--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Sat, 30 May 2020 11:34:33 +0800
+Subject: devinet: fix memleak in inetdev_init()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit 1b49cd71b52403822731dc9f283185d1da355f97 ]
+
+When devinet_sysctl_register() failed, the memory allocated
+in neigh_parms_alloc() should be freed.
+
+Fixes: 20e61da7ffcf ("ipv4: fail early when creating netdev named all or default")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/devinet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -276,6 +276,7 @@ static struct in_device *inetdev_init(st
+ err = devinet_sysctl_register(in_dev);
+ if (err) {
+ in_dev->dead = 1;
++ neigh_parms_release(&arp_tbl, in_dev->arp_parms);
+ in_dev_put(in_dev);
+ in_dev = NULL;
+ goto out;
--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 29 May 2020 11:32:25 -0700
+Subject: l2tp: add sk_family checks to l2tp_validate_socket
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d9a81a225277686eb629938986d97629ea102633 ]
+
+syzbot was able to trigger a crash after using an ISDN socket
+and fool l2tp.
+
+Fix this by making sure the UDP socket is of the proper family.
+
+BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78
+Write of size 1 at addr ffff88808ed0c590 by task syz-executor.5/3018
+
+CPU: 0 PID: 3018 Comm: syz-executor.5 Not tainted 5.7.0-rc6-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x188/0x20d lib/dump_stack.c:118
+ print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:382
+ __kasan_report.cold+0x20/0x38 mm/kasan/report.c:511
+ kasan_report+0x33/0x50 mm/kasan/common.c:625
+ setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78
+ l2tp_tunnel_register+0xb15/0xdd0 net/l2tp/l2tp_core.c:1523
+ l2tp_nl_cmd_tunnel_create+0x4b2/0xa60 net/l2tp/l2tp_netlink.c:249
+ genl_family_rcv_msg_doit net/netlink/genetlink.c:673 [inline]
+ genl_family_rcv_msg net/netlink/genetlink.c:718 [inline]
+ genl_rcv_msg+0x627/0xdf0 net/netlink/genetlink.c:735
+ netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
+ genl_rcv+0x24/0x40 net/netlink/genetlink.c:746
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x6e6/0x810 net/socket.c:2352
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2406
+ __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+RIP: 0033:0x45ca29
+Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007effe76edc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000004fe1c0 RCX: 000000000045ca29
+RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
+RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 000000000000094e R14: 00000000004d5d00 R15: 00007effe76ee6d4
+
+Allocated by task 3018:
+ save_stack+0x1b/0x40 mm/kasan/common.c:49
+ set_track mm/kasan/common.c:57 [inline]
+ __kasan_kmalloc mm/kasan/common.c:495 [inline]
+ __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
+ __do_kmalloc mm/slab.c:3656 [inline]
+ __kmalloc+0x161/0x7a0 mm/slab.c:3665
+ kmalloc include/linux/slab.h:560 [inline]
+ sk_prot_alloc+0x223/0x2f0 net/core/sock.c:1612
+ sk_alloc+0x36/0x1100 net/core/sock.c:1666
+ data_sock_create drivers/isdn/mISDN/socket.c:600 [inline]
+ mISDN_sock_create+0x272/0x400 drivers/isdn/mISDN/socket.c:796
+ __sock_create+0x3cb/0x730 net/socket.c:1428
+ sock_create net/socket.c:1479 [inline]
+ __sys_socket+0xef/0x200 net/socket.c:1521
+ __do_sys_socket net/socket.c:1530 [inline]
+ __se_sys_socket net/socket.c:1528 [inline]
+ __x64_sys_socket+0x6f/0xb0 net/socket.c:1528
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+
+Freed by task 2484:
+ save_stack+0x1b/0x40 mm/kasan/common.c:49
+ set_track mm/kasan/common.c:57 [inline]
+ kasan_set_free_info mm/kasan/common.c:317 [inline]
+ __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
+ __cache_free mm/slab.c:3426 [inline]
+ kfree+0x109/0x2b0 mm/slab.c:3757
+ kvfree+0x42/0x50 mm/util.c:603
+ __free_fdtable+0x2d/0x70 fs/file.c:31
+ put_files_struct fs/file.c:420 [inline]
+ put_files_struct+0x248/0x2e0 fs/file.c:413
+ exit_files+0x7e/0xa0 fs/file.c:445
+ do_exit+0xb04/0x2dd0 kernel/exit.c:791
+ do_group_exit+0x125/0x340 kernel/exit.c:894
+ get_signal+0x47b/0x24e0 kernel/signal.c:2739
+ do_signal+0x81/0x2240 arch/x86/kernel/signal.c:784
+ exit_to_usermode_loop+0x26c/0x360 arch/x86/entry/common.c:161
+ prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
+ syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
+ do_syscall_64+0x6b1/0x7d0 arch/x86/entry/common.c:305
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+
+The buggy address belongs to the object at ffff88808ed0c000
+ which belongs to the cache kmalloc-2k of size 2048
+The buggy address is located 1424 bytes inside of
+ 2048-byte region [ffff88808ed0c000, ffff88808ed0c800)
+The buggy address belongs to the page:
+page:ffffea00023b4300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
+flags: 0xfffe0000000200(slab)
+raw: 00fffe0000000200 ffffea0002838208 ffffea00015ba288 ffff8880aa000e00
+raw: 0000000000000000 ffff88808ed0c000 0000000100000001 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88808ed0c480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff88808ed0c500: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff88808ed0c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff88808ed0c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff88808ed0c680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Fixes: 6b9f34239b00 ("l2tp: fix races in tunnel creation")
+Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Chapman <jchapman@katalix.com>
+Cc: Guillaume Nault <gnault@redhat.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1458,6 +1458,9 @@ static int l2tp_validate_socket(const st
+ if (sk->sk_type != SOCK_DGRAM)
+ return -EPROTONOSUPPORT;
+
++ if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
++ return -EPROTONOSUPPORT;
++
+ if ((encap == L2TP_ENCAPTYPE_UDP && sk->sk_protocol != IPPROTO_UDP) ||
+ (encap == L2TP_ENCAPTYPE_IP && sk->sk_protocol != IPPROTO_L2TP))
+ return -EPROTONOSUPPORT;
--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 29 May 2020 11:20:53 -0700
+Subject: l2tp: do not use inet_hash()/inet_unhash()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 02c71b144c811bcdd865e0a1226d0407d11357e8 ]
+
+syzbot recently found a way to crash the kernel [1]
+
+Issue here is that inet_hash() & inet_unhash() are currently
+only meant to be used by TCP & DCCP, since only these protocols
+provide the needed hashinfo pointer.
+
+L2TP uses a single list (instead of a hash table)
+
+This old bug became an issue after commit 610236587600
+("bpf: Add new cgroup attach type to enable sock modifications")
+since after this commit, sk_common_release() can be called
+while the L2TP socket is still considered 'hashed'.
+
+general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+CPU: 0 PID: 7063 Comm: syz-executor654 Not tainted 5.7.0-rc6-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600
+Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00
+RSP: 0018:ffffc90001777d30 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242
+RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008
+RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1
+R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0
+R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00
+FS: 0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ sk_common_release+0xba/0x370 net/core/sock.c:3210
+ inet_create net/ipv4/af_inet.c:390 [inline]
+ inet_create+0x966/0xe00 net/ipv4/af_inet.c:248
+ __sock_create+0x3cb/0x730 net/socket.c:1428
+ sock_create net/socket.c:1479 [inline]
+ __sys_socket+0xef/0x200 net/socket.c:1521
+ __do_sys_socket net/socket.c:1530 [inline]
+ __se_sys_socket net/socket.c:1528 [inline]
+ __x64_sys_socket+0x6f/0xb0 net/socket.c:1528
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+RIP: 0033:0x441e29
+Code: e8 fc b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffdce184148 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441e29
+RDX: 0000000000000073 RSI: 0000000000000002 RDI: 0000000000000002
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000402c30 R14: 0000000000000000 R15: 0000000000000000
+Modules linked in:
+---[ end trace 23b6578228ce553e ]---
+RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600
+Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00
+RSP: 0018:ffffc90001777d30 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242
+RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008
+RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1
+R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0
+R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00
+FS: 0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Chapman <jchapman@katalix.com>
+Cc: Andrii Nakryiko <andriin@fb.com>
+Reported-by: syzbot+3610d489778b57cc8031@syzkaller.appspotmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ip.c | 29 ++++++++++++++++++++++-------
+ net/l2tp/l2tp_ip6.c | 30 ++++++++++++++++++++++--------
+ 2 files changed, 44 insertions(+), 15 deletions(-)
+
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -20,7 +20,6 @@
+ #include <net/icmp.h>
+ #include <net/udp.h>
+ #include <net/inet_common.h>
+-#include <net/inet_hashtables.h>
+ #include <net/tcp_states.h>
+ #include <net/protocol.h>
+ #include <net/xfrm.h>
+@@ -209,15 +208,31 @@ discard:
+ return 0;
+ }
+
+-static int l2tp_ip_open(struct sock *sk)
++static int l2tp_ip_hash(struct sock *sk)
+ {
+- /* Prevent autobind. We don't have ports. */
+- inet_sk(sk)->inet_num = IPPROTO_L2TP;
++ if (sk_unhashed(sk)) {
++ write_lock_bh(&l2tp_ip_lock);
++ sk_add_node(sk, &l2tp_ip_table);
++ write_unlock_bh(&l2tp_ip_lock);
++ }
++ return 0;
++}
+
++static void l2tp_ip_unhash(struct sock *sk)
++{
++ if (sk_unhashed(sk))
++ return;
+ write_lock_bh(&l2tp_ip_lock);
+- sk_add_node(sk, &l2tp_ip_table);
++ sk_del_node_init(sk);
+ write_unlock_bh(&l2tp_ip_lock);
++}
++
++static int l2tp_ip_open(struct sock *sk)
++{
++ /* Prevent autobind. We don't have ports. */
++ inet_sk(sk)->inet_num = IPPROTO_L2TP;
+
++ l2tp_ip_hash(sk);
+ return 0;
+ }
+
+@@ -594,8 +609,8 @@ static struct proto l2tp_ip_prot = {
+ .sendmsg = l2tp_ip_sendmsg,
+ .recvmsg = l2tp_ip_recvmsg,
+ .backlog_rcv = l2tp_ip_backlog_recv,
+- .hash = inet_hash,
+- .unhash = inet_unhash,
++ .hash = l2tp_ip_hash,
++ .unhash = l2tp_ip_unhash,
+ .obj_size = sizeof(struct l2tp_ip_sock),
+ #ifdef CONFIG_COMPAT
+ .compat_setsockopt = compat_ip_setsockopt,
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -20,8 +20,6 @@
+ #include <net/icmp.h>
+ #include <net/udp.h>
+ #include <net/inet_common.h>
+-#include <net/inet_hashtables.h>
+-#include <net/inet6_hashtables.h>
+ #include <net/tcp_states.h>
+ #include <net/protocol.h>
+ #include <net/xfrm.h>
+@@ -222,15 +220,31 @@ discard:
+ return 0;
+ }
+
+-static int l2tp_ip6_open(struct sock *sk)
++static int l2tp_ip6_hash(struct sock *sk)
+ {
+- /* Prevent autobind. We don't have ports. */
+- inet_sk(sk)->inet_num = IPPROTO_L2TP;
++ if (sk_unhashed(sk)) {
++ write_lock_bh(&l2tp_ip6_lock);
++ sk_add_node(sk, &l2tp_ip6_table);
++ write_unlock_bh(&l2tp_ip6_lock);
++ }
++ return 0;
++}
+
++static void l2tp_ip6_unhash(struct sock *sk)
++{
++ if (sk_unhashed(sk))
++ return;
+ write_lock_bh(&l2tp_ip6_lock);
+- sk_add_node(sk, &l2tp_ip6_table);
++ sk_del_node_init(sk);
+ write_unlock_bh(&l2tp_ip6_lock);
++}
++
++static int l2tp_ip6_open(struct sock *sk)
++{
++ /* Prevent autobind. We don't have ports. */
++ inet_sk(sk)->inet_num = IPPROTO_L2TP;
+
++ l2tp_ip6_hash(sk);
+ return 0;
+ }
+
+@@ -728,8 +742,8 @@ static struct proto l2tp_ip6_prot = {
+ .sendmsg = l2tp_ip6_sendmsg,
+ .recvmsg = l2tp_ip6_recvmsg,
+ .backlog_rcv = l2tp_ip6_backlog_recv,
+- .hash = inet6_hash,
+- .unhash = inet_unhash,
++ .hash = l2tp_ip6_hash,
++ .unhash = l2tp_ip6_unhash,
+ .obj_size = sizeof(struct l2tp_ip6_sock),
+ #ifdef CONFIG_COMPAT
+ .compat_setsockopt = compat_ipv6_setsockopt,
--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 29 May 2020 17:43:29 +0200
+Subject: mptcp: fix unblocking connect()
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 41be81a8d3d09acb9033799938306349328861f9 ]
+
+Currently unblocking connect() on MPTCP sockets fails frequently.
+If mptcp_stream_connect() is invoked to complete a previously
+attempted unblocking connection, it will still try to create
+the first subflow via __mptcp_socket_create(). If the 3whs is
+completed and the 'can_ack' flag is already set, the latter
+will fail with -EINVAL.
+
+This change addresses the issue checking for pending connect and
+delegating the completion to the first subflow. Additionally
+do msk addresses and sk_state changes only when needed.
+
+Fixes: 2303f994b3e1 ("mptcp: Associate MPTCP context with TCP socket")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -920,6 +920,14 @@ static int mptcp_stream_connect(struct s
+ int err;
+
+ lock_sock(sock->sk);
++ if (sock->state != SS_UNCONNECTED && msk->subflow) {
++ /* pending connection or invalid state, let existing subflow
++ * cope with that
++ */
++ ssock = msk->subflow;
++ goto do_connect;
++ }
++
+ ssock = __mptcp_socket_create(msk, TCP_SYN_SENT);
+ if (IS_ERR(ssock)) {
+ err = PTR_ERR(ssock);
+@@ -934,9 +942,17 @@ static int mptcp_stream_connect(struct s
+ mptcp_subflow_ctx(ssock->sk)->request_mptcp = 0;
+ #endif
+
++do_connect:
+ err = ssock->ops->connect(ssock, uaddr, addr_len, flags);
+- inet_sk_state_store(sock->sk, inet_sk_state_load(ssock->sk));
+- mptcp_copy_inaddrs(sock->sk, ssock->sk);
++ sock->state = ssock->state;
++
++ /* on successful connect, the msk state will be moved to established by
++ * subflow_finish_connect()
++ */
++ if (!err || err == EINPROGRESS)
++ mptcp_copy_inaddrs(sock->sk, ssock->sk);
++ else
++ inet_sk_state_store(sock->sk, inet_sk_state_load(ssock->sk));
+
+ unlock:
+ release_sock(sock->sk);
--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 28 May 2020 14:57:47 -0700
+Subject: net: be more gentle about silly gso requests coming from user
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7c6d2ecbda83150b2036a2b36b21381ad4667762 ]
+
+Recent change in virtio_net_hdr_to_skb() broke some packetdrill tests.
+
+When --mss=XXX option is set, packetdrill always provide gso_type & gso_size
+for its inbound packets, regardless of packet size.
+
+ if (packet->tcp && packet->mss) {
+ if (packet->ipv4)
+ gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
+ else
+ gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
+ gso.gso_size = packet->mss;
+ }
+
+Since many other programs could do the same, relax virtio_net_hdr_to_skb()
+to no longer return an error, but instead ignore gso settings.
+
+This keeps Willem intent to make sure no malicious packet could
+reach gso stack.
+
+Note that TCP stack has a special logic in tcp_set_skb_tso_segs()
+to clear gso_size for small packets.
+
+Fixes: 6dd912f82680 ("net: check untrusted gso_size at kernel entry")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/virtio_net.h | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -109,16 +109,17 @@ retry:
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+ u16 gso_size = __virtio16_to_cpu(little_endian, hdr->gso_size);
++ struct skb_shared_info *shinfo = skb_shinfo(skb);
+
+- if (skb->len - p_off <= gso_size)
+- return -EINVAL;
++ /* Too small packets are not really GSO ones. */
++ if (skb->len - p_off > gso_size) {
++ shinfo->gso_size = gso_size;
++ shinfo->gso_type = gso_type;
+
+- skb_shinfo(skb)->gso_size = gso_size;
+- skb_shinfo(skb)->gso_type = gso_type;
+-
+- /* Header must be checked, and gso_segs computed. */
+- skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
+- skb_shinfo(skb)->gso_segs = 0;
++ /* Header must be checked, and gso_segs computed. */
++ shinfo->gso_type |= SKB_GSO_DODGY;
++ shinfo->gso_segs = 0;
++ }
+ }
+
+ return 0;
--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Willem de Bruijn <willemb@google.com>
+Date: Mon, 25 May 2020 15:07:40 -0400
+Subject: net: check untrusted gso_size at kernel entry
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 6dd912f82680761d8fb6b1bb274a69d4c7010988 ]
+
+Syzkaller again found a path to a kernel crash through bad gso input:
+a packet with gso size exceeding len.
+
+These packets are dropped in tcp_gso_segment and udp[46]_ufo_fragment.
+But they may affect gso size calculations earlier in the path.
+
+Now that we have thlen as of commit 9274124f023b ("net: stricter
+validation of untrusted gso packets"), check gso_size at entry too.
+
+Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/virtio_net.h | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -31,6 +31,7 @@ static inline int virtio_net_hdr_to_skb(
+ {
+ unsigned int gso_type = 0;
+ unsigned int thlen = 0;
++ unsigned int p_off = 0;
+ unsigned int ip_proto;
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+@@ -68,7 +69,8 @@ static inline int virtio_net_hdr_to_skb(
+ if (!skb_partial_csum_set(skb, start, off))
+ return -EINVAL;
+
+- if (skb_transport_offset(skb) + thlen > skb_headlen(skb))
++ p_off = skb_transport_offset(skb) + thlen;
++ if (p_off > skb_headlen(skb))
+ return -EINVAL;
+ } else {
+ /* gso packets without NEEDS_CSUM do not set transport_offset.
+@@ -92,17 +94,25 @@ retry:
+ return -EINVAL;
+ }
+
+- if (keys.control.thoff + thlen > skb_headlen(skb) ||
++ p_off = keys.control.thoff + thlen;
++ if (p_off > skb_headlen(skb) ||
+ keys.basic.ip_proto != ip_proto)
+ return -EINVAL;
+
+ skb_set_transport_header(skb, keys.control.thoff);
++ } else if (gso_type) {
++ p_off = thlen;
++ if (p_off > skb_headlen(skb))
++ return -EINVAL;
+ }
+ }
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+ u16 gso_size = __virtio16_to_cpu(little_endian, hdr->gso_size);
+
++ if (skb->len - p_off <= gso_size)
++ return -EINVAL;
++
+ skb_shinfo(skb)->gso_size = gso_size;
+ skb_shinfo(skb)->gso_type = gso_type;
+
--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Wed, 27 May 2020 19:48:03 +0300
+Subject: net: dsa: felix: send VLANs on CPU port as egress-tagged
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 183be6f967fe37c3154bfac39e913c3bafe89d1b ]
+
+As explained in other commits before (b9cd75e66895 and 87b0f983f66f),
+ocelot switches have a single egress-untagged VLAN per port, and the
+driver would deny adding a second one while an egress-untagged VLAN
+already exists.
+
+But on the CPU port (where the VLAN configuration is implicit, because
+there is no net device for the bridge to control), the DSA core attempts
+to add a VLAN using the same flags as were used for the front-panel
+port. This would make adding any untagged VLAN fail due to the CPU port
+rejecting the configuration:
+
+bridge vlan add dev swp0 vid 100 pvid untagged
+[ 1865.854253] mscc_felix 0000:00:00.5: Port already has a native VLAN: 1
+[ 1865.860824] mscc_felix 0000:00:00.5: Failed to add VLAN 100 to port 5: -16
+
+(note that port 5 is the CPU port and not the front-panel swp0).
+
+So this hardware will send all VLANs as tagged towards the CPU.
+
+Fixes: 56051948773e ("net: dsa: ocelot: add driver for Felix switch family")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/ocelot/felix.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/dsa/ocelot/felix.c
++++ b/drivers/net/dsa/ocelot/felix.c
+@@ -100,13 +100,17 @@ static void felix_vlan_add(struct dsa_sw
+ const struct switchdev_obj_port_vlan *vlan)
+ {
+ struct ocelot *ocelot = ds->priv;
++ u16 flags = vlan->flags;
+ u16 vid;
+ int err;
+
++ if (dsa_is_cpu_port(ds, port))
++ flags &= ~BRIDGE_VLAN_INFO_UNTAGGED;
++
+ for (vid = vlan->vid_begin; vid <= vlan->vid_end; vid++) {
+ err = ocelot_vlan_add(ocelot, port, vid,
+- vlan->flags & BRIDGE_VLAN_INFO_PVID,
+- vlan->flags & BRIDGE_VLAN_INFO_UNTAGGED);
++ flags & BRIDGE_VLAN_INFO_PVID,
++ flags & BRIDGE_VLAN_INFO_UNTAGGED);
+ if (err) {
+ dev_err(ds->dev, "Failed to add VLAN %d to port %d: %d\n",
+ vid, port, err);
--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Mark Bloch <markb@mellanox.com>
+Date: Wed, 20 May 2020 17:32:08 +0000
+Subject: net/mlx5: Fix crash upon suspend/resume
+
+From: Mark Bloch <markb@mellanox.com>
+
+[ Upstream commit 8fc3e29be9248048f449793502c15af329f35c6e ]
+
+Currently a Linux system with the mlx5 NIC always crashes upon
+hibernation - suspend/resume.
+
+Add basic callbacks so the NIC could be suspended and resumed.
+
+Fixes: 9603b61de1ee ("mlx5: Move pci device handling from mlx5_ib to mlx5_core")
+Tested-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: Mark Bloch <markb@mellanox.com>
+Reviewed-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1552,6 +1552,22 @@ static void shutdown(struct pci_dev *pde
+ mlx5_pci_disable_device(dev);
+ }
+
++static int mlx5_suspend(struct pci_dev *pdev, pm_message_t state)
++{
++ struct mlx5_core_dev *dev = pci_get_drvdata(pdev);
++
++ mlx5_unload_one(dev, false);
++
++ return 0;
++}
++
++static int mlx5_resume(struct pci_dev *pdev)
++{
++ struct mlx5_core_dev *dev = pci_get_drvdata(pdev);
++
++ return mlx5_load_one(dev, false);
++}
++
+ static const struct pci_device_id mlx5_core_pci_table[] = {
+ { PCI_VDEVICE(MELLANOX, PCI_DEVICE_ID_MELLANOX_CONNECTIB) },
+ { PCI_VDEVICE(MELLANOX, 0x1012), MLX5_PCI_DEV_IS_VF}, /* Connect-IB VF */
+@@ -1595,6 +1611,8 @@ static struct pci_driver mlx5_core_drive
+ .id_table = mlx5_core_pci_table,
+ .probe = init_one,
+ .remove = remove_one,
++ .suspend = mlx5_suspend,
++ .resume = mlx5_resume,
+ .shutdown = shutdown,
+ .err_handler = &mlx5_err_handler,
+ .sriov_configure = mlx5_core_sriov_configure,
--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sun, 19 Apr 2020 14:12:35 +0200
+Subject: net/mlx5e: replace EINVAL in mlx5e_flower_parse_meta()
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit a683012a8e77675a1947cc8f11f97cdc1d5bb769 ]
+
+The drivers reports EINVAL to userspace through netlink on invalid meta
+match. This is confusing since EINVAL is usually reserved for malformed
+netlink messages. Replace it by more meaningful codes.
+
+Fixes: 6d65bc64e232 ("net/mlx5e: Add mlx5e_flower_parse_meta support")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -1824,7 +1824,7 @@ static int mlx5e_flower_parse_meta(struc
+ flow_rule_match_meta(rule, &match);
+ if (match.mask->ingress_ifindex != 0xFFFFFFFF) {
+ NL_SET_ERR_MSG_MOD(extack, "Unsupported ingress ifindex mask");
+- return -EINVAL;
++ return -EOPNOTSUPP;
+ }
+
+ ingress_dev = __dev_get_by_index(dev_net(filter_dev),
+@@ -1832,13 +1832,13 @@ static int mlx5e_flower_parse_meta(struc
+ if (!ingress_dev) {
+ NL_SET_ERR_MSG_MOD(extack,
+ "Can't find the ingress port to match on");
+- return -EINVAL;
++ return -ENOENT;
+ }
+
+ if (ingress_dev != filter_dev) {
+ NL_SET_ERR_MSG_MOD(extack,
+ "Can't match on the ingress filter port");
+- return -EINVAL;
++ return -EOPNOTSUPP;
+ }
+
+ return 0;
--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Wed, 27 May 2020 02:04:26 +0200
+Subject: net/sched: fix infinite loop in sch_fq_pie
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit bb2f930d6dd708469a587dc9ed1efe1ef969c0bf ]
+
+this command hangs forever:
+
+ # tc qdisc add dev eth0 root fq_pie flows 65536
+
+ watchdog: BUG: soft lockup - CPU#1 stuck for 23s! [tc:1028]
+ [...]
+ CPU: 1 PID: 1028 Comm: tc Not tainted 5.7.0-rc6+ #167
+ RIP: 0010:fq_pie_init+0x60e/0x8b7 [sch_fq_pie]
+ Code: 4c 89 65 50 48 89 f8 48 c1 e8 03 42 80 3c 30 00 0f 85 2a 02 00 00 48 8d 7d 10 4c 89 65 58 48 89 f8 48 c1 e8 03 42 80 3c 30 00 <0f> 85 a7 01 00 00 48 8d 7d 18 48 c7 45 10 46 c3 23 00 48 89 f8 48
+ RSP: 0018:ffff888138d67468 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
+ RAX: 1ffff9200018d2b2 RBX: ffff888139c1c400 RCX: ffffffffffffffff
+ RDX: 000000000000c5e8 RSI: ffffc900000e5000 RDI: ffffc90000c69590
+ RBP: ffffc90000c69580 R08: fffffbfff79a9699 R09: fffffbfff79a9699
+ R10: 0000000000000700 R11: fffffbfff79a9698 R12: ffffc90000c695d0
+ R13: 0000000000000000 R14: dffffc0000000000 R15: 000000002347c5e8
+ FS: 00007f01e1850e40(0000) GS:ffff88814c880000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000000000067c340 CR3: 000000013864c000 CR4: 0000000000340ee0
+ Call Trace:
+ qdisc_create+0x3fd/0xeb0
+ tc_modify_qdisc+0x3be/0x14a0
+ rtnetlink_rcv_msg+0x5f3/0x920
+ netlink_rcv_skb+0x121/0x350
+ netlink_unicast+0x439/0x630
+ netlink_sendmsg+0x714/0xbf0
+ sock_sendmsg+0xe2/0x110
+ ____sys_sendmsg+0x5b4/0x890
+ ___sys_sendmsg+0xe9/0x160
+ __sys_sendmsg+0xd3/0x170
+ do_syscall_64+0x9a/0x370
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+we can't accept 65536 as a valid number for 'nflows', because the loop on
+'idx' in fq_pie_init() will never end. The extack message is correct, but
+it doesn't say that 0 is not a valid number for 'flows': while at it, fix
+this also. Add a tdc selftest to check correct validation of 'flows'.
+
+CC: Ivan Vecera <ivecera@redhat.com>
+Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Reviewed-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_fq_pie.c | 4 -
+ tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq_pie.json | 21 ++++++++++
+ 2 files changed, 23 insertions(+), 2 deletions(-)
+ create mode 100644 tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq_pie.json
+
+--- a/net/sched/sch_fq_pie.c
++++ b/net/sched/sch_fq_pie.c
+@@ -298,9 +298,9 @@ static int fq_pie_change(struct Qdisc *s
+ goto flow_error;
+ }
+ q->flows_cnt = nla_get_u32(tb[TCA_FQ_PIE_FLOWS]);
+- if (!q->flows_cnt || q->flows_cnt > 65536) {
++ if (!q->flows_cnt || q->flows_cnt >= 65536) {
+ NL_SET_ERR_MSG_MOD(extack,
+- "Number of flows must be < 65536");
++ "Number of flows must range in [1..65535]");
+ goto flow_error;
+ }
+ }
+--- /dev/null
++++ b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/fq_pie.json
+@@ -0,0 +1,21 @@
++[
++ {
++ "id": "83be",
++ "name": "Create FQ-PIE with invalid number of flows",
++ "category": [
++ "qdisc",
++ "fq_pie"
++ ],
++ "setup": [
++ "$IP link add dev $DUMMY type dummy || /bin/true"
++ ],
++ "cmdUnderTest": "$TC qdisc add dev $DUMMY root fq_pie flows 65536",
++ "expExitCode": "2",
++ "verifyCmd": "$TC qdisc show dev $DUMMY",
++ "matchPattern": "qdisc",
++ "matchCount": "0",
++ "teardown": [
++ "$IP link del dev $DUMMY"
++ ]
++ }
++]
--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Fugang Duan <fugang.duan@nxp.com>
+Date: Mon, 25 May 2020 16:18:14 +0800
+Subject: net: stmmac: enable timestamp snapshot for required PTP packets in dwmac v5.10a
+
+From: Fugang Duan <fugang.duan@nxp.com>
+
+[ Upstream commit f2fb6b6275eba9d312957ca44c487bd780da6169 ]
+
+For rx filter 'HWTSTAMP_FILTER_PTP_V2_EVENT', it should be
+PTP v2/802.AS1, any layer, any kind of event packet, but HW only
+take timestamp snapshot for below PTP message: sync, Pdelay_req,
+Pdelay_resp.
+
+Then it causes below issue when test E2E case:
+ptp4l[2479.534]: port 1: received DELAY_REQ without timestamp
+ptp4l[2481.423]: port 1: received DELAY_REQ without timestamp
+ptp4l[2481.758]: port 1: received DELAY_REQ without timestamp
+ptp4l[2483.524]: port 1: received DELAY_REQ without timestamp
+ptp4l[2484.233]: port 1: received DELAY_REQ without timestamp
+ptp4l[2485.750]: port 1: received DELAY_REQ without timestamp
+ptp4l[2486.888]: port 1: received DELAY_REQ without timestamp
+ptp4l[2487.265]: port 1: received DELAY_REQ without timestamp
+ptp4l[2487.316]: port 1: received DELAY_REQ without timestamp
+
+Timestamp snapshot dependency on register bits in received path:
+SNAPTYPSEL TSMSTRENA TSEVNTENA PTP_Messages
+01 x 0 SYNC, Follow_Up, Delay_Req,
+ Delay_Resp, Pdelay_Req, Pdelay_Resp,
+ Pdelay_Resp_Follow_Up
+01 0 1 SYNC, Pdelay_Req, Pdelay_Resp
+
+For dwmac v5.10a, enabling all events by setting register
+DWC_EQOS_TIME_STAMPING[SNAPTYPSEL] to 2’b01, clearing bit [TSEVNTENA]
+to 0’b0, which can support all required events.
+
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -630,7 +630,8 @@ static int stmmac_hwtstamp_set(struct ne
+ config.rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT;
+ ptp_v2 = PTP_TCR_TSVER2ENA;
+ snap_type_sel = PTP_TCR_SNAPTYPSEL_1;
+- ts_event_en = PTP_TCR_TSEVNTENA;
++ if (priv->synopsys_id != DWMAC_CORE_5_10)
++ ts_event_en = PTP_TCR_TSEVNTENA;
+ ptp_over_ipv4_udp = PTP_TCR_TSIPV4ENA;
+ ptp_over_ipv6_udp = PTP_TCR_TSIPV6ENA;
+ ptp_over_ethernet = PTP_TCR_TSIPENA;
--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Daniele Palmas <dnlplm@gmail.com>
+Date: Mon, 25 May 2020 23:25:37 +0200
+Subject: net: usb: qmi_wwan: add Telit LE910C1-EUX composition
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+[ Upstream commit 591612aa578cd7148b7b9d74869ef40118978389 ]
+
+Add support for Telit LE910C1-EUX composition
+
+0x1031: tty, tty, tty, rmnet
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1324,6 +1324,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x1bbb, 0x0203, 2)}, /* Alcatel L800MA */
+ {QMI_FIXED_INTF(0x2357, 0x0201, 4)}, /* TP-LINK HSUPA Modem MA180 */
+ {QMI_FIXED_INTF(0x2357, 0x9000, 4)}, /* TP-LINK MA260 */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1031, 3)}, /* Telit LE910C1-EUX */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1040, 2)}, /* Telit LE922A */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1050, 2)}, /* Telit FN980 */
+ {QMI_FIXED_INTF(0x1bc7, 0x1100, 3)}, /* Telit ME910 */
--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Chuhong Yuan <hslester96@gmail.com>
+Date: Thu, 28 May 2020 18:20:37 +0800
+Subject: NFC: st21nfca: add missed kfree_skb() in an error path
+
+From: Chuhong Yuan <hslester96@gmail.com>
+
+[ Upstream commit 3decabdc714ca56c944f4669b4cdec5c2c1cea23 ]
+
+st21nfca_tm_send_atr_res() misses to call kfree_skb() in an error path.
+Add the missed function call to fix it.
+
+Fixes: 1892bf844ea0 ("NFC: st21nfca: Adding P2P support to st21nfca in Initiator & Target mode")
+Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/st21nfca/dep.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/nfc/st21nfca/dep.c
++++ b/drivers/nfc/st21nfca/dep.c
+@@ -173,8 +173,10 @@ static int st21nfca_tm_send_atr_res(stru
+ memcpy(atr_res->gbi, atr_req->gbi, gb_len);
+ r = nfc_set_remote_general_bytes(hdev->ndev, atr_res->gbi,
+ gb_len);
+- if (r < 0)
++ if (r < 0) {
++ kfree_skb(skb);
+ return r;
++ }
+ }
+
+ info->dep_info.curr_nfc_dep_pni = 0;
--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Heinrich Kuhn <heinrich.kuhn@netronome.com>
+Date: Wed, 27 May 2020 09:44:20 +0200
+Subject: nfp: flower: fix used time of merge flow statistics
+
+From: Heinrich Kuhn <heinrich.kuhn@netronome.com>
+
+[ Upstream commit 5b186cd60f033110960a3db424ffbd6de4cee528 ]
+
+Prior to this change the correct value for the used counter is calculated
+but not stored nor, therefore, propagated to user-space. In use-cases such
+as OVS use-case at least this results in active flows being removed from
+the hardware datapath. Which results in both unnecessary flow tear-down
+and setup, and packet processing on the host.
+
+This patch addresses the problem by saving the calculated used value
+which allows the value to propagate to user-space.
+
+Found by inspection.
+
+Fixes: aa6ce2ea0c93 ("nfp: flower: support stats update for merge flows")
+Signed-off-by: Heinrich Kuhn <heinrich.kuhn@netronome.com>
+Signed-off-by: Simon Horman <simon.horman@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/offload.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/offload.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/offload.c
+@@ -1440,7 +1440,8 @@ __nfp_flower_update_merge_stats(struct n
+ ctx_id = be32_to_cpu(sub_flow->meta.host_ctx_id);
+ priv->stats[ctx_id].pkts += pkts;
+ priv->stats[ctx_id].bytes += bytes;
+- max_t(u64, priv->stats[ctx_id].used, used);
++ priv->stats[ctx_id].used = max_t(u64, used,
++ priv->stats[ctx_id].used);
+ }
+ }
+
--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Jonas Falkevik <jonas.falkevik@gmail.com>
+Date: Wed, 27 May 2020 11:56:40 +0200
+Subject: sctp: check assoc before SCTP_ADDR_{MADE_PRIM, ADDED} event
+
+From: Jonas Falkevik <jonas.falkevik@gmail.com>
+
+[ Upstream commit 45ebf73ebcec88a34a778f5feaa0b82b1c76069e ]
+
+Make sure SCTP_ADDR_{MADE_PRIM,ADDED} are sent only for associations
+that have been established.
+
+These events are described in rfc6458#section-6.1
+SCTP_PEER_ADDR_CHANGE:
+This tag indicates that an address that is
+part of an existing association has experienced a change of
+state (e.g., a failure or return to service of the reachability
+of an endpoint via a specific transport address).
+
+Signed-off-by: Jonas Falkevik <jonas.falkevik@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/ulpevent.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sctp/ulpevent.c
++++ b/net/sctp/ulpevent.c
+@@ -343,6 +343,9 @@ void sctp_ulpevent_nofity_peer_addr_chan
+ struct sockaddr_storage addr;
+ struct sctp_ulpevent *event;
+
++ if (asoc->state < SCTP_STATE_ESTABLISHED)
++ return;
++
+ memset(&addr, 0, sizeof(struct sockaddr_storage));
+ memcpy(&addr, &transport->ipaddr, transport->af_specific->sockaddr_len);
+
--- /dev/null
+devinet-fix-memleak-in-inetdev_init.patch
+l2tp-add-sk_family-checks-to-l2tp_validate_socket.patch
+l2tp-do-not-use-inet_hash-inet_unhash.patch
+net-check-untrusted-gso_size-at-kernel-entry.patch
+net-mlx5-fix-crash-upon-suspend-resume.patch
+net-stmmac-enable-timestamp-snapshot-for-required-ptp-packets-in-dwmac-v5.10a.patch
+net-usb-qmi_wwan-add-telit-le910c1-eux-composition.patch
+nfc-st21nfca-add-missed-kfree_skb-in-an-error-path.patch
+nfp-flower-fix-used-time-of-merge-flow-statistics.patch
+sctp-check-assoc-before-sctp_addr_-made_prim-added-event.patch
+virtio_vsock-fix-race-condition-in-virtio_transport_recv_pkt.patch
+vsock-fix-timeout-in-vsock_accept.patch
+net-be-more-gentle-about-silly-gso-requests-coming-from-user.patch
+net-dsa-felix-send-vlans-on-cpu-port-as-egress-tagged.patch
+mptcp-fix-unblocking-connect.patch
+net-sched-fix-infinite-loop-in-sch_fq_pie.patch
+net-mlx5e-replace-einval-in-mlx5e_flower_parse_meta.patch
--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Jia He <justin.he@arm.com>
+Date: Sat, 30 May 2020 09:38:28 +0800
+Subject: virtio_vsock: Fix race condition in virtio_transport_recv_pkt
+
+From: Jia He <justin.he@arm.com>
+
+[ Upstream commit 8692cefc433f282228fd44938dd4d26ed38254a2 ]
+
+When client on the host tries to connect(SOCK_STREAM, O_NONBLOCK) to the
+server on the guest, there will be a panic on a ThunderX2 (armv8a server):
+
+[ 463.718844] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+[ 463.718848] Mem abort info:
+[ 463.718849] ESR = 0x96000044
+[ 463.718852] EC = 0x25: DABT (current EL), IL = 32 bits
+[ 463.718853] SET = 0, FnV = 0
+[ 463.718854] EA = 0, S1PTW = 0
+[ 463.718855] Data abort info:
+[ 463.718856] ISV = 0, ISS = 0x00000044
+[ 463.718857] CM = 0, WnR = 1
+[ 463.718859] user pgtable: 4k pages, 48-bit VAs, pgdp=0000008f6f6e9000
+[ 463.718861] [0000000000000000] pgd=0000000000000000
+[ 463.718866] Internal error: Oops: 96000044 [#1] SMP
+[...]
+[ 463.718977] CPU: 213 PID: 5040 Comm: vhost-5032 Tainted: G O 5.7.0-rc7+ #139
+[ 463.718980] Hardware name: GIGABYTE R281-T91-00/MT91-FS1-00, BIOS F06 09/25/2018
+[ 463.718982] pstate: 60400009 (nZCv daif +PAN -UAO)
+[ 463.718995] pc : virtio_transport_recv_pkt+0x4c8/0xd40 [vmw_vsock_virtio_transport_common]
+[ 463.718999] lr : virtio_transport_recv_pkt+0x1fc/0xd40 [vmw_vsock_virtio_transport_common]
+[ 463.719000] sp : ffff80002dbe3c40
+[...]
+[ 463.719025] Call trace:
+[ 463.719030] virtio_transport_recv_pkt+0x4c8/0xd40 [vmw_vsock_virtio_transport_common]
+[ 463.719034] vhost_vsock_handle_tx_kick+0x360/0x408 [vhost_vsock]
+[ 463.719041] vhost_worker+0x100/0x1a0 [vhost]
+[ 463.719048] kthread+0x128/0x130
+[ 463.719052] ret_from_fork+0x10/0x18
+
+The race condition is as follows:
+Task1 Task2
+===== =====
+__sock_release virtio_transport_recv_pkt
+ __vsock_release vsock_find_bound_socket (found sk)
+ lock_sock_nested
+ vsock_remove_sock
+ sock_orphan
+ sk_set_socket(sk, NULL)
+ sk->sk_shutdown = SHUTDOWN_MASK
+ ...
+ release_sock
+ lock_sock
+ virtio_transport_recv_connecting
+ sk->sk_socket->state (panic!)
+
+The root cause is that vsock_find_bound_socket can't hold the lock_sock,
+so there is a small race window between vsock_find_bound_socket() and
+lock_sock(). If __vsock_release() is running in another task,
+sk->sk_socket will be set to NULL inadvertently.
+
+This fixes it by checking sk->sk_shutdown(suggested by Stefano) after
+lock_sock since sk->sk_shutdown is set to SHUTDOWN_MASK under the
+protection of lock_sock_nested.
+
+Signed-off-by: Jia He <justin.he@arm.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1128,6 +1128,14 @@ void virtio_transport_recv_pkt(struct vi
+
+ lock_sock(sk);
+
++ /* Check if sk has been released before lock_sock */
++ if (sk->sk_shutdown == SHUTDOWN_MASK) {
++ (void)virtio_transport_reset_no_sock(t, pkt);
++ release_sock(sk);
++ sock_put(sk);
++ goto free_pkt;
++ }
++
+ /* Update CID in case it has changed after a transport reset event */
+ vsk->local_addr.svm_cid = dst.svm_cid;
+
--- /dev/null
+From foo@baz Sun 07 Jun 2020 02:59:34 PM CEST
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Wed, 27 May 2020 09:56:55 +0200
+Subject: vsock: fix timeout in vsock_accept()
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit 7e0afbdfd13d1e708fe96e31c46c4897101a6a43 ]
+
+The accept(2) is an "input" socket interface, so we should use
+SO_RCVTIMEO instead of SO_SNDTIMEO to set the timeout.
+
+So this patch replace sock_sndtimeo() with sock_rcvtimeo() to
+use the right timeout in the vsock_accept().
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1408,7 +1408,7 @@ static int vsock_accept(struct socket *s
+ /* Wait for children sockets to appear; these are the new sockets
+ * created upon connection establishment.
+ */
+- timeout = sock_sndtimeo(listener, flags & O_NONBLOCK);
++ timeout = sock_rcvtimeo(listener, flags & O_NONBLOCK);
+ prepare_to_wait(sk_sleep(listener), &wait, TASK_INTERRUPTIBLE);
+
+ while ((connected = vsock_dequeue_accept(listener)) == NULL &&
projects / thirdparty / kernel / stable-queue.git / commitdiff
