--- /dev/null
+From f7d9cbb2a485db1801d5bdf7977e4b2cb26bc614 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Sep 2021 15:57:50 -0700
+Subject: af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 35306eb23814444bd4021f8a1c3047d3cb0c8b2b ]
+
+Jann Horn reported that SO_PEERCRED and SO_PEERGROUPS implementations
+are racy, as af_unix can concurrently change sk_peer_pid and sk_peer_cred.
+
+In order to fix this issue, this patch adds a new spinlock that needs
+to be used whenever these fields are read or written.
+
+Jann also pointed out that l2cap_sock_get_peer_pid_cb() is currently
+reading sk->sk_peer_pid which makes no sense, as this field
+is only possibly set by AF_UNIX sockets.
+We will have to clean this in a separate patch.
+This could be done by reverting b48596d1dc25 "Bluetooth: L2CAP: Add get_peer_pid callback"
+or implementing what was truly expected.
+
+Fixes: 109f6e39fa07 ("af_unix: Allow SO_PEERCRED to work across namespaces.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Jann Horn <jannh@google.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 2 ++
+ net/core/sock.c | 32 ++++++++++++++++++++++++++------
+ net/unix/af_unix.c | 34 ++++++++++++++++++++++++++++------
+ 3 files changed, 56 insertions(+), 12 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 70fe85bee4e5..029df5cdeaf1 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -454,8 +454,10 @@ struct sock {
+ u32 sk_ack_backlog;
+ u32 sk_max_ack_backlog;
+ kuid_t sk_uid;
++ spinlock_t sk_peer_lock;
+ struct pid *sk_peer_pid;
+ const struct cred *sk_peer_cred;
++
+ long sk_rcvtimeo;
+ ktime_t sk_stamp;
+ #if BITS_PER_LONG==32
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 699bd3052c61..427024597204 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1069,6 +1069,16 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
+ }
+ EXPORT_SYMBOL(sock_setsockopt);
+
++static const struct cred *sk_get_peer_cred(struct sock *sk)
++{
++ const struct cred *cred;
++
++ spin_lock(&sk->sk_peer_lock);
++ cred = get_cred(sk->sk_peer_cred);
++ spin_unlock(&sk->sk_peer_lock);
++
++ return cred;
++}
+
+ static void cred_to_ucred(struct pid *pid, const struct cred *cred,
+ struct ucred *ucred)
+@@ -1242,7 +1252,11 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+ struct ucred peercred;
+ if (len > sizeof(peercred))
+ len = sizeof(peercred);
++
++ spin_lock(&sk->sk_peer_lock);
+ cred_to_ucred(sk->sk_peer_pid, sk->sk_peer_cred, &peercred);
++ spin_unlock(&sk->sk_peer_lock);
++
+ if (copy_to_user(optval, &peercred, len))
+ return -EFAULT;
+ goto lenout;
+@@ -1250,20 +1264,23 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
+
+ case SO_PEERGROUPS:
+ {
++ const struct cred *cred;
+ int ret, n;
+
+- if (!sk->sk_peer_cred)
++ cred = sk_get_peer_cred(sk);
++ if (!cred)
+ return -ENODATA;
+
+- n = sk->sk_peer_cred->group_info->ngroups;
++ n = cred->group_info->ngroups;
+ if (len < n * sizeof(gid_t)) {
+ len = n * sizeof(gid_t);
++ put_cred(cred);
+ return put_user(len, optlen) ? -EFAULT : -ERANGE;
+ }
+ len = n * sizeof(gid_t);
+
+- ret = groups_to_user((gid_t __user *)optval,
+- sk->sk_peer_cred->group_info);
++ ret = groups_to_user((gid_t __user *)optval, cred->group_info);
++ put_cred(cred);
+ if (ret)
+ return ret;
+ goto lenout;
+@@ -1574,9 +1591,10 @@ static void __sk_destruct(struct rcu_head *head)
+ sk->sk_frag.page = NULL;
+ }
+
+- if (sk->sk_peer_cred)
+- put_cred(sk->sk_peer_cred);
++ /* We do not need to acquire sk->sk_peer_lock, we are the last user. */
++ put_cred(sk->sk_peer_cred);
+ put_pid(sk->sk_peer_pid);
++
+ if (likely(sk->sk_net_refcnt))
+ put_net(sock_net(sk));
+ sk_prot_free(sk->sk_prot_creator, sk);
+@@ -2753,6 +2771,8 @@ void sock_init_data(struct socket *sock, struct sock *sk)
+
+ sk->sk_peer_pid = NULL;
+ sk->sk_peer_cred = NULL;
++ spin_lock_init(&sk->sk_peer_lock);
++
+ sk->sk_write_pending = 0;
+ sk->sk_rcvlowat = 1;
+ sk->sk_rcvtimeo = MAX_SCHEDULE_TIMEOUT;
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index f30509ff302e..0e494902fada 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -595,20 +595,42 @@ static void unix_release_sock(struct sock *sk, int embrion)
+
+ static void init_peercred(struct sock *sk)
+ {
+- put_pid(sk->sk_peer_pid);
+- if (sk->sk_peer_cred)
+- put_cred(sk->sk_peer_cred);
++ const struct cred *old_cred;
++ struct pid *old_pid;
++
++ spin_lock(&sk->sk_peer_lock);
++ old_pid = sk->sk_peer_pid;
++ old_cred = sk->sk_peer_cred;
+ sk->sk_peer_pid = get_pid(task_tgid(current));
+ sk->sk_peer_cred = get_current_cred();
++ spin_unlock(&sk->sk_peer_lock);
++
++ put_pid(old_pid);
++ put_cred(old_cred);
+ }
+
+ static void copy_peercred(struct sock *sk, struct sock *peersk)
+ {
+- put_pid(sk->sk_peer_pid);
+- if (sk->sk_peer_cred)
+- put_cred(sk->sk_peer_cred);
++ const struct cred *old_cred;
++ struct pid *old_pid;
++
++ if (sk < peersk) {
++ spin_lock(&sk->sk_peer_lock);
++ spin_lock_nested(&peersk->sk_peer_lock, SINGLE_DEPTH_NESTING);
++ } else {
++ spin_lock(&peersk->sk_peer_lock);
++ spin_lock_nested(&sk->sk_peer_lock, SINGLE_DEPTH_NESTING);
++ }
++ old_pid = sk->sk_peer_pid;
++ old_cred = sk->sk_peer_cred;
+ sk->sk_peer_pid = get_pid(peersk->sk_peer_pid);
+ sk->sk_peer_cred = get_cred(peersk->sk_peer_cred);
++
++ spin_unlock(&sk->sk_peer_lock);
++ spin_unlock(&peersk->sk_peer_lock);
++
++ put_pid(old_pid);
++ put_cred(old_cred);
+ }
+
+ static int unix_listen(struct socket *sock, int backlog)
+--
+2.33.0
+
--- /dev/null
+From ebf57ee3bfba18e6b113224861a1a8595ed04a19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 10:52:37 -0700
+Subject: e100: fix buffer overrun in e100_get_regs
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 51032e6f17ce990d06123ad7307f258c50d25aa7 ]
+
+The e100_get_regs function is used to implement a simple register dump
+for the e100 device. The data is broken into a couple of MAC control
+registers, and then a series of PHY registers, followed by a memory dump
+buffer.
+
+The total length of the register dump is defined as (1 + E100_PHY_REGS)
+* sizeof(u32) + sizeof(nic->mem->dump_buf).
+
+The logic for filling in the PHY registers uses a convoluted inverted
+count for loop which counts from E100_PHY_REGS (0x1C) down to 0, and
+assigns the slots 1 + E100_PHY_REGS - i. The first loop iteration will
+fill in [1] and the final loop iteration will fill in [1 + 0x1C]. This
+is actually one more than the supposed number of PHY registers.
+
+The memory dump buffer is then filled into the space at
+[2 + E100_PHY_REGS] which will cause that memcpy to assign 4 bytes past
+the total size.
+
+The end result is that we overrun the total buffer size allocated by the
+kernel, which could lead to a panic or other issues due to memory
+corruption.
+
+It is difficult to determine the actual total number of registers
+here. The only 8255x datasheet I could find indicates there are 28 total
+MDI registers. However, we're reading 29 here, and reading them in
+reverse!
+
+In addition, the ethtool e100 register dump interface appears to read
+the first PHY register to determine if the device is in MDI or MDIx
+mode. This doesn't appear to be documented anywhere within the 8255x
+datasheet. I can only assume it must be in register 28 (the extra
+register we're reading here).
+
+Lets not change any of the intended meaning of what we copy here. Just
+extend the space by 4 bytes to account for the extra register and
+continue copying the data out in the same order.
+
+Change the E100_PHY_REGS value to be the correct total (29) so that the
+total register dump size is calculated properly. Fix the offset for
+where we copy the dump buffer so that it doesn't overrun the total size.
+
+Re-write the for loop to use counting up instead of the convoluted
+down-counting. Correct the mdio_read offset to use the 0-based register
+offsets, but maintain the bizarre reverse ordering so that we have the
+ABI expected by applications like ethtool. This requires and additional
+subtraction of 1. It seems a bit odd but it makes the flow of assignment
+into the register buffer easier to follow.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Felicitas Hetzelt <felicitashetzelt@gmail.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e100.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c
+index ae967fa9e502..20961985ed12 100644
+--- a/drivers/net/ethernet/intel/e100.c
++++ b/drivers/net/ethernet/intel/e100.c
+@@ -2459,7 +2459,7 @@ static void e100_get_drvinfo(struct net_device *netdev,
+ sizeof(info->bus_info));
+ }
+
+-#define E100_PHY_REGS 0x1C
++#define E100_PHY_REGS 0x1D
+ static int e100_get_regs_len(struct net_device *netdev)
+ {
+ struct nic *nic = netdev_priv(netdev);
+@@ -2481,14 +2481,18 @@ static void e100_get_regs(struct net_device *netdev,
+ buff[0] = ioread8(&nic->csr->scb.cmd_hi) << 24 |
+ ioread8(&nic->csr->scb.cmd_lo) << 16 |
+ ioread16(&nic->csr->scb.status);
+- for (i = E100_PHY_REGS; i >= 0; i--)
+- buff[1 + E100_PHY_REGS - i] =
+- mdio_read(netdev, nic->mii.phy_id, i);
++ for (i = 0; i < E100_PHY_REGS; i++)
++ /* Note that we read the registers in reverse order. This
++ * ordering is the ABI apparently used by ethtool and other
++ * applications.
++ */
++ buff[1 + i] = mdio_read(netdev, nic->mii.phy_id,
++ E100_PHY_REGS - 1 - i);
+ memset(nic->mem->dump_buf, 0, sizeof(nic->mem->dump_buf));
+ e100_exec_cb(nic, NULL, e100_dump);
+ msleep(10);
+- memcpy(&buff[2 + E100_PHY_REGS], nic->mem->dump_buf,
+- sizeof(nic->mem->dump_buf));
++ memcpy(&buff[1 + E100_PHY_REGS], nic->mem->dump_buf,
++ sizeof(nic->mem->dump_buf));
+ }
+
+ static void e100_get_wol(struct net_device *netdev, struct ethtool_wolinfo *wol)
+--
+2.33.0
+
--- /dev/null
+From 7ab8a2a9ca5a2c338186f8f28e31ccee28d2e4ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Sep 2021 10:52:36 -0700
+Subject: e100: fix length calculation in e100_get_regs_len
+
+From: Jacob Keller <jacob.e.keller@intel.com>
+
+[ Upstream commit 4329c8dc110b25d5f04ed20c6821bb60deff279f ]
+
+commit abf9b902059f ("e100: cleanup unneeded math") tried to simplify
+e100_get_regs_len and remove a double 'divide and then multiply'
+calculation that the e100_reg_regs_len function did.
+
+This change broke the size calculation entirely as it failed to account
+for the fact that the numbered registers are actually 4 bytes wide and
+not 1 byte. This resulted in a significant under allocation of the
+register buffer used by e100_get_regs.
+
+Fix this by properly multiplying the register count by u32 first before
+adding the size of the dump buffer.
+
+Fixes: abf9b902059f ("e100: cleanup unneeded math")
+Reported-by: Felicitas Hetzelt <felicitashetzelt@gmail.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e100.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c
+index a73102357bbd..ae967fa9e502 100644
+--- a/drivers/net/ethernet/intel/e100.c
++++ b/drivers/net/ethernet/intel/e100.c
+@@ -2463,7 +2463,11 @@ static void e100_get_drvinfo(struct net_device *netdev,
+ static int e100_get_regs_len(struct net_device *netdev)
+ {
+ struct nic *nic = netdev_priv(netdev);
+- return 1 + E100_PHY_REGS + sizeof(nic->mem->dump_buf);
++
++ /* We know the number of registers, and the size of the dump buffer.
++ * Calculate the total size in bytes.
++ */
++ return (1 + E100_PHY_REGS) * sizeof(u32) + sizeof(nic->mem->dump_buf);
+ }
+
+ static void e100_get_regs(struct net_device *netdev,
+--
+2.33.0
+
--- /dev/null
+From 1f6633c14ae3a63e0eb1fe17b544631682a95738 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Sep 2021 12:30:11 +0300
+Subject: hwmon: (tmp421) fix rounding for negative values
+
+From: Paul Fertser <fercerpav@gmail.com>
+
+[ Upstream commit 724e8af85854c4d3401313b6dd7d79cf792d8990 ]
+
+Old code produces -24999 for 0b1110011100000000 input in standard format due to
+always rounding up rather than "away from zero".
+
+Use the common macro for division, unify and simplify the conversion code along
+the way.
+
+Fixes: 9410700b881f ("hwmon: Add driver for Texas Instruments TMP421/422/423 sensor chips")
+Signed-off-by: Paul Fertser <fercerpav@gmail.com>
+Link: https://lore.kernel.org/r/20210924093011.26083-3-fercerpav@gmail.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/tmp421.c | 24 ++++++++----------------
+ 1 file changed, 8 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/hwmon/tmp421.c b/drivers/hwmon/tmp421.c
+index ceb3db6f3fdd..c45968454110 100644
+--- a/drivers/hwmon/tmp421.c
++++ b/drivers/hwmon/tmp421.c
+@@ -109,23 +109,17 @@ struct tmp421_data {
+ s16 temp[4];
+ };
+
+-static int temp_from_s16(s16 reg)
++static int temp_from_raw(u16 reg, bool extended)
+ {
+ /* Mask out status bits */
+ int temp = reg & ~0xf;
+
+- return (temp * 1000 + 128) / 256;
+-}
+-
+-static int temp_from_u16(u16 reg)
+-{
+- /* Mask out status bits */
+- int temp = reg & ~0xf;
+-
+- /* Add offset for extended temperature range. */
+- temp -= 64 * 256;
++ if (extended)
++ temp = temp - 64 * 256;
++ else
++ temp = (s16)temp;
+
+- return (temp * 1000 + 128) / 256;
++ return DIV_ROUND_CLOSEST(temp * 1000, 256);
+ }
+
+ static struct tmp421_data *tmp421_update_device(struct device *dev)
+@@ -162,10 +156,8 @@ static int tmp421_read(struct device *dev, enum hwmon_sensor_types type,
+
+ switch (attr) {
+ case hwmon_temp_input:
+- if (tmp421->config & TMP421_CONFIG_RANGE)
+- *val = temp_from_u16(tmp421->temp[channel]);
+- else
+- *val = temp_from_s16(tmp421->temp[channel]);
++ *val = temp_from_raw(tmp421->temp[channel],
++ tmp421->config & TMP421_CONFIG_RANGE);
+ return 0;
+ case hwmon_temp_fault:
+ /*
+--
+2.33.0
+
--- /dev/null
+From 1f2253d74c5588aac5bf88b13a1a54e29940d3b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Sep 2021 18:08:39 +0200
+Subject: ipvs: check that ip_vs_conn_tab_bits is between 8 and 20
+
+From: Andrea Claudi <aclaudi@redhat.com>
+
+[ Upstream commit 69e73dbfda14fbfe748d3812da1244cce2928dcb ]
+
+ip_vs_conn_tab_bits may be provided by the user through the
+conn_tab_bits module parameter. If this value is greater than 31, or
+less than 0, the shift operator used to derive tab_size causes undefined
+behaviour.
+
+Fix this checking ip_vs_conn_tab_bits value to be in the range specified
+in ipvs Kconfig. If not, simply use default value.
+
+Fixes: 6f7edb4881bf ("IPVS: Allow boot time change of hash size")
+Reported-by: Yi Chen <yiche@redhat.com>
+Signed-off-by: Andrea Claudi <aclaudi@redhat.com>
+Acked-by: Julian Anastasov <ja@ssi.bg>
+Acked-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/ipvs/ip_vs_conn.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
+index 3d2ac71a83ec..620c865c230b 100644
+--- a/net/netfilter/ipvs/ip_vs_conn.c
++++ b/net/netfilter/ipvs/ip_vs_conn.c
+@@ -1406,6 +1406,10 @@ int __init ip_vs_conn_init(void)
+ int idx;
+
+ /* Compute size and mask */
++ if (ip_vs_conn_tab_bits < 8 || ip_vs_conn_tab_bits > 20) {
++ pr_info("conn_tab_bits not in [8, 20]. Using default value\n");
++ ip_vs_conn_tab_bits = CONFIG_IP_VS_TAB_BITS;
++ }
+ ip_vs_conn_tab_size = 1 << ip_vs_conn_tab_bits;
+ ip_vs_conn_tab_mask = ip_vs_conn_tab_size - 1;
+
+--
+2.33.0
+
--- /dev/null
+From 5ee8cee4ae78d8f6bee0398f4ad7f64e26f5aa36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Aug 2021 15:32:40 +0800
+Subject: mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug
+
+From: Chih-Kang Chang <gary.chang@realtek.com>
+
+[ Upstream commit fe94bac626d9c1c5bc98ab32707be8a9d7f8adba ]
+
+In ieee80211_amsdu_aggregate() set a pointer frag_tail point to the
+end of skb_shinfo(head)->frag_list, and use it to bind other skb in
+the end of this function. But when execute ieee80211_amsdu_aggregate()
+->ieee80211_amsdu_realloc_pad()->pskb_expand_head(), the address of
+skb_shinfo(head)->frag_list will be changed. However, the
+ieee80211_amsdu_aggregate() not update frag_tail after call
+pskb_expand_head(). That will cause the second skb can't bind to the
+head skb appropriately.So we update the address of frag_tail to fix it.
+
+Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support")
+Signed-off-by: Chih-Kang Chang <gary.chang@realtek.com>
+Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://lore.kernel.org/r/20210830073240.12736-1-pkshih@realtek.com
+[reword comment]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index e7b63ba8c184..0b5171824338 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3202,6 +3202,14 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata,
+ if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head))
+ goto out;
+
++ /* If n == 2, the "while (*frag_tail)" loop above didn't execute
++ * and frag_tail should be &skb_shinfo(head)->frag_list.
++ * However, ieee80211_amsdu_prepare_head() can reallocate it.
++ * Reload frag_tail to have it pointing to the correct place.
++ */
++ if (n == 2)
++ frag_tail = &skb_shinfo(head)->frag_list;
++
+ /*
+ * Pad out the previous subframe to a multiple of 4 by adding the
+ * padding to the next one, that's being added. Note that head->len
+--
+2.33.0
+
--- /dev/null
+From 5a1e8b70528f9d206dc7d91191bcd3891b21d8f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Sep 2021 14:45:22 +0200
+Subject: mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 13cb6d826e0ac0d144b0d48191ff1a111d32f0c6 ]
+
+Limit max values for vht mcs and nss in ieee80211_parse_tx_radiotap
+routine in order to fix the following warning reported by syzbot:
+
+WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_rate_set_vht include/net/mac80211.h:989 [inline]
+WARNING: CPU: 0 PID: 10717 at include/net/mac80211.h:989 ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244
+Modules linked in:
+CPU: 0 PID: 10717 Comm: syz-executor.5 Not tainted 5.14.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:ieee80211_rate_set_vht include/net/mac80211.h:989 [inline]
+RIP: 0010:ieee80211_parse_tx_radiotap+0x101e/0x12d0 net/mac80211/tx.c:2244
+RSP: 0018:ffffc9000186f3e8 EFLAGS: 00010216
+RAX: 0000000000000618 RBX: ffff88804ef76500 RCX: ffffc900143a5000
+RDX: 0000000000040000 RSI: ffffffff888f478e RDI: 0000000000000003
+RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000100
+R10: ffffffff888f46f9 R11: 0000000000000000 R12: 00000000fffffff8
+R13: ffff88804ef7653c R14: 0000000000000001 R15: 0000000000000004
+FS: 00007fbf5718f700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b2de23000 CR3: 000000006a671000 CR4: 00000000001506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
+Call Trace:
+ ieee80211_monitor_select_queue+0xa6/0x250 net/mac80211/iface.c:740
+ netdev_core_pick_tx+0x169/0x2e0 net/core/dev.c:4089
+ __dev_queue_xmit+0x6f9/0x3710 net/core/dev.c:4165
+ __bpf_tx_skb net/core/filter.c:2114 [inline]
+ __bpf_redirect_no_mac net/core/filter.c:2139 [inline]
+ __bpf_redirect+0x5ba/0xd20 net/core/filter.c:2162
+ ____bpf_clone_redirect net/core/filter.c:2429 [inline]
+ bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2401
+ bpf_prog_eeb6f53a69e5c6a2+0x59/0x234
+ bpf_dispatcher_nop_func include/linux/bpf.h:717 [inline]
+ __bpf_prog_run include/linux/filter.h:624 [inline]
+ bpf_prog_run include/linux/filter.h:631 [inline]
+ bpf_test_run+0x381/0xa30 net/bpf/test_run.c:119
+ bpf_prog_test_run_skb+0xb84/0x1ee0 net/bpf/test_run.c:663
+ bpf_prog_test_run kernel/bpf/syscall.c:3307 [inline]
+ __sys_bpf+0x2137/0x5df0 kernel/bpf/syscall.c:4605
+ __do_sys_bpf kernel/bpf/syscall.c:4691 [inline]
+ __se_sys_bpf kernel/bpf/syscall.c:4689 [inline]
+ __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4689
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x4665f9
+
+Reported-by: syzbot+0196ac871673f0c20f68@syzkaller.appspotmail.com
+Fixes: 646e76bb5daf4 ("mac80211: parse VHT info in injected frames")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://lore.kernel.org/r/c26c3f02dcb38ab63b2f2534cb463d95ee81bb13.1632141760.git.lorenzo@kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 0b5171824338..7e62a55a03de 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -2068,7 +2068,11 @@ static bool ieee80211_parse_tx_radiotap(struct ieee80211_local *local,
+ }
+
+ vht_mcs = iterator.this_arg[4] >> 4;
++ if (vht_mcs > 11)
++ vht_mcs = 0;
+ vht_nss = iterator.this_arg[4] & 0xF;
++ if (!vht_nss || vht_nss > 8)
++ vht_nss = 1;
+ break;
+
+ /*
+--
+2.33.0
+
--- /dev/null
+From a6985cd8d52a0a5b8f9ee27dac1ad203b3f3134a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Sep 2021 21:44:08 +0530
+Subject: scsi: csiostor: Add module softdep on cxgb4
+
+From: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+
+[ Upstream commit 79a7482249a7353bc86aff8127954d5febf02472 ]
+
+Both cxgb4 and csiostor drivers run on their own independent Physical
+Function. But when cxgb4 and csiostor are both being loaded in parallel via
+modprobe, there is a race when firmware upgrade is attempted by both the
+drivers.
+
+When the cxgb4 driver initiates the firmware upgrade, it halts the firmware
+and the chip until upgrade is complete. When the csiostor driver is coming
+up in parallel, the firmware mailbox communication fails with timeouts and
+the csiostor driver probe fails.
+
+Add a module soft dependency on cxgb4 driver to ensure loading csiostor
+triggers cxgb4 to load first when available to avoid the firmware upgrade
+race.
+
+Link: https://lore.kernel.org/r/1632759248-15382-1-git-send-email-rahul.lakkireddy@chelsio.com
+Fixes: a3667aaed569 ("[SCSI] csiostor: Chelsio FCoE offload driver")
+Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/csiostor/csio_init.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/csiostor/csio_init.c b/drivers/scsi/csiostor/csio_init.c
+index 03c7b1603dbc..c64db2047efc 100644
+--- a/drivers/scsi/csiostor/csio_init.c
++++ b/drivers/scsi/csiostor/csio_init.c
+@@ -1260,3 +1260,4 @@ MODULE_DEVICE_TABLE(pci, csio_pci_tbl);
+ MODULE_VERSION(CSIO_DRV_VERSION);
+ MODULE_FIRMWARE(FW_FNAME_T5);
+ MODULE_FIRMWARE(FW_FNAME_T6);
++MODULE_SOFTDEP("pre: cxgb4");
+--
+2.33.0
+
--- /dev/null
+From 109c3ca24c48b3b9386d037e32060b983378c665 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Sep 2021 00:05:04 -0400
+Subject: sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit f7e745f8e94492a8ac0b0a26e25f2b19d342918f ]
+
+We should always check if skb_header_pointer's return is NULL before
+using it, otherwise it may cause null-ptr-deref, as syzbot reported:
+
+ KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]
+ RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196
+ Call Trace:
+ <IRQ>
+ sctp6_rcv+0x38/0x60 net/sctp/ipv6.c:1109
+ ip6_protocol_deliver_rcu+0x2e9/0x1ca0 net/ipv6/ip6_input.c:422
+ ip6_input_finish+0x62/0x170 net/ipv6/ip6_input.c:463
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ NF_HOOK include/linux/netfilter.h:301 [inline]
+ ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472
+ dst_input include/net/dst.h:460 [inline]
+ ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ NF_HOOK include/linux/netfilter.h:301 [inline]
+ ipv6_rcv+0x28c/0x3c0 net/ipv6/ip6_input.c:297
+
+Fixes: 3acb50c18d8d ("sctp: delay as much as possible skb_linearize")
+Reported-by: syzbot+581aff2ae6b860625116@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sctp/input.c b/net/sctp/input.c
+index 89a24de23086..b20a1fbea8bf 100644
+--- a/net/sctp/input.c
++++ b/net/sctp/input.c
+@@ -679,7 +679,7 @@ static int sctp_rcv_ootb(struct sk_buff *skb)
+ ch = skb_header_pointer(skb, offset, sizeof(*ch), &_ch);
+
+ /* Break out if chunk length is less then minimal. */
+- if (ntohs(ch->length) < sizeof(_ch))
++ if (!ch || ntohs(ch->length) < sizeof(_ch))
+ break;
+
+ ch_end = offset + SCTP_PAD4(ntohs(ch->length));
+--
+2.33.0
+
cpufreq-schedutil-use-kobject-release-method-to-free.patch
cpufreq-schedutil-destroy-mutex-before-kobject_put-f.patch
mac80211-fix-use-after-free-in-ccmp-gcmp-rx.patch
+ipvs-check-that-ip_vs_conn_tab_bits-is-between-8-and.patch
+mac80211-fix-ieee80211_amsdu_aggregate-frag_tail-bug.patch
+mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch
+sctp-break-out-if-skb_header_pointer-returns-null-in.patch
+hwmon-tmp421-fix-rounding-for-negative-values.patch
+e100-fix-length-calculation-in-e100_get_regs_len.patch
+e100-fix-buffer-overrun-in-e100_get_regs.patch
+scsi-csiostor-add-module-softdep-on-cxgb4.patch
+af_unix-fix-races-in-sk_peer_pid-and-sk_peer_cred-ac.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
