4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 20 Sep 2021 09:10:15 +0000 (11:10 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 20 Sep 2021 09:10:15 +0000 (11:10 +0200)
added patches:
dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch
events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch
ibmvnic-check-failover_pending-in-login-response.patch
net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
net-caif-avoid-user-triggerable-warn_on-1.patch
net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch
ptp-dp83640-don-t-define-page0.patch
r6040-restore-mdio-clock-frequency-after-mac-reset.patch
revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch
tcp-fix-tp-undo_retrans-accounting-in-tcp_sacktag_one.patch
tipc-increase-timeout-in-tipc_sk_enqueue.patch

12 files changed:
queue-4.14/dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch [new file with mode: 0644]
queue-4.14/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch [new file with mode: 0644]
queue-4.14/ibmvnic-check-failover_pending-in-login-response.patch [new file with mode: 0644]
queue-4.14/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch [new file with mode: 0644]
queue-4.14/net-caif-avoid-user-triggerable-warn_on-1.patch [new file with mode: 0644]
queue-4.14/net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch [new file with mode: 0644]
queue-4.14/ptp-dp83640-don-t-define-page0.patch [new file with mode: 0644]
queue-4.14/r6040-restore-mdio-clock-frequency-after-mac-reset.patch [new file with mode: 0644]
queue-4.14/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/tcp-fix-tp-undo_retrans-accounting-in-tcp_sacktag_one.patch [new file with mode: 0644]
queue-4.14/tipc-increase-timeout-in-tipc_sk_enqueue.patch [new file with mode: 0644]

diff --git a/queue-4.14/dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch b/queue-4.14/dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch
new file mode 100644 (file)
index 0000000..83e1b90
--- /dev/null
@@ -0,0 +1,41 @@
+From d9ea761fdd197351890418acd462c51f241014a7 Mon Sep 17 00:00:00 2001
+From: "Lin, Zhenpeng" <zplin@psu.edu>
+Date: Wed, 8 Sep 2021 03:40:59 +0000
+Subject: dccp: don't duplicate ccid when cloning dccp sock
+
+From: Lin, Zhenpeng <zplin@psu.edu>
+
+commit d9ea761fdd197351890418acd462c51f241014a7 upstream.
+
+Commit 2677d2067731 ("dccp: don't free ccid2_hc_tx_sock ...") fixed
+a UAF but reintroduced CVE-2017-6074.
+
+When the sock is cloned, two dccps_hc_tx_ccid will reference to the
+same ccid. So one can free the ccid object twice from two socks after
+cloning.
+
+This issue was found by "Hadar Manor" as well and assigned with
+CVE-2020-16119, which was fixed in Ubuntu's kernel. So here I port
+the patch from Ubuntu to fix it.
+
+The patch prevents cloned socks from referencing the same ccid.
+
+Fixes: 2677d2067731410 ("dccp: don't free ccid2_hc_tx_sock ...")
+Signed-off-by: Zhenpeng Lin <zplin@psu.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/minisocks.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/dccp/minisocks.c
++++ b/net/dccp/minisocks.c
+@@ -98,6 +98,8 @@ struct sock *dccp_create_openreq_child(c
+               newdp->dccps_role           = DCCP_ROLE_SERVER;
+               newdp->dccps_hc_rx_ackvec   = NULL;
+               newdp->dccps_service_list   = NULL;
++              newdp->dccps_hc_rx_ccid     = NULL;
++              newdp->dccps_hc_tx_ccid     = NULL;
+               newdp->dccps_service        = dreq->dreq_service;
+               newdp->dccps_timestamp_echo = dreq->dreq_timestamp_echo;
+               newdp->dccps_timestamp_time = dreq->dreq_timestamp_time;
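Review bot: The two added NULL assignments in `dccp_create_openreq_child()` carry no comment saying why the child must not inherit the parent's CCID pointers; the reason (a cloned sock would reference the same ccid object, which could then be freed from both socks) is only in the commit message. A one-line comment above them, e.g. `/* child must not share the parent's ccid objects, or they get freed twice */`, would keep a later cleanup from dropping them as redundant initialisation. The function's body starts and ends outside the hunk, so where the child's own CCIDs are set up afterwards cannot be confirmed from here.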
diff --git a/queue-4.14/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch b/queue-4.14/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch
new file mode 100644 (file)
index 0000000..b1695a8
--- /dev/null
@@ -0,0 +1,36 @@
+From b89a05b21f46150ac10a962aa50109250b56b03b Mon Sep 17 00:00:00 2001
+From: Baptiste Lepers <baptiste.lepers@gmail.com>
+Date: Mon, 6 Sep 2021 11:53:10 +1000
+Subject: events: Reuse value read using READ_ONCE instead of re-reading it
+
+From: Baptiste Lepers <baptiste.lepers@gmail.com>
+
+commit b89a05b21f46150ac10a962aa50109250b56b03b upstream.
+
+In perf_event_addr_filters_apply, the task associated with
+the event (event->ctx->task) is read using READ_ONCE at the beginning
+of the function, checked, and then re-read from event->ctx->task,
+voiding all guarantees of the checks. Reuse the value that was read by
+READ_ONCE to ensure the consistency of the task struct throughout the
+function.
+
+Fixes: 375637bc52495 ("perf/core: Introduce address range filtering")
+Signed-off-by: Baptiste Lepers <baptiste.lepers@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20210906015310.12802-1-baptiste.lepers@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -8435,7 +8435,7 @@ static void perf_event_addr_filters_appl
+       if (!ifh->nr_file_filters)
+               return;
+-      mm = get_task_mm(event->ctx->task);
++      mm = get_task_mm(task);
+       if (!mm)
+               goto restart;
diff --git a/queue-4.14/ibmvnic-check-failover_pending-in-login-response.patch b/queue-4.14/ibmvnic-check-failover_pending-in-login-response.patch
new file mode 100644 (file)
index 0000000..7f70dfe
--- /dev/null
@@ -0,0 +1,38 @@
+From 273c29e944bda9a20a30c26cfc34c9a3f363280b Mon Sep 17 00:00:00 2001
+From: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
+Date: Wed, 8 Sep 2021 09:58:20 -0700
+Subject: ibmvnic: check failover_pending in login response
+
+From: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
+
+commit 273c29e944bda9a20a30c26cfc34c9a3f363280b upstream.
+
+If a failover occurs before a login response is received, the login
+response buffer maybe undefined. Check that there was no failover
+before accessing the login response buffer.
+
+Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol")
+Signed-off-by: Sukadev Bhattiprolu <sukadev@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -3965,6 +3965,14 @@ static int ibmvnic_probe(struct vio_dev
+                       goto ibmvnic_init_fail;
+       } while (rc == EAGAIN);
++      if (adapter->failover_pending) {
++              adapter->init_done_rc = -EAGAIN;
++              netdev_dbg(netdev, "Failover pending, ignoring login response\n");
++              complete(&adapter->init_done);
++              /* login response buffer will be released on reset */
++              return 0;
++      }
++
+       netdev->mtu = adapter->req_mtu - ETH_HLEN;
+       rc = device_create_file(&dev->dev, &dev_attr_failover);
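Review bot: The added `failover_pending` block sits in `ibmvnic_probe()` according to the hunk header, directly after the `do { ... } while (rc == EAGAIN)` init loop, while the commit message describes a check made before the login response buffer is accessed; this looks like the patch matched context in the wrong function on 4.14. As placed, `return 0;` makes probe report success while skipping the `netdev->mtu` assignment and `device_create_file()` that follow, plus whatever else probe does below the hunk. The check belongs in this tree's login-response handler, or the patch should be dropped from the 4.14 queue if that handler cannot be adapted. Whether `adapter->failover_pending` and `init_done_rc` exist in 4.14 also needs confirming, since their declarations are not visible here.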
diff --git a/queue-4.14/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch b/queue-4.14/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
new file mode 100644 (file)
index 0000000..4b71899
--- /dev/null
@@ -0,0 +1,97 @@
+From 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 8 Sep 2021 17:00:29 -0700
+Subject: net/af_unix: fix a data-race in unix_dgram_poll
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 upstream.
+
+syzbot reported another data-race in af_unix [1]
+
+Lets change __skb_insert() to use WRITE_ONCE() when changing
+skb head qlen.
+
+Also, change unix_dgram_poll() to use lockless version
+of unix_recvq_full()
+
+It is verry possible we can switch all/most unix_recvq_full()
+to the lockless version, this will be done in a future kernel version.
+
+[1] HEAD commit: 8596e589b787732c8346f0482919e83cc9362db1
+
+BUG: KCSAN: data-race in skb_queue_tail / unix_dgram_poll
+
+write to 0xffff88814eeb24e0 of 4 bytes by task 25815 on cpu 0:
+ __skb_insert include/linux/skbuff.h:1938 [inline]
+ __skb_queue_before include/linux/skbuff.h:2043 [inline]
+ __skb_queue_tail include/linux/skbuff.h:2076 [inline]
+ skb_queue_tail+0x80/0xa0 net/core/skbuff.c:3264
+ unix_dgram_sendmsg+0xff2/0x1600 net/unix/af_unix.c:1850
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg net/socket.c:723 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2392
+ ___sys_sendmsg net/socket.c:2446 [inline]
+ __sys_sendmmsg+0x315/0x4b0 net/socket.c:2532
+ __do_sys_sendmmsg net/socket.c:2561 [inline]
+ __se_sys_sendmmsg net/socket.c:2558 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2558
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff88814eeb24e0 of 4 bytes by task 25834 on cpu 1:
+ skb_queue_len include/linux/skbuff.h:1869 [inline]
+ unix_recvq_full net/unix/af_unix.c:194 [inline]
+ unix_dgram_poll+0x2bc/0x3e0 net/unix/af_unix.c:2777
+ sock_poll+0x23e/0x260 net/socket.c:1288
+ vfs_poll include/linux/poll.h:90 [inline]
+ ep_item_poll fs/eventpoll.c:846 [inline]
+ ep_send_events fs/eventpoll.c:1683 [inline]
+ ep_poll fs/eventpoll.c:1798 [inline]
+ do_epoll_wait+0x6ad/0xf00 fs/eventpoll.c:2226
+ __do_sys_epoll_wait fs/eventpoll.c:2238 [inline]
+ __se_sys_epoll_wait fs/eventpoll.c:2233 [inline]
+ __x64_sys_epoll_wait+0xf6/0x120 fs/eventpoll.c:2233
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x0000001b -> 0x00000001
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 25834 Comm: syz-executor.1 Tainted: G        W         5.14.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 86b18aaa2b5b ("skbuff: fix a data race in skb_queue_len()")
+Cc: Qian Cai <cai@lca.pw>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h |    2 +-
+ net/unix/af_unix.c     |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1758,7 +1758,7 @@ static inline void __skb_insert(struct s
+       WRITE_ONCE(newsk->prev, prev);
+       WRITE_ONCE(next->prev, newsk);
+       WRITE_ONCE(prev->next, newsk);
+-      list->qlen++;
++      WRITE_ONCE(list->qlen, list->qlen + 1);
+ }
+ static inline void __skb_queue_splice(const struct sk_buff_head *list,
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2742,7 +2742,7 @@ static unsigned int unix_dgram_poll(stru
+               other = unix_peer(sk);
+               if (other && unix_peer(other) != sk &&
+-                  unix_recvq_full(other) &&
++                  unix_recvq_full_lockless(other) &&
+                   unix_dgram_peer_wake_me(sk, other))
+                       writable = 0;
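Review bot: `unix_recvq_full_lockless()` is called in the af_unix.c hunk but is not added by this patch, so the backport only builds and behaves as intended if the 4.14 base already carries that helper together with a marked queue-length read; presumably that comes from the commit named in the Fixes: tag, which should be confirmed for this tree. In the skbuff.h hunk only `__skb_insert()` is converted, and `WRITE_ONCE(list->qlen, list->qlen + 1)` helps lockless readers only if the other writers of `qlen` that can race with the poll path are marked the same way; those sites are outside the hunk. A short comment at the write, e.g. `/* qlen is read locklessly, e.g. from unix_dgram_poll() */`, would record why the plain increment was replaced.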
diff --git a/queue-4.14/net-caif-avoid-user-triggerable-warn_on-1.patch b/queue-4.14/net-caif-avoid-user-triggerable-warn_on-1.patch
new file mode 100644 (file)
index 0000000..e34b99c
--- /dev/null
@@ -0,0 +1,112 @@
+From 550ac9c1aaaaf51fd42e20d461f0b1cdbd55b3d2 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 13 Sep 2021 11:08:36 -0700
+Subject: net-caif: avoid user-triggerable WARN_ON(1)
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 550ac9c1aaaaf51fd42e20d461f0b1cdbd55b3d2 upstream.
+
+syszbot triggers this warning, which looks something
+we can easily prevent.
+
+If we initialize priv->list_field in chnl_net_init(),
+then always use list_del_init(), we can remove robust_list_del()
+completely.
+
+WARNING: CPU: 0 PID: 3233 at net/caif/chnl_net.c:67 robust_list_del net/caif/chnl_net.c:67 [inline]
+WARNING: CPU: 0 PID: 3233 at net/caif/chnl_net.c:67 chnl_net_uninit+0xc9/0x2e0 net/caif/chnl_net.c:375
+Modules linked in:
+CPU: 0 PID: 3233 Comm: syz-executor.3 Not tainted 5.14.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:robust_list_del net/caif/chnl_net.c:67 [inline]
+RIP: 0010:chnl_net_uninit+0xc9/0x2e0 net/caif/chnl_net.c:375
+Code: 89 eb e8 3a a3 ba f8 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 bf 01 00 00 48 81 fb 00 14 4e 8d 48 8b 2b 75 d0 e8 17 a3 ba f8 <0f> 0b 5b 5d 41 5c 41 5d e9 0a a3 ba f8 4c 89 e3 e8 02 a3 ba f8 4c
+RSP: 0018:ffffc90009067248 EFLAGS: 00010202
+RAX: 0000000000008780 RBX: ffffffff8d4e1400 RCX: ffffc9000fd34000
+RDX: 0000000000040000 RSI: ffffffff88bb6e49 RDI: 0000000000000003
+RBP: ffff88802cd9ee08 R08: 0000000000000000 R09: ffffffff8d0e6647
+R10: ffffffff88bb6dc2 R11: 0000000000000000 R12: ffff88803791ae08
+R13: dffffc0000000000 R14: 00000000e600ffce R15: ffff888073ed3480
+FS:  00007fed10fa0700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b2c322000 CR3: 00000000164a6000 CR4: 00000000001506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ register_netdevice+0xadf/0x1500 net/core/dev.c:10347
+ ipcaif_newlink+0x4c/0x260 net/caif/chnl_net.c:468
+ __rtnl_newlink+0x106d/0x1750 net/core/rtnetlink.c:3458
+ rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3506
+ rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5572
+ netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
+ netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
+ netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929
+ sock_sendmsg_nosec net/socket.c:704 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:724
+ __sys_sendto+0x21c/0x320 net/socket.c:2036
+ __do_sys_sendto net/socket.c:2048 [inline]
+ __se_sys_sendto net/socket.c:2044 [inline]
+ __x64_sys_sendto+0xdd/0x1b0 net/socket.c:2044
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: cc36a070b590 ("net-caif: add CAIF netdevice")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/chnl_net.c |   19 +++----------------
+ 1 file changed, 3 insertions(+), 16 deletions(-)
+
+--- a/net/caif/chnl_net.c
++++ b/net/caif/chnl_net.c
+@@ -54,20 +54,6 @@ struct chnl_net {
+       enum caif_states state;
+ };
+-static void robust_list_del(struct list_head *delete_node)
+-{
+-      struct list_head *list_node;
+-      struct list_head *n;
+-      ASSERT_RTNL();
+-      list_for_each_safe(list_node, n, &chnl_net_list) {
+-              if (list_node == delete_node) {
+-                      list_del(list_node);
+-                      return;
+-              }
+-      }
+-      WARN_ON(1);
+-}
+-
+ static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt)
+ {
+       struct sk_buff *skb;
+@@ -369,6 +355,7 @@ static int chnl_net_init(struct net_devi
+       ASSERT_RTNL();
+       priv = netdev_priv(dev);
+       strncpy(priv->name, dev->name, sizeof(priv->name));
++      INIT_LIST_HEAD(&priv->list_field);
+       return 0;
+ }
+@@ -377,7 +364,7 @@ static void chnl_net_uninit(struct net_d
+       struct chnl_net *priv;
+       ASSERT_RTNL();
+       priv = netdev_priv(dev);
+-      robust_list_del(&priv->list_field);
++      list_del_init(&priv->list_field);
+ }
+ static const struct net_device_ops netdev_ops = {
+@@ -542,7 +529,7 @@ static void __exit chnl_exit_module(void
+       rtnl_lock();
+       list_for_each_safe(list_node, _tmp, &chnl_net_list) {
+               dev = list_entry(list_node, struct chnl_net, list_field);
+-              list_del(list_node);
++              list_del_init(list_node);
+               delete_device(dev);
+       }
+       rtnl_unlock();
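Review bot: `list_del_init(&priv->list_field)` in `chnl_net_uninit()` is safe for a device that was never linked into `chnl_net_list` only because `chnl_net_init()` now self-initialises the node, and neither site says so. A comment at the uninit call, e.g. `/* no-op if never linked: list_field is initialised in chnl_net_init() */`, would keep the two in step. Any remaining plain `list_del()` on `list_field` outside these hunks would leave poisoned pointers for the later `list_del_init()` in uninit to follow, so the rest of the file should be checked for one; both function bodies extend beyond the hunks shown.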
diff --git a/queue-4.14/net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch b/queue-4.14/net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch
new file mode 100644 (file)
index 0000000..6f42236
--- /dev/null
@@ -0,0 +1,43 @@
+From 9b6ff7eb666415e1558f1ba8a742f5db6a9954de Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Thu, 9 Sep 2021 12:32:00 +0800
+Subject: net/l2tp: Fix reference count leak in l2tp_udp_recv_core
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+commit 9b6ff7eb666415e1558f1ba8a742f5db6a9954de upstream.
+
+The reference count leak issue may take place in an error handling
+path. If both conditions of tunnel->version == L2TP_HDR_VER_3 and the
+return value of l2tp_v3_ensure_opt_in_linear is nonzero, the function
+would directly jump to label invalid, without decrementing the reference
+count of the l2tp_session object session increased earlier by
+l2tp_tunnel_get_session(). This may result in refcount leaks.
+
+Fix this issue by decrease the reference count before jumping to the
+label invalid.
+
+Fixes: 4522a70db7aa ("l2tp: fix reading optional fields of L2TPv3")
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_core.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -994,8 +994,10 @@ static int l2tp_udp_recv_core(struct l2t
+       }
+       if (tunnel->version == L2TP_HDR_VER_3 &&
+-          l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr))
++          l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr)) {
++              l2tp_session_dec_refcount(session);
+               goto error;
++      }
+       l2tp_recv_common(session, skb, ptr, optr, hdrflags, length, payload_hook);
+       l2tp_session_dec_refcount(session);
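Review bot: The added `l2tp_session_dec_refcount(session)` before `goto error` is correct only if the `error` label does not itself release the session, and that label's body is outside the hunk. The commit message speaks of a label named `invalid` while the 4.14 code jumps to `error`, so the error path in this tree differs from the one the fix was written against. If `error` or anything it falls through to already drops the reference, this turns the leak into a double put and a possible use-after-free of the session, so the label should be read in the 4.14 source before the patch is queued.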
diff --git a/queue-4.14/ptp-dp83640-don-t-define-page0.patch b/queue-4.14/ptp-dp83640-don-t-define-page0.patch
new file mode 100644 (file)
index 0000000..6f7797f
--- /dev/null
@@ -0,0 +1,46 @@
+From 7366c23ff492ad260776a3ee1aaabba9fc773a8b Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Mon, 13 Sep 2021 15:06:05 -0700
+Subject: ptp: dp83640: don't define PAGE0
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 7366c23ff492ad260776a3ee1aaabba9fc773a8b upstream.
+
+Building dp83640.c on arch/parisc/ produces a build warning for
+PAGE0 being redefined. Since the macro is not used in the dp83640
+driver, just make it a comment for documentation purposes.
+
+In file included from ../drivers/net/phy/dp83640.c:23:
+../drivers/net/phy/dp83640_reg.h:8: warning: "PAGE0" redefined
+    8 | #define PAGE0                     0x0000
+                 from ../drivers/net/phy/dp83640.c:11:
+../arch/parisc/include/asm/page.h:187: note: this is the location of the previous definition
+  187 | #define PAGE0   ((struct zeropage *)__PAGE_OFFSET)
+
+Fixes: cb646e2b02b2 ("ptp: Added a clock driver for the National Semiconductor PHYTER.")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Richard Cochran <richard.cochran@omicron.at>
+Cc: John Stultz <john.stultz@linaro.org>
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20210913220605.19682-1-rdunlap@infradead.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/dp83640_reg.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/dp83640_reg.h
++++ b/drivers/net/phy/dp83640_reg.h
+@@ -5,7 +5,7 @@
+ #ifndef HAVE_DP83640_REGISTERS
+ #define HAVE_DP83640_REGISTERS
+-#define PAGE0                     0x0000
++/* #define PAGE0                  0x0000 */
+ #define PHYCR2                    0x001c /* PHY Control Register 2 */
+ #define PAGE4                     0x0004
diff --git a/queue-4.14/r6040-restore-mdio-clock-frequency-after-mac-reset.patch b/queue-4.14/r6040-restore-mdio-clock-frequency-after-mac-reset.patch
new file mode 100644 (file)
index 0000000..d21e648
--- /dev/null
@@ -0,0 +1,73 @@
+From e3f0cc1a945fcefec0c7c9d9dfd028a51daa1846 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Thu, 9 Sep 2021 10:33:28 -0700
+Subject: r6040: Restore MDIO clock frequency after MAC reset
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit e3f0cc1a945fcefec0c7c9d9dfd028a51daa1846 upstream.
+
+A number of users have reported that they were not able to get the PHY
+to successfully link up, especially after commit c36757eb9dee ("net:
+phy: consider AN_RESTART status when reading link status") where we
+stopped reading just BMSR, but we also read BMCR to determine the link
+status.
+
+Andrius at NetBSD did a wonderful job at debugging the problem
+and found out that the MDIO bus clock frequency would be incorrectly set
+back to its default value which would prevent the MDIO bus controller
+from reading PHY registers properly. Back when we only read BMSR, if we
+read all 1s, we could falsely indicate a link status, though in general
+there is a cable plugged in, so this went unnoticed. After a second read
+of BMCR was added, a wrong read will lead to the inability to determine
+a link UP condition which is when it started to be visibly broken, even
+if it was long before that.
+
+The fix consists in restoring the value of the MD_CSR register that was
+set prior to the MAC reset.
+
+Link: http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=53494
+Fixes: 90f750a81a29 ("r6040: consolidate MAC reset to its own function")
+Reported-by: Andrius V <vezhlys@gmail.com>
+Reported-by: Darek Strugacz <darek.strugacz@op.pl>
+Tested-by: Darek Strugacz <darek.strugacz@op.pl>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/rdc/r6040.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/rdc/r6040.c
++++ b/drivers/net/ethernet/rdc/r6040.c
+@@ -133,6 +133,8 @@
+ #define PHY_ST                0x8A    /* PHY status register */
+ #define MAC_SM                0xAC    /* MAC status machine */
+ #define  MAC_SM_RST   0x0002  /* MAC status machine reset */
++#define MD_CSC                0xb6    /* MDC speed control register */
++#define  MD_CSC_DEFAULT       0x0030
+ #define MAC_ID                0xBE    /* Identifier register */
+ #define TX_DCNT               0x80    /* TX descriptor count */
+@@ -368,8 +370,9 @@ static void r6040_reset_mac(struct r6040
+ {
+       void __iomem *ioaddr = lp->base;
+       int limit = MAC_DEF_TIMEOUT;
+-      u16 cmd;
++      u16 cmd, md_csc;
++      md_csc = ioread16(ioaddr + MD_CSC);
+       iowrite16(MAC_RST, ioaddr + MCR1);
+       while (limit--) {
+               cmd = ioread16(ioaddr + MCR1);
+@@ -381,6 +384,10 @@ static void r6040_reset_mac(struct r6040
+       iowrite16(MAC_SM_RST, ioaddr + MAC_SM);
+       iowrite16(0, ioaddr + MAC_SM);
+       mdelay(5);
++
++      /* Restore MDIO clock frequency */
++      if (md_csc != MD_CSC_DEFAULT)
++              iowrite16(md_csc, ioaddr + MD_CSC);
+ }
+ static void r6040_init_mac_regs(struct net_device *dev)
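Review bot: `MD_CSC_DEFAULT` is the only new define without a trailing comment, and the restore in `r6040_reset_mac()` silently depends on it: when the saved value equals `0x0030` nothing is written back, on the assumption that the reset leaves the register at exactly that value. Suggest documenting it in line with its neighbours, `#define  MD_CSC_DEFAULT       0x0030  /* MDC speed control value after MAC reset */`, hedged to whatever the datasheet actually states. The commit message calls the register MD_CSR while the code uses `MD_CSC`; the code name is the one to keep consistent in any follow-up.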
diff --git a/queue-4.14/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch b/queue-4.14/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch
new file mode 100644 (file)
index 0000000..8b4133b
--- /dev/null
@@ -0,0 +1,80 @@
+From d7807a9adf4856171f8441f13078c33941df48ab Mon Sep 17 00:00:00 2001
+From: Yajun Deng <yajun.deng@linux.dev>
+Date: Mon, 13 Sep 2021 12:04:42 +0800
+Subject: Revert "ipv4: fix memory leaks in ip_cmsg_send() callers"
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+commit d7807a9adf4856171f8441f13078c33941df48ab upstream.
+
+This reverts commit 919483096bfe75dda338e98d56da91a263746a0a.
+
+There is only when ip_options_get() return zero need to free.
+It already called kfree() when return error.
+
+Fixes: 919483096bfe ("ipv4: fix memory leaks in ip_cmsg_send() callers")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_sockglue.c |    2 +-
+ net/ipv4/ping.c        |    5 ++---
+ net/ipv4/raw.c         |    5 ++---
+ net/ipv4/udp.c         |    4 +---
+ 4 files changed, 6 insertions(+), 10 deletions(-)
+
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -277,7 +277,7 @@ int ip_cmsg_send(struct sock *sk, struct
+               case IP_RETOPTS:
+                       err = cmsg->cmsg_len - sizeof(struct cmsghdr);
+-                      /* Our caller is responsible for freeing ipc->opt */
++                      /* Our caller is responsible for freeing ipc->opt when err = 0 */
+                       err = ip_options_get(net, &ipc->opt, CMSG_DATA(cmsg),
+                                            err < 40 ? err : 40);
+                       if (err)
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -749,10 +749,9 @@ static int ping_v4_sendmsg(struct sock *
+       if (msg->msg_controllen) {
+               err = ip_cmsg_send(sk, msg, &ipc, false);
+-              if (unlikely(err)) {
+-                      kfree(ipc.opt);
++              if (unlikely(err))
+                       return err;
+-              }
++
+               if (ipc.opt)
+                       free = 1;
+       }
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -571,10 +571,9 @@ static int raw_sendmsg(struct sock *sk,
+       if (msg->msg_controllen) {
+               err = ip_cmsg_send(sk, msg, &ipc, false);
+-              if (unlikely(err)) {
+-                      kfree(ipc.opt);
++              if (unlikely(err))
+                       goto out;
+-              }
++
+               if (ipc.opt)
+                       free = 1;
+       }
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -955,10 +955,8 @@ int udp_sendmsg(struct sock *sk, struct
+       if (msg->msg_controllen) {
+               err = ip_cmsg_send(sk, msg, &ipc, sk->sk_family == AF_INET6);
+-              if (unlikely(err)) {
+-                      kfree(ipc.opt);
++              if (unlikely(err))
+                       return err;
+-              }
+               if (ipc.opt)
+                       free = 1;
+               connected = 0;
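Review bot: Dropping `kfree(ipc.opt)` from the error branches in `ping_v4_sendmsg()`, `raw_sendmsg()` and `udp_sendmsg()` is safe only if `ip_cmsg_send()` can never return an error while `ipc.opt` is still allocated. The `case IP_RETOPTS:` context shows the allocation happens inside a per-message switch, so if one call handles several control messages (the loop is outside the hunk), an earlier IP_RETOPTS can succeed and a later message fail; the callers then return with `err` set and nothing frees the options. The commit message covers only the case where `ip_options_get()` itself fails. Unless `ip_cmsg_send()` in this tree frees `ipc->opt` on every error return, the callers should keep `kfree(ipc.opt);` in the `if (unlikely(err))` branch, which is harmless when the pointer is NULL.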
index a587678e2ff7f0b9989d6dc6e90ac4e2e3db801d..329b500274a1895b3d8c293e488d3e4128f8f61e 100644 (file)
@@ -192,3 +192,14 @@ xen-reset-legacy-rtc-flag-for-pv-domu.patch
 bnx2x-fix-enabling-network-interfaces-without-vfs.patch
 pm-base-power-don-t-try-to-use-non-existing-rtc-for-storing-data.patch
 x86-mm-fix-kern_addr_valid-to-cope-with-existing-but-not-present-entries.patch
+net-caif-avoid-user-triggerable-warn_on-1.patch
+ptp-dp83640-don-t-define-page0.patch
+dccp-don-t-duplicate-ccid-when-cloning-dccp-sock.patch
+net-l2tp-fix-reference-count-leak-in-l2tp_udp_recv_core.patch
+r6040-restore-mdio-clock-frequency-after-mac-reset.patch
+tipc-increase-timeout-in-tipc_sk_enqueue.patch
+events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch
+net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
+revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch
+tcp-fix-tp-undo_retrans-accounting-in-tcp_sacktag_one.patch
+ibmvnic-check-failover_pending-in-login-response.patch
diff --git a/queue-4.14/tcp-fix-tp-undo_retrans-accounting-in-tcp_sacktag_one.patch b/queue-4.14/tcp-fix-tp-undo_retrans-accounting-in-tcp_sacktag_one.patch
new file mode 100644 (file)
index 0000000..80198a5
--- /dev/null
@@ -0,0 +1,42 @@
+From 4f884f3962767877d7aabbc1ec124d2c307a4257 Mon Sep 17 00:00:00 2001
+From: zhenggy <zhenggy@chinatelecom.cn>
+Date: Tue, 14 Sep 2021 09:51:15 +0800
+Subject: tcp: fix tp->undo_retrans accounting in tcp_sacktag_one()
+
+From: zhenggy <zhenggy@chinatelecom.cn>
+
+commit 4f884f3962767877d7aabbc1ec124d2c307a4257 upstream.
+
+Commit 10d3be569243 ("tcp-tso: do not split TSO packets at retransmit
+time") may directly retrans a multiple segments TSO/GSO packet without
+split, Since this commit, we can no longer assume that a retransmitted
+packet is a single segment.
+
+This patch fixes the tp->undo_retrans accounting in tcp_sacktag_one()
+that use the actual segments(pcount) of the retransmitted packet.
+
+Before that commit (10d3be569243), the assumption underlying the
+tp->undo_retrans-- seems correct.
+
+Fixes: 10d3be569243 ("tcp-tso: do not split TSO packets at retransmit time")
+Signed-off-by: zhenggy <zhenggy@chinatelecom.cn>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1225,7 +1225,7 @@ static u8 tcp_sacktag_one(struct sock *s
+       if (dup_sack && (sacked & TCPCB_RETRANS)) {
+               if (tp->undo_marker && tp->undo_retrans > 0 &&
+                   after(end_seq, tp->undo_marker))
+-                      tp->undo_retrans--;
++                      tp->undo_retrans = max_t(int, 0, tp->undo_retrans - pcount);
+               if (sacked & TCPCB_SACKED_ACKED)
+                       state->reord = min(fack_count, state->reord);
+       }
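Review bot: The new `tp->undo_retrans = max_t(int, 0, tp->undo_retrans - pcount);` has no comment, so the reason a decrement became a clamped subtraction is only in the commit message. Suggest a line above it such as `/* a retransmitted skb may cover pcount segments; do not let the counter go negative */`. `pcount` comes from the parameter list of `tcp_sacktag_one()`, which the hunk header truncates, so its type and the guarantee that it is positive cannot be checked from here.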
diff --git a/queue-4.14/tipc-increase-timeout-in-tipc_sk_enqueue.patch b/queue-4.14/tipc-increase-timeout-in-tipc_sk_enqueue.patch
new file mode 100644 (file)
index 0000000..fcfaeff
--- /dev/null
@@ -0,0 +1,39 @@
+From f4bb62e64c88c93060c051195d3bbba804e56945 Mon Sep 17 00:00:00 2001
+From: Hoang Le <hoang.h.le@dektech.com.au>
+Date: Mon, 13 Sep 2021 16:28:52 +0700
+Subject: tipc: increase timeout in tipc_sk_enqueue()
+
+From: Hoang Le <hoang.h.le@dektech.com.au>
+
+commit f4bb62e64c88c93060c051195d3bbba804e56945 upstream.
+
+In tipc_sk_enqueue() we use hardcoded 2 jiffies to extract
+socket buffer from generic queue to particular socket.
+The 2 jiffies is too short in case there are other high priority
+tasks get CPU cycles for multiple jiffies update. As result, no
+buffer could be enqueued to particular socket.
+
+To solve this, we switch to use constant timeout 20msecs.
+Then, the function will be expired between 2 jiffies (CONFIG_100HZ)
+and 20 jiffies (CONFIG_1000HZ).
+
+Fixes: c637c1035534 ("tipc: resolve race problem at unicast message reception")
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/socket.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -1775,7 +1775,7 @@ static int tipc_backlog_rcv(struct sock
+ static void tipc_sk_enqueue(struct sk_buff_head *inputq, struct sock *sk,
+                           u32 dport, struct sk_buff_head *xmitq)
+ {
+-      unsigned long time_limit = jiffies + 2;
++      unsigned long time_limit = jiffies + usecs_to_jiffies(20000);
+       struct sk_buff *skb;
+       unsigned int lim;
+       atomic_t *dcnt;
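Review bot: `usecs_to_jiffies(20000)` states a 20 ms limit in microseconds, which is easy to misread by a factor of ten and does not match the unit the commit message uses. The same value reads more directly as `unsigned long time_limit = jiffies + msecs_to_jiffies(20);`. The loop that consumes `time_limit` is outside the hunk, so how the longer limit interacts with the queue limits there cannot be judged from this page.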