--- /dev/null
+From 8b59b0a53c840921b625378f137e88adfa87647e Mon Sep 17 00:00:00 2001
+From: sparkhuang <huangshaobo6@huawei.com>
+Date: Wed, 15 Dec 2021 10:08:23 +0100
+Subject: ARM: 9170/1: fix panic when kasan and kprobe are enabled
+
+From: sparkhuang <huangshaobo6@huawei.com>
+
+commit 8b59b0a53c840921b625378f137e88adfa87647e upstream.
+
+arm32 uses software to simulate the instruction replaced
+by kprobe. some instructions may be simulated by constructing
+assembly functions. therefore, before executing instruction
+simulation, it is necessary to construct assembly function
+execution environment in C language through binding registers.
+after kasan is enabled, the register binding relationship will
+be destroyed, resulting in instruction simulation errors and
+causing kernel panic.
+
+the kprobe emulate instruction function is distributed in three
+files: actions-common.c actions-arm.c actions-thumb.c, so disable
+KASAN when compiling these files.
+
+for example, use kprobe insert on cap_capable+20 after kasan
+enabled, the cap_capable assembly code is as follows:
+<cap_capable>:
+e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr}
+e1a05000 mov r5, r0
+e280006c add r0, r0, #108 ; 0x6c
+e1a04001 mov r4, r1
+e1a06002 mov r6, r2
+e59fa090 ldr sl, [pc, #144] ;
+ebfc7bf8 bl c03aa4b4 <__asan_load4>
+e595706c ldr r7, [r5, #108] ; 0x6c
+e2859014 add r9, r5, #20
+......
+The emulate_ldr assembly code after enabling kasan is as follows:
+c06f1384 <emulate_ldr>:
+e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr}
+e282803c add r8, r2, #60 ; 0x3c
+e1a05000 mov r5, r0
+e7e37855 ubfx r7, r5, #16, #4
+e1a00008 mov r0, r8
+e1a09001 mov r9, r1
+e1a04002 mov r4, r2
+ebf35462 bl c03c6530 <__asan_load4>
+e357000f cmp r7, #15
+e7e36655 ubfx r6, r5, #12, #4
+e205a00f and sl, r5, #15
+0a000001 beq c06f13bc <emulate_ldr+0x38>
+e0840107 add r0, r4, r7, lsl #2
+ebf3545c bl c03c6530 <__asan_load4>
+e084010a add r0, r4, sl, lsl #2
+ebf3545a bl c03c6530 <__asan_load4>
+e2890010 add r0, r9, #16
+ebf35458 bl c03c6530 <__asan_load4>
+e5990010 ldr r0, [r9, #16]
+e12fff30 blx r0
+e356000f cm r6, #15
+1a000014 bne c06f1430 <emulate_ldr+0xac>
+e1a06000 mov r6, r0
+e2840040 add r0, r4, #64 ; 0x40
+......
+
+when running in emulate_ldr to simulate the ldr instruction, panic
+occurred, and the log is as follows:
+Unable to handle kernel NULL pointer dereference at virtual address
+00000090
+pgd = ecb46400
+[00000090] *pgd=2e0fa003, *pmd=00000000
+Internal error: Oops: 206 [#1] SMP ARM
+PC is at cap_capable+0x14/0xb0
+LR is at emulate_ldr+0x50/0xc0
+psr: 600d0293 sp : ecd63af8 ip : 00000004 fp : c0a7c30c
+r10: 00000000 r9 : c30897f4 r8 : ecd63cd4
+r7 : 0000000f r6 : 0000000a r5 : e59fa090 r4 : ecd63c98
+r3 : c06ae294 r2 : 00000000 r1 : b7611300 r0 : bf4ec008
+Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
+Control: 32c5387d Table: 2d546400 DAC: 55555555
+Process bash (pid: 1643, stack limit = 0xecd60190)
+(cap_capable) from (kprobe_handler+0x218/0x340)
+(kprobe_handler) from (kprobe_trap_handler+0x24/0x48)
+(kprobe_trap_handler) from (do_undefinstr+0x13c/0x364)
+(do_undefinstr) from (__und_svc_finish+0x0/0x30)
+(__und_svc_finish) from (cap_capable+0x18/0xb0)
+(cap_capable) from (cap_vm_enough_memory+0x38/0x48)
+(cap_vm_enough_memory) from
+(security_vm_enough_memory_mm+0x48/0x6c)
+(security_vm_enough_memory_mm) from
+(copy_process.constprop.5+0x16b4/0x25c8)
+(copy_process.constprop.5) from (_do_fork+0xe8/0x55c)
+(_do_fork) from (SyS_clone+0x1c/0x24)
+(SyS_clone) from (__sys_trace_return+0x0/0x10)
+Code: 0050a0e1 6c0080e2 0140a0e1 0260a0e1 (f801f0e7)
+
+Fixes: 35aa1df43283 ("ARM kprobes: instruction single-stepping support")
+Fixes: 421015713b30 ("ARM: 9017/2: Enable KASan for ARM")
+Signed-off-by: huangshaobo <huangshaobo6@huawei.com>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/probes/kprobes/Makefile | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm/probes/kprobes/Makefile
++++ b/arch/arm/probes/kprobes/Makefile
+@@ -1,4 +1,7 @@
+ # SPDX-License-Identifier: GPL-2.0
++KASAN_SANITIZE_actions-common.o := n
++KASAN_SANITIZE_actions-arm.o := n
++KASAN_SANITIZE_actions-thumb.o := n
+ obj-$(CONFIG_KPROBES) += core.o actions-common.o checkers-common.o
+ obj-$(CONFIG_ARM_KPROBES_TEST) += test-kprobes.o
+ test-kprobes-objs := test-core.o
--- /dev/null
+From 5e761a2287234bc402ba7ef07129f5103bcd775c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jose.exposito89@gmail.com>
+Date: Sun, 16 Jan 2022 19:18:44 +0100
+Subject: drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+commit 5e761a2287234bc402ba7ef07129f5103bcd775c upstream.
+
+The function performs a check on the "phy" input parameter, however, it
+is used before the check.
+
+Initialize the "dev" variable after the sanity check to avoid a possible
+NULL pointer dereference.
+
+Fixes: 5c8290284402b ("drm/msm/dsi: Split PHY drivers to separate files")
+Addresses-Coverity-ID: 1493860 ("Null pointer dereference")
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20220116181844.7400-1-jose.exposito89@gmail.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/dsi/phy/dsi_phy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
++++ b/drivers/gpu/drm/msm/dsi/phy/dsi_phy.c
+@@ -554,12 +554,14 @@ void __exit msm_dsi_phy_driver_unregiste
+ int msm_dsi_phy_enable(struct msm_dsi_phy *phy, int src_pll_id,
+ struct msm_dsi_phy_clk_request *clk_req)
+ {
+- struct device *dev = &phy->pdev->dev;
++ struct device *dev;
+ int ret;
+
+ if (!phy || !phy->cfg->ops.enable)
+ return -EINVAL;
+
++ dev = &phy->pdev->dev;
++
+ ret = dsi_phy_enable_resource(phy);
+ if (ret) {
+ dev_err(dev, "%s: resource enable failed, %d\n",
--- /dev/null
+From 0a727b459ee39bd4c5ced19d6024258ac87b6b2e Mon Sep 17 00:00:00 2001
+From: Xianting Tian <xianting.tian@linux.alibaba.com>
+Date: Wed, 12 Jan 2022 20:33:34 +0800
+Subject: drm/msm: Fix wrong size calculation
+
+From: Xianting Tian <xianting.tian@linux.alibaba.com>
+
+commit 0a727b459ee39bd4c5ced19d6024258ac87b6b2e upstream.
+
+For example, memory-region in .dts as below,
+ reg = <0x0 0x50000000 0x0 0x20000000>
+
+We can get below values,
+struct resource r;
+r.start = 0x50000000;
+r.end = 0x6fffffff;
+
+So the size should be:
+size = r.end - r.start + 1 = 0x20000000
+
+Signed-off-by: Xianting Tian <xianting.tian@linux.alibaba.com>
+Fixes: 072f1f9168ed ("drm/msm: add support for "stolen" mem")
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20220112123334.749776-1-xianting.tian@linux.alibaba.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/msm_drv.c
++++ b/drivers/gpu/drm/msm/msm_drv.c
+@@ -321,7 +321,7 @@ static int msm_init_vram(struct drm_devi
+ of_node_put(node);
+ if (ret)
+ return ret;
+- size = r.end - r.start;
++ size = r.end - r.start + 1;
+ DRM_INFO("using VRAM carveout: %lx@%pa\n", size, &r.start);
+
+ /* if we have no IOMMU, then we need to use carveout allocator.
--- /dev/null
+From a66c5ed539277b9f2363bbace0dba88b85b36c26 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Thu, 6 Jan 2022 11:48:52 -0800
+Subject: hwmon: (lm90) Reduce maximum conversion rate for G781
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit a66c5ed539277b9f2363bbace0dba88b85b36c26 upstream.
+
+According to its datasheet, G781 supports a maximum conversion rate value
+of 8 (62.5 ms). However, chips labeled G781 and G780 were found to only
+support a maximum conversion rate value of 7 (125 ms). On the other side,
+chips labeled G781-1 and G784 were found to support a conversion rate value
+of 8. There is no known means to distinguish G780 from G781 or G784; all
+chips report the same manufacturer ID and chip revision.
+Setting the conversion rate register value to 8 on chips not supporting
+it causes unexpected behavior since the real conversion rate is set to 0
+(16 seconds) if a value of 8 is written into the conversion rate register.
+Limit the conversion rate register value to 7 for all G78x chips to avoid
+the problem.
+
+Fixes: ae544f64cc7b ("hwmon: (lm90) Add support for GMT G781")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/lm90.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/lm90.c
++++ b/drivers/hwmon/lm90.c
+@@ -359,7 +359,7 @@ static const struct lm90_params lm90_par
+ .flags = LM90_HAVE_OFFSET | LM90_HAVE_REM_LIMIT_EXT
+ | LM90_HAVE_BROKEN_ALERT,
+ .alert_alarms = 0x7c,
+- .max_convrate = 8,
++ .max_convrate = 7,
+ },
+ [lm86] = {
+ .flags = LM90_HAVE_OFFSET | LM90_HAVE_REM_LIMIT_EXT,
--- /dev/null
+From 23f57406b82de51809d5812afd96f210f8b627f3 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 26 Jan 2022 17:10:22 -0800
+Subject: ipv4: avoid using shared IP generator for connected sockets
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 23f57406b82de51809d5812afd96f210f8b627f3 upstream.
+
+ip_select_ident_segs() has been very conservative about using
+the connected socket private generator only for packets with IP_DF
+set, claiming it was needed for some VJ compression implementations.
+
+As mentioned in this referenced document, this can be abused.
+(Ref: Off-Path TCP Exploits of the Mixed IPID Assignment)
+
+Before switching to pure random IPID generation and possibly hurt
+some workloads, lets use the private inet socket generator.
+
+Not only this will remove one vulnerability, this will also
+improve performance of TCP flows using pmtudisc==IP_PMTUDISC_DONT
+
+Fixes: 73f156a6e8c1 ("inetpeer: get rid of ip_id_count")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Reported-by: Ray Che <xijiache@gmail.com>
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ip.h | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -399,19 +399,18 @@ static inline void ip_select_ident_segs(
+ {
+ struct iphdr *iph = ip_hdr(skb);
+
++ /* We had many attacks based on IPID, use the private
++ * generator as much as we can.
++ */
++ if (sk && inet_sk(sk)->inet_daddr) {
++ iph->id = htons(inet_sk(sk)->inet_id);
++ inet_sk(sk)->inet_id += segs;
++ return;
++ }
+ if ((iph->frag_off & htons(IP_DF)) && !skb->ignore_df) {
+- /* This is only to work around buggy Windows95/2000
+- * VJ compression implementations. If the ID field
+- * does not change, they drop every other packet in
+- * a TCP stream using header compression.
+- */
+- if (sk && inet_sk(sk)->inet_daddr) {
+- iph->id = htons(inet_sk(sk)->inet_id);
+- inet_sk(sk)->inet_id += segs;
+- } else {
+- iph->id = 0;
+- }
++ iph->id = 0;
+ } else {
++ /* Unfortunately we need the big hammer to get a suitable IPID */
+ __ip_select_ident(net, iph, segs);
+ }
+ }
--- /dev/null
+From 6cee105e7f2ced596373951d9ea08dacc3883c68 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Thu, 20 Jan 2022 10:05:46 +0200
+Subject: ipv6_tunnel: Rate limit warning messages
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 6cee105e7f2ced596373951d9ea08dacc3883c68 upstream.
+
+The warning messages can be invoked from the data path for every packet
+transmitted through an ip6gre netdev, leading to high CPU utilization.
+
+Fix that by rate limiting the messages.
+
+Fixes: 09c6bbf090ec ("[IPV6]: Do mandatory IPv6 tunnel endpoint checks in realtime")
+Reported-by: Maksym Yaremchuk <maksymy@nvidia.com>
+Tested-by: Maksym Yaremchuk <maksymy@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Amit Cohen <amcohen@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1008,12 +1008,12 @@ int ip6_tnl_xmit_ctl(struct ip6_tnl *t,
+ ldev = dev_get_by_index_rcu(net, p->link);
+
+ if (unlikely(!ipv6_chk_addr(net, laddr, ldev, 0)))
+- pr_warn("%s xmit: Local address not yet configured!\n",
+- p->name);
++ pr_warn_ratelimited("%s xmit: Local address not yet configured!\n",
++ p->name);
+ else if (!ipv6_addr_is_multicast(raddr) &&
+ unlikely(ipv6_chk_addr(net, raddr, NULL, 0)))
+- pr_warn("%s xmit: Routing loop! Remote address found on this node!\n",
+- p->name);
++ pr_warn_ratelimited("%s xmit: Routing loop! Remote address found on this node!\n",
++ p->name);
+ else
+ ret = 1;
+ rcu_read_unlock();
--- /dev/null
+From 47934e06b65637c88a762d9c98329ae6e3238888 Mon Sep 17 00:00:00 2001
+From: Congyu Liu <liu3101@purdue.edu>
+Date: Tue, 18 Jan 2022 14:20:13 -0500
+Subject: net: fix information leakage in /proc/net/ptype
+
+From: Congyu Liu <liu3101@purdue.edu>
+
+commit 47934e06b65637c88a762d9c98329ae6e3238888 upstream.
+
+In one net namespace, after creating a packet socket without binding
+it to a device, users in other net namespaces can observe the new
+`packet_type` added by this packet socket by reading `/proc/net/ptype`
+file. This is minor information leakage as packet socket is
+namespace aware.
+
+Add a net pointer in `packet_type` to keep the net namespace of
+of corresponding packet socket. In `ptype_seq_show`, this net pointer
+must be checked when it is not NULL.
+
+Fixes: 2feb27dbe00c ("[NETNS]: Minor information leak via /proc/net/ptype file.")
+Signed-off-by: Congyu Liu <liu3101@purdue.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdevice.h | 1 +
+ net/core/net-procfs.c | 3 ++-
+ net/packet/af_packet.c | 2 ++
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -2206,6 +2206,7 @@ struct packet_type {
+ struct net_device *);
+ bool (*id_match)(struct packet_type *ptype,
+ struct sock *sk);
++ struct net *af_packet_net;
+ void *af_packet_priv;
+ struct list_head list;
+ };
+--- a/net/core/net-procfs.c
++++ b/net/core/net-procfs.c
+@@ -279,7 +279,8 @@ static int ptype_seq_show(struct seq_fil
+
+ if (v == SEQ_START_TOKEN)
+ seq_puts(seq, "Type Device Function\n");
+- else if (pt->dev == NULL || dev_net(pt->dev) == seq_file_net(seq)) {
++ else if ((!pt->af_packet_net || net_eq(pt->af_packet_net, seq_file_net(seq))) &&
++ (!pt->dev || net_eq(dev_net(pt->dev), seq_file_net(seq)))) {
+ if (pt->type == htons(ETH_P_ALL))
+ seq_puts(seq, "ALL ");
+ else
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1756,6 +1756,7 @@ static int fanout_add(struct sock *sk, u
+ match->prot_hook.dev = po->prot_hook.dev;
+ match->prot_hook.func = packet_rcv_fanout;
+ match->prot_hook.af_packet_priv = match;
++ match->prot_hook.af_packet_net = read_pnet(&match->net);
+ match->prot_hook.id_match = match_fanout_group;
+ list_add(&match->list, &fanout_list);
+ }
+@@ -3330,6 +3331,7 @@ static int packet_create(struct net *net
+ po->prot_hook.func = packet_rcv_spkt;
+
+ po->prot_hook.af_packet_priv = sk;
++ po->prot_hook.af_packet_net = sock_net(sk);
+
+ if (proto) {
+ po->prot_hook.type = proto;
--- /dev/null
+From 1d10f8a1f40b965d449e8f2d5ed7b96a7c138b77 Mon Sep 17 00:00:00 2001
+From: Jianguo Wu <wujianguo@chinatelecom.cn>
+Date: Fri, 21 Jan 2022 17:15:31 +0800
+Subject: net-procfs: show net devices bound packet types
+
+From: Jianguo Wu <wujianguo@chinatelecom.cn>
+
+commit 1d10f8a1f40b965d449e8f2d5ed7b96a7c138b77 upstream.
+
+After commit:7866a621043f ("dev: add per net_device packet type chains"),
+we can not get packet types that are bound to a specified net device by
+/proc/net/ptype, this patch fix the regression.
+
+Run "tcpdump -i ens192 udp -nns0" Before and after apply this patch:
+
+Before:
+ [root@localhost ~]# cat /proc/net/ptype
+ Type Device Function
+ 0800 ip_rcv
+ 0806 arp_rcv
+ 86dd ipv6_rcv
+
+After:
+ [root@localhost ~]# cat /proc/net/ptype
+ Type Device Function
+ ALL ens192 tpacket_rcv
+ 0800 ip_rcv
+ 0806 arp_rcv
+ 86dd ipv6_rcv
+
+v1 -> v2:
+ - fix the regression rather than adding new /proc API as
+ suggested by Stephen Hemminger.
+
+Fixes: 7866a621043f ("dev: add per net_device packet type chains")
+Signed-off-by: Jianguo Wu <wujianguo@chinatelecom.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/net-procfs.c | 35 ++++++++++++++++++++++++++++++++---
+ 1 file changed, 32 insertions(+), 3 deletions(-)
+
+--- a/net/core/net-procfs.c
++++ b/net/core/net-procfs.c
+@@ -209,12 +209,23 @@ static const struct file_operations soft
+ .release = seq_release,
+ };
+
+-static void *ptype_get_idx(loff_t pos)
++static void *ptype_get_idx(struct seq_file *seq, loff_t pos)
+ {
++ struct list_head *ptype_list = NULL;
+ struct packet_type *pt = NULL;
++ struct net_device *dev;
+ loff_t i = 0;
+ int t;
+
++ for_each_netdev_rcu(seq_file_net(seq), dev) {
++ ptype_list = &dev->ptype_all;
++ list_for_each_entry_rcu(pt, ptype_list, list) {
++ if (i == pos)
++ return pt;
++ ++i;
++ }
++ }
++
+ list_for_each_entry_rcu(pt, &ptype_all, list) {
+ if (i == pos)
+ return pt;
+@@ -235,22 +246,40 @@ static void *ptype_seq_start(struct seq_
+ __acquires(RCU)
+ {
+ rcu_read_lock();
+- return *pos ? ptype_get_idx(*pos - 1) : SEQ_START_TOKEN;
++ return *pos ? ptype_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
+ }
+
+ static void *ptype_seq_next(struct seq_file *seq, void *v, loff_t *pos)
+ {
++ struct net_device *dev;
+ struct packet_type *pt;
+ struct list_head *nxt;
+ int hash;
+
+ ++*pos;
+ if (v == SEQ_START_TOKEN)
+- return ptype_get_idx(0);
++ return ptype_get_idx(seq, 0);
+
+ pt = v;
+ nxt = pt->list.next;
++ if (pt->dev) {
++ if (nxt != &pt->dev->ptype_all)
++ goto found;
++
++ dev = pt->dev;
++ for_each_netdev_continue_rcu(seq_file_net(seq), dev) {
++ if (!list_empty(&dev->ptype_all)) {
++ nxt = dev->ptype_all.next;
++ goto found;
++ }
++ }
++
++ nxt = ptype_all.next;
++ goto ptype_all;
++ }
++
+ if (pt->type == htons(ETH_P_ALL)) {
++ptype_all:
+ if (nxt != &ptype_all)
+ goto found;
+ hash = 0;
--- /dev/null
+From ac795161c93699d600db16c1a8cc23a65a1eceaf Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Thu, 6 Jan 2022 18:24:02 -0500
+Subject: NFSv4: Handle case where the lookup of a directory fails
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit ac795161c93699d600db16c1a8cc23a65a1eceaf upstream.
+
+If the application sets the O_DIRECTORY flag, and tries to open a
+regular file, nfs_atomic_open() will punt to doing a regular lookup.
+If the server then returns a regular file, we will happily return a
+file descriptor with uninitialised open state.
+
+The fix is to return the expected ENOTDIR error in these cases.
+
+Reported-by: Lyu Tao <tao.lyu@epfl.ch>
+Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/dir.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1607,6 +1607,19 @@ out:
+
+ no_open:
+ res = nfs_lookup(dir, dentry, lookup_flags);
++ if (!res) {
++ inode = d_inode(dentry);
++ if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
++ !S_ISDIR(inode->i_mode))
++ res = ERR_PTR(-ENOTDIR);
++ } else if (!IS_ERR(res)) {
++ inode = d_inode(res);
++ if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
++ !S_ISDIR(inode->i_mode)) {
++ dput(res);
++ res = ERR_PTR(-ENOTDIR);
++ }
++ }
+ if (switched) {
+ d_lookup_done(dentry);
+ if (!res)
--- /dev/null
+From 1751fc1db36f6f411709e143d5393f92d12137a9 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Thu, 6 Jan 2022 18:24:03 -0500
+Subject: NFSv4: nfs_atomic_open() can race when looking up a non-regular file
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit 1751fc1db36f6f411709e143d5393f92d12137a9 upstream.
+
+If the file type changes back to being a regular file on the server
+between the failed OPEN and our LOOKUP, then we need to re-run the OPEN.
+
+Fixes: 0dd2b474d0b6 ("nfs: implement i_op->atomic_open()")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/dir.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1612,12 +1612,17 @@ no_open:
+ if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
+ !S_ISDIR(inode->i_mode))
+ res = ERR_PTR(-ENOTDIR);
++ else if (inode && S_ISREG(inode->i_mode))
++ res = ERR_PTR(-EOPENSTALE);
+ } else if (!IS_ERR(res)) {
+ inode = d_inode(res);
+ if ((lookup_flags & LOOKUP_DIRECTORY) && inode &&
+ !S_ISDIR(inode->i_mode)) {
+ dput(res);
+ res = ERR_PTR(-ENOTDIR);
++ } else if (inode && S_ISREG(inode->i_mode)) {
++ dput(res);
++ res = ERR_PTR(-EOPENSTALE);
+ }
+ }
+ if (switched) {
--- /dev/null
+From 2afc3b5a31f9edf3ef0f374f5d70610c79c93a42 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sat, 22 Jan 2022 06:40:56 -0500
+Subject: ping: fix the sk_bound_dev_if match in ping_lookup
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 2afc3b5a31f9edf3ef0f374f5d70610c79c93a42 upstream.
+
+When 'ping' changes to use PING socket instead of RAW socket by:
+
+ # sysctl -w net.ipv4.ping_group_range="0 100"
+
+the selftests 'router_broadcast.sh' will fail, as such command
+
+ # ip vrf exec vrf-h1 ping -I veth0 198.51.100.255 -b
+
+can't receive the response skb by the PING socket. It's caused by mismatch
+of sk_bound_dev_if and dif in ping_rcv() when looking up the PING socket,
+as dif is vrf-h1 if dif's master was set to vrf-h1.
+
+This patch is to fix this regression by also checking the sk_bound_dev_if
+against sdif so that the packets can stil be received even if the socket
+is not bound to the vrf device but to the real iif.
+
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Reported-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ping.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -225,7 +225,8 @@ static struct sock *ping_lookup(struct n
+ continue;
+ }
+
+- if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif)
++ if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif &&
++ sk->sk_bound_dev_if != inet_sdif(skb))
+ continue;
+
+ sock_hold(sk);
rpmsg-char-fix-race-between-the-release-of-rpmsg_ctrldev-and-cdev.patch
rpmsg-char-fix-race-between-the-release-of-rpmsg_eptdev-and-cdev.patch
scsi-bnx2fc-flush-destroy_work-queue-before-calling-bnx2fc_interface_put.patch
+ipv6_tunnel-rate-limit-warning-messages.patch
+arm-9170-1-fix-panic-when-kasan-and-kprobe-are-enabled.patch
+net-fix-information-leakage-in-proc-net-ptype.patch
+ping-fix-the-sk_bound_dev_if-match-in-ping_lookup.patch
+ipv4-avoid-using-shared-ip-generator-for-connected-sockets.patch
+hwmon-lm90-reduce-maximum-conversion-rate-for-g781.patch
+nfsv4-handle-case-where-the-lookup-of-a-directory-fails.patch
+nfsv4-nfs_atomic_open-can-race-when-looking-up-a-non-regular-file.patch
+net-procfs-show-net-devices-bound-packet-types.patch
+drm-msm-fix-wrong-size-calculation.patch
+drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_enable.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
