--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
-@@ -5827,6 +5827,7 @@ int hugetlb_mcopy_atomic_pte(struct mm_s
+@@ -5822,6 +5822,7 @@ int hugetlb_mcopy_atomic_pte(struct mm_s
page = alloc_huge_page(dst_vma, dst_addr, 0);
if (IS_ERR(page)) {
--- /dev/null
+From 283d736ff7c7e96ac5b32c6c0de40372f8eb171e Mon Sep 17 00:00:00 2001
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Date: Thu, 7 Jul 2022 12:20:42 +0200
+Subject: ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS)
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+commit 283d736ff7c7e96ac5b32c6c0de40372f8eb171e upstream.
+
+Tx side sets EOP and RS bits on descriptors to indicate that a
+particular descriptor is the last one and needs to generate an irq when
+it was sent. These bits should not be checked on completion path
+regardless whether it's the Tx or the Rx. DD bit serves this purpose and
+it indicates that a particular descriptor is either for Rx or was
+successfully Txed. EOF is also set as loopback test does not xmit
+fragmented frames.
+
+Look at (DD | EOF) bits setting in ice_lbtest_receive_frames() instead
+of EOP and RS pair.
+
+Fixes: 0e674aeb0b77 ("ice: Add handler for ethtool selftest")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: George Kuruvinakunnel <george.kuruvinakunnel@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ethtool.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+@@ -660,7 +660,8 @@ static int ice_lbtest_receive_frames(str
+ rx_desc = ICE_RX_DESC(rx_ring, i);
+
+ if (!(rx_desc->wb.status_error0 &
+- cpu_to_le16(ICE_TX_DESC_CMD_EOP | ICE_TX_DESC_CMD_RS)))
++ (cpu_to_le16(BIT(ICE_RX_FLEX_DESC_STATUS0_DD_S)) |
++ cpu_to_le16(BIT(ICE_RX_FLEX_DESC_STATUS0_EOF_S)))))
+ continue;
+
+ rx_buf = &rx_ring->rx_buf[i];
--- /dev/null
+From cc019545a238518fa9da1e2a889f6e1bb1005a63 Mon Sep 17 00:00:00 2001
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Date: Thu, 7 Jul 2022 12:20:43 +0200
+Subject: ice: do not setup vlan for loopback VSI
+
+From: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+
+commit cc019545a238518fa9da1e2a889f6e1bb1005a63 upstream.
+
+Currently loopback test is failiing due to the error returned from
+ice_vsi_vlan_setup(). Skip calling it when preparing loopback VSI.
+
+Fixes: 0e674aeb0b77 ("ice: Add handler for ethtool selftest")
+Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: George Kuruvinakunnel <george.kuruvinakunnel@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -5994,10 +5994,12 @@ int ice_vsi_cfg(struct ice_vsi *vsi)
+ if (vsi->netdev) {
+ ice_set_rx_mode(vsi->netdev);
+
+- err = ice_vsi_vlan_setup(vsi);
++ if (vsi->type != ICE_VSI_LB) {
++ err = ice_vsi_vlan_setup(vsi);
+
+- if (err)
+- return err;
++ if (err)
++ return err;
++ }
+ }
+ ice_vsi_cfg_dcb_rings(vsi);
+
--- /dev/null
+From 1e308c6fb7127371f48a0fb9770ea0b30a6b5698 Mon Sep 17 00:00:00 2001
+From: Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>
+Date: Mon, 4 Jul 2022 15:46:12 +0200
+Subject: ice: Fix max VLANs available for VF
+
+From: Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>
+
+commit 1e308c6fb7127371f48a0fb9770ea0b30a6b5698 upstream.
+
+Legacy VLAN implementation allows for untrusted VF to have 8 VLAN
+filters, not counting VLAN 0 filters. Current VLAN_V2 implementation
+lowers available filters for VF, by counting in VLAN 0 filter for both
+TPIDs.
+Fix this by counting only non zero VLAN filters.
+Without this patch, untrusted VF would not be able to access 8 VLAN
+filters.
+
+Fixes: cc71de8fa133 ("ice: Add support for VIRTCHNL_VF_OFFLOAD_VLAN_V2")
+Signed-off-by: Przemyslaw Patynowski <przemyslawx.patynowski@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Tested-by: Marek Szlosek <marek.szlosek@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ice/ice_virtchnl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/ice/ice_virtchnl.c
++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl.c
+@@ -2966,7 +2966,8 @@ ice_vc_validate_add_vlan_filter_list(str
+ struct virtchnl_vlan_filtering_caps *vfc,
+ struct virtchnl_vlan_filter_list_v2 *vfl)
+ {
+- u16 num_requested_filters = vsi->num_vlan + vfl->num_elements;
++ u16 num_requested_filters = ice_vsi_num_non_zero_vlans(vsi) +
++ vfl->num_elements;
+
+ if (num_requested_filters > vfc->max_filters)
+ return false;
--- /dev/null
+From 5c8e3c7ff3e7bd7b938659be704f75cc746b697f Mon Sep 17 00:00:00 2001
+From: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Date: Thu, 21 Jul 2022 10:03:09 +0200
+Subject: ice: Fix VSIs unable to share unicast MAC
+
+From: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+
+commit 5c8e3c7ff3e7bd7b938659be704f75cc746b697f upstream.
+
+The driver currently does not allow two VSIs in the same PF domain
+to have the same unicast MAC address. This is incorrect in the sense
+that a policy decision is being made in the driver when it must be
+left to the user. This approach was causing issues when rebooting
+the system with VFs spawned not being able to change their MAC addresses.
+Such errors were present in dmesg:
+
+[ 7921.068237] ice 0000:b6:00.2 ens2f2: Unicast MAC 6a:0d:e4:70:ca:d1 already
+exists on this PF. Preventing setting VF 7 unicast MAC address to 6a:0d:e4:70:ca:d1
+
+Fix that by removing this restriction. Doing this also allows
+us to remove some additional code that's checking if a unicast MAC
+filter already exists.
+
+Fixes: 47ebc7b02485 ("ice: Check if unicast MAC exists before setting VF MAC")
+Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com>
+Signed-off-by: Sylwester Dziedziuch <sylwesterx.dziedziuch@intel.com>
+Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
+Signed-off-by: Jedrzej Jagielski <jedrzej.jagielski@intel.com>
+Tested-by: Marek Szlosek <marek.szlosek@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 2 +
+ drivers/net/ethernet/intel/ice/ice_sriov.c | 40 -----------------------------
+ 2 files changed, 2 insertions(+), 40 deletions(-)
+
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -4640,6 +4640,8 @@ ice_probe(struct pci_dev *pdev, const st
+ ice_set_safe_mode_caps(hw);
+ }
+
++ hw->ucast_shared = true;
++
+ err = ice_init_pf(pf);
+ if (err) {
+ dev_err(dev, "ice_init_pf failed: %d\n", err);
+--- a/drivers/net/ethernet/intel/ice/ice_sriov.c
++++ b/drivers/net/ethernet/intel/ice/ice_sriov.c
+@@ -1310,39 +1310,6 @@ out_put_vf:
+ }
+
+ /**
+- * ice_unicast_mac_exists - check if the unicast MAC exists on the PF's switch
+- * @pf: PF used to reference the switch's rules
+- * @umac: unicast MAC to compare against existing switch rules
+- *
+- * Return true on the first/any match, else return false
+- */
+-static bool ice_unicast_mac_exists(struct ice_pf *pf, u8 *umac)
+-{
+- struct ice_sw_recipe *mac_recipe_list =
+- &pf->hw.switch_info->recp_list[ICE_SW_LKUP_MAC];
+- struct ice_fltr_mgmt_list_entry *list_itr;
+- struct list_head *rule_head;
+- struct mutex *rule_lock; /* protect MAC filter list access */
+-
+- rule_head = &mac_recipe_list->filt_rules;
+- rule_lock = &mac_recipe_list->filt_rule_lock;
+-
+- mutex_lock(rule_lock);
+- list_for_each_entry(list_itr, rule_head, list_entry) {
+- u8 *existing_mac = &list_itr->fltr_info.l_data.mac.mac_addr[0];
+-
+- if (ether_addr_equal(existing_mac, umac)) {
+- mutex_unlock(rule_lock);
+- return true;
+- }
+- }
+-
+- mutex_unlock(rule_lock);
+-
+- return false;
+-}
+-
+-/**
+ * ice_set_vf_mac
+ * @netdev: network interface device structure
+ * @vf_id: VF identifier
+@@ -1376,13 +1343,6 @@ int ice_set_vf_mac(struct net_device *ne
+ if (ret)
+ goto out_put_vf;
+
+- if (ice_unicast_mac_exists(pf, mac)) {
+- netdev_err(netdev, "Unicast MAC %pM already exists on this PF. Preventing setting VF %u unicast MAC address to %pM\n",
+- mac, vf_id, mac);
+- ret = -EINVAL;
+- goto out_put_vf;
+- }
+-
+ mutex_lock(&vf->cfg_lock);
+
+ /* VF is notified of its new MAC via the PF's response to the
--- /dev/null
+From 85f0173df35e5462d89947135a6a5599c6c3ef6f Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Thu, 28 Jul 2022 09:33:07 +0800
+Subject: ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 85f0173df35e5462d89947135a6a5599c6c3ef6f upstream.
+
+Change net device's MTU to smaller than IPV6_MIN_MTU or unregister
+device while matching route. That may trigger null-ptr-deref bug
+for ip6_ptr probability as following.
+
+=========================================================
+BUG: KASAN: null-ptr-deref in find_match.part.0+0x70/0x134
+Read of size 4 at addr 0000000000000308 by task ping6/263
+
+CPU: 2 PID: 263 Comm: ping6 Not tainted 5.19.0-rc7+ #14
+Call trace:
+ dump_backtrace+0x1a8/0x230
+ show_stack+0x20/0x70
+ dump_stack_lvl+0x68/0x84
+ print_report+0xc4/0x120
+ kasan_report+0x84/0x120
+ __asan_load4+0x94/0xd0
+ find_match.part.0+0x70/0x134
+ __find_rr_leaf+0x408/0x470
+ fib6_table_lookup+0x264/0x540
+ ip6_pol_route+0xf4/0x260
+ ip6_pol_route_output+0x58/0x70
+ fib6_rule_lookup+0x1a8/0x330
+ ip6_route_output_flags_noref+0xd8/0x1a0
+ ip6_route_output_flags+0x58/0x160
+ ip6_dst_lookup_tail+0x5b4/0x85c
+ ip6_dst_lookup_flow+0x98/0x120
+ rawv6_sendmsg+0x49c/0xc70
+ inet_sendmsg+0x68/0x94
+
+Reproducer as following:
+Firstly, prepare conditions:
+$ip netns add ns1
+$ip netns add ns2
+$ip link add veth1 type veth peer name veth2
+$ip link set veth1 netns ns1
+$ip link set veth2 netns ns2
+$ip netns exec ns1 ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1
+$ip netns exec ns2 ip -6 addr add 2001:0db8:0:f101::2/64 dev veth2
+$ip netns exec ns1 ifconfig veth1 up
+$ip netns exec ns2 ifconfig veth2 up
+$ip netns exec ns1 ip -6 route add 2000::/64 dev veth1 metric 1
+$ip netns exec ns2 ip -6 route add 2001::/64 dev veth2 metric 1
+
+Secondly, execute the following two commands in two ssh windows
+respectively:
+$ip netns exec ns1 sh
+$while true; do ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1; ip -6 route add 2000::/64 dev veth1 metric 1; ping6 2000::2; done
+
+$ip netns exec ns1 sh
+$while true; do ip link set veth1 mtu 1000; ip link set veth1 mtu 1500; sleep 5; done
+
+It is because ip6_ptr has been assigned to NULL in addrconf_ifdown() firstly,
+then ip6_ignore_linkdown() accesses ip6_ptr directly without NULL check.
+
+ cpu0 cpu1
+fib6_table_lookup
+__find_rr_leaf
+ addrconf_notify [ NETDEV_CHANGEMTU ]
+ addrconf_ifdown
+ RCU_INIT_POINTER(dev->ip6_ptr, NULL)
+find_match
+ip6_ignore_linkdown
+
+So we can add NULL check for ip6_ptr before using in ip6_ignore_linkdown() to
+fix the null-ptr-deref bug.
+
+Fixes: dcd1f572954f ("net/ipv6: Remove fib6_idev")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://lore.kernel.org/r/20220728013307.656257-1-william.xuanziyang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/addrconf.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/include/net/addrconf.h
++++ b/include/net/addrconf.h
+@@ -405,6 +405,9 @@ static inline bool ip6_ignore_linkdown(c
+ {
+ const struct inet6_dev *idev = __in6_dev_get(dev);
+
++ if (unlikely(!idev))
++ return true;
++
+ return !!idev->cnf.ignore_routes_with_linkdown;
+ }
+
+++ /dev/null
-From c2cb0dcce9dd8b748b6ca8bb8d4a389f2e232307 Mon Sep 17 00:00:00 2001
-From: Naoya Horiguchi <naoya.horiguchi@nec.com>
-Date: Mon, 4 Jul 2022 10:33:05 +0900
-Subject: mm/hugetlb: separate path for hwpoison entry in copy_hugetlb_page_range()
-
-From: Naoya Horiguchi <naoya.horiguchi@nec.com>
-
-commit c2cb0dcce9dd8b748b6ca8bb8d4a389f2e232307 upstream.
-
-Originally copy_hugetlb_page_range() handles migration entries and
-hwpoisoned entries in similar manner. But recently the related code path
-has more code for migration entries, and when
-is_writable_migration_entry() was converted to
-!is_readable_migration_entry(), hwpoison entries on source processes got
-to be unexpectedly updated (which is legitimate for migration entries, but
-not for hwpoison entries). This results in unexpected serious issues like
-kernel panic when forking processes with hwpoison entries in pmd.
-
-Separate the if branch into one for hwpoison entries and one for migration
-entries.
-
-Link: https://lkml.kernel.org/r/20220704013312.2415700-3-naoya.horiguchi@linux.dev
-Fixes: 6c287605fd56 ("mm: remember exclusively mapped anonymous pages with PG_anon_exclusive")
-Signed-off-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
-Reviewed-by: Miaohe Lin <linmiaohe@huawei.com>
-Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
-Reviewed-by: Muchun Song <songmuchun@bytedance.com>
-Cc: <stable@vger.kernel.org> [5.18]
-Cc: David Hildenbrand <david@redhat.com>
-Cc: Liu Shixin <liushixin2@huawei.com>
-Cc: Oscar Salvador <osalvador@suse.de>
-Cc: Yang Shi <shy828301@gmail.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- mm/hugetlb.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
---- a/mm/hugetlb.c
-+++ b/mm/hugetlb.c
-@@ -4764,8 +4764,13 @@ again:
- * sharing with another vma.
- */
- ;
-- } else if (unlikely(is_hugetlb_entry_migration(entry) ||
-- is_hugetlb_entry_hwpoisoned(entry))) {
-+ } else if (unlikely(is_hugetlb_entry_hwpoisoned(entry))) {
-+ bool uffd_wp = huge_pte_uffd_wp(entry);
-+
-+ if (!userfaultfd_wp(dst_vma) && uffd_wp)
-+ entry = huge_pte_clear_uffd_wp(entry);
-+ set_huge_pte_at(dst, addr, dst_pte, entry);
-+ } else if (unlikely(is_hugetlb_entry_migration(entry))) {
- swp_entry_t swp_entry = pte_to_swp_entry(entry);
-
- if (is_writable_migration_entry(swp_entry) && cow) {
--- /dev/null
+From e27326009a3d247b831eda38878c777f6f4eb3d1 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Wed, 27 Jul 2022 18:22:20 -0700
+Subject: net: ping6: Fix memleak in ipv6_renew_options().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+commit e27326009a3d247b831eda38878c777f6f4eb3d1 upstream.
+
+When we close ping6 sockets, some resources are left unfreed because
+pingv6_prot is missing sk->sk_prot->destroy(). As reported by
+syzbot [0], just three syscalls leak 96 bytes and easily cause OOM.
+
+ struct ipv6_sr_hdr *hdr;
+ char data[24] = {0};
+ int fd;
+
+ hdr = (struct ipv6_sr_hdr *)data;
+ hdr->hdrlen = 2;
+ hdr->type = IPV6_SRCRT_TYPE_4;
+
+ fd = socket(AF_INET6, SOCK_DGRAM, NEXTHDR_ICMP);
+ setsockopt(fd, IPPROTO_IPV6, IPV6_RTHDR, data, 24);
+ close(fd);
+
+To fix memory leaks, let's add a destroy function.
+
+Note the socket() syscall checks if the GID is within the range of
+net.ipv4.ping_group_range. The default value is [1, 0] so that no
+GID meets the condition (1 <= GID <= 0). Thus, the local DoS does
+not succeed until we change the default value. However, at least
+Ubuntu/Fedora/RHEL loosen it.
+
+ $ cat /usr/lib/sysctl.d/50-default.conf
+ ...
+ -net.ipv4.ping_group_range = 0 2147483647
+
+Also, there could be another path reported with these options, and
+some of them require CAP_NET_RAW.
+
+ setsockopt
+ IPV6_ADDRFORM (inet6_sk(sk)->pktoptions)
+ IPV6_RECVPATHMTU (inet6_sk(sk)->rxpmtu)
+ IPV6_HOPOPTS (inet6_sk(sk)->opt)
+ IPV6_RTHDRDSTOPTS (inet6_sk(sk)->opt)
+ IPV6_RTHDR (inet6_sk(sk)->opt)
+ IPV6_DSTOPTS (inet6_sk(sk)->opt)
+ IPV6_2292PKTOPTIONS (inet6_sk(sk)->opt)
+
+ getsockopt
+ IPV6_FLOWLABEL_MGR (inet6_sk(sk)->ipv6_fl_list)
+
+For the record, I left a different splat with syzbot's one.
+
+ unreferenced object 0xffff888006270c60 (size 96):
+ comm "repro2", pid 231, jiffies 4294696626 (age 13.118s)
+ hex dump (first 32 bytes):
+ 01 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00 ....D...........
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000f6bc7ea9>] sock_kmalloc (net/core/sock.c:2564 net/core/sock.c:2554)
+ [<000000006d699550>] do_ipv6_setsockopt.constprop.0 (net/ipv6/ipv6_sockglue.c:715)
+ [<00000000c3c3b1f5>] ipv6_setsockopt (net/ipv6/ipv6_sockglue.c:1024)
+ [<000000007096a025>] __sys_setsockopt (net/socket.c:2254)
+ [<000000003a8ff47b>] __x64_sys_setsockopt (net/socket.c:2265 net/socket.c:2262 net/socket.c:2262)
+ [<000000007c409dcb>] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
+ [<00000000e939c4a9>] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
+
+[0]: https://syzkaller.appspot.com/bug?extid=a8430774139ec3ab7176
+
+Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
+Reported-by: syzbot+a8430774139ec3ab7176@syzkaller.appspotmail.com
+Reported-by: Ayushman Dutta <ayudutta@amazon.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20220728012220.46918-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ping.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/ipv6/ping.c
++++ b/net/ipv6/ping.c
+@@ -22,6 +22,11 @@
+ #include <linux/proc_fs.h>
+ #include <net/ping.h>
+
++static void ping_v6_destroy(struct sock *sk)
++{
++ inet6_destroy_sock(sk);
++}
++
+ /* Compatibility glue so we can support IPv6 when it's compiled as a module */
+ static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len,
+ int *addr_len)
+@@ -181,6 +186,7 @@ struct proto pingv6_prot = {
+ .owner = THIS_MODULE,
+ .init = ping_init_sock,
+ .close = ping_close,
++ .destroy = ping_v6_destroy,
+ .connect = ip6_datagram_connect_v6_only,
+ .disconnect = __udp_disconnect,
+ .setsockopt = ipv6_setsockopt,
--- /dev/null
+From f6336724a4d4220c89a4ec38bca84b03b178b1a3 Mon Sep 17 00:00:00 2001
+From: Maxim Mikityanskiy <maximmi@nvidia.com>
+Date: Thu, 21 Jul 2022 12:11:27 +0300
+Subject: net/tls: Remove the context from the list in tls_device_down
+
+From: Maxim Mikityanskiy <maximmi@nvidia.com>
+
+commit f6336724a4d4220c89a4ec38bca84b03b178b1a3 upstream.
+
+tls_device_down takes a reference on all contexts it's going to move to
+the degraded state (software fallback). If sk_destruct runs afterwards,
+it can reduce the reference counter back to 1 and return early without
+destroying the context. Then tls_device_down will release the reference
+it took and call tls_device_free_ctx. However, the context will still
+stay in tls_device_down_list forever. The list will contain an item,
+memory for which is released, making a memory corruption possible.
+
+Fix the above bug by properly removing the context from all lists before
+any call to tls_device_free_ctx.
+
+Fixes: 3740651bf7e2 ("tls: Fix context leak on tls_device_down")
+Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_device.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -1351,8 +1351,13 @@ static int tls_device_down(struct net_de
+ * by tls_device_free_ctx. rx_conf and tx_conf stay in TLS_HW.
+ * Now release the ref taken above.
+ */
+- if (refcount_dec_and_test(&ctx->refcount))
++ if (refcount_dec_and_test(&ctx->refcount)) {
++ /* sk_destruct ran after tls_device_down took a ref, and
++ * it returned early. Complete the destruction here.
++ */
++ list_del(&ctx->list);
+ tls_device_free_ctx(ctx);
++ }
+ }
+
+ up_write(&device_offload_lock);
--- /dev/null
+From 59e1be6f83b928a04189bbf3ab683a1fc6248db3 Mon Sep 17 00:00:00 2001
+From: Subbaraya Sundeep <sbhatta@marvell.com>
+Date: Sun, 24 Jul 2022 13:51:14 +0530
+Subject: octeontx2-pf: Fix UDP/TCP src and dst port tc filters
+
+From: Subbaraya Sundeep <sbhatta@marvell.com>
+
+commit 59e1be6f83b928a04189bbf3ab683a1fc6248db3 upstream.
+
+Check the mask for non-zero value before installing tc filters
+for L4 source and destination ports. Otherwise installing a
+filter for source port installs destination port too and
+vice-versa.
+
+Fixes: 1d4d9e42c240 ("octeontx2-pf: Add tc flower hardware offload on ingress traffic")
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c | 30 +++++++++++--------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
+@@ -614,21 +614,27 @@ static int otx2_tc_prepare_flow(struct o
+
+ flow_spec->dport = match.key->dst;
+ flow_mask->dport = match.mask->dst;
+- if (ip_proto == IPPROTO_UDP)
+- req->features |= BIT_ULL(NPC_DPORT_UDP);
+- else if (ip_proto == IPPROTO_TCP)
+- req->features |= BIT_ULL(NPC_DPORT_TCP);
+- else if (ip_proto == IPPROTO_SCTP)
+- req->features |= BIT_ULL(NPC_DPORT_SCTP);
++
++ if (flow_mask->dport) {
++ if (ip_proto == IPPROTO_UDP)
++ req->features |= BIT_ULL(NPC_DPORT_UDP);
++ else if (ip_proto == IPPROTO_TCP)
++ req->features |= BIT_ULL(NPC_DPORT_TCP);
++ else if (ip_proto == IPPROTO_SCTP)
++ req->features |= BIT_ULL(NPC_DPORT_SCTP);
++ }
+
+ flow_spec->sport = match.key->src;
+ flow_mask->sport = match.mask->src;
+- if (ip_proto == IPPROTO_UDP)
+- req->features |= BIT_ULL(NPC_SPORT_UDP);
+- else if (ip_proto == IPPROTO_TCP)
+- req->features |= BIT_ULL(NPC_SPORT_TCP);
+- else if (ip_proto == IPPROTO_SCTP)
+- req->features |= BIT_ULL(NPC_SPORT_SCTP);
++
++ if (flow_mask->sport) {
++ if (ip_proto == IPPROTO_UDP)
++ req->features |= BIT_ULL(NPC_SPORT_UDP);
++ else if (ip_proto == IPPROTO_TCP)
++ req->features |= BIT_ULL(NPC_SPORT_TCP);
++ else if (ip_proto == IPPROTO_SCTP)
++ req->features |= BIT_ULL(NPC_SPORT_SCTP);
++ }
+ }
+
+ return otx2_tc_parse_actions(nic, &rule->action, req, f, node);
--- /dev/null
+From 4d8f24eeedc58d5f87b650ddda73c16e8ba56559 Mon Sep 17 00:00:00 2001
+From: Wei Wang <weiwan@google.com>
+Date: Thu, 21 Jul 2022 20:44:04 +0000
+Subject: Revert "tcp: change pingpong threshold to 3"
+
+From: Wei Wang <weiwan@google.com>
+
+commit 4d8f24eeedc58d5f87b650ddda73c16e8ba56559 upstream.
+
+This reverts commit 4a41f453bedfd5e9cd040bad509d9da49feb3e2c.
+
+This to-be-reverted commit was meant to apply a stricter rule for the
+stack to enter pingpong mode. However, the condition used to check for
+interactive session "before(tp->lsndtime, icsk->icsk_ack.lrcvtime)" is
+jiffy based and might be too coarse, which delays the stack entering
+pingpong mode.
+We revert this patch so that we no longer use the above condition to
+determine interactive session, and also reduce pingpong threshold to 1.
+
+Fixes: 4a41f453bedf ("tcp: change pingpong threshold to 3")
+Reported-by: LemmyHuang <hlm3280@163.com>
+Suggested-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Wei Wang <weiwan@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20220721204404.388396-1-weiwan@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/inet_connection_sock.h | 10 +---------
+ net/ipv4/tcp_output.c | 15 ++++++---------
+ 2 files changed, 7 insertions(+), 18 deletions(-)
+
+--- a/include/net/inet_connection_sock.h
++++ b/include/net/inet_connection_sock.h
+@@ -323,7 +323,7 @@ void inet_csk_update_fastreuse(struct in
+
+ struct dst_entry *inet_csk_update_pmtu(struct sock *sk, u32 mtu);
+
+-#define TCP_PINGPONG_THRESH 3
++#define TCP_PINGPONG_THRESH 1
+
+ static inline void inet_csk_enter_pingpong_mode(struct sock *sk)
+ {
+@@ -340,14 +340,6 @@ static inline bool inet_csk_in_pingpong_
+ return inet_csk(sk)->icsk_ack.pingpong >= TCP_PINGPONG_THRESH;
+ }
+
+-static inline void inet_csk_inc_pingpong_cnt(struct sock *sk)
+-{
+- struct inet_connection_sock *icsk = inet_csk(sk);
+-
+- if (icsk->icsk_ack.pingpong < U8_MAX)
+- icsk->icsk_ack.pingpong++;
+-}
+-
+ static inline bool inet_csk_has_ulp(struct sock *sk)
+ {
+ return inet_sk(sk)->is_icsk && !!inet_csk(sk)->icsk_ulp_ops;
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -167,16 +167,13 @@ static void tcp_event_data_sent(struct t
+ if (tcp_packets_in_flight(tp) == 0)
+ tcp_ca_event(sk, CA_EVENT_TX_START);
+
+- /* If this is the first data packet sent in response to the
+- * previous received data,
+- * and it is a reply for ato after last received packet,
+- * increase pingpong count.
+- */
+- if (before(tp->lsndtime, icsk->icsk_ack.lrcvtime) &&
+- (u32)(now - icsk->icsk_ack.lrcvtime) < icsk->icsk_ack.ato)
+- inet_csk_inc_pingpong_cnt(sk);
+-
+ tp->lsndtime = now;
++
++ /* If it is a reply for ato after last received
++ * packet, enter pingpong mode.
++ */
++ if ((u32)(now - icsk->icsk_ack.lrcvtime) < icsk->icsk_ack.ato)
++ inet_csk_enter_pingpong_mode(sk);
+ }
+
+ /* Account for an ACK we sent. */
--- /dev/null
+From d9a434fa0c12ed5f7afe1e9dd30003ab5d059b85 Mon Sep 17 00:00:00 2001
+From: Jason Yan <yanaijie@huawei.com>
+Date: Wed, 20 Jul 2022 10:51:20 +0800
+Subject: scsi: core: Fix warning in scsi_alloc_sgtables()
+
+From: Jason Yan <yanaijie@huawei.com>
+
+commit d9a434fa0c12ed5f7afe1e9dd30003ab5d059b85 upstream.
+
+As explained in SG_IO howto[1]:
+
+"If iovec_count is non-zero then 'dxfer_len' should be equal to the sum of
+iov_len lengths. If not, the minimum of the two is the transfer length."
+
+When iovec_count is non-zero and dxfer_len is zero, the sg_io() just
+genarated a null bio, and finally caused a warning below. To fix it, skip
+generating a bio for this request if dxfer_len is zero.
+
+[1] https://tldp.org/HOWTO/SCSI-Generic-HOWTO/x198.html
+
+WARNING: CPU: 2 PID: 3643 at drivers/scsi/scsi_lib.c:1032 scsi_alloc_sgtables+0xc7d/0xf70 drivers/scsi/scsi_lib.c:1032
+Modules linked in:
+
+CPU: 2 PID: 3643 Comm: syz-executor397 Not tainted
+5.17.0-rc3-syzkaller-00316-gb81b1829e7e3 #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-204/01/2014
+RIP: 0010:scsi_alloc_sgtables+0xc7d/0xf70 drivers/scsi/scsi_lib.c:1032
+Code: e7 fc 31 ff 44 89 f6 e8 c1 4e e7 fc 45 85 f6 0f 84 1a f5 ff ff e8
+93 4c e7 fc 83 c5 01 0f b7 ed e9 0f f5 ff ff e8 83 4c e7 fc <0f> 0b 41
+ bc 0a 00 00 00 e9 2b fb ff ff 41 bc 09 00 00 00 e9 20 fb
+RSP: 0018:ffffc90000d07558 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: ffff88801bfc96a0 RCX: 0000000000000000
+RDX: ffff88801c876000 RSI: ffffffff849060bd RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: ffffffff849055b9 R11: 0000000000000000 R12: ffff888012b8c000
+R13: ffff88801bfc9580 R14: 0000000000000000 R15: ffff88801432c000
+FS: 00007effdec8e700(0000) GS:ffff88802cc00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007effdec6d718 CR3: 00000000206d6000 CR4: 0000000000150ee0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ scsi_setup_scsi_cmnd drivers/scsi/scsi_lib.c:1219 [inline]
+ scsi_prepare_cmd drivers/scsi/scsi_lib.c:1614 [inline]
+ scsi_queue_rq+0x283e/0x3630 drivers/scsi/scsi_lib.c:1730
+ blk_mq_dispatch_rq_list+0x6ea/0x22e0 block/blk-mq.c:1851
+ __blk_mq_sched_dispatch_requests+0x20b/0x410 block/blk-mq-sched.c:299
+ blk_mq_sched_dispatch_requests+0xfb/0x180 block/blk-mq-sched.c:332
+ __blk_mq_run_hw_queue+0xf9/0x350 block/blk-mq.c:1968
+ __blk_mq_delay_run_hw_queue+0x5b6/0x6c0 block/blk-mq.c:2045
+ blk_mq_run_hw_queue+0x30f/0x480 block/blk-mq.c:2096
+ blk_mq_sched_insert_request+0x340/0x440 block/blk-mq-sched.c:451
+ blk_execute_rq+0xcc/0x340 block/blk-mq.c:1231
+ sg_io+0x67c/0x1210 drivers/scsi/scsi_ioctl.c:485
+ scsi_ioctl_sg_io drivers/scsi/scsi_ioctl.c:866 [inline]
+ scsi_ioctl+0xa66/0x1560 drivers/scsi/scsi_ioctl.c:921
+ sd_ioctl+0x199/0x2a0 drivers/scsi/sd.c:1576
+ blkdev_ioctl+0x37a/0x800 block/ioctl.c:588
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:874 [inline]
+ __se_sys_ioctl fs/ioctl.c:860 [inline]
+ __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7effdecdc5d9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 14 00 00 90 48 89 f8 48 89
+f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
+f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007effdec8e2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007effded664c0 RCX: 00007effdecdc5d9
+RDX: 0000000020002300 RSI: 0000000000002285 RDI: 0000000000000004
+RBP: 00007effded34034 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
+R13: 00007effded34054 R14: 2f30656c69662f2e R15: 00007effded664c8
+
+Link: https://lore.kernel.org/r/20220720025120.3226770-1-yanaijie@huawei.com
+Fixes: 25636e282fe9 ("block: fix SG_IO vector request data length handling")
+Reported-by: syzbot+d44b35ecfb807e5af0b5@syzkaller.appspotmail.com
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Jason Yan <yanaijie@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_ioctl.c
++++ b/drivers/scsi/scsi_ioctl.c
+@@ -450,7 +450,7 @@ static int sg_io(struct scsi_device *sde
+ goto out_put_request;
+
+ ret = 0;
+- if (hdr->iovec_count) {
++ if (hdr->iovec_count && hdr->dxfer_len) {
+ struct iov_iter i;
+ struct iovec *iov = NULL;
+
--- /dev/null
+From 0fde22c5420ed258ee538a760291c2f3935f6a01 Mon Sep 17 00:00:00 2001
+From: David Jeffery <djeffery@redhat.com>
+Date: Fri, 22 Jul 2022 10:24:48 -0400
+Subject: scsi: mpt3sas: Stop fw fault watchdog work item during system shutdown
+
+From: David Jeffery <djeffery@redhat.com>
+
+commit 0fde22c5420ed258ee538a760291c2f3935f6a01 upstream.
+
+During system shutdown or reboot, mpt3sas will reset the firmware back to
+ready state. However, the driver leaves running a watchdog work item
+intended to keep the firmware in operational state. This causes a second,
+unneeded reset on shutdown and moves the firmware back to operational
+instead of in ready state as intended. And if the mpt3sas_fwfault_debug
+module parameter is set, this extra reset also panics the system.
+
+mpt3sas's scsih_shutdown needs to stop the watchdog before resetting the
+firmware back to ready state.
+
+Link: https://lore.kernel.org/r/20220722142448.6289-1-djeffery@redhat.com
+Fixes: fae21608c31c ("scsi: mpt3sas: Transition IOC to Ready state during shutdown")
+Tested-by: Laurence Oberman <loberman@redhat.com>
+Acked-by: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Signed-off-by: David Jeffery <djeffery@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -11386,6 +11386,7 @@ scsih_shutdown(struct pci_dev *pdev)
+ _scsih_ir_shutdown(ioc);
+ _scsih_nvme_shutdown(ioc);
+ mpt3sas_base_mask_interrupts(ioc);
++ mpt3sas_base_stop_watchdog(ioc);
+ ioc->shost_recovery = 1;
+ mpt3sas_base_make_ioc_ready(ioc, SOFT_RESET);
+ ioc->shost_recovery = 0;
--- /dev/null
+From a3435afba87dc6cd83f5595e7607f3c40f93ef01 Mon Sep 17 00:00:00 2001
+From: Liang He <windhl@126.com>
+Date: Tue, 19 Jul 2022 15:15:29 +0800
+Subject: scsi: ufs: host: Hold reference returned by of_parse_phandle()
+
+From: Liang He <windhl@126.com>
+
+commit a3435afba87dc6cd83f5595e7607f3c40f93ef01 upstream.
+
+In ufshcd_populate_vreg(), we should hold the reference returned by
+of_parse_phandle() and then use it to call of_node_put() for refcount
+balance.
+
+Link: https://lore.kernel.org/r/20220719071529.1081166-1-windhl@126.com
+Fixes: aa4976130934 ("ufs: Add regulator enable support")
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Liang He <windhl@126.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufshcd-pltfrm.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ufs/ufshcd-pltfrm.c
++++ b/drivers/scsi/ufs/ufshcd-pltfrm.c
+@@ -107,9 +107,20 @@ out:
+ return ret;
+ }
+
++static bool phandle_exists(const struct device_node *np,
++ const char *phandle_name, int index)
++{
++ struct device_node *parse_np = of_parse_phandle(np, phandle_name, index);
++
++ if (parse_np)
++ of_node_put(parse_np);
++
++ return parse_np != NULL;
++}
++
+ #define MAX_PROP_SIZE 32
+ static int ufshcd_populate_vreg(struct device *dev, const char *name,
+- struct ufs_vreg **out_vreg)
++ struct ufs_vreg **out_vreg)
+ {
+ char prop_name[MAX_PROP_SIZE];
+ struct ufs_vreg *vreg = NULL;
+@@ -121,7 +132,7 @@ static int ufshcd_populate_vreg(struct d
+ }
+
+ snprintf(prop_name, MAX_PROP_SIZE, "%s-supply", name);
+- if (!of_parse_phandle(np, prop_name, 0)) {
++ if (!phandle_exists(np, prop_name, 0)) {
+ dev_info(dev, "%s: Unable to find %s regulator, assuming enabled\n",
+ __func__, prop_name);
+ goto out;
ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch
fs-sendfile-handles-o_nonblock-of-out_fd.patch
secretmem-fix-unhandled-fault-in-truncate.patch
-mm-hugetlb-separate-path-for-hwpoison-entry-in-copy_hugetlb_page_range.patch
mm-fix-page-leak-with-multiple-threads-mapping-the-same-page.patch
mm-fix-missing-wake-up-event-for-fsdax-pages.patch
hugetlb-fix-memoryleak-in-hugetlb_mcopy_atomic_pte.patch
tcp-fix-a-data-race-around-sysctl_tcp_nometrics_save.patch
tcp-fix-data-races-around-sysctl_tcp_no_ssthresh_metrics_save.patch
bridge-do-not-send-empty-ifla_af_spec-attribute.patch
+ice-fix-max-vlans-available-for-vf.patch
+ice-check-dd-eof-bits-on-rx-descriptor-rather-than-eop-rs.patch
+ice-do-not-setup-vlan-for-loopback-vsi.patch
+ice-fix-vsis-unable-to-share-unicast-mac.patch
+scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch
+revert-tcp-change-pingpong-threshold-to-3.patch
+octeontx2-pf-fix-udp-tcp-src-and-dst-port-tc-filters.patch
+tcp-md5-fix-ipv4-mapped-support.patch
+tcp-fix-data-races-around-sysctl_tcp_moderate_rcvbuf.patch
+tcp-fix-a-data-race-around-sysctl_tcp_limit_output_bytes.patch
+tcp-fix-a-data-race-around-sysctl_tcp_challenge_ack_limit.patch
+scsi-core-fix-warning-in-scsi_alloc_sgtables.patch
+scsi-mpt3sas-stop-fw-fault-watchdog-work-item-during-system-shutdown.patch
+net-ping6-fix-memleak-in-ipv6_renew_options.patch
+ipv6-addrconf-fix-a-null-ptr-deref-bug-for-ip6_ptr.patch
+net-tls-remove-the-context-from-the-list-in-tls_device_down.patch
--- /dev/null
+From db3815a2fa691da145cfbe834584f31ad75df9ff Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Wed, 20 Jul 2022 09:50:21 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+commit db3815a2fa691da145cfbe834584f31ad75df9ff upstream.
+
+While reading sysctl_tcp_challenge_ack_limit, it can be changed
+concurrently. Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3629,7 +3629,7 @@ static void tcp_send_challenge_ack(struc
+ /* Then check host-wide RFC 5961 rate limit. */
+ now = jiffies / HZ;
+ if (now != challenge_timestamp) {
+- u32 ack_limit = net->ipv4.sysctl_tcp_challenge_ack_limit;
++ u32 ack_limit = READ_ONCE(net->ipv4.sysctl_tcp_challenge_ack_limit);
+ u32 half = (ack_limit + 1) >> 1;
+
+ challenge_timestamp = now;
--- /dev/null
+From 9fb90193fbd66b4c5409ef729fd081861f8b6351 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Wed, 20 Jul 2022 09:50:20 -0700
+Subject: tcp: Fix a data-race around sysctl_tcp_limit_output_bytes.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+commit 9fb90193fbd66b4c5409ef729fd081861f8b6351 upstream.
+
+While reading sysctl_tcp_limit_output_bytes, it can be changed
+concurrently. Thus, we need to add READ_ONCE() to its reader.
+
+Fixes: 46d3ceabd8d9 ("tcp: TCP Small Queues")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -2502,7 +2502,7 @@ static bool tcp_small_queue_check(struct
+ sk->sk_pacing_rate >> READ_ONCE(sk->sk_pacing_shift));
+ if (sk->sk_pacing_status == SK_PACING_NONE)
+ limit = min_t(unsigned long, limit,
+- sock_net(sk)->ipv4.sysctl_tcp_limit_output_bytes);
++ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_limit_output_bytes));
+ limit <<= factor;
+
+ if (static_branch_unlikely(&tcp_tx_delay_enabled) &&
--- /dev/null
+From 780476488844e070580bfc9e3bc7832ec1cea883 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Wed, 20 Jul 2022 09:50:18 -0700
+Subject: tcp: Fix data-races around sysctl_tcp_moderate_rcvbuf.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+commit 780476488844e070580bfc9e3bc7832ec1cea883 upstream.
+
+While reading sysctl_tcp_moderate_rcvbuf, it can be changed
+concurrently. Thus, we need to add READ_ONCE() to its readers.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 2 +-
+ net/mptcp/protocol.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -724,7 +724,7 @@ void tcp_rcv_space_adjust(struct sock *s
+ * <prev RTT . ><current RTT .. ><next RTT .... >
+ */
+
+- if (sock_net(sk)->ipv4.sysctl_tcp_moderate_rcvbuf &&
++ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_moderate_rcvbuf) &&
+ !(sk->sk_userlocks & SOCK_RCVBUF_LOCK)) {
+ int rcvmem, rcvbuf;
+ u64 rcvwin, grow;
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -1882,7 +1882,7 @@ static void mptcp_rcv_space_adjust(struc
+ if (msk->rcvq_space.copied <= msk->rcvq_space.space)
+ goto new_measure;
+
+- if (sock_net(sk)->ipv4.sysctl_tcp_moderate_rcvbuf &&
++ if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_moderate_rcvbuf) &&
+ !(sk->sk_userlocks & SOCK_RCVBUF_LOCK)) {
+ int rcvmem, rcvbuf;
+ u64 rcvwin, grow;
--- /dev/null
+From e62d2e110356093c034998e093675df83057e511 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 26 Jul 2022 11:57:43 +0000
+Subject: tcp: md5: fix IPv4-mapped support
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit e62d2e110356093c034998e093675df83057e511 upstream.
+
+After the blamed commit, IPv4 SYN packets handled
+by a dual stack IPv6 socket are dropped, even if
+perfectly valid.
+
+$ nstat | grep MD5
+TcpExtTCPMD5Failure 5 0.0
+
+For a dual stack listener, an incoming IPv4 SYN packet
+would call tcp_inbound_md5_hash() with @family == AF_INET,
+while tp->af_specific is pointing to tcp_sock_ipv6_specific.
+
+Only later when an IPv4-mapped child is created, tp->af_specific
+is changed to tcp_sock_ipv6_mapped_specific.
+
+Fixes: 7bbb765b7349 ("net/tcp: Merge TCP-MD5 inbound callbacks")
+Reported-by: Brian Vazquez <brianvv@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Reviewed-by: Dmitry Safonov <dima@arista.com>
+Tested-by: Leonard Crestez <cdleonard@gmail.com>
+Link: https://lore.kernel.org/r/20220726115743.2759832-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -4481,9 +4481,18 @@ tcp_inbound_md5_hash(const struct sock *
+ return SKB_DROP_REASON_TCP_MD5UNEXPECTED;
+ }
+
+- /* check the signature */
+- genhash = tp->af_specific->calc_md5_hash(newhash, hash_expected,
+- NULL, skb);
++ /* Check the signature.
++ * To support dual stack listeners, we need to handle
++ * IPv4-mapped case.
++ */
++ if (family == AF_INET)
++ genhash = tcp_v4_md5_hash_skb(newhash,
++ hash_expected,
++ NULL, skb);
++ else
++ genhash = tp->af_specific->calc_md5_hash(newhash,
++ hash_expected,
++ NULL, skb);
+
+ if (genhash || memcmp(hash_location, newhash, 16) != 0) {
+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE);
projects / thirdparty / kernel / stable-queue.git / commitdiff
