From: Greg Kroah-Hartman Date: Thu, 22 Jul 2021 15:27:01 +0000 (+0200) Subject: 5.13-stable patches X-Git-Tag: v5.4.135~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=95d844294f2684c6fe9631cb152a13bfca065033;p=thirdparty%2Fkernel%2Fstable-queue.git 5.13-stable patches added patches: dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch net-bcmgenet-ensure-ext_energy_det_mask-is-clear.patch net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch net-do-not-reuse-skbuff-allocated-from-skbuff_fclone_cache-in-the-skb-cache.patch net-dsa-mv88e6xxx-enable-.port_set_policy-on-topaz.patch net-dsa-mv88e6xxx-enable-.rmu_disable-on-topaz.patch net-dsa-mv88e6xxx-enable-devlink-atu-hash-param-for-topaz.patch net-dsa-mv88e6xxx-enable-serdes-pcs-register-dump-via-ethtool-d-on-topaz.patch net-dsa-mv88e6xxx-enable-serdes-rx-stats-for-topaz.patch net-dsa-mv88e6xxx-use-correct-.stats_set_histogram-on-topaz.patch net-dsa-properly-check-for-the-bridge_leave-methods-in-dsa_switch_bridge_leave.patch net-fddi-fix-uaf-in-fza_probe.patch net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch net-marvell-always-set-skb_shared_info-in-mvneta_swbm_add_rx_fragment.patch net-moxa-fix-uaf-in-moxart_mac_probe.patch net-netdevsim-use-xso.real_dev-instead-of-xso.dev-in-callback-functions-of-struct-xfrmdev_ops.patch net-qcom-emac-fix-uaf-in-emac_remove.patch net-sched-act_ct-fix-err-check-for-nf_conntrack_confirm.patch net-sched-act_ct-remove-and-free-nf_table-callbacks.patch net-send-synack-packet-with-accepted-fwmark.patch net-ti-fix-uaf-in-tlan_remove_one.patch net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch netfilter-ctnetlink-suspicious-rcu-usage-in-ctnetlink_dump_helpinfo.patch netfilter-nf_tables-fix-dereference-of-null-pointer-flow.patch vmxnet3-fix-cksum-offload-issues-for-tunnels-with-non-default-udp-ports.patch --- 
diff --git a/queue-5.13/dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch b/queue-5.13/dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch
new file mode 100644
index 00000000000..a6c33b7955c
--- /dev/null
+++ b/queue-5.13/dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch
@@ -0,0 +1,73 @@
+From ffe000217c5068c5da07ccb1c0f8cce7ad767435 Mon Sep 17 00:00:00 2001
+From: Jason Ekstrand
+Date: Thu, 24 Jun 2021 12:47:32 -0500
+Subject: dma-buf/sync_file: Don't leak fences on merge failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jason Ekstrand
+
+commit ffe000217c5068c5da07ccb1c0f8cce7ad767435 upstream.
+
+Each add_fence() call does a dma_fence_get() on the relevant fence. In
+the error path, we weren't calling dma_fence_put() so all those fences
+got leaked. Also, in the krealloc_array failure case, we weren't
+freeing the fences array. Instead, ensure that i and fences are always
+zero-initialized and dma_fence_put() all the fences and kfree(fences) on
+every error path.
+
+Signed-off-by: Jason Ekstrand
+Reviewed-by: Christian König
+Fixes: a02b9dc90d84 ("dma-buf/sync_file: refactor fence storage in struct sync_file")
+Cc: Gustavo Padovan
+Cc: Christian König
+Link: https://patchwork.freedesktop.org/patch/msgid/20210624174732.1754546-1-jason@jlekstrand.net
+Signed-off-by: Christian König
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/dma-buf/sync_file.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/dma-buf/sync_file.c
++++ b/drivers/dma-buf/sync_file.c
+@@ -211,8 +211,8 @@ static struct sync_file *sync_file_merge
+ struct sync_file *b)
+ {
+ struct sync_file *sync_file;
+- struct dma_fence **fences, **nfences, **a_fences, **b_fences;
+- int i, i_a, i_b, num_fences, a_num_fences, b_num_fences;
++ struct dma_fence **fences = NULL, **nfences, **a_fences, **b_fences;
++ int i = 0, i_a, i_b, num_fences, a_num_fences, b_num_fences;
+
+ sync_file = sync_file_alloc();
+ if (!sync_file)
+@@ -236,7 +236,7 @@ static struct sync_file *sync_file_merge
+ * If a sync_file can only be created with sync_file_merge
+ * and sync_file_create, this is a reasonable assumption.
+ */
+- for (i = i_a = i_b = 0; i_a < a_num_fences && i_b < b_num_fences; ) {
++ for (i_a = i_b = 0; i_a < a_num_fences && i_b < b_num_fences; ) {
+ struct dma_fence *pt_a = a_fences[i_a];
+ struct dma_fence *pt_b = b_fences[i_b];
+
+@@ -277,15 +277,16 @@ static struct sync_file *sync_file_merge
+ fences = nfences;
+ }
+
+- if (sync_file_set_fence(sync_file, fences, i) < 0) {
+- kfree(fences);
++ if (sync_file_set_fence(sync_file, fences, i) < 0)
+ goto err;
+- }
+
+ strlcpy(sync_file->user_name, name, sizeof(sync_file->user_name));
+ return sync_file;
+
+ err:
++ while (i)
++ dma_fence_put(fences[--i]);
++ kfree(fences);
+ fput(sync_file->file);
+ return NULL;
+
diff --git a/queue-5.13/net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch b/queue-5.13/net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch
new file mode 100644
index 00000000000..071cd70b39b
--- /dev/null
+++ b/queue-5.13/net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch
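Review bot: The new cleanup at `err:` in the sync_file.c patch is only correct while `i` equals the number of slots in `fences` that hold a reference, and nothing in the hunk states that invariant. With `i` and `fences` now initialised at declaration and the loop header no longer resetting `i`, a later edit that reuses `i` as a scratch index before a `goto err` would make `dma_fence_put(fences[--i])` put the wrong set of fences. I would add a comment above the loop such as `/* fences[0..i) each hold a reference taken by add_fence(); drop them before freeing the array */`. The body of sync_file_merge() between the hunks is not visible here, so whether every `goto err` already respects that invariant is inferred from the commit message.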
@@ -0,0 +1,46 @@
+From 2b452550a203d88112eaf0ba9fc4b750a000b496 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli
+Date: Thu, 8 Jul 2021 18:55:32 -0700
+Subject: net: bcmgenet: Ensure all TX/RX queues DMAs are disabled
+
+From: Florian Fainelli
+
+commit 2b452550a203d88112eaf0ba9fc4b750a000b496 upstream.
+
+Make sure that we disable each of the TX and RX queues in the TDMA and
+RDMA control registers. This is a correctness change to be symmetrical
+with the code that enables the TX and RX queues.
+
+Tested-by: Maxime Ripard
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -3238,15 +3238,21 @@ static void bcmgenet_get_hw_addr(struct
+ /* Returns a reusable dma control register value */
+ static u32 bcmgenet_dma_disable(struct bcmgenet_priv *priv)
+ {
++ unsigned int i;
+ u32 reg;
+ u32 dma_ctrl;
+
+ /* disable DMA */
+ dma_ctrl = 1 << (DESC_INDEX + DMA_RING_BUF_EN_SHIFT) | DMA_EN;
++ for (i = 0; i < priv->hw_params->tx_queues; i++)
++ dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
+ reg = bcmgenet_tdma_readl(priv, DMA_CTRL);
+ reg &= ~dma_ctrl;
+ bcmgenet_tdma_writel(priv, reg, DMA_CTRL);
+
++ dma_ctrl = 1 << (DESC_INDEX + DMA_RING_BUF_EN_SHIFT) | DMA_EN;
++ for (i = 0; i < priv->hw_params->rx_queues; i++)
++ dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
+ reg = bcmgenet_rdma_readl(priv, DMA_CTRL);
+ reg &= ~dma_ctrl;
+ bcmgenet_rdma_writel(priv, reg, DMA_CTRL);
diff --git a/queue-5.13/net-bcmgenet-ensure-ext_energy_det_mask-is-clear.patch b/queue-5.13/net-bcmgenet-ensure-ext_energy_det_mask-is-clear.patch
new file mode 100644
index 00000000000..64e387a10d6
--- /dev/null
+++ b/queue-5.13/net-bcmgenet-ensure-ext_energy_det_mask-is-clear.patch
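Review bot: In bcmgenet_dma_disable() `dma_ctrl` is now rebuilt for RDMA from `rx_queues`, so the last value it holds is the RX mask, while the comment above the function still promises "a reusable dma control register value". The return statement is outside the hunk, but if the function returns `dma_ctrl` and a caller applies it to both TDMA and RDMA, the TX side would be re-enabled with a mask sized by `rx_queues` whenever the two counts differ. Either build the two masks in separate locals and document which one is returned, or update the comment to say which rings the returned value covers. Separately, `1 << (i + DMA_RING_BUF_EN_SHIFT)` shifts a signed int; `BIT(i + DMA_RING_BUF_EN_SHIFT)` would avoid the signed shift before the value is OR-ed into a `u32`.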
@@ -0,0 +1,99 @@
+From 5a3c680aa2c12c90c44af383fe6882a39875ab81 Mon Sep 17 00:00:00 2001
+From: Doug Berger
+Date: Tue, 29 Jun 2021 17:14:19 -0700
+Subject: net: bcmgenet: ensure EXT_ENERGY_DET_MASK is clear
+
+From: Doug Berger
+
+commit 5a3c680aa2c12c90c44af383fe6882a39875ab81 upstream.
+
+Setting the EXT_ENERGY_DET_MASK bit allows the port energy detection
+logic of the internal PHY to prevent the system from sleeping. Some
+internal PHYs will report that energy is detected when the network
+interface is closed which can prevent the system from going to sleep
+if WoL is enabled when the interface is brought down.
+
+Since the driver does not support waking the system on this logic,
+this commit clears the bit whenever the internal PHY is powered up
+and the other logic for manipulating the bit is removed since it
+serves no useful function.
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Doug Berger
+Acked-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 17 ++---------------
+ drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 6 ------
+ 2 files changed, 2 insertions(+), 21 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -1640,7 +1640,8 @@ static void bcmgenet_power_up(struct bcm
+
+ switch (mode) {
+ case GENET_POWER_PASSIVE:
+- reg &= ~(EXT_PWR_DOWN_DLL | EXT_PWR_DOWN_BIAS);
++ reg &= ~(EXT_PWR_DOWN_DLL | EXT_PWR_DOWN_BIAS |
++ EXT_ENERGY_DET_MASK);
+ if (GENET_IS_V5(priv)) {
+ reg &= ~(EXT_PWR_DOWN_PHY_EN |
+ EXT_PWR_DOWN_PHY_RD |
+@@ -3292,7 +3293,6 @@ static int bcmgenet_open(struct net_devi
+ {
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+ unsigned long dma_ctrl;
+- u32 reg;
+ int ret;
+
+ netif_dbg(priv, ifup, dev, "bcmgenet_open\n");
+@@ -3318,12 +3318,6 @@ static int bcmgenet_open(struct net_devi
+
+ bcmgenet_set_hw_addr(priv, dev->dev_addr);
+
+- if (priv->internal_phy) {
+- reg = bcmgenet_ext_readl(priv, EXT_EXT_PWR_MGMT);
+- reg |= EXT_ENERGY_DET_MASK;
+- bcmgenet_ext_writel(priv, reg, EXT_EXT_PWR_MGMT);
+- }
+-
+ /* Disable RX/TX DMA and flush TX queues */
+ dma_ctrl = bcmgenet_dma_disable(priv);
+
+@@ -4139,7 +4133,6 @@ static int bcmgenet_resume(struct device
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+ struct bcmgenet_rxnfc_rule *rule;
+ unsigned long dma_ctrl;
+- u32 reg;
+ int ret;
+
+ if (!netif_running(dev))
+@@ -4176,12 +4169,6 @@ static int bcmgenet_resume(struct device
+ if (rule->state != BCMGENET_RXNFC_STATE_UNUSED)
+ bcmgenet_hfb_create_rxnfc_filter(priv, rule);
+
+- if (priv->internal_phy) {
+- reg = bcmgenet_ext_readl(priv, EXT_EXT_PWR_MGMT);
+- reg |= EXT_ENERGY_DET_MASK;
+- bcmgenet_ext_writel(priv, reg, EXT_EXT_PWR_MGMT);
+- }
+-
+ /* Disable RX/TX DMA and flush TX queues */
+ dma_ctrl = bcmgenet_dma_disable(priv);
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c
+@@ -186,12 +186,6 @@ int bcmgenet_wol_power_down_cfg(struct b
+ reg |= CMD_RX_EN;
+ bcmgenet_umac_writel(priv, reg, UMAC_CMD);
+
+- if (priv->hw_params->flags & GENET_HAS_EXT) {
+- reg = bcmgenet_ext_readl(priv, EXT_EXT_PWR_MGMT);
+- reg &= ~EXT_ENERGY_DET_MASK;
+- bcmgenet_ext_writel(priv, reg, EXT_EXT_PWR_MGMT);
+- }
+-
+ reg = UMAC_IRQ_MPD_R;
+ if (hfb_enable)
+ reg |= UMAC_IRQ_HFB_SM | UMAC_IRQ_HFB_MM;
diff --git a/queue-5.13/net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch b/queue-5.13/net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch
new file mode 100644
index 00000000000..6be622e8585
--- /dev/null
+++ b/queue-5.13/net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch
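Review bot: The one added line in bcmgenet_power_up() carries the whole policy of the EXT_ENERGY_DET_MASK patch, yet the code gives no hint why the bit is cleared alongside the power-down bits. Since the set and clear sites in bcmgenet_open(), bcmgenet_resume() and bcmgenet_wol_power_down_cfg() are removed, a comment on the `GENET_POWER_PASSIVE` case would keep the bit from being reintroduced, for example `/* keep EXT_ENERGY_DET_MASK clear: the driver cannot wake on PHY energy detect and a set bit can block suspend */`. The clear happens only in this case of the switch; the other cases are outside the hunk, so whether they can leave the bit set is not visible here.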
@@ -0,0 +1,73 @@
+From a019abd8022061b917da767cd1a66ed823724eab Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller
+Date: Fri, 2 Jul 2021 14:07:36 +0200
+Subject: net: bridge: sync fdb to new unicast-filtering ports
+
+From: Wolfgang Bumiller
+
+commit a019abd8022061b917da767cd1a66ed823724eab upstream.
+
+Since commit 2796d0c648c9 ("bridge: Automatically manage
+port promiscuous mode.")
+bridges with `vlan_filtering 1` and only 1 auto-port don't
+set IFF_PROMISC for unicast-filtering-capable ports.
+
+Normally on port changes `br_manage_promisc` is called to
+update the promisc flags and unicast filters if necessary,
+but it cannot distinguish between *new* ports and ones
+losing their promisc flag, and new ports end up not
+receiving the MAC address list.
+
+Fix this by calling `br_fdb_sync_static` in `br_add_if`
+after the port promisc flags are updated and the unicast
+filter was supposed to have been filled.
+
+Fixes: 2796d0c648c9 ("bridge: Automatically manage port promiscuous mode.")
+Signed-off-by: Wolfgang Bumiller
+Acked-by: Nikolay Aleksandrov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bridge/br_if.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br_if.c
++++ b/net/bridge/br_if.c
+@@ -562,7 +562,7 @@ int br_add_if(struct net_bridge *br, str
+ struct net_bridge_port *p;
+ int err = 0;
+ unsigned br_hr, dev_hr;
+- bool changed_addr;
++ bool changed_addr, fdb_synced = false;
+
+ /* Don't allow bridging non-ethernet like devices. */
+ if ((dev->flags & IFF_LOOPBACK) ||
+@@ -652,6 +652,19 @@ int br_add_if(struct net_bridge *br, str
+ list_add_rcu(&p->list, &br->port_list);
+
+ nbp_update_port_count(br);
++ if (!br_promisc_port(p) && (p->dev->priv_flags & IFF_UNICAST_FLT)) {
++ /* When updating the port count we also update all ports'
++ * promiscuous mode.
++ * A port leaving promiscuous mode normally gets the bridge's
++ * fdb synced to the unicast filter (if supported), however,
++ * `br_port_clear_promisc` does not distinguish between
++ * non-promiscuous ports and *new* ports, so we need to
++ * sync explicitly here.
++ */
++ fdb_synced = br_fdb_sync_static(br, p) == 0;
++ if (!fdb_synced)
++ netdev_err(dev, "failed to sync bridge static fdb addresses to this port\n");
++ }
+
+ netdev_update_features(br->dev);
+
+@@ -701,6 +714,8 @@ int br_add_if(struct net_bridge *br, str
+ return 0;
+
+ err7:
++ if (fdb_synced)
++ br_fdb_unsync_static(br, p);
+ list_del_rcu(&p->list);
+ br_fdb_delete_by_port(br, p, 0, 1);
+ nbp_update_port_count(br);
diff --git a/queue-5.13/net-do-not-reuse-skbuff-allocated-from-skbuff_fclone_cache-in-the-skb-cache.patch b/queue-5.13/net-do-not-reuse-skbuff-allocated-from-skbuff_fclone_cache-in-the-skb-cache.patch
new file mode 100644
index 00000000000..1ba1aef0dc2
--- /dev/null
+++ b/queue-5.13/net-do-not-reuse-skbuff-allocated-from-skbuff_fclone_cache-in-the-skb-cache.patch
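Review bot: When `br_fdb_sync_static(br, p)` fails, the new block in br_add_if() only logs with `netdev_err()` and carries on, which leaves the port non-promiscuous with a unicast filter that lacks the bridge's static addresses, the very state this patch sets out to fix. If that is an accepted best-effort, the comment should say so; otherwise record the error and unwind, e.g. `err = br_fdb_sync_static(br, p); if (err) goto err7;`. As patched, `err7` calls `br_fdb_unsync_static()` only when `fdb_synced` is true, so such an unwind would stay balanced. The code between the two hunks is outside the view, so whether `err7` is the right label for a failure at this point is an assumption.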
@@ -0,0 +1,59 @@
+From 28b34f01a73435a754956ebae826e728c03ffa38 Mon Sep 17 00:00:00 2001
+From: Antoine Tenart
+Date: Fri, 9 Jul 2021 18:16:09 +0200
+Subject: net: do not reuse skbuff allocated from skbuff_fclone_cache in the skb cache
+
+From: Antoine Tenart
+
+commit 28b34f01a73435a754956ebae826e728c03ffa38 upstream.
+
+Some socket buffers allocated in the fclone cache (in __alloc_skb) can
+end-up in the following path[1]:
+
+napi_skb_finish
+ __kfree_skb_defer
+ napi_skb_cache_put
+
+The issue is napi_skb_cache_put is not fclone friendly and will put
+those skbuff in the skb cache to be reused later, although this cache
+only expects skbuff allocated from skbuff_head_cache. When this happens
+the skbuff is eventually freed using the wrong origin cache, and we can
+see traces similar to:
+
+[ 1223.947534] cache_from_obj: Wrong slab cache. skbuff_head_cache but object is from skbuff_fclone_cache
+[ 1223.948895] WARNING: CPU: 3 PID: 0 at mm/slab.h:442 kmem_cache_free+0x251/0x3e0
+[ 1223.950211] Modules linked in:
+[ 1223.950680] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 5.13.0+ #474
+[ 1223.951587] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-3.fc34 04/01/2014
+[ 1223.953060] RIP: 0010:kmem_cache_free+0x251/0x3e0
+
+Leading sometimes to other memory related issues.
+
+Fix this by using __kfree_skb for fclone skbuff, similar to what is done
+the other place __kfree_skb_defer is called.
+
+[1] At least in setups using veth pairs and tunnels. Building a kernel
+ with KASAN we can for example see packets allocated in
+ sk_stream_alloc_skb hit the above path and later the issue arises
+ when the skbuff is reused.
+
+Fixes: 9243adfc311a ("skbuff: queue NAPI_MERGED_FREE skbs into NAPI cache instead of freeing")
+Cc: Alexander Lobakin
+Signed-off-by: Antoine Tenart
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -6194,6 +6194,8 @@ static gro_result_t napi_skb_finish(stru
+ case GRO_MERGED_FREE:
+ if (NAPI_GRO_CB(skb)->free == NAPI_GRO_FREE_STOLEN_HEAD)
+ napi_skb_free_stolen_head(skb);
++ else if (skb->fclone != SKB_FCLONE_UNAVAILABLE)
++ __kfree_skb(skb);
+ else
+ __kfree_skb_defer(skb);
+ break;
diff --git a/queue-5.13/net-dsa-mv88e6xxx-enable-.port_set_policy-on-topaz.patch b/queue-5.13/net-dsa-mv88e6xxx-enable-.port_set_policy-on-topaz.patch
new file mode 100644
index 00000000000..b37622088b3
--- /dev/null
+++ b/queue-5.13/net-dsa-mv88e6xxx-enable-.port_set_policy-on-topaz.patch
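Review bot: The new `else if` branch in napi_skb_finish() has no comment, and the reason it exists is not obvious from the code: per the commit message, `__kfree_skb_defer()` hands the skb to the NAPI skb cache, which only expects objects from skbuff_head_cache. I would add a line above the test, e.g. `/* fclone skbs come from skbuff_fclone_cache and must not enter the NAPI skb cache */`, so the branch is not folded back into the deferred path during a later cleanup. The commit message says the same check exists at the other `__kfree_skb_defer()` call site; that site is not in this hunk, so whether the two could share one helper cannot be judged from here.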
@@ -0,0 +1,45 @@
+From 7da467d82d1ed4fb317aff836f99709169e73f10 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?=
+Date: Thu, 1 Jul 2021 00:22:26 +0200
+Subject: net: dsa: mv88e6xxx: enable .port_set_policy() on Topaz
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún
+
+commit 7da467d82d1ed4fb317aff836f99709169e73f10 upstream.
+
+Commit f3a2cd326e44 ("net: dsa: mv88e6xxx: introduce .port_set_policy")
+introduced .port_set_policy() method with implementation for several
+models, but forgot to add Topaz, which can use the 6352 implementation.
+
+Use the 6352 implementation of .port_set_policy() on Topaz.
+
+Signed-off-by: Marek Behún
+Fixes: f3a2cd326e44 ("net: dsa: mv88e6xxx: introduce .port_set_policy")
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3583,6 +3583,7 @@ static const struct mv88e6xxx_ops mv88e6
+ .port_set_speed_duplex = mv88e6341_port_set_speed_duplex,
+ .port_max_speed_mode = mv88e6341_port_max_speed_mode,
+ .port_tag_remap = mv88e6095_port_tag_remap,
++ .port_set_policy = mv88e6352_port_set_policy,
+ .port_set_frame_mode = mv88e6351_port_set_frame_mode,
+ .port_set_ucast_flood = mv88e6352_port_set_ucast_flood,
+ .port_set_mcast_flood = mv88e6352_port_set_mcast_flood,
+@@ -4383,6 +4384,7 @@ static const struct mv88e6xxx_ops mv88e6
+ .port_set_speed_duplex = mv88e6341_port_set_speed_duplex,
+ .port_max_speed_mode = mv88e6341_port_max_speed_mode,
+ .port_tag_remap = mv88e6095_port_tag_remap,
++ .port_set_policy = mv88e6352_port_set_policy,
+ .port_set_frame_mode = mv88e6351_port_set_frame_mode,
+ .port_set_ucast_flood = mv88e6352_port_set_ucast_flood,
+ .port_set_mcast_flood = mv88e6352_port_set_mcast_flood,
diff --git a/queue-5.13/net-dsa-mv88e6xxx-enable-.rmu_disable-on-topaz.patch b/queue-5.13/net-dsa-mv88e6xxx-enable-.rmu_disable-on-topaz.patch
new file mode 100644
index 00000000000..b128b656da5
--- /dev/null
+++ b/queue-5.13/net-dsa-mv88e6xxx-enable-.rmu_disable-on-topaz.patch
@@ -0,0 +1,45 @@
+From 3709488790022c85720f991bff50d48ed5a36e6a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?=
+Date: Thu, 1 Jul 2021 00:22:28 +0200
+Subject: net: dsa: mv88e6xxx: enable .rmu_disable() on Topaz
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún
+
+commit 3709488790022c85720f991bff50d48ed5a36e6a upstream.
+
+Commit 9e5baf9b36367 ("net: dsa: mv88e6xxx: add RMU disable op")
+introduced .rmu_disable() method with implementation for several models,
+but forgot to add Topaz, which can use the Peridot implementation.
+
+Use the Peridot implementation of .rmu_disable() on Topaz.
+
+Signed-off-by: Marek Behún
+Fixes: 9e5baf9b36367 ("net: dsa: mv88e6xxx: add RMU disable op")
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3607,6 +3607,7 @@ static const struct mv88e6xxx_ops mv88e6
+ .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu,
+ .pot_clear = mv88e6xxx_g2_pot_clear,
+ .reset = mv88e6352_g1_reset,
++ .rmu_disable = mv88e6390_g1_rmu_disable,
+ .vtu_getnext = mv88e6352_g1_vtu_getnext,
+ .vtu_loadpurge = mv88e6352_g1_vtu_loadpurge,
+ .serdes_power = mv88e6390_serdes_power,
+@@ -4408,6 +4409,7 @@ static const struct mv88e6xxx_ops mv88e6
+ .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu,
+ .pot_clear = mv88e6xxx_g2_pot_clear,
+ .reset = mv88e6352_g1_reset,
++ .rmu_disable = mv88e6390_g1_rmu_disable,
+ .vtu_getnext = mv88e6352_g1_vtu_getnext,
+ .vtu_loadpurge = mv88e6352_g1_vtu_loadpurge,
+ .serdes_power = mv88e6390_serdes_power,
diff --git a/queue-5.13/net-dsa-mv88e6xxx-enable-devlink-atu-hash-param-for-topaz.patch b/queue-5.13/net-dsa-mv88e6xxx-enable-devlink-atu-hash-param-for-topaz.patch
new file mode 100644
index 00000000000..4677eb89578
--- /dev/null
+++ b/queue-5.13/net-dsa-mv88e6xxx-enable-devlink-atu-hash-param-for-topaz.patch
@@ -0,0 +1,47 @@
+From c07fff3492acae41cedbabea395b644dd5872b8c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?=
+Date: Thu, 1 Jul 2021 00:22:29 +0200
+Subject: net: dsa: mv88e6xxx: enable devlink ATU hash param for Topaz
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún
+
+commit c07fff3492acae41cedbabea395b644dd5872b8c upstream.
+
+Commit 23e8b470c7788 ("net: dsa: mv88e6xxx: Add devlink param for ATU
+hash algorithm.") introduced ATU hash algorithm access via devlink, but
+did not enable it for Topaz.
+
+Enable this feature also for Topaz.
+
+Signed-off-by: Marek Behún
+Fixes: 23e8b470c7788 ("net: dsa: mv88e6xxx: Add devlink param for ATU hash algorithm.")
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3608,6 +3608,8 @@ static const struct mv88e6xxx_ops mv88e6
+ .pot_clear = mv88e6xxx_g2_pot_clear,
+ .reset = mv88e6352_g1_reset,
+ .rmu_disable = mv88e6390_g1_rmu_disable,
++ .atu_get_hash = mv88e6165_g1_atu_get_hash,
++ .atu_set_hash = mv88e6165_g1_atu_set_hash,
+ .vtu_getnext = mv88e6352_g1_vtu_getnext,
+ .vtu_loadpurge = mv88e6352_g1_vtu_loadpurge,
+ .serdes_power = mv88e6390_serdes_power,
+@@ -4410,6 +4412,8 @@ static const struct mv88e6xxx_ops mv88e6
+ .pot_clear = mv88e6xxx_g2_pot_clear,
+ .reset = mv88e6352_g1_reset,
+ .rmu_disable = mv88e6390_g1_rmu_disable,
++ .atu_get_hash = mv88e6165_g1_atu_get_hash,
++ .atu_set_hash = mv88e6165_g1_atu_set_hash,
+ .vtu_getnext = mv88e6352_g1_vtu_getnext,
+ .vtu_loadpurge = mv88e6352_g1_vtu_loadpurge,
+ .serdes_power = mv88e6390_serdes_power,
diff --git a/queue-5.13/net-dsa-mv88e6xxx-enable-serdes-pcs-register-dump-via-ethtool-d-on-topaz.patch b/queue-5.13/net-dsa-mv88e6xxx-enable-serdes-pcs-register-dump-via-ethtool-d-on-topaz.patch
new file mode 100644
index 00000000000..d5c4d313677
--- /dev/null
+++ b/queue-5.13/net-dsa-mv88e6xxx-enable-serdes-pcs-register-dump-via-ethtool-d-on-topaz.patch
@@ -0,0 +1,48 @@
+From 953b0dcbe2e3f7bee98cc3bca2ec82c8298e9c16 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?=
+Date: Thu, 1 Jul 2021 00:22:31 +0200
+Subject: net: dsa: mv88e6xxx: enable SerDes PCS register dump via ethtool -d on Topaz
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún
+
+commit 953b0dcbe2e3f7bee98cc3bca2ec82c8298e9c16 upstream.
+
+Commit bf3504cea7d7e ("net: dsa: mv88e6xxx: Add 6390 family PCS
+registers to ethtool -d") added support for dumping SerDes PCS registers
+via ethtool -d for Peridot.
+
+The same implementation is also valid for Topaz, but was not
+enabled at the time.
+
+Signed-off-by: Marek Behún
+Fixes: bf3504cea7d7e ("net: dsa: mv88e6xxx: Add 6390 family PCS registers to ethtool -d")
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3626,6 +3626,8 @@ static const struct mv88e6xxx_ops mv88e6
+ .serdes_get_sset_count = mv88e6390_serdes_get_sset_count,
+ .serdes_get_strings = mv88e6390_serdes_get_strings,
+ .serdes_get_stats = mv88e6390_serdes_get_stats,
++ .serdes_get_regs_len = mv88e6390_serdes_get_regs_len,
++ .serdes_get_regs = mv88e6390_serdes_get_regs,
+ .phylink_validate = mv88e6341_phylink_validate,
+ };
+
+@@ -4435,6 +4437,8 @@ static const struct mv88e6xxx_ops mv88e6
+ .serdes_get_sset_count = mv88e6390_serdes_get_sset_count,
+ .serdes_get_strings = mv88e6390_serdes_get_strings,
+ .serdes_get_stats = mv88e6390_serdes_get_stats,
++ .serdes_get_regs_len = mv88e6390_serdes_get_regs_len,
++ .serdes_get_regs = mv88e6390_serdes_get_regs,
+ .phylink_validate = mv88e6341_phylink_validate,
+ };
+
diff --git a/queue-5.13/net-dsa-mv88e6xxx-enable-serdes-rx-stats-for-topaz.patch b/queue-5.13/net-dsa-mv88e6xxx-enable-serdes-rx-stats-for-topaz.patch
new file mode 100644
index 00000000000..766d1e61204
--- /dev/null
+++ b/queue-5.13/net-dsa-mv88e6xxx-enable-serdes-rx-stats-for-topaz.patch
@@ -0,0 +1,82 @@
+From a03b98d68367b18e5db6d6850e2cc18754fba94a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?=
+Date: Thu, 1 Jul 2021 00:22:30 +0200
+Subject: net: dsa: mv88e6xxx: enable SerDes RX stats for Topaz
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún
+
+commit a03b98d68367b18e5db6d6850e2cc18754fba94a upstream.
+
+Commit 0df952873636a ("mv88e6xxx: Add serdes Rx statistics") added
+support for RX statistics on SerDes ports for Peridot.
+
+This same implementation is also valid for Topaz, but was not enabled
+at the time.
+
+We need to use the generic .serdes_get_lane() method instead of the
+Peridot specific one in the stats methods so that on Topaz the proper
+one is used.
+
+Signed-off-by: Marek Behún
+Fixes: 0df952873636a ("mv88e6xxx: Add serdes Rx statistics")
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 6 ++++++
+ drivers/net/dsa/mv88e6xxx/serdes.c | 6 +++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3623,6 +3623,9 @@ static const struct mv88e6xxx_ops mv88e6
+ .serdes_irq_enable = mv88e6390_serdes_irq_enable,
+ .serdes_irq_status = mv88e6390_serdes_irq_status,
+ .gpio_ops = &mv88e6352_gpio_ops,
++ .serdes_get_sset_count = mv88e6390_serdes_get_sset_count,
++ .serdes_get_strings = mv88e6390_serdes_get_strings,
++ .serdes_get_stats = mv88e6390_serdes_get_stats,
+ .phylink_validate = mv88e6341_phylink_validate,
+ };
+
+@@ -4429,6 +4432,9 @@ static const struct mv88e6xxx_ops mv88e6
+ .gpio_ops = &mv88e6352_gpio_ops,
+ .avb_ops = &mv88e6390_avb_ops,
+ .ptp_ops = &mv88e6352_ptp_ops,
++ .serdes_get_sset_count = mv88e6390_serdes_get_sset_count,
++ .serdes_get_strings = mv88e6390_serdes_get_strings,
++ .serdes_get_stats = mv88e6390_serdes_get_stats,
+ .phylink_validate = mv88e6341_phylink_validate,
+ };
+
+--- a/drivers/net/dsa/mv88e6xxx/serdes.c
++++ b/drivers/net/dsa/mv88e6xxx/serdes.c
+@@ -722,7 +722,7 @@ static struct mv88e6390_serdes_hw_stat m
+
+ int mv88e6390_serdes_get_sset_count(struct mv88e6xxx_chip *chip, int port)
+ {
+- if (mv88e6390_serdes_get_lane(chip, port) < 0)
++ if (mv88e6xxx_serdes_get_lane(chip, port) < 0)
+ return 0;
+
+ return ARRAY_SIZE(mv88e6390_serdes_hw_stats);
+@@ -734,7 +734,7 @@ int mv88e6390_serdes_get_strings(struct
+ struct mv88e6390_serdes_hw_stat *stat;
+ int i;
+
+- if (mv88e6390_serdes_get_lane(chip, port) < 0)
++ if (mv88e6xxx_serdes_get_lane(chip, port) < 0)
+ return 0;
+
+ for (i = 0; i < ARRAY_SIZE(mv88e6390_serdes_hw_stats); i++) {
+@@ -770,7 +770,7 @@ int mv88e6390_serdes_get_stats(struct mv
+ int lane;
+ int i;
+
+- lane = mv88e6390_serdes_get_lane(chip, port);
++ lane = mv88e6xxx_serdes_get_lane(chip, port);
+ if (lane < 0)
+ return 0;
+
diff --git a/queue-5.13/net-dsa-mv88e6xxx-use-correct-.stats_set_histogram-on-topaz.patch b/queue-5.13/net-dsa-mv88e6xxx-use-correct-.stats_set_histogram-on-topaz.patch
new file mode 100644
index 00000000000..b239c42bfec
--- /dev/null
+++ b/queue-5.13/net-dsa-mv88e6xxx-use-correct-.stats_set_histogram-on-topaz.patch
@@ -0,0 +1,46 @@
+From 11527f3c4725640e6c40a2b7654e303f45e82a6c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?=
+Date: Thu, 1 Jul 2021 00:22:27 +0200
+Subject: net: dsa: mv88e6xxx: use correct .stats_set_histogram() on Topaz
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún
+
+commit 11527f3c4725640e6c40a2b7654e303f45e82a6c upstream.
+
+Commit 40cff8fca9e3 ("net: dsa: mv88e6xxx: Fix stats histogram mode")
+introduced wrong .stats_set_histogram() method for Topaz family.
+
+The Peridot method should be used instead.
+
+Signed-off-by: Marek Behún
+Fixes: 40cff8fca9e3 ("net: dsa: mv88e6xxx: Fix stats histogram mode")
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3597,7 +3597,7 @@ static const struct mv88e6xxx_ops mv88e6
+ .port_set_cmode = mv88e6341_port_set_cmode,
+ .port_setup_message_port = mv88e6xxx_setup_message_port,
+ .stats_snapshot = mv88e6390_g1_stats_snapshot,
+- .stats_set_histogram = mv88e6095_g1_stats_set_histogram,
++ .stats_set_histogram = mv88e6390_g1_stats_set_histogram,
+ .stats_get_sset_count = mv88e6320_stats_get_sset_count,
+ .stats_get_strings = mv88e6320_stats_get_strings,
+ .stats_get_stats = mv88e6390_stats_get_stats,
+@@ -4398,7 +4398,7 @@ static const struct mv88e6xxx_ops mv88e6
+ .port_set_cmode = mv88e6341_port_set_cmode,
+ .port_setup_message_port = mv88e6xxx_setup_message_port,
+ .stats_snapshot = mv88e6390_g1_stats_snapshot,
+- .stats_set_histogram = mv88e6095_g1_stats_set_histogram,
++ .stats_set_histogram = mv88e6390_g1_stats_set_histogram,
+ .stats_get_sset_count = mv88e6320_stats_get_sset_count,
+ .stats_get_strings = mv88e6320_stats_get_strings,
+ .stats_get_stats = mv88e6390_stats_get_stats,
diff --git a/queue-5.13/net-dsa-properly-check-for-the-bridge_leave-methods-in-dsa_switch_bridge_leave.patch b/queue-5.13/net-dsa-properly-check-for-the-bridge_leave-methods-in-dsa_switch_bridge_leave.patch
new file mode 100644
index 00000000000..897fb5cf3d9
--- /dev/null
+++ b/queue-5.13/net-dsa-properly-check-for-the-bridge_leave-methods-in-dsa_switch_bridge_leave.patch
@@ -0,0 +1,38 @@
+From bcb9928a155444dbd212473e60241ca0a7f641e1 Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean
+Date: Tue, 13 Jul 2021 12:40:21 +0300
+Subject: net: dsa: properly check for the bridge_leave methods in dsa_switch_bridge_leave()
+
+From: Vladimir Oltean
+
+commit bcb9928a155444dbd212473e60241ca0a7f641e1 upstream.
+
+This was not caught because there is no switch driver which implements
+the .port_bridge_join but not .port_bridge_leave method, but it should
+nonetheless be fixed, as in certain conditions (driver development) it
+might lead to NULL pointer dereference.
+
+Fixes: f66a6a69f97a ("net: dsa: permit cross-chip bridging between all trees in the system")
+Signed-off-by: Vladimir Oltean
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dsa/switch.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/dsa/switch.c
++++ b/net/dsa/switch.c
+@@ -110,11 +110,11 @@ static int dsa_switch_bridge_leave(struc
+ int err, port;
+
+ if (dst->index == info->tree_index && ds->index == info->sw_index &&
+- ds->ops->port_bridge_join)
++ ds->ops->port_bridge_leave)
+ ds->ops->port_bridge_leave(ds, info->port, info->br);
+
+ if ((dst->index != info->tree_index || ds->index != info->sw_index) &&
+- ds->ops->crosschip_bridge_join)
++ ds->ops->crosschip_bridge_leave)
+ ds->ops->crosschip_bridge_leave(ds, info->tree_index,
+ info->sw_index, info->port,
+ info->br);
diff --git a/queue-5.13/net-fddi-fix-uaf-in-fza_probe.patch b/queue-5.13/net-fddi-fix-uaf-in-fza_probe.patch
new file mode 100644
index 00000000000..5371fa4b9a5
--- /dev/null
+++ b/queue-5.13/net-fddi-fix-uaf-in-fza_probe.patch
@@ -0,0 +1,35 @@
+From deb7178eb940e2c5caca1b1db084a69b2e59b4c9 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Tue, 13 Jul 2021 13:58:53 +0300
+Subject: net: fddi: fix UAF in fza_probe
+
+From: Pavel Skripkin
+
+commit deb7178eb940e2c5caca1b1db084a69b2e59b4c9 upstream.
+
+fp is netdev private data and it cannot be
+used after free_netdev() call. Using fp after free_netdev()
+can cause UAF bug. Fix it by moving free_netdev() after error message.
+
+Fixes: 61414f5ec983 ("FDDI: defza: Add support for DEC FDDIcontroller 700
+TURBOchannel adapter")
+Signed-off-by: Pavel Skripkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/fddi/defza.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/fddi/defza.c
++++ b/drivers/net/fddi/defza.c
+@@ -1504,9 +1504,8 @@ err_out_resource:
+ release_mem_region(start, len);
+
+ err_out_kfree:
+- free_netdev(dev);
+-
+ pr_err("%s: initialization failure, aborting!\n", fp->name);
++ free_netdev(dev);
+ return ret;
+ }
+
diff --git a/queue-5.13/net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch b/queue-5.13/net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch
new file mode 100644
index 00000000000..a6a2c7ef5b0
--- /dev/null
+++ b/queue-5.13/net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch
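Review bot: The reordered error path in fza_probe() is right only because `fp` points into memory owned by `dev`, and that dependency is invisible at the `err_out_kfree:` label. A short comment would keep the two statements from being swapped back, e.g. `/* fp is netdev private data: log before free_netdev() releases it */`. The hunk starts inside the function's error labels, so whether every jump to `err_out_kfree` happens after `fp->name` has been filled in is not visible here.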
@@ -0,0 +1,86 @@ +From 9992a078b1771da354ac1f9737e1e639b687caa2 Mon Sep 17 00:00:00 2001 +From: Hangbin Liu +Date: Fri, 9 Jul 2021 11:45:02 +0800 +Subject: net: ip_tunnel: fix mtu calculation for ETHER tunnel devices + +From: Hangbin Liu + +commit 9992a078b1771da354ac1f9737e1e639b687caa2 upstream. + +Commit 28e104d00281 ("net: ip_tunnel: fix mtu calculation") removed +dev->hard_header_len subtraction when calculate MTU for tunnel devices +as there is an overhead for device that has header_ops. + +But there are ETHER tunnel devices, like gre_tap or erspan, which don't +have header_ops but set dev->hard_header_len during setup. This makes +pkts greater than (MTU - ETH_HLEN) could not be xmited. Fix it by +subtracting the ETHER tunnel devices' dev->hard_header_len for MTU +calculation. + +Fixes: 28e104d00281 ("net: ip_tunnel: fix mtu calculation") +Reported-by: Jianlin Shi +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_tunnel.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -317,7 +317,7 @@ static int ip_tunnel_bind_dev(struct net + } + + dev->needed_headroom = t_hlen + hlen; +- mtu -= t_hlen; ++ mtu -= t_hlen + (dev->type == ARPHRD_ETHER ? dev->hard_header_len : 0); + + if (mtu < IPV4_MIN_MTU) + mtu = IPV4_MIN_MTU; +@@ -348,6 +348,9 @@ static struct ip_tunnel *ip_tunnel_creat + t_hlen = nt->hlen + sizeof(struct iphdr); + dev->min_mtu = ETH_MIN_MTU; + dev->max_mtu = IP_MAX_MTU - t_hlen; ++ if (dev->type == ARPHRD_ETHER) ++ dev->max_mtu -= dev->hard_header_len; ++ + ip_tunnel_add(itn, nt); + return nt; + +@@ -489,11 +492,14 @@ static int tnl_update_pmtu(struct net_de + + tunnel_hlen = md ? tunnel_hlen : tunnel->hlen; + pkt_size = skb->len - tunnel_hlen; ++ pkt_size -= dev->type == ARPHRD_ETHER ? 
dev->hard_header_len : 0; + +- if (df) ++ if (df) { + mtu = dst_mtu(&rt->dst) - (sizeof(struct iphdr) + tunnel_hlen); +- else ++ mtu -= dev->type == ARPHRD_ETHER ? dev->hard_header_len : 0; ++ } else { + mtu = skb_valid_dst(skb) ? dst_mtu(skb_dst(skb)) : dev->mtu; ++ } + + if (skb_valid_dst(skb)) + skb_dst_update_pmtu_no_confirm(skb, mtu); +@@ -972,6 +978,9 @@ int __ip_tunnel_change_mtu(struct net_de + int t_hlen = tunnel->hlen + sizeof(struct iphdr); + int max_mtu = IP_MAX_MTU - t_hlen; + ++ if (dev->type == ARPHRD_ETHER) ++ max_mtu -= dev->hard_header_len; ++ + if (new_mtu < ETH_MIN_MTU) + return -EINVAL; + +@@ -1149,6 +1158,9 @@ int ip_tunnel_newlink(struct net_device + if (tb[IFLA_MTU]) { + unsigned int max = IP_MAX_MTU - (nt->hlen + sizeof(struct iphdr)); + ++ if (dev->type == ARPHRD_ETHER) ++ max -= dev->hard_header_len; ++ + mtu = clamp(dev->mtu, (unsigned int)ETH_MIN_MTU, max); + } + diff --git a/queue-5.13/net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch b/queue-5.13/net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch new file mode 100644 index 00000000000..4342d0600a7 --- /dev/null +++ b/queue-5.13/net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch 
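Review bot: The Ethernet-header adjustment `dev->type == ARPHRD_ETHER ? dev->hard_header_len : 0` is now written out six times across ip_tunnel_bind_dev(), ip_tunnel_create(), tnl_update_pmtu(), __ip_tunnel_change_mtu() and ip_tunnel_newlink(), some as a ternary and some as an `if`, so a later change to one site can leave the others computing a different MTU. A single static inline helper in ip_tunnel.c that returns this value would keep the sites in step. In tnl_update_pmtu() the added `mtu -= ...` lowers `mtu` with no lower bound visible in the hunk; the function continues outside the hunk, so whether a floor is applied before the value is used has to be confirmed there.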
@@ -0,0 +1,49 @@
+From 40fc3054b45820c28ea3c65e2c86d041dc244a8a Mon Sep 17 00:00:00 2001
+From: Vadim Fedorenko
+Date: Fri, 2 Jul 2021 02:47:00 +0300
+Subject: net: ipv6: fix return value of ip6_skb_dst_mtu
+
+From: Vadim Fedorenko
+
+commit 40fc3054b45820c28ea3c65e2c86d041dc244a8a upstream.
+
+Commit 628a5c561890 ("[INET]: Add IP(V6)_PMTUDISC_RPOBE") introduced
+ip6_skb_dst_mtu with return value of signed int which is inconsistent
+with actually returned values. Also 2 users of this function actually
+assign its value to unsigned int variable and only __xfrm6_output
+assigns result of this function to signed variable but actually uses
+as unsigned in further comparisons and calls. Change this function
+to return unsigned int value.
+
+Fixes: 628a5c561890 ("[INET]: Add IP(V6)_PMTUDISC_RPOBE")
+Reviewed-by: David Ahern
+Signed-off-by: Vadim Fedorenko
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/ip6_route.h | 2 +-
+ net/ipv6/xfrm6_output.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/net/ip6_route.h
++++ b/include/net/ip6_route.h
+@@ -263,7 +263,7 @@ static inline bool ipv6_anycast_destinat
+ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+ int (*output)(struct net *, struct sock *, struct sk_buff *));
+
+-static inline int ip6_skb_dst_mtu(struct sk_buff *skb)
++static inline unsigned int ip6_skb_dst_mtu(struct sk_buff *skb)
+ {
+ int mtu;
+
+--- a/net/ipv6/xfrm6_output.c
++++ b/net/ipv6/xfrm6_output.c
+@@ -56,7 +56,7 @@ static int __xfrm6_output(struct net *ne
+ {
+ struct dst_entry *dst = skb_dst(skb);
+ struct xfrm_state *x = dst->xfrm;
+- int mtu;
++ unsigned int mtu;
+ bool toobig;
+
+ #ifdef CONFIG_NETFILTER
diff --git a/queue-5.13/net-marvell-always-set-skb_shared_info-in-mvneta_swbm_add_rx_fragment.patch b/queue-5.13/net-marvell-always-set-skb_shared_info-in-mvneta_swbm_add_rx_fragment.patch
new file mode 100644
index 00000000000..4d81fc14178
--- /dev/null
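Review bot: The local in ip6_skb_dst_mtu() is still declared `int mtu;` (the context line right after the changed signature in include/net/ip6_route.h), so the value is computed as signed and only converted at the return. Declaring it `unsigned int mtu;` would match the new return type and the change made to __xfrm6_output() in the second file. The body of ip6_skb_dst_mtu() continues outside the hunk, so check that nothing there depends on a negative intermediate before changing the declaration.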
+++ b/queue-5.13/net-marvell-always-set-skb_shared_info-in-mvneta_swbm_add_rx_fragment.patch
@@ -0,0 +1,52 @@
+From 6ff63a150b5556012589ae59efac1b5eeb7d32c3 Mon Sep 17 00:00:00 2001
+From: Lorenzo Bianconi
+Date: Sat, 3 Jul 2021 21:17:27 +0200
+Subject: net: marvell: always set skb_shared_info in mvneta_swbm_add_rx_fragment
+
+From: Lorenzo Bianconi
+
+commit 6ff63a150b5556012589ae59efac1b5eeb7d32c3 upstream.
+
+Always set skb_shared_info data structure in mvneta_swbm_add_rx_fragment
+routine even if the fragment contains only the ethernet FCS.
+
+Fixes: 039fbc47f9f1 ("net: mvneta: alloc skb_shared_info on the mvneta_rx_swbm stack")
+Signed-off-by: Lorenzo Bianconi
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/mvneta.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -2303,19 +2303,19 @@ mvneta_swbm_add_rx_fragment(struct mvnet
+ skb_frag_off_set(frag, pp->rx_offset_correction);
+ skb_frag_size_set(frag, data_len);
+ __skb_frag_set_page(frag, page);
+-
+- /* last fragment */
+- if (len == *size) {
+- struct skb_shared_info *sinfo;
+-
+- sinfo = xdp_get_shared_info_from_buff(xdp);
+- sinfo->nr_frags = xdp_sinfo->nr_frags;
+- memcpy(sinfo->frags, xdp_sinfo->frags,
+- sinfo->nr_frags * sizeof(skb_frag_t));
+- }
+ } else {
+ page_pool_put_full_page(rxq->page_pool, page, true);
+ }
++
++ /* last fragment */
++ if (len == *size) {
++ struct skb_shared_info *sinfo;
++
++ sinfo = xdp_get_shared_info_from_buff(xdp);
++ sinfo->nr_frags = xdp_sinfo->nr_frags;
++ memcpy(sinfo->frags, xdp_sinfo->frags,
++ sinfo->nr_frags * sizeof(skb_frag_t));
++ }
+ *size -= len;
+ }
+
diff --git a/queue-5.13/net-moxa-fix-uaf-in-moxart_mac_probe.patch b/queue-5.13/net-moxa-fix-uaf-in-moxart_mac_probe.patch
new file mode 100644
index 00000000000..4c65851c977
--- /dev/null
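Review bot: The moved block keeps the bare comment `/* last fragment */`, which does not say why it now sits outside the `if`/`else`, and that placement is the whole fix. A comment such as `/* last fragment: copy frags to sinfo even if this buffer held only the FCS */` would keep a later cleanup from folding it back into the first branch. The `memcpy` length is `sinfo->nr_frags * sizeof(skb_frag_t)`; the check that bounds nr_frags is not in the hunk (mvneta_swbm_add_rx_fragment() starts above it), so it is worth confirming that the bound still holds on the path that now reaches the copy.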
+++ b/queue-5.13/net-moxa-fix-uaf-in-moxart_mac_probe.patch
@@ -0,0 +1,45 @@
+From c78eaeebe855fd93f2e77142ffd0404a54070d84 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Fri, 9 Jul 2021 17:09:53 +0300
+Subject: net: moxa: fix UAF in moxart_mac_probe
+
+From: Pavel Skripkin
+
+commit c78eaeebe855fd93f2e77142ffd0404a54070d84 upstream.
+
+In case of netdev registration failure the code path will
+jump to init_fail label:
+
+init_fail:
+ netdev_err(ndev, "init failed\n");
+ moxart_mac_free_memory(ndev);
+irq_map_fail:
+ free_netdev(ndev);
+ return ret;
+
+So, there is no need to call free_netdev() before jumping
+to error handling path, since it can cause UAF or double-free
+bug.
+
+Fixes: 6c821bd9edc9 ("net: Add MOXA ART SoCs ethernet driver")
+Signed-off-by: Pavel Skripkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/moxa/moxart_ether.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/moxa/moxart_ether.c
++++ b/drivers/net/ethernet/moxa/moxart_ether.c
+@@ -540,10 +540,8 @@ static int moxart_mac_probe(struct platf
+ SET_NETDEV_DEV(ndev, &pdev->dev);
+
+ ret = register_netdev(ndev);
+- if (ret) {
+- free_netdev(ndev);
++ if (ret)
+ goto init_fail;
+- }
+
+ netdev_dbg(ndev, "%s: IRQ=%d address=%pM\n",
+ __func__, ndev->irq, ndev->dev_addr);
diff --git a/queue-5.13/net-netdevsim-use-xso.real_dev-instead-of-xso.dev-in-callback-functions-of-struct-xfrmdev_ops.patch b/queue-5.13/net-netdevsim-use-xso.real_dev-instead-of-xso.dev-in-callback-functions-of-struct-xfrmdev_ops.patch
new file mode 100644
index 00000000000..6e02036381f
--- /dev/null
+++ b/queue-5.13/net-netdevsim-use-xso.real_dev-instead-of-xso.dev-in-callback-functions-of-struct-xfrmdev_ops.patch
@@ -0,0 +1,105 @@ +From 09adf7566d436322ced595b166dea48b06852efe Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Mon, 5 Jul 2021 15:38:08 +0000 +Subject: net: netdevsim: use xso.real_dev instead of xso.dev in callback functions of struct xfrmdev_ops + +From: Taehee Yoo + +commit 09adf7566d436322ced595b166dea48b06852efe upstream. + +There are two pointers in struct xfrm_state_offload, *dev, *real_dev. +These are used in callback functions of struct xfrmdev_ops. +The *dev points whether bonding interface or real interface. +If bonding ipsec offload is used, it points bonding interface If not, +it points real interface. +And real_dev always points real interface. +So, netdevsim should always use real_dev instead of dev. +Of course, real_dev always not be null. + +Test commands: + ip netns add A + ip netns exec A bash + modprobe netdevsim + echo "1 1" > /sys/bus/netdevsim/new_device + ip link add bond0 type bond mode active-backup + ip link set eth0 master bond0 + ip link set eth0 up + ip link set bond0 up + ip x s add proto esp dst 14.1.1.1 src 15.1.1.1 spi 0x07 mode \ +transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' \ +0x44434241343332312423222114131211f4f3f2f1 128 sel src 14.0.0.52/24 \ +dst 14.0.0.70/24 proto tcp offload dev bond0 dir in + +Splat looks like: +BUG: spinlock bad magic on CPU#5, kworker/5:1/53 + lock: 0xffff8881068c2cc8, .magic: 11121314, .owner: /-1, +.owner_cpu: -235736076 +CPU: 5 PID: 53 Comm: kworker/5:1 Not tainted 5.13.0-rc3+ #1168 +Workqueue: events linkwatch_event +Call Trace: + dump_stack+0xa4/0xe5 + do_raw_spin_lock+0x20b/0x270 + ? rwlock_bug.part.1+0x90/0x90 + _raw_spin_lock_nested+0x5f/0x70 + bond_get_stats+0xe4/0x4c0 [bonding] + ? rcu_read_lock_sched_held+0xc0/0xc0 + ? bond_neigh_init+0x2c0/0x2c0 [bonding] + ? dev_get_alias+0xe2/0x190 + ? dev_get_port_parent_id+0x14a/0x360 + ? rtnl_unregister+0x190/0x190 + ? dev_get_phys_port_name+0xa0/0xa0 + ? memset+0x1f/0x40 + ? memcpy+0x38/0x60 + ? 
rtnl_phys_switch_id_fill+0x91/0x100 + dev_get_stats+0x8c/0x270 + rtnl_fill_stats+0x44/0xbe0 + ? nla_put+0xbe/0x140 + rtnl_fill_ifinfo+0x1054/0x3ad0 +[ ... ] + +Fixes: 272c2330adc9 ("xfrm: bail early on slave pass over skb") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/netdevsim/ipsec.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/netdevsim/ipsec.c ++++ b/drivers/net/netdevsim/ipsec.c +@@ -85,7 +85,7 @@ static int nsim_ipsec_parse_proto_keys(s + u32 *mykey, u32 *mysalt) + { + const char aes_gcm_name[] = "rfc4106(gcm(aes))"; +- struct net_device *dev = xs->xso.dev; ++ struct net_device *dev = xs->xso.real_dev; + unsigned char *key_data; + char *alg_name = NULL; + int key_len; +@@ -134,7 +134,7 @@ static int nsim_ipsec_add_sa(struct xfrm + u16 sa_idx; + int ret; + +- dev = xs->xso.dev; ++ dev = xs->xso.real_dev; + ns = netdev_priv(dev); + ipsec = &ns->ipsec; + +@@ -194,7 +194,7 @@ static int nsim_ipsec_add_sa(struct xfrm + + static void nsim_ipsec_del_sa(struct xfrm_state *xs) + { +- struct netdevsim *ns = netdev_priv(xs->xso.dev); ++ struct netdevsim *ns = netdev_priv(xs->xso.real_dev); + struct nsim_ipsec *ipsec = &ns->ipsec; + u16 sa_idx; + +@@ -211,7 +211,7 @@ static void nsim_ipsec_del_sa(struct xfr + + static bool nsim_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) + { +- struct netdevsim *ns = netdev_priv(xs->xso.dev); ++ struct netdevsim *ns = netdev_priv(xs->xso.real_dev); + struct nsim_ipsec *ipsec = &ns->ipsec; + + ipsec->ok++; diff --git a/queue-5.13/net-qcom-emac-fix-uaf-in-emac_remove.patch b/queue-5.13/net-qcom-emac-fix-uaf-in-emac_remove.patch new file mode 100644 index 00000000000..8775cbb2aea --- /dev/null +++ b/queue-5.13/net-qcom-emac-fix-uaf-in-emac_remove.patch 
@@ -0,0 +1,39 @@
+From ad297cd2db8953e2202970e9504cab247b6c7cb4 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Fri, 9 Jul 2021 17:24:18 +0300
+Subject: net: qcom/emac: fix UAF in emac_remove
+
+From: Pavel Skripkin
+
+commit ad297cd2db8953e2202970e9504cab247b6c7cb4 upstream.
+
+adpt is netdev private data and it cannot be
+used after free_netdev() call. Using adpt after free_netdev()
+can cause UAF bug. Fix it by moving free_netdev() at the end of the
+function.
+
+Fixes: 54e19bc74f33 ("net: qcom/emac: do not use devm on internal phy pdev")
+Signed-off-by: Pavel Skripkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/qualcomm/emac/emac.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qualcomm/emac/emac.c
++++ b/drivers/net/ethernet/qualcomm/emac/emac.c
+@@ -735,12 +735,13 @@ static int emac_remove(struct platform_d
+
+ put_device(&adpt->phydev->mdio.dev);
+ mdiobus_unregister(adpt->mii_bus);
+- free_netdev(netdev);
+
+ if (adpt->phy.digital)
+ iounmap(adpt->phy.digital);
+ iounmap(adpt->phy.base);
+
++ free_netdev(netdev);
++
+ return 0;
+ }
+
diff --git a/queue-5.13/net-sched-act_ct-fix-err-check-for-nf_conntrack_confirm.patch b/queue-5.13/net-sched-act_ct-fix-err-check-for-nf_conntrack_confirm.patch
new file mode 100644
index 00000000000..51c6a0dd998
--- /dev/null
+++ b/queue-5.13/net-sched-act_ct-fix-err-check-for-nf_conntrack_confirm.patch
@@ -0,0 +1,32 @@
+From 8955b90c3cdad199137809aac8ccbbb585355913 Mon Sep 17 00:00:00 2001
+From: wenxu
+Date: Fri, 2 Jul 2021 11:34:31 +0800
+Subject: net/sched: act_ct: fix err check for nf_conntrack_confirm
+
+From: wenxu
+
+commit 8955b90c3cdad199137809aac8ccbbb585355913 upstream.
+
+The confirm operation should be checked. If there are any failed,
+the packet should be dropped like in ovs and netfilter.
+
+Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
+Signed-off-by: wenxu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/act_ct.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -1026,7 +1026,8 @@ do_nat:
+ /* This will take care of sending queued events
+ * even if the connection is already confirmed.
+ */
+- nf_conntrack_confirm(skb);
++ if (nf_conntrack_confirm(skb) != NF_ACCEPT)
++ goto drop;
+ }
+
+ if (!skip_add)
diff --git a/queue-5.13/net-sched-act_ct-remove-and-free-nf_table-callbacks.patch b/queue-5.13/net-sched-act_ct-remove-and-free-nf_table-callbacks.patch
new file mode 100644
index 00000000000..17a2de7ec8b
--- /dev/null
+++ b/queue-5.13/net-sched-act_ct-remove-and-free-nf_table-callbacks.patch
@@ -0,0 +1,52 @@
+From 77ac5e40c44eb78333fbc38482d61fc2af7dda0a Mon Sep 17 00:00:00 2001
+From: Louis Peens
+Date: Fri, 2 Jul 2021 11:21:38 +0200
+Subject: net/sched: act_ct: remove and free nf_table callbacks
+
+From: Louis Peens
+
+commit 77ac5e40c44eb78333fbc38482d61fc2af7dda0a upstream.
+
+When cleaning up the nf_table in tcf_ct_flow_table_cleanup_work
+there is no guarantee that the callback list, added to by
+nf_flow_table_offload_add_cb, is empty. This means that it is
+possible that the flow_block_cb memory allocated will be lost.
+
+Fix this by iterating the list and freeing the flow_block_cb entries
+before freeing the nf_table entry (via freeing ct_ft).
+
+Fixes: 978703f42549 ("netfilter: flowtable: Add API for registering to flow table events")
+Signed-off-by: Louis Peens
+Signed-off-by: Yinjun Zhang
+Signed-off-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/act_ct.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -322,11 +322,22 @@ err_alloc:
+
+ static void tcf_ct_flow_table_cleanup_work(struct work_struct *work)
+ {
++ struct flow_block_cb *block_cb, *tmp_cb;
+ struct tcf_ct_flow_table *ct_ft;
++ struct flow_block *block;
+
+ ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table,
+ rwork);
+ nf_flow_table_free(&ct_ft->nf_ft);
++
++ /* Remove any remaining callbacks before cleanup */
++ block = &ct_ft->nf_ft.flow_block;
++ down_write(&ct_ft->nf_ft.flow_block_lock);
++ list_for_each_entry_safe(block_cb, tmp_cb, &block->cb_list, list) {
++ list_del(&block_cb->list);
++ flow_block_cb_free(block_cb);
++ }
++ up_write(&ct_ft->nf_ft.flow_block_lock);
+ kfree(ct_ft);
+
+ module_put(THIS_MODULE);
diff --git a/queue-5.13/net-send-synack-packet-with-accepted-fwmark.patch b/queue-5.13/net-send-synack-packet-with-accepted-fwmark.patch
new file mode 100644
index 00000000000..5dc93210765
--- /dev/null
+++ b/queue-5.13/net-send-synack-packet-with-accepted-fwmark.patch
@@ -0,0 +1,35 @@
+From 43b90bfad34bcb81b8a5bc7dc650800f4be1787e Mon Sep 17 00:00:00 2001
+From: Alexander Ovechkin
+Date: Fri, 9 Jul 2021 18:28:23 +0300
+Subject: net: send SYNACK packet with accepted fwmark
+
+From: Alexander Ovechkin
+
+commit 43b90bfad34bcb81b8a5bc7dc650800f4be1787e upstream.
+
+commit e05a90ec9e16 ("net: reflect mark on tcp syn ack packets")
+fixed IPv4 only.
+
+This part is for the IPv6 side.
+
+Fixes: e05a90ec9e16 ("net: reflect mark on tcp syn ack packets")
+Signed-off-by: Alexander Ovechkin
+Acked-by: Dmitry Yakunin
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/tcp_ipv6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -540,7 +540,7 @@ static int tcp_v6_send_synack(const stru
+ opt = ireq->ipv6_opt;
+ if (!opt)
+ opt = rcu_dereference(np->opt);
+- err = ip6_xmit(sk, skb, fl6, sk->sk_mark, opt,
++ err = ip6_xmit(sk, skb, fl6, skb->mark ? : sk->sk_mark, opt,
+ tclass, sk->sk_priority);
+ rcu_read_unlock();
+ err = net_xmit_eval(err);
diff --git a/queue-5.13/net-ti-fix-uaf-in-tlan_remove_one.patch b/queue-5.13/net-ti-fix-uaf-in-tlan_remove_one.patch
new file mode 100644
index 00000000000..620580e640f
--- /dev/null
+++ b/queue-5.13/net-ti-fix-uaf-in-tlan_remove_one.patch
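Review bot: Nothing at the ip6_xmit() call in tcp_v6_send_synack() says why `skb->mark` now takes precedence over `sk->sk_mark`, and the commit message only points at the IPv4 commit. A short comment above the call, for example `/* use the mark already set on the SYNACK skb, else the listener's */`, would record the intent where firewall-mark routing and filtering policy depend on it. Where `skb->mark` gets its value is outside this hunk, so the comment wording should be checked against that code.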
@@ -0,0 +1,35 @@
+From 0336f8ffece62f882ab3012820965a786a983f70 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Fri, 9 Jul 2021 17:58:29 +0300
+Subject: net: ti: fix UAF in tlan_remove_one
+
+From: Pavel Skripkin
+
+commit 0336f8ffece62f882ab3012820965a786a983f70 upstream.
+
+priv is netdev private data and it cannot be
+used after free_netdev() call. Using priv after free_netdev()
+can cause UAF bug. Fix it by moving free_netdev() at the end of the
+function.
+
+Fixes: 1e0a8b13d355 ("tlan: cancel work at remove path")
+Signed-off-by: Pavel Skripkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/ti/tlan.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/ti/tlan.c
++++ b/drivers/net/ethernet/ti/tlan.c
+@@ -313,9 +313,8 @@ static void tlan_remove_one(struct pci_d
+ pci_release_regions(pdev);
+ #endif
+
+- free_netdev(dev);
+-
+ cancel_work_sync(&priv->tlan_tqueue);
++ free_netdev(dev);
+ }
+
+ static void tlan_start(struct net_device *dev)
diff --git a/queue-5.13/net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch b/queue-5.13/net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch
new file mode 100644
index 00000000000..d26ab7ef437
--- /dev/null
+++ b/queue-5.13/net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch
@@ -0,0 +1,62 @@ +From 67a9c94317402b826fc3db32afc8f39336803d97 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Fri, 9 Jul 2021 17:35:18 +0000 +Subject: net: validate lwtstate->data before returning from skb_tunnel_info() + +From: Taehee Yoo + +commit 67a9c94317402b826fc3db32afc8f39336803d97 upstream. + +skb_tunnel_info() returns pointer of lwtstate->data as ip_tunnel_info +type without validation. lwtstate->data can have various types such as +mpls_iptunnel_encap, etc and these are not compatible. +So skb_tunnel_info() should validate before returning that pointer. + +Splat looks like: +BUG: KASAN: slab-out-of-bounds in vxlan_get_route+0x418/0x4b0 [vxlan] +Read of size 2 at addr ffff888106ec2698 by task ping/811 + +CPU: 1 PID: 811 Comm: ping Not tainted 5.13.0+ #1195 +Call Trace: + dump_stack_lvl+0x56/0x7b + print_address_description.constprop.8.cold.13+0x13/0x2ee + ? vxlan_get_route+0x418/0x4b0 [vxlan] + ? vxlan_get_route+0x418/0x4b0 [vxlan] + kasan_report.cold.14+0x83/0xdf + ? vxlan_get_route+0x418/0x4b0 [vxlan] + vxlan_get_route+0x418/0x4b0 [vxlan] + [ ... ] + vxlan_xmit_one+0x148b/0x32b0 [vxlan] + [ ... ] + vxlan_xmit+0x25c5/0x4780 [vxlan] + [ ... ] + dev_hard_start_xmit+0x1ae/0x6e0 + __dev_queue_xmit+0x1f39/0x31a0 + [ ... ] + neigh_xmit+0x2f9/0x940 + mpls_xmit+0x911/0x1600 [mpls_iptunnel] + lwtunnel_xmit+0x18f/0x450 + ip_finish_output2+0x867/0x2040 + [ ... ] + +Fixes: 61adedf3e3f1 ("route: move lwtunnel state to dst_entry") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/dst_metadata.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/include/net/dst_metadata.h ++++ b/include/net/dst_metadata.h +@@ -45,7 +45,9 @@ skb_tunnel_info(const struct sk_buff *sk + return &md_dst->u.tun_info; + + dst = skb_dst(skb); +- if (dst && dst->lwtstate) ++ if (dst && dst->lwtstate && ++ (dst->lwtstate->type == LWTUNNEL_ENCAP_IP || ++ dst->lwtstate->type == LWTUNNEL_ENCAP_IP6)) + return lwt_tun_info(dst->lwtstate); + + return NULL; diff --git a/queue-5.13/netfilter-ctnetlink-suspicious-rcu-usage-in-ctnetlink_dump_helpinfo.patch b/queue-5.13/netfilter-ctnetlink-suspicious-rcu-usage-in-ctnetlink_dump_helpinfo.patch new file mode 100644 index 00000000000..533152c4ce9 --- /dev/null +++ b/queue-5.13/netfilter-ctnetlink-suspicious-rcu-usage-in-ctnetlink_dump_helpinfo.patch 
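Review bot: The new type test in skb_tunnel_info() carries no comment saying why only LWTUNNEL_ENCAP_IP and LWTUNNEL_ENCAP_IP6 are accepted, and that reason is the security-relevant part. Per the commit message, other encap types keep a different structure in lwtstate->data, and handing it back as an ip_tunnel_info produced the slab-out-of-bounds read in the quoted KASAN report. I would add above the `if`: `/* lwtstate->data is a struct ip_tunnel_info only for IP/IP6 encap */`. The check lives in this one accessor, so any caller that reaches lwt_tun_info() directly would not get it; that cannot be seen from this hunk and is worth a grep. skb_tunnel_info() starts above the hunk.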
@@ -0,0 +1,72 @@ +From c23a9fd209bc6f8c1fa6ee303fdf037d784a1627 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Thu, 1 Jul 2021 08:02:49 +0300 +Subject: netfilter: ctnetlink: suspicious RCU usage in ctnetlink_dump_helpinfo + +From: Vasily Averin + +commit c23a9fd209bc6f8c1fa6ee303fdf037d784a1627 upstream. + +Two patches listed below removed ctnetlink_dump_helpinfo call from under +rcu_read_lock. Now its rcu_dereference generates following warning: +============================= +WARNING: suspicious RCU usage +5.13.0+ #5 Not tainted +----------------------------- +net/netfilter/nf_conntrack_netlink.c:221 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: +rcu_scheduler_active = 2, debug_locks = 1 +stack backtrace: +CPU: 1 PID: 2251 Comm: conntrack Not tainted 5.13.0+ #5 +Call Trace: + dump_stack+0x7f/0xa1 + ctnetlink_dump_helpinfo+0x134/0x150 [nf_conntrack_netlink] + ctnetlink_fill_info+0x2c2/0x390 [nf_conntrack_netlink] + ctnetlink_dump_table+0x13f/0x370 [nf_conntrack_netlink] + netlink_dump+0x10c/0x370 + __netlink_dump_start+0x1a7/0x260 + ctnetlink_get_conntrack+0x1e5/0x250 [nf_conntrack_netlink] + nfnetlink_rcv_msg+0x613/0x993 [nfnetlink] + netlink_rcv_skb+0x50/0x100 + nfnetlink_rcv+0x55/0x120 [nfnetlink] + netlink_unicast+0x181/0x260 + netlink_sendmsg+0x23f/0x460 + sock_sendmsg+0x5b/0x60 + __sys_sendto+0xf1/0x160 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0x36/0x70 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 49ca022bccc5 ("netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks") +Fixes: 0b35f6031a00 ("netfilter: Remove duplicated rcu_read_lock.") +Signed-off-by: Vasily Averin +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_conntrack_netlink.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -218,6 +218,7 @@ static int 
ctnetlink_dump_helpinfo(struc + if (!help) + return 0; + ++ rcu_read_lock(); + helper = rcu_dereference(help->helper); + if (!helper) + goto out; +@@ -233,9 +234,11 @@ static int ctnetlink_dump_helpinfo(struc + + nla_nest_end(skb, nest_helper); + out: ++ rcu_read_unlock(); + return 0; + + nla_put_failure: ++ rcu_read_unlock(); + return -1; + } + diff --git a/queue-5.13/netfilter-nf_tables-fix-dereference-of-null-pointer-flow.patch b/queue-5.13/netfilter-nf_tables-fix-dereference-of-null-pointer-flow.patch new file mode 100644 index 00000000000..cf914c12e25 --- /dev/null +++ b/queue-5.13/netfilter-nf_tables-fix-dereference-of-null-pointer-flow.patch 
@@ -0,0 +1,38 @@
+From 4ca041f919f13783b0b03894783deee00dbca19a Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Thu, 24 Jun 2021 20:57:18 +0100
+Subject: netfilter: nf_tables: Fix dereference of null pointer flow
+
+From: Colin Ian King
+
+commit 4ca041f919f13783b0b03894783deee00dbca19a upstream.
+
+In the case where chain->flags & NFT_CHAIN_HW_OFFLOAD is false then
+nft_flow_rule_create is not called and flow is NULL. The subsequent
+error handling execution via label err_destroy_flow_rule will lead
+to a null pointer dereference on flow when calling nft_flow_rule_destroy.
+Since the error path to err_destroy_flow_rule has to cater for null
+and non-null flows, only call nft_flow_rule_destroy if flow is non-null
+to fix this issue.
+
+Addresses-Coverity: ("Explicity null dereference")
+Fixes: 3c5e44622011 ("netfilter: nf_tables: memleak in hw offload abort path")
+Signed-off-by: Colin Ian King
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3453,7 +3453,8 @@ static int nf_tables_newrule(struct sk_b
+ return 0;
+
+ err_destroy_flow_rule:
+- nft_flow_rule_destroy(flow);
++ if (flow)
++ nft_flow_rule_destroy(flow);
+ err_release_rule:
+ nf_tables_rule_release(&ctx, rule);
+ err_release_expr:
diff --git a/queue-5.13/series b/queue-5.13/series
index cc4a9fe6247..6135c837084 100644
--- a/queue-5.13/series
+++ b/queue-5.13/series
@@ -105,3 +105,30 @@ revert-mm-shmem-fix-shmem_swapin-race-with-swapoff.patch mm-thp-simplify-copying-of-huge-zero-page-pmd-when-fork.patch mm-userfaultfd-fix-uffd-wp-special-cases-for-fork.patch f2fs-show-casefolding-support-only-when-supported.patch +net-bcmgenet-ensure-ext_energy_det_mask-is-clear.patch +net-dsa-mv88e6xxx-enable-.port_set_policy-on-topaz.patch +net-dsa-mv88e6xxx-use-correct-.stats_set_histogram-on-topaz.patch +net-dsa-mv88e6xxx-enable-.rmu_disable-on-topaz.patch +net-dsa-mv88e6xxx-enable-devlink-atu-hash-param-for-topaz.patch +net-dsa-mv88e6xxx-enable-serdes-rx-stats-for-topaz.patch +net-dsa-mv88e6xxx-enable-serdes-pcs-register-dump-via-ethtool-d-on-topaz.patch +net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch +netfilter-ctnetlink-suspicious-rcu-usage-in-ctnetlink_dump_helpinfo.patch +net-sched-act_ct-fix-err-check-for-nf_conntrack_confirm.patch +netfilter-nf_tables-fix-dereference-of-null-pointer-flow.patch +vmxnet3-fix-cksum-offload-issues-for-tunnels-with-non-default-udp-ports.patch +net-sched-act_ct-remove-and-free-nf_table-callbacks.patch +net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch +net-marvell-always-set-skb_shared_info-in-mvneta_swbm_add_rx_fragment.patch +net-netdevsim-use-xso.real_dev-instead-of-xso.dev-in-callback-functions-of-struct-xfrmdev_ops.patch +net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch +net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch +net-moxa-fix-uaf-in-moxart_mac_probe.patch +net-qcom-emac-fix-uaf-in-emac_remove.patch +net-ti-fix-uaf-in-tlan_remove_one.patch +net-send-synack-packet-with-accepted-fwmark.patch +net-do-not-reuse-skbuff-allocated-from-skbuff_fclone_cache-in-the-skb-cache.patch +net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch +net-dsa-properly-check-for-the-bridge_leave-methods-in-dsa_switch_bridge_leave.patch +net-fddi-fix-uaf-in-fza_probe.patch +dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch 
diff --git a/queue-5.13/vmxnet3-fix-cksum-offload-issues-for-tunnels-with-non-default-udp-ports.patch b/queue-5.13/vmxnet3-fix-cksum-offload-issues-for-tunnels-with-non-default-udp-ports.patch
new file mode 100644
index 00000000000..e3c48444468
--- /dev/null
+++ b/queue-5.13/vmxnet3-fix-cksum-offload-issues-for-tunnels-with-non-default-udp-ports.patch
@@ -0,0 +1,80 @@ +From b22580233d473dbf7bbfa4f6549c09e2c80e9e64 Mon Sep 17 00:00:00 2001 +From: Ronak Doshi +Date: Thu, 1 Jul 2021 23:44:27 -0700 +Subject: vmxnet3: fix cksum offload issues for tunnels with non-default udp ports + +From: Ronak Doshi + +commit b22580233d473dbf7bbfa4f6549c09e2c80e9e64 upstream. + +Commit dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload +support") added support for encapsulation offload. However, the inner +offload capability is to be restricted to UDP tunnels with default +Vxlan and Geneve ports. + +This patch fixes the issue for tunnels with non-default ports using +features check capability and filtering appropriate features for such +tunnels. + +Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support") +Signed-off-by: Ronak Doshi +Acked-by: Guolin Yang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vmxnet3/vmxnet3_ethtool.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/drivers/net/vmxnet3/vmxnet3_ethtool.c ++++ b/drivers/net/vmxnet3/vmxnet3_ethtool.c +@@ -1,7 +1,7 @@ + /* + * Linux driver for VMware's vmxnet3 ethernet NIC. + * +- * Copyright (C) 2008-2020, VMware, Inc. All Rights Reserved. ++ * Copyright (C) 2008-2021, VMware, Inc. All Rights Reserved. 
+ * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the +@@ -26,6 +26,10 @@ + + + #include "vmxnet3_int.h" ++#include ++#include ++ ++#define VXLAN_UDP_PORT 8472 + + struct vmxnet3_stat_desc { + char desc[ETH_GSTRING_LEN]; +@@ -262,6 +266,8 @@ netdev_features_t vmxnet3_features_check + if (VMXNET3_VERSION_GE_4(adapter) && + skb->encapsulation && skb->ip_summed == CHECKSUM_PARTIAL) { + u8 l4_proto = 0; ++ u16 port; ++ struct udphdr *udph; + + switch (vlan_get_protocol(skb)) { + case htons(ETH_P_IP): +@@ -274,8 +280,20 @@ netdev_features_t vmxnet3_features_check + return features & ~(NETIF_F_CSUM_MASK | NETIF_F_GSO_MASK); + } + +- if (l4_proto != IPPROTO_UDP) ++ switch (l4_proto) { ++ case IPPROTO_UDP: ++ udph = udp_hdr(skb); ++ port = be16_to_cpu(udph->dest); ++ /* Check if offloaded port is supported */ ++ if (port != GENEVE_UDP_PORT && ++ port != IANA_VXLAN_UDP_PORT && ++ port != VXLAN_UDP_PORT) { ++ return features & ~(NETIF_F_CSUM_MASK | NETIF_F_GSO_MASK); ++ } ++ break; ++ default: + return features & ~(NETIF_F_CSUM_MASK | NETIF_F_GSO_MASK); ++ } + } + return features; + }
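Review bot: `#define VXLAN_UDP_PORT 8472` is a bare number defined locally, next to GENEVE_UDP_PORT and IANA_VXLAN_UDP_PORT, which presumably come from the two added includes. A comment such as `/* Linux's pre-IANA default VXLAN port */` would say why a second VXLAN port is on the allow-list. In vmxnet3_features_check() the new `udp_hdr(skb)` read trusts that the transport header offset is set and that `l4_proto` describes the header at that offset. The code that derives `l4_proto` is only partly in the hunk, so that has to be confirmed there, with IPv6 packets carrying extension headers as the case to check.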