--- /dev/null
+From 3d0bc44d39bca615b72637e340317b7899b7f911 Mon Sep 17 00:00:00 2001
+From: Norbert Slusarek <nslusarek@gmx.net>
+Date: Fri, 5 Feb 2021 13:14:05 +0100
+Subject: net/vmw_vsock: improve locking in vsock_connect_timeout()
+
+From: Norbert Slusarek <nslusarek@gmx.net>
+
+commit 3d0bc44d39bca615b72637e340317b7899b7f911 upstream.
+
+A possible locking issue in vsock_connect_timeout() was recognized by
+Eric Dumazet which might cause a null pointer dereference in
+vsock_transport_cancel_pkt(). This patch assures that
+vsock_transport_cancel_pkt() will be called within the lock, so a race
+condition won't occur which could result in vsk->transport to be set to NULL.
+
+Fixes: 380feae0def7 ("vsock: cancel packets when failing to connect")
+Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Norbert Slusarek <nslusarek@gmx.net>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://lore.kernel.org/r/trinity-f8e0937a-cf0e-4d80-a76e-d9a958ba3ef1-1612535522360@3c-app-gmx-bap12
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1114,7 +1114,6 @@ static void vsock_connect_timeout(struct
+ {
+ struct sock *sk;
+ struct vsock_sock *vsk;
+- int cancel = 0;
+
+ vsk = container_of(work, struct vsock_sock, connect_work.work);
+ sk = sk_vsock(vsk);
+@@ -1125,11 +1124,9 @@ static void vsock_connect_timeout(struct
+ sk->sk_state = TCP_CLOSE;
+ sk->sk_err = ETIMEDOUT;
+ sk->sk_error_report(sk);
+- cancel = 1;
++ vsock_transport_cancel_pkt(vsk);
+ }
+ release_sock(sk);
+- if (cancel)
+- vsock_transport_cancel_pkt(vsk);
+
+ sock_put(sk);
+ }
--- /dev/null
+From 3aa6bce9af0e25b735c9c1263739a5639a336ae8 Mon Sep 17 00:00:00 2001
+From: Edwin Peer <edwin.peer@broadcom.com>
+Date: Fri, 5 Feb 2021 17:37:32 -0800
+Subject: net: watchdog: hold device global xmit lock during tx disable
+
+From: Edwin Peer <edwin.peer@broadcom.com>
+
+commit 3aa6bce9af0e25b735c9c1263739a5639a336ae8 upstream.
+
+Prevent netif_tx_disable() running concurrently with dev_watchdog() by
+taking the device global xmit lock. Otherwise, the recommended:
+
+ netif_carrier_off(dev);
+ netif_tx_disable(dev);
+
+driver shutdown sequence can happen after the watchdog has already
+checked carrier, resulting in possible false alarms. This is because
+netif_tx_lock() only sets the frozen bit without maintaining the locks
+on the individual queues.
+
+Fixes: c3f26a269c24 ("netdev: Fix lockdep warnings in multiqueue configurations.")
+Signed-off-by: Edwin Peer <edwin.peer@broadcom.com>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdevice.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -3674,6 +3674,7 @@ static inline void netif_tx_disable(stru
+
+ local_bh_disable();
+ cpu = smp_processor_id();
++ spin_lock(&dev->tx_global_lock);
+ for (i = 0; i < dev->num_tx_queues; i++) {
+ struct netdev_queue *txq = netdev_get_tx_queue(dev, i);
+
+@@ -3681,6 +3682,7 @@ static inline void netif_tx_disable(stru
+ netif_tx_stop_queue(txq);
+ __netif_tx_unlock(txq);
+ }
++ spin_unlock(&dev->tx_global_lock);
+ local_bh_enable();
+ }
+
netfilter-conntrack-skip-identical-origin-tuple-in-s.patch
usb-dwc3-ulpi-fix-checkpatch-warning.patch
usb-dwc3-ulpi-replace-cpu-based-busyloop-with-protocol-based-one.patch
+net-vmw_vsock-improve-locking-in-vsock_connect_timeout.patch
+net-watchdog-hold-device-global-xmit-lock-during-tx-disable.patch
+vsock-virtio-update-credit-only-if-socket-is-not-closed.patch
+vsock-fix-locking-in-vsock_shutdown.patch
i2c-stm32f7-fix-configuration-of-the-digital-filter.patch
h8300-fix-preemption-build-ti_pre_count-undefined.patch
--- /dev/null
+From 1c5fae9c9a092574398a17facc31c533791ef232 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Tue, 9 Feb 2021 09:52:19 +0100
+Subject: vsock: fix locking in vsock_shutdown()
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit 1c5fae9c9a092574398a17facc31c533791ef232 upstream.
+
+In vsock_shutdown() we touched some socket fields without holding the
+socket lock, such as 'state' and 'sk_flags'.
+
+Also, after the introduction of multi-transport, we are accessing
+'vsk->transport' in vsock_send_shutdown() without holding the lock
+and this call can be made while the connection is in progress, so
+the transport can change in the meantime.
+
+To avoid issues, we hold the socket lock when we enter in
+vsock_shutdown() and release it when we leave.
+
+Among the transports that implement the 'shutdown' callback, only
+hyperv_transport acquired the lock. Since the caller now holds it,
+we no longer take it.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c | 8 +++++---
+ net/vmw_vsock/hyperv_transport.c | 4 ----
+ 2 files changed, 5 insertions(+), 7 deletions(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -823,10 +823,12 @@ static int vsock_shutdown(struct socket
+ */
+
+ sk = sock->sk;
++
++ lock_sock(sk);
+ if (sock->state == SS_UNCONNECTED) {
+ err = -ENOTCONN;
+ if (sk->sk_type == SOCK_STREAM)
+- return err;
++ goto out;
+ } else {
+ sock->state = SS_DISCONNECTING;
+ err = 0;
+@@ -835,10 +837,8 @@ static int vsock_shutdown(struct socket
+ /* Receive and send shutdowns are treated alike. */
+ mode = mode & (RCV_SHUTDOWN | SEND_SHUTDOWN);
+ if (mode) {
+- lock_sock(sk);
+ sk->sk_shutdown |= mode;
+ sk->sk_state_change(sk);
+- release_sock(sk);
+
+ if (sk->sk_type == SOCK_STREAM) {
+ sock_reset_flag(sk, SOCK_DONE);
+@@ -846,6 +846,8 @@ static int vsock_shutdown(struct socket
+ }
+ }
+
++out:
++ release_sock(sk);
+ return err;
+ }
+
+--- a/net/vmw_vsock/hyperv_transport.c
++++ b/net/vmw_vsock/hyperv_transport.c
+@@ -444,14 +444,10 @@ static void hvs_shutdown_lock_held(struc
+
+ static int hvs_shutdown(struct vsock_sock *vsk, int mode)
+ {
+- struct sock *sk = sk_vsock(vsk);
+-
+ if (!(mode & SEND_SHUTDOWN))
+ return 0;
+
+- lock_sock(sk);
+ hvs_shutdown_lock_held(vsk->trans, mode);
+- release_sock(sk);
+ return 0;
+ }
+
--- /dev/null
+From ce7536bc7398e2ae552d2fabb7e0e371a9f1fe46 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Mon, 8 Feb 2021 15:44:54 +0100
+Subject: vsock/virtio: update credit only if socket is not closed
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit ce7536bc7398e2ae552d2fabb7e0e371a9f1fe46 upstream.
+
+If the socket is closed or is being released, some resources used by
+virtio_transport_space_update() such as 'vsk->trans' may be released.
+
+To avoid a use after free bug we should only update the available credit
+when we are sure the socket is still open and we have the lock held.
+
+Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Link: https://lore.kernel.org/r/20210208144454.84438-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1029,10 +1029,10 @@ void virtio_transport_recv_pkt(struct vi
+
+ vsk = vsock_sk(sk);
+
+- space_available = virtio_transport_space_update(sk, pkt);
+-
+ lock_sock(sk);
+
++ space_available = virtio_transport_space_update(sk, pkt);
++
+ /* Update CID in case it has changed after a transport reset event */
+ vsk->local_addr.svm_cid = dst.svm_cid;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
