efi-fix-null-deref-in-init-error-path.patch
mm-always-release-pages-to-the-buddy-allocator-in-memblock_free_late.patch
revert-usb-ulpi-defer-ulpi_register-on-ulpi_read_id-timeout.patch
+tipc-fix-use-after-free-in-tipc_disc_rcv.patch
+tty-serial-tegra-handle-rx-transfer-in-pio-mode-if-dma-wasn-t-started.patch
+tipc-add-a-missing-case-of-tipc_direct_msg-type.patch
--- /dev/null
+From 8b1e5b0a99f04bda2d6c85ecfe5e68a356c10914 Mon Sep 17 00:00:00 2001
+From: Hoang Le <hoang.h.le@dektech.com.au>
+Date: Thu, 26 Mar 2020 09:50:29 +0700
+Subject: tipc: Add a missing case of TIPC_DIRECT_MSG type
+
+From: Hoang Le <hoang.h.le@dektech.com.au>
+
+commit 8b1e5b0a99f04bda2d6c85ecfe5e68a356c10914 upstream.
+
+In the commit f73b12812a3d
+("tipc: improve throughput between nodes in netns"), we're missing a check
+to handle TIPC_DIRECT_MSG type, it's still using old sending mechanism for
+this message type. So, throughput improvement is not significant as
+expected.
+
+Besides that, when sending a large message with that type, we're also
+handle wrong receiving queue, it should be enqueued in socket receiving
+instead of multicast messages.
+
+Fix this by adding the missing case for TIPC_DIRECT_MSG.
+
+Fixes: f73b12812a3d ("tipc: improve throughput between nodes in netns")
+Reported-by: Tuong Lien <tuong.t.lien@dektech.com.au>
+Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/msg.h | 5 +++++
+ net/tipc/node.c | 3 ++-
+ net/tipc/socket.c | 2 +-
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/msg.h
++++ b/net/tipc/msg.h
+@@ -358,6 +358,11 @@ static inline u32 msg_connected(struct t
+ return msg_type(m) == TIPC_CONN_MSG;
+ }
+
++static inline u32 msg_direct(struct tipc_msg *m)
++{
++ return msg_type(m) == TIPC_DIRECT_MSG;
++}
++
+ static inline u32 msg_errcode(struct tipc_msg *m)
+ {
+ return msg_bits(m, 1, 25, 0xf);
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -1489,7 +1489,8 @@ static void tipc_lxc_xmit(struct net *pe
+ case TIPC_MEDIUM_IMPORTANCE:
+ case TIPC_HIGH_IMPORTANCE:
+ case TIPC_CRITICAL_IMPORTANCE:
+- if (msg_connected(hdr) || msg_named(hdr)) {
++ if (msg_connected(hdr) || msg_named(hdr) ||
++ msg_direct(hdr)) {
+ tipc_loopback_trace(peer_net, list);
+ spin_lock_init(&list->lock);
+ tipc_sk_rcv(peer_net, list);
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -1407,7 +1407,7 @@ static int __tipc_sendmsg(struct socket
+ }
+
+ __skb_queue_head_init(&pkts);
+- mtu = tipc_node_get_mtu(net, dnode, tsk->portid, false);
++ mtu = tipc_node_get_mtu(net, dnode, tsk->portid, true);
+ rc = tipc_msg_build(hdr, m, 0, dlen, mtu, &pkts);
+ if (unlikely(rc != dlen))
+ return rc;
--- /dev/null
+From 31e4ccc99eda8a5a7e6902c98bee6e78ffd3edb9 Mon Sep 17 00:00:00 2001
+From: Tuong Lien <tuong.t.lien@dektech.com.au>
+Date: Tue, 10 Dec 2019 15:21:05 +0700
+Subject: tipc: fix use-after-free in tipc_disc_rcv()
+
+From: Tuong Lien <tuong.t.lien@dektech.com.au>
+
+commit 31e4ccc99eda8a5a7e6902c98bee6e78ffd3edb9 upstream.
+
+In the function 'tipc_disc_rcv()', the 'msg_peer_net_hash()' is called
+to read the header data field but after the message skb has been freed,
+that might result in a garbage value...
+
+This commit fixes it by defining a new local variable to store the data
+first, just like the other header fields' handling.
+
+Fixes: f73b12812a3d ("tipc: improve throughput between nodes in netns")
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: Tuong Lien <tuong.t.lien@dektech.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/discover.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/tipc/discover.c
++++ b/net/tipc/discover.c
+@@ -194,6 +194,7 @@ void tipc_disc_rcv(struct net *net, stru
+ {
+ struct tipc_net *tn = tipc_net(net);
+ struct tipc_msg *hdr = buf_msg(skb);
++ u32 pnet_hash = msg_peer_net_hash(hdr);
+ u16 caps = msg_node_capabilities(hdr);
+ bool legacy = tn->legacy_addr_format;
+ u32 sugg = msg_sugg_node_addr(hdr);
+@@ -245,9 +246,8 @@ void tipc_disc_rcv(struct net *net, stru
+ return;
+ if (!tipc_in_scope(legacy, b->domain, src))
+ return;
+- tipc_node_check_dest(net, src, peer_id, b, caps, signature,
+- msg_peer_net_hash(hdr), &maddr, &respond,
+- &dupl_addr);
++ tipc_node_check_dest(net, src, peer_id, b, caps, signature, pnet_hash,
++ &maddr, &respond, &dupl_addr);
+ if (dupl_addr)
+ disc_dupl_alert(b, src, &maddr);
+ if (!respond)
--- /dev/null
+From 1f69a1273b3f204a9c00dc3bbdcc4afcd0787428 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Sun, 9 Feb 2020 19:44:15 +0300
+Subject: tty: serial: tegra: Handle RX transfer in PIO mode if DMA wasn't started
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit 1f69a1273b3f204a9c00dc3bbdcc4afcd0787428 upstream.
+
+It is possible to get an instant RX timeout or end-of-transfer interrupt
+before RX DMA was started, if transaction is less than 16 bytes. Transfer
+should be handled in PIO mode in this case because DMA can't handle it.
+This patch brings back the original behaviour of the driver that was
+changed by accident by a previous commit, it fixes occasional Bluetooth HW
+initialization failures which I started to notice recently.
+
+Fixes: d5e3fadb7012 ("tty: serial: tegra: Activate RX DMA transfer by request")
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Link: https://lore.kernel.org/r/20200209164415.9632-1-digetx@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/serial-tegra.c | 35 ++++++++++++++++-------------------
+ 1 file changed, 16 insertions(+), 19 deletions(-)
+
+--- a/drivers/tty/serial/serial-tegra.c
++++ b/drivers/tty/serial/serial-tegra.c
+@@ -694,11 +694,22 @@ static void tegra_uart_copy_rx_to_tty(st
+ TEGRA_UART_RX_DMA_BUFFER_SIZE, DMA_TO_DEVICE);
+ }
+
++static void do_handle_rx_pio(struct tegra_uart_port *tup)
++{
++ struct tty_struct *tty = tty_port_tty_get(&tup->uport.state->port);
++ struct tty_port *port = &tup->uport.state->port;
++
++ tegra_uart_handle_rx_pio(tup, port);
++ if (tty) {
++ tty_flip_buffer_push(port);
++ tty_kref_put(tty);
++ }
++}
++
+ static void tegra_uart_rx_buffer_push(struct tegra_uart_port *tup,
+ unsigned int residue)
+ {
+ struct tty_port *port = &tup->uport.state->port;
+- struct tty_struct *tty = tty_port_tty_get(port);
+ unsigned int count;
+
+ async_tx_ack(tup->rx_dma_desc);
+@@ -707,11 +718,7 @@ static void tegra_uart_rx_buffer_push(st
+ /* If we are here, DMA is stopped */
+ tegra_uart_copy_rx_to_tty(tup, port, count);
+
+- tegra_uart_handle_rx_pio(tup, port);
+- if (tty) {
+- tty_flip_buffer_push(port);
+- tty_kref_put(tty);
+- }
++ do_handle_rx_pio(tup);
+ }
+
+ static void tegra_uart_rx_dma_complete(void *args)
+@@ -751,8 +758,10 @@ static void tegra_uart_terminate_rx_dma(
+ {
+ struct dma_tx_state state;
+
+- if (!tup->rx_dma_active)
++ if (!tup->rx_dma_active) {
++ do_handle_rx_pio(tup);
+ return;
++ }
+
+ dmaengine_pause(tup->rx_dma_chan);
+ dmaengine_tx_status(tup->rx_dma_chan, tup->rx_cookie, &state);
+@@ -821,18 +830,6 @@ static void tegra_uart_handle_modem_sign
+ uart_handle_cts_change(&tup->uport, msr & UART_MSR_CTS);
+ }
+
+-static void do_handle_rx_pio(struct tegra_uart_port *tup)
+-{
+- struct tty_struct *tty = tty_port_tty_get(&tup->uport.state->port);
+- struct tty_port *port = &tup->uport.state->port;
+-
+- tegra_uart_handle_rx_pio(tup, port);
+- if (tty) {
+- tty_flip_buffer_push(port);
+- tty_kref_put(tty);
+- }
+-}
+-
+ static irqreturn_t tegra_uart_isr(int irq, void *data)
+ {
+ struct tegra_uart_port *tup = data;
projects / thirdparty / kernel / stable-queue.git / commitdiff
