3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 7 Feb 2018 19:38:58 +0000 (11:38 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 7 Feb 2018 19:38:58 +0000 (11:38 -0800)
added patches:
ip6mr-fix-stale-iterator.patch
net-igmp-add-a-missing-rcu-locking-section.patch
qlcnic-fix-deadlock-bug.patch
r8169-fix-rtl8168ep-take-too-long-to-complete-driver-initialization.patch
tcp-release-sk_frag.page-in-tcp_disconnect.patch

queue-3.18/ip6mr-fix-stale-iterator.patch [new file with mode: 0644]
queue-3.18/net-igmp-add-a-missing-rcu-locking-section.patch [new file with mode: 0644]
queue-3.18/qlcnic-fix-deadlock-bug.patch [new file with mode: 0644]
queue-3.18/r8169-fix-rtl8168ep-take-too-long-to-complete-driver-initialization.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/tcp-release-sk_frag.page-in-tcp_disconnect.patch [new file with mode: 0644]

diff --git a/queue-3.18/ip6mr-fix-stale-iterator.patch b/queue-3.18/ip6mr-fix-stale-iterator.patch
new file mode 100644 (file)
index 0000000..9838fbc
--- /dev/null
@@ -0,0 +1,114 @@
+From foo@baz Wed Feb  7 11:38:15 PST 2018
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Wed, 31 Jan 2018 16:29:30 +0200
+Subject: ip6mr: fix stale iterator
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+
+[ Upstream commit 4adfa79fc254efb7b0eb3cd58f62c2c3f805f1ba ]
+
+When we dump the ip6mr mfc entries via proc, we initialize an iterator
+with the table to dump but we don't clear the cache pointer which might
+be initialized from a prior read on the same descriptor that ended. This
+can result in lock imbalance (an unnecessary unlock) leading to other
+crashes and hangs. Clear the cache pointer like ipmr does to fix the issue.
+Thanks for the reliable reproducer.
+
+Here's syzbot's trace:
+ WARNING: bad unlock balance detected!
+ 4.15.0-rc3+ #128 Not tainted
+ syzkaller971460/3195 is trying to release lock (mrt_lock) at:
+ [<000000006898068d>] ipmr_mfc_seq_stop+0xe1/0x130 net/ipv6/ip6mr.c:553
+ but there are no more locks to release!
+
+ other info that might help us debug this:
+ 1 lock held by syzkaller971460/3195:
+  #0:  (&p->lock){+.+.}, at: [<00000000744a6565>] seq_read+0xd5/0x13d0
+ fs/seq_file.c:165
+
+ stack backtrace:
+ CPU: 1 PID: 3195 Comm: syzkaller971460 Not tainted 4.15.0-rc3+ #128
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+ Google 01/01/2011
+ Call Trace:
+  __dump_stack lib/dump_stack.c:17 [inline]
+  dump_stack+0x194/0x257 lib/dump_stack.c:53
+  print_unlock_imbalance_bug+0x12f/0x140 kernel/locking/lockdep.c:3561
+  __lock_release kernel/locking/lockdep.c:3775 [inline]
+  lock_release+0x5f9/0xda0 kernel/locking/lockdep.c:4023
+  __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
+  _raw_read_unlock+0x1a/0x30 kernel/locking/spinlock.c:255
+  ipmr_mfc_seq_stop+0xe1/0x130 net/ipv6/ip6mr.c:553
+  traverse+0x3bc/0xa00 fs/seq_file.c:135
+  seq_read+0x96a/0x13d0 fs/seq_file.c:189
+  proc_reg_read+0xef/0x170 fs/proc/inode.c:217
+  do_loop_readv_writev fs/read_write.c:673 [inline]
+  do_iter_read+0x3db/0x5b0 fs/read_write.c:897
+  compat_readv+0x1bf/0x270 fs/read_write.c:1140
+  do_compat_preadv64+0xdc/0x100 fs/read_write.c:1189
+  C_SYSC_preadv fs/read_write.c:1209 [inline]
+  compat_SyS_preadv+0x3b/0x50 fs/read_write.c:1203
+  do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
+  do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
+  entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
+ RIP: 0023:0xf7f73c79
+ RSP: 002b:00000000e574a15c EFLAGS: 00000292 ORIG_RAX: 000000000000014d
+ RAX: ffffffffffffffda RBX: 000000000000000f RCX: 0000000020a3afb0
+ RDX: 0000000000000001 RSI: 0000000000000067 RDI: 0000000000000000
+ RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+ R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ BUG: sleeping function called from invalid context at lib/usercopy.c:25
+ in_atomic(): 1, irqs_disabled(): 0, pid: 3195, name: syzkaller971460
+ INFO: lockdep is turned off.
+ CPU: 1 PID: 3195 Comm: syzkaller971460 Not tainted 4.15.0-rc3+ #128
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+ Google 01/01/2011
+ Call Trace:
+  __dump_stack lib/dump_stack.c:17 [inline]
+  dump_stack+0x194/0x257 lib/dump_stack.c:53
+  ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6060
+  __might_sleep+0x95/0x190 kernel/sched/core.c:6013
+  __might_fault+0xab/0x1d0 mm/memory.c:4525
+  _copy_to_user+0x2c/0xc0 lib/usercopy.c:25
+  copy_to_user include/linux/uaccess.h:155 [inline]
+  seq_read+0xcb4/0x13d0 fs/seq_file.c:279
+  proc_reg_read+0xef/0x170 fs/proc/inode.c:217
+  do_loop_readv_writev fs/read_write.c:673 [inline]
+  do_iter_read+0x3db/0x5b0 fs/read_write.c:897
+  compat_readv+0x1bf/0x270 fs/read_write.c:1140
+  do_compat_preadv64+0xdc/0x100 fs/read_write.c:1189
+  C_SYSC_preadv fs/read_write.c:1209 [inline]
+  compat_SyS_preadv+0x3b/0x50 fs/read_write.c:1203
+  do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
+  do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
+  entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
+ RIP: 0023:0xf7f73c79
+ RSP: 002b:00000000e574a15c EFLAGS: 00000292 ORIG_RAX: 000000000000014d
+ RAX: ffffffffffffffda RBX: 000000000000000f RCX: 0000000020a3afb0
+ RDX: 0000000000000001 RSI: 0000000000000067 RDI: 0000000000000000
+ RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+ R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ WARNING: CPU: 1 PID: 3195 at lib/usercopy.c:26 _copy_to_user+0xb5/0xc0
+ lib/usercopy.c:26
+
+Reported-by: syzbot <bot+eceb3204562c41a438fa1f2335e0fe4f6886d669@syzkaller.appspotmail.com>
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6mr.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -498,6 +498,7 @@ static void *ipmr_mfc_seq_start(struct s
+               return ERR_PTR(-ENOENT);
+       it->mrt = mrt;
++      it->cache = NULL;
+       return *pos ? ipmr_mfc_seq_idx(net, seq->private, *pos - 1)
+               : SEQ_START_TOKEN;
+ }
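Review bot: The added `it->cache = NULL;` carries no comment, and the reason it is required lives only in the commit message — a reader of ipmr_mfc_seq_start() cannot see that the stop callback appears to pick which lock to drop from this pointer, so a stale value from an earlier read on the same descriptor turns into an unbalanced unlock. I would annotate the line: `/* a prior read on this descriptor may leave a stale cache pointer; seq_stop derives its unlock from it */`. ipmr_mfc_seq_start() begins outside the hunk and the matching seq_stop is not on this page, so whether stop also guards against an iterator whose start failed cannot be checked here.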
diff --git a/queue-3.18/net-igmp-add-a-missing-rcu-locking-section.patch b/queue-3.18/net-igmp-add-a-missing-rcu-locking-section.patch
new file mode 100644 (file)
index 0000000..732c964
--- /dev/null
@@ -0,0 +1,81 @@
+From foo@baz Wed Feb  7 11:38:15 PST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 1 Feb 2018 10:26:57 -0800
+Subject: net: igmp: add a missing rcu locking section
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit e7aadb27a5415e8125834b84a74477bfbee4eff5 ]
+
+Newly added igmpv3_get_srcaddr() needs to be called under rcu lock.
+
+Timer callbacks do not ensure this locking.
+
+=============================
+WARNING: suspicious RCU usage
+4.15.0+ #200 Not tainted
+-----------------------------
+./include/linux/inetdevice.h:216 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+3 locks held by syzkaller616973/4074:
+ #0:  (&mm->mmap_sem){++++}, at: [<00000000bfce669e>] __do_page_fault+0x32d/0xc90 arch/x86/mm/fault.c:1355
+ #1:  ((&im->timer)){+.-.}, at: [<00000000619d2f71>] lockdep_copy_map include/linux/lockdep.h:178 [inline]
+ #1:  ((&im->timer)){+.-.}, at: [<00000000619d2f71>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1316
+ #2:  (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] spin_lock_bh include/linux/spinlock.h:315 [inline]
+ #2:  (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] igmpv3_send_report+0x98/0x5b0 net/ipv4/igmp.c:600
+
+stack backtrace:
+CPU: 0 PID: 4074 Comm: syzkaller616973 Not tainted 4.15.0+ #200
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x257 lib/dump_stack.c:53
+ lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
+ __in_dev_get_rcu include/linux/inetdevice.h:216 [inline]
+ igmpv3_get_srcaddr net/ipv4/igmp.c:329 [inline]
+ igmpv3_newpack+0xeef/0x12e0 net/ipv4/igmp.c:389
+ add_grhead.isra.27+0x235/0x300 net/ipv4/igmp.c:432
+ add_grec+0xbd3/0x1170 net/ipv4/igmp.c:565
+ igmpv3_send_report+0xd5/0x5b0 net/ipv4/igmp.c:605
+ igmp_send_report+0xc43/0x1050 net/ipv4/igmp.c:722
+ igmp_timer_expire+0x322/0x5c0 net/ipv4/igmp.c:831
+ call_timer_fn+0x228/0x820 kernel/time/timer.c:1326
+ expire_timers kernel/time/timer.c:1363 [inline]
+ __run_timers+0x7ee/0xb70 kernel/time/timer.c:1666
+ run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
+ __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
+ invoke_softirq kernel/softirq.c:365 [inline]
+ irq_exit+0x1cc/0x200 kernel/softirq.c:405
+ exiting_irq arch/x86/include/asm/apic.h:541 [inline]
+ smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
+ apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:938
+
+Fixes: a46182b00290 ("net: igmp: Use correct source address on IGMPv3 reports")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/igmp.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -384,7 +384,11 @@ static struct sk_buff *igmpv3_newpack(st
+       pip->frag_off = htons(IP_DF);
+       pip->ttl      = 1;
+       pip->daddr    = fl4.daddr;
++
++      rcu_read_lock();
+       pip->saddr    = igmpv3_get_srcaddr(dev, &fl4);
++      rcu_read_unlock();
++
+       pip->protocol = IPPROTO_IGMP;
+       pip->tot_len  = 0;      /* filled in later */
+       ip_select_ident(skb, NULL);
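Review bot: The new rcu_read_lock()/rcu_read_unlock() pair around igmpv3_get_srcaddr() is sound only because the result is stored by value into pip->saddr; nothing RCU-protected may outlive the unlock, and that invariant is not written at the call site, so a later change that keeps a pointer from the helper would silently reintroduce the warning. A one-line comment above the lock would pin it: `/* igmpv3_get_srcaddr() dereferences in_dev under RCU; timer callers hold no read lock */`. igmpv3_newpack() begins outside the hunk, so whether some callers already run inside an RCU read section (harmless, nesting is allowed) is not visible here.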
diff --git a/queue-3.18/qlcnic-fix-deadlock-bug.patch b/queue-3.18/qlcnic-fix-deadlock-bug.patch
new file mode 100644 (file)
index 0000000..72934ef
--- /dev/null
@@ -0,0 +1,191 @@
+From foo@baz Wed Feb  7 11:38:15 PST 2018
+From: Junxiao Bi <junxiao.bi@oracle.com>
+Date: Mon, 29 Jan 2018 17:53:42 +0800
+Subject: qlcnic: fix deadlock bug
+
+From: Junxiao Bi <junxiao.bi@oracle.com>
+
+
+[ Upstream commit 233ac3891607f501f08879134d623b303838f478 ]
+
+The following soft lockup was caught. This is a deadlock caused by
+recusive locking.
+
+Process kworker/u40:1:28016 was holding spin lock "mbx->queue_lock" in
+qlcnic_83xx_mailbox_worker(), while a softirq came in and ask the same spin
+lock in qlcnic_83xx_enqueue_mbx_cmd(). This lock should be hold by disable
+bh..
+
+[161846.962125] NMI watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [kworker/u40:1:28016]
+[161846.962367] Modules linked in: tun ocfs2 xen_netback xen_blkback xen_gntalloc xen_gntdev xen_evtchn xenfs xen_privcmd autofs4 ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc fcoe libfcoe libfc sunrpc 8021q mrp garp bridge stp llc bonding dm_round_robin dm_multipath iTCO_wdt iTCO_vendor_support pcspkr sb_edac edac_core i2c_i801 shpchp lpc_ich mfd_core ioatdma ipmi_devintf ipmi_si ipmi_msghandler sg ext4 jbd2 mbcache2 sr_mod cdrom sd_mod igb i2c_algo_bit i2c_core ahci libahci megaraid_sas ixgbe dca ptp pps_core vxlan udp_tunnel ip6_udp_tunnel qla2xxx scsi_transport_fc qlcnic crc32c_intel be2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio libiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi dm_mirror dm_region_hash dm_log dm_mod
+[161846.962454]
+[161846.962460] CPU: 1 PID: 28016 Comm: kworker/u40:1 Not tainted 4.1.12-94.5.9.el6uek.x86_64 #2
+[161846.962463] Hardware name: Oracle Corporation SUN SERVER X4-2L      /ASSY,MB,X4-2L         , BIOS 26050100 09/19/2017
+[161846.962489] Workqueue: qlcnic_mailbox qlcnic_83xx_mailbox_worker [qlcnic]
+[161846.962493] task: ffff8801f2e34600 ti: ffff88004ca5c000 task.ti: ffff88004ca5c000
+[161846.962496] RIP: e030:[<ffffffff810013aa>]  [<ffffffff810013aa>] xen_hypercall_sched_op+0xa/0x20
+[161846.962506] RSP: e02b:ffff880202e43388  EFLAGS: 00000206
+[161846.962509] RAX: 0000000000000000 RBX: ffff8801f6996b70 RCX: ffffffff810013aa
+[161846.962511] RDX: ffff880202e433cc RSI: ffff880202e433b0 RDI: 0000000000000003
+[161846.962513] RBP: ffff880202e433d0 R08: 0000000000000000 R09: ffff8801fe893200
+[161846.962516] R10: ffff8801fe400538 R11: 0000000000000206 R12: ffff880202e4b000
+[161846.962518] R13: 0000000000000050 R14: 0000000000000001 R15: 000000000000020d
+[161846.962528] FS:  0000000000000000(0000) GS:ffff880202e40000(0000) knlGS:ffff880202e40000
+[161846.962531] CS:  e033 DS: 0000 ES: 0000 CR0: 0000000080050033
+[161846.962533] CR2: 0000000002612640 CR3: 00000001bb796000 CR4: 0000000000042660
+[161846.962536] Stack:
+[161846.962538]  ffff880202e43608 0000000000000000 ffffffff813f0442 ffff880202e433b0
+[161846.962543]  0000000000000000 ffff880202e433cc ffffffff00000001 0000000000000000
+[161846.962547]  00000009813f03d6 ffff880202e433e0 ffffffff813f0460 ffff880202e43440
+[161846.962552] Call Trace:
+[161846.962555]  <IRQ>
+[161846.962565]  [<ffffffff813f0442>] ? xen_poll_irq_timeout+0x42/0x50
+[161846.962570]  [<ffffffff813f0460>] xen_poll_irq+0x10/0x20
+[161846.962578]  [<ffffffff81014222>] xen_lock_spinning+0xe2/0x110
+[161846.962583]  [<ffffffff81013f01>] __raw_callee_save_xen_lock_spinning+0x11/0x20
+[161846.962592]  [<ffffffff816e5c57>] ? _raw_spin_lock+0x57/0x80
+[161846.962609]  [<ffffffffa028acfc>] qlcnic_83xx_enqueue_mbx_cmd+0x7c/0xe0 [qlcnic]
+[161846.962623]  [<ffffffffa028e008>] qlcnic_83xx_issue_cmd+0x58/0x210 [qlcnic]
+[161846.962636]  [<ffffffffa028caf2>] qlcnic_83xx_sre_macaddr_change+0x162/0x1d0 [qlcnic]
+[161846.962649]  [<ffffffffa028cb8b>] qlcnic_83xx_change_l2_filter+0x2b/0x30 [qlcnic]
+[161846.962657]  [<ffffffff8160248b>] ? __skb_flow_dissect+0x18b/0x650
+[161846.962670]  [<ffffffffa02856e5>] qlcnic_send_filter+0x205/0x250 [qlcnic]
+[161846.962682]  [<ffffffffa0285c77>] qlcnic_xmit_frame+0x547/0x7b0 [qlcnic]
+[161846.962691]  [<ffffffff8160ac22>] xmit_one+0x82/0x1a0
+[161846.962696]  [<ffffffff8160ad90>] dev_hard_start_xmit+0x50/0xa0
+[161846.962701]  [<ffffffff81630112>] sch_direct_xmit+0x112/0x220
+[161846.962706]  [<ffffffff8160b80f>] __dev_queue_xmit+0x1df/0x5e0
+[161846.962710]  [<ffffffff8160bc33>] dev_queue_xmit_sk+0x13/0x20
+[161846.962721]  [<ffffffffa0575bd5>] bond_dev_queue_xmit+0x35/0x80 [bonding]
+[161846.962729]  [<ffffffffa05769fb>] __bond_start_xmit+0x1cb/0x210 [bonding]
+[161846.962736]  [<ffffffffa0576a71>] bond_start_xmit+0x31/0x60 [bonding]
+[161846.962740]  [<ffffffff8160ac22>] xmit_one+0x82/0x1a0
+[161846.962745]  [<ffffffff8160ad90>] dev_hard_start_xmit+0x50/0xa0
+[161846.962749]  [<ffffffff8160bb1e>] __dev_queue_xmit+0x4ee/0x5e0
+[161846.962754]  [<ffffffff8160bc33>] dev_queue_xmit_sk+0x13/0x20
+[161846.962760]  [<ffffffffa05cfa72>] vlan_dev_hard_start_xmit+0xb2/0x150 [8021q]
+[161846.962764]  [<ffffffff8160ac22>] xmit_one+0x82/0x1a0
+[161846.962769]  [<ffffffff8160ad90>] dev_hard_start_xmit+0x50/0xa0
+[161846.962773]  [<ffffffff8160bb1e>] __dev_queue_xmit+0x4ee/0x5e0
+[161846.962777]  [<ffffffff8160bc33>] dev_queue_xmit_sk+0x13/0x20
+[161846.962789]  [<ffffffffa05adf74>] br_dev_queue_push_xmit+0x54/0xa0 [bridge]
+[161846.962797]  [<ffffffffa05ae4ff>] br_forward_finish+0x2f/0x90 [bridge]
+[161846.962807]  [<ffffffff810b0dad>] ? ttwu_do_wakeup+0x1d/0x100
+[161846.962811]  [<ffffffff815f929b>] ? __alloc_skb+0x8b/0x1f0
+[161846.962818]  [<ffffffffa05ae04d>] __br_forward+0x8d/0x120 [bridge]
+[161846.962822]  [<ffffffff815f613b>] ? __kmalloc_reserve+0x3b/0xa0
+[161846.962829]  [<ffffffff810be55e>] ? update_rq_runnable_avg+0xee/0x230
+[161846.962836]  [<ffffffffa05ae176>] br_forward+0x96/0xb0 [bridge]
+[161846.962845]  [<ffffffffa05af85e>] br_handle_frame_finish+0x1ae/0x420 [bridge]
+[161846.962853]  [<ffffffffa05afc4f>] br_handle_frame+0x17f/0x260 [bridge]
+[161846.962862]  [<ffffffffa05afad0>] ? br_handle_frame_finish+0x420/0x420 [bridge]
+[161846.962867]  [<ffffffff8160d057>] __netif_receive_skb_core+0x1f7/0x870
+[161846.962872]  [<ffffffff8160d6f2>] __netif_receive_skb+0x22/0x70
+[161846.962877]  [<ffffffff8160d913>] netif_receive_skb_internal+0x23/0x90
+[161846.962884]  [<ffffffffa07512ea>] ? xenvif_idx_release+0xea/0x100 [xen_netback]
+[161846.962889]  [<ffffffff816e5a10>] ? _raw_spin_unlock_irqrestore+0x20/0x50
+[161846.962893]  [<ffffffff8160e624>] netif_receive_skb_sk+0x24/0x90
+[161846.962899]  [<ffffffffa075269a>] xenvif_tx_submit+0x2ca/0x3f0 [xen_netback]
+[161846.962906]  [<ffffffffa0753f0c>] xenvif_tx_action+0x9c/0xd0 [xen_netback]
+[161846.962915]  [<ffffffffa07567f5>] xenvif_poll+0x35/0x70 [xen_netback]
+[161846.962920]  [<ffffffff8160e01b>] napi_poll+0xcb/0x1e0
+[161846.962925]  [<ffffffff8160e1c0>] net_rx_action+0x90/0x1c0
+[161846.962931]  [<ffffffff8108aaba>] __do_softirq+0x10a/0x350
+[161846.962938]  [<ffffffff8108ae75>] irq_exit+0x125/0x130
+[161846.962943]  [<ffffffff813f03a9>] xen_evtchn_do_upcall+0x39/0x50
+[161846.962950]  [<ffffffff816e7ffe>] xen_do_hypervisor_callback+0x1e/0x40
+[161846.962952]  <EOI>
+[161846.962959]  [<ffffffff816e5c4a>] ? _raw_spin_lock+0x4a/0x80
+[161846.962964]  [<ffffffff816e5b1e>] ? _raw_spin_lock_irqsave+0x1e/0xa0
+[161846.962978]  [<ffffffffa028e279>] ? qlcnic_83xx_mailbox_worker+0xb9/0x2a0 [qlcnic]
+[161846.962991]  [<ffffffff810a14e1>] ? process_one_work+0x151/0x4b0
+[161846.962995]  [<ffffffff8100c3f2>] ? check_events+0x12/0x20
+[161846.963001]  [<ffffffff810a1960>] ? worker_thread+0x120/0x480
+[161846.963005]  [<ffffffff816e187b>] ? __schedule+0x30b/0x890
+[161846.963010]  [<ffffffff810a1840>] ? process_one_work+0x4b0/0x4b0
+[161846.963015]  [<ffffffff810a1840>] ? process_one_work+0x4b0/0x4b0
+[161846.963021]  [<ffffffff810a6b3e>] ? kthread+0xce/0xf0
+[161846.963025]  [<ffffffff810a6a70>] ? kthread_freezable_should_stop+0x70/0x70
+[161846.963031]  [<ffffffff816e6522>] ? ret_from_fork+0x42/0x70
+[161846.963035]  [<ffffffff810a6a70>] ? kthread_freezable_should_stop+0x70/0x70
+[161846.963037] Code: cc 51 41 53 b8 1c 00 00 00 0f 05 41 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 51 41 53 b8 1d 00 00 00 0f 05 <41> 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
+
+Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c |   18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+@@ -3825,7 +3825,7 @@ static void qlcnic_83xx_flush_mbx_queue(
+       struct list_head *head = &mbx->cmd_q;
+       struct qlcnic_cmd_args *cmd = NULL;
+-      spin_lock(&mbx->queue_lock);
++      spin_lock_bh(&mbx->queue_lock);
+       while (!list_empty(head)) {
+               cmd = list_entry(head->next, struct qlcnic_cmd_args, list);
+@@ -3836,7 +3836,7 @@ static void qlcnic_83xx_flush_mbx_queue(
+               qlcnic_83xx_notify_cmd_completion(adapter, cmd);
+       }
+-      spin_unlock(&mbx->queue_lock);
++      spin_unlock_bh(&mbx->queue_lock);
+ }
+ static int qlcnic_83xx_check_mbx_status(struct qlcnic_adapter *adapter)
+@@ -3872,12 +3872,12 @@ static void qlcnic_83xx_dequeue_mbx_cmd(
+ {
+       struct qlcnic_mailbox *mbx = adapter->ahw->mailbox;
+-      spin_lock(&mbx->queue_lock);
++      spin_lock_bh(&mbx->queue_lock);
+       list_del(&cmd->list);
+       mbx->num_cmds--;
+-      spin_unlock(&mbx->queue_lock);
++      spin_unlock_bh(&mbx->queue_lock);
+       qlcnic_83xx_notify_cmd_completion(adapter, cmd);
+ }
+@@ -3942,7 +3942,7 @@ static int qlcnic_83xx_enqueue_mbx_cmd(s
+               init_completion(&cmd->completion);
+               cmd->rsp_opcode = QLC_83XX_MBX_RESPONSE_UNKNOWN;
+-              spin_lock(&mbx->queue_lock);
++              spin_lock_bh(&mbx->queue_lock);
+               list_add_tail(&cmd->list, &mbx->cmd_q);
+               mbx->num_cmds++;
+@@ -3950,7 +3950,7 @@ static int qlcnic_83xx_enqueue_mbx_cmd(s
+               *timeout = cmd->total_cmds * QLC_83XX_MBX_TIMEOUT;
+               queue_work(mbx->work_q, &mbx->work);
+-              spin_unlock(&mbx->queue_lock);
++              spin_unlock_bh(&mbx->queue_lock);
+               return 0;
+       }
+@@ -4046,15 +4046,15 @@ static void qlcnic_83xx_mailbox_worker(s
+               mbx->rsp_status = QLC_83XX_MBX_RESPONSE_WAIT;
+               spin_unlock_irqrestore(&mbx->aen_lock, flags);
+-              spin_lock(&mbx->queue_lock);
++              spin_lock_bh(&mbx->queue_lock);
+               if (list_empty(head)) {
+-                      spin_unlock(&mbx->queue_lock);
++                      spin_unlock_bh(&mbx->queue_lock);
+                       return;
+               }
+               cmd = list_entry(head->next, struct qlcnic_cmd_args, list);
+-              spin_unlock(&mbx->queue_lock);
++              spin_unlock_bh(&mbx->queue_lock);
+               mbx_ops->encode_cmd(adapter, cmd);
+               mbx_ops->nofity_fw(adapter, QLC_83XX_MBX_REQUEST);
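Review bot: Every taker of mbx->queue_lock in this file is switched to the _bh variant, but the rule behind it — the lock is contended from softirq through the xmit path into qlcnic_83xx_enqueue_mbx_cmd(), as the trace shows — is recorded nowhere in the code, so a future plain spin_lock() on it would silently bring the deadlock back. The declaration of queue_lock in the mailbox struct (outside this patch) should carry `/* taken from softirq via enqueue_mbx_cmd(): process-context users must use spin_lock_bh() */`. The diffstat's 9/9 matches the hunks here, but any user of queue_lock in other qlcnic files is not visible on this page and would remain unconverted. All five functions touched (flush_mbx_queue, dequeue_mbx_cmd, enqueue_mbx_cmd, mailbox_worker and the check_mbx_status header) start or end outside their hunks.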
diff --git a/queue-3.18/r8169-fix-rtl8168ep-take-too-long-to-complete-driver-initialization.patch b/queue-3.18/r8169-fix-rtl8168ep-take-too-long-to-complete-driver-initialization.patch
new file mode 100644 (file)
index 0000000..e8f837e
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Wed Feb  7 11:38:15 PST 2018
+From: Chunhao Lin <hau@realtek.com>
+Date: Wed, 31 Jan 2018 01:32:36 +0800
+Subject: r8169: fix RTL8168EP take too long to complete driver initialization.
+
+From: Chunhao Lin <hau@realtek.com>
+
+
+[ Upstream commit 086ca23d03c0d2f4088f472386778d293e15c5f6 ]
+
+Driver check the wrong register bit in rtl_ocp_tx_cond() that keep driver
+waiting until timeout.
+
+Fix this by waiting for the right register bit.
+
+Signed-off-by: Chunhao Lin <hau@realtek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -1375,7 +1375,7 @@ DECLARE_RTL_COND(rtl_ocp_tx_cond)
+ {
+       void __iomem *ioaddr = tp->mmio_addr;
+-      return RTL_R8(IBISR0) & 0x02;
++      return RTL_R8(IBISR0) & 0x20;
+ }
+ static void rtl8168dp_driver_start(struct rtl8169_private *tp)
+@@ -1421,7 +1421,7 @@ static void rtl8168ep_driver_stop(struct
+       void __iomem *ioaddr = tp->mmio_addr;
+       RTL_W8(IBCR2, RTL_R8(IBCR2) & ~0x01);
+-      rtl_msleep_loop_wait_low(tp, &rtl_ocp_tx_cond, 50, 2000);
++      rtl_msleep_loop_wait_high(tp, &rtl_ocp_tx_cond, 50, 2000);
+       RTL_W8(IBISR0, RTL_R8(IBISR0) | 0x20);
+       RTL_W8(IBCR0, RTL_R8(IBCR0) & ~0x01);
+       ocp_write(tp, 0x01, 0x180, OOB_CMD_DRIVER_STOP);
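Review bot: The corrected bit 0x20 now appears as a bare magic number in two places — the predicate in rtl_ocp_tx_cond() and the `RTL_W8(IBISR0, RTL_R8(IBISR0) | 0x20)` write in rtl8168ep_driver_stop() — and the bug being fixed was a one-character slip in exactly such a constant. Naming it once, e.g. `enum { IBISR0_TX_DONE = 0x20 }; /* constructed name - check the datasheet for the official one */` and using it at both sites, would make it visible that the wait and the write-back refer to the same bit. The change to rtl_msleep_loop_wait_high() is consistent with the new predicate (wait until the bit is set, then write it back), but rtl8168ep_driver_stop() continues past the hunk, so other IBISR0 users are not visible here.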
index ded9f9d8916329028256b67ca807b28a594aee94..9db336baeb7c6ebfffab46224030c1822817688d 100644 (file)
@@ -1 +1,6 @@
 vhost_net-stop-device-during-reset-owner.patch
+ip6mr-fix-stale-iterator.patch
+net-igmp-add-a-missing-rcu-locking-section.patch
+qlcnic-fix-deadlock-bug.patch
+r8169-fix-rtl8168ep-take-too-long-to-complete-driver-initialization.patch
+tcp-release-sk_frag.page-in-tcp_disconnect.patch
diff --git a/queue-3.18/tcp-release-sk_frag.page-in-tcp_disconnect.patch b/queue-3.18/tcp-release-sk_frag.page-in-tcp_disconnect.patch
new file mode 100644 (file)
index 0000000..dbf6871
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Wed Feb  7 11:38:15 PST 2018
+From: Li RongQing <lirongqing@baidu.com>
+Date: Fri, 26 Jan 2018 16:40:41 +0800
+Subject: tcp: release sk_frag.page in tcp_disconnect
+
+From: Li RongQing <lirongqing@baidu.com>
+
+
+[ Upstream commit 9b42d55a66d388e4dd5550107df051a9637564fc ]
+
+socket can be disconnected and gets transformed back to a listening
+socket, if sk_frag.page is not released, which will be cloned into
+a new socket by sk_clone_lock, but the reference count of this page
+is increased, lead to a use after free or double free issue
+
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2280,6 +2280,12 @@ int tcp_disconnect(struct sock *sk, int
+       WARN_ON(inet->inet_num && !icsk->icsk_bind_hash);
++      if (sk->sk_frag.page) {
++              put_page(sk->sk_frag.page);
++              sk->sk_frag.page = NULL;
++              sk->sk_frag.offset = 0;
++      }
++
+       sk->sk_error_report(sk);
+       return err;
+ }
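Review bot: The new block releases sk_frag.page without saying why tcp_disconnect() must do it; the reason (a disconnected socket can be reused as a listener and cloned by sk_clone_lock()) is only in the commit message. I would add above the `if`: `/* a disconnected socket may become a listener; drop the tx page fragment so sk_clone_lock() does not hand a stale page pointer to child sockets */`. Resetting sk_frag.offset together with the page is consistent with allocation starting from a fresh page, and tcp_disconnect() begins outside the hunk, so whether the socket lock is held here — which the unsynchronised update of sk_frag presumably relies on — cannot be confirmed from this page.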