--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST
+From: John Ogness <john.ogness@linutronix.de>
+Date: Thu, 13 Aug 2020 21:45:25 +0206
+Subject: af_packet: TPACKET_V3: fix fill status rwlock imbalance
+
+From: John Ogness <john.ogness@linutronix.de>
+
+[ Upstream commit 88fd1cb80daa20af063bce81e1fad14e945a8dc4 ]
+
+After @blk_fill_in_prog_lock is acquired there is an early out vnet
+situation that can occur. In that case, the rwlock needs to be
+released.
+
+Also, since @blk_fill_in_prog_lock is only acquired when @tp_version
+is exactly TPACKET_V3, only release it on that exact condition as
+well.
+
+And finally, add sparse annotation so that it is clearer that
+prb_fill_curr_block() and prb_clear_blk_fill_status() are acquiring
+and releasing @blk_fill_in_prog_lock, respectively. sparse is still
+unable to understand the balance, but the warnings are now on a
+higher level that make more sense.
+
+Fixes: 632ca50f2cbd ("af_packet: TPACKET_V3: replace busy-wait loop")
+Signed-off-by: John Ogness <john.ogness@linutronix.de>
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -941,6 +941,7 @@ static int prb_queue_frozen(struct tpack
+ }
+
+ static void prb_clear_blk_fill_status(struct packet_ring_buffer *rb)
++ __releases(&pkc->blk_fill_in_prog_lock)
+ {
+ struct tpacket_kbdq_core *pkc = GET_PBDQC_FROM_RB(rb);
+ atomic_dec(&pkc->blk_fill_in_prog);
+@@ -988,6 +989,7 @@ static void prb_fill_curr_block(char *cu
+ struct tpacket_kbdq_core *pkc,
+ struct tpacket_block_desc *pbd,
+ unsigned int len)
++ __acquires(&pkc->blk_fill_in_prog_lock)
+ {
+ struct tpacket3_hdr *ppd;
+
+@@ -2285,8 +2287,11 @@ static int tpacket_rcv(struct sk_buff *s
+ if (do_vnet &&
+ virtio_net_hdr_from_skb(skb, h.raw + macoff -
+ sizeof(struct virtio_net_hdr),
+- vio_le(), true, 0))
++ vio_le(), true, 0)) {
++ if (po->tp_version == TPACKET_V3)
++ prb_clear_blk_fill_status(&po->rx_ring);
+ goto drop_n_account;
++ }
+
+ if (po->tp_version <= TPACKET_V2) {
+ packet_increment_rx_head(po, &po->rx_ring);
+@@ -2392,7 +2397,7 @@ static int tpacket_rcv(struct sk_buff *s
+ __clear_bit(slot_id, po->rx_ring.rx_owner_map);
+ spin_unlock(&sk->sk_receive_queue.lock);
+ sk->sk_data_ready(sk);
+- } else {
++ } else if (po->tp_version == TPACKET_V3) {
+ prb_clear_blk_fill_status(&po->rx_ring);
+ }
+
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST
+From: Xie He <xie.he.0141@gmail.com>
+Date: Wed, 5 Aug 2020 18:50:40 -0700
+Subject: drivers/net/wan/lapbether: Added needed_headroom and a skb->len check
+
+From: Xie He <xie.he.0141@gmail.com>
+
+[ Upstream commit c7ca03c216acb14466a713fedf1b9f2c24994ef2 ]
+
+1. Added a skb->len check
+
+This driver expects upper layers to include a pseudo header of 1 byte
+when passing down a skb for transmission. This driver will read this
+1-byte header. This patch added a skb->len check before reading the
+header to make sure the header exists.
+
+2. Changed to use needed_headroom instead of hard_header_len to request
+necessary headroom to be allocated
+
+In net/packet/af_packet.c, the function packet_snd first reserves a
+headroom of length (dev->hard_header_len + dev->needed_headroom).
+Then if the socket is a SOCK_DGRAM socket, it calls dev_hard_header,
+which calls dev->header_ops->create, to create the link layer header.
+If the socket is a SOCK_RAW socket, it "un-reserves" a headroom of
+length (dev->hard_header_len), and assumes the user to provide the
+appropriate link layer header.
+
+So according to the logic of af_packet.c, dev->hard_header_len should
+be the length of the header that would be created by
+dev->header_ops->create.
+
+However, this driver doesn't provide dev->header_ops, so logically
+dev->hard_header_len should be 0.
+
+So we should use dev->needed_headroom instead of dev->hard_header_len
+to request necessary headroom to be allocated.
+
+This change fixes kernel panic when this driver is used with AF_PACKET
+SOCK_RAW sockets.
+
+Call stack when panic:
+
+[ 168.399197] skbuff: skb_under_panic: text:ffffffff819d95fb len:20
+put:14 head:ffff8882704c0a00 data:ffff8882704c09fd tail:0x11 end:0xc0
+dev:veth0
+...
+[ 168.399255] Call Trace:
+[ 168.399259] skb_push.cold+0x14/0x24
+[ 168.399262] eth_header+0x2b/0xc0
+[ 168.399267] lapbeth_data_transmit+0x9a/0xb0 [lapbether]
+[ 168.399275] lapb_data_transmit+0x22/0x2c [lapb]
+[ 168.399277] lapb_transmit_buffer+0x71/0xb0 [lapb]
+[ 168.399279] lapb_kick+0xe3/0x1c0 [lapb]
+[ 168.399281] lapb_data_request+0x76/0xc0 [lapb]
+[ 168.399283] lapbeth_xmit+0x56/0x90 [lapbether]
+[ 168.399286] dev_hard_start_xmit+0x91/0x1f0
+[ 168.399289] ? irq_init_percpu_irqstack+0xc0/0x100
+[ 168.399291] __dev_queue_xmit+0x721/0x8e0
+[ 168.399295] ? packet_parse_headers.isra.0+0xd2/0x110
+[ 168.399297] dev_queue_xmit+0x10/0x20
+[ 168.399298] packet_sendmsg+0xbf0/0x19b0
+......
+
+Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+Cc: Martin Schiller <ms@dev.tdt.de>
+Cc: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Xie He <xie.he.0141@gmail.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/lapbether.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -157,6 +157,12 @@ static netdev_tx_t lapbeth_xmit(struct s
+ if (!netif_running(dev))
+ goto drop;
+
++ /* There should be a pseudo header of 1 byte added by upper layers.
++ * Check to make sure it is there before reading it.
++ */
++ if (skb->len < 1)
++ goto drop;
++
+ switch (skb->data[0]) {
+ case X25_IFACE_DATA:
+ break;
+@@ -305,6 +311,7 @@ static void lapbeth_setup(struct net_dev
+ dev->netdev_ops = &lapbeth_netdev_ops;
+ dev->needs_free_netdev = true;
+ dev->type = ARPHRD_X25;
++ dev->hard_header_len = 0;
+ dev->mtu = 1000;
+ dev->addr_len = 0;
+ }
+@@ -331,7 +338,8 @@ static int lapbeth_new_device(struct net
+ * then this driver prepends a length field of 2 bytes,
+ * then the underlying Ethernet device prepends its own header.
+ */
+- ndev->hard_header_len = -1 + 3 + 2 + dev->hard_header_len;
++ ndev->needed_headroom = -1 + 3 + 2 + dev->hard_header_len
++ + dev->needed_headroom;
+
+ lapbeth = netdev_priv(ndev);
+ lapbeth->axdev = ndev;
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Mon, 10 Aug 2020 08:16:58 -0400
+Subject: net: Fix potential memory leak in proto_register()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit 0f5907af39137f8183ed536aaa00f322d7365130 ]
+
+If we failed to assign proto idx, we free the twsk_slab_name but forget to
+free the twsk_slab. Add a helper function tw_prot_cleanup() to free these
+together and also use this helper function in proto_unregister().
+
+Fixes: b45ce32135d1 ("sock: fix potential memory leak in proto_register()")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/sock.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -3337,6 +3337,16 @@ static void sock_inuse_add(struct net *n
+ }
+ #endif
+
++static void tw_prot_cleanup(struct timewait_sock_ops *twsk_prot)
++{
++ if (!twsk_prot)
++ return;
++ kfree(twsk_prot->twsk_slab_name);
++ twsk_prot->twsk_slab_name = NULL;
++ kmem_cache_destroy(twsk_prot->twsk_slab);
++ twsk_prot->twsk_slab = NULL;
++}
++
+ static void req_prot_cleanup(struct request_sock_ops *rsk_prot)
+ {
+ if (!rsk_prot)
+@@ -3407,7 +3417,7 @@ int proto_register(struct proto *prot, i
+ prot->slab_flags,
+ NULL);
+ if (prot->twsk_prot->twsk_slab == NULL)
+- goto out_free_timewait_sock_slab_name;
++ goto out_free_timewait_sock_slab;
+ }
+ }
+
+@@ -3415,15 +3425,15 @@ int proto_register(struct proto *prot, i
+ ret = assign_proto_idx(prot);
+ if (ret) {
+ mutex_unlock(&proto_list_mutex);
+- goto out_free_timewait_sock_slab_name;
++ goto out_free_timewait_sock_slab;
+ }
+ list_add(&prot->node, &proto_list);
+ mutex_unlock(&proto_list_mutex);
+ return ret;
+
+-out_free_timewait_sock_slab_name:
++out_free_timewait_sock_slab:
+ if (alloc_slab && prot->twsk_prot)
+- kfree(prot->twsk_prot->twsk_slab_name);
++ tw_prot_cleanup(prot->twsk_prot);
+ out_free_request_sock_slab:
+ if (alloc_slab) {
+ req_prot_cleanup(prot->rsk_prot);
+@@ -3447,12 +3457,7 @@ void proto_unregister(struct proto *prot
+ prot->slab = NULL;
+
+ req_prot_cleanup(prot->rsk_prot);
+-
+- if (prot->twsk_prot != NULL && prot->twsk_prot->twsk_slab != NULL) {
+- kmem_cache_destroy(prot->twsk_prot->twsk_slab);
+- kfree(prot->twsk_prot->twsk_slab_name);
+- prot->twsk_prot->twsk_slab = NULL;
+- }
++ tw_prot_cleanup(prot->twsk_prot);
+ }
+ EXPORT_SYMBOL(proto_unregister);
+
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST
+From: Tim Froidcoeur <tim.froidcoeur@tessares.net>
+Date: Tue, 11 Aug 2020 20:33:24 +0200
+Subject: net: initialize fastreuse on inet_inherit_port
+
+From: Tim Froidcoeur <tim.froidcoeur@tessares.net>
+
+[ Upstream commit d76f3351cea2d927fdf70dd7c06898235035e84e ]
+
+In the case of TPROXY, bind_conflict optimizations for SO_REUSEADDR or
+SO_REUSEPORT are broken, possibly resulting in O(n) instead of O(1) bind
+behaviour or in the incorrect reuse of a bind.
+
+the kernel keeps track for each bind_bucket if all sockets in the
+bind_bucket support SO_REUSEADDR or SO_REUSEPORT in two fastreuse flags.
+These flags allow skipping the costly bind_conflict check when possible
+(meaning when all sockets have the proper SO_REUSE option).
+
+For every socket added to a bind_bucket, these flags need to be updated.
+As soon as a socket that does not support reuse is added, the flag is
+set to false and will never go back to true, unless the bind_bucket is
+deleted.
+
+Note that there is no mechanism to re-evaluate these flags when a socket
+is removed (this might make sense when removing a socket that would not
+allow reuse; this leaves room for a future patch).
+
+For this optimization to work, it is mandatory that these flags are
+properly initialized and updated.
+
+When a child socket is created from a listen socket in
+__inet_inherit_port, the TPROXY case could create a new bind bucket
+without properly initializing these flags, thus preventing the
+optimization to work. Alternatively, a socket not allowing reuse could
+be added to an existing bind bucket without updating the flags, causing
+bind_conflict to never be called as it should.
+
+Call inet_csk_update_fastreuse when __inet_inherit_port decides to create
+a new bind_bucket or use a different bind_bucket than the one of the
+listen socket.
+
+Fixes: 093d282321da ("tproxy: fix hash locking issue when using port redirection in __inet_inherit_port()")
+Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Tim Froidcoeur <tim.froidcoeur@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/inet_hashtables.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -163,6 +163,7 @@ int __inet_inherit_port(const struct soc
+ return -ENOMEM;
+ }
+ }
++ inet_csk_update_fastreuse(tb, child);
+ }
+ inet_bind_hash(child, tb, port);
+ spin_unlock(&head->lock);
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST
+From: Qingyu Li <ieatmuttonchuan@gmail.com>
+Date: Mon, 10 Aug 2020 09:51:00 +0800
+Subject: net/nfc/rawsock.c: add CAP_NET_RAW check.
+
+From: Qingyu Li <ieatmuttonchuan@gmail.com>
+
+[ Upstream commit 26896f01467a28651f7a536143fe5ac8449d4041 ]
+
+When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first.
+
+Signed-off-by: Qingyu Li <ieatmuttonchuan@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/rawsock.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/rawsock.c
++++ b/net/nfc/rawsock.c
+@@ -332,10 +332,13 @@ static int rawsock_create(struct net *ne
+ if ((sock->type != SOCK_SEQPACKET) && (sock->type != SOCK_RAW))
+ return -ESOCKTNOSUPPORT;
+
+- if (sock->type == SOCK_RAW)
++ if (sock->type == SOCK_RAW) {
++ if (!capable(CAP_NET_RAW))
++ return -EPERM;
+ sock->ops = &rawsock_raw_ops;
+- else
++ } else {
+ sock->ops = &rawsock_ops;
++ }
+
+ sk = sk_alloc(net, PF_NFC, GFP_ATOMIC, nfc_proto->proto, kern);
+ if (!sk)
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 6 Aug 2020 17:37:53 +0200
+Subject: net: phy: fix memory leak in device-create error path
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit d02cbc46136105cf86f84ac355e16f04696f538d ]
+
+A recent commit introduced a late error path in phy_device_create()
+which fails to release the device name allocated by dev_set_name().
+
+Fixes: 13d0ab6750b2 ("net: phy: check return code when requesting PHY driver module")
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phy_device.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -615,7 +615,9 @@ struct phy_device *phy_device_create(str
+ if (c45_ids)
+ dev->c45_ids = *c45_ids;
+ dev->irq = bus->irq[addr];
++
+ dev_set_name(&mdiodev->dev, PHY_ID_FMT, bus->id, addr);
++ device_initialize(&mdiodev->dev);
+
+ dev->state = PHY_DOWN;
+
+@@ -649,10 +651,8 @@ struct phy_device *phy_device_create(str
+ ret = phy_request_driver_module(dev, phy_id);
+ }
+
+- if (!ret) {
+- device_initialize(&mdiodev->dev);
+- } else {
+- kfree(dev);
++ if (ret) {
++ put_device(&mdiodev->dev);
+ dev = ERR_PTR(ret);
+ }
+
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST
+From: Tim Froidcoeur <tim.froidcoeur@tessares.net>
+Date: Tue, 11 Aug 2020 20:33:23 +0200
+Subject: net: refactor bind_bucket fastreuse into helper
+
+From: Tim Froidcoeur <tim.froidcoeur@tessares.net>
+
+[ Upstream commit 62ffc589abb176821662efc4525ee4ac0b9c3894 ]
+
+Refactor the fastreuse update code in inet_csk_get_port into a small
+helper function that can be called from other places.
+
+Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Tim Froidcoeur <tim.froidcoeur@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/inet_connection_sock.h | 4 +
+ net/ipv4/inet_connection_sock.c | 97 ++++++++++++++++++++-----------------
+ 2 files changed, 57 insertions(+), 44 deletions(-)
+
+--- a/include/net/inet_connection_sock.h
++++ b/include/net/inet_connection_sock.h
+@@ -309,6 +309,10 @@ int inet_csk_compat_getsockopt(struct so
+ int inet_csk_compat_setsockopt(struct sock *sk, int level, int optname,
+ char __user *optval, unsigned int optlen);
+
++/* update the fast reuse flag when adding a socket */
++void inet_csk_update_fastreuse(struct inet_bind_bucket *tb,
++ struct sock *sk);
++
+ struct dst_entry *inet_csk_update_pmtu(struct sock *sk, u32 mtu);
+
+ #define TCP_PINGPONG_THRESH 3
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -284,6 +284,57 @@ static inline int sk_reuseport_match(str
+ ipv6_only_sock(sk), true, false);
+ }
+
++void inet_csk_update_fastreuse(struct inet_bind_bucket *tb,
++ struct sock *sk)
++{
++ kuid_t uid = sock_i_uid(sk);
++ bool reuse = sk->sk_reuse && sk->sk_state != TCP_LISTEN;
++
++ if (hlist_empty(&tb->owners)) {
++ tb->fastreuse = reuse;
++ if (sk->sk_reuseport) {
++ tb->fastreuseport = FASTREUSEPORT_ANY;
++ tb->fastuid = uid;
++ tb->fast_rcv_saddr = sk->sk_rcv_saddr;
++ tb->fast_ipv6_only = ipv6_only_sock(sk);
++ tb->fast_sk_family = sk->sk_family;
++#if IS_ENABLED(CONFIG_IPV6)
++ tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr;
++#endif
++ } else {
++ tb->fastreuseport = 0;
++ }
++ } else {
++ if (!reuse)
++ tb->fastreuse = 0;
++ if (sk->sk_reuseport) {
++ /* We didn't match or we don't have fastreuseport set on
++ * the tb, but we have sk_reuseport set on this socket
++ * and we know that there are no bind conflicts with
++ * this socket in this tb, so reset our tb's reuseport
++ * settings so that any subsequent sockets that match
++ * our current socket will be put on the fast path.
++ *
++ * If we reset we need to set FASTREUSEPORT_STRICT so we
++ * do extra checking for all subsequent sk_reuseport
++ * socks.
++ */
++ if (!sk_reuseport_match(tb, sk)) {
++ tb->fastreuseport = FASTREUSEPORT_STRICT;
++ tb->fastuid = uid;
++ tb->fast_rcv_saddr = sk->sk_rcv_saddr;
++ tb->fast_ipv6_only = ipv6_only_sock(sk);
++ tb->fast_sk_family = sk->sk_family;
++#if IS_ENABLED(CONFIG_IPV6)
++ tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr;
++#endif
++ }
++ } else {
++ tb->fastreuseport = 0;
++ }
++ }
++}
++
+ /* Obtain a reference to a local port for the given sock,
+ * if snum is zero it means select any available local port.
+ * We try to allocate an odd port (and leave even ports for connect())
+@@ -296,7 +347,6 @@ int inet_csk_get_port(struct sock *sk, u
+ struct inet_bind_hashbucket *head;
+ struct net *net = sock_net(sk);
+ struct inet_bind_bucket *tb = NULL;
+- kuid_t uid = sock_i_uid(sk);
+ int l3mdev;
+
+ l3mdev = inet_sk_bound_l3mdev(sk);
+@@ -333,49 +383,8 @@ tb_found:
+ goto fail_unlock;
+ }
+ success:
+- if (hlist_empty(&tb->owners)) {
+- tb->fastreuse = reuse;
+- if (sk->sk_reuseport) {
+- tb->fastreuseport = FASTREUSEPORT_ANY;
+- tb->fastuid = uid;
+- tb->fast_rcv_saddr = sk->sk_rcv_saddr;
+- tb->fast_ipv6_only = ipv6_only_sock(sk);
+- tb->fast_sk_family = sk->sk_family;
+-#if IS_ENABLED(CONFIG_IPV6)
+- tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr;
+-#endif
+- } else {
+- tb->fastreuseport = 0;
+- }
+- } else {
+- if (!reuse)
+- tb->fastreuse = 0;
+- if (sk->sk_reuseport) {
+- /* We didn't match or we don't have fastreuseport set on
+- * the tb, but we have sk_reuseport set on this socket
+- * and we know that there are no bind conflicts with
+- * this socket in this tb, so reset our tb's reuseport
+- * settings so that any subsequent sockets that match
+- * our current socket will be put on the fast path.
+- *
+- * If we reset we need to set FASTREUSEPORT_STRICT so we
+- * do extra checking for all subsequent sk_reuseport
+- * socks.
+- */
+- if (!sk_reuseport_match(tb, sk)) {
+- tb->fastreuseport = FASTREUSEPORT_STRICT;
+- tb->fastuid = uid;
+- tb->fast_rcv_saddr = sk->sk_rcv_saddr;
+- tb->fast_ipv6_only = ipv6_only_sock(sk);
+- tb->fast_sk_family = sk->sk_family;
+-#if IS_ENABLED(CONFIG_IPV6)
+- tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr;
+-#endif
+- }
+- } else {
+- tb->fastreuseport = 0;
+- }
+- }
++ inet_csk_update_fastreuse(tb, sk);
++
+ if (!inet_csk(sk)->icsk_bind_hash)
+ inet_bind_hash(sk, tb, port);
+ WARN_ON(inet_csk(sk)->icsk_bind_hash != tb);
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Thu, 6 Aug 2020 19:53:16 +0800
+Subject: net: Set fput_needed iff FDPUT_FPUT is set
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit ce787a5a074a86f76f5d3fd804fa78e01bfb9e89 ]
+
+We should fput() file iff FDPUT_FPUT is set. So we should set fput_needed
+accordingly.
+
+Fixes: 00e188ef6a7e ("sockfd_lookup_light(): switch to fdget^W^Waway from fget_light")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -485,7 +485,7 @@ static struct socket *sockfd_lookup_ligh
+ if (f.file) {
+ sock = sock_from_file(f.file, err);
+ if (likely(sock)) {
+- *fput_needed = f.flags;
++ *fput_needed = f.flags & FDPUT_FPUT;
+ return sock;
+ }
+ fdput(f);
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST
+From: Ira Weiny <ira.weiny@intel.com>
+Date: Mon, 10 Aug 2020 17:02:58 -0700
+Subject: net/tls: Fix kmap usage
+
+From: Ira Weiny <ira.weiny@intel.com>
+
+[ Upstream commit b06c19d9f827f6743122795570bfc0c72db482b0 ]
+
+When MSG_OOB is specified to tls_device_sendpage() the mapped page is
+never unmapped.
+
+Hold off mapping the page until after the flags are checked and the page
+is actually needed.
+
+Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
+Signed-off-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_device.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -549,7 +549,7 @@ int tls_device_sendpage(struct sock *sk,
+ {
+ struct tls_context *tls_ctx = tls_get_ctx(sk);
+ struct iov_iter msg_iter;
+- char *kaddr = kmap(page);
++ char *kaddr;
+ struct kvec iov;
+ int rc;
+
+@@ -564,6 +564,7 @@ int tls_device_sendpage(struct sock *sk,
+ goto out;
+ }
+
++ kaddr = kmap(page);
+ iov.iov_base = kaddr + offset;
+ iov.iov_len = size;
+ iov_iter_kvec(&msg_iter, WRITE, &iov, 1, size);
sunrpc-fix-sunrpc-add-len-parameter-to-gss_unwrap.patch
x86-fsgsbase-64-fix-null-deref-in-86_fsgsbase_read_t.patch
crypto-aesni-add-compatibility-with-ias.patch
+af_packet-tpacket_v3-fix-fill-status-rwlock-imbalance.patch
+drivers-net-wan-lapbether-added-needed_headroom-and-a-skb-len-check.patch
+net-fix-potential-memory-leak-in-proto_register.patch
+net-nfc-rawsock.c-add-cap_net_raw-check.patch
+net-phy-fix-memory-leak-in-device-create-error-path.patch
+net-set-fput_needed-iff-fdput_fput-is-set.patch
+net-tls-fix-kmap-usage.patch
+tcp-correct-read-of-tfo-keys-on-big-endian-systems.patch
+vmxnet3-use-correct-tcp-hdr-length-when-packet-is-encapsulated.patch
+net-refactor-bind_bucket-fastreuse-into-helper.patch
+net-initialize-fastreuse-on-inet_inherit_port.patch
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST
+From: Jason Baron <jbaron@akamai.com>
+Date: Mon, 10 Aug 2020 13:38:39 -0400
+Subject: tcp: correct read of TFO keys on big endian systems
+
+From: Jason Baron <jbaron@akamai.com>
+
+[ Upstream commit f19008e676366c44e9241af57f331b6c6edf9552 ]
+
+When TFO keys are read back on big endian systems either via the global
+sysctl interface or via getsockopt() using TCP_FASTOPEN_KEY, the values
+don't match what was written.
+
+For example, on s390x:
+
+# echo "1-2-3-4" > /proc/sys/net/ipv4/tcp_fastopen_key
+# cat /proc/sys/net/ipv4/tcp_fastopen_key
+02000000-01000000-04000000-03000000
+
+Instead of:
+
+# cat /proc/sys/net/ipv4/tcp_fastopen_key
+00000001-00000002-00000003-00000004
+
+Fix this by converting to the correct endianness on read. This was
+reported by Colin Ian King when running the 'tcp_fastopen_backup_key' net
+selftest on s390x, which depends on the read value matching what was
+written. I've confirmed that the test now passes on big and little endian
+systems.
+
+Signed-off-by: Jason Baron <jbaron@akamai.com>
+Fixes: 438ac88009bc ("net: fastopen: robustness and endianness fixes for SipHash")
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Eric Dumazet <edumazet@google.com>
+Reported-and-tested-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tcp.h | 2 ++
+ net/ipv4/sysctl_net_ipv4.c | 16 ++++------------
+ net/ipv4/tcp.c | 16 ++++------------
+ net/ipv4/tcp_fastopen.c | 23 +++++++++++++++++++++++
+ 4 files changed, 33 insertions(+), 24 deletions(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1650,6 +1650,8 @@ void tcp_fastopen_destroy_cipher(struct
+ void tcp_fastopen_ctx_destroy(struct net *net);
+ int tcp_fastopen_reset_cipher(struct net *net, struct sock *sk,
+ void *primary_key, void *backup_key);
++int tcp_fastopen_get_cipher(struct net *net, struct inet_connection_sock *icsk,
++ u64 *key);
+ void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb);
+ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,
+ struct request_sock *req,
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -307,24 +307,16 @@ static int proc_tcp_fastopen_key(struct
+ struct ctl_table tbl = { .maxlen = ((TCP_FASTOPEN_KEY_LENGTH *
+ 2 * TCP_FASTOPEN_KEY_MAX) +
+ (TCP_FASTOPEN_KEY_MAX * 5)) };
+- struct tcp_fastopen_context *ctx;
+- u32 user_key[TCP_FASTOPEN_KEY_MAX * 4];
+- __le32 key[TCP_FASTOPEN_KEY_MAX * 4];
++ u32 user_key[TCP_FASTOPEN_KEY_BUF_LENGTH / sizeof(u32)];
++ __le32 key[TCP_FASTOPEN_KEY_BUF_LENGTH / sizeof(__le32)];
+ char *backup_data;
+- int ret, i = 0, off = 0, n_keys = 0;
++ int ret, i = 0, off = 0, n_keys;
+
+ tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL);
+ if (!tbl.data)
+ return -ENOMEM;
+
+- rcu_read_lock();
+- ctx = rcu_dereference(net->ipv4.tcp_fastopen_ctx);
+- if (ctx) {
+- n_keys = tcp_fastopen_context_len(ctx);
+- memcpy(&key[0], &ctx->key[0], TCP_FASTOPEN_KEY_LENGTH * n_keys);
+- }
+- rcu_read_unlock();
+-
++ n_keys = tcp_fastopen_get_cipher(net, NULL, (u64 *)key);
+ if (!n_keys) {
+ memset(&key[0], 0, TCP_FASTOPEN_KEY_LENGTH);
+ n_keys = 1;
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3527,22 +3527,14 @@ static int do_tcp_getsockopt(struct sock
+ return 0;
+
+ case TCP_FASTOPEN_KEY: {
+- __u8 key[TCP_FASTOPEN_KEY_BUF_LENGTH];
+- struct tcp_fastopen_context *ctx;
+- unsigned int key_len = 0;
++ u64 key[TCP_FASTOPEN_KEY_BUF_LENGTH / sizeof(u64)];
++ unsigned int key_len;
+
+ if (get_user(len, optlen))
+ return -EFAULT;
+
+- rcu_read_lock();
+- ctx = rcu_dereference(icsk->icsk_accept_queue.fastopenq.ctx);
+- if (ctx) {
+- key_len = tcp_fastopen_context_len(ctx) *
+- TCP_FASTOPEN_KEY_LENGTH;
+- memcpy(&key[0], &ctx->key[0], key_len);
+- }
+- rcu_read_unlock();
+-
++ key_len = tcp_fastopen_get_cipher(net, icsk, key) *
++ TCP_FASTOPEN_KEY_LENGTH;
+ len = min_t(unsigned int, len, key_len);
+ if (put_user(len, optlen))
+ return -EFAULT;
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -108,6 +108,29 @@ out:
+ return err;
+ }
+
++int tcp_fastopen_get_cipher(struct net *net, struct inet_connection_sock *icsk,
++ u64 *key)
++{
++ struct tcp_fastopen_context *ctx;
++ int n_keys = 0, i;
++
++ rcu_read_lock();
++ if (icsk)
++ ctx = rcu_dereference(icsk->icsk_accept_queue.fastopenq.ctx);
++ else
++ ctx = rcu_dereference(net->ipv4.tcp_fastopen_ctx);
++ if (ctx) {
++ n_keys = tcp_fastopen_context_len(ctx);
++ for (i = 0; i < n_keys; i++) {
++ put_unaligned_le64(ctx->key[i].key[0], key + (i * 2));
++ put_unaligned_le64(ctx->key[i].key[1], key + (i * 2) + 1);
++ }
++ }
++ rcu_read_unlock();
++
++ return n_keys;
++}
++
+ static bool __tcp_fastopen_cookie_gen_cipher(struct request_sock *req,
+ struct sk_buff *syn,
+ const siphash_key_t *key,
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:40:15 AM CEST
+From: Ronak Doshi <doshir@vmware.com>
+Date: Mon, 10 Aug 2020 09:55:55 -0700
+Subject: vmxnet3: use correct tcp hdr length when packet is encapsulated
+
+From: Ronak Doshi <doshir@vmware.com>
+
+[ Upstream commit 8a7f280f29a80f6e0798f5d6e07c5dd8726620fe ]
+
+Commit dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload
+support") added support for encapsulation offload. However, while
+calculating tcp hdr length, it does not take into account if the
+packet is encapsulated or not.
+
+This patch fixes this issue by using correct reference for inner
+tcp header.
+
+Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support")
+Signed-off-by: Ronak Doshi <doshir@vmware.com>
+Acked-by: Guolin Yang <gyang@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -861,7 +861,8 @@ vmxnet3_parse_hdr(struct sk_buff *skb, s
+
+ switch (protocol) {
+ case IPPROTO_TCP:
+- ctx->l4_hdr_size = tcp_hdrlen(skb);
++ ctx->l4_hdr_size = skb->encapsulation ? inner_tcp_hdrlen(skb) :
++ tcp_hdrlen(skb);
+ break;
+ case IPPROTO_UDP:
+ ctx->l4_hdr_size = sizeof(struct udphdr);
projects / thirdparty / kernel / stable-queue.git / commitdiff
