--- /dev/null
+From a826b04303a40d52439aa141035fca5654ccaccd Mon Sep 17 00:00:00 2001
+From: Matteo Croce <mcroce@microsoft.com>
+Date: Fri, 15 Jan 2021 19:42:08 +0100
+Subject: ipv6: create multicast route with RTPROT_KERNEL
+
+From: Matteo Croce <mcroce@microsoft.com>
+
+commit a826b04303a40d52439aa141035fca5654ccaccd upstream.
+
+The ff00::/8 multicast route is created without specifying the fc_protocol
+field, so the default RTPROT_BOOT value is used:
+
+ $ ip -6 -d route
+ unicast ::1 dev lo proto kernel scope global metric 256 pref medium
+ unicast fe80::/64 dev eth0 proto kernel scope global metric 256 pref medium
+ unicast ff00::/8 dev eth0 proto boot scope global metric 256 pref medium
+
+As the documentation says, this value identifies routes installed during
+boot, but the route is created when interface is set up.
+Change the value to RTPROT_KERNEL which is a better value.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Matteo Croce <mcroce@microsoft.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/addrconf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2454,6 +2454,7 @@ static void addrconf_add_mroute(struct n
+ .fc_flags = RTF_UP,
+ .fc_type = RTN_UNICAST,
+ .fc_nlinfo.nl_net = dev_net(dev),
++ .fc_protocol = RTPROT_KERNEL,
+ };
+
+ ipv6_addr_set(&cfg.fc_dst, htonl(0xFF000000), 0, 0, 0);
--- /dev/null
+From ceed9038b2783d14e0422bdc6fd04f70580efb4c Mon Sep 17 00:00:00 2001
+From: Matteo Croce <mcroce@microsoft.com>
+Date: Fri, 15 Jan 2021 19:42:09 +0100
+Subject: ipv6: set multicast flag on the multicast route
+
+From: Matteo Croce <mcroce@microsoft.com>
+
+commit ceed9038b2783d14e0422bdc6fd04f70580efb4c upstream.
+
+The multicast route ff00::/8 is created with type RTN_UNICAST:
+
+ $ ip -6 -d route
+ unicast ::1 dev lo proto kernel scope global metric 256 pref medium
+ unicast fe80::/64 dev eth0 proto kernel scope global metric 256 pref medium
+ unicast ff00::/8 dev eth0 proto kernel scope global metric 256 pref medium
+
+Set the type to RTN_MULTICAST which is more appropriate.
+
+Fixes: e8478e80e5a7 ("net/ipv6: Save route type in rt6_info")
+Signed-off-by: Matteo Croce <mcroce@microsoft.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/addrconf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2452,7 +2452,7 @@ static void addrconf_add_mroute(struct n
+ .fc_ifindex = dev->ifindex,
+ .fc_dst_len = 8,
+ .fc_flags = RTF_UP,
+- .fc_type = RTN_UNICAST,
++ .fc_type = RTN_MULTICAST,
+ .fc_nlinfo.nl_net = dev_net(dev),
+ .fc_protocol = RTPROT_KERNEL,
+ };
--- /dev/null
+From 5dabd1712cd056814f9ab15f1d68157ceb04e741 Mon Sep 17 00:00:00 2001
+From: Lecopzer Chen <lecopzer@gmail.com>
+Date: Sat, 23 Jan 2021 21:01:29 -0800
+Subject: kasan: fix incorrect arguments passing in kasan_add_zero_shadow
+
+From: Lecopzer Chen <lecopzer@gmail.com>
+
+commit 5dabd1712cd056814f9ab15f1d68157ceb04e741 upstream.
+
+kasan_remove_zero_shadow() shall use original virtual address, start and
+size, instead of shadow address.
+
+Link: https://lkml.kernel.org/r/20210103063847.5963-1-lecopzer@gmail.com
+Fixes: 0207df4fa1a86 ("kernel/memremap, kasan: make ZONE_DEVICE with work with KASAN")
+Signed-off-by: Lecopzer Chen <lecopzer.chen@mediatek.com>
+Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Alexander Potapenko <glider@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/kasan/init.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/mm/kasan/init.c
++++ b/mm/kasan/init.c
+@@ -503,7 +503,6 @@ int kasan_add_zero_shadow(void *start, u
+
+ ret = kasan_populate_early_shadow(shadow_start, shadow_end);
+ if (ret)
+- kasan_remove_zero_shadow(shadow_start,
+- size >> KASAN_SHADOW_SCALE_SHIFT);
++ kasan_remove_zero_shadow(start, size);
+ return ret;
+ }
--- /dev/null
+From a11a496ee6e2ab6ed850233c96b94caf042af0b9 Mon Sep 17 00:00:00 2001
+From: Lecopzer Chen <lecopzer@gmail.com>
+Date: Sat, 23 Jan 2021 21:01:25 -0800
+Subject: kasan: fix unaligned address is unhandled in kasan_remove_zero_shadow
+
+From: Lecopzer Chen <lecopzer@gmail.com>
+
+commit a11a496ee6e2ab6ed850233c96b94caf042af0b9 upstream.
+
+During testing kasan_populate_early_shadow and kasan_remove_zero_shadow,
+if the shadow start and end address in kasan_remove_zero_shadow() is not
+aligned to PMD_SIZE, the remain unaligned PTE won't be removed.
+
+In the test case for kasan_remove_zero_shadow():
+
+ shadow_start: 0xffffffb802000000, shadow end: 0xffffffbfbe000000
+
+ 3-level page table:
+ PUD_SIZE: 0x40000000 PMD_SIZE: 0x200000 PAGE_SIZE: 4K
+
+0xffffffbf80000000 ~ 0xffffffbfbdf80000 will not be removed because in
+kasan_remove_pud_table(), kasan_pmd_table(*pud) is true but the next
+address is 0xffffffbfbdf80000 which is not aligned to PUD_SIZE.
+
+In the correct condition, this should fallback to the next level
+kasan_remove_pmd_table() but the condition flow always continue to skip
+the unaligned part.
+
+Fix by correcting the condition when next and addr are neither aligned.
+
+Link: https://lkml.kernel.org/r/20210103135621.83129-1-lecopzer@gmail.com
+Fixes: 0207df4fa1a86 ("kernel/memremap, kasan: make ZONE_DEVICE with work with KASAN")
+Signed-off-by: Lecopzer Chen <lecopzer.chen@mediatek.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: YJ Chiang <yj.chiang@mediatek.com>
+Cc: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/kasan/init.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/mm/kasan/init.c
++++ b/mm/kasan/init.c
+@@ -388,9 +388,10 @@ static void kasan_remove_pmd_table(pmd_t
+
+ if (kasan_pte_table(*pmd)) {
+ if (IS_ALIGNED(addr, PMD_SIZE) &&
+- IS_ALIGNED(next, PMD_SIZE))
++ IS_ALIGNED(next, PMD_SIZE)) {
+ pmd_clear(pmd);
+- continue;
++ continue;
++ }
+ }
+ pte = pte_offset_kernel(pmd, addr);
+ kasan_remove_pte_table(pte, addr, next);
+@@ -413,9 +414,10 @@ static void kasan_remove_pud_table(pud_t
+
+ if (kasan_pmd_table(*pud)) {
+ if (IS_ALIGNED(addr, PUD_SIZE) &&
+- IS_ALIGNED(next, PUD_SIZE))
++ IS_ALIGNED(next, PUD_SIZE)) {
+ pud_clear(pud);
+- continue;
++ continue;
++ }
+ }
+ pmd = pmd_offset(pud, addr);
+ pmd_base = pmd_offset(pud, 0);
+@@ -439,9 +441,10 @@ static void kasan_remove_p4d_table(p4d_t
+
+ if (kasan_pud_table(*p4d)) {
+ if (IS_ALIGNED(addr, P4D_SIZE) &&
+- IS_ALIGNED(next, P4D_SIZE))
++ IS_ALIGNED(next, P4D_SIZE)) {
+ p4d_clear(p4d);
+- continue;
++ continue;
++ }
+ }
+ pud = pud_offset(p4d, addr);
+ kasan_remove_pud_table(pud, addr, next);
+@@ -473,9 +476,10 @@ void kasan_remove_zero_shadow(void *star
+
+ if (kasan_p4d_table(*pgd)) {
+ if (IS_ALIGNED(addr, PGDIR_SIZE) &&
+- IS_ALIGNED(next, PGDIR_SIZE))
++ IS_ALIGNED(next, PGDIR_SIZE)) {
+ pgd_clear(pgd);
+- continue;
++ continue;
++ }
+ }
+
+ p4d = p4d_offset(pgd, addr);
--- /dev/null
+From 97784481757fba7570121a70dd37ca74a29f50a8 Mon Sep 17 00:00:00 2001
+From: Pan Bian <bianpan2016@163.com>
+Date: Wed, 20 Jan 2021 23:22:02 -0800
+Subject: lightnvm: fix memory leak when submit fails
+
+From: Pan Bian <bianpan2016@163.com>
+
+commit 97784481757fba7570121a70dd37ca74a29f50a8 upstream.
+
+The allocated page is not released if error occurs in
+nvm_submit_io_sync_raw(). __free_page() is moved ealier to avoid
+possible memory leak issue.
+
+Fixes: aff3fb18f957 ("lightnvm: move bad block and chunk state logic to core")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/lightnvm/core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/lightnvm/core.c
++++ b/drivers/lightnvm/core.c
+@@ -849,11 +849,10 @@ static int nvm_bb_chunk_sense(struct nvm
+ rqd.ppa_addr = generic_to_dev_addr(dev, ppa);
+
+ ret = nvm_submit_io_sync_raw(dev, &rqd);
++ __free_page(page);
+ if (ret)
+ return ret;
+
+- __free_page(page);
+-
+ return rqd.error;
+ }
+
--- /dev/null
+From a3eb4e9d4c9218476d05c52dfd2be3d6fdce6b91 Mon Sep 17 00:00:00 2001
+From: Tariq Toukan <tariqt@nvidia.com>
+Date: Sun, 17 Jan 2021 17:15:38 +0200
+Subject: net: Disable NETIF_F_HW_TLS_RX when RXCSUM is disabled
+
+From: Tariq Toukan <tariqt@nvidia.com>
+
+commit a3eb4e9d4c9218476d05c52dfd2be3d6fdce6b91 upstream.
+
+With NETIF_F_HW_TLS_RX packets are decrypted in HW. This cannot be
+logically done when RXCSUM offload is off.
+
+Fixes: 14136564c8ee ("net: Add TLS RX offload feature")
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Boris Pismenny <borisp@nvidia.com>
+Link: https://lore.kernel.org/r/20210117151538.9411-1-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/dev.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -8692,6 +8692,11 @@ static netdev_features_t netdev_fix_feat
+ }
+ }
+
++ if ((features & NETIF_F_HW_TLS_RX) && !(features & NETIF_F_RXCSUM)) {
++ netdev_dbg(dev, "Dropping TLS RX HW offload feature since no RXCSUM feature.\n");
++ features &= ~NETIF_F_HW_TLS_RX;
++ }
++
+ return features;
+ }
+
--- /dev/null
+From 8e4052c32d6b4b39c1e13c652c7e33748d447409 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 19 Jan 2021 17:48:03 +0300
+Subject: net: dsa: b53: fix an off by one in checking "vlan->vid"
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 8e4052c32d6b4b39c1e13c652c7e33748d447409 upstream.
+
+The > comparison should be >= to prevent accessing one element beyond
+the end of the dev->vlans[] array in the caller function, b53_vlan_add().
+The "dev->vlans" array is allocated in the b53_switch_init() function
+and it has "dev->num_vlans" elements.
+
+Fixes: a2482d2ce349 ("net: dsa: b53: Plug in VLAN support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/YAbxI97Dl/pmBy5V@mwanda
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/dsa/b53/b53_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1330,7 +1330,7 @@ int b53_vlan_prepare(struct dsa_switch *
+ if ((is5325(dev) || is5365(dev)) && vlan->vid_begin == 0)
+ return -EOPNOTSUPP;
+
+- if (vlan->vid_end > dev->num_vlans)
++ if (vlan->vid_end >= dev->num_vlans)
+ return -ERANGE;
+
+ b53_enable_vlan(dev, true, ds->vlan_filtering);
--- /dev/null
+From 87fe04367d842c4d97a77303242d4dd4ac351e46 Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Date: Sat, 16 Jan 2021 03:39:35 +0100
+Subject: net: dsa: mv88e6xxx: also read STU state in mv88e6250_g1_vtu_getnext
+
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+
+commit 87fe04367d842c4d97a77303242d4dd4ac351e46 upstream.
+
+mv88e6xxx_port_vlan_join checks whether the VTU already contains an
+entry for the given vid (via mv88e6xxx_vtu_getnext), and if so, merely
+changes the relevant .member[] element and loads the updated entry
+into the VTU.
+
+However, at least for the mv88e6250, the on-stack struct
+mv88e6xxx_vtu_entry vlan never has its .state[] array explicitly
+initialized, neither in mv88e6xxx_port_vlan_join() nor inside the
+getnext implementation. So the new entry has random garbage for the
+STU bits, breaking VLAN filtering.
+
+When the VTU entry is initially created, those bits are all zero, and
+we should make sure to keep them that way when the entry is updated.
+
+Fixes: 92307069a96c (net: dsa: mv88e6xxx: Avoid VTU corruption on 6097)
+Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Tobias Waldekranz <tobias@waldekranz.com>
+Tested-by: Tobias Waldekranz <tobias@waldekranz.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/dsa/mv88e6xxx/global1_vtu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/global1_vtu.c
++++ b/drivers/net/dsa/mv88e6xxx/global1_vtu.c
+@@ -351,6 +351,10 @@ int mv88e6250_g1_vtu_getnext(struct mv88
+ if (err)
+ return err;
+
++ err = mv88e6185_g1_stu_data_read(chip, entry);
++ if (err)
++ return err;
++
+ /* VTU DBNum[3:0] are located in VTU Operation 3:0
+ * VTU DBNum[5:4] are located in VTU Operation 9:8
+ */
--- /dev/null
+From 79267ae22615496655feee2db0848f6786bcf67a Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Mon, 18 Jan 2021 15:52:10 +0200
+Subject: net: mscc: ocelot: allow offloading of bridge on top of LAG
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+commit 79267ae22615496655feee2db0848f6786bcf67a upstream.
+
+The blamed commit was too aggressive, and it made ocelot_netdevice_event
+react only to network interface events emitted for the ocelot switch
+ports.
+
+In fact, only the PRECHANGEUPPER should have had that check.
+
+When we ignore all events that are not for us, we miss the fact that the
+upper of the LAG changes, and the bonding interface gets enslaved to a
+bridge. This is an operation we could offload under certain conditions.
+
+Fixes: 7afb3e575e5a ("net: mscc: ocelot: don't handle netdev events for other netdevs")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20210118135210.2666246-1-olteanv@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/mscc/ocelot.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -1716,10 +1716,8 @@ static int ocelot_netdevice_event(struct
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+ int ret = 0;
+
+- if (!ocelot_netdevice_dev_check(dev))
+- return 0;
+-
+ if (event == NETDEV_PRECHANGEUPPER &&
++ ocelot_netdevice_dev_check(dev) &&
+ netif_is_lag_master(info->upper_dev)) {
+ struct netdev_lag_upper_info *lag_upper_info = info->upper_info;
+ struct netlink_ext_ack *extack;
--- /dev/null
+From bcd0cf19ef8258ac31b9a20248b05c15a1f4b4b0 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 14 Jan 2021 10:52:29 -0800
+Subject: net_sched: avoid shift-out-of-bounds in tcindex_set_parms()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit bcd0cf19ef8258ac31b9a20248b05c15a1f4b4b0 upstream.
+
+tc_index being 16bit wide, we need to check that TCA_TCINDEX_SHIFT
+attribute is not silly.
+
+UBSAN: shift-out-of-bounds in net/sched/cls_tcindex.c:260:29
+shift exponent 255 is too large for 32-bit type 'int'
+CPU: 0 PID: 8516 Comm: syz-executor228 Not tainted 5.10.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x107/0x163 lib/dump_stack.c:120
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
+ __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
+ valid_perfect_hash net/sched/cls_tcindex.c:260 [inline]
+ tcindex_set_parms.cold+0x1b/0x215 net/sched/cls_tcindex.c:425
+ tcindex_change+0x232/0x340 net/sched/cls_tcindex.c:546
+ tc_new_tfilter+0x13fb/0x21b0 net/sched/cls_api.c:2127
+ rtnetlink_rcv_msg+0x8b6/0xb80 net/core/rtnetlink.c:5555
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
+ netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
+ netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2336
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2390
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2423
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://lore.kernel.org/r/20210114185229.1742255-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sched/cls_tcindex.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/sched/cls_tcindex.c
++++ b/net/sched/cls_tcindex.c
+@@ -366,9 +366,13 @@ tcindex_set_parms(struct net *net, struc
+ if (tb[TCA_TCINDEX_MASK])
+ cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]);
+
+- if (tb[TCA_TCINDEX_SHIFT])
++ if (tb[TCA_TCINDEX_SHIFT]) {
+ cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]);
+-
++ if (cp->shift > 16) {
++ err = -EINVAL;
++ goto errout;
++ }
++ }
+ if (!cp->hash) {
+ /* Hash not specified, use perfect hash if the upper limit
+ * of the hashing index is below the threshold.
--- /dev/null
+From e4bedf48aaa5552bc1f49703abd17606e7e6e82a Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 14 Jan 2021 08:06:37 -0800
+Subject: net_sched: reject silly cell_log in qdisc_get_rtab()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit e4bedf48aaa5552bc1f49703abd17606e7e6e82a upstream.
+
+iproute2 probably never goes beyond 8 for the cell exponent,
+but stick to the max shift exponent for signed 32bit.
+
+UBSAN reported:
+UBSAN: shift-out-of-bounds in net/sched/sch_api.c:389:22
+shift exponent 130 is too large for 32-bit type 'int'
+CPU: 1 PID: 8450 Comm: syz-executor586 Not tainted 5.11.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x183/0x22e lib/dump_stack.c:120
+ ubsan_epilogue lib/ubsan.c:148 [inline]
+ __ubsan_handle_shift_out_of_bounds+0x432/0x4d0 lib/ubsan.c:395
+ __detect_linklayer+0x2a9/0x330 net/sched/sch_api.c:389
+ qdisc_get_rtab+0x2b5/0x410 net/sched/sch_api.c:435
+ cbq_init+0x28f/0x12c0 net/sched/sch_cbq.c:1180
+ qdisc_create+0x801/0x1470 net/sched/sch_api.c:1246
+ tc_modify_qdisc+0x9e3/0x1fc0 net/sched/sch_api.c:1662
+ rtnetlink_rcv_msg+0xb1d/0xe60 net/core/rtnetlink.c:5564
+ netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2494
+ netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
+ netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1330
+ netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg net/socket.c:672 [inline]
+ ____sys_sendmsg+0x5a2/0x900 net/socket.c:2345
+ ___sys_sendmsg net/socket.c:2399 [inline]
+ __sys_sendmsg+0x319/0x400 net/socket.c:2432
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Cong Wang <cong.wang@bytedance.com>
+Link: https://lore.kernel.org/r/20210114160637.1660597-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sched/sch_api.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -409,7 +409,8 @@ struct qdisc_rate_table *qdisc_get_rtab(
+ {
+ struct qdisc_rate_table *rtab;
+
+- if (tab == NULL || r->rate == 0 || r->cell_log == 0 ||
++ if (tab == NULL || r->rate == 0 ||
++ r->cell_log == 0 || r->cell_log >= 32 ||
+ nla_len(tab) != TC_RTAB_SIZE) {
+ NL_SET_ERR_MSG(extack, "Invalid rate table parameters for searching");
+ return NULL;
--- /dev/null
+From 2e5a6266fbb11ae93c468dfecab169aca9c27b43 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <gnault@redhat.com>
+Date: Sat, 16 Jan 2021 11:44:26 +0100
+Subject: netfilter: rpfilter: mask ecn bits before fib lookup
+
+From: Guillaume Nault <gnault@redhat.com>
+
+commit 2e5a6266fbb11ae93c468dfecab169aca9c27b43 upstream.
+
+RT_TOS() only masks one of the two ECN bits. Therefore rpfilter_mt()
+treats Not-ECT or ECT(1) packets in a different way than those with
+ECT(0) or CE.
+
+Reproducer:
+
+ Create two netns, connected with a veth:
+ $ ip netns add ns0
+ $ ip netns add ns1
+ $ ip link add name veth01 netns ns0 type veth peer name veth10 netns ns1
+ $ ip -netns ns0 link set dev veth01 up
+ $ ip -netns ns1 link set dev veth10 up
+ $ ip -netns ns0 address add 192.0.2.10/32 dev veth01
+ $ ip -netns ns1 address add 192.0.2.11/32 dev veth10
+
+ Add a route to ns1 in ns0:
+ $ ip -netns ns0 route add 192.0.2.11/32 dev veth01
+
+ In ns1, only packets with TOS 4 can be routed to ns0:
+ $ ip -netns ns1 route add 192.0.2.10/32 tos 4 dev veth10
+
+ Ping from ns0 to ns1 works regardless of the ECN bits, as long as TOS
+ is 4:
+ $ ip netns exec ns0 ping -Q 4 192.0.2.11 # TOS 4, Not-ECT
+ ... 0% packet loss ...
+ $ ip netns exec ns0 ping -Q 5 192.0.2.11 # TOS 4, ECT(1)
+ ... 0% packet loss ...
+ $ ip netns exec ns0 ping -Q 6 192.0.2.11 # TOS 4, ECT(0)
+ ... 0% packet loss ...
+ $ ip netns exec ns0 ping -Q 7 192.0.2.11 # TOS 4, CE
+ ... 0% packet loss ...
+
+ Now use iptable's rpfilter module in ns1:
+ $ ip netns exec ns1 iptables-legacy -t raw -A PREROUTING -m rpfilter --invert -j DROP
+
+ Not-ECT and ECT(1) packets still pass:
+ $ ip netns exec ns0 ping -Q 4 192.0.2.11 # TOS 4, Not-ECT
+ ... 0% packet loss ...
+ $ ip netns exec ns0 ping -Q 5 192.0.2.11 # TOS 4, ECT(1)
+ ... 0% packet loss ...
+
+ But ECT(0) and ECN packets are dropped:
+ $ ip netns exec ns0 ping -Q 6 192.0.2.11 # TOS 4, ECT(0)
+ ... 100% packet loss ...
+ $ ip netns exec ns0 ping -Q 7 192.0.2.11 # TOS 4, CE
+ ... 100% packet loss ...
+
+After this patch, rpfilter doesn't drop ECT(0) and CE packets anymore.
+
+Fixes: 8f97339d3feb ("netfilter: add ipv4 reverse path filter match")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/ipt_rpfilter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/netfilter/ipt_rpfilter.c
++++ b/net/ipv4/netfilter/ipt_rpfilter.c
+@@ -76,7 +76,7 @@ static bool rpfilter_mt(const struct sk_
+ flow.daddr = iph->saddr;
+ flow.saddr = rpfilter_get_saddr(iph->daddr);
+ flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0;
+- flow.flowi4_tos = RT_TOS(iph->tos);
++ flow.flowi4_tos = iph->tos & IPTOS_RT_MASK;
+ flow.flowi4_scope = RT_SCOPE_UNIVERSE;
+ flow.flowi4_oif = l3mdev_master_ifindex_rcu(xt_in(par));
+
xhci-tegra-delay-for-disabling-lfps-detector.patch
driver-core-extend-device_is_dependent.patch
pinctrl-ingenic-fix-jz4760-support.patch
+x86-cpu-amd-set-__max_die_per_package-on-amd.patch
+netfilter-rpfilter-mask-ecn-bits-before-fib-lookup.patch
+sh-dma-fix-kconfig-dependency-for-g2_dma.patch
+net-dsa-mv88e6xxx-also-read-stu-state-in-mv88e6250_g1_vtu_getnext.patch
+sh_eth-fix-power-down-vs.-is_opened-flag-ordering.patch
+lightnvm-fix-memory-leak-when-submit-fails.patch
+skbuff-back-tiny-skbs-with-kmalloc-in-__netdev_alloc_skb-too.patch
+kasan-fix-unaligned-address-is-unhandled-in-kasan_remove_zero_shadow.patch
+kasan-fix-incorrect-arguments-passing-in-kasan_add_zero_shadow.patch
+udp-mask-tos-bits-in-udp_v4_early_demux.patch
+ipv6-create-multicast-route-with-rtprot_kernel.patch
+net_sched-avoid-shift-out-of-bounds-in-tcindex_set_parms.patch
+net_sched-reject-silly-cell_log-in-qdisc_get_rtab.patch
+ipv6-set-multicast-flag-on-the-multicast-route.patch
+net-mscc-ocelot-allow-offloading-of-bridge-on-top-of-lag.patch
+net-disable-netif_f_hw_tls_rx-when-rxcsum-is-disabled.patch
+net-dsa-b53-fix-an-off-by-one-in-checking-vlan-vid.patch
+tcp-do-not-mess-with-cloned-skbs-in-tcp_add_backlog.patch
+tcp-fix-tcp_user_timeout-with-zero-window.patch
--- /dev/null
+From f477a538c14d07f8c45e554c8c5208d588514e98 Mon Sep 17 00:00:00 2001
+From: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+Date: Thu, 17 Sep 2020 18:45:48 +0300
+Subject: sh: dma: fix kconfig dependency for G2_DMA
+
+From: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+
+commit f477a538c14d07f8c45e554c8c5208d588514e98 upstream.
+
+When G2_DMA is enabled and SH_DMA is disabled, it results in the following
+Kbuild warning:
+
+WARNING: unmet direct dependencies detected for SH_DMA_API
+ Depends on [n]: SH_DMA [=n]
+ Selected by [y]:
+ - G2_DMA [=y] && SH_DREAMCAST [=y]
+
+The reason is that G2_DMA selects SH_DMA_API without depending on or
+selecting SH_DMA while SH_DMA_API depends on SH_DMA.
+
+When G2_DMA was first introduced with commit 40f49e7ed77f
+("sh: dma: Make G2 DMA configurable."), this wasn't an issue since
+SH_DMA_API didn't have such dependency, and this way was the only way to
+enable it since SH_DMA_API was non-visible. However, later SH_DMA_API was
+made visible and dependent on SH_DMA with commit d8902adcc1a9
+("dmaengine: sh: Add Support SuperH DMA Engine driver").
+
+Let G2_DMA depend on SH_DMA_API instead to avoid Kbuild issues.
+
+Fixes: d8902adcc1a9 ("dmaengine: sh: Add Support SuperH DMA Engine driver")
+Signed-off-by: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+Signed-off-by: Rich Felker <dalias@libc.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/sh/drivers/dma/Kconfig | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/sh/drivers/dma/Kconfig
++++ b/arch/sh/drivers/dma/Kconfig
+@@ -63,8 +63,7 @@ config PVR2_DMA
+
+ config G2_DMA
+ tristate "G2 Bus DMA support"
+- depends on SH_DREAMCAST
+- select SH_DMA_API
++ depends on SH_DREAMCAST && SH_DMA_API
+ help
+ This enables support for the DMA controller for the Dreamcast's
+ G2 bus. Drivers that want this will generally enable this on
--- /dev/null
+From f6a2e94b3f9d89cb40771ff746b16b5687650cbb Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 18 Jan 2021 16:08:12 +0100
+Subject: sh_eth: Fix power down vs. is_opened flag ordering
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit f6a2e94b3f9d89cb40771ff746b16b5687650cbb upstream.
+
+sh_eth_close() does a synchronous power down of the device before
+marking it closed. Revert the order, to make sure the device is never
+marked opened while suspended.
+
+While at it, use pm_runtime_put() instead of pm_runtime_put_sync(), as
+there is no reason to do a synchronous power down.
+
+Fixes: 7fa2955ff70ce453 ("sh_eth: Fix sleeping function called from invalid context")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Sergei Shtylyov <sergei.shtylyov@gmail.com>
+Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Link: https://lore.kernel.org/r/20210118150812.796791-1-geert+renesas@glider.be
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -2640,10 +2640,10 @@ static int sh_eth_close(struct net_devic
+ /* Free all the skbuffs in the Rx queue and the DMA buffer. */
+ sh_eth_ring_free(ndev);
+
+- pm_runtime_put_sync(&mdp->pdev->dev);
+-
+ mdp->is_opened = 0;
+
++ pm_runtime_put(&mdp->pdev->dev);
++
+ return 0;
+ }
+
--- /dev/null
+From 66c556025d687dbdd0f748c5e1df89c977b6c02a Mon Sep 17 00:00:00 2001
+From: Alexander Lobakin <alobakin@pm.me>
+Date: Fri, 15 Jan 2021 15:04:40 +0000
+Subject: skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too
+
+From: Alexander Lobakin <alobakin@pm.me>
+
+commit 66c556025d687dbdd0f748c5e1df89c977b6c02a upstream.
+
+Commit 3226b158e67c ("net: avoid 32 x truesize under-estimation for
+tiny skbs") ensured that skbs with data size lower than 1025 bytes
+will be kmalloc'ed to avoid excessive page cache fragmentation and
+memory consumption.
+However, the fix adressed only __napi_alloc_skb() (primarily for
+virtio_net and napi_get_frags()), but the issue can still be achieved
+through __netdev_alloc_skb(), which is still used by several drivers.
+Drivers often allocate a tiny skb for headers and place the rest of
+the frame to frags (so-called copybreak).
+Mirror the condition to __netdev_alloc_skb() to handle this case too.
+
+Since v1 [0]:
+ - fix "Fixes:" tag;
+ - refine commit message (mention copybreak usecase).
+
+[0] https://lore.kernel.org/netdev/20210114235423.232737-1-alobakin@pm.me
+
+Fixes: a1c7fff7e18f ("net: netdev_alloc_skb() use build_skb()")
+Signed-off-by: Alexander Lobakin <alobakin@pm.me>
+Link: https://lore.kernel.org/r/20210115150354.85967-1-alobakin@pm.me
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/skbuff.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -431,7 +431,11 @@ struct sk_buff *__netdev_alloc_skb(struc
+
+ len += NET_SKB_PAD;
+
+- if ((len > SKB_WITH_OVERHEAD(PAGE_SIZE)) ||
++ /* If requested length is either too small or too big,
++ * we use kmalloc() for skb->head allocation.
++ */
++ if (len <= SKB_WITH_OVERHEAD(1024) ||
++ len > SKB_WITH_OVERHEAD(PAGE_SIZE) ||
+ (gfp_mask & (__GFP_DIRECT_RECLAIM | GFP_DMA))) {
+ skb = __alloc_skb(len, gfp_mask, SKB_ALLOC_RX, NUMA_NO_NODE);
+ if (!skb)
--- /dev/null
+From b160c28548bc0a87cbd16d5af6d3edcfd70b8c9a Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 19 Jan 2021 08:49:00 -0800
+Subject: tcp: do not mess with cloned skbs in tcp_add_backlog()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit b160c28548bc0a87cbd16d5af6d3edcfd70b8c9a upstream.
+
+Heiner Kallweit reported that some skbs were sent with
+the following invalid GSO properties :
+- gso_size > 0
+- gso_type == 0
+
+This was triggerring a WARN_ON_ONCE() in rtl8169_tso_csum_v2.
+
+Juerg Haefliger was able to reproduce a similar issue using
+a lan78xx NIC and a workload mixing TCP incoming traffic
+and forwarded packets.
+
+The problem is that tcp_add_backlog() is writing
+over gso_segs and gso_size even if the incoming packet will not
+be coalesced to the backlog tail packet.
+
+While skb_try_coalesce() would bail out if tail packet is cloned,
+this overwriting would lead to corruptions of other packets
+cooked by lan78xx, sharing a common super-packet.
+
+The strategy used by lan78xx is to use a big skb, and split
+it into all received packets using skb_clone() to avoid copies.
+The drawback of this strategy is that all the small skb share a common
+struct skb_shared_info.
+
+This patch rewrites TCP gso_size/gso_segs handling to only
+happen on the tail skb, since skb_try_coalesce() made sure
+it was not cloned.
+
+Fixes: 4f693b55c3d2 ("tcp: implement coalescing on backlog queue")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Bisected-by: Juerg Haefliger <juergh@canonical.com>
+Tested-by: Juerg Haefliger <juergh@canonical.com>
+Reported-by: Heiner Kallweit <hkallweit1@gmail.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=209423
+Link: https://lore.kernel.org/r/20210119164900.766957-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/tcp_ipv4.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1657,6 +1657,7 @@ int tcp_v4_early_demux(struct sk_buff *s
+ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb)
+ {
+ u32 limit = READ_ONCE(sk->sk_rcvbuf) + READ_ONCE(sk->sk_sndbuf);
++ u32 tail_gso_size, tail_gso_segs;
+ struct skb_shared_info *shinfo;
+ const struct tcphdr *th;
+ struct tcphdr *thtail;
+@@ -1664,6 +1665,7 @@ bool tcp_add_backlog(struct sock *sk, st
+ unsigned int hdrlen;
+ bool fragstolen;
+ u32 gso_segs;
++ u32 gso_size;
+ int delta;
+
+ /* In case all data was pulled from skb frags (in __pskb_pull_tail()),
+@@ -1689,13 +1691,6 @@ bool tcp_add_backlog(struct sock *sk, st
+ */
+ th = (const struct tcphdr *)skb->data;
+ hdrlen = th->doff * 4;
+- shinfo = skb_shinfo(skb);
+-
+- if (!shinfo->gso_size)
+- shinfo->gso_size = skb->len - hdrlen;
+-
+- if (!shinfo->gso_segs)
+- shinfo->gso_segs = 1;
+
+ tail = sk->sk_backlog.tail;
+ if (!tail)
+@@ -1718,6 +1713,15 @@ bool tcp_add_backlog(struct sock *sk, st
+ goto no_coalesce;
+
+ __skb_pull(skb, hdrlen);
++
++ shinfo = skb_shinfo(skb);
++ gso_size = shinfo->gso_size ?: skb->len;
++ gso_segs = shinfo->gso_segs ?: 1;
++
++ shinfo = skb_shinfo(tail);
++ tail_gso_size = shinfo->gso_size ?: (tail->len - hdrlen);
++ tail_gso_segs = shinfo->gso_segs ?: 1;
++
+ if (skb_try_coalesce(tail, skb, &fragstolen, &delta)) {
+ TCP_SKB_CB(tail)->end_seq = TCP_SKB_CB(skb)->end_seq;
+
+@@ -1744,11 +1748,8 @@ bool tcp_add_backlog(struct sock *sk, st
+ }
+
+ /* Not as strict as GRO. We only need to carry mss max value */
+- skb_shinfo(tail)->gso_size = max(shinfo->gso_size,
+- skb_shinfo(tail)->gso_size);
+-
+- gso_segs = skb_shinfo(tail)->gso_segs + shinfo->gso_segs;
+- skb_shinfo(tail)->gso_segs = min_t(u32, gso_segs, 0xFFFF);
++ shinfo->gso_size = max(gso_size, tail_gso_size);
++ shinfo->gso_segs = min_t(u32, gso_segs + tail_gso_segs, 0xFFFF);
+
+ sk->sk_backlog.len += delta;
+ __NET_INC_STATS(sock_net(sk),
--- /dev/null
+From 9d9b1ee0b2d1c9e02b2338c4a4b0a062d2d3edac Mon Sep 17 00:00:00 2001
+From: Enke Chen <enchen@paloaltonetworks.com>
+Date: Fri, 15 Jan 2021 14:30:58 -0800
+Subject: tcp: fix TCP_USER_TIMEOUT with zero window
+
+From: Enke Chen <enchen@paloaltonetworks.com>
+
+commit 9d9b1ee0b2d1c9e02b2338c4a4b0a062d2d3edac upstream.
+
+The TCP session does not terminate with TCP_USER_TIMEOUT when data
+remain untransmitted due to zero window.
+
+The number of unanswered zero-window probes (tcp_probes_out) is
+reset to zero with incoming acks irrespective of the window size,
+as described in tcp_probe_timer():
+
+ RFC 1122 4.2.2.17 requires the sender to stay open indefinitely
+ as long as the receiver continues to respond probes. We support
+ this by default and reset icsk_probes_out with incoming ACKs.
+
+This counter, however, is the wrong one to be used in calculating the
+duration that the window remains closed and data remain untransmitted.
+Thanks to Jonathan Maxwell <jmaxwell37@gmail.com> for diagnosing the
+actual issue.
+
+In this patch a new timestamp is introduced for the socket in order to
+track the elapsed time for the zero-window probes that have not been
+answered with any non-zero window ack.
+
+Fixes: 9721e709fa68 ("tcp: simplify window probe aborting on USER_TIMEOUT")
+Reported-by: William McCall <william.mccall@gmail.com>
+Co-developed-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Enke Chen <enchen@paloaltonetworks.com>
+Reviewed-by: Yuchung Cheng <ycheng@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20210115223058.GA39267@localhost.localdomain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/inet_connection_sock.h | 3 +++
+ net/ipv4/inet_connection_sock.c | 1 +
+ net/ipv4/tcp.c | 1 +
+ net/ipv4/tcp_input.c | 1 +
+ net/ipv4/tcp_output.c | 1 +
+ net/ipv4/tcp_timer.c | 14 +++++++-------
+ 6 files changed, 14 insertions(+), 7 deletions(-)
+
+--- a/include/net/inet_connection_sock.h
++++ b/include/net/inet_connection_sock.h
+@@ -83,6 +83,8 @@ struct inet_connection_sock_af_ops {
+ * @icsk_ext_hdr_len: Network protocol overhead (IP/IPv6 options)
+ * @icsk_ack: Delayed ACK control data
+ * @icsk_mtup; MTU probing control data
++ * @icsk_probes_tstamp: Probe timestamp (cleared by non-zero window ack)
++ * @icsk_user_timeout: TCP_USER_TIMEOUT value
+ */
+ struct inet_connection_sock {
+ /* inet_sock has to be the first member! */
+@@ -133,6 +135,7 @@ struct inet_connection_sock {
+
+ u32 probe_timestamp;
+ } icsk_mtup;
++ u32 icsk_probes_tstamp;
+ u32 icsk_user_timeout;
+
+ u64 icsk_ca_priv[104 / sizeof(u64)];
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -840,6 +840,7 @@ struct sock *inet_csk_clone_lock(const s
+ newicsk->icsk_retransmits = 0;
+ newicsk->icsk_backoff = 0;
+ newicsk->icsk_probes_out = 0;
++ newicsk->icsk_probes_tstamp = 0;
+
+ /* Deinitialize accept_queue to trap illegal accesses. */
+ memset(&newicsk->icsk_accept_queue, 0, sizeof(newicsk->icsk_accept_queue));
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2627,6 +2627,7 @@ int tcp_disconnect(struct sock *sk, int
+ icsk->icsk_backoff = 0;
+ tp->snd_cwnd = 2;
+ icsk->icsk_probes_out = 0;
++ icsk->icsk_probes_tstamp = 0;
+ icsk->icsk_rto = TCP_TIMEOUT_INIT;
+ tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
+ tp->snd_cwnd = TCP_INIT_CWND;
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3286,6 +3286,7 @@ static void tcp_ack_probe(struct sock *s
+ return;
+ if (!after(TCP_SKB_CB(head)->end_seq, tcp_wnd_end(tp))) {
+ icsk->icsk_backoff = 0;
++ icsk->icsk_probes_tstamp = 0;
+ inet_csk_clear_xmit_timer(sk, ICSK_TIME_PROBE0);
+ /* Socket must be waked up by subsequent tcp_data_snd_check().
+ * This function is not for random using!
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -3835,6 +3835,7 @@ void tcp_send_probe0(struct sock *sk)
+ /* Cancel probe timer, if it is not required. */
+ icsk->icsk_probes_out = 0;
+ icsk->icsk_backoff = 0;
++ icsk->icsk_probes_tstamp = 0;
+ return;
+ }
+
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -344,6 +344,7 @@ static void tcp_probe_timer(struct sock
+
+ if (tp->packets_out || !skb) {
+ icsk->icsk_probes_out = 0;
++ icsk->icsk_probes_tstamp = 0;
+ return;
+ }
+
+@@ -355,13 +356,12 @@ static void tcp_probe_timer(struct sock
+ * corresponding system limit. We also implement similar policy when
+ * we use RTO to probe window in tcp_retransmit_timer().
+ */
+- if (icsk->icsk_user_timeout) {
+- u32 elapsed = tcp_model_timeout(sk, icsk->icsk_probes_out,
+- tcp_probe0_base(sk));
+-
+- if (elapsed >= icsk->icsk_user_timeout)
+- goto abort;
+- }
++ if (!icsk->icsk_probes_tstamp)
++ icsk->icsk_probes_tstamp = tcp_jiffies32;
++ else if (icsk->icsk_user_timeout &&
++ (s32)(tcp_jiffies32 - icsk->icsk_probes_tstamp) >=
++ msecs_to_jiffies(icsk->icsk_user_timeout))
++ goto abort;
+
+ max_probes = sock_net(sk)->ipv4.sysctl_tcp_retries2;
+ if (sock_flag(sk, SOCK_DEAD)) {
--- /dev/null
+From 8d2b51b008c25240914984208b2ced57d1dd25a5 Mon Sep 17 00:00:00 2001
+From: Guillaume Nault <gnault@redhat.com>
+Date: Sat, 16 Jan 2021 11:44:22 +0100
+Subject: udp: mask TOS bits in udp_v4_early_demux()
+
+From: Guillaume Nault <gnault@redhat.com>
+
+commit 8d2b51b008c25240914984208b2ced57d1dd25a5 upstream.
+
+udp_v4_early_demux() is the only function that calls
+ip_mc_validate_source() with a TOS that hasn't been masked with
+IPTOS_RT_MASK.
+
+This results in different behaviours for incoming multicast UDPv4
+packets, depending on if ip_mc_validate_source() is called from the
+early-demux path (udp_v4_early_demux) or from the regular input path
+(ip_route_input_noref).
+
+ECN would normally not be used with UDP multicast packets, so the
+practical consequences should be limited on that side. However,
+IPTOS_RT_MASK is used to also masks the TOS' high order bits, to align
+with the non-early-demux path behaviour.
+
+Reproducer:
+
+ Setup two netns, connected with veth:
+ $ ip netns add ns0
+ $ ip netns add ns1
+ $ ip -netns ns0 link set dev lo up
+ $ ip -netns ns1 link set dev lo up
+ $ ip link add name veth01 netns ns0 type veth peer name veth10 netns ns1
+ $ ip -netns ns0 link set dev veth01 up
+ $ ip -netns ns1 link set dev veth10 up
+ $ ip -netns ns0 address add 192.0.2.10 peer 192.0.2.11/32 dev veth01
+ $ ip -netns ns1 address add 192.0.2.11 peer 192.0.2.10/32 dev veth10
+
+ In ns0, add route to multicast address 224.0.2.0/24 using source
+ address 198.51.100.10:
+ $ ip -netns ns0 address add 198.51.100.10/32 dev lo
+ $ ip -netns ns0 route add 224.0.2.0/24 dev veth01 src 198.51.100.10
+
+ In ns1, define route to 198.51.100.10, only for packets with TOS 4:
+ $ ip -netns ns1 route add 198.51.100.10/32 tos 4 dev veth10
+
+ Also activate rp_filter in ns1, so that incoming packets not matching
+ the above route get dropped:
+ $ ip netns exec ns1 sysctl -wq net.ipv4.conf.veth10.rp_filter=1
+
+ Now try to receive packets on 224.0.2.11:
+ $ ip netns exec ns1 socat UDP-RECVFROM:1111,ip-add-membership=224.0.2.11:veth10,ignoreeof -
+
+ In ns0, send packet to 224.0.2.11 with TOS 4 and ECT(0) (that is,
+ tos 6 for socat):
+ $ echo test0 | ip netns exec ns0 socat - UDP-DATAGRAM:224.0.2.11:1111,bind=:1111,tos=6
+
+ The "test0" message is properly received by socat in ns1, because
+ early-demux has no cached dst to use, so source address validation
+ is done by ip_route_input_mc(), which receives a TOS that has the
+ ECN bits masked.
+
+ Now send another packet to 224.0.2.11, still with TOS 4 and ECT(0):
+ $ echo test1 | ip netns exec ns0 socat - UDP-DATAGRAM:224.0.2.11:1111,bind=:1111,tos=6
+
+ The "test1" message isn't received by socat in ns1, because, now,
+ early-demux has a cached dst to use and calls ip_mc_validate_source()
+ immediately, without masking the ECN bits.
+
+Fixes: bc044e8db796 ("udp: perform source validation for mcast early demux")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/udp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -2495,7 +2495,8 @@ int udp_v4_early_demux(struct sk_buff *s
+ */
+ if (!inet_sk(sk)->inet_daddr && in_dev)
+ return ip_mc_validate_source(skb, iph->daddr,
+- iph->saddr, iph->tos,
++ iph->saddr,
++ iph->tos & IPTOS_RT_MASK,
+ skb->dev, in_dev, &itag);
+ }
+ return 0;
--- /dev/null
+From 76e2fc63ca40977af893b724b00cc2f8e9ce47a4 Mon Sep 17 00:00:00 2001
+From: Yazen Ghannam <Yazen.Ghannam@amd.com>
+Date: Mon, 11 Jan 2021 11:04:29 +0100
+Subject: x86/cpu/amd: Set __max_die_per_package on AMD
+
+From: Yazen Ghannam <Yazen.Ghannam@amd.com>
+
+commit 76e2fc63ca40977af893b724b00cc2f8e9ce47a4 upstream.
+
+Set the maximum DIE per package variable on AMD using the
+NodesPerProcessor topology value. This will be used by RAPL, among
+others, to determine the maximum number of DIEs on the system in order
+to do per-DIE manipulations.
+
+ [ bp: Productize into a proper patch. ]
+
+Fixes: 028c221ed190 ("x86/CPU/AMD: Save AMD NodeId as cpu_die_id")
+Reported-by: Johnathan Smithinovic <johnathan.smithinovic@gmx.at>
+Reported-by: Rafael Kitover <rkitover@gmail.com>
+Signed-off-by: Yazen Ghannam <Yazen.Ghannam@amd.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Tested-by: Johnathan Smithinovic <johnathan.smithinovic@gmx.at>
+Tested-by: Rafael Kitover <rkitover@gmail.com>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=210939
+Link: https://lkml.kernel.org/r/20210106112106.GE5729@zn.tnic
+Link: https://lkml.kernel.org/r/20210111101455.1194-1-bp@alien8.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/cpu/amd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -545,12 +545,12 @@ static void bsp_init_amd(struct cpuinfo_
+ u32 ecx;
+
+ ecx = cpuid_ecx(0x8000001e);
+- nodes_per_socket = ((ecx >> 8) & 7) + 1;
++ __max_die_per_package = nodes_per_socket = ((ecx >> 8) & 7) + 1;
+ } else if (boot_cpu_has(X86_FEATURE_NODEID_MSR)) {
+ u64 value;
+
+ rdmsrl(MSR_FAM10H_NODE_ID, value);
+- nodes_per_socket = ((value >> 3) & 7) + 1;
++ __max_die_per_package = nodes_per_socket = ((value >> 3) & 7) + 1;
+ }
+
+ if (!boot_cpu_has(X86_FEATURE_AMD_SSBD) &&
projects / thirdparty / kernel / stable-queue.git / commitdiff
