--- /dev/null
+From foo@baz Sat 28 Dec 2019 06:07:33 AM EST
+From: Mao Wenan <maowenan@huawei.com>
+Date: Mon, 9 Dec 2019 21:31:25 +0800
+Subject: af_packet: set defaule value for tmo
+
+From: Mao Wenan <maowenan@huawei.com>
+
+[ Upstream commit b43d1f9f7067c6759b1051e8ecb84e82cef569fe ]
+
+There is softlockup when using TPACKET_V3:
+...
+NMI watchdog: BUG: soft lockup - CPU#2 stuck for 60010ms!
+(__irq_svc) from [<c0558a0c>] (_raw_spin_unlock_irqrestore+0x44/0x54)
+(_raw_spin_unlock_irqrestore) from [<c027b7e8>] (mod_timer+0x210/0x25c)
+(mod_timer) from [<c0549c30>]
+(prb_retire_rx_blk_timer_expired+0x68/0x11c)
+(prb_retire_rx_blk_timer_expired) from [<c027a7ac>]
+(call_timer_fn+0x90/0x17c)
+(call_timer_fn) from [<c027ab6c>] (run_timer_softirq+0x2d4/0x2fc)
+(run_timer_softirq) from [<c021eaf4>] (__do_softirq+0x218/0x318)
+(__do_softirq) from [<c021eea0>] (irq_exit+0x88/0xac)
+(irq_exit) from [<c0240130>] (msa_irq_exit+0x11c/0x1d4)
+(msa_irq_exit) from [<c0209cf0>] (handle_IPI+0x650/0x7f4)
+(handle_IPI) from [<c02015bc>] (gic_handle_irq+0x108/0x118)
+(gic_handle_irq) from [<c0558ee4>] (__irq_usr+0x44/0x5c)
+...
+
+If __ethtool_get_link_ksettings() is failed in
+prb_calc_retire_blk_tmo(), msec and tmo will be zero, so tov_in_jiffies
+is zero and the timer expire for retire_blk_timer is turn to
+mod_timer(&pkc->retire_blk_timer, jiffies + 0),
+which will trigger cpu usage of softirq is 100%.
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Tested-by: Xiao Jiangfeng <xiaojiangfeng@huawei.com>
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -587,7 +587,8 @@ static int prb_calc_retire_blk_tmo(struc
+ msec = 1;
+ div = speed / 1000;
+ }
+- }
++ } else
++ return DEFAULT_PRB_RETIRE_TOV;
+
+ mbits = (blk_size_in_bytes * 8) / (1024 * 1024);
+
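Review bot: The added `else` branch is unbraced while the `if` arm it pairs with is braced, which kernel coding style asks to avoid; writing it as `} else {` / `return DEFAULT_PRB_RETIRE_TOV;` / `}` keeps the two arms symmetric. A short comment such as `/* link settings unavailable: fall back so the retire timer is never armed with a zero timeout */` would record why the early return exists, since per the commit message a zero timeout re-arms the timer at `jiffies + 0` and pins a CPU in softirq. prb_calc_retire_blk_tmo() starts and ends outside the hunk, so whether the later `mbits`-based computation can still yield zero for small block sizes cannot be checked from here and is worth confirming.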
--- /dev/null
+From foo@baz Sat 28 Dec 2019 06:07:33 AM EST
+From: Chuhong Yuan <hslester96@gmail.com>
+Date: Tue, 10 Dec 2019 00:22:07 +0800
+Subject: fjes: fix missed check in fjes_acpi_add
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit a288f105a03a7e0e629a8da2b31f34ebf0343ee2 ]
+
+fjes_acpi_add() misses a check for platform_device_register_simple().
+Add a check to fix it.
+
+Fixes: 658d439b2292 ("fjes: Introduce FUJITSU Extended Socket Network Device driver")
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/fjes/fjes_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/fjes/fjes_main.c
++++ b/drivers/net/fjes/fjes_main.c
+@@ -149,6 +149,9 @@ static int fjes_acpi_add(struct acpi_dev
+ /* create platform_device */
+ plat_dev = platform_device_register_simple(DRV_NAME, 0, fjes_resource,
+ ARRAY_SIZE(fjes_resource));
++ if (IS_ERR(plat_dev))
++ return PTR_ERR(plat_dev);
++
+ device->driver_data = plat_dev;
+
+ return 0;
--- /dev/null
+From foo@baz Sat 28 Dec 2019 06:07:33 AM EST
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Thu, 19 Dec 2019 23:24:47 +0000
+Subject: mod_devicetable: fix PHY module format
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit d2ed49cf6c13e379c5819aa5ac20e1f9674ebc89 ]
+
+When a PHY is probed, if the top bit is set, we end up requesting a
+module with the string "mdio:-10101110000000100101000101010001" -
+the top bit is printed to a signed -1 value. This leads to the module
+not being loaded.
+
+Fix the module format string and the macro generating the values for
+it to ensure that we only print unsigned types and the top bit is
+always 0/1. We correctly end up with
+"mdio:10101110000000100101000101010001".
+
+Fixes: 8626d3b43280 ("phylib: Support phy module autoloading")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mod_devicetable.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/mod_devicetable.h
++++ b/include/linux/mod_devicetable.h
+@@ -502,9 +502,9 @@ struct platform_device_id {
+
+ #define MDIO_MODULE_PREFIX "mdio:"
+
+-#define MDIO_ID_FMT "%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d%d"
++#define MDIO_ID_FMT "%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u%u"
+ #define MDIO_ID_ARGS(_id) \
+- (_id)>>31, ((_id)>>30) & 1, ((_id)>>29) & 1, ((_id)>>28) & 1, \
++ ((_id)>>31) & 1, ((_id)>>30) & 1, ((_id)>>29) & 1, ((_id)>>28) & 1, \
+ ((_id)>>27) & 1, ((_id)>>26) & 1, ((_id)>>25) & 1, ((_id)>>24) & 1, \
+ ((_id)>>23) & 1, ((_id)>>22) & 1, ((_id)>>21) & 1, ((_id)>>20) & 1, \
+ ((_id)>>19) & 1, ((_id)>>18) & 1, ((_id)>>17) & 1, ((_id)>>16) & 1, \
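Review bot: The format now uses `%u`, but each argument's type in MDIO_ID_ARGS still follows whatever type `_id` has, so a caller passing a signed value would hand `int` arguments to `%u` and right-shift a negative number. The `& 1` mask keeps the printed value at 0 or 1 either way, so this is about making the contract explicit: either cast each term, e.g. `((__u32)(_id)>>31) & 1`, or add a comment above the macro such as `/* _id must be an unsigned 32-bit PHY ID; each argument expands to one bit, MSB first */`. The macro also expands `_id` 32 times, so arguments with side effects must not be passed. The macro continues past the end of the hunk.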
--- /dev/null
+From foo@baz Sat 28 Dec 2019 06:03:45 AM EST
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+Date: Fri, 20 Dec 2019 14:31:40 +0100
+Subject: net: dst: Force 4-byte alignment of dst_metrics
+
+From: Geert Uytterhoeven <geert@linux-m68k.org>
+
+[ Upstream commit 258a980d1ec23e2c786e9536a7dd260bea74bae6 ]
+
+When storing a pointer to a dst_metrics structure in dst_entry._metrics,
+two flags are added in the least significant bits of the pointer value.
+Hence this assumes all pointers to dst_metrics structures have at least
+4-byte alignment.
+
+However, on m68k, the minimum alignment of 32-bit values is 2 bytes, not
+4 bytes. Hence in some kernel builds, dst_default_metrics may be only
+2-byte aligned, leading to obscure boot warnings like:
+
+ WARNING: CPU: 0 PID: 7 at lib/refcount.c:28 refcount_warn_saturate+0x44/0x9a
+ refcount_t: underflow; use-after-free.
+ Modules linked in:
+ CPU: 0 PID: 7 Comm: ksoftirqd/0 Tainted: G W 5.5.0-rc2-atari-01448-g114a1a1038af891d-dirty #261
+ Stack from 10835e6c:
+ 10835e6c 0038134f 00023fa6 00394b0f 0000001c 00000009 00321560 00023fea
+ 00394b0f 0000001c 001a70f8 00000009 00000000 10835eb4 00000001 00000000
+ 04208040 0000000a 00394b4a 10835ed4 00043aa8 001a70f8 00394b0f 0000001c
+ 00000009 00394b4a 0026aba8 003215a4 00000003 00000000 0026d5a8 00000001
+ 003215a4 003a4361 003238d6 000001f0 00000000 003215a4 10aa3b00 00025e84
+ 003ddb00 10834000 002416a8 10aa3b00 00000000 00000080 000aa038 0004854a
+ Call Trace: [<00023fa6>] __warn+0xb2/0xb4
+ [<00023fea>] warn_slowpath_fmt+0x42/0x64
+ [<001a70f8>] refcount_warn_saturate+0x44/0x9a
+ [<00043aa8>] printk+0x0/0x18
+ [<001a70f8>] refcount_warn_saturate+0x44/0x9a
+ [<0026aba8>] refcount_sub_and_test.constprop.73+0x38/0x3e
+ [<0026d5a8>] ipv4_dst_destroy+0x5e/0x7e
+ [<00025e84>] __local_bh_enable_ip+0x0/0x8e
+ [<002416a8>] dst_destroy+0x40/0xae
+
+Fix this by forcing 4-byte alignment of all dst_metrics structures.
+
+Fixes: e5fd387ad5b30ca3 ("ipv6: do not overwrite inetpeer metrics prematurely")
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/dst.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -113,7 +113,7 @@ struct dst_entry {
+ struct dst_metrics {
+ u32 metrics[RTAX_MAX];
+ atomic_t refcnt;
+-};
++} __aligned(4); /* Low pointer bits contain DST_METRICS_FLAGS */
+ extern const struct dst_metrics dst_default_metrics;
+
+ u32 *dst_cow_metrics_generic(struct dst_entry *dst, unsigned long old);
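Review bot: The 4-byte alignment that the pointer tagging depends on is enforced only by the attribute and described only in the trailing comment on the closing brace of `struct dst_metrics`; nothing fails the build if the attribute is dropped in a later backport or the flag mask grows. A compile-time check next to the code that packs the flags, for example `BUILD_BUG_ON(__alignof__(struct dst_metrics) <= DST_METRICS_FLAGS);`, would turn the silent refcount corruption shown in the commit message into a build error. This assumes DST_METRICS_FLAGS is the mask of the low tag bits, as the new comment suggests; its definition is outside the hunk.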
--- /dev/null
+From foo@baz Sat 28 Dec 2019 06:07:33 AM EST
+From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Date: Thu, 19 Dec 2019 10:08:07 +0800
+Subject: net: hisilicon: Fix a BUG trigered by wrong bytes_compl
+
+From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+
+[ Upstream commit 90b3b339364c76baa2436445401ea9ade040c216 ]
+
+When doing stress test, we get the following trace:
+kernel BUG at lib/dynamic_queue_limits.c:26!
+Internal error: Oops - BUG: 0 [#1] SMP ARM
+Modules linked in: hip04_eth
+CPU: 0 PID: 2003 Comm: tDblStackPcap0 Tainted: G O L 4.4.197 #1
+Hardware name: Hisilicon A15
+task: c3637668 task.stack: de3bc000
+PC is at dql_completed+0x18/0x154
+LR is at hip04_tx_reclaim+0x110/0x174 [hip04_eth]
+pc : [<c041abfc>] lr : [<bf0003a8>] psr: 800f0313
+sp : de3bdc2c ip : 00000000 fp : c020fb10
+r10: 00000000 r9 : c39b4224 r8 : 00000001
+r7 : 00000046 r6 : c39b4000 r5 : 0078f392 r4 : 0078f392
+r3 : 00000047 r2 : 00000000 r1 : 00000046 r0 : df5d5c80
+Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
+Control: 32c5387d Table: 1e189b80 DAC: 55555555
+Process tDblStackPcap0 (pid: 2003, stack limit = 0xde3bc190)
+Stack: (0xde3bdc2c to 0xde3be000)
+[<c041abfc>] (dql_completed) from [<bf0003a8>] (hip04_tx_reclaim+0x110/0x174 [hip04_eth])
+[<bf0003a8>] (hip04_tx_reclaim [hip04_eth]) from [<bf0012c0>] (hip04_rx_poll+0x20/0x388 [hip04_eth])
+[<bf0012c0>] (hip04_rx_poll [hip04_eth]) from [<c04c8d9c>] (net_rx_action+0x120/0x374)
+[<c04c8d9c>] (net_rx_action) from [<c021eaf4>] (__do_softirq+0x218/0x318)
+[<c021eaf4>] (__do_softirq) from [<c021eea0>] (irq_exit+0x88/0xac)
+[<c021eea0>] (irq_exit) from [<c0240130>] (msa_irq_exit+0x11c/0x1d4)
+[<c0240130>] (msa_irq_exit) from [<c0267ba8>] (__handle_domain_irq+0x110/0x148)
+[<c0267ba8>] (__handle_domain_irq) from [<c0201588>] (gic_handle_irq+0xd4/0x118)
+[<c0201588>] (gic_handle_irq) from [<c0558360>] (__irq_svc+0x40/0x58)
+Exception stack(0xde3bdde0 to 0xde3bde28)
+dde0: 00000000 00008001 c3637668 00000000 00000000 a00f0213 dd3627a0 c0af6380
+de00: c086d380 a00f0213 c0a22a50 de3bde6c 00000002 de3bde30 c0558138 c055813c
+de20: 600f0213 ffffffff
+[<c0558360>] (__irq_svc) from [<c055813c>] (_raw_spin_unlock_irqrestore+0x44/0x54)
+Kernel panic - not syncing: Fatal exception in interrupt
+
+Pre-modification code:
+int hip04_mac_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+{
+[...]
+[1] priv->tx_head = TX_NEXT(tx_head);
+[2] count++;
+[3] netdev_sent_queue(ndev, skb->len);
+[...]
+}
+An rx interrupt occurs if hip04_mac_start_xmit just executes to the line 2,
+tx_head has been updated, but corresponding 'skb->len' has not been
+added to dql_queue.
+
+And then
+hip04_mac_interrupt->__napi_schedule->hip04_rx_poll->hip04_tx_reclaim
+
+In hip04_tx_reclaim, because tx_head has been updated,
+bytes_compl will plus an additional "skb-> len"
+which has not been added to dql_queue. And then
+trigger the BUG_ON(bytes_compl > num_queued - dql->num_completed).
+
+To solve the problem described above, we put
+"netdev_sent_queue(ndev, skb->len);"
+before
+"priv->tx_head = TX_NEXT(tx_head);"
+
+Fixes: a41ea46a9a12 ("net: hisilicon: new hip04 ethernet driver")
+Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hip04_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
++++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
+@@ -455,9 +455,9 @@ static int hip04_mac_start_xmit(struct s
+ skb_tx_timestamp(skb);
+
+ hip04_set_xmit_desc(priv, phys);
+- priv->tx_head = TX_NEXT(tx_head);
+ count++;
+ netdev_sent_queue(ndev, skb->len);
++ priv->tx_head = TX_NEXT(tx_head);
+
+ stats->tx_bytes += skb->len;
+ stats->tx_packets++;
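Review bot: The fix depends on the `netdev_sent_queue()` accounting being visible before the store to `priv->tx_head`, but the reordered lines carry no comment and no barrier is visible between them in this hunk. If hip04_tx_reclaim() can run on another CPU, plain stores give no ordering guarantee there; consider `smp_wmb();` ahead of `priv->tx_head = TX_NEXT(tx_head);` with a matching read barrier on the reclaim side, unless one already exists in the part of hip04_mac_start_xmit() outside the hunk. At minimum add `/* account bytes in DQL before publishing tx_head; tx reclaim treats every slot below tx_head as queued */` so a later cleanup does not undo the order.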
--- /dev/null
+From foo@baz Sat 28 Dec 2019 06:07:33 AM EST
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Wed, 18 Dec 2019 17:21:55 +0800
+Subject: net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit b7ac893652cafadcf669f78452329727e4e255cc ]
+
+The kernel may sleep while holding a spinlock.
+The function call path (from bottom to top) in Linux 4.19 is:
+
+net/nfc/nci/uart.c, 349:
+ nci_skb_alloc in nci_uart_default_recv_buf
+net/nfc/nci/uart.c, 255:
+ (FUNC_PTR)nci_uart_default_recv_buf in nci_uart_tty_receive
+net/nfc/nci/uart.c, 254:
+ spin_lock in nci_uart_tty_receive
+
+nci_skb_alloc(GFP_KERNEL) can sleep at runtime.
+(FUNC_PTR) means a function pointer is called.
+
+To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC for
+nci_skb_alloc().
+
+This bug is found by a static analysis tool STCheck written by myself.
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/nci/uart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/nfc/nci/uart.c
++++ b/net/nfc/nci/uart.c
+@@ -355,7 +355,7 @@ static int nci_uart_default_recv_buf(str
+ nu->rx_packet_len = -1;
+ nu->rx_skb = nci_skb_alloc(nu->ndev,
+ NCI_MAX_PACKET_SIZE,
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ if (!nu->rx_skb)
+ return -ENOMEM;
+ }
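Review bot: `GFP_ATOMIC` at the `nci_skb_alloc()` call has no comment saying why a sleeping allocation is not allowed here, and the reason lives in another function: per the commit message, the receive callback is invoked under a spinlock in nci_uart_tty_receive(). A line such as `/* called with a spinlock held from nci_uart_tty_receive(); must not sleep */` above the call would keep someone from switching it back. Atomic allocations fail more readily under memory pressure, so the `-ENOMEM` return just below becomes a more likely path. How the caller treats the bytes already received in that case is outside the hunk and worth checking.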
--- /dev/null
+From foo@baz Sat 28 Dec 2019 06:07:33 AM EST
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 17 Dec 2019 01:57:40 +0000
+Subject: net: qlogic: Fix error paths in ql_alloc_large_buffers()
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+[ Upstream commit cad46039e4c99812db067c8ac22a864960e7acc4 ]
+
+ql_alloc_large_buffers() has the usual RX buffer allocation
+loop where it allocates skbs and maps them for DMA. It also
+treats failure as a fatal error.
+
+There are (at least) three bugs in the error paths:
+
+1. ql_free_large_buffers() assumes that the lrg_buf[] entry for the
+first buffer that couldn't be allocated will have .skb == NULL.
+But the qla_buf[] array is not zero-initialised.
+
+2. ql_free_large_buffers() DMA-unmaps all skbs in lrg_buf[]. This is
+incorrect for the last allocated skb, if DMA mapping failed.
+
+3. Commit 1acb8f2a7a9f ("net: qlogic: Fix memory leak in
+ql_alloc_large_buffers") added a direct call to dev_kfree_skb_any()
+after the skb is recorded in lrg_buf[], so ql_free_large_buffers()
+will double-free it.
+
+The bugs are somewhat inter-twined, so fix them all at once:
+
+* Clear each entry in qla_buf[] before attempting to allocate
+ an skb for it. This goes half-way to fixing bug 1.
+* Set the .skb field only after the skb is DMA-mapped. This
+ fixes the rest.
+
+Fixes: 1357bfcf7106 ("qla3xxx: Dynamically size the rx buffer queue ...")
+Fixes: 0f8ab89e825f ("qla3xxx: Check return code from pci_map_single() ...")
+Fixes: 1acb8f2a7a9f ("net: qlogic: Fix memory leak in ql_alloc_large_buffers")
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qla3xxx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qla3xxx.c
++++ b/drivers/net/ethernet/qlogic/qla3xxx.c
+@@ -2752,6 +2752,9 @@ static int ql_alloc_large_buffers(struct
+ int err;
+
+ for (i = 0; i < qdev->num_large_buffers; i++) {
++ lrg_buf_cb = &qdev->lrg_buf[i];
++ memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb));
++
+ skb = netdev_alloc_skb(qdev->ndev,
+ qdev->lrg_buffer_len);
+ if (unlikely(!skb)) {
+@@ -2762,11 +2765,7 @@ static int ql_alloc_large_buffers(struct
+ ql_free_large_buffers(qdev);
+ return -ENOMEM;
+ } else {
+-
+- lrg_buf_cb = &qdev->lrg_buf[i];
+- memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb));
+ lrg_buf_cb->index = i;
+- lrg_buf_cb->skb = skb;
+ /*
+ * We save some space to copy the ethhdr from first
+ * buffer
+@@ -2788,6 +2787,7 @@ static int ql_alloc_large_buffers(struct
+ return -ENOMEM;
+ }
+
++ lrg_buf_cb->skb = skb;
+ dma_unmap_addr_set(lrg_buf_cb, mapaddr, map);
+ dma_unmap_len_set(lrg_buf_cb, maplen,
+ qdev->lrg_buffer_len -
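Review bot: The moved `lrg_buf_cb->skb = skb;` now encodes an invariant that nothing at the assignment states: a non-NULL `.skb` means the buffer is also DMA-mapped, which ql_free_large_buffers() relies on. A comment like `/* publish skb only once mapped: ql_free_large_buffers() unmaps every entry with .skb set */` would protect the ordering. In the first hunk, `memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb));` would be more robust as `sizeof(*lrg_buf_cb)`. Only entry `i` is cleared before each allocation, so the cleanup is safe only if it stops at the first NULL `.skb`, as the commit message describes; that function is outside the hunks.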
--- /dev/null
+From foo@baz Sat 28 Dec 2019 06:07:33 AM EST
+From: Cristian Birsan <cristian.birsan@microchip.com>
+Date: Thu, 12 Dec 2019 13:52:47 +0200
+Subject: net: usb: lan78xx: Fix suspend/resume PHY register access error
+
+From: Cristian Birsan <cristian.birsan@microchip.com>
+
+[ Upstream commit 20032b63586ac6c28c936dff696981159913a13f ]
+
+Lan78xx driver accesses the PHY registers through MDIO bus over USB
+connection. When performing a suspend/resume, the PHY registers can be
+accessed before the USB connection is resumed. This will generate an
+error and will prevent the device to resume correctly.
+This patch adds the dependency between the MDIO bus and USB device to
+allow correct handling of suspend/resume.
+
+Fixes: ce85e13ad6ef ("lan78xx: Update to use phylib instead of mii_if_info.")
+Signed-off-by: Cristian Birsan <cristian.birsan@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/lan78xx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -1448,6 +1448,7 @@ static int lan78xx_mdio_init(struct lan7
+ dev->mdiobus->read = lan78xx_mdiobus_read;
+ dev->mdiobus->write = lan78xx_mdiobus_write;
+ dev->mdiobus->name = "lan78xx-mdiobus";
++ dev->mdiobus->parent = &dev->udev->dev;
+
+ snprintf(dev->mdiobus->id, MII_BUS_ID_SIZE, "usb-%03d:%03d",
+ dev->udev->bus->busnum, dev->udev->devnum);
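Review bot: The new `dev->mdiobus->parent = &dev->udev->dev;` line does not say why the parent matters, and among the surrounding plain field assignments it reads as cosmetic. A comment such as `/* parent the MDIO bus to the USB device so PHY suspend/resume is ordered against the USB link */` would record the dependency the commit message describes. lan78xx_mdio_init() begins and ends outside the hunk.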
--- /dev/null
+From foo@baz Sat 28 Dec 2019 06:07:34 AM EST
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 9 Dec 2019 13:45:54 +0800
+Subject: sctp: fully initialize v4 addr in some functions
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit b6f3320b1d5267e7b583a6d0c88dda518101740c ]
+
+Syzbot found a crash:
+
+ BUG: KMSAN: uninit-value in crc32_body lib/crc32.c:112 [inline]
+ BUG: KMSAN: uninit-value in crc32_le_generic lib/crc32.c:179 [inline]
+ BUG: KMSAN: uninit-value in __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
+ Call Trace:
+ crc32_body lib/crc32.c:112 [inline]
+ crc32_le_generic lib/crc32.c:179 [inline]
+ __crc32c_le_base+0x4fa/0xd30 lib/crc32.c:202
+ chksum_update+0xb2/0x110 crypto/crc32c_generic.c:90
+ crypto_shash_update+0x4c5/0x530 crypto/shash.c:107
+ crc32c+0x150/0x220 lib/libcrc32c.c:47
+ sctp_csum_update+0x89/0xa0 include/net/sctp/checksum.h:36
+ __skb_checksum+0x1297/0x12a0 net/core/skbuff.c:2640
+ sctp_compute_cksum include/net/sctp/checksum.h:59 [inline]
+ sctp_packet_pack net/sctp/output.c:528 [inline]
+ sctp_packet_transmit+0x40fb/0x4250 net/sctp/output.c:597
+ sctp_outq_flush_transports net/sctp/outqueue.c:1146 [inline]
+ sctp_outq_flush+0x1823/0x5d80 net/sctp/outqueue.c:1194
+ sctp_outq_uncork+0xd0/0xf0 net/sctp/outqueue.c:757
+ sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1781 [inline]
+ sctp_side_effects net/sctp/sm_sideeffect.c:1184 [inline]
+ sctp_do_sm+0x8fe1/0x9720 net/sctp/sm_sideeffect.c:1155
+ sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:185
+ sctp_apply_peer_addr_params+0x212/0x1d40 net/sctp/socket.c:2433
+ sctp_setsockopt_peer_addr_params net/sctp/socket.c:2686 [inline]
+ sctp_setsockopt+0x189bb/0x19090 net/sctp/socket.c:4672
+
+The issue was caused by transport->ipaddr set with uninit addr param, which
+was passed by:
+
+ sctp_transport_init net/sctp/transport.c:47 [inline]
+ sctp_transport_new+0x248/0xa00 net/sctp/transport.c:100
+ sctp_assoc_add_peer+0x5ba/0x2030 net/sctp/associola.c:611
+ sctp_process_param net/sctp/sm_make_chunk.c:2524 [inline]
+
+where 'addr' is set by sctp_v4_from_addr_param(), and it doesn't initialize
+the padding of addr->v4.
+
+Later when calling sctp_make_heartbeat(), hbinfo.daddr(=transport->ipaddr)
+will become the part of skb, and the issue occurs.
+
+This patch is to fix it by initializing the padding of addr->v4 in
+sctp_v4_from_addr_param(), as well as other functions that do the similar
+thing, and these functions shouldn't trust that the caller initializes the
+memory, as Marcelo suggested.
+
+Reported-by: syzbot+6dcbfea81cd3d4dd0b02@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/protocol.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -191,6 +191,7 @@ static void sctp_free_local_addr_list(st
+ list_del(pos);
+ kfree(addr);
+ }
++ memset(sa->sin_zero, 0, sizeof(sa->sin_zero));
+ }
+
+ /* Copy the local addresses which are valid for 'scope' into 'bp'. */
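Review bot: The first hunk adds `memset(sa->sin_zero, 0, sizeof(sa->sin_zero));` at the end of what the hunk header and context (`list_del(pos); kfree(addr);`) show to be sctp_free_local_addr_list(), a function that frees list entries and has no `sa` variable in the visible lines. This looks like a hunk applied at the wrong location in the backport. It would either fail to build or leave the intended function, presumably the helper that fills a v4 address from an skb, still passing uninitialised `sin_zero` bytes into outgoing packets, which is the problem the commit sets out to close. The memset should move to that helper and, if this tree has no `sa` local there, use the same form as the other four hunks: `memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));`. The function body starts outside the hunk, so confirm against the target tree.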
+@@ -255,6 +256,7 @@ static void sctp_v4_from_sk(union sctp_a
+ addr->v4.sin_family = AF_INET;
+ addr->v4.sin_port = 0;
+ addr->v4.sin_addr.s_addr = inet_sk(sk)->inet_rcv_saddr;
++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+ }
+
+ /* Initialize sk->sk_rcv_saddr from sctp_addr. */
+@@ -277,6 +279,7 @@ static void sctp_v4_from_addr_param(unio
+ addr->v4.sin_family = AF_INET;
+ addr->v4.sin_port = port;
+ addr->v4.sin_addr.s_addr = param->v4.addr.s_addr;
++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+ }
+
+ /* Initialize an address parameter from a sctp_addr and return the length
+@@ -301,6 +304,7 @@ static void sctp_v4_dst_saddr(union sctp
+ saddr->v4.sin_family = AF_INET;
+ saddr->v4.sin_port = port;
+ saddr->v4.sin_addr.s_addr = fl4->saddr;
++ memset(saddr->v4.sin_zero, 0, sizeof(saddr->v4.sin_zero));
+ }
+
+ /* Compare two addresses exactly. */
+@@ -323,6 +327,7 @@ static void sctp_v4_inaddr_any(union sct
+ addr->v4.sin_family = AF_INET;
+ addr->v4.sin_addr.s_addr = htonl(INADDR_ANY);
+ addr->v4.sin_port = port;
++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+ }
+
+ /* Is this a wildcard address? */
btrfs-abort-transaction-after-failed-inode-updates-i.patch
btrfs-fix-removal-logic-of-the-tree-mod-log-that-lea.patch
alsa-pcm-avoid-possible-info-leaks-from-pcm-stream-buffers.patch
+af_packet-set-defaule-value-for-tmo.patch
+fjes-fix-missed-check-in-fjes_acpi_add.patch
+mod_devicetable-fix-phy-module-format.patch
+net-hisilicon-fix-a-bug-trigered-by-wrong-bytes_compl.patch
+net-nfc-nci-fix-a-possible-sleep-in-atomic-context-bug-in-nci_uart_tty_receive.patch
+net-qlogic-fix-error-paths-in-ql_alloc_large_buffers.patch
+net-usb-lan78xx-fix-suspend-resume-phy-register-access-error.patch
+sctp-fully-initialize-v4-addr-in-some-functions.patch
+net-dst-force-4-byte-alignment-of-dst_metrics.patch