--- /dev/null
+From a826b04303a40d52439aa141035fca5654ccaccd Mon Sep 17 00:00:00 2001
+From: Matteo Croce <mcroce@microsoft.com>
+Date: Fri, 15 Jan 2021 19:42:08 +0100
+Subject: ipv6: create multicast route with RTPROT_KERNEL
+
+From: Matteo Croce <mcroce@microsoft.com>
+
+commit a826b04303a40d52439aa141035fca5654ccaccd upstream.
+
+The ff00::/8 multicast route is created without specifying the fc_protocol
+field, so the default RTPROT_BOOT value is used:
+
+ $ ip -6 -d route
+ unicast ::1 dev lo proto kernel scope global metric 256 pref medium
+ unicast fe80::/64 dev eth0 proto kernel scope global metric 256 pref medium
+ unicast ff00::/8 dev eth0 proto boot scope global metric 256 pref medium
+
+As the documentation says, this value identifies routes installed during
+boot, but the route is created when interface is set up.
+Change the value to RTPROT_KERNEL which is a better value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Matteo Croce <mcroce@microsoft.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/addrconf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2397,6 +2397,7 @@ static void addrconf_add_mroute(struct n
+ .fc_flags = RTF_UP,
+ .fc_type = RTN_UNICAST,
+ .fc_nlinfo.nl_net = dev_net(dev),
++ .fc_protocol = RTPROT_KERNEL,
+ };
+
+ ipv6_addr_set(&cfg.fc_dst, htonl(0xFF000000), 0, 0, 0);
--- /dev/null
+From ceed9038b2783d14e0422bdc6fd04f70580efb4c Mon Sep 17 00:00:00 2001
+From: Matteo Croce <mcroce@microsoft.com>
+Date: Fri, 15 Jan 2021 19:42:09 +0100
+Subject: ipv6: set multicast flag on the multicast route
+
+From: Matteo Croce <mcroce@microsoft.com>
+
+commit ceed9038b2783d14e0422bdc6fd04f70580efb4c upstream.
+
+The multicast route ff00::/8 is created with type RTN_UNICAST:
+
+ $ ip -6 -d route
+ unicast ::1 dev lo proto kernel scope global metric 256 pref medium
+ unicast fe80::/64 dev eth0 proto kernel scope global metric 256 pref medium
+ unicast ff00::/8 dev eth0 proto kernel scope global metric 256 pref medium
+
+Set the type to RTN_MULTICAST which is more appropriate.
+
+Fixes: e8478e80e5a7 ("net/ipv6: Save route type in rt6_info")
+Signed-off-by: Matteo Croce <mcroce@microsoft.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/addrconf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2395,7 +2395,7 @@ static void addrconf_add_mroute(struct n
+ .fc_ifindex = dev->ifindex,
+ .fc_dst_len = 8,
+ .fc_flags = RTF_UP,
+- .fc_type = RTN_UNICAST,
++ .fc_type = RTN_MULTICAST,
+ .fc_nlinfo.nl_net = dev_net(dev),
+ .fc_protocol = RTPROT_KERNEL,
+ };
--- /dev/null
+From 5dabd1712cd056814f9ab15f1d68157ceb04e741 Mon Sep 17 00:00:00 2001
+From: Lecopzer Chen <lecopzer@gmail.com>
+Date: Sat, 23 Jan 2021 21:01:29 -0800
+Subject: kasan: fix incorrect arguments passing in kasan_add_zero_shadow
+
+From: Lecopzer Chen <lecopzer@gmail.com>
+
+commit 5dabd1712cd056814f9ab15f1d68157ceb04e741 upstream.
+
+kasan_remove_zero_shadow() shall use original virtual address, start and
+size, instead of shadow address.
+
+Link: https://lkml.kernel.org/r/20210103063847.5963-1-lecopzer@gmail.com
+Fixes: 0207df4fa1a86 ("kernel/memremap, kasan: make ZONE_DEVICE with work with KASAN")
+Signed-off-by: Lecopzer Chen <lecopzer.chen@mediatek.com>
+Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Alexander Potapenko <glider@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/kasan/kasan_init.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/mm/kasan/kasan_init.c
++++ b/mm/kasan/kasan_init.c
+@@ -487,7 +487,6 @@ int kasan_add_zero_shadow(void *start, u
+
+ ret = kasan_populate_zero_shadow(shadow_start, shadow_end);
+ if (ret)
+- kasan_remove_zero_shadow(shadow_start,
+- size >> KASAN_SHADOW_SCALE_SHIFT);
++ kasan_remove_zero_shadow(start, size);
+ return ret;
+ }
--- /dev/null
+From a11a496ee6e2ab6ed850233c96b94caf042af0b9 Mon Sep 17 00:00:00 2001
+From: Lecopzer Chen <lecopzer@gmail.com>
+Date: Sat, 23 Jan 2021 21:01:25 -0800
+Subject: kasan: fix unaligned address is unhandled in kasan_remove_zero_shadow
+
+From: Lecopzer Chen <lecopzer@gmail.com>
+
+commit a11a496ee6e2ab6ed850233c96b94caf042af0b9 upstream.
+
+During testing kasan_populate_early_shadow and kasan_remove_zero_shadow,
+if the shadow start and end address in kasan_remove_zero_shadow() is not
+aligned to PMD_SIZE, the remain unaligned PTE won't be removed.
+
+In the test case for kasan_remove_zero_shadow():
+
+ shadow_start: 0xffffffb802000000, shadow end: 0xffffffbfbe000000
+
+ 3-level page table:
+ PUD_SIZE: 0x40000000 PMD_SIZE: 0x200000 PAGE_SIZE: 4K
+
+0xffffffbf80000000 ~ 0xffffffbfbdf80000 will not be removed because in
+kasan_remove_pud_table(), kasan_pmd_table(*pud) is true but the next
+address is 0xffffffbfbdf80000 which is not aligned to PUD_SIZE.
+
+In the correct condition, this should fallback to the next level
+kasan_remove_pmd_table() but the condition flow always continue to skip
+the unaligned part.
+
+Fix by correcting the condition when next and addr are neither aligned.
+
+Link: https://lkml.kernel.org/r/20210103135621.83129-1-lecopzer@gmail.com
+Fixes: 0207df4fa1a86 ("kernel/memremap, kasan: make ZONE_DEVICE with work with KASAN")
+Signed-off-by: Lecopzer Chen <lecopzer.chen@mediatek.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: YJ Chiang <yj.chiang@mediatek.com>
+Cc: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/kasan/kasan_init.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/mm/kasan/kasan_init.c
++++ b/mm/kasan/kasan_init.c
+@@ -372,9 +372,10 @@ static void kasan_remove_pmd_table(pmd_t
+
+ if (kasan_pte_table(*pmd)) {
+ if (IS_ALIGNED(addr, PMD_SIZE) &&
+- IS_ALIGNED(next, PMD_SIZE))
++ IS_ALIGNED(next, PMD_SIZE)) {
+ pmd_clear(pmd);
+- continue;
++ continue;
++ }
+ }
+ pte = pte_offset_kernel(pmd, addr);
+ kasan_remove_pte_table(pte, addr, next);
+@@ -397,9 +398,10 @@ static void kasan_remove_pud_table(pud_t
+
+ if (kasan_pmd_table(*pud)) {
+ if (IS_ALIGNED(addr, PUD_SIZE) &&
+- IS_ALIGNED(next, PUD_SIZE))
++ IS_ALIGNED(next, PUD_SIZE)) {
+ pud_clear(pud);
+- continue;
++ continue;
++ }
+ }
+ pmd = pmd_offset(pud, addr);
+ pmd_base = pmd_offset(pud, 0);
+@@ -423,9 +425,10 @@ static void kasan_remove_p4d_table(p4d_t
+
+ if (kasan_pud_table(*p4d)) {
+ if (IS_ALIGNED(addr, P4D_SIZE) &&
+- IS_ALIGNED(next, P4D_SIZE))
++ IS_ALIGNED(next, P4D_SIZE)) {
+ p4d_clear(p4d);
+- continue;
++ continue;
++ }
+ }
+ pud = pud_offset(p4d, addr);
+ kasan_remove_pud_table(pud, addr, next);
+@@ -457,9 +460,10 @@ void kasan_remove_zero_shadow(void *star
+
+ if (kasan_p4d_table(*pgd)) {
+ if (IS_ALIGNED(addr, PGDIR_SIZE) &&
+- IS_ALIGNED(next, PGDIR_SIZE))
++ IS_ALIGNED(next, PGDIR_SIZE)) {
+ pgd_clear(pgd);
+- continue;
++ continue;
++ }
+ }
+
+ p4d = p4d_offset(pgd, addr);
--- /dev/null
+From a3eb4e9d4c9218476d05c52dfd2be3d6fdce6b91 Mon Sep 17 00:00:00 2001
+From: Tariq Toukan <tariqt@nvidia.com>
+Date: Sun, 17 Jan 2021 17:15:38 +0200
+Subject: net: Disable NETIF_F_HW_TLS_RX when RXCSUM is disabled
+
+From: Tariq Toukan <tariqt@nvidia.com>
+
+commit a3eb4e9d4c9218476d05c52dfd2be3d6fdce6b91 upstream.
+
+With NETIF_F_HW_TLS_RX packets are decrypted in HW. This cannot be
+logically done when RXCSUM offload is off.
+
+Fixes: 14136564c8ee ("net: Add TLS RX offload feature")
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Boris Pismenny <borisp@nvidia.com>
+Link: https://lore.kernel.org/r/20210117151538.9411-1-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/dev.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -8351,6 +8351,11 @@ static netdev_features_t netdev_fix_feat
+ }
+ }
+
++ if ((features & NETIF_F_HW_TLS_RX) && !(features & NETIF_F_RXCSUM)) {
++ netdev_dbg(dev, "Dropping TLS RX HW offload feature since no RXCSUM feature.\n");
++ features &= ~NETIF_F_HW_TLS_RX;
++ }
++
+ return features;
+ }
+
--- /dev/null
+From 8e4052c32d6b4b39c1e13c652c7e33748d447409 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 19 Jan 2021 17:48:03 +0300
+Subject: net: dsa: b53: fix an off by one in checking "vlan->vid"
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 8e4052c32d6b4b39c1e13c652c7e33748d447409 upstream.
+
+The > comparison should be >= to prevent accessing one element beyond
+the end of the dev->vlans[] array in the caller function, b53_vlan_add().
+The "dev->vlans" array is allocated in the b53_switch_init() function
+and it has "dev->num_vlans" elements.
+
+Fixes: a2482d2ce349 ("net: dsa: b53: Plug in VLAN support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/YAbxI97Dl/pmBy5V@mwanda
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/dsa/b53/b53_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1142,7 +1142,7 @@ int b53_vlan_prepare(struct dsa_switch *
+ if ((is5325(dev) || is5365(dev)) && vlan->vid_begin == 0)
+ return -EOPNOTSUPP;
+
+- if (vlan->vid_end > dev->num_vlans)
++ if (vlan->vid_end >= dev->num_vlans)
+ return -ERANGE;
+
+ b53_enable_vlan(dev, true, dev->vlan_filtering_enabled);
--- /dev/null
+From 87fe04367d842c4d97a77303242d4dd4ac351e46 Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Date: Sat, 16 Jan 2021 03:39:35 +0100
+Subject: net: dsa: mv88e6xxx: also read STU state in mv88e6250_g1_vtu_getnext
+
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+
+commit 87fe04367d842c4d97a77303242d4dd4ac351e46 upstream.
+
+mv88e6xxx_port_vlan_join checks whether the VTU already contains an
+entry for the given vid (via mv88e6xxx_vtu_getnext), and if so, merely
+changes the relevant .member[] element and loads the updated entry
+into the VTU.
+
+However, at least for the mv88e6250, the on-stack struct
+mv88e6xxx_vtu_entry vlan never has its .state[] array explicitly
+initialized, neither in mv88e6xxx_port_vlan_join() nor inside the
+getnext implementation. So the new entry has random garbage for the
+STU bits, breaking VLAN filtering.
+
+When the VTU entry is initially created, those bits are all zero, and
+we should make sure to keep them that way when the entry is updated.
+
+Fixes: 92307069a96c (net: dsa: mv88e6xxx: Avoid VTU corruption on 6097)
+Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Tobias Waldekranz <tobias@waldekranz.com>
+Tested-by: Tobias Waldekranz <tobias@waldekranz.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/dsa/mv88e6xxx/global1_vtu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/global1_vtu.c
++++ b/drivers/net/dsa/mv88e6xxx/global1_vtu.c
+@@ -357,6 +357,10 @@ int mv88e6185_g1_vtu_getnext(struct mv88
+ if (err)
+ return err;
+
++ err = mv88e6185_g1_stu_data_read(chip, entry);
++ if (err)
++ return err;
++
+ /* VTU DBNum[3:0] are located in VTU Operation 3:0
+ * VTU DBNum[7:4] are located in VTU Operation 11:8
+ */
--- /dev/null
+From 79267ae22615496655feee2db0848f6786bcf67a Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Mon, 18 Jan 2021 15:52:10 +0200
+Subject: net: mscc: ocelot: allow offloading of bridge on top of LAG
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+commit 79267ae22615496655feee2db0848f6786bcf67a upstream.
+
+The blamed commit was too aggressive, and it made ocelot_netdevice_event
+react only to network interface events emitted for the ocelot switch
+ports.
+
+In fact, only the PRECHANGEUPPER should have had that check.
+
+When we ignore all events that are not for us, we miss the fact that the
+upper of the LAG changes, and the bonding interface gets enslaved to a
+bridge. This is an operation we could offload under certain conditions.
+
+Fixes: 7afb3e575e5a ("net: mscc: ocelot: don't handle netdev events for other netdevs")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20210118135210.2666246-1-olteanv@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/mscc/ocelot.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -1549,10 +1549,8 @@ static int ocelot_netdevice_event(struct
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+ int ret = 0;
+
+- if (!ocelot_netdevice_dev_check(dev))
+- return 0;
+-
+ if (event == NETDEV_PRECHANGEUPPER &&
++ ocelot_netdevice_dev_check(dev) &&
+ netif_is_lag_master(info->upper_dev)) {
+ struct netdev_lag_upper_info *lag_upper_info = info->upper_info;
+ struct netlink_ext_ack *extack;
--- /dev/null
+From bcd0cf19ef8258ac31b9a20248b05c15a1f4b4b0 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 14 Jan 2021 10:52:29 -0800
+Subject: net_sched: avoid shift-out-of-bounds in tcindex_set_parms()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit bcd0cf19ef8258ac31b9a20248b05c15a1f4b4b0 upstream.
+
+tc_index being 16bit wide, we need to check that TCA_TCINDEX_SHIFT
+attribute is not silly.
+
+UBSAN: shift-out-of-bounds in net/sched/cls_tcindex.c:260:29
+shift exponent 255 is too large for 32-bit type 'int'
+CPU: 0 PID: 8516 Comm: syz-executor228 Not tainted 5.10.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x107/0x163 lib/dump_stack.c:120
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
+ __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
+ valid_perfect_hash net/sched/cls_tcindex.c:260 [inline]
+ tcindex_set_parms.cold+0x1b/0x215 net/sched/cls_tcindex.c:425
+ tcindex_change+0x232/0x340 net/sched/cls_tcindex.c:546
+ tc_new_tfilter+0x13fb/0x21b0 net/sched/cls_api.c:2127
+ rtnetlink_rcv_msg+0x8b6/0xb80 net/core/rtnetlink.c:5555
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
+ netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
+ netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2336
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2390
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2423
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://lore.kernel.org/r/20210114185229.1742255-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sched/cls_tcindex.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/sched/cls_tcindex.c
++++ b/net/sched/cls_tcindex.c
+@@ -339,9 +339,13 @@ tcindex_set_parms(struct net *net, struc
+ if (tb[TCA_TCINDEX_MASK])
+ cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]);
+
+- if (tb[TCA_TCINDEX_SHIFT])
++ if (tb[TCA_TCINDEX_SHIFT]) {
+ cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]);
+-
++ if (cp->shift > 16) {
++ err = -EINVAL;
++ goto errout;
++ }
++ }
+ if (!cp->hash) {
+ /* Hash not specified, use perfect hash if the upper limit
+ * of the hashing index is below the threshold.
--- /dev/null
+From e4bedf48aaa5552bc1f49703abd17606e7e6e82a Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 14 Jan 2021 08:06:37 -0800
+Subject: net_sched: reject silly cell_log in qdisc_get_rtab()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit e4bedf48aaa5552bc1f49703abd17606e7e6e82a upstream.
+
+iproute2 probably never goes beyond 8 for the cell exponent,
+but stick to the max shift exponent for signed 32bit.
+
+UBSAN reported:
+UBSAN: shift-out-of-bounds in net/sched/sch_api.c:389:22
+shift exponent 130 is too large for 32-bit type 'int'
+CPU: 1 PID: 8450 Comm: syz-executor586 Not tainted 5.11.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x183/0x22e lib/dump_stack.c:120
+ ubsan_epilogue lib/ubsan.c:148 [inline]
+ __ubsan_handle_shift_out_of_bounds+0x432/0x4d0 lib/ubsan.c:395
+ __detect_linklayer+0x2a9/0x330 net/sched/sch_api.c:389
+ qdisc_get_rtab+0x2b5/0x410 net/sched/sch_api.c:435
+ cbq_init+0x28f/0x12c0 net/sched/sch_cbq.c:1180
+ qdisc_create+0x801/0x1470 net/sched/sch_api.c:1246
+ tc_modify_qdisc+0x9e3/0x1fc0 net/sched/sch_api.c:1662
+ rtnetlink_rcv_msg+0xb1d/0xe60 net/core/rtnetlink.c:5564
+ netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2494
+ netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
+ netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1330
+ netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg net/socket.c:672 [inline]
+ ____sys_sendmsg+0x5a2/0x900 net/socket.c:2345
+ ___sys_sendmsg net/socket.c:2399 [inline]
+ __sys_sendmsg+0x319/0x400 net/socket.c:2432
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Cong Wang <cong.wang@bytedance.com>
+Link: https://lore.kernel.org/r/20210114160637.1660597-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sched/sch_api.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -398,7 +398,8 @@ struct qdisc_rate_table *qdisc_get_rtab(
+ {
+ struct qdisc_rate_table *rtab;
+
+- if (tab == NULL || r->rate == 0 || r->cell_log == 0 ||
++ if (tab == NULL || r->rate == 0 ||
++ r->cell_log == 0 || r->cell_log >= 32 ||
+ nla_len(tab) != TC_RTAB_SIZE) {
+ NL_SET_ERR_MSG(extack, "Invalid rate table parameters for searching");
+ return NULL;
--- /dev/null
+From 2e5a6266fbb11ae93c468dfecab169aca9c27b43 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <gnault@redhat.com>
+Date: Sat, 16 Jan 2021 11:44:26 +0100
+Subject: netfilter: rpfilter: mask ecn bits before fib lookup
+
+From: Guillaume Nault <gnault@redhat.com>
+
+commit 2e5a6266fbb11ae93c468dfecab169aca9c27b43 upstream.
+
+RT_TOS() only masks one of the two ECN bits. Therefore rpfilter_mt()
+treats Not-ECT or ECT(1) packets in a different way than those with
+ECT(0) or CE.
+
+Reproducer:
+
+ Create two netns, connected with a veth:
+ $ ip netns add ns0
+ $ ip netns add ns1
+ $ ip link add name veth01 netns ns0 type veth peer name veth10 netns ns1
+ $ ip -netns ns0 link set dev veth01 up
+ $ ip -netns ns1 link set dev veth10 up
+ $ ip -netns ns0 address add 192.0.2.10/32 dev veth01
+ $ ip -netns ns1 address add 192.0.2.11/32 dev veth10
+
+ Add a route to ns1 in ns0:
+ $ ip -netns ns0 route add 192.0.2.11/32 dev veth01
+
+ In ns1, only packets with TOS 4 can be routed to ns0:
+ $ ip -netns ns1 route add 192.0.2.10/32 tos 4 dev veth10
+
+ Ping from ns0 to ns1 works regardless of the ECN bits, as long as TOS
+ is 4:
+ $ ip netns exec ns0 ping -Q 4 192.0.2.11 # TOS 4, Not-ECT
+ ... 0% packet loss ...
+ $ ip netns exec ns0 ping -Q 5 192.0.2.11 # TOS 4, ECT(1)
+ ... 0% packet loss ...
+ $ ip netns exec ns0 ping -Q 6 192.0.2.11 # TOS 4, ECT(0)
+ ... 0% packet loss ...
+ $ ip netns exec ns0 ping -Q 7 192.0.2.11 # TOS 4, CE
+ ... 0% packet loss ...
+
+ Now use iptable's rpfilter module in ns1:
+ $ ip netns exec ns1 iptables-legacy -t raw -A PREROUTING -m rpfilter --invert -j DROP
+
+ Not-ECT and ECT(1) packets still pass:
+ $ ip netns exec ns0 ping -Q 4 192.0.2.11 # TOS 4, Not-ECT
+ ... 0% packet loss ...
+ $ ip netns exec ns0 ping -Q 5 192.0.2.11 # TOS 4, ECT(1)
+ ... 0% packet loss ...
+
+ But ECT(0) and ECN packets are dropped:
+ $ ip netns exec ns0 ping -Q 6 192.0.2.11 # TOS 4, ECT(0)
+ ... 100% packet loss ...
+ $ ip netns exec ns0 ping -Q 7 192.0.2.11 # TOS 4, CE
+ ... 100% packet loss ...
+
+After this patch, rpfilter doesn't drop ECT(0) and CE packets anymore.
+
+Fixes: 8f97339d3feb ("netfilter: add ipv4 reverse path filter match")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/ipt_rpfilter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/netfilter/ipt_rpfilter.c
++++ b/net/ipv4/netfilter/ipt_rpfilter.c
+@@ -94,7 +94,7 @@ static bool rpfilter_mt(const struct sk_
+ flow.daddr = iph->saddr;
+ flow.saddr = rpfilter_get_saddr(iph->daddr);
+ flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0;
+- flow.flowi4_tos = RT_TOS(iph->tos);
++ flow.flowi4_tos = iph->tos & IPTOS_RT_MASK;
+ flow.flowi4_scope = RT_SCOPE_UNIVERSE;
+ flow.flowi4_oif = l3mdev_master_ifindex_rcu(xt_in(par));
+
xhci-make-sure-trb-is-fully-written-before-giving-it-to-the-controller.patch
xhci-tegra-delay-for-disabling-lfps-detector.patch
driver-core-extend-device_is_dependent.patch
+netfilter-rpfilter-mask-ecn-bits-before-fib-lookup.patch
+sh-dma-fix-kconfig-dependency-for-g2_dma.patch
+net-dsa-mv88e6xxx-also-read-stu-state-in-mv88e6250_g1_vtu_getnext.patch
+sh_eth-fix-power-down-vs.-is_opened-flag-ordering.patch
+skbuff-back-tiny-skbs-with-kmalloc-in-__netdev_alloc_skb-too.patch
+kasan-fix-unaligned-address-is-unhandled-in-kasan_remove_zero_shadow.patch
+kasan-fix-incorrect-arguments-passing-in-kasan_add_zero_shadow.patch
+udp-mask-tos-bits-in-udp_v4_early_demux.patch
+ipv6-create-multicast-route-with-rtprot_kernel.patch
+net_sched-avoid-shift-out-of-bounds-in-tcindex_set_parms.patch
+net_sched-reject-silly-cell_log-in-qdisc_get_rtab.patch
+ipv6-set-multicast-flag-on-the-multicast-route.patch
+net-mscc-ocelot-allow-offloading-of-bridge-on-top-of-lag.patch
+net-disable-netif_f_hw_tls_rx-when-rxcsum-is-disabled.patch
+net-dsa-b53-fix-an-off-by-one-in-checking-vlan-vid.patch
--- /dev/null
+From f477a538c14d07f8c45e554c8c5208d588514e98 Mon Sep 17 00:00:00 2001
+From: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+Date: Thu, 17 Sep 2020 18:45:48 +0300
+Subject: sh: dma: fix kconfig dependency for G2_DMA
+
+From: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+
+commit f477a538c14d07f8c45e554c8c5208d588514e98 upstream.
+
+When G2_DMA is enabled and SH_DMA is disabled, it results in the following
+Kbuild warning:
+
+WARNING: unmet direct dependencies detected for SH_DMA_API
+ Depends on [n]: SH_DMA [=n]
+ Selected by [y]:
+ - G2_DMA [=y] && SH_DREAMCAST [=y]
+
+The reason is that G2_DMA selects SH_DMA_API without depending on or
+selecting SH_DMA while SH_DMA_API depends on SH_DMA.
+
+When G2_DMA was first introduced with commit 40f49e7ed77f
+("sh: dma: Make G2 DMA configurable."), this wasn't an issue since
+SH_DMA_API didn't have such dependency, and this way was the only way to
+enable it since SH_DMA_API was non-visible. However, later SH_DMA_API was
+made visible and dependent on SH_DMA with commit d8902adcc1a9
+("dmaengine: sh: Add Support SuperH DMA Engine driver").
+
+Let G2_DMA depend on SH_DMA_API instead to avoid Kbuild issues.
+
+Fixes: d8902adcc1a9 ("dmaengine: sh: Add Support SuperH DMA Engine driver")
+Signed-off-by: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+Signed-off-by: Rich Felker <dalias@libc.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/sh/drivers/dma/Kconfig | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/sh/drivers/dma/Kconfig
++++ b/arch/sh/drivers/dma/Kconfig
+@@ -63,8 +63,7 @@ config PVR2_DMA
+
+ config G2_DMA
+ tristate "G2 Bus DMA support"
+- depends on SH_DREAMCAST
+- select SH_DMA_API
++ depends on SH_DREAMCAST && SH_DMA_API
+ help
+ This enables support for the DMA controller for the Dreamcast's
+ G2 bus. Drivers that want this will generally enable this on
--- /dev/null
+From f6a2e94b3f9d89cb40771ff746b16b5687650cbb Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 18 Jan 2021 16:08:12 +0100
+Subject: sh_eth: Fix power down vs. is_opened flag ordering
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit f6a2e94b3f9d89cb40771ff746b16b5687650cbb upstream.
+
+sh_eth_close() does a synchronous power down of the device before
+marking it closed. Revert the order, to make sure the device is never
+marked opened while suspended.
+
+While at it, use pm_runtime_put() instead of pm_runtime_put_sync(), as
+there is no reason to do a synchronous power down.
+
+Fixes: 7fa2955ff70ce453 ("sh_eth: Fix sleeping function called from invalid context")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Sergei Shtylyov <sergei.shtylyov@gmail.com>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Link: https://lore.kernel.org/r/20210118150812.796791-1-geert+renesas@glider.be
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -2620,10 +2620,10 @@ static int sh_eth_close(struct net_devic
+ /* Free all the skbuffs in the Rx queue and the DMA buffer. */
+ sh_eth_ring_free(ndev);
+
+- pm_runtime_put_sync(&mdp->pdev->dev);
+-
+ mdp->is_opened = 0;
+
++ pm_runtime_put(&mdp->pdev->dev);
++
+ return 0;
+ }
+
--- /dev/null
+From 66c556025d687dbdd0f748c5e1df89c977b6c02a Mon Sep 17 00:00:00 2001
+From: Alexander Lobakin <alobakin@pm.me>
+Date: Fri, 15 Jan 2021 15:04:40 +0000
+Subject: skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too
+
+From: Alexander Lobakin <alobakin@pm.me>
+
+commit 66c556025d687dbdd0f748c5e1df89c977b6c02a upstream.
+
+Commit 3226b158e67c ("net: avoid 32 x truesize under-estimation for
+tiny skbs") ensured that skbs with data size lower than 1025 bytes
+will be kmalloc'ed to avoid excessive page cache fragmentation and
+memory consumption.
+However, the fix adressed only __napi_alloc_skb() (primarily for
+virtio_net and napi_get_frags()), but the issue can still be achieved
+through __netdev_alloc_skb(), which is still used by several drivers.
+Drivers often allocate a tiny skb for headers and place the rest of
+the frame to frags (so-called copybreak).
+Mirror the condition to __netdev_alloc_skb() to handle this case too.
+
+Since v1 [0]:
+ - fix "Fixes:" tag;
+ - refine commit message (mention copybreak usecase).
+
+[0] https://lore.kernel.org/netdev/20210114235423.232737-1-alobakin@pm.me
+
+Fixes: a1c7fff7e18f ("net: netdev_alloc_skb() use build_skb()")
+Signed-off-by: Alexander Lobakin <alobakin@pm.me>
+Link: https://lore.kernel.org/r/20210115150354.85967-1-alobakin@pm.me
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/skbuff.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -398,7 +398,11 @@ struct sk_buff *__netdev_alloc_skb(struc
+
+ len += NET_SKB_PAD;
+
+- if ((len > SKB_WITH_OVERHEAD(PAGE_SIZE)) ||
++ /* If requested length is either too small or too big,
++ * we use kmalloc() for skb->head allocation.
++ */
++ if (len <= SKB_WITH_OVERHEAD(1024) ||
++ len > SKB_WITH_OVERHEAD(PAGE_SIZE) ||
+ (gfp_mask & (__GFP_DIRECT_RECLAIM | GFP_DMA))) {
+ skb = __alloc_skb(len, gfp_mask, SKB_ALLOC_RX, NUMA_NO_NODE);
+ if (!skb)
--- /dev/null
+From 8d2b51b008c25240914984208b2ced57d1dd25a5 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <gnault@redhat.com>
+Date: Sat, 16 Jan 2021 11:44:22 +0100
+Subject: udp: mask TOS bits in udp_v4_early_demux()
+
+From: Guillaume Nault <gnault@redhat.com>
+
+commit 8d2b51b008c25240914984208b2ced57d1dd25a5 upstream.
+
+udp_v4_early_demux() is the only function that calls
+ip_mc_validate_source() with a TOS that hasn't been masked with
+IPTOS_RT_MASK.
+
+This results in different behaviours for incoming multicast UDPv4
+packets, depending on if ip_mc_validate_source() is called from the
+early-demux path (udp_v4_early_demux) or from the regular input path
+(ip_route_input_noref).
+
+ECN would normally not be used with UDP multicast packets, so the
+practical consequences should be limited on that side. However,
+IPTOS_RT_MASK is used to also masks the TOS' high order bits, to align
+with the non-early-demux path behaviour.
+
+Reproducer:
+
+ Setup two netns, connected with veth:
+ $ ip netns add ns0
+ $ ip netns add ns1
+ $ ip -netns ns0 link set dev lo up
+ $ ip -netns ns1 link set dev lo up
+ $ ip link add name veth01 netns ns0 type veth peer name veth10 netns ns1
+ $ ip -netns ns0 link set dev veth01 up
+ $ ip -netns ns1 link set dev veth10 up
+ $ ip -netns ns0 address add 192.0.2.10 peer 192.0.2.11/32 dev veth01
+ $ ip -netns ns1 address add 192.0.2.11 peer 192.0.2.10/32 dev veth10
+
+ In ns0, add route to multicast address 224.0.2.0/24 using source
+ address 198.51.100.10:
+ $ ip -netns ns0 address add 198.51.100.10/32 dev lo
+ $ ip -netns ns0 route add 224.0.2.0/24 dev veth01 src 198.51.100.10
+
+ In ns1, define route to 198.51.100.10, only for packets with TOS 4:
+ $ ip -netns ns1 route add 198.51.100.10/32 tos 4 dev veth10
+
+ Also activate rp_filter in ns1, so that incoming packets not matching
+ the above route get dropped:
+ $ ip netns exec ns1 sysctl -wq net.ipv4.conf.veth10.rp_filter=1
+
+ Now try to receive packets on 224.0.2.11:
+ $ ip netns exec ns1 socat UDP-RECVFROM:1111,ip-add-membership=224.0.2.11:veth10,ignoreeof -
+
+ In ns0, send packet to 224.0.2.11 with TOS 4 and ECT(0) (that is,
+ tos 6 for socat):
+ $ echo test0 | ip netns exec ns0 socat - UDP-DATAGRAM:224.0.2.11:1111,bind=:1111,tos=6
+
+ The "test0" message is properly received by socat in ns1, because
+ early-demux has no cached dst to use, so source address validation
+ is done by ip_route_input_mc(), which receives a TOS that has the
+ ECN bits masked.
+
+ Now send another packet to 224.0.2.11, still with TOS 4 and ECT(0):
+ $ echo test1 | ip netns exec ns0 socat - UDP-DATAGRAM:224.0.2.11:1111,bind=:1111,tos=6
+
+ The "test1" message isn't received by socat in ns1, because, now,
+ early-demux has a cached dst to use and calls ip_mc_validate_source()
+ immediately, without masking the ECN bits.
+
+Fixes: bc044e8db796 ("udp: perform source validation for mcast early demux")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/udp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -2416,7 +2416,8 @@ int udp_v4_early_demux(struct sk_buff *s
+ */
+ if (!inet_sk(sk)->inet_daddr && in_dev)
+ return ip_mc_validate_source(skb, iph->daddr,
+- iph->saddr, iph->tos,
++ iph->saddr,
++ iph->tos & IPTOS_RT_MASK,
+ skb->dev, in_dev, &itag);
+ }
+ return 0;
projects / thirdparty / kernel / stable-queue.git / commitdiff
