--- /dev/null
+From fc6f716a5069180c40a8c9b63631e97da34f64a3 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Wed, 11 Oct 2023 16:33:32 -0700
+Subject: i40e: prevent crash on probe if hw registers have invalid values
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+commit fc6f716a5069180c40a8c9b63631e97da34f64a3 upstream.
+
+The hardware provides the indexes of the first and the last available
+queue and VF. From the indexes, the driver calculates the numbers of
+queues and VFs. In theory, a faulty device might say the last index is
+smaller than the first index. In that case, the driver's calculation
+would underflow, it would attempt to write to non-existent registers
+outside of the ioremapped range and crash.
+
+I ran into this not by having a faulty device, but by an operator error.
+I accidentally ran a QE test meant for i40e devices on an ice device.
+The test used 'echo i40e > /sys/...ice PCI device.../driver_override',
+bound the driver to the device and crashed in one of the wr32 calls in
+i40e_clear_hw.
+
+Add checks to prevent underflows in the calculations of num_queues and
+num_vfs. With this fix, the wrong device probing reports errors and
+returns a failure without crashing.
+
+Fixes: 838d41d92a90 ("i40e: clear all queues and interrupts")
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Link: https://lore.kernel.org/r/20231011233334.336092-2-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_common.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_common.c
+@@ -1339,7 +1339,7 @@ void i40e_clear_hw(struct i40e_hw *hw)
+ I40E_PFLAN_QALLOC_FIRSTQ_SHIFT;
+ j = (val & I40E_PFLAN_QALLOC_LASTQ_MASK) >>
+ I40E_PFLAN_QALLOC_LASTQ_SHIFT;
+- if (val & I40E_PFLAN_QALLOC_VALID_MASK)
++ if (val & I40E_PFLAN_QALLOC_VALID_MASK && j >= base_queue)
+ num_queues = (j - base_queue) + 1;
+ else
+ num_queues = 0;
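Review bot: The new guard `val & I40E_PFLAN_QALLOC_VALID_MASK && j >= base_queue` is correct only because `&` binds tighter than `&&`; writing it as `(val & I40E_PFLAN_QALLOC_VALID_MASK) && j >= base_queue` makes the intent obvious, and the same applies to the `I40E_PF_VT_PFALLOC_VALID_MASK` test in the next hunk. Both values come straight from device registers, so a short comment such as `/* FIRSTQ/LASTQ come from hardware; reject last < first so the count cannot wrap */` would record why the comparison is there. The checks stop the underflow but do not by themselves bound the counts against the mapped register range; whether the field masks already guarantee that cannot be seen from these hunks. i40e_clear_hw()'s body starts and ends outside both hunks.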
+@@ -1349,7 +1349,7 @@ void i40e_clear_hw(struct i40e_hw *hw)
+ I40E_PF_VT_PFALLOC_FIRSTVF_SHIFT;
+ j = (val & I40E_PF_VT_PFALLOC_LASTVF_MASK) >>
+ I40E_PF_VT_PFALLOC_LASTVF_SHIFT;
+- if (val & I40E_PF_VT_PFALLOC_VALID_MASK)
++ if (val & I40E_PF_VT_PFALLOC_VALID_MASK && j >= i)
+ num_vfs = (j - i) + 1;
+ else
+ num_vfs = 0;
--- /dev/null
+From 195374d893681da43a39796e53b30ac4f20400c4 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 17 Oct 2023 19:23:04 +0000
+Subject: ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 195374d893681da43a39796e53b30ac4f20400c4 upstream.
+
+syzbot reported a data-race while accessing nh->nh_saddr_genid [1]
+
+Add annotations, but leave the code lazy as intended.
+
+[1]
+BUG: KCSAN: data-race in fib_select_path / fib_select_path
+
+write to 0xffff8881387166f0 of 4 bytes by task 6778 on cpu 1:
+fib_info_update_nhc_saddr net/ipv4/fib_semantics.c:1334 [inline]
+fib_result_prefsrc net/ipv4/fib_semantics.c:1354 [inline]
+fib_select_path+0x292/0x330 net/ipv4/fib_semantics.c:2269
+ip_route_output_key_hash_rcu+0x659/0x12c0 net/ipv4/route.c:2810
+ip_route_output_key_hash net/ipv4/route.c:2644 [inline]
+__ip_route_output_key include/net/route.h:134 [inline]
+ip_route_output_flow+0xa6/0x150 net/ipv4/route.c:2872
+send4+0x1f5/0x520 drivers/net/wireguard/socket.c:61
+wg_socket_send_skb_to_peer+0x94/0x130 drivers/net/wireguard/socket.c:175
+wg_socket_send_buffer_to_peer+0xd6/0x100 drivers/net/wireguard/socket.c:200
+wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
+wg_packet_handshake_send_worker+0x10c/0x150 drivers/net/wireguard/send.c:51
+process_one_work kernel/workqueue.c:2630 [inline]
+process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
+worker_thread+0x525/0x730 kernel/workqueue.c:2784
+kthread+0x1d7/0x210 kernel/kthread.c:388
+ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
+ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
+
+read to 0xffff8881387166f0 of 4 bytes by task 6759 on cpu 0:
+fib_result_prefsrc net/ipv4/fib_semantics.c:1350 [inline]
+fib_select_path+0x1cb/0x330 net/ipv4/fib_semantics.c:2269
+ip_route_output_key_hash_rcu+0x659/0x12c0 net/ipv4/route.c:2810
+ip_route_output_key_hash net/ipv4/route.c:2644 [inline]
+__ip_route_output_key include/net/route.h:134 [inline]
+ip_route_output_flow+0xa6/0x150 net/ipv4/route.c:2872
+send4+0x1f5/0x520 drivers/net/wireguard/socket.c:61
+wg_socket_send_skb_to_peer+0x94/0x130 drivers/net/wireguard/socket.c:175
+wg_socket_send_buffer_to_peer+0xd6/0x100 drivers/net/wireguard/socket.c:200
+wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
+wg_packet_handshake_send_worker+0x10c/0x150 drivers/net/wireguard/send.c:51
+process_one_work kernel/workqueue.c:2630 [inline]
+process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
+worker_thread+0x525/0x730 kernel/workqueue.c:2784
+kthread+0x1d7/0x210 kernel/kthread.c:388
+ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
+ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
+
+value changed: 0x959d3217 -> 0x959d3218
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 6759 Comm: kworker/u4:15 Not tainted 6.6.0-rc4-syzkaller-00029-gcbf3a2cb156a #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
+Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker
+
+Fixes: 436c3b66ec98 ("ipv4: Invalidate nexthop cache nh_saddr more correctly.")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20231017192304.82626-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/fib_semantics.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -1345,15 +1345,18 @@ __be32 fib_info_update_nhc_saddr(struct
+ unsigned char scope)
+ {
+ struct fib_nh *nh;
++ __be32 saddr;
+
+ if (nhc->nhc_family != AF_INET)
+ return inet_select_addr(nhc->nhc_dev, 0, scope);
+
+ nh = container_of(nhc, struct fib_nh, nh_common);
+- nh->nh_saddr = inet_select_addr(nh->fib_nh_dev, nh->fib_nh_gw4, scope);
+- nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
++ saddr = inet_select_addr(nh->fib_nh_dev, nh->fib_nh_gw4, scope);
+
+- return nh->nh_saddr;
++ WRITE_ONCE(nh->nh_saddr, saddr);
++ WRITE_ONCE(nh->nh_saddr_genid, atomic_read(&net->ipv4.dev_addr_genid));
++
++ return saddr;
+ }
+
+ __be32 fib_result_prefsrc(struct net *net, struct fib_result *res)
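Review bot: The two `WRITE_ONCE()` stores in fib_info_update_nhc_saddr() and the `READ_ONCE()` pair in fib_result_prefsrc() (next hunk) are annotated but not ordered, so a reader can in principle match the new `nh_saddr_genid` and still load the previous `nh_saddr`. The commit message says the laziness is intended, and that belongs next to the code, e.g. `/* Lockless cache: nh_saddr and nh_saddr_genid are updated without ordering; a racing reader may briefly use a stale source address. */` above the stores. If a stale address is not acceptable for some caller, the pair would need release/acquire ordering instead; that cannot be judged from the hunk.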
+@@ -1367,8 +1370,9 @@ __be32 fib_result_prefsrc(struct net *ne
+ struct fib_nh *nh;
+
+ nh = container_of(nhc, struct fib_nh, nh_common);
+- if (nh->nh_saddr_genid == atomic_read(&net->ipv4.dev_addr_genid))
+- return nh->nh_saddr;
++ if (READ_ONCE(nh->nh_saddr_genid) ==
++ atomic_read(&net->ipv4.dev_addr_genid))
++ return READ_ONCE(nh->nh_saddr);
+ }
+
+ return fib_info_update_nhc_saddr(net, nhc, res->fi->fib_scope);
--- /dev/null
+From 2915240eddba96b37de4c7e9a3d0ac6f9548454b Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 16 Oct 2023 14:49:04 +0200
+Subject: neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 2915240eddba96b37de4c7e9a3d0ac6f9548454b upstream.
+
+When CONFIG_IPV6=n, and building with W=1:
+
+ In file included from include/trace/define_trace.h:102,
+ from include/trace/events/neigh.h:255,
+ from net/core/net-traces.c:51:
+ include/trace/events/neigh.h: In function ‘trace_event_raw_event_neigh_create’:
+ include/trace/events/neigh.h:42:34: error: variable ‘pin6’ set but not used [-Werror=unused-but-set-variable]
+ 42 | struct in6_addr *pin6;
+ | ^~~~
+ include/trace/trace_events.h:402:11: note: in definition of macro ‘DECLARE_EVENT_CLASS’
+ 402 | { assign; } \
+ | ^~~~~~
+ include/trace/trace_events.h:44:30: note: in expansion of macro ‘PARAMS’
+ 44 | PARAMS(assign), \
+ | ^~~~~~
+ include/trace/events/neigh.h:23:1: note: in expansion of macro ‘TRACE_EVENT’
+ 23 | TRACE_EVENT(neigh_create,
+ | ^~~~~~~~~~~
+ include/trace/events/neigh.h:41:9: note: in expansion of macro ‘TP_fast_assign’
+ 41 | TP_fast_assign(
+ | ^~~~~~~~~~~~~~
+ In file included from include/trace/define_trace.h:103,
+ from include/trace/events/neigh.h:255,
+ from net/core/net-traces.c:51:
+ include/trace/events/neigh.h: In function ‘perf_trace_neigh_create’:
+ include/trace/events/neigh.h:42:34: error: variable ‘pin6’ set but not used [-Werror=unused-but-set-variable]
+ 42 | struct in6_addr *pin6;
+ | ^~~~
+ include/trace/perf.h:51:11: note: in definition of macro ‘DECLARE_EVENT_CLASS’
+ 51 | { assign; } \
+ | ^~~~~~
+ include/trace/trace_events.h:44:30: note: in expansion of macro ‘PARAMS’
+ 44 | PARAMS(assign), \
+ | ^~~~~~
+ include/trace/events/neigh.h:23:1: note: in expansion of macro ‘TRACE_EVENT’
+ 23 | TRACE_EVENT(neigh_create,
+ | ^~~~~~~~~~~
+ include/trace/events/neigh.h:41:9: note: in expansion of macro ‘TP_fast_assign’
+ 41 | TP_fast_assign(
+ | ^~~~~~~~~~~~~~
+
+Indeed, the variable pin6 is declared and initialized unconditionally,
+while it is only used and needlessly re-initialized when support for
+IPv6 is enabled.
+
+Fix this by dropping the unused variable initialization, and moving the
+variable declaration inside the existing section protected by a check
+for CONFIG_IPV6.
+
+Fixes: fc651001d2c5ca4f ("neighbor: Add tracepoint to __neigh_create")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Simon Horman <horms@kernel.org> # build-tested
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/trace/events/neigh.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/trace/events/neigh.h
++++ b/include/trace/events/neigh.h
+@@ -39,7 +39,6 @@ TRACE_EVENT(neigh_create,
+ ),
+
+ TP_fast_assign(
+- struct in6_addr *pin6;
+ __be32 *p32;
+
+ __entry->family = tbl->family;
+@@ -47,7 +46,6 @@ TRACE_EVENT(neigh_create,
+ __entry->entries = atomic_read(&tbl->gc_entries);
+ __entry->created = n != NULL;
+ __entry->gc_exempt = exempt_from_gc;
+- pin6 = (struct in6_addr *)__entry->primary_key6;
+ p32 = (__be32 *)__entry->primary_key4;
+
+ if (tbl->family == AF_INET)
+@@ -57,6 +55,8 @@ TRACE_EVENT(neigh_create,
+
+ #if IS_ENABLED(CONFIG_IPV6)
+ if (tbl->family == AF_INET6) {
++ struct in6_addr *pin6;
++
+ pin6 = (struct in6_addr *)__entry->primary_key6;
+ *pin6 = *(struct in6_addr *)pkey;
+ }
--- /dev/null
+From 61b40cefe51af005c72dbdcf975a3d166c6e6406 Mon Sep 17 00:00:00 2001
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+Date: Wed, 11 Oct 2023 11:24:19 +0800
+Subject: net: dsa: bcm_sf2: Fix possible memory leak in bcm_sf2_mdio_register()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+commit 61b40cefe51af005c72dbdcf975a3d166c6e6406 upstream.
+
+In bcm_sf2_mdio_register(), the class_find_device() will call get_device()
+to increment reference count for priv->master_mii_bus->dev if
+of_mdio_find_bus() succeeds. If mdiobus_alloc() or mdiobus_register()
+fails, it will call get_device() twice without decrement reference count
+for the device. And it is the same if bcm_sf2_mdio_register() succeeds but
+fails in bcm_sf2_sw_probe(), or if bcm_sf2_sw_probe() succeeds. If the
+reference count has not decremented to zero, the dev related resource will
+not be freed.
+
+So remove the get_device() in bcm_sf2_mdio_register(), and call
+put_device() if mdiobus_alloc() or mdiobus_register() fails and in
+bcm_sf2_mdio_unregister() to solve the issue.
+
+And as Simon suggested, unwind from errors for bcm_sf2_mdio_register() and
+just return 0 if it succeeds to make it cleaner.
+
+Fixes: 461cd1b03e32 ("net: dsa: bcm_sf2: Register our slave MDIO bus")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Suggested-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://lore.kernel.org/r/20231011032419.2423290-1-ruanjinjie@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/bcm_sf2.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -497,17 +497,16 @@ static int bcm_sf2_mdio_register(struct
+ dn = of_find_compatible_node(NULL, NULL, "brcm,unimac-mdio");
+ priv->master_mii_bus = of_mdio_find_bus(dn);
+ if (!priv->master_mii_bus) {
+- of_node_put(dn);
+- return -EPROBE_DEFER;
++ err = -EPROBE_DEFER;
++ goto err_of_node_put;
+ }
+
+- get_device(&priv->master_mii_bus->dev);
+ priv->master_mii_dn = dn;
+
+ priv->slave_mii_bus = mdiobus_alloc();
+ if (!priv->slave_mii_bus) {
+- of_node_put(dn);
+- return -ENOMEM;
++ err = -ENOMEM;
++ goto err_put_master_mii_bus_dev;
+ }
+
+ priv->slave_mii_bus->priv = priv;
+@@ -564,11 +563,17 @@ static int bcm_sf2_mdio_register(struct
+ }
+
+ err = mdiobus_register(priv->slave_mii_bus);
+- if (err && dn) {
+- mdiobus_free(priv->slave_mii_bus);
+- of_node_put(dn);
+- }
++ if (err && dn)
++ goto err_free_slave_mii_bus;
++
++ return 0;
+
++err_free_slave_mii_bus:
++ mdiobus_free(priv->slave_mii_bus);
++err_put_master_mii_bus_dev:
++ put_device(&priv->master_mii_bus->dev);
++err_of_node_put:
++ of_node_put(dn);
+ return err;
+ }
+
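Review bot: With the new `return 0;`, the condition `if (err && dn)` turns a failed mdiobus_register() into success whenever `dn` is NULL; before this change the function fell through to `return err;` in that case. `dn` is presumably never NULL here, because the of_mdio_find_bus(dn) check in the previous hunk bails out first, which would make `&& dn` dead code. Either way the test should be `if (err)` followed by `goto err_free_slave_mii_bus;`. The code between the two hunks is not visible, so confirm `dn` is not reassigned there.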
+@@ -576,6 +581,7 @@ static void bcm_sf2_mdio_unregister(stru
+ {
+ mdiobus_unregister(priv->slave_mii_bus);
+ mdiobus_free(priv->slave_mii_bus);
++ put_device(&priv->master_mii_bus->dev);
+ of_node_put(priv->master_mii_dn);
+ }
+
--- /dev/null
+From 513f61e2193350c7a345da98559b80f61aec4fa6 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make_ruc2021@163.com>
+Date: Mon, 9 Oct 2023 09:13:37 +0800
+Subject: net: ipv4: fix return value check in esp_remove_trailer
+
+From: Ma Ke <make_ruc2021@163.com>
+
+commit 513f61e2193350c7a345da98559b80f61aec4fa6 upstream.
+
+In esp_remove_trailer(), to avoid an unexpected result returned by
+pskb_trim, we should check the return value of pskb_trim().
+
+Signed-off-by: Ma Ke <make_ruc2021@163.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/esp4.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -741,7 +741,9 @@ static inline int esp_remove_trailer(str
+ skb->csum = csum_block_sub(skb->csum, csumdiff,
+ skb->len - trimlen);
+ }
+- pskb_trim(skb, skb->len - trimlen);
++ ret = pskb_trim(skb, skb->len - trimlen);
++ if (unlikely(ret))
++ return ret;
+
+ ret = nexthdr[1];
+
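Review bot: When pskb_trim() fails, the function now returns after `skb->csum` may already have been reduced by `csum_block_sub()` a few lines above, so the skb is left with a checksum that describes a trim which did not happen. That is harmless only if every caller drops the packet on a negative return, which is not visible from the hunk; a comment such as `/* on failure skb->csum is already adjusted; caller must drop the skb */` would record that contract. The same applies to the identical hunk in net/ipv6/esp6.c. esp_remove_trailer() starts and ends outside the hunk, so if it has a common exit label the early `return ret;` may be better written as a jump to it.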
--- /dev/null
+From dad4e491e30b20f4dc615c9da65d2142d703b5c2 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make_ruc2021@163.com>
+Date: Sat, 7 Oct 2023 08:59:53 +0800
+Subject: net: ipv6: fix return value check in esp_remove_trailer
+
+From: Ma Ke <make_ruc2021@163.com>
+
+commit dad4e491e30b20f4dc615c9da65d2142d703b5c2 upstream.
+
+In esp_remove_trailer(), to avoid an unexpected result returned by
+pskb_trim, we should check the return value of pskb_trim().
+
+Signed-off-by: Ma Ke <make_ruc2021@163.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/esp6.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -776,7 +776,9 @@ static inline int esp_remove_trailer(str
+ skb->csum = csum_block_sub(skb->csum, csumdiff,
+ skb->len - trimlen);
+ }
+- pskb_trim(skb, skb->len - trimlen);
++ ret = pskb_trim(skb, skb->len - trimlen);
++ if (unlikely(ret))
++ return ret;
+
+ ret = nexthdr[1];
+
--- /dev/null
+From 1d30162f35c7a73fc2f8cdcdcdbd690bedb99d1a Mon Sep 17 00:00:00 2001
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Date: Mon, 16 Oct 2023 14:08:59 +0000
+Subject: net: pktgen: Fix interface flags printing
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+commit 1d30162f35c7a73fc2f8cdcdcdbd690bedb99d1a upstream.
+
+Device flags are displayed incorrectly:
+1) The comparison (i == F_FLOW_SEQ) is always false, because F_FLOW_SEQ
+is equal to (1 << FLOW_SEQ_SHIFT) == 2048, and the maximum value
+of the 'i' variable is (NR_PKT_FLAG - 1) == 17. It should be compared
+with FLOW_SEQ_SHIFT.
+
+2) Similarly to the F_IPSEC flag.
+
+3) Also add spaces to the print end of the string literal "spi:%u"
+to prevent the output from merging with the flag that follows.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: 99c6d3d20d62 ("pktgen: Remove brute-force printing of flags")
+Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/pktgen.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/net/core/pktgen.c
++++ b/net/core/pktgen.c
+@@ -645,19 +645,19 @@ static int pktgen_if_show(struct seq_fil
+ seq_puts(seq, " Flags: ");
+
+ for (i = 0; i < NR_PKT_FLAGS; i++) {
+- if (i == F_FLOW_SEQ)
++ if (i == FLOW_SEQ_SHIFT)
+ if (!pkt_dev->cflows)
+ continue;
+
+- if (pkt_dev->flags & (1 << i))
++ if (pkt_dev->flags & (1 << i)) {
+ seq_printf(seq, "%s ", pkt_flag_names[i]);
+- else if (i == F_FLOW_SEQ)
+- seq_puts(seq, "FLOW_RND ");
+-
+ #ifdef CONFIG_XFRM
+- if (i == F_IPSEC && pkt_dev->spi)
+- seq_printf(seq, "spi:%u", pkt_dev->spi);
++ if (i == IPSEC_SHIFT && pkt_dev->spi)
++ seq_printf(seq, "spi:%u ", pkt_dev->spi);
+ #endif
++ } else if (i == FLOW_SEQ_SHIFT) {
++ seq_puts(seq, "FLOW_RND ");
++ }
+ }
+
+ seq_puts(seq, "\n");
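Review bot: The nested unbraced `if (i == FLOW_SEQ_SHIFT)` / `if (!pkt_dev->cflows)` at the top of the loop reads as a dangling-else hazard next to the newly braced block below it; `if (i == FLOW_SEQ_SHIFT && !pkt_dev->cflows)` followed by `continue;` says the same thing in one condition. The loop index is compared against shift constants while the flag test uses `1 << i`, so a one-line comment that `i` is a bit position, not a flag mask, would guard against the mix-up this commit fixes. pktgen_if_show() continues outside the hunk.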
--- /dev/null
+From b2f750c3a80b285cd60c9346f8c96bd0a2a66cde Mon Sep 17 00:00:00 2001
+From: Josua Mayer <josua@solid-run.com>
+Date: Wed, 4 Oct 2023 18:39:28 +0200
+Subject: net: rfkill: gpio: prevent value glitch during probe
+
+From: Josua Mayer <josua@solid-run.com>
+
+commit b2f750c3a80b285cd60c9346f8c96bd0a2a66cde upstream.
+
+When either reset- or shutdown-gpio have are initially deasserted,
+e.g. after a reboot - or when the hardware does not include pull-down,
+there will be a short toggle of both IOs to logical 0 and back to 1.
+
+It seems that the rfkill default is unblocked, so the driver should not
+glitch to output low during probe.
+It can lead e.g. to unexpected lte modem reconnect:
+
+[1] root@localhost:~# dmesg | grep "usb 2-1"
+[ 2.136124] usb 2-1: new SuperSpeed USB device number 2 using xhci-hcd
+[ 21.215278] usb 2-1: USB disconnect, device number 2
+[ 28.833977] usb 2-1: new SuperSpeed USB device number 3 using xhci-hcd
+
+The glitch has been discovered on an arm64 board, now that device-tree
+support for the rfkill-gpio driver has finally appeared :).
+
+Change the flags for devm_gpiod_get_optional from GPIOD_OUT_LOW to
+GPIOD_ASIS to avoid any glitches.
+The rfkill driver will set the intended value during rfkill_sync_work.
+
+Fixes: 7176ba23f8b5 ("net: rfkill: add generic gpio rfkill driver")
+Signed-off-by: Josua Mayer <josua@solid-run.com>
+Link: https://lore.kernel.org/r/20231004163928.14609-1-josua@solid-run.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rfkill/rfkill-gpio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/rfkill/rfkill-gpio.c
++++ b/net/rfkill/rfkill-gpio.c
+@@ -98,13 +98,13 @@ static int rfkill_gpio_probe(struct plat
+
+ rfkill->clk = devm_clk_get(&pdev->dev, NULL);
+
+- gpio = devm_gpiod_get_optional(&pdev->dev, "reset", GPIOD_OUT_LOW);
++ gpio = devm_gpiod_get_optional(&pdev->dev, "reset", GPIOD_ASIS);
+ if (IS_ERR(gpio))
+ return PTR_ERR(gpio);
+
+ rfkill->reset_gpio = gpio;
+
+- gpio = devm_gpiod_get_optional(&pdev->dev, "shutdown", GPIOD_OUT_LOW);
++ gpio = devm_gpiod_get_optional(&pdev->dev, "shutdown", GPIOD_ASIS);
+ if (IS_ERR(gpio))
+ return PTR_ERR(gpio);
+
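Review bot: GPIOD_ASIS leaves the line's direction untouched, so after this change nothing in the hunk configures `reset` or `shutdown` as outputs. The GPIO consumer API expects a direction to be set before the value is driven; unless the set_block path (outside the hunk) calls `gpiod_direction_output()`, a later `gpiod_set_value*()` on a line that booted as an input may have no effect. Setting the direction explicitly with the intended level, at the point where the rfkill state is first applied, keeps the glitch fix while making the lines defined outputs. rfkill_gpio_probe() starts and ends outside the hunk.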
--- /dev/null
+From a13b67c9a015c4e21601ef9aa4ec9c5d972df1b4 Mon Sep 17 00:00:00 2001
+From: Pedro Tammela <pctammela@mojatatu.com>
+Date: Tue, 17 Oct 2023 11:36:02 -0300
+Subject: net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve
+
+From: Pedro Tammela <pctammela@mojatatu.com>
+
+commit a13b67c9a015c4e21601ef9aa4ec9c5d972df1b4 upstream.
+
+Christian Theune says:
+ I upgraded from 6.1.38 to 6.1.55 this morning and it broke my traffic shaping script,
+ leaving me with a non-functional uplink on a remote router.
+
+A 'rt' curve cannot be used as a inner curve (parent class), but we were
+allowing such configurations since the qdisc was introduced. Such
+configurations would trigger a UAF as Budimir explains:
+ The parent will have vttree_insert() called on it in init_vf(),
+ but will not have vttree_remove() called on it in update_vf()
+ because it does not have the HFSC_FSC flag set.
+
+The qdisc always assumes that inner classes have the HFSC_FSC flag set.
+This is by design as it doesn't make sense 'qdisc wise' for an 'rt'
+curve to be an inner curve.
+
+Budimir's original patch disallows users to add classes with a 'rt'
+parent, but this is too strict as it breaks users that have been using
+'rt' as a inner class. Another approach, taken by this patch, is to
+upgrade the inner 'rt' into a 'sc', warning the user in the process.
+It avoids the UAF reported by Budimir while also being more permissive
+to bad scripts/users/code using 'rt' as a inner class.
+
+Users checking the `tc class ls [...]` or `tc class get [...]` dumps would
+observe the curve change and are potentially breaking with this change.
+
+v1->v2: https://lore.kernel.org/all/20231013151057.2611860-1-pctammela@mojatatu.com/
+- Correct 'Fixes' tag and merge with revert (Jakub)
+
+Cc: Christian Theune <ct@flyingcircus.io>
+Cc: Budimir Markovic <markovicbudimir@gmail.com>
+Fixes: b3d26c5702c7 ("net/sched: sch_hfsc: Ensure inner classes have fsc curve")
+Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://lore.kernel.org/r/20231017143602.3191556-1-pctammela@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_hfsc.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/net/sched/sch_hfsc.c
++++ b/net/sched/sch_hfsc.c
+@@ -903,6 +903,14 @@ hfsc_change_usc(struct hfsc_class *cl, s
+ cl->cl_flags |= HFSC_USC;
+ }
+
++static void
++hfsc_upgrade_rt(struct hfsc_class *cl)
++{
++ cl->cl_fsc = cl->cl_rsc;
++ rtsc_init(&cl->cl_virtual, &cl->cl_fsc, cl->cl_vt, cl->cl_total);
++ cl->cl_flags |= HFSC_FSC;
++}
++
+ static const struct nla_policy hfsc_policy[TCA_HFSC_MAX + 1] = {
+ [TCA_HFSC_RSC] = { .len = sizeof(struct tc_service_curve) },
+ [TCA_HFSC_FSC] = { .len = sizeof(struct tc_service_curve) },
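Review bot: hfsc_upgrade_rt() has no comment, although it exists to close a use-after-free and silently rewrites a class's configuration. The reasoning is in the commit message and should sit on the function: a block comment saying that an inner class without HFSC_FSC gets vttree_insert() in init_vf() but never vttree_remove() in update_vf(), so the parent's `cl_rsc` is copied to `cl_fsc` and HFSC_FSC is set. In the hfsc_change_class() hunk further down, the message is attached with `NL_SET_ERR_MSG()` on a path that then succeeds; a short note there that it is an informational warning, not a failure, would keep a later reader from adding a `return`.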
+@@ -1012,10 +1020,6 @@ hfsc_change_class(struct Qdisc *sch, u32
+ if (parent == NULL)
+ return -ENOENT;
+ }
+- if (!(parent->cl_flags & HFSC_FSC) && parent != &q->root) {
+- NL_SET_ERR_MSG(extack, "Invalid parent - parent class must have FSC");
+- return -EINVAL;
+- }
+
+ if (classid == 0 || TC_H_MAJ(classid ^ sch->handle) != 0)
+ return -EINVAL;
+@@ -1068,6 +1072,12 @@ hfsc_change_class(struct Qdisc *sch, u32
+ cl->cf_tree = RB_ROOT;
+
+ sch_tree_lock(sch);
++ /* Check if the inner class is a misconfigured 'rt' */
++ if (!(parent->cl_flags & HFSC_FSC) && parent != &q->root) {
++ NL_SET_ERR_MSG(extack,
++ "Forced curve change on parent 'rt' to 'sc'");
++ hfsc_upgrade_rt(parent);
++ }
+ qdisc_class_hash_insert(&q->clhash, &cl->cl_common);
+ list_add_tail(&cl->siblings, &parent->children);
+ if (parent->level == 0)
--- /dev/null
+From c53647a5df9e66dd9fedf240198e1fe50d88c286 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Mon, 16 Oct 2023 20:28:10 +0300
+Subject: net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit c53647a5df9e66dd9fedf240198e1fe50d88c286 upstream.
+
+Return a negative error code instead of success.
+
+Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/147927f0-9ada-45cc-81ff-75a19dd30b76@moroto.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/smsc95xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -863,7 +863,7 @@ static int smsc95xx_reset(struct usbnet
+
+ if (timeout >= 100) {
+ netdev_warn(dev->net, "timeout waiting for completion of Lite Reset\n");
+- return ret;
++ return -ETIMEDOUT;
+ }
+
+ ret = smsc95xx_write_reg(dev, PM_CTRL, PM_CTL_PHY_RST_);
--- /dev/null
+From d111692a59c1470ae530cbb39bcf0346c950ecc7 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 17 Oct 2023 12:28:27 +0200
+Subject: netfilter: nft_set_rbtree: .deactivate fails if element has expired
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit d111692a59c1470ae530cbb39bcf0346c950ecc7 upstream.
+
+This allows to remove an expired element which is not possible in other
+existing set backends, this is more noticeable if gc-interval is high so
+expired elements remain in the tree. On-demand gc also does not help in
+this case, because this is delete element path. Return NULL if element
+has expired.
+
+Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_set_rbtree.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nft_set_rbtree.c
++++ b/net/netfilter/nft_set_rbtree.c
+@@ -570,6 +570,8 @@ static void *nft_rbtree_deactivate(const
+ nft_rbtree_interval_end(this)) {
+ parent = parent->rb_right;
+ continue;
++ } else if (nft_set_elem_expired(&rbe->ext)) {
++ break;
+ } else if (!nft_set_elem_active(&rbe->ext, genmask)) {
+ parent = parent->rb_left;
+ continue;
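Review bot: The new `break` ends the descent at the first expired element with a matching key, and nothing in the hunk says what the caller then sees. A comment such as `/* expired elements cannot be deactivated: stop and report not-found, like the other set backends */` would document it; the return path is outside the hunk, so confirm that leaving the loop here yields NULL as the commit message states. It is also worth confirming that an expired element cannot shadow a live element with the same key deeper in the tree, since the `!nft_set_elem_active()` branch keeps searching while this one does not.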
--- /dev/null
+From 2f3389c73832ad90b63208c0fc281ad080114c7a Mon Sep 17 00:00:00 2001
+From: Manish Chopra <manishc@marvell.com>
+Date: Fri, 13 Oct 2023 18:48:12 +0530
+Subject: qed: fix LL2 RX buffer allocation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Manish Chopra <manishc@marvell.com>
+
+commit 2f3389c73832ad90b63208c0fc281ad080114c7a upstream.
+
+Driver allocates the LL2 rx buffers from kmalloc()
+area to construct the skb using slab_build_skb()
+
+The required size allocation seems to have overlooked
+for accounting both skb_shared_info size and device
+placement padding bytes which results into the below
+panic when doing skb_put() for a standard MTU sized frame.
+
+skbuff: skb_over_panic: text:ffffffffc0b0225f len:1514 put:1514
+head:ff3dabceaf39c000 data:ff3dabceaf39c042 tail:0x62c end:0x566
+dev:<NULL>
+…
+skb_panic+0x48/0x4a
+skb_put.cold+0x10/0x10
+qed_ll2b_complete_rx_packet+0x14f/0x260 [qed]
+qed_ll2_rxq_handle_completion.constprop.0+0x169/0x200 [qed]
+qed_ll2_rxq_completion+0xba/0x320 [qed]
+qed_int_sp_dpc+0x1a7/0x1e0 [qed]
+
+This patch fixes this by accouting skb_shared_info and device
+placement padding size bytes when allocating the buffers.
+
+Cc: David S. Miller <davem@davemloft.net>
+Fixes: 0a7fb11c23c0 ("qed: Add Light L2 support")
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_ll2.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_ll2.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.c
+@@ -87,7 +87,10 @@ static void qed_ll2b_complete_tx_packet(
+ static int qed_ll2_alloc_buffer(struct qed_dev *cdev,
+ u8 **data, dma_addr_t *phys_addr)
+ {
+- *data = kmalloc(cdev->ll2->rx_size, GFP_ATOMIC);
++ size_t size = cdev->ll2->rx_size + NET_SKB_PAD +
++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
++
++ *data = kmalloc(size, GFP_ATOMIC);
+ if (!(*data)) {
+ DP_INFO(cdev, "Failed to allocate LL2 buffer data\n");
+ return -ENOMEM;
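Review bot: The allocation size in qed_ll2_alloc_buffer() and the `rx_size` formula changed in qed_ll2_start() (next hunk) now have to agree with how the skb is built and how the buffer is DMA-mapped, and nothing ties them together. A comment above `size` describing the layout, e.g. `/* NET_SKB_PAD headroom + rx_size (device pad, Ethernet header, cache line, MTU) + aligned skb_shared_info */`, would make a future mismatch easier to spot. The mapping length and the skb construction are outside the hunk; if they still use `rx_size` alone that is consistent with this layout, but it should be checked, since the original bug was an overrun of exactly this buffer.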
+@@ -2541,7 +2544,7 @@ static int qed_ll2_start(struct qed_dev
+ INIT_LIST_HEAD(&cdev->ll2->list);
+ spin_lock_init(&cdev->ll2->lock);
+
+- cdev->ll2->rx_size = NET_SKB_PAD + ETH_HLEN +
++ cdev->ll2->rx_size = PRM_DMA_PAD_BYTES_NUM + ETH_HLEN +
+ L1_CACHE_BYTES + params->mtu;
+
+ /* Allocate memory for LL2.
netfilter-nft_payload-fix-wrong-mac-header-matching.patch
nvmet-tcp-fix-a-possible-uaf-in-queue-intialization-setup.patch
drm-i915-retry-gtt-fault-when-out-of-fence-registers.patch
+qed-fix-ll2-rx-buffer-allocation.patch
+xfrm-fix-a-data-race-in-xfrm_gen_index.patch
+xfrm-interface-use-dev_stats_inc.patch
+net-ipv4-fix-return-value-check-in-esp_remove_trailer.patch
+net-ipv6-fix-return-value-check-in-esp_remove_trailer.patch
+net-rfkill-gpio-prevent-value-glitch-during-probe.patch
+tcp-fix-excessive-tlp-and-rack-timeouts-from-hz-rounding.patch
+tcp-tsq-relax-tcp_small_queue_check-when-rtx-queue-contains-a-single-skb.patch
+tun-prevent-negative-ifindex.patch
+ipv4-fib-annotate-races-around-nh-nh_saddr_genid-and-nh-nh_saddr.patch
+net-usb-smsc95xx-fix-an-error-code-in-smsc95xx_reset.patch
+i40e-prevent-crash-on-probe-if-hw-registers-have-invalid-values.patch
+net-dsa-bcm_sf2-fix-possible-memory-leak-in-bcm_sf2_mdio_register.patch
+net-sched-sch_hfsc-upgrade-rt-to-sc-when-it-becomes-a-inner-curve.patch
+neighbor-tracing-move-pin6-inside-config_ipv6-y-section.patch
+netfilter-nft_set_rbtree-.deactivate-fails-if-element-has-expired.patch
+net-pktgen-fix-interface-flags-printing.patch
--- /dev/null
+From 1c2709cfff1dedbb9591e989e2f001484208d914 Mon Sep 17 00:00:00 2001
+From: Neal Cardwell <ncardwell@google.com>
+Date: Sun, 15 Oct 2023 13:47:00 -0400
+Subject: tcp: fix excessive TLP and RACK timeouts from HZ rounding
+
+From: Neal Cardwell <ncardwell@google.com>
+
+commit 1c2709cfff1dedbb9591e989e2f001484208d914 upstream.
+
+We discovered from packet traces of slow loss recovery on kernels with
+the default HZ=250 setting (and min_rtt < 1ms) that after reordering,
+when receiving a SACKed sequence range, the RACK reordering timer was
+firing after about 16ms rather than the desired value of roughly
+min_rtt/4 + 2ms. The problem is largely due to the RACK reorder timer
+calculation adding in TCP_TIMEOUT_MIN, which is 2 jiffies. On kernels
+with HZ=250, this is 2*4ms = 8ms. The TLP timer calculation has the
+exact same issue.
+
+This commit fixes the TLP transmit timer and RACK reordering timer
+floor calculation to more closely match the intended 2ms floor even on
+kernels with HZ=250. It does this by adding in a new
+TCP_TIMEOUT_MIN_US floor of 2000 us and then converting to jiffies,
+instead of the current approach of converting to jiffies and then
+adding th TCP_TIMEOUT_MIN value of 2 jiffies.
+
+Our testing has verified that on kernels with HZ=1000, as expected,
+this does not produce significant changes in behavior, but on kernels
+with the default HZ=250 the latency improvement can be large. For
+example, our tests show that for HZ=250 kernels at low RTTs this fix
+roughly halves the latency for the RACK reorder timer: instead of
+mostly firing at 16ms it mostly fires at 8ms.
+
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Fixes: bb4d991a28cc ("tcp: adjust tail loss probe timeout")
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20231015174700.2206872-1-ncardwell.sw@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tcp.h | 3 +++
+ net/ipv4/tcp_output.c | 9 +++++----
+ net/ipv4/tcp_recovery.c | 2 +-
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -141,6 +141,9 @@ void tcp_time_wait(struct sock *sk, int
+ #define TCP_RTO_MAX ((unsigned)(120*HZ))
+ #define TCP_RTO_MIN ((unsigned)(HZ/5))
+ #define TCP_TIMEOUT_MIN (2U) /* Min timeout for TCP timers in jiffies */
++
++#define TCP_TIMEOUT_MIN_US (2*USEC_PER_MSEC) /* Min TCP timeout in microsecs */
++
+ #define TCP_TIMEOUT_INIT ((unsigned)(1*HZ)) /* RFC6298 2.1 initial RTO value */
+ #define TCP_TIMEOUT_FALLBACK ((unsigned)(3*HZ)) /* RFC 1122 initial RTO value, now
+ * used as a fallback RTO for the
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2727,7 +2727,7 @@ bool tcp_schedule_loss_probe(struct sock
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct tcp_sock *tp = tcp_sk(sk);
+- u32 timeout, rto_delta_us;
++ u32 timeout, timeout_us, rto_delta_us;
+ int early_retrans;
+
+ /* Don't do any loss probe on a Fast Open connection before 3WHS
+@@ -2751,11 +2751,12 @@ bool tcp_schedule_loss_probe(struct sock
+ * sample is available then probe after TCP_TIMEOUT_INIT.
+ */
+ if (tp->srtt_us) {
+- timeout = usecs_to_jiffies(tp->srtt_us >> 2);
++ timeout_us = tp->srtt_us >> 2;
+ if (tp->packets_out == 1)
+- timeout += TCP_RTO_MIN;
++ timeout_us += tcp_rto_min_us(sk);
+ else
+- timeout += TCP_TIMEOUT_MIN;
++ timeout_us += TCP_TIMEOUT_MIN_US;
++ timeout = usecs_to_jiffies(timeout_us);
+ } else {
+ timeout = TCP_TIMEOUT_INIT;
+ }
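Review bot: The `packets_out == 1` branch of tcp_schedule_loss_probe now adds `tcp_rto_min_us(sk)` where it used to add the constant `TCP_RTO_MIN`, which is more than the unit conversion the description talks about. As far as I know that helper can return a per-route minimum RTO, so the single-packet probe delay may no longer be the old fixed value on routes that configure one. That looks intentional, but neither the description nor the code says so. A short comment above `timeout_us = tp->srtt_us >> 2;`, for example `/* floor is added in usec so HZ rounding happens once; rto_min may be per-route */`, would record it. The function starts and ends outside this hunk.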
+--- a/net/ipv4/tcp_recovery.c
++++ b/net/ipv4/tcp_recovery.c
+@@ -109,7 +109,7 @@ bool tcp_rack_mark_lost(struct sock *sk)
+ tp->rack.advanced = 0;
+ tcp_rack_detect_loss(sk, &timeout);
+ if (timeout) {
+- timeout = usecs_to_jiffies(timeout) + TCP_TIMEOUT_MIN;
++ timeout = usecs_to_jiffies(timeout + TCP_TIMEOUT_MIN_US);
+ inet_csk_reset_xmit_timer(sk, ICSK_TIME_REO_TIMEOUT,
+ timeout, inet_csk(sk)->icsk_rto);
+ }
--- /dev/null
+From f921a4a5bffa8a0005b190fb9421a7fc1fd716b6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 17 Oct 2023 12:45:26 +0000
+Subject: tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit f921a4a5bffa8a0005b190fb9421a7fc1fd716b6 upstream.
+
+In commit 75eefc6c59fd ("tcp: tsq: add a shortcut in tcp_small_queue_check()")
+we allowed to send an skb regardless of TSQ limits being hit if rtx queue
+was empty or had a single skb, in order to better fill the pipe
+when/if TX completions were slow.
+
+Then later, commit 75c119afe14f ("tcp: implement rb-tree based
+retransmit queue") accidentally removed the special case for
+one skb in rtx queue.
+
+Stefan Wahren reported a regression in single TCP flow throughput
+using a 100Mbit fec link, starting from commit 65466904b015 ("tcp: adjust
+TSO packet sizes based on min_rtt"). This last commit only made the
+regression more visible, because it locked the TCP flow on a particular
+behavior where TSQ prevented two skbs being pushed downstream,
+adding silences on the wire between each TSO packet.
+
+Many thanks to Stefan for his invaluable help !
+
+Fixes: 75c119afe14f ("tcp: implement rb-tree based retransmit queue")
+Link: https://lore.kernel.org/netdev/7f31ddc8-9971-495e-a1f6-819df542e0af@gmx.net/
+Reported-by: Stefan Wahren <wahrenst@gmx.net>
+Tested-by: Stefan Wahren <wahrenst@gmx.net>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Link: https://lore.kernel.org/r/20231017124526.4060202-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_output.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2482,6 +2482,18 @@ static bool tcp_pacing_check(struct sock
+ return true;
+ }
+
++static bool tcp_rtx_queue_empty_or_single_skb(const struct sock *sk)
++{
++ const struct rb_node *node = sk->tcp_rtx_queue.rb_node;
++
++ /* No skb in the rtx queue. */
++ if (!node)
++ return true;
++
++ /* Only one skb in rtx queue. */
++ return !node->rb_left && !node->rb_right;
++}
++
+ /* TCP Small Queues :
+ * Control number of packets in qdisc/devices to two packets / or ~1 ms.
+ * (These limits are doubled for retransmits)
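Review bot: tcp_rtx_queue_empty_or_single_skb() reads `sk->tcp_rtx_queue.rb_node` and its child pointers with no locking or annotation of its own, so it is only correct if the caller already owns the socket, and that requirement is not written down. A one-line comment above the helper, e.g. `/* Caller must own the socket: the rtx rb-tree is read without further locking. */`, would state it. The callers are outside this hunk, so the locking context is inferred rather than confirmed.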
+@@ -2519,12 +2531,12 @@ static bool tcp_small_queue_check(struct
+ limit += extra_bytes;
+ }
+ if (refcount_read(&sk->sk_wmem_alloc) > limit) {
+- /* Always send skb if rtx queue is empty.
++ /* Always send skb if rtx queue is empty or has one skb.
+ * No need to wait for TX completion to call us back,
+ * after softirq/tasklet schedule.
+ * This helps when TX completions are delayed too much.
+ */
+- if (tcp_rtx_queue_empty(sk))
++ if (tcp_rtx_queue_empty_or_single_skb(sk))
+ return false;
+
+ set_bit(TSQ_THROTTLED, &sk->sk_tsq_flags);
--- /dev/null
+From cbfbfe3aee718dc4c3c837f5d2463170ee59d78c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 16 Oct 2023 18:08:51 +0000
+Subject: tun: prevent negative ifindex
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit cbfbfe3aee718dc4c3c837f5d2463170ee59d78c upstream.
+
+After commit 956db0a13b47 ("net: warn about attempts to register
+negative ifindex") syzbot is able to trigger the following splat.
+
+Negative ifindex are not supported.
+
+WARNING: CPU: 1 PID: 6003 at net/core/dev.c:9596 dev_index_reserve+0x104/0x210
+Modules linked in:
+CPU: 1 PID: 6003 Comm: syz-executor926 Not tainted 6.6.0-rc4-syzkaller-g19af4a4ed414 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
+pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : dev_index_reserve+0x104/0x210
+lr : dev_index_reserve+0x100/0x210
+sp : ffff800096a878e0
+x29: ffff800096a87930 x28: ffff0000d04380d0 x27: ffff0000d04380f8
+x26: ffff0000d04380f0 x25: 1ffff00012d50f20 x24: 1ffff00012d50f1c
+x23: dfff800000000000 x22: ffff8000929c21c0 x21: 00000000ffffffea
+x20: ffff0000d04380e0 x19: ffff800096a87900 x18: ffff800096a874c0
+x17: ffff800084df5008 x16: ffff80008051f9c4 x15: 0000000000000001
+x14: 1fffe0001a087198 x13: 0000000000000000 x12: 0000000000000000
+x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
+x8 : ffff0000d41c9bc0 x7 : 0000000000000000 x6 : 0000000000000000
+x5 : ffff800091763d88 x4 : 0000000000000000 x3 : ffff800084e04748
+x2 : 0000000000000001 x1 : 00000000fead71c7 x0 : 0000000000000000
+Call trace:
+dev_index_reserve+0x104/0x210
+register_netdevice+0x598/0x1074 net/core/dev.c:10084
+tun_set_iff+0x630/0xb0c drivers/net/tun.c:2850
+__tun_chr_ioctl+0x788/0x2af8 drivers/net/tun.c:3118
+tun_chr_ioctl+0x38/0x4c drivers/net/tun.c:3403
+vfs_ioctl fs/ioctl.c:51 [inline]
+__do_sys_ioctl fs/ioctl.c:871 [inline]
+__se_sys_ioctl fs/ioctl.c:857 [inline]
+__arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:857
+__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
+invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
+el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
+do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
+el0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678
+el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
+el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
+irq event stamp: 11348
+hardirqs last enabled at (11347): [<ffff80008a716574>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
+hardirqs last enabled at (11347): [<ffff80008a716574>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
+hardirqs last disabled at (11348): [<ffff80008a627820>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:436
+softirqs last enabled at (11138): [<ffff8000887ca53c>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
+softirqs last enabled at (11138): [<ffff8000887ca53c>] release_sock+0x15c/0x1b0 net/core/sock.c:3531
+softirqs last disabled at (11136): [<ffff8000887ca41c>] spin_lock_bh include/linux/spinlock.h:356 [inline]
+softirqs last disabled at (11136): [<ffff8000887ca41c>] release_sock+0x3c/0x1b0 net/core/sock.c:3518
+
+Fixes: fb7589a16216 ("tun: Add ability to create tun device with given index")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Link: https://lore.kernel.org/r/20231016180851.3560092-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -3064,10 +3064,11 @@ static long __tun_chr_ioctl(struct file
+ struct net *net = sock_net(&tfile->sk);
+ struct tun_struct *tun;
+ void __user* argp = (void __user*)arg;
+- unsigned int ifindex, carrier;
++ unsigned int carrier;
+ struct ifreq ifr;
+ kuid_t owner;
+ kgid_t group;
++ int ifindex;
+ int sndbuf;
+ int vnet_hdr_sz;
+ int le;
+@@ -3124,7 +3125,9 @@ static long __tun_chr_ioctl(struct file
+ ret = -EFAULT;
+ if (copy_from_user(&ifindex, argp, sizeof(ifindex)))
+ goto unlock;
+-
++ ret = -EINVAL;
++ if (ifindex < 0)
++ goto unlock;
+ ret = 0;
+ tfile->ifindex = ifindex;
+ goto unlock;
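Review bot: The new `ifindex < 0` test is the only validation of this user-supplied value before it is stored in `tfile->ifindex`, and the reason for it lives only in the commit message. A comment on the check, e.g. `/* register_netdevice() warns on a negative ifindex; reject it at the ioctl boundary */`, would keep that reason next to the code. The earlier hunk changes the local from `unsigned int` to `int` so that the comparison can be true at all. The type of `tfile->ifindex` is declared outside these hunks, so whether the stored field is signed cannot be checked here. __tun_chr_ioctl continues outside the hunk.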
--- /dev/null
+From 3e4bc23926b83c3c67e5f61ae8571602754131a6 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 8 Sep 2023 18:13:59 +0000
+Subject: xfrm: fix a data-race in xfrm_gen_index()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 3e4bc23926b83c3c67e5f61ae8571602754131a6 upstream.
+
+xfrm_gen_index() mutual exclusion uses net->xfrm.xfrm_policy_lock.
+
+This means we must use a per-netns idx_generator variable,
+instead of a static one.
+Alternative would be to use an atomic variable.
+
+syzbot reported:
+
+BUG: KCSAN: data-race in xfrm_sk_policy_insert / xfrm_sk_policy_insert
+
+write to 0xffffffff87005938 of 4 bytes by task 29466 on cpu 0:
+xfrm_gen_index net/xfrm/xfrm_policy.c:1385 [inline]
+xfrm_sk_policy_insert+0x262/0x640 net/xfrm/xfrm_policy.c:2347
+xfrm_user_policy+0x413/0x540 net/xfrm/xfrm_state.c:2639
+do_ipv6_setsockopt+0x1317/0x2ce0 net/ipv6/ipv6_sockglue.c:943
+ipv6_setsockopt+0x57/0x130 net/ipv6/ipv6_sockglue.c:1012
+rawv6_setsockopt+0x21e/0x410 net/ipv6/raw.c:1054
+sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
+__sys_setsockopt+0x1c9/0x230 net/socket.c:2263
+__do_sys_setsockopt net/socket.c:2274 [inline]
+__se_sys_setsockopt net/socket.c:2271 [inline]
+__x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+read to 0xffffffff87005938 of 4 bytes by task 29460 on cpu 1:
+xfrm_sk_policy_insert+0x13e/0x640
+xfrm_user_policy+0x413/0x540 net/xfrm/xfrm_state.c:2639
+do_ipv6_setsockopt+0x1317/0x2ce0 net/ipv6/ipv6_sockglue.c:943
+ipv6_setsockopt+0x57/0x130 net/ipv6/ipv6_sockglue.c:1012
+rawv6_setsockopt+0x21e/0x410 net/ipv6/raw.c:1054
+sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
+__sys_setsockopt+0x1c9/0x230 net/socket.c:2263
+__do_sys_setsockopt net/socket.c:2274 [inline]
+__se_sys_setsockopt net/socket.c:2271 [inline]
+__x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x00006ad8 -> 0x00006b18
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 29460 Comm: syz-executor.1 Not tainted 6.5.0-rc5-syzkaller-00243-g9106536c1aa3 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
+
+Fixes: 1121994c803f ("netns xfrm: policy insertion in netns")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/netns/xfrm.h | 1 +
+ net/xfrm/xfrm_policy.c | 6 ++----
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+--- a/include/net/netns/xfrm.h
++++ b/include/net/netns/xfrm.h
+@@ -49,6 +49,7 @@ struct netns_xfrm {
+ struct list_head policy_all;
+ struct hlist_head *policy_byidx;
+ unsigned int policy_idx_hmask;
++ unsigned int idx_generator;
+ struct hlist_head policy_inexact[XFRM_POLICY_MAX];
+ struct xfrm_policy_hash policy_bydst[XFRM_POLICY_MAX];
+ unsigned int policy_count[XFRM_POLICY_MAX * 2];
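Review bot: `idx_generator` is added to struct netns_xfrm with no comment saying what protects it, although the description's whole argument is that `net->xfrm.xfrm_policy_lock` serialises xfrm_gen_index(). Suggest `unsigned int idx_generator; /* protected by xfrm_policy_lock */` here. The read-modify-write in the net/xfrm/xfrm_policy.c hunks is still a plain access, so it is race-free only while every caller holds that lock for the same netns. Adding `lockdep_assert_held(&net->xfrm.xfrm_policy_lock);` at the top of xfrm_gen_index() would turn the assumption into a checked one. The callers and the rest of the struct are outside these hunks, so this needs confirming against them.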
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -1371,8 +1371,6 @@ EXPORT_SYMBOL(xfrm_policy_hash_rebuild);
+ * of an absolute inpredictability of ordering of rules. This will not pass. */
+ static u32 xfrm_gen_index(struct net *net, int dir, u32 index)
+ {
+- static u32 idx_generator;
+-
+ for (;;) {
+ struct hlist_head *list;
+ struct xfrm_policy *p;
+@@ -1380,8 +1378,8 @@ static u32 xfrm_gen_index(struct net *ne
+ int found;
+
+ if (!index) {
+- idx = (idx_generator | dir);
+- idx_generator += 8;
++ idx = (net->xfrm.idx_generator | dir);
++ net->xfrm.idx_generator += 8;
+ } else {
+ idx = index;
+ index = 0;
--- /dev/null
+From f7c4e3e5d4f6609b4725a97451948ca2e425379a Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 5 Sep 2023 13:23:03 +0000
+Subject: xfrm: interface: use DEV_STATS_INC()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit f7c4e3e5d4f6609b4725a97451948ca2e425379a upstream.
+
+syzbot/KCSAN reported data-races in xfrm whenever dev->stats fields
+are updated.
+
+It appears all of these updates can happen from multiple cpus.
+
+Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.
+
+BUG: KCSAN: data-race in xfrmi_xmit / xfrmi_xmit
+
+read-write to 0xffff88813726b160 of 8 bytes by task 23986 on cpu 1:
+xfrmi_xmit+0x74e/0xb20 net/xfrm/xfrm_interface_core.c:583
+__netdev_start_xmit include/linux/netdevice.h:4889 [inline]
+netdev_start_xmit include/linux/netdevice.h:4903 [inline]
+xmit_one net/core/dev.c:3544 [inline]
+dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560
+__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340
+dev_queue_xmit include/linux/netdevice.h:3082 [inline]
+neigh_connected_output+0x231/0x2a0 net/core/neighbour.c:1581
+neigh_output include/net/neighbour.h:542 [inline]
+ip_finish_output2+0x74a/0x850 net/ipv4/ip_output.c:230
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:318
+NF_HOOK_COND include/linux/netfilter.h:293 [inline]
+ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:432
+dst_output include/net/dst.h:458 [inline]
+ip_local_out net/ipv4/ip_output.c:127 [inline]
+ip_send_skb+0x72/0xe0 net/ipv4/ip_output.c:1487
+udp_send_skb+0x6a4/0x990 net/ipv4/udp.c:963
+udp_sendmsg+0x1249/0x12d0 net/ipv4/udp.c:1246
+inet_sendmsg+0x63/0x80 net/ipv4/af_inet.c:840
+sock_sendmsg_nosec net/socket.c:730 [inline]
+sock_sendmsg net/socket.c:753 [inline]
+____sys_sendmsg+0x37c/0x4d0 net/socket.c:2540
+___sys_sendmsg net/socket.c:2594 [inline]
+__sys_sendmmsg+0x269/0x500 net/socket.c:2680
+__do_sys_sendmmsg net/socket.c:2709 [inline]
+__se_sys_sendmmsg net/socket.c:2706 [inline]
+__x64_sys_sendmmsg+0x57/0x60 net/socket.c:2706
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+read-write to 0xffff88813726b160 of 8 bytes by task 23987 on cpu 0:
+xfrmi_xmit+0x74e/0xb20 net/xfrm/xfrm_interface_core.c:583
+__netdev_start_xmit include/linux/netdevice.h:4889 [inline]
+netdev_start_xmit include/linux/netdevice.h:4903 [inline]
+xmit_one net/core/dev.c:3544 [inline]
+dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560
+__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340
+dev_queue_xmit include/linux/netdevice.h:3082 [inline]
+neigh_connected_output+0x231/0x2a0 net/core/neighbour.c:1581
+neigh_output include/net/neighbour.h:542 [inline]
+ip_finish_output2+0x74a/0x850 net/ipv4/ip_output.c:230
+ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:318
+NF_HOOK_COND include/linux/netfilter.h:293 [inline]
+ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:432
+dst_output include/net/dst.h:458 [inline]
+ip_local_out net/ipv4/ip_output.c:127 [inline]
+ip_send_skb+0x72/0xe0 net/ipv4/ip_output.c:1487
+udp_send_skb+0x6a4/0x990 net/ipv4/udp.c:963
+udp_sendmsg+0x1249/0x12d0 net/ipv4/udp.c:1246
+inet_sendmsg+0x63/0x80 net/ipv4/af_inet.c:840
+sock_sendmsg_nosec net/socket.c:730 [inline]
+sock_sendmsg net/socket.c:753 [inline]
+____sys_sendmsg+0x37c/0x4d0 net/socket.c:2540
+___sys_sendmsg net/socket.c:2594 [inline]
+__sys_sendmmsg+0x269/0x500 net/socket.c:2680
+__do_sys_sendmmsg net/socket.c:2709 [inline]
+__se_sys_sendmmsg net/socket.c:2706 [inline]
+__x64_sys_sendmmsg+0x57/0x60 net/socket.c:2706
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x00000000000010d7 -> 0x00000000000010d8
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 23987 Comm: syz-executor.5 Not tainted 6.5.0-syzkaller-10885-g0468be89b3fa #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
+
+Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_interface_core.c | 22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+--- a/net/xfrm/xfrm_interface_core.c
++++ b/net/xfrm/xfrm_interface_core.c
+@@ -274,8 +274,8 @@ static int xfrmi_rcv_cb(struct sk_buff *
+ skb->dev = dev;
+
+ if (err) {
+- dev->stats.rx_errors++;
+- dev->stats.rx_dropped++;
++ DEV_STATS_INC(dev, rx_errors);
++ DEV_STATS_INC(dev, rx_dropped);
+
+ return 0;
+ }
+@@ -309,7 +309,6 @@ static int
+ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
+ {
+ struct xfrm_if *xi = netdev_priv(dev);
+- struct net_device_stats *stats = &xi->dev->stats;
+ struct dst_entry *dst = skb_dst(skb);
+ unsigned int length = skb->len;
+ struct net_device *tdev;
+@@ -335,7 +334,7 @@ xfrmi_xmit2(struct sk_buff *skb, struct
+ tdev = dst->dev;
+
+ if (tdev == dev) {
+- stats->collisions++;
++ DEV_STATS_INC(dev, collisions);
+ net_warn_ratelimited("%s: Local routing loop detected!\n",
+ dev->name);
+ goto tx_err_dst_release;
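Review bot: The counters that used to go through `stats = &xi->dev->stats` are now charged to `dev` directly, as in `DEV_STATS_INC(dev, collisions);` here and in the later xfrmi_xmit2 and xfrmi_xmit hunks. That is equivalent only if `xi->dev` always points back to the device whose private data `xi` is. That assignment is not visible in this patch, so it is worth confirming or stating in the description. xfrmi_xmit2 starts and ends outside this hunk.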
+@@ -378,13 +377,13 @@ xmit:
+ tstats->tx_packets++;
+ u64_stats_update_end(&tstats->syncp);
+ } else {
+- stats->tx_errors++;
+- stats->tx_aborted_errors++;
++ DEV_STATS_INC(dev, tx_errors);
++ DEV_STATS_INC(dev, tx_aborted_errors);
+ }
+
+ return 0;
+ tx_err_link_failure:
+- stats->tx_carrier_errors++;
++ DEV_STATS_INC(dev, tx_carrier_errors);
+ dst_link_failure(skb);
+ tx_err_dst_release:
+ dst_release(dst);
+@@ -394,7 +393,6 @@ tx_err_dst_release:
+ static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct xfrm_if *xi = netdev_priv(dev);
+- struct net_device_stats *stats = &xi->dev->stats;
+ struct dst_entry *dst = skb_dst(skb);
+ struct flowi fl;
+ int ret;
+@@ -411,7 +409,7 @@ static netdev_tx_t xfrmi_xmit(struct sk_
+ dst = ip6_route_output(dev_net(dev), NULL, &fl.u.ip6);
+ if (dst->error) {
+ dst_release(dst);
+- stats->tx_carrier_errors++;
++ DEV_STATS_INC(dev, tx_carrier_errors);
+ goto tx_err;
+ }
+ skb_dst_set(skb, dst);
+@@ -427,7 +425,7 @@ static netdev_tx_t xfrmi_xmit(struct sk_
+ fl.u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC;
+ rt = __ip_route_output_key(dev_net(dev), &fl.u.ip4);
+ if (IS_ERR(rt)) {
+- stats->tx_carrier_errors++;
++ DEV_STATS_INC(dev, tx_carrier_errors);
+ goto tx_err;
+ }
+ skb_dst_set(skb, &rt->dst);
+@@ -446,8 +444,8 @@ static netdev_tx_t xfrmi_xmit(struct sk_
+ return NETDEV_TX_OK;
+
+ tx_err:
+- stats->tx_errors++;
+- stats->tx_dropped++;
++ DEV_STATS_INC(dev, tx_errors);
++ DEV_STATS_INC(dev, tx_dropped);
+ kfree_skb(skb);
+ return NETDEV_TX_OK;
+ }