--- /dev/null
+From df81dfcfd6991d547653d46c051bac195cd182c1 Mon Sep 17 00:00:00 2001
+From: Edward Cree <ecree@solarflare.com>
+Date: Fri, 13 Mar 2020 20:33:07 +0000
+Subject: genirq: Fix reference leaks on irq affinity notifiers
+
+From: Edward Cree <ecree@solarflare.com>
+
+commit df81dfcfd6991d547653d46c051bac195cd182c1 upstream.
+
+The handling of notify->work did not properly maintain notify->kref in two
+ cases:
+1) where the work was already scheduled, another irq_set_affinity_locked()
+ would get the ref and (no-op-ly) schedule the work. Thus when
+ irq_affinity_notify() ran, it would drop the original ref but not the
+ additional one.
+2) when cancelling the (old) work in irq_set_affinity_notifier(), if there
+ was outstanding work a ref had been got for it but was never put.
+Fix both by checking the return values of the work handling functions
+ (schedule_work() for (1) and cancel_work_sync() for (2)) and put the
+ extra ref if the return value indicates preexisting work.
+
+Fixes: cd7eab44e994 ("genirq: Add IRQ affinity notifiers")
+Fixes: 59c39840f5ab ("genirq: Prevent use-after-free and work list corruption")
+Signed-off-by: Edward Cree <ecree@solarflare.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Ben Hutchings <ben@decadent.org.uk>
+Link: https://lkml.kernel.org/r/24f5983f-2ab5-e83a-44ee-a45b5f9300f5@solarflare.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/irq/manage.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -224,7 +224,11 @@ int irq_set_affinity_locked(struct irq_d
+
+ if (desc->affinity_notify) {
+ kref_get(&desc->affinity_notify->kref);
+- schedule_work(&desc->affinity_notify->work);
++ if (!schedule_work(&desc->affinity_notify->work)) {
++ /* Work was already scheduled, drop our extra ref */
++ kref_put(&desc->affinity_notify->kref,
++ desc->affinity_notify->release);
++ }
+ }
+ irqd_set(data, IRQD_AFFINITY_SET);
+
+@@ -324,7 +328,10 @@ irq_set_affinity_notifier(unsigned int i
+ raw_spin_unlock_irqrestore(&desc->lock, flags);
+
+ if (old_notify) {
+- cancel_work_sync(&old_notify->work);
++ if (cancel_work_sync(&old_notify->work)) {
++ /* Pending work had a ref, put that one too */
++ kref_put(&old_notify->kref, old_notify->release);
++ }
+ kref_put(&old_notify->kref, old_notify->release);
+ }
+
--- /dev/null
+From 0e91506ba00730f088961a8d39f8693b0f8e3fea Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 2 Mar 2020 12:12:24 +0100
+Subject: gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 BYT + AXP288 model
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 0e91506ba00730f088961a8d39f8693b0f8e3fea upstream.
+
+Commit aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option +
+quirk mechanism") was added to deal with spurious wakeups on one specific
+model of the HP x2 10 series. In the mean time I have learned that there
+are at least 3 different HP x2 10 models:
+
+Bay Trail SoC + AXP288 PMIC
+Cherry Trail SoC + AXP288 PMIC
+Cherry Trail SoC + TI PMIC
+
+And the original quirk is only correct for (and only matches the)
+Cherry Trail SoC + TI PMIC model.
+
+The Bay Trail SoC + AXP288 PMIC model has different DMI strings, has
+the external EC interrupt on a different GPIO pin and only needs to ignore
+wakeups on the EC interrupt, the INT0002 device works fine on this model.
+
+This commit adds an extra DMI based quirk for the HP x2 10 BYT + AXP288
+model, ignoring wakeups for ACPI GPIO events on the EC interrupt pin
+on this model. This fixes spurious wakeups from suspend on this model.
+
+Fixes: aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20200302111225.6641-3-hdegoede@redhat.com
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib-acpi.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -1425,6 +1425,21 @@ static const struct dmi_system_id gpioli
+ .ignore_wake = "INT33FF:01@0,INT0002:00@2",
+ },
+ },
++ {
++ /*
++ * HP X2 10 models with Bay Trail SoC + AXP288 PMIC use an
++ * external embedded-controller connected via I2C + an ACPI GPIO
++ * event handler on INT33FC:02 pin 28, causing spurious wakeups.
++ */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion x2 Detachable"),
++ DMI_MATCH(DMI_BOARD_NAME, "815D"),
++ },
++ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
++ .ignore_wake = "INT33FC:02@28",
++ },
++ },
+ {} /* Terminating entry */
+ };
+
--- /dev/null
+From efaa87fa0947d525cf7c075316adde4e3ac7720b Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 2 Mar 2020 12:12:22 +0100
+Subject: gpiolib: acpi: Correct comment for HP x2 10 honor_wakeup quirk
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit efaa87fa0947d525cf7c075316adde4e3ac7720b upstream.
+
+Commit aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option +
+quirk mechanism") added a quirk for some models of the HP x2 10 series.
+
+There are 2 issues with the comment describing the quirk:
+1) The comment claims the DMI quirk applies to all Cherry Trail based HP x2
+ 10 models. In the mean time I have learned that there are at least 3
+ models of the HP x2 10 models:
+
+ Bay Trail SoC + AXP288 PMIC
+ Cherry Trail SoC + AXP288 PMIC
+ Cherry Trail SoC + TI PMIC
+
+ And this quirk's DMI matches only match the Cherry Trail SoC + TI PMIC
+ SoC, which is good because we want a slightly different quirk for the
+ others. This commit updates the comment to make it clear that the quirk
+ is only for the Cherry Trail SoC + TI PMIC models.
+
+2) The comment says that it is ok to disable wakeup on all ACPI GPIO event
+ handlers, because there is only the one for the embedded-controller
+ events. This is not true, there also is a handler for the special
+ INT0002 device which is related to USB wakeups. We need to also disable
+ wakeups on that one because the device turns of the USB-keyboard built
+ into the dock when closing the lid. The XHCI controller takes a while
+ to notice this, so it only notices it when already suspended, causing
+ a spurious wakeup because of this. So disabling wakeup on all handlers
+ is the right thing to do, but not because there only is the one handler
+ for the EC events. This commit updates the comment to correctly reflect
+ this.
+
+Fixes: aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20200302111225.6641-1-hdegoede@redhat.com
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib-acpi.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -1348,12 +1348,14 @@ static const struct dmi_system_id gpioli
+ },
+ {
+ /*
+- * Various HP X2 10 Cherry Trail models use an external
+- * embedded-controller connected via I2C + an ACPI GPIO
+- * event handler. The embedded controller generates various
+- * spurious wakeup events when suspended. So disable wakeup
+- * for its handler (it uses the only ACPI GPIO event handler).
+- * This breaks wakeup when opening the lid, the user needs
++ * HP X2 10 models with Cherry Trail SoC + TI PMIC use an
++ * external embedded-controller connected via I2C + an ACPI GPIO
++ * event handler on INT33FF:01 pin 0, causing spurious wakeups.
++ * When suspending by closing the LID, the power to the USB
++ * keyboard is turned off, causing INT0002 ACPI events to
++ * trigger once the XHCI controller notices the keyboard is
++ * gone. So INT0002 events cause spurious wakeups too. Ignoring
++ * EC wakes breaks wakeup when opening the lid, the user needs
+ * to press the power-button to wakeup the system. The
+ * alternative is suspend simply not working, which is worse.
+ */
--- /dev/null
+From 2ccb21f5516afef5e251184eeefbf36db90206d7 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 2 Mar 2020 12:12:23 +0100
+Subject: gpiolib: acpi: Rework honor_wakeup option into an ignore_wake option
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 2ccb21f5516afef5e251184eeefbf36db90206d7 upstream.
+
+Commit aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option +
+quirk mechanism") was added to deal with spurious wakeups on one specific
+model of the HP x2 10 series.
+
+The approach taken there was to add a bool controlling wakeup support for
+all ACPI GPIO events. This was sufficient for the specific HP x2 10 model
+the commit was trying to fix, but in the mean time other models have
+turned up which need a similar workaround to avoid spurious wakeups from
+suspend, but only for one of the pins on which the ACPI tables request
+ACPI GPIO events.
+
+Since the honor_wakeup option was added to be able to ignore wake events,
+the name was perhaps not the best, this commit renames it to ignore_wake
+and changes it to a string with the following format:
+gpiolib_acpi.ignore_wake=controller@pin[,controller@pin[,...]]
+
+This allows working around spurious wakeup issues on a per pin basis.
+
+This commit also reworks the existing quirk for the HP x2 10 so that
+it functions as before.
+
+Note:
+-This removes the honor_wakeup parameter. This has only been upstream for
+ a short time and to the best of my knowledge there are no users using
+ this module parameter.
+
+-The controller@pin[,controller@pin[,...]] syntax is based on an existing
+ kernel module parameter using the same controller@pin format. That version
+ uses ';' as separator, but in practice that is problematic because grub2
+ cannot handle this without taking special care to escape the ';', so here
+ we are using a ',' as separator instead which does not have this issue.
+
+Fixes: aa23ca3d98f7 ("gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20200302111225.6641-2-hdegoede@redhat.com
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpiolib-acpi.c | 96 ++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 76 insertions(+), 20 deletions(-)
+
+--- a/drivers/gpio/gpiolib-acpi.c
++++ b/drivers/gpio/gpiolib-acpi.c
+@@ -24,18 +24,21 @@
+
+ #include "gpiolib.h"
+
+-#define QUIRK_NO_EDGE_EVENTS_ON_BOOT 0x01l
+-#define QUIRK_NO_WAKEUP 0x02l
+-
+ static int run_edge_events_on_boot = -1;
+ module_param(run_edge_events_on_boot, int, 0444);
+ MODULE_PARM_DESC(run_edge_events_on_boot,
+ "Run edge _AEI event-handlers at boot: 0=no, 1=yes, -1=auto");
+
+-static int honor_wakeup = -1;
+-module_param(honor_wakeup, int, 0444);
+-MODULE_PARM_DESC(honor_wakeup,
+- "Honor the ACPI wake-capable flag: 0=no, 1=yes, -1=auto");
++static char *ignore_wake;
++module_param(ignore_wake, charp, 0444);
++MODULE_PARM_DESC(ignore_wake,
++ "controller@pin combos on which to ignore the ACPI wake flag "
++ "ignore_wake=controller@pin[,controller@pin[,...]]");
++
++struct acpi_gpiolib_dmi_quirk {
++ bool no_edge_events_on_boot;
++ char *ignore_wake;
++};
+
+ /**
+ * struct acpi_gpio_event - ACPI GPIO event handler data
+@@ -262,6 +265,57 @@ static void acpi_gpiochip_request_irqs(s
+ acpi_gpiochip_request_irq(acpi_gpio, event);
+ }
+
++static bool acpi_gpio_in_ignore_list(const char *controller_in, int pin_in)
++{
++ const char *controller, *pin_str;
++ int len, pin;
++ char *endp;
++
++ controller = ignore_wake;
++ while (controller) {
++ pin_str = strchr(controller, '@');
++ if (!pin_str)
++ goto err;
++
++ len = pin_str - controller;
++ if (len == strlen(controller_in) &&
++ strncmp(controller, controller_in, len) == 0) {
++ pin = simple_strtoul(pin_str + 1, &endp, 10);
++ if (*endp != 0 && *endp != ',')
++ goto err;
++
++ if (pin == pin_in)
++ return true;
++ }
++
++ controller = strchr(controller, ',');
++ if (controller)
++ controller++;
++ }
++
++ return false;
++err:
++ pr_err_once("Error invalid value for gpiolib_acpi.ignore_wake: %s\n",
++ ignore_wake);
++ return false;
++}
++
++static bool acpi_gpio_irq_is_wake(struct device *parent,
++ struct acpi_resource_gpio *agpio)
++{
++ int pin = agpio->pin_table[0];
++
++ if (agpio->wake_capable != ACPI_WAKE_CAPABLE)
++ return false;
++
++ if (acpi_gpio_in_ignore_list(dev_name(parent), pin)) {
++ dev_info(parent, "Ignoring wakeup on pin %d\n", pin);
++ return false;
++ }
++
++ return true;
++}
++
+ static acpi_status acpi_gpiochip_alloc_event(struct acpi_resource *ares,
+ void *context)
+ {
+@@ -347,7 +401,7 @@ static acpi_status acpi_gpiochip_alloc_e
+ event->handle = evt_handle;
+ event->handler = handler;
+ event->irq = irq;
+- event->irq_is_wake = honor_wakeup && agpio->wake_capable == ACPI_WAKE_CAPABLE;
++ event->irq_is_wake = acpi_gpio_irq_is_wake(chip->parent, agpio);
+ event->pin = pin;
+ event->desc = desc;
+
+@@ -1331,7 +1385,9 @@ static const struct dmi_system_id gpioli
+ DMI_MATCH(DMI_SYS_VENDOR, "MINIX"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Z83-4"),
+ },
+- .driver_data = (void *)QUIRK_NO_EDGE_EVENTS_ON_BOOT,
++ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
++ .no_edge_events_on_boot = true,
++ },
+ },
+ {
+ /*
+@@ -1344,7 +1400,9 @@ static const struct dmi_system_id gpioli
+ DMI_MATCH(DMI_SYS_VENDOR, "Wortmann_AG"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "TERRA_PAD_1061"),
+ },
+- .driver_data = (void *)QUIRK_NO_EDGE_EVENTS_ON_BOOT,
++ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
++ .no_edge_events_on_boot = true,
++ },
+ },
+ {
+ /*
+@@ -1363,33 +1421,31 @@ static const struct dmi_system_id gpioli
+ DMI_MATCH(DMI_SYS_VENDOR, "HP"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "HP x2 Detachable 10-p0XX"),
+ },
+- .driver_data = (void *)QUIRK_NO_WAKEUP,
++ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
++ .ignore_wake = "INT33FF:01@0,INT0002:00@2",
++ },
+ },
+ {} /* Terminating entry */
+ };
+
+ static int acpi_gpio_setup_params(void)
+ {
++ const struct acpi_gpiolib_dmi_quirk *quirk = NULL;
+ const struct dmi_system_id *id;
+- long quirks = 0;
+
+ id = dmi_first_match(gpiolib_acpi_quirks);
+ if (id)
+- quirks = (long)id->driver_data;
++ quirk = id->driver_data;
+
+ if (run_edge_events_on_boot < 0) {
+- if (quirks & QUIRK_NO_EDGE_EVENTS_ON_BOOT)
++ if (quirk && quirk->no_edge_events_on_boot)
+ run_edge_events_on_boot = 0;
+ else
+ run_edge_events_on_boot = 1;
+ }
+
+- if (honor_wakeup < 0) {
+- if (quirks & QUIRK_NO_WAKEUP)
+- honor_wakeup = 0;
+- else
+- honor_wakeup = 1;
+- }
++ if (ignore_wake == NULL && quirk && quirk->ignore_wake)
++ ignore_wake = quirk->ignore_wake;
+
+ return 0;
+ }
--- /dev/null
+From bcfabee1afd99484b6ba067361b8678e28bbc065 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 23 Mar 2020 19:53:10 +0100
+Subject: netfilter: nft_fwd_netdev: allow to redirect to ifb via ingress
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit bcfabee1afd99484b6ba067361b8678e28bbc065 upstream.
+
+Set skb->tc_redirected to 1, otherwise the ifb driver drops the packet.
+Set skb->tc_from_ingress to 1 to reinject the packet back to the ingress
+path after leaving the ifb egress path.
+
+This patch inconditionally sets on these two skb fields that are
+meaningful to the ifb driver. The existing forward action is guaranteed
+to run from ingress path.
+
+Fixes: 39e6dea28adc ("netfilter: nf_tables: add forward expression to the netdev family")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nft_fwd_netdev.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/netfilter/nft_fwd_netdev.c
++++ b/net/netfilter/nft_fwd_netdev.c
+@@ -26,6 +26,10 @@ static void nft_fwd_netdev_eval(const st
+ struct nft_fwd_netdev *priv = nft_expr_priv(expr);
+ int oif = regs->data[priv->sreg_dev];
+
++ /* These are used by ifb only. */
++ pkt->skb->tc_redirected = 1;
++ pkt->skb->tc_from_ingress = 1;
++
+ nf_fwd_netdev_egress(pkt, oif);
+ regs->verdict.code = NF_STOLEN;
+ }
--- /dev/null
+From 76a109fac206e158eb3c967af98c178cff738e6a Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 23 Mar 2020 14:27:16 +0100
+Subject: netfilter: nft_fwd_netdev: validate family and chain type
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 76a109fac206e158eb3c967af98c178cff738e6a upstream.
+
+Make sure the forward action is only used from ingress.
+
+Fixes: 39e6dea28adc ("netfilter: nf_tables: add forward expression to the netdev family")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nft_fwd_netdev.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/netfilter/nft_fwd_netdev.c
++++ b/net/netfilter/nft_fwd_netdev.c
+@@ -62,6 +62,13 @@ nla_put_failure:
+ return -1;
+ }
+
++static int nft_fwd_validate(const struct nft_ctx *ctx,
++ const struct nft_expr *expr,
++ const struct nft_data **data)
++{
++ return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS));
++}
++
+ static struct nft_expr_type nft_fwd_netdev_type;
+ static const struct nft_expr_ops nft_fwd_netdev_ops = {
+ .type = &nft_fwd_netdev_type,
+@@ -69,6 +76,7 @@ static const struct nft_expr_ops nft_fwd
+ .eval = nft_fwd_netdev_eval,
+ .init = nft_fwd_netdev_init,
+ .dump = nft_fwd_netdev_dump,
++ .validate = nft_fwd_validate,
+ };
+
+ static struct nft_expr_type nft_fwd_netdev_type __read_mostly = {
--- /dev/null
+From 2d47fbacf2725a67869f4d3634c2415e7dfab2f4 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Date: Fri, 13 Mar 2020 08:47:05 -0400
+Subject: RDMA/core: Ensure security pkey modify is not lost
+
+From: Mike Marciniszyn <mike.marciniszyn@intel.com>
+
+commit 2d47fbacf2725a67869f4d3634c2415e7dfab2f4 upstream.
+
+The following modify sequence (loosely based on ipoib) will lose a pkey
+modifcation:
+
+- Modify (pkey index, port)
+- Modify (new pkey index, NO port)
+
+After the first modify, the qp_pps list will have saved the pkey and the
+unit on the main list.
+
+During the second modify, get_new_pps() will fetch the port from qp_pps
+and read the new pkey index from qp_attr->pkey_index. The state will
+still be zero, or IB_PORT_PKEY_NOT_VALID. Because of the invalid state,
+the new values will never replace the one in the qp pps list, losing the
+new pkey.
+
+This happens because the following if statements will never correct the
+state because the first term will be false. If the code had been executed,
+it would incorrectly overwrite valid values.
+
+ if ((qp_attr_mask & IB_QP_PKEY_INDEX) && (qp_attr_mask & IB_QP_PORT))
+ new_pps->main.state = IB_PORT_PKEY_VALID;
+
+ if (!(qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) && qp_pps) {
+ new_pps->main.port_num = qp_pps->main.port_num;
+ new_pps->main.pkey_index = qp_pps->main.pkey_index;
+ if (qp_pps->main.state != IB_PORT_PKEY_NOT_VALID)
+ new_pps->main.state = IB_PORT_PKEY_VALID;
+ }
+
+Fix by joining the two if statements with an or test to see if qp_pps is
+non-NULL and in the correct state.
+
+Fixes: 1dd017882e01 ("RDMA/core: Fix protection fault in get_pkey_idx_qp_list")
+Link: https://lore.kernel.org/r/20200313124704.14982.55907.stgit@awfm-01.aw.intel.com
+Reviewed-by: Kaike Wan <kaike.wan@intel.com>
+Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/security.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/core/security.c
++++ b/drivers/infiniband/core/security.c
+@@ -348,16 +348,11 @@ static struct ib_ports_pkeys *get_new_pp
+ else if (qp_pps)
+ new_pps->main.pkey_index = qp_pps->main.pkey_index;
+
+- if ((qp_attr_mask & IB_QP_PKEY_INDEX) && (qp_attr_mask & IB_QP_PORT))
++ if (((qp_attr_mask & IB_QP_PKEY_INDEX) &&
++ (qp_attr_mask & IB_QP_PORT)) ||
++ (qp_pps && qp_pps->main.state != IB_PORT_PKEY_NOT_VALID))
+ new_pps->main.state = IB_PORT_PKEY_VALID;
+
+- if (!(qp_attr_mask & (IB_QP_PKEY_INDEX | IB_QP_PORT)) && qp_pps) {
+- new_pps->main.port_num = qp_pps->main.port_num;
+- new_pps->main.pkey_index = qp_pps->main.pkey_index;
+- if (qp_pps->main.state != IB_PORT_PKEY_NOT_VALID)
+- new_pps->main.state = IB_PORT_PKEY_VALID;
+- }
+-
+ if (qp_attr_mask & IB_QP_ALT_PATH) {
+ new_pps->alt.port_num = qp_attr->alt_port_num;
+ new_pps->alt.pkey_index = qp_attr->alt_pkey_index;
--- /dev/null
+From ba80013fba656b9830ef45cd40a6a1e44707f47a Mon Sep 17 00:00:00 2001
+From: Maor Gottlieb <maorg@mellanox.com>
+Date: Sun, 22 Mar 2020 14:49:06 +0200
+Subject: RDMA/mlx5: Block delay drop to unprivileged users
+
+From: Maor Gottlieb <maorg@mellanox.com>
+
+commit ba80013fba656b9830ef45cd40a6a1e44707f47a upstream.
+
+It has been discovered that this feature can globally block the RX port,
+so it should be allowed for highly privileged users only.
+
+Fixes: 03404e8ae652("IB/mlx5: Add support to dropless RQ")
+Link: https://lore.kernel.org/r/20200322124906.1173790-1-leon@kernel.org
+Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/qp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -4896,6 +4896,10 @@ struct ib_wq *mlx5_ib_create_wq(struct i
+ if (udata->outlen && udata->outlen < min_resp_len)
+ return ERR_PTR(-EINVAL);
+
++ if (!capable(CAP_SYS_RAWIO) &&
++ init_attr->create_flags & IB_WQ_FLAGS_DELAY_DROP)
++ return ERR_PTR(-EPERM);
++
+ dev = to_mdev(pd->device);
+ switch (init_attr->wq_type) {
+ case IB_WQT_RQ:
scripts-dtc-remove-redundant-yyloc-global-declaration.patch
scsi-sd-fix-optimal-i-o-size-for-devices-that-change-reported-values.patch
mac80211-mark-station-unauthorized-before-key-removal.patch
+gpiolib-acpi-correct-comment-for-hp-x2-10-honor_wakeup-quirk.patch
+gpiolib-acpi-rework-honor_wakeup-option-into-an-ignore_wake-option.patch
+gpiolib-acpi-add-quirk-to-ignore-ec-wakeups-on-hp-x2-10-byt-axp288-model.patch
+rdma-core-ensure-security-pkey-modify-is-not-lost.patch
+genirq-fix-reference-leaks-on-irq-affinity-notifiers.patch
+xfrm-handle-netdev_unregister-for-xfrm-device.patch
+vti-fix-packet-tx-through-bpf_redirect-in-xiny-cases.patch
+rdma-mlx5-block-delay-drop-to-unprivileged-users.patch
+xfrm-fix-uctx-len-check-in-verify_sec_ctx_len.patch
+xfrm-add-the-missing-verify_sec_ctx_len-check-in-xfrm_add_acquire.patch
+xfrm-policy-fix-doulbe-free-in-xfrm_policy_timer.patch
+netfilter-nft_fwd_netdev-validate-family-and-chain-type.patch
+netfilter-nft_fwd_netdev-allow-to-redirect-to-ifb-via-ingress.patch
--- /dev/null
+From f1ed10264ed6b66b9cd5e8461cffce69be482356 Mon Sep 17 00:00:00 2001
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Tue, 4 Feb 2020 17:00:27 +0100
+Subject: vti[6]: fix packet tx through bpf_redirect() in XinY cases
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+commit f1ed10264ed6b66b9cd5e8461cffce69be482356 upstream.
+
+I forgot the 4in6/6in4 cases in my previous patch. Let's fix them.
+
+Fixes: 95224166a903 ("vti[6]: fix packet tx through bpf_redirect()")
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/Kconfig | 1 +
+ net/ipv4/ip_vti.c | 36 +++++++++++++++++++++++++++++-------
+ net/ipv6/ip6_vti.c | 32 +++++++++++++++++++++++++-------
+ 3 files changed, 55 insertions(+), 14 deletions(-)
+
+--- a/net/ipv4/Kconfig
++++ b/net/ipv4/Kconfig
+@@ -297,6 +297,7 @@ config SYN_COOKIES
+
+ config NET_IPVTI
+ tristate "Virtual (secure) IP: tunneling"
++ depends on IPV6 || IPV6=n
+ select INET_TUNNEL
+ select NET_IP_TUNNEL
+ depends on INET_XFRM_MODE_TUNNEL
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -208,17 +208,39 @@ static netdev_tx_t vti_xmit(struct sk_bu
+ int mtu;
+
+ if (!dst) {
+- struct rtable *rt;
++ switch (skb->protocol) {
++ case htons(ETH_P_IP): {
++ struct rtable *rt;
+
+- fl->u.ip4.flowi4_oif = dev->ifindex;
+- fl->u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC;
+- rt = __ip_route_output_key(dev_net(dev), &fl->u.ip4);
+- if (IS_ERR(rt)) {
++ fl->u.ip4.flowi4_oif = dev->ifindex;
++ fl->u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC;
++ rt = __ip_route_output_key(dev_net(dev), &fl->u.ip4);
++ if (IS_ERR(rt)) {
++ dev->stats.tx_carrier_errors++;
++ goto tx_error_icmp;
++ }
++ dst = &rt->dst;
++ skb_dst_set(skb, dst);
++ break;
++ }
++#if IS_ENABLED(CONFIG_IPV6)
++ case htons(ETH_P_IPV6):
++ fl->u.ip6.flowi6_oif = dev->ifindex;
++ fl->u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC;
++ dst = ip6_route_output(dev_net(dev), NULL, &fl->u.ip6);
++ if (dst->error) {
++ dst_release(dst);
++ dst = NULL;
++ dev->stats.tx_carrier_errors++;
++ goto tx_error_icmp;
++ }
++ skb_dst_set(skb, dst);
++ break;
++#endif
++ default:
+ dev->stats.tx_carrier_errors++;
+ goto tx_error_icmp;
+ }
+- dst = &rt->dst;
+- skb_dst_set(skb, dst);
+ }
+
+ dst_hold(dst);
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -454,15 +454,33 @@ vti6_xmit(struct sk_buff *skb, struct ne
+ int mtu;
+
+ if (!dst) {
+- fl->u.ip6.flowi6_oif = dev->ifindex;
+- fl->u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC;
+- dst = ip6_route_output(dev_net(dev), NULL, &fl->u.ip6);
+- if (dst->error) {
+- dst_release(dst);
+- dst = NULL;
++ switch (skb->protocol) {
++ case htons(ETH_P_IP): {
++ struct rtable *rt;
++
++ fl->u.ip4.flowi4_oif = dev->ifindex;
++ fl->u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC;
++ rt = __ip_route_output_key(dev_net(dev), &fl->u.ip4);
++ if (IS_ERR(rt))
++ goto tx_err_link_failure;
++ dst = &rt->dst;
++ skb_dst_set(skb, dst);
++ break;
++ }
++ case htons(ETH_P_IPV6):
++ fl->u.ip6.flowi6_oif = dev->ifindex;
++ fl->u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC;
++ dst = ip6_route_output(dev_net(dev), NULL, &fl->u.ip6);
++ if (dst->error) {
++ dst_release(dst);
++ dst = NULL;
++ goto tx_err_link_failure;
++ }
++ skb_dst_set(skb, dst);
++ break;
++ default:
+ goto tx_err_link_failure;
+ }
+- skb_dst_set(skb, dst);
+ }
+
+ dst_hold(dst);
--- /dev/null
+From a1a7e3a36e01ca6e67014f8cf673cb8e47be5550 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 9 Feb 2020 21:16:38 +0800
+Subject: xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit a1a7e3a36e01ca6e67014f8cf673cb8e47be5550 upstream.
+
+Without doing verify_sec_ctx_len() check in xfrm_add_acquire(), it may be
+out-of-bounds to access uctx->ctx_str with uctx->ctx_len, as noticed by
+syz:
+
+ BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x237/0x430
+ Read of size 768 at addr ffff8880123be9b4 by task syz-executor.1/11650
+
+ Call Trace:
+ dump_stack+0xe8/0x16e
+ print_address_description.cold.3+0x9/0x23b
+ kasan_report.cold.4+0x64/0x95
+ memcpy+0x1f/0x50
+ selinux_xfrm_alloc_user+0x237/0x430
+ security_xfrm_policy_alloc+0x5c/0xb0
+ xfrm_policy_construct+0x2b1/0x650
+ xfrm_add_acquire+0x21d/0xa10
+ xfrm_user_rcv_msg+0x431/0x6f0
+ netlink_rcv_skb+0x15a/0x410
+ xfrm_netlink_rcv+0x6d/0x90
+ netlink_unicast+0x50e/0x6a0
+ netlink_sendmsg+0x8ae/0xd40
+ sock_sendmsg+0x133/0x170
+ ___sys_sendmsg+0x834/0x9a0
+ __sys_sendmsg+0x100/0x1e0
+ do_syscall_64+0xe5/0x660
+ entry_SYSCALL_64_after_hwframe+0x6a/0xdf
+
+So fix it by adding the missing verify_sec_ctx_len check there.
+
+Fixes: 980ebd25794f ("[IPSEC]: Sync series - acquire insert")
+Reported-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_user.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2214,6 +2214,9 @@ static int xfrm_add_acquire(struct sk_bu
+ err = verify_newpolicy_info(&ua->policy);
+ if (err)
+ goto free_state;
++ err = verify_sec_ctx_len(attrs);
++ if (err)
++ goto free_state;
+
+ /* build an XP */
+ xp = xfrm_policy_construct(net, &ua->policy, attrs, &err);
--- /dev/null
+From 171d449a028573b2f0acdc7f31ecbb045391b320 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 9 Feb 2020 21:15:29 +0800
+Subject: xfrm: fix uctx len check in verify_sec_ctx_len
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 171d449a028573b2f0acdc7f31ecbb045391b320 upstream.
+
+It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) +
+uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt),
+in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str
+later.
+
+This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt).
+
+Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_user.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -109,7 +109,8 @@ static inline int verify_sec_ctx_len(str
+ return 0;
+
+ uctx = nla_data(rt);
+- if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
++ if (uctx->len > nla_len(rt) ||
++ uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
+ return -EINVAL;
+
+ return 0;
--- /dev/null
+From 03891f820c2117b19e80b370281eb924a09cf79f Mon Sep 17 00:00:00 2001
+From: Raed Salem <raeds@mellanox.com>
+Date: Sun, 2 Feb 2020 13:19:34 +0200
+Subject: xfrm: handle NETDEV_UNREGISTER for xfrm device
+
+From: Raed Salem <raeds@mellanox.com>
+
+commit 03891f820c2117b19e80b370281eb924a09cf79f upstream.
+
+This patch to handle the asynchronous unregister
+device event so the device IPsec offload resources
+could be cleanly released.
+
+Fixes: e4db5b61c572 ("xfrm: policy: remove pcpu policy cache")
+Signed-off-by: Raed Salem <raeds@mellanox.com>
+Reviewed-by: Boris Pismenny <borisp@mellanox.com>
+Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xfrm/xfrm_device.c
++++ b/net/xfrm/xfrm_device.c
+@@ -187,6 +187,7 @@ static int xfrm_dev_event(struct notifie
+ return xfrm_dev_feat_change(dev);
+
+ case NETDEV_DOWN:
++ case NETDEV_UNREGISTER:
+ return xfrm_dev_down(dev);
+ }
+ return NOTIFY_DONE;
--- /dev/null
+From 4c59406ed00379c8663f8663d82b2537467ce9d7 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Mon, 23 Mar 2020 15:32:39 +0800
+Subject: xfrm: policy: Fix doulbe free in xfrm_policy_timer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 4c59406ed00379c8663f8663d82b2537467ce9d7 upstream.
+
+After xfrm_add_policy add a policy, its ref is 2, then
+
+ xfrm_policy_timer
+ read_lock
+ xp->walk.dead is 0
+ ....
+ mod_timer()
+xfrm_policy_kill
+ policy->walk.dead = 1
+ ....
+ del_timer(&policy->timer)
+ xfrm_pol_put //ref is 1
+ xfrm_pol_put //ref is 0
+ xfrm_policy_destroy
+ call_rcu
+ xfrm_pol_hold //ref is 1
+ read_unlock
+ xfrm_pol_put //ref is 0
+ xfrm_policy_destroy
+ call_rcu
+
+xfrm_policy_destroy is called twice, which may leads to
+double free.
+
+Call Trace:
+RIP: 0010:refcount_warn_saturate+0x161/0x210
+...
+ xfrm_policy_timer+0x522/0x600
+ call_timer_fn+0x1b3/0x5e0
+ ? __xfrm_decode_session+0x2990/0x2990
+ ? msleep+0xb0/0xb0
+ ? _raw_spin_unlock_irq+0x24/0x40
+ ? __xfrm_decode_session+0x2990/0x2990
+ ? __xfrm_decode_session+0x2990/0x2990
+ run_timer_softirq+0x5c5/0x10e0
+
+Fix this by use write_lock_bh in xfrm_policy_kill.
+
+Fixes: ea2dea9dacc2 ("xfrm: remove policy lock when accessing policy->walk.dead")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Timo Teräs <timo.teras@iki.fi>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_policy.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -301,7 +301,9 @@ EXPORT_SYMBOL(xfrm_policy_destroy);
+
+ static void xfrm_policy_kill(struct xfrm_policy *policy)
+ {
++ write_lock_bh(&policy->lock);
+ policy->walk.dead = 1;
++ write_unlock_bh(&policy->lock);
+
+ atomic_inc(&policy->genid);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
