3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 17 Apr 2016 09:49:32 +0000 (02:49 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 17 Apr 2016 09:49:32 +0000 (02:49 -0700)
added patches:
ath9k-fix-buffer-overrun-for-ar9287.patch
cdc_ncm-toggle-altsetting-to-force-reset-before-setup.patch
farsync-fix-off-by-one-bug-in-fst_add_one.patch
ip6_tunnel-set-rtnl_link_ops-before-calling-register_netdevice.patch
ipv4-fix-broadcast-packets-reception.patch
ipv4-l2tp-fix-a-potential-issue-in-l2tp_ip_recv.patch
ipv6-l2tp-fix-a-potential-issue-in-l2tp_ip6_recv.patch
ipv6-re-enable-fragment-header-matching-in-ipv6_find_hdr.patch
net-fix-use-after-free-in-the-recvmmsg-exit-path.patch
net-jme-fix-suspend-resume-on-jmc260.patch
ppp-take-reference-on-channels-netns.patch
qlge-fix-receive-packets-drop.patch
qmi_wwan-add-d-link-dwm-221-b1-device-id.patch
sctp-lack-the-check-for-ports-in-sctp_v6_cmp_addr.patch
sh_eth-fix-null-pointer-dereference-in-sh_eth_ring_format.patch
udp6-fix-udp-ipv6-encap-resubmit-path.patch
usbnet-cleanup-after-bind-in-probe.patch

18 files changed:
queue-3.14/ath9k-fix-buffer-overrun-for-ar9287.patch [new file with mode: 0644]
queue-3.14/cdc_ncm-toggle-altsetting-to-force-reset-before-setup.patch [new file with mode: 0644]
queue-3.14/farsync-fix-off-by-one-bug-in-fst_add_one.patch [new file with mode: 0644]
queue-3.14/ip6_tunnel-set-rtnl_link_ops-before-calling-register_netdevice.patch [new file with mode: 0644]
queue-3.14/ipv4-fix-broadcast-packets-reception.patch [new file with mode: 0644]
queue-3.14/ipv4-l2tp-fix-a-potential-issue-in-l2tp_ip_recv.patch [new file with mode: 0644]
queue-3.14/ipv6-l2tp-fix-a-potential-issue-in-l2tp_ip6_recv.patch [new file with mode: 0644]
queue-3.14/ipv6-re-enable-fragment-header-matching-in-ipv6_find_hdr.patch [new file with mode: 0644]
queue-3.14/net-fix-use-after-free-in-the-recvmmsg-exit-path.patch [new file with mode: 0644]
queue-3.14/net-jme-fix-suspend-resume-on-jmc260.patch [new file with mode: 0644]
queue-3.14/ppp-take-reference-on-channels-netns.patch [new file with mode: 0644]
queue-3.14/qlge-fix-receive-packets-drop.patch [new file with mode: 0644]
queue-3.14/qmi_wwan-add-d-link-dwm-221-b1-device-id.patch [new file with mode: 0644]
queue-3.14/sctp-lack-the-check-for-ports-in-sctp_v6_cmp_addr.patch [new file with mode: 0644]
queue-3.14/series
queue-3.14/sh_eth-fix-null-pointer-dereference-in-sh_eth_ring_format.patch [new file with mode: 0644]
queue-3.14/udp6-fix-udp-ipv6-encap-resubmit-path.patch [new file with mode: 0644]
queue-3.14/usbnet-cleanup-after-bind-in-probe.patch [new file with mode: 0644]

diff --git a/queue-3.14/ath9k-fix-buffer-overrun-for-ar9287.patch b/queue-3.14/ath9k-fix-buffer-overrun-for-ar9287.patch
new file mode 100644 (file)
index 0000000..8f757eb
--- /dev/null
@@ -0,0 +1,71 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 14 Mar 2016 15:18:36 +0100
+Subject: ath9k: fix buffer overrun for ar9287
+Status: RO
+Content-Length: 2787
+Lines: 65
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 83d6f1f15f8cce844b0a131cbc63e444620e48b5 ]
+
+Code that was added back in 2.6.38 has an obvious overflow
+when accessing a static array, and at the time it was added
+only a code comment was put in front of it as a reminder
+to have it reviewed properly.
+
+This has not happened, but gcc-6 now points to the specific
+overflow:
+
+drivers/net/wireless/ath/ath9k/eeprom.c: In function 'ath9k_hw_get_gain_boundaries_pdadcs':
+drivers/net/wireless/ath/ath9k/eeprom.c:483:44: error: array subscript is above array bounds [-Werror=array-bounds]
+     maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4];
+                   ~~~~~~~~~~~~~~~~~~~~~~~~~^~~
+
+It turns out that the correct array length exists in the local
+'intercepts' variable of this function, so we can just use that
+instead of hardcoding '4', so this patch changes all three
+instances to use that variable. The other two instances were
+already correct, but it's more consistent this way.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: 940cd2c12ebf ("ath9k_hw: merge the ar9287 version of ath9k_hw_get_gain_boundaries_pdadcs")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath9k/eeprom.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/eeprom.c
++++ b/drivers/net/wireless/ath/ath9k/eeprom.c
+@@ -408,10 +408,9 @@ void ath9k_hw_get_gain_boundaries_pdadcs
+       if (match) {
+               if (AR_SREV_9287(ah)) {
+-                      /* FIXME: array overrun? */
+                       for (i = 0; i < numXpdGains; i++) {
+                               minPwrT4[i] = data_9287[idxL].pwrPdg[i][0];
+-                              maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4];
++                              maxPwrT4[i] = data_9287[idxL].pwrPdg[i][intercepts - 1];
+                               ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i],
+                                               data_9287[idxL].pwrPdg[i],
+                                               data_9287[idxL].vpdPdg[i],
+@@ -421,7 +420,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs
+               } else if (eeprom_4k) {
+                       for (i = 0; i < numXpdGains; i++) {
+                               minPwrT4[i] = data_4k[idxL].pwrPdg[i][0];
+-                              maxPwrT4[i] = data_4k[idxL].pwrPdg[i][4];
++                              maxPwrT4[i] = data_4k[idxL].pwrPdg[i][intercepts - 1];
+                               ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i],
+                                               data_4k[idxL].pwrPdg[i],
+                                               data_4k[idxL].vpdPdg[i],
+@@ -431,7 +430,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs
+               } else {
+                       for (i = 0; i < numXpdGains; i++) {
+                               minPwrT4[i] = data_def[idxL].pwrPdg[i][0];
+-                              maxPwrT4[i] = data_def[idxL].pwrPdg[i][4];
++                              maxPwrT4[i] = data_def[idxL].pwrPdg[i][intercepts - 1];
+                               ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i],
+                                               data_def[idxL].pwrPdg[i],
+                                               data_def[idxL].vpdPdg[i],
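Review bot: The three `pwrPdg[i][intercepts - 1]` reads are in bounds only if `intercepts` equals the inner dimension of `pwrPdg` for each of the AR9287, 4k and default EEPROM layouts, and that assignment is outside the hunk. With the old FIXME removed, nothing at the loops records this invariant; a short comment above the first loop, such as `/* intercepts is the per-chip pwrPdg row length, so [intercepts - 1] is the last valid entry */`, would keep it visible. It is also worth confirming that `intercepts` cannot be zero on any path that reaches these loops. The function body starts and ends outside the hunk.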
diff --git a/queue-3.14/cdc_ncm-toggle-altsetting-to-force-reset-before-setup.patch b/queue-3.14/cdc_ncm-toggle-altsetting-to-force-reset-before-setup.patch
new file mode 100644 (file)
index 0000000..25c1857
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Thu, 3 Mar 2016 22:20:53 +0100
+Subject: cdc_ncm: toggle altsetting to force reset before setup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Status: RO
+Content-Length: 1321
+Lines: 38
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+
+[ Upstream commit 48906f62c96cc2cd35753e59310cb70eb08cc6a5 ]
+
+Some devices will silently fail setup unless they are reset first.
+This is necessary even if the data interface is already in
+altsetting 0, which it will be when the device is probed for the
+first time.  Briefly toggling the altsetting forces a function
+reset regardless of the initial state.
+
+This fixes a setup problem observed on a number of Huawei devices,
+appearing to operate in NTB-32 mode even if we explicitly set them
+to NTB-16 mode.
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/cdc_ncm.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -423,7 +423,11 @@ advance:
+       iface_no = ctx->data->cur_altsetting->desc.bInterfaceNumber;
+-      /* reset data interface */
++      /* Reset data interface. Some devices will not reset properly
++       * unless they are configured first.  Toggle the altsetting to
++       * force a reset
++       */
++      usb_set_interface(dev->udev, iface_no, data_altsetting);
+       temp = usb_set_interface(dev->udev, iface_no, 0);
+       if (temp) {
+               dev_dbg(&intf->dev, "set interface failed\n");
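Review bot: The added `usb_set_interface(dev->udev, iface_no, data_altsetting);` discards its return value, while the next call to the same function is checked through `temp`. If the toggle is deliberately best-effort, the new comment should say so, for example by ending with `A failure here is ignored; the altsetting 0 call below is the one that is checked.` Otherwise a failed toggle silently leaves the device un-reset and the setup problem described in the commit message would reappear with no log line. `data_altsetting` is defined outside the hunk.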
diff --git a/queue-3.14/farsync-fix-off-by-one-bug-in-fst_add_one.patch b/queue-3.14/farsync-fix-off-by-one-bug-in-fst_add_one.patch
new file mode 100644 (file)
index 0000000..50984b5
--- /dev/null
@@ -0,0 +1,57 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 14 Mar 2016 15:18:35 +0100
+Subject: farsync: fix off-by-one bug in fst_add_one
+Status: RO
+Content-Length: 2352
+Lines: 51
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit e725a66c0202b5f36c2f9d59d26a65c53bbf21f7 ]
+
+gcc-6 finds an out of bounds access in the fst_add_one function
+when calculating the end of the mmio area:
+
+drivers/net/wan/farsync.c: In function 'fst_add_one':
+drivers/net/wan/farsync.c:418:53: error: index 2 denotes an offset greater than size of 'u8[2][8192] {aka unsigned char[2][8192]}' [-Werror=array-bounds]
+ #define BUF_OFFSET(X)   (BFM_BASE + offsetof(struct buf_window, X))
+                                                     ^
+include/linux/compiler-gcc.h:158:21: note: in definition of macro '__compiler_offsetof'
+  __builtin_offsetof(a, b)
+                     ^
+drivers/net/wan/farsync.c:418:37: note: in expansion of macro 'offsetof'
+ #define BUF_OFFSET(X)   (BFM_BASE + offsetof(struct buf_window, X))
+                                     ^~~~~~~~
+drivers/net/wan/farsync.c:2519:36: note: in expansion of macro 'BUF_OFFSET'
+                                  + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);
+                                    ^~~~~~~~~~
+
+The warning is correct, but not critical because this appears
+to be a write-only variable that is set by each WAN driver but
+never accessed afterwards.
+
+I'm taking the minimal fix here, using the correct pointer by
+pointing 'mem_end' to the last byte inside of the register area
+as all other WAN drivers do, rather than the first byte outside of
+it. An alternative would be to just remove the mem_end member
+entirely.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/farsync.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wan/farsync.c
++++ b/drivers/net/wan/farsync.c
+@@ -2545,7 +2545,7 @@ fst_add_one(struct pci_dev *pdev, const
+                 dev->mem_start   = card->phys_mem
+                                  + BUF_OFFSET ( txBuffer[i][0][0]);
+                 dev->mem_end     = card->phys_mem
+-                                 + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);
++                                 + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER - 1][LEN_RX_BUFFER - 1]);
+                 dev->base_addr   = card->pci_conf;
+                 dev->irq         = card->irq;
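Review bot: The new upper bound indexes `txBuffer` with an RX-side constant, in `BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER - 1][LEN_RX_BUFFER - 1])`. The gcc message quoted in the patch gives the indexed type as `u8[2][8192]`, so the offset is correct only while the RX and TX buffer lengths stay equal. If the driver defines a TX length constant, using it here (`[NUM_TX_BUFFER - 1][LEN_TX_BUFFER - 1]`) would tie the index to the array it addresses. fst_add_one continues outside the hunk.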
diff --git a/queue-3.14/ip6_tunnel-set-rtnl_link_ops-before-calling-register_netdevice.patch b/queue-3.14/ip6_tunnel-set-rtnl_link_ops-before-calling-register_netdevice.patch
new file mode 100644 (file)
index 0000000..89d8348
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
+Date: Fri, 1 Apr 2016 17:17:50 -0300
+Subject: ip6_tunnel: set rtnl_link_ops before calling register_netdevice
+Status: RO
+Content-Length: 1146
+Lines: 37
+
+From: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
+
+[ Upstream commit b6ee376cb0b7fb4e7e07d6cd248bd40436fb9ba6 ]
+
+When creating an ip6tnl tunnel with ip tunnel, rtnl_link_ops is not set
+before ip6_tnl_create2 is called. When register_netdevice is called, there
+is no linkinfo attribute in the NEWLINK message because of that.
+
+Setting rtnl_link_ops before calling register_netdevice fixes that.
+
+Fixes: 0b112457229d ("ip6tnl: add support of link creation via rtnl")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -273,12 +273,12 @@ static int ip6_tnl_create2(struct net_de
+       t = netdev_priv(dev);
++      dev->rtnl_link_ops = &ip6_link_ops;
+       err = register_netdevice(dev);
+       if (err < 0)
+               goto out;
+       strcpy(t->parms.name, dev->name);
+-      dev->rtnl_link_ops = &ip6_link_ops;
+       dev_hold(dev);
+       ip6_tnl_link(ip6n, t);
diff --git a/queue-3.14/ipv4-fix-broadcast-packets-reception.patch b/queue-3.14/ipv4-fix-broadcast-packets-reception.patch
new file mode 100644 (file)
index 0000000..b2d5da1
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 22 Mar 2016 09:19:38 +0100
+Subject: ipv4: fix broadcast packets reception
+Status: RO
+Content-Length: 1329
+Lines: 43
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit ad0ea1989cc4d5905941d0a9e62c63ad6d859cef ]
+
+Currently, ingress ipv4 broadcast datagrams are dropped since,
+in udp_v4_early_demux(), ip_check_mc_rcu() is invoked even on
+bcast packets.
+
+This patch addresses the issue, invoking ip_check_mc_rcu()
+only for mcast packets.
+
+Fixes: 6e5403093261 ("ipv4/udp: Verify multicast group is ours in upd_v4_early_demux()")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udp.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1939,10 +1939,14 @@ void udp_v4_early_demux(struct sk_buff *
+               if (!in_dev)
+                       return;
+-              ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr,
+-                                     iph->protocol);
+-              if (!ours)
+-                      return;
++              /* we are supposed to accept bcast packets */
++              if (skb->pkt_type == PACKET_MULTICAST) {
++                      ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr,
++                                             iph->protocol);
++                      if (!ours)
++                              return;
++              }
++
+               sk = __udp4_lib_mcast_demux_lookup(net, uh->dest, iph->daddr,
+                                                  uh->source, iph->saddr, dif);
+       } else if (skb->pkt_type == PACKET_HOST) {
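Review bot: The comment `/* we are supposed to accept bcast packets */` sits directly above a test for `PACKET_MULTICAST`, so it reads as if it described the multicast branch. Wording it around the condition would be clearer, e.g. `/* only multicast needs the group-membership check; broadcast is always accepted */`. `ours` is now used only inside the new block and could be declared there, provided its declaration (outside this hunk) has no other users.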
diff --git a/queue-3.14/ipv4-l2tp-fix-a-potential-issue-in-l2tp_ip_recv.patch b/queue-3.14/ipv4-l2tp-fix-a-potential-issue-in-l2tp_ip_recv.patch
new file mode 100644 (file)
index 0000000..e81b09f
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Date: Sun, 3 Apr 2016 22:09:23 +0800
+Subject: ipv4: l2tp: fix a potential issue in l2tp_ip_recv
+Status: RO
+Content-Length: 1135
+Lines: 43
+
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+
+[ Upstream commit 5745b8232e942abd5e16e85fa9b27cc21324acf0 ]
+
+pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
+right place.
+
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ip.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -123,12 +123,11 @@ static int l2tp_ip_recv(struct sk_buff *
+       struct l2tp_tunnel *tunnel = NULL;
+       int length;
+-      /* Point to L2TP header */
+-      optr = ptr = skb->data;
+-
+       if (!pskb_may_pull(skb, 4))
+               goto discard;
++      /* Point to L2TP header */
++      optr = ptr = skb->data;
+       session_id = ntohl(*((__be32 *) ptr));
+       ptr += 4;
+@@ -156,6 +155,9 @@ static int l2tp_ip_recv(struct sk_buff *
+               if (!pskb_may_pull(skb, length))
+                       goto discard;
++              /* Point to L2TP header */
++              optr = ptr = skb->data;
++              ptr += 4;
+               pr_debug("%s: ip recv\n", tunnel->name);
+               print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length);
+       }
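Review bot: In the debug path of the second hunk, `pskb_may_pull(skb, length)` guarantees `length` linear bytes starting at `skb->data`, but `print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length)` then reads `length` bytes starting at `skb->data + 4`. Unless `length` (computed outside the hunk) already excludes the 4-byte session id, the dump can read up to 4 bytes past what was pulled. Dumping from `optr`, or passing `length - 4` once `length >= 4` is established, would keep the read inside the pulled area. The same pattern is in the l2tp_ip6_recv hunk of ipv6-l2tp-fix-a-potential-issue-in-l2tp_ip6_recv.patch. Both functions start and end outside their hunks.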
diff --git a/queue-3.14/ipv6-l2tp-fix-a-potential-issue-in-l2tp_ip6_recv.patch b/queue-3.14/ipv6-l2tp-fix-a-potential-issue-in-l2tp_ip6_recv.patch
new file mode 100644 (file)
index 0000000..53a4524
--- /dev/null
@@ -0,0 +1,49 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Date: Sun, 3 Apr 2016 22:09:24 +0800
+Subject: ipv6: l2tp: fix a potential issue in l2tp_ip6_recv
+Status: RO
+Content-Length: 1142
+Lines: 43
+
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+
+[ Upstream commit be447f305494e019dfc37ea4cdf3b0e4200b4eba ]
+
+pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
+right place.
+
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ip6.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -135,12 +135,11 @@ static int l2tp_ip6_recv(struct sk_buff
+       struct l2tp_tunnel *tunnel = NULL;
+       int length;
+-      /* Point to L2TP header */
+-      optr = ptr = skb->data;
+-
+       if (!pskb_may_pull(skb, 4))
+               goto discard;
++      /* Point to L2TP header */
++      optr = ptr = skb->data;
+       session_id = ntohl(*((__be32 *) ptr));
+       ptr += 4;
+@@ -168,6 +167,9 @@ static int l2tp_ip6_recv(struct sk_buff
+               if (!pskb_may_pull(skb, length))
+                       goto discard;
++              /* Point to L2TP header */
++              optr = ptr = skb->data;
++              ptr += 4;
+               pr_debug("%s: ip recv\n", tunnel->name);
+               print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length);
+       }
diff --git a/queue-3.14/ipv6-re-enable-fragment-header-matching-in-ipv6_find_hdr.patch b/queue-3.14/ipv6-re-enable-fragment-header-matching-in-ipv6_find_hdr.patch
new file mode 100644 (file)
index 0000000..3f2861a
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 1 Mar 2016 16:15:16 +0100
+Subject: ipv6: re-enable fragment header matching in ipv6_find_hdr
+Status: RO
+Content-Length: 1469
+Lines: 44
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 5d150a985520bbe3cb2aa1ceef24a7e32f20c15f ]
+
+When ipv6_find_hdr is used to find a fragment header
+(caller specifies target NEXTHDR_FRAGMENT) we erronously return
+-ENOENT for all fragments with nonzero offset.
+
+Before commit 9195bb8e381d, when target was specified, we did not
+enter the exthdr walk loop as nexthdr == target so this used to work.
+
+Now we do (so we can skip empty route headers). When we then stumble upon
+a frag with nonzero frag_off we must return -ENOENT ("header not found")
+only if the caller did not specifically request NEXTHDR_FRAGMENT.
+
+This allows nfables exthdr expression to match ipv6 fragments, e.g. via
+
+nft add rule ip6 filter input frag frag-off gt 0
+
+Fixes: 9195bb8e381d ("ipv6: improve ipv6_find_hdr() to skip empty routing headers")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/exthdrs_core.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/exthdrs_core.c
++++ b/net/ipv6/exthdrs_core.c
+@@ -257,7 +257,11 @@ int ipv6_find_hdr(const struct sk_buff *
+                                               *fragoff = _frag_off;
+                                       return hp->nexthdr;
+                               }
+-                              return -ENOENT;
++                              if (!found)
++                                      return -ENOENT;
++                              if (fragoff)
++                                      *fragoff = _frag_off;
++                              break;
+                       }
+                       hdrlen = 8;
+               } else if (nexthdr == NEXTHDR_AUTH) {
diff --git a/queue-3.14/net-fix-use-after-free-in-the-recvmmsg-exit-path.patch b/queue-3.14/net-fix-use-after-free-in-the-recvmmsg-exit-path.patch
new file mode 100644 (file)
index 0000000..97b32ec
--- /dev/null
@@ -0,0 +1,94 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Mon, 14 Mar 2016 09:56:35 -0300
+Subject: net: Fix use after free in the recvmmsg exit path
+Status: RO
+Content-Length: 2726
+Lines: 88
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 34b88a68f26a75e4fded796f1a49c40f82234b7d ]
+
+The syzkaller fuzzer hit the following use-after-free:
+
+  Call Trace:
+   [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
+   [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
+   [<     inline     >] SYSC_recvmmsg net/socket.c:2281
+   [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
+   [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
+  arch/x86/entry/entry_64.S:185
+
+And, as Dmitry rightly assessed, that is because we can drop the
+reference and then touch it when the underlying recvmsg calls return
+some packets and then hit an error, which will make recvmmsg to set
+sock->sk->sk_err, oops, fix it.
+
+Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Kostya Serebryany <kcc@google.com>
+Cc: Sasha Levin <sasha.levin@oracle.com>
+Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall")
+http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/socket.c |   38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -2400,31 +2400,31 @@ int __sys_recvmmsg(int fd, struct mmsghd
+                       break;
+       }
+-out_put:
+-      fput_light(sock->file, fput_needed);
+-
+       if (err == 0)
+-              return datagrams;
++              goto out_put;
++
++      if (datagrams == 0) {
++              datagrams = err;
++              goto out_put;
++      }
+-      if (datagrams != 0) {
++      /*
++       * We may return less entries than requested (vlen) if the
++       * sock is non block and there aren't enough datagrams...
++       */
++      if (err != -EAGAIN) {
+               /*
+-               * We may return less entries than requested (vlen) if the
+-               * sock is non block and there aren't enough datagrams...
++               * ... or  if recvmsg returns an error after we
++               * received some datagrams, where we record the
++               * error to return on the next call or if the
++               * app asks about it using getsockopt(SO_ERROR).
+                */
+-              if (err != -EAGAIN) {
+-                      /*
+-                       * ... or  if recvmsg returns an error after we
+-                       * received some datagrams, where we record the
+-                       * error to return on the next call or if the
+-                       * app asks about it using getsockopt(SO_ERROR).
+-                       */
+-                      sock->sk->sk_err = -err;
+-              }
+-
+-              return datagrams;
++              sock->sk->sk_err = -err;
+       }
++out_put:
++      fput_light(sock->file, fput_needed);
+-      return err;
++      return datagrams;
+ }
+ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
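Review bot: After this change `datagrams` carries either the message count or a negative errno (`datagrams = err;`), and the single `return datagrams;` hides that from anyone reading only the tail of the function. A one-line comment at the assignment, e.g. `/* nothing received: return the error itself */`, would make the dual use explicit. The store `sock->sk->sk_err = -err;` now precedes `fput_light()`, which is the ordering the fix depends on. A comment at `out_put:` such as `/* sock must not be touched after this point */` would help keep later edits from reintroducing the use-after-free. __sys_recvmmsg starts outside the hunk.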
diff --git a/queue-3.14/net-jme-fix-suspend-resume-on-jmc260.patch b/queue-3.14/net-jme-fix-suspend-resume-on-jmc260.patch
new file mode 100644 (file)
index 0000000..4e7df6c
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Diego Viola <diego.viola@gmail.com>
+Date: Tue, 23 Feb 2016 12:04:04 -0300
+Subject: net: jme: fix suspend/resume on JMC260
+Status: RO
+Content-Length: 1085
+Lines: 40
+
+From: Diego Viola <diego.viola@gmail.com>
+
+[ Upstream commit ee50c130c82175eaa0820c96b6d3763928af2241 ]
+
+The JMC260 network card fails to suspend/resume because the call to
+jme_start_irq() was too early, moving the call to jme_start_irq() after
+the call to jme_reset_link() makes it work.
+
+Prior this change suspend/resume would fail unless /sys/power/pm_async=0
+was explicitly specified.
+
+Relevant bug report: https://bugzilla.kernel.org/show_bug.cgi?id=112351
+
+Signed-off-by: Diego Viola <diego.viola@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/jme.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/jme.c
++++ b/drivers/net/ethernet/jme.c
+@@ -3287,13 +3287,14 @@ jme_resume(struct device *dev)
+               jme_reset_phy_processor(jme);
+       jme_phy_calibration(jme);
+       jme_phy_setEA(jme);
+-      jme_start_irq(jme);
+       netif_device_attach(netdev);
+       atomic_inc(&jme->link_changing);
+       jme_reset_link(jme);
++      jme_start_irq(jme);
++
+       return 0;
+ }
diff --git a/queue-3.14/ppp-take-reference-on-channels-netns.patch b/queue-3.14/ppp-take-reference-on-channels-netns.patch
new file mode 100644 (file)
index 0000000..5c4a112
--- /dev/null
@@ -0,0 +1,152 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Wed, 23 Mar 2016 16:38:55 +0100
+Subject: ppp: take reference on channels netns
+Status: RO
+Content-Length: 8705
+Lines: 146
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+[ Upstream commit 1f461dcdd296eecedaffffc6bae2bfa90bd7eb89 ]
+
+Let channels hold a reference on their network namespace.
+Some channel types, like ppp_async and ppp_synctty, can have their
+userspace controller running in a different namespace. Therefore they
+can't rely on them to preclude their netns from being removed from
+under them.
+
+==================================================================
+BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at
+addr ffff880064e217e0
+Read of size 8 by task syz-executor/11581
+=============================================================================
+BUG net_namespace (Not tainted): kasan: bad access detected
+-----------------------------------------------------------------------------
+
+Disabling lock debugging due to kernel taint
+INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906
+[<      none      >] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440
+[<      none      >] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469
+[<     inline     >] slab_alloc_node kernel/mm/slub.c:2532
+[<     inline     >] slab_alloc kernel/mm/slub.c:2574
+[<      none      >] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579
+[<     inline     >] kmem_cache_zalloc kernel/include/linux/slab.h:597
+[<     inline     >] net_alloc kernel/net/core/net_namespace.c:325
+[<      none      >] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360
+[<      none      >] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95
+[<      none      >] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150
+[<      none      >] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451
+[<     inline     >] copy_process kernel/kernel/fork.c:1274
+[<      none      >] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723
+[<     inline     >] SYSC_clone kernel/kernel/fork.c:1832
+[<      none      >] SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826
+[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185
+
+INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631
+[<      none      >] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650
+[<     inline     >] slab_free kernel/mm/slub.c:2805
+[<      none      >] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814
+[<     inline     >] net_free kernel/net/core/net_namespace.c:341
+[<      none      >] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348
+[<      none      >] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448
+[<      none      >] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036
+[<      none      >] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
+[<      none      >] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
+[<      none      >] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468
+INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000
+flags=0x5fffc0000004080
+INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200
+
+CPU: 1 PID: 11581 Comm: syz-executor Tainted: G    B           4.4.0+
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
+ 00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300
+ ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054
+ ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000
+Call Trace:
+ [<     inline     >] __dump_stack kernel/lib/dump_stack.c:15
+ [<ffffffff8292049d>] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
+ [<ffffffff816f2054>] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
+ [<ffffffff816f875f>] object_err+0x2f/0x40 kernel/mm/slub.c:661
+ [<     inline     >] print_address_description kernel/mm/kasan/report.c:138
+ [<ffffffff816fb0c5>] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236
+ [<     inline     >] kasan_report kernel/mm/kasan/report.c:259
+ [<ffffffff816fb4de>] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280
+ [<     inline     >] ? ppp_pernet kernel/include/linux/compiler.h:218
+ [<ffffffff83ad71b2>] ? ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
+ [<     inline     >] ppp_pernet kernel/include/linux/compiler.h:218
+ [<ffffffff83ad71b2>] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
+ [<     inline     >] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293
+ [<ffffffff83ad6f26>] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
+ [<ffffffff83ae18f3>] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241
+ [<ffffffff83ae1850>] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000
+ [<ffffffff82c33239>] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478
+ [<ffffffff82c332c0>] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744
+ [<ffffffff82c34943>] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772
+ [<ffffffff82c1ef21>] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901
+ [<ffffffff82c1e460>] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688
+ [<ffffffff8174de36>] __fput+0x236/0x780 kernel/fs/file_table.c:208
+ [<ffffffff8174e405>] ____fput+0x15/0x20 kernel/fs/file_table.c:244
+ [<ffffffff813595ab>] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115
+ [<     inline     >] exit_task_work kernel/include/linux/task_work.h:21
+ [<ffffffff81307105>] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
+ [<ffffffff813fdd20>] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123
+ [<ffffffff81306850>] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357
+ [<ffffffff813215e6>] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
+ [<ffffffff8132067b>] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145
+ [<ffffffff81309628>] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
+ [<ffffffff8132b9d4>] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
+ [<     inline     >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
+ [<ffffffff8151d355>] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158
+ [<ffffffff8115f7d3>] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
+ [<ffffffff8151d2a0>] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655
+ [<ffffffff8115f750>] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165
+ [<ffffffff81380864>] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692
+ [<     inline     >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
+ [<ffffffff81380560>] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678
+ [<     inline     >] ? context_switch kernel/kernel/sched/core.c:2807
+ [<ffffffff85d794e9>] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
+ [<ffffffff81003901>] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247
+ [<     inline     >] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282
+ [<ffffffff810062ef>] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344
+ [<ffffffff85d88022>] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281
+Memory state around the buggy address:
+ ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                                                       ^
+ ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2")
+Reported-by: Baozeng Ding <sploving1@gmail.com>
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/ppp_generic.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -2220,7 +2220,7 @@ int ppp_register_net_channel(struct net
+       pch->ppp = NULL;
+       pch->chan = chan;
+-      pch->chan_net = net;
++      pch->chan_net = get_net(net);
+       chan->ppp = pch;
+       init_ppp_file(&pch->file, CHANNEL);
+       pch->file.hdrlen = chan->hdrlen;
+@@ -2317,6 +2317,8 @@ ppp_unregister_channel(struct ppp_channe
+       spin_lock_bh(&pn->all_channels_lock);
+       list_del(&pch->list);
+       spin_unlock_bh(&pn->all_channels_lock);
++      put_net(pch->chan_net);
++      pch->chan_net = NULL;
+       pch->file.dead = 1;
+       wake_up_interruptible(&pch->file.rwait);
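Review bot: In ppp_unregister_channel the namespace reference is dropped and `pch->chan_net` is set to NULL while the channel object is still live; the lines that follow set `pch->file.dead` and wake waiters on `pch->file.rwait`. Any other path that still holds `pch` and passes `pch->chan_net` to a per-net lookup after this point would dereference NULL. Whether such a concurrent path exists cannot be seen from the hunk. Releasing the reference where the channel structure is finally freed, rather than at unregister time, would tie the netns lifetime to the object that stores the pointer. Both functions continue outside their hunks.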
diff --git a/queue-3.14/qlge-fix-receive-packets-drop.patch b/queue-3.14/qlge-fix-receive-packets-drop.patch
new file mode 100644 (file)
index 0000000..e31b6ce
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Manish Chopra <manish.chopra@qlogic.com>
+Date: Tue, 15 Mar 2016 07:13:45 -0400
+Subject: qlge: Fix receive packets drop.
+Status: RO
+Content-Length: 1438
+Lines: 40
+
+From: Manish Chopra <manish.chopra@qlogic.com>
+
+[ Upstream commit 2c9a266afefe137bff06bbe0fc48b4d3b3cb348c ]
+
+When running small packets [length < 256 bytes] traffic, packets were
+being dropped due to invalid data in those packets which were
+delivered by the driver upto the stack. Using pci_dma_sync_single_for_cpu
+ensures copying latest and updated data into skb from the receive buffer.
+
+Signed-off-by: Sony Chacko <sony.chacko@qlogic.com>
+Signed-off-by: Manish Chopra <manish.chopra@qlogic.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qlge/qlge_main.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/net/ethernet/qlogic/qlge/qlge_main.c
++++ b/drivers/net/ethernet/qlogic/qlge/qlge_main.c
+@@ -1648,7 +1648,18 @@ static void ql_process_mac_rx_skb(struct
+               return;
+       }
+       skb_reserve(new_skb, NET_IP_ALIGN);
++
++      pci_dma_sync_single_for_cpu(qdev->pdev,
++                                  dma_unmap_addr(sbq_desc, mapaddr),
++                                  dma_unmap_len(sbq_desc, maplen),
++                                  PCI_DMA_FROMDEVICE);
++
+       memcpy(skb_put(new_skb, length), skb->data, length);
++
++      pci_dma_sync_single_for_device(qdev->pdev,
++                                     dma_unmap_addr(sbq_desc, mapaddr),
++                                     dma_unmap_len(sbq_desc, maplen),
++                                     PCI_DMA_FROMDEVICE);
+       skb = new_skb;
+       /* Frame error, so drop the packet. */
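Review bot: The two sync calls added around the `memcpy` in ql_process_mac_rx_skb have no comment saying why they are needed, and they cover `dma_unmap_len(sbq_desc, maplen)` while the copy itself uses `length`. I would put `/* Make the device's writes visible to the CPU before copying; the buffer is handed back to the device afterwards. */` above the first call. Nothing in the hunk shows `length` being bounded by the mapped length. If that is not already guaranteed earlier in the function, whose body starts and ends outside this hunk, a check before the `memcpy` would be worth adding.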
diff --git a/queue-3.14/qmi_wwan-add-d-link-dwm-221-b1-device-id.patch b/queue-3.14/qmi_wwan-add-d-link-dwm-221-b1-device-id.patch
new file mode 100644 (file)
index 0000000..b4a8b30
--- /dev/null
@@ -0,0 +1,58 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Mon, 28 Mar 2016 22:38:16 +0200
+Subject: qmi_wwan: add "D-Link DWM-221 B1" device id
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Status: RO
+Content-Length: 1807
+Lines: 49
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+
+[ Upstream commit e84810c7b85a2d7897797b3ad3e879168a8e032a ]
+
+Thomas reports:
+"Windows:
+
+00 diagnostics
+01 modem
+02 at-port
+03 nmea
+04 nic
+
+Linux:
+
+T:  Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
+D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
+P:  Vendor=2001 ProdID=7e19 Rev=02.32
+S:  Manufacturer=Mobile Connect
+S:  Product=Mobile Connect
+S:  SerialNumber=0123456789ABCDEF
+C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I:  If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage"
+
+Reported-by: Thomas Schäfer <tschaefer@t-online.de>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -737,6 +737,7 @@ static const struct usb_device_id produc
+       {QMI_FIXED_INTF(0x19d2, 0x1426, 2)},    /* ZTE MF91 */
+       {QMI_FIXED_INTF(0x19d2, 0x1428, 2)},    /* Telewell TW-LTE 4G v2 */
+       {QMI_FIXED_INTF(0x19d2, 0x2002, 4)},    /* ZTE (Vodafone) K3765-Z */
++      {QMI_FIXED_INTF(0x2001, 0x7e19, 4)},    /* D-Link DWM-221 B1 */
+       {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)},    /* Sierra Wireless MC7700 */
+       {QMI_FIXED_INTF(0x114f, 0x68a2, 8)},    /* Sierra Wireless MC7750 */
+       {QMI_FIXED_INTF(0x1199, 0x68a2, 8)},    /* Sierra Wireless MC7710 in QMI mode */
diff --git a/queue-3.14/sctp-lack-the-check-for-ports-in-sctp_v6_cmp_addr.patch b/queue-3.14/sctp-lack-the-check-for-ports-in-sctp_v6_cmp_addr.patch
new file mode 100644 (file)
index 0000000..cd82f0c
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 28 Feb 2016 10:03:51 +0800
+Subject: sctp: lack the check for ports in sctp_v6_cmp_addr
+Status: RO
+Content-Length: 1078
+Lines: 34
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 40b4f0fd74e46c017814618d67ec9127ff20f157 ]
+
+As the member .cmp_addr of sctp_af_inet6, sctp_v6_cmp_addr should also check
+the port of addresses, just like sctp_v4_cmp_addr, cause it's invoked by
+sctp_cmp_addr_exact().
+
+Now sctp_v6_cmp_addr just check the port when two addresses have different
+family, and lack the port check for two ipv6 addresses. that will make
+sctp_hash_cmp() cannot work well.
+
+so fix it by adding ports comparison in sctp_v6_cmp_addr().
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/ipv6.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -519,6 +519,8 @@ static int sctp_v6_cmp_addr(const union
+               }
+               return 0;
+       }
++      if (addr1->v6.sin6_port != addr2->v6.sin6_port)
++              return 0;
+       if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr))
+               return 0;
+       /* If this is a linklocal address, compare the scope_id. */
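Review bot: The added port comparison in sctp_v6_cmp_addr has no comment, so the reason for it lives only in the commit message: sctp_cmp_addr_exact() and the hash comparison depend on addresses with different ports comparing as unequal. I would add `/* Ports must match too, as in sctp_v4_cmp_addr(). */` above the new `if`. The function starts and ends outside the hunk, so how the mixed-family branch above handles ports cannot be checked from here.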
index 5e5d805bcf85d70a0978574b1d8676042a6d87cf..ccc0cfc843e6ca4f83f2bbec37364fe92460b85c 100644 (file)
@@ -6,3 +6,20 @@ mm-fix-invalid-node-in-alloc_migrate_target.patch
 drm-radeon-add-a-dpm-quirk-for-sapphire-dual-x-r7-370-2g-d5.patch
 drm-radeon-add-a-dpm-quirk-for-all-r7-370-parts.patch
 xen-events-mask-a-moving-irq.patch
+net-jme-fix-suspend-resume-on-jmc260.patch
+sctp-lack-the-check-for-ports-in-sctp_v6_cmp_addr.patch
+ipv6-re-enable-fragment-header-matching-in-ipv6_find_hdr.patch
+cdc_ncm-toggle-altsetting-to-force-reset-before-setup.patch
+usbnet-cleanup-after-bind-in-probe.patch
+udp6-fix-udp-ipv6-encap-resubmit-path.patch
+sh_eth-fix-null-pointer-dereference-in-sh_eth_ring_format.patch
+net-fix-use-after-free-in-the-recvmmsg-exit-path.patch
+farsync-fix-off-by-one-bug-in-fst_add_one.patch
+ath9k-fix-buffer-overrun-for-ar9287.patch
+qlge-fix-receive-packets-drop.patch
+ipv4-fix-broadcast-packets-reception.patch
+ppp-take-reference-on-channels-netns.patch
+qmi_wwan-add-d-link-dwm-221-b1-device-id.patch
+ipv4-l2tp-fix-a-potential-issue-in-l2tp_ip_recv.patch
+ipv6-l2tp-fix-a-potential-issue-in-l2tp_ip6_recv.patch
+ip6_tunnel-set-rtnl_link_ops-before-calling-register_netdevice.patch
diff --git a/queue-3.14/sh_eth-fix-null-pointer-dereference-in-sh_eth_ring_format.patch b/queue-3.14/sh_eth-fix-null-pointer-dereference-in-sh_eth_ring_format.patch
new file mode 100644 (file)
index 0000000..2c0e869
--- /dev/null
@@ -0,0 +1,36 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Tue, 8 Mar 2016 01:36:28 +0300
+Subject: sh_eth: fix NULL pointer dereference in sh_eth_ring_format()
+Status: RO
+Content-Length: 1101
+Lines: 30
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit c1b7fca65070bfadca94dd53a4e6b71cd4f69715 ]
+
+In a low memory situation, if netdev_alloc_skb() fails on a first RX ring
+loop iteration  in sh_eth_ring_format(), 'rxdesc' is still NULL.  Avoid
+kernel oops by adding the 'rxdesc' check after the loop.
+
+Reported-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -1156,7 +1156,8 @@ static void sh_eth_ring_format(struct ne
+       mdp->dirty_rx = (u32) (i - mdp->num_rx_ring);
+       /* Mark the last entry as wrapping the ring. */
+-      rxdesc->status |= cpu_to_edmac(mdp, RD_RDEL);
++      if (rxdesc)
++              rxdesc->status |= cpu_to_edmac(mdp, RD_RDEL);
+       memset(mdp->tx_ring, 0, tx_ringsize);
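Review bot: With the new `if (rxdesc)` guard the oops is gone, but when `rxdesc` is NULL the function carries on without any RX descriptor marked as the end of the ring, and since sh_eth_ring_format() returns void the caller is not told. At minimum the guard deserves a comment such as `/* rxdesc is NULL if the very first netdev_alloc_skb() failed: no RX buffer was set up */`. Whether the device can safely be started with an RX ring in that state is not visible in this hunk and should be confirmed against the rest of the function and its callers.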
diff --git a/queue-3.14/udp6-fix-udp-ipv6-encap-resubmit-path.patch b/queue-3.14/udp6-fix-udp-ipv6-encap-resubmit-path.patch
new file mode 100644 (file)
index 0000000..790943d
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Bill Sommerfeld <wsommerfeld@google.com>
+Date: Fri, 4 Mar 2016 14:47:21 -0800
+Subject: udp6: fix UDP/IPv6 encap resubmit path
+Status: RO
+Content-Length: 1318
+Lines: 40
+
+From: Bill Sommerfeld <wsommerfeld@google.com>
+
+[ Upstream commit 59dca1d8a6725a121dae6c452de0b2611d5865dc ]
+
+IPv4 interprets a negative return value from a protocol handler as a
+request to redispatch to a new protocol.  In contrast, IPv6 interprets a
+negative value as an error, and interprets a positive value as a request
+for redispatch.
+
+UDP for IPv6 was unaware of this difference.  Change __udp6_lib_rcv() to
+return a positive value for redispatch.  Note that the socket's
+encap_rcv hook still needs to return a negative value to request
+dispatch, and in the case of IPv6 packets, adjust IP6CB(skb)->nhoff to
+identify the byte containing the next protocol.
+
+Signed-off-by: Bill Sommerfeld <wsommerfeld@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/udp.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -868,11 +868,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
+               ret = udpv6_queue_rcv_skb(sk, skb);
+               sock_put(sk);
+-              /* a return value > 0 means to resubmit the input, but
+-               * it wants the return to be -protocol, or 0
+-               */
++              /* a return value > 0 means to resubmit the input */
+               if (ret > 0)
+-                      return -ret;
++                      return ret;
+               return 0;
+       }
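Review bot: The shortened comment `/* a return value > 0 means to resubmit the input */` in __udp6_lib_rcv drops the part of the contract that the commit message spells out. The socket's encap_rcv hook still signals redispatch with a negative value, and for IPv6 it must also set `IP6CB(skb)->nhoff`. I would keep that next to the code, for example `/* ret > 0: resubmit as next header 'ret' (IPv6 convention, unlike IPv4's -protocol); encap_rcv must have set IP6CB(skb)->nhoff */`. The function body starts and ends outside the hunk, so how `udpv6_queue_rcv_skb()` produces the positive value is not visible here.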
diff --git a/queue-3.14/usbnet-cleanup-after-bind-in-probe.patch b/queue-3.14/usbnet-cleanup-after-bind-in-probe.patch
new file mode 100644 (file)
index 0000000..f391f43
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Sat Apr 16 22:36:37 PDT 2016
+From: Oliver Neukum <oneukum@suse.com>
+Date: Mon, 7 Mar 2016 11:31:10 +0100
+Subject: usbnet: cleanup after bind() in probe()
+Status: RO
+Content-Length: 1136
+Lines: 36
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit 1666984c8625b3db19a9abc298931d35ab7bc64b ]
+
+In case bind() works, but a later error forces bailing
+in probe() in error cases work and a timer may be scheduled.
+They must be killed. This fixes an error case related to
+the double free reported in
+http://www.spinics.net/lists/netdev/msg367669.html
+and needs to go on top of Linus' fix to cdc-ncm.
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1718,6 +1718,13 @@ out3:
+       if (info->unbind)
+               info->unbind (dev, udev);
+ out1:
++      /* subdrivers must undo all they did in bind() if they
++       * fail it, but we may fail later and a deferred kevent
++       * may trigger an error resubmitting itself and, worse,
++       * schedule a timer. So we kill it all just in case.
++       */
++      cancel_work_sync(&dev->kevent);
++      del_timer_sync(&dev->delay);
+       free_netdev(net);
+ out:
+       return status;
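Review bot: The new `cancel_work_sync(&dev->kevent)` and `del_timer_sync(&dev->delay)` run on every path that reaches `out1`, so each `goto out1` must come after both objects have been initialised. Those jumps and the initialisation are outside this hunk and should be checked. The added comment says the kevent may schedule the timer, which matches the order used here (work first, then timer). It is not visible whether the timer callback can in turn queue the kevent again; if it can, a one-line note on why the single pass is sufficient would help the next reader.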