--- /dev/null
+From 3f65b1e2f424f44585bd701024a3bfd0b1e0ade2 Mon Sep 17 00:00:00 2001
+From: Kuogee Hsieh <quic_khsieh@quicinc.com>
+Date: Tue, 26 Apr 2022 14:12:14 -0700
+Subject: drm/msm/dp: remove fail safe mode related code
+
+From: Kuogee Hsieh <quic_khsieh@quicinc.com>
+
+commit 3f65b1e2f424f44585bd701024a3bfd0b1e0ade2 upstream.
+
+Current DP driver implementation has adding safe mode done at
+dp_hpd_plug_handle() which is expected to be executed under event
+thread context.
+
+However there is possible circular locking happen (see blow stack trace)
+after edp driver call dp_hpd_plug_handle() from dp_bridge_enable() which
+is executed under drm_thread context.
+
+After review all possibilities methods and as discussed on
+https://patchwork.freedesktop.org/patch/483155/, supporting EDID
+compliance tests in the driver is quite hacky. As seen with other
+vendor drivers, supporting these will be much easier with IGT. Hence
+removing all the related fail safe code for it so that no possibility
+of circular lock will happen.
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+======================================================
+ WARNING: possible circular locking dependency detected
+ 5.15.35-lockdep #6 Tainted: G W
+ ------------------------------------------------------
+ frecon/429 is trying to acquire lock:
+ ffffff808dc3c4e8 (&dev->mode_config.mutex){+.+.}-{3:3}, at:
+dp_panel_add_fail_safe_mode+0x4c/0xa0
+
+ but task is already holding lock:
+ ffffff808dc441e0 (&kms->commit_lock[i]){+.+.}-{3:3}, at: lock_crtcs+0xb4/0x124
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #3 (&kms->commit_lock[i]){+.+.}-{3:3}:
+ __mutex_lock_common+0x174/0x1a64
+ mutex_lock_nested+0x98/0xac
+ lock_crtcs+0xb4/0x124
+ msm_atomic_commit_tail+0x330/0x748
+ commit_tail+0x19c/0x278
+ drm_atomic_helper_commit+0x1dc/0x1f0
+ drm_atomic_commit+0xc0/0xd8
+ drm_atomic_helper_set_config+0xb4/0x134
+ drm_mode_setcrtc+0x688/0x1248
+ drm_ioctl_kernel+0x1e4/0x338
+ drm_ioctl+0x3a4/0x684
+ __arm64_sys_ioctl+0x118/0x154
+ invoke_syscall+0x78/0x224
+ el0_svc_common+0x178/0x200
+ do_el0_svc+0x94/0x13c
+ el0_svc+0x5c/0xec
+ el0t_64_sync_handler+0x78/0x108
+ el0t_64_sync+0x1a4/0x1a8
+
+ -> #2 (crtc_ww_class_mutex){+.+.}-{3:3}:
+ __mutex_lock_common+0x174/0x1a64
+ ww_mutex_lock+0xb8/0x278
+ modeset_lock+0x304/0x4ac
+ drm_modeset_lock+0x4c/0x7c
+ drmm_mode_config_init+0x4a8/0xc50
+ msm_drm_init+0x274/0xac0
+ msm_drm_bind+0x20/0x2c
+ try_to_bring_up_master+0x3dc/0x470
+ __component_add+0x18c/0x3c0
+ component_add+0x1c/0x28
+ dp_display_probe+0x954/0xa98
+ platform_probe+0x124/0x15c
+ really_probe+0x1b0/0x5f8
+ __driver_probe_device+0x174/0x20c
+ driver_probe_device+0x70/0x134
+ __device_attach_driver+0x130/0x1d0
+ bus_for_each_drv+0xfc/0x14c
+ __device_attach+0x1bc/0x2bc
+ device_initial_probe+0x1c/0x28
+ bus_probe_device+0x94/0x178
+ deferred_probe_work_func+0x1a4/0x1f0
+ process_one_work+0x5d4/0x9dc
+ worker_thread+0x898/0xccc
+ kthread+0x2d4/0x3d4
+ ret_from_fork+0x10/0x20
+
+ -> #1 (crtc_ww_class_acquire){+.+.}-{0:0}:
+ ww_acquire_init+0x1c4/0x2c8
+ drm_modeset_acquire_init+0x44/0xc8
+ drm_helper_probe_single_connector_modes+0xb0/0x12dc
+ drm_mode_getconnector+0x5dc/0xfe8
+ drm_ioctl_kernel+0x1e4/0x338
+ drm_ioctl+0x3a4/0x684
+ __arm64_sys_ioctl+0x118/0x154
+ invoke_syscall+0x78/0x224
+ el0_svc_common+0x178/0x200
+ do_el0_svc+0x94/0x13c
+ el0_svc+0x5c/0xec
+ el0t_64_sync_handler+0x78/0x108
+ el0t_64_sync+0x1a4/0x1a8
+
+ -> #0 (&dev->mode_config.mutex){+.+.}-{3:3}:
+ __lock_acquire+0x2650/0x672c
+ lock_acquire+0x1b4/0x4ac
+ __mutex_lock_common+0x174/0x1a64
+ mutex_lock_nested+0x98/0xac
+ dp_panel_add_fail_safe_mode+0x4c/0xa0
+ dp_hpd_plug_handle+0x1f0/0x280
+ dp_bridge_enable+0x94/0x2b8
+ drm_atomic_bridge_chain_enable+0x11c/0x168
+ drm_atomic_helper_commit_modeset_enables+0x500/0x740
+ msm_atomic_commit_tail+0x3e4/0x748
+ commit_tail+0x19c/0x278
+ drm_atomic_helper_commit+0x1dc/0x1f0
+ drm_atomic_commit+0xc0/0xd8
+ drm_atomic_helper_set_config+0xb4/0x134
+ drm_mode_setcrtc+0x688/0x1248
+ drm_ioctl_kernel+0x1e4/0x338
+ drm_ioctl+0x3a4/0x684
+ __arm64_sys_ioctl+0x118/0x154
+ invoke_syscall+0x78/0x224
+ el0_svc_common+0x178/0x200
+ do_el0_svc+0x94/0x13c
+ el0_svc+0x5c/0xec
+ el0t_64_sync_handler+0x78/0x108
+ el0t_64_sync+0x1a4/0x1a8
+
+Changes in v2:
+-- re text commit title
+-- remove all fail safe mode
+
+Changes in v3:
+-- remove dp_panel_add_fail_safe_mode() from dp_panel.h
+-- add Fixes
+
+Changes in v5:
+-- to=dianders@chromium.org
+
+Changes in v6:
+-- fix Fixes commit ID
+
+Fixes: 8b2c181e3dcf ("drm/msm/dp: add fail safe mode outside of event_mutex context")
+Reported-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>
+Link: https://lore.kernel.org/r/1651007534-31842-1-git-send-email-quic_khsieh@quicinc.com
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/dp/dp_display.c | 6 ------
+ drivers/gpu/drm/msm/dp/dp_panel.c | 11 -----------
+ drivers/gpu/drm/msm/dp/dp_panel.h | 1 -
+ 3 files changed, 18 deletions(-)
+
+--- a/drivers/gpu/drm/msm/dp/dp_display.c
++++ b/drivers/gpu/drm/msm/dp/dp_display.c
+@@ -551,12 +551,6 @@ static int dp_hpd_plug_handle(struct dp_
+
+ mutex_unlock(&dp->event_mutex);
+
+- /*
+- * add fail safe mode outside event_mutex scope
+- * to avoid potiential circular lock with drm thread
+- */
+- dp_panel_add_fail_safe_mode(dp->dp_display.connector);
+-
+ /* uevent will complete connection part */
+ return 0;
+ };
+--- a/drivers/gpu/drm/msm/dp/dp_panel.c
++++ b/drivers/gpu/drm/msm/dp/dp_panel.c
+@@ -151,15 +151,6 @@ static int dp_panel_update_modes(struct
+ return rc;
+ }
+
+-void dp_panel_add_fail_safe_mode(struct drm_connector *connector)
+-{
+- /* fail safe edid */
+- mutex_lock(&connector->dev->mode_config.mutex);
+- if (drm_add_modes_noedid(connector, 640, 480))
+- drm_set_preferred_mode(connector, 640, 480);
+- mutex_unlock(&connector->dev->mode_config.mutex);
+-}
+-
+ int dp_panel_read_sink_caps(struct dp_panel *dp_panel,
+ struct drm_connector *connector)
+ {
+@@ -215,8 +206,6 @@ int dp_panel_read_sink_caps(struct dp_pa
+ rc = -ETIMEDOUT;
+ goto end;
+ }
+-
+- dp_panel_add_fail_safe_mode(connector);
+ }
+
+ if (panel->aux_cfg_update_done) {
+--- a/drivers/gpu/drm/msm/dp/dp_panel.h
++++ b/drivers/gpu/drm/msm/dp/dp_panel.h
+@@ -59,7 +59,6 @@ int dp_panel_init_panel_info(struct dp_p
+ int dp_panel_deinit(struct dp_panel *dp_panel);
+ int dp_panel_timing_cfg(struct dp_panel *dp_panel);
+ void dp_panel_dump_regs(struct dp_panel *dp_panel);
+-void dp_panel_add_fail_safe_mode(struct drm_connector *connector);
+ int dp_panel_read_sink_caps(struct dp_panel *dp_panel,
+ struct drm_connector *connector);
+ u32 dp_panel_get_mode_bpp(struct dp_panel *dp_panel, u32 mode_max_bpp,
--- /dev/null
+From 95098d5ac2551769807031444e55a0da5d4f0952 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Fri, 29 Apr 2022 09:53:37 +0800
+Subject: net: cpsw: add missing of_node_put() in cpsw_probe_dt()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+commit 95098d5ac2551769807031444e55a0da5d4f0952 upstream.
+
+'tmp_node' need be put before returning from cpsw_probe_dt(),
+so add missing of_node_put() in error path.
+
+Fixes: ed3525eda4c4 ("net: ethernet: ti: introduce cpsw switchdev based driver part 1 - dual-emac")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/cpsw_new.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ti/cpsw_new.c
++++ b/drivers/net/ethernet/ti/cpsw_new.c
+@@ -1246,8 +1246,10 @@ static int cpsw_probe_dt(struct cpsw_com
+ data->slave_data = devm_kcalloc(dev, CPSW_SLAVE_PORTS_NUM,
+ sizeof(struct cpsw_slave_data),
+ GFP_KERNEL);
+- if (!data->slave_data)
++ if (!data->slave_data) {
++ of_node_put(tmp_node);
+ return -ENOMEM;
++ }
+
+ /* Populate all the child nodes here...
+ */
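Review bot: The new `if (!data->slave_data)` branch releases `tmp_node` inline, while the later failures in cpsw_probe_dt() release it through `err_node_put` in the next hunk, so the function now has two release sites that have to be kept in step. A second label placed after `of_node_put(port_np);`, for example `err_tmp_node_put:`, would let this branch do `ret = -ENOMEM; goto err_tmp_node_put;` and leave a single `of_node_put(tmp_node);`. The success return and the place where `tmp_node` is acquired are outside both hunks, so it is worth confirming that the normal exit drops the reference as well.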
+@@ -1341,6 +1343,7 @@ static int cpsw_probe_dt(struct cpsw_com
+
+ err_node_put:
+ of_node_put(port_np);
++ of_node_put(tmp_node);
+ return ret;
+ }
+
--- /dev/null
+From a9e9b091a1c14ecd8bd9d3214a62142a1786fe30 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Thu, 28 Apr 2022 17:53:17 +0800
+Subject: net: dsa: mt7530: add missing of_node_put() in mt7530_setup()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+commit a9e9b091a1c14ecd8bd9d3214a62142a1786fe30 upstream.
+
+Add of_node_put() if of_get_phy_mode() fails in mt7530_setup()
+
+Fixes: 0c65b2b90d13 ("net: of_get_phy_mode: Change API to solve int/unit warnings")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20220428095317.538829-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mt7530.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -2224,6 +2224,7 @@ mt7530_setup(struct dsa_switch *ds)
+ ret = of_get_phy_mode(mac_np, &interface);
+ if (ret && ret != -ENODEV) {
+ of_node_put(mac_np);
++ of_node_put(phy_node);
+ return ret;
+ }
+ id = of_mdio_parse_addr(ds->dev, phy_node);
--- /dev/null
+From 7a6bc33ab54923d325d9a1747ec9652c4361ebd1 Mon Sep 17 00:00:00 2001
+From: Shravya Kumbham <shravya.kumbham@xilinx.com>
+Date: Mon, 2 May 2022 12:57:50 +0530
+Subject: net: emaclite: Add error handling for of_address_to_resource()
+
+From: Shravya Kumbham <shravya.kumbham@xilinx.com>
+
+commit 7a6bc33ab54923d325d9a1747ec9652c4361ebd1 upstream.
+
+check the return value of of_address_to_resource() and also add
+missing of_node_put() for np and npp nodes.
+
+Fixes: e0a3bc65448c ("net: emaclite: Support multiple phys connected to one MDIO bus")
+Addresses-Coverity: Event check_return value.
+Signed-off-by: Shravya Kumbham <shravya.kumbham@xilinx.com>
+Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/xilinx/xilinx_emaclite.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c
++++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
+@@ -823,10 +823,10 @@ static int xemaclite_mdio_write(struct m
+ static int xemaclite_mdio_setup(struct net_local *lp, struct device *dev)
+ {
+ struct mii_bus *bus;
+- int rc;
+ struct resource res;
+ struct device_node *np = of_get_parent(lp->phy_node);
+ struct device_node *npp;
++ int rc, ret;
+
+ /* Don't register the MDIO bus if the phy_node or its parent node
+ * can't be found.
+@@ -836,8 +836,14 @@ static int xemaclite_mdio_setup(struct n
+ return -ENODEV;
+ }
+ npp = of_get_parent(np);
+-
+- of_address_to_resource(npp, 0, &res);
++ ret = of_address_to_resource(npp, 0, &res);
++ of_node_put(npp);
++ if (ret) {
++ dev_err(dev, "%s resource error!\n",
++ dev->of_node->full_name);
++ of_node_put(np);
++ return ret;
++ }
+ if (lp->ndev->mem_start != res.start) {
+ struct phy_device *phydev;
+ phydev = of_phy_find_device(lp->phy_node);
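Review bot: The release of `np` is now written out by hand on every exit of xemaclite_mdio_setup(): the new `if (ret)` branch here, then the `return 0`, the `!bus` branch and the line after `of_mdiobus_register()` in the following hunks. The next early return added to this function can therefore leak the node again, and a single exit label that does `of_node_put(np);` would be more robust. The new `ret` also looks redundant, since as far as the hunks show `rc` is not used before of_mdiobus_register(); `rc = of_address_to_resource(npp, 0, &res);` would avoid the second variable. The error message prints `dev->of_node->full_name` although the failed lookup was on `npp`, so it does not name the node that has no usable resource. The function continues outside these hunks.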
+@@ -846,6 +852,7 @@ static int xemaclite_mdio_setup(struct n
+ "MDIO of the phy is not registered yet\n");
+ else
+ put_device(&phydev->mdio.dev);
++ of_node_put(np);
+ return 0;
+ }
+
+@@ -858,6 +865,7 @@ static int xemaclite_mdio_setup(struct n
+ bus = mdiobus_alloc();
+ if (!bus) {
+ dev_err(dev, "Failed to allocate mdiobus\n");
++ of_node_put(np);
+ return -ENOMEM;
+ }
+
+@@ -870,6 +878,7 @@ static int xemaclite_mdio_setup(struct n
+ bus->parent = dev;
+
+ rc = of_mdiobus_register(bus, np);
++ of_node_put(np);
+ if (rc) {
+ dev_err(dev, "Failed to register mdio bus.\n");
+ goto err_register;
--- /dev/null
+From ff5265d45345d01fefc98fcb9ae891b59633c919 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Thu, 28 Apr 2022 14:25:43 +0800
+Subject: net: ethernet: mediatek: add missing of_node_put() in mtk_sgmii_init()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+commit ff5265d45345d01fefc98fcb9ae891b59633c919 upstream.
+
+The node pointer returned by of_parse_phandle() with refcount incremented,
+so add of_node_put() after using it in mtk_sgmii_init().
+
+Fixes: 9ffee4a8276c ("net: ethernet: mediatek: Extend SGMII related functions")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20220428062543.64883-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mediatek/mtk_sgmii.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mediatek/mtk_sgmii.c
++++ b/drivers/net/ethernet/mediatek/mtk_sgmii.c
+@@ -26,6 +26,7 @@ int mtk_sgmii_init(struct mtk_sgmii *ss,
+ break;
+
+ ss->regmap[i] = syscon_node_to_regmap(np);
++ of_node_put(np);
+ if (IS_ERR(ss->regmap[i]))
+ return PTR_ERR(ss->regmap[i]);
+ }
--- /dev/null
+From dba5bdd57bea587ea4f0b79b03c71135f84a7e8b Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 29 Apr 2022 08:42:57 -0700
+Subject: net: igmp: respect RCU rules in ip_mc_source() and ip_mc_msfilter()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit dba5bdd57bea587ea4f0b79b03c71135f84a7e8b upstream.
+
+syzbot reported an UAF in ip_mc_sf_allow() [1]
+
+Whenever RCU protected list replaces an object,
+the pointer to the new object needs to be updated
+_before_ the call to kfree_rcu() or call_rcu()
+
+Because kfree_rcu(ptr, rcu) got support for NULL ptr
+only recently in commit 12edff045bc6 ("rcu: Make kfree_rcu()
+ignore NULL pointers"), I chose to use the conditional
+to make sure stable backports won't miss this detail.
+
+if (psl)
+ kfree_rcu(psl, rcu);
+
+net/ipv6/mcast.c has similar issues, addressed in a separate patch.
+
+[1]
+BUG: KASAN: use-after-free in ip_mc_sf_allow+0x6bb/0x6d0 net/ipv4/igmp.c:2655
+Read of size 4 at addr ffff88807d37b904 by task syz-executor.5/908
+
+CPU: 0 PID: 908 Comm: syz-executor.5 Not tainted 5.18.0-rc4-syzkaller-00064-g8f4dd16603ce #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313
+ print_report mm/kasan/report.c:429 [inline]
+ kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
+ ip_mc_sf_allow+0x6bb/0x6d0 net/ipv4/igmp.c:2655
+ raw_v4_input net/ipv4/raw.c:190 [inline]
+ raw_local_deliver+0x4d1/0xbe0 net/ipv4/raw.c:218
+ ip_protocol_deliver_rcu+0xcf/0xb30 net/ipv4/ip_input.c:193
+ ip_local_deliver_finish+0x2ee/0x4c0 net/ipv4/ip_input.c:233
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ NF_HOOK include/linux/netfilter.h:301 [inline]
+ ip_local_deliver+0x1b3/0x200 net/ipv4/ip_input.c:254
+ dst_input include/net/dst.h:461 [inline]
+ ip_rcv_finish+0x1cb/0x2f0 net/ipv4/ip_input.c:437
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ NF_HOOK include/linux/netfilter.h:301 [inline]
+ ip_rcv+0xaa/0xd0 net/ipv4/ip_input.c:556
+ __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5405
+ __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5519
+ netif_receive_skb_internal net/core/dev.c:5605 [inline]
+ netif_receive_skb+0x13e/0x8e0 net/core/dev.c:5664
+ tun_rx_batched.isra.0+0x460/0x720 drivers/net/tun.c:1534
+ tun_get_user+0x28b7/0x3e30 drivers/net/tun.c:1985
+ tun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2015
+ call_write_iter include/linux/fs.h:2050 [inline]
+ new_sync_write+0x38a/0x560 fs/read_write.c:504
+ vfs_write+0x7c0/0xac0 fs/read_write.c:591
+ ksys_write+0x127/0x250 fs/read_write.c:644
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7f3f12c3bbff
+Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 99 fd ff ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 cc fd ff ff 48
+RSP: 002b:00007f3f13ea9130 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007f3f12d9bf60 RCX: 00007f3f12c3bbff
+RDX: 0000000000000036 RSI: 0000000020002ac0 RDI: 00000000000000c8
+RBP: 00007f3f12ce308d R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000036 R11: 0000000000000293 R12: 0000000000000000
+R13: 00007fffb68dd79f R14: 00007f3f13ea9300 R15: 0000000000022000
+ </TASK>
+
+Allocated by task 908:
+ kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
+ kasan_set_track mm/kasan/common.c:45 [inline]
+ set_alloc_info mm/kasan/common.c:436 [inline]
+ ____kasan_kmalloc mm/kasan/common.c:515 [inline]
+ ____kasan_kmalloc mm/kasan/common.c:474 [inline]
+ __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
+ kasan_kmalloc include/linux/kasan.h:234 [inline]
+ __do_kmalloc mm/slab.c:3710 [inline]
+ __kmalloc+0x209/0x4d0 mm/slab.c:3719
+ kmalloc include/linux/slab.h:586 [inline]
+ sock_kmalloc net/core/sock.c:2501 [inline]
+ sock_kmalloc+0xb5/0x100 net/core/sock.c:2492
+ ip_mc_source+0xba2/0x1100 net/ipv4/igmp.c:2392
+ do_ip_setsockopt net/ipv4/ip_sockglue.c:1296 [inline]
+ ip_setsockopt+0x2312/0x3ab0 net/ipv4/ip_sockglue.c:1432
+ raw_setsockopt+0x274/0x2c0 net/ipv4/raw.c:861
+ __sys_setsockopt+0x2db/0x6a0 net/socket.c:2180
+ __do_sys_setsockopt net/socket.c:2191 [inline]
+ __se_sys_setsockopt net/socket.c:2188 [inline]
+ __x64_sys_setsockopt+0xba/0x150 net/socket.c:2188
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Freed by task 753:
+ kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
+ kasan_set_track+0x21/0x30 mm/kasan/common.c:45
+ kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
+ ____kasan_slab_free mm/kasan/common.c:366 [inline]
+ ____kasan_slab_free+0x13d/0x180 mm/kasan/common.c:328
+ kasan_slab_free include/linux/kasan.h:200 [inline]
+ __cache_free mm/slab.c:3439 [inline]
+ kmem_cache_free_bulk+0x69/0x460 mm/slab.c:3774
+ kfree_bulk include/linux/slab.h:437 [inline]
+ kfree_rcu_work+0x51c/0xa10 kernel/rcu/tree.c:3318
+ process_one_work+0x996/0x1610 kernel/workqueue.c:2289
+ worker_thread+0x665/0x1080 kernel/workqueue.c:2436
+ kthread+0x2e9/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
+
+Last potentially related work creation:
+ kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
+ __kasan_record_aux_stack+0x7e/0x90 mm/kasan/generic.c:348
+ kvfree_call_rcu+0x74/0x990 kernel/rcu/tree.c:3595
+ ip_mc_msfilter+0x712/0xb60 net/ipv4/igmp.c:2510
+ do_ip_setsockopt net/ipv4/ip_sockglue.c:1257 [inline]
+ ip_setsockopt+0x32e1/0x3ab0 net/ipv4/ip_sockglue.c:1432
+ raw_setsockopt+0x274/0x2c0 net/ipv4/raw.c:861
+ __sys_setsockopt+0x2db/0x6a0 net/socket.c:2180
+ __do_sys_setsockopt net/socket.c:2191 [inline]
+ __se_sys_setsockopt net/socket.c:2188 [inline]
+ __x64_sys_setsockopt+0xba/0x150 net/socket.c:2188
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Second to last potentially related work creation:
+ kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
+ __kasan_record_aux_stack+0x7e/0x90 mm/kasan/generic.c:348
+ call_rcu+0x99/0x790 kernel/rcu/tree.c:3074
+ mpls_dev_notify+0x552/0x8a0 net/mpls/af_mpls.c:1656
+ notifier_call_chain+0xb5/0x200 kernel/notifier.c:84
+ call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1938
+ call_netdevice_notifiers_extack net/core/dev.c:1976 [inline]
+ call_netdevice_notifiers net/core/dev.c:1990 [inline]
+ unregister_netdevice_many+0x92e/0x1890 net/core/dev.c:10751
+ default_device_exit_batch+0x449/0x590 net/core/dev.c:11245
+ ops_exit_list+0x125/0x170 net/core/net_namespace.c:167
+ cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594
+ process_one_work+0x996/0x1610 kernel/workqueue.c:2289
+ worker_thread+0x665/0x1080 kernel/workqueue.c:2436
+ kthread+0x2e9/0x3a0 kernel/kthread.c:376
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
+
+The buggy address belongs to the object at ffff88807d37b900
+ which belongs to the cache kmalloc-64 of size 64
+The buggy address is located 4 bytes inside of
+ 64-byte region [ffff88807d37b900, ffff88807d37b940)
+
+The buggy address belongs to the physical page:
+page:ffffea0001f4dec0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88807d37b180 pfn:0x7d37b
+flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
+raw: 00fff00000000200 ffff888010c41340 ffffea0001c795c8 ffff888010c40200
+raw: ffff88807d37b180 ffff88807d37b000 000000010000001f 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 0, migratetype Unmovable, gfp_mask 0x342040(__GFP_IO|__GFP_NOWARN|__GFP_COMP|__GFP_HARDWALL|__GFP_THISNODE), pid 2963, tgid 2963 (udevd), ts 139732238007, free_ts 139730893262
+ prep_new_page mm/page_alloc.c:2441 [inline]
+ get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182
+ __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408
+ __alloc_pages_node include/linux/gfp.h:587 [inline]
+ kmem_getpages mm/slab.c:1378 [inline]
+ cache_grow_begin+0x75/0x350 mm/slab.c:2584
+ cache_alloc_refill+0x27f/0x380 mm/slab.c:2957
+ ____cache_alloc mm/slab.c:3040 [inline]
+ ____cache_alloc mm/slab.c:3023 [inline]
+ __do_cache_alloc mm/slab.c:3267 [inline]
+ slab_alloc mm/slab.c:3309 [inline]
+ __do_kmalloc mm/slab.c:3708 [inline]
+ __kmalloc+0x3b3/0x4d0 mm/slab.c:3719
+ kmalloc include/linux/slab.h:586 [inline]
+ kzalloc include/linux/slab.h:714 [inline]
+ tomoyo_encode2.part.0+0xe9/0x3a0 security/tomoyo/realpath.c:45
+ tomoyo_encode2 security/tomoyo/realpath.c:31 [inline]
+ tomoyo_encode+0x28/0x50 security/tomoyo/realpath.c:80
+ tomoyo_realpath_from_path+0x186/0x620 security/tomoyo/realpath.c:288
+ tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
+ tomoyo_path_perm+0x21b/0x400 security/tomoyo/file.c:822
+ security_inode_getattr+0xcf/0x140 security/security.c:1350
+ vfs_getattr fs/stat.c:157 [inline]
+ vfs_statx+0x16a/0x390 fs/stat.c:232
+ vfs_fstatat+0x8c/0xb0 fs/stat.c:255
+ __do_sys_newfstatat+0x91/0x110 fs/stat.c:425
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+page last free stack trace:
+ reset_page_owner include/linux/page_owner.h:24 [inline]
+ free_pages_prepare mm/page_alloc.c:1356 [inline]
+ free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1406
+ free_unref_page_prepare mm/page_alloc.c:3328 [inline]
+ free_unref_page+0x19/0x6a0 mm/page_alloc.c:3423
+ __vunmap+0x85d/0xd30 mm/vmalloc.c:2667
+ __vfree+0x3c/0xd0 mm/vmalloc.c:2715
+ vfree+0x5a/0x90 mm/vmalloc.c:2746
+ __do_replace+0x16b/0x890 net/ipv6/netfilter/ip6_tables.c:1117
+ do_replace net/ipv6/netfilter/ip6_tables.c:1157 [inline]
+ do_ip6t_set_ctl+0x90d/0xb90 net/ipv6/netfilter/ip6_tables.c:1639
+ nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
+ ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1026
+ tcp_setsockopt+0x136/0x2520 net/ipv4/tcp.c:3696
+ __sys_setsockopt+0x2db/0x6a0 net/socket.c:2180
+ __do_sys_setsockopt net/socket.c:2191 [inline]
+ __se_sys_setsockopt net/socket.c:2188 [inline]
+ __x64_sys_setsockopt+0xba/0x150 net/socket.c:2188
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Memory state around the buggy address:
+ ffff88807d37b800: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
+ ffff88807d37b880: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
+>ffff88807d37b900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ^
+ ffff88807d37b980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff88807d37ba00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
+
+Fixes: c85bb41e9318 ("igmp: fix ip_mc_sf_allow race [v5]")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Flavio Leitner <fbl@sysclose.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/igmp.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -2403,9 +2403,10 @@ int ip_mc_source(int add, int omode, str
+ /* decrease mem now to avoid the memleak warning */
+ atomic_sub(struct_size(psl, sl_addr, psl->sl_max),
+ &sk->sk_omem_alloc);
+- kfree_rcu(psl, rcu);
+ }
+ rcu_assign_pointer(pmc->sflist, newpsl);
++ if (psl)
++ kfree_rcu(psl, rcu);
+ psl = newpsl;
+ }
+ rv = 1; /* > 0 for insert logic below if sl_count is 0 */
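Review bot: Nothing at the reordered lines in ip_mc_source() says why `kfree_rcu(psl, rcu)` has to come after `rcu_assign_pointer(pmc->sflist, newpsl)`, and that ordering is the whole fix, so a later cleanup could fold the free back into the `if (psl)` block above it and reintroduce the use-after-free. I would add a comment on the new `if (psl)` such as `/* free only after newpsl is published: a reader that starts after kfree_rcu() must not still find psl */`. The same comment belongs on the matching lines in the ip_mc_msfilter() hunk. Both functions start and end outside their hunks.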
+@@ -2507,11 +2508,13 @@ int ip_mc_msfilter(struct sock *sk, stru
+ /* decrease mem now to avoid the memleak warning */
+ atomic_sub(struct_size(psl, sl_addr, psl->sl_max),
+ &sk->sk_omem_alloc);
+- kfree_rcu(psl, rcu);
+- } else
++ } else {
+ (void) ip_mc_del_src(in_dev, &msf->imsf_multiaddr, pmc->sfmode,
+ 0, NULL, 0);
++ }
+ rcu_assign_pointer(pmc->sflist, newpsl);
++ if (psl)
++ kfree_rcu(psl, rcu);
+ pmc->sfmode = msf->imsf_fmode;
+ err = 0;
+ done:
--- /dev/null
+From e87f66b38e66dffdec9daa9f8f0eb044e9a62e3b Mon Sep 17 00:00:00 2001
+From: Niels Dossche <dossche.niels@gmail.com>
+Date: Thu, 28 Apr 2022 23:19:32 +0200
+Subject: net: mdio: Fix ENOMEM return value in BCM6368 mux bus controller
+
+From: Niels Dossche <dossche.niels@gmail.com>
+
+commit e87f66b38e66dffdec9daa9f8f0eb044e9a62e3b upstream.
+
+Error values inside the probe function must be < 0. The ENOMEM return
+value has the wrong sign: it is positive instead of negative.
+Add a minus sign.
+
+Fixes: e239756717b5 ("net: mdio: Add BCM6368 MDIO mux bus controller")
+Signed-off-by: Niels Dossche <dossche.niels@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20220428211931.8130-1-dossche.niels@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/mdio/mdio-mux-bcm6368.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/mdio/mdio-mux-bcm6368.c
++++ b/drivers/net/mdio/mdio-mux-bcm6368.c
+@@ -115,7 +115,7 @@ static int bcm6368_mdiomux_probe(struct
+ md->mii_bus = devm_mdiobus_alloc(&pdev->dev);
+ if (!md->mii_bus) {
+ dev_err(&pdev->dev, "mdiomux bus alloc failed\n");
+- return ENOMEM;
++ return -ENOMEM;
+ }
+
+ bus = md->mii_bus;
--- /dev/null
+From 3a58f13a881ed351198ffab4cf9953cf19d2ab3a Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 2 May 2022 10:40:18 +0900
+Subject: net: rds: acquire refcount on TCP sockets
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 3a58f13a881ed351198ffab4cf9953cf19d2ab3a upstream.
+
+syzbot is reporting use-after-free read in tcp_retransmit_timer() [1],
+for TCP socket used by RDS is accessing sock_net() without acquiring a
+refcount on net namespace. Since TCP's retransmission can happen after
+a process which created net namespace terminated, we need to explicitly
+acquire a refcount.
+
+Link: https://syzkaller.appspot.com/bug?extid=694120e1002c117747ed [1]
+Reported-by: syzbot <syzbot+694120e1002c117747ed@syzkaller.appspotmail.com>
+Fixes: 26abe14379f8e2fa ("net: Modify sk_alloc to not reference count the netns of kernel sockets.")
+Fixes: 8a68173691f03661 ("net: sk_clone_lock() should only do get_net() if the parent is not a kernel socket")
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Tested-by: syzbot <syzbot+694120e1002c117747ed@syzkaller.appspotmail.com>
+Link: https://lore.kernel.org/r/a5fb1fc4-2284-3359-f6a0-e4e390239d7b@I-love.SAKURA.ne.jp
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/tcp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/rds/tcp.c
++++ b/net/rds/tcp.c
+@@ -495,6 +495,14 @@ void rds_tcp_tune(struct socket *sock)
+
+ tcp_sock_set_nodelay(sock->sk);
+ lock_sock(sk);
++ /* TCP timer functions might access net namespace even after
++ * a process which created this net namespace terminated.
++ */
++ if (!sk->sk_net_refcnt) {
++ sk->sk_net_refcnt = 1;
++ get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
++ sock_inuse_add(net, 1);
++ }
+ if (rtn->sndbuf_size > 0) {
+ sk->sk_sndbuf = rtn->sndbuf_size;
+ sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
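Review bot: `get_net_track(net, &sk->ns_tracker, GFP_KERNEL)` takes the namespace reference unconditionally, so if the namespace's count has already reached zero when rds_tcp_tune() runs, the new block would take a reference on a namespace that is already being torn down instead of refusing. Whether that window exists depends on the callers, which are outside the hunk, so this needs confirming. If it does, `maybe_get_net(net)` is the checked form; using it means releasing the socket lock and reporting failure on a zero count, which in turn needs rds_tcp_tune() to return a status rather than `void`. `net` and `sk` are declared above the hunk.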
--- /dev/null
+From 1a15267b7be77e0792cf0c7b36ca65c8eb2df0d8 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Thu, 28 Apr 2022 17:57:16 +0800
+Subject: net: stmmac: dwmac-sun8i: add missing of_node_put() in sun8i_dwmac_register_mdio_mux()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+commit 1a15267b7be77e0792cf0c7b36ca65c8eb2df0d8 upstream.
+
+The node pointer returned by of_get_child_by_name() with refcount incremented,
+so add of_node_put() after using it.
+
+Fixes: 634db83b8265 ("net: stmmac: dwmac-sun8i: Handle integrated/external MDIOs")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20220428095716.540452-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
+@@ -916,6 +916,7 @@ static int sun8i_dwmac_register_mdio_mux
+
+ ret = mdio_mux_init(priv->device, mdio_mux, mdio_mux_syscon_switch_fn,
+ &gmac->mux_handle, priv, priv->mii);
++ of_node_put(mdio_mux);
+ return ret;
+ }
+
--- /dev/null
+From 97926d5a847ca1758ad8702ce591e3b05a701e0d Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Mon, 2 May 2022 11:46:37 +0200
+Subject: selftests/net: so_txtime: fix parsing of start time stamp on 32 bit systems
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 97926d5a847ca1758ad8702ce591e3b05a701e0d upstream.
+
+This patch fixes the parsing of the cmd line supplied start time on 32
+bit systems. A "long" on 32 bit systems is only 32 bit wide and cannot
+hold a timestamp in nano second resolution.
+
+Fixes: 040806343bb4 ("selftests/net: so_txtime multi-host support")
+Cc: Carlos Llamas <cmllamas@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Carlos Llamas <cmllamas@google.com>
+Link: https://lore.kernel.org/r/20220502094638.1921702-2-mkl@pengutronix.de
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/so_txtime.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/so_txtime.c
++++ b/tools/testing/selftests/net/so_txtime.c
+@@ -475,7 +475,7 @@ static void parse_opts(int argc, char **
+ cfg_rx = true;
+ break;
+ case 't':
+- cfg_start_time_ns = strtol(optarg, NULL, 0);
++ cfg_start_time_ns = strtoll(optarg, NULL, 0);
+ break;
+ case 'm':
+ cfg_mark = strtol(optarg, NULL, 0);
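Review bot: The `-t` value is still parsed with a NULL end pointer and no `errno` check, so a mistyped or out-of-range start time silently becomes 0 or a clamped value and the test runs with a wrong schedule rather than failing. Since this line is being touched anyway, I would parse with an end pointer, set `errno = 0` first, and reject the option when `errno` is set or `*end != '\0'`. The widening to `strtoll` only helps if `cfg_start_time_ns` is a 64-bit type; its declaration is outside the hunk. The `-m` case just below has the same unchecked `strtol` call.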
--- /dev/null
+From f5c2174a3775491e890ce285df52f5715fbef875 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Mon, 2 May 2022 11:46:38 +0200
+Subject: selftests/net: so_txtime: usage(): fix documentation of default clock
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit f5c2174a3775491e890ce285df52f5715fbef875 upstream.
+
+The program uses CLOCK_TAI as default clock since it was added to the
+Linux repo. In commit:
+| 040806343bb4 ("selftests/net: so_txtime multi-host support")
+a help text stating the wrong default clock was added.
+
+This patch fixes the help text.
+
+Fixes: 040806343bb4 ("selftests/net: so_txtime multi-host support")
+Cc: Carlos Llamas <cmllamas@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Carlos Llamas <cmllamas@google.com>
+Link: https://lore.kernel.org/r/20220502094638.1921702-3-mkl@pengutronix.de
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/so_txtime.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/so_txtime.c
++++ b/tools/testing/selftests/net/so_txtime.c
+@@ -421,7 +421,7 @@ static void usage(const char *progname)
+ "Options:\n"
+ " -4 only IPv4\n"
+ " -6 only IPv6\n"
+- " -c <clock> monotonic (default) or tai\n"
++ " -c <clock> monotonic or tai (default)\n"
+ " -D <addr> destination IP address (server)\n"
+ " -S <addr> source IP address (client)\n"
+ " -r run rx mode\n"
rdma-irdma-reduce-iwarp-qp-destroy-time.patch
rdma-irdma-fix-possible-crash-due-to-null-netdev-in-notifier.patch
nfsv4-don-t-invalidate-inode-attributes-on-delegation-return.patch
+net-ethernet-mediatek-add-missing-of_node_put-in-mtk_sgmii_init.patch
+net-dsa-mt7530-add-missing-of_node_put-in-mt7530_setup.patch
+net-stmmac-dwmac-sun8i-add-missing-of_node_put-in-sun8i_dwmac_register_mdio_mux.patch
+net-mdio-fix-enomem-return-value-in-bcm6368-mux-bus-controller.patch
+net-cpsw-add-missing-of_node_put-in-cpsw_probe_dt.patch
+net-igmp-respect-rcu-rules-in-ip_mc_source-and-ip_mc_msfilter.patch
+net-rds-acquire-refcount-on-tcp-sockets.patch
+net-emaclite-add-error-handling-for-of_address_to_resource.patch
+selftests-net-so_txtime-fix-parsing-of-start-time-stamp-on-32-bit-systems.patch
+selftests-net-so_txtime-usage-fix-documentation-of-default-clock.patch
+drm-msm-dp-remove-fail-safe-mode-related-code.patch