4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 14 Apr 2018 13:59:49 +0000 (15:59 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 14 Apr 2018 13:59:49 +0000 (15:59 +0200)
added patches:
cdc_ether-flag-the-cinterion-ahs8-modem-by-gemalto-as-wwan.patch
lan78xx-correctly-indicate-invalid-otp.patch
rds-mp-rds-may-use-an-invalid-c_path.patch
slip-check-if-rstate-is-initialized-before-uncompressing.patch
vhost-fix-vhost_copy_to_user.patch
vhost-fix-vhost_vq_access_ok-log-check.patch

queue-4.14/cdc_ether-flag-the-cinterion-ahs8-modem-by-gemalto-as-wwan.patch [new file with mode: 0644]
queue-4.14/lan78xx-correctly-indicate-invalid-otp.patch [new file with mode: 0644]
queue-4.14/rds-mp-rds-may-use-an-invalid-c_path.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/slip-check-if-rstate-is-initialized-before-uncompressing.patch [new file with mode: 0644]
queue-4.14/vhost-fix-vhost_copy_to_user.patch [new file with mode: 0644]
queue-4.14/vhost-fix-vhost_vq_access_ok-log-check.patch [new file with mode: 0644]

diff --git a/queue-4.14/cdc_ether-flag-the-cinterion-ahs8-modem-by-gemalto-as-wwan.patch b/queue-4.14/cdc_ether-flag-the-cinterion-ahs8-modem-by-gemalto-as-wwan.patch
new file mode 100644 (file)
index 0000000..255d650
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Sat Apr 14 09:15:24 CEST 2018
+From: Bassem Boubaker <bassem.boubaker@actia.fr>
+Date: Wed, 11 Apr 2018 13:15:53 +0200
+Subject: cdc_ether: flag the Cinterion AHS8 modem by gemalto as WWAN
+
+From: Bassem Boubaker <bassem.boubaker@actia.fr>
+
+
+[ Upstream commit 53765341ee821c0a0f1dec41adc89c9096ad694c ]
+
+The Cinterion AHS8 is a 3G device with one embedded WWAN interface
+using cdc_ether as a driver.
+
+The modem is controlled via AT commands through the exposed TTYs.
+
+AT+CGDCONT write command can be used to activate or deactivate a WWAN
+connection for a PDP context defined with the same command. UE
+supports one WWAN adapter.
+
+Signed-off-by: Bassem Boubaker <bassem.boubaker@actia.fr>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/cdc_ether.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/usb/cdc_ether.c
++++ b/drivers/net/usb/cdc_ether.c
+@@ -896,6 +896,12 @@ static const struct usb_device_id produc
+                                     USB_CDC_PROTO_NONE),
+       .driver_info = (unsigned long)&wwan_info,
+ }, {
++      /* Cinterion AHS3 modem by GEMALTO */
++      USB_DEVICE_AND_INTERFACE_INFO(0x1e2d, 0x0055, USB_CLASS_COMM,
++                                    USB_CDC_SUBCLASS_ETHERNET,
++                                    USB_CDC_PROTO_NONE),
++      .driver_info = (unsigned long)&wwan_info,
++}, {
+       USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ETHERNET,
+                       USB_CDC_PROTO_NONE),
+       .driver_info = (unsigned long) &cdc_info,
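Review bot: The comment on the new table entry names the device `Cinterion AHS3`, while the patch subject and description call it the AHS8, so one of the two is wrong; if the subject is right the comment should read `/* Cinterion AHS8 modem by GEMALTO */`. The entry matches vendor 0x1e2d / product 0x0055, and device-ID tables are usually audited by searching for the model name, so a wrong name in the comment hides the entry from that search. The surrounding table starts and ends outside the hunk, so which name matches the hardware cannot be confirmed from here.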
diff --git a/queue-4.14/lan78xx-correctly-indicate-invalid-otp.patch b/queue-4.14/lan78xx-correctly-indicate-invalid-otp.patch
new file mode 100644 (file)
index 0000000..5c58238
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Sat Apr 14 09:15:24 CEST 2018
+From: Phil Elwell <phil@raspberrypi.org>
+Date: Wed, 11 Apr 2018 10:59:17 +0100
+Subject: lan78xx: Correctly indicate invalid OTP
+
+From: Phil Elwell <phil@raspberrypi.org>
+
+
+[ Upstream commit 4bfc33807a9a02764bdd1e42e794b3b401240f27 ]
+
+lan78xx_read_otp tries to return -EINVAL in the event of invalid OTP
+content, but the value gets overwritten before it is returned and the
+read goes ahead anyway. Make the read conditional as it should be
+and preserve the error code.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Phil Elwell <phil@raspberrypi.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/lan78xx.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -928,7 +928,8 @@ static int lan78xx_read_otp(struct lan78
+                       offset += 0x100;
+               else
+                       ret = -EINVAL;
+-              ret = lan78xx_read_raw_otp(dev, offset, length, data);
++              if (!ret)
++                      ret = lan78xx_read_raw_otp(dev, offset, length, data);
+       }
+       return ret;
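Review bot: The new `if (!ret)` guard before `lan78xx_read_raw_otp()` is only correct if `ret` is zero whenever this block is entered, and the code that establishes that is above the hunk. A short comment such as `/* ret is still 0 here unless the OTP content was rejected above */` would record the dependency, or the read could move into the branches that accept the content so the error path never reaches it. On `-EINVAL` the `data` buffer is now left unwritten, so callers (not shown) need to check the return value before using it. The function starts outside the hunk.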
diff --git a/queue-4.14/rds-mp-rds-may-use-an-invalid-c_path.patch b/queue-4.14/rds-mp-rds-may-use-an-invalid-c_path.patch
new file mode 100644 (file)
index 0000000..df6428b
--- /dev/null
@@ -0,0 +1,61 @@
+From foo@baz Sat Apr 14 09:15:24 CEST 2018
+From: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
+Date: Wed, 11 Apr 2018 00:57:25 -0700
+Subject: rds: MP-RDS may use an invalid c_path
+
+From: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
+
+
+[ Upstream commit a43cced9a348901f9015f4730b70b69e7c41a9c9 ]
+
+rds_sendmsg() calls rds_send_mprds_hash() to find a c_path to use to
+send a message.  Suppose the RDS connection is not yet up.  In
+rds_send_mprds_hash(), it does
+
+       if (conn->c_npaths == 0)
+               wait_event_interruptible(conn->c_hs_waitq,
+                                        (conn->c_npaths != 0));
+
+If it is interrupted before the connection is set up,
+rds_send_mprds_hash() will return a non-zero hash value.  Hence
+rds_sendmsg() will use a non-zero c_path to send the message.  But if
+the RDS connection ends up to be non-MP capable, the message will be
+lost as only the zero c_path can be used.
+
+Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/send.c |   15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2006 Oracle.  All rights reserved.
++ * Copyright (c) 2006, 2018 Oracle and/or its affiliates. All rights reserved.
+  *
+  * This software is available to you under a choice of one of two
+  * licenses.  You may choose to be licensed under the terms of the GNU
+@@ -986,10 +986,15 @@ static int rds_send_mprds_hash(struct rd
+       if (conn->c_npaths == 0 && hash != 0) {
+               rds_send_ping(conn, 0);
+-              if (conn->c_npaths == 0) {
+-                      wait_event_interruptible(conn->c_hs_waitq,
+-                                               (conn->c_npaths != 0));
+-              }
++              /* The underlying connection is not up yet.  Need to wait
++               * until it is up to be sure that the non-zero c_path can be
++               * used.  But if we are interrupted, we have to use the zero
++               * c_path in case the connection ends up being non-MP capable.
++               */
++              if (conn->c_npaths == 0)
++                      if (wait_event_interruptible(conn->c_hs_waitq,
++                                                   conn->c_npaths != 0))
++                              hash = 0;
+               if (conn->c_npaths == 1)
+                       hash = 0;
+       }
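Review bot: The nested `if (conn->c_npaths == 0)` / `if (wait_event_interruptible(...))` in the second hunk is written without braces although the inner statement spans three lines, which invites a dangling-else mistake on a later edit; putting the outer `if` body in braces, as the removed code did, would be safer. The non-zero return of the interrupted wait is consumed here and only turned into `hash = 0`, which appears to be intentional but is not stated; the comment could add `the interruption itself is not reported to the caller`. `rds_send_mprds_hash()` begins and ends outside the hunk, so how the caller treats a pending signal cannot be checked from here.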
index 6ba64e39f71d5f1c5e33f0ac8162263d28bb7bd8..f64f55f50a6ea6e67e0ca818471b440c90f5c1d1 100644 (file)
@@ -1 +1,7 @@
 netfilter-ipset-missing-nfnl_lock-nfnl_unlock-is-added-to-ip_set_net_exit.patch
+cdc_ether-flag-the-cinterion-ahs8-modem-by-gemalto-as-wwan.patch
+rds-mp-rds-may-use-an-invalid-c_path.patch
+slip-check-if-rstate-is-initialized-before-uncompressing.patch
+vhost-fix-vhost_vq_access_ok-log-check.patch
+vhost-fix-vhost_copy_to_user.patch
+lan78xx-correctly-indicate-invalid-otp.patch
diff --git a/queue-4.14/slip-check-if-rstate-is-initialized-before-uncompressing.patch b/queue-4.14/slip-check-if-rstate-is-initialized-before-uncompressing.patch
new file mode 100644 (file)
index 0000000..1757bac
--- /dev/null
@@ -0,0 +1,76 @@
+From foo@baz Sat Apr 14 09:15:24 CEST 2018
+From: Tejaswi Tanikella <tejaswit@codeaurora.org>
+Date: Wed, 11 Apr 2018 16:34:47 +0530
+Subject: slip: Check if rstate is initialized before uncompressing
+
+From: Tejaswi Tanikella <tejaswit@codeaurora.org>
+
+
+[ Upstream commit 3f01ddb962dc506916c243f9524e8bef97119b77 ]
+
+On receiving a packet the state index points to the rstate which must be
+used to fill up IP and TCP headers. But if the state index points to a
+rstate which is unitialized, i.e. filled with zeros, it gets stuck in an
+infinite loop inside ip_fast_csum trying to compute the ip checsum of a
+header with zero length.
+
+89.666953:   <2> [<ffffff9dd3e94d38>] slhc_uncompress+0x464/0x468
+89.666965:   <2> [<ffffff9dd3e87d88>] ppp_receive_nonmp_frame+0x3b4/0x65c
+89.666978:   <2> [<ffffff9dd3e89dd4>] ppp_receive_frame+0x64/0x7e0
+89.666991:   <2> [<ffffff9dd3e8a708>] ppp_input+0x104/0x198
+89.667005:   <2> [<ffffff9dd3e93868>] pppopns_recv_core+0x238/0x370
+89.667027:   <2> [<ffffff9dd4428fc8>] __sk_receive_skb+0xdc/0x250
+89.667040:   <2> [<ffffff9dd3e939e4>] pppopns_recv+0x44/0x60
+89.667053:   <2> [<ffffff9dd4426848>] __sock_queue_rcv_skb+0x16c/0x24c
+89.667065:   <2> [<ffffff9dd4426954>] sock_queue_rcv_skb+0x2c/0x38
+89.667085:   <2> [<ffffff9dd44f7358>] raw_rcv+0x124/0x154
+89.667098:   <2> [<ffffff9dd44f7568>] raw_local_deliver+0x1e0/0x22c
+89.667117:   <2> [<ffffff9dd44c8ba0>] ip_local_deliver_finish+0x70/0x24c
+89.667131:   <2> [<ffffff9dd44c92f4>] ip_local_deliver+0x100/0x10c
+
+./scripts/faddr2line vmlinux slhc_uncompress+0x464/0x468 output:
+ ip_fast_csum at arch/arm64/include/asm/checksum.h:40
+ (inlined by) slhc_uncompress at drivers/net/slip/slhc.c:615
+
+Adding a variable to indicate if the current rstate is initialized. If
+such a packet arrives, move to toss state.
+
+Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/slip/slhc.c |    5 +++++
+ include/net/slhc_vj.h   |    1 +
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/net/slip/slhc.c
++++ b/drivers/net/slip/slhc.c
+@@ -509,6 +509,10 @@ slhc_uncompress(struct slcompress *comp,
+               if(x < 0 || x > comp->rslot_limit)
+                       goto bad;
++              /* Check if the cstate is initialized */
++              if (!comp->rstate[x].initialized)
++                      goto bad;
++
+               comp->flags &=~ SLF_TOSS;
+               comp->recv_current = x;
+       } else {
+@@ -673,6 +677,7 @@ slhc_remember(struct slcompress *comp, u
+       if (cs->cs_tcp.doff > 5)
+         memcpy(cs->cs_tcpopt, icp + ihl*4 + sizeof(struct tcphdr), (cs->cs_tcp.doff - 5) * 4);
+       cs->cs_hsize = ihl*2 + cs->cs_tcp.doff*2;
++      cs->initialized = true;
+       /* Put headers back on packet
+        * Neither header checksum is recalculated
+        */
+--- a/include/net/slhc_vj.h
++++ b/include/net/slhc_vj.h
+@@ -127,6 +127,7 @@ typedef __u32 int32;
+  */
+ struct cstate {
+       byte_t  cs_this;        /* connection id number (xmit) */
++      bool    initialized;    /* true if initialized */
+       struct cstate *next;    /* next in ring (xmit) */
+       struct iphdr cs_ip;     /* ip/tcp hdr from most recent packet */
+       struct tcphdr cs_tcp;
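Review bot: The new `initialized` test in `slhc_uncompress()` sits only in the branch that handles an explicit connection index; the `else` branch that begins on the last line of that hunk is not shown, so it should be confirmed that the implicit-index path cannot reach a slot `slhc_remember()` never filled. The check also assumes the `rstate` array starts zeroed so that `initialized` reads false for untouched slots, and the allocation is outside the hunk. The added comment says `cstate` where the code tests `rstate`; `/* Reject a receive slot that slhc_remember() has not filled */` would be more precise. The commit message describes the failure as an endless loop while processing a received packet, so any missed path would presumably remain a hang that a peer can trigger.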
diff --git a/queue-4.14/vhost-fix-vhost_copy_to_user.patch b/queue-4.14/vhost-fix-vhost_copy_to_user.patch
new file mode 100644 (file)
index 0000000..f4758ea
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Sat Apr 14 09:15:24 CEST 2018
+From: Eric Auger <eric.auger@redhat.com>
+Date: Wed, 11 Apr 2018 15:30:38 +0200
+Subject: vhost: Fix vhost_copy_to_user()
+
+From: Eric Auger <eric.auger@redhat.com>
+
+
+[ Upstream commit 7ced6c98c7ab7a1f6743931e28671b833af79b1e ]
+
+vhost_copy_to_user is used to copy vring used elements to userspace.
+We should use VHOST_ADDR_USED instead of VHOST_ADDR_DESC.
+
+Fixes: f88949138058 ("vhost: introduce O(1) vq metadata cache")
+Signed-off-by: Eric Auger <eric.auger@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -756,7 +756,7 @@ static int vhost_copy_to_user(struct vho
+               struct iov_iter t;
+               void __user *uaddr = vhost_vq_meta_fetch(vq,
+                                    (u64)(uintptr_t)to, size,
+-                                   VHOST_ADDR_DESC);
++                                   VHOST_ADDR_USED);
+               if (uaddr)
+                       return __copy_to_user(uaddr, from, size);
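Review bot: The fast path in this hunk passes the address returned by `vhost_vq_meta_fetch()` straight to `__copy_to_user()`, the variant that skips the access check, so it relies on the metadata cache holding only validated addresses for the requested region type. A comment such as `/* uaddr comes from the vq metadata cache; VHOST_ADDR_USED because this writes the used ring */` would document why the unchecked copy is acceptable and why this constant is the right one. Where the cached address is validated is not visible here and should be confirmed. The function starts and ends outside the hunk.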
diff --git a/queue-4.14/vhost-fix-vhost_vq_access_ok-log-check.patch b/queue-4.14/vhost-fix-vhost_vq_access_ok-log-check.patch
new file mode 100644 (file)
index 0000000..d756522
--- /dev/null
@@ -0,0 +1,56 @@
+From foo@baz Sat Apr 14 09:15:24 CEST 2018
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Wed, 11 Apr 2018 10:35:40 +0800
+Subject: vhost: fix vhost_vq_access_ok() log check
+
+From: Stefan Hajnoczi <stefanha@redhat.com>
+
+
+[ Upstream commit d14d2b78090c7de0557362b26a4ca591aa6a9faa ]
+
+Commit d65026c6c62e7d9616c8ceb5a53b68bcdc050525 ("vhost: validate log
+when IOTLB is enabled") introduced a regression.  The logic was
+originally:
+
+  if (vq->iotlb)
+      return 1;
+  return A && B;
+
+After the patch the short-circuit logic for A was inverted:
+
+  if (A || vq->iotlb)
+      return A;
+  return B;
+
+This patch fixes the regression by rewriting the checks in the obvious
+way, no longer returning A when vq->iotlb is non-NULL (which is hard to
+understand).
+
+Reported-by: syzbot+65a84dde0214b0387ccd@syzkaller.appspotmail.com
+Cc: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1252,10 +1252,12 @@ static int vq_log_access_ok(struct vhost
+ /* Caller should have vq mutex and device mutex */
+ int vhost_vq_access_ok(struct vhost_virtqueue *vq)
+ {
+-      int ret = vq_log_access_ok(vq, vq->log_base);
++      if (!vq_log_access_ok(vq, vq->log_base))
++              return 0;
+-      if (ret || vq->iotlb)
+-              return ret;
++      /* Access validation occurs at prefetch time with IOTLB */
++      if (vq->iotlb)
++              return 1;
+       return vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used);
+ }
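Review bot: With `vq->iotlb` set, `vhost_vq_access_ok()` now returns 1 after checking only the log address, so on that path the return value is no guarantee that desc/avail/used are accessible. The one-line comment says validation happens at prefetch time; it could be extended to state the obligation this puts on callers, e.g. `/* With IOTLB the rings are validated at prefetch time, not here; callers must prefetch before touching them */`. The function also returns an `int` used as a boolean with no stated contract, so a header line such as `/* Returns 1 if access is permitted, 0 otherwise */` would help. `vq_access_ok()` and the prefetch path are outside the hunk.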