4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 25 Sep 2020 08:52:17 +0000 (10:52 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 25 Sep 2020 08:52:17 +0000 (10:52 +0200)
added patches:
bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch
bnxt_en-return-proper-error-codes-in-bnxt_show_temp.patch
cxgb4-fix-offset-when-clearing-filter-byte-counters.patch
geneve-add-transport-ports-in-route-lookup-for-geneve.patch
hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch
ip-fix-tos-reflection-in-ack-and-reset-packets.patch
ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch
ipv6-avoid-lockdep-issue-in-fib6_del.patch
net-add-__must_check-to-skb_put_padto.patch
net-dcb-validate-dcb_attr_dcb_buffer-argument.patch
net-dsa-rtl8366-properly-clear-member-config.patch
net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch
net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch
net-qrtr-check-skb_put_padto-return-value.patch
net-sch_generic-aviod-concurrent-reset-and-enqueue-op-for-lockless-qdisc.patch
nfp-use-correct-define-to-return-none-fec.patch
tipc-fix-memory-leak-in-tipc_group_create_member.patch
tipc-fix-shutdown-of-connection-oriented-socket.patch
tipc-use-skb_unshare-instead-in-tipc_buf_append.patch

21 files changed:
queue-4.19/bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch [new file with mode: 0644]
queue-4.19/bnxt_en-return-proper-error-codes-in-bnxt_show_temp.patch [new file with mode: 0644]
queue-4.19/cxgb4-fix-offset-when-clearing-filter-byte-counters.patch [new file with mode: 0644]
queue-4.19/geneve-add-transport-ports-in-route-lookup-for-geneve.patch [new file with mode: 0644]
queue-4.19/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch [new file with mode: 0644]
queue-4.19/ip-fix-tos-reflection-in-ack-and-reset-packets.patch [new file with mode: 0644]
queue-4.19/ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch [new file with mode: 0644]
queue-4.19/ipv6-avoid-lockdep-issue-in-fib6_del.patch [new file with mode: 0644]
queue-4.19/mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch
queue-4.19/net-add-__must_check-to-skb_put_padto.patch [new file with mode: 0644]
queue-4.19/net-dcb-validate-dcb_attr_dcb_buffer-argument.patch [new file with mode: 0644]
queue-4.19/net-dsa-rtl8366-properly-clear-member-config.patch [new file with mode: 0644]
queue-4.19/net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch [new file with mode: 0644]
queue-4.19/net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch [new file with mode: 0644]
queue-4.19/net-qrtr-check-skb_put_padto-return-value.patch [new file with mode: 0644]
queue-4.19/net-sch_generic-aviod-concurrent-reset-and-enqueue-op-for-lockless-qdisc.patch [new file with mode: 0644]
queue-4.19/nfp-use-correct-define-to-return-none-fec.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/tipc-fix-memory-leak-in-tipc_group_create_member.patch [new file with mode: 0644]
queue-4.19/tipc-fix-shutdown-of-connection-oriented-socket.patch [new file with mode: 0644]
queue-4.19/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch [new file with mode: 0644]

diff --git a/queue-4.19/bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch b/queue-4.19/bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch
new file mode 100644 (file)
index 0000000..06747a2
--- /dev/null
@@ -0,0 +1,109 @@
+From foo@baz Fri Sep 25 10:42:34 AM CEST 2020
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sun, 20 Sep 2020 21:08:56 -0400
+Subject: bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit a53906908148d64423398a62c4435efb0d09652c ]
+
+All changes related to bp->link_info require the protection of the
+link_lock mutex.  It's not sufficient to rely just on RTNL.
+
+Fixes: 163e9ef63641 ("bnxt_en: Fix race when modifying pause settings.")
+Reviewed-by: Edwin Peer <edwin.peer@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c |   31 ++++++++++++++--------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -1369,9 +1369,12 @@ static int bnxt_set_pauseparam(struct ne
+       if (!BNXT_SINGLE_PF(bp))
+               return -EOPNOTSUPP;
++      mutex_lock(&bp->link_lock);
+       if (epause->autoneg) {
+-              if (!(link_info->autoneg & BNXT_AUTONEG_SPEED))
+-                      return -EINVAL;
++              if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) {
++                      rc = -EINVAL;
++                      goto pause_exit;
++              }
+               link_info->autoneg |= BNXT_AUTONEG_FLOW_CTRL;
+               if (bp->hwrm_spec_code >= 0x10201)
+@@ -1392,11 +1395,11 @@ static int bnxt_set_pauseparam(struct ne
+       if (epause->tx_pause)
+               link_info->req_flow_ctrl |= BNXT_LINK_PAUSE_TX;
+-      if (netif_running(dev)) {
+-              mutex_lock(&bp->link_lock);
++      if (netif_running(dev))
+               rc = bnxt_hwrm_set_pause(bp);
+-              mutex_unlock(&bp->link_lock);
+-      }
++
++pause_exit:
++      mutex_unlock(&bp->link_lock);
+       return rc;
+ }
+@@ -2113,8 +2116,7 @@ static int bnxt_set_eee(struct net_devic
+       struct bnxt *bp = netdev_priv(dev);
+       struct ethtool_eee *eee = &bp->eee;
+       struct bnxt_link_info *link_info = &bp->link_info;
+-      u32 advertising =
+-               _bnxt_fw_to_ethtool_adv_spds(link_info->advertising, 0);
++      u32 advertising;
+       int rc = 0;
+       if (!BNXT_SINGLE_PF(bp))
+@@ -2123,19 +2125,23 @@ static int bnxt_set_eee(struct net_devic
+       if (!(bp->flags & BNXT_FLAG_EEE_CAP))
+               return -EOPNOTSUPP;
++      mutex_lock(&bp->link_lock);
++      advertising = _bnxt_fw_to_ethtool_adv_spds(link_info->advertising, 0);
+       if (!edata->eee_enabled)
+               goto eee_ok;
+       if (!(link_info->autoneg & BNXT_AUTONEG_SPEED)) {
+               netdev_warn(dev, "EEE requires autoneg\n");
+-              return -EINVAL;
++              rc = -EINVAL;
++              goto eee_exit;
+       }
+       if (edata->tx_lpi_enabled) {
+               if (bp->lpi_tmr_hi && (edata->tx_lpi_timer > bp->lpi_tmr_hi ||
+                                      edata->tx_lpi_timer < bp->lpi_tmr_lo)) {
+                       netdev_warn(dev, "Valid LPI timer range is %d and %d microsecs\n",
+                                   bp->lpi_tmr_lo, bp->lpi_tmr_hi);
+-                      return -EINVAL;
++                      rc = -EINVAL;
++                      goto eee_exit;
+               } else if (!bp->lpi_tmr_hi) {
+                       edata->tx_lpi_timer = eee->tx_lpi_timer;
+               }
+@@ -2145,7 +2151,8 @@ static int bnxt_set_eee(struct net_devic
+       } else if (edata->advertised & ~advertising) {
+               netdev_warn(dev, "EEE advertised %x must be a subset of autoneg advertised speeds %x\n",
+                           edata->advertised, advertising);
+-              return -EINVAL;
++              rc = -EINVAL;
++              goto eee_exit;
+       }
+       eee->advertised = edata->advertised;
+@@ -2157,6 +2164,8 @@ eee_ok:
+       if (netif_running(dev))
+               rc = bnxt_hwrm_set_link_setting(bp, false, true);
++eee_exit:
++      mutex_unlock(&bp->link_lock);
+       return rc;
+ }
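Review bot: The rule that bp->link_info may only be changed under link_lock is stated in the commit message but nowhere in the new code of bnxt_set_pauseparam() and bnxt_set_eee(), so a later ethtool handler can repeat the same race. A comment at each added `mutex_lock(&bp->link_lock);`, for example `/* link_info is protected by link_lock; RTNL alone is not enough */`, would record it where the next author will see it. Both functions begin outside the quoted hunks, so any earlier access to link_info in them is not visible here and is worth checking against the same rule.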
diff --git a/queue-4.19/bnxt_en-return-proper-error-codes-in-bnxt_show_temp.patch b/queue-4.19/bnxt_en-return-proper-error-codes-in-bnxt_show_temp.patch
new file mode 100644 (file)
index 0000000..639f2ca
--- /dev/null
@@ -0,0 +1,72 @@
+From foo@baz Fri Sep 25 10:42:34 AM CEST 2020
+From: Edwin Peer <edwin.peer@broadcom.com>
+Date: Sun, 20 Sep 2020 21:08:55 -0400
+Subject: bnxt_en: return proper error codes in bnxt_show_temp
+
+From: Edwin Peer <edwin.peer@broadcom.com>
+
+[ Upstream commit d69753fa1ecb3218b56b022722f7a5822735b876 ]
+
+Returning "unknown" as a temperature value violates the hwmon interface
+rules. Appropriate error codes should be returned via device_attribute
+show instead. These will ultimately be propagated to the user via the
+file system interface.
+
+In addition to the corrected error handling, it is an even better idea to
+not present the sensor in sysfs at all if it is known that the read will
+definitely fail. Given that temp1_input is currently the only sensor
+reported, ensure no hwmon registration if TEMP_MONITOR_QUERY is not
+supported or if it will fail due to access permissions. Something smarter
+may be needed if and when other sensors are added.
+
+Fixes: 12cce90b934b ("bnxt_en: fix HWRM error when querying VF temperature")
+Signed-off-by: Edwin Peer <edwin.peer@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c |   19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -6837,18 +6837,16 @@ static ssize_t bnxt_show_temp(struct dev
+       struct hwrm_temp_monitor_query_output *resp;
+       struct bnxt *bp = dev_get_drvdata(dev);
+       u32 len = 0;
++      int rc;
+       resp = bp->hwrm_cmd_resp_addr;
+       bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_TEMP_MONITOR_QUERY, -1, -1);
+       mutex_lock(&bp->hwrm_cmd_lock);
+-      if (!_hwrm_send_message_silent(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT))
++      rc = _hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
++      if (!rc)
+               len = sprintf(buf, "%u\n", resp->temp * 1000); /* display millidegree */
+       mutex_unlock(&bp->hwrm_cmd_lock);
+-
+-      if (len)
+-              return len;
+-
+-      return sprintf(buf, "unknown\n");
++      return rc ?: len;
+ }
+ static SENSOR_DEVICE_ATTR(temp1_input, 0444, bnxt_show_temp, NULL, 0);
+@@ -6868,7 +6866,16 @@ static void bnxt_hwmon_close(struct bnxt
+ static void bnxt_hwmon_open(struct bnxt *bp)
+ {
++      struct hwrm_temp_monitor_query_input req = {0};
+       struct pci_dev *pdev = bp->pdev;
++      int rc;
++
++      bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_TEMP_MONITOR_QUERY, -1, -1);
++      rc = hwrm_send_message_silent(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
++      if (rc == -EACCES || rc == -EOPNOTSUPP) {
++              bnxt_hwmon_close(bp);
++              return;
++      }
+       bp->hwmon_dev = hwmon_device_register_with_groups(&pdev->dev,
+                                                         DRV_MODULE_NAME, bp,
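Review bot: In bnxt_show_temp() the new `return rc ?: len;` mixes `int rc` with `u32 len`, so the conditional expression has type unsigned int and a negative errno in rc becomes a large positive value before it is widened to the ssize_t return type on 64-bit builds. The error code this change intends to propagate would then reach the sysfs core as an oversized length instead of an error. Returning the two values separately avoids the conversion: `if (rc) return rc;` followed by `return len;`. bnxt_hwmon_open() continues past the end of the hunk.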
diff --git a/queue-4.19/cxgb4-fix-offset-when-clearing-filter-byte-counters.patch b/queue-4.19/cxgb4-fix-offset-when-clearing-filter-byte-counters.patch
new file mode 100644 (file)
index 0000000..94d88d1
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Fri Sep 25 10:42:33 AM CEST 2020
+From: Ganji Aravind <ganji.aravind@chelsio.com>
+Date: Fri, 4 Sep 2020 15:58:18 +0530
+Subject: cxgb4: Fix offset when clearing filter byte counters
+
+From: Ganji Aravind <ganji.aravind@chelsio.com>
+
+[ Upstream commit 94cc242a067a869c29800aa789d38b7676136e50 ]
+
+Pass the correct offset to clear the stale filter hit
+bytes counter. Otherwise, the counter starts incrementing
+from the stale information, instead of 0.
+
+Fixes: 12b276fbf6e0 ("cxgb4: add support to create hash filters")
+Signed-off-by: Ganji Aravind <ganji.aravind@chelsio.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
+@@ -1591,13 +1591,16 @@ out:
+ static int configure_filter_tcb(struct adapter *adap, unsigned int tid,
+                               struct filter_entry *f)
+ {
+-      if (f->fs.hitcnts)
++      if (f->fs.hitcnts) {
+               set_tcb_field(adap, f, tid, TCB_TIMESTAMP_W,
+-                            TCB_TIMESTAMP_V(TCB_TIMESTAMP_M) |
++                            TCB_TIMESTAMP_V(TCB_TIMESTAMP_M),
++                            TCB_TIMESTAMP_V(0ULL),
++                            1);
++              set_tcb_field(adap, f, tid, TCB_RTT_TS_RECENT_AGE_W,
+                             TCB_RTT_TS_RECENT_AGE_V(TCB_RTT_TS_RECENT_AGE_M),
+-                            TCB_TIMESTAMP_V(0ULL) |
+                             TCB_RTT_TS_RECENT_AGE_V(0ULL),
+                             1);
++      }
+       if (f->fs.newdmac)
+               set_tcb_tflag(adap, f, tid, TF_CCTRL_ECE_S, 1,
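Review bot: The two set_tcb_field() calls in configure_filter_tcb() now differ mainly in the word offset, and nothing in the code says why the single combined write was wrong. A comment above them such as `/* the timestamp and rtt_ts_recent_age fields are cleared at separate TCB word offsets */` would keep a later cleanup from merging them again. The return value of both calls is still discarded, as it was before; if set_tcb_field() can fail, the stale byte counter this change is meant to clear would remain without any indication. configure_filter_tcb() continues outside the hunk.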
diff --git a/queue-4.19/geneve-add-transport-ports-in-route-lookup-for-geneve.patch b/queue-4.19/geneve-add-transport-ports-in-route-lookup-for-geneve.patch
new file mode 100644 (file)
index 0000000..913835d
--- /dev/null
@@ -0,0 +1,181 @@
+From foo@baz Fri Sep 25 10:42:33 AM CEST 2020
+From: Mark Gray <mark.d.gray@redhat.com>
+Date: Wed, 16 Sep 2020 05:19:35 -0400
+Subject: geneve: add transport ports in route lookup for geneve
+
+From: Mark Gray <mark.d.gray@redhat.com>
+
+[ Upstream commit 34beb21594519ce64a55a498c2fe7d567bc1ca20 ]
+
+This patch adds transport ports information for route lookup so that
+IPsec can select Geneve tunnel traffic to do encryption. This is
+needed for OVS/OVN IPsec with encrypted Geneve tunnels.
+
+This can be tested by configuring a host-host VPN using an IKE
+daemon and specifying port numbers. For example, for an
+Openswan-type configuration, the following parameters should be
+configured on both hosts and IPsec set up as-per normal:
+
+$ cat /etc/ipsec.conf
+
+conn in
+...
+left=$IP1
+right=$IP2
+...
+leftprotoport=udp/6081
+rightprotoport=udp
+...
+conn out
+...
+left=$IP1
+right=$IP2
+...
+leftprotoport=udp
+rightprotoport=udp/6081
+...
+
+The tunnel can then be setup using "ip" on both hosts (but
+changing the relevant IP addresses):
+
+$ ip link add tun type geneve id 1000 remote $IP2
+$ ip addr add 192.168.0.1/24 dev tun
+$ ip link set tun up
+
+This can then be tested by pinging from $IP1:
+
+$ ping 192.168.0.2
+
+Without this patch the traffic is unencrypted on the wire.
+
+Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
+Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
+Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
+Reviewed-by: Greg Rose <gvrose8192@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/geneve.c |   37 +++++++++++++++++++++++++++----------
+ 1 file changed, 27 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -721,7 +721,8 @@ static struct rtable *geneve_get_v4_rt(s
+                                      struct net_device *dev,
+                                      struct geneve_sock *gs4,
+                                      struct flowi4 *fl4,
+-                                     const struct ip_tunnel_info *info)
++                                     const struct ip_tunnel_info *info,
++                                     __be16 dport, __be16 sport)
+ {
+       bool use_cache = ip_tunnel_dst_cache_usable(skb, info);
+       struct geneve_dev *geneve = netdev_priv(dev);
+@@ -737,6 +738,8 @@ static struct rtable *geneve_get_v4_rt(s
+       fl4->flowi4_proto = IPPROTO_UDP;
+       fl4->daddr = info->key.u.ipv4.dst;
+       fl4->saddr = info->key.u.ipv4.src;
++      fl4->fl4_dport = dport;
++      fl4->fl4_sport = sport;
+       tos = info->key.tos;
+       if ((tos == 1) && !geneve->collect_md) {
+@@ -771,7 +774,8 @@ static struct dst_entry *geneve_get_v6_d
+                                          struct net_device *dev,
+                                          struct geneve_sock *gs6,
+                                          struct flowi6 *fl6,
+-                                         const struct ip_tunnel_info *info)
++                                         const struct ip_tunnel_info *info,
++                                         __be16 dport, __be16 sport)
+ {
+       bool use_cache = ip_tunnel_dst_cache_usable(skb, info);
+       struct geneve_dev *geneve = netdev_priv(dev);
+@@ -787,6 +791,9 @@ static struct dst_entry *geneve_get_v6_d
+       fl6->flowi6_proto = IPPROTO_UDP;
+       fl6->daddr = info->key.u.ipv6.dst;
+       fl6->saddr = info->key.u.ipv6.src;
++      fl6->fl6_dport = dport;
++      fl6->fl6_sport = sport;
++
+       prio = info->key.tos;
+       if ((prio == 1) && !geneve->collect_md) {
+               prio = ip_tunnel_get_dsfield(ip_hdr(skb), skb);
+@@ -833,14 +840,15 @@ static int geneve_xmit_skb(struct sk_buf
+       __be16 df;
+       int err;
+-      rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info);
++      sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
++      rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info,
++                            geneve->info.key.tp_dst, sport);
+       if (IS_ERR(rt))
+               return PTR_ERR(rt);
+       skb_tunnel_check_pmtu(skb, &rt->dst,
+                             GENEVE_IPV4_HLEN + info->options_len);
+-      sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+       if (geneve->collect_md) {
+               tos = ip_tunnel_ecn_encap(key->tos, ip_hdr(skb), skb);
+               ttl = key->ttl;
+@@ -875,13 +883,14 @@ static int geneve6_xmit_skb(struct sk_bu
+       __be16 sport;
+       int err;
+-      dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info);
++      sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
++      dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info,
++                              geneve->info.key.tp_dst, sport);
+       if (IS_ERR(dst))
+               return PTR_ERR(dst);
+       skb_tunnel_check_pmtu(skb, dst, GENEVE_IPV6_HLEN + info->options_len);
+-      sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
+       if (geneve->collect_md) {
+               prio = ip_tunnel_ecn_encap(key->tos, ip_hdr(skb), skb);
+               ttl = key->ttl;
+@@ -958,13 +967,18 @@ static int geneve_fill_metadata_dst(stru
+ {
+       struct ip_tunnel_info *info = skb_tunnel_info(skb);
+       struct geneve_dev *geneve = netdev_priv(dev);
++      __be16 sport;
+       if (ip_tunnel_info_af(info) == AF_INET) {
+               struct rtable *rt;
+               struct flowi4 fl4;
++
+               struct geneve_sock *gs4 = rcu_dereference(geneve->sock4);
++              sport = udp_flow_src_port(geneve->net, skb,
++                                        1, USHRT_MAX, true);
+-              rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info);
++              rt = geneve_get_v4_rt(skb, dev, gs4, &fl4, info,
++                                    geneve->info.key.tp_dst, sport);
+               if (IS_ERR(rt))
+                       return PTR_ERR(rt);
+@@ -974,9 +988,13 @@ static int geneve_fill_metadata_dst(stru
+       } else if (ip_tunnel_info_af(info) == AF_INET6) {
+               struct dst_entry *dst;
+               struct flowi6 fl6;
++
+               struct geneve_sock *gs6 = rcu_dereference(geneve->sock6);
++              sport = udp_flow_src_port(geneve->net, skb,
++                                        1, USHRT_MAX, true);
+-              dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info);
++              dst = geneve_get_v6_dst(skb, dev, gs6, &fl6, info,
++                                      geneve->info.key.tp_dst, sport);
+               if (IS_ERR(dst))
+                       return PTR_ERR(dst);
+@@ -987,8 +1005,7 @@ static int geneve_fill_metadata_dst(stru
+               return -EINVAL;
+       }
+-      info->key.tp_src = udp_flow_src_port(geneve->net, skb,
+-                                           1, USHRT_MAX, true);
++      info->key.tp_src = sport;
+       info->key.tp_dst = geneve->info.key.tp_dst;
+       return 0;
+ }
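Review bot: geneve_get_v4_rt() and geneve_get_v6_dst() still take `use_cache` from `ip_tunnel_dst_cache_usable(skb, info)`, and the cache lookup itself lies outside the hunks, so it is not visible whether a cached dst is returned without regard to the new `fl4_sport`/`fl4_dport` (and `fl6_*`) values. If it is, the IPsec policy decision made for the first flow would be reused for later flows whose hashed source port differs, which matters for policies that select on the source port. That is worth confirming, and a comment beside the port assignments such as `/* ports are set so xfrm policies can select Geneve traffic */` would record why they are there. Separately, in geneve_fill_metadata_dst() the added blank line splits the declarations and the new `sport = ...` statement follows a declaration directly; the blank line belongs after the `gs4`/`gs6` declaration.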
diff --git a/queue-4.19/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch b/queue-4.19/hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch
new file mode 100644 (file)
index 0000000..d9dade6
--- /dev/null
@@ -0,0 +1,80 @@
+From foo@baz Fri Sep 25 10:42:33 AM CEST 2020
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 9 Sep 2020 12:46:48 +0300
+Subject: hdlc_ppp: add range checks in ppp_cp_parse_cr()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 66d42ed8b25b64eb63111a2b8582c5afc8bf1105 ]
+
+There are a couple bugs here:
+1) If opt[1] is zero then this results in a forever loop.  If the value
+   is less than 2 then it is invalid.
+2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can
+   result in memory corruption.
+
+In the case of LCP_OPTION_ACCM, then  we should check "opt[1]" instead
+of "len" because, if "opt[1]" is less than sizeof(valid_accm) then
+"nak_len" gets out of sync and it can lead to memory corruption in the
+next iterations through the loop.  In case of LCP_OPTION_MAGIC, the
+only valid value for opt[1] is 6, but the code is trying to log invalid
+data so we should only discard the data when "len" is less than 6
+because that leads to a read overflow.
+
+Reported-by: ChenNan Of Chaitin Security Research Lab  <whutchennan@gmail.com>
+Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic HDLC.")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/hdlc_ppp.c |   16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wan/hdlc_ppp.c
++++ b/drivers/net/wan/hdlc_ppp.c
+@@ -386,11 +386,8 @@ static void ppp_cp_parse_cr(struct net_d
+       }
+       for (opt = data; len; len -= opt[1], opt += opt[1]) {
+-              if (len < 2 || len < opt[1]) {
+-                      dev->stats.rx_errors++;
+-                      kfree(out);
+-                      return; /* bad packet, drop silently */
+-              }
++              if (len < 2 || opt[1] < 2 || len < opt[1])
++                      goto err_out;
+               if (pid == PID_LCP)
+                       switch (opt[0]) {
+@@ -398,6 +395,8 @@ static void ppp_cp_parse_cr(struct net_d
+                               continue; /* MRU always OK and > 1500 bytes? */
+                       case LCP_OPTION_ACCM: /* async control character map */
++                              if (opt[1] < sizeof(valid_accm))
++                                      goto err_out;
+                               if (!memcmp(opt, valid_accm,
+                                           sizeof(valid_accm)))
+                                       continue;
+@@ -409,6 +408,8 @@ static void ppp_cp_parse_cr(struct net_d
+                               }
+                               break;
+                       case LCP_OPTION_MAGIC:
++                              if (len < 6)
++                                      goto err_out;
+                               if (opt[1] != 6 || (!opt[2] && !opt[3] &&
+                                                   !opt[4] && !opt[5]))
+                                       break; /* reject invalid magic number */
+@@ -427,6 +428,11 @@ static void ppp_cp_parse_cr(struct net_d
+               ppp_cp_event(dev, pid, RCR_GOOD, CP_CONF_ACK, id, req_len, data);
+       kfree(out);
++      return;
++
++err_out:
++      dev->stats.rx_errors++;
++      kfree(out);
+ }
+ static int ppp_rx(struct sk_buff *skb)
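Review bot: The reason ppp_cp_parse_cr() checks `opt[1]` in the LCP_OPTION_ACCM case but `len` in the LCP_OPTION_MAGIC case is explained only in the commit message, and in the code the asymmetry reads like a mistake. Comments on the two checks would keep them from being unified later, for example `/* a short option would put nak_len out of sync */` above `if (opt[1] < sizeof(valid_accm))` and `/* 6 bytes of opt are accessed for this option whatever opt[1] says */` above `if (len < 6)`. The removed `/* bad packet, drop silently */` remark could also move to the `err_out:` label. The code that copies rejected options into `out` is outside the hunks, so its bounds are not reviewed here.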
diff --git a/queue-4.19/ip-fix-tos-reflection-in-ack-and-reset-packets.patch b/queue-4.19/ip-fix-tos-reflection-in-ack-and-reset-packets.patch
new file mode 100644 (file)
index 0000000..e112df8
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Fri Sep 25 10:42:33 AM CEST 2020
+From: Wei Wang <weiwan@google.com>
+Date: Tue, 8 Sep 2020 14:09:34 -0700
+Subject: ip: fix tos reflection in ack and reset packets
+
+From: Wei Wang <weiwan@google.com>
+
+[ Upstream commit ba9e04a7ddf4f22a10e05bf9403db6b97743c7bf ]
+
+Currently, in tcp_v4_reqsk_send_ack() and tcp_v4_send_reset(), we
+echo the TOS value of the received packets in the response.
+However, we do not want to echo the lower 2 ECN bits in accordance
+with RFC 3168 6.1.5 robustness principles.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+
+Signed-off-by: Wei Wang <weiwan@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_output.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -73,6 +73,7 @@
+ #include <net/icmp.h>
+ #include <net/checksum.h>
+ #include <net/inetpeer.h>
++#include <net/inet_ecn.h>
+ #include <net/lwtunnel.h>
+ #include <linux/bpf-cgroup.h>
+ #include <linux/igmp.h>
+@@ -1582,7 +1583,7 @@ void ip_send_unicast_reply(struct sock *
+       if (IS_ERR(rt))
+               return;
+-      inet_sk(sk)->tos = arg->tos;
++      inet_sk(sk)->tos = arg->tos & ~INET_ECN_MASK;
+       sk->sk_priority = skb->priority;
+       sk->sk_protocol = ip_hdr(skb)->protocol;
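Review bot: The mask in `inet_sk(sk)->tos = arg->tos & ~INET_ECN_MASK;` has no explanation in ip_send_unicast_reply(), and the RFC reference lives only in the commit message. A one-line comment such as `/* do not reflect the ECN bits of the incoming packet, RFC 3168 6.1.5 */` would keep the mask from being dropped later as an apparent no-op. The function begins and ends outside the hunk, so any other use of `arg->tos` in it is not visible here.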
diff --git a/queue-4.19/ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch b/queue-4.19/ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch
new file mode 100644 (file)
index 0000000..d43cc35
--- /dev/null
@@ -0,0 +1,159 @@
+From foo@baz Fri Sep 25 10:42:33 AM CEST 2020
+From: David Ahern <dsahern@kernel.org>
+Date: Mon, 14 Sep 2020 21:03:54 -0600
+Subject: ipv4: Update exception handling for multipath routes via same device
+
+From: David Ahern <dsahern@kernel.org>
+
+[ Upstream commit 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 ]
+
+Kfir reported that pmtu exceptions are not created properly for
+deployments where multipath routes use the same device.
+
+After some digging I see 2 compounding problems:
+1. ip_route_output_key_hash_rcu is updating the flowi4_oif *after*
+   the route lookup. This is the second use case where this has
+   been a problem (the first is related to use of vti devices with
+   VRF). I can not find any reason for the oif to be changed after the
+   lookup; the code goes back to the start of git. It does not seem
+   logical so remove it.
+
+2. fib_lookups for exceptions do not call fib_select_path to handle
+   multipath route selection based on the hash.
+
+The end result is that the fib_lookup used to add the exception
+always creates it based using the first leg of the route.
+
+An example topology showing the problem:
+
+                 |  host1
+             +------+
+             | eth0 |  .209
+             +------+
+                 |
+             +------+
+     switch  | br0  |
+             +------+
+                 |
+       +---------+---------+
+       | host2             |  host3
+   +------+             +------+
+   | eth0 | .250        | eth0 | 192.168.252.252
+   +------+             +------+
+
+   +-----+             +-----+
+   | vti | .2          | vti | 192.168.247.3
+   +-----+             +-----+
+       \                  /
+ =================================
+ tunnels
+         192.168.247.1/24
+
+for h in host1 host2 host3; do
+        ip netns add ${h}
+        ip -netns ${h} link set lo up
+        ip netns exec ${h} sysctl -wq net.ipv4.ip_forward=1
+done
+
+ip netns add switch
+ip -netns switch li set lo up
+ip -netns switch link add br0 type bridge stp 0
+ip -netns switch link set br0 up
+
+for n in 1 2 3; do
+        ip -netns switch link add eth-sw type veth peer name eth-h${n}
+        ip -netns switch li set eth-h${n} master br0 up
+        ip -netns switch li set eth-sw netns host${n} name eth0
+done
+
+ip -netns host1 addr add 192.168.252.209/24 dev eth0
+ip -netns host1 link set dev eth0 up
+ip -netns host1 route add 192.168.247.0/24 \
+        nexthop via 192.168.252.250 dev eth0 nexthop via 192.168.252.252 dev eth0
+
+ip -netns host2 addr add 192.168.252.250/24 dev eth0
+ip -netns host2 link set dev eth0 up
+
+ip -netns host2 addr add 192.168.252.252/24 dev eth0
+ip -netns host3 link set dev eth0 up
+
+ip netns add tunnel
+ip -netns tunnel li set lo up
+ip -netns tunnel li add br0 type bridge
+ip -netns tunnel li set br0 up
+for n in $(seq 11 20); do
+        ip -netns tunnel addr add dev br0 192.168.247.${n}/24
+done
+
+for n in 2 3
+do
+        ip -netns tunnel link add vti${n} type veth peer name eth${n}
+        ip -netns tunnel link set eth${n} mtu 1360 master br0 up
+        ip -netns tunnel link set vti${n} netns host${n} mtu 1360 up
+        ip -netns host${n} addr add dev vti${n} 192.168.247.${n}/24
+done
+ip -netns tunnel ro add default nexthop via 192.168.247.2 nexthop via 192.168.247.3
+
+ip netns exec host1 ping -M do -s 1400 -c3 -I 192.168.252.209 192.168.247.11
+ip netns exec host1 ping -M do -s 1400 -c3 -I 192.168.252.209 192.168.247.15
+ip -netns host1 ro ls cache
+
+Before this patch the cache always shows exceptions against the first
+leg in the multipath route; 192.168.252.250 per this example. Since the
+hash has an initial random seed, you may need to vary the final octet
+more than what is listed. In my tests, using addresses between 11 and 19
+usually found 1 that used both legs.
+
+With this patch, the cache will have exceptions for both legs.
+
+Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions")
+Reported-by: Kfir Itzhak <mastertheknife@gmail.com>
+Signed-off-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -779,6 +779,8 @@ static void __ip_do_redirect(struct rtab
+                       if (fib_lookup(net, fl4, &res, 0) == 0) {
+                               struct fib_nh *nh = &FIB_RES_NH(res);
++                              fib_select_path(net, &res, fl4, skb);
++                              nh = &FIB_RES_NH(res);
+                               update_or_create_fnhe(nh, fl4->daddr, new_gw,
+                                               0, false,
+                                               jiffies + ip_rt_gc_timeout);
+@@ -1004,6 +1006,7 @@ out:     kfree_skb(skb);
+ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
+ {
+       struct dst_entry *dst = &rt->dst;
++      struct net *net = dev_net(dst->dev);
+       u32 old_mtu = ipv4_mtu(dst);
+       struct fib_result res;
+       bool lock = false;
+@@ -1024,9 +1027,11 @@ static void __ip_rt_update_pmtu(struct r
+               return;
+       rcu_read_lock();
+-      if (fib_lookup(dev_net(dst->dev), fl4, &res, 0) == 0) {
+-              struct fib_nh *nh = &FIB_RES_NH(res);
++      if (fib_lookup(net, fl4, &res, 0) == 0) {
++              struct fib_nh *nh;
++              fib_select_path(net, &res, fl4, NULL);
++              nh = &FIB_RES_NH(res);
+               update_or_create_fnhe(nh, fl4->daddr, 0, mtu, lock,
+                                     jiffies + ip_rt_mtu_expires);
+       }
+@@ -2536,8 +2541,6 @@ struct rtable *ip_route_output_key_hash_
+       fib_select_path(net, res, fl4, skb);
+       dev_out = FIB_RES_DEV(*res);
+-      fl4->flowi4_oif = dev_out->ifindex;
+-
+ make_route:
+       rth = __mkroute_output(res, fl4, orig_oif, dev_out, flags);
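Review bot: In __ip_do_redirect() the initialiser in `struct fib_nh *nh = &FIB_RES_NH(res);` is now dead, because `nh` is reassigned right after the added fib_select_path() call. It also takes the nexthop before path selection, which is the value this change is meant to stop using. __ip_rt_update_pmtu() in the same patch uses the cleaner form; the declaration here should likewise be `struct fib_nh *nh;` followed by a blank line before the call. Both functions extend beyond the quoted hunks.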
diff --git a/queue-4.19/ipv6-avoid-lockdep-issue-in-fib6_del.patch b/queue-4.19/ipv6-avoid-lockdep-issue-in-fib6_del.patch
new file mode 100644 (file)
index 0000000..60b0a91
--- /dev/null
@@ -0,0 +1,105 @@
+From foo@baz Fri Sep 25 10:42:33 AM CEST 2020
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 8 Sep 2020 01:20:23 -0700
+Subject: ipv6: avoid lockdep issue in fib6_del()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 843d926b003ea692468c8cc5bea1f9f58dfa8c75 ]
+
+syzbot reported twice a lockdep issue in fib6_del() [1]
+which I think is caused by net->ipv6.fib6_null_entry
+having a NULL fib6_table pointer.
+
+fib6_del() already checks for fib6_null_entry special
+case, we only need to return earlier.
+
+Bug seems to occur very rarely, I have thus chosen
+a 'bug origin' that makes backports not too complex.
+
+[1]
+WARNING: suspicious RCU usage
+5.9.0-rc4-syzkaller #0 Not tainted
+-----------------------------
+net/ipv6/ip6_fib.c:1996 suspicious rcu_dereference_protected() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+4 locks held by syz-executor.5/8095:
+ #0: ffffffff8a7ea708 (rtnl_mutex){+.+.}-{3:3}, at: ppp_release+0x178/0x240 drivers/net/ppp/ppp_generic.c:401
+ #1: ffff88804c422dd8 (&net->ipv6.fib6_gc_lock){+.-.}-{2:2}, at: spin_trylock_bh include/linux/spinlock.h:414 [inline]
+ #1: ffff88804c422dd8 (&net->ipv6.fib6_gc_lock){+.-.}-{2:2}, at: fib6_run_gc+0x21b/0x2d0 net/ipv6/ip6_fib.c:2312
+ #2: ffffffff89bd6a40 (rcu_read_lock){....}-{1:2}, at: __fib6_clean_all+0x0/0x290 net/ipv6/ip6_fib.c:2613
+ #3: ffff8880a82e6430 (&tb->tb6_lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:359 [inline]
+ #3: ffff8880a82e6430 (&tb->tb6_lock){+.-.}-{2:2}, at: __fib6_clean_all+0x107/0x290 net/ipv6/ip6_fib.c:2245
+
+stack backtrace:
+CPU: 1 PID: 8095 Comm: syz-executor.5 Not tainted 5.9.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x198/0x1fd lib/dump_stack.c:118
+ fib6_del+0x12b4/0x1630 net/ipv6/ip6_fib.c:1996
+ fib6_clean_node+0x39b/0x570 net/ipv6/ip6_fib.c:2180
+ fib6_walk_continue+0x4aa/0x8e0 net/ipv6/ip6_fib.c:2102
+ fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2150
+ fib6_clean_tree+0xdb/0x120 net/ipv6/ip6_fib.c:2230
+ __fib6_clean_all+0x120/0x290 net/ipv6/ip6_fib.c:2246
+ fib6_clean_all net/ipv6/ip6_fib.c:2257 [inline]
+ fib6_run_gc+0x113/0x2d0 net/ipv6/ip6_fib.c:2320
+ ndisc_netdev_event+0x217/0x350 net/ipv6/ndisc.c:1805
+ notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
+ call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2033
+ call_netdevice_notifiers_extack net/core/dev.c:2045 [inline]
+ call_netdevice_notifiers net/core/dev.c:2059 [inline]
+ dev_close_many+0x30b/0x650 net/core/dev.c:1634
+ rollback_registered_many+0x3a8/0x1210 net/core/dev.c:9261
+ rollback_registered net/core/dev.c:9329 [inline]
+ unregister_netdevice_queue+0x2dd/0x570 net/core/dev.c:10410
+ unregister_netdevice include/linux/netdevice.h:2774 [inline]
+ ppp_release+0x216/0x240 drivers/net/ppp/ppp_generic.c:403
+ __fput+0x285/0x920 fs/file_table.c:281
+ task_work_run+0xdd/0x190 kernel/task_work.c:141
+ tracehook_notify_resume include/linux/tracehook.h:188 [inline]
+ exit_to_user_mode_loop kernel/entry/common.c:163 [inline]
+ exit_to_user_mode_prepare+0x1e1/0x200 kernel/entry/common.c:190
+ syscall_exit_to_user_mode+0x7e/0x2e0 kernel/entry/common.c:265
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 421842edeaf6 ("net/ipv6: Add fib6_null_entry")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: David Ahern <dsahern@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_fib.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -1811,14 +1811,19 @@ static void fib6_del_route(struct fib6_t
+ /* Need to own table->tb6_lock */
+ int fib6_del(struct fib6_info *rt, struct nl_info *info)
+ {
+-      struct fib6_node *fn = rcu_dereference_protected(rt->fib6_node,
+-                                  lockdep_is_held(&rt->fib6_table->tb6_lock));
+-      struct fib6_table *table = rt->fib6_table;
+       struct net *net = info->nl_net;
+       struct fib6_info __rcu **rtp;
+       struct fib6_info __rcu **rtp_next;
++      struct fib6_table *table;
++      struct fib6_node *fn;
+-      if (!fn || rt == net->ipv6.fib6_null_entry)
++      if (rt == net->ipv6.fib6_null_entry)
++              return -ENOENT;
++
++      table = rt->fib6_table;
++      fn = rcu_dereference_protected(rt->fib6_node,
++                                     lockdep_is_held(&table->tb6_lock));
++      if (!fn)
+               return -ENOENT;
+       WARN_ON(!(fn->fn_flags & RTN_RTINFO));
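Review bot: The early `rt == net->ipv6.fib6_null_entry` return in fib6_del() must now stay ahead of the `rt->fib6_table` load, and nothing in the code says so. Going by the commit message, the null entry has a NULL fib6_table, so a later cleanup that folds the two `-ENOENT` checks back together would bring the lockdep report back. I would add a comment above the first check, e.g. `/* fib6_null_entry has no fib6_table: return before &table->tb6_lock is evaluated */`. The body of fib6_del() continues past the end of the hunk.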
index 360f444c8d69600ed2e52d684040a87fe19740af..81894e2652ed6c852180610abf3a168089d2a6c9 100644 (file)
@@ -39,14 +39,12 @@ Link: https://lkml.kernel.org/r/20200903183140.19055-1-rcampbell@nvidia.com
 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
- mm/huge_memory.c | 40 +++++++++++++++++++++++-----------------
+ mm/huge_memory.c |   40 +++++++++++++++++++++++-----------------
  1 file changed, 23 insertions(+), 17 deletions(-)
 
-diff --git a/mm/huge_memory.c b/mm/huge_memory.c
-index 1443ae6fee9bd..8b137248b146d 100644
 --- a/mm/huge_memory.c
 +++ b/mm/huge_memory.c
-@@ -2145,7 +2145,7 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
+@@ -2145,7 +2145,7 @@ static void __split_huge_pmd_locked(stru
                put_page(page);
                add_mm_counter(mm, mm_counter_file(page), -HPAGE_PMD_NR);
                return;
@@ -55,7 +53,7 @@ index 1443ae6fee9bd..8b137248b146d 100644
                /*
                 * FIXME: Do we want to invalidate secondary mmu by calling
                 * mmu_notifier_invalidate_range() see comments below inside
-@@ -2233,27 +2233,33 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
+@@ -2233,27 +2233,33 @@ static void __split_huge_pmd_locked(stru
                pte = pte_offset_map(&_pmd, addr);
                BUG_ON(!pte_none(*pte));
                set_pte_at(mm, addr, pte, entry);
@@ -105,6 +103,3 @@ index 1443ae6fee9bd..8b137248b146d 100644
        }
  
        smp_wmb(); /* make pte visible before pmd */
--- 
-2.25.1
-
diff --git a/queue-4.19/net-add-__must_check-to-skb_put_padto.patch b/queue-4.19/net-add-__must_check-to-skb_put_padto.patch
new file mode 100644 (file)
index 0000000..6cf55d5
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Fri Sep 25 10:42:34 AM CEST 2020
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 9 Sep 2020 01:27:40 -0700
+Subject: net: add __must_check to skb_put_padto()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 4a009cb04aeca0de60b73f37b102573354214b52 ]
+
+skb_put_padto() and __skb_put_padto() callers
+must check return values or risk use-after-free.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -3014,8 +3014,9 @@ static inline int skb_padto(struct sk_bu
+  *    is untouched. Otherwise it is extended. Returns zero on
+  *    success. The skb is freed on error if @free_on_error is true.
+  */
+-static inline int __skb_put_padto(struct sk_buff *skb, unsigned int len,
+-                                bool free_on_error)
++static inline int __must_check __skb_put_padto(struct sk_buff *skb,
++                                             unsigned int len,
++                                             bool free_on_error)
+ {
+       unsigned int size = skb->len;
+@@ -3038,7 +3039,7 @@ static inline int __skb_put_padto(struct
+  *    is untouched. Otherwise it is extended. Returns zero on
+  *    success. The skb is freed on error.
+  */
+-static inline int skb_put_padto(struct sk_buff *skb, unsigned int len)
++static inline int __must_check skb_put_padto(struct sk_buff *skb, unsigned int len)
+ {
+       return __skb_put_padto(skb, len, true);
+ }
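Review bot: Marking `__skb_put_padto()` and `skb_put_padto()` as `__must_check` turns every 4.19 caller that drops the result into an unused-result warning, and the hunk does not show that the callers on this branch were audited. Each such caller may go on to use an skb that has already been freed, so a build of 4.19 with this patch applied is worth doing before release. The kernel-doc above both helpers could also state the contract outright, e.g. `Callers must not touch @skb after a non-zero return.` The new `skb_put_padto()` prototype also runs past 80 columns and could be wrapped the same way as `__skb_put_padto()`.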
diff --git a/queue-4.19/net-dcb-validate-dcb_attr_dcb_buffer-argument.patch b/queue-4.19/net-dcb-validate-dcb_attr_dcb_buffer-argument.patch
new file mode 100644 (file)
index 0000000..743c5cd
--- /dev/null
@@ -0,0 +1,57 @@
+From foo@baz Fri Sep 25 10:42:33 AM CEST 2020
+From: Petr Machata <petrm@nvidia.com>
+Date: Thu, 10 Sep 2020 14:09:05 +0200
+Subject: net: DCB: Validate DCB_ATTR_DCB_BUFFER argument
+
+From: Petr Machata <petrm@nvidia.com>
+
+[ Upstream commit 297e77e53eadb332d5062913447b104a772dc33b ]
+
+The parameter passed via DCB_ATTR_DCB_BUFFER is a struct dcbnl_buffer. The
+field prio2buffer is an array of IEEE_8021Q_MAX_PRIORITIES bytes, where
+each value is a number of a buffer to direct that priority's traffic to.
+That value is however never validated to lie within the bounds set by
+DCBX_MAX_BUFFERS. The only driver that currently implements the callback is
+mlx5 (maintainers CCd), and that does not do any validation either, in
+particual allowing incorrect configuration if the prio2buffer value does
+not fit into 4 bits.
+
+Instead of offloading the need to validate the buffer index to drivers, do
+it right there in core, and bounce the request if the value is too large.
+
+CC: Parav Pandit <parav@nvidia.com>
+CC: Saeed Mahameed <saeedm@nvidia.com>
+Fixes: e549f6f9c098 ("net/dcb: Add dcbnl buffer attribute")
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dcb/dcbnl.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -1421,6 +1421,7 @@ static int dcbnl_ieee_set(struct net_dev
+ {
+       const struct dcbnl_rtnl_ops *ops = netdev->dcbnl_ops;
+       struct nlattr *ieee[DCB_ATTR_IEEE_MAX + 1];
++      int prio;
+       int err;
+       if (!ops)
+@@ -1469,6 +1470,13 @@ static int dcbnl_ieee_set(struct net_dev
+               struct dcbnl_buffer *buffer =
+                       nla_data(ieee[DCB_ATTR_DCB_BUFFER]);
++              for (prio = 0; prio < ARRAY_SIZE(buffer->prio2buffer); prio++) {
++                      if (buffer->prio2buffer[prio] >= DCBX_MAX_BUFFERS) {
++                              err = -EINVAL;
++                              goto err;
++                      }
++              }
++
+               err = ops->dcbnl_setbuffer(netdev, buffer);
+               if (err)
+                       goto err;
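Review bot: The added loop in dcbnl_ieee_set() reads every `buffer->prio2buffer[]` entry straight from the netlink payload returned by `nla_data()`, so it is only safe if the attribute length has already been validated as at least `sizeof(struct dcbnl_buffer)`. That policy is outside the hunk and should be confirmed for the 4.19 tree. A smaller point is that `prio` is a signed `int` compared against `ARRAY_SIZE()`, which is a `size_t`; declaring it `unsigned int prio;` avoids the sign-compare. A comment above the loop such as `/* reject buffer indexes outside DCBX_MAX_BUFFERS before handing off to the driver */` would record why core validates this. The function starts and ends outside the hunk.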
diff --git a/queue-4.19/net-dsa-rtl8366-properly-clear-member-config.patch b/queue-4.19/net-dsa-rtl8366-properly-clear-member-config.patch
new file mode 100644 (file)
index 0000000..63f0f79
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Fri Sep 25 10:42:33 AM CEST 2020
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Sat, 5 Sep 2020 12:32:33 +0200
+Subject: net: dsa: rtl8366: Properly clear member config
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 4ddcaf1ebb5e4e99240f29d531ee69d4244fe416 ]
+
+When removing a port from a VLAN we are just erasing the
+member config for the VLAN, which is wrong: other ports
+can be using it.
+
+Just mask off the port and only zero out the rest of the
+member config once ports using of the VLAN are removed
+from it.
+
+Reported-by: Florian Fainelli <f.fainelli@gmail.com>
+Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/rtl8366.c |   20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/dsa/rtl8366.c
++++ b/drivers/net/dsa/rtl8366.c
+@@ -452,13 +452,19 @@ int rtl8366_vlan_del(struct dsa_switch *
+                               return ret;
+                       if (vid == vlanmc.vid) {
+-                              /* clear VLAN member configurations */
+-                              vlanmc.vid = 0;
+-                              vlanmc.priority = 0;
+-                              vlanmc.member = 0;
+-                              vlanmc.untag = 0;
+-                              vlanmc.fid = 0;
+-
++                              /* Remove this port from the VLAN */
++                              vlanmc.member &= ~BIT(port);
++                              vlanmc.untag &= ~BIT(port);
++                              /*
++                               * If no ports are members of this VLAN
++                               * anymore then clear the whole member
++                               * config so it can be reused.
++                               */
++                              if (!vlanmc.member && vlanmc.untag) {
++                                      vlanmc.vid = 0;
++                                      vlanmc.priority = 0;
++                                      vlanmc.fid = 0;
++                              }
+                               ret = smi->ops->set_vlan_mc(smi, i, &vlanmc);
+                               if (ret) {
+                                       dev_err(smi->dev,
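Review bot: The condition `if (!vlanmc.member && vlanmc.untag)` in rtl8366_vlan_del() does not match the comment above it. It clears vid, priority and fid only when no port is a member and some untag bit is still set, so in the ordinary case where removing the last port leaves both masks zero the entry is never cleared for reuse. Going by the comment, the test should depend on the member mask alone, `if (!vlanmc.member) {`, with `vlanmc.untag = 0;` inside the block so that no stale untag bit is written back. The surrounding loop and function extend beyond the hunk, so how `set_vlan_mc()` treats an all-zero entry should be checked there.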
diff --git a/queue-4.19/net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch b/queue-4.19/net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch
new file mode 100644 (file)
index 0000000..fa978b7
--- /dev/null
@@ -0,0 +1,51 @@
+From foo@baz Fri Sep 25 10:42:33 AM CEST 2020
+From: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+Date: Thu, 17 Sep 2020 19:46:43 +0300
+Subject: net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC
+
+From: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+
+[ Upstream commit db7cd91a4be15e1485d6b58c6afc8761c59c4efb ]
+
+When IPV6_SEG6_HMAC is enabled and CRYPTO is disabled, it results in the
+following Kbuild warning:
+
+WARNING: unmet direct dependencies detected for CRYPTO_HMAC
+  Depends on [n]: CRYPTO [=n]
+  Selected by [y]:
+  - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y]
+
+WARNING: unmet direct dependencies detected for CRYPTO_SHA1
+  Depends on [n]: CRYPTO [=n]
+  Selected by [y]:
+  - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y]
+
+WARNING: unmet direct dependencies detected for CRYPTO_SHA256
+  Depends on [n]: CRYPTO [=n]
+  Selected by [y]:
+  - IPV6_SEG6_HMAC [=y] && NET [=y] && INET [=y] && IPV6 [=y]
+
+The reason is that IPV6_SEG6_HMAC selects CRYPTO_HMAC, CRYPTO_SHA1, and
+CRYPTO_SHA256 without depending on or selecting CRYPTO while those configs
+are subordinate to CRYPTO.
+
+Honor the kconfig menu hierarchy to remove kconfig dependency warnings.
+
+Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support")
+Signed-off-by: Necip Fazil Yildiran <fazilyildiran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/Kconfig |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/Kconfig
++++ b/net/ipv6/Kconfig
+@@ -321,6 +321,7 @@ config IPV6_SEG6_LWTUNNEL
+ config IPV6_SEG6_HMAC
+       bool "IPv6: Segment Routing HMAC support"
+       depends on IPV6
++      select CRYPTO
+       select CRYPTO_HMAC
+       select CRYPTO_SHA1
+       select CRYPTO_SHA256
diff --git a/queue-4.19/net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch b/queue-4.19/net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch
new file mode 100644 (file)
index 0000000..ed33e15
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Fri Sep 25 10:42:34 AM CEST 2020
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Wed, 16 Sep 2020 20:43:09 -0700
+Subject: net: phy: Avoid NPD upon phy_detach() when driver is unbound
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit c2b727df7caa33876e7066bde090f40001b6d643 ]
+
+If we have unbound the PHY driver prior to calling phy_detach() (often
+via phy_disconnect()) then we can cause a NULL pointer de-reference
+accessing the driver owner member. The steps to reproduce are:
+
+echo unimac-mdio-0:01 > /sys/class/net/eth0/phydev/driver/unbind
+ip link set eth0 down
+
+Fixes: cafe8df8b9bc ("net: phy: Fix lack of reference count on PHY driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phy_device.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -1154,7 +1154,8 @@ void phy_detach(struct phy_device *phyde
+       phy_led_triggers_unregister(phydev);
+-      module_put(phydev->mdio.dev.driver->owner);
++      if (phydev->mdio.dev.driver)
++              module_put(phydev->mdio.dev.driver->owner);
+       /* If the device had no specific driver before (i.e. - it
+        * was using the generic driver), we unbind the device
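Review bot: Skipping `module_put()` in phy_detach() when `phydev->mdio.dev.driver` is NULL avoids the NULL dereference, but it appears to leave the module reference taken at attach time unreleased, because the owner can no longer be reached once the driver has been unbound. The check and the dereference are also two separate loads of `dev.driver`; whether an unbind can run between them depends on locking that is not visible here. At minimum a comment would help, e.g. `/* driver may already be unbound via sysfs; its owner is then unreachable */`. phy_detach() starts and ends outside the hunk.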
diff --git a/queue-4.19/net-qrtr-check-skb_put_padto-return-value.patch b/queue-4.19/net-qrtr-check-skb_put_padto-return-value.patch
new file mode 100644 (file)
index 0000000..523613f
--- /dev/null
@@ -0,0 +1,165 @@
+From foo@baz Fri Sep 25 10:42:34 AM CEST 2020
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 9 Sep 2020 01:27:39 -0700
+Subject: net: qrtr: check skb_put_padto() return value
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3ca1a42a52ca4b4f02061683851692ad65fefac8 ]
+
+If skb_put_padto() returns an error, skb has been freed.
+Better not touch it anymore, as reported by syzbot [1]
+
+Note to qrtr maintainers : this suggests qrtr_sendmsg()
+should adjust sock_alloc_send_skb() second parameter
+to account for the potential added alignment to avoid
+reallocation.
+
+[1]
+
+BUG: KASAN: use-after-free in __skb_insert include/linux/skbuff.h:1907 [inline]
+BUG: KASAN: use-after-free in __skb_queue_before include/linux/skbuff.h:2016 [inline]
+BUG: KASAN: use-after-free in __skb_queue_tail include/linux/skbuff.h:2049 [inline]
+BUG: KASAN: use-after-free in skb_queue_tail+0x6b/0x120 net/core/skbuff.c:3146
+Write of size 8 at addr ffff88804d8ab3c0 by task syz-executor.4/4316
+
+CPU: 1 PID: 4316 Comm: syz-executor.4 Not tainted 5.9.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1d6/0x29e lib/dump_stack.c:118
+ print_address_description+0x66/0x620 mm/kasan/report.c:383
+ __kasan_report mm/kasan/report.c:513 [inline]
+ kasan_report+0x132/0x1d0 mm/kasan/report.c:530
+ __skb_insert include/linux/skbuff.h:1907 [inline]
+ __skb_queue_before include/linux/skbuff.h:2016 [inline]
+ __skb_queue_tail include/linux/skbuff.h:2049 [inline]
+ skb_queue_tail+0x6b/0x120 net/core/skbuff.c:3146
+ qrtr_tun_send+0x1a/0x40 net/qrtr/tun.c:23
+ qrtr_node_enqueue+0x44f/0xc00 net/qrtr/qrtr.c:364
+ qrtr_bcast_enqueue+0xbe/0x140 net/qrtr/qrtr.c:861
+ qrtr_sendmsg+0x680/0x9c0 net/qrtr/qrtr.c:960
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg net/socket.c:671 [inline]
+ sock_write_iter+0x317/0x470 net/socket.c:998
+ call_write_iter include/linux/fs.h:1882 [inline]
+ new_sync_write fs/read_write.c:503 [inline]
+ vfs_write+0xa96/0xd10 fs/read_write.c:578
+ ksys_write+0x11b/0x220 fs/read_write.c:631
+ do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45d5b9
+Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f84b5b81c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 0000000000038b40 RCX: 000000000045d5b9
+RDX: 0000000000000055 RSI: 0000000020001240 RDI: 0000000000000003
+RBP: 00007f84b5b81ca0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000f
+R13: 00007ffcbbf86daf R14: 00007f84b5b829c0 R15: 000000000118cf4c
+
+Allocated by task 4316:
+ kasan_save_stack mm/kasan/common.c:48 [inline]
+ kasan_set_track mm/kasan/common.c:56 [inline]
+ __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461
+ slab_post_alloc_hook+0x3e/0x290 mm/slab.h:518
+ slab_alloc mm/slab.c:3312 [inline]
+ kmem_cache_alloc+0x1c1/0x2d0 mm/slab.c:3482
+ skb_clone+0x1b2/0x370 net/core/skbuff.c:1449
+ qrtr_bcast_enqueue+0x6d/0x140 net/qrtr/qrtr.c:857
+ qrtr_sendmsg+0x680/0x9c0 net/qrtr/qrtr.c:960
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg net/socket.c:671 [inline]
+ sock_write_iter+0x317/0x470 net/socket.c:998
+ call_write_iter include/linux/fs.h:1882 [inline]
+ new_sync_write fs/read_write.c:503 [inline]
+ vfs_write+0xa96/0xd10 fs/read_write.c:578
+ ksys_write+0x11b/0x220 fs/read_write.c:631
+ do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Freed by task 4316:
+ kasan_save_stack mm/kasan/common.c:48 [inline]
+ kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
+ kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
+ __kasan_slab_free+0xdd/0x110 mm/kasan/common.c:422
+ __cache_free mm/slab.c:3418 [inline]
+ kmem_cache_free+0x82/0xf0 mm/slab.c:3693
+ __skb_pad+0x3f5/0x5a0 net/core/skbuff.c:1823
+ __skb_put_padto include/linux/skbuff.h:3233 [inline]
+ skb_put_padto include/linux/skbuff.h:3252 [inline]
+ qrtr_node_enqueue+0x62f/0xc00 net/qrtr/qrtr.c:360
+ qrtr_bcast_enqueue+0xbe/0x140 net/qrtr/qrtr.c:861
+ qrtr_sendmsg+0x680/0x9c0 net/qrtr/qrtr.c:960
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg net/socket.c:671 [inline]
+ sock_write_iter+0x317/0x470 net/socket.c:998
+ call_write_iter include/linux/fs.h:1882 [inline]
+ new_sync_write fs/read_write.c:503 [inline]
+ vfs_write+0xa96/0xd10 fs/read_write.c:578
+ ksys_write+0x11b/0x220 fs/read_write.c:631
+ do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The buggy address belongs to the object at ffff88804d8ab3c0
+ which belongs to the cache skbuff_head_cache of size 224
+The buggy address is located 0 bytes inside of
+ 224-byte region [ffff88804d8ab3c0, ffff88804d8ab4a0)
+The buggy address belongs to the page:
+page:00000000ea8cccfb refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88804d8abb40 pfn:0x4d8ab
+flags: 0xfffe0000000200(slab)
+raw: 00fffe0000000200 ffffea0002237ec8 ffffea00029b3388 ffff88821bb66800
+raw: ffff88804d8abb40 ffff88804d8ab000 000000010000000b 0000000000000000
+page dumped because: kasan: bad access detected
+
+Fixes: ce57785bf91b ("net: qrtr: fix len of skb_put_padto in qrtr_node_enqueue")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Carl Huang <cjhuang@codeaurora.org>
+Cc: Wen Gong <wgong@codeaurora.org>
+Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
+Cc: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Acked-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/qrtr/qrtr.c |   20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -185,7 +185,7 @@ static int qrtr_node_enqueue(struct qrtr
+ {
+       struct qrtr_hdr_v1 *hdr;
+       size_t len = skb->len;
+-      int rc = -ENODEV;
++      int rc;
+       hdr = skb_push(skb, sizeof(*hdr));
+       hdr->version = cpu_to_le32(QRTR_PROTO_VER_1);
+@@ -203,15 +203,17 @@ static int qrtr_node_enqueue(struct qrtr
+       hdr->size = cpu_to_le32(len);
+       hdr->confirm_rx = 0;
+-      skb_put_padto(skb, ALIGN(len, 4) + sizeof(*hdr));
+-
+-      mutex_lock(&node->ep_lock);
+-      if (node->ep)
+-              rc = node->ep->xmit(node->ep, skb);
+-      else
+-              kfree_skb(skb);
+-      mutex_unlock(&node->ep_lock);
++      rc = skb_put_padto(skb, ALIGN(len, 4) + sizeof(*hdr));
++      if (!rc) {
++              mutex_lock(&node->ep_lock);
++              rc = -ENODEV;
++              if (node->ep)
++                      rc = node->ep->xmit(node->ep, skb);
++              else
++                      kfree_skb(skb);
++              mutex_unlock(&node->ep_lock);
++      }
+       return rc;
+ }
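Review bot: The reason `skb` must not be used after a failed `skb_put_padto()` in qrtr_node_enqueue() is recorded only in the commit message, not in the code. A one-line comment above the call, `/* skb_put_padto() frees skb on failure; do not touch it after a non-zero return */`, would keep a later edit from moving the xmit/kfree_skb block back out of the `if (!rc)`. As a matter of style, an early `if (rc) return rc;` would express the same thing without the extra nesting around the locked section. The first hunk of this function is partial, so the declarations between the two hunks are not visible.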
diff --git a/queue-4.19/net-sch_generic-aviod-concurrent-reset-and-enqueue-op-for-lockless-qdisc.patch b/queue-4.19/net-sch_generic-aviod-concurrent-reset-and-enqueue-op-for-lockless-qdisc.patch
new file mode 100644 (file)
index 0000000..ca2e3e3
--- /dev/null
@@ -0,0 +1,107 @@
+From foo@baz Fri Sep 25 10:42:33 AM CEST 2020
+From: Yunsheng Lin <linyunsheng@huawei.com>
+Date: Tue, 8 Sep 2020 19:02:34 +0800
+Subject: net: sch_generic: aviod concurrent reset and enqueue op for lockless qdisc
+
+From: Yunsheng Lin <linyunsheng@huawei.com>
+
+[ Upstream commit 2fb541c862c987d02dfdf28f1545016deecfa0d5 ]
+
+Currently there is concurrent reset and enqueue operation for the
+same lockless qdisc when there is no lock to synchronize the
+q->enqueue() in __dev_xmit_skb() with the qdisc reset operation in
+qdisc_deactivate() called by dev_deactivate_queue(), which may cause
+out-of-bounds access for priv->ring[] in hns3 driver if user has
+requested a smaller queue num when __dev_xmit_skb() still enqueue a
+skb with a larger queue_mapping after the corresponding qdisc is
+reset, and call hns3_nic_net_xmit() with that skb later.
+
+Reused the existing synchronize_net() in dev_deactivate_many() to
+make sure skb with larger queue_mapping enqueued to old qdisc(which
+is saved in dev_queue->qdisc_sleeping) will always be reset when
+dev_reset_queue() is called.
+
+Fixes: 6b3ba9146fe6 ("net: sched: allow qdiscs to handle locking")
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_generic.c |   49 ++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 33 insertions(+), 16 deletions(-)
+
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -1115,27 +1115,36 @@ static void dev_deactivate_queue(struct
+                                struct netdev_queue *dev_queue,
+                                void *_qdisc_default)
+ {
+-      struct Qdisc *qdisc_default = _qdisc_default;
+-      struct Qdisc *qdisc;
++      struct Qdisc *qdisc = rtnl_dereference(dev_queue->qdisc);
+-      qdisc = rtnl_dereference(dev_queue->qdisc);
+       if (qdisc) {
+-              bool nolock = qdisc->flags & TCQ_F_NOLOCK;
+-
+-              if (nolock)
+-                      spin_lock_bh(&qdisc->seqlock);
+-              spin_lock_bh(qdisc_lock(qdisc));
+-
+               if (!(qdisc->flags & TCQ_F_BUILTIN))
+                       set_bit(__QDISC_STATE_DEACTIVATED, &qdisc->state);
++      }
++}
+-              rcu_assign_pointer(dev_queue->qdisc, qdisc_default);
+-              qdisc_reset(qdisc);
++static void dev_reset_queue(struct net_device *dev,
++                          struct netdev_queue *dev_queue,
++                          void *_unused)
++{
++      struct Qdisc *qdisc;
++      bool nolock;
+-              spin_unlock_bh(qdisc_lock(qdisc));
+-              if (nolock)
+-                      spin_unlock_bh(&qdisc->seqlock);
+-      }
++      qdisc = dev_queue->qdisc_sleeping;
++      if (!qdisc)
++              return;
++
++      nolock = qdisc->flags & TCQ_F_NOLOCK;
++
++      if (nolock)
++              spin_lock_bh(&qdisc->seqlock);
++      spin_lock_bh(qdisc_lock(qdisc));
++
++      qdisc_reset(qdisc);
++
++      spin_unlock_bh(qdisc_lock(qdisc));
++      if (nolock)
++              spin_unlock_bh(&qdisc->seqlock);
+ }
+ static bool some_qdisc_is_busy(struct net_device *dev)
+@@ -1196,12 +1205,20 @@ void dev_deactivate_many(struct list_hea
+               dev_watchdog_down(dev);
+       }
+-      /* Wait for outstanding qdisc-less dev_queue_xmit calls.
++      /* Wait for outstanding qdisc-less dev_queue_xmit calls or
++       * outstanding qdisc enqueuing calls.
+        * This is avoided if all devices are in dismantle phase :
+        * Caller will call synchronize_net() for us
+        */
+       synchronize_net();
++      list_for_each_entry(dev, head, close_list) {
++              netdev_for_each_tx_queue(dev, dev_reset_queue, NULL);
++
++              if (dev_ingress_queue(dev))
++                      dev_reset_queue(dev, dev_ingress_queue(dev), NULL);
++      }
++
+       /* Wait for outstanding qdisc_run calls. */
+       list_for_each_entry(dev, head, close_list) {
+               while (some_qdisc_is_busy(dev))
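Review bot: In this backport dev_deactivate_queue() no longer switches the queue to the default qdisc. The removed `rcu_assign_pointer(dev_queue->qdisc, qdisc_default);` has no added counterpart, and the `_qdisc_default` parameter is now unused. With `dev_queue->qdisc` still pointing at the old qdisc, senders that start after `synchronize_net()` can keep enqueuing to it, so the reset in dev_reset_queue() would not close the race the commit message describes. I would keep the assignment inside the `if (qdisc)` block after the `set_bit()`: `rcu_assign_pointer(dev_queue->qdisc, _qdisc_default);`. dev_deactivate_many() extends beyond the hunk, so the value passed as `_qdisc_default` should be confirmed there.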
diff --git a/queue-4.19/nfp-use-correct-define-to-return-none-fec.patch b/queue-4.19/nfp-use-correct-define-to-return-none-fec.patch
new file mode 100644 (file)
index 0000000..114b12c
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Fri Sep 25 10:42:33 AM CEST 2020
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Thu, 17 Sep 2020 10:52:57 -0700
+Subject: nfp: use correct define to return NONE fec
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 5f6857e808a8bd078296575b417c4b9d160b9779 ]
+
+struct ethtool_fecparam carries bitmasks not bit numbers.
+We want to return 1 (NONE), not 0.
+
+Fixes: 0d0870938337 ("nfp: implement ethtool FEC mode settings")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Simon Horman <simon.horman@netronome.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+@@ -744,8 +744,8 @@ nfp_port_get_fecparam(struct net_device
+       struct nfp_eth_table_port *eth_port;
+       struct nfp_port *port;
+-      param->active_fec = ETHTOOL_FEC_NONE_BIT;
+-      param->fec = ETHTOOL_FEC_NONE_BIT;
++      param->active_fec = ETHTOOL_FEC_NONE;
++      param->fec = ETHTOOL_FEC_NONE;
+       port = nfp_port_from_netdev(netdev);
+       eth_port = nfp_port_get_eth_port(port);
index 0387cc8025b1592bda12d718ef06129cef516e65..45533b5315a20d61944c4d73e5aa30062bd39f62 100644 (file)
@@ -2,3 +2,22 @@ af_key-pfkey_dump-needs-parameter-validation.patch
 kvm-fix-memory-leak-in-kvm_io_bus_unregister_dev.patch
 kprobes-fix-kill-kprobe-which-has-been-marked-as-gon.patch
 mm-thp-fix-__split_huge_pmd_locked-for-migration-pmd.patch
+cxgb4-fix-offset-when-clearing-filter-byte-counters.patch
+geneve-add-transport-ports-in-route-lookup-for-geneve.patch
+hdlc_ppp-add-range-checks-in-ppp_cp_parse_cr.patch
+ip-fix-tos-reflection-in-ack-and-reset-packets.patch
+ipv6-avoid-lockdep-issue-in-fib6_del.patch
+net-dcb-validate-dcb_attr_dcb_buffer-argument.patch
+net-dsa-rtl8366-properly-clear-member-config.patch
+net-ipv6-fix-kconfig-dependency-warning-for-ipv6_seg6_hmac.patch
+net-sch_generic-aviod-concurrent-reset-and-enqueue-op-for-lockless-qdisc.patch
+nfp-use-correct-define-to-return-none-fec.patch
+tipc-fix-memory-leak-in-tipc_group_create_member.patch
+tipc-fix-shutdown-of-connection-oriented-socket.patch
+tipc-use-skb_unshare-instead-in-tipc_buf_append.patch
+bnxt_en-return-proper-error-codes-in-bnxt_show_temp.patch
+bnxt_en-protect-bnxt_set_eee-and-bnxt_set_pauseparam-with-mutex.patch
+net-phy-avoid-npd-upon-phy_detach-when-driver-is-unbound.patch
+net-qrtr-check-skb_put_padto-return-value.patch
+net-add-__must_check-to-skb_put_padto.patch
+ipv4-update-exception-handling-for-multipath-routes-via-same-device.patch
diff --git a/queue-4.19/tipc-fix-memory-leak-in-tipc_group_create_member.patch b/queue-4.19/tipc-fix-memory-leak-in-tipc_group_create_member.patch
new file mode 100644 (file)
index 0000000..b9b7bc8
--- /dev/null
@@ -0,0 +1,73 @@
+From foo@baz Fri Sep 25 10:42:33 AM CEST 2020
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Sun, 13 Sep 2020 04:06:05 -0400
+Subject: tipc: Fix memory leak in tipc_group_create_member()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+[ Upstream commit bb3a420d47ab00d7e1e5083286cab15235a96680 ]
+
+tipc_group_add_to_tree() returns silently if `key` matches `nkey` of an
+existing node, causing tipc_group_create_member() to leak memory. Let
+tipc_group_add_to_tree() return an error in such a case, so that
+tipc_group_create_member() can handle it properly.
+
+Fixes: 75da2163dbb6 ("tipc: introduce communication groups")
+Reported-and-tested-by: syzbot+f95d90c454864b3b5bc9@syzkaller.appspotmail.com
+Cc: Hillf Danton <hdanton@sina.com>
+Link: https://syzkaller.appspot.com/bug?id=048390604fe1b60df34150265479202f10e13aff
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/group.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/net/tipc/group.c
++++ b/net/tipc/group.c
+@@ -273,8 +273,8 @@ static struct tipc_member *tipc_group_fi
+       return NULL;
+ }
+-static void tipc_group_add_to_tree(struct tipc_group *grp,
+-                                 struct tipc_member *m)
++static int tipc_group_add_to_tree(struct tipc_group *grp,
++                                struct tipc_member *m)
+ {
+       u64 nkey, key = (u64)m->node << 32 | m->port;
+       struct rb_node **n, *parent = NULL;
+@@ -291,10 +291,11 @@ static void tipc_group_add_to_tree(struc
+               else if (key > nkey)
+                       n = &(*n)->rb_right;
+               else
+-                      return;
++                      return -EEXIST;
+       }
+       rb_link_node(&m->tree_node, parent, n);
+       rb_insert_color(&m->tree_node, &grp->members);
++      return 0;
+ }
+ static struct tipc_member *tipc_group_create_member(struct tipc_group *grp,
+@@ -302,6 +303,7 @@ static struct tipc_member *tipc_group_cr
+                                                   u32 instance, int state)
+ {
+       struct tipc_member *m;
++      int ret;
+       m = kzalloc(sizeof(*m), GFP_ATOMIC);
+       if (!m)
+@@ -314,8 +316,12 @@ static struct tipc_member *tipc_group_cr
+       m->port = port;
+       m->instance = instance;
+       m->bc_acked = grp->bc_snd_nxt - 1;
++      ret = tipc_group_add_to_tree(grp, m);
++      if (ret < 0) {
++              kfree(m);
++              return NULL;
++      }
+       grp->member_cnt++;
+-      tipc_group_add_to_tree(grp, m);
+       tipc_nlist_add(&grp->dests, m->node);
+       m->state = state;
+       return m;
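Review bot: tipc_group_add_to_tree() now has a return value and an ownership rule that the code itself does not state: on `-EEXIST` the member is not linked and the caller still owns it, which is why tipc_group_create_member() has to `kfree(m)`. I would add a short comment above the function, e.g. `/* Returns 0, or -EEXIST if the node/port key is already in the tree; @m is then not linked and stays owned by the caller. */`. The new error path also folds the duplicate case into the same `NULL` that the `kzalloc()` failure returns, so callers (outside this hunk) cannot tell a duplicate member from memory pressure; if that is intended, the comment should say so. The `ret` local is tested only once, so `if (tipc_group_add_to_tree(grp, m)) {` would do without it. Both function bodies are only partly visible in these hunks.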
diff --git a/queue-4.19/tipc-fix-shutdown-of-connection-oriented-socket.patch b/queue-4.19/tipc-fix-shutdown-of-connection-oriented-socket.patch
new file mode 100644 (file)
index 0000000..aa67b8e
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Fri Sep 25 10:42:33 AM CEST 2020
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Sat, 5 Sep 2020 15:14:47 +0900
+Subject: tipc: fix shutdown() of connection oriented socket
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit a4b5cc9e10803ecba64a7d54c0f47e4564b4a980 ]
+
+I confirmed that the problem fixed by commit 2a63866c8b51a3f7 ("tipc: fix
+shutdown() of connectionless socket") also applies to stream socket.
+
+----------
+#include <sys/socket.h>
+#include <unistd.h>
+#include <sys/wait.h>
+
+int main(int argc, char *argv[])
+{
+        int fds[2] = { -1, -1 };
+        socketpair(PF_TIPC, SOCK_STREAM /* or SOCK_DGRAM */, 0, fds);
+        if (fork() == 0)
+                _exit(read(fds[0], NULL, 1));
+        shutdown(fds[0], SHUT_RDWR); /* This must make read() return. */
+        wait(NULL); /* To be woken up by _exit(). */
+        return 0;
+}
+----------
+
+Since shutdown(SHUT_RDWR) should affect all processes sharing that socket,
+unconditionally setting sk->sk_shutdown to SHUTDOWN_MASK will be the right
+behavior.
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/socket.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2565,10 +2565,7 @@ static int tipc_shutdown(struct socket *
+       lock_sock(sk);
+       __tipc_shutdown(sock, TIPC_CONN_SHUTDOWN);
+-      if (tipc_sk_type_connectionless(sk))
+-              sk->sk_shutdown = SHUTDOWN_MASK;
+-      else
+-              sk->sk_shutdown = SEND_SHUTDOWN;
++      sk->sk_shutdown = SHUTDOWN_MASK;
+       if (sk->sk_state == TIPC_DISCONNECTING) {
+               /* Discard any unreceived messages */
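Review bot: The unconditional `sk->sk_shutdown = SHUTDOWN_MASK;` carries no comment, and the reason for it (a reader blocked in another process that shares the socket must be made to return) lives only in the commit message. A one-line comment above the assignment, such as `/* Mark both directions closed so blocked readers sharing this socket return */`, would keep a later cleanup from reintroducing the per-socket-type branch. tipc_shutdown() starts and ends outside the hunk, so whether `how` values other than SHUT_RDWR are rejected before this point cannot be checked from here. If they are not, the assignment would also close the receive side on a send-only shutdown.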
diff --git a/queue-4.19/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch b/queue-4.19/tipc-use-skb_unshare-instead-in-tipc_buf_append.patch
new file mode 100644 (file)
index 0000000..8cdcd03
--- /dev/null
@@ -0,0 +1,67 @@
+From foo@baz Fri Sep 25 10:42:33 AM CEST 2020
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 13 Sep 2020 19:37:31 +0800
+Subject: tipc: use skb_unshare() instead in tipc_buf_append()
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit ff48b6222e65ebdba5a403ef1deba6214e749193 ]
+
+In tipc_buf_append() it may change skb's frag_list, and it causes
+problems when this skb is cloned. skb_unclone() doesn't really
+make this skb's flag_list available to change.
+
+Shuang Li has reported an use-after-free issue because of this
+when creating quite a few macvlan dev over the same dev, where
+the broadcast packets will be cloned and go up to the stack:
+
+ [ ] BUG: KASAN: use-after-free in pskb_expand_head+0x86d/0xea0
+ [ ] Call Trace:
+ [ ]  dump_stack+0x7c/0xb0
+ [ ]  print_address_description.constprop.7+0x1a/0x220
+ [ ]  kasan_report.cold.10+0x37/0x7c
+ [ ]  check_memory_region+0x183/0x1e0
+ [ ]  pskb_expand_head+0x86d/0xea0
+ [ ]  process_backlog+0x1df/0x660
+ [ ]  net_rx_action+0x3b4/0xc90
+ [ ]
+ [ ] Allocated by task 1786:
+ [ ]  kmem_cache_alloc+0xbf/0x220
+ [ ]  skb_clone+0x10a/0x300
+ [ ]  macvlan_broadcast+0x2f6/0x590 [macvlan]
+ [ ]  macvlan_process_broadcast+0x37c/0x516 [macvlan]
+ [ ]  process_one_work+0x66a/0x1060
+ [ ]  worker_thread+0x87/0xb10
+ [ ]
+ [ ] Freed by task 3253:
+ [ ]  kmem_cache_free+0x82/0x2a0
+ [ ]  skb_release_data+0x2c3/0x6e0
+ [ ]  kfree_skb+0x78/0x1d0
+ [ ]  tipc_recvmsg+0x3be/0xa40 [tipc]
+
+So fix it by using skb_unshare() instead, which would create a new
+skb for the cloned frag and it'll be safe to change its frag_list.
+The similar things were also done in sctp_make_reassembled_event(),
+which is using skb_copy().
+
+Reported-by: Shuang Li <shuali@redhat.com>
+Fixes: 37e22164a8a3 ("tipc: rename and move message reassembly function")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/msg.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/msg.c
++++ b/net/tipc/msg.c
+@@ -140,7 +140,8 @@ int tipc_buf_append(struct sk_buff **hea
+       if (fragid == FIRST_FRAGMENT) {
+               if (unlikely(head))
+                       goto err;
+-              if (unlikely(skb_unclone(frag, GFP_ATOMIC)))
++              frag = skb_unshare(frag, GFP_ATOMIC);
++              if (unlikely(!frag))
+                       goto err;
+               head = *headbuf = frag;
+               *buf = NULL;
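Review bot: On the failure path added here, `*buf` still points at the skb that was handed to skb_unshare(), because `*buf = NULL;` only runs after the NULL check. skb_unshare() releases its argument when the skb is cloned, including the case where the copy fails and it returns NULL, so if the `err` label (outside this hunk) frees `*buf`, the same skb is released twice. Clearing the caller's pointer first removes the stale reference: move `*buf = NULL;` to just before `frag = skb_unshare(frag, GFP_ATOMIC);`. tipc_buf_append() starts and ends outside the hunk, so the error path should be confirmed against the full function.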