From: Sasha Levin Date: Sun, 20 Jun 2021 03:15:25 +0000 (-0400) Subject: Fixes for 4.9 X-Git-Tag: v5.4.128~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=535a633d206f6aca0eebc91d613b2ed13b67fe9a;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/alx-fix-an-error-handling-path-in-alx_probe.patch b/queue-4.9/alx-fix-an-error-handling-path-in-alx_probe.patch new file mode 100644 index 00000000000..6a5587a2516 --- /dev/null +++ b/queue-4.9/alx-fix-an-error-handling-path-in-alx_probe.patch @@ -0,0 +1,36 @@ +From 4f0da1d97b2871991c93bf5bf5de0deb3284717a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 08:13:39 +0200 +Subject: alx: Fix an error handling path in 'alx_probe()' + +From: Christophe JAILLET + +[ Upstream commit 33e381448cf7a05d76ac0b47d4a6531ecd0e5c53 ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: ab69bde6b2e9 ("alx: add a simple AR816x/AR817x device driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/alx/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c +index 9de0f9f5b11c..59af298f99e0 100644 +--- a/drivers/net/ethernet/atheros/alx/main.c ++++ b/drivers/net/ethernet/atheros/alx/main.c +@@ -1653,6 +1653,7 @@ out_free_netdev: + free_netdev(netdev); + out_pci_release: + pci_release_mem_regions(pdev); ++ pci_disable_pcie_error_reporting(pdev); + out_pci_disable: + pci_disable_device(pdev); + return err; +-- +2.30.2 + diff --git a/queue-4.9/batman-adv-avoid-warn_on-timing-related-checks.patch b/queue-4.9/batman-adv-avoid-warn_on-timing-related-checks.patch new file mode 100644 index 00000000000..d8091277ad1 --- /dev/null 
+++ b/queue-4.9/batman-adv-avoid-warn_on-timing-related-checks.patch @@ -0,0 +1,45 @@ +From 592f32baf139be8b03f8b112ebbf95963f80fc79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 21:00:27 +0200 +Subject: batman-adv: Avoid WARN_ON timing related checks + +From: Sven Eckelmann + +[ Upstream commit 9f460ae31c4435fd022c443a6029352217a16ac1 ] + +The soft/batadv interface for a queued OGM can be changed during the time +the OGM was queued for transmission and when the OGM is actually +transmitted by the worker. + +But WARN_ON must be used to denote kernel bugs and not to print simple +warnings. A warning can simply be printed using pr_warn. + +Reported-by: Tetsuo Handa +Reported-by: syzbot+c0b807de416427ff3dd1@syzkaller.appspotmail.com +Fixes: ef0a937f7a14 ("batman-adv: consider outgoing interface in OGM sending") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +--- + net/batman-adv/bat_iv_ogm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c +index 2b663622bdb4..f85e6a9ee5ea 100644 +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -585,8 +585,10 @@ static void batadv_iv_ogm_emit(struct batadv_forw_packet *forw_packet) + if (WARN_ON(!forw_packet->if_outgoing)) + return; + +- if (WARN_ON(forw_packet->if_outgoing->soft_iface != soft_iface)) ++ if (forw_packet->if_outgoing->soft_iface != soft_iface) { ++ pr_warn("%s: soft interface switch for queued OGM\n", __func__); + return; ++ } + + if (forw_packet->if_incoming->if_status != BATADV_IF_ACTIVE) + return; +-- +2.30.2 + diff --git a/queue-4.9/be2net-fix-an-error-handling-path-in-be_probe.patch b/queue-4.9/be2net-fix-an-error-handling-path-in-be_probe.patch new file mode 100644 index 00000000000..b481bd42694 --- /dev/null +++ b/queue-4.9/be2net-fix-an-error-handling-path-in-be_probe.patch 
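Review bot: The new `pr_warn()` in batadv_iv_ogm_emit() is not rate limited, and the commit message says the soft-interface switch it reports can happen in normal operation while an OGM is queued, so repeated interface changes can flood the kernel log. Use `pr_warn_ratelimited("%s: soft interface switch for queued OGM\n", __func__);` instead. The `WARN_ON(!forw_packet->if_outgoing)` kept just above deserves the same look: if a NULL `if_outgoing` can also come from timing rather than from a bug, it stays a reachable warning, which is fatal on hosts that set panic_on_warn. The function starts and continues outside this hunk, so that cannot be settled from here.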
@@ -0,0 +1,37 @@ +From a365fb28115cd070f518a99e8f846d21c9ae070e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 20:43:37 +0200 +Subject: be2net: Fix an error handling path in 'be_probe()' + +From: Christophe JAILLET + +[ Upstream commit c19c8c0e666f9259e2fc4d2fa4b9ff8e3b40ee5d ] + +If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it +must be undone by a corresponding 'pci_disable_pcie_error_reporting()' +call, as already done in the remove function. + +Fixes: d6b6d9877878 ("be2net: use PCIe AER capability") +Signed-off-by: Christophe JAILLET +Acked-by: Somnath Kotur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/emulex/benet/be_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index 289560b0f643..b0b9f77c3740 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -5998,6 +5998,7 @@ drv_cleanup: + unmap_bars: + be_unmap_pci_bars(adapter); + free_netdev: ++ pci_disable_pcie_error_reporting(pdev); + free_netdev(netdev); + rel_reg: + pci_release_regions(pdev); +-- +2.30.2 + diff --git a/queue-4.9/net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch b/queue-4.9/net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch new file mode 100644 index 00000000000..94bc7b3369d --- /dev/null +++ b/queue-4.9/net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch 
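Review bot: `pci_disable_pcie_error_reporting(pdev)` sits directly under the `free_netdev:` label, so it runs for every `goto free_netdev`, including any taken before `pci_enable_pcie_error_reporting()` was called or after it returned an error. be_probe()'s body is outside the hunk, so confirm which jumps reach this label; if some precede the enable call, the disable is unpaired on those paths. That is presumably harmless, but either record it at the label with a comment such as `/* also reached from paths taken before AER reporting was enabled */` or give the paths after the enable call their own label.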
@@ -0,0 +1,96 @@ +From dd092bf71df123e67394a71b9b4a40c05eefa143 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 07:47:15 -0700 +Subject: net/af_unix: fix a data-race in unix_dgram_sendmsg / + unix_release_sock + +From: Eric Dumazet + +[ Upstream commit a494bd642d9120648b06bb7d28ce6d05f55a7819 ] + +While unix_may_send(sk, osk) is called while osk is locked, it appears +unix_release_sock() can overwrite unix_peer() after this lock has been +released, making KCSAN unhappy. + +Changing unix_release_sock() to access/change unix_peer() +before lock is released should fix this issue. + +BUG: KCSAN: data-race in unix_dgram_sendmsg / unix_release_sock + +write to 0xffff88810465a338 of 8 bytes by task 20852 on cpu 1: + unix_release_sock+0x4ed/0x6e0 net/unix/af_unix.c:558 + unix_release+0x2f/0x50 net/unix/af_unix.c:859 + __sock_release net/socket.c:599 [inline] + sock_close+0x6c/0x150 net/socket.c:1258 + __fput+0x25b/0x4e0 fs/file_table.c:280 + ____fput+0x11/0x20 fs/file_table.c:313 + task_work_run+0xae/0x130 kernel/task_work.c:164 + tracehook_notify_resume include/linux/tracehook.h:189 [inline] + exit_to_user_mode_loop kernel/entry/common.c:175 [inline] + exit_to_user_mode_prepare+0x156/0x190 kernel/entry/common.c:209 + __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] + syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:302 + do_syscall_64+0x56/0x90 arch/x86/entry/common.c:57 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff88810465a338 of 8 bytes by task 20888 on cpu 0: + unix_may_send net/unix/af_unix.c:189 [inline] + unix_dgram_sendmsg+0x923/0x1610 net/unix/af_unix.c:1712 + sock_sendmsg_nosec net/socket.c:654 [inline] + sock_sendmsg net/socket.c:674 [inline] + ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350 + ___sys_sendmsg net/socket.c:2404 [inline] + __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490 + __do_sys_sendmmsg net/socket.c:2519 [inline] + __se_sys_sendmmsg net/socket.c:2516 [inline] + 
__x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516 + do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0xffff888167905400 -> 0x0000000000000000 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 20888 Comm: syz-executor.0 Not tainted 5.13.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index bcd6ed6e7e25..8bbaa35937dd 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -534,12 +534,14 @@ static void unix_release_sock(struct sock *sk, int embrion) + u->path.mnt = NULL; + state = sk->sk_state; + sk->sk_state = TCP_CLOSE; ++ ++ skpair = unix_peer(sk); ++ unix_peer(sk) = NULL; ++ + unix_state_unlock(sk); + + wake_up_interruptible_all(&u->peer_wait); + +- skpair = unix_peer(sk); +- + if (skpair != NULL) { + if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) { + unix_state_lock(skpair); +@@ -554,7 +556,6 @@ static void unix_release_sock(struct sock *sk, int embrion) + + unix_dgram_peer_wake_disconnect(sk, skpair); + sock_put(skpair); /* It may now die */ +- unix_peer(sk) = NULL; + } + + /* Try to flush out this socket. Throw out buffers at least */ +-- +2.30.2 + diff --git a/queue-4.9/net-cdc_eem-fix-tx-fixup-skb-leak.patch b/queue-4.9/net-cdc_eem-fix-tx-fixup-skb-leak.patch new file mode 100644 index 00000000000..da9b1fe6d0e --- /dev/null +++ b/queue-4.9/net-cdc_eem-fix-tx-fixup-skb-leak.patch 
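Review bot: The reason `unix_peer(sk)` must be read and cleared before `unix_state_unlock(sk)` is not recorded in unix_release_sock(), so the two added lines look like a harmless reordering that a later cleanup could move back. Add a comment above them, for example `/* Detach the peer under unix_state_lock(): unix_may_send() reads unix_peer() with this lock held. */`. In the second hunk `unix_dgram_peer_wake_disconnect(sk, skpair)` now runs with `unix_peer(sk)` already NULL. Its body is not visible here, so confirm it does not rely on the peer pointer still being set.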
@@ -0,0 +1,44 @@ +From 65a86a2431ecbb0e2fc3af1c888633ee66ddcbcd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 07:32:32 +0800 +Subject: net: cdc_eem: fix tx fixup skb leak + +From: Linyu Yuan + +[ Upstream commit c3b26fdf1b32f91c7a3bc743384b4a298ab53ad7 ] + +when usbnet transmit a skb, eem fixup it in eem_tx_fixup(), +if skb_copy_expand() failed, it return NULL, +usbnet_start_xmit() will have no chance to free original skb. + +fix it by free orginal skb in eem_tx_fixup() first, +then check skb clone status, if failed, return NULL to usbnet. + +Fixes: 9f722c0978b0 ("usbnet: CDC EEM support (v5)") +Signed-off-by: Linyu Yuan +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_eem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/cdc_eem.c b/drivers/net/usb/cdc_eem.c +index f7180f8db39e..9c15e1a1261b 100644 +--- a/drivers/net/usb/cdc_eem.c ++++ b/drivers/net/usb/cdc_eem.c +@@ -138,10 +138,10 @@ static struct sk_buff *eem_tx_fixup(struct usbnet *dev, struct sk_buff *skb, + } + + skb2 = skb_copy_expand(skb, EEM_HEAD, ETH_FCS_LEN + padlen, flags); ++ dev_kfree_skb_any(skb); + if (!skb2) + return NULL; + +- dev_kfree_skb_any(skb); + skb = skb2; + + done: +-- +2.30.2 + diff --git a/queue-4.9/net-cdc_ncm-switch-to-eth-d-interface-naming.patch b/queue-4.9/net-cdc_ncm-switch-to-eth-d-interface-naming.patch new file mode 100644 index 00000000000..45f22e489f5 --- /dev/null +++ b/queue-4.9/net-cdc_ncm-switch-to-eth-d-interface-naming.patch 
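Review bot: After this change eem_tx_fixup() frees the original `skb` whether or not `skb_copy_expand()` succeeds, and nothing in the code says so. State the ownership rule next to the call, e.g. `/* the original skb is consumed here on success and on failure */`, so that a later edit neither adds a second free on the NULL path nor touches `skb` before `skb = skb2`. The function begins and ends outside the hunk, so any other `return NULL` in it should be checked for the same leak.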
@@ -0,0 +1,77 @@ +From 3668cf93609c8c3dce6bc798cfe404026255d80e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 01:05:49 -0700 +Subject: net: cdc_ncm: switch to eth%d interface naming +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +[ Upstream commit c1a3d4067309451e68c33dbd356032549cc0bd8e ] + +This is meant to make the host side cdc_ncm interface consistently +named just like the older CDC protocols: cdc_ether & cdc_ecm +(and even rndis_host), which all use 'FLAG_ETHER | FLAG_POINTTOPOINT'. + +include/linux/usb/usbnet.h: + #define FLAG_ETHER 0x0020 /* maybe use "eth%d" names */ + #define FLAG_WLAN 0x0080 /* use "wlan%d" names */ + #define FLAG_WWAN 0x0400 /* use "wwan%d" names */ + #define FLAG_POINTTOPOINT 0x1000 /* possibly use "usb%d" names */ + +drivers/net/usb/usbnet.c @ line 1711: + strcpy (net->name, "usb%d"); + ... + // heuristic: "usb%d" for links we know are two-host, + // else "eth%d" when there's reasonable doubt. userspace + // can rename the link if it knows better. + if ((dev->driver_info->flags & FLAG_ETHER) != 0 && + ((dev->driver_info->flags & FLAG_POINTTOPOINT) == 0 || + (net->dev_addr [0] & 0x02) == 0)) + strcpy (net->name, "eth%d"); + /* WLAN devices should always be named "wlan%d" */ + if ((dev->driver_info->flags & FLAG_WLAN) != 0) + strcpy(net->name, "wlan%d"); + /* WWAN devices should always be named "wwan%d" */ + if ((dev->driver_info->flags & FLAG_WWAN) != 0) + strcpy(net->name, "wwan%d"); + +So by using ETHER | POINTTOPOINT the interface naming is +either usb%d or eth%d based on the global uniqueness of the +mac address of the device. + +Without this 2.5gbps ethernet dongles which all seem to use the cdc_ncm +driver end up being called usb%d instead of eth%d even though they're +definitely not two-host. 
(All 1gbps & 5gbps ethernet usb dongles I've +tested don't hit this problem due to use of different drivers, primarily +r8152 and aqc111) + +Fixes tag is based purely on git blame, and is really just here to make +sure this hits LTS branches newer than v4.5. + +Cc: Lorenzo Colitti +Fixes: 4d06dd537f95 ("cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind") +Signed-off-by: Maciej Żenczykowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/cdc_ncm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index 297d3f599efd..5a5db2f09f78 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1639,7 +1639,7 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb) + static const struct driver_info cdc_ncm_info = { + .description = "CDC NCM", + .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET +- | FLAG_LINK_INTR, ++ | FLAG_LINK_INTR | FLAG_ETHER, + .bind = cdc_ncm_bind, + .unbind = cdc_ncm_unbind, + .manage_power = usbnet_manage_power, +-- +2.30.2 + diff --git a/queue-4.9/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch b/queue-4.9/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch new file mode 100644 index 00000000000..0e0dcabce9c --- /dev/null +++ b/queue-4.9/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch 
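Review bot: Adding `FLAG_ETHER` to `cdc_ncm_info` changes the interface name that already-deployed devices receive (`eth%d` instead of `usb%d` when the MAC address is globally unique, per the commit message), and this change is going into a stable tree. Configuration keyed on the old name, such as packet-filter rules or udev rules that match `usb0`, would stop applying after the update without any error. A comment on the `.flags` initializer such as `/* FLAG_ETHER: named eth%d unless the MAC is locally administered */` would record the intent. The rename is also worth calling out in the stable changelog.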
@@ -0,0 +1,56 @@ +From 47c7bb36b851d624fbfc23326b6f95372509e991 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 16:49:02 +0300 +Subject: net: ethernet: fix potential use-after-free in ec_bhf_remove + +From: Pavel Skripkin + +[ Upstream commit 9cca0c2d70149160407bda9a9446ce0c29b6e6c6 ] + +static void ec_bhf_remove(struct pci_dev *dev) +{ +... + struct ec_bhf_priv *priv = netdev_priv(net_dev); + + unregister_netdev(net_dev); + free_netdev(net_dev); + + pci_iounmap(dev, priv->dma_io); + pci_iounmap(dev, priv->io); +... +} + +priv is netdev private data, but it is used +after free_netdev(). It can cause use-after-free when accessing priv +pointer. So, fix it by moving free_netdev() after pci_iounmap() +calls. + +Fixes: 6af55ff52b02 ("Driver for Beckhoff CX5020 EtherCAT master module.") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ec_bhf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ec_bhf.c b/drivers/net/ethernet/ec_bhf.c +index f7b42483921c..0ade0c6d81ee 100644 +--- a/drivers/net/ethernet/ec_bhf.c ++++ b/drivers/net/ethernet/ec_bhf.c +@@ -589,10 +589,12 @@ static void ec_bhf_remove(struct pci_dev *dev) + struct ec_bhf_priv *priv = netdev_priv(net_dev); + + unregister_netdev(net_dev); +- free_netdev(net_dev); + + pci_iounmap(dev, priv->dma_io); + pci_iounmap(dev, priv->io); ++ ++ free_netdev(net_dev); ++ + pci_release_regions(dev); + pci_clear_master(dev); + pci_disable_device(dev); +-- +2.30.2 + diff --git a/queue-4.9/net-hamradio-fix-memory-leak-in-mkiss_close.patch b/queue-4.9/net-hamradio-fix-memory-leak-in-mkiss_close.patch new file mode 100644 index 00000000000..4b0bd1719a2 --- /dev/null +++ b/queue-4.9/net-hamradio-fix-memory-leak-in-mkiss_close.patch 
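Review bot: The ordering this fix depends on is not documented in ec_bhf_remove(): `priv` comes from `netdev_priv(net_dev)`, so it is valid only until `free_netdev(net_dev)`. Add a comment above the moved call, e.g. `/* priv lives in net_dev's private area; free only after its last use */`. The end of the function is outside the hunk, so check that nothing after `free_netdev()` still reads `priv` or `net_dev`.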
@@ -0,0 +1,112 @@ +From 582c8e9226ca44541774deba88368efbc72c93b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 22:09:06 +0300 +Subject: net: hamradio: fix memory leak in mkiss_close + +From: Pavel Skripkin + +[ Upstream commit 7edcc682301492380fbdd604b4516af5ae667a13 ] + +My local syzbot instance hit memory leak in +mkiss_open()[1]. The problem was in missing +free_netdev() in mkiss_close(). + +In mkiss_open() netdevice is allocated and then +registered, but in mkiss_close() netdevice was +only unregistered, but not freed. + +Fail log: + +BUG: memory leak +unreferenced object 0xffff8880281ba000 (size 4096): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 ax0............. + 00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00 .'.*............ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x98/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff8880141a9a00 (size 96): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff ...(.......(.... + 98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00 .....@.......... 
+ backtrace: + [] __hw_addr_create_ex+0x5b/0x310 + [] __hw_addr_add_ex+0x1f8/0x2b0 + [] dev_addr_init+0x10b/0x1f0 + [] alloc_netdev_mqs+0x13b/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff8880219bfc00 (size 512): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ff ...(............ + 80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x777/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +BUG: memory leak +unreferenced object 0xffff888029b2b200 (size 256): + comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kvmalloc_node+0x61/0xf0 + [] alloc_netdev_mqs+0x912/0xe80 + [] mkiss_open+0xb2/0x6f0 [1] + [] tty_ldisc_open+0x9b/0x110 + [] tty_set_ldisc+0x2e8/0x670 + [] tty_ioctl+0xda3/0x1440 + [] __x64_sys_ioctl+0x193/0x200 + [] do_syscall_64+0x3a/0xb0 + [] entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 815f62bf7427 ("[PATCH] SMP rewrite of mkiss") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/mkiss.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c +index 088fe5d34f50..76340bc3cf44 100644 +--- a/drivers/net/hamradio/mkiss.c ++++ b/drivers/net/hamradio/mkiss.c +@@ -810,6 +810,7 @@ static void mkiss_close(struct tty_struct *tty) + ax->tty = NULL; + + unregister_netdev(ax->dev); ++ free_netdev(ax->dev); + } + + /* Perform I/O control on an active ax25 channel. */ +-- +2.30.2 + diff --git a/queue-4.9/net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch b/queue-4.9/net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch new file mode 100644 index 00000000000..3362d682737 --- /dev/null +++ b/queue-4.9/net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch 
@@ -0,0 +1,86 @@ +From 233ba39aff7585e0b5d9334e0a63ed235648ea69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 17:59:25 +0800 +Subject: net: ipv4: fix memory leak in ip_mc_add1_src + +From: Chengyang Fan + +[ Upstream commit d8e2973029b8b2ce477b564824431f3385c77083 ] + +BUG: memory leak +unreferenced object 0xffff888101bc4c00 (size 32): + comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................ + backtrace: + [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline] + [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline] + [<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline] + [<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095 + [<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416 + [<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline] + [<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423 + [<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857 + [<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117 + [<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline] + [<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline] + [<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125 + [<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47 + [<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae + +In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set +link down"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed, +because it was also called in igmpv3_clear_delrec(). 
+ +Rough callgraph: + +inetdev_destroy +-> ip_mc_destroy_dev + -> igmpv3_clear_delrec + -> ip_mc_clear_src +-> RCU_INIT_POINTER(dev->ip_ptr, NULL) + +However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't +release in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the +NULL to dev->ip_ptr. As a result, in_dev cannot be obtained through +inetdev_by_index() and then in_dev->mc_list->sources cannot be released +by ip_mc_del1_src() in the sock_close. Rough call sequence goes like: + +sock_close +-> __sock_release + -> inet_release + -> ip_mc_drop_socket + -> inetdev_by_index + -> ip_mc_leave_src + -> ip_mc_del_src + -> ip_mc_del1_src + +So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free +in_dev->mc_list->sources. + +Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info ...") +Reported-by: Hulk Robot +Signed-off-by: Chengyang Fan +Acked-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/igmp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c +index 02c1736c0b89..f4a827964b68 100644 +--- a/net/ipv4/igmp.c ++++ b/net/ipv4/igmp.c +@@ -1782,6 +1782,7 @@ void ip_mc_destroy_dev(struct in_device *in_dev) + while ((i = rtnl_dereference(in_dev->mc_list)) != NULL) { + in_dev->mc_list = i->next_rcu; + in_dev->mc_count--; ++ ip_mc_clear_src(i); + ip_ma_put(i); + } + } +-- +2.30.2 + diff --git a/queue-4.9/net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch b/queue-4.9/net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch new file mode 100644 index 00000000000..465c69b0a81 --- /dev/null +++ b/queue-4.9/net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch 
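Review bot: `ip_mc_clear_src(i)` runs on an entry that has only just been unlinked from `in_dev->mc_list` and whose memory is released later through `ip_ma_put(i)`, so a reader that picked up `i` before the unlink may still be walking `i->sources`. ip_mc_clear_src() is not visible in this hunk. If in this 4.9 tree it frees the source list with plain `kfree()` and without taking the entry's lock, that is a possible use-after-free against RCU readers and should be confirmed before the backport is queued. If the call is safe here, add a one-line comment above it stating why no reader can still hold `i` at this point.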
@@ -0,0 +1,66 @@ +From 84ebab02d044e0b8099a75dd8ea31cebf9a27167 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 09:51:58 +0800 +Subject: net: ipv4: fix memory leak in netlbl_cipsov4_add_std + +From: Nanyong Sun + +[ Upstream commit d612c3f3fae221e7ea736d196581c2217304bbbc ] + +Reported by syzkaller: +BUG: memory leak +unreferenced object 0xffff888105df7000 (size 64): +comm "syz-executor842", pid 360, jiffies 4294824824 (age 22.546s) +hex dump (first 32 bytes): +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +backtrace: +[<00000000e67ed558>] kmalloc include/linux/slab.h:590 [inline] +[<00000000e67ed558>] kzalloc include/linux/slab.h:720 [inline] +[<00000000e67ed558>] netlbl_cipsov4_add_std net/netlabel/netlabel_cipso_v4.c:145 [inline] +[<00000000e67ed558>] netlbl_cipsov4_add+0x390/0x2340 net/netlabel/netlabel_cipso_v4.c:416 +[<0000000006040154>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 net/netlink/genetlink.c:739 +[<00000000204d7a1c>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] +[<00000000204d7a1c>] genl_rcv_msg+0x2bf/0x4f0 net/netlink/genetlink.c:800 +[<00000000c0d6a995>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504 +[<00000000d78b9d2c>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 +[<000000009733081b>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] +[<000000009733081b>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340 +[<00000000d5fd43b8>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929 +[<000000000a2d1e40>] sock_sendmsg_nosec net/socket.c:654 [inline] +[<000000000a2d1e40>] sock_sendmsg+0x139/0x170 net/socket.c:674 +[<00000000321d1969>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350 +[<00000000964e16bc>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404 +[<000000001615e288>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433 +[<000000004ee8b6a5>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47 
+[<00000000171c7cee>] entry_SYSCALL_64_after_hwframe+0x44/0xae + +The memory of doi_def->map.std pointing is allocated in +netlbl_cipsov4_add_std, but no place has freed it. It should be +freed in cipso_v4_doi_free which frees the cipso DOI resource. + +Fixes: 96cb8e3313c7a ("[NetLabel]: CIPSOv4 and Unlabeled packet integration") +Reported-by: Hulk Robot +Signed-off-by: Nanyong Sun +Acked-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/cipso_ipv4.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c +index 71409928763b..553cda6f887a 100644 +--- a/net/ipv4/cipso_ipv4.c ++++ b/net/ipv4/cipso_ipv4.c +@@ -486,6 +486,7 @@ void cipso_v4_doi_free(struct cipso_v4_doi *doi_def) + kfree(doi_def->map.std->lvl.local); + kfree(doi_def->map.std->cat.cipso); + kfree(doi_def->map.std->cat.local); ++ kfree(doi_def->map.std); + break; + } + kfree(doi_def); +-- +2.30.2 + diff --git a/queue-4.9/net-rds-fix-memory-leak-in-rds_recvmsg.patch b/queue-4.9/net-rds-fix-memory-leak-in-rds_recvmsg.patch new file mode 100644 index 00000000000..503de39e0d6 --- /dev/null +++ b/queue-4.9/net-rds-fix-memory-leak-in-rds_recvmsg.patch 
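Review bot: `kfree(doi_def->map.std)` is right for the leak, but the three context lines above it dereference `doi_def->map.std` unconditionally, and the commit message says that pointer is allocated in netlbl_cipsov4_add_std(). If cipso_v4_doi_free() can be reached from an error path where that allocation failed or had not happened yet, those lines dereference NULL. Guard the whole group of frees with `if (doi_def->map.std) { ... }`. The `case` label and the start of the function are outside the hunk, so the caller paths have to be checked there.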
@@ -0,0 +1,73 @@ +From 396558dba275981637e9ca5483afe76604006556 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 11:06:41 +0300 +Subject: net: rds: fix memory leak in rds_recvmsg +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pavel Skripkin + +[ Upstream commit 49bfcbfd989a8f1f23e705759a6bb099de2cff9f ] + +Syzbot reported memory leak in rds. The problem +was in unputted refcount in case of error. + +int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, + int msg_flags) +{ +... + + if (!rds_next_incoming(rs, &inc)) { + ... + } + +After this "if" inc refcount incremented and + + if (rds_cmsg_recv(inc, msg, rs)) { + ret = -EFAULT; + goto out; + } +... +out: + return ret; +} + +in case of rds_cmsg_recv() fail the refcount won't be +decremented. And it's easy to see from ftrace log, that +rds_inc_addref() don't have rds_inc_put() pair in +rds_recvmsg() after rds_cmsg_recv() + + 1) | rds_recvmsg() { + 1) 3.721 us | rds_inc_addref(); + 1) 3.853 us | rds_message_inc_copy_to_user(); + 1) + 10.395 us | rds_cmsg_recv(); + 1) + 34.260 us | } + +Fixes: bdbe6fbc6a2f ("RDS: recv.c") +Reported-and-tested-by: syzbot+5134cdf021c4ed5aaa5f@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Reviewed-by: Håkon Bugge +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rds/recv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rds/recv.c b/net/rds/recv.c +index 488a198be3e1..4bd307e31b40 100644 +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -596,7 +596,7 @@ int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, + + if (rds_cmsg_recv(inc, msg, rs)) { + ret = -EFAULT; +- goto out; ++ break; + } + + rds_stats_inc(s_recv_delivered); +-- +2.30.2 + 
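Review bot: Replacing `goto out` with `break` fixes the leak only because of cleanup code that is not in this hunk; presumably the `rds_inc_put()` for `inc` sits after the loop and before the `out:` label. Nothing on the changed line says so, and a later edit could turn it back into a `goto`. Add a comment on the `break`, e.g. `/* break, not goto out: the reference on inc is dropped after the loop */`, and confirm that `ret = -EFAULT` is not overwritten between the loop exit and the return.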
diff --git a/queue-4.9/net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch b/queue-4.9/net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch new file mode 100644 index 00000000000..2f0866ded26 --- /dev/null +++ b/queue-4.9/net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch @@ -0,0 +1,42 @@ +From 164a1b6303c14e32d230b9169367184858c40df8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Jun 2021 15:16:11 +0800 +Subject: net: stmmac: dwmac1000: Fix extended MAC address registers definition + +From: Jisheng Zhang + +[ Upstream commit 1adb20f0d496b2c61e9aa1f4761b8d71f93d258e ] + +The register starts from 0x800 is the 16th MAC address register rather +than the first one. + +Fixes: cffb13f4d6fb ("stmmac: extend mac addr reg and fix perfect filering") +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/dwmac1000.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h +index ff3e5ab39bd0..24fb7a2bba62 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000.h +@@ -91,10 +91,10 @@ enum power_event { + #define LPI_CTRL_STATUS_TLPIEN 0x00000001 /* Transmit LPI Entry */ + + /* GMAC HW ADDR regs */ +-#define GMAC_ADDR_HIGH(reg) (((reg > 15) ? 0x00000800 : 0x00000040) + \ +- (reg * 8)) +-#define GMAC_ADDR_LOW(reg) (((reg > 15) ? 0x00000804 : 0x00000044) + \ +- (reg * 8)) ++#define GMAC_ADDR_HIGH(reg) ((reg > 15) ? 0x00000800 + (reg - 16) * 8 : \ ++ 0x00000040 + (reg * 8)) ++#define GMAC_ADDR_LOW(reg) ((reg > 15) ? 0x00000804 + (reg - 16) * 8 : \ ++ 0x00000044 + (reg * 8)) + #define GMAC_MAX_PERFECT_ADDRESSES 1 + + #define GMAC_PCS_BASE 0x000000c0 /* PCS register base */ +-- +2.30.2 + 
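Review bot: The rewritten `GMAC_ADDR_HIGH()` and `GMAC_ADDR_LOW()` use their argument unparenthesized, so a call such as `GMAC_ADDR_HIGH(i + 1)` expands `(reg * 8)` to `i + 1 * 8` and produces the wrong register offset for a MAC address filter entry. Parenthesize every use: `#define GMAC_ADDR_HIGH(reg) ((reg) > 15 ? 0x00000800 + ((reg) - 16) * 8 : 0x00000040 + (reg) * 8)`, and the same for `GMAC_ADDR_LOW` with 0x00000804 and 0x00000044. The argument is also evaluated more than once, so callers must not pass an expression with side effects. A `static inline` helper would remove both hazards.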
diff --git a/queue-4.9/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch b/queue-4.9/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch
new file mode 100644
index 00000000000..a703b4f3269
--- /dev/null
+++ b/queue-4.9/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch
@@ -0,0 +1,72 @@
+From 8c77cede130720bd434f9c5d0cbeccda35310b51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 16 Jun 2021 10:48:33 +0800
+Subject: net: usb: fix possible use-after-free in smsc75xx_bind
+
+From: Dongliang Mu
+
+[ Upstream commit 56b786d86694e079d8aad9b314e015cd4ac02a3d ]
+
+The commit 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind")
+fails to clean up the work scheduled in smsc75xx_reset->
+smsc75xx_set_multicast, which leads to use-after-free if the work is
+scheduled to start after the deallocation. In addition, this patch
+also removes a dangling pointer - dev->data[0].
+
+This patch calls cancel_work_sync to cancel the scheduled work and set
+the dangling pointer to NULL.
+
+Fixes: 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind")
+Signed-off-by: Dongliang Mu
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/smsc75xx.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
+index 3a391ae5c4e0..841d97491592 100644
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -1497,7 +1497,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ ret = smsc75xx_wait_ready(dev, 0);
+ if (ret < 0) {
+ netdev_warn(dev->net, "device not ready in smsc75xx_bind\n");
+- goto err;
++ goto free_pdata;
+ }
+
+ smsc75xx_init_mac_address(dev);
+@@ -1506,7 +1506,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ ret = smsc75xx_reset(dev);
+ if (ret < 0) {
+ netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret);
+- goto err;
++ goto cancel_work;
+ }
+
+ dev->net->netdev_ops = &smsc75xx_netdev_ops;
+@@ -1516,8 +1516,11 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
+ dev->hard_mtu = dev->net->mtu + dev->net->hard_header_len;
+ return 0;
+
+-err:
++cancel_work:
++ cancel_work_sync(&pdata->set_multicast);
++free_pdata:
+ kfree(pdata);
++ dev->data[0] = 0;
+ return ret;
+ }
+
+@@ -1528,7 +1531,6 @@ static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf)
+ cancel_work_sync(&pdata->set_multicast);
+ netif_dbg(dev, ifdown, dev->net, "free pdata\n");
+ kfree(pdata);
+- pdata = NULL;
+ dev->data[0] = 0;
+ }
+ }
+--
+2.30.2
+
diff --git a/queue-4.9/netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch b/queue-4.9/netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch
new file mode 100644
index 00000000000..92205403eca
--- /dev/null
+++ b/queue-4.9/netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch
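Review bot: The two new labels in `smsc75xx_bind()` encode an ordering rule that nothing in the code states: the `set_multicast` work has to be cancelled before `pdata` is freed, and the `free_pdata` entry point skips the cancel. A comment above `cancel_work:` would keep a later edit from reordering or merging them, for example `/* smsc75xx_reset() may have queued set_multicast work that uses pdata; cancel it before kfree() */`. The start of the function, where `pdata` is allocated and the work item is set up, is outside the hunk, so it cannot be confirmed from here that no work can be queued before the `goto free_pdata` path.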
@@ -0,0 +1,59 @@
+From 0241ba3e34375b9f473ed805cd66b0b73e4fd3eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Jun 2021 19:40:29 +0300
+Subject: netfilter: synproxy: Fix out of bounds when parsing TCP options
+
+From: Maxim Mikityanskiy
+
+[ Upstream commit 5fc177ab759418c9537433e63301096e733fb915 ]
+
+The TCP option parser in synproxy (synproxy_parse_options) could read
+one byte out of bounds. When the length is 1, the execution flow gets
+into the loop, reads one byte of the opcode, and if the opcode is
+neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds
+the length of 1.
+
+This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
+out of bounds when parsing TCP options.").
+
+v2 changes:
+
+Added an early return when length < 0 to avoid calling
+skb_header_pointer with negative length.
+
+Cc: Young Xiao <92siuyang@gmail.com>
+Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
+Signed-off-by: Maxim Mikityanskiy
+Reviewed-by: Florian Westphal
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nf_synproxy_core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
+index c8a4a48bced9..8be604eb6961 100644
+--- a/net/netfilter/nf_synproxy_core.c
++++ b/net/netfilter/nf_synproxy_core.c
+@@ -34,6 +34,9 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
+ int length = (th->doff * 4) - sizeof(*th);
+ u8 buf[40], *ptr;
+
++ if (unlikely(length < 0))
++ return false;
++
+ ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf);
+ if (ptr == NULL)
+ return false;
+@@ -50,6 +53,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
+ length--;
+ continue;
+ default:
++ if (length < 2)
++ return true;
+ opsize = *ptr++;
+ if (opsize < 2)
+ return true;
+--
+2.30.2
+
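Review bot: The added `if (length < 2) return true;` in the `default:` branch reports a successful parse for an option list that ends in the middle of an option, and nothing in the code says this is intended. It matches the existing `opsize < 2` case directly below, so it looks deliberate, but anyone auditing the bounds checks would want it stated, e.g. `/* truncated option: stop here and keep what was parsed so far */`. The early `length < 0` return could likewise carry a short comment that a `th->doff` smaller than the fixed header is what makes `length` negative. The rest of the loop, including any comparison of `opsize` with `length`, is outside the hunk.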
diff --git a/queue-4.9/netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch b/queue-4.9/netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch
new file mode 100644
index 00000000000..6cd0602a993
--- /dev/null
+++ b/queue-4.9/netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch
@@ -0,0 +1,37 @@
+From ec88d6aa00b55b8a48662527f064910c827bfda7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 12 Jun 2021 14:53:12 +0200
+Subject: netxen_nic: Fix an error handling path in 'netxen_nic_probe()'
+
+From: Christophe JAILLET
+
+[ Upstream commit 49a10c7b176295f8fafb338911cf028e97f65f4d ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: e87ad5539343 ("netxen: support pci error handlers")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
+index a5ee3d328f3d..75e25a3fe4a7 100644
+--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
+@@ -1617,6 +1617,8 @@ err_out_free_netdev:
+ free_netdev(netdev);
+
+ err_out_free_res:
++ if (NX_IS_REVISION_P3(pdev->revision))
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_regions(pdev);
+
+ err_out_disable_pdev:
+--
+2.30.2
+
diff --git a/queue-4.9/qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch b/queue-4.9/qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch
new file mode 100644
index 00000000000..b2d40391800
--- /dev/null
+++ b/queue-4.9/qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch
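Review bot: The cleanup added under `err_out_free_res:` in `netxen_nic_probe()` repeats the `NX_IS_REVISION_P3(pdev->revision)` test, and enable and disable stay balanced only while that test matches whatever guards the enable call, which is outside the hunk. A one-line comment would tie the two together, e.g. `/* pairs with the pci_enable_pcie_error_reporting() call earlier in probe */`. The qlcnic hunk that follows adds the call unconditionally under its own `err_out_free_res:` and leaves the same question open: whether every jump to that label happens after error reporting was enabled cannot be checked from the lines shown.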
@@ -0,0 +1,36 @@
+From 359f792c53511ca9574a6efdd4a1041ea79e77df Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 12 Jun 2021 14:37:46 +0200
+Subject: qlcnic: Fix an error handling path in 'qlcnic_probe()'
+
+From: Christophe JAILLET
+
+[ Upstream commit cb3376604a676e0302258b01893911bdd7aa5278 ]
+
+If an error occurs after a 'pci_enable_pcie_error_reporting()' call, it
+must be undone by a corresponding 'pci_disable_pcie_error_reporting()'
+call, as already done in the remove function.
+
+Fixes: 451724c821c1 ("qlcnic: aer support")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
+index 0928da21efd0..19dca845042e 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
+@@ -2707,6 +2707,7 @@ err_out_free_hw_res:
+ kfree(ahw);
+
+ err_out_free_res:
++ pci_disable_pcie_error_reporting(pdev);
+ pci_release_regions(pdev);
+
+ err_out_disable_pdev:
+--
+2.30.2
+
diff --git a/queue-4.9/rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch b/queue-4.9/rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch
new file mode 100644
index 00000000000..3d29f6f09bb
--- /dev/null
+++ b/queue-4.9/rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch
@@ -0,0 +1,55 @@
+From ef14fecef9b8be4746fdb05bb5029d0190148027 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Jun 2021 14:17:53 +0300
+Subject: rtnetlink: Fix regression in bridge VLAN configuration
+
+From: Ido Schimmel
+
+[ Upstream commit d2e381c4963663bca6f30c3b996fa4dbafe8fcb5 ]
+
+Cited commit started returning errors when notification info is not
+filled by the bridge driver, resulting in the following regression:
+
+ # ip link add name br1 type bridge vlan_filtering 1
+ # bridge vlan add dev br1 vid 555 self pvid untagged
+ RTNETLINK answers: Invalid argument
+
+As long as the bridge driver does not fill notification info for the
+bridge device itself, an empty notification should not be considered as
+an error. This is explained in commit 59ccaaaa49b5 ("bridge: dont send
+notification when skb->len == 0 in rtnl_bridge_notify").
+
+Fix by removing the error and add a comment to avoid future bugs.
+
+Fixes: a8db57c1d285 ("rtnetlink: Fix missing error code in rtnl_bridge_notify()")
+Signed-off-by: Ido Schimmel
+Reviewed-by: Nikolay Aleksandrov
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/rtnetlink.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 93de31ca3d65..911752e8a3e6 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -3530,10 +3530,12 @@ static int rtnl_bridge_notify(struct net_device *dev)
+ if (err < 0)
+ goto errout;
+
+- if (!skb->len) {
+- err = -EINVAL;
++ /* Notification info is only filled for bridge ports, not the bridge
++ * device itself. Therefore, a zero notification length is valid and
++ * should not result in an error.
++ */
++ if (!skb->len)
+ goto errout;
+- }
+
+ rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, GFP_ATOMIC);
+ return 0;
+--
+2.30.2
+
diff --git a/queue-4.9/series b/queue-4.9/series
index e8b237290cb..07a3b948a83 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
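Review bot: With the `err = -EINVAL` assignment gone, the `if (!skb->len) goto errout;` path in `rtnl_bridge_notify()` relies on `err` still being 0 from the preceding call, because only `err < 0` was ruled out above it. If that call can ever return a positive value, the empty-notification case would leave through `errout` with a non-zero `err`; the body of `errout` and the callee are outside the hunk, so this is unverified. Stating the intent costs little: either `if (!skb->len) { err = 0; goto errout; }`, or extend the new comment to say that `err` is 0 at this point and `errout` is used here only to free the skb.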
@@ -17,3 +17,21 @@ dmaengine-stedma40-add-missing-iounmap-on-error-in-d.patch
 mm-hwpoison-change-pagehwpoison-behavior-on-hugetlb-.patch
 mm-hwpoison-introduce-memory_failure_hugetlb.patch
 mm-memory-failure-make-sure-wait-for-page-writeback-.patch
+batman-adv-avoid-warn_on-timing-related-checks.patch
+net-ipv4-fix-memory-leak-in-netlbl_cipsov4_add_std.patch
+net-rds-fix-memory-leak-in-rds_recvmsg.patch
+udp-fix-race-between-close-and-udp_abort.patch
+rtnetlink-fix-regression-in-bridge-vlan-configuratio.patch
+netfilter-synproxy-fix-out-of-bounds-when-parsing-tc.patch
+alx-fix-an-error-handling-path-in-alx_probe.patch
+net-stmmac-dwmac1000-fix-extended-mac-address-regist.patch
+qlcnic-fix-an-error-handling-path-in-qlcnic_probe.patch
+netxen_nic-fix-an-error-handling-path-in-netxen_nic_.patch
+net-cdc_ncm-switch-to-eth-d-interface-naming.patch
+net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch
+net-ipv4-fix-memory-leak-in-ip_mc_add1_src.patch
+net-af_unix-fix-a-data-race-in-unix_dgram_sendmsg-un.patch
+be2net-fix-an-error-handling-path-in-be_probe.patch
+net-hamradio-fix-memory-leak-in-mkiss_close.patch
+net-cdc_eem-fix-tx-fixup-skb-leak.patch
+net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch
diff --git a/queue-4.9/udp-fix-race-between-close-and-udp_abort.patch b/queue-4.9/udp-fix-race-between-close-and-udp_abort.patch
new file mode 100644
index 00000000000..fca93daa7ce
--- /dev/null
+++ b/queue-4.9/udp-fix-race-between-close-and-udp_abort.patch
@@ -0,0 +1,77 @@
+From 4e7d3c549c5da3771397b408f8522c9ae3f0d1ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Jun 2021 11:49:01 +0200
+Subject: udp: fix race between close() and udp_abort()
+
+From: Paolo Abeni
+
+[ Upstream commit a8b897c7bcd47f4147d066e22cc01d1026d7640e ]
+
+Kaustubh reported and diagnosed a panic in udp_lib_lookup().
+The root cause is udp_abort() racing with close(). Both
+racing functions acquire the socket lock, but udp{v6}_destroy_sock()
+release it before performing destructive actions.
+
+We can't easily extend the socket lock scope to avoid the race,
+instead use the SOCK_DEAD flag to prevent udp_abort from doing
+any action when the critical race happens.
+
+Diagnosed-and-tested-by: Kaustubh Pandey
+Fixes: 5d77dca82839 ("net: diag: support SOCK_DESTROY for UDP sockets")
+Signed-off-by: Paolo Abeni
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/udp.c | 10 ++++++++++
+ net/ipv6/udp.c | 3 +++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 18a1a4890c5f..79249a44e4a3 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1998,6 +1998,9 @@ void udp_destroy_sock(struct sock *sk)
+ {
+ struct udp_sock *up = udp_sk(sk);
+ bool slow = lock_sock_fast(sk);
++
++ /* protects from races with udp_abort() */
++ sock_set_flag(sk, SOCK_DEAD);
+ udp_flush_pending_frames(sk);
+ unlock_sock_fast(sk, slow);
+ if (static_key_false(&udp_encap_needed) && up->encap_type) {
+@@ -2228,10 +2231,17 @@ int udp_abort(struct sock *sk, int err)
+ {
+ lock_sock(sk);
+
++ /* udp{v6}_destroy_sock() sets it under the sk lock, avoid racing
++ * with close()
++ */
++ if (sock_flag(sk, SOCK_DEAD))
++ goto out;
++
+ sk->sk_err = err;
+ sk->sk_error_report(sk);
+ __udp_disconnect(sk, 0);
+
++out:
+ release_sock(sk);
+
+ return 0;
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 1ad84e18c03b..3a876a2fdd82 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1325,6 +1325,9 @@ void udpv6_destroy_sock(struct sock *sk)
+ {
+ struct udp_sock *up = udp_sk(sk);
+ lock_sock(sk);
++
++ /* protects from races with udp_abort() */
++ sock_set_flag(sk, SOCK_DEAD);
+ udp_v6_flush_pending_frames(sk);
+ release_sock(sk);
+
+--
+2.30.2
+
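Review bot: On the new early exit in `udp_abort()`, `goto out` leaves through `return 0`, so a caller cannot tell an abort that was skipped because the socket is already `SOCK_DEAD` from one that was carried out. That is probably acceptable because close() is tearing the socket down anyway, but the comment above the check should say so, for instance by adding a line such as `* The socket is already being destroyed, so reporting success is intended.` In `udp_destroy_sock()` and `udpv6_destroy_sock()` the one-line comment `/* protects from races with udp_abort() */` would be more useful if it also said that the destructive work runs after the lock is dropped, which is the reason the flag is needed. The remainder of both destroy functions is outside the hunks.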