--- /dev/null
+From foo@baz Mon 18 Nov 2019 09:15:35 AM CET
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 14 Nov 2019 11:16:01 +0100
+Subject: ax88172a: fix information leak on short answers
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit a9a51bd727d141a67b589f375fe69d0e54c4fe22 ]
+
+If a malicious device gives a short MAC it can elicit up to
+5 bytes of leaked memory out of the driver. We need to check for
+ETH_ALEN instead.
+
+Reported-by: syzbot+a8d4acdad35e6bbca308@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/ax88172a.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/ax88172a.c
++++ b/drivers/net/usb/ax88172a.c
+@@ -196,7 +196,7 @@ static int ax88172a_bind(struct usbnet *
+
+ /* Get the MAC address */
+ ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0);
+- if (ret < 0) {
++ if (ret < ETH_ALEN) {
+ netdev_err(dev->net, "Failed to read MAC address: %d\n", ret);
+ goto free;
+ }
--- /dev/null
+From foo@baz Mon 18 Nov 2019 09:15:35 AM CET
+From: Aya Levin <ayal@mellanox.com>
+Date: Sun, 10 Nov 2019 14:11:56 +0200
+Subject: devlink: Add method for time-stamp on reporter's dump
+
+From: Aya Levin <ayal@mellanox.com>
+
+[ Upstream commit d279505b723cba058b604ed8cf9cd4c854e2a041 ]
+
+When setting the dump's time-stamp, use ktime_get_real in addition to
+jiffies. This simplifies the user space implementation and bypasses
+some inconsistent behavior with translating jiffies to current time.
+The time taken is transformed into nsec, to comply with y2038 issue.
+
+Fixes: c8e1da0bf923 ("devlink: Add health report functionality")
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/devlink.h | 1 +
+ net/core/devlink.c | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+--- a/include/uapi/linux/devlink.h
++++ b/include/uapi/linux/devlink.h
+@@ -348,6 +348,7 @@ enum devlink_attr {
+ DEVLINK_ATTR_PORT_PCI_PF_NUMBER, /* u16 */
+ DEVLINK_ATTR_PORT_PCI_VF_NUMBER, /* u16 */
+
++ DEVLINK_ATTR_HEALTH_REPORTER_DUMP_TS_NS, /* u64 */
+ /* add new attributes above here, update the policy in devlink.c */
+
+ __DEVLINK_ATTR_MAX,
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -4577,6 +4577,7 @@ struct devlink_health_reporter {
+ bool auto_recover;
+ u8 health_state;
+ u64 dump_ts;
++ u64 dump_real_ts;
+ u64 error_count;
+ u64 recovery_count;
+ u64 last_recovery_ts;
+@@ -4749,6 +4750,7 @@ static int devlink_health_do_dump(struct
+ goto dump_err;
+
+ reporter->dump_ts = jiffies;
++ reporter->dump_real_ts = ktime_get_real_ns();
+
+ return 0;
+
+@@ -4911,6 +4913,10 @@ devlink_nl_health_reporter_fill(struct s
+ jiffies_to_msecs(reporter->dump_ts),
+ DEVLINK_ATTR_PAD))
+ goto reporter_nest_cancel;
++ if (reporter->dump_fmsg &&
++ nla_put_u64_64bit(msg, DEVLINK_ATTR_HEALTH_REPORTER_DUMP_TS_NS,
++ reporter->dump_real_ts, DEVLINK_ATTR_PAD))
++ goto reporter_nest_cancel;
+
+ nla_nest_end(msg, reporter_attr);
+ genlmsg_end(msg, hdr);
--- /dev/null
+From foo@baz Mon 18 Nov 2019 09:15:35 AM CET
+From: Jiri Pirko <jiri@mellanox.com>
+Date: Sat, 9 Nov 2019 11:29:46 +0100
+Subject: devlink: disallow reload operation during device cleanup
+
+From: Jiri Pirko <jiri@mellanox.com>
+
+[ Upstream commit 5a508a254bed9a2e36a5fb96c9065532a6bf1e9c ]
+
+There is a race between driver code that does setup/cleanup of device
+and devlink reload operation that in some drivers works with the same
+code. Use after free could we easily obtained by running:
+
+while true; do
+ echo "0000:00:10.0" >/sys/bus/pci/drivers/mlxsw_spectrum2/bind
+ devlink dev reload pci/0000:00:10.0 &
+ echo "0000:00:10.0" >/sys/bus/pci/drivers/mlxsw_spectrum2/unbind
+done
+
+Fix this by enabling reload only after setup of device is complete and
+disabling it at the beginning of the cleanup process.
+
+Reported-by: Ido Schimmel <idosch@mellanox.com>
+Fixes: 2d8dc5bbf4e7 ("devlink: Add support for reload")
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/main.c | 3 ++
+ drivers/net/ethernet/mellanox/mlxsw/core.c | 6 +++-
+ drivers/net/netdevsim/dev.c | 2 +
+ include/net/devlink.h | 3 ++
+ net/core/devlink.c | 39 ++++++++++++++++++++++++++++-
+ 5 files changed, 51 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
+@@ -3982,6 +3982,7 @@ static int mlx4_init_one(struct pci_dev
+ goto err_params_unregister;
+
+ devlink_params_publish(devlink);
++ devlink_reload_enable(devlink);
+ pci_save_state(pdev);
+ return 0;
+
+@@ -4093,6 +4094,8 @@ static void mlx4_remove_one(struct pci_d
+ struct devlink *devlink = priv_to_devlink(priv);
+ int active_vfs = 0;
+
++ devlink_reload_disable(devlink);
++
+ if (mlx4_is_slave(dev))
+ persist->interface_state |= MLX4_INTERFACE_STATE_NOWAIT;
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/core.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c
+@@ -1128,8 +1128,10 @@ __mlxsw_core_bus_device_register(const s
+ if (err)
+ goto err_thermal_init;
+
+- if (mlxsw_driver->params_register)
++ if (mlxsw_driver->params_register) {
+ devlink_params_publish(devlink);
++ devlink_reload_enable(devlink);
++ }
+
+ return 0;
+
+@@ -1191,6 +1193,8 @@ void mlxsw_core_bus_device_unregister(st
+ {
+ struct devlink *devlink = priv_to_devlink(mlxsw_core);
+
++ if (!reload)
++ devlink_reload_disable(devlink);
+ if (mlxsw_core->reload_fail) {
+ if (!reload)
+ /* Only the parts that were not de-initialized in the
+--- a/drivers/net/netdevsim/dev.c
++++ b/drivers/net/netdevsim/dev.c
+@@ -297,6 +297,7 @@ nsim_dev_create(struct nsim_bus_dev *nsi
+ if (err)
+ goto err_debugfs_exit;
+
++ devlink_reload_enable(devlink);
+ return nsim_dev;
+
+ err_debugfs_exit:
+@@ -314,6 +315,7 @@ static void nsim_dev_destroy(struct nsim
+ {
+ struct devlink *devlink = priv_to_devlink(nsim_dev);
+
++ devlink_reload_disable(devlink);
+ nsim_bpf_dev_exit(nsim_dev);
+ nsim_dev_debugfs_exit(nsim_dev);
+ devlink_unregister(devlink);
+--- a/include/net/devlink.h
++++ b/include/net/devlink.h
+@@ -35,6 +35,7 @@ struct devlink {
+ struct device *dev;
+ possible_net_t _net;
+ struct mutex lock;
++ u8 reload_enabled:1;
+ char priv[0] __aligned(NETDEV_ALIGN);
+ };
+
+@@ -594,6 +595,8 @@ struct ib_device;
+ struct devlink *devlink_alloc(const struct devlink_ops *ops, size_t priv_size);
+ int devlink_register(struct devlink *devlink, struct device *dev);
+ void devlink_unregister(struct devlink *devlink);
++void devlink_reload_enable(struct devlink *devlink);
++void devlink_reload_disable(struct devlink *devlink);
+ void devlink_free(struct devlink *devlink);
+ int devlink_port_register(struct devlink *devlink,
+ struct devlink_port *devlink_port,
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -2677,7 +2677,7 @@ static int devlink_nl_cmd_reload(struct
+ struct devlink *devlink = info->user_ptr[0];
+ int err;
+
+- if (!devlink->ops->reload)
++ if (!devlink->ops->reload || !devlink->reload_enabled)
+ return -EOPNOTSUPP;
+
+ err = devlink_resources_validate(devlink, NULL, info);
+@@ -5559,6 +5559,8 @@ EXPORT_SYMBOL_GPL(devlink_register);
+ void devlink_unregister(struct devlink *devlink)
+ {
+ mutex_lock(&devlink_mutex);
++ WARN_ON(devlink_reload_supported(devlink) &&
++ devlink->reload_enabled);
+ devlink_notify(devlink, DEVLINK_CMD_DEL);
+ list_del(&devlink->list);
+ mutex_unlock(&devlink_mutex);
+@@ -5566,6 +5568,41 @@ void devlink_unregister(struct devlink *
+ EXPORT_SYMBOL_GPL(devlink_unregister);
+
+ /**
++ * devlink_reload_enable - Enable reload of devlink instance
++ *
++ * @devlink: devlink
++ *
++ * Should be called at end of device initialization
++ * process when reload operation is supported.
++ */
++void devlink_reload_enable(struct devlink *devlink)
++{
++ mutex_lock(&devlink_mutex);
++ devlink->reload_enabled = true;
++ mutex_unlock(&devlink_mutex);
++}
++EXPORT_SYMBOL_GPL(devlink_reload_enable);
++
++/**
++ * devlink_reload_disable - Disable reload of devlink instance
++ *
++ * @devlink: devlink
++ *
++ * Should be called at the beginning of device cleanup
++ * process when reload operation is supported.
++ */
++void devlink_reload_disable(struct devlink *devlink)
++{
++ mutex_lock(&devlink_mutex);
++ /* Mutex is taken which ensures that no reload operation is in
++ * progress while setting up forbidded flag.
++ */
++ devlink->reload_enabled = false;
++ mutex_unlock(&devlink_mutex);
++}
++EXPORT_SYMBOL_GPL(devlink_reload_disable);
++
++/**
+ * devlink_free - Free devlink instance resources
+ *
+ * @devlink: devlink
--- /dev/null
+From foo@baz Mon 18 Nov 2019 09:15:35 AM CET
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+Date: Tue, 12 Nov 2019 18:21:52 +0200
+Subject: dpaa2-eth: free already allocated channels on probe defer
+
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+
+[ Upstream commit 5aa4277d4368c099223bbcd3a9086f3351a12ce9 ]
+
+The setup_dpio() function tries to allocate a number of channels equal
+to the number of CPUs online. When there are not enough DPCON objects
+already probed, the function will return EPROBE_DEFER. When this
+happens, the already allocated channels are not freed. This results in
+the incapacity of properly probing the next time around.
+Fix this by freeing the channels on the error path.
+
+Fixes: d7f5a9d89a55 ("dpaa2-eth: defer probe on object allocate")
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -2166,8 +2166,16 @@ err_set_cdan:
+ err_service_reg:
+ free_channel(priv, channel);
+ err_alloc_ch:
+- if (err == -EPROBE_DEFER)
++ if (err == -EPROBE_DEFER) {
++ for (i = 0; i < priv->num_channels; i++) {
++ channel = priv->channel[i];
++ nctx = &channel->nctx;
++ dpaa2_io_service_deregister(channel->dpio, nctx, dev);
++ free_channel(priv, channel);
++ }
++ priv->num_channels = 0;
+ return err;
++ }
+
+ if (cpumask_empty(&priv->dpio_cpumask)) {
+ dev_err(dev, "No cpu with an affine DPIO/DPCON\n");
--- /dev/null
+From foo@baz Mon 18 Nov 2019 09:15:35 AM CET
+From: Guillaume Nault <gnault@redhat.com>
+Date: Fri, 15 Nov 2019 18:29:52 +0100
+Subject: ipmr: Fix skb headroom in ipmr_get_route().
+
+From: Guillaume Nault <gnault@redhat.com>
+
+[ Upstream commit 7901cd97963d6cbde88fa25a4a446db3554c16c6 ]
+
+In route.c, inet_rtm_getroute_build_skb() creates an skb with no
+headroom. This skb is then used by inet_rtm_getroute() which may pass
+it to rt_fill_info() and, from there, to ipmr_get_route(). The later
+might try to reuse this skb by cloning it and prepending an IPv4
+header. But since the original skb has no headroom, skb_push() triggers
+skb_under_panic():
+
+skbuff: skb_under_panic: text:00000000ca46ad8a len:80 put:20 head:00000000cd28494e data:000000009366fd6b tail:0x3c end:0xec0 dev:veth0
+------------[ cut here ]------------
+kernel BUG at net/core/skbuff.c:108!
+invalid opcode: 0000 [#1] SMP KASAN PTI
+CPU: 6 PID: 587 Comm: ip Not tainted 5.4.0-rc6+ #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
+RIP: 0010:skb_panic+0xbf/0xd0
+Code: 41 a2 ff 8b 4b 70 4c 8b 4d d0 48 c7 c7 20 76 f5 8b 44 8b 45 bc 48 8b 55 c0 48 8b 75 c8 41 54 41 57 41 56 41 55 e8 75 dc 7a ff <0f> 0b 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00
+RSP: 0018:ffff888059ddf0b0 EFLAGS: 00010286
+RAX: 0000000000000086 RBX: ffff888060a315c0 RCX: ffffffff8abe4822
+RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88806c9a79cc
+RBP: ffff888059ddf118 R08: ffffed100d9361b1 R09: ffffed100d9361b0
+R10: ffff88805c68aee3 R11: ffffed100d9361b1 R12: ffff88805d218000
+R13: ffff88805c689fec R14: 000000000000003c R15: 0000000000000ec0
+FS: 00007f6af184b700(0000) GS:ffff88806c980000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffc8204a000 CR3: 0000000057b40006 CR4: 0000000000360ee0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ skb_push+0x7e/0x80
+ ipmr_get_route+0x459/0x6fa
+ rt_fill_info+0x692/0x9f0
+ inet_rtm_getroute+0xd26/0xf20
+ rtnetlink_rcv_msg+0x45d/0x630
+ netlink_rcv_skb+0x1a5/0x220
+ rtnetlink_rcv+0x15/0x20
+ netlink_unicast+0x305/0x3a0
+ netlink_sendmsg+0x575/0x730
+ sock_sendmsg+0xb5/0xc0
+ ___sys_sendmsg+0x497/0x4f0
+ __sys_sendmsg+0xcb/0x150
+ __x64_sys_sendmsg+0x48/0x50
+ do_syscall_64+0xd2/0xac0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Actually the original skb used to have enough headroom, but the
+reserve_skb() call was lost with the introduction of
+inet_rtm_getroute_build_skb() by commit 404eb77ea766 ("ipv4: support
+sport, dport and ip_proto in RTM_GETROUTE").
+
+We could reserve some headroom again in inet_rtm_getroute_build_skb(),
+but this function shouldn't be responsible for handling the special
+case of ipmr_get_route(). Let's handle that directly in
+ipmr_get_route() by calling skb_realloc_headroom() instead of
+skb_clone().
+
+Fixes: 404eb77ea766 ("ipv4: support sport, dport and ip_proto in RTM_GETROUTE")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ipmr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/ipmr.c
++++ b/net/ipv4/ipmr.c
+@@ -2289,7 +2289,8 @@ int ipmr_get_route(struct net *net, stru
+ rcu_read_unlock();
+ return -ENODEV;
+ }
+- skb2 = skb_clone(skb, GFP_ATOMIC);
++
++ skb2 = skb_realloc_headroom(skb, sizeof(struct iphdr));
+ if (!skb2) {
+ read_unlock(&mrt_lock);
+ rcu_read_unlock();
--- /dev/null
+From foo@baz Mon 18 Nov 2019 09:15:35 AM CET
+From: Jiri Pirko <jiri@mellanox.com>
+Date: Sun, 10 Nov 2019 16:31:23 +0100
+Subject: mlxsw: core: Enable devlink reload only on probe
+
+From: Jiri Pirko <jiri@mellanox.com>
+
+[ Upstream commit 73a533ecf0af5f73ff72dd7c96d1c8598ca93649 ]
+
+Call devlink enable only during probe time and avoid deadlock
+during reload.
+
+Reported-by: Shalom Toledo <shalomt@mellanox.com>
+Fixes: 5a508a254bed ("devlink: disallow reload operation during device cleanup")
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Tested-by: Shalom Toledo <shalomt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core.c | 5 +++--
+ net/core/devlink.c | 2 +-
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/core.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c
+@@ -1128,10 +1128,11 @@ __mlxsw_core_bus_device_register(const s
+ if (err)
+ goto err_thermal_init;
+
+- if (mlxsw_driver->params_register) {
++ if (mlxsw_driver->params_register)
+ devlink_params_publish(devlink);
++
++ if (!reload)
+ devlink_reload_enable(devlink);
+- }
+
+ return 0;
+
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -5559,7 +5559,7 @@ EXPORT_SYMBOL_GPL(devlink_register);
+ void devlink_unregister(struct devlink *devlink)
+ {
+ mutex_lock(&devlink_mutex);
+- WARN_ON(devlink_reload_supported(devlink) &&
++ WARN_ON(devlink->ops->reload &&
+ devlink->reload_enabled);
+ devlink_notify(devlink, DEVLINK_CMD_DEL);
+ list_del(&devlink->list);
--- /dev/null
+From foo@baz Mon 18 Nov 2019 09:15:35 AM CET
+From: Chuhong Yuan <hslester96@gmail.com>
+Date: Fri, 15 Nov 2019 14:24:54 +0800
+Subject: net: gemini: add missed free_netdev
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 18d647ae74116bfee38953978501cea2960a0c25 ]
+
+This driver forgets to free allocated netdev in remove like
+what is done in probe failure.
+Add the free to fix it.
+
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cortina/gemini.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/cortina/gemini.c
++++ b/drivers/net/ethernet/cortina/gemini.c
+@@ -2527,6 +2527,7 @@ static int gemini_ethernet_port_remove(s
+ struct gemini_ethernet_port *port = platform_get_drvdata(pdev);
+
+ gemini_port_remove(port);
++ free_netdev(port->netdev);
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Mon 18 Nov 2019 09:15:35 AM CET
+From: Ursula Braun <ubraun@linux.ibm.com>
+Date: Fri, 15 Nov 2019 12:39:30 +0100
+Subject: net/smc: fix fastopen for non-blocking connect()
+
+From: Ursula Braun <ubraun@linux.ibm.com>
+
+[ Upstream commit 8204df72bea1a7d83d0777add6da98a41dfbdc34 ]
+
+FASTOPEN does not work with SMC-sockets. Since SMC allows fallback to
+TCP native during connection start, the FASTOPEN setsockopts trigger
+this fallback, if the SMC-socket is still in state SMC_INIT.
+But if a FASTOPEN setsockopt is called after a non-blocking connect(),
+this is broken, and fallback does not make sense.
+This change complements
+commit cd2063604ea6 ("net/smc: avoid fallback in case of non-blocking connect")
+and fixes the syzbot reported problem "WARNING in smc_unhash_sk".
+
+Reported-by: syzbot+8488cc4cf1c9e09b8b86@syzkaller.appspotmail.com
+Fixes: e1bbdd570474 ("net/smc: reduce sock_put() for fallback sockets")
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/af_smc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1731,7 +1731,7 @@ static int smc_setsockopt(struct socket
+ case TCP_FASTOPEN_KEY:
+ case TCP_FASTOPEN_NO_COOKIE:
+ /* option not supported by SMC */
+- if (sk->sk_state == SMC_INIT) {
++ if (sk->sk_state == SMC_INIT && !smc->connect_nonblock) {
+ smc_switch_to_fallback(smc);
+ smc->fallback_rsn = SMC_CLC_DECL_OPTUNSUPP;
+ } else {
--- /dev/null
+From foo@baz Mon 18 Nov 2019 09:15:35 AM CET
+From: Ursula Braun <ubraun@linux.ibm.com>
+Date: Tue, 12 Nov 2019 16:03:41 +0100
+Subject: net/smc: fix refcount non-blocking connect() -part 2
+
+From: Ursula Braun <ubraun@linux.ibm.com>
+
+[ Upstream commit 6d6dd528d5af05dc2d0c773951ed68d630a0c3f1 ]
+
+If an SMC socket is immediately terminated after a non-blocking connect()
+has been called, a memory leak is possible.
+Due to the sock_hold move in
+commit 301428ea3708 ("net/smc: fix refcounting for non-blocking connect()")
+an extra sock_put() is needed in smc_connect_work(), if the internal
+TCP socket is aborted and cancels the sk_stream_wait_connect() of the
+connect worker.
+
+Reported-by: syzbot+4b73ad6fc767e576e275@syzkaller.appspotmail.com
+Fixes: 301428ea3708 ("net/smc: fix refcounting for non-blocking connect()")
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/af_smc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -796,6 +796,7 @@ static void smc_connect_work(struct work
+ smc->sk.sk_err = EPIPE;
+ else if (signal_pending(current))
+ smc->sk.sk_err = -sock_intr_errno(timeo);
++ sock_put(&smc->sk); /* passive closing */
+ goto out;
+ }
+
--- /dev/null
+From foo@baz Mon 18 Nov 2019 09:15:35 AM CET
+From: Aleksander Morgado <aleksander@aleksander.es>
+Date: Wed, 13 Nov 2019 11:11:10 +0100
+Subject: net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules
+
+From: Aleksander Morgado <aleksander@aleksander.es>
+
+[ Upstream commit 802753cb0b141cf5170ab97fe7e79f5ca10d06b0 ]
+
+These are the Foxconn-branded variants of the Dell DW5821e modules,
+same USB layout as those.
+
+The QMI interface is exposed in USB configuration #1:
+
+P: Vendor=0489 ProdID=e0b4 Rev=03.18
+S: Manufacturer=FII
+S: Product=T77W968 LTE
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I: If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=00 Prot=00 Driver=usbhid
+I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+
+Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1370,6 +1370,8 @@ static const struct usb_device_id produc
+ {QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */
+ {QMI_FIXED_INTF(0x2c7c, 0x0296, 4)}, /* Quectel BG96 */
+ {QMI_QUIRK_SET_DTR(0x2cb7, 0x0104, 4)}, /* Fibocom NL678 series */
++ {QMI_FIXED_INTF(0x0489, 0xe0b4, 0)}, /* Foxconn T77W968 LTE */
++ {QMI_FIXED_INTF(0x0489, 0xe0b5, 0)}, /* Foxconn T77W968 LTE with eSIM support*/
+
+ /* 4. Gobi 1000 devices */
+ {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */
scsi-core-handle-drivers-which-set-sg_tablesize-to-zero.patch
+ax88172a-fix-information-leak-on-short-answers.patch
+devlink-disallow-reload-operation-during-device-cleanup.patch
+ipmr-fix-skb-headroom-in-ipmr_get_route.patch
+mlxsw-core-enable-devlink-reload-only-on-probe.patch
+net-gemini-add-missed-free_netdev.patch
+net-smc-fix-fastopen-for-non-blocking-connect.patch
+net-usb-qmi_wwan-add-support-for-foxconn-t77w968-lte-modules.patch
+slip-fix-memory-leak-in-slip_open-error-path.patch
+tcp-remove-redundant-new-line-from-tcp_event_sk_skb.patch
+dpaa2-eth-free-already-allocated-channels-on-probe-defer.patch
+devlink-add-method-for-time-stamp-on-reporter-s-dump.patch
+net-smc-fix-refcount-non-blocking-connect-part-2.patch
--- /dev/null
+From foo@baz Mon 18 Nov 2019 09:15:35 AM CET
+From: Jouni Hogander <jouni.hogander@unikie.com>
+Date: Wed, 13 Nov 2019 13:45:02 +0200
+Subject: slip: Fix memory leak in slip_open error path
+
+From: Jouni Hogander <jouni.hogander@unikie.com>
+
+[ Upstream commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa ]
+
+Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected
+by Syzkaller in slcan. Same issue exists in slip.c and this patch is
+addressing the leak in slip.c.
+
+Here is the slcan memory leak trace reported by Syzkaller:
+
+BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
+ comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
+ hex dump (first 32 bytes):
+ 73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
+ [<0000000083306e66>] kvmalloc_node+0x3a/0xc0
+ [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
+ [<0000000061a996c9>] slcan_open+0x3ae/0x9a0
+ [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
+ [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
+ [<000000004de5a617>] tty_ioctl+0x48d/0x1590
+ [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
+ [<0000000059068dbc>] ksys_ioctl+0x99/0xb0
+ [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
+ [<0000000053d0332e>] do_syscall_64+0x16f/0x580
+ [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ [<000000008ea75434>] 0xfffffffffffffff
+
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Oliver Hartkopp <socketcan@hartkopp.net>
+Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
+Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/slip/slip.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/slip/slip.c
++++ b/drivers/net/slip/slip.c
+@@ -855,6 +855,7 @@ err_free_chan:
+ sl->tty = NULL;
+ tty->disc_data = NULL;
+ clear_bit(SLF_INUSE, &sl->flags);
++ free_netdev(sl->dev);
+
+ err_exit:
+ rtnl_unlock();
--- /dev/null
+From foo@baz Mon 18 Nov 2019 09:15:35 AM CET
+From: Tony Lu <tonylu@linux.alibaba.com>
+Date: Sat, 9 Nov 2019 18:43:06 +0800
+Subject: tcp: remove redundant new line from tcp_event_sk_skb
+
+From: Tony Lu <tonylu@linux.alibaba.com>
+
+[ Upstream commit dd3d792def0d4f33bbf319982b1878b0c8aaca34 ]
+
+This removes '\n' from trace event class tcp_event_sk_skb to avoid
+redundant new blank line and make output compact.
+
+Fixes: af4325ecc24f ("tcp: expose sk_state in tcp_retransmit_skb tracepoint")
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Yafang Shao <laoar.shao@gmail.com>
+Signed-off-by: Tony Lu <tonylu@linux.alibaba.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/trace/events/tcp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/trace/events/tcp.h
++++ b/include/trace/events/tcp.h
+@@ -86,7 +86,7 @@ DECLARE_EVENT_CLASS(tcp_event_sk_skb,
+ sk->sk_v6_rcv_saddr, sk->sk_v6_daddr);
+ ),
+
+- TP_printk("sport=%hu dport=%hu saddr=%pI4 daddr=%pI4 saddrv6=%pI6c daddrv6=%pI6c state=%s\n",
++ TP_printk("sport=%hu dport=%hu saddr=%pI4 daddr=%pI4 saddrv6=%pI6c daddrv6=%pI6c state=%s",
+ __entry->sport, __entry->dport, __entry->saddr, __entry->daddr,
+ __entry->saddr_v6, __entry->daddr_v6,
+ show_tcp_state_name(__entry->state))
projects / thirdparty / kernel / stable-queue.git / commitdiff
