--- /dev/null
+From f6c91a2ce9f5a2ac04b38e68c0d5de05a8ddb251 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 18:07:52 +0200
+Subject: cipso: fix total option length computation
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+[ Upstream commit 9f36169912331fa035d7b73a91252d7c2512eb1a ]
+
+As evident from the definition of ip_options_get(), the IP option
+IPOPT_END is used to pad the IP option data array, not IPOPT_NOP. Yet
+the loop that walks the IP options to determine the total IP options
+length in cipso_v4_delopt() doesn't take IPOPT_END into account.
+
+Fix it by recognizing the IPOPT_END value as the end of actual options.
+
+Fixes: 014ab19a69c3 ("selinux: Set socket NetLabel based on connection endpoint")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/cipso_ipv4.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index 8dcf9aec7b77d..4a86cf05a3480 100644
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -2029,12 +2029,16 @@ static int cipso_v4_delopt(struct ip_options_rcu __rcu **opt_ptr)
+ * from there we can determine the new total option length */
+ iter = 0;
+ optlen_new = 0;
+- while (iter < opt->opt.optlen)
+- if (opt->opt.__data[iter] != IPOPT_NOP) {
++ while (iter < opt->opt.optlen) {
++ if (opt->opt.__data[iter] == IPOPT_END) {
++ break;
++ } else if (opt->opt.__data[iter] == IPOPT_NOP) {
++ iter++;
++ } else {
+ iter += opt->opt.__data[iter + 1];
+ optlen_new = iter;
+- } else
+- iter++;
++ }
++ }
+ hdr_delta = opt->opt.optlen;
+ opt->opt.optlen = (optlen_new + 3) & ~3;
+ hdr_delta -= opt->opt.optlen;
+--
+2.43.0
+
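Review bot: In the rewritten loop in cipso_v4_delopt(), the final `else` branch still advances with `iter += opt->opt.__data[iter + 1]` without checking that `iter + 1` is below `opt->opt.optlen` or that the length byte is at least 2. A zero length byte would keep `iter` from advancing, and an oversized one would leave `optlen_new` larger than the stored option data before it is rounded into `opt->opt.optlen`. The options were presumably validated when they were installed (the commit message points at ip_options_get()), but that is not visible here. A guard such as `if (iter + 1 >= opt->opt.optlen || opt->opt.__data[iter + 1] < 2) break;` ahead of the addition would make the walk safe on its own. The function body starts and ends outside the hunk.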
--- /dev/null
+From 4d931db27634cbed86aa7cdb593dbeceee5b53d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Jun 2024 15:14:54 +0000
+Subject: ipv6: prevent possible NULL dereference in rt6_probe()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b86762dbe19a62e785c189f313cda5b989931f37 ]
+
+syzbot caught a NULL dereference in rt6_probe() [1]
+
+Bail out if __in6_dev_get() returns NULL.
+
+[1]
+Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cb: 0000 [#1] PREEMPT SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000658-0x000000000000065f]
+CPU: 1 PID: 22444 Comm: syz-executor.0 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
+ RIP: 0010:rt6_probe net/ipv6/route.c:656 [inline]
+ RIP: 0010:find_match+0x8c4/0xf50 net/ipv6/route.c:758
+Code: 14 fd f7 48 8b 85 38 ff ff ff 48 c7 45 b0 00 00 00 00 48 8d b8 5c 06 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 19
+RSP: 0018:ffffc900034af070 EFLAGS: 00010203
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004521000
+RDX: 00000000000000cb RSI: ffffffff8990d0cd RDI: 000000000000065c
+RBP: ffffc900034af150 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000002 R12: 000000000000000a
+R13: 1ffff92000695e18 R14: ffff8880244a1d20 R15: 0000000000000000
+FS: 00007f4844a5a6c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b31b27000 CR3: 000000002d42c000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ rt6_nh_find_match+0xfa/0x1a0 net/ipv6/route.c:784
+ nexthop_for_each_fib6_nh+0x26d/0x4a0 net/ipv4/nexthop.c:1496
+ __find_rr_leaf+0x6e7/0xe00 net/ipv6/route.c:825
+ find_rr_leaf net/ipv6/route.c:853 [inline]
+ rt6_select net/ipv6/route.c:897 [inline]
+ fib6_table_lookup+0x57e/0xa30 net/ipv6/route.c:2195
+ ip6_pol_route+0x1cd/0x1150 net/ipv6/route.c:2231
+ pol_lookup_func include/net/ip6_fib.h:616 [inline]
+ fib6_rule_lookup+0x386/0x720 net/ipv6/fib6_rules.c:121
+ ip6_route_output_flags_noref net/ipv6/route.c:2639 [inline]
+ ip6_route_output_flags+0x1d0/0x640 net/ipv6/route.c:2651
+ ip6_dst_lookup_tail.constprop.0+0x961/0x1760 net/ipv6/ip6_output.c:1147
+ ip6_dst_lookup_flow+0x99/0x1d0 net/ipv6/ip6_output.c:1250
+ rawv6_sendmsg+0xdab/0x4340 net/ipv6/raw.c:898
+ inet_sendmsg+0x119/0x140 net/ipv4/af_inet.c:853
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ sock_write_iter+0x4b8/0x5c0 net/socket.c:1160
+ new_sync_write fs/read_write.c:497 [inline]
+ vfs_write+0x6b6/0x1140 fs/read_write.c:590
+ ksys_write+0x1f8/0x260 fs/read_write.c:643
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 52e1635631b3 ("[IPV6]: ROUTE: Add router_probe_interval sysctl.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20240615151454.166404-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index d060b22554a22..e6e401990e050 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -546,6 +546,8 @@ static void rt6_probe(struct fib6_info *rt)
+ rcu_read_lock_bh();
+ last_probe = READ_ONCE(rt->last_probe);
+ idev = __in6_dev_get(dev);
++ if (!idev)
++ goto out;
+ neigh = __ipv6_neigh_lookup_noref(dev, nh_gw);
+ if (neigh) {
+ if (neigh->nud_state & NUD_VALID)
+--
+2.43.0
+
--- /dev/null
+From 231391e103de6841f8104265a9f8d310714859c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 15:07:00 +0300
+Subject: MIPS: Routerboard 532: Fix vendor retry check code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit ae9daffd9028f2500c9ac1517e46d4f2b57efb80 ]
+
+read_config_dword() contains strange condition checking ret for a
+number of values. The ret variable, however, is always zero because
+config_access() never returns anything else. Thus, the retry is always
+taken until number of tries is exceeded.
+
+The code looks like it wants to check *val instead of ret to see if the
+read gave an error response.
+
+Fixes: 73b4390fb234 ("[MIPS] Routerboard 532: Support for base system")
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/pci/ops-rc32434.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/mips/pci/ops-rc32434.c b/arch/mips/pci/ops-rc32434.c
+index 874ed6df97683..34b9323bdabb0 100644
+--- a/arch/mips/pci/ops-rc32434.c
++++ b/arch/mips/pci/ops-rc32434.c
+@@ -112,8 +112,8 @@ static int read_config_dword(struct pci_bus *bus, unsigned int devfn,
+ * gives them time to settle
+ */
+ if (where == PCI_VENDOR_ID) {
+- if (ret == 0xffffffff || ret == 0x00000000 ||
+- ret == 0x0000ffff || ret == 0xffff0000) {
++ if (*val == 0xffffffff || *val == 0x00000000 ||
++ *val == 0x0000ffff || *val == 0xffff0000) {
+ if (delay > 4)
+ return 0;
+ delay *= 2;
+--
+2.43.0
+
--- /dev/null
+From dde77b402a0a727ea1ae67131109c12476ea876c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Jun 2024 15:28:03 +0200
+Subject: net: usb: rtl8150 fix unintiatilzed variables in
+ rtl8150_get_link_ksettings
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit fba383985354e83474f95f36d7c65feb75dba19d ]
+
+This functions retrieves values by passing a pointer. As the function
+that retrieves them can fail before touching the pointers, the variables
+must be initialized.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+5186630949e3c55f0799@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20240619132816.11526-1-oneukum@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/rtl8150.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
+index 933d1a74bcdb3..9534c2f6dcef6 100644
+--- a/drivers/net/usb/rtl8150.c
++++ b/drivers/net/usb/rtl8150.c
+@@ -804,7 +804,8 @@ static int rtl8150_get_link_ksettings(struct net_device *netdev,
+ struct ethtool_link_ksettings *ecmd)
+ {
+ rtl8150_t *dev = netdev_priv(netdev);
+- short lpa, bmcr;
++ short lpa = 0;
++ short bmcr = 0;
+ u32 supported;
+
+ supported = (SUPPORTED_10baseT_Half |
+--
+2.43.0
+
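Review bot: Initialising `lpa` and `bmcr` to 0 in rtl8150_get_link_ksettings() keeps uninitialised stack values out of the ethtool reply, but a failed register read is still reported to the caller as valid link settings computed from zeros. The reads are below the hunk, so this is inferred from the commit message, which says the retrieving function can fail before touching the pointers. If those calls return a status, checking it and returning the error would be more accurate than reporting a fabricated link state. At minimum a comment such as `/* zeroed: the register reads may fail without writing these */` would record why the initialisers are there.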
--- /dev/null
+From 22033205f236f15a1a28afbaa2df5f5ccb86c5b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 08:23:00 +0000
+Subject: netrom: Fix a memory leak in nr_heartbeat_expiry()
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+[ Upstream commit 0b9130247f3b6a1122478471ff0e014ea96bb735 ]
+
+syzbot reported a memory leak in nr_create() [0].
+
+Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
+added sock_hold() to the nr_heartbeat_expiry() function, where
+a) a socket has a SOCK_DESTROY flag or
+b) a listening socket has a SOCK_DEAD flag.
+
+But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor
+has already been closed and the nr_release() function has been called.
+So it makes no sense to hold the reference count because no one will
+call another nr_destroy_socket() and put it as in the case "b."
+
+nr_connect
+ nr_establish_data_link
+ nr_start_heartbeat
+
+nr_release
+ switch (nr->state)
+ case NR_STATE_3
+ nr->state = NR_STATE_2
+ sock_set_flag(sk, SOCK_DESTROY);
+
+ nr_rx_frame
+ nr_process_rx_frame
+ switch (nr->state)
+ case NR_STATE_2
+ nr_state2_machine()
+ nr_disconnect()
+ nr_sk(sk)->state = NR_STATE_0
+ sock_set_flag(sk, SOCK_DEAD)
+
+ nr_heartbeat_expiry
+ switch (nr->state)
+ case NR_STATE_0
+ if (sock_flag(sk, SOCK_DESTROY) ||
+ (sk->sk_state == TCP_LISTEN
+ && sock_flag(sk, SOCK_DEAD)))
+ sock_hold() // ( !!! )
+ nr_destroy_socket()
+
+To fix the memory leak, let's call sock_hold() only for a listening socket.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with Syzkaller.
+
+[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
+
+Reported-by: syzbot+d327a1f3b12e1e206c16@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
+Fixes: 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
+Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netrom/nr_timer.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c
+index 2bf99bd5be58c..67d012e0badeb 100644
+--- a/net/netrom/nr_timer.c
++++ b/net/netrom/nr_timer.c
+@@ -124,7 +124,8 @@ static void nr_heartbeat_expiry(struct timer_list *t)
+ is accepted() it isn't 'dead' so doesn't get removed. */
+ if (sock_flag(sk, SOCK_DESTROY) ||
+ (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) {
+- sock_hold(sk);
++ if (sk->sk_state == TCP_LISTEN)
++ sock_hold(sk);
+ bh_unlock_sock(sk);
+ nr_destroy_socket(sk);
+ goto out;
+--
+2.43.0
+
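Review bot: The conditional `sock_hold()` added in nr_heartbeat_expiry() is not explained where it happens; the existing comment above the outer `if` only describes the listening-socket case. A comment on the new test would help, for example `/* Hold only for a listening socket; with SOCK_DESTROY the socket was already released and nothing would drop this reference. */`, which is the reasoning given in the commit message. The inner test is `sk->sk_state == TCP_LISTEN` alone, so a socket that is listening and has SOCK_DESTROY set without SOCK_DEAD would still take the hold; whether that combination can occur is not visible from this hunk. The function continues outside the hunk.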
udf-udftime-prevent-overflow-in-udf_disk_stamp_to_ti.patch
pci-pm-avoid-d3cold-for-hp-pavilion-17-pc-1972-pcie-.patch
mips-octeon-add-pcie-link-status-check.patch
+mips-routerboard-532-fix-vendor-retry-check-code.patch
+cipso-fix-total-option-length-computation.patch
+netrom-fix-a-memory-leak-in-nr_heartbeat_expiry.patch
+ipv6-prevent-possible-null-dereference-in-rt6_probe.patch
+xfrm6-check-ip6_dst_idev-return-value-in-xfrm6_get_s.patch
+virtio-net-ethtool-configurable-lro.patch
+virtio_net-checksum-offloading-handling-fix.patch
+net-usb-rtl8150-fix-unintiatilzed-variables-in-rtl81.patch
--- /dev/null
+From 2ca7d15d6339c81cb8fca2e218f99ef724fd85fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Dec 2018 17:14:54 -0500
+Subject: virtio-net: ethtool configurable LRO
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit a02e8964eaf9271a8a5fcc0c55bd13f933bafc56 ]
+
+Virtio-net devices negotiate LRO support with the host.
+Display the initially negotiated state with ethtool -k.
+
+Also allow configuring it with ethtool -K, reusing the existing
+virtnet_set_guest_offloads helper that configures LRO for XDP.
+This is conditional on VIRTIO_NET_F_CTRL_GUEST_OFFLOADS.
+
+Virtio-net negotiates TSO4 and TSO6 separately, but ethtool does not
+distinguish between the two. Display LRO as on only if any offload
+is active.
+
+RTNL is held while calling virtnet_set_features, same as on the path
+from virtnet_xdp_set.
+
+Changes v1 -> v2
+ - allow ethtool config (-K) only if VIRTIO_NET_F_CTRL_GUEST_OFFLOADS
+ - show LRO as enabled if any LRO variant is enabled
+ - do not allow configuration while XDP is active
+ - differentiate current features from the capable set, to restore
+ on XDP down only those features that were active on XDP up
+ - move test out of VIRTIO_NET_F_CSUM/TSO branch, which is tx only
+
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 604141c036e1 ("virtio_net: checksum offloading handling fix")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 33 +++++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index 2b012d7165cd0..cbe7be1b8452e 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -238,6 +238,7 @@ struct virtnet_info {
+ u32 speed;
+
+ unsigned long guest_offloads;
++ unsigned long guest_offloads_capable;
+
+ /* failover when STANDBY feature enabled */
+ struct failover *failover;
+@@ -2548,6 +2549,31 @@ static int virtnet_get_phys_port_name(struct net_device *dev, char *buf,
+ return 0;
+ }
+
++static int virtnet_set_features(struct net_device *dev,
++ netdev_features_t features)
++{
++ struct virtnet_info *vi = netdev_priv(dev);
++ u64 offloads;
++ int err;
++
++ if ((dev->features ^ features) & NETIF_F_LRO) {
++ if (vi->xdp_queue_pairs)
++ return -EBUSY;
++
++ if (features & NETIF_F_LRO)
++ offloads = vi->guest_offloads_capable;
++ else
++ offloads = 0;
++
++ err = virtnet_set_guest_offloads(vi, offloads);
++ if (err)
++ return err;
++ vi->guest_offloads = offloads;
++ }
++
++ return 0;
++}
++
+ static const struct net_device_ops virtnet_netdev = {
+ .ndo_open = virtnet_open,
+ .ndo_stop = virtnet_close,
+@@ -2562,6 +2588,7 @@ static const struct net_device_ops virtnet_netdev = {
+ .ndo_xdp_xmit = virtnet_xdp_xmit,
+ .ndo_features_check = passthru_features_check,
+ .ndo_get_phys_port_name = virtnet_get_phys_port_name,
++ .ndo_set_features = virtnet_set_features,
+ };
+
+ static void virtnet_config_changed_work(struct work_struct *work)
+@@ -3022,6 +3049,11 @@ static int virtnet_probe(struct virtio_device *vdev)
+ }
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_CSUM))
+ dev->features |= NETIF_F_RXCSUM;
++ if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO4) ||
++ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO6))
++ dev->features |= NETIF_F_LRO;
++ if (virtio_has_feature(vdev, VIRTIO_NET_F_CTRL_GUEST_OFFLOADS))
++ dev->hw_features |= NETIF_F_LRO;
+
+ dev->vlan_features = dev->features;
+
+@@ -3157,6 +3189,7 @@ static int virtnet_probe(struct virtio_device *vdev)
+ for (i = 0; i < ARRAY_SIZE(guest_offloads); i++)
+ if (virtio_has_feature(vi->vdev, guest_offloads[i]))
+ set_bit(guest_offloads[i], &vi->guest_offloads);
++ vi->guest_offloads_capable = vi->guest_offloads;
+
+ pr_debug("virtnet: registered device %s with %d RX and TX vq's\n",
+ dev->name, max_queue_pairs);
+--
+2.43.0
+
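Review bot: In virtnet_set_features(), turning LRO off sets `offloads = 0`, which clears every guest offload bit and not only the LRO-related ones. The guest_offloads[] table that fills `vi->guest_offloads_capable` is outside the hunks, so if it lists anything besides the TSO bits (a guest checksum bit, for instance), disabling LRO through ethtool -K would silently disable that too. Masking instead, e.g. `offloads = vi->guest_offloads_capable & ~((1ULL << VIRTIO_NET_F_GUEST_TSO4) | (1ULL << VIRTIO_NET_F_GUEST_TSO6));`, keeps the unrelated offloads; the exact set of LRO bits should be confirmed against that table. Separately, `offloads` is a `u64` while both `guest_offloads` fields are `unsigned long`, which is worth aligning.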
--- /dev/null
+From e222186d033fae45916f846b0301b2fcc2c0c089 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 21:15:23 +0800
+Subject: virtio_net: checksum offloading handling fix
+
+From: Heng Qi <hengqi@linux.alibaba.com>
+
+[ Upstream commit 604141c036e1b636e2a71cf6e1aa09d1e45f40c2 ]
+
+In virtio spec 0.95, VIRTIO_NET_F_GUEST_CSUM was designed to handle
+partially checksummed packets, and the validation of fully checksummed
+packets by the device is independent of VIRTIO_NET_F_GUEST_CSUM
+negotiation. However, the specification erroneously stated:
+
+ "If VIRTIO_NET_F_GUEST_CSUM is not negotiated, the device MUST set flags
+ to zero and SHOULD supply a fully checksummed packet to the driver."
+
+This statement is inaccurate because even without VIRTIO_NET_F_GUEST_CSUM
+negotiation, the device can still set the VIRTIO_NET_HDR_F_DATA_VALID flag.
+Essentially, the device can facilitate the validation of these packets'
+checksums - a process known as RX checksum offloading - removing the need
+for the driver to do so.
+
+This scenario is currently not implemented in the driver and requires
+correction. The necessary specification correction[1] has been made and
+approved in the virtio TC vote.
+[1] https://lists.oasis-open.org/archives/virtio-comment/202401/msg00011.html
+
+Fixes: 4f49129be6fa ("virtio-net: Set RXCSUM feature if GUEST_CSUM is available")
+Signed-off-by: Heng Qi <hengqi@linux.alibaba.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/virtio_net.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
+index cbe7be1b8452e..7a6ebd2400526 100644
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -3047,8 +3047,16 @@ static int virtnet_probe(struct virtio_device *vdev)
+ dev->features |= dev->hw_features & NETIF_F_ALL_TSO;
+ /* (!csum && gso) case will be fixed by register_netdev() */
+ }
+- if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_CSUM))
+- dev->features |= NETIF_F_RXCSUM;
++
++ /* 1. With VIRTIO_NET_F_GUEST_CSUM negotiation, the driver doesn't
++ * need to calculate checksums for partially checksummed packets,
++ * as they're considered valid by the upper layer.
++ * 2. Without VIRTIO_NET_F_GUEST_CSUM negotiation, the driver only
++ * receives fully checksummed packets. The device may assist in
++ * validating these packets' checksums, so the driver won't have to.
++ */
++ dev->features |= NETIF_F_RXCSUM;
++
+ if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO4) ||
+ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO6))
+ dev->features |= NETIF_F_LRO;
+--
+2.43.0
+
--- /dev/null
+From fe40d3a30c259998628335f8899c5ac98c50a912 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Jun 2024 15:42:31 +0000
+Subject: xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d46401052c2d5614da8efea5788532f0401cb164 ]
+
+ip6_dst_idev() can return NULL, xfrm6_get_saddr() must act accordingly.
+
+syzbot reported:
+
+Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 1 PID: 12 Comm: kworker/u8:1 Not tainted 6.10.0-rc2-syzkaller-00383-gb8481381d4e2 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
+Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker
+ RIP: 0010:xfrm6_get_saddr+0x93/0x130 net/ipv6/xfrm6_policy.c:64
+Code: df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 97 00 00 00 4c 8b ab d8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 86 00 00 00 4d 8b 6d 00 e8 ca 13 47 01 48 b8 00
+RSP: 0018:ffffc90000117378 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffff88807b079dc0 RCX: ffffffff89a0d6d7
+RDX: 0000000000000000 RSI: ffffffff89a0d6e9 RDI: ffff88807b079e98
+RBP: ffff88807ad73248 R08: 0000000000000007 R09: fffffffffffff000
+R10: ffff88807b079dc0 R11: 0000000000000007 R12: ffffc90000117480
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+FS: 0000000000000000(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f4586d00440 CR3: 0000000079042000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ xfrm_get_saddr net/xfrm/xfrm_policy.c:2452 [inline]
+ xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2481 [inline]
+ xfrm_tmpl_resolve+0xa26/0xf10 net/xfrm/xfrm_policy.c:2541
+ xfrm_resolve_and_create_bundle+0x140/0x2570 net/xfrm/xfrm_policy.c:2835
+ xfrm_bundle_lookup net/xfrm/xfrm_policy.c:3070 [inline]
+ xfrm_lookup_with_ifid+0x4d1/0x1e60 net/xfrm/xfrm_policy.c:3201
+ xfrm_lookup net/xfrm/xfrm_policy.c:3298 [inline]
+ xfrm_lookup_route+0x3b/0x200 net/xfrm/xfrm_policy.c:3309
+ ip6_dst_lookup_flow+0x15c/0x1d0 net/ipv6/ip6_output.c:1256
+ send6+0x611/0xd20 drivers/net/wireguard/socket.c:139
+ wg_socket_send_skb_to_peer+0xf9/0x220 drivers/net/wireguard/socket.c:178
+ wg_socket_send_buffer_to_peer+0x12b/0x190 drivers/net/wireguard/socket.c:200
+ wg_packet_send_handshake_initiation+0x227/0x360 drivers/net/wireguard/send.c:40
+ wg_packet_handshake_send_worker+0x1c/0x30 drivers/net/wireguard/send.c:51
+ process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
+ process_scheduled_works kernel/workqueue.c:3312 [inline]
+ worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
+ kthread+0x2c1/0x3a0 kernel/kthread.c:389
+ ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20240615154231.234442-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/xfrm6_policy.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
+index a1dfe4f5ed3a4..086f34d2051a1 100644
+--- a/net/ipv6/xfrm6_policy.c
++++ b/net/ipv6/xfrm6_policy.c
+@@ -60,12 +60,18 @@ static int xfrm6_get_saddr(struct net *net, int oif,
+ {
+ struct dst_entry *dst;
+ struct net_device *dev;
++ struct inet6_dev *idev;
+
+ dst = xfrm6_dst_lookup(net, 0, oif, NULL, daddr, mark);
+ if (IS_ERR(dst))
+ return -EHOSTUNREACH;
+
+- dev = ip6_dst_idev(dst)->dev;
++ idev = ip6_dst_idev(dst);
++ if (!idev) {
++ dst_release(dst);
++ return -EHOSTUNREACH;
++ }
++ dev = idev->dev;
+ ipv6_dev_get_saddr(dev_net(dev), dev, &daddr->in6, 0, &saddr->in6);
+ dst_release(dst);
+ return 0;
+--
+2.43.0
+
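Review bot: xfrm6_get_saddr() still discards the result of `ipv6_dev_get_saddr()` on the line after the new check and returns 0 regardless, so a caller can be told success while `saddr` was never written. The new NULL check covers the missing idev, but the no-usable-address case still takes the success path. Callers are outside the hunk, so whether `saddr` is pre-initialised there cannot be confirmed from here. If it is not, propagating the failure would be safer: with an `int err`, use `err = ipv6_dev_get_saddr(dev_net(dev), dev, &daddr->in6, 0, &saddr->in6);` followed by `dst_release(dst);` and `return err ? -EHOSTUNREACH : 0;`.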