5.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 20 Sep 2021 08:42:54 +0000 (10:42 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 20 Sep 2021 08:42:54 +0000 (10:42 +0200)
added patches:
events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch
gen_compile_commands-fix-missing-sys-package.patch
net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch
net-ipa-initialize-all-filter-table-slots.patch
powerpc-64s-system-call-scv-tabort-fix-for-corrupt-irq-soft-mask-state.patch
revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch
vhost_net-fix-oob-on-sendmsg-failure.patch

queue-5.14/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch [new file with mode: 0644]
queue-5.14/gen_compile_commands-fix-missing-sys-package.patch [new file with mode: 0644]
queue-5.14/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch [new file with mode: 0644]
queue-5.14/net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch [new file with mode: 0644]
queue-5.14/net-ipa-initialize-all-filter-table-slots.patch [new file with mode: 0644]
queue-5.14/powerpc-64s-system-call-scv-tabort-fix-for-corrupt-irq-soft-mask-state.patch [new file with mode: 0644]
queue-5.14/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch [new file with mode: 0644]
queue-5.14/series
queue-5.14/vhost_net-fix-oob-on-sendmsg-failure.patch [new file with mode: 0644]

diff --git a/queue-5.14/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch b/queue-5.14/events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch
new file mode 100644 (file)
index 0000000..09bc367
--- /dev/null
@@ -0,0 +1,36 @@
+From b89a05b21f46150ac10a962aa50109250b56b03b Mon Sep 17 00:00:00 2001
+From: Baptiste Lepers <baptiste.lepers@gmail.com>
+Date: Mon, 6 Sep 2021 11:53:10 +1000
+Subject: events: Reuse value read using READ_ONCE instead of re-reading it
+
+From: Baptiste Lepers <baptiste.lepers@gmail.com>
+
+commit b89a05b21f46150ac10a962aa50109250b56b03b upstream.
+
+In perf_event_addr_filters_apply, the task associated with
+the event (event->ctx->task) is read using READ_ONCE at the beginning
+of the function, checked, and then re-read from event->ctx->task,
+voiding all guarantees of the checks. Reuse the value that was read by
+READ_ONCE to ensure the consistency of the task struct throughout the
+function.
+
+Fixes: 375637bc52495 ("perf/core: Introduce address range filtering")
+Signed-off-by: Baptiste Lepers <baptiste.lepers@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20210906015310.12802-1-baptiste.lepers@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -10192,7 +10192,7 @@ static void perf_event_addr_filters_appl
+               return;
+       if (ifh->nr_file_filters) {
+-              mm = get_task_mm(event->ctx->task);
++              mm = get_task_mm(task);
+               if (!mm)
+                       goto restart;
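Review bot: The new `get_task_mm(task)` at L63 is only safe because `task` is the READ_ONCE() snapshot taken and checked at the top of perf_event_addr_filters_apply, which lies outside the hunk; nothing on the line itself records that invariant, so a later edit could reintroduce a fresh `event->ctx->task` read. A one-line comment would pin it: `/* use the snapshotted task, not event->ctx->task: the check above only holds for the value read once */`. As far as the visible lines show the substitution is correct, and a NULL return from get_task_mm is already handled by the `goto restart` that follows.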
diff --git a/queue-5.14/gen_compile_commands-fix-missing-sys-package.patch b/queue-5.14/gen_compile_commands-fix-missing-sys-package.patch
new file mode 100644 (file)
index 0000000..4ad7ec6
--- /dev/null
@@ -0,0 +1,31 @@
+From ec783c7cb2495c5a3b8ca10db8056d43c528f940 Mon Sep 17 00:00:00 2001
+From: Kortan <kortanzh@gmail.com>
+Date: Wed, 8 Sep 2021 11:28:48 +0800
+Subject: gen_compile_commands: fix missing 'sys' package
+
+From: Kortan <kortanzh@gmail.com>
+
+commit ec783c7cb2495c5a3b8ca10db8056d43c528f940 upstream.
+
+We need to import the 'sys' package since the script has called
+sys.exit() method.
+
+Fixes: 6ad7cbc01527 ("Makefile: Add clang-tidy and static analyzer support to makefile")
+Signed-off-by: Kortan <kortanzh@gmail.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/clang-tools/gen_compile_commands.py |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/scripts/clang-tools/gen_compile_commands.py
++++ b/scripts/clang-tools/gen_compile_commands.py
+@@ -13,6 +13,7 @@ import logging
+ import os
+ import re
+ import subprocess
++import sys
+ _DEFAULT_OUTPUT = 'compile_commands.json'
+ _DEFAULT_LOG_LEVEL = 'WARNING'
diff --git a/queue-5.14/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch b/queue-5.14/net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
new file mode 100644 (file)
index 0000000..4e1d6ba
--- /dev/null
@@ -0,0 +1,97 @@
+From 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 8 Sep 2021 17:00:29 -0700
+Subject: net/af_unix: fix a data-race in unix_dgram_poll
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 upstream.
+
+syzbot reported another data-race in af_unix [1]
+
+Lets change __skb_insert() to use WRITE_ONCE() when changing
+skb head qlen.
+
+Also, change unix_dgram_poll() to use lockless version
+of unix_recvq_full()
+
+It is verry possible we can switch all/most unix_recvq_full()
+to the lockless version, this will be done in a future kernel version.
+
+[1] HEAD commit: 8596e589b787732c8346f0482919e83cc9362db1
+
+BUG: KCSAN: data-race in skb_queue_tail / unix_dgram_poll
+
+write to 0xffff88814eeb24e0 of 4 bytes by task 25815 on cpu 0:
+ __skb_insert include/linux/skbuff.h:1938 [inline]
+ __skb_queue_before include/linux/skbuff.h:2043 [inline]
+ __skb_queue_tail include/linux/skbuff.h:2076 [inline]
+ skb_queue_tail+0x80/0xa0 net/core/skbuff.c:3264
+ unix_dgram_sendmsg+0xff2/0x1600 net/unix/af_unix.c:1850
+ sock_sendmsg_nosec net/socket.c:703 [inline]
+ sock_sendmsg net/socket.c:723 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2392
+ ___sys_sendmsg net/socket.c:2446 [inline]
+ __sys_sendmmsg+0x315/0x4b0 net/socket.c:2532
+ __do_sys_sendmmsg net/socket.c:2561 [inline]
+ __se_sys_sendmmsg net/socket.c:2558 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2558
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff88814eeb24e0 of 4 bytes by task 25834 on cpu 1:
+ skb_queue_len include/linux/skbuff.h:1869 [inline]
+ unix_recvq_full net/unix/af_unix.c:194 [inline]
+ unix_dgram_poll+0x2bc/0x3e0 net/unix/af_unix.c:2777
+ sock_poll+0x23e/0x260 net/socket.c:1288
+ vfs_poll include/linux/poll.h:90 [inline]
+ ep_item_poll fs/eventpoll.c:846 [inline]
+ ep_send_events fs/eventpoll.c:1683 [inline]
+ ep_poll fs/eventpoll.c:1798 [inline]
+ do_epoll_wait+0x6ad/0xf00 fs/eventpoll.c:2226
+ __do_sys_epoll_wait fs/eventpoll.c:2238 [inline]
+ __se_sys_epoll_wait fs/eventpoll.c:2233 [inline]
+ __x64_sys_epoll_wait+0xf6/0x120 fs/eventpoll.c:2233
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x0000001b -> 0x00000001
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 25834 Comm: syz-executor.1 Tainted: G        W         5.14.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 86b18aaa2b5b ("skbuff: fix a data race in skb_queue_len()")
+Cc: Qian Cai <cai@lca.pw>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h |    2 +-
+ net/unix/af_unix.c     |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1935,7 +1935,7 @@ static inline void __skb_insert(struct s
+       WRITE_ONCE(newsk->prev, prev);
+       WRITE_ONCE(next->prev, newsk);
+       WRITE_ONCE(prev->next, newsk);
+-      list->qlen++;
++      WRITE_ONCE(list->qlen, list->qlen + 1);
+ }
+ static inline void __skb_queue_splice(const struct sk_buff_head *list,
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2774,7 +2774,7 @@ static __poll_t unix_dgram_poll(struct f
+               other = unix_peer(sk);
+               if (other && unix_peer(other) != sk &&
+-                  unix_recvq_full(other) &&
++                  unix_recvq_full_lockless(other) &&
+                   unix_dgram_peer_wake_me(sk, other))
+                       writable = 0;
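Review bot: The lockless reader introduced at L197 is only race-free if every writer of `qlen` on the peer's receive queue goes through WRITE_ONCE(), and the hunk converts only `__skb_insert`; the splice helpers that follow it in skbuff.h (`__skb_queue_splice` is visible at L190, and the `skb_queue_splice*` variants add one queue's `qlen` to another's) should be checked for remaining plain `qlen` writes, which KCSAN would flag next against the same read. The plain `list->qlen` read inside the new `WRITE_ONCE(list->qlen, list->qlen + 1)` at L188 is fine provided callers hold the queue lock, which the commit message implies but the hunk does not show; a comment there such as `/* lockless readers use the READ_ONCE accessor; writers must still hold the queue lock */` would make that contract explicit. unix_dgram_poll starts before the hunk.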
diff --git a/queue-5.14/net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch b/queue-5.14/net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch
new file mode 100644 (file)
index 0000000..97b9b09
--- /dev/null
@@ -0,0 +1,57 @@
+From 6a52e73368038f47f6618623d75061dc263b26ae Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Tue, 14 Sep 2021 16:43:31 +0300
+Subject: net: dsa: destroy the phylink instance on any error in dsa_slave_phy_setup
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+commit 6a52e73368038f47f6618623d75061dc263b26ae upstream.
+
+DSA supports connecting to a phy-handle, and has a fallback to a non-OF
+based method of connecting to an internal PHY on the switch's own MDIO
+bus, if no phy-handle and no fixed-link nodes were present.
+
+The -ENODEV error code from the first attempt (phylink_of_phy_connect)
+is what triggers the second attempt (phylink_connect_phy).
+
+However, when the first attempt returns a different error code than
+-ENODEV, this results in an unbalance of calls to phylink_create and
+phylink_destroy by the time we exit the function. The phylink instance
+has leaked.
+
+There are many other error codes that can be returned by
+phylink_of_phy_connect. For example, phylink_validate returns -EINVAL.
+So this is a practical issue too.
+
+Fixes: aab9c4067d23 ("net: dsa: Plug in PHYLINK support")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Link: https://lore.kernel.org/r/20210914134331.2303380-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/slave.c |   12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -1784,13 +1784,11 @@ static int dsa_slave_phy_setup(struct ne
+                * use the switch internal MDIO bus instead
+                */
+               ret = dsa_slave_phy_connect(slave_dev, dp->index, phy_flags);
+-              if (ret) {
+-                      netdev_err(slave_dev,
+-                                 "failed to connect to port %d: %d\n",
+-                                 dp->index, ret);
+-                      phylink_destroy(dp->pl);
+-                      return ret;
+-              }
++      }
++      if (ret) {
++              netdev_err(slave_dev, "failed to connect to PHY: %pe\n",
++                         ERR_PTR(ret));
++              phylink_destroy(dp->pl);
+       }
+       return ret;
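Review bot: After `phylink_destroy(dp->pl)` at L258 the function returns an error with `dp->pl` still pointing at freed memory; if any teardown path in the caller tests or destroys `dp->pl` (not visible here) that is a double free waiting to happen, so `dp->pl = NULL;` right after the destroy is a cheap guard. The consolidated message at L256 also dropped `dp->index` from the old text; netdev_err prints the netdev name so the port is recoverable, but on a multi-port switch `netdev_err(slave_dev, "failed to connect to PHY on port %d: %pe\n", dp->index, ERR_PTR(ret));` keeps the same information the removed message carried. dsa_slave_phy_setup begins before the hunk, where the `-ENODEV`-only fallback condition this change relies on lives.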
diff --git a/queue-5.14/net-ipa-initialize-all-filter-table-slots.patch b/queue-5.14/net-ipa-initialize-all-filter-table-slots.patch
new file mode 100644 (file)
index 0000000..2aca7a2
--- /dev/null
@@ -0,0 +1,47 @@
+From b5c102238cea985d8126b173d06b9e1de88037ee Mon Sep 17 00:00:00 2001
+From: Alex Elder <elder@linaro.org>
+Date: Tue, 7 Sep 2021 12:05:54 -0500
+Subject: net: ipa: initialize all filter table slots
+
+From: Alex Elder <elder@linaro.org>
+
+commit b5c102238cea985d8126b173d06b9e1de88037ee upstream.
+
+There is an off-by-one problem in ipa_table_init_add(), when
+initializing filter tables.
+
+In that function, the number of filter table entries is determined
+based on the number of set bits in the filter map.  However that
+count does *not* include the extra "slot" in the filter table that
+holds the filter map itself.  Meanwhile, ipa_table_addr() *does*
+include the filter map in the memory it returns, but because the
+count it's provided doesn't include it, it includes one too few
+table entries.
+
+Fix this by including the extra slot for the filter map in the count
+computed in ipa_table_init_add().
+
+Note: ipa_filter_reset_table() does not have this problem; it resets
+filter table entries one by one, but does not overwrite the filter
+bitmap.
+
+Fixes: 2b9feef2b6c2 ("soc: qcom: ipa: filter and routing tables")
+Signed-off-by: Alex Elder <elder@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipa/ipa_table.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ipa/ipa_table.c
++++ b/drivers/net/ipa/ipa_table.c
+@@ -430,7 +430,8 @@ static void ipa_table_init_add(struct gs
+        * table region determines the number of entries it has.
+        */
+       if (filter) {
+-              count = hweight32(ipa->filter_map);
++              /* Include one extra "slot" to hold the filter map itself */
++              count = 1 + hweight32(ipa->filter_map);
+               hash_count = hash_mem->size ? count : 0;
+       } else {
+               count = mem->size / sizeof(__le64);
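Review bot: `count = 1 + hweight32(ipa->filter_map)` at L309 now exceeds the number of set bits by one, so the memory region backing the filter table must have room for the extra slot, yet nothing in the hunk checks that `count * sizeof(__le64)` still fits in `mem->size` (the routing branch at L312 derives count from the size, the filter branch does not). A defensive `WARN_ON_ONCE(count * sizeof(__le64) > mem->size)` before computing hash_count would turn a mismatch between the filter map and the region layout into a diagnosable warning rather than a write past the region. Whether the region size already accounts for the filter-map slot is not visible here; ipa_table_init_add starts and ends outside the hunk.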
diff --git a/queue-5.14/powerpc-64s-system-call-scv-tabort-fix-for-corrupt-irq-soft-mask-state.patch b/queue-5.14/powerpc-64s-system-call-scv-tabort-fix-for-corrupt-irq-soft-mask-state.patch
new file mode 100644 (file)
index 0000000..c3814fb
--- /dev/null
@@ -0,0 +1,163 @@
+From b871895b148256f1721bc565d803860242755a0b Mon Sep 17 00:00:00 2001
+From: Nicholas Piggin <npiggin@gmail.com>
+Date: Fri, 3 Sep 2021 22:57:06 +1000
+Subject: powerpc/64s: system call scv tabort fix for corrupt irq soft-mask state
+
+From: Nicholas Piggin <npiggin@gmail.com>
+
+commit b871895b148256f1721bc565d803860242755a0b upstream.
+
+If a system call is made with a transaction active, the kernel
+immediately aborts it and returns. scv system calls disable irqs even
+earlier in their interrupt handler, and tabort_syscall does not fix this
+up.
+
+This can result in irq soft-mask state being messed up on the next
+kernel entry, and crashing at BUG_ON(arch_irq_disabled_regs(regs)) in
+the kernel exit handlers, or possibly worse.
+
+This can't easily be fixed in asm because at this point an async irq may
+have hit, which is soft-masked and marked pending. The pending interrupt
+has to be replayed before returning to userspace. The fix is to move the
+tabort_syscall code to C in the main syscall handler, and just skip the
+system call but otherwise return as usual, which will take care of the
+pending irqs. This also does a bunch of other things including possible
+signal delivery to the process, but the doomed transaction should still
+be aborted when it is eventually returned to.
+
+The sc system call path is changed to use the new C function as well to
+reduce code and path differences. This slows down how quickly system
+calls are aborted when called while a transaction is active, which could
+potentially impact TM performance. But making any system call is already
+bad for performance, and TM is on the way out, so go with simpler over
+faster.
+
+Fixes: 7fa95f9adaee7 ("powerpc/64s: system call support for scv/rfscv instructions")
+Reported-by: Eirik Fuller <efuller@redhat.com>
+Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+[mpe: Use #ifdef rather than IS_ENABLED() to fix build error on 32-bit]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20210903125707.1601269-1-npiggin@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/interrupt.c    |   30 +++++++++++++++++++++++++++
+ arch/powerpc/kernel/interrupt_64.S |   41 -------------------------------------
+ 2 files changed, 30 insertions(+), 41 deletions(-)
+
+--- a/arch/powerpc/kernel/interrupt.c
++++ b/arch/powerpc/kernel/interrupt.c
+@@ -19,6 +19,7 @@
+ #include <asm/switch_to.h>
+ #include <asm/syscall.h>
+ #include <asm/time.h>
++#include <asm/tm.h>
+ #include <asm/unistd.h>
+ #if defined(CONFIG_PPC_ADV_DEBUG_REGS) && defined(CONFIG_PPC32)
+@@ -138,6 +139,35 @@ notrace long system_call_exception(long
+        */
+       irq_soft_mask_regs_set_state(regs, IRQS_ENABLED);
++      /*
++       * If the system call was made with a transaction active, doom it and
++       * return without performing the system call. Unless it was an
++       * unsupported scv vector, in which case it's treated like an illegal
++       * instruction.
++       */
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++      if (unlikely(MSR_TM_TRANSACTIONAL(regs->msr)) &&
++          !trap_is_unsupported_scv(regs)) {
++              /* Enable TM in the kernel, and disable EE (for scv) */
++              hard_irq_disable();
++              mtmsr(mfmsr() | MSR_TM);
++
++              /* tabort, this dooms the transaction, nothing else */
++              asm volatile(".long 0x7c00071d | ((%0) << 16)"
++                              :: "r"(TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT));
++
++              /*
++               * Userspace will never see the return value. Execution will
++               * resume after the tbegin. of the aborted transaction with the
++               * checkpointed register state. A context switch could occur
++               * or signal delivered to the process before resuming the
++               * doomed transaction context, but that should all be handled
++               * as expected.
++               */
++              return -ENOSYS;
++      }
++#endif // CONFIG_PPC_TRANSACTIONAL_MEM
++
+       local_irq_enable();
+       if (unlikely(current_thread_info()->flags & _TIF_SYSCALL_DOTRACE)) {
+--- a/arch/powerpc/kernel/interrupt_64.S
++++ b/arch/powerpc/kernel/interrupt_64.S
+@@ -12,7 +12,6 @@
+ #include <asm/mmu.h>
+ #include <asm/ppc_asm.h>
+ #include <asm/ptrace.h>
+-#include <asm/tm.h>
+       .section        ".toc","aw"
+ SYS_CALL_TABLE:
+@@ -55,12 +54,6 @@ COMPAT_SYS_CALL_TABLE:
+       .globl system_call_vectored_\name
+ system_call_vectored_\name:
+ _ASM_NOKPROBE_SYMBOL(system_call_vectored_\name)
+-#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+-BEGIN_FTR_SECTION
+-      extrdi. r10, r12, 1, (63-MSR_TS_T_LG) /* transaction active? */
+-      bne     tabort_syscall
+-END_FTR_SECTION_IFSET(CPU_FTR_TM)
+-#endif
+       SCV_INTERRUPT_TO_KERNEL
+       mr      r10,r1
+       ld      r1,PACAKSAVE(r13)
+@@ -247,12 +240,6 @@ _ASM_NOKPROBE_SYMBOL(system_call_common_
+       .globl system_call_common
+ system_call_common:
+ _ASM_NOKPROBE_SYMBOL(system_call_common)
+-#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+-BEGIN_FTR_SECTION
+-      extrdi. r10, r12, 1, (63-MSR_TS_T_LG) /* transaction active? */
+-      bne     tabort_syscall
+-END_FTR_SECTION_IFSET(CPU_FTR_TM)
+-#endif
+       mr      r10,r1
+       ld      r1,PACAKSAVE(r13)
+       std     r10,0(r1)
+@@ -425,34 +412,6 @@ SOFT_MASK_TABLE(.Lsyscall_rst_start, 1b)
+ RESTART_TABLE(.Lsyscall_rst_start, .Lsyscall_rst_end, syscall_restart)
+ #endif
+-#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+-tabort_syscall:
+-_ASM_NOKPROBE_SYMBOL(tabort_syscall)
+-      /* Firstly we need to enable TM in the kernel */
+-      mfmsr   r10
+-      li      r9, 1
+-      rldimi  r10, r9, MSR_TM_LG, 63-MSR_TM_LG
+-      mtmsrd  r10, 0
+-
+-      /* tabort, this dooms the transaction, nothing else */
+-      li      r9, (TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT)
+-      TABORT(R9)
+-
+-      /*
+-       * Return directly to userspace. We have corrupted user register state,
+-       * but userspace will never see that register state. Execution will
+-       * resume after the tbegin of the aborted transaction with the
+-       * checkpointed register state.
+-       */
+-      li      r9, MSR_RI
+-      andc    r10, r10, r9
+-      mtmsrd  r10, 1
+-      mtspr   SPRN_SRR0, r11
+-      mtspr   SPRN_SRR1, r12
+-      RFI_TO_USER
+-      b       .       /* prevent speculative execution */
+-#endif
+-
+       /*
+        * If MSR EE/RI was never enabled, IRQs not reconciled, NVGPRs not
+        * touched, no exit work created, then this can be used.
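Review bot: The inline asm at L390 hardcodes the tabort. opcode as `.long 0x7c00071d` while the assembly it replaces (L456) used the TABORT() macro; if that macro or its opcode constant is usable from C in this file, `asm volatile(TABORT(%0) :: "r"(TM_CAUSE_SYSCALL|TM_CAUSE_PERSISTENT));` or a named constant avoids duplicating a raw opcode that nothing ties back to the instruction. The removed code also ran under `BEGIN_FTR_SECTION ... END_FTR_SECTION_IFSET(CPU_FTR_TM)`, whereas the C version relies on `MSR_TM_TRANSACTIONAL(regs->msr)` never being true on non-TM hardware; that is presumably correct but deserves a sentence in the comment block at L376, e.g. `/* No CPU_FTR_TM check: the TS bits can only be set in regs->msr when TM exists */`. system_call_exception starts before the hunk and continues after it.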
diff --git a/queue-5.14/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch b/queue-5.14/revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch
new file mode 100644 (file)
index 0000000..3e6d112
--- /dev/null
@@ -0,0 +1,81 @@
+From d7807a9adf4856171f8441f13078c33941df48ab Mon Sep 17 00:00:00 2001
+From: Yajun Deng <yajun.deng@linux.dev>
+Date: Mon, 13 Sep 2021 12:04:42 +0800
+Subject: Revert "ipv4: fix memory leaks in ip_cmsg_send() callers"
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+commit d7807a9adf4856171f8441f13078c33941df48ab upstream.
+
+This reverts commit 919483096bfe75dda338e98d56da91a263746a0a.
+
+There is only when ip_options_get() return zero need to free.
+It already called kfree() when return error.
+
+Fixes: 919483096bfe ("ipv4: fix memory leaks in ip_cmsg_send() callers")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_sockglue.c |    2 +-
+ net/ipv4/ping.c        |    5 ++---
+ net/ipv4/raw.c         |    5 ++---
+ net/ipv4/udp.c         |    5 ++---
+ 4 files changed, 7 insertions(+), 10 deletions(-)
+
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -279,7 +279,7 @@ int ip_cmsg_send(struct sock *sk, struct
+               case IP_RETOPTS:
+                       err = cmsg->cmsg_len - sizeof(struct cmsghdr);
+-                      /* Our caller is responsible for freeing ipc->opt */
++                      /* Our caller is responsible for freeing ipc->opt when err = 0 */
+                       err = ip_options_get(net, &ipc->opt,
+                                            KERNEL_SOCKPTR(CMSG_DATA(cmsg)),
+                                            err < 40 ? err : 40);
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -727,10 +727,9 @@ static int ping_v4_sendmsg(struct sock *
+       if (msg->msg_controllen) {
+               err = ip_cmsg_send(sk, msg, &ipc, false);
+-              if (unlikely(err)) {
+-                      kfree(ipc.opt);
++              if (unlikely(err))
+                       return err;
+-              }
++
+               if (ipc.opt)
+                       free = 1;
+       }
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -562,10 +562,9 @@ static int raw_sendmsg(struct sock *sk,
+       if (msg->msg_controllen) {
+               err = ip_cmsg_send(sk, msg, &ipc, false);
+-              if (unlikely(err)) {
+-                      kfree(ipc.opt);
++              if (unlikely(err))
+                       goto out;
+-              }
++
+               if (ipc.opt)
+                       free = 1;
+       }
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1122,10 +1122,9 @@ int udp_sendmsg(struct sock *sk, struct
+               if (err > 0)
+                       err = ip_cmsg_send(sk, msg, &ipc,
+                                          sk->sk_family == AF_INET6);
+-              if (unlikely(err < 0)) {
+-                      kfree(ipc.opt);
++              if (unlikely(err < 0))
+                       return err;
+-              }
++
+               if (ipc.opt)
+                       free = 1;
+               connected = 0;
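Review bot: Dropping the `kfree(ipc.opt)` in the three callers (L522, L536, L551) reintroduces a leak whenever ip_cmsg_send() fails on a control message that comes after an IP_RETOPTS one has already allocated `ipc->opt`: the `case IP_RETOPTS:` at L509 is one arm of a switch that presumably runs once per cmsg, and the new comment at L512 only covers the case where err is 0 on return. ip_options_get() freeing its own allocation on its own error path (the stated motivation) does not cover that ordering, and since the removed kfree was a no-op when ipc.opt was NULL there was no double free to fix. Unless ip_cmsg_send() itself releases ipc->opt before returning an error from a later cmsg (not visible here), the revert should be reconsidered, or ip_cmsg_send should free on every error exit, e.g. `if (err) { kfree(ipc->opt); ipc->opt = NULL; }` at its return point. ip_cmsg_send, ping_v4_sendmsg, raw_sendmsg and udp_sendmsg all extend outside the hunk.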
index 9ffa874e4ad124baef1ed3e82325f13ce98d7f4c..e2b2be058dbd7f611601aed29f0d2aa709e482fe 100644 (file)
@@ -54,3 +54,11 @@ net-mlx5-fix-potential-sleeping-in-atomic-context.patch
 net-stmmac-fix-system-hang-caused-by-eee_ctrl_timer-during-suspend-resume.patch
 igc-fix-tunnel-offloading.patch
 nvme-tcp-fix-io_work-priority-inversion.patch
+powerpc-64s-system-call-scv-tabort-fix-for-corrupt-irq-soft-mask-state.patch
+events-reuse-value-read-using-read_once-instead-of-re-reading-it.patch
+net-ipa-initialize-all-filter-table-slots.patch
+gen_compile_commands-fix-missing-sys-package.patch
+vhost_net-fix-oob-on-sendmsg-failure.patch
+net-af_unix-fix-a-data-race-in-unix_dgram_poll.patch
+net-dsa-destroy-the-phylink-instance-on-any-error-in-dsa_slave_phy_setup.patch
+revert-ipv4-fix-memory-leaks-in-ip_cmsg_send-callers.patch
diff --git a/queue-5.14/vhost_net-fix-oob-on-sendmsg-failure.patch b/queue-5.14/vhost_net-fix-oob-on-sendmsg-failure.patch
new file mode 100644 (file)
index 0000000..d043cfe
--- /dev/null
@@ -0,0 +1,55 @@
+From 3c4cea8fa7f71f00c5279547043a84bc2a4d8b8c Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Wed, 8 Sep 2021 13:42:09 +0200
+Subject: vhost_net: fix OoB on sendmsg() failure.
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 3c4cea8fa7f71f00c5279547043a84bc2a4d8b8c upstream.
+
+If the sendmsg() call in vhost_tx_batch() fails, both the 'batched_xdp'
+and 'done_idx' indexes are left unchanged. If such failure happens
+when batched_xdp == VHOST_NET_BATCH, the next call to
+vhost_net_build_xdp() will access and write memory outside the xdp
+buffers area.
+
+Since sendmsg() can only error with EBADFD, this change addresses the
+issue explicitly freeing the XDP buffers batch on error.
+
+Fixes: 0a0be13b8fe2 ("vhost_net: batch submitting XDP buffers to underlayer sockets")
+Suggested-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/net.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -467,7 +467,7 @@ static void vhost_tx_batch(struct vhost_
+               .num = nvq->batched_xdp,
+               .ptr = nvq->xdp,
+       };
+-      int err;
++      int i, err;
+       if (nvq->batched_xdp == 0)
+               goto signal_used;
+@@ -476,6 +476,15 @@ static void vhost_tx_batch(struct vhost_
+       err = sock->ops->sendmsg(sock, msghdr, 0);
+       if (unlikely(err < 0)) {
+               vq_err(&nvq->vq, "Fail to batch sending packets\n");
++
++              /* free pages owned by XDP; since this is an unlikely error path,
++               * keep it simple and avoid more complex bulk update for the
++               * used pages
++               */
++              for (i = 0; i < nvq->batched_xdp; ++i)
++                      put_page(virt_to_head_page(nvq->xdp[i].data));
++              nvq->batched_xdp = 0;
++              nvq->done_idx = 0;
+               return;
+       }
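Review bot: The new error path at L624-L627 resets `nvq->done_idx` to 0 before returning, which bypasses the `signal_used` path that hands the batched heads back to the guest; as far as the visible lines show those descriptors are silently dropped rather than added to the used ring. If that is intended because the socket is unusable (the commit message says sendmsg can only fail with EBADFD here), the comment at L620 should say so, e.g. `/* the socket is gone: drop the pending heads too, they can never complete */`; otherwise `goto signal_used` after zeroing batched_xdp would still complete them. The loop releases each buffer via `put_page(virt_to_head_page(nvq->xdp[i].data))`, which must mirror how vhost_net_build_xdp allocated them (outside the hunk); vhost_tx_batch starts and ends outside the hunk.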