Fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Mon, 15 Feb 2021 04:28:16 +0000 (23:28 -0500)
committerSasha Levin <sashal@kernel.org>
Mon, 15 Feb 2021 04:28:16 +0000 (23:28 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
13 files changed:
queue-4.19/bpf-check-for-integer-overflow-when-using-roundup_po.patch [new file with mode: 0644]
queue-4.19/firmware_loader-align-.builtin_fw-to-8.patch [new file with mode: 0644]
queue-4.19/h8300-fix-preemption-build-ti_pre_count-undefined.patch [new file with mode: 0644]
queue-4.19/i2c-stm32f7-fix-configuration-of-the-digital-filter.patch [new file with mode: 0644]
queue-4.19/mt76-dma-fix-a-possible-memory-leak-in-mt76_add_frag.patch [new file with mode: 0644]
queue-4.19/net-hns3-add-a-check-for-queue_id-in-hclge_reset_vf_.patch [new file with mode: 0644]
queue-4.19/net-stmmac-set-txq-mode-back-to-dcb-after-disabling-.patch [new file with mode: 0644]
queue-4.19/netfilter-conntrack-skip-identical-origin-tuple-in-s.patch [new file with mode: 0644]
queue-4.19/netfilter-flowtable-fix-tcp-and-udp-header-checksum-.patch [new file with mode: 0644]
queue-4.19/netfilter-nftables-fix-possible-uaf-over-chains-from.patch [new file with mode: 0644]
queue-4.19/netfilter-xt_recent-fix-attempt-to-update-deleted-en.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/xen-netback-avoid-race-in-xenvif_rx_ring_slots_avail.patch [new file with mode: 0644]

diff --git a/queue-4.19/bpf-check-for-integer-overflow-when-using-roundup_po.patch b/queue-4.19/bpf-check-for-integer-overflow-when-using-roundup_po.patch
new file mode 100644 (file)
index 0000000..20fbc36
--- /dev/null
@@ -0,0 +1,37 @@
+From 828ea86f16dcef9b165146e084e01bb0dd7bf963 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Jan 2021 06:36:53 +0000
+Subject: bpf: Check for integer overflow when using roundup_pow_of_two()
+
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+
+[ Upstream commit 6183f4d3a0a2ad230511987c6c362ca43ec0055f ]
+
+On 32-bit architecture, roundup_pow_of_two() can return 0 when the argument
+has upper most bit set due to resulting 1UL << 32. Add a check for this case.
+
+Fixes: d5a3b1f69186 ("bpf: introduce BPF_MAP_TYPE_STACK_TRACE")
+Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20210127063653.3576-1-minhquangbui99@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/stackmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
+index 55fff5e6d9831..a47d623f59fe7 100644
+--- a/kernel/bpf/stackmap.c
++++ b/kernel/bpf/stackmap.c
+@@ -114,6 +114,8 @@ static struct bpf_map *stack_map_alloc(union bpf_attr *attr)
+       /* hash table size must be power of 2 */
+       n_buckets = roundup_pow_of_two(attr->max_entries);
++      if (!n_buckets)
++              return ERR_PTR(-E2BIG);
+       cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap);
+       if (cost >= U32_MAX - PAGE_SIZE)
+-- 
+2.27.0
+
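Review bot: The new `if (!n_buckets)` test in stack_map_alloc() runs after roundup_pow_of_two() has already been evaluated, so it depends on whatever an out-of-range rounding returns; the commit message attributes the zero to `1UL << 32` on 32-bit, which is a shift by the full width of the type and undefined in C. Rejecting the input before rounding does not rely on that result, e.g. `if (attr->max_entries > 1UL << 31) return ERR_PTR(-E2BIG);` placed above the roundup_pow_of_two() call. attr->max_entries comes from the caller's bpf_attr and feeds the `cost` computation on the next line, so this is a bound on caller-controlled input. stack_map_alloc() starts and ends outside the hunk, so any earlier validation of max_entries is not visible here.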
diff --git a/queue-4.19/firmware_loader-align-.builtin_fw-to-8.patch b/queue-4.19/firmware_loader-align-.builtin_fw-to-8.patch
new file mode 100644 (file)
index 0000000..6f597b8
--- /dev/null
@@ -0,0 +1,54 @@
+From 0604ce107e47889f8b7e0cf56548d29079fd5836 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Feb 2021 13:42:07 -0800
+Subject: firmware_loader: align .builtin_fw to 8
+
+From: Fangrui Song <maskray@google.com>
+
+[ Upstream commit 793f49a87aae24e5bcf92ad98d764153fc936570 ]
+
+arm64 references the start address of .builtin_fw (__start_builtin_fw)
+with a pair of R_AARCH64_ADR_PREL_PG_HI21/R_AARCH64_LDST64_ABS_LO12_NC
+relocations.  The compiler is allowed to emit the
+R_AARCH64_LDST64_ABS_LO12_NC relocation because struct builtin_fw in
+include/linux/firmware.h is 8-byte aligned.
+
+The R_AARCH64_LDST64_ABS_LO12_NC relocation requires the address to be a
+multiple of 8, which may not be the case if .builtin_fw is empty.
+Unconditionally align .builtin_fw to fix the linker error.  32-bit
+architectures could use ALIGN(4) but that would add unnecessary
+complexity, so just use ALIGN(8).
+
+Link: https://lkml.kernel.org/r/20201208054646.2913063-1-maskray@google.com
+Link: https://github.com/ClangBuiltLinux/linux/issues/1204
+Fixes: 5658c76 ("firmware: allow firmware files to be built into kernel image")
+Signed-off-by: Fangrui Song <maskray@google.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Tested-by: Nick Desaulniers <ndesaulniers@google.com>
+Tested-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/asm-generic/vmlinux.lds.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
+index f65a924a75abd..e71c97c3c25ef 100644
+--- a/include/asm-generic/vmlinux.lds.h
++++ b/include/asm-generic/vmlinux.lds.h
+@@ -363,7 +363,7 @@
+       }                                                               \
+                                                                       \
+       /* Built-in firmware blobs */                                   \
+-      .builtin_fw        : AT(ADDR(.builtin_fw) - LOAD_OFFSET) {      \
++      .builtin_fw : AT(ADDR(.builtin_fw) - LOAD_OFFSET) ALIGN(8) {    \
+               __start_builtin_fw = .;                                 \
+               KEEP(*(.builtin_fw))                                    \
+               __end_builtin_fw = .;                                   \
+-- 
+2.27.0
+
diff --git a/queue-4.19/h8300-fix-preemption-build-ti_pre_count-undefined.patch b/queue-4.19/h8300-fix-preemption-build-ti_pre_count-undefined.patch
new file mode 100644 (file)
index 0000000..ebe64fe
--- /dev/null
@@ -0,0 +1,44 @@
+From 44e67a183b957910c92ce954ecf443dc9a5bad2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Feb 2021 20:52:54 -0800
+Subject: h8300: fix PREEMPTION build, TI_PRE_COUNT undefined
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit ade9679c159d5bbe14fb7e59e97daf6062872e2b ]
+
+Fix a build error for undefined 'TI_PRE_COUNT' by adding it to
+asm-offsets.c.
+
+  h8300-linux-ld: arch/h8300/kernel/entry.o: in function `resume_kernel': (.text+0x29a): undefined reference to `TI_PRE_COUNT'
+
+Link: https://lkml.kernel.org/r/20210212021650.22740-1-rdunlap@infradead.org
+Fixes: df2078b8daa7 ("h8300: Low level entry")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/h8300/kernel/asm-offsets.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/h8300/kernel/asm-offsets.c b/arch/h8300/kernel/asm-offsets.c
+index 85e60509f0a83..d4b53af657c84 100644
+--- a/arch/h8300/kernel/asm-offsets.c
++++ b/arch/h8300/kernel/asm-offsets.c
+@@ -63,6 +63,9 @@ int main(void)
+       OFFSET(TI_FLAGS, thread_info, flags);
+       OFFSET(TI_CPU, thread_info, cpu);
+       OFFSET(TI_PRE, thread_info, preempt_count);
++#ifdef CONFIG_PREEMPTION
++      DEFINE(TI_PRE_COUNT, offsetof(struct thread_info, preempt_count));
++#endif
+       return 0;
+ }
+-- 
+2.27.0
+
diff --git a/queue-4.19/i2c-stm32f7-fix-configuration-of-the-digital-filter.patch b/queue-4.19/i2c-stm32f7-fix-configuration-of-the-digital-filter.patch
new file mode 100644 (file)
index 0000000..4f14ca0
--- /dev/null
@@ -0,0 +1,62 @@
+From ec3915f7894a481b35ff243b2cf9a78e3c002235 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Feb 2021 09:51:40 +0100
+Subject: i2c: stm32f7: fix configuration of the digital filter
+
+From: Alain Volmat <alain.volmat@foss.st.com>
+
+[ Upstream commit 3d6a3d3a2a7a3a60a824e7c04e95fd50dec57812 ]
+
+The digital filter related computation are present in the driver
+however the programming of the filter within the IP is missing.
+The maximum value for the DNF is wrong and should be 15 instead of 16.
+
+Fixes: aeb068c57214 ("i2c: i2c-stm32f7: add driver")
+
+Signed-off-by: Alain Volmat <alain.volmat@foss.st.com>
+Signed-off-by: Pierre-Yves MORDRET <pierre-yves.mordret@foss.st.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-stm32f7.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-stm32f7.c b/drivers/i2c/busses/i2c-stm32f7.c
+index eb7e533b0dd47..6feafebf85feb 100644
+--- a/drivers/i2c/busses/i2c-stm32f7.c
++++ b/drivers/i2c/busses/i2c-stm32f7.c
+@@ -49,6 +49,8 @@
+ #define STM32F7_I2C_CR1_RXDMAEN                       BIT(15)
+ #define STM32F7_I2C_CR1_TXDMAEN                       BIT(14)
+ #define STM32F7_I2C_CR1_ANFOFF                        BIT(12)
++#define STM32F7_I2C_CR1_DNF_MASK              GENMASK(11, 8)
++#define STM32F7_I2C_CR1_DNF(n)                        (((n) & 0xf) << 8)
+ #define STM32F7_I2C_CR1_ERRIE                 BIT(7)
+ #define STM32F7_I2C_CR1_TCIE                  BIT(6)
+ #define STM32F7_I2C_CR1_STOPIE                        BIT(5)
+@@ -147,7 +149,7 @@
+ #define STM32F7_I2C_MAX_SLAVE                 0x2
+ #define STM32F7_I2C_DNF_DEFAULT                       0
+-#define STM32F7_I2C_DNF_MAX                   16
++#define STM32F7_I2C_DNF_MAX                   15
+ #define STM32F7_I2C_ANALOG_FILTER_ENABLE      1
+ #define STM32F7_I2C_ANALOG_FILTER_DELAY_MIN   50      /* ns */
+@@ -645,6 +647,13 @@ static void stm32f7_i2c_hw_config(struct stm32f7_i2c_dev *i2c_dev)
+       else
+               stm32f7_i2c_set_bits(i2c_dev->base + STM32F7_I2C_CR1,
+                                    STM32F7_I2C_CR1_ANFOFF);
++
++      /* Program the Digital Filter */
++      stm32f7_i2c_clr_bits(i2c_dev->base + STM32F7_I2C_CR1,
++                           STM32F7_I2C_CR1_DNF_MASK);
++      stm32f7_i2c_set_bits(i2c_dev->base + STM32F7_I2C_CR1,
++                           STM32F7_I2C_CR1_DNF(i2c_dev->setup.dnf));
++
+       stm32f7_i2c_set_bits(i2c_dev->base + STM32F7_I2C_CR1,
+                            STM32F7_I2C_CR1_PE);
+ }
+-- 
+2.27.0
+
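Review bot: `STM32F7_I2C_CR1_DNF(n)` repeats the field position as the literals `0xf` and `8` next to the new `STM32F7_I2C_CR1_DNF_MASK`, and it silently truncates an out-of-range value instead of exposing it. Deriving the value from the mask keeps the two definitions from drifting, e.g. `#define STM32F7_I2C_CR1_DNF(n) FIELD_PREP(STM32F7_I2C_CR1_DNF_MASK, (n))`, assuming <linux/bitfield.h> is acceptable in this driver. Where `i2c_dev->setup.dnf` is checked against STM32F7_I2C_DNF_MAX is outside the hunk, so the comment `/* Program the Digital Filter */` could also state that dnf has already been bounded to 0..15.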
diff --git a/queue-4.19/mt76-dma-fix-a-possible-memory-leak-in-mt76_add_frag.patch b/queue-4.19/mt76-dma-fix-a-possible-memory-leak-in-mt76_add_frag.patch
new file mode 100644 (file)
index 0000000..ecc842a
--- /dev/null
@@ -0,0 +1,51 @@
+From fe6804256933203e895bd35097937e963d631653 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Jan 2021 12:02:13 +0100
+Subject: mt76: dma: fix a possible memory leak in mt76_add_fragment()
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 93a1d4791c10d443bc67044def7efee2991d48b7 ]
+
+Fix a memory leak in mt76_add_fragment routine returning the buffer
+to the page_frag_cache when we receive a new fragment and the
+skb_shared_info frag array is full.
+
+Fixes: b102f0c522cf6 ("mt76: fix array overflow on receiving too many fragments for a packet")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Acked-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/4f9dd73407da88b2a552517ce8db242d86bf4d5c.1611616130.git.lorenzo@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/dma.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c
+index cc6840377bc27..8ce6a167dd2cc 100644
+--- a/drivers/net/wireless/mediatek/mt76/dma.c
++++ b/drivers/net/wireless/mediatek/mt76/dma.c
+@@ -393,15 +393,17 @@ static void
+ mt76_add_fragment(struct mt76_dev *dev, struct mt76_queue *q, void *data,
+                 int len, bool more)
+ {
+-      struct page *page = virt_to_head_page(data);
+-      int offset = data - page_address(page);
+       struct sk_buff *skb = q->rx_head;
+       struct skb_shared_info *shinfo = skb_shinfo(skb);
+       if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags)) {
+-              offset += q->buf_offset;
++              struct page *page = virt_to_head_page(data);
++              int offset = data - page_address(page) + q->buf_offset;
++
+               skb_add_rx_frag(skb, shinfo->nr_frags, page, offset, len,
+                               q->buf_size);
++      } else {
++              skb_free_frag(data);
+       }
+       if (more)
+-- 
+2.27.0
+
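Review bot: The new `else` branch in mt76_add_fragment() frees the buffer but leaves the skb in `q->rx_head` untouched, so a frame that lost a fragment appears to continue down the same path as a complete one. The code after `if (more)` is outside the hunk, so whether such a frame is later discarded cannot be confirmed from here. If truncated frames do reach the upper layer, the skb should be dropped once the last fragment arrives rather than delivered short. At minimum the branch deserves a comment such as `/* frag array full: drop this fragment and return the buffer to the page_frag cache */`.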
diff --git a/queue-4.19/net-hns3-add-a-check-for-queue_id-in-hclge_reset_vf_.patch b/queue-4.19/net-hns3-add-a-check-for-queue_id-in-hclge_reset_vf_.patch
new file mode 100644 (file)
index 0000000..443f0ac
--- /dev/null
@@ -0,0 +1,49 @@
+From 92bb6816bd7fe8e4dbf865ed2c935b8842a12af2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Feb 2021 17:03:05 +0800
+Subject: net: hns3: add a check for queue_id in hclge_reset_vf_queue()
+
+From: Yufeng Mo <moyufeng@huawei.com>
+
+[ Upstream commit 67a69f84cab60484f02eb8cbc7a76edffbb28a25 ]
+
+The queue_id is received from vf, if use it directly,
+an out-of-bound issue may be caused, so add a check for
+this queue_id before using it in hclge_reset_vf_queue().
+
+Fixes: 1a426f8b40fc ("net: hns3: fix the VF queue reset flow error")
+Signed-off-by: Yufeng Mo <moyufeng@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index d575dd9a329d9..16ab000454f91 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -5182,12 +5182,19 @@ void hclge_reset_tqp(struct hnae3_handle *handle, u16 queue_id)
+ void hclge_reset_vf_queue(struct hclge_vport *vport, u16 queue_id)
+ {
++      struct hnae3_handle *handle = &vport->nic;
+       struct hclge_dev *hdev = vport->back;
+       int reset_try_times = 0;
+       int reset_status;
+       u16 queue_gid;
+       int ret;
++      if (queue_id >= handle->kinfo.num_tqps) {
++              dev_warn(&hdev->pdev->dev, "Invalid vf queue id(%u)\n",
++                       queue_id);
++              return;
++      }
++
+       queue_gid = hclge_covert_handle_qid_global(&vport->nic, queue_id);
+       ret = hclge_send_reset_tqp_cmd(hdev, queue_gid, true);
+-- 
+2.27.0
+
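Review bot: The `dev_warn()` in the new bounds check of hclge_reset_vf_queue() is reached with a queue_id that, per the commit message, is received from the VF, so a misbehaving VF can make the PF emit one log line per request. `dev_warn_ratelimited(&hdev->pdev->dev, "Invalid vf queue id(%u)\n", queue_id);` bounds that. The added local `handle` is used for the check while the following hclge_covert_handle_qid_global() call still passes `&vport->nic`; using `handle` in both places makes it clear that the bound and the lookup refer to the same object. The function body continues outside the hunk.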
diff --git a/queue-4.19/net-stmmac-set-txq-mode-back-to-dcb-after-disabling-.patch b/queue-4.19/net-stmmac-set-txq-mode-back-to-dcb-after-disabling-.patch
new file mode 100644 (file)
index 0000000..0899c05
--- /dev/null
@@ -0,0 +1,52 @@
+From 58846148f63f8687bc0676c35130e159949c130b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Feb 2021 22:03:16 +0800
+Subject: net: stmmac: set TxQ mode back to DCB after disabling CBS
+
+From: Mohammad Athari Bin Ismail <mohammad.athari.ismail@intel.com>
+
+[ Upstream commit f317e2ea8c88737aa36228167b2292baef3f0430 ]
+
+When disable CBS, mode_to_use parameter is not updated even the operation
+mode of Tx Queue is changed to Data Centre Bridging (DCB). Therefore,
+when tc_setup_cbs() function is called to re-enable CBS, the operation
+mode of Tx Queue remains at DCB, which causing CBS fails to work.
+
+This patch updates the value of mode_to_use parameter to MTL_QUEUE_DCB
+after operation mode of Tx Queue is changed to DCB in stmmac_dma_qmode()
+callback function.
+
+Fixes: 1f705bc61aee ("net: stmmac: Add support for CBS QDISC")
+Suggested-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: Mohammad Athari Bin Ismail <mohammad.athari.ismail@intel.com>
+Signed-off-by: Song, Yoong Siang <yoong.siang.song@intel.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Link: https://lore.kernel.org/r/1612447396-20351-1-git-send-email-yoong.siang.song@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+index 37c0bc699cd9c..cc1895a32b9d3 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+@@ -314,7 +314,12 @@ static int tc_setup_cbs(struct stmmac_priv *priv,
+               priv->plat->tx_queues_cfg[queue].mode_to_use = MTL_QUEUE_AVB;
+       } else if (!qopt->enable) {
+-              return stmmac_dma_qmode(priv, priv->ioaddr, queue, MTL_QUEUE_DCB);
++              ret = stmmac_dma_qmode(priv, priv->ioaddr, queue,
++                                     MTL_QUEUE_DCB);
++              if (ret)
++                      return ret;
++
++              priv->plat->tx_queues_cfg[queue].mode_to_use = MTL_QUEUE_DCB;
+       }
+       /* Port Transmit Rate and Speed Divider */
+-- 
+2.27.0
+
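Review bot: The `!qopt->enable` branch of tc_setup_cbs() used to return directly, but after this change a successful disable falls through to the code under `/* Port Transmit Rate and Speed Divider */`. That code is outside the hunk, so it is not visible whether programming the rate registers with the qopt values of a disable request is intended. If it is not, end the branch with `return 0;` after the `mode_to_use = MTL_QUEUE_DCB` assignment; if it is, a one-line comment saying that the fall-through is deliberate would prevent a later "fix".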
diff --git a/queue-4.19/netfilter-conntrack-skip-identical-origin-tuple-in-s.patch b/queue-4.19/netfilter-conntrack-skip-identical-origin-tuple-in-s.patch
new file mode 100644 (file)
index 0000000..5a38d7d
--- /dev/null
@@ -0,0 +1,43 @@
+From bae57c9eb607f7eb0157dffb57a381415da554c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Feb 2021 12:56:43 +0100
+Subject: netfilter: conntrack: skip identical origin tuple in same zone only
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 07998281c268592963e1cd623fe6ab0270b65ae4 ]
+
+The origin skip check needs to re-test the zone. Else, we might skip
+a colliding tuple in the reply direction.
+
+This only occurs when using 'directional zones' where origin tuples
+reside in different zones but the reply tuples share the same zone.
+
+This causes the new conntrack entry to be dropped at confirmation time
+because NAT clash resolution was elided.
+
+Fixes: 4e35c1cb9460240 ("netfilter: nf_nat: skip nat clash resolution for same-origin entries")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index ad1da6b2fb607..1dceda3c0e759 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1063,7 +1063,8 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
+                        * Let nf_ct_resolve_clash() deal with this later.
+                        */
+                       if (nf_ct_tuple_equal(&ignored_conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
+-                                            &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple))
++                                            &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple) &&
++                                            nf_ct_zone_equal(ct, zone, IP_CT_DIR_ORIGINAL))
+                               continue;
+                       NF_CT_STAT_INC_ATOMIC(net, found);
+-- 
+2.27.0
+
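Review bot: The added `nf_ct_zone_equal(ct, zone, IP_CT_DIR_ORIGINAL)` in nf_conntrack_tuple_taken() is indented to the column of nf_ct_tuple_equal()'s arguments, so it reads like a third argument rather than the second operand of `&&`. Aligning it with the `nf_ct_tuple_equal(` call makes the structure of the condition visible. The comment above the test ends at "Let nf_ct_resolve_clash() deal with this later." and should gain a line stating that the skip applies only when the ignored entry is in the same zone in the original direction. The enclosing loop starts outside the hunk.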
diff --git a/queue-4.19/netfilter-flowtable-fix-tcp-and-udp-header-checksum-.patch b/queue-4.19/netfilter-flowtable-fix-tcp-and-udp-header-checksum-.patch
new file mode 100644 (file)
index 0000000..fe6d7c7
--- /dev/null
@@ -0,0 +1,54 @@
+From fb658efcc825cbabfa3b770dcfaeb03906b640c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Feb 2021 18:01:16 +0100
+Subject: netfilter: flowtable: fix tcp and udp header checksum update
+
+From: Sven Auhagen <sven.auhagen@voleatech.de>
+
+[ Upstream commit 8d6bca156e47d68551750a384b3ff49384c67be3 ]
+
+When updating the tcp or udp header checksum on port nat the function
+inet_proto_csum_replace2 with the last parameter pseudohdr as true.
+This leads to an error in the case that GRO is used and packets are
+split up in GSO. The tcp or udp checksum of all packets is incorrect.
+
+The error is probably masked due to the fact the most network driver
+implement tcp/udp checksum offloading. It also only happens when GRO is
+applied and not on single packets.
+
+The error is most visible when using a pppoe connection which is not
+triggering the tcp/udp checksum offload.
+
+Fixes: ac2a66665e23 ("netfilter: add generic flow table infrastructure")
+Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_flow_table_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
+index 890799c16aa41..b3957fe7eced2 100644
+--- a/net/netfilter/nf_flow_table_core.c
++++ b/net/netfilter/nf_flow_table_core.c
+@@ -360,7 +360,7 @@ static int nf_flow_nat_port_tcp(struct sk_buff *skb, unsigned int thoff,
+               return -1;
+       tcph = (void *)(skb_network_header(skb) + thoff);
+-      inet_proto_csum_replace2(&tcph->check, skb, port, new_port, true);
++      inet_proto_csum_replace2(&tcph->check, skb, port, new_port, false);
+       return 0;
+ }
+@@ -377,7 +377,7 @@ static int nf_flow_nat_port_udp(struct sk_buff *skb, unsigned int thoff,
+       udph = (void *)(skb_network_header(skb) + thoff);
+       if (udph->check || skb->ip_summed == CHECKSUM_PARTIAL) {
+               inet_proto_csum_replace2(&udph->check, skb, port,
+-                                       new_port, true);
++                                       new_port, false);
+               if (!udph->check)
+                       udph->check = CSUM_MANGLED_0;
+       }
+-- 
+2.27.0
+
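Review bot: The bare `false` now passed as the last argument of inet_proto_csum_replace2() in nf_flow_nat_port_tcp(), and again in nf_flow_nat_port_udp() in the second hunk, carries the whole fix but nothing at the call site says why it is false. Since the previous `true` went unnoticed (the commit message says offload probably masked it), a comment such as `/* ports are not part of the pseudo-header */` above each call would keep the argument from being flipped back. Both functions start outside their hunks.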
diff --git a/queue-4.19/netfilter-nftables-fix-possible-uaf-over-chains-from.patch b/queue-4.19/netfilter-nftables-fix-possible-uaf-over-chains-from.patch
new file mode 100644 (file)
index 0000000..667794d
--- /dev/null
@@ -0,0 +1,88 @@
+From 142e293ce46a1c63cb167af6743e2b8abb6581df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Feb 2021 16:07:37 +0100
+Subject: netfilter: nftables: fix possible UAF over chains from packet path in
+ netns
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 767d1216bff82507c945e92fe719dff2083bb2f4 ]
+
+Although hooks are released via call_rcu(), chain and rule objects are
+immediately released while packets are still walking over these bits.
+
+This patch adds the .pre_exit callback which is invoked before
+synchronize_rcu() in the netns framework to stay safe.
+
+Remove a comment which is not valid anymore since the core does not use
+synchronize_net() anymore since 8c873e219970 ("netfilter: core: free
+hooks with call_rcu").
+
+Suggested-by: Florian Westphal <fw@strlen.de>
+Fixes: df05ef874b28 ("netfilter: nf_tables: release objects on netns destruction")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 9cc8e92f4b000..e669e20120446 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -7303,6 +7303,17 @@ int __nft_release_basechain(struct nft_ctx *ctx)
+ }
+ EXPORT_SYMBOL_GPL(__nft_release_basechain);
++static void __nft_release_hooks(struct net *net)
++{
++      struct nft_table *table;
++      struct nft_chain *chain;
++
++      list_for_each_entry(table, &net->nft.tables, list) {
++              list_for_each_entry(chain, &table->chains, list)
++                      nf_tables_unregister_hook(net, table, chain);
++      }
++}
++
+ static void __nft_release_tables(struct net *net)
+ {
+       struct nft_flowtable *flowtable, *nf;
+@@ -7318,10 +7329,6 @@ static void __nft_release_tables(struct net *net)
+       list_for_each_entry_safe(table, nt, &net->nft.tables, list) {
+               ctx.family = table->family;
+-
+-              list_for_each_entry(chain, &table->chains, list)
+-                      nf_tables_unregister_hook(net, table, chain);
+-              /* No packets are walking on these chains anymore. */
+               ctx.table = table;
+               list_for_each_entry(chain, &table->chains, list) {
+                       ctx.chain = chain;
+@@ -7368,6 +7375,11 @@ static int __net_init nf_tables_init_net(struct net *net)
+       return 0;
+ }
++static void __net_exit nf_tables_pre_exit_net(struct net *net)
++{
++      __nft_release_hooks(net);
++}
++
+ static void __net_exit nf_tables_exit_net(struct net *net)
+ {
+       mutex_lock(&net->nft.commit_mutex);
+@@ -7379,8 +7391,9 @@ static void __net_exit nf_tables_exit_net(struct net *net)
+ }
+ static struct pernet_operations nf_tables_net_ops = {
+-      .init   = nf_tables_init_net,
+-      .exit   = nf_tables_exit_net,
++      .init           = nf_tables_init_net,
++      .pre_exit       = nf_tables_pre_exit_net,
++      .exit           = nf_tables_exit_net,
+ };
+ static int __init nf_tables_module_init(void)
+-- 
+2.27.0
+
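Review bot: The new `__nft_release_hooks()` unregisters only chain hooks, while `__nft_release_tables()` still declares `struct nft_flowtable *flowtable, *nf;`, so flowtable hooks presumably remain registered until `.exit` runs. That loop is outside the hunk, so please confirm that flowtable objects are not exposed to the same packet-path lifetime problem this commit fixes for chains. The helper also walks `net->nft.tables` without the `commit_mutex` that nf_tables_exit_net() takes; whether that is safe at pre_exit time is not visible here. Since the removed comment was the only statement of the ordering, a replacement above the helper would help, e.g. `/* Called from .pre_exit: unregister hooks first so the netns RCU grace period elapses before .exit frees chains and rules. */`.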
diff --git a/queue-4.19/netfilter-xt_recent-fix-attempt-to-update-deleted-en.patch b/queue-4.19/netfilter-xt_recent-fix-attempt-to-update-deleted-en.patch
new file mode 100644 (file)
index 0000000..69f7769
--- /dev/null
@@ -0,0 +1,66 @@
+From 7ef5b9da9ba7848ea512ff01e3160b38709aac8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Jan 2021 20:57:43 +0100
+Subject: netfilter: xt_recent: Fix attempt to update deleted entry
+
+From: Jozsef Kadlecsik <kadlec@mail.kfki.hu>
+
+[ Upstream commit b1bdde33b72366da20d10770ab7a49fe87b5e190 ]
+
+When both --reap and --update flag are specified, there's a code
+path at which the entry to be updated is reaped beforehand,
+which then leads to kernel crash. Reap only entries which won't be
+updated.
+
+Fixes kernel bugzilla #207773.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=207773
+Reported-by: Reindl Harald <h.reindl@thelounge.net>
+Fixes: 0079c5aee348 ("netfilter: xt_recent: add an entry reaper")
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/xt_recent.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
+index 570144507df11..cb58bc7ae30d3 100644
+--- a/net/netfilter/xt_recent.c
++++ b/net/netfilter/xt_recent.c
+@@ -155,7 +155,8 @@ static void recent_entry_remove(struct recent_table *t, struct recent_entry *e)
+ /*
+  * Drop entries with timestamps older then 'time'.
+  */
+-static void recent_entry_reap(struct recent_table *t, unsigned long time)
++static void recent_entry_reap(struct recent_table *t, unsigned long time,
++                            struct recent_entry *working, bool update)
+ {
+       struct recent_entry *e;
+@@ -164,6 +165,12 @@ static void recent_entry_reap(struct recent_table *t, unsigned long time)
+        */
+       e = list_entry(t->lru_list.next, struct recent_entry, lru_list);
++      /*
++       * Do not reap the entry which are going to be updated.
++       */
++      if (e == working && update)
++              return;
++
+       /*
+        * The last time stamp is the most recent.
+        */
+@@ -306,7 +313,8 @@ recent_mt(const struct sk_buff *skb, struct xt_action_param *par)
+               /* info->seconds must be non-zero */
+               if (info->check_set & XT_RECENT_REAP)
+-                      recent_entry_reap(t, time);
++                      recent_entry_reap(t, time, e,
++                              info->check_set & XT_RECENT_UPDATE && ret);
+       }
+       if (info->check_set & XT_RECENT_SET ||
+-- 
+2.27.0
+
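Review bot: The new last argument in recent_mt(), `info->check_set & XT_RECENT_UPDATE && ret`, relies on `&` binding tighter than `&&`; it evaluates as intended, but many compilers warn about it and it is easy to misread in code that guards against using a freed entry. Writing it as `(info->check_set & XT_RECENT_UPDATE) && ret` removes the doubt. In recent_entry_reap() the added comment should read `Do not reap the entry which is going to be updated.`, and the existing header comment "Drop entries with timestamps older then 'time'" no longer describes the `working` and `update` parameters. Both functions extend outside the hunks shown.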
index fd6907d949bc69e15b1a0b14faf676540408f381..d6232477524968a492c872fb81c78d866a9fb71f 100644 (file)
@@ -13,3 +13,15 @@ bfq-iosched-revert-bfq-fix-computation-of-shallow-de.patch
 arm-dts-lpc32xx-revert-set-default-clock-rate-of-hcl.patch
 arm-ensure-the-signal-page-contains-defined-contents.patch
 arm-kexec-fix-oops-after-tlb-are-invalidated.patch
+mt76-dma-fix-a-possible-memory-leak-in-mt76_add_frag.patch
+bpf-check-for-integer-overflow-when-using-roundup_po.patch
+netfilter-xt_recent-fix-attempt-to-update-deleted-en.patch
+netfilter-nftables-fix-possible-uaf-over-chains-from.patch
+netfilter-flowtable-fix-tcp-and-udp-header-checksum-.patch
+xen-netback-avoid-race-in-xenvif_rx_ring_slots_avail.patch
+net-stmmac-set-txq-mode-back-to-dcb-after-disabling-.patch
+netfilter-conntrack-skip-identical-origin-tuple-in-s.patch
+net-hns3-add-a-check-for-queue_id-in-hclge_reset_vf_.patch
+firmware_loader-align-.builtin_fw-to-8.patch
+i2c-stm32f7-fix-configuration-of-the-digital-filter.patch
+h8300-fix-preemption-build-ti_pre_count-undefined.patch
diff --git a/queue-4.19/xen-netback-avoid-race-in-xenvif_rx_ring_slots_avail.patch b/queue-4.19/xen-netback-avoid-race-in-xenvif_rx_ring_slots_avail.patch
new file mode 100644 (file)
index 0000000..a6578c0
--- /dev/null
@@ -0,0 +1,58 @@
+From 777e789cb8c7bf10914dfc795d71dacd1b4219a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Feb 2021 08:09:38 +0100
+Subject: xen/netback: avoid race in xenvif_rx_ring_slots_available()
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit ec7d8e7dd3a59528e305a18e93f1cb98f7faf83b ]
+
+Since commit 23025393dbeb3b8b3 ("xen/netback: use lateeoi irq binding")
+xenvif_rx_ring_slots_available() is no longer called only from the rx
+queue kernel thread, so it needs to access the rx queue with the
+associated queue held.
+
+Reported-by: Igor Druzhinin <igor.druzhinin@citrix.com>
+Fixes: 23025393dbeb3b8b3 ("xen/netback: use lateeoi irq binding")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Acked-by: Wei Liu <wl@xen.org>
+Link: https://lore.kernel.org/r/20210202070938.7863-1-jgross@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netback/rx.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/xen-netback/rx.c b/drivers/net/xen-netback/rx.c
+index 9b62f65b630e4..48e2006f96ce6 100644
+--- a/drivers/net/xen-netback/rx.c
++++ b/drivers/net/xen-netback/rx.c
+@@ -38,10 +38,15 @@ static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue)
+       RING_IDX prod, cons;
+       struct sk_buff *skb;
+       int needed;
++      unsigned long flags;
++
++      spin_lock_irqsave(&queue->rx_queue.lock, flags);
+       skb = skb_peek(&queue->rx_queue);
+-      if (!skb)
++      if (!skb) {
++              spin_unlock_irqrestore(&queue->rx_queue.lock, flags);
+               return false;
++      }
+       needed = DIV_ROUND_UP(skb->len, XEN_PAGE_SIZE);
+       if (skb_is_gso(skb))
+@@ -49,6 +54,8 @@ static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue)
+       if (skb->sw_hash)
+               needed++;
++      spin_unlock_irqrestore(&queue->rx_queue.lock, flags);
++
+       do {
+               prod = queue->rx.sring->req_prod;
+               cons = queue->rx.req_cons;
+-- 
+2.27.0
+
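Review bot: Nothing in xenvif_rx_ring_slots_available() records that `skb` must not be dereferenced after the new `spin_unlock_irqrestore()`, although skb_peek() leaves the entry on the queue and, per the commit message, the function is no longer called only from the rx kernel thread. A comment at the unlock such as `/* skb may be dequeued by another context from here on; only 'needed' is used below */` makes that constraint explicit. The lock is also released in two places; a single unlock label would keep lock and unlock paired if further early returns are added. The do/while loop continues outside the hunk.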