--- /dev/null
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Boris Sukholitko <boris.sukholitko@broadcom.com>
+Date: Tue, 19 May 2020 10:32:37 +0300
+Subject: __netif_receive_skb_core: pass skb by reference
+
+From: Boris Sukholitko <boris.sukholitko@broadcom.com>
+
+[ Upstream commit c0bbbdc32febd4f034ecbf3ea17865785b2c0652 ]
+
+__netif_receive_skb_core may change the skb pointer passed into it (e.g.
+in rx_handler). The original skb may be freed as a result of this
+operation.
+
+The callers of __netif_receive_skb_core may further process original skb
+by using pt_prev pointer returned by __netif_receive_skb_core thus
+leading to unpleasant effects.
+
+The solution is to pass skb by reference into __netif_receive_skb_core.
+
+v2: Added Fixes tag and comment regarding ppt_prev and skb invariant.
+
+Fixes: 88eb1944e18c ("net: core: propagate SKB lists through packet_type lookup")
+Signed-off-by: Boris Sukholitko <boris.sukholitko@broadcom.com>
+Acked-by: Edward Cree <ecree@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4778,11 +4778,12 @@ static inline int nf_ingress(struct sk_b
+ return 0;
+ }
+
+-static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc,
++static int __netif_receive_skb_core(struct sk_buff **pskb, bool pfmemalloc,
+ struct packet_type **ppt_prev)
+ {
+ struct packet_type *ptype, *pt_prev;
+ rx_handler_func_t *rx_handler;
++ struct sk_buff *skb = *pskb;
+ struct net_device *orig_dev;
+ bool deliver_exact = false;
+ int ret = NET_RX_DROP;
+@@ -4813,8 +4814,10 @@ another_round:
+ ret2 = do_xdp_generic(rcu_dereference(skb->dev->xdp_prog), skb);
+ preempt_enable();
+
+- if (ret2 != XDP_PASS)
+- return NET_RX_DROP;
++ if (ret2 != XDP_PASS) {
++ ret = NET_RX_DROP;
++ goto out;
++ }
+ skb_reset_mac_len(skb);
+ }
+
+@@ -4936,6 +4939,13 @@ drop:
+ }
+
+ out:
++ /* The invariant here is that if *ppt_prev is not NULL
++ * then skb should also be non-NULL.
++ *
++ * Apparently *ppt_prev assignment above holds this invariant due to
++ * skb dereferencing near it.
++ */
++ *pskb = skb;
+ return ret;
+ }
+
+@@ -4945,7 +4955,7 @@ static int __netif_receive_skb_one_core(
+ struct packet_type *pt_prev = NULL;
+ int ret;
+
+- ret = __netif_receive_skb_core(skb, pfmemalloc, &pt_prev);
++ ret = __netif_receive_skb_core(&skb, pfmemalloc, &pt_prev);
+ if (pt_prev)
+ ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
+ return ret;
+@@ -5021,7 +5031,7 @@ static void __netif_receive_skb_list_cor
+ struct packet_type *pt_prev = NULL;
+
+ skb_list_del_init(skb);
+- __netif_receive_skb_core(skb, pfmemalloc, &pt_prev);
++ __netif_receive_skb_core(&skb, pfmemalloc, &pt_prev);
+ if (!pt_prev)
+ continue;
+ if (pt_curr != pt_prev || od_curr != orig_dev) {
--- /dev/null
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 19 May 2020 18:24:43 -0700
+Subject: ax25: fix setsockopt(SO_BINDTODEVICE)
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 687775cec056b38a4c8f3291e0dd7a9145f7b667 ]
+
+syzbot was able to trigger this trace [1], probably by using
+a zero optlen.
+
+While we are at it, cap optlen to IFNAMSIZ - 1 instead of IFNAMSIZ.
+
+[1]
+BUG: KMSAN: uninit-value in strnlen+0xf9/0x170 lib/string.c:569
+CPU: 0 PID: 8807 Comm: syz-executor483 Not tainted 5.7.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ strnlen+0xf9/0x170 lib/string.c:569
+ dev_name_hash net/core/dev.c:207 [inline]
+ netdev_name_node_lookup net/core/dev.c:277 [inline]
+ __dev_get_by_name+0x75/0x2b0 net/core/dev.c:778
+ ax25_setsockopt+0xfa3/0x1170 net/ax25/af_ax25.c:654
+ __compat_sys_setsockopt+0x4ed/0x910 net/compat.c:403
+ __do_compat_sys_setsockopt net/compat.c:413 [inline]
+ __se_compat_sys_setsockopt+0xdd/0x100 net/compat.c:410
+ __ia32_compat_sys_setsockopt+0x62/0x80 net/compat.c:410
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3bf/0x6d0 arch/x86/entry/common.c:398
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7f57dd9
+Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
+RSP: 002b:00000000ffae8c1c EFLAGS: 00000217 ORIG_RAX: 000000000000016e
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000101
+RDX: 0000000000000019 RSI: 0000000020000000 RDI: 0000000000000004
+RBP: 0000000000000012 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable ----devname@ax25_setsockopt created at:
+ ax25_setsockopt+0xe6/0x1170 net/ax25/af_ax25.c:536
+ ax25_setsockopt+0xe6/0x1170 net/ax25/af_ax25.c:536
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ax25/af_ax25.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -638,8 +638,10 @@ static int ax25_setsockopt(struct socket
+ break;
+
+ case SO_BINDTODEVICE:
+- if (optlen > IFNAMSIZ)
+- optlen = IFNAMSIZ;
++ if (optlen > IFNAMSIZ - 1)
++ optlen = IFNAMSIZ - 1;
++
++ memset(devname, 0, sizeof(devname));
+
+ if (copy_from_user(devname, optval, optlen)) {
+ res = -EFAULT;
--- /dev/null
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Mon, 25 May 2020 00:22:51 +0300
+Subject: dpaa_eth: fix usage as DSA master, try 3
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 5d14c304bfc14b4fd052dc83d5224376b48f52f0 ]
+
+The dpaa-eth driver probes on compatible string for the MAC node, and
+the fman/mac.c driver allocates a dpaa-ethernet platform device that
+triggers the probing of the dpaa-eth net device driver.
+
+All of this is fine, but the problem is that the struct device of the
+dpaa_eth net_device is 2 parents away from the MAC which can be
+referenced via of_node. So of_find_net_device_by_node can't find it, and
+DSA switches won't be able to probe on top of FMan ports.
+
+It would be a bit silly to modify a core function
+(of_find_net_device_by_node) to look for dev->parent->parent->of_node
+just for one driver. We're just 1 step away from implementing full
+recursion.
+
+Actually there have already been at least 2 previous attempts to make
+this work:
+- Commit a1a50c8e4c24 ("fsl/man: Inherit parent device and of_node")
+- One or more of the patches in "[v3,0/6] adapt DPAA drivers for DSA":
+ https://patchwork.ozlabs.org/project/netdev/cover/1508178970-28945-1-git-send-email-madalin.bucur@nxp.com/
+ (I couldn't really figure out which one was supposed to solve the
+ problem and how).
+
+Point being, it looks like this is still pretty much a problem today.
+On T1040, the /sys/class/net/eth0 symlink currently points to
+
+../../devices/platform/ffe000000.soc/ffe400000.fman/ffe4e6000.ethernet/dpaa-ethernet.0/net/eth0
+
+which pretty much illustrates the problem. The closest of_node we've got
+is the "fsl,fman-memac" at /soc@ffe000000/fman@400000/ethernet@e6000,
+which is what we'd like to be able to reference from DSA as host port.
+
+For of_find_net_device_by_node to find the eth0 port, we would need the
+parent of the eth0 net_device to not be the "dpaa-ethernet" platform
+device, but to point 1 level higher, aka the "fsl,fman-memac" node
+directly. The new sysfs path would look like this:
+
+../../devices/platform/ffe000000.soc/ffe400000.fman/ffe4e6000.ethernet/net/eth0
+
+And this is exactly what SET_NETDEV_DEV does. It sets the parent of the
+net_device. The new parent has an of_node associated with it, and
+of_dev_node_match already checks for the of_node of the device or of its
+parent.
+
+Fixes: a1a50c8e4c24 ("fsl/man: Inherit parent device and of_node")
+Fixes: c6e26ea8c893 ("dpaa_eth: change device used")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+@@ -2796,7 +2796,7 @@ static int dpaa_eth_probe(struct platfor
+ }
+
+ /* Do this here, so we can be verbose early */
+- SET_NETDEV_DEV(net_dev, dev);
++ SET_NETDEV_DEV(net_dev, dev->parent);
+ dev_set_drvdata(dev, net_dev);
+
+ priv = netdev_priv(net_dev);
--- /dev/null
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: DENG Qingfang <dqfext@gmail.com>
+Date: Wed, 13 May 2020 23:10:16 +0800
+Subject: net: dsa: mt7530: fix roaming from DSA user ports
+
+From: DENG Qingfang <dqfext@gmail.com>
+
+[ Upstream commit 5e5502e012b8129e11be616acb0f9c34bc8f8adb ]
+
+When a client moves from a DSA user port to a software port in a bridge,
+it cannot reach any other clients that connected to the DSA user ports.
+That is because SA learning on the CPU port is disabled, so the switch
+ignores the client's frames from the CPU port and still thinks it is at
+the user port.
+
+Fix it by enabling SA learning on the CPU port.
+
+To prevent the switch from learning from flooding frames from the CPU
+port, set skb->offload_fwd_mark to 1 for unicast and broadcast frames,
+and let the switch flood them instead of trapping to the CPU port.
+Multicast frames still need to be trapped to the CPU port for snooping,
+so set the SA_DIS bit of the MTK tag to 1 when transmitting those frames
+to disable SA learning.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Signed-off-by: DENG Qingfang <dqfext@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mt7530.c | 9 ++-------
+ drivers/net/dsa/mt7530.h | 1 +
+ net/dsa/tag_mtk.c | 15 +++++++++++++++
+ 3 files changed, 18 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -685,11 +685,8 @@ mt7530_cpu_port_enable(struct mt7530_pri
+ /* Setup the MAC by default for the cpu port */
+ mt7530_write(priv, MT7530_PMCR_P(port), PMCR_CPUP_LINK);
+
+- /* Disable auto learning on the cpu port */
+- mt7530_set(priv, MT7530_PSC_P(port), SA_DIS);
+-
+- /* Unknown unicast frame fordwarding to the cpu port */
+- mt7530_set(priv, MT7530_MFC, UNU_FFP(BIT(port)));
++ /* Unknown multicast frame forwarding to the cpu port */
++ mt7530_rmw(priv, MT7530_MFC, UNM_FFP_MASK, UNM_FFP(BIT(port)));
+
+ /* CPU port gets connected to all user ports of
+ * the switch
+@@ -1288,8 +1285,6 @@ mt7530_setup(struct dsa_switch *ds)
+ /* Enable and reset MIB counters */
+ mt7530_mib_reset(ds);
+
+- mt7530_clear(priv, MT7530_MFC, UNU_FFP_MASK);
+-
+ for (i = 0; i < MT7530_NUM_PORTS; i++) {
+ /* Disable forwarding by default on all ports */
+ mt7530_rmw(priv, MT7530_PCR_P(i), PCR_MATRIX_MASK,
+--- a/drivers/net/dsa/mt7530.h
++++ b/drivers/net/dsa/mt7530.h
+@@ -34,6 +34,7 @@
+ #define MT7530_MFC 0x10
+ #define BC_FFP(x) (((x) & 0xff) << 24)
+ #define UNM_FFP(x) (((x) & 0xff) << 16)
++#define UNM_FFP_MASK UNM_FFP(~0)
+ #define UNU_FFP(x) (((x) & 0xff) << 8)
+ #define UNU_FFP_MASK UNU_FFP(~0)
+
+--- a/net/dsa/tag_mtk.c
++++ b/net/dsa/tag_mtk.c
+@@ -22,6 +22,7 @@
+ #define MTK_HDR_XMIT_TAGGED_TPID_8100 1
+ #define MTK_HDR_RECV_SOURCE_PORT_MASK GENMASK(2, 0)
+ #define MTK_HDR_XMIT_DP_BIT_MASK GENMASK(5, 0)
++#define MTK_HDR_XMIT_SA_DIS BIT(6)
+
+ static struct sk_buff *mtk_tag_xmit(struct sk_buff *skb,
+ struct net_device *dev)
+@@ -29,6 +30,9 @@ static struct sk_buff *mtk_tag_xmit(stru
+ struct dsa_port *dp = dsa_slave_to_port(dev);
+ u8 *mtk_tag;
+ bool is_vlan_skb = true;
++ unsigned char *dest = eth_hdr(skb)->h_dest;
++ bool is_multicast_skb = is_multicast_ether_addr(dest) &&
++ !is_broadcast_ether_addr(dest);
+
+ /* Build the special tag after the MAC Source Address. If VLAN header
+ * is present, it's required that VLAN header and special tag is
+@@ -54,6 +58,10 @@ static struct sk_buff *mtk_tag_xmit(stru
+ MTK_HDR_XMIT_UNTAGGED;
+ mtk_tag[1] = (1 << dp->index) & MTK_HDR_XMIT_DP_BIT_MASK;
+
++ /* Disable SA learning for multicast frames */
++ if (unlikely(is_multicast_skb))
++ mtk_tag[1] |= MTK_HDR_XMIT_SA_DIS;
++
+ /* Tag control information is kept for 802.1Q */
+ if (!is_vlan_skb) {
+ mtk_tag[2] = 0;
+@@ -68,6 +76,9 @@ static struct sk_buff *mtk_tag_rcv(struc
+ {
+ int port;
+ __be16 *phdr, hdr;
++ unsigned char *dest = eth_hdr(skb)->h_dest;
++ bool is_multicast_skb = is_multicast_ether_addr(dest) &&
++ !is_broadcast_ether_addr(dest);
+
+ if (unlikely(!pskb_may_pull(skb, MTK_HDR_LEN)))
+ return NULL;
+@@ -93,6 +104,10 @@ static struct sk_buff *mtk_tag_rcv(struc
+ if (!skb->dev)
+ return NULL;
+
++ /* Only unicast or broadcast frames are offloaded */
++ if (likely(!is_multicast_skb))
++ skb->offload_fwd_mark = 1;
++
+ return skb;
+ }
+
--- /dev/null
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Martin KaFai Lau <kafai@fb.com>
+Date: Mon, 18 May 2020 17:13:34 -0700
+Subject: net: inet_csk: Fix so_reuseport bind-address cache in tb->fast*
+
+From: Martin KaFai Lau <kafai@fb.com>
+
+[ Upstream commit 88d7fcfa3b1fe670f0412b95be785aafca63352b ]
+
+The commit 637bc8bbe6c0 ("inet: reset tb->fastreuseport when adding a reuseport sk")
+added a bind-address cache in tb->fast*. The tb->fast* caches the address
+of a sk which has successfully been binded with SO_REUSEPORT ON. The idea
+is to avoid the expensive conflict search in inet_csk_bind_conflict().
+
+There is an issue with wildcard matching where sk_reuseport_match() should
+have returned false but it is currently returning true. It ends up
+hiding bind conflict. For example,
+
+bind("[::1]:443"); /* without SO_REUSEPORT. Succeed. */
+bind("[::2]:443"); /* with SO_REUSEPORT. Succeed. */
+bind("[::]:443"); /* with SO_REUSEPORT. Still Succeed where it shouldn't */
+
+The last bind("[::]:443") with SO_REUSEPORT on should have failed because
+it should have a conflict with the very first bind("[::1]:443") which
+has SO_REUSEPORT off. However, the address "[::2]" is cached in
+tb->fast* in the second bind. In the last bind, the sk_reuseport_match()
+returns true because the binding sk's wildcard addr "[::]" matches with
+the "[::2]" cached in tb->fast*.
+
+The correct bind conflict is reported by removing the second
+bind such that tb->fast* cache is not involved and forces the
+bind("[::]:443") to go through the inet_csk_bind_conflict():
+
+bind("[::1]:443"); /* without SO_REUSEPORT. Succeed. */
+bind("[::]:443"); /* with SO_REUSEPORT. -EADDRINUSE */
+
+The expected behavior for sk_reuseport_match() is, it should only allow
+the "cached" tb->fast* address to be used as a wildcard match but not
+the address of the binding sk. To do that, the current
+"bool match_wildcard" arg is split into
+"bool match_sk1_wildcard" and "bool match_sk2_wildcard".
+
+This change only affects the sk_reuseport_match() which is only
+used by inet_csk (e.g. TCP).
+The other use cases are calling inet_rcv_saddr_equal() and
+this patch makes it pass the same "match_wildcard" arg twice to
+the "ipv[46]_rcv_saddr_equal(..., match_wildcard, match_wildcard)".
+
+Cc: Josef Bacik <jbacik@fb.com>
+Fixes: 637bc8bbe6c0 ("inet: reset tb->fastreuseport when adding a reuseport sk")
+Signed-off-by: Martin KaFai Lau <kafai@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/inet_connection_sock.c | 43 ++++++++++++++++++++++------------------
+ 1 file changed, 24 insertions(+), 19 deletions(-)
+
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -28,17 +28,19 @@
+ #include <net/addrconf.h>
+
+ #if IS_ENABLED(CONFIG_IPV6)
+-/* match_wildcard == true: IPV6_ADDR_ANY equals to any IPv6 addresses if IPv6
+- * only, and any IPv4 addresses if not IPv6 only
+- * match_wildcard == false: addresses must be exactly the same, i.e.
+- * IPV6_ADDR_ANY only equals to IPV6_ADDR_ANY,
+- * and 0.0.0.0 equals to 0.0.0.0 only
++/* match_sk*_wildcard == true: IPV6_ADDR_ANY equals to any IPv6 addresses
++ * if IPv6 only, and any IPv4 addresses
++ * if not IPv6 only
++ * match_sk*_wildcard == false: addresses must be exactly the same, i.e.
++ * IPV6_ADDR_ANY only equals to IPV6_ADDR_ANY,
++ * and 0.0.0.0 equals to 0.0.0.0 only
+ */
+ static bool ipv6_rcv_saddr_equal(const struct in6_addr *sk1_rcv_saddr6,
+ const struct in6_addr *sk2_rcv_saddr6,
+ __be32 sk1_rcv_saddr, __be32 sk2_rcv_saddr,
+ bool sk1_ipv6only, bool sk2_ipv6only,
+- bool match_wildcard)
++ bool match_sk1_wildcard,
++ bool match_sk2_wildcard)
+ {
+ int addr_type = ipv6_addr_type(sk1_rcv_saddr6);
+ int addr_type2 = sk2_rcv_saddr6 ? ipv6_addr_type(sk2_rcv_saddr6) : IPV6_ADDR_MAPPED;
+@@ -48,8 +50,8 @@ static bool ipv6_rcv_saddr_equal(const s
+ if (!sk2_ipv6only) {
+ if (sk1_rcv_saddr == sk2_rcv_saddr)
+ return true;
+- if (!sk1_rcv_saddr || !sk2_rcv_saddr)
+- return match_wildcard;
++ return (match_sk1_wildcard && !sk1_rcv_saddr) ||
++ (match_sk2_wildcard && !sk2_rcv_saddr);
+ }
+ return false;
+ }
+@@ -57,11 +59,11 @@ static bool ipv6_rcv_saddr_equal(const s
+ if (addr_type == IPV6_ADDR_ANY && addr_type2 == IPV6_ADDR_ANY)
+ return true;
+
+- if (addr_type2 == IPV6_ADDR_ANY && match_wildcard &&
++ if (addr_type2 == IPV6_ADDR_ANY && match_sk2_wildcard &&
+ !(sk2_ipv6only && addr_type == IPV6_ADDR_MAPPED))
+ return true;
+
+- if (addr_type == IPV6_ADDR_ANY && match_wildcard &&
++ if (addr_type == IPV6_ADDR_ANY && match_sk1_wildcard &&
+ !(sk1_ipv6only && addr_type2 == IPV6_ADDR_MAPPED))
+ return true;
+
+@@ -73,18 +75,19 @@ static bool ipv6_rcv_saddr_equal(const s
+ }
+ #endif
+
+-/* match_wildcard == true: 0.0.0.0 equals to any IPv4 addresses
+- * match_wildcard == false: addresses must be exactly the same, i.e.
+- * 0.0.0.0 only equals to 0.0.0.0
++/* match_sk*_wildcard == true: 0.0.0.0 equals to any IPv4 addresses
++ * match_sk*_wildcard == false: addresses must be exactly the same, i.e.
++ * 0.0.0.0 only equals to 0.0.0.0
+ */
+ static bool ipv4_rcv_saddr_equal(__be32 sk1_rcv_saddr, __be32 sk2_rcv_saddr,
+- bool sk2_ipv6only, bool match_wildcard)
++ bool sk2_ipv6only, bool match_sk1_wildcard,
++ bool match_sk2_wildcard)
+ {
+ if (!sk2_ipv6only) {
+ if (sk1_rcv_saddr == sk2_rcv_saddr)
+ return true;
+- if (!sk1_rcv_saddr || !sk2_rcv_saddr)
+- return match_wildcard;
++ return (match_sk1_wildcard && !sk1_rcv_saddr) ||
++ (match_sk2_wildcard && !sk2_rcv_saddr);
+ }
+ return false;
+ }
+@@ -100,10 +103,12 @@ bool inet_rcv_saddr_equal(const struct s
+ sk2->sk_rcv_saddr,
+ ipv6_only_sock(sk),
+ ipv6_only_sock(sk2),
++ match_wildcard,
+ match_wildcard);
+ #endif
+ return ipv4_rcv_saddr_equal(sk->sk_rcv_saddr, sk2->sk_rcv_saddr,
+- ipv6_only_sock(sk2), match_wildcard);
++ ipv6_only_sock(sk2), match_wildcard,
++ match_wildcard);
+ }
+ EXPORT_SYMBOL(inet_rcv_saddr_equal);
+
+@@ -274,10 +279,10 @@ static inline int sk_reuseport_match(str
+ tb->fast_rcv_saddr,
+ sk->sk_rcv_saddr,
+ tb->fast_ipv6_only,
+- ipv6_only_sock(sk), true);
++ ipv6_only_sock(sk), true, false);
+ #endif
+ return ipv4_rcv_saddr_equal(tb->fast_rcv_saddr, sk->sk_rcv_saddr,
+- ipv6_only_sock(sk), true);
++ ipv6_only_sock(sk), true, false);
+ }
+
+ /* Obtain a reference to a local port for the given sock,
--- /dev/null
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+Date: Wed, 20 May 2020 11:50:48 +0300
+Subject: net: ipip: fix wrong address family in init error path
+
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+
+[ Upstream commit 57ebc8f08504f176eb0f25b3e0fde517dec61a4f ]
+
+In case of error with MPLS support the code is misusing AF_INET
+instead of AF_MPLS.
+
+Fixes: 1b69e7e6c4da ("ipip: support MPLS over IPv4")
+Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ipip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/ipip.c
++++ b/net/ipv4/ipip.c
+@@ -704,7 +704,7 @@ out:
+
+ rtnl_link_failed:
+ #if IS_ENABLED(CONFIG_MPLS)
+- xfrm4_tunnel_deregister(&mplsip_handler, AF_INET);
++ xfrm4_tunnel_deregister(&mplsip_handler, AF_MPLS);
+ xfrm_tunnel_mplsip_failed:
+
+ #endif
--- /dev/null
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Moshe Shemesh <moshe@mellanox.com>
+Date: Fri, 27 Dec 2019 07:01:53 +0200
+Subject: net/mlx5: Add command entry handling completion
+
+From: Moshe Shemesh <moshe@mellanox.com>
+
+[ Upstream commit 17d00e839d3b592da9659c1977d45f85b77f986a ]
+
+When FW response to commands is very slow and all command entries in
+use are waiting for completion we can have a race where commands can get
+timeout before they get out of the queue and handled. Timeout
+completion on uninitialized command will cause releasing command's
+buffers before accessing it for initialization and then we will get NULL
+pointer exception while trying access it. It may also cause releasing
+buffers of another command since we may have timeout completion before
+even allocating entry index for this command.
+Add entry handling completion to avoid this race.
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 14 ++++++++++++++
+ include/linux/mlx5/driver.h | 1 +
+ 2 files changed, 15 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -835,6 +835,7 @@ static void cmd_work_handler(struct work
+ int alloc_ret;
+ int cmd_mode;
+
++ complete(&ent->handling);
+ sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem;
+ down(sem);
+ if (!ent->page_queue) {
+@@ -953,6 +954,11 @@ static int wait_func(struct mlx5_core_de
+ struct mlx5_cmd *cmd = &dev->cmd;
+ int err;
+
++ if (!wait_for_completion_timeout(&ent->handling, timeout) &&
++ cancel_work_sync(&ent->work)) {
++ ent->ret = -ECANCELED;
++ goto out_err;
++ }
+ if (cmd->mode == CMD_MODE_POLLING || ent->polling) {
+ wait_for_completion(&ent->done);
+ } else if (!wait_for_completion_timeout(&ent->done, timeout)) {
+@@ -960,12 +966,17 @@ static int wait_func(struct mlx5_core_de
+ mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true);
+ }
+
++out_err:
+ err = ent->ret;
+
+ if (err == -ETIMEDOUT) {
+ mlx5_core_warn(dev, "%s(0x%x) timeout. Will cause a leak of a command resource\n",
+ mlx5_command_str(msg_to_opcode(ent->in)),
+ msg_to_opcode(ent->in));
++ } else if (err == -ECANCELED) {
++ mlx5_core_warn(dev, "%s(0x%x) canceled on out of queue timeout.\n",
++ mlx5_command_str(msg_to_opcode(ent->in)),
++ msg_to_opcode(ent->in));
+ }
+ mlx5_core_dbg(dev, "err %d, delivery status %s(%d)\n",
+ err, deliv_status_to_str(ent->status), ent->status);
+@@ -1001,6 +1012,7 @@ static int mlx5_cmd_invoke(struct mlx5_c
+ ent->token = token;
+ ent->polling = force_polling;
+
++ init_completion(&ent->handling);
+ if (!callback)
+ init_completion(&ent->done);
+
+@@ -1020,6 +1032,8 @@ static int mlx5_cmd_invoke(struct mlx5_c
+ err = wait_func(dev, ent);
+ if (err == -ETIMEDOUT)
+ goto out;
++ if (err == -ECANCELED)
++ goto out_free;
+
+ ds = ent->ts2 - ent->ts1;
+ op = MLX5_GET(mbox_in, in->first.data, opcode);
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -902,6 +902,7 @@ struct mlx5_cmd_work_ent {
+ struct delayed_work cb_timeout_work;
+ void *context;
+ int idx;
++ struct completion handling;
+ struct completion done;
+ struct mlx5_cmd *cmd;
+ struct work_struct work;
--- /dev/null
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Moshe Shemesh <moshe@mellanox.com>
+Date: Tue, 7 Apr 2020 17:38:28 +0300
+Subject: net/mlx5e: Update netdev txq on completions during closure
+
+From: Moshe Shemesh <moshe@mellanox.com>
+
+[ Upstream commit 5e911e2c06bd8c17df29147a5e2d4b17fafda024 ]
+
+On sq closure when we free its descriptors, we should also update netdev
+txq on completions which would not arrive. Otherwise if we reopen sqs
+and attach them back, for example on fw fatal recovery flow, we may get
+tx timeout.
+
+Fixes: 29429f3300a3 ("net/mlx5e: Timeout if SQ doesn't flush during close")
+Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+@@ -595,8 +595,9 @@ bool mlx5e_poll_tx_cq(struct mlx5e_cq *c
+ void mlx5e_free_txqsq_descs(struct mlx5e_txqsq *sq)
+ {
+ struct mlx5e_tx_wqe_info *wi;
++ u32 nbytes = 0;
++ u16 ci, npkts = 0;
+ struct sk_buff *skb;
+- u16 ci;
+ int i;
+
+ while (sq->cc != sq->pc) {
+@@ -617,8 +618,11 @@ void mlx5e_free_txqsq_descs(struct mlx5e
+ }
+
+ dev_kfree_skb_any(skb);
++ npkts++;
++ nbytes += wi->num_bytes;
+ sq->cc += wi->num_wqebbs;
+ }
++ netdev_tx_completed_queue(sq->txq, npkts, nbytes);
+ }
+
+ #ifdef CONFIG_MLX5_CORE_IPOIB
--- /dev/null
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Date: Tue, 19 May 2020 23:44:16 +0530
+Subject: net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+[ Upstream commit d28ea1fbbf437054ef339afec241019f2c4e2bb6 ]
+
+Once the traversal of the list is completed with list_for_each_entry(),
+the iterator (node) will point to an invalid object. So passing this to
+qrtr_local_enqueue() which is outside of the iterator block is erroneous
+eventhough the object is not used.
+
+So fix this by passing NULL to qrtr_local_enqueue().
+
+Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
+Reported-by: kbuild test robot <lkp@intel.com>
+Reported-by: Julia Lawall <julia.lawall@lip6.fr>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/qrtr/qrtr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -718,7 +718,7 @@ static int qrtr_bcast_enqueue(struct qrt
+ }
+ mutex_unlock(&qrtr_node_lock);
+
+- qrtr_local_enqueue(node, skb, type, from, to);
++ qrtr_local_enqueue(NULL, skb, type, from, to);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Yuqi Jin <jinyuqi@huawei.com>
+Date: Sat, 16 May 2020 11:46:49 +0800
+Subject: net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()"
+
+From: Yuqi Jin <jinyuqi@huawei.com>
+
+[ Upstream commit a6211caa634da39d861a47437ffcda8b38ef421b ]
+
+Commit adb03115f459 ("net: get rid of an signed integer overflow in ip_idents_reserve()")
+used atomic_cmpxchg to replace "atomic_add_return" inside the function
+"ip_idents_reserve". The reason was to avoid UBSAN warning.
+However, this change has caused performance degrade and in GCC-8,
+fno-strict-overflow is now mapped to -fwrapv -fwrapv-pointer
+and signed integer overflow is now undefined by default at all
+optimization levels[1]. Moreover, it was a bug in UBSAN vs -fwrapv
+/-fno-strict-overflow, so Let's revert it safely.
+
+[1] https://gcc.gnu.org/gcc-8/changes.html
+
+Suggested-by: Peter Zijlstra <peterz@infradead.org>
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Cc: Arvind Sankar <nivedita@alum.mit.edu>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jiong Wang <jiongwang@huawei.com>
+Signed-off-by: Yuqi Jin <jinyuqi@huawei.com>
+Signed-off-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -484,18 +484,16 @@ u32 ip_idents_reserve(u32 hash, int segs
+ atomic_t *p_id = ip_idents + hash % IP_IDENTS_SZ;
+ u32 old = READ_ONCE(*p_tstamp);
+ u32 now = (u32)jiffies;
+- u32 new, delta = 0;
++ u32 delta = 0;
+
+ if (old != now && cmpxchg(p_tstamp, old, now) == old)
+ delta = prandom_u32_max(now - old);
+
+- /* Do not use atomic_add_return() as it makes UBSAN unhappy */
+- do {
+- old = (u32)atomic_read(p_id);
+- new = old + delta + segs;
+- } while (atomic_cmpxchg(p_id, old, new) != old);
+-
+- return new - segs;
++ /* If UBSAN reports an error there, please make sure your compiler
++ * supports -fno-strict-overflow before reporting it that was a bug
++ * in UBSAN, and it has been fixed in GCC-8.
++ */
++ return atomic_add_return(segs + delta, p_id) - segs;
+ }
+ EXPORT_SYMBOL(ip_idents_reserve);
+
--- /dev/null
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Roman Mashak <mrv@mojatatu.com>
+Date: Sun, 17 May 2020 08:46:31 -0400
+Subject: net sched: fix reporting the first-time use timestamp
+
+From: Roman Mashak <mrv@mojatatu.com>
+
+[ Upstream commit b15e62631c5f19fea9895f7632dae9c1b27fe0cd ]
+
+When a new action is installed, firstuse field of 'tcf_t' is explicitly set
+to 0. Value of zero means "new action, not yet used"; as a packet hits the
+action, 'firstuse' is stamped with the current jiffies value.
+
+tcf_tm_dump() should return 0 for firstuse if action has not yet been hit.
+
+Fixes: 48d8ee1694dd ("net sched actions: aggregate dumping of actions timeinfo")
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Roman Mashak <mrv@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/act_api.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/net/act_api.h
++++ b/include/net/act_api.h
+@@ -67,7 +67,8 @@ static inline void tcf_tm_dump(struct tc
+ {
+ dtm->install = jiffies_to_clock_t(jiffies - stm->install);
+ dtm->lastuse = jiffies_to_clock_t(jiffies - stm->lastuse);
+- dtm->firstuse = jiffies_to_clock_t(jiffies - stm->firstuse);
++ dtm->firstuse = stm->firstuse ?
++ jiffies_to_clock_t(jiffies - stm->firstuse) : 0;
+ dtm->expires = jiffies_to_clock_t(stm->expires);
+ }
+
--- /dev/null
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Marc Payne <marc.payne@mdpsys.co.uk>
+Date: Tue, 19 May 2020 19:01:46 +0100
+Subject: r8152: support additional Microsoft Surface Ethernet Adapter variant
+
+From: Marc Payne <marc.payne@mdpsys.co.uk>
+
+[ Upstream commit c27a204383616efba5a4194075e90819961ff66a ]
+
+Device id 0927 is the RTL8153B-based component of the 'Surface USB-C to
+Ethernet and USB Adapter' and may be used as a component of other devices
+in future. Tested and working with the r8152 driver.
+
+Update the cdc_ether blacklist due to the RTL8153 'network jam on suspend'
+issue which this device will cause (personally confirmed).
+
+Signed-off-by: Marc Payne <marc.payne@mdpsys.co.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/cdc_ether.c | 11 +++++++++--
+ drivers/net/usb/r8152.c | 1 +
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/cdc_ether.c
++++ b/drivers/net/usb/cdc_ether.c
+@@ -821,14 +821,21 @@ static const struct usb_device_id produc
+ .driver_info = 0,
+ },
+
+-/* Microsoft Surface 3 dock (based on Realtek RTL8153) */
++/* Microsoft Surface Ethernet Adapter (based on Realtek RTL8153) */
+ {
+ USB_DEVICE_AND_INTERFACE_INFO(MICROSOFT_VENDOR_ID, 0x07c6, USB_CLASS_COMM,
+ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
+ .driver_info = 0,
+ },
+
+- /* TP-LINK UE300 USB 3.0 Ethernet Adapters (based on Realtek RTL8153) */
++/* Microsoft Surface Ethernet Adapter (based on Realtek RTL8153B) */
++{
++ USB_DEVICE_AND_INTERFACE_INFO(MICROSOFT_VENDOR_ID, 0x0927, USB_CLASS_COMM,
++ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
++ .driver_info = 0,
++},
++
++/* TP-LINK UE300 USB 3.0 Ethernet Adapters (based on Realtek RTL8153) */
+ {
+ USB_DEVICE_AND_INTERFACE_INFO(TPLINK_VENDOR_ID, 0x0601, USB_CLASS_COMM,
+ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -5344,6 +5344,7 @@ static const struct usb_device_id rtl815
+ {REALTEK_USB_DEVICE(VENDOR_ID_REALTEK, 0x8153)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_MICROSOFT, 0x07ab)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_MICROSOFT, 0x07c6)},
++ {REALTEK_USB_DEVICE(VENDOR_ID_MICROSOFT, 0x0927)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_SAMSUNG, 0xa101)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x304f)},
+ {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x3062)},
--- /dev/null
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Tue, 19 May 2020 16:04:05 -0400
+Subject: sctp: Don't add the shutdown timer if its already been added
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+[ Upstream commit 20a785aa52c82246055a089e55df9dac47d67da1 ]
+
+This BUG halt was reported a while back, but the patch somehow got
+missed:
+
+PID: 2879 TASK: c16adaa0 CPU: 1 COMMAND: "sctpn"
+ #0 [f418dd28] crash_kexec at c04a7d8c
+ #1 [f418dd7c] oops_end at c0863e02
+ #2 [f418dd90] do_invalid_op at c040aaca
+ #3 [f418de28] error_code (via invalid_op) at c08631a5
+ EAX: f34baac0 EBX: 00000090 ECX: f418deb0 EDX: f5542950 EBP: 00000000
+ DS: 007b ESI: f34ba800 ES: 007b EDI: f418dea0 GS: 00e0
+ CS: 0060 EIP: c046fa5e ERR: ffffffff EFLAGS: 00010286
+ #4 [f418de5c] add_timer at c046fa5e
+ #5 [f418de68] sctp_do_sm at f8db8c77 [sctp]
+ #6 [f418df30] sctp_primitive_SHUTDOWN at f8dcc1b5 [sctp]
+ #7 [f418df48] inet_shutdown at c080baf9
+ #8 [f418df5c] sys_shutdown at c079eedf
+ #9 [f418df70] sys_socketcall at c079fe88
+ EAX: ffffffda EBX: 0000000d ECX: bfceea90 EDX: 0937af98
+ DS: 007b ESI: 0000000c ES: 007b EDI: b7150ae4
+ SS: 007b ESP: bfceea7c EBP: bfceeaa8 GS: 0033
+ CS: 0073 EIP: b775c424 ERR: 00000066 EFLAGS: 00000282
+
+It appears that the side effect that starts the shutdown timer was processed
+multiple times, which can happen as multiple paths can trigger it. This of
+course leads to the BUG halt in add_timer getting called.
+
+Fix seems pretty straightforward, just check before the timer is added if its
+already been started. If it has mod the timer instead to min(current
+expiration, new expiration)
+
+Its been tested but not confirmed to fix the problem, as the issue has only
+occured in production environments where test kernels are enjoined from being
+installed. It appears to be a sane fix to me though. Also, recentely,
+Jere found a reproducer posted on list to confirm that this resolves the
+issues
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+CC: Vlad Yasevich <vyasevich@gmail.com>
+CC: "David S. Miller" <davem@davemloft.net>
+CC: jere.leppanen@nokia.com
+CC: marcelo.leitner@gmail.com
+CC: netdev@vger.kernel.org
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_sideeffect.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/sm_sideeffect.c
++++ b/net/sctp/sm_sideeffect.c
+@@ -1537,9 +1537,17 @@ static int sctp_cmd_interpreter(enum sct
+ timeout = asoc->timeouts[cmd->obj.to];
+ BUG_ON(!timeout);
+
+- timer->expires = jiffies + timeout;
+- sctp_association_hold(asoc);
+- add_timer(timer);
++ /*
++ * SCTP has a hard time with timer starts. Because we process
++ * timer starts as side effects, it can be hard to tell if we
++ * have already started a timer or not, which leads to BUG
++ * halts when we call add_timer. So here, instead of just starting
++ * a timer, if the timer is already started, and just mod
++ * the timer with the shorter of the two expiration times
++ */
++ if (!timer_pending(timer))
++ sctp_association_hold(asoc);
++ timer_reduce(timer, jiffies + timeout);
+ break;
+
+ case SCTP_CMD_TIMER_RESTART:
--- /dev/null
+From foo@baz Thu 28 May 2020 01:21:48 PM CEST
+From: "Jere Leppänen" <jere.leppanen@nokia.com>
+Date: Wed, 20 May 2020 18:15:31 +0300
+Subject: sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed
+
+From: "Jere Leppänen" <jere.leppanen@nokia.com>
+
+[ Upstream commit d3e8e4c11870413789f029a71e72ae6e971fe678 ]
+
+Commit bdf6fa52f01b ("sctp: handle association restarts when the
+socket is closed.") starts shutdown when an association is restarted,
+if in SHUTDOWN-PENDING state and the socket is closed. However, the
+rationale stated in that commit applies also when in SHUTDOWN-SENT
+state - we don't want to move an association to ESTABLISHED state when
+the socket has been closed, because that results in an association
+that is unreachable from user space.
+
+The problem scenario:
+
+1. Client crashes and/or restarts.
+
+2. Server (using one-to-one socket) calls close(). SHUTDOWN is lost.
+
+3. Client reconnects using the same addresses and ports.
+
+4. Server's association is restarted. The association and the socket
+ move to ESTABLISHED state, even though the server process has
+ closed its descriptor.
+
+Also, after step 4 when the server process exits, some resources are
+leaked in an attempt to release the underlying inet sock structure in
+ESTABLISHED state:
+
+ IPv4: Attempt to release TCP socket in state 1 00000000377288c7
+
+Fix by acting the same way as in SHUTDOWN-PENDING state. That is, if
+an association is restarted in SHUTDOWN-SENT state and the socket is
+closed, then start shutdown and don't move the association or the
+socket to ESTABLISHED state.
+
+Fixes: bdf6fa52f01b ("sctp: handle association restarts when the socket is closed.")
+Signed-off-by: Jere Leppänen <jere.leppanen@nokia.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_statefuns.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -1871,12 +1871,13 @@ static enum sctp_disposition sctp_sf_do_
+ /* Update the content of current association. */
+ sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
+ sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
+- if (sctp_state(asoc, SHUTDOWN_PENDING) &&
++ if ((sctp_state(asoc, SHUTDOWN_PENDING) ||
++ sctp_state(asoc, SHUTDOWN_SENT)) &&
+ (sctp_sstate(asoc->base.sk, CLOSING) ||
+ sock_flag(asoc->base.sk, SOCK_DEAD))) {
+- /* if were currently in SHUTDOWN_PENDING, but the socket
+- * has been closed by user, don't transition to ESTABLISHED.
+- * Instead trigger SHUTDOWN bundled with COOKIE_ACK.
++ /* If the socket has been closed by user, don't
++ * transition to ESTABLISHED. Instead trigger SHUTDOWN
++ * bundled with COOKIE_ACK.
+ */
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
+ return sctp_sf_do_9_2_start_shutdown(net, ep, asoc,
--- /dev/null
+ax25-fix-setsockopt-so_bindtodevice.patch
+dpaa_eth-fix-usage-as-dsa-master-try-3.patch
+net-dsa-mt7530-fix-roaming-from-dsa-user-ports.patch
+__netif_receive_skb_core-pass-skb-by-reference.patch
+net-inet_csk-fix-so_reuseport-bind-address-cache-in-tb-fast.patch
+net-ipip-fix-wrong-address-family-in-init-error-path.patch
+net-mlx5-add-command-entry-handling-completion.patch
+net-qrtr-fix-passing-invalid-reference-to-qrtr_local_enqueue.patch
+net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch
+net-sched-fix-reporting-the-first-time-use-timestamp.patch
+r8152-support-additional-microsoft-surface-ethernet-adapter-variant.patch
+sctp-don-t-add-the-shutdown-timer-if-its-already-been-added.patch
+sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch
+net-mlx5e-update-netdev-txq-on-completions-during-closure.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
