From: Greg Kroah-Hartman Date: Thu, 6 Feb 2020 06:55:07 +0000 (+0000) Subject: 5.4-stable patches X-Git-Tag: v4.19.103~151 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=54d5cb7e069c0eb8f8f5eb8a43de09921c76311c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: bnxt_en-fix-logic-that-disables-bus-master-during-firmware-reset.patch bnxt_en-fix-tc-queue-mapping.patch bnxt_en-move-devlink_register-before-registering-netdev.patch cls_rsvp-fix-rsvp_policy.patch gtp-use-__gfp_nowarn-to-avoid-memalloc-warning.patch ionic-fix-rxq-comp-packet-type-mask.patch l2tp-allow-duplicate-session-creation-with-udp.patch maintainers-correct-entries-for-isdn-misdn-section.patch net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch net-stmmac-delete-txtimer-in-suspend.patch net_sched-fix-an-oob-access-in-cls_tcindex.patch netdevsim-fix-stack-out-of-bounds-in-nsim_dev_debugfs_init.patch rxrpc-fix-insufficient-receive-notification-generation.patch rxrpc-fix-missing-active-use-pinning-of-rxrpc_local-object.patch rxrpc-fix-null-pointer-deref-due-to-call-conn-being-cleared-on-disconnect.patch rxrpc-fix-use-after-free-in-rxrpc_put_local.patch tcp-clear-tp-data_segs-in-out-in-tcp_disconnect.patch tcp-clear-tp-delivered-in-tcp_disconnect.patch tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch tcp-clear-tp-total_retrans-in-tcp_disconnect.patch --- diff --git a/queue-5.4/bnxt_en-fix-logic-that-disables-bus-master-during-firmware-reset.patch b/queue-5.4/bnxt_en-fix-logic-that-disables-bus-master-during-firmware-reset.patch new file mode 100644 index 00000000000..bdda775fbde --- /dev/null +++ b/queue-5.4/bnxt_en-fix-logic-that-disables-bus-master-during-firmware-reset.patch 
@@ -0,0 +1,58 @@ +From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT +From: Vasundhara Volam +Date: Sun, 2 Feb 2020 02:41:37 -0500 +Subject: bnxt_en: Fix logic that disables Bus Master during firmware reset. + +From: Vasundhara Volam + +[ Upstream commit d407302895d3f3ca3a333c711744a95e0b1b0150 ] + +The current logic that calls pci_disable_device() in __bnxt_close_nic() +during firmware reset is flawed. If firmware is still alive, we're +disabling the device too early, causing some firmware commands to +not reach the firmware. + +Fix it by moving the logic to bnxt_reset_close(). If firmware is +in fatal condition, we call pci_disable_device() before we free +any of the rings to prevent DMA corruption of the freed rings. If +firmware is still alive, we call pci_disable_device() after the +last firmware message has been sent. + +Fixes: 3bc7d4a352ef ("bnxt_en: Add BNXT_STATE_IN_FW_RESET state.") +Signed-off-by: Vasundhara Volam +Signed-off-by: Michael Chan +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -9273,10 +9273,6 @@ static void __bnxt_close_nic(struct bnxt + bnxt_debug_dev_exit(bp); + bnxt_disable_napi(bp); + del_timer_sync(&bp->timer); +- if (test_bit(BNXT_STATE_IN_FW_RESET, &bp->state) && +- pci_is_enabled(bp->pdev)) +- pci_disable_device(bp->pdev); +- + bnxt_free_skbs(bp); + + /* Save ring stats before shutdown */ +@@ -10052,8 +10048,15 @@ static void bnxt_fw_reset_close(struct b + { + __bnxt_close_nic(bp, true, false); + bnxt_ulp_irq_stop(bp); ++ /* When firmware is fatal state, disable PCI device to prevent ++ * any potential bad DMAs before freeing kernel memory. 
++ */ ++ if (test_bit(BNXT_STATE_FW_FATAL_COND, &bp->state)) ++ pci_disable_device(bp->pdev); + bnxt_clear_int_mode(bp); + bnxt_hwrm_func_drv_unrgtr(bp); ++ if (pci_is_enabled(bp->pdev)) ++ pci_disable_device(bp->pdev); + bnxt_free_ctx_mem(bp); + kfree(bp->ctx); + bp->ctx = NULL; diff --git a/queue-5.4/bnxt_en-fix-tc-queue-mapping.patch b/queue-5.4/bnxt_en-fix-tc-queue-mapping.patch new file mode 100644 index 00000000000..92c40236d41 --- /dev/null +++ b/queue-5.4/bnxt_en-fix-tc-queue-mapping.patch @@ -0,0 +1,34 @@ +From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT +From: Michael Chan +Date: Sun, 2 Feb 2020 02:41:38 -0500 +Subject: bnxt_en: Fix TC queue mapping. + +From: Michael Chan + +[ Upstream commit 18e4960c18f484ac288f41b43d0e6c4c88e6ea78 ] + +The driver currently only calls netdev_set_tc_queue when the number of +TCs is greater than 1. Instead, the comparison should be greater than +or equal to 1. Even with 1 TC, we need to set the queue mapping. + +This bug can cause warnings when the number of TCs is changed back to 1. + +Fixes: 7809592d3e2e ("bnxt_en: Enable MSIX early in bnxt_init_one().") +Signed-off-by: Michael Chan +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -7873,7 +7873,7 @@ static void bnxt_setup_msix(struct bnxt + int tcs, i; + + tcs = netdev_get_num_tc(dev); +- if (tcs > 1) { ++ if (tcs) { + int i, off, count; + + for (i = 0; i < tcs; i++) { diff --git a/queue-5.4/bnxt_en-move-devlink_register-before-registering-netdev.patch b/queue-5.4/bnxt_en-move-devlink_register-before-registering-netdev.patch new file mode 100644 index 00000000000..ad51927d6da --- /dev/null +++ b/queue-5.4/bnxt_en-move-devlink_register-before-registering-netdev.patch 
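Review bot: In the queued bnxt_fw_reset_close() change, the fatal-condition `pci_disable_device(bp->pdev)` sits after `__bnxt_close_nic(bp, true, false)`, but the description says the device is disabled before any rings are freed, and the first inner hunk shows `__bnxt_close_nic()` calling `bnxt_free_skbs(bp)`. If the goal is to stop DMA before buffers are released, the `test_bit(BNXT_STATE_FW_FATAL_COND, &bp->state)` block would have to run ahead of that call; this needs confirming against the full function, which starts and ends outside the hunk. The same block calls `pci_disable_device()` without the `pci_is_enabled(bp->pdev)` guard used a few lines below, so I would write it as `if (test_bit(BNXT_STATE_FW_FATAL_COND, &bp->state) && pci_is_enabled(bp->pdev))`.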
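Review bot: In bnxt_setup_msix() the new test is `if (tcs)`, which is also true for a negative count, while the description asks for "greater than or equal to 1"; `if (tcs > 0)` says that directly. The loop shown is bounded by `i < tcs`, so a negative value would only skip the loop body, but the explicit comparison keeps the code and the commit message in agreement. The block's inner `int i` also shadows the `i` declared next to `tcs` in the context lines; the function continues outside the hunk.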
@@ -0,0 +1,76 @@ +From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT +From: Vasundhara Volam +Date: Mon, 27 Jan 2020 04:56:22 -0500 +Subject: bnxt_en: Move devlink_register before registering netdev + +From: Vasundhara Volam + +[ Upstream commit cda2cab0771183932d6ba73c5ac63bb63decdadf ] + +Latest kernels get the phys_port_name via devlink, if +ndo_get_phys_port_name is not defined. To provide the phys_port_name +correctly, register devlink before registering netdev. + +Also call devlink_port_type_eth_set() after registering netdev as +devlink port updates the netdev structure and notifies user. + +Cc: Jiri Pirko +Signed-off-by: Vasundhara Volam +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 12 ++++++++---- + drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c | 1 - + 2 files changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -11359,9 +11359,9 @@ static void bnxt_remove_one(struct pci_d + bnxt_sriov_disable(bp); + + bnxt_dl_fw_reporters_destroy(bp, true); +- bnxt_dl_unregister(bp); + pci_disable_pcie_error_reporting(pdev); + unregister_netdev(dev); ++ bnxt_dl_unregister(bp); + bnxt_shutdown_tc(bp); + bnxt_cancel_sp_work(bp); + bp->sp_event = 0; +@@ -11850,11 +11850,14 @@ static int bnxt_init_one(struct pci_dev + bnxt_init_tc(bp); + } + ++ bnxt_dl_register(bp); ++ + rc = register_netdev(dev); + if (rc) +- goto init_err_cleanup_tc; ++ goto init_err_cleanup; + +- bnxt_dl_register(bp); ++ if (BNXT_PF(bp)) ++ devlink_port_type_eth_set(&bp->dl_port, bp->dev); + bnxt_dl_fw_reporters_create(bp); + + netdev_info(dev, "%s found at mem %lx, node addr %pM\n", +@@ -11864,7 +11867,8 @@ static int bnxt_init_one(struct pci_dev + + return 0; + +-init_err_cleanup_tc: ++init_err_cleanup: ++ bnxt_dl_unregister(bp); + bnxt_shutdown_tc(bp); + bnxt_clear_int_mode(bp); + +--- 
a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c +@@ -482,7 +482,6 @@ int bnxt_dl_register(struct bnxt *bp) + netdev_err(bp->dev, "devlink_port_register failed"); + goto err_dl_param_unreg; + } +- devlink_port_type_eth_set(&bp->dl_port, bp->dev); + + rc = devlink_port_params_register(&bp->dl_port, bnxt_dl_port_params, + ARRAY_SIZE(bnxt_dl_port_params)); diff --git a/queue-5.4/cls_rsvp-fix-rsvp_policy.patch b/queue-5.4/cls_rsvp-fix-rsvp_policy.patch new file mode 100644 index 00000000000..475ed2e7b2f --- /dev/null +++ b/queue-5.4/cls_rsvp-fix-rsvp_policy.patch 
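Review bot: bnxt_init_one() now calls `bnxt_dl_register(bp)` and ignores the result, although the bnxt_devlink.c hunk shows the function returns `int` and has a failure path after "devlink_port_register failed". After such a failure the new `devlink_port_type_eth_set(&bp->dl_port, bp->dev)` would run on a port that was never registered, and both `init_err_cleanup` and bnxt_remove_one() call `bnxt_dl_unregister(bp)` unconditionally. I would capture the result with `rc = bnxt_dl_register(bp);` and either fail the probe through a label placed after the `bnxt_dl_unregister(bp)` line, or guard the later devlink calls on it. Whether bnxt_dl_unregister() already tolerates a failed registration is not visible in this hunk.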
@@ -0,0 +1,101 @@ +From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT +From: Eric Dumazet +Date: Fri, 31 Jan 2020 15:27:04 -0800 +Subject: cls_rsvp: fix rsvp_policy + +From: Eric Dumazet + +[ Upstream commit cb3c0e6bdf64d0d124e94ce43cbe4ccbb9b37f51 ] + +NLA_BINARY can be confusing, since .len value represents +the max size of the blob. + +cls_rsvp really wants user space to provide long enough data +for TCA_RSVP_DST and TCA_RSVP_SRC attributes. + +BUG: KMSAN: uninit-value in rsvp_get net/sched/cls_rsvp.h:258 [inline] +BUG: KMSAN: uninit-value in gen_handle net/sched/cls_rsvp.h:402 [inline] +BUG: KMSAN: uninit-value in rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572 +CPU: 1 PID: 13228 Comm: syz-executor.1 Not tainted 5.5.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x220 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 + rsvp_get net/sched/cls_rsvp.h:258 [inline] + gen_handle net/sched/cls_rsvp.h:402 [inline] + rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572 + tc_new_tfilter+0x31fe/0x5010 net/sched/cls_api.c:2104 + rtnetlink_rcv_msg+0xcb7/0x1570 net/core/rtnetlink.c:5415 + netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477 + rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442 + netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328 + netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:639 [inline] + sock_sendmsg net/socket.c:659 [inline] + ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330 + ___sys_sendmsg net/socket.c:2384 [inline] + __sys_sendmsg+0x451/0x5f0 net/socket.c:2417 + __do_sys_sendmsg net/socket.c:2426 [inline] + __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424 + __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424 + 
do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 +RIP: 0033:0x45b349 +Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f269d43dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e +RAX: ffffffffffffffda RBX: 00007f269d43e6d4 RCX: 000000000045b349 +RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 +RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff +R13: 00000000000009c2 R14: 00000000004cb338 R15: 000000000075bfd4 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline] + kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127 + kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82 + slab_alloc_node mm/slub.c:2774 [inline] + __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382 + __kmalloc_reserve net/core/skbuff.c:141 [inline] + __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209 + alloc_skb include/linux/skbuff.h:1049 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline] + netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892 + sock_sendmsg_nosec net/socket.c:639 [inline] + sock_sendmsg net/socket.c:659 [inline] + ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330 + ___sys_sendmsg net/socket.c:2384 [inline] + __sys_sendmsg+0x451/0x5f0 net/socket.c:2417 + __do_sys_sendmsg net/socket.c:2426 [inline] + __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424 + __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424 + do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 6fa8c0144b77 ("[NET_SCHED]: Use nla_policy for attribute validation in classifiers") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Acked-by: Cong Wang +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman 
+--- + net/sched/cls_rsvp.h | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/net/sched/cls_rsvp.h ++++ b/net/sched/cls_rsvp.h +@@ -463,10 +463,8 @@ static u32 gen_tunnel(struct rsvp_head * + + static const struct nla_policy rsvp_policy[TCA_RSVP_MAX + 1] = { + [TCA_RSVP_CLASSID] = { .type = NLA_U32 }, +- [TCA_RSVP_DST] = { .type = NLA_BINARY, +- .len = RSVP_DST_LEN * sizeof(u32) }, +- [TCA_RSVP_SRC] = { .type = NLA_BINARY, +- .len = RSVP_DST_LEN * sizeof(u32) }, ++ [TCA_RSVP_DST] = { .len = RSVP_DST_LEN * sizeof(u32) }, ++ [TCA_RSVP_SRC] = { .len = RSVP_DST_LEN * sizeof(u32) }, + [TCA_RSVP_PINFO] = { .len = sizeof(struct tc_rsvp_pinfo) }, + }; + diff --git a/queue-5.4/gtp-use-__gfp_nowarn-to-avoid-memalloc-warning.patch b/queue-5.4/gtp-use-__gfp_nowarn-to-avoid-memalloc-warning.patch new file mode 100644 index 00000000000..9e15e6cb22c --- /dev/null +++ b/queue-5.4/gtp-use-__gfp_nowarn-to-avoid-memalloc-warning.patch 
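Review bot: The rsvp_policy entries for TCA_RSVP_DST and TCA_RSVP_SRC now rely on the implicit rule that an entry without `.type` treats `.len` as a minimum payload length, and nothing in the table says so. A one-line comment above them, for example `/* no .type: .len is the minimum length; NLA_BINARY would make it a maximum */`, would keep a later cleanup from restoring NLA_BINARY and reopening the uninitialised read shown in the KMSAN report. The policy still accepts attributes longer than `RSVP_DST_LEN * sizeof(u32)`, so the readers in rsvp_change(), which are outside this hunk, should be confirmed to copy only that fixed size. If the tree provides an exact-length policy type, it would express the requirement more tightly.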
@@ -0,0 +1,67 @@ +From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT +From: Taehee Yoo +Date: Tue, 4 Feb 2020 03:24:59 +0000 +Subject: gtp: use __GFP_NOWARN to avoid memalloc warning + +From: Taehee Yoo + +[ Upstream commit bd5cd35b782abf5437fbd01dfaee12437d20e832 ] + +gtp hashtable size is received by user-space. +So, this hashtable size could be too large. If so, kmalloc will internally +print a warning message. +This warning message is actually not necessary for the gtp module. +So, this patch adds __GFP_NOWARN to avoid this message. + +Splat looks like: +[ 2171.200049][ T1860] WARNING: CPU: 1 PID: 1860 at mm/page_alloc.c:4713 __alloc_pages_nodemask+0x2f3/0x740 +[ 2171.238885][ T1860] Modules linked in: gtp veth openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv] +[ 2171.262680][ T1860] CPU: 1 PID: 1860 Comm: gtp-link Not tainted 5.5.0+ #321 +[ 2171.263567][ T1860] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 2171.264681][ T1860] RIP: 0010:__alloc_pages_nodemask+0x2f3/0x740 +[ 2171.265332][ T1860] Code: 64 fe ff ff 65 48 8b 04 25 c0 0f 02 00 48 05 f0 12 00 00 41 be 01 00 00 00 49 89 47 0 +[ 2171.267301][ T1860] RSP: 0018:ffff8880b51af1f0 EFLAGS: 00010246 +[ 2171.268320][ T1860] RAX: ffffed1016a35e43 RBX: 0000000000000000 RCX: 0000000000000000 +[ 2171.269517][ T1860] RDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000000000 +[ 2171.270305][ T1860] RBP: 0000000000040cc0 R08: ffffed1018893109 R09: dffffc0000000000 +[ 2171.275973][ T1860] R10: 0000000000000001 R11: ffffed1018893108 R12: 1ffff11016a35e43 +[ 2171.291039][ T1860] R13: 000000000000000b R14: 000000000000000b R15: 00000000000f4240 +[ 2171.292328][ T1860] FS: 00007f53cbc83740(0000) GS:ffff8880da000000(0000) knlGS:0000000000000000 +[ 2171.293409][ T1860] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 2171.294586][ T1860] CR2: 000055f540014508 CR3: 00000000b49f2004 CR4: 00000000000606e0 +[ 2171.295424][ T1860] Call Trace: +[ 2171.295756][ T1860] ? 
mark_held_locks+0xa5/0xe0 +[ 2171.296659][ T1860] ? __alloc_pages_slowpath+0x21b0/0x21b0 +[ 2171.298283][ T1860] ? gtp_encap_enable_socket+0x13e/0x400 [gtp] +[ 2171.298962][ T1860] ? alloc_pages_current+0xc1/0x1a0 +[ 2171.299475][ T1860] kmalloc_order+0x22/0x80 +[ 2171.299936][ T1860] kmalloc_order_trace+0x1d/0x140 +[ 2171.300437][ T1860] __kmalloc+0x302/0x3a0 +[ 2171.300896][ T1860] gtp_newlink+0x293/0xba0 [gtp] +[ ... ] + +Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/gtp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -767,12 +767,12 @@ static int gtp_hashtable_new(struct gtp_ + int i; + + gtp->addr_hash = kmalloc_array(hsize, sizeof(struct hlist_head), +- GFP_KERNEL); ++ GFP_KERNEL | __GFP_NOWARN); + if (gtp->addr_hash == NULL) + return -ENOMEM; + + gtp->tid_hash = kmalloc_array(hsize, sizeof(struct hlist_head), +- GFP_KERNEL); ++ GFP_KERNEL | __GFP_NOWARN); + if (gtp->tid_hash == NULL) + goto err1; + diff --git a/queue-5.4/ionic-fix-rxq-comp-packet-type-mask.patch b/queue-5.4/ionic-fix-rxq-comp-packet-type-mask.patch new file mode 100644 index 00000000000..7cf6f9a23ac --- /dev/null +++ b/queue-5.4/ionic-fix-rxq-comp-packet-type-mask.patch 
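Review bot: Adding `__GFP_NOWARN` in gtp_hashtable_new() silences the allocator warning, but `hsize`, which the description says comes from user space, still reaches `kmalloc_array()` with no bound in the lines shown. I would reject out-of-range values before allocating, for example `if (!hsize || hsize > GTP_HASHSIZE_MAX) return -EINVAL;`, where `GTP_HASHSIZE_MAX` is a placeholder for a limit the driver would have to define. With the warning suppressed, an oversized request from an unprivileged namespace no longer leaves a trace in the log, so the bound is the only remaining control. Whether the caller already validates the value, including zero, is not visible; the function continues outside the hunk.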
@@ -0,0 +1,30 @@ +From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT +From: Shannon Nelson +Date: Thu, 30 Jan 2020 10:07:06 -0800 +Subject: ionic: fix rxq comp packet type mask + +From: Shannon Nelson + +[ Upstream commit b5ce31b5e11b768b7d685b2bab7db09ad5549493 ] + +Be sure to include all the packet type bits in the mask. + +Fixes: fbfb8031533c ("ionic: Add hardware init and device commands") +Signed-off-by: Shannon Nelson +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/pensando/ionic/ionic_if.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/pensando/ionic/ionic_if.h ++++ b/drivers/net/ethernet/pensando/ionic/ionic_if.h +@@ -862,7 +862,7 @@ struct ionic_rxq_comp { + #define IONIC_RXQ_COMP_CSUM_F_VLAN 0x40 + #define IONIC_RXQ_COMP_CSUM_F_CALC 0x80 + u8 pkt_type_color; +-#define IONIC_RXQ_COMP_PKT_TYPE_MASK 0x0f ++#define IONIC_RXQ_COMP_PKT_TYPE_MASK 0x7f + }; + + enum ionic_pkt_type { diff --git a/queue-5.4/l2tp-allow-duplicate-session-creation-with-udp.patch b/queue-5.4/l2tp-allow-duplicate-session-creation-with-udp.patch new file mode 100644 index 00000000000..b8c01d09075 --- /dev/null +++ b/queue-5.4/l2tp-allow-duplicate-session-creation-with-udp.patch 
@@ -0,0 +1,47 @@ +From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT +From: Ridge Kennedy +Date: Tue, 4 Feb 2020 12:24:00 +1300 +Subject: l2tp: Allow duplicate session creation with UDP + +From: Ridge Kennedy + +[ Upstream commit 0d0d9a388a858e271bb70e71e99e7fe2a6fd6f64 ] + +In the past it was possible to create multiple L2TPv3 sessions with the +same session id as long as the sessions belonged to different tunnels. +The resulting sessions had issues when used with IP encapsulated tunnels, +but worked fine with UDP encapsulated ones. Some applications began to +rely on this behaviour to avoid having to negotiate unique session ids. + +Some time ago a change was made to require session ids to be unique across +all tunnels, breaking the applications making use of this "feature". + +This change relaxes the duplicate session id check to allow duplicates +if both of the colliding sessions belong to UDP encapsulated tunnels. + +Fixes: dbdbc73b4478 ("l2tp: fix duplicate session creation") +Signed-off-by: Ridge Kennedy +Acked-by: James Chapman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -322,8 +322,13 @@ int l2tp_session_register(struct l2tp_se + + spin_lock_bh(&pn->l2tp_session_hlist_lock); + ++ /* IP encap expects session IDs to be globally unique, while ++ * UDP encap doesn't. ++ */ + hlist_for_each_entry(session_walk, g_head, global_hlist) +- if (session_walk->session_id == session->session_id) { ++ if (session_walk->session_id == session->session_id && ++ (session_walk->tunnel->encap == L2TP_ENCAPTYPE_IP || ++ tunnel->encap == L2TP_ENCAPTYPE_IP)) { + err = -EEXIST; + goto err_tlock_pnlock; + } diff --git a/queue-5.4/maintainers-correct-entries-for-isdn-misdn-section.patch b/queue-5.4/maintainers-correct-entries-for-isdn-misdn-section.patch new file mode 100644 index 00000000000..be38fb52d3c 
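Review bot: After this change l2tp_session_register() can leave two sessions with the same `session_id` on the same `global_hlist` chain when both tunnels use UDP encapsulation, so any lookup that walks this list by id alone may return either one. The lookups are outside the hunk; they should be checked to confirm that UDP receive paths resolve sessions per tunnel and only IP encapsulation uses the global list, otherwise traffic could be matched to a session in a different tunnel. The added comment could state that dependency, for example `/* IP encap finds sessions in the global list by ID alone, so IDs must be unique there; UDP encap resolves them per tunnel. */`, with the wording confirmed against the lookup code.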
--- /dev/null +++ b/queue-5.4/maintainers-correct-entries-for-isdn-misdn-section.patch @@ -0,0 +1,46 @@ +From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT +From: Lukas Bulwahn +Date: Sat, 1 Feb 2020 13:43:01 +0100 +Subject: MAINTAINERS: correct entries for ISDN/mISDN section + +From: Lukas Bulwahn + +[ Upstream commit dff6bc1bfd462b76dc13ec19dedc2c134a62ac59 ] + +Commit 6d97985072dc ("isdn: move capi drivers to staging") cleaned up the +isdn drivers and split the MAINTAINERS section for ISDN, but missed to add +the terminal slash for the two directories mISDN and hardware. Hence, all +files in those directories were not part of the new ISDN/mISDN SUBSYSTEM, +but were considered to be part of "THE REST". + +Rectify the situation, and while at it, also complete the section with two +further build files that belong to that subsystem. + +This was identified with a small script that finds all files belonging to +"THE REST" according to the current MAINTAINERS file, and I investigated +upon its output. + +Fixes: 6d97985072dc ("isdn: move capi drivers to staging") +Signed-off-by: Lukas Bulwahn +Acked-by: Arnd Bergmann +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + MAINTAINERS | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -8704,8 +8704,10 @@ L: isdn4linux@listserv.isdn4linux.de (su + L: netdev@vger.kernel.org + W: http://www.isdn4linux.de + S: Maintained +-F: drivers/isdn/mISDN +-F: drivers/isdn/hardware ++F: drivers/isdn/mISDN/ ++F: drivers/isdn/hardware/ ++F: drivers/isdn/Kconfig ++F: drivers/isdn/Makefile + + ISDN/CAPI SUBSYSTEM + M: Karsten Keil diff --git a/queue-5.4/net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch b/queue-5.4/net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch new file mode 100644 index 00000000000..a6c3cadb6c0 --- /dev/null +++ b/queue-5.4/net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch 
@@ -0,0 +1,62 @@ +From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT +From: Eric Dumazet +Date: Mon, 3 Feb 2020 10:15:07 -0800 +Subject: net: hsr: fix possible NULL deref in hsr_handle_frame() + +From: Eric Dumazet + +[ Upstream commit 2b5b8251bc9fe2f9118411f037862ee17cf81e97 ] + +hsr_port_get_rcu() can return NULL, so we need to be careful. + +general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] +CPU: 1 PID: 10249 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline] +RIP: 0010:hsr_addr_is_self+0x86/0x330 net/hsr/hsr_framereg.c:44 +Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 6b ff 94 f9 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 02 00 00 48 8b 43 30 49 39 c6 49 89 47 c0 0f +RSP: 0018:ffffc90000da8a90 EFLAGS: 00010206 +RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87e0cc33 +RDX: 0000000000000006 RSI: ffffffff87e035d5 RDI: 0000000000000000 +RBP: ffffc90000da8b20 R08: ffff88808e7de040 R09: ffffed1015d2707c +R10: ffffed1015d2707b R11: ffff8880ae9383db R12: ffff8880a689bc5e +R13: 1ffff920001b5153 R14: 0000000000000030 R15: ffffc90000da8af8 +FS: 00007fd7a42be700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b32338000 CR3: 00000000a928c000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + hsr_handle_frame+0x1c5/0x630 net/hsr/hsr_slave.c:31 + __netif_receive_skb_core+0xfbc/0x30b0 net/core/dev.c:5099 + __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:5196 + __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5312 + process_backlog+0x206/0x750 
net/core/dev.c:6144 + napi_poll net/core/dev.c:6582 [inline] + net_rx_action+0x508/0x1120 net/core/dev.c:6650 + __do_softirq+0x262/0x98c kernel/softirq.c:292 + do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082 + + +Fixes: c5a759117210 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/hsr/hsr_slave.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/hsr/hsr_slave.c ++++ b/net/hsr/hsr_slave.c +@@ -27,6 +27,8 @@ static rx_handler_result_t hsr_handle_fr + + rcu_read_lock(); /* hsr->node_db, hsr->ports */ + port = hsr_port_get_rcu(skb->dev); ++ if (!port) ++ goto finish_pass; + + if (hsr_addr_is_self(port->hsr, eth_hdr(skb)->h_source)) { + /* Directly kill frames sent by ourselves */ diff --git a/queue-5.4/net-stmmac-delete-txtimer-in-suspend.patch b/queue-5.4/net-stmmac-delete-txtimer-in-suspend.patch new file mode 100644 index 00000000000..ee65ca2fd29 --- /dev/null +++ b/queue-5.4/net-stmmac-delete-txtimer-in-suspend.patch 
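Review bot: The new `if (!port) goto finish_pass;` in hsr_handle_frame() runs after `rcu_read_lock()`, and the `finish_pass` label is outside the hunk, so it should be confirmed that the label calls `rcu_read_unlock()` before returning. The check also carries no comment saying when `hsr_port_get_rcu(skb->dev)` returns NULL. Something like `/* skb->dev is not (or no longer) an HSR port: let the frame pass */` would document it, hedged because the helper is not shown here.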
@@ -0,0 +1,72 @@ +From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT +From: Nicolin Chen +Date: Fri, 31 Jan 2020 18:01:24 -0800 +Subject: net: stmmac: Delete txtimer in suspend() + +From: Nicolin Chen + +[ Upstream commit 14b41a2959fbaa50932699d32ceefd6643abacc6 ] + +When running v5.5 with a rootfs on NFS, memory abort may happen in +the system resume stage: + Unable to handle kernel paging request at virtual address dead00000000012a + [dead00000000012a] address between user and kernel address ranges + pc : run_timer_softirq+0x334/0x3d8 + lr : run_timer_softirq+0x244/0x3d8 + x1 : ffff800011cafe80 x0 : dead000000000122 + Call trace: + run_timer_softirq+0x334/0x3d8 + efi_header_end+0x114/0x234 + irq_exit+0xd0/0xd8 + __handle_domain_irq+0x60/0xb0 + gic_handle_irq+0x58/0xa8 + el1_irq+0xb8/0x180 + arch_cpu_idle+0x10/0x18 + do_idle+0x1d8/0x2b0 + cpu_startup_entry+0x24/0x40 + secondary_start_kernel+0x1b4/0x208 + Code: f9000693 a9400660 f9000020 b4000040 (f9000401) + ---[ end trace bb83ceeb4c482071 ]--- + Kernel panic - not syncing: Fatal exception in interrupt + SMP: stopping secondary CPUs + SMP: failed to stop secondary CPUs 2-3 + Kernel Offset: disabled + CPU features: 0x00002,2300aa30 + Memory Limit: none + ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- + +It's found that stmmac_xmit() and stmmac_resume() sometimes might +run concurrently, possibly resulting in a race condition between +mod_timer() and setup_timer(), being called by stmmac_xmit() and +stmmac_resume() respectively. + +Since the resume() runs setup_timer() every time, it'd be safer to +have del_timer_sync() in the suspend() as the counterpart. 
+ +Signed-off-by: Nicolin Chen +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -4763,6 +4763,7 @@ int stmmac_suspend(struct device *dev) + { + struct net_device *ndev = dev_get_drvdata(dev); + struct stmmac_priv *priv = netdev_priv(ndev); ++ u32 chan; + + if (!ndev || !netif_running(ndev)) + return 0; +@@ -4776,6 +4777,9 @@ int stmmac_suspend(struct device *dev) + + stmmac_disable_all_queues(priv); + ++ for (chan = 0; chan < priv->plat->tx_queues_to_use; chan++) ++ del_timer_sync(&priv->tx_queue[chan].txtimer); ++ + /* Stop TX/RX DMA */ + stmmac_stop_all_dma(priv); + diff --git a/queue-5.4/net_sched-fix-an-oob-access-in-cls_tcindex.patch b/queue-5.4/net_sched-fix-an-oob-access-in-cls_tcindex.patch new file mode 100644 index 00000000000..39b8ac5b357 --- /dev/null +++ b/queue-5.4/net_sched-fix-an-oob-access-in-cls_tcindex.patch 
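Review bot: `del_timer_sync()` in stmmac_suspend() cancels a pending txtimer and waits for a running handler, but it does not stop a later `mod_timer()` from re-arming the timer, and the description names stmmac_xmit() as a concurrent caller. The loop is sufficient only if transmission is already quiesced by the lines between the two inner hunks, which are not visible. A comment such as `/* TX is stopped above, so the timers cannot be re-armed after this point */` would record that dependency, once it is confirmed. The function continues outside the hunk.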
@@ -0,0 +1,100 @@ +From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT +From: Cong Wang +Date: Sun, 2 Feb 2020 21:14:35 -0800 +Subject: net_sched: fix an OOB access in cls_tcindex + +From: Cong Wang + +[ Upstream commit 599be01ee567b61f4471ee8078870847d0a11e8e ] + +As Eric noticed, tcindex_alloc_perfect_hash() uses cp->hash +to compute the size of memory allocation, but cp->hash is +set again after the allocation, this caused an out-of-bound +access. + +So we have to move all cp->hash initialization and computation +before the memory allocation. Move cp->mask and cp->shift together +as cp->hash may need them for computation too. + +Reported-and-tested-by: syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com +Fixes: 331b72922c5f ("net: sched: RCU cls_tcindex") +Cc: Eric Dumazet +Cc: John Fastabend +Cc: Jamal Hadi Salim +Cc: Jiri Pirko +Cc: Jakub Kicinski +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/cls_tcindex.c | 40 ++++++++++++++++++++-------------------- + 1 file changed, 20 insertions(+), 20 deletions(-) + +--- a/net/sched/cls_tcindex.c ++++ b/net/sched/cls_tcindex.c +@@ -333,12 +333,31 @@ tcindex_set_parms(struct net *net, struc + cp->fall_through = p->fall_through; + cp->tp = tp; + ++ if (tb[TCA_TCINDEX_HASH]) ++ cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]); ++ ++ if (tb[TCA_TCINDEX_MASK]) ++ cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]); ++ ++ if (tb[TCA_TCINDEX_SHIFT]) ++ cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]); ++ ++ if (!cp->hash) { ++ /* Hash not specified, use perfect hash if the upper limit ++ * of the hashing index is below the threshold. 
++ */ ++ if ((cp->mask >> cp->shift) < PERFECT_HASH_THRESHOLD) ++ cp->hash = (cp->mask >> cp->shift) + 1; ++ else ++ cp->hash = DEFAULT_HASH_SIZE; ++ } ++ + if (p->perfect) { + int i; + + if (tcindex_alloc_perfect_hash(net, cp) < 0) + goto errout; +- for (i = 0; i < cp->hash; i++) ++ for (i = 0; i < min(cp->hash, p->hash); i++) + cp->perfect[i].res = p->perfect[i].res; + balloc = 1; + } +@@ -350,15 +369,6 @@ tcindex_set_parms(struct net *net, struc + if (old_r) + cr = r->res; + +- if (tb[TCA_TCINDEX_HASH]) +- cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]); +- +- if (tb[TCA_TCINDEX_MASK]) +- cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]); +- +- if (tb[TCA_TCINDEX_SHIFT]) +- cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]); +- + err = -EBUSY; + + /* Hash already allocated, make sure that we still meet the +@@ -376,16 +386,6 @@ tcindex_set_parms(struct net *net, struc + if (tb[TCA_TCINDEX_FALL_THROUGH]) + cp->fall_through = nla_get_u32(tb[TCA_TCINDEX_FALL_THROUGH]); + +- if (!cp->hash) { +- /* Hash not specified, use perfect hash if the upper limit +- * of the hashing index is below the threshold. +- */ +- if ((cp->mask >> cp->shift) < PERFECT_HASH_THRESHOLD) +- cp->hash = (cp->mask >> cp->shift) + 1; +- else +- cp->hash = DEFAULT_HASH_SIZE; +- } +- + if (!cp->perfect && !cp->h) + cp->alloc_hash = cp->hash; + diff --git a/queue-5.4/netdevsim-fix-stack-out-of-bounds-in-nsim_dev_debugfs_init.patch b/queue-5.4/netdevsim-fix-stack-out-of-bounds-in-nsim_dev_debugfs_init.patch new file mode 100644 index 00000000000..eb41989b13b --- /dev/null +++ b/queue-5.4/netdevsim-fix-stack-out-of-bounds-in-nsim_dev_debugfs_init.patch 
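Review bot: In tcindex_set_parms() the moved block evaluates `cp->mask >> cp->shift` with `cp->shift` taken straight from `nla_get_u32(tb[TCA_TCINDEX_SHIFT])`, and no range check is visible. Since the mask is read with `nla_get_u16()`, a shift above 16 is meaningless, and a shift of 32 or more is undefined behaviour in C. I would reject it where it is read: `if (cp->shift > 16) { err = -EINVAL; goto errout; }`. `cp->hash` from `TCA_TCINDEX_HASH` likewise feeds the allocation in tcindex_alloc_perfect_hash() without a visible upper bound; the validation further down the function is outside this hunk and should be confirmed to cover it.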
@@ -0,0 +1,65 @@ +From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT +From: Taehee Yoo +Date: Sat, 1 Feb 2020 16:43:22 +0000 +Subject: netdevsim: fix stack-out-of-bounds in nsim_dev_debugfs_init() + +From: Taehee Yoo + +[ Upstream commit 6fb8852b1298200da39bd85788bc5755d1d56f32 ] + +When netdevsim dev is being created, a debugfs directory is created. +The variable "dev_ddir_name" is 16bytes device name pointer and device +name is "netdevsim". +The maximum dev id length is 10. +So, 16bytes for device name isn't enough. + +Test commands: + modprobe netdevsim + echo "1000000000 0" > /sys/bus/netdevsim/new_device + +Splat looks like: +[ 249.622710][ T900] BUG: KASAN: stack-out-of-bounds in number+0x824/0x880 +[ 249.623658][ T900] Write of size 1 at addr ffff88804c527988 by task bash/900 +[ 249.624521][ T900] +[ 249.624830][ T900] CPU: 1 PID: 900 Comm: bash Not tainted 5.5.0+ #322 +[ 249.625691][ T900] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 +[ 249.626712][ T900] Call Trace: +[ 249.627103][ T900] dump_stack+0x96/0xdb +[ 249.627639][ T900] ? number+0x824/0x880 +[ 249.628173][ T900] print_address_description.constprop.5+0x1be/0x360 +[ 249.629022][ T900] ? number+0x824/0x880 +[ 249.629569][ T900] ? number+0x824/0x880 +[ 249.630105][ T900] __kasan_report+0x12a/0x170 +[ 249.630717][ T900] ? number+0x824/0x880 +[ 249.631201][ T900] kasan_report+0xe/0x20 +[ 249.631723][ T900] number+0x824/0x880 +[ 249.632235][ T900] ? put_dec+0xa0/0xa0 +[ 249.632716][ T900] ? rcu_read_lock_sched_held+0x90/0xc0 +[ 249.633392][ T900] vsnprintf+0x63c/0x10b0 +[ 249.633983][ T900] ? pointer+0x5b0/0x5b0 +[ 249.634543][ T900] ? mark_lock+0x11d/0xc40 +[ 249.635200][ T900] sprintf+0x9b/0xd0 +[ 249.635750][ T900] ? scnprintf+0xe0/0xe0 +[ 249.636370][ T900] nsim_dev_probe+0x63c/0xbf0 [netdevsim] +[ ... 
] + +Reviewed-by: Jakub Kicinski +Fixes: ab1d0cc004d7 ("netdevsim: change debugfs tree topology") +Signed-off-by: Taehee Yoo +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/netdevsim/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/netdevsim/dev.c ++++ b/drivers/net/netdevsim/dev.c +@@ -73,7 +73,7 @@ static const struct file_operations nsim + + static int nsim_dev_debugfs_init(struct nsim_dev *nsim_dev) + { +- char dev_ddir_name[16]; ++ char dev_ddir_name[sizeof(DRV_NAME) + 10]; + + sprintf(dev_ddir_name, DRV_NAME "%u", nsim_dev->nsim_bus_dev->dev.id); + nsim_dev->ddir = debugfs_create_dir(dev_ddir_name, nsim_dev_ddir); diff --git a/queue-5.4/rxrpc-fix-insufficient-receive-notification-generation.patch b/queue-5.4/rxrpc-fix-insufficient-receive-notification-generation.patch new file mode 100644 index 00000000000..9eb8cfade8d --- /dev/null +++ b/queue-5.4/rxrpc-fix-insufficient-receive-notification-generation.patch 
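Review bot: The write into `dev_ddir_name` in nsim_dev_debugfs_init() is still an unbounded `sprintf()`, so the new size `sizeof(DRV_NAME) + 10` protects the stack only as long as that arithmetic stays right. It is exact today for a 32-bit `%u` (ten digits plus the NUL that sizeof already counts). Using `snprintf(dev_ddir_name, sizeof(dev_ddir_name), DRV_NAME "%u", nsim_dev->nsim_bus_dev->dev.id);` makes the limit explicit and keeps the buffer safe if the format or the id type changes later. The function continues past the hunk.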
@@ -0,0 +1,43 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: David Howells
+Date: Thu, 30 Jan 2020 21:50:36 +0000
+Subject: rxrpc: Fix insufficient receive notification generation
+
+From: David Howells
+
+[ Upstream commit f71dbf2fb28489a79bde0dca1c8adfb9cdb20a6b ]
+
+In rxrpc_input_data(), rxrpc_notify_socket() is called if the base sequence
+number of the packet is immediately following the hard-ack point at the end
+of the function. However, this isn't sufficient, since the recvmsg side
+may have been advancing the window and then overrun the position in which
+we're adding - at which point rx_hard_ack >= seq0 and no notification is
+generated.
+
+Fix this by always generating a notification at the end of the input
+function.
+
+Without this, a long call may stall, possibly indefinitely.
+
+Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
+Signed-off-by: David Howells
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/input.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/rxrpc/input.c
++++ b/net/rxrpc/input.c
+@@ -599,10 +599,8 @@ ack:
+ false, true,
+ rxrpc_propose_ack_input_data);
+
+- if (seq0 == READ_ONCE(call->rx_hard_ack) + 1) {
+- trace_rxrpc_notify_socket(call->debug_id, serial);
+- rxrpc_notify_socket(call);
+- }
++ trace_rxrpc_notify_socket(call->debug_id, serial);
++ rxrpc_notify_socket(call);
+
+ unlock:
+ spin_unlock(&call->input_lock);
diff --git a/queue-5.4/rxrpc-fix-missing-active-use-pinning-of-rxrpc_local-object.patch b/queue-5.4/rxrpc-fix-missing-active-use-pinning-of-rxrpc_local-object.patch
new file mode 100644
index 00000000000..00f8aa2b526
--- /dev/null
+++ b/queue-5.4/rxrpc-fix-missing-active-use-pinning-of-rxrpc_local-object.patch
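Review bot: The now unconditional notification after the `ack:` label carries no comment explaining why the `seq0 == rx_hard_ack + 1` test was dropped, and the removed test looks like an optimisation that someone could later restore. A short comment above `trace_rxrpc_notify_socket()` such as `/* Always notify: recvmsg may already have advanced rx_hard_ack past seq0. */` would keep the reasoning from the commit message next to the code. The enclosing function starts outside the hunk.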
@@ -0,0 +1,251 @@ +From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT +From: David Howells +Date: Thu, 30 Jan 2020 21:50:36 +0000 +Subject: rxrpc: Fix missing active use pinning of rxrpc_local object + +From: David Howells + +[ Upstream commit 04d36d748fac349b068ef621611f454010054c58 ] + +The introduction of a split between the reference count on rxrpc_local +objects and the usage count didn't quite go far enough. A number of kernel +work items need to make use of the socket to perform transmission. These +also need to get an active count on the local object to prevent the socket +from being closed. + +Fix this by getting the active count in those places. + +Also split out the raw active count get/put functions as these places tend +to hold refs on the rxrpc_local object already, so getting and putting an +extra object ref is just a waste of time. + +The problem can lead to symptoms like: + + BUG: kernel NULL pointer dereference, address: 0000000000000018 + .. + CPU: 2 PID: 818 Comm: kworker/u9:0 Not tainted 5.5.0-fscache+ #51 + ... + RIP: 0010:selinux_socket_sendmsg+0x5/0x13 + ... 
+ Call Trace: + security_socket_sendmsg+0x2c/0x3e + sock_sendmsg+0x1a/0x46 + rxrpc_send_keepalive+0x131/0x1ae + rxrpc_peer_keepalive_worker+0x219/0x34b + process_one_work+0x18e/0x271 + worker_thread+0x1a3/0x247 + kthread+0xe6/0xeb + ret_from_fork+0x1f/0x30 + +Fixes: 730c5fd42c1e ("rxrpc: Fix local endpoint refcounting") +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/af_rxrpc.c | 2 ++ + net/rxrpc/ar-internal.h | 10 ++++++++++ + net/rxrpc/conn_event.c | 30 ++++++++++++++++++++---------- + net/rxrpc/local_object.c | 18 +++++++----------- + net/rxrpc/peer_event.c | 40 ++++++++++++++++++++++------------------ + 5 files changed, 61 insertions(+), 39 deletions(-) + +--- a/net/rxrpc/af_rxrpc.c ++++ b/net/rxrpc/af_rxrpc.c +@@ -194,6 +194,7 @@ static int rxrpc_bind(struct socket *soc + service_in_use: + write_unlock(&local->services_lock); + rxrpc_unuse_local(local); ++ rxrpc_put_local(local); + ret = -EADDRINUSE; + error_unlock: + release_sock(&rx->sk); +@@ -899,6 +900,7 @@ static int rxrpc_release_sock(struct soc + rxrpc_purge_queue(&sk->sk_receive_queue); + + rxrpc_unuse_local(rx->local); ++ rxrpc_put_local(rx->local); + rx->local = NULL; + key_put(rx->key); + rx->key = NULL; +--- a/net/rxrpc/ar-internal.h ++++ b/net/rxrpc/ar-internal.h +@@ -1021,6 +1021,16 @@ void rxrpc_unuse_local(struct rxrpc_loca + void rxrpc_queue_local(struct rxrpc_local *); + void rxrpc_destroy_all_locals(struct rxrpc_net *); + ++static inline bool __rxrpc_unuse_local(struct rxrpc_local *local) ++{ ++ return atomic_dec_return(&local->active_users) == 0; ++} ++ ++static inline bool __rxrpc_use_local(struct rxrpc_local *local) ++{ ++ return atomic_fetch_add_unless(&local->active_users, 1, 0) != 0; ++} ++ + /* + * misc.c + */ +--- a/net/rxrpc/conn_event.c ++++ b/net/rxrpc/conn_event.c +@@ -438,16 +438,12 @@ again: + /* + * connection-level event processor + */ +-void rxrpc_process_connection(struct work_struct *work) ++static void rxrpc_do_process_connection(struct 
rxrpc_connection *conn) + { +- struct rxrpc_connection *conn = +- container_of(work, struct rxrpc_connection, processor); + struct sk_buff *skb; + u32 abort_code = RX_PROTOCOL_ERROR; + int ret; + +- rxrpc_see_connection(conn); +- + if (test_and_clear_bit(RXRPC_CONN_EV_CHALLENGE, &conn->events)) + rxrpc_secure_connection(conn); + +@@ -475,18 +471,32 @@ void rxrpc_process_connection(struct wor + } + } + +-out: +- rxrpc_put_connection(conn); +- _leave(""); + return; + + requeue_and_leave: + skb_queue_head(&conn->rx_queue, skb); +- goto out; ++ return; + + protocol_error: + if (rxrpc_abort_connection(conn, ret, abort_code) < 0) + goto requeue_and_leave; + rxrpc_free_skb(skb, rxrpc_skb_freed); +- goto out; ++ return; ++} ++ ++void rxrpc_process_connection(struct work_struct *work) ++{ ++ struct rxrpc_connection *conn = ++ container_of(work, struct rxrpc_connection, processor); ++ ++ rxrpc_see_connection(conn); ++ ++ if (__rxrpc_use_local(conn->params.local)) { ++ rxrpc_do_process_connection(conn); ++ rxrpc_unuse_local(conn->params.local); ++ } ++ ++ rxrpc_put_connection(conn); ++ _leave(""); ++ return; + } +--- a/net/rxrpc/local_object.c ++++ b/net/rxrpc/local_object.c +@@ -383,14 +383,11 @@ void rxrpc_put_local(struct rxrpc_local + */ + struct rxrpc_local *rxrpc_use_local(struct rxrpc_local *local) + { +- unsigned int au; +- + local = rxrpc_get_local_maybe(local); + if (!local) + return NULL; + +- au = atomic_fetch_add_unless(&local->active_users, 1, 0); +- if (au == 0) { ++ if (!__rxrpc_use_local(local)) { + rxrpc_put_local(local); + return NULL; + } +@@ -404,14 +401,11 @@ struct rxrpc_local *rxrpc_use_local(stru + */ + void rxrpc_unuse_local(struct rxrpc_local *local) + { +- unsigned int au; +- + if (local) { +- au = atomic_dec_return(&local->active_users); +- if (au == 0) ++ if (__rxrpc_unuse_local(local)) { ++ rxrpc_get_local(local); + rxrpc_queue_local(local); +- else +- rxrpc_put_local(local); ++ } + } + } + +@@ -468,7 +462,7 @@ static void 
rxrpc_local_processor(struct + + do { + again = false; +- if (atomic_read(&local->active_users) == 0) { ++ if (!__rxrpc_use_local(local)) { + rxrpc_local_destroyer(local); + break; + } +@@ -482,6 +476,8 @@ static void rxrpc_local_processor(struct + rxrpc_process_local_events(local); + again = true; + } ++ ++ __rxrpc_unuse_local(local); + } while (again); + + rxrpc_put_local(local); +--- a/net/rxrpc/peer_event.c ++++ b/net/rxrpc/peer_event.c +@@ -364,27 +364,31 @@ static void rxrpc_peer_keepalive_dispatc + if (!rxrpc_get_peer_maybe(peer)) + continue; + +- spin_unlock_bh(&rxnet->peer_hash_lock); ++ if (__rxrpc_use_local(peer->local)) { ++ spin_unlock_bh(&rxnet->peer_hash_lock); + +- keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME; +- slot = keepalive_at - base; +- _debug("%02x peer %u t=%d {%pISp}", +- cursor, peer->debug_id, slot, &peer->srx.transport); ++ keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME; ++ slot = keepalive_at - base; ++ _debug("%02x peer %u t=%d {%pISp}", ++ cursor, peer->debug_id, slot, &peer->srx.transport); + +- if (keepalive_at <= base || +- keepalive_at > base + RXRPC_KEEPALIVE_TIME) { +- rxrpc_send_keepalive(peer); +- slot = RXRPC_KEEPALIVE_TIME; +- } ++ if (keepalive_at <= base || ++ keepalive_at > base + RXRPC_KEEPALIVE_TIME) { ++ rxrpc_send_keepalive(peer); ++ slot = RXRPC_KEEPALIVE_TIME; ++ } + +- /* A transmission to this peer occurred since last we examined +- * it so put it into the appropriate future bucket. +- */ +- slot += cursor; +- slot &= mask; +- spin_lock_bh(&rxnet->peer_hash_lock); +- list_add_tail(&peer->keepalive_link, +- &rxnet->peer_keepalive[slot & mask]); ++ /* A transmission to this peer occurred since last we ++ * examined it so put it into the appropriate future ++ * bucket. 
++ */ ++ slot += cursor; ++ slot &= mask; ++ spin_lock_bh(&rxnet->peer_hash_lock); ++ list_add_tail(&peer->keepalive_link, ++ &rxnet->peer_keepalive[slot & mask]); ++ rxrpc_unuse_local(peer->local); ++ } + rxrpc_put_peer_locked(peer); + } + diff --git a/queue-5.4/rxrpc-fix-null-pointer-deref-due-to-call-conn-being-cleared-on-disconnect.patch b/queue-5.4/rxrpc-fix-null-pointer-deref-due-to-call-conn-being-cleared-on-disconnect.patch new file mode 100644 index 00000000000..4e9503220b8 --- /dev/null +++ b/queue-5.4/rxrpc-fix-null-pointer-deref-due-to-call-conn-being-cleared-on-disconnect.patch 
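Review bot: In rxrpc_local_processor() (local_object.c) the result of the closing `__rxrpc_unuse_local(local);` is discarded. If another holder drops its active count through rxrpc_unuse_local() while the processor holds the one it took with `__rxrpc_use_local()`, that caller sees a non-zero count and queues nothing, and the processor's own decrement is then the one that reaches zero; with `again` false the loop exits without rxrpc_local_destroyer() running. Whether that interleaving is reachable depends on code outside the hunk. Acting on the return value, for example `if (__rxrpc_unuse_local(local)) again = true;` so that the next pass takes the destroyer branch, would close it. Only part of the loop body is visible here.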
@@ -0,0 +1,192 @@ +From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT +From: David Howells +Date: Thu, 30 Jan 2020 21:50:36 +0000 +Subject: rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect + +From: David Howells + +[ Upstream commit 5273a191dca65a675dc0bcf3909e59c6933e2831 ] + +When a call is disconnected, the connection pointer from the call is +cleared to make sure it isn't used again and to prevent further attempted +transmission for the call. Unfortunately, there might be a daemon trying +to use it at the same time to transmit a packet. + +Fix this by keeping call->conn set, but setting a flag on the call to +indicate disconnection instead. + +Remove also the bits in the transmission functions where the conn pointer is +checked and a ref taken under spinlock as this is now redundant. + +Fixes: 8d94aa381dab ("rxrpc: Calls shouldn't hold socket refs") +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/ar-internal.h | 1 + + net/rxrpc/call_object.c | 4 ++-- + net/rxrpc/conn_client.c | 3 +-- + net/rxrpc/conn_object.c | 4 ++-- + net/rxrpc/output.c | 27 +++++++++------------------ + 5 files changed, 15 insertions(+), 24 deletions(-) + +--- a/net/rxrpc/ar-internal.h ++++ b/net/rxrpc/ar-internal.h +@@ -490,6 +490,7 @@ enum rxrpc_call_flag { + RXRPC_CALL_RX_HEARD, /* The peer responded at least once to this call */ + RXRPC_CALL_RX_UNDERRUN, /* Got data underrun */ + RXRPC_CALL_IS_INTR, /* The call is interruptible */ ++ RXRPC_CALL_DISCONNECTED, /* The call has been disconnected */ + }; + + /* +--- a/net/rxrpc/call_object.c ++++ b/net/rxrpc/call_object.c +@@ -493,7 +493,7 @@ void rxrpc_release_call(struct rxrpc_soc + + _debug("RELEASE CALL %p (%d CONN %p)", call, call->debug_id, conn); + +- if (conn) ++ if (conn && !test_bit(RXRPC_CALL_DISCONNECTED, &call->flags)) + rxrpc_disconnect_call(call); + if (call->security) + call->security->free_call_crypto(call); +@@ -569,6 +569,7 @@ static void rxrpc_rcu_destroy_call(struc + 
struct rxrpc_call *call = container_of(rcu, struct rxrpc_call, rcu); + struct rxrpc_net *rxnet = call->rxnet; + ++ rxrpc_put_connection(call->conn); + rxrpc_put_peer(call->peer); + kfree(call->rxtx_buffer); + kfree(call->rxtx_annotations); +@@ -590,7 +591,6 @@ void rxrpc_cleanup_call(struct rxrpc_cal + + ASSERTCMP(call->state, ==, RXRPC_CALL_COMPLETE); + ASSERT(test_bit(RXRPC_CALL_RELEASED, &call->flags)); +- ASSERTCMP(call->conn, ==, NULL); + + rxrpc_cleanup_ring(call); + rxrpc_free_skb(call->tx_pending, rxrpc_skb_cleaned); +--- a/net/rxrpc/conn_client.c ++++ b/net/rxrpc/conn_client.c +@@ -785,6 +785,7 @@ void rxrpc_disconnect_client_call(struct + u32 cid; + + spin_lock(&conn->channel_lock); ++ set_bit(RXRPC_CALL_DISCONNECTED, &call->flags); + + cid = call->cid; + if (cid) { +@@ -792,7 +793,6 @@ void rxrpc_disconnect_client_call(struct + chan = &conn->channels[channel]; + } + trace_rxrpc_client(conn, channel, rxrpc_client_chan_disconnect); +- call->conn = NULL; + + /* Calls that have never actually been assigned a channel can simply be + * discarded. If the conn didn't get used either, it will follow +@@ -908,7 +908,6 @@ out: + spin_unlock(&rxnet->client_conn_cache_lock); + out_2: + spin_unlock(&conn->channel_lock); +- rxrpc_put_connection(conn); + _leave(""); + return; + +--- a/net/rxrpc/conn_object.c ++++ b/net/rxrpc/conn_object.c +@@ -171,6 +171,8 @@ void __rxrpc_disconnect_call(struct rxrp + + _enter("%d,%x", conn->debug_id, call->cid); + ++ set_bit(RXRPC_CALL_DISCONNECTED, &call->flags); ++ + if (rcu_access_pointer(chan->call) == call) { + /* Save the result of the call so that we can repeat it if necessary + * through the channel, whilst disposing of the actual call record. 
+@@ -223,9 +225,7 @@ void rxrpc_disconnect_call(struct rxrpc_ + __rxrpc_disconnect_call(conn, call); + spin_unlock(&conn->channel_lock); + +- call->conn = NULL; + conn->idle_timestamp = jiffies; +- rxrpc_put_connection(conn); + } + + /* +--- a/net/rxrpc/output.c ++++ b/net/rxrpc/output.c +@@ -129,7 +129,7 @@ static size_t rxrpc_fill_out_ack(struct + int rxrpc_send_ack_packet(struct rxrpc_call *call, bool ping, + rxrpc_serial_t *_serial) + { +- struct rxrpc_connection *conn = NULL; ++ struct rxrpc_connection *conn; + struct rxrpc_ack_buffer *pkt; + struct msghdr msg; + struct kvec iov[2]; +@@ -139,18 +139,14 @@ int rxrpc_send_ack_packet(struct rxrpc_c + int ret; + u8 reason; + +- spin_lock_bh(&call->lock); +- if (call->conn) +- conn = rxrpc_get_connection_maybe(call->conn); +- spin_unlock_bh(&call->lock); +- if (!conn) ++ if (test_bit(RXRPC_CALL_DISCONNECTED, &call->flags)) + return -ECONNRESET; + + pkt = kzalloc(sizeof(*pkt), GFP_KERNEL); +- if (!pkt) { +- rxrpc_put_connection(conn); ++ if (!pkt) + return -ENOMEM; +- } ++ ++ conn = call->conn; + + msg.msg_name = &call->peer->srx.transport; + msg.msg_namelen = call->peer->srx.transport_len; +@@ -244,7 +240,6 @@ int rxrpc_send_ack_packet(struct rxrpc_c + } + + out: +- rxrpc_put_connection(conn); + kfree(pkt); + return ret; + } +@@ -254,7 +249,7 @@ out: + */ + int rxrpc_send_abort_packet(struct rxrpc_call *call) + { +- struct rxrpc_connection *conn = NULL; ++ struct rxrpc_connection *conn; + struct rxrpc_abort_buffer pkt; + struct msghdr msg; + struct kvec iov[1]; +@@ -271,13 +266,11 @@ int rxrpc_send_abort_packet(struct rxrpc + test_bit(RXRPC_CALL_TX_LAST, &call->flags)) + return 0; + +- spin_lock_bh(&call->lock); +- if (call->conn) +- conn = rxrpc_get_connection_maybe(call->conn); +- spin_unlock_bh(&call->lock); +- if (!conn) ++ if (test_bit(RXRPC_CALL_DISCONNECTED, &call->flags)) + return -ECONNRESET; + ++ conn = call->conn; ++ + msg.msg_name = &call->peer->srx.transport; + msg.msg_namelen = 
call->peer->srx.transport_len; + msg.msg_control = NULL; +@@ -312,8 +305,6 @@ int rxrpc_send_abort_packet(struct rxrpc + trace_rxrpc_tx_packet(call->debug_id, &pkt.whdr, + rxrpc_tx_point_call_abort); + rxrpc_tx_backoff(call, ret); +- +- rxrpc_put_connection(conn); + return ret; + } + diff --git a/queue-5.4/rxrpc-fix-use-after-free-in-rxrpc_put_local.patch b/queue-5.4/rxrpc-fix-use-after-free-in-rxrpc_put_local.patch new file mode 100644 index 00000000000..802ed4bb474 --- /dev/null +++ b/queue-5.4/rxrpc-fix-use-after-free-in-rxrpc_put_local.patch @@ -0,0 +1,38 @@ +From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT +From: David Howells +Date: Thu, 30 Jan 2020 21:50:35 +0000 +Subject: rxrpc: Fix use-after-free in rxrpc_put_local() + +From: David Howells + +[ Upstream commit fac20b9e738523fc884ee3ea5be360a321cd8bad ] + +Fix rxrpc_put_local() to not access local->debug_id after calling +atomic_dec_return() as, unless that returned n==0, we no longer have the +right to access the object. + +Fixes: 06d9532fa6b3 ("rxrpc: Fix read-after-free in rxrpc_queue_local()") +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/local_object.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/rxrpc/local_object.c ++++ b/net/rxrpc/local_object.c +@@ -364,11 +364,14 @@ void rxrpc_queue_local(struct rxrpc_loca + void rxrpc_put_local(struct rxrpc_local *local) + { + const void *here = __builtin_return_address(0); ++ unsigned int debug_id; + int n; + + if (local) { ++ debug_id = local->debug_id; ++ + n = atomic_dec_return(&local->usage); +- trace_rxrpc_local(local->debug_id, rxrpc_local_put, n, here); ++ trace_rxrpc_local(debug_id, rxrpc_local_put, n, here); + + if (n == 0) + call_rcu(&local->rcu, rxrpc_local_rcu); diff --git a/queue-5.4/series b/queue-5.4/series index eaceec762fd..7a496813458 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
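Review bot: rxrpc_rcu_destroy_call() in call_object.c now performs the final `rxrpc_put_connection(call->conn);`, and it is reached via `container_of(rcu, ...)`, i.e. from an RCU callback, which normally runs in softirq context. The conn_client.c hunks show the connection code taking plain `spin_lock(&conn->channel_lock)` and `client_conn_cache_lock`; if dropping the last reference can reach locks like these (the put path is outside the hunks), a softirq-side put could deadlock against a process-context holder. Either confirm the put path is BH-safe or defer the put to process context, for example from a work item. Separately, rxrpc_send_ack_packet() and rxrpc_send_abort_packet() now read `conn = call->conn;` after testing only RXRPC_CALL_DISCONNECTED, so a call whose conn was never set is no longer rejected the way the removed `if (!conn)` did; it is worth confirming that neither can run before the call is connected.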
@@ -1 +1,21 @@
 sparc32-fix-struct-ipc64_perm-type-definition.patch
+bnxt_en-move-devlink_register-before-registering-netdev.patch
+cls_rsvp-fix-rsvp_policy.patch
+gtp-use-__gfp_nowarn-to-avoid-memalloc-warning.patch
+l2tp-allow-duplicate-session-creation-with-udp.patch
+net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch
+net_sched-fix-an-oob-access-in-cls_tcindex.patch
+net-stmmac-delete-txtimer-in-suspend.patch
+bnxt_en-fix-tc-queue-mapping.patch
+rxrpc-fix-use-after-free-in-rxrpc_put_local.patch
+rxrpc-fix-insufficient-receive-notification-generation.patch
+rxrpc-fix-missing-active-use-pinning-of-rxrpc_local-object.patch
+rxrpc-fix-null-pointer-deref-due-to-call-conn-being-cleared-on-disconnect.patch
+tcp-clear-tp-total_retrans-in-tcp_disconnect.patch
+tcp-clear-tp-delivered-in-tcp_disconnect.patch
+tcp-clear-tp-data_segs-in-out-in-tcp_disconnect.patch
+tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch
+ionic-fix-rxq-comp-packet-type-mask.patch
+maintainers-correct-entries-for-isdn-misdn-section.patch
+netdevsim-fix-stack-out-of-bounds-in-nsim_dev_debugfs_init.patch
+bnxt_en-fix-logic-that-disables-bus-master-during-firmware-reset.patch
diff --git a/queue-5.4/tcp-clear-tp-data_segs-in-out-in-tcp_disconnect.patch b/queue-5.4/tcp-clear-tp-data_segs-in-out-in-tcp_disconnect.patch
new file mode 100644
index 00000000000..81f9b59f3f9
--- /dev/null
+++ b/queue-5.4/tcp-clear-tp-data_segs-in-out-in-tcp_disconnect.patch
@@ -0,0 +1,37 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Eric Dumazet
+Date: Fri, 31 Jan 2020 10:32:41 -0800
+Subject: tcp: clear tp->data_segs{in|out} in tcp_disconnect()
+
+From: Eric Dumazet
+
+[ Upstream commit db7ffee6f3eb3683cdcaeddecc0a630a14546fe3 ]
+
+tp->data_segs_in and tp->data_segs_out need to be cleared
+in tcp_disconnect().
+
+tcp_disconnect() is rarely used, but it is worth fixing it.
+
+Fixes: a44d6eacdaf5 ("tcp: Add RFC4898 tcpEStatsPerfDataSegsOut/In")
+Signed-off-by: Eric Dumazet
+Cc: Martin KaFai Lau
+Cc: Yuchung Cheng
+Cc: Neal Cardwell
+Acked-by: Neal Cardwell
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2639,6 +2639,8 @@ int tcp_disconnect(struct sock *sk, int
+ tp->bytes_acked = 0;
+ tp->bytes_received = 0;
+ tp->bytes_retrans = 0;
++ tp->data_segs_in = 0;
++ tp->data_segs_out = 0;
+ tp->duplicate_sack[0].start_seq = 0;
+ tp->duplicate_sack[0].end_seq = 0;
+ tp->dsack_dups = 0;
diff --git a/queue-5.4/tcp-clear-tp-delivered-in-tcp_disconnect.patch b/queue-5.4/tcp-clear-tp-delivered-in-tcp_disconnect.patch
new file mode 100644
index 00000000000..5f6088c6e2d
--- /dev/null
+++ b/queue-5.4/tcp-clear-tp-delivered-in-tcp_disconnect.patch
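Review bot: The field-by-field reset list in tcp_disconnect() has no visible cross-check against the counters in struct tcp_sock: this hunk and the three that follow (tp->delivered, tp->segs_in/segs_out, tp->total_retrans) each add a reset that was missed when the field was introduced. Until a counter is cleared, a reused socket presumably reports the previous connection's value to whoever reads it. A comment at the top of the reset block, for example `/* Every per-connection counter in struct tcp_sock must be reset here. */`, or a matching note beside the struct fields, would give the next added counter a better chance of being reset. tcp_disconnect() starts and ends outside the hunk.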
@@ -0,0 +1,36 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Eric Dumazet
+Date: Fri, 31 Jan 2020 10:22:47 -0800
+Subject: tcp: clear tp->delivered in tcp_disconnect()
+
+From: Eric Dumazet
+
+[ Upstream commit 2fbdd56251b5c62f96589f39eded277260de7267 ]
+
+tp->delivered needs to be cleared in tcp_disconnect().
+
+tcp_disconnect() is rarely used, but it is worth fixing it.
+
+Fixes: ddf1af6fa00e ("tcp: new delivery accounting")
+Signed-off-by: Eric Dumazet
+Cc: Yuchung Cheng
+Cc: Neal Cardwell
+Acked-by: Yuchung Cheng
+Acked-by: Neal Cardwell
+Acked-by: Soheil Hassas Yeganeh
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2618,6 +2618,7 @@ int tcp_disconnect(struct sock *sk, int
+ tp->snd_cwnd = TCP_INIT_CWND;
+ tp->snd_cwnd_cnt = 0;
+ tp->window_clamp = 0;
++ tp->delivered = 0;
+ tp->delivered_ce = 0;
+ tcp_set_ca_state(sk, TCP_CA_Open);
+ tp->is_sack_reneg = 0;
diff --git a/queue-5.4/tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch b/queue-5.4/tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch
new file mode 100644
index 00000000000..11d08c36b86
--- /dev/null
+++ b/queue-5.4/tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch
@@ -0,0 +1,36 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Eric Dumazet
+Date: Fri, 31 Jan 2020 10:44:50 -0800
+Subject: tcp: clear tp->segs_{in|out} in tcp_disconnect()
+
+From: Eric Dumazet
+
+[ Upstream commit 784f8344de750a41344f4bbbebb8507a730fc99c ]
+
+tp->segs_in and tp->segs_out need to be cleared in tcp_disconnect().
+
+tcp_disconnect() is rarely used, but it is worth fixing it.
+
+Fixes: 2efd055c53c0 ("tcp: add tcpi_segs_in and tcpi_segs_out to tcp_info")
+Signed-off-by: Eric Dumazet
+Cc: Marcelo Ricardo Leitner
+Cc: Yuchung Cheng
+Cc: Neal Cardwell
+Acked-by: Neal Cardwell
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2635,6 +2635,8 @@ int tcp_disconnect(struct sock *sk, int
+ sk->sk_rx_dst = NULL;
+ tcp_saved_syn_free(tp);
+ tp->compressed_ack = 0;
++ tp->segs_in = 0;
++ tp->segs_out = 0;
+ tp->bytes_sent = 0;
+ tp->bytes_acked = 0;
+ tp->bytes_received = 0;
diff --git a/queue-5.4/tcp-clear-tp-total_retrans-in-tcp_disconnect.patch b/queue-5.4/tcp-clear-tp-total_retrans-in-tcp_disconnect.patch
new file mode 100644
index 00000000000..a2cc354388e
--- /dev/null
+++ b/queue-5.4/tcp-clear-tp-total_retrans-in-tcp_disconnect.patch
@@ -0,0 +1,32 @@
+From foo@baz Thu 06 Feb 2020 06:52:14 AM GMT
+From: Eric Dumazet
+Date: Fri, 31 Jan 2020 09:14:47 -0800
+Subject: tcp: clear tp->total_retrans in tcp_disconnect()
+
+From: Eric Dumazet
+
+[ Upstream commit c13c48c00a6bc1febc73902505bdec0967bd7095 ]
+
+total_retrans needs to be cleared in tcp_disconnect().
+
+tcp_disconnect() is rarely used, but it is worth fixing it.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Cc: SeongJae Park
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2622,6 +2622,7 @@ int tcp_disconnect(struct sock *sk, int
+ tcp_set_ca_state(sk, TCP_CA_Open);
+ tp->is_sack_reneg = 0;
+ tcp_clear_retrans(tp);
++ tp->total_retrans = 0;
+ inet_csk_delack_init(sk);
+ /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
+ * issue in __tcp_select_window()