From: Sasha Levin <sashal@kernel.org>
Date: Sat, 26 Jun 2021 01:30:27 +0000 (-0400)
Subject: Fixes for 4.9
X-Git-Tag: v5.12.14~29
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e8cc658675082d454aaee9a94f3a06f7b5ae6947;p=thirdparty%2Fkernel%2Fstable-queue.git

Fixes for 4.9

Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/queue-4.9/cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch b/queue-4.9/cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch
new file mode 100644
index 00000000000..27aee035a8c
--- /dev/null
+++ b/queue-4.9/cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch
@@ -0,0 +1,62 @@
+From ad29eeb66985a84b2db2a89dec8585d43664ddaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Apr 2021 14:39:41 +0800
+Subject: cfg80211: call cfg80211_leave_ocb when switching away from OCB
+
+From: Du Cheng <ducheng2@gmail.com>
+
+[ Upstream commit a64b6a25dd9f984ed05fade603a00e2eae787d2f ]
+
+If the userland switches back-and-forth between NL80211_IFTYPE_OCB and
+NL80211_IFTYPE_ADHOC via send_msg(NL80211_CMD_SET_INTERFACE), there is a
+chance where the cleanup cfg80211_leave_ocb() is not called. This leads
+to initialization of in-use memory (e.g. init u.ibss while in-use by
+u.ocb) due to a shared struct/union within ieee80211_sub_if_data:
+
+struct ieee80211_sub_if_data {
+    ...
+    union {
+        struct ieee80211_if_ap ap;
+        struct ieee80211_if_vlan vlan;
+        struct ieee80211_if_managed mgd;
+        struct ieee80211_if_ibss ibss; // <- shares address
+        struct ieee80211_if_mesh mesh;
+        struct ieee80211_if_ocb ocb; // <- shares address
+        struct ieee80211_if_mntr mntr;
+        struct ieee80211_if_nan nan;
+    } u;
+    ...
+}
+
+Therefore add handling of otype == NL80211_IFTYPE_OCB, during
+cfg80211_change_iface() to perform cleanup when leaving OCB mode.
+
+link to syzkaller bug:
+https://syzkaller.appspot.com/bug?id=0612dbfa595bf4b9b680ff7b4948257b8e3732d5
+
+Reported-by: syzbot+105896fac213f26056f9@syzkaller.appspotmail.com
+Signed-off-by: Du Cheng <ducheng2@gmail.com>
+Link: https://lore.kernel.org/r/20210428063941.105161-1-ducheng2@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/util.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index 939320571d71..a16e805c4857 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -1050,6 +1050,9 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
+ 		case NL80211_IFTYPE_MESH_POINT:
+ 			/* mesh should be handled? */
+ 			break;
++		case NL80211_IFTYPE_OCB:
++			cfg80211_leave_ocb(rdev, dev);
++			break;
+ 		default:
+ 			break;
+ 		}
+-- 
+2.30.2
+
diff --git a/queue-4.9/inet-annotate-date-races-around-sk-sk_txhash.patch b/queue-4.9/inet-annotate-date-races-around-sk-sk_txhash.patch
new file mode 100644
index 00000000000..9c28533c7e8
--- /dev/null
+++ b/queue-4.9/inet-annotate-date-races-around-sk-sk_txhash.patch
@@ -0,0 +1,97 @@
+From 4da92847b3e8d134493e847d8d2e35afd5dbee2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 07:44:11 -0700
+Subject: inet: annotate date races around sk->sk_txhash
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b71eaed8c04f72a919a9c44e83e4ee254e69e7f3 ]
+
+UDP sendmsg() path can be lockless, it is possible for another
+thread to re-connect an change sk->sk_txhash under us.
+
+There is no serious impact, but we can use READ_ONCE()/WRITE_ONCE()
+pair to document the race.
+
+BUG: KCSAN: data-race in __ip4_datagram_connect / skb_set_owner_w
+
+write to 0xffff88813397920c of 4 bytes by task 30997 on cpu 1:
+ sk_set_txhash include/net/sock.h:1937 [inline]
+ __ip4_datagram_connect+0x69e/0x710 net/ipv4/datagram.c:75
+ __ip6_datagram_connect+0x551/0x840 net/ipv6/datagram.c:189
+ ip6_datagram_connect+0x2a/0x40 net/ipv6/datagram.c:272
+ inet_dgram_connect+0xfd/0x180 net/ipv4/af_inet.c:580
+ __sys_connect_file net/socket.c:1837 [inline]
+ __sys_connect+0x245/0x280 net/socket.c:1854
+ __do_sys_connect net/socket.c:1864 [inline]
+ __se_sys_connect net/socket.c:1861 [inline]
+ __x64_sys_connect+0x3d/0x50 net/socket.c:1861
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff88813397920c of 4 bytes by task 31039 on cpu 0:
+ skb_set_hash_from_sk include/net/sock.h:2211 [inline]
+ skb_set_owner_w+0x118/0x220 net/core/sock.c:2101
+ sock_alloc_send_pskb+0x452/0x4e0 net/core/sock.c:2359
+ sock_alloc_send_skb+0x2d/0x40 net/core/sock.c:2373
+ __ip6_append_data+0x1743/0x21a0 net/ipv6/ip6_output.c:1621
+ ip6_make_skb+0x258/0x420 net/ipv6/ip6_output.c:1983
+ udpv6_sendmsg+0x160a/0x16b0 net/ipv6/udp.c:1527
+ inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:642
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350
+ ___sys_sendmsg net/socket.c:2404 [inline]
+ __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490
+ __do_sys_sendmmsg net/socket.c:2519 [inline]
+ __se_sys_sendmmsg net/socket.c:2516 [inline]
+ __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0xbca3c43d -> 0xfdb309e0
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 31039 Comm: syz-executor.2 Not tainted 5.13.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index d0e18917d8be..cf27f3688c39 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1681,7 +1681,8 @@ static inline u32 net_tx_rndhash(void)
+ 
+ static inline void sk_set_txhash(struct sock *sk)
+ {
+-	sk->sk_txhash = net_tx_rndhash();
++	/* This pairs with READ_ONCE() in skb_set_hash_from_sk() */
++	WRITE_ONCE(sk->sk_txhash, net_tx_rndhash());
+ }
+ 
+ static inline void sk_rethink_txhash(struct sock *sk)
+@@ -1936,9 +1937,12 @@ static inline void sock_poll_wait(struct file *filp,
+ 
+ static inline void skb_set_hash_from_sk(struct sk_buff *skb, struct sock *sk)
+ {
+-	if (sk->sk_txhash) {
++	/* This pairs with WRITE_ONCE() in sk_set_txhash() */
++	u32 txhash = READ_ONCE(sk->sk_txhash);
++
++	if (txhash) {
+ 		skb->l4_hash = 1;
+-		skb->hash = sk->sk_txhash;
++		skb->hash = txhash;
+ 	}
+ }
+ 
+-- 
+2.30.2
+
diff --git a/queue-4.9/mac80211-drop-multicast-fragments.patch b/queue-4.9/mac80211-drop-multicast-fragments.patch
new file mode 100644
index 00000000000..a7c644b4951
--- /dev/null
+++ b/queue-4.9/mac80211-drop-multicast-fragments.patch
@@ -0,0 +1,54 @@
+From 2694880ddd9c8102149886287a994c7d5a2c26c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jun 2021 16:13:06 +0200
+Subject: mac80211: drop multicast fragments
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit a9799541ca34652d9996e45f80e8e03144c12949 ]
+
+These are not permitted by the spec, just drop them.
+
+Link: https://lore.kernel.org/r/20210609161305.23def022b750.Ibd6dd3cdce573dae262fcdc47f8ac52b883a9c50@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 721caa5a5430..3a069cb188b7 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1988,17 +1988,15 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+ 	sc = le16_to_cpu(hdr->seq_ctrl);
+ 	frag = sc & IEEE80211_SCTL_FRAG;
+ 
+-	if (is_multicast_ether_addr(hdr->addr1)) {
+-		I802_DEBUG_INC(rx->local->dot11MulticastReceivedFrameCount);
+-		goto out_no_led;
+-	}
+-
+ 	if (rx->sta)
+ 		cache = &rx->sta->frags;
+ 
+ 	if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
+ 		goto out;
+ 
++	if (is_multicast_ether_addr(hdr->addr1))
++		return RX_DROP_MONITOR;
++
+ 	I802_DEBUG_INC(rx->local->rx_handlers_fragments);
+ 
+ 	if (skb_linearize(rx->skb))
+@@ -2127,7 +2125,6 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
+ 
+  out:
+ 	ieee80211_led_rx(rx->local);
+- out_no_led:
+ 	if (rx->sta)
+ 		rx->sta->rx_stats.packets++;
+ 	return RX_CONTINUE;
+-- 
+2.30.2
+
diff --git a/queue-4.9/mac80211-remove-warning-in-ieee80211_get_sband.patch b/queue-4.9/mac80211-remove-warning-in-ieee80211_get_sband.patch
new file mode 100644
index 00000000000..f3ed4d2a344
--- /dev/null
+++ b/queue-4.9/mac80211-remove-warning-in-ieee80211_get_sband.patch
@@ -0,0 +1,39 @@
+From 1482ba3bcae83c2fdaa7c13882128bb68356f0fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 May 2021 16:47:17 +0200
+Subject: mac80211: remove warning in ieee80211_get_sband()
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 0ee4d55534f82a0624701d0bb9fc2304d4529086 ]
+
+Syzbot reports that it's possible to hit this from userspace,
+by trying to add a station before any other connection setup
+has been done. Instead of trying to catch this in some other
+way simply remove the warning, that will appropriately reject
+the call from userspace.
+
+Reported-by: syzbot+7716dbc401d9a437890d@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20210517164715.f537da276d17.Id05f40ec8761d6a8cc2df87f1aa09c651988a586@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/ieee80211_i.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index 21b35255ecc2..f5532a3ce72e 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1391,7 +1391,7 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata)
+ 	rcu_read_lock();
+ 	chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);
+ 
+-	if (WARN_ON_ONCE(!chanctx_conf)) {
++	if (!chanctx_conf) {
+ 		rcu_read_unlock();
+ 		return NULL;
+ 	}
+-- 
+2.30.2
+
diff --git a/queue-4.9/net-caif-fix-memory-leak-in-ldisc_open.patch b/queue-4.9/net-caif-fix-memory-leak-in-ldisc_open.patch
new file mode 100644
index 00000000000..659af0a89da
--- /dev/null
+++ b/queue-4.9/net-caif-fix-memory-leak-in-ldisc_open.patch
@@ -0,0 +1,53 @@
+From 9b0d2565eaae17208c723aa1c9bbe824b6ea7af1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jun 2021 17:51:22 +0300
+Subject: net: caif: fix memory leak in ldisc_open
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 58af3d3d54e87bfc1f936e16c04ade3369d34011 ]
+
+Syzbot reported memory leak in tty_init_dev().
+The problem was in unputted tty in ldisc_open()
+
+static int ldisc_open(struct tty_struct *tty)
+{
+...
+	ser->tty = tty_kref_get(tty);
+...
+	result = register_netdevice(dev);
+	if (result) {
+		rtnl_unlock();
+		free_netdev(dev);
+		return -ENODEV;
+	}
+...
+}
+
+Ser pointer is netdev private_data, so after free_netdev()
+this pointer goes away with unputted tty reference. So, fix
+it by adding tty_kref_put() before freeing netdev.
+
+Reported-and-tested-by: syzbot+f303e045423e617d2cad@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/caif/caif_serial.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
+index 32834dad0b83..1243c2e5a86a 100644
+--- a/drivers/net/caif/caif_serial.c
++++ b/drivers/net/caif/caif_serial.c
+@@ -362,6 +362,7 @@ static int ldisc_open(struct tty_struct *tty)
+ 	rtnl_lock();
+ 	result = register_netdevice(dev);
+ 	if (result) {
++		tty_kref_put(tty);
+ 		rtnl_unlock();
+ 		free_netdev(dev);
+ 		return -ENODEV;
+-- 
+2.30.2
+
diff --git a/queue-4.9/net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch b/queue-4.9/net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch
new file mode 100644
index 00000000000..4a2a3455e60
--- /dev/null
+++ b/queue-4.9/net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch
@@ -0,0 +1,40 @@
+From c7d436cf47d815357bd38f62730e09b5730a90c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jun 2021 12:52:38 +0200
+Subject: net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY
+
+From: Esben Haabendal <esben@geanix.com>
+
+[ Upstream commit f6396341194234e9b01cd7538bc2c6ac4501ab14 ]
+
+As documented in Documentation/networking/driver.rst, the ndo_start_xmit
+method must not return NETDEV_TX_BUSY under any normal circumstances, and
+as recommended, we simply stop the tx queue in advance, when there is a
+risk that the next xmit would cause a NETDEV_TX_BUSY return.
+
+Signed-off-by: Esben Haabendal <esben@geanix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xilinx/ll_temac_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
+index 545f60877bb7..9ba36c930ce3 100644
+--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
+@@ -735,6 +735,11 @@ temac_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+ 	/* Kick off the transfer */
+ 	lp->dma_out(lp, TX_TAILDESC_PTR, tail_p); /* DMA start */
+ 
++	if (temac_check_tx_bd_space(lp, MAX_SKB_FRAGS + 1)) {
++		netdev_info(ndev, "%s -> netif_stop_queue\n", __func__);
++		netif_stop_queue(ndev);
++	}
++
+ 	return NETDEV_TX_OK;
+ }
+ 
+-- 
+2.30.2
+
diff --git a/queue-4.9/net-packet-annotate-accesses-to-po-bind.patch b/queue-4.9/net-packet-annotate-accesses-to-po-bind.patch
new file mode 100644
index 00000000000..72b7b526e31
--- /dev/null
+++ b/queue-4.9/net-packet-annotate-accesses-to-po-bind.patch
@@ -0,0 +1,135 @@
+From fea824fd4ce3c4ea90551500617aff98c25004ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 06:42:01 -0700
+Subject: net/packet: annotate accesses to po->bind
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c7d2ef5dd4b03ed0ee1d13bc0c55f9cf62d49bd6 ]
+
+tpacket_snd(), packet_snd(), packet_getname() and packet_seq_show()
+can read po->num without holding a lock. This means other threads
+can change po->num at the same time.
+
+KCSAN complained about this known fact [1]
+Add READ_ONCE()/WRITE_ONCE() to address the issue.
+
+[1] BUG: KCSAN: data-race in packet_do_bind / packet_sendmsg
+
+write to 0xffff888131a0dcc0 of 2 bytes by task 24714 on cpu 0:
+ packet_do_bind+0x3ab/0x7e0 net/packet/af_packet.c:3181
+ packet_bind+0xc3/0xd0 net/packet/af_packet.c:3255
+ __sys_bind+0x200/0x290 net/socket.c:1637
+ __do_sys_bind net/socket.c:1648 [inline]
+ __se_sys_bind net/socket.c:1646 [inline]
+ __x64_sys_bind+0x3d/0x50 net/socket.c:1646
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff888131a0dcc0 of 2 bytes by task 24719 on cpu 1:
+ packet_snd net/packet/af_packet.c:2899 [inline]
+ packet_sendmsg+0x317/0x3570 net/packet/af_packet.c:3040
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg net/socket.c:674 [inline]
+ ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350
+ ___sys_sendmsg net/socket.c:2404 [inline]
+ __sys_sendmsg+0x1ed/0x270 net/socket.c:2433
+ __do_sys_sendmsg net/socket.c:2442 [inline]
+ __se_sys_sendmsg net/socket.c:2440 [inline]
+ __x64_sys_sendmsg+0x42/0x50 net/socket.c:2440
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x0000 -> 0x1200
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 24719 Comm: syz-executor.5 Not tainted 5.13.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index b5b79f501541..5f9007e7c28d 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2674,7 +2674,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
+ 	}
+ 	if (likely(saddr == NULL)) {
+ 		dev	= packet_cached_dev_get(po);
+-		proto	= po->num;
++		proto	= READ_ONCE(po->num);
+ 	} else {
+ 		err = -EINVAL;
+ 		if (msg->msg_namelen < sizeof(struct sockaddr_ll))
+@@ -2886,7 +2886,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+ 
+ 	if (likely(saddr == NULL)) {
+ 		dev	= packet_cached_dev_get(po);
+-		proto	= po->num;
++		proto	= READ_ONCE(po->num);
+ 	} else {
+ 		err = -EINVAL;
+ 		if (msg->msg_namelen < sizeof(struct sockaddr_ll))
+@@ -3157,7 +3157,7 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
+ 			/* prevents packet_notifier() from calling
+ 			 * register_prot_hook()
+ 			 */
+-			po->num = 0;
++			WRITE_ONCE(po->num, 0);
+ 			__unregister_prot_hook(sk, true);
+ 			rcu_read_lock();
+ 			dev_curr = po->prot_hook.dev;
+@@ -3167,7 +3167,7 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
+ 		}
+ 
+ 		BUG_ON(po->running);
+-		po->num = proto;
++		WRITE_ONCE(po->num, proto);
+ 		po->prot_hook.type = proto;
+ 
+ 		if (unlikely(unlisted)) {
+@@ -3514,7 +3514,7 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr,
+ 
+ 	sll->sll_family = AF_PACKET;
+ 	sll->sll_ifindex = po->ifindex;
+-	sll->sll_protocol = po->num;
++	sll->sll_protocol = READ_ONCE(po->num);
+ 	sll->sll_pkttype = 0;
+ 	rcu_read_lock();
+ 	dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex);
+@@ -4400,7 +4400,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ 	was_running = po->running;
+ 	num = po->num;
+ 	if (was_running) {
+-		po->num = 0;
++		WRITE_ONCE(po->num, 0);
+ 		__unregister_prot_hook(sk, false);
+ 	}
+ 	spin_unlock(&po->bind_lock);
+@@ -4433,7 +4433,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ 
+ 	spin_lock(&po->bind_lock);
+ 	if (was_running) {
+-		po->num = num;
++		WRITE_ONCE(po->num, num);
+ 		register_prot_hook(sk);
+ 	}
+ 	spin_unlock(&po->bind_lock);
+@@ -4602,7 +4602,7 @@ static int packet_seq_show(struct seq_file *seq, void *v)
+ 			   s,
+ 			   atomic_read(&s->sk_refcnt),
+ 			   s->sk_type,
+-			   ntohs(po->num),
++			   ntohs(READ_ONCE(po->num)),
+ 			   po->ifindex,
+ 			   po->running,
+ 			   atomic_read(&s->sk_rmem_alloc),
+-- 
+2.30.2
+
diff --git a/queue-4.9/net-packet-annotate-accesses-to-po-ifindex.patch b/queue-4.9/net-packet-annotate-accesses-to-po-ifindex.patch
new file mode 100644
index 00000000000..09bdf3f889e
--- /dev/null
+++ b/queue-4.9/net-packet-annotate-accesses-to-po-ifindex.patch
@@ -0,0 +1,119 @@
+From 09815d59619a4975eade1bb379dd99fd7ecd6e72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 06:42:02 -0700
+Subject: net/packet: annotate accesses to po->ifindex
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e032f7c9c7cefffcfb79b9fc16c53011d2d9d11f ]
+
+Like prior patch, we need to annotate lockless accesses to po->ifindex
+For instance, packet_getname() is reading po->ifindex (twice) while
+another thread is able to change po->ifindex.
+
+KCSAN reported:
+
+BUG: KCSAN: data-race in packet_do_bind / packet_getname
+
+write to 0xffff888143ce3cbc of 4 bytes by task 25573 on cpu 1:
+ packet_do_bind+0x420/0x7e0 net/packet/af_packet.c:3191
+ packet_bind+0xc3/0xd0 net/packet/af_packet.c:3255
+ __sys_bind+0x200/0x290 net/socket.c:1637
+ __do_sys_bind net/socket.c:1648 [inline]
+ __se_sys_bind net/socket.c:1646 [inline]
+ __x64_sys_bind+0x3d/0x50 net/socket.c:1646
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+read to 0xffff888143ce3cbc of 4 bytes by task 25578 on cpu 0:
+ packet_getname+0x5b/0x1a0 net/packet/af_packet.c:3525
+ __sys_getsockname+0x10e/0x1a0 net/socket.c:1887
+ __do_sys_getsockname net/socket.c:1902 [inline]
+ __se_sys_getsockname net/socket.c:1899 [inline]
+ __x64_sys_getsockname+0x3e/0x50 net/socket.c:1899
+ do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+value changed: 0x00000000 -> 0x00000001
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 25578 Comm: syz-executor.5 Not tainted 5.13.0-rc6-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 5f9007e7c28d..370d0a4af1f9 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3173,11 +3173,11 @@ static int packet_do_bind(struct sock *sk, const char *name, int ifindex,
+ 		if (unlikely(unlisted)) {
+ 			dev_put(dev);
+ 			po->prot_hook.dev = NULL;
+-			po->ifindex = -1;
++			WRITE_ONCE(po->ifindex, -1);
+ 			packet_cached_dev_reset(po);
+ 		} else {
+ 			po->prot_hook.dev = dev;
+-			po->ifindex = dev ? dev->ifindex : 0;
++			WRITE_ONCE(po->ifindex, dev ? dev->ifindex : 0);
+ 			packet_cached_dev_assign(po, dev);
+ 		}
+ 	}
+@@ -3492,7 +3492,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
+ 	uaddr->sa_family = AF_PACKET;
+ 	memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data));
+ 	rcu_read_lock();
+-	dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
++	dev = dev_get_by_index_rcu(sock_net(sk), READ_ONCE(pkt_sk(sk)->ifindex));
+ 	if (dev)
+ 		strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data));
+ 	rcu_read_unlock();
+@@ -3508,16 +3508,18 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr,
+ 	struct sock *sk = sock->sk;
+ 	struct packet_sock *po = pkt_sk(sk);
+ 	DECLARE_SOCKADDR(struct sockaddr_ll *, sll, uaddr);
++	int ifindex;
+ 
+ 	if (peer)
+ 		return -EOPNOTSUPP;
+ 
++	ifindex = READ_ONCE(po->ifindex);
+ 	sll->sll_family = AF_PACKET;
+-	sll->sll_ifindex = po->ifindex;
++	sll->sll_ifindex = ifindex;
+ 	sll->sll_protocol = READ_ONCE(po->num);
+ 	sll->sll_pkttype = 0;
+ 	rcu_read_lock();
+-	dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex);
++	dev = dev_get_by_index_rcu(sock_net(sk), ifindex);
+ 	if (dev) {
+ 		sll->sll_hatype = dev->type;
+ 		sll->sll_halen = dev->addr_len;
+@@ -4097,7 +4099,7 @@ static int packet_notifier(struct notifier_block *this,
+ 				}
+ 				if (msg == NETDEV_UNREGISTER) {
+ 					packet_cached_dev_reset(po);
+-					po->ifindex = -1;
++					WRITE_ONCE(po->ifindex, -1);
+ 					if (po->prot_hook.dev)
+ 						dev_put(po->prot_hook.dev);
+ 					po->prot_hook.dev = NULL;
+@@ -4603,7 +4605,7 @@ static int packet_seq_show(struct seq_file *seq, void *v)
+ 			   atomic_read(&s->sk_refcnt),
+ 			   s->sk_type,
+ 			   ntohs(READ_ONCE(po->num)),
+-			   po->ifindex,
++			   READ_ONCE(po->ifindex),
+ 			   po->running,
+ 			   atomic_read(&s->sk_rmem_alloc),
+ 			   from_kuid_munged(seq_user_ns(seq), sock_i_uid(s)),
+-- 
+2.30.2
+
diff --git a/queue-4.9/net-qed-fix-memcpy-overflow-of-qed_dcbx_params.patch b/queue-4.9/net-qed-fix-memcpy-overflow-of-qed_dcbx_params.patch
new file mode 100644
index 00000000000..f835195f8b6
--- /dev/null
+++ b/queue-4.9/net-qed-fix-memcpy-overflow-of-qed_dcbx_params.patch
@@ -0,0 +1,50 @@
+From 7798530916526379ea7edd5b8368f1ac7bdc4397 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jun 2021 10:09:53 -0700
+Subject: net: qed: Fix memcpy() overflow of qed_dcbx_params()
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 1c200f832e14420fa770193f9871f4ce2df00d07 ]
+
+The source (&dcbx_info->operational.params) and dest
+(&p_hwfn->p_dcbx_info->set.config.params) are both struct qed_dcbx_params
+(560 bytes), not struct qed_dcbx_admin_params (564 bytes), which is used
+as the memcpy() size.
+
+However it seems that struct qed_dcbx_operational_params
+(dcbx_info->operational)'s layout matches struct qed_dcbx_admin_params
+(p_hwfn->p_dcbx_info->set.config)'s 4 byte difference (3 padding, 1 byte
+for "valid").
+
+On the assumption that the size is wrong (rather than the source structure
+type), adjust the memcpy() size argument to be 4 bytes smaller and add
+a BUILD_BUG_ON() to validate any changes to the structure sizes.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qed/qed_dcbx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
+index 7b6824e560d2..59e59878a3a7 100644
+--- a/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_dcbx.c
+@@ -1205,9 +1205,11 @@ int qed_dcbx_get_config_params(struct qed_hwfn *p_hwfn,
+ 		p_hwfn->p_dcbx_info->set.ver_num |= DCBX_CONFIG_VERSION_IEEE;
+ 
+ 	p_hwfn->p_dcbx_info->set.enabled = dcbx_info->operational.enabled;
++	BUILD_BUG_ON(sizeof(dcbx_info->operational.params) !=
++		     sizeof(p_hwfn->p_dcbx_info->set.config.params));
+ 	memcpy(&p_hwfn->p_dcbx_info->set.config.params,
+ 	       &dcbx_info->operational.params,
+-	       sizeof(struct qed_dcbx_admin_params));
++	       sizeof(p_hwfn->p_dcbx_info->set.config.params));
+ 	p_hwfn->p_dcbx_info->set.config.valid = true;
+ 
+ 	memcpy(params, &p_hwfn->p_dcbx_info->set, sizeof(struct qed_dcbx_set));
+-- 
+2.30.2
+
diff --git a/queue-4.9/ping-check-return-value-of-function-ping_queue_rcv_s.patch b/queue-4.9/ping-check-return-value-of-function-ping_queue_rcv_s.patch
new file mode 100644
index 00000000000..d43d8d05109
--- /dev/null
+++ b/queue-4.9/ping-check-return-value-of-function-ping_queue_rcv_s.patch
@@ -0,0 +1,56 @@
+From 864b984f578b4769f960fc2b66f90498de6b4517 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jun 2021 09:41:36 +0800
+Subject: ping: Check return value of function 'ping_queue_rcv_skb'
+
+From: Zheng Yongjun <zhengyongjun3@huawei.com>
+
+[ Upstream commit 9d44fa3e50cc91691896934d106c86e4027e61ca ]
+
+Function 'ping_queue_rcv_skb' not always return success, which will
+also return fail. If not check the wrong return value of it, lead to function
+`ping_rcv` return success.
+
+Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ping.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
+index 4fda9abf38ee..dd4e46af1e53 100644
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -976,6 +976,7 @@ bool ping_rcv(struct sk_buff *skb)
+ 	struct sock *sk;
+ 	struct net *net = dev_net(skb->dev);
+ 	struct icmphdr *icmph = icmp_hdr(skb);
++	bool rc = false;
+ 
+ 	/* We assume the packet has already been checked by icmp_rcv */
+ 
+@@ -990,14 +991,15 @@ bool ping_rcv(struct sk_buff *skb)
+ 		struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
+ 
+ 		pr_debug("rcv on socket %p\n", sk);
+-		if (skb2)
+-			ping_queue_rcv_skb(sk, skb2);
++		if (skb2 && !ping_queue_rcv_skb(sk, skb2))
++			rc = true;
+ 		sock_put(sk);
+-		return true;
+ 	}
+-	pr_debug("no socket, dropping\n");
+ 
+-	return false;
++	if (!rc)
++		pr_debug("no socket, dropping\n");
++
++	return rc;
+ }
+ EXPORT_SYMBOL_GPL(ping_rcv);
+ 
+-- 
+2.30.2
+
diff --git a/queue-4.9/r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch b/queue-4.9/r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch
new file mode 100644
index 00000000000..abcd85102b8
--- /dev/null
+++ b/queue-4.9/r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch
@@ -0,0 +1,40 @@
+From 6babb4fb460599e406745a49159e98c5b045dafd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 12:53:03 -0700
+Subject: r8152: Avoid memcpy() over-reading of ETH_SS_STATS
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 99718abdc00e86e4f286dd836408e2834886c16e ]
+
+In preparation for FORTIFY_SOURCE performing compile-time and run-time
+field bounds checking for memcpy(), memmove(), and memset(), avoid
+intentionally reading across neighboring array fields.
+
+The memcpy() is copying the entire structure, not just the first array.
+Adjust the source argument so the compiler can do appropriate bounds
+checking.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/r8152.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 6e74965d26a0..64fdea332886 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -3938,7 +3938,7 @@ static void rtl8152_get_strings(struct net_device *dev, u32 stringset, u8 *data)
+ {
+ 	switch (stringset) {
+ 	case ETH_SS_STATS:
+-		memcpy(data, *rtl8152_gstrings, sizeof(rtl8152_gstrings));
++		memcpy(data, rtl8152_gstrings, sizeof(rtl8152_gstrings));
+ 		break;
+ 	}
+ }
+-- 
+2.30.2
+
diff --git a/queue-4.9/r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch b/queue-4.9/r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch
new file mode 100644
index 00000000000..e2c5a2d5293
--- /dev/null
+++ b/queue-4.9/r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch
@@ -0,0 +1,40 @@
+From e06d0e0e0c996e251c8b03ccd4c08c0e89b871c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 12:53:59 -0700
+Subject: r8169: Avoid memcpy() over-reading of ETH_SS_STATS
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit da5ac772cfe2a03058b0accfac03fad60c46c24d ]
+
+In preparation for FORTIFY_SOURCE performing compile-time and run-time
+field bounds checking for memcpy(), memmove(), and memset(), avoid
+intentionally reading across neighboring array fields.
+
+The memcpy() is copying the entire structure, not just the first array.
+Adjust the source argument so the compiler can do appropriate bounds
+checking.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/realtek/r8169.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
+index 3521e3a77556..f321b115719a 100644
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -2338,7 +2338,7 @@ static void rtl8169_get_strings(struct net_device *dev, u32 stringset, u8 *data)
+ {
+ 	switch(stringset) {
+ 	case ETH_SS_STATS:
+-		memcpy(data, *rtl8169_gstrings, sizeof(rtl8169_gstrings));
++		memcpy(data, rtl8169_gstrings, sizeof(rtl8169_gstrings));
+ 		break;
+ 	}
+ }
+-- 
+2.30.2
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 0317d135855..0d2850be5f8 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -53,3 +53,16 @@ arm-9081-1-fix-gcc-10-thumb2-kernel-regression.patch
 makefile-move-wno-unused-but-set-variable-out-of-gcc-only-block.patch
 arm64-perf-disable-pmu-while-processing-counter-overflows.patch
 revert-pci-pm-do-not-read-power-state-in-pci_enable_.patch
+mac80211-remove-warning-in-ieee80211_get_sband.patch
+cfg80211-call-cfg80211_leave_ocb-when-switching-away.patch
+mac80211-drop-multicast-fragments.patch
+ping-check-return-value-of-function-ping_queue_rcv_s.patch
+inet-annotate-date-races-around-sk-sk_txhash.patch
+net-caif-fix-memory-leak-in-ldisc_open.patch
+net-packet-annotate-accesses-to-po-bind.patch
+net-packet-annotate-accesses-to-po-ifindex.patch
+r8152-avoid-memcpy-over-reading-of-eth_ss_stats.patch
+sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch
+r8169-avoid-memcpy-over-reading-of-eth_ss_stats.patch
+net-qed-fix-memcpy-overflow-of-qed_dcbx_params.patch
+net-ll_temac-avoid-ndo_start_xmit-returning-netdev_t.patch
diff --git a/queue-4.9/sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch b/queue-4.9/sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch
new file mode 100644
index 00000000000..532ddead0f7
--- /dev/null
+++ b/queue-4.9/sh_eth-avoid-memcpy-over-reading-of-eth_ss_stats.patch
@@ -0,0 +1,40 @@
+From 185461f01faf1a53a9f7520025c387ce30a4a1a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 12:53:33 -0700
+Subject: sh_eth: Avoid memcpy() over-reading of ETH_SS_STATS
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 224004fbb033600715dbd626bceec10bfd9c58bc ]
+
+In preparation for FORTIFY_SOURCE performing compile-time and run-time
+field bounds checking for memcpy(), memmove(), and memset(), avoid
+intentionally reading across neighboring array fields.
+
+The memcpy() is copying the entire structure, not just the first array.
+Adjust the source argument so the compiler can do appropriate bounds
+checking.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
+index 0e5b1935af50..468f02beccee 100644
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -2117,7 +2117,7 @@ static void sh_eth_get_strings(struct net_device *ndev, u32 stringset, u8 *data)
+ {
+ 	switch (stringset) {
+ 	case ETH_SS_STATS:
+-		memcpy(data, *sh_eth_gstrings_stats,
++		memcpy(data, sh_eth_gstrings_stats,
+ 		       sizeof(sh_eth_gstrings_stats));
+ 		break;
+ 	}
+-- 
+2.30.2
+