--- /dev/null
+From 64a361cb5edc8e5589382ae6b79b6ad6d6fcd827 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Nov 2022 17:37:26 +0800
+Subject: Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn()
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+[ Upstream commit 747da1308bdd5021409974f9180f0d8ece53d142 ]
+
+hci_get_route() takes reference, we should use hci_dev_put() to release
+it when not need anymore.
+
+Fixes: 6b8d4a6a0314 ("Bluetooth: 6LoWPAN: Use connected oriented channel instead of fixed one")
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/6lowpan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c
+index 3bfd747aa515..4a29410f5abc 100644
+--- a/net/bluetooth/6lowpan.c
++++ b/net/bluetooth/6lowpan.c
+@@ -1119,6 +1119,7 @@ static int get_l2cap_conn(char *buf, bdaddr_t *addr, u8 *addr_type,
+ hci_dev_lock(hdev);
+ hcon = hci_conn_hash_lookup_le(hdev, addr, *addr_type);
+ hci_dev_unlock(hdev);
++ hci_dev_put(hdev);
+
+ if (!hcon)
+ return -ENOENT;
+--
+2.35.1
+
--- /dev/null
+From f1a7e93174c1182c80546b1051bddada3660f1a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Oct 2022 22:00:00 +0900
+Subject: e1000e: Fix TX dispatch condition
+
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+
+[ Upstream commit eed913f6919e253f35d454b2f115f2a4db2b741a ]
+
+e1000_xmit_frame is expected to stop the queue and dispatch frames to
+hardware if there is not sufficient space for the next frame in the
+buffer, but sometimes it failed to do so because the estimated maximum
+size of frame was wrong. As the consequence, the later invocation of
+e1000_xmit_frame failed with NETDEV_TX_BUSY, and the frame in the buffer
+remained forever, resulting in a watchdog failure.
+
+This change fixes the estimated size by making it match with the
+condition for NETDEV_TX_BUSY. Apparently, the old estimation failed to
+account for the following lines which determines the space requirement
+for not causing NETDEV_TX_BUSY:
+ ```
+ /* reserve a descriptor for the offload context */
+ if ((mss) || (skb->ip_summed == CHECKSUM_PARTIAL))
+ count++;
+ count++;
+
+ count += DIV_ROUND_UP(len, adapter->tx_fifo_limit);
+ ```
+
+This issue was found when running http-stress02 test included in Linux
+Test Project 20220930 on QEMU with the following commandline:
+```
+qemu-system-x86_64 -M q35,accel=kvm -m 8G -smp 8
+ -drive if=virtio,format=raw,file=root.img,file.locking=on
+ -device e1000e,netdev=netdev
+ -netdev tap,script=ifup,downscript=no,id=netdev
+```
+
+Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/e1000e/netdev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
+index 5d7967c03554..8f459f910f73 100644
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -5875,9 +5875,9 @@ static netdev_tx_t e1000_xmit_frame(struct sk_buff *skb,
+ e1000_tx_queue(tx_ring, tx_flags, count);
+ /* Make sure there is space in the ring for the next send. */
+ e1000_maybe_stop_tx(tx_ring,
+- (MAX_SKB_FRAGS *
++ ((MAX_SKB_FRAGS + 1) *
+ DIV_ROUND_UP(PAGE_SIZE,
+- adapter->tx_fifo_limit) + 2));
++ adapter->tx_fifo_limit) + 4));
+
+ if (!skb->xmit_more ||
+ netif_xmit_stopped(netdev_get_tx_queue(netdev, 0))) {
+--
+2.35.1
+
--- /dev/null
+From cce6846fcffa9374b8052ece59dee53b242f7c44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Dec 2022 14:09:08 +0800
+Subject: ethernet: aeroflex: fix potential skb leak in greth_init_rings()
+
+From: Zhang Changzhong <zhangchangzhong@huawei.com>
+
+[ Upstream commit 063a932b64db3317ec020c94466fe52923a15f60 ]
+
+The greth_init_rings() function won't free the newly allocated skb when
+dma_mapping_error() returns error, so add dev_kfree_skb() to fix it.
+
+Compile tested only.
+
+Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver")
+Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/1670134149-29516-1-git-send-email-zhangchangzhong@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aeroflex/greth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c
+index 31e02ca56572..aa2d1b088df6 100644
+--- a/drivers/net/ethernet/aeroflex/greth.c
++++ b/drivers/net/ethernet/aeroflex/greth.c
+@@ -261,6 +261,7 @@ static int greth_init_rings(struct greth_private *greth)
+ if (dma_mapping_error(greth->dev, dma_addr)) {
+ if (netif_msg_ifup(greth))
+ dev_err(greth->dev, "Could not create initial DMA mapping\n");
++ dev_kfree_skb(skb);
+ goto cleanup;
+ }
+ greth->rx_skbuff[i] = skb;
+--
+2.35.1
+
--- /dev/null
+From caccc614ec36ac0050bde4188deeda0dba218d9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Nov 2022 20:35:08 +0800
+Subject: gpio: amd8111: Fix PCI device reference count leak
+
+From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+
+[ Upstream commit 45fecdb9f658d9c82960c98240bc0770ade19aca ]
+
+for_each_pci_dev() is implemented by pci_get_device(). The comment of
+pci_get_device() says that it will increase the reference count for the
+returned pci_dev and also decrease the reference count for the input
+pci_dev @from if it is not NULL.
+
+If we break for_each_pci_dev() loop with pdev not NULL, we need to call
+pci_dev_put() to decrease the reference count. Add the missing
+pci_dev_put() after the 'out' label. Since pci_dev_put() can handle NULL
+input parameter, there is no problem for the 'Device not found' branch.
+For the normal path, add pci_dev_put() in amd_gpio_exit().
+
+Fixes: f942a7de047d ("gpio: add a driver for GPIO pins found on AMD-8111 south bridge chips")
+Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-amd8111.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpio/gpio-amd8111.c b/drivers/gpio/gpio-amd8111.c
+index 30ad7d7c1678..f8486bac12d0 100644
+--- a/drivers/gpio/gpio-amd8111.c
++++ b/drivers/gpio/gpio-amd8111.c
+@@ -231,7 +231,10 @@ static int __init amd_gpio_init(void)
+ ioport_unmap(gp.pm);
+ goto out;
+ }
++ return 0;
++
+ out:
++ pci_dev_put(pdev);
+ return err;
+ }
+
+@@ -239,6 +242,7 @@ static void __exit amd_gpio_exit(void)
+ {
+ gpiochip_remove(&gp.chip);
+ ioport_unmap(gp.pm);
++ pci_dev_put(gp.pdev);
+ }
+
+ module_init(amd_gpio_init);
+--
+2.35.1
+
--- /dev/null
+From 539746577808e385457f3c54e5c14ac0b251aa36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Nov 2022 15:50:46 +0800
+Subject: ieee802154: cc2520: Fix error return code in cc2520_hw_init()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+[ Upstream commit 4d002d6a2a00ac1c433899bd7625c6400a74cfba ]
+
+In cc2520_hw_init(), if oscillator start failed, the error code
+should be returned.
+
+Fixes: 0da6bc8cc341 ("ieee802154: cc2520: adds driver for TI CC2520 radio")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Link: https://lore.kernel.org/r/20221120075046.2213633-1-william.xuanziyang@huawei.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ieee802154/cc2520.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ieee802154/cc2520.c b/drivers/net/ieee802154/cc2520.c
+index 436cf2007138..92aefaf8ea19 100644
+--- a/drivers/net/ieee802154/cc2520.c
++++ b/drivers/net/ieee802154/cc2520.c
+@@ -979,7 +979,7 @@ static int cc2520_hw_init(struct cc2520_private *priv)
+
+ if (timeout-- <= 0) {
+ dev_err(&priv->spi->dev, "oscillator start failed!\n");
+- return ret;
++ return -ETIMEDOUT;
+ }
+ udelay(1);
+ } while (!(status & CC2520_STATUS_XOSC32M_STABLE));
+--
+2.35.1
+
--- /dev/null
+From 1129559461e417ae8f91a18bdd964a82591c80f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Nov 2022 22:30:31 +0900
+Subject: igb: Allocate MSI-X vector when testing
+
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+
+[ Upstream commit 28e96556baca7056d11d9fb3cdd0aba4483e00d8 ]
+
+Without this change, the interrupt test fail with MSI-X environment:
+
+$ sudo ethtool -t enp0s2 offline
+[ 43.921783] igb 0000:00:02.0: offline testing starting
+[ 44.855824] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Down
+[ 44.961249] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
+[ 51.272202] igb 0000:00:02.0: testing shared interrupt
+[ 56.996975] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
+The test result is FAIL
+The test extra info:
+Register test (offline) 0
+Eeprom test (offline) 0
+Interrupt test (offline) 4
+Loopback test (offline) 0
+Link test (on/offline) 0
+
+Here, "4" means an expected interrupt was not delivered.
+
+To fix this, route IRQs correctly to the first MSI-X vector by setting
+IVAR_MISC. Also, set bit 0 of EIMS so that the vector will not be
+masked. The interrupt test now runs properly with this change:
+
+$ sudo ethtool -t enp0s2 offline
+[ 42.762985] igb 0000:00:02.0: offline testing starting
+[ 50.141967] igb 0000:00:02.0: testing shared interrupt
+[ 56.163957] igb 0000:00:02.0 enp0s2: igb: enp0s2 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
+The test result is PASS
+The test extra info:
+Register test (offline) 0
+Eeprom test (offline) 0
+Interrupt test (offline) 0
+Loopback test (offline) 0
+Link test (on/offline) 0
+
+Fixes: 4eefa8f01314 ("igb: add single vector msi-x testing to interrupt test")
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Tested-by: Gurucharan G <gurucharanx.g@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_ethtool.c b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+index b02e262ed76a..fa23c93ef740 100644
+--- a/drivers/net/ethernet/intel/igb/igb_ethtool.c
++++ b/drivers/net/ethernet/intel/igb/igb_ethtool.c
+@@ -1401,6 +1401,8 @@ static int igb_intr_test(struct igb_adapter *adapter, u64 *data)
+ *data = 1;
+ return -1;
+ }
++ wr32(E1000_IVAR_MISC, E1000_IVAR_VALID << 8);
++ wr32(E1000_EIMS, BIT(0));
+ } else if (adapter->flags & IGB_FLAG_HAS_MSI) {
+ shared_int = false;
+ if (request_irq(irq,
+--
+2.35.1
+
--- /dev/null
+From 986a2965640389659c866930530abaa28288080b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Nov 2022 09:17:05 +0000
+Subject: mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit b3d72d3135d2ef68296c1ee174436efd65386f04 ]
+
+Kernel fault injection test reports null-ptr-deref as follows:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000008
+RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114
+Call Trace:
+ <TASK>
+ raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87
+ call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944
+ unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982
+ unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879
+ register_netdevice+0x9a8/0xb90 net/core/dev.c:10083
+ ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659
+ ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229
+ mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316
+
+ieee802154_if_add() allocates wpan_dev as netdev's private data, but not
+init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage
+the list when device register/unregister, and may lead to null-ptr-deref.
+
+Use INIT_LIST_HEAD() on it to initialize it correctly.
+
+Fixes: fcf39e6e88e9 ("ieee802154: add wpan_dev_list")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Acked-by: Alexander Aring <aahringo@redhat.com>
+
+Link: https://lore.kernel.org/r/20221130091705.1831140-1-weiyongjun@huaweicloud.com
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac802154/iface.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac802154/iface.c b/net/mac802154/iface.c
+index 06019dba4b10..9f2355cb6701 100644
+--- a/net/mac802154/iface.c
++++ b/net/mac802154/iface.c
+@@ -670,6 +670,7 @@ ieee802154_if_add(struct ieee802154_local *local, const char *name,
+ sdata->dev = ndev;
+ sdata->wpan_dev.wpan_phy = local->hw.phy;
+ sdata->local = local;
++ INIT_LIST_HEAD(&sdata->wpan_dev.list);
+
+ /* setup type-dependent data */
+ ret = ieee802154_setup_sdata(sdata, type);
+--
+2.35.1
+
--- /dev/null
+From a27213bff5dfbb15825e4eabe7cbca1bd93e81ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 20:34:07 +0300
+Subject: net: encx24j600: Add parentheses to fix precedence
+
+From: Valentina Goncharenko <goncharenko.vp@ispras.ru>
+
+[ Upstream commit 167b3f2dcc62c271f3555b33df17e361bb1fa0ee ]
+
+In functions regmap_encx24j600_phy_reg_read() and
+regmap_encx24j600_phy_reg_write() in the conditions of the waiting
+cycles for filling the variable 'ret' it is necessary to add parentheses
+to prevent wrong assignment due to logical operations precedence.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: d70e53262f5c ("net: Microchip encx24j600 driver")
+Signed-off-by: Valentina Goncharenko <goncharenko.vp@ispras.ru>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/encx24j600-regmap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/encx24j600-regmap.c b/drivers/net/ethernet/microchip/encx24j600-regmap.c
+index b5de665ce718..44e656048c51 100644
+--- a/drivers/net/ethernet/microchip/encx24j600-regmap.c
++++ b/drivers/net/ethernet/microchip/encx24j600-regmap.c
+@@ -363,7 +363,7 @@ static int regmap_encx24j600_phy_reg_read(void *context, unsigned int reg,
+ goto err_out;
+
+ usleep_range(26, 100);
+- while ((ret = regmap_read(ctx->regmap, MISTAT, &mistat) != 0) &&
++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) &&
+ (mistat & BUSY))
+ cpu_relax();
+
+@@ -401,7 +401,7 @@ static int regmap_encx24j600_phy_reg_write(void *context, unsigned int reg,
+ goto err_out;
+
+ usleep_range(26, 100);
+- while ((ret = regmap_read(ctx->regmap, MISTAT, &mistat) != 0) &&
++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) &&
+ (mistat & BUSY))
+ cpu_relax();
+
+--
+2.35.1
+
--- /dev/null
+From d64a87cef5777e797a929d3d69add243990c539c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Dec 2022 20:34:08 +0300
+Subject: net: encx24j600: Fix invalid logic in reading of MISTAT register
+
+From: Valentina Goncharenko <goncharenko.vp@ispras.ru>
+
+[ Upstream commit 25f427ac7b8d89b0259f86c0c6407b329df742b2 ]
+
+A loop for reading MISTAT register continues while regmap_read() fails
+and (mistat & BUSY), but if regmap_read() fails a value of mistat is
+undefined.
+
+The patch proposes to check for BUSY flag only when regmap_read()
+succeed. Compile test only.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: d70e53262f5c ("net: Microchip encx24j600 driver")
+Signed-off-by: Valentina Goncharenko <goncharenko.vp@ispras.ru>
+Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/encx24j600-regmap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/encx24j600-regmap.c b/drivers/net/ethernet/microchip/encx24j600-regmap.c
+index 44e656048c51..668a63abe0cb 100644
+--- a/drivers/net/ethernet/microchip/encx24j600-regmap.c
++++ b/drivers/net/ethernet/microchip/encx24j600-regmap.c
+@@ -363,7 +363,7 @@ static int regmap_encx24j600_phy_reg_read(void *context, unsigned int reg,
+ goto err_out;
+
+ usleep_range(26, 100);
+- while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) &&
++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) == 0) &&
+ (mistat & BUSY))
+ cpu_relax();
+
+@@ -401,7 +401,7 @@ static int regmap_encx24j600_phy_reg_write(void *context, unsigned int reg,
+ goto err_out;
+
+ usleep_range(26, 100);
+- while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) != 0) &&
++ while (((ret = regmap_read(ctx->regmap, MISTAT, &mistat)) == 0) &&
+ (mistat & BUSY))
+ cpu_relax();
+
+--
+2.35.1
+
--- /dev/null
+From c3b554c3c5038bb25e5d44270a471f5c76a0665d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 17:42:39 +0800
+Subject: net: hisilicon: Fix potential use-after-free in hisi_femac_rx()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit 4640177049549de1a43e9bc49265f0cdfce08cfd ]
+
+The skb is delivered to napi_gro_receive() which may free it, after
+calling this, dereferencing skb may trigger use-after-free.
+
+Fixes: 542ae60af24f ("net: hisilicon: Add Fast Ethernet MAC driver")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Link: https://lore.kernel.org/r/20221203094240.1240211-1-liujian56@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hisi_femac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hisi_femac.c b/drivers/net/ethernet/hisilicon/hisi_femac.c
+index ced185962ef8..77f61167e238 100644
+--- a/drivers/net/ethernet/hisilicon/hisi_femac.c
++++ b/drivers/net/ethernet/hisilicon/hisi_femac.c
+@@ -295,7 +295,7 @@ static int hisi_femac_rx(struct net_device *dev, int limit)
+ skb->protocol = eth_type_trans(skb, dev);
+ napi_gro_receive(&priv->napi, skb);
+ dev->stats.rx_packets++;
+- dev->stats.rx_bytes += skb->len;
++ dev->stats.rx_bytes += len;
+ next:
+ pos = (pos + 1) % rxq->num;
+ if (rx_pkts_num >= limit)
+--
+2.35.1
+
--- /dev/null
+From 62b015220ae9486b8f7107a117c880a920deccae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 17:42:40 +0800
+Subject: net: hisilicon: Fix potential use-after-free in hix5hd2_rx()
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit 433c07a13f59856e4585e89e86b7d4cc59348fab ]
+
+The skb is delivered to napi_gro_receive() which may free it, after
+calling this, dereferencing skb may trigger use-after-free.
+
+Fixes: 57c5bc9ad7d7 ("net: hisilicon: add hix5hd2 mac driver")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Link: https://lore.kernel.org/r/20221203094240.1240211-2-liujian56@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hix5hd2_gmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c b/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c
+index dd24c352b200..4dc6c3e99d15 100644
+--- a/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c
++++ b/drivers/net/ethernet/hisilicon/hix5hd2_gmac.c
+@@ -498,7 +498,7 @@ static int hix5hd2_rx(struct net_device *dev, int limit)
+ skb->protocol = eth_type_trans(skb, dev);
+ napi_gro_receive(&priv->napi, skb);
+ dev->stats.rx_packets++;
+- dev->stats.rx_bytes += skb->len;
++ dev->stats.rx_bytes += len;
+ next:
+ pos = dma_ring_incr(pos, RX_DESC_NUM);
+ }
+--
+2.35.1
+
--- /dev/null
+From 1259e2a5297fa60af6d29c0449195c7109fc5c83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 10:06:31 +0300
+Subject: net: mvneta: Fix an out of bounds check
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit cdd97383e19d4afe29adc3376025a15ae3bab3a3 ]
+
+In an earlier commit, I added a bounds check to prevent an out of bounds
+read and a WARN(). On further discussion and consideration that check
+was probably too aggressive. Instead of returning -EINVAL, a better fix
+would be to just prevent the out of bounds read but continue the process.
+
+Background: The value of "pp->rxq_def" is a number between 0-7 by default,
+or even higher depending on the value of "rxq_number", which is a module
+parameter. If the value is more than the number of available CPUs then
+it will trigger the WARN() in cpu_max_bits_warn().
+
+Fixes: e8b4fc13900b ("net: mvneta: Prevent out of bounds read in mvneta_config_rss()")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/Y5A7d1E5ccwHTYPf@kadam
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index 86eb258ed811..b2d42d276efd 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -3278,7 +3278,7 @@ static void mvneta_percpu_elect(struct mvneta_port *pp)
+ /* Use the cpu associated to the rxq when it is online, in all
+ * the other cases, use the cpu 0 which can't be offline.
+ */
+- if (cpu_online(pp->rxq_def))
++ if (pp->rxq_def < nr_cpu_ids && cpu_online(pp->rxq_def))
+ elected_cpu = pp->rxq_def;
+
+ max_cpu = num_present_cpus();
+@@ -3761,9 +3761,6 @@ static int mvneta_config_rss(struct mvneta_port *pp)
+ napi_disable(&pcpu_port->napi);
+ }
+
+- if (pp->indir[0] >= nr_cpu_ids)
+- return -EINVAL;
+-
+ pp->rxq_def = pp->indir[0];
+
+ /* Update unicast mapping */
+--
+2.35.1
+
--- /dev/null
+From 27a278aa871ce8ce1b34bac0a33c0b41be9772b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 12:58:26 +0300
+Subject: net: mvneta: Prevent out of bounds read in mvneta_config_rss()
+
+From: Dan Carpenter <error27@gmail.com>
+
+[ Upstream commit e8b4fc13900b8e8be48debffd0dfd391772501f7 ]
+
+The pp->indir[0] value comes from the user. It is passed to:
+
+ if (cpu_online(pp->rxq_def))
+
+inside the mvneta_percpu_elect() function. It needs bounds checkeding
+to ensure that it is not beyond the end of the cpu bitmap.
+
+Fixes: cad5d847a093 ("net: mvneta: Fix the CPU choice in mvneta_percpu_elect")
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index ccacdcfb5932..86eb258ed811 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -3761,6 +3761,9 @@ static int mvneta_config_rss(struct mvneta_port *pp)
+ napi_disable(&pcpu_port->napi);
+ }
+
++ if (pp->indir[0] >= nr_cpu_ids)
++ return -EINVAL;
++
+ pp->rxq_def = pp->indir[0];
+
+ /* Update unicast mapping */
+--
+2.35.1
+
--- /dev/null
+From 875ae531d27b466f19e5cf9f0b2382799ae04761 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 09:53:10 +0800
+Subject: net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 7d8c19bfc8ff3f78e5337107ca9246327fcb6b45 ]
+
+It is not allowed to call kfree_skb() or consume_skb() from
+hardware interrupt context or with interrupts being disabled.
+So replace kfree_skb/dev_kfree_skb() with dev_kfree_skb_irq()
+and dev_consume_skb_irq() under spin_lock_irq().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://lore.kernel.org/r/20221207015310.2984909-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/plip/plip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/plip/plip.c b/drivers/net/plip/plip.c
+index 9c4b41a4df7d..061894ba271c 100644
+--- a/drivers/net/plip/plip.c
++++ b/drivers/net/plip/plip.c
+@@ -449,12 +449,12 @@ plip_bh_timeout_error(struct net_device *dev, struct net_local *nl,
+ }
+ rcv->state = PLIP_PK_DONE;
+ if (rcv->skb) {
+- kfree_skb(rcv->skb);
++ dev_kfree_skb_irq(rcv->skb);
+ rcv->skb = NULL;
+ }
+ snd->state = PLIP_PK_DONE;
+ if (snd->skb) {
+- dev_kfree_skb(snd->skb);
++ dev_consume_skb_irq(snd->skb);
+ snd->skb = NULL;
+ }
+ spin_unlock_irq(&nl->lock);
+--
+2.35.1
+
--- /dev/null
+From 2c62990bf43f1b619a59338f29378dd047f78095 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 13:44:14 -0800
+Subject: NFC: nci: Bounds check struct nfc_target arrays
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit e329e71013c9b5a4535b099208493c7826ee4a64 ]
+
+While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported:
+
+ memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18)
+
+This appears to be a legitimate lack of bounds checking in
+nci_add_new_protocol(). Add the missing checks.
+
+Reported-by: syzbot+210e196cef4711b65139@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/lkml/0000000000001c590f05ee7b3ff4@google.com
+Fixes: 019c4fbaa790 ("NFC: Add NCI multiple targets support")
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20221202214410.never.693-kees@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/ntf.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
+index 1e8c1a12aaec..4f75453c07aa 100644
+--- a/net/nfc/nci/ntf.c
++++ b/net/nfc/nci/ntf.c
+@@ -230,6 +230,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
+ target->sens_res = nfca_poll->sens_res;
+ target->sel_res = nfca_poll->sel_res;
+ target->nfcid1_len = nfca_poll->nfcid1_len;
++ if (target->nfcid1_len > ARRAY_SIZE(target->nfcid1))
++ return -EPROTO;
+ if (target->nfcid1_len > 0) {
+ memcpy(target->nfcid1, nfca_poll->nfcid1,
+ target->nfcid1_len);
+@@ -238,6 +240,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
+ nfcb_poll = (struct rf_tech_specific_params_nfcb_poll *)params;
+
+ target->sensb_res_len = nfcb_poll->sensb_res_len;
++ if (target->sensb_res_len > ARRAY_SIZE(target->sensb_res))
++ return -EPROTO;
+ if (target->sensb_res_len > 0) {
+ memcpy(target->sensb_res, nfcb_poll->sensb_res,
+ target->sensb_res_len);
+@@ -246,6 +250,8 @@ static int nci_add_new_protocol(struct nci_dev *ndev,
+ nfcf_poll = (struct rf_tech_specific_params_nfcf_poll *)params;
+
+ target->sensf_res_len = nfcf_poll->sensf_res_len;
++ if (target->sensf_res_len > ARRAY_SIZE(target->sensf_res))
++ return -EPROTO;
+ if (target->sensf_res_len > 0) {
+ memcpy(target->sensf_res, nfcf_poll->sensf_res,
+ target->sensf_res_len);
+--
+2.35.1
+
media-v4l2-dv-timings.c-fix-too-strict-blanking-sanity-checks.patch
hid-hid-lg4ff-add-check-for-empty-lbuf.patch
hid-core-fix-shift-out-of-bounds-in-hid_report_raw_event.patch
+ieee802154-cc2520-fix-error-return-code-in-cc2520_hw.patch
+gpio-amd8111-fix-pci-device-reference-count-leak.patch
+e1000e-fix-tx-dispatch-condition.patch
+igb-allocate-msi-x-vector-when-testing.patch
+bluetooth-6lowpan-add-missing-hci_dev_put-in-get_l2c.patch
+mac802154-fix-missing-init_list_head-in-ieee802154_i.patch
+net-encx24j600-add-parentheses-to-fix-precedence.patch
+net-encx24j600-fix-invalid-logic-in-reading-of-mista.patch
+net-mvneta-prevent-out-of-bounds-read-in-mvneta_conf.patch
+nfc-nci-bounds-check-struct-nfc_target-arrays.patch
+net-hisilicon-fix-potential-use-after-free-in-hisi_f.patch
+net-hisilicon-fix-potential-use-after-free-in-hix5hd.patch
+tipc-fix-potential-oob-in-tipc_link_proto_rcv.patch
+ethernet-aeroflex-fix-potential-skb-leak-in-greth_in.patch
+xen-netback-fix-build-warning.patch
+net-plip-don-t-call-kfree_skb-dev_kfree_skb-under-sp.patch
+net-mvneta-fix-an-out-of-bounds-check.patch
--- /dev/null
+From 17ba465fd59b19aeda476d706934fda7c67952ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Dec 2022 17:46:35 +0800
+Subject: tipc: Fix potential OOB in tipc_link_proto_rcv()
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 743117a997bbd4840e827295c07e59bcd7f7caa3 ]
+
+Fix the potential risk of OOB if skb_linearize() fails in
+tipc_link_proto_rcv().
+
+Fixes: 5cbb28a4bf65 ("tipc: linearize arriving NAME_DISTR and LINK_PROTO buffers")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Link: https://lore.kernel.org/r/20221203094635.29024-1-yuehaibing@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/link.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/link.c b/net/tipc/link.c
+index 2c1350e811e2..5c063a548093 100644
+--- a/net/tipc/link.c
++++ b/net/tipc/link.c
+@@ -1456,7 +1456,9 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
+ if (tipc_own_addr(l->net) > msg_prevnode(hdr))
+ l->net_plane = msg_net_plane(hdr);
+
+- skb_linearize(skb);
++ if (skb_linearize(skb))
++ goto exit;
++
+ hdr = buf_msg(skb);
+ data = msg_data(hdr);
+
+--
+2.35.1
+
--- /dev/null
+From 83852718b2d461aa76aadaa1e221e96214d0b377 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Dec 2022 08:19:38 +0100
+Subject: xen/netback: fix build warning
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 7dfa764e0223a324366a2a1fc056d4d9d4e95491 ]
+
+Commit ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in
+the non-linear area") introduced a (valid) build warning. There have
+even been reports of this problem breaking networking of Xen guests.
+
+Fixes: ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Tested-by: Jason Andryuk <jandryuk@gmail.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netback/netback.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
+index c7d480c1a066..f82120f81c79 100644
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -523,7 +523,7 @@ static int xenvif_tx_check_gop(struct xenvif_queue *queue,
+ const bool sharedslot = nr_frags &&
+ frag_get_pending_idx(&shinfo->frags[0]) ==
+ copy_pending_idx(skb, copy_count(skb) - 1);
+- int i, err;
++ int i, err = 0;
+
+ for (i = 0; i < copy_count(skb); i++) {
+ int newerr;
+--
+2.35.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
