--- /dev/null
+From 9ceaf6f76b203682bb6100e14b3d7da4c0bedde8 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 14 Feb 2022 11:15:53 -0800
+Subject: bonding: fix data-races around agg_select_timer
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 9ceaf6f76b203682bb6100e14b3d7da4c0bedde8 upstream.
+
+syzbot reported that two threads might write over agg_select_timer
+at the same time. Make agg_select_timer atomic to fix the races.
+
+BUG: KCSAN: data-race in bond_3ad_initiate_agg_selection / bond_3ad_state_machine_handler
+
+read to 0xffff8881242aea90 of 4 bytes by task 1846 on cpu 1:
+ bond_3ad_state_machine_handler+0x99/0x2810 drivers/net/bonding/bond_3ad.c:2317
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ worker_thread+0x616/0xa70 kernel/workqueue.c:2454
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+write to 0xffff8881242aea90 of 4 bytes by task 25910 on cpu 0:
+ bond_3ad_initiate_agg_selection+0x18/0x30 drivers/net/bonding/bond_3ad.c:1998
+ bond_open+0x658/0x6f0 drivers/net/bonding/bond_main.c:3967
+ __dev_open+0x274/0x3a0 net/core/dev.c:1407
+ dev_open+0x54/0x190 net/core/dev.c:1443
+ bond_enslave+0xcef/0x3000 drivers/net/bonding/bond_main.c:1937
+ do_set_master net/core/rtnetlink.c:2532 [inline]
+ do_setlink+0x94f/0x2500 net/core/rtnetlink.c:2736
+ __rtnl_newlink net/core/rtnetlink.c:3414 [inline]
+ rtnl_newlink+0xfeb/0x13e0 net/core/rtnetlink.c:3529
+ rtnetlink_rcv_msg+0x745/0x7e0 net/core/rtnetlink.c:5594
+ netlink_rcv_skb+0x14e/0x250 net/netlink/af_netlink.c:2494
+ rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:5612
+ netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+ netlink_unicast+0x602/0x6d0 net/netlink/af_netlink.c:1343
+ netlink_sendmsg+0x728/0x850 net/netlink/af_netlink.c:1919
+ sock_sendmsg_nosec net/socket.c:705 [inline]
+ sock_sendmsg net/socket.c:725 [inline]
+ ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
+ ___sys_sendmsg net/socket.c:2467 [inline]
+ __sys_sendmsg+0x195/0x230 net/socket.c:2496
+ __do_sys_sendmsg net/socket.c:2505 [inline]
+ __se_sys_sendmsg net/socket.c:2503 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2503
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x00000050 -> 0x0000004f
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 25910 Comm: syz-executor.1 Tainted: G W 5.17.0-rc4-syzkaller-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_3ad.c | 30 +++++++++++++++++++++++++-----
+ include/net/bond_3ad.h | 2 +-
+ 2 files changed, 26 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/bonding/bond_3ad.c
++++ b/drivers/net/bonding/bond_3ad.c
+@@ -249,7 +249,7 @@ static inline int __check_agg_selection_
+ if (bond == NULL)
+ return 0;
+
+- return BOND_AD_INFO(bond).agg_select_timer ? 1 : 0;
++ return atomic_read(&BOND_AD_INFO(bond).agg_select_timer) ? 1 : 0;
+ }
+
+ /**
+@@ -1965,7 +1965,7 @@ static void ad_marker_response_received(
+ */
+ void bond_3ad_initiate_agg_selection(struct bonding *bond, int timeout)
+ {
+- BOND_AD_INFO(bond).agg_select_timer = timeout;
++ atomic_set(&BOND_AD_INFO(bond).agg_select_timer, timeout);
+ }
+
+ /**
+@@ -2250,6 +2250,28 @@ void bond_3ad_update_ad_actor_settings(s
+ }
+
+ /**
++ * bond_agg_timer_advance - advance agg_select_timer
++ * @bond: bonding structure
++ *
++ * Return true when agg_select_timer reaches 0.
++ */
++static bool bond_agg_timer_advance(struct bonding *bond)
++{
++ int val, nval;
++
++ while (1) {
++ val = atomic_read(&BOND_AD_INFO(bond).agg_select_timer);
++ if (!val)
++ return false;
++ nval = val - 1;
++ if (atomic_cmpxchg(&BOND_AD_INFO(bond).agg_select_timer,
++ val, nval) == val)
++ break;
++ }
++ return nval == 0;
++}
++
++/**
+ * bond_3ad_state_machine_handler - handle state machines timeout
+ * @bond: bonding struct to work on
+ *
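Review bot: The kernel-doc on `bond_agg_timer_advance()` says it returns true "when agg_select_timer reaches 0", but the code returns false when the timer is already 0 and true only for the call whose cmpxchg stores 0. I would word it as `Return: true only for the call that decrements agg_select_timer from 1 to 0; false if the timer is idle or still running.` so nobody later treats it as a level check. The retry loop exists because `bond_3ad_initiate_agg_selection()` can `atomic_set()` a new timeout between the `atomic_read()` and the `atomic_cmpxchg()`. A one-line comment above `while (1)` saying so would justify the loop, for example `/* retry if a concurrent atomic_set() re-armed the timer */`.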
+@@ -2284,9 +2306,7 @@ void bond_3ad_state_machine_handler(stru
+ if (!bond_has_slaves(bond))
+ goto re_arm;
+
+- /* check if agg_select_timer timer after initialize is timed out */
+- if (BOND_AD_INFO(bond).agg_select_timer &&
+- !(--BOND_AD_INFO(bond).agg_select_timer)) {
++ if (bond_agg_timer_advance(bond)) {
+ slave = bond_first_slave_rcu(bond);
+ port = slave ? &(SLAVE_AD_INFO(slave)->port) : NULL;
+
+--- a/include/net/bond_3ad.h
++++ b/include/net/bond_3ad.h
+@@ -265,7 +265,7 @@ struct ad_system {
+
+ struct ad_bond_info {
+ struct ad_system system; /* 802.3ad system structure */
+- u32 agg_select_timer; /* Timer to select aggregator after all adapter's hand shakes */
++ atomic_t agg_select_timer; /* Timer to select aggregator after all adapter's hand shakes */
+ u16 aggregator_identifier;
+ };
+
--- /dev/null
+From dcd54265c8bc14bd023815e36e2d5f9d66ee1fee Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 10 Feb 2022 09:13:31 -0800
+Subject: drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit dcd54265c8bc14bd023815e36e2d5f9d66ee1fee upstream.
+
+trace_napi_poll_hit() is reading stat->dev while another thread can write
+on it from dropmon_net_event()
+
+Use READ_ONCE()/WRITE_ONCE() here, RCU rules are properly enforced already,
+we only have to take care of load/store tearing.
+
+BUG: KCSAN: data-race in dropmon_net_event / trace_napi_poll_hit
+
+write to 0xffff88816f3ab9c0 of 8 bytes by task 20260 on cpu 1:
+ dropmon_net_event+0xb8/0x2b0 net/core/drop_monitor.c:1579
+ notifier_call_chain kernel/notifier.c:84 [inline]
+ raw_notifier_call_chain+0x53/0xb0 kernel/notifier.c:392
+ call_netdevice_notifiers_info net/core/dev.c:1919 [inline]
+ call_netdevice_notifiers_extack net/core/dev.c:1931 [inline]
+ call_netdevice_notifiers net/core/dev.c:1945 [inline]
+ unregister_netdevice_many+0x867/0xfb0 net/core/dev.c:10415
+ ip_tunnel_delete_nets+0x24a/0x280 net/ipv4/ip_tunnel.c:1123
+ vti_exit_batch_net+0x2a/0x30 net/ipv4/ip_vti.c:515
+ ops_exit_list net/core/net_namespace.c:173 [inline]
+ cleanup_net+0x4dc/0x8d0 net/core/net_namespace.c:597
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ worker_thread+0x616/0xa70 kernel/workqueue.c:2454
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+read to 0xffff88816f3ab9c0 of 8 bytes by interrupt on cpu 0:
+ trace_napi_poll_hit+0x89/0x1c0 net/core/drop_monitor.c:292
+ trace_napi_poll include/trace/events/napi.h:14 [inline]
+ __napi_poll+0x36b/0x3f0 net/core/dev.c:6366
+ napi_poll net/core/dev.c:6432 [inline]
+ net_rx_action+0x29e/0x650 net/core/dev.c:6519
+ __do_softirq+0x158/0x2de kernel/softirq.c:558
+ do_softirq+0xb1/0xf0 kernel/softirq.c:459
+ __local_bh_enable_ip+0x68/0x70 kernel/softirq.c:383
+ __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
+ _raw_spin_unlock_bh+0x33/0x40 kernel/locking/spinlock.c:210
+ spin_unlock_bh include/linux/spinlock.h:394 [inline]
+ ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]
+ wg_packet_decrypt_worker+0x73c/0x780 drivers/net/wireguard/receive.c:506
+ process_one_work+0x3f6/0x960 kernel/workqueue.c:2307
+ worker_thread+0x616/0xa70 kernel/workqueue.c:2454
+ kthread+0x1bf/0x1e0 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+value changed: 0xffff88815883e000 -> 0x0000000000000000
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 26435 Comm: kworker/0:1 Not tainted 5.17.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: wg-crypt-wg2 wg_packet_decrypt_worker
+
+Fixes: 4ea7e38696c7 ("dropmon: add ability to detect when hardware dropsrxpackets")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/drop_monitor.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/core/drop_monitor.c
++++ b/net/core/drop_monitor.c
+@@ -219,13 +219,17 @@ static void trace_napi_poll_hit(void *ig
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(new_stat, &hw_stats_list, list) {
++ struct net_device *dev;
++
+ /*
+ * only add a note to our monitor buffer if:
+ * 1) this is the dev we received on
+ * 2) its after the last_rx delta
+ * 3) our rx_dropped count has gone up
+ */
+- if ((new_stat->dev == napi->dev) &&
++ /* Paired with WRITE_ONCE() in dropmon_net_event() */
++ dev = READ_ONCE(new_stat->dev);
++ if ((dev == napi->dev) &&
+ (time_after(jiffies, new_stat->last_rx + dm_hw_check_delta)) &&
+ (napi->dev->stats.rx_dropped != new_stat->last_drop_val)) {
+ trace_drop_common(NULL, NULL);
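Review bot: Only `new_stat->dev` is annotated in this condition; `new_stat->last_rx` and `new_stat->last_drop_val` are still plain reads, and their writers are outside this hunk. If trace_napi_poll_hit() can run on more than one CPU for the same list entry (not visible from here), those fields are candidates for the same KCSAN report and would need READ_ONCE()/WRITE_ONCE() too. Separately, the new `/* Paired with WRITE_ONCE() in dropmon_net_event() */` comment and the load sit between the three-point block comment and the `if` it explains. Moving the load above that block comment would keep the explanation attached to its condition.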
+@@ -340,7 +344,10 @@ static int dropmon_net_event(struct noti
+ mutex_lock(&trace_state_mutex);
+ list_for_each_entry_safe(new_stat, tmp, &hw_stats_list, list) {
+ if (new_stat->dev == dev) {
+- new_stat->dev = NULL;
++
++ /* Paired with READ_ONCE() in trace_napi_poll_hit() */
++ WRITE_ONCE(new_stat->dev, NULL);
++
+ if (trace_state == TRACE_OFF) {
+ list_del_rcu(&new_stat->list);
+ kfree_rcu(new_stat, rcu);
--- /dev/null
+From e9848aed147708a06193b40d78493b0ef6abccf2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 28 Jan 2022 14:30:52 +0200
+Subject: iwlwifi: pcie: fix locking when "HW not ready"
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit e9848aed147708a06193b40d78493b0ef6abccf2 upstream.
+
+If we run into this error path, we shouldn't unlock the mutex
+since it's not locked since. Fix this.
+
+Fixes: a6bd005fe92d ("iwlwifi: pcie: fix RF-Kill vs. firmware load race")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/iwlwifi.20220128142706.5d16821d1433.Id259699ddf9806459856d6aefbdbe54477aecffd@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+@@ -1363,8 +1363,7 @@ static int iwl_trans_pcie_start_fw(struc
+ /* This may fail if AMT took ownership of the device */
+ if (iwl_pcie_prepare_card_hw(trans)) {
+ IWL_WARN(trans, "Exit HW not ready\n");
+- ret = -EIO;
+- goto out;
++ return -EIO;
+ }
+
+ iwl_enable_rfkill_int(trans);
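Review bot: The early `return -EIO;` is correct only because the mutex is not yet held at this point, and nothing in the code says so. The lock acquisition and the `out:` label are outside the hunk, so this relies on the commit message for where the lock is taken. A short comment on the branch, e.g. `/* mutex not taken yet: return directly, do not go through out: */`, would stop a later cleanup from restoring the `goto out` and the unbalanced unlock with it. The identical hunk in pcie/trans-gen2.c (iwl_trans_pcie_gen2_start_fw) needs the same comment.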
--- /dev/null
+From 4c29c1e27a1e178a219b3877d055e6dd643bdfda Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 28 Jan 2022 14:30:53 +0200
+Subject: iwlwifi: pcie: gen2: fix locking when "HW not ready"
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 4c29c1e27a1e178a219b3877d055e6dd643bdfda upstream.
+
+If we run into this error path, we shouldn't unlock the mutex
+since it's not locked since. Fix this in the gen2 code as well.
+
+Fixes: eda50cde58de ("iwlwifi: pcie: add context information support")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/iwlwifi.20220128142706.b8b0dfce16ef.Ie20f0f7b23e5911350a2766524300d2915e7b677@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans-gen2.c
+@@ -310,8 +310,7 @@ int iwl_trans_pcie_gen2_start_fw(struct
+ /* This may fail if AMT took ownership of the device */
+ if (iwl_pcie_prepare_card_hw(trans)) {
+ IWL_WARN(trans, "Exit HW not ready\n");
+- ret = -EIO;
+- goto out;
++ return -EIO;
+ }
+
+ iwl_enable_rfkill_int(trans);
--- /dev/null
+From 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Sun, 13 Feb 2022 10:24:43 -0800
+Subject: libsubcmd: Fix use-after-free for realloc(..., 0)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 52a9dab6d892763b2a8334a568bd4e2c1a6fde66 upstream.
+
+GCC 12 correctly reports a potential use-after-free condition in the
+xrealloc helper. Fix the warning by avoiding an implicit "free(ptr)"
+when size == 0:
+
+In file included from help.c:12:
+In function 'xrealloc',
+ inlined from 'add_cmdname' at help.c:24:2: subcmd-util.h:56:23: error: pointer may be used after 'realloc' [-Werror=use-after-free]
+ 56 | ret = realloc(ptr, size);
+ | ^~~~~~~~~~~~~~~~~~
+subcmd-util.h:52:21: note: call to 'realloc' here
+ 52 | void *ret = realloc(ptr, size);
+ | ^~~~~~~~~~~~~~~~~~
+subcmd-util.h:58:31: error: pointer may be used after 'realloc' [-Werror=use-after-free]
+ 58 | ret = realloc(ptr, 1);
+ | ^~~~~~~~~~~~~~~
+subcmd-util.h:52:21: note: call to 'realloc' here
+ 52 | void *ret = realloc(ptr, size);
+ | ^~~~~~~~~~~~~~~~~~
+
+Fixes: 2f4ce5ec1d447beb ("perf tools: Finalize subcmd independence")
+Reported-by: Valdis Klētnieks <valdis.kletnieks@vt.edu>
+Signed-off-by: Kees Kook <keescook@chromium.org>
+Tested-by: Valdis Klētnieks <valdis.kletnieks@vt.edu>
+Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>
+Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: linux-hardening@vger.kernel.org
+Cc: Valdis Klētnieks <valdis.kletnieks@vt.edu>
+Link: http://lore.kernel.org/lkml/20220213182443.4037039-1-keescook@chromium.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/lib/subcmd/subcmd-util.h | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/tools/lib/subcmd/subcmd-util.h
++++ b/tools/lib/subcmd/subcmd-util.h
+@@ -50,15 +50,8 @@ static NORETURN inline void die(const ch
+ static inline void *xrealloc(void *ptr, size_t size)
+ {
+ void *ret = realloc(ptr, size);
+- if (!ret && !size)
+- ret = realloc(ptr, 1);
+- if (!ret) {
+- ret = realloc(ptr, size);
+- if (!ret && !size)
+- ret = realloc(ptr, 1);
+- if (!ret)
+- die("Out of memory, realloc failed");
+- }
++ if (!ret)
++ die("Out of memory, realloc failed");
+ return ret;
+ }
+
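Review bot: With the retry logic gone, `xrealloc(ptr, 0)` on a non-NULL `ptr` now depends on implementation-defined realloc behaviour. An allocator that frees `ptr` and returns NULL for a zero size makes this helper call `die("Out of memory, realloc failed")` although nothing ran out of memory. Normalising the size in the single call keeps the use-after-free fix and the old never-returns-NULL contract: `void *ret = realloc(ptr, size ? size : 1);`. If zero-size requests are meant to be impossible, a comment on the helper stating that would do instead; whether any caller passes 0 is not visible here (the GCC trace only shows add_cmdname).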
--- /dev/null
+From 6bb9681a43f34f2cab4aad6e2a02da4ce54d13c5 Mon Sep 17 00:00:00 2001
+From: Mans Rullgard <mans@mansr.com>
+Date: Wed, 9 Feb 2022 14:54:54 +0000
+Subject: net: dsa: lan9303: fix reset on probe
+
+From: Mans Rullgard <mans@mansr.com>
+
+commit 6bb9681a43f34f2cab4aad6e2a02da4ce54d13c5 upstream.
+
+The reset input to the LAN9303 chip is active low, and devicetree
+gpio handles reflect this. Therefore, the gpio should be requested
+with an initial state of high in order for the reset signal to be
+asserted. Other uses of the gpio already use the correct polarity.
+
+Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303")
+Signed-off-by: Mans Rullgard <mans@mansr.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fianelil <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20220209145454.19749-1-mans@mansr.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/lan9303-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/lan9303-core.c
++++ b/drivers/net/dsa/lan9303-core.c
+@@ -1307,7 +1307,7 @@ static int lan9303_probe_reset_gpio(stru
+ struct device_node *np)
+ {
+ chip->reset_gpio = devm_gpiod_get_optional(chip->dev, "reset",
+- GPIOD_OUT_LOW);
++ GPIOD_OUT_HIGH);
+ if (IS_ERR(chip->reset_gpio))
+ return PTR_ERR(chip->reset_gpio);
+
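Review bot: `GPIOD_OUT_HIGH` reads like "drive the pin high", which for an active-low reset input would release reset. With the gpiod API the flag is the logical value, so here it asserts reset, but that is easy to misread and flip back. A comment on the call would record the intent, e.g. `/* logical 1 = reset asserted; the DT handle is active-low */`. The rest of lan9303_probe_reset_gpio() is outside the hunk, so how long reset is held and where it is released cannot be checked from here.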
--- /dev/null
+From bdc120a2bcd834e571ce4115aaddf71ab34495de Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Tue, 1 Feb 2022 19:06:26 +0100
+Subject: net: ieee802154: ca8210: Fix lifs/sifs periods
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+commit bdc120a2bcd834e571ce4115aaddf71ab34495de upstream.
+
+These periods are expressed in time units (microseconds) while 40 and 12
+are the number of symbol durations these periods will last. We need to
+multiply them both with the symbol_duration in order to get these
+values in microseconds.
+
+Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/r/20220201180629.93410-2-miquel.raynal@bootlin.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ieee802154/ca8210.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ieee802154/ca8210.c
++++ b/drivers/net/ieee802154/ca8210.c
+@@ -2975,8 +2975,8 @@ static void ca8210_hw_setup(struct ieee8
+ ca8210_hw->phy->cca.opt = NL802154_CCA_OPT_ENERGY_CARRIER_AND;
+ ca8210_hw->phy->cca_ed_level = -9800;
+ ca8210_hw->phy->symbol_duration = 16;
+- ca8210_hw->phy->lifs_period = 40;
+- ca8210_hw->phy->sifs_period = 12;
++ ca8210_hw->phy->lifs_period = 40 * ca8210_hw->phy->symbol_duration;
++ ca8210_hw->phy->sifs_period = 12 * ca8210_hw->phy->symbol_duration;
+ ca8210_hw->flags =
+ IEEE802154_HW_AFILT |
+ IEEE802154_HW_OMIT_CKSUM |
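Review bot: `40` and `12` are bare numbers whose unit (symbol durations) is stated only in the commit message, and the result now silently depends on `symbol_duration` being assigned on the line just above. A comment such as `/* LIFS/SIFS last 40 and 12 symbols; the periods are stored in microseconds */`, or named constants for the two symbol counts, would keep the unit conversion visible to the next reader. ca8210_hw_setup() starts before and continues after this hunk.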
--- /dev/null
+From 35a79e64de29e8d57a5989aac57611c0cd29e13e Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 16 Feb 2022 00:20:52 -0500
+Subject: ping: fix the dif and sdif check in ping_lookup
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 35a79e64de29e8d57a5989aac57611c0cd29e13e upstream.
+
+When 'ping' changes to use PING socket instead of RAW socket by:
+
+ # sysctl -w net.ipv4.ping_group_range="0 100"
+
+There is another regression caused when matching sk_bound_dev_if
+and dif, RAW socket is using inet_iif() while PING socket lookup
+is using skb->dev->ifindex, the cmd below fails due to this:
+
+ # ip link add dummy0 type dummy
+ # ip link set dummy0 up
+ # ip addr add 192.168.111.1/24 dev dummy0
+ # ping -I dummy0 192.168.111.1 -c1
+
+The issue was also reported on:
+
+ https://github.com/iputils/iputils/issues/104
+
+But fixed in iputils in a wrong way by not binding to device when
+destination IP is on device, and it will cause some of kselftests
+to fail, as Jianlin noticed.
+
+This patch is to use inet(6)_iif and inet(6)_sdif to get dif and
+sdif for PING socket, and keep consistent with RAW socket.
+
+Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ping.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -177,16 +177,23 @@ static struct sock *ping_lookup(struct n
+ struct sock *sk = NULL;
+ struct inet_sock *isk;
+ struct hlist_nulls_node *hnode;
+- int dif = skb->dev->ifindex;
++ int dif, sdif;
+
+ if (skb->protocol == htons(ETH_P_IP)) {
++ dif = inet_iif(skb);
++ sdif = inet_sdif(skb);
+ pr_debug("try to find: num = %d, daddr = %pI4, dif = %d\n",
+ (int)ident, &ip_hdr(skb)->daddr, dif);
+ #if IS_ENABLED(CONFIG_IPV6)
+ } else if (skb->protocol == htons(ETH_P_IPV6)) {
++ dif = inet6_iif(skb);
++ sdif = inet6_sdif(skb);
+ pr_debug("try to find: num = %d, daddr = %pI6c, dif = %d\n",
+ (int)ident, &ipv6_hdr(skb)->daddr, dif);
+ #endif
++ } else {
++ pr_err("ping: protocol(%x) is not supported\n", ntohs(skb->protocol));
++ return NULL;
+ }
+
+ read_lock_bh(&ping_table.lock);
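Review bot: The new `else` branch logs with plain `pr_err()` in what appears to be a per-packet lookup path. If an skb with any other protocol can ever reach ping_lookup() (its callers are outside the hunk), each such packet adds a kernel log line, so the rate-limited form is safer: `pr_err_ratelimited("ping: protocol(%x) is not supported\n", ntohs(skb->protocol));`. Both `pr_debug()` calls also still print only `dif`. Adding `sdif` there would help when debugging the `sk_bound_dev_if` comparison changed in the second hunk.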
+@@ -226,7 +233,7 @@ static struct sock *ping_lookup(struct n
+ }
+
+ if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif &&
+- sk->sk_bound_dev_if != inet_sdif(skb))
++ sk->sk_bound_dev_if != sdif)
+ continue;
+
+ sock_hold(sk);
taskstats-cleanup-the-use-of-task-exit_code.patch
mmc-block-fix-read-single-on-recovery-logic.patch
vsock-remove-vsock-from-connected-table-when-connect-is-interrupted-by-a-signal.patch
+iwlwifi-pcie-fix-locking-when-hw-not-ready.patch
+iwlwifi-pcie-gen2-fix-locking-when-hw-not-ready.patch
+net-dsa-lan9303-fix-reset-on-probe.patch
+net-ieee802154-ca8210-fix-lifs-sifs-periods.patch
+ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch
+drop_monitor-fix-data-race-in-dropmon_net_event-trace_napi_poll_hit.patch
+bonding-fix-data-races-around-agg_select_timer.patch
+libsubcmd-fix-use-after-free-for-realloc-...-0.patch