--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 15 Jun 2019 16:40:52 -0700
+Subject: ax25: fix inconsistent lock state in ax25_destroy_timer
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d4d5d8e83c9616aeef28a2869cea49cc3fb35526 ]
+
+Before thread in process context uses bh_lock_sock()
+we must disable bh.
+
+sysbot reported :
+
+WARNING: inconsistent lock state
+5.2.0-rc3+ #32 Not tainted
+
+inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
+blkid/26581 [HC0[0]:SC1[1]:HE1:SE0] takes:
+00000000e0da85ee (slock-AF_AX25){+.?.}, at: spin_lock include/linux/spinlock.h:338 [inline]
+00000000e0da85ee (slock-AF_AX25){+.?.}, at: ax25_destroy_timer+0x53/0xc0 net/ax25/af_ax25.c:275
+{SOFTIRQ-ON-W} state was registered at:
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4303
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
+ spin_lock include/linux/spinlock.h:338 [inline]
+ ax25_rt_autobind+0x3ca/0x720 net/ax25/ax25_route.c:429
+ ax25_connect.cold+0x30/0xa4 net/ax25/af_ax25.c:1221
+ __sys_connect+0x264/0x330 net/socket.c:1834
+ __do_sys_connect net/socket.c:1845 [inline]
+ __se_sys_connect net/socket.c:1842 [inline]
+ __x64_sys_connect+0x73/0xb0 net/socket.c:1842
+ do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+irq event stamp: 2272
+hardirqs last enabled at (2272): [<ffffffff810065f3>] trace_hardirqs_on_thunk+0x1a/0x1c
+hardirqs last disabled at (2271): [<ffffffff8100660f>] trace_hardirqs_off_thunk+0x1a/0x1c
+softirqs last enabled at (1522): [<ffffffff87400654>] __do_softirq+0x654/0x94c kernel/softirq.c:320
+softirqs last disabled at (2267): [<ffffffff81449010>] invoke_softirq kernel/softirq.c:374 [inline]
+softirqs last disabled at (2267): [<ffffffff81449010>] irq_exit+0x180/0x1d0 kernel/softirq.c:414
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(slock-AF_AX25);
+ <Interrupt>
+ lock(slock-AF_AX25);
+
+ *** DEADLOCK ***
+
+1 lock held by blkid/26581:
+ #0: 0000000010fd154d ((&ax25->dtimer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:175 [inline]
+ #0: 0000000010fd154d ((&ax25->dtimer)){+.-.}, at: call_timer_fn+0xe0/0x720 kernel/time/timer.c:1312
+
+stack backtrace:
+CPU: 1 PID: 26581 Comm: blkid Not tainted 5.2.0-rc3+ #32
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ print_usage_bug.cold+0x393/0x4a2 kernel/locking/lockdep.c:2935
+ valid_state kernel/locking/lockdep.c:2948 [inline]
+ mark_lock_irq kernel/locking/lockdep.c:3138 [inline]
+ mark_lock+0xd46/0x1370 kernel/locking/lockdep.c:3513
+ mark_irqflags kernel/locking/lockdep.c:3391 [inline]
+ __lock_acquire+0x159f/0x5490 kernel/locking/lockdep.c:3745
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4303
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
+ spin_lock include/linux/spinlock.h:338 [inline]
+ ax25_destroy_timer+0x53/0xc0 net/ax25/af_ax25.c:275
+ call_timer_fn+0x193/0x720 kernel/time/timer.c:1322
+ expire_timers kernel/time/timer.c:1366 [inline]
+ __run_timers kernel/time/timer.c:1685 [inline]
+ __run_timers kernel/time/timer.c:1653 [inline]
+ run_timer_softirq+0x66f/0x1740 kernel/time/timer.c:1698
+ __do_softirq+0x25c/0x94c kernel/softirq.c:293
+ invoke_softirq kernel/softirq.c:374 [inline]
+ irq_exit+0x180/0x1d0 kernel/softirq.c:414
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0x13b/0x550 arch/x86/kernel/apic/apic.c:1068
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:806
+ </IRQ>
+RIP: 0033:0x7f858d5c3232
+Code: 8b 61 08 48 8b 84 24 d8 00 00 00 4c 89 44 24 28 48 8b ac 24 d0 00 00 00 4c 8b b4 24 e8 00 00 00 48 89 7c 24 68 48 89 4c 24 78 <48> 89 44 24 58 8b 84 24 e0 00 00 00 89 84 24 84 00 00 00 8b 84 24
+RSP: 002b:00007ffcaf0cf5c0 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
+RAX: 00007f858d7d27a8 RBX: 00007f858d7d8820 RCX: 00007f858d3940d8
+RDX: 00007ffcaf0cf798 RSI: 00000000f5e616f3 RDI: 00007f858d394fee
+RBP: 0000000000000000 R08: 00007ffcaf0cf780 R09: 00007f858d7db480
+R10: 0000000000000000 R11: 0000000009691a75 R12: 0000000000000005
+R13: 00000000f5e616f3 R14: 0000000000000000 R15: 00007ffcaf0cf798
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ax25/ax25_route.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ax25/ax25_route.c
++++ b/net/ax25/ax25_route.c
+@@ -429,9 +429,11 @@ int ax25_rt_autobind(ax25_cb *ax25, ax25
+ }
+
+ if (ax25->sk != NULL) {
++ local_bh_disable();
+ bh_lock_sock(ax25->sk);
+ sock_reset_flag(ax25->sk, SOCK_ZAPPED);
+ bh_unlock_sock(ax25->sk);
++ local_bh_enable();
+ }
+
+ put:
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: Ivan Vecera <ivecera@redhat.com>
+Date: Fri, 14 Jun 2019 17:48:36 +0200
+Subject: be2net: Fix number of Rx queues used for flow hashing
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit 718f4a2537089ea41903bf357071306163bc7c04 ]
+
+Number of Rx queues used for flow hashing returned by the driver is
+incorrect and this bug prevents user to use the last Rx queue in
+indirection table.
+
+Let's say we have a NIC with 6 combined queues:
+
+[root@sm-03 ~]# ethtool -l enp4s0f0
+Channel parameters for enp4s0f0:
+Pre-set maximums:
+RX: 5
+TX: 5
+Other: 0
+Combined: 6
+Current hardware settings:
+RX: 0
+TX: 0
+Other: 0
+Combined: 6
+
+Default indirection table maps all (6) queues equally but the driver
+reports only 5 rings available.
+
+[root@sm-03 ~]# ethtool -x enp4s0f0
+RX flow hash indirection table for enp4s0f0 with 5 RX ring(s):
+ 0: 0 1 2 3 4 5 0 1
+ 8: 2 3 4 5 0 1 2 3
+ 16: 4 5 0 1 2 3 4 5
+ 24: 0 1 2 3 4 5 0 1
+...
+
+Now change indirection table somehow:
+
+[root@sm-03 ~]# ethtool -X enp4s0f0 weight 1 1
+[root@sm-03 ~]# ethtool -x enp4s0f0
+RX flow hash indirection table for enp4s0f0 with 6 RX ring(s):
+ 0: 0 0 0 0 0 0 0 0
+...
+ 64: 1 1 1 1 1 1 1 1
+...
+
+Now it is not possible to change mapping back to equal (default) state:
+
+[root@sm-03 ~]# ethtool -X enp4s0f0 equal 6
+Cannot set RX flow hash configuration: Invalid argument
+
+Fixes: 594ad54a2c3b ("be2net: Add support for setting and getting rx flow hash options")
+Reported-by: Tianhao <tizhao@redhat.com>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/emulex/benet/be_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/emulex/benet/be_ethtool.c
++++ b/drivers/net/ethernet/emulex/benet/be_ethtool.c
+@@ -1105,7 +1105,7 @@ static int be_get_rxnfc(struct net_devic
+ cmd->data = be_get_rss_hash_opts(adapter, cmd->flow_type);
+ break;
+ case ETHTOOL_GRXRINGS:
+- cmd->data = adapter->num_rx_qs - 1;
++ cmd->data = adapter->num_rx_qs;
+ break;
+ default:
+ return -EINVAL;
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: Haiyang Zhang <haiyangz@microsoft.com>
+Date: Thu, 13 Jun 2019 21:06:53 +0000
+Subject: hv_netvsc: Set probe mode to sync
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+[ Upstream commit 9a33629ba6b26caebd73e3c581ba1e6068c696a7 ]
+
+For better consistency of synthetic NIC names, we set the probe mode to
+PROBE_FORCE_SYNCHRONOUS. So the names can be aligned with the vmbus
+channel offer sequence.
+
+Fixes: af0a5646cb8d ("use the new async probing feature for the hyperv drivers")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -2405,7 +2405,7 @@ static struct hv_driver netvsc_drv = {
+ .probe = netvsc_probe,
+ .remove = netvsc_remove,
+ .driver = {
+- .probe_type = PROBE_PREFER_ASYNCHRONOUS,
++ .probe_type = PROBE_FORCE_SYNCHRONOUS,
+ },
+ };
+
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 6 Jun 2019 14:32:34 -0700
+Subject: ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 65a3c497c0e965a552008db8bc2653f62bc925a1 ]
+
+Before taking a refcount, make sure the object is not already
+scheduled for deletion.
+
+Same fix is needed in ipv6_flowlabel_opt()
+
+Fixes: 18367681a10b ("ipv6 flowlabel: Convert np->ipv6_fl_list to RCU.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_flowlabel.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/ip6_flowlabel.c
++++ b/net/ipv6/ip6_flowlabel.c
+@@ -254,9 +254,9 @@ struct ip6_flowlabel *fl6_sock_lookup(st
+ rcu_read_lock_bh();
+ for_each_sk_fl_rcu(np, sfl) {
+ struct ip6_flowlabel *fl = sfl->fl;
+- if (fl->label == label) {
++
++ if (fl->label == label && atomic_inc_not_zero(&fl->users)) {
+ fl->lastuse = jiffies;
+- atomic_inc(&fl->users);
+ rcu_read_unlock_bh();
+ return fl;
+ }
+@@ -622,7 +622,8 @@ int ipv6_flowlabel_opt(struct sock *sk,
+ goto done;
+ }
+ fl1 = sfl->fl;
+- atomic_inc(&fl1->users);
++ if (!atomic_inc_not_zero(&fl1->users))
++ fl1 = NULL;
+ break;
+ }
+ }
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Sun, 16 Jun 2019 16:54:37 +0100
+Subject: lapb: fixed leak of control-blocks.
+
+From: Jeremy Sowden <jeremy@azazel.net>
+
+[ Upstream commit 6be8e297f9bcea666ea85ac7a6cd9d52d6deaf92 ]
+
+lapb_register calls lapb_create_cb, which initializes the control-
+block's ref-count to one, and __lapb_insert_cb, which increments it when
+adding the new block to the list of blocks.
+
+lapb_unregister calls __lapb_remove_cb, which decrements the ref-count
+when removing control-block from the list of blocks, and calls lapb_put
+itself to decrement the ref-count before returning.
+
+However, lapb_unregister also calls __lapb_devtostruct to look up the
+right control-block for the given net_device, and __lapb_devtostruct
+also bumps the ref-count, which means that when lapb_unregister returns
+the ref-count is still 1 and the control-block is leaked.
+
+Call lapb_put after __lapb_devtostruct to fix leak.
+
+Reported-by: syzbot+afb980676c836b4a0afa@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/lapb/lapb_iface.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/lapb/lapb_iface.c
++++ b/net/lapb/lapb_iface.c
+@@ -182,6 +182,7 @@ int lapb_unregister(struct net_device *d
+ lapb = __lapb_devtostruct(dev);
+ if (!lapb)
+ goto out;
++ lapb_put(lapb);
+
+ lapb_stop_t1timer(lapb);
+ lapb_stop_t2timer(lapb);
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 15 Jun 2019 16:28:48 -0700
+Subject: neigh: fix use-after-free read in pneigh_get_next
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f3e92cb8e2eb8c27d109e6fd73d3a69a8c09e288 ]
+
+Nine years ago, I added RCU handling to neighbours, not pneighbours.
+(pneigh are not commonly used)
+
+Unfortunately I missed that /proc dump operations would use a
+common entry and exit point : neigh_seq_start() and neigh_seq_stop()
+
+We need to read_lock(tbl->lock) or risk use-after-free while
+iterating the pneigh structures.
+
+We might later convert pneigh to RCU and revert this patch.
+
+sysbot reported :
+
+BUG: KASAN: use-after-free in pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158
+Read of size 8 at addr ffff888097f2a700 by task syz-executor.0/9825
+
+CPU: 1 PID: 9825 Comm: syz-executor.0 Not tainted 5.2.0-rc4+ #32
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
+ __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
+ kasan_report+0x12/0x20 mm/kasan/common.c:614
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
+ pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158
+ neigh_seq_next+0xdb/0x210 net/core/neighbour.c:3240
+ seq_read+0x9cf/0x1110 fs/seq_file.c:258
+ proc_reg_read+0x1fc/0x2c0 fs/proc/inode.c:221
+ do_loop_readv_writev fs/read_write.c:714 [inline]
+ do_loop_readv_writev fs/read_write.c:701 [inline]
+ do_iter_read+0x4a4/0x660 fs/read_write.c:935
+ vfs_readv+0xf0/0x160 fs/read_write.c:997
+ kernel_readv fs/splice.c:359 [inline]
+ default_file_splice_read+0x475/0x890 fs/splice.c:414
+ do_splice_to+0x127/0x180 fs/splice.c:877
+ splice_direct_to_actor+0x2d2/0x970 fs/splice.c:954
+ do_splice_direct+0x1da/0x2a0 fs/splice.c:1063
+ do_sendfile+0x597/0xd00 fs/read_write.c:1464
+ __do_sys_sendfile64 fs/read_write.c:1525 [inline]
+ __se_sys_sendfile64 fs/read_write.c:1511 [inline]
+ __x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1511
+ do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x4592c9
+Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f4aab51dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
+RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004592c9
+RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
+RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000080000000 R11: 0000000000000246 R12: 00007f4aab51e6d4
+R13: 00000000004c689d R14: 00000000004db828 R15: 00000000ffffffff
+
+Allocated by task 9827:
+ save_stack+0x23/0x90 mm/kasan/common.c:71
+ set_track mm/kasan/common.c:79 [inline]
+ __kasan_kmalloc mm/kasan/common.c:489 [inline]
+ __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
+ kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
+ __do_kmalloc mm/slab.c:3660 [inline]
+ __kmalloc+0x15c/0x740 mm/slab.c:3669
+ kmalloc include/linux/slab.h:552 [inline]
+ pneigh_lookup+0x19c/0x4a0 net/core/neighbour.c:731
+ arp_req_set_public net/ipv4/arp.c:1010 [inline]
+ arp_req_set+0x613/0x720 net/ipv4/arp.c:1026
+ arp_ioctl+0x652/0x7f0 net/ipv4/arp.c:1226
+ inet_ioctl+0x2a0/0x340 net/ipv4/af_inet.c:926
+ sock_do_ioctl+0xd8/0x2f0 net/socket.c:1043
+ sock_ioctl+0x3ed/0x780 net/socket.c:1194
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:509 [inline]
+ do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696
+ ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
+ __do_sys_ioctl fs/ioctl.c:720 [inline]
+ __se_sys_ioctl fs/ioctl.c:718 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
+ do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 9824:
+ save_stack+0x23/0x90 mm/kasan/common.c:71
+ set_track mm/kasan/common.c:79 [inline]
+ __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
+ kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
+ __cache_free mm/slab.c:3432 [inline]
+ kfree+0xcf/0x220 mm/slab.c:3755
+ pneigh_ifdown_and_unlock net/core/neighbour.c:812 [inline]
+ __neigh_ifdown+0x236/0x2f0 net/core/neighbour.c:356
+ neigh_ifdown+0x20/0x30 net/core/neighbour.c:372
+ arp_ifdown+0x1d/0x21 net/ipv4/arp.c:1274
+ inetdev_destroy net/ipv4/devinet.c:319 [inline]
+ inetdev_event+0xa14/0x11f0 net/ipv4/devinet.c:1544
+ notifier_call_chain+0xc2/0x230 kernel/notifier.c:95
+ __raw_notifier_call_chain kernel/notifier.c:396 [inline]
+ raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:403
+ call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1749
+ call_netdevice_notifiers_extack net/core/dev.c:1761 [inline]
+ call_netdevice_notifiers net/core/dev.c:1775 [inline]
+ rollback_registered_many+0x9b9/0xfc0 net/core/dev.c:8178
+ rollback_registered+0x109/0x1d0 net/core/dev.c:8220
+ unregister_netdevice_queue net/core/dev.c:9267 [inline]
+ unregister_netdevice_queue+0x1ee/0x2c0 net/core/dev.c:9260
+ unregister_netdevice include/linux/netdevice.h:2631 [inline]
+ __tun_detach+0xd8a/0x1040 drivers/net/tun.c:724
+ tun_detach drivers/net/tun.c:741 [inline]
+ tun_chr_close+0xe0/0x180 drivers/net/tun.c:3451
+ __fput+0x2ff/0x890 fs/file_table.c:280
+ ____fput+0x16/0x20 fs/file_table.c:313
+ task_work_run+0x145/0x1c0 kernel/task_work.c:113
+ tracehook_notify_resume include/linux/tracehook.h:185 [inline]
+ exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:168
+ prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
+ syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
+ do_syscall_64+0x58e/0x680 arch/x86/entry/common.c:304
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff888097f2a700
+ which belongs to the cache kmalloc-64 of size 64
+The buggy address is located 0 bytes inside of
+ 64-byte region [ffff888097f2a700, ffff888097f2a740)
+The buggy address belongs to the page:
+page:ffffea00025fca80 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0
+flags: 0x1fffc0000000200(slab)
+raw: 01fffc0000000200 ffffea000250d548 ffffea00025726c8 ffff8880aa400340
+raw: 0000000000000000 ffff888097f2a000 0000000100000020 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888097f2a600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+ ffff888097f2a680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+>ffff888097f2a700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ^
+ ffff888097f2a780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff888097f2a800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+
+Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -2751,6 +2751,7 @@ static void *neigh_get_idx_any(struct se
+ }
+
+ void *neigh_seq_start(struct seq_file *seq, loff_t *pos, struct neigh_table *tbl, unsigned int neigh_seq_flags)
++ __acquires(tbl->lock)
+ __acquires(rcu_bh)
+ {
+ struct neigh_seq_state *state = seq->private;
+@@ -2761,6 +2762,7 @@ void *neigh_seq_start(struct seq_file *s
+
+ rcu_read_lock_bh();
+ state->nht = rcu_dereference_bh(tbl->nht);
++ read_lock(&tbl->lock);
+
+ return *pos ? neigh_get_idx_any(seq, pos) : SEQ_START_TOKEN;
+ }
+@@ -2794,8 +2796,13 @@ out:
+ EXPORT_SYMBOL(neigh_seq_next);
+
+ void neigh_seq_stop(struct seq_file *seq, void *v)
++ __releases(tbl->lock)
+ __releases(rcu_bh)
+ {
++ struct neigh_seq_state *state = seq->private;
++ struct neigh_table *tbl = state->tbl;
++
++ read_unlock(&tbl->lock);
+ rcu_read_unlock_bh();
+ }
+ EXPORT_SYMBOL(neigh_seq_stop);
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Fri, 14 Jun 2019 00:25:20 +0200
+Subject: net: dsa: rtl8366: Fix up VLAN filtering
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 760c80b70bed2cd01630e8595d1bbde910339f31 ]
+
+We get this regression when using RTL8366RB as part of a bridge
+with OpenWrt:
+
+WARNING: CPU: 0 PID: 1347 at net/switchdev/switchdev.c:291
+ switchdev_port_attr_set_now+0x80/0xa4
+lan0: Commit of attribute (id=7) failed.
+(...)
+realtek-smi switch lan0: failed to initialize vlan filtering on this port
+
+This is because it is trying to disable VLAN filtering
+on VLAN0, as we have forgot to add 1 to the port number
+to get the right VLAN in rtl8366_vlan_filtering(): when
+we initialize the VLAN we associate VLAN1 with port 0,
+VLAN2 with port 1 etc, so we need to add 1 to the port
+offset.
+
+Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/rtl8366.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/dsa/rtl8366.c
++++ b/drivers/net/dsa/rtl8366.c
+@@ -307,7 +307,8 @@ int rtl8366_vlan_filtering(struct dsa_sw
+ struct rtl8366_vlan_4k vlan4k;
+ int ret;
+
+- if (!smi->ops->is_vlan_valid(smi, port))
++ /* Use VLAN nr port + 1 since VLAN0 is not valid */
++ if (!smi->ops->is_vlan_valid(smi, port + 1))
+ return -EINVAL;
+
+ dev_info(smi->dev, "%s filtering on port %d\n",
+@@ -318,12 +319,12 @@ int rtl8366_vlan_filtering(struct dsa_sw
+ * The hardware support filter ID (FID) 0..7, I have no clue how to
+ * support this in the driver when the callback only says on/off.
+ */
+- ret = smi->ops->get_vlan_4k(smi, port, &vlan4k);
++ ret = smi->ops->get_vlan_4k(smi, port + 1, &vlan4k);
+ if (ret)
+ return ret;
+
+ /* Just set the filter to FID 1 for now then */
+- ret = rtl8366_set_vlan(smi, port,
++ ret = rtl8366_set_vlan(smi, port + 1,
+ vlan4k.member,
+ vlan4k.untag,
+ 1);
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: Alaa Hleihel <alaa@mellanox.com>
+Date: Sun, 19 May 2019 11:11:49 +0300
+Subject: net/mlx5: Avoid reloading already removed devices
+
+From: Alaa Hleihel <alaa@mellanox.com>
+
+Prior to reloading a device we must first verify that it was not already
+removed. Otherwise, the attempt to remove the device will do nothing, and
+in that case we will end up proceeding with adding an new device that no
+one was expecting to remove, leaving behind used resources such as EQs that
+causes a failure to destroy comp EQs and syndrome (0x30f433).
+
+Fix that by making sure that we try to remove and add a device (based on a
+protocol) only if the device is already added.
+
+Fixes: c5447c70594b ("net/mlx5: E-Switch, Reload IB interface when switching devlink modes")
+Signed-off-by: Alaa Hleihel <alaa@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/dev.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c
+@@ -342,11 +342,32 @@ void mlx5_unregister_interface(struct ml
+ }
+ EXPORT_SYMBOL(mlx5_unregister_interface);
+
++/* Must be called with intf_mutex held */
++static bool mlx5_has_added_dev_by_protocol(struct mlx5_core_dev *mdev, int protocol)
++{
++ struct mlx5_device_context *dev_ctx;
++ struct mlx5_interface *intf;
++ bool found = false;
++
++ list_for_each_entry(intf, &intf_list, list) {
++ if (intf->protocol == protocol) {
++ dev_ctx = mlx5_get_device(intf, &mdev->priv);
++ if (dev_ctx && test_bit(MLX5_INTERFACE_ADDED, &dev_ctx->state))
++ found = true;
++ break;
++ }
++ }
++
++ return found;
++}
++
+ void mlx5_reload_interface(struct mlx5_core_dev *mdev, int protocol)
+ {
+ mutex_lock(&mlx5_intf_mutex);
+- mlx5_remove_dev_by_protocol(mdev, protocol);
+- mlx5_add_dev_by_protocol(mdev, protocol);
++ if (mlx5_has_added_dev_by_protocol(mdev, protocol)) {
++ mlx5_remove_dev_by_protocol(mdev, protocol);
++ mlx5_add_dev_by_protocol(mdev, protocol);
++ }
+ mutex_unlock(&mlx5_intf_mutex);
+ }
+
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Date: Tue, 11 Jun 2019 11:51:42 +0200
+Subject: net: mvpp2: prs: Fix parser range for VID filtering
+
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+
+[ Upstream commit 46b0090a6636cf34c0e856f15dd03e15ba4cdda6 ]
+
+VID filtering is implemented in the Header Parser, with one range of 11
+vids being assigned for each no-loopback port.
+
+Make sure we use the per-port range when looking for existing entries in
+the Parser.
+
+Since we used a global range instead of a per-port one, this causes VIDs
+to be removed from the whitelist from all ports of the same PPv2
+instance.
+
+Fixes: 56beda3db602 ("net: mvpp2: Add hardware offloading for VLAN filtering")
+Suggested-by: Yuri Chipchev <yuric@marvell.com>
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
+@@ -1905,8 +1905,7 @@ static int mvpp2_prs_ip6_init(struct mvp
+ }
+
+ /* Find tcam entry with matched pair <vid,port> */
+-static int mvpp2_prs_vid_range_find(struct mvpp2 *priv, int pmap, u16 vid,
+- u16 mask)
++static int mvpp2_prs_vid_range_find(struct mvpp2_port *port, u16 vid, u16 mask)
+ {
+ unsigned char byte[2], enable[2];
+ struct mvpp2_prs_entry pe;
+@@ -1914,13 +1913,13 @@ static int mvpp2_prs_vid_range_find(stru
+ int tid;
+
+ /* Go through the all entries with MVPP2_PRS_LU_VID */
+- for (tid = MVPP2_PE_VID_FILT_RANGE_START;
+- tid <= MVPP2_PE_VID_FILT_RANGE_END; tid++) {
+- if (!priv->prs_shadow[tid].valid ||
+- priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VID)
++ for (tid = MVPP2_PRS_VID_PORT_FIRST(port->id);
++ tid <= MVPP2_PRS_VID_PORT_LAST(port->id); tid++) {
++ if (!port->priv->prs_shadow[tid].valid ||
++ port->priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VID)
+ continue;
+
+- mvpp2_prs_init_from_hw(priv, &pe, tid);
++ mvpp2_prs_init_from_hw(port->priv, &pe, tid);
+
+ mvpp2_prs_tcam_data_byte_get(&pe, 2, &byte[0], &enable[0]);
+ mvpp2_prs_tcam_data_byte_get(&pe, 3, &byte[1], &enable[1]);
+@@ -1950,7 +1949,7 @@ int mvpp2_prs_vid_entry_add(struct mvpp2
+ memset(&pe, 0, sizeof(pe));
+
+ /* Scan TCAM and see if entry with this <vid,port> already exist */
+- tid = mvpp2_prs_vid_range_find(priv, (1 << port->id), vid, mask);
++ tid = mvpp2_prs_vid_range_find(port, vid, mask);
+
+ reg_val = mvpp2_read(priv, MVPP2_MH_REG(port->id));
+ if (reg_val & MVPP2_DSA_EXTENDED)
+@@ -2008,7 +2007,7 @@ void mvpp2_prs_vid_entry_remove(struct m
+ int tid;
+
+ /* Scan TCAM and see if entry with this <vid,port> already exist */
+- tid = mvpp2_prs_vid_range_find(priv, (1 << port->id), vid, 0xfff);
++ tid = mvpp2_prs_vid_range_find(port, vid, 0xfff);
+
+ /* No such entry */
+ if (tid < 0)
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Date: Tue, 11 Jun 2019 11:51:43 +0200
+Subject: net: mvpp2: prs: Use the correct helpers when removing all VID filters
+
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+
+[ Upstream commit 6b7a3430c163455cf8a514d636bda52b04654972 ]
+
+When removing all VID filters, the mvpp2_prs_vid_entry_remove would be
+called with the TCAM id incorrectly used as a VID, causing the wrong
+TCAM entries to be invalidated.
+
+Fix this by directly invalidating entries in the VID range.
+
+Fixes: 56beda3db602 ("net: mvpp2: Add hardware offloading for VLAN filtering")
+Suggested-by: Yuri Chipchev <yuric@marvell.com>
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
+@@ -2025,8 +2025,10 @@ void mvpp2_prs_vid_remove_all(struct mvp
+
+ for (tid = MVPP2_PRS_VID_PORT_FIRST(port->id);
+ tid <= MVPP2_PRS_VID_PORT_LAST(port->id); tid++) {
+- if (priv->prs_shadow[tid].valid)
+- mvpp2_prs_vid_entry_remove(port, tid);
++ if (priv->prs_shadow[tid].valid) {
++ mvpp2_prs_hw_inv(priv, tid);
++ priv->prs_shadow[tid].valid = false;
++ }
+ }
+ }
+
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Sun, 9 Jun 2019 23:26:21 +0900
+Subject: net: openvswitch: do not free vport if register_netdevice() is failed.
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 309b66970ee2abf721ecd0876a48940fa0b99a35 ]
+
+In order to create an internal vport, internal_dev_create() is used and
+that calls register_netdevice() internally.
+If register_netdevice() fails, it calls dev->priv_destructor() to free
+private data of netdev. actually, a private data of this is a vport.
+
+Hence internal_dev_create() should not free and use a vport after failure
+of register_netdevice().
+
+Test command
+ ovs-dpctl add-dp bonding_masters
+
+Splat looks like:
+[ 1035.667767] kasan: GPF could be caused by NULL-ptr deref or user memory access
+[ 1035.675958] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[ 1035.676916] CPU: 1 PID: 1028 Comm: ovs-vswitchd Tainted: G B 5.2.0-rc3+ #240
+[ 1035.676916] RIP: 0010:internal_dev_create+0x2e5/0x4e0 [openvswitch]
+[ 1035.676916] Code: 48 c1 ea 03 80 3c 02 00 0f 85 9f 01 00 00 4c 8b 23 48 b8 00 00 00 00 00 fc ff df 49 8d bc 24 60 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 86 01 00 00 49 8b bc 24 60 05 00 00 e8 e4 68 f4
+[ 1035.713720] RSP: 0018:ffff88810dcb7578 EFLAGS: 00010206
+[ 1035.713720] RAX: dffffc0000000000 RBX: ffff88810d13fe08 RCX: ffffffff84297704
+[ 1035.713720] RDX: 00000000000000ac RSI: 0000000000000000 RDI: 0000000000000560
+[ 1035.713720] RBP: 00000000ffffffef R08: fffffbfff0d3b881 R09: fffffbfff0d3b881
+[ 1035.713720] R10: 0000000000000001 R11: fffffbfff0d3b880 R12: 0000000000000000
+[ 1035.768776] R13: 0000607ee460b900 R14: ffff88810dcb7690 R15: ffff88810dcb7698
+[ 1035.777709] FS: 00007f02095fc980(0000) GS:ffff88811b400000(0000) knlGS:0000000000000000
+[ 1035.777709] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1035.777709] CR2: 00007ffdf01d2f28 CR3: 0000000108258000 CR4: 00000000001006e0
+[ 1035.777709] Call Trace:
+[ 1035.777709] ovs_vport_add+0x267/0x4f0 [openvswitch]
+[ 1035.777709] new_vport+0x15/0x1e0 [openvswitch]
+[ 1035.777709] ovs_vport_cmd_new+0x567/0xd10 [openvswitch]
+[ 1035.777709] ? ovs_dp_cmd_dump+0x490/0x490 [openvswitch]
+[ 1035.777709] ? __kmalloc+0x131/0x2e0
+[ 1035.777709] ? genl_family_rcv_msg+0xa54/0x1030
+[ 1035.777709] genl_family_rcv_msg+0x63a/0x1030
+[ 1035.777709] ? genl_unregister_family+0x630/0x630
+[ 1035.841681] ? debug_show_all_locks+0x2d0/0x2d0
+[ ... ]
+
+Fixes: cf124db566e6 ("net: Fix inconsistent teardown and release of private netdev state.")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Reviewed-by: Greg Rose <gvrose8192@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/vport-internal_dev.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/net/openvswitch/vport-internal_dev.c
++++ b/net/openvswitch/vport-internal_dev.c
+@@ -169,7 +169,9 @@ static struct vport *internal_dev_create
+ {
+ struct vport *vport;
+ struct internal_dev *internal_dev;
++ struct net_device *dev;
+ int err;
++ bool free_vport = true;
+
+ vport = ovs_vport_alloc(0, &ovs_internal_vport_ops, parms);
+ if (IS_ERR(vport)) {
+@@ -177,8 +179,9 @@ static struct vport *internal_dev_create
+ goto error;
+ }
+
+- vport->dev = alloc_netdev(sizeof(struct internal_dev),
+- parms->name, NET_NAME_USER, do_setup);
++ dev = alloc_netdev(sizeof(struct internal_dev),
++ parms->name, NET_NAME_USER, do_setup);
++ vport->dev = dev;
+ if (!vport->dev) {
+ err = -ENOMEM;
+ goto error_free_vport;
+@@ -199,8 +202,10 @@ static struct vport *internal_dev_create
+
+ rtnl_lock();
+ err = register_netdevice(vport->dev);
+- if (err)
++ if (err) {
++ free_vport = false;
+ goto error_unlock;
++ }
+
+ dev_set_promiscuity(vport->dev, 1);
+ rtnl_unlock();
+@@ -210,11 +215,12 @@ static struct vport *internal_dev_create
+
+ error_unlock:
+ rtnl_unlock();
+- free_percpu(vport->dev->tstats);
++ free_percpu(dev->tstats);
+ error_free_netdev:
+- free_netdev(vport->dev);
++ free_netdev(dev);
+ error_free_vport:
+- ovs_vport_free(vport);
++ if (free_vport)
++ ovs_vport_free(vport);
+ error:
+ return ERR_PTR(err);
+ }
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+Date: Thu, 13 Jun 2019 09:37:51 +0300
+Subject: net: phylink: set the autoneg state in phylink_phy_change
+
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+
+[ Upstream commit ef7bfa84725d891bbdb88707ed55b2cbf94942bb ]
+
+The phy_state field of phylink should carry only valid information
+especially when this can be passed to the .mac_config callback.
+Update the an_enabled field with the autoneg state in the
+phylink_phy_change function.
+
+Fixes: 9525ae83959b ("phylink: add phylink infrastructure")
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phylink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/phylink.c
++++ b/drivers/net/phy/phylink.c
+@@ -662,6 +662,7 @@ static void phylink_phy_change(struct ph
+ pl->phy_state.pause |= MLO_PAUSE_ASYM;
+ pl->phy_state.interface = phydev->interface;
+ pl->phy_state.link = up;
++ pl->phy_state.an_enabled = phydev->autoneg;
+ mutex_unlock(&pl->state_mutex);
+
+ phylink_run_resolve(pl);
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: Young Xiao <92siuyang@gmail.com>
+Date: Fri, 14 Jun 2019 15:13:02 +0800
+Subject: nfc: Ensure presence of required attributes in the deactivate_target handler
+
+From: Young Xiao <92siuyang@gmail.com>
+
+[ Upstream commit 385097a3675749cbc9e97c085c0e5dfe4269ca51 ]
+
+Check that the NFC_ATTR_TARGET_INDEX attributes (in addition to
+NFC_ATTR_DEVICE_INDEX) are provided by the netlink client prior to
+accessing them. This prevents potential unhandled NULL pointer dereference
+exceptions which can be triggered by malicious user-mode programs,
+if they omit one or both of these attributes.
+
+Signed-off-by: Young Xiao <92siuyang@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/netlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -922,7 +922,8 @@ static int nfc_genl_deactivate_target(st
+ u32 device_idx, target_idx;
+ int rc;
+
+- if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
++ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] ||
++ !info->attrs[NFC_ATTR_TARGET_INDEX])
+ return -EINVAL;
+
+ device_idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Thu, 13 Jun 2019 06:35:59 -0400
+Subject: sctp: Free cookie before we memdup a new one
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+[ Upstream commit ce950f1050cece5e406a5cde723c69bba60e1b26 ]
+
+Based on comments from Xin, even after fixes for our recent syzbot
+report of cookie memory leaks, its possible to get a resend of an INIT
+chunk which would lead to us leaking cookie memory.
+
+To ensure that we don't leak cookie memory, free any previously
+allocated cookie first.
+
+Change notes
+v1->v2
+update subsystem tag in subject (davem)
+repeat kfree check for peer_random and peer_hmacs (xin)
+
+v2->v3
+net->sctp
+also free peer_chunks
+
+v3->v4
+fix subject tags
+
+v4->v5
+remove cut line
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
+CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+CC: Xin Long <lucien.xin@gmail.com>
+CC: "David S. Miller" <davem@davemloft.net>
+CC: netdev@vger.kernel.org
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_make_chunk.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2600,6 +2600,8 @@ do_addr_param:
+ case SCTP_PARAM_STATE_COOKIE:
+ asoc->peer.cookie_len =
+ ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
++ if (asoc->peer.cookie)
++ kfree(asoc->peer.cookie);
+ asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
+ if (!asoc->peer.cookie)
+ retval = 0;
+@@ -2664,6 +2666,8 @@ do_addr_param:
+ goto fall_through;
+
+ /* Save peer's random parameter */
++ if (asoc->peer.peer_random)
++ kfree(asoc->peer.peer_random);
+ asoc->peer.peer_random = kmemdup(param.p,
+ ntohs(param.p->length), gfp);
+ if (!asoc->peer.peer_random) {
+@@ -2677,6 +2681,8 @@ do_addr_param:
+ goto fall_through;
+
+ /* Save peer's HMAC list */
++ if (asoc->peer.peer_hmacs)
++ kfree(asoc->peer.peer_hmacs);
+ asoc->peer.peer_hmacs = kmemdup(param.p,
+ ntohs(param.p->length), gfp);
+ if (!asoc->peer.peer_hmacs) {
+@@ -2692,6 +2698,8 @@ do_addr_param:
+ if (!ep->auth_enable)
+ goto fall_through;
+
++ if (asoc->peer.peer_chunks)
++ kfree(asoc->peer.peer_chunks);
+ asoc->peer.peer_chunks = kmemdup(param.p,
+ ntohs(param.p->length), gfp);
+ if (!asoc->peer.peer_chunks)
--- /dev/null
+ax25-fix-inconsistent-lock-state-in-ax25_destroy_timer.patch
+be2net-fix-number-of-rx-queues-used-for-flow-hashing.patch
+hv_netvsc-set-probe-mode-to-sync.patch
+ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_not_zero.patch
+lapb-fixed-leak-of-control-blocks.patch
+neigh-fix-use-after-free-read-in-pneigh_get_next.patch
+net-dsa-rtl8366-fix-up-vlan-filtering.patch
+net-openvswitch-do-not-free-vport-if-register_netdevice-is-failed.patch
+net-phylink-set-the-autoneg-state-in-phylink_phy_change.patch
+nfc-ensure-presence-of-required-attributes-in-the-deactivate_target-handler.patch
+sctp-free-cookie-before-we-memdup-a-new-one.patch
+sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch
+tipc-purge-deferredq-list-for-each-grp-member-in-tipc_group_delete.patch
+vsock-virtio-set-sock_done-on-peer-shutdown.patch
+net-mlx5-avoid-reloading-already-removed-devices.patch
+net-mvpp2-prs-fix-parser-range-for-vid-filtering.patch
+net-mvpp2-prs-use-the-correct-helpers-when-removing-all-vid-filters.patch
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Date: Tue, 11 Jun 2019 17:38:37 +0200
+Subject: sunhv: Fix device naming inconsistency between sunhv_console and sunhv_reg
+
+From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+
+[ Upstream commit 07a6d63eb1b54b5fb38092780fe618dfe1d96e23 ]
+
+In d5a2aa24, the name in struct console sunhv_console was changed from "ttyS"
+to "ttyHV" while the name in struct uart_ops sunhv_pops remained unchanged.
+
+This results in the hypervisor console device to be listed as "ttyHV0" under
+/proc/consoles while the device node is still named "ttyS0":
+
+root@osaka:~# cat /proc/consoles
+ttyHV0 -W- (EC p ) 4:64
+tty0 -WU (E ) 4:1
+root@osaka:~# readlink /sys/dev/char/4:64
+../../devices/root/f02836f0/f0285690/tty/ttyS0
+root@osaka:~#
+
+This means that any userland code which tries to determine the name of the
+device file of the hypervisor console device can not rely on the information
+provided by /proc/consoles. In particular, booting current versions of debian-
+installer inside a SPARC LDOM will fail with the installer unable to determine
+the console device.
+
+After renaming the device in struct uart_ops sunhv_pops to "ttyHV" as well,
+the inconsistency is fixed and it is possible again to determine the name
+of the device file of the hypervisor console device by reading the contents
+of /proc/console:
+
+root@osaka:~# cat /proc/consoles
+ttyHV0 -W- (EC p ) 4:64
+tty0 -WU (E ) 4:1
+root@osaka:~# readlink /sys/dev/char/4:64
+../../devices/root/f02836f0/f0285690/tty/ttyHV0
+root@osaka:~#
+
+With this change, debian-installer works correctly when installing inside
+a SPARC LDOM.
+
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sunhv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/sunhv.c
++++ b/drivers/tty/serial/sunhv.c
+@@ -397,7 +397,7 @@ static const struct uart_ops sunhv_pops
+ static struct uart_driver sunhv_reg = {
+ .owner = THIS_MODULE,
+ .driver_name = "sunhv",
+- .dev_name = "ttyS",
++ .dev_name = "ttyHV",
+ .major = TTY_MAJOR,
+ };
+
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 16 Jun 2019 17:24:07 +0800
+Subject: tipc: purge deferredq list for each grp member in tipc_group_delete
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 5cf02612b33f104fe1015b2dfaf1758ad3675588 ]
+
+Syzbot reported a memleak caused by grp members' deferredq list not
+purged when the grp is be deleted.
+
+The issue occurs when more(msg_grp_bc_seqno(hdr), m->bc_rcv_nxt) in
+tipc_group_filter_msg() and the skb will stay in deferredq.
+
+So fix it by calling __skb_queue_purge for each member's deferredq
+in tipc_group_delete() when a tipc sk leaves the grp.
+
+Fixes: b87a5ea31c93 ("tipc: guarantee group unicast doesn't bypass group broadcast")
+Reported-by: syzbot+78fbe679c8ca8d264a8d@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/group.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/tipc/group.c
++++ b/net/tipc/group.c
+@@ -218,6 +218,7 @@ void tipc_group_delete(struct net *net,
+
+ rbtree_postorder_for_each_entry_safe(m, tmp, tree, tree_node) {
+ tipc_group_proto_xmit(grp, m, GRP_LEAVE_MSG, &xmitq);
++ __skb_queue_purge(&m->deferredq);
+ list_del(&m->list);
+ kfree(m);
+ }
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:34:37 PM CEST
+From: Stephen Barber <smbarber@chromium.org>
+Date: Fri, 14 Jun 2019 23:42:37 -0700
+Subject: vsock/virtio: set SOCK_DONE on peer shutdown
+
+From: Stephen Barber <smbarber@chromium.org>
+
+[ Upstream commit 42f5cda5eaf4396a939ae9bb43bb8d1d09c1b15c ]
+
+Set the SOCK_DONE flag to match the TCP_CLOSING state when a peer has
+shut down and there is nothing left to read.
+
+This fixes the following bug:
+1) Peer sends SHUTDOWN(RDWR).
+2) Socket enters TCP_CLOSING but SOCK_DONE is not set.
+3) read() returns -ENOTCONN until close() is called, then returns 0.
+
+Signed-off-by: Stephen Barber <smbarber@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -871,8 +871,10 @@ virtio_transport_recv_connected(struct s
+ if (le32_to_cpu(pkt->hdr.flags) & VIRTIO_VSOCK_SHUTDOWN_SEND)
+ vsk->peer_shutdown |= SEND_SHUTDOWN;
+ if (vsk->peer_shutdown == SHUTDOWN_MASK &&
+- vsock_stream_has_data(vsk) <= 0)
++ vsock_stream_has_data(vsk) <= 0) {
++ sock_set_flag(sk, SOCK_DONE);
+ sk->sk_state = TCP_CLOSING;
++ }
+ if (le32_to_cpu(pkt->hdr.flags))
+ sk->sk_state_change(sk);
+ break;
projects / thirdparty / kernel / stable-queue.git / commitdiff
