4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 2 Mar 2020 17:41:31 +0000 (18:41 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 2 Mar 2020 17:41:31 +0000 (18:41 +0100)
added patches:
ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch
ipv6-fix-route-replacement-with-dev-only-route.patch
net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch
net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch
net-sched-correct-flower-port-blocking.patch
nfc-pn544-fix-occasional-hw-initialization-failure.patch
sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch

queue-4.4/ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch [new file with mode: 0644]
queue-4.4/ipv6-fix-route-replacement-with-dev-only-route.patch [new file with mode: 0644]
queue-4.4/net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch [new file with mode: 0644]
queue-4.4/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch [new file with mode: 0644]
queue-4.4/net-sched-correct-flower-port-blocking.patch [new file with mode: 0644]
queue-4.4/nfc-pn544-fix-occasional-hw-initialization-failure.patch [new file with mode: 0644]
queue-4.4/sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch b/queue-4.4/ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch
new file mode 100644 (file)
index 0000000..91d728a
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Mon 02 Mar 2020 06:40:09 PM CET
+From: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+Date: Wed, 12 Feb 2020 10:41:07 +0900
+Subject: ipv6: Fix nlmsg_flags when splitting a multipath route
+
+From: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+
+[ Upstream commit afecdb376bd81d7e16578f0cfe82a1aec7ae18f3 ]
+
+When splitting an RTA_MULTIPATH request into multiple routes and adding the
+second and later components, we must not simply remove NLM_F_REPLACE but
+instead replace it by NLM_F_CREATE. Otherwise, it may look like the netlink
+message was malformed.
+
+For example,
+       ip route add 2001:db8::1/128 dev dummy0
+       ip route change 2001:db8::1/128 nexthop via fe80::30:1 dev dummy0 \
+               nexthop via fe80::30:2 dev dummy0
+results in the following warnings:
+[ 1035.057019] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
+[ 1035.057517] IPv6: NLM_F_CREATE should be set when creating new route
+
+This patch makes the nlmsg sequence look equivalent for __ip6_ins_rt() to
+what it would get if the multipath route had been added in multiple netlink
+operations:
+       ip route add 2001:db8::1/128 dev dummy0
+       ip route change 2001:db8::1/128 nexthop via fe80::30:1 dev dummy0
+       ip route append 2001:db8::1/128 nexthop via fe80::30:2 dev dummy0
+
+Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
+Signed-off-by: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -2953,6 +2953,7 @@ static int ip6_route_multipath_add(struc
+                */
+               cfg->fc_nlinfo.nlh->nlmsg_flags &= ~(NLM_F_EXCL |
+                                                    NLM_F_REPLACE);
++              cfg->fc_nlinfo.nlh->nlmsg_flags |= NLM_F_CREATE;
+               nhn++;
+       }
diff --git a/queue-4.4/ipv6-fix-route-replacement-with-dev-only-route.patch b/queue-4.4/ipv6-fix-route-replacement-with-dev-only-route.patch
new file mode 100644 (file)
index 0000000..98d5f91
--- /dev/null
@@ -0,0 +1,58 @@
+From foo@baz Mon 02 Mar 2020 05:05:39 PM CET
+From: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+Date: Wed, 12 Feb 2020 10:41:06 +0900
+Subject: ipv6: Fix route replacement with dev-only route
+
+From: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+
+[ Upstream commit e404b8c7cfb31654c9024d497cec58a501501692 ]
+
+After commit 27596472473a ("ipv6: fix ECMP route replacement") it is no
+longer possible to replace an ECMP-able route by a non ECMP-able route.
+For example,
+       ip route add 2001:db8::1/128 via fe80::1 dev dummy0
+       ip route replace 2001:db8::1/128 dev dummy0
+does not work as expected.
+
+Tweak the replacement logic so that point 3 in the log of the above commit
+becomes:
+3. If the new route is not ECMP-able, and no matching non-ECMP-able route
+exists, replace matching ECMP-able route (if any) or add the new route.
+
+We can now summarize the entire replace semantics to:
+When doing a replace, prefer replacing a matching route of the same
+"ECMP-able-ness" as the replace argument. If there is no such candidate,
+fallback to the first route found.
+
+Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
+Signed-off-by: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_fib.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -780,8 +780,7 @@ static int fib6_add_rt2node(struct fib6_
+                                       found++;
+                                       break;
+                               }
+-                              if (rt_can_ecmp)
+-                                      fallback_ins = fallback_ins ?: ins;
++                              fallback_ins = fallback_ins ?: ins;
+                               goto next_iter;
+                       }
+@@ -821,7 +820,9 @@ next_iter:
+       }
+       if (fallback_ins && !found) {
+-              /* No ECMP-able route found, replace first non-ECMP one */
++              /* No matching route with same ecmp-able-ness found, replace
++               * first matching route
++               */
+               ins = fallback_ins;
+               iter = *ins;
+               found++;
diff --git a/queue-4.4/net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch b/queue-4.4/net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch
new file mode 100644 (file)
index 0000000..b0a8433
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Mon 02 Mar 2020 06:40:09 PM CET
+From: Jethro Beekman <jethro@fortanix.com>
+Date: Wed, 12 Feb 2020 16:43:41 +0100
+Subject: net: fib_rules: Correctly set table field when table number exceeds 8 bits
+
+From: Jethro Beekman <jethro@fortanix.com>
+
+[ Upstream commit 540e585a79e9d643ede077b73bcc7aa2d7b4d919 ]
+
+In 709772e6e06564ed94ba740de70185ac3d792773, RT_TABLE_COMPAT was added to
+allow legacy software to deal with routing table numbers >= 256, but the
+same change to FIB rule queries was overlooked.
+
+Signed-off-by: Jethro Beekman <jethro@fortanix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/fib_rules.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/fib_rules.c
++++ b/net/core/fib_rules.c
+@@ -570,7 +570,7 @@ static int fib_nl_fill_rule(struct sk_bu
+       frh = nlmsg_data(nlh);
+       frh->family = ops->family;
+-      frh->table = rule->table;
++      frh->table = rule->table < 256 ? rule->table : RT_TABLE_COMPAT;
+       if (nla_put_u32(skb, FRA_TABLE, rule->table))
+               goto nla_put_failure;
+       if (nla_put_u32(skb, FRA_SUPPRESS_PREFIXLEN, rule->suppress_prefixlen))
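Review bot: The literal `256` in `frh->table = rule->table < 256 ? rule->table : RT_TABLE_COMPAT;` carries no comment saying that it is the limit of the 8-bit header field, so the reason for the substitution lives only in the commit message. A one-line comment above the assignment would keep it with the code, e.g. `/* frh->table is 8 bits wide; larger ids are reported as RT_TABLE_COMPAT and the full id is carried in FRA_TABLE below */`. fib_nl_fill_rule() starts and ends outside the hunk.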
diff --git a/queue-4.4/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch b/queue-4.4/net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch
new file mode 100644 (file)
index 0000000..b73f85c
--- /dev/null
@@ -0,0 +1,58 @@
+From foo@baz Mon 02 Mar 2020 06:40:09 PM CET
+From: Arun Parameswaran <arun.parameswaran@broadcom.com>
+Date: Fri, 14 Feb 2020 13:47:46 -0800
+Subject: net: phy: restore mdio regs in the iproc mdio driver
+
+From: Arun Parameswaran <arun.parameswaran@broadcom.com>
+
+The mii management register in iproc mdio block
+does not have a retention register so it is lost on suspend.
+Save and restore value of register while resuming from suspend.
+
+Fixes: bb1a619735b4 ("net: phy: Initialize mdio clock at probe function")
+Signed-off-by: Arun Parameswaran <arun.parameswaran@broadcom.com>
+Signed-off-by: Scott Branden <scott.branden@broadcom.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio-bcm-iproc.c |   20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/drivers/net/phy/mdio-bcm-iproc.c
++++ b/drivers/net/phy/mdio-bcm-iproc.c
+@@ -188,6 +188,23 @@ static int iproc_mdio_remove(struct plat
+       return 0;
+ }
++#ifdef CONFIG_PM_SLEEP
++int iproc_mdio_resume(struct device *dev)
++{
++      struct platform_device *pdev = to_platform_device(dev);
++      struct iproc_mdio_priv *priv = platform_get_drvdata(pdev);
++
++      /* restore the mii clock configuration */
++      iproc_mdio_config_clk(priv->base);
++
++      return 0;
++}
++
++static const struct dev_pm_ops iproc_mdio_pm_ops = {
++      .resume = iproc_mdio_resume
++};
++#endif /* CONFIG_PM_SLEEP */
++
+ static const struct of_device_id iproc_mdio_of_match[] = {
+       { .compatible = "brcm,iproc-mdio", },
+       { /* sentinel */ },
+@@ -198,6 +215,9 @@ static struct platform_driver iproc_mdio
+       .driver = {
+               .name = "iproc-mdio",
+               .of_match_table = iproc_mdio_of_match,
++#ifdef CONFIG_PM_SLEEP
++              .pm = &iproc_mdio_pm_ops,
++#endif
+       },
+       .probe = iproc_mdio_probe,
+       .remove = iproc_mdio_remove,
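Review bot: `iproc_mdio_resume()` is defined without `static` although its only visible user is `iproc_mdio_pm_ops` in the same file, so the symbol ends up in the kernel's global namespace; `static int iproc_mdio_resume(struct device *dev)` would match the other functions shown in the hunk context. The callback also depends on `iproc_mdio_config_clk()`, which this patch does not add, so it is worth confirming that the 4.4 tree already carries the commit named in the Fixes tag. Unlike the other patches queued in this commit, this one's header has no `[ Upstream commit … ]` line, which makes its origin harder to trace during a backport audit.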
diff --git a/queue-4.4/net-sched-correct-flower-port-blocking.patch b/queue-4.4/net-sched-correct-flower-port-blocking.patch
new file mode 100644 (file)
index 0000000..78827a7
--- /dev/null
@@ -0,0 +1,67 @@
+From foo@baz Mon 02 Mar 2020 05:05:39 PM CET
+From: Jason Baron <jbaron@akamai.com>
+Date: Mon, 17 Feb 2020 15:38:09 -0500
+Subject: net: sched: correct flower port blocking
+
+From: Jason Baron <jbaron@akamai.com>
+
+[ Upstream commit 8a9093c79863b58cc2f9874d7ae788f0d622a596 ]
+
+tc flower rules that are based on src or dst port blocking are sometimes
+ineffective due to uninitialized stack data. __skb_flow_dissect() extracts
+ports from the skb for tc flower to match against. However, the port
+dissection is not done when when the FLOW_DIS_IS_FRAGMENT bit is set in
+key_control->flags. All callers of __skb_flow_dissect(), zero-out the
+key_control field except for fl_classify() as used by the flower
+classifier. Thus, the FLOW_DIS_IS_FRAGMENT may be set on entry to
+__skb_flow_dissect(), since key_control is allocated on the stack
+and may not be initialized.
+
+Since key_basic and key_control are present for all flow keys, let's
+make sure they are initialized.
+
+Fixes: 62230715fd24 ("flow_dissector: do not dissect l4 ports for fragments")
+Co-developed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Jason Baron <jbaron@akamai.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/flow_dissector.h |    9 +++++++++
+ net/sched/cls_flower.c       |    1 +
+ 2 files changed, 10 insertions(+)
+
+--- a/include/net/flow_dissector.h
++++ b/include/net/flow_dissector.h
+@@ -4,6 +4,7 @@
+ #include <linux/types.h>
+ #include <linux/in6.h>
+ #include <linux/siphash.h>
++#include <linux/string.h>
+ #include <uapi/linux/if_ether.h>
+ /**
+@@ -185,4 +186,12 @@ static inline bool flow_keys_have_l4(str
+ u32 flow_hash_from_keys(struct flow_keys *keys);
++static inline void
++flow_dissector_init_keys(struct flow_dissector_key_control *key_control,
++                       struct flow_dissector_key_basic *key_basic)
++{
++      memset(key_control, 0, sizeof(*key_control));
++      memset(key_basic, 0, sizeof(*key_basic));
++}
++
+ #endif
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -127,6 +127,7 @@ static int fl_classify(struct sk_buff *s
+       struct fl_flow_key skb_key;
+       struct fl_flow_key skb_mkey;
++      flow_dissector_init_keys(&skb_key.control, &skb_key.basic);
+       fl_clear_masked_range(&skb_key, &head->mask);
+       skb_key.indev_ifindex = skb->skb_iif;
+       /* skb_flow_dissect() does not set n_proto in case an unknown protocol,
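Review bot: The new `flow_dissector_init_keys(&skb_key.control, &skb_key.basic);` call in fl_classify() has no comment, and the helper added to flow_dissector.h has no kernel-doc, so the reason the zeroing must stay is recorded only in the commit message. Because dropping it would bring back port filters that silently fail to match on stale stack bytes, I would add above the call `/* Zero control and basic: __skb_flow_dissect() tests key_control->flags on entry and skips port dissection when FLOW_DIS_IS_FRAGMENT is set */`. A short kernel-doc on the helper, saying that callers holding the keys on the stack must call it before dissecting, would help other users of the dissector. fl_classify() continues outside the hunk.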
diff --git a/queue-4.4/nfc-pn544-fix-occasional-hw-initialization-failure.patch b/queue-4.4/nfc-pn544-fix-occasional-hw-initialization-failure.patch
new file mode 100644 (file)
index 0000000..71470b1
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Mon 02 Mar 2020 05:10:46 PM CET
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Wed, 19 Feb 2020 18:01:22 +0300
+Subject: nfc: pn544: Fix occasional HW initialization failure
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+[ Upstream commit c3331d2fe3fd4d5e321f2467d01f72de7edfb5d0 ]
+
+The PN544 driver checks the "enable" polarity during of driver's probe and
+it's doing that by turning ON and OFF NFC with different polarities until
+enabling succeeds. It takes some time for the hardware to power-down, and
+thus, to deassert the IRQ that is raised by turning ON the hardware.
+Since the delay after last power-down of the polarity-checking process is
+missed in the code, the interrupt may trigger immediately after installing
+the IRQ handler (right after the checking is done), which results in IRQ
+handler trying to touch the disabled HW and ends with marking NFC as
+'DEAD' during of the driver's probe:
+
+  pn544_hci_i2c 1-002a: NFC: nfc_en polarity : active high
+  pn544_hci_i2c 1-002a: NFC: invalid len byte
+  shdlc: llc_shdlc_recv_frame: NULL Frame -> link is dead
+
+This patch fixes the occasional NFC initialization failure on Nexus 7
+device.
+
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/pn544/i2c.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nfc/pn544/i2c.c
++++ b/drivers/nfc/pn544/i2c.c
+@@ -241,6 +241,7 @@ static void pn544_hci_i2c_platform_init(
+ out:
+       gpio_set_value_cansleep(phy->gpio_en, !phy->en_polarity);
++      usleep_range(10000, 15000);
+ }
+ static void pn544_hci_i2c_enable_mode(struct pn544_i2c_phy *phy, int run_mode)
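Review bot: The added `usleep_range(10000, 15000);` after the `out:` label is a bare delay with literal bounds, and nothing in the code says what it waits for. A later cleanup could drop it and reintroduce the spurious interrupt described in the commit message, so I would add above it `/* give the chip time to power down and deassert its IRQ before the handler is installed */`. pn544_hci_i2c_platform_init() starts outside the hunk.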
diff --git a/queue-4.4/sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch b/queue-4.4/sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch
new file mode 100644 (file)
index 0000000..a72a7b8
--- /dev/null
@@ -0,0 +1,103 @@
+From foo@baz Mon 02 Mar 2020 05:10:46 PM CET
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 18 Feb 2020 12:07:53 +0800
+Subject: sctp: move the format error check out of __sctp_sf_do_9_1_abort
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 245709ec8be89af46ea7ef0444c9c80913999d99 ]
+
+When T2 timer is to be stopped, the asoc should also be deleted,
+otherwise, there will be no chance to call sctp_association_free
+and the asoc could last in memory forever.
+
+However, in sctp_sf_shutdown_sent_abort(), after adding the cmd
+SCTP_CMD_TIMER_STOP for T2 timer, it may return error due to the
+format error from __sctp_sf_do_9_1_abort() and miss adding
+SCTP_CMD_ASSOC_FAILED where the asoc will be deleted.
+
+This patch is to fix it by moving the format error check out of
+__sctp_sf_do_9_1_abort(), and do it before adding the cmd
+SCTP_CMD_TIMER_STOP for T2 timer.
+
+Thanks Hangbin for reporting this issue by the fuzz testing.
+
+v1->v2:
+  - improve the comment in the code as Marcelo's suggestion.
+
+Fixes: 96ca468b86b0 ("sctp: check invalid value of length parameter in error cause")
+Reported-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_statefuns.c |   27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -177,6 +177,16 @@ sctp_chunk_length_valid(struct sctp_chun
+       return 1;
+ }
++/* Check for format error in an ABORT chunk */
++static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk)
++{
++      struct sctp_errhdr *err;
++
++      sctp_walk_errors(err, chunk->chunk_hdr);
++
++      return (void *)err == (void *)chunk->chunk_end;
++}
++
+ /**********************************************************
+  * These are the state functions for handling chunk events.
+  **********************************************************/
+@@ -2159,6 +2169,9 @@ sctp_disposition_t sctp_sf_shutdown_pend
+                   sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
+               return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
++      if (!sctp_err_chunk_valid(chunk))
++              return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++
+       return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
+ }
+@@ -2201,6 +2214,9 @@ sctp_disposition_t sctp_sf_shutdown_sent
+                   sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
+               return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
++      if (!sctp_err_chunk_valid(chunk))
++              return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++
+       /* Stop the T2-shutdown timer. */
+       sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
+                       SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
+@@ -2466,6 +2482,9 @@ sctp_disposition_t sctp_sf_do_9_1_abort(
+                   sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
+               return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
++      if (!sctp_err_chunk_valid(chunk))
++              return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++
+       return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
+ }
+@@ -2482,15 +2501,9 @@ static sctp_disposition_t __sctp_sf_do_9
+       /* See if we have an error cause code in the chunk.  */
+       len = ntohs(chunk->chunk_hdr->length);
+-      if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) {
+-
+-              sctp_errhdr_t *err;
+-              sctp_walk_errors(err, chunk->chunk_hdr);
+-              if ((void *)err != (void *)chunk->chunk_end)
+-                      return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++      if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
+               error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
+-      }
+       sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
+       /* ASSOC_FAILED will DELETE_TCB. */
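Review bot: `sctp_err_chunk_valid()` runs `sctp_walk_errors()` on every ABORT, whereas the removed code in __sctp_sf_do_9_1_abort() walked the causes only when the chunk length covered a chunk header plus one error header. The macro body is not part of this patch, so it is worth confirming that for an ABORT with no error cause it does not read `err->length` past `chunk->chunk_end`, since the chunk contents come from the peer. If that case is meant to pass, the helper's comment should say so, e.g. `/* Returns true when the error causes exactly fill the chunk; an ABORT with no causes counts as valid */`. The same check is added in sctp_sf_shutdown_pending_abort(), sctp_sf_shutdown_sent_abort() and sctp_sf_do_9_1_abort(), all of which start outside their hunks.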
index 993fe000b573a243079906a51e30d459e4fd03ee..de55a1da206b77fa0647087e5ad1f7972237e4df 100644 (file)
@@ -10,3 +10,10 @@ cifs-fix-mode-output-in-debugging-statements.patch
 cfg80211-add-missing-policy-for-nl80211_attr_status_.patch
 sysrq-restore-original-console_loglevel-when-sysrq-disabled.patch
 sysrq-remove-duplicated-sysrq-message.patch
+net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch
+net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch
+ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch
+ipv6-fix-route-replacement-with-dev-only-route.patch
+sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch
+nfc-pn544-fix-occasional-hw-initialization-failure.patch
+net-sched-correct-flower-port-blocking.patch