4.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 21 Aug 2018 05:28:04 +0000 (07:28 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 21 Aug 2018 05:28:04 +0000 (07:28 +0200)
added patches:
bluetooth-avoid-killing-an-already-killed-socket.patch
cls_matchall-fix-tcf_unbind_filter-missing.patch
hv-netvsc-fix-null-dereference-at-single-queue-mode-fallback.patch
ip_vti-fix-a-null-pointer-deferrence-when-create-vti-fallback-tunnel.patch
isdn-disable-iiocdbgvar.patch
net-ethernet-mvneta-fix-napi-structure-mixup-on-armada-3700.patch
net-mvneta-fix-mvneta_config_rss-on-armada-3700.patch
net-sock_diag-fix-spectre-v1-gadget-in-__sock_diag_cmd.patch
r8169-don-t-use-msi-x-on-rtl8106e.patch

queue-4.18/bluetooth-avoid-killing-an-already-killed-socket.patch [new file with mode: 0644]
queue-4.18/cls_matchall-fix-tcf_unbind_filter-missing.patch [new file with mode: 0644]
queue-4.18/hv-netvsc-fix-null-dereference-at-single-queue-mode-fallback.patch [new file with mode: 0644]
queue-4.18/ip_vti-fix-a-null-pointer-deferrence-when-create-vti-fallback-tunnel.patch [new file with mode: 0644]
queue-4.18/isdn-disable-iiocdbgvar.patch [new file with mode: 0644]
queue-4.18/net-ethernet-mvneta-fix-napi-structure-mixup-on-armada-3700.patch [new file with mode: 0644]
queue-4.18/net-mvneta-fix-mvneta_config_rss-on-armada-3700.patch [new file with mode: 0644]
queue-4.18/net-sock_diag-fix-spectre-v1-gadget-in-__sock_diag_cmd.patch [new file with mode: 0644]
queue-4.18/r8169-don-t-use-msi-x-on-rtl8106e.patch [new file with mode: 0644]
queue-4.18/series

diff --git a/queue-4.18/bluetooth-avoid-killing-an-already-killed-socket.patch b/queue-4.18/bluetooth-avoid-killing-an-already-killed-socket.patch
new file mode 100644 (file)
index 0000000..b8c5afa
--- /dev/null
@@ -0,0 +1,195 @@
+From 4e1a720d0312fd510699032c7694a362a010170f Mon Sep 17 00:00:00 2001
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Date: Sun, 15 Jul 2018 20:36:50 +0100
+Subject: Bluetooth: avoid killing an already killed socket
+
+From: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+
+commit 4e1a720d0312fd510699032c7694a362a010170f upstream.
+
+slub debug reported:
+
+[  440.648642] =============================================================================
+[  440.648649] BUG kmalloc-1024 (Tainted: G    BU     O   ): Poison overwritten
+[  440.648651] -----------------------------------------------------------------------------
+
+[  440.648655] INFO: 0xe70f4bec-0xe70f4bec. First byte 0x6a instead of 0x6b
+[  440.648665] INFO: Allocated in sk_prot_alloc+0x6b/0xc6 age=33155 cpu=1 pid=1047
+[  440.648671]         ___slab_alloc.constprop.24+0x1fc/0x292
+[  440.648675]         __slab_alloc.isra.18.constprop.23+0x1c/0x25
+[  440.648677]         __kmalloc+0xb6/0x17f
+[  440.648680]         sk_prot_alloc+0x6b/0xc6
+[  440.648683]         sk_alloc+0x1e/0xa1
+[  440.648700]         sco_sock_alloc.constprop.6+0x26/0xaf [bluetooth]
+[  440.648716]         sco_connect_cfm+0x166/0x281 [bluetooth]
+[  440.648731]         hci_conn_request_evt.isra.53+0x258/0x281 [bluetooth]
+[  440.648746]         hci_event_packet+0x28b/0x2326 [bluetooth]
+[  440.648759]         hci_rx_work+0x161/0x291 [bluetooth]
+[  440.648764]         process_one_work+0x163/0x2b2
+[  440.648767]         worker_thread+0x1a9/0x25c
+[  440.648770]         kthread+0xf8/0xfd
+[  440.648774]         ret_from_fork+0x2e/0x38
+[  440.648779] INFO: Freed in __sk_destruct+0xd3/0xdf age=3815 cpu=1 pid=1047
+[  440.648782]         __slab_free+0x4b/0x27a
+[  440.648784]         kfree+0x12e/0x155
+[  440.648787]         __sk_destruct+0xd3/0xdf
+[  440.648790]         sk_destruct+0x27/0x29
+[  440.648793]         __sk_free+0x75/0x91
+[  440.648795]         sk_free+0x1c/0x1e
+[  440.648810]         sco_sock_kill+0x5a/0x5f [bluetooth]
+[  440.648825]         sco_conn_del+0x8e/0xba [bluetooth]
+[  440.648840]         sco_disconn_cfm+0x3a/0x41 [bluetooth]
+[  440.648855]         hci_event_packet+0x45e/0x2326 [bluetooth]
+[  440.648868]         hci_rx_work+0x161/0x291 [bluetooth]
+[  440.648872]         process_one_work+0x163/0x2b2
+[  440.648875]         worker_thread+0x1a9/0x25c
+[  440.648877]         kthread+0xf8/0xfd
+[  440.648880]         ret_from_fork+0x2e/0x38
+[  440.648884] INFO: Slab 0xf4718580 objects=27 used=27 fp=0x  (null) flags=0x40008100
+[  440.648886] INFO: Object 0xe70f4b88 @offset=19336 fp=0xe70f54f8
+
+When KASAN was enabled, it reported:
+
+[  210.096613] ==================================================================
+[  210.096634] BUG: KASAN: use-after-free in ex_handler_refcount+0x5b/0x127
+[  210.096641] Write of size 4 at addr ffff880107e17160 by task kworker/u9:1/2040
+
+[  210.096651] CPU: 1 PID: 2040 Comm: kworker/u9:1 Tainted: G     U     O    4.14.47-20180606+ #2
+[  210.096654] Hardware name: , BIOS 2017.01-00087-g43e04de 08/30/2017
+[  210.096693] Workqueue: hci0 hci_rx_work [bluetooth]
+[  210.096698] Call Trace:
+[  210.096711]  dump_stack+0x46/0x59
+[  210.096722]  print_address_description+0x6b/0x23b
+[  210.096729]  ? ex_handler_refcount+0x5b/0x127
+[  210.096736]  kasan_report+0x220/0x246
+[  210.096744]  ex_handler_refcount+0x5b/0x127
+[  210.096751]  ? ex_handler_clear_fs+0x85/0x85
+[  210.096757]  fixup_exception+0x8c/0x96
+[  210.096766]  do_trap+0x66/0x2c1
+[  210.096773]  do_error_trap+0x152/0x180
+[  210.096781]  ? fixup_bug+0x78/0x78
+[  210.096817]  ? hci_debugfs_create_conn+0x244/0x26a [bluetooth]
+[  210.096824]  ? __schedule+0x113b/0x1453
+[  210.096830]  ? sysctl_net_exit+0xe/0xe
+[  210.096837]  ? __wake_up_common+0x343/0x343
+[  210.096843]  ? insert_work+0x107/0x163
+[  210.096850]  invalid_op+0x1b/0x40
+[  210.096888] RIP: 0010:hci_debugfs_create_conn+0x244/0x26a [bluetooth]
+[  210.096892] RSP: 0018:ffff880094a0f970 EFLAGS: 00010296
+[  210.096898] RAX: 0000000000000000 RBX: ffff880107e170e8 RCX: ffff880107e17160
+[  210.096902] RDX: 000000000000002f RSI: ffff88013b80ed40 RDI: ffffffffa058b940
+[  210.096906] RBP: ffff88011b2b0578 R08: 00000000852f0ec9 R09: ffffffff81cfcf9b
+[  210.096909] R10: 00000000d21bdad7 R11: 0000000000000001 R12: ffff8800967b0488
+[  210.096913] R13: ffff880107e17168 R14: 0000000000000068 R15: ffff8800949c0008
+[  210.096920]  ? __sk_destruct+0x2c6/0x2d4
+[  210.096959]  hci_event_packet+0xff5/0x7de2 [bluetooth]
+[  210.096969]  ? __local_bh_enable_ip+0x43/0x5b
+[  210.097004]  ? l2cap_sock_recv_cb+0x158/0x166 [bluetooth]
+[  210.097039]  ? hci_le_meta_evt+0x2bb3/0x2bb3 [bluetooth]
+[  210.097075]  ? l2cap_ertm_init+0x94e/0x94e [bluetooth]
+[  210.097093]  ? xhci_urb_enqueue+0xbd8/0xcf5 [xhci_hcd]
+[  210.097102]  ? __accumulate_pelt_segments+0x24/0x33
+[  210.097109]  ? __accumulate_pelt_segments+0x24/0x33
+[  210.097115]  ? __update_load_avg_se.isra.2+0x217/0x3a4
+[  210.097122]  ? set_next_entity+0x7c3/0x12cd
+[  210.097128]  ? pick_next_entity+0x25e/0x26c
+[  210.097135]  ? pick_next_task_fair+0x2ca/0xc1a
+[  210.097141]  ? switch_mm_irqs_off+0x346/0xb4f
+[  210.097147]  ? __switch_to+0x769/0xbc4
+[  210.097153]  ? compat_start_thread+0x66/0x66
+[  210.097188]  ? hci_conn_check_link_mode+0x1cd/0x1cd [bluetooth]
+[  210.097195]  ? finish_task_switch+0x392/0x431
+[  210.097228]  ? hci_rx_work+0x154/0x487 [bluetooth]
+[  210.097260]  hci_rx_work+0x154/0x487 [bluetooth]
+[  210.097269]  process_one_work+0x579/0x9e9
+[  210.097277]  worker_thread+0x68f/0x804
+[  210.097285]  kthread+0x31c/0x32b
+[  210.097292]  ? rescuer_thread+0x70c/0x70c
+[  210.097299]  ? kthread_create_on_node+0xa3/0xa3
+[  210.097306]  ret_from_fork+0x35/0x40
+
+[  210.097314] Allocated by task 2040:
+[  210.097323]  kasan_kmalloc.part.1+0x51/0xc7
+[  210.097328]  __kmalloc+0x17f/0x1b6
+[  210.097335]  sk_prot_alloc+0xf2/0x1a3
+[  210.097340]  sk_alloc+0x22/0x297
+[  210.097375]  sco_sock_alloc.constprop.7+0x23/0x202 [bluetooth]
+[  210.097410]  sco_connect_cfm+0x2d0/0x566 [bluetooth]
+[  210.097443]  hci_conn_request_evt.isra.53+0x6d3/0x762 [bluetooth]
+[  210.097476]  hci_event_packet+0x85e/0x7de2 [bluetooth]
+[  210.097507]  hci_rx_work+0x154/0x487 [bluetooth]
+[  210.097512]  process_one_work+0x579/0x9e9
+[  210.097517]  worker_thread+0x68f/0x804
+[  210.097523]  kthread+0x31c/0x32b
+[  210.097529]  ret_from_fork+0x35/0x40
+
+[  210.097533] Freed by task 2040:
+[  210.097539]  kasan_slab_free+0xb3/0x15e
+[  210.097544]  kfree+0x103/0x1a9
+[  210.097549]  __sk_destruct+0x2c6/0x2d4
+[  210.097584]  sco_conn_del.isra.1+0xba/0x10e [bluetooth]
+[  210.097617]  hci_event_packet+0xff5/0x7de2 [bluetooth]
+[  210.097648]  hci_rx_work+0x154/0x487 [bluetooth]
+[  210.097653]  process_one_work+0x579/0x9e9
+[  210.097658]  worker_thread+0x68f/0x804
+[  210.097663]  kthread+0x31c/0x32b
+[  210.097670]  ret_from_fork+0x35/0x40
+
+[  210.097676] The buggy address belongs to the object at ffff880107e170e8
+ which belongs to the cache kmalloc-1024 of size 1024
+[  210.097681] The buggy address is located 120 bytes inside of
+ 1024-byte region [ffff880107e170e8, ffff880107e174e8)
+[  210.097683] The buggy address belongs to the page:
+[  210.097689] page:ffffea00041f8400 count:1 mapcount:0 mapping:          (null) index:0xffff880107e15b68 compound_mapcount: 0
+[  210.110194] flags: 0x8000000000008100(slab|head)
+[  210.115441] raw: 8000000000008100 0000000000000000 ffff880107e15b68 0000000100170016
+[  210.115448] raw: ffffea0004a47620 ffffea0004b48e20 ffff88013b80ed40 0000000000000000
+[  210.115451] page dumped because: kasan: bad access detected
+
+[  210.115454] Memory state around the buggy address:
+[  210.115460]  ffff880107e17000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[  210.115465]  ffff880107e17080: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
+[  210.115469] >ffff880107e17100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[  210.115472]                                                        ^
+[  210.115477]  ffff880107e17180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[  210.115481]  ffff880107e17200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[  210.115483] ==================================================================
+
+And finally when BT_DBG() and ftrace was enabled it showed:
+
+       <...>-14979 [001] ....   186.104191: sco_sock_kill <-sco_sock_close
+       <...>-14979 [001] ....   186.104191: sco_sock_kill <-sco_sock_release
+       <...>-14979 [001] ....   186.104192: sco_sock_kill: sk ef0497a0 state 9
+       <...>-14979 [001] ....   186.104193: bt_sock_unlink <-sco_sock_kill
+kworker/u9:2-792   [001] ....   186.104246: sco_sock_kill <-sco_conn_del
+kworker/u9:2-792   [001] ....   186.104248: sco_sock_kill: sk ef0497a0 state 9
+kworker/u9:2-792   [001] ....   186.104249: bt_sock_unlink <-sco_sock_kill
+kworker/u9:2-792   [001] ....   186.104250: sco_sock_destruct <-__sk_destruct
+kworker/u9:2-792   [001] ....   186.104250: sco_sock_destruct: sk ef0497a0
+kworker/u9:2-792   [001] ....   186.104860: hci_conn_del <-hci_event_packet
+kworker/u9:2-792   [001] ....   186.104864: hci_conn_del: hci0 hcon ef0484c0 handle 266
+
+Only in the failed case, sco_sock_kill() gets called with the same sock
+pointer two times. Add a check for SOCK_DEAD to avoid continue killing
+a socket which has already been killed.
+
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/sco.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -393,7 +393,8 @@ static void sco_sock_cleanup_listen(stru
+  */
+ static void sco_sock_kill(struct sock *sk)
+ {
+-      if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
++      if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket ||
++          sock_flag(sk, SOCK_DEAD))
+               return;
+       BT_DBG("sk %p state %d", sk, sk->sk_state);
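Review bot: The SOCK_DEAD test added to the guard at the top of sco_sock_kill() is a plain flag read with no lock shared by the two callers the ftrace excerpt shows (sco_sock_release() in process context and sco_conn_del() on the hci_rx_work worker), so two callers that both pass the test before either has set the flag would still both proceed to the kill. That fits the sequential double call recorded here, but it narrows the window rather than closing a true race, and the place where the flag is presumably set and the final reference dropped is in the rest of sco_sock_kill(), which lies outside the hunk. I would say so next to the check: `/* SOCK_DEAD marks a socket this function has already killed. The test is not serialized against the other caller (sco_conn_del vs. sco_sock_release), so it stops a repeated kill, not a concurrent one. */`. Why sco_conn_del() still reaches a socket that release already detached is the underlying question the commit leaves open.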
diff --git a/queue-4.18/cls_matchall-fix-tcf_unbind_filter-missing.patch b/queue-4.18/cls_matchall-fix-tcf_unbind_filter-missing.patch
new file mode 100644 (file)
index 0000000..bb3235a
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Tue Aug 21 07:22:30 CEST 2018
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Tue, 14 Aug 2018 17:28:26 +0800
+Subject: cls_matchall: fix tcf_unbind_filter missing
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit a51c76b4dfb30496dc65396a957ef0f06af7fb22 ]
+
+Fix tcf_unbind_filter missing in cls_matchall as this will trigger
+WARN_ON() in cbq_destroy_class().
+
+Fixes: fd62d9f5c575f ("net/sched: matchall: Fix configuration race")
+Reported-by: Li Shuang <shuali@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_matchall.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sched/cls_matchall.c
++++ b/net/sched/cls_matchall.c
+@@ -111,6 +111,8 @@ static void mall_destroy(struct tcf_prot
+       if (!head)
+               return;
++      tcf_unbind_filter(tp, &head->res);
++
+       if (!tc_skip_hw(head->flags))
+               mall_destroy_hw_filter(tp, head, (unsigned long) head, extack);
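Review bot: The new tcf_unbind_filter() call at the top of mall_destroy() carries no comment saying why it is there, and an unexplained unbind on a destroy path is easy to drop in a later cleanup. The description gives the reason (the class reference taken at bind time is otherwise still held when cbq_destroy_class() runs, which trips its WARN_ON()), so I would record it inline: `/* Release the class bound when the filter was configured; a dangling binding trips WARN_ON() in cbq_destroy_class(). */`. The bind side is presumably in mall_change(), outside this hunk, and mall_destroy()'s body continues past the hunk as well.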
diff --git a/queue-4.18/hv-netvsc-fix-null-dereference-at-single-queue-mode-fallback.patch b/queue-4.18/hv-netvsc-fix-null-dereference-at-single-queue-mode-fallback.patch
new file mode 100644 (file)
index 0000000..7f003da
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Tue Aug 21 07:22:30 CEST 2018
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 14 Aug 2018 19:10:50 +0200
+Subject: hv/netvsc: Fix NULL dereference at single queue mode fallback
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit b19b46346f483ae055fa027cb2d5c2ca91484b91 ]
+
+The recent commit 916c5e1413be ("hv/netvsc: fix handling of fallback
+to single queue mode") tried to fix the fallback behavior to a single
+queue mode, but it changed the function to return zero incorrectly,
+while the function should return an object pointer.  Eventually this
+leads to a NULL dereference at the callers that expect non-NULL
+value.
+
+Fix it by returning the proper net_device object.
+
+Fixes: 916c5e1413be ("hv/netvsc: fix handling of fallback to single queue mode")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/rndis_filter.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/hyperv/rndis_filter.c
++++ b/drivers/net/hyperv/rndis_filter.c
+@@ -1338,7 +1338,7 @@ out:
+       /* setting up multiple channels failed */
+       net_device->max_chn = 1;
+       net_device->num_chn = 1;
+-      return 0;
++      return net_device;
+ err_dev_remv:
+       rndis_filter_device_remove(dev, net_device);
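Review bot: The fallback tail under `out:` still states nothing about the function's return contract, and this bug was exactly a confusion about that contract (an int-style 0 where the caller expects a net_device pointer). A one-line comment above the corrected return would make the next edit harder to get wrong: `/* Single-queue fallback is still success: hand the caller the device, never NULL. */`. The signature and success path of this function, and whether the failure path below uses ERR_PTR(), are outside the hunk, so I cannot confirm the other return forms from here.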
diff --git a/queue-4.18/ip_vti-fix-a-null-pointer-deferrence-when-create-vti-fallback-tunnel.patch b/queue-4.18/ip_vti-fix-a-null-pointer-deferrence-when-create-vti-fallback-tunnel.patch
new file mode 100644 (file)
index 0000000..a37a4d9
--- /dev/null
@@ -0,0 +1,65 @@
+From foo@baz Tue Aug 21 07:22:30 CEST 2018
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Date: Sun, 19 Aug 2018 15:05:04 +0800
+Subject: ip_vti: fix a null pointer deferrence when create vti fallback tunnel
+
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+
+[ Upstream commit cd1aa9c2c665cafbd05b83507d3f1096f3912aa4 ]
+
+After set fb_tunnels_only_for_init_net to 1, the itn->fb_tunnel_dev will
+be NULL and will cause following crash:
+
+[ 2742.849298] BUG: unable to handle kernel NULL pointer dereference at 0000000000000941
+[ 2742.851380] PGD 800000042c21a067 P4D 800000042c21a067 PUD 42aaed067 PMD 0
+[ 2742.852818] Oops: 0002 [#1] SMP PTI
+[ 2742.853570] CPU: 7 PID: 2484 Comm: unshare Kdump: loaded Not tainted 4.18.0-rc8+ #2
+[ 2742.855163] Hardware name: Fedora Project OpenStack Nova, BIOS seabios-1.7.5-11.el7 04/01/2014
+[ 2742.856970] RIP: 0010:vti_init_net+0x3a/0x50 [ip_vti]
+[ 2742.858034] Code: 90 83 c0 48 c7 c2 20 a1 83 c0 48 89 fb e8 6e 3b f6 ff 85 c0 75 22 8b 0d f4 19 00 00 48 8b 93 00 14 00 00 48 8b 14 ca 48 8b 12 <c6> 82 41 09 00 00 04 c6 82 38 09 00 00 45 5b c3 66 0f 1f 44 00 00
+[ 2742.861940] RSP: 0018:ffff9be28207fde0 EFLAGS: 00010246
+[ 2742.863044] RAX: 0000000000000000 RBX: ffff8a71ebed4980 RCX: 0000000000000013
+[ 2742.864540] RDX: 0000000000000000 RSI: 0000000000000013 RDI: ffff8a71ebed4980
+[ 2742.866020] RBP: ffff8a71ea717000 R08: ffffffffc083903c R09: ffff8a71ea717000
+[ 2742.867505] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a71ebed4980
+[ 2742.868987] R13: 0000000000000013 R14: ffff8a71ea5b49c0 R15: 0000000000000000
+[ 2742.870473] FS:  00007f02266c9740(0000) GS:ffff8a71ffdc0000(0000) knlGS:0000000000000000
+[ 2742.872143] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 2742.873340] CR2: 0000000000000941 CR3: 000000042bc20006 CR4: 00000000001606e0
+[ 2742.874821] Call Trace:
+[ 2742.875358]  ops_init+0x38/0xf0
+[ 2742.876078]  setup_net+0xd9/0x1f0
+[ 2742.876789]  copy_net_ns+0xb7/0x130
+[ 2742.877538]  create_new_namespaces+0x11a/0x1d0
+[ 2742.878525]  unshare_nsproxy_namespaces+0x55/0xa0
+[ 2742.879526]  ksys_unshare+0x1a7/0x330
+[ 2742.880313]  __x64_sys_unshare+0xe/0x20
+[ 2742.881131]  do_syscall_64+0x5b/0x180
+[ 2742.881933]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reproduce:
+echo 1 > /proc/sys/net/core/fb_tunnels_only_for_init_net
+modprobe ip_vti
+unshare -n
+
+Fixes: 79134e6ce2c9 ("net: do not create fallback tunnels for non-default namespaces")
+Cc: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_vti.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -438,7 +438,8 @@ static int __net_init vti_init_net(struc
+       if (err)
+               return err;
+       itn = net_generic(net, vti_net_id);
+-      vti_fb_tunnel_init(itn->fb_tunnel_dev);
++      if (itn->fb_tunnel_dev)
++              vti_fb_tunnel_init(itn->fb_tunnel_dev);
+       return 0;
+ }
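Review bot: The new `if (itn->fb_tunnel_dev)` guard in vti_init_net() reads as a defensive NULL check with no stated reason, which invites someone to remove it again. The reason is specific: per the description, with fb_tunnels_only_for_init_net set no fallback device is created for a non-init namespace, so the pointer is legitimately NULL there. I would make that explicit: `/* No fallback device exists in a non-init netns when fb_tunnels_only_for_init_net is set. */`. Other tunnel types that touch itn->fb_tunnel_dev after ip_tunnel_init_net() presumably need the same treatment; that is beyond this hunk.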
diff --git a/queue-4.18/isdn-disable-iiocdbgvar.patch b/queue-4.18/isdn-disable-iiocdbgvar.patch
new file mode 100644 (file)
index 0000000..5c9731a
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Tue Aug 21 07:22:30 CEST 2018
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 15 Aug 2018 12:14:05 -0700
+Subject: isdn: Disable IIOCDBGVAR
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 5e22002aa8809e2efab2da95855f73f63e14a36c ]
+
+It was possible to directly leak the kernel address where the isdn_dev
+structure pointer was stored. This is a kernel ASLR bypass for anyone
+with access to the ioctl. The code had been present since the beginning
+of git history, though this shouldn't ever be needed for normal operation,
+therefore remove it.
+
+Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Karsten Keil <isdn@linux-pingi.de>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/i4l/isdn_common.c |    8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1640,13 +1640,7 @@ isdn_ioctl(struct file *file, uint cmd,
+                       } else
+                               return -EINVAL;
+               case IIOCDBGVAR:
+-                      if (arg) {
+-                              if (copy_to_user(argp, &dev, sizeof(ulong)))
+-                                      return -EFAULT;
+-                              return 0;
+-                      } else
+-                              return -EINVAL;
+-                      break;
++                      return -EINVAL;
+               default:
+                       if ((cmd & IIOCDRVCTL) == IIOCDRVCTL)
+                               cmd = ((cmd >> _IOC_NRSHIFT) & _IOC_NRMASK) & ISDN_DRVIOCTL_MASK;
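Review bot: The bare `return -EINVAL;` under `case IIOCDBGVAR:` gives no hint that the ioctl was removed on purpose, so a reader comparing against old documentation or the uapi header may try to "restore" it. Since the description states the reason (it copied the isdn_dev pointer to userspace, a KASLR bypass for anyone who can open the device), I would keep that next to the label: `case IIOCDBGVAR: /* intentionally disabled: leaked a kernel address (KASLR bypass) */`. If the IIOCDBGVAR constant stays in the uapi header (not visible here), rejecting it explicitly rather than deleting the case also keeps the number from being reused for something else. The ioctl dispatch continues outside the hunk.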
diff --git a/queue-4.18/net-ethernet-mvneta-fix-napi-structure-mixup-on-armada-3700.patch b/queue-4.18/net-ethernet-mvneta-fix-napi-structure-mixup-on-armada-3700.patch
new file mode 100644 (file)
index 0000000..7a50119
--- /dev/null
@@ -0,0 +1,107 @@
+From foo@baz Tue Aug 21 07:22:30 CEST 2018
+From: Andrew Lunn <andrew@lunn.ch>
+Date: Wed, 18 Jul 2018 18:10:50 +0200
+Subject: net: ethernet: mvneta: Fix napi structure mixup on armada 3700
+
+From: Andrew Lunn <andrew@lunn.ch>
+
+[ Upstream commit 7a86f05faf112463cfbbdfd222012e247de461a1 ]
+
+The mvneta Ethernet driver is used on a few different Marvell SoCs.
+Some SoCs have per cpu interrupts for Ethernet events. Some SoCs have
+a single interrupt, independent of the CPU. The driver handles this by
+having a per CPU napi structure when there are per CPU interrupts, and
+a global napi structure when there is a single interrupt.
+
+When the napi core calls mvneta_poll(), it passes the napi
+instance. This was not being propagated through the call chain, and
+instead the per-cpu napi instance was passed to napi_gro_receive()
+call. This breaks when there is a single global napi instance.
+
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Fixes: 2636ac3cc2b4 ("net: mvneta: Add network support for Armada 3700 SoC")
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c |   22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -1901,10 +1901,10 @@ static void mvneta_rxq_drop_pkts(struct
+ }
+ /* Main rx processing when using software buffer management */
+-static int mvneta_rx_swbm(struct mvneta_port *pp, int rx_todo,
++static int mvneta_rx_swbm(struct napi_struct *napi,
++                        struct mvneta_port *pp, int rx_todo,
+                         struct mvneta_rx_queue *rxq)
+ {
+-      struct mvneta_pcpu_port *port = this_cpu_ptr(pp->ports);
+       struct net_device *dev = pp->dev;
+       int rx_done;
+       u32 rcvd_pkts = 0;
+@@ -1959,7 +1959,7 @@ err_drop_frame:
+                       skb->protocol = eth_type_trans(skb, dev);
+                       mvneta_rx_csum(pp, rx_status, skb);
+-                      napi_gro_receive(&port->napi, skb);
++                      napi_gro_receive(napi, skb);
+                       rcvd_pkts++;
+                       rcvd_bytes += rx_bytes;
+@@ -2001,7 +2001,7 @@ err_drop_frame:
+               mvneta_rx_csum(pp, rx_status, skb);
+-              napi_gro_receive(&port->napi, skb);
++              napi_gro_receive(napi, skb);
+       }
+       if (rcvd_pkts) {
+@@ -2020,10 +2020,10 @@ err_drop_frame:
+ }
+ /* Main rx processing when using hardware buffer management */
+-static int mvneta_rx_hwbm(struct mvneta_port *pp, int rx_todo,
++static int mvneta_rx_hwbm(struct napi_struct *napi,
++                        struct mvneta_port *pp, int rx_todo,
+                         struct mvneta_rx_queue *rxq)
+ {
+-      struct mvneta_pcpu_port *port = this_cpu_ptr(pp->ports);
+       struct net_device *dev = pp->dev;
+       int rx_done;
+       u32 rcvd_pkts = 0;
+@@ -2085,7 +2085,7 @@ err_drop_frame:
+                       skb->protocol = eth_type_trans(skb, dev);
+                       mvneta_rx_csum(pp, rx_status, skb);
+-                      napi_gro_receive(&port->napi, skb);
++                      napi_gro_receive(napi, skb);
+                       rcvd_pkts++;
+                       rcvd_bytes += rx_bytes;
+@@ -2129,7 +2129,7 @@ err_drop_frame:
+               mvneta_rx_csum(pp, rx_status, skb);
+-              napi_gro_receive(&port->napi, skb);
++              napi_gro_receive(napi, skb);
+       }
+       if (rcvd_pkts) {
+@@ -2722,9 +2722,11 @@ static int mvneta_poll(struct napi_struc
+       if (rx_queue) {
+               rx_queue = rx_queue - 1;
+               if (pp->bm_priv)
+-                      rx_done = mvneta_rx_hwbm(pp, budget, &pp->rxqs[rx_queue]);
++                      rx_done = mvneta_rx_hwbm(napi, pp, budget,
++                                               &pp->rxqs[rx_queue]);
+               else
+-                      rx_done = mvneta_rx_swbm(pp, budget, &pp->rxqs[rx_queue]);
++                      rx_done = mvneta_rx_swbm(napi, pp, budget,
++                                               &pp->rxqs[rx_queue]);
+       }
+       if (rx_done < budget) {
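Review bot: mvneta_rx_swbm() and mvneta_rx_hwbm() gain a leading napi parameter with no comment, and the whole point of the change is that this napi is not always the per-CPU one the old code fetched with this_cpu_ptr(). A short note on each signature would stop the next reader from reintroducing the shortcut: `/* @napi: instance handed to mvneta_poll(): per-CPU on SoCs with per-CPU interrupts, the single global one on Armada 3700 */`. Both function bodies extend beyond the visible hunks, so I cannot confirm from here that no other use of the removed `port` local survives, though the build would catch one.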
diff --git a/queue-4.18/net-mvneta-fix-mvneta_config_rss-on-armada-3700.patch b/queue-4.18/net-mvneta-fix-mvneta_config_rss-on-armada-3700.patch
new file mode 100644 (file)
index 0000000..cfc86fc
--- /dev/null
@@ -0,0 +1,79 @@
+From foo@baz Tue Aug 21 07:22:30 CEST 2018
+From: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+Date: Fri, 10 Aug 2018 11:36:27 +0800
+Subject: net: mvneta: fix mvneta_config_rss on armada 3700
+
+From: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+
+[ Upstream commit 0f5c6c30a0f8c629b92ecdaef61b315c43fde10a ]
+
+The mvneta Ethernet driver is used on a few different Marvell SoCs.
+Some SoCs have per cpu interrupts for Ethernet events, the driver uses
+a per CPU napi structure for this case. Some SoCs such as armada 3700
+have a single interrupt for Ethernet events, the driver uses a global
+napi structure for this case.
+
+Current mvneta_config_rss() always operates the per cpu napi structure.
+Fix it by operating a global napi for "single interrupt" case, and per
+cpu napi structure for remaining cases.
+
+Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+Fixes: 2636ac3cc2b4 ("net: mvneta: Add network support for Armada 3700 SoC")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c |   35 +++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -4020,13 +4020,18 @@ static int  mvneta_config_rss(struct mvn
+       on_each_cpu(mvneta_percpu_mask_interrupt, pp, true);
+-      /* We have to synchronise on the napi of each CPU */
+-      for_each_online_cpu(cpu) {
+-              struct mvneta_pcpu_port *pcpu_port =
+-                      per_cpu_ptr(pp->ports, cpu);
+-
+-              napi_synchronize(&pcpu_port->napi);
+-              napi_disable(&pcpu_port->napi);
++      if (!pp->neta_armada3700) {
++              /* We have to synchronise on the napi of each CPU */
++              for_each_online_cpu(cpu) {
++                      struct mvneta_pcpu_port *pcpu_port =
++                              per_cpu_ptr(pp->ports, cpu);
++
++                      napi_synchronize(&pcpu_port->napi);
++                      napi_disable(&pcpu_port->napi);
++              }
++      } else {
++              napi_synchronize(&pp->napi);
++              napi_disable(&pp->napi);
+       }
+       pp->rxq_def = pp->indir[0];
+@@ -4043,12 +4048,16 @@ static int  mvneta_config_rss(struct mvn
+       mvneta_percpu_elect(pp);
+       spin_unlock(&pp->lock);
+-      /* We have to synchronise on the napi of each CPU */
+-      for_each_online_cpu(cpu) {
+-              struct mvneta_pcpu_port *pcpu_port =
+-                      per_cpu_ptr(pp->ports, cpu);
+-
+-              napi_enable(&pcpu_port->napi);
++      if (!pp->neta_armada3700) {
++              /* We have to synchronise on the napi of each CPU */
++              for_each_online_cpu(cpu) {
++                      struct mvneta_pcpu_port *pcpu_port =
++                              per_cpu_ptr(pp->ports, cpu);
++
++                      napi_enable(&pcpu_port->napi);
++              }
++      } else {
++              napi_enable(&pp->napi);
+       }
+       netif_tx_start_all_queues(pp->dev);
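Review bot: mvneta_config_rss() now repeats the same `if (!pp->neta_armada3700) { for_each_online_cpu ... } else { ... pp->napi ... }` shape twice, with the Armada 3700 case written as the else branch of a negated test, so the SoC distinction has to be read in two places. Extracting the disable and enable halves into small static helpers keeps that distinction in one place and lets the special case be the first thing a reader sees. Separately, the comment "We have to synchronise on the napi of each CPU" was kept above the enable loop, which does no synchronising; it should be dropped or reworded there. The rest of mvneta_config_rss() is outside the hunk.
```c
/* Quiesce every napi instance that can feed this port: the per-CPU ones,
 * or the single global one on Armada 3700. */
static void mvneta_napi_disable_all(struct mvneta_port *pp)
{
	int cpu;

	if (pp->neta_armada3700) {
		napi_synchronize(&pp->napi);
		napi_disable(&pp->napi);
		return;
	}
	for_each_online_cpu(cpu) {
		struct mvneta_pcpu_port *pcpu_port = per_cpu_ptr(pp->ports, cpu);

		napi_synchronize(&pcpu_port->napi);
		napi_disable(&pcpu_port->napi);
	}
}

/* Counterpart of mvneta_napi_disable_all(). */
static void mvneta_napi_enable_all(struct mvneta_port *pp)
{
	int cpu;

	if (pp->neta_armada3700) {
		napi_enable(&pp->napi);
		return;
	}
	for_each_online_cpu(cpu)
		napi_enable(&per_cpu_ptr(pp->ports, cpu)->napi);
}

/* … in mvneta_config_rss() … */
	on_each_cpu(mvneta_percpu_mask_interrupt, pp, true);
	mvneta_napi_disable_all(pp);
	/* … unchanged: rxq_def update, percpu elect under pp->lock … */
	mvneta_napi_enable_all(pp);
	netif_tx_start_all_queues(pp->dev);
```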
diff --git a/queue-4.18/net-sock_diag-fix-spectre-v1-gadget-in-__sock_diag_cmd.patch b/queue-4.18/net-sock_diag-fix-spectre-v1-gadget-in-__sock_diag_cmd.patch
new file mode 100644 (file)
index 0000000..9f94d1d
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Tue Aug 21 07:22:30 CEST 2018
+From: Jeremy Cline <jcline@redhat.com>
+Date: Mon, 13 Aug 2018 22:23:13 +0000
+Subject: net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd()
+
+From: Jeremy Cline <jcline@redhat.com>
+
+[ Upstream commit 66b51b0a0341fd42ce657739bdae0561b0410a85 ]
+
+req->sdiag_family is a user-controlled value that's used as an array
+index. Sanitize it after the bounds check to avoid speculative
+out-of-bounds array access.
+
+This also protects the sock_is_registered() call, so this removes the
+sanitize call there.
+
+Fixes: e978de7a6d38 ("net: socket: Fix potential spectre v1 gadget in sock_is_registered")
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: konrad.wilk@oracle.com
+Cc: jamie.iles@oracle.com
+Cc: liran.alon@oracle.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremy Cline <jcline@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/sock_diag.c |    2 ++
+ net/socket.c         |    3 +--
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/core/sock_diag.c
++++ b/net/core/sock_diag.c
+@@ -10,6 +10,7 @@
+ #include <linux/kernel.h>
+ #include <linux/tcp.h>
+ #include <linux/workqueue.h>
++#include <linux/nospec.h>
+ #include <linux/inet_diag.h>
+ #include <linux/sock_diag.h>
+@@ -218,6 +219,7 @@ static int __sock_diag_cmd(struct sk_buf
+       if (req->sdiag_family >= AF_MAX)
+               return -EINVAL;
++      req->sdiag_family = array_index_nospec(req->sdiag_family, AF_MAX);
+       if (sock_diag_handlers[req->sdiag_family] == NULL)
+               sock_load_diag_module(req->sdiag_family, 0);
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -2690,8 +2690,7 @@ EXPORT_SYMBOL(sock_unregister);
+ bool sock_is_registered(int family)
+ {
+-      return family < NPROTO &&
+-              rcu_access_pointer(net_families[array_index_nospec(family, NPROTO)]);
++      return family < NPROTO && rcu_access_pointer(net_families[family]);
+ }
+ static int __init sock_init(void)
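Review bot: sock_is_registered() is now a plain bounds check with no sanitization and no statement that it relies on its caller, yet the commit's justification for removing the clamp is precisely that __sock_diag_cmd() sanitizes first. That contract is invisible at the function, so any second caller added later silently loses the Spectre v1 protection. I would state it on the function: `/* family must already be clamped with array_index_nospec(); the bounds test alone is not speculation-safe. */`. The clamp in __sock_diag_cmd() is against AF_MAX while net_families is sized by NPROTO; as far as I recall NPROTO is defined as AF_MAX, and that equality is what makes the removal safe, so it is worth naming in the comment. Note also that the sanitized value is written back into the netlink payload (`req`), which is what lets the later reads in this function and its callees benefit.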
diff --git a/queue-4.18/r8169-don-t-use-msi-x-on-rtl8106e.patch b/queue-4.18/r8169-don-t-use-msi-x-on-rtl8106e.patch
new file mode 100644 (file)
index 0000000..e0e9a3f
--- /dev/null
@@ -0,0 +1,74 @@
+From foo@baz Tue Aug 21 07:22:30 CEST 2018
+From: Jian-Hong Pan <jian-hong@endlessm.com>
+Date: Fri, 17 Aug 2018 13:07:35 +0800
+Subject: r8169: don't use MSI-X on RTL8106e
+
+From: Jian-Hong Pan <jian-hong@endlessm.com>
+
+[ Upstream commit 7bb05b85bc2d1a1b647b91424b2ed4a18e6ecd81 ]
+
+Found the ethernet network on ASUS X441UAR doesn't come back on resume
+from suspend when using MSI-X.  The chip is RTL8106e - version 39.
+
+[   21.848357] libphy: r8169: probed
+[   21.848473] r8169 0000:02:00.0 eth0: RTL8106e, 0c:9d:92:32:67:b4, XID
+44900000, IRQ 127
+[   22.518860] r8169 0000:02:00.0 enp2s0: renamed from eth0
+[   29.458041] Generic PHY r8169-200:00: attached PHY driver [Generic
+PHY] (mii_bus:phy_addr=r8169-200:00, irq=IGNORE)
+[   63.227398] r8169 0000:02:00.0 enp2s0: Link is Up - 100Mbps/Full -
+flow control off
+[  124.514648] Generic PHY r8169-200:00: attached PHY driver [Generic
+PHY] (mii_bus:phy_addr=r8169-200:00, irq=IGNORE)
+
+Here is the ethernet controller in detail:
+
+02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd.
+RTL8101/2/6E PCI Express Fast/Gigabit Ethernet controller [10ec:8136]
+(rev 07)
+       Subsystem: ASUSTeK Computer Inc. RTL810xE PCI Express Fast
+Ethernet controller [1043:200f]
+       Flags: bus master, fast devsel, latency 0, IRQ 16
+       I/O ports at e000 [size=256]
+       Memory at ef100000 (64-bit, non-prefetchable) [size=4K]
+       Memory at e0000000 (64-bit, prefetchable) [size=16K]
+       Capabilities: <access denied>
+       Kernel driver in use: r8169
+       Kernel modules: r8169
+
+Falling back to MSI fixes the issue.
+
+Fixes: 6c6aa15fdea5 ("r8169: improve interrupt handling")
+Signed-off-by: Jian-Hong Pan <jian-hong@endlessm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -7539,17 +7539,20 @@ static int rtl_alloc_irq(struct rtl8169_
+ {
+       unsigned int flags;
+-      if (tp->mac_version <= RTL_GIGA_MAC_VER_06) {
++      switch (tp->mac_version) {
++      case RTL_GIGA_MAC_VER_01 ... RTL_GIGA_MAC_VER_06:
+               RTL_W8(tp, Cfg9346, Cfg9346_Unlock);
+               RTL_W8(tp, Config2, RTL_R8(tp, Config2) & ~MSIEnable);
+               RTL_W8(tp, Cfg9346, Cfg9346_Lock);
+               flags = PCI_IRQ_LEGACY;
+-      } else if (tp->mac_version == RTL_GIGA_MAC_VER_40) {
++              break;
++      case RTL_GIGA_MAC_VER_39 ... RTL_GIGA_MAC_VER_40:
+               /* This version was reported to have issues with resume
+                * from suspend when using MSI-X
+                */
+               flags = PCI_IRQ_LEGACY | PCI_IRQ_MSI;
+-      } else {
++              break;
++      default:
+               flags = PCI_IRQ_ALL_TYPES;
+       }
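Review bot: The new range case `RTL_GIGA_MAC_VER_39 ... RTL_GIGA_MAC_VER_40` now covers two chip versions, but the comment beneath it still says "This version", which was written for VER_40 alone. Since the description identifies VER_39 as the RTL8106e that motivated this change, the comment should be updated so a reader knows both entries are deliberate: `/* VER_39 (RTL8106e) and VER_40 were reported to have issues with resume from suspend when using MSI-X */`. The switch closes inside the hunk, but the rest of rtl_alloc_irq(), including whatever consumes `flags`, is outside it.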
index 473be4d6f4821ddb7413fcb7d0859d41482761be..b583507e381af55e8e8ff36834fb0446353eb3c2 100644 (file)
@@ -24,3 +24,12 @@ serial-8250_dw-add-acpi-support-for-uart-on-broadcom-soc.patch
 uio-fix-wrong-return-value-from-uio_mmap.patch
 misc-sram-fix-resource-leaks-in-probe-error-path.patch
 revert-uio-use-request_threaded_irq-instead.patch
+bluetooth-avoid-killing-an-already-killed-socket.patch
+isdn-disable-iiocdbgvar.patch
+net-sock_diag-fix-spectre-v1-gadget-in-__sock_diag_cmd.patch
+hv-netvsc-fix-null-dereference-at-single-queue-mode-fallback.patch
+r8169-don-t-use-msi-x-on-rtl8106e.patch
+ip_vti-fix-a-null-pointer-deferrence-when-create-vti-fallback-tunnel.patch
+net-ethernet-mvneta-fix-napi-structure-mixup-on-armada-3700.patch
+net-mvneta-fix-mvneta_config_rss-on-armada-3700.patch
+cls_matchall-fix-tcf_unbind_filter-missing.patch