+++ /dev/null
-From nobuhiro1.iwamatsu@toshiba.co.jp Thu Feb 6 07:00:30 2020
-From: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
-Date: Thu, 6 Feb 2020 12:36:11 +0900
-Subject: ASoC: qcom: Fix of-node refcount unbalance to link->codec_of_node
-To: stable@vger.kernel.org
-Message-ID: <20200206033611.10593-1-nobuhiro1.iwamatsu@toshiba.co.jp>
-
-From: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
-
-[ This is a fix specific to 4.4.y and 4.9.y stable trees;
- 4.14.y and older are not affected ]
-
-The of-node refcount fixes were made in commit 8d1667200850 ("ASoC: qcom:
-Fix of-node refcount unbalance in apq8016_sbc_parse_of()"), but not enough
-in 4.4.y and 4.9.y. The modification of link->codec_of_node is missing.
-This fixes of-node refcount unbalance to link->codec_of_node.
-
-Fixes: 8d1667200850 ("ASoC: qcom: Fix of-node refcount unbalance in apq8016_sbc_parse_of()")
-Cc: Patrick Lai <plai@codeaurora.org>
-Cc: Banajit Goswami <bgoswami@codeaurora.org>
-Cc: Takashi Iwai <tiwai@suse.de>
-Cc: Mark Brown <broonie@kernel.org>
-Cc: Sasha Levin <sashal@kernel.org>
-Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- sound/soc/qcom/apq8016_sbc.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/sound/soc/qcom/apq8016_sbc.c b/sound/soc/qcom/apq8016_sbc.c
-index 886f2027e671..f2c71bcd06fa 100644
---- a/sound/soc/qcom/apq8016_sbc.c
-+++ b/sound/soc/qcom/apq8016_sbc.c
-@@ -112,7 +112,8 @@ static struct apq8016_sbc_data *apq8016_sbc_parse_of(struct snd_soc_card *card)
- link->codec_of_node = of_parse_phandle(codec, "sound-dai", 0);
- if (!link->codec_of_node) {
- dev_err(card->dev, "error getting codec phandle\n");
-- return ERR_PTR(-EINVAL);
-+ ret = -EINVAL;
-+ goto error;
- }
-
- ret = snd_soc_of_get_dai_name(cpu, &link->cpu_dai_name);
---
-2.23.0
-
--- /dev/null
+From foo@baz Thu 06 Feb 2020 12:17:21 PM GMT
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sun, 2 Feb 2020 02:41:38 -0500
+Subject: bnxt_en: Fix TC queue mapping.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 18e4960c18f484ac288f41b43d0e6c4c88e6ea78 ]
+
+The driver currently only calls netdev_set_tc_queue when the number of
+TCs is greater than 1. Instead, the comparison should be greater than
+or equal to 1. Even with 1 TC, we need to set the queue mapping.
+
+This bug can cause warnings when the number of TCs is changed back to 1.
+
+Fixes: 7809592d3e2e ("bnxt_en: Enable MSIX early in bnxt_init_one().")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -5375,7 +5375,7 @@ static void bnxt_setup_msix(struct bnxt
+ int tcs, i;
+
+ tcs = netdev_get_num_tc(dev);
+- if (tcs > 1) {
++ if (tcs) {
+ int i, off, count;
+
+ for (i = 0; i < tcs; i++) {
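Review bot: the new test at "if (tcs)" does not match the commit message, which asks for "greater than or equal to 1". tcs is declared int, so a non-zero test also passes for a negative value, where tcs >= 1 would not. Writing the condition as tcs >= 1 keeps code and message in agreement. Separately, the context shows "int tcs, i;" at function scope and "int i, off, count;" inside the block, so the inner i shadows the outer one; dropping the inner declaration would tidy that up.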
--- /dev/null
+From foo@baz Thu 06 Feb 2020 12:17:21 PM GMT
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 31 Jan 2020 15:27:04 -0800
+Subject: cls_rsvp: fix rsvp_policy
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit cb3c0e6bdf64d0d124e94ce43cbe4ccbb9b37f51 ]
+
+NLA_BINARY can be confusing, since .len value represents
+the max size of the blob.
+
+cls_rsvp really wants user space to provide long enough data
+for TCA_RSVP_DST and TCA_RSVP_SRC attributes.
+
+BUG: KMSAN: uninit-value in rsvp_get net/sched/cls_rsvp.h:258 [inline]
+BUG: KMSAN: uninit-value in gen_handle net/sched/cls_rsvp.h:402 [inline]
+BUG: KMSAN: uninit-value in rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
+CPU: 1 PID: 13228 Comm: syz-executor.1 Not tainted 5.5.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ rsvp_get net/sched/cls_rsvp.h:258 [inline]
+ gen_handle net/sched/cls_rsvp.h:402 [inline]
+ rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
+ tc_new_tfilter+0x31fe/0x5010 net/sched/cls_api.c:2104
+ rtnetlink_rcv_msg+0xcb7/0x1570 net/core/rtnetlink.c:5415
+ netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
+ netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
+ netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:639 [inline]
+ sock_sendmsg net/socket.c:659 [inline]
+ ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
+ ___sys_sendmsg net/socket.c:2384 [inline]
+ __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
+ __do_sys_sendmsg net/socket.c:2426 [inline]
+ __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45b349
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f269d43dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f269d43e6d4 RCX: 000000000045b349
+RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
+RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000009c2 R14: 00000000004cb338 R15: 000000000075bfd4
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
+ slab_alloc_node mm/slub.c:2774 [inline]
+ __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382
+ __kmalloc_reserve net/core/skbuff.c:141 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
+ alloc_skb include/linux/skbuff.h:1049 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
+ netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892
+ sock_sendmsg_nosec net/socket.c:639 [inline]
+ sock_sendmsg net/socket.c:659 [inline]
+ ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
+ ___sys_sendmsg net/socket.c:2384 [inline]
+ __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
+ __do_sys_sendmsg net/socket.c:2426 [inline]
+ __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 6fa8c0144b77 ("[NET_SCHED]: Use nla_policy for attribute validation in classifiers")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_rsvp.h | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/sched/cls_rsvp.h
++++ b/net/sched/cls_rsvp.h
+@@ -475,10 +475,8 @@ static u32 gen_tunnel(struct rsvp_head *
+
+ static const struct nla_policy rsvp_policy[TCA_RSVP_MAX + 1] = {
+ [TCA_RSVP_CLASSID] = { .type = NLA_U32 },
+- [TCA_RSVP_DST] = { .type = NLA_BINARY,
+- .len = RSVP_DST_LEN * sizeof(u32) },
+- [TCA_RSVP_SRC] = { .type = NLA_BINARY,
+- .len = RSVP_DST_LEN * sizeof(u32) },
++ [TCA_RSVP_DST] = { .len = RSVP_DST_LEN * sizeof(u32) },
++ [TCA_RSVP_SRC] = { .len = RSVP_DST_LEN * sizeof(u32) },
+ [TCA_RSVP_PINFO] = { .len = sizeof(struct tc_rsvp_pinfo) },
+ };
+
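Review bot: the TCA_RSVP_DST and TCA_RSVP_SRC entries now depend on the implicit meaning of an unset .type, and nothing in the hunk says so. With NLA_BINARY the .len field is an upper bound, as the commit message notes; with the type left unspecified it becomes a minimum payload length, which is what closes the short-attribute read reported by KMSAN. A one-line comment above the two entries saying the type is omitted on purpose would stop a later cleanup from restoring NLA_BINARY. The entries also no longer cap the attribute size, so the consumers should be confirmed to read exactly RSVP_DST_LEN * sizeof(u32) bytes and ignore any excess.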
--- /dev/null
+From foo@baz Thu 06 Feb 2020 12:17:21 PM GMT
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Tue, 4 Feb 2020 03:24:59 +0000
+Subject: gtp: use __GFP_NOWARN to avoid memalloc warning
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit bd5cd35b782abf5437fbd01dfaee12437d20e832 ]
+
+gtp hashtable size is received by user-space.
+So, this hashtable size could be too large. If so, kmalloc will internally
+print a warning message.
+This warning message is actually not necessary for the gtp module.
+So, this patch adds __GFP_NOWARN to avoid this message.
+
+Splat looks like:
+[ 2171.200049][ T1860] WARNING: CPU: 1 PID: 1860 at mm/page_alloc.c:4713 __alloc_pages_nodemask+0x2f3/0x740
+[ 2171.238885][ T1860] Modules linked in: gtp veth openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv]
+[ 2171.262680][ T1860] CPU: 1 PID: 1860 Comm: gtp-link Not tainted 5.5.0+ #321
+[ 2171.263567][ T1860] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[ 2171.264681][ T1860] RIP: 0010:__alloc_pages_nodemask+0x2f3/0x740
+[ 2171.265332][ T1860] Code: 64 fe ff ff 65 48 8b 04 25 c0 0f 02 00 48 05 f0 12 00 00 41 be 01 00 00 00 49 89 47 0
+[ 2171.267301][ T1860] RSP: 0018:ffff8880b51af1f0 EFLAGS: 00010246
+[ 2171.268320][ T1860] RAX: ffffed1016a35e43 RBX: 0000000000000000 RCX: 0000000000000000
+[ 2171.269517][ T1860] RDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000000000
+[ 2171.270305][ T1860] RBP: 0000000000040cc0 R08: ffffed1018893109 R09: dffffc0000000000
+[ 2171.275973][ T1860] R10: 0000000000000001 R11: ffffed1018893108 R12: 1ffff11016a35e43
+[ 2171.291039][ T1860] R13: 000000000000000b R14: 000000000000000b R15: 00000000000f4240
+[ 2171.292328][ T1860] FS: 00007f53cbc83740(0000) GS:ffff8880da000000(0000) knlGS:0000000000000000
+[ 2171.293409][ T1860] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 2171.294586][ T1860] CR2: 000055f540014508 CR3: 00000000b49f2004 CR4: 00000000000606e0
+[ 2171.295424][ T1860] Call Trace:
+[ 2171.295756][ T1860] ? mark_held_locks+0xa5/0xe0
+[ 2171.296659][ T1860] ? __alloc_pages_slowpath+0x21b0/0x21b0
+[ 2171.298283][ T1860] ? gtp_encap_enable_socket+0x13e/0x400 [gtp]
+[ 2171.298962][ T1860] ? alloc_pages_current+0xc1/0x1a0
+[ 2171.299475][ T1860] kmalloc_order+0x22/0x80
+[ 2171.299936][ T1860] kmalloc_order_trace+0x1d/0x140
+[ 2171.300437][ T1860] __kmalloc+0x302/0x3a0
+[ 2171.300896][ T1860] gtp_newlink+0x293/0xba0 [gtp]
+[ ... ]
+
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/gtp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -771,11 +771,13 @@ static int gtp_hashtable_new(struct gtp_
+ {
+ int i;
+
+- gtp->addr_hash = kmalloc(sizeof(struct hlist_head) * hsize, GFP_KERNEL);
++ gtp->addr_hash = kmalloc(sizeof(struct hlist_head) * hsize,
++ GFP_KERNEL | __GFP_NOWARN);
+ if (gtp->addr_hash == NULL)
+ return -ENOMEM;
+
+- gtp->tid_hash = kmalloc(sizeof(struct hlist_head) * hsize, GFP_KERNEL);
++ gtp->tid_hash = kmalloc(sizeof(struct hlist_head) * hsize,
++ GFP_KERNEL | __GFP_NOWARN);
+ if (gtp->tid_hash == NULL)
+ goto err1;
+
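Review bot: both kmalloc() calls still compute sizeof(struct hlist_head) * hsize with no bound on hsize, which the commit message says comes from user space. __GFP_NOWARN only hides the allocator warning; the multiplication can still wrap for a large hsize and yield a table smaller than the code indexes into. Consider kmalloc_array(hsize, sizeof(struct hlist_head), GFP_KERNEL | __GFP_NOWARN), which fails on overflow, plus an explicit upper limit on hsize where the netlink attribute is read.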
--- /dev/null
+From foo@baz Thu 06 Feb 2020 12:17:21 PM GMT
+From: Ridge Kennedy <ridge.kennedy@alliedtelesis.co.nz>
+Date: Tue, 4 Feb 2020 12:24:00 +1300
+Subject: l2tp: Allow duplicate session creation with UDP
+
+From: Ridge Kennedy <ridge.kennedy@alliedtelesis.co.nz>
+
+[ Upstream commit 0d0d9a388a858e271bb70e71e99e7fe2a6fd6f64 ]
+
+In the past it was possible to create multiple L2TPv3 sessions with the
+same session id as long as the sessions belonged to different tunnels.
+The resulting sessions had issues when used with IP encapsulated tunnels,
+but worked fine with UDP encapsulated ones. Some applications began to
+rely on this behaviour to avoid having to negotiate unique session ids.
+
+Some time ago a change was made to require session ids to be unique across
+all tunnels, breaking the applications making use of this "feature".
+
+This change relaxes the duplicate session id check to allow duplicates
+if both of the colliding sessions belong to UDP encapsulated tunnels.
+
+Fixes: dbdbc73b4478 ("l2tp: fix duplicate session creation")
+Signed-off-by: Ridge Kennedy <ridge.kennedy@alliedtelesis.co.nz>
+Acked-by: James Chapman <jchapman@katalix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -358,8 +358,13 @@ static int l2tp_session_add_to_tunnel(st
+
+ spin_lock_bh(&pn->l2tp_session_hlist_lock);
+
++ /* IP encap expects session IDs to be globally unique, while
++ * UDP encap doesn't.
++ */
+ hlist_for_each_entry(session_walk, g_head, global_hlist)
+- if (session_walk->session_id == session->session_id) {
++ if (session_walk->session_id == session->session_id &&
++ (session_walk->tunnel->encap == L2TP_ENCAPTYPE_IP ||
++ tunnel->encap == L2TP_ENCAPTYPE_IP)) {
+ err = -EEXIST;
+ goto err_tlock_pnlock;
+ }
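Review bot: after this change the loop over g_head can leave two sessions with the same session_id on global_hlist when both tunnels are UDP, and the hunk does not show how lookups that walk that list by ID alone pick between them. It is worth confirming that every such lookup either also matches on the tunnel or is only reached for IP encapsulation. The added comment could also say that a mixed pair (one IP tunnel, one UDP tunnel) is still rejected, since the condition uses || across session_walk->tunnel->encap and tunnel->encap.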
--- /dev/null
+From foo@baz Thu 06 Feb 2020 12:17:21 PM GMT
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 3 Feb 2020 10:15:07 -0800
+Subject: net: hsr: fix possible NULL deref in hsr_handle_frame()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2b5b8251bc9fe2f9118411f037862ee17cf81e97 ]
+
+hsr_port_get_rcu() can return NULL, so we need to be careful.
+
+general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+CPU: 1 PID: 10249 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
+RIP: 0010:hsr_addr_is_self+0x86/0x330 net/hsr/hsr_framereg.c:44
+Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 6b ff 94 f9 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 02 00 00 48 8b 43 30 49 39 c6 49 89 47 c0 0f
+RSP: 0018:ffffc90000da8a90 EFLAGS: 00010206
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87e0cc33
+RDX: 0000000000000006 RSI: ffffffff87e035d5 RDI: 0000000000000000
+RBP: ffffc90000da8b20 R08: ffff88808e7de040 R09: ffffed1015d2707c
+R10: ffffed1015d2707b R11: ffff8880ae9383db R12: ffff8880a689bc5e
+R13: 1ffff920001b5153 R14: 0000000000000030 R15: ffffc90000da8af8
+FS: 00007fd7a42be700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b32338000 CR3: 00000000a928c000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <IRQ>
+ hsr_handle_frame+0x1c5/0x630 net/hsr/hsr_slave.c:31
+ __netif_receive_skb_core+0xfbc/0x30b0 net/core/dev.c:5099
+ __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:5196
+ __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5312
+ process_backlog+0x206/0x750 net/core/dev.c:6144
+ napi_poll net/core/dev.c:6582 [inline]
+ net_rx_action+0x508/0x1120 net/core/dev.c:6650
+ __do_softirq+0x262/0x98c kernel/softirq.c:292
+ do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
+ </IRQ>
+
+Fixes: c5a759117210 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/hsr/hsr_slave.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/hsr/hsr_slave.c
++++ b/net/hsr/hsr_slave.c
+@@ -32,6 +32,8 @@ static rx_handler_result_t hsr_handle_fr
+
+ rcu_read_lock(); /* hsr->node_db, hsr->ports */
+ port = hsr_port_get_rcu(skb->dev);
++ if (!port)
++ goto finish_pass;
+
+ if (hsr_addr_is_self(port->hsr, eth_hdr(skb)->h_source)) {
+ /* Directly kill frames sent by ourselves */
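Review bot: the new "goto finish_pass" is taken after rcu_read_lock(), and the finish_pass label is outside the visible context. Please confirm that label drops the RCU read lock before returning, otherwise the NULL-port path leaves the read-side section open. If it does, a short comment on the check noting that the device may no longer be an HSR port at this point would explain why a NULL return is expected here.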
--- /dev/null
+From foo@baz Thu 06 Feb 2020 12:17:21 PM GMT
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sun, 2 Feb 2020 21:14:35 -0800
+Subject: net_sched: fix an OOB access in cls_tcindex
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 599be01ee567b61f4471ee8078870847d0a11e8e ]
+
+As Eric noticed, tcindex_alloc_perfect_hash() uses cp->hash
+to compute the size of memory allocation, but cp->hash is
+set again after the allocation, this caused an out-of-bound
+access.
+
+So we have to move all cp->hash initialization and computation
+before the memory allocation. Move cp->mask and cp->shift together
+as cp->hash may need them for computation too.
+
+Reported-and-tested-by: syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com
+Fixes: 331b72922c5f ("net: sched: RCU cls_tcindex")
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_tcindex.c | 40 ++++++++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+--- a/net/sched/cls_tcindex.c
++++ b/net/sched/cls_tcindex.c
+@@ -351,12 +351,31 @@ tcindex_set_parms(struct net *net, struc
+ cp->fall_through = p->fall_through;
+ cp->tp = tp;
+
++ if (tb[TCA_TCINDEX_HASH])
++ cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]);
++
++ if (tb[TCA_TCINDEX_MASK])
++ cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]);
++
++ if (tb[TCA_TCINDEX_SHIFT])
++ cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]);
++
++ if (!cp->hash) {
++ /* Hash not specified, use perfect hash if the upper limit
++ * of the hashing index is below the threshold.
++ */
++ if ((cp->mask >> cp->shift) < PERFECT_HASH_THRESHOLD)
++ cp->hash = (cp->mask >> cp->shift) + 1;
++ else
++ cp->hash = DEFAULT_HASH_SIZE;
++ }
++
+ if (p->perfect) {
+ int i;
+
+ if (tcindex_alloc_perfect_hash(cp) < 0)
+ goto errout;
+- for (i = 0; i < cp->hash; i++)
++ for (i = 0; i < min(cp->hash, p->hash); i++)
+ cp->perfect[i].res = p->perfect[i].res;
+ balloc = 1;
+ }
+@@ -368,15 +387,6 @@ tcindex_set_parms(struct net *net, struc
+ if (old_r)
+ cr = r->res;
+
+- if (tb[TCA_TCINDEX_HASH])
+- cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]);
+-
+- if (tb[TCA_TCINDEX_MASK])
+- cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]);
+-
+- if (tb[TCA_TCINDEX_SHIFT])
+- cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]);
+-
+ err = -EBUSY;
+
+ /* Hash already allocated, make sure that we still meet the
+@@ -394,16 +404,6 @@ tcindex_set_parms(struct net *net, struc
+ if (tb[TCA_TCINDEX_FALL_THROUGH])
+ cp->fall_through = nla_get_u32(tb[TCA_TCINDEX_FALL_THROUGH]);
+
+- if (!cp->hash) {
+- /* Hash not specified, use perfect hash if the upper limit
+- * of the hashing index is below the threshold.
+- */
+- if ((cp->mask >> cp->shift) < PERFECT_HASH_THRESHOLD)
+- cp->hash = (cp->mask >> cp->shift) + 1;
+- else
+- cp->hash = DEFAULT_HASH_SIZE;
+- }
+-
+ if (!cp->perfect && !cp->h)
+ cp->alloc_hash = cp->hash;
+
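Review bot: in the first hunk the copy loop is now bounded by min(cp->hash, p->hash), so when cp->hash is larger than p->hash the entries from p->hash up to cp->hash are never written by this loop. Please confirm tcindex_alloc_perfect_hash() returns zeroed memory, or initialise the remainder explicitly. The moved block also carries over two unchecked user values: cp->hash from nla_get_u32() is used as the allocation size with no upper limit, and cp->shift from nla_get_u32() is used in cp->mask >> cp->shift, where a shift count at or above the width of the promoted type is undefined. Since the block is being relocated anyway, bounding both here would be cheap.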
--- /dev/null
+From foo@baz Thu 06 Feb 2020 12:17:21 PM GMT
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 30 Jan 2020 21:50:36 +0000
+Subject: rxrpc: Fix insufficient receive notification generation
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit f71dbf2fb28489a79bde0dca1c8adfb9cdb20a6b ]
+
+In rxrpc_input_data(), rxrpc_notify_socket() is called if the base sequence
+number of the packet is immediately following the hard-ack point at the end
+of the function. However, this isn't sufficient, since the recvmsg side
+may have been advancing the window and then overrun the position in which
+we're adding - at which point rx_hard_ack >= seq0 and no notification is
+generated.
+
+Fix this by always generating a notification at the end of the input
+function.
+
+Without this, a long call may stall, possibly indefinitely.
+
+Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/input.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -585,8 +585,7 @@ ack:
+ immediate_ack, true,
+ rxrpc_propose_ack_input_data);
+
+- if (sp->hdr.seq == READ_ONCE(call->rx_hard_ack) + 1)
+- rxrpc_notify_socket(call);
++ rxrpc_notify_socket(call);
+ _leave(" [queued]");
+ }
+
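Review bot: the now unconditional rxrpc_notify_socket(call) has no comment explaining why the sp->hdr.seq == READ_ONCE(call->rx_hard_ack) + 1 test was removed. The reason given in the commit message (recvmsg can advance the window past seq0, so the equality never holds and the call stalls) is not obvious from the code, and the old test looks like a sensible optimisation to restore. A short comment at the call site would record that the notification must not be made conditional on rx_hard_ack.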
--- /dev/null
+From foo@baz Thu 06 Feb 2020 12:17:21 PM GMT
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 30 Jan 2020 21:50:36 +0000
+Subject: rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 5273a191dca65a675dc0bcf3909e59c6933e2831 ]
+
+When a call is disconnected, the connection pointer from the call is
+cleared to make sure it isn't used again and to prevent further attempted
+transmission for the call. Unfortunately, there might be a daemon trying
+to use it at the same time to transmit a packet.
+
+Fix this by keeping call->conn set, but setting a flag on the call to
+indicate disconnection instead.
+
+Remove also the bits in the transmission functions where the conn pointer is
+checked and a ref taken under spinlock as this is now redundant.
+
+Fixes: 8d94aa381dab ("rxrpc: Calls shouldn't hold socket refs")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/ar-internal.h | 1 +
+ net/rxrpc/call_object.c | 4 ++--
+ net/rxrpc/conn_client.c | 3 +--
+ net/rxrpc/conn_object.c | 4 ++--
+ net/rxrpc/output.c | 26 +++++++++-----------------
+ 5 files changed, 15 insertions(+), 23 deletions(-)
+
+--- a/net/rxrpc/ar-internal.h
++++ b/net/rxrpc/ar-internal.h
+@@ -451,6 +451,7 @@ enum rxrpc_call_flag {
+ RXRPC_CALL_SEND_PING, /* A ping will need to be sent */
+ RXRPC_CALL_PINGING, /* Ping in process */
+ RXRPC_CALL_RETRANS_TIMEOUT, /* Retransmission due to timeout occurred */
++ RXRPC_CALL_DISCONNECTED, /* The call has been disconnected */
+ };
+
+ /*
+--- a/net/rxrpc/call_object.c
++++ b/net/rxrpc/call_object.c
+@@ -505,7 +505,7 @@ void rxrpc_release_call(struct rxrpc_soc
+
+ _debug("RELEASE CALL %p (%d CONN %p)", call, call->debug_id, conn);
+
+- if (conn)
++ if (conn && !test_bit(RXRPC_CALL_DISCONNECTED, &call->flags))
+ rxrpc_disconnect_call(call);
+
+ for (i = 0; i < RXRPC_RXTX_BUFF_SIZE; i++) {
+@@ -639,6 +639,7 @@ static void rxrpc_rcu_destroy_call(struc
+ {
+ struct rxrpc_call *call = container_of(rcu, struct rxrpc_call, rcu);
+
++ rxrpc_put_connection(call->conn);
+ rxrpc_put_peer(call->peer);
+ kfree(call->rxtx_buffer);
+ kfree(call->rxtx_annotations);
+@@ -660,7 +661,6 @@ void rxrpc_cleanup_call(struct rxrpc_cal
+
+ ASSERTCMP(call->state, ==, RXRPC_CALL_COMPLETE);
+ ASSERT(test_bit(RXRPC_CALL_RELEASED, &call->flags));
+- ASSERTCMP(call->conn, ==, NULL);
+
+ /* Clean up the Rx/Tx buffer */
+ for (i = 0; i < RXRPC_RXTX_BUFF_SIZE; i++)
+--- a/net/rxrpc/conn_client.c
++++ b/net/rxrpc/conn_client.c
+@@ -762,9 +762,9 @@ void rxrpc_disconnect_client_call(struct
+ struct rxrpc_net *rxnet = rxrpc_net(sock_net(&call->socket->sk));
+
+ trace_rxrpc_client(conn, channel, rxrpc_client_chan_disconnect);
+- call->conn = NULL;
+
+ spin_lock(&conn->channel_lock);
++ set_bit(RXRPC_CALL_DISCONNECTED, &call->flags);
+
+ /* Calls that have never actually been assigned a channel can simply be
+ * discarded. If the conn didn't get used either, it will follow
+@@ -863,7 +863,6 @@ out:
+ spin_unlock(&rxnet->client_conn_cache_lock);
+ out_2:
+ spin_unlock(&conn->channel_lock);
+- rxrpc_put_connection(conn);
+ _leave("");
+ return;
+
+--- a/net/rxrpc/conn_object.c
++++ b/net/rxrpc/conn_object.c
+@@ -163,6 +163,8 @@ void __rxrpc_disconnect_call(struct rxrp
+
+ _enter("%d,%x", conn->debug_id, call->cid);
+
++ set_bit(RXRPC_CALL_DISCONNECTED, &call->flags);
++
+ if (rcu_access_pointer(chan->call) == call) {
+ /* Save the result of the call so that we can repeat it if necessary
+ * through the channel, whilst disposing of the actual call record.
+@@ -207,9 +209,7 @@ void rxrpc_disconnect_call(struct rxrpc_
+ __rxrpc_disconnect_call(conn, call);
+ spin_unlock(&conn->channel_lock);
+
+- call->conn = NULL;
+ conn->idle_timestamp = jiffies;
+- rxrpc_put_connection(conn);
+ }
+
+ /*
+--- a/net/rxrpc/output.c
++++ b/net/rxrpc/output.c
+@@ -96,7 +96,7 @@ static size_t rxrpc_fill_out_ack(struct
+ */
+ int rxrpc_send_ack_packet(struct rxrpc_call *call, bool ping)
+ {
+- struct rxrpc_connection *conn = NULL;
++ struct rxrpc_connection *conn;
+ struct rxrpc_ack_buffer *pkt;
+ struct msghdr msg;
+ struct kvec iov[2];
+@@ -106,18 +106,14 @@ int rxrpc_send_ack_packet(struct rxrpc_c
+ int ret;
+ u8 reason;
+
+- spin_lock_bh(&call->lock);
+- if (call->conn)
+- conn = rxrpc_get_connection_maybe(call->conn);
+- spin_unlock_bh(&call->lock);
+- if (!conn)
++ if (test_bit(RXRPC_CALL_DISCONNECTED, &call->flags))
+ return -ECONNRESET;
+
+ pkt = kzalloc(sizeof(*pkt), GFP_KERNEL);
+- if (!pkt) {
+- rxrpc_put_connection(conn);
++ if (!pkt)
+ return -ENOMEM;
+- }
++
++ conn = call->conn;
+
+ msg.msg_name = &call->peer->srx.transport;
+ msg.msg_namelen = call->peer->srx.transport_len;
+@@ -204,7 +200,6 @@ int rxrpc_send_ack_packet(struct rxrpc_c
+ }
+
+ out:
+- rxrpc_put_connection(conn);
+ kfree(pkt);
+ return ret;
+ }
+@@ -214,20 +209,18 @@ out:
+ */
+ int rxrpc_send_abort_packet(struct rxrpc_call *call)
+ {
+- struct rxrpc_connection *conn = NULL;
++ struct rxrpc_connection *conn;
+ struct rxrpc_abort_buffer pkt;
+ struct msghdr msg;
+ struct kvec iov[1];
+ rxrpc_serial_t serial;
+ int ret;
+
+- spin_lock_bh(&call->lock);
+- if (call->conn)
+- conn = rxrpc_get_connection_maybe(call->conn);
+- spin_unlock_bh(&call->lock);
+- if (!conn)
++ if (test_bit(RXRPC_CALL_DISCONNECTED, &call->flags))
+ return -ECONNRESET;
+
++ conn = call->conn;
++
+ msg.msg_name = &call->peer->srx.transport;
+ msg.msg_namelen = call->peer->srx.transport_len;
+ msg.msg_control = NULL;
+@@ -255,7 +248,6 @@ int rxrpc_send_abort_packet(struct rxrpc
+ ret = kernel_sendmsg(conn->params.local->socket,
+ &msg, iov, 1, sizeof(pkt));
+
+- rxrpc_put_connection(conn);
+ return ret;
+ }
+
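Review bot: in net/rxrpc/output.c both send functions test RXRPC_CALL_DISCONNECTED without a lock and then use "conn = call->conn" without taking a reference, so a disconnect can land between the test and kernel_sendmsg(). That is only safe because the connection reference is now held until rxrpc_rcu_destroy_call(); a comment at the assignment stating that lifetime rule would make the dependency explicit. In call_object.c, rxrpc_release_call() still guards with "if (conn && ...)", which implies call->conn can be NULL, yet rxrpc_rcu_destroy_call() calls rxrpc_put_connection(call->conn) unconditionally; please confirm rxrpc_put_connection() accepts NULL. The two set_bit() sites are both under conn->channel_lock, which is good, but the readers in output.c do not take that lock, so the flag should be documented as advisory for the transmit path.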
x86-cpu-update-cached-hle-state-on-write-to-tsx_ctrl.patch
iwlwifi-mvm-fix-nvm-check-for-3168-devices.patch
sparc32-fix-struct-ipc64_perm-type-definition.patch
-asoc-qcom-fix-of-node-refcount-unbalance-to-link-codec_of_node.patch
+cls_rsvp-fix-rsvp_policy.patch
+gtp-use-__gfp_nowarn-to-avoid-memalloc-warning.patch
+l2tp-allow-duplicate-session-creation-with-udp.patch
+net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch
+net_sched-fix-an-oob-access-in-cls_tcindex.patch
+bnxt_en-fix-tc-queue-mapping.patch
+tcp-clear-tp-total_retrans-in-tcp_disconnect.patch
+tcp-clear-tp-delivered-in-tcp_disconnect.patch
+tcp-clear-tp-data_segs-in-out-in-tcp_disconnect.patch
+tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch
+rxrpc-fix-insufficient-receive-notification-generation.patch
+rxrpc-fix-null-pointer-deref-due-to-call-conn-being-cleared-on-disconnect.patch
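Review bot: this series hunk removes asoc-qcom-fix-of-node-refcount-unbalance-to-link-codec_of_node.patch in the same change that adds twelve unrelated networking patches, and nothing visible gives a reason for dropping it. The deleted patch describes itself as specific to the 4.4.y and 4.9.y trees, so the removal deserves its own explanation, ideally as a separate change. Also note that bnxt_en-fix-tc-queue-mapping.patch is listed after the net_sched entry rather than with the other driver fix; that is harmless for applying, but grouping by subsystem would make the series easier to audit.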
--- /dev/null
+From foo@baz Thu 06 Feb 2020 12:17:21 PM GMT
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 31 Jan 2020 10:32:41 -0800
+Subject: tcp: clear tp->data_segs{in|out} in tcp_disconnect()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit db7ffee6f3eb3683cdcaeddecc0a630a14546fe3 ]
+
+tp->data_segs_in and tp->data_segs_out need to be cleared
+in tcp_disconnect().
+
+tcp_disconnect() is rarely used, but it is worth fixing it.
+
+Fixes: a44d6eacdaf5 ("tcp: Add RFC4898 tcpEStatsPerfDataSegsOut/In")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2381,6 +2381,8 @@ int tcp_disconnect(struct sock *sk, int
+ tcp_saved_syn_free(tp);
+ tp->bytes_acked = 0;
+ tp->bytes_received = 0;
++ tp->data_segs_in = 0;
++ tp->data_segs_out = 0;
+
+ /* Clean up fastopen related fields */
+ tcp_free_fastopen_req(tp);
--- /dev/null
+From foo@baz Thu 06 Feb 2020 12:17:21 PM GMT
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 31 Jan 2020 10:22:47 -0800
+Subject: tcp: clear tp->delivered in tcp_disconnect()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2fbdd56251b5c62f96589f39eded277260de7267 ]
+
+tp->delivered needs to be cleared in tcp_disconnect().
+
+tcp_disconnect() is rarely used, but it is worth fixing it.
+
+Fixes: ddf1af6fa00e ("tcp: new delivery accounting")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2363,6 +2363,7 @@ int tcp_disconnect(struct sock *sk, int
+ tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
+ tp->snd_cwnd_cnt = 0;
+ tp->window_clamp = 0;
++ tp->delivered = 0;
+ tcp_set_ca_state(sk, TCP_CA_Open);
+ tp->is_sack_reneg = 0;
+ tcp_clear_retrans(tp);
--- /dev/null
+From foo@baz Thu 06 Feb 2020 12:17:21 PM GMT
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 31 Jan 2020 10:44:50 -0800
+Subject: tcp: clear tp->segs_{in|out} in tcp_disconnect()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 784f8344de750a41344f4bbbebb8507a730fc99c ]
+
+tp->segs_in and tp->segs_out need to be cleared in tcp_disconnect().
+
+tcp_disconnect() is rarely used, but it is worth fixing it.
+
+Fixes: 2efd055c53c0 ("tcp: add tcpi_segs_in and tcpi_segs_out to tcp_info")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Marcelo Ricardo Leitner <mleitner@redhat.com>
+Cc: Yuchung Cheng <ycheng@google.com>
+Cc: Neal Cardwell <ncardwell@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2379,6 +2379,8 @@ int tcp_disconnect(struct sock *sk, int
+ dst_release(sk->sk_rx_dst);
+ sk->sk_rx_dst = NULL;
+ tcp_saved_syn_free(tp);
++ tp->segs_in = 0;
++ tp->segs_out = 0;
+ tp->bytes_acked = 0;
+ tp->bytes_received = 0;
+ tp->data_segs_in = 0;
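Review bot: the trailing context line "tp->data_segs_in = 0;" exists only once the tp->data_segs{in|out} patch has been applied, so this patch cannot apply on its own and depends on series order. The series file does list the data_segs patch first, but neither commit message records the dependency; a note in the message, or folding the four tcp_disconnect() counter resets into one patch for the stable queue, would prevent a reorder or a partial backport from failing to apply.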
--- /dev/null
+From foo@baz Thu 06 Feb 2020 12:17:21 PM GMT
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 31 Jan 2020 09:14:47 -0800
+Subject: tcp: clear tp->total_retrans in tcp_disconnect()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c13c48c00a6bc1febc73902505bdec0967bd7095 ]
+
+total_retrans needs to be cleared in tcp_disconnect().
+
+tcp_disconnect() is rarely used, but it is worth fixing it.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: SeongJae Park <sjpark@amazon.de>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2366,6 +2366,7 @@ int tcp_disconnect(struct sock *sk, int
+ tcp_set_ca_state(sk, TCP_CA_Open);
+ tp->is_sack_reneg = 0;
+ tcp_clear_retrans(tp);
++ tp->total_retrans = 0;
+ inet_csk_delack_init(sk);
+ /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
+ * issue in __tcp_select_window()