4.19-stable patches

added patches:
	net-fix-iteration-for-sctp-transport-seq_files.patch
	net-qrtr-restrict-user-controlled-length-in-qrtr_tun_write_iter.patch
	net-rds-restrict-iovecs-length-for-rds_cmsg_rdma_args.patch
	net-vmw_vsock-improve-locking-in-vsock_connect_timeout.patch
	net-watchdog-hold-device-global-xmit-lock-during-tx-disable.patch
	ovl-expand-warning-in-ovl_d_real.patch
	vsock-fix-locking-in-vsock_shutdown.patch
	vsock-virtio-update-credit-only-if-socket-is-not-closed.patch

diff --git a/queue-4.19/net-fix-iteration-for-sctp-transport-seq_files.patch b/queue-4.19/net-fix-iteration-for-sctp-transport-seq_files.patch
new file mode 100644 (file)
index 0000000..99665be
--- /dev/null
+++ b/queue-4.19/net-fix-iteration-for-sctp-transport-seq_files.patch
@@ -0,0 +1,76 @@
+From af8085f3a4712c57d0dd415ad543bac85780375c Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Fri, 5 Feb 2021 11:36:30 +1100
+Subject: net: fix iteration for sctp transport seq_files
+
+From: NeilBrown <neilb@suse.de>
+
+commit af8085f3a4712c57d0dd415ad543bac85780375c upstream.
+
+The sctp transport seq_file iterators take a reference to the transport
+in the ->start and ->next functions and releases the reference in the
+->show function.  The preferred handling for such resources is to
+release them in the subsequent ->next or ->stop function call.
+
+Since Commit 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration
+code and interface") there is no guarantee that ->show will be called
+after ->next, so this function can now leak references.
+
+So move the sctp_transport_put() call to ->next and ->stop.
+
+Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface")
+Reported-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: NeilBrown <neilb@suse.de>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/proc.c |   16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/net/sctp/proc.c
++++ b/net/sctp/proc.c
+@@ -230,6 +230,12 @@ static void sctp_transport_seq_stop(stru
+ {
+       struct sctp_ht_iter *iter = seq->private;
+ 
++      if (v && v != SEQ_START_TOKEN) {
++              struct sctp_transport *transport = v;
++
++              sctp_transport_put(transport);
++      }
++
+       sctp_transport_walk_stop(&iter->hti);
+ }
+ 
+@@ -237,6 +243,12 @@ static void *sctp_transport_seq_next(str
+ {
+       struct sctp_ht_iter *iter = seq->private;
+ 
++      if (v && v != SEQ_START_TOKEN) {
++              struct sctp_transport *transport = v;
++
++              sctp_transport_put(transport);
++      }
++
+       ++*pos;
+ 
+       return sctp_transport_get_next(seq_file_net(seq), &iter->hti);
+@@ -292,8 +304,6 @@ static int sctp_assocs_seq_show(struct s
+               sk->sk_rcvbuf);
+       seq_printf(seq, "\n");
+ 
+-      sctp_transport_put(transport);
+-
+       return 0;
+ }
+ 
+@@ -369,8 +379,6 @@ static int sctp_remaddr_seq_show(struct
+               seq_printf(seq, "\n");
+       }
+ 
+-      sctp_transport_put(transport);
+-
+       return 0;
+ }
+ 

diff --git a/queue-4.19/net-qrtr-restrict-user-controlled-length-in-qrtr_tun_write_iter.patch b/queue-4.19/net-qrtr-restrict-user-controlled-length-in-qrtr_tun_write_iter.patch
new file mode 100644 (file)
index 0000000..f8124af
--- /dev/null
+++ b/queue-4.19/net-qrtr-restrict-user-controlled-length-in-qrtr_tun_write_iter.patch
@@ -0,0 +1,51 @@
+From 2a80c15812372e554474b1dba0b1d8e467af295d Mon Sep 17 00:00:00 2001
+From: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+Date: Tue, 2 Feb 2021 15:20:59 +0600
+Subject: net/qrtr: restrict user-controlled length in qrtr_tun_write_iter()
+
+From: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+
+commit 2a80c15812372e554474b1dba0b1d8e467af295d upstream.
+
+syzbot found WARNING in qrtr_tun_write_iter [1] when write_iter length
+exceeds KMALLOC_MAX_SIZE causing order >= MAX_ORDER condition.
+
+Additionally, there is no check for 0 length write.
+
+[1]
+WARNING: mm/page_alloc.c:5011
+[..]
+Call Trace:
+ alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267
+ alloc_pages include/linux/gfp.h:547 [inline]
+ kmalloc_order+0x2e/0xb0 mm/slab_common.c:837
+ kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853
+ kmalloc include/linux/slab.h:557 [inline]
+ kzalloc include/linux/slab.h:682 [inline]
+ qrtr_tun_write_iter+0x8a/0x180 net/qrtr/tun.c:83
+ call_write_iter include/linux/fs.h:1901 [inline]
+
+Reported-by: syzbot+c2a7e5c5211605a90865@syzkaller.appspotmail.com
+Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+Link: https://lore.kernel.org/r/20210202092059.1361381-1-snovitoll@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/qrtr/tun.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/qrtr/tun.c
++++ b/net/qrtr/tun.c
+@@ -80,6 +80,12 @@ static ssize_t qrtr_tun_write_iter(struc
+       ssize_t ret;
+       void *kbuf;
+ 
++      if (!len)
++              return -EINVAL;
++
++      if (len > KMALLOC_MAX_SIZE)
++              return -ENOMEM;
++
+       kbuf = kzalloc(len, GFP_KERNEL);
+       if (!kbuf)
+               return -ENOMEM;

diff --git a/queue-4.19/net-rds-restrict-iovecs-length-for-rds_cmsg_rdma_args.patch b/queue-4.19/net-rds-restrict-iovecs-length-for-rds_cmsg_rdma_args.patch
new file mode 100644 (file)
index 0000000..469e724
--- /dev/null
+++ b/queue-4.19/net-rds-restrict-iovecs-length-for-rds_cmsg_rdma_args.patch
@@ -0,0 +1,53 @@
+From a11148e6fcce2ae53f47f0a442d098d860b4f7db Mon Sep 17 00:00:00 2001
+From: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+Date: Tue, 2 Feb 2021 02:32:33 +0600
+Subject: net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS
+
+From: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+
+commit a11148e6fcce2ae53f47f0a442d098d860b4f7db upstream.
+
+syzbot found WARNING in rds_rdma_extra_size [1] when RDS_CMSG_RDMA_ARGS
+control message is passed with user-controlled
+0x40001 bytes of args->nr_local, causing order >= MAX_ORDER condition.
+
+The exact value 0x40001 can be checked with UIO_MAXIOV which is 0x400.
+So for kcalloc() 0x400 iovecs with sizeof(struct rds_iovec) = 0x10
+is the closest limit, with 0x10 leftover.
+
+Same condition is currently done in rds_cmsg_rdma_args().
+
+[1] WARNING: mm/page_alloc.c:5011
+[..]
+Call Trace:
+ alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267
+ alloc_pages include/linux/gfp.h:547 [inline]
+ kmalloc_order+0x2e/0xb0 mm/slab_common.c:837
+ kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853
+ kmalloc_array include/linux/slab.h:592 [inline]
+ kcalloc include/linux/slab.h:621 [inline]
+ rds_rdma_extra_size+0xb2/0x3b0 net/rds/rdma.c:568
+ rds_rm_size net/rds/send.c:928 [inline]
+
+Reported-by: syzbot+1bd2b07f93745fa38425@syzkaller.appspotmail.com
+Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Link: https://lore.kernel.org/r/20210201203233.1324704-1-snovitoll@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/rdma.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/rds/rdma.c
++++ b/net/rds/rdma.c
+@@ -531,6 +531,9 @@ int rds_rdma_extra_size(struct rds_rdma_
+       if (args->nr_local == 0)
+               return -EINVAL;
+ 
++      if (args->nr_local > UIO_MAXIOV)
++              return -EMSGSIZE;
++
+       iov->iov = kcalloc(args->nr_local,
+                          sizeof(struct rds_iovec),
+                          GFP_KERNEL);

diff --git a/queue-4.19/net-vmw_vsock-improve-locking-in-vsock_connect_timeout.patch b/queue-4.19/net-vmw_vsock-improve-locking-in-vsock_connect_timeout.patch
new file mode 100644 (file)
index 0000000..5a58bad
--- /dev/null
+++ b/queue-4.19/net-vmw_vsock-improve-locking-in-vsock_connect_timeout.patch
@@ -0,0 +1,49 @@
+From 3d0bc44d39bca615b72637e340317b7899b7f911 Mon Sep 17 00:00:00 2001
+From: Norbert Slusarek <nslusarek@gmx.net>
+Date: Fri, 5 Feb 2021 13:14:05 +0100
+Subject: net/vmw_vsock: improve locking in vsock_connect_timeout()
+
+From: Norbert Slusarek <nslusarek@gmx.net>
+
+commit 3d0bc44d39bca615b72637e340317b7899b7f911 upstream.
+
+A possible locking issue in vsock_connect_timeout() was recognized by
+Eric Dumazet which might cause a null pointer dereference in
+vsock_transport_cancel_pkt(). This patch assures that
+vsock_transport_cancel_pkt() will be called within the lock, so a race
+condition won't occur which could result in vsk->transport to be set to NULL.
+
+Fixes: 380feae0def7 ("vsock: cancel packets when failing to connect")
+Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Norbert Slusarek <nslusarek@gmx.net>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://lore.kernel.org/r/trinity-f8e0937a-cf0e-4d80-a76e-d9a958ba3ef1-1612535522360@3c-app-gmx-bap12
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1107,7 +1107,6 @@ static void vsock_connect_timeout(struct
+ {
+       struct sock *sk;
+       struct vsock_sock *vsk;
+-      int cancel = 0;
+ 
+       vsk = container_of(work, struct vsock_sock, connect_work.work);
+       sk = sk_vsock(vsk);
+@@ -1118,11 +1117,9 @@ static void vsock_connect_timeout(struct
+               sk->sk_state = TCP_CLOSE;
+               sk->sk_err = ETIMEDOUT;
+               sk->sk_error_report(sk);
+-              cancel = 1;
++              vsock_transport_cancel_pkt(vsk);
+       }
+       release_sock(sk);
+-      if (cancel)
+-              vsock_transport_cancel_pkt(vsk);
+ 
+       sock_put(sk);
+ }

diff --git a/queue-4.19/net-watchdog-hold-device-global-xmit-lock-during-tx-disable.patch b/queue-4.19/net-watchdog-hold-device-global-xmit-lock-during-tx-disable.patch
new file mode 100644 (file)
index 0000000..b09b2cc
--- /dev/null
+++ b/queue-4.19/net-watchdog-hold-device-global-xmit-lock-during-tx-disable.patch
@@ -0,0 +1,47 @@
+From 3aa6bce9af0e25b735c9c1263739a5639a336ae8 Mon Sep 17 00:00:00 2001
+From: Edwin Peer <edwin.peer@broadcom.com>
+Date: Fri, 5 Feb 2021 17:37:32 -0800
+Subject: net: watchdog: hold device global xmit lock during tx disable
+
+From: Edwin Peer <edwin.peer@broadcom.com>
+
+commit 3aa6bce9af0e25b735c9c1263739a5639a336ae8 upstream.
+
+Prevent netif_tx_disable() running concurrently with dev_watchdog() by
+taking the device global xmit lock. Otherwise, the recommended:
+
+       netif_carrier_off(dev);
+       netif_tx_disable(dev);
+
+driver shutdown sequence can happen after the watchdog has already
+checked carrier, resulting in possible false alarms. This is because
+netif_tx_lock() only sets the frozen bit without maintaining the locks
+on the individual queues.
+
+Fixes: c3f26a269c24 ("netdev: Fix lockdep warnings in multiqueue configurations.")
+Signed-off-by: Edwin Peer <edwin.peer@broadcom.com>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdevice.h |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -3966,6 +3966,7 @@ static inline void netif_tx_disable(stru
+ 
+       local_bh_disable();
+       cpu = smp_processor_id();
++      spin_lock(&dev->tx_global_lock);
+       for (i = 0; i < dev->num_tx_queues; i++) {
+               struct netdev_queue *txq = netdev_get_tx_queue(dev, i);
+ 
+@@ -3973,6 +3974,7 @@ static inline void netif_tx_disable(stru
+               netif_tx_stop_queue(txq);
+               __netif_tx_unlock(txq);
+       }
++      spin_unlock(&dev->tx_global_lock);
+       local_bh_enable();
+ }
+ 

diff --git a/queue-4.19/ovl-expand-warning-in-ovl_d_real.patch b/queue-4.19/ovl-expand-warning-in-ovl_d_real.patch
new file mode 100644 (file)
index 0000000..ce2ef83
--- /dev/null
+++ b/queue-4.19/ovl-expand-warning-in-ovl_d_real.patch
@@ -0,0 +1,54 @@
+From cef4cbff06fbc3be54d6d79ee139edecc2ee8598 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Thu, 12 Nov 2020 11:31:55 +0100
+Subject: ovl: expand warning in ovl_d_real()
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit cef4cbff06fbc3be54d6d79ee139edecc2ee8598 upstream.
+
+There was a syzbot report with this warning but insufficient information...
+
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/super.c |   13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -82,7 +82,7 @@ static void ovl_dentry_release(struct de
+ static struct dentry *ovl_d_real(struct dentry *dentry,
+                                const struct inode *inode)
+ {
+-      struct dentry *real;
++      struct dentry *real = NULL, *lower;
+ 
+       /* It's an overlay file */
+       if (inode && d_inode(dentry) == inode)
+@@ -101,9 +101,10 @@ static struct dentry *ovl_d_real(struct
+       if (real && !inode && ovl_has_upperdata(d_inode(dentry)))
+               return real;
+ 
+-      real = ovl_dentry_lowerdata(dentry);
+-      if (!real)
++      lower = ovl_dentry_lowerdata(dentry);
++      if (!lower)
+               goto bug;
++      real = lower;
+ 
+       /* Handle recursion */
+       real = d_real(real, inode);
+@@ -111,8 +112,10 @@ static struct dentry *ovl_d_real(struct
+       if (!inode || inode == d_inode(real))
+               return real;
+ bug:
+-      WARN(1, "ovl_d_real(%pd4, %s:%lu): real dentry not found\n", dentry,
+-           inode ? inode->i_sb->s_id : "NULL", inode ? inode->i_ino : 0);
++      WARN(1, "%s(%pd4, %s:%lu): real dentry (%p/%lu) not found\n",
++           __func__, dentry, inode ? inode->i_sb->s_id : "NULL",
++           inode ? inode->i_ino : 0, real,
++           real && d_inode(real) ? d_inode(real)->i_ino : 0);
+       return dentry;
+ }
+ 

diff --git a/queue-4.19/series b/queue-4.19/series
index e88799d0aaf9e1a9a0e32298d3e5ce6990edf676..8600d39f4c83b9171d44cc18157168d3cb8d3196 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -26,3 +26,11 @@ i2c-stm32f7-fix-configuration-of-the-digital-filter.patch
 h8300-fix-preemption-build-ti_pre_count-undefined.patch
 usb-dwc3-ulpi-fix-checkpatch-warning.patch
 usb-dwc3-ulpi-replace-cpu-based-busyloop-with-protocol-based-one.patch
+net-fix-iteration-for-sctp-transport-seq_files.patch
+net-vmw_vsock-improve-locking-in-vsock_connect_timeout.patch
+net-watchdog-hold-device-global-xmit-lock-during-tx-disable.patch
+vsock-virtio-update-credit-only-if-socket-is-not-closed.patch
+vsock-fix-locking-in-vsock_shutdown.patch
+net-rds-restrict-iovecs-length-for-rds_cmsg_rdma_args.patch
+net-qrtr-restrict-user-controlled-length-in-qrtr_tun_write_iter.patch
+ovl-expand-warning-in-ovl_d_real.patch

diff --git a/queue-4.19/vsock-fix-locking-in-vsock_shutdown.patch b/queue-4.19/vsock-fix-locking-in-vsock_shutdown.patch
new file mode 100644 (file)
index 0000000..d65248e
--- /dev/null
+++ b/queue-4.19/vsock-fix-locking-in-vsock_shutdown.patch
@@ -0,0 +1,86 @@
+From 1c5fae9c9a092574398a17facc31c533791ef232 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Tue, 9 Feb 2021 09:52:19 +0100
+Subject: vsock: fix locking in vsock_shutdown()
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit 1c5fae9c9a092574398a17facc31c533791ef232 upstream.
+
+In vsock_shutdown() we touched some socket fields without holding the
+socket lock, such as 'state' and 'sk_flags'.
+
+Also, after the introduction of multi-transport, we are accessing
+'vsk->transport' in vsock_send_shutdown() without holding the lock
+and this call can be made while the connection is in progress, so
+the transport can change in the meantime.
+
+To avoid issues, we hold the socket lock when we enter in
+vsock_shutdown() and release it when we leave.
+
+Among the transports that implement the 'shutdown' callback, only
+hyperv_transport acquired the lock. Since the caller now holds it,
+we no longer take it.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c         |    8 +++++---
+ net/vmw_vsock/hyperv_transport.c |    4 ----
+ 2 files changed, 5 insertions(+), 7 deletions(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -816,10 +816,12 @@ static int vsock_shutdown(struct socket
+        */
+ 
+       sk = sock->sk;
++
++      lock_sock(sk);
+       if (sock->state == SS_UNCONNECTED) {
+               err = -ENOTCONN;
+               if (sk->sk_type == SOCK_STREAM)
+-                      return err;
++                      goto out;
+       } else {
+               sock->state = SS_DISCONNECTING;
+               err = 0;
+@@ -828,10 +830,8 @@ static int vsock_shutdown(struct socket
+       /* Receive and send shutdowns are treated alike. */
+       mode = mode & (RCV_SHUTDOWN | SEND_SHUTDOWN);
+       if (mode) {
+-              lock_sock(sk);
+               sk->sk_shutdown |= mode;
+               sk->sk_state_change(sk);
+-              release_sock(sk);
+ 
+               if (sk->sk_type == SOCK_STREAM) {
+                       sock_reset_flag(sk, SOCK_DONE);
+@@ -839,6 +839,8 @@ static int vsock_shutdown(struct socket
+               }
+       }
+ 
++out:
++      release_sock(sk);
+       return err;
+ }
+ 
+--- a/net/vmw_vsock/hyperv_transport.c
++++ b/net/vmw_vsock/hyperv_transport.c
+@@ -443,14 +443,10 @@ static void hvs_shutdown_lock_held(struc
+ 
+ static int hvs_shutdown(struct vsock_sock *vsk, int mode)
+ {
+-      struct sock *sk = sk_vsock(vsk);
+-
+       if (!(mode & SEND_SHUTDOWN))
+               return 0;
+ 
+-      lock_sock(sk);
+       hvs_shutdown_lock_held(vsk->trans, mode);
+-      release_sock(sk);
+       return 0;
+ }
+ 

diff --git a/queue-4.19/vsock-virtio-update-credit-only-if-socket-is-not-closed.patch b/queue-4.19/vsock-virtio-update-credit-only-if-socket-is-not-closed.patch
new file mode 100644 (file)
index 0000000..d6d1cbd
--- /dev/null
+++ b/queue-4.19/vsock-virtio-update-credit-only-if-socket-is-not-closed.patch
@@ -0,0 +1,40 @@
+From ce7536bc7398e2ae552d2fabb7e0e371a9f1fe46 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Mon, 8 Feb 2021 15:44:54 +0100
+Subject: vsock/virtio: update credit only if socket is not closed
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit ce7536bc7398e2ae552d2fabb7e0e371a9f1fe46 upstream.
+
+If the socket is closed or is being released, some resources used by
+virtio_transport_space_update() such as 'vsk->trans' may be released.
+
+To avoid a use after free bug we should only update the available credit
+when we are sure the socket is still open and we have the lock held.
+
+Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Link: https://lore.kernel.org/r/20210208144454.84438-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1033,10 +1033,10 @@ void virtio_transport_recv_pkt(struct vi
+ 
+       vsk = vsock_sk(sk);
+ 
+-      space_available = virtio_transport_space_update(sk, pkt);
+-
+       lock_sock(sk);
+ 
++      space_available = virtio_transport_space_update(sk, pkt);
++
+       /* Update CID in case it has changed after a transport reset event */
+       vsk->local_addr.svm_cid = dst.svm_cid;
+