--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 3 Dec 2020 11:44:31 +0300
+Subject: chelsio/chtls: fix a double free in chtls_setkey()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 391119fb5c5c4bdb4d57c7ffeb5e8d18560783d1 ]
+
+The "skb" is freed by the transmit code in cxgb4_ofld_send() and we
+shouldn't use it again. But in the current code, if we hit an error
+later on in the function then the clean up code will call kfree_skb(skb)
+and so it causes a double free.
+
+Set the "skb" to NULL and that makes the kfree_skb() a no-op.
+
+Fixes: d25f2f71f653 ("crypto: chtls - Program the TLS session Key")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/X8ilb6PtBRLWiSHp@mwanda
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/chelsio/chtls/chtls_hw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/chelsio/chtls/chtls_hw.c
++++ b/drivers/crypto/chelsio/chtls/chtls_hw.c
+@@ -365,6 +365,7 @@ int chtls_setkey(struct chtls_sock *csk,
+ csk->wr_unacked += DIV_ROUND_UP(len, 16);
+ enqueue_wr(csk, skb);
+ cxgb4_ofld_send(csk->egress_dev, skb);
++ skb = NULL;
+
+ chtls_set_scmd(csk);
+ /* Clear quiesce for Rx key */
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
+Date: Thu, 26 Nov 2020 03:19:14 +0530
+Subject: chelsio/chtls: fix panic during unload reload chtls
+
+From: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
+
+[ Upstream commit e3d5e971d2f83d8ddd4b91a50cea4517fb488383 ]
+
+there is kernel panic in inet_twsk_free() while chtls
+module unload when socket is in TIME_WAIT state because
+sk_prot_creator was not preserved on connection socket.
+
+Fixes: cc35c88ae4db ("crypto : chtls - CPL handler definition")
+Signed-off-by: Udai Sharma <udai.sharma@chelsio.com>
+Signed-off-by: Vinay Kumar Yadav <vinay.yadav@chelsio.com>
+Link: https://lore.kernel.org/r/20201125214913.16938-1-vinay.yadav@chelsio.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/chelsio/chtls/chtls_cm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/chelsio/chtls/chtls_cm.c
++++ b/drivers/crypto/chelsio/chtls/chtls_cm.c
+@@ -1077,6 +1077,7 @@ static struct sock *chtls_recv_sock(stru
+ sk_setup_caps(newsk, dst);
+ ctx = tls_get_ctx(lsk);
+ newsk->sk_destruct = ctx->sk_destruct;
++ newsk->sk_prot_creator = lsk->sk_prot_creator;
+ csk->sk = newsk;
+ csk->passive_reap_next = oreq;
+ csk->tx_chan = cxgb4_port_chan(ndev);
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+Date: Wed, 2 Dec 2020 17:56:05 +0800
+Subject: cxgb3: fix error return code in t3_sge_alloc_qset()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit ff9924897f8bfed82e61894b373ab9d2dfea5b10 ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: b1fb1f280d09 ("cxgb3 - Fix dma mapping error path")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Acked-by: Raju Rangoju <rajur@chelsio.com>
+Link: https://lore.kernel.org/r/1606902965-1646-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb3/sge.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/chelsio/cxgb3/sge.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/sge.c
+@@ -3176,6 +3176,7 @@ int t3_sge_alloc_qset(struct adapter *ad
+ GFP_KERNEL | __GFP_COMP);
+ if (!avail) {
+ CH_ALERT(adapter, "free list queue 0 initialization failed\n");
++ ret = -ENOMEM;
+ goto err;
+ }
+ if (avail < q->fl[0].size)
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Mon, 26 Oct 2020 16:36:20 +0100
+Subject: dt-bindings: net: correct interrupt flags in examples
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 4d521943f76bd0d1e68ea5e02df7aadd30b2838a ]
+
+GPIO_ACTIVE_x flags are not correct in the context of interrupt flags.
+These are simple defines so they could be used in DTS but they will not
+have the same meaning:
+1. GPIO_ACTIVE_HIGH = 0 = IRQ_TYPE_NONE
+2. GPIO_ACTIVE_LOW = 1 = IRQ_TYPE_EDGE_RISING
+
+Correct the interrupt flags, assuming the author of the code wanted same
+logical behavior behind the name "ACTIVE_xxx", this is:
+ ACTIVE_LOW => IRQ_TYPE_LEVEL_LOW
+ ACTIVE_HIGH => IRQ_TYPE_LEVEL_HIGH
+
+Fixes: a1a8b4594f8d ("NFC: pn544: i2c: Add DTS Documentation")
+Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver")
+Fixes: e3b329221567 ("dt-bindings: can: tcan4x5x: Update binding to use interrupt property")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Rob Herring <robh@kernel.org>
+Acked-by: Marc Kleine-Budde <mkl@pengutronix.de> # for tcan4x5x.txt
+Link: https://lore.kernel.org/r/20201026153620.89268-1-krzk@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/net/can/tcan4x5x.txt | 2 +-
+ Documentation/devicetree/bindings/net/nfc/nxp-nci.txt | 2 +-
+ Documentation/devicetree/bindings/net/nfc/pn544.txt | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/Documentation/devicetree/bindings/net/can/tcan4x5x.txt
++++ b/Documentation/devicetree/bindings/net/can/tcan4x5x.txt
+@@ -33,7 +33,7 @@ tcan4x5x: tcan4x5x@0 {
+ spi-max-frequency = <10000000>;
+ bosch,mram-cfg = <0x0 0 0 32 0 0 1 1>;
+ interrupt-parent = <&gpio1>;
+- interrupts = <14 GPIO_ACTIVE_LOW>;
++ interrupts = <14 IRQ_TYPE_LEVEL_LOW>;
+ device-state-gpios = <&gpio3 21 GPIO_ACTIVE_HIGH>;
+ device-wake-gpios = <&gpio1 15 GPIO_ACTIVE_HIGH>;
+ reset-gpios = <&gpio1 27 GPIO_ACTIVE_LOW>;
+--- a/Documentation/devicetree/bindings/net/nfc/nxp-nci.txt
++++ b/Documentation/devicetree/bindings/net/nfc/nxp-nci.txt
+@@ -25,7 +25,7 @@ Example (for ARM-based BeagleBone with N
+ clock-frequency = <100000>;
+
+ interrupt-parent = <&gpio1>;
+- interrupts = <29 GPIO_ACTIVE_HIGH>;
++ interrupts = <29 IRQ_TYPE_LEVEL_HIGH>;
+
+ enable-gpios = <&gpio0 30 GPIO_ACTIVE_HIGH>;
+ firmware-gpios = <&gpio0 31 GPIO_ACTIVE_HIGH>;
+--- a/Documentation/devicetree/bindings/net/nfc/pn544.txt
++++ b/Documentation/devicetree/bindings/net/nfc/pn544.txt
+@@ -25,7 +25,7 @@ Example (for ARM-based BeagleBone with P
+ clock-frequency = <400000>;
+
+ interrupt-parent = <&gpio1>;
+- interrupts = <17 GPIO_ACTIVE_HIGH>;
++ interrupts = <17 IRQ_TYPE_LEVEL_HIGH>;
+
+ enable-gpios = <&gpio3 21 GPIO_ACTIVE_HIGH>;
+ firmware-gpios = <&gpio3 19 GPIO_ACTIVE_HIGH>;
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 1 Dec 2020 01:05:07 -0800
+Subject: geneve: pull IP header before ECN decapsulation
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4179b00c04d18ea7013f68d578d80f3c9d13150a ]
+
+IP_ECN_decapsulate() and IP6_ECN_decapsulate() assume
+IP header is already pulled.
+
+geneve does not ensure this yet.
+
+Fixing this generically in IP_ECN_decapsulate() and
+IP6_ECN_decapsulate() is not possible, since callers
+pass a pointer that might be freed by pskb_may_pull()
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:238 [inline]
+BUG: KMSAN: uninit-value in INET_ECN_decapsulate+0x345/0x1db0 include/net/inet_ecn.h:260
+CPU: 1 PID: 8941 Comm: syz-executor.0 Not tainted 5.10.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x21c/0x280 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197
+ __INET_ECN_decapsulate include/net/inet_ecn.h:238 [inline]
+ INET_ECN_decapsulate+0x345/0x1db0 include/net/inet_ecn.h:260
+ geneve_rx+0x2103/0x2980 include/net/inet_ecn.h:306
+ geneve_udp_encap_recv+0x105c/0x1340 drivers/net/geneve.c:377
+ udp_queue_rcv_one_skb+0x193a/0x1af0 net/ipv4/udp.c:2093
+ udp_queue_rcv_skb+0x282/0x1050 net/ipv4/udp.c:2167
+ udp_unicast_rcv_skb net/ipv4/udp.c:2325 [inline]
+ __udp4_lib_rcv+0x399d/0x5880 net/ipv4/udp.c:2394
+ udp_rcv+0x5c/0x70 net/ipv4/udp.c:2564
+ ip_protocol_deliver_rcu+0x572/0xc50 net/ipv4/ip_input.c:204
+ ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
+ NF_HOOK include/linux/netfilter.h:301 [inline]
+ ip_local_deliver+0x583/0x8d0 net/ipv4/ip_input.c:252
+ dst_input include/net/dst.h:449 [inline]
+ ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
+ NF_HOOK include/linux/netfilter.h:301 [inline]
+ ip_rcv+0x5c3/0x840 net/ipv4/ip_input.c:539
+ __netif_receive_skb_one_core net/core/dev.c:5315 [inline]
+ __netif_receive_skb+0x1ec/0x640 net/core/dev.c:5429
+ process_backlog+0x523/0xc10 net/core/dev.c:6319
+ napi_poll+0x420/0x1010 net/core/dev.c:6763
+ net_rx_action+0x35c/0xd40 net/core/dev.c:6833
+ __do_softirq+0x1a9/0x6fa kernel/softirq.c:298
+ asm_call_irq_on_stack+0xf/0x20
+ </IRQ>
+ __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
+ run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
+ do_softirq_own_stack+0x6e/0x90 arch/x86/kernel/irq_64.c:77
+ do_softirq kernel/softirq.c:343 [inline]
+ __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:195
+ local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
+ rcu_read_unlock_bh include/linux/rcupdate.h:730 [inline]
+ __dev_queue_xmit+0x3a9b/0x4520 net/core/dev.c:4167
+ dev_queue_xmit+0x4b/0x60 net/core/dev.c:4173
+ packet_snd net/packet/af_packet.c:2992 [inline]
+ packet_sendmsg+0x86f9/0x99d0 net/packet/af_packet.c:3017
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg net/socket.c:671 [inline]
+ __sys_sendto+0x9dc/0xc80 net/socket.c:1992
+ __do_sys_sendto net/socket.c:2004 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:2000
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:2000
+ do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://lore.kernel.org/r/20201201090507.4137906-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/geneve.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -254,11 +254,21 @@ static void geneve_rx(struct geneve_dev
+ skb_dst_set(skb, &tun_dst->dst);
+
+ /* Ignore packet loops (and multicast echo) */
+- if (ether_addr_equal(eth_hdr(skb)->h_source, geneve->dev->dev_addr)) {
+- geneve->dev->stats.rx_errors++;
+- goto drop;
+- }
++ if (ether_addr_equal(eth_hdr(skb)->h_source, geneve->dev->dev_addr))
++ goto rx_error;
+
++ switch (skb_protocol(skb, true)) {
++ case htons(ETH_P_IP):
++ if (pskb_may_pull(skb, sizeof(struct iphdr)))
++ goto rx_error;
++ break;
++ case htons(ETH_P_IPV6):
++ if (pskb_may_pull(skb, sizeof(struct ipv6hdr)))
++ goto rx_error;
++ break;
++ default:
++ goto rx_error;
++ }
+ oiph = skb_network_header(skb);
+ skb_reset_network_header(skb);
+
+@@ -299,6 +309,8 @@ static void geneve_rx(struct geneve_dev
+ u64_stats_update_end(&stats->syncp);
+ }
+ return;
++rx_error:
++ geneve->dev->stats.rx_errors++;
+ drop:
+ /* Consume bad packet */
+ kfree_skb(skb);
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+Date: Tue, 1 Dec 2020 09:52:10 -0600
+Subject: ibmvnic: Ensure that SCRQ entry reads are correctly ordered
+
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+
+[ Upstream commit b71ec952234610b4f90ef17a2fdcb124d5320070 ]
+
+Ensure that received Subordinate Command-Response Queue (SCRQ)
+entries are properly read in order by the driver. These queues
+are used in the ibmvnic device to process RX buffer and TX completion
+descriptors. dma_rmb barriers have been added after checking for a
+pending descriptor to ensure the correct descriptor entry is checked
+and after reading the SCRQ descriptor to ensure the entire
+descriptor is read before processing.
+
+Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol")
+Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -2307,6 +2307,12 @@ restart_poll:
+
+ if (!pending_scrq(adapter, adapter->rx_scrq[scrq_num]))
+ break;
++ /* The queue entry at the current index is peeked at above
++ * to determine that there is a valid descriptor awaiting
++ * processing. We want to be sure that the current slot
++ * holds a valid descriptor before reading its contents.
++ */
++ dma_rmb();
+ next = ibmvnic_next_scrq(adapter, adapter->rx_scrq[scrq_num]);
+ rx_buff =
+ (struct ibmvnic_rx_buff *)be64_to_cpu(next->
+@@ -2988,6 +2994,13 @@ restart_loop:
+ unsigned int pool = scrq->pool_index;
+ int num_entries = 0;
+
++ /* The queue entry at the current index is peeked at above
++ * to determine that there is a valid descriptor awaiting
++ * processing. We want to be sure that the current slot
++ * holds a valid descriptor before reading its contents.
++ */
++ dma_rmb();
++
+ next = ibmvnic_next_scrq(adapter, scrq);
+ for (i = 0; i < next->tx_comp.num_comps; i++) {
+ if (next->tx_comp.rcs[i]) {
+@@ -3388,6 +3401,11 @@ static union sub_crq *ibmvnic_next_scrq(
+ }
+ spin_unlock_irqrestore(&scrq->lock, flags);
+
++ /* Ensure that the entire buffer descriptor has been
++ * loaded before reading its contents
++ */
++ dma_rmb();
++
+ return entry;
+ }
+
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+Date: Tue, 1 Dec 2020 09:52:11 -0600
+Subject: ibmvnic: Fix TX completion error handling
+
+From: Thomas Falcon <tlfalcon@linux.ibm.com>
+
+[ Upstream commit ba246c175116e2e8fa4fdfa5f8e958e086a9a818 ]
+
+TX completions received with an error return code are not
+being processed properly. When an error code is seen, do not
+proceed to the next completion before cleaning up the existing
+entry's data structures.
+
+Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol")
+Signed-off-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -3003,11 +3003,9 @@ restart_loop:
+
+ next = ibmvnic_next_scrq(adapter, scrq);
+ for (i = 0; i < next->tx_comp.num_comps; i++) {
+- if (next->tx_comp.rcs[i]) {
++ if (next->tx_comp.rcs[i])
+ dev_err(dev, "tx error %x\n",
+ next->tx_comp.rcs[i]);
+- continue;
+- }
+ index = be32_to_cpu(next->tx_comp.correlators[i]);
+ if (index & IBMVNIC_TSO_POOL_MASK) {
+ tx_pool = &adapter->tso_pool[pool];
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: "Toke Høiland-Jørgensen" <toke@redhat.com>
+Date: Mon, 30 Nov 2020 19:37:05 +0100
+Subject: inet_ecn: Fix endianness of checksum update when setting ECT(1)
+
+From: "Toke Høiland-Jørgensen" <toke@redhat.com>
+
+[ Upstream commit 2867e1eac61016f59b3d730e3f7aa488e186e917 ]
+
+When adding support for propagating ECT(1) marking in IP headers it seems I
+suffered from endianness-confusion in the checksum update calculation: In
+fact the ECN field is in the *lower* bits of the first 16-bit word of the
+IP header when calculating in network byte order. This means that the
+addition performed to update the checksum field was wrong; let's fix that.
+
+Fixes: b723748750ec ("tunnel: Propagate ECT(1) when decapsulating as recommended by RFC6040")
+Reported-by: Jonathan Morton <chromatix99@gmail.com>
+Tested-by: Pete Heist <pete@heistp.net>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/r/20201130183705.17540-1-toke@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/inet_ecn.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/inet_ecn.h
++++ b/include/net/inet_ecn.h
+@@ -107,7 +107,7 @@ static inline int IP_ECN_set_ect1(struct
+ if ((iph->tos & INET_ECN_MASK) != INET_ECN_ECT_0)
+ return 0;
+
+- check += (__force u16)htons(0x100);
++ check += (__force u16)htons(0x1);
+
+ iph->check = (__force __sum16)(check + (check>=0xFFFF));
+ iph->tos ^= INET_ECN_MASK;
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Guillaume Nault <gnault@redhat.com>
+Date: Thu, 26 Nov 2020 19:09:22 +0100
+Subject: ipv4: Fix tos mask in inet_rtm_getroute()
+
+From: Guillaume Nault <gnault@redhat.com>
+
+[ Upstream commit 1ebf179037cb46c19da3a9c1e2ca16e7a754b75e ]
+
+When inet_rtm_getroute() was converted to use the RCU variants of
+ip_route_input() and ip_route_output_key(), the TOS parameters
+stopped being masked with IPTOS_RT_MASK before doing the route lookup.
+
+As a result, "ip route get" can return a different route than what
+would be used when sending real packets.
+
+For example:
+
+ $ ip route add 192.0.2.11/32 dev eth0
+ $ ip route add unreachable 192.0.2.11/32 tos 2
+ $ ip route get 192.0.2.11 tos 2
+ RTNETLINK answers: No route to host
+
+But, packets with TOS 2 (ECT(0) if interpreted as an ECN bit) would
+actually be routed using the first route:
+
+ $ ping -c 1 -Q 2 192.0.2.11
+ PING 192.0.2.11 (192.0.2.11) 56(84) bytes of data.
+ 64 bytes from 192.0.2.11: icmp_seq=1 ttl=64 time=0.173 ms
+
+ --- 192.0.2.11 ping statistics ---
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 0.173/0.173/0.173/0.000 ms
+
+This patch re-applies IPTOS_RT_MASK in inet_rtm_getroute(), to
+return results consistent with real route lookups.
+
+Fixes: 3765d35ed8b9 ("net: ipv4: Convert inet_rtm_getroute to rcu versions of route lookup")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/b2d237d08317ca55926add9654a48409ac1b8f5b.1606412894.git.gnault@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -3132,7 +3132,7 @@ static int inet_rtm_getroute(struct sk_b
+
+ fl4.daddr = dst;
+ fl4.saddr = src;
+- fl4.flowi4_tos = rtm->rtm_tos;
++ fl4.flowi4_tos = rtm->rtm_tos & IPTOS_RT_MASK;
+ fl4.flowi4_oif = tb[RTA_OIF] ? nla_get_u32(tb[RTA_OIF]) : 0;
+ fl4.flowi4_mark = mark;
+ fl4.flowi4_uid = uid;
+@@ -3156,8 +3156,9 @@ static int inet_rtm_getroute(struct sk_b
+ fl4.flowi4_iif = iif; /* for rt_fill_info */
+ skb->dev = dev;
+ skb->mark = mark;
+- err = ip_route_input_rcu(skb, dst, src, rtm->rtm_tos,
+- dev, &res);
++ err = ip_route_input_rcu(skb, dst, src,
++ rtm->rtm_tos & IPTOS_RT_MASK, dev,
++ &res);
+
+ rt = skb_rtable(skb);
+ if (err == 0 && rt->dst.error)
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Antoine Tenart <atenart@kernel.org>
+Date: Mon, 30 Nov 2020 17:19:11 +0100
+Subject: net: ip6_gre: set dev->hard_header_len when using header_ops
+
+From: Antoine Tenart <atenart@kernel.org>
+
+[ Upstream commit 832ba596494b2c9eac7760259eff2d8b7dcad0ee ]
+
+syzkaller managed to crash the kernel using an NBMA ip6gre interface. I
+could reproduce it creating an NBMA ip6gre interface and forwarding
+traffic to it:
+
+ skbuff: skb_under_panic: text:ffffffff8250e927 len:148 put:44 head:ffff8c03c7a33
+ ------------[ cut here ]------------
+ kernel BUG at net/core/skbuff.c:109!
+ Call Trace:
+ skb_push+0x10/0x10
+ ip6gre_header+0x47/0x1b0
+ neigh_connected_output+0xae/0xf0
+
+ip6gre tunnel provides its own header_ops->create, and sets it
+conditionally when initializing the tunnel in NBMA mode. When
+header_ops->create is used, dev->hard_header_len should reflect the
+length of the header created. Otherwise, when not used,
+dev->needed_headroom should be used.
+
+Fixes: eb95f52fc72d ("net: ipv6_gre: Fix GRO to work on IPv6 over GRE tap")
+Cc: Maria Pasechnik <mariap@mellanox.com>
+Signed-off-by: Antoine Tenart <atenart@kernel.org>
+Link: https://lore.kernel.org/r/20201130161911.464106-1-atenart@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_gre.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1120,8 +1120,13 @@ static void ip6gre_tnl_link_config_route
+ return;
+
+ if (rt->dst.dev) {
+- dev->needed_headroom = rt->dst.dev->hard_header_len +
+- t_hlen;
++ unsigned short dst_len = rt->dst.dev->hard_header_len +
++ t_hlen;
++
++ if (t->dev->header_ops)
++ dev->hard_header_len = dst_len;
++ else
++ dev->needed_headroom = dst_len;
+
+ if (set_mtu) {
+ dev->mtu = rt->dst.dev->mtu - t_hlen;
+@@ -1146,7 +1151,12 @@ static int ip6gre_calc_hlen(struct ip6_t
+ tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen;
+
+ t_hlen = tunnel->hlen + sizeof(struct ipv6hdr);
+- tunnel->dev->needed_headroom = LL_MAX_HEADER + t_hlen;
++
++ if (tunnel->dev->header_ops)
++ tunnel->dev->hard_header_len = LL_MAX_HEADER + t_hlen;
++ else
++ tunnel->dev->needed_headroom = LL_MAX_HEADER + t_hlen;
++
+ return t_hlen;
+ }
+
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Yevgeny Kliteynik <kliteyn@nvidia.com>
+Date: Wed, 2 Dec 2020 20:39:46 -0800
+Subject: net/mlx5: DR, Proper handling of unsupported Connect-X6DX SW steering
+
+From: Yevgeny Kliteynik <kliteyn@nvidia.com>
+
+[ Upstream commit d421e466c2373095f165ddd25cbabd6c5b077928 ]
+
+STEs format for Connect-X5 and Connect-X6DX different. Currently, on
+Connext-X6DX the SW steering would break at some point when building STEs
+w/o giving a proper error message. Fix this by checking the STE format of
+the current device when initializing domain: add mlx5_ifc definitions for
+Connect-X6DX SW steering, read FW capability to get the current format
+version, and check this version when domain is being created.
+
+Fixes: 26d688e33f88 ("net/mlx5: DR, Add Steering entry (STE) utilities")
+Signed-off-by: Yevgeny Kliteynik <kliteyn@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c | 1 +
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c | 5 +++++
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h | 1 +
+ include/linux/mlx5/mlx5_ifc.h | 9 ++++++++-
+ 4 files changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_cmd.c
+@@ -92,6 +92,7 @@ int mlx5dr_cmd_query_device(struct mlx5_
+ caps->eswitch_manager = MLX5_CAP_GEN(mdev, eswitch_manager);
+ caps->gvmi = MLX5_CAP_GEN(mdev, vhca_id);
+ caps->flex_protocols = MLX5_CAP_GEN(mdev, flex_parser_protocols);
++ caps->sw_format_ver = MLX5_CAP_GEN(mdev, steering_format_version);
+
+ if (mlx5dr_matcher_supp_flex_parser_icmp_v4(caps)) {
+ caps->flex_parser_id_icmp_dw0 = MLX5_CAP_GEN(mdev, flex_parser_id_icmp_dw0);
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c
+@@ -223,6 +223,11 @@ static int dr_domain_caps_init(struct ml
+ if (ret)
+ return ret;
+
++ if (dmn->info.caps.sw_format_ver != MLX5_STEERING_FORMAT_CONNECTX_5) {
++ mlx5dr_err(dmn, "SW steering is not supported on this device\n");
++ return -EOPNOTSUPP;
++ }
++
+ ret = dr_domain_query_fdb_caps(mdev, dmn);
+ if (ret)
+ return ret;
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_types.h
+@@ -613,6 +613,7 @@ struct mlx5dr_cmd_caps {
+ u8 max_ft_level;
+ u16 roce_min_src_udp;
+ u8 num_esw_ports;
++ u8 sw_format_ver;
+ bool eswitch_manager;
+ bool rx_sw_owner;
+ bool tx_sw_owner;
+--- a/include/linux/mlx5/mlx5_ifc.h
++++ b/include/linux/mlx5/mlx5_ifc.h
+@@ -1139,6 +1139,11 @@ enum mlx5_fc_bulk_alloc_bitmask {
+
+ #define MLX5_FC_BULK_NUM_FCS(fc_enum) (MLX5_FC_BULK_SIZE_FACTOR * (fc_enum))
+
++enum {
++ MLX5_STEERING_FORMAT_CONNECTX_5 = 0,
++ MLX5_STEERING_FORMAT_CONNECTX_6DX = 1,
++};
++
+ struct mlx5_ifc_cmd_hca_cap_bits {
+ u8 reserved_at_0[0x30];
+ u8 vhca_id[0x10];
+@@ -1419,7 +1424,9 @@ struct mlx5_ifc_cmd_hca_cap_bits {
+
+ u8 general_obj_types[0x40];
+
+- u8 reserved_at_440[0x20];
++ u8 reserved_at_440[0x4];
++ u8 steering_format_version[0x4];
++ u8 create_qp_start_hint[0x18];
+
+ u8 reserved_at_460[0x3];
+ u8 log_max_uctx[0x5];
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Eran Ben Elisha <eranbe@nvidia.com>
+Date: Wed, 2 Dec 2020 20:39:43 -0800
+Subject: net/mlx5: Fix wrong address reclaim when command interface is down
+
+From: Eran Ben Elisha <eranbe@nvidia.com>
+
+[ Upstream commit 1d2bb5ad89f47d8ce8aedc70ef85059ab3870292 ]
+
+When command interface is down, driver to reclaim all 4K page chucks that
+were hold by the Firmeware. Fix a bug for 64K page size systems, where
+driver repeatedly released only the first chunk of the page.
+
+Define helper function to fill 4K chunks for a given Firmware pages.
+Iterate over all unreleased Firmware pages and call the hepler per each.
+
+Fixes: 5adff6a08862 ("net/mlx5: Fix incorrect page count when in internal error")
+Signed-off-by: Eran Ben Elisha <eranbe@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c | 21 ++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c
+@@ -339,6 +339,24 @@ out_free:
+ return err;
+ }
+
++static u32 fwp_fill_manage_pages_out(struct fw_page *fwp, u32 *out, u32 index,
++ u32 npages)
++{
++ u32 pages_set = 0;
++ unsigned int n;
++
++ for_each_clear_bit(n, &fwp->bitmask, MLX5_NUM_4K_IN_PAGE) {
++ MLX5_ARRAY_SET64(manage_pages_out, out, pas, index + pages_set,
++ fwp->addr + (n * MLX5_ADAPTER_PAGE_SIZE));
++ pages_set++;
++
++ if (!--npages)
++ break;
++ }
++
++ return pages_set;
++}
++
+ static int reclaim_pages_cmd(struct mlx5_core_dev *dev,
+ u32 *in, int in_size, u32 *out, int out_size)
+ {
+@@ -362,8 +380,7 @@ static int reclaim_pages_cmd(struct mlx5
+ if (fwp->func_id != func_id)
+ continue;
+
+- MLX5_ARRAY_SET64(manage_pages_out, out, pas, i, fwp->addr);
+- i++;
++ i += fwp_fill_manage_pages_out(fwp, out, i, npages - i);
+ }
+
+ MLX5_SET(manage_pages_out, out, output_num_entries, i);
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Wang Hai <wanghai38@huawei.com>
+Date: Thu, 3 Dec 2020 22:18:06 +0800
+Subject: net: mvpp2: Fix error return code in mvpp2_open()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 82a10dc7f0960735f40e8d7d3bee56934291600f ]
+
+Fix to return negative error code -ENOENT from invalid configuration
+error handling case instead of 0, as done elsewhere in this function.
+
+Fixes: 4bb043262878 ("net: mvpp2: phylink support")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20201203141806.37966-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -3696,6 +3696,7 @@ static int mvpp2_open(struct net_device
+ if (!valid) {
+ netdev_err(port->dev,
+ "invalid configuration: no dt or link IRQ");
++ err = -ENOENT;
+ goto err_free_irq;
+ }
+
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Thu, 3 Dec 2020 10:46:06 +0100
+Subject: net: openvswitch: ensure LSE is pullable before reading it
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 43c13605bad44b8abbc9776d6e63f62ccb7a47d6 ]
+
+when openvswitch is configured to mangle the LSE, the current value is
+read from the packet dereferencing 4 bytes at mpls_hdr(): ensure that
+the label is contained in the skb "linear" area.
+
+Found by code inspection.
+
+Fixes: d27cf5c59a12 ("net: core: add MPLS update core helper and use in OvS")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Link: https://lore.kernel.org/r/aa099f245d93218b84b5c056b67b6058ccf81a66.1606987185.git.dcaratti@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/actions.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -196,6 +196,9 @@ static int set_mpls(struct sk_buff *skb,
+ __be32 lse;
+ int err;
+
++ if (!pskb_may_pull(skb, skb_network_offset(skb) + MPLS_HLEN))
++ return -ENOMEM;
++
+ stack = mpls_hdr(skb);
+ lse = OVS_MASKED(stack->label_stack_entry, *mpls_lse, *mask);
+ err = skb_mpls_update_lse(skb, lse);
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+Date: Wed, 2 Dec 2020 17:57:15 +0800
+Subject: net: pasemi: fix error return code in pasemi_mac_open()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit aba84871bd4f52c4dfcf3ad5d4501a6c9d2de90e ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 72b05b9940f0 ("pasemi_mac: RX/TX ring management cleanup")
+Fixes: 8d636d8bc5ff ("pasemi_mac: jumbo frame support")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1606903035-1838-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/pasemi/pasemi_mac.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/pasemi/pasemi_mac.c
++++ b/drivers/net/ethernet/pasemi/pasemi_mac.c
+@@ -1078,16 +1078,20 @@ static int pasemi_mac_open(struct net_de
+
+ mac->tx = pasemi_mac_setup_tx_resources(dev);
+
+- if (!mac->tx)
++ if (!mac->tx) {
++ ret = -ENOMEM;
+ goto out_tx_ring;
++ }
+
+ /* We might already have allocated rings in case mtu was changed
+ * before interface was brought up.
+ */
+ if (dev->mtu > 1500 && !mac->num_cs) {
+ pasemi_mac_setup_csrings(mac);
+- if (!mac->num_cs)
++ if (!mac->num_cs) {
++ ret = -ENOMEM;
+ goto out_tx_ring;
++ }
+ }
+
+ /* Zero out rmon counters */
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Thu, 3 Dec 2020 10:37:52 +0100
+Subject: net/sched: act_mpls: ensure LSE is pullable before reading it
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 9608fa653059c3f72faab0c148ac8773c46e7314 ]
+
+when 'act_mpls' is used to mangle the LSE, the current value is read from
+the packet dereferencing 4 bytes at mpls_hdr(): ensure that the label is
+contained in the skb "linear" area.
+
+Found by code inspection.
+
+v2:
+ - use MPLS_HLEN instead of sizeof(new_lse), thanks to Jakub Kicinski
+
+Fixes: 2a2ea50870ba ("net: sched: add mpls manipulation actions to TC")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Guillaume Nault <gnault@redhat.com>
+Link: https://lore.kernel.org/r/3243506cba43d14858f3bd21ee0994160e44d64a.1606987058.git.dcaratti@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_mpls.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sched/act_mpls.c
++++ b/net/sched/act_mpls.c
+@@ -88,6 +88,9 @@ static int tcf_mpls_act(struct sk_buff *
+ goto drop;
+ break;
+ case TCA_MPLS_ACT_MODIFY:
++ if (!pskb_may_pull(skb,
++ skb_network_offset(skb) + MPLS_HLEN))
++ goto drop;
+ new_lse = tcf_mpls_get_lse(mpls_hdr(skb), p, false);
+ if (skb_mpls_update_lse(skb, new_lse))
+ goto drop;
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Thu, 3 Dec 2020 10:58:21 +0100
+Subject: net: skbuff: ensure LSE is pullable before decrementing the MPLS ttl
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 13de4ed9e3a9ccbe54d05f7d5c773f69ecaf6c64 ]
+
+skb_mpls_dec_ttl() reads the LSE without ensuring that it is contained in
+the skb "linear" area. Fix this calling pskb_may_pull() before reading the
+current ttl.
+
+Found by code inspection.
+
+Fixes: 2a2ea50870ba ("net: sched: add mpls manipulation actions to TC")
+Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Link: https://lore.kernel.org/r/53659f28be8bc336c113b5254dc637cc76bbae91.1606987074.git.dcaratti@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -5618,6 +5618,9 @@ int skb_mpls_dec_ttl(struct sk_buff *skb
+ if (unlikely(!eth_p_mpls(skb->protocol)))
+ return -EINVAL;
+
++ if (!pskb_may_pull(skb, skb_network_offset(skb) + MPLS_HLEN))
++ return -ENOMEM;
++
+ lse = be32_to_cpu(mpls_hdr(skb)->label_stack_entry);
+ ttl = (lse & MPLS_LS_TTL_MASK) >> MPLS_LS_TTL_SHIFT;
+ if (!--ttl)
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 1 Dec 2020 18:15:12 +0300
+Subject: net/x25: prevent a couple of overflows
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 6ee50c8e262a0f0693dad264c3c99e30e6442a56 ]
+
+The .x25_addr[] address comes from the user and is not necessarily
+NUL terminated. This leads to a couple problems. The first problem is
+that the strlen() in x25_bind() can read beyond the end of the buffer.
+
+The second problem is more subtle and could result in memory corruption.
+The call tree is:
+ x25_connect()
+ --> x25_write_internal()
+ --> x25_addr_aton()
+
+The .x25_addr[] buffers are copied to the "addresses" buffer from
+x25_write_internal() so it will lead to stack corruption.
+
+Verify that the strings are NUL terminated and return -EINVAL if they
+are not.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Fixes: a9288525d2ae ("X25: Dont let x25_bind use addresses containing characters")
+Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Martin Schiller <ms@dev.tdt.de>
+Link: https://lore.kernel.org/r/X8ZeAKm8FnFpN//B@mwanda
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/x25/af_x25.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -675,7 +675,8 @@ static int x25_bind(struct socket *sock,
+ int len, i, rc = 0;
+
+ if (addr_len != sizeof(struct sockaddr_x25) ||
+- addr->sx25_family != AF_X25) {
++ addr->sx25_family != AF_X25 ||
++ strnlen(addr->sx25_addr.x25_addr, X25_ADDR_LEN) == X25_ADDR_LEN) {
+ rc = -EINVAL;
+ goto out;
+ }
+@@ -769,7 +770,8 @@ static int x25_connect(struct socket *so
+
+ rc = -EINVAL;
+ if (addr_len != sizeof(struct sockaddr_x25) ||
+- addr->sx25_family != AF_X25)
++ addr->sx25_family != AF_X25 ||
++ strnlen(addr->sx25_addr.x25_addr, X25_ADDR_LEN) == X25_ADDR_LEN)
+ goto out;
+
+ rc = -ENETUNREACH;
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Antoine Tenart <atenart@kernel.org>
+Date: Mon, 23 Nov 2020 18:49:02 +0100
+Subject: netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal
+
+From: Antoine Tenart <atenart@kernel.org>
+
+[ Upstream commit 44f64f23bae2f0fad25503bc7ab86cd08d04cd47 ]
+
+Netfilter changes PACKET_OTHERHOST to PACKET_HOST before invoking the
+hooks as, while it's an expected value for a bridge, routing expects
+PACKET_HOST. The change is undone later on after hook traversal. This
+can be seen with pairs of functions updating skb>pkt_type and then
+reverting it to its original value:
+
+For hook NF_INET_PRE_ROUTING:
+ setup_pre_routing / br_nf_pre_routing_finish
+
+For hook NF_INET_FORWARD:
+ br_nf_forward_ip / br_nf_forward_finish
+
+But the third case where netfilter does this, for hook
+NF_INET_POST_ROUTING, the packet type is changed in br_nf_post_routing
+but never reverted. A comment says:
+
+ /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
+ * about the value of skb->pkt_type. */
+
+But when having a tunnel (say vxlan) attached to a bridge we have the
+following call trace:
+
+ br_nf_pre_routing
+ br_nf_pre_routing_ipv6
+ br_nf_pre_routing_finish
+ br_nf_forward_ip
+ br_nf_forward_finish
+ br_nf_post_routing <- pkt_type is updated to PACKET_HOST
+ br_nf_dev_queue_xmit <- but not reverted to its original value
+ vxlan_xmit
+ vxlan_xmit_one
+ skb_tunnel_check_pmtu <- a check on pkt_type is performed
+
+In this specific case, this creates issues such as when an ICMPv6 PTB
+should be sent back. When CONFIG_BRIDGE_NETFILTER is enabled, the PTB
+isn't sent (as skb_tunnel_check_pmtu checks if pkt_type is PACKET_HOST
+and returns early).
+
+If the comment is right and no one cares about the value of
+skb->pkt_type after br_dev_queue_push_xmit (which isn't true), resetting
+it to its original value should be safe.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Antoine Tenart <atenart@kernel.org>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Link: https://lore.kernel.org/r/20201123174902.622102-1-atenart@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_netfilter_hooks.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -735,6 +735,11 @@ static int br_nf_dev_queue_xmit(struct n
+ mtu_reserved = nf_bridge_mtu_reduction(skb);
+ mtu = skb->dev->mtu;
+
++ if (nf_bridge->pkt_otherhost) {
++ skb->pkt_type = PACKET_OTHERHOST;
++ nf_bridge->pkt_otherhost = false;
++ }
++
+ if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu)
+ mtu = nf_bridge->frag_max_size;
+
+@@ -835,8 +840,6 @@ static unsigned int br_nf_post_routing(v
+ else
+ return NF_ACCEPT;
+
+- /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
+- * about the value of skb->pkt_type. */
+ if (skb->pkt_type == PACKET_OTHERHOST) {
+ skb->pkt_type = PACKET_HOST;
+ nf_bridge->pkt_otherhost = true;
staging-octeon-fix-up-merge-error.patch
ima-extend-boot_aggregate-with-kernel-measurements.patch
sched-fair-fix-unthrottle_cfs_rq-for-leaf_cfs_rq-lis.patch
+netfilter-bridge-reset-skb-pkt_type-after-nf_inet_post_routing-traversal.patch
+ipv4-fix-tos-mask-in-inet_rtm_getroute.patch
+dt-bindings-net-correct-interrupt-flags-in-examples.patch
+chelsio-chtls-fix-panic-during-unload-reload-chtls.patch
+ibmvnic-ensure-that-scrq-entry-reads-are-correctly-ordered.patch
+ibmvnic-fix-tx-completion-error-handling.patch
+inet_ecn-fix-endianness-of-checksum-update-when-setting-ect-1.patch
+geneve-pull-ip-header-before-ecn-decapsulation.patch
+net-ip6_gre-set-dev-hard_header_len-when-using-header_ops.patch
+net-x25-prevent-a-couple-of-overflows.patch
+cxgb3-fix-error-return-code-in-t3_sge_alloc_qset.patch
+net-pasemi-fix-error-return-code-in-pasemi_mac_open.patch
+vxlan-fix-error-return-code-in-__vxlan_dev_create.patch
+chelsio-chtls-fix-a-double-free-in-chtls_setkey.patch
+net-mvpp2-fix-error-return-code-in-mvpp2_open.patch
+net-skbuff-ensure-lse-is-pullable-before-decrementing-the-mpls-ttl.patch
+net-openvswitch-ensure-lse-is-pullable-before-reading-it.patch
+net-sched-act_mpls-ensure-lse-is-pullable-before-reading-it.patch
+net-mlx5-dr-proper-handling-of-unsupported-connect-x6dx-sw-steering.patch
+net-mlx5-fix-wrong-address-reclaim-when-command-interface-is-down.patch
--- /dev/null
+From foo@baz Sun Dec 6 10:20:28 AM CET 2020
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+Date: Wed, 2 Dec 2020 17:58:42 +0800
+Subject: vxlan: fix error return code in __vxlan_dev_create()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 832e09798c261cf58de3a68cfcc6556408c16a5a ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 0ce1822c2a08 ("vxlan: add adjacent link to limit depth level")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1606903122-2098-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -3617,8 +3617,10 @@ static int __vxlan_dev_create(struct net
+
+ if (dst->remote_ifindex) {
+ remote_dev = __dev_get_by_index(net, dst->remote_ifindex);
+- if (!remote_dev)
++ if (!remote_dev) {
++ err = -ENODEV;
+ goto errout;
++ }
+
+ err = netdev_upper_dev_link(remote_dev, dev, extack);
+ if (err)
projects / thirdparty / kernel / stable-queue.git / commitdiff
