--- /dev/null
+From f5c839440c615ab6a80ce8d387254743ea951e69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jul 2024 14:38:24 +0000
+Subject: dma: fix call order in dmam_free_coherent
+
+From: Lance Richardson <rlance@google.com>
+
+[ Upstream commit 28e8b7406d3a1f5329a03aa25a43aa28e087cb20 ]
+
+dmam_free_coherent() frees a DMA allocation, which makes the
+freed vaddr available for reuse, then calls devres_destroy()
+to remove and free the data structure used to track the DMA
+allocation. Between the two calls, it is possible for a
+concurrent task to make an allocation with the same vaddr
+and add it to the devres list.
+
+If this happens, there will be two entries in the devres list
+with the same vaddr and devres_destroy() can free the wrong
+entry, triggering the WARN_ON() in dmam_match.
+
+Fix by destroying the devres entry before freeing the DMA
+allocation.
+
+Tested:
+ kokonut //net/encryption
+ http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03
+
+Fixes: 9ac7849e35f7 ("devres: device resource management")
+Signed-off-by: Lance Richardson <rlance@google.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/dma/mapping.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/dma/mapping.c b/kernel/dma/mapping.c
+index d2a92ddaac4d1..34edceed643d3 100644
+--- a/kernel/dma/mapping.c
++++ b/kernel/dma/mapping.c
+@@ -97,8 +97,8 @@ void dmam_free_coherent(struct device *dev, size_t size, void *vaddr,
+ {
+ struct dma_devres match_data = { size, vaddr, dma_handle };
+
+- dma_free_coherent(dev, size, vaddr, dma_handle);
+ WARN_ON(devres_destroy(dev, dmam_release, dmam_match, &match_data));
++ dma_free_coherent(dev, size, vaddr, dma_handle);
+ }
+ EXPORT_SYMBOL(dmam_free_coherent);
+
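Review bot: The reordered pair in dmam_free_coherent() carries no comment saying that the order matters, so a later cleanup could swap the two calls back and reintroduce the race described in the commit message. I would add above the WARN_ON line: `/* Drop the devres entry first: once vaddr is freed it can be reallocated and tracked again, and devres_destroy() could then match the wrong entry. */`. When devres_destroy() finds no match the WARN_ON fires and the buffer is still freed, which is the same outcome as before the reorder for an untracked (size, vaddr, dma_handle) triple.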
+--
+2.43.0
+
--- /dev/null
+From 1d04089807114d2271ff9892e10f5fad60284e26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jul 2024 15:34:07 +0300
+Subject: ipv4: Fix incorrect source address in Record Route option
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit cc73bbab4b1fb8a4f53a24645871dafa5f81266a ]
+
+The Record Route IP option records the addresses of the routers that
+routed the packet. In the case of forwarded packets, the kernel performs
+a route lookup via fib_lookup() and fills in the preferred source
+address of the matched route.
+
+The lookup is performed with the DS field of the forwarded packet, but
+using the RT_TOS() macro which only masks one of the two ECN bits. If
+the packet is ECT(0) or CE, the matched route might be different than
+the route via which the packet was forwarded as the input path masks
+both of the ECN bits, resulting in the wrong address being filled in the
+Record Route option.
+
+Fix by masking both of the ECN bits.
+
+Fixes: 8e36360ae876 ("ipv4: Remove route key identity dependencies in ip_rt_get_source().")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Link: https://patch.msgid.link/20240718123407.434778-1-idosch@nvidia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 1aac0d77a3aa1..437960825ec2f 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1277,7 +1277,7 @@ void ip_rt_get_source(u8 *addr, struct sk_buff *skb, struct rtable *rt)
+ struct flowi4 fl4 = {
+ .daddr = iph->daddr,
+ .saddr = iph->saddr,
+- .flowi4_tos = RT_TOS(iph->tos),
++ .flowi4_tos = iph->tos & IPTOS_RT_MASK,
+ .flowi4_oif = rt->dst.dev->ifindex,
+ .flowi4_iif = skb->dev->ifindex,
+ .flowi4_mark = skb->mark,
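Review bot: The new `.flowi4_tos = iph->tos & IPTOS_RT_MASK,` line open-codes the mask with nothing to say why RT_TOS() is avoided here, so it reads like an inconsistency that someone may later "tidy" back to the macro. A one-line comment above the member would record the reason given in the commit message: `/* mask both ECN bits, as the input path does; RT_TOS() keeps one of them */`. The initializer and the enclosing function continue outside the hunk.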
+--
+2.43.0
+
--- /dev/null
+From d8a52d6bd4ed1d31309b5ddd45a718a5b5a00190 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 May 2024 22:28:09 +0900
+Subject: jfs: Fix array-index-out-of-bounds in diFree
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+[ Upstream commit f73f969b2eb39ad8056f6c7f3a295fa2f85e313a ]
+
+Reported-by: syzbot+241c815bda521982cb49@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_imap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
+index 00800c8c6f077..9893cb6b8a756 100644
+--- a/fs/jfs/jfs_imap.c
++++ b/fs/jfs/jfs_imap.c
+@@ -305,7 +305,7 @@ int diSync(struct inode *ipimap)
+ int diRead(struct inode *ip)
+ {
+ struct jfs_sb_info *sbi = JFS_SBI(ip->i_sb);
+- int iagno, ino, extno, rc;
++ int iagno, ino, extno, rc, agno;
+ struct inode *ipimap;
+ struct dinode *dp;
+ struct iag *iagp;
+@@ -354,8 +354,11 @@ int diRead(struct inode *ip)
+
+ /* get the ag for the iag */
+ agstart = le64_to_cpu(iagp->agstart);
++ agno = BLKTOAG(agstart, JFS_SBI(ip->i_sb));
+
+ release_metapage(mp);
++ if (agno >= MAXAG || agno < 0)
++ return -EIO;
+
+ rel_inode = (ino & (INOSPERPAGE - 1));
+ pageno = blkno >> sbi->l2nbperpage;
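Review bot: The added `agno = BLKTOAG(agstart, JFS_SBI(ip->i_sb));` recomputes the superblock info although `sbi` already holds `JFS_SBI(ip->i_sb)` at the top of diRead() (visible in the first hunk of this patch); `agno = BLKTOAG(agstart, sbi);` is shorter and consistent with the rest of the function. The `-EIO` return rejects an on-disk value without a log message and without a comment, and the commit title names diFree while the check sits in diRead; a comment such as `/* agstart comes from disk: reject an AG number outside [0, MAXAG) */` would tell the next reader why the test is here. agstart is declared outside the hunk; if it is a 64-bit type, the assignment to `int agno` narrows the value before the range test, so confirm the consumer of agstart narrows it the same way. diRead() continues past the end of the hunk.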
+--
+2.43.0
+
--- /dev/null
+From cee8113f8734060ea8e33cff8ed229fc5e452195 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 May 2024 14:11:48 +0200
+Subject: kdb: address -Wformat-security warnings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 70867efacf4370b6c7cdfc7a5b11300e9ef7de64 ]
+
+When -Wformat-security is not disabled, using a string pointer
+as a format causes a warning:
+
+kernel/debug/kdb/kdb_io.c: In function 'kdb_read':
+kernel/debug/kdb/kdb_io.c:365:36: error: format not a string literal and no format arguments [-Werror=format-security]
+ 365 | kdb_printf(kdb_prompt_str);
+ | ^~~~~~~~~~~~~~
+kernel/debug/kdb/kdb_io.c: In function 'kdb_getstr':
+kernel/debug/kdb/kdb_io.c:456:20: error: format not a string literal and no format arguments [-Werror=format-security]
+ 456 | kdb_printf(kdb_prompt_str);
+ | ^~~~~~~~~~~~~~
+
+Use an explcit "%s" format instead.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)")
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20240528121154.3662553-1-arnd@kernel.org
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/debug/kdb/kdb_io.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c
+index 5358e8a8b6f11..9ce4e52532b77 100644
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -368,7 +368,7 @@ static char *kdb_read(char *buffer, size_t bufsize)
+ if (i >= dtab_count)
+ kdb_printf("...");
+ kdb_printf("\n");
+- kdb_printf(kdb_prompt_str);
++ kdb_printf("%s", kdb_prompt_str);
+ kdb_printf("%s", buffer);
+ if (cp != lastchar)
+ kdb_position_cursor(kdb_prompt_str, buffer, cp);
+@@ -460,7 +460,7 @@ char *kdb_getstr(char *buffer, size_t bufsize, const char *prompt)
+ {
+ if (prompt && kdb_prompt_str != prompt)
+ strscpy(kdb_prompt_str, prompt, CMD_BUFLEN);
+- kdb_printf(kdb_prompt_str);
++ kdb_printf("%s", kdb_prompt_str);
+ kdb_nextline = 1; /* Prompt and input resets line number */
+ return kdb_read(buffer, bufsize);
+ }
+--
+2.43.0
+
--- /dev/null
+From 21f00cb98e9f1d8d1f91d2274b1c04652015d3b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 May 2019 16:57:20 +0800
+Subject: kdb: Fix bound check compiler warning
+
+From: Wenlin Kang <wenlin.kang@windriver.com>
+
+[ Upstream commit ca976bfb3154c7bc67c4651ecd144fdf67ccaee7 ]
+
+The strncpy() function may leave the destination string buffer
+unterminated, better use strscpy() instead.
+
+This fixes the following warning with gcc 8.2:
+
+kernel/debug/kdb/kdb_io.c: In function 'kdb_getstr':
+kernel/debug/kdb/kdb_io.c:449:3: warning: 'strncpy' specified bound 256 equals destination size [-Wstringop-truncation]
+ strncpy(kdb_prompt_str, prompt, CMD_BUFLEN);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Stable-dep-of: 70867efacf43 ("kdb: address -Wformat-security warnings")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/debug/kdb/kdb_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c
+index acc8e13b823b2..5358e8a8b6f11 100644
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -459,7 +459,7 @@ static char *kdb_read(char *buffer, size_t bufsize)
+ char *kdb_getstr(char *buffer, size_t bufsize, const char *prompt)
+ {
+ if (prompt && kdb_prompt_str != prompt)
+- strncpy(kdb_prompt_str, prompt, CMD_BUFLEN);
++ strscpy(kdb_prompt_str, prompt, CMD_BUFLEN);
+ kdb_printf(kdb_prompt_str);
+ kdb_nextline = 1; /* Prompt and input resets line number */
+ return kdb_read(buffer, bufsize);
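Review bot: The new `strscpy(kdb_prompt_str, prompt, CMD_BUFLEN);` discards the return value, so a prompt longer than the buffer is truncated silently, and the bound is a separate constant rather than derived from the destination. The gcc warning quoted in the commit message says the bound equals the destination size, so if kdb_prompt_str is an array (its declaration is outside the hunk) `strscpy(kdb_prompt_str, prompt, sizeof(kdb_prompt_str));` keeps bound and buffer in step if either changes. Truncating a debugger prompt is harmless, so a short comment saying truncation is accepted would be enough for the ignored return value.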
+--
+2.43.0
+
--- /dev/null
+From d2bf235051338957b4bc6b738c8e6c07b7dea2b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 May 2024 07:11:48 -0700
+Subject: kdb: Use the passed prompt in kdb_position_cursor()
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit e2e821095949cde46256034975a90f88626a2a73 ]
+
+The function kdb_position_cursor() takes in a "prompt" parameter but
+never uses it. This doesn't _really_ matter since all current callers
+of the function pass the same value and it's a global variable, but
+it's a bit ugly. Let's clean it up.
+
+Found by code inspection. This patch is expected to functionally be a
+no-op.
+
+Fixes: 09b35989421d ("kdb: Use format-strings rather than '\0' injection in kdb_read()")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20240528071144.1.I0feb49839c6b6f4f2c4bf34764f5e95de3f55a66@changeid
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/debug/kdb/kdb_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c
+index 9ce4e52532b77..bfce77a0daac8 100644
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -192,7 +192,7 @@ static int kdb_read_get_key(char *buffer, size_t bufsize)
+ */
+ static void kdb_position_cursor(char *prompt, char *buffer, char *cp)
+ {
+- kdb_printf("\r%s", kdb_prompt_str);
++ kdb_printf("\r%s", prompt);
+ if (cp > buffer)
+ kdb_printf("%.*s", (int)(cp - buffer), buffer);
+ }
+--
+2.43.0
+
--- /dev/null
+From ed8b1248683d49b8bfec2734fb546a37acfcc8dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 15:15:39 +0200
+Subject: MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later
+
+From: Gregory CLEMENT <gregory.clement@bootlin.com>
+
+[ Upstream commit a263e5f309f32301e1f3ad113293f4e68a82a646 ]
+
+When the CM block migrated from CM2.5 to CM3.0, the address offset for
+the Global CSR Access Privilege register was modified. We saw this in
+the "MIPS64 I6500 Multiprocessing System Programmer's Guide," it is
+stated that "the Global CSR Access Privilege register is located at
+offset 0x0120" in section 5.4. It is at least the same for I6400.
+
+This fix allows to use the VP cores in SMP mode if the reset values
+were modified by the bootloader.
+
+Based on the work of Vladimir Kondratiev
+<vladimir.kondratiev@mobileye.com> and the feedback from Jiaxun Yang
+<jiaxun.yang@flygoat.com>.
+
+Fixes: 197e89e0984a ("MIPS: mips-cm: Implement mips_cm_revision")
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/mips-cm.h | 4 ++++
+ arch/mips/kernel/smp-cps.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/mips-cm.h b/arch/mips/include/asm/mips-cm.h
+index 890e51b159e06..11a3d5120e2b5 100644
+--- a/arch/mips/include/asm/mips-cm.h
++++ b/arch/mips/include/asm/mips-cm.h
+@@ -232,6 +232,10 @@ GCR_ACCESSOR_RO(32, 0x0d0, gic_status)
+ GCR_ACCESSOR_RO(32, 0x0f0, cpc_status)
+ #define CM_GCR_CPC_STATUS_EX BIT(0)
+
++/* GCR_ACCESS - Controls core/IOCU access to GCRs */
++GCR_ACCESSOR_RW(32, 0x120, access_cm3)
++#define CM_GCR_ACCESS_ACCESSEN GENMASK(7, 0)
++
+ /* GCR_L2_CONFIG - Indicates L2 cache configuration when Config5.L2C=1 */
+ GCR_ACCESSOR_RW(32, 0x130, l2_config)
+ #define CM_GCR_L2_CONFIG_BYPASS BIT(20)
+diff --git a/arch/mips/kernel/smp-cps.c b/arch/mips/kernel/smp-cps.c
+index 03f1026ad1484..1861b20e978d0 100644
+--- a/arch/mips/kernel/smp-cps.c
++++ b/arch/mips/kernel/smp-cps.c
+@@ -233,7 +233,10 @@ static void boot_core(unsigned int core, unsigned int vpe_id)
+ write_gcr_co_reset_ext_base(CM_GCR_Cx_RESET_EXT_BASE_UEB);
+
+ /* Ensure the core can access the GCRs */
+- set_gcr_access(1 << core);
++ if (mips_cm_revision() < CM_REV_CM3)
++ set_gcr_access(1 << core);
++ else
++ set_gcr_access_cm3(1 << core);
+
+ if (mips_cpc_present()) {
+ /* Reset the core */
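Review bot: Both branches write `1 << core` unmasked, while the header hunk of this patch defines the CM3 enable field as `CM_GCR_ACCESS_ACCESSEN GENMASK(7, 0)` and no hunk in the patch uses that macro. If `core` can reach 8 or more (its range is not visible here), the CM3 write sets bits outside the defined field, and `1 << core` is a signed shift that is undefined once it reaches the sign bit. `set_gcr_access_cm3(BIT(core) & CM_GCR_ACCESS_ACCESSEN);`, or an explicit bound check on `core` before the write, would make the assumption visible. boot_core() starts and ends outside the hunk.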
+--
+2.43.0
+
--- /dev/null
+From 0608f7b50aecbe3163d8c6f546b3a8b1d840124e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2024 11:08:18 -0500
+Subject: mISDN: Fix a use after free in hfcmulti_tx()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 61ab751451f5ebd0b98e02276a44e23a10110402 ]
+
+Don't dereference *sp after calling dev_kfree_skb(*sp).
+
+Fixes: af69fb3a8ffa ("Add mISDN HFC multiport driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/8be65f5a-c2dd-4ba0-8a10-bfe5980b8cfb@stanley.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/hardware/mISDN/hfcmulti.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcmulti.c b/drivers/isdn/hardware/mISDN/hfcmulti.c
+index 60b3a4aabe6b8..9010d5ca3cd53 100644
+--- a/drivers/isdn/hardware/mISDN/hfcmulti.c
++++ b/drivers/isdn/hardware/mISDN/hfcmulti.c
+@@ -1945,7 +1945,7 @@ hfcmulti_dtmf(struct hfc_multi *hc)
+ static void
+ hfcmulti_tx(struct hfc_multi *hc, int ch)
+ {
+- int i, ii, temp, len = 0;
++ int i, ii, temp, tmp_len, len = 0;
+ int Zspace, z1, z2; /* must be int for calculation */
+ int Fspace, f1, f2;
+ u_char *d;
+@@ -2166,14 +2166,15 @@ hfcmulti_tx(struct hfc_multi *hc, int ch)
+ HFC_wait_nodebug(hc);
+ }
+
++ tmp_len = (*sp)->len;
+ dev_kfree_skb(*sp);
+ /* check for next frame */
+ if (bch && get_next_bframe(bch)) {
+- len = (*sp)->len;
++ len = tmp_len;
+ goto next_frame;
+ }
+ if (dch && get_next_dframe(dch)) {
+- len = (*sp)->len;
++ len = tmp_len;
+ goto next_frame;
+ }
+
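Review bot: `tmp_len` captures the length of the frame that is about to be freed, whereas the removed lines read `(*sp)->len` only after get_next_bframe() or get_next_dframe() had returned non-zero. `sp` is dereferenced twice, so it points at a slot that holds the skb; if those helpers install the next frame in that slot (their bodies are not visible here), the old read returned the next frame's length and was not a stale access on that path, while the new code carries the previous frame's length to `next_frame`. Please confirm which length the code after `next_frame` (outside the hunk) expects; if it is the new frame's, a length taken from the freed frame could disagree with the data that is then transmitted, and `len = (*sp)->len;` should stay in the two branches with `tmp_len` dropped.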
+--
+2.43.0
+
--- /dev/null
+From 3ebd35a9a0aa902cfb4b47537b55b8dafbd7e856 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2024 09:41:18 -0700
+Subject: net: bonding: correctly annotate RCU in bond_should_notify_peers()
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 3ba359c0cd6eb5ea772125a7aededb4a2d516684 ]
+
+RCU use in bond_should_notify_peers() looks wrong, since it does
+rcu_dereference(), leaves the critical section, and uses the
+pointer after that.
+
+Luckily, it's called either inside a nested RCU critical section
+or with the RTNL held.
+
+Annotate it with rcu_dereference_rtnl() instead, and remove the
+inner RCU critical section.
+
+Fixes: 4cb4f97b7e36 ("bonding: rebuild the lock use for bond_mii_monitor()")
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Jay Vosburgh <jv@jvosburgh.net>
+Link: https://patch.msgid.link/20240719094119.35c62455087d.I68eb9c0f02545b364b79a59f2110f2cf5682a8e2@changeid
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 79b36f1c50aec..f0c0da85ba4fc 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -774,13 +774,10 @@ static struct slave *bond_find_best_slave(struct bonding *bond)
+ return bestslave;
+ }
+
++/* must be called in RCU critical section or with RTNL held */
+ static bool bond_should_notify_peers(struct bonding *bond)
+ {
+- struct slave *slave;
+-
+- rcu_read_lock();
+- slave = rcu_dereference(bond->curr_active_slave);
+- rcu_read_unlock();
++ struct slave *slave = rcu_dereference_rtnl(bond->curr_active_slave);
+
+ if (!slave || !bond->send_peer_notif ||
+ !netif_carrier_ok(bond->dev) ||
+--
+2.43.0
+
--- /dev/null
+From 53f2d0d6ef858505d8c15dd287137401027199eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Sep 2018 23:44:46 -0700
+Subject: net: ip_rt_get_source() - use new style struct initializer instead of
+ memset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Żenczykowski <maze@google.com>
+
+[ Upstream commit e351bb6227fbe2bb5da6f38a4cf5bd18810b0557 ]
+
+(allows for better compiler optimization)
+
+Signed-off-by: Maciej Żenczykowski <maze@google.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: cc73bbab4b1f ("ipv4: Fix incorrect source address in Record Route option")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/route.c | 21 +++++++++------------
+ 1 file changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 3c5401dafdeed..1aac0d77a3aa1 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1273,18 +1273,15 @@ void ip_rt_get_source(u8 *addr, struct sk_buff *skb, struct rtable *rt)
+ src = ip_hdr(skb)->saddr;
+ else {
+ struct fib_result res;
+- struct flowi4 fl4;
+- struct iphdr *iph;
+-
+- iph = ip_hdr(skb);
+-
+- memset(&fl4, 0, sizeof(fl4));
+- fl4.daddr = iph->daddr;
+- fl4.saddr = iph->saddr;
+- fl4.flowi4_tos = RT_TOS(iph->tos);
+- fl4.flowi4_oif = rt->dst.dev->ifindex;
+- fl4.flowi4_iif = skb->dev->ifindex;
+- fl4.flowi4_mark = skb->mark;
++ struct iphdr *iph = ip_hdr(skb);
++ struct flowi4 fl4 = {
++ .daddr = iph->daddr,
++ .saddr = iph->saddr,
++ .flowi4_tos = RT_TOS(iph->tos),
++ .flowi4_oif = rt->dst.dev->ifindex,
++ .flowi4_iif = skb->dev->ifindex,
++ .flowi4_mark = skb->mark,
++ };
+
+ rcu_read_lock();
+ if (fib_lookup(dev_net(rt->dst.dev), &fl4, &res, 0) == 0)
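Review bot: The designated initializer for `fl4` zeroes every member that is not named, but unlike the removed `memset(&fl4, 0, sizeof(fl4));` it does not guarantee that padding bytes inside the structure are zero. That only matters if a `struct flowi4` is ever hashed, compared bytewise or copied out as a whole, none of which is visible in this hunk, so this needs a confirmation rather than a change; if any consumer does treat it as raw bytes, the memset should stay. The enclosing else-branch and the rest of ip_rt_get_source() continue outside the hunk.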
+--
+2.43.0
+
rdma-iwcm-fix-a-use-after-free-related-to-destroying-cm-ids.patch
selftests-sigaltstack-fix-ppc64-gcc-build.patch
nilfs2-handle-inconsistent-state-in-nilfs_btnode_create_block.patch
+kdb-fix-bound-check-compiler-warning.patch
+kdb-address-wformat-security-warnings.patch
+kdb-use-the-passed-prompt-in-kdb_position_cursor.patch
+jfs-fix-array-index-out-of-bounds-in-difree.patch
+dma-fix-call-order-in-dmam_free_coherent.patch
+mips-smp-cps-fix-address-for-gcr_access-register-for.patch
+net-ip_rt_get_source-use-new-style-struct-initialize.patch
+ipv4-fix-incorrect-source-address-in-record-route-op.patch
+net-bonding-correctly-annotate-rcu-in-bond_should_no.patch
+tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch
+misdn-fix-a-use-after-free-in-hfcmulti_tx.patch
--- /dev/null
+From 4b00e0afab73cfa1f85836be29b9206911aeb022 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jul 2024 11:09:05 +0900
+Subject: tipc: Return non-zero value from tipc_udp_addr2str() on error
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit fa96c6baef1b5385e2f0c0677b32b3839e716076 ]
+
+tipc_udp_addr2str() should return non-zero value if the UDP media
+address is invalid. Otherwise, a buffer overflow access can occur in
+tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP
+media address.
+
+Fixes: d0f91938bede ("tipc: add ip/udp media type")
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Reviewed-by: Tung Nguyen <tung.q.nguyen@endava.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/udp_media.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
+index 1d62354797061..796309b50bb6a 100644
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -127,8 +127,11 @@ static int tipc_udp_addr2str(struct tipc_media_addr *a, char *buf, int size)
+ snprintf(buf, size, "%pI4:%u", &ua->ipv4, ntohs(ua->port));
+ else if (ntohs(ua->proto) == ETH_P_IPV6)
+ snprintf(buf, size, "%pI6:%u", &ua->ipv6, ntohs(ua->port));
+- else
++ else {
+ pr_err("Invalid UDP media address\n");
++ return 1;
++ }
++
+ return 0;
+ }
+
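Review bot: The new error branch returns 1 with `buf` left unwritten, so a caller that prints `buf` without checking the return value still reads whatever the buffer held before the call. Terminating it first, `if (size > 0) buf[0] = '\0';` ahead of `return 1;`, makes the failure harmless even for such a caller. The branch also logs through an unthrottled `pr_err`; if the media address can originate from a peer (not visible here), `pr_err_ratelimited` would keep a stream of invalid addresses from flooding the log. The start of tipc_udp_addr2str() is outside the hunk.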
+--
+2.43.0
+