From 4e31dca55932808b0394e97d827b61b0b195a4e3 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 28 May 2020 14:43:30 +0200 Subject: [PATCH] 4.14-stable patches added patches: ax25-fix-setsockopt-so_bindtodevice.patch net-ipip-fix-wrong-address-family-in-init-error-path.patch net-mlx5-add-command-entry-handling-completion.patch net-mlx5e-update-netdev-txq-on-completions-during-closure.patch net-qrtr-fix-passing-invalid-reference-to-qrtr_local_enqueue.patch net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch net-sched-fix-reporting-the-first-time-use-timestamp.patch r8152-support-additional-microsoft-surface-ethernet-adapter-variant.patch sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch --- .../ax25-fix-setsockopt-so_bindtodevice.patch | 72 ++++++++++++++ ...ng-address-family-in-init-error-path.patch | 31 ++++++ ...dd-command-entry-handling-completion.patch | 96 +++++++++++++++++++ ...ev-txq-on-completions-during-closure.patch | 48 ++++++++++ ...alid-reference-to-qrtr_local_enqueue.patch | 38 ++++++++ ...nteger-overflow-in-ip_idents_reserve.patch | 66 +++++++++++++ ...porting-the-first-time-use-timestamp.patch | 37 +++++++ ...oft-surface-ethernet-adapter-variant.patch | 60 ++++++++++++ ...down-sent-state-and-socket-is-closed.patch | 69 +++++++++++++ queue-4.14/series | 9 ++ 10 files changed, 526 insertions(+) create mode 100644 queue-4.14/ax25-fix-setsockopt-so_bindtodevice.patch create mode 100644 queue-4.14/net-ipip-fix-wrong-address-family-in-init-error-path.patch create mode 100644 queue-4.14/net-mlx5-add-command-entry-handling-completion.patch create mode 100644 queue-4.14/net-mlx5e-update-netdev-txq-on-completions-during-closure.patch create mode 100644 queue-4.14/net-qrtr-fix-passing-invalid-reference-to-qrtr_local_enqueue.patch create mode 100644 queue-4.14/net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch create mode 100644 queue-4.14/net-sched-fix-reporting-the-first-time-use-timestamp.patch create mode 100644 queue-4.14/r8152-support-additional-microsoft-surface-ethernet-adapter-variant.patch create mode 100644 queue-4.14/sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch create mode 100644 queue-4.14/series diff --git a/queue-4.14/ax25-fix-setsockopt-so_bindtodevice.patch b/queue-4.14/ax25-fix-setsockopt-so_bindtodevice.patch new file mode 100644 index 00000000000..23ac68b207d --- /dev/null +++ b/queue-4.14/ax25-fix-setsockopt-so_bindtodevice.patch @@ -0,0 +1,72 @@ +From foo@baz Thu 28 May 2020 02:29:37 PM CEST +From: Eric Dumazet +Date: Tue, 19 May 2020 18:24:43 -0700 +Subject: ax25: fix setsockopt(SO_BINDTODEVICE) + +From: Eric Dumazet + +[ Upstream commit 687775cec056b38a4c8f3291e0dd7a9145f7b667 ] + +syzbot was able to trigger this trace [1], probably by using +a zero optlen. + +While we are at it, cap optlen to IFNAMSIZ - 1 instead of IFNAMSIZ. + +[1] +BUG: KMSAN: uninit-value in strnlen+0xf9/0x170 lib/string.c:569 +CPU: 0 PID: 8807 Comm: syz-executor483 Not tainted 5.7.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x220 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 + strnlen+0xf9/0x170 lib/string.c:569 + dev_name_hash net/core/dev.c:207 [inline] + netdev_name_node_lookup net/core/dev.c:277 [inline] + __dev_get_by_name+0x75/0x2b0 net/core/dev.c:778 + ax25_setsockopt+0xfa3/0x1170 net/ax25/af_ax25.c:654 + __compat_sys_setsockopt+0x4ed/0x910 net/compat.c:403 + __do_compat_sys_setsockopt net/compat.c:413 [inline] + __se_compat_sys_setsockopt+0xdd/0x100 net/compat.c:410 + __ia32_compat_sys_setsockopt+0x62/0x80 net/compat.c:410 + do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline] + do_fast_syscall_32+0x3bf/0x6d0 arch/x86/entry/common.c:398 + entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139 +RIP: 0023:0xf7f57dd9 +Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 +RSP: 002b:00000000ffae8c1c EFLAGS: 00000217 ORIG_RAX: 000000000000016e +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000101 +RDX: 0000000000000019 RSI: 0000000020000000 RDI: 0000000000000004 +RBP: 0000000000000012 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +Local variable ----devname@ax25_setsockopt created at: + ax25_setsockopt+0xe6/0x1170 net/ax25/af_ax25.c:536 + ax25_setsockopt+0xe6/0x1170 net/ax25/af_ax25.c:536 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ax25/af_ax25.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -639,8 +639,10 @@ static int ax25_setsockopt(struct socket + break; + + case SO_BINDTODEVICE: +- if (optlen > IFNAMSIZ) +- optlen = IFNAMSIZ; ++ if (optlen > IFNAMSIZ - 1) ++ optlen = IFNAMSIZ - 1; ++ ++ memset(devname, 0, sizeof(devname)); + + if (copy_from_user(devname, optval, optlen)) { + res = -EFAULT; diff --git a/queue-4.14/net-ipip-fix-wrong-address-family-in-init-error-path.patch b/queue-4.14/net-ipip-fix-wrong-address-family-in-init-error-path.patch new file mode 100644 index 00000000000..73d8da124a4 --- /dev/null +++ b/queue-4.14/net-ipip-fix-wrong-address-family-in-init-error-path.patch @@ -0,0 +1,31 @@ +From foo@baz Thu 28 May 2020 02:29:37 PM CEST +From: Vadim Fedorenko +Date: Wed, 20 May 2020 11:50:48 +0300 +Subject: net: ipip: fix wrong address family in init error path + +From: Vadim Fedorenko + +[ Upstream commit 57ebc8f08504f176eb0f25b3e0fde517dec61a4f ] + +In case of error with MPLS support the code is misusing AF_INET +instead of AF_MPLS. + +Fixes: 1b69e7e6c4da ("ipip: support MPLS over IPv4") +Signed-off-by: Vadim Fedorenko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ipip.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/ipip.c ++++ b/net/ipv4/ipip.c +@@ -702,7 +702,7 @@ out: + + rtnl_link_failed: + #if IS_ENABLED(CONFIG_MPLS) +- xfrm4_tunnel_deregister(&mplsip_handler, AF_INET); ++ xfrm4_tunnel_deregister(&mplsip_handler, AF_MPLS); + xfrm_tunnel_mplsip_failed: + + #endif diff --git a/queue-4.14/net-mlx5-add-command-entry-handling-completion.patch b/queue-4.14/net-mlx5-add-command-entry-handling-completion.patch new file mode 100644 index 00000000000..497c205522d --- /dev/null +++ b/queue-4.14/net-mlx5-add-command-entry-handling-completion.patch @@ -0,0 +1,96 @@ +From foo@baz Thu 28 May 2020 02:29:37 PM CEST +From: Moshe Shemesh +Date: Fri, 27 Dec 2019 07:01:53 +0200 +Subject: net/mlx5: Add command entry handling completion + +From: Moshe Shemesh + +[ Upstream commit 17d00e839d3b592da9659c1977d45f85b77f986a ] + +When FW response to commands is very slow and all command entries in +use are waiting for completion we can have a race where commands can get +timeout before they get out of the queue and handled. Timeout +completion on uninitialized command will cause releasing command's +buffers before accessing it for initialization and then we will get NULL +pointer exception while trying access it. It may also cause releasing +buffers of another command since we may have timeout completion before +even allocating entry index for this command. +Add entry handling completion to avoid this race. + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Signed-off-by: Moshe Shemesh +Signed-off-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 14 ++++++++++++++ + include/linux/mlx5/driver.h | 1 + + 2 files changed, 15 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -804,6 +804,7 @@ static void cmd_work_handler(struct work + int alloc_ret; + int cmd_mode; + ++ complete(&ent->handling); + sem = ent->page_queue ? &cmd->pages_sem : &cmd->sem; + down(sem); + if (!ent->page_queue) { +@@ -922,6 +923,11 @@ static int wait_func(struct mlx5_core_de + struct mlx5_cmd *cmd = &dev->cmd; + int err; + ++ if (!wait_for_completion_timeout(&ent->handling, timeout) && ++ cancel_work_sync(&ent->work)) { ++ ent->ret = -ECANCELED; ++ goto out_err; ++ } + if (cmd->mode == CMD_MODE_POLLING || ent->polling) { + wait_for_completion(&ent->done); + } else if (!wait_for_completion_timeout(&ent->done, timeout)) { +@@ -929,12 +935,17 @@ static int wait_func(struct mlx5_core_de + mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true); + } + ++out_err: + err = ent->ret; + + if (err == -ETIMEDOUT) { + mlx5_core_warn(dev, "%s(0x%x) timeout. Will cause a leak of a command resource\n", + mlx5_command_str(msg_to_opcode(ent->in)), + msg_to_opcode(ent->in)); ++ } else if (err == -ECANCELED) { ++ mlx5_core_warn(dev, "%s(0x%x) canceled on out of queue timeout.\n", ++ mlx5_command_str(msg_to_opcode(ent->in)), ++ msg_to_opcode(ent->in)); + } + mlx5_core_dbg(dev, "err %d, delivery status %s(%d)\n", + err, deliv_status_to_str(ent->status), ent->status); +@@ -970,6 +981,7 @@ static int mlx5_cmd_invoke(struct mlx5_c + ent->token = token; + ent->polling = force_polling; + ++ init_completion(&ent->handling); + if (!callback) + init_completion(&ent->done); + +@@ -989,6 +1001,8 @@ static int mlx5_cmd_invoke(struct mlx5_c + err = wait_func(dev, ent); + if (err == -ETIMEDOUT) + goto out; ++ if (err == -ECANCELED) ++ goto out_free; + + ds = ent->ts2 - ent->ts1; + op = MLX5_GET(mbox_in, in->first.data, opcode); +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -841,6 +841,7 @@ struct mlx5_cmd_work_ent { + struct delayed_work cb_timeout_work; + void *context; + int idx; ++ struct completion handling; + struct completion done; + struct mlx5_cmd *cmd; + struct work_struct work; diff --git a/queue-4.14/net-mlx5e-update-netdev-txq-on-completions-during-closure.patch b/queue-4.14/net-mlx5e-update-netdev-txq-on-completions-during-closure.patch new file mode 100644 index 00000000000..e3cd85548ff --- /dev/null +++ b/queue-4.14/net-mlx5e-update-netdev-txq-on-completions-during-closure.patch @@ -0,0 +1,48 @@ +From foo@baz Thu 28 May 2020 01:21:48 PM CEST +From: Moshe Shemesh +Date: Tue, 7 Apr 2020 17:38:28 +0300 +Subject: net/mlx5e: Update netdev txq on completions during closure + +From: Moshe Shemesh + +[ Upstream commit 5e911e2c06bd8c17df29147a5e2d4b17fafda024 ] + +On sq closure when we free its descriptors, we should also update netdev +txq on completions which would not arrive. Otherwise if we reopen sqs +and attach them back, for example on fw fatal recovery flow, we may get +tx timeout. + +Fixes: 29429f3300a3 ("net/mlx5e: Timeout if SQ doesn't flush during close") +Signed-off-by: Moshe Shemesh +Reviewed-by: Tariq Toukan +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c +@@ -496,8 +496,9 @@ bool mlx5e_poll_tx_cq(struct mlx5e_cq *c + void mlx5e_free_txqsq_descs(struct mlx5e_txqsq *sq) + { + struct mlx5e_tx_wqe_info *wi; ++ u32 nbytes = 0; ++ u16 ci, npkts = 0; + struct sk_buff *skb; +- u16 ci; + int i; + + while (sq->cc != sq->pc) { +@@ -518,8 +519,11 @@ void mlx5e_free_txqsq_descs(struct mlx5e + } + + dev_kfree_skb_any(skb); ++ npkts++; ++ nbytes += wi->num_bytes; + sq->cc += wi->num_wqebbs; + } ++ netdev_tx_completed_queue(sq->txq, npkts, nbytes); + } + + #ifdef CONFIG_MLX5_CORE_IPOIB diff --git a/queue-4.14/net-qrtr-fix-passing-invalid-reference-to-qrtr_local_enqueue.patch b/queue-4.14/net-qrtr-fix-passing-invalid-reference-to-qrtr_local_enqueue.patch new file mode 100644 index 00000000000..a8eec1e77e8 --- /dev/null +++ b/queue-4.14/net-qrtr-fix-passing-invalid-reference-to-qrtr_local_enqueue.patch @@ -0,0 +1,38 @@ +From foo@baz Thu 28 May 2020 02:29:37 PM CEST +From: Manivannan Sadhasivam +Date: Tue, 19 May 2020 23:44:16 +0530 +Subject: net: qrtr: Fix passing invalid reference to qrtr_local_enqueue() + +From: Manivannan Sadhasivam + +[ Upstream commit d28ea1fbbf437054ef339afec241019f2c4e2bb6 ] + +Once the traversal of the list is completed with list_for_each_entry(), +the iterator (node) will point to an invalid object. So passing this to +qrtr_local_enqueue() which is outside of the iterator block is erroneous +eventhough the object is not used. + +So fix this by passing NULL to qrtr_local_enqueue(). + +Fixes: bdabad3e363d ("net: Add Qualcomm IPC router") +Reported-by: kbuild test robot +Reported-by: Julia Lawall +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Bjorn Andersson +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/qrtr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/qrtr/qrtr.c ++++ b/net/qrtr/qrtr.c +@@ -660,7 +660,7 @@ static int qrtr_bcast_enqueue(struct qrt + } + mutex_unlock(&qrtr_node_lock); + +- qrtr_local_enqueue(node, skb); ++ qrtr_local_enqueue(NULL, skb); + + return 0; + } diff --git a/queue-4.14/net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch b/queue-4.14/net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch new file mode 100644 index 00000000000..886b1600f1b --- /dev/null +++ b/queue-4.14/net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch @@ -0,0 +1,66 @@ +From foo@baz Thu 28 May 2020 02:29:37 PM CEST +From: Yuqi Jin +Date: Sat, 16 May 2020 11:46:49 +0800 +Subject: net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()" + +From: Yuqi Jin + +[ Upstream commit a6211caa634da39d861a47437ffcda8b38ef421b ] + +Commit adb03115f459 ("net: get rid of an signed integer overflow in ip_idents_reserve()") +used atomic_cmpxchg to replace "atomic_add_return" inside the function +"ip_idents_reserve". The reason was to avoid UBSAN warning. +However, this change has caused performance degrade and in GCC-8, +fno-strict-overflow is now mapped to -fwrapv -fwrapv-pointer +and signed integer overflow is now undefined by default at all +optimization levels[1]. Moreover, it was a bug in UBSAN vs -fwrapv +/-fno-strict-overflow, so Let's revert it safely. + +[1] https://gcc.gnu.org/gcc-8/changes.html + +Suggested-by: Peter Zijlstra +Suggested-by: Eric Dumazet +Cc: "David S. Miller" +Cc: Alexey Kuznetsov +Cc: Hideaki YOSHIFUJI +Cc: Jakub Kicinski +Cc: Jiri Pirko +Cc: Arvind Sankar +Cc: Peter Zijlstra +Cc: Eric Dumazet +Cc: Jiong Wang +Signed-off-by: Yuqi Jin +Signed-off-by: Shaokun Zhang +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/route.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -499,18 +499,16 @@ u32 ip_idents_reserve(u32 hash, int segs + atomic_t *p_id = ip_idents + hash % IP_IDENTS_SZ; + u32 old = ACCESS_ONCE(*p_tstamp); + u32 now = (u32)jiffies; +- u32 new, delta = 0; ++ u32 delta = 0; + + if (old != now && cmpxchg(p_tstamp, old, now) == old) + delta = prandom_u32_max(now - old); + +- /* Do not use atomic_add_return() as it makes UBSAN unhappy */ +- do { +- old = (u32)atomic_read(p_id); +- new = old + delta + segs; +- } while (atomic_cmpxchg(p_id, old, new) != old); +- +- return new - segs; ++ /* If UBSAN reports an error there, please make sure your compiler ++ * supports -fno-strict-overflow before reporting it that was a bug ++ * in UBSAN, and it has been fixed in GCC-8. ++ */ ++ return atomic_add_return(segs + delta, p_id) - segs; + } + EXPORT_SYMBOL(ip_idents_reserve); + diff --git a/queue-4.14/net-sched-fix-reporting-the-first-time-use-timestamp.patch b/queue-4.14/net-sched-fix-reporting-the-first-time-use-timestamp.patch new file mode 100644 index 00000000000..07a8455786c --- /dev/null +++ b/queue-4.14/net-sched-fix-reporting-the-first-time-use-timestamp.patch @@ -0,0 +1,37 @@ +From foo@baz Thu 28 May 2020 02:29:37 PM CEST +From: Roman Mashak +Date: Sun, 17 May 2020 08:46:31 -0400 +Subject: net sched: fix reporting the first-time use timestamp + +From: Roman Mashak + +[ Upstream commit b15e62631c5f19fea9895f7632dae9c1b27fe0cd ] + +When a new action is installed, firstuse field of 'tcf_t' is explicitly set +to 0. Value of zero means "new action, not yet used"; as a packet hits the +action, 'firstuse' is stamped with the current jiffies value. + +tcf_tm_dump() should return 0 for firstuse if action has not yet been hit. + +Fixes: 48d8ee1694dd ("net sched actions: aggregate dumping of actions timeinfo") +Cc: Jamal Hadi Salim +Signed-off-by: Roman Mashak +Acked-by: Jamal Hadi Salim +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/act_api.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/net/act_api.h ++++ b/include/net/act_api.h +@@ -69,7 +69,8 @@ static inline void tcf_tm_dump(struct tc + { + dtm->install = jiffies_to_clock_t(jiffies - stm->install); + dtm->lastuse = jiffies_to_clock_t(jiffies - stm->lastuse); +- dtm->firstuse = jiffies_to_clock_t(jiffies - stm->firstuse); ++ dtm->firstuse = stm->firstuse ? ++ jiffies_to_clock_t(jiffies - stm->firstuse) : 0; + dtm->expires = jiffies_to_clock_t(stm->expires); + } + diff --git a/queue-4.14/r8152-support-additional-microsoft-surface-ethernet-adapter-variant.patch b/queue-4.14/r8152-support-additional-microsoft-surface-ethernet-adapter-variant.patch new file mode 100644 index 00000000000..6d1a399b824 --- /dev/null +++ b/queue-4.14/r8152-support-additional-microsoft-surface-ethernet-adapter-variant.patch @@ -0,0 +1,60 @@ +From foo@baz Thu 28 May 2020 02:29:37 PM CEST +From: Marc Payne +Date: Tue, 19 May 2020 19:01:46 +0100 +Subject: r8152: support additional Microsoft Surface Ethernet Adapter variant + +From: Marc Payne + +[ Upstream commit c27a204383616efba5a4194075e90819961ff66a ] + +Device id 0927 is the RTL8153B-based component of the 'Surface USB-C to +Ethernet and USB Adapter' and may be used as a component of other devices +in future. Tested and working with the r8152 driver. + +Update the cdc_ether blacklist due to the RTL8153 'network jam on suspend' +issue which this device will cause (personally confirmed). + +Signed-off-by: Marc Payne +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc_ether.c | 11 +++++++++-- + drivers/net/usb/r8152.c | 1 + + 2 files changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/net/usb/cdc_ether.c ++++ b/drivers/net/usb/cdc_ether.c +@@ -821,14 +821,21 @@ static const struct usb_device_id produc + .driver_info = 0, + }, + +-/* Microsoft Surface 3 dock (based on Realtek RTL8153) */ ++/* Microsoft Surface Ethernet Adapter (based on Realtek RTL8153) */ + { + USB_DEVICE_AND_INTERFACE_INFO(MICROSOFT_VENDOR_ID, 0x07c6, USB_CLASS_COMM, + USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE), + .driver_info = 0, + }, + +- /* TP-LINK UE300 USB 3.0 Ethernet Adapters (based on Realtek RTL8153) */ ++/* Microsoft Surface Ethernet Adapter (based on Realtek RTL8153B) */ ++{ ++ USB_DEVICE_AND_INTERFACE_INFO(MICROSOFT_VENDOR_ID, 0x0927, USB_CLASS_COMM, ++ USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE), ++ .driver_info = 0, ++}, ++ ++/* TP-LINK UE300 USB 3.0 Ethernet Adapters (based on Realtek RTL8153) */ + { + USB_DEVICE_AND_INTERFACE_INFO(TPLINK_VENDOR_ID, 0x0601, USB_CLASS_COMM, + USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE), +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -5329,6 +5329,7 @@ static const struct usb_device_id rtl815 + {REALTEK_USB_DEVICE(VENDOR_ID_REALTEK, 0x8153)}, + {REALTEK_USB_DEVICE(VENDOR_ID_MICROSOFT, 0x07ab)}, + {REALTEK_USB_DEVICE(VENDOR_ID_MICROSOFT, 0x07c6)}, ++ {REALTEK_USB_DEVICE(VENDOR_ID_MICROSOFT, 0x0927)}, + {REALTEK_USB_DEVICE(VENDOR_ID_SAMSUNG, 0xa101)}, + {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x304f)}, + {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO, 0x3062)}, diff --git a/queue-4.14/sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch b/queue-4.14/sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch new file mode 100644 index 00000000000..bf0024a59ba --- /dev/null +++ b/queue-4.14/sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch @@ -0,0 +1,69 @@ +From foo@baz Thu 28 May 2020 02:29:37 PM CEST +From: "Jere Leppänen" +Date: Wed, 20 May 2020 18:15:31 +0300 +Subject: sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed + +From: "Jere Leppänen" + +[ Upstream commit d3e8e4c11870413789f029a71e72ae6e971fe678 ] + +Commit bdf6fa52f01b ("sctp: handle association restarts when the +socket is closed.") starts shutdown when an association is restarted, +if in SHUTDOWN-PENDING state and the socket is closed. However, the +rationale stated in that commit applies also when in SHUTDOWN-SENT +state - we don't want to move an association to ESTABLISHED state when +the socket has been closed, because that results in an association +that is unreachable from user space. + +The problem scenario: + +1. Client crashes and/or restarts. + +2. Server (using one-to-one socket) calls close(). SHUTDOWN is lost. + +3. Client reconnects using the same addresses and ports. + +4. Server's association is restarted. The association and the socket + move to ESTABLISHED state, even though the server process has + closed its descriptor. + +Also, after step 4 when the server process exits, some resources are +leaked in an attempt to release the underlying inet sock structure in +ESTABLISHED state: + + IPv4: Attempt to release TCP socket in state 1 00000000377288c7 + +Fix by acting the same way as in SHUTDOWN-PENDING state. That is, if +an association is restarted in SHUTDOWN-SENT state and the socket is +closed, then start shutdown and don't move the association or the +socket to ESTABLISHED state. + +Fixes: bdf6fa52f01b ("sctp: handle association restarts when the socket is closed.") +Signed-off-by: Jere Leppänen +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_statefuns.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -1829,12 +1829,13 @@ static enum sctp_disposition sctp_sf_do_ + /* Update the content of current association. */ + sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); + sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); +- if (sctp_state(asoc, SHUTDOWN_PENDING) && ++ if ((sctp_state(asoc, SHUTDOWN_PENDING) || ++ sctp_state(asoc, SHUTDOWN_SENT)) && + (sctp_sstate(asoc->base.sk, CLOSING) || + sock_flag(asoc->base.sk, SOCK_DEAD))) { +- /* if were currently in SHUTDOWN_PENDING, but the socket +- * has been closed by user, don't transition to ESTABLISHED. +- * Instead trigger SHUTDOWN bundled with COOKIE_ACK. ++ /* If the socket has been closed by user, don't ++ * transition to ESTABLISHED. Instead trigger SHUTDOWN ++ * bundled with COOKIE_ACK. + */ + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl)); + return sctp_sf_do_9_2_start_shutdown(net, ep, asoc, diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..75514cdfc62 --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,9 @@ +ax25-fix-setsockopt-so_bindtodevice.patch +net-ipip-fix-wrong-address-family-in-init-error-path.patch +net-mlx5-add-command-entry-handling-completion.patch +net-revert-net-get-rid-of-an-signed-integer-overflow-in-ip_idents_reserve.patch +net-sched-fix-reporting-the-first-time-use-timestamp.patch +r8152-support-additional-microsoft-surface-ethernet-adapter-variant.patch +sctp-start-shutdown-on-association-restart-if-in-shutdown-sent-state-and-socket-is-closed.patch +net-mlx5e-update-netdev-txq-on-completions-during-closure.patch +net-qrtr-fix-passing-invalid-reference-to-qrtr_local_enqueue.patch -- 2.47.3