--- /dev/null
+From 1904f848a471f68b12b5a82641909e69bc252d78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 17:27:08 -0700
+Subject: af_unix: Fix data race around sk->sk_err.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit b192812905e4b134f7b7994b079eb647e9d2d37e ]
+
+As with sk->sk_shutdown shown in the previous patch, sk->sk_err can be
+read locklessly by unix_dgram_sendmsg().
+
+Let's use READ_ONCE() for sk_err as well.
+
+Note that the writer side is marked by commit cc04410af7de ("af_unix:
+annotate lockless accesses to sk->sk_err").
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 79d61be285186..9979cd602dfac 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2225,7 +2225,7 @@ static long sock_wait_for_wmem(struct sock *sk, long timeo)
+ break;
+ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN)
+ break;
+- if (sk->sk_err)
++ if (READ_ONCE(sk->sk_err))
+ break;
+ timeo = schedule_timeout(timeo);
+ }
+--
+2.40.1
+
--- /dev/null
+From e55c243e26b2263a11a4b72d0a4e1530a177b173 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 17:27:06 -0700
+Subject: af_unix: Fix data-race around unix_tot_inflight.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit ade32bd8a738d7497ffe9743c46728db26740f78 ]
+
+unix_tot_inflight is changed under spin_lock(unix_gc_lock), but
+unix_release_sock() reads it locklessly.
+
+Let's use READ_ONCE() for unix_tot_inflight.
+
+Note that the writer side was marked by commit 9d6d7f1cb67c ("af_unix:
+annote lockless accesses to unix_tot_inflight & gc_in_progress")
+
+BUG: KCSAN: data-race in unix_inflight / unix_release_sock
+
+write (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1:
+ unix_inflight+0x130/0x180 net/unix/scm.c:64
+ unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123
+ unix_scm_to_skb net/unix/af_unix.c:1832 [inline]
+ unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955
+ sock_sendmsg_nosec net/socket.c:724 [inline]
+ sock_sendmsg+0x148/0x160 net/socket.c:747
+ ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493
+ ___sys_sendmsg+0xc6/0x140 net/socket.c:2547
+ __sys_sendmsg+0x94/0x140 net/socket.c:2576
+ __do_sys_sendmsg net/socket.c:2585 [inline]
+ __se_sys_sendmsg net/socket.c:2583 [inline]
+ __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+read to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0:
+ unix_release_sock+0x608/0x910 net/unix/af_unix.c:671
+ unix_release+0x59/0x80 net/unix/af_unix.c:1058
+ __sock_release+0x7d/0x170 net/socket.c:653
+ sock_close+0x19/0x30 net/socket.c:1385
+ __fput+0x179/0x5e0 fs/file_table.c:321
+ ____fput+0x15/0x20 fs/file_table.c:349
+ task_work_run+0x116/0x1a0 kernel/task_work.c:179
+ resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
+ exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
+ syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297
+ do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+value changed: 0x00000000 -> 0x00000001
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+
+Fixes: 9305cfa4443d ("[AF_UNIX]: Make unix_tot_inflight counter non-atomic")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index baf0af49c5bd4..304eb26b34dca 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -589,7 +589,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
+ * What the above comment does talk about? --ANK(980817)
+ */
+
+- if (unix_tot_inflight)
++ if (READ_ONCE(unix_tot_inflight))
+ unix_gc(); /* Garbage collect fds */
+ }
+
+--
+2.40.1
+
--- /dev/null
+From 8cd54cceef555142c1e70cc257265af7b2c47c92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 17:27:07 -0700
+Subject: af_unix: Fix data-races around sk->sk_shutdown.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit afe8764f76346ba838d4f162883e23d2fcfaa90e ]
+
+sk->sk_shutdown is changed under unix_state_lock(sk), but
+unix_dgram_sendmsg() calls two functions to read sk_shutdown locklessly.
+
+ sock_alloc_send_pskb
+ `- sock_wait_for_wmem
+
+Let's use READ_ONCE() there.
+
+Note that the writer side was marked by commit e1d09c2c2f57 ("af_unix:
+Fix data races around sk->sk_shutdown.").
+
+BUG: KCSAN: data-race in sock_alloc_send_pskb / unix_release_sock
+
+write (marked) to 0xffff8880069af12c of 1 bytes by task 1 on cpu 1:
+ unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631
+ unix_release+0x59/0x80 net/unix/af_unix.c:1053
+ __sock_release+0x7d/0x170 net/socket.c:654
+ sock_close+0x19/0x30 net/socket.c:1386
+ __fput+0x2a3/0x680 fs/file_table.c:384
+ ____fput+0x15/0x20 fs/file_table.c:412
+ task_work_run+0x116/0x1a0 kernel/task_work.c:179
+ resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
+ exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
+ syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297
+ do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+read to 0xffff8880069af12c of 1 bytes by task 28650 on cpu 0:
+ sock_alloc_send_pskb+0xd2/0x620 net/core/sock.c:2767
+ unix_dgram_sendmsg+0x2f8/0x14f0 net/unix/af_unix.c:1944
+ unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
+ unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
+ sock_sendmsg_nosec net/socket.c:725 [inline]
+ sock_sendmsg+0x148/0x160 net/socket.c:748
+ ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
+ ___sys_sendmsg+0xc6/0x140 net/socket.c:2548
+ __sys_sendmsg+0x94/0x140 net/socket.c:2577
+ __do_sys_sendmsg net/socket.c:2586 [inline]
+ __se_sys_sendmsg net/socket.c:2584 [inline]
+ __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+value changed: 0x00 -> 0x03
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 28650 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 1fed45f29e0ec..79d61be285186 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2223,7 +2223,7 @@ static long sock_wait_for_wmem(struct sock *sk, long timeo)
+ prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+ if (refcount_read(&sk->sk_wmem_alloc) < READ_ONCE(sk->sk_sndbuf))
+ break;
+- if (sk->sk_shutdown & SEND_SHUTDOWN)
++ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN)
+ break;
+ if (sk->sk_err)
+ break;
+@@ -2253,7 +2253,7 @@ struct sk_buff *sock_alloc_send_pskb(struct sock *sk, unsigned long header_len,
+ goto failure;
+
+ err = -EPIPE;
+- if (sk->sk_shutdown & SEND_SHUTDOWN)
++ if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN)
+ goto failure;
+
+ if (sk_wmem_alloc_get(sk) < READ_ONCE(sk->sk_sndbuf))
+--
+2.40.1
+
--- /dev/null
+From 25db5c8048418970d07ddf92853ae8e404a0a65c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 17:27:05 -0700
+Subject: af_unix: Fix data-races around user->unix_inflight.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 0bc36c0650b21df36fbec8136add83936eaf0607 ]
+
+user->unix_inflight is changed under spin_lock(unix_gc_lock),
+but too_many_unix_fds() reads it locklessly.
+
+Let's annotate the write/read accesses to user->unix_inflight.
+
+BUG: KCSAN: data-race in unix_attach_fds / unix_inflight
+
+write to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1:
+ unix_inflight+0x157/0x180 net/unix/scm.c:66
+ unix_attach_fds+0x147/0x1e0 net/unix/scm.c:123
+ unix_scm_to_skb net/unix/af_unix.c:1827 [inline]
+ unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950
+ unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
+ unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
+ sock_sendmsg_nosec net/socket.c:725 [inline]
+ sock_sendmsg+0x148/0x160 net/socket.c:748
+ ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
+ ___sys_sendmsg+0xc6/0x140 net/socket.c:2548
+ __sys_sendmsg+0x94/0x140 net/socket.c:2577
+ __do_sys_sendmsg net/socket.c:2586 [inline]
+ __se_sys_sendmsg net/socket.c:2584 [inline]
+ __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+read to 0xffffffff8546f2d0 of 8 bytes by task 44814 on cpu 0:
+ too_many_unix_fds net/unix/scm.c:101 [inline]
+ unix_attach_fds+0x54/0x1e0 net/unix/scm.c:110
+ unix_scm_to_skb net/unix/af_unix.c:1827 [inline]
+ unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1950
+ unix_seqpacket_sendmsg net/unix/af_unix.c:2308 [inline]
+ unix_seqpacket_sendmsg+0xba/0x130 net/unix/af_unix.c:2292
+ sock_sendmsg_nosec net/socket.c:725 [inline]
+ sock_sendmsg+0x148/0x160 net/socket.c:748
+ ____sys_sendmsg+0x4e4/0x610 net/socket.c:2494
+ ___sys_sendmsg+0xc6/0x140 net/socket.c:2548
+ __sys_sendmsg+0x94/0x140 net/socket.c:2577
+ __do_sys_sendmsg net/socket.c:2586 [inline]
+ __se_sys_sendmsg net/socket.c:2584 [inline]
+ __x64_sys_sendmsg+0x45/0x50 net/socket.c:2584
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+value changed: 0x000000000000000c -> 0x000000000000000d
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 44814 Comm: systemd-coredum Not tainted 6.4.0-11989-g6843306689af #6
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+
+Fixes: 712f4aad406b ("unix: properly account for FDs passed over unix sockets")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Acked-by: Willy Tarreau <w@1wt.eu>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/scm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/unix/scm.c b/net/unix/scm.c
+index ce700b22eccee..e881a6e78af53 100644
+--- a/net/unix/scm.c
++++ b/net/unix/scm.c
+@@ -62,7 +62,7 @@ void unix_inflight(struct user_struct *user, struct file *fp)
+ /* Paired with READ_ONCE() in wait_for_unix_gc() */
+ WRITE_ONCE(unix_tot_inflight, unix_tot_inflight + 1);
+ }
+- user->unix_inflight++;
++ WRITE_ONCE(user->unix_inflight, user->unix_inflight + 1);
+ spin_unlock(&unix_gc_lock);
+ }
+
+@@ -83,7 +83,7 @@ void unix_notinflight(struct user_struct *user, struct file *fp)
+ /* Paired with READ_ONCE() in wait_for_unix_gc() */
+ WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - 1);
+ }
+- user->unix_inflight--;
++ WRITE_ONCE(user->unix_inflight, user->unix_inflight - 1);
+ spin_unlock(&unix_gc_lock);
+ }
+
+@@ -97,7 +97,7 @@ static inline bool too_many_unix_fds(struct task_struct *p)
+ {
+ struct user_struct *user = current_user();
+
+- if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
++ if (unlikely(READ_ONCE(user->unix_inflight) > task_rlimit(p, RLIMIT_NOFILE)))
+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
+ return false;
+ }
+--
+2.40.1
+
--- /dev/null
+From 011d1bd7ed567d42834d7387d2a3fda34c3f2692 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Aug 2023 20:33:17 +0300
+Subject: idr: fix param name in idr_alloc_cyclic() doc
+
+From: Ariel Marcovitch <arielmarcovitch@gmail.com>
+
+[ Upstream commit 2a15de80dd0f7e04a823291aa9eb49c5294f56af ]
+
+The relevant parameter is 'start' and not 'nextid'
+
+Fixes: 460488c58ca8 ("idr: Remove idr_alloc_ext")
+Signed-off-by: Ariel Marcovitch <arielmarcovitch@gmail.com>
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/idr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/idr.c b/lib/idr.c
+index b2bc190431ddf..a91ca1dfe1431 100644
+--- a/lib/idr.c
++++ b/lib/idr.c
+@@ -100,7 +100,7 @@ EXPORT_SYMBOL_GPL(idr_alloc);
+ * @end: The maximum ID (exclusive).
+ * @gfp: Memory allocation flags.
+ *
+- * Allocates an unused ID in the range specified by @nextid and @end. If
++ * Allocates an unused ID in the range specified by @start and @end. If
+ * @end is <= 0, it is treated as one larger than %INT_MAX. This allows
+ * callers to use @start + N as @end as long as N is within integer range.
+ * The search for an unused ID will start at the last ID allocated and will
+--
+2.40.1
+
--- /dev/null
+From 979222eedefcbc5ff9983a83e66f0f57f55c48e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 10:10:58 +0200
+Subject: igb: Change IGB_MIN to allow set rx/tx value between 64 and 80
+
+From: Olga Zaborska <olga.zaborska@intel.com>
+
+[ Upstream commit 6319685bdc8ad5310890add907b7c42f89302886 ]
+
+Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx
+value between 64 and 80. All igb devices can use as low as 64 descriptors.
+This change will unify igb with other drivers.
+Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64")
+
+Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver")
+Signed-off-by: Olga Zaborska <olga.zaborska@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb.h b/drivers/net/ethernet/intel/igb/igb.h
+index 33cbe4f70d590..e6d99759d95a1 100644
+--- a/drivers/net/ethernet/intel/igb/igb.h
++++ b/drivers/net/ethernet/intel/igb/igb.h
+@@ -32,11 +32,11 @@ struct igb_adapter;
+ /* TX/RX descriptor defines */
+ #define IGB_DEFAULT_TXD 256
+ #define IGB_DEFAULT_TX_WORK 128
+-#define IGB_MIN_TXD 80
++#define IGB_MIN_TXD 64
+ #define IGB_MAX_TXD 4096
+
+ #define IGB_DEFAULT_RXD 256
+-#define IGB_MIN_RXD 80
++#define IGB_MIN_RXD 64
+ #define IGB_MAX_RXD 4096
+
+ #define IGB_DEFAULT_ITR 3 /* dynamic */
+--
+2.40.1
+
--- /dev/null
+From c7407d6196afd8b29aa8361bfbf9a1c70481faf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 14:19:13 +0200
+Subject: igb: disable virtualization features on 82580
+
+From: Corinna Vinschen <vinschen@redhat.com>
+
+[ Upstream commit fa09bc40b21a33937872c4c4cf0f266ec9fa4869 ]
+
+Disable virtualization features on 82580 just as on i210/i211.
+This avoids that virt functions are acidentally called on 82850.
+
+Fixes: 55cac248caa4 ("igb: Add full support for 82580 devices")
+Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index b8113235f281f..6638d314c811c 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -3710,8 +3710,9 @@ static void igb_probe_vfs(struct igb_adapter *adapter)
+ struct pci_dev *pdev = adapter->pdev;
+ struct e1000_hw *hw = &adapter->hw;
+
+- /* Virtualization features not supported on i210 family. */
+- if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211))
++ /* Virtualization features not supported on i210 and 82580 family. */
++ if ((hw->mac.type == e1000_i210) || (hw->mac.type == e1000_i211) ||
++ (hw->mac.type == e1000_82580))
+ return;
+
+ /* Of the below we really only want the effect of getting
+--
+2.40.1
+
--- /dev/null
+From 849a1b41d97763266fa638080e08d1f65e304fcf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 10:10:57 +0200
+Subject: igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80
+
+From: Olga Zaborska <olga.zaborska@intel.com>
+
+[ Upstream commit 8360717524a24a421c36ef8eb512406dbd42160a ]
+
+Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx
+value between 64 and 80. All igbvf devices can use as low as 64 descriptors.
+This change will unify igbvf with other drivers.
+Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64")
+
+Fixes: d4e0fe01a38a ("igbvf: add new driver to support 82576 virtual functions")
+Signed-off-by: Olga Zaborska <olga.zaborska@intel.com>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igbvf/igbvf.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igbvf/igbvf.h b/drivers/net/ethernet/intel/igbvf/igbvf.h
+index eee26a3be90ba..52545cb25d058 100644
+--- a/drivers/net/ethernet/intel/igbvf/igbvf.h
++++ b/drivers/net/ethernet/intel/igbvf/igbvf.h
+@@ -39,11 +39,11 @@ enum latency_range {
+ /* Tx/Rx descriptor defines */
+ #define IGBVF_DEFAULT_TXD 256
+ #define IGBVF_MAX_TXD 4096
+-#define IGBVF_MIN_TXD 80
++#define IGBVF_MIN_TXD 64
+
+ #define IGBVF_DEFAULT_RXD 256
+ #define IGBVF_MAX_RXD 4096
+-#define IGBVF_MIN_RXD 80
++#define IGBVF_MIN_RXD 64
+
+ #define IGBVF_MIN_ITR_USECS 10 /* 100000 irq/sec */
+ #define IGBVF_MAX_ITR_USECS 10000 /* 100 irq/sec */
+--
+2.40.1
+
--- /dev/null
+From 300fecc3fb55817665b18ffe3270c50712c8f225 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Jul 2023 10:10:56 +0200
+Subject: igc: Change IGC_MIN to allow set rx/tx value between 64 and 80
+
+From: Olga Zaborska <olga.zaborska@intel.com>
+
+[ Upstream commit 5aa48279712e1f134aac908acde4df798955a955 ]
+
+Change the minimum value of RX/TX descriptors to 64 to enable setting the rx/tx
+value between 64 and 80. All igc devices can use as low as 64 descriptors.
+This change will unify igc with other drivers.
+Based on commit 7b1be1987c1e ("e1000e: lower ring minimum size to 64")
+
+Fixes: 0507ef8a0372 ("igc: Add transmit and receive fastpath and interrupt handlers")
+Signed-off-by: Olga Zaborska <olga.zaborska@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h
+index aec998c82b694..a46eca3ffbcc5 100644
+--- a/drivers/net/ethernet/intel/igc/igc.h
++++ b/drivers/net/ethernet/intel/igc/igc.h
+@@ -78,11 +78,11 @@ extern char igc_driver_version[];
+ /* TX/RX descriptor defines */
+ #define IGC_DEFAULT_TXD 256
+ #define IGC_DEFAULT_TX_WORK 128
+-#define IGC_MIN_TXD 80
++#define IGC_MIN_TXD 64
+ #define IGC_MAX_TXD 4096
+
+ #define IGC_DEFAULT_RXD 256
+-#define IGC_MIN_RXD 80
++#define IGC_MIN_RXD 64
+ #define IGC_MAX_RXD 4096
+
+ /* Transmit and receive queues */
+--
+2.40.1
+
--- /dev/null
+From 66208d1f38815591f91443859c2a6563a087e625 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 13:40:46 +0000
+Subject: ip_tunnels: use DEV_STATS_INC()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9b271ebaf9a2c5c566a54bc6cd915962e8241130 ]
+
+syzbot/KCSAN reported data-races in iptunnel_xmit_stats() [1]
+
+This can run from multiple cpus without mutual exclusion.
+
+Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.
+
+[1]
+BUG: KCSAN: data-race in iptunnel_xmit / iptunnel_xmit
+
+read-write to 0xffff8881353df170 of 8 bytes by task 30263 on cpu 1:
+iptunnel_xmit_stats include/net/ip_tunnels.h:493 [inline]
+iptunnel_xmit+0x432/0x4a0 net/ipv4/ip_tunnel_core.c:87
+ip_tunnel_xmit+0x1477/0x1750 net/ipv4/ip_tunnel.c:831
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:662
+__netdev_start_xmit include/linux/netdevice.h:4889 [inline]
+netdev_start_xmit include/linux/netdevice.h:4903 [inline]
+xmit_one net/core/dev.c:3544 [inline]
+dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560
+__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340
+dev_queue_xmit include/linux/netdevice.h:3082 [inline]
+__bpf_tx_skb net/core/filter.c:2129 [inline]
+__bpf_redirect_no_mac net/core/filter.c:2159 [inline]
+__bpf_redirect+0x723/0x9c0 net/core/filter.c:2182
+____bpf_clone_redirect net/core/filter.c:2453 [inline]
+bpf_clone_redirect+0x16c/0x1d0 net/core/filter.c:2425
+___bpf_prog_run+0xd7d/0x41e0 kernel/bpf/core.c:1954
+__bpf_prog_run512+0x74/0xa0 kernel/bpf/core.c:2195
+bpf_dispatcher_nop_func include/linux/bpf.h:1181 [inline]
+__bpf_prog_run include/linux/filter.h:609 [inline]
+bpf_prog_run include/linux/filter.h:616 [inline]
+bpf_test_run+0x15d/0x3d0 net/bpf/test_run.c:423
+bpf_prog_test_run_skb+0x77b/0xa00 net/bpf/test_run.c:1045
+bpf_prog_test_run+0x265/0x3d0 kernel/bpf/syscall.c:3996
+__sys_bpf+0x3af/0x780 kernel/bpf/syscall.c:5353
+__do_sys_bpf kernel/bpf/syscall.c:5439 [inline]
+__se_sys_bpf kernel/bpf/syscall.c:5437 [inline]
+__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5437
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+read-write to 0xffff8881353df170 of 8 bytes by task 30249 on cpu 0:
+iptunnel_xmit_stats include/net/ip_tunnels.h:493 [inline]
+iptunnel_xmit+0x432/0x4a0 net/ipv4/ip_tunnel_core.c:87
+ip_tunnel_xmit+0x1477/0x1750 net/ipv4/ip_tunnel.c:831
+__gre_xmit net/ipv4/ip_gre.c:469 [inline]
+ipgre_xmit+0x516/0x570 net/ipv4/ip_gre.c:662
+__netdev_start_xmit include/linux/netdevice.h:4889 [inline]
+netdev_start_xmit include/linux/netdevice.h:4903 [inline]
+xmit_one net/core/dev.c:3544 [inline]
+dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560
+__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340
+dev_queue_xmit include/linux/netdevice.h:3082 [inline]
+__bpf_tx_skb net/core/filter.c:2129 [inline]
+__bpf_redirect_no_mac net/core/filter.c:2159 [inline]
+__bpf_redirect+0x723/0x9c0 net/core/filter.c:2182
+____bpf_clone_redirect net/core/filter.c:2453 [inline]
+bpf_clone_redirect+0x16c/0x1d0 net/core/filter.c:2425
+___bpf_prog_run+0xd7d/0x41e0 kernel/bpf/core.c:1954
+__bpf_prog_run512+0x74/0xa0 kernel/bpf/core.c:2195
+bpf_dispatcher_nop_func include/linux/bpf.h:1181 [inline]
+__bpf_prog_run include/linux/filter.h:609 [inline]
+bpf_prog_run include/linux/filter.h:616 [inline]
+bpf_test_run+0x15d/0x3d0 net/bpf/test_run.c:423
+bpf_prog_test_run_skb+0x77b/0xa00 net/bpf/test_run.c:1045
+bpf_prog_test_run+0x265/0x3d0 kernel/bpf/syscall.c:3996
+__sys_bpf+0x3af/0x780 kernel/bpf/syscall.c:5353
+__do_sys_bpf kernel/bpf/syscall.c:5439 [inline]
+__se_sys_bpf kernel/bpf/syscall.c:5437 [inline]
+__x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5437
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x0000000000018830 -> 0x0000000000018831
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 30249 Comm: syz-executor.4 Not tainted 6.5.0-syzkaller-11704-g3f86ed6ec0b3 #0
+
+Fixes: 039f50629b7f ("ip_tunnel: Move stats update to iptunnel_xmit()")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/ip_tunnels.h | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
+index 8d063e23aa408..36376f8b84dac 100644
+--- a/include/net/ip_tunnels.h
++++ b/include/net/ip_tunnels.h
+@@ -449,15 +449,14 @@ static inline void iptunnel_xmit_stats(struct net_device *dev, int pkt_len)
+ tstats->tx_packets++;
+ u64_stats_update_end(&tstats->syncp);
+ put_cpu_ptr(tstats);
++ return;
++ }
++
++ if (pkt_len < 0) {
++ DEV_STATS_INC(dev, tx_errors);
++ DEV_STATS_INC(dev, tx_aborted_errors);
+ } else {
+- struct net_device_stats *err_stats = &dev->stats;
+-
+- if (pkt_len < 0) {
+- err_stats->tx_errors++;
+- err_stats->tx_aborted_errors++;
+- } else {
+- err_stats->tx_dropped++;
+- }
++ DEV_STATS_INC(dev, tx_dropped);
+ }
+ }
+
+--
+2.40.1
+
--- /dev/null
+From e3547e0a317b660f8b368aa8f602c426f413fe45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 09:55:20 +0000
+Subject: ipv4: annotate data-races around fi->fib_dead
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit fce92af1c29d90184dfec638b5738831097d66e9 ]
+
+syzbot complained about a data-race in fib_table_lookup() [1]
+
+Add appropriate annotations to document it.
+
+[1]
+BUG: KCSAN: data-race in fib_release_info / fib_table_lookup
+
+write to 0xffff888150f31744 of 1 bytes by task 1189 on cpu 0:
+fib_release_info+0x3a0/0x460 net/ipv4/fib_semantics.c:281
+fib_table_delete+0x8d2/0x900 net/ipv4/fib_trie.c:1777
+fib_magic+0x1c1/0x1f0 net/ipv4/fib_frontend.c:1106
+fib_del_ifaddr+0x8cf/0xa60 net/ipv4/fib_frontend.c:1317
+fib_inetaddr_event+0x77/0x200 net/ipv4/fib_frontend.c:1448
+notifier_call_chain kernel/notifier.c:93 [inline]
+blocking_notifier_call_chain+0x90/0x200 kernel/notifier.c:388
+__inet_del_ifa+0x4df/0x800 net/ipv4/devinet.c:432
+inet_del_ifa net/ipv4/devinet.c:469 [inline]
+inetdev_destroy net/ipv4/devinet.c:322 [inline]
+inetdev_event+0x553/0xaf0 net/ipv4/devinet.c:1606
+notifier_call_chain kernel/notifier.c:93 [inline]
+raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461
+call_netdevice_notifiers_info net/core/dev.c:1962 [inline]
+call_netdevice_notifiers_mtu+0xd2/0x130 net/core/dev.c:2037
+dev_set_mtu_ext+0x30b/0x3e0 net/core/dev.c:8673
+do_setlink+0x5be/0x2430 net/core/rtnetlink.c:2837
+rtnl_setlink+0x255/0x300 net/core/rtnetlink.c:3177
+rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6445
+netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2549
+rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6463
+netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
+netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365
+netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1914
+sock_sendmsg_nosec net/socket.c:725 [inline]
+sock_sendmsg net/socket.c:748 [inline]
+sock_write_iter+0x1aa/0x230 net/socket.c:1129
+do_iter_write+0x4b4/0x7b0 fs/read_write.c:860
+vfs_writev+0x1a8/0x320 fs/read_write.c:933
+do_writev+0xf8/0x220 fs/read_write.c:976
+__do_sys_writev fs/read_write.c:1049 [inline]
+__se_sys_writev fs/read_write.c:1046 [inline]
+__x64_sys_writev+0x45/0x50 fs/read_write.c:1046
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+read to 0xffff888150f31744 of 1 bytes by task 21839 on cpu 1:
+fib_table_lookup+0x2bf/0xd50 net/ipv4/fib_trie.c:1585
+fib_lookup include/net/ip_fib.h:383 [inline]
+ip_route_output_key_hash_rcu+0x38c/0x12c0 net/ipv4/route.c:2751
+ip_route_output_key_hash net/ipv4/route.c:2641 [inline]
+__ip_route_output_key include/net/route.h:134 [inline]
+ip_route_output_flow+0xa6/0x150 net/ipv4/route.c:2869
+send4+0x1e7/0x500 drivers/net/wireguard/socket.c:61
+wg_socket_send_skb_to_peer+0x94/0x130 drivers/net/wireguard/socket.c:175
+wg_socket_send_buffer_to_peer+0xd6/0x100 drivers/net/wireguard/socket.c:200
+wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
+wg_packet_handshake_send_worker+0x10c/0x150 drivers/net/wireguard/send.c:51
+process_one_work+0x434/0x860 kernel/workqueue.c:2600
+worker_thread+0x5f2/0xa10 kernel/workqueue.c:2751
+kthread+0x1d7/0x210 kernel/kthread.c:389
+ret_from_fork+0x2e/0x40 arch/x86/kernel/process.c:145
+ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
+
+value changed: 0x00 -> 0x01
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 21839 Comm: kworker/u4:18 Tainted: G W 6.5.0-syzkaller #0
+
+Fixes: dccd9ecc3744 ("ipv4: Do not use dead fib_info entries.")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20230830095520.1046984-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fib_semantics.c | 5 ++++-
+ net/ipv4/fib_trie.c | 3 ++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
+index 42a4ee192f8dc..51cfb650060ba 100644
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -275,7 +275,8 @@ void fib_release_info(struct fib_info *fi)
+ hlist_del(&nexthop_nh->nh_hash);
+ } endfor_nexthops(fi)
+ }
+- fi->fib_dead = 1;
++ /* Paired with READ_ONCE() from fib_table_lookup() */
++ WRITE_ONCE(fi->fib_dead, 1);
+ fib_info_put(fi);
+ }
+ spin_unlock_bh(&fib_info_lock);
+@@ -1586,6 +1587,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg,
+ link_it:
+ ofi = fib_find_info(fi);
+ if (ofi) {
++ /* fib_table_lookup() should not see @fi yet. */
+ fi->fib_dead = 1;
+ free_fib_info(fi);
+ ofi->fib_treeref++;
+@@ -1623,6 +1625,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg,
+
+ failure:
+ if (fi) {
++ /* fib_table_lookup() should not see @fi yet. */
+ fi->fib_dead = 1;
+ free_fib_info(fi);
+ }
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index a1f830da4ad30..7f933ead3bf4c 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -1448,7 +1448,8 @@ int fib_table_lookup(struct fib_table *tb, const struct flowi4 *flp,
+ }
+ if (fa->fa_tos && fa->fa_tos != flp->flowi4_tos)
+ continue;
+- if (fi->fib_dead)
++ /* Paired with WRITE_ONCE() in fib_release_info() */
++ if (READ_ONCE(fi->fib_dead))
+ continue;
+ if (fa->fa_info->fib_scope < flp->flowi4_scope)
+ continue;
+--
+2.40.1
+
--- /dev/null
+From f6c21a27f36ea9cfb88bc60eff74aeb3ac982f3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Sep 2023 02:07:08 +0900
+Subject: kcm: Destroy mutex in kcm_exit_net()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 6ad40b36cd3b04209e2d6c89d252c873d8082a59 ]
+
+kcm_exit_net() should call mutex_destroy() on knet->mutex. This is especially
+needed if CONFIG_DEBUG_MUTEXES is enabled.
+
+Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Link: https://lore.kernel.org/r/20230902170708.1727999-1-syoshida@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/kcm/kcmsock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
+index 1975403ce8bee..50bcfc71389ab 100644
+--- a/net/kcm/kcmsock.c
++++ b/net/kcm/kcmsock.c
+@@ -1984,6 +1984,8 @@ static __net_exit void kcm_exit_net(struct net *net)
+ * that all multiplexors and psocks have been destroyed.
+ */
+ WARN_ON(!list_empty(&knet->mux_list));
++
++ mutex_destroy(&knet->mutex);
+ }
+
+ static struct pernet_operations kcm_net_ops = {
+--
+2.40.1
+
--- /dev/null
+From 8ef64e4ea07d5ca53e6337b099278b92ac0e57b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 17:59:14 +0800
+Subject: kconfig: fix possible buffer overflow
+
+From: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
+
+[ Upstream commit a3b7039bb2b22fcd2ad20d59c00ed4e606ce3754 ]
+
+Buffer 'new_argv' is accessed without bound check after accessing with
+bound check via 'new_argc' index.
+
+Fixes: e298f3b49def ("kconfig: add built-in function support")
+Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com>
+Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/preprocess.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/preprocess.c b/scripts/kconfig/preprocess.c
+index 748da578b418c..d1f5bcff4b62d 100644
+--- a/scripts/kconfig/preprocess.c
++++ b/scripts/kconfig/preprocess.c
+@@ -396,6 +396,9 @@ static char *eval_clause(const char *str, size_t len, int argc, char *argv[])
+
+ p++;
+ }
++
++ if (new_argc >= FUNCTION_MAX_ARGS)
++ pperror("too many function arguments");
+ new_argv[new_argc++] = prev;
+
+ /*
+--
+2.40.1
+
--- /dev/null
+From 4a6237411af7421f4c7e040fb124cacf28d9ca36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Sep 2023 15:20:17 +0800
+Subject: net: hns3: fix the port information display when sfp is absent
+
+From: Yisen Zhuang <yisen.zhuang@huawei.com>
+
+[ Upstream commit 674d9591a32d01df75d6b5fffed4ef942a294376 ]
+
+When sfp is absent or unidentified, the port type should be
+displayed as PORT_OTHERS, rather than PORT_FIBRE.
+
+Fixes: 88d10bd6f730 ("net: hns3: add support for multiple media type")
+Signed-off-by: Yisen Zhuang <yisen.zhuang@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+index 34e5448d59f6f..4ea19f546df08 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+@@ -676,7 +676,9 @@ static int hns3_get_link_ksettings(struct net_device *netdev,
+ hns3_get_ksettings(h, cmd);
+ break;
+ case HNAE3_MEDIA_TYPE_FIBER:
+- if (module_type == HNAE3_MODULE_TYPE_CR)
++ if (module_type == HNAE3_MODULE_TYPE_UNKNOWN)
++ cmd->base.port = PORT_OTHER;
++ else if (module_type == HNAE3_MODULE_TYPE_CR)
+ cmd->base.port = PORT_DA;
+ else
+ cmd->base.port = PORT_FIBRE;
+--
+2.40.1
+
--- /dev/null
+From 57a7da80df2a092390f7dd1794f4b8896e5e7667 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 22:41:27 -0600
+Subject: net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr
+
+From: Alex Henrie <alexhenrie24@gmail.com>
+
+[ Upstream commit f31867d0d9d82af757c1e0178b659438f4c1ea3c ]
+
+The existing code incorrectly casted a negative value (the result of a
+subtraction) to an unsigned value without checking. For example, if
+/proc/sys/net/ipv6/conf/*/temp_prefered_lft was set to 1, the preferred
+lifetime would jump to 4 billion seconds. On my machine and network the
+shortest lifetime that avoided underflow was 3 seconds.
+
+Fixes: 76506a986dc3 ("IPv6: fix DESYNC_FACTOR")
+Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrconf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index a4c3cb72bdc6a..c523236d934eb 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1367,7 +1367,7 @@ static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp,
+ * idev->desync_factor if it's larger
+ */
+ cnf_temp_preferred_lft = READ_ONCE(idev->cnf.temp_prefered_lft);
+- max_desync_factor = min_t(__u32,
++ max_desync_factor = min_t(long,
+ idev->cnf.max_desync_factor,
+ cnf_temp_preferred_lft - regen_advance);
+
+--
+2.40.1
+
--- /dev/null
+From 411bf23be9b5b5b8ec530c0014648a30a4c29a27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 10:12:44 +0000
+Subject: net: read sk->sk_family once in sk_mc_loop()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a3e0fdf71bbe031de845e8e08ed7fba49f9c702c ]
+
+syzbot is playing with IPV6_ADDRFORM quite a lot these days,
+and managed to hit the WARN_ON_ONCE(1) in sk_mc_loop()
+
+We have many more similar issues to fix.
+
+WARNING: CPU: 1 PID: 1593 at net/core/sock.c:782 sk_mc_loop+0x165/0x260
+Modules linked in:
+CPU: 1 PID: 1593 Comm: kworker/1:3 Not tainted 6.1.40-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
+Workqueue: events_power_efficient gc_worker
+RIP: 0010:sk_mc_loop+0x165/0x260 net/core/sock.c:782
+Code: 34 1b fd 49 81 c7 18 05 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ff e8 25 36 6d fd 4d 8b 37 eb 13 e8 db 33 1b fd <0f> 0b b3 01 eb 34 e8 d0 33 1b fd 45 31 f6 49 83 c6 38 4c 89 f0 48
+RSP: 0018:ffffc90000388530 EFLAGS: 00010246
+RAX: ffffffff846d9b55 RBX: 0000000000000011 RCX: ffff88814f884980
+RDX: 0000000000000102 RSI: ffffffff87ae5160 RDI: 0000000000000011
+RBP: ffffc90000388550 R08: 0000000000000003 R09: ffffffff846d9a65
+R10: 0000000000000002 R11: ffff88814f884980 R12: dffffc0000000000
+R13: ffff88810dbee000 R14: 0000000000000010 R15: ffff888150084000
+FS: 0000000000000000(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020000180 CR3: 000000014ee5b000 CR4: 00000000003506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<IRQ>
+[<ffffffff8507734f>] ip6_finish_output2+0x33f/0x1ae0 net/ipv6/ip6_output.c:83
+[<ffffffff85062766>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
+[<ffffffff85062766>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
+[<ffffffff85061f8c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
+[<ffffffff85061f8c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
+[<ffffffff852071cf>] dst_output include/net/dst.h:444 [inline]
+[<ffffffff852071cf>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
+[<ffffffff83618fb4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
+[<ffffffff83618fb4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
+[<ffffffff83618fb4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+[<ffffffff83618fb4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
+[<ffffffff8361ddd9>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
+[<ffffffff84763fc0>] netdev_start_xmit include/linux/netdevice.h:4925 [inline]
+[<ffffffff84763fc0>] xmit_one net/core/dev.c:3644 [inline]
+[<ffffffff84763fc0>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
+[<ffffffff8494c650>] sch_direct_xmit+0x2a0/0x9c0 net/sched/sch_generic.c:342
+[<ffffffff8494d883>] qdisc_restart net/sched/sch_generic.c:407 [inline]
+[<ffffffff8494d883>] __qdisc_run+0xb13/0x1e70 net/sched/sch_generic.c:415
+[<ffffffff8478c426>] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125
+[<ffffffff84796eac>] net_tx_action+0x7ac/0x940 net/core/dev.c:5247
+[<ffffffff858002bd>] __do_softirq+0x2bd/0x9bd kernel/softirq.c:599
+[<ffffffff814c3fe8>] invoke_softirq kernel/softirq.c:430 [inline]
+[<ffffffff814c3fe8>] __irq_exit_rcu+0xc8/0x170 kernel/softirq.c:683
+[<ffffffff814c3f09>] irq_exit_rcu+0x9/0x20 kernel/softirq.c:695
+
+Fixes: 7ad6848c7e81 ("ip: fix mc_loop checks for tunnels with multicast outer addresses")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://lore.kernel.org/r/20230830101244.1146934-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 69b4158a29f74..1fed45f29e0ec 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -701,7 +701,8 @@ bool sk_mc_loop(struct sock *sk)
+ return false;
+ if (!sk)
+ return true;
+- switch (sk->sk_family) {
++ /* IPV6_ADDRFORM can change sk->sk_family under us. */
++ switch (READ_ONCE(sk->sk_family)) {
+ case AF_INET:
+ return inet_sk(sk)->mc_loop;
+ #if IS_ENABLED(CONFIG_IPV6)
+--
+2.40.1
+
--- /dev/null
+From 02c51dff80c18d2f5fef12430c8db633b8af6751 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 12:22:37 -0400
+Subject: net: sched: sch_qfq: Fix UAF in qfq_dequeue()
+
+From: valis <sec@valis.email>
+
+[ Upstream commit 8fc134fee27f2263988ae38920bc03da416b03d8 ]
+
+When the plug qdisc is used as a class of the qfq qdisc it could trigger a
+UAF. This issue can be reproduced with following commands:
+
+ tc qdisc add dev lo root handle 1: qfq
+ tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512
+ tc qdisc add dev lo parent 1:1 handle 2: plug
+ tc filter add dev lo parent 1: basic classid 1:1
+ ping -c1 127.0.0.1
+
+and boom:
+
+[ 285.353793] BUG: KASAN: slab-use-after-free in qfq_dequeue+0xa7/0x7f0
+[ 285.354910] Read of size 4 at addr ffff8880bad312a8 by task ping/144
+[ 285.355903]
+[ 285.356165] CPU: 1 PID: 144 Comm: ping Not tainted 6.5.0-rc3+ #4
+[ 285.357112] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
+[ 285.358376] Call Trace:
+[ 285.358773] <IRQ>
+[ 285.359109] dump_stack_lvl+0x44/0x60
+[ 285.359708] print_address_description.constprop.0+0x2c/0x3c0
+[ 285.360611] kasan_report+0x10c/0x120
+[ 285.361195] ? qfq_dequeue+0xa7/0x7f0
+[ 285.361780] qfq_dequeue+0xa7/0x7f0
+[ 285.362342] __qdisc_run+0xf1/0x970
+[ 285.362903] net_tx_action+0x28e/0x460
+[ 285.363502] __do_softirq+0x11b/0x3de
+[ 285.364097] do_softirq.part.0+0x72/0x90
+[ 285.364721] </IRQ>
+[ 285.365072] <TASK>
+[ 285.365422] __local_bh_enable_ip+0x77/0x90
+[ 285.366079] __dev_queue_xmit+0x95f/0x1550
+[ 285.366732] ? __pfx_csum_and_copy_from_iter+0x10/0x10
+[ 285.367526] ? __pfx___dev_queue_xmit+0x10/0x10
+[ 285.368259] ? __build_skb_around+0x129/0x190
+[ 285.368960] ? ip_generic_getfrag+0x12c/0x170
+[ 285.369653] ? __pfx_ip_generic_getfrag+0x10/0x10
+[ 285.370390] ? csum_partial+0x8/0x20
+[ 285.370961] ? raw_getfrag+0xe5/0x140
+[ 285.371559] ip_finish_output2+0x539/0xa40
+[ 285.372222] ? __pfx_ip_finish_output2+0x10/0x10
+[ 285.372954] ip_output+0x113/0x1e0
+[ 285.373512] ? __pfx_ip_output+0x10/0x10
+[ 285.374130] ? icmp_out_count+0x49/0x60
+[ 285.374739] ? __pfx_ip_finish_output+0x10/0x10
+[ 285.375457] ip_push_pending_frames+0xf3/0x100
+[ 285.376173] raw_sendmsg+0xef5/0x12d0
+[ 285.376760] ? do_syscall_64+0x40/0x90
+[ 285.377359] ? __static_call_text_end+0x136578/0x136578
+[ 285.378173] ? do_syscall_64+0x40/0x90
+[ 285.378772] ? kasan_enable_current+0x11/0x20
+[ 285.379469] ? __pfx_raw_sendmsg+0x10/0x10
+[ 285.380137] ? __sock_create+0x13e/0x270
+[ 285.380673] ? __sys_socket+0xf3/0x180
+[ 285.381174] ? __x64_sys_socket+0x3d/0x50
+[ 285.381725] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ 285.382425] ? __rcu_read_unlock+0x48/0x70
+[ 285.382975] ? ip4_datagram_release_cb+0xd8/0x380
+[ 285.383608] ? __pfx_ip4_datagram_release_cb+0x10/0x10
+[ 285.384295] ? preempt_count_sub+0x14/0xc0
+[ 285.384844] ? __list_del_entry_valid+0x76/0x140
+[ 285.385467] ? _raw_spin_lock_bh+0x87/0xe0
+[ 285.386014] ? __pfx__raw_spin_lock_bh+0x10/0x10
+[ 285.386645] ? release_sock+0xa0/0xd0
+[ 285.387148] ? preempt_count_sub+0x14/0xc0
+[ 285.387712] ? freeze_secondary_cpus+0x348/0x3c0
+[ 285.388341] ? aa_sk_perm+0x177/0x390
+[ 285.388856] ? __pfx_aa_sk_perm+0x10/0x10
+[ 285.389441] ? check_stack_object+0x22/0x70
+[ 285.390032] ? inet_send_prepare+0x2f/0x120
+[ 285.390603] ? __pfx_inet_sendmsg+0x10/0x10
+[ 285.391172] sock_sendmsg+0xcc/0xe0
+[ 285.391667] __sys_sendto+0x190/0x230
+[ 285.392168] ? __pfx___sys_sendto+0x10/0x10
+[ 285.392727] ? kvm_clock_get_cycles+0x14/0x30
+[ 285.393328] ? set_normalized_timespec64+0x57/0x70
+[ 285.393980] ? _raw_spin_unlock_irq+0x1b/0x40
+[ 285.394578] ? __x64_sys_clock_gettime+0x11c/0x160
+[ 285.395225] ? __pfx___x64_sys_clock_gettime+0x10/0x10
+[ 285.395908] ? _copy_to_user+0x3e/0x60
+[ 285.396432] ? exit_to_user_mode_prepare+0x1a/0x120
+[ 285.397086] ? syscall_exit_to_user_mode+0x22/0x50
+[ 285.397734] ? do_syscall_64+0x71/0x90
+[ 285.398258] __x64_sys_sendto+0x74/0x90
+[ 285.398786] do_syscall_64+0x64/0x90
+[ 285.399273] ? exit_to_user_mode_prepare+0x1a/0x120
+[ 285.399949] ? syscall_exit_to_user_mode+0x22/0x50
+[ 285.400605] ? do_syscall_64+0x71/0x90
+[ 285.401124] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ 285.401807] RIP: 0033:0x495726
+[ 285.402233] Code: ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 09
+[ 285.404683] RSP: 002b:00007ffcc25fb618 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+[ 285.405677] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 0000000000495726
+[ 285.406628] RDX: 0000000000000040 RSI: 0000000002518750 RDI: 0000000000000000
+[ 285.407565] RBP: 00000000005205ef R08: 00000000005f8838 R09: 000000000000001c
+[ 285.408523] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000002517634
+[ 285.409460] R13: 00007ffcc25fb6f0 R14: 0000000000000003 R15: 0000000000000000
+[ 285.410403] </TASK>
+[ 285.410704]
+[ 285.410929] Allocated by task 144:
+[ 285.411402] kasan_save_stack+0x1e/0x40
+[ 285.411926] kasan_set_track+0x21/0x30
+[ 285.412442] __kasan_slab_alloc+0x55/0x70
+[ 285.412973] kmem_cache_alloc_node+0x187/0x3d0
+[ 285.413567] __alloc_skb+0x1b4/0x230
+[ 285.414060] __ip_append_data+0x17f7/0x1b60
+[ 285.414633] ip_append_data+0x97/0xf0
+[ 285.415144] raw_sendmsg+0x5a8/0x12d0
+[ 285.415640] sock_sendmsg+0xcc/0xe0
+[ 285.416117] __sys_sendto+0x190/0x230
+[ 285.416626] __x64_sys_sendto+0x74/0x90
+[ 285.417145] do_syscall_64+0x64/0x90
+[ 285.417624] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ 285.418306]
+[ 285.418531] Freed by task 144:
+[ 285.418960] kasan_save_stack+0x1e/0x40
+[ 285.419469] kasan_set_track+0x21/0x30
+[ 285.419988] kasan_save_free_info+0x27/0x40
+[ 285.420556] ____kasan_slab_free+0x109/0x1a0
+[ 285.421146] kmem_cache_free+0x1c2/0x450
+[ 285.421680] __netif_receive_skb_core+0x2ce/0x1870
+[ 285.422333] __netif_receive_skb_one_core+0x97/0x140
+[ 285.423003] process_backlog+0x100/0x2f0
+[ 285.423537] __napi_poll+0x5c/0x2d0
+[ 285.424023] net_rx_action+0x2be/0x560
+[ 285.424510] __do_softirq+0x11b/0x3de
+[ 285.425034]
+[ 285.425254] The buggy address belongs to the object at ffff8880bad31280
+[ 285.425254] which belongs to the cache skbuff_head_cache of size 224
+[ 285.426993] The buggy address is located 40 bytes inside of
+[ 285.426993] freed 224-byte region [ffff8880bad31280, ffff8880bad31360)
+[ 285.428572]
+[ 285.428798] The buggy address belongs to the physical page:
+[ 285.429540] page:00000000f4b77674 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbad31
+[ 285.430758] flags: 0x100000000000200(slab|node=0|zone=1)
+[ 285.431447] page_type: 0xffffffff()
+[ 285.431934] raw: 0100000000000200 ffff88810094a8c0 dead000000000122 0000000000000000
+[ 285.432757] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
+[ 285.433562] page dumped because: kasan: bad access detected
+[ 285.434144]
+[ 285.434320] Memory state around the buggy address:
+[ 285.434828] ffff8880bad31180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 285.435580] ffff8880bad31200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 285.436264] >ffff8880bad31280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 285.436777] ^
+[ 285.437106] ffff8880bad31300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+[ 285.437616] ffff8880bad31380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 285.438126] ==================================================================
+[ 285.438662] Disabling lock debugging due to kernel taint
+
+Fix this by:
+1. Changing sch_plug's .peek handler to qdisc_peek_dequeued(), a
+function compatible with non-work-conserving qdiscs
+2. Checking the return value of qdisc_dequeue_peeked() in sch_qfq.
+
+Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
+Reported-by: valis <sec@valis.email>
+Signed-off-by: valis <sec@valis.email>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://lore.kernel.org/r/20230901162237.11525-1-jhs@mojatatu.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_plug.c | 2 +-
+ net/sched/sch_qfq.c | 22 +++++++++++++++++-----
+ 2 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/net/sched/sch_plug.c b/net/sched/sch_plug.c
+index cbc2ebca4548c..339990bb59817 100644
+--- a/net/sched/sch_plug.c
++++ b/net/sched/sch_plug.c
+@@ -210,7 +210,7 @@ static struct Qdisc_ops plug_qdisc_ops __read_mostly = {
+ .priv_size = sizeof(struct plug_sched_data),
+ .enqueue = plug_enqueue,
+ .dequeue = plug_dequeue,
+- .peek = qdisc_peek_head,
++ .peek = qdisc_peek_dequeued,
+ .init = plug_init,
+ .change = plug_change,
+ .reset = qdisc_reset_queue,
+diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
+index 34a54dcd95f23..6e9e3405f26b9 100644
+--- a/net/sched/sch_qfq.c
++++ b/net/sched/sch_qfq.c
+@@ -975,10 +975,13 @@ static void qfq_update_eligible(struct qfq_sched *q)
+ }
+
+ /* Dequeue head packet of the head class in the DRR queue of the aggregate. */
+-static void agg_dequeue(struct qfq_aggregate *agg,
+- struct qfq_class *cl, unsigned int len)
++static struct sk_buff *agg_dequeue(struct qfq_aggregate *agg,
++ struct qfq_class *cl, unsigned int len)
+ {
+- qdisc_dequeue_peeked(cl->qdisc);
++ struct sk_buff *skb = qdisc_dequeue_peeked(cl->qdisc);
++
++ if (!skb)
++ return NULL;
+
+ cl->deficit -= (int) len;
+
+@@ -988,6 +991,8 @@ static void agg_dequeue(struct qfq_aggregate *agg,
+ cl->deficit += agg->lmax;
+ list_move_tail(&cl->alist, &agg->active);
+ }
++
++ return skb;
+ }
+
+ static inline struct sk_buff *qfq_peek_skb(struct qfq_aggregate *agg,
+@@ -1133,11 +1138,18 @@ static struct sk_buff *qfq_dequeue(struct Qdisc *sch)
+ if (!skb)
+ return NULL;
+
+- qdisc_qstats_backlog_dec(sch, skb);
+ sch->q.qlen--;
++
++ skb = agg_dequeue(in_serv_agg, cl, len);
++
++ if (!skb) {
++ sch->q.qlen++;
++ return NULL;
++ }
++
++ qdisc_qstats_backlog_dec(sch, skb);
+ qdisc_bstats_update(sch, skb);
+
+- agg_dequeue(in_serv_agg, cl, len);
+ /* If lmax is lowered, through qfq_change_class, for a class
+ * owning pending packets with larger size than the new value
+ * of lmax, then the following condition may hold.
+--
+2.40.1
+
--- /dev/null
+From d6b63b4d34b921939304640d770854524687ce9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 10:50:20 -0300
+Subject: netfilter: nfnetlink_osf: avoid OOB read
+
+From: Wander Lairson Costa <wander@redhat.com>
+
+[ Upstream commit f4f8a7803119005e87b716874bec07c751efafec ]
+
+The opt_num field is controlled by user mode and is not currently
+validated inside the kernel. An attacker can take advantage of this to
+trigger an OOB read and potentially leak information.
+
+BUG: KASAN: slab-out-of-bounds in nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
+Read of size 2 at addr ffff88804bc64272 by task poc/6431
+
+CPU: 1 PID: 6431 Comm: poc Not tainted 6.0.0-rc4 #1
+Call Trace:
+ nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
+ nf_osf_find+0x186/0x2f0 net/netfilter/nfnetlink_osf.c:281
+ nft_osf_eval+0x37f/0x590 net/netfilter/nft_osf.c:47
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:214
+ nft_do_chain+0x2b0/0x1490 net/netfilter/nf_tables_core.c:264
+ nft_do_chain_ipv4+0x17c/0x1f0 net/netfilter/nft_chain_filter.c:23
+ [..]
+
+Also add validation to genre, subtype and version fields.
+
+Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
+Reported-by: Lucas Leong <wmliang@infosec.exchange>
+Signed-off-by: Wander Lairson Costa <wander@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_osf.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
+index 9dbaa5ce24e51..573a372e760f4 100644
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -316,6 +316,14 @@ static int nfnl_osf_add_callback(struct net *net, struct sock *ctnl,
+
+ f = nla_data(osf_attrs[OSF_ATTR_FINGER]);
+
++ if (f->opt_num > ARRAY_SIZE(f->opt))
++ return -EINVAL;
++
++ if (!memchr(f->genre, 0, MAXGENRELEN) ||
++ !memchr(f->subtype, 0, MAXGENRELEN) ||
++ !memchr(f->version, 0, MAXGENRELEN))
++ return -EINVAL;
++
+ kf = kmalloc(sizeof(struct nf_osf_finger), GFP_KERNEL);
+ if (!kf)
+ return -ENOMEM;
+--
+2.40.1
+
--- /dev/null
+From 3c220cba19878ea475edbdad098dbe867c45c149 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Aug 2023 18:22:14 -0300
+Subject: perf annotate bpf: Don't enclose non-debug code with an assert()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 979e9c9fc9c2a761303585e07fe2699bdd88182f ]
+
+In 616b14b47a86d880 ("perf build: Conditionally define NDEBUG") we
+started using NDEBUG=1 when DEBUG=1 isn't present, so code that is
+enclosed with assert() is not called.
+
+In dd317df072071903 ("perf build: Make binutil libraries opt in") we
+stopped linking against binutils-devel, for licensing reasons.
+
+Recently people asked me why annotation of BPF programs wasn't working,
+i.e. this:
+
+ $ perf annotate bpf_prog_5280546344e3f45c_kfree_skb
+
+was returning:
+
+ case SYMBOL_ANNOTATE_ERRNO__NO_LIBOPCODES_FOR_BPF:
+ scnprintf(buf, buflen, "Please link with binutils's libopcode to enable BPF annotation");
+
+This was on a fedora rpm, so its new enough that I had to try to test by
+rebuilding using BUILD_NONDISTRO=1, only to get it segfaulting on me.
+
+This combination made this libopcode function not to be called:
+
+ assert(bfd_check_format(bfdf, bfd_object));
+
+Changing it to:
+
+ if (!bfd_check_format(bfdf, bfd_object))
+ abort();
+
+Made it work, looking at this "check" function made me realize it
+changes the 'bfdf' internal state, i.e. we better call it.
+
+So stop using assert() on it, just call it and abort if it fails.
+
+Probably it is better to propagate the error, etc, but it seems it is
+unlikely to fail from the usage done so far and we really need to stop
+using libopcodes, so do the quick fix above and move on.
+
+With it we have BPF annotation back working when built with
+BUILD_NONDISTRO=1:
+
+ ⬢[acme@toolbox perf-tools-next]$ perf annotate --stdio2 bpf_prog_5280546344e3f45c_kfree_skb | head
+ No kallsyms or vmlinux with build-id 939bc71a1a51cdc434e60af93c7e734f7d5c0e7e was found
+ Samples: 12 of event 'cpu-clock:ppp', 4000 Hz, Event count (approx.): 3000000, [percent: local period]
+ bpf_prog_5280546344e3f45c_kfree_skb() bpf_prog_5280546344e3f45c_kfree_skb
+ Percent int kfree_skb(struct trace_event_raw_kfree_skb *args) {
+ nop
+ 33.33 xchg %ax,%ax
+ push %rbp
+ mov %rsp,%rbp
+ sub $0x180,%rsp
+ push %rbx
+ push %r13
+ ⬢[acme@toolbox perf-tools-next]$
+
+Fixes: 6987561c9e86eace ("perf annotate: Enable annotation of BPF programs")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Mohamed Mahmoud <mmahmoud@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Dave Tucker <datucker@redhat.com>
+Cc: Derek Barbosa <debarbos@redhat.com>
+Cc: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/lkml/ZMrMzoQBe0yqMek1@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/annotate.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/annotate.c b/tools/perf/util/annotate.c
+index e42bf572358c7..bd71cb0b52cf6 100644
+--- a/tools/perf/util/annotate.c
++++ b/tools/perf/util/annotate.c
+@@ -1741,8 +1741,11 @@ static int symbol__disassemble_bpf(struct symbol *sym,
+ perf_exe(tpath, sizeof(tpath));
+
+ bfdf = bfd_openr(tpath, NULL);
+- assert(bfdf);
+- assert(bfd_check_format(bfdf, bfd_object));
++ if (bfdf == NULL)
++ abort();
++
++ if (!bfd_check_format(bfdf, bfd_object))
++ abort();
+
+ s = open_memstream(&buf, &buf_size);
+ if (!s) {
+@@ -1790,7 +1793,8 @@ static int symbol__disassemble_bpf(struct symbol *sym,
+ #else
+ disassemble = disassembler(bfdf);
+ #endif
+- assert(disassemble);
++ if (disassemble == NULL)
++ abort();
+
+ fflush(s);
+ do {
+--
+2.40.1
+
--- /dev/null
+From 5bd4daf266ccd0a4ce1023e96c7b672be53f8ce5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 09:11:21 -0300
+Subject: perf top: Don't pass an ERR_PTR() directly to perf_session__delete()
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit ef23cb593304bde0cc046fd4cc83ae7ea2e24f16 ]
+
+While debugging a segfault on 'perf lock contention' without an
+available perf.data file I noticed that it was basically calling:
+
+ perf_session__delete(ERR_PTR(-1))
+
+Resulting in:
+
+ (gdb) run lock contention
+ Starting program: /root/bin/perf lock contention
+ [Thread debugging using libthread_db enabled]
+ Using host libthread_db library "/lib64/libthread_db.so.1".
+ failed to open perf.data: No such file or directory (try 'perf record' first)
+ Initializing perf session failed
+
+ Program received signal SIGSEGV, Segmentation fault.
+ 0x00000000005e7515 in auxtrace__free (session=0xffffffffffffffff) at util/auxtrace.c:2858
+ 2858 if (!session->auxtrace)
+ (gdb) p session
+ $1 = (struct perf_session *) 0xffffffffffffffff
+ (gdb) bt
+ #0 0x00000000005e7515 in auxtrace__free (session=0xffffffffffffffff) at util/auxtrace.c:2858
+ #1 0x000000000057bb4d in perf_session__delete (session=0xffffffffffffffff) at util/session.c:300
+ #2 0x000000000047c421 in __cmd_contention (argc=0, argv=0x7fffffffe200) at builtin-lock.c:2161
+ #3 0x000000000047dc95 in cmd_lock (argc=0, argv=0x7fffffffe200) at builtin-lock.c:2604
+ #4 0x0000000000501466 in run_builtin (p=0xe597a8 <commands+552>, argc=2, argv=0x7fffffffe200) at perf.c:322
+ #5 0x00000000005016d5 in handle_internal_command (argc=2, argv=0x7fffffffe200) at perf.c:375
+ #6 0x0000000000501824 in run_argv (argcp=0x7fffffffe02c, argv=0x7fffffffe020) at perf.c:419
+ #7 0x0000000000501b11 in main (argc=2, argv=0x7fffffffe200) at perf.c:535
+ (gdb)
+
+So just set it to NULL after using PTR_ERR(session) to decode the error
+as perf_session__delete(NULL) is supported.
+
+The same problem was found in 'perf top' after an audit of all
+perf_session__new() failure handling.
+
+Fixes: 6ef81c55a2b6584c ("perf session: Return error code for perf_session__new() function on failure")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Alexey Budankov <alexey.budankov@linux.intel.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jeremie Galarneau <jeremie.galarneau@efficios.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kate Stewart <kstewart@linuxfoundation.org>
+Cc: Mamatha Inamdar <mamatha4@linux.vnet.ibm.com>
+Cc: Mukesh Ojha <mojha@codeaurora.org>
+Cc: Nageswara R Sastry <rnsastry@linux.vnet.ibm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Cc: Shawn Landden <shawn@git.icu>
+Cc: Song Liu <songliubraving@fb.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tzvetomir Stoyanov <tstoyanov@vmware.com>
+Link: https://lore.kernel.org/lkml/ZN4Q2rxxsL08A8rd@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-top.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c
+index a30d62186f5e9..b83a861fab2ed 100644
+--- a/tools/perf/builtin-top.c
++++ b/tools/perf/builtin-top.c
+@@ -1679,6 +1679,7 @@ int cmd_top(int argc, const char **argv)
+ top.session = perf_session__new(NULL, false, NULL);
+ if (IS_ERR(top.session)) {
+ status = PTR_ERR(top.session);
++ top.session = NULL;
+ goto out_delete_evlist;
+ }
+
+--
+2.40.1
+
--- /dev/null
+From 283e2a60cf3d29f60a0b160a179b621bb2799e97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jul 2023 17:52:57 +0200
+Subject: pwm: lpc32xx: Remove handling of PWM channels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vladimir Zapolskiy <vz@mleia.com>
+
+[ Upstream commit 4aae44f65827f0213a7361cf9c32cfe06114473f ]
+
+Because LPC32xx PWM controllers have only a single output which is
+registered as the only PWM device/channel per controller, it is known in
+advance that pwm->hwpwm value is always 0. On basis of this fact
+simplify the code by removing operations with pwm->hwpwm, there is no
+controls which require channel number as input.
+
+Even though I wasn't aware at the time when I forward ported that patch,
+this fixes a null pointer dereference as lpc32xx->chip.pwms is NULL
+before devm_pwmchip_add() is called.
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Fixes: 3d2813fb17e5 ("pwm: lpc32xx: Don't modify HW state in .probe() after the PWM chip was registered")
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-lpc32xx.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/pwm/pwm-lpc32xx.c b/drivers/pwm/pwm-lpc32xx.c
+index 522f862eca526..504a8f506195a 100644
+--- a/drivers/pwm/pwm-lpc32xx.c
++++ b/drivers/pwm/pwm-lpc32xx.c
+@@ -51,10 +51,10 @@ static int lpc32xx_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
+ if (duty_cycles > 255)
+ duty_cycles = 255;
+
+- val = readl(lpc32xx->base + (pwm->hwpwm << 2));
++ val = readl(lpc32xx->base);
+ val &= ~0xFFFF;
+ val |= (period_cycles << 8) | duty_cycles;
+- writel(val, lpc32xx->base + (pwm->hwpwm << 2));
++ writel(val, lpc32xx->base);
+
+ return 0;
+ }
+@@ -69,9 +69,9 @@ static int lpc32xx_pwm_enable(struct pwm_chip *chip, struct pwm_device *pwm)
+ if (ret)
+ return ret;
+
+- val = readl(lpc32xx->base + (pwm->hwpwm << 2));
++ val = readl(lpc32xx->base);
+ val |= PWM_ENABLE;
+- writel(val, lpc32xx->base + (pwm->hwpwm << 2));
++ writel(val, lpc32xx->base);
+
+ return 0;
+ }
+@@ -81,9 +81,9 @@ static void lpc32xx_pwm_disable(struct pwm_chip *chip, struct pwm_device *pwm)
+ struct lpc32xx_pwm_chip *lpc32xx = to_lpc32xx_pwm_chip(chip);
+ u32 val;
+
+- val = readl(lpc32xx->base + (pwm->hwpwm << 2));
++ val = readl(lpc32xx->base);
+ val &= ~PWM_ENABLE;
+- writel(val, lpc32xx->base + (pwm->hwpwm << 2));
++ writel(val, lpc32xx->base);
+
+ clk_disable_unprepare(lpc32xx->clk);
+ }
+@@ -121,9 +121,9 @@ static int lpc32xx_pwm_probe(struct platform_device *pdev)
+ lpc32xx->chip.base = -1;
+
+ /* If PWM is disabled, configure the output to the default value */
+- val = readl(lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2));
++ val = readl(lpc32xx->base);
+ val &= ~PWM_PIN_LEVEL;
+- writel(val, lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2));
++ writel(val, lpc32xx->base);
+
+ ret = pwmchip_add(&lpc32xx->chip);
+ if (ret < 0) {
+--
+2.40.1
+
--- /dev/null
+From 709f0f747fa789234d55ef19d897aeae12471703 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 13:59:59 +0300
+Subject: s390/zcrypt: don't leak memory if dev_set_name() fails
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 6252f47b78031979ad919f971dc8468b893488bd ]
+
+When dev_set_name() fails, zcdn_create() doesn't free the newly
+allocated resources. Do it.
+
+Fixes: 00fab2350e6b ("s390/zcrypt: multiple zcrypt device nodes support")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20230831110000.24279-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/zcrypt_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/s390/crypto/zcrypt_api.c b/drivers/s390/crypto/zcrypt_api.c
+index ec41a8a76398c..f376dfcd7dbeb 100644
+--- a/drivers/s390/crypto/zcrypt_api.c
++++ b/drivers/s390/crypto/zcrypt_api.c
+@@ -397,6 +397,7 @@ static int zcdn_create(const char *name)
+ ZCRYPT_NAME "_%d", (int) MINOR(devt));
+ nodename[sizeof(nodename)-1] = '\0';
+ if (dev_set_name(&zcdndev->device, nodename)) {
++ kfree(zcdndev);
+ rc = -EINVAL;
+ goto unlockout;
+ }
+--
+2.40.1
+
--- /dev/null
+From a5be0f12ac8a474d8cfbeded6864272c0f00f1f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 09:45:19 +0000
+Subject: sctp: annotate data-races around sk->sk_wmem_queued
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit dc9511dd6f37fe803f6b15b61b030728d7057417 ]
+
+sk->sk_wmem_queued can be read locklessly from sctp_poll()
+
+Use sk_wmem_queued_add() when the field is changed,
+and add READ_ONCE() annotations in sctp_writeable()
+and sctp_assocs_seq_show()
+
+syzbot reported:
+
+BUG: KCSAN: data-race in sctp_poll / sctp_wfree
+
+read-write to 0xffff888149d77810 of 4 bytes by interrupt on cpu 0:
+sctp_wfree+0x170/0x4a0 net/sctp/socket.c:9147
+skb_release_head_state+0xb7/0x1a0 net/core/skbuff.c:988
+skb_release_all net/core/skbuff.c:1000 [inline]
+__kfree_skb+0x16/0x140 net/core/skbuff.c:1016
+consume_skb+0x57/0x180 net/core/skbuff.c:1232
+sctp_chunk_destroy net/sctp/sm_make_chunk.c:1503 [inline]
+sctp_chunk_put+0xcd/0x130 net/sctp/sm_make_chunk.c:1530
+sctp_datamsg_put+0x29a/0x300 net/sctp/chunk.c:128
+sctp_chunk_free+0x34/0x50 net/sctp/sm_make_chunk.c:1515
+sctp_outq_sack+0xafa/0xd70 net/sctp/outqueue.c:1381
+sctp_cmd_process_sack net/sctp/sm_sideeffect.c:834 [inline]
+sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1366 [inline]
+sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline]
+sctp_do_sm+0x12c7/0x31b0 net/sctp/sm_sideeffect.c:1169
+sctp_assoc_bh_rcv+0x2b2/0x430 net/sctp/associola.c:1051
+sctp_inq_push+0x108/0x120 net/sctp/inqueue.c:80
+sctp_rcv+0x116e/0x1340 net/sctp/input.c:243
+sctp6_rcv+0x25/0x40 net/sctp/ipv6.c:1120
+ip6_protocol_deliver_rcu+0x92f/0xf30 net/ipv6/ip6_input.c:437
+ip6_input_finish net/ipv6/ip6_input.c:482 [inline]
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ip6_input+0xbd/0x1b0 net/ipv6/ip6_input.c:491
+dst_input include/net/dst.h:468 [inline]
+ip6_rcv_finish+0x1e2/0x2e0 net/ipv6/ip6_input.c:79
+NF_HOOK include/linux/netfilter.h:303 [inline]
+ipv6_rcv+0x74/0x150 net/ipv6/ip6_input.c:309
+__netif_receive_skb_one_core net/core/dev.c:5452 [inline]
+__netif_receive_skb+0x90/0x1b0 net/core/dev.c:5566
+process_backlog+0x21f/0x380 net/core/dev.c:5894
+__napi_poll+0x60/0x3b0 net/core/dev.c:6460
+napi_poll net/core/dev.c:6527 [inline]
+net_rx_action+0x32b/0x750 net/core/dev.c:6660
+__do_softirq+0xc1/0x265 kernel/softirq.c:553
+run_ksoftirqd+0x17/0x20 kernel/softirq.c:921
+smpboot_thread_fn+0x30a/0x4a0 kernel/smpboot.c:164
+kthread+0x1d7/0x210 kernel/kthread.c:389
+ret_from_fork+0x2e/0x40 arch/x86/kernel/process.c:145
+ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
+
+read to 0xffff888149d77810 of 4 bytes by task 17828 on cpu 1:
+sctp_writeable net/sctp/socket.c:9304 [inline]
+sctp_poll+0x265/0x410 net/sctp/socket.c:8671
+sock_poll+0x253/0x270 net/socket.c:1374
+vfs_poll include/linux/poll.h:88 [inline]
+do_pollfd fs/select.c:873 [inline]
+do_poll fs/select.c:921 [inline]
+do_sys_poll+0x636/0xc00 fs/select.c:1015
+__do_sys_ppoll fs/select.c:1121 [inline]
+__se_sys_ppoll+0x1af/0x1f0 fs/select.c:1101
+__x64_sys_ppoll+0x67/0x80 fs/select.c:1101
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x00019e80 -> 0x0000cc80
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 17828 Comm: syz-executor.1 Not tainted 6.5.0-rc7-syzkaller-00185-g28f20a19294d #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Xin Long <lucien.xin@gmail.com>
+Link: https://lore.kernel.org/r/20230830094519.950007-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/proc.c | 2 +-
+ net/sctp/socket.c | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/sctp/proc.c b/net/sctp/proc.c
+index 982a87b3e11f8..963b94517ec20 100644
+--- a/net/sctp/proc.c
++++ b/net/sctp/proc.c
+@@ -284,7 +284,7 @@ static int sctp_assocs_seq_show(struct seq_file *seq, void *v)
+ assoc->init_retries, assoc->shutdown_retries,
+ assoc->rtx_data_chunks,
+ refcount_read(&sk->sk_wmem_alloc),
+- sk->sk_wmem_queued,
++ READ_ONCE(sk->sk_wmem_queued),
+ sk->sk_sndbuf,
+ sk->sk_rcvbuf);
+ seq_printf(seq, "\n");
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 431b9399a781f..d1dd261e8b010 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -68,7 +68,7 @@
+ #include <net/sctp/stream_sched.h>
+
+ /* Forward declarations for internal helper functions. */
+-static bool sctp_writeable(struct sock *sk);
++static bool sctp_writeable(const struct sock *sk);
+ static void sctp_wfree(struct sk_buff *skb);
+ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+ size_t msg_len);
+@@ -138,7 +138,7 @@ static inline void sctp_set_owner_w(struct sctp_chunk *chunk)
+
+ refcount_add(sizeof(struct sctp_chunk), &sk->sk_wmem_alloc);
+ asoc->sndbuf_used += chunk->skb->truesize + sizeof(struct sctp_chunk);
+- sk->sk_wmem_queued += chunk->skb->truesize + sizeof(struct sctp_chunk);
++ sk_wmem_queued_add(sk, chunk->skb->truesize + sizeof(struct sctp_chunk));
+ sk_mem_charge(sk, chunk->skb->truesize);
+ }
+
+@@ -8997,7 +8997,7 @@ static void sctp_wfree(struct sk_buff *skb)
+ struct sock *sk = asoc->base.sk;
+
+ sk_mem_uncharge(sk, skb->truesize);
+- sk->sk_wmem_queued -= skb->truesize + sizeof(struct sctp_chunk);
++ sk_wmem_queued_add(sk, -(skb->truesize + sizeof(struct sctp_chunk)));
+ asoc->sndbuf_used -= skb->truesize + sizeof(struct sctp_chunk);
+ WARN_ON(refcount_sub_and_test(sizeof(struct sctp_chunk),
+ &sk->sk_wmem_alloc));
+@@ -9152,9 +9152,9 @@ void sctp_write_space(struct sock *sk)
+ * UDP-style sockets or TCP-style sockets, this code should work.
+ * - Daisy
+ */
+-static bool sctp_writeable(struct sock *sk)
++static bool sctp_writeable(const struct sock *sk)
+ {
+- return sk->sk_sndbuf > sk->sk_wmem_queued;
++ return READ_ONCE(sk->sk_sndbuf) > READ_ONCE(sk->sk_wmem_queued);
+ }
+
+ /* Wait for an association to go into ESTABLISHED state. If timeout is 0,
+--
+2.40.1
+
clk-qcom-gcc-mdm9615-use-proper-parent-for-pll0_vote-clock.patch
soc-qcom-qmi_encdec-restrict-string-length-in-decode.patch
nfsv4-pnfs-minor-fix-for-cleanup-path-in-nfs4_get_device_info.patch
+kconfig-fix-possible-buffer-overflow.patch
+perf-annotate-bpf-don-t-enclose-non-debug-code-with-.patch
+x86-virt-drop-unnecessary-check-on-extended-cpuid-le.patch
+perf-top-don-t-pass-an-err_ptr-directly-to-perf_sess.patch
+watchdog-intel-mid_wdt-add-module_alias-to-allow-aut.patch
+pwm-lpc32xx-remove-handling-of-pwm-channels.patch
+sctp-annotate-data-races-around-sk-sk_wmem_queued.patch
+ipv4-annotate-data-races-around-fi-fib_dead.patch
+net-read-sk-sk_family-once-in-sk_mc_loop.patch
+igb-disable-virtualization-features-on-82580.patch
+veth-fixing-transmit-return-status-for-dropped-packe.patch
+net-ipv6-addrconf-avoid-integer-underflow-in-ipv6_cr.patch
+af_unix-fix-data-races-around-user-unix_inflight.patch
+af_unix-fix-data-race-around-unix_tot_inflight.patch
+af_unix-fix-data-races-around-sk-sk_shutdown.patch
+af_unix-fix-data-race-around-sk-sk_err.patch
+net-sched-sch_qfq-fix-uaf-in-qfq_dequeue.patch
+kcm-destroy-mutex-in-kcm_exit_net.patch
+igc-change-igc_min-to-allow-set-rx-tx-value-between-.patch
+igbvf-change-igbvf_min-to-allow-set-rx-tx-value-betw.patch
+igb-change-igb_min-to-allow-set-rx-tx-value-between-.patch
+s390-zcrypt-don-t-leak-memory-if-dev_set_name-fails.patch
+idr-fix-param-name-in-idr_alloc_cyclic-doc.patch
+ip_tunnels-use-dev_stats_inc.patch
+netfilter-nfnetlink_osf-avoid-oob-read.patch
+net-hns3-fix-the-port-information-display-when-sfp-i.patch
+sh-boards-fix-ceu-buffer-size-passed-to-dma_declare_.patch
--- /dev/null
+From 98e2baf62307ac799d9bce88112b9e2908309e5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Jul 2023 14:07:42 +0200
+Subject: sh: boards: Fix CEU buffer size passed to
+ dma_declare_coherent_memory()
+
+From: Petr Tesarik <petr.tesarik.ext@huawei.com>
+
+[ Upstream commit fb60211f377b69acffead3147578f86d0092a7a5 ]
+
+In all these cases, the last argument to dma_declare_coherent_memory() is
+the buffer end address, but the expected value should be the size of the
+reserved region.
+
+Fixes: 39fb993038e1 ("media: arch: sh: ap325rxa: Use new renesas-ceu camera driver")
+Fixes: c2f9b05fd5c1 ("media: arch: sh: ecovec: Use new renesas-ceu camera driver")
+Fixes: f3590dc32974 ("media: arch: sh: kfr2r09: Use new renesas-ceu camera driver")
+Fixes: 186c446f4b84 ("media: arch: sh: migor: Use new renesas-ceu camera driver")
+Fixes: 1a3c230b4151 ("media: arch: sh: ms7724se: Use new renesas-ceu camera driver")
+Signed-off-by: Petr Tesarik <petr.tesarik.ext@huawei.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Jacopo Mondi <jacopo.mondi@ideasonboard.com>
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Link: https://lore.kernel.org/r/20230724120742.2187-1-petrtesarik@huaweicloud.com
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/sh/boards/mach-ap325rxa/setup.c | 2 +-
+ arch/sh/boards/mach-ecovec24/setup.c | 6 ++----
+ arch/sh/boards/mach-kfr2r09/setup.c | 2 +-
+ arch/sh/boards/mach-migor/setup.c | 2 +-
+ arch/sh/boards/mach-se/7724/setup.c | 6 ++----
+ 5 files changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/arch/sh/boards/mach-ap325rxa/setup.c b/arch/sh/boards/mach-ap325rxa/setup.c
+index 665cad452798b..a80e2369f42b2 100644
+--- a/arch/sh/boards/mach-ap325rxa/setup.c
++++ b/arch/sh/boards/mach-ap325rxa/setup.c
+@@ -529,7 +529,7 @@ static int __init ap325rxa_devices_setup(void)
+ device_initialize(&ap325rxa_ceu_device.dev);
+ dma_declare_coherent_memory(&ap325rxa_ceu_device.dev,
+ ceu_dma_membase, ceu_dma_membase,
+- ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1);
++ CEU_BUFFER_MEMORY_SIZE);
+
+ platform_device_add(&ap325rxa_ceu_device);
+
+diff --git a/arch/sh/boards/mach-ecovec24/setup.c b/arch/sh/boards/mach-ecovec24/setup.c
+index acaa97459531c..3286afe2ea3dc 100644
+--- a/arch/sh/boards/mach-ecovec24/setup.c
++++ b/arch/sh/boards/mach-ecovec24/setup.c
+@@ -1442,15 +1442,13 @@ static int __init arch_setup(void)
+ device_initialize(&ecovec_ceu_devices[0]->dev);
+ dma_declare_coherent_memory(&ecovec_ceu_devices[0]->dev,
+ ceu0_dma_membase, ceu0_dma_membase,
+- ceu0_dma_membase +
+- CEU_BUFFER_MEMORY_SIZE - 1);
++ CEU_BUFFER_MEMORY_SIZE);
+ platform_device_add(ecovec_ceu_devices[0]);
+
+ device_initialize(&ecovec_ceu_devices[1]->dev);
+ dma_declare_coherent_memory(&ecovec_ceu_devices[1]->dev,
+ ceu1_dma_membase, ceu1_dma_membase,
+- ceu1_dma_membase +
+- CEU_BUFFER_MEMORY_SIZE - 1);
++ CEU_BUFFER_MEMORY_SIZE);
+ platform_device_add(ecovec_ceu_devices[1]);
+
+ gpiod_add_lookup_table(&cn12_power_gpiod_table);
+diff --git a/arch/sh/boards/mach-kfr2r09/setup.c b/arch/sh/boards/mach-kfr2r09/setup.c
+index 96538ba3aa323..90b876194124f 100644
+--- a/arch/sh/boards/mach-kfr2r09/setup.c
++++ b/arch/sh/boards/mach-kfr2r09/setup.c
+@@ -603,7 +603,7 @@ static int __init kfr2r09_devices_setup(void)
+ device_initialize(&kfr2r09_ceu_device.dev);
+ dma_declare_coherent_memory(&kfr2r09_ceu_device.dev,
+ ceu_dma_membase, ceu_dma_membase,
+- ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1);
++ CEU_BUFFER_MEMORY_SIZE);
+
+ platform_device_add(&kfr2r09_ceu_device);
+
+diff --git a/arch/sh/boards/mach-migor/setup.c b/arch/sh/boards/mach-migor/setup.c
+index 9ed369dad62df..8598290932eab 100644
+--- a/arch/sh/boards/mach-migor/setup.c
++++ b/arch/sh/boards/mach-migor/setup.c
+@@ -604,7 +604,7 @@ static int __init migor_devices_setup(void)
+ device_initialize(&migor_ceu_device.dev);
+ dma_declare_coherent_memory(&migor_ceu_device.dev,
+ ceu_dma_membase, ceu_dma_membase,
+- ceu_dma_membase + CEU_BUFFER_MEMORY_SIZE - 1);
++ CEU_BUFFER_MEMORY_SIZE);
+
+ platform_device_add(&migor_ceu_device);
+
+diff --git a/arch/sh/boards/mach-se/7724/setup.c b/arch/sh/boards/mach-se/7724/setup.c
+index 32f5dd9448894..9e7b7cac36dc8 100644
+--- a/arch/sh/boards/mach-se/7724/setup.c
++++ b/arch/sh/boards/mach-se/7724/setup.c
+@@ -939,15 +939,13 @@ static int __init devices_setup(void)
+ device_initialize(&ms7724se_ceu_devices[0]->dev);
+ dma_declare_coherent_memory(&ms7724se_ceu_devices[0]->dev,
+ ceu0_dma_membase, ceu0_dma_membase,
+- ceu0_dma_membase +
+- CEU_BUFFER_MEMORY_SIZE - 1);
++ CEU_BUFFER_MEMORY_SIZE);
+ platform_device_add(ms7724se_ceu_devices[0]);
+
+ device_initialize(&ms7724se_ceu_devices[1]->dev);
+ dma_declare_coherent_memory(&ms7724se_ceu_devices[1]->dev,
+ ceu1_dma_membase, ceu1_dma_membase,
+- ceu1_dma_membase +
+- CEU_BUFFER_MEMORY_SIZE - 1);
++ CEU_BUFFER_MEMORY_SIZE);
+ platform_device_add(ms7724se_ceu_devices[1]);
+
+ return platform_add_devices(ms7724se_devices,
+--
+2.40.1
+
--- /dev/null
+From fa322c58585ba8213fde6d5d3bc971b9ff72985c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Sep 2023 12:09:21 +0800
+Subject: veth: Fixing transmit return status for dropped packets
+
+From: Liang Chen <liangchen.linux@gmail.com>
+
+[ Upstream commit 151e887d8ff97e2e42110ffa1fb1e6a2128fb364 ]
+
+The veth_xmit function returns NETDEV_TX_OK even when packets are dropped.
+This behavior leads to incorrect calculations of statistics counts, as
+well as things like txq->trans_start updates.
+
+Fixes: e314dbdc1c0d ("[NET]: Virtual ethernet device driver.")
+Signed-off-by: Liang Chen <liangchen.linux@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/veth.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/veth.c b/drivers/net/veth.c
+index a6445bba4f942..cae7247a397aa 100644
+--- a/drivers/net/veth.c
++++ b/drivers/net/veth.c
+@@ -238,6 +238,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct veth_priv *rcv_priv, *priv = netdev_priv(dev);
+ struct veth_rq *rq = NULL;
++ int ret = NETDEV_TX_OK;
+ struct net_device *rcv;
+ int length = skb->len;
+ bool rcv_xdp = false;
+@@ -270,6 +271,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
+ } else {
+ drop:
+ atomic64_inc(&priv->dropped);
++ ret = NET_XMIT_DROP;
+ }
+
+ if (rcv_xdp)
+@@ -277,7 +279,7 @@ static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
+
+ rcu_read_unlock();
+
+- return NETDEV_TX_OK;
++ return ret;
+ }
+
+ static u64 veth_stats_tx(struct pcpu_lstats *result, struct net_device *dev)
+--
+2.40.1
+
--- /dev/null
+From ea92b4f921e1a18fd82170d032fe52bd0446a4ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Aug 2023 17:32:20 +0530
+Subject: watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
+
+From: Raag Jadav <raag.jadav@intel.com>
+
+[ Upstream commit cf38e7691c85f1b09973b22a0b89bf1e1228d2f9 ]
+
+When built with CONFIG_INTEL_MID_WATCHDOG=m, currently the driver
+needs to be loaded manually, for the lack of module alias.
+This causes unintended resets in cases where watchdog timer is
+set-up by bootloader and the driver is not explicitly loaded.
+Add MODULE_ALIAS() to load the driver automatically at boot and
+avoid this issue.
+
+Fixes: 87a1ef8058d9 ("watchdog: add Intel MID watchdog driver support")
+Signed-off-by: Raag Jadav <raag.jadav@intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20230811120220.31578-1-raag.jadav@intel.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/intel-mid_wdt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/watchdog/intel-mid_wdt.c b/drivers/watchdog/intel-mid_wdt.c
+index 2cdbd37c700cf..7ee355c286284 100644
+--- a/drivers/watchdog/intel-mid_wdt.c
++++ b/drivers/watchdog/intel-mid_wdt.c
+@@ -181,3 +181,4 @@ module_platform_driver(mid_wdt_driver);
+ MODULE_AUTHOR("David Cohen <david.a.cohen@linux.intel.com>");
+ MODULE_DESCRIPTION("Watchdog Driver for Intel MID platform");
+ MODULE_LICENSE("GPL");
++MODULE_ALIAS("platform:intel_mid_wdt");
+--
+2.40.1
+
--- /dev/null
+From a7d3b61723614d33e31796a8aaadacb2b75188b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jul 2023 13:18:52 -0700
+Subject: x86/virt: Drop unnecessary check on extended CPUID level in
+ cpu_has_svm()
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 5df8ecfe3632d5879d1f154f7aa8de441b5d1c89 ]
+
+Drop the explicit check on the extended CPUID level in cpu_has_svm(), the
+kernel's cached CPUID info will leave the entire SVM leaf unset if said
+leaf is not supported by hardware. Prior to using cached information,
+the check was needed to avoid false positives due to Intel's rather crazy
+CPUID behavior of returning the values of the maximum supported leaf if
+the specified leaf is unsupported.
+
+Fixes: 682a8108872f ("x86/kvm/svm: Simplify cpu_has_svm()")
+Link: https://lore.kernel.org/r/20230721201859.2307736-13-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/virtext.h | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/arch/x86/include/asm/virtext.h b/arch/x86/include/asm/virtext.h
+index 8eefa3386d8ce..331474296e6f1 100644
+--- a/arch/x86/include/asm/virtext.h
++++ b/arch/x86/include/asm/virtext.h
+@@ -95,12 +95,6 @@ static inline int cpu_has_svm(const char **msg)
+ return 0;
+ }
+
+- if (boot_cpu_data.extended_cpuid_level < SVM_CPUID_FUNC) {
+- if (msg)
+- *msg = "can't execute cpuid_8000000a";
+- return 0;
+- }
+-
+ if (!boot_cpu_has(X86_FEATURE_SVM)) {
+ if (msg)
+ *msg = "svm not available";
+--
+2.40.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
