authorKernel Build Daemon <kbuild@suse.de>2019-10-17 07:17:10 +0200
committerKernel Build Daemon <kbuild@suse.de>2019-10-17 07:17:10 +0200
commit6e0324fdf3d798239337625f985a14f24ef4e500 (patch)
tree7738fdc5f6f40f1652df310418254c7fdc7242c5
parent70acad5d63875ec1b5035f078efd913d5ea04b80 (diff)
parente5d56481c2f705c964c98c46fa036abee4cdebc6 (diff)
Merge branch 'SLE15' into SLE15-AZURESLE15-AZURE
-rw-r--r--patches.suse/bridge-mdb-remove-wrong-use-of-NLM_F_MULTI.patch33
-rw-r--r--patches.suse/cdc_ether-fix-rndis-support-for-Mediatek-based-smart.patch104
-rw-r--r--patches.suse/ipv6-Fix-the-link-time-qualifier-of-ping_v6_proc_exi.patch29
-rw-r--r--patches.suse/net-Fix-null-de-reference-of-device-refcount.patch52
-rw-r--r--patches.suse/net-gso-Fix-skb_segment-splat-when-splitting-gso_siz.patch104
-rw-r--r--patches.suse/sch_hhf-ensure-quantum-and-hhf_non_hh_weight-are-non.patch38
-rw-r--r--patches.suse/sctp-Fix-the-link-time-qualifier-of-sctp_ctrlsock_ex.patch30
-rw-r--r--patches.suse/sctp-use-transport-pf_retrans-in-sctp_do_8_2_transpo.patch32
-rw-r--r--patches.suse/tcp-fix-tcp_ecn_withdraw_cwr-to-clear-TCP_ECN_QUEUE_.patch57
-rw-r--r--patches.suse/tipc-add-NULL-pointer-check-before-calling-kfree_rcu.patch54
-rw-r--r--patches.suse/tun-fix-use-after-free-when-register-netdev-failed.patch192
-rw-r--r--series.conf11
12 files changed, 736 insertions, 0 deletions
diff --git a/patches.suse/bridge-mdb-remove-wrong-use-of-NLM_F_MULTI.patch b/patches.suse/bridge-mdb-remove-wrong-use-of-NLM_F_MULTI.patch
new file mode 100644
index 0000000000..f6e468ded0
--- /dev/null
+++ b/patches.suse/bridge-mdb-remove-wrong-use-of-NLM_F_MULTI.patch
@@ -0,0 +1,33 @@
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Fri, 6 Sep 2019 11:47:02 +0200
+Subject: bridge/mdb: remove wrong use of NLM_F_MULTI
+Git-commit: 94a72b3f024fc7e9ab640897a1e38583a470659d
+Patch-mainline: 5.3
+References: networking-stable-19_09_15
+
+NLM_F_MULTI must be used only when a NLMSG_DONE message is sent at the end.
+In fact, NLMSG_DONE is sent only at the end of a dump.
+
+Libraries like libnl will wait forever for NLMSG_DONE.
+
+Fixes: 949f1e39a617 ("bridge: mdb: notify on router port add and del")
+CC: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/bridge/br_mdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bridge/br_mdb.c
++++ b/net/bridge/br_mdb.c
+@@ -372,7 +372,7 @@ static int nlmsg_populate_rtr_fill(struc
+ struct nlmsghdr *nlh;
+ struct nlattr *nest;
+
+- nlh = nlmsg_put(skb, pid, seq, type, sizeof(*bpm), NLM_F_MULTI);
++ nlh = nlmsg_put(skb, pid, seq, type, sizeof(*bpm), 0);
+ if (!nlh)
+ return -EMSGSIZE;
+
diff --git a/patches.suse/cdc_ether-fix-rndis-support-for-Mediatek-based-smart.patch b/patches.suse/cdc_ether-fix-rndis-support-for-Mediatek-based-smart.patch
new file mode 100644
index 0000000000..cde0393ed3
--- /dev/null
+++ b/patches.suse/cdc_ether-fix-rndis-support-for-Mediatek-based-smart.patch
@@ -0,0 +1,104 @@
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Thu, 12 Sep 2019 10:42:00 +0200
+Subject: cdc_ether: fix rndis support for Mediatek based smartphones
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: 4d7ffcf3bf1be98d876c570cab8fc31d9fa92725
+Patch-mainline: 5.3
+References: networking-stable-19_09_15
+
+A Mediatek based smartphone owner reports problems with USB
+tethering in Linux. The verbose USB listing shows a rndis_host
+interface pair (e0/01/03 + 10/00/00), but the driver fails to
+bind with
+
+[ 355.960428] usb 1-4: bad CDC descriptors
+
+The problem is a failsafe test intended to filter out ACM serial
+functions using the same 02/02/ff class/subclass/protocol as RNDIS.
+The serial functions are recognized by their non-zero bmCapabilities.
+
+No RNDIS function with non-zero bmCapabilities were known at the time
+this failsafe was added. But it turns out that some Wireless class
+RNDIS functions are using the bmCapabilities field. These functions
+are uniquely identified as RNDIS by their class/subclass/protocol, so
+the failing test can safely be disabled. The same applies to the two
+types of Misc class RNDIS functions.
+
+Applying the failsafe to Communication class functions only retains
+the original functionality, and fixes the problem for the Mediatek based
+smartphone.
+
+Tow examples of CDC functional descriptors with non-zero bmCapabilities
+from Wireless class RNDIS functions are:
+
+0e8d:000a Mediatek Crosscall Spider X5 3G Phone
+
+ CDC Header:
+ bcdCDC 1.10
+ CDC ACM:
+ bmCapabilities 0x0f
+ connection notifications
+ sends break
+ line coding and serial state
+ get/set/clear comm features
+ CDC Union:
+ bMasterInterface 0
+ bSlaveInterface 1
+ CDC Call Management:
+ bmCapabilities 0x03
+ call management
+ use DataInterface
+ bDataInterface 1
+
+and
+
+19d2:1023 ZTE K4201-z
+
+ CDC Header:
+ bcdCDC 1.10
+ CDC ACM:
+ bmCapabilities 0x02
+ line coding and serial state
+ CDC Call Management:
+ bmCapabilities 0x03
+ call management
+ use DataInterface
+ bDataInterface 1
+ CDC Union:
+ bMasterInterface 0
+ bSlaveInterface 1
+
+The Mediatek example is believed to apply to most smartphones with
+Mediatek firmware. The ZTE example is most likely also part of a larger
+family of devices/firmwares.
+
+Suggested-by: Lars Melin <larsm17@gmail.com>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/usb/cdc_ether.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/cdc_ether.c
++++ b/drivers/net/usb/cdc_ether.c
+@@ -212,8 +212,15 @@ int usbnet_generic_cdc_bind(struct usbne
+ goto bad_desc;
+ }
+ skip:
+- if ( rndis &&
+- header.usb_cdc_acm_descriptor &&
++ /* Communcation class functions with bmCapabilities are not
++ * RNDIS. But some Wireless class RNDIS functions use
++ * bmCapabilities for their own purpose. The failsafe is
++ * therefore applied only to Communication class RNDIS
++ * functions. The rndis test is redundant, but a cheap
++ * optimization.
++ */
++ if (rndis && is_rndis(&intf->cur_altsetting->desc) &&
++ header.usb_cdc_acm_descriptor &&
+ header.usb_cdc_acm_descriptor->bmCapabilities) {
+ dev_dbg(&intf->dev,
+ "ACM capabilities %02x, not really RNDIS?\n",
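Review bot: The comment added above the `if (rndis && is_rndis(&intf->cur_altsetting->desc) &&` test misspells "Communication" as "Communcation" in its first line. It also never says that is_rndis() is the Communication-class match, which, going by the commit message, is what the sentence about the redundant `rndis` test relies on. I would open it with `/* is_rndis() matches Communication class functions only; those with bmCapabilities set are ACM, not RNDIS.` and keep the rest as written. The ACM descriptor is supplied by the attached device, so it helps the next reader to see at the check which match still rejects a mislabelled function. usbnet_generic_cdc_bind() starts and ends outside the hunk, and the dev_dbg() call is cut off at its end.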
diff --git a/patches.suse/ipv6-Fix-the-link-time-qualifier-of-ping_v6_proc_exi.patch b/patches.suse/ipv6-Fix-the-link-time-qualifier-of-ping_v6_proc_exi.patch
new file mode 100644
index 0000000000..447e708f57
--- /dev/null
+++ b/patches.suse/ipv6-Fix-the-link-time-qualifier-of-ping_v6_proc_exi.patch
@@ -0,0 +1,29 @@
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Tue, 10 Sep 2019 13:29:59 +0200
+Subject: ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()'
+Git-commit: d23dbc479a8e813db4161a695d67da0e36557846
+Patch-mainline: 5.3
+References: networking-stable-19_09_15
+
+The '.exit' functions from 'pernet_operations' structure should be marked
+as __net_exit, not __net_init.
+
+Fixes: d862e5461423 ("net: ipv6: Implement /proc/net/icmp6.")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv6/ping.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ping.c
++++ b/net/ipv6/ping.c
+@@ -233,7 +233,7 @@ static int __net_init ping_v6_proc_init_
+ return ping_proc_register(net, &ping_v6_seq_afinfo);
+ }
+
+-static void __net_init ping_v6_proc_exit_net(struct net *net)
++static void __net_exit ping_v6_proc_exit_net(struct net *net)
+ {
+ return ping_proc_unregister(net, &ping_v6_seq_afinfo);
+ }
diff --git a/patches.suse/net-Fix-null-de-reference-of-device-refcount.patch b/patches.suse/net-Fix-null-de-reference-of-device-refcount.patch
new file mode 100644
index 0000000000..825d093ba4
--- /dev/null
+++ b/patches.suse/net-Fix-null-de-reference-of-device-refcount.patch
@@ -0,0 +1,52 @@
+From: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+Date: Tue, 10 Sep 2019 14:02:57 -0600
+Subject: net: Fix null de-reference of device refcount
+Git-commit: 10cc514f451a0f239aa34f91bc9dc954a9397840
+Patch-mainline: 5.3
+References: networking-stable-19_09_15
+
+In event of failure during register_netdevice, free_netdev is
+invoked immediately. free_netdev assumes that all the netdevice
+refcounts have been dropped prior to it being called and as a
+result frees and clears out the refcount pointer.
+
+However, this is not necessarily true as some of the operations
+in the NETDEV_UNREGISTER notifier handlers queue RCU callbacks for
+invocation after a grace period. The IPv4 callback in_dev_rcu_put
+tries to access the refcount after free_netdev is called which
+leads to a null de-reference-
+
+44837.761523: <6> Unable to handle kernel paging request at
+ virtual address 0000004a88287000
+44837.761651: <2> pc : in_dev_finish_destroy+0x4c/0xc8
+44837.761654: <2> lr : in_dev_finish_destroy+0x2c/0xc8
+44837.762393: <2> Call trace:
+44837.762398: <2> in_dev_finish_destroy+0x4c/0xc8
+44837.762404: <2> in_dev_rcu_put+0x24/0x30
+44837.762412: <2> rcu_nocb_kthread+0x43c/0x468
+44837.762418: <2> kthread+0x118/0x128
+44837.762424: <2> ret_from_fork+0x10/0x1c
+
+Fix this by waiting for the completion of the call_rcu() in
+case of register_netdevice errors.
+
+Fixes: 93ee31f14f6f ("[NET]: Fix free_netdev on register_netdev failure.")
+Cc: Sean Tranchetti <stranche@codeaurora.org>
+Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/core/dev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -7648,6 +7648,8 @@ int register_netdevice(struct net_device
+ ret = notifier_to_errno(ret);
+ if (ret) {
+ rollback_registered(dev);
++ rcu_barrier();
++
+ dev->reg_state = NETREG_UNREGISTERED;
+ }
+ /*
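Review bot: The `rcu_barrier();` added after `rollback_registered(dev);` in register_netdevice() carries no comment, and a bare barrier on an error path is the kind of line a later cleanup removes. A comment such as `/* wait for RCU callbacks queued by the NETDEV_UNREGISTER notifiers; they still touch the refcount and the caller frees dev next */` would record the reason given in the commit message. rcu_barrier() blocks until pending callbacks have run, and this path presumably runs with RTNL held, so it is worth confirming the extra latency is acceptable where registration can fail repeatedly. The function body continues outside the hunk.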
diff --git a/patches.suse/net-gso-Fix-skb_segment-splat-when-splitting-gso_siz.patch b/patches.suse/net-gso-Fix-skb_segment-splat-when-splitting-gso_siz.patch
new file mode 100644
index 0000000000..31c3faa99d
--- /dev/null
+++ b/patches.suse/net-gso-Fix-skb_segment-splat-when-splitting-gso_siz.patch
@@ -0,0 +1,104 @@
+From: Shmulik Ladkani <shmulik@metanetworks.com>
+Date: Fri, 6 Sep 2019 12:23:50 +0300
+Subject: net: gso: Fix skb_segment splat when splitting gso_size mangled skb
+ having linear-headed frag_list
+Git-commit: 3dcbdb134f329842a38f0e6797191b885ab00a00
+Patch-mainline: 5.3
+References: networking-stable-19_09_15
+
+Historically, support for frag_list packets entering skb_segment() was
+limited to frag_list members terminating on exact same gso_size
+boundaries. This is verified with a BUG_ON since commit 89319d3801d1
+("net: Add frag_list support to skb_segment"), quote:
+
+ As such we require all frag_list members terminate on exact MSS
+ boundaries. This is checked using BUG_ON.
+ As there should only be one producer in the kernel of such packets,
+ namely GRO, this requirement should not be difficult to maintain.
+
+However, since commit 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper"),
+the "exact MSS boundaries" assumption no longer holds:
+An eBPF program using bpf_skb_change_proto() DOES modify 'gso_size', but
+leaves the frag_list members as originally merged by GRO with the
+original 'gso_size'. Example of such programs are bpf-based NAT46 or
+NAT64.
+
+This lead to a kernel BUG_ON for flows involving:
+ - GRO generating a frag_list skb
+ - bpf program performing bpf_skb_change_proto() or bpf_skb_adjust_room()
+ - skb_segment() of the skb
+
+See example BUG_ON reports in [0].
+
+In commit 13acc94eff12 ("net: permit skb_segment on head_frag frag_list skb"),
+skb_segment() was modified to support the "gso_size mangling" case of
+a frag_list GRO'ed skb, but *only* for frag_list members having
+head_frag==true (having a page-fragment head).
+
+Alas, GRO packets having frag_list members with a linear kmalloced head
+(head_frag==false) still hit the BUG_ON.
+
+This commit adds support to skb_segment() for a 'head_skb' packet having
+a frag_list whose members are *non* head_frag, with gso_size mangled, by
+disabling SG and thus falling-back to copying the data from the given
+'head_skb' into the generated segmented skbs - as suggested by Willem de
+Bruijn [1].
+
+Since this approach involves the penalty of skb_copy_and_csum_bits()
+when building the segments, care was taken in order to enable this
+solution only when required:
+ - untrusted gso_size, by testing SKB_GSO_DODGY is set
+ (SKB_GSO_DODGY is set by any gso_size mangling functions in
+ net/core/filter.c)
+ - the frag_list is non empty, its item is a non head_frag, *and* the
+ headlen of the given 'head_skb' does not match the gso_size.
+
+[0]
+https://lore.kernel.org/netdev/20190826170724.25ff616f@pixies/
+https://lore.kernel.org/netdev/9265b93f-253d-6b8c-f2b8-4b54eff1835c@fb.com/
+
+[1]
+https://lore.kernel.org/netdev/CA+FuTSfVsgNDi7c=GUU8nMg2hWxF2SjCNLXetHeVPdnxAW5K-w@mail.gmail.com/
+
+Fixes: 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper")
+Suggested-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: Alexander Duyck <alexander.duyck@gmail.com>
+Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/core/skbuff.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3097,6 +3097,25 @@ struct sk_buff *skb_segment(struct sk_bu
+ int pos;
+ int dummy;
+
++ if (list_skb && !list_skb->head_frag && skb_headlen(list_skb) &&
++ (skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY)) {
++ /* gso_size is untrusted, and we have a frag_list with a linear
++ * non head_frag head.
++ *
++ * (we assume checking the first list_skb member suffices;
++ * i.e if either of the list_skb members have non head_frag
++ * head, then the first one has too).
++ *
++ * If head_skb's headlen does not fit requested gso_size, it
++ * means that the frag_list members do NOT terminate on exact
++ * gso_size boundaries. Hence we cannot perform skb_frag_t page
++ * sharing. Therefore we must fallback to copying the frag_list
++ * skbs; we do so by disabling SG.
++ */
++ if (mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb))
++ features &= ~NETIF_F_SG;
++ }
++
+ __skb_push(head_skb, doffset);
+ proto = skb_network_protocol(head_skb, &dummy);
+ if (unlikely(!proto))
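Review bot: The fallback in skb_segment() is decided from the first frag_list member only (`list_skb && !list_skb->head_frag && skb_headlen(list_skb)`), and the assumption that a linear head on any member implies one on the first is stated in the comment but not checked in the hunk. The block exists for a gso_size that is not trusted, so a list whose first member is head_frag and a later one is linear would presumably skip the SG fallback and still reach the BUG_ON the commit message describes. I would either name in the comment where that invariant is guaranteed (the commit message points at GRO as the only producer) or make the test cover every member. The comment could also say that the check depends on every gso_size-changing helper setting SKB_GSO_DODGY. skb_segment() starts and ends outside the hunk.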
diff --git a/patches.suse/sch_hhf-ensure-quantum-and-hhf_non_hh_weight-are-non.patch b/patches.suse/sch_hhf-ensure-quantum-and-hhf_non_hh_weight-are-non.patch
new file mode 100644
index 0000000000..96b11fa2ab
--- /dev/null
+++ b/patches.suse/sch_hhf-ensure-quantum-and-hhf_non_hh_weight-are-non.patch
@@ -0,0 +1,38 @@
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sun, 8 Sep 2019 13:40:51 -0700
+Subject: sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero
+Git-commit: d4d6ec6dac07f263f06d847d6f732d6855522845
+Patch-mainline: 5.3
+References: networking-stable-19_09_15
+
+In case of TCA_HHF_NON_HH_WEIGHT or TCA_HHF_QUANTUM is zero,
+it would make no progress inside the loop in hhf_dequeue() thus
+kernel would get stuck.
+
+Fix this by checking this corner case in hhf_change().
+
+Fixes: 10239edf86f1 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc")
+Reported-by: syzbot+bc6297c11f19ee807dc2@syzkaller.appspotmail.com
+Reported-by: syzbot+041483004a7f45f1f20a@syzkaller.appspotmail.com
+Reported-by: syzbot+55be5f513bed37fc4367@syzkaller.appspotmail.com
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Cc: Terry Lam <vtlam@google.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sched/sch_hhf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_hhf.c
++++ b/net/sched/sch_hhf.c
+@@ -528,7 +528,7 @@ static int hhf_change(struct Qdisc *sch,
+ new_hhf_non_hh_weight = nla_get_u32(tb[TCA_HHF_NON_HH_WEIGHT]);
+
+ non_hh_quantum = (u64)new_quantum * new_hhf_non_hh_weight;
+- if (non_hh_quantum > INT_MAX)
++ if (non_hh_quantum == 0 || non_hh_quantum > INT_MAX)
+ return -EINVAL;
+
+ sch_tree_lock(sch);
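Review bot: The new `non_hh_quantum == 0` test in hhf_change() returns a bare -EINVAL with no comment, so nothing at the check says that a zero product is a hang condition rather than merely an odd setting. I would add `/* a zero quantum or weight makes the loop in hhf_dequeue() spin without progress */` above the `if`. Testing the product covers either factor being zero, which is worth stating because both values come from netlink attributes. The rest of hhf_change() is outside the hunk, so whether the values used when an attribute is absent can be zero cannot be checked from here.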
diff --git a/patches.suse/sctp-Fix-the-link-time-qualifier-of-sctp_ctrlsock_ex.patch b/patches.suse/sctp-Fix-the-link-time-qualifier-of-sctp_ctrlsock_ex.patch
new file mode 100644
index 0000000000..35575bedd9
--- /dev/null
+++ b/patches.suse/sctp-Fix-the-link-time-qualifier-of-sctp_ctrlsock_ex.patch
@@ -0,0 +1,30 @@
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Wed, 11 Sep 2019 18:02:39 +0200
+Subject: sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()'
+Git-commit: b456d72412ca8797234449c25815e82f4e1426c0
+Patch-mainline: 5.3
+References: networking-stable-19_09_15
+
+The '.exit' functions from 'pernet_operations' structure should be marked
+as __net_exit, not __net_init.
+
+Fixes: 8e2d61e0aed2 ("sctp: fix race on protocol/netns initialization")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sctp/protocol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/protocol.c
++++ b/net/sctp/protocol.c
+@@ -1346,7 +1346,7 @@ static int __net_init sctp_ctrlsock_init
+ return status;
+ }
+
+-static void __net_init sctp_ctrlsock_exit(struct net *net)
++static void __net_exit sctp_ctrlsock_exit(struct net *net)
+ {
+ /* Free the control endpoint. */
+ inet_ctl_sock_destroy(net->sctp.ctl_sock);
diff --git a/patches.suse/sctp-use-transport-pf_retrans-in-sctp_do_8_2_transpo.patch b/patches.suse/sctp-use-transport-pf_retrans-in-sctp_do_8_2_transpo.patch
new file mode 100644
index 0000000000..d9310076f0
--- /dev/null
+++ b/patches.suse/sctp-use-transport-pf_retrans-in-sctp_do_8_2_transpo.patch
@@ -0,0 +1,32 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 2 Sep 2019 23:24:21 +0800
+Subject: sctp: use transport pf_retrans in sctp_do_8_2_transport_strike
+Git-commit: 10eb56c582c557c629271f1ee31e15e7a9b2558b
+Patch-mainline: 5.3
+References: networking-stable-19_09_15
+
+Transport should use its own pf_retrans to do the error_count
+check, instead of asoc's. Otherwise, it's meaningless to make
+pf_retrans per transport.
+
+Fixes: 5aa93bcf66f4 ("sctp: Implement quick failover draft from tsvwg")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sctp/sm_sideeffect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/sm_sideeffect.c
++++ b/net/sctp/sm_sideeffect.c
+@@ -541,7 +541,7 @@ static void sctp_do_8_2_transport_strike
+ if (net->sctp.pf_enable &&
+ (transport->state == SCTP_ACTIVE) &&
+ (transport->error_count < transport->pathmaxrxt) &&
+- (transport->error_count > asoc->pf_retrans)) {
++ (transport->error_count > transport->pf_retrans)) {
+
+ sctp_assoc_control_transport(asoc, transport,
+ SCTP_TRANSPORT_PF,
diff --git a/patches.suse/tcp-fix-tcp_ecn_withdraw_cwr-to-clear-TCP_ECN_QUEUE_.patch b/patches.suse/tcp-fix-tcp_ecn_withdraw_cwr-to-clear-TCP_ECN_QUEUE_.patch
new file mode 100644
index 0000000000..c81b2c0329
--- /dev/null
+++ b/patches.suse/tcp-fix-tcp_ecn_withdraw_cwr-to-clear-TCP_ECN_QUEUE_.patch
@@ -0,0 +1,57 @@
+From: Neal Cardwell <ncardwell@google.com>
+Date: Mon, 9 Sep 2019 16:56:02 -0400
+Subject: tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR
+Git-commit: af38d07ed391b21f7405fa1f936ca9686787d6d2
+Patch-mainline: 5.3
+References: networking-stable-19_09_15
+
+Fix tcp_ecn_withdraw_cwr() to clear the correct bit:
+TCP_ECN_QUEUE_CWR.
+
+Rationale: basically, TCP_ECN_DEMAND_CWR is a bit that is purely about
+the behavior of data receivers, and deciding whether to reflect
+incoming IP ECN CE marks as outgoing TCP th->ece marks. The
+TCP_ECN_QUEUE_CWR bit is purely about the behavior of data senders,
+and deciding whether to send CWR. The tcp_ecn_withdraw_cwr() function
+is only called from tcp_undo_cwnd_reduction() by data senders during
+an undo, so it should zero the sender-side state,
+TCP_ECN_QUEUE_CWR. It does not make sense to stop the reflection of
+incoming CE bits on incoming data packets just because outgoing
+packets were spuriously retransmitted.
+
+The bug has been reproduced with packetdrill to manifest in a scenario
+with RFC3168 ECN, with an incoming data packet with CE bit set and
+carrying a TCP timestamp value that causes cwnd undo. Before this fix,
+the IP CE bit was ignored and not reflected in the TCP ECE header bit,
+and sender sent a TCP CWR ('W') bit on the next outgoing data packet,
+even though the cwnd reduction had been undone. After this fix, the
+sender properly reflects the CE bit and does not set the W bit.
+
+Note: the bug actually predates 2005 git history; this Fixes footer is
+chosen to be the oldest SHA1 I have tested (from Sep 2007) for which
+the patch applies cleanly (since before this commit the code was in a
+.h file).
+
+Fixes: bdf1ee5d3bd3 ("[TCP]: Move code from tcp_ecn.h to tcp*.c and tcp.h & remove it")
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/ipv4/tcp_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -249,7 +249,7 @@ static void tcp_ecn_accept_cwr(struct tc
+
+ static void tcp_ecn_withdraw_cwr(struct tcp_sock *tp)
+ {
+- tp->ecn_flags &= ~TCP_ECN_DEMAND_CWR;
++ tp->ecn_flags &= ~TCP_ECN_QUEUE_CWR;
+ }
+
+ static void __tcp_ecn_check_ce(struct sock *sk, const struct sk_buff *skb)
diff --git a/patches.suse/tipc-add-NULL-pointer-check-before-calling-kfree_rcu.patch b/patches.suse/tipc-add-NULL-pointer-check-before-calling-kfree_rcu.patch
new file mode 100644
index 0000000000..fc439b7db1
--- /dev/null
+++ b/patches.suse/tipc-add-NULL-pointer-check-before-calling-kfree_rcu.patch
@@ -0,0 +1,54 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 3 Sep 2019 17:53:12 +0800
+Subject: tipc: add NULL pointer check before calling kfree_rcu
+Git-commit: 42dec1dbe38239cf91cc1f4df7830c66276ced37
+Patch-mainline: 5.3
+References: networking-stable-19_09_15
+
+Unlike kfree(p), kfree_rcu(p, rcu) won't do NULL pointer check. When
+tipc_nametbl_remove_publ returns NULL, the panic below happens:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000068
+ RIP: 0010:__call_rcu+0x1d/0x290
+ Call Trace:
+ <IRQ>
+ tipc_publ_notify+0xa9/0x170 [tipc]
+ tipc_node_write_unlock+0x8d/0x100 [tipc]
+ tipc_node_link_down+0xae/0x1d0 [tipc]
+ tipc_node_check_dest+0x3ea/0x8f0 [tipc]
+ ? tipc_disc_rcv+0x2c7/0x430 [tipc]
+ tipc_disc_rcv+0x2c7/0x430 [tipc]
+ ? tipc_rcv+0x6bb/0xf20 [tipc]
+ tipc_rcv+0x6bb/0xf20 [tipc]
+ ? ip_route_input_slow+0x9cf/0xb10
+ tipc_udp_recv+0x195/0x1e0 [tipc]
+ ? tipc_udp_is_known_peer+0x80/0x80 [tipc]
+ udp_queue_rcv_skb+0x180/0x460
+ udp_unicast_rcv_skb.isra.56+0x75/0x90
+ __udp4_lib_rcv+0x4ce/0xb90
+ ip_local_deliver_finish+0x11c/0x210
+ ip_local_deliver+0x6b/0xe0
+ ? ip_rcv_finish+0xa9/0x410
+ ip_rcv+0x273/0x362
+
+Fixes: 97ede29e80ee ("tipc: convert name table read-write lock to RCU")
+Reported-by: Li Shuang <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/tipc/name_distr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/name_distr.c
++++ b/net/tipc/name_distr.c
+@@ -224,7 +224,8 @@ static void tipc_publ_purge(struct net *
+ publ->key);
+ }
+
+- kfree_rcu(p, rcu);
++ if (p)
++ kfree_rcu(p, rcu);
+ }
+
+ /**
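Review bot: The `if (p)` guard before `kfree_rcu(p, rcu);` in tipc_publ_purge() has no comment, and to a reader used to kfree() accepting NULL it looks like a redundant check. A line such as `/* kfree_rcu() does not accept NULL; p is NULL when tipc_nametbl_remove_publ() returns NULL */` would keep it from being removed later. The call trace in the commit message shows the path is reached from packet receive, so the NULL case is driven by network input and the guard matters. The start of the function is outside the hunk.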
diff --git a/patches.suse/tun-fix-use-after-free-when-register-netdev-failed.patch b/patches.suse/tun-fix-use-after-free-when-register-netdev-failed.patch
new file mode 100644
index 0000000000..e88990b777
--- /dev/null
+++ b/patches.suse/tun-fix-use-after-free-when-register-netdev-failed.patch
@@ -0,0 +1,192 @@
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Tue, 10 Sep 2019 18:56:57 +0800
+Subject: tun: fix use-after-free when register netdev failed
+Git-commit: 77f22f92dff8e7b45c7786a430626d38071d4670
+Patch-mainline: 5.3
+References: networking-stable-19_09_15
+
+I got a UAF repport in tun driver when doing fuzzy test:
+
+[ 466.269490] ==================================================================
+[ 466.271792] BUG: KASAN: use-after-free in tun_chr_read_iter+0x2ca/0x2d0
+[ 466.271806] Read of size 8 at addr ffff888372139250 by task tun-test/2699
+[ 466.271810]
+[ 466.271824] CPU: 1 PID: 2699 Comm: tun-test Not tainted 5.3.0-rc1-00001-g5a9433db2614-dirty #427
+[ 466.271833] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
+[ 466.271838] Call Trace:
+[ 466.271858] dump_stack+0xca/0x13e
+[ 466.271871] ? tun_chr_read_iter+0x2ca/0x2d0
+[ 466.271890] print_address_description+0x79/0x440
+[ 466.271906] ? vprintk_func+0x5e/0xf0
+[ 466.271920] ? tun_chr_read_iter+0x2ca/0x2d0
+[ 466.271935] __kasan_report+0x15c/0x1df
+[ 466.271958] ? tun_chr_read_iter+0x2ca/0x2d0
+[ 466.271976] kasan_report+0xe/0x20
+[ 466.271987] tun_chr_read_iter+0x2ca/0x2d0
+[ 466.272013] do_iter_readv_writev+0x4b7/0x740
+[ 466.272032] ? default_llseek+0x2d0/0x2d0
+[ 466.272072] do_iter_read+0x1c5/0x5e0
+[ 466.272110] vfs_readv+0x108/0x180
+[ 466.299007] ? compat_rw_copy_check_uvector+0x440/0x440
+[ 466.299020] ? fsnotify+0x888/0xd50
+[ 466.299040] ? __fsnotify_parent+0xd0/0x350
+[ 466.299064] ? fsnotify_first_mark+0x1e0/0x1e0
+[ 466.304548] ? vfs_write+0x264/0x510
+[ 466.304569] ? ksys_write+0x101/0x210
+[ 466.304591] ? do_preadv+0x116/0x1a0
+[ 466.304609] do_preadv+0x116/0x1a0
+[ 466.309829] do_syscall_64+0xc8/0x600
+[ 466.309849] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 466.309861] RIP: 0033:0x4560f9
+[ 466.309875] Code: 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+[ 466.309889] RSP: 002b:00007ffffa5166e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000127
+[ 466.322992] RAX: ffffffffffffffda RBX: 0000000000400460 RCX: 00000000004560f9
+[ 466.322999] RDX: 0000000000000003 RSI: 00000000200008c0 RDI: 0000000000000003
+[ 466.323007] RBP: 00007ffffa516700 R08: 0000000000000004 R09: 0000000000000000
+[ 466.323014] R10: 0000000000000000 R11: 0000000000000206 R12: 000000000040cb10
+[ 466.323021] R13: 0000000000000000 R14: 00000000006d7018 R15: 0000000000000000
+[ 466.323057]
+[ 466.323064] Allocated by task 2605:
+[ 466.335165] save_stack+0x19/0x80
+[ 466.336240] __kasan_kmalloc.constprop.8+0xa0/0xd0
+[ 466.337755] kmem_cache_alloc+0xe8/0x320
+[ 466.339050] getname_flags+0xca/0x560
+[ 466.340229] user_path_at_empty+0x2c/0x50
+[ 466.341508] vfs_statx+0xe6/0x190
+[ 466.342619] __do_sys_newstat+0x81/0x100
+[ 466.343908] do_syscall_64+0xc8/0x600
+[ 466.345303] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 466.347034]
+[ 466.347517] Freed by task 2605:
+[ 466.348471] save_stack+0x19/0x80
+[ 466.349476] __kasan_slab_free+0x12e/0x180
+[ 466.350726] kmem_cache_free+0xc8/0x430
+[ 466.351874] putname+0xe2/0x120
+[ 466.352921] filename_lookup+0x257/0x3e0
+[ 466.354319] vfs_statx+0xe6/0x190
+[ 466.355498] __do_sys_newstat+0x81/0x100
+[ 466.356889] do_syscall_64+0xc8/0x600
+[ 466.358037] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 466.359567]
+[ 466.360050] The buggy address belongs to the object at ffff888372139100
+[ 466.360050] which belongs to the cache names_cache of size 4096
+[ 466.363735] The buggy address is located 336 bytes inside of
+[ 466.363735] 4096-byte region [ffff888372139100, ffff88837213a100)
+[ 466.367179] The buggy address belongs to the page:
+[ 466.368604] page:ffffea000dc84e00 refcount:1 mapcount:0 mapping:ffff8883df1b4f00 index:0x0 compound_mapcount: 0
+[ 466.371582] flags: 0x2fffff80010200(slab|head)
+[ 466.372910] raw: 002fffff80010200 dead000000000100 dead000000000122 ffff8883df1b4f00
+[ 466.375209] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
+[ 466.377778] page dumped because: kasan: bad access detected
+[ 466.379730]
+[ 466.380288] Memory state around the buggy address:
+[ 466.381844] ffff888372139100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 466.384009] ffff888372139180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 466.386131] >ffff888372139200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 466.388257] ^
+[ 466.390234] ffff888372139280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 466.392512] ffff888372139300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 466.394667] ==================================================================
+
+tun_chr_read_iter() accessed the memory which freed by free_netdev()
+called by tun_set_iff():
+
+ CPUA CPUB
+ tun_set_iff()
+ alloc_netdev_mqs()
+ tun_attach()
+ tun_chr_read_iter()
+ tun_get()
+ tun_do_read()
+ tun_ring_recv()
+ register_netdevice() <-- inject error
+ goto err_detach
+ tun_detach_all() <-- set RCV_SHUTDOWN
+ free_netdev() <-- called from
+ err_free_dev path
+ netdev_freemem() <-- free the memory
+ without check refcount
+ (In this path, the refcount cannot prevent
+ freeing the memory of dev, and the memory
+ will be used by dev_put() called by
+ tun_chr_read_iter() on CPUB.)
+ (Break from tun_ring_recv(),
+ because RCV_SHUTDOWN is set)
+ tun_put()
+ dev_put() <-- use the memory
+ freed by netdev_freemem()
+
+Put the publishing of tfile->tun after register_netdevice(),
+so tun_get() won't get the tun pointer that freed by
+err_detach path if register_netdevice() failed.
+
+Fixes: eb0fb363f920 ("tuntap: attach queue 0 before registering netdevice")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Suggested-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/tun.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -632,7 +632,8 @@ static void tun_detach_all(struct net_de
+ module_put(THIS_MODULE);
+ }
+
+-static int tun_attach(struct tun_struct *tun, struct file *file, bool skip_filter)
++static int tun_attach(struct tun_struct *tun, struct file *file, bool skip_filter,
++ bool publish_tun)
+ {
+ struct tun_file *tfile = file->private_data;
+ struct net_device *dev = tun->dev;
+@@ -674,7 +675,8 @@ static int tun_attach(struct tun_struct
+
+ tfile->queue_index = tun->numqueues;
+ tfile->socket.sk->sk_shutdown &= ~RCV_SHUTDOWN;
+- rcu_assign_pointer(tfile->tun, tun);
++ if (publish_tun)
++ rcu_assign_pointer(tfile->tun, tun);
+ rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile);
+ tun->numqueues++;
+
+@@ -1779,7 +1781,8 @@ static int tun_set_iff(struct net *net,
+ if (err < 0)
+ return err;
+
+- err = tun_attach(tun, file, ifr->ifr_flags & IFF_NOFILTER);
++ err = tun_attach(tun, file, ifr->ifr_flags & IFF_NOFILTER,
++ true);
+ if (err < 0)
+ return err;
+
+@@ -1868,13 +1871,17 @@ static int tun_set_iff(struct net *net,
+ NETIF_F_HW_VLAN_STAG_TX);
+
+ INIT_LIST_HEAD(&tun->disabled);
+- err = tun_attach(tun, file, false);
++ err = tun_attach(tun, file, false, false);
+ if (err < 0)
+ goto err_free_flow;
+
+ err = register_netdevice(tun->dev);
+ if (err < 0)
+ goto err_detach;
++ /* free_netdev() won't check refcnt, to aovid race
++ * with dev_put() we need publish tun after registration.
++ */
++ rcu_assign_pointer(tfile->tun, tun);
+ }
+
+ netif_carrier_on(tun->dev);
+@@ -2020,7 +2027,7 @@ static int tun_set_queue(struct file *fi
+ ret = security_tun_dev_attach_queue(tun->security);
+ if (ret < 0)
+ goto unlock;
+- ret = tun_attach(tun, file, false);
++ ret = tun_attach(tun, file, false, true);
+ } else if (ifr->ifr_flags & IFF_DETACH_QUEUE) {
+ tun = rtnl_dereference(tfile->tun);
+ if (!tun || !(tun->flags & IFF_MULTI_QUEUE) || tfile->detached)
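Review bot: With `publish_tun` false, tun_attach() still runs `rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile);` and increments `tun->numqueues` before register_netdevice(), so only the tfile->tun direction is held back. The err_detach cleanup lies outside the hunks, and it should be confirmed that it copes with a tfile whose ->tun was never set. The comment added in tun_set_iff() misspells "avoid" and is hard to parse; I would write `/* free_netdev() does not check the refcount; publish tun only after registration succeeds so tun_get() cannot race with the error path */`. The positional `false, false` and `false, true` arguments are difficult to read at the call sites, and `tfile` in the new `rcu_assign_pointer(tfile->tun, tun);` is declared outside the hunk.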
diff --git a/series.conf b/series.conf
index 546ed6288b..0136fc4950 100644
--- a/series.conf
+++ b/series.conf
@@ -24653,12 +24653,23 @@
patches.suse/vhost-make-sure-log_num-in_num.patch
patches.suse/Btrfs-fix-assertion-failure-during-fsync-and-use-of-.patch
patches.suse/0001-drm-i915-Restore-relaxed-padding-OCL_OOB_SUPPRES_ENA.patch
+ patches.suse/sctp-use-transport-pf_retrans-in-sctp_do_8_2_transpo.patch
patches.suse/Revert-Bluetooth-validate-BLE-connection-interval-up.patch
+ patches.suse/tipc-add-NULL-pointer-check-before-calling-kfree_rcu.patch
patches.suse/mwifiex-Fix-three-heap-overflow-at-parsing-element.patch
patches.suse/net-ibmvnic-free-reset-work-of-removed-device-from-q.patch
patches.suse/isdn-capi-check-message-length-in-capi_write.patch
+ patches.suse/net-gso-Fix-skb_segment-splat-when-splitting-gso_siz.patch
patches.suse/net-ibmvnic-Fix-missing-in-__ibmvnic_reset.patch
+ patches.suse/bridge-mdb-remove-wrong-use-of-NLM_F_MULTI.patch
+ patches.suse/sch_hhf-ensure-quantum-and-hhf_non_hh_weight-are-non.patch
+ patches.suse/tcp-fix-tcp_ecn_withdraw_cwr-to-clear-TCP_ECN_QUEUE_.patch
patches.suse/ixgbe-Prevent-u8-wrapping-of-ITR-value-to-something-.patch
+ patches.suse/tun-fix-use-after-free-when-register-netdev-failed.patch
+ patches.suse/ipv6-Fix-the-link-time-qualifier-of-ping_v6_proc_exi.patch
+ patches.suse/net-Fix-null-de-reference-of-device-refcount.patch
+ patches.suse/sctp-Fix-the-link-time-qualifier-of-sctp_ctrlsock_ex.patch
+ patches.suse/cdc_ether-fix-rndis-support-for-Mediatek-based-smart.patch
patches.suse/tpm_tis_core-Set-TPM_CHIP_FLAG_IRQ-before-probing-fo.patch
patches.suse/edac-amd64-decode-syndrome-before-translating-address.patch
patches.suse/hwmon-lm75-Fix-write-operations-for-negative-tempera.patch