--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:30:09 AM CEST
+From: John Ogness <john.ogness@linutronix.de>
+Date: Thu, 13 Aug 2020 21:45:25 +0206
+Subject: af_packet: TPACKET_V3: fix fill status rwlock imbalance
+
+From: John Ogness <john.ogness@linutronix.de>
+
+[ Upstream commit 88fd1cb80daa20af063bce81e1fad14e945a8dc4 ]
+
+After @blk_fill_in_prog_lock is acquired there is an early out vnet
+situation that can occur. In that case, the rwlock needs to be
+released.
+
+Also, since @blk_fill_in_prog_lock is only acquired when @tp_version
+is exactly TPACKET_V3, only release it on that exact condition as
+well.
+
+And finally, add sparse annotation so that it is clearer that
+prb_fill_curr_block() and prb_clear_blk_fill_status() are acquiring
+and releasing @blk_fill_in_prog_lock, respectively. sparse is still
+unable to understand the balance, but the warnings are now on a
+higher level that make more sense.
+
+Fixes: 632ca50f2cbd ("af_packet: TPACKET_V3: replace busy-wait loop")
+Signed-off-by: John Ogness <john.ogness@linutronix.de>
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -942,6 +942,7 @@ static int prb_queue_frozen(struct tpack
+ }
+
+ static void prb_clear_blk_fill_status(struct packet_ring_buffer *rb)
++ __releases(&pkc->blk_fill_in_prog_lock)
+ {
+ struct tpacket_kbdq_core *pkc = GET_PBDQC_FROM_RB(rb);
+ atomic_dec(&pkc->blk_fill_in_prog);
+@@ -989,6 +990,7 @@ static void prb_fill_curr_block(char *cu
+ struct tpacket_kbdq_core *pkc,
+ struct tpacket_block_desc *pbd,
+ unsigned int len)
++ __acquires(&pkc->blk_fill_in_prog_lock)
+ {
+ struct tpacket3_hdr *ppd;
+
+@@ -2286,8 +2288,11 @@ static int tpacket_rcv(struct sk_buff *s
+ if (do_vnet &&
+ virtio_net_hdr_from_skb(skb, h.raw + macoff -
+ sizeof(struct virtio_net_hdr),
+- vio_le(), true, 0))
++ vio_le(), true, 0)) {
++ if (po->tp_version == TPACKET_V3)
++ prb_clear_blk_fill_status(&po->rx_ring);
+ goto drop_n_account;
++ }
+
+ if (po->tp_version <= TPACKET_V2) {
+ packet_increment_rx_head(po, &po->rx_ring);
+@@ -2393,7 +2398,7 @@ static int tpacket_rcv(struct sk_buff *s
+ __clear_bit(slot_id, po->rx_ring.rx_owner_map);
+ spin_unlock(&sk->sk_receive_queue.lock);
+ sk->sk_data_ready(sk);
+- } else {
++ } else if (po->tp_version == TPACKET_V3) {
+ prb_clear_blk_fill_status(&po->rx_ring);
+ }
+
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:30:09 AM CEST
+From: Xie He <xie.he.0141@gmail.com>
+Date: Wed, 5 Aug 2020 18:50:40 -0700
+Subject: drivers/net/wan/lapbether: Added needed_headroom and a skb->len check
+
+From: Xie He <xie.he.0141@gmail.com>
+
+[ Upstream commit c7ca03c216acb14466a713fedf1b9f2c24994ef2 ]
+
+1. Added a skb->len check
+
+This driver expects upper layers to include a pseudo header of 1 byte
+when passing down a skb for transmission. This driver will read this
+1-byte header. This patch added a skb->len check before reading the
+header to make sure the header exists.
+
+2. Changed to use needed_headroom instead of hard_header_len to request
+necessary headroom to be allocated
+
+In net/packet/af_packet.c, the function packet_snd first reserves a
+headroom of length (dev->hard_header_len + dev->needed_headroom).
+Then if the socket is a SOCK_DGRAM socket, it calls dev_hard_header,
+which calls dev->header_ops->create, to create the link layer header.
+If the socket is a SOCK_RAW socket, it "un-reserves" a headroom of
+length (dev->hard_header_len), and assumes the user to provide the
+appropriate link layer header.
+
+So according to the logic of af_packet.c, dev->hard_header_len should
+be the length of the header that would be created by
+dev->header_ops->create.
+
+However, this driver doesn't provide dev->header_ops, so logically
+dev->hard_header_len should be 0.
+
+So we should use dev->needed_headroom instead of dev->hard_header_len
+to request necessary headroom to be allocated.
+
+This change fixes kernel panic when this driver is used with AF_PACKET
+SOCK_RAW sockets.
+
+Call stack when panic:
+
+[ 168.399197] skbuff: skb_under_panic: text:ffffffff819d95fb len:20
+put:14 head:ffff8882704c0a00 data:ffff8882704c09fd tail:0x11 end:0xc0
+dev:veth0
+...
+[ 168.399255] Call Trace:
+[ 168.399259] skb_push.cold+0x14/0x24
+[ 168.399262] eth_header+0x2b/0xc0
+[ 168.399267] lapbeth_data_transmit+0x9a/0xb0 [lapbether]
+[ 168.399275] lapb_data_transmit+0x22/0x2c [lapb]
+[ 168.399277] lapb_transmit_buffer+0x71/0xb0 [lapb]
+[ 168.399279] lapb_kick+0xe3/0x1c0 [lapb]
+[ 168.399281] lapb_data_request+0x76/0xc0 [lapb]
+[ 168.399283] lapbeth_xmit+0x56/0x90 [lapbether]
+[ 168.399286] dev_hard_start_xmit+0x91/0x1f0
+[ 168.399289] ? irq_init_percpu_irqstack+0xc0/0x100
+[ 168.399291] __dev_queue_xmit+0x721/0x8e0
+[ 168.399295] ? packet_parse_headers.isra.0+0xd2/0x110
+[ 168.399297] dev_queue_xmit+0x10/0x20
+[ 168.399298] packet_sendmsg+0xbf0/0x19b0
+......
+
+Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+Cc: Martin Schiller <ms@dev.tdt.de>
+Cc: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Xie He <xie.he.0141@gmail.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/lapbether.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wan/lapbether.c
++++ b/drivers/net/wan/lapbether.c
+@@ -157,6 +157,12 @@ static netdev_tx_t lapbeth_xmit(struct s
+ if (!netif_running(dev))
+ goto drop;
+
++ /* There should be a pseudo header of 1 byte added by upper layers.
++ * Check to make sure it is there before reading it.
++ */
++ if (skb->len < 1)
++ goto drop;
++
+ switch (skb->data[0]) {
+ case X25_IFACE_DATA:
+ break;
+@@ -305,6 +311,7 @@ static void lapbeth_setup(struct net_dev
+ dev->netdev_ops = &lapbeth_netdev_ops;
+ dev->needs_free_netdev = true;
+ dev->type = ARPHRD_X25;
++ dev->hard_header_len = 0;
+ dev->mtu = 1000;
+ dev->addr_len = 0;
+ }
+@@ -331,7 +338,8 @@ static int lapbeth_new_device(struct net
+ * then this driver prepends a length field of 2 bytes,
+ * then the underlying Ethernet device prepends its own header.
+ */
+- ndev->hard_header_len = -1 + 3 + 2 + dev->hard_header_len;
++ ndev->needed_headroom = -1 + 3 + 2 + dev->hard_header_len
++ + dev->needed_headroom;
+
+ lapbeth = netdev_priv(ndev);
+ lapbeth->axdev = ndev;
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:30:09 AM CEST
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 14 Aug 2020 15:56:34 +0200
+Subject: mptcp: sendmsg: reset iter on error
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 35759383133f64d90eba120a0d3efe8f71241650 ]
+
+Once we've copied data from the iterator we need to revert in case we
+end up not sending any data.
+
+This bug doesn't trigger with normal 'poll' based tests, because
+we only feed a small chunk of data to kernel after poll indicated
+POLLOUT. With blocking IO and large writes this triggers. Receiver
+ends up with less data than it should get.
+
+Fixes: 72511aab95c94d ("mptcp: avoid blocking in tcp_sendpages")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -605,8 +605,10 @@ static int mptcp_sendmsg_frag(struct soc
+ if (!psize)
+ return -EINVAL;
+
+- if (!sk_wmem_schedule(sk, psize + dfrag->overhead))
++ if (!sk_wmem_schedule(sk, psize + dfrag->overhead)) {
++ iov_iter_revert(&msg->msg_iter, psize);
+ return -ENOMEM;
++ }
+ } else {
+ offset = dfrag->offset;
+ psize = min_t(size_t, dfrag->data_len, avail_size);
+@@ -617,8 +619,10 @@ static int mptcp_sendmsg_frag(struct soc
+ */
+ ret = do_tcp_sendpages(ssk, page, offset, psize,
+ msg->msg_flags | MSG_SENDPAGE_NOTLAST | MSG_DONTWAIT);
+- if (ret <= 0)
++ if (ret <= 0) {
++ iov_iter_revert(&msg->msg_iter, psize);
+ return ret;
++ }
+
+ frag_truesize += ret;
+ if (!retransmission) {
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:30:09 AM CEST
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Mon, 10 Aug 2020 08:16:58 -0400
+Subject: net: Fix potential memory leak in proto_register()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit 0f5907af39137f8183ed536aaa00f322d7365130 ]
+
+If we failed to assign proto idx, we free the twsk_slab_name but forget to
+free the twsk_slab. Add a helper function tw_prot_cleanup() to free these
+together and also use this helper function in proto_unregister().
+
+Fixes: b45ce32135d1 ("sock: fix potential memory leak in proto_register()")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/sock.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -3443,6 +3443,16 @@ static void sock_inuse_add(struct net *n
+ }
+ #endif
+
++static void tw_prot_cleanup(struct timewait_sock_ops *twsk_prot)
++{
++ if (!twsk_prot)
++ return;
++ kfree(twsk_prot->twsk_slab_name);
++ twsk_prot->twsk_slab_name = NULL;
++ kmem_cache_destroy(twsk_prot->twsk_slab);
++ twsk_prot->twsk_slab = NULL;
++}
++
+ static void req_prot_cleanup(struct request_sock_ops *rsk_prot)
+ {
+ if (!rsk_prot)
+@@ -3513,7 +3523,7 @@ int proto_register(struct proto *prot, i
+ prot->slab_flags,
+ NULL);
+ if (prot->twsk_prot->twsk_slab == NULL)
+- goto out_free_timewait_sock_slab_name;
++ goto out_free_timewait_sock_slab;
+ }
+ }
+
+@@ -3521,15 +3531,15 @@ int proto_register(struct proto *prot, i
+ ret = assign_proto_idx(prot);
+ if (ret) {
+ mutex_unlock(&proto_list_mutex);
+- goto out_free_timewait_sock_slab_name;
++ goto out_free_timewait_sock_slab;
+ }
+ list_add(&prot->node, &proto_list);
+ mutex_unlock(&proto_list_mutex);
+ return ret;
+
+-out_free_timewait_sock_slab_name:
++out_free_timewait_sock_slab:
+ if (alloc_slab && prot->twsk_prot)
+- kfree(prot->twsk_prot->twsk_slab_name);
++ tw_prot_cleanup(prot->twsk_prot);
+ out_free_request_sock_slab:
+ if (alloc_slab) {
+ req_prot_cleanup(prot->rsk_prot);
+@@ -3553,12 +3563,7 @@ void proto_unregister(struct proto *prot
+ prot->slab = NULL;
+
+ req_prot_cleanup(prot->rsk_prot);
+-
+- if (prot->twsk_prot != NULL && prot->twsk_prot->twsk_slab != NULL) {
+- kmem_cache_destroy(prot->twsk_prot->twsk_slab);
+- kfree(prot->twsk_prot->twsk_slab_name);
+- prot->twsk_prot->twsk_slab = NULL;
+- }
++ tw_prot_cleanup(prot->twsk_prot);
+ }
+ EXPORT_SYMBOL(proto_unregister);
+
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:30:09 AM CEST
+From: Tim Froidcoeur <tim.froidcoeur@tessares.net>
+Date: Tue, 11 Aug 2020 20:33:24 +0200
+Subject: net: initialize fastreuse on inet_inherit_port
+
+From: Tim Froidcoeur <tim.froidcoeur@tessares.net>
+
+[ Upstream commit d76f3351cea2d927fdf70dd7c06898235035e84e ]
+
+In the case of TPROXY, bind_conflict optimizations for SO_REUSEADDR or
+SO_REUSEPORT are broken, possibly resulting in O(n) instead of O(1) bind
+behaviour or in the incorrect reuse of a bind.
+
+the kernel keeps track for each bind_bucket if all sockets in the
+bind_bucket support SO_REUSEADDR or SO_REUSEPORT in two fastreuse flags.
+These flags allow skipping the costly bind_conflict check when possible
+(meaning when all sockets have the proper SO_REUSE option).
+
+For every socket added to a bind_bucket, these flags need to be updated.
+As soon as a socket that does not support reuse is added, the flag is
+set to false and will never go back to true, unless the bind_bucket is
+deleted.
+
+Note that there is no mechanism to re-evaluate these flags when a socket
+is removed (this might make sense when removing a socket that would not
+allow reuse; this leaves room for a future patch).
+
+For this optimization to work, it is mandatory that these flags are
+properly initialized and updated.
+
+When a child socket is created from a listen socket in
+__inet_inherit_port, the TPROXY case could create a new bind bucket
+without properly initializing these flags, thus preventing the
+optimization to work. Alternatively, a socket not allowing reuse could
+be added to an existing bind bucket without updating the flags, causing
+bind_conflict to never be called as it should.
+
+Call inet_csk_update_fastreuse when __inet_inherit_port decides to create
+a new bind_bucket or use a different bind_bucket than the one of the
+listen socket.
+
+Fixes: 093d282321da ("tproxy: fix hash locking issue when using port redirection in __inet_inherit_port()")
+Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Tim Froidcoeur <tim.froidcoeur@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/inet_hashtables.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -163,6 +163,7 @@ int __inet_inherit_port(const struct soc
+ return -ENOMEM;
+ }
+ }
++ inet_csk_update_fastreuse(tb, child);
+ }
+ inet_bind_hash(child, tb, port);
+ spin_unlock(&head->lock);
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:30:09 AM CEST
+From: Qingyu Li <ieatmuttonchuan@gmail.com>
+Date: Mon, 10 Aug 2020 09:51:00 +0800
+Subject: net/nfc/rawsock.c: add CAP_NET_RAW check.
+
+From: Qingyu Li <ieatmuttonchuan@gmail.com>
+
+[ Upstream commit 26896f01467a28651f7a536143fe5ac8449d4041 ]
+
+When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first.
+
+Signed-off-by: Qingyu Li <ieatmuttonchuan@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/rawsock.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/rawsock.c
++++ b/net/nfc/rawsock.c
+@@ -332,10 +332,13 @@ static int rawsock_create(struct net *ne
+ if ((sock->type != SOCK_SEQPACKET) && (sock->type != SOCK_RAW))
+ return -ESOCKTNOSUPPORT;
+
+- if (sock->type == SOCK_RAW)
++ if (sock->type == SOCK_RAW) {
++ if (!capable(CAP_NET_RAW))
++ return -EPERM;
+ sock->ops = &rawsock_raw_ops;
+- else
++ } else {
+ sock->ops = &rawsock_ops;
++ }
+
+ sk = sk_alloc(net, PF_NFC, GFP_ATOMIC, nfc_proto->proto, kern);
+ if (!sk)
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:30:09 AM CEST
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 6 Aug 2020 17:37:53 +0200
+Subject: net: phy: fix memory leak in device-create error path
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit d02cbc46136105cf86f84ac355e16f04696f538d ]
+
+A recent commit introduced a late error path in phy_device_create()
+which fails to release the device name allocated by dev_set_name().
+
+Fixes: 13d0ab6750b2 ("net: phy: check return code when requesting PHY driver module")
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phy_device.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -616,7 +616,9 @@ struct phy_device *phy_device_create(str
+ if (c45_ids)
+ dev->c45_ids = *c45_ids;
+ dev->irq = bus->irq[addr];
++
+ dev_set_name(&mdiodev->dev, PHY_ID_FMT, bus->id, addr);
++ device_initialize(&mdiodev->dev);
+
+ dev->state = PHY_DOWN;
+
+@@ -650,10 +652,8 @@ struct phy_device *phy_device_create(str
+ ret = phy_request_driver_module(dev, phy_id);
+ }
+
+- if (!ret) {
+- device_initialize(&mdiodev->dev);
+- } else {
+- kfree(dev);
++ if (ret) {
++ put_device(&mdiodev->dev);
+ dev = ERR_PTR(ret);
+ }
+
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:30:09 AM CEST
+From: "Marek Behún" <marek.behun@nic.cz>
+Date: Mon, 10 Aug 2020 17:01:58 +0200
+Subject: net: phy: marvell10g: fix null pointer dereference
+
+From: "Marek Behún" <marek.behun@nic.cz>
+
+[ Upstream commit 1b8ef1423dbfd34de2439a2db457b84480b7c8a8 ]
+
+Commit c3e302edca24 ("net: phy: marvell10g: fix temperature sensor on 2110")
+added a check for PHY ID via phydev->drv->phy_id in a function which is
+called by devres at a time when phydev->drv is already set to null by
+phy_remove function.
+
+This null pointer dereference can be triggered via SFP subsystem with a
+SFP module containing this Marvell PHY. When the SFP interface is put
+down, the SFP subsystem removes the PHY.
+
+Fixes: c3e302edca24 ("net: phy: marvell10g: fix temperature sensor on 2110")
+Signed-off-by: Marek Behún <marek.behun@nic.cz>
+Cc: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Cc: Andrew Lunn <andrew@lunn.ch>
+Cc: Baruch Siach <baruch@tkos.co.il>
+Cc: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/marvell10g.c | 18 +++++++-----------
+ 1 file changed, 7 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/phy/marvell10g.c
++++ b/drivers/net/phy/marvell10g.c
+@@ -205,13 +205,6 @@ static int mv3310_hwmon_config(struct ph
+ MV_V2_TEMP_CTRL_MASK, val);
+ }
+
+-static void mv3310_hwmon_disable(void *data)
+-{
+- struct phy_device *phydev = data;
+-
+- mv3310_hwmon_config(phydev, false);
+-}
+-
+ static int mv3310_hwmon_probe(struct phy_device *phydev)
+ {
+ struct device *dev = &phydev->mdio.dev;
+@@ -235,10 +228,6 @@ static int mv3310_hwmon_probe(struct phy
+ if (ret)
+ return ret;
+
+- ret = devm_add_action_or_reset(dev, mv3310_hwmon_disable, phydev);
+- if (ret)
+- return ret;
+-
+ priv->hwmon_dev = devm_hwmon_device_register_with_info(dev,
+ priv->hwmon_name, phydev,
+ &mv3310_hwmon_chip_info, NULL);
+@@ -423,6 +412,11 @@ static int mv3310_probe(struct phy_devic
+ return phy_sfp_probe(phydev, &mv3310_sfp_ops);
+ }
+
++static void mv3310_remove(struct phy_device *phydev)
++{
++ mv3310_hwmon_config(phydev, false);
++}
++
+ static int mv3310_suspend(struct phy_device *phydev)
+ {
+ return mv3310_power_down(phydev);
+@@ -762,6 +756,7 @@ static struct phy_driver mv3310_drivers[
+ .read_status = mv3310_read_status,
+ .get_tunable = mv3310_get_tunable,
+ .set_tunable = mv3310_set_tunable,
++ .remove = mv3310_remove,
+ },
+ {
+ .phy_id = MARVELL_PHY_ID_88E2110,
+@@ -776,6 +771,7 @@ static struct phy_driver mv3310_drivers[
+ .read_status = mv3310_read_status,
+ .get_tunable = mv3310_get_tunable,
+ .set_tunable = mv3310_set_tunable,
++ .remove = mv3310_remove,
+ },
+ };
+
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:30:09 AM CEST
+From: Tim Froidcoeur <tim.froidcoeur@tessares.net>
+Date: Tue, 11 Aug 2020 20:33:23 +0200
+Subject: net: refactor bind_bucket fastreuse into helper
+
+From: Tim Froidcoeur <tim.froidcoeur@tessares.net>
+
+[ Upstream commit 62ffc589abb176821662efc4525ee4ac0b9c3894 ]
+
+Refactor the fastreuse update code in inet_csk_get_port into a small
+helper function that can be called from other places.
+
+Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Tim Froidcoeur <tim.froidcoeur@tessares.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/inet_connection_sock.h | 4 +
+ net/ipv4/inet_connection_sock.c | 97 ++++++++++++++++++++-----------------
+ 2 files changed, 57 insertions(+), 44 deletions(-)
+
+--- a/include/net/inet_connection_sock.h
++++ b/include/net/inet_connection_sock.h
+@@ -316,6 +316,10 @@ int inet_csk_compat_getsockopt(struct so
+ int inet_csk_compat_setsockopt(struct sock *sk, int level, int optname,
+ char __user *optval, unsigned int optlen);
+
++/* update the fast reuse flag when adding a socket */
++void inet_csk_update_fastreuse(struct inet_bind_bucket *tb,
++ struct sock *sk);
++
+ struct dst_entry *inet_csk_update_pmtu(struct sock *sk, u32 mtu);
+
+ #define TCP_PINGPONG_THRESH 3
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -296,6 +296,57 @@ static inline int sk_reuseport_match(str
+ ipv6_only_sock(sk), true, false);
+ }
+
++void inet_csk_update_fastreuse(struct inet_bind_bucket *tb,
++ struct sock *sk)
++{
++ kuid_t uid = sock_i_uid(sk);
++ bool reuse = sk->sk_reuse && sk->sk_state != TCP_LISTEN;
++
++ if (hlist_empty(&tb->owners)) {
++ tb->fastreuse = reuse;
++ if (sk->sk_reuseport) {
++ tb->fastreuseport = FASTREUSEPORT_ANY;
++ tb->fastuid = uid;
++ tb->fast_rcv_saddr = sk->sk_rcv_saddr;
++ tb->fast_ipv6_only = ipv6_only_sock(sk);
++ tb->fast_sk_family = sk->sk_family;
++#if IS_ENABLED(CONFIG_IPV6)
++ tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr;
++#endif
++ } else {
++ tb->fastreuseport = 0;
++ }
++ } else {
++ if (!reuse)
++ tb->fastreuse = 0;
++ if (sk->sk_reuseport) {
++ /* We didn't match or we don't have fastreuseport set on
++ * the tb, but we have sk_reuseport set on this socket
++ * and we know that there are no bind conflicts with
++ * this socket in this tb, so reset our tb's reuseport
++ * settings so that any subsequent sockets that match
++ * our current socket will be put on the fast path.
++ *
++ * If we reset we need to set FASTREUSEPORT_STRICT so we
++ * do extra checking for all subsequent sk_reuseport
++ * socks.
++ */
++ if (!sk_reuseport_match(tb, sk)) {
++ tb->fastreuseport = FASTREUSEPORT_STRICT;
++ tb->fastuid = uid;
++ tb->fast_rcv_saddr = sk->sk_rcv_saddr;
++ tb->fast_ipv6_only = ipv6_only_sock(sk);
++ tb->fast_sk_family = sk->sk_family;
++#if IS_ENABLED(CONFIG_IPV6)
++ tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr;
++#endif
++ }
++ } else {
++ tb->fastreuseport = 0;
++ }
++ }
++}
++
+ /* Obtain a reference to a local port for the given sock,
+ * if snum is zero it means select any available local port.
+ * We try to allocate an odd port (and leave even ports for connect())
+@@ -308,7 +359,6 @@ int inet_csk_get_port(struct sock *sk, u
+ struct inet_bind_hashbucket *head;
+ struct net *net = sock_net(sk);
+ struct inet_bind_bucket *tb = NULL;
+- kuid_t uid = sock_i_uid(sk);
+ int l3mdev;
+
+ l3mdev = inet_sk_bound_l3mdev(sk);
+@@ -345,49 +395,8 @@ tb_found:
+ goto fail_unlock;
+ }
+ success:
+- if (hlist_empty(&tb->owners)) {
+- tb->fastreuse = reuse;
+- if (sk->sk_reuseport) {
+- tb->fastreuseport = FASTREUSEPORT_ANY;
+- tb->fastuid = uid;
+- tb->fast_rcv_saddr = sk->sk_rcv_saddr;
+- tb->fast_ipv6_only = ipv6_only_sock(sk);
+- tb->fast_sk_family = sk->sk_family;
+-#if IS_ENABLED(CONFIG_IPV6)
+- tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr;
+-#endif
+- } else {
+- tb->fastreuseport = 0;
+- }
+- } else {
+- if (!reuse)
+- tb->fastreuse = 0;
+- if (sk->sk_reuseport) {
+- /* We didn't match or we don't have fastreuseport set on
+- * the tb, but we have sk_reuseport set on this socket
+- * and we know that there are no bind conflicts with
+- * this socket in this tb, so reset our tb's reuseport
+- * settings so that any subsequent sockets that match
+- * our current socket will be put on the fast path.
+- *
+- * If we reset we need to set FASTREUSEPORT_STRICT so we
+- * do extra checking for all subsequent sk_reuseport
+- * socks.
+- */
+- if (!sk_reuseport_match(tb, sk)) {
+- tb->fastreuseport = FASTREUSEPORT_STRICT;
+- tb->fastuid = uid;
+- tb->fast_rcv_saddr = sk->sk_rcv_saddr;
+- tb->fast_ipv6_only = ipv6_only_sock(sk);
+- tb->fast_sk_family = sk->sk_family;
+-#if IS_ENABLED(CONFIG_IPV6)
+- tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr;
+-#endif
+- }
+- } else {
+- tb->fastreuseport = 0;
+- }
+- }
++ inet_csk_update_fastreuse(tb, sk);
++
+ if (!inet_csk(sk)->icsk_bind_hash)
+ inet_bind_hash(sk, tb, port);
+ WARN_ON(inet_csk(sk)->icsk_bind_hash != tb);
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:30:09 AM CEST
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Thu, 6 Aug 2020 19:53:16 +0800
+Subject: net: Set fput_needed iff FDPUT_FPUT is set
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit ce787a5a074a86f76f5d3fd804fa78e01bfb9e89 ]
+
+We should fput() file iff FDPUT_FPUT is set. So we should set fput_needed
+accordingly.
+
+Fixes: 00e188ef6a7e ("sockfd_lookup_light(): switch to fdget^W^Waway from fget_light")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -500,7 +500,7 @@ static struct socket *sockfd_lookup_ligh
+ if (f.file) {
+ sock = sock_from_file(f.file, err);
+ if (likely(sock)) {
+- *fput_needed = f.flags;
++ *fput_needed = f.flags & FDPUT_FPUT;
+ return sock;
+ }
+ fdput(f);
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:30:09 AM CEST
+From: Ira Weiny <ira.weiny@intel.com>
+Date: Mon, 10 Aug 2020 17:02:58 -0700
+Subject: net/tls: Fix kmap usage
+
+From: Ira Weiny <ira.weiny@intel.com>
+
+[ Upstream commit b06c19d9f827f6743122795570bfc0c72db482b0 ]
+
+When MSG_OOB is specified to tls_device_sendpage() the mapped page is
+never unmapped.
+
+Hold off mapping the page until after the flags are checked and the page
+is actually needed.
+
+Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
+Signed-off-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_device.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -561,7 +561,7 @@ int tls_device_sendpage(struct sock *sk,
+ {
+ struct tls_context *tls_ctx = tls_get_ctx(sk);
+ struct iov_iter msg_iter;
+- char *kaddr = kmap(page);
++ char *kaddr;
+ struct kvec iov;
+ int rc;
+
+@@ -576,6 +576,7 @@ int tls_device_sendpage(struct sock *sk,
+ goto out;
+ }
+
++ kaddr = kmap(page);
+ iov.iov_base = kaddr + offset;
+ iov.iov_len = size;
+ iov_iter_kvec(&msg_iter, WRITE, &iov, 1, size);
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:30:09 AM CEST
+From: Thierry Reding <treding@nvidia.com>
+Date: Fri, 7 Aug 2020 09:36:32 +0200
+Subject: r8152: Use MAC address from correct device tree node
+
+From: Thierry Reding <treding@nvidia.com>
+
+[ Upstream commit b9b40ee4db6cb186341b97bca4f0d7aa2a042a66 ]
+
+Query the USB device's device tree node when looking for a MAC address.
+The struct device embedded into the struct net_device does not have a
+device tree node attached at all.
+
+The reason why this went unnoticed is because the system where this was
+tested was one of the few development units that had its OTP programmed,
+as opposed to production systems where the MAC address is stored in a
+separate EEPROM and is passed via device tree by the firmware.
+
+Reported-by: EJ Hsu <ejh@nvidia.com>
+Fixes: acb6d3771a03 ("r8152: Use MAC address from device tree if available")
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Reviewed-by: EJ Hsu <ejh@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/r8152.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -1504,7 +1504,7 @@ static int determine_ethernet_addr(struc
+
+ sa->sa_family = dev->type;
+
+- ret = eth_platform_get_mac_address(&dev->dev, sa->sa_data);
++ ret = eth_platform_get_mac_address(&tp->udev->dev, sa->sa_data);
+ if (ret < 0) {
+ if (tp->version == RTL_VER_01) {
+ ret = pla_ocp_read(tp, PLA_IDR, 8, sa->sa_data);
sunrpc-fix-sunrpc-add-len-parameter-to-gss_unwrap.patch
x86-fsgsbase-64-fix-null-deref-in-86_fsgsbase_read_t.patch
crypto-aesni-add-compatibility-with-ias.patch
+af_packet-tpacket_v3-fix-fill-status-rwlock-imbalance.patch
+drivers-net-wan-lapbether-added-needed_headroom-and-a-skb-len-check.patch
+net-fix-potential-memory-leak-in-proto_register.patch
+net-nfc-rawsock.c-add-cap_net_raw-check.patch
+net-phy-fix-memory-leak-in-device-create-error-path.patch
+net-set-fput_needed-iff-fdput_fput-is-set.patch
+net-tls-fix-kmap-usage.patch
+tcp-correct-read-of-tfo-keys-on-big-endian-systems.patch
+vmxnet3-use-correct-tcp-hdr-length-when-packet-is-encapsulated.patch
+net-refactor-bind_bucket-fastreuse-into-helper.patch
+net-initialize-fastreuse-on-inet_inherit_port.patch
+vsock-fix-potential-null-pointer-dereference-in-vsock_poll.patch
+net-phy-marvell10g-fix-null-pointer-dereference.patch
+mptcp-sendmsg-reset-iter-on-error.patch
+r8152-use-mac-address-from-correct-device-tree-node.patch
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:30:09 AM CEST
+From: Jason Baron <jbaron@akamai.com>
+Date: Mon, 10 Aug 2020 13:38:39 -0400
+Subject: tcp: correct read of TFO keys on big endian systems
+
+From: Jason Baron <jbaron@akamai.com>
+
+[ Upstream commit f19008e676366c44e9241af57f331b6c6edf9552 ]
+
+When TFO keys are read back on big endian systems either via the global
+sysctl interface or via getsockopt() using TCP_FASTOPEN_KEY, the values
+don't match what was written.
+
+For example, on s390x:
+
+# echo "1-2-3-4" > /proc/sys/net/ipv4/tcp_fastopen_key
+# cat /proc/sys/net/ipv4/tcp_fastopen_key
+02000000-01000000-04000000-03000000
+
+Instead of:
+
+# cat /proc/sys/net/ipv4/tcp_fastopen_key
+00000001-00000002-00000003-00000004
+
+Fix this by converting to the correct endianness on read. This was
+reported by Colin Ian King when running the 'tcp_fastopen_backup_key' net
+selftest on s390x, which depends on the read value matching what was
+written. I've confirmed that the test now passes on big and little endian
+systems.
+
+Signed-off-by: Jason Baron <jbaron@akamai.com>
+Fixes: 438ac88009bc ("net: fastopen: robustness and endianness fixes for SipHash")
+Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Eric Dumazet <edumazet@google.com>
+Reported-and-tested-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tcp.h | 2 ++
+ net/ipv4/sysctl_net_ipv4.c | 16 ++++------------
+ net/ipv4/tcp.c | 16 ++++------------
+ net/ipv4/tcp_fastopen.c | 23 +++++++++++++++++++++++
+ 4 files changed, 33 insertions(+), 24 deletions(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1664,6 +1664,8 @@ void tcp_fastopen_destroy_cipher(struct
+ void tcp_fastopen_ctx_destroy(struct net *net);
+ int tcp_fastopen_reset_cipher(struct net *net, struct sock *sk,
+ void *primary_key, void *backup_key);
++int tcp_fastopen_get_cipher(struct net *net, struct inet_connection_sock *icsk,
++ u64 *key);
+ void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb);
+ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,
+ struct request_sock *req,
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -301,24 +301,16 @@ static int proc_tcp_fastopen_key(struct
+ struct ctl_table tbl = { .maxlen = ((TCP_FASTOPEN_KEY_LENGTH *
+ 2 * TCP_FASTOPEN_KEY_MAX) +
+ (TCP_FASTOPEN_KEY_MAX * 5)) };
+- struct tcp_fastopen_context *ctx;
+- u32 user_key[TCP_FASTOPEN_KEY_MAX * 4];
+- __le32 key[TCP_FASTOPEN_KEY_MAX * 4];
++ u32 user_key[TCP_FASTOPEN_KEY_BUF_LENGTH / sizeof(u32)];
++ __le32 key[TCP_FASTOPEN_KEY_BUF_LENGTH / sizeof(__le32)];
+ char *backup_data;
+- int ret, i = 0, off = 0, n_keys = 0;
++ int ret, i = 0, off = 0, n_keys;
+
+ tbl.data = kmalloc(tbl.maxlen, GFP_KERNEL);
+ if (!tbl.data)
+ return -ENOMEM;
+
+- rcu_read_lock();
+- ctx = rcu_dereference(net->ipv4.tcp_fastopen_ctx);
+- if (ctx) {
+- n_keys = tcp_fastopen_context_len(ctx);
+- memcpy(&key[0], &ctx->key[0], TCP_FASTOPEN_KEY_LENGTH * n_keys);
+- }
+- rcu_read_unlock();
+-
++ n_keys = tcp_fastopen_get_cipher(net, NULL, (u64 *)key);
+ if (!n_keys) {
+ memset(&key[0], 0, TCP_FASTOPEN_KEY_LENGTH);
+ n_keys = 1;
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3694,22 +3694,14 @@ static int do_tcp_getsockopt(struct sock
+ return 0;
+
+ case TCP_FASTOPEN_KEY: {
+- __u8 key[TCP_FASTOPEN_KEY_BUF_LENGTH];
+- struct tcp_fastopen_context *ctx;
+- unsigned int key_len = 0;
++ u64 key[TCP_FASTOPEN_KEY_BUF_LENGTH / sizeof(u64)];
++ unsigned int key_len;
+
+ if (get_user(len, optlen))
+ return -EFAULT;
+
+- rcu_read_lock();
+- ctx = rcu_dereference(icsk->icsk_accept_queue.fastopenq.ctx);
+- if (ctx) {
+- key_len = tcp_fastopen_context_len(ctx) *
+- TCP_FASTOPEN_KEY_LENGTH;
+- memcpy(&key[0], &ctx->key[0], key_len);
+- }
+- rcu_read_unlock();
+-
++ key_len = tcp_fastopen_get_cipher(net, icsk, key) *
++ TCP_FASTOPEN_KEY_LENGTH;
+ len = min_t(unsigned int, len, key_len);
+ if (put_user(len, optlen))
+ return -EFAULT;
+--- a/net/ipv4/tcp_fastopen.c
++++ b/net/ipv4/tcp_fastopen.c
+@@ -108,6 +108,29 @@ out:
+ return err;
+ }
+
++int tcp_fastopen_get_cipher(struct net *net, struct inet_connection_sock *icsk,
++ u64 *key)
++{
++ struct tcp_fastopen_context *ctx;
++ int n_keys = 0, i;
++
++ rcu_read_lock();
++ if (icsk)
++ ctx = rcu_dereference(icsk->icsk_accept_queue.fastopenq.ctx);
++ else
++ ctx = rcu_dereference(net->ipv4.tcp_fastopen_ctx);
++ if (ctx) {
++ n_keys = tcp_fastopen_context_len(ctx);
++ for (i = 0; i < n_keys; i++) {
++ put_unaligned_le64(ctx->key[i].key[0], key + (i * 2));
++ put_unaligned_le64(ctx->key[i].key[1], key + (i * 2) + 1);
++ }
++ }
++ rcu_read_unlock();
++
++ return n_keys;
++}
++
+ static bool __tcp_fastopen_cookie_gen_cipher(struct request_sock *req,
+ struct sk_buff *syn,
+ const siphash_key_t *key,
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:30:09 AM CEST
+From: Ronak Doshi <doshir@vmware.com>
+Date: Mon, 10 Aug 2020 09:55:55 -0700
+Subject: vmxnet3: use correct tcp hdr length when packet is encapsulated
+
+From: Ronak Doshi <doshir@vmware.com>
+
+[ Upstream commit 8a7f280f29a80f6e0798f5d6e07c5dd8726620fe ]
+
+Commit dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload
+support") added support for encapsulation offload. However, while
+calculating tcp hdr length, it does not take into account if the
+packet is encapsulated or not.
+
+This patch fixes this issue by using correct reference for inner
+tcp header.
+
+Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support")
+Signed-off-by: Ronak Doshi <doshir@vmware.com>
+Acked-by: Guolin Yang <gyang@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -886,7 +886,8 @@ vmxnet3_parse_hdr(struct sk_buff *skb, s
+
+ switch (protocol) {
+ case IPPROTO_TCP:
+- ctx->l4_hdr_size = tcp_hdrlen(skb);
++ ctx->l4_hdr_size = skb->encapsulation ? inner_tcp_hdrlen(skb) :
++ tcp_hdrlen(skb);
+ break;
+ case IPPROTO_UDP:
+ ctx->l4_hdr_size = sizeof(struct udphdr);
--- /dev/null
+From foo@baz Mon 17 Aug 2020 11:30:09 AM CEST
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Wed, 12 Aug 2020 14:56:02 +0200
+Subject: vsock: fix potential null pointer dereference in vsock_poll()
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit 1980c05844830a44708c98c96d600833aa3fae08 ]
+
+syzbot reported this issue where in the vsock_poll() we find the
+socket state at TCP_ESTABLISHED, but 'transport' is null:
+ general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN
+ KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]
+ CPU: 0 PID: 8227 Comm: syz-executor.2 Not tainted 5.8.0-rc7-syzkaller #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ RIP: 0010:vsock_poll+0x75a/0x8e0 net/vmw_vsock/af_vsock.c:1038
+ Call Trace:
+ sock_poll+0x159/0x460 net/socket.c:1266
+ vfs_poll include/linux/poll.h:90 [inline]
+ do_pollfd fs/select.c:869 [inline]
+ do_poll fs/select.c:917 [inline]
+ do_sys_poll+0x607/0xd40 fs/select.c:1011
+ __do_sys_poll fs/select.c:1069 [inline]
+ __se_sys_poll fs/select.c:1057 [inline]
+ __x64_sys_poll+0x18c/0x440 fs/select.c:1057
+ do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+This issue can happen if the TCP_ESTABLISHED state is set after we read
+the vsk->transport in the vsock_poll().
+
+We could put barriers to synchronize, but this can only happen during
+connection setup, so we can simply check that 'transport' is valid.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Reported-and-tested-by: syzbot+a61bac2fcc1a7c6623fe@syzkaller.appspotmail.com
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1032,7 +1032,7 @@ static __poll_t vsock_poll(struct file *
+ }
+
+ /* Connected sockets that can produce data can be written. */
+- if (sk->sk_state == TCP_ESTABLISHED) {
++ if (transport && sk->sk_state == TCP_ESTABLISHED) {
+ if (!(sk->sk_shutdown & SEND_SHUTDOWN)) {
+ bool space_avail_now = false;
+ int ret = transport->notify_poll_out(
projects / thirdparty / kernel / stable-queue.git / commitdiff
