--- /dev/null
+From 64b7f674c292207624b3d788eda2dde3dc1415df Mon Sep 17 00:00:00 2001
+From: Vladimir Zapolskiy <vladimir@tuxera.com>
+Date: Sat, 10 Oct 2020 21:25:54 +0300
+Subject: cifs: Fix incomplete memory allocation on setxattr path
+
+From: Vladimir Zapolskiy <vladimir@tuxera.com>
+
+commit 64b7f674c292207624b3d788eda2dde3dc1415df upstream.
+
+On setxattr() syscall path due to an apparent typo the size of a dynamically
+allocated memory chunk for storing struct smb2_file_full_ea_info object is
+computed incorrectly, to be more precise the first addend is the size of
+a pointer instead of the wanted object size. Coincidentally it makes no
+difference on 64-bit platforms, however on 32-bit targets the following
+memcpy() writes 4 bytes of data outside of the dynamically allocated memory.
+
+ =============================================================================
+ BUG kmalloc-16 (Not tainted): Redzone overwritten
+ -----------------------------------------------------------------------------
+
+ Disabling lock debugging due to kernel taint
+ INFO: 0x79e69a6f-0x9e5cdecf @offset=368. First byte 0x73 instead of 0xcc
+ INFO: Slab 0xd36d2454 objects=85 used=51 fp=0xf7d0fc7a flags=0x35000201
+ INFO: Object 0x6f171df3 @offset=352 fp=0x00000000
+
+ Redzone 5d4ff02d: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
+ Object 6f171df3: 00 00 00 00 00 05 06 00 73 6e 72 75 62 00 66 69 ........snrub.fi
+ Redzone 79e69a6f: 73 68 32 0a sh2.
+ Padding 56254d82: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
+ CPU: 0 PID: 8196 Comm: attr Tainted: G B 5.9.0-rc8+ #3
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
+ Call Trace:
+ dump_stack+0x54/0x6e
+ print_trailer+0x12c/0x134
+ check_bytes_and_report.cold+0x3e/0x69
+ check_object+0x18c/0x250
+ free_debug_processing+0xfe/0x230
+ __slab_free+0x1c0/0x300
+ kfree+0x1d3/0x220
+ smb2_set_ea+0x27d/0x540
+ cifs_xattr_set+0x57f/0x620
+ __vfs_setxattr+0x4e/0x60
+ __vfs_setxattr_noperm+0x4e/0x100
+ __vfs_setxattr_locked+0xae/0xd0
+ vfs_setxattr+0x4e/0xe0
+ setxattr+0x12c/0x1a0
+ path_setxattr+0xa4/0xc0
+ __ia32_sys_lsetxattr+0x1d/0x20
+ __do_fast_syscall_32+0x40/0x70
+ do_fast_syscall_32+0x29/0x60
+ do_SYSENTER_32+0x15/0x20
+ entry_SYSENTER_32+0x9f/0xf2
+
+Fixes: 5517554e4313 ("cifs: Add support for writing attributes on SMB2+")
+Signed-off-by: Vladimir Zapolskiy <vladimir@tuxera.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1208,7 +1208,7 @@ smb2_set_ea(const unsigned int xid, stru
+ rqst[1].rq_iov = si_iov;
+ rqst[1].rq_nvec = 1;
+
+- len = sizeof(ea) + ea_name_len + ea_value_len + 1;
++ len = sizeof(*ea) + ea_name_len + ea_value_len + 1;
+ ea = kzalloc(len, GFP_KERNEL);
+ if (ea == NULL) {
+ rc = -ENOMEM;
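Review bot: The new `len = sizeof(*ea) + ea_name_len + ea_value_len + 1;` is still an open-coded size sum, so nothing stops the same sizeof-of-pointer slip from coming back, and the hunk does not show whether `ea_name_len` and `ea_value_len` are bounded before they are added. If the struct ends in a flexible array member, the helper from `<linux/overflow.h>` states the intent and saturates on wrap, e.g. `len = struct_size(ea, ea_data, ea_name_len + 1 + ea_value_len);` (the member name and the type of `len` need confirming against the header and the declarations, which are outside the hunk). At minimum, a comment such as `/* header + name + NUL + value */` above the assignment would record what the `+ 1` is for; the slab dump in the commit message shows a zero byte between name and value. smb2_set_ea() starts and ends outside this hunk.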
--- /dev/null
+From 4eb2e13415757a2bce5bb0d580d22bbeef1f5346 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Thu, 13 Aug 2020 16:24:04 +0200
+Subject: espintcp: restore IP CB before handing the packet to xfrm
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+commit 4eb2e13415757a2bce5bb0d580d22bbeef1f5346 upstream.
+
+Xiumei reported a bug with espintcp over IPv6 in transport mode,
+because xfrm6_transport_finish expects to find IP6CB data (struct
+inet6_skb_cb). Currently, espintcp zeroes the CB, but the relevant
+part is actually preserved by previous layers (first set up by tcp,
+then strparser only zeroes a small part of tcp_skb_cb), so we can just
+relocate it to the start of skb->cb.
+
+Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/espintcp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/xfrm/espintcp.c
++++ b/net/xfrm/espintcp.c
+@@ -29,8 +29,12 @@ static void handle_nonesp(struct espintc
+
+ static void handle_esp(struct sk_buff *skb, struct sock *sk)
+ {
++ struct tcp_skb_cb *tcp_cb = (struct tcp_skb_cb *)skb->cb;
++
+ skb_reset_transport_header(skb);
+- memset(skb->cb, 0, sizeof(skb->cb));
++
++ /* restore IP CB, we need at least IP6CB->nhoff */
++ memmove(skb->cb, &tcp_cb->header, sizeof(tcp_cb->header));
+
+ rcu_read_lock();
+ skb->dev = dev_get_by_index_rcu(sock_net(sk), skb->skb_iif);
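Review bot: With `memset(skb->cb, 0, sizeof(skb->cb))` gone, only the first `sizeof(tcp_cb->header)` bytes of `skb->cb` are defined after the `memmove()` in handle_esp(); the rest still holds whatever TCP and strparser left there and is passed on unchanged. If any later consumer of the control block expects the tail to be zero (not visible from this hunk), add `memset(skb->cb + sizeof(tcp_cb->header), 0, sizeof(skb->cb) - sizeof(tcp_cb->header));` right after the move. The comment could also say why `memmove()` is used rather than `memcpy()`, e.g. `/* source lies inside skb->cb, so the regions may overlap */`. handle_esp() continues past the end of the hunk.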
--- /dev/null
+From 28683e847e2f20eed22cdd24f185d7783db396d3 Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Wed, 7 Oct 2020 10:07:49 +0200
+Subject: i2c: meson: fix clock setting overwrite
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+commit 28683e847e2f20eed22cdd24f185d7783db396d3 upstream.
+
+When the slave address is written in do_start(), SLAVE_ADDR is written
+completely. This may overwrite some setting related to the clock rate
+or signal filtering.
+
+Fix this by writing only the bits related to slave address. To avoid
+causing unexpected changes, explicitly disable filtering or high/low
+clock mode which may have been left over by the bootloader.
+
+Fixes: 30021e3707a7 ("i2c: add support for Amlogic Meson I2C controller")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-meson.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-meson.c
++++ b/drivers/i2c/busses/i2c-meson.c
+@@ -5,6 +5,7 @@
+ * Copyright (C) 2014 Beniamino Galvani <b.galvani@gmail.com>
+ */
+
++#include <linux/bitfield.h>
+ #include <linux/clk.h>
+ #include <linux/completion.h>
+ #include <linux/i2c.h>
+@@ -38,6 +39,12 @@
+ #define REG_CTRL_CLKDIVEXT_SHIFT 28
+ #define REG_CTRL_CLKDIVEXT_MASK GENMASK(29, 28)
+
++#define REG_SLV_ADDR GENMASK(7, 0)
++#define REG_SLV_SDA_FILTER GENMASK(10, 8)
++#define REG_SLV_SCL_FILTER GENMASK(13, 11)
++#define REG_SLV_SCL_LOW GENMASK(27, 16)
++#define REG_SLV_SCL_LOW_EN BIT(28)
++
+ #define I2C_TIMEOUT_MS 500
+
+ enum {
+@@ -147,6 +154,9 @@ static void meson_i2c_set_clk_div(struct
+ meson_i2c_set_mask(i2c, REG_CTRL, REG_CTRL_CLKDIVEXT_MASK,
+ (div >> 10) << REG_CTRL_CLKDIVEXT_SHIFT);
+
++ /* Disable HIGH/LOW mode */
++ meson_i2c_set_mask(i2c, REG_SLAVE_ADDR, REG_SLV_SCL_LOW_EN, 0);
++
+ dev_dbg(i2c->dev, "%s: clk %lu, freq %u, div %u\n", __func__,
+ clk_rate, freq, div);
+ }
+@@ -280,7 +290,10 @@ static void meson_i2c_do_start(struct me
+ token = (msg->flags & I2C_M_RD) ? TOKEN_SLAVE_ADDR_READ :
+ TOKEN_SLAVE_ADDR_WRITE;
+
+- writel(msg->addr << 1, i2c->regs + REG_SLAVE_ADDR);
++
++ meson_i2c_set_mask(i2c, REG_SLAVE_ADDR, REG_SLV_ADDR,
++ FIELD_PREP(REG_SLV_ADDR, msg->addr << 1));
++
+ meson_i2c_add_token(i2c, TOKEN_START);
+ meson_i2c_add_token(i2c, token);
+ }
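Review bot: `FIELD_PREP(REG_SLV_ADDR, msg->addr << 1)` in meson_i2c_do_start() silently drops every bit of the shifted address that does not fit the 8-bit `GENMASK(7, 0)` field, so an address wider than 7 bits would go out truncated instead of being rejected. Whether the adapter can ever be handed such a message is not visible here; if it cannot, a comment like `/* 7-bit addresses only: addr << 1 must fit REG_SLV_ADDR */` would record the assumption. The hunk also adds an empty line directly after the existing blank line, leaving two consecutive blank lines before the call. The start of the function is outside the hunk.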
+@@ -461,6 +474,10 @@ static int meson_i2c_probe(struct platfo
+ return ret;
+ }
+
++ /* Disable filtering */
++ meson_i2c_set_mask(i2c, REG_SLAVE_ADDR,
++ REG_SLV_SDA_FILTER | REG_SLV_SCL_FILTER, 0);
++
+ meson_i2c_set_clk_div(i2c, timings.bus_freq_hz);
+
+ return 0;
--- /dev/null
+From 1334d3b4e49e35d8912a7c37ffca4c5afb9a0516 Mon Sep 17 00:00:00 2001
+From: Nicolas Belin <nbelin@baylibre.com>
+Date: Wed, 7 Oct 2020 10:07:51 +0200
+Subject: i2c: meson: fixup rate calculation with filter delay
+
+From: Nicolas Belin <nbelin@baylibre.com>
+
+commit 1334d3b4e49e35d8912a7c37ffca4c5afb9a0516 upstream.
+
+Apparently, 15 cycles of the peripheral clock are used by the controller
+for sampling and filtering. Because this was not known before, the rate
+calculation is slightly off.
+
+Clean up and fix the calculation taking this filtering delay into account.
+
+Fixes: 30021e3707a7 ("i2c: add support for Amlogic Meson I2C controller")
+Signed-off-by: Nicolas Belin <nbelin@baylibre.com>
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-meson.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-meson.c
++++ b/drivers/i2c/busses/i2c-meson.c
+@@ -34,10 +34,8 @@
+ #define REG_CTRL_ACK_IGNORE BIT(1)
+ #define REG_CTRL_STATUS BIT(2)
+ #define REG_CTRL_ERROR BIT(3)
+-#define REG_CTRL_CLKDIV_SHIFT 12
+-#define REG_CTRL_CLKDIV_MASK GENMASK(21, 12)
+-#define REG_CTRL_CLKDIVEXT_SHIFT 28
+-#define REG_CTRL_CLKDIVEXT_MASK GENMASK(29, 28)
++#define REG_CTRL_CLKDIV GENMASK(21, 12)
++#define REG_CTRL_CLKDIVEXT GENMASK(29, 28)
+
+ #define REG_SLV_ADDR GENMASK(7, 0)
+ #define REG_SLV_SDA_FILTER GENMASK(10, 8)
+@@ -46,6 +44,7 @@
+ #define REG_SLV_SCL_LOW_EN BIT(28)
+
+ #define I2C_TIMEOUT_MS 500
++#define FILTER_DELAY 15
+
+ enum {
+ TOKEN_END = 0,
+@@ -140,19 +139,21 @@ static void meson_i2c_set_clk_div(struct
+ unsigned long clk_rate = clk_get_rate(i2c->clk);
+ unsigned int div;
+
+- div = DIV_ROUND_UP(clk_rate, freq * i2c->data->div_factor);
++ div = DIV_ROUND_UP(clk_rate, freq);
++ div -= FILTER_DELAY;
++ div = DIV_ROUND_UP(div, i2c->data->div_factor);
+
+ /* clock divider has 12 bits */
+- if (div >= (1 << 12)) {
++ if (div > GENMASK(11, 0)) {
+ dev_err(i2c->dev, "requested bus frequency too low\n");
+- div = (1 << 12) - 1;
++ div = GENMASK(11, 0);
+ }
+
+- meson_i2c_set_mask(i2c, REG_CTRL, REG_CTRL_CLKDIV_MASK,
+- (div & GENMASK(9, 0)) << REG_CTRL_CLKDIV_SHIFT);
++ meson_i2c_set_mask(i2c, REG_CTRL, REG_CTRL_CLKDIV,
++ FIELD_PREP(REG_CTRL_CLKDIV, div & GENMASK(9, 0)));
+
+- meson_i2c_set_mask(i2c, REG_CTRL, REG_CTRL_CLKDIVEXT_MASK,
+- (div >> 10) << REG_CTRL_CLKDIVEXT_SHIFT);
++ meson_i2c_set_mask(i2c, REG_CTRL, REG_CTRL_CLKDIVEXT,
++ FIELD_PREP(REG_CTRL_CLKDIVEXT, div >> 10));
+
+ /* Disable HIGH/LOW mode */
+ meson_i2c_set_mask(i2c, REG_SLAVE_ADDR, REG_SLV_SCL_LOW_EN, 0);
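Review bot: `div -= FILTER_DELAY;` in meson_i2c_set_clk_div() subtracts from an `unsigned int` without checking that `DIV_ROUND_UP(clk_rate, freq)` is at least 15, so a low clock-to-bus-frequency ratio wraps `div` to a huge value; the range check then clamps it to `GENMASK(11, 0)` and logs "requested bus frequency too low", which is the slowest setting with a misleading message. Saturating the subtraction avoids the wrap: `div -= min_t(unsigned int, div, FILTER_DELAY);`. `freq` is also used as a divisor with no zero check in the visible lines. The `FILTER_DELAY` define added earlier in this patch would read better with its unit, e.g. `/* peripheral clock cycles spent on sampling and filtering */`. The function's opening lines are outside the hunk.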
--- /dev/null
+From 79e137b1540165f788394658442284d55a858984 Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Wed, 7 Oct 2020 10:07:50 +0200
+Subject: i2c: meson: keep peripheral clock enabled
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+commit 79e137b1540165f788394658442284d55a858984 upstream.
+
+SCL rate appears to be different than what is expected. For example,
+We get 164kHz on i2c3 of the vim3 when 400kHz is expected. This is
+partially due to the peripheral clock being disabled when the clock is
+set.
+
+Let's keep the peripheral clock on after probe to fix the problem. This
+does not affect the SCL output which is still gated when i2c is idle.
+
+Fixes: 09af1c2fa490 ("i2c: meson: set clock divider in probe instead of setting it for each transfer")
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-meson.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-meson.c
++++ b/drivers/i2c/busses/i2c-meson.c
+@@ -370,16 +370,12 @@ static int meson_i2c_xfer_messages(struc
+ struct meson_i2c *i2c = adap->algo_data;
+ int i, ret = 0;
+
+- clk_enable(i2c->clk);
+-
+ for (i = 0; i < num; i++) {
+ ret = meson_i2c_xfer_msg(i2c, msgs + i, i == num - 1, atomic);
+ if (ret)
+ break;
+ }
+
+- clk_disable(i2c->clk);
+-
+ return ret ?: i;
+ }
+
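Review bot: Nothing in meson_i2c_xfer_messages() now says why the peripheral clock is no longer gated around the transfer loop, so a later power-saving cleanup could put `clk_enable()`/`clk_disable()` back and reintroduce the wrong SCL rate described in the commit message. A short comment above the loop, e.g. `/* clock stays enabled from probe to remove; gating it here skews the SCL rate */`, would keep that reasoning next to the code. The start of the function is outside the hunk.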
+@@ -448,7 +444,7 @@ static int meson_i2c_probe(struct platfo
+ return ret;
+ }
+
+- ret = clk_prepare(i2c->clk);
++ ret = clk_prepare_enable(i2c->clk);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "can't prepare clock\n");
+ return ret;
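Review bot: The error path after `clk_prepare_enable(i2c->clk)` still logs `"can't prepare clock\n"`, although the call can now fail in the enable step as well. Adjust the message to match, e.g. `dev_err(&pdev->dev, "can't prepare and enable clock\n");`. meson_i2c_probe() extends beyond the hunk on both sides.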
+@@ -470,7 +466,7 @@ static int meson_i2c_probe(struct platfo
+
+ ret = i2c_add_adapter(&i2c->adap);
+ if (ret < 0) {
+- clk_unprepare(i2c->clk);
++ clk_disable_unprepare(i2c->clk);
+ return ret;
+ }
+
+@@ -488,7 +484,7 @@ static int meson_i2c_remove(struct platf
+ struct meson_i2c *i2c = platform_get_drvdata(pdev);
+
+ i2c_del_adapter(&i2c->adap);
+- clk_unprepare(i2c->clk);
++ clk_disable_unprepare(i2c->clk);
+
+ return 0;
+ }
--- /dev/null
+From f5b3f433641c543ebe5171285a42aa6adcdb2d22 Mon Sep 17 00:00:00 2001
+From: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+Date: Fri, 9 Oct 2020 00:44:39 +0300
+Subject: i2c: owl: Clear NACK and BUS error bits
+
+From: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+
+commit f5b3f433641c543ebe5171285a42aa6adcdb2d22 upstream.
+
+When the NACK and BUS error bits are set by the hardware, the driver is
+responsible for clearing them by writing "1" into the corresponding
+status registers.
+
+Hence perform the necessary operations in owl_i2c_interrupt().
+
+Fixes: d211e62af466 ("i2c: Add Actions Semiconductor Owl family S900 I2C driver")
+Reported-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-owl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-owl.c
++++ b/drivers/i2c/busses/i2c-owl.c
+@@ -176,6 +176,9 @@ static irqreturn_t owl_i2c_interrupt(int
+ fifostat = readl(i2c_dev->base + OWL_I2C_REG_FIFOSTAT);
+ if (fifostat & OWL_I2C_FIFOSTAT_RNB) {
+ i2c_dev->err = -ENXIO;
++ /* Clear NACK error bit by writing "1" */
++ owl_i2c_update_reg(i2c_dev->base + OWL_I2C_REG_FIFOSTAT,
++ OWL_I2C_FIFOSTAT_RNB, true);
+ goto stop;
+ }
+
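Review bot: Both added `owl_i2c_update_reg(..., true)` calls clear a write-1-to-clear bit through what looks like a read-modify-write helper (its body is not in this patch), which would write back every other status bit that currently reads as 1 and could acknowledge conditions the handler has not examined. This applies to the `OWL_I2C_FIFOSTAT_RNB` clear here and to the `OWL_I2C_STAT_BEB` clear in the next hunk. Please confirm against the helper and the register layout; if other bits in FIFOSTAT or STAT are also write-1-to-clear, the clear should write only the intended bit, and in either case the comment could say so, e.g. `/* W1C: only RNB is meant to be cleared here */`. owl_i2c_interrupt() starts and ends outside both hunks.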
+@@ -183,6 +186,9 @@ static irqreturn_t owl_i2c_interrupt(int
+ stat = readl(i2c_dev->base + OWL_I2C_REG_STAT);
+ if (stat & OWL_I2C_STAT_BEB) {
+ i2c_dev->err = -EIO;
++ /* Clear BUS error bit by writing "1" */
++ owl_i2c_update_reg(i2c_dev->base + OWL_I2C_REG_STAT,
++ OWL_I2C_STAT_BEB, true);
+ goto stop;
+ }
+
--- /dev/null
+From d42ee76ecb6c49d499fc5eb32ca34468d95dbc3e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 8 Oct 2020 01:38:31 -0700
+Subject: sctp: fix sctp_auth_init_hmacs() error path
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit d42ee76ecb6c49d499fc5eb32ca34468d95dbc3e upstream.
+
+After freeing ep->auth_hmacs we have to clear the pointer
+or risk use-after-free as reported by syzbot:
+
+BUG: KASAN: use-after-free in sctp_auth_destroy_hmacs net/sctp/auth.c:509 [inline]
+BUG: KASAN: use-after-free in sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline]
+BUG: KASAN: use-after-free in sctp_auth_free+0x17e/0x1d0 net/sctp/auth.c:1070
+Read of size 8 at addr ffff8880a8ff52c0 by task syz-executor941/6874
+
+CPU: 0 PID: 6874 Comm: syz-executor941 Not tainted 5.9.0-rc8-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x198/0x1fd lib/dump_stack.c:118
+ print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
+ __kasan_report mm/kasan/report.c:513 [inline]
+ kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
+ sctp_auth_destroy_hmacs net/sctp/auth.c:509 [inline]
+ sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline]
+ sctp_auth_free+0x17e/0x1d0 net/sctp/auth.c:1070
+ sctp_endpoint_destroy+0x95/0x240 net/sctp/endpointola.c:203
+ sctp_endpoint_put net/sctp/endpointola.c:236 [inline]
+ sctp_endpoint_free+0xd6/0x110 net/sctp/endpointola.c:183
+ sctp_destroy_sock+0x9c/0x3c0 net/sctp/socket.c:4981
+ sctp_v6_destroy_sock+0x11/0x20 net/sctp/socket.c:9415
+ sk_common_release+0x64/0x390 net/core/sock.c:3254
+ sctp_close+0x4ce/0x8b0 net/sctp/socket.c:1533
+ inet_release+0x12e/0x280 net/ipv4/af_inet.c:431
+ inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:475
+ __sock_release+0xcd/0x280 net/socket.c:596
+ sock_close+0x18/0x20 net/socket.c:1277
+ __fput+0x285/0x920 fs/file_table.c:281
+ task_work_run+0xdd/0x190 kernel/task_work.c:141
+ exit_task_work include/linux/task_work.h:25 [inline]
+ do_exit+0xb7d/0x29f0 kernel/exit.c:806
+ do_group_exit+0x125/0x310 kernel/exit.c:903
+ __do_sys_exit_group kernel/exit.c:914 [inline]
+ __se_sys_exit_group kernel/exit.c:912 [inline]
+ __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:912
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x43f278
+Code: Bad RIP value.
+RSP: 002b:00007fffe0995c38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f278
+RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
+RBP: 00000000004bf068 R08: 00000000000000e7 R09: ffffffffffffffd0
+R10: 0000000020000000 R11: 0000000000000246 R12: 0000000000000001
+R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
+
+Allocated by task 6874:
+ kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
+ kasan_set_track mm/kasan/common.c:56 [inline]
+ __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
+ kmem_cache_alloc_trace+0x174/0x300 mm/slab.c:3554
+ kmalloc include/linux/slab.h:554 [inline]
+ kmalloc_array include/linux/slab.h:593 [inline]
+ kcalloc include/linux/slab.h:605 [inline]
+ sctp_auth_init_hmacs+0xdb/0x3b0 net/sctp/auth.c:464
+ sctp_auth_init+0x8a/0x4a0 net/sctp/auth.c:1049
+ sctp_setsockopt_auth_supported net/sctp/socket.c:4354 [inline]
+ sctp_setsockopt+0x477e/0x97f0 net/sctp/socket.c:4631
+ __sys_setsockopt+0x2db/0x610 net/socket.c:2132
+ __do_sys_setsockopt net/socket.c:2143 [inline]
+ __se_sys_setsockopt net/socket.c:2140 [inline]
+ __x64_sys_setsockopt+0xba/0x150 net/socket.c:2140
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Freed by task 6874:
+ kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
+ kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
+ kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
+ __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
+ __cache_free mm/slab.c:3422 [inline]
+ kfree+0x10e/0x2b0 mm/slab.c:3760
+ sctp_auth_destroy_hmacs net/sctp/auth.c:511 [inline]
+ sctp_auth_destroy_hmacs net/sctp/auth.c:501 [inline]
+ sctp_auth_init_hmacs net/sctp/auth.c:496 [inline]
+ sctp_auth_init_hmacs+0x2b7/0x3b0 net/sctp/auth.c:454
+ sctp_auth_init+0x8a/0x4a0 net/sctp/auth.c:1049
+ sctp_setsockopt_auth_supported net/sctp/socket.c:4354 [inline]
+ sctp_setsockopt+0x477e/0x97f0 net/sctp/socket.c:4631
+ __sys_setsockopt+0x2db/0x610 net/socket.c:2132
+ __do_sys_setsockopt net/socket.c:2143 [inline]
+ __se_sys_setsockopt net/socket.c:2140 [inline]
+ __x64_sys_setsockopt+0xba/0x150 net/socket.c:2140
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 1f485649f529 ("[SCTP]: Implement SCTP-AUTH internals")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Vlad Yasevich <vyasevich@gmail.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sctp/auth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -494,6 +494,7 @@ int sctp_auth_init_hmacs(struct sctp_end
+ out_err:
+ /* Clean up any successful allocations */
+ sctp_auth_destroy_hmacs(ep->auth_hmacs);
++ ep->auth_hmacs = NULL;
+ return -ENOMEM;
+ }
+
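Review bot: The added `ep->auth_hmacs = NULL;` has no comment tying it to the later teardown, and the reason is not obvious from the error path alone: per the KASAN report in the commit message, sctp_auth_free() calls sctp_auth_destroy_hmacs() on the same pointer when the endpoint is destroyed. A one-line comment such as `/* freed above; endpoint teardown destroys ep->auth_hmacs again unless it is cleared */` would keep the line from being dropped as redundant. Any other caller that frees the array through sctp_auth_destroy_hmacs() while the endpoint lives on would need the same reset; those are not visible in this hunk. The body of sctp_auth_init_hmacs() before `out_err:` is outside the hunk.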
net-introduce-helper-sendpage_ok-in-include-linux-net.h.patch
tcp-use-sendpage_ok-to-detect-misused-.sendpage.patch
nvme-tcp-check-page-by-sendpage_ok-before-calling-kernel_sendpage.patch
+xfrmi-drop-ignore_df-check-before-updating-pmtu.patch
+espintcp-restore-ip-cb-before-handing-the-packet-to-xfrm.patch
+cifs-fix-incomplete-memory-allocation-on-setxattr-path.patch
+i2c-meson-fix-clock-setting-overwrite.patch
+i2c-meson-keep-peripheral-clock-enabled.patch
+i2c-meson-fixup-rate-calculation-with-filter-delay.patch
+i2c-owl-clear-nack-and-bus-error-bits.patch
+sctp-fix-sctp_auth_init_hmacs-error-path.patch
--- /dev/null
+From 45a36a18d01907710bad5258d81f76c18882ad88 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Tue, 4 Aug 2020 11:37:29 +0200
+Subject: xfrmi: drop ignore_df check before updating pmtu
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+commit 45a36a18d01907710bad5258d81f76c18882ad88 upstream.
+
+xfrm interfaces currently test for !skb->ignore_df when deciding
+whether to update the pmtu on the skb's dst. Because of this, no pmtu
+exception is created when we do something like:
+
+ ping -s 1438 <dest>
+
+By dropping this check, the pmtu exception will be created and the
+next ping attempt will work.
+
+Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_interface.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_interface.c
++++ b/net/xfrm/xfrm_interface.c
+@@ -292,7 +292,7 @@ xfrmi_xmit2(struct sk_buff *skb, struct
+ }
+
+ mtu = dst_mtu(dst);
+- if (!skb->ignore_df && skb->len > mtu) {
++ if (skb->len > mtu) {
+ skb_dst_update_pmtu_no_confirm(skb, mtu);
+
+ if (skb->protocol == htons(ETH_P_IPV6)) {
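Review bot: The new condition `if (skb->len > mtu)` in xfrmi_xmit2() is a plain length test, so it also matches any skb whose `len` legitimately exceeds the MTU because it will be segmented later; whether GSO packets can reach this point is not visible in the hunk. If they can, the test should be limited to non-GSO skbs or use a GSO-aware length check, for example `if (!skb_is_gso(skb) && skb->len > mtu) {` as a first step. A comment stating why `ignore_df` is deliberately not consulted, e.g. `/* update PMTU even when ignore_df is set, so an exception is created */`, would also stop the old check from being restored. The function continues past the end of the hunk.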