5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 6 Feb 2020 06:55:07 +0000 (06:55 +0000)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 6 Feb 2020 06:55:07 +0000 (06:55 +0000)
added patches:
bnxt_en-fix-logic-that-disables-bus-master-during-firmware-reset.patch
bnxt_en-fix-tc-queue-mapping.patch
bnxt_en-move-devlink_register-before-registering-netdev.patch
cls_rsvp-fix-rsvp_policy.patch
gtp-use-__gfp_nowarn-to-avoid-memalloc-warning.patch
ionic-fix-rxq-comp-packet-type-mask.patch
l2tp-allow-duplicate-session-creation-with-udp.patch
maintainers-correct-entries-for-isdn-misdn-section.patch
net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch
net-stmmac-delete-txtimer-in-suspend.patch
net_sched-fix-an-oob-access-in-cls_tcindex.patch
netdevsim-fix-stack-out-of-bounds-in-nsim_dev_debugfs_init.patch
rxrpc-fix-insufficient-receive-notification-generation.patch
rxrpc-fix-missing-active-use-pinning-of-rxrpc_local-object.patch
rxrpc-fix-null-pointer-deref-due-to-call-conn-being-cleared-on-disconnect.patch
rxrpc-fix-use-after-free-in-rxrpc_put_local.patch
tcp-clear-tp-data_segs-in-out-in-tcp_disconnect.patch
tcp-clear-tp-delivered-in-tcp_disconnect.patch
tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch
tcp-clear-tp-total_retrans-in-tcp_disconnect.patch

21 files changed:
queue-5.4/bnxt_en-fix-logic-that-disables-bus-master-during-firmware-reset.patch [new file with mode: 0644]
queue-5.4/bnxt_en-fix-tc-queue-mapping.patch [new file with mode: 0644]
queue-5.4/bnxt_en-move-devlink_register-before-registering-netdev.patch [new file with mode: 0644]
queue-5.4/cls_rsvp-fix-rsvp_policy.patch [new file with mode: 0644]
queue-5.4/gtp-use-__gfp_nowarn-to-avoid-memalloc-warning.patch [new file with mode: 0644]
queue-5.4/ionic-fix-rxq-comp-packet-type-mask.patch [new file with mode: 0644]
queue-5.4/l2tp-allow-duplicate-session-creation-with-udp.patch [new file with mode: 0644]
queue-5.4/maintainers-correct-entries-for-isdn-misdn-section.patch [new file with mode: 0644]
queue-5.4/net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch [new file with mode: 0644]
queue-5.4/net-stmmac-delete-txtimer-in-suspend.patch [new file with mode: 0644]
queue-5.4/net_sched-fix-an-oob-access-in-cls_tcindex.patch [new file with mode: 0644]
queue-5.4/netdevsim-fix-stack-out-of-bounds-in-nsim_dev_debugfs_init.patch [new file with mode: 0644]
queue-5.4/rxrpc-fix-insufficient-receive-notification-generation.patch [new file with mode: 0644]
queue-5.4/rxrpc-fix-missing-active-use-pinning-of-rxrpc_local-object.patch [new file with mode: 0644]
queue-5.4/rxrpc-fix-null-pointer-deref-due-to-call-conn-being-cleared-on-disconnect.patch [new file with mode: 0644]
queue-5.4/rxrpc-fix-use-after-free-in-rxrpc_put_local.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/tcp-clear-tp-data_segs-in-out-in-tcp_disconnect.patch [new file with mode: 0644]
queue-5.4/tcp-clear-tp-delivered-in-tcp_disconnect.patch [new file with mode: 0644]
queue-5.4/tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch [new file with mode: 0644]
queue-5.4/tcp-clear-tp-total_retrans-in-tcp_disconnect.patch [new file with mode: 0644]

diff --git a/queue-5.4/bnxt_en-fix-logic-that-disables-bus-master-during-firmware-reset.patch b/queue-5.4/bnxt_en-fix-logic-that-disables-bus-master-during-firmware-reset.patch
new file mode 100644 (file)
index 0000000..bdda775
--- /dev/null
@@ -0,0 +1,58 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Date: Sun, 2 Feb 2020 02:41:37 -0500
+Subject: bnxt_en: Fix logic that disables Bus Master during firmware reset.
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+[ Upstream commit d407302895d3f3ca3a333c711744a95e0b1b0150 ]
+
+The current logic that calls pci_disable_device() in __bnxt_close_nic()
+during firmware reset is flawed.  If firmware is still alive, we're
+disabling the device too early, causing some firmware commands to
+not reach the firmware.
+
+Fix it by moving the logic to bnxt_reset_close().  If firmware is
+in fatal condition, we call pci_disable_device() before we free
+any of the rings to prevent DMA corruption of the freed rings.  If
+firmware is still alive, we call pci_disable_device() after the
+last firmware message has been sent.
+
+Fixes: 3bc7d4a352ef ("bnxt_en: Add BNXT_STATE_IN_FW_RESET state.")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -9273,10 +9273,6 @@ static void __bnxt_close_nic(struct bnxt
+       bnxt_debug_dev_exit(bp);
+       bnxt_disable_napi(bp);
+       del_timer_sync(&bp->timer);
+-      if (test_bit(BNXT_STATE_IN_FW_RESET, &bp->state) &&
+-          pci_is_enabled(bp->pdev))
+-              pci_disable_device(bp->pdev);
+-
+       bnxt_free_skbs(bp);
+       /* Save ring stats before shutdown */
+@@ -10052,8 +10048,15 @@ static void bnxt_fw_reset_close(struct b
+ {
+       __bnxt_close_nic(bp, true, false);
+       bnxt_ulp_irq_stop(bp);
++      /* When firmware is fatal state, disable PCI device to prevent
++       * any potential bad DMAs before freeing kernel memory.
++       */
++      if (test_bit(BNXT_STATE_FW_FATAL_COND, &bp->state))
++              pci_disable_device(bp->pdev);
+       bnxt_clear_int_mode(bp);
+       bnxt_hwrm_func_drv_unrgtr(bp);
++      if (pci_is_enabled(bp->pdev))
++              pci_disable_device(bp->pdev);
+       bnxt_free_ctx_mem(bp);
+       kfree(bp->ctx);
+       bp->ctx = NULL;
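Review bot: In bnxt_fw_reset_close() the fatal-condition branch calls `pci_disable_device(bp->pdev)` without the `pci_is_enabled(bp->pdev)` guard that the removed __bnxt_close_nic() code had and that the second call a few lines later still has. If the device can already be disabled when a reset is entered, the guard is needed here too: `if (test_bit(BNXT_STATE_FW_FATAL_COND, &bp->state) && pci_is_enabled(bp->pdev))`. The new comment also says the disable happens before kernel memory is freed, but `__bnxt_close_nic(bp, true, false)` runs first and the other hunk shows it calling `bnxt_free_skbs(bp)`. In the fatal case buffers therefore appear to be released while bus mastering is still on; if so, the check belongs ahead of the `__bnxt_close_nic()` call. Both functions extend beyond the lines shown.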
diff --git a/queue-5.4/bnxt_en-fix-tc-queue-mapping.patch b/queue-5.4/bnxt_en-fix-tc-queue-mapping.patch
new file mode 100644 (file)
index 0000000..92c4023
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sun, 2 Feb 2020 02:41:38 -0500
+Subject: bnxt_en: Fix TC queue mapping.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 18e4960c18f484ac288f41b43d0e6c4c88e6ea78 ]
+
+The driver currently only calls netdev_set_tc_queue when the number of
+TCs is greater than 1.  Instead, the comparison should be greater than
+or equal to 1.  Even with 1 TC, we need to set the queue mapping.
+
+This bug can cause warnings when the number of TCs is changed back to 1.
+
+Fixes: 7809592d3e2e ("bnxt_en: Enable MSIX early in bnxt_init_one().")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -7873,7 +7873,7 @@ static void bnxt_setup_msix(struct bnxt
+       int tcs, i;
+       tcs = netdev_get_num_tc(dev);
+-      if (tcs > 1) {
++      if (tcs) {
+               int i, off, count;
+               for (i = 0; i < tcs; i++) {
diff --git a/queue-5.4/bnxt_en-move-devlink_register-before-registering-netdev.patch b/queue-5.4/bnxt_en-move-devlink_register-before-registering-netdev.patch
new file mode 100644 (file)
index 0000000..ad51927
--- /dev/null
@@ -0,0 +1,76 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Date: Mon, 27 Jan 2020 04:56:22 -0500
+Subject: bnxt_en: Move devlink_register before registering netdev
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+[ Upstream commit cda2cab0771183932d6ba73c5ac63bb63decdadf ]
+
+Latest kernels get the phys_port_name via devlink, if
+ndo_get_phys_port_name is not defined. To provide the phys_port_name
+correctly, register devlink before registering netdev.
+
+Also call devlink_port_type_eth_set() after registering netdev as
+devlink port updates the netdev structure and notifies user.
+
+Cc: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c         |   12 ++++++++----
+ drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c |    1 -
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -11359,9 +11359,9 @@ static void bnxt_remove_one(struct pci_d
+               bnxt_sriov_disable(bp);
+       bnxt_dl_fw_reporters_destroy(bp, true);
+-      bnxt_dl_unregister(bp);
+       pci_disable_pcie_error_reporting(pdev);
+       unregister_netdev(dev);
++      bnxt_dl_unregister(bp);
+       bnxt_shutdown_tc(bp);
+       bnxt_cancel_sp_work(bp);
+       bp->sp_event = 0;
+@@ -11850,11 +11850,14 @@ static int bnxt_init_one(struct pci_dev
+               bnxt_init_tc(bp);
+       }
++      bnxt_dl_register(bp);
++
+       rc = register_netdev(dev);
+       if (rc)
+-              goto init_err_cleanup_tc;
++              goto init_err_cleanup;
+-      bnxt_dl_register(bp);
++      if (BNXT_PF(bp))
++              devlink_port_type_eth_set(&bp->dl_port, bp->dev);
+       bnxt_dl_fw_reporters_create(bp);
+       netdev_info(dev, "%s found at mem %lx, node addr %pM\n",
+@@ -11864,7 +11867,8 @@ static int bnxt_init_one(struct pci_dev
+       return 0;
+-init_err_cleanup_tc:
++init_err_cleanup:
++      bnxt_dl_unregister(bp);
+       bnxt_shutdown_tc(bp);
+       bnxt_clear_int_mode(bp);
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c
+@@ -482,7 +482,6 @@ int bnxt_dl_register(struct bnxt *bp)
+               netdev_err(bp->dev, "devlink_port_register failed");
+               goto err_dl_param_unreg;
+       }
+-      devlink_port_type_eth_set(&bp->dl_port, bp->dev);
+       rc = devlink_port_params_register(&bp->dl_port, bnxt_dl_port_params,
+                                         ARRAY_SIZE(bnxt_dl_port_params));
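Review bot: The return value of `bnxt_dl_register(bp)` is discarded in bnxt_init_one(), although the bnxt_devlink.c hunk shows it is an `int` function with a failing path (`goto err_dl_param_unreg` after `devlink_port_register failed`). After a failed registration the probe still calls `devlink_port_type_eth_set(&bp->dl_port, bp->dev)` for a PF, and the `init_err_cleanup` label calls `bnxt_dl_unregister(bp)` unconditionally. Whether those two tolerate an unregistered port is not visible here. Either check the result (`rc = bnxt_dl_register(bp); if (rc) goto init_err_cleanup_tc;`, keeping the old label for that case) or add a comment stating that devlink failure is deliberately non-fatal and the later calls are safe. bnxt_init_one() and bnxt_remove_one() both continue outside the hunks.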
diff --git a/queue-5.4/cls_rsvp-fix-rsvp_policy.patch b/queue-5.4/cls_rsvp-fix-rsvp_policy.patch
new file mode 100644 (file)
index 0000000..475ed2e
--- /dev/null
@@ -0,0 +1,101 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 31 Jan 2020 15:27:04 -0800
+Subject: cls_rsvp: fix rsvp_policy
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit cb3c0e6bdf64d0d124e94ce43cbe4ccbb9b37f51 ]
+
+NLA_BINARY can be confusing, since .len value represents
+the max size of the blob.
+
+cls_rsvp really wants user space to provide long enough data
+for TCA_RSVP_DST and TCA_RSVP_SRC attributes.
+
+BUG: KMSAN: uninit-value in rsvp_get net/sched/cls_rsvp.h:258 [inline]
+BUG: KMSAN: uninit-value in gen_handle net/sched/cls_rsvp.h:402 [inline]
+BUG: KMSAN: uninit-value in rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
+CPU: 1 PID: 13228 Comm: syz-executor.1 Not tainted 5.5.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ rsvp_get net/sched/cls_rsvp.h:258 [inline]
+ gen_handle net/sched/cls_rsvp.h:402 [inline]
+ rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
+ tc_new_tfilter+0x31fe/0x5010 net/sched/cls_api.c:2104
+ rtnetlink_rcv_msg+0xcb7/0x1570 net/core/rtnetlink.c:5415
+ netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
+ netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
+ netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:639 [inline]
+ sock_sendmsg net/socket.c:659 [inline]
+ ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
+ ___sys_sendmsg net/socket.c:2384 [inline]
+ __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
+ __do_sys_sendmsg net/socket.c:2426 [inline]
+ __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45b349
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f269d43dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f269d43e6d4 RCX: 000000000045b349
+RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
+RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000009c2 R14: 00000000004cb338 R15: 000000000075bfd4
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
+ slab_alloc_node mm/slub.c:2774 [inline]
+ __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382
+ __kmalloc_reserve net/core/skbuff.c:141 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
+ alloc_skb include/linux/skbuff.h:1049 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
+ netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892
+ sock_sendmsg_nosec net/socket.c:639 [inline]
+ sock_sendmsg net/socket.c:659 [inline]
+ ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
+ ___sys_sendmsg net/socket.c:2384 [inline]
+ __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
+ __do_sys_sendmsg net/socket.c:2426 [inline]
+ __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 6fa8c0144b77 ("[NET_SCHED]: Use nla_policy for attribute validation in classifiers")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_rsvp.h |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/sched/cls_rsvp.h
++++ b/net/sched/cls_rsvp.h
+@@ -463,10 +463,8 @@ static u32 gen_tunnel(struct rsvp_head *
+ static const struct nla_policy rsvp_policy[TCA_RSVP_MAX + 1] = {
+       [TCA_RSVP_CLASSID]      = { .type = NLA_U32 },
+-      [TCA_RSVP_DST]          = { .type = NLA_BINARY,
+-                                  .len = RSVP_DST_LEN * sizeof(u32) },
+-      [TCA_RSVP_SRC]          = { .type = NLA_BINARY,
+-                                  .len = RSVP_DST_LEN * sizeof(u32) },
++      [TCA_RSVP_DST]          = { .len = RSVP_DST_LEN * sizeof(u32) },
++      [TCA_RSVP_SRC]          = { .len = RSVP_DST_LEN * sizeof(u32) },
+       [TCA_RSVP_PINFO]        = { .len = sizeof(struct tc_rsvp_pinfo) },
+ };
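Review bot: The `TCA_RSVP_DST` and `TCA_RSVP_SRC` entries now depend on the implicit unspecified attribute type, where `.len` is a minimum payload length rather than a maximum, and nothing in the table says so. Since the commit message itself calls the NLA_BINARY meaning of `.len` confusing, I would add a comment above the two entries: `/* no .type on purpose: .len is then the minimum length, so short user blobs are rejected */`. Payloads longer than `RSVP_DST_LEN * sizeof(u32)` are still accepted by this policy, so it is worth confirming that the readers in rsvp_change() only consume the fixed size. That function is outside the hunk.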
diff --git a/queue-5.4/gtp-use-__gfp_nowarn-to-avoid-memalloc-warning.patch b/queue-5.4/gtp-use-__gfp_nowarn-to-avoid-memalloc-warning.patch
new file mode 100644 (file)
index 0000000..9e15e6c
--- /dev/null
@@ -0,0 +1,67 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Tue, 4 Feb 2020 03:24:59 +0000
+Subject: gtp: use __GFP_NOWARN to avoid memalloc warning
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit bd5cd35b782abf5437fbd01dfaee12437d20e832 ]
+
+gtp hashtable size is received by user-space.
+So, this hashtable size could be too large. If so, kmalloc will internally
+print a warning message.
+This warning message is actually not necessary for the gtp module.
+So, this patch adds __GFP_NOWARN to avoid this message.
+
+Splat looks like:
+[ 2171.200049][ T1860] WARNING: CPU: 1 PID: 1860 at mm/page_alloc.c:4713 __alloc_pages_nodemask+0x2f3/0x740
+[ 2171.238885][ T1860] Modules linked in: gtp veth openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv]
+[ 2171.262680][ T1860] CPU: 1 PID: 1860 Comm: gtp-link Not tainted 5.5.0+ #321
+[ 2171.263567][ T1860] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[ 2171.264681][ T1860] RIP: 0010:__alloc_pages_nodemask+0x2f3/0x740
+[ 2171.265332][ T1860] Code: 64 fe ff ff 65 48 8b 04 25 c0 0f 02 00 48 05 f0 12 00 00 41 be 01 00 00 00 49 89 47 0
+[ 2171.267301][ T1860] RSP: 0018:ffff8880b51af1f0 EFLAGS: 00010246
+[ 2171.268320][ T1860] RAX: ffffed1016a35e43 RBX: 0000000000000000 RCX: 0000000000000000
+[ 2171.269517][ T1860] RDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000000000
+[ 2171.270305][ T1860] RBP: 0000000000040cc0 R08: ffffed1018893109 R09: dffffc0000000000
+[ 2171.275973][ T1860] R10: 0000000000000001 R11: ffffed1018893108 R12: 1ffff11016a35e43
+[ 2171.291039][ T1860] R13: 000000000000000b R14: 000000000000000b R15: 00000000000f4240
+[ 2171.292328][ T1860] FS:  00007f53cbc83740(0000) GS:ffff8880da000000(0000) knlGS:0000000000000000
+[ 2171.293409][ T1860] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 2171.294586][ T1860] CR2: 000055f540014508 CR3: 00000000b49f2004 CR4: 00000000000606e0
+[ 2171.295424][ T1860] Call Trace:
+[ 2171.295756][ T1860]  ? mark_held_locks+0xa5/0xe0
+[ 2171.296659][ T1860]  ? __alloc_pages_slowpath+0x21b0/0x21b0
+[ 2171.298283][ T1860]  ? gtp_encap_enable_socket+0x13e/0x400 [gtp]
+[ 2171.298962][ T1860]  ? alloc_pages_current+0xc1/0x1a0
+[ 2171.299475][ T1860]  kmalloc_order+0x22/0x80
+[ 2171.299936][ T1860]  kmalloc_order_trace+0x1d/0x140
+[ 2171.300437][ T1860]  __kmalloc+0x302/0x3a0
+[ 2171.300896][ T1860]  gtp_newlink+0x293/0xba0 [gtp]
+[ ... ]
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/gtp.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -767,12 +767,12 @@ static int gtp_hashtable_new(struct gtp_
+       int i;
+       gtp->addr_hash = kmalloc_array(hsize, sizeof(struct hlist_head),
+-                                     GFP_KERNEL);
++                                     GFP_KERNEL | __GFP_NOWARN);
+       if (gtp->addr_hash == NULL)
+               return -ENOMEM;
+       gtp->tid_hash = kmalloc_array(hsize, sizeof(struct hlist_head),
+-                                    GFP_KERNEL);
++                                    GFP_KERNEL | __GFP_NOWARN);
+       if (gtp->tid_hash == NULL)
+               goto err1;
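Review bot: Adding `__GFP_NOWARN` to the two `kmalloc_array()` calls in gtp_hashtable_new() hides the allocator splat but leaves `hsize`, which the commit message says comes from user space, without any visible upper bound. A caller with the required privilege can therefore still request two arbitrarily large physically contiguous allocations and only gets `-ENOMEM` back. I would either reject oversized values where the netlink attribute is read or document the accepted range with a comment here, for example `/* hsize is user-controlled; oversized requests fail quietly with -ENOMEM */`. The attribute parsing and the rest of gtp_hashtable_new() are outside the hunk.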
diff --git a/queue-5.4/ionic-fix-rxq-comp-packet-type-mask.patch b/queue-5.4/ionic-fix-rxq-comp-packet-type-mask.patch
new file mode 100644 (file)
index 0000000..7cf6f9a
--- /dev/null
@@ -0,0 +1,30 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Shannon Nelson <snelson@pensando.io>
+Date: Thu, 30 Jan 2020 10:07:06 -0800
+Subject: ionic: fix rxq comp packet type mask
+
+From: Shannon Nelson <snelson@pensando.io>
+
+[ Upstream commit b5ce31b5e11b768b7d685b2bab7db09ad5549493 ]
+
+Be sure to include all the packet type bits in the mask.
+
+Fixes: fbfb8031533c ("ionic: Add hardware init and device commands")
+Signed-off-by: Shannon Nelson <snelson@pensando.io>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_if.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/pensando/ionic/ionic_if.h
++++ b/drivers/net/ethernet/pensando/ionic/ionic_if.h
+@@ -862,7 +862,7 @@ struct ionic_rxq_comp {
+ #define IONIC_RXQ_COMP_CSUM_F_VLAN    0x40
+ #define IONIC_RXQ_COMP_CSUM_F_CALC    0x80
+       u8     pkt_type_color;
+-#define IONIC_RXQ_COMP_PKT_TYPE_MASK  0x0f
++#define IONIC_RXQ_COMP_PKT_TYPE_MASK  0x7f
+ };
+ enum ionic_pkt_type {
diff --git a/queue-5.4/l2tp-allow-duplicate-session-creation-with-udp.patch b/queue-5.4/l2tp-allow-duplicate-session-creation-with-udp.patch
new file mode 100644 (file)
index 0000000..b8c01d0
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Ridge Kennedy <ridge.kennedy@alliedtelesis.co.nz>
+Date: Tue, 4 Feb 2020 12:24:00 +1300
+Subject: l2tp: Allow duplicate session creation with UDP
+
+From: Ridge Kennedy <ridge.kennedy@alliedtelesis.co.nz>
+
+[ Upstream commit 0d0d9a388a858e271bb70e71e99e7fe2a6fd6f64 ]
+
+In the past it was possible to create multiple L2TPv3 sessions with the
+same session id as long as the sessions belonged to different tunnels.
+The resulting sessions had issues when used with IP encapsulated tunnels,
+but worked fine with UDP encapsulated ones. Some applications began to
+rely on this behaviour to avoid having to negotiate unique session ids.
+
+Some time ago a change was made to require session ids to be unique across
+all tunnels, breaking the applications making use of this "feature".
+
+This change relaxes the duplicate session id check to allow duplicates
+if both of the colliding sessions belong to UDP encapsulated tunnels.
+
+Fixes: dbdbc73b4478 ("l2tp: fix duplicate session creation")
+Signed-off-by: Ridge Kennedy <ridge.kennedy@alliedtelesis.co.nz>
+Acked-by: James Chapman <jchapman@katalix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_core.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -322,8 +322,13 @@ int l2tp_session_register(struct l2tp_se
+               spin_lock_bh(&pn->l2tp_session_hlist_lock);
++              /* IP encap expects session IDs to be globally unique, while
++               * UDP encap doesn't.
++               */
+               hlist_for_each_entry(session_walk, g_head, global_hlist)
+-                      if (session_walk->session_id == session->session_id) {
++                      if (session_walk->session_id == session->session_id &&
++                          (session_walk->tunnel->encap == L2TP_ENCAPTYPE_IP ||
++                           tunnel->encap == L2TP_ENCAPTYPE_IP)) {
+                               err = -EEXIST;
+                               goto err_tlock_pnlock;
+                       }
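Review bot: After this relaxation the per-net global session list walked here can hold several sessions with the same `session_id`, as long as all of them sit on UDP tunnels. The new comment does not tell readers that lookups keyed on the id alone are no longer unique. I would extend it with a sentence such as `Duplicates between UDP tunnels are allowed, so global lookups by session_id may match more than one entry.` The lookup paths are outside this hunk, so they should be checked to confirm they always scope UDP sessions by tunnel. The condition also dereferences `session_walk->tunnel` for every entry under `l2tp_session_hlist_lock`. That pointer is presumably always valid for a listed session, but the hunk does not show it.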
diff --git a/queue-5.4/maintainers-correct-entries-for-isdn-misdn-section.patch b/queue-5.4/maintainers-correct-entries-for-isdn-misdn-section.patch
new file mode 100644 (file)
index 0000000..be38fb5
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Date: Sat, 1 Feb 2020 13:43:01 +0100
+Subject: MAINTAINERS: correct entries for ISDN/mISDN section
+
+From: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+
+[ Upstream commit dff6bc1bfd462b76dc13ec19dedc2c134a62ac59 ]
+
+Commit 6d97985072dc ("isdn: move capi drivers to staging") cleaned up the
+isdn drivers and split the MAINTAINERS section for ISDN, but missed to add
+the terminal slash for the two directories mISDN and hardware. Hence, all
+files in those directories were not part of the new ISDN/mISDN SUBSYSTEM,
+but were considered to be part of "THE REST".
+
+Rectify the situation, and while at it, also complete the section with two
+further build files that belong to that subsystem.
+
+This was identified with a small script that finds all files belonging to
+"THE REST" according to the current MAINTAINERS file, and I investigated
+upon its output.
+
+Fixes: 6d97985072dc ("isdn: move capi drivers to staging")
+Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ MAINTAINERS |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -8704,8 +8704,10 @@ L:      isdn4linux@listserv.isdn4linux.de (su
+ L:    netdev@vger.kernel.org
+ W:    http://www.isdn4linux.de
+ S:    Maintained
+-F:    drivers/isdn/mISDN
+-F:    drivers/isdn/hardware
++F:    drivers/isdn/mISDN/
++F:    drivers/isdn/hardware/
++F:    drivers/isdn/Kconfig
++F:    drivers/isdn/Makefile
+ ISDN/CAPI SUBSYSTEM
+ M:    Karsten Keil <isdn@linux-pingi.de>
diff --git a/queue-5.4/net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch b/queue-5.4/net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch
new file mode 100644 (file)
index 0000000..a6c3cad
--- /dev/null
@@ -0,0 +1,62 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 3 Feb 2020 10:15:07 -0800
+Subject: net: hsr: fix possible NULL deref in hsr_handle_frame()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2b5b8251bc9fe2f9118411f037862ee17cf81e97 ]
+
+hsr_port_get_rcu() can return NULL, so we need to be careful.
+
+general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+CPU: 1 PID: 10249 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
+RIP: 0010:hsr_addr_is_self+0x86/0x330 net/hsr/hsr_framereg.c:44
+Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 6b ff 94 f9 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 02 00 00 48 8b 43 30 49 39 c6 49 89 47 c0 0f
+RSP: 0018:ffffc90000da8a90 EFLAGS: 00010206
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87e0cc33
+RDX: 0000000000000006 RSI: ffffffff87e035d5 RDI: 0000000000000000
+RBP: ffffc90000da8b20 R08: ffff88808e7de040 R09: ffffed1015d2707c
+R10: ffffed1015d2707b R11: ffff8880ae9383db R12: ffff8880a689bc5e
+R13: 1ffff920001b5153 R14: 0000000000000030 R15: ffffc90000da8af8
+FS:  00007fd7a42be700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b32338000 CR3: 00000000a928c000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <IRQ>
+ hsr_handle_frame+0x1c5/0x630 net/hsr/hsr_slave.c:31
+ __netif_receive_skb_core+0xfbc/0x30b0 net/core/dev.c:5099
+ __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:5196
+ __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5312
+ process_backlog+0x206/0x750 net/core/dev.c:6144
+ napi_poll net/core/dev.c:6582 [inline]
+ net_rx_action+0x508/0x1120 net/core/dev.c:6650
+ __do_softirq+0x262/0x98c kernel/softirq.c:292
+ do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
+ </IRQ>
+
+Fixes: c5a759117210 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/hsr/hsr_slave.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/hsr/hsr_slave.c
++++ b/net/hsr/hsr_slave.c
+@@ -27,6 +27,8 @@ static rx_handler_result_t hsr_handle_fr
+       rcu_read_lock(); /* hsr->node_db, hsr->ports */
+       port = hsr_port_get_rcu(skb->dev);
++      if (!port)
++              goto finish_pass;
+       if (hsr_addr_is_self(port->hsr, eth_hdr(skb)->h_source)) {
+               /* Directly kill frames sent by ourselves */
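Review bot: The new `if (!port) goto finish_pass;` in hsr_handle_frame() sits after `rcu_read_lock()`, so it is only correct if the `finish_pass` label drops the RCU read lock before returning. That label is outside the hunk and should be confirmed. The check also has no comment saying when `hsr_port_get_rcu(skb->dev)` can return NULL on a device that still has this rx handler attached. A one-line comment such as `/* port may already be gone (presumably racing with port removal); let the stack handle the frame */` would keep the guard from being removed later as dead code.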
diff --git a/queue-5.4/net-stmmac-delete-txtimer-in-suspend.patch b/queue-5.4/net-stmmac-delete-txtimer-in-suspend.patch
new file mode 100644 (file)
index 0000000..ee65ca2
--- /dev/null
@@ -0,0 +1,72 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Nicolin Chen <nicoleotsuka@gmail.com>
+Date: Fri, 31 Jan 2020 18:01:24 -0800
+Subject: net: stmmac: Delete txtimer in suspend()
+
+From: Nicolin Chen <nicoleotsuka@gmail.com>
+
+[ Upstream commit 14b41a2959fbaa50932699d32ceefd6643abacc6 ]
+
+When running v5.5 with a rootfs on NFS, memory abort may happen in
+the system resume stage:
+ Unable to handle kernel paging request at virtual address dead00000000012a
+ [dead00000000012a] address between user and kernel address ranges
+ pc : run_timer_softirq+0x334/0x3d8
+ lr : run_timer_softirq+0x244/0x3d8
+ x1 : ffff800011cafe80 x0 : dead000000000122
+ Call trace:
+  run_timer_softirq+0x334/0x3d8
+  efi_header_end+0x114/0x234
+  irq_exit+0xd0/0xd8
+  __handle_domain_irq+0x60/0xb0
+  gic_handle_irq+0x58/0xa8
+  el1_irq+0xb8/0x180
+  arch_cpu_idle+0x10/0x18
+  do_idle+0x1d8/0x2b0
+  cpu_startup_entry+0x24/0x40
+  secondary_start_kernel+0x1b4/0x208
+ Code: f9000693 a9400660 f9000020 b4000040 (f9000401)
+ ---[ end trace bb83ceeb4c482071 ]---
+ Kernel panic - not syncing: Fatal exception in interrupt
+ SMP: stopping secondary CPUs
+ SMP: failed to stop secondary CPUs 2-3
+ Kernel Offset: disabled
+ CPU features: 0x00002,2300aa30
+ Memory Limit: none
+ ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
+
+It's found that stmmac_xmit() and stmmac_resume() sometimes might
+run concurrently, possibly resulting in a race condition between
+mod_timer() and setup_timer(), being called by stmmac_xmit() and
+stmmac_resume() respectively.
+
+Since the resume() runs setup_timer() every time, it'd be safer to
+have del_timer_sync() in the suspend() as the counterpart.
+
+Signed-off-by: Nicolin Chen <nicoleotsuka@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -4763,6 +4763,7 @@ int stmmac_suspend(struct device *dev)
+ {
+       struct net_device *ndev = dev_get_drvdata(dev);
+       struct stmmac_priv *priv = netdev_priv(ndev);
++      u32 chan;
+       if (!ndev || !netif_running(ndev))
+               return 0;
+@@ -4776,6 +4777,9 @@ int stmmac_suspend(struct device *dev)
+       stmmac_disable_all_queues(priv);
++      for (chan = 0; chan < priv->plat->tx_queues_to_use; chan++)
++              del_timer_sync(&priv->tx_queue[chan].txtimer);
++
+       /* Stop TX/RX DMA */
+       stmmac_stop_all_dma(priv);
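Review bot: The `del_timer_sync(&priv->tx_queue[chan].txtimer)` loop in stmmac_suspend() only closes the race described in the commit message if no stmmac_xmit() can call mod_timer() after the loop has run. The visible lines show only `stmmac_disable_all_queues(priv)` before it. Whether the TX queues are already stopped and the device detached at that point is decided by lines outside the hunk. That precondition should be confirmed and stated in a comment, for example `/* TX is quiesced above, so nothing can re-arm txtimer after this */`. The loop bound `priv->plat->tx_queues_to_use` is assumed to match the set of queues whose timers the resume path sets up again.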
diff --git a/queue-5.4/net_sched-fix-an-oob-access-in-cls_tcindex.patch b/queue-5.4/net_sched-fix-an-oob-access-in-cls_tcindex.patch
new file mode 100644 (file)
index 0000000..39b8ac5
--- /dev/null
@@ -0,0 +1,100 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sun, 2 Feb 2020 21:14:35 -0800
+Subject: net_sched: fix an OOB access in cls_tcindex
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 599be01ee567b61f4471ee8078870847d0a11e8e ]
+
+As Eric noticed, tcindex_alloc_perfect_hash() uses cp->hash
+to compute the size of memory allocation, but cp->hash is
+set again after the allocation, this caused an out-of-bound
+access.
+
+So we have to move all cp->hash initialization and computation
+before the memory allocation. Move cp->mask and cp->shift together
+as cp->hash may need them for computation too.
+
+Reported-and-tested-by: syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com
+Fixes: 331b72922c5f ("net: sched: RCU cls_tcindex")
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_tcindex.c |   40 ++++++++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+--- a/net/sched/cls_tcindex.c
++++ b/net/sched/cls_tcindex.c
+@@ -333,12 +333,31 @@ tcindex_set_parms(struct net *net, struc
+       cp->fall_through = p->fall_through;
+       cp->tp = tp;
++      if (tb[TCA_TCINDEX_HASH])
++              cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]);
++
++      if (tb[TCA_TCINDEX_MASK])
++              cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]);
++
++      if (tb[TCA_TCINDEX_SHIFT])
++              cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]);
++
++      if (!cp->hash) {
++              /* Hash not specified, use perfect hash if the upper limit
++               * of the hashing index is below the threshold.
++               */
++              if ((cp->mask >> cp->shift) < PERFECT_HASH_THRESHOLD)
++                      cp->hash = (cp->mask >> cp->shift) + 1;
++              else
++                      cp->hash = DEFAULT_HASH_SIZE;
++      }
++
+       if (p->perfect) {
+               int i;
+               if (tcindex_alloc_perfect_hash(net, cp) < 0)
+                       goto errout;
+-              for (i = 0; i < cp->hash; i++)
++              for (i = 0; i < min(cp->hash, p->hash); i++)
+                       cp->perfect[i].res = p->perfect[i].res;
+               balloc = 1;
+       }
+@@ -350,15 +369,6 @@ tcindex_set_parms(struct net *net, struc
+       if (old_r)
+               cr = r->res;
+-      if (tb[TCA_TCINDEX_HASH])
+-              cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]);
+-
+-      if (tb[TCA_TCINDEX_MASK])
+-              cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]);
+-
+-      if (tb[TCA_TCINDEX_SHIFT])
+-              cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]);
+-
+       err = -EBUSY;
+       /* Hash already allocated, make sure that we still meet the
+@@ -376,16 +386,6 @@ tcindex_set_parms(struct net *net, struc
+       if (tb[TCA_TCINDEX_FALL_THROUGH])
+               cp->fall_through = nla_get_u32(tb[TCA_TCINDEX_FALL_THROUGH]);
+-      if (!cp->hash) {
+-              /* Hash not specified, use perfect hash if the upper limit
+-               * of the hashing index is below the threshold.
+-               */
+-              if ((cp->mask >> cp->shift) < PERFECT_HASH_THRESHOLD)
+-                      cp->hash = (cp->mask >> cp->shift) + 1;
+-              else
+-                      cp->hash = DEFAULT_HASH_SIZE;
+-      }
+-
+       if (!cp->perfect && !cp->h)
+               cp->alloc_hash = cp->hash;
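Review bot: In the tcindex_set_parms() hunk, `cp->shift` is read with `nla_get_u32(tb[TCA_TCINDEX_SHIFT])` and then used in `cp->mask >> cp->shift` with no range check in the moved block. The mask is a `u16` promoted to `int`, so a shift of 32 or more is undefined behaviour, and the result now decides `cp->hash` before the perfect-hash allocation. Unless the netlink policy already bounds the attribute (not visible here), I would reject oversized values right after reading it, e.g. `if (cp->shift > 16) { err = -EINVAL; goto errout; }`. The function starts and ends outside the hunks shown.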
diff --git a/queue-5.4/netdevsim-fix-stack-out-of-bounds-in-nsim_dev_debugfs_init.patch b/queue-5.4/netdevsim-fix-stack-out-of-bounds-in-nsim_dev_debugfs_init.patch
new file mode 100644 (file)
index 0000000..eb41989
--- /dev/null
@@ -0,0 +1,65 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Sat, 1 Feb 2020 16:43:22 +0000
+Subject: netdevsim: fix stack-out-of-bounds in nsim_dev_debugfs_init()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 6fb8852b1298200da39bd85788bc5755d1d56f32 ]
+
+When netdevsim dev is being created, a debugfs directory is created.
+The variable "dev_ddir_name" is 16bytes device name pointer and device
+name is "netdevsim<dev id>".
+The maximum dev id length is 10.
+So, 16bytes for device name isn't enough.
+
+Test commands:
+    modprobe netdevsim
+    echo "1000000000 0" > /sys/bus/netdevsim/new_device
+
+Splat looks like:
+[  249.622710][  T900] BUG: KASAN: stack-out-of-bounds in number+0x824/0x880
+[  249.623658][  T900] Write of size 1 at addr ffff88804c527988 by task bash/900
+[  249.624521][  T900]
+[  249.624830][  T900] CPU: 1 PID: 900 Comm: bash Not tainted 5.5.0+ #322
+[  249.625691][  T900] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[  249.626712][  T900] Call Trace:
+[  249.627103][  T900]  dump_stack+0x96/0xdb
+[  249.627639][  T900]  ? number+0x824/0x880
+[  249.628173][  T900]  print_address_description.constprop.5+0x1be/0x360
+[  249.629022][  T900]  ? number+0x824/0x880
+[  249.629569][  T900]  ? number+0x824/0x880
+[  249.630105][  T900]  __kasan_report+0x12a/0x170
+[  249.630717][  T900]  ? number+0x824/0x880
+[  249.631201][  T900]  kasan_report+0xe/0x20
+[  249.631723][  T900]  number+0x824/0x880
+[  249.632235][  T900]  ? put_dec+0xa0/0xa0
+[  249.632716][  T900]  ? rcu_read_lock_sched_held+0x90/0xc0
+[  249.633392][  T900]  vsnprintf+0x63c/0x10b0
+[  249.633983][  T900]  ? pointer+0x5b0/0x5b0
+[  249.634543][  T900]  ? mark_lock+0x11d/0xc40
+[  249.635200][  T900]  sprintf+0x9b/0xd0
+[  249.635750][  T900]  ? scnprintf+0xe0/0xe0
+[  249.636370][  T900]  nsim_dev_probe+0x63c/0xbf0 [netdevsim]
+[ ... ]
+
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Fixes: ab1d0cc004d7 ("netdevsim: change debugfs tree topology")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/netdevsim/dev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/netdevsim/dev.c
++++ b/drivers/net/netdevsim/dev.c
+@@ -73,7 +73,7 @@ static const struct file_operations nsim
+ static int nsim_dev_debugfs_init(struct nsim_dev *nsim_dev)
+ {
+-      char dev_ddir_name[16];
++      char dev_ddir_name[sizeof(DRV_NAME) + 10];
+       sprintf(dev_ddir_name, DRV_NAME "%u", nsim_dev->nsim_bus_dev->dev.id);
+       nsim_dev->ddir = debugfs_create_dir(dev_ddir_name, nsim_dev_ddir);
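Review bot: The `sprintf()` into `dev_ddir_name` in nsim_dev_debugfs_init() is still unbounded after the resize. The new size fits a `%u` of up to 10 digits plus the NUL counted by `sizeof(DRV_NAME)`, which matches the description, but it only stays in bounds while the format and the array size are kept in step by hand. `snprintf(dev_ddir_name, sizeof(dev_ddir_name), DRV_NAME "%u", nsim_dev->nsim_bus_dev->dev.id);` would make the bound explicit at the write. The function body continues past the end of the hunk.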
diff --git a/queue-5.4/rxrpc-fix-insufficient-receive-notification-generation.patch b/queue-5.4/rxrpc-fix-insufficient-receive-notification-generation.patch
new file mode 100644 (file)
index 0000000..9eb8cfa
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 30 Jan 2020 21:50:36 +0000
+Subject: rxrpc: Fix insufficient receive notification generation
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit f71dbf2fb28489a79bde0dca1c8adfb9cdb20a6b ]
+
+In rxrpc_input_data(), rxrpc_notify_socket() is called if the base sequence
+number of the packet is immediately following the hard-ack point at the end
+of the function.  However, this isn't sufficient, since the recvmsg side
+may have been advancing the window and then overrun the position in which
+we're adding - at which point rx_hard_ack >= seq0 and no notification is
+generated.
+
+Fix this by always generating a notification at the end of the input
+function.
+
+Without this, a long call may stall, possibly indefinitely.
+
+Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/input.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -599,10 +599,8 @@ ack:
+                                 false, true,
+                                 rxrpc_propose_ack_input_data);
+-      if (seq0 == READ_ONCE(call->rx_hard_ack) + 1) {
+-              trace_rxrpc_notify_socket(call->debug_id, serial);
+-              rxrpc_notify_socket(call);
+-      }
++      trace_rxrpc_notify_socket(call->debug_id, serial);
++      rxrpc_notify_socket(call);
+ unlock:
+       spin_unlock(&call->input_lock);
diff --git a/queue-5.4/rxrpc-fix-missing-active-use-pinning-of-rxrpc_local-object.patch b/queue-5.4/rxrpc-fix-missing-active-use-pinning-of-rxrpc_local-object.patch
new file mode 100644 (file)
index 0000000..00f8aa2
--- /dev/null
@@ -0,0 +1,251 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 30 Jan 2020 21:50:36 +0000
+Subject: rxrpc: Fix missing active use pinning of rxrpc_local object
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 04d36d748fac349b068ef621611f454010054c58 ]
+
+The introduction of a split between the reference count on rxrpc_local
+objects and the usage count didn't quite go far enough.  A number of kernel
+work items need to make use of the socket to perform transmission.  These
+also need to get an active count on the local object to prevent the socket
+from being closed.
+
+Fix this by getting the active count in those places.
+
+Also split out the raw active count get/put functions as these places tend
+to hold refs on the rxrpc_local object already, so getting and putting an
+extra object ref is just a waste of time.
+
+The problem can lead to symptoms like:
+
+    BUG: kernel NULL pointer dereference, address: 0000000000000018
+    ..
+    CPU: 2 PID: 818 Comm: kworker/u9:0 Not tainted 5.5.0-fscache+ #51
+    ...
+    RIP: 0010:selinux_socket_sendmsg+0x5/0x13
+    ...
+    Call Trace:
+     security_socket_sendmsg+0x2c/0x3e
+     sock_sendmsg+0x1a/0x46
+     rxrpc_send_keepalive+0x131/0x1ae
+     rxrpc_peer_keepalive_worker+0x219/0x34b
+     process_one_work+0x18e/0x271
+     worker_thread+0x1a3/0x247
+     kthread+0xe6/0xeb
+     ret_from_fork+0x1f/0x30
+
+Fixes: 730c5fd42c1e ("rxrpc: Fix local endpoint refcounting")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/af_rxrpc.c     |    2 ++
+ net/rxrpc/ar-internal.h  |   10 ++++++++++
+ net/rxrpc/conn_event.c   |   30 ++++++++++++++++++++----------
+ net/rxrpc/local_object.c |   18 +++++++-----------
+ net/rxrpc/peer_event.c   |   40 ++++++++++++++++++++++------------------
+ 5 files changed, 61 insertions(+), 39 deletions(-)
+
+--- a/net/rxrpc/af_rxrpc.c
++++ b/net/rxrpc/af_rxrpc.c
+@@ -194,6 +194,7 @@ static int rxrpc_bind(struct socket *soc
+ service_in_use:
+       write_unlock(&local->services_lock);
+       rxrpc_unuse_local(local);
++      rxrpc_put_local(local);
+       ret = -EADDRINUSE;
+ error_unlock:
+       release_sock(&rx->sk);
+@@ -899,6 +900,7 @@ static int rxrpc_release_sock(struct soc
+       rxrpc_purge_queue(&sk->sk_receive_queue);
+       rxrpc_unuse_local(rx->local);
++      rxrpc_put_local(rx->local);
+       rx->local = NULL;
+       key_put(rx->key);
+       rx->key = NULL;
+--- a/net/rxrpc/ar-internal.h
++++ b/net/rxrpc/ar-internal.h
+@@ -1021,6 +1021,16 @@ void rxrpc_unuse_local(struct rxrpc_loca
+ void rxrpc_queue_local(struct rxrpc_local *);
+ void rxrpc_destroy_all_locals(struct rxrpc_net *);
++static inline bool __rxrpc_unuse_local(struct rxrpc_local *local)
++{
++      return atomic_dec_return(&local->active_users) == 0;
++}
++
++static inline bool __rxrpc_use_local(struct rxrpc_local *local)
++{
++      return atomic_fetch_add_unless(&local->active_users, 1, 0) != 0;
++}
++
+ /*
+  * misc.c
+  */
+--- a/net/rxrpc/conn_event.c
++++ b/net/rxrpc/conn_event.c
+@@ -438,16 +438,12 @@ again:
+ /*
+  * connection-level event processor
+  */
+-void rxrpc_process_connection(struct work_struct *work)
++static void rxrpc_do_process_connection(struct rxrpc_connection *conn)
+ {
+-      struct rxrpc_connection *conn =
+-              container_of(work, struct rxrpc_connection, processor);
+       struct sk_buff *skb;
+       u32 abort_code = RX_PROTOCOL_ERROR;
+       int ret;
+-      rxrpc_see_connection(conn);
+-
+       if (test_and_clear_bit(RXRPC_CONN_EV_CHALLENGE, &conn->events))
+               rxrpc_secure_connection(conn);
+@@ -475,18 +471,32 @@ void rxrpc_process_connection(struct wor
+               }
+       }
+-out:
+-      rxrpc_put_connection(conn);
+-      _leave("");
+       return;
+ requeue_and_leave:
+       skb_queue_head(&conn->rx_queue, skb);
+-      goto out;
++      return;
+ protocol_error:
+       if (rxrpc_abort_connection(conn, ret, abort_code) < 0)
+               goto requeue_and_leave;
+       rxrpc_free_skb(skb, rxrpc_skb_freed);
+-      goto out;
++      return;
++}
++
++void rxrpc_process_connection(struct work_struct *work)
++{
++      struct rxrpc_connection *conn =
++              container_of(work, struct rxrpc_connection, processor);
++
++      rxrpc_see_connection(conn);
++
++      if (__rxrpc_use_local(conn->params.local)) {
++              rxrpc_do_process_connection(conn);
++              rxrpc_unuse_local(conn->params.local);
++      }
++
++      rxrpc_put_connection(conn);
++      _leave("");
++      return;
+ }
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -383,14 +383,11 @@ void rxrpc_put_local(struct rxrpc_local
+  */
+ struct rxrpc_local *rxrpc_use_local(struct rxrpc_local *local)
+ {
+-      unsigned int au;
+-
+       local = rxrpc_get_local_maybe(local);
+       if (!local)
+               return NULL;
+-      au = atomic_fetch_add_unless(&local->active_users, 1, 0);
+-      if (au == 0) {
++      if (!__rxrpc_use_local(local)) {
+               rxrpc_put_local(local);
+               return NULL;
+       }
+@@ -404,14 +401,11 @@ struct rxrpc_local *rxrpc_use_local(stru
+  */
+ void rxrpc_unuse_local(struct rxrpc_local *local)
+ {
+-      unsigned int au;
+-
+       if (local) {
+-              au = atomic_dec_return(&local->active_users);
+-              if (au == 0)
++              if (__rxrpc_unuse_local(local)) {
++                      rxrpc_get_local(local);
+                       rxrpc_queue_local(local);
+-              else
+-                      rxrpc_put_local(local);
++              }
+       }
+ }
+@@ -468,7 +462,7 @@ static void rxrpc_local_processor(struct
+       do {
+               again = false;
+-              if (atomic_read(&local->active_users) == 0) {
++              if (!__rxrpc_use_local(local)) {
+                       rxrpc_local_destroyer(local);
+                       break;
+               }
+@@ -482,6 +476,8 @@ static void rxrpc_local_processor(struct
+                       rxrpc_process_local_events(local);
+                       again = true;
+               }
++
++              __rxrpc_unuse_local(local);
+       } while (again);
+       rxrpc_put_local(local);
+--- a/net/rxrpc/peer_event.c
++++ b/net/rxrpc/peer_event.c
+@@ -364,27 +364,31 @@ static void rxrpc_peer_keepalive_dispatc
+               if (!rxrpc_get_peer_maybe(peer))
+                       continue;
+-              spin_unlock_bh(&rxnet->peer_hash_lock);
++              if (__rxrpc_use_local(peer->local)) {
++                      spin_unlock_bh(&rxnet->peer_hash_lock);
+-              keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME;
+-              slot = keepalive_at - base;
+-              _debug("%02x peer %u t=%d {%pISp}",
+-                     cursor, peer->debug_id, slot, &peer->srx.transport);
++                      keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME;
++                      slot = keepalive_at - base;
++                      _debug("%02x peer %u t=%d {%pISp}",
++                             cursor, peer->debug_id, slot, &peer->srx.transport);
+-              if (keepalive_at <= base ||
+-                  keepalive_at > base + RXRPC_KEEPALIVE_TIME) {
+-                      rxrpc_send_keepalive(peer);
+-                      slot = RXRPC_KEEPALIVE_TIME;
+-              }
++                      if (keepalive_at <= base ||
++                          keepalive_at > base + RXRPC_KEEPALIVE_TIME) {
++                              rxrpc_send_keepalive(peer);
++                              slot = RXRPC_KEEPALIVE_TIME;
++                      }
+-              /* A transmission to this peer occurred since last we examined
+-               * it so put it into the appropriate future bucket.
+-               */
+-              slot += cursor;
+-              slot &= mask;
+-              spin_lock_bh(&rxnet->peer_hash_lock);
+-              list_add_tail(&peer->keepalive_link,
+-                            &rxnet->peer_keepalive[slot & mask]);
++                      /* A transmission to this peer occurred since last we
++                       * examined it so put it into the appropriate future
++                       * bucket.
++                       */
++                      slot += cursor;
++                      slot &= mask;
++                      spin_lock_bh(&rxnet->peer_hash_lock);
++                      list_add_tail(&peer->keepalive_link,
++                                    &rxnet->peer_keepalive[slot & mask]);
++                      rxrpc_unuse_local(peer->local);
++              }
+               rxrpc_put_peer_locked(peer);
+       }
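Review bot: The new `__rxrpc_use_local()` and `__rxrpc_unuse_local()` helpers in ar-internal.h carry no comment, although their contract differs from `rxrpc_use_local()` and `rxrpc_unuse_local()`: they touch only `active_users` and take or drop no object ref. I would add above them `/* Raw active-count get/put; the caller must already hold a ref on the local. */`. In rxrpc_local_processor() the bool returned by `__rxrpc_unuse_local(local)` is discarded, so if that call drops the last active use while `again` is false, nothing in the visible lines runs `rxrpc_local_destroyer()`. A comment saying why that is safe, or a check of the return value, would help the next reader. rxrpc_local_processor() and the keepalive dispatcher are only partly visible in their hunks.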
diff --git a/queue-5.4/rxrpc-fix-null-pointer-deref-due-to-call-conn-being-cleared-on-disconnect.patch b/queue-5.4/rxrpc-fix-null-pointer-deref-due-to-call-conn-being-cleared-on-disconnect.patch
new file mode 100644 (file)
index 0000000..4e95032
--- /dev/null
@@ -0,0 +1,192 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 30 Jan 2020 21:50:36 +0000
+Subject: rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 5273a191dca65a675dc0bcf3909e59c6933e2831 ]
+
+When a call is disconnected, the connection pointer from the call is
+cleared to make sure it isn't used again and to prevent further attempted
+transmission for the call.  Unfortunately, there might be a daemon trying
+to use it at the same time to transmit a packet.
+
+Fix this by keeping call->conn set, but setting a flag on the call to
+indicate disconnection instead.
+
+Remove also the bits in the transmission functions where the conn pointer is
+checked and a ref taken under spinlock as this is now redundant.
+
+Fixes: 8d94aa381dab ("rxrpc: Calls shouldn't hold socket refs")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/ar-internal.h |    1 +
+ net/rxrpc/call_object.c |    4 ++--
+ net/rxrpc/conn_client.c |    3 +--
+ net/rxrpc/conn_object.c |    4 ++--
+ net/rxrpc/output.c      |   27 +++++++++------------------
+ 5 files changed, 15 insertions(+), 24 deletions(-)
+
+--- a/net/rxrpc/ar-internal.h
++++ b/net/rxrpc/ar-internal.h
+@@ -490,6 +490,7 @@ enum rxrpc_call_flag {
+       RXRPC_CALL_RX_HEARD,            /* The peer responded at least once to this call */
+       RXRPC_CALL_RX_UNDERRUN,         /* Got data underrun */
+       RXRPC_CALL_IS_INTR,             /* The call is interruptible */
++      RXRPC_CALL_DISCONNECTED,        /* The call has been disconnected */
+ };
+ /*
+--- a/net/rxrpc/call_object.c
++++ b/net/rxrpc/call_object.c
+@@ -493,7 +493,7 @@ void rxrpc_release_call(struct rxrpc_soc
+       _debug("RELEASE CALL %p (%d CONN %p)", call, call->debug_id, conn);
+-      if (conn)
++      if (conn && !test_bit(RXRPC_CALL_DISCONNECTED, &call->flags))
+               rxrpc_disconnect_call(call);
+       if (call->security)
+               call->security->free_call_crypto(call);
+@@ -569,6 +569,7 @@ static void rxrpc_rcu_destroy_call(struc
+       struct rxrpc_call *call = container_of(rcu, struct rxrpc_call, rcu);
+       struct rxrpc_net *rxnet = call->rxnet;
++      rxrpc_put_connection(call->conn);
+       rxrpc_put_peer(call->peer);
+       kfree(call->rxtx_buffer);
+       kfree(call->rxtx_annotations);
+@@ -590,7 +591,6 @@ void rxrpc_cleanup_call(struct rxrpc_cal
+       ASSERTCMP(call->state, ==, RXRPC_CALL_COMPLETE);
+       ASSERT(test_bit(RXRPC_CALL_RELEASED, &call->flags));
+-      ASSERTCMP(call->conn, ==, NULL);
+       rxrpc_cleanup_ring(call);
+       rxrpc_free_skb(call->tx_pending, rxrpc_skb_cleaned);
+--- a/net/rxrpc/conn_client.c
++++ b/net/rxrpc/conn_client.c
+@@ -785,6 +785,7 @@ void rxrpc_disconnect_client_call(struct
+       u32 cid;
+       spin_lock(&conn->channel_lock);
++      set_bit(RXRPC_CALL_DISCONNECTED, &call->flags);
+       cid = call->cid;
+       if (cid) {
+@@ -792,7 +793,6 @@ void rxrpc_disconnect_client_call(struct
+               chan = &conn->channels[channel];
+       }
+       trace_rxrpc_client(conn, channel, rxrpc_client_chan_disconnect);
+-      call->conn = NULL;
+       /* Calls that have never actually been assigned a channel can simply be
+        * discarded.  If the conn didn't get used either, it will follow
+@@ -908,7 +908,6 @@ out:
+       spin_unlock(&rxnet->client_conn_cache_lock);
+ out_2:
+       spin_unlock(&conn->channel_lock);
+-      rxrpc_put_connection(conn);
+       _leave("");
+       return;
+--- a/net/rxrpc/conn_object.c
++++ b/net/rxrpc/conn_object.c
+@@ -171,6 +171,8 @@ void __rxrpc_disconnect_call(struct rxrp
+       _enter("%d,%x", conn->debug_id, call->cid);
++      set_bit(RXRPC_CALL_DISCONNECTED, &call->flags);
++
+       if (rcu_access_pointer(chan->call) == call) {
+               /* Save the result of the call so that we can repeat it if necessary
+                * through the channel, whilst disposing of the actual call record.
+@@ -223,9 +225,7 @@ void rxrpc_disconnect_call(struct rxrpc_
+       __rxrpc_disconnect_call(conn, call);
+       spin_unlock(&conn->channel_lock);
+-      call->conn = NULL;
+       conn->idle_timestamp = jiffies;
+-      rxrpc_put_connection(conn);
+ }
+ /*
+--- a/net/rxrpc/output.c
++++ b/net/rxrpc/output.c
+@@ -129,7 +129,7 @@ static size_t rxrpc_fill_out_ack(struct
+ int rxrpc_send_ack_packet(struct rxrpc_call *call, bool ping,
+                         rxrpc_serial_t *_serial)
+ {
+-      struct rxrpc_connection *conn = NULL;
++      struct rxrpc_connection *conn;
+       struct rxrpc_ack_buffer *pkt;
+       struct msghdr msg;
+       struct kvec iov[2];
+@@ -139,18 +139,14 @@ int rxrpc_send_ack_packet(struct rxrpc_c
+       int ret;
+       u8 reason;
+-      spin_lock_bh(&call->lock);
+-      if (call->conn)
+-              conn = rxrpc_get_connection_maybe(call->conn);
+-      spin_unlock_bh(&call->lock);
+-      if (!conn)
++      if (test_bit(RXRPC_CALL_DISCONNECTED, &call->flags))
+               return -ECONNRESET;
+       pkt = kzalloc(sizeof(*pkt), GFP_KERNEL);
+-      if (!pkt) {
+-              rxrpc_put_connection(conn);
++      if (!pkt)
+               return -ENOMEM;
+-      }
++
++      conn = call->conn;
+       msg.msg_name    = &call->peer->srx.transport;
+       msg.msg_namelen = call->peer->srx.transport_len;
+@@ -244,7 +240,6 @@ int rxrpc_send_ack_packet(struct rxrpc_c
+       }
+ out:
+-      rxrpc_put_connection(conn);
+       kfree(pkt);
+       return ret;
+ }
+@@ -254,7 +249,7 @@ out:
+  */
+ int rxrpc_send_abort_packet(struct rxrpc_call *call)
+ {
+-      struct rxrpc_connection *conn = NULL;
++      struct rxrpc_connection *conn;
+       struct rxrpc_abort_buffer pkt;
+       struct msghdr msg;
+       struct kvec iov[1];
+@@ -271,13 +266,11 @@ int rxrpc_send_abort_packet(struct rxrpc
+           test_bit(RXRPC_CALL_TX_LAST, &call->flags))
+               return 0;
+-      spin_lock_bh(&call->lock);
+-      if (call->conn)
+-              conn = rxrpc_get_connection_maybe(call->conn);
+-      spin_unlock_bh(&call->lock);
+-      if (!conn)
++      if (test_bit(RXRPC_CALL_DISCONNECTED, &call->flags))
+               return -ECONNRESET;
++      conn = call->conn;
++
+       msg.msg_name    = &call->peer->srx.transport;
+       msg.msg_namelen = call->peer->srx.transport_len;
+       msg.msg_control = NULL;
+@@ -312,8 +305,6 @@ int rxrpc_send_abort_packet(struct rxrpc
+               trace_rxrpc_tx_packet(call->debug_id, &pkt.whdr,
+                                     rxrpc_tx_point_call_abort);
+       rxrpc_tx_backoff(call, ret);
+-
+-      rxrpc_put_connection(conn);
+       return ret;
+ }
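Review bot: In rxrpc_send_ack_packet() and rxrpc_send_abort_packet() the removed `if (!conn) return -ECONNRESET;` also covered a call whose `call->conn` had never been set, whereas the new `test_bit(RXRPC_CALL_DISCONNECTED, &call->flags)` test only covers a call that went through disconnect. If a call without a connection can reach these functions (not visible here), `conn = call->conn;` yields NULL for whatever the rest of the body does with it. `if (!call->conn || test_bit(RXRPC_CALL_DISCONNECTED, &call->flags)) return -ECONNRESET;` would keep the old guard. Similarly, the added `rxrpc_put_connection(call->conn);` in rxrpc_rcu_destroy_call() relies on rxrpc_put_connection() tolerating NULL, which deserves a short comment there. Both send functions are only partly shown in their hunks.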
diff --git a/queue-5.4/rxrpc-fix-use-after-free-in-rxrpc_put_local.patch b/queue-5.4/rxrpc-fix-use-after-free-in-rxrpc_put_local.patch
new file mode 100644 (file)
index 0000000..802ed4b
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 30 Jan 2020 21:50:35 +0000
+Subject: rxrpc: Fix use-after-free in rxrpc_put_local()
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit fac20b9e738523fc884ee3ea5be360a321cd8bad ]
+
+Fix rxrpc_put_local() to not access local->debug_id after calling
+atomic_dec_return() as, unless that returned n==0, we no longer have the
+right to access the object.
+
+Fixes: 06d9532fa6b3 ("rxrpc: Fix read-after-free in rxrpc_queue_local()")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/local_object.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -364,11 +364,14 @@ void rxrpc_queue_local(struct rxrpc_loca
+ void rxrpc_put_local(struct rxrpc_local *local)
+ {
+       const void *here = __builtin_return_address(0);
++      unsigned int debug_id;
+       int n;
+       if (local) {
++              debug_id = local->debug_id;
++
+               n = atomic_dec_return(&local->usage);
+-              trace_rxrpc_local(local->debug_id, rxrpc_local_put, n, here);
++              trace_rxrpc_local(debug_id, rxrpc_local_put, n, here);
+               if (n == 0)
+                       call_rcu(&local->rcu, rxrpc_local_rcu);
index eaceec762fdfc0e700b611297c0fba90336f5414..7a49681345832d65400bd360c8f49ecf6ebfdd65 100644 (file)
@@ -1 +1,21 @@
 sparc32-fix-struct-ipc64_perm-type-definition.patch
+bnxt_en-move-devlink_register-before-registering-netdev.patch
+cls_rsvp-fix-rsvp_policy.patch
+gtp-use-__gfp_nowarn-to-avoid-memalloc-warning.patch
+l2tp-allow-duplicate-session-creation-with-udp.patch
+net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch
+net_sched-fix-an-oob-access-in-cls_tcindex.patch
+net-stmmac-delete-txtimer-in-suspend.patch
+bnxt_en-fix-tc-queue-mapping.patch
+rxrpc-fix-use-after-free-in-rxrpc_put_local.patch
+rxrpc-fix-insufficient-receive-notification-generation.patch
+rxrpc-fix-missing-active-use-pinning-of-rxrpc_local-object.patch
+rxrpc-fix-null-pointer-deref-due-to-call-conn-being-cleared-on-disconnect.patch
+tcp-clear-tp-total_retrans-in-tcp_disconnect.patch
+tcp-clear-tp-delivered-in-tcp_disconnect.patch
+tcp-clear-tp-data_segs-in-out-in-tcp_disconnect.patch
+tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch
+ionic-fix-rxq-comp-packet-type-mask.patch
+maintainers-correct-entries-for-isdn-misdn-section.patch
+netdevsim-fix-stack-out-of-bounds-in-nsim_dev_debugfs_init.patch
+bnxt_en-fix-logic-that-disables-bus-master-during-firmware-reset.patch
diff --git a/queue-5.4/tcp-clear-tp-data_segs-in-out-in-tcp_disconnect.patch b/queue-5.4/tcp-clear-tp-data_segs-in-out-in-tcp_disconnect.patch
new file mode 100644 (file)
index 0000000..81f9b59
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 31 Jan 2020 10:32:41 -0800
+Subject: tcp: clear tp->data_segs{in|out} in tcp_disconnect()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit db7ffee6f3eb3683cdcaeddecc0a630a14546fe3 ]
+
+tp->data_segs_in and tp->data_segs_out need to be cleared
+in tcp_disconnect().
+
+tcp_disconnect() is rarely used, but it is worth fixing it.
+
+Fixes: a44d6eacdaf5 ("tcp: Add RFC4898 tcpEStatsPerfDataSegsOut/In")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2639,6 +2639,8 @@ int tcp_disconnect(struct sock *sk, int
+       tp->bytes_acked = 0;
+       tp->bytes_received = 0;
+       tp->bytes_retrans = 0;
++      tp->data_segs_in = 0;
++      tp->data_segs_out = 0;
+       tp->duplicate_sack[0].start_seq = 0;
+       tp->duplicate_sack[0].end_seq = 0;
+       tp->dsack_dups = 0;
diff --git a/queue-5.4/tcp-clear-tp-delivered-in-tcp_disconnect.patch b/queue-5.4/tcp-clear-tp-delivered-in-tcp_disconnect.patch
new file mode 100644 (file)
index 0000000..5f6088c
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 31 Jan 2020 10:22:47 -0800
+Subject: tcp: clear tp->delivered in tcp_disconnect()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2fbdd56251b5c62f96589f39eded277260de7267 ]
+
+tp->delivered needs to be cleared in tcp_disconnect().
+
+tcp_disconnect() is rarely used, but it is worth fixing it.
+
+Fixes: ddf1af6fa00e ("tcp: new delivery accounting")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2618,6 +2618,7 @@ int tcp_disconnect(struct sock *sk, int
+       tp->snd_cwnd = TCP_INIT_CWND;
+       tp->snd_cwnd_cnt = 0;
+       tp->window_clamp = 0;
++      tp->delivered = 0;
+       tp->delivered_ce = 0;
+       tcp_set_ca_state(sk, TCP_CA_Open);
+       tp->is_sack_reneg = 0;
diff --git a/queue-5.4/tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch b/queue-5.4/tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch
new file mode 100644 (file)
index 0000000..11d08c3
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 31 Jan 2020 10:44:50 -0800
+Subject: tcp: clear tp->segs_{in|out} in tcp_disconnect()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 784f8344de750a41344f4bbbebb8507a730fc99c ]
+
+tp->segs_in and tp->segs_out need to be cleared in tcp_disconnect().
+
+tcp_disconnect() is rarely used, but it is worth fixing it.
+
+Fixes: 2efd055c53c0 ("tcp: add tcpi_segs_in and tcpi_segs_out to tcp_info")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Marcelo Ricardo Leitner <mleitner@redhat.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2635,6 +2635,8 @@ int tcp_disconnect(struct sock *sk, int
+       sk->sk_rx_dst = NULL;
+       tcp_saved_syn_free(tp);
+       tp->compressed_ack = 0;
++      tp->segs_in = 0;
++      tp->segs_out = 0;
+       tp->bytes_sent = 0;
+       tp->bytes_acked = 0;
+       tp->bytes_received = 0;
diff --git a/queue-5.4/tcp-clear-tp-total_retrans-in-tcp_disconnect.patch b/queue-5.4/tcp-clear-tp-total_retrans-in-tcp_disconnect.patch
new file mode 100644 (file)
index 0000000..a2cc354
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 31 Jan 2020 09:14:47 -0800
+Subject: tcp: clear tp->total_retrans in tcp_disconnect()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c13c48c00a6bc1febc73902505bdec0967bd7095 ]
+
+total_retrans needs to be cleared in tcp_disconnect().
+
+tcp_disconnect() is rarely used, but it is worth fixing it.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: SeongJae Park <sjpark@amazon.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2622,6 +2622,7 @@ int tcp_disconnect(struct sock *sk, int
+       tcp_set_ca_state(sk, TCP_CA_Open);
+       tp->is_sack_reneg = 0;
+       tcp_clear_retrans(tp);
++      tp->total_retrans = 0;
+       inet_csk_delack_init(sk);
+       /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
+        * issue in __tcp_select_window()