Fixes for 4.14
authorSasha Levin <sashal@kernel.org>
Thu, 1 Apr 2021 17:31:27 +0000 (13:31 -0400)
committerSasha Levin <sashal@kernel.org>
Thu, 1 Apr 2021 17:31:27 +0000 (13:31 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.14/appletalk-fix-skb-allocation-size-in-loopback-case.patch [new file with mode: 0644]
queue-4.14/brcmfmac-clear-eap-association-status-bits-on-linkdo.patch [new file with mode: 0644]
queue-4.14/can-dev-move-driver-related-infrastructure-into-sepa.patch [new file with mode: 0644]
queue-4.14/net-ethernet-aquantia-handle-error-cleanup-of-start-.patch [new file with mode: 0644]
queue-4.14/net-wan-lmc-unregister-device-when-no-matching-devic.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/appletalk-fix-skb-allocation-size-in-loopback-case.patch b/queue-4.14/appletalk-fix-skb-allocation-size-in-loopback-case.patch
new file mode 100644 (file)
index 0000000..b032bc3
--- /dev/null
@@ -0,0 +1,99 @@
+From a6ce84fcf27edf1434b6682e5a974df713b1d535 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Feb 2021 21:27:54 -0800
+Subject: appletalk: Fix skb allocation size in loopback case
+
+From: Doug Brown <doug@schmorgal.com>
+
+[ Upstream commit 39935dccb21c60f9bbf1bb72d22ab6fd14ae7705 ]
+
+If a DDP broadcast packet is sent out to a non-gateway target, it is
+also looped back. There is a potential for the loopback device to have a
+longer hardware header length than the original target route's device,
+which can result in the skb not being created with enough room for the
+loopback device's hardware header. This patch fixes the issue by
+determining that a loopback will be necessary prior to allocating the
+skb, and if so, ensuring the skb has enough room.
+
+This was discovered while testing a new driver that creates a LocalTalk
+network interface (LTALK_HLEN = 1). It caused an skb_under_panic.
+
+Signed-off-by: Doug Brown <doug@schmorgal.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/appletalk/ddp.c | 33 +++++++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index b4268bd2e557..36a67e62710c 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1575,8 +1575,8 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+       struct sk_buff *skb;
+       struct net_device *dev;
+       struct ddpehdr *ddp;
+-      int size;
+-      struct atalk_route *rt;
++      int size, hard_header_len;
++      struct atalk_route *rt, *rt_lo = NULL;
+       int err;
+       if (flags & ~(MSG_DONTWAIT|MSG_CMSG_COMPAT))
+@@ -1639,7 +1639,22 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+       SOCK_DEBUG(sk, "SK %p: Size needed %d, device %s\n",
+                       sk, size, dev->name);
+-      size += dev->hard_header_len;
++      hard_header_len = dev->hard_header_len;
++      /* Leave room for loopback hardware header if necessary */
++      if (usat->sat_addr.s_node == ATADDR_BCAST &&
++          (dev->flags & IFF_LOOPBACK || !(rt->flags & RTF_GATEWAY))) {
++              struct atalk_addr at_lo;
++
++              at_lo.s_node = 0;
++              at_lo.s_net  = 0;
++
++              rt_lo = atrtr_find(&at_lo);
++
++              if (rt_lo && rt_lo->dev->hard_header_len > hard_header_len)
++                      hard_header_len = rt_lo->dev->hard_header_len;
++      }
++
++      size += hard_header_len;
+       release_sock(sk);
+       skb = sock_alloc_send_skb(sk, size, (flags & MSG_DONTWAIT), &err);
+       lock_sock(sk);
+@@ -1647,7 +1662,7 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+               goto out;
+       skb_reserve(skb, ddp_dl->header_length);
+-      skb_reserve(skb, dev->hard_header_len);
++      skb_reserve(skb, hard_header_len);
+       skb->dev = dev;
+       SOCK_DEBUG(sk, "SK %p: Begin build.\n", sk);
+@@ -1698,18 +1713,12 @@ static int atalk_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
+               /* loop back */
+               skb_orphan(skb);
+               if (ddp->deh_dnode == ATADDR_BCAST) {
+-                      struct atalk_addr at_lo;
+-
+-                      at_lo.s_node = 0;
+-                      at_lo.s_net  = 0;
+-
+-                      rt = atrtr_find(&at_lo);
+-                      if (!rt) {
++                      if (!rt_lo) {
+                               kfree_skb(skb);
+                               err = -ENETUNREACH;
+                               goto out;
+                       }
+-                      dev = rt->dev;
++                      dev = rt_lo->dev;
+                       skb->dev = dev;
+               }
+               ddp_dl->request(ddp_dl, skb, dev->dev_addr);
+-- 
+2.30.1
+
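Review bot: In the atalk_sendmsg hunk at -1639, `rt_lo` is now looked up with atrtr_find() before `release_sock(sk)` and the possibly sleeping `sock_alloc_send_skb()`, but it is only dereferenced much later at `dev = rt_lo->dev`. Nothing visible in these hunks takes a reference on the route or its device, so if a route can be removed while the socket lock is dropped (to be confirmed against atrtr_find and the route-delete path), the pointer is held across a longer window than in the old code, which did the lookup immediately before use. The new headroom test also repeats the loop-back decision made further down, outside the lines shown, and the skb is under-reserved again if the two ever diverge. A comment above the new `if`, such as `/* must stay in sync with the loop-back test below, or skb headroom is too small */`, would record that dependency. The function body starts and ends outside these hunks.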
diff --git a/queue-4.14/brcmfmac-clear-eap-association-status-bits-on-linkdo.patch b/queue-4.14/brcmfmac-clear-eap-association-status-bits-on-linkdo.patch
new file mode 100644 (file)
index 0000000..60112b9
--- /dev/null
@@ -0,0 +1,63 @@
+From 5f96506e0562f0d579a5ab80765a3f4da96f0409 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Dec 2020 11:51:59 +0100
+Subject: brcmfmac: clear EAP/association status bits on linkdown events
+
+From: Luca Pesce <luca.pesce@vimar.com>
+
+[ Upstream commit e862a3e4088070de352fdafe9bd9e3ae0a95a33c ]
+
+This ensure that previous association attempts do not leave stale statuses
+on subsequent attempts.
+
+This fixes the WARN_ON(!cr->bss)) from __cfg80211_connect_result() when
+connecting to an AP after a previous connection failure (e.g. where EAP fails
+due to incorrect psk but association succeeded). In some scenarios, indeed,
+brcmf_is_linkup() was reporting a link up event too early due to stale
+BRCMF_VIF_STATUS_ASSOC_SUCCESS bit, thus reporting to cfg80211 a connection
+result with a zeroed bssid (vif->profile.bssid is still empty), causing the
+WARN_ON due to the call to cfg80211_get_bss() with the empty bssid.
+
+Signed-off-by: Luca Pesce <luca.pesce@vimar.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1608807119-21785-1-git-send-email-luca.pesce@vimar.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c    | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index 04fa66ed99a0..b5fceba10806 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5381,7 +5381,8 @@ static bool brcmf_is_linkup(struct brcmf_cfg80211_vif *vif,
+       return false;
+ }
+-static bool brcmf_is_linkdown(const struct brcmf_event_msg *e)
++static bool brcmf_is_linkdown(struct brcmf_cfg80211_vif *vif,
++                          const struct brcmf_event_msg *e)
+ {
+       u32 event = e->event_code;
+       u16 flags = e->flags;
+@@ -5390,6 +5391,8 @@ static bool brcmf_is_linkdown(const struct brcmf_event_msg *e)
+           (event == BRCMF_E_DISASSOC_IND) ||
+           ((event == BRCMF_E_LINK) && (!(flags & BRCMF_EVENT_MSG_LINK)))) {
+               brcmf_dbg(CONN, "Processing link down\n");
++              clear_bit(BRCMF_VIF_STATUS_EAP_SUCCESS, &vif->sme_state);
++              clear_bit(BRCMF_VIF_STATUS_ASSOC_SUCCESS, &vif->sme_state);
+               return true;
+       }
+       return false;
+@@ -5674,7 +5677,7 @@ brcmf_notify_connect_status(struct brcmf_if *ifp,
+               } else
+                       brcmf_bss_connect_done(cfg, ndev, e, true);
+               brcmf_net_setcarrier(ifp, true);
+-      } else if (brcmf_is_linkdown(e)) {
++      } else if (brcmf_is_linkdown(ifp->vif, e)) {
+               brcmf_dbg(CONN, "Linkdown\n");
+               if (!brcmf_is_ibssmode(ifp->vif)) {
+                       brcmf_bss_connect_done(cfg, ndev, e, false);
+-- 
+2.30.1
+
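Review bot: brcmf_is_linkdown() is named and used as a predicate, yet the hunk at -5390 makes it clear `BRCMF_VIF_STATUS_EAP_SUCCESS` and `BRCMF_VIF_STATUS_ASSOC_SUCCESS` in `vif->sme_state` as a side effect. The caller in brcmf_notify_connect_status() reaches it only in the `else if` after brcmf_is_linkup(), so the clearing depends on that evaluation order, and any other caller (none is visible here) would now mutate connection state just by asking the question. I would document this on the function, for example `/* Returns true on a link-down event and, as a side effect, drops the stale EAP/ASSOC success bits so a later brcmf_is_linkup() cannot report link-up early. */`. Moving the two `clear_bit()` calls into the `Linkdown` branch of the caller would keep the helper pure, if that suits the other call sites.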
diff --git a/queue-4.14/can-dev-move-driver-related-infrastructure-into-sepa.patch b/queue-4.14/can-dev-move-driver-related-infrastructure-into-sepa.patch
new file mode 100644 (file)
index 0000000..5267d47
--- /dev/null
@@ -0,0 +1,68 @@
+From 47cf5df5fadf232921faf83b2831f4dc93722edf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Jan 2021 15:19:17 +0100
+Subject: can: dev: move driver related infrastructure into separate subdir
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+[ Upstream commit 3e77f70e734584e0ad1038e459ed3fd2400f873a ]
+
+This patch moves the CAN driver related infrastructure into a separate subdir.
+It will be split into more files in the coming patches.
+
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://lore.kernel.org/r/20210111141930.693847-3-mkl@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/Makefile               | 7 +------
+ drivers/net/can/dev/Makefile           | 7 +++++++
+ drivers/net/can/{ => dev}/dev.c        | 0
+ drivers/net/can/{ => dev}/rx-offload.c | 0
+ 4 files changed, 8 insertions(+), 6 deletions(-)
+ create mode 100644 drivers/net/can/dev/Makefile
+ rename drivers/net/can/{ => dev}/dev.c (100%)
+ rename drivers/net/can/{ => dev}/rx-offload.c (100%)
+
+diff --git a/drivers/net/can/Makefile b/drivers/net/can/Makefile
+index 02b8ed794564..fc1d8bd73fab 100644
+--- a/drivers/net/can/Makefile
++++ b/drivers/net/can/Makefile
+@@ -7,12 +7,7 @@ obj-$(CONFIG_CAN_VCAN)                += vcan.o
+ obj-$(CONFIG_CAN_VXCAN)               += vxcan.o
+ obj-$(CONFIG_CAN_SLCAN)               += slcan.o
+-obj-$(CONFIG_CAN_DEV)         += can-dev.o
+-can-dev-y                     += dev.o
+-can-dev-y                     += rx-offload.o
+-
+-can-dev-$(CONFIG_CAN_LEDS)    += led.o
+-
++obj-y                         += dev/
+ obj-y                         += rcar/
+ obj-y                         += spi/
+ obj-y                         += usb/
+diff --git a/drivers/net/can/dev/Makefile b/drivers/net/can/dev/Makefile
+new file mode 100644
+index 000000000000..cba92e6bcf6f
+--- /dev/null
++++ b/drivers/net/can/dev/Makefile
+@@ -0,0 +1,7 @@
++# SPDX-License-Identifier: GPL-2.0
++
++obj-$(CONFIG_CAN_DEV)         += can-dev.o
++can-dev-y                     += dev.o
++can-dev-y                     += rx-offload.o
++
++can-dev-$(CONFIG_CAN_LEDS)    += led.o
+diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev/dev.c
+similarity index 100%
+rename from drivers/net/can/dev.c
+rename to drivers/net/can/dev/dev.c
+diff --git a/drivers/net/can/rx-offload.c b/drivers/net/can/dev/rx-offload.c
+similarity index 100%
+rename from drivers/net/can/rx-offload.c
+rename to drivers/net/can/dev/rx-offload.c
+-- 
+2.30.1
+
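Review bot: The new drivers/net/can/dev/Makefile keeps `can-dev-$(CONFIG_CAN_LEDS) += led.o`, but the diffstat and rename list of this patch move only dev.c and rx-offload.c into dev/. Unless a led.c already exists under drivers/net/can/dev/ in the 4.14 tree or another queued patch moves it (neither is visible on this page), a configuration with CONFIG_CAN_LEDS enabled would look for dev/led.o and fail to build. Before this goes out, build-test 4.14 with CONFIG_CAN_LEDS=y, then either add the matching `rename drivers/net/can/{ => dev}/led.c` or drop the line from the new Makefile.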
diff --git a/queue-4.14/net-ethernet-aquantia-handle-error-cleanup-of-start-.patch b/queue-4.14/net-ethernet-aquantia-handle-error-cleanup-of-start-.patch
new file mode 100644 (file)
index 0000000..750ef9b
--- /dev/null
@@ -0,0 +1,50 @@
+From ed00b7e876b00f241f8a5ecc008cdd722d8c1921 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Feb 2021 05:17:57 +0000
+Subject: net: ethernet: aquantia: Handle error cleanup of start on open
+
+From: Nathan Rossi <nathan.rossi@digi.com>
+
+[ Upstream commit 8a28af7a3e85ddf358f8c41e401a33002f7a9587 ]
+
+The aq_nic_start function can fail in a variety of cases which leaves
+the device in broken state.
+
+An example case where the start function fails is the
+request_threaded_irq which can be interrupted, resulting in a EINTR
+result. This can be manually triggered by bringing the link up (e.g. ip
+link set up) and triggering a SIGINT on the initiating process (e.g.
+Ctrl+C). This would put the device into a half configured state.
+Subsequently bringing the link up again would cause the napi_enable to
+BUG.
+
+In order to correctly clean up the failed attempt to start a device call
+aq_nic_stop.
+
+Signed-off-by: Nathan Rossi <nathan.rossi@digi.com>
+Reviewed-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_main.c b/drivers/net/ethernet/aquantia/atlantic/aq_main.c
+index 5d6c40d86775..2fb532053d6d 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_main.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_main.c
+@@ -60,8 +60,10 @@ static int aq_ndev_open(struct net_device *ndev)
+       if (err < 0)
+               goto err_exit;
+       err = aq_nic_start(aq_nic);
+-      if (err < 0)
++      if (err < 0) {
++              aq_nic_stop(aq_nic);
+               goto err_exit;
++      }
+ err_exit:
+       if (err < 0)
+-- 
+2.30.1
+
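Review bot: The added `aq_nic_stop(aq_nic);` in aq_ndev_open() runs for every failure of aq_nic_start(), whichever step inside it failed. aq_nic_start() is not shown, so whether aq_nic_stop() is safe on a NIC that was only partly started (for instance one where NAPI or the IRQs were never enabled) cannot be confirmed from this hunk. The commit message covers only the request_threaded_irq/EINTR case. I would state the requirement at the call site with `/* aq_nic_stop() must tolerate a partially started NIC: start can fail at any step */` and check the earlier failure points in aq_nic_start() against it. The return value of aq_nic_stop() is discarded, which keeps the original `err`, and a short comment saying that this is intentional would help the next reader.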
diff --git a/queue-4.14/net-wan-lmc-unregister-device-when-no-matching-devic.patch b/queue-4.14/net-wan-lmc-unregister-device-when-no-matching-devic.patch
new file mode 100644 (file)
index 0000000..39c1fcc
--- /dev/null
@@ -0,0 +1,96 @@
+From 34ef4301ceb59f2d5f20d78bc0d1fed558b05704 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Feb 2021 14:17:56 -0500
+Subject: net: wan/lmc: unregister device when no matching device is found
+
+From: Tong Zhang <ztong0001@gmail.com>
+
+[ Upstream commit 62e69bc419772638369eff8ff81340bde8aceb61 ]
+
+lmc set sc->lmc_media pointer when there is a matching device.
+However, when no matching device is found, this pointer is NULL
+and the following dereference will result in a null-ptr-deref.
+
+To fix this issue, unregister the hdlc device and return an error.
+
+[    4.569359] BUG: KASAN: null-ptr-deref in lmc_init_one.cold+0x2b6/0x55d [lmc]
+[    4.569748] Read of size 8 at addr 0000000000000008 by task modprobe/95
+[    4.570102]
+[    4.570187] CPU: 0 PID: 95 Comm: modprobe Not tainted 5.11.0-rc7 #94
+[    4.570527] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd9c812dda519-preb4
+[    4.571125] Call Trace:
+[    4.571261]  dump_stack+0x7d/0xa3
+[    4.571445]  kasan_report.cold+0x10c/0x10e
+[    4.571667]  ? lmc_init_one.cold+0x2b6/0x55d [lmc]
+[    4.571932]  lmc_init_one.cold+0x2b6/0x55d [lmc]
+[    4.572186]  ? lmc_mii_readreg+0xa0/0xa0 [lmc]
+[    4.572432]  local_pci_probe+0x6f/0xb0
+[    4.572639]  pci_device_probe+0x171/0x240
+[    4.572857]  ? pci_device_remove+0xe0/0xe0
+[    4.573080]  ? kernfs_create_link+0xb6/0x110
+[    4.573315]  ? sysfs_do_create_link_sd.isra.0+0x76/0xe0
+[    4.573598]  really_probe+0x161/0x420
+[    4.573799]  driver_probe_device+0x6d/0xd0
+[    4.574022]  device_driver_attach+0x82/0x90
+[    4.574249]  ? device_driver_attach+0x90/0x90
+[    4.574485]  __driver_attach+0x60/0x100
+[    4.574694]  ? device_driver_attach+0x90/0x90
+[    4.574931]  bus_for_each_dev+0xe1/0x140
+[    4.575146]  ? subsys_dev_iter_exit+0x10/0x10
+[    4.575387]  ? klist_node_init+0x61/0x80
+[    4.575602]  bus_add_driver+0x254/0x2a0
+[    4.575812]  driver_register+0xd3/0x150
+[    4.576021]  ? 0xffffffffc0018000
+[    4.576202]  do_one_initcall+0x84/0x250
+[    4.576411]  ? trace_event_raw_event_initcall_finish+0x150/0x150
+[    4.576733]  ? unpoison_range+0xf/0x30
+[    4.576938]  ? ____kasan_kmalloc.constprop.0+0x84/0xa0
+[    4.577219]  ? unpoison_range+0xf/0x30
+[    4.577423]  ? unpoison_range+0xf/0x30
+[    4.577628]  do_init_module+0xf8/0x350
+[    4.577833]  load_module+0x3fe6/0x4340
+[    4.578038]  ? vm_unmap_ram+0x1d0/0x1d0
+[    4.578247]  ? ____kasan_kmalloc.constprop.0+0x84/0xa0
+[    4.578526]  ? module_frob_arch_sections+0x20/0x20
+[    4.578787]  ? __do_sys_finit_module+0x108/0x170
+[    4.579037]  __do_sys_finit_module+0x108/0x170
+[    4.579278]  ? __ia32_sys_init_module+0x40/0x40
+[    4.579523]  ? file_open_root+0x200/0x200
+[    4.579742]  ? do_sys_open+0x85/0xe0
+[    4.579938]  ? filp_open+0x50/0x50
+[    4.580125]  ? exit_to_user_mode_prepare+0xfc/0x130
+[    4.580390]  do_syscall_64+0x33/0x40
+[    4.580586]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[    4.580859] RIP: 0033:0x7f1a724c3cf7
+[    4.581054] Code: 48 89 57 30 48 8b 04 24 48 89 47 38 e9 1d a0 02 00 48 89 f8 48 89 f7 48 89 d6 48 891
+[    4.582043] RSP: 002b:00007fff44941c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[    4.582447] RAX: ffffffffffffffda RBX: 00000000012ada70 RCX: 00007f1a724c3cf7
+[    4.582827] RDX: 0000000000000000 RSI: 00000000012ac9e0 RDI: 0000000000000003
+[    4.583207] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000001
+[    4.583587] R10: 00007f1a72527300 R11: 0000000000000246 R12: 00000000012ac9e0
+[    4.583968] R13: 0000000000000000 R14: 00000000012acc90 R15: 0000000000000001
+[    4.584349] ==================================================================
+
+Signed-off-by: Tong Zhang <ztong0001@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wan/lmc/lmc_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wan/lmc/lmc_main.c b/drivers/net/wan/lmc/lmc_main.c
+index bb43d176eb4e..41b5c6b236d2 100644
+--- a/drivers/net/wan/lmc/lmc_main.c
++++ b/drivers/net/wan/lmc/lmc_main.c
+@@ -922,6 +922,8 @@ static int lmc_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
+         break;
+     default:
+       printk(KERN_WARNING "%s: LMC UNKNOWN CARD!\n", dev->name);
++      unregister_hdlc_device(dev);
++      return -EIO;
+         break;
+     }
+-- 
+2.30.1
+
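Review bot: The new `return -EIO;` in the `default:` case of lmc_init_one() leaves the probe function directly after `unregister_hdlc_device(dev)`, bypassing any unwind code the function has further down. The rest of the body is outside the hunk, so this is inferred, but a PCI probe that has reached a registered HDLC device has normally also allocated the netdev and its private data and enabled the PCI device with its regions. If the function has error labels for these, the failure path should set the error code and `goto` the matching label so that a card with an unrecognised subsystem ID does not leak them on every probe. The `break;` that follows the `return` is now unreachable and can be dropped.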
index 0d16c1fd2ab0866ab4fc3df6103252a75d5c9bbc..de27735fe00008c665072a5369aae91fc4f58446 100644 (file)
@@ -16,3 +16,8 @@ staging-comedi-cb_pcidas-fix-request_irq-warn.patch
 staging-comedi-cb_pcidas64-fix-request_irq-warn.patch
 asoc-rt5659-update-mclk-rate-in-set_sysclk.patch
 ext4-do-not-iput-inode-under-running-transaction-in-.patch
+can-dev-move-driver-related-infrastructure-into-sepa.patch
+brcmfmac-clear-eap-association-status-bits-on-linkdo.patch
+net-ethernet-aquantia-handle-error-cleanup-of-start-.patch
+appletalk-fix-skb-allocation-size-in-loopback-case.patch
+net-wan-lmc-unregister-device-when-no-matching-devic.patch