--- /dev/null
+From 79717ef45f51ab97a06693a3e7480b02d351f2de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Oct 2023 17:16:03 -0700
+Subject: ARM: OMAP: timer32K: fix all kernel-doc warnings
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 7eeca8ccd1066c68d6002dbbe26433f8c17c53eb ]
+
+Fix kernel-doc warnings reported by the kernel test robot:
+
+timer32k.c:186: warning: cannot understand function prototype: 'struct timespec64 persistent_ts; '
+timer32k.c:191: warning: Function parameter or member 'ts' not described in 'omap_read_persistent_clock64'
+timer32k.c:216: warning: Function parameter or member 'vbase' not described in 'omap_init_clocksource_32k'
+timer32k.c:216: warning: Excess function parameter 'pbase' description in 'omap_init_clocksource_32k'
+timer32k.c:216: warning: Excess function parameter 'size' description in 'omap_init_clocksource_32k'
+timer32k.c:216: warning: No description found for return value of 'omap_init_clocksource_32k'
+
+Fixes: a451570c008b ("ARM: OMAP: 32k counter: Provide y2038-safe omap_read_persistent_clock() replacement")
+Fixes: 1fe97c8f6a1d ("ARM: OMAP: Make OMAP clocksource source selection using kernel param")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/all/202310070106.8QSyJOm3-lkp@intel.com/
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Vaibhav Hiremath <hvaibhav@ti.com>
+Cc: Felipe Balbi <balbi@ti.com>
+Cc: Tony Lindgren <tony@atomide.com>
+Cc: Xunlei Pang <pang.xunlei@linaro.org>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Aaro Koskinen <aaro.koskinen@iki.fi>
+Cc: Janusz Krzysztofik <jmkrzyszt@gmail.com>
+Cc: linux-omap@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Message-ID: <20231007001603.24972-1-rdunlap@infradead.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap1/timer32k.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm/mach-omap1/timer32k.c b/arch/arm/mach-omap1/timer32k.c
+index 11958ccd894dc..747899083f238 100644
+--- a/arch/arm/mach-omap1/timer32k.c
++++ b/arch/arm/mach-omap1/timer32k.c
+@@ -176,17 +176,18 @@ static u64 notrace omap_32k_read_sched_clock(void)
+ return sync32k_cnt_reg ? readl_relaxed(sync32k_cnt_reg) : 0;
+ }
+
++static struct timespec64 persistent_ts;
++static cycles_t cycles;
++static unsigned int persistent_mult, persistent_shift;
++
+ /**
+ * omap_read_persistent_clock64 - Return time from a persistent clock.
++ * @ts: &struct timespec64 for the returned time
+ *
+ * Reads the time from a source which isn't disabled during PM, the
+ * 32k sync timer. Convert the cycles elapsed since last read into
+ * nsecs and adds to a monotonically increasing timespec64.
+ */
+-static struct timespec64 persistent_ts;
+-static cycles_t cycles;
+-static unsigned int persistent_mult, persistent_shift;
+-
+ static void omap_read_persistent_clock64(struct timespec64 *ts)
+ {
+ unsigned long long nsecs;
+@@ -206,10 +207,9 @@ static void omap_read_persistent_clock64(struct timespec64 *ts)
+ /**
+ * omap_init_clocksource_32k - setup and register counter 32k as a
+ * kernel clocksource
+- * @pbase: base addr of counter_32k module
+- * @size: size of counter_32k to map
++ * @vbase: base addr of counter_32k module
+ *
+- * Returns 0 upon success or negative error code upon failure.
++ * Returns: %0 upon success or negative error code upon failure.
+ *
+ */
+ int __init omap_init_clocksource_32k(void __iomem *vbase)
+--
+2.42.0
+
--- /dev/null
+From 85166f1cd7f9b5757bd09dd8ec1afdbbe93640ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Sep 2019 13:57:31 +0200
+Subject: ARM: omap1: move 32k counter from plat-omap to mach-omap1
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit d379e8899a8da1041c347ae5b792773c48a559a9 ]
+
+omap2 stopped using this code with commit 8d39ff3d1696 ("ARM: OMAP2+:
+Remove unused legacy code for timer"), so just move it to mach-omap1 now,
+along with the other half of that driver.
+
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Stable-dep-of: 7eeca8ccd106 ("ARM: OMAP: timer32K: fix all kernel-doc warnings")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-omap1/Kconfig | 16 +++
+ arch/arm/mach-omap1/timer32k.c | 96 ++++++++++++++-
+ arch/arm/plat-omap/Kconfig | 17 ---
+ arch/arm/plat-omap/Makefile | 2 +-
+ arch/arm/plat-omap/counter_32k.c | 114 ------------------
+ arch/arm/plat-omap/include/plat/counter-32k.h | 1 -
+ 6 files changed, 110 insertions(+), 136 deletions(-)
+ delete mode 100644 arch/arm/plat-omap/counter_32k.c
+ delete mode 100644 arch/arm/plat-omap/include/plat/counter-32k.h
+
+diff --git a/arch/arm/mach-omap1/Kconfig b/arch/arm/mach-omap1/Kconfig
+index 9536b8f3c07db..5b28f747c10d2 100644
+--- a/arch/arm/mach-omap1/Kconfig
++++ b/arch/arm/mach-omap1/Kconfig
+@@ -53,6 +53,22 @@ config OMAP_MUX_WARNINGS
+ to change the pin multiplexing setup. When there are no warnings
+ printed, it's safe to deselect OMAP_MUX for your product.
+
++config OMAP_32K_TIMER
++ bool "Use 32KHz timer"
++ depends on ARCH_OMAP16XX
++ default ARCH_OMAP16XX
++ help
++ Select this option if you want to enable the OMAP 32KHz timer.
++ This timer saves power compared to the OMAP_MPU_TIMER, and has
++ support for no tick during idle. The 32KHz timer provides less
++ intra-tick resolution than OMAP_MPU_TIMER. The 32KHz timer is
++ currently only available for OMAP16XX, 24XX, 34XX, OMAP4/5 and DRA7XX.
++
++ On OMAP2PLUS this value is only used for CONFIG_HZ and
++ CLOCK_TICK_RATE compile time calculation.
++ The actual timer selection is done in the board file
++ through the (DT_)MACHINE_START structure.
++
+ comment "OMAP Board Type"
+
+ config MACH_OMAP_INNOVATOR
+diff --git a/arch/arm/mach-omap1/timer32k.c b/arch/arm/mach-omap1/timer32k.c
+index 780fdf03c3cee..11958ccd894dc 100644
+--- a/arch/arm/mach-omap1/timer32k.c
++++ b/arch/arm/mach-omap1/timer32k.c
+@@ -45,15 +45,13 @@
+ #include <linux/clocksource.h>
+ #include <linux/clockchips.h>
+ #include <linux/io.h>
++#include <linux/sched_clock.h>
+
+ #include <asm/irq.h>
+ #include <asm/mach/irq.h>
+ #include <asm/mach/time.h>
+
+-#include <plat/counter-32k.h>
+-
+ #include <mach/hardware.h>
+-
+ #include "common.h"
+
+ /*
+@@ -159,6 +157,98 @@ static __init void omap_init_32k_timer(void)
+ OMAP_32K_TICKS_PER_SEC, 1, 0xfffffffe);
+ }
+
++/* OMAP2_32KSYNCNT_CR_OFF: offset of 32ksync counter register */
++#define OMAP2_32KSYNCNT_REV_OFF 0x0
++#define OMAP2_32KSYNCNT_REV_SCHEME (0x3 << 30)
++#define OMAP2_32KSYNCNT_CR_OFF_LOW 0x10
++#define OMAP2_32KSYNCNT_CR_OFF_HIGH 0x30
++
++/*
++ * 32KHz clocksource ... always available, on pretty most chips except
++ * OMAP 730 and 1510. Other timers could be used as clocksources, with
++ * higher resolution in free-running counter modes (e.g. 12 MHz xtal),
++ * but systems won't necessarily want to spend resources that way.
++ */
++static void __iomem *sync32k_cnt_reg;
++
++static u64 notrace omap_32k_read_sched_clock(void)
++{
++ return sync32k_cnt_reg ? readl_relaxed(sync32k_cnt_reg) : 0;
++}
++
++/**
++ * omap_read_persistent_clock64 - Return time from a persistent clock.
++ *
++ * Reads the time from a source which isn't disabled during PM, the
++ * 32k sync timer. Convert the cycles elapsed since last read into
++ * nsecs and adds to a monotonically increasing timespec64.
++ */
++static struct timespec64 persistent_ts;
++static cycles_t cycles;
++static unsigned int persistent_mult, persistent_shift;
++
++static void omap_read_persistent_clock64(struct timespec64 *ts)
++{
++ unsigned long long nsecs;
++ cycles_t last_cycles;
++
++ last_cycles = cycles;
++ cycles = sync32k_cnt_reg ? readl_relaxed(sync32k_cnt_reg) : 0;
++
++ nsecs = clocksource_cyc2ns(cycles - last_cycles,
++ persistent_mult, persistent_shift);
++
++ timespec64_add_ns(&persistent_ts, nsecs);
++
++ *ts = persistent_ts;
++}
++
++/**
++ * omap_init_clocksource_32k - setup and register counter 32k as a
++ * kernel clocksource
++ * @pbase: base addr of counter_32k module
++ * @size: size of counter_32k to map
++ *
++ * Returns 0 upon success or negative error code upon failure.
++ *
++ */
++int __init omap_init_clocksource_32k(void __iomem *vbase)
++{
++ int ret;
++
++ /*
++ * 32k sync Counter IP register offsets vary between the
++ * highlander version and the legacy ones.
++ * The 'SCHEME' bits(30-31) of the revision register is used
++ * to identify the version.
++ */
++ if (readl_relaxed(vbase + OMAP2_32KSYNCNT_REV_OFF) &
++ OMAP2_32KSYNCNT_REV_SCHEME)
++ sync32k_cnt_reg = vbase + OMAP2_32KSYNCNT_CR_OFF_HIGH;
++ else
++ sync32k_cnt_reg = vbase + OMAP2_32KSYNCNT_CR_OFF_LOW;
++
++ /*
++ * 120000 rough estimate from the calculations in
++ * __clocksource_update_freq_scale.
++ */
++ clocks_calc_mult_shift(&persistent_mult, &persistent_shift,
++ 32768, NSEC_PER_SEC, 120000);
++
++ ret = clocksource_mmio_init(sync32k_cnt_reg, "32k_counter", 32768,
++ 250, 32, clocksource_mmio_readl_up);
++ if (ret) {
++ pr_err("32k_counter: can't register clocksource\n");
++ return ret;
++ }
++
++ sched_clock_register(omap_32k_read_sched_clock, 32, 32768);
++ register_persistent_clock(omap_read_persistent_clock64);
++ pr_info("OMAP clocksource: 32k_counter at 32768 Hz\n");
++
++ return 0;
++}
++
+ /*
+ * ---------------------------------------------------------------------------
+ * Timer initialization
+diff --git a/arch/arm/plat-omap/Kconfig b/arch/arm/plat-omap/Kconfig
+index 272670ef1e92d..dfa19d5030e35 100644
+--- a/arch/arm/plat-omap/Kconfig
++++ b/arch/arm/plat-omap/Kconfig
+@@ -72,23 +72,6 @@ config OMAP_MPU_TIMER
+ timer provides more intra-tick resolution than the 32KHz timer,
+ but consumes more power.
+
+-config OMAP_32K_TIMER
+- bool "Use 32KHz timer"
+- depends on ARCH_OMAP16XX || ARCH_OMAP2PLUS
+- default y if (ARCH_OMAP16XX || ARCH_OMAP2PLUS)
+- help
+- Select this option if you want to enable the OMAP 32KHz timer.
+- This timer saves power compared to the OMAP_MPU_TIMER, and has
+- support for no tick during idle. The 32KHz timer provides less
+- intra-tick resolution than OMAP_MPU_TIMER. The 32KHz timer is
+- currently only available for OMAP16XX, 24XX, 34XX, OMAP4/5 and DRA7XX.
+-
+- On OMAP2PLUS this value is only used for CONFIG_HZ and
+- CLOCK_TICK_RATE compile time calculation.
+- The actual timer selection is done in the board file
+- through the (DT_)MACHINE_START structure.
+-
+-
+ config OMAP3_L2_AUX_SECURE_SAVE_RESTORE
+ bool "OMAP3 HS/EMU save and restore for L2 AUX control register"
+ depends on ARCH_OMAP3 && PM
+diff --git a/arch/arm/plat-omap/Makefile b/arch/arm/plat-omap/Makefile
+index 371f2ed00eda2..98a7b607873a2 100644
+--- a/arch/arm/plat-omap/Makefile
++++ b/arch/arm/plat-omap/Makefile
+@@ -6,7 +6,7 @@
+ ccflags-$(CONFIG_ARCH_MULTIPLATFORM) := -I$(srctree)/arch/arm/plat-omap/include
+
+ # Common support
+-obj-y := sram.o dma.o counter_32k.o
++obj-y := sram.o dma.o
+
+ # omap_device support (OMAP2+ only at the moment)
+
+diff --git a/arch/arm/plat-omap/counter_32k.c b/arch/arm/plat-omap/counter_32k.c
+deleted file mode 100644
+index 7a729ade21057..0000000000000
+--- a/arch/arm/plat-omap/counter_32k.c
++++ /dev/null
+@@ -1,114 +0,0 @@
+-// SPDX-License-Identifier: GPL-2.0-only
+-/*
+- * OMAP 32ksynctimer/counter_32k-related code
+- *
+- * Copyright (C) 2009 Texas Instruments
+- * Copyright (C) 2010 Nokia Corporation
+- * Tony Lindgren <tony@atomide.com>
+- * Added OMAP4 support - Santosh Shilimkar <santosh.shilimkar@ti.com>
+- *
+- * NOTE: This timer is not the same timer as the old OMAP1 MPU timer.
+- */
+-#include <linux/kernel.h>
+-#include <linux/init.h>
+-#include <linux/clk.h>
+-#include <linux/err.h>
+-#include <linux/io.h>
+-#include <linux/clocksource.h>
+-#include <linux/sched_clock.h>
+-
+-#include <asm/mach/time.h>
+-
+-#include <plat/counter-32k.h>
+-
+-/* OMAP2_32KSYNCNT_CR_OFF: offset of 32ksync counter register */
+-#define OMAP2_32KSYNCNT_REV_OFF 0x0
+-#define OMAP2_32KSYNCNT_REV_SCHEME (0x3 << 30)
+-#define OMAP2_32KSYNCNT_CR_OFF_LOW 0x10
+-#define OMAP2_32KSYNCNT_CR_OFF_HIGH 0x30
+-
+-/*
+- * 32KHz clocksource ... always available, on pretty most chips except
+- * OMAP 730 and 1510. Other timers could be used as clocksources, with
+- * higher resolution in free-running counter modes (e.g. 12 MHz xtal),
+- * but systems won't necessarily want to spend resources that way.
+- */
+-static void __iomem *sync32k_cnt_reg;
+-
+-static u64 notrace omap_32k_read_sched_clock(void)
+-{
+- return sync32k_cnt_reg ? readl_relaxed(sync32k_cnt_reg) : 0;
+-}
+-
+-/**
+- * omap_read_persistent_clock64 - Return time from a persistent clock.
+- *
+- * Reads the time from a source which isn't disabled during PM, the
+- * 32k sync timer. Convert the cycles elapsed since last read into
+- * nsecs and adds to a monotonically increasing timespec64.
+- */
+-static struct timespec64 persistent_ts;
+-static cycles_t cycles;
+-static unsigned int persistent_mult, persistent_shift;
+-
+-static void omap_read_persistent_clock64(struct timespec64 *ts)
+-{
+- unsigned long long nsecs;
+- cycles_t last_cycles;
+-
+- last_cycles = cycles;
+- cycles = sync32k_cnt_reg ? readl_relaxed(sync32k_cnt_reg) : 0;
+-
+- nsecs = clocksource_cyc2ns(cycles - last_cycles,
+- persistent_mult, persistent_shift);
+-
+- timespec64_add_ns(&persistent_ts, nsecs);
+-
+- *ts = persistent_ts;
+-}
+-
+-/**
+- * omap_init_clocksource_32k - setup and register counter 32k as a
+- * kernel clocksource
+- * @pbase: base addr of counter_32k module
+- * @size: size of counter_32k to map
+- *
+- * Returns 0 upon success or negative error code upon failure.
+- *
+- */
+-int __init omap_init_clocksource_32k(void __iomem *vbase)
+-{
+- int ret;
+-
+- /*
+- * 32k sync Counter IP register offsets vary between the
+- * highlander version and the legacy ones.
+- * The 'SCHEME' bits(30-31) of the revision register is used
+- * to identify the version.
+- */
+- if (readl_relaxed(vbase + OMAP2_32KSYNCNT_REV_OFF) &
+- OMAP2_32KSYNCNT_REV_SCHEME)
+- sync32k_cnt_reg = vbase + OMAP2_32KSYNCNT_CR_OFF_HIGH;
+- else
+- sync32k_cnt_reg = vbase + OMAP2_32KSYNCNT_CR_OFF_LOW;
+-
+- /*
+- * 120000 rough estimate from the calculations in
+- * __clocksource_update_freq_scale.
+- */
+- clocks_calc_mult_shift(&persistent_mult, &persistent_shift,
+- 32768, NSEC_PER_SEC, 120000);
+-
+- ret = clocksource_mmio_init(sync32k_cnt_reg, "32k_counter", 32768,
+- 250, 32, clocksource_mmio_readl_up);
+- if (ret) {
+- pr_err("32k_counter: can't register clocksource\n");
+- return ret;
+- }
+-
+- sched_clock_register(omap_32k_read_sched_clock, 32, 32768);
+- register_persistent_clock(omap_read_persistent_clock64);
+- pr_info("OMAP clocksource: 32k_counter at 32768 Hz\n");
+-
+- return 0;
+-}
+diff --git a/arch/arm/plat-omap/include/plat/counter-32k.h b/arch/arm/plat-omap/include/plat/counter-32k.h
+deleted file mode 100644
+index da000d482ff26..0000000000000
+--- a/arch/arm/plat-omap/include/plat/counter-32k.h
++++ /dev/null
+@@ -1 +0,0 @@
+-int omap_init_clocksource_32k(void __iomem *vbase);
+--
+2.42.0
+
--- /dev/null
+From 944fc8822f6a81699c2fd25ac27b278b305f52ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Sep 2023 08:34:10 +0200
+Subject: drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper()
+
+From: Lukasz Majczak <lma@semihalf.com>
+
+[ Upstream commit 3d887d512494d678b17c57b835c32f4e48d34f26 ]
+
+As drm_dp_get_mst_branch_device_by_guid() is called from
+drm_dp_get_mst_branch_device_by_guid(), mstb parameter has to be checked,
+otherwise NULL dereference may occur in the call to
+the memcpy() and cause following:
+
+[12579.365869] BUG: kernel NULL pointer dereference, address: 0000000000000049
+[12579.365878] #PF: supervisor read access in kernel mode
+[12579.365880] #PF: error_code(0x0000) - not-present page
+[12579.365882] PGD 0 P4D 0
+[12579.365887] Oops: 0000 [#1] PREEMPT SMP NOPTI
+...
+[12579.365895] Workqueue: events_long drm_dp_mst_up_req_work
+[12579.365899] RIP: 0010:memcmp+0xb/0x29
+[12579.365921] Call Trace:
+[12579.365927] get_mst_branch_device_by_guid_helper+0x22/0x64
+[12579.365930] drm_dp_mst_up_req_work+0x137/0x416
+[12579.365933] process_one_work+0x1d0/0x419
+[12579.365935] worker_thread+0x11a/0x289
+[12579.365938] kthread+0x13e/0x14f
+[12579.365941] ? process_one_work+0x419/0x419
+[12579.365943] ? kthread_blkcg+0x31/0x31
+[12579.365946] ret_from_fork+0x1f/0x30
+
+As get_mst_branch_device_by_guid_helper() is recursive, moving condition
+to the first line allow to remove a similar one for step over of NULL elements
+inside a loop.
+
+Fixes: 5e93b8208d3c ("drm/dp/mst: move GUID storage from mgr, port to only mst branch")
+Cc: <stable@vger.kernel.org> # 4.14+
+Signed-off-by: Lukasz Majczak <lma@semihalf.com>
+Reviewed-by: Radoslaw Biernacki <rad@chromium.org>
+Signed-off-by: Manasi Navare <navaremanasi@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230922063410.23626-1-lma@semihalf.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
+index b5e15933cb5f4..27305f3398819 100644
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -2612,14 +2612,14 @@ static struct drm_dp_mst_branch *get_mst_branch_device_by_guid_helper(
+ struct drm_dp_mst_branch *found_mstb;
+ struct drm_dp_mst_port *port;
+
++ if (!mstb)
++ return NULL;
++
+ if (memcmp(mstb->guid, guid, 16) == 0)
+ return mstb;
+
+
+ list_for_each_entry(port, &mstb->ports, next) {
+- if (!port->mstb)
+- continue;
+-
+ found_mstb = get_mst_branch_device_by_guid_helper(port->mstb, guid);
+
+ if (found_mstb)
+--
+2.42.0
+
--- /dev/null
+From 0e537a3bf94bfe1ef15f1da4cb0b2f5c61249f22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Oct 2023 22:25:18 +0200
+Subject: gtp: fix fragmentation needed check with gso
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 4530e5b8e2dad63dcad2206232dd86e4b1489b6c ]
+
+Call skb_gso_validate_network_len() to check if packet is over PMTU.
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/gtp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
+index 05ea3a18552b6..ed247cba22916 100644
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -538,8 +538,9 @@ static int gtp_build_skb_ip4(struct sk_buff *skb, struct net_device *dev,
+
+ rt->dst.ops->update_pmtu(&rt->dst, NULL, skb, mtu, false);
+
+- if (!skb_is_gso(skb) && (iph->frag_off & htons(IP_DF)) &&
+- mtu < ntohs(iph->tot_len)) {
++ if (iph->frag_off & htons(IP_DF) &&
++ ((!skb_is_gso(skb) && skb->len > mtu) ||
++ (skb_is_gso(skb) && !skb_gso_validate_network_len(skb, mtu)))) {
+ netdev_dbg(dev, "packet too big, fragmentation needed\n");
+ icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
+ htonl(mtu));
+--
+2.42.0
+
--- /dev/null
+From 1ec85c5e26e0d07057ad0279098e23da3fbc5de9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Oct 2023 22:25:17 +0200
+Subject: gtp: uapi: fix GTPA_MAX
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit adc8df12d91a2b8350b0cd4c7fec3e8546c9d1f8 ]
+
+Subtract one to __GTPA_MAX, otherwise GTPA_MAX is off by 2.
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/gtp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/gtp.h b/include/uapi/linux/gtp.h
+index 79f9191bbb24c..82d0e58ec3ce2 100644
+--- a/include/uapi/linux/gtp.h
++++ b/include/uapi/linux/gtp.h
+@@ -32,6 +32,6 @@ enum gtp_attrs {
+ GTPA_PAD,
+ __GTPA_MAX,
+ };
+-#define GTPA_MAX (__GTPA_MAX + 1)
++#define GTPA_MAX (__GTPA_MAX - 1)
+
+ #endif /* _UAPI_LINUX_GTP_H_ */
+--
+2.42.0
+
--- /dev/null
+From 439af6f1affb159b03acf67071db2f0686f1e8eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Oct 2023 14:27:14 -0700
+Subject: i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit 77a8c982ff0d4c3a14022c6fe9e3dbfb327552ec ]
+
+The I40E_TXR_FLAGS_WB_ON_ITR is i40e_ring flag and not i40e_pf one.
+
+Fixes: 8e0764b4d6be42 ("i40e/i40evf: Add support for writeback on ITR feature for X722")
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://lore.kernel.org/r/20231023212714.178032-1-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_txrx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+index 43be33d87e391..88d8f17cefd8e 100644
+--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+@@ -2663,7 +2663,7 @@ int i40e_napi_poll(struct napi_struct *napi, int budget)
+ return budget;
+ }
+
+- if (vsi->back->flags & I40E_TXR_FLAGS_WB_ON_ITR)
++ if (q_vector->tx.ring[0].flags & I40E_TXR_FLAGS_WB_ON_ITR)
+ q_vector->arm_wb_state = false;
+
+ /* Exit the polling mode, but don't re-enable interrupts if stack might
+--
+2.42.0
+
--- /dev/null
+From 34b7bdec18a09572706d2a67c21b1a69de256d34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 13:40:35 -0700
+Subject: igb: Fix potential memory leak in igb_add_ethtool_nfc_entry
+
+From: Mateusz Palczewski <mateusz.palczewski@intel.com>
+
+[ Upstream commit 8c0b48e01daba5ca58f939a8425855d3f4f2ed14 ]
+
+Add check for return of igb_update_ethtool_nfc_entry so that in case
+of any potential errors the memory alocated for input will be freed.
+
+Fixes: 0e71def25281 ("igb: add support of RX network flow classification")
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_ethtool.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_ethtool.c b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+index d9de3b8115431..2d1d9090f2cbf 100644
+--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c
++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+@@ -2987,11 +2987,15 @@ static int igb_add_ethtool_nfc_entry(struct igb_adapter *adapter,
+ if (err)
+ goto err_out_w_lock;
+
+- igb_update_ethtool_nfc_entry(adapter, input, input->sw_idx);
++ err = igb_update_ethtool_nfc_entry(adapter, input, input->sw_idx);
++ if (err)
++ goto err_out_input_filter;
+
+ spin_unlock(&adapter->nfc_lock);
+ return 0;
+
++err_out_input_filter:
++ igb_erase_filter(adapter, input);
+ err_out_w_lock:
+ spin_unlock(&adapter->nfc_lock);
+ err_out:
+--
+2.42.0
+
--- /dev/null
+From c981a6214ef186064329e8ac6e118ca150e76a6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 13:36:41 -0700
+Subject: igc: Fix ambiguity in the ethtool advertising
+
+From: Sasha Neftin <sasha.neftin@intel.com>
+
+[ Upstream commit e7684d29efdf37304c62bb337ea55b3428ca118e ]
+
+The 'ethtool_convert_link_mode_to_legacy_u32' method does not allow us to
+advertise 2500M speed support and TP (twisted pair) properly. Convert to
+'ethtool_link_ksettings_test_link_mode' to advertise supported speed and
+eliminate ambiguity.
+
+Fixes: 8c5ad0dae93c ("igc: Add ethtool support")
+Suggested-by: Dima Ruinskiy <dima.ruinskiy@intel.com>
+Suggested-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://lore.kernel.org/r/20231019203641.3661960-1-jacob.e.keller@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_ethtool.c | 35 ++++++++++++++------
+ 1 file changed, 25 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ethtool.c b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+index d28ac3a025ab1..9b01912c6e171 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ethtool.c
++++ b/drivers/net/ethernet/intel/igc/igc_ethtool.c
+@@ -1775,7 +1775,7 @@ igc_ethtool_set_link_ksettings(struct net_device *netdev,
+ struct igc_adapter *adapter = netdev_priv(netdev);
+ struct net_device *dev = adapter->netdev;
+ struct igc_hw *hw = &adapter->hw;
+- u32 advertising;
++ u16 advertised = 0;
+
+ /* When adapter in resetting mode, autoneg/speed/duplex
+ * cannot be changed
+@@ -1800,18 +1800,33 @@ igc_ethtool_set_link_ksettings(struct net_device *netdev,
+ while (test_and_set_bit(__IGC_RESETTING, &adapter->state))
+ usleep_range(1000, 2000);
+
+- ethtool_convert_link_mode_to_legacy_u32(&advertising,
+- cmd->link_modes.advertising);
+- /* Converting to legacy u32 drops ETHTOOL_LINK_MODE_2500baseT_Full_BIT.
+- * We have to check this and convert it to ADVERTISE_2500_FULL
+- * (aka ETHTOOL_LINK_MODE_2500baseX_Full_BIT) explicitly.
+- */
+- if (ethtool_link_ksettings_test_link_mode(cmd, advertising, 2500baseT_Full))
+- advertising |= ADVERTISE_2500_FULL;
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 2500baseT_Full))
++ advertised |= ADVERTISE_2500_FULL;
++
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 1000baseT_Full))
++ advertised |= ADVERTISE_1000_FULL;
++
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 100baseT_Full))
++ advertised |= ADVERTISE_100_FULL;
++
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 100baseT_Half))
++ advertised |= ADVERTISE_100_HALF;
++
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 10baseT_Full))
++ advertised |= ADVERTISE_10_FULL;
++
++ if (ethtool_link_ksettings_test_link_mode(cmd, advertising,
++ 10baseT_Half))
++ advertised |= ADVERTISE_10_HALF;
+
+ if (cmd->base.autoneg == AUTONEG_ENABLE) {
+ hw->mac.autoneg = 1;
+- hw->phy.autoneg_advertised = advertising;
++ hw->phy.autoneg_advertised = advertised;
+ if (adapter->fc_autoneg)
+ hw->fc.requested_mode = igc_fc_default;
+ } else {
+--
+2.42.0
+
--- /dev/null
+From f91b53649d5f6d880603a3f9327bb0539f2a7f9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 12:21:04 +0000
+Subject: neighbour: fix various data-races
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a9beb7e81bcb876615e1fbb3c07f3f9dba69831f ]
+
+1) tbl->gc_thresh1, tbl->gc_thresh2, tbl->gc_thresh3 and tbl->gc_interval
+ can be written from sysfs.
+
+2) tbl->last_flush is read locklessly from neigh_alloc()
+
+3) tbl->proxy_queue.qlen is read locklessly from neightbl_fill_info()
+
+4) neightbl_fill_info() reads cpu stats that can be changed concurrently.
+
+Fixes: c7fb64db001f ("[NETLINK]: Neighbour table configuration and statistics via rtnetlink")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20231019122104.1448310-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/neighbour.c | 67 +++++++++++++++++++++++---------------------
+ 1 file changed, 35 insertions(+), 32 deletions(-)
+
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index 15267428c4f83..4c43183a8d93a 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -224,7 +224,8 @@ bool neigh_remove_one(struct neighbour *ndel, struct neigh_table *tbl)
+
+ static int neigh_forced_gc(struct neigh_table *tbl)
+ {
+- int max_clean = atomic_read(&tbl->gc_entries) - tbl->gc_thresh2;
++ int max_clean = atomic_read(&tbl->gc_entries) -
++ READ_ONCE(tbl->gc_thresh2);
+ unsigned long tref = jiffies - 5 * HZ;
+ struct neighbour *n, *tmp;
+ int shrunk = 0;
+@@ -253,7 +254,7 @@ static int neigh_forced_gc(struct neigh_table *tbl)
+ }
+ }
+
+- tbl->last_flush = jiffies;
++ WRITE_ONCE(tbl->last_flush, jiffies);
+
+ write_unlock_bh(&tbl->lock);
+
+@@ -409,17 +410,17 @@ static struct neighbour *neigh_alloc(struct neigh_table *tbl,
+ {
+ struct neighbour *n = NULL;
+ unsigned long now = jiffies;
+- int entries;
++ int entries, gc_thresh3;
+
+ if (exempt_from_gc)
+ goto do_alloc;
+
+ entries = atomic_inc_return(&tbl->gc_entries) - 1;
+- if (entries >= tbl->gc_thresh3 ||
+- (entries >= tbl->gc_thresh2 &&
+- time_after(now, tbl->last_flush + 5 * HZ))) {
+- if (!neigh_forced_gc(tbl) &&
+- entries >= tbl->gc_thresh3) {
++ gc_thresh3 = READ_ONCE(tbl->gc_thresh3);
++ if (entries >= gc_thresh3 ||
++ (entries >= READ_ONCE(tbl->gc_thresh2) &&
++ time_after(now, READ_ONCE(tbl->last_flush) + 5 * HZ))) {
++ if (!neigh_forced_gc(tbl) && entries >= gc_thresh3) {
+ net_info_ratelimited("%s: neighbor table overflow!\n",
+ tbl->id);
+ NEIGH_CACHE_STAT_INC(tbl, table_fulls);
+@@ -902,13 +903,14 @@ static void neigh_periodic_work(struct work_struct *work)
+
+ if (time_after(jiffies, tbl->last_rand + 300 * HZ)) {
+ struct neigh_parms *p;
+- tbl->last_rand = jiffies;
++
++ WRITE_ONCE(tbl->last_rand, jiffies);
+ list_for_each_entry(p, &tbl->parms_list, list)
+ p->reachable_time =
+ neigh_rand_reach_time(NEIGH_VAR(p, BASE_REACHABLE_TIME));
+ }
+
+- if (atomic_read(&tbl->entries) < tbl->gc_thresh1)
++ if (atomic_read(&tbl->entries) < READ_ONCE(tbl->gc_thresh1))
+ goto out;
+
+ for (i = 0 ; i < (1 << nht->hash_shift); i++) {
+@@ -2055,15 +2057,16 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl,
+ ndtmsg->ndtm_pad2 = 0;
+
+ if (nla_put_string(skb, NDTA_NAME, tbl->id) ||
+- nla_put_msecs(skb, NDTA_GC_INTERVAL, tbl->gc_interval, NDTA_PAD) ||
+- nla_put_u32(skb, NDTA_THRESH1, tbl->gc_thresh1) ||
+- nla_put_u32(skb, NDTA_THRESH2, tbl->gc_thresh2) ||
+- nla_put_u32(skb, NDTA_THRESH3, tbl->gc_thresh3))
++ nla_put_msecs(skb, NDTA_GC_INTERVAL, READ_ONCE(tbl->gc_interval),
++ NDTA_PAD) ||
++ nla_put_u32(skb, NDTA_THRESH1, READ_ONCE(tbl->gc_thresh1)) ||
++ nla_put_u32(skb, NDTA_THRESH2, READ_ONCE(tbl->gc_thresh2)) ||
++ nla_put_u32(skb, NDTA_THRESH3, READ_ONCE(tbl->gc_thresh3)))
+ goto nla_put_failure;
+ {
+ unsigned long now = jiffies;
+- long flush_delta = now - tbl->last_flush;
+- long rand_delta = now - tbl->last_rand;
++ long flush_delta = now - READ_ONCE(tbl->last_flush);
++ long rand_delta = now - READ_ONCE(tbl->last_rand);
+ struct neigh_hash_table *nht;
+ struct ndt_config ndc = {
+ .ndtc_key_len = tbl->key_len,
+@@ -2071,7 +2074,7 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl,
+ .ndtc_entries = atomic_read(&tbl->entries),
+ .ndtc_last_flush = jiffies_to_msecs(flush_delta),
+ .ndtc_last_rand = jiffies_to_msecs(rand_delta),
+- .ndtc_proxy_qlen = tbl->proxy_queue.qlen,
++ .ndtc_proxy_qlen = READ_ONCE(tbl->proxy_queue.qlen),
+ };
+
+ rcu_read_lock_bh();
+@@ -2094,17 +2097,17 @@ static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl,
+ struct neigh_statistics *st;
+
+ st = per_cpu_ptr(tbl->stats, cpu);
+- ndst.ndts_allocs += st->allocs;
+- ndst.ndts_destroys += st->destroys;
+- ndst.ndts_hash_grows += st->hash_grows;
+- ndst.ndts_res_failed += st->res_failed;
+- ndst.ndts_lookups += st->lookups;
+- ndst.ndts_hits += st->hits;
+- ndst.ndts_rcv_probes_mcast += st->rcv_probes_mcast;
+- ndst.ndts_rcv_probes_ucast += st->rcv_probes_ucast;
+- ndst.ndts_periodic_gc_runs += st->periodic_gc_runs;
+- ndst.ndts_forced_gc_runs += st->forced_gc_runs;
+- ndst.ndts_table_fulls += st->table_fulls;
++ ndst.ndts_allocs += READ_ONCE(st->allocs);
++ ndst.ndts_destroys += READ_ONCE(st->destroys);
++ ndst.ndts_hash_grows += READ_ONCE(st->hash_grows);
++ ndst.ndts_res_failed += READ_ONCE(st->res_failed);
++ ndst.ndts_lookups += READ_ONCE(st->lookups);
++ ndst.ndts_hits += READ_ONCE(st->hits);
++ ndst.ndts_rcv_probes_mcast += READ_ONCE(st->rcv_probes_mcast);
++ ndst.ndts_rcv_probes_ucast += READ_ONCE(st->rcv_probes_ucast);
++ ndst.ndts_periodic_gc_runs += READ_ONCE(st->periodic_gc_runs);
++ ndst.ndts_forced_gc_runs += READ_ONCE(st->forced_gc_runs);
++ ndst.ndts_table_fulls += READ_ONCE(st->table_fulls);
+ }
+
+ if (nla_put_64bit(skb, NDTA_STATS, sizeof(ndst), &ndst,
+@@ -2328,16 +2331,16 @@ static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh,
+ goto errout_tbl_lock;
+
+ if (tb[NDTA_THRESH1])
+- tbl->gc_thresh1 = nla_get_u32(tb[NDTA_THRESH1]);
++ WRITE_ONCE(tbl->gc_thresh1, nla_get_u32(tb[NDTA_THRESH1]));
+
+ if (tb[NDTA_THRESH2])
+- tbl->gc_thresh2 = nla_get_u32(tb[NDTA_THRESH2]);
++ WRITE_ONCE(tbl->gc_thresh2, nla_get_u32(tb[NDTA_THRESH2]));
+
+ if (tb[NDTA_THRESH3])
+- tbl->gc_thresh3 = nla_get_u32(tb[NDTA_THRESH3]);
++ WRITE_ONCE(tbl->gc_thresh3, nla_get_u32(tb[NDTA_THRESH3]));
+
+ if (tb[NDTA_GC_INTERVAL])
+- tbl->gc_interval = nla_get_msecs(tb[NDTA_GC_INTERVAL]);
++ WRITE_ONCE(tbl->gc_interval, nla_get_msecs(tb[NDTA_GC_INTERVAL]));
+
+ err = 0;
+
+--
+2.42.0
+
--- /dev/null
+From 975daf9db039b1645c8bfd0b0c4220e3e02f8dd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Oct 2023 20:03:53 +0200
+Subject: net: ieee802154: adf7242: Fix some potential buffer overflow in
+ adf7242_stats_show()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ca082f019d8fbb983f03080487946da714154bae ]
+
+strncat() usage in adf7242_debugfs_init() is wrong.
+The size given to strncat() is the maximum number of bytes that can be
+written, excluding the trailing NULL.
+
+Here, the size that is passed, DNAME_INLINE_LEN, does not take into account
+the size of "adf7242-" that is already in the array.
+
+In order to fix it, use snprintf() instead.
+
+Fixes: 7302b9d90117 ("ieee802154/adf7242: Driver for ADF7242 MAC IEEE802154")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/adf7242.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c
+index 07adbeec19787..14cf8b0dfad90 100644
+--- a/drivers/net/ieee802154/adf7242.c
++++ b/drivers/net/ieee802154/adf7242.c
+@@ -1162,9 +1162,10 @@ static int adf7242_stats_show(struct seq_file *file, void *offset)
+
+ static void adf7242_debugfs_init(struct adf7242_local *lp)
+ {
+- char debugfs_dir_name[DNAME_INLINE_LEN + 1] = "adf7242-";
++ char debugfs_dir_name[DNAME_INLINE_LEN + 1];
+
+- strncat(debugfs_dir_name, dev_name(&lp->spi->dev), DNAME_INLINE_LEN);
++ snprintf(debugfs_dir_name, sizeof(debugfs_dir_name),
++ "adf7242-%s", dev_name(&lp->spi->dev));
+
+ lp->debugfs_root = debugfs_create_dir(debugfs_dir_name, NULL);
+
+--
+2.42.0
+
--- /dev/null
+From 4179f96bd42c5ed595a360d1bcd9e4782ea2000f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Oct 2023 02:03:44 +0900
+Subject: net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 51a32e828109b4a209efde44505baa356b37a4ce ]
+
+syzbot reported the following uninit-value access issue [1]:
+
+smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Failed to read reg index 0x00000030: -32
+smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Error reading E2P_CMD
+=====================================================
+BUG: KMSAN: uninit-value in smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896
+ smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896
+ smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131
+ usbnet_probe+0x100b/0x4060 drivers/net/usb/usbnet.c:1750
+ usb_probe_interface+0xc75/0x1210 drivers/usb/core/driver.c:396
+ really_probe+0x506/0xf40 drivers/base/dd.c:658
+ __driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800
+ driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830
+ __device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958
+ bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457
+ __device_attach+0x3bd/0x640 drivers/base/dd.c:1030
+ device_initial_probe+0x32/0x40 drivers/base/dd.c:1079
+ bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532
+ device_add+0x16ae/0x1f20 drivers/base/core.c:3622
+ usb_set_configuration+0x31c9/0x38c0 drivers/usb/core/message.c:2207
+ usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:238
+ usb_probe_device+0x290/0x4a0 drivers/usb/core/driver.c:293
+ really_probe+0x506/0xf40 drivers/base/dd.c:658
+ __driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800
+ driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830
+ __device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958
+ bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457
+ __device_attach+0x3bd/0x640 drivers/base/dd.c:1030
+ device_initial_probe+0x32/0x40 drivers/base/dd.c:1079
+ bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532
+ device_add+0x16ae/0x1f20 drivers/base/core.c:3622
+ usb_new_device+0x15f6/0x22f0 drivers/usb/core/hub.c:2589
+ hub_port_connect drivers/usb/core/hub.c:5440 [inline]
+ hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
+ port_event drivers/usb/core/hub.c:5740 [inline]
+ hub_event+0x53bc/0x7290 drivers/usb/core/hub.c:5822
+ process_one_work kernel/workqueue.c:2630 [inline]
+ process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2703
+ worker_thread+0xf45/0x1490 kernel/workqueue.c:2784
+ kthread+0x3e8/0x540 kernel/kthread.c:388
+ ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
+
+Local variable buf.i225 created at:
+ smsc95xx_read_reg drivers/net/usb/smsc95xx.c:90 [inline]
+ smsc95xx_reset+0x203/0x25f0 drivers/net/usb/smsc95xx.c:892
+ smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131
+
+CPU: 1 PID: 773 Comm: kworker/1:2 Not tainted 6.6.0-rc1-syzkaller-00125-ge42bebf6db29 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
+Workqueue: usb_hub_wq hub_event
+=====================================================
+
+Similar to e9c65989920f ("net: usb: smsc75xx: Fix uninit-value access in
+__smsc75xx_read_reg"), this issue is caused because usbnet_read_cmd() reads
+less bytes than requested (zero byte in the reproducer). In this case,
+'buf' is not properly filled.
+
+This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads
+less bytes than requested.
+
+sysbot reported similar uninit-value access issue [2]. The root cause is
+the same as mentioned above, and this patch addresses it as well.
+
+Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
+Reported-and-tested-by: syzbot+c74c24b43c9ae534f0e0@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+2c97a98a5ba9ea9c23bd@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c74c24b43c9ae534f0e0 [1]
+Closes: https://syzkaller.appspot.com/bug?extid=2c97a98a5ba9ea9c23bd [2]
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc95xx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c
+index 9297f2078fd2c..569be01700aa1 100644
+--- a/drivers/net/usb/smsc95xx.c
++++ b/drivers/net/usb/smsc95xx.c
+@@ -86,7 +86,9 @@ static int __must_check __smsc95xx_read_reg(struct usbnet *dev, u32 index,
+ ret = fn(dev, USB_VENDOR_REQUEST_READ_REGISTER, USB_DIR_IN
+ | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 0, index, &buf, 4);
+- if (ret < 0) {
++ if (ret < 4) {
++ ret = ret < 0 ? ret : -ENODATA;
++
+ if (ret != -ENODEV)
+ netdev_warn(dev->net, "Failed to read reg index 0x%08x: %d\n",
+ index, ret);
+--
+2.42.0
+
--- /dev/null
+From 4e53dcd1df7b8b2be5ac1bec858d5003ff63b2f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 14:06:54 -0700
+Subject: r8152: Cancel hw_phy_work if we have an error in probe
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit bb8adff9123e492598162ac1baad01a53891aef6 ]
+
+The error handling in rtl8152_probe() is missing a call to cancel the
+hw_phy_work. Add it in to match what's in the cleanup code in
+rtl8152_disconnect().
+
+Fixes: a028a9e003f2 ("r8152: move the settings of PHY to a work queue")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Grant Grundler <grundler@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 517334aab278a..beb1fb6f72735 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -6825,6 +6825,7 @@ static int rtl8152_probe(struct usb_interface *intf,
+
+ out1:
+ tasklet_kill(&tp->tx_tl);
++ cancel_delayed_work_sync(&tp->hw_phy_work);
+ if (tp->rtl_ops.unload)
+ tp->rtl_ops.unload(tp);
+ usb_set_intfdata(intf, NULL);
+--
+2.42.0
+
--- /dev/null
+From fdb135615b3d221baf4ca84cfb76dc72c25a67f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 14:06:52 -0700
+Subject: r8152: Increase USB control msg timeout to 5000ms as per spec
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit a5feba71ec9c14a54c3babdc732c5b6866d8ee43 ]
+
+According to the comment next to USB_CTRL_GET_TIMEOUT and
+USB_CTRL_SET_TIMEOUT, although sending/receiving control messages is
+usually quite fast, the spec allows them to take up to 5 seconds.
+Let's increase the timeout in the Realtek driver from 500ms to 5000ms
+(using the #defines) to account for this.
+
+This is not just a theoretical change. The need for the longer timeout
+was seen in testing. Specifically, if you drop a sc7180-trogdor based
+Chromebook into the kdb debugger and then "go" again after sitting in
+the debugger for a while, the next USB control message takes a long
+time. Out of ~40 tests the slowest USB control message was 4.5
+seconds.
+
+While dropping into kdb is not exactly an end-user scenario, the above
+is similar to what could happen due to an temporary interrupt storm,
+what could happen if there was a host controller (HW or SW) issue, or
+what could happen if the Realtek device got into a confused state and
+needed time to recover.
+
+This change is fairly critical since the r8152 driver in Linux doesn't
+expect register reads/writes (which are backed by USB control
+messages) to fail.
+
+Fixes: ac718b69301c ("net/usb: new driver for RTL8152")
+Suggested-by: Hayes Wang <hayeswang@realtek.com>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Grant Grundler <grundler@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index cc7c86debfa27..d0ab761dad189 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -1042,7 +1042,7 @@ int get_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data)
+
+ ret = usb_control_msg(tp->udev, usb_rcvctrlpipe(tp->udev, 0),
+ RTL8152_REQ_GET_REGS, RTL8152_REQT_READ,
+- value, index, tmp, size, 500);
++ value, index, tmp, size, USB_CTRL_GET_TIMEOUT);
+ if (ret < 0)
+ memset(data, 0xff, size);
+ else
+@@ -1065,7 +1065,7 @@ int set_registers(struct r8152 *tp, u16 value, u16 index, u16 size, void *data)
+
+ ret = usb_control_msg(tp->udev, usb_sndctrlpipe(tp->udev, 0),
+ RTL8152_REQ_SET_REGS, RTL8152_REQT_WRITE,
+- value, index, tmp, size, 500);
++ value, index, tmp, size, USB_CTRL_SET_TIMEOUT);
+
+ kfree(tmp);
+
+@@ -6615,7 +6615,8 @@ static u8 rtl_get_version(struct usb_interface *intf)
+
+ ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+ RTL8152_REQ_GET_REGS, RTL8152_REQT_READ,
+- PLA_TCR0, MCU_TYPE_PLA, tmp, sizeof(*tmp), 500);
++ PLA_TCR0, MCU_TYPE_PLA, tmp, sizeof(*tmp),
++ USB_CTRL_GET_TIMEOUT);
+ if (ret > 0)
+ ocp_data = (__le32_to_cpu(*tmp) >> 16) & VERSION_MASK;
+
+--
+2.42.0
+
--- /dev/null
+From d52a2356c0562d1a5d1c2cf3ce0a2f49ea8753f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 14:06:55 -0700
+Subject: r8152: Release firmware if we have an error in probe
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit b8d35024d4059ca550cba11ac9ab23a6c238d929 ]
+
+The error handling in rtl8152_probe() is missing a call to release
+firmware. Add it in to match what's in the cleanup code in
+rtl8152_disconnect().
+
+Fixes: 9370f2d05a2a ("r8152: support request_firmware for RTL8153")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Grant Grundler <grundler@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index beb1fb6f72735..0d6f10c9bb139 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -6828,6 +6828,7 @@ static int rtl8152_probe(struct usb_interface *intf,
+ cancel_delayed_work_sync(&tp->hw_phy_work);
+ if (tp->rtl_ops.unload)
+ tp->rtl_ops.unload(tp);
++ rtl8152_release_firmware(tp);
+ usb_set_intfdata(intf, NULL);
+ out:
+ free_netdev(netdev);
+--
+2.42.0
+
--- /dev/null
+From 3b6e8772498d3034c1494d930804bf2490bc9195 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 14:06:53 -0700
+Subject: r8152: Run the unload routine if we have errors during probe
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 5dd17689526971c5ae12bc8398f34bd68cd0499e ]
+
+The rtl8152_probe() function lacks a call to the chip-specific
+unload() routine when it sees an error in probe. Add it in to match
+the cleanup code in rtl8152_disconnect().
+
+Fixes: ac718b69301c ("net/usb: new driver for RTL8152")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Grant Grundler <grundler@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index d0ab761dad189..517334aab278a 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -6825,6 +6825,8 @@ static int rtl8152_probe(struct usb_interface *intf,
+
+ out1:
+ tasklet_kill(&tp->tx_tl);
++ if (tp->rtl_ops.unload)
++ tp->rtl_ops.unload(tp);
+ usb_set_intfdata(intf, NULL);
+ out:
+ free_netdev(netdev);
+--
+2.42.0
+
--- /dev/null
+From f156a3a56793dbd0c6d4bbe5135807d3969e9d99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Oct 2023 21:34:38 +0200
+Subject: r8169: fix the KCSAN reported data race in rtl_rx while reading
+ desc->opts1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+
+[ Upstream commit f97eee484e71890131f9c563c5cc6d5a69e4308d ]
+
+KCSAN reported the following data-race bug:
+
+==================================================================
+BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169
+
+race at unknown origin, with read to 0xffff888117e43510 of 4 bytes by interrupt on cpu 21:
+rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169
+__napi_poll (net/core/dev.c:6527)
+net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727)
+__do_softirq (kernel/softirq.c:553)
+__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632)
+irq_exit_rcu (kernel/softirq.c:647)
+sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14))
+asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645)
+cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291)
+cpuidle_enter (drivers/cpuidle/cpuidle.c:390)
+call_cpuidle (kernel/sched/idle.c:135)
+do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282)
+cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1))
+start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294)
+secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433)
+
+value changed: 0x80003fff -> 0x3402805f
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41
+Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023
+==================================================================
+
+drivers/net/ethernet/realtek/r8169_main.c:
+==========================================
+ 4429
+ → 4430 status = le32_to_cpu(desc->opts1);
+ 4431 if (status & DescOwn)
+ 4432 break;
+ 4433
+ 4434 /* This barrier is needed to keep us from reading
+ 4435 * any other fields out of the Rx descriptor until
+ 4436 * we know the status of DescOwn
+ 4437 */
+ 4438 dma_rmb();
+ 4439
+ 4440 if (unlikely(status & RxRES)) {
+ 4441 if (net_ratelimit())
+ 4442 netdev_warn(dev, "Rx ERROR. status = %08x\n",
+
+Marco Elver explained that dma_rmb() doesn't prevent the compiler to tear up the access to
+desc->opts1 which can be written to concurrently. READ_ONCE() should prevent that from
+happening:
+
+ 4429
+ → 4430 status = le32_to_cpu(READ_ONCE(desc->opts1));
+ 4431 if (status & DescOwn)
+ 4432 break;
+ 4433
+
+As the consequence of this fix, this KCSAN warning was eliminated.
+
+Fixes: 6202806e7c03a ("r8169: drop member opts1_mask from struct rtl8169_private")
+Suggested-by: Marco Elver <elver@google.com>
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: nic_swsd@realtek.com
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: netdev@vger.kernel.org
+Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/
+Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Acked-by: Marco Elver <elver@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index d47adc7725ad5..37e34d8f7946e 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -4544,7 +4544,7 @@ static int rtl_rx(struct net_device *dev, struct rtl8169_private *tp, u32 budget
+ dma_addr_t addr;
+ u32 status;
+
+- status = le32_to_cpu(desc->opts1);
++ status = le32_to_cpu(READ_ONCE(desc->opts1));
+ if (status & DescOwn)
+ break;
+
+--
+2.42.0
+
--- /dev/null
+From 5ac4fb36710b2994db7bfdceb024245d8bd803d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Oct 2023 21:34:36 +0200
+Subject: r8169: fix the KCSAN reported data-race in rtl_tx while reading
+ TxDescArray[entry].opts1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+
+[ Upstream commit dcf75a0f6bc136de94e88178ae5f51b7f879abc9 ]
+
+KCSAN reported the following data-race:
+
+==================================================================
+BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169
+
+race at unknown origin, with read to 0xffff888140d37570 of 4 bytes by interrupt on cpu 21:
+rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169
+__napi_poll (net/core/dev.c:6527)
+net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727)
+__do_softirq (kernel/softirq.c:553)
+__irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632)
+irq_exit_rcu (kernel/softirq.c:647)
+sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14))
+asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645)
+cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291)
+cpuidle_enter (drivers/cpuidle/cpuidle.c:390)
+call_cpuidle (kernel/sched/idle.c:135)
+do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282)
+cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1))
+start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294)
+secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433)
+
+value changed: 0xb0000042 -> 0x00000000
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41
+Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023
+==================================================================
+
+The read side is in
+
+drivers/net/ethernet/realtek/r8169_main.c
+=========================================
+ 4355 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp,
+ 4356 int budget)
+ 4357 {
+ 4358 unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0;
+ 4359 struct sk_buff *skb;
+ 4360
+ 4361 dirty_tx = tp->dirty_tx;
+ 4362
+ 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) {
+ 4364 unsigned int entry = dirty_tx % NUM_TX_DESC;
+ 4365 u32 status;
+ 4366
+ → 4367 status = le32_to_cpu(tp->TxDescArray[entry].opts1);
+ 4368 if (status & DescOwn)
+ 4369 break;
+ 4370
+ 4371 skb = tp->tx_skb[entry].skb;
+ 4372 rtl8169_unmap_tx_skb(tp, entry);
+ 4373
+ 4374 if (skb) {
+ 4375 pkts_compl++;
+ 4376 bytes_compl += skb->len;
+ 4377 napi_consume_skb(skb, budget);
+ 4378 }
+ 4379 dirty_tx++;
+ 4380 }
+ 4381
+ 4382 if (tp->dirty_tx != dirty_tx) {
+ 4383 dev_sw_netstats_tx_add(dev, pkts_compl, bytes_compl);
+ 4384 WRITE_ONCE(tp->dirty_tx, dirty_tx);
+ 4385
+ 4386 netif_subqueue_completed_wake(dev, 0, pkts_compl, bytes_compl,
+ 4387 rtl_tx_slots_avail(tp),
+ 4388 R8169_TX_START_THRS);
+ 4389 /*
+ 4390 * 8168 hack: TxPoll requests are lost when the Tx packets are
+ 4391 * too close. Let's kick an extra TxPoll request when a burst
+ 4392 * of start_xmit activity is detected (if it is not detected,
+ 4393 * it is slow enough). -- FR
+ 4394 * If skb is NULL then we come here again once a tx irq is
+ 4395 * triggered after the last fragment is marked transmitted.
+ 4396 */
+ 4397 if (READ_ONCE(tp->cur_tx) != dirty_tx && skb)
+ 4398 rtl8169_doorbell(tp);
+ 4399 }
+ 4400 }
+
+tp->TxDescArray[entry].opts1 is reported to have a data-race and READ_ONCE() fixes
+this KCSAN warning.
+
+ 4366
+ → 4367 status = le32_to_cpu(READ_ONCE(tp->TxDescArray[entry].opts1));
+ 4368 if (status & DescOwn)
+ 4369 break;
+ 4370
+
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: nic_swsd@realtek.com
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Marco Elver <elver@google.com>
+Cc: netdev@vger.kernel.org
+Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/
+Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Acked-by: Marco Elver <elver@google.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
+index c025dadcce289..d47adc7725ad5 100644
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -4470,7 +4470,7 @@ static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp,
+ struct sk_buff *skb = tp->tx_skb[entry].skb;
+ u32 status;
+
+- status = le32_to_cpu(tp->TxDescArray[entry].opts1);
++ status = le32_to_cpu(READ_ONCE(tp->TxDescArray[entry].opts1));
+ if (status & DescOwn)
+ break;
+
+--
+2.42.0
+
virtio-mmio-fix-memory-leak-of-vm_dev.patch
mm-page_alloc-correct-start-page-when-guard-page-debug-is-enabled.patch
mmc-renesas_sdhi-use-custom-mask-for-tmio_mask_all.patch
+drm-dp_mst-fix-null-deref-in-get_mst_branch_device_b.patch
+arm-omap1-move-32k-counter-from-plat-omap-to-mach-om.patch
+arm-omap-timer32k-fix-all-kernel-doc-warnings.patch
+r8169-fix-the-kcsan-reported-data-race-in-rtl_tx-whi.patch
+r8169-fix-the-kcsan-reported-data-race-in-rtl_rx-whi.patch
+treewide-spelling-fix-in-comment.patch
+igb-fix-potential-memory-leak-in-igb_add_ethtool_nfc.patch
+neighbour-fix-various-data-races.patch
+igc-fix-ambiguity-in-the-ethtool-advertising.patch
+net-ieee802154-adf7242-fix-some-potential-buffer-ove.patch
+net-usb-smsc95xx-fix-uninit-value-access-in-smsc95xx.patch
+r8152-increase-usb-control-msg-timeout-to-5000ms-as-.patch
+r8152-run-the-unload-routine-if-we-have-errors-durin.patch
+r8152-cancel-hw_phy_work-if-we-have-an-error-in-prob.patch
+r8152-release-firmware-if-we-have-an-error-in-probe.patch
+tcp-fix-wrong-rto-timeout-when-received-sack-renegin.patch
+gtp-uapi-fix-gtpa_max.patch
+gtp-fix-fragmentation-needed-check-with-gso.patch
+i40e-fix-wrong-check-for-i40e_txr_flags_wb_on_itr.patch
--- /dev/null
+From 1c3d45597c3a6a2ea5f6cb8f46807c1c493bf5f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Oct 2023 08:19:47 +0800
+Subject: tcp: fix wrong RTO timeout when received SACK reneging
+
+From: Fred Chen <fred.chenchen03@gmail.com>
+
+[ Upstream commit d2a0fc372aca561556e765d0a9ec365c7c12f0ad ]
+
+This commit fix wrong RTO timeout when received SACK reneging.
+
+When an ACK arrived pointing to a SACK reneging, tcp_check_sack_reneging()
+will rearm the RTO timer for min(1/2*srtt, 10ms) into to the future.
+
+But since the commit 62d9f1a6945b ("tcp: fix TLP timer not set when
+CA_STATE changes from DISORDER to OPEN") merged, the tcp_set_xmit_timer()
+is moved after tcp_fastretrans_alert()(which do the SACK reneging check),
+so the RTO timeout will be overwrited by tcp_set_xmit_timer() with
+icsk_rto instead of 1/2*srtt.
+
+Here is a packetdrill script to check this bug:
+0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
++0 bind(3, ..., ...) = 0
++0 listen(3, 1) = 0
+
+// simulate srtt to 100ms
++0 < S 0:0(0) win 32792 <mss 1000, sackOK,nop,nop,nop,wscale 7>
++0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 7>
++.1 < . 1:1(0) ack 1 win 1024
+
++0 accept(3, ..., ...) = 4
+
++0 write(4, ..., 10000) = 10000
++0 > P. 1:10001(10000) ack 1
+
+// inject sack
++.1 < . 1:1(0) ack 1 win 257 <sack 1001:10001,nop,nop>
++0 > . 1:1001(1000) ack 1
+
+// inject sack reneging
++.1 < . 1:1(0) ack 1001 win 257 <sack 9001:10001,nop,nop>
+
+// we expect rto fired in 1/2*srtt (50ms)
++.05 > . 1001:2001(1000) ack 1
+
+This fix remove the FLAG_SET_XMIT_TIMER from ack_flag when
+tcp_check_sack_reneging() set RTO timer with 1/2*srtt to avoid
+being overwrited later.
+
+Fixes: 62d9f1a6945b ("tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN")
+Signed-off-by: Fred Chen <fred.chenchen03@gmail.com>
+Reviewed-by: Neal Cardwell <ncardwell@google.com>
+Tested-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_input.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 3f2b6a3adf6a9..0c935904ced82 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -2185,16 +2185,17 @@ void tcp_enter_loss(struct sock *sk)
+ * restore sanity to the SACK scoreboard. If the apparent reneging
+ * persists until this RTO then we'll clear the SACK scoreboard.
+ */
+-static bool tcp_check_sack_reneging(struct sock *sk, int flag)
++static bool tcp_check_sack_reneging(struct sock *sk, int *ack_flag)
+ {
+- if (flag & FLAG_SACK_RENEGING &&
+- flag & FLAG_SND_UNA_ADVANCED) {
++ if (*ack_flag & FLAG_SACK_RENEGING &&
++ *ack_flag & FLAG_SND_UNA_ADVANCED) {
+ struct tcp_sock *tp = tcp_sk(sk);
+ unsigned long delay = max(usecs_to_jiffies(tp->srtt_us >> 4),
+ msecs_to_jiffies(10));
+
+ inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
+ delay, TCP_RTO_MAX);
++ *ack_flag &= ~FLAG_SET_XMIT_TIMER;
+ return true;
+ }
+ return false;
+@@ -2950,7 +2951,7 @@ static void tcp_fastretrans_alert(struct sock *sk, const u32 prior_snd_una,
+ tp->prior_ssthresh = 0;
+
+ /* B. In all the states check for reneging SACKs. */
+- if (tcp_check_sack_reneging(sk, flag))
++ if (tcp_check_sack_reneging(sk, ack_flag))
+ return;
+
+ /* C. Check consistency of the current state. */
+--
+2.42.0
+
--- /dev/null
+From 11286544d2208c6811ee7bee244bb4ecd2f30be7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 17:31:56 +0800
+Subject: treewide: Spelling fix in comment
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit fb71ba0ed8be9534493c80ba00142a64d9972a72 ]
+
+reques -> request
+
+Fixes: 09dde54c6a69 ("PS3: gelic: Add wireless support for PS3")
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/toshiba/ps3_gelic_wireless.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c b/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c
+index dc14a66583ff3..44488c153ea25 100644
+--- a/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c
++++ b/drivers/net/ethernet/toshiba/ps3_gelic_wireless.c
+@@ -1217,7 +1217,7 @@ static int gelic_wl_set_encodeext(struct net_device *netdev,
+ key_index = wl->current_key;
+
+ if (!enc->length && (ext->ext_flags & IW_ENCODE_EXT_SET_TX_KEY)) {
+- /* reques to change default key index */
++ /* request to change default key index */
+ pr_debug("%s: request to change default key to %d\n",
+ __func__, key_index);
+ wl->current_key = key_index;
+--
+2.42.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
