--- /dev/null
+From foo@baz Sun Dec 6 10:32:44 AM CET 2020
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+Date: Wed, 2 Dec 2020 17:56:05 +0800
+Subject: cxgb3: fix error return code in t3_sge_alloc_qset()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit ff9924897f8bfed82e61894b373ab9d2dfea5b10 ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: b1fb1f280d09 ("cxgb3 - Fix dma mapping error path")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Acked-by: Raju Rangoju <rajur@chelsio.com>
+Link: https://lore.kernel.org/r/1606902965-1646-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb3/sge.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/chelsio/cxgb3/sge.c
++++ b/drivers/net/ethernet/chelsio/cxgb3/sge.c
+@@ -3111,6 +3111,7 @@ int t3_sge_alloc_qset(struct adapter *ad
+ GFP_KERNEL | __GFP_COMP);
+ if (!avail) {
+ CH_ALERT(adapter, "free list queue 0 initialization failed\n");
++ ret = -ENOMEM;
+ goto err;
+ }
+ if (avail < q->fl[0].size)
--- /dev/null
+From foo@baz Sun Dec 6 10:32:44 AM CET 2020
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Mon, 26 Oct 2020 16:36:20 +0100
+Subject: dt-bindings: net: correct interrupt flags in examples
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 4d521943f76bd0d1e68ea5e02df7aadd30b2838a ]
+
+GPIO_ACTIVE_x flags are not correct in the context of interrupt flags.
+These are simple defines so they could be used in DTS but they will not
+have the same meaning:
+1. GPIO_ACTIVE_HIGH = 0 = IRQ_TYPE_NONE
+2. GPIO_ACTIVE_LOW = 1 = IRQ_TYPE_EDGE_RISING
+
+Correct the interrupt flags, assuming the author of the code wanted same
+logical behavior behind the name "ACTIVE_xxx", this is:
+ ACTIVE_LOW => IRQ_TYPE_LEVEL_LOW
+ ACTIVE_HIGH => IRQ_TYPE_LEVEL_HIGH
+
+Fixes: a1a8b4594f8d ("NFC: pn544: i2c: Add DTS Documentation")
+Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver")
+Fixes: e3b329221567 ("dt-bindings: can: tcan4x5x: Update binding to use interrupt property")
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Acked-by: Rob Herring <robh@kernel.org>
+Acked-by: Marc Kleine-Budde <mkl@pengutronix.de> # for tcan4x5x.txt
+Link: https://lore.kernel.org/r/20201026153620.89268-1-krzk@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/net/nfc/nxp-nci.txt | 2 +-
+ Documentation/devicetree/bindings/net/nfc/pn544.txt | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/Documentation/devicetree/bindings/net/nfc/nxp-nci.txt
++++ b/Documentation/devicetree/bindings/net/nfc/nxp-nci.txt
+@@ -27,7 +27,7 @@ Example (for ARM-based BeagleBone with N
+ clock-frequency = <100000>;
+
+ interrupt-parent = <&gpio1>;
+- interrupts = <29 GPIO_ACTIVE_HIGH>;
++ interrupts = <29 IRQ_TYPE_LEVEL_HIGH>;
+
+ enable-gpios = <&gpio0 30 GPIO_ACTIVE_HIGH>;
+ firmware-gpios = <&gpio0 31 GPIO_ACTIVE_HIGH>;
+--- a/Documentation/devicetree/bindings/net/nfc/pn544.txt
++++ b/Documentation/devicetree/bindings/net/nfc/pn544.txt
+@@ -27,7 +27,7 @@ Example (for ARM-based BeagleBone with P
+ clock-frequency = <400000>;
+
+ interrupt-parent = <&gpio1>;
+- interrupts = <17 GPIO_ACTIVE_HIGH>;
++ interrupts = <17 IRQ_TYPE_LEVEL_HIGH>;
+
+ enable-gpios = <&gpio3 21 GPIO_ACTIVE_HIGH>;
+ firmware-gpios = <&gpio3 19 GPIO_ACTIVE_HIGH>;
--- /dev/null
+From foo@baz Sun Dec 6 10:32:44 AM CET 2020
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+Date: Wed, 2 Dec 2020 17:57:15 +0800
+Subject: net: pasemi: fix error return code in pasemi_mac_open()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit aba84871bd4f52c4dfcf3ad5d4501a6c9d2de90e ]
+
+Fix to return a negative error code from the error handling
+case instead of 0, as done elsewhere in this function.
+
+Fixes: 72b05b9940f0 ("pasemi_mac: RX/TX ring management cleanup")
+Fixes: 8d636d8bc5ff ("pasemi_mac: jumbo frame support")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Link: https://lore.kernel.org/r/1606903035-1838-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/pasemi/pasemi_mac.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/pasemi/pasemi_mac.c
++++ b/drivers/net/ethernet/pasemi/pasemi_mac.c
+@@ -1129,16 +1129,20 @@ static int pasemi_mac_open(struct net_de
+
+ mac->tx = pasemi_mac_setup_tx_resources(dev);
+
+- if (!mac->tx)
++ if (!mac->tx) {
++ ret = -ENOMEM;
+ goto out_tx_ring;
++ }
+
+ /* We might already have allocated rings in case mtu was changed
+ * before interface was brought up.
+ */
+ if (dev->mtu > 1500 && !mac->num_cs) {
+ pasemi_mac_setup_csrings(mac);
+- if (!mac->num_cs)
++ if (!mac->num_cs) {
++ ret = -ENOMEM;
+ goto out_tx_ring;
++ }
+ }
+
+ /* Zero out rmon counters */
--- /dev/null
+From foo@baz Sun Dec 6 10:32:44 AM CET 2020
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 1 Dec 2020 18:15:12 +0300
+Subject: net/x25: prevent a couple of overflows
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 6ee50c8e262a0f0693dad264c3c99e30e6442a56 ]
+
+The .x25_addr[] address comes from the user and is not necessarily
+NUL terminated. This leads to a couple problems. The first problem is
+that the strlen() in x25_bind() can read beyond the end of the buffer.
+
+The second problem is more subtle and could result in memory corruption.
+The call tree is:
+ x25_connect()
+ --> x25_write_internal()
+ --> x25_addr_aton()
+
+The .x25_addr[] buffers are copied to the "addresses" buffer from
+x25_write_internal() so it will lead to stack corruption.
+
+Verify that the strings are NUL terminated and return -EINVAL if they
+are not.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Fixes: a9288525d2ae ("X25: Dont let x25_bind use addresses containing characters")
+Reported-by: "kiyin(尹亮)" <kiyin@tencent.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Martin Schiller <ms@dev.tdt.de>
+Link: https://lore.kernel.org/r/X8ZeAKm8FnFpN//B@mwanda
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/x25/af_x25.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/x25/af_x25.c
++++ b/net/x25/af_x25.c
+@@ -679,7 +679,8 @@ static int x25_bind(struct socket *sock,
+ int len, i, rc = 0;
+
+ if (addr_len != sizeof(struct sockaddr_x25) ||
+- addr->sx25_family != AF_X25) {
++ addr->sx25_family != AF_X25 ||
++ strnlen(addr->sx25_addr.x25_addr, X25_ADDR_LEN) == X25_ADDR_LEN) {
+ rc = -EINVAL;
+ goto out;
+ }
+@@ -773,7 +774,8 @@ static int x25_connect(struct socket *so
+
+ rc = -EINVAL;
+ if (addr_len != sizeof(struct sockaddr_x25) ||
+- addr->sx25_family != AF_X25)
++ addr->sx25_family != AF_X25 ||
++ strnlen(addr->sx25_addr.x25_addr, X25_ADDR_LEN) == X25_ADDR_LEN)
+ goto out;
+
+ rc = -ENETUNREACH;
--- /dev/null
+From foo@baz Sun Dec 6 10:32:44 AM CET 2020
+From: Antoine Tenart <atenart@kernel.org>
+Date: Mon, 23 Nov 2020 18:49:02 +0100
+Subject: netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal
+
+From: Antoine Tenart <atenart@kernel.org>
+
+[ Upstream commit 44f64f23bae2f0fad25503bc7ab86cd08d04cd47 ]
+
+Netfilter changes PACKET_OTHERHOST to PACKET_HOST before invoking the
+hooks as, while it's an expected value for a bridge, routing expects
+PACKET_HOST. The change is undone later on after hook traversal. This
+can be seen with pairs of functions updating skb>pkt_type and then
+reverting it to its original value:
+
+For hook NF_INET_PRE_ROUTING:
+ setup_pre_routing / br_nf_pre_routing_finish
+
+For hook NF_INET_FORWARD:
+ br_nf_forward_ip / br_nf_forward_finish
+
+But the third case where netfilter does this, for hook
+NF_INET_POST_ROUTING, the packet type is changed in br_nf_post_routing
+but never reverted. A comment says:
+
+ /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
+ * about the value of skb->pkt_type. */
+
+But when having a tunnel (say vxlan) attached to a bridge we have the
+following call trace:
+
+ br_nf_pre_routing
+ br_nf_pre_routing_ipv6
+ br_nf_pre_routing_finish
+ br_nf_forward_ip
+ br_nf_forward_finish
+ br_nf_post_routing <- pkt_type is updated to PACKET_HOST
+ br_nf_dev_queue_xmit <- but not reverted to its original value
+ vxlan_xmit
+ vxlan_xmit_one
+ skb_tunnel_check_pmtu <- a check on pkt_type is performed
+
+In this specific case, this creates issues such as when an ICMPv6 PTB
+should be sent back. When CONFIG_BRIDGE_NETFILTER is enabled, the PTB
+isn't sent (as skb_tunnel_check_pmtu checks if pkt_type is PACKET_HOST
+and returns early).
+
+If the comment is right and no one cares about the value of
+skb->pkt_type after br_dev_queue_push_xmit (which isn't true), resetting
+it to its original value should be safe.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Antoine Tenart <atenart@kernel.org>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Link: https://lore.kernel.org/r/20201123174902.622102-1-atenart@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_netfilter_hooks.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -711,6 +711,11 @@ static int br_nf_dev_queue_xmit(struct n
+ mtu_reserved = nf_bridge_mtu_reduction(skb);
+ mtu = skb->dev->mtu;
+
++ if (nf_bridge->pkt_otherhost) {
++ skb->pkt_type = PACKET_OTHERHOST;
++ nf_bridge->pkt_otherhost = false;
++ }
++
+ if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu)
+ mtu = nf_bridge->frag_max_size;
+
+@@ -804,8 +809,6 @@ static unsigned int br_nf_post_routing(v
+ else
+ return NF_ACCEPT;
+
+- /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
+- * about the value of skb->pkt_type. */
+ if (skb->pkt_type == PACKET_OTHERHOST) {
+ skb->pkt_type = PACKET_HOST;
+ nf_bridge->pkt_otherhost = true;
rose-fix-null-pointer-dereference-in-rose_send_frame.patch
usbnet-ipheth-fix-connectivity-with-ios-14.patch
bonding-wait-for-sysfs-kobject-destruction-before-freeing-struct-slave.patch
+netfilter-bridge-reset-skb-pkt_type-after-nf_inet_post_routing-traversal.patch
+net-x25-prevent-a-couple-of-overflows.patch
+cxgb3-fix-error-return-code-in-t3_sge_alloc_qset.patch
+net-pasemi-fix-error-return-code-in-pasemi_mac_open.patch
+dt-bindings-net-correct-interrupt-flags-in-examples.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
