--- /dev/null
+From foo@baz Thu Sep 20 07:23:51 CEST 2018
+From: Petr Oros <poros@redhat.com>
+Date: Wed, 5 Sep 2018 14:37:45 +0200
+Subject: be2net: Fix memory leak in be_cmd_get_profile_config()
+
+From: Petr Oros <poros@redhat.com>
+
+[ Upstream commit 9d7f19dc4673fbafebfcbf30eb90e09fa7d1c037 ]
+
+DMA allocated memory is lost in be_cmd_get_profile_config() when we
+call it with non-NULL port_res parameter.
+
+Signed-off-by: Petr Oros <poros@redhat.com>
+Reviewed-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
+@@ -4500,7 +4500,7 @@ int be_cmd_get_profile_config(struct be_
+ port_res->max_vfs += le16_to_cpu(pcie->num_vfs);
+ }
+ }
+- return status;
++ goto err;
+ }
+
+ pcie = be_get_pcie_desc(resp->func_param, desc_count,
--- /dev/null
+From foo@baz Thu Sep 20 07:23:51 CEST 2018
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Date: Mon, 10 Sep 2018 22:19:48 +0800
+Subject: erspan: fix error handling for erspan tunnel
+
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+
+[ Upstream commit 51dc63e3911fbb1f0a7a32da2fe56253e2040ea4 ]
+
+When processing icmp unreachable message for erspan tunnel, tunnel id
+should be erspan_net_id instead of ipgre_net_id.
+
+Fixes: 84e54fe0a5ea ("gre: introduce native tunnel support for ERSPAN")
+Cc: William Tu <u9012063@gmail.com>
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Acked-by: William Tu <u9012063@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_gre.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -177,6 +177,9 @@ static void ipgre_err(struct sk_buff *sk
+
+ if (tpi->proto == htons(ETH_P_TEB))
+ itn = net_generic(net, gre_tap_net_id);
++ else if (tpi->proto == htons(ETH_P_ERSPAN) ||
++ tpi->proto == htons(ETH_P_ERSPAN2))
++ itn = net_generic(net, erspan_net_id);
+ else
+ itn = net_generic(net, ipgre_net_id);
+
--- /dev/null
+From foo@baz Thu Sep 20 07:23:51 CEST 2018
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Date: Mon, 10 Sep 2018 22:19:47 +0800
+Subject: erspan: return PACKET_REJECT when the appropriate tunnel is not found
+
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+
+[ Upstream commit 5a64506b5c2c3cdb29d817723205330378075448 ]
+
+If erspan tunnel hasn't been established, we'd better send icmp port
+unreachable message after receive erspan packets.
+
+Fixes: 84e54fe0a5ea ("gre: introduce native tunnel support for ERSPAN")
+Cc: William Tu <u9012063@gmail.com>
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Acked-by: William Tu <u9012063@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_gre.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -323,6 +323,8 @@ static int erspan_rcv(struct sk_buff *sk
+ ip_tunnel_rcv(tunnel, skb, tpi, tun_dst, log_ecn_error);
+ return PACKET_RCVD;
+ }
++ return PACKET_REJECT;
++
+ drop:
+ kfree_skb(skb);
+ return PACKET_RCVD;
--- /dev/null
+From b19b46346f483ae055fa027cb2d5c2ca91484b91 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 14 Aug 2018 19:10:50 +0200
+Subject: hv/netvsc: Fix NULL dereference at single queue mode fallback
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit b19b46346f483ae055fa027cb2d5c2ca91484b91 upstream.
+
+The recent commit 916c5e1413be ("hv/netvsc: fix handling of fallback
+to single queue mode") tried to fix the fallback behavior to a single
+queue mode, but it changed the function to return zero incorrectly,
+while the function should return an object pointer. Eventually this
+leads to a NULL dereference at the callers that expect non-NULL
+value.
+
+Fix it by returning the proper net_device object.
+
+Fixes: 916c5e1413be ("hv/netvsc: fix handling of fallback to single queue mode")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Alakesh Haloi <alakeshh@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/hyperv/rndis_filter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/hyperv/rndis_filter.c
++++ b/drivers/net/hyperv/rndis_filter.c
+@@ -1299,7 +1299,7 @@ out:
+ /* setting up multiple channels failed */
+ net_device->max_chn = 1;
+ net_device->num_chn = 1;
+- return 0;
++ return net_device;
+
+ err_dev_remv:
+ rndis_filter_device_remove(dev, net_device);
--- /dev/null
+From foo@baz Thu Sep 20 07:23:51 CEST 2018
+From: Huy Nguyen <huyn@mellanox.com>
+Date: Wed, 15 Aug 2018 11:08:48 -0500
+Subject: net/mlx5: Check for error in mlx5_attach_interface
+
+From: Huy Nguyen <huyn@mellanox.com>
+
+[ Upstream commit 47bc94b82291e007da61ee1b3d18c77871f3e158 ]
+
+Currently, mlx5_attach_interface does not check for error
+after calling intf->attach or intf->add. When these two calls
+fails, the client is not initialized and will cause issues such as
+kernel panic on invalid address in the teardown path (mlx5_detach_interface)
+
+Fixes: 737a234bb638 ("net/mlx5: Introduce attach/detach to interface API")
+Signed-off-by: Huy Nguyen <huyn@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/dev.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c
+@@ -132,11 +132,11 @@ void mlx5_add_device(struct mlx5_interfa
+ delayed_event_start(priv);
+
+ dev_ctx->context = intf->add(dev);
+- set_bit(MLX5_INTERFACE_ADDED, &dev_ctx->state);
+- if (intf->attach)
+- set_bit(MLX5_INTERFACE_ATTACHED, &dev_ctx->state);
+-
+ if (dev_ctx->context) {
++ set_bit(MLX5_INTERFACE_ADDED, &dev_ctx->state);
++ if (intf->attach)
++ set_bit(MLX5_INTERFACE_ATTACHED, &dev_ctx->state);
++
+ spin_lock_irq(&priv->ctx_lock);
+ list_add_tail(&dev_ctx->list, &priv->ctx_list);
+
+@@ -211,12 +211,17 @@ static void mlx5_attach_interface(struct
+ if (intf->attach) {
+ if (test_bit(MLX5_INTERFACE_ATTACHED, &dev_ctx->state))
+ goto out;
+- intf->attach(dev, dev_ctx->context);
++ if (intf->attach(dev, dev_ctx->context))
++ goto out;
++
+ set_bit(MLX5_INTERFACE_ATTACHED, &dev_ctx->state);
+ } else {
+ if (test_bit(MLX5_INTERFACE_ADDED, &dev_ctx->state))
+ goto out;
+ dev_ctx->context = intf->add(dev);
++ if (!dev_ctx->context)
++ goto out;
++
+ set_bit(MLX5_INTERFACE_ADDED, &dev_ctx->state);
+ }
+
--- /dev/null
+From foo@baz Thu Sep 20 07:23:51 CEST 2018
+From: Raed Salem <raeds@mellanox.com>
+Date: Tue, 21 Aug 2018 15:22:42 +0300
+Subject: net/mlx5: E-Switch, Fix memory leak when creating switchdev mode FDB tables
+
+From: Raed Salem <raeds@mellanox.com>
+
+[ Upstream commit c88a026e01219488e745f4f0267fd76c2bb68421 ]
+
+The memory allocated for the slow path table flow group input structure
+was not freed upon successful return, fix that.
+
+Fixes: 1967ce6ea5c8 ("net/mlx5: E-Switch, Refactor fast path FDB table creation in switchdev mode")
+Signed-off-by: Raed Salem <raeds@mellanox.com>
+Reviewed-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+@@ -557,6 +557,7 @@ static int esw_create_offloads_fdb_table
+ if (err)
+ goto miss_rule_err;
+
++ kvfree(flow_group_in);
+ return 0;
+
+ miss_rule_err:
--- /dev/null
+From foo@baz Thu Sep 20 07:23:51 CEST 2018
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Tue, 7 Aug 2018 09:59:03 +0300
+Subject: net/mlx5: Fix debugfs cleanup in the device init/remove flow
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+[ Upstream commit 5df816e7f43f1297c40021ef17ec6e722b45c82f ]
+
+When initializing the device (procedure init_one), the driver
+calls mlx5_pci_init to perform pci initialization. As part of this
+initialization, mlx5_pci_init creates a debugfs directory.
+If this creation fails, init_one aborts, returning failure to
+the caller (which is the probe method caller).
+
+The main reason for such a failure to occur is if the debugfs
+directory already exists. This can happen if the last time
+mlx5_pci_close was called, debugfs_remove (silently) failed due
+to the debugfs directory not being empty.
+
+Guarantee that such a debugfs_remove failure will not occur by
+instead calling debugfs_remove_recursive in procedure mlx5_pci_close.
+
+Fixes: 59211bd3b632 ("net/mlx5: Split the load/unload flow into hardware and software flows")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -857,8 +857,10 @@ static int mlx5_pci_init(struct mlx5_cor
+ priv->numa_node = dev_to_node(&dev->pdev->dev);
+
+ priv->dbg_root = debugfs_create_dir(dev_name(&pdev->dev), mlx5_debugfs_root);
+- if (!priv->dbg_root)
++ if (!priv->dbg_root) {
++ dev_err(&pdev->dev, "Cannot create debugfs dir, aborting\n");
+ return -ENOMEM;
++ }
+
+ err = mlx5_pci_enable_device(dev);
+ if (err) {
+@@ -907,7 +909,7 @@ static void mlx5_pci_close(struct mlx5_c
+ pci_clear_master(dev->pdev);
+ release_bar(dev->pdev);
+ mlx5_pci_disable_device(dev);
+- debugfs_remove(priv->dbg_root);
++ debugfs_remove_recursive(priv->dbg_root);
+ }
+
+ static int mlx5_init_once(struct mlx5_core_dev *dev, struct mlx5_priv *priv)
--- /dev/null
+From foo@baz Thu Sep 20 07:23:51 CEST 2018
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Date: Sun, 5 Aug 2018 09:19:33 +0300
+Subject: net/mlx5: Fix use-after-free in self-healing flow
+
+From: Jack Morgenstein <jackm@dev.mellanox.co.il>
+
+[ Upstream commit 76d5581c870454be5f1f1a106c57985902e7ea20 ]
+
+When the mlx5 health mechanism detects a problem while the driver
+is in the middle of init_one or remove_one, the driver needs to prevent
+the health mechanism from scheduling future work; if future work
+is scheduled, there is a problem with use-after-free: the system WQ
+tries to run the work item (which has been freed) at the scheduled
+future time.
+
+Prevent this by disabling work item scheduling in the health mechanism
+when the driver is in the middle of init_one() or remove_one().
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
+Reviewed-by: Feras Daoud <ferasda@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/health.c | 10 +++++++++-
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 6 +++---
+ include/linux/mlx5/driver.h | 2 +-
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/health.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/health.c
+@@ -333,9 +333,17 @@ void mlx5_start_health_poll(struct mlx5_
+ add_timer(&health->timer);
+ }
+
+-void mlx5_stop_health_poll(struct mlx5_core_dev *dev)
++void mlx5_stop_health_poll(struct mlx5_core_dev *dev, bool disable_health)
+ {
+ struct mlx5_core_health *health = &dev->priv.health;
++ unsigned long flags;
++
++ if (disable_health) {
++ spin_lock_irqsave(&health->wq_lock, flags);
++ set_bit(MLX5_DROP_NEW_HEALTH_WORK, &health->flags);
++ set_bit(MLX5_DROP_NEW_RECOVERY_WORK, &health->flags);
++ spin_unlock_irqrestore(&health->wq_lock, flags);
++ }
+
+ del_timer_sync(&health->timer);
+ }
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1227,7 +1227,7 @@ err_cleanup_once:
+ mlx5_cleanup_once(dev);
+
+ err_stop_poll:
+- mlx5_stop_health_poll(dev);
++ mlx5_stop_health_poll(dev, boot);
+ if (mlx5_cmd_teardown_hca(dev)) {
+ dev_err(&dev->pdev->dev, "tear_down_hca failed, skip cleanup\n");
+ goto out_err;
+@@ -1286,7 +1286,7 @@ static int mlx5_unload_one(struct mlx5_c
+ mlx5_free_irq_vectors(dev);
+ if (cleanup)
+ mlx5_cleanup_once(dev);
+- mlx5_stop_health_poll(dev);
++ mlx5_stop_health_poll(dev, cleanup);
+ err = mlx5_cmd_teardown_hca(dev);
+ if (err) {
+ dev_err(&dev->pdev->dev, "tear_down_hca failed, skip cleanup\n");
+@@ -1548,7 +1548,7 @@ static int mlx5_try_fast_unload(struct m
+ * with the HCA, so the health polll is no longer needed.
+ */
+ mlx5_drain_health_wq(dev);
+- mlx5_stop_health_poll(dev);
++ mlx5_stop_health_poll(dev, false);
+
+ ret = mlx5_cmd_force_teardown_hca(dev);
+ if (ret) {
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -950,7 +950,7 @@ int mlx5_cmd_free_uar(struct mlx5_core_d
+ void mlx5_health_cleanup(struct mlx5_core_dev *dev);
+ int mlx5_health_init(struct mlx5_core_dev *dev);
+ void mlx5_start_health_poll(struct mlx5_core_dev *dev);
+-void mlx5_stop_health_poll(struct mlx5_core_dev *dev);
++void mlx5_stop_health_poll(struct mlx5_core_dev *dev, bool disable_health);
+ void mlx5_drain_health_wq(struct mlx5_core_dev *dev);
+ void mlx5_trigger_health_work(struct mlx5_core_dev *dev);
+ void mlx5_drain_health_recovery(struct mlx5_core_dev *dev);
--- /dev/null
+From foo@baz Thu Sep 20 07:23:51 CEST 2018
+From: Stefan Wahren <stefan.wahren@i2se.com>
+Date: Wed, 5 Sep 2018 15:23:18 +0200
+Subject: net: qca_spi: Fix race condition in spi transfers
+
+From: Stefan Wahren <stefan.wahren@i2se.com>
+
+[ Upstream commit e65a9e480e91ddf9e15155454d370cead64689c8 ]
+
+With performance optimization the spi transfer and messages of basic
+register operations like qcaspi_read_register moved into the private
+driver structure. But they weren't protected against mutual access
+(e.g. between driver kthread and ethtool). So dumping the QCA7000
+registers via ethtool during network traffic could make spi_sync
+hang forever, because the completion in spi_message is overwritten.
+
+So revert the optimization completely.
+
+Fixes: 291ab06ecf676 ("net: qualcomm: new Ethernet over SPI driver for QCA700")
+Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qualcomm/qca_7k.c | 76 ++++++++++-----------
+ drivers/net/ethernet/qualcomm/qca_spi.c | 114 ++++++++++++++++----------------
+ drivers/net/ethernet/qualcomm/qca_spi.h | 5 -
+ 3 files changed, 95 insertions(+), 100 deletions(-)
+
+--- a/drivers/net/ethernet/qualcomm/qca_7k.c
++++ b/drivers/net/ethernet/qualcomm/qca_7k.c
+@@ -45,34 +45,33 @@ qcaspi_read_register(struct qcaspi *qca,
+ {
+ __be16 rx_data;
+ __be16 tx_data;
+- struct spi_transfer *transfer;
+- struct spi_message *msg;
++ struct spi_transfer transfer[2];
++ struct spi_message msg;
+ int ret;
+
++ memset(transfer, 0, sizeof(transfer));
++
++ spi_message_init(&msg);
++
+ tx_data = cpu_to_be16(QCA7K_SPI_READ | QCA7K_SPI_INTERNAL | reg);
++ *result = 0;
++
++ transfer[0].tx_buf = &tx_data;
++ transfer[0].len = QCASPI_CMD_LEN;
++ transfer[1].rx_buf = &rx_data;
++ transfer[1].len = QCASPI_CMD_LEN;
++
++ spi_message_add_tail(&transfer[0], &msg);
+
+ if (qca->legacy_mode) {
+- msg = &qca->spi_msg1;
+- transfer = &qca->spi_xfer1;
+- transfer->tx_buf = &tx_data;
+- transfer->rx_buf = NULL;
+- transfer->len = QCASPI_CMD_LEN;
+- spi_sync(qca->spi_dev, msg);
+- } else {
+- msg = &qca->spi_msg2;
+- transfer = &qca->spi_xfer2[0];
+- transfer->tx_buf = &tx_data;
+- transfer->rx_buf = NULL;
+- transfer->len = QCASPI_CMD_LEN;
+- transfer = &qca->spi_xfer2[1];
++ spi_sync(qca->spi_dev, &msg);
++ spi_message_init(&msg);
+ }
+- transfer->tx_buf = NULL;
+- transfer->rx_buf = &rx_data;
+- transfer->len = QCASPI_CMD_LEN;
+- ret = spi_sync(qca->spi_dev, msg);
++ spi_message_add_tail(&transfer[1], &msg);
++ ret = spi_sync(qca->spi_dev, &msg);
+
+ if (!ret)
+- ret = msg->status;
++ ret = msg.status;
+
+ if (ret)
+ qcaspi_spi_error(qca);
+@@ -86,35 +85,32 @@ int
+ qcaspi_write_register(struct qcaspi *qca, u16 reg, u16 value)
+ {
+ __be16 tx_data[2];
+- struct spi_transfer *transfer;
+- struct spi_message *msg;
++ struct spi_transfer transfer[2];
++ struct spi_message msg;
+ int ret;
+
++ memset(&transfer, 0, sizeof(transfer));
++
++ spi_message_init(&msg);
++
+ tx_data[0] = cpu_to_be16(QCA7K_SPI_WRITE | QCA7K_SPI_INTERNAL | reg);
+ tx_data[1] = cpu_to_be16(value);
+
++ transfer[0].tx_buf = &tx_data[0];
++ transfer[0].len = QCASPI_CMD_LEN;
++ transfer[1].tx_buf = &tx_data[1];
++ transfer[1].len = QCASPI_CMD_LEN;
++
++ spi_message_add_tail(&transfer[0], &msg);
+ if (qca->legacy_mode) {
+- msg = &qca->spi_msg1;
+- transfer = &qca->spi_xfer1;
+- transfer->tx_buf = &tx_data[0];
+- transfer->rx_buf = NULL;
+- transfer->len = QCASPI_CMD_LEN;
+- spi_sync(qca->spi_dev, msg);
+- } else {
+- msg = &qca->spi_msg2;
+- transfer = &qca->spi_xfer2[0];
+- transfer->tx_buf = &tx_data[0];
+- transfer->rx_buf = NULL;
+- transfer->len = QCASPI_CMD_LEN;
+- transfer = &qca->spi_xfer2[1];
++ spi_sync(qca->spi_dev, &msg);
++ spi_message_init(&msg);
+ }
+- transfer->tx_buf = &tx_data[1];
+- transfer->rx_buf = NULL;
+- transfer->len = QCASPI_CMD_LEN;
+- ret = spi_sync(qca->spi_dev, msg);
++ spi_message_add_tail(&transfer[1], &msg);
++ ret = spi_sync(qca->spi_dev, &msg);
+
+ if (!ret)
+- ret = msg->status;
++ ret = msg.status;
+
+ if (ret)
+ qcaspi_spi_error(qca);
+--- a/drivers/net/ethernet/qualcomm/qca_spi.c
++++ b/drivers/net/ethernet/qualcomm/qca_spi.c
+@@ -99,22 +99,24 @@ static u32
+ qcaspi_write_burst(struct qcaspi *qca, u8 *src, u32 len)
+ {
+ __be16 cmd;
+- struct spi_message *msg = &qca->spi_msg2;
+- struct spi_transfer *transfer = &qca->spi_xfer2[0];
++ struct spi_message msg;
++ struct spi_transfer transfer[2];
+ int ret;
+
+- cmd = cpu_to_be16(QCA7K_SPI_WRITE | QCA7K_SPI_EXTERNAL);
+- transfer->tx_buf = &cmd;
+- transfer->rx_buf = NULL;
+- transfer->len = QCASPI_CMD_LEN;
+- transfer = &qca->spi_xfer2[1];
+- transfer->tx_buf = src;
+- transfer->rx_buf = NULL;
+- transfer->len = len;
++ memset(&transfer, 0, sizeof(transfer));
++ spi_message_init(&msg);
+
+- ret = spi_sync(qca->spi_dev, msg);
++ cmd = cpu_to_be16(QCA7K_SPI_WRITE | QCA7K_SPI_EXTERNAL);
++ transfer[0].tx_buf = &cmd;
++ transfer[0].len = QCASPI_CMD_LEN;
++ transfer[1].tx_buf = src;
++ transfer[1].len = len;
++
++ spi_message_add_tail(&transfer[0], &msg);
++ spi_message_add_tail(&transfer[1], &msg);
++ ret = spi_sync(qca->spi_dev, &msg);
+
+- if (ret || (msg->actual_length != QCASPI_CMD_LEN + len)) {
++ if (ret || (msg.actual_length != QCASPI_CMD_LEN + len)) {
+ qcaspi_spi_error(qca);
+ return 0;
+ }
+@@ -125,17 +127,20 @@ qcaspi_write_burst(struct qcaspi *qca, u
+ static u32
+ qcaspi_write_legacy(struct qcaspi *qca, u8 *src, u32 len)
+ {
+- struct spi_message *msg = &qca->spi_msg1;
+- struct spi_transfer *transfer = &qca->spi_xfer1;
++ struct spi_message msg;
++ struct spi_transfer transfer;
+ int ret;
+
+- transfer->tx_buf = src;
+- transfer->rx_buf = NULL;
+- transfer->len = len;
++ memset(&transfer, 0, sizeof(transfer));
++ spi_message_init(&msg);
++
++ transfer.tx_buf = src;
++ transfer.len = len;
+
+- ret = spi_sync(qca->spi_dev, msg);
++ spi_message_add_tail(&transfer, &msg);
++ ret = spi_sync(qca->spi_dev, &msg);
+
+- if (ret || (msg->actual_length != len)) {
++ if (ret || (msg.actual_length != len)) {
+ qcaspi_spi_error(qca);
+ return 0;
+ }
+@@ -146,23 +151,25 @@ qcaspi_write_legacy(struct qcaspi *qca,
+ static u32
+ qcaspi_read_burst(struct qcaspi *qca, u8 *dst, u32 len)
+ {
+- struct spi_message *msg = &qca->spi_msg2;
++ struct spi_message msg;
+ __be16 cmd;
+- struct spi_transfer *transfer = &qca->spi_xfer2[0];
++ struct spi_transfer transfer[2];
+ int ret;
+
+- cmd = cpu_to_be16(QCA7K_SPI_READ | QCA7K_SPI_EXTERNAL);
+- transfer->tx_buf = &cmd;
+- transfer->rx_buf = NULL;
+- transfer->len = QCASPI_CMD_LEN;
+- transfer = &qca->spi_xfer2[1];
+- transfer->tx_buf = NULL;
+- transfer->rx_buf = dst;
+- transfer->len = len;
++ memset(&transfer, 0, sizeof(transfer));
++ spi_message_init(&msg);
+
+- ret = spi_sync(qca->spi_dev, msg);
++ cmd = cpu_to_be16(QCA7K_SPI_READ | QCA7K_SPI_EXTERNAL);
++ transfer[0].tx_buf = &cmd;
++ transfer[0].len = QCASPI_CMD_LEN;
++ transfer[1].rx_buf = dst;
++ transfer[1].len = len;
++
++ spi_message_add_tail(&transfer[0], &msg);
++ spi_message_add_tail(&transfer[1], &msg);
++ ret = spi_sync(qca->spi_dev, &msg);
+
+- if (ret || (msg->actual_length != QCASPI_CMD_LEN + len)) {
++ if (ret || (msg.actual_length != QCASPI_CMD_LEN + len)) {
+ qcaspi_spi_error(qca);
+ return 0;
+ }
+@@ -173,17 +180,20 @@ qcaspi_read_burst(struct qcaspi *qca, u8
+ static u32
+ qcaspi_read_legacy(struct qcaspi *qca, u8 *dst, u32 len)
+ {
+- struct spi_message *msg = &qca->spi_msg1;
+- struct spi_transfer *transfer = &qca->spi_xfer1;
++ struct spi_message msg;
++ struct spi_transfer transfer;
+ int ret;
+
+- transfer->tx_buf = NULL;
+- transfer->rx_buf = dst;
+- transfer->len = len;
++ memset(&transfer, 0, sizeof(transfer));
++ spi_message_init(&msg);
++
++ transfer.rx_buf = dst;
++ transfer.len = len;
+
+- ret = spi_sync(qca->spi_dev, msg);
++ spi_message_add_tail(&transfer, &msg);
++ ret = spi_sync(qca->spi_dev, &msg);
+
+- if (ret || (msg->actual_length != len)) {
++ if (ret || (msg.actual_length != len)) {
+ qcaspi_spi_error(qca);
+ return 0;
+ }
+@@ -195,19 +205,23 @@ static int
+ qcaspi_tx_cmd(struct qcaspi *qca, u16 cmd)
+ {
+ __be16 tx_data;
+- struct spi_message *msg = &qca->spi_msg1;
+- struct spi_transfer *transfer = &qca->spi_xfer1;
++ struct spi_message msg;
++ struct spi_transfer transfer;
+ int ret;
+
++ memset(&transfer, 0, sizeof(transfer));
++
++ spi_message_init(&msg);
++
+ tx_data = cpu_to_be16(cmd);
+- transfer->len = sizeof(tx_data);
+- transfer->tx_buf = &tx_data;
+- transfer->rx_buf = NULL;
++ transfer.len = sizeof(cmd);
++ transfer.tx_buf = &tx_data;
++ spi_message_add_tail(&transfer, &msg);
+
+- ret = spi_sync(qca->spi_dev, msg);
++ ret = spi_sync(qca->spi_dev, &msg);
+
+ if (!ret)
+- ret = msg->status;
++ ret = msg.status;
+
+ if (ret)
+ qcaspi_spi_error(qca);
+@@ -836,16 +850,6 @@ qcaspi_netdev_setup(struct net_device *d
+ qca = netdev_priv(dev);
+ memset(qca, 0, sizeof(struct qcaspi));
+
+- memset(&qca->spi_xfer1, 0, sizeof(struct spi_transfer));
+- memset(&qca->spi_xfer2, 0, sizeof(struct spi_transfer) * 2);
+-
+- spi_message_init(&qca->spi_msg1);
+- spi_message_add_tail(&qca->spi_xfer1, &qca->spi_msg1);
+-
+- spi_message_init(&qca->spi_msg2);
+- spi_message_add_tail(&qca->spi_xfer2[0], &qca->spi_msg2);
+- spi_message_add_tail(&qca->spi_xfer2[1], &qca->spi_msg2);
+-
+ memset(&qca->txr, 0, sizeof(qca->txr));
+ qca->txr.count = TX_RING_MAX_LEN;
+ }
+--- a/drivers/net/ethernet/qualcomm/qca_spi.h
++++ b/drivers/net/ethernet/qualcomm/qca_spi.h
+@@ -83,11 +83,6 @@ struct qcaspi {
+ struct tx_ring txr;
+ struct qcaspi_stats stats;
+
+- struct spi_message spi_msg1;
+- struct spi_message spi_msg2;
+- struct spi_transfer spi_xfer1;
+- struct spi_transfer spi_xfer2[2];
+-
+ u8 *rx_buffer;
+ u32 buffer_size;
+ u8 sync;
--- /dev/null
+From foo@baz Thu Sep 20 07:23:51 CEST 2018
+From: Vakul Garg <vakul.garg@nxp.com>
+Date: Thu, 6 Sep 2018 21:41:40 +0530
+Subject: net/tls: Set count of SG entries if sk_alloc_sg returns -ENOSPC
+
+From: Vakul Garg <vakul.garg@nxp.com>
+
+[ Upstream commit 52ea992cfac357b73180d5c051dca43bc8d20c2a ]
+
+tls_sw_sendmsg() allocates plaintext and encrypted SG entries using
+function sk_alloc_sg(). In case the number of SG entries hit
+MAX_SKB_FRAGS, sk_alloc_sg() returns -ENOSPC and sets the variable for
+current SG index to '0'. This leads to calling of function
+tls_push_record() with 'sg_encrypted_num_elem = 0' and later causes
+kernel crash. To fix this, set the number of SG elements to the number
+of elements in plaintext/encrypted SG arrays in case sk_alloc_sg()
+returns -ENOSPC.
+
+Fixes: 3c4d7559159b ("tls: kernel TLS support")
+Signed-off-by: Vakul Garg <vakul.garg@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_sw.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -170,6 +170,9 @@ static int alloc_encrypted_sg(struct soc
+ rc = alloc_sg(sk, len, ctx->sg_encrypted_data,
+ &ctx->sg_encrypted_num_elem, &ctx->sg_encrypted_size, 0);
+
++ if (rc == -ENOSPC)
++ ctx->sg_encrypted_num_elem = ARRAY_SIZE(ctx->sg_encrypted_data);
++
+ return rc;
+ }
+
+@@ -183,6 +186,9 @@ static int alloc_plaintext_sg(struct soc
+ &ctx->sg_plaintext_num_elem, &ctx->sg_plaintext_size,
+ tls_ctx->pending_open_record_frags);
+
++ if (rc == -ENOSPC)
++ ctx->sg_plaintext_num_elem = ARRAY_SIZE(ctx->sg_plaintext_data);
++
+ return rc;
+ }
+
--- /dev/null
+From foo@baz Thu Sep 20 07:23:51 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 10 Sep 2018 18:27:26 -0700
+Subject: rds: fix two RCU related problems
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit cc4dfb7f70a344f24c1c71e298deea0771dadcb2 ]
+
+When a rds sock is bound, it is inserted into the bind_hash_table
+which is protected by RCU. But when releasing rds sock, after it
+is removed from this hash table, it is freed immediately without
+respecting RCU grace period. This could cause some use-after-free
+as reported by syzbot.
+
+Mark the rds sock with SOCK_RCU_FREE before inserting it into the
+bind_hash_table, so that it would be always freed after a RCU grace
+period.
+
+The other problem is in rds_find_bound(), the rds sock could be
+freed in between rhashtable_lookup_fast() and rds_sock_addref(),
+so we need to extend RCU read lock protection in rds_find_bound()
+to close this race condition.
+
+Reported-and-tested-by: syzbot+8967084bcac563795dc6@syzkaller.appspotmail.com
+Reported-by: syzbot+93a5839deb355537440f@syzkaller.appspotmail.com
+Cc: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Cc: rds-devel@oss.oracle.com
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oarcle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/bind.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/rds/bind.c
++++ b/net/rds/bind.c
+@@ -60,11 +60,13 @@ struct rds_sock *rds_find_bound(__be32 a
+ u64 key = ((u64)addr << 32) | port;
+ struct rds_sock *rs;
+
+- rs = rhashtable_lookup_fast(&bind_hash_table, &key, ht_parms);
++ rcu_read_lock();
++ rs = rhashtable_lookup(&bind_hash_table, &key, ht_parms);
+ if (rs && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD))
+ rds_sock_addref(rs);
+ else
+ rs = NULL;
++ rcu_read_unlock();
+
+ rdsdebug("returning rs %p for %pI4:%u\n", rs, &addr,
+ ntohs(port));
+@@ -157,6 +159,7 @@ int rds_bind(struct socket *sock, struct
+ goto out;
+ }
+
++ sock_set_flag(sk, SOCK_RCU_FREE);
+ ret = rds_add_bound(rs, sin->sin_addr.s_addr, &sin->sin_port);
+ if (ret)
+ goto out;
--- /dev/null
+be2net-fix-memory-leak-in-be_cmd_get_profile_config.patch
+net-mlx5-fix-use-after-free-in-self-healing-flow.patch
+net-qca_spi-fix-race-condition-in-spi-transfers.patch
+rds-fix-two-rcu-related-problems.patch
+net-mlx5-check-for-error-in-mlx5_attach_interface.patch
+net-mlx5-fix-debugfs-cleanup-in-the-device-init-remove-flow.patch
+net-mlx5-e-switch-fix-memory-leak-when-creating-switchdev-mode-fdb-tables.patch
+net-tls-set-count-of-sg-entries-if-sk_alloc_sg-returns-enospc.patch
+erspan-fix-error-handling-for-erspan-tunnel.patch
+erspan-return-packet_reject-when-the-appropriate-tunnel-is-not-found.patch
+tcp-really-ignore-msg_zerocopy-if-no-so_zerocopy.patch
+hv-netvsc-fix-null-dereference-at-single-queue-mode-fallback.patch
--- /dev/null
+From foo@baz Thu Sep 20 07:23:51 CEST 2018
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Date: Thu, 6 Sep 2018 15:54:59 +0200
+Subject: tcp: really ignore MSG_ZEROCOPY if no SO_ZEROCOPY
+
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+
+[ Upstream commit 5cf4a8532c992bb22a9ecd5f6d93f873f4eaccc2 ]
+
+According to the documentation in msg_zerocopy.rst, the SO_ZEROCOPY
+flag was introduced because send(2) ignores unknown message flags and
+any legacy application which was accidentally passing the equivalent of
+MSG_ZEROCOPY earlier should not see any new behaviour.
+
+Before commit f214f915e7db ("tcp: enable MSG_ZEROCOPY"), a send(2) call
+which passed the equivalent of MSG_ZEROCOPY without setting SO_ZEROCOPY
+would succeed. However, after that commit, it fails with -ENOBUFS. So
+it appears that the SO_ZEROCOPY flag fails to fulfill its intended
+purpose. Fix it.
+
+Fixes: f214f915e7db ("tcp: enable MSG_ZEROCOPY")
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 3 ---
+ net/ipv4/tcp.c | 2 +-
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -937,9 +937,6 @@ struct ubuf_info *sock_zerocopy_alloc(st
+
+ WARN_ON_ONCE(!in_task());
+
+- if (!sock_flag(sk, SOCK_ZEROCOPY))
+- return NULL;
+-
+ skb = sock_omalloc(sk, 0, GFP_KERNEL);
+ if (!skb)
+ return NULL;
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -1177,7 +1177,7 @@ int tcp_sendmsg_locked(struct sock *sk,
+
+ flags = msg->msg_flags;
+
+- if (flags & MSG_ZEROCOPY && size) {
++ if (flags & MSG_ZEROCOPY && size && sock_flag(sk, SOCK_ZEROCOPY)) {
+ if (sk->sk_state != TCP_ESTABLISHED) {
+ err = -EINVAL;
+ goto out_err;
--- /dev/null
+be2net-fix-memory-leak-in-be_cmd_get_profile_config.patch
+net-mlx5-fix-use-after-free-in-self-healing-flow.patch
+net-qca_spi-fix-race-condition-in-spi-transfers.patch
+rds-fix-two-rcu-related-problems.patch
+tipc-orphan-sock-in-tipc_release.patch
+net-mlx5-e-switch-fix-memory-leak-when-creating-switchdev-mode-fdb-tables.patch
+net-tls-set-count-of-sg-entries-if-sk_alloc_sg-returns-enospc.patch
+net-mlx5-check-for-error-in-mlx5_attach_interface.patch
+net-mlx5-fix-debugfs-cleanup-in-the-device-init-remove-flow.patch
+erspan-fix-error-handling-for-erspan-tunnel.patch
+erspan-return-packet_reject-when-the-appropriate-tunnel-is-not-found.patch
+tcp-really-ignore-msg_zerocopy-if-no-so_zerocopy.patch
+net-mlx5-fix-not-releasing-read-lock-when-adding-flow-rules.patch
+net-mlx5-fix-possible-deadlock-from-lockdep-when-adding-fte-to-fg.patch
+net-mlx5-use-u16-for-work-queue-buffer-fragment-size.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
