4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 10 Nov 2019 17:23:39 +0000 (18:23 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 10 Nov 2019 17:23:39 +0000 (18:23 +0100)
added patches:
bonding-fix-state-transition-issue-in-link-monitoring.patch
cdc-ncm-handle-incomplete-transfer-of-mtu.patch
ipv4-fix-table-id-reference-in-fib_sync_down_addr.patch
net-fix-data-race-in-neigh_event_send.patch
net-usb-qmi_wwan-add-support-for-dw5821e-with-esim-support.patch
nfc-fdp-fix-incorrect-free-object.patch
nfc-netlink-fix-double-device-reference-drop.patch
nfc-st21nfca-fix-double-free.patch
qede-fix-null-pointer-deref-in-__qede_remove.patch

queue-4.14/series [new file with mode: 0644]
queue-4.9/bonding-fix-state-transition-issue-in-link-monitoring.patch [new file with mode: 0644]
queue-4.9/cdc-ncm-handle-incomplete-transfer-of-mtu.patch [new file with mode: 0644]
queue-4.9/ipv4-fix-table-id-reference-in-fib_sync_down_addr.patch [new file with mode: 0644]
queue-4.9/net-fix-data-race-in-neigh_event_send.patch [new file with mode: 0644]
queue-4.9/net-usb-qmi_wwan-add-support-for-dw5821e-with-esim-support.patch [new file with mode: 0644]
queue-4.9/nfc-fdp-fix-incorrect-free-object.patch [new file with mode: 0644]
queue-4.9/nfc-netlink-fix-double-device-reference-drop.patch [new file with mode: 0644]
queue-4.9/nfc-st21nfca-fix-double-free.patch [new file with mode: 0644]
queue-4.9/qede-fix-null-pointer-deref-in-__qede_remove.patch [new file with mode: 0644]
queue-4.9/series [new file with mode: 0644]

diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644 (file)
index 0000000..8d86b5f
--- /dev/null
@@ -0,0 +1,11 @@
+bonding-fix-state-transition-issue-in-link-monitoring.patch
+cdc-ncm-handle-incomplete-transfer-of-mtu.patch
+ipv4-fix-table-id-reference-in-fib_sync_down_addr.patch
+net-ethernet-octeon_mgmt-account-for-second-possible-vlan-header.patch
+net-fix-data-race-in-neigh_event_send.patch
+net-qualcomm-rmnet-fix-potential-uaf-when-unregistering.patch
+net-usb-qmi_wwan-add-support-for-dw5821e-with-esim-support.patch
+nfc-fdp-fix-incorrect-free-object.patch
+nfc-netlink-fix-double-device-reference-drop.patch
+nfc-st21nfca-fix-double-free.patch
+qede-fix-null-pointer-deref-in-__qede_remove.patch
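Review bot: queue-4.14/series is created here with eleven entries, but the file list of this commit adds patch files only under queue-4.9/, and two of the entries (`net-ethernet-octeon_mgmt-account-for-second-possible-vlan-header.patch` and `net-qualcomm-rmnet-fix-potential-uaf-when-unregistering.patch`) appear nowhere else on the page. Unless the queue-4.14 patch files are added by a neighbouring commit, the series would name files that do not exist at this revision. The commit title also mentions only 4.9, so it is worth confirming that the 4.14 series file was meant to be part of this commit.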
diff --git a/queue-4.9/bonding-fix-state-transition-issue-in-link-monitoring.patch b/queue-4.9/bonding-fix-state-transition-issue-in-link-monitoring.patch
new file mode 100644 (file)
index 0000000..a19963d
--- /dev/null
@@ -0,0 +1,202 @@
+From foo@baz Sun 10 Nov 2019 06:21:03 PM CET
+From: Jay Vosburgh <jay.vosburgh@canonical.com>
+Date: Fri, 1 Nov 2019 21:56:42 -0700
+Subject: bonding: fix state transition issue in link monitoring
+
+From: Jay Vosburgh <jay.vosburgh@canonical.com>
+
+[ Upstream commit 1899bb325149e481de31a4f32b59ea6f24e176ea ]
+
+Since de77ecd4ef02 ("bonding: improve link-status update in
+mii-monitoring"), the bonding driver has utilized two separate variables
+to indicate the next link state a particular slave should transition to.
+Each is used to communicate to a different portion of the link state
+change commit logic; one to the bond_miimon_commit function itself, and
+another to the state transition logic.
+
+       Unfortunately, the two variables can become unsynchronized,
+resulting in incorrect link state transitions within bonding.  This can
+cause slaves to become stuck in an incorrect link state until a
+subsequent carrier state transition.
+
+       The issue occurs when a special case in bond_slave_netdev_event
+sets slave->link directly to BOND_LINK_FAIL.  On the next pass through
+bond_miimon_inspect after the slave goes carrier up, the BOND_LINK_FAIL
+case will set the proposed next state (link_new_state) to BOND_LINK_UP,
+but the new_link to BOND_LINK_DOWN.  The setting of the final link state
+from new_link comes after that from link_new_state, and so the slave
+will end up incorrectly in _DOWN state.
+
+       Resolve this by combining the two variables into one.
+
+Reported-by: Aleksei Zakharov <zakharov.a.g@yandex.ru>
+Reported-by: Sha Zhang <zhangsha.zhang@huawei.com>
+Cc: Mahesh Bandewar <maheshb@google.com>
+Fixes: de77ecd4ef02 ("bonding: improve link-status update in mii-monitoring")
+Signed-off-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |   40 ++++++++++++++++++++--------------------
+ include/net/bonding.h           |    1 -
+ 2 files changed, 20 insertions(+), 21 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2031,7 +2031,7 @@ static int bond_miimon_inspect(struct bo
+       ignore_updelay = !rcu_dereference(bond->curr_active_slave);
+       bond_for_each_slave_rcu(bond, slave, iter) {
+-              slave->new_link = BOND_LINK_NOCHANGE;
++              bond_propose_link_state(slave, BOND_LINK_NOCHANGE);
+               link_state = bond_check_dev_link(bond, slave->dev, 0);
+@@ -2068,7 +2068,7 @@ static int bond_miimon_inspect(struct bo
+                       }
+                       if (slave->delay <= 0) {
+-                              slave->new_link = BOND_LINK_DOWN;
++                              bond_propose_link_state(slave, BOND_LINK_DOWN);
+                               commit++;
+                               continue;
+                       }
+@@ -2109,7 +2109,7 @@ static int bond_miimon_inspect(struct bo
+                               slave->delay = 0;
+                       if (slave->delay <= 0) {
+-                              slave->new_link = BOND_LINK_UP;
++                              bond_propose_link_state(slave, BOND_LINK_UP);
+                               commit++;
+                               ignore_updelay = false;
+                               continue;
+@@ -2129,7 +2129,7 @@ static void bond_miimon_commit(struct bo
+       struct slave *slave, *primary;
+       bond_for_each_slave(bond, slave, iter) {
+-              switch (slave->new_link) {
++              switch (slave->link_new_state) {
+               case BOND_LINK_NOCHANGE:
+                       /* For 802.3ad mode, check current slave speed and
+                        * duplex again in case its port was disabled after
+@@ -2222,8 +2222,8 @@ static void bond_miimon_commit(struct bo
+               default:
+                       netdev_err(bond->dev, "invalid new link %d on slave %s\n",
+-                                 slave->new_link, slave->dev->name);
+-                      slave->new_link = BOND_LINK_NOCHANGE;
++                                 slave->link_new_state, slave->dev->name);
++                      bond_propose_link_state(slave, BOND_LINK_NOCHANGE);
+                       continue;
+               }
+@@ -2618,13 +2618,13 @@ static void bond_loadbalance_arp_mon(str
+       bond_for_each_slave_rcu(bond, slave, iter) {
+               unsigned long trans_start = dev_trans_start(slave->dev);
+-              slave->new_link = BOND_LINK_NOCHANGE;
++              bond_propose_link_state(slave, BOND_LINK_NOCHANGE);
+               if (slave->link != BOND_LINK_UP) {
+                       if (bond_time_in_interval(bond, trans_start, 1) &&
+                           bond_time_in_interval(bond, slave->last_rx, 1)) {
+-                              slave->new_link = BOND_LINK_UP;
++                              bond_propose_link_state(slave, BOND_LINK_UP);
+                               slave_state_changed = 1;
+                               /* primary_slave has no meaning in round-robin
+@@ -2651,7 +2651,7 @@ static void bond_loadbalance_arp_mon(str
+                       if (!bond_time_in_interval(bond, trans_start, 2) ||
+                           !bond_time_in_interval(bond, slave->last_rx, 2)) {
+-                              slave->new_link = BOND_LINK_DOWN;
++                              bond_propose_link_state(slave, BOND_LINK_DOWN);
+                               slave_state_changed = 1;
+                               if (slave->link_failure_count < UINT_MAX)
+@@ -2683,8 +2683,8 @@ static void bond_loadbalance_arp_mon(str
+                       goto re_arm;
+               bond_for_each_slave(bond, slave, iter) {
+-                      if (slave->new_link != BOND_LINK_NOCHANGE)
+-                              slave->link = slave->new_link;
++                      if (slave->link_new_state != BOND_LINK_NOCHANGE)
++                              slave->link = slave->link_new_state;
+               }
+               if (slave_state_changed) {
+@@ -2707,9 +2707,9 @@ re_arm:
+ }
+ /* Called to inspect slaves for active-backup mode ARP monitor link state
+- * changes.  Sets new_link in slaves to specify what action should take
+- * place for the slave.  Returns 0 if no changes are found, >0 if changes
+- * to link states must be committed.
++ * changes.  Sets proposed link state in slaves to specify what action
++ * should take place for the slave.  Returns 0 if no changes are found, >0
++ * if changes to link states must be committed.
+  *
+  * Called with rcu_read_lock held.
+  */
+@@ -2721,12 +2721,12 @@ static int bond_ab_arp_inspect(struct bo
+       int commit = 0;
+       bond_for_each_slave_rcu(bond, slave, iter) {
+-              slave->new_link = BOND_LINK_NOCHANGE;
++              bond_propose_link_state(slave, BOND_LINK_NOCHANGE);
+               last_rx = slave_last_rx(bond, slave);
+               if (slave->link != BOND_LINK_UP) {
+                       if (bond_time_in_interval(bond, last_rx, 1)) {
+-                              slave->new_link = BOND_LINK_UP;
++                              bond_propose_link_state(slave, BOND_LINK_UP);
+                               commit++;
+                       }
+                       continue;
+@@ -2754,7 +2754,7 @@ static int bond_ab_arp_inspect(struct bo
+               if (!bond_is_active_slave(slave) &&
+                   !rcu_access_pointer(bond->current_arp_slave) &&
+                   !bond_time_in_interval(bond, last_rx, 3)) {
+-                      slave->new_link = BOND_LINK_DOWN;
++                      bond_propose_link_state(slave, BOND_LINK_DOWN);
+                       commit++;
+               }
+@@ -2767,7 +2767,7 @@ static int bond_ab_arp_inspect(struct bo
+               if (bond_is_active_slave(slave) &&
+                   (!bond_time_in_interval(bond, trans_start, 2) ||
+                    !bond_time_in_interval(bond, last_rx, 2))) {
+-                      slave->new_link = BOND_LINK_DOWN;
++                      bond_propose_link_state(slave, BOND_LINK_DOWN);
+                       commit++;
+               }
+       }
+@@ -2787,7 +2787,7 @@ static void bond_ab_arp_commit(struct bo
+       struct slave *slave;
+       bond_for_each_slave(bond, slave, iter) {
+-              switch (slave->new_link) {
++              switch (slave->link_new_state) {
+               case BOND_LINK_NOCHANGE:
+                       continue;
+@@ -2840,7 +2840,7 @@ static void bond_ab_arp_commit(struct bo
+               default:
+                       netdev_err(bond->dev, "impossible: new_link %d on slave %s\n",
+-                                 slave->new_link, slave->dev->name);
++                                 slave->link_new_state, slave->dev->name);
+                       continue;
+               }
+--- a/include/net/bonding.h
++++ b/include/net/bonding.h
+@@ -148,7 +148,6 @@ struct slave {
+       unsigned long last_rx;
+       unsigned long target_last_arp_rx[BOND_MAX_ARP_TARGETS];
+       s8     link;    /* one of BOND_LINK_XXXX */
+-      s8     new_link;
+       u8     backup:1,   /* indicates backup slave. Value corresponds with
+                             BOND_STATE_ACTIVE and BOND_STATE_BACKUP */
+              inactive:1, /* indicates inactive slave */
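Review bot: The two `netdev_err()` messages in the default cases of bond_miimon_commit and bond_ab_arp_commit still use the old wording (`"invalid new link %d on slave %s\n"` and `"impossible: new_link %d on slave %s\n"`) while printing `slave->link_new_state`, and `new_link` no longer exists in struct slave after this patch. Someone tracing a log line back to the source will not find that field; I would reword the second to `"impossible: link_new_state %d on slave %s\n"`. Separately, the description names the direct `slave->link = BOND_LINK_FAIL` write in bond_slave_netdev_event as the trigger, and no hunk touches that function, so it is worth checking that the remaining direct writers of `slave->link` cannot leave a stale proposed state behind. All of the touched functions start and end outside their hunks.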
diff --git a/queue-4.9/cdc-ncm-handle-incomplete-transfer-of-mtu.patch b/queue-4.9/cdc-ncm-handle-incomplete-transfer-of-mtu.patch
new file mode 100644 (file)
index 0000000..cadba3e
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Sun 10 Nov 2019 06:21:03 PM CET
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 7 Nov 2019 09:48:01 +0100
+Subject: CDC-NCM: handle incomplete transfer of MTU
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit 332f989a3b0041b810836c5c3747e59aad7e9d0b ]
+
+A malicious device may give half an answer when asked
+for its MTU. The driver will proceed after this with
+a garbage MTU. Anything but a complete answer must be treated
+as an error.
+
+V2: used sizeof as request by Alexander
+
+Reported-and-tested-by: syzbot+0631d878823ce2411636@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/cdc_ncm.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -576,8 +576,8 @@ static void cdc_ncm_set_dgram_size(struc
+       /* read current mtu value from device */
+       err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,
+                             USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,
+-                            0, iface_no, &max_datagram_size, 2);
+-      if (err < 0) {
++                            0, iface_no, &max_datagram_size, sizeof(max_datagram_size));
++      if (err < sizeof(max_datagram_size)) {
+               dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");
+               goto out;
+       }
+@@ -588,7 +588,7 @@ static void cdc_ncm_set_dgram_size(struc
+       max_datagram_size = cpu_to_le16(ctx->max_datagram_size);
+       err = usbnet_write_cmd(dev, USB_CDC_SET_MAX_DATAGRAM_SIZE,
+                              USB_TYPE_CLASS | USB_DIR_OUT | USB_RECIP_INTERFACE,
+-                             0, iface_no, &max_datagram_size, 2);
++                             0, iface_no, &max_datagram_size, sizeof(max_datagram_size));
+       if (err < 0)
+               dev_dbg(&dev->intf->dev, "SET_MAX_DATAGRAM_SIZE failed\n");
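Review bot: The new check `if (err < sizeof(max_datagram_size))` compares a signed return value with a `size_t`, so a negative errno from usbnet_read_cmd() is converted to a large unsigned value and no longer takes the error path that the old `err < 0` test caught (assuming `err` is declared `int`; the declaration is outside the hunk). The function would then carry on with `max_datagram_size` unfilled after a failed read, which is the garbage-MTU case the description wants treated as an error. `if (err != sizeof(max_datagram_size)) {` rejects both failed and short transfers, as does the more explicit `if (err < 0 || (size_t)err < sizeof(max_datagram_size)) {`. The write path further down keeps `err < 0`, which detects failure but would not notice a short write.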
diff --git a/queue-4.9/ipv4-fix-table-id-reference-in-fib_sync_down_addr.patch b/queue-4.9/ipv4-fix-table-id-reference-in-fib_sync_down_addr.patch
new file mode 100644 (file)
index 0000000..93a24cf
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Sun 10 Nov 2019 06:21:03 PM CET
+From: David Ahern <dsahern@kernel.org>
+Date: Thu, 7 Nov 2019 18:29:52 +0000
+Subject: ipv4: Fix table id reference in fib_sync_down_addr
+
+From: David Ahern <dsahern@kernel.org>
+
+[ Upstream commit e0a312629fefa943534fc46f7bfbe6de3fdaf463 ]
+
+Hendrik reported routes in the main table using source address are not
+removed when the address is removed. The problem is that fib_sync_down_addr
+does not account for devices in the default VRF which are associated
+with the main table. Fix by updating the table id reference.
+
+Fixes: 5a56a0b3a45d ("net: Don't delete routes in different VRFs")
+Reported-by: Hendrik Donner <hd@os-cillation.de>
+Signed-off-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/fib_semantics.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -1358,8 +1358,8 @@ int fib_sync_down_addr(struct net_device
+       int ret = 0;
+       unsigned int hash = fib_laddr_hashfn(local);
+       struct hlist_head *head = &fib_info_laddrhash[hash];
++      int tb_id = l3mdev_fib_table(dev) ? : RT_TABLE_MAIN;
+       struct net *net = dev_net(dev);
+-      int tb_id = l3mdev_fib_table(dev);
+       struct fib_info *fi;
+       if (!fib_info_laddrhash || local == 0)
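Review bot: The initializer `l3mdev_fib_table(dev) ? : RT_TABLE_MAIN` carries the whole fix, but nothing in the code says why a zero table id is mapped to the main table; the reason is only in the commit message. I would add a comment above the declaration such as `/* 0 means dev is not bound to an L3 master device (default VRF); its routes are in the main table */`, worded from the description and worth confirming against l3mdev_fib_table(), which is not shown here. The rest of fib_sync_down_addr, including the loop that compares `tb_id`, is outside the hunk.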
diff --git a/queue-4.9/net-fix-data-race-in-neigh_event_send.patch b/queue-4.9/net-fix-data-race-in-neigh_event_send.patch
new file mode 100644 (file)
index 0000000..a8e30f1
--- /dev/null
@@ -0,0 +1,86 @@
+From foo@baz Sun 10 Nov 2019 06:21:03 PM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 7 Nov 2019 20:08:19 -0800
+Subject: net: fix data-race in neigh_event_send()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 1b53d64435d56902fc234ff2507142d971a09687 ]
+
+KCSAN reported the following data-race [1]
+
+The fix will also prevent the compiler from optimizing out
+the condition.
+
+[1]
+
+BUG: KCSAN: data-race in neigh_resolve_output / neigh_resolve_output
+
+write to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 1:
+ neigh_event_send include/net/neighbour.h:443 [inline]
+ neigh_resolve_output+0x78/0x480 net/core/neighbour.c:1474
+ neigh_output include/net/neighbour.h:511 [inline]
+ ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228
+ __ip_finish_output net/ipv4/ip_output.c:308 [inline]
+ __ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290
+ ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip_output+0xdf/0x210 net/ipv4/ip_output.c:432
+ dst_output include/net/dst.h:436 [inline]
+ ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125
+ __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532
+ ip_queue_xmit+0x45/0x60 include/net/ip.h:237
+ __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169
+ tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline]
+ __tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976
+ tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999
+ tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515
+ tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598
+ tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:618
+
+read to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 0:
+ neigh_event_send include/net/neighbour.h:442 [inline]
+ neigh_resolve_output+0x57/0x480 net/core/neighbour.c:1474
+ neigh_output include/net/neighbour.h:511 [inline]
+ ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228
+ __ip_finish_output net/ipv4/ip_output.c:308 [inline]
+ __ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290
+ ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318
+ NF_HOOK_COND include/linux/netfilter.h:294 [inline]
+ ip_output+0xdf/0x210 net/ipv4/ip_output.c:432
+ dst_output include/net/dst.h:436 [inline]
+ ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125
+ __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532
+ ip_queue_xmit+0x45/0x60 include/net/ip.h:237
+ __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169
+ tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline]
+ __tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976
+ tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999
+ tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515
+ tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc3+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/neighbour.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/net/neighbour.h
++++ b/include/net/neighbour.h
+@@ -425,8 +425,8 @@ static inline int neigh_event_send(struc
+ {
+       unsigned long now = jiffies;
+       
+-      if (neigh->used != now)
+-              neigh->used = now;
++      if (READ_ONCE(neigh->used) != now)
++              WRITE_ONCE(neigh->used, now);
+       if (!(neigh->nud_state&(NUD_CONNECTED|NUD_DELAY|NUD_PROBE)))
+               return __neigh_event_send(neigh, skb);
+       return 0;
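Review bot: Only `neigh->used` is annotated; the next line still reads `neigh->nud_state` with a plain load in the same inline function, which the KCSAN traces show being entered from timer context on two CPUs at once. If nud_state can be written concurrently with that read (its writers are not visible here), the same concern about compiler-transformed or torn accesses applies, and `if (!(READ_ONCE(neigh->nud_state) & (NUD_CONNECTED | NUD_DELAY | NUD_PROBE)))` would at least document the lockless read. Any other plain accesses to `neigh->used` elsewhere in the tree would need matching READ_ONCE/WRITE_ONCE for the annotation to be complete; none are touched by this patch.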
diff --git a/queue-4.9/net-usb-qmi_wwan-add-support-for-dw5821e-with-esim-support.patch b/queue-4.9/net-usb-qmi_wwan-add-support-for-dw5821e-with-esim-support.patch
new file mode 100644 (file)
index 0000000..4ac1cad
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Sun 10 Nov 2019 06:21:03 PM CET
+From: Aleksander Morgado <aleksander@aleksander.es>
+Date: Thu, 7 Nov 2019 11:57:01 +0100
+Subject: net: usb: qmi_wwan: add support for DW5821e with eSIM support
+
+From: Aleksander Morgado <aleksander@aleksander.es>
+
+[ Upstream commit e497df686e8fed8c1dd69179010656362858edb3 ]
+
+Exactly same layout as the default DW5821e module, just a different
+vid/pid.
+
+The QMI interface is exposed in USB configuration #1:
+
+P:  Vendor=413c ProdID=81e0 Rev=03.18
+S:  Manufacturer=Dell Inc.
+S:  Product=DW5821e-eSIM Snapdragon X20 LTE
+S:  SerialNumber=0123456789ABCDEF
+C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I:  If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
+I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+
+Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -951,6 +951,7 @@ static const struct usb_device_id produc
+       {QMI_FIXED_INTF(0x413c, 0x81b6, 8)},    /* Dell Wireless 5811e */
+       {QMI_FIXED_INTF(0x413c, 0x81b6, 10)},   /* Dell Wireless 5811e */
+       {QMI_FIXED_INTF(0x413c, 0x81d7, 0)},    /* Dell Wireless 5821e */
++      {QMI_FIXED_INTF(0x413c, 0x81e0, 0)},    /* Dell Wireless 5821e with eSIM support*/
+       {QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)},    /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */
+       {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)},    /* HP lt4120 Snapdragon X5 LTE */
+       {QMI_FIXED_INTF(0x22de, 0x9061, 3)},    /* WeTelecom WPD-600N */
diff --git a/queue-4.9/nfc-fdp-fix-incorrect-free-object.patch b/queue-4.9/nfc-fdp-fix-incorrect-free-object.patch
new file mode 100644 (file)
index 0000000..0940f24
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Sun 10 Nov 2019 06:21:03 PM CET
+From: Pan Bian <bianpan2016@163.com>
+Date: Tue, 5 Nov 2019 16:34:07 +0800
+Subject: NFC: fdp: fix incorrect free object
+
+From: Pan Bian <bianpan2016@163.com>
+
+[ Upstream commit 517ce4e93368938b204451285e53014549804868 ]
+
+The address of fw_vsc_cfg is on stack. Releasing it with devm_kfree() is
+incorrect, which may result in a system crash or other security impacts.
+The expected object to free is *fw_vsc_cfg.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/fdp/i2c.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nfc/fdp/i2c.c
++++ b/drivers/nfc/fdp/i2c.c
+@@ -268,7 +268,7 @@ static void fdp_nci_i2c_read_device_prop
+                                                 *fw_vsc_cfg, len);
+               if (r) {
+-                      devm_kfree(dev, fw_vsc_cfg);
++                      devm_kfree(dev, *fw_vsc_cfg);
+                       goto vsc_read_err;
+               }
+       } else {
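Review bot: After `devm_kfree(dev, *fw_vsc_cfg);` the caller's pointer still holds the freed address, and the code at `vsc_read_err` is outside the hunk, so it is not visible whether `*fw_vsc_cfg` is reset there. If it is not, a caller that tests `*fw_vsc_cfg` against NULL would go on to use freed memory; adding `*fw_vsc_cfg = NULL;` directly after the free makes this error path safe regardless of what the label does. The allocation that precedes the property read is also outside the hunk, so whether its result is checked before use cannot be confirmed from here.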
diff --git a/queue-4.9/nfc-netlink-fix-double-device-reference-drop.patch b/queue-4.9/nfc-netlink-fix-double-device-reference-drop.patch
new file mode 100644 (file)
index 0000000..cb8dd46
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Sun 10 Nov 2019 06:21:03 PM CET
+From: Pan Bian <bianpan2016@163.com>
+Date: Thu, 7 Nov 2019 14:29:50 +0800
+Subject: nfc: netlink: fix double device reference drop
+
+From: Pan Bian <bianpan2016@163.com>
+
+[ Upstream commit 025ec40b81d785a98f76b8bdb509ac10773b4f12 ]
+
+The function nfc_put_device(dev) is called twice to drop the reference
+to dev when there is no associated local llcp. Remove one of them to fix
+the bug.
+
+Fixes: 52feb444a903 ("NFC: Extend netlink interface for LTO, RW, and MIUX parameters support")
+Fixes: d9b8d8e19b07 ("NFC: llcp: Service Name Lookup netlink interface")
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/netlink.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -1103,7 +1103,6 @@ static int nfc_genl_llc_set_params(struc
+       local = nfc_llcp_find_local(dev);
+       if (!local) {
+-              nfc_put_device(dev);
+               rc = -ENODEV;
+               goto exit;
+       }
+@@ -1163,7 +1162,6 @@ static int nfc_genl_llc_sdreq(struct sk_
+       local = nfc_llcp_find_local(dev);
+       if (!local) {
+-              nfc_put_device(dev);
+               rc = -ENODEV;
+               goto exit;
+       }
diff --git a/queue-4.9/nfc-st21nfca-fix-double-free.patch b/queue-4.9/nfc-st21nfca-fix-double-free.patch
new file mode 100644 (file)
index 0000000..6a039b4
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Sun 10 Nov 2019 06:21:03 PM CET
+From: Pan Bian <bianpan2016@163.com>
+Date: Thu, 7 Nov 2019 09:33:20 +0800
+Subject: NFC: st21nfca: fix double free
+
+From: Pan Bian <bianpan2016@163.com>
+
+[ Upstream commit 99a8efbb6e30b72ac98cecf81103f847abffb1e5 ]
+
+The variable nfcid_skb is not changed in the callee nfc_hci_get_param()
+if error occurs. Consequently, the freed variable nfcid_skb will be
+freed again, resulting in a double free bug. Set nfcid_skb to NULL after
+releasing it to fix the bug.
+
+Signed-off-by: Pan Bian <bianpan2016@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/st21nfca/core.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nfc/st21nfca/core.c
++++ b/drivers/nfc/st21nfca/core.c
+@@ -719,6 +719,7 @@ static int st21nfca_hci_complete_target_
+                                                       NFC_PROTO_FELICA_MASK;
+               } else {
+                       kfree_skb(nfcid_skb);
++                      nfcid_skb = NULL;
+                       /* P2P in type A */
+                       r = nfc_hci_get_param(hdev, ST21NFCA_RF_READER_F_GATE,
+                                       ST21NFCA_RF_READER_F_NFCID1,
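Review bot: The added `nfcid_skb = NULL;` has no comment, and the reason it is needed (the callee leaves the pointer untouched on error, so a later free would hit the same skb again) is recorded only in the commit message. I would put it next to the assignment: `/* nfc_hci_get_param() does not update nfcid_skb on error; clear it so the exit path cannot free it twice */`. The first branch of this if/else and the exit path are outside the hunk, so it is not visible whether any other place frees nfcid_skb before a call that can fail; if one does, it needs the same reset.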
diff --git a/queue-4.9/qede-fix-null-pointer-deref-in-__qede_remove.patch b/queue-4.9/qede-fix-null-pointer-deref-in-__qede_remove.patch
new file mode 100644 (file)
index 0000000..32d34e4
--- /dev/null
@@ -0,0 +1,101 @@
+From foo@baz Sun 10 Nov 2019 06:21:03 PM CET
+From: Manish Chopra <manishc@marvell.com>
+Date: Fri, 8 Nov 2019 02:42:30 -0800
+Subject: qede: fix NULL pointer deref in __qede_remove()
+
+From: Manish Chopra <manishc@marvell.com>
+
+[ Upstream commit deabc87111c690097c03765ea017cd500f7376fc ]
+
+While rebooting the system with SR-IOV vfs enabled leads
+to below crash due to recurrence of __qede_remove() on the VF
+devices (first from .shutdown() flow of the VF itself and
+another from PF's .shutdown() flow executing pci_disable_sriov())
+
+This patch adds a safeguard in __qede_remove() flow to fix this,
+so that driver doesn't attempt to remove "already removed" devices.
+
+[  194.360134] BUG: unable to handle kernel NULL pointer dereference at 00000000000008dc
+[  194.360227] IP: [<ffffffffc03553c4>] __qede_remove+0x24/0x130 [qede]
+[  194.360304] PGD 0
+[  194.360325] Oops: 0000 [#1] SMP
+[  194.360360] Modules linked in: tcp_lp fuse tun bridge stp llc devlink bonding ip_set nfnetlink ib_isert iscsi_target_mod ib_srpt target_core_mod ib_srp scsi_transport_srp scsi_tgt ib_ipoib ib_umad rpcrdma sunrpc rdma_ucm ib_uverbs ib_iser rdma_cm iw_cm ib_cm libiscsi scsi_transport_iscsi dell_smbios iTCO_wdt iTCO_vendor_support dell_wmi_descriptor dcdbas vfat fat pcc_cpufreq skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd qedr ib_core pcspkr ses enclosure joydev ipmi_ssif sg i2c_i801 lpc_ich mei_me mei wmi ipmi_si ipmi_devintf ipmi_msghandler tpm_crb acpi_pad acpi_power_meter xfs libcrc32c sd_mod crc_t10dif crct10dif_generic crct10dif_pclmul crct10dif_common crc32c_intel mgag200
+[  194.361044]  qede i2c_algo_bit drm_kms_helper qed syscopyarea sysfillrect nvme sysimgblt fb_sys_fops ttm nvme_core mpt3sas crc8 ptp drm pps_core ahci raid_class scsi_transport_sas libahci libata drm_panel_orientation_quirks nfit libnvdimm dm_mirror dm_region_hash dm_log dm_mod [last unloaded: ip_tables]
+[  194.361297] CPU: 51 PID: 7996 Comm: reboot Kdump: loaded Not tainted 3.10.0-1062.el7.x86_64 #1
+[  194.361359] Hardware name: Dell Inc. PowerEdge MX840c/0740HW, BIOS 2.4.6 10/15/2019
+[  194.361412] task: ffff9cea9b360000 ti: ffff9ceabebdc000 task.ti: ffff9ceabebdc000
+[  194.361463] RIP: 0010:[<ffffffffc03553c4>]  [<ffffffffc03553c4>] __qede_remove+0x24/0x130 [qede]
+[  194.361534] RSP: 0018:ffff9ceabebdfac0  EFLAGS: 00010282
+[  194.361570] RAX: 0000000000000000 RBX: ffff9cd013846098 RCX: 0000000000000000
+[  194.361621] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9cd013846098
+[  194.361668] RBP: ffff9ceabebdfae8 R08: 0000000000000000 R09: 0000000000000000
+[  194.361715] R10: 00000000bfe14201 R11: ffff9ceabfe141e0 R12: 0000000000000000
+[  194.361762] R13: ffff9cd013846098 R14: 0000000000000000 R15: ffff9ceab5e48000
+[  194.361810] FS:  00007f799c02d880(0000) GS:ffff9ceacb0c0000(0000) knlGS:0000000000000000
+[  194.361865] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  194.361903] CR2: 00000000000008dc CR3: 0000001bdac76000 CR4: 00000000007607e0
+[  194.361953] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  194.362002] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[  194.362051] PKRU: 55555554
+[  194.362073] Call Trace:
+[  194.362109]  [<ffffffffc0355500>] qede_remove+0x10/0x20 [qede]
+[  194.362180]  [<ffffffffb97d0f3e>] pci_device_remove+0x3e/0xc0
+[  194.362240]  [<ffffffffb98b3c52>] __device_release_driver+0x82/0xf0
+[  194.362285]  [<ffffffffb98b3ce3>] device_release_driver+0x23/0x30
+[  194.362343]  [<ffffffffb97c86d4>] pci_stop_bus_device+0x84/0xa0
+[  194.362388]  [<ffffffffb97c87e2>] pci_stop_and_remove_bus_device+0x12/0x20
+[  194.362450]  [<ffffffffb97f153f>] pci_iov_remove_virtfn+0xaf/0x160
+[  194.362496]  [<ffffffffb97f1aec>] sriov_disable+0x3c/0xf0
+[  194.362534]  [<ffffffffb97f1bc3>] pci_disable_sriov+0x23/0x30
+[  194.362599]  [<ffffffffc02f83c3>] qed_sriov_disable+0x5e3/0x650 [qed]
+[  194.362658]  [<ffffffffb9622df6>] ? kfree+0x106/0x140
+[  194.362709]  [<ffffffffc02cc0c0>] ? qed_free_stream_mem+0x70/0x90 [qed]
+[  194.362754]  [<ffffffffb9622df6>] ? kfree+0x106/0x140
+[  194.362803]  [<ffffffffc02cd659>] qed_slowpath_stop+0x1a9/0x1d0 [qed]
+[  194.362854]  [<ffffffffc035544e>] __qede_remove+0xae/0x130 [qede]
+[  194.362904]  [<ffffffffc03554e0>] qede_shutdown+0x10/0x20 [qede]
+[  194.362956]  [<ffffffffb97cf90a>] pci_device_shutdown+0x3a/0x60
+[  194.363010]  [<ffffffffb98b180b>] device_shutdown+0xfb/0x1f0
+[  194.363066]  [<ffffffffb94b66c6>] kernel_restart_prepare+0x36/0x40
+[  194.363107]  [<ffffffffb94b66e2>] kernel_restart+0x12/0x60
+[  194.363146]  [<ffffffffb94b6959>] SYSC_reboot+0x229/0x260
+[  194.363196]  [<ffffffffb95f200d>] ? handle_mm_fault+0x39d/0x9b0
+[  194.363253]  [<ffffffffb942b621>] ? __switch_to+0x151/0x580
+[  194.363304]  [<ffffffffb9b7ec28>] ? __schedule+0x448/0x9c0
+[  194.363343]  [<ffffffffb94b69fe>] SyS_reboot+0xe/0x10
+[  194.363387]  [<ffffffffb9b8bede>] system_call_fastpath+0x25/0x2a
+[  194.363430] Code: f9 e9 37 ff ff ff 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 4c 8d af 98 00 00 00 41 54 4c 89 ef 41 89 f4 53 e8 4c e4 55 f9 <80> b8 dc 08 00 00 01 48 89 c3 4c 8d b8 c0 08 00 00 4c 8b b0 c0
+[  194.363712] RIP  [<ffffffffc03553c4>] __qede_remove+0x24/0x130 [qede]
+[  194.363764]  RSP <ffff9ceabebdfac0>
+[  194.363791] CR2: 00000000000008dc
+
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Ariel Elior <aelior@marvell.com>
+Signed-off-by: Sudarsana Kalluru <skalluru@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_main.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qede/qede_main.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c
+@@ -2619,8 +2619,16 @@ enum qede_remove_mode {
+ static void __qede_remove(struct pci_dev *pdev, enum qede_remove_mode mode)
+ {
+       struct net_device *ndev = pci_get_drvdata(pdev);
+-      struct qede_dev *edev = netdev_priv(ndev);
+-      struct qed_dev *cdev = edev->cdev;
++      struct qede_dev *edev;
++      struct qed_dev *cdev;
++
++      if (!ndev) {
++              dev_info(&pdev->dev, "Device has already been removed\n");
++              return;
++      }
++
++      edev = netdev_priv(ndev);
++      cdev = edev->cdev;
+       DP_INFO(edev, "Starting qede_remove\n");
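Review bot: The `if (!ndev)` guard only helps if the first removal pass clears the PCI driver data, and that store is not in the hunk; the rest of __qede_remove is outside it. The oops in the description faults at a small offset with RAX zero, which suggests drvdata is already NULL on the second entry, but the dependency should be stated where the guard lives, for example `/* drvdata is NULL once an earlier remove/shutdown pass has finished (VF shutdown followed by the PF's pci_disable_sriov()); nothing is left to tear down */`. If drvdata were ever cleared after the netdev is freed rather than before, `ndev` could be seen stale and non-NULL, so the ordering in the unseen part of the function is worth confirming.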
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644 (file)
index 0000000..c86c73b
--- /dev/null
@@ -0,0 +1,9 @@
+bonding-fix-state-transition-issue-in-link-monitoring.patch
+cdc-ncm-handle-incomplete-transfer-of-mtu.patch
+ipv4-fix-table-id-reference-in-fib_sync_down_addr.patch
+net-fix-data-race-in-neigh_event_send.patch
+net-usb-qmi_wwan-add-support-for-dw5821e-with-esim-support.patch
+nfc-fdp-fix-incorrect-free-object.patch
+nfc-netlink-fix-double-device-reference-drop.patch
+nfc-st21nfca-fix-double-free.patch
+qede-fix-null-pointer-deref-in-__qede_remove.patch