--- /dev/null
+From 38ec4944b593fd90c5ef42aaaa53e66ae5769d04 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 13 Apr 2021 05:41:35 -0700
+Subject: gro: ensure frag0 meets IP header alignment
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 38ec4944b593fd90c5ef42aaaa53e66ae5769d04 upstream.
+
+After commit 0f6925b3e8da ("virtio_net: Do not pull payload in skb->head")
+Guenter Roeck reported one failure in his tests using sh architecture.
+
+After much debugging, we have been able to spot silent unaligned accesses
+in inet_gro_receive()
+
+The issue at hand is that upper networking stacks assume their header
+is word-aligned. Low level drivers are supposed to reserve NET_IP_ALIGN
+bytes before the Ethernet header to make that happen.
+
+This patch hardens skb_gro_reset_offset() to not allow frag0 fast-path
+if the fragment is not properly aligned.
+
+Some arches like x86, arm64 and powerpc do not care and define NET_IP_ALIGN
+as 0, this extra check will be a NOP for them.
+
+Note that if frag0 is not used, GRO will call pskb_may_pull()
+as many times as needed to pull network and transport headers.
+
+Fixes: 0f6925b3e8da ("virtio_net: Do not pull payload in skb->head")
+Fixes: 78a478d0efd9 ("gro: Inline skb_gro_header and cache frag0 virtual address")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -5406,7 +5406,8 @@ static void skb_gro_reset_offset(struct
+
+ if (skb_mac_header(skb) == skb_tail_pointer(skb) &&
+ pinfo->nr_frags &&
+- !PageHighMem(skb_frag_page(frag0))) {
++ !PageHighMem(skb_frag_page(frag0)) &&
++ (!NET_IP_ALIGN || !(skb_frag_off(frag0) & 3))) {
+ NAPI_GRO_CB(skb)->frag0 = skb_frag_address(frag0);
+ NAPI_GRO_CB(skb)->frag0_len = min_t(unsigned int,
+ skb_frag_size(frag0),
--- /dev/null
+From 4e39a072a6a0fc422ba7da5e4336bdc295d70211 Mon Sep 17 00:00:00 2001
+From: Jason Xing <xingwanli@kuaishou.com>
+Date: Wed, 14 Apr 2021 10:34:28 +0800
+Subject: i40e: fix the panic when running bpf in xdpdrv mode
+
+From: Jason Xing <xingwanli@kuaishou.com>
+
+commit 4e39a072a6a0fc422ba7da5e4336bdc295d70211 upstream.
+
+Fix this panic by adding more rules to calculate the value of @rss_size_max
+which could be used in allocating the queues when bpf is loaded, which,
+however, could cause the failure and then trigger the NULL pointer of
+vsi->rx_rings. Prio to this fix, the machine doesn't care about how many
+cpus are online and then allocates 256 queues on the machine with 32 cpus
+online actually.
+
+Once the load of bpf begins, the log will go like this "failed to get
+tracking for 256 queues for VSI 0 err -12" and this "setup of MAIN VSI
+failed".
+
+Thus, I attach the key information of the crash-log here.
+
+BUG: unable to handle kernel NULL pointer dereference at
+0000000000000000
+RIP: 0010:i40e_xdp+0xdd/0x1b0 [i40e]
+Call Trace:
+[2160294.717292] ? i40e_reconfig_rss_queues+0x170/0x170 [i40e]
+[2160294.717666] dev_xdp_install+0x4f/0x70
+[2160294.718036] dev_change_xdp_fd+0x11f/0x230
+[2160294.718380] ? dev_disable_lro+0xe0/0xe0
+[2160294.718705] do_setlink+0xac7/0xe70
+[2160294.719035] ? __nla_parse+0xed/0x120
+[2160294.719365] rtnl_newlink+0x73b/0x860
+
+Fixes: 41c445ff0f48 ("i40e: main driver core")
+Co-developed-by: Shujin Li <lishujin@kuaishou.com>
+Signed-off-by: Shujin Li <lishujin@kuaishou.com>
+Signed-off-by: Jason Xing <xingwanli@kuaishou.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -11872,6 +11872,7 @@ static int i40e_sw_init(struct i40e_pf *
+ {
+ int err = 0;
+ int size;
++ u16 pow;
+
+ /* Set default capability flags */
+ pf->flags = I40E_FLAG_RX_CSUM_ENABLED |
+@@ -11890,6 +11891,11 @@ static int i40e_sw_init(struct i40e_pf *
+ pf->rss_table_size = pf->hw.func_caps.rss_table_size;
+ pf->rss_size_max = min_t(int, pf->rss_size_max,
+ pf->hw.func_caps.num_tx_qp);
++
++ /* find the next higher power-of-2 of num cpus */
++ pow = roundup_pow_of_two(num_online_cpus());
++ pf->rss_size_max = min_t(int, pf->rss_size_max, pow);
++
+ if (pf->hw.func_caps.rss) {
+ pf->flags |= I40E_FLAG_RSS_ENABLED;
+ pf->alloc_rss_size = min_t(int, pf->rss_size_max,
--- /dev/null
+From 0775ebc4cf8554bdcd2c212669a0868ab68df5c0 Mon Sep 17 00:00:00 2001
+From: Lijun Pan <lijunp213@gmail.com>
+Date: Wed, 14 Apr 2021 02:46:14 -0500
+Subject: ibmvnic: avoid calling napi_disable() twice
+
+From: Lijun Pan <lijunp213@gmail.com>
+
+commit 0775ebc4cf8554bdcd2c212669a0868ab68df5c0 upstream.
+
+__ibmvnic_open calls napi_disable without checking whether NAPI polling
+has already been disabled or not. This could cause napi_disable
+being called twice, which could generate deadlock. For example,
+the first napi_disable will spin until NAPI_STATE_SCHED is cleared
+by napi_complete_done, then set it again.
+When napi_disable is called the second time, it will loop infinitely
+because no dev->poll will be running to clear NAPI_STATE_SCHED.
+
+To prevent above scenario from happening, call ibmvnic_napi_disable()
+which checks if napi is disabled or not before calling napi_disable.
+
+Fixes: bfc32f297337 ("ibmvnic: Move resource initialization to its own routine")
+Suggested-by: Thomas Falcon <tlfalcon@linux.ibm.com>
+Signed-off-by: Lijun Pan <lijunp213@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1081,8 +1081,7 @@ static int __ibmvnic_open(struct net_dev
+
+ rc = set_link_state(adapter, IBMVNIC_LOGICAL_LNK_UP);
+ if (rc) {
+- for (i = 0; i < adapter->req_rx_queues; i++)
+- napi_disable(&adapter->napi[i]);
++ ibmvnic_napi_disable(adapter);
+ release_resources(adapter);
+ return rc;
+ }
--- /dev/null
+From d3a6abccbd272aea7dc2c6f984bb5a2c11278e44 Mon Sep 17 00:00:00 2001
+From: Lijun Pan <lijunp213@gmail.com>
+Date: Wed, 14 Apr 2021 02:46:15 -0500
+Subject: ibmvnic: remove duplicate napi_schedule call in do_reset function
+
+From: Lijun Pan <lijunp213@gmail.com>
+
+commit d3a6abccbd272aea7dc2c6f984bb5a2c11278e44 upstream.
+
+During adapter reset, do_reset/do_hard_reset calls ibmvnic_open(),
+which will calls napi_schedule if previous state is VNIC_CLOSED
+(i.e, the reset case, and "ifconfig down" case). So there is no need
+for do_reset to call napi_schedule again at the end of the function
+though napi_schedule will neglect the request if napi is already
+scheduled.
+
+Fixes: ed651a10875f ("ibmvnic: Updated reset handling")
+Signed-off-by: Lijun Pan <lijunp213@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1849,7 +1849,7 @@ static int do_reset(struct ibmvnic_adapt
+ u64 old_num_rx_queues, old_num_tx_queues;
+ u64 old_num_rx_slots, old_num_tx_slots;
+ struct net_device *netdev = adapter->netdev;
+- int i, rc;
++ int rc;
+
+ netdev_dbg(adapter->netdev, "Re-setting driver (%d)\n",
+ rwi->reset_reason);
+@@ -1994,10 +1994,6 @@ static int do_reset(struct ibmvnic_adapt
+ /* refresh device's multicast list */
+ ibmvnic_set_multi(netdev);
+
+- /* kick napi */
+- for (i = 0; i < adapter->req_rx_queues; i++)
+- napi_schedule(&adapter->napi[i]);
+-
+ if (adapter->reset_reason == VNIC_RESET_FAILOVER ||
+ adapter->reset_reason == VNIC_RESET_MOBILITY) {
+ call_netdevice_notifiers(NETDEV_NOTIFY_PEERS, netdev);
--- /dev/null
+From 7c451f3ef676c805a4b77a743a01a5c21a250a73 Mon Sep 17 00:00:00 2001
+From: Lijun Pan <lijunp213@gmail.com>
+Date: Wed, 14 Apr 2021 02:46:16 -0500
+Subject: ibmvnic: remove duplicate napi_schedule call in open function
+
+From: Lijun Pan <lijunp213@gmail.com>
+
+commit 7c451f3ef676c805a4b77a743a01a5c21a250a73 upstream.
+
+Remove the unnecessary napi_schedule() call in __ibmvnic_open() since
+interrupt_rx() calls napi_schedule_prep/__napi_schedule during every
+receive interrupt.
+
+Fixes: ed651a10875f ("ibmvnic: Updated reset handling")
+Signed-off-by: Lijun Pan <lijunp213@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/net/ethernet/ibm/ibmvnic.c
++++ b/drivers/net/ethernet/ibm/ibmvnic.c
+@@ -1088,11 +1088,6 @@ static int __ibmvnic_open(struct net_dev
+
+ netif_tx_start_all_queues(netdev);
+
+- if (prev_state == VNIC_CLOSED) {
+- for (i = 0; i < adapter->req_rx_queues; i++)
+- napi_schedule(&adapter->napi[i]);
+- }
+-
+ adapter->state = VNIC_OPEN;
+ return rc;
+ }
--- /dev/null
+From a2948b17f6b936fc52f86c0f92c46d2f91928b79 Mon Sep 17 00:00:00 2001
+From: Vaibhav Jain <vaibhav@linux.ibm.com>
+Date: Fri, 2 Apr 2021 14:55:55 +0530
+Subject: libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC
+
+From: Vaibhav Jain <vaibhav@linux.ibm.com>
+
+commit a2948b17f6b936fc52f86c0f92c46d2f91928b79 upstream.
+
+In case a platform doesn't provide explicit flush-hints but provides an
+explicit flush callback via ND_REGION_ASYNC region flag, then
+nvdimm_has_flush() still returns '0' indicating that writes do not
+require flushing. This happens on PPC64 with patch at [1] applied, where
+'deep_flush' of a region was denied even though an explicit flush
+function was provided.
+
+Fix this by adding a condition to nvdimm_has_flush() to test for the
+ND_REGION_ASYNC flag on the region and see if a 'region->flush' callback
+is assigned.
+
+Link: http://lore.kernel.org/r/161703936121.36.7260632399582101498.stgit@e1fbed493c87 [1]
+Fixes: c5d4355d10d4 ("libnvdimm: nd_region flush callback support")
+Reported-by: Shivaprasad G Bhat <sbhat@linux.ibm.com>
+Signed-off-by: Vaibhav Jain <vaibhav@linux.ibm.com>
+Link: https://lore.kernel.org/r/20210402092555.208590-1-vaibhav@linux.ibm.com
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvdimm/region_devs.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/nvdimm/region_devs.c
++++ b/drivers/nvdimm/region_devs.c
+@@ -1142,6 +1142,11 @@ int nvdimm_has_flush(struct nd_region *n
+ || !IS_ENABLED(CONFIG_ARCH_HAS_PMEM_API))
+ return -ENXIO;
+
++ /* Test if an explicit flush function is defined */
++ if (test_bit(ND_REGION_ASYNC, &nd_region->flags) && nd_region->flush)
++ return 1;
++
++ /* Test if any flush hints for the region are available */
+ for (i = 0; i < nd_region->ndr_mappings; i++) {
+ struct nd_mapping *nd_mapping = &nd_region->mapping[i];
+ struct nvdimm *nvdimm = nd_mapping->nvdimm;
+@@ -1152,8 +1157,8 @@ int nvdimm_has_flush(struct nd_region *n
+ }
+
+ /*
+- * The platform defines dimm devices without hints, assume
+- * platform persistence mechanism like ADR
++ * The platform defines dimm devices without hints nor explicit flush,
++ * assume platform persistence mechanism like ADR
+ */
+ return 0;
+ }
--- /dev/null
+From 31457db3750c0b0ed229d836f2609fdb8a5b790e Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 11 Apr 2021 11:02:08 +0200
+Subject: net: davicom: Fix regulator not turned off on failed probe
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 31457db3750c0b0ed229d836f2609fdb8a5b790e upstream.
+
+When the probe fails, we must disable the regulator that was previously
+enabled.
+
+This patch is a follow-up to commit ac88c531a5b3
+("net: davicom: Fix regulator not turned off on failed probe") which missed
+one case.
+
+Fixes: 7994fe55a4a2 ("dm9000: Add regulator and reset support to dm9000")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/davicom/dm9000.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/davicom/dm9000.c
++++ b/drivers/net/ethernet/davicom/dm9000.c
+@@ -1476,8 +1476,10 @@ dm9000_probe(struct platform_device *pde
+
+ /* Init network device */
+ ndev = alloc_etherdev(sizeof(struct board_info));
+- if (!ndev)
+- return -ENOMEM;
++ if (!ndev) {
++ ret = -ENOMEM;
++ goto out_regulator_disable;
++ }
+
+ SET_NETDEV_DEV(ndev, &pdev->dev);
+
--- /dev/null
+From 941ea91e87a6e879ed82dad4949f6234f2702bec Mon Sep 17 00:00:00 2001
+From: Hristo Venev <hristo@venev.name>
+Date: Mon, 12 Apr 2021 20:41:17 +0300
+Subject: net: ip6_tunnel: Unregister catch-all devices
+
+From: Hristo Venev <hristo@venev.name>
+
+commit 941ea91e87a6e879ed82dad4949f6234f2702bec upstream.
+
+Similarly to the sit case, we need to remove the tunnels with no
+addresses that have been moved to another network namespace.
+
+Fixes: 0bd8762824e73 ("ip6tnl: add x-netns support")
+Signed-off-by: Hristo Venev <hristo@venev.name>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -2217,6 +2217,16 @@ static void __net_exit ip6_tnl_destroy_t
+ t = rtnl_dereference(t->next);
+ }
+ }
++
++ t = rtnl_dereference(ip6n->tnls_wc[0]);
++ while (t) {
++ /* If dev is in the same netns, it has already
++ * been added to the list by the previous loop.
++ */
++ if (!net_eq(dev_net(t->dev), net))
++ unregister_netdevice_queue(t->dev, list);
++ t = rtnl_dereference(t->next);
++ }
+ }
+
+ static int __net_init ip6_tnl_init_net(struct net *net)
--- /dev/null
+From a714e27ea8bdee2b238748029d31472d0a65b611 Mon Sep 17 00:00:00 2001
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+Date: Wed, 14 Apr 2021 14:20:29 +0300
+Subject: net: macb: fix the restore of cmp registers
+
+From: Claudiu Beznea <claudiu.beznea@microchip.com>
+
+commit a714e27ea8bdee2b238748029d31472d0a65b611 upstream.
+
+Commit a14d273ba159 ("net: macb: restore cmp registers on resume path")
+introduces the restore of CMP registers on resume path. In case the IP
+doesn't support type 2 screeners (zero on DCFG8 register) the
+struct macb::rx_fs_list::list is not initialized and thus the
+list_for_each_entry(item, &bp->rx_fs_list.list, list) loop introduced in
+commit a14d273ba159 ("net: macb: restore cmp registers on resume path")
+will access an uninitialized list leading to crash. Thus, initialize
+the struct macb::rx_fs_list::list without taking into account if the
+IP supports type 2 screeners or not.
+
+Fixes: a14d273ba159 ("net: macb: restore cmp registers on resume path")
+Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -3590,6 +3590,7 @@ static int macb_init(struct platform_dev
+ reg = gem_readl(bp, DCFG8);
+ bp->max_tuples = min((GEM_BFEXT(SCR2CMP, reg) / 3),
+ GEM_BFEXT(T2SCR, reg));
++ INIT_LIST_HEAD(&bp->rx_fs_list.list);
+ if (bp->max_tuples > 0) {
+ /* also needs one ethtype match to check IPv4 */
+ if (GEM_BFEXT(SCR2ETH, reg) > 0) {
+@@ -3600,7 +3601,6 @@ static int macb_init(struct platform_dev
+ /* Filtering is supported in hw but don't enable it in kernel now */
+ dev->hw_features |= NETIF_F_NTUPLE;
+ /* init Rx flow definitions */
+- INIT_LIST_HEAD(&bp->rx_fs_list.list);
+ bp->rx_fs_list.count = 0;
+ spin_lock_init(&bp->rx_fs_lock);
+ } else
--- /dev/null
+From 610f8c0fc8d46e0933955ce13af3d64484a4630a Mon Sep 17 00:00:00 2001
+From: Hristo Venev <hristo@venev.name>
+Date: Mon, 12 Apr 2021 20:41:16 +0300
+Subject: net: sit: Unregister catch-all devices
+
+From: Hristo Venev <hristo@venev.name>
+
+commit 610f8c0fc8d46e0933955ce13af3d64484a4630a upstream.
+
+A sit interface created without a local or a remote address is linked
+into the `sit_net::tunnels_wc` list of its original namespace. When
+deleting a network namespace, delete the devices that have been moved.
+
+The following script triggers a null pointer dereference if devices
+linked in a deleted `sit_net` remain:
+
+ for i in `seq 1 30`; do
+ ip netns add ns-test
+ ip netns exec ns-test ip link add dev veth0 type veth peer veth1
+ ip netns exec ns-test ip link add dev sit$i type sit dev veth0
+ ip netns exec ns-test ip link set dev sit$i netns $$
+ ip netns del ns-test
+ done
+ for i in `seq 1 30`; do
+ ip link del dev sit$i
+ done
+
+Fixes: 5e6700b3bf98f ("sit: add support of x-netns")
+Signed-off-by: Hristo Venev <hristo@venev.name>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1819,9 +1819,9 @@ static void __net_exit sit_destroy_tunne
+ if (dev->rtnl_link_ops == &sit_link_ops)
+ unregister_netdevice_queue(dev, head);
+
+- for (prio = 1; prio < 4; prio++) {
++ for (prio = 0; prio < 4; prio++) {
+ int h;
+- for (h = 0; h < IP6_SIT_HASH_SIZE; h++) {
++ for (h = 0; h < (prio ? IP6_SIT_HASH_SIZE : 1); h++) {
+ struct ip_tunnel *t;
+
+ t = rtnl_dereference(sitn->tunnels[prio][h]);
--- /dev/null
+From d163a925ebbc6eb5b562b0f1d72c7e817aa75c40 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 7 Apr 2021 21:43:40 +0200
+Subject: netfilter: arp_tables: add pre_exit hook for table unregister
+
+From: Florian Westphal <fw@strlen.de>
+
+commit d163a925ebbc6eb5b562b0f1d72c7e817aa75c40 upstream.
+
+Same problem that also existed in iptables/ip(6)tables, when
+arptable_filter is removed there is no longer a wait period before the
+table/ruleset is free'd.
+
+Unregister the hook in pre_exit, then remove the table in the exit
+function.
+This used to work correctly because the old nf_hook_unregister API
+did unconditional synchronize_net.
+
+The per-net hook unregister function uses call_rcu instead.
+
+Fixes: b9e69e127397 ("netfilter: xtables: don't hook tables by default")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netfilter_arp/arp_tables.h | 5 +++--
+ net/ipv4/netfilter/arp_tables.c | 9 +++++++--
+ net/ipv4/netfilter/arptable_filter.c | 10 +++++++++-
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+
+--- a/include/linux/netfilter_arp/arp_tables.h
++++ b/include/linux/netfilter_arp/arp_tables.h
+@@ -52,8 +52,9 @@ extern void *arpt_alloc_initial_table(co
+ int arpt_register_table(struct net *net, const struct xt_table *table,
+ const struct arpt_replace *repl,
+ const struct nf_hook_ops *ops, struct xt_table **res);
+-void arpt_unregister_table(struct net *net, struct xt_table *table,
+- const struct nf_hook_ops *ops);
++void arpt_unregister_table(struct net *net, struct xt_table *table);
++void arpt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
++ const struct nf_hook_ops *ops);
+ extern unsigned int arpt_do_table(struct sk_buff *skb,
+ const struct nf_hook_state *state,
+ struct xt_table *table);
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -1580,10 +1580,15 @@ out_free:
+ return ret;
+ }
+
+-void arpt_unregister_table(struct net *net, struct xt_table *table,
+- const struct nf_hook_ops *ops)
++void arpt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
++ const struct nf_hook_ops *ops)
+ {
+ nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
++}
++EXPORT_SYMBOL(arpt_unregister_table_pre_exit);
++
++void arpt_unregister_table(struct net *net, struct xt_table *table)
++{
+ __arpt_unregister_table(net, table);
+ }
+
+--- a/net/ipv4/netfilter/arptable_filter.c
++++ b/net/ipv4/netfilter/arptable_filter.c
+@@ -56,16 +56,24 @@ static int __net_init arptable_filter_ta
+ return err;
+ }
+
++static void __net_exit arptable_filter_net_pre_exit(struct net *net)
++{
++ if (net->ipv4.arptable_filter)
++ arpt_unregister_table_pre_exit(net, net->ipv4.arptable_filter,
++ arpfilter_ops);
++}
++
+ static void __net_exit arptable_filter_net_exit(struct net *net)
+ {
+ if (!net->ipv4.arptable_filter)
+ return;
+- arpt_unregister_table(net, net->ipv4.arptable_filter, arpfilter_ops);
++ arpt_unregister_table(net, net->ipv4.arptable_filter);
+ net->ipv4.arptable_filter = NULL;
+ }
+
+ static struct pernet_operations arptable_filter_net_ops = {
+ .exit = arptable_filter_net_exit,
++ .pre_exit = arptable_filter_net_pre_exit,
+ };
+
+ static int __init arptable_filter_init(void)
--- /dev/null
+From 7ee3c61dcd28bf6e290e06ad382f13511dc790e9 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 7 Apr 2021 21:43:39 +0200
+Subject: netfilter: bridge: add pre_exit hooks for ebtable unregistration
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 7ee3c61dcd28bf6e290e06ad382f13511dc790e9 upstream.
+
+Just like ip/ip6/arptables, the hooks have to be removed, then
+synchronize_rcu() has to be called to make sure no more packets are being
+processed before the ruleset data is released.
+
+Place the hook unregistration in the pre_exit hook, then call the new
+ebtables pre_exit function from there.
+
+Years ago, when first netns support got added for netfilter+ebtables,
+this used an older (now removed) netfilter hook unregister API, that did
+a unconditional synchronize_rcu().
+
+Now that all is done with call_rcu, ebtable_{filter,nat,broute} pernet exit
+handlers may free the ebtable ruleset while packets are still in flight.
+
+This can only happens on module removal, not during netns exit.
+
+The new function expects the table name, not the table struct.
+
+This is because upcoming patch set (targeting -next) will remove all
+net->xt.{nat,filter,broute}_table instances, this makes it necessary
+to avoid external references to those member variables.
+
+The existing APIs will be converted, so follow the upcoming scheme of
+passing name + hook type instead.
+
+Fixes: aee12a0a3727e ("ebtables: remove nf_hook_register usage")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netfilter_bridge/ebtables.h | 5 +++--
+ net/bridge/netfilter/ebtable_broute.c | 8 +++++++-
+ net/bridge/netfilter/ebtable_filter.c | 8 +++++++-
+ net/bridge/netfilter/ebtable_nat.c | 8 +++++++-
+ net/bridge/netfilter/ebtables.c | 30 +++++++++++++++++++++++++++---
+ 5 files changed, 51 insertions(+), 8 deletions(-)
+
+--- a/include/linux/netfilter_bridge/ebtables.h
++++ b/include/linux/netfilter_bridge/ebtables.h
+@@ -110,8 +110,9 @@ extern int ebt_register_table(struct net
+ const struct ebt_table *table,
+ const struct nf_hook_ops *ops,
+ struct ebt_table **res);
+-extern void ebt_unregister_table(struct net *net, struct ebt_table *table,
+- const struct nf_hook_ops *);
++extern void ebt_unregister_table(struct net *net, struct ebt_table *table);
++void ebt_unregister_table_pre_exit(struct net *net, const char *tablename,
++ const struct nf_hook_ops *ops);
+ extern unsigned int ebt_do_table(struct sk_buff *skb,
+ const struct nf_hook_state *state,
+ struct ebt_table *table);
+--- a/net/bridge/netfilter/ebtable_broute.c
++++ b/net/bridge/netfilter/ebtable_broute.c
+@@ -105,14 +105,20 @@ static int __net_init broute_net_init(st
+ &net->xt.broute_table);
+ }
+
++static void __net_exit broute_net_pre_exit(struct net *net)
++{
++ ebt_unregister_table_pre_exit(net, "broute", &ebt_ops_broute);
++}
++
+ static void __net_exit broute_net_exit(struct net *net)
+ {
+- ebt_unregister_table(net, net->xt.broute_table, &ebt_ops_broute);
++ ebt_unregister_table(net, net->xt.broute_table);
+ }
+
+ static struct pernet_operations broute_net_ops = {
+ .init = broute_net_init,
+ .exit = broute_net_exit,
++ .pre_exit = broute_net_pre_exit,
+ };
+
+ static int __init ebtable_broute_init(void)
+--- a/net/bridge/netfilter/ebtable_filter.c
++++ b/net/bridge/netfilter/ebtable_filter.c
+@@ -99,14 +99,20 @@ static int __net_init frame_filter_net_i
+ &net->xt.frame_filter);
+ }
+
++static void __net_exit frame_filter_net_pre_exit(struct net *net)
++{
++ ebt_unregister_table_pre_exit(net, "filter", ebt_ops_filter);
++}
++
+ static void __net_exit frame_filter_net_exit(struct net *net)
+ {
+- ebt_unregister_table(net, net->xt.frame_filter, ebt_ops_filter);
++ ebt_unregister_table(net, net->xt.frame_filter);
+ }
+
+ static struct pernet_operations frame_filter_net_ops = {
+ .init = frame_filter_net_init,
+ .exit = frame_filter_net_exit,
++ .pre_exit = frame_filter_net_pre_exit,
+ };
+
+ static int __init ebtable_filter_init(void)
+--- a/net/bridge/netfilter/ebtable_nat.c
++++ b/net/bridge/netfilter/ebtable_nat.c
+@@ -99,14 +99,20 @@ static int __net_init frame_nat_net_init
+ &net->xt.frame_nat);
+ }
+
++static void __net_exit frame_nat_net_pre_exit(struct net *net)
++{
++ ebt_unregister_table_pre_exit(net, "nat", ebt_ops_nat);
++}
++
+ static void __net_exit frame_nat_net_exit(struct net *net)
+ {
+- ebt_unregister_table(net, net->xt.frame_nat, ebt_ops_nat);
++ ebt_unregister_table(net, net->xt.frame_nat);
+ }
+
+ static struct pernet_operations frame_nat_net_ops = {
+ .init = frame_nat_net_init,
+ .exit = frame_nat_net_exit,
++ .pre_exit = frame_nat_net_pre_exit,
+ };
+
+ static int __init ebtable_nat_init(void)
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1237,10 +1237,34 @@ out:
+ return ret;
+ }
+
+-void ebt_unregister_table(struct net *net, struct ebt_table *table,
+- const struct nf_hook_ops *ops)
++static struct ebt_table *__ebt_find_table(struct net *net, const char *name)
++{
++ struct ebt_table *t;
++
++ mutex_lock(&ebt_mutex);
++
++ list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
++ if (strcmp(t->name, name) == 0) {
++ mutex_unlock(&ebt_mutex);
++ return t;
++ }
++ }
++
++ mutex_unlock(&ebt_mutex);
++ return NULL;
++}
++
++void ebt_unregister_table_pre_exit(struct net *net, const char *name, const struct nf_hook_ops *ops)
++{
++ struct ebt_table *table = __ebt_find_table(net, name);
++
++ if (table)
++ nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
++}
++EXPORT_SYMBOL(ebt_unregister_table_pre_exit);
++
++void ebt_unregister_table(struct net *net, struct ebt_table *table)
+ {
+- nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
+ __ebt_unregister_table(net, table);
+ }
+
--- /dev/null
+From fbea31808ca124dd73ff6bb1e67c9af4607c3e32 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 31 Mar 2021 01:04:45 +0200
+Subject: netfilter: conntrack: do not print icmpv6 as unknown via /proc
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit fbea31808ca124dd73ff6bb1e67c9af4607c3e32 upstream.
+
+/proc/net/nf_conntrack shows icmpv6 as unknown.
+
+Fixes: 09ec82f5af99 ("netfilter: conntrack: remove protocol name from l4proto struct")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_standalone.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netfilter/nf_conntrack_standalone.c
++++ b/net/netfilter/nf_conntrack_standalone.c
+@@ -266,6 +266,7 @@ static const char* l4proto_name(u16 prot
+ case IPPROTO_GRE: return "gre";
+ case IPPROTO_SCTP: return "sctp";
+ case IPPROTO_UDPLITE: return "udplite";
++ case IPPROTO_ICMPV6: return "icmpv6";
+ }
+
+ return "unknown";
--- /dev/null
+From b895bdf5d643b6feb7c60856326dd4feb6981560 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 9 Apr 2021 08:49:39 -0700
+Subject: netfilter: nft_limit: avoid possible divide error in nft_limit_init
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit b895bdf5d643b6feb7c60856326dd4feb6981560 upstream.
+
+div_u64() divides u64 by u32.
+
+nft_limit_init() wants to divide u64 by u64, use the appropriate
+math function (div64_u64)
+
+divide error: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 8390 Comm: syz-executor188 Not tainted 5.12.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:div_u64_rem include/linux/math64.h:28 [inline]
+RIP: 0010:div_u64 include/linux/math64.h:127 [inline]
+RIP: 0010:nft_limit_init+0x2a2/0x5e0 net/netfilter/nft_limit.c:85
+Code: ef 4c 01 eb 41 0f 92 c7 48 89 de e8 38 a5 22 fa 4d 85 ff 0f 85 97 02 00 00 e8 ea 9e 22 fa 4c 0f af f3 45 89 ed 31 d2 4c 89 f0 <49> f7 f5 49 89 c6 e8 d3 9e 22 fa 48 8d 7d 48 48 b8 00 00 00 00 00
+RSP: 0018:ffffc90009447198 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 0000200000000000 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffffffff875152e6 RDI: 0000000000000003
+RBP: ffff888020f80908 R08: 0000200000000000 R09: 0000000000000000
+R10: ffffffff875152d8 R11: 0000000000000000 R12: ffffc90009447270
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+FS: 000000000097a300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000200001c4 CR3: 0000000026a52000 CR4: 00000000001506e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ nf_tables_newexpr net/netfilter/nf_tables_api.c:2675 [inline]
+ nft_expr_init+0x145/0x2d0 net/netfilter/nf_tables_api.c:2713
+ nft_set_elem_expr_alloc+0x27/0x280 net/netfilter/nf_tables_api.c:5160
+ nf_tables_newset+0x1997/0x3150 net/netfilter/nf_tables_api.c:4321
+ nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456
+ nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline]
+ nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598
+ netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
+ netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
+ netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
+ ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: c26844eda9d4 ("netfilter: nf_tables: Fix nft limit burst handling")
+Fixes: 3e0f64b7dd31 ("netfilter: nft_limit: fix packet ratelimiting")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Diagnosed-by: Luigi Rizzo <lrizzo@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_limit.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nft_limit.c
++++ b/net/netfilter/nft_limit.c
+@@ -76,13 +76,13 @@ static int nft_limit_init(struct nft_lim
+ return -EOVERFLOW;
+
+ if (pkts) {
+- tokens = div_u64(limit->nsecs, limit->rate) * limit->burst;
++ tokens = div64_u64(limit->nsecs, limit->rate) * limit->burst;
+ } else {
+ /* The token bucket size limits the number of tokens can be
+ * accumulated. tokens_max specifies the bucket size.
+ * tokens_max = unit * (rate + burst) / rate.
+ */
+- tokens = div_u64(limit->nsecs * (limit->rate + limit->burst),
++ tokens = div64_u64(limit->nsecs * (limit->rate + limit->burst),
+ limit->rate);
+ }
+
--- /dev/null
+From 176ddd89171ddcf661862d90c5d257877f7326d6 Mon Sep 17 00:00:00 2001
+From: Jolly Shah <jollys@google.com>
+Date: Thu, 18 Mar 2021 15:56:32 -0700
+Subject: scsi: libsas: Reset num_scatter if libata marks qc as NODATA
+
+From: Jolly Shah <jollys@google.com>
+
+commit 176ddd89171ddcf661862d90c5d257877f7326d6 upstream.
+
+When the cache_type for the SCSI device is changed, the SCSI layer issues a
+MODE_SELECT command. The caching mode details are communicated via a
+request buffer associated with the SCSI command with data direction set as
+DMA_TO_DEVICE (scsi_mode_select()). When this command reaches the libata
+layer, as a part of generic initial setup, libata layer sets up the
+scatterlist for the command using the SCSI command (ata_scsi_qc_new()).
+This command is then translated by the libata layer into
+ATA_CMD_SET_FEATURES (ata_scsi_mode_select_xlat()). The libata layer treats
+this as a non-data command (ata_mselect_caching()), since it only needs an
+ATA taskfile to pass the caching on/off information to the device. It does
+not need the scatterlist that has been setup, so it does not perform
+dma_map_sg() on the scatterlist (ata_qc_issue()). Unfortunately, when this
+command reaches the libsas layer (sas_ata_qc_issue()), libsas layer sees it
+as a non-data command with a scatterlist. It cannot extract the correct DMA
+length since the scatterlist has not been mapped with dma_map_sg() for a
+DMA operation. When this partially constructed SAS task reaches pm80xx
+LLDD, it results in the following warning:
+
+"pm80xx_chip_sata_req 6058: The sg list address
+start_addr=0x0000000000000000 data_len=0x0end_addr_high=0xffffffff
+end_addr_low=0xffffffff has crossed 4G boundary"
+
+Update libsas to handle ATA non-data commands separately so num_scatter and
+total_xfer_len remain 0.
+
+Link: https://lore.kernel.org/r/20210318225632.2481291-1-jollys@google.com
+Fixes: 53de092f47ff ("scsi: libsas: Set data_dir as DMA_NONE if libata marks qc as NODATA")
+Tested-by: Luo Jiaxing <luojiaxing@huawei.com>
+Reviewed-by: John Garry <john.garry@huawei.com>
+Signed-off-by: Jolly Shah <jollys@google.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/libsas/sas_ata.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/scsi/libsas/sas_ata.c
++++ b/drivers/scsi/libsas/sas_ata.c
+@@ -200,18 +200,17 @@ static unsigned int sas_ata_qc_issue(str
+ memcpy(task->ata_task.atapi_packet, qc->cdb, qc->dev->cdb_len);
+ task->total_xfer_len = qc->nbytes;
+ task->num_scatter = qc->n_elem;
++ task->data_dir = qc->dma_dir;
++ } else if (qc->tf.protocol == ATA_PROT_NODATA) {
++ task->data_dir = DMA_NONE;
+ } else {
+ for_each_sg(qc->sg, sg, qc->n_elem, si)
+ xfer += sg_dma_len(sg);
+
+ task->total_xfer_len = xfer;
+ task->num_scatter = si;
+- }
+-
+- if (qc->tf.protocol == ATA_PROT_NODATA)
+- task->data_dir = DMA_NONE;
+- else
+ task->data_dir = qc->dma_dir;
++ }
+ task->scatter = qc->sg;
+ task->ata_task.retry_count = 1;
+ task->task_state_flags = SAS_TASK_STATE_PENDING;
arm64-alternatives-move-length-validation-in-alternative_-insn-endif.patch
vfio-pci-add-missing-range-check-in-vfio_pci_mmap.patch
riscv-fix-spelling-mistake-sparsemem-to-sparsmem.patch
+scsi-libsas-reset-num_scatter-if-libata-marks-qc-as-nodata.patch
+netfilter-conntrack-do-not-print-icmpv6-as-unknown-via-proc.patch
+libnvdimm-region-fix-nvdimm_has_flush-to-handle-nd_region_async.patch
+netfilter-bridge-add-pre_exit-hooks-for-ebtable-unregistration.patch
+netfilter-arp_tables-add-pre_exit-hook-for-table-unregister.patch
+net-macb-fix-the-restore-of-cmp-registers.patch
+netfilter-nft_limit-avoid-possible-divide-error-in-nft_limit_init.patch
+net-davicom-fix-regulator-not-turned-off-on-failed-probe.patch
+net-sit-unregister-catch-all-devices.patch
+net-ip6_tunnel-unregister-catch-all-devices.patch
+i40e-fix-the-panic-when-running-bpf-in-xdpdrv-mode.patch
+ibmvnic-avoid-calling-napi_disable-twice.patch
+ibmvnic-remove-duplicate-napi_schedule-call-in-do_reset-function.patch
+ibmvnic-remove-duplicate-napi_schedule-call-in-open-function.patch
+gro-ensure-frag0-meets-ip-header-alignment.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
