From 4865634d292121d787c5c22ef7ff076c2e807203 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 21 Jan 2020 16:27:12 +0100 Subject: [PATCH] 5.4-stable patches added patches: bnxt_en-do-not-treat-dsn-digital-serial-number-read-failure-as-fatal.patch bnxt_en-fix-ipv6-rfs-filter-matching-logic.patch bnxt_en-fix-ntuple-firmware-command-failures.patch hv_netvsc-fix-memory-leak-when-removing-rndis-device.patch i40e-prevent-memory-leak-in-i40e_setup_macvlans.patch net-avoid-updating-qdisc_xmit_lock_key-in-netdev_update_lockdep_key.patch net-dsa-bcm_sf2-configure-imp-port-for-2gb-sec.patch net-dsa-sja1105-don-t-error-out-on-disabled-ports-with-no-phy-mode.patch net-dsa-tag_gswip-fix-typo-in-tagger-name.patch net-dsa-tag_qca-fix-doubled-tx-statistics.patch net-ethernet-ave-avoid-lockdep-warning.patch net-hns-fix-soft-lockup-when-there-is-not-enough-memory.patch net-hns3-pad-the-short-frame-before-sending-to-the-hardware.patch net-phy-dp83867-set-force_link_good-to-default-after-reset.patch net-sched-act_ctinfo-fix-memory-leak.patch net-sched-act_ife-initalize-ife-metalist-earlier.patch net-systemport-fixed-queue-mapping-in-internal-ring-map.patch net-usb-lan78xx-limit-size-of-local-tso-packets.patch net-wan-fsl_ucc_hdlc-fix-out-of-bounds-write-on-array-utdm_info.patch ptp-free-ptp-device-pin-descriptors-properly.patch r8152-add-missing-endpoint-sanity-check.patch tcp-fix-marked-lost-packets-not-being-retransmitted.patch wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch wimax-i2400-fix-memory-leak.patch --- ...-serial-number-read-failure-as-fatal.patch | 78 +++++++++++++++ ...n-fix-ipv6-rfs-filter-matching-logic.patch | 52 ++++++++++ ...fix-ntuple-firmware-command-failures.patch | 34 +++++++ ...mory-leak-when-removing-rndis-device.patch | 61 ++++++++++++ ...t-memory-leak-in-i40e_setup_macvlans.patch | 30 ++++++ ...ock_key-in-netdev_update_lockdep_key.patch | 65 +++++++++++++ ...m_sf2-configure-imp-port-for-2gb-sec.patch | 34 +++++++ ...t-on-disabled-ports-with-no-phy-mode.patch | 34 +++++++ ...sa-tag_gswip-fix-typo-in-tagger-name.patch | 35 +++++++ ...sa-tag_qca-fix-doubled-tx-statistics.patch | 37 ++++++++ ...t-ethernet-ave-avoid-lockdep-warning.patch | 78 +++++++++++++++ ...ckup-when-there-is-not-enough-memory.patch | 57 +++++++++++ ...frame-before-sending-to-the-hardware.patch | 47 ++++++++++ ...rce_link_good-to-default-after-reset.patch | 46 +++++++++ ...net-sched-act_ctinfo-fix-memory-leak.patch | 84 +++++++++++++++++ ...t_ife-initalize-ife-metalist-earlier.patch | 94 +++++++++++++++++++ ...d-queue-mapping-in-internal-ring-map.patch | 64 +++++++++++++ ...78xx-limit-size-of-local-tso-packets.patch | 46 +++++++++ ...t-of-bounds-write-on-array-utdm_info.patch | 35 +++++++ ...-ptp-device-pin-descriptors-properly.patch | 51 ++++++++++ ...52-add-missing-endpoint-sanity-check.patch | 35 +++++++ queue-5.4/series | 24 +++++ ...lost-packets-not-being-retransmitted.patch | 83 ++++++++++++++++ ...y-leak-in-i2400m_op_rfkill_sw_toggle.patch | 33 +++++++ queue-5.4/wimax-i2400-fix-memory-leak.patch | 29 ++++++ 25 files changed, 1266 insertions(+) create mode 100644 queue-5.4/bnxt_en-do-not-treat-dsn-digital-serial-number-read-failure-as-fatal.patch create mode 100644 queue-5.4/bnxt_en-fix-ipv6-rfs-filter-matching-logic.patch create mode 100644 queue-5.4/bnxt_en-fix-ntuple-firmware-command-failures.patch create mode 100644 queue-5.4/hv_netvsc-fix-memory-leak-when-removing-rndis-device.patch create mode 100644 queue-5.4/i40e-prevent-memory-leak-in-i40e_setup_macvlans.patch create mode 100644 queue-5.4/net-avoid-updating-qdisc_xmit_lock_key-in-netdev_update_lockdep_key.patch create mode 100644 queue-5.4/net-dsa-bcm_sf2-configure-imp-port-for-2gb-sec.patch create mode 100644 queue-5.4/net-dsa-sja1105-don-t-error-out-on-disabled-ports-with-no-phy-mode.patch create mode 100644 queue-5.4/net-dsa-tag_gswip-fix-typo-in-tagger-name.patch create mode 100644 queue-5.4/net-dsa-tag_qca-fix-doubled-tx-statistics.patch create mode 100644 queue-5.4/net-ethernet-ave-avoid-lockdep-warning.patch create mode 100644 queue-5.4/net-hns-fix-soft-lockup-when-there-is-not-enough-memory.patch create mode 100644 queue-5.4/net-hns3-pad-the-short-frame-before-sending-to-the-hardware.patch create mode 100644 queue-5.4/net-phy-dp83867-set-force_link_good-to-default-after-reset.patch create mode 100644 queue-5.4/net-sched-act_ctinfo-fix-memory-leak.patch create mode 100644 queue-5.4/net-sched-act_ife-initalize-ife-metalist-earlier.patch create mode 100644 queue-5.4/net-systemport-fixed-queue-mapping-in-internal-ring-map.patch create mode 100644 queue-5.4/net-usb-lan78xx-limit-size-of-local-tso-packets.patch create mode 100644 queue-5.4/net-wan-fsl_ucc_hdlc-fix-out-of-bounds-write-on-array-utdm_info.patch create mode 100644 queue-5.4/ptp-free-ptp-device-pin-descriptors-properly.patch create mode 100644 queue-5.4/r8152-add-missing-endpoint-sanity-check.patch create mode 100644 queue-5.4/tcp-fix-marked-lost-packets-not-being-retransmitted.patch create mode 100644 queue-5.4/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch create mode 100644 queue-5.4/wimax-i2400-fix-memory-leak.patch diff --git a/queue-5.4/bnxt_en-do-not-treat-dsn-digital-serial-number-read-failure-as-fatal.patch b/queue-5.4/bnxt_en-do-not-treat-dsn-digital-serial-number-read-failure-as-fatal.patch new file mode 100644 index 00000000000..6426c6f3695 --- /dev/null +++ b/queue-5.4/bnxt_en-do-not-treat-dsn-digital-serial-number-read-failure-as-fatal.patch @@ -0,0 +1,78 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Michael Chan +Date: Fri, 17 Jan 2020 00:32:47 -0500 +Subject: bnxt_en: Do not treat DSN (Digital Serial Number) read failure as fatal. + +From: Michael Chan + +[ Upstream commit d061b2411d5f3d6272187ab734ce0640827fca13 ] + +DSN read can fail, for example on a kdump kernel without PCIe extended +config space support. If DSN read fails, don't set the +BNXT_FLAG_DSN_VALID flag and continue loading. Check the flag +to see if the stored DSN is valid before using it. Only VF reps +creation should fail without valid DSN. + +Fixes: 03213a996531 ("bnxt: move bp->switch_id initialization to PF probe") +Reported-by: Marc Smith +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 7 +++---- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 + + drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c | 3 +++ + 3 files changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -11299,7 +11299,7 @@ int bnxt_get_port_parent_id(struct net_d + return -EOPNOTSUPP; + + /* The PF and it's VF-reps only support the switchdev framework */ +- if (!BNXT_PF(bp)) ++ if (!BNXT_PF(bp) || !(bp->flags & BNXT_FLAG_DSN_VALID)) + return -EOPNOTSUPP; + + ppid->id_len = sizeof(bp->switch_id); +@@ -11691,6 +11691,7 @@ static int bnxt_pcie_dsn_get(struct bnxt + put_unaligned_le32(dw, &dsn[0]); + pci_read_config_dword(pdev, pos + 4, &dw); + put_unaligned_le32(dw, &dsn[4]); ++ bp->flags |= BNXT_FLAG_DSN_VALID; + return 0; + } + +@@ -11802,9 +11803,7 @@ static int bnxt_init_one(struct pci_dev + + if (BNXT_PF(bp)) { + /* Read the adapter's DSN to use as the eswitch switch_id */ +- rc = bnxt_pcie_dsn_get(bp, bp->switch_id); +- if (rc) +- goto init_err_pci_clean; ++ bnxt_pcie_dsn_get(bp, bp->switch_id); + } + + /* MTU range: 60 - FW defined max */ +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -1510,6 +1510,7 @@ struct bnxt { + #define BNXT_FLAG_NO_AGG_RINGS 0x20000 + #define BNXT_FLAG_RX_PAGE_MODE 0x40000 + #define BNXT_FLAG_MULTI_HOST 0x100000 ++ #define BNXT_FLAG_DSN_VALID 0x200000 + #define BNXT_FLAG_DOUBLE_DB 0x400000 + #define BNXT_FLAG_CHIP_NITRO_A0 0x1000000 + #define BNXT_FLAG_DIM 0x2000000 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c +@@ -398,6 +398,9 @@ static int bnxt_vf_reps_create(struct bn + struct net_device *dev; + int rc, i; + ++ if (!(bp->flags & BNXT_FLAG_DSN_VALID)) ++ return -ENODEV; ++ + bp->vf_reps = kcalloc(num_vfs, sizeof(vf_rep), GFP_KERNEL); + if (!bp->vf_reps) + return -ENOMEM; diff --git a/queue-5.4/bnxt_en-fix-ipv6-rfs-filter-matching-logic.patch b/queue-5.4/bnxt_en-fix-ipv6-rfs-filter-matching-logic.patch new file mode 100644 index 00000000000..7fbf4d5aa47 --- /dev/null +++ b/queue-5.4/bnxt_en-fix-ipv6-rfs-filter-matching-logic.patch @@ -0,0 +1,52 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Michael Chan +Date: Fri, 17 Jan 2020 00:32:46 -0500 +Subject: bnxt_en: Fix ipv6 RFS filter matching logic. + +From: Michael Chan + +[ Upstream commit 6fc7caa84e713f7627e171ab1e7c4b5be0dc9b3d ] + +Fix bnxt_fltr_match() to match ipv6 source and destination addresses. +The function currently only checks ipv4 addresses and will not work +corrently on ipv6 filters. + +Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -10991,11 +10991,23 @@ static bool bnxt_fltr_match(struct bnxt_ + struct flow_keys *keys1 = &f1->fkeys; + struct flow_keys *keys2 = &f2->fkeys; + +- if (keys1->addrs.v4addrs.src == keys2->addrs.v4addrs.src && +- keys1->addrs.v4addrs.dst == keys2->addrs.v4addrs.dst && +- keys1->ports.ports == keys2->ports.ports && +- keys1->basic.ip_proto == keys2->basic.ip_proto && +- keys1->basic.n_proto == keys2->basic.n_proto && ++ if (keys1->basic.n_proto != keys2->basic.n_proto || ++ keys1->basic.ip_proto != keys2->basic.ip_proto) ++ return false; ++ ++ if (keys1->basic.n_proto == htons(ETH_P_IP)) { ++ if (keys1->addrs.v4addrs.src != keys2->addrs.v4addrs.src || ++ keys1->addrs.v4addrs.dst != keys2->addrs.v4addrs.dst) ++ return false; ++ } else { ++ if (memcmp(&keys1->addrs.v6addrs.src, &keys2->addrs.v6addrs.src, ++ sizeof(keys1->addrs.v6addrs.src)) || ++ memcmp(&keys1->addrs.v6addrs.dst, &keys2->addrs.v6addrs.dst, ++ sizeof(keys1->addrs.v6addrs.dst))) ++ return false; ++ } ++ ++ if (keys1->ports.ports == keys2->ports.ports && + keys1->control.flags == keys2->control.flags && + ether_addr_equal(f1->src_mac_addr, f2->src_mac_addr) && + ether_addr_equal(f1->dst_mac_addr, f2->dst_mac_addr)) diff --git a/queue-5.4/bnxt_en-fix-ntuple-firmware-command-failures.patch b/queue-5.4/bnxt_en-fix-ntuple-firmware-command-failures.patch new file mode 100644 index 00000000000..f54c783e1ec --- /dev/null +++ b/queue-5.4/bnxt_en-fix-ntuple-firmware-command-failures.patch @@ -0,0 +1,34 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Michael Chan +Date: Fri, 17 Jan 2020 00:32:45 -0500 +Subject: bnxt_en: Fix NTUPLE firmware command failures. + +From: Michael Chan + +[ Upstream commit ceb3284c588eee5ea256c70e4d8d7cf399b8134e ] + +The NTUPLE related firmware commands are sent to the wrong firmware +channel, causing all these commands to fail on new firmware that +supports the new firmware channel. Fix it by excluding the 3 +NTUPLE firmware commands from the list for the new firmware channel. + +Fixes: 760b6d33410c ("bnxt_en: Add support for 2nd firmware message channel.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.h | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h +@@ -1904,9 +1904,6 @@ static inline bool bnxt_cfa_hwrm_message + case HWRM_CFA_ENCAP_RECORD_FREE: + case HWRM_CFA_DECAP_FILTER_ALLOC: + case HWRM_CFA_DECAP_FILTER_FREE: +- case HWRM_CFA_NTUPLE_FILTER_ALLOC: +- case HWRM_CFA_NTUPLE_FILTER_FREE: +- case HWRM_CFA_NTUPLE_FILTER_CFG: + case HWRM_CFA_EM_FLOW_ALLOC: + case HWRM_CFA_EM_FLOW_FREE: + case HWRM_CFA_EM_FLOW_CFG: diff --git a/queue-5.4/hv_netvsc-fix-memory-leak-when-removing-rndis-device.patch b/queue-5.4/hv_netvsc-fix-memory-leak-when-removing-rndis-device.patch new file mode 100644 index 00000000000..114636d1743 --- /dev/null +++ b/queue-5.4/hv_netvsc-fix-memory-leak-when-removing-rndis-device.patch @@ -0,0 +1,61 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Mohammed Gamal +Date: Tue, 14 Jan 2020 15:09:50 +0200 +Subject: hv_netvsc: Fix memory leak when removing rndis device + +From: Mohammed Gamal + +[ Upstream commit 536dc5df2808efbefc5acee334d3c4f701790ec0 ] + +kmemleak detects the following memory leak when hot removing +a network device: + +unreferenced object 0xffff888083f63600 (size 256): + comm "kworker/0:1", pid 12, jiffies 4294831717 (age 1113.676s) + hex dump (first 32 bytes): + 00 40 c7 33 80 88 ff ff 00 00 00 00 10 00 00 00 .@.3............ + 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... + backtrace: + [<00000000d4a8f5be>] rndis_filter_device_add+0x117/0x11c0 [hv_netvsc] + [<000000009c02d75b>] netvsc_probe+0x5e7/0xbf0 [hv_netvsc] + [<00000000ddafce23>] vmbus_probe+0x74/0x170 [hv_vmbus] + [<00000000046e64f1>] really_probe+0x22f/0xb50 + [<000000005cc35eb7>] driver_probe_device+0x25e/0x370 + [<0000000043c642b2>] bus_for_each_drv+0x11f/0x1b0 + [<000000005e3d09f0>] __device_attach+0x1c6/0x2f0 + [<00000000a72c362f>] bus_probe_device+0x1a6/0x260 + [<0000000008478399>] device_add+0x10a3/0x18e0 + [<00000000cf07b48c>] vmbus_device_register+0xe7/0x1e0 [hv_vmbus] + [<00000000d46cf032>] vmbus_add_channel_work+0x8ab/0x1770 [hv_vmbus] + [<000000002c94bb64>] process_one_work+0x919/0x17d0 + [<0000000096de6781>] worker_thread+0x87/0xb40 + [<00000000fbe7397e>] kthread+0x333/0x3f0 + [<000000004f844269>] ret_from_fork+0x3a/0x50 + +rndis_filter_device_add() allocates an instance of struct rndis_device +which never gets deallocated as rndis_filter_device_remove() sets +net_device->extension which points to the rndis_device struct to NULL, +leaving the rndis_device dangling. + +Since net_device->extension is eventually freed in free_netvsc_device(), +we refrain from setting it to NULL inside rndis_filter_device_remove() + +Signed-off-by: Mohammed Gamal +Reviewed-by: Haiyang Zhang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/rndis_filter.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/hyperv/rndis_filter.c ++++ b/drivers/net/hyperv/rndis_filter.c +@@ -1436,8 +1436,6 @@ void rndis_filter_device_remove(struct h + /* Halt and release the rndis device */ + rndis_filter_halt_device(net_dev, rndis_dev); + +- net_dev->extension = NULL; +- + netvsc_device_remove(dev); + } + diff --git a/queue-5.4/i40e-prevent-memory-leak-in-i40e_setup_macvlans.patch b/queue-5.4/i40e-prevent-memory-leak-in-i40e_setup_macvlans.patch new file mode 100644 index 00000000000..25cdcb2cc7e --- /dev/null +++ b/queue-5.4/i40e-prevent-memory-leak-in-i40e_setup_macvlans.patch @@ -0,0 +1,30 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Navid Emamdoost +Date: Wed, 25 Sep 2019 10:48:30 -0500 +Subject: i40e: prevent memory leak in i40e_setup_macvlans + +From: Navid Emamdoost + +[ Upstream commit 27d461333459d282ffa4a2bdb6b215a59d493a8f ] + +In i40e_setup_macvlans if i40e_setup_channel fails the allocated memory +for ch should be released. + +Signed-off-by: Navid Emamdoost +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -7168,6 +7168,7 @@ static int i40e_setup_macvlans(struct i4 + ch->num_queue_pairs = qcnt; + if (!i40e_setup_channel(pf, vsi, ch)) { + ret = -EINVAL; ++ kfree(ch); + goto err_free; + } + ch->parent_vsi = vsi; diff --git a/queue-5.4/net-avoid-updating-qdisc_xmit_lock_key-in-netdev_update_lockdep_key.patch b/queue-5.4/net-avoid-updating-qdisc_xmit_lock_key-in-netdev_update_lockdep_key.patch new file mode 100644 index 00000000000..76ef52eb4e8 --- /dev/null +++ b/queue-5.4/net-avoid-updating-qdisc_xmit_lock_key-in-netdev_update_lockdep_key.patch @@ -0,0 +1,65 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Cong Wang +Date: Wed, 15 Jan 2020 13:02:38 -0800 +Subject: net: avoid updating qdisc_xmit_lock_key in netdev_update_lockdep_key() + +From: Cong Wang + +[ Upstream commit 53d374979ef147ab51f5d632dfe20b14aebeccd0 ] + +syzbot reported some bogus lockdep warnings, for example bad unlock +balance in sch_direct_xmit(). They are due to a race condition between +slow path and fast path, that is qdisc_xmit_lock_key gets re-registered +in netdev_update_lockdep_key() on slow path, while we could still +acquire the queue->_xmit_lock on fast path in this small window: + +CPU A CPU B + __netif_tx_lock(); +lockdep_unregister_key(qdisc_xmit_lock_key); + __netif_tx_unlock(); +lockdep_register_key(qdisc_xmit_lock_key); + +In fact, unlike the addr_list_lock which has to be reordered when +the master/slave device relationship changes, queue->_xmit_lock is +only acquired on fast path and only when NETIF_F_LLTX is not set, +so there is likely no nested locking for it. + +Therefore, we can just get rid of re-registration of +qdisc_xmit_lock_key. + +Reported-by: syzbot+4ec99438ed7450da6272@syzkaller.appspotmail.com +Fixes: ab92d68fc22f ("net: core: add generic lockdep keys") +Cc: Taehee Yoo +Signed-off-by: Cong Wang +Acked-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 12 ------------ + 1 file changed, 12 deletions(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -8953,22 +8953,10 @@ static void netdev_unregister_lockdep_ke + + void netdev_update_lockdep_key(struct net_device *dev) + { +- struct netdev_queue *queue; +- int i; +- +- lockdep_unregister_key(&dev->qdisc_xmit_lock_key); + lockdep_unregister_key(&dev->addr_list_lock_key); +- +- lockdep_register_key(&dev->qdisc_xmit_lock_key); + lockdep_register_key(&dev->addr_list_lock_key); + + lockdep_set_class(&dev->addr_list_lock, &dev->addr_list_lock_key); +- for (i = 0; i < dev->num_tx_queues; i++) { +- queue = netdev_get_tx_queue(dev, i); +- +- lockdep_set_class(&queue->_xmit_lock, +- &dev->qdisc_xmit_lock_key); +- } + } + EXPORT_SYMBOL(netdev_update_lockdep_key); + diff --git a/queue-5.4/net-dsa-bcm_sf2-configure-imp-port-for-2gb-sec.patch b/queue-5.4/net-dsa-bcm_sf2-configure-imp-port-for-2gb-sec.patch new file mode 100644 index 00000000000..9f4cb98c8b9 --- /dev/null +++ b/queue-5.4/net-dsa-bcm_sf2-configure-imp-port-for-2gb-sec.patch @@ -0,0 +1,34 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Florian Fainelli +Date: Thu, 16 Jan 2020 12:55:48 -0800 +Subject: net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec + +From: Florian Fainelli + +[ Upstream commit 8f1880cbe8d0d49ebb7e9ae409b3b96676e5aa97 ] + +With the implementation of the system reset controller we lost a setting +that is currently applied by the bootloader and which configures the IMP +port for 2Gb/sec, the default is 1Gb/sec. This is needed given the +number of ports and applications we expect to run so bring back that +setting. + +Fixes: 01b0ac07589e ("net: dsa: bcm_sf2: Add support for optional reset controller line") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/bcm_sf2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/bcm_sf2.c ++++ b/drivers/net/dsa/bcm_sf2.c +@@ -68,7 +68,7 @@ static void bcm_sf2_imp_setup(struct dsa + + /* Force link status for IMP port */ + reg = core_readl(priv, offset); +- reg |= (MII_SW_OR | LINK_STS); ++ reg |= (MII_SW_OR | LINK_STS | GMII_SPEED_UP_2G); + core_writel(priv, reg, offset); + + /* Enable Broadcast, Multicast, Unicast forwarding to IMP port */ diff --git a/queue-5.4/net-dsa-sja1105-don-t-error-out-on-disabled-ports-with-no-phy-mode.patch b/queue-5.4/net-dsa-sja1105-don-t-error-out-on-disabled-ports-with-no-phy-mode.patch new file mode 100644 index 00000000000..436fc468a58 --- /dev/null +++ b/queue-5.4/net-dsa-sja1105-don-t-error-out-on-disabled-ports-with-no-phy-mode.patch @@ -0,0 +1,34 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Vladimir Oltean +Date: Thu, 16 Jan 2020 20:43:27 +0200 +Subject: net: dsa: sja1105: Don't error out on disabled ports with no phy-mode + +From: Vladimir Oltean + +[ Upstream commit 27afe0d34e9121a3d61cc0af9b17c2542dadde24 ] + +The sja1105_parse_ports_node function was tested only on device trees +where all ports were enabled. Fix this check so that the driver +continues to probe only with the ports where status is not "disabled", +as expected. + +Fixes: 8aa9ebccae87 ("net: dsa: Introduce driver for NXP SJA1105 5-port L2 switch") +Signed-off-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/sja1105/sja1105_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/dsa/sja1105/sja1105_main.c ++++ b/drivers/net/dsa/sja1105/sja1105_main.c +@@ -619,7 +619,7 @@ static int sja1105_parse_ports_node(stru + struct device *dev = &priv->spidev->dev; + struct device_node *child; + +- for_each_child_of_node(ports_node, child) { ++ for_each_available_child_of_node(ports_node, child) { + struct device_node *phy_node; + int phy_mode; + u32 index; diff --git a/queue-5.4/net-dsa-tag_gswip-fix-typo-in-tagger-name.patch b/queue-5.4/net-dsa-tag_gswip-fix-typo-in-tagger-name.patch new file mode 100644 index 00000000000..a0bcad4e9f4 --- /dev/null +++ b/queue-5.4/net-dsa-tag_gswip-fix-typo-in-tagger-name.patch @@ -0,0 +1,35 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Alexander Lobakin +Date: Wed, 15 Jan 2020 11:54:38 +0300 +Subject: net: dsa: tag_gswip: fix typo in tagger name + +From: Alexander Lobakin + +[ Upstream commit ad32205470919c8e04cdd33e0613bdba50c2376d ] + +The correct name is GSWIP (Gigabit Switch IP). Typo was introduced in +875138f81d71a ("dsa: Move tagger name into its ops structure") while +moving tagger names to their structures. + +Fixes: 875138f81d71a ("dsa: Move tagger name into its ops structure") +Reviewed-by: Andrew Lunn +Signed-off-by: Alexander Lobakin +Reviewed-by: Florian Fainelli +Acked-by: Hauke Mehrtens +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/tag_gswip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/dsa/tag_gswip.c ++++ b/net/dsa/tag_gswip.c +@@ -104,7 +104,7 @@ static struct sk_buff *gswip_tag_rcv(str + } + + static const struct dsa_device_ops gswip_netdev_ops = { +- .name = "gwsip", ++ .name = "gswip", + .proto = DSA_TAG_PROTO_GSWIP, + .xmit = gswip_tag_xmit, + .rcv = gswip_tag_rcv, diff --git a/queue-5.4/net-dsa-tag_qca-fix-doubled-tx-statistics.patch b/queue-5.4/net-dsa-tag_qca-fix-doubled-tx-statistics.patch new file mode 100644 index 00000000000..c3fede3e764 --- /dev/null +++ b/queue-5.4/net-dsa-tag_qca-fix-doubled-tx-statistics.patch @@ -0,0 +1,37 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Alexander Lobakin +Date: Wed, 15 Jan 2020 11:56:52 +0300 +Subject: net: dsa: tag_qca: fix doubled Tx statistics + +From: Alexander Lobakin + +[ Upstream commit bd5874da57edd001b35cf28ae737779498c16a56 ] + +DSA subsystem takes care of netdev statistics since commit 4ed70ce9f01c +("net: dsa: Refactor transmit path to eliminate duplication"), so +any accounting inside tagger callbacks is redundant and can lead to +messing up the stats. +This bug is present in Qualcomm tagger since day 0. + +Fixes: cafdc45c949b ("net-next: dsa: add Qualcomm tag RX/TX handler") +Reviewed-by: Andrew Lunn +Signed-off-by: Alexander Lobakin +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dsa/tag_qca.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/net/dsa/tag_qca.c ++++ b/net/dsa/tag_qca.c +@@ -33,9 +33,6 @@ static struct sk_buff *qca_tag_xmit(stru + struct dsa_port *dp = dsa_slave_to_port(dev); + u16 *phdr, hdr; + +- dev->stats.tx_packets++; +- dev->stats.tx_bytes += skb->len; +- + if (skb_cow_head(skb, 0) < 0) + return NULL; + diff --git a/queue-5.4/net-ethernet-ave-avoid-lockdep-warning.patch b/queue-5.4/net-ethernet-ave-avoid-lockdep-warning.patch new file mode 100644 index 00000000000..bc6c8288c93 --- /dev/null +++ b/queue-5.4/net-ethernet-ave-avoid-lockdep-warning.patch @@ -0,0 +1,78 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Kunihiko Hayashi +Date: Wed, 15 Jan 2020 13:02:42 +0900 +Subject: net: ethernet: ave: Avoid lockdep warning + +From: Kunihiko Hayashi + +[ Upstream commit 82d5d6a638cbd12b7dfe8acafd9efd87a656cc06 ] + +When building with PROVE_LOCKING=y, lockdep shows the following +dump message. + + INFO: trying to register non-static key. + the code is fine but needs lockdep annotation. + turning off the locking correctness validator. + ... + +Calling device_set_wakeup_enable() directly occurs this issue, +and it isn't necessary for initialization, so this patch creates +internal function __ave_ethtool_set_wol() and replaces with this +in ave_init() and ave_resume(). + +Fixes: 7200f2e3c9e2 ("net: ethernet: ave: Set initial wol state to disabled") +Signed-off-by: Kunihiko Hayashi +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/socionext/sni_ave.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/socionext/sni_ave.c ++++ b/drivers/net/ethernet/socionext/sni_ave.c +@@ -424,16 +424,22 @@ static void ave_ethtool_get_wol(struct n + phy_ethtool_get_wol(ndev->phydev, wol); + } + +-static int ave_ethtool_set_wol(struct net_device *ndev, +- struct ethtool_wolinfo *wol) ++static int __ave_ethtool_set_wol(struct net_device *ndev, ++ struct ethtool_wolinfo *wol) + { +- int ret; +- + if (!ndev->phydev || + (wol->wolopts & (WAKE_ARP | WAKE_MAGICSECURE))) + return -EOPNOTSUPP; + +- ret = phy_ethtool_set_wol(ndev->phydev, wol); ++ return phy_ethtool_set_wol(ndev->phydev, wol); ++} ++ ++static int ave_ethtool_set_wol(struct net_device *ndev, ++ struct ethtool_wolinfo *wol) ++{ ++ int ret; ++ ++ ret = __ave_ethtool_set_wol(ndev, wol); + if (!ret) + device_set_wakeup_enable(&ndev->dev, !!wol->wolopts); + +@@ -1216,7 +1222,7 @@ static int ave_init(struct net_device *n + + /* set wol initial state disabled */ + wol.wolopts = 0; +- ave_ethtool_set_wol(ndev, &wol); ++ __ave_ethtool_set_wol(ndev, &wol); + + if (!phy_interface_is_rgmii(phydev)) + phy_set_max_speed(phydev, SPEED_100); +@@ -1768,7 +1774,7 @@ static int ave_resume(struct device *dev + + ave_ethtool_get_wol(ndev, &wol); + wol.wolopts = priv->wolopts; +- ave_ethtool_set_wol(ndev, &wol); ++ __ave_ethtool_set_wol(ndev, &wol); + + if (ndev->phydev) { + ret = phy_resume(ndev->phydev); diff --git a/queue-5.4/net-hns-fix-soft-lockup-when-there-is-not-enough-memory.patch b/queue-5.4/net-hns-fix-soft-lockup-when-there-is-not-enough-memory.patch new file mode 100644 index 00000000000..21f06fd144b --- /dev/null +++ b/queue-5.4/net-hns-fix-soft-lockup-when-there-is-not-enough-memory.patch @@ -0,0 +1,57 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Yonglong Liu +Date: Thu, 16 Jan 2020 15:41:17 +0800 +Subject: net: hns: fix soft lockup when there is not enough memory + +From: Yonglong Liu + +[ Upstream commit 49edd6a2c456150870ddcef5b7ed11b21d849e13 ] + +When there is not enough memory and napi_alloc_skb() return NULL, +the HNS driver will print error message, and than try again, if +the memory is not enough for a while, huge error message and the +retry operation will cause soft lockup. + +When napi_alloc_skb() return NULL because of no memory, we can +get a warn_alloc() call trace, so this patch deletes the error +message. We already use polling mode to handle irq, but the +retry operation will render the polling weight inactive, this +patch just return budget when the rx is not completed to avoid +dead loop. + +Fixes: 36eedfde1a36 ("net: hns: Optimize hns_nic_common_poll for better performance") +Fixes: b5996f11ea54 ("net: add Hisilicon Network Subsystem basic ethernet support") +Signed-off-by: Yonglong Liu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns/hns_enet.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +@@ -565,7 +565,6 @@ static int hns_nic_poll_rx_skb(struct hn + skb = *out_skb = napi_alloc_skb(&ring_data->napi, + HNS_RX_HEAD_SIZE); + if (unlikely(!skb)) { +- netdev_err(ndev, "alloc rx skb fail\n"); + ring->stats.sw_err_cnt++; + return -ENOMEM; + } +@@ -1056,7 +1055,6 @@ static int hns_nic_common_poll(struct na + container_of(napi, struct hns_nic_ring_data, napi); + struct hnae_ring *ring = ring_data->ring; + +-try_again: + clean_complete += ring_data->poll_one( + ring_data, budget - clean_complete, + ring_data->ex_process); +@@ -1066,7 +1064,7 @@ try_again: + napi_complete(napi); + ring->q->handle->dev->ops->toggle_ring_irq(ring, 0); + } else { +- goto try_again; ++ return budget; + } + } + diff --git a/queue-5.4/net-hns3-pad-the-short-frame-before-sending-to-the-hardware.patch b/queue-5.4/net-hns3-pad-the-short-frame-before-sending-to-the-hardware.patch new file mode 100644 index 00000000000..18cd3bbcddb --- /dev/null +++ b/queue-5.4/net-hns3-pad-the-short-frame-before-sending-to-the-hardware.patch @@ -0,0 +1,47 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Yunsheng Lin +Date: Wed, 15 Jan 2020 10:46:45 +0800 +Subject: net: hns3: pad the short frame before sending to the hardware + +From: Yunsheng Lin + +[ Upstream commit 36c67349a1a1c88b9cf11d7ca7762ababdb38867 ] + +The hardware can not handle short frames below or equal to 32 +bytes according to the hardware user manual, and it will trigger +a RAS error when the frame's length is below 33 bytes. + +This patch pads the SKB when skb->len is below 33 bytes before +sending it to hardware. + +Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC") +Signed-off-by: Yunsheng Lin +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c +@@ -54,6 +54,8 @@ MODULE_PARM_DESC(debug, " Network interf + #define HNS3_INNER_VLAN_TAG 1 + #define HNS3_OUTER_VLAN_TAG 2 + ++#define HNS3_MIN_TX_LEN 33U ++ + /* hns3_pci_tbl - PCI Device ID Table + * + * Last entry must be all 0s +@@ -1329,6 +1331,10 @@ netdev_tx_t hns3_nic_net_xmit(struct sk_ + int ret; + int i; + ++ /* Hardware can only handle short frames above 32 bytes */ ++ if (skb_put_padto(skb, HNS3_MIN_TX_LEN)) ++ return NETDEV_TX_OK; ++ + /* Prefetch the data used later */ + prefetch(skb->data); + diff --git a/queue-5.4/net-phy-dp83867-set-force_link_good-to-default-after-reset.patch b/queue-5.4/net-phy-dp83867-set-force_link_good-to-default-after-reset.patch new file mode 100644 index 00000000000..3b749f72894 --- /dev/null +++ b/queue-5.4/net-phy-dp83867-set-force_link_good-to-default-after-reset.patch @@ -0,0 +1,46 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Michael Grzeschik +Date: Thu, 16 Jan 2020 14:16:31 +0100 +Subject: net: phy: dp83867: Set FORCE_LINK_GOOD to default after reset + +From: Michael Grzeschik + +[ Upstream commit 86ffe920e669ec73035e84553e18edf17d16317c ] + +According to the Datasheet this bit should be 0 (Normal operation) in +default. With the FORCE_LINK_GOOD bit set, it is not possible to get a +link. This patch sets FORCE_LINK_GOOD to the default value after +resetting the phy. + +Signed-off-by: Michael Grzeschik +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/dp83867.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/net/phy/dp83867.c ++++ b/drivers/net/phy/dp83867.c +@@ -80,6 +80,7 @@ + #define DP83867_PHYCR_FIFO_DEPTH_MAX 0x03 + #define DP83867_PHYCR_FIFO_DEPTH_MASK GENMASK(15, 14) + #define DP83867_PHYCR_RESERVED_MASK BIT(11) ++#define DP83867_PHYCR_FORCE_LINK_GOOD BIT(10) + + /* RGMIIDCTL bits */ + #define DP83867_RGMII_TX_CLK_DELAY_MAX 0xf +@@ -454,7 +455,12 @@ static int dp83867_phy_reset(struct phy_ + + usleep_range(10, 20); + +- return 0; ++ /* After reset FORCE_LINK_GOOD bit is set. Although the ++ * default value should be unset. Disable FORCE_LINK_GOOD ++ * for the phy to work properly. ++ */ ++ return phy_modify(phydev, MII_DP83867_PHYCTRL, ++ DP83867_PHYCR_FORCE_LINK_GOOD, 0); + } + + static struct phy_driver dp83867_driver[] = { diff --git a/queue-5.4/net-sched-act_ctinfo-fix-memory-leak.patch b/queue-5.4/net-sched-act_ctinfo-fix-memory-leak.patch new file mode 100644 index 00000000000..e498f4a23ee --- /dev/null +++ b/queue-5.4/net-sched-act_ctinfo-fix-memory-leak.patch @@ -0,0 +1,84 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Eric Dumazet +Date: Sat, 18 Jan 2020 20:45:06 -0800 +Subject: net: sched: act_ctinfo: fix memory leak + +From: Eric Dumazet + +[ Upstream commit 09d4f10a5e78d76a53e3e584f1e6a701b6d24108 ] + +Implement a cleanup method to properly free ci->params + +BUG: memory leak +unreferenced object 0xffff88811746e2c0 (size 64): + comm "syz-executor617", pid 7106, jiffies 4294943055 (age 14.250s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + c0 34 60 84 ff ff ff ff 00 00 00 00 00 00 00 00 .4`............. + backtrace: + [<0000000015aa236f>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline] + [<0000000015aa236f>] slab_post_alloc_hook mm/slab.h:586 [inline] + [<0000000015aa236f>] slab_alloc mm/slab.c:3320 [inline] + [<0000000015aa236f>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549 + [<000000002c946bd1>] kmalloc include/linux/slab.h:556 [inline] + [<000000002c946bd1>] kzalloc include/linux/slab.h:670 [inline] + [<000000002c946bd1>] tcf_ctinfo_init+0x21a/0x530 net/sched/act_ctinfo.c:236 + [<0000000086952cca>] tcf_action_init_1+0x400/0x5b0 net/sched/act_api.c:944 + [<000000005ab29bf8>] tcf_action_init+0x135/0x1c0 net/sched/act_api.c:1000 + [<00000000392f56f9>] tcf_action_add+0x9a/0x200 net/sched/act_api.c:1410 + [<0000000088f3c5dd>] tc_ctl_action+0x14d/0x1bb net/sched/act_api.c:1465 + [<000000006b39d986>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424 + [<00000000fd6ecace>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477 + [<0000000047493d02>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442 + [<00000000bdcf8286>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + [<00000000bdcf8286>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328 + [<00000000fc5b92d9>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917 + [<00000000da84d076>] sock_sendmsg_nosec net/socket.c:639 [inline] + [<00000000da84d076>] sock_sendmsg+0x54/0x70 net/socket.c:659 + [<0000000042fb2eee>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330 + [<000000008f23f67e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384 + [<00000000d838e4f6>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417 + [<00000000289a9cb1>] __do_sys_sendmsg net/socket.c:2426 [inline] + [<00000000289a9cb1>] __se_sys_sendmsg net/socket.c:2424 [inline] + [<00000000289a9cb1>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424 + +Fixes: 24ec483cec98 ("net: sched: Introduce act_ctinfo action") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Kevin 'ldir' Darbyshire-Bryant +Cc: Cong Wang +Cc: Toke Høiland-Jørgensen +Acked-by: Kevin 'ldir' Darbyshire-Bryant +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ctinfo.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/net/sched/act_ctinfo.c ++++ b/net/sched/act_ctinfo.c +@@ -360,6 +360,16 @@ static int tcf_ctinfo_search(struct net + return tcf_idr_search(tn, a, index); + } + ++static void tcf_ctinfo_cleanup(struct tc_action *a) ++{ ++ struct tcf_ctinfo *ci = to_ctinfo(a); ++ struct tcf_ctinfo_params *cp; ++ ++ cp = rcu_dereference_protected(ci->params, 1); ++ if (cp) ++ kfree_rcu(cp, rcu); ++} ++ + static struct tc_action_ops act_ctinfo_ops = { + .kind = "ctinfo", + .id = TCA_ID_CTINFO, +@@ -367,6 +377,7 @@ static struct tc_action_ops act_ctinfo_o + .act = tcf_ctinfo_act, + .dump = tcf_ctinfo_dump, + .init = tcf_ctinfo_init, ++ .cleanup= tcf_ctinfo_cleanup, + .walk = tcf_ctinfo_walker, + .lookup = tcf_ctinfo_search, + .size = sizeof(struct tcf_ctinfo), diff --git a/queue-5.4/net-sched-act_ife-initalize-ife-metalist-earlier.patch b/queue-5.4/net-sched-act_ife-initalize-ife-metalist-earlier.patch new file mode 100644 index 00000000000..7b4511eee62 --- /dev/null +++ b/queue-5.4/net-sched-act_ife-initalize-ife-metalist-earlier.patch @@ -0,0 +1,94 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Eric Dumazet +Date: Wed, 15 Jan 2020 08:20:39 -0800 +Subject: net/sched: act_ife: initalize ife->metalist earlier + +From: Eric Dumazet + +[ Upstream commit 44c23d71599f81a1c7fe8389e0319822dd50c37c ] + +It seems better to init ife->metalist earlier in tcf_ife_init() +to avoid the following crash : + +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] PREEMPT SMP KASAN +CPU: 0 PID: 10483 Comm: syz-executor216 Not tainted 5.5.0-rc5-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:_tcf_ife_cleanup net/sched/act_ife.c:412 [inline] +RIP: 0010:tcf_ife_cleanup+0x6e/0x400 net/sched/act_ife.c:431 +Code: 48 c1 ea 03 80 3c 02 00 0f 85 94 03 00 00 49 8b bd f8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8d 67 e8 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 5c 03 00 00 48 bb 00 00 00 00 00 fc ff df 48 8b +RSP: 0018:ffffc90001dc6d00 EFLAGS: 00010246 +RAX: dffffc0000000000 RBX: ffffffff864619c0 RCX: ffffffff815bfa09 +RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000000 +RBP: ffffc90001dc6d50 R08: 0000000000000004 R09: fffff520003b8d8e +R10: fffff520003b8d8d R11: 0000000000000003 R12: ffffffffffffffe8 +R13: ffff8880a79fc000 R14: ffff88809aba0e00 R15: 0000000000000000 +FS: 0000000001b51880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000563f52cce140 CR3: 0000000093541000 CR4: 00000000001406f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + tcf_action_cleanup+0x62/0x1b0 net/sched/act_api.c:119 + __tcf_action_put+0xfa/0x130 net/sched/act_api.c:135 + __tcf_idr_release net/sched/act_api.c:165 [inline] + __tcf_idr_release+0x59/0xf0 net/sched/act_api.c:145 + tcf_idr_release include/net/act_api.h:171 [inline] + tcf_ife_init+0x97c/0x1870 net/sched/act_ife.c:616 + tcf_action_init_1+0x6b6/0xa40 net/sched/act_api.c:944 + tcf_action_init+0x21a/0x330 net/sched/act_api.c:1000 + tcf_action_add+0xf5/0x3b0 net/sched/act_api.c:1410 + tc_ctl_action+0x390/0x488 net/sched/act_api.c:1465 + rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5424 + netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 + rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442 + netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + netlink_unicast+0x58c/0x7d0 net/netlink/af_netlink.c:1328 + netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:639 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:659 + ____sys_sendmsg+0x753/0x880 net/socket.c:2330 + ___sys_sendmsg+0x100/0x170 net/socket.c:2384 + __sys_sendmsg+0x105/0x1d0 net/socket.c:2417 + __do_sys_sendmsg net/socket.c:2426 [inline] + __se_sys_sendmsg net/socket.c:2424 [inline] + __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2424 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fixes: 11a94d7fd80f ("net/sched: act_ife: validate the control action inside init()") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Davide Caratti +Reviewed-by: Davide Caratti +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ife.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/net/sched/act_ife.c ++++ b/net/sched/act_ife.c +@@ -536,6 +536,9 @@ static int tcf_ife_init(struct net *net, + } + + ife = to_ife(*a); ++ if (ret == ACT_P_CREATED) ++ INIT_LIST_HEAD(&ife->metalist); ++ + err = tcf_action_check_ctrlact(parm->action, tp, &goto_ch, extack); + if (err < 0) + goto release_idr; +@@ -565,10 +568,6 @@ static int tcf_ife_init(struct net *net, + p->eth_type = ife_type; + } + +- +- if (ret == ACT_P_CREATED) +- INIT_LIST_HEAD(&ife->metalist); +- + if (tb[TCA_IFE_METALST]) { + err = nla_parse_nested_deprecated(tb2, IFE_META_MAX, + tb[TCA_IFE_METALST], NULL, diff --git a/queue-5.4/net-systemport-fixed-queue-mapping-in-internal-ring-map.patch b/queue-5.4/net-systemport-fixed-queue-mapping-in-internal-ring-map.patch new file mode 100644 index 00000000000..b5a64a38416 --- /dev/null +++ b/queue-5.4/net-systemport-fixed-queue-mapping-in-internal-ring-map.patch @@ -0,0 +1,64 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Florian Fainelli +Date: Thu, 16 Jan 2020 13:08:58 -0800 +Subject: net: systemport: Fixed queue mapping in internal ring map + +From: Florian Fainelli + +[ Upstream commit 5a9ef19454cd5daec8041bc7c3c11deb7456d9a0 ] + +We would not be transmitting using the correct SYSTEMPORT transmit queue +during ndo_select_queue() which looks up the internal TX ring map +because while establishing the mapping we would be off by 4, so for +instance, when we populate switch port mappings we would be doing: + +switch port 0, queue 0 -> ring index #0 +switch port 0, queue 1 -> ring index #1 +... +switch port 0, queue 3 -> ring index #3 +switch port 1, queue 0 -> ring index #8 (4 + 4 * 1) +... + +instead of using ring index #4. This would cause our ndo_select_queue() +to use the fallback queue mechanism which would pick up an incorrect +ring for that switch port. Fix this by using the correct switch queue +number instead of SYSTEMPORT queue number. + +Fixes: 25c440704661 ("net: systemport: Simplify queue mapping logic") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bcmsysport.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bcmsysport.c ++++ b/drivers/net/ethernet/broadcom/bcmsysport.c +@@ -2323,7 +2323,7 @@ static int bcm_sysport_map_queues(struct + ring->switch_queue = qp; + ring->switch_port = port; + ring->inspect = true; +- priv->ring_map[q + port * num_tx_queues] = ring; ++ priv->ring_map[qp + port * num_tx_queues] = ring; + qp++; + } + +@@ -2338,7 +2338,7 @@ static int bcm_sysport_unmap_queues(stru + struct net_device *slave_dev; + unsigned int num_tx_queues; + struct net_device *dev; +- unsigned int q, port; ++ unsigned int q, qp, port; + + priv = container_of(nb, struct bcm_sysport_priv, dsa_notifier); + if (priv->netdev != info->master) +@@ -2364,7 +2364,8 @@ static int bcm_sysport_unmap_queues(stru + continue; + + ring->inspect = false; +- priv->ring_map[q + port * num_tx_queues] = NULL; ++ qp = ring->switch_queue; ++ priv->ring_map[qp + port * num_tx_queues] = NULL; + } + + return 0; diff --git a/queue-5.4/net-usb-lan78xx-limit-size-of-local-tso-packets.patch b/queue-5.4/net-usb-lan78xx-limit-size-of-local-tso-packets.patch new file mode 100644 index 00000000000..0ff4ae3e0b7 --- /dev/null +++ b/queue-5.4/net-usb-lan78xx-limit-size-of-local-tso-packets.patch @@ -0,0 +1,46 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Eric Dumazet +Date: Mon, 13 Jan 2020 09:27:11 -0800 +Subject: net: usb: lan78xx: limit size of local TSO packets + +From: Eric Dumazet + +[ Upstream commit f8d7408a4d7f60f8b2df0f81decdc882dd9c20dc ] + +lan78xx_tx_bh() makes sure to not exceed MAX_SINGLE_PACKET_SIZE +bytes in the aggregated packets it builds, but does +nothing to prevent large GSO packets being submitted. + +Pierre-Francois reported various hangs when/if TSO is enabled. + +For localy generated packets, we can use netif_set_gso_max_size() +to limit the size of TSO packets. + +Note that forwarded packets could still hit the issue, +so a complete fix might require implementing .ndo_features_check +for this driver, forcing a software segmentation if the size +of the TSO packet exceeds MAX_SINGLE_PACKET_SIZE. + +Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver") +Signed-off-by: Eric Dumazet +Reported-by: RENARD Pierre-Francois +Tested-by: RENARD Pierre-Francois +Cc: Stefan Wahren +Cc: Woojung Huh +Cc: Microchip Linux Driver Support +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/lan78xx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -3750,6 +3750,7 @@ static int lan78xx_probe(struct usb_inte + + /* MTU range: 68 - 9000 */ + netdev->max_mtu = MAX_SINGLE_PACKET_SIZE; ++ netif_set_gso_max_size(netdev, MAX_SINGLE_PACKET_SIZE - MAX_HEADER); + + dev->ep_blkin = (intf->cur_altsetting)->endpoint + 0; + dev->ep_blkout = (intf->cur_altsetting)->endpoint + 1; diff --git a/queue-5.4/net-wan-fsl_ucc_hdlc-fix-out-of-bounds-write-on-array-utdm_info.patch b/queue-5.4/net-wan-fsl_ucc_hdlc-fix-out-of-bounds-write-on-array-utdm_info.patch new file mode 100644 index 00000000000..74855df3edf --- /dev/null +++ b/queue-5.4/net-wan-fsl_ucc_hdlc-fix-out-of-bounds-write-on-array-utdm_info.patch @@ -0,0 +1,35 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Colin Ian King +Date: Tue, 14 Jan 2020 14:54:48 +0000 +Subject: net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info + +From: Colin Ian King + +[ Upstream commit ddf420390526ede3b9ff559ac89f58cb59d9db2f ] + +Array utdm_info is declared as an array of MAX_HDLC_NUM (4) elements +however up to UCC_MAX_NUM (8) elements are potentially being written +to it. Currently we have an array out-of-bounds write error on the +last 4 elements. Fix this by making utdm_info UCC_MAX_NUM elements in +size. + +Addresses-Coverity: ("Out-of-bounds write") +Fixes: c19b6d246a35 ("drivers/net: support hdlc function for QE-UCC") +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wan/fsl_ucc_hdlc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wan/fsl_ucc_hdlc.c ++++ b/drivers/net/wan/fsl_ucc_hdlc.c +@@ -73,7 +73,7 @@ static struct ucc_tdm_info utdm_primary_ + }, + }; + +-static struct ucc_tdm_info utdm_info[MAX_HDLC_NUM]; ++static struct ucc_tdm_info utdm_info[UCC_MAX_NUM]; + + static int uhdlc_init(struct ucc_hdlc_private *priv) + { diff --git a/queue-5.4/ptp-free-ptp-device-pin-descriptors-properly.patch b/queue-5.4/ptp-free-ptp-device-pin-descriptors-properly.patch new file mode 100644 index 00000000000..792989cd6f5 --- /dev/null +++ b/queue-5.4/ptp-free-ptp-device-pin-descriptors-properly.patch @@ -0,0 +1,51 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Vladis Dronov +Date: Mon, 13 Jan 2020 14:00:09 +0100 +Subject: ptp: free ptp device pin descriptors properly + +From: Vladis Dronov + +[ Upstream commit 75718584cb3c64e6269109d4d54f888ac5a5fd15 ] + +There is a bug in ptp_clock_unregister(), where ptp_cleanup_pin_groups() +first frees ptp->pin_{,dev_}attr, but then posix_clock_unregister() needs +them to destroy a related sysfs device. + +These functions can not be just swapped, as posix_clock_unregister() frees +ptp which is needed in the ptp_cleanup_pin_groups(). Fix this by calling +ptp_cleanup_pin_groups() in ptp_clock_release(), right before ptp is freed. + +This makes this patch fix an UAF bug in a patch which fixes an UAF bug. + +Reported-by: Antti Laakso +Fixes: a33121e5487b ("ptp: fix the race between the release of ptp_clock and cdev") +Link: https://lore.kernel.org/netdev/3d2bd09735dbdaf003585ca376b7c1e5b69a19bd.camel@intel.com/ +Signed-off-by: Vladis Dronov +Acked-by: Richard Cochran +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ptp/ptp_clock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/ptp/ptp_clock.c ++++ b/drivers/ptp/ptp_clock.c +@@ -170,6 +170,7 @@ static void ptp_clock_release(struct dev + { + struct ptp_clock *ptp = container_of(dev, struct ptp_clock, dev); + ++ ptp_cleanup_pin_groups(ptp); + mutex_destroy(&ptp->tsevq_mux); + mutex_destroy(&ptp->pincfg_mux); + ida_simple_remove(&ptp_clocks_map, ptp->index); +@@ -302,9 +303,8 @@ int ptp_clock_unregister(struct ptp_cloc + if (ptp->pps_source) + pps_unregister_source(ptp->pps_source); + +- ptp_cleanup_pin_groups(ptp); +- + posix_clock_unregister(&ptp->clock); ++ + return 0; + } + EXPORT_SYMBOL(ptp_clock_unregister); diff --git a/queue-5.4/r8152-add-missing-endpoint-sanity-check.patch b/queue-5.4/r8152-add-missing-endpoint-sanity-check.patch new file mode 100644 index 00000000000..c84b4a36492 --- /dev/null +++ b/queue-5.4/r8152-add-missing-endpoint-sanity-check.patch @@ -0,0 +1,35 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Johan Hovold +Date: Tue, 14 Jan 2020 09:27:29 +0100 +Subject: r8152: add missing endpoint sanity check + +From: Johan Hovold + +[ Upstream commit 86f3f4cd53707ceeec079b83205c8d3c756eca93 ] + +Add missing endpoint sanity check to probe in order to prevent a +NULL-pointer dereference (or slab out-of-bounds access) when retrieving +the interrupt-endpoint bInterval on ndo_open() in case a device lacks +the expected endpoints. + +Fixes: 40a82917b1d3 ("net/usb/r8152: enable interrupt transfer") +Cc: hayeswang +Signed-off-by: Johan Hovold +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/r8152.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -5587,6 +5587,9 @@ static int rtl8152_probe(struct usb_inte + return -ENODEV; + } + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 3) ++ return -ENODEV; ++ + usb_reset_device(udev); + netdev = alloc_etherdev(sizeof(struct r8152)); + if (!netdev) { diff --git a/queue-5.4/series b/queue-5.4/series index bdd4daa5d97..cfcc2d0cf46 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -134,3 +134,27 @@ net-bpf-don-t-leak-time-wait-and-request-sockets.patch bpftool-fix-printing-incorrect-pointer-in-btf_dump_ptr.patch batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch macvlan-use-skb_reset_mac_header-in-macvlan_queue_xm.patch +hv_netvsc-fix-memory-leak-when-removing-rndis-device.patch +net-avoid-updating-qdisc_xmit_lock_key-in-netdev_update_lockdep_key.patch +net-dsa-tag_qca-fix-doubled-tx-statistics.patch +net-hns3-pad-the-short-frame-before-sending-to-the-hardware.patch +net-hns-fix-soft-lockup-when-there-is-not-enough-memory.patch +net-phy-dp83867-set-force_link_good-to-default-after-reset.patch +net-sched-act_ife-initalize-ife-metalist-earlier.patch +net-usb-lan78xx-limit-size-of-local-tso-packets.patch +net-wan-fsl_ucc_hdlc-fix-out-of-bounds-write-on-array-utdm_info.patch +ptp-free-ptp-device-pin-descriptors-properly.patch +r8152-add-missing-endpoint-sanity-check.patch +tcp-fix-marked-lost-packets-not-being-retransmitted.patch +bnxt_en-fix-ntuple-firmware-command-failures.patch +bnxt_en-fix-ipv6-rfs-filter-matching-logic.patch +bnxt_en-do-not-treat-dsn-digital-serial-number-read-failure-as-fatal.patch +net-ethernet-ave-avoid-lockdep-warning.patch +net-systemport-fixed-queue-mapping-in-internal-ring-map.patch +net-dsa-sja1105-don-t-error-out-on-disabled-ports-with-no-phy-mode.patch +net-dsa-tag_gswip-fix-typo-in-tagger-name.patch +net-sched-act_ctinfo-fix-memory-leak.patch +net-dsa-bcm_sf2-configure-imp-port-for-2gb-sec.patch +wimax-i2400-fix-memory-leak.patch +wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch +i40e-prevent-memory-leak-in-i40e_setup_macvlans.patch diff --git a/queue-5.4/tcp-fix-marked-lost-packets-not-being-retransmitted.patch b/queue-5.4/tcp-fix-marked-lost-packets-not-being-retransmitted.patch new file mode 100644 index 00000000000..d22ad492e27 --- /dev/null +++ b/queue-5.4/tcp-fix-marked-lost-packets-not-being-retransmitted.patch @@ -0,0 +1,83 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Pengcheng Yang +Date: Tue, 14 Jan 2020 17:23:40 +0800 +Subject: tcp: fix marked lost packets not being retransmitted + +From: Pengcheng Yang + +[ Upstream commit e176b1ba476cf36f723cfcc7a9e57f3cb47dec70 ] + +When the packet pointed to by retransmit_skb_hint is unlinked by ACK, +retransmit_skb_hint will be set to NULL in tcp_clean_rtx_queue(). +If packet loss is detected at this time, retransmit_skb_hint will be set +to point to the current packet loss in tcp_verify_retransmit_hint(), +then the packets that were previously marked lost but not retransmitted +due to the restriction of cwnd will be skipped and cannot be +retransmitted. + +To fix this, when retransmit_skb_hint is NULL, retransmit_skb_hint can +be reset only after all marked lost packets are retransmitted +(retrans_out >= lost_out), otherwise we need to traverse from +tcp_rtx_queue_head in tcp_xmit_retransmit_queue(). + +Packetdrill to demonstrate: + +// Disable RACK and set max_reordering to keep things simple + 0 `sysctl -q net.ipv4.tcp_recovery=0` + +0 `sysctl -q net.ipv4.tcp_max_reordering=3` + +// Establish a connection + +0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 + +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 + +0 bind(3, ..., ...) = 0 + +0 listen(3, 1) = 0 + + +.1 < S 0:0(0) win 32792 + +0 > S. 0:0(0) ack 1 <...> + +.01 < . 1:1(0) ack 1 win 257 + +0 accept(3, ..., ...) = 4 + +// Send 8 data segments + +0 write(4, ..., 8000) = 8000 + +0 > P. 1:8001(8000) ack 1 + +// Enter recovery and 1:3001 is marked lost + +.01 < . 1:1(0) ack 1 win 257 + +0 < . 1:1(0) ack 1 win 257 + +0 < . 1:1(0) ack 1 win 257 + +// Retransmit 1:1001, now retransmit_skb_hint points to 1001:2001 + +0 > . 1:1001(1000) ack 1 + +// 1001:2001 was ACKed causing retransmit_skb_hint to be set to NULL + +.01 < . 1:1(0) ack 2001 win 257 +// Now retransmit_skb_hint points to 4001:5001 which is now marked lost + +// BUG: 2001:3001 was not retransmitted + +0 > . 2001:3001(1000) ack 1 + +Signed-off-by: Pengcheng Yang +Acked-by: Neal Cardwell +Tested-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -915,9 +915,10 @@ static void tcp_check_sack_reordering(st + /* This must be called before lost_out is incremented */ + static void tcp_verify_retransmit_hint(struct tcp_sock *tp, struct sk_buff *skb) + { +- if (!tp->retransmit_skb_hint || +- before(TCP_SKB_CB(skb)->seq, +- TCP_SKB_CB(tp->retransmit_skb_hint)->seq)) ++ if ((!tp->retransmit_skb_hint && tp->retrans_out >= tp->lost_out) || ++ (tp->retransmit_skb_hint && ++ before(TCP_SKB_CB(skb)->seq, ++ TCP_SKB_CB(tp->retransmit_skb_hint)->seq))) + tp->retransmit_skb_hint = skb; + } + diff --git a/queue-5.4/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch b/queue-5.4/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch new file mode 100644 index 00000000000..ee573b0e09f --- /dev/null +++ b/queue-5.4/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch @@ -0,0 +1,33 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Navid Emamdoost +Date: Fri, 25 Oct 2019 23:53:30 -0500 +Subject: wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle + +From: Navid Emamdoost + +[ Upstream commit 6f3ef5c25cc762687a7341c18cbea5af54461407 ] + +In the implementation of i2400m_op_rfkill_sw_toggle() the allocated +buffer for cmd should be released before returning. The +documentation for i2400m_msg_to_dev() says when it returns the buffer +can be reused. Meaning cmd should be released in either case. Move +kfree(cmd) before return to be reached by all execution paths. + +Fixes: 2507e6ab7a9a ("wimax: i2400: fix memory leak") +Signed-off-by: Navid Emamdoost +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wimax/i2400m/op-rfkill.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/wimax/i2400m/op-rfkill.c ++++ b/drivers/net/wimax/i2400m/op-rfkill.c +@@ -127,7 +127,6 @@ int i2400m_op_rfkill_sw_toggle(struct wi + "%d\n", result); + result = 0; + error_cmd: +- kfree(cmd); + kfree_skb(ack_skb); + error_msg_to_dev: + error_alloc: diff --git a/queue-5.4/wimax-i2400-fix-memory-leak.patch b/queue-5.4/wimax-i2400-fix-memory-leak.patch new file mode 100644 index 00000000000..e63f92f569e --- /dev/null +++ b/queue-5.4/wimax-i2400-fix-memory-leak.patch @@ -0,0 +1,29 @@ +From foo@baz Tue 21 Jan 2020 04:26:29 PM CET +From: Navid Emamdoost +Date: Tue, 10 Sep 2019 18:01:40 -0500 +Subject: wimax: i2400: fix memory leak + +From: Navid Emamdoost + +[ Upstream commit 2507e6ab7a9a440773be476141a255934468c5ef ] + +In i2400m_op_rfkill_sw_toggle cmd buffer should be released along with +skb response. + +Signed-off-by: Navid Emamdoost +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wimax/i2400m/op-rfkill.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wimax/i2400m/op-rfkill.c ++++ b/drivers/net/wimax/i2400m/op-rfkill.c +@@ -127,6 +127,7 @@ int i2400m_op_rfkill_sw_toggle(struct wi + "%d\n", result); + result = 0; + error_cmd: ++ kfree(cmd); + kfree_skb(ack_skb); + error_msg_to_dev: + error_alloc: -- 2.47.3