--- /dev/null
+From 19aa0b41232476f371e0c623fc644fe02f197149 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jan 2021 20:41:35 +0900
+Subject: can: dev: can_restart: fix use after free bug
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+[ Upstream commit 03f16c5075b22c8902d2af739969e878b0879c94 ]
+
+After calling netif_rx_ni(skb), dereferencing skb is unsafe.
+Especially, the can_frame cf which aliases skb memory is accessed
+after the netif_rx_ni() in:
+ stats->rx_bytes += cf->len;
+
+Reordering the lines solves the issue.
+
+Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface")
+Link: https://lore.kernel.org/r/20210120114137.200019-2-mailhol.vincent@wanadoo.fr
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/dev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
+index c7508d9a4c6fb..164078609f98e 100644
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -555,11 +555,11 @@ static void can_restart(struct net_device *dev)
+ }
+ cf->can_id |= CAN_ERR_RESTARTED;
+
+- netif_rx_ni(skb);
+-
+ stats->rx_packets++;
+ stats->rx_bytes += cf->can_dlc;
+
++ netif_rx_ni(skb);
++
+ restart:
+ netdev_dbg(dev, "restarted\n");
+ priv->can_stats.restarts++;
+--
+2.27.0
+
--- /dev/null
+From d5f1d167baad0d412bd055f96c4b401cb66db13d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 9 Jan 2021 13:43:08 +0100
+Subject: i2c: octeon: check correct size of maximum RECV_LEN packet
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 1b2cfa2d1dbdcc3b6dba1ecb7026a537a1d7277f ]
+
+I2C_SMBUS_BLOCK_MAX defines already the maximum number as defined in the
+SMBus 2.0 specs. No reason to add one to it.
+
+Fixes: 886f6f8337dd ("i2c: octeon: Support I2C_M_RECV_LEN")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Robert Richter <rric@kernel.org>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-octeon-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-octeon-core.c b/drivers/i2c/busses/i2c-octeon-core.c
+index 5e63b17f935d5..e5ad3f9cd372f 100644
+--- a/drivers/i2c/busses/i2c-octeon-core.c
++++ b/drivers/i2c/busses/i2c-octeon-core.c
+@@ -383,7 +383,7 @@ static int octeon_i2c_read(struct octeon_i2c *i2c, int target,
+
+ data[i] = octeon_i2c_data_read(i2c);
+ if (recv_len && i == 0) {
+- if (data[i] > I2C_SMBUS_BLOCK_MAX + 1)
++ if (data[i] > I2C_SMBUS_BLOCK_MAX)
+ return -EPROTO;
+ length += data[i];
+ }
+--
+2.27.0
+
scsi-ufs-correct-the-lun-used-in-eh_device_reset_han.patch
drm-nouveau-bios-fix-issue-shadowing-expansion-roms.patch
drm-nouveau-i2c-gm200-increase-width-of-aux-semaphor.patch
+i2c-octeon-check-correct-size-of-maximum-recv_len-pa.patch
+can-dev-can_restart-fix-use-after-free-bug.patch