Home Home > GIT Browse > SLE15-SP1-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPetr Tesarik <ptesarik@suse.cz>2019-03-07 13:11:49 +0100
committerPetr Tesarik <ptesarik@suse.cz>2019-03-07 13:11:49 +0100
commit5c1f744e376b2fbb00fa5f63906f12b7444cec71 (patch)
tree6441a5d44ebde46fb27402d3fa7704987868e951
parentdb43aaa9f8831eba4d4ba45f730080a4a0e0c3f4 (diff)
parentad202d720c9f29ac2bae00e09a7bf7b5516704db (diff)
Merge branch 'users/jslaby/SLE15/for-next' into SLE15
Pull networking fixes from Jiri Slaby
-rw-r--r--patches.suse/net-dp83640-expire-old-TX-skb.patch86
-rw-r--r--patches.suse/net-dsa-slave-Don-t-propagate-flag-changes-on-down-s.patch53
-rw-r--r--patches.suse/net-netem-fix-skb-length-BUG_ON-in-__skb_to_sgvec.patch106
-rw-r--r--patches.suse/net-systemport-Fix-WoL-with-password-after-deep-slee.patch102
-rw-r--r--patches.suse/netfilter-nf_tables-check-the-result-of-dereferencin.patch67
-rw-r--r--patches.suse/rxrpc-bad-unlock-balance-in-rxrpc_recvmsg.patch89
-rw-r--r--series.conf6
7 files changed, 509 insertions, 0 deletions
diff --git a/patches.suse/net-dp83640-expire-old-TX-skb.patch b/patches.suse/net-dp83640-expire-old-TX-skb.patch
new file mode 100644
index 0000000000..ef503a34f9
--- /dev/null
+++ b/patches.suse/net-dp83640-expire-old-TX-skb.patch
@@ -0,0 +1,86 @@
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Mon, 4 Feb 2019 11:20:29 +0100
+Subject: net: dp83640: expire old TX-skb
+Git-commit: 53bc8d2af08654659abfadfd3e98eb9922ff787c
+Patch-mainline: v5.0-rc6
+References: networking-stable-19_02_10
+
+During sendmsg() a cloned skb is saved via dp83640_txtstamp() in
+->tx_queue. After the NIC sends this packet, the PHY will reply with a
+timestamp for that TX packet. If the cable is pulled at the right time I
+don't see that packet. It might gets flushed as part of queue shutdown
+on NIC's side.
+Once the link is up again then after the next sendmsg() we enqueue
+another skb in dp83640_txtstamp() and have two on the list. Then the PHY
+will send a reply and decode_txts() attaches it to the first skb on the
+list.
+No crash occurs since refcounting works but we are one packet behind.
+linuxptp/ptp4l usually closes the socket and opens a new one (in such a
+timeout case) so those "stale" replies never get there. However it does
+not resume normal operation anymore.
+
+Purge old skbs in decode_txts().
+
+Fixes: cb646e2b02b2 ("ptp: Added a clock driver for the National Semiconductor PHYTER.")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/phy/dp83640.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c
+index 18b41bc345ab..6e8807212aa3 100644
+--- a/drivers/net/phy/dp83640.c
++++ b/drivers/net/phy/dp83640.c
+@@ -898,14 +898,14 @@ static void decode_txts(struct dp83640_private *dp83640,
+ struct phy_txts *phy_txts)
+ {
+ struct skb_shared_hwtstamps shhwtstamps;
++ struct dp83640_skb_info *skb_info;
+ struct sk_buff *skb;
+- u64 ns;
+ u8 overflow;
++ u64 ns;
+
+ /* We must already have the skb that triggered this. */
+-
++again:
+ skb = skb_dequeue(&dp83640->tx_queue);
+-
+ if (!skb) {
+ pr_debug("have timestamp but tx_queue empty\n");
+ return;
+@@ -920,6 +920,11 @@ static void decode_txts(struct dp83640_private *dp83640,
+ }
+ return;
+ }
++ skb_info = (struct dp83640_skb_info *)skb->cb;
++ if (time_after(jiffies, skb_info->tmo)) {
++ kfree_skb(skb);
++ goto again;
++ }
+
+ ns = phy2txts(phy_txts);
+ memset(&shhwtstamps, 0, sizeof(shhwtstamps));
+@@ -1472,6 +1477,7 @@ static bool dp83640_rxtstamp(struct phy_device *phydev,
+ static void dp83640_txtstamp(struct phy_device *phydev,
+ struct sk_buff *skb, int type)
+ {
++ struct dp83640_skb_info *skb_info = (struct dp83640_skb_info *)skb->cb;
+ struct dp83640_private *dp83640 = phydev->priv;
+
+ switch (dp83640->hwts_tx_en) {
+@@ -1484,6 +1490,7 @@ static void dp83640_txtstamp(struct phy_device *phydev,
+ /* fall through */
+ case HWTSTAMP_TX_ON:
+ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
++ skb_info->tmo = jiffies + SKB_TIMESTAMP_TIMEOUT;
+ skb_queue_tail(&dp83640->tx_queue, skb);
+ break;
+
+--
+2.21.0
+
diff --git a/patches.suse/net-dsa-slave-Don-t-propagate-flag-changes-on-down-s.patch b/patches.suse/net-dsa-slave-Don-t-propagate-flag-changes-on-down-s.patch
new file mode 100644
index 0000000000..181ca4e0d2
--- /dev/null
+++ b/patches.suse/net-dsa-slave-Don-t-propagate-flag-changes-on-down-s.patch
@@ -0,0 +1,53 @@
+From: Rundong Ge <rdong.ge@gmail.com>
+Date: Sat, 2 Feb 2019 14:29:35 +0000
+Subject: net: dsa: slave: Don't propagate flag changes on down slave
+ interfaces
+Git-commit: 17ab4f61b8cd6f9c38e9d0b935d86d73b5d0d2b5
+Patch-mainline: v5.0-rc6
+References: networking-stable-19_02_10
+
+The unbalance of master's promiscuity or allmulti will happen after ifdown
+and ifup a slave interface which is in a bridge.
+
+When we ifdown a slave interface , both the 'dsa_slave_close' and
+'dsa_slave_change_rx_flags' will clear the master's flags. The flags
+of master will be decrease twice.
+In the other hand, if we ifup the slave interface again, since the
+slave's flags were cleared the 'dsa_slave_open' won't set the master's
+flag, only 'dsa_slave_change_rx_flags' that triggered by 'br_add_if'
+will set the master's flags. The flags of master is increase once.
+
+Only propagating flag changes when a slave interface is up makes
+sure this does not happen. The 'vlan_dev_change_rx_flags' had the
+same problem and was fixed, and changes here follows that fix.
+
+Fixes: 91da11f870f0 ("net: Distributed Switch Architecture protocol support")
+Signed-off-by: Rundong Ge <rdong.ge@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/dsa/slave.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -199,11 +199,14 @@ static void dsa_slave_change_rx_flags(st
+ {
+ struct dsa_slave_priv *p = netdev_priv(dev);
+ struct net_device *master = p->dp->ds->dst->master_netdev;
+-
+- if (change & IFF_ALLMULTI)
+- dev_set_allmulti(master, dev->flags & IFF_ALLMULTI ? 1 : -1);
+- if (change & IFF_PROMISC)
+- dev_set_promiscuity(master, dev->flags & IFF_PROMISC ? 1 : -1);
++ if (dev->flags & IFF_UP) {
++ if (change & IFF_ALLMULTI)
++ dev_set_allmulti(master,
++ dev->flags & IFF_ALLMULTI ? 1 : -1);
++ if (change & IFF_PROMISC)
++ dev_set_promiscuity(master,
++ dev->flags & IFF_PROMISC ? 1 : -1);
++ }
+ }
+
+ static void dsa_slave_set_rx_mode(struct net_device *dev)
diff --git a/patches.suse/net-netem-fix-skb-length-BUG_ON-in-__skb_to_sgvec.patch b/patches.suse/net-netem-fix-skb-length-BUG_ON-in-__skb_to_sgvec.patch
new file mode 100644
index 0000000000..c75967048e
--- /dev/null
+++ b/patches.suse/net-netem-fix-skb-length-BUG_ON-in-__skb_to_sgvec.patch
@@ -0,0 +1,106 @@
+From: Sheng Lan <lansheng@huawei.com>
+Date: Thu, 28 Feb 2019 18:47:58 +0800
+Subject: net: netem: fix skb length BUG_ON in __skb_to_sgvec
+Git-commit: 5845f706388a4cde0f6b80f9e5d33527e942b7d9
+Patch-mainline: v5.0
+References: git-fixes
+
+It can be reproduced by following steps:
+1. virtio_net NIC is configured with gso/tso on
+2. configure nginx as http server with an index file bigger than 1M bytes
+3. use tc netem to produce duplicate packets and delay:
+ tc qdisc add dev eth0 root netem delay 100ms 10ms 30% duplicate 90%
+4. continually curl the nginx http server to get index file on client
+5. BUG_ON is seen quickly
+
+[10258690.371129] kernel BUG at net/core/skbuff.c:4028!
+[10258690.371748] invalid opcode: 0000 [#1] SMP PTI
+[10258690.372094] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G W 5.0.0-rc6 #2
+[10258690.372094] RSP: 0018:ffffa05797b43da0 EFLAGS: 00010202
+[10258690.372094] RBP: 00000000000005ea R08: 0000000000000000 R09: 00000000000005ea
+[10258690.372094] R10: ffffa0579334d800 R11: 00000000000002c0 R12: 0000000000000002
+[10258690.372094] R13: 0000000000000000 R14: ffffa05793122900 R15: ffffa0578f7cb028
+[10258690.372094] FS: 0000000000000000(0000) GS:ffffa05797b40000(0000) knlGS:0000000000000000
+[10258690.372094] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[10258690.372094] CR2: 00007f1a6dc00868 CR3: 000000001000e000 CR4: 00000000000006e0
+[10258690.372094] Call Trace:
+[10258690.372094] <IRQ>
+[10258690.372094] skb_to_sgvec+0x11/0x40
+[10258690.372094] start_xmit+0x38c/0x520 [virtio_net]
+[10258690.372094] dev_hard_start_xmit+0x9b/0x200
+[10258690.372094] sch_direct_xmit+0xff/0x260
+[10258690.372094] __qdisc_run+0x15e/0x4e0
+[10258690.372094] net_tx_action+0x137/0x210
+[10258690.372094] __do_softirq+0xd6/0x2a9
+[10258690.372094] irq_exit+0xde/0xf0
+[10258690.372094] smp_apic_timer_interrupt+0x74/0x140
+[10258690.372094] apic_timer_interrupt+0xf/0x20
+[10258690.372094] </IRQ>
+
+In __skb_to_sgvec(), the skb->len is not equal to the sum of the skb's
+linear data size and nonlinear data size, thus BUG_ON triggered.
+Because the skb is cloned and a part of nonlinear data is split off.
+
+Duplicate packet is cloned in netem_enqueue() and may be delayed
+some time in qdisc. When qdisc len reached the limit and returns
+NET_XMIT_DROP, the skb will be retransmit later in write queue.
+the skb will be fragmented by tso_fragment(), the limit size
+that depends on cwnd and mss decrease, the skb's nonlinear
+data will be split off. The length of the skb cloned by netem
+will not be updated. When we use virtio_net NIC and invoke skb_to_sgvec(),
+the BUG_ON trigger.
+
+To fix it, netem returns NET_XMIT_SUCCESS to upper stack
+when it clones a duplicate packet.
+
+Fixes: 35d889d1 ("sch_netem: fix skb leak in netem_enqueue()")
+Signed-off-by: Sheng Lan <lansheng@huawei.com>
+Reported-by: Qin Ji <jiqin.ji@huawei.com>
+Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/sched/sch_netem.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -435,6 +435,7 @@ static int netem_enqueue(struct sk_buff
+ int nb = 0;
+ int count = 1;
+ int rc = NET_XMIT_SUCCESS;
++ int rc_drop = NET_XMIT_DROP;
+
+ /* Random duplication */
+ if (q->duplicate && q->duplicate >= get_crandom(&q->dup_cor))
+@@ -471,6 +472,7 @@ static int netem_enqueue(struct sk_buff
+ q->duplicate = 0;
+ rootq->enqueue(skb2, rootq, to_free);
+ q->duplicate = dupsave;
++ rc_drop = NET_XMIT_SUCCESS;
+ }
+
+ /*
+@@ -483,7 +485,7 @@ static int netem_enqueue(struct sk_buff
+ if (skb_is_gso(skb)) {
+ segs = netem_segment(skb, sch, to_free);
+ if (!segs)
+- return NET_XMIT_DROP;
++ return rc_drop;
+ } else {
+ segs = skb;
+ }
+@@ -506,8 +508,10 @@ static int netem_enqueue(struct sk_buff
+ 1<<(prandom_u32() % 8);
+ }
+
+- if (unlikely(sch->q.qlen >= sch->limit))
+- return qdisc_drop_all(skb, sch, to_free);
++ if (unlikely(sch->q.qlen >= sch->limit)) {
++ qdisc_drop_all(skb, sch, to_free);
++ return rc_drop;
++ }
+
+ qdisc_qstats_backlog_inc(sch, skb);
+
diff --git a/patches.suse/net-systemport-Fix-WoL-with-password-after-deep-slee.patch b/patches.suse/net-systemport-Fix-WoL-with-password-after-deep-slee.patch
new file mode 100644
index 0000000000..dae3933bc9
--- /dev/null
+++ b/patches.suse/net-systemport-Fix-WoL-with-password-after-deep-slee.patch
@@ -0,0 +1,102 @@
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 1 Feb 2019 13:23:38 -0800
+Subject: net: systemport: Fix WoL with password after deep sleep
+Git-commit: 8dfb8d2cceb76b74ad5b58cc65c75994329b4d5e
+Patch-mainline: v5.0-rc6
+References: networking-stable-19_02_10
+
+Broadcom STB chips support a deep sleep mode where all register
+contents are lost. Because we were stashing the MagicPacket password
+into some of these registers a suspend into that deep sleep then a
+resumption would not lead to being able to wake-up from MagicPacket with
+password again.
+
+Fix this by keeping a software copy of the password and program it
+during suspend.
+
+Fixes: 83e82f4c706b ("net: systemport: add Wake-on-LAN support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 25 ++++++++++---------------
+ drivers/net/ethernet/broadcom/bcmsysport.h | 2 ++
+ 2 files changed, 12 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -475,7 +475,6 @@ static void bcm_sysport_get_wol(struct n
+ struct ethtool_wolinfo *wol)
+ {
+ struct bcm_sysport_priv *priv = netdev_priv(dev);
+- u32 reg;
+
+ wol->supported = WAKE_MAGIC | WAKE_MAGICSECURE;
+ wol->wolopts = priv->wolopts;
+@@ -483,11 +482,7 @@ static void bcm_sysport_get_wol(struct n
+ if (!(priv->wolopts & WAKE_MAGICSECURE))
+ return;
+
+- /* Return the programmed SecureOn password */
+- reg = umac_readl(priv, UMAC_PSW_MS);
+- put_unaligned_be16(reg, &wol->sopass[0]);
+- reg = umac_readl(priv, UMAC_PSW_LS);
+- put_unaligned_be32(reg, &wol->sopass[2]);
++ memcpy(wol->sopass, priv->sopass, sizeof(priv->sopass));
+ }
+
+ static int bcm_sysport_set_wol(struct net_device *dev,
+@@ -503,13 +498,8 @@ static int bcm_sysport_set_wol(struct ne
+ if (wol->wolopts & ~supported)
+ return -EINVAL;
+
+- /* Program the SecureOn password */
+- if (wol->wolopts & WAKE_MAGICSECURE) {
+- umac_writel(priv, get_unaligned_be16(&wol->sopass[0]),
+- UMAC_PSW_MS);
+- umac_writel(priv, get_unaligned_be32(&wol->sopass[2]),
+- UMAC_PSW_LS);
+- }
++ if (wol->wolopts & WAKE_MAGICSECURE)
++ memcpy(priv->sopass, wol->sopass, sizeof(priv->sopass));
+
+ /* Flag the device and relevant IRQ as wakeup capable */
+ if (wol->wolopts) {
+@@ -2142,12 +2132,17 @@ static int bcm_sysport_suspend_to_wol(st
+ unsigned int timeout = 1000;
+ u32 reg;
+
+- /* Password has already been programmed */
+ reg = umac_readl(priv, UMAC_MPD_CTRL);
+ reg |= MPD_EN;
+ reg &= ~PSW_EN;
+- if (priv->wolopts & WAKE_MAGICSECURE)
++ if (priv->wolopts & WAKE_MAGICSECURE) {
++ /* Program the SecureOn password */
++ umac_writel(priv, get_unaligned_be16(&priv->sopass[0]),
++ UMAC_PSW_MS);
++ umac_writel(priv, get_unaligned_be32(&priv->sopass[2]),
++ UMAC_PSW_LS);
+ reg |= PSW_EN;
++ }
+ umac_writel(priv, reg, UMAC_MPD_CTRL);
+
+ /* Make sure RBUF entered WoL mode as result */
+--- a/drivers/net/ethernet/broadcom/bcmsysport.h
++++ b/drivers/net/ethernet/broadcom/bcmsysport.h
+@@ -11,6 +11,7 @@
+ #ifndef __BCM_SYSPORT_H
+ #define __BCM_SYSPORT_H
+
++#include <linux/ethtool.h>
+ #include <linux/if_vlan.h>
+
+ /* Receive/transmit descriptor format */
+@@ -737,6 +738,7 @@ struct bcm_sysport_priv {
+ unsigned int crc_fwd:1;
+ u16 rev;
+ u32 wolopts;
++ u8 sopass[SOPASS_MAX];
+ unsigned int wol_irq_disabled:1;
+
+ /* MIB related fields */
diff --git a/patches.suse/netfilter-nf_tables-check-the-result-of-dereferencin.patch b/patches.suse/netfilter-nf_tables-check-the-result-of-dereferencin.patch
new file mode 100644
index 0000000000..b9b5a662d3
--- /dev/null
+++ b/patches.suse/netfilter-nf_tables-check-the-result-of-dereferencin.patch
@@ -0,0 +1,67 @@
+From: Li RongQing <lirongqing@baidu.com>
+Date: Tue, 26 Feb 2019 17:13:56 +0800
+Subject: netfilter: nf_tables: check the result of dereferencing
+ base_chain->stats
+Git-commit: a9f5e78c403d2d62ade4f4c85040efc85f4049b8
+Patch-mainline: 5.1-rc1
+References: git-fixes
+
+Check the result of dereferencing base_chain->stats, instead of result
+of this_cpu_ptr with NULL.
+
+base_chain->stats maybe be changed to NULL when a chain is updated and a
+new NULL counter can be attached.
+
+And we do not need to check returning of this_cpu_ptr since
+base_chain->stats is from percpu allocator if it is non-NULL,
+this_cpu_ptr returns a valid value.
+
+And fix two sparse error by replacing rcu_access_pointer and
+rcu_dereference with READ_ONCE under rcu_read_lock.
+
+Thanks for Eric's help to finish this patch.
+
+Fixes: 009240940e84c1 ("netfilter: nf_tables: don't assume chain stats are set when jumplabel is set")
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/netfilter/nf_tables_core.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/netfilter/nf_tables_core.c
++++ b/net/netfilter/nf_tables_core.c
+@@ -126,6 +126,7 @@ nft_do_chain(struct nft_pktinfo *pkt, vo
+ const struct nft_chain *chain = priv, *basechain = chain;
+ struct nft_base_chain *base_chain;
+ const struct net *net = nft_net(pkt);
++ struct nft_stats __percpu *pstats;
+ const struct nft_rule *rule;
+ const struct nft_expr *expr, *last;
+ struct nft_regs regs;
+@@ -223,19 +224,18 @@ next_rule:
+ NFT_TRACETYPE_POLICY);
+
+ base_chain = nft_base_chain(basechain);
+- if (!base_chain->stats)
+- goto end;
+
+ rcu_read_lock_bh();
+- stats = this_cpu_ptr(rcu_dereference(base_chain->stats));
+- if (stats) {
++ pstats = READ_ONCE(base_chain->stats);
++ if (pstats) {
++ stats = this_cpu_ptr(pstats);
+ u64_stats_update_begin(&stats->syncp);
+ stats->pkts++;
+ stats->bytes += pkt->skb->len;
+ u64_stats_update_end(&stats->syncp);
+ }
+ rcu_read_unlock_bh();
+-end:
++
+ return nft_base_chain(basechain)->policy;
+ }
+ EXPORT_SYMBOL_GPL(nft_do_chain);
diff --git a/patches.suse/rxrpc-bad-unlock-balance-in-rxrpc_recvmsg.patch b/patches.suse/rxrpc-bad-unlock-balance-in-rxrpc_recvmsg.patch
new file mode 100644
index 0000000000..ecda490c99
--- /dev/null
+++ b/patches.suse/rxrpc-bad-unlock-balance-in-rxrpc_recvmsg.patch
@@ -0,0 +1,89 @@
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 4 Feb 2019 08:36:06 -0800
+Subject: rxrpc: bad unlock balance in rxrpc_recvmsg
+Git-commit: 6dce3c20ac429e7a651d728e375853370c796e8d
+Patch-mainline: v5.0-rc6
+References: networking-stable-19_02_10
+
+When either "goto wait_interrupted;" or "goto wait_error;"
+paths are taken, socket lock has already been released.
+
+This patch fixes following syzbot splat :
+
+WARNING: bad unlock balance detected!
+5.0.0-rc4+ #59 Not tainted
+-------------------------------------
+syz-executor223/8256 is trying to release lock (sk_lock-AF_RXRPC) at:
+[<ffffffff86651353>] rxrpc_recvmsg+0x6d3/0x3099 net/rxrpc/recvmsg.c:598
+but there are no more locks to release!
+
+other info that might help us debug this:
+1 lock held by syz-executor223/8256:
+ #0: 00000000fa9ed0f4 (slock-AF_RXRPC){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline]
+ #0: 00000000fa9ed0f4 (slock-AF_RXRPC){+...}, at: release_sock+0x20/0x1c0 net/core/sock.c:2798
+
+stack backtrace:
+CPU: 1 PID: 8256 Comm: syz-executor223 Not tainted 5.0.0-rc4+ #59
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ print_unlock_imbalance_bug kernel/locking/lockdep.c:3391 [inline]
+ print_unlock_imbalance_bug.cold+0x114/0x123 kernel/locking/lockdep.c:3368
+ __lock_release kernel/locking/lockdep.c:3601 [inline]
+ lock_release+0x67e/0xa00 kernel/locking/lockdep.c:3860
+ sock_release_ownership include/net/sock.h:1471 [inline]
+ release_sock+0x183/0x1c0 net/core/sock.c:2808
+ rxrpc_recvmsg+0x6d3/0x3099 net/rxrpc/recvmsg.c:598
+ sock_recvmsg_nosec net/socket.c:794 [inline]
+ sock_recvmsg net/socket.c:801 [inline]
+ sock_recvmsg+0xd0/0x110 net/socket.c:797
+ __sys_recvfrom+0x1ff/0x350 net/socket.c:1845
+ __do_sys_recvfrom net/socket.c:1863 [inline]
+ __se_sys_recvfrom net/socket.c:1859 [inline]
+ __x64_sys_recvfrom+0xe1/0x1a0 net/socket.c:1859
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x446379
+Code: e8 2c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fe5da89fd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
+RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446379
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
+R13: 0000000000000000 R14: 0000000000000000 R15: 20c49ba5e353f7cf
+
+Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: David Howells <dhowells@redhat.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ net/rxrpc/recvmsg.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c
+index eaf19ebaa964..3f7bb11f3290 100644
+--- a/net/rxrpc/recvmsg.c
++++ b/net/rxrpc/recvmsg.c
+@@ -596,6 +596,7 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ }
+ error_no_call:
+ release_sock(&rx->sk);
++error_trace:
+ trace_rxrpc_recvmsg(call, rxrpc_recvmsg_return, 0, 0, 0, ret);
+ return ret;
+
+@@ -604,7 +605,7 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ wait_error:
+ finish_wait(sk_sleep(&rx->sk), &wait);
+ call = NULL;
+- goto error_no_call;
++ goto error_trace;
+ }
+
+ /**
+--
+2.21.0
+
diff --git a/series.conf b/series.conf
index 87749d9329..a20241bee9 100644
--- a/series.conf
+++ b/series.conf
@@ -20568,9 +20568,13 @@
patches.fixes/dccp-fool-proof-ccid_hc_-rt-x_parse_options.patch
patches.fixes/bpf-fix-lockdep-false-positive-in-percpu_freelist.patch
patches.fixes/bpf-Fix-syscall-s-stackmap-lookup-potential-deadlock.patch
+ patches.suse/net-systemport-Fix-WoL-with-password-after-deep-slee.patch
+ patches.suse/net-dp83640-expire-old-TX-skb.patch
patches.suse/0001-s390-qeth-fix-use-after-free-in-error-path.patch
patches.fixes/0001-s390-qeth-cancel-close_dev-work-before-removing-a-ca.patch
+ patches.suse/net-dsa-slave-Don-t-propagate-flag-changes-on-down-s.patch
patches.fixes/mISDN-fix-a-race-in-dev_expire_timer.patch
+ patches.suse/rxrpc-bad-unlock-balance-in-rxrpc_recvmsg.patch
patches.fixes/scsi-target-make-the-pi_prot_format-ConfigFS-path-re.patch
patches.fixes/ARM-iop32x-n2100-fix-PCI-IRQ-mapping.patch
patches.fixes/ARM-tango-Improve-ARCH_MULTIPLATFORM-compatibility.patch
@@ -20622,9 +20626,11 @@
patches.fixes/mdio_bus-Fix-use-after-free-on-device_register-fails.patch
patches.fixes/bpf-lpm-fix-lookup-bug-in-map_delete_elem.patch
patches.fixes/0001-mm-enforce-min-addr-even-if-capable-in-expand_downwa.patch
+ patches.suse/net-netem-fix-skb-length-BUG_ON-in-__skb_to_sgvec.patch
patches.fixes/bpf-decrease-usercnt-if-bpf_map_new_fd-fails-in-bpf_.patch
patches.fixes/bpf-drop-refcount-if-bpf_map_new_fd-fails-in-map_cre.patch
patches.fixes/bpf-fix-sanitation-rewrite-in-case-of-non-pointers.patch
+ patches.suse/netfilter-nf_tables-check-the-result-of-dereferencin.patch
# git://linuxtv.org/media_tree.git
patches.fixes/0001-media-usb-pwc-Don-t-use-coherent-DMA-buffers-for-ISO.patch