5.16-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 18 Feb 2022 14:57:05 +0000 (15:57 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 18 Feb 2022 14:57:05 +0000 (15:57 +0100)
added patches:
atl1c-fix-tx-timeout-after-link-flap-on-mikrotik-10-25g-nic.patch
bonding-fix-data-races-around-agg_select_timer.patch
bonding-force-carrier-update-when-releasing-slave.patch
brcmfmac-firmware-fix-crash-in-brcm_alt_fw_path.patch
cfg80211-fix-race-in-netlink-owner-interface-destruction.patch
crypto-af_alg-get-rid-of-alg_memory_allocated.patch
dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch
dpaa2-switch-fix-default-return-of-dpaa2_switch_flower_parse_mirror_key.patch
drm-cma-helper-set-vm_dontexpand-for-mmap.patch
drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch
drm-i915-ttm-tweak-priority-hint-selection.patch
drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
ipv4-fix-data-races-in-fib_alias_hw_flags_set.patch
ipv6-fix-data-race-in-fib6_info_hw_flags_set-fib6_purge_rt.patch
ipv6-mcast-use-rcu-safe-version-of-ipv6_get_lladdr.patch
ipv6-per-netns-exclusive-flowlabel-checks.patch
iwlwifi-fix-iwl_legacy_rate_to_fw_idx.patch
iwlwifi-mvm-don-t-send-sar-geo-command-for-3160-devices.patch
iwlwifi-mvm-fix-condition-which-checks-the-version-of-rate_n_flags.patch
iwlwifi-pcie-fix-locking-when-hw-not-ready.patch
iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch
libsubcmd-fix-use-after-free-for-realloc-...-0.patch
mac80211-mlme-check-for-null-after-calling-kmemdup.patch
mctp-fix-use-after-free.patch
net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch
net-dsa-lan9303-add-vlan-ids-to-master-device.patch
net-dsa-lan9303-fix-reset-on-probe.patch
net-dsa-lan9303-handle-hwaccel-vlan-tags.patch
net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch
net-dsa-mv88e6xxx-flush-switchdev-fdb-workqueue-before-removing-vlan.patch
net-ieee802154-ca8210-fix-lifs-sifs-periods.patch
net-mscc-ocelot-fix-use-after-free-in-ocelot_vlan_del.patch
net-phy-mediatek-remove-phy-mode-check-on-mt7531.patch
net-smc-avoid-overwriting-the-copies-of-clcsock-callback-functions.patch
net_sched-add-__rcu-annotation-to-netdev-qdisc.patch
netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch
netfilter-xt_socket-fix-a-typo-in-socket_mt_destroy.patch
nfp-flower-netdev-offload-check-for-ip6gretap.patch
perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch
ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch
revert-net-ethernet-bgmac-use-devm_platform_ioremap_resource_byname.patch
selftests-exec-add-non-regular-to-test_gen_progs.patch
selftests-netfilter-disable-rp_filter-on-router.patch
selftests-netfilter-fix-exit-value-for-nft_concat_range.patch
tipc-fix-wrong-publisher-node-address-in-link-publications.patch

46 files changed:
queue-5.16/atl1c-fix-tx-timeout-after-link-flap-on-mikrotik-10-25g-nic.patch [new file with mode: 0644]
queue-5.16/bonding-fix-data-races-around-agg_select_timer.patch [new file with mode: 0644]
queue-5.16/bonding-force-carrier-update-when-releasing-slave.patch [new file with mode: 0644]
queue-5.16/brcmfmac-firmware-fix-crash-in-brcm_alt_fw_path.patch [new file with mode: 0644]
queue-5.16/cfg80211-fix-race-in-netlink-owner-interface-destruction.patch [new file with mode: 0644]
queue-5.16/crypto-af_alg-get-rid-of-alg_memory_allocated.patch [new file with mode: 0644]
queue-5.16/dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch [new file with mode: 0644]
queue-5.16/dpaa2-switch-fix-default-return-of-dpaa2_switch_flower_parse_mirror_key.patch [new file with mode: 0644]
queue-5.16/drm-cma-helper-set-vm_dontexpand-for-mmap.patch [new file with mode: 0644]
queue-5.16/drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch [new file with mode: 0644]
queue-5.16/drm-i915-ttm-tweak-priority-hint-selection.patch [new file with mode: 0644]
queue-5.16/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch [new file with mode: 0644]
queue-5.16/ipv4-fix-data-races-in-fib_alias_hw_flags_set.patch [new file with mode: 0644]
queue-5.16/ipv6-fix-data-race-in-fib6_info_hw_flags_set-fib6_purge_rt.patch [new file with mode: 0644]
queue-5.16/ipv6-mcast-use-rcu-safe-version-of-ipv6_get_lladdr.patch [new file with mode: 0644]
queue-5.16/ipv6-per-netns-exclusive-flowlabel-checks.patch [new file with mode: 0644]
queue-5.16/iwlwifi-fix-iwl_legacy_rate_to_fw_idx.patch [new file with mode: 0644]
queue-5.16/iwlwifi-mvm-don-t-send-sar-geo-command-for-3160-devices.patch [new file with mode: 0644]
queue-5.16/iwlwifi-mvm-fix-condition-which-checks-the-version-of-rate_n_flags.patch [new file with mode: 0644]
queue-5.16/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch [new file with mode: 0644]
queue-5.16/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch [new file with mode: 0644]
queue-5.16/libsubcmd-fix-use-after-free-for-realloc-...-0.patch [new file with mode: 0644]
queue-5.16/mac80211-mlme-check-for-null-after-calling-kmemdup.patch [new file with mode: 0644]
queue-5.16/mctp-fix-use-after-free.patch [new file with mode: 0644]
queue-5.16/net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch [new file with mode: 0644]
queue-5.16/net-dsa-lan9303-add-vlan-ids-to-master-device.patch [new file with mode: 0644]
queue-5.16/net-dsa-lan9303-fix-reset-on-probe.patch [new file with mode: 0644]
queue-5.16/net-dsa-lan9303-handle-hwaccel-vlan-tags.patch [new file with mode: 0644]
queue-5.16/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch [new file with mode: 0644]
queue-5.16/net-dsa-mv88e6xxx-flush-switchdev-fdb-workqueue-before-removing-vlan.patch [new file with mode: 0644]
queue-5.16/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch [new file with mode: 0644]
queue-5.16/net-mscc-ocelot-fix-use-after-free-in-ocelot_vlan_del.patch [new file with mode: 0644]
queue-5.16/net-phy-mediatek-remove-phy-mode-check-on-mt7531.patch [new file with mode: 0644]
queue-5.16/net-smc-avoid-overwriting-the-copies-of-clcsock-callback-functions.patch [new file with mode: 0644]
queue-5.16/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch [new file with mode: 0644]
queue-5.16/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch [new file with mode: 0644]
queue-5.16/netfilter-xt_socket-fix-a-typo-in-socket_mt_destroy.patch [new file with mode: 0644]
queue-5.16/nfp-flower-netdev-offload-check-for-ip6gretap.patch [new file with mode: 0644]
queue-5.16/perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch [new file with mode: 0644]
queue-5.16/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch [new file with mode: 0644]
queue-5.16/revert-net-ethernet-bgmac-use-devm_platform_ioremap_resource_byname.patch [new file with mode: 0644]
queue-5.16/selftests-exec-add-non-regular-to-test_gen_progs.patch [new file with mode: 0644]
queue-5.16/selftests-netfilter-disable-rp_filter-on-router.patch [new file with mode: 0644]
queue-5.16/selftests-netfilter-fix-exit-value-for-nft_concat_range.patch [new file with mode: 0644]
queue-5.16/series
queue-5.16/tipc-fix-wrong-publisher-node-address-in-link-publications.patch [new file with mode: 0644]

diff --git a/queue-5.16/atl1c-fix-tx-timeout-after-link-flap-on-mikrotik-10-25g-nic.patch b/queue-5.16/atl1c-fix-tx-timeout-after-link-flap-on-mikrotik-10-25g-nic.patch
new file mode 100644 (file)
index 0000000..391081c
--- /dev/null
@@ -0,0 +1,35 @@
+From bf8e59fd315f304eb538546e35de6dc603e4709f Mon Sep 17 00:00:00 2001
+From: Gatis Peisenieks <gatis@mikrotik.com>
+Date: Fri, 11 Feb 2022 08:51:23 +0200
+Subject: atl1c: fix tx timeout after link flap on Mikrotik 10/25G NIC
+
+From: Gatis Peisenieks <gatis@mikrotik.com>
+
+commit bf8e59fd315f304eb538546e35de6dc603e4709f upstream.
+
+If NIC had packets in tx queue at the moment link down event
+happened, it could result in tx timeout when link got back up.
+
+Since device has more than one tx queue we need to reset them
+accordingly.
+
+Fixes: 057f4af2b171 ("atl1c: add 4 RX/TX queue support for Mikrotik 10/25G NIC")
+Signed-off-by: Gatis Peisenieks <gatis@mikrotik.com>
+Link: https://lore.kernel.org/r/20220211065123.4187615-1-gatis@mikrotik.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/atheros/atl1c/atl1c_main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c
+@@ -900,7 +900,7 @@ static void atl1c_clean_tx_ring(struct a
+               atl1c_clean_buffer(pdev, buffer_info);
+       }
+-      netdev_reset_queue(adapter->netdev);
++      netdev_tx_reset_queue(netdev_get_tx_queue(adapter->netdev, queue));
+       /* Zero out Tx-buffers */
+       memset(tpd_ring->desc, 0, sizeof(struct atl1c_tpd_desc) *
diff --git a/queue-5.16/bonding-fix-data-races-around-agg_select_timer.patch b/queue-5.16/bonding-fix-data-races-around-agg_select_timer.patch
new file mode 100644 (file)
index 0000000..db64830
--- /dev/null
@@ -0,0 +1,138 @@
+From 9ceaf6f76b203682bb6100e14b3d7da4c0bedde8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 14 Feb 2022 11:15:53 -0800
+Subject: bonding: fix data-races around agg_select_timer
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 9ceaf6f76b203682bb6100e14b3d7da4c0bedde8 upstream.
+
+syzbot reported that two threads might write over agg_select_timer
+at the same time. Make agg_select_timer atomic to fix the races.
+
+BUG: KCSAN: data-race in bond_3ad_initiate_agg_selection / bond_3ad_state_machine_handler
+
+read to 0xffff8881242aea90 of 4 bytes by task 1846 on cpu 1:
+ bond_3ad_state_machine_handler+0x99/0x2810 drivers/net/bonding/bond_3ad.c:2317
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ worker_thread+0x616/0xa70 kernel/workqueue.c:2454
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+write to 0xffff8881242aea90 of 4 bytes by task 25910 on cpu 0:
+ bond_3ad_initiate_agg_selection+0x18/0x30 drivers/net/bonding/bond_3ad.c:1998
+ bond_open+0x658/0x6f0 drivers/net/bonding/bond_main.c:3967
+ __dev_open+0x274/0x3a0 net/core/dev.c:1407
+ dev_open+0x54/0x190 net/core/dev.c:1443
+ bond_enslave+0xcef/0x3000 drivers/net/bonding/bond_main.c:1937
+ do_set_master net/core/rtnetlink.c:2532 [inline]
+ do_setlink+0x94f/0x2500 net/core/rtnetlink.c:2736
+ __rtnl_newlink net/core/rtnetlink.c:3414 [inline]
+ rtnl_newlink+0xfeb/0x13e0 net/core/rtnetlink.c:3529
+ rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5594
+ netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494
+ rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612
+ netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+ netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343
+ netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:705 [inline]
+ sock_sendmsg net/socket.c:725 [inline]
+ ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
+ ___sys_sendmsg net/socket.c:2467 [inline]
+ __sys_sendmsg+0x195/0x230 net/socket.c:2496
+ __do_sys_sendmsg net/socket.c:2505 [inline]
+ __se_sys_sendmsg net/socket.c:2503 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x00000050 -> 0x0000004f
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 25910 Comm: syz-executor.1 Tainted: G        W         5.17.0-rc4-syzkaller-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_3ad.c |   30 +++++++++++++++++++++++++-----
+ include/net/bond_3ad.h         |    2 +-
+ 2 files changed, 26 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/bonding/bond_3ad.c
++++ b/drivers/net/bonding/bond_3ad.c
+@@ -225,7 +225,7 @@ static inline int __check_agg_selection_
+       if (bond == NULL)
+               return 0;
+-      return BOND_AD_INFO(bond).agg_select_timer ? 1 : 0;
++      return atomic_read(&BOND_AD_INFO(bond).agg_select_timer) ? 1 : 0;
+ }
+ /**
+@@ -1995,7 +1995,7 @@ static void ad_marker_response_received(
+  */
+ void bond_3ad_initiate_agg_selection(struct bonding *bond, int timeout)
+ {
+-      BOND_AD_INFO(bond).agg_select_timer = timeout;
++      atomic_set(&BOND_AD_INFO(bond).agg_select_timer, timeout);
+ }
+ /**
+@@ -2279,6 +2279,28 @@ void bond_3ad_update_ad_actor_settings(s
+ }
+ /**
++ * bond_agg_timer_advance - advance agg_select_timer
++ * @bond:  bonding structure
++ *
++ * Return true when agg_select_timer reaches 0.
++ */
++static bool bond_agg_timer_advance(struct bonding *bond)
++{
++      int val, nval;
++
++      while (1) {
++              val = atomic_read(&BOND_AD_INFO(bond).agg_select_timer);
++              if (!val)
++                      return false;
++              nval = val - 1;
++              if (atomic_cmpxchg(&BOND_AD_INFO(bond).agg_select_timer,
++                                 val, nval) == val)
++                      break;
++      }
++      return nval == 0;
++}
++
++/**
+  * bond_3ad_state_machine_handler - handle state machines timeout
+  * @work: work context to fetch bonding struct to work on from
+  *
+@@ -2313,9 +2335,7 @@ void bond_3ad_state_machine_handler(stru
+       if (!bond_has_slaves(bond))
+               goto re_arm;
+-      /* check if agg_select_timer timer after initialize is timed out */
+-      if (BOND_AD_INFO(bond).agg_select_timer &&
+-          !(--BOND_AD_INFO(bond).agg_select_timer)) {
++      if (bond_agg_timer_advance(bond)) {
+               slave = bond_first_slave_rcu(bond);
+               port = slave ? &(SLAVE_AD_INFO(slave)->port) : NULL;
+--- a/include/net/bond_3ad.h
++++ b/include/net/bond_3ad.h
+@@ -262,7 +262,7 @@ struct ad_system {
+ struct ad_bond_info {
+       struct ad_system system;        /* 802.3ad system structure */
+       struct bond_3ad_stats stats;
+-      u32 agg_select_timer;           /* Timer to select aggregator after all adapter's hand shakes */
++      atomic_t agg_select_timer;              /* Timer to select aggregator after all adapter's hand shakes */
+       u16 aggregator_identifier;
+ };
diff --git a/queue-5.16/bonding-force-carrier-update-when-releasing-slave.patch b/queue-5.16/bonding-force-carrier-update-when-releasing-slave.patch
new file mode 100644 (file)
index 0000000..bf6657b
--- /dev/null
@@ -0,0 +1,49 @@
+From a6ab75cec1e461f8a35559054c146c21428430b8 Mon Sep 17 00:00:00 2001
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+Date: Wed, 16 Feb 2022 22:18:08 +0800
+Subject: bonding: force carrier update when releasing slave
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+commit a6ab75cec1e461f8a35559054c146c21428430b8 upstream.
+
+In __bond_release_one(), bond_set_carrier() is only called when bond
+device has no slave. Therefore, if we remove the up slave from a master
+with two slaves and keep the down slave, the master will remain up.
+
+Fix this by moving bond_set_carrier() out of if (!bond_has_slaves(bond))
+statement.
+
+Reproducer:
+$ insmod bonding.ko mode=0 miimon=100 max_bonds=2
+$ ifconfig bond0 up
+$ ifenslave bond0 eth0 eth1
+$ ifconfig eth0 down
+$ ifenslave -d bond0 eth1
+$ cat /proc/net/bonding/bond0
+
+Fixes: ff59c4563a8d ("[PATCH] bonding: support carrier state for master")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Link: https://lore.kernel.org/r/1645021088-38370-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2377,10 +2377,9 @@ static int __bond_release_one(struct net
+               bond_select_active_slave(bond);
+       }
+-      if (!bond_has_slaves(bond)) {
+-              bond_set_carrier(bond);
++      bond_set_carrier(bond);
++      if (!bond_has_slaves(bond))
+               eth_hw_addr_random(bond_dev);
+-      }
+       unblock_netpoll_tx();
+       synchronize_rcu();
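Review bot: The now-unconditional `bond_set_carrier(bond);` in `__bond_release_one()` has no comment saying why carrier is recomputed while slaves remain, so the reasoning lives only in the commit message and a later cleanup could fold the call back into the `if`. A one-line comment above the call would keep it, for example `/* recompute carrier even if slaves remain: the released one may have been the only slave that was up */`. The function starts and ends outside the hunk.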
diff --git a/queue-5.16/brcmfmac-firmware-fix-crash-in-brcm_alt_fw_path.patch b/queue-5.16/brcmfmac-firmware-fix-crash-in-brcm_alt_fw_path.patch
new file mode 100644 (file)
index 0000000..ac3fa8f
--- /dev/null
@@ -0,0 +1,49 @@
+From 665408f4c3a5c83e712871daa062721624b2b79e Mon Sep 17 00:00:00 2001
+From: Phil Elwell <phil@raspberrypi.com>
+Date: Tue, 18 Jan 2022 15:45:14 +0000
+Subject: brcmfmac: firmware: Fix crash in brcm_alt_fw_path
+
+From: Phil Elwell <phil@raspberrypi.com>
+
+commit 665408f4c3a5c83e712871daa062721624b2b79e upstream.
+
+The call to brcm_alt_fw_path in brcmf_fw_get_firmwares is not protected
+by a check to the validity of the fwctx->req->board_type pointer. This
+results in a crash in strlcat when, for example, the WLAN chip is found
+in a USB dongle.
+
+Prevent the crash by adding the necessary check.
+
+See: https://github.com/raspberrypi/linux/issues/4833
+
+Fixes: 5ff013914c62 ("brcmfmac: firmware: Allow per-board firmware binaries")
+Signed-off-by: Phil Elwell <phil@raspberrypi.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220118154514.3245524-1-phil@raspberrypi.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+@@ -693,7 +693,7 @@ int brcmf_fw_get_firmwares(struct device
+ {
+       struct brcmf_fw_item *first = &req->items[0];
+       struct brcmf_fw *fwctx;
+-      char *alt_path;
++      char *alt_path = NULL;
+       int ret;
+       brcmf_dbg(TRACE, "enter: dev=%s\n", dev_name(dev));
+@@ -712,7 +712,9 @@ int brcmf_fw_get_firmwares(struct device
+       fwctx->done = fw_cb;
+       /* First try alternative board-specific path if any */
+-      alt_path = brcm_alt_fw_path(first->path, fwctx->req->board_type);
++      if (fwctx->req->board_type)
++              alt_path = brcm_alt_fw_path(first->path,
++                                          fwctx->req->board_type);
+       if (alt_path) {
+               ret = request_firmware_nowait(THIS_MODULE, true, alt_path,
+                                             fwctx->dev, GFP_KERNEL, fwctx,
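Review bot: The new `if (fwctx->req->board_type)` guard protects only this one call in `brcmf_fw_get_firmwares()`; `brcm_alt_fw_path()` itself still accepts a NULL `board_type`, which per the commit message ends in a crash inside `strlcat`. Putting the check in the helper, `if (!board_type) return NULL;` as its first statement, would cover every present and future caller and make the call-site test unnecessary. The helper's body and its other callers, if any, are not in this hunk, so that needs confirming against the full file. `brcmf_fw_get_firmwares()` continues past the end of the hunk.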
diff --git a/queue-5.16/cfg80211-fix-race-in-netlink-owner-interface-destruction.patch b/queue-5.16/cfg80211-fix-race-in-netlink-owner-interface-destruction.patch
new file mode 100644 (file)
index 0000000..e3e7ff6
--- /dev/null
@@ -0,0 +1,81 @@
+From f0a6fd1527067da537e9c48390237488719948ed Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 1 Feb 2022 14:09:51 +0100
+Subject: cfg80211: fix race in netlink owner interface destruction
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit f0a6fd1527067da537e9c48390237488719948ed upstream.
+
+My previous fix here to fix the deadlock left a race where
+the exact same deadlock (see the original commit referenced
+below) can still happen if cfg80211_destroy_ifaces() already
+runs while nl80211_netlink_notify() is still marking some
+interfaces as nl_owner_dead.
+
+The race happens because we have two loops here - first we
+dev_close() all the netdevs, and then we destroy them. If we
+also have two netdevs (first one need only be a wdev though)
+then we can find one during the first iteration, close it,
+and go to the second iteration -- but then find two, and try
+to destroy also the one we didn't close yet.
+
+Fix this by only iterating once.
+
+Reported-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Fixes: ea6b2098dd02 ("cfg80211: fix locking in netlink owner interface destruction")
+Tested-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Link: https://lore.kernel.org/r/20220201130951.22093-1-johannes@sipsolutions.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/core.c |   17 ++++-------------
+ 1 file changed, 4 insertions(+), 13 deletions(-)
+
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -5,7 +5,7 @@
+  * Copyright 2006-2010                Johannes Berg <johannes@sipsolutions.net>
+  * Copyright 2013-2014  Intel Mobile Communications GmbH
+  * Copyright 2015-2017        Intel Deutschland GmbH
+- * Copyright (C) 2018-2021 Intel Corporation
++ * Copyright (C) 2018-2022 Intel Corporation
+  */
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+@@ -332,29 +332,20 @@ static void cfg80211_event_work(struct w
+ void cfg80211_destroy_ifaces(struct cfg80211_registered_device *rdev)
+ {
+       struct wireless_dev *wdev, *tmp;
+-      bool found = false;
+       ASSERT_RTNL();
+-      list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
++      list_for_each_entry_safe(wdev, tmp, &rdev->wiphy.wdev_list, list) {
+               if (wdev->nl_owner_dead) {
+                       if (wdev->netdev)
+                               dev_close(wdev->netdev);
+-                      found = true;
+-              }
+-      }
+-
+-      if (!found)
+-              return;
+-      wiphy_lock(&rdev->wiphy);
+-      list_for_each_entry_safe(wdev, tmp, &rdev->wiphy.wdev_list, list) {
+-              if (wdev->nl_owner_dead) {
++                      wiphy_lock(&rdev->wiphy);
+                       cfg80211_leave(rdev, wdev);
+                       rdev_del_virtual_intf(rdev, wdev);
++                      wiphy_unlock(&rdev->wiphy);
+               }
+       }
+-      wiphy_unlock(&rdev->wiphy);
+ }
+ static void cfg80211_destroy_iface_wk(struct work_struct *work)
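Review bot: The single-pass loop in `cfg80211_destroy_ifaces()` now takes and drops `wiphy_lock` per entry and calls `dev_close()` outside it, but nothing in the function documents that ordering, which is the whole fix. The list walk itself is left to rely on RTNL (the `ASSERT_RTNL()` above) and on `list_for_each_entry_safe`, which only tolerates removal of the current entry. A comment above the loop would record this, e.g. `/* one pass under RTNL: close each dead-owner wdev, then destroy it under wiphy_lock, so no wdev is destroyed before it was closed */`. Whether anything can unlink the saved next entry while the wiphy lock is dropped cannot be judged from the hunk and is worth confirming.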
diff --git a/queue-5.16/crypto-af_alg-get-rid-of-alg_memory_allocated.patch b/queue-5.16/crypto-af_alg-get-rid-of-alg_memory_allocated.patch
new file mode 100644 (file)
index 0000000..4d24cdb
--- /dev/null
@@ -0,0 +1,97 @@
+From 25206111512de994dfc914f5b2972a22aa904ef3 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 13 Feb 2022 11:06:07 -0800
+Subject: crypto: af_alg - get rid of alg_memory_allocated
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 25206111512de994dfc914f5b2972a22aa904ef3 upstream.
+
+alg_memory_allocated does not seem to be really used.
+
+alg_proto does have a .memory_allocated field, but no
+corresponding .sysctl_mem.
+
+This means sk_has_account() returns true, but all sk_prot_mem_limits()
+users will trigger a NULL dereference [1].
+
+THis was not a problem until SO_RESERVE_MEM addition.
+
+general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+CPU: 1 PID: 3591 Comm: syz-executor153 Not tainted 5.17.0-rc3-syzkaller-00316-gb81b1829e7e3 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]
+RIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000
+Code: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48
+RSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202
+RAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000
+RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120
+RBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025
+R10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840
+R13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001
+FS:  0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ sock_setsockopt+0x14a9/0x3a30 net/core/sock.c:1446
+ __sys_setsockopt+0x5af/0x980 net/socket.c:2176
+ __do_sys_setsockopt net/socket.c:2191 [inline]
+ __se_sys_setsockopt net/socket.c:2188 [inline]
+ __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2188
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7fc7440fddc9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffe98f07968 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc7440fddc9
+RDX: 0000000000000049 RSI: 0000000000000001 RDI: 0000000000000004
+RBP: 0000000000000000 R08: 0000000000000004 R09: 00007ffe98f07990
+R10: 0000000020000000 R11: 0000000000000246 R12: 00007ffe98f0798c
+R13: 00007ffe98f079a0 R14: 00007ffe98f079e0 R15: 0000000000000000
+ </TASK>
+Modules linked in:
+---[ end trace 0000000000000000 ]---
+RIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]
+RIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000
+Code: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48
+RSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202
+RAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000
+RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120
+RBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025
+R10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840
+R13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001
+FS:  0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+
+Fixes: 2bb2f5fb21b0 ("net: add new socket option SO_RESERVE_MEM")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Wei Wang <weiwan@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/af_alg.c |    3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -25,12 +25,9 @@ struct alg_type_list {
+       struct list_head list;
+ };
+-static atomic_long_t alg_memory_allocated;
+-
+ static struct proto alg_proto = {
+       .name                   = "ALG",
+       .owner                  = THIS_MODULE,
+-      .memory_allocated       = &alg_memory_allocated,
+       .obj_size               = sizeof(struct alg_sock),
+ };
diff --git a/queue-5.16/dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch b/queue-5.16/dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch
new file mode 100644 (file)
index 0000000..13221bd
--- /dev/null
@@ -0,0 +1,37 @@
+From 07dd44852be89386ab12210df90a2d78779f3bff Mon Sep 17 00:00:00 2001
+From: Radu Bulie <radu-andrei.bulie@nxp.com>
+Date: Mon, 14 Feb 2022 19:45:34 +0200
+Subject: dpaa2-eth: Initialize mutex used in one step timestamping path
+
+From: Radu Bulie <radu-andrei.bulie@nxp.com>
+
+commit 07dd44852be89386ab12210df90a2d78779f3bff upstream.
+
+1588 Single Step Timestamping code path uses a mutex to
+enforce atomicity for two events:
+- update of ptp single step register
+- transmit ptp event packet
+
+Before this patch the mutex was not initialized. This
+caused unexpected crashes in the Tx function.
+
+Fixes: c55211892f463 ("dpaa2-eth: support PTP Sync packet one-step timestamping")
+Signed-off-by: Radu Bulie <radu-andrei.bulie@nxp.com>
+Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -4338,7 +4338,7 @@ static int dpaa2_eth_probe(struct fsl_mc
+       }
+       INIT_WORK(&priv->tx_onestep_tstamp, dpaa2_eth_tx_onestep_tstamp);
+-
++      mutex_init(&priv->onestep_tstamp_lock);
+       skb_queue_head_init(&priv->tx_skbs);
+       priv->rx_copybreak = DPAA2_ETH_DEFAULT_COPYBREAK;
diff --git a/queue-5.16/dpaa2-switch-fix-default-return-of-dpaa2_switch_flower_parse_mirror_key.patch b/queue-5.16/dpaa2-switch-fix-default-return-of-dpaa2_switch_flower_parse_mirror_key.patch
new file mode 100644 (file)
index 0000000..d814365
--- /dev/null
@@ -0,0 +1,49 @@
+From 2a36ed7c1cd55742503bed81d2cc0ea83bd0ad0c Mon Sep 17 00:00:00 2001
+From: Tom Rix <trix@redhat.com>
+Date: Mon, 14 Feb 2022 07:41:39 -0800
+Subject: dpaa2-switch: fix default return of dpaa2_switch_flower_parse_mirror_key
+
+From: Tom Rix <trix@redhat.com>
+
+commit 2a36ed7c1cd55742503bed81d2cc0ea83bd0ad0c upstream.
+
+Clang static analysis reports this representative problem
+dpaa2-switch-flower.c:616:24: warning: The right operand of '=='
+  is a garbage value
+  tmp->cfg.vlan_id == vlan) {
+                   ^  ~~~~
+vlan is set in dpaa2_switch_flower_parse_mirror_key(). However
+this function can return success without setting vlan.  So
+change the default return to -EOPNOTSUPP.
+
+Fixes: 0f3faece5808 ("dpaa2-switch: add VLAN based mirroring")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-switch-flower.c
+@@ -532,6 +532,7 @@ static int dpaa2_switch_flower_parse_mir
+       struct flow_rule *rule = flow_cls_offload_flow_rule(cls);
+       struct flow_dissector *dissector = rule->match.dissector;
+       struct netlink_ext_ack *extack = cls->common.extack;
++      int ret = -EOPNOTSUPP;
+       if (dissector->used_keys &
+           ~(BIT(FLOW_DISSECTOR_KEY_BASIC) |
+@@ -561,9 +562,10 @@ static int dpaa2_switch_flower_parse_mir
+               }
+               *vlan = (u16)match.key->vlan_id;
++              ret = 0;
+       }
+-      return 0;
++      return ret;
+ }
+ static int
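Review bot: The new default `-EOPNOTSUPP` from `dpaa2_switch_flower_parse_mirror_key()` is returned without an extack message when the rule carries no VLAN key, so user space gets a bare error code. `extack` is already in scope in the first hunk, so the final return could set one first: `if (ret) NL_SET_ERR_MSG_MOD(extack, "Mirroring requires a VLAN match");` ahead of `return ret;` (the wording is only a suggestion). Most of the function lies between and outside the two hunks, so the existing error paths and their messages should be checked for consistency.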
diff --git a/queue-5.16/drm-cma-helper-set-vm_dontexpand-for-mmap.patch b/queue-5.16/drm-cma-helper-set-vm_dontexpand-for-mmap.patch
new file mode 100644 (file)
index 0000000..1e1fde7
--- /dev/null
@@ -0,0 +1,43 @@
+From 59f39bfa6553d598cb22f694d45e89547f420d85 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Wed, 13 Oct 2021 10:36:54 -0400
+Subject: drm/cma-helper: Set VM_DONTEXPAND for mmap
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit 59f39bfa6553d598cb22f694d45e89547f420d85 upstream.
+
+drm_gem_cma_mmap() cannot assume every implementation of dma_mmap_wc()
+will end up calling remap_pfn_range() (which happens to set the relevant
+vma flag, among others), so in order to make sure expectations around
+VM_DONTEXPAND are met, let it explicitly set the flag like most other
+GEM mmap implementations do.
+
+This avoids repeated warnings on a small minority of systems where the
+display is behind an IOMMU, and has a simple driver which does not
+override drm_gem_cma_default_funcs. Arm hdlcd is an in-tree affected
+driver. Out-of-tree, the Apple DCP driver is affected; this fix is
+required for DCP to be mainlined.
+
+[Alyssa: Update commit message.]
+
+Fixes: c40069cb7bd6 ("drm: add mmap() to drm_gem_object_funcs")
+Acked-by: Daniel Vetter <daniel@ffwll.ch>
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Alyssa Rosenzweig <alyssa.rosenzweig@collabora.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211013143654.39031-1-alyssa@rosenzweig.io
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_gem_cma_helper.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/drm_gem_cma_helper.c
++++ b/drivers/gpu/drm/drm_gem_cma_helper.c
+@@ -518,6 +518,7 @@ int drm_gem_cma_mmap(struct drm_gem_obje
+        */
+       vma->vm_pgoff -= drm_vma_node_start(&obj->vma_node);
+       vma->vm_flags &= ~VM_PFNMAP;
++      vma->vm_flags |= VM_DONTEXPAND;
+       cma_obj = to_drm_gem_cma_obj(obj);
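Review bot: The added `vma->vm_flags |= VM_DONTEXPAND;` in drm_gem_cma_mmap() has no comment saying why the flag is set by hand. According to the commit message it used to be set only as a side effect of remap_pfn_range(), which not every dma_mmap_wc() implementation reaches. I would record that next to the line: `/* dma_mmap_wc() may not go through remap_pfn_range(); set VM_DONTEXPAND here so the mapping cannot be grown with mremap() */`. The function starts and ends outside the hunk, so the rest of the mmap path is not reviewed here.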
diff --git a/queue-5.16/drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch b/queue-5.16/drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch
new file mode 100644 (file)
index 0000000..f73f663
--- /dev/null
@@ -0,0 +1,33 @@
+From d72d69abfdb6e0375981cfdda8eb45143f12c77d Mon Sep 17 00:00:00 2001
+From: Siva Mullati <siva.mullati@intel.com>
+Date: Fri, 7 Jan 2022 15:22:35 +0530
+Subject: drm/i915/gvt: Make DRM_I915_GVT depend on X86
+
+From: Siva Mullati <siva.mullati@intel.com>
+
+commit d72d69abfdb6e0375981cfdda8eb45143f12c77d upstream.
+
+GVT is not supported on non-x86 platforms, So add
+dependency of X86 on config parameter DRM_I915_GVT.
+
+Fixes: 0ad35fed618c ("drm/i915: gvt: Introduce the basic architecture of GVT-g")
+Signed-off-by: Siva Mullati <siva.mullati@intel.com>
+Signed-off-by: Zhi Wang <zhi.a.wang@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20220107095235.243448-1-siva.mullati@intel.com
+Reviewed-by: Zhi Wang <zhi.a.wang@intel.com>
+Signed-off-by: Zhi Wang <zhi.a.wang@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/i915/Kconfig
++++ b/drivers/gpu/drm/i915/Kconfig
+@@ -101,6 +101,7 @@ config DRM_I915_USERPTR
+ config DRM_I915_GVT
+       bool "Enable Intel GVT-g graphics virtualization host support"
+       depends on DRM_I915
++      depends on X86
+       depends on 64BIT
+       default n
+       help
diff --git a/queue-5.16/drm-i915-ttm-tweak-priority-hint-selection.patch b/queue-5.16/drm-i915-ttm-tweak-priority-hint-selection.patch
new file mode 100644 (file)
index 0000000..eefab46
--- /dev/null
@@ -0,0 +1,46 @@
+From 0bdc0a0699929c814a8aecd55d2accb8c11beae2 Mon Sep 17 00:00:00 2001
+From: Matthew Auld <matthew.auld@intel.com>
+Date: Wed, 9 Feb 2022 11:16:52 +0000
+Subject: drm/i915/ttm: tweak priority hint selection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Auld <matthew.auld@intel.com>
+
+commit 0bdc0a0699929c814a8aecd55d2accb8c11beae2 upstream.
+
+For some reason we are selecting PRIO_HAS_PAGES when we don't have
+mm.pages, and vice versa.
+
+v2(Thomas):
+  - Add missing fixes tag
+
+Fixes: 213d50927763 ("drm/i915/ttm: Introduce a TTM i915 gem object backend")
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20220209111652.468762-1-matthew.auld@intel.com
+(cherry picked from commit ba2c5d15022a565da187d90e2fe44768e33e5034)
+Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_ttm.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
+@@ -787,11 +787,9 @@ static void i915_ttm_adjust_lru(struct d
+       if (obj->mm.madv != I915_MADV_WILLNEED) {
+               bo->priority = I915_TTM_PRIO_PURGE;
+       } else if (!i915_gem_object_has_pages(obj)) {
+-              if (bo->priority < I915_TTM_PRIO_HAS_PAGES)
+-                      bo->priority = I915_TTM_PRIO_HAS_PAGES;
++              bo->priority = I915_TTM_PRIO_NO_PAGES;
+       } else {
+-              if (bo->priority > I915_TTM_PRIO_NO_PAGES)
+-                      bo->priority = I915_TTM_PRIO_NO_PAGES;
++              bo->priority = I915_TTM_PRIO_HAS_PAGES;
+       }
+       ttm_bo_move_to_lru_tail(bo, bo->resource, NULL);
diff --git a/queue-5.16/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch b/queue-5.16/drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
new file mode 100644 (file)
index 0000000..cd2d0d3
--- /dev/null
@@ -0,0 +1,103 @@
+From dcd54265c8bc14bd023815e36e2d5f9d66ee1fee Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 10 Feb 2022 09:13:31 -0800
+Subject: drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit dcd54265c8bc14bd023815e36e2d5f9d66ee1fee upstream.
+
+trace_napi_poll_hit() is reading stat->dev while another thread can write
+on it from dropmon_net_event()
+
+Use READ_ONCE()/WRITE_ONCE() here, RCU rules are properly enforced already,
+we only have to take care of load/store tearing.
+
+BUG: KCSAN: data-race in dropmon_net_event / trace_napi_poll_hit
+
+write to 0xffff88816f3ab9c0 of 8 bytes by task 20260 on cpu 1:
+ dropmon_net_event+0xb8/0x2b0 net/core/drop_monitor.c:1579
+ notifier_call_chain kernel/notifier.c:84 [inline]
+ raw_notifier_call_chain+0x53/0xb0 kernel/notifier.c:392
+ call_netdevice_notifiers_info net/core/dev.c:1919 [inline]
+ call_netdevice_notifiers_extack net/core/dev.c:1931 [inline]
+ call_netdevice_notifiers net/core/dev.c:1945 [inline]
+ unregister_netdevice_many+0x867/0xfb0 net/core/dev.c:10415
+ ip_tunnel_delete_nets+0x24a/0x280 net/ipv4/ip_tunnel.c:1123
+ vti_exit_batch_net+0x2a/0x30 net/ipv4/ip_vti.c:515
+ ops_exit_list net/core/net_namespace.c:173 [inline]
+ cleanup_net+0x4dc/0x8d0 net/core/net_namespace.c:597
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ worker_thread+0x616/0xa70 kernel/workqueue.c:2454
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+read to 0xffff88816f3ab9c0 of 8 bytes by interrupt on cpu 0:
+ trace_napi_poll_hit+0x89/0x1c0 net/core/drop_monitor.c:292
+ trace_napi_poll include/trace/events/napi.h:14 [inline]
+ __napi_poll+0x36b/0x3f0 net/core/dev.c:6366
+ napi_poll net/core/dev.c:6432 [inline]
+ net_rx_action+0x29e/0x650 net/core/dev.c:6519
+ __do_softirq+0x158/0x2de kernel/softirq.c:558
+ do_softirq+0xb1/0xf0 kernel/softirq.c:459
+ __local_bh_enable_ip+0x68/0x70 kernel/softirq.c:383
+ __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
+ _raw_spin_unlock_bh+0x33/0x40 kernel/locking/spinlock.c:210
+ spin_unlock_bh include/linux/spinlock.h:394 [inline]
+ ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]
+ wg_packet_decrypt_worker+0x73c/0x780 drivers/net/wireguard/receive.c:506
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ worker_thread+0x616/0xa70 kernel/workqueue.c:2454
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+value changed: 0xffff88815883e000 -> 0x0000000000000000
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 26435 Comm: kworker/0:1 Not tainted 5.17.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: wg-crypt-wg2 wg_packet_decrypt_worker
+
+Fixes: 4ea7e38696c7 ("dropmon: add ability to detect when hardware dropsrxpackets")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/drop_monitor.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/core/drop_monitor.c
++++ b/net/core/drop_monitor.c
+@@ -280,13 +280,17 @@ static void trace_napi_poll_hit(void *ig
+       rcu_read_lock();
+       list_for_each_entry_rcu(new_stat, &hw_stats_list, list) {
++              struct net_device *dev;
++
+               /*
+                * only add a note to our monitor buffer if:
+                * 1) this is the dev we received on
+                * 2) its after the last_rx delta
+                * 3) our rx_dropped count has gone up
+                */
+-              if ((new_stat->dev == napi->dev)  &&
++              /* Paired with WRITE_ONCE() in dropmon_net_event() */
++              dev = READ_ONCE(new_stat->dev);
++              if ((dev == napi->dev)  &&
+                   (time_after(jiffies, new_stat->last_rx + dm_hw_check_delta)) &&
+                   (napi->dev->stats.rx_dropped != new_stat->last_drop_val)) {
+                       trace_drop_common(NULL, NULL);
+@@ -1572,7 +1576,10 @@ static int dropmon_net_event(struct noti
+               mutex_lock(&net_dm_mutex);
+               list_for_each_entry_safe(new_stat, tmp, &hw_stats_list, list) {
+                       if (new_stat->dev == dev) {
+-                              new_stat->dev = NULL;
++
++                              /* Paired with READ_ONCE() in trace_napi_poll_hit() */
++                              WRITE_ONCE(new_stat->dev, NULL);
++
+                               if (trace_state == TRACE_OFF) {
+                                       list_del_rcu(&new_stat->list);
+                                       kfree_rcu(new_stat, rcu);
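Review bot: In the trace_napi_poll_hit() hunk only `new_stat->dev` is annotated, while `new_stat->last_rx` and `new_stat->last_drop_val` are still read with plain loads in the same condition. If those two fields are also stored from this RCU read-side path (the stores are outside the hunk), polls of the same device on different CPUs could race on them in the same way. They would then need `READ_ONCE()` in the condition and `WRITE_ONCE()` at the stores, or a short comment such as `/* last_rx/last_drop_val races are benign: worst case is one extra or one missed note */` if the race is accepted. The plain `new_stat->dev == dev` load in dropmon_net_event() looks fine, since the store it could race with is made under the same `net_dm_mutex`.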
diff --git a/queue-5.16/ipv4-fix-data-races-in-fib_alias_hw_flags_set.patch b/queue-5.16/ipv4-fix-data-races-in-fib_alias_hw_flags_set.patch
new file mode 100644 (file)
index 0000000..a02bf24
--- /dev/null
@@ -0,0 +1,159 @@
+From 9fcf986cc4bc6a3a39f23fbcbbc3a9e52d3c24fd Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 16 Feb 2022 09:32:16 -0800
+Subject: ipv4: fix data races in fib_alias_hw_flags_set
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 9fcf986cc4bc6a3a39f23fbcbbc3a9e52d3c24fd upstream.
+
+fib_alias_hw_flags_set() can be used by concurrent threads,
+and is only RCU protected.
+
+We need to annotate accesses to following fields of struct fib_alias:
+
+    offload, trap, offload_failed
+
+Because of READ_ONCE()WRITE_ONCE() limitations, make these
+field u8.
+
+BUG: KCSAN: data-race in fib_alias_hw_flags_set / fib_alias_hw_flags_set
+
+read to 0xffff888134224a6a of 1 bytes by task 2013 on cpu 1:
+ fib_alias_hw_flags_set+0x28a/0x470 net/ipv4/fib_trie.c:1050
+ nsim_fib4_rt_hw_flags_set drivers/net/netdevsim/fib.c:350 [inline]
+ nsim_fib4_rt_add drivers/net/netdevsim/fib.c:367 [inline]
+ nsim_fib4_rt_insert drivers/net/netdevsim/fib.c:429 [inline]
+ nsim_fib4_event drivers/net/netdevsim/fib.c:461 [inline]
+ nsim_fib_event drivers/net/netdevsim/fib.c:881 [inline]
+ nsim_fib_event_work+0x1852/0x2cf0 drivers/net/netdevsim/fib.c:1477
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ process_scheduled_works kernel/workqueue.c:2370 [inline]
+ worker_thread+0x7df/0xa70 kernel/workqueue.c:2456
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+write to 0xffff888134224a6a of 1 bytes by task 4872 on cpu 0:
+ fib_alias_hw_flags_set+0x2d5/0x470 net/ipv4/fib_trie.c:1054
+ nsim_fib4_rt_hw_flags_set drivers/net/netdevsim/fib.c:350 [inline]
+ nsim_fib4_rt_add drivers/net/netdevsim/fib.c:367 [inline]
+ nsim_fib4_rt_insert drivers/net/netdevsim/fib.c:429 [inline]
+ nsim_fib4_event drivers/net/netdevsim/fib.c:461 [inline]
+ nsim_fib_event drivers/net/netdevsim/fib.c:881 [inline]
+ nsim_fib_event_work+0x1852/0x2cf0 drivers/net/netdevsim/fib.c:1477
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ process_scheduled_works kernel/workqueue.c:2370 [inline]
+ worker_thread+0x7df/0xa70 kernel/workqueue.c:2456
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+value changed: 0x00 -> 0x02
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 4872 Comm: kworker/0:0 Not tainted 5.17.0-rc3-syzkaller-00188-g1d41d2e82623-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: events nsim_fib_event_work
+
+Fixes: 90b93f1b31f8 ("ipv4: Add "offload" and "trap" indications to routes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://lore.kernel.org/r/20220216173217.3792411-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/fib_lookup.h    |    7 +++----
+ net/ipv4/fib_semantics.c |    6 +++---
+ net/ipv4/fib_trie.c      |   22 +++++++++++++---------
+ net/ipv4/route.c         |    4 ++--
+ 4 files changed, 21 insertions(+), 18 deletions(-)
+
+--- a/net/ipv4/fib_lookup.h
++++ b/net/ipv4/fib_lookup.h
+@@ -16,10 +16,9 @@ struct fib_alias {
+       u8                      fa_slen;
+       u32                     tb_id;
+       s16                     fa_default;
+-      u8                      offload:1,
+-                              trap:1,
+-                              offload_failed:1,
+-                              unused:5;
++      u8                      offload;
++      u8                      trap;
++      u8                      offload_failed;
+       struct rcu_head         rcu;
+ };
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -524,9 +524,9 @@ void rtmsg_fib(int event, __be32 key, st
+       fri.dst_len = dst_len;
+       fri.tos = fa->fa_tos;
+       fri.type = fa->fa_type;
+-      fri.offload = fa->offload;
+-      fri.trap = fa->trap;
+-      fri.offload_failed = fa->offload_failed;
++      fri.offload = READ_ONCE(fa->offload);
++      fri.trap = READ_ONCE(fa->trap);
++      fri.offload_failed = READ_ONCE(fa->offload_failed);
+       err = fib_dump_info(skb, info->portid, seq, event, &fri, nlm_flags);
+       if (err < 0) {
+               /* -EMSGSIZE implies BUG in fib_nlmsg_size() */
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -1047,19 +1047,23 @@ void fib_alias_hw_flags_set(struct net *
+       if (!fa_match)
+               goto out;
+-      if (fa_match->offload == fri->offload && fa_match->trap == fri->trap &&
+-          fa_match->offload_failed == fri->offload_failed)
++      /* These are paired with the WRITE_ONCE() happening in this function.
++       * The reason is that we are only protected by RCU at this point.
++       */
++      if (READ_ONCE(fa_match->offload) == fri->offload &&
++          READ_ONCE(fa_match->trap) == fri->trap &&
++          READ_ONCE(fa_match->offload_failed) == fri->offload_failed)
+               goto out;
+-      fa_match->offload = fri->offload;
+-      fa_match->trap = fri->trap;
++      WRITE_ONCE(fa_match->offload, fri->offload);
++      WRITE_ONCE(fa_match->trap, fri->trap);
+       /* 2 means send notifications only if offload_failed was changed. */
+       if (net->ipv4.sysctl_fib_notify_on_flag_change == 2 &&
+-          fa_match->offload_failed == fri->offload_failed)
++          READ_ONCE(fa_match->offload_failed) == fri->offload_failed)
+               goto out;
+-      fa_match->offload_failed = fri->offload_failed;
++      WRITE_ONCE(fa_match->offload_failed, fri->offload_failed);
+       if (!net->ipv4.sysctl_fib_notify_on_flag_change)
+               goto out;
+@@ -2297,9 +2301,9 @@ static int fn_trie_dump_leaf(struct key_
+                               fri.dst_len = KEYLENGTH - fa->fa_slen;
+                               fri.tos = fa->fa_tos;
+                               fri.type = fa->fa_type;
+-                              fri.offload = fa->offload;
+-                              fri.trap = fa->trap;
+-                              fri.offload_failed = fa->offload_failed;
++                              fri.offload = READ_ONCE(fa->offload);
++                              fri.trap = READ_ONCE(fa->trap);
++                              fri.offload_failed = READ_ONCE(fa->offload_failed);
+                               err = fib_dump_info(skb,
+                                                   NETLINK_CB(cb->skb).portid,
+                                                   cb->nlh->nlmsg_seq,
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -3393,8 +3393,8 @@ static int inet_rtm_getroute(struct sk_b
+                                   fa->fa_tos == fri.tos &&
+                                   fa->fa_info == res.fi &&
+                                   fa->fa_type == fri.type) {
+-                                      fri.offload = fa->offload;
+-                                      fri.trap = fa->trap;
++                                      fri.offload = READ_ONCE(fa->offload);
++                                      fri.trap = READ_ONCE(fa->trap);
+                                       break;
+                               }
+                       }
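Review bot: In the net/ipv4/route.c hunk, inet_rtm_getroute() copies only `offload` and `trap` from the matched fib_alias, while rtmsg_fib() and fn_trie_dump_leaf() in this same patch copy all three flags. Unless `fri.offload_failed` is deliberately left at its initial value (the initialisation of `fri` is outside the hunk), a route-get reply would not report a failed hardware offload. Adding `fri.offload_failed = READ_ONCE(fa->offload_failed);` before the `break` would make the three paths agree. The omission predates this patch, which only annotates the loads that were already there.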
diff --git a/queue-5.16/ipv6-fix-data-race-in-fib6_info_hw_flags_set-fib6_purge_rt.patch b/queue-5.16/ipv6-fix-data-race-in-fib6_info_hw_flags_set-fib6_purge_rt.patch
new file mode 100644 (file)
index 0000000..9cc706b
--- /dev/null
@@ -0,0 +1,161 @@
+From d95d6320ba7a51d61c097ffc3bcafcf70283414e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 16 Feb 2022 09:32:17 -0800
+Subject: ipv6: fix data-race in fib6_info_hw_flags_set / fib6_purge_rt
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit d95d6320ba7a51d61c097ffc3bcafcf70283414e upstream.
+
+Because fib6_info_hw_flags_set() is called without any synchronization,
+all accesses to gi6->offload, fi->trap and fi->offload_failed
+need some basic protection like READ_ONCE()/WRITE_ONCE().
+
+BUG: KCSAN: data-race in fib6_info_hw_flags_set / fib6_purge_rt
+
+read to 0xffff8881087d5886 of 1 bytes by task 13953 on cpu 0:
+ fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1007 [inline]
+ fib6_purge_rt+0x4f/0x580 net/ipv6/ip6_fib.c:1033
+ fib6_del_route net/ipv6/ip6_fib.c:1983 [inline]
+ fib6_del+0x696/0x890 net/ipv6/ip6_fib.c:2028
+ __ip6_del_rt net/ipv6/route.c:3876 [inline]
+ ip6_del_rt+0x83/0x140 net/ipv6/route.c:3891
+ __ipv6_dev_ac_dec+0x2b5/0x370 net/ipv6/anycast.c:374
+ ipv6_dev_ac_dec net/ipv6/anycast.c:387 [inline]
+ __ipv6_sock_ac_close+0x141/0x200 net/ipv6/anycast.c:207
+ ipv6_sock_ac_close+0x79/0x90 net/ipv6/anycast.c:220
+ inet6_release+0x32/0x50 net/ipv6/af_inet6.c:476
+ __sock_release net/socket.c:650 [inline]
+ sock_close+0x6c/0x150 net/socket.c:1318
+ __fput+0x295/0x520 fs/file_table.c:280
+ ____fput+0x11/0x20 fs/file_table.c:313
+ task_work_run+0x8e/0x110 kernel/task_work.c:164
+ tracehook_notify_resume include/linux/tracehook.h:189 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
+ exit_to_user_mode_prepare+0x160/0x190 kernel/entry/common.c:207
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
+ syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:300
+ do_syscall_64+0x50/0xd0 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+write to 0xffff8881087d5886 of 1 bytes by task 1912 on cpu 1:
+ fib6_info_hw_flags_set+0x155/0x3b0 net/ipv6/route.c:6230
+ nsim_fib6_rt_hw_flags_set drivers/net/netdevsim/fib.c:668 [inline]
+ nsim_fib6_rt_add drivers/net/netdevsim/fib.c:691 [inline]
+ nsim_fib6_rt_insert drivers/net/netdevsim/fib.c:756 [inline]
+ nsim_fib6_event drivers/net/netdevsim/fib.c:853 [inline]
+ nsim_fib_event drivers/net/netdevsim/fib.c:886 [inline]
+ nsim_fib_event_work+0x284f/0x2cf0 drivers/net/netdevsim/fib.c:1477
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ worker_thread+0x616/0xa70 kernel/workqueue.c:2454
+ kthread+0x2c7/0x2e0 kernel/kthread.c:327
+ ret_from_fork+0x1f/0x30
+
+value changed: 0x22 -> 0x2a
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 1912 Comm: kworker/1:3 Not tainted 5.16.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: events nsim_fib_event_work
+
+Fixes: 0c5fcf9e249e ("IPv6: Add "offload failed" indication to routes")
+Fixes: bb3c4ab93e44 ("ipv6: Add "offload" and "trap" indications to routes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Amit Cohen <amcohen@nvidia.com>
+Cc: Ido Schimmel <idosch@nvidia.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://lore.kernel.org/r/20220216173217.3792411-2-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/netdevsim/fib.c |    4 ++--
+ include/net/ip6_fib.h       |   10 ++++++----
+ net/ipv6/route.c            |   19 ++++++++++---------
+ 3 files changed, 18 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/netdevsim/fib.c
++++ b/drivers/net/netdevsim/fib.c
+@@ -623,14 +623,14 @@ static int nsim_fib6_rt_append(struct ns
+               if (err)
+                       goto err_fib6_rt_nh_del;
+-              fib6_event->rt_arr[i]->trap = true;
++              WRITE_ONCE(fib6_event->rt_arr[i]->trap, true);
+       }
+       return 0;
+ err_fib6_rt_nh_del:
+       for (i--; i >= 0; i--) {
+-              fib6_event->rt_arr[i]->trap = false;
++              WRITE_ONCE(fib6_event->rt_arr[i]->trap, false);
+               nsim_fib6_rt_nh_del(fib6_rt, fib6_event->rt_arr[i]);
+       }
+       return err;
+--- a/include/net/ip6_fib.h
++++ b/include/net/ip6_fib.h
+@@ -189,14 +189,16 @@ struct fib6_info {
+       u32                             fib6_metric;
+       u8                              fib6_protocol;
+       u8                              fib6_type;
++
++      u8                              offload;
++      u8                              trap;
++      u8                              offload_failed;
++
+       u8                              should_flush:1,
+                                       dst_nocount:1,
+                                       dst_nopolicy:1,
+                                       fib6_destroying:1,
+-                                      offload:1,
+-                                      trap:1,
+-                                      offload_failed:1,
+-                                      unused:1;
++                                      unused:4;
+       struct rcu_head                 rcu;
+       struct nexthop                  *nh;
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -5767,11 +5767,11 @@ static int rt6_fill_node(struct net *net
+       }
+       if (!dst) {
+-              if (rt->offload)
++              if (READ_ONCE(rt->offload))
+                       rtm->rtm_flags |= RTM_F_OFFLOAD;
+-              if (rt->trap)
++              if (READ_ONCE(rt->trap))
+                       rtm->rtm_flags |= RTM_F_TRAP;
+-              if (rt->offload_failed)
++              if (READ_ONCE(rt->offload_failed))
+                       rtm->rtm_flags |= RTM_F_OFFLOAD_FAILED;
+       }
+@@ -6229,19 +6229,20 @@ void fib6_info_hw_flags_set(struct net *
+       struct sk_buff *skb;
+       int err;
+-      if (f6i->offload == offload && f6i->trap == trap &&
+-          f6i->offload_failed == offload_failed)
++      if (READ_ONCE(f6i->offload) == offload &&
++          READ_ONCE(f6i->trap) == trap &&
++          READ_ONCE(f6i->offload_failed) == offload_failed)
+               return;
+-      f6i->offload = offload;
+-      f6i->trap = trap;
++      WRITE_ONCE(f6i->offload, offload);
++      WRITE_ONCE(f6i->trap, trap);
+       /* 2 means send notifications only if offload_failed was changed. */
+       if (net->ipv6.sysctl.fib_notify_on_flag_change == 2 &&
+-          f6i->offload_failed == offload_failed)
++          READ_ONCE(f6i->offload_failed) == offload_failed)
+               return;
+-      f6i->offload_failed = offload_failed;
++      WRITE_ONCE(f6i->offload_failed, offload_failed);
+       if (!rcu_access_pointer(f6i->fib6_node))
+               /* The route was removed from the tree, do not send
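Review bot: The fib6_info_hw_flags_set() hunk in net/ipv6/route.c adds READ_ONCE()/WRITE_ONCE() with no comment, whereas the IPv4 patch earlier on this page documents the pairing in fib_alias_hw_flags_set(). I would add `/* Paired with the WRITE_ONCE() below; this function is called without any synchronization. */` above the first comparison. In include/net/ip6_fib.h I would add `/* Whole bytes, not bitfields: accessed with READ_ONCE()/WRITE_ONCE() */` above the three new `u8` members, so a later cleanup does not fold them back into the bitfield that still follows. The annotations prevent load/store tearing only. The compare-then-store sequence is still not atomic, so two concurrent callers can interleave, and the comment should say this is accepted if it is.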
diff --git a/queue-5.16/ipv6-mcast-use-rcu-safe-version-of-ipv6_get_lladdr.patch b/queue-5.16/ipv6-mcast-use-rcu-safe-version-of-ipv6_get_lladdr.patch
new file mode 100644 (file)
index 0000000..3fa2480
--- /dev/null
@@ -0,0 +1,97 @@
+From 26394fc118d6115390bd5b3a0fb17096271da227 Mon Sep 17 00:00:00 2001
+From: Ignat Korchagin <ignat@cloudflare.com>
+Date: Fri, 11 Feb 2022 17:30:42 +0000
+Subject: ipv6: mcast: use rcu-safe version of ipv6_get_lladdr()
+
+From: Ignat Korchagin <ignat@cloudflare.com>
+
+commit 26394fc118d6115390bd5b3a0fb17096271da227 upstream.
+
+Some time ago 8965779d2c0e ("ipv6,mcast: always hold idev->lock before mca_lock")
+switched ipv6_get_lladdr() to __ipv6_get_lladdr(), which is rcu-unsafe
+version. That was OK, because idev->lock was held for these codepaths.
+
+In 88e2ca308094 ("mld: convert ifmcaddr6 to RCU") these external locks were
+removed, so we probably need to restore the original rcu-safe call.
+
+Otherwise, we occasionally get a machine crashed/stalled with the following
+in dmesg:
+
+[ 3405.966610][T230589] general protection fault, probably for non-canonical address 0xdead00000000008c: 0000 [#1] SMP NOPTI
+[ 3405.982083][T230589] CPU: 44 PID: 230589 Comm: kworker/44:3 Tainted: G           O      5.15.19-cloudflare-2022.2.1 #1
+[ 3405.998061][T230589] Hardware name: SUPA-COOL-SERV
+[ 3406.009552][T230589] Workqueue: mld mld_ifc_work
+[ 3406.017224][T230589] RIP: 0010:__ipv6_get_lladdr+0x34/0x60
+[ 3406.025780][T230589] Code: 57 10 48 83 c7 08 48 89 e5 48 39 d7 74 3e 48 8d 82 38 ff ff ff eb 13 48 8b 90 d0 00 00 00 48 8d 82 38 ff ff ff 48 39 d7 74 22 <66> 83 78 32 20 77 1b 75 e4 89 ca 23 50 2c 75 dd 48 8b 50 08 48 8b
+[ 3406.055748][T230589] RSP: 0018:ffff94e4b3fc3d10 EFLAGS: 00010202
+[ 3406.065617][T230589] RAX: dead00000000005a RBX: ffff94e4b3fc3d30 RCX: 0000000000000040
+[ 3406.077477][T230589] RDX: dead000000000122 RSI: ffff94e4b3fc3d30 RDI: ffff8c3a31431008
+[ 3406.089389][T230589] RBP: ffff94e4b3fc3d10 R08: 0000000000000000 R09: 0000000000000000
+[ 3406.101445][T230589] R10: ffff8c3a31430000 R11: 000000000000000b R12: ffff8c2c37887100
+[ 3406.113553][T230589] R13: ffff8c3a39537000 R14: 00000000000005dc R15: ffff8c3a31431000
+[ 3406.125730][T230589] FS:  0000000000000000(0000) GS:ffff8c3b9fc80000(0000) knlGS:0000000000000000
+[ 3406.138992][T230589] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 3406.149895][T230589] CR2: 00007f0dfea1db60 CR3: 000000387b5f2000 CR4: 0000000000350ee0
+[ 3406.162421][T230589] Call Trace:
+[ 3406.170235][T230589]  <TASK>
+[ 3406.177736][T230589]  mld_newpack+0xfe/0x1a0
+[ 3406.186686][T230589]  add_grhead+0x87/0xa0
+[ 3406.195498][T230589]  add_grec+0x485/0x4e0
+[ 3406.204310][T230589]  ? newidle_balance+0x126/0x3f0
+[ 3406.214024][T230589]  mld_ifc_work+0x15d/0x450
+[ 3406.223279][T230589]  process_one_work+0x1e6/0x380
+[ 3406.232982][T230589]  worker_thread+0x50/0x3a0
+[ 3406.242371][T230589]  ? rescuer_thread+0x360/0x360
+[ 3406.252175][T230589]  kthread+0x127/0x150
+[ 3406.261197][T230589]  ? set_kthread_struct+0x40/0x40
+[ 3406.271287][T230589]  ret_from_fork+0x22/0x30
+[ 3406.280812][T230589]  </TASK>
+[ 3406.288937][T230589] Modules linked in: ... [last unloaded: kheaders]
+[ 3406.476714][T230589] ---[ end trace 3525a7655f2f3b9e ]---
+
+Fixes: 88e2ca308094 ("mld: convert ifmcaddr6 to RCU")
+Reported-by: David Pinilla Caparros <dpini@cloudflare.com>
+Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/addrconf.h |    2 --
+ net/ipv6/addrconf.c    |    4 ++--
+ net/ipv6/mcast.c       |    2 +-
+ 3 files changed, 3 insertions(+), 5 deletions(-)
+
+--- a/include/net/addrconf.h
++++ b/include/net/addrconf.h
+@@ -109,8 +109,6 @@ struct inet6_ifaddr *ipv6_get_ifaddr(str
+ int ipv6_dev_get_saddr(struct net *net, const struct net_device *dev,
+                      const struct in6_addr *daddr, unsigned int srcprefs,
+                      struct in6_addr *saddr);
+-int __ipv6_get_lladdr(struct inet6_dev *idev, struct in6_addr *addr,
+-                    u32 banned_flags);
+ int ipv6_get_lladdr(struct net_device *dev, struct in6_addr *addr,
+                   u32 banned_flags);
+ bool inet_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2,
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1839,8 +1839,8 @@ out:
+ }
+ EXPORT_SYMBOL(ipv6_dev_get_saddr);
+-int __ipv6_get_lladdr(struct inet6_dev *idev, struct in6_addr *addr,
+-                    u32 banned_flags)
++static int __ipv6_get_lladdr(struct inet6_dev *idev, struct in6_addr *addr,
++                            u32 banned_flags)
+ {
+       struct inet6_ifaddr *ifp;
+       int err = -EADDRNOTAVAIL;
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -1759,7 +1759,7 @@ static struct sk_buff *mld_newpack(struc
+       skb_reserve(skb, hlen);
+       skb_tailroom_reserve(skb, mtu, tlen);
+-      if (__ipv6_get_lladdr(idev, &addr_buf, IFA_F_TENTATIVE)) {
++      if (ipv6_get_lladdr(dev, &addr_buf, IFA_F_TENTATIVE)) {
+               /* <draft-ietf-magma-mld-source-05.txt>:
+                * use unspecified address as the source address
+                * when a valid link-local address is not available.
diff --git a/queue-5.16/ipv6-per-netns-exclusive-flowlabel-checks.patch b/queue-5.16/ipv6-per-netns-exclusive-flowlabel-checks.patch
new file mode 100644 (file)
index 0000000..15ee45c
--- /dev/null
@@ -0,0 +1,98 @@
+From 0b0dff5b3b98c5c7ce848151df9da0b3cdf0cc8b Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Tue, 15 Feb 2022 11:00:37 -0500
+Subject: ipv6: per-netns exclusive flowlabel checks
+
+From: Willem de Bruijn <willemb@google.com>
+
+commit 0b0dff5b3b98c5c7ce848151df9da0b3cdf0cc8b upstream.
+
+Ipv6 flowlabels historically require a reservation before use.
+Optionally in exclusive mode (e.g., user-private).
+
+Commit 59c820b2317f ("ipv6: elide flowlabel check if no exclusive
+leases exist") introduced a fastpath that avoids this check when no
+exclusive leases exist in the system, and thus any flowlabel use
+will be granted.
+
+That allows skipping the control operation to reserve a flowlabel
+entirely. Though with a warning if the fast path fails:
+
+  This is an optimization. Robust applications still have to revert to
+  requesting leases if the fast path fails due to an exclusive lease.
+
+Still, this is subtle. Better isolate network namespaces from each
+other. Flowlabels are per-netns. Also record per-netns whether
+exclusive leases are in use. Then behavior does not change based on
+activity in other netns.
+
+Changes
+  v2
+    - wrap in IS_ENABLED(CONFIG_IPV6) to avoid breakage if disabled
+
+Fixes: 59c820b2317f ("ipv6: elide flowlabel check if no exclusive leases exist")
+Link: https://lore.kernel.org/netdev/MWHPR2201MB1072BCCCFCE779E4094837ACD0329@MWHPR2201MB1072.namprd22.prod.outlook.com/
+Reported-by: Congyu Liu <liu3101@purdue.edu>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Tested-by: Congyu Liu <liu3101@purdue.edu>
+Link: https://lore.kernel.org/r/20220215160037.1976072-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ipv6.h       |    5 ++++-
+ include/net/netns/ipv6.h |    3 ++-
+ net/ipv6/ip6_flowlabel.c |    4 +++-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -391,17 +391,20 @@ static inline void txopt_put(struct ipv6
+               kfree_rcu(opt, rcu);
+ }
++#if IS_ENABLED(CONFIG_IPV6)
+ struct ip6_flowlabel *__fl6_sock_lookup(struct sock *sk, __be32 label);
+ extern struct static_key_false_deferred ipv6_flowlabel_exclusive;
+ static inline struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk,
+                                                   __be32 label)
+ {
+-      if (static_branch_unlikely(&ipv6_flowlabel_exclusive.key))
++      if (static_branch_unlikely(&ipv6_flowlabel_exclusive.key) &&
++          READ_ONCE(sock_net(sk)->ipv6.flowlabel_has_excl))
+               return __fl6_sock_lookup(sk, label) ? : ERR_PTR(-ENOENT);
+       return NULL;
+ }
++#endif
+ struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions *opt_space,
+                                        struct ip6_flowlabel *fl,
+--- a/include/net/netns/ipv6.h
++++ b/include/net/netns/ipv6.h
+@@ -77,9 +77,10 @@ struct netns_ipv6 {
+       spinlock_t              fib6_gc_lock;
+       unsigned int             ip6_rt_gc_expire;
+       unsigned long            ip6_rt_last_gc;
++      unsigned char           flowlabel_has_excl;
+ #ifdef CONFIG_IPV6_MULTIPLE_TABLES
+-      unsigned int            fib6_rules_require_fldissect;
+       bool                    fib6_has_custom_rules;
++      unsigned int            fib6_rules_require_fldissect;
+ #ifdef CONFIG_IPV6_SUBTREES
+       unsigned int            fib6_routes_require_src;
+ #endif
+--- a/net/ipv6/ip6_flowlabel.c
++++ b/net/ipv6/ip6_flowlabel.c
+@@ -450,8 +450,10 @@ fl_create(struct net *net, struct sock *
+               err = -EINVAL;
+               goto done;
+       }
+-      if (fl_shared_exclusive(fl) || fl->opt)
++      if (fl_shared_exclusive(fl) || fl->opt) {
++              WRITE_ONCE(sock_net(sk)->ipv6.flowlabel_has_excl, 1);
+               static_branch_deferred_inc(&ipv6_flowlabel_exclusive);
++      }
+       return fl;
+ done:
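Review bot: `flowlabel_has_excl` is only ever written to 1 in this patch (in `fl_create()`), so a namespace that has created one exclusive or option-carrying lease appears to stay on the `__fl6_sock_lookup()` path from then on, even after the lease is released; nothing visible here clears it. That is a reasonable price for keeping one namespace from observing lease activity in another, but it should be recorded at the field, e.g. `/* latched to 1 on the first exclusive/opt lease in this netns; never cleared */` above `unsigned char flowlabel_has_excl;` in `struct netns_ipv6`. `fl_create()` also already receives `net`, so `WRITE_ONCE(net->ipv6.flowlabel_has_excl, 1);` would say the same thing more directly, assuming `net` and `sock_net(sk)` name the same namespace at the call site, which the hunk does not show. The body of `fl_create()` starts and ends outside the hunk.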
diff --git a/queue-5.16/iwlwifi-fix-iwl_legacy_rate_to_fw_idx.patch b/queue-5.16/iwlwifi-fix-iwl_legacy_rate_to_fw_idx.patch
new file mode 100644 (file)
index 0000000..71c361f
--- /dev/null
@@ -0,0 +1,102 @@
+From 973f02c932b0be41a26bb9bdf38b7b92721611d2 Mon Sep 17 00:00:00 2001
+From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Date: Fri, 28 Jan 2022 14:30:51 +0200
+Subject: iwlwifi: fix iwl_legacy_rate_to_fw_idx
+
+From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+
+commit 973f02c932b0be41a26bb9bdf38b7b92721611d2 upstream.
+
+There are a couple of bugs in this function:
+
+1. It is declared as a non-static function, even though
+   it's only used in one file.
+2. Its return value should be of type u32 but it returns
+   (in some cases) -1.
+
+Fix them by making this function static and returning an
+error value of type unsigned.
+
+In addition, we're assigning the return value of this function
+as the legacy rate even if the function returned an error value.
+Fix this by assigning the lowest rate in this case.
+
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Reported-by: Ye Guojin <ye.guojin@zte.com.cn>
+Reported-by: Zeal Robot <zealci@zte.com.cn>
+Fixes: 9998f81e4ba5 ("iwlwifi: mvm: convert old rate & flags to the new format.")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/iwlwifi.20220128142706.5612eeb9d6d0.I992e10d93fc22919b2bc42daad087ee1b5d6f014@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/api/rs.h |    1 
+ drivers/net/wireless/intel/iwlwifi/fw/rs.c     |   33 +++++++++++++------------
+ 2 files changed, 18 insertions(+), 16 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/fw/api/rs.h
++++ b/drivers/net/wireless/intel/iwlwifi/fw/api/rs.h
+@@ -710,7 +710,6 @@ struct iwl_lq_cmd {
+ u8 iwl_fw_rate_idx_to_plcp(int idx);
+ u32 iwl_new_rate_from_v1(u32 rate_v1);
+-u32 iwl_legacy_rate_to_fw_idx(u32 rate_n_flags);
+ const struct iwl_rate_mcs_info *iwl_rate_mcs(int idx);
+ const char *iwl_rs_pretty_ant(u8 ant);
+ const char *iwl_rs_pretty_bw(int bw);
+--- a/drivers/net/wireless/intel/iwlwifi/fw/rs.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/rs.c
+@@ -91,6 +91,20 @@ const char *iwl_rs_pretty_bw(int bw)
+ }
+ IWL_EXPORT_SYMBOL(iwl_rs_pretty_bw);
++static u32 iwl_legacy_rate_to_fw_idx(u32 rate_n_flags)
++{
++      int rate = rate_n_flags & RATE_LEGACY_RATE_MSK_V1;
++      int idx;
++      bool ofdm = !(rate_n_flags & RATE_MCS_CCK_MSK_V1);
++      int offset = ofdm ? IWL_FIRST_OFDM_RATE : 0;
++      int last = ofdm ? IWL_RATE_COUNT_LEGACY : IWL_FIRST_OFDM_RATE;
++
++      for (idx = offset; idx < last; idx++)
++              if (iwl_fw_rate_idx_to_plcp(idx) == rate)
++                      return idx - offset;
++      return IWL_RATE_INVALID;
++}
++
+ u32 iwl_new_rate_from_v1(u32 rate_v1)
+ {
+       u32 rate_v2 = 0;
+@@ -144,7 +158,10 @@ u32 iwl_new_rate_from_v1(u32 rate_v1)
+       } else {
+               u32 legacy_rate = iwl_legacy_rate_to_fw_idx(rate_v1);
+-              WARN_ON(legacy_rate < 0);
++              if (WARN_ON_ONCE(legacy_rate == IWL_RATE_INVALID))
++                      legacy_rate = (rate_v1 & RATE_MCS_CCK_MSK_V1) ?
++                              IWL_FIRST_CCK_RATE : IWL_FIRST_OFDM_RATE;
++
+               rate_v2 |= legacy_rate;
+               if (!(rate_v1 & RATE_MCS_CCK_MSK_V1))
+                       rate_v2 |= RATE_MCS_LEGACY_OFDM_MSK;
+@@ -172,20 +189,6 @@ u32 iwl_new_rate_from_v1(u32 rate_v1)
+ }
+ IWL_EXPORT_SYMBOL(iwl_new_rate_from_v1);
+-u32 iwl_legacy_rate_to_fw_idx(u32 rate_n_flags)
+-{
+-      int rate = rate_n_flags & RATE_LEGACY_RATE_MSK_V1;
+-      int idx;
+-      bool ofdm = !(rate_n_flags & RATE_MCS_CCK_MSK_V1);
+-      int offset = ofdm ? IWL_FIRST_OFDM_RATE : 0;
+-      int last = ofdm ? IWL_RATE_COUNT_LEGACY : IWL_FIRST_OFDM_RATE;
+-
+-      for (idx = offset; idx < last; idx++)
+-              if (iwl_fw_rate_idx_to_plcp(idx) == rate)
+-                      return idx - offset;
+-      return -1;
+-}
+-
+ int rs_pretty_print_rate(char *buf, int bufsz, const u32 rate)
+ {
+       char *type;
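Review bot: The error fallback in `iwl_new_rate_from_v1()` does not match what `iwl_legacy_rate_to_fw_idx()` returns. The helper returns `idx - offset`, an index relative to the first rate of the band, whereas the fallback assigns `IWL_FIRST_OFDM_RATE` for OFDM, which is the absolute offset the helper subtracts; unless that constant is 0, the result is not the lowest OFDM rate that the commit message promises. The lowest relative index is 0 in both bands, so `legacy_rate = 0;` with a short comment (`/* lowest rate of the band */`) looks like the intended value. The enum values are defined outside this patch and should be checked before changing it; `iwl_new_rate_from_v1()` is only partly visible here.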
diff --git a/queue-5.16/iwlwifi-mvm-don-t-send-sar-geo-command-for-3160-devices.patch b/queue-5.16/iwlwifi-mvm-don-t-send-sar-geo-command-for-3160-devices.patch
new file mode 100644 (file)
index 0000000..32b777c
--- /dev/null
@@ -0,0 +1,87 @@
+From 5f06f6bf8d816578c390a2b8a485d40adcca4749 Mon Sep 17 00:00:00 2001
+From: Luca Coelho <luciano.coelho@intel.com>
+Date: Fri, 28 Jan 2022 14:48:51 +0200
+Subject: iwlwifi: mvm: don't send SAR GEO command for 3160 devices
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+commit 5f06f6bf8d816578c390a2b8a485d40adcca4749 upstream.
+
+SAR GEO offsets are not supported on 3160 devices.  The code was
+refactored and caused us to start sending the command anyway, which
+causes a FW assertion failure.  Fix that only considering this feature
+supported on FW API with major version is 17 if the device is not
+3160.
+
+Additionally, fix the caller of iwl_mvm_sar_geo_init() so that it
+checks for the return value, which it was ignoring.
+
+Reported-by: Len Brown <lenb@kernel.org>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Fixes: 78a19d5285d9 ("iwlwifi: mvm: Read the PPAG and SAR tables at INIT stage")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/iwlwifi.20220128144623.96f683a89b42.I14e2985bfd7ddd8a8d83eb1869b800c0e7f30db4@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/acpi.c |   11 ++++++-----
+ drivers/net/wireless/intel/iwlwifi/iwl-csr.h |    3 ++-
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c  |    2 +-
+ 3 files changed, 9 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+@@ -1,7 +1,7 @@
+ // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+ /*
+  * Copyright (C) 2017 Intel Deutschland GmbH
+- * Copyright (C) 2019-2021 Intel Corporation
++ * Copyright (C) 2019-2022 Intel Corporation
+  */
+ #include <linux/uuid.h>
+ #include "iwl-drv.h"
+@@ -873,10 +873,11 @@ bool iwl_sar_geo_support(struct iwl_fw_r
+        * only one using version 36, so skip this version entirely.
+        */
+       return IWL_UCODE_SERIAL(fwrt->fw->ucode_ver) >= 38 ||
+-             IWL_UCODE_SERIAL(fwrt->fw->ucode_ver) == 17 ||
+-             (IWL_UCODE_SERIAL(fwrt->fw->ucode_ver) == 29 &&
+-              ((fwrt->trans->hw_rev & CSR_HW_REV_TYPE_MSK) ==
+-               CSR_HW_REV_TYPE_7265D));
++              (IWL_UCODE_SERIAL(fwrt->fw->ucode_ver) == 17 &&
++               fwrt->trans->hw_rev != CSR_HW_REV_TYPE_3160) ||
++              (IWL_UCODE_SERIAL(fwrt->fw->ucode_ver) == 29 &&
++               ((fwrt->trans->hw_rev & CSR_HW_REV_TYPE_MSK) ==
++                CSR_HW_REV_TYPE_7265D));
+ }
+ IWL_EXPORT_SYMBOL(iwl_sar_geo_support);
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-csr.h
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-csr.h
+@@ -1,6 +1,6 @@
+ /* SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause */
+ /*
+- * Copyright (C) 2005-2014, 2018-2021 Intel Corporation
++ * Copyright (C) 2005-2014, 2018-2022 Intel Corporation
+  * Copyright (C) 2013-2014 Intel Mobile Communications GmbH
+  * Copyright (C) 2016 Intel Deutschland GmbH
+  */
+@@ -326,6 +326,7 @@ enum {
+ #define CSR_HW_REV_TYPE_2x00          (0x0000100)
+ #define CSR_HW_REV_TYPE_105           (0x0000110)
+ #define CSR_HW_REV_TYPE_135           (0x0000120)
++#define CSR_HW_REV_TYPE_3160          (0x0000164)
+ #define CSR_HW_REV_TYPE_7265D         (0x0000210)
+ #define CSR_HW_REV_TYPE_NONE          (0x00001F0)
+ #define CSR_HW_REV_TYPE_QNJ           (0x0000360)
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -1636,7 +1636,7 @@ int iwl_mvm_up(struct iwl_mvm *mvm)
+       ret = iwl_mvm_sar_init(mvm);
+       if (ret == 0)
+               ret = iwl_mvm_sar_geo_init(mvm);
+-      else if (ret < 0)
++      if (ret < 0)
+               goto error;
+       iwl_mvm_tas_init(mvm);
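Review bot: The new 3160 exclusion in `iwl_sar_geo_support()` compares the whole `hw_rev` value against `CSR_HW_REV_TYPE_3160`, while the 7265D test directly below masks it with `CSR_HW_REV_TYPE_MSK` first. If `hw_rev` carries bits outside the type field (the existence of the mask suggests it does), the inequality is always true and version-17 firmware on a 3160 would still be sent the command that triggers the firmware assertion. Suggested: `(fwrt->trans->hw_rev & CSR_HW_REV_TYPE_MSK) != CSR_HW_REV_TYPE_3160`. The start of the function is outside the hunk.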
diff --git a/queue-5.16/iwlwifi-mvm-fix-condition-which-checks-the-version-of-rate_n_flags.patch b/queue-5.16/iwlwifi-mvm-fix-condition-which-checks-the-version-of-rate_n_flags.patch
new file mode 100644 (file)
index 0000000..2d44bfd
--- /dev/null
@@ -0,0 +1,35 @@
+From be8287c9b8326d767429c8371bbc78b33f6efe13 Mon Sep 17 00:00:00 2001
+From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Date: Fri, 28 Jan 2022 14:30:50 +0200
+Subject: iwlwifi: mvm: fix condition which checks the version of rate_n_flags
+
+From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+
+commit be8287c9b8326d767429c8371bbc78b33f6efe13 upstream.
+
+We're checking the FW version of TX_CMD in order to decide whether to
+convert rate_n_flags from the old format to the new one.  If the API
+is smaller or equal to 6 we should convert it.  Currently we're
+converting if the API version is greater than 6. Fix it.
+
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Fixes: dc52fac37c87 ("iwlwifi: mvm: Support new TX_RSP and COMPRESSED_BA_RES versions")
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/iwlwifi.20220128142706.a264ac51d106.I228ba1317cdcbfef931c09d280d701fcad9048d2@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -1380,7 +1380,7 @@ static void iwl_mvm_hwrate_to_tx_status(
+       struct ieee80211_tx_rate *r = &info->status.rates[0];
+       if (iwl_fw_lookup_notif_ver(fw, LONG_GROUP,
+-                                  TX_CMD, 0) > 6)
++                                  TX_CMD, 0) <= 6)
+               rate_n_flags = iwl_new_rate_from_v1(rate_n_flags);
+       info->status.antenna =
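Review bot: The bare `6` in `iwl_mvm_hwrate_to_tx_status()` carries the whole fix, and nothing at the call site says what it means, which makes an inverted comparison like the one being corrected hard to spot. A one-line comment above the check, such as `/* TX_CMD API <= 6 reports rate_n_flags in the v1 format; convert it */`, or a named constant for the version, would make the direction reviewable. The function body extends beyond the hunk.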
diff --git a/queue-5.16/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch b/queue-5.16/iwlwifi-pcie-fix-locking-when-hw-not-ready.patch
new file mode 100644 (file)
index 0000000..b3accb6
--- /dev/null
@@ -0,0 +1,34 @@
+From e9848aed147708a06193b40d78493b0ef6abccf2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 28 Jan 2022 14:30:52 +0200
+Subject: iwlwifi: pcie: fix locking when "HW not ready"
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit e9848aed147708a06193b40d78493b0ef6abccf2 upstream.
+
+If we run into this error path, we shouldn't unlock the mutex
+since it's not locked since. Fix this.
+
+Fixes: a6bd005fe92d ("iwlwifi: pcie: fix RF-Kill vs. firmware load race")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/iwlwifi.20220128142706.5d16821d1433.Id259699ddf9806459856d6aefbdbe54477aecffd@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -1303,8 +1303,7 @@ static int iwl_trans_pcie_start_fw(struc
+       /* This may fail if AMT took ownership of the device */
+       if (iwl_pcie_prepare_card_hw(trans)) {
+               IWL_WARN(trans, "Exit HW not ready\n");
+-              ret = -EIO;
+-              goto out;
++              return -EIO;
+       }
+       iwl_enable_rfkill_int(trans);
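Review bot: The early `return -EIO` in `iwl_trans_pcie_start_fw()` is correct only because the mutex released at `out:` has not yet been taken at this point, and neither the lock nor the label is visible in the hunk. A comment on the branch, e.g. `/* mutex not held yet: return directly, do not jump to out */`, would keep a later edit from reintroducing the unbalanced unlock. The same applies to the identical change to `iwl_trans_pcie_gen2_start_fw()` in the following patch.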
diff --git a/queue-5.16/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch b/queue-5.16/iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch
new file mode 100644 (file)
index 0000000..b89e30a
--- /dev/null
@@ -0,0 +1,34 @@
+From 4c29c1e27a1e178a219b3877d055e6dd643bdfda Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 28 Jan 2022 14:30:53 +0200
+Subject: iwlwifi: pcie: gen2: fix locking when "HW not ready"
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 4c29c1e27a1e178a219b3877d055e6dd643bdfda upstream.
+
+If we run into this error path, we shouldn't unlock the mutex
+since it's not locked since. Fix this in the gen2 code as well.
+
+Fixes: eda50cde58de ("iwlwifi: pcie: add context information support")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/iwlwifi.20220128142706.b8b0dfce16ef.Ie20f0f7b23e5911350a2766524300d2915e7b677@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
+@@ -384,8 +384,7 @@ int iwl_trans_pcie_gen2_start_fw(struct
+       /* This may fail if AMT took ownership of the device */
+       if (iwl_pcie_prepare_card_hw(trans)) {
+               IWL_WARN(trans, "Exit HW not ready\n");
+-              ret = -EIO;
+-              goto out;
++              return -EIO;
+       }
+       iwl_enable_rfkill_int(trans);
diff --git a/queue-5.16/libsubcmd-fix-use-after-free-for-realloc-...-0.patch b/queue-5.16/libsubcmd-fix-use-after-free-for-realloc-...-0.patch
new file mode 100644 (file)
index 0000000..23bfaeb
--- /dev/null
@@ -0,0 +1,66 @@
+From 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Sun, 13 Feb 2022 10:24:43 -0800
+Subject: libsubcmd: Fix use-after-free for realloc(..., 0)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 upstream.
+
+GCC 12 correctly reports a potential use-after-free condition in the
+xrealloc helper. Fix the warning by avoiding an implicit "free(ptr)"
+when size == 0:
+
+In file included from help.c:12:
+In function 'xrealloc',
+    inlined from 'add_cmdname' at help.c:24:2: subcmd-util.h:56:23: error: pointer may be used after 'realloc' [-Werror=use-after-free]
+   56 |                 ret = realloc(ptr, size);
+      |                       ^~~~~~~~~~~~~~~~~~
+subcmd-util.h:52:21: note: call to 'realloc' here
+   52 |         void *ret = realloc(ptr, size);
+      |                     ^~~~~~~~~~~~~~~~~~
+subcmd-util.h:58:31: error: pointer may be used after 'realloc' [-Werror=use-after-free]
+   58 |                         ret = realloc(ptr, 1);
+      |                               ^~~~~~~~~~~~~~~
+subcmd-util.h:52:21: note: call to 'realloc' here
+   52 |         void *ret = realloc(ptr, size);
+      |                     ^~~~~~~~~~~~~~~~~~
+
+Fixes: 2f4ce5ec1d447beb ("perf tools: Finalize subcmd independence")
+Reported-by: Valdis KlÄ“tnieks <valdis.kletnieks@vt.edu>
+Signed-off-by: Kees Kook <keescook@chromium.org>
+Tested-by: Valdis KlÄ“tnieks <valdis.kletnieks@vt.edu>
+Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>
+Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: linux-hardening@vger.kernel.org
+Cc: Valdis KlÄ“tnieks <valdis.kletnieks@vt.edu>
+Link: http://lore.kernel.org/lkml/20220213182443.4037039-1-keescook@chromium.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/lib/subcmd/subcmd-util.h |   11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/tools/lib/subcmd/subcmd-util.h
++++ b/tools/lib/subcmd/subcmd-util.h
+@@ -50,15 +50,8 @@ static NORETURN inline void die(const ch
+ static inline void *xrealloc(void *ptr, size_t size)
+ {
+       void *ret = realloc(ptr, size);
+-      if (!ret && !size)
+-              ret = realloc(ptr, 1);
+-      if (!ret) {
+-              ret = realloc(ptr, size);
+-              if (!ret && !size)
+-                      ret = realloc(ptr, 1);
+-              if (!ret)
+-                      die("Out of memory, realloc failed");
+-      }
++      if (!ret)
++              die("Out of memory, realloc failed");
+       return ret;
+ }
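Review bot: `xrealloc()` now treats every NULL from `realloc()` as an allocation failure, but for `size == 0` the C library may release `ptr` and return NULL as a successful result, so a zero-size request would end in `die("Out of memory, realloc failed")`. The commit message speaks of avoiding the implicit free when `size == 0`, yet the remaining call still passes `size` through unchanged. If any caller can pass 0 (none is visible here), `void *ret = realloc(ptr, size ? size : 1);` keeps the old non-NULL guarantee without ever touching `ptr` after it may have been freed.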
diff --git a/queue-5.16/mac80211-mlme-check-for-null-after-calling-kmemdup.patch b/queue-5.16/mac80211-mlme-check-for-null-after-calling-kmemdup.patch
new file mode 100644 (file)
index 0000000..f0418f4
--- /dev/null
@@ -0,0 +1,118 @@
+From a72c01a94f1d285a274219d36e2a17b4846c0615 Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Date: Wed, 5 Jan 2022 16:15:59 +0800
+Subject: mac80211: mlme: check for null after calling kmemdup
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+commit a72c01a94f1d285a274219d36e2a17b4846c0615 upstream.
+
+As the possible failure of the alloc, the ifmgd->assoc_req_ies might be
+NULL pointer returned from kmemdup().
+Therefore it might be better to free the skb and return error in order
+to fail the association, like ieee80211_assoc_success().
+Also, the caller, ieee80211_do_assoc(), needs to deal with the return
+value from ieee80211_send_assoc().
+
+Fixes: 4d9ec73d2b78 ("cfg80211: Report Association Request frame IEs in association events")
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Link: https://lore.kernel.org/r/20220105081559.2387083-1-jiasheng@iscas.ac.cn
+[fix some paths to be errors, not success]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mlme.c |   29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -664,7 +664,7 @@ static void ieee80211_add_he_ie(struct i
+       ieee80211_ie_build_he_6ghz_cap(sdata, skb);
+ }
+-static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
++static int ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata)
+ {
+       struct ieee80211_local *local = sdata->local;
+       struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+@@ -684,6 +684,7 @@ static void ieee80211_send_assoc(struct
+       enum nl80211_iftype iftype = ieee80211_vif_type_p2p(&sdata->vif);
+       const struct ieee80211_sband_iftype_data *iftd;
+       struct ieee80211_prep_tx_info info = {};
++      int ret;
+       /* we know it's writable, cast away the const */
+       if (assoc_data->ie_len)
+@@ -697,7 +698,7 @@ static void ieee80211_send_assoc(struct
+       chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+       if (WARN_ON(!chanctx_conf)) {
+               rcu_read_unlock();
+-              return;
++              return -EINVAL;
+       }
+       chan = chanctx_conf->def.chan;
+       rcu_read_unlock();
+@@ -748,7 +749,7 @@ static void ieee80211_send_assoc(struct
+                       (iftd ? iftd->vendor_elems.len : 0),
+                       GFP_KERNEL);
+       if (!skb)
+-              return;
++              return -ENOMEM;
+       skb_reserve(skb, local->hw.extra_tx_headroom);
+@@ -1029,15 +1030,22 @@ skip_rates:
+               skb_put_data(skb, assoc_data->ie + offset, noffset - offset);
+       }
+-      if (assoc_data->fils_kek_len &&
+-          fils_encrypt_assoc_req(skb, assoc_data) < 0) {
+-              dev_kfree_skb(skb);
+-              return;
++      if (assoc_data->fils_kek_len) {
++              ret = fils_encrypt_assoc_req(skb, assoc_data);
++              if (ret < 0) {
++                      dev_kfree_skb(skb);
++                      return ret;
++              }
+       }
+       pos = skb_tail_pointer(skb);
+       kfree(ifmgd->assoc_req_ies);
+       ifmgd->assoc_req_ies = kmemdup(ie_start, pos - ie_start, GFP_ATOMIC);
++      if (!ifmgd->assoc_req_ies) {
++              dev_kfree_skb(skb);
++              return -ENOMEM;
++      }
++
+       ifmgd->assoc_req_ies_len = pos - ie_start;
+       drv_mgd_prepare_tx(local, sdata, &info);
+@@ -1047,6 +1055,8 @@ skip_rates:
+               IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS |
+                                               IEEE80211_TX_INTFL_MLME_CONN_TX;
+       ieee80211_tx_skb(sdata, skb);
++
++      return 0;
+ }
+ void ieee80211_send_pspoll(struct ieee80211_local *local,
+@@ -4491,6 +4501,7 @@ static int ieee80211_do_assoc(struct iee
+ {
+       struct ieee80211_mgd_assoc_data *assoc_data = sdata->u.mgd.assoc_data;
+       struct ieee80211_local *local = sdata->local;
++      int ret;
+       sdata_assert_lock(sdata);
+@@ -4511,7 +4522,9 @@ static int ieee80211_do_assoc(struct iee
+       sdata_info(sdata, "associate with %pM (try %d/%d)\n",
+                  assoc_data->bss->bssid, assoc_data->tries,
+                  IEEE80211_ASSOC_MAX_TRIES);
+-      ieee80211_send_assoc(sdata);
++      ret = ieee80211_send_assoc(sdata);
++      if (ret)
++              return ret;
+       if (!ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS)) {
+               assoc_data->timeout = jiffies + IEEE80211_ASSOC_TIMEOUT;
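Review bot: On the new `kmemdup()` failure path in `ieee80211_send_assoc()`, `ifmgd->assoc_req_ies` is left NULL while `ifmgd->assoc_req_ies_len` keeps the length of the buffer that was just passed to `kfree()`, because the length is only updated after the check. A later reader that pairs the length with the pointer would be working from inconsistent state; whether such a reader can run after a failed attempt is not visible in these hunks. Adding `ifmgd->assoc_req_ies_len = 0;` before `dev_kfree_skb(skb);` in that branch keeps the two fields in step. The function is shown only in excerpts across several hunks.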
diff --git a/queue-5.16/mctp-fix-use-after-free.patch b/queue-5.16/mctp-fix-use-after-free.patch
new file mode 100644 (file)
index 0000000..8cc1103
--- /dev/null
@@ -0,0 +1,47 @@
+From 7e5b6a5c8c44310784c88c1c198dde79f6402f7b Mon Sep 17 00:00:00 2001
+From: Tom Rix <trix@redhat.com>
+Date: Mon, 14 Feb 2022 18:05:41 -0800
+Subject: mctp: fix use after free
+
+From: Tom Rix <trix@redhat.com>
+
+commit 7e5b6a5c8c44310784c88c1c198dde79f6402f7b upstream.
+
+Clang static analysis reports this problem
+route.c:425:4: warning: Use of memory after it is freed
+  trace_mctp_key_acquire(key);
+  ^~~~~~~~~~~~~~~~~~~~~~~~~~~
+When mctp_key_add() fails, key is freed but then is later
+used in trace_mctp_key_acquire().  Add an else statement
+to use the key only when mctp_key_add() is successful.
+
+Fixes: 4f9e1ba6de45 ("mctp: Add tracepoints for tag/key handling")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mctp/route.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/mctp/route.c
++++ b/net/mctp/route.c
+@@ -414,13 +414,14 @@ static int mctp_route_input(struct mctp_
+                        * this function.
+                        */
+                       rc = mctp_key_add(key, msk);
+-                      if (rc)
++                      if (rc) {
+                               kfree(key);
++                      } else {
++                              trace_mctp_key_acquire(key);
+-                      trace_mctp_key_acquire(key);
+-
+-                      /* we don't need to release key->lock on exit */
+-                      mctp_key_unref(key);
++                              /* we don't need to release key->lock on exit */
++                              mctp_key_unref(key);
++                      }
+                       key = NULL;
+               } else {
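Review bot: The failure branch releases `key` with a plain `kfree()` while the success branch drops it through `mctp_key_unref()`, and nothing at the branch explains why the two differ. Presumably the key was never made visible to other contexts when `mctp_key_add()` fails, so no other reference can exist; if that holds, a comment such as `/* add failed: key was never published, free it directly */` would record the lifetime rule this fix depends on. The surrounding block in `mctp_route_input()` starts and ends outside the hunk.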
diff --git a/queue-5.16/net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch b/queue-5.16/net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch
new file mode 100644 (file)
index 0000000..361a4f3
--- /dev/null
@@ -0,0 +1,49 @@
+From c832962ac972082b3a1f89775c9d4274c8cb5670 Mon Sep 17 00:00:00 2001
+From: Oleksandr Mazur <oleksandr.mazur@plvision.eu>
+Date: Tue, 15 Feb 2022 18:53:03 +0200
+Subject: net: bridge: multicast: notify switchdev driver whenever MC processing gets disabled
+
+From: Oleksandr Mazur <oleksandr.mazur@plvision.eu>
+
+commit c832962ac972082b3a1f89775c9d4274c8cb5670 upstream.
+
+Whenever bridge driver hits the max capacity of MDBs, it disables
+the MC processing (by setting corresponding bridge option), but never
+notifies switchdev about such change (the notifiers are called only upon
+explicit setting of this option, through the registered netlink interface).
+
+This could lead to situation when Software MDB processing gets disabled,
+but this event never gets offloaded to the underlying Hardware.
+
+Fix this by adding a notify message in such case.
+
+Fixes: 147c1e9b902c ("switchdev: bridge: Offload multicast disabled")
+Signed-off-by: Oleksandr Mazur <oleksandr.mazur@plvision.eu>
+Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Link: https://lore.kernel.org/r/20220215165303.31908-1-oleksandr.mazur@plvision.eu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -82,6 +82,9 @@ static void br_multicast_find_del_pg(str
+                                    struct net_bridge_port_group *pg);
+ static void __br_multicast_stop(struct net_bridge_mcast *brmctx);
++static int br_mc_disabled_update(struct net_device *dev, bool value,
++                               struct netlink_ext_ack *extack);
++
+ static struct net_bridge_port_group *
+ br_sg_port_find(struct net_bridge *br,
+               struct net_bridge_port_group_sg_key *sg_p)
+@@ -1156,6 +1159,7 @@ struct net_bridge_mdb_entry *br_multicas
+               return mp;
+       if (atomic_read(&br->mdb_hash_tbl.nelems) >= br->hash_max) {
++              br_mc_disabled_update(br->dev, false, NULL);
+               br_opt_toggle(br, BROPT_MULTICAST_ENABLED, false);
+               return ERR_PTR(-E2BIG);
+       }
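Review bot: The result of `br_mc_disabled_update()` is dropped at the new call site, although the forward declaration added in the same patch shows that it returns `int`. If the switchdev notification fails, `br_opt_toggle()` still disables multicast processing in software and the hardware state diverges silently, which is the situation the patch sets out to remove. The result should at least be checked and logged, e.g. `if (br_mc_disabled_update(br->dev, false, NULL))` followed by a `br_warn()` line. The enclosing function starts outside the hunk.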
diff --git a/queue-5.16/net-dsa-lan9303-add-vlan-ids-to-master-device.patch b/queue-5.16/net-dsa-lan9303-add-vlan-ids-to-master-device.patch
new file mode 100644 (file)
index 0000000..ba13e2a
--- /dev/null
@@ -0,0 +1,75 @@
+From 430065e2671905ac675f97b7af240cc255964e93 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 16 Feb 2022 20:48:18 +0000
+Subject: net: dsa: lan9303: add VLAN IDs to master device
+
+From: Mans Rullgard <mans@mansr.com>
+
+commit 430065e2671905ac675f97b7af240cc255964e93 upstream.
+
+If the master device does VLAN filtering, the IDs used by the switch
+must be added for any frames to be received.  Do this in the
+port_enable() function, and remove them in port_disable().
+
+Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303")
+Signed-off-by: Mans Rullgard <mans@mansr.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Link: https://lore.kernel.org/r/20220216204818.28746-1-mans@mansr.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/Kconfig        |    1 +
+ drivers/net/dsa/lan9303-core.c |   11 +++++++++--
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/dsa/Kconfig
++++ b/drivers/net/dsa/Kconfig
+@@ -82,6 +82,7 @@ config NET_DSA_REALTEK_SMI
+ config NET_DSA_SMSC_LAN9303
+       tristate
++      depends on VLAN_8021Q || VLAN_8021Q=n
+       select NET_DSA_TAG_LAN9303
+       select REGMAP
+       help
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -10,6 +10,7 @@
+ #include <linux/mii.h>
+ #include <linux/phy.h>
+ #include <linux/if_bridge.h>
++#include <linux/if_vlan.h>
+ #include <linux/etherdevice.h>
+ #include "lan9303.h"
+@@ -1083,21 +1084,27 @@ static void lan9303_adjust_link(struct d
+ static int lan9303_port_enable(struct dsa_switch *ds, int port,
+                              struct phy_device *phy)
+ {
++      struct dsa_port *dp = dsa_to_port(ds, port);
+       struct lan9303 *chip = ds->priv;
+-      if (!dsa_is_user_port(ds, port))
++      if (!dsa_port_is_user(dp))
+               return 0;
++      vlan_vid_add(dp->cpu_dp->master, htons(ETH_P_8021Q), port);
++
+       return lan9303_enable_processing_port(chip, port);
+ }
+ static void lan9303_port_disable(struct dsa_switch *ds, int port)
+ {
++      struct dsa_port *dp = dsa_to_port(ds, port);
+       struct lan9303 *chip = ds->priv;
+-      if (!dsa_is_user_port(ds, port))
++      if (!dsa_port_is_user(dp))
+               return;
++      vlan_vid_del(dp->cpu_dp->master, htons(ETH_P_8021Q), port);
++
+       lan9303_disable_processing_port(chip, port);
+       lan9303_phy_write(ds, chip->phy_addr_base + port, MII_BMCR, BMCR_PDOWN);
+ }
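Review bot: `vlan_vid_add()` can fail, and `lan9303_port_enable()` ignores its result, so the port is enabled even when the master's VLAN filter was not updated and frames for that port would not be received. Propagate the error with `err = vlan_vid_add(dp->cpu_dp->master, htons(ETH_P_8021Q), port);` followed by `if (err) return err;`, with `int err;` declared at the top. In the other direction, if `lan9303_enable_processing_port()` fails the VID stays registered on the master; a matching `vlan_vid_del()` on that path would keep enable and disable balanced.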
diff --git a/queue-5.16/net-dsa-lan9303-fix-reset-on-probe.patch b/queue-5.16/net-dsa-lan9303-fix-reset-on-probe.patch
new file mode 100644 (file)
index 0000000..d8e59cf
--- /dev/null
@@ -0,0 +1,36 @@
+From 6bb9681a43f34f2cab4aad6e2a02da4ce54d13c5 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 9 Feb 2022 14:54:54 +0000
+Subject: net: dsa: lan9303: fix reset on probe
+
+From: Mans Rullgard <mans@mansr.com>
+
+commit 6bb9681a43f34f2cab4aad6e2a02da4ce54d13c5 upstream.
+
+The reset input to the LAN9303 chip is active low, and devicetree
+gpio handles reflect this.  Therefore, the gpio should be requested
+with an initial state of high in order for the reset signal to be
+asserted.  Other uses of the gpio already use the correct polarity.
+
+Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303")
+Signed-off-by: Mans Rullgard <mans@mansr.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fianelil <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20220209145454.19749-1-mans@mansr.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/lan9303-core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -1309,7 +1309,7 @@ static int lan9303_probe_reset_gpio(stru
+                                    struct device_node *np)
+ {
+       chip->reset_gpio = devm_gpiod_get_optional(chip->dev, "reset",
+-                                                 GPIOD_OUT_LOW);
++                                                 GPIOD_OUT_HIGH);
+       if (IS_ERR(chip->reset_gpio))
+               return PTR_ERR(chip->reset_gpio);
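Review bot: The `GPIOD_OUT_HIGH` argument in lan9303_probe_reset_gpio() reads as if the pin is driven electrically high, so the call needs a comment saying the flag is the logical (asserted) state and that the active-low polarity comes from the devicetree handle. Something like `/* logical high = reset asserted; the DT handle marks the line active-low */` above the devm_gpiod_get_optional() call would keep a later reader from flipping it back. The function continues past the end of the hunk, so how the reset is released afterwards is not visible here.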
diff --git a/queue-5.16/net-dsa-lan9303-handle-hwaccel-vlan-tags.patch b/queue-5.16/net-dsa-lan9303-handle-hwaccel-vlan-tags.patch
new file mode 100644 (file)
index 0000000..d7aae66
--- /dev/null
@@ -0,0 +1,69 @@
+From 017b355bbdc6620fd8fe05fe297f553ce9d855ee Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 16 Feb 2022 12:46:34 +0000
+Subject: net: dsa: lan9303: handle hwaccel VLAN tags
+
+From: Mans Rullgard <mans@mansr.com>
+
+commit 017b355bbdc6620fd8fe05fe297f553ce9d855ee upstream.
+
+Check for a hwaccel VLAN tag on rx and use it if present.  Otherwise,
+use __skb_vlan_pop() like the other tag parsers do.  This fixes the case
+where the VLAN tag has already been consumed by the master.
+
+Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303")
+Signed-off-by: Mans Rullgard <mans@mansr.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Link: https://lore.kernel.org/r/20220216124634.23123-1-mans@mansr.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/tag_lan9303.c |   21 +++++++--------------
+ 1 file changed, 7 insertions(+), 14 deletions(-)
+
+--- a/net/dsa/tag_lan9303.c
++++ b/net/dsa/tag_lan9303.c
+@@ -77,7 +77,6 @@ static struct sk_buff *lan9303_xmit(stru
+ static struct sk_buff *lan9303_rcv(struct sk_buff *skb, struct net_device *dev)
+ {
+-      __be16 *lan9303_tag;
+       u16 lan9303_tag1;
+       unsigned int source_port;
+@@ -87,14 +86,15 @@ static struct sk_buff *lan9303_rcv(struc
+               return NULL;
+       }
+-      lan9303_tag = dsa_etype_header_pos_rx(skb);
+-
+-      if (lan9303_tag[0] != htons(ETH_P_8021Q)) {
+-              dev_warn_ratelimited(&dev->dev, "Dropping packet due to invalid VLAN marker\n");
+-              return NULL;
++      if (skb_vlan_tag_present(skb)) {
++              lan9303_tag1 = skb_vlan_tag_get(skb);
++              __vlan_hwaccel_clear_tag(skb);
++      } else {
++              skb_push_rcsum(skb, ETH_HLEN);
++              __skb_vlan_pop(skb, &lan9303_tag1);
++              skb_pull_rcsum(skb, ETH_HLEN);
+       }
+-      lan9303_tag1 = ntohs(lan9303_tag[1]);
+       source_port = lan9303_tag1 & 0x3;
+       skb->dev = dsa_master_find_slave(dev, 0, source_port);
+@@ -103,13 +103,6 @@ static struct sk_buff *lan9303_rcv(struc
+               return NULL;
+       }
+-      /* remove the special VLAN tag between the MAC addresses
+-       * and the current ethertype field.
+-       */
+-      skb_pull_rcsum(skb, 2 + 2);
+-
+-      dsa_strip_etype_header(skb, LAN9303_TAG_LEN);
+-
+       if (!(lan9303_tag1 & LAN9303_TAG_RX_TRAPPED_TO_CPU))
+               dsa_default_offload_fwd_mark(skb);
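Review bot: In lan9303_rcv() the new else branch ignores the return value of `__skb_vlan_pop()`, so if the pop fails `lan9303_tag1` is read uninitialised when `source_port` is computed just below. The removed code also dropped frames whose ethertype was not `ETH_P_8021Q`; the new path no longer checks that a frame coming off the wire actually carries the tag before its TCI is used as a port number, and whether `__skb_vlan_pop()` rejects untagged frames itself is not visible here. Checking the result and dropping the frame like the other error paths in this function would cover the first case, e.g. `if (__skb_vlan_pop(skb, &lan9303_tag1)) return NULL;`. The function starts before the first hunk and continues after the last one.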
diff --git a/queue-5.16/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch b/queue-5.16/net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch
new file mode 100644 (file)
index 0000000..d555fdc
--- /dev/null
@@ -0,0 +1,34 @@
+From 8c6ae46150a453f8ae9a6cd49b45f354f478587d Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Date: Tue, 15 Feb 2022 13:42:48 +0300
+Subject: net: dsa: lantiq_gswip: fix use after free in gswip_remove()
+
+From: Alexey Khoroshilov <khoroshilov@ispras.ru>
+
+commit 8c6ae46150a453f8ae9a6cd49b45f354f478587d upstream.
+
+of_node_put(priv->ds->slave_mii_bus->dev.of_node) should be
+done before mdiobus_free(priv->ds->slave_mii_bus).
+
+Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Fixes: 0d120dfb5d67 ("net: dsa: lantiq_gswip: don't use devres for mdiobus")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/1644921768-26477-1-git-send-email-khoroshilov@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/lantiq_gswip.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/lantiq_gswip.c
++++ b/drivers/net/dsa/lantiq_gswip.c
+@@ -2217,8 +2217,8 @@ static int gswip_remove(struct platform_
+       if (priv->ds->slave_mii_bus) {
+               mdiobus_unregister(priv->ds->slave_mii_bus);
+-              mdiobus_free(priv->ds->slave_mii_bus);
+               of_node_put(priv->ds->slave_mii_bus->dev.of_node);
++              mdiobus_free(priv->ds->slave_mii_bus);
+       }
+       for (i = 0; i < priv->num_gphy_fw; i++)
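Review bot: The order of the two calls in gswip_remove() is now load-bearing but nothing in the code says so: `of_node_put()` reads `slave_mii_bus->dev.of_node`, so it has to run before `mdiobus_free()` releases the bus. A one-line comment such as `/* drop the of_node reference while the bus is still allocated */` above `of_node_put()` would stop the lines from being swapped back. `priv->ds->slave_mii_bus` is also left pointing at the freed bus; whether anything later in the remove path reads it is outside this hunk.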
diff --git a/queue-5.16/net-dsa-mv88e6xxx-flush-switchdev-fdb-workqueue-before-removing-vlan.patch b/queue-5.16/net-dsa-mv88e6xxx-flush-switchdev-fdb-workqueue-before-removing-vlan.patch
new file mode 100644 (file)
index 0000000..7607c7d
--- /dev/null
@@ -0,0 +1,81 @@
+From a2614140dc0f467a83aa3bb4b6ee2d6480a76202 Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Fri, 11 Feb 2022 19:45:06 +0200
+Subject: net: dsa: mv88e6xxx: flush switchdev FDB workqueue before removing VLAN
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+commit a2614140dc0f467a83aa3bb4b6ee2d6480a76202 upstream.
+
+mv88e6xxx is special among DSA drivers in that it requires the VTU to
+contain the VID of the FDB entry it modifies in
+mv88e6xxx_port_db_load_purge(), otherwise it will return -EOPNOTSUPP.
+
+Sometimes due to races this is not always satisfied even if external
+code does everything right (first deletes the FDB entries, then the
+VLAN), because DSA commits to hardware FDB entries asynchronously since
+commit c9eb3e0f8701 ("net: dsa: Add support for learning FDB through
+notification").
+
+Therefore, the mv88e6xxx driver must close this race condition by
+itself, by asking DSA to flush the switchdev workqueue of any FDB
+deletions in progress, prior to exiting a VLAN.
+
+Fixes: c9eb3e0f8701 ("net: dsa: Add support for learning FDB through notification")
+Reported-by: Rafael Richter <rafael.richter@gin.de>
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c |    7 +++++++
+ include/net/dsa.h                |    1 +
+ net/dsa/dsa.c                    |    1 +
+ net/dsa/dsa_priv.h               |    1 -
+ 4 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -2290,6 +2290,13 @@ static int mv88e6xxx_port_vlan_del(struc
+       if (!mv88e6xxx_max_vid(chip))
+               return -EOPNOTSUPP;
++      /* The ATU removal procedure needs the FID to be mapped in the VTU,
++       * but FDB deletion runs concurrently with VLAN deletion. Flush the DSA
++       * switchdev workqueue to ensure that all FDB entries are deleted
++       * before we remove the VLAN.
++       */
++      dsa_flush_workqueue();
++
+       mv88e6xxx_reg_lock(chip);
+       err = mv88e6xxx_port_get_pvid(chip, port, &pvid);
+--- a/include/net/dsa.h
++++ b/include/net/dsa.h
+@@ -1094,6 +1094,7 @@ void dsa_unregister_switch(struct dsa_sw
+ int dsa_register_switch(struct dsa_switch *ds);
+ void dsa_switch_shutdown(struct dsa_switch *ds);
+ struct dsa_switch *dsa_switch_find(int tree_index, int sw_index);
++void dsa_flush_workqueue(void);
+ #ifdef CONFIG_PM_SLEEP
+ int dsa_switch_suspend(struct dsa_switch *ds);
+ int dsa_switch_resume(struct dsa_switch *ds);
+--- a/net/dsa/dsa.c
++++ b/net/dsa/dsa.c
+@@ -349,6 +349,7 @@ void dsa_flush_workqueue(void)
+ {
+       flush_workqueue(dsa_owq);
+ }
++EXPORT_SYMBOL_GPL(dsa_flush_workqueue);
+ int dsa_devlink_param_get(struct devlink *dl, u32 id,
+                         struct devlink_param_gset_ctx *ctx)
+--- a/net/dsa/dsa_priv.h
++++ b/net/dsa/dsa_priv.h
+@@ -170,7 +170,6 @@ void dsa_tag_driver_put(const struct dsa
+ const struct dsa_device_ops *dsa_find_tagger_by_name(const char *buf);
+ bool dsa_schedule_work(struct work_struct *work);
+-void dsa_flush_workqueue(void);
+ const char *dsa_tag_protocol_to_str(const struct dsa_device_ops *ops);
+ static inline int dsa_tag_protocol_overhead(const struct dsa_device_ops *ops)
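Review bot: `dsa_flush_workqueue()` is now exported to every GPL module through include/net/dsa.h, but neither the prototype nor the definition in net/dsa/dsa.c documents its calling constraints. It wraps `flush_workqueue(dsa_owq)`, so it sleeps and must not be called from a work item running on that same workqueue, where it would wait on itself. A kernel-doc comment on the definition saying that it may sleep and must not be called from work queued with `dsa_schedule_work()` would make the contract explicit for drivers other than mv88e6xxx. In mv88e6xxx_port_vlan_del() the flush runs before `mv88e6xxx_reg_lock()`, so whether FDB work queued after the flush can still race with the VLAN removal depends on locking held by the caller, which the hunk does not show.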
diff --git a/queue-5.16/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch b/queue-5.16/net-ieee802154-ca8210-fix-lifs-sifs-periods.patch
new file mode 100644 (file)
index 0000000..c89999c
--- /dev/null
@@ -0,0 +1,36 @@
+From bdc120a2bcd834e571ce4115aaddf71ab34495de Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Tue, 1 Feb 2022 19:06:26 +0100
+Subject: net: ieee802154: ca8210: Fix lifs/sifs periods
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+commit bdc120a2bcd834e571ce4115aaddf71ab34495de upstream.
+
+These periods are expressed in time units (microseconds) while 40 and 12
+are the number of symbol durations these periods will last. We need to
+multiply them both with the symbol_duration in order to get these
+values in microseconds.
+
+Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/r/20220201180629.93410-2-miquel.raynal@bootlin.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ieee802154/ca8210.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -2975,8 +2975,8 @@ static void ca8210_hw_setup(struct ieee8
+       ca8210_hw->phy->cca.opt = NL802154_CCA_OPT_ENERGY_CARRIER_AND;
+       ca8210_hw->phy->cca_ed_level = -9800;
+       ca8210_hw->phy->symbol_duration = 16;
+-      ca8210_hw->phy->lifs_period = 40;
+-      ca8210_hw->phy->sifs_period = 12;
++      ca8210_hw->phy->lifs_period = 40 * ca8210_hw->phy->symbol_duration;
++      ca8210_hw->phy->sifs_period = 12 * ca8210_hw->phy->symbol_duration;
+       ca8210_hw->flags =
+               IEEE802154_HW_AFILT |
+               IEEE802154_HW_OMIT_CKSUM |
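Review bot: The new `lifs_period` and `sifs_period` assignments in ca8210_hw_setup() keep the bare literals 40 and 12 and silently depend on `symbol_duration` having been set on the line above. A short comment, for example `/* 40 and 12 symbol durations, converted to microseconds */`, would record both the unit and the ordering requirement. The function starts and ends outside the hunk.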
diff --git a/queue-5.16/net-mscc-ocelot-fix-use-after-free-in-ocelot_vlan_del.patch b/queue-5.16/net-mscc-ocelot-fix-use-after-free-in-ocelot_vlan_del.patch
new file mode 100644 (file)
index 0000000..eba9913
--- /dev/null
@@ -0,0 +1,46 @@
+From ef57640575406f57f5b3393cf57f457b0ace837e Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Tue, 15 Feb 2022 01:42:00 +0200
+Subject: net: mscc: ocelot: fix use-after-free in ocelot_vlan_del()
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+commit ef57640575406f57f5b3393cf57f457b0ace837e upstream.
+
+ocelot_vlan_member_del() will free the struct ocelot_bridge_vlan, so if
+this is the same as the port's pvid_vlan which we access afterwards,
+what we're accessing is freed memory.
+
+Fix the bug by determining whether to clear ocelot_port->pvid_vlan prior
+to calling ocelot_vlan_member_del().
+
+Fixes: d4004422f6f9 ("net: mscc: ocelot: track the port pvid using a pointer")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mscc/ocelot.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mscc/ocelot.c
++++ b/drivers/net/ethernet/mscc/ocelot.c
+@@ -480,14 +480,18 @@ EXPORT_SYMBOL(ocelot_vlan_add);
+ int ocelot_vlan_del(struct ocelot *ocelot, int port, u16 vid)
+ {
+       struct ocelot_port *ocelot_port = ocelot->ports[port];
++      bool del_pvid = false;
+       int err;
++      if (ocelot_port->pvid_vlan && ocelot_port->pvid_vlan->vid == vid)
++              del_pvid = true;
++
+       err = ocelot_vlan_member_del(ocelot, port, vid);
+       if (err)
+               return err;
+       /* Ingress */
+-      if (ocelot_port->pvid_vlan && ocelot_port->pvid_vlan->vid == vid)
++      if (del_pvid)
+               ocelot_port_set_pvid(ocelot, port, NULL);
+       /* Egress */
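Review bot: The reason `del_pvid` has to be computed before `ocelot_vlan_member_del()` lives only in the commit message; in ocelot_vlan_del() itself the early test looks like something that could be folded back into the `/* Ingress */` branch. A comment above it such as `/* ocelot_vlan_member_del() may free the VLAN that pvid_vlan points to */` would keep the lifetime rule next to the code. The flag can also be set in one statement, `del_pvid = ocelot_port->pvid_vlan && ocelot_port->pvid_vlan->vid == vid;`. The function body continues past the end of the hunk.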
diff --git a/queue-5.16/net-phy-mediatek-remove-phy-mode-check-on-mt7531.patch b/queue-5.16/net-phy-mediatek-remove-phy-mode-check-on-mt7531.patch
new file mode 100644 (file)
index 0000000..bc0a462
--- /dev/null
@@ -0,0 +1,43 @@
+From 525b108e6d95b643eccbd84fb10aa9aa101b18dd Mon Sep 17 00:00:00 2001
+From: DENG Qingfang <dqfext@gmail.com>
+Date: Wed, 9 Feb 2022 22:39:47 +0800
+Subject: net: phy: mediatek: remove PHY mode check on MT7531
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: DENG Qingfang <dqfext@gmail.com>
+
+commit 525b108e6d95b643eccbd84fb10aa9aa101b18dd upstream.
+
+The function mt7531_phy_mode_supported in the DSA driver set supported
+mode to PHY_INTERFACE_MODE_GMII instead of PHY_INTERFACE_MODE_INTERNAL
+for the internal PHY, so this check breaks the PHY initialization:
+
+mt7530 mdio-bus:00 wan (uninitialized): failed to connect to PHY: -EINVAL
+
+Remove the check to make it work again.
+
+Reported-by: Hauke Mehrtens <hauke@hauke-m.de>
+Fixes: e40d2cca0189 ("net: phy: add MediaTek Gigabit Ethernet PHY driver")
+Signed-off-by: DENG Qingfang <dqfext@gmail.com>
+Acked-by: Arınç ÃœNAL <arinc.unal@arinc9.com>
+Tested-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mediatek-ge.c |    3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/net/phy/mediatek-ge.c
++++ b/drivers/net/phy/mediatek-ge.c
+@@ -55,9 +55,6 @@ static int mt7530_phy_config_init(struct
+ static int mt7531_phy_config_init(struct phy_device *phydev)
+ {
+-      if (phydev->interface != PHY_INTERFACE_MODE_INTERNAL)
+-              return -EINVAL;
+-
+       mtk_gephy_config_init(phydev);
+       /* PHY link down power saving enable */
diff --git a/queue-5.16/net-smc-avoid-overwriting-the-copies-of-clcsock-callback-functions.patch b/queue-5.16/net-smc-avoid-overwriting-the-copies-of-clcsock-callback-functions.patch
new file mode 100644 (file)
index 0000000..41bbc53
--- /dev/null
@@ -0,0 +1,66 @@
+From 1de9770d121ee9294794cca0e0be8fbfa0134ee8 Mon Sep 17 00:00:00 2001
+From: Wen Gu <guwen@linux.alibaba.com>
+Date: Wed, 9 Feb 2022 22:10:53 +0800
+Subject: net/smc: Avoid overwriting the copies of clcsock callback functions
+
+From: Wen Gu <guwen@linux.alibaba.com>
+
+commit 1de9770d121ee9294794cca0e0be8fbfa0134ee8 upstream.
+
+The callback functions of clcsock will be saved and replaced during
+the fallback. But if the fallback happens more than once, then the
+copies of these callback functions will be overwritten incorrectly,
+resulting in a loop call issue:
+
+clcsk->sk_error_report
+ |- smc_fback_error_report() <------------------------------|
+     |- smc_fback_forward_wakeup()                          | (loop)
+         |- clcsock_callback()  (incorrectly overwritten)   |
+             |- smc->clcsk_error_report() ------------------|
+
+So this patch fixes the issue by saving these function pointers only
+once in the fallback and avoiding overwriting.
+
+Reported-by: syzbot+4de3c0e8a263e1e499bc@syzkaller.appspotmail.com
+Fixes: 341adeec9ada ("net/smc: Forward wakeup to smc socket waitqueue after fallback")
+Link: https://lore.kernel.org/r/0000000000006d045e05d78776f6@google.com
+Signed-off-by: Wen Gu <guwen@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/af_smc.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -667,14 +667,17 @@ static void smc_fback_error_report(struc
+ static int smc_switch_to_fallback(struct smc_sock *smc, int reason_code)
+ {
+       struct sock *clcsk;
++      int rc = 0;
+       mutex_lock(&smc->clcsock_release_lock);
+       if (!smc->clcsock) {
+-              mutex_unlock(&smc->clcsock_release_lock);
+-              return -EBADF;
++              rc = -EBADF;
++              goto out;
+       }
+       clcsk = smc->clcsock->sk;
++      if (smc->use_fallback)
++              goto out;
+       smc->use_fallback = true;
+       smc->fallback_rsn = reason_code;
+       smc_stat_fallback(smc);
+@@ -702,8 +705,9 @@ static int smc_switch_to_fallback(struct
+               smc->clcsock->sk->sk_user_data =
+                       (void *)((uintptr_t)smc | SK_USER_DATA_NOCOPY);
+       }
++out:
+       mutex_unlock(&smc->clcsock_release_lock);
+-      return 0;
++      return rc;
+ }
+ /* fall back during connect */
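Review bot: The early `goto out` in smc_switch_to_fallback() when `smc->use_fallback` is already set returns 0 and discards the new `reason_code`, and nothing at that line explains why the rest must be skipped. A comment like `/* already fell back: the clcsock callbacks were saved once and must not be saved again */` would tie the check to the call loop described in the commit message. If callers or statistics rely on `fallback_rsn` reflecting the latest reason, that should be confirmed, since the code between the two hunks is not shown.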
diff --git a/queue-5.16/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch b/queue-5.16/net_sched-add-__rcu-annotation-to-netdev-qdisc.patch
new file mode 100644 (file)
index 0000000..00e42f5
--- /dev/null
@@ -0,0 +1,327 @@
+From 5891cd5ec46c2c2eb6427cb54d214b149635dd0e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 11 Feb 2022 12:06:23 -0800
+Subject: net_sched: add __rcu annotation to netdev->qdisc
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 5891cd5ec46c2c2eb6427cb54d214b149635dd0e upstream.
+
+syzbot found a data-race [1] which lead me to add __rcu
+annotations to netdev->qdisc, and proper accessors
+to get LOCKDEP support.
+
+[1]
+BUG: KCSAN: data-race in dev_activate / qdisc_lookup_rcu
+
+write to 0xffff888168ad6410 of 8 bytes by task 13559 on cpu 1:
+ attach_default_qdiscs net/sched/sch_generic.c:1167 [inline]
+ dev_activate+0x2ed/0x8f0 net/sched/sch_generic.c:1221
+ __dev_open+0x2e9/0x3a0 net/core/dev.c:1416
+ __dev_change_flags+0x167/0x3f0 net/core/dev.c:8139
+ rtnl_configure_link+0xc2/0x150 net/core/rtnetlink.c:3150
+ __rtnl_newlink net/core/rtnetlink.c:3489 [inline]
+ rtnl_newlink+0xf4d/0x13e0 net/core/rtnetlink.c:3529
+ rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5594
+ netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494
+ rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612
+ netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+ netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343
+ netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:705 [inline]
+ sock_sendmsg net/socket.c:725 [inline]
+ ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
+ ___sys_sendmsg net/socket.c:2467 [inline]
+ __sys_sendmsg+0x195/0x230 net/socket.c:2496
+ __do_sys_sendmsg net/socket.c:2505 [inline]
+ __se_sys_sendmsg net/socket.c:2503 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff888168ad6410 of 8 bytes by task 13560 on cpu 0:
+ qdisc_lookup_rcu+0x30/0x2e0 net/sched/sch_api.c:323
+ __tcf_qdisc_find+0x74/0x3a0 net/sched/cls_api.c:1050
+ tc_del_tfilter+0x1c7/0x1350 net/sched/cls_api.c:2211
+ rtnetlink_rcv_msg+0x5ba/0x7e0 net/core/rtnetlink.c:5585
+ netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494
+ rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612
+ netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+ netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343
+ netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:705 [inline]
+ sock_sendmsg net/socket.c:725 [inline]
+ ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
+ ___sys_sendmsg net/socket.c:2467 [inline]
+ __sys_sendmsg+0x195/0x230 net/socket.c:2496
+ __do_sys_sendmsg net/socket.c:2505 [inline]
+ __se_sys_sendmsg net/socket.c:2503 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0xffffffff85dee080 -> 0xffff88815d96ec00
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 13560 Comm: syz-executor.2 Not tainted 5.17.0-rc3-syzkaller-00116-gf1baf68e1383-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 470502de5bdb ("net: sched: unlock rules update API")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Vlad Buslov <vladbu@mellanox.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdevice.h |    2 +-
+ net/core/rtnetlink.c      |    6 ++++--
+ net/sched/cls_api.c       |    6 +++---
+ net/sched/sch_api.c       |   22 ++++++++++++----------
+ net/sched/sch_generic.c   |   29 ++++++++++++++++-------------
+ 5 files changed, 36 insertions(+), 29 deletions(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -2149,7 +2149,7 @@ struct net_device {
+       struct netdev_queue     *_tx ____cacheline_aligned_in_smp;
+       unsigned int            num_tx_queues;
+       unsigned int            real_num_tx_queues;
+-      struct Qdisc            *qdisc;
++      struct Qdisc __rcu      *qdisc;
+       unsigned int            tx_queue_len;
+       spinlock_t              tx_global_lock;
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1698,6 +1698,7 @@ static int rtnl_fill_ifinfo(struct sk_bu
+ {
+       struct ifinfomsg *ifm;
+       struct nlmsghdr *nlh;
++      struct Qdisc *qdisc;
+       ASSERT_RTNL();
+       nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ifm), flags);
+@@ -1715,6 +1716,7 @@ static int rtnl_fill_ifinfo(struct sk_bu
+       if (tgt_netnsid >= 0 && nla_put_s32(skb, IFLA_TARGET_NETNSID, tgt_netnsid))
+               goto nla_put_failure;
++      qdisc = rtnl_dereference(dev->qdisc);
+       if (nla_put_string(skb, IFLA_IFNAME, dev->name) ||
+           nla_put_u32(skb, IFLA_TXQLEN, dev->tx_queue_len) ||
+           nla_put_u8(skb, IFLA_OPERSTATE,
+@@ -1733,8 +1735,8 @@ static int rtnl_fill_ifinfo(struct sk_bu
+ #endif
+           put_master_ifindex(skb, dev) ||
+           nla_put_u8(skb, IFLA_CARRIER, netif_carrier_ok(dev)) ||
+-          (dev->qdisc &&
+-           nla_put_string(skb, IFLA_QDISC, dev->qdisc->ops->id)) ||
++          (qdisc &&
++           nla_put_string(skb, IFLA_QDISC, qdisc->ops->id)) ||
+           nla_put_ifalias(skb, dev) ||
+           nla_put_u32(skb, IFLA_CARRIER_CHANGES,
+                       atomic_read(&dev->carrier_up_count) +
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -1044,7 +1044,7 @@ static int __tcf_qdisc_find(struct net *
+       /* Find qdisc */
+       if (!*parent) {
+-              *q = dev->qdisc;
++              *q = rcu_dereference(dev->qdisc);
+               *parent = (*q)->handle;
+       } else {
+               *q = qdisc_lookup_rcu(dev, TC_H_MAJ(*parent));
+@@ -2587,7 +2587,7 @@ static int tc_dump_tfilter(struct sk_buf
+               parent = tcm->tcm_parent;
+               if (!parent)
+-                      q = dev->qdisc;
++                      q = rtnl_dereference(dev->qdisc);
+               else
+                       q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent));
+               if (!q)
+@@ -2962,7 +2962,7 @@ static int tc_dump_chain(struct sk_buff
+                       return skb->len;
+               if (!tcm->tcm_parent)
+-                      q = dev->qdisc;
++                      q = rtnl_dereference(dev->qdisc);
+               else
+                       q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent));
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -301,7 +301,7 @@ struct Qdisc *qdisc_lookup(struct net_de
+       if (!handle)
+               return NULL;
+-      q = qdisc_match_from_root(dev->qdisc, handle);
++      q = qdisc_match_from_root(rtnl_dereference(dev->qdisc), handle);
+       if (q)
+               goto out;
+@@ -320,7 +320,7 @@ struct Qdisc *qdisc_lookup_rcu(struct ne
+       if (!handle)
+               return NULL;
+-      q = qdisc_match_from_root(dev->qdisc, handle);
++      q = qdisc_match_from_root(rcu_dereference(dev->qdisc), handle);
+       if (q)
+               goto out;
+@@ -1082,10 +1082,10 @@ static int qdisc_graft(struct net_device
+ skip:
+               if (!ingress) {
+                       notify_and_destroy(net, skb, n, classid,
+-                                         dev->qdisc, new);
++                                         rtnl_dereference(dev->qdisc), new);
+                       if (new && !new->ops->attach)
+                               qdisc_refcount_inc(new);
+-                      dev->qdisc = new ? : &noop_qdisc;
++                      rcu_assign_pointer(dev->qdisc, new ? : &noop_qdisc);
+                       if (new && new->ops->attach)
+                               new->ops->attach(new);
+@@ -1451,7 +1451,7 @@ static int tc_get_qdisc(struct sk_buff *
+                               q = dev_ingress_queue(dev)->qdisc_sleeping;
+                       }
+               } else {
+-                      q = dev->qdisc;
++                      q = rtnl_dereference(dev->qdisc);
+               }
+               if (!q) {
+                       NL_SET_ERR_MSG(extack, "Cannot find specified qdisc on specified device");
+@@ -1540,7 +1540,7 @@ replay:
+                               q = dev_ingress_queue(dev)->qdisc_sleeping;
+                       }
+               } else {
+-                      q = dev->qdisc;
++                      q = rtnl_dereference(dev->qdisc);
+               }
+               /* It may be default qdisc, ignore it */
+@@ -1762,7 +1762,8 @@ static int tc_dump_qdisc(struct sk_buff
+                       s_q_idx = 0;
+               q_idx = 0;
+-              if (tc_dump_qdisc_root(dev->qdisc, skb, cb, &q_idx, s_q_idx,
++              if (tc_dump_qdisc_root(rtnl_dereference(dev->qdisc),
++                                     skb, cb, &q_idx, s_q_idx,
+                                      true, tca[TCA_DUMP_INVISIBLE]) < 0)
+                       goto done;
+@@ -2033,7 +2034,7 @@ static int tc_ctl_tclass(struct sk_buff
+               } else if (qid1) {
+                       qid = qid1;
+               } else if (qid == 0)
+-                      qid = dev->qdisc->handle;
++                      qid = rtnl_dereference(dev->qdisc)->handle;
+               /* Now qid is genuine qdisc handle consistent
+                * both with parent and child.
+@@ -2044,7 +2045,7 @@ static int tc_ctl_tclass(struct sk_buff
+                       portid = TC_H_MAKE(qid, portid);
+       } else {
+               if (qid == 0)
+-                      qid = dev->qdisc->handle;
++                      qid = rtnl_dereference(dev->qdisc)->handle;
+       }
+       /* OK. Locate qdisc */
+@@ -2205,7 +2206,8 @@ static int tc_dump_tclass(struct sk_buff
+       s_t = cb->args[0];
+       t = 0;
+-      if (tc_dump_tclass_root(dev->qdisc, skb, tcm, cb, &t, s_t, true) < 0)
++      if (tc_dump_tclass_root(rtnl_dereference(dev->qdisc),
++                              skb, tcm, cb, &t, s_t, true) < 0)
+               goto done;
+       dev_queue = dev_ingress_queue(dev);
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -1109,30 +1109,33 @@ static void attach_default_qdiscs(struct
+       if (!netif_is_multiqueue(dev) ||
+           dev->priv_flags & IFF_NO_QUEUE) {
+               netdev_for_each_tx_queue(dev, attach_one_default_qdisc, NULL);
+-              dev->qdisc = txq->qdisc_sleeping;
+-              qdisc_refcount_inc(dev->qdisc);
++              qdisc = txq->qdisc_sleeping;
++              rcu_assign_pointer(dev->qdisc, qdisc);
++              qdisc_refcount_inc(qdisc);
+       } else {
+               qdisc = qdisc_create_dflt(txq, &mq_qdisc_ops, TC_H_ROOT, NULL);
+               if (qdisc) {
+-                      dev->qdisc = qdisc;
++                      rcu_assign_pointer(dev->qdisc, qdisc);
+                       qdisc->ops->attach(qdisc);
+               }
+       }
++      qdisc = rtnl_dereference(dev->qdisc);
+       /* Detect default qdisc setup/init failed and fallback to "noqueue" */
+-      if (dev->qdisc == &noop_qdisc) {
++      if (qdisc == &noop_qdisc) {
+               netdev_warn(dev, "default qdisc (%s) fail, fallback to %s\n",
+                           default_qdisc_ops->id, noqueue_qdisc_ops.id);
+               dev->priv_flags |= IFF_NO_QUEUE;
+               netdev_for_each_tx_queue(dev, attach_one_default_qdisc, NULL);
+-              dev->qdisc = txq->qdisc_sleeping;
+-              qdisc_refcount_inc(dev->qdisc);
++              qdisc = txq->qdisc_sleeping;
++              rcu_assign_pointer(dev->qdisc, qdisc);
++              qdisc_refcount_inc(qdisc);
+               dev->priv_flags ^= IFF_NO_QUEUE;
+       }
+ #ifdef CONFIG_NET_SCHED
+-      if (dev->qdisc != &noop_qdisc)
+-              qdisc_hash_add(dev->qdisc, false);
++      if (qdisc != &noop_qdisc)
++              qdisc_hash_add(qdisc, false);
+ #endif
+ }
+@@ -1162,7 +1165,7 @@ void dev_activate(struct net_device *dev
+        * and noqueue_qdisc for virtual interfaces
+        */
+-      if (dev->qdisc == &noop_qdisc)
++      if (rtnl_dereference(dev->qdisc) == &noop_qdisc)
+               attach_default_qdiscs(dev);
+       if (!netif_carrier_ok(dev))
+@@ -1328,7 +1331,7 @@ static int qdisc_change_tx_queue_len(str
+ void dev_qdisc_change_real_num_tx(struct net_device *dev,
+                                 unsigned int new_real_tx)
+ {
+-      struct Qdisc *qdisc = dev->qdisc;
++      struct Qdisc *qdisc = rtnl_dereference(dev->qdisc);
+       if (qdisc->ops->change_real_num_tx)
+               qdisc->ops->change_real_num_tx(qdisc, new_real_tx);
+@@ -1392,7 +1395,7 @@ static void dev_init_scheduler_queue(str
+ void dev_init_scheduler(struct net_device *dev)
+ {
+-      dev->qdisc = &noop_qdisc;
++      rcu_assign_pointer(dev->qdisc, &noop_qdisc);
+       netdev_for_each_tx_queue(dev, dev_init_scheduler_queue, &noop_qdisc);
+       if (dev_ingress_queue(dev))
+               dev_init_scheduler_queue(dev, dev_ingress_queue(dev), &noop_qdisc);
+@@ -1420,8 +1423,8 @@ void dev_shutdown(struct net_device *dev
+       netdev_for_each_tx_queue(dev, shutdown_scheduler_queue, &noop_qdisc);
+       if (dev_ingress_queue(dev))
+               shutdown_scheduler_queue(dev, dev_ingress_queue(dev), &noop_qdisc);
+-      qdisc_put(dev->qdisc);
+-      dev->qdisc = &noop_qdisc;
++      qdisc_put(rtnl_dereference(dev->qdisc));
++      rcu_assign_pointer(dev->qdisc, &noop_qdisc);
+       WARN_ON(timer_pending(&dev->watchdog_timer));
+ }
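Review bot: In dev_shutdown() the converted lines still call `qdisc_put()` on the published qdisc before `rcu_assign_pointer()` replaces it with `&noop_qdisc`, so for a short window `dev->qdisc` points at an object whose reference has already been dropped. With RCU readers now formally expected (`rcu_dereference(dev->qdisc)` in __tcf_qdisc_find() and qdisc_lookup_rcu()), the usual order is to unpublish first: `old = rtnl_dereference(dev->qdisc); rcu_assign_pointer(dev->qdisc, &noop_qdisc); qdisc_put(old);`. Whether a reader can still reach the device at this stage, and whether the qdisc's memory is released only after a grace period, is not visible in these hunks, so this may be a hardening point rather than a live bug. dev_shutdown() starts before its hunk.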
diff --git a/queue-5.16/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch b/queue-5.16/netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch
new file mode 100644 (file)
index 0000000..09b328a
--- /dev/null
@@ -0,0 +1,32 @@
+From 2b4e5fb4d3776c391e40fb33673ba946dd96012d Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 10 Feb 2022 10:06:42 +0100
+Subject: netfilter: nft_synproxy: unregister hooks on init error path
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 2b4e5fb4d3776c391e40fb33673ba946dd96012d upstream.
+
+Disable the IPv4 hooks if the IPv6 hooks fail to be registered.
+
+Fixes: ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_synproxy.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_synproxy.c
++++ b/net/netfilter/nft_synproxy.c
+@@ -191,8 +191,10 @@ static int nft_synproxy_do_init(const st
+               if (err)
+                       goto nf_ct_failure;
+               err = nf_synproxy_ipv6_init(snet, ctx->net);
+-              if (err)
++              if (err) {
++                      nf_synproxy_ipv4_fini(snet, ctx->net);
+                       goto nf_ct_failure;
++              }
+               break;
+       }
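Review bot: The IPv4 teardown added to the IPv6 failure branch of nft_synproxy_do_init() is written inline rather than as part of the function's unwind path, so a later step added to this case has to remember to repeat it or the IPv4 hooks stay registered for an expression that failed to initialise. A short comment would make the pairing explicit, for example `/* IPv6 registration failed: release the IPv4 hooks taken just above */`. Only the tail of the switch is visible in this hunk, so whether the other cases need similar unwinding cannot be judged from here.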
diff --git a/queue-5.16/netfilter-xt_socket-fix-a-typo-in-socket_mt_destroy.patch b/queue-5.16/netfilter-xt_socket-fix-a-typo-in-socket_mt_destroy.patch
new file mode 100644 (file)
index 0000000..7f47895
--- /dev/null
@@ -0,0 +1,34 @@
+From 75063c9294fb239bbe64eb72141b6871fe526d29 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 8 Feb 2022 18:30:43 -0800
+Subject: netfilter: xt_socket: fix a typo in socket_mt_destroy()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 75063c9294fb239bbe64eb72141b6871fe526d29 upstream.
+
+Calling nf_defrag_ipv4_disable() instead of nf_defrag_ipv6_disable()
+was probably not the intent.
+
+I found this by code inspection, while chasing a possible issue in TPROXY.
+
+Fixes: de8c12110a13 ("netfilter: disable defrag once its no longer needed")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/xt_socket.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/xt_socket.c
++++ b/net/netfilter/xt_socket.c
+@@ -221,7 +221,7 @@ static void socket_mt_destroy(const stru
+       if (par->family == NFPROTO_IPV4)
+               nf_defrag_ipv4_disable(par->net);
+       else if (par->family == NFPROTO_IPV6)
+-              nf_defrag_ipv4_disable(par->net);
++              nf_defrag_ipv6_disable(par->net);
+ }
+ static struct xt_match socket_mt_reg[] __read_mostly = {
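Review bot: The corrected call to `nf_defrag_ipv6_disable()` in socket_mt_destroy() has no visible IPv6 configuration guard, and the hunk does not show whether the surrounding code provides one. If xt_socket can be built without IPv6 netfilter support, this reference may fail to build where the old (wrong) IPv4 call did not. Wrapping the `else if` branch in the same condition the file uses for its IPv6 match (presumably `#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)`, to be confirmed) would cover that. The matching enable call is outside this hunk and should be checked for the same guard.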
diff --git a/queue-5.16/nfp-flower-netdev-offload-check-for-ip6gretap.patch b/queue-5.16/nfp-flower-netdev-offload-check-for-ip6gretap.patch
new file mode 100644 (file)
index 0000000..6b4c814
--- /dev/null
@@ -0,0 +1,41 @@
+From 7dbcda584eaa5bdb4a281c379207dacc1a5e6081 Mon Sep 17 00:00:00 2001
+From: Danie du Toit <danie.dutoit@corigine.com>
+Date: Thu, 17 Feb 2022 14:48:20 +0200
+Subject: nfp: flower: netdev offload check for ip6gretap
+
+From: Danie du Toit <danie.dutoit@corigine.com>
+
+commit 7dbcda584eaa5bdb4a281c379207dacc1a5e6081 upstream.
+
+IPv6 GRE tunnels are not being offloaded, this is caused by a missing
+netdev offload check. The functionality of IPv6 GRE tunnel offloading
+was previously added but this check was not included. Adding the
+ip6gretap check allows IPv6 GRE tunnels to be offloaded correctly.
+
+Fixes: f7536ffb0986 ("nfp: flower: Allow ipv6gretap interface for offloading")
+Signed-off-by: Danie du Toit <danie.dutoit@corigine.com>
+Signed-off-by: Louis Peens <louis.peens@corigine.com>
+Signed-off-by: Simon Horman <simon.horman@corigine.com>
+Link: https://lore.kernel.org/r/20220217124820.40436-1-louis.peens@corigine.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/cmsg.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/flower/cmsg.h b/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
+index 784292b16290..1543e47456d5 100644
+--- a/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
++++ b/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
+@@ -723,6 +723,8 @@ static inline bool nfp_fl_is_netdev_to_offload(struct net_device *netdev)
+               return true;
+       if (netif_is_gretap(netdev))
+               return true;
++      if (netif_is_ip6gretap(netdev))
++              return true;
+       return false;
+ }
+-- 
+2.35.1
+
diff --git a/queue-5.16/perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch b/queue-5.16/perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch
new file mode 100644 (file)
index 0000000..a0f4f37
--- /dev/null
@@ -0,0 +1,50 @@
+From 31ded1535e3182778a1d0e5c32711f55da3bc512 Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Wed, 16 Feb 2022 16:01:00 -0300
+Subject: perf bpf: Defer freeing string after possible strlen() on it
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+commit 31ded1535e3182778a1d0e5c32711f55da3bc512 upstream.
+
+This was detected by the gcc in Fedora Rawhide's gcc:
+
+  50    11.01 fedora:rawhide                : FAIL gcc version 12.0.1 20220205 (Red Hat 12.0.1-0) (GCC)
+        inlined from 'bpf__config_obj' at util/bpf-loader.c:1242:9:
+    util/bpf-loader.c:1225:34: error: pointer 'map_opt' may be used after 'free' [-Werror=use-after-free]
+     1225 |                 *key_scan_pos += strlen(map_opt);
+          |                                  ^~~~~~~~~~~~~~~
+    util/bpf-loader.c:1223:9: note: call to 'free' here
+     1223 |         free(map_name);
+          |         ^~~~~~~~~~~~~~
+    cc1: all warnings being treated as errors
+
+So do the calculations on the pointer before freeing it.
+
+Fixes: 04f9bf2bac72480c ("perf bpf-loader: Add missing '*' for key_scan_pos")
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Link: https://lore.kernel.org/lkml/Yg1VtQxKrPpS3uNA@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/bpf-loader.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/util/bpf-loader.c
++++ b/tools/perf/util/bpf-loader.c
+@@ -1214,9 +1214,10 @@ bpf__obj_config_map(struct bpf_object *o
+       pr_debug("ERROR: Invalid map config option '%s'\n", map_opt);
+       err = -BPF_LOADER_ERRNO__OBJCONF_MAP_OPT;
+ out:
+-      free(map_name);
+       if (!err)
+               *key_scan_pos += strlen(map_opt);
++
++      free(map_name);
+       return err;
+ }
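Review bot: Nothing at the `out:` label records why `free(map_name)` now has to come after the `strlen(map_opt)` call, so a later cleanup could easily move it back. The compiler diagnostic quoted in the description implies that map_opt points into the map_name allocation. A comment above the free, such as `/* map_opt points into map_name: free only after its last use */`, would keep that visible. The assignment of map_opt is outside this hunk, so the aliasing should be confirmed there.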
diff --git a/queue-5.16/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch b/queue-5.16/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch
new file mode 100644 (file)
index 0000000..555d5c0
--- /dev/null
@@ -0,0 +1,78 @@
+From 35a79e64de29e8d57a5989aac57611c0cd29e13e Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 16 Feb 2022 00:20:52 -0500
+Subject: ping: fix the dif and sdif check in ping_lookup
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 35a79e64de29e8d57a5989aac57611c0cd29e13e upstream.
+
+When 'ping' changes to use PING socket instead of RAW socket by:
+
+   # sysctl -w net.ipv4.ping_group_range="0 100"
+
+There is another regression caused when matching sk_bound_dev_if
+and dif, RAW socket is using inet_iif() while PING socket lookup
+is using skb->dev->ifindex, the cmd below fails due to this:
+
+  # ip link add dummy0 type dummy
+  # ip link set dummy0 up
+  # ip addr add 192.168.111.1/24 dev dummy0
+  # ping -I dummy0 192.168.111.1 -c1
+
+The issue was also reported on:
+
+  https://github.com/iputils/iputils/issues/104
+
+But fixed in iputils in a wrong way by not binding to device when
+destination IP is on device, and it will cause some of kselftests
+to fail, as Jianlin noticed.
+
+This patch is to use inet(6)_iif and inet(6)_sdif to get dif and
+sdif for PING socket, and keep consistent with RAW socket.
+
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ping.c |   11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -172,16 +172,23 @@ static struct sock *ping_lookup(struct n
+       struct sock *sk = NULL;
+       struct inet_sock *isk;
+       struct hlist_nulls_node *hnode;
+-      int dif = skb->dev->ifindex;
++      int dif, sdif;
+       if (skb->protocol == htons(ETH_P_IP)) {
++              dif = inet_iif(skb);
++              sdif = inet_sdif(skb);
+               pr_debug("try to find: num = %d, daddr = %pI4, dif = %d\n",
+                        (int)ident, &ip_hdr(skb)->daddr, dif);
+ #if IS_ENABLED(CONFIG_IPV6)
+       } else if (skb->protocol == htons(ETH_P_IPV6)) {
++              dif = inet6_iif(skb);
++              sdif = inet6_sdif(skb);
+               pr_debug("try to find: num = %d, daddr = %pI6c, dif = %d\n",
+                        (int)ident, &ipv6_hdr(skb)->daddr, dif);
+ #endif
++      } else {
++              pr_err("ping: protocol(%x) is not supported\n", ntohs(skb->protocol));
++              return NULL;
+       }
+       read_lock_bh(&ping_table.lock);
+@@ -221,7 +228,7 @@ static struct sock *ping_lookup(struct n
+               }
+               if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif &&
+-                  sk->sk_bound_dev_if != inet_sdif(skb))
++                  sk->sk_bound_dev_if != sdif)
+                       continue;
+               sock_hold(sk);
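Review bot: The new `else` branch in ping_lookup() logs with an unratelimited `pr_err()` on the receive path, so if a packet with an unexpected `skb->protocol` can reach it, each such packet writes a kernel log line. Using `pr_err_ratelimited("ping: protocol(%x) is not supported\n", ntohs(skb->protocol));` keeps the diagnostic without letting traffic drive log volume. Whether the callers already restrict the protocol is not visible in these hunks. dif and sdif are now assigned only inside the protocol branches, so the early `return NULL` is what keeps them from being read uninitialised; a one-line comment saying so would help.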
diff --git a/queue-5.16/revert-net-ethernet-bgmac-use-devm_platform_ioremap_resource_byname.patch b/queue-5.16/revert-net-ethernet-bgmac-use-devm_platform_ioremap_resource_byname.patch
new file mode 100644 (file)
index 0000000..1750b9d
--- /dev/null
@@ -0,0 +1,73 @@
+From 6aba04ee3263669b335458c4cf4c7d97d6940229 Mon Sep 17 00:00:00 2001
+From: Jonas Gorski <jonas.gorski@gmail.com>
+Date: Wed, 16 Feb 2022 10:46:34 -0800
+Subject: Revert "net: ethernet: bgmac: Use devm_platform_ioremap_resource_byname"
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+commit 6aba04ee3263669b335458c4cf4c7d97d6940229 upstream.
+
+This reverts commit 3710e80952cf2dc48257ac9f145b117b5f74e0a5.
+
+Since idm_base and nicpm_base are still optional resources not present
+on all platforms, this breaks the driver for everything except Northstar
+2 (which has both).
+
+The same change was already reverted once with 755f5738ff98 ("net:
+broadcom: fix a mistake about ioremap resource").
+
+So let's do it again.
+
+Fixes: 3710e80952cf ("net: ethernet: bgmac: Use devm_platform_ioremap_resource_byname")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+[florian: Added comments to explain the resources are optional]
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20220216184634.2032460-1-f.fainelli@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bgmac-platform.c |   23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bgmac-platform.c
++++ b/drivers/net/ethernet/broadcom/bgmac-platform.c
+@@ -172,6 +172,7 @@ static int bgmac_probe(struct platform_d
+ {
+       struct device_node *np = pdev->dev.of_node;
+       struct bgmac *bgmac;
++      struct resource *regs;
+       int ret;
+       bgmac = bgmac_alloc(&pdev->dev);
+@@ -208,15 +209,23 @@ static int bgmac_probe(struct platform_d
+       if (IS_ERR(bgmac->plat.base))
+               return PTR_ERR(bgmac->plat.base);
+-      bgmac->plat.idm_base = devm_platform_ioremap_resource_byname(pdev, "idm_base");
+-      if (IS_ERR(bgmac->plat.idm_base))
+-              return PTR_ERR(bgmac->plat.idm_base);
+-      else
++      /* The idm_base resource is optional for some platforms */
++      regs = platform_get_resource_byname(pdev, IORESOURCE_MEM, "idm_base");
++      if (regs) {
++              bgmac->plat.idm_base = devm_ioremap_resource(&pdev->dev, regs);
++              if (IS_ERR(bgmac->plat.idm_base))
++                      return PTR_ERR(bgmac->plat.idm_base);
+               bgmac->feature_flags &= ~BGMAC_FEAT_IDM_MASK;
++      }
+-      bgmac->plat.nicpm_base = devm_platform_ioremap_resource_byname(pdev, "nicpm_base");
+-      if (IS_ERR(bgmac->plat.nicpm_base))
+-              return PTR_ERR(bgmac->plat.nicpm_base);
++      /* The nicpm_base resource is optional for some platforms */
++      regs = platform_get_resource_byname(pdev, IORESOURCE_MEM, "nicpm_base");
++      if (regs) {
++              bgmac->plat.nicpm_base = devm_ioremap_resource(&pdev->dev,
++                                                             regs);
++              if (IS_ERR(bgmac->plat.nicpm_base))
++                      return PTR_ERR(bgmac->plat.nicpm_base);
++      }
+       bgmac->read = platform_bgmac_read;
+       bgmac->write = platform_bgmac_write;
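Review bot: The two comments added in bgmac_probe() say the resources are optional but not why the shorter helper cannot be used, and the description notes that this same conversion has already been reverted once before. Extending the first one, e.g. `/* idm_base is optional: look it up first, devm_platform_ioremap_resource_byname() would fail the probe when it is absent */`, would make the constraint visible to the next cleanup pass. The same wording applies to the nicpm_base block.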
diff --git a/queue-5.16/selftests-exec-add-non-regular-to-test_gen_progs.patch b/queue-5.16/selftests-exec-add-non-regular-to-test_gen_progs.patch
new file mode 100644 (file)
index 0000000..599d3f6
--- /dev/null
@@ -0,0 +1,40 @@
+From a7e793a867ae312cecdeb6f06cceff98263e75dd Mon Sep 17 00:00:00 2001
+From: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Date: Thu, 10 Feb 2022 22:13:23 +0500
+Subject: selftests/exec: Add non-regular to TEST_GEN_PROGS
+
+From: Muhammad Usama Anjum <usama.anjum@collabora.com>
+
+commit a7e793a867ae312cecdeb6f06cceff98263e75dd upstream.
+
+non-regular file needs to be compiled and then copied to the output
+directory. Remove it from TEST_PROGS and add it to TEST_GEN_PROGS. This
+removes error thrown by rsync when non-regular object isn't found:
+
+rsync: [sender] link_stat "/linux/tools/testing/selftests/exec/non-regular" failed: No such file or directory (2)
+rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1333) [sender=3.2.3]
+
+Fixes: 0f71241a8e32 ("selftests/exec: add file type errno tests")
+Reported-by: "kernelci.org bot" <bot@kernelci.org>
+Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/exec/Makefile |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/exec/Makefile
++++ b/tools/testing/selftests/exec/Makefile
+@@ -3,8 +3,8 @@ CFLAGS = -Wall
+ CFLAGS += -Wno-nonnull
+ CFLAGS += -D_GNU_SOURCE
+-TEST_PROGS := binfmt_script non-regular
+-TEST_GEN_PROGS := execveat load_address_4096 load_address_2097152 load_address_16777216
++TEST_PROGS := binfmt_script
++TEST_GEN_PROGS := execveat load_address_4096 load_address_2097152 load_address_16777216 non-regular
+ TEST_GEN_FILES := execveat.symlink execveat.denatured script subdir
+ # Makefile is a run-time dependency, since it's accessed by the execveat test
+ TEST_FILES := Makefile
diff --git a/queue-5.16/selftests-netfilter-disable-rp_filter-on-router.patch b/queue-5.16/selftests-netfilter-disable-rp_filter-on-router.patch
new file mode 100644 (file)
index 0000000..836c24a
--- /dev/null
@@ -0,0 +1,51 @@
+From bbe4c0896d25009a7c86285d2ab024eed4374eea Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Thu, 10 Feb 2022 17:50:56 +0800
+Subject: selftests: netfilter: disable rp_filter on router
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+commit bbe4c0896d25009a7c86285d2ab024eed4374eea upstream.
+
+Some distros may enable rp_filter by default. After ns1 change addr to
+10.0.2.99 and set default router to 10.0.2.1, while the connected router
+address is still 10.0.1.1. The router will not reply the arp request
+from ns1. Fix it by setting the router's veth0 rp_filter to 0.
+
+Before the fix:
+  # ./nft_fib.sh
+  PASS: fib expression did not cause unwanted packet drops
+  Netns nsrouter-HQkDORO2 fib counter doesn't match expected packet count of 1 for 1.1.1.1
+  table inet filter {
+          chain prerouting {
+                  type filter hook prerouting priority filter; policy accept;
+                  ip daddr 1.1.1.1 fib saddr . iif oif missing counter packets 0 bytes 0 drop
+                  ip6 daddr 1c3::c01d fib saddr . iif oif missing counter packets 0 bytes 0 drop
+          }
+  }
+
+After the fix:
+  # ./nft_fib.sh
+  PASS: fib expression did not cause unwanted packet drops
+  PASS: fib expression did drop packets for 1.1.1.1
+  PASS: fib expression did drop packets for 1c3::c01d
+
+Fixes: 82944421243e ("selftests: netfilter: add fib test case")
+Signed-off-by: Yi Chen <yiche@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/netfilter/nft_fib.sh |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/netfilter/nft_fib.sh
++++ b/tools/testing/selftests/netfilter/nft_fib.sh
+@@ -174,6 +174,7 @@ test_ping() {
+ ip netns exec ${nsrouter} sysctl net.ipv6.conf.all.forwarding=1 > /dev/null
+ ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.forwarding=1 > /dev/null
+ ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth1.forwarding=1 > /dev/null
++ip netns exec ${nsrouter} sysctl net.ipv4.conf.veth0.rp_filter=0 > /dev/null
+ sleep 3
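Review bot: Setting only `net.ipv4.conf.veth0.rp_filter=0` may not turn reverse-path filtering off on the router, because the kernel applies the maximum of `conf.all.rp_filter` and the per-interface value. On a distro that enables rp_filter globally, the router namespace can start with `conf.all.rp_filter` non-zero, depending on how the namespace inherits its defaults. In that case the ARP problem described would remain. Adding `ip netns exec ${nsrouter} sysctl net.ipv4.conf.all.rp_filter=0 > /dev/null` next to the new line covers both settings.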
diff --git a/queue-5.16/selftests-netfilter-fix-exit-value-for-nft_concat_range.patch b/queue-5.16/selftests-netfilter-fix-exit-value-for-nft_concat_range.patch
new file mode 100644 (file)
index 0000000..5fc111d
--- /dev/null
@@ -0,0 +1,33 @@
+From 2e71ec1a725a794a16e3862791ed43fe5ba6a06b Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Wed, 9 Feb 2022 16:25:51 +0800
+Subject: selftests: netfilter: fix exit value for nft_concat_range
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+commit 2e71ec1a725a794a16e3862791ed43fe5ba6a06b upstream.
+
+When the nft_concat_range test failed, it exit 1 in the code
+specifically.
+
+But when part of, or all of the test passed, it will failed the
+[ ${passed} -eq 0 ] check and thus exit with 1, which is the same
+exit value with failure result. Fix it by exit 0 when passed is not 0.
+
+Fixes: 611973c1e06f ("selftests: netfilter: Introduce tests for sets with range concatenation")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/netfilter/nft_concat_range.sh |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/netfilter/nft_concat_range.sh
++++ b/tools/testing/selftests/netfilter/nft_concat_range.sh
+@@ -1601,4 +1601,4 @@ for name in ${TESTS}; do
+       done
+ done
+-[ ${passed} -eq 0 ] && exit ${KSELFTEST_SKIP}
++[ ${passed} -eq 0 ] && exit ${KSELFTEST_SKIP} || exit 0
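Review bot: With `[ … ] && exit ${KSELFTEST_SKIP} || exit 0` on the last line, a failure of the test command itself also ends in `exit 0`: if `passed` were empty or unset, the unquoted test errors out and the script reports success. Splitting it into `[ "${passed:-0}" -eq 0 ] && exit ${KSELFTEST_SKIP}` followed by a plain `exit 0` treats a missing counter as zero passes and reports a skip instead. Where `passed` is initialised is outside this hunk, so this may be purely defensive.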
index 83900242cf2f0f1cd4b3cb4a2cceee5184065ce5..8dfc9d2c2462d6ef3281d2c05b99432588bd21f6 100644 (file)
@@ -85,3 +85,48 @@ drm-i915-fix-dbuf-slice-config-lookup.patch
 drm-i915-fix-mbus-join-config-lookup.patch
 vsock-remove-vsock-from-connected-table-when-connect-is-interrupted-by-a-signal.patch
 optee-use-driver-internal-tee_context-for-some-rpc.patch
+drm-cma-helper-set-vm_dontexpand-for-mmap.patch
+drm-i915-gvt-make-drm_i915_gvt-depend-on-x86.patch
+drm-i915-ttm-tweak-priority-hint-selection.patch
+iwlwifi-pcie-fix-locking-when-hw-not-ready.patch
+iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch
+iwlwifi-mvm-fix-condition-which-checks-the-version-of-rate_n_flags.patch
+iwlwifi-fix-iwl_legacy_rate_to_fw_idx.patch
+iwlwifi-mvm-don-t-send-sar-geo-command-for-3160-devices.patch
+netfilter-xt_socket-fix-a-typo-in-socket_mt_destroy.patch
+selftests-netfilter-fix-exit-value-for-nft_concat_range.patch
+netfilter-nft_synproxy-unregister-hooks-on-init-error-path.patch
+selftests-netfilter-disable-rp_filter-on-router.patch
+ipv4-fix-data-races-in-fib_alias_hw_flags_set.patch
+ipv6-fix-data-race-in-fib6_info_hw_flags_set-fib6_purge_rt.patch
+ipv6-mcast-use-rcu-safe-version-of-ipv6_get_lladdr.patch
+ipv6-per-netns-exclusive-flowlabel-checks.patch
+revert-net-ethernet-bgmac-use-devm_platform_ioremap_resource_byname.patch
+mac80211-mlme-check-for-null-after-calling-kmemdup.patch
+brcmfmac-firmware-fix-crash-in-brcm_alt_fw_path.patch
+cfg80211-fix-race-in-netlink-owner-interface-destruction.patch
+net-dsa-lan9303-fix-reset-on-probe.patch
+net-dsa-mv88e6xxx-flush-switchdev-fdb-workqueue-before-removing-vlan.patch
+net-dsa-lantiq_gswip-fix-use-after-free-in-gswip_remove.patch
+net-dsa-lan9303-handle-hwaccel-vlan-tags.patch
+net-dsa-lan9303-add-vlan-ids-to-master-device.patch
+net-ieee802154-ca8210-fix-lifs-sifs-periods.patch
+ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch
+bonding-force-carrier-update-when-releasing-slave.patch
+mctp-fix-use-after-free.patch
+drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
+net_sched-add-__rcu-annotation-to-netdev-qdisc.patch
+crypto-af_alg-get-rid-of-alg_memory_allocated.patch
+bonding-fix-data-races-around-agg_select_timer.patch
+nfp-flower-netdev-offload-check-for-ip6gretap.patch
+libsubcmd-fix-use-after-free-for-realloc-...-0.patch
+net-smc-avoid-overwriting-the-copies-of-clcsock-callback-functions.patch
+net-phy-mediatek-remove-phy-mode-check-on-mt7531.patch
+atl1c-fix-tx-timeout-after-link-flap-on-mikrotik-10-25g-nic.patch
+tipc-fix-wrong-publisher-node-address-in-link-publications.patch
+dpaa2-switch-fix-default-return-of-dpaa2_switch_flower_parse_mirror_key.patch
+dpaa2-eth-initialize-mutex-used-in-one-step-timestamping-path.patch
+net-mscc-ocelot-fix-use-after-free-in-ocelot_vlan_del.patch
+net-bridge-multicast-notify-switchdev-driver-whenever-mc-processing-gets-disabled.patch
+perf-bpf-defer-freeing-string-after-possible-strlen-on-it.patch
+selftests-exec-add-non-regular-to-test_gen_progs.patch
diff --git a/queue-5.16/tipc-fix-wrong-publisher-node-address-in-link-publications.patch b/queue-5.16/tipc-fix-wrong-publisher-node-address-in-link-publications.patch
new file mode 100644 (file)
index 0000000..c1499db
--- /dev/null
@@ -0,0 +1,39 @@
+From 032062f363b4bf02b1d547f329aa5d97b6a17410 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Sun, 13 Feb 2022 20:38:52 -0500
+Subject: tipc: fix wrong publisher node address in link publications
+
+From: Jon Maloy <jmaloy@redhat.com>
+
+commit 032062f363b4bf02b1d547f329aa5d97b6a17410 upstream.
+
+When a link comes up we add its presence to the name table to make it
+possible for users to subscribe for link up/down events. However, after
+a previous call signature change the binding is wrongly published with
+the peer node as publishing node, instead of the own node as it should
+be. This has the effect that the command 'tipc name table show' will
+list the link binding (service type 2) with node scope and a peer node
+as originator, something that obviously is impossible.
+
+We correct this bug here.
+
+Fixes: 50a3499ab853 ("tipc: simplify signature of tipc_namtbl_publish()")
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Link: https://lore.kernel.org/r/20220214013852.2803940-1-jmaloy@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/node.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -413,7 +413,7 @@ static void tipc_node_write_unlock(struc
+       tipc_uaddr(&ua, TIPC_SERVICE_RANGE, TIPC_NODE_SCOPE,
+                  TIPC_LINK_STATE, n->addr, n->addr);
+       sk.ref = n->link_id;
+-      sk.node = n->addr;
++      sk.node = tipc_own_addr(net);
+       bearer_id = n->link_id & 0xffff;
+       publ_list = &n->publ_list;