4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 28 Jun 2020 15:21:56 +0000 (17:21 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 28 Jun 2020 15:21:56 +0000 (17:21 +0200)
added patches:
ip6_gre-fix-use-after-free-in-ip6gre_tunnel_lookup.patch
ip_tunnel-fix-use-after-free-in-ip_tunnel_lookup.patch
mld-fix-memory-leak-in-ipv6_mc_destroy_dev.patch
net-core-reduce-recursion-limit-value.patch
net-do-not-clear-the-sock-tx-queue-in-sk_set_socket.patch
net-fix-memleak-in-register_netdevice.patch
net-fix-the-arp-error-in-some-cases.patch
net-usb-ax88179_178a-fix-packet-alignment-padding.patch
sctp-don-t-advertise-ipv4-addresses-if-ipv6only-is-set-on-the-socket.patch
tcp-grow-window-for-ooo-packets-only-for-sack-flows.patch
tcp_cubic-fix-spurious-hystart_delay-exit-upon-drop-in-min-rtt.patch
tg3-driver-sleeps-indefinitely-when-eeh-errors-exceed-eeh_max_freezes.patch

14 files changed:
queue-4.4/fix-a-braino-in-sparc32-fix-register-window-handling.patch
queue-4.4/ip6_gre-fix-use-after-free-in-ip6gre_tunnel_lookup.patch [new file with mode: 0644]
queue-4.4/ip_tunnel-fix-use-after-free-in-ip_tunnel_lookup.patch [new file with mode: 0644]
queue-4.4/mld-fix-memory-leak-in-ipv6_mc_destroy_dev.patch [new file with mode: 0644]
queue-4.4/net-core-reduce-recursion-limit-value.patch [new file with mode: 0644]
queue-4.4/net-do-not-clear-the-sock-tx-queue-in-sk_set_socket.patch [new file with mode: 0644]
queue-4.4/net-fix-memleak-in-register_netdevice.patch [new file with mode: 0644]
queue-4.4/net-fix-the-arp-error-in-some-cases.patch [new file with mode: 0644]
queue-4.4/net-usb-ax88179_178a-fix-packet-alignment-padding.patch [new file with mode: 0644]
queue-4.4/sctp-don-t-advertise-ipv4-addresses-if-ipv6only-is-set-on-the-socket.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/tcp-grow-window-for-ooo-packets-only-for-sack-flows.patch [new file with mode: 0644]
queue-4.4/tcp_cubic-fix-spurious-hystart_delay-exit-upon-drop-in-min-rtt.patch [new file with mode: 0644]
queue-4.4/tg3-driver-sleeps-indefinitely-when-eeh-errors-exceed-eeh_max_freezes.patch [new file with mode: 0644]

index ee7e09644906fa13a84fae878dc127a47060e8cb..8926b4450f032a144ea5de70e468bd23ecf3503c 100644 (file)
@@ -14,14 +14,12 @@ Fixes: cf51e129b968 "sparc32: fix register window handling in genregs32_[gs]et()
 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
- arch/sparc/kernel/ptrace_32.c | 9 +++++++--
+ arch/sparc/kernel/ptrace_32.c |    9 +++++++--
  1 file changed, 7 insertions(+), 2 deletions(-)
 
-diff --git a/arch/sparc/kernel/ptrace_32.c b/arch/sparc/kernel/ptrace_32.c
-index 396dbdea0cfa0..2f4316c142664 100644
 --- a/arch/sparc/kernel/ptrace_32.c
 +++ b/arch/sparc/kernel/ptrace_32.c
-@@ -167,12 +167,17 @@ static int genregs32_set(struct task_struct *target,
+@@ -167,12 +167,17 @@ static int genregs32_set(struct task_str
        if (ret || !count)
                return ret;
        ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
@@ -41,6 +39,3 @@ index 396dbdea0cfa0..2f4316c142664 100644
  }
  
  static int fpregs32_get(struct task_struct *target,
--- 
-2.25.1
-
diff --git a/queue-4.4/ip6_gre-fix-use-after-free-in-ip6gre_tunnel_lookup.patch b/queue-4.4/ip6_gre-fix-use-after-free-in-ip6gre_tunnel_lookup.patch
new file mode 100644 (file)
index 0000000..8627315
--- /dev/null
@@ -0,0 +1,114 @@
+From foo@baz Sun 28 Jun 2020 03:29:00 PM CEST
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Tue, 16 Jun 2020 16:04:00 +0000
+Subject: ip6_gre: fix use-after-free in ip6gre_tunnel_lookup()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit dafabb6590cb15f300b77c095d50312e2c7c8e0f ]
+
+In the datapath, the ip6gre_tunnel_lookup() is used and it internally uses
+fallback tunnel device pointer, which is fb_tunnel_dev.
+This pointer variable should be set to NULL when a fb interface is deleted.
+But there is no routine to set fb_tunnel_dev pointer to NULL.
+So, this pointer will be still used after interface is deleted and
+it eventually results in the use-after-free problem.
+
+Test commands:
+    ip netns add A
+    ip netns add B
+    ip link add eth0 type veth peer name eth1
+    ip link set eth0 netns A
+    ip link set eth1 netns B
+
+    ip netns exec A ip link set lo up
+    ip netns exec A ip link set eth0 up
+    ip netns exec A ip link add ip6gre1 type ip6gre local fc:0::1 \
+           remote fc:0::2
+    ip netns exec A ip -6 a a fc:100::1/64 dev ip6gre1
+    ip netns exec A ip link set ip6gre1 up
+    ip netns exec A ip -6 a a fc:0::1/64 dev eth0
+    ip netns exec A ip link set ip6gre0 up
+
+    ip netns exec B ip link set lo up
+    ip netns exec B ip link set eth1 up
+    ip netns exec B ip link add ip6gre1 type ip6gre local fc:0::2 \
+           remote fc:0::1
+    ip netns exec B ip -6 a a fc:100::2/64 dev ip6gre1
+    ip netns exec B ip link set ip6gre1 up
+    ip netns exec B ip -6 a a fc:0::2/64 dev eth1
+    ip netns exec B ip link set ip6gre0 up
+    ip netns exec A ping fc:100::2 -s 60000 &
+    ip netns del B
+
+Splat looks like:
+[   73.087285][    C1] BUG: KASAN: use-after-free in ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
+[   73.088361][    C1] Read of size 4 at addr ffff888040559218 by task ping/1429
+[   73.089317][    C1]
+[   73.089638][    C1] CPU: 1 PID: 1429 Comm: ping Not tainted 5.7.0+ #602
+[   73.090531][    C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[   73.091725][    C1] Call Trace:
+[   73.092160][    C1]  <IRQ>
+[   73.092556][    C1]  dump_stack+0x96/0xdb
+[   73.093122][    C1]  print_address_description.constprop.6+0x2cc/0x450
+[   73.094016][    C1]  ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
+[   73.094894][    C1]  ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
+[   73.095767][    C1]  ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
+[   73.096619][    C1]  kasan_report+0x154/0x190
+[   73.097209][    C1]  ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
+[   73.097989][    C1]  ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
+[   73.098750][    C1]  ? gre_del_protocol+0x60/0x60 [gre]
+[   73.099500][    C1]  gre_rcv+0x1c5/0x1450 [ip6_gre]
+[   73.100199][    C1]  ? ip6gre_header+0xf00/0xf00 [ip6_gre]
+[   73.100985][    C1]  ? rcu_read_lock_sched_held+0xc0/0xc0
+[   73.101830][    C1]  ? ip6_input_finish+0x5/0xf0
+[   73.102483][    C1]  ip6_protocol_deliver_rcu+0xcbb/0x1510
+[   73.103296][    C1]  ip6_input_finish+0x5b/0xf0
+[   73.103920][    C1]  ip6_input+0xcd/0x2c0
+[   73.104473][    C1]  ? ip6_input_finish+0xf0/0xf0
+[   73.105115][    C1]  ? rcu_read_lock_held+0x90/0xa0
+[   73.105783][    C1]  ? rcu_read_lock_sched_held+0xc0/0xc0
+[   73.106548][    C1]  ipv6_rcv+0x1f1/0x300
+[ ... ]
+
+Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_gre.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -125,6 +125,7 @@ static struct ip6_tnl *ip6gre_tunnel_loo
+       int dev_type = (gre_proto == htons(ETH_P_TEB)) ?
+                      ARPHRD_ETHER : ARPHRD_IP6GRE;
+       int score, cand_score = 4;
++      struct net_device *ndev;
+       for_each_ip_tunnel_rcu(t, ign->tunnels_r_l[h0 ^ h1]) {
+               if (!ipv6_addr_equal(local, &t->parms.laddr) ||
+@@ -227,9 +228,9 @@ static struct ip6_tnl *ip6gre_tunnel_loo
+       if (cand)
+               return cand;
+-      dev = ign->fb_tunnel_dev;
+-      if (dev->flags & IFF_UP)
+-              return netdev_priv(dev);
++      ndev = READ_ONCE(ign->fb_tunnel_dev);
++      if (ndev && ndev->flags & IFF_UP)
++              return netdev_priv(ndev);
+       return NULL;
+ }
+@@ -364,6 +365,8 @@ static void ip6gre_tunnel_uninit(struct
+       struct ip6gre_net *ign = net_generic(t->net, ip6gre_net_id);
+       ip6gre_tunnel_unlink(ign, t);
++      if (ign->fb_tunnel_dev == dev)
++              WRITE_ONCE(ign->fb_tunnel_dev, NULL);
+       dst_cache_reset(&t->dst_cache);
+       dev_put(dev);
+ }
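Review bot: The lockless handoff of `fb_tunnel_dev` is not explained at either end: `ip6gre_tunnel_lookup()` now loads it with `READ_ONCE()` and `ip6gre_tunnel_uninit()` clears it with `WRITE_ONCE()`, but nothing says what keeps the device alive for a reader that loaded the pointer just before the store. The `for_each_ip_tunnel_rcu` walk in the same function suggests the lookup runs in an RCU read-side section, so the fix presumably relies on the netdev not being freed until a grace period has passed; that belongs next to the store, e.g. `/* Datapath lookup reads this locklessly; clearing only stops new users, RCU covers readers that already hold the pointer. */`. The same comment is missing from the matching `READ_ONCE()`/`WRITE_ONCE()` pair in the ip_tunnel patch (`ip_tunnel_lookup()` / `ip_tunnel_uninit()`). I would also parenthesise the flag test as `if (ndev && (ndev->flags & IFF_UP))`. Both functions start outside the hunks shown.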
diff --git a/queue-4.4/ip_tunnel-fix-use-after-free-in-ip_tunnel_lookup.patch b/queue-4.4/ip_tunnel-fix-use-after-free-in-ip_tunnel_lookup.patch
new file mode 100644 (file)
index 0000000..dc3d277
--- /dev/null
@@ -0,0 +1,117 @@
+From foo@baz Sun 28 Jun 2020 05:06:04 PM CEST
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Tue, 16 Jun 2020 16:51:51 +0000
+Subject: ip_tunnel: fix use-after-free in ip_tunnel_lookup()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit ba61539c6ae57f4146284a5cb4f7b7ed8d42bf45 ]
+
+In the datapath, the ip_tunnel_lookup() is used and it internally uses
+fallback tunnel device pointer, which is fb_tunnel_dev.
+This pointer variable should be set to NULL when a fb interface is deleted.
+But there is no routine to set fb_tunnel_dev pointer to NULL.
+So, this pointer will be still used after interface is deleted and
+it eventually results in the use-after-free problem.
+
+Test commands:
+    ip netns add A
+    ip netns add B
+    ip link add eth0 type veth peer name eth1
+    ip link set eth0 netns A
+    ip link set eth1 netns B
+
+    ip netns exec A ip link set lo up
+    ip netns exec A ip link set eth0 up
+    ip netns exec A ip link add gre1 type gre local 10.0.0.1 \
+           remote 10.0.0.2
+    ip netns exec A ip link set gre1 up
+    ip netns exec A ip a a 10.0.100.1/24 dev gre1
+    ip netns exec A ip a a 10.0.0.1/24 dev eth0
+
+    ip netns exec B ip link set lo up
+    ip netns exec B ip link set eth1 up
+    ip netns exec B ip link add gre1 type gre local 10.0.0.2 \
+           remote 10.0.0.1
+    ip netns exec B ip link set gre1 up
+    ip netns exec B ip a a 10.0.100.2/24 dev gre1
+    ip netns exec B ip a a 10.0.0.2/24 dev eth1
+    ip netns exec A hping3 10.0.100.2 -2 --flood -d 60000 &
+    ip netns del B
+
+Splat looks like:
+[   77.793450][    C3] ==================================================================
+[   77.794702][    C3] BUG: KASAN: use-after-free in ip_tunnel_lookup+0xcc4/0xf30
+[   77.795573][    C3] Read of size 4 at addr ffff888060bd9c84 by task hping3/2905
+[   77.796398][    C3]
+[   77.796664][    C3] CPU: 3 PID: 2905 Comm: hping3 Not tainted 5.8.0-rc1+ #616
+[   77.797474][    C3] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[   77.798453][    C3] Call Trace:
+[   77.798815][    C3]  <IRQ>
+[   77.799142][    C3]  dump_stack+0x9d/0xdb
+[   77.799605][    C3]  print_address_description.constprop.7+0x2cc/0x450
+[   77.800365][    C3]  ? ip_tunnel_lookup+0xcc4/0xf30
+[   77.800908][    C3]  ? ip_tunnel_lookup+0xcc4/0xf30
+[   77.801517][    C3]  ? ip_tunnel_lookup+0xcc4/0xf30
+[   77.802145][    C3]  kasan_report+0x154/0x190
+[   77.802821][    C3]  ? ip_tunnel_lookup+0xcc4/0xf30
+[   77.803503][    C3]  ip_tunnel_lookup+0xcc4/0xf30
+[   77.804165][    C3]  __ipgre_rcv+0x1ab/0xaa0 [ip_gre]
+[   77.804862][    C3]  ? rcu_read_lock_sched_held+0xc0/0xc0
+[   77.805621][    C3]  gre_rcv+0x304/0x1910 [ip_gre]
+[   77.806293][    C3]  ? lock_acquire+0x1a9/0x870
+[   77.806925][    C3]  ? gre_rcv+0xfe/0x354 [gre]
+[   77.807559][    C3]  ? erspan_xmit+0x2e60/0x2e60 [ip_gre]
+[   77.808305][    C3]  ? rcu_read_lock_sched_held+0xc0/0xc0
+[   77.809032][    C3]  ? rcu_read_lock_held+0x90/0xa0
+[   77.809713][    C3]  gre_rcv+0x1b8/0x354 [gre]
+[ ... ]
+
+Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_tunnel.c |   14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -98,9 +98,10 @@ struct ip_tunnel *ip_tunnel_lookup(struc
+                                  __be32 remote, __be32 local,
+                                  __be32 key)
+ {
+-      unsigned int hash;
+       struct ip_tunnel *t, *cand = NULL;
+       struct hlist_head *head;
++      struct net_device *ndev;
++      unsigned int hash;
+       hash = ip_tunnel_hash(key, remote);
+       head = &itn->tunnels[hash];
+@@ -175,8 +176,9 @@ struct ip_tunnel *ip_tunnel_lookup(struc
+       if (t)
+               return t;
+-      if (itn->fb_tunnel_dev && itn->fb_tunnel_dev->flags & IFF_UP)
+-              return netdev_priv(itn->fb_tunnel_dev);
++      ndev = READ_ONCE(itn->fb_tunnel_dev);
++      if (ndev && ndev->flags & IFF_UP)
++              return netdev_priv(ndev);
+       return NULL;
+ }
+@@ -1160,9 +1162,9 @@ void ip_tunnel_uninit(struct net_device
+       struct ip_tunnel_net *itn;
+       itn = net_generic(net, tunnel->ip_tnl_net_id);
+-      /* fb_tunnel_dev will be unregisted in net-exit call. */
+-      if (itn->fb_tunnel_dev != dev)
+-              ip_tunnel_del(itn, netdev_priv(dev));
++      ip_tunnel_del(itn, netdev_priv(dev));
++      if (itn->fb_tunnel_dev == dev)
++              WRITE_ONCE(itn->fb_tunnel_dev, NULL);
+       dst_cache_reset(&tunnel->dst_cache);
+ }
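Review bot: `ip_tunnel_uninit()` now calls `ip_tunnel_del()` for the fallback device as well, and the comment that explained why it used to be skipped is removed without a replacement. For a 4.4 backport it is worth confirming that the net-exit path, which the old comment said unregisters `fb_tunnel_dev`, does not depend on the fallback tunnel still being hashed when uninit runs; that path is not visible here. A short comment would record the new rule: `/* The fallback device is unhashed here too; clear fb_tunnel_dev so ip_tunnel_lookup() stops returning it. */`. The function body starts outside the hunk.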
diff --git a/queue-4.4/mld-fix-memory-leak-in-ipv6_mc_destroy_dev.patch b/queue-4.4/mld-fix-memory-leak-in-ipv6_mc_destroy_dev.patch
new file mode 100644 (file)
index 0000000..6c14199
--- /dev/null
@@ -0,0 +1,57 @@
+From foo@baz Sun 28 Jun 2020 05:06:04 PM CEST
+From: Wang Hai <wanghai38@huawei.com>
+Date: Thu, 11 Jun 2020 15:57:50 +0800
+Subject: mld: fix memory leak in ipv6_mc_destroy_dev()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit ea2fce88d2fd678ed9d45354ff49b73f1d5615dd ]
+
+Commit a84d01647989 ("mld: fix memory leak in mld_del_delrec()") fixed
+the memory leak of MLD, but missing the ipv6_mc_destroy_dev() path, in
+which mca_sources are leaked after ma_put().
+
+Using ip6_mc_clear_src() to take care of the missing free.
+
+BUG: memory leak
+unreferenced object 0xffff8881113d3180 (size 64):
+  comm "syz-executor071", pid 389, jiffies 4294887985 (age 17.943s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 ff 02 00 00 00 00 00 00  ................
+    00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<000000002cbc483c>] kmalloc include/linux/slab.h:555 [inline]
+    [<000000002cbc483c>] kzalloc include/linux/slab.h:669 [inline]
+    [<000000002cbc483c>] ip6_mc_add1_src net/ipv6/mcast.c:2237 [inline]
+    [<000000002cbc483c>] ip6_mc_add_src+0x7f5/0xbb0 net/ipv6/mcast.c:2357
+    [<0000000058b8b1ff>] ip6_mc_source+0xe0c/0x1530 net/ipv6/mcast.c:449
+    [<000000000bfc4fb5>] do_ipv6_setsockopt.isra.12+0x1b2c/0x3b30 net/ipv6/ipv6_sockglue.c:754
+    [<00000000e4e7a722>] ipv6_setsockopt+0xda/0x150 net/ipv6/ipv6_sockglue.c:950
+    [<0000000029260d9a>] rawv6_setsockopt+0x45/0x100 net/ipv6/raw.c:1081
+    [<000000005c1b46f9>] __sys_setsockopt+0x131/0x210 net/socket.c:2132
+    [<000000008491f7db>] __do_sys_setsockopt net/socket.c:2148 [inline]
+    [<000000008491f7db>] __se_sys_setsockopt net/socket.c:2145 [inline]
+    [<000000008491f7db>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2145
+    [<00000000c7bc11c5>] do_syscall_64+0xa1/0x530 arch/x86/entry/common.c:295
+    [<000000005fb7a3f3>] entry_SYSCALL_64_after_hwframe+0x49/0xb3
+
+Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when set link down")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Acked-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/mcast.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -2580,6 +2580,7 @@ void ipv6_mc_destroy_dev(struct inet6_de
+               write_unlock_bh(&idev->lock);
+               igmp6_group_dropped(i);
++              ip6_mc_clear_src(i);
+               ma_put(i);
+               write_lock_bh(&idev->lock);
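Review bot: The new `ip6_mc_clear_src(i)` call carries an ordering requirement that is not stated: it has to run before `ma_put(i)`, since the commit message describes the sources as leaked once `ma_put()` has been called, and `ma_put()` may drop the last reference to `i` (inferred; its body is not shown). A one-line comment such as `/* free the source lists before ma_put() can release i */` would keep a later reshuffle from turning the leak fix into a use after free. The call also sits between `write_unlock_bh()` and `write_lock_bh()`, so it runs without `idev->lock`; confirm that nothing else can reach `i`'s source lists at this point in the 4.4 tree. The loop this belongs to starts outside the hunk.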
diff --git a/queue-4.4/net-core-reduce-recursion-limit-value.patch b/queue-4.4/net-core-reduce-recursion-limit-value.patch
new file mode 100644 (file)
index 0000000..b20db9d
--- /dev/null
@@ -0,0 +1,81 @@
+From foo@baz Sun 28 Jun 2020 05:06:04 PM CEST
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Tue, 16 Jun 2020 15:52:05 +0000
+Subject: net: core: reduce recursion limit value
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit fb7861d14c8d7edac65b2fcb6e8031cb138457b2 ]
+
+In the current code, ->ndo_start_xmit() can be executed recursively only
+10 times because of stack memory.
+But, in the case of the vxlan, 10 recursion limit value results in
+a stack overflow.
+In the current code, the nested interface is limited by 8 depth.
+There is no critical reason that the recursion limitation value should
+be 10.
+So, it would be good to be the same value with the limitation value of
+nesting interface depth.
+
+Test commands:
+    ip link add vxlan10 type vxlan vni 10 dstport 4789 srcport 4789 4789
+    ip link set vxlan10 up
+    ip a a 192.168.10.1/24 dev vxlan10
+    ip n a 192.168.10.2 dev vxlan10 lladdr fc:22:33:44:55:66 nud permanent
+
+    for i in {9..0}
+    do
+        let A=$i+1
+       ip link add vxlan$i type vxlan vni $i dstport 4789 srcport 4789 4789
+       ip link set vxlan$i up
+       ip a a 192.168.$i.1/24 dev vxlan$i
+       ip n a 192.168.$i.2 dev vxlan$i lladdr fc:22:33:44:55:66 nud permanent
+       bridge fdb add fc:22:33:44:55:66 dev vxlan$A dst 192.168.$i.2 self
+    done
+    hping3 192.168.10.2 -2 -d 60000
+
+Splat looks like:
+[  103.814237][ T1127] =============================================================================
+[  103.871955][ T1127] BUG kmalloc-2k (Tainted: G    B            ): Padding overwritten. 0x00000000897a2e4f-0x000
+[  103.873187][ T1127] -----------------------------------------------------------------------------
+[  103.873187][ T1127]
+[  103.874252][ T1127] INFO: Slab 0x000000005cccc724 objects=5 used=5 fp=0x0000000000000000 flags=0x10000000001020
+[  103.881323][ T1127] CPU: 3 PID: 1127 Comm: hping3 Tainted: G    B             5.7.0+ #575
+[  103.882131][ T1127] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[  103.883006][ T1127] Call Trace:
+[  103.883324][ T1127]  dump_stack+0x96/0xdb
+[  103.883716][ T1127]  slab_err+0xad/0xd0
+[  103.884106][ T1127]  ? _raw_spin_unlock+0x1f/0x30
+[  103.884620][ T1127]  ? get_partial_node.isra.78+0x140/0x360
+[  103.885214][ T1127]  slab_pad_check.part.53+0xf7/0x160
+[  103.885769][ T1127]  ? pskb_expand_head+0x110/0xe10
+[  103.886316][ T1127]  check_slab+0x97/0xb0
+[  103.886763][ T1127]  alloc_debug_processing+0x84/0x1a0
+[  103.887308][ T1127]  ___slab_alloc+0x5a5/0x630
+[  103.887765][ T1127]  ? pskb_expand_head+0x110/0xe10
+[  103.888265][ T1127]  ? lock_downgrade+0x730/0x730
+[  103.888762][ T1127]  ? pskb_expand_head+0x110/0xe10
+[  103.889244][ T1127]  ? __slab_alloc+0x3e/0x80
+[  103.889675][ T1127]  __slab_alloc+0x3e/0x80
+[  103.890108][ T1127]  __kmalloc_node_track_caller+0xc7/0x420
+[ ... ]
+
+Fixes: 11a766ce915f ("net: Increase xmit RECURSION_LIMIT to 10.")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3017,7 +3017,7 @@ static void skb_update_prio(struct sk_bu
+ DEFINE_PER_CPU(int, xmit_recursion);
+ EXPORT_SYMBOL(xmit_recursion);
+-#define RECURSION_LIMIT 10
++#define RECURSION_LIMIT 8
+ /**
+  *    dev_loopback_xmit - loop back @skb
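Review bot: `RECURSION_LIMIT` is still a bare literal, although the commit message justifies the value 8 by the nested-interface depth limit. Nothing in the code ties the two together, so a later change to one can silently diverge from the other and bring back the stack overflow described above. I would add a comment above the define, for example `/* Must not exceed the maximum nested device depth; 10 overflowed the stack with stacked vxlan. */`, or express it in terms of the nesting constant if one is in scope in this tree.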
diff --git a/queue-4.4/net-do-not-clear-the-sock-tx-queue-in-sk_set_socket.patch b/queue-4.4/net-do-not-clear-the-sock-tx-queue-in-sk_set_socket.patch
new file mode 100644 (file)
index 0000000..d00fa98
--- /dev/null
@@ -0,0 +1,57 @@
+From foo@baz Sun 28 Jun 2020 02:29:11 PM CEST
+From: Tariq Toukan <tariqt@mellanox.com>
+Date: Mon, 22 Jun 2020 23:26:04 +0300
+Subject: net: Do not clear the sock TX queue in sk_set_socket()
+
+From: Tariq Toukan <tariqt@mellanox.com>
+
+[ Upstream commit 41b14fb8724d5a4b382a63cb4a1a61880347ccb8 ]
+
+Clearing the sock TX queue in sk_set_socket() might cause unexpected
+out-of-order transmit when called from sock_orphan(), as outstanding
+packets can pick a different TX queue and bypass the ones already queued.
+
+This is undesired in general. More specifically, it breaks the in-order
+scheduling property guarantee for device-offloaded TLS sockets.
+
+Remove the call to sk_tx_queue_clear() in sk_set_socket(), and add it
+explicitly only where needed.
+
+Fixes: e022f0b4a03f ("net: Introduce sk_tx_queue_mapping")
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Reviewed-by: Boris Pismenny <borisp@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sock.h |    1 -
+ net/core/sock.c    |    2 ++
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1678,7 +1678,6 @@ static inline int sk_tx_queue_get(const
+ static inline void sk_set_socket(struct sock *sk, struct socket *sock)
+ {
+-      sk_tx_queue_clear(sk);
+       sk->sk_socket = sock;
+ }
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1435,6 +1435,7 @@ struct sock *sk_alloc(struct net *net, i
+               sock_update_classid(sk);
+               sock_update_netprioidx(sk);
++              sk_tx_queue_clear(sk);
+       }
+       return sk;
+@@ -1601,6 +1602,7 @@ struct sock *sk_clone_lock(const struct
+                */
+               sk_refcnt_debug_inc(newsk);
+               sk_set_socket(newsk, NULL);
++              sk_tx_queue_clear(newsk);
+               newsk->sk_wq = NULL;
+               sk_update_clone(sk, newsk);
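Review bot: `sk_set_socket()` loses a side effect that callers may have relied on, and the inline in `include/net/sock.h` gives no hint of it. After this change only `sk_alloc()` and `sk_clone_lock()` reset the TX queue mapping; any other 4.4 caller of `sk_set_socket()` that needed the reset would have to call `sk_tx_queue_clear()` itself, which cannot be checked from these hunks. A comment on the inline, such as `/* Does not touch the TX queue mapping; clearing it here reordered in-flight packets when called from sock_orphan(). */`, would document the contract. `sk_alloc()` and `sk_clone_lock()` both extend beyond the hunks.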
diff --git a/queue-4.4/net-fix-memleak-in-register_netdevice.patch b/queue-4.4/net-fix-memleak-in-register_netdevice.patch
new file mode 100644 (file)
index 0000000..cd73717
--- /dev/null
@@ -0,0 +1,87 @@
+From foo@baz Sun 28 Jun 2020 05:06:04 PM CEST
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Tue, 16 Jun 2020 09:39:21 +0000
+Subject: net: fix memleak in register_netdevice()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 814152a89ed52c722ab92e9fbabcac3cb8a39245 ]
+
+I got a memleak report when doing some fuzz test:
+
+unreferenced object 0xffff888112584000 (size 13599):
+  comm "ip", pid 3048, jiffies 4294911734 (age 343.491s)
+  hex dump (first 32 bytes):
+    74 61 70 30 00 00 00 00 00 00 00 00 00 00 00 00  tap0............
+    00 ee d9 19 81 88 ff ff 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<000000002f60ba65>] __kmalloc_node+0x309/0x3a0
+    [<0000000075b211ec>] kvmalloc_node+0x7f/0xc0
+    [<00000000d3a97396>] alloc_netdev_mqs+0x76/0xfc0
+    [<00000000609c3655>] __tun_chr_ioctl+0x1456/0x3d70
+    [<000000001127ca24>] ksys_ioctl+0xe5/0x130
+    [<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0
+    [<00000000e1023498>] do_syscall_64+0x56/0xa0
+    [<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+unreferenced object 0xffff888111845cc0 (size 8):
+  comm "ip", pid 3048, jiffies 4294911734 (age 343.491s)
+  hex dump (first 8 bytes):
+    74 61 70 30 00 88 ff ff                          tap0....
+  backtrace:
+    [<000000004c159777>] kstrdup+0x35/0x70
+    [<00000000d8b496ad>] kstrdup_const+0x3d/0x50
+    [<00000000494e884a>] kvasprintf_const+0xf1/0x180
+    [<0000000097880a2b>] kobject_set_name_vargs+0x56/0x140
+    [<000000008fbdfc7b>] dev_set_name+0xab/0xe0
+    [<000000005b99e3b4>] netdev_register_kobject+0xc0/0x390
+    [<00000000602704fe>] register_netdevice+0xb61/0x1250
+    [<000000002b7ca244>] __tun_chr_ioctl+0x1cd1/0x3d70
+    [<000000001127ca24>] ksys_ioctl+0xe5/0x130
+    [<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0
+    [<00000000e1023498>] do_syscall_64+0x56/0xa0
+    [<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+unreferenced object 0xffff88811886d800 (size 512):
+  comm "ip", pid 3048, jiffies 4294911734 (age 343.491s)
+  hex dump (first 32 bytes):
+    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
+    ff ff ff ff ff ff ff ff c0 66 3d a3 ff ff ff ff  .........f=.....
+  backtrace:
+    [<0000000050315800>] device_add+0x61e/0x1950
+    [<0000000021008dfb>] netdev_register_kobject+0x17e/0x390
+    [<00000000602704fe>] register_netdevice+0xb61/0x1250
+    [<000000002b7ca244>] __tun_chr_ioctl+0x1cd1/0x3d70
+    [<000000001127ca24>] ksys_ioctl+0xe5/0x130
+    [<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0
+    [<00000000e1023498>] do_syscall_64+0x56/0xa0
+    [<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+If call_netdevice_notifiers() failed, then rollback_registered()
+calls netdev_unregister_kobject() which holds the kobject. The
+reference cannot be put because the netdev won't be add to todo
+list, so it will leads a memleak, we need put the reference to
+avoid memleak.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -6840,6 +6840,13 @@ int register_netdevice(struct net_device
+               rcu_barrier();
+               dev->reg_state = NETREG_UNREGISTERED;
++              /* We should put the kobject that hold in
++               * netdev_unregister_kobject(), otherwise
++               * the net device cannot be freed when
++               * driver calls free_netdev(), because the
++               * kobject is being hold.
++               */
++              kobject_put(&dev->dev.kobj);
+       }
+       /*
+        *      Prevent userspace races by waiting until the network
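Review bot: The comment added above `kobject_put(&dev->dev.kobj)` is hard to parse ("that hold in", "is being hold") and does not say why this error path is special. Going by the commit message, the reference is the one taken in `netdev_unregister_kobject()`, and it is not dropped here because the device never gets onto the todo list. I would reword it to `/* Drop the kobject reference taken by netdev_unregister_kobject(); the device never reaches the todo list on this path, so free_netdev() could not release it otherwise. */`. The enclosing error branch starts outside the hunk.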
diff --git a/queue-4.4/net-fix-the-arp-error-in-some-cases.patch b/queue-4.4/net-fix-the-arp-error-in-some-cases.patch
new file mode 100644 (file)
index 0000000..0bdac8e
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Sun 28 Jun 2020 02:29:11 PM CEST
+From: guodeqing <geffrey.guo@huawei.com>
+Date: Wed, 17 Jun 2020 10:07:16 +0800
+Subject: net: Fix the arp error in some cases
+
+From: guodeqing <geffrey.guo@huawei.com>
+
+[ Upstream commit 5eea3a63ff4aba6a26002e657a6d21934b7e2b96 ]
+
+ie.,
+$ ifconfig eth0 6.6.6.6 netmask 255.255.255.0
+
+$ ip rule add from 6.6.6.6 table 6666
+
+$ ip route add 9.9.9.9 via 6.6.6.6
+
+$ ping -I 6.6.6.6 9.9.9.9
+PING 9.9.9.9 (9.9.9.9) from 6.6.6.6 : 56(84) bytes of data.
+
+3 packets transmitted, 0 received, 100% packet loss, time 2079ms
+
+$ arp
+Address     HWtype  HWaddress           Flags Mask            Iface
+6.6.6.6             (incomplete)                              eth0
+
+The arp request address is error, this is because fib_table_lookup in
+fib_check_nh lookup the destnation 9.9.9.9 nexthop, the scope of
+the fib result is RT_SCOPE_LINK,the correct scope is RT_SCOPE_HOST.
+Here I add a check of whether this is RT_TABLE_MAIN to solve this problem.
+
+Fixes: 3bfd847203c6 ("net: Use passed in table for nexthop lookups")
+Signed-off-by: guodeqing <geffrey.guo@huawei.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/fib_semantics.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -776,7 +776,7 @@ static int fib_check_nh(struct fib_confi
+                       if (fl4.flowi4_scope < RT_SCOPE_LINK)
+                               fl4.flowi4_scope = RT_SCOPE_LINK;
+-                      if (cfg->fc_table)
++                      if (cfg->fc_table && cfg->fc_table != RT_TABLE_MAIN)
+                               tbl = fib_get_table(net, cfg->fc_table);
+                       if (tbl)
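Review bot: The new `cfg->fc_table != RT_TABLE_MAIN` test has no comment, and the reason for it exists only in the commit message. With the main table excluded, `tbl` is not assigned here and the code takes whatever the branch opposite `if (tbl)` does, which is outside the hunk; presumably that is the rule-aware lookup the fix wants. A comment such as `/* For the main table use the full lookup so policy rules are honoured. */` would make the intent visible, with the wording to be confirmed against that branch. `fib_check_nh()` begins and ends outside the hunk.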
diff --git a/queue-4.4/net-usb-ax88179_178a-fix-packet-alignment-padding.patch b/queue-4.4/net-usb-ax88179_178a-fix-packet-alignment-padding.patch
new file mode 100644 (file)
index 0000000..f4d84de
--- /dev/null
@@ -0,0 +1,69 @@
+From foo@baz Sun 28 Jun 2020 05:06:04 PM CEST
+From: Jeremy Kerr <jk@ozlabs.org>
+Date: Mon, 15 Jun 2020 10:54:56 +0800
+Subject: net: usb: ax88179_178a: fix packet alignment padding
+
+From: Jeremy Kerr <jk@ozlabs.org>
+
+[ Upstream commit e869e7a17798d85829fa7d4f9bbe1eebd4b2d3f6 ]
+
+Using a AX88179 device (0b95:1790), I see two bytes of appended data on
+every RX packet. For example, this 48-byte ping, using 0xff as a
+payload byte:
+
+  04:20:22.528472 IP 192.168.1.1 > 192.168.1.2: ICMP echo request, id 2447, seq 1, length 64
+       0x0000:  000a cd35 ea50 000a cd35 ea4f 0800 4500
+       0x0010:  0054 c116 4000 4001 f63e c0a8 0101 c0a8
+       0x0020:  0102 0800 b633 098f 0001 87ea cd5e 0000
+       0x0030:  0000 dcf2 0600 0000 0000 ffff ffff ffff
+       0x0040:  ffff ffff ffff ffff ffff ffff ffff ffff
+       0x0050:  ffff ffff ffff ffff ffff ffff ffff ffff
+       0x0060:  ffff 961f
+
+Those last two bytes - 96 1f - aren't part of the original packet.
+
+In the ax88179 RX path, the usbnet rx_fixup function trims a 2-byte
+'alignment pseudo header' from the start of the packet, and sets the
+length from a per-packet field populated by hardware. It looks like that
+length field *includes* the 2-byte header; the current driver assumes
+that it's excluded.
+
+This change trims the 2-byte alignment header after we've set the packet
+length, so the resulting packet length is correct. While we're moving
+the comment around, this also fixes the spelling of 'pseudo'.
+
+Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/ax88179_178a.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/usb/ax88179_178a.c
++++ b/drivers/net/usb/ax88179_178a.c
+@@ -1396,10 +1396,10 @@ static int ax88179_rx_fixup(struct usbne
+               }
+               if (pkt_cnt == 0) {
+-                      /* Skip IP alignment psudo header */
+-                      skb_pull(skb, 2);
+                       skb->len = pkt_len;
+-                      skb_set_tail_pointer(skb, pkt_len);
++                      /* Skip IP alignment pseudo header */
++                      skb_pull(skb, 2);
++                      skb_set_tail_pointer(skb, skb->len);
+                       skb->truesize = pkt_len + sizeof(struct sk_buff);
+                       ax88179_rx_checksum(skb, pkt_hdr);
+                       return 1;
+@@ -1408,8 +1408,9 @@ static int ax88179_rx_fixup(struct usbne
+               ax_skb = skb_clone(skb, GFP_ATOMIC);
+               if (ax_skb) {
+                       ax_skb->len = pkt_len;
+-                      ax_skb->data = skb->data + 2;
+-                      skb_set_tail_pointer(ax_skb, pkt_len);
++                      /* Skip IP alignment pseudo header */
++                      skb_pull(ax_skb, 2);
++                      skb_set_tail_pointer(ax_skb, ax_skb->len);
+                       ax_skb->truesize = pkt_len + sizeof(struct sk_buff);
+                       ax88179_rx_checksum(ax_skb, pkt_hdr);
+                       usbnet_skb_return(dev, ax_skb);
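Review bot: `pkt_len` is still trusted as it arrives from the device in both branches of `ax88179_rx_fixup()`: it is written straight into `skb->len` / `ax_skb->len`, and the result of `skb_pull(..., 2)` is not checked. The commit message says this field is populated by hardware, so a value below 2 or larger than the data actually received would leave the length and tail pointer describing bytes outside the receive buffer; no bounds check is visible in these hunks, though one may exist earlier in the function. If there is none, a guard ahead of the assignments, e.g. `if (pkt_len < 2 || pkt_len > skb->len) return 0;`, would reject such a frame (the return value follows the usbnet drop convention as I understand it; confirm against the rest of the function). The function starts and ends outside the hunks.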
diff --git a/queue-4.4/sctp-don-t-advertise-ipv4-addresses-if-ipv6only-is-set-on-the-socket.patch b/queue-4.4/sctp-don-t-advertise-ipv4-addresses-if-ipv6only-is-set-on-the-socket.patch
new file mode 100644 (file)
index 0000000..777a4e8
--- /dev/null
@@ -0,0 +1,86 @@
+From foo@baz Sun 28 Jun 2020 04:14:51 PM CEST
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Wed, 24 Jun 2020 17:34:18 -0300
+Subject: sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit 471e39df96b9a4c4ba88a2da9e25a126624d7a9c ]
+
+If a socket is set ipv6only, it will still send IPv4 addresses in the
+INIT and INIT_ACK packets. This potentially misleads the peer into using
+them, which then would cause association termination.
+
+The fix is to not add IPv4 addresses to ipv6only sockets.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Tested-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sctp/constants.h |    8 +++++---
+ net/sctp/associola.c         |    5 ++++-
+ net/sctp/bind_addr.c         |    1 +
+ net/sctp/protocol.c          |    1 +
+ 4 files changed, 11 insertions(+), 4 deletions(-)
+
+--- a/include/net/sctp/constants.h
++++ b/include/net/sctp/constants.h
+@@ -357,11 +357,13 @@ typedef enum {
+        ipv4_is_anycast_6to4(a))
+ /* Flags used for the bind address copy functions.  */
+-#define SCTP_ADDR6_ALLOWED    0x00000001      /* IPv6 address is allowed by
++#define SCTP_ADDR4_ALLOWED    0x00000001      /* IPv4 address is allowed by
+                                                  local sock family */
+-#define SCTP_ADDR4_PEERSUPP   0x00000002      /* IPv4 address is supported by
++#define SCTP_ADDR6_ALLOWED    0x00000002      /* IPv6 address is allowed by
++                                                 local sock family */
++#define SCTP_ADDR4_PEERSUPP   0x00000004      /* IPv4 address is supported by
+                                                  peer */
+-#define SCTP_ADDR6_PEERSUPP   0x00000004      /* IPv6 address is supported by
++#define SCTP_ADDR6_PEERSUPP   0x00000008      /* IPv6 address is supported by
+                                                  peer */
+ /* Reasons to retransmit. */
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -1575,12 +1575,15 @@ void sctp_assoc_rwnd_decrease(struct sct
+ int sctp_assoc_set_bind_addr_from_ep(struct sctp_association *asoc,
+                                    sctp_scope_t scope, gfp_t gfp)
+ {
++      struct sock *sk = asoc->base.sk;
+       int flags;
+       /* Use scoping rules to determine the subset of addresses from
+        * the endpoint.
+        */
+-      flags = (PF_INET6 == asoc->base.sk->sk_family) ? SCTP_ADDR6_ALLOWED : 0;
++      flags = (PF_INET6 == sk->sk_family) ? SCTP_ADDR6_ALLOWED : 0;
++      if (!inet_v6_ipv6only(sk))
++              flags |= SCTP_ADDR4_ALLOWED;
+       if (asoc->peer.ipv4_address)
+               flags |= SCTP_ADDR4_PEERSUPP;
+       if (asoc->peer.ipv6_address)
+--- a/net/sctp/bind_addr.c
++++ b/net/sctp/bind_addr.c
+@@ -449,6 +449,7 @@ static int sctp_copy_one_addr(struct net
+                * well as the remote peer.
+                */
+               if ((((AF_INET == addr->sa.sa_family) &&
++                    (flags & SCTP_ADDR4_ALLOWED) &&
+                     (flags & SCTP_ADDR4_PEERSUPP))) ||
+                   (((AF_INET6 == addr->sa.sa_family) &&
+                     (flags & SCTP_ADDR6_ALLOWED) &&
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -210,6 +210,7 @@ int sctp_copy_local_addr_list(struct net
+                        * sock as well as the remote peer.
+                        */
+                       if ((((AF_INET == addr->a.sa.sa_family) &&
++                            (copy_flags & SCTP_ADDR4_ALLOWED) &&
+                             (copy_flags & SCTP_ADDR4_PEERSUPP))) ||
+                           (((AF_INET6 == addr->a.sa.sa_family) &&
+                             (copy_flags & SCTP_ADDR6_ALLOWED) &&
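Review bot: In `sctp_copy_one_addr()` (net/sctp/bind_addr.c) and `sctp_copy_local_addr_list()` (net/sctp/protocol.c) an AF_INET address now passes the test only when `SCTP_ADDR4_ALLOWED` is set, but the only place this patch sets that bit is `sctp_assoc_set_bind_addr_from_ep()`. Any other caller in the 4.4 tree that builds these flags would silently lose its IPv4 addresses, and the renumbering in constants.h changes the values of the three existing flags, so the backport should be checked for callers that are not in this diff. The new requirement is also not stated at the definitions; I would extend the comment there to `/* Flags used for the bind address copy functions. An IPv4 address is copied only if both SCTP_ADDR4_ALLOWED and SCTP_ADDR4_PEERSUPP are set. */`. All three functions start or end outside their hunks.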
index 28f80f993765c7e3bd759ed66bd23f8aa797e575..afd327745d96c1cd44446b20a17d91f49eb24bf5 100644 (file)
@@ -79,3 +79,15 @@ scsi-scsi_devinfo-handle-non-terminated-strings.patch
 l2tp-allow-duplicate-session-creation-with-udp.patch
 net-sched-export-__netdev_watchdog_up.patch
 fix-a-braino-in-sparc32-fix-register-window-handling.patch
+net-fix-memleak-in-register_netdevice.patch
+net-usb-ax88179_178a-fix-packet-alignment-padding.patch
+tg3-driver-sleeps-indefinitely-when-eeh-errors-exceed-eeh_max_freezes.patch
+ip_tunnel-fix-use-after-free-in-ip_tunnel_lookup.patch
+tcp_cubic-fix-spurious-hystart_delay-exit-upon-drop-in-min-rtt.patch
+ip6_gre-fix-use-after-free-in-ip6gre_tunnel_lookup.patch
+tcp-grow-window-for-ooo-packets-only-for-sack-flows.patch
+sctp-don-t-advertise-ipv4-addresses-if-ipv6only-is-set-on-the-socket.patch
+net-fix-the-arp-error-in-some-cases.patch
+net-do-not-clear-the-sock-tx-queue-in-sk_set_socket.patch
+net-core-reduce-recursion-limit-value.patch
+mld-fix-memory-leak-in-ipv6_mc_destroy_dev.patch
diff --git a/queue-4.4/tcp-grow-window-for-ooo-packets-only-for-sack-flows.patch b/queue-4.4/tcp-grow-window-for-ooo-packets-only-for-sack-flows.patch
new file mode 100644 (file)
index 0000000..3172209
--- /dev/null
@@ -0,0 +1,94 @@
+From foo@baz Sun 28 Jun 2020 04:14:51 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 15 Jun 2020 20:37:07 -0700
+Subject: tcp: grow window for OOO packets only for SACK flows
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 662051215c758ae8545451628816204ed6cd372d ]
+
+Back in 2013, we made a change that broke fast retransmit
+for non SACK flows.
+
+Indeed, for these flows, a sender needs to receive three duplicate
+ACK before starting fast retransmit. Sending ACK with different
+receive window do not count.
+
+Even if enabling SACK is strongly recommended these days,
+there still are some cases where it has to be disabled.
+
+Not increasing the window seems better than having to
+rely on RTO.
+
+After the fix, following packetdrill test gives :
+
+// Initialize connection
+    0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+   +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+   +0 bind(3, ..., ...) = 0
+   +0 listen(3, 1) = 0
+
+   +0 < S 0:0(0) win 32792 <mss 1000,nop,wscale 7>
+   +0 > S. 0:0(0) ack 1 <mss 1460,nop,wscale 8>
+   +0 < . 1:1(0) ack 1 win 514
+
+   +0 accept(3, ..., ...) = 4
+
+   +0 < . 1:1001(1000) ack 1 win 514
+// Quick ack
+   +0 > . 1:1(0) ack 1001 win 264
+
+   +0 < . 2001:3001(1000) ack 1 win 514
+// DUPACK : Normally we should not change the window
+   +0 > . 1:1(0) ack 1001 win 264
+
+   +0 < . 3001:4001(1000) ack 1 win 514
+// DUPACK : Normally we should not change the window
+   +0 > . 1:1(0) ack 1001 win 264
+
+   +0 < . 4001:5001(1000) ack 1 win 514
+// DUPACK : Normally we should not change the window
+    +0 > . 1:1(0) ack 1001 win 264
+
+   +0 < . 1001:2001(1000) ack 1 win 514
+// Hole is repaired.
+   +0 > . 1:1(0) ack 5001 win 272
+
+Fixes: 4e4f1fc22681 ("tcp: properly increase rcv_ssthresh for ofo packets")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -4465,7 +4465,11 @@ static void tcp_data_queue_ofo(struct so
+       if (tcp_ooo_try_coalesce(sk, tp->ooo_last_skb,
+                                skb, &fragstolen)) {
+ coalesce_done:
+-              tcp_grow_window(sk, skb);
++              /* For non sack flows, do not grow window to force DUPACK
++               * and trigger fast retransmit.
++               */
++              if (tcp_is_sack(tp))
++                      tcp_grow_window(sk, skb);
+               kfree_skb_partial(skb, fragstolen);
+               skb = NULL;
+               goto add_sack;
+@@ -4545,7 +4549,11 @@ add_sack:
+               tcp_sack_new_ofo_skb(sk, seq, end_seq);
+ end:
+       if (skb) {
+-              tcp_grow_window(sk, skb);
++              /* For non sack flows, do not grow window to force DUPACK
++               * and trigger fast retransmit.
++               */
++              if (tcp_is_sack(tp))
++                      tcp_grow_window(sk, skb);
+               skb_set_owner_r(skb, sk);
+       }
+ }
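Review bot: The comment added at both `coalesce_done:` and `end:` in `tcp_data_queue_ofo()` is ambiguous, because "do not grow window to force DUPACK" can be read either as "leave the window alone so that a DUPACK results" or as "do not grow the window for the purpose of forcing a DUPACK". Per the commit message, an ACK carrying a different receive window does not count as a duplicate ACK for a non-SACK sender, so the window is left unchanged to keep fast retransmit working. I would word it as `/* Non-SACK flows: leave the window unchanged so this ACK counts as a duplicate ACK and the sender can start fast retransmit. */`. The same comment and `tcp_is_sack(tp)` check appear twice, so a small static helper would keep the two sites in step. The function starts outside both hunks.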
diff --git a/queue-4.4/tcp_cubic-fix-spurious-hystart_delay-exit-upon-drop-in-min-rtt.patch b/queue-4.4/tcp_cubic-fix-spurious-hystart_delay-exit-upon-drop-in-min-rtt.patch
new file mode 100644 (file)
index 0000000..433d5d5
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Sun 28 Jun 2020 05:06:04 PM CEST
+From: Neal Cardwell <ncardwell@google.com>
+Date: Wed, 24 Jun 2020 12:42:02 -0400
+Subject: tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT
+
+From: Neal Cardwell <ncardwell@google.com>
+
+[ Upstream commit b344579ca8478598937215f7005d6c7b84d28aee ]
+
+Mirja Kuehlewind reported a bug in Linux TCP CUBIC Hystart, where
+Hystart HYSTART_DELAY mechanism can exit Slow Start spuriously on an
+ACK when the minimum rtt of a connection goes down. From inspection it
+is clear from the existing code that this could happen in an example
+like the following:
+
+o The first 8 RTT samples in a round trip are 150ms, resulting in a
+  curr_rtt of 150ms and a delay_min of 150ms.
+
+o The 9th RTT sample is 100ms. The curr_rtt does not change after the
+  first 8 samples, so curr_rtt remains 150ms. But delay_min can be
+  lowered at any time, so delay_min falls to 100ms. The code executes
+  the HYSTART_DELAY comparison between curr_rtt of 150ms and delay_min
+  of 100ms, and the curr_rtt is declared far enough above delay_min to
+  force a (spurious) exit of Slow start.
+
+The fix here is simple: allow every RTT sample in a round trip to
+lower the curr_rtt.
+
+Fixes: ae27e98a5152 ("[TCP] CUBIC v2.3")
+Reported-by: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_cubic.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp_cubic.c
++++ b/net/ipv4/tcp_cubic.c
+@@ -414,6 +414,8 @@ static void hystart_update(struct sock *
+       if (hystart_detect & HYSTART_DELAY) {
+               /* obtain the minimum delay of more than sampling packets */
++              if (ca->curr_rtt > delay)
++                      ca->curr_rtt = delay;
+               if (ca->sample_cnt < HYSTART_MIN_SAMPLES) {
+                       if (ca->curr_rtt == 0 || ca->curr_rtt > delay)
+                               ca->curr_rtt = delay;
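Review bot: After the added clamp `if (ca->curr_rtt > delay) ca->curr_rtt = delay;` in `hystart_update()`, the `ca->curr_rtt > delay` half of the existing test inside the `sample_cnt < HYSTART_MIN_SAMPLES` branch can no longer be true, so only the `curr_rtt == 0` case still does any work there. The inner test could be reduced to `if (ca->curr_rtt == 0)`, which also makes it visible that zero is treated as "no sample yet" (presumably the reset value in this tree, but the reset code is not in the hunk). The existing comment above the clamp no longer describes it; something like `/* track the minimum RTT of this round; every sample may lower curr_rtt */` would match the commit message. The function starts and ends outside the hunk.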
diff --git a/queue-4.4/tg3-driver-sleeps-indefinitely-when-eeh-errors-exceed-eeh_max_freezes.patch b/queue-4.4/tg3-driver-sleeps-indefinitely-when-eeh-errors-exceed-eeh_max_freezes.patch
new file mode 100644 (file)
index 0000000..9e0e76b
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Sun 28 Jun 2020 05:06:04 PM CEST
+From: David Christensen <drc@linux.vnet.ibm.com>
+Date: Wed, 17 Jun 2020 11:51:17 -0700
+Subject: tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes
+
+From: David Christensen <drc@linux.vnet.ibm.com>
+
+[ Upstream commit 3a2656a211caf35e56afc9425e6e518fa52f7fbc ]
+
+The driver function tg3_io_error_detected() calls napi_disable twice,
+without an intervening napi_enable, when the number of EEH errors exceeds
+eeh_max_freezes, resulting in an indefinite sleep while holding rtnl_lock.
+
+Add check for pcierr_recovery which skips code already executed for the
+"Frozen" state.
+
+Signed-off-by: David Christensen <drc@linux.vnet.ibm.com>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/tg3.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -18182,8 +18182,8 @@ static pci_ers_result_t tg3_io_error_det
+       rtnl_lock();
+-      /* We probably don't have netdev yet */
+-      if (!netdev || !netif_running(netdev))
++      /* Could be second call or maybe we don't have netdev yet */
++      if (!netdev || tp->pcierr_recovery || !netif_running(netdev))
+               goto done;
+       /* We needn't recover from permanent error */