5.10-stable patches

added patches:
	bonding-fix-data-races-around-agg_select_timer.patch
	bonding-force-carrier-update-when-releasing-slave.patch
	dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch
	drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch
	drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
	ipv6-per-netns-exclusive-flowlabel-checks.patch
	iwlwifi-pcie-fix-locking-when-hw-not-ready.patch
	iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch
	libsubcmd-fix-use-after-free-for-realloc-...-0.patch
	net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch
	net-dsa-lan9303-add-vlan-ids-to-master-device.patch
	net-dsa-lan9303-fix-reset-on-probe.patch
	net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch
	net-ieee802154-ca8210-fix-lifs-sifs-periods.patch
	net_sched-add-__rcu-annotation-to-netdev-qdisc.patch
	netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch
	perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch
	ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch
	selftests-exec-add-non-regular-to-test_gen_progs.patch
	selftests-netfilter-fix-exit-value-for-nft_concat_range.patch

diff --git a/queue-5.10/bonding-fix-data-races-around-agg_select_timer.patch b/queue-5.10/bonding-fix-data-races-around-agg_select_timer.patch
new file mode 100644 (file)
index 0000000..02b016d
--- /dev/null
+++ b/queue-5.10/bonding-fix-data-races-around-agg_select_timer.patch
@@ -0,0 +1,138 @@
+From 9ceaf6f76b203682bb6100e14b3d7da4c0bedde8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 14 Feb 2022 11:15:53 -0800
+Subject: bonding: fix data-races around agg_select_timer
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 9ceaf6f76b203682bb6100e14b3d7da4c0bedde8 upstream.
+
+syzbot reported that two threads might write over agg_select_timer
+at the same time. Make agg_select_timer atomic to fix the races.
+
+BUG: KCSAN: data-race in bond_3ad_initiate_agg_selection / bond_3ad_state_machine_handler
+
+read to 0xffff8881242aea90 of 4 bytes by task 1846 on cpu 1:
+ bond_3ad_state_machine_handler+0x99/0x2810 drivers/net/bonding/bond_3ad.c:2317
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ worker_thread+0x616/0xa70 kernel/workqueue.c:2454
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+write to 0xffff8881242aea90 of 4 bytes by task 25910 on cpu 0:
+ bond_3ad_initiate_agg_selection+0x18/0x30 drivers/net/bonding/bond_3ad.c:1998
+ bond_open+0x658/0x6f0 drivers/net/bonding/bond_main.c:3967
+ __dev_open+0x274/0x3a0 net/core/dev.c:1407
+ dev_open+0x54/0x190 net/core/dev.c:1443
+ bond_enslave+0xcef/0x3000 drivers/net/bonding/bond_main.c:1937
+ do_set_master net/core/rtnetlink.c:2532 [inline]
+ do_setlink+0x94f/0x2500 net/core/rtnetlink.c:2736
+ __rtnl_newlink net/core/rtnetlink.c:3414 [inline]
+ rtnl_newlink+0xfeb/0x13e0 net/core/rtnetlink.c:3529
+ rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5594
+ netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494
+ rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612
+ netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+ netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343
+ netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:705 [inline]
+ sock_sendmsg net/socket.c:725 [inline]
+ ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
+ ___sys_sendmsg net/socket.c:2467 [inline]
+ __sys_sendmsg+0x195/0x230 net/socket.c:2496
+ __do_sys_sendmsg net/socket.c:2505 [inline]
+ __se_sys_sendmsg net/socket.c:2503 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x00000050 -> 0x0000004f
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 25910 Comm: syz-executor.1 Tainted: G        W         5.17.0-rc4-syzkaller-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_3ad.c |   30 +++++++++++++++++++++++++-----
+ include/net/bond_3ad.h         |    2 +-
+ 2 files changed, 26 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/bonding/bond_3ad.c
++++ b/drivers/net/bonding/bond_3ad.c
+@@ -223,7 +223,7 @@ static inline int __check_agg_selection_
+       if (bond == NULL)
+               return 0;
+ 
+-      return BOND_AD_INFO(bond).agg_select_timer ? 1 : 0;
++      return atomic_read(&BOND_AD_INFO(bond).agg_select_timer) ? 1 : 0;
+ }
+ 
+ /**
+@@ -1976,7 +1976,7 @@ static void ad_marker_response_received(
+  */
+ void bond_3ad_initiate_agg_selection(struct bonding *bond, int timeout)
+ {
+-      BOND_AD_INFO(bond).agg_select_timer = timeout;
++      atomic_set(&BOND_AD_INFO(bond).agg_select_timer, timeout);
+ }
+ 
+ /**
+@@ -2260,6 +2260,28 @@ void bond_3ad_update_ad_actor_settings(s
+ }
+ 
+ /**
++ * bond_agg_timer_advance - advance agg_select_timer
++ * @bond:  bonding structure
++ *
++ * Return true when agg_select_timer reaches 0.
++ */
++static bool bond_agg_timer_advance(struct bonding *bond)
++{
++      int val, nval;
++
++      while (1) {
++              val = atomic_read(&BOND_AD_INFO(bond).agg_select_timer);
++              if (!val)
++                      return false;
++              nval = val - 1;
++              if (atomic_cmpxchg(&BOND_AD_INFO(bond).agg_select_timer,
++                                 val, nval) == val)
++                      break;
++      }
++      return nval == 0;
++}
++
++/**
+  * bond_3ad_state_machine_handler - handle state machines timeout
+  * @work: work context to fetch bonding struct to work on from
+  *
+@@ -2294,9 +2316,7 @@ void bond_3ad_state_machine_handler(stru
+       if (!bond_has_slaves(bond))
+               goto re_arm;
+ 
+-      /* check if agg_select_timer timer after initialize is timed out */
+-      if (BOND_AD_INFO(bond).agg_select_timer &&
+-          !(--BOND_AD_INFO(bond).agg_select_timer)) {
++      if (bond_agg_timer_advance(bond)) {
+               slave = bond_first_slave_rcu(bond);
+               port = slave ? &(SLAVE_AD_INFO(slave)->port) : NULL;
+ 
+--- a/include/net/bond_3ad.h
++++ b/include/net/bond_3ad.h
+@@ -262,7 +262,7 @@ struct ad_system {
+ struct ad_bond_info {
+       struct ad_system system;        /* 802.3ad system structure */
+       struct bond_3ad_stats stats;
+-      u32 agg_select_timer;           /* Timer to select aggregator after all adapter's hand shakes */
++      atomic_t agg_select_timer;              /* Timer to select aggregator after all adapter's hand shakes */
+       u16 aggregator_identifier;
+ };
+ 

diff --git a/queue-5.10/bonding-force-carrier-update-when-releasing-slave.patch b/queue-5.10/bonding-force-carrier-update-when-releasing-slave.patch
new file mode 100644 (file)
index 0000000..a9d66cc
--- /dev/null
+++ b/queue-5.10/bonding-force-carrier-update-when-releasing-slave.patch
@@ -0,0 +1,49 @@
+From a6ab75cec1e461f8a35559054c146c21428430b8 Mon Sep 17 00:00:00 2001
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+Date: Wed, 16 Feb 2022 22:18:08 +0800
+Subject: bonding: force carrier update when releasing slave
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+commit a6ab75cec1e461f8a35559054c146c21428430b8 upstream.
+
+In __bond_release_one(), bond_set_carrier() is only called when bond
+device has no slave. Therefore, if we remove the up slave from a master
+with two slaves and keep the down slave, the master will remain up.
+
+Fix this by moving bond_set_carrier() out of if (!bond_has_slaves(bond))
+statement.
+
+Reproducer:
+$ insmod bonding.ko mode=0 miimon=100 max_bonds=2
+$ ifconfig bond0 up
+$ ifenslave bond0 eth0 eth1
+$ ifconfig eth0 down
+$ ifenslave -d bond0 eth1
+$ cat /proc/net/bonding/bond0
+
+Fixes: ff59c4563a8d ("[PATCH] bonding: support carrier state for master")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Link: https://lore.kernel.org/r/1645021088-38370-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2272,10 +2272,9 @@ static int __bond_release_one(struct net
+               bond_select_active_slave(bond);
+       }
+ 
+-      if (!bond_has_slaves(bond)) {
+-              bond_set_carrier(bond);
++      bond_set_carrier(bond);
++      if (!bond_has_slaves(bond))
+               eth_hw_addr_random(bond_dev);
+-      }
+ 
+       unblock_netpoll_tx();
+       synchronize_rcu();

diff --git a/queue-5.10/dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch b/queue-5.10/dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch
new file mode 100644 (file)
index 0000000..ac0ca16
--- /dev/null
+++ b/queue-5.10/dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch
@@ -0,0 +1,37 @@
+From 07dd44852be89386ab12210df90a2d78779f3bff Mon Sep 17 00:00:00 2001
+From: Radu Bulie <radu-andrei.bulie@nxp.com>
+Date: Mon, 14 Feb 2022 19:45:34 +0200
+Subject: dpaa2-eth: Initialize mutex used in one step timestamping path
+
+From: Radu Bulie <radu-andrei.bulie@nxp.com>
+
+commit 07dd44852be89386ab12210df90a2d78779f3bff upstream.
+
+1588 Single Step Timestamping code path uses a mutex to
+enforce atomicity for two events:
+- update of ptp single step register
+- transmit ptp event packet
+
+Before this patch the mutex was not initialized. This
+caused unexpected crashes in the Tx function.
+
+Fixes: c55211892f463 ("dpaa2-eth: support PTP Sync packet one-step timestamping")
+Signed-off-by: Radu Bulie <radu-andrei.bulie@nxp.com>
+Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -4225,7 +4225,7 @@ static int dpaa2_eth_probe(struct fsl_mc
+       }
+ 
+       INIT_WORK(&priv->tx_onestep_tstamp, dpaa2_eth_tx_onestep_tstamp);
+-
++      mutex_init(&priv->onestep_tstamp_lock);
+       skb_queue_head_init(&priv->tx_skbs);
+ 
+       /* Obtain a MC portal */

diff --git a/queue-5.10/drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch b/queue-5.10/drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch
new file mode 100644 (file)
index 0000000..3a049de
--- /dev/null
+++ b/queue-5.10/drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch
@@ -0,0 +1,33 @@
+From d72d69abfdb6e0375981cfdda8eb45143f12c77d Mon Sep 17 00:00:00 2001
+From: Siva Mullati <siva.mullati@intel.com>
+Date: Fri, 7 Jan 2022 15:22:35 +0530
+Subject: drm/i915/gvt: Make DRM_I915_GVT depend on X86
+
+From: Siva Mullati <siva.mullati@intel.com>
+
+commit d72d69abfdb6e0375981cfdda8eb45143f12c77d upstream.
+
+GVT is not supported on non-x86 platforms, So add
+dependency of X86 on config parameter DRM_I915_GVT.
+
+Fixes: 0ad35fed618c ("drm/i915: gvt: Introduce the basic architecture of GVT-g")
+Signed-off-by: Siva Mullati <siva.mullati@intel.com>
+Signed-off-by: Zhi Wang <zhi.a.wang@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20220107095235.243448-1-siva.mullati@intel.com
+Reviewed-by: Zhi Wang <zhi.a.wang@intel.com>
+Signed-off-by: Zhi Wang <zhi.a.wang@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/i915/Kconfig
++++ b/drivers/gpu/drm/i915/Kconfig
+@@ -100,6 +100,7 @@ config DRM_I915_USERPTR
+ config DRM_I915_GVT
+       bool "Enable Intel GVT-g graphics virtualization host support"
+       depends on DRM_I915
++      depends on X86
+       depends on 64BIT
+       default n
+       help

diff --git a/queue-5.10/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch b/queue-5.10/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
new file mode 100644 (file)
index 0000000..a26f884
--- /dev/null
+++ b/queue-5.10/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
@@ -0,0 +1,103 @@
+From dcd54265c8bc14bd023815e36e2d5f9d66ee1fee Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 10 Feb 2022 09:13:31 -0800
+Subject: drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit dcd54265c8bc14bd023815e36e2d5f9d66ee1fee upstream.
+
+trace_napi_poll_hit() is reading stat->dev while another thread can write
+on it from dropmon_net_event()
+
+Use READ_ONCE()/WRITE_ONCE() here, RCU rules are properly enforced already,
+we only have to take care of load/store tearing.
+
+BUG: KCSAN: data-race in dropmon_net_event / trace_napi_poll_hit
+
+write to 0xffff88816f3ab9c0 of 8 bytes by task 20260 on cpu 1:
+ dropmon_net_event+0xb8/0x2b0 net/core/drop_monitor.c:1579
+ notifier_call_chain kernel/notifier.c:84 [inline]
+ raw_notifier_call_chain+0x53/0xb0 kernel/notifier.c:392
+ call_netdevice_notifiers_info net/core/dev.c:1919 [inline]
+ call_netdevice_notifiers_extack net/core/dev.c:1931 [inline]
+ call_netdevice_notifiers net/core/dev.c:1945 [inline]
+ unregister_netdevice_many+0x867/0xfb0 net/core/dev.c:10415
+ ip_tunnel_delete_nets+0x24a/0x280 net/ipv4/ip_tunnel.c:1123
+ vti_exit_batch_net+0x2a/0x30 net/ipv4/ip_vti.c:515
+ ops_exit_list net/core/net_namespace.c:173 [inline]
+ cleanup_net+0x4dc/0x8d0 net/core/net_namespace.c:597
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ worker_thread+0x616/0xa70 kernel/workqueue.c:2454
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+read to 0xffff88816f3ab9c0 of 8 bytes by interrupt on cpu 0:
+ trace_napi_poll_hit+0x89/0x1c0 net/core/drop_monitor.c:292
+ trace_napi_poll include/trace/events/napi.h:14 [inline]
+ __napi_poll+0x36b/0x3f0 net/core/dev.c:6366
+ napi_poll net/core/dev.c:6432 [inline]
+ net_rx_action+0x29e/0x650 net/core/dev.c:6519
+ __do_softirq+0x158/0x2de kernel/softirq.c:558
+ do_softirq+0xb1/0xf0 kernel/softirq.c:459
+ __local_bh_enable_ip+0x68/0x70 kernel/softirq.c:383
+ __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
+ _raw_spin_unlock_bh+0x33/0x40 kernel/locking/spinlock.c:210
+ spin_unlock_bh include/linux/spinlock.h:394 [inline]
+ ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]
+ wg_packet_decrypt_worker+0x73c/0x780 drivers/net/wireguard/receive.c:506
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ worker_thread+0x616/0xa70 kernel/workqueue.c:2454
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+value changed: 0xffff88815883e000 -> 0x0000000000000000
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 26435 Comm: kworker/0:1 Not tainted 5.17.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: wg-crypt-wg2 wg_packet_decrypt_worker
+
+Fixes: 4ea7e38696c7 ("dropmon: add ability to detect when hardware dropsrxpackets")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/drop_monitor.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/core/drop_monitor.c
++++ b/net/core/drop_monitor.c
+@@ -280,13 +280,17 @@ static void trace_napi_poll_hit(void *ig
+ 
+       rcu_read_lock();
+       list_for_each_entry_rcu(new_stat, &hw_stats_list, list) {
++              struct net_device *dev;
++
+               /*
+                * only add a note to our monitor buffer if:
+                * 1) this is the dev we received on
+                * 2) its after the last_rx delta
+                * 3) our rx_dropped count has gone up
+                */
+-              if ((new_stat->dev == napi->dev)  &&
++              /* Paired with WRITE_ONCE() in dropmon_net_event() */
++              dev = READ_ONCE(new_stat->dev);
++              if ((dev == napi->dev)  &&
+                   (time_after(jiffies, new_stat->last_rx + dm_hw_check_delta)) &&
+                   (napi->dev->stats.rx_dropped != new_stat->last_drop_val)) {
+                       trace_drop_common(NULL, NULL);
+@@ -1574,7 +1578,10 @@ static int dropmon_net_event(struct noti
+               mutex_lock(&net_dm_mutex);
+               list_for_each_entry_safe(new_stat, tmp, &hw_stats_list, list) {
+                       if (new_stat->dev == dev) {
+-                              new_stat->dev = NULL;
++
++                              /* Paired with READ_ONCE() in trace_napi_poll_hit() */
++                              WRITE_ONCE(new_stat->dev, NULL);
++
+                               if (trace_state == TRACE_OFF) {
+                                       list_del_rcu(&new_stat->list);
+                                       kfree_rcu(new_stat, rcu);

diff --git a/queue-5.10/ipv6-per-netns-exclusive-flowlabel-checks.patch b/queue-5.10/ipv6-per-netns-exclusive-flowlabel-checks.patch
new file mode 100644 (file)
index 0000000..068a0dd
--- /dev/null
+++ b/queue-5.10/ipv6-per-netns-exclusive-flowlabel-checks.patch
@@ -0,0 +1,98 @@
+From 0b0dff5b3b98c5c7ce848151df9da0b3cdf0cc8b Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Tue, 15 Feb 2022 11:00:37 -0500
+Subject: ipv6: per-netns exclusive flowlabel checks
+
+From: Willem de Bruijn <willemb@google.com>
+
+commit 0b0dff5b3b98c5c7ce848151df9da0b3cdf0cc8b upstream.
+
+Ipv6 flowlabels historically require a reservation before use.
+Optionally in exclusive mode (e.g., user-private).
+
+Commit 59c820b2317f ("ipv6: elide flowlabel check if no exclusive
+leases exist") introduced a fastpath that avoids this check when no
+exclusive leases exist in the system, and thus any flowlabel use
+will be granted.
+
+That allows skipping the control operation to reserve a flowlabel
+entirely. Though with a warning if the fast path fails:
+
+  This is an optimization. Robust applications still have to revert to
+  requesting leases if the fast path fails due to an exclusive lease.
+
+Still, this is subtle. Better isolate network namespaces from each
+other. Flowlabels are per-netns. Also record per-netns whether
+exclusive leases are in use. Then behavior does not change based on
+activity in other netns.
+
+Changes
+  v2
+    - wrap in IS_ENABLED(CONFIG_IPV6) to avoid breakage if disabled
+
+Fixes: 59c820b2317f ("ipv6: elide flowlabel check if no exclusive leases exist")
+Link: https://lore.kernel.org/netdev/MWHPR2201MB1072BCCCFCE779E4094837ACD0329@MWHPR2201MB1072.namprd22.prod.outlook.com/
+Reported-by: Congyu Liu <liu3101@purdue.edu>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Tested-by: Congyu Liu <liu3101@purdue.edu>
+Link: https://lore.kernel.org/r/20220215160037.1976072-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ipv6.h       |    5 ++++-
+ include/net/netns/ipv6.h |    3 ++-
+ net/ipv6/ip6_flowlabel.c |    4 +++-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -390,17 +390,20 @@ static inline void txopt_put(struct ipv6
+               kfree_rcu(opt, rcu);
+ }
+ 
++#if IS_ENABLED(CONFIG_IPV6)
+ struct ip6_flowlabel *__fl6_sock_lookup(struct sock *sk, __be32 label);
+ 
+ extern struct static_key_false_deferred ipv6_flowlabel_exclusive;
+ static inline struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk,
+                                                   __be32 label)
+ {
+-      if (static_branch_unlikely(&ipv6_flowlabel_exclusive.key))
++      if (static_branch_unlikely(&ipv6_flowlabel_exclusive.key) &&
++          READ_ONCE(sock_net(sk)->ipv6.flowlabel_has_excl))
+               return __fl6_sock_lookup(sk, label) ? : ERR_PTR(-ENOENT);
+ 
+       return NULL;
+ }
++#endif
+ 
+ struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions *opt_space,
+                                        struct ip6_flowlabel *fl,
+--- a/include/net/netns/ipv6.h
++++ b/include/net/netns/ipv6.h
+@@ -80,9 +80,10 @@ struct netns_ipv6 {
+       spinlock_t              fib6_gc_lock;
+       unsigned int             ip6_rt_gc_expire;
+       unsigned long            ip6_rt_last_gc;
++      unsigned char           flowlabel_has_excl;
+ #ifdef CONFIG_IPV6_MULTIPLE_TABLES
+-      unsigned int            fib6_rules_require_fldissect;
+       bool                    fib6_has_custom_rules;
++      unsigned int            fib6_rules_require_fldissect;
+ #ifdef CONFIG_IPV6_SUBTREES
+       unsigned int            fib6_routes_require_src;
+ #endif
+--- a/net/ipv6/ip6_flowlabel.c
++++ b/net/ipv6/ip6_flowlabel.c
+@@ -450,8 +450,10 @@ fl_create(struct net *net, struct sock *
+               err = -EINVAL;
+               goto done;
+       }
+-      if (fl_shared_exclusive(fl) || fl->opt)
++      if (fl_shared_exclusive(fl) || fl->opt) {
++              WRITE_ONCE(sock_net(sk)->ipv6.flowlabel_has_excl, 1);
+               static_branch_deferred_inc(&ipv6_flowlabel_exclusive);
++      }
+       return fl;
+ 
+ done:

diff --git a/queue-5.10/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch b/queue-5.10/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch
new file mode 100644 (file)
index 0000000..d73512d
--- /dev/null
+++ b/queue-5.10/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch
@@ -0,0 +1,34 @@
+From e9848aed147708a06193b40d78493b0ef6abccf2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 28 Jan 2022 14:30:52 +0200
+Subject: iwlwifi: pcie: fix locking when "HW not ready"
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit e9848aed147708a06193b40d78493b0ef6abccf2 upstream.
+
+If we run into this error path, we shouldn't unlock the mutex
+since it's not locked since. Fix this.
+
+Fixes: a6bd005fe92d ("iwlwifi: pcie: fix RF-Kill vs. firmware load race")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/iwlwifi.20220128142706.5d16821d1433.Id259699ddf9806459856d6aefbdbe54477aecffd@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -1313,8 +1313,7 @@ static int iwl_trans_pcie_start_fw(struc
+       /* This may fail if AMT took ownership of the device */
+       if (iwl_pcie_prepare_card_hw(trans)) {
+               IWL_WARN(trans, "Exit HW not ready\n");
+-              ret = -EIO;
+-              goto out;
++              return -EIO;
+       }
+ 
+       iwl_enable_rfkill_int(trans);

diff --git a/queue-5.10/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch b/queue-5.10/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch
new file mode 100644 (file)
index 0000000..498d424
--- /dev/null
+++ b/queue-5.10/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch
@@ -0,0 +1,34 @@
+From 4c29c1e27a1e178a219b3877d055e6dd643bdfda Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 28 Jan 2022 14:30:53 +0200
+Subject: iwlwifi: pcie: gen2: fix locking when "HW not ready"
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 4c29c1e27a1e178a219b3877d055e6dd643bdfda upstream.
+
+If we run into this error path, we shouldn't unlock the mutex
+since it's not locked since. Fix this in the gen2 code as well.
+
+Fixes: eda50cde58de ("iwlwifi: pcie: add context information support")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/iwlwifi.20220128142706.b8b0dfce16ef.Ie20f0f7b23e5911350a2766524300d2915e7b677@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
+@@ -320,8 +320,7 @@ int iwl_trans_pcie_gen2_start_fw(struct
+       /* This may fail if AMT took ownership of the device */
+       if (iwl_pcie_prepare_card_hw(trans)) {
+               IWL_WARN(trans, "Exit HW not ready\n");
+-              ret = -EIO;
+-              goto out;
++              return -EIO;
+       }
+ 
+       iwl_enable_rfkill_int(trans);

diff --git a/queue-5.10/libsubcmd-fix-use-after-free-for-realloc-...-0.patch b/queue-5.10/libsubcmd-fix-use-after-free-for-realloc-...-0.patch
new file mode 100644 (file)
index 0000000..23bfaeb
--- /dev/null
+++ b/queue-5.10/libsubcmd-fix-use-after-free-for-realloc-...-0.patch
@@ -0,0 +1,66 @@
+From 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Sun, 13 Feb 2022 10:24:43 -0800
+Subject: libsubcmd: Fix use-after-free for realloc(..., 0)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 upstream.
+
+GCC 12 correctly reports a potential use-after-free condition in the
+xrealloc helper. Fix the warning by avoiding an implicit "free(ptr)"
+when size == 0:
+
+In file included from help.c:12:
+In function 'xrealloc',
+    inlined from 'add_cmdname' at help.c:24:2: subcmd-util.h:56:23: error: pointer may be used after 'realloc' [-Werror=use-after-free]
+   56 |                 ret = realloc(ptr, size);
+      |                       ^~~~~~~~~~~~~~~~~~
+subcmd-util.h:52:21: note: call to 'realloc' here
+   52 |         void *ret = realloc(ptr, size);
+      |                     ^~~~~~~~~~~~~~~~~~
+subcmd-util.h:58:31: error: pointer may be used after 'realloc' [-Werror=use-after-free]
+   58 |                         ret = realloc(ptr, 1);
+      |                               ^~~~~~~~~~~~~~~
+subcmd-util.h:52:21: note: call to 'realloc' here
+   52 |         void *ret = realloc(ptr, size);
+      |                     ^~~~~~~~~~~~~~~~~~
+
+Fixes: 2f4ce5ec1d447beb ("perf tools: Finalize subcmd independence")
+Reported-by: Valdis Klētnieks <valdis.kletnieks@vt.edu>
+Signed-off-by: Kees Kook <keescook@chromium.org>
+Tested-by: Valdis Klētnieks <valdis.kletnieks@vt.edu>
+Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>
+Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: linux-hardening@vger.kernel.org
+Cc: Valdis Klētnieks <valdis.kletnieks@vt.edu>
+Link: http://lore.kernel.org/lkml/20220213182443.4037039-1-keescook@chromium.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/lib/subcmd/subcmd-util.h |   11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/tools/lib/subcmd/subcmd-util.h
++++ b/tools/lib/subcmd/subcmd-util.h
+@@ -50,15 +50,8 @@ static NORETURN inline void die(const ch
+ static inline void *xrealloc(void *ptr, size_t size)
+ {
+       void *ret = realloc(ptr, size);
+-      if (!ret && !size)
+-              ret = realloc(ptr, 1);
+-      if (!ret) {
+-              ret = realloc(ptr, size);
+-              if (!ret && !size)
+-                      ret = realloc(ptr, 1);
+-              if (!ret)
+-                      die("Out of memory, realloc failed");
+-      }
++      if (!ret)
++              die("Out of memory, realloc failed");
+       return ret;
+ }
+ 

diff --git a/queue-5.10/net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch b/queue-5.10/net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch
new file mode 100644 (file)
index 0000000..6f74e58
--- /dev/null
+++ b/queue-5.10/net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch
@@ -0,0 +1,49 @@
+From c832962ac972082b3a1f89775c9d4274c8cb5670 Mon Sep 17 00:00:00 2001
+From: Oleksandr Mazur <oleksandr.mazur@plvision.eu>
+Date: Tue, 15 Feb 2022 18:53:03 +0200
+Subject: net: bridge: multicast: notify switchdev driver whenever MC processing gets disabled
+
+From: Oleksandr Mazur <oleksandr.mazur@plvision.eu>
+
+commit c832962ac972082b3a1f89775c9d4274c8cb5670 upstream.
+
+Whenever bridge driver hits the max capacity of MDBs, it disables
+the MC processing (by setting corresponding bridge option), but never
+notifies switchdev about such change (the notifiers are called only upon
+explicit setting of this option, through the registered netlink interface).
+
+This could lead to situation when Software MDB processing gets disabled,
+but this event never gets offloaded to the underlying Hardware.
+
+Fix this by adding a notify message in such case.
+
+Fixes: 147c1e9b902c ("switchdev: bridge: Offload multicast disabled")
+Signed-off-by: Oleksandr Mazur <oleksandr.mazur@plvision.eu>
+Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Link: https://lore.kernel.org/r/20220215165303.31908-1-oleksandr.mazur@plvision.eu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -77,6 +77,9 @@ __br_multicast_add_group(struct net_brid
+ static void br_multicast_find_del_pg(struct net_bridge *br,
+                                    struct net_bridge_port_group *pg);
+ 
++static int br_mc_disabled_update(struct net_device *dev, bool value,
++                               struct netlink_ext_ack *extack);
++
+ static struct net_bridge_port_group *
+ br_sg_port_find(struct net_bridge *br,
+               struct net_bridge_port_group_sg_key *sg_p)
+@@ -1040,6 +1043,7 @@ struct net_bridge_mdb_entry *br_multicas
+               return mp;
+ 
+       if (atomic_read(&br->mdb_hash_tbl.nelems) >= br->hash_max) {
++              br_mc_disabled_update(br->dev, false, NULL);
+               br_opt_toggle(br, BROPT_MULTICAST_ENABLED, false);
+               return ERR_PTR(-E2BIG);
+       }

diff --git a/queue-5.10/net-dsa-lan9303-add-vlan-ids-to-master-device.patch b/queue-5.10/net-dsa-lan9303-add-vlan-ids-to-master-device.patch
new file mode 100644 (file)
index 0000000..ba13e2a
--- /dev/null
+++ b/queue-5.10/net-dsa-lan9303-add-vlan-ids-to-master-device.patch
@@ -0,0 +1,75 @@
+From 430065e2671905ac675f97b7af240cc255964e93 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 16 Feb 2022 20:48:18 +0000
+Subject: net: dsa: lan9303: add VLAN IDs to master device
+
+From: Mans Rullgard <mans@mansr.com>
+
+commit 430065e2671905ac675f97b7af240cc255964e93 upstream.
+
+If the master device does VLAN filtering, the IDs used by the switch
+must be added for any frames to be received.  Do this in the
+port_enable() function, and remove them in port_disable().
+
+Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303")
+Signed-off-by: Mans Rullgard <mans@mansr.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Link: https://lore.kernel.org/r/20220216204818.28746-1-mans@mansr.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/Kconfig        |    1 +
+ drivers/net/dsa/lan9303-core.c |   11 +++++++++--
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/dsa/Kconfig
++++ b/drivers/net/dsa/Kconfig
+@@ -82,6 +82,7 @@ config NET_DSA_REALTEK_SMI
+ 
+ config NET_DSA_SMSC_LAN9303
+       tristate
++      depends on VLAN_8021Q || VLAN_8021Q=n
+       select NET_DSA_TAG_LAN9303
+       select REGMAP
+       help
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -10,6 +10,7 @@
+ #include <linux/mii.h>
+ #include <linux/phy.h>
+ #include <linux/if_bridge.h>
++#include <linux/if_vlan.h>
+ #include <linux/etherdevice.h>
+ 
+ #include "lan9303.h"
+@@ -1083,21 +1084,27 @@ static void lan9303_adjust_link(struct d
+ static int lan9303_port_enable(struct dsa_switch *ds, int port,
+                              struct phy_device *phy)
+ {
++      struct dsa_port *dp = dsa_to_port(ds, port);
+       struct lan9303 *chip = ds->priv;
+ 
+-      if (!dsa_is_user_port(ds, port))
++      if (!dsa_port_is_user(dp))
+               return 0;
+ 
++      vlan_vid_add(dp->cpu_dp->master, htons(ETH_P_8021Q), port);
++
+       return lan9303_enable_processing_port(chip, port);
+ }
+ 
+ static void lan9303_port_disable(struct dsa_switch *ds, int port)
+ {
++      struct dsa_port *dp = dsa_to_port(ds, port);
+       struct lan9303 *chip = ds->priv;
+ 
+-      if (!dsa_is_user_port(ds, port))
++      if (!dsa_port_is_user(dp))
+               return;
+ 
++      vlan_vid_del(dp->cpu_dp->master, htons(ETH_P_8021Q), port);
++
+       lan9303_disable_processing_port(chip, port);
+       lan9303_phy_write(ds, chip->phy_addr_base + port, MII_BMCR, BMCR_PDOWN);
+ }

diff --git a/queue-5.10/net-dsa-lan9303-fix-reset-on-probe.patch b/queue-5.10/net-dsa-lan9303-fix-reset-on-probe.patch
new file mode 100644 (file)
index 0000000..c700786
--- /dev/null
+++ b/queue-5.10/net-dsa-lan9303-fix-reset-on-probe.patch
@@ -0,0 +1,36 @@
+From 6bb9681a43f34f2cab4aad6e2a02da4ce54d13c5 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 9 Feb 2022 14:54:54 +0000
+Subject: net: dsa: lan9303: fix reset on probe
+
+From: Mans Rullgard <mans@mansr.com>
+
+commit 6bb9681a43f34f2cab4aad6e2a02da4ce54d13c5 upstream.
+
+The reset input to the LAN9303 chip is active low, and devicetree
+gpio handles reflect this.  Therefore, the gpio should be requested
+with an initial state of high in order for the reset signal to be
+asserted.  Other uses of the gpio already use the correct polarity.
+
+Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303")
+Signed-off-by: Mans Rullgard <mans@mansr.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fianelil <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20220209145454.19749-1-mans@mansr.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/lan9303-core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -1305,7 +1305,7 @@ static int lan9303_probe_reset_gpio(stru
+                                    struct device_node *np)
+ {
+       chip->reset_gpio = devm_gpiod_get_optional(chip->dev, "reset",
+-                                                 GPIOD_OUT_LOW);
++                                                 GPIOD_OUT_HIGH);
+       if (IS_ERR(chip->reset_gpio))
+               return PTR_ERR(chip->reset_gpio);
+ 

diff --git a/queue-5.10/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch b/queue-5.10/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch
new file mode 100644 (file)
index 0000000..9b87e70
--- /dev/null
+++ b/queue-5.10/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch
@@ -0,0 +1,34 @@
+From 8c6ae46150a453f8ae9a6cd49b45f354f478587d Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Tue, 15 Feb 2022 13:42:48 +0300
+Subject: net: dsa: lantiq_gswip: fix use after free in gswip_remove()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+commit 8c6ae46150a453f8ae9a6cd49b45f354f478587d upstream.
+
+of_node_put(priv->ds->slave_mii_bus->dev.of_node) should be
+done before mdiobus_free(priv->ds->slave_mii_bus).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Fixes: 0d120dfb5d67 ("net: dsa: lantiq_gswip: don't use devres for mdiobus")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/1644921768-26477-1-git-send-email-khoroshilov@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/lantiq_gswip.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/lantiq_gswip.c
++++ b/drivers/net/dsa/lantiq_gswip.c
+@@ -2114,8 +2114,8 @@ static int gswip_remove(struct platform_
+ 
+       if (priv->ds->slave_mii_bus) {
+               mdiobus_unregister(priv->ds->slave_mii_bus);
+-              mdiobus_free(priv->ds->slave_mii_bus);
+               of_node_put(priv->ds->slave_mii_bus->dev.of_node);
++              mdiobus_free(priv->ds->slave_mii_bus);
+       }
+ 
+       for (i = 0; i < priv->num_gphy_fw; i++)

diff --git a/queue-5.10/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch b/queue-5.10/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch
new file mode 100644 (file)
index 0000000..7942a6c
--- /dev/null
+++ b/queue-5.10/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch
@@ -0,0 +1,36 @@
+From bdc120a2bcd834e571ce4115aaddf71ab34495de Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Tue, 1 Feb 2022 19:06:26 +0100
+Subject: net: ieee802154: ca8210: Fix lifs/sifs periods
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+commit bdc120a2bcd834e571ce4115aaddf71ab34495de upstream.
+
+These periods are expressed in time units (microseconds) while 40 and 12
+are the number of symbol durations these periods will last. We need to
+multiply them both with the symbol_duration in order to get these
+values in microseconds.
+
+Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/r/20220201180629.93410-2-miquel.raynal@bootlin.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ieee802154/ca8210.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -2977,8 +2977,8 @@ static void ca8210_hw_setup(struct ieee8
+       ca8210_hw->phy->cca.opt = NL802154_CCA_OPT_ENERGY_CARRIER_AND;
+       ca8210_hw->phy->cca_ed_level = -9800;
+       ca8210_hw->phy->symbol_duration = 16;
+-      ca8210_hw->phy->lifs_period = 40;
+-      ca8210_hw->phy->sifs_period = 12;
++      ca8210_hw->phy->lifs_period = 40 * ca8210_hw->phy->symbol_duration;
++      ca8210_hw->phy->sifs_period = 12 * ca8210_hw->phy->symbol_duration;
+       ca8210_hw->flags =
+               IEEE802154_HW_AFILT |
+               IEEE802154_HW_OMIT_CKSUM |

diff --git a/queue-5.10/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch b/queue-5.10/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch
new file mode 100644 (file)
index 0000000..7b3fb80
--- /dev/null
+++ b/queue-5.10/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch
@@ -0,0 +1,327 @@
+From 5891cd5ec46c2c2eb6427cb54d214b149635dd0e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 11 Feb 2022 12:06:23 -0800
+Subject: net_sched: add __rcu annotation to netdev->qdisc
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 5891cd5ec46c2c2eb6427cb54d214b149635dd0e upstream.
+
+syzbot found a data-race [1] which lead me to add __rcu
+annotations to netdev->qdisc, and proper accessors
+to get LOCKDEP support.
+
+[1]
+BUG: KCSAN: data-race in dev_activate / qdisc_lookup_rcu
+
+write to 0xffff888168ad6410 of 8 bytes by task 13559 on cpu 1:
+ attach_default_qdiscs net/sched/sch_generic.c:1167 [inline]
+ dev_activate+0x2ed/0x8f0 net/sched/sch_generic.c:1221
+ __dev_open+0x2e9/0x3a0 net/core/dev.c:1416
+ __dev_change_flags+0x167/0x3f0 net/core/dev.c:8139
+ rtnl_configure_link+0xc2/0x150 net/core/rtnetlink.c:3150
+ __rtnl_newlink net/core/rtnetlink.c:3489 [inline]
+ rtnl_newlink+0xf4d/0x13e0 net/core/rtnetlink.c:3529
+ rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5594
+ netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494
+ rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612
+ netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+ netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343
+ netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:705 [inline]
+ sock_sendmsg net/socket.c:725 [inline]
+ ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
+ ___sys_sendmsg net/socket.c:2467 [inline]
+ __sys_sendmsg+0x195/0x230 net/socket.c:2496
+ __do_sys_sendmsg net/socket.c:2505 [inline]
+ __se_sys_sendmsg net/socket.c:2503 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff888168ad6410 of 8 bytes by task 13560 on cpu 0:
+ qdisc_lookup_rcu+0x30/0x2e0 net/sched/sch_api.c:323
+ __tcf_qdisc_find+0x74/0x3a0 net/sched/cls_api.c:1050
+ tc_del_tfilter+0x1c7/0x1350 net/sched/cls_api.c:2211
+ rtnetlink_rcv_msg+0x5ba/0x7e0 net/core/rtnetlink.c:5585
+ netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494
+ rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612
+ netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+ netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343
+ netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:705 [inline]
+ sock_sendmsg net/socket.c:725 [inline]
+ ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
+ ___sys_sendmsg net/socket.c:2467 [inline]
+ __sys_sendmsg+0x195/0x230 net/socket.c:2496
+ __do_sys_sendmsg net/socket.c:2505 [inline]
+ __se_sys_sendmsg net/socket.c:2503 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0xffffffff85dee080 -> 0xffff88815d96ec00
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 13560 Comm: syz-executor.2 Not tainted 5.17.0-rc3-syzkaller-00116-gf1baf68e1383-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 470502de5bdb ("net: sched: unlock rules update API")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Vlad Buslov <vladbu@mellanox.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdevice.h |    2 +-
+ net/core/rtnetlink.c      |    6 ++++--
+ net/sched/cls_api.c       |    6 +++---
+ net/sched/sch_api.c       |   22 ++++++++++++----------
+ net/sched/sch_generic.c   |   29 ++++++++++++++++-------------
+ 5 files changed, 36 insertions(+), 29 deletions(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -2061,7 +2061,7 @@ struct net_device {
+       struct netdev_queue     *_tx ____cacheline_aligned_in_smp;
+       unsigned int            num_tx_queues;
+       unsigned int            real_num_tx_queues;
+-      struct Qdisc            *qdisc;
++      struct Qdisc __rcu      *qdisc;
+       unsigned int            tx_queue_len;
+       spinlock_t              tx_global_lock;
+ 
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1705,6 +1705,7 @@ static int rtnl_fill_ifinfo(struct sk_bu
+ {
+       struct ifinfomsg *ifm;
+       struct nlmsghdr *nlh;
++      struct Qdisc *qdisc;
+ 
+       ASSERT_RTNL();
+       nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ifm), flags);
+@@ -1722,6 +1723,7 @@ static int rtnl_fill_ifinfo(struct sk_bu
+       if (tgt_netnsid >= 0 && nla_put_s32(skb, IFLA_TARGET_NETNSID, tgt_netnsid))
+               goto nla_put_failure;
+ 
++      qdisc = rtnl_dereference(dev->qdisc);
+       if (nla_put_string(skb, IFLA_IFNAME, dev->name) ||
+           nla_put_u32(skb, IFLA_TXQLEN, dev->tx_queue_len) ||
+           nla_put_u8(skb, IFLA_OPERSTATE,
+@@ -1740,8 +1742,8 @@ static int rtnl_fill_ifinfo(struct sk_bu
+ #endif
+           put_master_ifindex(skb, dev) ||
+           nla_put_u8(skb, IFLA_CARRIER, netif_carrier_ok(dev)) ||
+-          (dev->qdisc &&
+-           nla_put_string(skb, IFLA_QDISC, dev->qdisc->ops->id)) ||
++          (qdisc &&
++           nla_put_string(skb, IFLA_QDISC, qdisc->ops->id)) ||
+           nla_put_ifalias(skb, dev) ||
+           nla_put_u32(skb, IFLA_CARRIER_CHANGES,
+                       atomic_read(&dev->carrier_up_count) +
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -1045,7 +1045,7 @@ static int __tcf_qdisc_find(struct net *
+ 
+       /* Find qdisc */
+       if (!*parent) {
+-              *q = dev->qdisc;
++              *q = rcu_dereference(dev->qdisc);
+               *parent = (*q)->handle;
+       } else {
+               *q = qdisc_lookup_rcu(dev, TC_H_MAJ(*parent));
+@@ -2591,7 +2591,7 @@ static int tc_dump_tfilter(struct sk_buf
+ 
+               parent = tcm->tcm_parent;
+               if (!parent)
+-                      q = dev->qdisc;
++                      q = rtnl_dereference(dev->qdisc);
+               else
+                       q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent));
+               if (!q)
+@@ -2977,7 +2977,7 @@ static int tc_dump_chain(struct sk_buff
+ 
+               parent = tcm->tcm_parent;
+               if (!parent) {
+-                      q = dev->qdisc;
++                      q = rtnl_dereference(dev->qdisc);
+                       parent = q->handle;
+               } else {
+                       q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent));
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -301,7 +301,7 @@ struct Qdisc *qdisc_lookup(struct net_de
+ 
+       if (!handle)
+               return NULL;
+-      q = qdisc_match_from_root(dev->qdisc, handle);
++      q = qdisc_match_from_root(rtnl_dereference(dev->qdisc), handle);
+       if (q)
+               goto out;
+ 
+@@ -320,7 +320,7 @@ struct Qdisc *qdisc_lookup_rcu(struct ne
+ 
+       if (!handle)
+               return NULL;
+-      q = qdisc_match_from_root(dev->qdisc, handle);
++      q = qdisc_match_from_root(rcu_dereference(dev->qdisc), handle);
+       if (q)
+               goto out;
+ 
+@@ -1082,10 +1082,10 @@ static int qdisc_graft(struct net_device
+ skip:
+               if (!ingress) {
+                       notify_and_destroy(net, skb, n, classid,
+-                                         dev->qdisc, new);
++                                         rtnl_dereference(dev->qdisc), new);
+                       if (new && !new->ops->attach)
+                               qdisc_refcount_inc(new);
+-                      dev->qdisc = new ? : &noop_qdisc;
++                      rcu_assign_pointer(dev->qdisc, new ? : &noop_qdisc);
+ 
+                       if (new && new->ops->attach)
+                               new->ops->attach(new);
+@@ -1460,7 +1460,7 @@ static int tc_get_qdisc(struct sk_buff *
+                               q = dev_ingress_queue(dev)->qdisc_sleeping;
+                       }
+               } else {
+-                      q = dev->qdisc;
++                      q = rtnl_dereference(dev->qdisc);
+               }
+               if (!q) {
+                       NL_SET_ERR_MSG(extack, "Cannot find specified qdisc on specified device");
+@@ -1549,7 +1549,7 @@ replay:
+                               q = dev_ingress_queue(dev)->qdisc_sleeping;
+                       }
+               } else {
+-                      q = dev->qdisc;
++                      q = rtnl_dereference(dev->qdisc);
+               }
+ 
+               /* It may be default qdisc, ignore it */
+@@ -1771,7 +1771,8 @@ static int tc_dump_qdisc(struct sk_buff
+                       s_q_idx = 0;
+               q_idx = 0;
+ 
+-              if (tc_dump_qdisc_root(dev->qdisc, skb, cb, &q_idx, s_q_idx,
++              if (tc_dump_qdisc_root(rtnl_dereference(dev->qdisc),
++                                     skb, cb, &q_idx, s_q_idx,
+                                      true, tca[TCA_DUMP_INVISIBLE]) < 0)
+                       goto done;
+ 
+@@ -2047,7 +2048,7 @@ static int tc_ctl_tclass(struct sk_buff
+               } else if (qid1) {
+                       qid = qid1;
+               } else if (qid == 0)
+-                      qid = dev->qdisc->handle;
++                      qid = rtnl_dereference(dev->qdisc)->handle;
+ 
+               /* Now qid is genuine qdisc handle consistent
+                * both with parent and child.
+@@ -2058,7 +2059,7 @@ static int tc_ctl_tclass(struct sk_buff
+                       portid = TC_H_MAKE(qid, portid);
+       } else {
+               if (qid == 0)
+-                      qid = dev->qdisc->handle;
++                      qid = rtnl_dereference(dev->qdisc)->handle;
+       }
+ 
+       /* OK. Locate qdisc */
+@@ -2219,7 +2220,8 @@ static int tc_dump_tclass(struct sk_buff
+       s_t = cb->args[0];
+       t = 0;
+ 
+-      if (tc_dump_tclass_root(dev->qdisc, skb, tcm, cb, &t, s_t, true) < 0)
++      if (tc_dump_tclass_root(rtnl_dereference(dev->qdisc),
++                              skb, tcm, cb, &t, s_t, true) < 0)
+               goto done;
+ 
+       dev_queue = dev_ingress_queue(dev);
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -1088,30 +1088,33 @@ static void attach_default_qdiscs(struct
+       if (!netif_is_multiqueue(dev) ||
+           dev->priv_flags & IFF_NO_QUEUE) {
+               netdev_for_each_tx_queue(dev, attach_one_default_qdisc, NULL);
+-              dev->qdisc = txq->qdisc_sleeping;
+-              qdisc_refcount_inc(dev->qdisc);
++              qdisc = txq->qdisc_sleeping;
++              rcu_assign_pointer(dev->qdisc, qdisc);
++              qdisc_refcount_inc(qdisc);
+       } else {
+               qdisc = qdisc_create_dflt(txq, &mq_qdisc_ops, TC_H_ROOT, NULL);
+               if (qdisc) {
+-                      dev->qdisc = qdisc;
++                      rcu_assign_pointer(dev->qdisc, qdisc);
+                       qdisc->ops->attach(qdisc);
+               }
+       }
++      qdisc = rtnl_dereference(dev->qdisc);
+ 
+       /* Detect default qdisc setup/init failed and fallback to "noqueue" */
+-      if (dev->qdisc == &noop_qdisc) {
++      if (qdisc == &noop_qdisc) {
+               netdev_warn(dev, "default qdisc (%s) fail, fallback to %s\n",
+                           default_qdisc_ops->id, noqueue_qdisc_ops.id);
+               dev->priv_flags |= IFF_NO_QUEUE;
+               netdev_for_each_tx_queue(dev, attach_one_default_qdisc, NULL);
+-              dev->qdisc = txq->qdisc_sleeping;
+-              qdisc_refcount_inc(dev->qdisc);
++              qdisc = txq->qdisc_sleeping;
++              rcu_assign_pointer(dev->qdisc, qdisc);
++              qdisc_refcount_inc(qdisc);
+               dev->priv_flags ^= IFF_NO_QUEUE;
+       }
+ 
+ #ifdef CONFIG_NET_SCHED
+-      if (dev->qdisc != &noop_qdisc)
+-              qdisc_hash_add(dev->qdisc, false);
++      if (qdisc != &noop_qdisc)
++              qdisc_hash_add(qdisc, false);
+ #endif
+ }
+ 
+@@ -1141,7 +1144,7 @@ void dev_activate(struct net_device *dev
+        * and noqueue_qdisc for virtual interfaces
+        */
+ 
+-      if (dev->qdisc == &noop_qdisc)
++      if (rtnl_dereference(dev->qdisc) == &noop_qdisc)
+               attach_default_qdiscs(dev);
+ 
+       if (!netif_carrier_ok(dev))
+@@ -1306,7 +1309,7 @@ static int qdisc_change_tx_queue_len(str
+ void dev_qdisc_change_real_num_tx(struct net_device *dev,
+                                 unsigned int new_real_tx)
+ {
+-      struct Qdisc *qdisc = dev->qdisc;
++      struct Qdisc *qdisc = rtnl_dereference(dev->qdisc);
+ 
+       if (qdisc->ops->change_real_num_tx)
+               qdisc->ops->change_real_num_tx(qdisc, new_real_tx);
+@@ -1346,7 +1349,7 @@ static void dev_init_scheduler_queue(str
+ 
+ void dev_init_scheduler(struct net_device *dev)
+ {
+-      dev->qdisc = &noop_qdisc;
++      rcu_assign_pointer(dev->qdisc, &noop_qdisc);
+       netdev_for_each_tx_queue(dev, dev_init_scheduler_queue, &noop_qdisc);
+       if (dev_ingress_queue(dev))
+               dev_init_scheduler_queue(dev, dev_ingress_queue(dev), &noop_qdisc);
+@@ -1374,8 +1377,8 @@ void dev_shutdown(struct net_device *dev
+       netdev_for_each_tx_queue(dev, shutdown_scheduler_queue, &noop_qdisc);
+       if (dev_ingress_queue(dev))
+               shutdown_scheduler_queue(dev, dev_ingress_queue(dev), &noop_qdisc);
+-      qdisc_put(dev->qdisc);
+-      dev->qdisc = &noop_qdisc;
++      qdisc_put(rtnl_dereference(dev->qdisc));
++      rcu_assign_pointer(dev->qdisc, &noop_qdisc);
+ 
+       WARN_ON(timer_pending(&dev->watchdog_timer));
+ }

diff --git a/queue-5.10/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch b/queue-5.10/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch
new file mode 100644 (file)
index 0000000..09b328a
--- /dev/null
+++ b/queue-5.10/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch
@@ -0,0 +1,32 @@
+From 2b4e5fb4d3776c391e40fb33673ba946dd96012d Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 10 Feb 2022 10:06:42 +0100
+Subject: netfilter: nft_synproxy: unregister hooks on init error path
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 2b4e5fb4d3776c391e40fb33673ba946dd96012d upstream.
+
+Disable the IPv4 hooks if the IPv6 hooks fail to be registered.
+
+Fixes: ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_synproxy.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_synproxy.c
++++ b/net/netfilter/nft_synproxy.c
+@@ -191,8 +191,10 @@ static int nft_synproxy_do_init(const st
+               if (err)
+                       goto nf_ct_failure;
+               err = nf_synproxy_ipv6_init(snet, ctx->net);
+-              if (err)
++              if (err) {
++                      nf_synproxy_ipv4_fini(snet, ctx->net);
+                       goto nf_ct_failure;
++              }
+               break;
+       }
+ 

diff --git a/queue-5.10/perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch b/queue-5.10/perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch
new file mode 100644 (file)
index 0000000..ee213b1
--- /dev/null
+++ b/queue-5.10/perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch
@@ -0,0 +1,50 @@
+From 31ded1535e3182778a1d0e5c32711f55da3bc512 Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Wed, 16 Feb 2022 16:01:00 -0300
+Subject: perf bpf: Defer freeing string after possible strlen() on it
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+commit 31ded1535e3182778a1d0e5c32711f55da3bc512 upstream.
+
+This was detected by the gcc in Fedora Rawhide's gcc:
+
+  50    11.01 fedora:rawhide                : FAIL gcc version 12.0.1 20220205 (Red Hat 12.0.1-0) (GCC)
+        inlined from 'bpf__config_obj' at util/bpf-loader.c:1242:9:
+    util/bpf-loader.c:1225:34: error: pointer 'map_opt' may be used after 'free' [-Werror=use-after-free]
+     1225 |                 *key_scan_pos += strlen(map_opt);
+          |                                  ^~~~~~~~~~~~~~~
+    util/bpf-loader.c:1223:9: note: call to 'free' here
+     1223 |         free(map_name);
+          |         ^~~~~~~~~~~~~~
+    cc1: all warnings being treated as errors
+
+So do the calculations on the pointer before freeing it.
+
+Fixes: 04f9bf2bac72480c ("perf bpf-loader: Add missing '*' for key_scan_pos")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Link: https://lore.kernel.org/lkml/Yg1VtQxKrPpS3uNA@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/bpf-loader.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/bpf-loader.c
++++ b/tools/perf/util/bpf-loader.c
+@@ -1215,9 +1215,10 @@ bpf__obj_config_map(struct bpf_object *o
+       pr_debug("ERROR: Invalid map config option '%s'\n", map_opt);
+       err = -BPF_LOADER_ERRNO__OBJCONF_MAP_OPT;
+ out:
+-      free(map_name);
+       if (!err)
+               *key_scan_pos += strlen(map_opt);
++
++      free(map_name);
+       return err;
+ }
+ 

diff --git a/queue-5.10/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch b/queue-5.10/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch
new file mode 100644 (file)
index 0000000..555d5c0
--- /dev/null
+++ b/queue-5.10/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch
@@ -0,0 +1,78 @@
+From 35a79e64de29e8d57a5989aac57611c0cd29e13e Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 16 Feb 2022 00:20:52 -0500
+Subject: ping: fix the dif and sdif check in ping_lookup
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 35a79e64de29e8d57a5989aac57611c0cd29e13e upstream.
+
+When 'ping' changes to use PING socket instead of RAW socket by:
+
+   # sysctl -w net.ipv4.ping_group_range="0 100"
+
+There is another regression caused when matching sk_bound_dev_if
+and dif, RAW socket is using inet_iif() while PING socket lookup
+is using skb->dev->ifindex, the cmd below fails due to this:
+
+  # ip link add dummy0 type dummy
+  # ip link set dummy0 up
+  # ip addr add 192.168.111.1/24 dev dummy0
+  # ping -I dummy0 192.168.111.1 -c1
+
+The issue was also reported on:
+
+  https://github.com/iputils/iputils/issues/104
+
+But fixed in iputils in a wrong way by not binding to device when
+destination IP is on device, and it will cause some of kselftests
+to fail, as Jianlin noticed.
+
+This patch is to use inet(6)_iif and inet(6)_sdif to get dif and
+sdif for PING socket, and keep consistent with RAW socket.
+
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ping.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -172,16 +172,23 @@ static struct sock *ping_lookup(struct n
+       struct sock *sk = NULL;
+       struct inet_sock *isk;
+       struct hlist_nulls_node *hnode;
+-      int dif = skb->dev->ifindex;
++      int dif, sdif;
+ 
+       if (skb->protocol == htons(ETH_P_IP)) {
++              dif = inet_iif(skb);
++              sdif = inet_sdif(skb);
+               pr_debug("try to find: num = %d, daddr = %pI4, dif = %d\n",
+                        (int)ident, &ip_hdr(skb)->daddr, dif);
+ #if IS_ENABLED(CONFIG_IPV6)
+       } else if (skb->protocol == htons(ETH_P_IPV6)) {
++              dif = inet6_iif(skb);
++              sdif = inet6_sdif(skb);
+               pr_debug("try to find: num = %d, daddr = %pI6c, dif = %d\n",
+                        (int)ident, &ipv6_hdr(skb)->daddr, dif);
+ #endif
++      } else {
++              pr_err("ping: protocol(%x) is not supported\n", ntohs(skb->protocol));
++              return NULL;
+       }
+ 
+       read_lock_bh(&ping_table.lock);
+@@ -221,7 +228,7 @@ static struct sock *ping_lookup(struct n
+               }
+ 
+               if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif &&
+-                  sk->sk_bound_dev_if != inet_sdif(skb))
++                  sk->sk_bound_dev_if != sdif)
+                       continue;
+ 
+               sock_hold(sk);

diff --git a/queue-5.10/selftests-exec-add-non-regular-to-test_gen_progs.patch b/queue-5.10/selftests-exec-add-non-regular-to-test_gen_progs.patch
new file mode 100644 (file)
index 0000000..599d3f6
--- /dev/null
+++ b/queue-5.10/selftests-exec-add-non-regular-to-test_gen_progs.patch
@@ -0,0 +1,40 @@
+From a7e793a867ae312cecdeb6f06cceff98263e75dd Mon Sep 17 00:00:00 2001
+From: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Date: Thu, 10 Feb 2022 22:13:23 +0500
+Subject: selftests/exec: Add non-regular to TEST_GEN_PROGS
+
+From: Muhammad Usama Anjum <usama.anjum@collabora.com>
+
+commit a7e793a867ae312cecdeb6f06cceff98263e75dd upstream.
+
+non-regular file needs to be compiled and then copied to the output
+directory. Remove it from TEST_PROGS and add it to TEST_GEN_PROGS. This
+removes error thrown by rsync when non-regular object isn't found:
+
+rsync: [sender] link_stat "/linux/tools/testing/selftests/exec/non-regular" failed: No such file or directory (2)
+rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1333) [sender=3.2.3]
+
+Fixes: 0f71241a8e32 ("selftests/exec: add file type errno tests")
+Reported-by: "kernelci.org bot" <bot@kernelci.org>
+Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/exec/Makefile |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/exec/Makefile
++++ b/tools/testing/selftests/exec/Makefile
+@@ -3,8 +3,8 @@ CFLAGS = -Wall
+ CFLAGS += -Wno-nonnull
+ CFLAGS += -D_GNU_SOURCE
+ 
+-TEST_PROGS := binfmt_script non-regular
+-TEST_GEN_PROGS := execveat load_address_4096 load_address_2097152 load_address_16777216
++TEST_PROGS := binfmt_script
++TEST_GEN_PROGS := execveat load_address_4096 load_address_2097152 load_address_16777216 non-regular
+ TEST_GEN_FILES := execveat.symlink execveat.denatured script subdir
+ # Makefile is a run-time dependency, since it's accessed by the execveat test
+ TEST_FILES := Makefile

diff --git a/queue-5.10/selftests-netfilter-fix-exit-value-for-nft_concat_range.patch b/queue-5.10/selftests-netfilter-fix-exit-value-for-nft_concat_range.patch
new file mode 100644 (file)
index 0000000..7e5fa3e
--- /dev/null
+++ b/queue-5.10/selftests-netfilter-fix-exit-value-for-nft_concat_range.patch
@@ -0,0 +1,33 @@
+From 2e71ec1a725a794a16e3862791ed43fe5ba6a06b Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Wed, 9 Feb 2022 16:25:51 +0800
+Subject: selftests: netfilter: fix exit value for nft_concat_range
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+commit 2e71ec1a725a794a16e3862791ed43fe5ba6a06b upstream.
+
+When the nft_concat_range test failed, it exit 1 in the code
+specifically.
+
+But when part of, or all of the test passed, it will failed the
+[ ${passed} -eq 0 ] check and thus exit with 1, which is the same
+exit value with failure result. Fix it by exit 0 when passed is not 0.
+
+Fixes: 611973c1e06f ("selftests: netfilter: Introduce tests for sets with range concatenation")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/netfilter/nft_concat_range.sh |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/netfilter/nft_concat_range.sh
++++ b/tools/testing/selftests/netfilter/nft_concat_range.sh
+@@ -1583,4 +1583,4 @@ for name in ${TESTS}; do
+       done
+ done
+ 
+-[ ${passed} -eq 0 ] && exit ${KSELFTEST_SKIP}
++[ ${passed} -eq 0 ] && exit ${KSELFTEST_SKIP} || exit 0

diff --git a/queue-5.10/series b/queue-5.10/series
index 7ad2261b1024b8e29d35f4e49f24adda04c19520..7bbfad8bcde0b92d95fd7ef0f8fbdb943cbdfb22 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -48,3 +48,23 @@ iwlwifi-fix-use-after-free.patch
 drm-radeon-fix-backlight-control-on-imac-12-1.patch
 drm-i915-opregion-check-port-number-bounds-for-swsci-display-power-state.patch
 vsock-remove-vsock-from-connected-table-when-connect-is-interrupted-by-a-signal.patch
+drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch
+iwlwifi-pcie-fix-locking-when-hw-not-ready.patch
+iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch
+selftests-netfilter-fix-exit-value-for-nft_concat_range.patch
+netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch
+ipv6-per-netns-exclusive-flowlabel-checks.patch
+net-dsa-lan9303-fix-reset-on-probe.patch
+net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch
+net-dsa-lan9303-add-vlan-ids-to-master-device.patch
+net-ieee802154-ca8210-fix-lifs-sifs-periods.patch
+ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch
+bonding-force-carrier-update-when-releasing-slave.patch
+drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
+net_sched-add-__rcu-annotation-to-netdev-qdisc.patch
+bonding-fix-data-races-around-agg_select_timer.patch
+libsubcmd-fix-use-after-free-for-realloc-...-0.patch
+dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch
+net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch
+perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch
+selftests-exec-add-non-regular-to-test_gen_progs.patch