5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 22 Jan 2021 10:53:05 +0000 (11:53 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 22 Jan 2021 10:53:05 +0000 (11:53 +0100)
added patches:
can-mcp251xfd-mcp251xfd_handle_rxif_one-fix-wrong-null-pointer-check.patch
dt-bindings-net-renesas-etheravb-rz-g2h-needs-tx-internal-delay-ps.patch
esp-avoid-unneeded-kmap_atomic-call.patch
i40e-fix-potential-null-pointer-dereferencing.patch
mlxsw-core-add-validation-of-transceiver-temperature-thresholds.patch
mlxsw-core-increase-critical-threshold-for-asic-thermal-zone.patch
net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch
net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch
net-dcb-validate-netlink-message-in-dcb-handler.patch
net-dsa-clear-devlink-port-type-before-unregistering-slave-netdevs.patch
net-fix-use-after-free-when-udp-gro-with-shared-fraglist.patch
net-ipa-modem-add-missing-set_netdev_dev-for-proper-sysfs-links.patch
net-ipv6-validate-gso-skb-before-finish-ipv6-processing.patch
net-mvpp2-remove-pause-and-asym_pause-support.patch
net-phy-smsc-fix-clk-error-handling.patch
net-sit-unregister_netdevice-on-newlink-s-error-path.patch
net-stmmac-fix-taprio-configuration-when-base_time-is-in-the-past.patch
net-stmmac-fix-taprio-schedule-configuration.patch
net-stmmac-fixed-mtu-channged-by-cache-aligned.patch
net-stmmac-use-__napi_schedule-for-preempt_rt.patch
netxen_nic-fix-msi-msi-x-interrupts.patch
rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch
rxrpc-call-state-should-be-read-with-read_once-under-some-circumstances.patch
rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch
tipc-fix-null-deref-in-tipc_link_xmit.patch
udp-prevent-reuseport_select_sock-from-reading-uninitialized-socks.patch

27 files changed:
queue-5.10/can-mcp251xfd-mcp251xfd_handle_rxif_one-fix-wrong-null-pointer-check.patch [new file with mode: 0644]
queue-5.10/dt-bindings-net-renesas-etheravb-rz-g2h-needs-tx-internal-delay-ps.patch [new file with mode: 0644]
queue-5.10/esp-avoid-unneeded-kmap_atomic-call.patch [new file with mode: 0644]
queue-5.10/i40e-fix-potential-null-pointer-dereferencing.patch [new file with mode: 0644]
queue-5.10/mlxsw-core-add-validation-of-transceiver-temperature-thresholds.patch [new file with mode: 0644]
queue-5.10/mlxsw-core-increase-critical-threshold-for-asic-thermal-zone.patch [new file with mode: 0644]
queue-5.10/net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch [new file with mode: 0644]
queue-5.10/net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch [new file with mode: 0644]
queue-5.10/net-dcb-validate-netlink-message-in-dcb-handler.patch [new file with mode: 0644]
queue-5.10/net-dsa-clear-devlink-port-type-before-unregistering-slave-netdevs.patch [new file with mode: 0644]
queue-5.10/net-fix-use-after-free-when-udp-gro-with-shared-fraglist.patch [new file with mode: 0644]
queue-5.10/net-ipa-modem-add-missing-set_netdev_dev-for-proper-sysfs-links.patch [new file with mode: 0644]
queue-5.10/net-ipv6-validate-gso-skb-before-finish-ipv6-processing.patch [new file with mode: 0644]
queue-5.10/net-mvpp2-remove-pause-and-asym_pause-support.patch [new file with mode: 0644]
queue-5.10/net-phy-smsc-fix-clk-error-handling.patch [new file with mode: 0644]
queue-5.10/net-sit-unregister_netdevice-on-newlink-s-error-path.patch [new file with mode: 0644]
queue-5.10/net-stmmac-fix-taprio-configuration-when-base_time-is-in-the-past.patch [new file with mode: 0644]
queue-5.10/net-stmmac-fix-taprio-schedule-configuration.patch [new file with mode: 0644]
queue-5.10/net-stmmac-fixed-mtu-channged-by-cache-aligned.patch [new file with mode: 0644]
queue-5.10/net-stmmac-use-__napi_schedule-for-preempt_rt.patch [new file with mode: 0644]
queue-5.10/netxen_nic-fix-msi-msi-x-interrupts.patch [new file with mode: 0644]
queue-5.10/rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch [new file with mode: 0644]
queue-5.10/rxrpc-call-state-should-be-read-with-read_once-under-some-circumstances.patch [new file with mode: 0644]
queue-5.10/rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/tipc-fix-null-deref-in-tipc_link_xmit.patch [new file with mode: 0644]
queue-5.10/udp-prevent-reuseport_select_sock-from-reading-uninitialized-socks.patch [new file with mode: 0644]

diff --git a/queue-5.10/can-mcp251xfd-mcp251xfd_handle_rxif_one-fix-wrong-null-pointer-check.patch b/queue-5.10/can-mcp251xfd-mcp251xfd_handle_rxif_one-fix-wrong-null-pointer-check.patch
new file mode 100644 (file)
index 0000000..e938725
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Qinglang Miao <miaoqinglang@huawei.com>
+Date: Wed, 13 Jan 2021 15:31:00 +0800
+Subject: can: mcp251xfd: mcp251xfd_handle_rxif_one(): fix wrong NULL pointer check
+
+From: Qinglang Miao <miaoqinglang@huawei.com>
+
+[ Upstream commit ca4c6ebeeb50112f5178f14bfb6d9e8ddf148545 ]
+
+If alloc_canfd_skb() returns NULL, 'cfg' is an uninitialized variable, so we
+should check 'skb' rather than 'cfd' after calling alloc_canfd_skb(priv->ndev,
+&cfd).
+
+Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN")
+Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20210113073100.79552-1-miaoqinglang@huawei.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
+@@ -1432,7 +1432,7 @@ mcp251xfd_handle_rxif_one(struct mcp251x
+       else
+               skb = alloc_can_skb(priv->ndev, (struct can_frame **)&cfd);
+-      if (!cfd) {
++      if (!skb) {
+               stats->rx_dropped++;
+               return 0;
+       }
diff --git a/queue-5.10/dt-bindings-net-renesas-etheravb-rz-g2h-needs-tx-internal-delay-ps.patch b/queue-5.10/dt-bindings-net-renesas-etheravb-rz-g2h-needs-tx-internal-delay-ps.patch
new file mode 100644 (file)
index 0000000..8f0c23d
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 5 Jan 2021 16:15:16 +0100
+Subject: dt-bindings: net: renesas,etheravb: RZ/G2H needs tx-internal-delay-ps
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit f97844f9c518172f813b7ece18a9956b1f70c1bb ]
+
+The merge resolution of the interaction of commits 307eea32b202864c
+("dt-bindings: net: renesas,ravb: Add support for r8a774e1 SoC") and
+d7adf6331189cbe9 ("dt-bindings: net: renesas,etheravb: Convert to
+json-schema") missed that "tx-internal-delay-ps" should be a required
+property on RZ/G2H.
+
+Fixes: 8b0308fe319b8002 ("Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20210105151516.1540653-1-geert+renesas@glider.be
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/net/renesas,etheravb.yaml |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/Documentation/devicetree/bindings/net/renesas,etheravb.yaml
++++ b/Documentation/devicetree/bindings/net/renesas,etheravb.yaml
+@@ -163,6 +163,7 @@ allOf:
+             enum:
+               - renesas,etheravb-r8a774a1
+               - renesas,etheravb-r8a774b1
++              - renesas,etheravb-r8a774e1
+               - renesas,etheravb-r8a7795
+               - renesas,etheravb-r8a7796
+               - renesas,etheravb-r8a77961
diff --git a/queue-5.10/esp-avoid-unneeded-kmap_atomic-call.patch b/queue-5.10/esp-avoid-unneeded-kmap_atomic-call.patch
new file mode 100644 (file)
index 0000000..06258b6
--- /dev/null
@@ -0,0 +1,87 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Willem de Bruijn <willemb@google.com>
+Date: Sat, 9 Jan 2021 17:18:34 -0500
+Subject: esp: avoid unneeded kmap_atomic call
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 9bd6b629c39e3fa9e14243a6d8820492be1a5b2e ]
+
+esp(6)_output_head uses skb_page_frag_refill to allocate a buffer for
+the esp trailer.
+
+It accesses the page with kmap_atomic to handle highmem. But
+skb_page_frag_refill can return compound pages, of which
+kmap_atomic only maps the first underlying page.
+
+skb_page_frag_refill does not return highmem, because flag
+__GFP_HIGHMEM is not set. ESP uses it in the same manner as TCP.
+That also does not call kmap_atomic, but directly uses page_address,
+in skb_copy_to_page_nocache. Do the same for ESP.
+
+This issue has become easier to trigger with recent kmap local
+debugging feature CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP.
+
+Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
+Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/esp4.c |    7 +------
+ net/ipv6/esp6.c |    7 +------
+ 2 files changed, 2 insertions(+), 12 deletions(-)
+
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -443,7 +443,6 @@ static int esp_output_encap(struct xfrm_
+ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp)
+ {
+       u8 *tail;
+-      u8 *vaddr;
+       int nfrags;
+       int esph_offset;
+       struct page *page;
+@@ -485,14 +484,10 @@ int esp_output_head(struct xfrm_state *x
+                       page = pfrag->page;
+                       get_page(page);
+-                      vaddr = kmap_atomic(page);
+-
+-                      tail = vaddr + pfrag->offset;
++                      tail = page_address(page) + pfrag->offset;
+                       esp_output_fill_trailer(tail, esp->tfclen, esp->plen, esp->proto);
+-                      kunmap_atomic(vaddr);
+-
+                       nfrags = skb_shinfo(skb)->nr_frags;
+                       __skb_fill_page_desc(skb, nfrags, page, pfrag->offset,
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -478,7 +478,6 @@ static int esp6_output_encap(struct xfrm
+ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *esp)
+ {
+       u8 *tail;
+-      u8 *vaddr;
+       int nfrags;
+       int esph_offset;
+       struct page *page;
+@@ -519,14 +518,10 @@ int esp6_output_head(struct xfrm_state *
+                       page = pfrag->page;
+                       get_page(page);
+-                      vaddr = kmap_atomic(page);
+-
+-                      tail = vaddr + pfrag->offset;
++                      tail = page_address(page) + pfrag->offset;
+                       esp_output_fill_trailer(tail, esp->tfclen, esp->plen, esp->proto);
+-                      kunmap_atomic(vaddr);
+-
+                       nfrags = skb_shinfo(skb)->nr_frags;
+                       __skb_fill_page_desc(skb, nfrags, page, pfrag->offset,
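Review bot: The new `tail = page_address(page) + pfrag->offset;` in esp_output_head(), and the identical line in esp6_output_head(), is only valid while the page fragment can never be a highmem page, and nothing at either site says so. The changelog gives the reason (skb_page_frag_refill() is called without __GFP_HIGHMEM), so I would carry it into the code above both assignments, for example `/* pfrag pages are never highmem: skb_page_frag_refill() does not set __GFP_HIGHMEM */`. Without that, a later change to the allocation flags could silently make this an invalid address computation. Both function bodies start and end outside the hunks shown.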
diff --git a/queue-5.10/i40e-fix-potential-null-pointer-dereferencing.patch b/queue-5.10/i40e-fix-potential-null-pointer-dereferencing.patch
new file mode 100644 (file)
index 0000000..b49af4c
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
+Date: Mon, 11 Jan 2021 18:11:38 +0000
+Subject: i40e: fix potential NULL pointer dereferencing
+
+From: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
+
+[ Upstream commit 7128c834d30e6b2cf649f14d8fc274941786d0e1 ]
+
+Currently, the function i40e_construct_skb_zc only frees the input xdp
+buffer when the output skb is successfully built. On error, the
+function i40e_clean_rx_irq_zc does not commit anything for the current
+packet descriptor and simply exits the packet descriptor processing
+loop, with the plan to restart the processing of this descriptor on
+the next invocation. Therefore, on error the ring next-to-clean
+pointer should not advance, the xdp i.e. *bi buffer should not be
+freed and the current buffer info should not be invalidated by setting
+*bi to NULL. Therefore, the *bi should only be set to NULL when the
+function i40e_construct_skb_zc is successful, otherwise a NULL *bi
+will be dereferenced when the work for the current descriptor is
+eventually restarted.
+
+Fixes: 3b4f0b66c2b3 ("i40e, xsk: Migrate to new MEM_TYPE_XSK_BUFF_POOL")
+Signed-off-by: Cristian Dumitrescu <cristian.dumitrescu@intel.com>
+Acked-by: Björn Töpel <bjorn.topel@intel.com>
+Link: https://lore.kernel.org/r/20210111181138.49757-1-cristian.dumitrescu@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_xsk.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_xsk.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_xsk.c
+@@ -348,12 +348,12 @@ int i40e_clean_rx_irq_zc(struct i40e_rin
+                * SBP is *not* set in PRT_SBPVSI (default not set).
+                */
+               skb = i40e_construct_skb_zc(rx_ring, *bi);
+-              *bi = NULL;
+               if (!skb) {
+                       rx_ring->rx_stats.alloc_buff_failed++;
+                       break;
+               }
++              *bi = NULL;
+               cleaned_count++;
+               i40e_inc_ntc(rx_ring);
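Review bot: The position of `*bi = NULL;` after the `if (!skb)` check in i40e_clean_rx_irq_zc() is now load-bearing, but no comment says that the buffer has to stay in the ring when skb construction fails. A later cleanup that moves the assignment back next to the i40e_construct_skb_zc() call would reintroduce the NULL dereference on retry that the changelog describes. I would add `/* keep *bi on failure: this descriptor is retried on the next invocation */` above the `break;`. The surrounding loop starts and ends outside the hunk.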
diff --git a/queue-5.10/mlxsw-core-add-validation-of-transceiver-temperature-thresholds.patch b/queue-5.10/mlxsw-core-add-validation-of-transceiver-temperature-thresholds.patch
new file mode 100644 (file)
index 0000000..9b5b3f4
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Vadim Pasternak <vadimp@nvidia.com>
+Date: Fri, 8 Jan 2021 16:52:09 +0200
+Subject: mlxsw: core: Add validation of transceiver temperature thresholds
+
+From: Vadim Pasternak <vadimp@nvidia.com>
+
+[ Upstream commit 57726ebe2733891c9f59105eff028735f73d05fb ]
+
+Validate thresholds to avoid a single failure due to some transceiver
+unreliability. Ignore the last readouts in case warning temperature is
+above alarm temperature, since it can cause unexpected thermal
+shutdown. Stay with the previous values and refresh threshold within
+the next iteration.
+
+This is a rare scenario, but it was observed at a customer site.
+
+Fixes: 6a79507cfe94 ("mlxsw: core: Extend thermal module with per QSFP module thermal zones")
+Signed-off-by: Vadim Pasternak <vadimp@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core_thermal.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/core_thermal.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core_thermal.c
+@@ -176,6 +176,12 @@ mlxsw_thermal_module_trips_update(struct
+       if (err)
+               return err;
++      if (crit_temp > emerg_temp) {
++              dev_warn(dev, "%s : Critical threshold %d is above emergency threshold %d\n",
++                       tz->tzdev->type, crit_temp, emerg_temp);
++              return 0;
++      }
++
+       /* According to the system thermal requirements, the thermal zones are
+        * defined with four trip points. The critical and emergency
+        * temperature thresholds, provided by QSFP module are set as "active"
+@@ -190,11 +196,8 @@ mlxsw_thermal_module_trips_update(struct
+               tz->trips[MLXSW_THERMAL_TEMP_TRIP_NORM].temp = crit_temp;
+       tz->trips[MLXSW_THERMAL_TEMP_TRIP_HIGH].temp = crit_temp;
+       tz->trips[MLXSW_THERMAL_TEMP_TRIP_HOT].temp = emerg_temp;
+-      if (emerg_temp > crit_temp)
+-              tz->trips[MLXSW_THERMAL_TEMP_TRIP_CRIT].temp = emerg_temp +
++      tz->trips[MLXSW_THERMAL_TEMP_TRIP_CRIT].temp = emerg_temp +
+                                       MLXSW_THERMAL_MODULE_TEMP_SHIFT;
+-      else
+-              tz->trips[MLXSW_THERMAL_TEMP_TRIP_CRIT].temp = emerg_temp;
+       return 0;
+ }
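Review bot: The added `dev_warn()` in mlxsw_thermal_module_trips_update() is not rate limited, so a transceiver that keeps reporting a critical threshold above the emergency one would log each time the trips are refreshed. `dev_warn_ratelimited(dev, ...)` with the same arguments would bound that. The early `return 0` also assumes earlier trip values exist: if the first update for a module takes this path, the trips keep whatever they were initialised with, which is not visible in this hunk and is worth confirming. With the `else` branch removed, equal thresholds now give the CRIT trip `emerg_temp + MLXSW_THERMAL_MODULE_TEMP_SHIFT` where they previously gave `emerg_temp`; the changelog does not mention that case.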
diff --git a/queue-5.10/mlxsw-core-increase-critical-threshold-for-asic-thermal-zone.patch b/queue-5.10/mlxsw-core-increase-critical-threshold-for-asic-thermal-zone.patch
new file mode 100644 (file)
index 0000000..2a14a79
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Vadim Pasternak <vadimp@nvidia.com>
+Date: Fri, 8 Jan 2021 16:52:10 +0200
+Subject: mlxsw: core: Increase critical threshold for ASIC thermal zone
+
+From: Vadim Pasternak <vadimp@nvidia.com>
+
+[ Upstream commit b06ca3d5a43ca2dd806f7688a17e8e7e0619a80a ]
+
+Increase critical threshold for ASIC thermal zone from 110C to 140C
+according to the system hardware requirements. All the supported ASICs
+(Spectrum-1, Spectrum-2, Spectrum-3) could be still operational with ASIC
+temperature below 140C. With the old critical threshold value system
+can perform unjustified shutdown.
+
+All the systems equipped with the above ASICs implement thermal
+protection mechanism at firmware level and firmware could decide to
+perform system thermal shutdown in case the temperature is below 140C.
+So with the new threshold system will not meltdown, while thermal
+operating range will be aligned with hardware abilities.
+
+Fixes: 41e760841d26 ("mlxsw: core: Replace thermal temperature trips with defines")
+Fixes: a50c1e35650b ("mlxsw: core: Implement thermal zone")
+Signed-off-by: Vadim Pasternak <vadimp@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core_thermal.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/core_thermal.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core_thermal.c
+@@ -19,7 +19,7 @@
+ #define MLXSW_THERMAL_ASIC_TEMP_NORM  75000   /* 75C */
+ #define MLXSW_THERMAL_ASIC_TEMP_HIGH  85000   /* 85C */
+ #define MLXSW_THERMAL_ASIC_TEMP_HOT   105000  /* 105C */
+-#define MLXSW_THERMAL_ASIC_TEMP_CRIT  110000  /* 110C */
++#define MLXSW_THERMAL_ASIC_TEMP_CRIT  140000  /* 140C */
+ #define MLXSW_THERMAL_HYSTERESIS_TEMP 5000    /* 5C */
+ #define MLXSW_THERMAL_MODULE_TEMP_SHIFT       (MLXSW_THERMAL_HYSTERESIS_TEMP * 2)
+ #define MLXSW_THERMAL_ZONE_MAX_NAME   16
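Review bot: The comment on `MLXSW_THERMAL_ASIC_TEMP_CRIT` says only `/* 140C */`, while the safety argument for raising the trip from 110C lives solely in the changelog. The changelog relies on firmware-level thermal protection acting below this temperature, so I would record that dependency next to the define, for example `/* 140C; firmware thermal protection acts below this */`. A reader tuning these values later would otherwise see a 35C gap between the HOT and CRIT trips with no stated reason.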
diff --git a/queue-5.10/net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch b/queue-5.10/net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch
new file mode 100644 (file)
index 0000000..3f74884
--- /dev/null
@@ -0,0 +1,81 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 13 Jan 2021 08:18:19 -0800
+Subject: net: avoid 32 x truesize under-estimation for tiny skbs
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3226b158e67cfaa677fd180152bfb28989cb2fac ]
+
+Both virtio net and napi_get_frags() allocate skbs
+with a very small skb->head
+
+While using page fragments instead of a kmalloc backed skb->head might give
+a small performance improvement in some cases, there is a huge risk of
+under estimating memory usage.
+
+For both GOOD_COPY_LEN and GRO_MAX_HEAD, we can fit at least 32 allocations
+per page (order-3 page in x86), or even 64 on PowerPC
+
+We have been tracking OOM issues on GKE hosts hitting tcp_mem limits
+but consuming far more memory for TCP buffers than instructed in tcp_mem[2]
+
+Even if we force napi_alloc_skb() to only use order-0 pages, the issue
+would still be there on arches with PAGE_SIZE >= 32768
+
+This patch makes sure that small skb head are kmalloc backed, so that
+other objects in the slab page can be reused instead of being held as long
+as skbs are sitting in socket queues.
+
+Note that we might in the future use the sk_buff napi cache,
+instead of going through a more expensive __alloc_skb()
+
+Another idea would be to use separate page sizes depending
+on the allocated length (to never have more than 4 frags per page)
+
+I would like to thank Greg Thelen for his precious help on this matter,
+analysing crash dumps is always a time consuming task.
+
+Fixes: fd11a83dd363 ("net: Pull out core bits of __netdev_alloc_skb and add __napi_alloc_skb")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Greg Thelen <gthelen@google.com>
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Link: https://lore.kernel.org/r/20210113161819.1155526-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -496,13 +496,17 @@ EXPORT_SYMBOL(__netdev_alloc_skb);
+ struct sk_buff *__napi_alloc_skb(struct napi_struct *napi, unsigned int len,
+                                gfp_t gfp_mask)
+ {
+-      struct napi_alloc_cache *nc = this_cpu_ptr(&napi_alloc_cache);
++      struct napi_alloc_cache *nc;
+       struct sk_buff *skb;
+       void *data;
+       len += NET_SKB_PAD + NET_IP_ALIGN;
+-      if ((len > SKB_WITH_OVERHEAD(PAGE_SIZE)) ||
++      /* If requested length is either too small or too big,
++       * we use kmalloc() for skb->head allocation.
++       */
++      if (len <= SKB_WITH_OVERHEAD(1024) ||
++          len > SKB_WITH_OVERHEAD(PAGE_SIZE) ||
+           (gfp_mask & (__GFP_DIRECT_RECLAIM | GFP_DMA))) {
+               skb = __alloc_skb(len, gfp_mask, SKB_ALLOC_RX, NUMA_NO_NODE);
+               if (!skb)
+@@ -510,6 +514,7 @@ struct sk_buff *__napi_alloc_skb(struct
+               goto skb_success;
+       }
++      nc = this_cpu_ptr(&napi_alloc_cache);
+       len += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+       len = SKB_DATA_ALIGN(len);
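Review bot: The `1024` in `len <= SKB_WITH_OVERHEAD(1024)` in __napi_alloc_skb() is a bare constant, and the comment added above it says what happens for small lengths but not why. The reasoning in the changelog (small heads carved from page fragments hold the page while the skb sits in a socket queue, so memory use is under-estimated) is what a maintainer needs when revisiting the threshold. I would extend the comment along the lines of `/* small heads from page frags keep the whole page held and under-report truesize */` and consider a named constant for the 1024. The function body continues outside the hunk.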
diff --git a/queue-5.10/net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch b/queue-5.10/net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch
new file mode 100644 (file)
index 0000000..c1f7759
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Petr Machata <petrm@nvidia.com>
+Date: Mon, 11 Jan 2021 18:07:07 +0100
+Subject: net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands
+
+From: Petr Machata <petrm@nvidia.com>
+
+[ Upstream commit df85bc140a4d6cbaa78d8e9c35154e1a2f0622c7 ]
+
+In commit 826f328e2b7e ("net: dcb: Validate netlink message in DCB
+handler"), Linux started rejecting RTM_GETDCB netlink messages if they
+contained a set-like DCB_CMD_ command.
+
+The reason was that privileges were only verified for RTM_SETDCB messages,
+but the value that determined the action to be taken is the command, not
+the message type. And validation of message type against the DCB command
+was the obvious missing piece.
+
+Unfortunately it turns out that mlnx_qos, a somewhat widely deployed tool
+for configuration of DCB, accesses the DCB set-like APIs through
+RTM_GETDCB.
+
+Therefore do not bounce the discrepancy between message type and command.
+Instead, in addition to validating privileges based on the actual message
+type, validate them also based on the expected message type. This closes
+the loophole of allowing DCB configuration on non-admin accounts, while
+maintaining backward compatibility.
+
+Fixes: 2f90b8657ec9 ("ixgbe: this patch adds support for DCB to the kernel and ixgbe driver")
+Fixes: 826f328e2b7e ("net: dcb: Validate netlink message in DCB handler")
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Link: https://lore.kernel.org/r/a3edcfda0825f2aa2591801c5232f2bbf2d8a554.1610384801.git.me@pmachata.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dcb/dcbnl.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -1765,7 +1765,7 @@ static int dcb_doit(struct sk_buff *skb,
+       fn = &reply_funcs[dcb->cmd];
+       if (!fn->cb)
+               return -EOPNOTSUPP;
+-      if (fn->type != nlh->nlmsg_type)
++      if (fn->type == RTM_SETDCB && !netlink_capable(skb, CAP_NET_ADMIN))
+               return -EPERM;
+       if (!tb[DCB_ATTR_IFNAME])
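Review bot: The CAP_NET_ADMIN check added in dcb_doit() is keyed on `fn->type` from the `reply_funcs` table rather than on `nlh->nlmsg_type`, and the code gives no hint that this is deliberate. After this change the privilege boundary for every set-like DCB command depends on its table entry being typed RTM_SETDCB; the table is outside this hunk, so each set-like entry should be confirmed to carry that type. I would add a comment above the check such as `/* authorise by the command's expected type: some tools send set-like commands in RTM_GETDCB */`. The line this patch removes is the one added by net-dcb-validate-netlink-message-in-dcb-handler.patch, so the queue has to apply that patch first; the series hunk is not visible here.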
diff --git a/queue-5.10/net-dcb-validate-netlink-message-in-dcb-handler.patch b/queue-5.10/net-dcb-validate-netlink-message-in-dcb-handler.patch
new file mode 100644 (file)
index 0000000..7d7b52d
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Petr Machata <me@pmachata.org>
+Date: Tue, 22 Dec 2020 22:49:44 +0100
+Subject: net: dcb: Validate netlink message in DCB handler
+
+From: Petr Machata <me@pmachata.org>
+
+[ Upstream commit 826f328e2b7e8854dd42ea44e6519cd75018e7b1 ]
+
+DCB uses the same handler function for both RTM_GETDCB and RTM_SETDCB
+messages. dcb_doit() bounces RTM_SETDCB mesasges if the user does not have
+the CAP_NET_ADMIN capability.
+
+However, the operation to be performed is not decided from the DCB message
+type, but from the DCB command. Thus DCB_CMD_*_GET commands are used for
+reading DCB objects, the corresponding SET and DEL commands are used for
+manipulation.
+
+The assumption is that set-like commands will be sent via an RTM_SETDCB
+message, and get-like ones via RTM_GETDCB. However, this assumption is not
+enforced.
+
+It is therefore possible to manipulate DCB objects without CAP_NET_ADMIN
+capability by sending the corresponding command in an RTM_GETDCB message.
+That is a bug. Fix it by validating the type of the request message against
+the type used for the response.
+
+Fixes: 2f90b8657ec9 ("ixgbe: this patch adds support for DCB to the kernel and ixgbe driver")
+Signed-off-by: Petr Machata <me@pmachata.org>
+Link: https://lore.kernel.org/r/a2a9b88418f3a58ef211b718f2970128ef9e3793.1608673640.git.me@pmachata.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dcb/dcbnl.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -1765,6 +1765,8 @@ static int dcb_doit(struct sk_buff *skb,
+       fn = &reply_funcs[dcb->cmd];
+       if (!fn->cb)
+               return -EOPNOTSUPP;
++      if (fn->type != nlh->nlmsg_type)
++              return -EPERM;
+       if (!tb[DCB_ATTR_IFNAME])
+               return -EINVAL;
diff --git a/queue-5.10/net-dsa-clear-devlink-port-type-before-unregistering-slave-netdevs.patch b/queue-5.10/net-dsa-clear-devlink-port-type-before-unregistering-slave-netdevs.patch
new file mode 100644 (file)
index 0000000..0208b2f
--- /dev/null
@@ -0,0 +1,90 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Tue, 12 Jan 2021 02:48:31 +0200
+Subject: net: dsa: clear devlink port type before unregistering slave netdevs
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 91158e1680b164c8d101144ca916a3dca10c3e17 ]
+
+Florian reported a use-after-free bug in devlink_nl_port_fill found with
+KASAN:
+
+(devlink_nl_port_fill)
+(devlink_port_notify)
+(devlink_port_unregister)
+(dsa_switch_teardown.part.3)
+(dsa_tree_teardown_switches)
+(dsa_unregister_switch)
+(bcm_sf2_sw_remove)
+(platform_remove)
+(device_release_driver_internal)
+(device_links_unbind_consumers)
+(device_release_driver_internal)
+(device_driver_detach)
+(unbind_store)
+
+Allocated by task 31:
+ alloc_netdev_mqs+0x5c/0x50c
+ dsa_slave_create+0x110/0x9c8
+ dsa_register_switch+0xdb0/0x13a4
+ b53_switch_register+0x47c/0x6dc
+ bcm_sf2_sw_probe+0xaa4/0xc98
+ platform_probe+0x90/0xf4
+ really_probe+0x184/0x728
+ driver_probe_device+0xa4/0x278
+ __device_attach_driver+0xe8/0x148
+ bus_for_each_drv+0x108/0x158
+
+Freed by task 249:
+ free_netdev+0x170/0x194
+ dsa_slave_destroy+0xac/0xb0
+ dsa_port_teardown.part.2+0xa0/0xb4
+ dsa_tree_teardown_switches+0x50/0xc4
+ dsa_unregister_switch+0x124/0x250
+ bcm_sf2_sw_remove+0x98/0x13c
+ platform_remove+0x44/0x5c
+ device_release_driver_internal+0x150/0x254
+ device_links_unbind_consumers+0xf8/0x12c
+ device_release_driver_internal+0x84/0x254
+ device_driver_detach+0x30/0x34
+ unbind_store+0x90/0x134
+
+What happens is that devlink_port_unregister emits a netlink
+DEVLINK_CMD_PORT_DEL message which associates the devlink port that is
+getting unregistered with the ifindex of its corresponding net_device.
+Only trouble is, the net_device has already been unregistered.
+
+It looks like we can stub out the search for a corresponding net_device
+if we clear the devlink_port's type. This looks like a bit of a hack,
+but also seems to be the reason why the devlink_port_type_clear function
+exists in the first place.
+
+Fixes: 3122433eb533 ("net: dsa: Register devlink ports before calling DSA driver setup()")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Tested-by: Florian fainelli <f.fainelli@gmail.com>
+Reported-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20210112004831.3778323-1-olteanv@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/dsa2.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/dsa/dsa2.c
++++ b/net/dsa/dsa2.c
+@@ -353,9 +353,13 @@ static int dsa_port_devlink_setup(struct
+ static void dsa_port_teardown(struct dsa_port *dp)
+ {
++      struct devlink_port *dlp = &dp->devlink_port;
++
+       if (!dp->setup)
+               return;
++      devlink_port_type_clear(dlp);
++
+       switch (dp->type) {
+       case DSA_PORT_TYPE_UNUSED:
+               break;
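Review bot: `devlink_port_type_clear(dlp);` in dsa_port_teardown() runs ahead of the `switch` for every port type, with no comment tying it to the use-after-free it prevents. Since the changelog itself calls this "a bit of a hack", I would state the ordering requirement in the code, for example `/* clear the type first so devlink_port_unregister() does not reference the freed slave netdev */`. Whether ports that take the `DSA_PORT_TYPE_UNUSED` case ever had a devlink port type set is not visible here; if they did not, confirm that clearing it unconditionally is harmless. The function body continues outside the hunk.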
diff --git a/queue-5.10/net-fix-use-after-free-when-udp-gro-with-shared-fraglist.patch b/queue-5.10/net-fix-use-after-free-when-udp-gro-with-shared-fraglist.patch
new file mode 100644 (file)
index 0000000..e6cd32a
--- /dev/null
@@ -0,0 +1,95 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Dongseok Yi <dseok.yi@samsung.com>
+Date: Fri, 8 Jan 2021 11:28:38 +0900
+Subject: net: fix use-after-free when UDP GRO with shared fraglist
+
+From: Dongseok Yi <dseok.yi@samsung.com>
+
+[ Upstream commit 53475c5dd856212e91538a9501162e821cc1f791 ]
+
+skbs in fraglist could be shared by a BPF filter loaded at TC. If TC
+writes, it will call skb_ensure_writable -> pskb_expand_head to create
+a private linear section for the head_skb. And then call
+skb_clone_fraglist -> skb_get on each skb in the fraglist.
+
+skb_segment_list overwrites part of the skb linear section of each
+fragment itself. Even after skb_clone, the frag_skbs share their
+linear section with their clone in PF_PACKET.
+
+Both sk_receive_queue of PF_PACKET and PF_INET (or PF_INET6) can have
+a link for the same frag_skbs chain. If a new skb (not frags) is
+queued to one of the sk_receive_queue, multiple ptypes can see and
+release this. It causes use-after-free.
+
+[ 4443.426215] ------------[ cut here ]------------
+[ 4443.426222] refcount_t: underflow; use-after-free.
+[ 4443.426291] WARNING: CPU: 7 PID: 28161 at lib/refcount.c:190
+refcount_dec_and_test_checked+0xa4/0xc8
+[ 4443.426726] pstate: 60400005 (nZCv daif +PAN -UAO)
+[ 4443.426732] pc : refcount_dec_and_test_checked+0xa4/0xc8
+[ 4443.426737] lr : refcount_dec_and_test_checked+0xa0/0xc8
+[ 4443.426808] Call trace:
+[ 4443.426813]  refcount_dec_and_test_checked+0xa4/0xc8
+[ 4443.426823]  skb_release_data+0x144/0x264
+[ 4443.426828]  kfree_skb+0x58/0xc4
+[ 4443.426832]  skb_queue_purge+0x64/0x9c
+[ 4443.426844]  packet_set_ring+0x5f0/0x820
+[ 4443.426849]  packet_setsockopt+0x5a4/0xcd0
+[ 4443.426853]  __sys_setsockopt+0x188/0x278
+[ 4443.426858]  __arm64_sys_setsockopt+0x28/0x38
+[ 4443.426869]  el0_svc_common+0xf0/0x1d0
+[ 4443.426873]  el0_svc_handler+0x74/0x98
+[ 4443.426880]  el0_svc+0x8/0xc
+
+Fixes: 3a1296a38d0c (net: Support GRO/GSO fraglist chaining.)
+Signed-off-by: Dongseok Yi <dseok.yi@samsung.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/r/1610072918-174177-1-git-send-email-dseok.yi@samsung.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c |   20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3648,7 +3648,8 @@ struct sk_buff *skb_segment_list(struct
+       unsigned int delta_truesize = 0;
+       unsigned int delta_len = 0;
+       struct sk_buff *tail = NULL;
+-      struct sk_buff *nskb;
++      struct sk_buff *nskb, *tmp;
++      int err;
+       skb_push(skb, -skb_network_offset(skb) + offset);
+@@ -3658,11 +3659,28 @@ struct sk_buff *skb_segment_list(struct
+               nskb = list_skb;
+               list_skb = list_skb->next;
++              err = 0;
++              if (skb_shared(nskb)) {
++                      tmp = skb_clone(nskb, GFP_ATOMIC);
++                      if (tmp) {
++                              consume_skb(nskb);
++                              nskb = tmp;
++                              err = skb_unclone(nskb, GFP_ATOMIC);
++                      } else {
++                              err = -ENOMEM;
++                      }
++              }
++
+               if (!tail)
+                       skb->next = nskb;
+               else
+                       tail->next = nskb;
++              if (unlikely(err)) {
++                      nskb->next = list_skb;
++                      goto err_linearize;
++              }
++
+               tail = nskb;
+               delta_len += nskb->len;
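Review bot: The new `skb_shared(nskb)` branch in the fraglist loop of skb_segment_list() has no comment saying why a shared fragment has to be replaced, and the reason cannot be read off the code. I would add above it `/* A fraglist skb may be shared with another receiver (e.g. a PF_PACKET clone); take a private copy before its linear section is overwritten below. */`, which is the situation the commit message gives as the cause of the refcount underflow. The `err_linearize` label and the rest of the loop lie outside the hunk, so it is worth confirming there that the chain starting at `skb->next`, including the `nskb` linked just before the `goto`, is released exactly once on that path.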
diff --git a/queue-5.10/net-ipa-modem-add-missing-set_netdev_dev-for-proper-sysfs-links.patch b/queue-5.10/net-ipa-modem-add-missing-set_netdev_dev-for-proper-sysfs-links.patch
new file mode 100644 (file)
index 0000000..4e6601f
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Stephan Gerhold <stephan@gerhold.net>
+Date: Wed, 6 Jan 2021 11:07:55 +0100
+Subject: net: ipa: modem: add missing SET_NETDEV_DEV() for proper sysfs links
+
+From: Stephan Gerhold <stephan@gerhold.net>
+
+[ Upstream commit afba9dc1f3a5390475006061c0bdc5ad4915878e ]
+
+At the moment it is quite hard to identify the network interface
+provided by IPA in userspace components: The network interface is
+created as virtual device, without any link to the IPA device.
+The interface name ("rmnet_ipa%d") is the only indication that the
+network interface belongs to IPA, but this is not very reliable.
+
+Add SET_NETDEV_DEV() to associate the network interface with the
+IPA parent device. This allows userspace services like ModemManager
+to properly identify that this network interface is provided by IPA
+and belongs to the modem.
+
+Cc: Alex Elder <elder@kernel.org>
+Fixes: a646d6ec9098 ("soc: qcom: ipa: modem and microcontroller")
+Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
+Link: https://lore.kernel.org/r/20210106100755.56800-1-stephan@gerhold.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipa/ipa_modem.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ipa/ipa_modem.c
++++ b/drivers/net/ipa/ipa_modem.c
+@@ -216,6 +216,7 @@ int ipa_modem_start(struct ipa *ipa)
+       ipa->name_map[IPA_ENDPOINT_AP_MODEM_TX]->netdev = netdev;
+       ipa->name_map[IPA_ENDPOINT_AP_MODEM_RX]->netdev = netdev;
++      SET_NETDEV_DEV(netdev, &ipa->pdev->dev);
+       priv = netdev_priv(netdev);
+       priv->ipa = ipa;
diff --git a/queue-5.10/net-ipv6-validate-gso-skb-before-finish-ipv6-processing.patch b/queue-5.10/net-ipv6-validate-gso-skb-before-finish-ipv6-processing.patch
new file mode 100644 (file)
index 0000000..5226775
--- /dev/null
@@ -0,0 +1,97 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Aya Levin <ayal@nvidia.com>
+Date: Thu, 7 Jan 2021 15:50:18 +0200
+Subject: net: ipv6: Validate GSO SKB before finish IPv6 processing
+
+From: Aya Levin <ayal@nvidia.com>
+
+[ Upstream commit b210de4f8c97d57de051e805686248ec4c6cfc52 ]
+
+There are cases where GSO segment's length exceeds the egress MTU:
+ - Forwarding of a TCP GRO skb, when DF flag is not set.
+ - Forwarding of an skb that arrived on a virtualisation interface
+   (virtio-net/vhost/tap) with TSO/GSO size set by other network
+   stack.
+ - Local GSO skb transmitted on an NETIF_F_TSO tunnel stacked over an
+   interface with a smaller MTU.
+ - Arriving GRO skb (or GSO skb in a virtualised environment) that is
+   bridged to a NETIF_F_TSO tunnel stacked over an interface with an
+   insufficient MTU.
+
+If so:
+ - Consume the SKB and its segments.
+ - Issue an ICMP packet with 'Packet Too Big' message containing the
+   MTU, allowing the source host to reduce its Path MTU appropriately.
+
+Note: These cases are handled in the same manner in IPv4 output finish.
+This patch aligns the behavior of IPv6 and the one of IPv4.
+
+Fixes: 9e50849054a4 ("netfilter: ipv6: move POSTROUTING invocation before fragmentation")
+Signed-off-by: Aya Levin <ayal@nvidia.com>
+Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://lore.kernel.org/r/1610027418-30438-1-git-send-email-ayal@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c |   41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -125,8 +125,43 @@ static int ip6_finish_output2(struct net
+       return -EINVAL;
+ }
++static int
++ip6_finish_output_gso_slowpath_drop(struct net *net, struct sock *sk,
++                                  struct sk_buff *skb, unsigned int mtu)
++{
++      struct sk_buff *segs, *nskb;
++      netdev_features_t features;
++      int ret = 0;
++
++      /* Please see corresponding comment in ip_finish_output_gso
++       * describing the cases where GSO segment length exceeds the
++       * egress MTU.
++       */
++      features = netif_skb_features(skb);
++      segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
++      if (IS_ERR_OR_NULL(segs)) {
++              kfree_skb(skb);
++              return -ENOMEM;
++      }
++
++      consume_skb(skb);
++
++      skb_list_walk_safe(segs, segs, nskb) {
++              int err;
++
++              skb_mark_not_on_list(segs);
++              err = ip6_fragment(net, sk, segs, ip6_finish_output2);
++              if (err && ret == 0)
++                      ret = err;
++      }
++
++      return ret;
++}
++
+ static int __ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
++      unsigned int mtu;
++
+ #if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
+       /* Policy lookup after SNAT yielded a new policy */
+       if (skb_dst(skb)->xfrm) {
+@@ -135,7 +170,11 @@ static int __ip6_finish_output(struct ne
+       }
+ #endif
+-      if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
++      mtu = ip6_skb_dst_mtu(skb);
++      if (skb_is_gso(skb) && !skb_gso_validate_network_len(skb, mtu))
++              return ip6_finish_output_gso_slowpath_drop(net, sk, skb, mtu);
++
++      if ((skb->len > mtu && !skb_is_gso(skb)) ||
+           dst_allfrag(skb_dst(skb)) ||
+           (IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size))
+               return ip6_fragment(net, sk, skb, ip6_finish_output2);
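Review bot: The `mtu` parameter of the new ip6_finish_output_gso_slowpath_drop() is never read in its body; the helper only segments the skb and hands each segment to `ip6_fragment()`. Either drop the parameter from the signature and from the call in __ip6_finish_output(), or keep it and state in the helper's comment that it is there only to mirror the IPv4 counterpart. The failure branch also returns `-ENOMEM` for every `IS_ERR_OR_NULL(segs)` outcome, so any other error from `skb_gso_segment()` is reported as an allocation failure; `return segs ? PTR_ERR(segs) : -ENOMEM;` would preserve the real code, provided callers do not rely on the current value. The comment could also say that the 'Packet Too Big' reply described in the commit message is expected to come from `ip6_fragment()`, since nothing in the helper sends it directly.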
diff --git a/queue-5.10/net-mvpp2-remove-pause-and-asym_pause-support.patch b/queue-5.10/net-mvpp2-remove-pause-and-asym_pause-support.patch
new file mode 100644 (file)
index 0000000..3b1462d
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Stefan Chulski <stefanc@marvell.com>
+Date: Sun, 10 Jan 2021 21:23:02 +0200
+Subject: net: mvpp2: Remove Pause and Asym_Pause support
+
+From: Stefan Chulski <stefanc@marvell.com>
+
+[ Upstream commit 6f83802a1a06e74eafbdbc9b52c05516d3083d02 ]
+
+Packet Processor hardware not connected to MAC flow control unit and
+cannot support TX flow control.
+This patch disable flow control support.
+
+Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit")
+Signed-off-by: Stefan Chulski <stefanc@marvell.com>
+Acked-by: Marcin Wojtas <mw@semihalf.com>
+Link: https://lore.kernel.org/r/1610306582-16641-1-git-send-email-stefanc@marvell.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -5874,8 +5874,6 @@ static void mvpp2_phylink_validate(struc
+       phylink_set(mask, Autoneg);
+       phylink_set_port_modes(mask);
+-      phylink_set(mask, Pause);
+-      phylink_set(mask, Asym_Pause);
+       switch (state->interface) {
+       case PHY_INTERFACE_MODE_10GBASER:
diff --git a/queue-5.10/net-phy-smsc-fix-clk-error-handling.patch b/queue-5.10/net-phy-smsc-fix-clk-error-handling.patch
new file mode 100644 (file)
index 0000000..7691cdd
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Marco Felsch <m.felsch@pengutronix.de>
+Date: Mon, 11 Jan 2021 09:59:32 +0100
+Subject: net: phy: smsc: fix clk error handling
+
+From: Marco Felsch <m.felsch@pengutronix.de>
+
+[ Upstream commit a18caa97b1bda0a3d126a7be165ddcfc56c2dde6 ]
+
+Commit bedd8d78aba3 ("net: phy: smsc: LAN8710/20: add phy refclk in
+support") added the phy clk support. The commit already checks if
+clk_get_optional() throw an error but instead of returning the error it
+ignores it.
+
+Fixes: bedd8d78aba3 ("net: phy: smsc: LAN8710/20: add phy refclk in support")
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20210111085932.28680-1-m.felsch@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/smsc.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/smsc.c
++++ b/drivers/net/phy/smsc.c
+@@ -284,7 +284,8 @@ static int smsc_phy_probe(struct phy_dev
+       /* Make clk optional to keep DTB backward compatibility. */
+       priv->refclk = clk_get_optional(dev, NULL);
+       if (IS_ERR(priv->refclk))
+-              dev_err_probe(dev, PTR_ERR(priv->refclk), "Failed to request clock\n");
++              return dev_err_probe(dev, PTR_ERR(priv->refclk),
++                                   "Failed to request clock\n");
+       ret = clk_prepare_enable(priv->refclk);
+       if (ret)
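Review bot: The clock obtained by `clk_get_optional()` in smsc_phy_probe() is not a managed resource, so the `clk_prepare_enable()` failure branch that starts on the last line of this hunk needs a matching `clk_put(priv->refclk)`. The body of that branch and the driver's remove path are outside the hunk, so the release may already be there. If it is not, switching the lookup to `priv->refclk = devm_clk_get_optional(dev, NULL);` would tie the clock's lifetime to the device and remove the need for manual cleanup on every exit.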
diff --git a/queue-5.10/net-sit-unregister_netdevice-on-newlink-s-error-path.patch b/queue-5.10/net-sit-unregister_netdevice-on-newlink-s-error-path.patch
new file mode 100644 (file)
index 0000000..77dcc62
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Wed, 13 Jan 2021 17:29:47 -0800
+Subject: net: sit: unregister_netdevice on newlink's error path
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 47e4bb147a96f1c9b4e7691e7e994e53838bfff8 ]
+
+We need to unregister the netdevice if config failed.
+.ndo_uninit takes care of most of the heavy lifting.
+
+This was uncovered by recent commit c269a24ce057 ("net: make
+free_netdev() more lenient with unregistering devices").
+Previously the partially-initialized device would be left
+in the system.
+
+Reported-and-tested-by: syzbot+2393580080a2da190f04@syzkaller.appspotmail.com
+Fixes: e2f1f072db8d ("sit: allow to configure 6rd tunnels via netlink")
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Link: https://lore.kernel.org/r/20210114012947.2515313-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1645,8 +1645,11 @@ static int ipip6_newlink(struct net *src
+       }
+ #ifdef CONFIG_IPV6_SIT_6RD
+-      if (ipip6_netlink_6rd_parms(data, &ip6rd))
++      if (ipip6_netlink_6rd_parms(data, &ip6rd)) {
+               err = ipip6_tunnel_update_6rd(nt, &ip6rd);
++              if (err < 0)
++                      unregister_netdevice_queue(dev, NULL);
++      }
+ #endif
+       return err;
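Review bot: The added `unregister_netdevice_queue(dev, NULL)` in ipip6_newlink() should carry a short comment, because the hunk alone does not show why a failed `ipip6_tunnel_update_6rd()` has to undo a registration. Something like `/* dev is already registered here; unregister it so a failed 6rd update does not leave a partially-initialized tunnel in the system */` records what the commit message explains. The registration itself happens earlier in the function, outside the hunk, so the wording should be checked against that code.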
diff --git a/queue-5.10/net-stmmac-fix-taprio-configuration-when-base_time-is-in-the-past.patch b/queue-5.10/net-stmmac-fix-taprio-configuration-when-base_time-is-in-the-past.patch
new file mode 100644 (file)
index 0000000..edd8cfc
--- /dev/null
@@ -0,0 +1,68 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Yannick Vignon <yannick.vignon@nxp.com>
+Date: Wed, 13 Jan 2021 14:15:57 +0100
+Subject: net: stmmac: fix taprio configuration when base_time is in the past
+
+From: Yannick Vignon <yannick.vignon@nxp.com>
+
+[ Upstream commit fe28c53ed71d463e187748b6b10e1130dd72ceeb ]
+
+The Synopsys TSN MAC supports Qbv base times in the past, but only up to a
+certain limit. As a result, a taprio qdisc configuration with a small
+base time (for example when treating the base time as a simple phase
+offset) is not applied by the hardware and silently ignored.
+
+This was observed on an NXP i.MX8MPlus device, but likely affects all
+TSN-variants of the MAC.
+
+Fix the issue by making sure the base time is in the future, pushing it by
+an integer amount of cycle times if needed. (a similar check is already
+done in several other taprio implementations, see for example
+drivers/net/ethernet/intel/igc/igc_tsn.c#L116 or
+drivers/net/dsa/sja1105/sja1105_ptp.h#L39).
+
+Fixes: b60189e0392f ("net: stmmac: Integrate EST with TAPRIO scheduler API")
+Signed-off-by: Yannick Vignon <yannick.vignon@nxp.com>
+Link: https://lore.kernel.org/r/20210113131557.24651-2-yannick.vignon@oss.nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c |   20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+@@ -605,7 +605,8 @@ static int tc_setup_taprio(struct stmmac
+ {
+       u32 size, wid = priv->dma_cap.estwid, dep = priv->dma_cap.estdep;
+       struct plat_stmmacenet_data *plat = priv->plat;
+-      struct timespec64 time;
++      struct timespec64 time, current_time;
++      ktime_t current_time_ns;
+       bool fpe = false;
+       int i, ret = 0;
+       u64 ctr;
+@@ -700,7 +701,22 @@ static int tc_setup_taprio(struct stmmac
+       }
+       /* Adjust for real system time */
+-      time = ktime_to_timespec64(qopt->base_time);
++      priv->ptp_clock_ops.gettime64(&priv->ptp_clock_ops, &current_time);
++      current_time_ns = timespec64_to_ktime(current_time);
++      if (ktime_after(qopt->base_time, current_time_ns)) {
++              time = ktime_to_timespec64(qopt->base_time);
++      } else {
++              ktime_t base_time;
++              s64 n;
++
++              n = div64_s64(ktime_sub_ns(current_time_ns, qopt->base_time),
++                            qopt->cycle_time);
++              base_time = ktime_add_ns(qopt->base_time,
++                                       (n + 1) * qopt->cycle_time);
++
++              time = ktime_to_timespec64(base_time);
++      }
++
+       priv->plat->est->btr[0] = (u32)time.tv_nsec;
+       priv->plat->est->btr[1] = (u32)time.tv_sec;
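Review bot: The `else` branch divides by `qopt->cycle_time` in `div64_s64()` with no check in this hunk that the value is non-zero, and that value comes from the taprio configuration supplied by the administrator through tc. If neither the earlier part of tc_setup_taprio() nor the qdisc core rejects a zero cycle time before this point (both are outside the hunk), add `if (!qopt->cycle_time) return -EINVAL;` ahead of the division. The return value of `priv->ptp_clock_ops.gettime64()` is also ignored, so on failure `current_time` could be read uninitialised; checking it and returning the error would keep the base-time registers from being programmed from an undefined value.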
diff --git a/queue-5.10/net-stmmac-fix-taprio-schedule-configuration.patch b/queue-5.10/net-stmmac-fix-taprio-schedule-configuration.patch
new file mode 100644 (file)
index 0000000..5e2a11c
--- /dev/null
@@ -0,0 +1,107 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Yannick Vignon <yannick.vignon@nxp.com>
+Date: Wed, 13 Jan 2021 14:15:56 +0100
+Subject: net: stmmac: fix taprio schedule configuration
+
+From: Yannick Vignon <yannick.vignon@nxp.com>
+
+[ Upstream commit b76889ff51bfee318bea15891420e5aefd2833a0 ]
+
+When configuring a 802.1Qbv schedule through the tc taprio qdisc on an NXP
+i.MX8MPlus device, the effective cycle time differed from the requested one
+by N*96ns, with N number of entries in the Qbv Gate Control List. This is
+because the driver was adding a 96ns margin to each interval of the GCL,
+apparently to account for the IPG. The problem was observed on NXP
+i.MX8MPlus devices but likely affected all devices relying on the same
+configuration callback (dwmac 4.00, 4.10, 5.10 variants).
+
+Fix the issue by removing the margins, and simply setup the MAC with the
+provided cycle time value. This is the behavior expected by the user-space
+API, as altering the Qbv schedule timings would break standards conformance.
+This is also the behavior of several other Ethernet MAC implementations
+supporting taprio, including the dwxgmac variant of stmmac.
+
+Fixes: 504723af0d85 ("net: stmmac: Add basic EST support for GMAC5+")
+Signed-off-by: Yannick Vignon <yannick.vignon@nxp.com>
+Link: https://lore.kernel.org/r/20210113131557.24651-1-yannick.vignon@oss.nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac5.c |   52 ++-------------------------
+ 1 file changed, 4 insertions(+), 48 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac5.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac5.c
+@@ -572,68 +572,24 @@ static int dwmac5_est_write(void __iomem
+ int dwmac5_est_configure(void __iomem *ioaddr, struct stmmac_est *cfg,
+                        unsigned int ptp_rate)
+ {
+-      u32 speed, total_offset, offset, ctrl, ctr_low;
+-      u32 extcfg = readl(ioaddr + GMAC_EXT_CONFIG);
+-      u32 mac_cfg = readl(ioaddr + GMAC_CONFIG);
+       int i, ret = 0x0;
+-      u64 total_ctr;
+-
+-      if (extcfg & GMAC_CONFIG_EIPG_EN) {
+-              offset = (extcfg & GMAC_CONFIG_EIPG) >> GMAC_CONFIG_EIPG_SHIFT;
+-              offset = 104 + (offset * 8);
+-      } else {
+-              offset = (mac_cfg & GMAC_CONFIG_IPG) >> GMAC_CONFIG_IPG_SHIFT;
+-              offset = 96 - (offset * 8);
+-      }
+-
+-      speed = mac_cfg & (GMAC_CONFIG_PS | GMAC_CONFIG_FES);
+-      speed = speed >> GMAC_CONFIG_FES_SHIFT;
+-
+-      switch (speed) {
+-      case 0x0:
+-              offset = offset * 1000; /* 1G */
+-              break;
+-      case 0x1:
+-              offset = offset * 400; /* 2.5G */
+-              break;
+-      case 0x2:
+-              offset = offset * 100000; /* 10M */
+-              break;
+-      case 0x3:
+-              offset = offset * 10000; /* 100M */
+-              break;
+-      default:
+-              return -EINVAL;
+-      }
+-
+-      offset = offset / 1000;
++      u32 ctrl;
+       ret |= dwmac5_est_write(ioaddr, BTR_LOW, cfg->btr[0], false);
+       ret |= dwmac5_est_write(ioaddr, BTR_HIGH, cfg->btr[1], false);
+       ret |= dwmac5_est_write(ioaddr, TER, cfg->ter, false);
+       ret |= dwmac5_est_write(ioaddr, LLR, cfg->gcl_size, false);
++      ret |= dwmac5_est_write(ioaddr, CTR_LOW, cfg->ctr[0], false);
++      ret |= dwmac5_est_write(ioaddr, CTR_HIGH, cfg->ctr[1], false);
+       if (ret)
+               return ret;
+-      total_offset = 0;
+       for (i = 0; i < cfg->gcl_size; i++) {
+-              ret = dwmac5_est_write(ioaddr, i, cfg->gcl[i] + offset, true);
++              ret = dwmac5_est_write(ioaddr, i, cfg->gcl[i], true);
+               if (ret)
+                       return ret;
+-
+-              total_offset += offset;
+       }
+-      total_ctr = cfg->ctr[0] + cfg->ctr[1] * 1000000000ULL;
+-      total_ctr += total_offset;
+-
+-      ctr_low = do_div(total_ctr, 1000000000);
+-
+-      ret |= dwmac5_est_write(ioaddr, CTR_LOW, ctr_low, false);
+-      ret |= dwmac5_est_write(ioaddr, CTR_HIGH, total_ctr, false);
+-      if (ret)
+-              return ret;
+-
+       ctrl = readl(ioaddr + MTL_EST_CONTROL);
+       ctrl &= ~PTOV;
+       ctrl |= ((1000000000 / ptp_rate) * 6) << PTOV_SHIFT;
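Review bot: The two added `CTR_LOW` and `CTR_HIGH` writes in dwmac5_est_configure() join the existing `ret |= dwmac5_est_write(...)` chain, and OR-ing several negative errno values together can yield a number that matches none of them. Since the function returns `ret` to its caller right after the chain, I would check each write on its own, as the GCL loop below already does: `ret = dwmac5_est_write(ioaddr, CTR_LOW, cfg->ctr[0], false);` followed by `if (ret) return ret;`, and the same for `CTR_HIGH`. The four earlier writes in the chain have the same pattern and could be converted at the same time.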
diff --git a/queue-5.10/net-stmmac-fixed-mtu-channged-by-cache-aligned.patch b/queue-5.10/net-stmmac-fixed-mtu-channged-by-cache-aligned.patch
new file mode 100644 (file)
index 0000000..1e257b2
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: David Wu <david.wu@rock-chips.com>
+Date: Wed, 13 Jan 2021 11:41:09 +0800
+Subject: net: stmmac: Fixed mtu channged by cache aligned
+
+From: David Wu <david.wu@rock-chips.com>
+
+[ Upstream commit 5b55299eed78538cc4746e50ee97103a1643249c ]
+
+Since the original mtu is not used when the mtu is updated,
+the mtu is aligned with cache, this will get an incorrect.
+For example, if you want to configure the mtu to be 1500,
+but mtu 1536 is configured in fact.
+
+Fixed: eaf4fac478077 ("net: stmmac: Do not accept invalid MTU values")
+Signed-off-by: David Wu <david.wu@rock-chips.com>
+Link: https://lore.kernel.org/r/20210113034109.27865-1-david.wu@rock-chips.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3996,6 +3996,7 @@ static int stmmac_change_mtu(struct net_
+ {
+       struct stmmac_priv *priv = netdev_priv(dev);
+       int txfifosz = priv->plat->tx_fifo_size;
++      const int mtu = new_mtu;
+       if (txfifosz == 0)
+               txfifosz = priv->dma_cap.tx_fifo_size;
+@@ -4013,7 +4014,7 @@ static int stmmac_change_mtu(struct net_
+       if ((txfifosz < new_mtu) || (new_mtu > BUF_SIZE_16KiB))
+               return -EINVAL;
+-      dev->mtu = new_mtu;
++      dev->mtu = mtu;
+       netdev_update_features(dev);
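Review bot: The new `const int mtu = new_mtu;` in stmmac_change_mtu() reads like a redundant copy, and nothing on the line says it has to be taken before `new_mtu` is modified. A comment such as `/* Remember the requested MTU; new_mtu is rounded up below and is only used for the FIFO and buffer-size checks. */` would make the intent clear. The rounding sits between the two hunks and is not shown, so the wording should be checked against it. A name like `requested_mtu` would also be easier to tell apart from `new_mtu` at the assignment to `dev->mtu`.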
diff --git a/queue-5.10/net-stmmac-use-__napi_schedule-for-preempt_rt.patch b/queue-5.10/net-stmmac-use-__napi_schedule-for-preempt_rt.patch
new file mode 100644 (file)
index 0000000..995ccde
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Seb Laveze <sebastien.laveze@nxp.com>
+Date: Tue, 12 Jan 2021 15:01:22 +0100
+Subject: net: stmmac: use __napi_schedule() for PREEMPT_RT
+
+From: Seb Laveze <sebastien.laveze@nxp.com>
+
+[ Upstream commit 1f02efd1bb35bee95feed6aab46d1217f29d555b ]
+
+Use of __napi_schedule_irqoff() is not safe with PREEMPT_RT in which
+hard interrupts are not disabled while running the threaded interrupt.
+
+Using __napi_schedule() works for both PREEMPT_RT and mainline Linux,
+just at the cost of an additional check if interrupts are disabled for
+mainline (since they are already disabled).
+
+Similar to the fix done for enetc commit 215602a8d212 ("enetc: use
+napi_schedule to be compatible with PREEMPT_RT")
+
+Signed-off-by: Seb Laveze <sebastien.laveze@nxp.com>
+Link: https://lore.kernel.org/r/20210112140121.1487619-1-sebastien.laveze@oss.nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2158,7 +2158,7 @@ static int stmmac_napi_check(struct stmm
+                       spin_lock_irqsave(&ch->lock, flags);
+                       stmmac_disable_dma_irq(priv, priv->ioaddr, chan, 1, 0);
+                       spin_unlock_irqrestore(&ch->lock, flags);
+-                      __napi_schedule_irqoff(&ch->rx_napi);
++                      __napi_schedule(&ch->rx_napi);
+               }
+       }
+@@ -2167,7 +2167,7 @@ static int stmmac_napi_check(struct stmm
+                       spin_lock_irqsave(&ch->lock, flags);
+                       stmmac_disable_dma_irq(priv, priv->ioaddr, chan, 0, 1);
+                       spin_unlock_irqrestore(&ch->lock, flags);
+-                      __napi_schedule_irqoff(&ch->tx_napi);
++                      __napi_schedule(&ch->tx_napi);
+               }
+       }
diff --git a/queue-5.10/netxen_nic-fix-msi-msi-x-interrupts.patch b/queue-5.10/netxen_nic-fix-msi-msi-x-interrupts.patch
new file mode 100644 (file)
index 0000000..d56edbc
--- /dev/null
@@ -0,0 +1,59 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Manish Chopra <manishc@marvell.com>
+Date: Thu, 7 Jan 2021 02:15:20 -0800
+Subject: netxen_nic: fix MSI/MSI-x interrupts
+
+From: Manish Chopra <manishc@marvell.com>
+
+[ Upstream commit a2bc221b972db91e4be1970e776e98f16aa87904 ]
+
+For all PCI functions on the netxen_nic adapter, interrupt
+mode (INTx or MSI) configuration is dependent on what has
+been configured by the PCI function zero in the shared
+interrupt register, as these adapters do not support mixed
+mode interrupts among the functions of a given adapter.
+
+Logic for setting MSI/MSI-x interrupt mode in the shared interrupt
+register based on PCI function id zero check is not appropriate for
+all family of netxen adapters, as for some of the netxen family
+adapters PCI function zero is not really meant to be probed/loaded
+in the host but rather just act as a management function on the device,
+which caused all the other PCI functions on the adapter to always use
+legacy interrupt (INTx) mode instead of choosing MSI/MSI-x interrupt mode.
+
+This patch replaces that check with port number so that for all
+type of adapters driver attempts for MSI/MSI-x interrupt modes.
+
+Fixes: b37eb210c076 ("netxen_nic: Avoid mixed mode interrupts")
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Link: https://lore.kernel.org/r/20210107101520.6735-1-manishc@marvell.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c |    7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_main.c
+@@ -564,11 +564,6 @@ static const struct net_device_ops netxe
+       .ndo_set_features = netxen_set_features,
+ };
+-static inline bool netxen_function_zero(struct pci_dev *pdev)
+-{
+-      return (PCI_FUNC(pdev->devfn) == 0) ? true : false;
+-}
+-
+ static inline void netxen_set_interrupt_mode(struct netxen_adapter *adapter,
+                                            u32 mode)
+ {
+@@ -664,7 +659,7 @@ static int netxen_setup_intr(struct netx
+       netxen_initialize_interrupt_registers(adapter);
+       netxen_set_msix_bit(pdev, 0);
+-      if (netxen_function_zero(pdev)) {
++      if (adapter->portnum == 0) {
+               if (!netxen_setup_msi_interrupts(adapter, num_msix))
+                       netxen_set_interrupt_mode(adapter, NETXEN_MSI_MODE);
+               else
diff --git a/queue-5.10/rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch b/queue-5.10/rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch
new file mode 100644 (file)
index 0000000..b2a692e
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
+Date: Fri, 8 Jan 2021 09:58:39 +0000
+Subject: rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request
+
+From: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
+
+[ Upstream commit e56b3d94d939f52d46209b9e1b6700c5bfff3123 ]
+
+MSFT ActiveSync implementation requires that the size of the response for
+incoming query is to be provided in the request input length. Failure to
+set the input size proper results in failed request transfer, where the
+ActiveSync counterpart reports the NDIS_STATUS_INVALID_LENGTH (0xC0010014L)
+error.
+
+Set the input size for OID_GEN_PHYSICAL_MEDIUM query to the expected size
+of the response in order for the ActiveSync to properly respond to the
+request.
+
+Fixes: 039ee17d1baa ("rndis_host: Add RNDIS physical medium checking into generic_rndis_bind()")
+Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
+Link: https://lore.kernel.org/r/20210108095839.3335-1-andrey.zhizhikin@leica-geosystems.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/rndis_host.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/rndis_host.c
++++ b/drivers/net/usb/rndis_host.c
+@@ -387,7 +387,7 @@ generic_rndis_bind(struct usbnet *dev, s
+       reply_len = sizeof *phym;
+       retval = rndis_query(dev, intf, u.buf,
+                            RNDIS_OID_GEN_PHYSICAL_MEDIUM,
+-                           0, (void **) &phym, &reply_len);
++                           reply_len, (void **)&phym, &reply_len);
+       if (retval != 0 || !phym) {
+               /* OID is optional so don't fail here. */
+               phym_unspec = cpu_to_le32(RNDIS_PHYSICAL_MEDIUM_UNSPECIFIED);
diff --git a/queue-5.10/rxrpc-call-state-should-be-read-with-read_once-under-some-circumstances.patch b/queue-5.10/rxrpc-call-state-should-be-read-with-read_once-under-some-circumstances.patch
new file mode 100644 (file)
index 0000000..c293e92
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Baptiste Lepers <baptiste.lepers@gmail.com>
+Date: Tue, 12 Jan 2021 15:59:15 +0000
+Subject: rxrpc: Call state should be read with READ_ONCE() under some circumstances
+
+From: Baptiste Lepers <baptiste.lepers@gmail.com>
+
+[ Upstream commit a95d25dd7b94a5ba18246da09b4218f132fed60e ]
+
+The call state may be changed at any time by the data-ready routine in
+response to received packets, so if the call state is to be read and acted
+upon several times in a function, READ_ONCE() must be used unless the call
+state lock is held.
+
+As it happens, we used READ_ONCE() to read the state a few lines above the
+unmarked read in rxrpc_input_data(), so use that value rather than
+re-reading it.
+
+Fixes: a158bdd3247b ("rxrpc: Fix call timeouts")
+Signed-off-by: Baptiste Lepers <baptiste.lepers@gmail.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/r/161046715522.2450566.488819910256264150.stgit@warthog.procyon.org.uk
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/input.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -430,7 +430,7 @@ static void rxrpc_input_data(struct rxrp
+               return;
+       }
+-      if (call->state == RXRPC_CALL_SERVER_RECV_REQUEST) {
++      if (state == RXRPC_CALL_SERVER_RECV_REQUEST) {
+               unsigned long timo = READ_ONCE(call->next_req_timo);
+               unsigned long now, expect_req_by;
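Review bot: The new test `if (state == RXRPC_CALL_SERVER_RECV_REQUEST)` relies on a local `state` whose assignment is not visible in this hunk, so a reader cannot tell from here that it is the READ_ONCE() snapshot the commit message refers to. A one-line comment above the test, such as `/* state is the READ_ONCE() snapshot taken above; do not re-read call->state without the state lock */`, would keep a later edit from reintroducing the unmarked read. rxrpc_input_data() starts and continues outside the hunk.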
diff --git a/queue-5.10/rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch b/queue-5.10/rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch
new file mode 100644 (file)
index 0000000..77ebbb5
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 12 Jan 2021 15:23:51 +0000
+Subject: rxrpc: Fix handling of an unsupported token type in rxrpc_read()
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit d52e419ac8b50c8bef41b398ed13528e75d7ad48 ]
+
+Clang static analysis reports the following:
+
+net/rxrpc/key.c:657:11: warning: Assigned value is garbage or undefined
+                toksize = toksizes[tok++];
+                        ^ ~~~~~~~~~~~~~~~
+
+rxrpc_read() contains two consecutive loops.  The first loop calculates the
+token sizes and stores the results in toksizes[] and the second one uses
+the array.  When there is an error in identifying the token in the first
+loop, the token is skipped, no change is made to the toksizes[] array.
+When the same error happens in the second loop, the token is not skipped.
+This will cause the toksizes[] array to be out of step and will overrun
+past the calculated sizes.
+
+Fix this by making both loops log a message and return an error in this
+case.  This should only happen if a new token type is incompletely
+implemented, so it should normally be impossible to trigger this.
+
+Fixes: 9a059cd5ca7d ("rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()")
+Reported-by: Tom Rix <trix@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Tom Rix <trix@redhat.com>
+Link: https://lore.kernel.org/r/161046503122.2445787.16714129930607546635.stgit@warthog.procyon.org.uk
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/key.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -1109,7 +1109,7 @@ static long rxrpc_read(const struct key
+               default: /* we have a ticket we can't encode */
+                       pr_err("Unsupported key token type (%u)\n",
+                              token->security_index);
+-                      continue;
++                      return -ENOPKG;
+               }
+               _debug("token[%u]: toksize=%u", ntoks, toksize);
+@@ -1224,7 +1224,9 @@ static long rxrpc_read(const struct key
+                       break;
+               default:
+-                      break;
++                      pr_err("Unsupported key token type (%u)\n",
++                             token->security_index);
++                      return -ENOPKG;
+               }
+               ASSERTCMP((unsigned long)xdr - (unsigned long)oldxdr, ==,
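Review bot: Both `default:` branches now call `pr_err()` without rate limiting, and the path is presumably reachable from a userspace key read. If a key with an unsupported token type ever exists, repeated reads could flood the kernel log; `pr_err_ratelimited("Unsupported key token type (%u)\n", token->security_index);` would bound that. The second branch (the hunk at -1224) looks reachable only if the first loop did not already return for the same token, so a comment such as `/* only reachable if the sizing loop above is out of step with this switch */` would explain why it exists. Whether part of the output buffer has already been written when the second return fires cannot be judged here, because rxrpc_read() starts and ends outside both hunks.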
index 1aa99126a5aa9e97eb4c060d3d76a580477a18bd..7a37b762e53d8337083d916f6d1fb4182561d66b 100644 (file)
@@ -8,3 +8,29 @@ nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch
 bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch
 bpf-support-ptr_to_mem-_or_null-register-spilling.patch
 bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch
+net-ipa-modem-add-missing-set_netdev_dev-for-proper-sysfs-links.patch
+net-fix-use-after-free-when-udp-gro-with-shared-fraglist.patch
+udp-prevent-reuseport_select_sock-from-reading-uninitialized-socks.patch
+netxen_nic-fix-msi-msi-x-interrupts.patch
+net-ipv6-validate-gso-skb-before-finish-ipv6-processing.patch
+tipc-fix-null-deref-in-tipc_link_xmit.patch
+mlxsw-core-add-validation-of-transceiver-temperature-thresholds.patch
+mlxsw-core-increase-critical-threshold-for-asic-thermal-zone.patch
+net-mvpp2-remove-pause-and-asym_pause-support.patch
+rndis_host-set-proper-input-size-for-oid_gen_physical_medium-request.patch
+esp-avoid-unneeded-kmap_atomic-call.patch
+net-dcb-validate-netlink-message-in-dcb-handler.patch
+net-dcb-accept-rtm_getdcb-messages-carrying-set-like-dcb-commands.patch
+rxrpc-call-state-should-be-read-with-read_once-under-some-circumstances.patch
+i40e-fix-potential-null-pointer-dereferencing.patch
+net-stmmac-fixed-mtu-channged-by-cache-aligned.patch
+net-sit-unregister_netdevice-on-newlink-s-error-path.patch
+net-stmmac-fix-taprio-schedule-configuration.patch
+net-stmmac-fix-taprio-configuration-when-base_time-is-in-the-past.patch
+net-avoid-32-x-truesize-under-estimation-for-tiny-skbs.patch
+dt-bindings-net-renesas-etheravb-rz-g2h-needs-tx-internal-delay-ps.patch
+net-phy-smsc-fix-clk-error-handling.patch
+net-dsa-clear-devlink-port-type-before-unregistering-slave-netdevs.patch
+rxrpc-fix-handling-of-an-unsupported-token-type-in-rxrpc_read.patch
+net-stmmac-use-__napi_schedule-for-preempt_rt.patch
+can-mcp251xfd-mcp251xfd_handle_rxif_one-fix-wrong-null-pointer-check.patch
diff --git a/queue-5.10/tipc-fix-null-deref-in-tipc_link_xmit.patch b/queue-5.10/tipc-fix-null-deref-in-tipc_link_xmit.patch
new file mode 100644 (file)
index 0000000..6c8d3ef
--- /dev/null
@@ -0,0 +1,79 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Hoang Le <hoang.h.le@dektech.com.au>
+Date: Fri, 8 Jan 2021 14:13:37 +0700
+Subject: tipc: fix NULL deref in tipc_link_xmit()
+
+From: Hoang Le <hoang.h.le@dektech.com.au>
+
+[ Upstream commit b77413446408fdd256599daf00d5be72b5f3e7c6 ]
+
+The buffer list can have zero skb as following path:
+tipc_named_node_up()->tipc_node_xmit()->tipc_link_xmit(), so
+we need to check the list before casting an &sk_buff.
+
+Fault report:
+ [] tipc: Bulk publication failure
+ [] general protection fault, probably for non-canonical [#1] PREEMPT [...]
+ [] KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf]
+ [] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 5.10.0-rc4+ #2
+ [] Hardware name: Bochs ..., BIOS Bochs 01/01/2011
+ [] RIP: 0010:tipc_link_xmit+0xc1/0x2180
+ [] Code: 24 b8 00 00 00 00 4d 39 ec 4c 0f 44 e8 e8 d7 0a 10 f9 48 [...]
+ [] RSP: 0018:ffffc90000006ea0 EFLAGS: 00010202
+ [] RAX: dffffc0000000000 RBX: ffff8880224da000 RCX: 1ffff11003d3cc0d
+ [] RDX: 0000000000000019 RSI: ffffffff886007b9 RDI: 00000000000000c8
+ [] RBP: ffffc90000007018 R08: 0000000000000001 R09: fffff52000000ded
+ [] R10: 0000000000000003 R11: fffff52000000dec R12: ffffc90000007148
+ [] R13: 0000000000000000 R14: 0000000000000000 R15: ffffc90000007018
+ [] FS:  0000000000000000(0000) GS:ffff888037400000(0000) knlGS:000[...]
+ [] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [] CR2: 00007fffd2db5000 CR3: 000000002b08f000 CR4: 00000000000006f0
+
+Fixes: af9b028e270fd ("tipc: make media xmit call outside node spinlock context")
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
+Link: https://lore.kernel.org/r/20210108071337.3598-1-hoang.h.le@dektech.com.au
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/link.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/link.c
++++ b/net/tipc/link.c
+@@ -996,7 +996,6 @@ void tipc_link_reset(struct tipc_link *l
+ int tipc_link_xmit(struct tipc_link *l, struct sk_buff_head *list,
+                  struct sk_buff_head *xmitq)
+ {
+-      struct tipc_msg *hdr = buf_msg(skb_peek(list));
+       struct sk_buff_head *backlogq = &l->backlogq;
+       struct sk_buff_head *transmq = &l->transmq;
+       struct sk_buff *skb, *_skb;
+@@ -1004,13 +1003,18 @@ int tipc_link_xmit(struct tipc_link *l,
+       u16 ack = l->rcv_nxt - 1;
+       u16 seqno = l->snd_nxt;
+       int pkt_cnt = skb_queue_len(list);
+-      int imp = msg_importance(hdr);
+       unsigned int mss = tipc_link_mss(l);
+       unsigned int cwin = l->window;
+       unsigned int mtu = l->mtu;
++      struct tipc_msg *hdr;
+       bool new_bundle;
+       int rc = 0;
++      int imp;
++      if (pkt_cnt <= 0)
++              return 0;
++
++      hdr = buf_msg(skb_peek(list));
+       if (unlikely(msg_size(hdr) > mtu)) {
+               pr_warn("Too large msg, purging xmit list %d %d %d %d %d!\n",
+                       skb_queue_len(list), msg_user(hdr),
+@@ -1019,6 +1023,7 @@ int tipc_link_xmit(struct tipc_link *l,
+               return -EMSGSIZE;
+       }
++      imp = msg_importance(hdr);
+       /* Allow oversubscription of one data msg per source at congestion */
+       if (unlikely(l->backlog[imp].len >= l->backlog[imp].limit)) {
+               if (imp == TIPC_SYSTEM_IMPORTANCE) {
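Review bot: The new guard `if (pkt_cnt <= 0) return 0;` tests a count taken several declarations earlier rather than the list that `skb_peek(list)` is about to dereference. Since `pkt_cnt` is an `int` copy of a queue length, the `<= 0` form also obscures what is being checked. Placing `if (unlikely(skb_queue_empty(list))) return 0;` directly above `hdr = buf_msg(skb_peek(list));` states the precondition at the point of use, ideally with a comment like `/* tipc_named_node_up() can hand us an empty list */`. Returning 0 also reports success for a call that sent nothing; whether callers depend on that is not visible, as tipc_link_xmit() continues outside the hunk.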
diff --git a/queue-5.10/udp-prevent-reuseport_select_sock-from-reading-uninitialized-socks.patch b/queue-5.10/udp-prevent-reuseport_select_sock-from-reading-uninitialized-socks.patch
new file mode 100644 (file)
index 0000000..f470746
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Fri Jan 22 11:51:17 AM CET 2021
+From: Baptiste Lepers <baptiste.lepers@gmail.com>
+Date: Thu, 7 Jan 2021 16:11:10 +1100
+Subject: udp: Prevent reuseport_select_sock from reading uninitialized socks
+
+From: Baptiste Lepers <baptiste.lepers@gmail.com>
+
+[ Upstream commit fd2ddef043592e7de80af53f47fa46fd3573086e ]
+
+reuse->socks[] is modified concurrently by reuseport_add_sock. To
+prevent reading values that have not been fully initialized, only read
+the array up until the last known safe index instead of incorrectly
+re-reading the last index of the array.
+
+Fixes: acdcecc61285f ("udp: correct reuseport selection with connected sockets")
+Signed-off-by: Baptiste Lepers <baptiste.lepers@gmail.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20210107051110.12247-1-baptiste.lepers@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/sock_reuseport.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/sock_reuseport.c
++++ b/net/core/sock_reuseport.c
+@@ -293,7 +293,7 @@ select_by_hash:
+                       i = j = reciprocal_scale(hash, socks);
+                       while (reuse->socks[i]->sk_state == TCP_ESTABLISHED) {
+                               i++;
+-                              if (i >= reuse->num_socks)
++                              if (i >= socks)
+                                       i = 0;
+                               if (i == j)
+                                       goto out;
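Review bot: The wrap-around test `if (i >= socks)` is now bounded by the local `socks`, but nothing at this spot says why `reuse->num_socks` must not be used, and the assignment of `socks` is outside the hunk. A comment on the loop, for example `/* socks is the snapshot of num_socks taken above; entries past it may not be initialised yet */`, would protect the invariant from a later cleanup that swaps the field back in. The loop also indexes `reuse->socks[i]` starting from `reciprocal_scale(hash, socks)`, which presumably relies on a `socks != 0` check earlier in the function; that check is not visible here.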