--- /dev/null
+From 4062a5bf8bcd32ae77b63817ca93cc3b411cc302 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 08:13:39 +0200
+Subject: alx: Fix an error handling path in 'alx_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 33e381448cf7a05d76ac0b47d4a6531ecd0e5c53 ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: ab69bde6b2e9 ("alx: add a simple AR816x/AR817x device driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/alx/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c
+index d83ad06bf199..54bfe9d84ecd 100644
+--- a/drivers/net/ethernet/atheros/alx/main.c
++++ b/drivers/net/ethernet/atheros/alx/main.c
+@@ -1855,6 +1855,7 @@ out_free_netdev:
+ free_netdev(netdev);
+ out_pci_release:
+ pci_release_mem_regions(pdev);
++ pci_disable_pcie_error_reporting(pdev);
+ out_pci_disable:
+ pci_disable_device(pdev);
+ return err;
+--
+2.30.2
+
--- /dev/null
+From c0f2815dc457504a254b2a1cc5411703e5d3e0fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 21:00:27 +0200
+Subject: batman-adv: Avoid WARN_ON timing related checks
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit 9f460ae31c4435fd022c443a6029352217a16ac1 ]
+
+The soft/batadv interface for a queued OGM can be changed during the time
+the OGM was queued for transmission and when the OGM is actually
+transmitted by the worker.
+
+But WARN_ON must be used to denote kernel bugs and not to print simple
+warnings. A warning can simply be printed using pr_warn.
+
+Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Reported-by: syzbot+c0b807de416427ff3dd1@syzkaller.appspotmail.com
+Fixes: ef0a937f7a14 ("batman-adv: consider outgoing interface in OGM sending")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/bat_iv_ogm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
+index 0b052ff51bde..cede6826e5b3 100644
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -594,8 +594,10 @@ static void batadv_iv_ogm_emit(struct batadv_forw_packet *forw_packet)
+ if (WARN_ON(!forw_packet->if_outgoing))
+ return;
+
+- if (WARN_ON(forw_packet->if_outgoing->soft_iface != soft_iface))
++ if (forw_packet->if_outgoing->soft_iface != soft_iface) {
++ pr_warn("%s: soft interface switch for queued OGM\n", __func__);
+ return;
++ }
+
+ if (forw_packet->if_incoming->if_status != BATADV_IF_ACTIVE)
+ return;
+--
+2.30.2
+
--- /dev/null
+From e7ca77c57a33c31bc704d84fa094de420c600a74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 20:43:37 +0200
+Subject: be2net: Fix an error handling path in 'be_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit c19c8c0e666f9259e2fc4d2fa4b9ff8e3b40ee5d ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: d6b6d9877878 ("be2net: use PCIe AER capability")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
+index 3fe6a28027fe..05cb2f7cc35c 100644
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -6029,6 +6029,7 @@ drv_cleanup:
+ unmap_bars:
+ be_unmap_pci_bars(adapter);
+ free_netdev:
++ pci_disable_pcie_error_reporting(pdev);
+ free_netdev(netdev);
+ rel_reg:
+ pci_release_regions(pdev);
+--
+2.30.2
+
--- /dev/null
+From 524d4862816549b6416f938e5fc851316b1654aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 13:04:35 +0200
+Subject: icmp: don't send out ICMP messages with a source address of 0.0.0.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 321827477360934dc040e9d3c626bf1de6c3ab3c ]
+
+When constructing ICMP response messages, the kernel will try to pick a
+suitable source address for the outgoing packet. However, if no IPv4
+addresses are configured on the system at all, this will fail and we end up
+producing an ICMP message with a source address of 0.0.0.0. This can happen
+on a box routing IPv4 traffic via v6 nexthops, for instance.
+
+Since 0.0.0.0 is not generally routable on the internet, there's a good
+chance that such ICMP messages will never make it back to the sender of the
+original packet that the ICMP message was sent in response to. This, in
+turn, can create connectivity and PMTUd problems for senders. Fortunately,
+RFC7600 reserves a dummy address to be used as a source for ICMP
+messages (192.0.0.8/32), so let's teach the kernel to substitute that
+address as a last resort if the regular source address selection procedure
+fails.
+
+Below is a quick example reproducing this issue with network namespaces:
+
+ip netns add ns0
+ip l add type veth peer netns ns0
+ip l set dev veth0 up
+ip a add 10.0.0.1/24 dev veth0
+ip a add fc00:dead:cafe:42::1/64 dev veth0
+ip r add 10.1.0.0/24 via inet6 fc00:dead:cafe:42::2
+ip -n ns0 l set dev veth0 up
+ip -n ns0 a add fc00:dead:cafe:42::2/64 dev veth0
+ip -n ns0 r add 10.0.0.0/24 via inet6 fc00:dead:cafe:42::1
+ip netns exec ns0 sysctl -w net.ipv4.icmp_ratelimit=0
+ip netns exec ns0 sysctl -w net.ipv4.ip_forward=1
+tcpdump -tpni veth0 -c 2 icmp &
+ping -w 1 10.1.0.1 > /dev/null
+tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
+listening on veth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
+IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 29, seq 1, length 64
+IP 0.0.0.0 > 10.0.0.1: ICMP net 10.1.0.1 unreachable, length 92
+2 packets captured
+2 packets received by filter
+0 packets dropped by kernel
+
+With this patch the above capture changes to:
+IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 31127, seq 1, length 64
+IP 192.0.0.8 > 10.0.0.1: ICMP net 10.1.0.1 unreachable, length 92
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Juliusz Chroboczek <jch@irif.fr>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/in.h | 3 +++
+ net/ipv4/icmp.c | 7 +++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/include/uapi/linux/in.h b/include/uapi/linux/in.h
+index 48e8a225b985..2a66ab49f14d 100644
+--- a/include/uapi/linux/in.h
++++ b/include/uapi/linux/in.h
+@@ -280,6 +280,9 @@ struct sockaddr_in {
+ /* Address indicating an error return. */
+ #define INADDR_NONE ((unsigned long int) 0xffffffff)
+
++/* Dummy address for src of ICMP replies if no real address is set (RFC7600). */
++#define INADDR_DUMMY ((unsigned long int) 0xc0000008)
++
+ /* Network number for local host loopback. */
+ #define IN_LOOPBACKNET 127
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index b048125ea099..dde6cf82e9f0 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -744,6 +744,13 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info,
+ icmp_param.data_len = room;
+ icmp_param.head_len = sizeof(struct icmphdr);
+
++ /* if we don't have a source address at this point, fall back to the
++ * dummy address instead of sending out a packet with a source address
++ * of 0.0.0.0
++ */
++ if (!fl4.saddr)
++ fl4.saddr = htonl(INADDR_DUMMY);
++
+ icmp_push_reply(&icmp_param, &fl4, &ipc, &rt);
+ ende:
+ ip_rt_put(rt);
+--
+2.30.2
+
--- /dev/null
+From fc85173e6ff1a589db893b28a7fdea40162ddfee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Mar 2019 10:45:23 -0300
+Subject: net: add documentation to socket.c
+
+From: Pedro Tammela <pctammela@gmail.com>
+
+[ Upstream commit 8a3c245c031944f2176118270e7bc5d4fd4a1075 ]
+
+Adds missing sphinx documentation to the
+socket.c's functions. Also fixes some whitespaces.
+
+I also changed the style of older documentation as an
+effort to have an uniform documentation style.
+
+Signed-off-by: Pedro Tammela <pctammela@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/net.h | 6 +
+ include/linux/socket.h | 12 +-
+ net/socket.c | 277 ++++++++++++++++++++++++++++++++++++++---
+ 3 files changed, 271 insertions(+), 24 deletions(-)
+
+diff --git a/include/linux/net.h b/include/linux/net.h
+index e0930678c8bf..41dc703b261c 100644
+--- a/include/linux/net.h
++++ b/include/linux/net.h
+@@ -83,6 +83,12 @@ enum sock_type {
+
+ #endif /* ARCH_HAS_SOCKET_TYPES */
+
++/**
++ * enum sock_shutdown_cmd - Shutdown types
++ * @SHUT_RD: shutdown receptions
++ * @SHUT_WR: shutdown transmissions
++ * @SHUT_RDWR: shutdown receptions/transmissions
++ */
+ enum sock_shutdown_cmd {
+ SHUT_RD,
+ SHUT_WR,
+diff --git a/include/linux/socket.h b/include/linux/socket.h
+index 7ed4713d5337..cc1d3f1b7656 100644
+--- a/include/linux/socket.h
++++ b/include/linux/socket.h
+@@ -26,7 +26,7 @@ typedef __kernel_sa_family_t sa_family_t;
+ /*
+ * 1003.1g requires sa_family_t and that sa_data is char.
+ */
+-
++
+ struct sockaddr {
+ sa_family_t sa_family; /* address family, AF_xxx */
+ char sa_data[14]; /* 14 bytes of protocol address */
+@@ -44,7 +44,7 @@ struct linger {
+ * system, not 4.3. Thus msg_accrights(len) are now missing. They
+ * belong in an obscure libc emulation or the bin.
+ */
+-
++
+ struct msghdr {
+ void *msg_name; /* ptr to socket address structure */
+ int msg_namelen; /* size of socket address structure */
+@@ -54,7 +54,7 @@ struct msghdr {
+ unsigned int msg_flags; /* flags on received message */
+ struct kiocb *msg_iocb; /* ptr to iocb for async requests */
+ };
+-
++
+ struct user_msghdr {
+ void __user *msg_name; /* ptr to socket address structure */
+ int msg_namelen; /* size of socket address structure */
+@@ -122,7 +122,7 @@ struct cmsghdr {
+ * inside range, given by msg->msg_controllen before using
+ * ancillary object DATA. --ANK (980731)
+ */
+-
++
+ static inline struct cmsghdr * __cmsg_nxthdr(void *__ctl, __kernel_size_t __size,
+ struct cmsghdr *__cmsg)
+ {
+@@ -264,10 +264,10 @@ struct ucred {
+ /* Maximum queue length specifiable by listen. */
+ #define SOMAXCONN 128
+
+-/* Flags we can use with send/ and recv.
++/* Flags we can use with send/ and recv.
+ Added those for 1003.1g not all are supported yet
+ */
+-
++
+ #define MSG_OOB 1
+ #define MSG_PEEK 2
+ #define MSG_DONTROUTE 4
+diff --git a/net/socket.c b/net/socket.c
+index 29169045dcfe..1ed7be54815a 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -384,6 +384,18 @@ static struct file_system_type sock_fs_type = {
+ * but we take care of internal coherence yet.
+ */
+
++/**
++ * sock_alloc_file - Bind a &socket to a &file
++ * @sock: socket
++ * @flags: file status flags
++ * @dname: protocol name
++ *
++ * Returns the &file bound with @sock, implicitly storing it
++ * in sock->file. If dname is %NULL, sets to "".
++ * On failure the return is a ERR pointer (see linux/err.h).
++ * This function uses GFP_KERNEL internally.
++ */
++
+ struct file *sock_alloc_file(struct socket *sock, int flags, const char *dname)
+ {
+ struct file *file;
+@@ -424,6 +436,14 @@ static int sock_map_fd(struct socket *sock, int flags)
+ return PTR_ERR(newfile);
+ }
+
++/**
++ * sock_from_file - Return the &socket bounded to @file.
++ * @file: file
++ * @err: pointer to an error code return
++ *
++ * On failure returns %NULL and assigns -ENOTSOCK to @err.
++ */
++
+ struct socket *sock_from_file(struct file *file, int *err)
+ {
+ if (file->f_op == &socket_file_ops)
+@@ -532,11 +552,11 @@ static const struct inode_operations sockfs_inode_ops = {
+ };
+
+ /**
+- * sock_alloc - allocate a socket
++ * sock_alloc - allocate a socket
+ *
+ * Allocate a new inode and socket object. The two are bound together
+ * and initialised. The socket is then returned. If we are out of inodes
+- * NULL is returned.
++ * NULL is returned. This functions uses GFP_KERNEL internally.
+ */
+
+ struct socket *sock_alloc(void)
+@@ -561,7 +581,7 @@ struct socket *sock_alloc(void)
+ EXPORT_SYMBOL(sock_alloc);
+
+ /**
+- * sock_release - close a socket
++ * sock_release - close a socket
+ * @sock: socket to close
+ *
+ * The socket is released from the protocol stack if it has a release
+@@ -617,6 +637,15 @@ void __sock_tx_timestamp(__u16 tsflags, __u8 *tx_flags)
+ }
+ EXPORT_SYMBOL(__sock_tx_timestamp);
+
++/**
++ * sock_sendmsg - send a message through @sock
++ * @sock: socket
++ * @msg: message to send
++ *
++ * Sends @msg through @sock, passing through LSM.
++ * Returns the number of bytes sent, or an error code.
++ */
++
+ static inline int sock_sendmsg_nosec(struct socket *sock, struct msghdr *msg)
+ {
+ int ret = sock->ops->sendmsg(sock, msg, msg_data_left(msg));
+@@ -633,6 +662,18 @@ int sock_sendmsg(struct socket *sock, struct msghdr *msg)
+ }
+ EXPORT_SYMBOL(sock_sendmsg);
+
++/**
++ * kernel_sendmsg - send a message through @sock (kernel-space)
++ * @sock: socket
++ * @msg: message header
++ * @vec: kernel vec
++ * @num: vec array length
++ * @size: total message data size
++ *
++ * Builds the message data with @vec and sends it through @sock.
++ * Returns the number of bytes sent, or an error code.
++ */
++
+ int kernel_sendmsg(struct socket *sock, struct msghdr *msg,
+ struct kvec *vec, size_t num, size_t size)
+ {
+@@ -641,6 +682,19 @@ int kernel_sendmsg(struct socket *sock, struct msghdr *msg,
+ }
+ EXPORT_SYMBOL(kernel_sendmsg);
+
++/**
++ * kernel_sendmsg_locked - send a message through @sock (kernel-space)
++ * @sk: sock
++ * @msg: message header
++ * @vec: output s/g array
++ * @num: output s/g array length
++ * @size: total message data size
++ *
++ * Builds the message data with @vec and sends it through @sock.
++ * Returns the number of bytes sent, or an error code.
++ * Caller must hold @sk.
++ */
++
+ int kernel_sendmsg_locked(struct sock *sk, struct msghdr *msg,
+ struct kvec *vec, size_t num, size_t size)
+ {
+@@ -789,6 +843,16 @@ void __sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk,
+ }
+ EXPORT_SYMBOL_GPL(__sock_recv_ts_and_drops);
+
++/**
++ * sock_recvmsg - receive a message from @sock
++ * @sock: socket
++ * @msg: message to receive
++ * @flags: message flags
++ *
++ * Receives @msg from @sock, passing through LSM. Returns the total number
++ * of bytes received, or an error.
++ */
++
+ static inline int sock_recvmsg_nosec(struct socket *sock, struct msghdr *msg,
+ int flags)
+ {
+@@ -804,20 +868,21 @@ int sock_recvmsg(struct socket *sock, struct msghdr *msg, int flags)
+ EXPORT_SYMBOL(sock_recvmsg);
+
+ /**
+- * kernel_recvmsg - Receive a message from a socket (kernel space)
+- * @sock: The socket to receive the message from
+- * @msg: Received message
+- * @vec: Input s/g array for message data
+- * @num: Size of input s/g array
+- * @size: Number of bytes to read
+- * @flags: Message flags (MSG_DONTWAIT, etc...)
++ * kernel_recvmsg - Receive a message from a socket (kernel space)
++ * @sock: The socket to receive the message from
++ * @msg: Received message
++ * @vec: Input s/g array for message data
++ * @num: Size of input s/g array
++ * @size: Number of bytes to read
++ * @flags: Message flags (MSG_DONTWAIT, etc...)
+ *
+- * On return the msg structure contains the scatter/gather array passed in the
+- * vec argument. The array is modified so that it consists of the unfilled
+- * portion of the original array.
++ * On return the msg structure contains the scatter/gather array passed in the
++ * vec argument. The array is modified so that it consists of the unfilled
++ * portion of the original array.
+ *
+- * The returned value is the total number of bytes received, or an error.
++ * The returned value is the total number of bytes received, or an error.
+ */
++
+ int kernel_recvmsg(struct socket *sock, struct msghdr *msg,
+ struct kvec *vec, size_t num, size_t size, int flags)
+ {
+@@ -983,6 +1048,13 @@ static long sock_do_ioctl(struct net *net, struct socket *sock,
+ * what to do with it - that's up to the protocol still.
+ */
+
++/**
++ * get_net_ns - increment the refcount of the network namespace
++ * @ns: common namespace (net)
++ *
++ * Returns the net's common namespace.
++ */
++
+ struct ns_common *get_net_ns(struct ns_common *ns)
+ {
+ return &get_net(container_of(ns, struct net, ns))->ns;
+@@ -1077,6 +1149,19 @@ static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg)
+ return err;
+ }
+
++/**
++ * sock_create_lite - creates a socket
++ * @family: protocol family (AF_INET, ...)
++ * @type: communication type (SOCK_STREAM, ...)
++ * @protocol: protocol (0, ...)
++ * @res: new socket
++ *
++ * Creates a new socket and assigns it to @res, passing through LSM.
++ * The new socket initialization is not complete, see kernel_accept().
++ * Returns 0 or an error. On failure @res is set to %NULL.
++ * This function internally uses GFP_KERNEL.
++ */
++
+ int sock_create_lite(int family, int type, int protocol, struct socket **res)
+ {
+ int err;
+@@ -1202,6 +1287,21 @@ call_kill:
+ }
+ EXPORT_SYMBOL(sock_wake_async);
+
++/**
++ * __sock_create - creates a socket
++ * @net: net namespace
++ * @family: protocol family (AF_INET, ...)
++ * @type: communication type (SOCK_STREAM, ...)
++ * @protocol: protocol (0, ...)
++ * @res: new socket
++ * @kern: boolean for kernel space sockets
++ *
++ * Creates a new socket and assigns it to @res, passing through LSM.
++ * Returns 0 or an error. On failure @res is set to %NULL. @kern must
++ * be set to true if the socket resides in kernel space.
++ * This function internally uses GFP_KERNEL.
++ */
++
+ int __sock_create(struct net *net, int family, int type, int protocol,
+ struct socket **res, int kern)
+ {
+@@ -1311,12 +1411,35 @@ out_release:
+ }
+ EXPORT_SYMBOL(__sock_create);
+
++/**
++ * sock_create - creates a socket
++ * @family: protocol family (AF_INET, ...)
++ * @type: communication type (SOCK_STREAM, ...)
++ * @protocol: protocol (0, ...)
++ * @res: new socket
++ *
++ * A wrapper around __sock_create().
++ * Returns 0 or an error. This function internally uses GFP_KERNEL.
++ */
++
+ int sock_create(int family, int type, int protocol, struct socket **res)
+ {
+ return __sock_create(current->nsproxy->net_ns, family, type, protocol, res, 0);
+ }
+ EXPORT_SYMBOL(sock_create);
+
++/**
++ * sock_create_kern - creates a socket (kernel space)
++ * @net: net namespace
++ * @family: protocol family (AF_INET, ...)
++ * @type: communication type (SOCK_STREAM, ...)
++ * @protocol: protocol (0, ...)
++ * @res: new socket
++ *
++ * A wrapper around __sock_create().
++ * Returns 0 or an error. This function internally uses GFP_KERNEL.
++ */
++
+ int sock_create_kern(struct net *net, int family, int type, int protocol, struct socket **res)
+ {
+ return __sock_create(net, family, type, protocol, res, 1);
+@@ -3273,18 +3396,46 @@ static long compat_sock_ioctl(struct file *file, unsigned int cmd,
+ }
+ #endif
+
++/**
++ * kernel_bind - bind an address to a socket (kernel space)
++ * @sock: socket
++ * @addr: address
++ * @addrlen: length of address
++ *
++ * Returns 0 or an error.
++ */
++
+ int kernel_bind(struct socket *sock, struct sockaddr *addr, int addrlen)
+ {
+ return sock->ops->bind(sock, addr, addrlen);
+ }
+ EXPORT_SYMBOL(kernel_bind);
+
++/**
++ * kernel_listen - move socket to listening state (kernel space)
++ * @sock: socket
++ * @backlog: pending connections queue size
++ *
++ * Returns 0 or an error.
++ */
++
+ int kernel_listen(struct socket *sock, int backlog)
+ {
+ return sock->ops->listen(sock, backlog);
+ }
+ EXPORT_SYMBOL(kernel_listen);
+
++/**
++ * kernel_accept - accept a connection (kernel space)
++ * @sock: listening socket
++ * @newsock: new connected socket
++ * @flags: flags
++ *
++ * @flags must be SOCK_CLOEXEC, SOCK_NONBLOCK or 0.
++ * If it fails, @newsock is guaranteed to be %NULL.
++ * Returns 0 or an error.
++ */
++
+ int kernel_accept(struct socket *sock, struct socket **newsock, int flags)
+ {
+ struct sock *sk = sock->sk;
+@@ -3310,6 +3461,19 @@ done:
+ }
+ EXPORT_SYMBOL(kernel_accept);
+
++/**
++ * kernel_connect - connect a socket (kernel space)
++ * @sock: socket
++ * @addr: address
++ * @addrlen: address length
++ * @flags: flags (O_NONBLOCK, ...)
++ *
++ * For datagram sockets, @addr is the addres to which datagrams are sent
++ * by default, and the only address from which datagrams are received.
++ * For stream sockets, attempts to connect to @addr.
++ * Returns 0 or an error code.
++ */
++
+ int kernel_connect(struct socket *sock, struct sockaddr *addr, int addrlen,
+ int flags)
+ {
+@@ -3317,18 +3481,48 @@ int kernel_connect(struct socket *sock, struct sockaddr *addr, int addrlen,
+ }
+ EXPORT_SYMBOL(kernel_connect);
+
++/**
++ * kernel_getsockname - get the address which the socket is bound (kernel space)
++ * @sock: socket
++ * @addr: address holder
++ *
++ * Fills the @addr pointer with the address which the socket is bound.
++ * Returns 0 or an error code.
++ */
++
+ int kernel_getsockname(struct socket *sock, struct sockaddr *addr)
+ {
+ return sock->ops->getname(sock, addr, 0);
+ }
+ EXPORT_SYMBOL(kernel_getsockname);
+
++/**
++ * kernel_peername - get the address which the socket is connected (kernel space)
++ * @sock: socket
++ * @addr: address holder
++ *
++ * Fills the @addr pointer with the address which the socket is connected.
++ * Returns 0 or an error code.
++ */
++
+ int kernel_getpeername(struct socket *sock, struct sockaddr *addr)
+ {
+ return sock->ops->getname(sock, addr, 1);
+ }
+ EXPORT_SYMBOL(kernel_getpeername);
+
++/**
++ * kernel_getsockopt - get a socket option (kernel space)
++ * @sock: socket
++ * @level: API level (SOL_SOCKET, ...)
++ * @optname: option tag
++ * @optval: option value
++ * @optlen: option length
++ *
++ * Assigns the option length to @optlen.
++ * Returns 0 or an error.
++ */
++
+ int kernel_getsockopt(struct socket *sock, int level, int optname,
+ char *optval, int *optlen)
+ {
+@@ -3351,6 +3545,17 @@ int kernel_getsockopt(struct socket *sock, int level, int optname,
+ }
+ EXPORT_SYMBOL(kernel_getsockopt);
+
++/**
++ * kernel_setsockopt - set a socket option (kernel space)
++ * @sock: socket
++ * @level: API level (SOL_SOCKET, ...)
++ * @optname: option tag
++ * @optval: option value
++ * @optlen: option length
++ *
++ * Returns 0 or an error.
++ */
++
+ int kernel_setsockopt(struct socket *sock, int level, int optname,
+ char *optval, unsigned int optlen)
+ {
+@@ -3371,6 +3576,17 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
+ }
+ EXPORT_SYMBOL(kernel_setsockopt);
+
++/**
++ * kernel_sendpage - send a &page through a socket (kernel space)
++ * @sock: socket
++ * @page: page
++ * @offset: page offset
++ * @size: total size in bytes
++ * @flags: flags (MSG_DONTWAIT, ...)
++ *
++ * Returns the total amount sent in bytes or an error.
++ */
++
+ int kernel_sendpage(struct socket *sock, struct page *page, int offset,
+ size_t size, int flags)
+ {
+@@ -3381,6 +3597,18 @@ int kernel_sendpage(struct socket *sock, struct page *page, int offset,
+ }
+ EXPORT_SYMBOL(kernel_sendpage);
+
++/**
++ * kernel_sendpage_locked - send a &page through the locked sock (kernel space)
++ * @sk: sock
++ * @page: page
++ * @offset: page offset
++ * @size: total size in bytes
++ * @flags: flags (MSG_DONTWAIT, ...)
++ *
++ * Returns the total amount sent in bytes or an error.
++ * Caller must hold @sk.
++ */
++
+ int kernel_sendpage_locked(struct sock *sk, struct page *page, int offset,
+ size_t size, int flags)
+ {
+@@ -3394,17 +3622,30 @@ int kernel_sendpage_locked(struct sock *sk, struct page *page, int offset,
+ }
+ EXPORT_SYMBOL(kernel_sendpage_locked);
+
++/**
++ * kernel_shutdown - shut down part of a full-duplex connection (kernel space)
++ * @sock: socket
++ * @how: connection part
++ *
++ * Returns 0 or an error.
++ */
++
+ int kernel_sock_shutdown(struct socket *sock, enum sock_shutdown_cmd how)
+ {
+ return sock->ops->shutdown(sock, how);
+ }
+ EXPORT_SYMBOL(kernel_sock_shutdown);
+
+-/* This routine returns the IP overhead imposed by a socket i.e.
+- * the length of the underlying IP header, depending on whether
+- * this is an IPv4 or IPv6 socket and the length from IP options turned
+- * on at the socket. Assumes that the caller has a lock on the socket.
++/**
++ * kernel_sock_ip_overhead - returns the IP overhead imposed by a socket
++ * @sk: socket
++ *
++ * This routine returns the IP overhead imposed by a socket i.e.
++ * the length of the underlying IP header, depending on whether
++ * this is an IPv4 or IPv6 socket and the length from IP options turned
++ * on at the socket. Assumes that the caller has a lock on the socket.
+ */
++
+ u32 kernel_sock_ip_overhead(struct sock *sk)
+ {
+ struct inet_sock *inet;
+--
+2.30.2
+
--- /dev/null
+From 532b03f4475b9420b64edbc0c2b4e332f7506e17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 07:47:15 -0700
+Subject: net/af_unix: fix a data-race in unix_dgram_sendmsg /
+ unix_release_sock
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a494bd642d9120648b06bb7d28ce6d05f55a7819 ]
+
+While unix_may_send(sk, osk) is called while osk is locked, it appears
+unix_release_sock() can overwrite unix_peer() after this lock has been
+released, making KCSAN unhappy.
+
+Changing unix_release_sock() to access/change unix_peer()
+before lock is released should fix this issue.
+
+BUG: KCSAN: data-race in unix_dgram_sendmsg / unix_release_sock
+
+write to 0xffff88810465a338 of 8 bytes by task 20852 on cpu 1:
+ unix_release_sock+0x4ed/0x6e0 net/unix/af_unix.c:558
+ unix_release+0x2f/0x50 net/unix/af_unix.c:859
+ __sock_release net/socket.c:599 [inline]
+ sock_close+0x6c/0x150 net/socket.c:1258
+ __fput+0x25b/0x4e0 fs/file_table.c:280
+ ____fput+0x11/0x20 fs/file_table.c:313
+ task_work_run+0xae/0x130 kernel/task_work.c:164
+ tracehook_notify_resume include/linux/tracehook.h:189 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
+ exit_to_user_mode_prepare+0x156/0x190 kernel/entry/common.c:209
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
+ syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:302
+ do_syscall_64+0x56/0x90 arch/x86/entry/common.c:57
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff88810465a338 of 8 bytes by task 20888 on cpu 0:
+ unix_may_send net/unix/af_unix.c:189 [inline]
+ unix_dgram_sendmsg+0x923/0x1610 net/unix/af_unix.c:1712
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350
+ ___sys_sendmsg net/socket.c:2404 [inline]
+ __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490
+ __do_sys_sendmmsg net/socket.c:2519 [inline]
+ __se_sys_sendmmsg net/socket.c:2516 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0xffff888167905400 -> 0x0000000000000000
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 20888 Comm: syz-executor.0 Not tainted 5.13.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 2020306468af..53fe5ada5a83 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -540,12 +540,14 @@ static void unix_release_sock(struct sock *sk, int embrion)
+ u->path.mnt = NULL;
+ state = sk->sk_state;
+ sk->sk_state = TCP_CLOSE;
++
++ skpair = unix_peer(sk);
++ unix_peer(sk) = NULL;
++
+ unix_state_unlock(sk);
+
+ wake_up_interruptible_all(&u->peer_wait);
+
+- skpair = unix_peer(sk);
+-
+ if (skpair != NULL) {
+ if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) {
+ unix_state_lock(skpair);
+@@ -560,7 +562,6 @@ static void unix_release_sock(struct sock *sk, int embrion)
+
+ unix_dgram_peer_wake_disconnect(sk, skpair);
+ sock_put(skpair); /* It may now die */
+- unix_peer(sk) = NULL;
+ }
+
+ /* Try to flush out this socket. Throw out buffers at least */
+--
+2.30.2
+
--- /dev/null
+From 91b986e4229de0ae39b0a15ca48abc366f48dd6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 07:32:32 +0800
+Subject: net: cdc_eem: fix tx fixup skb leak
+
+From: Linyu Yuan <linyyuan@codeaurora.org>
+
+[ Upstream commit c3b26fdf1b32f91c7a3bc743384b4a298ab53ad7 ]
+
+when usbnet transmit a skb, eem fixup it in eem_tx_fixup(),
+if skb_copy_expand() failed, it return NULL,
+usbnet_start_xmit() will have no chance to free original skb.
+
+fix it by free orginal skb in eem_tx_fixup() first,
+then check skb clone status, if failed, return NULL to usbnet.
+
+Fixes: 9f722c0978b0 ("usbnet: CDC EEM support (v5)")
+Signed-off-by: Linyu Yuan <linyyuan@codeaurora.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_eem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/cdc_eem.c b/drivers/net/usb/cdc_eem.c
+index 61ea4eaace5d..e3f108080af1 100644
+--- a/drivers/net/usb/cdc_eem.c
++++ b/drivers/net/usb/cdc_eem.c
+@@ -135,10 +135,10 @@ static struct sk_buff *eem_tx_fixup(struct usbnet *dev, struct sk_buff *skb,
+ }
+
+ skb2 = skb_copy_expand(skb, EEM_HEAD, ETH_FCS_LEN + padlen, flags);
++ dev_kfree_skb_any(skb);
+ if (!skb2)
+ return NULL;
+
+- dev_kfree_skb_any(skb);
+ skb = skb2;
+
+ done:
+--
+2.30.2
+
--- /dev/null
+From bedb048aec5c65d2a68de8fe664257b1c0627e2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 01:05:49 -0700
+Subject: net: cdc_ncm: switch to eth%d interface naming
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski <maze@google.com>
+
+[ Upstream commit c1a3d4067309451e68c33dbd356032549cc0bd8e ]
+
+This is meant to make the host side cdc_ncm interface consistently
+named just like the older CDC protocols: cdc_ether & cdc_ecm
+(and even rndis_host), which all use 'FLAG_ETHER | FLAG_POINTTOPOINT'.
+
+include/linux/usb/usbnet.h:
+ #define FLAG_ETHER 0x0020 /* maybe use "eth%d" names */
+ #define FLAG_WLAN 0x0080 /* use "wlan%d" names */
+ #define FLAG_WWAN 0x0400 /* use "wwan%d" names */
+ #define FLAG_POINTTOPOINT 0x1000 /* possibly use "usb%d" names */
+
+drivers/net/usb/usbnet.c @ line 1711:
+ strcpy (net->name, "usb%d");
+ ...
+ // heuristic: "usb%d" for links we know are two-host,
+ // else "eth%d" when there's reasonable doubt. userspace
+ // can rename the link if it knows better.
+ if ((dev->driver_info->flags & FLAG_ETHER) != 0 &&
+ ((dev->driver_info->flags & FLAG_POINTTOPOINT) == 0 ||
+ (net->dev_addr [0] & 0x02) == 0))
+ strcpy (net->name, "eth%d");
+ /* WLAN devices should always be named "wlan%d" */
+ if ((dev->driver_info->flags & FLAG_WLAN) != 0)
+ strcpy(net->name, "wlan%d");
+ /* WWAN devices should always be named "wwan%d" */
+ if ((dev->driver_info->flags & FLAG_WWAN) != 0)
+ strcpy(net->name, "wwan%d");
+
+So by using ETHER | POINTTOPOINT the interface naming is
+either usb%d or eth%d based on the global uniqueness of the
+mac address of the device.
+
+Without this 2.5gbps ethernet dongles which all seem to use the cdc_ncm
+driver end up being called usb%d instead of eth%d even though they're
+definitely not two-host. (All 1gbps & 5gbps ethernet usb dongles I've
+tested don't hit this problem due to use of different drivers, primarily
+r8152 and aqc111)
+
+Fixes tag is based purely on git blame, and is really just here to make
+sure this hits LTS branches newer than v4.5.
+
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Fixes: 4d06dd537f95 ("cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind")
+Signed-off-by: Maciej Żenczykowski <maze@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_ncm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index 82ec00a7370d..f3f78ccdb274 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1666,7 +1666,7 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb)
+ static const struct driver_info cdc_ncm_info = {
+ .description = "CDC NCM",
+ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
+- | FLAG_LINK_INTR,
++ | FLAG_LINK_INTR | FLAG_ETHER,
+ .bind = cdc_ncm_bind,
+ .unbind = cdc_ncm_unbind,
+ .manage_power = usbnet_manage_power,
+--
+2.30.2
+
--- /dev/null
+From f3f2eae71b5e718b7642a3ef164625acede53ef7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 16:49:02 +0300
+Subject: net: ethernet: fix potential use-after-free in ec_bhf_remove
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 9cca0c2d70149160407bda9a9446ce0c29b6e6c6 ]
+
+static void ec_bhf_remove(struct pci_dev *dev)
+{
+...
+ struct ec_bhf_priv *priv = netdev_priv(net_dev);
+
+ unregister_netdev(net_dev);
+ free_netdev(net_dev);
+
+ pci_iounmap(dev, priv->dma_io);
+ pci_iounmap(dev, priv->io);
+...
+}
+
+priv is netdev private data, but it is used
+after free_netdev(). It can cause use-after-free when accessing priv
+pointer. So, fix it by moving free_netdev() after pci_iounmap()
+calls.
+
+Fixes: 6af55ff52b02 ("Driver for Beckhoff CX5020 EtherCAT master module.")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ec_bhf.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ec_bhf.c b/drivers/net/ethernet/ec_bhf.c
+index d71cba0842c5..59dc20020c73 100644
+--- a/drivers/net/ethernet/ec_bhf.c
++++ b/drivers/net/ethernet/ec_bhf.c
+@@ -585,10 +585,12 @@ static void ec_bhf_remove(struct pci_dev *dev)
+ struct ec_bhf_priv *priv = netdev_priv(net_dev);
+
+ unregister_netdev(net_dev);
+- free_netdev(net_dev);
+
+ pci_iounmap(dev, priv->dma_io);
+ pci_iounmap(dev, priv->io);
++
++ free_netdev(net_dev);
++
+ pci_release_regions(dev);
+ pci_clear_master(dev);
+ pci_disable_device(dev);
+--
+2.30.2
+
--- /dev/null
+From f57334ccfab6ea423ef6cf9db12f260e4bae9200 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 17:14:26 +0800
+Subject: net: fec_ptp: fix issue caused by refactor the fec_devtype
+
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+
+[ Upstream commit d23765646e71b43ed2b809930411ba5c0aadee7b ]
+
+Commit da722186f654 ("net: fec: set GPR bit on suspend by DT configuration.")
+refactor the fec_devtype, need adjust ptp driver accordingly.
+
+Fixes: da722186f654 ("net: fec: set GPR bit on suspend by DT configuration.")
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_ptp.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c
+index 09a762eb4f09..eca65d49decb 100644
+--- a/drivers/net/ethernet/freescale/fec_ptp.c
++++ b/drivers/net/ethernet/freescale/fec_ptp.c
+@@ -220,15 +220,13 @@ static u64 fec_ptp_read(const struct cyclecounter *cc)
+ {
+ struct fec_enet_private *fep =
+ container_of(cc, struct fec_enet_private, cc);
+- const struct platform_device_id *id_entry =
+- platform_get_device_id(fep->pdev);
+ u32 tempval;
+
+ tempval = readl(fep->hwp + FEC_ATIME_CTRL);
+ tempval |= FEC_T_CTRL_CAPTURE;
+ writel(tempval, fep->hwp + FEC_ATIME_CTRL);
+
+- if (id_entry->driver_data & FEC_QUIRK_BUG_CAPTURE)
++ if (fep->quirks & FEC_QUIRK_BUG_CAPTURE)
+ udelay(1);
+
+ return readl(fep->hwp + FEC_ATIME);
+--
+2.30.2
+
--- /dev/null
+From bcbc4223fcff0aaa755b08abbbf208774661ace9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 22:09:06 +0300
+Subject: net: hamradio: fix memory leak in mkiss_close
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 7edcc682301492380fbdd604b4516af5ae667a13 ]
+
+My local syzbot instance hit memory leak in
+mkiss_open()[1]. The problem was in missing
+free_netdev() in mkiss_close().
+
+In mkiss_open() netdevice is allocated and then
+registered, but in mkiss_close() netdevice was
+only unregistered, but not freed.
+
+Fail log:
+
+BUG: memory leak
+unreferenced object 0xffff8880281ba000 (size 4096):
+ comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s)
+ hex dump (first 32 bytes):
+ 61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 ax0.............
+ 00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00 .'.*............
+ backtrace:
+ [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0
+ [<ffffffff8706e7e8>] alloc_netdev_mqs+0x98/0xe80
+ [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]
+ [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110
+ [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670
+ [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440
+ [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200
+ [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0
+ [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+BUG: memory leak
+unreferenced object 0xffff8880141a9a00 (size 96):
+ comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s)
+ hex dump (first 32 bytes):
+ e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff ...(.......(....
+ 98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00 .....@..........
+ backtrace:
+ [<ffffffff8709f68b>] __hw_addr_create_ex+0x5b/0x310
+ [<ffffffff8709fb38>] __hw_addr_add_ex+0x1f8/0x2b0
+ [<ffffffff870a0c7b>] dev_addr_init+0x10b/0x1f0
+ [<ffffffff8706e88b>] alloc_netdev_mqs+0x13b/0xe80
+ [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]
+ [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110
+ [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670
+ [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440
+ [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200
+ [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0
+ [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+BUG: memory leak
+unreferenced object 0xffff8880219bfc00 (size 512):
+ comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s)
+ hex dump (first 32 bytes):
+ 00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ff ...(............
+ 80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0
+ [<ffffffff8706eec7>] alloc_netdev_mqs+0x777/0xe80
+ [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]
+ [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110
+ [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670
+ [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440
+ [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200
+ [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0
+ [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+BUG: memory leak
+unreferenced object 0xffff888029b2b200 (size 256):
+ comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0
+ [<ffffffff8706f062>] alloc_netdev_mqs+0x912/0xe80
+ [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]
+ [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110
+ [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670
+ [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440
+ [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200
+ [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0
+ [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: 815f62bf7427 ("[PATCH] SMP rewrite of mkiss")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hamradio/mkiss.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c
+index 3b14e6e281d4..940aa7a19f50 100644
+--- a/drivers/net/hamradio/mkiss.c
++++ b/drivers/net/hamradio/mkiss.c
+@@ -810,6 +810,7 @@ static void mkiss_close(struct tty_struct *tty)
+ ax->tty = NULL;
+
+ unregister_netdev(ax->dev);
++ free_netdev(ax->dev);
+ }
+
+ /* Perform I/O control on an active ax25 channel. */
+--
+2.30.2
+
--- /dev/null
+From 88774020790570b6d06f7acd5b62ce9606737c9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 17:59:25 +0800
+Subject: net: ipv4: fix memory leak in ip_mc_add1_src
+
+From: Chengyang Fan <cy.fan@huawei.com>
+
+[ Upstream commit d8e2973029b8b2ce477b564824431f3385c77083 ]
+
+BUG: memory leak
+unreferenced object 0xffff888101bc4c00 (size 32):
+ comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................
+ backtrace:
+ [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline]
+ [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline]
+ [<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline]
+ [<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095
+ [<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416
+ [<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline]
+ [<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423
+ [<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857
+ [<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117
+ [<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline]
+ [<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline]
+ [<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125
+ [<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47
+ [<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set
+link down"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed,
+because it was also called in igmpv3_clear_delrec().
+
+Rough callgraph:
+
+inetdev_destroy
+-> ip_mc_destroy_dev
+ -> igmpv3_clear_delrec
+ -> ip_mc_clear_src
+-> RCU_INIT_POINTER(dev->ip_ptr, NULL)
+
+However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't
+release in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the
+NULL to dev->ip_ptr. As a result, in_dev cannot be obtained through
+inetdev_by_index() and then in_dev->mc_list->sources cannot be released
+by ip_mc_del1_src() in the sock_close. Rough call sequence goes like:
+
+sock_close
+-> __sock_release
+ -> inet_release
+ -> ip_mc_drop_socket
+ -> inetdev_by_index
+ -> ip_mc_leave_src
+ -> ip_mc_del_src
+ -> ip_mc_del1_src
+
+So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free
+in_dev->mc_list->sources.
+
+Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info ...")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Chengyang Fan <cy.fan@huawei.com>
+Acked-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/igmp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index 523d26f5e22e..ffa847fc9619 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -1816,6 +1816,7 @@ void ip_mc_destroy_dev(struct in_device *in_dev)
+ while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) {
+ in_dev->mc_list = i->next_rcu;
+ in_dev->mc_count--;
++ ip_mc_clear_src(i);
+ ip_ma_put(i);
+ }
+ }
+--
+2.30.2
+
--- /dev/null
+From 50234f3651eba4ce2deecf256023b633270049ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 09:51:58 +0800
+Subject: net: ipv4: fix memory leak in netlbl_cipsov4_add_std
+
+From: Nanyong Sun <sunnanyong@huawei.com>
+
+[ Upstream commit d612c3f3fae221e7ea736d196581c2217304bbbc ]
+
+Reported by syzkaller:
+BUG: memory leak
+unreferenced object 0xffff888105df7000 (size 64):
+comm "syz-executor842", pid 360, jiffies 4294824824 (age 22.546s)
+hex dump (first 32 bytes):
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+backtrace:
+[<00000000e67ed558>] kmalloc include/linux/slab.h:590 [inline]
+[<00000000e67ed558>] kzalloc include/linux/slab.h:720 [inline]
+[<00000000e67ed558>] netlbl_cipsov4_add_std net/netlabel/netlabel_cipso_v4.c:145 [inline]
+[<00000000e67ed558>] netlbl_cipsov4_add+0x390/0x2340 net/netlabel/netlabel_cipso_v4.c:416
+[<0000000006040154>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 net/netlink/genetlink.c:739
+[<00000000204d7a1c>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
+[<00000000204d7a1c>] genl_rcv_msg+0x2bf/0x4f0 net/netlink/genetlink.c:800
+[<00000000c0d6a995>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504
+[<00000000d78b9d2c>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
+[<000000009733081b>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+[<000000009733081b>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340
+[<00000000d5fd43b8>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929
+[<000000000a2d1e40>] sock_sendmsg_nosec net/socket.c:654 [inline]
+[<000000000a2d1e40>] sock_sendmsg+0x139/0x170 net/socket.c:674
+[<00000000321d1969>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350
+[<00000000964e16bc>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404
+[<000000001615e288>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433
+[<000000004ee8b6a5>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47
+[<00000000171c7cee>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The memory of doi_def->map.std pointing is allocated in
+netlbl_cipsov4_add_std, but no place has freed it. It should be
+freed in cipso_v4_doi_free which frees the cipso DOI resource.
+
+Fixes: 96cb8e3313c7a ("[NetLabel]: CIPSOv4 and Unlabeled packet integration")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Nanyong Sun <sunnanyong@huawei.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/cipso_ipv4.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index 6a1b52b34e20..e8b8dd1cb157 100644
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -486,6 +486,7 @@ void cipso_v4_doi_free(struct cipso_v4_doi *doi_def)
+ kfree(doi_def->map.std->lvl.local);
+ kfree(doi_def->map.std->cat.cipso);
+ kfree(doi_def->map.std->cat.local);
++ kfree(doi_def->map.std);
+ break;
+ }
+ kfree(doi_def);
+--
+2.30.2
+
--- /dev/null
+From 46ca927c0dbbaf600e535b9fab89253a9a61c2bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 22:29:59 +0800
+Subject: net: make get_net_ns return error if NET_NS is disabled
+
+From: Changbin Du <changbin.du@gmail.com>
+
+[ Upstream commit ea6932d70e223e02fea3ae20a4feff05d7c1ea9a ]
+
+There is a panic in socket ioctl cmd SIOCGSKNS when NET_NS is not enabled.
+The reason is that nsfs tries to access ns->ops but the proc_ns_operations
+is not implemented in this case.
+
+[7.670023] Unable to handle kernel NULL pointer dereference at virtual address 00000010
+[7.670268] pgd = 32b54000
+[7.670544] [00000010] *pgd=00000000
+[7.671861] Internal error: Oops: 5 [#1] SMP ARM
+[7.672315] Modules linked in:
+[7.672918] CPU: 0 PID: 1 Comm: systemd Not tainted 5.13.0-rc3-00375-g6799d4f2da49 #16
+[7.673309] Hardware name: Generic DT based system
+[7.673642] PC is at nsfs_evict+0x24/0x30
+[7.674486] LR is at clear_inode+0x20/0x9c
+
+The same to tun SIOCGSKNS command.
+
+To fix this problem, we make get_net_ns() return -EINVAL when NET_NS is
+disabled. Meanwhile move it to right place net/core/net_namespace.c.
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Fixes: c62cce2caee5 ("net: add an ioctl to get a socket network namespace")
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Cc: Christian Brauner <christian.brauner@ubuntu.com>
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/socket.h | 2 --
+ include/net/net_namespace.h | 7 +++++++
+ net/core/net_namespace.c | 12 ++++++++++++
+ net/socket.c | 13 -------------
+ 4 files changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/include/linux/socket.h b/include/linux/socket.h
+index cc1d3f1b7656..15a7eb24f63c 100644
+--- a/include/linux/socket.h
++++ b/include/linux/socket.h
+@@ -384,6 +384,4 @@ extern int __sys_getpeername(int fd, struct sockaddr __user *usockaddr,
+ extern int __sys_socketpair(int family, int type, int protocol,
+ int __user *usockvec);
+ extern int __sys_shutdown(int fd, int how);
+-
+-extern struct ns_common *get_net_ns(struct ns_common *ns);
+ #endif /* _LINUX_SOCKET_H */
+diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
+index 5007eaba207d..bc88ac6c2e1d 100644
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -175,6 +175,8 @@ struct net *copy_net_ns(unsigned long flags, struct user_namespace *user_ns,
+ void net_ns_get_ownership(const struct net *net, kuid_t *uid, kgid_t *gid);
+
+ void net_ns_barrier(void);
++
++struct ns_common *get_net_ns(struct ns_common *ns);
+ #else /* CONFIG_NET_NS */
+ #include <linux/sched.h>
+ #include <linux/nsproxy.h>
+@@ -194,6 +196,11 @@ static inline void net_ns_get_ownership(const struct net *net,
+ }
+
+ static inline void net_ns_barrier(void) {}
++
++static inline struct ns_common *get_net_ns(struct ns_common *ns)
++{
++ return ERR_PTR(-EINVAL);
++}
+ #endif /* CONFIG_NET_NS */
+
+
+diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
+index c60123dff803..939d8a31eb82 100644
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -598,6 +598,18 @@ void __put_net(struct net *net)
+ }
+ EXPORT_SYMBOL_GPL(__put_net);
+
++/**
++ * get_net_ns - increment the refcount of the network namespace
++ * @ns: common namespace (net)
++ *
++ * Returns the net's common namespace.
++ */
++struct ns_common *get_net_ns(struct ns_common *ns)
++{
++ return &get_net(container_of(ns, struct net, ns))->ns;
++}
++EXPORT_SYMBOL_GPL(get_net_ns);
++
+ struct net *get_net_ns_by_fd(int fd)
+ {
+ struct file *file;
+diff --git a/net/socket.c b/net/socket.c
+index 1ed7be54815a..f14bca00ff01 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1048,19 +1048,6 @@ static long sock_do_ioctl(struct net *net, struct socket *sock,
+ * what to do with it - that's up to the protocol still.
+ */
+
+-/**
+- * get_net_ns - increment the refcount of the network namespace
+- * @ns: common namespace (net)
+- *
+- * Returns the net's common namespace.
+- */
+-
+-struct ns_common *get_net_ns(struct ns_common *ns)
+-{
+- return &get_net(container_of(ns, struct net, ns))->ns;
+-}
+-EXPORT_SYMBOL_GPL(get_net_ns);
+-
+ static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg)
+ {
+ struct socket *sock;
+--
+2.30.2
+
--- /dev/null
+From a8f9c99787fa2a634830edd352aa35425855a68e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 14:34:58 +0300
+Subject: net/mlx5e: Block offload of outer header csum for UDP tunnels
+
+From: Aya Levin <ayal@nvidia.com>
+
+[ Upstream commit 6d6727dddc7f93fcc155cb8d0c49c29ae0e71122 ]
+
+The device is able to offload either the outer header csum or inner
+header csum. The driver utilizes the inner csum offload. Hence, block
+setting of tx-udp_tnl-csum-segmentation and set it to off[fixed].
+
+Fixes: b49663c8fb49 ("net/mlx5e: Add support for UDP tunnel segmentation with outer checksum offload")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 51edc507b7b5..9003702892cd 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -4679,11 +4679,8 @@ static void mlx5e_build_nic_netdev(struct net_device *netdev)
+ }
+
+ if (mlx5_vxlan_allowed(mdev->vxlan)) {
+- netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL |
+- NETIF_F_GSO_UDP_TUNNEL_CSUM;
+- netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL |
+- NETIF_F_GSO_UDP_TUNNEL_CSUM;
+- netdev->gso_partial_features = NETIF_F_GSO_UDP_TUNNEL_CSUM;
++ netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL;
++ netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL;
+ }
+
+ if (MLX5_CAP_ETH(mdev, tunnel_stateless_gre)) {
+--
+2.30.2
+
--- /dev/null
+From 85fd79f4946307b734aedabcb58af6aebd14037c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 May 2021 13:20:32 -0500
+Subject: net/mlx5e: Remove dependency in IPsec initialization flows
+
+From: Huy Nguyen <huyn@nvidia.com>
+
+[ Upstream commit 8ad893e516a77209a1818a2072d2027d87db809f ]
+
+Currently, IPsec feature is disabled because mlx5e_build_nic_netdev
+is required to be called after mlx5e_ipsec_init. This requirement is
+invalid as mlx5e_build_nic_netdev and mlx5e_ipsec_init initialize
+independent resources.
+
+Remove ipsec pointer check in mlx5e_build_nic_netdev so that the
+two functions can be called at any order.
+
+Fixes: 547eede070eb ("net/mlx5e: IPSec, Innova IPSec offload infrastructure")
+Signed-off-by: Huy Nguyen <huyn@nvidia.com>
+Reviewed-by: Raed Salem <raeds@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+index cf58c9637904..c467f5e981f6 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+@@ -515,9 +515,6 @@ void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv)
+ struct mlx5_core_dev *mdev = priv->mdev;
+ struct net_device *netdev = priv->netdev;
+
+- if (!priv->ipsec)
+- return;
+-
+ if (!(mlx5_accel_ipsec_device_caps(mdev) & MLX5_ACCEL_IPSEC_CAP_ESP) ||
+ !MLX5_CAP_ETH(mdev, swp)) {
+ mlx5_core_dbg(mdev, "mlx5e: ESP and SWP offload not supported\n");
+--
+2.30.2
+
--- /dev/null
+From b765166971c7bfb33bebb47ebb9a33902a39521c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jun 2021 15:06:50 +0300
+Subject: net: qrtr: fix OOB Read in qrtr_endpoint_post
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit ad9d24c9429e2159d1e279dc3a83191ccb4daf1d ]
+
+Syzbot reported slab-out-of-bounds Read in
+qrtr_endpoint_post. The problem was in wrong
+_size_ type:
+
+ if (len != ALIGN(size, 4) + hdrlen)
+ goto err;
+
+If size from qrtr_hdr is 4294967293 (0xfffffffd), the result of
+ALIGN(size, 4) will be 0. In case of len == hdrlen and size == 4294967293
+in header this check won't fail and
+
+ skb_put_data(skb, data + hdrlen, size);
+
+will read out of bound from data, which is hdrlen allocated block.
+
+Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets")
+Reported-and-tested-by: syzbot+1917d778024161609247@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/qrtr/qrtr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c
+index 43f63d0606ec..1e2772913957 100644
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -264,7 +264,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
+ const struct qrtr_hdr_v2 *v2;
+ struct sk_buff *skb;
+ struct qrtr_cb *cb;
+- unsigned int size;
++ size_t size;
+ unsigned int ver;
+ size_t hdrlen;
+
+--
+2.30.2
+
--- /dev/null
+From 29ca7a5ea2cafdb08f1a28f112977d56fac0ece2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 11:06:41 +0300
+Subject: net: rds: fix memory leak in rds_recvmsg
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 49bfcbfd989a8f1f23e705759a6bb099de2cff9f ]
+
+Syzbot reported memory leak in rds. The problem
+was in unputted refcount in case of error.
+
+int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
+ int msg_flags)
+{
+...
+
+ if (!rds_next_incoming(rs, &inc)) {
+ ...
+ }
+
+After this "if" inc refcount incremented and
+
+ if (rds_cmsg_recv(inc, msg, rs)) {
+ ret = -EFAULT;
+ goto out;
+ }
+...
+out:
+ return ret;
+}
+
+in case of rds_cmsg_recv() fail the refcount won't be
+decremented. And it's easy to see from ftrace log, that
+rds_inc_addref() don't have rds_inc_put() pair in
+rds_recvmsg() after rds_cmsg_recv()
+
+ 1) | rds_recvmsg() {
+ 1) 3.721 us | rds_inc_addref();
+ 1) 3.853 us | rds_message_inc_copy_to_user();
+ 1) + 10.395 us | rds_cmsg_recv();
+ 1) + 34.260 us | }
+
+Fixes: bdbe6fbc6a2f ("RDS: recv.c")
+Reported-and-tested-by: syzbot+5134cdf021c4ed5aaa5f@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reviewed-by: Håkon Bugge <haakon.bugge@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rds/recv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rds/recv.c b/net/rds/recv.c
+index 3ca278988b52..ccf0bf283002 100644
+--- a/net/rds/recv.c
++++ b/net/rds/recv.c
+@@ -705,7 +705,7 @@ int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
+
+ if (rds_cmsg_recv(inc, msg, rs)) {
+ ret = -EFAULT;
+- goto out;
++ break;
+ }
+ rds_recvmsg_zcookie(rs, msg);
+
+--
+2.30.2
+
--- /dev/null
+From f3ba4e4c3d4629e39845d0b2f42c3e01ceb8a287 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 15:16:11 +0800
+Subject: net: stmmac: dwmac1000: Fix extended MAC address registers definition
+
+From: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+
+[ Upstream commit 1adb20f0d496b2c61e9aa1f4761b8d71f93d258e ]
+
+The register starts from 0x800 is the 16th MAC address register rather
+than the first one.
+
+Fixes: cffb13f4d6fb ("stmmac: extend mac addr reg and fix perfect filering")
+Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac1000.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h
+index 184ca13c8f79..1a84cf459e40 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h
+@@ -86,10 +86,10 @@ enum power_event {
+ #define LPI_CTRL_STATUS_TLPIEN 0x00000001 /* Transmit LPI Entry */
+
+ /* GMAC HW ADDR regs */
+-#define GMAC_ADDR_HIGH(reg) (((reg > 15) ? 0x00000800 : 0x00000040) + \
+- (reg * 8))
+-#define GMAC_ADDR_LOW(reg) (((reg > 15) ? 0x00000804 : 0x00000044) + \
+- (reg * 8))
++#define GMAC_ADDR_HIGH(reg) ((reg > 15) ? 0x00000800 + (reg - 16) * 8 : \
++ 0x00000040 + (reg * 8))
++#define GMAC_ADDR_LOW(reg) ((reg > 15) ? 0x00000804 + (reg - 16) * 8 : \
++ 0x00000044 + (reg * 8))
+ #define GMAC_MAX_PERFECT_ADDRESSES 1
+
+ #define GMAC_PCS_BASE 0x000000c0 /* PCS register base */
+--
+2.30.2
+
--- /dev/null
+From 81600248855d59138765fd17488fca85ed155c1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 10:48:33 +0800
+Subject: net: usb: fix possible use-after-free in smsc75xx_bind
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 56b786d86694e079d8aad9b314e015cd4ac02a3d ]
+
+The commit 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind")
+fails to clean up the work scheduled in smsc75xx_reset->
+smsc75xx_set_multicast, which leads to use-after-free if the work is
+scheduled to start after the deallocation. In addition, this patch
+also removes a dangling pointer - dev->data[0].
+
+This patch calls cancel_work_sync to cancel the scheduled work and set
+the dangling pointer to NULL.
+
+Fixes: 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc75xx.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index 62f2862c9775..8b9fd4e071f3 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -1495,7 +1495,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ ret = smsc75xx_wait_ready(dev, 0);
+ if (ret < 0) {
+ netdev_warn(dev->net, "device not ready in smsc75xx_bind\n");
+- goto err;
++ goto free_pdata;
+ }
+
+ smsc75xx_init_mac_address(dev);
+@@ -1504,7 +1504,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ ret = smsc75xx_reset(dev);
+ if (ret < 0) {
+ netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret);
+- goto err;
++ goto cancel_work;
+ }
+
+ dev->net->netdev_ops = &smsc75xx_netdev_ops;
+@@ -1515,8 +1515,11 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ dev->net->max_mtu = MAX_SINGLE_PACKET_SIZE;
+ return 0;
+
+-err:
++cancel_work:
++ cancel_work_sync(&pdata->set_multicast);
++free_pdata:
+ kfree(pdata);
++ dev->data[0] = 0;
+ return ret;
+ }
+
+@@ -1527,7 +1530,6 @@ static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf)
+ cancel_work_sync(&pdata->set_multicast);
+ netif_dbg(dev, ifdown, dev->net, "free pdata\n");
+ kfree(pdata);
+- pdata = NULL;
+ dev->data[0] = 0;
+ }
+ }
+--
+2.30.2
+
--- /dev/null
+From 4868eceb906cf6236d3d6c68b1ceed524ecf0a5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 19:40:29 +0300
+Subject: netfilter: synproxy: Fix out of bounds when parsing TCP options
+
+From: Maxim Mikityanskiy <maximmi@nvidia.com>
+
+[ Upstream commit 5fc177ab759418c9537433e63301096e733fb915 ]
+
+The TCP option parser in synproxy (synproxy_parse_options) could read
+one byte out of bounds. When the length is 1, the execution flow gets
+into the loop, reads one byte of the opcode, and if the opcode is
+neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds
+the length of 1.
+
+This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
+out of bounds when parsing TCP options.").
+
+v2 changes:
+
+Added an early return when length < 0 to avoid calling
+skb_header_pointer with negative length.
+
+Cc: Young Xiao <92siuyang@gmail.com>
+Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
+Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_synproxy_core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
+index 353a2aa80c3c..04b07b63c540 100644
+--- a/net/netfilter/nf_synproxy_core.c
++++ b/net/netfilter/nf_synproxy_core.c
+@@ -34,6 +34,9 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
+ int length = (th->doff * 4) - sizeof(*th);
+ u8 buf[40], *ptr;
+
++ if (unlikely(length < 0))
++ return false;
++
+ ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf);
+ if (ptr == NULL)
+ return false;
+@@ -50,6 +53,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
+ length--;
+ continue;
+ default:
++ if (length < 2)
++ return true;
+ opsize = *ptr++;
+ if (opsize < 2)
+ return true;
+--
+2.30.2
+
--- /dev/null
+From ae81eee5f6a9b1f401af7d6121f1ef66efe6a745 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 14:53:12 +0200
+Subject: netxen_nic: Fix an error handling path in 'netxen_nic_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 49a10c7b176295f8fafb338911cf028e97f65f4d ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: e87ad5539343 ("netxen: support pci error handlers")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
+index 42b99b182616..a331ad406e7a 100644
+--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
+@@ -1618,6 +1618,8 @@ err_out_free_netdev:
+ free_netdev(netdev);
+
+ err_out_free_res:
++ if (NX_IS_REVISION_P3(pdev->revision))
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_regions(pdev);
+
+ err_out_disable_pdev:
+--
+2.30.2
+
--- /dev/null
+From 73bd25db58a8954e698711637a9a697fe1cf155c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jun 2021 15:24:05 -0700
+Subject: ptp: improve max_adj check against unreasonable values
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 475b92f932168a78da8109acd10bfb7578b8f2bb ]
+
+Scaled PPM conversion to PPB may (on 64bit systems) result
+in a value larger than s32 can hold (freq/scaled_ppm is a long).
+This means the kernel will not correctly reject unreasonably
+high ->freq values (e.g. > 4294967295ppb, 281474976645 scaled PPM).
+
+The conversion is equivalent to a division by ~66 (65.536),
+so the value of ppb is always smaller than ppm, but not small
+enough to assume narrowing the type from long -> s32 is okay.
+
+Note that reasonable user space (e.g. ptp4l) will not use such
+high values, anyway, 4289046510ppb ~= 4.3x, so the fix is
+somewhat pedantic.
+
+Fixes: d39a743511cd ("ptp: validate the requested frequency adjustment.")
+Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ptp/ptp_clock.c | 6 +++---
+ include/linux/ptp_clock_kernel.h | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
+index 863958f3bb57..89632cc9c28f 100644
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -76,7 +76,7 @@ static void enqueue_external_timestamp(struct timestamp_event_queue *queue,
+ spin_unlock_irqrestore(&queue->lock, flags);
+ }
+
+-s32 scaled_ppm_to_ppb(long ppm)
++long scaled_ppm_to_ppb(long ppm)
+ {
+ /*
+ * The 'freq' field in the 'struct timex' is in parts per
+@@ -93,7 +93,7 @@ s32 scaled_ppm_to_ppb(long ppm)
+ s64 ppb = 1 + ppm;
+ ppb *= 125;
+ ppb >>= 13;
+- return (s32) ppb;
++ return (long) ppb;
+ }
+ EXPORT_SYMBOL(scaled_ppm_to_ppb);
+
+@@ -148,7 +148,7 @@ static int ptp_clock_adjtime(struct posix_clock *pc, struct timex *tx)
+ delta = ktime_to_ns(kt);
+ err = ops->adjtime(ops, delta);
+ } else if (tx->modes & ADJ_FREQUENCY) {
+- s32 ppb = scaled_ppm_to_ppb(tx->freq);
++ long ppb = scaled_ppm_to_ppb(tx->freq);
+ if (ppb > ops->max_adj || ppb < -ops->max_adj)
+ return -ERANGE;
+ if (ops->adjfine)
+diff --git a/include/linux/ptp_clock_kernel.h b/include/linux/ptp_clock_kernel.h
+index 40ea83fcfdd5..99c3f4ee938e 100644
+--- a/include/linux/ptp_clock_kernel.h
++++ b/include/linux/ptp_clock_kernel.h
+@@ -210,7 +210,7 @@ extern int ptp_clock_index(struct ptp_clock *ptp);
+ * @ppm: Parts per million, but with a 16 bit binary fractional field
+ */
+
+-extern s32 scaled_ppm_to_ppb(long ppm);
++extern long scaled_ppm_to_ppb(long ppm);
+
+ /**
+ * ptp_find_pin() - obtain the pin index of a given auxiliary function
+--
+2.30.2
+
--- /dev/null
+From 97c9ab69366955c1bfd9ab58ff53e7c6b9ed5dc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jun 2019 18:45:09 +0300
+Subject: ptp: ptp_clock: Publish scaled_ppm_to_ppb
+
+From: Shalom Toledo <shalomt@mellanox.com>
+
+[ Upstream commit 4368dada5b37e74a13b892ca5cef8a7d558e9a5f ]
+
+Publish scaled_ppm_to_ppb to allow drivers to use it.
+
+Signed-off-by: Shalom Toledo <shalomt@mellanox.com>
+Reviewed-by: Petr Machata <petrm@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ptp/ptp_clock.c | 3 ++-
+ include/linux/ptp_clock_kernel.h | 8 ++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
+index e232233beb8f..863958f3bb57 100644
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -76,7 +76,7 @@ static void enqueue_external_timestamp(struct timestamp_event_queue *queue,
+ spin_unlock_irqrestore(&queue->lock, flags);
+ }
+
+-static s32 scaled_ppm_to_ppb(long ppm)
++s32 scaled_ppm_to_ppb(long ppm)
+ {
+ /*
+ * The 'freq' field in the 'struct timex' is in parts per
+@@ -95,6 +95,7 @@ static s32 scaled_ppm_to_ppb(long ppm)
+ ppb >>= 13;
+ return (s32) ppb;
+ }
++EXPORT_SYMBOL(scaled_ppm_to_ppb);
+
+ /* posix clock implementation */
+
+diff --git a/include/linux/ptp_clock_kernel.h b/include/linux/ptp_clock_kernel.h
+index 51349d124ee5..40ea83fcfdd5 100644
+--- a/include/linux/ptp_clock_kernel.h
++++ b/include/linux/ptp_clock_kernel.h
+@@ -204,6 +204,14 @@ extern void ptp_clock_event(struct ptp_clock *ptp,
+
+ extern int ptp_clock_index(struct ptp_clock *ptp);
+
++/**
++ * scaled_ppm_to_ppb() - convert scaled ppm to ppb
++ *
++ * @ppm: Parts per million, but with a 16 bit binary fractional field
++ */
++
++extern s32 scaled_ppm_to_ppb(long ppm);
++
+ /**
+ * ptp_find_pin() - obtain the pin index of a given auxiliary function
+ *
+--
+2.30.2
+
--- /dev/null
+From 9a0cbb7a3845a057ee7191613045db26e76aef0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 14:37:46 +0200
+Subject: qlcnic: Fix an error handling path in 'qlcnic_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit cb3376604a676e0302258b01893911bdd7aa5278 ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 451724c821c1 ("qlcnic: aer support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
+index ed34b7d1a9e1..43920374beae 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
+@@ -2708,6 +2708,7 @@ err_out_free_hw_res:
+ kfree(ahw);
+
+ err_out_free_res:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_regions(pdev);
+
+ err_out_disable_pdev:
+--
+2.30.2
+
--- /dev/null
+From a820987d60fc5d5324cef2214302d3d946214457 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 14:17:53 +0300
+Subject: rtnetlink: Fix regression in bridge VLAN configuration
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit d2e381c4963663bca6f30c3b996fa4dbafe8fcb5 ]
+
+Cited commit started returning errors when notification info is not
+filled by the bridge driver, resulting in the following regression:
+
+ # ip link add name br1 type bridge vlan_filtering 1
+ # bridge vlan add dev br1 vid 555 self pvid untagged
+ RTNETLINK answers: Invalid argument
+
+As long as the bridge driver does not fill notification info for the
+bridge device itself, an empty notification should not be considered as
+an error. This is explained in commit 59ccaaaa49b5 ("bridge: dont send
+notification when skb->len == 0 in rtnl_bridge_notify").
+
+Fix by removing the error and add a comment to avoid future bugs.
+
+Fixes: a8db57c1d285 ("rtnetlink: Fix missing error code in rtnl_bridge_notify()")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 7f2dda27f9e7..055fd09ac111 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -4102,10 +4102,12 @@ static int rtnl_bridge_notify(struct net_device *dev)
+ if (err < 0)
+ goto errout;
+
+- if (!skb->len) {
+- err = -EINVAL;
++ /* Notification info is only filled for bridge ports, not the bridge
++ * device itself. Therefore, a zero notification length is valid and
++ * should not result in an error.
++ */
++ if (!skb->len)
+ goto errout;
+- }
+
+ rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, GFP_ATOMIC);
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 3dc8a8f85a2853943207c71d67019260daad7d99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 19:40:31 +0300
+Subject: sch_cake: Fix out of bounds when parsing TCP options and header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maxim Mikityanskiy <maximmi@nvidia.com>
+
+[ Upstream commit ba91c49dedbde758ba0b72f57ac90b06ddf8e548 ]
+
+The TCP option parser in cake qdisc (cake_get_tcpopt and
+cake_tcph_may_drop) could read one byte out of bounds. When the length
+is 1, the execution flow gets into the loop, reads one byte of the
+opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads
+one more byte, which exceeds the length of 1.
+
+This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
+out of bounds when parsing TCP options.").
+
+v2 changes:
+
+Added doff validation in cake_get_tcphdr to avoid parsing garbage as TCP
+header. Although it wasn't strictly an out-of-bounds access (memory was
+allocated), garbage values could be read where CAKE expected the TCP
+header if doff was smaller than 5.
+
+Cc: Young Xiao <92siuyang@gmail.com>
+Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter")
+Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_cake.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
+index 32712e7dcbdc..2025f0f559de 100644
+--- a/net/sched/sch_cake.c
++++ b/net/sched/sch_cake.c
+@@ -900,7 +900,7 @@ static struct tcphdr *cake_get_tcphdr(const struct sk_buff *skb,
+ }
+
+ tcph = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
+- if (!tcph)
++ if (!tcph || tcph->doff < 5)
+ return NULL;
+
+ return skb_header_pointer(skb, offset,
+@@ -924,6 +924,8 @@ static const void *cake_get_tcpopt(const struct tcphdr *tcph,
+ length--;
+ continue;
+ }
++ if (length < 2)
++ break;
+ opsize = *ptr++;
+ if (opsize < 2 || opsize > length)
+ break;
+@@ -1061,6 +1063,8 @@ static bool cake_tcph_may_drop(const struct tcphdr *tcph,
+ length--;
+ continue;
+ }
++ if (length < 2)
++ break;
+ opsize = *ptr++;
+ if (opsize < 2 || opsize > length)
+ break;
+--
+2.30.2
+
dmaengine-stedma40-add-missing-iounmap-on-error-in-d.patch
afs-fix-an-is_err-vs-null-check.patch
mm-memory-failure-make-sure-wait-for-page-writeback-.patch
+batman-adv-avoid-warn_on-timing-related-checks.patch
+net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch
+net-rds-fix-memory-leak-in-rds_recvmsg.patch
+udp-fix-race-between-close-and-udp_abort.patch
+rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch
+net-mlx5e-remove-dependency-in-ipsec-initialization-.patch
+net-mlx5e-block-offload-of-outer-header-csum-for-udp.patch
+netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch
+sch_cake-fix-out-of-bounds-when-parsing-tcp-options-.patch
+alx-fix-an-error-handling-path-in-alx_probe.patch
+net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch
+net-add-documentation-to-socket.c.patch
+net-make-get_net_ns-return-error-if-net_ns-is-disabl.patch
+qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch
+netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch
+net-qrtr-fix-oob-read-in-qrtr_endpoint_post.patch
+ptp-ptp_clock-publish-scaled_ppm_to_ppb.patch
+ptp-improve-max_adj-check-against-unreasonable-value.patch
+net-cdc_ncm-switch-to-eth-d-interface-naming.patch
+net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch
+net-fec_ptp-fix-issue-caused-by-refactor-the-fec_dev.patch
+net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch
+net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch
+be2net-fix-an-error-handling-path-in-be_probe.patch
+net-hamradio-fix-memory-leak-in-mkiss_close.patch
+net-cdc_eem-fix-tx-fixup-skb-leak.patch
+icmp-don-t-send-out-icmp-messages-with-a-source-addr.patch
+net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch
--- /dev/null
+From dc6542dc0a448ed83e2ecf521141b2a7d327d874 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 11:49:01 +0200
+Subject: udp: fix race between close() and udp_abort()
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit a8b897c7bcd47f4147d066e22cc01d1026d7640e ]
+
+Kaustubh reported and diagnosed a panic in udp_lib_lookup().
+The root cause is udp_abort() racing with close(). Both
+racing functions acquire the socket lock, but udp{v6}_destroy_sock()
+release it before performing destructive actions.
+
+We can't easily extend the socket lock scope to avoid the race,
+instead use the SOCK_DEAD flag to prevent udp_abort from doing
+any action when the critical race happens.
+
+Diagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org>
+Fixes: 5d77dca82839 ("net: diag: support SOCK_DESTROY for UDP sockets")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/udp.c | 10 ++++++++++
+ net/ipv6/udp.c | 3 +++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 110af0e7dc7b..2ff9f774d446 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -2432,6 +2432,9 @@ void udp_destroy_sock(struct sock *sk)
+ {
+ struct udp_sock *up = udp_sk(sk);
+ bool slow = lock_sock_fast(sk);
++
++ /* protects from races with udp_abort() */
++ sock_set_flag(sk, SOCK_DEAD);
+ udp_flush_pending_frames(sk);
+ unlock_sock_fast(sk, slow);
+ if (static_branch_unlikely(&udp_encap_needed_key) && up->encap_type) {
+@@ -2673,10 +2676,17 @@ int udp_abort(struct sock *sk, int err)
+ {
+ lock_sock(sk);
+
++ /* udp{v6}_destroy_sock() sets it under the sk lock, avoid racing
++ * with close()
++ */
++ if (sock_flag(sk, SOCK_DEAD))
++ goto out;
++
+ sk->sk_err = err;
+ sk->sk_error_report(sk);
+ __udp_disconnect(sk, 0);
+
++out:
+ release_sock(sk);
+
+ return 0;
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 6799ad462be3..c4a76c6af205 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1476,6 +1476,9 @@ void udpv6_destroy_sock(struct sock *sk)
+ {
+ struct udp_sock *up = udp_sk(sk);
+ lock_sock(sk);
++
++ /* protects from races with udp_abort() */
++ sock_set_flag(sk, SOCK_DEAD);
+ udp_v6_flush_pending_frames(sk);
+ release_sock(sk);
+
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
