--- /dev/null
+From b4d541cbbd9bbbbfa7285f2fd6012d94c53ee5e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 08:13:39 +0200
+Subject: alx: Fix an error handling path in 'alx_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 33e381448cf7a05d76ac0b47d4a6531ecd0e5c53 ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: ab69bde6b2e9 ("alx: add a simple AR816x/AR817x device driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/alx/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c
+index bde8ec75ac4e..bee62d7caccc 100644
+--- a/drivers/net/ethernet/atheros/alx/main.c
++++ b/drivers/net/ethernet/atheros/alx/main.c
+@@ -1852,6 +1852,7 @@ out_free_netdev:
+ free_netdev(netdev);
+ out_pci_release:
+ pci_release_mem_regions(pdev);
++ pci_disable_pcie_error_reporting(pdev);
+ out_pci_disable:
+ pci_disable_device(pdev);
+ return err;
+--
+2.30.2
+
--- /dev/null
+From 6f42e27807fe7163e930b061e183d1b4da15f330 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 May 2021 21:00:27 +0200
+Subject: batman-adv: Avoid WARN_ON timing related checks
+
+From: Sven Eckelmann <sven@narfation.org>
+
+[ Upstream commit 9f460ae31c4435fd022c443a6029352217a16ac1 ]
+
+The soft/batadv interface for a queued OGM can be changed during the time
+the OGM was queued for transmission and when the OGM is actually
+transmitted by the worker.
+
+But WARN_ON must be used to denote kernel bugs and not to print simple
+warnings. A warning can simply be printed using pr_warn.
+
+Reported-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Reported-by: syzbot+c0b807de416427ff3dd1@syzkaller.appspotmail.com
+Fixes: ef0a937f7a14 ("batman-adv: consider outgoing interface in OGM sending")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/batman-adv/bat_iv_ogm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
+index d88a4de02237..8be8a1feca84 100644
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -409,8 +409,10 @@ static void batadv_iv_ogm_emit(struct batadv_forw_packet *forw_packet)
+ if (WARN_ON(!forw_packet->if_outgoing))
+ return;
+
+- if (WARN_ON(forw_packet->if_outgoing->soft_iface != soft_iface))
++ if (forw_packet->if_outgoing->soft_iface != soft_iface) {
++ pr_warn("%s: soft interface switch for queued OGM\n", __func__);
+ return;
++ }
+
+ if (forw_packet->if_incoming->if_status != BATADV_IF_ACTIVE)
+ return;
+--
+2.30.2
+
--- /dev/null
+From 6969f0e02d2fb6dd1dbdc788a07c40d70c13384f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 20:43:37 +0200
+Subject: be2net: Fix an error handling path in 'be_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit c19c8c0e666f9259e2fc4d2fa4b9ff8e3b40ee5d ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: d6b6d9877878 ("be2net: use PCIe AER capability")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
+index 39eb7d525043..9aebb121365f 100644
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -6030,6 +6030,7 @@ drv_cleanup:
+ unmap_bars:
+ be_unmap_pci_bars(adapter);
+ free_netdev:
++ pci_disable_pcie_error_reporting(pdev);
+ free_netdev(netdev);
+ rel_reg:
+ pci_release_regions(pdev);
+--
+2.30.2
+
--- /dev/null
+From 404989e76f906a958922078b31e3b3b925f83330 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 02:07:27 -0400
+Subject: bnxt_en: Call bnxt_ethtool_free() in bnxt_init_one() error path
+
+From: Somnath Kotur <somnath.kotur@broadcom.com>
+
+[ Upstream commit 03400aaa69f916a376e11526cf591901a96a3a5c ]
+
+bnxt_ethtool_init() may have allocated some memory and we need to
+call bnxt_ethtool_free() to properly unwind if bnxt_init_one()
+fails.
+
+Fixes: 7c3809181468 ("bnxt_en: Refactor bnxt_init_one() and turn on TPA support on 57500 chips.")
+Signed-off-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index f983d03da1e4..d1c3939b0307 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -11963,6 +11963,7 @@ init_err_cleanup:
+ init_err_pci_clean:
+ bnxt_free_hwrm_short_cmd_req(bp);
+ bnxt_free_hwrm_resources(bp);
++ bnxt_ethtool_free(bp);
+ kfree(bp->fw_health);
+ bp->fw_health = NULL;
+ bnxt_cleanup_pci(bp);
+--
+2.30.2
+
--- /dev/null
+From 28a3efb75d64e514e8b83dad0c8fe8f488939042 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 02:07:25 -0400
+Subject: bnxt_en: Rediscover PHY capabilities after firmware reset
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 0afd6a4e8028cc487c240b6cfe04094e45a306e4 ]
+
+There is a missing bnxt_probe_phy() call in bnxt_fw_init_one() to
+rediscover the PHY capabilities after a firmware reset. This can cause
+some PHY related functionalities to fail after a firmware reset. For
+example, in multi-host, the ability for any host to configure the PHY
+settings may be lost after a firmware reset.
+
+Fixes: ec5d31e3c15d ("bnxt_en: Handle firmware reset status during IF_UP.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 00ae7a9a42bf..f983d03da1e4 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -10610,6 +10610,8 @@ static void bnxt_fw_init_one_p3(struct bnxt *bp)
+ bnxt_hwrm_coal_params_qcaps(bp);
+ }
+
++static int bnxt_probe_phy(struct bnxt *bp, bool fw_dflt);
++
+ static int bnxt_fw_init_one(struct bnxt *bp)
+ {
+ int rc;
+@@ -10624,6 +10626,9 @@ static int bnxt_fw_init_one(struct bnxt *bp)
+ netdev_err(bp->dev, "Firmware init phase 2 failed\n");
+ return rc;
+ }
++ rc = bnxt_probe_phy(bp, false);
++ if (rc)
++ return rc;
+ rc = bnxt_approve_mac(bp, bp->dev->dev_addr, false);
+ if (rc)
+ return rc;
+--
+2.30.2
+
--- /dev/null
+From a25af6e6a5e176ad583ab399b8eef080e043dd26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 11:29:48 +0200
+Subject: cxgb4: fix wrong shift.
+
+From: Pavel Machek <pavel@denx.de>
+
+[ Upstream commit 39eb028183bc7378bb6187067e20bf6d8c836407 ]
+
+While fixing coverity warning, commit dd2c79677375 introduced typo in
+shift value. Fix that.
+
+Signed-off-by: Pavel Machek (CIP) <pavel@denx.de>
+Fixes: dd2c79677375 ("cxgb4: Fix unintentional sign extension issues")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
+index ccb28182f745..44f86a33ef62 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
+@@ -198,7 +198,7 @@ static void set_nat_params(struct adapter *adap, struct filter_entry *f,
+ WORD_MASK, f->fs.nat_lip[3] |
+ f->fs.nat_lip[2] << 8 |
+ f->fs.nat_lip[1] << 16 |
+- (u64)f->fs.nat_lip[0] << 25, 1);
++ (u64)f->fs.nat_lip[0] << 24, 1);
+ }
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 915dd00db085e8d84f158e19e67873b6cfa1f52c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 13:04:35 +0200
+Subject: icmp: don't send out ICMP messages with a source address of 0.0.0.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit 321827477360934dc040e9d3c626bf1de6c3ab3c ]
+
+When constructing ICMP response messages, the kernel will try to pick a
+suitable source address for the outgoing packet. However, if no IPv4
+addresses are configured on the system at all, this will fail and we end up
+producing an ICMP message with a source address of 0.0.0.0. This can happen
+on a box routing IPv4 traffic via v6 nexthops, for instance.
+
+Since 0.0.0.0 is not generally routable on the internet, there's a good
+chance that such ICMP messages will never make it back to the sender of the
+original packet that the ICMP message was sent in response to. This, in
+turn, can create connectivity and PMTUd problems for senders. Fortunately,
+RFC7600 reserves a dummy address to be used as a source for ICMP
+messages (192.0.0.8/32), so let's teach the kernel to substitute that
+address as a last resort if the regular source address selection procedure
+fails.
+
+Below is a quick example reproducing this issue with network namespaces:
+
+ip netns add ns0
+ip l add type veth peer netns ns0
+ip l set dev veth0 up
+ip a add 10.0.0.1/24 dev veth0
+ip a add fc00:dead:cafe:42::1/64 dev veth0
+ip r add 10.1.0.0/24 via inet6 fc00:dead:cafe:42::2
+ip -n ns0 l set dev veth0 up
+ip -n ns0 a add fc00:dead:cafe:42::2/64 dev veth0
+ip -n ns0 r add 10.0.0.0/24 via inet6 fc00:dead:cafe:42::1
+ip netns exec ns0 sysctl -w net.ipv4.icmp_ratelimit=0
+ip netns exec ns0 sysctl -w net.ipv4.ip_forward=1
+tcpdump -tpni veth0 -c 2 icmp &
+ping -w 1 10.1.0.1 > /dev/null
+tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
+listening on veth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
+IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 29, seq 1, length 64
+IP 0.0.0.0 > 10.0.0.1: ICMP net 10.1.0.1 unreachable, length 92
+2 packets captured
+2 packets received by filter
+0 packets dropped by kernel
+
+With this patch the above capture changes to:
+IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 31127, seq 1, length 64
+IP 192.0.0.8 > 10.0.0.1: ICMP net 10.1.0.1 unreachable, length 92
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Juliusz Chroboczek <jch@irif.fr>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/in.h | 3 +++
+ net/ipv4/icmp.c | 7 +++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/include/uapi/linux/in.h b/include/uapi/linux/in.h
+index e7ad9d350a28..60e1241d4b77 100644
+--- a/include/uapi/linux/in.h
++++ b/include/uapi/linux/in.h
+@@ -284,6 +284,9 @@ struct sockaddr_in {
+ /* Address indicating an error return. */
+ #define INADDR_NONE ((unsigned long int) 0xffffffff)
+
++/* Dummy address for src of ICMP replies if no real address is set (RFC7600). */
++#define INADDR_DUMMY ((unsigned long int) 0xc0000008)
++
+ /* Network number for local host loopback. */
+ #define IN_LOOPBACKNET 127
+
+diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
+index dd8fae89be72..c88612242c89 100644
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -739,6 +739,13 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info,
+ icmp_param.data_len = room;
+ icmp_param.head_len = sizeof(struct icmphdr);
+
++ /* if we don't have a source address at this point, fall back to the
++ * dummy address instead of sending out a packet with a source address
++ * of 0.0.0.0
++ */
++ if (!fl4.saddr)
++ fl4.saddr = htonl(INADDR_DUMMY);
++
+ icmp_push_reply(&icmp_param, &fl4, &ipc, &rt);
+ ende:
+ ip_rt_put(rt);
+--
+2.30.2
+
--- /dev/null
+From 365d204973319580d48902d95b0f78ef0b1444d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 22:42:57 +0200
+Subject: lantiq: net: fix duplicated skb in rx descriptor ring
+
+From: Aleksander Jan Bajkowski <olek2@wp.pl>
+
+[ Upstream commit 7ea6cd16f1599c1eac6018751eadbc5fc736b99a ]
+
+The previous commit didn't fix the bug properly. By mistake, it replaces
+the pointer of the next skb in the descriptor ring instead of the current
+one. As a result, the two descriptors are assigned the same SKB. The error
+is seen during the iperf test when skb_put tries to insert a second packet
+and exceeds the available buffer.
+
+Fixes: c7718ee96dbc ("net: lantiq: fix memory corruption in RX ring ")
+Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/lantiq_xrx200.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/lantiq_xrx200.c b/drivers/net/ethernet/lantiq_xrx200.c
+index 8d073b895fc0..6e504854571c 100644
+--- a/drivers/net/ethernet/lantiq_xrx200.c
++++ b/drivers/net/ethernet/lantiq_xrx200.c
+@@ -154,6 +154,7 @@ static int xrx200_close(struct net_device *net_dev)
+
+ static int xrx200_alloc_skb(struct xrx200_chan *ch)
+ {
++ struct sk_buff *skb = ch->skb[ch->dma.desc];
+ dma_addr_t mapping;
+ int ret = 0;
+
+@@ -168,6 +169,7 @@ static int xrx200_alloc_skb(struct xrx200_chan *ch)
+ XRX200_DMA_DATA_LEN, DMA_FROM_DEVICE);
+ if (unlikely(dma_mapping_error(ch->priv->dev, mapping))) {
+ dev_kfree_skb_any(ch->skb[ch->dma.desc]);
++ ch->skb[ch->dma.desc] = skb;
+ ret = -ENOMEM;
+ goto skip;
+ }
+@@ -198,7 +200,6 @@ static int xrx200_hw_receive(struct xrx200_chan *ch)
+ ch->dma.desc %= LTQ_DESC_NUM;
+
+ if (ret) {
+- ch->skb[ch->dma.desc] = skb;
+ net_dev->stats.rx_dropped++;
+ netdev_err(net_dev, "failed to allocate new rx buffer\n");
+ return ret;
+--
+2.30.2
+
--- /dev/null
+From 1e62044148eb9a8ec0aff82741f00733c11193df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 07:47:15 -0700
+Subject: net/af_unix: fix a data-race in unix_dgram_sendmsg /
+ unix_release_sock
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a494bd642d9120648b06bb7d28ce6d05f55a7819 ]
+
+While unix_may_send(sk, osk) is called while osk is locked, it appears
+unix_release_sock() can overwrite unix_peer() after this lock has been
+released, making KCSAN unhappy.
+
+Changing unix_release_sock() to access/change unix_peer()
+before lock is released should fix this issue.
+
+BUG: KCSAN: data-race in unix_dgram_sendmsg / unix_release_sock
+
+write to 0xffff88810465a338 of 8 bytes by task 20852 on cpu 1:
+ unix_release_sock+0x4ed/0x6e0 net/unix/af_unix.c:558
+ unix_release+0x2f/0x50 net/unix/af_unix.c:859
+ __sock_release net/socket.c:599 [inline]
+ sock_close+0x6c/0x150 net/socket.c:1258
+ __fput+0x25b/0x4e0 fs/file_table.c:280
+ ____fput+0x11/0x20 fs/file_table.c:313
+ task_work_run+0xae/0x130 kernel/task_work.c:164
+ tracehook_notify_resume include/linux/tracehook.h:189 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
+ exit_to_user_mode_prepare+0x156/0x190 kernel/entry/common.c:209
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
+ syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:302
+ do_syscall_64+0x56/0x90 arch/x86/entry/common.c:57
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff88810465a338 of 8 bytes by task 20888 on cpu 0:
+ unix_may_send net/unix/af_unix.c:189 [inline]
+ unix_dgram_sendmsg+0x923/0x1610 net/unix/af_unix.c:1712
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350
+ ___sys_sendmsg net/socket.c:2404 [inline]
+ __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490
+ __do_sys_sendmmsg net/socket.c:2519 [inline]
+ __se_sys_sendmmsg net/socket.c:2516 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0xffff888167905400 -> 0x0000000000000000
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 20888 Comm: syz-executor.0 Not tainted 5.13.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index ecadd9e482c4..9f96826eb3ba 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -537,12 +537,14 @@ static void unix_release_sock(struct sock *sk, int embrion)
+ u->path.mnt = NULL;
+ state = sk->sk_state;
+ sk->sk_state = TCP_CLOSE;
++
++ skpair = unix_peer(sk);
++ unix_peer(sk) = NULL;
++
+ unix_state_unlock(sk);
+
+ wake_up_interruptible_all(&u->peer_wait);
+
+- skpair = unix_peer(sk);
+-
+ if (skpair != NULL) {
+ if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) {
+ unix_state_lock(skpair);
+@@ -557,7 +559,6 @@ static void unix_release_sock(struct sock *sk, int embrion)
+
+ unix_dgram_peer_wake_disconnect(sk, skpair);
+ sock_put(skpair); /* It may now die */
+- unix_peer(sk) = NULL;
+ }
+
+ /* Try to flush out this socket. Throw out buffers at least */
+--
+2.30.2
+
--- /dev/null
+From 90f480a3e0fc73b4e371f8b6fd0d4c2005b5fcc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 07:32:32 +0800
+Subject: net: cdc_eem: fix tx fixup skb leak
+
+From: Linyu Yuan <linyyuan@codeaurora.org>
+
+[ Upstream commit c3b26fdf1b32f91c7a3bc743384b4a298ab53ad7 ]
+
+when usbnet transmit a skb, eem fixup it in eem_tx_fixup(),
+if skb_copy_expand() failed, it return NULL,
+usbnet_start_xmit() will have no chance to free original skb.
+
+fix it by free orginal skb in eem_tx_fixup() first,
+then check skb clone status, if failed, return NULL to usbnet.
+
+Fixes: 9f722c0978b0 ("usbnet: CDC EEM support (v5)")
+Signed-off-by: Linyu Yuan <linyyuan@codeaurora.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_eem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/cdc_eem.c b/drivers/net/usb/cdc_eem.c
+index 0eeec80bec31..e4a570366646 100644
+--- a/drivers/net/usb/cdc_eem.c
++++ b/drivers/net/usb/cdc_eem.c
+@@ -123,10 +123,10 @@ static struct sk_buff *eem_tx_fixup(struct usbnet *dev, struct sk_buff *skb,
+ }
+
+ skb2 = skb_copy_expand(skb, EEM_HEAD, ETH_FCS_LEN + padlen, flags);
++ dev_kfree_skb_any(skb);
+ if (!skb2)
+ return NULL;
+
+- dev_kfree_skb_any(skb);
+ skb = skb2;
+
+ done:
+--
+2.30.2
+
--- /dev/null
+From 40aa46326f67ae50a8fa4c33705f0b5826df2f0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jun 2021 01:05:49 -0700
+Subject: net: cdc_ncm: switch to eth%d interface naming
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski <maze@google.com>
+
+[ Upstream commit c1a3d4067309451e68c33dbd356032549cc0bd8e ]
+
+This is meant to make the host side cdc_ncm interface consistently
+named just like the older CDC protocols: cdc_ether & cdc_ecm
+(and even rndis_host), which all use 'FLAG_ETHER | FLAG_POINTTOPOINT'.
+
+include/linux/usb/usbnet.h:
+ #define FLAG_ETHER 0x0020 /* maybe use "eth%d" names */
+ #define FLAG_WLAN 0x0080 /* use "wlan%d" names */
+ #define FLAG_WWAN 0x0400 /* use "wwan%d" names */
+ #define FLAG_POINTTOPOINT 0x1000 /* possibly use "usb%d" names */
+
+drivers/net/usb/usbnet.c @ line 1711:
+ strcpy (net->name, "usb%d");
+ ...
+ // heuristic: "usb%d" for links we know are two-host,
+ // else "eth%d" when there's reasonable doubt. userspace
+ // can rename the link if it knows better.
+ if ((dev->driver_info->flags & FLAG_ETHER) != 0 &&
+ ((dev->driver_info->flags & FLAG_POINTTOPOINT) == 0 ||
+ (net->dev_addr [0] & 0x02) == 0))
+ strcpy (net->name, "eth%d");
+ /* WLAN devices should always be named "wlan%d" */
+ if ((dev->driver_info->flags & FLAG_WLAN) != 0)
+ strcpy(net->name, "wlan%d");
+ /* WWAN devices should always be named "wwan%d" */
+ if ((dev->driver_info->flags & FLAG_WWAN) != 0)
+ strcpy(net->name, "wwan%d");
+
+So by using ETHER | POINTTOPOINT the interface naming is
+either usb%d or eth%d based on the global uniqueness of the
+mac address of the device.
+
+Without this 2.5gbps ethernet dongles which all seem to use the cdc_ncm
+driver end up being called usb%d instead of eth%d even though they're
+definitely not two-host. (All 1gbps & 5gbps ethernet usb dongles I've
+tested don't hit this problem due to use of different drivers, primarily
+r8152 and aqc111)
+
+Fixes tag is based purely on git blame, and is really just here to make
+sure this hits LTS branches newer than v4.5.
+
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Fixes: 4d06dd537f95 ("cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind")
+Signed-off-by: Maciej Żenczykowski <maze@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_ncm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index 0646bcd26968..4cff0a6b1098 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -1662,7 +1662,7 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb)
+ static const struct driver_info cdc_ncm_info = {
+ .description = "CDC NCM",
+ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
+- | FLAG_LINK_INTR,
++ | FLAG_LINK_INTR | FLAG_ETHER,
+ .bind = cdc_ncm_bind,
+ .unbind = cdc_ncm_unbind,
+ .manage_power = usbnet_manage_power,
+--
+2.30.2
+
--- /dev/null
+From eec60eb55898ede18af59a7dc0bb0e239dc04677 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 16:49:02 +0300
+Subject: net: ethernet: fix potential use-after-free in ec_bhf_remove
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 9cca0c2d70149160407bda9a9446ce0c29b6e6c6 ]
+
+static void ec_bhf_remove(struct pci_dev *dev)
+{
+...
+ struct ec_bhf_priv *priv = netdev_priv(net_dev);
+
+ unregister_netdev(net_dev);
+ free_netdev(net_dev);
+
+ pci_iounmap(dev, priv->dma_io);
+ pci_iounmap(dev, priv->io);
+...
+}
+
+priv is netdev private data, but it is used
+after free_netdev(). It can cause use-after-free when accessing priv
+pointer. So, fix it by moving free_netdev() after pci_iounmap()
+calls.
+
+Fixes: 6af55ff52b02 ("Driver for Beckhoff CX5020 EtherCAT master module.")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ec_bhf.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ec_bhf.c b/drivers/net/ethernet/ec_bhf.c
+index 46b0dbab8aad..7c992172933b 100644
+--- a/drivers/net/ethernet/ec_bhf.c
++++ b/drivers/net/ethernet/ec_bhf.c
+@@ -576,10 +576,12 @@ static void ec_bhf_remove(struct pci_dev *dev)
+ struct ec_bhf_priv *priv = netdev_priv(net_dev);
+
+ unregister_netdev(net_dev);
+- free_netdev(net_dev);
+
+ pci_iounmap(dev, priv->dma_io);
+ pci_iounmap(dev, priv->io);
++
++ free_netdev(net_dev);
++
+ pci_release_regions(dev);
+ pci_clear_master(dev);
+ pci_disable_device(dev);
+--
+2.30.2
+
--- /dev/null
+From a83cac4ce6a2bcbccb5ad63158590209023399e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 17:14:26 +0800
+Subject: net: fec_ptp: fix issue caused by refactor the fec_devtype
+
+From: Joakim Zhang <qiangqing.zhang@nxp.com>
+
+[ Upstream commit d23765646e71b43ed2b809930411ba5c0aadee7b ]
+
+Commit da722186f654 ("net: fec: set GPR bit on suspend by DT configuration.")
+refactor the fec_devtype, need adjust ptp driver accordingly.
+
+Fixes: da722186f654 ("net: fec: set GPR bit on suspend by DT configuration.")
+Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_ptp.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c
+index 49fad118988b..da04e61d819a 100644
+--- a/drivers/net/ethernet/freescale/fec_ptp.c
++++ b/drivers/net/ethernet/freescale/fec_ptp.c
+@@ -220,15 +220,13 @@ static u64 fec_ptp_read(const struct cyclecounter *cc)
+ {
+ struct fec_enet_private *fep =
+ container_of(cc, struct fec_enet_private, cc);
+- const struct platform_device_id *id_entry =
+- platform_get_device_id(fep->pdev);
+ u32 tempval;
+
+ tempval = readl(fep->hwp + FEC_ATIME_CTRL);
+ tempval |= FEC_T_CTRL_CAPTURE;
+ writel(tempval, fep->hwp + FEC_ATIME_CTRL);
+
+- if (id_entry->driver_data & FEC_QUIRK_BUG_CAPTURE)
++ if (fep->quirks & FEC_QUIRK_BUG_CAPTURE)
+ udelay(1);
+
+ return readl(fep->hwp + FEC_ATIME);
+--
+2.30.2
+
--- /dev/null
+From a4f94c923f8233de87a2b478705c75a0d1158997 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 22:09:06 +0300
+Subject: net: hamradio: fix memory leak in mkiss_close
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 7edcc682301492380fbdd604b4516af5ae667a13 ]
+
+My local syzbot instance hit memory leak in
+mkiss_open()[1]. The problem was in missing
+free_netdev() in mkiss_close().
+
+In mkiss_open() netdevice is allocated and then
+registered, but in mkiss_close() netdevice was
+only unregistered, but not freed.
+
+Fail log:
+
+BUG: memory leak
+unreferenced object 0xffff8880281ba000 (size 4096):
+ comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s)
+ hex dump (first 32 bytes):
+ 61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 ax0.............
+ 00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00 .'.*............
+ backtrace:
+ [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0
+ [<ffffffff8706e7e8>] alloc_netdev_mqs+0x98/0xe80
+ [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]
+ [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110
+ [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670
+ [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440
+ [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200
+ [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0
+ [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+BUG: memory leak
+unreferenced object 0xffff8880141a9a00 (size 96):
+ comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s)
+ hex dump (first 32 bytes):
+ e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff ...(.......(....
+ 98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00 .....@..........
+ backtrace:
+ [<ffffffff8709f68b>] __hw_addr_create_ex+0x5b/0x310
+ [<ffffffff8709fb38>] __hw_addr_add_ex+0x1f8/0x2b0
+ [<ffffffff870a0c7b>] dev_addr_init+0x10b/0x1f0
+ [<ffffffff8706e88b>] alloc_netdev_mqs+0x13b/0xe80
+ [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]
+ [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110
+ [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670
+ [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440
+ [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200
+ [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0
+ [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+BUG: memory leak
+unreferenced object 0xffff8880219bfc00 (size 512):
+ comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s)
+ hex dump (first 32 bytes):
+ 00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ff ...(............
+ 80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0
+ [<ffffffff8706eec7>] alloc_netdev_mqs+0x777/0xe80
+ [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]
+ [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110
+ [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670
+ [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440
+ [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200
+ [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0
+ [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+BUG: memory leak
+unreferenced object 0xffff888029b2b200 (size 256):
+ comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0
+ [<ffffffff8706f062>] alloc_netdev_mqs+0x912/0xe80
+ [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]
+ [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110
+ [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670
+ [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440
+ [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200
+ [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0
+ [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: 815f62bf7427 ("[PATCH] SMP rewrite of mkiss")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/hamradio/mkiss.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c
+index deef14215110..352f9e75954c 100644
+--- a/drivers/net/hamradio/mkiss.c
++++ b/drivers/net/hamradio/mkiss.c
+@@ -800,6 +800,7 @@ static void mkiss_close(struct tty_struct *tty)
+ ax->tty = NULL;
+
+ unregister_netdev(ax->dev);
++ free_netdev(ax->dev);
+ }
+
+ /* Perform I/O control on an active ax25 channel. */
+--
+2.30.2
+
--- /dev/null
+From 0dcbe9901b01db145c5b099cf592fb1268b1ae07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 17:59:25 +0800
+Subject: net: ipv4: fix memory leak in ip_mc_add1_src
+
+From: Chengyang Fan <cy.fan@huawei.com>
+
+[ Upstream commit d8e2973029b8b2ce477b564824431f3385c77083 ]
+
+BUG: memory leak
+unreferenced object 0xffff888101bc4c00 (size 32):
+ comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................
+ backtrace:
+ [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline]
+ [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline]
+ [<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline]
+ [<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095
+ [<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416
+ [<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline]
+ [<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423
+ [<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857
+ [<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117
+ [<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline]
+ [<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline]
+ [<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125
+ [<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47
+ [<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set
+link down"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed,
+because it was also called in igmpv3_clear_delrec().
+
+Rough callgraph:
+
+inetdev_destroy
+-> ip_mc_destroy_dev
+ -> igmpv3_clear_delrec
+ -> ip_mc_clear_src
+-> RCU_INIT_POINTER(dev->ip_ptr, NULL)
+
+However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't
+release in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the
+NULL to dev->ip_ptr. As a result, in_dev cannot be obtained through
+inetdev_by_index() and then in_dev->mc_list->sources cannot be released
+by ip_mc_del1_src() in the sock_close. Rough call sequence goes like:
+
+sock_close
+-> __sock_release
+ -> inet_release
+ -> ip_mc_drop_socket
+ -> inetdev_by_index
+ -> ip_mc_leave_src
+ -> ip_mc_del_src
+ -> ip_mc_del1_src
+
+So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free
+in_dev->mc_list->sources.
+
+Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info ...")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Chengyang Fan <cy.fan@huawei.com>
+Acked-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/igmp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index 480d0b22db1a..c8cbdc4d5cbc 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -1803,6 +1803,7 @@ void ip_mc_destroy_dev(struct in_device *in_dev)
+ while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) {
+ in_dev->mc_list = i->next_rcu;
+ in_dev->mc_count--;
++ ip_mc_clear_src(i);
+ ip_ma_put(i);
+ }
+ }
+--
+2.30.2
+
--- /dev/null
+From 8026239dc6b512cee93e46e5ce8c00b533c496e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 09:51:58 +0800
+Subject: net: ipv4: fix memory leak in netlbl_cipsov4_add_std
+
+From: Nanyong Sun <sunnanyong@huawei.com>
+
+[ Upstream commit d612c3f3fae221e7ea736d196581c2217304bbbc ]
+
+Reported by syzkaller:
+BUG: memory leak
+unreferenced object 0xffff888105df7000 (size 64):
+comm "syz-executor842", pid 360, jiffies 4294824824 (age 22.546s)
+hex dump (first 32 bytes):
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+backtrace:
+[<00000000e67ed558>] kmalloc include/linux/slab.h:590 [inline]
+[<00000000e67ed558>] kzalloc include/linux/slab.h:720 [inline]
+[<00000000e67ed558>] netlbl_cipsov4_add_std net/netlabel/netlabel_cipso_v4.c:145 [inline]
+[<00000000e67ed558>] netlbl_cipsov4_add+0x390/0x2340 net/netlabel/netlabel_cipso_v4.c:416
+[<0000000006040154>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 net/netlink/genetlink.c:739
+[<00000000204d7a1c>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
+[<00000000204d7a1c>] genl_rcv_msg+0x2bf/0x4f0 net/netlink/genetlink.c:800
+[<00000000c0d6a995>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504
+[<00000000d78b9d2c>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
+[<000000009733081b>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
+[<000000009733081b>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340
+[<00000000d5fd43b8>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929
+[<000000000a2d1e40>] sock_sendmsg_nosec net/socket.c:654 [inline]
+[<000000000a2d1e40>] sock_sendmsg+0x139/0x170 net/socket.c:674
+[<00000000321d1969>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350
+[<00000000964e16bc>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404
+[<000000001615e288>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433
+[<000000004ee8b6a5>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47
+[<00000000171c7cee>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+The memory of doi_def->map.std pointing is allocated in
+netlbl_cipsov4_add_std, but no place has freed it. It should be
+freed in cipso_v4_doi_free which frees the cipso DOI resource.
+
+Fixes: 96cb8e3313c7a ("[NetLabel]: CIPSOv4 and Unlabeled packet integration")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Nanyong Sun <sunnanyong@huawei.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/cipso_ipv4.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index e290a0c9e928..c1ac802d6894 100644
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -472,6 +472,7 @@ void cipso_v4_doi_free(struct cipso_v4_doi *doi_def)
+ kfree(doi_def->map.std->lvl.local);
+ kfree(doi_def->map.std->cat.cipso);
+ kfree(doi_def->map.std->cat.local);
++ kfree(doi_def->map.std);
+ break;
+ }
+ kfree(doi_def);
+--
+2.30.2
+
--- /dev/null
+From b7075fc3cab1a48b2483103806606536a90fcbb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 23:21:07 +0200
+Subject: net: lantiq: disable interrupt before sheduling NAPI
+
+From: Aleksander Jan Bajkowski <olek2@wp.pl>
+
+[ Upstream commit f2386cf7c5f4ff5d7b584f5d92014edd7df6c676 ]
+
+This patch fixes TX hangs with threaded NAPI enabled. The scheduled
+NAPI seems to be executed in parallel with the interrupt on second
+thread. Sometimes it happens that ltq_dma_disable_irq() is executed
+after xrx200_tx_housekeeping(). The symptom is that TX interrupts
+are disabled in the DMA controller. As a result, the TX hangs after
+a few seconds of the iperf test. Scheduling NAPI after disabling
+interrupts fixes this issue.
+
+Tested on Lantiq xRX200 (BT Home Hub 5A).
+
+Fixes: 9423361da523 ("net: lantiq: Disable IRQs only if NAPI gets scheduled ")
+Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
+Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/lantiq_xrx200.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/lantiq_xrx200.c b/drivers/net/ethernet/lantiq_xrx200.c
+index 6ece99e6b6dd..8d073b895fc0 100644
+--- a/drivers/net/ethernet/lantiq_xrx200.c
++++ b/drivers/net/ethernet/lantiq_xrx200.c
+@@ -351,8 +351,8 @@ static irqreturn_t xrx200_dma_irq(int irq, void *ptr)
+ struct xrx200_chan *ch = ptr;
+
+ if (napi_schedule_prep(&ch->napi)) {
+- __napi_schedule(&ch->napi);
+ ltq_dma_disable_irq(&ch->dma);
++ __napi_schedule(&ch->napi);
+ }
+
+ ltq_dma_ack_irq(&ch->dma);
+--
+2.30.2
+
--- /dev/null
+From db464c68aede652cbf0e8065e710dfcd1478af5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 22:29:59 +0800
+Subject: net: make get_net_ns return error if NET_NS is disabled
+
+From: Changbin Du <changbin.du@gmail.com>
+
+[ Upstream commit ea6932d70e223e02fea3ae20a4feff05d7c1ea9a ]
+
+There is a panic in socket ioctl cmd SIOCGSKNS when NET_NS is not enabled.
+The reason is that nsfs tries to access ns->ops but the proc_ns_operations
+is not implemented in this case.
+
+[7.670023] Unable to handle kernel NULL pointer dereference at virtual address 00000010
+[7.670268] pgd = 32b54000
+[7.670544] [00000010] *pgd=00000000
+[7.671861] Internal error: Oops: 5 [#1] SMP ARM
+[7.672315] Modules linked in:
+[7.672918] CPU: 0 PID: 1 Comm: systemd Not tainted 5.13.0-rc3-00375-g6799d4f2da49 #16
+[7.673309] Hardware name: Generic DT based system
+[7.673642] PC is at nsfs_evict+0x24/0x30
+[7.674486] LR is at clear_inode+0x20/0x9c
+
+The same to tun SIOCGSKNS command.
+
+To fix this problem, we make get_net_ns() return -EINVAL when NET_NS is
+disabled. Meanwhile move it to right place net/core/net_namespace.c.
+
+Signed-off-by: Changbin Du <changbin.du@gmail.com>
+Fixes: c62cce2caee5 ("net: add an ioctl to get a socket network namespace")
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: David Laight <David.Laight@ACULAB.COM>
+Cc: Christian Brauner <christian.brauner@ubuntu.com>
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/socket.h | 2 --
+ include/net/net_namespace.h | 7 +++++++
+ net/core/net_namespace.c | 12 ++++++++++++
+ net/socket.c | 13 -------------
+ 4 files changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/include/linux/socket.h b/include/linux/socket.h
+index 4049d9755cf1..a465c6a45d6f 100644
+--- a/include/linux/socket.h
++++ b/include/linux/socket.h
+@@ -406,6 +406,4 @@ extern int __sys_getpeername(int fd, struct sockaddr __user *usockaddr,
+ extern int __sys_socketpair(int family, int type, int protocol,
+ int __user *usockvec);
+ extern int __sys_shutdown(int fd, int how);
+-
+-extern struct ns_common *get_net_ns(struct ns_common *ns);
+ #endif /* _LINUX_SOCKET_H */
+diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
+index 0fca98a3d2d3..167e390ac9d4 100644
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -195,6 +195,8 @@ struct net *copy_net_ns(unsigned long flags, struct user_namespace *user_ns,
+ void net_ns_get_ownership(const struct net *net, kuid_t *uid, kgid_t *gid);
+
+ void net_ns_barrier(void);
++
++struct ns_common *get_net_ns(struct ns_common *ns);
+ #else /* CONFIG_NET_NS */
+ #include <linux/sched.h>
+ #include <linux/nsproxy.h>
+@@ -214,6 +216,11 @@ static inline void net_ns_get_ownership(const struct net *net,
+ }
+
+ static inline void net_ns_barrier(void) {}
++
++static inline struct ns_common *get_net_ns(struct ns_common *ns)
++{
++ return ERR_PTR(-EINVAL);
++}
+ #endif /* CONFIG_NET_NS */
+
+
+diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
+index 39402840025e..c303873496a3 100644
+--- a/net/core/net_namespace.c
++++ b/net/core/net_namespace.c
+@@ -643,6 +643,18 @@ void __put_net(struct net *net)
+ }
+ EXPORT_SYMBOL_GPL(__put_net);
+
++/**
++ * get_net_ns - increment the refcount of the network namespace
++ * @ns: common namespace (net)
++ *
++ * Returns the net's common namespace.
++ */
++struct ns_common *get_net_ns(struct ns_common *ns)
++{
++ return &get_net(container_of(ns, struct net, ns))->ns;
++}
++EXPORT_SYMBOL_GPL(get_net_ns);
++
+ struct net *get_net_ns_by_fd(int fd)
+ {
+ struct file *file;
+diff --git a/net/socket.c b/net/socket.c
+index d1a0264401b7..b14917dd811a 100644
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1071,19 +1071,6 @@ static long sock_do_ioctl(struct net *net, struct socket *sock,
+ * what to do with it - that's up to the protocol still.
+ */
+
+-/**
+- * get_net_ns - increment the refcount of the network namespace
+- * @ns: common namespace (net)
+- *
+- * Returns the net's common namespace.
+- */
+-
+-struct ns_common *get_net_ns(struct ns_common *ns)
+-{
+- return &get_net(container_of(ns, struct net, ns))->ns;
+-}
+-EXPORT_SYMBOL_GPL(get_net_ns);
+-
+ static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg)
+ {
+ struct socket *sock;
+--
+2.30.2
+
--- /dev/null
+From 7b7a2d157c7e54cd5485dc869592f07311f3847f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Jun 2021 11:20:46 +0300
+Subject: net/mlx5: Consider RoCE cap before init RDMA resources
+
+From: Maor Gottlieb <maorg@nvidia.com>
+
+[ Upstream commit c189716b2a7c1d2d8658e269735273caa1c38b54 ]
+
+Check if RoCE is supported by the device before enable it in
+the vport context and create all the RDMA steering objects.
+
+Fixes: 80f09dfc237f ("net/mlx5: Eswitch, enable RoCE loopback traffic")
+Signed-off-by: Maor Gottlieb <maorg@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/rdma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/rdma.c b/drivers/net/ethernet/mellanox/mlx5/core/rdma.c
+index 8e0dddc6383f..2389239acadc 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/rdma.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/rdma.c
+@@ -156,6 +156,9 @@ void mlx5_rdma_enable_roce(struct mlx5_core_dev *dev)
+ {
+ int err;
+
++ if (!MLX5_CAP_GEN(dev, roce))
++ return;
++
+ err = mlx5_nic_vport_enable_roce(dev);
+ if (err) {
+ mlx5_core_err(dev, "Failed to enable RoCE: %d\n", err);
+--
+2.30.2
+
--- /dev/null
+From 2d2e2a86ab12177ebdd16691afaf8e78a4132e23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jan 2020 12:07:59 +0100
+Subject: net/mlx5e: allow TSO on VXLAN over VLAN topologies
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit a1718505d7f67ee0ab051322f1cbc7ac42b5da82 ]
+
+since mlx5 hardware can segment correctly TSO packets on VXLAN over VLAN
+topologies, CPU usage can improve significantly if we enable tunnel
+offloads in dev->vlan_features, like it was done in the past with other
+NIC drivers (e.g. mlx4, be2net and ixgbe).
+
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 36b9a364ef26..374ce17e1499 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -5012,6 +5012,8 @@ static void mlx5e_build_nic_netdev(struct net_device *netdev)
+ netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL |
+ NETIF_F_GSO_UDP_TUNNEL_CSUM;
+ netdev->gso_partial_features = NETIF_F_GSO_UDP_TUNNEL_CSUM;
++ netdev->vlan_features |= NETIF_F_GSO_UDP_TUNNEL |
++ NETIF_F_GSO_UDP_TUNNEL_CSUM;
+ }
+
+ if (mlx5e_tunnel_proto_supported(mdev, IPPROTO_GRE)) {
+--
+2.30.2
+
--- /dev/null
+From 2c00f817d2a9b974c2008872e85e21200a94ba49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 May 2021 14:34:58 +0300
+Subject: net/mlx5e: Block offload of outer header csum for UDP tunnels
+
+From: Aya Levin <ayal@nvidia.com>
+
+[ Upstream commit 6d6727dddc7f93fcc155cb8d0c49c29ae0e71122 ]
+
+The device is able to offload either the outer header csum or inner
+header csum. The driver utilizes the inner csum offload. Hence, block
+setting of tx-udp_tnl-csum-segmentation and set it to off[fixed].
+
+Fixes: b49663c8fb49 ("net/mlx5e: Add support for UDP tunnel segmentation with outer checksum offload")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 374ce17e1499..24c49a84947f 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -5007,13 +5007,9 @@ static void mlx5e_build_nic_netdev(struct net_device *netdev)
+ }
+
+ if (mlx5_vxlan_allowed(mdev->vxlan) || mlx5_geneve_tx_allowed(mdev)) {
+- netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL |
+- NETIF_F_GSO_UDP_TUNNEL_CSUM;
+- netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL |
+- NETIF_F_GSO_UDP_TUNNEL_CSUM;
+- netdev->gso_partial_features = NETIF_F_GSO_UDP_TUNNEL_CSUM;
+- netdev->vlan_features |= NETIF_F_GSO_UDP_TUNNEL |
+- NETIF_F_GSO_UDP_TUNNEL_CSUM;
++ netdev->hw_features |= NETIF_F_GSO_UDP_TUNNEL;
++ netdev->hw_enc_features |= NETIF_F_GSO_UDP_TUNNEL;
++ netdev->vlan_features |= NETIF_F_GSO_UDP_TUNNEL;
+ }
+
+ if (mlx5e_tunnel_proto_supported(mdev, IPPROTO_GRE)) {
+--
+2.30.2
+
--- /dev/null
+From 614da970adb3ca7d8837a401bd2cd2237a7ef741 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 May 2021 13:45:10 +0300
+Subject: net/mlx5e: Fix page reclaim for dead peer hairpin
+
+From: Dima Chumak <dchumak@nvidia.com>
+
+[ Upstream commit a3e5fd9314dfc4314a9567cde96e1aef83a7458a ]
+
+When adding a hairpin flow, a firmware-side send queue is created for
+the peer net device, which claims some host memory pages for its
+internal ring buffer. If the peer net device is removed/unbound before
+the hairpin flow is deleted, then the send queue is not destroyed which
+leads to a stack trace on pci device remove:
+
+[ 748.005230] mlx5_core 0000:08:00.2: wait_func:1094:(pid 12985): MANAGE_PAGES(0x108) timeout. Will cause a leak of a command resource
+[ 748.005231] mlx5_core 0000:08:00.2: reclaim_pages:514:(pid 12985): failed reclaiming pages: err -110
+[ 748.001835] mlx5_core 0000:08:00.2: mlx5_reclaim_root_pages:653:(pid 12985): failed reclaiming pages (-110) for func id 0x0
+[ 748.002171] ------------[ cut here ]------------
+[ 748.001177] FW pages counter is 4 after reclaiming all pages
+[ 748.001186] WARNING: CPU: 1 PID: 12985 at drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c:685 mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core] [ +0.002771] Modules linked in: cls_flower mlx5_ib mlx5_core ptp pps_core act_mirred sch_ingress openvswitch nsh xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm ib_umad ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay fuse [last unloaded: pps_core]
+[ 748.007225] CPU: 1 PID: 12985 Comm: tee Not tainted 5.12.0+ #1
+[ 748.001376] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+[ 748.002315] RIP: 0010:mlx5_reclaim_startup_pages+0x34b/0x460 [mlx5_core]
+[ 748.001679] Code: 28 00 00 00 0f 85 22 01 00 00 48 81 c4 b0 00 00 00 31 c0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 c7 c7 40 cc 19 a1 e8 9f 71 0e e2 <0f> 0b e9 30 ff ff ff 48 c7 c7 a0 cc 19 a1 e8 8c 71 0e e2 0f 0b e9
+[ 748.003781] RSP: 0018:ffff88815220faf8 EFLAGS: 00010286
+[ 748.001149] RAX: 0000000000000000 RBX: ffff8881b4900280 RCX: 0000000000000000
+[ 748.001445] RDX: 0000000000000027 RSI: 0000000000000004 RDI: ffffed102a441f51
+[ 748.001614] RBP: 00000000000032b9 R08: 0000000000000001 R09: ffffed1054a15ee8
+[ 748.001446] R10: ffff8882a50af73b R11: ffffed1054a15ee7 R12: fffffbfff07c1e30
+[ 748.001447] R13: dffffc0000000000 R14: ffff8881b492cba8 R15: 0000000000000000
+[ 748.001429] FS: 00007f58bd08b580(0000) GS:ffff8882a5080000(0000) knlGS:0000000000000000
+[ 748.001695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 748.001309] CR2: 000055a026351740 CR3: 00000001d3b48006 CR4: 0000000000370ea0
+[ 748.001506] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 748.001483] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 748.001654] Call Trace:
+[ 748.000576] ? mlx5_satisfy_startup_pages+0x290/0x290 [mlx5_core]
+[ 748.001416] ? mlx5_cmd_teardown_hca+0xa2/0xd0 [mlx5_core]
+[ 748.001354] ? mlx5_cmd_init_hca+0x280/0x280 [mlx5_core]
+[ 748.001203] mlx5_function_teardown+0x30/0x60 [mlx5_core]
+[ 748.001275] mlx5_uninit_one+0xa7/0xc0 [mlx5_core]
+[ 748.001200] remove_one+0x5f/0xc0 [mlx5_core]
+[ 748.001075] pci_device_remove+0x9f/0x1d0
+[ 748.000833] device_release_driver_internal+0x1e0/0x490
+[ 748.001207] unbind_store+0x19f/0x200
+[ 748.000942] ? sysfs_file_ops+0x170/0x170
+[ 748.001000] kernfs_fop_write_iter+0x2bc/0x450
+[ 748.000970] new_sync_write+0x373/0x610
+[ 748.001124] ? new_sync_read+0x600/0x600
+[ 748.001057] ? lock_acquire+0x4d6/0x700
+[ 748.000908] ? lockdep_hardirqs_on_prepare+0x400/0x400
+[ 748.001126] ? fd_install+0x1c9/0x4d0
+[ 748.000951] vfs_write+0x4d0/0x800
+[ 748.000804] ksys_write+0xf9/0x1d0
+[ 748.000868] ? __x64_sys_read+0xb0/0xb0
+[ 748.000811] ? filp_open+0x50/0x50
+[ 748.000919] ? syscall_enter_from_user_mode+0x1d/0x50
+[ 748.001223] do_syscall_64+0x3f/0x80
+[ 748.000892] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[ 748.001026] RIP: 0033:0x7f58bcfb22f7
+[ 748.000944] Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
+[ 748.003925] RSP: 002b:00007fffd7f2aaa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+[ 748.001732] RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f58bcfb22f7
+[ 748.001426] RDX: 000000000000000d RSI: 00007fffd7f2abc0 RDI: 0000000000000003
+[ 748.001746] RBP: 00007fffd7f2abc0 R08: 0000000000000000 R09: 0000000000000001
+[ 748.001631] R10: 00000000000001b6 R11: 0000000000000246 R12: 000000000000000d
+[ 748.001537] R13: 00005597ac2c24a0 R14: 000000000000000d R15: 00007f58bd084700
+[ 748.001564] irq event stamp: 0
+[ 748.000787] hardirqs last enabled at (0): [<0000000000000000>] 0x0
+[ 748.001399] hardirqs last disabled at (0): [<ffffffff813132cf>] copy_process+0x146f/0x5eb0
+[ 748.001854] softirqs last enabled at (0): [<ffffffff8131330e>] copy_process+0x14ae/0x5eb0
+[ 748.013431] softirqs last disabled at (0): [<0000000000000000>] 0x0
+[ 748.001492] ---[ end trace a6fabd773d1c51ae ]---
+
+Fix by destroying the send queue of a hairpin peer net device that is
+being removed/unbound, which returns the allocated ring buffer pages to
+the host.
+
+Fixes: 4d8fcf216c90 ("net/mlx5e: Avoid unbounded peer devices when unpairing TC hairpin rules")
+Signed-off-by: Dima Chumak <dchumak@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/mellanox/mlx5/core/en_tc.c | 2 +-
+ .../ethernet/mellanox/mlx5/core/transobj.c | 30 +++++++++++++++----
+ include/linux/mlx5/transobj.h | 1 +
+ 3 files changed, 26 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+index fe7342e8a043..9d26463f3fa5 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -4079,7 +4079,7 @@ static void mlx5e_tc_hairpin_update_dead_peer(struct mlx5e_priv *priv,
+ list_for_each_entry_safe(hpe, tmp, &init_wait_list, dead_peer_wait_list) {
+ wait_for_completion(&hpe->res_ready);
+ if (!IS_ERR_OR_NULL(hpe->hp) && hpe->peer_vhca_id == peer_vhca_id)
+- hpe->hp->pair->peer_gone = true;
++ mlx5_core_hairpin_clear_dead_peer(hpe->hp->pair);
+
+ mlx5e_hairpin_put(priv, hpe);
+ }
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/transobj.c b/drivers/net/ethernet/mellanox/mlx5/core/transobj.c
+index b1068500f1df..0b5437051a3b 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/transobj.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/transobj.c
+@@ -457,6 +457,15 @@ err_modify_sq:
+ return err;
+ }
+
++static void mlx5_hairpin_unpair_peer_sq(struct mlx5_hairpin *hp)
++{
++ int i;
++
++ for (i = 0; i < hp->num_channels; i++)
++ mlx5_hairpin_modify_sq(hp->peer_mdev, hp->sqn[i], MLX5_SQC_STATE_RDY,
++ MLX5_SQC_STATE_RST, 0, 0);
++}
++
+ static void mlx5_hairpin_unpair_queues(struct mlx5_hairpin *hp)
+ {
+ int i;
+@@ -465,13 +474,9 @@ static void mlx5_hairpin_unpair_queues(struct mlx5_hairpin *hp)
+ for (i = 0; i < hp->num_channels; i++)
+ mlx5_hairpin_modify_rq(hp->func_mdev, hp->rqn[i], MLX5_RQC_STATE_RDY,
+ MLX5_RQC_STATE_RST, 0, 0);
+-
+ /* unset peer SQs */
+- if (hp->peer_gone)
+- return;
+- for (i = 0; i < hp->num_channels; i++)
+- mlx5_hairpin_modify_sq(hp->peer_mdev, hp->sqn[i], MLX5_SQC_STATE_RDY,
+- MLX5_SQC_STATE_RST, 0, 0);
++ if (!hp->peer_gone)
++ mlx5_hairpin_unpair_peer_sq(hp);
+ }
+
+ struct mlx5_hairpin *
+@@ -518,3 +523,16 @@ void mlx5_core_hairpin_destroy(struct mlx5_hairpin *hp)
+ mlx5_hairpin_destroy_queues(hp);
+ kfree(hp);
+ }
++
++void mlx5_core_hairpin_clear_dead_peer(struct mlx5_hairpin *hp)
++{
++ int i;
++
++ mlx5_hairpin_unpair_peer_sq(hp);
++
++ /* destroy peer SQ */
++ for (i = 0; i < hp->num_channels; i++)
++ mlx5_core_destroy_sq(hp->peer_mdev, hp->sqn[i]);
++
++ hp->peer_gone = true;
++}
+diff --git a/include/linux/mlx5/transobj.h b/include/linux/mlx5/transobj.h
+index dc6b1e7cb8c4..3abefd40a4d8 100644
+--- a/include/linux/mlx5/transobj.h
++++ b/include/linux/mlx5/transobj.h
+@@ -92,4 +92,5 @@ mlx5_core_hairpin_create(struct mlx5_core_dev *func_mdev,
+ struct mlx5_hairpin_params *params);
+
+ void mlx5_core_hairpin_destroy(struct mlx5_hairpin *pair);
++void mlx5_core_hairpin_clear_dead_peer(struct mlx5_hairpin *hp);
+ #endif /* __TRANSOBJ_H__ */
+--
+2.30.2
+
--- /dev/null
+From 169fc12c42032da2d83c82de1436d11599fa91cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 May 2021 13:20:32 -0500
+Subject: net/mlx5e: Remove dependency in IPsec initialization flows
+
+From: Huy Nguyen <huyn@nvidia.com>
+
+[ Upstream commit 8ad893e516a77209a1818a2072d2027d87db809f ]
+
+Currently, IPsec feature is disabled because mlx5e_build_nic_netdev
+is required to be called after mlx5e_ipsec_init. This requirement is
+invalid as mlx5e_build_nic_netdev and mlx5e_ipsec_init initialize
+independent resources.
+
+Remove ipsec pointer check in mlx5e_build_nic_netdev so that the
+two functions can be called at any order.
+
+Fixes: 547eede070eb ("net/mlx5e: IPSec, Innova IPSec offload infrastructure")
+Signed-off-by: Huy Nguyen <huyn@nvidia.com>
+Reviewed-by: Raed Salem <raeds@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+index cf58c9637904..c467f5e981f6 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+@@ -515,9 +515,6 @@ void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv)
+ struct mlx5_core_dev *mdev = priv->mdev;
+ struct net_device *netdev = priv->netdev;
+
+- if (!priv->ipsec)
+- return;
+-
+ if (!(mlx5_accel_ipsec_device_caps(mdev) & MLX5_ACCEL_IPSEC_CAP_ESP) ||
+ !MLX5_CAP_ETH(mdev, swp)) {
+ mlx5_core_dbg(mdev, "mlx5e: ESP and SWP offload not supported\n");
+--
+2.30.2
+
--- /dev/null
+From 9e7e2cb3ba7bac45c87ee2e18eaca4881a2ef917 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jun 2021 15:06:50 +0300
+Subject: net: qrtr: fix OOB Read in qrtr_endpoint_post
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit ad9d24c9429e2159d1e279dc3a83191ccb4daf1d ]
+
+Syzbot reported slab-out-of-bounds Read in
+qrtr_endpoint_post. The problem was in wrong
+_size_ type:
+
+ if (len != ALIGN(size, 4) + hdrlen)
+ goto err;
+
+If size from qrtr_hdr is 4294967293 (0xfffffffd), the result of
+ALIGN(size, 4) will be 0. In case of len == hdrlen and size == 4294967293
+in header this check won't fail and
+
+ skb_put_data(skb, data + hdrlen, size);
+
+will read out of bound from data, which is hdrlen allocated block.
+
+Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets")
+Reported-and-tested-by: syzbot+1917d778024161609247@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/qrtr/qrtr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c
+index 46273a838361..faea2ce12511 100644
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -257,7 +257,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
+ const struct qrtr_hdr_v2 *v2;
+ struct sk_buff *skb;
+ struct qrtr_cb *cb;
+- unsigned int size;
++ size_t size;
+ unsigned int ver;
+ size_t hdrlen;
+
+--
+2.30.2
+
--- /dev/null
+From b638a86489c81b9a4da763fce9bb6677b2898336 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 11:06:41 +0300
+Subject: net: rds: fix memory leak in rds_recvmsg
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 49bfcbfd989a8f1f23e705759a6bb099de2cff9f ]
+
+Syzbot reported memory leak in rds. The problem
+was in unputted refcount in case of error.
+
+int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
+ int msg_flags)
+{
+...
+
+ if (!rds_next_incoming(rs, &inc)) {
+ ...
+ }
+
+After this "if" inc refcount incremented and
+
+ if (rds_cmsg_recv(inc, msg, rs)) {
+ ret = -EFAULT;
+ goto out;
+ }
+...
+out:
+ return ret;
+}
+
+in case of rds_cmsg_recv() fail the refcount won't be
+decremented. And it's easy to see from ftrace log, that
+rds_inc_addref() don't have rds_inc_put() pair in
+rds_recvmsg() after rds_cmsg_recv()
+
+ 1) | rds_recvmsg() {
+ 1) 3.721 us | rds_inc_addref();
+ 1) 3.853 us | rds_message_inc_copy_to_user();
+ 1) + 10.395 us | rds_cmsg_recv();
+ 1) + 34.260 us | }
+
+Fixes: bdbe6fbc6a2f ("RDS: recv.c")
+Reported-and-tested-by: syzbot+5134cdf021c4ed5aaa5f@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reviewed-by: Håkon Bugge <haakon.bugge@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rds/recv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rds/recv.c b/net/rds/recv.c
+index aba4afe4dfed..967d115f97ef 100644
+--- a/net/rds/recv.c
++++ b/net/rds/recv.c
+@@ -714,7 +714,7 @@ int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
+
+ if (rds_cmsg_recv(inc, msg, rs)) {
+ ret = -EFAULT;
+- goto out;
++ break;
+ }
+ rds_recvmsg_zcookie(rs, msg);
+
+--
+2.30.2
+
--- /dev/null
+From cb9a79c2463e6cc928b4a7576297fdf497518565 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 11:23:56 -0300
+Subject: net/sched: act_ct: handle DNAT tuple collision
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit 13c62f5371e3eb4fc3400cfa26e64ca75f888008 ]
+
+This this the counterpart of 8aa7b526dc0b ("openvswitch: handle DNAT
+tuple collision") for act_ct. From that commit changelog:
+
+"""
+With multiple DNAT rules it's possible that after destination
+translation the resulting tuples collide.
+
+...
+
+Netfilter handles this case by allocating a null binding for SNAT at
+egress by default. Perform the same operation in openvswitch for DNAT
+if no explicit SNAT is requested by the user and allocate a null binding
+for SNAT for packets in the "original" direction.
+"""
+
+Fixes: 95219afbb980 ("act_ct: support asymmetric conntrack")
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/act_ct.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
+index 31eb8eefc868..16c4cbf6d1f0 100644
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -361,14 +361,19 @@ static int tcf_ct_act_nat(struct sk_buff *skb,
+ }
+
+ err = ct_nat_execute(skb, ct, ctinfo, range, maniptype);
+- if (err == NF_ACCEPT &&
+- ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) {
+- if (maniptype == NF_NAT_MANIP_SRC)
+- maniptype = NF_NAT_MANIP_DST;
+- else
+- maniptype = NF_NAT_MANIP_SRC;
+-
+- err = ct_nat_execute(skb, ct, ctinfo, range, maniptype);
++ if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) {
++ if (ct->status & IPS_SRC_NAT) {
++ if (maniptype == NF_NAT_MANIP_SRC)
++ maniptype = NF_NAT_MANIP_DST;
++ else
++ maniptype = NF_NAT_MANIP_SRC;
++
++ err = ct_nat_execute(skb, ct, ctinfo, range,
++ maniptype);
++ } else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) {
++ err = ct_nat_execute(skb, ct, ctinfo, NULL,
++ NF_NAT_MANIP_SRC);
++ }
+ }
+ return err;
+ #else
+--
+2.30.2
+
--- /dev/null
+From 91c0216bf791b73595205db469112e7fcc41139f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jun 2021 15:16:11 +0800
+Subject: net: stmmac: dwmac1000: Fix extended MAC address registers definition
+
+From: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+
+[ Upstream commit 1adb20f0d496b2c61e9aa1f4761b8d71f93d258e ]
+
+The register starts from 0x800 is the 16th MAC address register rather
+than the first one.
+
+Fixes: cffb13f4d6fb ("stmmac: extend mac addr reg and fix perfect filering")
+Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac1000.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h
+index b70d44ac0990..3c73453725f9 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h
+@@ -76,10 +76,10 @@ enum power_event {
+ #define LPI_CTRL_STATUS_TLPIEN 0x00000001 /* Transmit LPI Entry */
+
+ /* GMAC HW ADDR regs */
+-#define GMAC_ADDR_HIGH(reg) (((reg > 15) ? 0x00000800 : 0x00000040) + \
+- (reg * 8))
+-#define GMAC_ADDR_LOW(reg) (((reg > 15) ? 0x00000804 : 0x00000044) + \
+- (reg * 8))
++#define GMAC_ADDR_HIGH(reg) ((reg > 15) ? 0x00000800 + (reg - 16) * 8 : \
++ 0x00000040 + (reg * 8))
++#define GMAC_ADDR_LOW(reg) ((reg > 15) ? 0x00000804 + (reg - 16) * 8 : \
++ 0x00000044 + (reg * 8))
+ #define GMAC_MAX_PERFECT_ADDRESSES 1
+
+ #define GMAC_PCS_BASE 0x000000c0 /* PCS register base */
+--
+2.30.2
+
--- /dev/null
+From a4d4752806443a00ebd12ead50b3bb9759b4a469 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 10:48:33 +0800
+Subject: net: usb: fix possible use-after-free in smsc75xx_bind
+
+From: Dongliang Mu <mudongliangabcd@gmail.com>
+
+[ Upstream commit 56b786d86694e079d8aad9b314e015cd4ac02a3d ]
+
+The commit 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind")
+fails to clean up the work scheduled in smsc75xx_reset->
+smsc75xx_set_multicast, which leads to use-after-free if the work is
+scheduled to start after the deallocation. In addition, this patch
+also removes a dangling pointer - dev->data[0].
+
+This patch calls cancel_work_sync to cancel the scheduled work and set
+the dangling pointer to NULL.
+
+Fixes: 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind")
+Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/smsc75xx.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index d0ae0df34e13..aa848be459ec 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -1482,7 +1482,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ ret = smsc75xx_wait_ready(dev, 0);
+ if (ret < 0) {
+ netdev_warn(dev->net, "device not ready in smsc75xx_bind\n");
+- goto err;
++ goto free_pdata;
+ }
+
+ smsc75xx_init_mac_address(dev);
+@@ -1491,7 +1491,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ ret = smsc75xx_reset(dev);
+ if (ret < 0) {
+ netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret);
+- goto err;
++ goto cancel_work;
+ }
+
+ dev->net->netdev_ops = &smsc75xx_netdev_ops;
+@@ -1502,8 +1502,11 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ dev->net->max_mtu = MAX_SINGLE_PACKET_SIZE;
+ return 0;
+
+-err:
++cancel_work:
++ cancel_work_sync(&pdata->set_multicast);
++free_pdata:
+ kfree(pdata);
++ dev->data[0] = 0;
+ return ret;
+ }
+
+@@ -1514,7 +1517,6 @@ static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf)
+ cancel_work_sync(&pdata->set_multicast);
+ netif_dbg(dev, ifdown, dev->net, "free pdata\n");
+ kfree(pdata);
+- pdata = NULL;
+ dev->data[0] = 0;
+ }
+ }
+--
+2.30.2
+
--- /dev/null
+From 42483fde12b1f3df0d94046c3fba904952a12496 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 19:40:29 +0300
+Subject: netfilter: synproxy: Fix out of bounds when parsing TCP options
+
+From: Maxim Mikityanskiy <maximmi@nvidia.com>
+
+[ Upstream commit 5fc177ab759418c9537433e63301096e733fb915 ]
+
+The TCP option parser in synproxy (synproxy_parse_options) could read
+one byte out of bounds. When the length is 1, the execution flow gets
+into the loop, reads one byte of the opcode, and if the opcode is
+neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds
+the length of 1.
+
+This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
+out of bounds when parsing TCP options.").
+
+v2 changes:
+
+Added an early return when length < 0 to avoid calling
+skb_header_pointer with negative length.
+
+Cc: Young Xiao <92siuyang@gmail.com>
+Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
+Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_synproxy_core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
+index 4bb4cfde28b4..c6c0d27caaed 100644
+--- a/net/netfilter/nf_synproxy_core.c
++++ b/net/netfilter/nf_synproxy_core.c
+@@ -31,6 +31,9 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
+ int length = (th->doff * 4) - sizeof(*th);
+ u8 buf[40], *ptr;
+
++ if (unlikely(length < 0))
++ return false;
++
+ ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf);
+ if (ptr == NULL)
+ return false;
+@@ -47,6 +50,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
+ length--;
+ continue;
+ default:
++ if (length < 2)
++ return true;
+ opsize = *ptr++;
+ if (opsize < 2)
+ return true;
+--
+2.30.2
+
--- /dev/null
+From ff196812de3b200f7690a9be2fbf1978880930b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 14:53:12 +0200
+Subject: netxen_nic: Fix an error handling path in 'netxen_nic_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 49a10c7b176295f8fafb338911cf028e97f65f4d ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: e87ad5539343 ("netxen: support pci error handlers")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
+index 25b6f2ee2beb..1b9867ea4333 100644
+--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
+@@ -1602,6 +1602,8 @@ err_out_free_netdev:
+ free_netdev(netdev);
+
+ err_out_free_res:
++ if (NX_IS_REVISION_P3(pdev->revision))
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_regions(pdev);
+
+ err_out_disable_pdev:
+--
+2.30.2
+
--- /dev/null
+From faa92318b2aaeec193c6ebbbbd5a5e5985ef85eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jun 2021 15:24:05 -0700
+Subject: ptp: improve max_adj check against unreasonable values
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 475b92f932168a78da8109acd10bfb7578b8f2bb ]
+
+Scaled PPM conversion to PPB may (on 64bit systems) result
+in a value larger than s32 can hold (freq/scaled_ppm is a long).
+This means the kernel will not correctly reject unreasonably
+high ->freq values (e.g. > 4294967295ppb, 281474976645 scaled PPM).
+
+The conversion is equivalent to a division by ~66 (65.536),
+so the value of ppb is always smaller than ppm, but not small
+enough to assume narrowing the type from long -> s32 is okay.
+
+Note that reasonable user space (e.g. ptp4l) will not use such
+high values, anyway, 4289046510ppb ~= 4.3x, so the fix is
+somewhat pedantic.
+
+Fixes: d39a743511cd ("ptp: validate the requested frequency adjustment.")
+Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ptp/ptp_clock.c | 6 +++---
+ include/linux/ptp_clock_kernel.h | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
+index b84f16bbd6f2..eedf067ee8e3 100644
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -63,7 +63,7 @@ static void enqueue_external_timestamp(struct timestamp_event_queue *queue,
+ spin_unlock_irqrestore(&queue->lock, flags);
+ }
+
+-s32 scaled_ppm_to_ppb(long ppm)
++long scaled_ppm_to_ppb(long ppm)
+ {
+ /*
+ * The 'freq' field in the 'struct timex' is in parts per
+@@ -80,7 +80,7 @@ s32 scaled_ppm_to_ppb(long ppm)
+ s64 ppb = 1 + ppm;
+ ppb *= 125;
+ ppb >>= 13;
+- return (s32) ppb;
++ return (long) ppb;
+ }
+ EXPORT_SYMBOL(scaled_ppm_to_ppb);
+
+@@ -138,7 +138,7 @@ static int ptp_clock_adjtime(struct posix_clock *pc, struct __kernel_timex *tx)
+ delta = ktime_to_ns(kt);
+ err = ops->adjtime(ops, delta);
+ } else if (tx->modes & ADJ_FREQUENCY) {
+- s32 ppb = scaled_ppm_to_ppb(tx->freq);
++ long ppb = scaled_ppm_to_ppb(tx->freq);
+ if (ppb > ops->max_adj || ppb < -ops->max_adj)
+ return -ERANGE;
+ if (ops->adjfine)
+diff --git a/include/linux/ptp_clock_kernel.h b/include/linux/ptp_clock_kernel.h
+index 93cc4f1d444a..874f7e73ed01 100644
+--- a/include/linux/ptp_clock_kernel.h
++++ b/include/linux/ptp_clock_kernel.h
+@@ -218,7 +218,7 @@ extern int ptp_clock_index(struct ptp_clock *ptp);
+ * @ppm: Parts per million, but with a 16 bit binary fractional field
+ */
+
+-extern s32 scaled_ppm_to_ppb(long ppm);
++extern long scaled_ppm_to_ppb(long ppm);
+
+ /**
+ * ptp_find_pin() - obtain the pin index of a given auxiliary function
+--
+2.30.2
+
--- /dev/null
+From 5f6c4ec806d41d2bd9c03a8ab0e9763dee74e4e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 14:37:46 +0200
+Subject: qlcnic: Fix an error handling path in 'qlcnic_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit cb3376604a676e0302258b01893911bdd7aa5278 ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 451724c821c1 ("qlcnic: aer support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
+index f2e5f494462b..3a96fd6deef7 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
+@@ -2709,6 +2709,7 @@ err_out_free_hw_res:
+ kfree(ahw);
+
+ err_out_free_res:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_regions(pdev);
+
+ err_out_disable_pdev:
+--
+2.30.2
+
--- /dev/null
+From 552356792ccfba48d223cb9690158f7248f73bb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 14:17:53 +0300
+Subject: rtnetlink: Fix regression in bridge VLAN configuration
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit d2e381c4963663bca6f30c3b996fa4dbafe8fcb5 ]
+
+Cited commit started returning errors when notification info is not
+filled by the bridge driver, resulting in the following regression:
+
+ # ip link add name br1 type bridge vlan_filtering 1
+ # bridge vlan add dev br1 vid 555 self pvid untagged
+ RTNETLINK answers: Invalid argument
+
+As long as the bridge driver does not fill notification info for the
+bridge device itself, an empty notification should not be considered as
+an error. This is explained in commit 59ccaaaa49b5 ("bridge: dont send
+notification when skb->len == 0 in rtnl_bridge_notify").
+
+Fix by removing the error and add a comment to avoid future bugs.
+
+Fixes: a8db57c1d285 ("rtnetlink: Fix missing error code in rtnl_bridge_notify()")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index bdeb169a7a99..0bad5db23129 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -4535,10 +4535,12 @@ static int rtnl_bridge_notify(struct net_device *dev)
+ if (err < 0)
+ goto errout;
+
+- if (!skb->len) {
+- err = -EINVAL;
++ /* Notification info is only filled for bridge ports, not the bridge
++ * device itself. Therefore, a zero notification length is valid and
++ * should not result in an error.
++ */
++ if (!skb->len)
+ goto errout;
+- }
+
+ rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, GFP_ATOMIC);
+ return 0;
+--
+2.30.2
+
--- /dev/null
+From 4f27127279f453a659be837dcc01d535e61ac677 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 19:40:31 +0300
+Subject: sch_cake: Fix out of bounds when parsing TCP options and header
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maxim Mikityanskiy <maximmi@nvidia.com>
+
+[ Upstream commit ba91c49dedbde758ba0b72f57ac90b06ddf8e548 ]
+
+The TCP option parser in cake qdisc (cake_get_tcpopt and
+cake_tcph_may_drop) could read one byte out of bounds. When the length
+is 1, the execution flow gets into the loop, reads one byte of the
+opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads
+one more byte, which exceeds the length of 1.
+
+This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
+out of bounds when parsing TCP options.").
+
+v2 changes:
+
+Added doff validation in cake_get_tcphdr to avoid parsing garbage as TCP
+header. Although it wasn't strictly an out-of-bounds access (memory was
+allocated), garbage values could be read where CAKE expected the TCP
+header if doff was smaller than 5.
+
+Cc: Young Xiao <92siuyang@gmail.com>
+Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter")
+Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_cake.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
+index 896c0562cb42..e8eebe40e0ae 100644
+--- a/net/sched/sch_cake.c
++++ b/net/sched/sch_cake.c
+@@ -907,7 +907,7 @@ static struct tcphdr *cake_get_tcphdr(const struct sk_buff *skb,
+ }
+
+ tcph = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
+- if (!tcph)
++ if (!tcph || tcph->doff < 5)
+ return NULL;
+
+ return skb_header_pointer(skb, offset,
+@@ -931,6 +931,8 @@ static const void *cake_get_tcpopt(const struct tcphdr *tcph,
+ length--;
+ continue;
+ }
++ if (length < 2)
++ break;
+ opsize = *ptr++;
+ if (opsize < 2 || opsize > length)
+ break;
+@@ -1068,6 +1070,8 @@ static bool cake_tcph_may_drop(const struct tcphdr *tcph,
+ length--;
+ continue;
+ }
++ if (length < 2)
++ break;
+ opsize = *ptr++;
+ if (opsize < 2 || opsize > length)
+ break;
+--
+2.30.2
+
afs-fix-an-is_err-vs-null-check.patch
mm-memory-failure-make-sure-wait-for-page-writeback-.patch
kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch
+batman-adv-avoid-warn_on-timing-related-checks.patch
+net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch
+vrf-fix-maximum-mtu.patch
+net-rds-fix-memory-leak-in-rds_recvmsg.patch
+net-lantiq-disable-interrupt-before-sheduling-napi.patch
+udp-fix-race-between-close-and-udp_abort.patch
+rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch
+net-sched-act_ct-handle-dnat-tuple-collision.patch
+net-mlx5e-remove-dependency-in-ipsec-initialization-.patch
+net-mlx5e-fix-page-reclaim-for-dead-peer-hairpin.patch
+net-mlx5-consider-roce-cap-before-init-rdma-resource.patch
+net-mlx5e-allow-tso-on-vxlan-over-vlan-topologies.patch
+net-mlx5e-block-offload-of-outer-header-csum-for-udp.patch
+netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch
+sch_cake-fix-out-of-bounds-when-parsing-tcp-options-.patch
+alx-fix-an-error-handling-path-in-alx_probe.patch
+net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch
+net-make-get_net_ns-return-error-if-net_ns-is-disabl.patch
+qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch
+netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch
+net-qrtr-fix-oob-read-in-qrtr_endpoint_post.patch
+ptp-improve-max_adj-check-against-unreasonable-value.patch
+net-cdc_ncm-switch-to-eth-d-interface-naming.patch
+lantiq-net-fix-duplicated-skb-in-rx-descriptor-ring.patch
+net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch
+net-fec_ptp-fix-issue-caused-by-refactor-the-fec_dev.patch
+net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch
+net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch
+be2net-fix-an-error-handling-path-in-be_probe.patch
+net-hamradio-fix-memory-leak-in-mkiss_close.patch
+net-cdc_eem-fix-tx-fixup-skb-leak.patch
+cxgb4-fix-wrong-shift.patch
+bnxt_en-rediscover-phy-capabilities-after-firmware-r.patch
+bnxt_en-call-bnxt_ethtool_free-in-bnxt_init_one-erro.patch
+icmp-don-t-send-out-icmp-messages-with-a-source-addr.patch
+net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch
--- /dev/null
+From 424f7927c1ed0c4a954fc03320368bd8d0e681d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 11:49:01 +0200
+Subject: udp: fix race between close() and udp_abort()
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit a8b897c7bcd47f4147d066e22cc01d1026d7640e ]
+
+Kaustubh reported and diagnosed a panic in udp_lib_lookup().
+The root cause is udp_abort() racing with close(). Both
+racing functions acquire the socket lock, but udp{v6}_destroy_sock()
+release it before performing destructive actions.
+
+We can't easily extend the socket lock scope to avoid the race,
+instead use the SOCK_DEAD flag to prevent udp_abort from doing
+any action when the critical race happens.
+
+Diagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org>
+Fixes: 5d77dca82839 ("net: diag: support SOCK_DESTROY for UDP sockets")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/udp.c | 10 ++++++++++
+ net/ipv6/udp.c | 3 +++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 24841a9e9966..4644f86c932f 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -2511,6 +2511,9 @@ void udp_destroy_sock(struct sock *sk)
+ {
+ struct udp_sock *up = udp_sk(sk);
+ bool slow = lock_sock_fast(sk);
++
++ /* protects from races with udp_abort() */
++ sock_set_flag(sk, SOCK_DEAD);
+ udp_flush_pending_frames(sk);
+ unlock_sock_fast(sk, slow);
+ if (static_branch_unlikely(&udp_encap_needed_key)) {
+@@ -2770,10 +2773,17 @@ int udp_abort(struct sock *sk, int err)
+ {
+ lock_sock(sk);
+
++ /* udp{v6}_destroy_sock() sets it under the sk lock, avoid racing
++ * with close()
++ */
++ if (sock_flag(sk, SOCK_DEAD))
++ goto out;
++
+ sk->sk_err = err;
+ sk->sk_error_report(sk);
+ __udp_disconnect(sk, 0);
+
++out:
+ release_sock(sk);
+
+ return 0;
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 6762430280f5..3c94b81bb459 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1539,6 +1539,9 @@ void udpv6_destroy_sock(struct sock *sk)
+ {
+ struct udp_sock *up = udp_sk(sk);
+ lock_sock(sk);
++
++ /* protects from races with udp_abort() */
++ sock_set_flag(sk, SOCK_DEAD);
+ udp_v6_flush_pending_frames(sk);
+ release_sock(sk);
+
+--
+2.30.2
+
--- /dev/null
+From b3ee103f019d3a836268244176dd451d064fc4e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jun 2021 16:59:51 +0200
+Subject: vrf: fix maximum MTU
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit 9bb392f62447d73cc7dd7562413a2cd9104c82f8 ]
+
+My initial goal was to fix the default MTU, which is set to 65536, ie above
+the maximum defined in the driver: 65535 (ETH_MAX_MTU).
+
+In fact, it's seems more consistent, wrt min_mtu, to set the max_mtu to
+IP6_MAX_MTU (65535 + sizeof(struct ipv6hdr)) and use it by default.
+
+Let's also, for consistency, set the mtu in vrf_setup(). This function
+calls ether_setup(), which set the mtu to 1500. Thus, the whole mtu config
+is done in the same function.
+
+Before the patch:
+$ ip link add blue type vrf table 1234
+$ ip link list blue
+9: blue: <NOARP,MASTER> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
+ link/ether fa:f5:27:70:24:2a brd ff:ff:ff:ff:ff:ff
+$ ip link set dev blue mtu 65535
+$ ip link set dev blue mtu 65536
+Error: mtu greater than device maximum.
+
+Fixes: 5055376a3b44 ("net: vrf: Fix ping failed when vrf mtu is set to 0")
+CC: Miaohe Lin <linmiaohe@huawei.com>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vrf.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
+index 14dfb9278345..1267786d2931 100644
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -908,9 +908,6 @@ static int vrf_dev_init(struct net_device *dev)
+
+ dev->flags = IFF_MASTER | IFF_NOARP;
+
+- /* MTU is irrelevant for VRF device; set to 64k similar to lo */
+- dev->mtu = 64 * 1024;
+-
+ /* similarly, oper state is irrelevant; set to up to avoid confusion */
+ dev->operstate = IF_OPER_UP;
+ return 0;
+@@ -1343,7 +1340,8 @@ static void vrf_setup(struct net_device *dev)
+ * which breaks networking.
+ */
+ dev->min_mtu = IPV6_MIN_MTU;
+- dev->max_mtu = ETH_MAX_MTU;
++ dev->max_mtu = IP6_MAX_MTU;
++ dev->mtu = dev->max_mtu;
+ }
+
+ static int vrf_validate(struct nlattr *tb[], struct nlattr *data[],
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
