--- /dev/null
+From foo@baz Mon Nov 16 07:54:22 PM CET 2020
+From: Oliver Herms <oliver.peter.herms@gmail.com>
+Date: Tue, 3 Nov 2020 11:41:33 +0100
+Subject: IPv6: Set SIT tunnel hard_header_len to zero
+
+From: Oliver Herms <oliver.peter.herms@gmail.com>
+
+[ Upstream commit 8ef9ba4d666614497a057d09b0a6eafc1e34eadf ]
+
+Due to the legacy usage of hard_header_len for SIT tunnels while
+already using infrastructure from net/ipv4/ip_tunnel.c the
+calculation of the path MTU in tnl_update_pmtu is incorrect.
+This leads to unnecessary creation of MTU exceptions for any
+flow going over a SIT tunnel.
+
+As SIT tunnels do not have a header themsevles other than their
+transport (L3, L2) headers we're leaving hard_header_len set to zero
+as tnl_update_pmtu is already taking care of the transport headers
+sizes.
+
+This will also help avoiding unnecessary IPv6 GC runs and spinlock
+contention seen when using SIT tunnels and for more than
+net.ipv6.route.gc_thresh flows.
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Signed-off-by: Oliver Herms <oliver.peter.herms@gmail.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20201103104133.GA1573211@tws
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1088,7 +1088,6 @@ static void ipip6_tunnel_bind_dev(struct
+ if (tdev && !netif_is_l3_master(tdev)) {
+ int t_hlen = tunnel->hlen + sizeof(struct iphdr);
+
+- dev->hard_header_len = tdev->hard_header_len + sizeof(struct iphdr);
+ dev->mtu = tdev->mtu - t_hlen;
+ if (dev->mtu < IPV6_MIN_MTU)
+ dev->mtu = IPV6_MIN_MTU;
+@@ -1378,7 +1377,6 @@ static void ipip6_tunnel_setup(struct ne
+ dev->priv_destructor = ipip6_dev_free;
+
+ dev->type = ARPHRD_SIT;
+- dev->hard_header_len = LL_MAX_HEADER + t_hlen;
+ dev->mtu = ETH_DATA_LEN - t_hlen;
+ dev->min_mtu = IPV6_MIN_MTU;
+ dev->max_mtu = IP6_MAX_MTU - t_hlen;
--- /dev/null
+From foo@baz Mon Nov 16 07:54:22 PM CET 2020
+From: Ursula Braun <ubraun@linux.ibm.com>
+Date: Mon, 9 Nov 2020 08:57:05 +0100
+Subject: net/af_iucv: fix null pointer dereference on shutdown
+
+From: Ursula Braun <ubraun@linux.ibm.com>
+
+[ Upstream commit 4031eeafa71eaf22ae40a15606a134ae86345daf ]
+
+syzbot reported the following KASAN finding:
+
+BUG: KASAN: nullptr-dereference in iucv_send_ctrl+0x390/0x3f0 net/iucv/af_iucv.c:385
+Read of size 2 at addr 000000000000021e by task syz-executor907/519
+
+CPU: 0 PID: 519 Comm: syz-executor907 Not tainted 5.9.0-syzkaller-07043-gbcf9877ad213 #0
+Hardware name: IBM 3906 M04 701 (KVM/Linux)
+Call Trace:
+ [<00000000c576af60>] unwind_start arch/s390/include/asm/unwind.h:65 [inline]
+ [<00000000c576af60>] show_stack+0x180/0x228 arch/s390/kernel/dumpstack.c:135
+ [<00000000c9dcd1f8>] __dump_stack lib/dump_stack.c:77 [inline]
+ [<00000000c9dcd1f8>] dump_stack+0x268/0x2f0 lib/dump_stack.c:118
+ [<00000000c5fed016>] print_address_description.constprop.0+0x5e/0x218 mm/kasan/report.c:383
+ [<00000000c5fec82a>] __kasan_report mm/kasan/report.c:517 [inline]
+ [<00000000c5fec82a>] kasan_report+0x11a/0x168 mm/kasan/report.c:534
+ [<00000000c98b5b60>] iucv_send_ctrl+0x390/0x3f0 net/iucv/af_iucv.c:385
+ [<00000000c98b6262>] iucv_sock_shutdown+0x44a/0x4c0 net/iucv/af_iucv.c:1457
+ [<00000000c89d3a54>] __sys_shutdown+0x12c/0x1c8 net/socket.c:2204
+ [<00000000c89d3b70>] __do_sys_shutdown net/socket.c:2212 [inline]
+ [<00000000c89d3b70>] __s390x_sys_shutdown+0x38/0x48 net/socket.c:2210
+ [<00000000c9e36eac>] system_call+0xe0/0x28c arch/s390/kernel/entry.S:415
+
+There is nothing to shutdown if a connection has never been established.
+Besides that iucv->hs_dev is not yet initialized if a socket is in
+IUCV_OPEN state and iucv->path is not yet initialized if socket is in
+IUCV_BOUND state.
+So, just skip the shutdown calls for a socket in these states.
+
+Fixes: eac3731bd04c ("[S390]: Add AF_IUCV socket support")
+Fixes: 82492a355fac ("af_iucv: add shutdown for HS transport")
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+[jwi: correct one Fixes tag]
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/iucv/af_iucv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -1574,7 +1574,8 @@ static int iucv_sock_shutdown(struct soc
+ break;
+ }
+
+- if (how == SEND_SHUTDOWN || how == SHUTDOWN_MASK) {
++ if ((how == SEND_SHUTDOWN || how == SHUTDOWN_MASK) &&
++ sk->sk_state == IUCV_CONNECTED) {
+ if (iucv->transport == AF_IUCV_TRANS_IUCV) {
+ txmsg.class = 0;
+ txmsg.tag = 0;
--- /dev/null
+From foo@baz Mon Nov 16 07:54:22 PM CET 2020
+From: Alexander Lobakin <alobakin@pm.me>
+Date: Wed, 11 Nov 2020 20:45:25 +0000
+Subject: net: udp: fix UDP header access on Fast/frag0 UDP GRO
+
+From: Alexander Lobakin <alobakin@pm.me>
+
+[ Upstream commit 4b1a86281cc1d0de46df3ad2cb8c1f86ac07681c ]
+
+UDP GRO uses udp_hdr(skb) in its .gro_receive() callback. While it's
+probably OK for non-frag0 paths (when all headers or even the entire
+frame are already in skb head), this inline points to junk when
+using Fast GRO (napi_gro_frags() or napi_gro_receive() with only
+Ethernet header in skb head and all the rest in the frags) and breaks
+GRO packet compilation and the packet flow itself.
+To support both modes, skb_gro_header_fast() + skb_gro_header_slow()
+are typically used. UDP even has an inline helper that makes use of
+them, udp_gro_udphdr(). Use that instead of troublemaking udp_hdr()
+to get rid of the out-of-order delivers.
+
+Present since the introduction of plain UDP GRO in 5.0-rc1.
+
+Fixes: e20cf8d3f1f7 ("udp: implement GRO for plain UDP sockets.")
+Cc: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Alexander Lobakin <alobakin@pm.me>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udp_offload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/udp_offload.c
++++ b/net/ipv4/udp_offload.c
+@@ -349,7 +349,7 @@ out:
+ static struct sk_buff *udp_gro_receive_segment(struct list_head *head,
+ struct sk_buff *skb)
+ {
+- struct udphdr *uh = udp_hdr(skb);
++ struct udphdr *uh = udp_gro_udphdr(skb);
+ struct sk_buff *pp = NULL;
+ struct udphdr *uh2;
+ struct sk_buff *p;
--- /dev/null
+From foo@baz Mon Nov 16 07:54:22 PM CET 2020
+From: Mao Wenan <wenan.mao@linux.alibaba.com>
+Date: Tue, 10 Nov 2020 08:16:31 +0800
+Subject: net: Update window_clamp if SOCK_RCVBUF is set
+
+From: Mao Wenan <wenan.mao@linux.alibaba.com>
+
+[ Upstream commit 909172a149749242990a6e64cb55d55460d4e417 ]
+
+When net.ipv4.tcp_syncookies=1 and syn flood is happened,
+cookie_v4_check or cookie_v6_check tries to redo what
+tcp_v4_send_synack or tcp_v6_send_synack did,
+rsk_window_clamp will be changed if SOCK_RCVBUF is set,
+which will make rcv_wscale is different, the client
+still operates with initial window scale and can overshot
+granted window, the client use the initial scale but local
+server use new scale to advertise window value, and session
+work abnormally.
+
+Fixes: e88c64f0a425 ("tcp: allow effective reduction of TCP's rcv-buffer via setsockopt")
+Signed-off-by: Mao Wenan <wenan.mao@linux.alibaba.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/1604967391-123737-1-git-send-email-wenan.mao@linux.alibaba.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/syncookies.c | 9 +++++++--
+ net/ipv6/syncookies.c | 10 ++++++++--
+ 2 files changed, 15 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/syncookies.c
++++ b/net/ipv4/syncookies.c
+@@ -291,7 +291,7 @@ struct sock *cookie_v4_check(struct sock
+ __u32 cookie = ntohl(th->ack_seq) - 1;
+ struct sock *ret = sk;
+ struct request_sock *req;
+- int mss;
++ int full_space, mss;
+ struct rtable *rt;
+ __u8 rcv_wscale;
+ struct flowi4 fl4;
+@@ -386,8 +386,13 @@ struct sock *cookie_v4_check(struct sock
+
+ /* Try to redo what tcp_v4_send_synack did. */
+ req->rsk_window_clamp = tp->window_clamp ? :dst_metric(&rt->dst, RTAX_WINDOW);
++ /* limit the window selection if the user enforce a smaller rx buffer */
++ full_space = tcp_full_space(sk);
++ if (sk->sk_userlocks & SOCK_RCVBUF_LOCK &&
++ (req->rsk_window_clamp > full_space || req->rsk_window_clamp == 0))
++ req->rsk_window_clamp = full_space;
+
+- tcp_select_initial_window(sk, tcp_full_space(sk), req->mss,
++ tcp_select_initial_window(sk, full_space, req->mss,
+ &req->rsk_rcv_wnd, &req->rsk_window_clamp,
+ ireq->wscale_ok, &rcv_wscale,
+ dst_metric(&rt->dst, RTAX_INITRWND));
+--- a/net/ipv6/syncookies.c
++++ b/net/ipv6/syncookies.c
+@@ -136,7 +136,7 @@ struct sock *cookie_v6_check(struct sock
+ __u32 cookie = ntohl(th->ack_seq) - 1;
+ struct sock *ret = sk;
+ struct request_sock *req;
+- int mss;
++ int full_space, mss;
+ struct dst_entry *dst;
+ __u8 rcv_wscale;
+ u32 tsoff = 0;
+@@ -241,7 +241,13 @@ struct sock *cookie_v6_check(struct sock
+ }
+
+ req->rsk_window_clamp = tp->window_clamp ? :dst_metric(dst, RTAX_WINDOW);
+- tcp_select_initial_window(sk, tcp_full_space(sk), req->mss,
++ /* limit the window selection if the user enforce a smaller rx buffer */
++ full_space = tcp_full_space(sk);
++ if (sk->sk_userlocks & SOCK_RCVBUF_LOCK &&
++ (req->rsk_window_clamp > full_space || req->rsk_window_clamp == 0))
++ req->rsk_window_clamp = full_space;
++
++ tcp_select_initial_window(sk, full_space, req->mss,
+ &req->rsk_rcv_wnd, &req->rsk_window_clamp,
+ ireq->wscale_ok, &rcv_wscale,
+ dst_metric(dst, RTAX_INITRWND));
--- /dev/null
+From foo@baz Mon Nov 16 07:54:22 PM CET 2020
+From: Martin Schiller <ms@dev.tdt.de>
+Date: Mon, 9 Nov 2020 07:54:49 +0100
+Subject: net/x25: Fix null-ptr-deref in x25_connect
+
+From: Martin Schiller <ms@dev.tdt.de>
+
+[ Upstream commit 361182308766a265b6c521879b34302617a8c209 ]
+
+This fixes a regression for blocking connects introduced by commit
+4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect").
+
+The x25->neighbour is already set to "NULL" by x25_disconnect() now,
+while a blocking connect is waiting in
+x25_wait_for_connection_establishment(). Therefore x25->neighbour must
+not be accessed here again and x25->state is also already set to
+X25_STATE_0 by x25_disconnect().
+
+Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect")
+Signed-off-by: Martin Schiller <ms@dev.tdt.de>
+Reviewed-by: Xie He <xie.he.0141@gmail.com>
+Link: https://lore.kernel.org/r/20201109065449.9014-1-ms@dev.tdt.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/x25/af_x25.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -819,7 +819,7 @@ static int x25_connect(struct socket *so
+ sock->state = SS_CONNECTED;
+ rc = 0;
+ out_put_neigh:
+- if (rc) {
++ if (rc && x25->neighbour) {
+ read_lock_bh(&x25_list_lock);
+ x25_neigh_put(x25->neighbour);
+ x25->neighbour = NULL;
--- /dev/null
+From 06abe8291bc31839950f7d0362d9979edc88a666 Mon Sep 17 00:00:00 2001
+From: Coiby Xu <coiby.xu@gmail.com>
+Date: Fri, 6 Nov 2020 07:19:09 +0800
+Subject: pinctrl: amd: fix incorrect way to disable debounce filter
+
+From: Coiby Xu <coiby.xu@gmail.com>
+
+commit 06abe8291bc31839950f7d0362d9979edc88a666 upstream.
+
+The correct way to disable debounce filter is to clear bit 5 and 6
+of the register.
+
+Cc: stable@vger.kerne.org
+Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/linux-gpio/df2c008b-e7b5-4fdd-42ea-4d1c62b52139@redhat.com/
+Link: https://lore.kernel.org/r/20201105231912.69527-2-coiby.xu@gmail.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/pinctrl-amd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pinctrl/pinctrl-amd.c
++++ b/drivers/pinctrl/pinctrl-amd.c
+@@ -163,14 +163,14 @@ static int amd_gpio_set_debounce(struct
+ pin_reg |= BIT(DB_TMR_OUT_UNIT_OFF);
+ pin_reg |= BIT(DB_TMR_LARGE_OFF);
+ } else {
+- pin_reg &= ~DB_CNTRl_MASK;
++ pin_reg &= ~(DB_CNTRl_MASK << DB_CNTRL_OFF);
+ ret = -EINVAL;
+ }
+ } else {
+ pin_reg &= ~BIT(DB_TMR_OUT_UNIT_OFF);
+ pin_reg &= ~BIT(DB_TMR_LARGE_OFF);
+ pin_reg &= ~DB_TMR_OUT_MASK;
+- pin_reg &= ~DB_CNTRl_MASK;
++ pin_reg &= ~(DB_CNTRl_MASK << DB_CNTRL_OFF);
+ }
+ writel(pin_reg, gpio_dev->base + offset * 4);
+ raw_spin_unlock_irqrestore(&gpio_dev->lock, flags);
--- /dev/null
+From c64a6a0d4a928c63e5bc3b485552a8903a506c36 Mon Sep 17 00:00:00 2001
+From: Coiby Xu <coiby.xu@gmail.com>
+Date: Fri, 6 Nov 2020 07:19:10 +0800
+Subject: pinctrl: amd: use higher precision for 512 RtcClk
+
+From: Coiby Xu <coiby.xu@gmail.com>
+
+commit c64a6a0d4a928c63e5bc3b485552a8903a506c36 upstream.
+
+RTC is 32.768kHz thus 512 RtcClk equals 15625 usec. The documentation
+likely has dropped precision and that's why the driver mistakenly took
+the slightly deviated value.
+
+Cc: stable@vger.kernel.org
+Reported-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Suggested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Suggested-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/linux-gpio/2f4706a1-502f-75f0-9596-cc25b4933b6c@redhat.com/
+Link: https://lore.kernel.org/r/20201105231912.69527-3-coiby.xu@gmail.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/pinctrl-amd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinctrl-amd.c
++++ b/drivers/pinctrl/pinctrl-amd.c
+@@ -153,7 +153,7 @@ static int amd_gpio_set_debounce(struct
+ pin_reg |= BIT(DB_TMR_OUT_UNIT_OFF);
+ pin_reg &= ~BIT(DB_TMR_LARGE_OFF);
+ } else if (debounce < 250000) {
+- time = debounce / 15600;
++ time = debounce / 15625;
+ pin_reg |= time & DB_TMR_OUT_MASK;
+ pin_reg &= ~BIT(DB_TMR_OUT_UNIT_OFF);
+ pin_reg |= BIT(DB_TMR_LARGE_OFF);
--- /dev/null
+From foo@baz Mon Nov 16 07:54:22 PM CET 2020
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Thu, 5 Nov 2020 15:28:42 +0100
+Subject: r8169: fix potential skb double free in an error path
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit cc6528bc9a0c901c83b8220a2e2617f3354d6dd9 ]
+
+The caller of rtl8169_tso_csum_v2() frees the skb if false is returned.
+eth_skb_pad() internally frees the skb on error what would result in a
+double free. Therefore use __skb_put_padto() directly and instruct it
+to not free the skb on error.
+
+Fixes: b423e9ae49d7 ("r8169: fix offloaded tx checksum for small packets.")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Link: https://lore.kernel.org/r/f7e68191-acff-9ded-4263-c016428a8762@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/realtek/r8169_main.c
++++ b/drivers/net/ethernet/realtek/r8169_main.c
+@@ -5846,7 +5846,8 @@ static bool rtl8169_tso_csum_v2(struct r
+ opts[1] |= transport_offset << TCPHO_SHIFT;
+ } else {
+ if (unlikely(rtl_test_hw_pad_bug(tp, skb)))
+- return !eth_skb_pad(skb);
++ /* eth_skb_pad would free the skb on error */
++ return !__skb_put_padto(skb, ETH_ZLEN, false);
+ }
+
+ return true;
mmc-renesas_sdhi_core-add-missing-tmio_mmc_host_free-at-remove.patch
don-t-dump-the-threads-that-had-been-already-exiting-when-zapped.patch
drm-gma500-fix-out-of-bounds-access-to-struct-drm_device.vblank.patch
+pinctrl-amd-use-higher-precision-for-512-rtcclk.patch
+pinctrl-amd-fix-incorrect-way-to-disable-debounce-filter.patch
+swiotlb-fix-x86-don-t-panic-if-can-not-alloc-buffer-for-swiotlb.patch
+ipv6-set-sit-tunnel-hard_header_len-to-zero.patch
+net-af_iucv-fix-null-pointer-dereference-on-shutdown.patch
+net-udp-fix-udp-header-access-on-fast-frag0-udp-gro.patch
+net-update-window_clamp-if-sock_rcvbuf-is-set.patch
+net-x25-fix-null-ptr-deref-in-x25_connect.patch
+tipc-fix-memory-leak-in-tipc_topsrv_start.patch
+r8169-fix-potential-skb-double-free-in-an-error-path.patch
--- /dev/null
+From e9696d259d0fb5d239e8c28ca41089838ea76d13 Mon Sep 17 00:00:00 2001
+From: Stefano Stabellini <stefano.stabellini@xilinx.com>
+Date: Mon, 26 Oct 2020 17:02:14 -0700
+Subject: swiotlb: fix "x86: Don't panic if can not alloc buffer for swiotlb"
+
+From: Stefano Stabellini <stefano.stabellini@xilinx.com>
+
+commit e9696d259d0fb5d239e8c28ca41089838ea76d13 upstream.
+
+kernel/dma/swiotlb.c:swiotlb_init gets called first and tries to
+allocate a buffer for the swiotlb. It does so by calling
+
+ memblock_alloc_low(PAGE_ALIGN(bytes), PAGE_SIZE);
+
+If the allocation must fail, no_iotlb_memory is set.
+
+Later during initialization swiotlb-xen comes in
+(drivers/xen/swiotlb-xen.c:xen_swiotlb_init) and given that io_tlb_start
+is != 0, it thinks the memory is ready to use when actually it is not.
+
+When the swiotlb is actually needed, swiotlb_tbl_map_single gets called
+and since no_iotlb_memory is set the kernel panics.
+
+Instead, if swiotlb-xen.c:xen_swiotlb_init knew the swiotlb hadn't been
+initialized, it would do the initialization itself, which might still
+succeed.
+
+Fix the panic by setting io_tlb_start to 0 on swiotlb initialization
+failure, and also by setting no_iotlb_memory to false on swiotlb
+initialization success.
+
+Fixes: ac2cbab21f31 ("x86: Don't panic if can not alloc buffer for swiotlb")
+
+Reported-by: Elliott Mitchell <ehem+xen@m5p.com>
+Tested-by: Elliott Mitchell <ehem+xen@m5p.com>
+Signed-off-by: Stefano Stabellini <stefano.stabellini@xilinx.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/dma/swiotlb.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/dma/swiotlb.c
++++ b/kernel/dma/swiotlb.c
+@@ -230,6 +230,7 @@ int __init swiotlb_init_with_tbl(char *t
+ io_tlb_orig_addr[i] = INVALID_PHYS_ADDR;
+ }
+ io_tlb_index = 0;
++ no_iotlb_memory = false;
+
+ if (verbose)
+ swiotlb_print_info();
+@@ -261,9 +262,11 @@ swiotlb_init(int verbose)
+ if (vstart && !swiotlb_init_with_tbl(vstart, io_tlb_nslabs, verbose))
+ return;
+
+- if (io_tlb_start)
++ if (io_tlb_start) {
+ memblock_free_early(io_tlb_start,
+ PAGE_ALIGN(io_tlb_nslabs << IO_TLB_SHIFT));
++ io_tlb_start = 0;
++ }
+ pr_warn("Cannot allocate buffer");
+ no_iotlb_memory = true;
+ }
+@@ -361,6 +364,7 @@ swiotlb_late_init_with_tbl(char *tlb, un
+ io_tlb_orig_addr[i] = INVALID_PHYS_ADDR;
+ }
+ io_tlb_index = 0;
++ no_iotlb_memory = false;
+
+ swiotlb_print_info();
+
--- /dev/null
+From foo@baz Mon Nov 16 07:54:22 PM CET 2020
+From: Wang Hai <wanghai38@huawei.com>
+Date: Mon, 9 Nov 2020 22:09:13 +0800
+Subject: tipc: fix memory leak in tipc_topsrv_start()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit fa6882c63621821f73cc806f291208e1c6ea6187 ]
+
+kmemleak report a memory leak as follows:
+
+unreferenced object 0xffff88810a596800 (size 512):
+ comm "ip", pid 21558, jiffies 4297568990 (age 112.120s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
+ ff ff ff ff ff ff ff ff 00 83 60 b0 ff ff ff ff ..........`.....
+ backtrace:
+ [<0000000022bbe21f>] tipc_topsrv_init_net+0x1f3/0xa70
+ [<00000000fe15ddf7>] ops_init+0xa8/0x3c0
+ [<00000000138af6f2>] setup_net+0x2de/0x7e0
+ [<000000008c6807a3>] copy_net_ns+0x27d/0x530
+ [<000000006b21adbd>] create_new_namespaces+0x382/0xa30
+ [<00000000bb169746>] unshare_nsproxy_namespaces+0xa1/0x1d0
+ [<00000000fe2e42bc>] ksys_unshare+0x39c/0x780
+ [<0000000009ba3b19>] __x64_sys_unshare+0x2d/0x40
+ [<00000000614ad866>] do_syscall_64+0x56/0xa0
+ [<00000000a1b5ca3c>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+'srv' is malloced in tipc_topsrv_start() but not free before
+leaving from the error handling cases. We need to free it.
+
+Fixes: 5c45ab24ac77 ("tipc: make struct tipc_server private for server.c")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Link: https://lore.kernel.org/r/20201109140913.47370-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/topsrv.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/topsrv.c
++++ b/net/tipc/topsrv.c
+@@ -664,12 +664,18 @@ static int tipc_topsrv_start(struct net
+
+ ret = tipc_topsrv_work_start(srv);
+ if (ret < 0)
+- return ret;
++ goto err_start;
+
+ ret = tipc_topsrv_create_listener(srv);
+ if (ret < 0)
+- tipc_topsrv_work_stop(srv);
++ goto err_create;
+
++ return 0;
++
++err_create:
++ tipc_topsrv_work_stop(srv);
++err_start:
++ kfree(srv);
+ return ret;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
