac_len =
++ skb_mac_header_was_set(skb) ? skb_mac_header_len(skb) : 0;
+ skb->network_header = skb->transport_header;
+ }
+ ipv6_hdr(skb)->payload_len = htons(skb->len + ihl -
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
