--- /dev/null
+From 6468bff3488919b4fb83b73e08ce60456736c295 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Aug 2023 09:47:32 +0200
+Subject: i40e: fix misleading debug logs
+
+From: Andrii Staikov <andrii.staikov@intel.com>
+
+[ Upstream commit 2f2beb8874cb0844e84ad26e990f05f4f13ff63f ]
+
+Change "write" into the actual "read" word.
+Change parameters description.
+
+Fixes: 7073f46e443e ("i40e: Add AQ commands for NVM Update for X722")
+Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Andrii Staikov <andrii.staikov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_nvm.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_nvm.c b/drivers/net/ethernet/intel/i40e/i40e_nvm.c
+index d591b3e6bd7c5..cba97e68be402 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_nvm.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_nvm.c
+@@ -233,11 +233,11 @@ static i40e_status i40e_read_nvm_word_srctl(struct i40e_hw *hw, u16 offset,
+ * @hw: pointer to the HW structure.
+ * @module_pointer: module pointer location in words from the NVM beginning
+ * @offset: offset in words from module start
+- * @words: number of words to write
+- * @data: buffer with words to write to the Shadow RAM
++ * @words: number of words to read
++ * @data: buffer with words to read to the Shadow RAM
+ * @last_command: tells the AdminQ that this is the last command
+ *
+- * Writes a 16 bit words buffer to the Shadow RAM using the admin command.
++ * Reads a 16 bit words buffer to the Shadow RAM using the admin command.
+ **/
+ static i40e_status i40e_read_nvm_aq(struct i40e_hw *hw, u8 module_pointer,
+ u32 offset, u16 words, void *data,
+@@ -256,18 +256,18 @@ static i40e_status i40e_read_nvm_aq(struct i40e_hw *hw, u8 module_pointer,
+ */
+ if ((offset + words) > hw->nvm.sr_size)
+ i40e_debug(hw, I40E_DEBUG_NVM,
+- "NVM write error: offset %d beyond Shadow RAM limit %d\n",
++ "NVM read error: offset %d beyond Shadow RAM limit %d\n",
+ (offset + words), hw->nvm.sr_size);
+ else if (words > I40E_SR_SECTOR_SIZE_IN_WORDS)
+- /* We can write only up to 4KB (one sector), in one AQ write */
++ /* We can read only up to 4KB (one sector), in one AQ write */
+ i40e_debug(hw, I40E_DEBUG_NVM,
+- "NVM write fail error: tried to write %d words, limit is %d.\n",
++ "NVM read fail error: tried to read %d words, limit is %d.\n",
+ words, I40E_SR_SECTOR_SIZE_IN_WORDS);
+ else if (((offset + (words - 1)) / I40E_SR_SECTOR_SIZE_IN_WORDS)
+ != (offset / I40E_SR_SECTOR_SIZE_IN_WORDS))
+- /* A single write cannot spread over two sectors */
++ /* A single read cannot spread over two sectors */
+ i40e_debug(hw, I40E_DEBUG_NVM,
+- "NVM write error: cannot spread over two sectors in a single write offset=%d words=%d\n",
++ "NVM read error: cannot spread over two sectors in a single read offset=%d words=%d\n",
+ offset, words);
+ else
+ ret_code = i40e_aq_read_nvm(hw, module_pointer,
+--
+2.40.1
+
--- /dev/null
+From 5bf0c025c15243d5d8170d4b4997e41a989fe88b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Jul 2023 17:40:52 +0800
+Subject: ip6_vti: fix slab-use-after-free in decode_session6
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 9fd41f1ba638938c9a1195d09bc6fa3be2712f25 ]
+
+When ipv6_vti device is set to the qdisc of the sfb type, the cb field
+of the sent skb may be modified during enqueuing. Then,
+slab-use-after-free may occur when ipv6_vti device sends IPv6 packets.
+
+The stack information is as follows:
+BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890
+Read of size 1 at addr ffff88802e08edc2 by task swapper/0/0
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
+Call Trace:
+<IRQ>
+dump_stack_lvl+0xd9/0x150
+print_address_description.constprop.0+0x2c/0x3c0
+kasan_report+0x11d/0x130
+decode_session6+0x103f/0x1890
+__xfrm_decode_session+0x54/0xb0
+vti6_tnl_xmit+0x3e6/0x1ee0
+dev_hard_start_xmit+0x187/0x700
+sch_direct_xmit+0x1a3/0xc30
+__qdisc_run+0x510/0x17a0
+__dev_queue_xmit+0x2215/0x3b10
+neigh_connected_output+0x3c2/0x550
+ip6_finish_output2+0x55a/0x1550
+ip6_finish_output+0x6b9/0x1270
+ip6_output+0x1f1/0x540
+ndisc_send_skb+0xa63/0x1890
+ndisc_send_rs+0x132/0x6f0
+addrconf_rs_timer+0x3f1/0x870
+call_timer_fn+0x1a0/0x580
+expire_timers+0x29b/0x4b0
+run_timer_softirq+0x326/0x910
+__do_softirq+0x1d4/0x905
+irq_exit_rcu+0xb7/0x120
+sysvec_apic_timer_interrupt+0x97/0xc0
+</IRQ>
+Allocated by task 9176:
+kasan_save_stack+0x22/0x40
+kasan_set_track+0x25/0x30
+__kasan_slab_alloc+0x7f/0x90
+kmem_cache_alloc_node+0x1cd/0x410
+kmalloc_reserve+0x165/0x270
+__alloc_skb+0x129/0x330
+netlink_sendmsg+0x9b1/0xe30
+sock_sendmsg+0xde/0x190
+____sys_sendmsg+0x739/0x920
+___sys_sendmsg+0x110/0x1b0
+__sys_sendmsg+0xf7/0x1c0
+do_syscall_64+0x39/0xb0
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+Freed by task 9176:
+kasan_save_stack+0x22/0x40
+kasan_set_track+0x25/0x30
+kasan_save_free_info+0x2b/0x40
+____kasan_slab_free+0x160/0x1c0
+slab_free_freelist_hook+0x11b/0x220
+kmem_cache_free+0xf0/0x490
+skb_free_head+0x17f/0x1b0
+skb_release_data+0x59c/0x850
+consume_skb+0xd2/0x170
+netlink_unicast+0x54f/0x7f0
+netlink_sendmsg+0x926/0xe30
+sock_sendmsg+0xde/0x190
+____sys_sendmsg+0x739/0x920
+___sys_sendmsg+0x110/0x1b0
+__sys_sendmsg+0xf7/0x1c0
+do_syscall_64+0x39/0xb0
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+The buggy address belongs to the object at ffff88802e08ed00
+which belongs to the cache skbuff_small_head of size 640
+The buggy address is located 194 bytes inside of
+freed 640-byte region [ffff88802e08ed00, ffff88802e08ef80)
+
+As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
+_decode_session6.") showed, xfrm_decode_session was originally intended
+only for the receive path. IP6CB(skb)->nhoff is not set during
+transmission. Therefore, set the cb field in the skb to 0 before
+sending packets.
+
+Fixes: f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_vti.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
+index a4ba470186482..976199055e85b 100644
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -570,12 +570,12 @@ vti6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
+ vti6_addr_conflict(t, ipv6h))
+ goto tx_err;
+
+- xfrm_decode_session(skb, &fl, AF_INET6);
+ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
++ xfrm_decode_session(skb, &fl, AF_INET6);
+ break;
+ case htons(ETH_P_IP):
+- xfrm_decode_session(skb, &fl, AF_INET);
+ memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
++ xfrm_decode_session(skb, &fl, AF_INET);
+ break;
+ default:
+ goto tx_err;
+--
+2.40.1
+
--- /dev/null
+From 12d0b0044075d40f4a16925c4a30f3b84a112634 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Jul 2023 17:40:53 +0800
+Subject: ip_vti: fix potential slab-use-after-free in decode_session6
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit 6018a266279b1a75143c7c0804dd08a5fc4c3e0b ]
+
+When ip_vti device is set to the qdisc of the sfb type, the cb field
+of the sent skb may be modified during enqueuing. Then,
+slab-use-after-free may occur when ip_vti device sends IPv6 packets.
+As commit f855691975bb ("xfrm6: Fix the nexthdr offset in
+_decode_session6.") showed, xfrm_decode_session was originally intended
+only for the receive path. IP6CB(skb)->nhoff is not set during
+transmission. Therefore, set the cb field in the skb to 0 before
+sending packets.
+
+Fixes: f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_vti.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
+index 33a85269a9f26..d43180dd543e3 100644
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -325,12 +325,12 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ switch (skb->protocol) {
+ case htons(ETH_P_IP):
+- xfrm_decode_session(skb, &fl, AF_INET);
+ memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
++ xfrm_decode_session(skb, &fl, AF_INET);
+ break;
+ case htons(ETH_P_IPV6):
+- xfrm_decode_session(skb, &fl, AF_INET6);
+ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
++ xfrm_decode_session(skb, &fl, AF_INET6);
+ break;
+ default:
+ dev->stats.tx_errors++;
+--
+2.40.1
+
--- /dev/null
+From d1f936e5d05658cc33a4200d8ea7258068f9e24f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jun 2023 11:39:54 +0800
+Subject: net: af_key: fix sadb_x_filter validation
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit 75065a8929069bc93181848818e23f147a73f83a ]
+
+When running xfrm_state_walk_init(), the xfrm_address_filter being used
+is okay to have a splen/dplen that equals to sizeof(xfrm_address_t)<<3.
+This commit replaces >= to > to make sure the boundary checking is
+correct.
+
+Fixes: 37bd22420f85 ("af_key: pfkey_dump needs parameter validation")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/key/af_key.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index 49813e6d05ed7..197990b9b97df 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -1858,9 +1858,9 @@ static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_ms
+ if (ext_hdrs[SADB_X_EXT_FILTER - 1]) {
+ struct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1];
+
+- if ((xfilter->sadb_x_filter_splen >=
++ if ((xfilter->sadb_x_filter_splen >
+ (sizeof(xfrm_address_t) << 3)) ||
+- (xfilter->sadb_x_filter_dplen >=
++ (xfilter->sadb_x_filter_dplen >
+ (sizeof(xfrm_address_t) << 3))) {
+ mutex_unlock(&pfk->dump_lock);
+ return -EINVAL;
+--
+2.40.1
+
--- /dev/null
+From 8e43c9618769dc6d2ef3736e1b97ba037044493f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Aug 2023 14:21:58 +0000
+Subject: net: do not allow gso_size to be set to GSO_BY_FRAGS
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b616be6b97688f2f2bd7c4a47ab32f27f94fb2a9 ]
+
+One missing check in virtio_net_hdr_to_skb() allowed
+syzbot to crash kernels again [1]
+
+Do not allow gso_size to be set to GSO_BY_FRAGS (0xffff),
+because this magic value is used by the kernel.
+
+[1]
+general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
+CPU: 0 PID: 5039 Comm: syz-executor401 Not tainted 6.5.0-rc5-next-20230809-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
+RIP: 0010:skb_segment+0x1a52/0x3ef0 net/core/skbuff.c:4500
+Code: 00 00 00 e9 ab eb ff ff e8 6b 96 5d f9 48 8b 84 24 00 01 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e ea 21 00 00 48 8b 84 24 00 01
+RSP: 0018:ffffc90003d3f1c8 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: 000000000001fffe RCX: 0000000000000000
+RDX: 000000000000000e RSI: ffffffff882a3115 RDI: 0000000000000070
+RBP: ffffc90003d3f378 R08: 0000000000000005 R09: 000000000000ffff
+R10: 000000000000ffff R11: 5ee4a93e456187d6 R12: 000000000001ffc6
+R13: dffffc0000000000 R14: 0000000000000008 R15: 000000000000ffff
+FS: 00005555563f2380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020020000 CR3: 000000001626d000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<TASK>
+udp6_ufo_fragment+0x9d2/0xd50 net/ipv6/udp_offload.c:109
+ipv6_gso_segment+0x5c4/0x17b0 net/ipv6/ip6_offload.c:120
+skb_mac_gso_segment+0x292/0x610 net/core/gso.c:53
+__skb_gso_segment+0x339/0x710 net/core/gso.c:124
+skb_gso_segment include/net/gso.h:83 [inline]
+validate_xmit_skb+0x3a5/0xf10 net/core/dev.c:3625
+__dev_queue_xmit+0x8f0/0x3d60 net/core/dev.c:4329
+dev_queue_xmit include/linux/netdevice.h:3082 [inline]
+packet_xmit+0x257/0x380 net/packet/af_packet.c:276
+packet_snd net/packet/af_packet.c:3087 [inline]
+packet_sendmsg+0x24c7/0x5570 net/packet/af_packet.c:3119
+sock_sendmsg_nosec net/socket.c:727 [inline]
+sock_sendmsg+0xd9/0x180 net/socket.c:750
+____sys_sendmsg+0x6ac/0x940 net/socket.c:2496
+___sys_sendmsg+0x135/0x1d0 net/socket.c:2550
+__sys_sendmsg+0x117/0x1e0 net/socket.c:2579
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7ff27cdb34d9
+
+Fixes: 3953c46c3ac7 ("sk_buff: allow segmenting based on frag sizes")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Xin Long <lucien.xin@gmail.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230816142158.1779798-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/virtio_net.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
+index db8ab0fac81a2..7517dd15f87b4 100644
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -146,6 +146,10 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
+ if (gso_type & SKB_GSO_UDP)
+ nh_off -= thlen;
+
++ /* Kernel has a special handling for GSO_BY_FRAGS. */
++ if (gso_size == GSO_BY_FRAGS)
++ return -EINVAL;
++
+ /* Too small packets are not really GSO ones. */
+ if (skb->len - nh_off > gso_size) {
+ shinfo->gso_size = gso_size;
+--
+2.40.1
+
--- /dev/null
+From 534b6d1b4b67ef527e33d9c65e1ea4dc325de928 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Jun 2023 11:31:38 +0800
+Subject: net: xfrm: Fix xfrm_address_filter OOB read
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit dfa73c17d55b921e1d4e154976de35317e43a93a ]
+
+We found below OOB crash:
+
+[ 44.211730] ==================================================================
+[ 44.212045] BUG: KASAN: slab-out-of-bounds in memcmp+0x8b/0xb0
+[ 44.212045] Read of size 8 at addr ffff88800870f320 by task poc.xfrm/97
+[ 44.212045]
+[ 44.212045] CPU: 0 PID: 97 Comm: poc.xfrm Not tainted 6.4.0-rc7-00072-gdad9774deaf1-dirty #4
+[ 44.212045] Call Trace:
+[ 44.212045] <TASK>
+[ 44.212045] dump_stack_lvl+0x37/0x50
+[ 44.212045] print_report+0xcc/0x620
+[ 44.212045] ? __virt_addr_valid+0xf3/0x170
+[ 44.212045] ? memcmp+0x8b/0xb0
+[ 44.212045] kasan_report+0xb2/0xe0
+[ 44.212045] ? memcmp+0x8b/0xb0
+[ 44.212045] kasan_check_range+0x39/0x1c0
+[ 44.212045] memcmp+0x8b/0xb0
+[ 44.212045] xfrm_state_walk+0x21c/0x420
+[ 44.212045] ? __pfx_dump_one_state+0x10/0x10
+[ 44.212045] xfrm_dump_sa+0x1e2/0x290
+[ 44.212045] ? __pfx_xfrm_dump_sa+0x10/0x10
+[ 44.212045] ? __kernel_text_address+0xd/0x40
+[ 44.212045] ? kasan_unpoison+0x27/0x60
+[ 44.212045] ? mutex_lock+0x60/0xe0
+[ 44.212045] ? __pfx_mutex_lock+0x10/0x10
+[ 44.212045] ? kasan_save_stack+0x22/0x50
+[ 44.212045] netlink_dump+0x322/0x6c0
+[ 44.212045] ? __pfx_netlink_dump+0x10/0x10
+[ 44.212045] ? mutex_unlock+0x7f/0xd0
+[ 44.212045] ? __pfx_mutex_unlock+0x10/0x10
+[ 44.212045] __netlink_dump_start+0x353/0x430
+[ 44.212045] xfrm_user_rcv_msg+0x3a4/0x410
+[ 44.212045] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+[ 44.212045] ? __pfx_xfrm_user_rcv_msg+0x10/0x10
+[ 44.212045] ? __pfx_xfrm_dump_sa+0x10/0x10
+[ 44.212045] ? __pfx_xfrm_dump_sa_done+0x10/0x10
+[ 44.212045] ? __stack_depot_save+0x382/0x4e0
+[ 44.212045] ? filter_irq_stacks+0x1c/0x70
+[ 44.212045] ? kasan_save_stack+0x32/0x50
+[ 44.212045] ? kasan_save_stack+0x22/0x50
+[ 44.212045] ? kasan_set_track+0x25/0x30
+[ 44.212045] ? __kasan_slab_alloc+0x59/0x70
+[ 44.212045] ? kmem_cache_alloc_node+0xf7/0x260
+[ 44.212045] ? kmalloc_reserve+0xab/0x120
+[ 44.212045] ? __alloc_skb+0xcf/0x210
+[ 44.212045] ? netlink_sendmsg+0x509/0x700
+[ 44.212045] ? sock_sendmsg+0xde/0xe0
+[ 44.212045] ? __sys_sendto+0x18d/0x230
+[ 44.212045] ? __x64_sys_sendto+0x71/0x90
+[ 44.212045] ? do_syscall_64+0x3f/0x90
+[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[ 44.212045] ? netlink_sendmsg+0x509/0x700
+[ 44.212045] ? sock_sendmsg+0xde/0xe0
+[ 44.212045] ? __sys_sendto+0x18d/0x230
+[ 44.212045] ? __x64_sys_sendto+0x71/0x90
+[ 44.212045] ? do_syscall_64+0x3f/0x90
+[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[ 44.212045] ? kasan_save_stack+0x22/0x50
+[ 44.212045] ? kasan_set_track+0x25/0x30
+[ 44.212045] ? kasan_save_free_info+0x2e/0x50
+[ 44.212045] ? __kasan_slab_free+0x10a/0x190
+[ 44.212045] ? kmem_cache_free+0x9c/0x340
+[ 44.212045] ? netlink_recvmsg+0x23c/0x660
+[ 44.212045] ? sock_recvmsg+0xeb/0xf0
+[ 44.212045] ? __sys_recvfrom+0x13c/0x1f0
+[ 44.212045] ? __x64_sys_recvfrom+0x71/0x90
+[ 44.212045] ? do_syscall_64+0x3f/0x90
+[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[ 44.212045] ? copyout+0x3e/0x50
+[ 44.212045] netlink_rcv_skb+0xd6/0x210
+[ 44.212045] ? __pfx_xfrm_user_rcv_msg+0x10/0x10
+[ 44.212045] ? __pfx_netlink_rcv_skb+0x10/0x10
+[ 44.212045] ? __pfx_sock_has_perm+0x10/0x10
+[ 44.212045] ? mutex_lock+0x8d/0xe0
+[ 44.212045] ? __pfx_mutex_lock+0x10/0x10
+[ 44.212045] xfrm_netlink_rcv+0x44/0x50
+[ 44.212045] netlink_unicast+0x36f/0x4c0
+[ 44.212045] ? __pfx_netlink_unicast+0x10/0x10
+[ 44.212045] ? netlink_recvmsg+0x500/0x660
+[ 44.212045] netlink_sendmsg+0x3b7/0x700
+[ 44.212045] ? __pfx_netlink_sendmsg+0x10/0x10
+[ 44.212045] ? __pfx_netlink_sendmsg+0x10/0x10
+[ 44.212045] sock_sendmsg+0xde/0xe0
+[ 44.212045] __sys_sendto+0x18d/0x230
+[ 44.212045] ? __pfx___sys_sendto+0x10/0x10
+[ 44.212045] ? rcu_core+0x44a/0xe10
+[ 44.212045] ? __rseq_handle_notify_resume+0x45b/0x740
+[ 44.212045] ? _raw_spin_lock_irq+0x81/0xe0
+[ 44.212045] ? __pfx___rseq_handle_notify_resume+0x10/0x10
+[ 44.212045] ? __pfx_restore_fpregs_from_fpstate+0x10/0x10
+[ 44.212045] ? __pfx_blkcg_maybe_throttle_current+0x10/0x10
+[ 44.212045] ? __pfx_task_work_run+0x10/0x10
+[ 44.212045] __x64_sys_sendto+0x71/0x90
+[ 44.212045] do_syscall_64+0x3f/0x90
+[ 44.212045] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[ 44.212045] RIP: 0033:0x44b7da
+[ 44.212045] RSP: 002b:00007ffdc8838548 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+[ 44.212045] RAX: ffffffffffffffda RBX: 00007ffdc8839978 RCX: 000000000044b7da
+[ 44.212045] RDX: 0000000000000038 RSI: 00007ffdc8838770 RDI: 0000000000000003
+[ 44.212045] RBP: 00007ffdc88385b0 R08: 00007ffdc883858c R09: 000000000000000c
+[ 44.212045] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
+[ 44.212045] R13: 00007ffdc8839968 R14: 00000000004c37d0 R15: 0000000000000001
+[ 44.212045] </TASK>
+[ 44.212045]
+[ 44.212045] Allocated by task 97:
+[ 44.212045] kasan_save_stack+0x22/0x50
+[ 44.212045] kasan_set_track+0x25/0x30
+[ 44.212045] __kasan_kmalloc+0x7f/0x90
+[ 44.212045] __kmalloc_node_track_caller+0x5b/0x140
+[ 44.212045] kmemdup+0x21/0x50
+[ 44.212045] xfrm_dump_sa+0x17d/0x290
+[ 44.212045] netlink_dump+0x322/0x6c0
+[ 44.212045] __netlink_dump_start+0x353/0x430
+[ 44.212045] xfrm_user_rcv_msg+0x3a4/0x410
+[ 44.212045] netlink_rcv_skb+0xd6/0x210
+[ 44.212045] xfrm_netlink_rcv+0x44/0x50
+[ 44.212045] netlink_unicast+0x36f/0x4c0
+[ 44.212045] netlink_sendmsg+0x3b7/0x700
+[ 44.212045] sock_sendmsg+0xde/0xe0
+[ 44.212045] __sys_sendto+0x18d/0x230
+[ 44.212045] __x64_sys_sendto+0x71/0x90
+[ 44.212045] do_syscall_64+0x3f/0x90
+[ 44.212045] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[ 44.212045]
+[ 44.212045] The buggy address belongs to the object at ffff88800870f300
+[ 44.212045] which belongs to the cache kmalloc-64 of size 64
+[ 44.212045] The buggy address is located 32 bytes inside of
+[ 44.212045] allocated 36-byte region [ffff88800870f300, ffff88800870f324)
+[ 44.212045]
+[ 44.212045] The buggy address belongs to the physical page:
+[ 44.212045] page:00000000e4de16ee refcount:1 mapcount:0 mapping:000000000 ...
+[ 44.212045] flags: 0x100000000000200(slab|node=0|zone=1)
+[ 44.212045] page_type: 0xffffffff()
+[ 44.212045] raw: 0100000000000200 ffff888004c41640 dead000000000122 0000000000000000
+[ 44.212045] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
+[ 44.212045] page dumped because: kasan: bad access detected
+[ 44.212045]
+[ 44.212045] Memory state around the buggy address:
+[ 44.212045] ffff88800870f200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[ 44.212045] ffff88800870f280: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
+[ 44.212045] >ffff88800870f300: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc
+[ 44.212045] ^
+[ 44.212045] ffff88800870f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 44.212045] ffff88800870f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 44.212045] ==================================================================
+
+By investigating the code, we find the root cause of this OOB is the lack
+of checks in xfrm_dump_sa(). The buggy code allows a malicious user to pass
+arbitrary value of filter->splen/dplen. Hence, with crafted xfrm states,
+the attacker can achieve 8 bytes heap OOB read, which causes info leak.
+
+ if (attrs[XFRMA_ADDRESS_FILTER]) {
+ filter = kmemdup(nla_data(attrs[XFRMA_ADDRESS_FILTER]),
+ sizeof(*filter), GFP_KERNEL);
+ if (filter == NULL)
+ return -ENOMEM;
+ // NO MORE CHECKS HERE !!!
+ }
+
+This patch fixes the OOB by adding necessary boundary checks, just like
+the code in pfkey_dump() function.
+
+Fixes: d3623099d350 ("ipsec: add support of limited SA dump")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index ad30e0d8b28e9..c932ec65cfa09 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1000,6 +1000,15 @@ static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
+ sizeof(*filter), GFP_KERNEL);
+ if (filter == NULL)
+ return -ENOMEM;
++
++ /* see addr_match(), (prefix length >> 5) << 2
++ * will be used to compare xfrm_address_t
++ */
++ if (filter->splen > (sizeof(xfrm_address_t) << 3) ||
++ filter->dplen > (sizeof(xfrm_address_t) << 3)) {
++ kfree(filter);
++ return -EINVAL;
++ }
+ }
+
+ if (attrs[XFRMA_PROTO])
+--
+2.40.1
+
--- /dev/null
+From 41e950d7d36bd1b12361f6d319ee0b0daab9d970 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Aug 2023 15:39:02 +0200
+Subject: netfilter: nft_dynset: disallow object maps
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 23185c6aed1ffb8fc44087880ba2767aba493779 ]
+
+Do not allow to insert elements from datapath to objects maps.
+
+Fixes: 8aeff920dcc9 ("netfilter: nf_tables: add stateful object reference to set elements")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_dynset.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
+index d1dc5c8937a56..461bdecbe7fc2 100644
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -137,6 +137,9 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
+ if (IS_ERR(set))
+ return PTR_ERR(set);
+
++ if (set->flags & NFT_SET_OBJECT)
++ return -EOPNOTSUPP;
++
+ if (set->ops->update == NULL)
+ return -EOPNOTSUPP;
+
+--
+2.40.1
+
drm-amdgpu-fix-potential-fence-use-after-free-v2.patch
fbdev-mmp-fix-value-check-in-mmphw_probe.patch
powerpc-rtas_flash-allow-user-copy-to-flash-block-cache-objects.patch
+net-xfrm-fix-xfrm_address_filter-oob-read.patch
+net-af_key-fix-sadb_x_filter-validation.patch
+ip6_vti-fix-slab-use-after-free-in-decode_session6.patch
+ip_vti-fix-potential-slab-use-after-free-in-decode_s.patch
+xfrm-add-null-check-in-xfrm_update_ae_params.patch
+netfilter-nft_dynset-disallow-object-maps.patch
+team-fix-incorrect-deletion-of-eth_p_8021ad-protocol.patch
+i40e-fix-misleading-debug-logs.patch
+sock-fix-misuse-of-sk_under_memory_pressure.patch
+net-do-not-allow-gso_size-to-be-set-to-gso_by_frags.patch
--- /dev/null
+From 928ac876972bf7d7f8918a44272a3a3ed96ca143 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Aug 2023 17:12:22 +0800
+Subject: sock: Fix misuse of sk_under_memory_pressure()
+
+From: Abel Wu <wuyun.abel@bytedance.com>
+
+[ Upstream commit 2d0c88e84e483982067a82073f6125490ddf3614 ]
+
+The status of global socket memory pressure is updated when:
+
+ a) __sk_mem_raise_allocated():
+
+ enter: sk_memory_allocated(sk) > sysctl_mem[1]
+ leave: sk_memory_allocated(sk) <= sysctl_mem[0]
+
+ b) __sk_mem_reduce_allocated():
+
+ leave: sk_under_memory_pressure(sk) &&
+ sk_memory_allocated(sk) < sysctl_mem[0]
+
+So the conditions of leaving global pressure are inconstant, which
+may lead to the situation that one pressured net-memcg prevents the
+global pressure from being cleared when there is indeed no global
+pressure, thus the global constrains are still in effect unexpectedly
+on the other sockets.
+
+This patch fixes this by ignoring the net-memcg's pressure when
+deciding whether should leave global memory pressure.
+
+Fixes: e1aab161e013 ("socket: initial cgroup code.")
+Signed-off-by: Abel Wu <wuyun.abel@bytedance.com>
+Acked-by: Shakeel Butt <shakeelb@google.com>
+Link: https://lore.kernel.org/r/20230816091226.1542-1-wuyun.abel@bytedance.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 6 ++++++
+ net/core/sock.c | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index def9dc1ddda11..1937deba0849b 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1211,6 +1211,12 @@ static inline bool sk_has_memory_pressure(const struct sock *sk)
+ return sk->sk_prot->memory_pressure != NULL;
+ }
+
++static inline bool sk_under_global_memory_pressure(const struct sock *sk)
++{
++ return sk->sk_prot->memory_pressure &&
++ !!*sk->sk_prot->memory_pressure;
++}
++
+ static inline bool sk_under_memory_pressure(const struct sock *sk)
+ {
+ if (!sk->sk_prot->memory_pressure)
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 0ff80718f194d..a7a0bc9c2a9f0 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2459,7 +2459,7 @@ void __sk_mem_reduce_allocated(struct sock *sk, int amount)
+ if (mem_cgroup_sockets_enabled && sk->sk_memcg)
+ mem_cgroup_uncharge_skmem(sk->sk_memcg, amount);
+
+- if (sk_under_memory_pressure(sk) &&
++ if (sk_under_global_memory_pressure(sk) &&
+ (sk_memory_allocated(sk) < sk_prot_mem_limits(sk, 0)))
+ sk_leave_memory_pressure(sk);
+ }
+--
+2.40.1
+
--- /dev/null
+From 1f5059ce0e54fde1cbe6bb0c5aa872dbe4a50c05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Aug 2023 11:23:01 +0800
+Subject: team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit dafcbce07136d799edc4c67f04f9fd69ff1eac1f ]
+
+Similar to commit 01f4fd270870 ("bonding: Fix incorrect deletion of
+ETH_P_8021AD protocol vid from slaves"), we can trigger BUG_ON(!vlan_info)
+in unregister_vlan_dev() with the following testcase:
+
+ # ip netns add ns1
+ # ip netns exec ns1 ip link add team1 type team
+ # ip netns exec ns1 ip link add team_slave type veth peer veth2
+ # ip netns exec ns1 ip link set team_slave master team1
+ # ip netns exec ns1 ip link add link team_slave name team_slave.10 type vlan id 10 protocol 802.1ad
+ # ip netns exec ns1 ip link add link team1 name team1.10 type vlan id 10 protocol 802.1ad
+ # ip netns exec ns1 ip link set team_slave nomaster
+ # ip netns del ns1
+
+Add S-VLAN tag related features support to team driver. So the team driver
+will always propagate the VLAN info to its slaves.
+
+Fixes: 8ad227ff89a7 ("net: vlan: add 802.1ad support")
+Suggested-by: Ido Schimmel <idosch@idosch.org>
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20230814032301.2804971-1-william.xuanziyang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index b318464a4fcad..7b6cae28f6d3d 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2160,7 +2160,9 @@ static void team_setup(struct net_device *dev)
+
+ dev->hw_features = TEAM_VLAN_FEATURES |
+ NETIF_F_HW_VLAN_CTAG_RX |
+- NETIF_F_HW_VLAN_CTAG_FILTER;
++ NETIF_F_HW_VLAN_CTAG_FILTER |
++ NETIF_F_HW_VLAN_STAG_RX |
++ NETIF_F_HW_VLAN_STAG_FILTER;
+
+ dev->hw_features |= NETIF_F_GSO_ENCAP_ALL;
+ dev->features |= dev->hw_features;
+--
+2.40.1
+
--- /dev/null
+From ee7fd689ec7c2a4f1576b02af038070a3363d0af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jul 2023 22:51:03 +0800
+Subject: xfrm: add NULL check in xfrm_update_ae_params
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit 00374d9b6d9f932802b55181be9831aa948e5b7c ]
+
+Normally, x->replay_esn and x->preplay_esn should be allocated at
+xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the
+xfrm_update_ae_params(...) is okay to update them. However, the current
+implementation of xfrm_new_ae(...) allows a malicious user to directly
+dereference a NULL pointer and crash the kernel like below.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PGD 8253067 P4D 8253067 PUD 8e0e067 PMD 0
+Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
+CPU: 0 PID: 98 Comm: poc.npd Not tainted 6.4.0-rc7-00072-gdad9774deaf1 #8
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.o4
+RIP: 0010:memcpy_orig+0xad/0x140
+Code: e8 4c 89 5f e0 48 8d 7f e0 73 d2 83 c2 20 48 29 d6 48 29 d7 83 fa 10 72 34 4c 8b 06 4c 8b 4e 08 c
+RSP: 0018:ffff888008f57658 EFLAGS: 00000202
+RAX: 0000000000000000 RBX: ffff888008bd0000 RCX: ffffffff8238e571
+RDX: 0000000000000018 RSI: ffff888007f64844 RDI: 0000000000000000
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff888008f57818
+R13: ffff888007f64aa4 R14: 0000000000000000 R15: 0000000000000000
+FS: 00000000014013c0(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000000 CR3: 00000000054d8000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ ? __die+0x1f/0x70
+ ? page_fault_oops+0x1e8/0x500
+ ? __pfx_is_prefetch.constprop.0+0x10/0x10
+ ? __pfx_page_fault_oops+0x10/0x10
+ ? _raw_spin_unlock_irqrestore+0x11/0x40
+ ? fixup_exception+0x36/0x460
+ ? _raw_spin_unlock_irqrestore+0x11/0x40
+ ? exc_page_fault+0x5e/0xc0
+ ? asm_exc_page_fault+0x26/0x30
+ ? xfrm_update_ae_params+0xd1/0x260
+ ? memcpy_orig+0xad/0x140
+ ? __pfx__raw_spin_lock_bh+0x10/0x10
+ xfrm_update_ae_params+0xe7/0x260
+ xfrm_new_ae+0x298/0x4e0
+ ? __pfx_xfrm_new_ae+0x10/0x10
+ ? __pfx_xfrm_new_ae+0x10/0x10
+ xfrm_user_rcv_msg+0x25a/0x410
+ ? __pfx_xfrm_user_rcv_msg+0x10/0x10
+ ? __alloc_skb+0xcf/0x210
+ ? stack_trace_save+0x90/0xd0
+ ? filter_irq_stacks+0x1c/0x70
+ ? __stack_depot_save+0x39/0x4e0
+ ? __kasan_slab_free+0x10a/0x190
+ ? kmem_cache_free+0x9c/0x340
+ ? netlink_recvmsg+0x23c/0x660
+ ? sock_recvmsg+0xeb/0xf0
+ ? __sys_recvfrom+0x13c/0x1f0
+ ? __x64_sys_recvfrom+0x71/0x90
+ ? do_syscall_64+0x3f/0x90
+ ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
+ ? copyout+0x3e/0x50
+ netlink_rcv_skb+0xd6/0x210
+ ? __pfx_xfrm_user_rcv_msg+0x10/0x10
+ ? __pfx_netlink_rcv_skb+0x10/0x10
+ ? __pfx_sock_has_perm+0x10/0x10
+ ? mutex_lock+0x8d/0xe0
+ ? __pfx_mutex_lock+0x10/0x10
+ xfrm_netlink_rcv+0x44/0x50
+ netlink_unicast+0x36f/0x4c0
+ ? __pfx_netlink_unicast+0x10/0x10
+ ? netlink_recvmsg+0x500/0x660
+ netlink_sendmsg+0x3b7/0x700
+
+This Null-ptr-deref bug is assigned CVE-2023-3772. And this commit
+adds additional NULL check in xfrm_update_ae_params to fix the NPD.
+
+Fixes: d8647b79c3b7 ("xfrm: Add user interface for esn and big anti-replay windows")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index c932ec65cfa09..224f627e0f6df 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -521,7 +521,7 @@ static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs,
+ struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
+ struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
+
+- if (re) {
++ if (re && x->replay_esn && x->preplay_esn) {
+ struct xfrm_replay_state_esn *replay_esn;
+ replay_esn = nla_data(re);
+ memcpy(x->replay_esn, replay_esn,
+--
+2.40.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
