--- /dev/null
+From 042663f2c8cd04db966beb4915bfc811595ca009 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Dec 2021 09:30:30 -0300
+Subject: ARM: dts: imx6qdl-wandboard: Fix Ethernet support
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Haaß <vvvrrooomm@gmail.com>
+
+[ Upstream commit 39e660687ac0c57499134765abbecf71cfd11eae ]
+
+Currently, the imx6q-wandboard Ethernet does not transmit any
+data.
+
+This issue has been exposed by commit f5d9aa79dfdf ("ARM: imx6q:
+remove clk-out fixup for the Atheros AR8031 and AR8035 PHYs").
+
+Fix it by describing the qca,clk-out-frequency property as suggested
+by the commit above.
+
+Fixes: 77591e42458d ("ARM: dts: imx6qdl-wandboard: add ethernet PHY description")
+Signed-off-by: Martin Haaß <vvvrrooomm@gmail.com>
+Tested-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/imx6qdl-wandboard.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/imx6qdl-wandboard.dtsi b/arch/arm/boot/dts/imx6qdl-wandboard.dtsi
+index b62a0dbb033ff..ec6fba5ee8fde 100644
+--- a/arch/arm/boot/dts/imx6qdl-wandboard.dtsi
++++ b/arch/arm/boot/dts/imx6qdl-wandboard.dtsi
+@@ -309,6 +309,7 @@
+
+ ethphy: ethernet-phy@1 {
+ reg = <1>;
++ qca,clk-out-frequency = <125000000>;
+ };
+ };
+ };
+--
+2.34.1
+
--- /dev/null
+From de45063c5183e755018ccc951dcb4e819eb417a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Nov 2021 15:02:22 +0100
+Subject: arm64: dts: allwinner: orangepi-zero-plus: fix PHY mode
+
+From: Robert Marko <robert.marko@sartura.hr>
+
+[ Upstream commit 08d2061ff9c5319a07bf9ca6bbf11fdec68f704a ]
+
+Orange Pi Zero Plus uses a Realtek RTL8211E RGMII Gigabit PHY, but its
+currently set to plain RGMII mode meaning that it doesn't introduce
+delays.
+
+With this setup, TX packets are completely lost and changing the mode to
+RGMII-ID so the PHY will add delays internally fixes the issue.
+
+Fixes: a7affb13b271 ("arm64: allwinner: H5: Add Xunlong Orange Pi Zero Plus")
+Acked-by: Chen-Yu Tsai <wens@csie.org>
+Tested-by: Ron Goossens <rgoossens@gmail.com>
+Tested-by: Samuel Holland <samuel@sholland.org>
+Signed-off-by: Robert Marko <robert.marko@sartura.hr>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://lore.kernel.org/r/20211117140222.43692-1-robert.marko@sartura.hr
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts b/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts
+index d13980ed7a79a..7ec5ac850a0dc 100644
+--- a/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts
++++ b/arch/arm64/boot/dts/allwinner/sun50i-h5-orangepi-zero-plus.dts
+@@ -69,7 +69,7 @@
+ pinctrl-0 = <&emac_rgmii_pins>;
+ phy-supply = <®_gmac_3v3>;
+ phy-handle = <&ext_rgmii_phy>;
+- phy-mode = "rgmii";
++ phy-mode = "rgmii-id";
+ status = "okay";
+ };
+
+--
+2.34.1
+
--- /dev/null
+From e391dbd2f946f77c14795384fed00dd5869b3dfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Dec 2021 23:10:36 +0300
+Subject: asix: fix uninit-value in asix_mdio_read()
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 8035b1a2a37a29d8c717ef84fca8fe7278bc9f03 ]
+
+asix_read_cmd() may read less than sizeof(smsr) bytes and in this case
+smsr will be uninitialized.
+
+Fail log:
+BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
+BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
+BUG: KMSAN: uninit-value in asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
+ asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline]
+ asix_check_host_enable drivers/net/usb/asix_common.c:82 [inline] drivers/net/usb/asix_common.c:497
+ asix_mdio_read+0x3c1/0xb00 drivers/net/usb/asix_common.c:497 drivers/net/usb/asix_common.c:497
+
+Fixes: d9fe64e51114 ("net: asix: Add in_pm parameter")
+Reported-and-tested-by: syzbot+f44badb06036334e867a@syzkaller.appspotmail.com
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/8966e3b514edf39857dd93603fc79ec02e000a75.1640117288.git.paskripkin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/asix_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
+index 38cda590895cc..b80c2dcfc9084 100644
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -77,7 +77,7 @@ static int asix_check_host_enable(struct usbnet *dev, int in_pm)
+ 0, 0, 1, &smsr, in_pm);
+ if (ret == -ENODEV)
+ break;
+- else if (ret < 0)
++ else if (ret < sizeof(smsr))
+ continue;
+ else if (smsr & AX_HOST_EN)
+ break;
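Review bot: The new guard `else if (ret < sizeof(smsr))` compares an `int` with a `size_t` (`ret` is declared `int` in the context lines of the later asix patch on this page), so `ret` is converted to unsigned before the comparison. Any negative error other than -ENODEV then compares as a very large value, the `continue` is skipped, and the next branch tests `smsr & AX_HOST_EN` on a byte that was never written. That is the uninitialised read this change is meant to remove. Keep the sign check and add the short-read check, e.g. `else if (ret < 0 || (size_t)ret < sizeof(smsr))`. asix_check_host_enable() starts and ends outside this hunk.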
+--
+2.34.1
+
--- /dev/null
+From ac5e338ed2ca507697676d716ed191925ac3df89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Dec 2021 23:10:43 +0300
+Subject: asix: fix wrong return value in asix_check_host_enable()
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit d1652b70d07cc3eed96210c876c4879e1655f20e ]
+
+If asix_read_cmd() returns 0 on 30th interation, 0 will be returned from
+asix_check_host_enable(), which is logically wrong. Fix it by returning
+-ETIMEDOUT explicitly if we have exceeded 30 iterations
+
+Also, replaced 30 with #define as suggested by Andrew
+
+Fixes: a786e3195d6a ("net: asix: fix uninit value bugs")
+Reported-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/ecd3470ce6c2d5697ac635d0d3b14a47defb4acb.1640117288.git.paskripkin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/asix_common.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
+index b80c2dcfc9084..9aa92076500af 100644
+--- a/drivers/net/usb/asix_common.c
++++ b/drivers/net/usb/asix_common.c
+@@ -9,6 +9,8 @@
+
+ #include "asix.h"
+
++#define AX_HOST_EN_RETRIES 30
++
+ int asix_read_cmd(struct usbnet *dev, u8 cmd, u16 value, u16 index,
+ u16 size, void *data, int in_pm)
+ {
+@@ -68,7 +70,7 @@ static int asix_check_host_enable(struct usbnet *dev, int in_pm)
+ int i, ret;
+ u8 smsr;
+
+- for (i = 0; i < 30; ++i) {
++ for (i = 0; i < AX_HOST_EN_RETRIES; ++i) {
+ ret = asix_set_sw_mii(dev, in_pm);
+ if (ret == -ENODEV || ret == -ETIMEDOUT)
+ break;
+@@ -83,7 +85,7 @@ static int asix_check_host_enable(struct usbnet *dev, int in_pm)
+ break;
+ }
+
+- return ret;
++ return i >= AX_HOST_EN_RETRIES ? -ETIMEDOUT : ret;
+ }
+
+ static void reset_asix_rx_fixup_info(struct asix_rx_fixup_info *rx)
+--
+2.34.1
+
--- /dev/null
+From 679cfe6e44cbf6bb3d4a91eb124e40e4318c54ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Dec 2021 22:08:03 +0100
+Subject: ASoC: meson: aiu: fifo: Add missing dma_coerce_mask_and_coherent()
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit 1bcd326631dc4faa3322d60b4fc45e8b3747993e ]
+
+The FIFO registers which take an DMA-able address are only 32-bit wide
+on AIU. Add dma_coerce_mask_and_coherent() to make the DMA core aware of
+this limitation.
+
+Fixes: 6ae9ca9ce986bf ("ASoC: meson: aiu: add i2s and spdif support")
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Link: https://lore.kernel.org/r/20211206210804.2512999-2-martin.blumenstingl@googlemail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/aiu-fifo.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sound/soc/meson/aiu-fifo.c b/sound/soc/meson/aiu-fifo.c
+index 4ad23267cace5..d67ff4cdabd5a 100644
+--- a/sound/soc/meson/aiu-fifo.c
++++ b/sound/soc/meson/aiu-fifo.c
+@@ -5,6 +5,7 @@
+
+ #include <linux/bitfield.h>
+ #include <linux/clk.h>
++#include <linux/dma-mapping.h>
+ #include <sound/pcm_params.h>
+ #include <sound/soc.h>
+ #include <sound/soc-dai.h>
+@@ -179,6 +180,11 @@ int aiu_fifo_pcm_new(struct snd_soc_pcm_runtime *rtd,
+ struct snd_card *card = rtd->card->snd_card;
+ struct aiu_fifo *fifo = dai->playback_dma_data;
+ size_t size = fifo->pcm->buffer_bytes_max;
++ int ret;
++
++ ret = dma_coerce_mask_and_coherent(card->dev, DMA_BIT_MASK(32));
++ if (ret)
++ return ret;
+
+ snd_pcm_set_managed_buffer_all(rtd->pcm, SNDRV_DMA_TYPE_DEV,
+ card->dev, size, size);
+--
+2.34.1
+
--- /dev/null
+From 2ceeb885e0fbeea131836c95c4d33d492e7e6bd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Dec 2021 12:13:45 +0100
+Subject: bonding: fix ad_actor_system option setting to default
+
+From: Fernando Fernandez Mancera <ffmancera@riseup.net>
+
+[ Upstream commit 1c15b05baea71a5ff98235783e3e4ad227760876 ]
+
+When 802.3ad bond mode is configured the ad_actor_system option is set to
+"00:00:00:00:00:00". But when trying to set the all-zeroes MAC as actors'
+system address it was failing with EINVAL.
+
+An all-zeroes ethernet address is valid, only multicast addresses are not
+valid values.
+
+Fixes: 171a42c38c6e ("bonding: add netlink support for sys prio, actor sys mac, and port key")
+Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Link: https://lore.kernel.org/r/20211221111345.2462-1-ffmancera@riseup.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/networking/bonding.rst | 11 ++++++-----
+ drivers/net/bonding/bond_options.c | 2 +-
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/Documentation/networking/bonding.rst b/Documentation/networking/bonding.rst
+index 31cfd7d674a6c..c0a789b008063 100644
+--- a/Documentation/networking/bonding.rst
++++ b/Documentation/networking/bonding.rst
+@@ -196,11 +196,12 @@ ad_actor_sys_prio
+ ad_actor_system
+
+ In an AD system, this specifies the mac-address for the actor in
+- protocol packet exchanges (LACPDUs). The value cannot be NULL or
+- multicast. It is preferred to have the local-admin bit set for this
+- mac but driver does not enforce it. If the value is not given then
+- system defaults to using the masters' mac address as actors' system
+- address.
++ protocol packet exchanges (LACPDUs). The value cannot be a multicast
++ address. If the all-zeroes MAC is specified, bonding will internally
++ use the MAC of the bond itself. It is preferred to have the
++ local-admin bit set for this mac but driver does not enforce it. If
++ the value is not given then system defaults to using the masters'
++ mac address as actors' system address.
+
+ This parameter has effect only in 802.3ad mode and is available through
+ SysFs interface.
+diff --git a/drivers/net/bonding/bond_options.c b/drivers/net/bonding/bond_options.c
+index a8fde3bc458f6..b93337b5a7211 100644
+--- a/drivers/net/bonding/bond_options.c
++++ b/drivers/net/bonding/bond_options.c
+@@ -1526,7 +1526,7 @@ static int bond_option_ad_actor_system_set(struct bonding *bond,
+ mac = (u8 *)&newval->value;
+ }
+
+- if (!is_valid_ether_addr(mac))
++ if (is_multicast_ether_addr(mac))
+ goto err;
+
+ netdev_dbg(bond->dev, "Setting ad_actor_system to %pM\n", mac);
+--
+2.34.1
+
--- /dev/null
+From 414938c06a53fb28dc0d91c2996431ceca8f730c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Nov 2021 09:35:37 +0100
+Subject: bus: sunxi-rsb: Fix shutdown
+
+From: Jernej Skrabec <jernej.skrabec@gmail.com>
+
+[ Upstream commit 017a716e7b0e9d4ac06a4d7779bd04fca009bbc9 ]
+
+Function sunxi_rsb_hw_exit() is sometimes called with pm runtime
+disabled, so in such cases pm_runtime_resume() will fail with -EACCES.
+
+Instead of doing whole dance of enabling pm runtime and thus clock just
+to disable it again immediately, just check if disabling clock is
+needed. That way calling pm_runtime_resume() is not needed at all.
+
+Fixes: 4a0dbc12e618 ("bus: sunxi-rsb: Implement runtime power management")
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Signed-off-by: Maxime Ripard <maxime@cerno.tech>
+Link: https://lore.kernel.org/r/20211121083537.612473-1-jernej.skrabec@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/sunxi-rsb.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/bus/sunxi-rsb.c b/drivers/bus/sunxi-rsb.c
+index 6f225dddc74f4..4566e730ef2b8 100644
+--- a/drivers/bus/sunxi-rsb.c
++++ b/drivers/bus/sunxi-rsb.c
+@@ -687,11 +687,11 @@ err_clk_disable:
+
+ static void sunxi_rsb_hw_exit(struct sunxi_rsb *rsb)
+ {
+- /* Keep the clock and PM reference counts consistent. */
+- if (pm_runtime_status_suspended(rsb->dev))
+- pm_runtime_resume(rsb->dev);
+ reset_control_assert(rsb->rstc);
+- clk_disable_unprepare(rsb->clk);
++
++ /* Keep the clock and PM reference counts consistent. */
++ if (!pm_runtime_status_suspended(rsb->dev))
++ clk_disable_unprepare(rsb->clk);
+ }
+
+ static int __maybe_unused sunxi_rsb_runtime_suspend(struct device *dev)
+--
+2.34.1
+
--- /dev/null
+From d24755a56c3e7b6179384fc1e58518e334def743 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 15:41:12 +0800
+Subject: drivers: net: smc911x: Check for error irq
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit cb93b3e11d405f20a405a07482d01147ef4934a3 ]
+
+Because platform_get_irq() could fail and return error irq.
+Therefore, it might be better to check it if order to avoid the use of
+error irq.
+
+Fixes: ae150435b59e ("smsc: Move the SMC (SMSC) drivers")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/smsc/smc911x.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/smsc/smc911x.c b/drivers/net/ethernet/smsc/smc911x.c
+index b008b4e8a2a5a..0641a1d392b86 100644
+--- a/drivers/net/ethernet/smsc/smc911x.c
++++ b/drivers/net/ethernet/smsc/smc911x.c
+@@ -2070,6 +2070,11 @@ static int smc911x_drv_probe(struct platform_device *pdev)
+
+ ndev->dma = (unsigned char)-1;
+ ndev->irq = platform_get_irq(pdev, 0);
++ if (ndev->irq < 0) {
++ ret = ndev->irq;
++ goto release_both;
++ }
++
+ lp = netdev_priv(ndev);
+ lp->netdev = ndev;
+ #ifdef SMC_DYNAMIC_BUS_CONFIG
+--
+2.34.1
+
--- /dev/null
+From a7c7c0746b8a97d4903118ad6990fd04d4c58175 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Oct 2021 09:43:11 +0200
+Subject: drm/mediatek: hdmi: Perform NULL pointer check for mtk_hdmi_conf
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 3b8e19a0aa3933a785be9f1541afd8d398c4ec69 ]
+
+In commit 41ca9caaae0b
+("drm/mediatek: hdmi: Add check for CEA modes only") a check
+for CEA modes was added to function mtk_hdmi_bridge_mode_valid()
+in order to address possible issues on MT8167;
+moreover, with commit c91026a938c2
+("drm/mediatek: hdmi: Add optional limit on maximal HDMI mode clock")
+another similar check was introduced.
+
+Unfortunately though, at the time of writing, MT8173 does not provide
+any mtk_hdmi_conf structure and this is crashing the kernel with NULL
+pointer upon entering mtk_hdmi_bridge_mode_valid(), which happens as
+soon as a HDMI cable gets plugged in.
+
+To fix this regression, add a NULL pointer check for hdmi->conf in the
+said function, restoring HDMI functionality and avoiding NULL pointer
+kernel panics.
+
+Fixes: 41ca9caaae0b ("drm/mediatek: hdmi: Add check for CEA modes only")
+Fixes: c91026a938c2 ("drm/mediatek: hdmi: Add optional limit on maximal HDMI mode clock")
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_hdmi.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+index 5838c44cbf6f0..3196189429bcf 100644
+--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c
++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+@@ -1224,12 +1224,14 @@ static int mtk_hdmi_bridge_mode_valid(struct drm_bridge *bridge,
+ return MODE_BAD;
+ }
+
+- if (hdmi->conf->cea_modes_only && !drm_match_cea_mode(mode))
+- return MODE_BAD;
++ if (hdmi->conf) {
++ if (hdmi->conf->cea_modes_only && !drm_match_cea_mode(mode))
++ return MODE_BAD;
+
+- if (hdmi->conf->max_mode_clock &&
+- mode->clock > hdmi->conf->max_mode_clock)
+- return MODE_CLOCK_HIGH;
++ if (hdmi->conf->max_mode_clock &&
++ mode->clock > hdmi->conf->max_mode_clock)
++ return MODE_CLOCK_HIGH;
++ }
+
+ if (mode->clock < 27000)
+ return MODE_CLOCK_LOW;
+--
+2.34.1
+
--- /dev/null
+From f8f75ae10cffbfa6fb1d31db4ca1292abf2ac667 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 15:12:07 +0800
+Subject: fjes: Check for error irq
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit db6d6afe382de5a65d6ccf51253ab48b8e8336c3 ]
+
+I find that platform_get_irq() will not always succeed.
+It will return error irq in case of the failure.
+Therefore, it might be better to check it if order to avoid the use of
+error irq.
+
+Fixes: 658d439b2292 ("fjes: Introduce FUJITSU Extended Socket Network Device driver")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/fjes/fjes_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/fjes/fjes_main.c b/drivers/net/fjes/fjes_main.c
+index 185c8a3986816..1d1808afd5295 100644
+--- a/drivers/net/fjes/fjes_main.c
++++ b/drivers/net/fjes/fjes_main.c
+@@ -1261,6 +1261,11 @@ static int fjes_probe(struct platform_device *plat_dev)
+ hw->hw_res.start = res->start;
+ hw->hw_res.size = resource_size(res);
+ hw->hw_res.irq = platform_get_irq(plat_dev, 0);
++ if (hw->hw_res.irq < 0) {
++ err = hw->hw_res.irq;
++ goto err_free_control_wq;
++ }
++
+ err = fjes_hw_init(&adapter->hw);
+ if (err)
+ goto err_free_control_wq;
+--
+2.34.1
+
--- /dev/null
+From a9e954c6891f7c19e21d739bc7c5466368143cc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Dec 2021 14:06:56 +0100
+Subject: gpio: virtio: remove timeout
+
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+
+[ Upstream commit 3e4d9a485029aa9e172dab5420abe775fd86f8e8 ]
+
+The driver imposes an arbitrary one second timeout on virtio requests,
+but the specification doesn't prevent the virtio device from taking
+longer to process requests, so remove this timeout to support all
+systems and device implementations.
+
+Fixes: 3a29355a22c0275fe86 ("gpio: Add virtio-gpio driver")
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-virtio.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/gpio/gpio-virtio.c b/drivers/gpio/gpio-virtio.c
+index d24f1c9264bc9..dd3b23c9580b1 100644
+--- a/drivers/gpio/gpio-virtio.c
++++ b/drivers/gpio/gpio-virtio.c
+@@ -81,11 +81,7 @@ static int _virtio_gpio_req(struct virtio_gpio *vgpio, u16 type, u16 gpio,
+ virtqueue_kick(vgpio->request_vq);
+ mutex_unlock(&vgpio->lock);
+
+- if (!wait_for_completion_timeout(&line->completion, HZ)) {
+- dev_err(dev, "GPIO operation timed out\n");
+- ret = -ETIMEDOUT;
+- goto out;
+- }
++ wait_for_completion(&line->completion);
+
+ if (unlikely(res->status != VIRTIO_GPIO_STATUS_OK)) {
+ dev_err(dev, "GPIO request failed: %d\n", gpio);
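Review bot: `wait_for_completion(&line->completion)` is unbounded and uninterruptible, so a device backend that never returns the request leaves the caller blocked with no way to time out or be killed. If that is the intended trust model for the virtio device, it deserves a comment at the wait, e.g. `/* No timeout: the spec sets no completion deadline, so a stalled device blocks this caller. */`. _virtio_gpio_req() starts and ends outside this hunk, so whether the completion is signalled on device removal or reset is not visible here and should be confirmed.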
+--
+2.34.1
+
--- /dev/null
+From 4d9a6b2c6082d6ab03dcd3d7c2a48fc12b96cdb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Dec 2021 18:52:38 +0100
+Subject: IB/qib: Fix memory leak in qib_user_sdma_queue_pkts()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit bee90911e0138c76ee67458ac0d58b38a3190f65 ]
+
+The wrong goto label was used for the error case and missed cleanup of the
+pkt allocation.
+
+Fixes: d39bf40e55e6 ("IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields")
+Link: https://lore.kernel.org/r/20211208175238.29983-1-jose.exposito89@gmail.com
+Addresses-Coverity-ID: 1493352 ("Resource leak")
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Acked-by: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/qib/qib_user_sdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/qib/qib_user_sdma.c b/drivers/infiniband/hw/qib/qib_user_sdma.c
+index ac11943a5ddb0..bf2f30d67949d 100644
+--- a/drivers/infiniband/hw/qib/qib_user_sdma.c
++++ b/drivers/infiniband/hw/qib/qib_user_sdma.c
+@@ -941,7 +941,7 @@ static int qib_user_sdma_queue_pkts(const struct qib_devdata *dd,
+ &addrlimit) ||
+ addrlimit > type_max(typeof(pkt->addrlimit))) {
+ ret = -EINVAL;
+- goto free_pbc;
++ goto free_pkt;
+ }
+ pkt->addrlimit = addrlimit;
+
+--
+2.34.1
+
--- /dev/null
+From 0a75dab1348000c3d48ebc10eeb95c7299d5fe39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Sep 2021 09:56:03 +0200
+Subject: ice: Use xdp_buf instead of rx_buf for xsk zero-copy
+
+From: Magnus Karlsson <magnus.karlsson@intel.com>
+
+[ Upstream commit 57f7f8b6bc0bc80d94443f94fe5f21f266499a2b ]
+
+In order to use the new xsk batched buffer allocation interface, a
+pointer to an array of struct xsk_buff pointers need to be provided so
+that the function can put the result of the allocation there. In the
+ice driver, we already have a ring that stores pointers to
+xdp_buffs. This is only used for the xsk zero-copy driver and is a
+union with the structure that is used for the regular non zero-copy
+path. Unfortunately, that structure is larger than the xdp_buffs
+pointers which mean that there will be a stride (of 20 bytes) between
+each xdp_buff pointer. And feeding this into the xsk_buff_alloc_batch
+interface will not work since it assumes a regular array of xdp_buff
+pointers (each 8 bytes with 0 bytes in-between them on a 64-bit
+system).
+
+To fix this, remove the xdp_buff pointer from the rx_buf union and
+move it one step higher to the union above which only has pointers to
+arrays in it. This solves the problem and we can directly feed the SW
+ring of xdp_buff pointers straight into the allocation function in the
+next patch when that interface is used. This will improve performance.
+
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20210922075613.12186-4-magnus.karlsson@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_txrx.h | 16 ++-----
+ drivers/net/ethernet/intel/ice/ice_xsk.c | 56 +++++++++++------------
+ 2 files changed, 33 insertions(+), 39 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.h b/drivers/net/ethernet/intel/ice/ice_txrx.h
+index 1e46e80f3d6f8..7c2328529ff8e 100644
+--- a/drivers/net/ethernet/intel/ice/ice_txrx.h
++++ b/drivers/net/ethernet/intel/ice/ice_txrx.h
+@@ -164,17 +164,10 @@ struct ice_tx_offload_params {
+ };
+
+ struct ice_rx_buf {
+- union {
+- struct {
+- dma_addr_t dma;
+- struct page *page;
+- unsigned int page_offset;
+- u16 pagecnt_bias;
+- };
+- struct {
+- struct xdp_buff *xdp;
+- };
+- };
++ dma_addr_t dma;
++ struct page *page;
++ unsigned int page_offset;
++ u16 pagecnt_bias;
+ };
+
+ struct ice_q_stats {
+@@ -270,6 +263,7 @@ struct ice_ring {
+ union {
+ struct ice_tx_buf *tx_buf;
+ struct ice_rx_buf *rx_buf;
++ struct xdp_buff **xdp_buf;
+ };
+ /* CL2 - 2nd cacheline starts here */
+ u16 q_index; /* Queue number of ring */
+diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c
+index 5a9f61deeb38d..f4ab5259a56cc 100644
+--- a/drivers/net/ethernet/intel/ice/ice_xsk.c
++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c
+@@ -364,7 +364,7 @@ bool ice_alloc_rx_bufs_zc(struct ice_ring *rx_ring, u16 count)
+ {
+ union ice_32b_rx_flex_desc *rx_desc;
+ u16 ntu = rx_ring->next_to_use;
+- struct ice_rx_buf *rx_buf;
++ struct xdp_buff **xdp;
+ bool ok = true;
+ dma_addr_t dma;
+
+@@ -372,26 +372,26 @@ bool ice_alloc_rx_bufs_zc(struct ice_ring *rx_ring, u16 count)
+ return true;
+
+ rx_desc = ICE_RX_DESC(rx_ring, ntu);
+- rx_buf = &rx_ring->rx_buf[ntu];
++ xdp = &rx_ring->xdp_buf[ntu];
+
+ do {
+- rx_buf->xdp = xsk_buff_alloc(rx_ring->xsk_pool);
+- if (!rx_buf->xdp) {
++ *xdp = xsk_buff_alloc(rx_ring->xsk_pool);
++ if (!xdp) {
+ ok = false;
+ break;
+ }
+
+- dma = xsk_buff_xdp_get_dma(rx_buf->xdp);
++ dma = xsk_buff_xdp_get_dma(*xdp);
+ rx_desc->read.pkt_addr = cpu_to_le64(dma);
+ rx_desc->wb.status_error0 = 0;
+
+ rx_desc++;
+- rx_buf++;
++ xdp++;
+ ntu++;
+
+ if (unlikely(ntu == rx_ring->count)) {
+ rx_desc = ICE_RX_DESC(rx_ring, 0);
+- rx_buf = rx_ring->rx_buf;
++ xdp = rx_ring->xdp_buf;
+ ntu = 0;
+ }
+ } while (--count);
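Review bot: The allocation-failure check `if (!xdp)` tests the address of the ring slot, which is never NULL, instead of the buffer pointer just stored in it. When xsk_buff_alloc() returns NULL the loop no longer stops, and the following `xsk_buff_xdp_get_dma(*xdp)` is handed a NULL buffer. The pre-patch code tested `rx_buf->xdp`, so this is a regression from the conversion, and the check should read `if (!*xdp) {`. The same mix-up is in the ice_xsk_clean_rx_ring() hunk (`if (!xdp) continue;`), where it is harmless only because the loop body just stores NULL.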
+@@ -421,19 +421,19 @@ static void ice_bump_ntc(struct ice_ring *rx_ring)
+ /**
+ * ice_construct_skb_zc - Create an sk_buff from zero-copy buffer
+ * @rx_ring: Rx ring
+- * @rx_buf: zero-copy Rx buffer
++ * @xdp_arr: Pointer to the SW ring of xdp_buff pointers
+ *
+ * This function allocates a new skb from a zero-copy Rx buffer.
+ *
+ * Returns the skb on success, NULL on failure.
+ */
+ static struct sk_buff *
+-ice_construct_skb_zc(struct ice_ring *rx_ring, struct ice_rx_buf *rx_buf)
++ice_construct_skb_zc(struct ice_ring *rx_ring, struct xdp_buff **xdp_arr)
+ {
+- unsigned int metasize = rx_buf->xdp->data - rx_buf->xdp->data_meta;
+- unsigned int datasize = rx_buf->xdp->data_end - rx_buf->xdp->data;
+- unsigned int datasize_hard = rx_buf->xdp->data_end -
+- rx_buf->xdp->data_hard_start;
++ struct xdp_buff *xdp = *xdp_arr;
++ unsigned int metasize = xdp->data - xdp->data_meta;
++ unsigned int datasize = xdp->data_end - xdp->data;
++ unsigned int datasize_hard = xdp->data_end - xdp->data_hard_start;
+ struct sk_buff *skb;
+
+ skb = __napi_alloc_skb(&rx_ring->q_vector->napi, datasize_hard,
+@@ -441,13 +441,13 @@ ice_construct_skb_zc(struct ice_ring *rx_ring, struct ice_rx_buf *rx_buf)
+ if (unlikely(!skb))
+ return NULL;
+
+- skb_reserve(skb, rx_buf->xdp->data - rx_buf->xdp->data_hard_start);
+- memcpy(__skb_put(skb, datasize), rx_buf->xdp->data, datasize);
++ skb_reserve(skb, xdp->data - xdp->data_hard_start);
++ memcpy(__skb_put(skb, datasize), xdp->data, datasize);
+ if (metasize)
+ skb_metadata_set(skb, metasize);
+
+- xsk_buff_free(rx_buf->xdp);
+- rx_buf->xdp = NULL;
++ xsk_buff_free(xdp);
++ *xdp_arr = NULL;
+ return skb;
+ }
+
+@@ -521,7 +521,7 @@ int ice_clean_rx_irq_zc(struct ice_ring *rx_ring, int budget)
+ while (likely(total_rx_packets < (unsigned int)budget)) {
+ union ice_32b_rx_flex_desc *rx_desc;
+ unsigned int size, xdp_res = 0;
+- struct ice_rx_buf *rx_buf;
++ struct xdp_buff **xdp;
+ struct sk_buff *skb;
+ u16 stat_err_bits;
+ u16 vlan_tag = 0;
+@@ -544,18 +544,18 @@ int ice_clean_rx_irq_zc(struct ice_ring *rx_ring, int budget)
+ if (!size)
+ break;
+
+- rx_buf = &rx_ring->rx_buf[rx_ring->next_to_clean];
+- rx_buf->xdp->data_end = rx_buf->xdp->data + size;
+- xsk_buff_dma_sync_for_cpu(rx_buf->xdp, rx_ring->xsk_pool);
++ xdp = &rx_ring->xdp_buf[rx_ring->next_to_clean];
++ (*xdp)->data_end = (*xdp)->data + size;
++ xsk_buff_dma_sync_for_cpu(*xdp, rx_ring->xsk_pool);
+
+- xdp_res = ice_run_xdp_zc(rx_ring, rx_buf->xdp);
++ xdp_res = ice_run_xdp_zc(rx_ring, *xdp);
+ if (xdp_res) {
+ if (xdp_res & (ICE_XDP_TX | ICE_XDP_REDIR))
+ xdp_xmit |= xdp_res;
+ else
+- xsk_buff_free(rx_buf->xdp);
++ xsk_buff_free(*xdp);
+
+- rx_buf->xdp = NULL;
++ *xdp = NULL;
+ total_rx_bytes += size;
+ total_rx_packets++;
+ cleaned_count++;
+@@ -565,7 +565,7 @@ int ice_clean_rx_irq_zc(struct ice_ring *rx_ring, int budget)
+ }
+
+ /* XDP_PASS path */
+- skb = ice_construct_skb_zc(rx_ring, rx_buf);
++ skb = ice_construct_skb_zc(rx_ring, xdp);
+ if (!skb) {
+ rx_ring->rx_stats.alloc_buf_failed++;
+ break;
+@@ -813,12 +813,12 @@ void ice_xsk_clean_rx_ring(struct ice_ring *rx_ring)
+ u16 i;
+
+ for (i = 0; i < rx_ring->count; i++) {
+- struct ice_rx_buf *rx_buf = &rx_ring->rx_buf[i];
++ struct xdp_buff **xdp = &rx_ring->xdp_buf[i];
+
+- if (!rx_buf->xdp)
++ if (!xdp)
+ continue;
+
+- rx_buf->xdp = NULL;
++ *xdp = NULL;
+ }
+ }
+
+--
+2.34.1
+
--- /dev/null
+From e74f2c667a2e6ccd61b8f7c46ba4b4141746d22f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Dec 2021 16:31:06 +0100
+Subject: ice: xsk: return xsk buffers back to pool when cleaning the ring
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+[ Upstream commit afe8a3ba85ec2a6b6849367e25c06a2f8e0ddd05 ]
+
+Currently we only NULL the xdp_buff pointer in the internal SW ring but
+we never give it back to the xsk buffer pool. This means that buffers
+can be leaked out of the buff pool and never be used again.
+
+Add missing xsk_buff_free() call to the routine that is supposed to
+clean the entries that are left in the ring so that these buffers in the
+umem can be used by other sockets.
+
+Also, only go through the space that is actually left to be cleaned
+instead of a whole ring.
+
+Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
+Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: Kiran Bhandare <kiranx.bhandare@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_xsk.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_xsk.c b/drivers/net/ethernet/intel/ice/ice_xsk.c
+index f4ab5259a56cc..37c7dc6b44a9f 100644
+--- a/drivers/net/ethernet/intel/ice/ice_xsk.c
++++ b/drivers/net/ethernet/intel/ice/ice_xsk.c
+@@ -810,14 +810,14 @@ bool ice_xsk_any_rx_ring_ena(struct ice_vsi *vsi)
+ */
+ void ice_xsk_clean_rx_ring(struct ice_ring *rx_ring)
+ {
+- u16 i;
+-
+- for (i = 0; i < rx_ring->count; i++) {
+- struct xdp_buff **xdp = &rx_ring->xdp_buf[i];
++ u16 count_mask = rx_ring->count - 1;
++ u16 ntc = rx_ring->next_to_clean;
++ u16 ntu = rx_ring->next_to_use;
+
+- if (!xdp)
+- continue;
++ for ( ; ntc != ntu; ntc = (ntc + 1) & count_mask) {
++ struct xdp_buff **xdp = &rx_ring->xdp_buf[ntc];
+
++ xsk_buff_free(*xdp);
+ *xdp = NULL;
+ }
+ }
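Review bot: The wrap-around `ntc = (ntc + 1) & count_mask` is only correct when `rx_ring->count` is a power of two, and nothing visible in this hunk guarantees that. With any other ring size the index would skip or repeat slots, so the loop may not terminate at `ntu` or may revisit entries it has already cleared. An explicit wrap avoids the assumption: use `while (ntc != ntu)` and end the body with `if (++ntc == rx_ring->count) ntc = 0;`. Since `*xdp` is passed to xsk_buff_free() without a NULL check, a comment should also state that every slot between next_to_clean and next_to_use is expected to hold a live buffer.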
+--
+2.34.1
+
--- /dev/null
+From d0ad048b83b089e8c6c32f4e12e778f7568dec37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Dec 2021 12:18:44 -0800
+Subject: igb: fix deadlock caused by taking RTNL in RPM resume path
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit ac8c58f5b535d6272324e2b8b4a0454781c9147e ]
+
+Recent net core changes caused an issue with few Intel drivers
+(reportedly igb), where taking RTNL in RPM resume path results in a
+deadlock. See [0] for a bug report. I don't think the core changes
+are wrong, but taking RTNL in RPM resume path isn't needed.
+The Intel drivers are the only ones doing this. See [1] for a
+discussion on the issue. Following patch changes the RPM resume path
+to not take RTNL.
+
+[0] https://bugzilla.kernel.org/show_bug.cgi?id=215129
+[1] https://lore.kernel.org/netdev/20211125074949.5f897431@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com/t/
+
+Fixes: bd869245a3dc ("net: core: try to runtime-resume detached device in __dev_open")
+Fixes: f32a21376573 ("ethtool: runtime-resume netdev parent before ethtool ioctl ops")
+Tested-by: Martin Stolpe <martin.stolpe@gmail.com>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://lore.kernel.org/r/20211220201844.2714498-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 533199d819501..82a712f77cb34 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -9247,7 +9247,7 @@ static int __maybe_unused igb_suspend(struct device *dev)
+ return __igb_shutdown(to_pci_dev(dev), NULL, 0);
+ }
+
+-static int __maybe_unused igb_resume(struct device *dev)
++static int __maybe_unused __igb_resume(struct device *dev, bool rpm)
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
+ struct net_device *netdev = pci_get_drvdata(pdev);
+@@ -9290,17 +9290,24 @@ static int __maybe_unused igb_resume(struct device *dev)
+
+ wr32(E1000_WUS, ~0);
+
+- rtnl_lock();
++ if (!rpm)
++ rtnl_lock();
+ if (!err && netif_running(netdev))
+ err = __igb_open(netdev, true);
+
+ if (!err)
+ netif_device_attach(netdev);
+- rtnl_unlock();
++ if (!rpm)
++ rtnl_unlock();
+
+ return err;
+ }
+
++static int __maybe_unused igb_resume(struct device *dev)
++{
++ return __igb_resume(dev, false);
++}
++
+ static int __maybe_unused igb_runtime_idle(struct device *dev)
+ {
+ struct net_device *netdev = dev_get_drvdata(dev);
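Review bot: With `if (!rpm) rtnl_lock();`, `__igb_open()` and `netif_device_attach()` run without this function taking RTNL whenever `rpm` is true, and the hunk does not say what protects them on that path. If a runtime resume can be started from a context that does not already hold RTNL (not visible here), the open path would run unlocked; a comment on the parameter should state the contract, e.g. `/* rpm: runtime-PM resume; RTNL must not be taken here because the caller may already hold it */`. Conditional locking keyed on a bool is also easy to misuse, so the two call sites, igb_resume() and igb_runtime_resume() in the following hunk, are worth naming in that comment. The body of __igb_resume() starts in the previous hunk and its middle part is outside this one.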
+@@ -9319,7 +9326,7 @@ static int __maybe_unused igb_runtime_suspend(struct device *dev)
+
+ static int __maybe_unused igb_runtime_resume(struct device *dev)
+ {
+- return igb_resume(dev);
++ return __igb_resume(dev, true);
+ }
+
+ static void igb_shutdown(struct pci_dev *pdev)
+@@ -9435,7 +9442,7 @@ static pci_ers_result_t igb_io_error_detected(struct pci_dev *pdev,
+ * @pdev: Pointer to PCI device
+ *
+ * Restart the card from scratch, as if from a cold-boot. Implementation
+- * resembles the first-half of the igb_resume routine.
++ * resembles the first-half of the __igb_resume routine.
+ **/
+ static pci_ers_result_t igb_io_slot_reset(struct pci_dev *pdev)
+ {
+@@ -9475,7 +9482,7 @@ static pci_ers_result_t igb_io_slot_reset(struct pci_dev *pdev)
+ *
+ * This callback is called when the error recovery driver tells us that
+ * its OK to resume normal operation. Implementation resembles the
+- * second-half of the igb_resume routine.
++ * second-half of the __igb_resume routine.
+ */
+ static void igb_io_resume(struct pci_dev *pdev)
+ {
+--
+2.34.1
+
--- /dev/null
+From 24b3c0f2a801fa70a99b91b13605789abf472db0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Dec 2021 06:33:30 -0800
+Subject: inet: fully convert sk->sk_rx_dst to RCU rules
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8f905c0e7354ef261360fb7535ea079b1082c105 ]
+
+syzbot reported various issues around early demux,
+one being included in this changelog [1]
+
+sk->sk_rx_dst is using RCU protection without clearly
+documenting it.
+
+And following sequences in tcp_v4_do_rcv()/tcp_v6_do_rcv()
+are not following standard RCU rules.
+
+[a] dst_release(dst);
+[b] sk->sk_rx_dst = NULL;
+
+They look wrong because a delete operation on an RCU protected
+pointer is supposed to clear the pointer before
+the call_rcu()/synchronize_rcu() guarding actual memory freeing.
+
+In some cases indeed, dst could be freed before [b] is done.
+
+We could cheat by clearing sk_rx_dst before calling
+dst_release(), but this seems the right time to stick
+to standard RCU annotations and debugging facilities.
+
+[1]
+BUG: KASAN: use-after-free in dst_check include/net/dst.h:470 [inline]
+BUG: KASAN: use-after-free in tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792
+Read of size 2 at addr ffff88807f1cb73a by task syz-executor.5/9204
+
+CPU: 0 PID: 9204 Comm: syz-executor.5 Not tainted 5.16.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
+ __kasan_report mm/kasan/report.c:433 [inline]
+ kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
+ dst_check include/net/dst.h:470 [inline]
+ tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792
+ ip_rcv_finish_core.constprop.0+0x15de/0x1e80 net/ipv4/ip_input.c:340
+ ip_list_rcv_finish.constprop.0+0x1b2/0x6e0 net/ipv4/ip_input.c:583
+ ip_sublist_rcv net/ipv4/ip_input.c:609 [inline]
+ ip_list_rcv+0x34e/0x490 net/ipv4/ip_input.c:644
+ __netif_receive_skb_list_ptype net/core/dev.c:5508 [inline]
+ __netif_receive_skb_list_core+0x549/0x8e0 net/core/dev.c:5556
+ __netif_receive_skb_list net/core/dev.c:5608 [inline]
+ netif_receive_skb_list_internal+0x75e/0xd80 net/core/dev.c:5699
+ gro_normal_list net/core/dev.c:5853 [inline]
+ gro_normal_list net/core/dev.c:5849 [inline]
+ napi_complete_done+0x1f1/0x880 net/core/dev.c:6590
+ virtqueue_napi_complete drivers/net/virtio_net.c:339 [inline]
+ virtnet_poll+0xca2/0x11b0 drivers/net/virtio_net.c:1557
+ __napi_poll+0xaf/0x440 net/core/dev.c:7023
+ napi_poll net/core/dev.c:7090 [inline]
+ net_rx_action+0x801/0xb40 net/core/dev.c:7177
+ __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
+ invoke_softirq kernel/softirq.c:432 [inline]
+ __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
+ irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
+ common_interrupt+0x52/0xc0 arch/x86/kernel/irq.c:240
+ asm_common_interrupt+0x1e/0x40 arch/x86/include/asm/idtentry.h:629
+RIP: 0033:0x7f5e972bfd57
+Code: 39 d1 73 14 0f 1f 80 00 00 00 00 48 8b 50 f8 48 83 e8 08 48 39 ca 77 f3 48 39 c3 73 3e 48 89 13 48 8b 50 f8 48 89 38 49 8b 0e <48> 8b 3e 48 83 c3 08 48 83 c6 08 eb bc 48 39 d1 72 9e 48 39 d0 73
+RSP: 002b:00007fff8a413210 EFLAGS: 00000283
+RAX: 00007f5e97108990 RBX: 00007f5e97108338 RCX: ffffffff81d3aa45
+RDX: ffffffff81d3aa45 RSI: 00007f5e97108340 RDI: ffffffff81d3aa45
+RBP: 00007f5e97107eb8 R08: 00007f5e97108d88 R09: 0000000093c2e8d9
+R10: 0000000000000000 R11: 0000000000000000 R12: 00007f5e97107eb0
+R13: 00007f5e97108338 R14: 00007f5e97107ea8 R15: 0000000000000019
+ </TASK>
+
+Allocated by task 13:
+ kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
+ kasan_set_track mm/kasan/common.c:46 [inline]
+ set_alloc_info mm/kasan/common.c:434 [inline]
+ __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:467
+ kasan_slab_alloc include/linux/kasan.h:259 [inline]
+ slab_post_alloc_hook mm/slab.h:519 [inline]
+ slab_alloc_node mm/slub.c:3234 [inline]
+ slab_alloc mm/slub.c:3242 [inline]
+ kmem_cache_alloc+0x202/0x3a0 mm/slub.c:3247
+ dst_alloc+0x146/0x1f0 net/core/dst.c:92
+ rt_dst_alloc+0x73/0x430 net/ipv4/route.c:1613
+ ip_route_input_slow+0x1817/0x3a20 net/ipv4/route.c:2340
+ ip_route_input_rcu net/ipv4/route.c:2470 [inline]
+ ip_route_input_noref+0x116/0x2a0 net/ipv4/route.c:2415
+ ip_rcv_finish_core.constprop.0+0x288/0x1e80 net/ipv4/ip_input.c:354
+ ip_list_rcv_finish.constprop.0+0x1b2/0x6e0 net/ipv4/ip_input.c:583
+ ip_sublist_rcv net/ipv4/ip_input.c:609 [inline]
+ ip_list_rcv+0x34e/0x490 net/ipv4/ip_input.c:644
+ __netif_receive_skb_list_ptype net/core/dev.c:5508 [inline]
+ __netif_receive_skb_list_core+0x549/0x8e0 net/core/dev.c:5556
+ __netif_receive_skb_list net/core/dev.c:5608 [inline]
+ netif_receive_skb_list_internal+0x75e/0xd80 net/core/dev.c:5699
+ gro_normal_list net/core/dev.c:5853 [inline]
+ gro_normal_list net/core/dev.c:5849 [inline]
+ napi_complete_done+0x1f1/0x880 net/core/dev.c:6590
+ virtqueue_napi_complete drivers/net/virtio_net.c:339 [inline]
+ virtnet_poll+0xca2/0x11b0 drivers/net/virtio_net.c:1557
+ __napi_poll+0xaf/0x440 net/core/dev.c:7023
+ napi_poll net/core/dev.c:7090 [inline]
+ net_rx_action+0x801/0xb40 net/core/dev.c:7177
+ __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
+
+Freed by task 13:
+ kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
+ kasan_set_track+0x21/0x30 mm/kasan/common.c:46
+ kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
+ ____kasan_slab_free mm/kasan/common.c:366 [inline]
+ ____kasan_slab_free mm/kasan/common.c:328 [inline]
+ __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
+ kasan_slab_free include/linux/kasan.h:235 [inline]
+ slab_free_hook mm/slub.c:1723 [inline]
+ slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1749
+ slab_free mm/slub.c:3513 [inline]
+ kmem_cache_free+0xbd/0x5d0 mm/slub.c:3530
+ dst_destroy+0x2d6/0x3f0 net/core/dst.c:127
+ rcu_do_batch kernel/rcu/tree.c:2506 [inline]
+ rcu_core+0x7ab/0x1470 kernel/rcu/tree.c:2741
+ __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
+
+Last potentially related work creation:
+ kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
+ __kasan_record_aux_stack+0xf5/0x120 mm/kasan/generic.c:348
+ __call_rcu kernel/rcu/tree.c:2985 [inline]
+ call_rcu+0xb1/0x740 kernel/rcu/tree.c:3065
+ dst_release net/core/dst.c:177 [inline]
+ dst_release+0x79/0xe0 net/core/dst.c:167
+ tcp_v4_do_rcv+0x612/0x8d0 net/ipv4/tcp_ipv4.c:1712
+ sk_backlog_rcv include/net/sock.h:1030 [inline]
+ __release_sock+0x134/0x3b0 net/core/sock.c:2768
+ release_sock+0x54/0x1b0 net/core/sock.c:3300
+ tcp_sendmsg+0x36/0x40 net/ipv4/tcp.c:1441
+ inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
+ sock_sendmsg_nosec net/socket.c:704 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:724
+ sock_write_iter+0x289/0x3c0 net/socket.c:1057
+ call_write_iter include/linux/fs.h:2162 [inline]
+ new_sync_write+0x429/0x660 fs/read_write.c:503
+ vfs_write+0x7cd/0xae0 fs/read_write.c:590
+ ksys_write+0x1ee/0x250 fs/read_write.c:643
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The buggy address belongs to the object at ffff88807f1cb700
+ which belongs to the cache ip_dst_cache of size 176
+The buggy address is located 58 bytes inside of
+ 176-byte region [ffff88807f1cb700, ffff88807f1cb7b0)
+The buggy address belongs to the page:
+page:ffffea0001fc72c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f1cb
+flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
+raw: 00fff00000000200 dead000000000100 dead000000000122 ffff8881413bb780
+raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 5, ts 108466983062, free_ts 108048976062
+ prep_new_page mm/page_alloc.c:2418 [inline]
+ get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
+ __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
+ alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191
+ alloc_slab_page mm/slub.c:1793 [inline]
+ allocate_slab mm/slub.c:1930 [inline]
+ new_slab+0x32d/0x4a0 mm/slub.c:1993
+ ___slab_alloc+0x918/0xfe0 mm/slub.c:3022
+ __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
+ slab_alloc_node mm/slub.c:3200 [inline]
+ slab_alloc mm/slub.c:3242 [inline]
+ kmem_cache_alloc+0x35c/0x3a0 mm/slub.c:3247
+ dst_alloc+0x146/0x1f0 net/core/dst.c:92
+ rt_dst_alloc+0x73/0x430 net/ipv4/route.c:1613
+ __mkroute_output net/ipv4/route.c:2564 [inline]
+ ip_route_output_key_hash_rcu+0x921/0x2d00 net/ipv4/route.c:2791
+ ip_route_output_key_hash+0x18b/0x300 net/ipv4/route.c:2619
+ __ip_route_output_key include/net/route.h:126 [inline]
+ ip_route_output_flow+0x23/0x150 net/ipv4/route.c:2850
+ ip_route_output_key include/net/route.h:142 [inline]
+ geneve_get_v4_rt+0x3a6/0x830 drivers/net/geneve.c:809
+ geneve_xmit_skb drivers/net/geneve.c:899 [inline]
+ geneve_xmit+0xc4a/0x3540 drivers/net/geneve.c:1082
+ __netdev_start_xmit include/linux/netdevice.h:4994 [inline]
+ netdev_start_xmit include/linux/netdevice.h:5008 [inline]
+ xmit_one net/core/dev.c:3590 [inline]
+ dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3606
+ __dev_queue_xmit+0x299a/0x3650 net/core/dev.c:4229
+page last free stack trace:
+ reset_page_owner include/linux/page_owner.h:24 [inline]
+ free_pages_prepare mm/page_alloc.c:1338 [inline]
+ free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
+ free_unref_page_prepare mm/page_alloc.c:3309 [inline]
+ free_unref_page+0x19/0x690 mm/page_alloc.c:3388
+ qlink_free mm/kasan/quarantine.c:146 [inline]
+ qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
+ kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
+ __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:444
+ kasan_slab_alloc include/linux/kasan.h:259 [inline]
+ slab_post_alloc_hook mm/slab.h:519 [inline]
+ slab_alloc_node mm/slub.c:3234 [inline]
+ kmem_cache_alloc_node+0x255/0x3f0 mm/slub.c:3270
+ __alloc_skb+0x215/0x340 net/core/skbuff.c:414
+ alloc_skb include/linux/skbuff.h:1126 [inline]
+ alloc_skb_with_frags+0x93/0x620 net/core/skbuff.c:6078
+ sock_alloc_send_pskb+0x783/0x910 net/core/sock.c:2575
+ mld_newpack+0x1df/0x770 net/ipv6/mcast.c:1754
+ add_grhead+0x265/0x330 net/ipv6/mcast.c:1857
+ add_grec+0x1053/0x14e0 net/ipv6/mcast.c:1995
+ mld_send_initial_cr.part.0+0xf6/0x230 net/ipv6/mcast.c:2242
+ mld_send_initial_cr net/ipv6/mcast.c:1232 [inline]
+ mld_dad_work+0x1d3/0x690 net/ipv6/mcast.c:2268
+ process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
+ worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
+
+Memory state around the buggy address:
+ ffff88807f1cb600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88807f1cb680: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
+>ffff88807f1cb700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff88807f1cb780: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
+ ffff88807f1cb800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20211220143330.680945-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 2 +-
+ net/ipv4/af_inet.c | 2 +-
+ net/ipv4/tcp.c | 3 +--
+ net/ipv4/tcp_input.c | 2 +-
+ net/ipv4/tcp_ipv4.c | 11 +++++++----
+ net/ipv4/udp.c | 6 +++---
+ net/ipv6/tcp_ipv6.c | 11 +++++++----
+ net/ipv6/udp.c | 4 ++--
+ 8 files changed, 23 insertions(+), 18 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 796f859c69dd7..dfb92f91d5be5 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -432,7 +432,7 @@ struct sock {
+ #ifdef CONFIG_XFRM
+ struct xfrm_policy __rcu *sk_policy[2];
+ #endif
+- struct dst_entry *sk_rx_dst;
++ struct dst_entry __rcu *sk_rx_dst;
+ int sk_rx_dst_ifindex;
+ u32 sk_rx_dst_cookie;
+
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index 64062b7ce61df..3a9422a5873eb 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -158,7 +158,7 @@ void inet_sock_destruct(struct sock *sk)
+
+ kfree(rcu_dereference_protected(inet->inet_opt, 1));
+ dst_release(rcu_dereference_protected(sk->sk_dst_cache, 1));
+- dst_release(sk->sk_rx_dst);
++ dst_release(rcu_dereference_protected(sk->sk_rx_dst, 1));
+ sk_refcnt_debug_dec(sk);
+ }
+ EXPORT_SYMBOL(inet_sock_destruct);
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 844c6e5a82891..f48f1059b31a6 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3039,8 +3039,7 @@ int tcp_disconnect(struct sock *sk, int flags)
+ icsk->icsk_ack.rcv_mss = TCP_MIN_MSS;
+ memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
+ __sk_dst_reset(sk);
+- dst_release(sk->sk_rx_dst);
+- sk->sk_rx_dst = NULL;
++ dst_release(xchg((__force struct dst_entry **)&sk->sk_rx_dst, NULL));
+ tcp_saved_syn_free(tp);
+ tp->compressed_ack = 0;
+ tp->segs_in = 0;
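Review bot: The `(__force struct dst_entry **)` cast in `dst_release(xchg(...&sk->sk_rx_dst, NULL))` switches off the sparse `__rcu` checking that this commit introduces, at exactly the spot where clear-before-release ordering matters. A one-line comment would keep the intent reviewable, e.g. `/* xchg: clear sk_rx_dst before dropping the reference; the cast only strips __rcu for sparse */`. If the socket lock is guaranteed to be held in tcp_disconnect() (not visible in this hunk), `rcu_replace_pointer(sk->sk_rx_dst, NULL, lockdep_sock_is_held(sk))` would express the same thing without a cast. The same cast appears in udp_sk_rx_dst_set() in net/ipv4/udp.c, where the atomic exchange looks intentional. tcp_disconnect() starts and ends outside the hunk.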
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 141e85e6422b1..f3b6239674361 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5770,7 +5770,7 @@ void tcp_rcv_established(struct sock *sk, struct sk_buff *skb)
+ trace_tcp_probe(sk, skb);
+
+ tcp_mstamp_refresh(tp);
+- if (unlikely(!sk->sk_rx_dst))
++ if (unlikely(!rcu_access_pointer(sk->sk_rx_dst)))
+ inet_csk(sk)->icsk_af_ops->sk_rx_dst_set(sk, skb);
+ /*
+ * Header prediction.
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index f6838eec6ef73..0fe9461647da5 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1698,7 +1698,10 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
+ struct sock *rsk;
+
+ if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
+- struct dst_entry *dst = sk->sk_rx_dst;
++ struct dst_entry *dst;
++
++ dst = rcu_dereference_protected(sk->sk_rx_dst,
++ lockdep_sock_is_held(sk));
+
+ sock_rps_save_rxhash(sk, skb);
+ sk_mark_napi_id(sk, skb);
+@@ -1706,8 +1709,8 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
+ if (sk->sk_rx_dst_ifindex != skb->skb_iif ||
+ !INDIRECT_CALL_1(dst->ops->check, ipv4_dst_check,
+ dst, 0)) {
++ RCU_INIT_POINTER(sk->sk_rx_dst, NULL);
+ dst_release(dst);
+- sk->sk_rx_dst = NULL;
+ }
+ }
+ tcp_rcv_established(sk, skb);
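Review bot: The reordering to `RCU_INIT_POINTER(sk->sk_rx_dst, NULL)` before `dst_release(dst)` is the actual use-after-free fix, but nothing at the site says the order is load-bearing. A later cleanup could swap the two lines back without any compiler or sparse complaint. I would add `/* unpublish before dropping the ref: early demux reads sk_rx_dst under RCU */` above the RCU_INIT_POINTER line, here and in the matching tcp_v6_do_rcv() hunk in net/ipv6/tcp_ipv6.c. The enclosing `if (dst)` block opens outside this hunk.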
+@@ -1783,7 +1786,7 @@ int tcp_v4_early_demux(struct sk_buff *skb)
+ skb->sk = sk;
+ skb->destructor = sock_edemux;
+ if (sk_fullsock(sk)) {
+- struct dst_entry *dst = READ_ONCE(sk->sk_rx_dst);
++ struct dst_entry *dst = rcu_dereference(sk->sk_rx_dst);
+
+ if (dst)
+ dst = dst_check(dst, 0);
+@@ -2200,7 +2203,7 @@ void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
+ struct dst_entry *dst = skb_dst(skb);
+
+ if (dst && dst_hold_safe(dst)) {
+- sk->sk_rx_dst = dst;
++ rcu_assign_pointer(sk->sk_rx_dst, dst);
+ sk->sk_rx_dst_ifindex = skb->skb_iif;
+ }
+ }
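Review bot: In inet_sk_rx_dst_set() the pointer is published with `rcu_assign_pointer(sk->sk_rx_dst, dst)` before `sk->sk_rx_dst_ifindex` is written, so a reader that picks up the new dst may still pair it with the previous ifindex. Storing the companion field first, `sk->sk_rx_dst_ifindex = skb->skb_iif;` followed by `rcu_assign_pointer(sk->sk_rx_dst, dst);`, puts it under the release ordering of the publish. The same applies to inet6_sk_rx_dst_set() in net/ipv6/tcp_ipv6.c, where `sk_rx_dst_cookie` is also written after the publish and is later fed to dst_check(). Whether the readers order their loads of these fields is not visible in the hunks, so this narrows the window rather than closing it.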
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 3f6823bdd31e5..be07e3d2b77bc 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -2251,7 +2251,7 @@ bool udp_sk_rx_dst_set(struct sock *sk, struct dst_entry *dst)
+ struct dst_entry *old;
+
+ if (dst_hold_safe(dst)) {
+- old = xchg(&sk->sk_rx_dst, dst);
++ old = xchg((__force struct dst_entry **)&sk->sk_rx_dst, dst);
+ dst_release(old);
+ return old != dst;
+ }
+@@ -2441,7 +2441,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
+ struct dst_entry *dst = skb_dst(skb);
+ int ret;
+
+- if (unlikely(sk->sk_rx_dst != dst))
++ if (unlikely(rcu_dereference(sk->sk_rx_dst) != dst))
+ udp_sk_rx_dst_set(sk, dst);
+
+ ret = udp_unicast_rcv_skb(sk, skb, uh);
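Review bot: `rcu_dereference(sk->sk_rx_dst) != dst` in __udp4_lib_rcv() only compares the pointer value and never dereferences it, which is the case `rcu_access_pointer()` is meant for; the tcp_input.c hunk of this same commit already uses it for the NULL test. I would write `if (unlikely(rcu_access_pointer(sk->sk_rx_dst) != dst))`, which also drops the dependency on being inside an RCU read-side section for lockdep. The identical line in __udp6_lib_rcv() in net/ipv6/udp.c should change the same way. The function body continues outside the hunk.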
+@@ -2600,7 +2600,7 @@ int udp_v4_early_demux(struct sk_buff *skb)
+
+ skb->sk = sk;
+ skb->destructor = sock_efree;
+- dst = READ_ONCE(sk->sk_rx_dst);
++ dst = rcu_dereference(sk->sk_rx_dst);
+
+ if (dst)
+ dst = dst_check(dst, 0);
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index 42eafe35415d1..8eedf59e9cf25 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -107,7 +107,7 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
+ if (dst && dst_hold_safe(dst)) {
+ const struct rt6_info *rt = (const struct rt6_info *)dst;
+
+- sk->sk_rx_dst = dst;
++ rcu_assign_pointer(sk->sk_rx_dst, dst);
+ sk->sk_rx_dst_ifindex = skb->skb_iif;
+ sk->sk_rx_dst_cookie = rt6_get_cookie(rt);
+ }
+@@ -1504,7 +1504,10 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
+ opt_skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC));
+
+ if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
+- struct dst_entry *dst = sk->sk_rx_dst;
++ struct dst_entry *dst;
++
++ dst = rcu_dereference_protected(sk->sk_rx_dst,
++ lockdep_sock_is_held(sk));
+
+ sock_rps_save_rxhash(sk, skb);
+ sk_mark_napi_id(sk, skb);
+@@ -1512,8 +1515,8 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
+ if (sk->sk_rx_dst_ifindex != skb->skb_iif ||
+ INDIRECT_CALL_1(dst->ops->check, ip6_dst_check,
+ dst, sk->sk_rx_dst_cookie) == NULL) {
++ RCU_INIT_POINTER(sk->sk_rx_dst, NULL);
+ dst_release(dst);
+- sk->sk_rx_dst = NULL;
+ }
+ }
+
+@@ -1875,7 +1878,7 @@ INDIRECT_CALLABLE_SCOPE void tcp_v6_early_demux(struct sk_buff *skb)
+ skb->sk = sk;
+ skb->destructor = sock_edemux;
+ if (sk_fullsock(sk)) {
+- struct dst_entry *dst = READ_ONCE(sk->sk_rx_dst);
++ struct dst_entry *dst = rcu_dereference(sk->sk_rx_dst);
+
+ if (dst)
+ dst = dst_check(dst, sk->sk_rx_dst_cookie);
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 12c12619ee357..7bee95d8d2df0 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -956,7 +956,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
+ struct dst_entry *dst = skb_dst(skb);
+ int ret;
+
+- if (unlikely(sk->sk_rx_dst != dst))
++ if (unlikely(rcu_dereference(sk->sk_rx_dst) != dst))
+ udp6_sk_rx_dst_set(sk, dst);
+
+ if (!uh->check && !udp_sk(sk)->no_check6_rx) {
+@@ -1070,7 +1070,7 @@ INDIRECT_CALLABLE_SCOPE void udp_v6_early_demux(struct sk_buff *skb)
+
+ skb->sk = sk;
+ skb->destructor = sock_efree;
+- dst = READ_ONCE(sk->sk_rx_dst);
++ dst = rcu_dereference(sk->sk_rx_dst);
+
+ if (dst)
+ dst = dst_check(dst, sk->sk_rx_dst_cookie);
+--
+2.34.1
+
--- /dev/null
+From 89cd295ff6066f01103f802e943ef5b915313d15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 20:26:56 -0700
+Subject: io_uring: zero iocb->ki_pos for stream file types
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 7b9762a5e8837b92a027d58d396a9d27f6440c36 ]
+
+io_uring supports using offset == -1 for using the current file position,
+and we read that in as part of read/write command setup. For the non-iter
+read/write types we pass in NULL for the position pointer, but for the
+iter types we should not be passing anything but 0 for the position
+for a stream.
+
+Clear kiocb->ki_pos if the file is a stream, don't leave it as -1. If we
+do, then the request will error with -ESPIPE.
+
+Fixes: ba04291eb66e ("io_uring: allow use of offset == -1 to mean file position")
+Link: https://github.com/axboe/liburing/discussions/501
+Reported-by: Samuel Williams <samuel.williams@oriontransfer.co.nz>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index e9b06e339c4b0..0006fc7479ca3 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -2879,9 +2879,13 @@ static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,
+ req->flags |= REQ_F_ISREG;
+
+ kiocb->ki_pos = READ_ONCE(sqe->off);
+- if (kiocb->ki_pos == -1 && !(file->f_mode & FMODE_STREAM)) {
+- req->flags |= REQ_F_CUR_POS;
+- kiocb->ki_pos = file->f_pos;
++ if (kiocb->ki_pos == -1) {
++ if (!(file->f_mode & FMODE_STREAM)) {
++ req->flags |= REQ_F_CUR_POS;
++ kiocb->ki_pos = file->f_pos;
++ } else {
++ kiocb->ki_pos = 0;
++ }
+ }
+ kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
+ kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
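Review bot: The new `else` branch in io_prep_rw() rewrites a user-supplied offset of -1 to 0 for FMODE_STREAM files, and the reason is recorded only in the commit message. A short comment above `kiocb->ki_pos = 0;` would keep it from being removed as dead-looking code, e.g. `/* streams have no position; leaving -1 makes the iter read/write path fail with -ESPIPE */`. Any other non-zero `sqe->off` on a stream is still passed through unchanged; if that is intentional it is worth saying in the same comment. io_prep_rw() starts and ends outside the hunk.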
+--
+2.34.1
+
--- /dev/null
+From 2e69c92867126053978409f45a1374861c4d7a02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Dec 2021 15:00:34 +0800
+Subject: ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module
+
+From: Wu Bo <wubo40@huawei.com>
+
+[ Upstream commit ffb76a86f8096a8206be03b14adda6092e18e275 ]
+
+Hi,
+
+When testing install and uninstall of ipmi_si.ko and ipmi_msghandler.ko,
+the system crashed.
+
+The log as follows:
+[ 141.087026] BUG: unable to handle kernel paging request at ffffffffc09b3a5a
+[ 141.087241] PGD 8fe4c0d067 P4D 8fe4c0d067 PUD 8fe4c0f067 PMD 103ad89067 PTE 0
+[ 141.087464] Oops: 0010 [#1] SMP NOPTI
+[ 141.087580] CPU: 67 PID: 668 Comm: kworker/67:1 Kdump: loaded Not tainted 4.18.0.x86_64 #47
+[ 141.088009] Workqueue: events 0xffffffffc09b3a40
+[ 141.088009] RIP: 0010:0xffffffffc09b3a5a
+[ 141.088009] Code: Bad RIP value.
+[ 141.088009] RSP: 0018:ffffb9094e2c3e88 EFLAGS: 00010246
+[ 141.088009] RAX: 0000000000000000 RBX: ffff9abfdb1f04a0 RCX: 0000000000000000
+[ 141.088009] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
+[ 141.088009] RBP: 0000000000000000 R08: ffff9abfffee3cb8 R09: 00000000000002e1
+[ 141.088009] R10: ffffb9094cb73d90 R11: 00000000000f4240 R12: ffff9abfffee8700
+[ 141.088009] R13: 0000000000000000 R14: ffff9abfdb1f04a0 R15: ffff9abfdb1f04a8
+[ 141.088009] FS: 0000000000000000(0000) GS:ffff9abfffec0000(0000) knlGS:0000000000000000
+[ 141.088009] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 141.088009] CR2: ffffffffc09b3a30 CR3: 0000008fe4c0a001 CR4: 00000000007606e0
+[ 141.088009] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 141.088009] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 141.088009] PKRU: 55555554
+[ 141.088009] Call Trace:
+[ 141.088009] ? process_one_work+0x195/0x390
+[ 141.088009] ? worker_thread+0x30/0x390
+[ 141.088009] ? process_one_work+0x390/0x390
+[ 141.088009] ? kthread+0x10d/0x130
+[ 141.088009] ? kthread_flush_work_fn+0x10/0x10
+[ 141.088009] ? ret_from_fork+0x35/0x40] BUG: unable to handle kernel paging request at ffffffffc0b28a5a
+[ 200.223240] PGD 97fe00d067 P4D 97fe00d067 PUD 97fe00f067 PMD a580cbf067 PTE 0
+[ 200.223464] Oops: 0010 [#1] SMP NOPTI
+[ 200.223579] CPU: 63 PID: 664 Comm: kworker/63:1 Kdump: loaded Not tainted 4.18.0.x86_64 #46
+[ 200.224008] Workqueue: events 0xffffffffc0b28a40
+[ 200.224008] RIP: 0010:0xffffffffc0b28a5a
+[ 200.224008] Code: Bad RIP value.
+[ 200.224008] RSP: 0018:ffffbf3c8e2a3e88 EFLAGS: 00010246
+[ 200.224008] RAX: 0000000000000000 RBX: ffffa0799ad6bca0 RCX: 0000000000000000
+[ 200.224008] RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
+[ 200.224008] RBP: 0000000000000000 R08: ffff9fe43fde3cb8 R09: 00000000000000d5
+[ 200.224008] R10: ffffbf3c8cb53d90 R11: 00000000000f4240 R12: ffff9fe43fde8700
+[ 200.224008] R13: 0000000000000000 R14: ffffa0799ad6bca0 R15: ffffa0799ad6bca8
+[ 200.224008] FS: 0000000000000000(0000) GS:ffff9fe43fdc0000(0000) knlGS:0000000000000000
+[ 200.224008] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 200.224008] CR2: ffffffffc0b28a30 CR3: 00000097fe00a002 CR4: 00000000007606e0
+[ 200.224008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 200.224008] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 200.224008] PKRU: 55555554
+[ 200.224008] Call Trace:
+[ 200.224008] ? process_one_work+0x195/0x390
+[ 200.224008] ? worker_thread+0x30/0x390
+[ 200.224008] ? process_one_work+0x390/0x390
+[ 200.224008] ? kthread+0x10d/0x130
+[ 200.224008] ? kthread_flush_work_fn+0x10/0x10
+[ 200.224008] ? ret_from_fork+0x35/0x40
+[ 200.224008] kernel fault(0x1) notification starting on CPU 63
+[ 200.224008] kernel fault(0x1) notification finished on CPU 63
+[ 200.224008] CR2: ffffffffc0b28a5a
+[ 200.224008] ---[ end trace c82a412d93f57412 ]---
+
+The reason is as follows:
+T1: rmmod ipmi_si.
+ ->ipmi_unregister_smi()
+ -> ipmi_bmc_unregister()
+ -> __ipmi_bmc_unregister()
+ -> kref_put(&bmc->usecount, cleanup_bmc_device);
+ -> schedule_work(&bmc->remove_work);
+
+T2: rmmod ipmi_msghandler.
+ ipmi_msghander module uninstalled, and the module space
+ will be freed.
+
+T3: bmc->remove_work doing cleanup the bmc resource.
+ -> cleanup_bmc_work()
+ -> platform_device_unregister(&bmc->pdev);
+ -> platform_device_del(pdev);
+ -> device_del(&pdev->dev);
+ -> kobject_uevent(&dev->kobj, KOBJ_REMOVE);
+ -> kobject_uevent_env()
+ -> dev_uevent()
+ -> if (dev->type && dev->type->name)
+
+ The memory behind the 'dev->type' (bmc_device_type) pointer has been freed by the
+ uninstall of the ipmi_msghandler module, so reading 'dev->type->name' crashes the system.
+
+drivers/char/ipmi/ipmi_msghandler.c:
+2820 static const struct device_type bmc_device_type = {
+2821 .groups = bmc_dev_attr_groups,
+2822 };
+
+Steps to reproduce:
+Add a time delay in cleanup_bmc_work() function,
+and uninstall ipmi_si and ipmi_msghandler module.
+
+2910 static void cleanup_bmc_work(struct work_struct *work)
+2911 {
+2912 struct bmc_device *bmc = container_of(work, struct bmc_device,
+2913 remove_work);
+2914 int id = bmc->pdev.id; /* Unregister overwrites id */
+2915
+2916 msleep(3000); <---
+2917 platform_device_unregister(&bmc->pdev);
+2918 ida_simple_remove(&ipmi_bmc_ida, id);
+2919 }
+
+Use 'remove_work_wq' instead of 'system_wq' to solve this issues.
+
+Fixes: b2cfd8ab4add ("ipmi: Rework device id and guid handling to catch changing BMCs")
+Signed-off-by: Wu Bo <wubo40@huawei.com>
+Message-Id: <1640070034-56671-1-git-send-email-wubo40@huawei.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmi_msghandler.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
+index b404cc46cbda7..ca13536ad0008 100644
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -2932,7 +2932,7 @@ cleanup_bmc_device(struct kref *ref)
+ * with removing the device attributes while reading a device
+ * attribute.
+ */
+- schedule_work(&bmc->remove_work);
++ queue_work(remove_work_wq, &bmc->remove_work);
+ }
+
+ /*
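Review bot: `remove_work_wq` is used in cleanup_bmc_device() but is neither declared nor created in this patch, which touches a single line. The fix therefore depends on another change that allocates that workqueue and, more importantly, drains or destroys it in the module exit path before ipmi_msghandler's text and data are freed; without that the use-after-free described in the commit message is only moved, not closed. For a backport it is worth confirming that this prerequisite is present in the target tree. A comment such as `/* must run on remove_work_wq so module exit can flush it */` next to the queue_work() call would record the dependency. cleanup_bmc_device() starts outside the hunk.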
+--
+2.34.1
+
--- /dev/null
+From 210234b82f25ea4072e89722fc62f50e1c171dad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 09:48:17 -0700
+Subject: ipv6: move inet6_sk(sk)->rx_dst_cookie to sk->sk_rx_dst_cookie
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit ef57c1610dd8fba5031bf71e0db73356190de151 ]
+
+Increase cache locality by moving rx_dst_cookie next to sk->sk_rx_dst
+
+This removes one or two cache line misses in IPv6 early demux (TCP/UDP)
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ipv6.h | 1 -
+ include/net/sock.h | 2 ++
+ net/ipv6/tcp_ipv6.c | 6 +++---
+ net/ipv6/udp.c | 4 ++--
+ 4 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
+index ef4a69865737c..c383630d3f065 100644
+--- a/include/linux/ipv6.h
++++ b/include/linux/ipv6.h
+@@ -282,7 +282,6 @@ struct ipv6_pinfo {
+ __be32 rcv_flowinfo;
+
+ __u32 dst_cookie;
+- __u32 rx_dst_cookie;
+
+ struct ipv6_mc_socklist __rcu *ipv6_mc_list;
+ struct ipv6_ac_socklist *ipv6_ac_list;
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 752601265a955..796f859c69dd7 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -260,6 +260,7 @@ struct bpf_local_storage;
+ * @sk_wq: sock wait queue and async head
+ * @sk_rx_dst: receive input route used by early demux
+ * @sk_rx_dst_ifindex: ifindex for @sk_rx_dst
++ * @sk_rx_dst_cookie: cookie for @sk_rx_dst
+ * @sk_dst_cache: destination cache
+ * @sk_dst_pending_confirm: need to confirm neighbour
+ * @sk_policy: flow policy
+@@ -433,6 +434,7 @@ struct sock {
+ #endif
+ struct dst_entry *sk_rx_dst;
+ int sk_rx_dst_ifindex;
++ u32 sk_rx_dst_cookie;
+
+ struct dst_entry __rcu *sk_dst_cache;
+ atomic_t sk_omem_alloc;
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index c72586ee517ba..42eafe35415d1 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -109,7 +109,7 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
+
+ sk->sk_rx_dst = dst;
+ sk->sk_rx_dst_ifindex = skb->skb_iif;
+- tcp_inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt);
++ sk->sk_rx_dst_cookie = rt6_get_cookie(rt);
+ }
+ }
+
+@@ -1511,7 +1511,7 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
+ if (dst) {
+ if (sk->sk_rx_dst_ifindex != skb->skb_iif ||
+ INDIRECT_CALL_1(dst->ops->check, ip6_dst_check,
+- dst, np->rx_dst_cookie) == NULL) {
++ dst, sk->sk_rx_dst_cookie) == NULL) {
+ dst_release(dst);
+ sk->sk_rx_dst = NULL;
+ }
+@@ -1878,7 +1878,7 @@ INDIRECT_CALLABLE_SCOPE void tcp_v6_early_demux(struct sk_buff *skb)
+ struct dst_entry *dst = READ_ONCE(sk->sk_rx_dst);
+
+ if (dst)
+- dst = dst_check(dst, tcp_inet6_sk(sk)->rx_dst_cookie);
++ dst = dst_check(dst, sk->sk_rx_dst_cookie);
+ if (dst &&
+ sk->sk_rx_dst_ifindex == skb->skb_iif)
+ skb_dst_set_noref(skb, dst);
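Review bot: The cookie passed to `dst_check()` in `tcp_v6_early_demux()` is read with a plain load, while `sk->sk_rx_dst` two lines above it is read with `READ_ONCE()`, and the setter hunk in `inet6_sk_rx_dst_set()` stores the dst, the ifindex and the cookie as three separate plain writes. If early demux can run concurrently with the setter, which the `READ_ONCE()` suggests, a reader may pair a newly stored dst with the previous cookie; what follows from that is not visible here. Moving the field into `struct sock` is a good point to annotate the accesses, e.g. `dst = dst_check(dst, READ_ONCE(sk->sk_rx_dst_cookie));` with a matching `WRITE_ONCE()` in both setters. The same applies to the `udp_v6_early_demux()` hunk; both function bodies continue outside their hunks.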
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index be6dc64ece29f..12c12619ee357 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -884,7 +884,7 @@ static void udp6_sk_rx_dst_set(struct sock *sk, struct dst_entry *dst)
+ if (udp_sk_rx_dst_set(sk, dst)) {
+ const struct rt6_info *rt = (const struct rt6_info *)dst;
+
+- inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt);
++ sk->sk_rx_dst_cookie = rt6_get_cookie(rt);
+ }
+ }
+
+@@ -1073,7 +1073,7 @@ INDIRECT_CALLABLE_SCOPE void udp_v6_early_demux(struct sk_buff *skb)
+ dst = READ_ONCE(sk->sk_rx_dst);
+
+ if (dst)
+- dst = dst_check(dst, inet6_sk(sk)->rx_dst_cookie);
++ dst = dst_check(dst, sk->sk_rx_dst_cookie);
+ if (dst) {
+ /* set noref for now.
+ * any place which wants to hold dst has to call
+--
+2.34.1
+
--- /dev/null
+From b958bc01efdcd0f8d52eae364d969d7f48c433d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Dec 2021 09:49:01 -0500
+Subject: net: accept UFOv6 packages in virtio_net_hdr_to_skb
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 7e5cced9ca84df52d874aca6b632f930b3dc5bc6 ]
+
+Skb with skb->protocol 0 at the time of virtio_net_hdr_to_skb may have
+a protocol inferred from virtio_net_hdr with virtio_net_hdr_set_proto.
+
+Unlike TCP, UDP does not have separate types for IPv4 and IPv6. Type
+VIRTIO_NET_HDR_GSO_UDP is guessed to be IPv4/UDP. As of the below
+commit, UFOv6 packets are dropped due to not matching the protocol as
+obtained from dev_parse_header_protocol.
+
+Invert the test to take that L2 protocol field as starting point and
+pass both UFOv4 and UFOv6 for VIRTIO_NET_HDR_GSO_UDP.
+
+Fixes: 924a9bc362a5 ("net: check if protocol extracted by virtio_net_hdr_set_proto is correct")
+Link: https://lore.kernel.org/netdev/CABcq3pG9GRCYqFDBAJ48H1vpnnX=41u+MhQnayF1ztLH4WX0Fw@mail.gmail.com/
+Reported-by: Andrew Melnichenko <andrew@daynix.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20211220144901.2784030-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/virtio_net.h | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
+index 04e87f4b9417c..22dd48c825600 100644
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -7,6 +7,21 @@
+ #include <uapi/linux/udp.h>
+ #include <uapi/linux/virtio_net.h>
+
++static inline bool virtio_net_hdr_match_proto(__be16 protocol, __u8 gso_type)
++{
++ switch (gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
++ case VIRTIO_NET_HDR_GSO_TCPV4:
++ return protocol == cpu_to_be16(ETH_P_IP);
++ case VIRTIO_NET_HDR_GSO_TCPV6:
++ return protocol == cpu_to_be16(ETH_P_IPV6);
++ case VIRTIO_NET_HDR_GSO_UDP:
++ return protocol == cpu_to_be16(ETH_P_IP) ||
++ protocol == cpu_to_be16(ETH_P_IPV6);
++ default:
++ return false;
++ }
++}
++
+ static inline int virtio_net_hdr_set_proto(struct sk_buff *skb,
+ const struct virtio_net_hdr *hdr)
+ {
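Review bot: `virtio_net_hdr_match_proto()` is added without a comment, although its contract matters to callers: any GSO type it does not list returns false, so an unrecognised type fails closed, and `VIRTIO_NET_HDR_GSO_UDP` deliberately matches both IPv4 and IPv6. A short comment above the function would record that, for example `/* Check that the L2 protocol is consistent with the GSO type claimed in the virtio_net_hdr; unlisted types are rejected. */`. The masking of `VIRTIO_NET_HDR_GSO_ECN` before the switch also deserves a word, since that bit is a flag combined with a type rather than a type of its own.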
+@@ -88,9 +103,12 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
+ if (!skb->protocol) {
+ __be16 protocol = dev_parse_header_protocol(skb);
+
+- virtio_net_hdr_set_proto(skb, hdr);
+- if (protocol && protocol != skb->protocol)
++ if (!protocol)
++ virtio_net_hdr_set_proto(skb, hdr);
++ else if (!virtio_net_hdr_match_proto(protocol, hdr->gso_type))
+ return -EINVAL;
++ else
++ skb->protocol = protocol;
+ }
+ retry:
+ if (!skb_flow_dissect_flow_keys_basic(NULL, skb, &keys,
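Review bot: The `int` result of `virtio_net_hdr_set_proto()` is still discarded in the new `if (!protocol)` branch, so when the L2 header yields no protocol the guess derived from the header is accepted with no check in this hunk. If an earlier part of `virtio_net_hdr_to_skb()` already rejects unknown GSO types this is harmless, but that code is outside the hunk; otherwise the error should be propagated, e.g. `if (!protocol) { if (virtio_net_hdr_set_proto(skb, hdr)) return -EINVAL; }`. The function starts before and continues past the hunk.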
+--
+2.34.1
+
--- /dev/null
+From 29a91cd9787711f0c23d282876f34300f39c691d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Dec 2021 16:31:38 +0100
+Subject: net: bridge: fix ioctl old_deviceless bridge argument
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit d95a56207c078e2019cf6659d890ec1e987e8420 ]
+
+Commit 561d8352818f ("bridge: use ndo_siocdevprivate") changed the
+source and destination arguments of copy_{to,from}_user in bridge's
+old_deviceless() from args[1] to uarg breaking SIOC{G,S}IFBR ioctls.
+
+Commit cbd7ad29a507 ("net: bridge: fix ioctl old_deviceless bridge
+argument") fixed only BRCTL_{ADD,DEL}_BRIDGES commands leaving
+BRCTL_GET_BRIDGES one untouched.
+
+This fixes BRCTL_GET_BRIDGES as well and has been tested with busybox's
+brctl.
+
+Example of broken brctl:
+$ brctl show
+bridge name bridge id STP enabled interfaces
+brctl: can't get bridge name for index 0: No such device or address
+
+Example of fixed brctl:
+$ brctl show
+bridge name bridge id STP enabled interfaces
+br0 8000.000000000000 no
+
+Fixes: 561d8352818f ("bridge: use ndo_siocdevprivate")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Link: https://lore.kernel.org/all/20211223153139.7661-2-repk@triplefau.lt/
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
+index 49c268871fc11..9922497e59f8c 100644
+--- a/net/bridge/br_ioctl.c
++++ b/net/bridge/br_ioctl.c
+@@ -337,7 +337,7 @@ static int old_deviceless(struct net *net, void __user *uarg)
+
+ args[2] = get_bridge_ifindices(net, indices, args[2]);
+
+- ret = copy_to_user(uarg, indices,
++ ret = copy_to_user((void __user *)args[1], indices,
+ array_size(args[2], sizeof(int)))
+ ? -EFAULT : args[2];
+
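Review bot: The cast `(void __user *)args[1]` carries no comment, yet the difference between `uarg` and `args[1]` is what the two earlier commits named in the description got wrong. Going by the description, `args[1]` is the buffer address supplied by the caller while `uarg` refers to the argument block, so a line such as `/* args[1] is the user buffer address taken from the args block; do not replace with uarg */` above the `copy_to_user()` call would guard against a repeat. The value is user-controlled and should only ever be passed to the user-copy helpers, never dereferenced directly. How `indices` is sized against `args[2]` is decided outside the hunk.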
+--
+2.34.1
+
--- /dev/null
+From 92e509ceb8674e14d64b8ade9bdcb5b476ae881c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Sep 2021 15:12:39 -0500
+Subject: net: bridge: Use array_size() helper in copy_to_user()
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit 865bfb2affa8eff5182b29aa90803a2df4409834 ]
+
+Use array_size() helper instead of the open-coded version in
+copy_to_user(). These sorts of multiplication factors need
+to be wrapped in array_size().
+
+Link: https://github.com/KSPP/linux/issues/160
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_ioctl.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
+index 793b0db9d9a36..49c268871fc11 100644
+--- a/net/bridge/br_ioctl.c
++++ b/net/bridge/br_ioctl.c
+@@ -71,7 +71,8 @@ static int get_fdb_entries(struct net_bridge *br, void __user *userbuf,
+
+ num = br_fdb_fillbuf(br, buf, maxnum, offset);
+ if (num > 0) {
+- if (copy_to_user(userbuf, buf, num*sizeof(struct __fdb_entry)))
++ if (copy_to_user(userbuf, buf,
++ array_size(num, sizeof(struct __fdb_entry))))
+ num = -EFAULT;
+ }
+ kfree(buf);
+@@ -188,7 +189,7 @@ int br_dev_siocdevprivate(struct net_device *dev, struct ifreq *rq, void __user
+ return -ENOMEM;
+
+ get_port_ifindices(br, indices, num);
+- if (copy_to_user(argp, indices, num * sizeof(int)))
++ if (copy_to_user(argp, indices, array_size(num, sizeof(int))))
+ num = -EFAULT;
+ kfree(indices);
+ return num;
+@@ -336,7 +337,8 @@ static int old_deviceless(struct net *net, void __user *uarg)
+
+ args[2] = get_bridge_ifindices(net, indices, args[2]);
+
+- ret = copy_to_user(uarg, indices, args[2]*sizeof(int))
++ ret = copy_to_user(uarg, indices,
++ array_size(args[2], sizeof(int)))
+ ? -EFAULT : args[2];
+
+ kfree(indices);
+--
+2.34.1
+
--- /dev/null
+From e4d75dfcf17720523f8ee2c989968c61436e4d5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 15:59:44 +0800
+Subject: net: ks8851: Check for error irq
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 99d7fbb5cedf598f67e8be106d6c7b8d91366aef ]
+
+platform_get_irq() could fail and return an error irq.
+Therefore, it is better to check it in order to avoid the use of
+an error irq.
+
+Fixes: 797047f875b5 ("net: ks8851: Implement Parallel bus operations")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/micrel/ks8851_par.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/micrel/ks8851_par.c b/drivers/net/ethernet/micrel/ks8851_par.c
+index 2e8fcce50f9d1..c6f517c07bb9a 100644
+--- a/drivers/net/ethernet/micrel/ks8851_par.c
++++ b/drivers/net/ethernet/micrel/ks8851_par.c
+@@ -321,6 +321,8 @@ static int ks8851_probe_par(struct platform_device *pdev)
+ return ret;
+
+ netdev->irq = platform_get_irq(pdev, 0);
++ if (netdev->irq < 0)
++ return netdev->irq;
+
+ return ks8851_probe_common(netdev, dev, msg_enable);
+ }
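Review bot: The result of `platform_get_irq()` is written into `netdev->irq` before it is tested, so on the failure path the device structure holds a negative errno as its IRQ number until the function returns. Using the `ret` variable already present in this function keeps the field valid at all times: `ret = platform_get_irq(pdev, 0); if (ret < 0) return ret; netdev->irq = ret;`. This is a point of style; the added check itself is correct as far as the hunk shows. `ks8851_probe_par()` starts outside the hunk.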
+--
+2.34.1
+
--- /dev/null
+From d674f153f2a12c19ee185534bcbd60f3849332e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Dec 2021 19:07:36 +0200
+Subject: net: marvell: prestera: fix incorrect return of port_find
+
+From: Yevhen Orlov <yevhen.orlov@plvision.eu>
+
+[ Upstream commit 8b681bd7c301c423fbe97a6b23388a2180ff04ca ]
+
+When some ports are in the list and the requested one is not found, we
+return the last iterator state instead of NULL as expected.
+
+Fixes: 501ef3066c89 ("net: marvell: prestera: Add driver for Prestera family ASIC devices")
+Signed-off-by: Yevhen Orlov <yevhen.orlov@plvision.eu>
+Link: https://lore.kernel.org/r/20211216170736.8851-1-yevhen.orlov@plvision.eu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/marvell/prestera/prestera_main.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/prestera/prestera_main.c b/drivers/net/ethernet/marvell/prestera/prestera_main.c
+index 44c670807fb3c..f6d2f928c5b83 100644
+--- a/drivers/net/ethernet/marvell/prestera/prestera_main.c
++++ b/drivers/net/ethernet/marvell/prestera/prestera_main.c
+@@ -54,12 +54,14 @@ int prestera_port_pvid_set(struct prestera_port *port, u16 vid)
+ struct prestera_port *prestera_port_find_by_hwid(struct prestera_switch *sw,
+ u32 dev_id, u32 hw_id)
+ {
+- struct prestera_port *port = NULL;
++ struct prestera_port *port = NULL, *tmp;
+
+ read_lock(&sw->port_list_lock);
+- list_for_each_entry(port, &sw->port_list, list) {
+- if (port->dev_id == dev_id && port->hw_id == hw_id)
++ list_for_each_entry(tmp, &sw->port_list, list) {
++ if (tmp->dev_id == dev_id && tmp->hw_id == hw_id) {
++ port = tmp;
+ break;
++ }
+ }
+ read_unlock(&sw->port_list_lock);
+
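Review bot: The pointer found by `prestera_port_find_by_hwid()` is handed out after `read_unlock(&sw->port_list_lock)`, and nothing in the hunk takes a reference on the port, so its lifetime rests on guarantees made by the callers, which are not visible here. A comment above the function stating whatever rule applies would help, for example `/* The caller must ensure the returned port cannot be removed from sw->port_list while it is in use. */`. The same holds for `prestera_find_port()` in the next hunk. The `return` statement of both functions lies outside the hunks.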
+@@ -68,12 +70,14 @@ struct prestera_port *prestera_port_find_by_hwid(struct prestera_switch *sw,
+
+ struct prestera_port *prestera_find_port(struct prestera_switch *sw, u32 id)
+ {
+- struct prestera_port *port = NULL;
++ struct prestera_port *port = NULL, *tmp;
+
+ read_lock(&sw->port_list_lock);
+- list_for_each_entry(port, &sw->port_list, list) {
+- if (port->id == id)
++ list_for_each_entry(tmp, &sw->port_list, list) {
++ if (tmp->id == id) {
++ port = tmp;
+ break;
++ }
+ }
+ read_unlock(&sw->port_list_lock);
+
+--
+2.34.1
+
--- /dev/null
+From b453a10f2938d36dea49bde2c14b37f137b0f7c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Dec 2021 19:17:14 +0200
+Subject: net: marvell: prestera: fix incorrect structure access
+
+From: Yevhen Orlov <yevhen.orlov@plvision.eu>
+
+[ Upstream commit 2efc2256febf214e7b2bdaa21fe6c3c3146acdcb ]
+
+In line:
+ upper = info->upper_dev;
+We access upper_dev field, which is related only for particular events
+(e.g. event == NETDEV_CHANGEUPPER). So, this line cause invalid memory
+access for another events,
+when ptr is not netdev_notifier_changeupper_info.
+
+The KASAN logs are as follows:
+
+[ 30.123165] BUG: KASAN: stack-out-of-bounds in prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera]
+[ 30.133336] Read of size 8 at addr ffff80000cf772b0 by task udevd/778
+[ 30.139866]
+[ 30.141398] CPU: 0 PID: 778 Comm: udevd Not tainted 5.16.0-rc3 #6
+[ 30.147588] Hardware name: DNI AmazonGo1 A7040 board (DT)
+[ 30.153056] Call trace:
+[ 30.155547] dump_backtrace+0x0/0x2c0
+[ 30.159320] show_stack+0x18/0x30
+[ 30.162729] dump_stack_lvl+0x68/0x84
+[ 30.166491] print_address_description.constprop.0+0x74/0x2b8
+[ 30.172346] kasan_report+0x1e8/0x250
+[ 30.176102] __asan_load8+0x98/0xe0
+[ 30.179682] prestera_netdev_port_event.constprop.0+0x68/0x538 [prestera]
+[ 30.186847] prestera_netdev_event_handler+0x1b4/0x1c0 [prestera]
+[ 30.193313] raw_notifier_call_chain+0x74/0xa0
+[ 30.197860] call_netdevice_notifiers_info+0x68/0xc0
+[ 30.202924] register_netdevice+0x3cc/0x760
+[ 30.207190] register_netdev+0x24/0x50
+[ 30.211015] prestera_device_register+0x8a0/0xba0 [prestera]
+
+Fixes: 3d5048cc54bd ("net: marvell: prestera: move netdev topology validation to prestera_main")
+Signed-off-by: Yevhen Orlov <yevhen.orlov@plvision.eu>
+Link: https://lore.kernel.org/r/20211216171714.11341-1-yevhen.orlov@plvision.eu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/marvell/prestera/prestera_main.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/prestera/prestera_main.c b/drivers/net/ethernet/marvell/prestera/prestera_main.c
+index f6d2f928c5b83..aa543b29799ed 100644
+--- a/drivers/net/ethernet/marvell/prestera/prestera_main.c
++++ b/drivers/net/ethernet/marvell/prestera/prestera_main.c
+@@ -707,23 +707,27 @@ static int prestera_netdev_port_event(struct net_device *lower,
+ struct net_device *dev,
+ unsigned long event, void *ptr)
+ {
+- struct netdev_notifier_changeupper_info *info = ptr;
++ struct netdev_notifier_info *info = ptr;
++ struct netdev_notifier_changeupper_info *cu_info;
+ struct prestera_port *port = netdev_priv(dev);
+ struct netlink_ext_ack *extack;
+ struct net_device *upper;
+
+- extack = netdev_notifier_info_to_extack(&info->info);
+- upper = info->upper_dev;
++ extack = netdev_notifier_info_to_extack(info);
++ cu_info = container_of(info,
++ struct netdev_notifier_changeupper_info,
++ info);
+
+ switch (event) {
+ case NETDEV_PRECHANGEUPPER:
++ upper = cu_info->upper_dev;
+ if (!netif_is_bridge_master(upper) &&
+ !netif_is_lag_master(upper)) {
+ NL_SET_ERR_MSG_MOD(extack, "Unknown upper device type");
+ return -EINVAL;
+ }
+
+- if (!info->linking)
++ if (!cu_info->linking)
+ break;
+
+ if (netdev_has_any_upper_dev(upper)) {
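Review bot: `cu_info` is still derived with `container_of()` ahead of the `switch`, for every event, so a pointer typed as `struct netdev_notifier_changeupper_info *` exists even when `ptr` is some other notifier payload; it is safe only because nothing dereferences it outside the two CHANGEUPPER cases. Computing it inside those cases, next to `upper = cu_info->upper_dev;`, would rule out accidental use, or the declaration could at least be marked `/* valid only for NETDEV_PRECHANGEUPPER and NETDEV_CHANGEUPPER */`. `upper` is likewise left unassigned on every other path now, so any case outside these hunks that reads it would use an uninitialised value; that part of the function is not visible here.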
+@@ -732,7 +736,7 @@ static int prestera_netdev_port_event(struct net_device *lower,
+ }
+
+ if (netif_is_lag_master(upper) &&
+- !prestera_lag_master_check(upper, info->upper_info, extack))
++ !prestera_lag_master_check(upper, cu_info->upper_info, extack))
+ return -EOPNOTSUPP;
+ if (netif_is_lag_master(upper) && vlan_uses_dev(dev)) {
+ NL_SET_ERR_MSG_MOD(extack,
+@@ -748,14 +752,15 @@ static int prestera_netdev_port_event(struct net_device *lower,
+ break;
+
+ case NETDEV_CHANGEUPPER:
++ upper = cu_info->upper_dev;
+ if (netif_is_bridge_master(upper)) {
+- if (info->linking)
++ if (cu_info->linking)
+ return prestera_bridge_port_join(upper, port,
+ extack);
+ else
+ prestera_bridge_port_leave(upper, port);
+ } else if (netif_is_lag_master(upper)) {
+- if (info->linking)
++ if (cu_info->linking)
+ return prestera_lag_port_add(port, upper);
+ else
+ prestera_lag_port_del(port);
+--
+2.34.1
+
--- /dev/null
+From 2c0bdb17dca4f54825a4037a2d722c088755ebee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Dec 2021 09:50:27 -0500
+Subject: net: skip virtio_net_hdr_set_proto if protocol already set
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 1ed1d592113959f00cc552c3b9f47ca2d157768f ]
+
+virtio_net_hdr_set_proto infers skb->protocol from the virtio_net_hdr
+gso_type, to avoid packets getting dropped for lack of a proto type.
+
+Its protocol choice is a guess, especially in the case of UFO, where
+the single VIRTIO_NET_HDR_GSO_UDP label covers both UFOv4 and UFOv6.
+
+Skip this best effort if the field is already initialized. Whether
+explicitly from userspace, or implicitly based on an earlier call to
+dev_parse_header_protocol (which is more robust, but was introduced
+after this patch).
+
+Fixes: 9d2f67e43b73 ("net/packet: fix packet drop as of virtio gso")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20211220145027.2784293-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/virtio_net.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
+index 22dd48c825600..a960de68ac69e 100644
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -25,6 +25,9 @@ static inline bool virtio_net_hdr_match_proto(__be16 protocol, __u8 gso_type)
+ static inline int virtio_net_hdr_set_proto(struct sk_buff *skb,
+ const struct virtio_net_hdr *hdr)
+ {
++ if (skb->protocol)
++ return 0;
++
+ switch (hdr->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
+ case VIRTIO_NET_HDR_GSO_TCPV4:
+ case VIRTIO_NET_HDR_GSO_UDP:
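Review bot: The early `return 0` accepts whatever `skb->protocol` already holds, including a value set from userspace as the description says, without comparing it with `hdr->gso_type`. `virtio_net_hdr_match_proto()`, named in the hunk header just above, performs that comparison for a parsed L2 protocol, so the asymmetry should be stated in a comment, e.g. `/* protocol already set by the caller or by header parsing; not validated against gso_type here */`. Whether a later step rejects a mismatch is not visible in this hunk. The function body continues past the hunk.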
+--
+2.34.1
+
--- /dev/null
+From f5bcc99db22d6e95f0d22f1154f244d2e58b9ac3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Dec 2021 16:36:33 +0900
+Subject: net: stmmac: dwmac-visconti: Fix value of ETHER_CLK_SEL_FREQ_SEL_2P5M
+
+From: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+
+[ Upstream commit 391e5975c0208ce3739587b33eba08be3e473d79 ]
+
+ETHER_CLK_SEL_FREQ_SEL_2P5M is not 0 bit of the register. This is a
+value, which is 0. Fix from BIT(0) to 0.
+
+Reported-by: Yuji Ishikawa <yuji2.ishikawa@toshiba.co.jp>
+Fixes: b38dd98ff8d0 ("net: stmmac: Add Toshiba Visconti SoCs glue driver")
+Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+Link: https://lore.kernel.org/r/20211223073633.101306-1-nobuhiro1.iwamatsu@toshiba.co.jp
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c
+index d046e33b8a297..fac788718c045 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-visconti.c
+@@ -26,7 +26,7 @@
+ #define ETHER_CLK_SEL_FREQ_SEL_125M (BIT(9) | BIT(8))
+ #define ETHER_CLK_SEL_FREQ_SEL_50M BIT(9)
+ #define ETHER_CLK_SEL_FREQ_SEL_25M BIT(8)
+-#define ETHER_CLK_SEL_FREQ_SEL_2P5M BIT(0)
++#define ETHER_CLK_SEL_FREQ_SEL_2P5M 0
+ #define ETHER_CLK_SEL_TX_CLK_EXT_SEL_IN BIT(0)
+ #define ETHER_CLK_SEL_TX_CLK_EXT_SEL_TXC BIT(10)
+ #define ETHER_CLK_SEL_TX_CLK_EXT_SEL_DIV BIT(11)
+--
+2.34.1
+
--- /dev/null
+From 30b94efb40cdc743daa968e0440456d6fab195fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Dec 2021 15:39:28 +0800
+Subject: net: stmmac: ptp: fix potentially overflowing expression
+
+From: Xiaoliang Yang <xiaoliang.yang_1@nxp.com>
+
+[ Upstream commit eccffcf4657ab9a148faaa0eb354d2a091caf552 ]
+
+Convert the u32 variable to type u64 in a context where expression of
+type u64 is required to avoid potential overflow.
+
+Fixes: e9e3720002f6 ("net: stmmac: ptp: update tas basetime after ptp adjust")
+Signed-off-by: Xiaoliang Yang <xiaoliang.yang_1@nxp.com>
+Link: https://lore.kernel.org/r/20211223073928.37371-1-xiaoliang.yang_1@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
+index 580cc035536bd..be9b58b2abf9b 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
+@@ -102,7 +102,7 @@ static int stmmac_adjust_time(struct ptp_clock_info *ptp, s64 delta)
+ time.tv_nsec = priv->plat->est->btr_reserve[0];
+ time.tv_sec = priv->plat->est->btr_reserve[1];
+ basetime = timespec64_to_ktime(time);
+- cycle_time = priv->plat->est->ctr[1] * NSEC_PER_SEC +
++ cycle_time = (u64)priv->plat->est->ctr[1] * NSEC_PER_SEC +
+ priv->plat->est->ctr[0];
+ time = stmmac_calc_tas_basetime(basetime,
+ current_time_ns,
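Review bot: The `(u64)` cast carries the whole fix, but nothing at the call site says why it is there, so a later cleanup could drop it as redundant. A one-line comment such as `/* widen ctr[1] before multiplying so the product is computed in 64 bits */` would protect it. The declaration of `cycle_time` is outside the hunk; the cast only helps if that variable is itself 64 bits wide.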
+--
+2.34.1
+
--- /dev/null
+From 4905673e153fbb82848ae007db223b5c15594029 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Dec 2021 16:31:27 +0100
+Subject: netfilter: fix regression in looped (broad|multi)cast's MAC handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
+
+[ Upstream commit ebb966d3bdfed581ecccbb4a7432341baf7619b4 ]
+
+In commit 5648b5e1169f ("netfilter: nfnetlink_queue: fix OOB when mac
+header was cleared"), the test for non-empty MAC header introduced in
+commit 2c38de4c1f8da7 ("netfilter: fix looped (broad|multi)cast's MAC
+handling") has been replaced with a test for a set MAC header.
+
+This breaks the case when the MAC header has been reset (using
+skb_reset_mac_header), as is the case with looped-back multicast
+packets. As a result, the packets ending up in NFQUEUE get a bogus
+hwaddr interpreted from the first bytes of the IP header.
+
+This patch adds a test for a non-empty MAC header in addition to the
+test for a set MAC header. The same two tests are also implemented in
+nfnetlink_log.c, where the initial code of commit 2c38de4c1f8da7
+("netfilter: fix looped (broad|multi)cast's MAC handling") has not been
+touched, but where supposedly the same situation may happen.
+
+Fixes: 5648b5e1169f ("netfilter: nfnetlink_queue: fix OOB when mac header was cleared")
+Signed-off-by: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_log.c | 3 ++-
+ net/netfilter/nfnetlink_queue.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
+index 691ef4cffdd90..7f83f9697fc14 100644
+--- a/net/netfilter/nfnetlink_log.c
++++ b/net/netfilter/nfnetlink_log.c
+@@ -556,7 +556,8 @@ __build_packet_message(struct nfnl_log_net *log,
+ goto nla_put_failure;
+
+ if (indev && skb->dev &&
+- skb->mac_header != skb->network_header) {
++ skb_mac_header_was_set(skb) &&
++ skb_mac_header_len(skb) != 0) {
+ struct nfulnl_msg_packet_hw phw;
+ int len;
+
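Review bot: The two-part test `skb_mac_header_was_set(skb) && skb_mac_header_len(skb) != 0` now appears separately in `__build_packet_message()` here and in `nfqnl_build_packet_message()` in the next hunk, and the description notes that the earlier out-of-bounds fix changed only one of the two files. A small shared inline helper holding both conditions, used from both call sites, would keep them from diverging again. Its comment should say that a MAC header which was reset has zero length and must not be parsed as a hardware address. The code that builds the hardware-address attribute lies outside both hunks.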
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index 4acc4b8e9fe5a..959527708e382 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -560,7 +560,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
+ goto nla_put_failure;
+
+ if (indev && entskb->dev &&
+- skb_mac_header_was_set(entskb)) {
++ skb_mac_header_was_set(entskb) &&
++ skb_mac_header_len(entskb) != 0) {
+ struct nfqnl_msg_packet_hw phw;
+ int len;
+
+--
+2.34.1
+
--- /dev/null
+From 95569bb1f24520a4b5ba1df27c9f940d5344dca4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Dec 2021 05:45:44 -0800
+Subject: netfilter: nf_tables: fix use-after-free in
+ nft_set_catchall_destroy()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 0f7d9b31ce7abdbb29bf018131ac920c9f698518 ]
+
+We need to use list_for_each_entry_safe() iterator
+because we can not access @catchall after kfree_rcu() call.
+
+syzbot reported:
+
+BUG: KASAN: use-after-free in nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4486 [inline]
+BUG: KASAN: use-after-free in nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline]
+BUG: KASAN: use-after-free in nft_set_destroy+0x3fd/0x4f0 net/netfilter/nf_tables_api.c:4493
+Read of size 8 at addr ffff8880716e5b80 by task syz-executor.3/8871
+
+CPU: 1 PID: 8871 Comm: syz-executor.3 Not tainted 5.16.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ print_address_description.constprop.0.cold+0x8d/0x2ed mm/kasan/report.c:247
+ __kasan_report mm/kasan/report.c:433 [inline]
+ kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
+ nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4486 [inline]
+ nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline]
+ nft_set_destroy+0x3fd/0x4f0 net/netfilter/nf_tables_api.c:4493
+ __nft_release_table+0x79f/0xcd0 net/netfilter/nf_tables_api.c:9626
+ nft_rcv_nl_event+0x4f8/0x670 net/netfilter/nf_tables_api.c:9688
+ notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
+ blocking_notifier_call_chain kernel/notifier.c:318 [inline]
+ blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:306
+ netlink_release+0xcb6/0x1dd0 net/netlink/af_netlink.c:788
+ __sock_release+0xcd/0x280 net/socket.c:649
+ sock_close+0x18/0x20 net/socket.c:1314
+ __fput+0x286/0x9f0 fs/file_table.c:280
+ task_work_run+0xdd/0x1a0 kernel/task_work.c:164
+ tracehook_notify_resume include/linux/tracehook.h:189 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
+ exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
+ syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
+ do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7f75fbf28adb
+Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
+RSP: 002b:00007ffd8da7ec10 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
+RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f75fbf28adb
+RDX: 00007f75fc08e828 RSI: ffffffffffffffff RDI: 0000000000000003
+RBP: 00007f75fc08a960 R08: 0000000000000000 R09: 00007f75fc08e830
+R10: 00007ffd8da7ed10 R11: 0000000000000293 R12: 00000000002067c3
+R13: 00007ffd8da7ed10 R14: 00007f75fc088f60 R15: 0000000000000032
+ </TASK>
+
+Allocated by task 8886:
+ kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
+ kasan_set_track mm/kasan/common.c:46 [inline]
+ set_alloc_info mm/kasan/common.c:434 [inline]
+ ____kasan_kmalloc mm/kasan/common.c:513 [inline]
+ ____kasan_kmalloc mm/kasan/common.c:472 [inline]
+ __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:522
+ kasan_kmalloc include/linux/kasan.h:269 [inline]
+ kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3575
+ kmalloc include/linux/slab.h:590 [inline]
+ nft_setelem_catchall_insert net/netfilter/nf_tables_api.c:5544 [inline]
+ nft_setelem_insert net/netfilter/nf_tables_api.c:5562 [inline]
+ nft_add_set_elem+0x232e/0x2f40 net/netfilter/nf_tables_api.c:5936
+ nf_tables_newsetelem+0x6ff/0xbb0 net/netfilter/nf_tables_api.c:6032
+ nfnetlink_rcv_batch+0x1710/0x25f0 net/netfilter/nfnetlink.c:513
+ nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]
+ nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:652
+ netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345
+ netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921
+ sock_sendmsg_nosec net/socket.c:704 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:724
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2463
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Freed by task 15335:
+ kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
+ kasan_set_track+0x21/0x30 mm/kasan/common.c:46
+ kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
+ ____kasan_slab_free mm/kasan/common.c:366 [inline]
+ ____kasan_slab_free mm/kasan/common.c:328 [inline]
+ __kasan_slab_free+0xd1/0x110 mm/kasan/common.c:374
+ kasan_slab_free include/linux/kasan.h:235 [inline]
+ __cache_free mm/slab.c:3445 [inline]
+ kmem_cache_free_bulk+0x67/0x1e0 mm/slab.c:3766
+ kfree_bulk include/linux/slab.h:446 [inline]
+ kfree_rcu_work+0x51c/0xa10 kernel/rcu/tree.c:3273
+ process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
+ worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
+ kthread+0x405/0x4f0 kernel/kthread.c:327
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
+
+Last potentially related work creation:
+ kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
+ __kasan_record_aux_stack+0xb5/0xe0 mm/kasan/generic.c:348
+ kvfree_call_rcu+0x74/0x990 kernel/rcu/tree.c:3550
+ nft_set_catchall_destroy net/netfilter/nf_tables_api.c:4489 [inline]
+ nft_set_destroy net/netfilter/nf_tables_api.c:4504 [inline]
+ nft_set_destroy+0x34a/0x4f0 net/netfilter/nf_tables_api.c:4493
+ __nft_release_table+0x79f/0xcd0 net/netfilter/nf_tables_api.c:9626
+ nft_rcv_nl_event+0x4f8/0x670 net/netfilter/nf_tables_api.c:9688
+ notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
+ blocking_notifier_call_chain kernel/notifier.c:318 [inline]
+ blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:306
+ netlink_release+0xcb6/0x1dd0 net/netlink/af_netlink.c:788
+ __sock_release+0xcd/0x280 net/socket.c:649
+ sock_close+0x18/0x20 net/socket.c:1314
+ __fput+0x286/0x9f0 fs/file_table.c:280
+ task_work_run+0xdd/0x1a0 kernel/task_work.c:164
+ tracehook_notify_resume include/linux/tracehook.h:189 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
+ exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
+ syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
+ do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The buggy address belongs to the object at ffff8880716e5b80
+ which belongs to the cache kmalloc-64 of size 64
+The buggy address is located 0 bytes inside of
+ 64-byte region [ffff8880716e5b80, ffff8880716e5bc0)
+The buggy address belongs to the page:
+page:ffffea0001c5b940 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880716e5c00 pfn:0x716e5
+flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
+raw: 00fff00000000200 ffffea0000911848 ffffea00007c4d48 ffff888010c40200
+raw: ffff8880716e5c00 ffff8880716e5000 000000010000001e 0000000000000000
+page dumped because: kasan: bad access detected
+page_owner tracks the page as allocated
+page last allocated via order 0, migratetype Unmovable, gfp_mask 0x242040(__GFP_IO|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 3638, ts 211086074437, free_ts 211031029429
+ prep_new_page mm/page_alloc.c:2418 [inline]
+ get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
+ __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
+ __alloc_pages_node include/linux/gfp.h:570 [inline]
+ kmem_getpages mm/slab.c:1377 [inline]
+ cache_grow_begin+0x75/0x470 mm/slab.c:2593
+ cache_alloc_refill+0x27f/0x380 mm/slab.c:2965
+ ____cache_alloc mm/slab.c:3048 [inline]
+ ____cache_alloc mm/slab.c:3031 [inline]
+ __do_cache_alloc mm/slab.c:3275 [inline]
+ slab_alloc mm/slab.c:3316 [inline]
+ __do_kmalloc mm/slab.c:3700 [inline]
+ __kmalloc+0x3b3/0x4d0 mm/slab.c:3711
+ kmalloc include/linux/slab.h:595 [inline]
+ kzalloc include/linux/slab.h:724 [inline]
+ tomoyo_get_name+0x234/0x480 security/tomoyo/memory.c:173
+ tomoyo_parse_name_union+0xbc/0x160 security/tomoyo/util.c:260
+ tomoyo_update_path_number_acl security/tomoyo/file.c:687 [inline]
+ tomoyo_write_file+0x629/0x7f0 security/tomoyo/file.c:1034
+ tomoyo_write_domain2+0x116/0x1d0 security/tomoyo/common.c:1152
+ tomoyo_add_entry security/tomoyo/common.c:2042 [inline]
+ tomoyo_supervisor+0xbc7/0xf00 security/tomoyo/common.c:2103
+ tomoyo_audit_path_number_log security/tomoyo/file.c:235 [inline]
+ tomoyo_path_number_perm+0x419/0x590 security/tomoyo/file.c:734
+ security_file_ioctl+0x50/0xb0 security/security.c:1541
+ __do_sys_ioctl fs/ioctl.c:868 [inline]
+ __se_sys_ioctl fs/ioctl.c:860 [inline]
+ __x64_sys_ioctl+0xb3/0x200 fs/ioctl.c:860
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+page last free stack trace:
+ reset_page_owner include/linux/page_owner.h:24 [inline]
+ free_pages_prepare mm/page_alloc.c:1338 [inline]
+ free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
+ free_unref_page_prepare mm/page_alloc.c:3309 [inline]
+ free_unref_page+0x19/0x690 mm/page_alloc.c:3388
+ slab_destroy mm/slab.c:1627 [inline]
+ slabs_destroy+0x89/0xc0 mm/slab.c:1647
+ cache_flusharray mm/slab.c:3418 [inline]
+ ___cache_free+0x4cc/0x610 mm/slab.c:3480
+ qlink_free mm/kasan/quarantine.c:146 [inline]
+ qlist_free_all+0x4e/0x110 mm/kasan/quarantine.c:165
+ kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
+ __kasan_slab_alloc+0x97/0xb0 mm/kasan/common.c:444
+ kasan_slab_alloc include/linux/kasan.h:259 [inline]
+ slab_post_alloc_hook mm/slab.h:519 [inline]
+ slab_alloc_node mm/slab.c:3261 [inline]
+ kmem_cache_alloc_node+0x2ea/0x590 mm/slab.c:3599
+ __alloc_skb+0x215/0x340 net/core/skbuff.c:414
+ alloc_skb include/linux/skbuff.h:1126 [inline]
+ nlmsg_new include/net/netlink.h:953 [inline]
+ rtmsg_ifinfo_build_skb+0x72/0x1a0 net/core/rtnetlink.c:3808
+ rtmsg_ifinfo_event net/core/rtnetlink.c:3844 [inline]
+ rtmsg_ifinfo_event net/core/rtnetlink.c:3835 [inline]
+ rtmsg_ifinfo+0x83/0x120 net/core/rtnetlink.c:3853
+ netdev_state_change net/core/dev.c:1395 [inline]
+ netdev_state_change+0x114/0x130 net/core/dev.c:1386
+ linkwatch_do_dev+0x10e/0x150 net/core/link_watch.c:167
+ __linkwatch_run_queue+0x233/0x6a0 net/core/link_watch.c:213
+ linkwatch_event+0x4a/0x60 net/core/link_watch.c:252
+ process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
+
+Memory state around the buggy address:
+ ffff8880716e5a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff8880716e5b00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
+>ffff8880716e5b80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ^
+ ffff8880716e5c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff8880716e5c80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+
+Fixes: aaa31047a6d2 ("netfilter: nftables: add catch-all set element support")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index c0851fec11d46..c207728226372 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4481,9 +4481,9 @@ struct nft_set_elem_catchall {
+ static void nft_set_catchall_destroy(const struct nft_ctx *ctx,
+ struct nft_set *set)
+ {
+- struct nft_set_elem_catchall *catchall;
++ struct nft_set_elem_catchall *next, *catchall;
+
+- list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
++ list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
+ list_del_rcu(&catchall->list);
+ nft_set_elem_destroy(set, catchall->elem, true);
+ kfree_rcu(catchall);
+--
+2.34.1
+
--- /dev/null
+From 81fcacf5fb456a5da9b451521dc98d8dcd31a0b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Dec 2021 17:39:11 +0800
+Subject: qlcnic: potential dereference null pointer of rx_queue->page_ring
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 60ec7fcfe76892a1479afab51ff17a4281923156 ]
+
+The return value of kcalloc() needs to be checked.
+To avoid dereference of null pointer in case of the failure of alloc.
+Therefore, it might be better to change the return type of
+qlcnic_sriov_alloc_vlans() and return -ENOMEM when alloc fails and
+return 0 the others.
+Also, qlcnic_sriov_set_guest_vlan_mode() and __qlcnic_pci_sriov_enable()
+should deal with the return value of qlcnic_sriov_alloc_vlans().
+
+Fixes: 154d0c810c53 ("qlcnic: VLAN enhancement for 84XX adapters")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h | 2 +-
+ .../net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 12 +++++++++---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c | 4 +++-
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h
+index 7160b42f51ddd..d0111cb3b40e1 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov.h
+@@ -201,7 +201,7 @@ int qlcnic_sriov_get_vf_vport_info(struct qlcnic_adapter *,
+ struct qlcnic_info *, u16);
+ int qlcnic_sriov_cfg_vf_guest_vlan(struct qlcnic_adapter *, u16, u8);
+ void qlcnic_sriov_free_vlans(struct qlcnic_adapter *);
+-void qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *);
++int qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *);
+ bool qlcnic_sriov_check_any_vlan(struct qlcnic_vf_info *);
+ void qlcnic_sriov_del_vlan_id(struct qlcnic_sriov *,
+ struct qlcnic_vf_info *, u16);
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+index dd03be3fc82a9..42a44c97572ae 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+@@ -432,7 +432,7 @@ static int qlcnic_sriov_set_guest_vlan_mode(struct qlcnic_adapter *adapter,
+ struct qlcnic_cmd_args *cmd)
+ {
+ struct qlcnic_sriov *sriov = adapter->ahw->sriov;
+- int i, num_vlans;
++ int i, num_vlans, ret;
+ u16 *vlans;
+
+ if (sriov->allowed_vlans)
+@@ -443,7 +443,9 @@ static int qlcnic_sriov_set_guest_vlan_mode(struct qlcnic_adapter *adapter,
+ dev_info(&adapter->pdev->dev, "Number of allowed Guest VLANs = %d\n",
+ sriov->num_allowed_vlans);
+
+- qlcnic_sriov_alloc_vlans(adapter);
++ ret = qlcnic_sriov_alloc_vlans(adapter);
++ if (ret)
++ return ret;
+
+ if (!sriov->any_vlan)
+ return 0;
+@@ -2154,7 +2156,7 @@ static int qlcnic_sriov_vf_resume(struct qlcnic_adapter *adapter)
+ return err;
+ }
+
+-void qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *adapter)
++int qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *adapter)
+ {
+ struct qlcnic_sriov *sriov = adapter->ahw->sriov;
+ struct qlcnic_vf_info *vf;
+@@ -2164,7 +2166,11 @@ void qlcnic_sriov_alloc_vlans(struct qlcnic_adapter *adapter)
+ vf = &sriov->vf_info[i];
+ vf->sriov_vlans = kcalloc(sriov->num_allowed_vlans,
+ sizeof(*vf->sriov_vlans), GFP_KERNEL);
++ if (!vf->sriov_vlans)
++ return -ENOMEM;
+ }
++
++ return 0;
+ }
+
+ void qlcnic_sriov_free_vlans(struct qlcnic_adapter *adapter)
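Review bot: The new `return -ENOMEM;` inside the loop of qlcnic_sriov_alloc_vlans() leaves the sriov_vlans arrays already allocated for earlier VFs in place, and nothing in this function releases them. Whether the callers' error paths (`return ret;` in qlcnic_sriov_set_guest_vlan_mode() and `goto del_flr_queue;` in __qlcnic_pci_sriov_enable()) eventually reach qlcnic_sriov_free_vlans() is not visible in these hunks, so the partial state should either be unwound here or documented as the caller's job. A minimal form is to call `qlcnic_sriov_free_vlans(adapter);` before `return -ENOMEM;`, provided that function tolerates NULL entries and clears the pointers, which the hunk does not show. The function body starts outside this hunk.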
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c
+index 447720b93e5ab..e90fa97c0ae6c 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c
+@@ -597,7 +597,9 @@ static int __qlcnic_pci_sriov_enable(struct qlcnic_adapter *adapter,
+ if (err)
+ goto del_flr_queue;
+
+- qlcnic_sriov_alloc_vlans(adapter);
++ err = qlcnic_sriov_alloc_vlans(adapter);
++ if (err)
++ goto del_flr_queue;
+
+ return err;
+
+--
+2.34.1
+
--- /dev/null
+From f7c3daa159d22984a5cf366bbb841698fe5de290 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Dec 2021 17:27:01 +0800
+Subject: r8152: fix the force speed doesn't work for RTL8156
+
+From: Hayes Wang <hayeswang@realtek.com>
+
+[ Upstream commit 45bf944e6703d43fe5e285808312acd8a34c1a24 ]
+
+It needs to set mdio force mode. Otherwise, link off always occurs when
+setting force speed.
+
+Fixes: 195aae321c82 ("r8152: support new chips")
+Signed-off-by: Hayes Wang <hayeswang@realtek.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index d3da350777a4d..3364e54c177ff 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -6584,6 +6584,21 @@ static bool rtl8153_in_nway(struct r8152 *tp)
+ return true;
+ }
+
++static void r8156_mdio_force_mode(struct r8152 *tp)
++{
++ u16 data;
++
++ /* Select force mode through 0xa5b4 bit 15
++ * 0: MDIO force mode
++ * 1: MMD force mode
++ */
++ data = ocp_reg_read(tp, 0xa5b4);
++ if (data & BIT(15)) {
++ data &= ~BIT(15);
++ ocp_reg_write(tp, 0xa5b4, data);
++ }
++}
++
+ static void set_carrier(struct r8152 *tp)
+ {
+ struct net_device *netdev = tp->netdev;
+@@ -8016,6 +8031,7 @@ static void r8156_init(struct r8152 *tp)
+ ocp_data |= ACT_ODMA;
+ ocp_write_byte(tp, MCU_TYPE_USB, USB_BMU_CONFIG, ocp_data);
+
++ r8156_mdio_force_mode(tp);
+ rtl_tally_reset(tp);
+
+ tp->coalesce = 15000; /* 15 us */
+@@ -8145,6 +8161,7 @@ static void r8156b_init(struct r8152 *tp)
+ ocp_data &= ~(RX_AGG_DISABLE | RX_ZERO_EN);
+ ocp_write_word(tp, MCU_TYPE_USB, USB_USB_CTRL, ocp_data);
+
++ r8156_mdio_force_mode(tp);
+ rtl_tally_reset(tp);
+
+ tp->coalesce = 15000; /* 15 us */
+--
+2.34.1
+
--- /dev/null
+From 0206da4cc6f540ba8bb0d3042695818f666ffe72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Dec 2021 22:06:55 +0800
+Subject: RDMA/hns: Fix RNR retransmission issue for HIP08
+
+From: Yangyang Li <liyangyang20@huawei.com>
+
+[ Upstream commit 4ad8181426df92976feee5fbc55236293d069b37 ]
+
+Due to the discrete nature of the HIP08 timer unit, a requester might
+finish the timeout period sooner, in elapsed real time, than its responder
+does, even when both sides share the identical RNR timeout length included
+in the RNR Nak packet and the responder indeed starts the timing prior to
+the requester. Furthermore, if a 'providential' resend packet arrived
+before the responder's timeout period expired, the responder is certainly
+entitled to drop the packet silently in the light of IB protocol.
+
+To address this problem, our team made good use of certain hardware facts:
+
+1) The timing resolution regards the transmission arrangements is 1
+ microsecond, e.g. if cq_period field is set to 3, it would be
+ interpreted as 3 microsecond by hardware
+
+2) A QPC field shall inform the hardware how many timing unit (ticks)
+ constitutes a full microsecond, which, by default, is 1000
+
+3) It takes 14ns for the processor to handle a packet in the buffer, so
+ the RNR timeout length of 10ns would ensure our processing mechanism is
+ disabled during the entire timeout period and the packet won't be
+ dropped silently
+
+To achieve (3), we permanently set the QPC field mentioned in (2) to zero
+which nominally indicates every time tick is equivalent to a microsecond
+in wall-clock time; now, a RNR timeout period at face value of 10 would
+only last 10 ticks, which is 10ns in wall-clock time.
+
+It's worth noting that we adapt the driver by magnifying certain
+configuration parameters(cq_period, eq_period and ack_timeout)by 1000
+given the user assumes the configuring timing unit to be microseconds.
+
+Also, this particular improvisation is only deployed on HIP08 since other
+hardware has already solved this issue.
+
+Fixes: cfc85f3e4b7f ("RDMA/hns: Add profile support for hip08 driver")
+Link: https://lore.kernel.org/r/20211209140655.49493-1-liangwenpeng@huawei.com
+Signed-off-by: Yangyang Li <liyangyang20@huawei.com>
+Signed-off-by: Wenpeng Liang <liangwenpeng@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 64 +++++++++++++++++++---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 8 +++
+ 2 files changed, 65 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 51dd134952e77..96fe73ba689c1 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -1604,11 +1604,17 @@ static int hns_roce_config_global_param(struct hns_roce_dev *hr_dev)
+ {
+ struct hns_roce_cmq_desc desc;
+ struct hns_roce_cmq_req *req = (struct hns_roce_cmq_req *)desc.data;
++ u32 clock_cycles_of_1us;
+
+ hns_roce_cmq_setup_basic_desc(&desc, HNS_ROCE_OPC_CFG_GLOBAL_PARAM,
+ false);
+
+- hr_reg_write(req, CFG_GLOBAL_PARAM_1US_CYCLES, 0x3e8);
++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08)
++ clock_cycles_of_1us = HNS_ROCE_1NS_CFG;
++ else
++ clock_cycles_of_1us = HNS_ROCE_1US_CFG;
++
++ hr_reg_write(req, CFG_GLOBAL_PARAM_1US_CYCLES, clock_cycles_of_1us);
+ hr_reg_write(req, CFG_GLOBAL_PARAM_UDP_PORT, ROCE_V2_UDP_DPORT);
+
+ return hns_roce_cmq_send(hr_dev, &desc, 1);
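Review bot: For every revision other than HIP08, the value written to CFG_GLOBAL_PARAM_1US_CYCLES changes from the removed literal `0x3e8` (1000) to `HNS_ROCE_1US_CFG`, which the header hunk defines as 999. The description says the workaround is deployed only on HIP08 and names 1000 as the default. If the field is encoded as cycles minus one the change is intended, but it then needs a comment beside the define, e.g. `/* register holds (clock cycles per 1us) - 1 */`. If not, non-HIP08 hardware gets a silently altered time base and the define should stay at `0x3e8`. The function starts outside the hunk.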
+@@ -4812,6 +4818,30 @@ static int hns_roce_v2_set_abs_fields(struct ib_qp *ibqp,
+ return ret;
+ }
+
++static bool check_qp_timeout_cfg_range(struct hns_roce_dev *hr_dev, u8 *timeout)
++{
++#define QP_ACK_TIMEOUT_MAX_HIP08 20
++#define QP_ACK_TIMEOUT_OFFSET 10
++#define QP_ACK_TIMEOUT_MAX 31
++
++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) {
++ if (*timeout > QP_ACK_TIMEOUT_MAX_HIP08) {
++ ibdev_warn(&hr_dev->ib_dev,
++ "Local ACK timeout shall be 0 to 20.\n");
++ return false;
++ }
++ *timeout += QP_ACK_TIMEOUT_OFFSET;
++ } else if (hr_dev->pci_dev->revision > PCI_REVISION_ID_HIP08) {
++ if (*timeout > QP_ACK_TIMEOUT_MAX) {
++ ibdev_warn(&hr_dev->ib_dev,
++ "Local ACK timeout shall be 0 to 31.\n");
++ return false;
++ }
++ }
++
++ return true;
++}
++
+ static int hns_roce_v2_set_opt_fields(struct ib_qp *ibqp,
+ const struct ib_qp_attr *attr,
+ int attr_mask,
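Review bot: check_qp_timeout_cfg_range() returns true without any range check when the revision is below PCI_REVISION_ID_HIP08, because the second branch is `else if (hr_dev->pci_dev->revision > PCI_REVISION_ID_HIP08)`. The code it replaces (removed in the next hunk) bounded the timeout for every revision. If no lower revision can reach this driver, the branch can simply be `} else {`, which keeps the upper bound enforced on every path before the value is written to QPC_AT. The three `#define`s placed inside the function body also remain defined for the rest of the file. They would sit better beside the other HNS_ROCE_ constants this commit adds to the header.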
+@@ -4821,6 +4851,7 @@ static int hns_roce_v2_set_opt_fields(struct ib_qp *ibqp,
+ struct hns_roce_dev *hr_dev = to_hr_dev(ibqp->device);
+ struct hns_roce_qp *hr_qp = to_hr_qp(ibqp);
+ int ret = 0;
++ u8 timeout;
+
+ if (attr_mask & IB_QP_AV) {
+ ret = hns_roce_v2_set_path(ibqp, attr, attr_mask, context,
+@@ -4830,12 +4861,10 @@ static int hns_roce_v2_set_opt_fields(struct ib_qp *ibqp,
+ }
+
+ if (attr_mask & IB_QP_TIMEOUT) {
+- if (attr->timeout < 31) {
+- hr_reg_write(context, QPC_AT, attr->timeout);
++ timeout = attr->timeout;
++ if (check_qp_timeout_cfg_range(hr_dev, &timeout)) {
++ hr_reg_write(context, QPC_AT, timeout);
+ hr_reg_clear(qpc_mask, QPC_AT);
+- } else {
+- ibdev_warn(&hr_dev->ib_dev,
+- "Local ACK timeout shall be 0 to 30.\n");
+ }
+ }
+
+@@ -4892,7 +4921,9 @@ static int hns_roce_v2_set_opt_fields(struct ib_qp *ibqp,
+ set_access_flags(hr_qp, context, qpc_mask, attr, attr_mask);
+
+ if (attr_mask & IB_QP_MIN_RNR_TIMER) {
+- hr_reg_write(context, QPC_MIN_RNR_TIME, attr->min_rnr_timer);
++ hr_reg_write(context, QPC_MIN_RNR_TIME,
++ hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08 ?
++ HNS_ROCE_RNR_TIMER_10NS : attr->min_rnr_timer);
+ hr_reg_clear(qpc_mask, QPC_MIN_RNR_TIME);
+ }
+
+@@ -5509,6 +5540,16 @@ static int hns_roce_v2_modify_cq(struct ib_cq *cq, u16 cq_count, u16 cq_period)
+
+ hr_reg_write(cq_context, CQC_CQ_MAX_CNT, cq_count);
+ hr_reg_clear(cqc_mask, CQC_CQ_MAX_CNT);
++
++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) {
++ if (cq_period * HNS_ROCE_CLOCK_ADJUST > USHRT_MAX) {
++ dev_info(hr_dev->dev,
++ "cq_period(%u) reached the upper limit, adjusted to 65.\n",
++ cq_period);
++ cq_period = HNS_ROCE_MAX_CQ_PERIOD;
++ }
++ cq_period *= HNS_ROCE_CLOCK_ADJUST;
++ }
+ hr_reg_write(cq_context, CQC_CQ_PERIOD, cq_period);
+ hr_reg_clear(cqc_mask, CQC_CQ_PERIOD);
+
+@@ -5904,6 +5945,15 @@ static int config_eqc(struct hns_roce_dev *hr_dev, struct hns_roce_eq *eq,
+ hr_reg_write(eqc, EQC_EQ_PROD_INDX, HNS_ROCE_EQ_INIT_PROD_IDX);
+ hr_reg_write(eqc, EQC_EQ_MAX_CNT, eq->eq_max_cnt);
+
++ if (hr_dev->pci_dev->revision == PCI_REVISION_ID_HIP08) {
++ if (eq->eq_period * HNS_ROCE_CLOCK_ADJUST > USHRT_MAX) {
++ dev_info(hr_dev->dev, "eq_period(%u) reached the upper limit, adjusted to 65.\n",
++ eq->eq_period);
++ eq->eq_period = HNS_ROCE_MAX_EQ_PERIOD;
++ }
++ eq->eq_period *= HNS_ROCE_CLOCK_ADJUST;
++ }
++
+ hr_reg_write(eqc, EQC_EQ_PERIOD, eq->eq_period);
+ hr_reg_write(eqc, EQC_EQE_REPORT_TIMER, HNS_ROCE_EQ_INIT_REPORT_TIMER);
+ hr_reg_write(eqc, EQC_EQE_BA_L, bt_ba >> 3);
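Review bot: The HIP08 scaling is applied to the stored field, `eq->eq_period *= HNS_ROCE_CLOCK_ADJUST;`, so the struct no longer holds the value that was configured. A second config_eqc() call on the same eq without re-initialising eq_period would clamp or scale it again (whether that can happen is not visible here). The modify_cq hunk above scales a by-value parameter and has no such side effect. Copying `eq->eq_period` into a local, clamping and multiplying the local, and passing it to `hr_reg_write(eqc, EQC_EQ_PERIOD, ...)` keeps the stored setting intact. config_eqc() starts and ends outside the hunk.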
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+index 4d904d5e82be4..35c61da7ba156 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+@@ -1444,6 +1444,14 @@ struct hns_roce_dip {
+ struct list_head node; /* all dips are on a list */
+ };
+
++/* only for RNR timeout issue of HIP08 */
++#define HNS_ROCE_CLOCK_ADJUST 1000
++#define HNS_ROCE_MAX_CQ_PERIOD 65
++#define HNS_ROCE_MAX_EQ_PERIOD 65
++#define HNS_ROCE_RNR_TIMER_10NS 1
++#define HNS_ROCE_1US_CFG 999
++#define HNS_ROCE_1NS_CFG 0
++
+ #define HNS_ROCE_AEQ_DEFAULT_BURST_NUM 0x0
+ #define HNS_ROCE_AEQ_DEFAULT_INTERVAL 0x0
+ #define HNS_ROCE_CEQ_DEFAULT_BURST_NUM 0x0
+--
+2.34.1
+
--- /dev/null
+From 108ac57dcbbdd1dd953ff6b442fff1986749f251 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Dec 2021 01:42:34 -0800
+Subject: RDMA/hns: Replace kfree() with kvfree()
+
+From: Jiacheng Shi <billsjc@sjtu.edu.cn>
+
+[ Upstream commit 12d3bbdd6bd2780b71cc466f3fbc6eb7d43bbc2a ]
+
+Variables allocated by kvmalloc_array() should not be freed by kfree.
+Because they may be allocated by vmalloc. So we replace kfree() with
+kvfree() here.
+
+Fixes: 6fd610c5733d ("RDMA/hns: Support 0 hop addressing for SRQ buffer")
+Link: https://lore.kernel.org/r/20211210094234.5829-1-billsjc@sjtu.edu.cn
+Signed-off-by: Jiacheng Shi <billsjc@sjtu.edu.cn>
+Acked-by: Wenpeng Liang <liangwenpeng@huawei.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_srq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_srq.c b/drivers/infiniband/hw/hns/hns_roce_srq.c
+index 6eee9deadd122..e64ef6903fb4f 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_srq.c
++++ b/drivers/infiniband/hw/hns/hns_roce_srq.c
+@@ -259,7 +259,7 @@ static int alloc_srq_wrid(struct hns_roce_dev *hr_dev, struct hns_roce_srq *srq)
+
+ static void free_srq_wrid(struct hns_roce_srq *srq)
+ {
+- kfree(srq->wrid);
++ kvfree(srq->wrid);
+ srq->wrid = NULL;
+ }
+
+--
+2.34.1
+
hid-potential-dereference-of-null-pointer.patch
nfsd-fix-readdir-buffer-overflow.patch
pm-sleep-fix-error-handling-in-dpm_prepare.patch
+arm64-dts-allwinner-orangepi-zero-plus-fix-phy-mode.patch
+bus-sunxi-rsb-fix-shutdown.patch
+spi-change-clk_disable_unprepare-to-clk_unprepare.patch
+ucounts-fix-rlimit-max-values-check.patch
+drm-mediatek-hdmi-perform-null-pointer-check-for-mtk.patch
+asoc-meson-aiu-fifo-add-missing-dma_coerce_mask_and_.patch
+rdma-hns-fix-rnr-retransmission-issue-for-hip08.patch
+ib-qib-fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
+rdma-hns-replace-kfree-with-kvfree.patch
+netfilter-nf_tables-fix-use-after-free-in-nft_set_ca.patch
+netfilter-fix-regression-in-looped-broad-multi-cast-.patch
+arm-dts-imx6qdl-wandboard-fix-ethernet-support.patch
+ice-use-xdp_buf-instead-of-rx_buf-for-xsk-zero-copy.patch
+ice-xsk-return-xsk-buffers-back-to-pool-when-cleanin.patch
+net-marvell-prestera-fix-incorrect-return-of-port_fi.patch
+net-marvell-prestera-fix-incorrect-structure-access.patch
+qlcnic-potential-dereference-null-pointer-of-rx_queu.patch
+tcp-move-inet-rx_dst_ifindex-to-sk-sk_rx_dst_ifindex.patch
+ipv6-move-inet6_sk-sk-rx_dst_cookie-to-sk-sk_rx_dst_.patch
+inet-fully-convert-sk-sk_rx_dst-to-rcu-rules.patch
+net-accept-ufov6-packages-in-virtio_net_hdr_to_skb.patch
+net-skip-virtio_net_hdr_set_proto-if-protocol-alread.patch
+igb-fix-deadlock-caused-by-taking-rtnl-in-rpm-resume.patch
+ipmi-fix-uaf-when-uninstall-ipmi_si-and-ipmi_msghand.patch
+gpio-virtio-remove-timeout.patch
+bonding-fix-ad_actor_system-option-setting-to-defaul.patch
+fjes-check-for-error-irq.patch
+drivers-net-smc911x-check-for-error-irq.patch
+net-ks8851-check-for-error-irq.patch
+sfc-check-null-pointer-of-rx_queue-page_ring.patch
+sfc-falcon-check-null-pointer-of-rx_queue-page_ring.patch
+asix-fix-uninit-value-in-asix_mdio_read.patch
+asix-fix-wrong-return-value-in-asix_check_host_enabl.patch
+io_uring-zero-iocb-ki_pos-for-stream-file-types.patch
+veth-ensure-skb-entering-gro-are-not-cloned.patch
+net-stmmac-ptp-fix-potentially-overflowing-expressio.patch
+net-bridge-use-array_size-helper-in-copy_to_user.patch
+net-bridge-fix-ioctl-old_deviceless-bridge-argument.patch
+r8152-fix-the-force-speed-doesn-t-work-for-rtl8156.patch
+net-stmmac-dwmac-visconti-fix-value-of-ether_clk_sel.patch
--- /dev/null
+From 91e28b3c2e54560582c59471c84dfc698d27ca1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Dec 2021 21:56:03 +0800
+Subject: sfc: Check null pointer of rx_queue->page_ring
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit bdf1b5c3884f6a0dc91b0dbdb8c3b7d205f449e0 ]
+
+Because of the possible failure of the kcalloc, it should be better to
+set rx_queue->page_ptr_mask to 0 when it happens in order to maintain
+the consistency.
+
+Fixes: 5a6681e22c14 ("sfc: separate out SFC4000 ("Falcon") support into new sfc-falcon driver")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Acked-by: Martin Habets <habetsm.xilinx@gmail.com>
+Link: https://lore.kernel.org/r/20211220135603.954944-1-jiasheng@iscas.ac.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/rx_common.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sfc/rx_common.c b/drivers/net/ethernet/sfc/rx_common.c
+index 68fc7d317693b..0983abc0cc5f0 100644
+--- a/drivers/net/ethernet/sfc/rx_common.c
++++ b/drivers/net/ethernet/sfc/rx_common.c
+@@ -150,7 +150,10 @@ static void efx_init_rx_recycle_ring(struct efx_rx_queue *rx_queue)
+ efx->rx_bufs_per_page);
+ rx_queue->page_ring = kcalloc(page_ring_size,
+ sizeof(*rx_queue->page_ring), GFP_KERNEL);
+- rx_queue->page_ptr_mask = page_ring_size - 1;
++ if (!rx_queue->page_ring)
++ rx_queue->page_ptr_mask = 0;
++ else
++ rx_queue->page_ptr_mask = page_ring_size - 1;
+ }
+
+ static void efx_fini_rx_recycle_ring(struct efx_rx_queue *rx_queue)
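Review bot: Setting `rx_queue->page_ptr_mask = 0` when kcalloc() fails does not by itself prevent a NULL dereference. Any user that indexes `rx_queue->page_ring[index & rx_queue->page_ptr_mask]` still touches element 0 of a NULL array unless it tests `rx_queue->page_ring` first, and no such test is visible in this hunk. Because efx_init_rx_recycle_ring() returns void the failure cannot be reported to the caller, so the ring's users need a guard such as `if (unlikely(!rx_queue->page_ring)) return NULL;` (the exact shape depends on those callers, which are outside the hunk). The same applies to ef4_init_rx_recycle_ring() in drivers/net/ethernet/sfc/falcon/rx.c in the following patch. The function body starts outside this hunk.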
+--
+2.34.1
+
--- /dev/null
+From c5b4fa116b97a36a7f18515d7491417aa0084372 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Dec 2021 22:03:44 +0800
+Subject: sfc: falcon: Check null pointer of rx_queue->page_ring
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+[ Upstream commit 9b8bdd1eb5890aeeab7391dddcf8bd51f7b07216 ]
+
+Because of the possible failure of the kcalloc, it should be better to
+set rx_queue->page_ptr_mask to 0 when it happens in order to maintain
+the consistency.
+
+Fixes: 5a6681e22c14 ("sfc: separate out SFC4000 ("Falcon") support into new sfc-falcon driver")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Acked-by: Martin Habets <habetsm.xilinx@gmail.com>
+Link: https://lore.kernel.org/r/20211220140344.978408-1-jiasheng@iscas.ac.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sfc/falcon/rx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sfc/falcon/rx.c b/drivers/net/ethernet/sfc/falcon/rx.c
+index 966f13e7475dd..11a6aee852e92 100644
+--- a/drivers/net/ethernet/sfc/falcon/rx.c
++++ b/drivers/net/ethernet/sfc/falcon/rx.c
+@@ -728,7 +728,10 @@ static void ef4_init_rx_recycle_ring(struct ef4_nic *efx,
+ efx->rx_bufs_per_page);
+ rx_queue->page_ring = kcalloc(page_ring_size,
+ sizeof(*rx_queue->page_ring), GFP_KERNEL);
+- rx_queue->page_ptr_mask = page_ring_size - 1;
++ if (!rx_queue->page_ring)
++ rx_queue->page_ptr_mask = 0;
++ else
++ rx_queue->page_ptr_mask = page_ring_size - 1;
+ }
+
+ void ef4_init_rx_queue(struct ef4_rx_queue *rx_queue)
+--
+2.34.1
+
--- /dev/null
+From 7661f4d2b68238a99b144573f35447d273261aa4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Dec 2021 18:19:31 +0800
+Subject: spi: change clk_disable_unprepare to clk_unprepare
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit db6689b643d8653092f5853751ea2cdbc299f8d3 ]
+
+The corresponding API for clk_prepare is clk_unprepare, other than
+clk_disable_unprepare.
+
+Fix this by changing clk_disable_unprepare to clk_unprepare.
+
+Fixes: 5762ab71eb24 ("spi: Add support for Armada 3700 SPI Controller")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Link: https://lore.kernel.org/r/20211206101931.2816597-1-mudongliangabcd@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-armada-3700.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-armada-3700.c b/drivers/spi/spi-armada-3700.c
+index 46feafe4e201c..d8cc4b270644a 100644
+--- a/drivers/spi/spi-armada-3700.c
++++ b/drivers/spi/spi-armada-3700.c
+@@ -901,7 +901,7 @@ static int a3700_spi_probe(struct platform_device *pdev)
+ return 0;
+
+ error_clk:
+- clk_disable_unprepare(spi->clk);
++ clk_unprepare(spi->clk);
+ error:
+ spi_master_put(master);
+ out:
+--
+2.34.1
+
--- /dev/null
+From 588312972ff2632370aef1e5611a6a438e3dda75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Oct 2021 09:48:16 -0700
+Subject: tcp: move inet->rx_dst_ifindex to sk->sk_rx_dst_ifindex
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 0c0a5ef809f9150e9229e7b13e43183b681b7a39 ]
+
+Increase cache locality by moving rx_dst_ifindex next to sk->sk_rx_dst
+
+This is part of an effort to reduce cache line misses in TCP fast path.
+
+This removes one cache line miss in early demux.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/inet_sock.h | 3 +--
+ include/net/sock.h | 3 +++
+ net/ipv4/tcp_ipv4.c | 6 +++---
+ net/ipv6/tcp_ipv6.c | 6 +++---
+ 4 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
+index 89163ef8cf4be..9e1111f5915bd 100644
+--- a/include/net/inet_sock.h
++++ b/include/net/inet_sock.h
+@@ -207,11 +207,10 @@ struct inet_sock {
+ __be32 inet_saddr;
+ __s16 uc_ttl;
+ __u16 cmsg_flags;
++ struct ip_options_rcu __rcu *inet_opt;
+ __be16 inet_sport;
+ __u16 inet_id;
+
+- struct ip_options_rcu __rcu *inet_opt;
+- int rx_dst_ifindex;
+ __u8 tos;
+ __u8 min_ttl;
+ __u8 mc_ttl;
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 7ac5075f9c18a..752601265a955 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -259,6 +259,7 @@ struct bpf_local_storage;
+ * @sk_rcvbuf: size of receive buffer in bytes
+ * @sk_wq: sock wait queue and async head
+ * @sk_rx_dst: receive input route used by early demux
++ * @sk_rx_dst_ifindex: ifindex for @sk_rx_dst
+ * @sk_dst_cache: destination cache
+ * @sk_dst_pending_confirm: need to confirm neighbour
+ * @sk_policy: flow policy
+@@ -431,6 +432,8 @@ struct sock {
+ struct xfrm_policy __rcu *sk_policy[2];
+ #endif
+ struct dst_entry *sk_rx_dst;
++ int sk_rx_dst_ifindex;
++
+ struct dst_entry __rcu *sk_dst_cache;
+ atomic_t sk_omem_alloc;
+ int sk_sndbuf;
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index 5b8ce65dfc067..f6838eec6ef73 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -1703,7 +1703,7 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
+ sock_rps_save_rxhash(sk, skb);
+ sk_mark_napi_id(sk, skb);
+ if (dst) {
+- if (inet_sk(sk)->rx_dst_ifindex != skb->skb_iif ||
++ if (sk->sk_rx_dst_ifindex != skb->skb_iif ||
+ !INDIRECT_CALL_1(dst->ops->check, ipv4_dst_check,
+ dst, 0)) {
+ dst_release(dst);
+@@ -1788,7 +1788,7 @@ int tcp_v4_early_demux(struct sk_buff *skb)
+ if (dst)
+ dst = dst_check(dst, 0);
+ if (dst &&
+- inet_sk(sk)->rx_dst_ifindex == skb->skb_iif)
++ sk->sk_rx_dst_ifindex == skb->skb_iif)
+ skb_dst_set_noref(skb, dst);
+ }
+ }
+@@ -2201,7 +2201,7 @@ void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
+
+ if (dst && dst_hold_safe(dst)) {
+ sk->sk_rx_dst = dst;
+- inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
++ sk->sk_rx_dst_ifindex = skb->skb_iif;
+ }
+ }
+ EXPORT_SYMBOL(inet_sk_rx_dst_set);
+diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
+index b03dd02c9f13c..c72586ee517ba 100644
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -108,7 +108,7 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
+ const struct rt6_info *rt = (const struct rt6_info *)dst;
+
+ sk->sk_rx_dst = dst;
+- inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
++ sk->sk_rx_dst_ifindex = skb->skb_iif;
+ tcp_inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt);
+ }
+ }
+@@ -1509,7 +1509,7 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
+ sock_rps_save_rxhash(sk, skb);
+ sk_mark_napi_id(sk, skb);
+ if (dst) {
+- if (inet_sk(sk)->rx_dst_ifindex != skb->skb_iif ||
++ if (sk->sk_rx_dst_ifindex != skb->skb_iif ||
+ INDIRECT_CALL_1(dst->ops->check, ip6_dst_check,
+ dst, np->rx_dst_cookie) == NULL) {
+ dst_release(dst);
+@@ -1880,7 +1880,7 @@ INDIRECT_CALLABLE_SCOPE void tcp_v6_early_demux(struct sk_buff *skb)
+ if (dst)
+ dst = dst_check(dst, tcp_inet6_sk(sk)->rx_dst_cookie);
+ if (dst &&
+- inet_sk(sk)->rx_dst_ifindex == skb->skb_iif)
++ sk->sk_rx_dst_ifindex == skb->skb_iif)
+ skb_dst_set_noref(skb, dst);
+ }
+ }
+--
+2.34.1
+
--- /dev/null
+From 7642731ec5f4b2f775a7204f60b91caec58aa6a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Nov 2021 21:37:25 +0100
+Subject: ucounts: Fix rlimit max values check
+
+From: Alexey Gladkov <legion@kernel.org>
+
+[ Upstream commit 59ec71575ab440cd5ca0aa53b2a2985b3639fad4 ]
+
+The semantics of the rlimit max values differs from ucounts itself. When
+creating a new userns, we store the current rlimit of the process in
+ucount_max. Thus, the value of the limit in the parent userns is saved
+in the created one.
+
+The problem is that now we are taking the maximum value for counter from
+the same userns. So for init_user_ns it will always be RLIM_INFINITY.
+
+To fix the problem we need to check the counter value with the max value
+stored in userns.
+
+Reproducer:
+
+su - test -c "ulimit -u 3; sleep 5 & sleep 6 & unshare -U --map-root-user sh -c 'sleep 7 & sleep 8 & date; wait'"
+
+Before:
+
+[1] 175
+[2] 176
+Fri Nov 26 13:48:20 UTC 2021
+[1]- Done sleep 5
+[2]+ Done sleep 6
+
+After:
+
+[1] 167
+[2] 168
+sh: fork: retry: Resource temporarily unavailable
+sh: fork: retry: Resource temporarily unavailable
+sh: fork: retry: Resource temporarily unavailable
+sh: fork: retry: Resource temporarily unavailable
+sh: fork: retry: Resource temporarily unavailable
+sh: fork: retry: Resource temporarily unavailable
+sh: fork: retry: Resource temporarily unavailable
+sh: fork: Interrupted system call
+[1]- Done sleep 5
+[2]+ Done sleep 6
+
+Fixes: c54b245d0118 ("Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace")
+Reported-by: Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Alexey Gladkov <legion@kernel.org>
+Link: https://lkml.kernel.org/r/024ec805f6e16896f0b23e094773790d171d2c1c.1638218242.git.legion@kernel.org
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/ucount.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/ucount.c b/kernel/ucount.c
+index eb03f3c68375d..16feb710ee638 100644
+--- a/kernel/ucount.c
++++ b/kernel/ucount.c
+@@ -258,15 +258,16 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type)
+ long inc_rlimit_ucounts(struct ucounts *ucounts, enum ucount_type type, long v)
+ {
+ struct ucounts *iter;
++ long max = LONG_MAX;
+ long ret = 0;
+
+ for (iter = ucounts; iter; iter = iter->ns->ucounts) {
+- long max = READ_ONCE(iter->ns->ucount_max[type]);
+ long new = atomic_long_add_return(v, &iter->ucount[type]);
+ if (new < 0 || new > max)
+ ret = LONG_MAX;
+ else if (iter == ucounts)
+ ret = new;
++ max = READ_ONCE(iter->ns->ucount_max[type]);
+ }
+ return ret;
+ }
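Review bot: In `inc_rlimit_ucounts` the assignment `max = READ_ONCE(iter->ns->ucount_max[type]);` now sits at the end of the loop body with nothing to explain why, and that ordering is the whole fix. It means each level's counter is compared with the limit stored in the namespace below it, and the first level is compared only with `LONG_MAX`, so a later tidy-up that moves the read back to the top would silently restore the bypass shown in the reproducer. I would add above the assignment `/* ucount_max of this ns holds the parent's rlimit: it bounds the next iter, not this one */`. The function comment should also state that the rlimit for `ucounts` itself is not applied here and that callers must compare the returned value with their own limit (presumably they already do; the callers are not in this diff). The same ordering and comment apply to `inc_rlimit_get_ucounts` in the next hunk.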
+@@ -306,15 +307,16 @@ long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum ucount_type type)
+ {
+ /* Caller must hold a reference to ucounts */
+ struct ucounts *iter;
++ long max = LONG_MAX;
+ long dec, ret = 0;
+
+ for (iter = ucounts; iter; iter = iter->ns->ucounts) {
+- long max = READ_ONCE(iter->ns->ucount_max[type]);
+ long new = atomic_long_add_return(1, &iter->ucount[type]);
+ if (new < 0 || new > max)
+ goto unwind;
+ if (iter == ucounts)
+ ret = new;
++ max = READ_ONCE(iter->ns->ucount_max[type]);
+ /*
+ * Grab an extra ucount reference for the caller when
+ * the rlimit count was previously 0.
+@@ -333,15 +335,16 @@ unwind:
+ return 0;
+ }
+
+-bool is_ucounts_overlimit(struct ucounts *ucounts, enum ucount_type type, unsigned long max)
++bool is_ucounts_overlimit(struct ucounts *ucounts, enum ucount_type type, unsigned long rlimit)
+ {
+ struct ucounts *iter;
+- if (get_ucounts_value(ucounts, type) > max)
+- return true;
++ long max = rlimit;
++ if (rlimit > LONG_MAX)
++ max = LONG_MAX;
+ for (iter = ucounts; iter; iter = iter->ns->ucounts) {
+- max = READ_ONCE(iter->ns->ucount_max[type]);
+ if (get_ucounts_value(iter, type) > max)
+ return true;
++ max = READ_ONCE(iter->ns->ucount_max[type]);
+ }
+ return false;
+ }
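Review bot: `is_ucounts_overlimit` now compares against a signed `long max` but, unlike the two increment helpers earlier in this patch, has no `< 0` test, so a counter that has wrapped negative would be reported as within the limit. With the old `unsigned long max`, a negative value would have converted to a very large unsigned number and tripped the check, assuming `get_ucounts_value()` returns a signed long (its definition is not in this diff). Reading the value once and testing both bounds keeps the three functions consistent: `long val = get_ucounts_value(iter, type);` followed by `if (val < 0 || val > max) return true;`. The clamp would also read more clearly as a single initialiser, `long max = rlimit > LONG_MAX ? LONG_MAX : (long)rlimit;`, which avoids first storing an out-of-range value in `max`.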
+--
+2.34.1
+
--- /dev/null
+From 5a30d07c8ccabed22a09243d8caefe5d44454d86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Dec 2021 19:39:52 +0100
+Subject: veth: ensure skb entering GRO are not cloned.
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 9695b7de5b4760ed22132aca919570c0190cb0ce ]
+
+After commit d3256efd8e8b ("veth: allow enabling NAPI even without XDP"),
+if GRO is enabled on a veth device and TSO is disabled on the peer
+device, TCP skbs will go through the NAPI callback. If there is no XDP
+program attached, the veth code does not perform any share check, and
+shared/cloned skbs could enter the GRO engine.
+
+Ignat reported a BUG triggered later-on due to the above condition:
+
+[ 53.970529][ C1] kernel BUG at net/core/skbuff.c:3574!
+[ 53.981755][ C1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
+[ 53.982634][ C1] CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc5+ #25
+[ 53.982634][ C1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+[ 53.982634][ C1] RIP: 0010:skb_shift+0x13ef/0x23b0
+[ 53.982634][ C1] Code: ea 03 0f b6 04 02 48 89 fa 83 e2 07 38 d0
+7f 08 84 c0 0f 85 41 0c 00 00 41 80 7f 02 00 4d 8d b5 d0 00 00 00 0f
+85 74 f5 ff ff <0f> 0b 4d 8d 77 20 be 04 00 00 00 4c 89 44 24 78 4c 89
+f7 4c 89 8c
+[ 53.982634][ C1] RSP: 0018:ffff8881008f7008 EFLAGS: 00010246
+[ 53.982634][ C1] RAX: 0000000000000000 RBX: ffff8881180b4c80 RCX: 0000000000000000
+[ 53.982634][ C1] RDX: 0000000000000002 RSI: ffff8881180b4d3c RDI: ffff88810bc9cac2
+[ 53.982634][ C1] RBP: ffff8881008f70b8 R08: ffff8881180b4cf4 R09: ffff8881180b4cf0
+[ 53.982634][ C1] R10: ffffed1022999e5c R11: 0000000000000002 R12: 0000000000000590
+[ 53.982634][ C1] R13: ffff88810f940c80 R14: ffff88810f940d50 R15: ffff88810bc9cac0
+[ 53.982634][ C1] FS: 0000000000000000(0000) GS:ffff888235880000(0000) knlGS:0000000000000000
+[ 53.982634][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 53.982634][ C1] CR2: 00007ff5f9b86680 CR3: 0000000108ce8004 CR4: 0000000000170ee0
+[ 53.982634][ C1] Call Trace:
+[ 53.982634][ C1] <TASK>
+[ 53.982634][ C1] tcp_sacktag_walk+0xaba/0x18e0
+[ 53.982634][ C1] tcp_sacktag_write_queue+0xe7b/0x3460
+[ 53.982634][ C1] tcp_ack+0x2666/0x54b0
+[ 53.982634][ C1] tcp_rcv_established+0x4d9/0x20f0
+[ 53.982634][ C1] tcp_v4_do_rcv+0x551/0x810
+[ 53.982634][ C1] tcp_v4_rcv+0x22ed/0x2ed0
+[ 53.982634][ C1] ip_protocol_deliver_rcu+0x96/0xaf0
+[ 53.982634][ C1] ip_local_deliver_finish+0x1e0/0x2f0
+[ 53.982634][ C1] ip_sublist_rcv_finish+0x211/0x440
+[ 53.982634][ C1] ip_list_rcv_finish.constprop.0+0x424/0x660
+[ 53.982634][ C1] ip_list_rcv+0x2c8/0x410
+[ 53.982634][ C1] __netif_receive_skb_list_core+0x65c/0x910
+[ 53.982634][ C1] netif_receive_skb_list_internal+0x5f9/0xcb0
+[ 53.982634][ C1] napi_complete_done+0x188/0x6e0
+[ 53.982634][ C1] gro_cell_poll+0x10c/0x1d0
+[ 53.982634][ C1] __napi_poll+0xa1/0x530
+[ 53.982634][ C1] net_rx_action+0x567/0x1270
+[ 53.982634][ C1] __do_softirq+0x28a/0x9ba
+[ 53.982634][ C1] run_ksoftirqd+0x32/0x60
+[ 53.982634][ C1] smpboot_thread_fn+0x559/0x8c0
+[ 53.982634][ C1] kthread+0x3b9/0x490
+[ 53.982634][ C1] ret_from_fork+0x22/0x30
+[ 53.982634][ C1] </TASK>
+
+Address the issue by skipping the GRO stage for shared or cloned skbs.
+To reduce the chance of OoO, try to unclone the skbs before giving up.
+
+v1 -> v2:
+ - use avoid skb_copy and fallback to netif_receive_skb - Eric
+
+Reported-by: Ignat Korchagin <ignat@cloudflare.com>
+Fixes: d3256efd8e8b ("veth: allow enabling NAPI even without XDP")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Tested-by: Ignat Korchagin <ignat@cloudflare.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/b5f61c5602aab01bac8d711d8d1bfab0a4817db7.1640197544.git.pabeni@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/veth.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/veth.c b/drivers/net/veth.c
+index 50eb43e5bf459..2acdb8ad6c713 100644
+--- a/drivers/net/veth.c
++++ b/drivers/net/veth.c
+@@ -879,8 +879,12 @@ static int veth_xdp_rcv(struct veth_rq *rq, int budget,
+
+ stats->xdp_bytes += skb->len;
+ skb = veth_xdp_rcv_skb(rq, skb, bq, stats);
+- if (skb)
+- napi_gro_receive(&rq->xdp_napi, skb);
++ if (skb) {
++ if (skb_shared(skb) || skb_unclone(skb, GFP_ATOMIC))
++ netif_receive_skb(skb);
++ else
++ napi_gro_receive(&rq->xdp_napi, skb);
++ }
+ }
+ done++;
+ }
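Review bot: The new branch in `veth_xdp_rcv` has no comment saying why some skbs bypass GRO, and the condition folds two cases together: an skb that is shared, and one where `skb_unclone(skb, GFP_ATOMIC)` failed. I would add above the inner `if` the comment `/* shared or cloned skbs must not enter GRO; if uncloning fails, deliver without GRO rather than drop */`. The commit message accepts that the fallback through `netif_receive_skb` can reorder packets relative to those still held in GRO, and the comment should say that the unclone attempt exists to keep that case rare, so it is not removed later as redundant. The body of `veth_xdp_rcv` starts and ends outside this hunk.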
+--
+2.34.1
+