--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Date: Tue, 6 Mar 2018 22:57:01 +0300
+Subject: dccp: check sk for closed state in dccp_sendmsg()
+
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+
+
+[ Upstream commit 67f93df79aeefc3add4e4b31a752600f834236e2 ]
+
+dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL,
+therefore if DCCP socket is disconnected and dccp_sendmsg() is
+called after it, it will cause a NULL pointer dereference in
+dccp_write_xmit().
+
+This crash and the reproducer was reported by syzbot. Looks like
+it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824:
+use-after-free in DCCP code") is applied.
+
+Reported-by: syzbot+f99ab3887ab65d70f816@syzkaller.appspotmail.com
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/proto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -789,6 +789,11 @@ int dccp_sendmsg(struct sock *sk, struct
+ if (skb == NULL)
+ goto out_release;
+
++ if (sk->sk_state == DCCP_CLOSED) {
++ rc = -ENOTCONN;
++ goto out_discard;
++ }
++
+ skb_reserve(skb, sk->sk_prot->max_header);
+ rc = memcpy_from_msg(skb_put(skb, len), msg, len);
+ if (rc != 0)
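Review bot: The new `DCCP_CLOSED` test has no comment explaining why the state is checked here, after the skb has been allocated, rather than only at the top of dccp_sendmsg(). Per the commit message, dccp_disconnect() clears `dp->dccps_hc_tx_ccid`, so a send on a closed socket would reach dccp_write_xmit() with a NULL tx handler. I would record that above the check, e.g. `/* dccp_disconnect() clears the TX CCID; never queue on a closed socket */`. The check relies on the socket lock being held at this point and on `out_discard` freeing `skb`; both are outside the hunk and should be confirmed against the full function.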
--- /dev/null
+From 4f8413a3a799c958f7a10a6310a451e6b8aef5ad Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <marc.zyngier@arm.com>
+Date: Thu, 9 Nov 2017 14:17:59 +0000
+Subject: genirq: Track whether the trigger type has been set
+
+From: Marc Zyngier <marc.zyngier@arm.com>
+
+commit 4f8413a3a799c958f7a10a6310a451e6b8aef5ad upstream.
+
+When requesting a shared interrupt, we assume that the firmware
+support code (DT or ACPI) has called irqd_set_trigger_type
+already, so that we can retrieve it and check that the requester
+is being reasonnable.
+
+Unfortunately, we still have non-DT, non-ACPI systems around,
+and these guys won't call irqd_set_trigger_type before requesting
+the interrupt. The consequence is that we fail the request that
+would have worked before.
+
+We can either chase all these use cases (boring), or address it
+in core code (easier). Let's have a per-irq_desc flag that
+indicates whether irqd_set_trigger_type has been called, and
+let's just check it when checking for a shared interrupt.
+If it hasn't been set, just take whatever the interrupt
+requester asks.
+
+Fixes: 382bd4de6182 ("genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs")
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: Petr Cvek <petrcvekcz@gmail.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/irq.h | 11 ++++++++++-
+ kernel/irq/manage.c | 13 ++++++++++++-
+ 2 files changed, 22 insertions(+), 2 deletions(-)
+
+--- a/include/linux/irq.h
++++ b/include/linux/irq.h
+@@ -199,6 +199,7 @@ struct irq_data {
+ * IRQD_WAKEUP_ARMED - Wakeup mode armed
+ * IRQD_FORWARDED_TO_VCPU - The interrupt is forwarded to a VCPU
+ * IRQD_AFFINITY_MANAGED - Affinity is auto-managed by the kernel
++ * IRQD_DEFAULT_TRIGGER_SET - Expected trigger already been set
+ */
+ enum {
+ IRQD_TRIGGER_MASK = 0xf,
+@@ -216,6 +217,7 @@ enum {
+ IRQD_WAKEUP_ARMED = (1 << 19),
+ IRQD_FORWARDED_TO_VCPU = (1 << 20),
+ IRQD_AFFINITY_MANAGED = (1 << 21),
++ IRQD_DEFAULT_TRIGGER_SET = (1 << 25),
+ };
+
+ #define __irqd_to_state(d) ACCESS_PRIVATE((d)->common, state_use_accessors)
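Review bot: `IRQD_DEFAULT_TRIGGER_SET` is given `(1 << 25)` although the last flag visible above it is `(1 << 21)`, and nothing in the enum or its kernel-doc says why bits 22-24 are skipped. If the value was chosen to stay identical to the mainline definition, a one-line comment next to it, e.g. `/* value matches mainline; 22-24 intentionally left free here */`, would stop a later backport from renumbering it or reusing the bit. The kernel-doc entry added in the previous hunk would also read better as `IRQD_DEFAULT_TRIGGER_SET - Expected trigger type has already been set`.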
+@@ -245,18 +247,25 @@ static inline void irqd_mark_affinity_wa
+ __irqd_to_state(d) |= IRQD_AFFINITY_SET;
+ }
+
++static inline bool irqd_trigger_type_was_set(struct irq_data *d)
++{
++ return __irqd_to_state(d) & IRQD_DEFAULT_TRIGGER_SET;
++}
++
+ static inline u32 irqd_get_trigger_type(struct irq_data *d)
+ {
+ return __irqd_to_state(d) & IRQD_TRIGGER_MASK;
+ }
+
+ /*
+- * Must only be called inside irq_chip.irq_set_type() functions.
++ * Must only be called inside irq_chip.irq_set_type() functions or
++ * from the DT/ACPI setup code.
+ */
+ static inline void irqd_set_trigger_type(struct irq_data *d, u32 type)
+ {
+ __irqd_to_state(d) &= ~IRQD_TRIGGER_MASK;
+ __irqd_to_state(d) |= type & IRQD_TRIGGER_MASK;
++ __irqd_to_state(d) |= IRQD_DEFAULT_TRIGGER_SET;
+ }
+
+ static inline bool irqd_is_level_type(struct irq_data *d)
+--- a/kernel/irq/manage.c
++++ b/kernel/irq/manage.c
+@@ -1210,7 +1210,18 @@ __setup_irq(unsigned int irq, struct irq
+ * set the trigger type must match. Also all must
+ * agree on ONESHOT.
+ */
+- unsigned int oldtype = irqd_get_trigger_type(&desc->irq_data);
++ unsigned int oldtype;
++
++ /*
++ * If nobody did set the configuration before, inherit
++ * the one provided by the requester.
++ */
++ if (irqd_trigger_type_was_set(&desc->irq_data)) {
++ oldtype = irqd_get_trigger_type(&desc->irq_data);
++ } else {
++ oldtype = new->flags & IRQF_TRIGGER_MASK;
++ irqd_set_trigger_type(&desc->irq_data, oldtype);
++ }
+
+ if (!((old->flags & new->flags) & IRQF_SHARED) ||
+ (oldtype != (new->flags & IRQF_TRIGGER_MASK)) ||
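Review bot: The `else` branch calls `irqd_set_trigger_type()` from `__setup_irq()`, a caller the comment on that helper does not allow even after this patch updates it ("Must only be called inside irq_chip.irq_set_type() functions or from the DT/ACPI setup code"). Either that comment should name this call site or the new block should say why the exception is safe. When no trigger type was recorded, `oldtype` is copied from `new->flags`, so the `oldtype != (new->flags & IRQF_TRIGGER_MASK)` comparison just below cannot fail for that request. The block comment should state that the match check is deliberately skipped for the first such sharer, e.g. `/* no recorded type: accept the requester's and record it for later sharers */`. The enclosing conditional starts and ends outside the hunk.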
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 5 Mar 2018 08:51:03 -0800
+Subject: ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit ca0edb131bdf1e6beaeb2b8289fd6b374b74147d ]
+
+A tun device type can trivially be set to arbitrary value using
+TUNSETLINK ioctl().
+
+Therefore, lowpan_device_event() must really check that ieee802154_ptr
+is not NULL.
+
+Fixes: 2c88b5283f60d ("ieee802154: 6lowpan: remove check on null")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Alexander Aring <alex.aring@gmail.com>
+Cc: Stefan Schmidt <stefan@osg.samsung.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Stefan Schmidt <stefan@osg.samsung.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/6lowpan/core.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/ieee802154/6lowpan/core.c
++++ b/net/ieee802154/6lowpan/core.c
+@@ -204,9 +204,13 @@ static inline void lowpan_netlink_fini(v
+ static int lowpan_device_event(struct notifier_block *unused,
+ unsigned long event, void *ptr)
+ {
+- struct net_device *wdev = netdev_notifier_info_to_dev(ptr);
++ struct net_device *ndev = netdev_notifier_info_to_dev(ptr);
++ struct wpan_dev *wpan_dev;
+
+- if (wdev->type != ARPHRD_IEEE802154)
++ if (ndev->type != ARPHRD_IEEE802154)
++ return NOTIFY_DONE;
++ wpan_dev = ndev->ieee802154_ptr;
++ if (!wpan_dev)
+ return NOTIFY_DONE;
+
+ switch (event) {
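Review bot: The added `if (!wpan_dev)` guard has no comment, and a reader who sees `ndev->type == ARPHRD_IEEE802154` pass would reasonably assume `ieee802154_ptr` is populated, which is presumably how the check named in the Fixes: tag came to be removed. I would put `/* dev->type can be set from userspace (TUNSETLINK), so it does not imply ieee802154_ptr is valid */` above the guard. The function continues in the next hunk, where `wpan_dev->lowpan_dev` depends on this guard.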
+@@ -215,8 +219,8 @@ static int lowpan_device_event(struct no
+ * also delete possible lowpan interfaces which belongs
+ * to the wpan interface.
+ */
+- if (wdev->ieee802154_ptr->lowpan_dev)
+- lowpan_dellink(wdev->ieee802154_ptr->lowpan_dev, NULL);
++ if (wpan_dev->lowpan_dev)
++ lowpan_dellink(wpan_dev->lowpan_dev, NULL);
+ break;
+ default:
+ return NOTIFY_DONE;
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Thu, 8 Mar 2018 17:00:02 +0100
+Subject: ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option()
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+
+[ Upstream commit 9f62c15f28b0d1d746734666d88a79f08ba1e43e ]
+
+Fix the following slab-out-of-bounds kasan report in
+ndisc_fill_redirect_hdr_option when the incoming ipv6 packet is not
+linear and the accessed data are not in the linear data region of orig_skb.
+
+[ 1503.122508] ==================================================================
+[ 1503.122832] BUG: KASAN: slab-out-of-bounds in ndisc_send_redirect+0x94e/0x990
+[ 1503.123036] Read of size 1184 at addr ffff8800298ab6b0 by task netperf/1932
+
+[ 1503.123220] CPU: 0 PID: 1932 Comm: netperf Not tainted 4.16.0-rc2+ #124
+[ 1503.123347] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-2.fc27 04/01/2014
+[ 1503.123527] Call Trace:
+[ 1503.123579] <IRQ>
+[ 1503.123638] print_address_description+0x6e/0x280
+[ 1503.123849] kasan_report+0x233/0x350
+[ 1503.123946] memcpy+0x1f/0x50
+[ 1503.124037] ndisc_send_redirect+0x94e/0x990
+[ 1503.125150] ip6_forward+0x1242/0x13b0
+[...]
+[ 1503.153890] Allocated by task 1932:
+[ 1503.153982] kasan_kmalloc+0x9f/0xd0
+[ 1503.154074] __kmalloc_track_caller+0xb5/0x160
+[ 1503.154198] __kmalloc_reserve.isra.41+0x24/0x70
+[ 1503.154324] __alloc_skb+0x130/0x3e0
+[ 1503.154415] sctp_packet_transmit+0x21a/0x1810
+[ 1503.154533] sctp_outq_flush+0xc14/0x1db0
+[ 1503.154624] sctp_do_sm+0x34e/0x2740
+[ 1503.154715] sctp_primitive_SEND+0x57/0x70
+[ 1503.154807] sctp_sendmsg+0xaa6/0x1b10
+[ 1503.154897] sock_sendmsg+0x68/0x80
+[ 1503.154987] ___sys_sendmsg+0x431/0x4b0
+[ 1503.155078] __sys_sendmsg+0xa4/0x130
+[ 1503.155168] do_syscall_64+0x171/0x3f0
+[ 1503.155259] entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+[ 1503.155436] Freed by task 1932:
+[ 1503.155527] __kasan_slab_free+0x134/0x180
+[ 1503.155618] kfree+0xbc/0x180
+[ 1503.155709] skb_release_data+0x27f/0x2c0
+[ 1503.155800] consume_skb+0x94/0xe0
+[ 1503.155889] sctp_chunk_put+0x1aa/0x1f0
+[ 1503.155979] sctp_inq_pop+0x2f8/0x6e0
+[ 1503.156070] sctp_assoc_bh_rcv+0x6a/0x230
+[ 1503.156164] sctp_inq_push+0x117/0x150
+[ 1503.156255] sctp_backlog_rcv+0xdf/0x4a0
+[ 1503.156346] __release_sock+0x142/0x250
+[ 1503.156436] release_sock+0x80/0x180
+[ 1503.156526] sctp_sendmsg+0xbb0/0x1b10
+[ 1503.156617] sock_sendmsg+0x68/0x80
+[ 1503.156708] ___sys_sendmsg+0x431/0x4b0
+[ 1503.156799] __sys_sendmsg+0xa4/0x130
+[ 1503.156889] do_syscall_64+0x171/0x3f0
+[ 1503.156980] entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+[ 1503.157158] The buggy address belongs to the object at ffff8800298ab600
+ which belongs to the cache kmalloc-1024 of size 1024
+[ 1503.157444] The buggy address is located 176 bytes inside of
+ 1024-byte region [ffff8800298ab600, ffff8800298aba00)
+[ 1503.157702] The buggy address belongs to the page:
+[ 1503.157820] page:ffffea0000a62a00 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
+[ 1503.158053] flags: 0x4000000000008100(slab|head)
+[ 1503.158171] raw: 4000000000008100 0000000000000000 0000000000000000 00000001800e000e
+[ 1503.158350] raw: dead000000000100 dead000000000200 ffff880036002600 0000000000000000
+[ 1503.158523] page dumped because: kasan: bad access detected
+
+[ 1503.158698] Memory state around the buggy address:
+[ 1503.158816] ffff8800298ab900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 1503.158988] ffff8800298ab980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 1503.159165] >ffff8800298aba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 1503.159338] ^
+[ 1503.159436] ffff8800298aba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 1503.159610] ffff8800298abb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 1503.159785] ==================================================================
+[ 1503.159964] Disabling lock debugging due to kernel taint
+
+The test scenario to trigger the issue consists of 4 devices:
+- H0: data sender, connected to LAN0
+- H1: data receiver, connected to LAN1
+- GW0 and GW1: routers between LAN0 and LAN1. Both of them have an
+ ethernet connection on LAN0 and LAN1
+On H{0,1} set GW0 as default gateway while on GW0 set GW1 as next hop for
+data from LAN0 to LAN1.
+Moreover create an ip6ip6 tunnel between H0 and H1 and send 3 concurrent
+data streams (TCP/UDP/SCTP) from H0 to H1 through ip6ip6 tunnel (send
+buffer size is set to 16K). While data streams are active flush the route
+cache on HA multiple times.
+I have not been able to identify a given commit that introduced the issue
+since, using the reproducer described above, the kasan report has been
+triggered from 4.14 and I have not gone back further.
+
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ndisc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1516,7 +1516,8 @@ static void ndisc_fill_redirect_hdr_opti
+ *(opt++) = (rd_len >> 3);
+ opt += 6;
+
+- memcpy(opt, ipv6_hdr(orig_skb), rd_len - 8);
++ skb_copy_bits(orig_skb, skb_network_offset(orig_skb), opt,
++ rd_len - 8);
+ }
+
+ void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
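Review bot: The return value of `skb_copy_bits()` is discarded, so if the requested range ever exceeds what `orig_skb` holds, the copy fails silently. The redirected-header option then goes out with whatever bytes were already behind `opt`, unless the caller zeroed that area. The bound on `rd_len` is computed outside this hunk and may already make failure impossible. If so, `WARN_ON_ONCE(skb_copy_bits(orig_skb, skb_network_offset(orig_skb), opt, rd_len - 8));` states that invariant; if not, the option payload should be cleared with `memset(opt, 0, rd_len - 8);` on failure so no stale memory reaches the wire.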
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Tom Herbert <tom@quantonium.net>
+Date: Tue, 13 Mar 2018 12:01:43 -0700
+Subject: kcm: lock lower socket in kcm_attach
+
+From: Tom Herbert <tom@quantonium.net>
+
+
+[ Upstream commit 2cc683e88c0c993ac3721d9b702cb0630abe2879 ]
+
+Need to lock lower socket in order to provide mutual exclusion
+with kcm_unattach.
+
+v2: Add Reported-by for syzbot
+
+Fixes: ab7ac4eb9832e32a09f4e804 ("kcm: Kernel Connection Multiplexor module")
+Reported-by: syzbot+ea75c0ffcd353d32515f064aaebefc5279e6161e@syzkaller.appspotmail.com
+Signed-off-by: Tom Herbert <tom@quantonium.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/kcm/kcmsock.c | 33 +++++++++++++++++++++++----------
+ 1 file changed, 23 insertions(+), 10 deletions(-)
+
+--- a/net/kcm/kcmsock.c
++++ b/net/kcm/kcmsock.c
+@@ -1375,24 +1375,32 @@ static int kcm_attach(struct socket *soc
+ struct list_head *head;
+ int index = 0;
+ struct strp_callbacks cb;
+- int err;
++ int err = 0;
+
+ csk = csock->sk;
+ if (!csk)
+ return -EINVAL;
+
++ lock_sock(csk);
++
+ /* Only allow TCP sockets to be attached for now */
+ if ((csk->sk_family != AF_INET && csk->sk_family != AF_INET6) ||
+- csk->sk_protocol != IPPROTO_TCP)
+- return -EOPNOTSUPP;
++ csk->sk_protocol != IPPROTO_TCP) {
++ err = -EOPNOTSUPP;
++ goto out;
++ }
+
+ /* Don't allow listeners or closed sockets */
+- if (csk->sk_state == TCP_LISTEN || csk->sk_state == TCP_CLOSE)
+- return -EOPNOTSUPP;
++ if (csk->sk_state == TCP_LISTEN || csk->sk_state == TCP_CLOSE) {
++ err = -EOPNOTSUPP;
++ goto out;
++ }
+
+ psock = kmem_cache_zalloc(kcm_psockp, GFP_KERNEL);
+- if (!psock)
+- return -ENOMEM;
++ if (!psock) {
++ err = -ENOMEM;
++ goto out;
++ }
+
+ psock->mux = mux;
+ psock->sk = csk;
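Review bot: `lock_sock(csk)` is now held across the `GFP_KERNEL` allocation here and, in the later hunks, across `strp_init()` and the `write_lock_bh(&csk->sk_callback_lock)` section. That fixes a lock order (socket lock outer, `sk_callback_lock` inner) which is not documented anywhere in the hunk. I would add at the call `/* serialises against kcm_unattach(); always taken before sk_callback_lock */` so the order is not inverted by a later change. As a style point, the two later error paths each repeat `kmem_cache_free(kcm_psockp, psock)` before `goto out`. A dedicated cleanup label ahead of `out:` would keep the frees in one place, provided the `strp_done()` call on the `-EALREADY` path is kept.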
+@@ -1406,7 +1414,7 @@ static int kcm_attach(struct socket *soc
+ err = strp_init(&psock->strp, csk, &cb);
+ if (err) {
+ kmem_cache_free(kcm_psockp, psock);
+- return err;
++ goto out;
+ }
+
+ write_lock_bh(&csk->sk_callback_lock);
+@@ -1418,7 +1426,8 @@ static int kcm_attach(struct socket *soc
+ write_unlock_bh(&csk->sk_callback_lock);
+ strp_done(&psock->strp);
+ kmem_cache_free(kcm_psockp, psock);
+- return -EALREADY;
++ err = -EALREADY;
++ goto out;
+ }
+
+ psock->save_data_ready = csk->sk_data_ready;
+@@ -1454,7 +1463,10 @@ static int kcm_attach(struct socket *soc
+ /* Schedule RX work in case there are already bytes queued */
+ strp_check_rcv(&psock->strp);
+
+- return 0;
++out:
++ release_sock(csk);
++
++ return err;
+ }
+
+ static int kcm_attach_ioctl(struct socket *sock, struct kcm_attach *info)
+@@ -1506,6 +1518,7 @@ static void kcm_unattach(struct kcm_psoc
+
+ if (WARN_ON(psock->rx_kcm)) {
+ write_unlock_bh(&csk->sk_callback_lock);
++ release_sock(csk);
+ return;
+ }
+
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 6 Mar 2018 07:54:53 -0800
+Subject: l2tp: do not accept arbitrary sockets
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 17cfe79a65f98abe535261856c5aef14f306dff7 ]
+
+syzkaller found an issue caused by lack of sufficient checks
+in l2tp_tunnel_create()
+
+RAW sockets can not be considered as UDP ones for instance.
+
+In another patch, we shall replace all pr_err() by less intrusive
+pr_debug() so that syzkaller can find other bugs faster.
+Acked-by: Guillaume Nault <g.nault@alphalink.fr>
+Acked-by: James Chapman <jchapman@katalix.com>
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
+dst_release: dst:00000000d53d0d0f refcnt:-1
+Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242
+
+CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ #253
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x24d lib/dump_stack.c:53
+ print_address_description+0x73/0x250 mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report+0x23b/0x360 mm/kasan/report.c:412
+ __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
+ setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
+ l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
+ pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
+ SYSC_connect+0x213/0x4a0 net/socket.c:1640
+ SyS_connect+0x24/0x30 net/socket.c:1621
+ do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1612,9 +1612,14 @@ int l2tp_tunnel_create(struct net *net,
+ encap = cfg->encap;
+
+ /* Quick sanity checks */
++ err = -EPROTONOSUPPORT;
++ if (sk->sk_type != SOCK_DGRAM) {
++ pr_debug("tunl %hu: fd %d wrong socket type\n",
++ tunnel_id, fd);
++ goto err;
++ }
+ switch (encap) {
+ case L2TP_ENCAPTYPE_UDP:
+- err = -EPROTONOSUPPORT;
+ if (sk->sk_protocol != IPPROTO_UDP) {
+ pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
+ tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
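Review bot: The new test constrains only `sk->sk_type`, and together with the existing `sk_protocol` comparisons it still does not pin `sk->sk_family`. As far as this hunk shows, a datagram socket of an unrelated address family whose protocol number happens to match would pass the sanity checks. If nothing earlier in l2tp_tunnel_create() rules that out, add `if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6) goto err;` next to the type check; `err` already holds `-EPROTONOSUPPORT` there. The `pr_debug()` also omits the offending value, unlike the neighbouring `pr_err()` calls that print got/expected, so printing `sk->sk_type` would make a rejected fd diagnosable.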
+@@ -1622,7 +1627,6 @@ int l2tp_tunnel_create(struct net *net,
+ }
+ break;
+ case L2TP_ENCAPTYPE_IP:
+- err = -EPROTONOSUPPORT;
+ if (sk->sk_protocol != IPPROTO_L2TP) {
+ pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
+ tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 18 Mar 2018 23:59:36 +0100
+Subject: net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 00777fac28ba3e126b9e63e789a613e8bd2cab25 ]
+
+If the optional regulator is deferred, we must release some resources.
+They will be re-allocated when the probe function will be called again.
+
+Fixes: 6eacf31139bf ("ethernet: arc: Add support for Rockchip SoC layer device tree bindings")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/arc/emac_rockchip.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/arc/emac_rockchip.c
++++ b/drivers/net/ethernet/arc/emac_rockchip.c
+@@ -169,8 +169,10 @@ static int emac_rockchip_probe(struct pl
+ /* Optional regulator for PHY */
+ priv->regulator = devm_regulator_get_optional(dev, "phy");
+ if (IS_ERR(priv->regulator)) {
+- if (PTR_ERR(priv->regulator) == -EPROBE_DEFER)
+- return -EPROBE_DEFER;
++ if (PTR_ERR(priv->regulator) == -EPROBE_DEFER) {
++ err = -EPROBE_DEFER;
++ goto out_clk_disable;
++ }
+ dev_err(dev, "no regulator found\n");
+ priv->regulator = NULL;
+ }
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: "SZ Lin (林上智)" <sz.lin@moxa.com>
+Date: Fri, 16 Mar 2018 00:56:01 +0800
+Subject: net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface
+
+From: "SZ Lin (林上智)" <sz.lin@moxa.com>
+
+
+[ Upstream commit f9db50691db4a7d860fce985f080bb3fc23a7ede ]
+
+According to AM335x TRM[1] 14.3.6.2, AM437x TRM[2] 15.3.6.2 and
+DRA7 TRM[3] 24.11.4.8.7.3.3, in-band mode in EXT_EN(bit18) register is only
+available when PHY is configured in RGMII mode with 10Mbps speed. It will
+cause some networking issues without RGMII mode, such as carrier sense
+errors and low throughput. TI also mentioned this issue in their forum[4].
+
+This patch adds the check mechanism for PHY interface with RGMII interface
+type, the in-band mode can only be set in RGMII mode with 10Mbps speed.
+
+References:
+[1]: https://www.ti.com/lit/ug/spruh73p/spruh73p.pdf
+[2]: http://www.ti.com/lit/ug/spruhl7h/spruhl7h.pdf
+[3]: http://www.ti.com/lit/ug/spruic2b/spruic2b.pdf
+[4]: https://e2e.ti.com/support/arm/sitara_arm/f/791/p/640765/2392155
+
+Suggested-by: Holsety Chen (陳憲輝) <Holsety.Chen@moxa.com>
+Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
+Signed-off-by: Schuyler Patton <spatton@ti.com>
+Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/cpsw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -901,7 +901,8 @@ static void _cpsw_adjust_link(struct cps
+ /* set speed_in input in case RMII mode is used in 100Mbps */
+ if (phy->speed == 100)
+ mac_control |= BIT(15);
+- else if (phy->speed == 10)
++ /* in band mode only works in 10Mbps RGMII mode */
++ else if ((phy->speed == 10) && phy_interface_is_rgmii(phy))
+ mac_control |= BIT(18); /* In Band mode */
+
+ if (priv->rx_pause)
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Sun, 18 Mar 2018 12:49:51 -0700
+Subject: net: fec: Fix unbalanced PM runtime calls
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+
+[ Upstream commit a069215cf5985f3aa1bba550264907d6bd05c5f7 ]
+
+When unbinding/removing the driver, we will run into the following warnings:
+
+[ 259.655198] fec 400d1000.ethernet: 400d1000.ethernet supply phy not found, using dummy regulator
+[ 259.665065] fec 400d1000.ethernet: Unbalanced pm_runtime_enable!
+[ 259.672770] fec 400d1000.ethernet (unnamed net_device) (uninitialized): Invalid MAC address: 00:00:00:00:00:00
+[ 259.683062] fec 400d1000.ethernet (unnamed net_device) (uninitialized): Using random MAC address: f2:3e:93:b7:29:c1
+[ 259.696239] libphy: fec_enet_mii_bus: probed
+
+Avoid these warnings by balancing the runtime PM calls during fec_drv_remove().
+
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3533,6 +3533,8 @@ fec_drv_remove(struct platform_device *p
+ fec_enet_mii_remove(fep);
+ if (fep->reg_phy)
+ regulator_disable(fep->reg_phy);
++ pm_runtime_put(&pdev->dev);
++ pm_runtime_disable(&pdev->dev);
+ if (of_phy_is_fixed_link(np))
+ of_phy_deregister_fixed_link(np);
+ of_node_put(fep->phy_node);
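Review bot: `pm_runtime_put()` only queues an asynchronous idle request, and the `pm_runtime_disable()` on the next line can cancel that request before it runs. The device may therefore be left active with only the usage count adjusted. `pm_runtime_put_sync(&pdev->dev);` makes the ordering deterministic, as does `pm_runtime_put_noidle(&pdev->dev);` if the hardware is powered down by other means in this function. The matching get is not visible in the hunk. It is worth confirming that a reference is actually held when remove runs, because an unmatched put would underflow the usage count and only move the imbalance.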
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Tue, 6 Mar 2018 18:46:39 +0300
+Subject: net: Fix hlist corruptions in inet_evict_bucket()
+
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+
+
+[ Upstream commit a560002437d3646dafccecb1bf32d1685112ddda ]
+
+inet_evict_bucket() iterates global list, and
+several tasks may call it in parallel. All of
+them hash the same fq->list_evictor to different
+lists, which leads to list corruption.
+
+This patch makes fq be hashed to expired list
+only if this has not been made yet by another
+task. Since inet_frag_alloc() allocates fq
+using kmem_cache_zalloc(), we may rely on
+list_evictor is initially unhashed.
+
+The problem seems to exist before async
+pernet_operations, as there was possible to have
+exit method to be executed in parallel with
+inet_frags::frags_work, so I add two Fixes tags.
+This also may go to stable.
+
+Fixes: d1fe19444d82 "inet: frag: don't re-use chainlist for evictor"
+Fixes: f84c6821aa54 "net: Convert pernet_subsys, registered from inet_init()"
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/inet_fragment.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -119,6 +119,9 @@ out:
+
+ static bool inet_fragq_should_evict(const struct inet_frag_queue *q)
+ {
++ if (!hlist_unhashed(&q->list_evictor))
++ return false;
++
+ return q->net->low_thresh == 0 ||
+ frag_mem_limit(q->net) >= q->net->low_thresh;
+ }
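Review bot: The new `hlist_unhashed(&q->list_evictor)` test is race-free only if it and the later insertion onto the expired list run under the same lock. Otherwise two evictors can both see the node unhashed and both add it, which is the corruption the commit message describes. Neither the lock nor the insertion is in this hunk, so the requirement should be written on the function, e.g. `/* caller holds the bucket lock; list_evictor starts unhashed because the queue is zero-allocated */`. That comment also records the dependency on inet_frag_alloc() using a zeroing allocator, which the commit message mentions but the code does not.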
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Tue, 13 Mar 2018 16:50:06 +0100
+Subject: net/iucv: Free memory obtained by kzalloc
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+
+[ Upstream commit fa6a91e9b907231d2e38ea5ed89c537b3525df3d ]
+
+Free memory by calling put_device(), if afiucv_iucv_init is not
+successful.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/iucv/af_iucv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -2418,9 +2418,11 @@ static int afiucv_iucv_init(void)
+ af_iucv_dev->driver = &af_iucv_driver;
+ err = device_register(af_iucv_dev);
+ if (err)
+- goto out_driver;
++ goto out_iucv_dev;
+ return 0;
+
++out_iucv_dev:
++ put_device(af_iucv_dev);
+ out_driver:
+ driver_unregister(&af_iucv_driver);
+ out_iucv:
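Review bot: After `put_device(af_iucv_dev)` the variable still holds the old address. It is not declared in this hunk and looks like file-scope state, so if anything can read it after a failed init it would see a stale pointer; adding `af_iucv_dev = NULL;` after the put is a cheap guard. The new label would also benefit from a comment saying why `put_device()` is used rather than `kfree()`, e.g. `/* device_register() failed: the embedded kobject owns the memory, drop the ref */`, because the subject line speaks of kzalloc. The remaining unwind labels continue outside the hunk.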
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: David Ahern <dsahern@gmail.com>
+Date: Fri, 16 Feb 2018 11:03:03 -0800
+Subject: net: Only honor ifindex in IP_PKTINFO if non-0
+
+From: David Ahern <dsahern@gmail.com>
+
+
+[ Upstream commit 2cbb4ea7de167b02ffa63e9cdfdb07a7e7094615 ]
+
+Only allow ifindex from IP_PKTINFO to override SO_BINDTODEVICE settings
+if the index is actually set in the message.
+
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_sockglue.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -242,7 +242,8 @@ int ip_cmsg_send(struct sock *sk, struct
+ src_info = (struct in6_pktinfo *)CMSG_DATA(cmsg);
+ if (!ipv6_addr_v4mapped(&src_info->ipi6_addr))
+ return -EINVAL;
+- ipc->oif = src_info->ipi6_ifindex;
++ if (src_info->ipi6_ifindex)
++ ipc->oif = src_info->ipi6_ifindex;
+ ipc->addr = src_info->ipi6_addr.s6_addr32[3];
+ continue;
+ }
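Review bot: Neither changed site says that an ifindex of 0 now means "not specified", which is the whole contract change. Before it, a pktinfo cmsg carrying index 0 replaced whatever `ipc->oif` the caller had prepared; per the commit message, that was the SO_BINDTODEVICE binding. A comment such as `/* 0 == unset: keep the device the socket is bound to */` above `if (src_info->ipi6_ifindex)`, and above the identical test on `info->ipi_ifindex` in the next hunk, would keep a later cleanup from collapsing this back into an unconditional assignment. ip_cmsg_send() begins and ends outside both hunks.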
+@@ -272,7 +273,8 @@ int ip_cmsg_send(struct sock *sk, struct
+ if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct in_pktinfo)))
+ return -EINVAL;
+ info = (struct in_pktinfo *)CMSG_DATA(cmsg);
+- ipc->oif = info->ipi_ifindex;
++ if (info->ipi_ifindex)
++ ipc->oif = info->ipi_ifindex;
+ ipc->addr = info->ipi_spec_dst.s_addr;
+ break;
+ }
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Roman Mashak <mrv@mojatatu.com>
+Date: Mon, 12 Mar 2018 16:20:58 -0400
+Subject: net sched actions: return explicit error when tunnel_key mode is not specified
+
+From: Roman Mashak <mrv@mojatatu.com>
+
+
+[ Upstream commit 51d4740f88affd85d49c04e3c9cd129c0e33bcb9 ]
+
+If set/unset mode of the tunnel_key action is not provided, ->init() still
+returns 0, and the caller proceeds with bogus 'struct tc_action *' object,
+this results in crash:
+
+% tc actions add action tunnel_key src_ip 1.1.1.1 dst_ip 2.2.2.1 id 7 index 1
+
+[ 35.805515] general protection fault: 0000 [#1] SMP PTI
+[ 35.806161] Modules linked in: act_tunnel_key kvm_intel kvm irqbypass
+crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64
+crypto_simd glue_helper cryptd serio_raw
+[ 35.808233] CPU: 1 PID: 428 Comm: tc Not tainted 4.16.0-rc4+ #286
+[ 35.808929] RIP: 0010:tcf_action_init+0x90/0x190
+[ 35.809457] RSP: 0018:ffffb8edc068b9a0 EFLAGS: 00010206
+[ 35.810053] RAX: 1320c000000a0003 RBX: 0000000000000001 RCX: 0000000000000000
+[ 35.810866] RDX: 0000000000000070 RSI: 0000000000007965 RDI: ffffb8edc068b910
+[ 35.811660] RBP: ffffb8edc068b9d0 R08: 0000000000000000 R09: ffffb8edc068b808
+[ 35.812463] R10: ffffffffc02bf040 R11: 0000000000000040 R12: ffffb8edc068bb38
+[ 35.813235] R13: 0000000000000000 R14: 0000000000000000 R15: ffffb8edc068b910
+[ 35.814006] FS: 00007f3d0d8556c0(0000) GS:ffff91d1dbc40000(0000)
+knlGS:0000000000000000
+[ 35.814881] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 35.815540] CR2: 000000000043f720 CR3: 0000000019248001 CR4: 00000000001606a0
+[ 35.816457] Call Trace:
+[ 35.817158] tc_ctl_action+0x11a/0x220
+[ 35.817795] rtnetlink_rcv_msg+0x23d/0x2e0
+[ 35.818457] ? __slab_alloc+0x1c/0x30
+[ 35.819079] ? __kmalloc_node_track_caller+0xb1/0x2b0
+[ 35.819544] ? rtnl_calcit.isra.30+0xe0/0xe0
+[ 35.820231] netlink_rcv_skb+0xce/0x100
+[ 35.820744] netlink_unicast+0x164/0x220
+[ 35.821500] netlink_sendmsg+0x293/0x370
+[ 35.822040] sock_sendmsg+0x30/0x40
+[ 35.822508] ___sys_sendmsg+0x2c5/0x2e0
+[ 35.823149] ? pagecache_get_page+0x27/0x220
+[ 35.823714] ? filemap_fault+0xa2/0x640
+[ 35.824423] ? page_add_file_rmap+0x108/0x200
+[ 35.825065] ? alloc_set_pte+0x2aa/0x530
+[ 35.825585] ? finish_fault+0x4e/0x70
+[ 35.826140] ? __handle_mm_fault+0xbc1/0x10d0
+[ 35.826723] ? __sys_sendmsg+0x41/0x70
+[ 35.827230] __sys_sendmsg+0x41/0x70
+[ 35.827710] do_syscall_64+0x68/0x120
+[ 35.828195] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+[ 35.828859] RIP: 0033:0x7f3d0ca4da67
+[ 35.829331] RSP: 002b:00007ffc9f284338 EFLAGS: 00000246 ORIG_RAX:
+000000000000002e
+[ 35.830304] RAX: ffffffffffffffda RBX: 00007ffc9f284460 RCX: 00007f3d0ca4da67
+[ 35.831247] RDX: 0000000000000000 RSI: 00007ffc9f2843b0 RDI: 0000000000000003
+[ 35.832167] RBP: 000000005aa6a7a9 R08: 0000000000000001 R09: 0000000000000000
+[ 35.833075] R10: 00000000000005f1 R11: 0000000000000246 R12: 0000000000000000
+[ 35.833997] R13: 00007ffc9f2884c0 R14: 0000000000000001 R15: 0000000000674640
+[ 35.834923] Code: 24 30 bb 01 00 00 00 45 31 f6 eb 5e 8b 50 08 83 c2 07 83 e2
+fc 83 c2 70 49 8b 07 48 8b 40 70 48 85 c0 74 10 48 89 14 24 4c 89 ff <ff> d0 48
+8b 14 24 48 01 c2 49 01 d6 45 85 ed 74 05 41 83 47 2c
+[ 35.837442] RIP: tcf_action_init+0x90/0x190 RSP: ffffb8edc068b9a0
+[ 35.838291] ---[ end trace a095c06ee4b97a26 ]---
+
+Fixes: d0f6dd8a914f ("net/sched: Introduce act_tunnel_key")
+Signed-off-by: Roman Mashak <mrv@mojatatu.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_tunnel_key.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/act_tunnel_key.c
++++ b/net/sched/act_tunnel_key.c
+@@ -141,6 +141,7 @@ static int tunnel_key_init(struct net *n
+ metadata->u.tun_info.mode |= IP_TUNNEL_INFO_TX;
+ break;
+ default:
++ ret = -EINVAL;
+ goto err_out;
+ }
+
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Tue, 13 Mar 2018 14:45:07 -0700
+Subject: net: systemport: Rewrite __bcm_sysport_tx_reclaim()
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+
+[ Upstream commit 484d802d0f2f29c335563fcac2a8facf174a1bbc ]
+
+There is no need for complex checking between the last consumed index
+and current consumed index, a simple subtraction will do.
+
+This also eliminates the possibility of a permanent transmit queue stall
+under the following conditions:
+
+- one CPU bursts ring->size worth of traffic (up to 256 buffers), to the
+ point where we run out of free descriptors, so we stop the transmit
+ queue at the end of bcm_sysport_xmit()
+
+- because of our locking, we have the transmit process disable
+ interrupts which means we can be blocking the TX reclamation process
+
+- when TX reclamation finally runs, we will be computing the difference
+ between ring->c_index (last consumed index by SW) and what the HW
+ reports through its register
+
+- this register is masked with (ring->size - 1) = 0xff, which will lead
+ to stripping the upper bits of the index (register is 16-bits wide)
+
+- we will be computing last_tx_cn as 0, which means there is no work to
+ be done, and we never wake-up the transmit queue, leaving it
+ permanently disabled
+
+A practical example is e.g: ring->c_index aka last_c_index = 12, we
+pushed 256 entries, HW consumer index = 268, we mask it with 0xff = 12,
+so last_tx_cn == 0, nothing happens.
+
+Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 33 +++++++++++++----------------
+ drivers/net/ethernet/broadcom/bcmsysport.h | 2 -
+ 2 files changed, 16 insertions(+), 19 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -707,37 +707,33 @@ static unsigned int __bcm_sysport_tx_rec
+ struct bcm_sysport_tx_ring *ring)
+ {
+ struct net_device *ndev = priv->netdev;
+- unsigned int c_index, last_c_index, last_tx_cn, num_tx_cbs;
+ unsigned int pkts_compl = 0, bytes_compl = 0;
++ unsigned int txbds_processed = 0;
+ struct bcm_sysport_cb *cb;
++ unsigned int txbds_ready;
++ unsigned int c_index;
+ u32 hw_ind;
+
+ /* Compute how many descriptors have been processed since last call */
+ hw_ind = tdma_readl(priv, TDMA_DESC_RING_PROD_CONS_INDEX(ring->index));
+ c_index = (hw_ind >> RING_CONS_INDEX_SHIFT) & RING_CONS_INDEX_MASK;
+- ring->p_index = (hw_ind & RING_PROD_INDEX_MASK);
+-
+- last_c_index = ring->c_index;
+- num_tx_cbs = ring->size;
+-
+- c_index &= (num_tx_cbs - 1);
+-
+- if (c_index >= last_c_index)
+- last_tx_cn = c_index - last_c_index;
+- else
+- last_tx_cn = num_tx_cbs - last_c_index + c_index;
++ txbds_ready = (c_index - ring->c_index) & RING_CONS_INDEX_MASK;
+
+ netif_dbg(priv, tx_done, ndev,
+- "ring=%d c_index=%d last_tx_cn=%d last_c_index=%d\n",
+- ring->index, c_index, last_tx_cn, last_c_index);
++ "ring=%d old_c_index=%u c_index=%u txbds_ready=%u\n",
++ ring->index, ring->c_index, c_index, txbds_ready);
+
+- while (last_tx_cn-- > 0) {
+- cb = ring->cbs + last_c_index;
++ while (txbds_processed < txbds_ready) {
++ cb = &ring->cbs[ring->clean_index];
+ bcm_sysport_tx_reclaim_one(priv, cb, &bytes_compl, &pkts_compl);
+
+ ring->desc_count++;
+- last_c_index++;
+- last_c_index &= (num_tx_cbs - 1);
++ txbds_processed++;
++
++ if (likely(ring->clean_index < ring->size - 1))
++ ring->clean_index++;
++ else
++ ring->clean_index = 0;
+ }
+
+ ring->c_index = c_index;
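Review bot: `txbds_ready` is taken from the hardware index masked with `RING_CONS_INDEX_MASK`, and the loop never compares it with `ring->size`. If the consumer index ever advanced by more than the ring holds, the loop would walk the same control blocks more than once and push `ring->desc_count` above `ring->size`. Whether the hardware can report such a value is not visible here, so this is a defensive check only: `if (WARN_ON_ONCE(txbds_ready > ring->size)) txbds_ready = ring->size;` before the `while`. The function continues past the end of the hunk.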
+@@ -1207,6 +1203,7 @@ static int bcm_sysport_init_tx_ring(stru
+ netif_tx_napi_add(priv->netdev, &ring->napi, bcm_sysport_tx_poll, 64);
+ ring->index = index;
+ ring->size = size;
++ ring->clean_index = 0;
+ ring->alloc_size = ring->size;
+ ring->desc_cpu = p;
+ ring->desc_count = ring->size;
+--- a/drivers/net/ethernet/broadcom/bcmsysport.h
++++ b/drivers/net/ethernet/broadcom/bcmsysport.h
+@@ -638,7 +638,7 @@ struct bcm_sysport_tx_ring {
+ unsigned int desc_count; /* Number of descriptors */
+ unsigned int curr_desc; /* Current descriptor */
+ unsigned int c_index; /* Last consumer index */
+- unsigned int p_index; /* Current producer index */
++ unsigned int clean_index; /* Current clean index */
+ struct bcm_sysport_cb *cbs; /* Transmit control blocks */
+ struct dma_desc *desc_cpu; /* CPU view of the descriptor */
+ struct bcm_sysport_priv *priv; /* private context backpointer */
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 14 Mar 2018 09:04:16 -0700
+Subject: net: use skb_to_full_sk() in skb_update_prio()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 4dcb31d4649df36297296b819437709f5407059c ]
+
+Andrei Vagin reported a KASAN: slab-out-of-bounds error in
+skb_update_prio()
+
+Since SYNACK might be attached to a request socket, we need to
+get back to the listener socket.
+Since this listener is manipulated without locks, add const
+qualifiers to sock_cgroup_prioidx() so that the const can also
+be used in skb_update_prio()
+
+Also add the const qualifier to sock_cgroup_classid() for consistency.
+
+Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Andrei Vagin <avagin@virtuozzo.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/cgroup-defs.h | 4 ++--
+ net/core/dev.c | 22 +++++++++++++++-------
+ 2 files changed, 17 insertions(+), 9 deletions(-)
+
+--- a/include/linux/cgroup-defs.h
++++ b/include/linux/cgroup-defs.h
+@@ -609,13 +609,13 @@ struct sock_cgroup_data {
+ * updaters and return part of the previous pointer as the prioidx or
+ * classid. Such races are short-lived and the result isn't critical.
+ */
+-static inline u16 sock_cgroup_prioidx(struct sock_cgroup_data *skcd)
++static inline u16 sock_cgroup_prioidx(const struct sock_cgroup_data *skcd)
+ {
+ /* fallback to 1 which is always the ID of the root cgroup */
+ return (skcd->is_data & 1) ? skcd->prioidx : 1;
+ }
+
+-static inline u32 sock_cgroup_classid(struct sock_cgroup_data *skcd)
++static inline u32 sock_cgroup_classid(const struct sock_cgroup_data *skcd)
+ {
+ /* fallback to 0 which is the unconfigured default classid */
+ return (skcd->is_data & 1) ? skcd->classid : 0;
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3179,15 +3179,23 @@ static inline int __dev_xmit_skb(struct
+ #if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
+ static void skb_update_prio(struct sk_buff *skb)
+ {
+- struct netprio_map *map = rcu_dereference_bh(skb->dev->priomap);
++ const struct netprio_map *map;
++ const struct sock *sk;
++ unsigned int prioidx;
+
+- if (!skb->priority && skb->sk && map) {
+- unsigned int prioidx =
+- sock_cgroup_prioidx(&skb->sk->sk_cgrp_data);
++ if (skb->priority)
++ return;
++ map = rcu_dereference_bh(skb->dev->priomap);
++ if (!map)
++ return;
++ sk = skb_to_full_sk(skb);
++ if (!sk)
++ return;
+
+- if (prioidx < map->priomap_len)
+- skb->priority = map->priomap[prioidx];
+- }
++ prioidx = sock_cgroup_prioidx(&sk->sk_cgrp_data);
++
++ if (prioidx < map->priomap_len)
++ skb->priority = map->priomap[prioidx];
+ }
+ #else
+ #define skb_update_prio(skb)
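Review bot: The reason for calling `skb_to_full_sk()` instead of reading `skb->sk` is recorded only in the commit message, so a later cleanup could simplify it back to `skb->sk`. A one-line comment above `sk = skb_to_full_sk(skb);` would preserve it, for example `/* a SYNACK skb may be attached to a request socket; read sk_cgrp_data from the listener */`. It would also help to note next to the `const struct sock *sk;` declaration that the listener is accessed here without its lock, which is why the pointer is const.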
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Wed, 14 Mar 2018 21:10:23 +0100
+Subject: netlink: avoid a double skb free in genlmsg_mcast()
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+
+[ Upstream commit 02a2385f37a7c6594c9d89b64c4a1451276f08eb ]
+
+nlmsg_multicast() consumes always the skb, thus the original skb must be
+freed only when this function is called with a clone.
+
+Fixes: cb9f7a9a5c96 ("netlink: ensure to loop over all netns in genlmsg_multicast_allns()")
+Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/genetlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netlink/genetlink.c
++++ b/net/netlink/genetlink.c
+@@ -1128,7 +1128,7 @@ static int genlmsg_mcast(struct sk_buff
+ if (!err)
+ delivered = true;
+ else if (err != -ESRCH)
+- goto error;
++ return err;
+ return delivered ? 0 : -ESRCH;
+ error:
+ kfree_skb(skb);
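Review bot: After this change the two failure exits of genlmsg_mcast() treat `skb` differently, and nothing in the code explains why: the new `return err;` leaves it alone while the `error:` label still calls `kfree_skb(skb)`. A comment at the new return would record the ownership rule from the commit message, for example `/* nlmsg_multicast() consumed skb; do not free it again */`. The start of the function, including the remaining users of `error:`, is outside the hunk.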
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Tue, 20 Mar 2018 16:49:26 +0100
+Subject: ppp: avoid loop in xmit recursion detection code
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+
+[ Upstream commit 6d066734e9f09cdea4a3b9cb76136db3f29cfb02 ]
+
+We already detect situations where a PPP channel sends packets back to
+its upper PPP device. While this is enough to avoid deadlocking on xmit
+locks, this doesn't prevent packets from looping between the channel
+and the unit.
+
+The problem is that ppp_start_xmit() enqueues packets in ppp->file.xq
+before checking for xmit recursion. Therefore, __ppp_xmit_process()
+might dequeue a packet from ppp->file.xq and send it on the channel
+which, in turn, loops it back on the unit. Then ppp_start_xmit()
+queues the packet back to ppp->file.xq and __ppp_xmit_process() picks
+it up and sends it again through the channel. Therefore, the packet
+will loop between __ppp_xmit_process() and ppp_start_xmit() until some
+other part of the xmit path drops it.
+
+For L2TP, we rapidly fill the skb's headroom and pppol2tp_xmit() drops
+the packet after a few iterations. But PPTP reallocates the headroom
+if necessary, letting the loop run and exhaust the machine resources
+(as reported in https://bugzilla.kernel.org/show_bug.cgi?id=199109).
+
+Fix this by letting __ppp_xmit_process() enqueue the skb to
+ppp->file.xq, so that we can check for recursion before adding it to
+the queue. Now ppp_xmit_process() can drop the packet when recursion is
+detected.
+
+__ppp_channel_push() is a bit special. It calls __ppp_xmit_process()
+without having any actual packet to send. This is used by
+ppp_output_wakeup() to re-enable transmission on the parent unit (for
+implementations like ppp_async.c, where the .start_xmit() function
+might not consume the skb, leaving it in ppp->xmit_pending and
+disabling transmission).
+Therefore, __ppp_xmit_process() needs to handle the case where skb is
+NULL, dequeuing as many packets as possible from ppp->file.xq.
+
+Reported-by: xu heng <xuheng333@zoho.com>
+Fixes: 55454a565836 ("ppp: avoid dealock on recursive xmit")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/ppp_generic.c | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -255,7 +255,7 @@ struct ppp_net {
+ /* Prototypes. */
+ static int ppp_unattached_ioctl(struct net *net, struct ppp_file *pf,
+ struct file *file, unsigned int cmd, unsigned long arg);
+-static void ppp_xmit_process(struct ppp *ppp);
++static void ppp_xmit_process(struct ppp *ppp, struct sk_buff *skb);
+ static void ppp_send_frame(struct ppp *ppp, struct sk_buff *skb);
+ static void ppp_push(struct ppp *ppp);
+ static void ppp_channel_push(struct channel *pch);
+@@ -511,13 +511,12 @@ static ssize_t ppp_write(struct file *fi
+ goto out;
+ }
+
+- skb_queue_tail(&pf->xq, skb);
+-
+ switch (pf->kind) {
+ case INTERFACE:
+- ppp_xmit_process(PF_TO_PPP(pf));
++ ppp_xmit_process(PF_TO_PPP(pf), skb);
+ break;
+ case CHANNEL:
++ skb_queue_tail(&pf->xq, skb);
+ ppp_channel_push(PF_TO_CHANNEL(pf));
+ break;
+ }
+@@ -1261,8 +1260,8 @@ ppp_start_xmit(struct sk_buff *skb, stru
+ put_unaligned_be16(proto, pp);
+
+ skb_scrub_packet(skb, !net_eq(ppp->ppp_net, dev_net(dev)));
+- skb_queue_tail(&ppp->file.xq, skb);
+- ppp_xmit_process(ppp);
++ ppp_xmit_process(ppp, skb);
++
+ return NETDEV_TX_OK;
+
+ outf:
+@@ -1416,13 +1415,14 @@ static void ppp_setup(struct net_device
+ */
+
+ /* Called to do any work queued up on the transmit side that can now be done */
+-static void __ppp_xmit_process(struct ppp *ppp)
++static void __ppp_xmit_process(struct ppp *ppp, struct sk_buff *skb)
+ {
+- struct sk_buff *skb;
+-
+ ppp_xmit_lock(ppp);
+ if (!ppp->closing) {
+ ppp_push(ppp);
++
++ if (skb)
++ skb_queue_tail(&ppp->file.xq, skb);
+ while (!ppp->xmit_pending &&
+ (skb = skb_dequeue(&ppp->file.xq)))
+ ppp_send_frame(ppp, skb);
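Review bot: `__ppp_xmit_process()` now takes ownership of `skb`, but the hunk queues it only inside `if (!ppp->closing)`, so when `ppp->closing` is set the visible code neither queues nor frees it. Before this change the callers had already placed the skb on `ppp->file.xq`, so it was not lost on that path. Unless the lines between this hunk and the next one handle it, the `if` needs an else branch: `} else { kfree_skb(skb); }`. That is also safe for the NULL passed by `__ppp_channel_push()`, since `kfree_skb()` accepts NULL.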
+@@ -1436,7 +1436,7 @@ static void __ppp_xmit_process(struct pp
+ ppp_xmit_unlock(ppp);
+ }
+
+-static void ppp_xmit_process(struct ppp *ppp)
++static void ppp_xmit_process(struct ppp *ppp, struct sk_buff *skb)
+ {
+ local_bh_disable();
+
+@@ -1444,7 +1444,7 @@ static void ppp_xmit_process(struct ppp
+ goto err;
+
+ (*this_cpu_ptr(ppp->xmit_recursion))++;
+- __ppp_xmit_process(ppp);
++ __ppp_xmit_process(ppp, skb);
+ (*this_cpu_ptr(ppp->xmit_recursion))--;
+
+ local_bh_enable();
+@@ -1454,6 +1454,8 @@ static void ppp_xmit_process(struct ppp
+ err:
+ local_bh_enable();
+
++ kfree_skb(skb);
++
+ if (net_ratelimit())
+ netdev_err(ppp->dev, "recursion detected\n");
+ }
+@@ -1938,7 +1940,7 @@ static void __ppp_channel_push(struct ch
+ if (skb_queue_empty(&pch->file.xq)) {
+ ppp = pch->ppp;
+ if (ppp)
+- __ppp_xmit_process(ppp);
++ __ppp_xmit_process(ppp, NULL);
+ }
+ }
+
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Paul Blakey <paulb@mellanox.com>
+Date: Sun, 4 Mar 2018 17:29:48 +0200
+Subject: rhashtable: Fix rhlist duplicates insertion
+
+From: Paul Blakey <paulb@mellanox.com>
+
+
+[ Upstream commit d3dcf8eb615537526bd42ff27a081d46d337816e ]
+
+When inserting duplicate objects (those with the same key),
+current rhlist implementation messes up the chain pointers by
+updating the bucket pointer instead of prev next pointer to the
+newly inserted node. This causes missing elements on removal and
+travesal.
+
+Fix that by properly updating pprev pointer to point to
+the correct rhash_head next pointer.
+
+Issue: 1241076
+Change-Id: I86b2c140bcb4aeb10b70a72a267ff590bb2b17e7
+Fixes: ca26893f05e8 ('rhashtable: Add rhlist interface')
+Signed-off-by: Paul Blakey <paulb@mellanox.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/rhashtable.h | 4 +++-
+ lib/rhashtable.c | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/include/linux/rhashtable.h
++++ b/include/linux/rhashtable.h
+@@ -706,8 +706,10 @@ slow_path:
+ if (!key ||
+ (params.obj_cmpfn ?
+ params.obj_cmpfn(&arg, rht_obj(ht, head)) :
+- rhashtable_compare(&arg, rht_obj(ht, head))))
++ rhashtable_compare(&arg, rht_obj(ht, head)))) {
++ pprev = &head->next;
+ continue;
++ }
+
+ data = rht_obj(ht, head);
+
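Review bot: Nothing explains what `pprev` must point at when the loop continues, so the new `pprev = &head->next;` could easily be dropped again in a later cleanup. A short comment on that line, here and in the matching hunk in lib/rhashtable.c, would help: `/* keep pprev on the link leading to the next element, not the bucket head */`. The loop header and the later use of `pprev` are outside both hunks, so the wording should be checked against them.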
+--- a/lib/rhashtable.c
++++ b/lib/rhashtable.c
+@@ -448,8 +448,10 @@ static void *rhashtable_lookup_one(struc
+ if (!key ||
+ (ht->p.obj_cmpfn ?
+ ht->p.obj_cmpfn(&arg, rht_obj(ht, head)) :
+- rhashtable_compare(&arg, rht_obj(ht, head))))
++ rhashtable_compare(&arg, rht_obj(ht, head)))) {
++ pprev = &head->next;
+ continue;
++ }
+
+ if (!ht->rhlist)
+ return rht_obj(ht, head);
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Tue, 20 Mar 2018 07:59:12 +0100
+Subject: s390/qeth: free netdevice when removing a card
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+
+[ Upstream commit 6be687395b3124f002a653c1a50b3260222b3cd7 ]
+
+On removal, a qeth card's netdevice is currently not properly freed
+because the call chain looks as follows:
+
+qeth_core_remove_device(card)
+ lx_remove_device(card)
+ unregister_netdev(card->dev)
+ card->dev = NULL !!!
+ qeth_core_free_card(card)
+ if (card->dev) !!!
+ free_netdev(card->dev)
+
+Fix it by free'ing the netdev straight after unregistering. This also
+fixes the sysfs-driven layer switch case (qeth_dev_layer2_store()),
+where the need to free the current netdevice was not considered at all.
+
+Note that free_netdev() takes care of the netif_napi_del() for us too.
+
+Fixes: 4a71df50047f ("qeth: new qeth device driver")
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Reviewed-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core_main.c | 2 --
+ drivers/s390/net/qeth_l2_main.c | 2 +-
+ drivers/s390/net/qeth_l3_main.c | 2 +-
+ 3 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -4989,8 +4989,6 @@ static void qeth_core_free_card(struct q
+ QETH_DBF_HEX(SETUP, 2, &card, sizeof(void *));
+ qeth_clean_channel(&card->read);
+ qeth_clean_channel(&card->write);
+- if (card->dev)
+- free_netdev(card->dev);
+ qeth_free_qdio_buffers(card);
+ unregister_service_level(&card->qeth_service_level);
+ kfree(card);
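Review bot: With `free_netdev()` removed here, `card->dev` is freed only in `qeth_l2_remove_device()` and `qeth_l3_remove_device()`. Any path that reaches `qeth_core_free_card()` with `card->dev` still set, without having gone through one of those, would now leak the netdevice. No such path is visible in this patch, but it is worth confirming that none exists. A `WARN_ON(card->dev);` at the spot of the removed lines would catch a regression.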
+--- a/drivers/s390/net/qeth_l2_main.c
++++ b/drivers/s390/net/qeth_l2_main.c
+@@ -1057,8 +1057,8 @@ static void qeth_l2_remove_device(struct
+ qeth_l2_set_offline(cgdev);
+
+ if (card->dev) {
+- netif_napi_del(&card->napi);
+ unregister_netdev(card->dev);
++ free_netdev(card->dev);
+ card->dev = NULL;
+ }
+ return;
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -3192,8 +3192,8 @@ static void qeth_l3_remove_device(struct
+ qeth_l3_set_offline(cgdev);
+
+ if (card->dev) {
+- netif_napi_del(&card->napi);
+ unregister_netdev(card->dev);
++ free_netdev(card->dev);
+ card->dev = NULL;
+ }
+
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Tue, 20 Mar 2018 07:59:14 +0100
+Subject: s390/qeth: lock read device while queueing next buffer
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+
+[ Upstream commit 17bf8c9b3d499d5168537c98b61eb7a1fcbca6c2 ]
+
+For calling ccw_device_start(), issue_next_read() needs to hold the
+device's ccwlock.
+This is satisfied for the IRQ handler path (where qeth_irq() gets called
+under the ccwlock), but we need explicit locking for the initial call by
+the MPC initialization.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core_main.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -522,8 +522,7 @@ static inline int qeth_is_cq(struct qeth
+ queue == card->qdio.no_in_queues - 1;
+ }
+
+-
+-static int qeth_issue_next_read(struct qeth_card *card)
++static int __qeth_issue_next_read(struct qeth_card *card)
+ {
+ int rc;
+ struct qeth_cmd_buffer *iob;
+@@ -554,6 +553,17 @@ static int qeth_issue_next_read(struct q
+ return rc;
+ }
+
++static int qeth_issue_next_read(struct qeth_card *card)
++{
++ int ret;
++
++ spin_lock_irq(get_ccwdev_lock(CARD_RDEV(card)));
++ ret = __qeth_issue_next_read(card);
++ spin_unlock_irq(get_ccwdev_lock(CARD_RDEV(card)));
++
++ return ret;
++}
++
+ static struct qeth_reply *qeth_alloc_reply(struct qeth_card *card)
+ {
+ struct qeth_reply *reply;
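Review bot: The locking contract created by this split is not written down. `__qeth_issue_next_read()` must be called with the read device's ccwlock held, and the new `qeth_issue_next_read()` uses `spin_lock_irq()`, which re-enables interrupts on unlock and so must not be called with them disabled. A comment on each function should state this. `lockdep_assert_held(get_ccwdev_lock(CARD_RDEV(card)));` at the top of `__qeth_issue_next_read()` would enforce the first rule. The body of `__qeth_issue_next_read()` lies between this hunk and the previous one.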
+@@ -1179,7 +1189,7 @@ static void qeth_irq(struct ccw_device *
+ return;
+ if (channel == &card->read &&
+ channel->state == CH_STATE_UP)
+- qeth_issue_next_read(card);
++ __qeth_issue_next_read(card);
+
+ iob = channel->iob;
+ index = channel->buf_no;
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Tue, 20 Mar 2018 07:59:15 +0100
+Subject: s390/qeth: on channel error, reject further cmd requests
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+
+[ Upstream commit a6c3d93963e4b333c764fde69802c3ea9eaa9d5c ]
+
+When the IRQ handler determines that one of the cmd IO channels has
+failed and schedules recovery, block any further cmd requests from
+being submitted. The request would inevitably stall, and prevent the
+recovery from making progress until the request times out.
+
+This sort of error was observed after Live Guest Relocation, where
+the pending IO on the READ channel intentionally gets terminated to
+kick-start recovery. Simultaneously the guest executed SIOCETHTOOL,
+triggering qeth to issue a QUERY CARD INFO command. The command
+then stalled in the inoperabel WRITE channel.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -1171,6 +1171,7 @@ static void qeth_irq(struct ccw_device *
+ }
+ rc = qeth_get_problem(cdev, irb);
+ if (rc) {
++ card->read_or_write_problem = 1;
+ qeth_clear_ipacmd_list(card);
+ qeth_schedule_recovery(card);
+ goto out;
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Tue, 20 Mar 2018 07:59:13 +0100
+Subject: s390/qeth: when thread completes, wake up all waiters
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+
+[ Upstream commit 1063e432bb45be209427ed3f1ca3908e4aa3c7d7 ]
+
+qeth_wait_for_threads() is potentially called by multiple users, make
+sure to notify all of them after qeth_clear_thread_running_bit()
+adjusted the thread_running_mask. With no timeout, callers would
+otherwise stall.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -957,7 +957,7 @@ void qeth_clear_thread_running_bit(struc
+ spin_lock_irqsave(&card->thread_mask_lock, flags);
+ card->thread_running_mask &= ~thread;
+ spin_unlock_irqrestore(&card->thread_mask_lock, flags);
+- wake_up(&card->wait_q);
++ wake_up_all(&card->wait_q);
+ }
+ EXPORT_SYMBOL_GPL(qeth_clear_thread_running_bit);
+
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Date: Mon, 5 Mar 2018 20:52:54 +0300
+Subject: sch_netem: fix skb leak in netem_enqueue()
+
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+
+
+[ Upstream commit 35d889d10b649fda66121891ec05eca88150059d ]
+
+When we exceed current packets limit and we have more than one
+segment in the list returned by skb_gso_segment(), netem drops
+only the first one, skipping the rest, hence kmemleak reports:
+
+unreferenced object 0xffff880b5d23b600 (size 1024):
+ comm "softirq", pid 0, jiffies 4384527763 (age 2770.629s)
+ hex dump (first 32 bytes):
+ 00 80 23 5d 0b 88 ff ff 00 00 00 00 00 00 00 00 ..#]............
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000d8a19b9d>] __alloc_skb+0xc9/0x520
+ [<000000001709b32f>] skb_segment+0x8c8/0x3710
+ [<00000000c7b9bb88>] tcp_gso_segment+0x331/0x1830
+ [<00000000c921cba1>] inet_gso_segment+0x476/0x1370
+ [<000000008b762dd4>] skb_mac_gso_segment+0x1f9/0x510
+ [<000000002182660a>] __skb_gso_segment+0x1dd/0x620
+ [<00000000412651b9>] netem_enqueue+0x1536/0x2590 [sch_netem]
+ [<0000000005d3b2a9>] __dev_queue_xmit+0x1167/0x2120
+ [<00000000fc5f7327>] ip_finish_output2+0x998/0xf00
+ [<00000000d309e9d3>] ip_output+0x1aa/0x2c0
+ [<000000007ecbd3a4>] tcp_transmit_skb+0x18db/0x3670
+ [<0000000042d2a45f>] tcp_write_xmit+0x4d4/0x58c0
+ [<0000000056a44199>] tcp_tasklet_func+0x3d9/0x540
+ [<0000000013d06d02>] tasklet_action+0x1ca/0x250
+ [<00000000fcde0b8b>] __do_softirq+0x1b4/0x5a3
+ [<00000000e7ed027c>] irq_exit+0x1e2/0x210
+
+Fix it by adding the rest of the segments, if any, to skb 'to_free'
+list. Add new __qdisc_drop_all() and qdisc_drop_all() functions
+because they can be useful in the future if we need to drop segmented
+GSO packets in other places.
+
+Fixes: 6071bd1aa13e ("netem: Segment GSO packets on enqueue")
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sch_generic.h | 19 +++++++++++++++++++
+ net/sched/sch_netem.c | 2 +-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -675,6 +675,16 @@ static inline void __qdisc_drop(struct s
+ *to_free = skb;
+ }
+
++static inline void __qdisc_drop_all(struct sk_buff *skb,
++ struct sk_buff **to_free)
++{
++ if (skb->prev)
++ skb->prev->next = *to_free;
++ else
++ skb->next = *to_free;
++ *to_free = skb;
++}
++
+ static inline unsigned int __qdisc_queue_drop_head(struct Qdisc *sch,
+ struct qdisc_skb_head *qh,
+ struct sk_buff **to_free)
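Review bot: `__qdisc_drop_all()` depends on an unstated layout of its argument: it treats `skb` as the head of a `->next` list and `skb->prev`, when set, as that list's last element. If `prev` pointed anywhere else, the splice onto `*to_free` would cut the list short or link in an unrelated skb. A comment above the helper should state the requirement, for example `/* skb heads a ->next list; skb->prev, if set, must be its tail */`, and name the producer that guarantees it (the commit message mentions `skb_gso_segment()`). Note also that `qdisc_drop_all()` in the next hunk calls `qdisc_qstats_drop()` once for the whole list, so the drop counter advances by one regardless of how many segments are freed.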
+@@ -793,6 +803,15 @@ static inline int qdisc_drop(struct sk_b
+ qdisc_qstats_drop(sch);
+
+ return NET_XMIT_DROP;
++}
++
++static inline int qdisc_drop_all(struct sk_buff *skb, struct Qdisc *sch,
++ struct sk_buff **to_free)
++{
++ __qdisc_drop_all(skb, to_free);
++ qdisc_qstats_drop(sch);
++
++ return NET_XMIT_DROP;
+ }
+
+ /* Length to Time (L2T) lookup in a qdisc_rate_table, to determine how
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -513,7 +513,7 @@ static int netem_enqueue(struct sk_buff
+ }
+
+ if (unlikely(sch->q.qlen >= sch->limit))
+- return qdisc_drop(skb, sch, to_free);
++ return qdisc_drop_all(skb, sch, to_free);
+
+ qdisc_qstats_backlog_inc(sch, skb);
+
--- /dev/null
+From 48ae8484e9fc324b4968d33c585e54bc98e44d61 Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <jthumshirn@suse.de>
+Date: Wed, 10 May 2017 09:53:40 +0200
+Subject: scsi: sg: don't return bogus Sg_requests
+
+From: Johannes Thumshirn <jthumshirn@suse.de>
+
+commit 48ae8484e9fc324b4968d33c585e54bc98e44d61 upstream.
+
+If the list search in sg_get_rq_mark() fails to find a valid request, we
+return a bogus element. This then can later lead to a GPF in
+sg_remove_scat().
+
+So don't return bogus Sg_requests in sg_get_rq_mark() but NULL in case
+the list search doesn't find a valid request.
+
+Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Doug Gilbert <dgilbert@interlog.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Acked-by: Doug Gilbert <dgilbert@interlog.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: Tony Battersby <tonyb@cybernetics.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sg.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -2064,11 +2064,12 @@ sg_get_rq_mark(Sg_fd * sfp, int pack_id)
+ if ((1 == resp->done) && (!resp->sg_io_owned) &&
+ ((-1 == pack_id) || (resp->header.pack_id == pack_id))) {
+ resp->done = 2; /* guard against other readers */
+- break;
++ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
++ return resp;
+ }
+ }
+ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
+- return resp;
++ return NULL;
+ }
+
+ /* always adds to end of list */
--- /dev/null
+scsi-sg-don-t-return-bogus-sg_requests.patch
+genirq-track-whether-the-trigger-type-has-been-set.patch
+net-sched-actions-return-explicit-error-when-tunnel_key-mode-is-not-specified.patch
+ppp-avoid-loop-in-xmit-recursion-detection-code.patch
+rhashtable-fix-rhlist-duplicates-insertion.patch
+sch_netem-fix-skb-leak-in-netem_enqueue.patch
+ieee802154-6lowpan-fix-possible-null-deref-in-lowpan_device_event.patch
+net-use-skb_to_full_sk-in-skb_update_prio.patch
+net-fix-hlist-corruptions-in-inet_evict_bucket.patch
+dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch
+ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_redirect_hdr_option.patch
+l2tp-do-not-accept-arbitrary-sockets.patch
+net-ethernet-arc-fix-a-potential-memory-leak-if-an-optional-regulator-is-deferred.patch
+net-ethernet-ti-cpsw-add-check-for-in-band-mode-setting-with-rgmii-phy-interface.patch
+net-fec-fix-unbalanced-pm-runtime-calls.patch
+net-iucv-free-memory-obtained-by-kzalloc.patch
+netlink-avoid-a-double-skb-free-in-genlmsg_mcast.patch
+net-only-honor-ifindex-in-ip_pktinfo-if-non-0.patch
+skbuff-fix-not-waking-applications-when-errors-are-enqueued.patch
+team-fix-double-free-in-error-path.patch
+soc-fsl-qbman-fix-issue-in-qman_delete_cgr_safe.patch
+s390-qeth-free-netdevice-when-removing-a-card.patch
+s390-qeth-when-thread-completes-wake-up-all-waiters.patch
+s390-qeth-lock-read-device-while-queueing-next-buffer.patch
+s390-qeth-on-channel-error-reject-further-cmd-requests.patch
+net-systemport-rewrite-__bcm_sysport_tx_reclaim.patch
+kcm-lock-lower-socket-in-kcm_attach.patch
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Date: Wed, 14 Mar 2018 13:32:09 -0700
+Subject: skbuff: Fix not waking applications when errors are enqueued
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+
+[ Upstream commit 6e5d58fdc9bedd0255a8781b258f10bbdc63e975 ]
+
+When errors are enqueued to the error queue via sock_queue_err_skb()
+function, it is possible that the waiting application is not notified.
+
+Calling 'sk->sk_data_ready()' would not notify applications that
+selected only POLLERR events in poll() (for example).
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Randy E. Witt <randy.e.witt@intel.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3717,7 +3717,7 @@ int sock_queue_err_skb(struct sock *sk,
+
+ skb_queue_tail(&sk->sk_error_queue, skb);
+ if (!sock_flag(sk, SOCK_DEAD))
+- sk->sk_data_ready(sk);
++ sk->sk_error_report(sk);
+ return 0;
+ }
+ EXPORT_SYMBOL(sock_queue_err_skb);
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Madalin Bucur <madalin.bucur@nxp.com>
+Date: Wed, 14 Mar 2018 08:37:28 -0500
+Subject: soc/fsl/qbman: fix issue in qman_delete_cgr_safe()
+
+From: Madalin Bucur <madalin.bucur@nxp.com>
+
+
+[ Upstream commit 96f413f47677366e0ae03797409bfcc4151dbf9e ]
+
+The wait_for_completion() call in qman_delete_cgr_safe()
+was triggering a scheduling while atomic bug, replacing the
+kthread with a smp_call_function_single() call to fix it.
+
+Signed-off-by: Madalin Bucur <madalin.bucur@nxp.com>
+Signed-off-by: Roy Pledge <roy.pledge@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/fsl/qbman/qman.c | 28 +++++-----------------------
+ 1 file changed, 5 insertions(+), 23 deletions(-)
+
+--- a/drivers/soc/fsl/qbman/qman.c
++++ b/drivers/soc/fsl/qbman/qman.c
+@@ -2429,39 +2429,21 @@ struct cgr_comp {
+ struct completion completion;
+ };
+
+-static int qman_delete_cgr_thread(void *p)
++static void qman_delete_cgr_smp_call(void *p)
+ {
+- struct cgr_comp *cgr_comp = (struct cgr_comp *)p;
+- int ret;
+-
+- ret = qman_delete_cgr(cgr_comp->cgr);
+- complete(&cgr_comp->completion);
+-
+- return ret;
++ qman_delete_cgr((struct qman_cgr *)p);
+ }
+
+ void qman_delete_cgr_safe(struct qman_cgr *cgr)
+ {
+- struct task_struct *thread;
+- struct cgr_comp cgr_comp;
+-
+ preempt_disable();
+ if (qman_cgr_cpus[cgr->cgrid] != smp_processor_id()) {
+- init_completion(&cgr_comp.completion);
+- cgr_comp.cgr = cgr;
+- thread = kthread_create(qman_delete_cgr_thread, &cgr_comp,
+- "cgr_del");
+-
+- if (IS_ERR(thread))
+- goto out;
+-
+- kthread_bind(thread, qman_cgr_cpus[cgr->cgrid]);
+- wake_up_process(thread);
+- wait_for_completion(&cgr_comp.completion);
++ smp_call_function_single(qman_cgr_cpus[cgr->cgrid],
++ qman_delete_cgr_smp_call, cgr, true);
+ preempt_enable();
+ return;
+ }
+-out:
++
+ qman_delete_cgr(cgr);
+ preempt_enable();
+ }
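Review bot: The result of `smp_call_function_single()` in `qman_delete_cgr_safe()` is discarded, and `qman_delete_cgr_smp_call()` drops the return value of `qman_delete_cgr()`, so a failed cross-CPU delete is silent. If the CPU recorded in `qman_cgr_cpus[cgr->cgrid]` is offline, the call returns an error without running the callback, and a caller that then frees `cgr` would presumably leave a stale registration behind. Since the function is void, it should at least warn, e.g. `WARN_ON(smp_call_function_single(qman_cgr_cpus[cgr->cgrid], qman_delete_cgr_smp_call, cgr, true));`. The callback now runs in IPI context instead of a kthread, so it is worth confirming that `qman_delete_cgr()` never sleeps. `struct cgr_comp` in the context lines at the top of the hunk appears to have no users left after this change and could be removed.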
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Arkadi Sharshevsky <arkadis@mellanox.com>
+Date: Thu, 8 Mar 2018 12:42:10 +0200
+Subject: team: Fix double free in error path
+
+From: Arkadi Sharshevsky <arkadis@mellanox.com>
+
+
+[ Upstream commit cbcc607e18422555db569b593608aec26111cb0b ]
+
+The __send_and_alloc_skb() receives a skb ptr as a parameter but in
+case it fails the skb is not valid:
+- Send failed and released the skb internally.
+- Allocation failed.
+
+The current code tries to release the skb in case of failure which
+causes redundant freeing.
+
+Fixes: 9b00cf2d1024 ("team: implement multipart netlink messages for options transfers")
+Signed-off-by: Arkadi Sharshevsky <arkadis@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2403,7 +2403,7 @@ send_done:
+ if (!nlh) {
+ err = __send_and_alloc_skb(&skb, team, portid, send_func);
+ if (err)
+- goto errout;
++ return err;
+ goto send_done;
+ }
+
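Review bot: Both `return err;` sites (this hunk and the one at `@@ -2688`) rely on an unwritten contract that `__send_and_alloc_skb()` leaves `skb` either already freed or never allocated on every failure path, and nothing at the call site records that. A comment such as `/* skb was consumed or never allocated on failure; errout would free it again */` above each `return err;` would keep a later cleanup from routing this path back to `errout`. Having the helper store NULL through its `&skb` argument on failure would make the invariant hold by construction, but that function is outside these hunks. The enclosing functions start and end outside the hunks, so whether `errout` does other cleanup that the direct return now skips cannot be checked from here.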
+@@ -2688,7 +2688,7 @@ send_done:
+ if (!nlh) {
+ err = __send_and_alloc_skb(&skb, team, portid, send_func);
+ if (err)
+- goto errout;
++ return err;
+ goto send_done;
+ }
+