5.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 26 Jul 2019 08:54:11 +0000 (10:54 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 26 Jul 2019 08:54:11 +0000 (10:54 +0200)
added patches:
bnx2x-prevent-load-reordering-in-tx-completion-processing.patch
caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch
hv_netvsc-fix-extra-rcu_read_unlock-in-netvsc_recv_callback.patch
igmp-fix-memory-leak-in-igmpv3_del_delrec.patch
ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch
ipv6-rt6_check-should-return-null-if-from-is-null.patch
ipv6-unlink-sibling-route-in-case-of-failure.patch
macsec-fix-checksumming-after-decryption.patch
macsec-fix-use-after-free-of-skb-during-rx.patch
net-bcmgenet-use-promisc-for-unsupported-filters.patch
net-bridge-don-t-cache-ether-dest-pointer-on-input.patch
net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch
net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch
net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch
net-dsa-mv88e6xxx-wait-after-reset-deactivation.patch
net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch
net-mlx5e-fix-error-flow-in-tx-reporter-diagnose.patch
net-mlx5e-fix-port-tunnel-gre-entropy-control.patch
net-mlx5e-fix-return-value-from-timeout-recover-function.patch
net-mlx5e-ipoib-add-error-path-in-mlx5_rdma_setup_rn.patch
net-mlx5e-rx-fix-checksum-calculation-for-new-hardware.patch
net-neigh-fix-multiple-neigh-timer-scheduling.patch
net-openvswitch-fix-csum-updates-for-mpls-actions.patch
net-phy-sfp-hwmon-fix-scaling-of-rx-power.patch
net-stmmac-re-work-the-queue-selection-for-tso-packets.patch
net-tls-fix-poll-ignoring-partially-copied-records.patch
net-tls-make-sure-offload-also-gets-the-keys-wiped.patch
net-tls-reject-offload-of-tls-1.3.patch
net_sched-unset-tcq_f_can_bypass-when-adding-filters.patch
netrom-fix-a-memory-leak-in-nr_rx_frame.patch
netrom-hold-sock-when-setting-skb-destructor.patch
nfc-fix-potential-illegal-memory-access.patch
r8169-fix-issue-with-confused-rx-unit-after-phy-power-down-on-rtl8411b.patch
rxrpc-fix-send-on-a-connected-but-unbound-socket.patch
sctp-fix-error-handling-on-stream-scheduler-initialization.patch
sctp-not-bind-the-socket-in-sctp_connect.patch
selftests-txring_overwrite-fix-incorrect-test-of-mmap-return-value.patch
sky2-disable-msi-on-asus-p6t.patch
tcp-be-more-careful-in-tcp_fragment.patch
tcp-fix-tcp_set_congestion_control-use-from-bpf-hook.patch
tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch
vrf-make-sure-skb-data-contains-ip-header-to-make-routing.patch

43 files changed:
queue-5.1/bnx2x-prevent-load-reordering-in-tx-completion-processing.patch [new file with mode: 0644]
queue-5.1/caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch [new file with mode: 0644]
queue-5.1/hv_netvsc-fix-extra-rcu_read_unlock-in-netvsc_recv_callback.patch [new file with mode: 0644]
queue-5.1/igmp-fix-memory-leak-in-igmpv3_del_delrec.patch [new file with mode: 0644]
queue-5.1/ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch [new file with mode: 0644]
queue-5.1/ipv6-rt6_check-should-return-null-if-from-is-null.patch [new file with mode: 0644]
queue-5.1/ipv6-unlink-sibling-route-in-case-of-failure.patch [new file with mode: 0644]
queue-5.1/macsec-fix-checksumming-after-decryption.patch [new file with mode: 0644]
queue-5.1/macsec-fix-use-after-free-of-skb-during-rx.patch [new file with mode: 0644]
queue-5.1/net-bcmgenet-use-promisc-for-unsupported-filters.patch [new file with mode: 0644]
queue-5.1/net-bridge-don-t-cache-ether-dest-pointer-on-input.patch [new file with mode: 0644]
queue-5.1/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch [new file with mode: 0644]
queue-5.1/net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch [new file with mode: 0644]
queue-5.1/net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch [new file with mode: 0644]
queue-5.1/net-dsa-mv88e6xxx-wait-after-reset-deactivation.patch [new file with mode: 0644]
queue-5.1/net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch [new file with mode: 0644]
queue-5.1/net-mlx5e-fix-error-flow-in-tx-reporter-diagnose.patch [new file with mode: 0644]
queue-5.1/net-mlx5e-fix-port-tunnel-gre-entropy-control.patch [new file with mode: 0644]
queue-5.1/net-mlx5e-fix-return-value-from-timeout-recover-function.patch [new file with mode: 0644]
queue-5.1/net-mlx5e-ipoib-add-error-path-in-mlx5_rdma_setup_rn.patch [new file with mode: 0644]
queue-5.1/net-mlx5e-rx-fix-checksum-calculation-for-new-hardware.patch [new file with mode: 0644]
queue-5.1/net-neigh-fix-multiple-neigh-timer-scheduling.patch [new file with mode: 0644]
queue-5.1/net-openvswitch-fix-csum-updates-for-mpls-actions.patch [new file with mode: 0644]
queue-5.1/net-phy-sfp-hwmon-fix-scaling-of-rx-power.patch [new file with mode: 0644]
queue-5.1/net-stmmac-re-work-the-queue-selection-for-tso-packets.patch [new file with mode: 0644]
queue-5.1/net-tls-fix-poll-ignoring-partially-copied-records.patch [new file with mode: 0644]
queue-5.1/net-tls-make-sure-offload-also-gets-the-keys-wiped.patch [new file with mode: 0644]
queue-5.1/net-tls-reject-offload-of-tls-1.3.patch [new file with mode: 0644]
queue-5.1/net_sched-unset-tcq_f_can_bypass-when-adding-filters.patch [new file with mode: 0644]
queue-5.1/netrom-fix-a-memory-leak-in-nr_rx_frame.patch [new file with mode: 0644]
queue-5.1/netrom-hold-sock-when-setting-skb-destructor.patch [new file with mode: 0644]
queue-5.1/nfc-fix-potential-illegal-memory-access.patch [new file with mode: 0644]
queue-5.1/r8169-fix-issue-with-confused-rx-unit-after-phy-power-down-on-rtl8411b.patch [new file with mode: 0644]
queue-5.1/rxrpc-fix-send-on-a-connected-but-unbound-socket.patch [new file with mode: 0644]
queue-5.1/sctp-fix-error-handling-on-stream-scheduler-initialization.patch [new file with mode: 0644]
queue-5.1/sctp-not-bind-the-socket-in-sctp_connect.patch [new file with mode: 0644]
queue-5.1/selftests-txring_overwrite-fix-incorrect-test-of-mmap-return-value.patch [new file with mode: 0644]
queue-5.1/series [new file with mode: 0644]
queue-5.1/sky2-disable-msi-on-asus-p6t.patch [new file with mode: 0644]
queue-5.1/tcp-be-more-careful-in-tcp_fragment.patch [new file with mode: 0644]
queue-5.1/tcp-fix-tcp_set_congestion_control-use-from-bpf-hook.patch [new file with mode: 0644]
queue-5.1/tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch [new file with mode: 0644]
queue-5.1/vrf-make-sure-skb-data-contains-ip-header-to-make-routing.patch [new file with mode: 0644]

diff --git a/queue-5.1/bnx2x-prevent-load-reordering-in-tx-completion-processing.patch b/queue-5.1/bnx2x-prevent-load-reordering-in-tx-completion-processing.patch
new file mode 100644 (file)
index 0000000..726abcb
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Mon, 15 Jul 2019 16:41:50 -0500
+Subject: bnx2x: Prevent load reordering in tx completion processing
+
+From: Brian King <brking@linux.vnet.ibm.com>
+
+[ Upstream commit ea811b795df24644a8eb760b493c43fba4450677 ]
+
+This patch fixes an issue seen on Power systems with bnx2x which results
+in the skb is NULL WARN_ON in bnx2x_free_tx_pkt firing due to the skb
+pointer getting loaded in bnx2x_free_tx_pkt prior to the hw_cons
+load in bnx2x_tx_int. Adding a read memory barrier resolves the issue.
+
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -285,6 +285,9 @@ int bnx2x_tx_int(struct bnx2x *bp, struc
+       hw_cons = le16_to_cpu(*txdata->tx_cons_sb);
+       sw_cons = txdata->tx_pkt_cons;
++      /* Ensure subsequent loads occur after hw_cons */
++      smp_rmb();
++
+       while (sw_cons != hw_cons) {
+               u16 pkt_cons;
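Review bot: The comment on the new `smp_rmb()` in bnx2x_tx_int says only "subsequent loads" and does not name which loads are protected or why reordering matters. Going by the commit message, the load at risk is the skb pointer read in bnx2x_free_tx_pkt(), which must not be satisfied before `hw_cons` is read from the status block. A more specific comment such as `/* Order the hw_cons load before the skb pointer loads in bnx2x_free_tx_pkt() */` would make the barrier's purpose reviewable. The body of bnx2x_tx_int continues outside the hunk, so whether other loads in the loop also depend on this barrier cannot be confirmed from here.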
diff --git a/queue-5.1/caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch b/queue-5.1/caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch
new file mode 100644 (file)
index 0000000..9225bc7
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Mon, 15 Jul 2019 14:10:17 +0900
+Subject: caif-hsi: fix possible deadlock in cfhsi_exit_module()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit fdd258d49e88a9e0b49ef04a506a796f1c768a8e ]
+
+cfhsi_exit_module() calls unregister_netdev() under rtnl_lock().
+but unregister_netdev() internally calls rtnl_lock().
+So deadlock would occur.
+
+Fixes: c41254006377 ("caif-hsi: Add rtnl support")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/caif/caif_hsi.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/caif/caif_hsi.c
++++ b/drivers/net/caif/caif_hsi.c
+@@ -1455,7 +1455,7 @@ static void __exit cfhsi_exit_module(voi
+       rtnl_lock();
+       list_for_each_safe(list_node, n, &cfhsi_list) {
+               cfhsi = list_entry(list_node, struct cfhsi, list);
+-              unregister_netdev(cfhsi->ndev);
++              unregister_netdevice(cfhsi->ndev);
+       }
+       rtnl_unlock();
+ }
diff --git a/queue-5.1/hv_netvsc-fix-extra-rcu_read_unlock-in-netvsc_recv_callback.patch b/queue-5.1/hv_netvsc-fix-extra-rcu_read_unlock-in-netvsc_recv_callback.patch
new file mode 100644 (file)
index 0000000..7b9b35f
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Haiyang Zhang <haiyangz@microsoft.com>
+Date: Fri, 19 Jul 2019 17:33:51 +0000
+Subject: hv_netvsc: Fix extra rcu_read_unlock in netvsc_recv_callback()
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+[ Upstream commit be4363bdf0ce9530f15aa0a03d1060304d116b15 ]
+
+There is an extra rcu_read_unlock left in netvsc_recv_callback(),
+after a previous patch that removes RCU from this function.
+This patch removes the extra RCU unlock.
+
+Fixes: 345ac08990b8 ("hv_netvsc: pass netvsc_device to receive callback")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc_drv.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -849,7 +849,6 @@ int netvsc_recv_callback(struct net_devi
+       if (unlikely(!skb)) {
+               ++net_device_ctx->eth_stats.rx_no_memory;
+-              rcu_read_unlock();
+               return NVSP_STAT_FAIL;
+       }
diff --git a/queue-5.1/igmp-fix-memory-leak-in-igmpv3_del_delrec.patch b/queue-5.1/igmp-fix-memory-leak-in-igmpv3_del_delrec.patch
new file mode 100644 (file)
index 0000000..3d684d5
--- /dev/null
@@ -0,0 +1,78 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 27 Jun 2019 01:27:01 -0700
+Subject: igmp: fix memory leak in igmpv3_del_delrec()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e5b1c6c6277d5a283290a8c033c72544746f9b5b ]
+
+im->tomb and/or im->sources might not be NULL, but we
+currently overwrite their values blindly.
+
+Using swap() will make sure the following call to kfree_pmc(pmc)
+will properly free the psf structures.
+
+Tested with the C repro provided by syzbot, which basically does :
+
+ socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
+ setsockopt(3, SOL_IP, IP_ADD_MEMBERSHIP, "\340\0\0\2\177\0\0\1\0\0\0\0", 12) = 0
+ ioctl(3, SIOCSIFFLAGS, {ifr_name="lo", ifr_flags=0}) = 0
+ setsockopt(3, SOL_IP, IP_MSFILTER, "\340\0\0\2\177\0\0\1\1\0\0\0\1\0\0\0\377\377\377\377", 20) = 0
+ ioctl(3, SIOCSIFFLAGS, {ifr_name="lo", ifr_flags=IFF_UP}) = 0
+ exit_group(0)                    = ?
+
+BUG: memory leak
+unreferenced object 0xffff88811450f140 (size 64):
+  comm "softirq", pid 0, jiffies 4294942448 (age 32.070s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00  ................
+    00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<00000000c7bad083>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
+    [<00000000c7bad083>] slab_post_alloc_hook mm/slab.h:439 [inline]
+    [<00000000c7bad083>] slab_alloc mm/slab.c:3326 [inline]
+    [<00000000c7bad083>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
+    [<000000009acc4151>] kmalloc include/linux/slab.h:547 [inline]
+    [<000000009acc4151>] kzalloc include/linux/slab.h:742 [inline]
+    [<000000009acc4151>] ip_mc_add1_src net/ipv4/igmp.c:1976 [inline]
+    [<000000009acc4151>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2100
+    [<000000004ac14566>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2484
+    [<0000000052d8f995>] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:959
+    [<000000004ee1e21f>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1248
+    [<0000000066cdfe74>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2618
+    [<000000009383a786>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3126
+    [<00000000d8ac0c94>] __sys_setsockopt+0x98/0x120 net/socket.c:2072
+    [<000000001b1e9666>] __do_sys_setsockopt net/socket.c:2083 [inline]
+    [<000000001b1e9666>] __se_sys_setsockopt net/socket.c:2080 [inline]
+    [<000000001b1e9666>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2080
+    [<00000000420d395e>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
+    [<000000007fd83a4b>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info when set link down")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Hangbin Liu <liuhangbin@gmail.com>
+Reported-by: syzbot+6ca1abd0db68b5173a4f@syzkaller.appspotmail.com
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/igmp.c |    8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -1232,12 +1232,8 @@ static void igmpv3_del_delrec(struct in_
+       if (pmc) {
+               im->interface = pmc->interface;
+               if (im->sfmode == MCAST_INCLUDE) {
+-                      im->tomb = pmc->tomb;
+-                      pmc->tomb = NULL;
+-
+-                      im->sources = pmc->sources;
+-                      pmc->sources = NULL;
+-
++                      swap(im->tomb, pmc->tomb);
++                      swap(im->sources, pmc->sources);
+                       for (psf = im->sources; psf; psf = psf->sf_next)
+                               psf->sf_crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
+               } else {
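Review bot: The two `swap()` calls in igmpv3_del_delrec fix the leak only because `pmc` is freed afterwards, and that call (kfree_pmc(pmc), per the commit message) lies outside this hunk. Without a comment the swap reads like a stylistic variant of the old assign-and-NULL sequence and could be reverted in a cleanup. I would add `/* swap, not assign: kfree_pmc(pmc) below then frees im's previous tomb/sources lists */` above the first `swap()`. The function starts and ends outside the hunk.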
diff --git a/queue-5.1/ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch b/queue-5.1/ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch
new file mode 100644 (file)
index 0000000..8b841a8
--- /dev/null
@@ -0,0 +1,56 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Matteo Croce <mcroce@redhat.com>
+Date: Mon, 1 Jul 2019 19:01:55 +0200
+Subject: ipv4: don't set IPv6 only flags to IPv4 addresses
+
+From: Matteo Croce <mcroce@redhat.com>
+
+[ Upstream commit 2e60546368165c2449564d71f6005dda9205b5fb ]
+
+Avoid the situation where an IPV6 only flag is applied to an IPv4 address:
+
+    # ip addr add 192.0.2.1/24 dev dummy0 nodad home mngtmpaddr noprefixroute
+    # ip -4 addr show dev dummy0
+    2: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
+        inet 192.0.2.1/24 scope global noprefixroute dummy0
+           valid_lft forever preferred_lft forever
+
+Or worse, by sending a malicious netlink command:
+
+    # ip -4 addr show dev dummy0
+    2: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
+        inet 192.0.2.1/24 scope global nodad optimistic dadfailed home tentative mngtmpaddr noprefixroute stable-privacy dummy0
+           valid_lft forever preferred_lft forever
+
+Signed-off-by: Matteo Croce <mcroce@redhat.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/devinet.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -66,6 +66,11 @@
+ #include <net/net_namespace.h>
+ #include <net/addrconf.h>
++#define IPV6ONLY_FLAGS        \
++              (IFA_F_NODAD | IFA_F_OPTIMISTIC | IFA_F_DADFAILED | \
++               IFA_F_HOMEADDRESS | IFA_F_TENTATIVE | \
++               IFA_F_MANAGETEMPADDR | IFA_F_STABLE_PRIVACY)
++
+ static struct ipv4_devconf ipv4_devconf = {
+       .data = {
+               [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1,
+@@ -472,6 +477,9 @@ static int __inet_insert_ifa(struct in_i
+       ifa->ifa_flags &= ~IFA_F_SECONDARY;
+       last_primary = &in_dev->ifa_list;
++      /* Don't set IPv6 only flags to IPv4 addresses */
++      ifa->ifa_flags &= ~IPV6ONLY_FLAGS;
++
+       for (ifap = &in_dev->ifa_list; (ifa1 = *ifap) != NULL;
+            ifap = &ifa1->ifa_next) {
+               if (!(ifa1->ifa_flags & IFA_F_SECONDARY) &&
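Review bot: The mask `ifa->ifa_flags &= ~IPV6ONLY_FLAGS;` in __inet_insert_ifa drops the flags silently, so a netlink request carrying IPv6-only flags on an IPv4 address still succeeds and the sender is not told that its input was altered. If silent sanitising rather than rejection is deliberate, the comment should say so, and its wording should read "on IPv4 addresses" rather than "to". Separately, `IPV6ONLY_FLAGS` is a hand-maintained list with nothing tying it to the IFA_F_* definitions, so a flag added there later stays settable on IPv4 until someone remembers this macro. A comment above it, e.g. `/* IFA_F_* flags that are meaningful only for IPv6; extend when new IPv6-only flags are added */`, would help. Both hunks cut into code that continues outside them.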
diff --git a/queue-5.1/ipv6-rt6_check-should-return-null-if-from-is-null.patch b/queue-5.1/ipv6-rt6_check-should-return-null-if-from-is-null.patch
new file mode 100644 (file)
index 0000000..da85205
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: David Ahern <dsahern@gmail.com>
+Date: Wed, 17 Jul 2019 15:08:43 -0700
+Subject: ipv6: rt6_check should return NULL if 'from' is NULL
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit 49d05fe2c9d1b4a27761c9807fec39b8155bef9e ]
+
+Paul reported that l2tp sessions were broken after the commit referenced
+in the Fixes tag. Prior to this commit rt6_check returned NULL if the
+rt6_info 'from' was NULL - ie., the dst_entry was disconnected from a FIB
+entry. Restore that behavior.
+
+Fixes: 93531c674315 ("net/ipv6: separate handling of FIB entries from dst based routes")
+Reported-by: Paul Donohue <linux-kernel@PaulSD.com>
+Tested-by: Paul Donohue <linux-kernel@PaulSD.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -2183,7 +2183,7 @@ static struct dst_entry *rt6_check(struc
+ {
+       u32 rt_cookie = 0;
+-      if ((from && !fib6_get_cookie_safe(from, &rt_cookie)) ||
++      if (!from || !fib6_get_cookie_safe(from, &rt_cookie) ||
+           rt_cookie != cookie)
+               return NULL;
diff --git a/queue-5.1/ipv6-unlink-sibling-route-in-case-of-failure.patch b/queue-5.1/ipv6-unlink-sibling-route-in-case-of-failure.patch
new file mode 100644 (file)
index 0000000..6a6484c
--- /dev/null
@@ -0,0 +1,61 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Wed, 17 Jul 2019 23:39:33 +0300
+Subject: ipv6: Unlink sibling route in case of failure
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 54851aa90cf27041d64b12f65ac72e9f97bd90fd ]
+
+When a route needs to be appended to an existing multipath route,
+fib6_add_rt2node() first appends it to the siblings list and increments
+the number of sibling routes on each sibling.
+
+Later, the function notifies the route via call_fib6_entry_notifiers().
+In case the notification is vetoed, the route is not unlinked from the
+siblings list, which can result in a use-after-free.
+
+Fix this by unlinking the route from the siblings list before returning
+an error.
+
+Audited the rest of the call sites from which the FIB notification chain
+is called and could not find more problems.
+
+Fixes: 2233000cba40 ("net/ipv6: Move call_fib6_entry_notifiers up for route adds")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-by: Alexander Petrovskiy <alexpe@mellanox.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_fib.c |   18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -1113,8 +1113,24 @@ add:
+               err = call_fib6_entry_notifiers(info->nl_net,
+                                               FIB_EVENT_ENTRY_ADD,
+                                               rt, extack);
+-              if (err)
++              if (err) {
++                      struct fib6_info *sibling, *next_sibling;
++
++                      /* If the route has siblings, then it first
++                       * needs to be unlinked from them.
++                       */
++                      if (!rt->fib6_nsiblings)
++                              return err;
++
++                      list_for_each_entry_safe(sibling, next_sibling,
++                                               &rt->fib6_siblings,
++                                               fib6_siblings)
++                              sibling->fib6_nsiblings--;
++                      rt->fib6_nsiblings = 0;
++                      list_del_init(&rt->fib6_siblings);
++                      rt6_multipath_rebalance(next_sibling);
+                       return err;
++              }
+               rcu_assign_pointer(rt->fib6_next, iter);
+               atomic_inc(&rt->fib6_ref);
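Review bot: `rt6_multipath_rebalance(next_sibling)` in the new error path uses the `_safe` cursor after `list_for_each_entry_safe()` has finished, which is correct only for a non-obvious reason. The list head being walked is `rt->fib6_siblings` itself, so when the loop terminates `sibling` has wrapped round to `rt` and `next_sibling` is the entry after it, i.e. the first remaining sibling. Nothing is deleted inside the loop, so the `_safe` variant is there only to produce that value. I would state this next to the call, e.g. `/* next_sibling is now the first remaining sibling: the walked list head is rt's own fib6_siblings */`, since reading an iterator cursor after the loop normally looks like a bug. The enclosing function, and whatever lock protects the siblings list, are outside the hunk.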
diff --git a/queue-5.1/macsec-fix-checksumming-after-decryption.patch b/queue-5.1/macsec-fix-checksumming-after-decryption.patch
new file mode 100644 (file)
index 0000000..f66bf9f
--- /dev/null
@@ -0,0 +1,28 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Andreas Steinmetz <ast@domdv.de>
+Date: Sun, 30 Jun 2019 22:46:45 +0200
+Subject: macsec: fix checksumming after decryption
+
+From: Andreas Steinmetz <ast@domdv.de>
+
+[ Upstream commit 7d8b16b9facb0dd81d1469808dd9a575fa1d525a ]
+
+Fix checksumming after decryption.
+
+Signed-off-by: Andreas Steinmetz <ast@domdv.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -869,6 +869,7 @@ static void macsec_reset_skb(struct sk_b
+ static void macsec_finalize_skb(struct sk_buff *skb, u8 icv_len, u8 hdr_len)
+ {
++      skb->ip_summed = CHECKSUM_NONE;
+       memmove(skb->data + hdr_len, skb->data, 2 * ETH_ALEN);
+       skb_pull(skb, hdr_len);
+       pskb_trim_unique(skb, skb->len - icv_len);
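Review bot: The added `skb->ip_summed = CHECKSUM_NONE;` in macsec_finalize_skb has no comment, and the commit message ("Fix checksumming after decryption") gives no reason either. Presumably any checksum state set by the lower device was computed over the protected frame and no longer describes the packet once the SecTAG and ICV are stripped, so the stack must verify it again in software. A one-line comment such as `/* checksum state from the lower device does not cover the decrypted frame */` would record that and stop the assignment from being removed as redundant. The function body continues past the end of the hunk.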
diff --git a/queue-5.1/macsec-fix-use-after-free-of-skb-during-rx.patch b/queue-5.1/macsec-fix-use-after-free-of-skb-during-rx.patch
new file mode 100644 (file)
index 0000000..b1659b2
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Andreas Steinmetz <ast@domdv.de>
+Date: Sun, 30 Jun 2019 22:46:42 +0200
+Subject: macsec: fix use-after-free of skb during RX
+
+From: Andreas Steinmetz <ast@domdv.de>
+
+[ Upstream commit 095c02da80a41cf6d311c504d8955d6d1c2add10 ]
+
+Fix use-after-free of skb when rx_handler returns RX_HANDLER_PASS.
+
+Signed-off-by: Andreas Steinmetz <ast@domdv.de>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1103,10 +1103,9 @@ static rx_handler_result_t macsec_handle
+       }
+       skb = skb_unshare(skb, GFP_ATOMIC);
+-      if (!skb) {
+-              *pskb = NULL;
++      *pskb = skb;
++      if (!skb)
+               return RX_HANDLER_CONSUMED;
+-      }
+       pulled_sci = pskb_may_pull(skb, macsec_extra_len(true));
+       if (!pulled_sci) {
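Review bot: `*pskb = skb;` now runs unconditionally after `skb_unshare()`, but the code does not say why the caller's pointer must be refreshed before the NULL test. skb_unshare() can return a different buffer and release the one passed in, so any later return that leaves the old value in `*pskb` hands the caller a freed skb. That matches the RX_HANDLER_PASS case named in the commit message. I would add `/* skb_unshare() may have freed the original skb; keep *pskb valid for every return below */` above the assignment. The handler starts and ends outside the hunk, so the later return paths that rely on this cannot be checked from here.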
diff --git a/queue-5.1/net-bcmgenet-use-promisc-for-unsupported-filters.patch b/queue-5.1/net-bcmgenet-use-promisc-for-unsupported-filters.patch
new file mode 100644 (file)
index 0000000..a933689
--- /dev/null
@@ -0,0 +1,126 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Justin Chen <justinpopo6@gmail.com>
+Date: Wed, 17 Jul 2019 14:58:53 -0700
+Subject: net: bcmgenet: use promisc for unsupported filters
+
+From: Justin Chen <justinpopo6@gmail.com>
+
+[ Upstream commit 35cbef9863640f06107144687bd13151bc2e8ce3 ]
+
+Currently we silently ignore filters if we cannot meet the filter
+requirements. This will lead to the MAC dropping packets that are
+expected to pass. A better solution would be to set the NIC to promisc
+mode when the required filters cannot be met.
+
+Also correct the number of MDF filters supported. It should be 17,
+not 16.
+
+Signed-off-by: Justin Chen <justinpopo6@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c |   57 +++++++++++--------------
+ 1 file changed, 26 insertions(+), 31 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -3086,39 +3086,42 @@ static void bcmgenet_timeout(struct net_
+       netif_tx_wake_all_queues(dev);
+ }
+-#define MAX_MC_COUNT  16
++#define MAX_MDF_FILTER        17
+ static inline void bcmgenet_set_mdf_addr(struct bcmgenet_priv *priv,
+                                        unsigned char *addr,
+-                                       int *i,
+-                                       int *mc)
++                                       int *i)
+ {
+-      u32 reg;
+-
+       bcmgenet_umac_writel(priv, addr[0] << 8 | addr[1],
+                            UMAC_MDF_ADDR + (*i * 4));
+       bcmgenet_umac_writel(priv, addr[2] << 24 | addr[3] << 16 |
+                            addr[4] << 8 | addr[5],
+                            UMAC_MDF_ADDR + ((*i + 1) * 4));
+-      reg = bcmgenet_umac_readl(priv, UMAC_MDF_CTRL);
+-      reg |= (1 << (MAX_MC_COUNT - *mc));
+-      bcmgenet_umac_writel(priv, reg, UMAC_MDF_CTRL);
+       *i += 2;
+-      (*mc)++;
+ }
+ static void bcmgenet_set_rx_mode(struct net_device *dev)
+ {
+       struct bcmgenet_priv *priv = netdev_priv(dev);
+       struct netdev_hw_addr *ha;
+-      int i, mc;
++      int i, nfilter;
+       u32 reg;
+       netif_dbg(priv, hw, dev, "%s: %08X\n", __func__, dev->flags);
+-      /* Promiscuous mode */
++      /* Number of filters needed */
++      nfilter = netdev_uc_count(dev) + netdev_mc_count(dev) + 2;
++
++      /*
++       * Turn on promicuous mode for three scenarios
++       * 1. IFF_PROMISC flag is set
++       * 2. IFF_ALLMULTI flag is set
++       * 3. The number of filters needed exceeds the number filters
++       *    supported by the hardware.
++      */
+       reg = bcmgenet_umac_readl(priv, UMAC_CMD);
+-      if (dev->flags & IFF_PROMISC) {
++      if ((dev->flags & (IFF_PROMISC | IFF_ALLMULTI)) ||
++          (nfilter > MAX_MDF_FILTER)) {
+               reg |= CMD_PROMISC;
+               bcmgenet_umac_writel(priv, reg, UMAC_CMD);
+               bcmgenet_umac_writel(priv, 0, UMAC_MDF_CTRL);
+@@ -3128,32 +3131,24 @@ static void bcmgenet_set_rx_mode(struct
+               bcmgenet_umac_writel(priv, reg, UMAC_CMD);
+       }
+-      /* UniMac doesn't support ALLMULTI */
+-      if (dev->flags & IFF_ALLMULTI) {
+-              netdev_warn(dev, "ALLMULTI is not supported\n");
+-              return;
+-      }
+-
+       /* update MDF filter */
+       i = 0;
+-      mc = 0;
+       /* Broadcast */
+-      bcmgenet_set_mdf_addr(priv, dev->broadcast, &i, &mc);
++      bcmgenet_set_mdf_addr(priv, dev->broadcast, &i);
+       /* my own address.*/
+-      bcmgenet_set_mdf_addr(priv, dev->dev_addr, &i, &mc);
+-      /* Unicast list*/
+-      if (netdev_uc_count(dev) > (MAX_MC_COUNT - mc))
+-              return;
++      bcmgenet_set_mdf_addr(priv, dev->dev_addr, &i);
+-      if (!netdev_uc_empty(dev))
+-              netdev_for_each_uc_addr(ha, dev)
+-                      bcmgenet_set_mdf_addr(priv, ha->addr, &i, &mc);
+-      /* Multicast */
+-      if (netdev_mc_empty(dev) || netdev_mc_count(dev) >= (MAX_MC_COUNT - mc))
+-              return;
++      /* Unicast */
++      netdev_for_each_uc_addr(ha, dev)
++              bcmgenet_set_mdf_addr(priv, ha->addr, &i);
++      /* Multicast */
+       netdev_for_each_mc_addr(ha, dev)
+-              bcmgenet_set_mdf_addr(priv, ha->addr, &i, &mc);
++              bcmgenet_set_mdf_addr(priv, ha->addr, &i);
++
++      /* Enable filters */
++      reg = GENMASK(MAX_MDF_FILTER - 1, MAX_MDF_FILTER - nfilter);
++      bcmgenet_umac_writel(priv, reg, UMAC_MDF_CTRL);
+ }
+ /* Set the hardware MAC address. */
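Review bot: `reg = GENMASK(MAX_MDF_FILTER - 1, MAX_MDF_FILTER - nfilter);` at the end of bcmgenet_set_rx_mode is well-formed only while `nfilter <= MAX_MDF_FILTER`. That bound depends on the promiscuous branch returning before the filter loops, and the return falls between the two hunks, so it is not visible here. A comment at the mask, e.g. `/* nfilter <= MAX_MDF_FILTER here: larger counts took the promiscuous path above */`, would keep the invariant from being broken by a later edit to that branch. The fallback to promiscuous mode when the address lists overflow the hardware filters is also silent. Because it widens what the interface accepts, a debug-level message on that path would help anyone auditing why the NIC is in promiscuous mode. The new block comment also misspells "promiscuous" as "promicuous".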
diff --git a/queue-5.1/net-bridge-don-t-cache-ether-dest-pointer-on-input.patch b/queue-5.1/net-bridge-don-t-cache-ether-dest-pointer-on-input.patch
new file mode 100644 (file)
index 0000000..0dd7e40
--- /dev/null
@@ -0,0 +1,56 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Tue, 2 Jul 2019 15:00:20 +0300
+Subject: net: bridge: don't cache ether dest pointer on input
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit 3d26eb8ad1e9b906433903ce05f775cf038e747f ]
+
+We would cache ether dst pointer on input in br_handle_frame_finish but
+after the neigh suppress code that could lead to a stale pointer since
+both ipv4 and ipv6 suppress code do pskb_may_pull. This means we have to
+always reload it after the suppress code so there's no point in having
+it cached just retrieve it directly.
+
+Fixes: 057658cb33fbf ("bridge: suppress arp pkts on BR_NEIGH_SUPPRESS ports")
+Fixes: ed842faeb2bd ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_input.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -79,7 +79,6 @@ int br_handle_frame_finish(struct net *n
+       struct net_bridge_fdb_entry *dst = NULL;
+       struct net_bridge_mdb_entry *mdst;
+       bool local_rcv, mcast_hit = false;
+-      const unsigned char *dest;
+       struct net_bridge *br;
+       u16 vid = 0;
+@@ -97,10 +96,9 @@ int br_handle_frame_finish(struct net *n
+               br_fdb_update(br, p, eth_hdr(skb)->h_source, vid, false);
+       local_rcv = !!(br->dev->flags & IFF_PROMISC);
+-      dest = eth_hdr(skb)->h_dest;
+-      if (is_multicast_ether_addr(dest)) {
++      if (is_multicast_ether_addr(eth_hdr(skb)->h_dest)) {
+               /* by definition the broadcast is also a multicast address */
+-              if (is_broadcast_ether_addr(dest)) {
++              if (is_broadcast_ether_addr(eth_hdr(skb)->h_dest)) {
+                       pkt_type = BR_PKT_BROADCAST;
+                       local_rcv = true;
+               } else {
+@@ -150,7 +148,7 @@ int br_handle_frame_finish(struct net *n
+               }
+               break;
+       case BR_PKT_UNICAST:
+-              dst = br_fdb_find_rcu(br, dest, vid);
++              dst = br_fdb_find_rcu(br, eth_hdr(skb)->h_dest, vid);
+       default:
+               break;
+       }
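Review bot: The three `eth_hdr(skb)->h_dest` reads in br_handle_frame_finish replace a cached pointer, but no comment says why caching is unsafe there. A later cleanup could therefore reintroduce the `dest` local and the stale-pointer bug with it. The reason is in the commit message only: the neigh suppress code may call pskb_may_pull(), which can move the header. I would put `/* do not cache eth_hdr(skb) here: the neigh suppress code may pskb_may_pull() and relocate the header */` above the first `is_multicast_ether_addr()` call. The same applies to the `ipv6_hdr(skb)->saddr` read in the br_ip6_multicast_query patch that follows. The function bodies extend beyond all of these hunks.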
diff --git a/queue-5.1/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch b/queue-5.1/net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch
new file mode 100644 (file)
index 0000000..04e910f
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Tue, 2 Jul 2019 15:00:19 +0300
+Subject: net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit 3b26a5d03d35d8f732d75951218983c0f7f68dff ]
+
+We get a pointer to the ipv6 hdr in br_ip6_multicast_query but we may
+call pskb_may_pull afterwards and end up using a stale pointer.
+So use the header directly, it's just 1 place where it's needed.
+
+Fixes: 08b202b67264 ("bridge br_multicast: IPv6 MLD support.")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Tested-by: Martin Weinelt <martin@linuxlounge.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1302,7 +1302,6 @@ static int br_ip6_multicast_query(struct
+                                 u16 vid)
+ {
+       unsigned int transport_len = ipv6_transport_len(skb);
+-      const struct ipv6hdr *ip6h = ipv6_hdr(skb);
+       struct mld_msg *mld;
+       struct net_bridge_mdb_entry *mp;
+       struct mld2_query *mld2q;
+@@ -1346,7 +1345,7 @@ static int br_ip6_multicast_query(struct
+       if (is_general_query) {
+               saddr.proto = htons(ETH_P_IPV6);
+-              saddr.u.ip6 = ip6h->saddr;
++              saddr.u.ip6 = ipv6_hdr(skb)->saddr;
+               br_multicast_query_received(br, port, &br->ip6_other_query,
+                                           &saddr, max_delay);
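Review bot: Nothing at `saddr.u.ip6 = ipv6_hdr(skb)->saddr;` records why the header is re-read instead of cached, so a later tidy-up could reintroduce a local `ip6h` and with it the stale pointer. A short comment such as `/* do not cache ipv6_hdr(): pskb_may_pull() may have moved the header */` would help. The pull calls themselves sit between the two hunks and are not visible here. The same applies to the `eth_hdr(skb)->h_dest` re-read in the br_stp_rcv() patch further down the page.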
diff --git a/queue-5.1/net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch b/queue-5.1/net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch
new file mode 100644 (file)
index 0000000..bfe16a6
--- /dev/null
@@ -0,0 +1,166 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Tue, 2 Jul 2019 15:00:18 +0300
+Subject: net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit e57f61858b7cf478ed6fa23ed4b3876b1c9625c4 ]
+
+We take a pointer to grec prior to calling pskb_may_pull and use it
+afterwards to get nsrcs so record nsrcs before the pull when handling
+igmp3 and we get a pointer to nsrcs and call pskb_may_pull when handling
+mld2 which again could lead to reading 2 bytes out-of-bounds.
+
+ ==================================================================
+ BUG: KASAN: use-after-free in br_multicast_rcv+0x480c/0x4ad0 [bridge]
+ Read of size 2 at addr ffff8880421302b4 by task ksoftirqd/1/16
+
+ CPU: 1 PID: 16 Comm: ksoftirqd/1 Tainted: G           OE     5.2.0-rc6+ #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+ Call Trace:
+  dump_stack+0x71/0xab
+  print_address_description+0x6a/0x280
+  ? br_multicast_rcv+0x480c/0x4ad0 [bridge]
+  __kasan_report+0x152/0x1aa
+  ? br_multicast_rcv+0x480c/0x4ad0 [bridge]
+  ? br_multicast_rcv+0x480c/0x4ad0 [bridge]
+  kasan_report+0xe/0x20
+  br_multicast_rcv+0x480c/0x4ad0 [bridge]
+  ? br_multicast_disable_port+0x150/0x150 [bridge]
+  ? ktime_get_with_offset+0xb4/0x150
+  ? __kasan_kmalloc.constprop.6+0xa6/0xf0
+  ? __netif_receive_skb+0x1b0/0x1b0
+  ? br_fdb_update+0x10e/0x6e0 [bridge]
+  ? br_handle_frame_finish+0x3c6/0x11d0 [bridge]
+  br_handle_frame_finish+0x3c6/0x11d0 [bridge]
+  ? br_pass_frame_up+0x3a0/0x3a0 [bridge]
+  ? virtnet_probe+0x1c80/0x1c80 [virtio_net]
+  br_handle_frame+0x731/0xd90 [bridge]
+  ? select_idle_sibling+0x25/0x7d0
+  ? br_handle_frame_finish+0x11d0/0x11d0 [bridge]
+  __netif_receive_skb_core+0xced/0x2d70
+  ? virtqueue_get_buf_ctx+0x230/0x1130 [virtio_ring]
+  ? do_xdp_generic+0x20/0x20
+  ? virtqueue_napi_complete+0x39/0x70 [virtio_net]
+  ? virtnet_poll+0x94d/0xc78 [virtio_net]
+  ? receive_buf+0x5120/0x5120 [virtio_net]
+  ? __netif_receive_skb_one_core+0x97/0x1d0
+  __netif_receive_skb_one_core+0x97/0x1d0
+  ? __netif_receive_skb_core+0x2d70/0x2d70
+  ? _raw_write_trylock+0x100/0x100
+  ? __queue_work+0x41e/0xbe0
+  process_backlog+0x19c/0x650
+  ? _raw_read_lock_irq+0x40/0x40
+  net_rx_action+0x71e/0xbc0
+  ? __switch_to_asm+0x40/0x70
+  ? napi_complete_done+0x360/0x360
+  ? __switch_to_asm+0x34/0x70
+  ? __switch_to_asm+0x40/0x70
+  ? __schedule+0x85e/0x14d0
+  __do_softirq+0x1db/0x5f9
+  ? takeover_tasklets+0x5f0/0x5f0
+  run_ksoftirqd+0x26/0x40
+  smpboot_thread_fn+0x443/0x680
+  ? sort_range+0x20/0x20
+  ? schedule+0x94/0x210
+  ? __kthread_parkme+0x78/0xf0
+  ? sort_range+0x20/0x20
+  kthread+0x2ae/0x3a0
+  ? kthread_create_worker_on_cpu+0xc0/0xc0
+  ret_from_fork+0x35/0x40
+
+ The buggy address belongs to the page:
+ page:ffffea0001084c00 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0
+ flags: 0xffffc000000000()
+ raw: 00ffffc000000000 ffffea0000cfca08 ffffea0001098608 0000000000000000
+ raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+ ffff888042130180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff888042130200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ > ffff888042130280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+                                     ^
+ ffff888042130300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff888042130380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ==================================================================
+ Disabling lock debugging due to kernel taint
+
+Fixes: bc8c20acaea1 ("bridge: multicast: treat igmpv3 report with INCLUDE and no sources as a leave")
+Reported-by: Martin Weinelt <martin@linuxlounge.net>
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Tested-by: Martin Weinelt <martin@linuxlounge.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c |   20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -934,6 +934,7 @@ static int br_ip4_multicast_igmp3_report
+       int type;
+       int err = 0;
+       __be32 group;
++      u16 nsrcs;
+       ih = igmpv3_report_hdr(skb);
+       num = ntohs(ih->ngrec);
+@@ -947,8 +948,9 @@ static int br_ip4_multicast_igmp3_report
+               grec = (void *)(skb->data + len - sizeof(*grec));
+               group = grec->grec_mca;
+               type = grec->grec_type;
++              nsrcs = ntohs(grec->grec_nsrcs);
+-              len += ntohs(grec->grec_nsrcs) * 4;
++              len += nsrcs * 4;
+               if (!ip_mc_may_pull(skb, len))
+                       return -EINVAL;
+@@ -969,7 +971,7 @@ static int br_ip4_multicast_igmp3_report
+               src = eth_hdr(skb)->h_source;
+               if ((type == IGMPV3_CHANGE_TO_INCLUDE ||
+                    type == IGMPV3_MODE_IS_INCLUDE) &&
+-                  ntohs(grec->grec_nsrcs) == 0) {
++                  nsrcs == 0) {
+                       br_ip4_multicast_leave_group(br, port, group, vid, src);
+               } else {
+                       err = br_ip4_multicast_add_group(br, port, group, vid,
+@@ -1006,7 +1008,8 @@ static int br_ip6_multicast_mld2_report(
+       len = skb_transport_offset(skb) + sizeof(*icmp6h);
+       for (i = 0; i < num; i++) {
+-              __be16 *nsrcs, _nsrcs;
++              __be16 *_nsrcs, __nsrcs;
++              u16 nsrcs;
+               nsrcs_offset = len + offsetof(struct mld2_grec, grec_nsrcs);
+@@ -1014,12 +1017,13 @@ static int br_ip6_multicast_mld2_report(
+                   nsrcs_offset + sizeof(_nsrcs))
+                       return -EINVAL;
+-              nsrcs = skb_header_pointer(skb, nsrcs_offset,
+-                                         sizeof(_nsrcs), &_nsrcs);
+-              if (!nsrcs)
++              _nsrcs = skb_header_pointer(skb, nsrcs_offset,
++                                          sizeof(__nsrcs), &__nsrcs);
++              if (!_nsrcs)
+                       return -EINVAL;
+-              grec_len = struct_size(grec, grec_src, ntohs(*nsrcs));
++              nsrcs = ntohs(*_nsrcs);
++              grec_len = struct_size(grec, grec_src, nsrcs);
+               if (!ipv6_mc_may_pull(skb, len + grec_len))
+                       return -EINVAL;
+@@ -1044,7 +1048,7 @@ static int br_ip6_multicast_mld2_report(
+               src = eth_hdr(skb)->h_source;
+               if ((grec->grec_type == MLD2_CHANGE_TO_INCLUDE ||
+                    grec->grec_type == MLD2_MODE_IS_INCLUDE) &&
+-                  ntohs(*nsrcs) == 0) {
++                  nsrcs == 0) {
+                       br_ip6_multicast_leave_group(br, port, &grec->grec_mca,
+                                                    vid, src);
+               } else {
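Review bot: In br_ip6_multicast_mld2_report() the unchanged bounds check `nsrcs_offset + sizeof(_nsrcs))` now measures a pointer, because the declarations become `__be16 *_nsrcs, __nsrcs;` and `_nsrcs` is the `__be16 *`. The check therefore demands pointer-size bytes rather than the 2-byte field, which presumably makes it stricter than intended and could reject a valid report whose last record carries no sources. It should read `nsrcs_offset + sizeof(__nsrcs))`, matching the `skb_header_pointer()` call just below. Names that differ only in leading underscores made this easy to miss; `nsrcs_ptr` and `nsrcs_buf` would be clearer. The first half of the comparison is outside the hunk.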
diff --git a/queue-5.1/net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch b/queue-5.1/net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch
new file mode 100644 (file)
index 0000000..eb9fb0f
--- /dev/null
@@ -0,0 +1,38 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Tue, 2 Jul 2019 15:00:21 +0300
+Subject: net: bridge: stp: don't cache eth dest pointer before skb pull
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit 2446a68ae6a8cee6d480e2f5b52f5007c7c41312 ]
+
+Don't cache eth dest pointer before calling pskb_may_pull.
+
+Fixes: cf0f02d04a83 ("[BRIDGE]: use llc for receiving STP packets")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_stp_bpdu.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/bridge/br_stp_bpdu.c
++++ b/net/bridge/br_stp_bpdu.c
+@@ -147,7 +147,6 @@ void br_send_tcn_bpdu(struct net_bridge_
+ void br_stp_rcv(const struct stp_proto *proto, struct sk_buff *skb,
+               struct net_device *dev)
+ {
+-      const unsigned char *dest = eth_hdr(skb)->h_dest;
+       struct net_bridge_port *p;
+       struct net_bridge *br;
+       const unsigned char *buf;
+@@ -176,7 +175,7 @@ void br_stp_rcv(const struct stp_proto *
+       if (p->state == BR_STATE_DISABLED)
+               goto out;
+-      if (!ether_addr_equal(dest, br->group_addr))
++      if (!ether_addr_equal(eth_hdr(skb)->h_dest, br->group_addr))
+               goto out;
+       if (p->flags & BR_BPDU_GUARD) {
diff --git a/queue-5.1/net-dsa-mv88e6xxx-wait-after-reset-deactivation.patch b/queue-5.1/net-dsa-mv88e6xxx-wait-after-reset-deactivation.patch
new file mode 100644 (file)
index 0000000..3323853
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Thu, 27 Jun 2019 21:17:39 +0300
+Subject: net: dsa: mv88e6xxx: wait after reset deactivation
+
+From: Baruch Siach <baruch@tkos.co.il>
+
+[ Upstream commit 7b75e49de424ceb53d13e60f35d0a73765626fda ]
+
+Add a 1ms delay after reset deactivation. Otherwise the chip returns
+bogus ID value. This is observed with 88E6390 (Peridot) chip.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -4910,6 +4910,8 @@ static int mv88e6xxx_probe(struct mdio_d
+               err = PTR_ERR(chip->reset);
+               goto out;
+       }
++      if (chip->reset)
++              usleep_range(1000, 2000);
+       err = mv88e6xxx_detect(chip);
+       if (err)
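Review bot: The added `usleep_range(1000, 2000);` in mv88e6xxx_probe() carries no comment, so the reason for the delay and its magnitude live only in the commit message. I would add `/* wait 1ms after reset de-assertion, otherwise the ID read can return a bogus value (seen on 88E6390) */` above the `if (chip->reset)` test. The reset GPIO setup that precedes it is only partly visible in the hunk.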
diff --git a/queue-5.1/net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch b/queue-5.1/net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch
new file mode 100644 (file)
index 0000000..099dbb7
--- /dev/null
@@ -0,0 +1,91 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 26 Jun 2019 20:40:45 +0200
+Subject: net: make skb_dst_force return true when dst is refcounted
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit b60a77386b1d4868f72f6353d35dabe5fbe981f2 ]
+
+netfilter did not expect that skb_dst_force() can cause skb to lose its
+dst entry.
+
+I got a bug report with a skb->dst NULL dereference in netfilter
+output path.  The backtrace contains nf_reinject(), so the dst might have
+been cleared when skb got queued to userspace.
+
+Other users were fixed via
+if (skb_dst(skb)) {
+       skb_dst_force(skb);
+       if (!skb_dst(skb))
+               goto handle_err;
+}
+
+But I think its preferable to make the 'dst might be cleared' part
+of the function explicit.
+
+In netfilter case, skb with a null dst is expected when queueing in
+prerouting hook, so drop skb for the other hooks.
+
+v2:
+ v1 of this patch returned true in case skb had no dst entry.
+ Eric said:
+   Say if we have two skb_dst_force() calls for some reason
+   on the same skb, only the first one will return false.
+
+ This now returns false even when skb had no dst, as per Erics
+ suggestion, so callers might need to check skb_dst() first before
+ skb_dst_force().
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/dst.h        |    5 ++++-
+ net/netfilter/nf_queue.c |    6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -313,8 +313,9 @@ static inline bool dst_hold_safe(struct
+  * @skb: buffer
+  *
+  * If dst is not yet refcounted and not destroyed, grab a ref on it.
++ * Returns true if dst is refcounted.
+  */
+-static inline void skb_dst_force(struct sk_buff *skb)
++static inline bool skb_dst_force(struct sk_buff *skb)
+ {
+       if (skb_dst_is_noref(skb)) {
+               struct dst_entry *dst = skb_dst(skb);
+@@ -325,6 +326,8 @@ static inline void skb_dst_force(struct
+               skb->_skb_refdst = (unsigned long)dst;
+       }
++
++      return skb->_skb_refdst != 0UL;
+ }
+--- a/net/netfilter/nf_queue.c
++++ b/net/netfilter/nf_queue.c
+@@ -190,6 +190,11 @@ static int __nf_queue(struct sk_buff *sk
+               goto err;
+       }
++      if (!skb_dst_force(skb) && state->hook != NF_INET_PRE_ROUTING) {
++              status = -ENETDOWN;
++              goto err;
++      }
++
+       *entry = (struct nf_queue_entry) {
+               .skb    = skb,
+               .state  = *state,
+@@ -198,7 +203,6 @@ static int __nf_queue(struct sk_buff *sk
+       };
+       nf_queue_entry_get_refs(entry);
+-      skb_dst_force(skb);
+       switch (entry->state.pf) {
+       case AF_INET:
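Review bot: The added kerneldoc line `Returns true if dst is refcounted.` in include/net/dst.h understates the contract: per the description, the function also returns false when the skb had no dst at all, and the call itself may leave the skb without one. I would spell that out, e.g. `Returns true if skb holds a refcounted dst on return; false if it had none or the dst could not be held.` __nf_queue() is the only caller updated here, so it is worth checking whether the remaining callers should test the result too, and whether `__must_check` is warranted once they do. In __nf_queue() the `state->hook != NF_INET_PRE_ROUTING` exemption would benefit from a one-line comment saying that a NULL dst is expected in the prerouting hook.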
diff --git a/queue-5.1/net-mlx5e-fix-error-flow-in-tx-reporter-diagnose.patch b/queue-5.1/net-mlx5e-fix-error-flow-in-tx-reporter-diagnose.patch
new file mode 100644 (file)
index 0000000..24bf265
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Aya Levin <ayal@mellanox.com>
+Date: Sun, 30 Jun 2019 11:11:26 +0300
+Subject: net/mlx5e: Fix error flow in tx reporter diagnose
+
+From: Aya Levin <ayal@mellanox.com>
+
+[ Upstream commit 99d31cbd8953c6929da978bf049ab0f0b4e503d9 ]
+
+Fix tx reporter's diagnose callback. Propagate error when failing to
+gather diagnostics information or failing to print diagnostic data per
+queue.
+
+Fixes: de8650a82071 ("net/mlx5e: Add tx reporter support")
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
+@@ -262,13 +262,13 @@ static int mlx5e_tx_reporter_diagnose(st
+               err = mlx5_core_query_sq_state(priv->mdev, sq->sqn, &state);
+               if (err)
+-                      break;
++                      goto unlock;
+               err = mlx5e_tx_reporter_build_diagnose_output(fmsg, sq->sqn,
+                                                             state,
+                                                             netif_xmit_stopped(sq->txq));
+               if (err)
+-                      break;
++                      goto unlock;
+       }
+       err = devlink_fmsg_arr_pair_nest_end(fmsg);
+       if (err)
diff --git a/queue-5.1/net-mlx5e-fix-port-tunnel-gre-entropy-control.patch b/queue-5.1/net-mlx5e-fix-port-tunnel-gre-entropy-control.patch
new file mode 100644 (file)
index 0000000..d76ca84
--- /dev/null
@@ -0,0 +1,56 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Eli Britstein <elibr@mellanox.com>
+Date: Sun, 2 Jun 2019 06:19:03 +0000
+Subject: net/mlx5e: Fix port tunnel GRE entropy control
+
+From: Eli Britstein <elibr@mellanox.com>
+
+[ Upstream commit 914adbb1bcf89478ac138318d28b302704564d59 ]
+
+GRE entropy calculation is a single bit per card, and not per port.
+Force disable GRE entropy calculation upon the first GRE encap rule,
+and release the force at the last GRE encap rule removal. This is done
+per port.
+
+Fixes: 97417f6182f8 ("net/mlx5e: Fix GRE key by controlling port tunnel entropy calculation")
+Signed-off-by: Eli Britstein <elibr@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/lib/port_tun.c |   23 ++---------------
+ 1 file changed, 4 insertions(+), 19 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/port_tun.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/port_tun.c
+@@ -100,27 +100,12 @@ static int mlx5_set_entropy(struct mlx5_
+        */
+       if (entropy_flags.gre_calc_supported &&
+           reformat_type == MLX5_REFORMAT_TYPE_L2_TO_NVGRE) {
+-              /* Other applications may change the global FW entropy
+-               * calculations settings. Check that the current entropy value
+-               * is the negative of the updated value.
+-               */
+-              if (entropy_flags.force_enabled &&
+-                  enable == entropy_flags.gre_calc_enabled) {
+-                      mlx5_core_warn(tun_entropy->mdev,
+-                                     "Unexpected GRE entropy calc setting - expected %d",
+-                                     !entropy_flags.gre_calc_enabled);
+-                      return -EOPNOTSUPP;
+-              }
+-              err = mlx5_set_port_gre_tun_entropy_calc(tun_entropy->mdev, enable,
+-                                                       entropy_flags.force_supported);
++              if (!entropy_flags.force_supported)
++                      return 0;
++              err = mlx5_set_port_gre_tun_entropy_calc(tun_entropy->mdev,
++                                                       enable, !enable);
+               if (err)
+                       return err;
+-              /* if we turn on the entropy we don't need to force it anymore */
+-              if (entropy_flags.force_supported && enable) {
+-                      err = mlx5_set_port_gre_tun_entropy_calc(tun_entropy->mdev, 1, 0);
+-                      if (err)
+-                              return err;
+-              }
+       } else if (entropy_flags.calc_supported) {
+               /* Other applications may change the global FW entropy
+                * calculations settings. Check that the current entropy value
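Review bot: The new call `mlx5_set_port_gre_tun_entropy_calc(tun_entropy->mdev, enable, !enable);` passes `!enable` as the force argument with no comment, while the comments that explained the old logic are removed. Going by the description, something like `/* GRE entropy is one bit per card: force it off on the first GRE encap rule, release the force on the last removal */` would preserve the intent. The early `return 0` under `!entropy_flags.force_supported` also reports success without doing anything, and a short comment should say why that is acceptable. mlx5_set_entropy() begins and ends outside the hunk.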
diff --git a/queue-5.1/net-mlx5e-fix-return-value-from-timeout-recover-function.patch b/queue-5.1/net-mlx5e-fix-return-value-from-timeout-recover-function.patch
new file mode 100644 (file)
index 0000000..4d1be45
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Aya Levin <ayal@mellanox.com>
+Date: Mon, 17 Jun 2019 12:01:45 +0300
+Subject: net/mlx5e: Fix return value from timeout recover function
+
+From: Aya Levin <ayal@mellanox.com>
+
+[ Upstream commit 39825350ae2a52f8513741b36e42118bd80dd689 ]
+
+Fix timeout recover function to return a meaningful return value.
+When an interrupt was not sent by the FW, return IO error instead of
+'true'.
+
+Fixes: c7981bea48fb ("net/mlx5e: Fix return status of TX reporter timeout recover")
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
+@@ -142,22 +142,20 @@ static int mlx5e_tx_reporter_timeout_rec
+ {
+       struct mlx5_eq_comp *eq = sq->cq.mcq.eq;
+       u32 eqe_count;
+-      int ret;
+       netdev_err(sq->channel->netdev, "EQ 0x%x: Cons = 0x%x, irqn = 0x%x\n",
+                  eq->core.eqn, eq->core.cons_index, eq->core.irqn);
+       eqe_count = mlx5_eq_poll_irq_disabled(eq);
+-      ret = eqe_count ? false : true;
+       if (!eqe_count) {
+               clear_bit(MLX5E_SQ_STATE_ENABLED, &sq->state);
+-              return ret;
++              return -EIO;
+       }
+       netdev_err(sq->channel->netdev, "Recover %d eqes on EQ 0x%x\n",
+                  eqe_count, eq->core.eqn);
+       sq->channel->stats->eq_rearm++;
+-      return ret;
++      return 0;
+ }
+ int mlx5e_tx_reporter_timeout(struct mlx5e_txqsq *sq)
diff --git a/queue-5.1/net-mlx5e-ipoib-add-error-path-in-mlx5_rdma_setup_rn.patch b/queue-5.1/net-mlx5e-ipoib-add-error-path-in-mlx5_rdma_setup_rn.patch
new file mode 100644 (file)
index 0000000..0a436dc
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Aya Levin <ayal@mellanox.com>
+Date: Sun, 7 Jul 2019 16:57:06 +0300
+Subject: net/mlx5e: IPoIB, Add error path in mlx5_rdma_setup_rn
+
+From: Aya Levin <ayal@mellanox.com>
+
+[ Upstream commit ef1ce7d7b67b46661091c7ccc0396186b7a247ef ]
+
+Check return value from mlx5e_attach_netdev, add error path on failure.
+
+Fixes: 48935bbb7ae8 ("net/mlx5e: IPoIB, Add netdevice profile skeleton")
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Reviewed-by: Feras Daoud <ferasda@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
+@@ -698,7 +698,9 @@ static int mlx5_rdma_setup_rn(struct ib_
+       prof->init(mdev, netdev, prof, ipriv);
+-      mlx5e_attach_netdev(epriv);
++      err = mlx5e_attach_netdev(epriv);
++      if (err)
++              goto detach;
+       netif_carrier_off(netdev);
+       /* set rdma_netdev func pointers */
+@@ -714,6 +716,11 @@ static int mlx5_rdma_setup_rn(struct ib_
+       return 0;
++detach:
++      prof->cleanup(epriv);
++      if (ipriv->sub_interface)
++              return err;
++      mlx5e_destroy_mdev_resources(mdev);
+ destroy_ht:
+       mlx5i_pkey_qpn_ht_cleanup(netdev);
+       return err;
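Review bot: The new `detach:` path returns from the middle of the unwind chain with `if (ipriv->sub_interface) return err;`, which is easy to break when another label is added below it. A comment such as `/* sub-interfaces did not set up the mdev resources or the qpn hash table; nothing more to undo */` would record why the rest of the cleanup is skipped. The matching setup-side condition is outside the hunk, so that wording should be confirmed there. The result of `prof->init(mdev, netdev, prof, ipriv);` on the line above the new check is still unused; if that callback can fail, it wants the same treatment.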
diff --git a/queue-5.1/net-mlx5e-rx-fix-checksum-calculation-for-new-hardware.patch b/queue-5.1/net-mlx5e-rx-fix-checksum-calculation-for-new-hardware.patch
new file mode 100644 (file)
index 0000000..3a30b1d
--- /dev/null
@@ -0,0 +1,86 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Saeed Mahameed <saeedm@mellanox.com>
+Date: Fri, 3 May 2019 13:14:59 -0700
+Subject: net/mlx5e: Rx, Fix checksum calculation for new hardware
+
+From: Saeed Mahameed <saeedm@mellanox.com>
+
+[ Upstream commit db849faa9bef993a1379dc510623f750a72fa7ce ]
+
+CQE checksum full mode in new HW, provides a full checksum of rx frame.
+Covering bytes starting from eth protocol up to last byte in the received
+frame (frame_size - ETH_HLEN), as expected by the stack.
+
+Fixing up skb->csum by the driver is not required in such case. This fix
+is to avoid wrong checksum calculation in drivers which already support
+the new hardware with the new checksum mode.
+
+Fixes: 85327a9c4150 ("net/mlx5: Update the list of the PCI supported devices")
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en.h      |    1 +
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c |    3 +++
+ drivers/net/ethernet/mellanox/mlx5/core/en_rx.c   |    7 ++++++-
+ include/linux/mlx5/mlx5_ifc.h                     |    3 ++-
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+@@ -294,6 +294,7 @@ enum {
+       MLX5E_RQ_STATE_ENABLED,
+       MLX5E_RQ_STATE_AM,
+       MLX5E_RQ_STATE_NO_CSUM_COMPLETE,
++      MLX5E_RQ_STATE_CSUM_FULL, /* cqe_csum_full hw bit is set */
+ };
+ struct mlx5e_cq {
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -948,6 +948,9 @@ static int mlx5e_open_rq(struct mlx5e_ch
+       if (err)
+               goto err_destroy_rq;
++      if (MLX5_CAP_ETH(c->mdev, cqe_checksum_full))
++              __set_bit(MLX5E_RQ_STATE_CSUM_FULL, &c->rq.state);
++
+       if (params->rx_dim_enabled)
+               __set_bit(MLX5E_RQ_STATE_AM, &c->rq.state);
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+@@ -829,8 +829,14 @@ static inline void mlx5e_handle_csum(str
+               if (unlikely(get_ip_proto(skb, network_depth, proto) == IPPROTO_SCTP))
+                       goto csum_unnecessary;
++              stats->csum_complete++;
+               skb->ip_summed = CHECKSUM_COMPLETE;
+               skb->csum = csum_unfold((__force __sum16)cqe->check_sum);
++
++              if (test_bit(MLX5E_RQ_STATE_CSUM_FULL, &rq->state))
++                      return; /* CQE csum covers all received bytes */
++
++              /* csum might need some fixups ...*/
+               if (network_depth > ETH_HLEN)
+                       /* CQE csum is calculated from the IP header and does
+                        * not cover VLAN headers (if present). This will add
+@@ -841,7 +847,6 @@ static inline void mlx5e_handle_csum(str
+                                                skb->csum);
+               mlx5e_skb_padding_csum(skb, network_depth, proto, stats);
+-              stats->csum_complete++;
+               return;
+       }
+--- a/include/linux/mlx5/mlx5_ifc.h
++++ b/include/linux/mlx5/mlx5_ifc.h
+@@ -716,7 +716,8 @@ struct mlx5_ifc_per_protocol_networking_
+       u8         swp[0x1];
+       u8         swp_csum[0x1];
+       u8         swp_lso[0x1];
+-      u8         reserved_at_23[0xd];
++      u8         cqe_checksum_full[0x1];
++      u8         reserved_at_24[0xc];
+       u8         max_vxlan_udp_ports[0x8];
+       u8         reserved_at_38[0x6];
+       u8         max_geneve_opt_len[0x1];
diff --git a/queue-5.1/net-neigh-fix-multiple-neigh-timer-scheduling.patch b/queue-5.1/net-neigh-fix-multiple-neigh-timer-scheduling.patch
new file mode 100644 (file)
index 0000000..22ee64a
--- /dev/null
@@ -0,0 +1,92 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Sun, 14 Jul 2019 23:36:11 +0200
+Subject: net: neigh: fix multiple neigh timer scheduling
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+[ Upstream commit 071c37983d99da07797294ea78e9da1a6e287144 ]
+
+Neigh timer can be scheduled multiple times from userspace adding
+multiple neigh entries and forcing the neigh timer scheduling passing
+NTF_USE in the netlink requests.
+This will result in a refcount leak and in the following dump stack:
+
+[   32.465295] NEIGH: BUG, double timer add, state is 8
+[   32.465308] CPU: 0 PID: 416 Comm: double_timer_ad Not tainted 5.2.0+ #65
+[   32.465311] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014
+[   32.465313] Call Trace:
+[   32.465318]  dump_stack+0x7c/0xc0
+[   32.465323]  __neigh_event_send+0x20c/0x880
+[   32.465326]  ? ___neigh_create+0x846/0xfb0
+[   32.465329]  ? neigh_lookup+0x2a9/0x410
+[   32.465332]  ? neightbl_fill_info.constprop.0+0x800/0x800
+[   32.465334]  neigh_add+0x4f8/0x5e0
+[   32.465337]  ? neigh_xmit+0x620/0x620
+[   32.465341]  ? find_held_lock+0x85/0xa0
+[   32.465345]  rtnetlink_rcv_msg+0x204/0x570
+[   32.465348]  ? rtnl_dellink+0x450/0x450
+[   32.465351]  ? mark_held_locks+0x90/0x90
+[   32.465354]  ? match_held_lock+0x1b/0x230
+[   32.465357]  netlink_rcv_skb+0xc4/0x1d0
+[   32.465360]  ? rtnl_dellink+0x450/0x450
+[   32.465363]  ? netlink_ack+0x420/0x420
+[   32.465366]  ? netlink_deliver_tap+0x115/0x560
+[   32.465369]  ? __alloc_skb+0xc9/0x2f0
+[   32.465372]  netlink_unicast+0x270/0x330
+[   32.465375]  ? netlink_attachskb+0x2f0/0x2f0
+[   32.465378]  netlink_sendmsg+0x34f/0x5a0
+[   32.465381]  ? netlink_unicast+0x330/0x330
+[   32.465385]  ? move_addr_to_kernel.part.0+0x20/0x20
+[   32.465388]  ? netlink_unicast+0x330/0x330
+[   32.465391]  sock_sendmsg+0x91/0xa0
+[   32.465394]  ___sys_sendmsg+0x407/0x480
+[   32.465397]  ? copy_msghdr_from_user+0x200/0x200
+[   32.465401]  ? _raw_spin_unlock_irqrestore+0x37/0x40
+[   32.465404]  ? lockdep_hardirqs_on+0x17d/0x250
+[   32.465407]  ? __wake_up_common_lock+0xcb/0x110
+[   32.465410]  ? __wake_up_common+0x230/0x230
+[   32.465413]  ? netlink_bind+0x3e1/0x490
+[   32.465416]  ? netlink_setsockopt+0x540/0x540
+[   32.465420]  ? __fget_light+0x9c/0xf0
+[   32.465423]  ? sockfd_lookup_light+0x8c/0xb0
+[   32.465426]  __sys_sendmsg+0xa5/0x110
+[   32.465429]  ? __ia32_sys_shutdown+0x30/0x30
+[   32.465432]  ? __fd_install+0xe1/0x2c0
+[   32.465435]  ? lockdep_hardirqs_off+0xb5/0x100
+[   32.465438]  ? mark_held_locks+0x24/0x90
+[   32.465441]  ? do_syscall_64+0xf/0x270
+[   32.465444]  do_syscall_64+0x63/0x270
+[   32.465448]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fix the issue unscheduling neigh_timer if selected entry is in 'IN_TIMER'
+receiving a netlink request with NTF_USE flag set
+
+Reported-by: Marek Majkowski <marek@cloudflare.com>
+Fixes: 0c5c2d308906 ("neigh: Allow for user space users of the neighbour table")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -1126,6 +1126,7 @@ int __neigh_event_send(struct neighbour
+                       atomic_set(&neigh->probes,
+                                  NEIGH_VAR(neigh->parms, UCAST_PROBES));
++                      neigh_del_timer(neigh);
+                       neigh->nud_state     = NUD_INCOMPLETE;
+                       neigh->updated = now;
+                       next = now + max(NEIGH_VAR(neigh->parms, RETRANS_TIME),
+@@ -1142,6 +1143,7 @@ int __neigh_event_send(struct neighbour
+               }
+       } else if (neigh->nud_state & NUD_STALE) {
+               neigh_dbg(2, "neigh %p is delayed\n", neigh);
++              neigh_del_timer(neigh);
+               neigh->nud_state = NUD_DELAY;
+               neigh->updated = jiffies;
+               neigh_add_timer(neigh, jiffies +
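Review bot: Both added `neigh_del_timer(neigh);` calls in __neigh_event_send() lack a comment, and nothing at the call sites says why a timer could already be pending in these branches. Per the description, the case is a netlink request with NTF_USE hitting an entry that already has its timer scheduled, which otherwise leaks a reference. A line such as `/* NTF_USE may get here with the timer armed; drop it before re-arming */` at the first call would keep a later cleanup from removing it as redundant. The function body extends beyond both hunks.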
diff --git a/queue-5.1/net-openvswitch-fix-csum-updates-for-mpls-actions.patch b/queue-5.1/net-openvswitch-fix-csum-updates-for-mpls-actions.patch
new file mode 100644 (file)
index 0000000..c324421
--- /dev/null
@@ -0,0 +1,73 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: John Hurley <john.hurley@netronome.com>
+Date: Thu, 27 Jun 2019 14:37:30 +0100
+Subject: net: openvswitch: fix csum updates for MPLS actions
+
+From: John Hurley <john.hurley@netronome.com>
+
+[ Upstream commit 0e3183cd2a64843a95b62f8bd4a83605a4cf0615 ]
+
+Skbs may have their checksum value populated by HW. If this is a checksum
+calculated over the entire packet then the CHECKSUM_COMPLETE field is
+marked. Changes to the data pointer on the skb throughout the network
+stack still try to maintain this complete csum value if it is required
+through functions such as skb_postpush_rcsum.
+
+The MPLS actions in Open vSwitch modify a CHECKSUM_COMPLETE value when
+changes are made to packet data without a push or a pull. This occurs when
+the ethertype of the MAC header is changed or when MPLS lse fields are
+modified.
+
+The modification is carried out using the csum_partial function to get the
+csum of a buffer and add it into the larger checksum. The buffer is an
+inversion of the data to be removed followed by the new data. Because the
+csum is calculated over 16 bits and these values align with 16 bits, the
+effect is the removal of the old value from the CHECKSUM_COMPLETE and
+addition of the new value.
+
+However, the csum fed into the function and the outcome of the
+calculation are also inverted. This would only make sense if it was the
+new value rather than the old that was inverted in the input buffer.
+
+Fix the issue by removing the bit inverts in the csum_partial calculation.
+
+The bug was verified and the fix tested by comparing the folded value of
+the updated CHECKSUM_COMPLETE value with the folded value of a full
+software checksum calculation (reset skb->csum to 0 and run
+skb_checksum_complete(skb)). Prior to the fix the outcomes differed but
+after they produce the same result.
+
+Fixes: 25cd9ba0abc0 ("openvswitch: Add basic MPLS support to kernel")
+Fixes: bc7cc5999fd3 ("openvswitch: update checksum in {push,pop}_mpls")
+Signed-off-by: John Hurley <john.hurley@netronome.com>
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Simon Horman <simon.horman@netronome.com>
+Acked-by: Pravin B Shelar <pshelar@ovn.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/actions.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -175,8 +175,7 @@ static void update_ethertype(struct sk_b
+       if (skb->ip_summed == CHECKSUM_COMPLETE) {
+               __be16 diff[] = { ~(hdr->h_proto), ethertype };
+-              skb->csum = ~csum_partial((char *)diff, sizeof(diff),
+-                                      ~skb->csum);
++              skb->csum = csum_partial((char *)diff, sizeof(diff), skb->csum);
+       }
+       hdr->h_proto = ethertype;
+@@ -268,8 +267,7 @@ static int set_mpls(struct sk_buff *skb,
+       if (skb->ip_summed == CHECKSUM_COMPLETE) {
+               __be32 diff[] = { ~(stack->label_stack_entry), lse };
+-              skb->csum = ~csum_partial((char *)diff, sizeof(diff),
+-                                        ~skb->csum);
++              skb->csum = csum_partial((char *)diff, sizeof(diff), skb->csum);
+       }
+       stack->label_stack_entry = lse;
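Review bot: The same CHECKSUM_COMPLETE adjustment sits in both update_ethertype() and set_mpls() with no comment on why only the old value is complemented, which is exactly the detail the removed lines got wrong. I would put `/* diff[] = { ~old, new }: adding it to skb->csum drops old and adds new; no further inversion */` above each `csum_partial()` call. Both functions begin and end outside the nested hunks, so whether a small shared helper would fit cannot be judged from here.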
diff --git a/queue-5.1/net-phy-sfp-hwmon-fix-scaling-of-rx-power.patch b/queue-5.1/net-phy-sfp-hwmon-fix-scaling-of-rx-power.patch
new file mode 100644 (file)
index 0000000..8cb75ef
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Andrew Lunn <andrew@lunn.ch>
+Date: Sun, 21 Jul 2019 18:50:08 +0200
+Subject: net: phy: sfp: hwmon: Fix scaling of RX power
+
+From: Andrew Lunn <andrew@lunn.ch>
+
+[ Upstream commit 0cea0e1148fe134a4a3aaf0b1496f09241fb943a ]
+
+The RX power read from the SFP uses units of 0.1uW. This must be
+scaled to units of uW for HWMON. This requires a divide by 10, not the
+current 100.
+
+With this change in place, sensors(1) and ethtool -m agree:
+
+sff2-isa-0000
+Adapter: ISA adapter
+in0:          +3.23 V
+temp1:        +33.1 C
+power1:      270.00 uW
+power2:      200.00 uW
+curr1:        +0.01 A
+
+        Laser output power                        : 0.2743 mW / -5.62 dBm
+        Receiver signal average optical power     : 0.2014 mW / -6.96 dBm
+
+Reported-by: chris.healy@zii.aero
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Fixes: 1323061a018a ("net: phy: sfp: Add HWMON support for module sensors")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/sfp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/sfp.c
++++ b/drivers/net/phy/sfp.c
+@@ -515,7 +515,7 @@ static int sfp_hwmon_read_sensor(struct
+ static void sfp_hwmon_to_rx_power(long *value)
+ {
+-      *value = DIV_ROUND_CLOSEST(*value, 100);
++      *value = DIV_ROUND_CLOSEST(*value, 10);
+ }
+ static void sfp_hwmon_calibrate(struct sfp *sfp, unsigned int slope, int offset,
diff --git a/queue-5.1/net-stmmac-re-work-the-queue-selection-for-tso-packets.patch b/queue-5.1/net-stmmac-re-work-the-queue-selection-for-tso-packets.patch
new file mode 100644 (file)
index 0000000..6e85eb6
--- /dev/null
@@ -0,0 +1,81 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Mon, 8 Jul 2019 14:26:28 +0200
+Subject: net: stmmac: Re-work the queue selection for TSO packets
+
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+
+[ Upstream commit 4993e5b37e8bcb55ac90f76eb6d2432647273747 ]
+
+Ben Hutchings says:
+       "This is the wrong place to change the queue mapping.
+       stmmac_xmit() is called with a specific TX queue locked,
+       and accessing a different TX queue results in a data race
+       for all of that queue's state.
+
+       I think this commit should be reverted upstream and in all
+       stable branches.  Instead, the driver should implement the
+       ndo_select_queue operation and override the queue mapping there."
+
+Fixes: c5acdbee22a1 ("net: stmmac: Send TSO packets always from Queue 0")
+Suggested-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |   29 ++++++++++++++--------
+ 1 file changed, 19 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3058,17 +3058,8 @@ static netdev_tx_t stmmac_xmit(struct sk
+       /* Manage oversized TCP frames for GMAC4 device */
+       if (skb_is_gso(skb) && priv->tso) {
+-              if (skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)) {
+-                      /*
+-                       * There is no way to determine the number of TSO
+-                       * capable Queues. Let's use always the Queue 0
+-                       * because if TSO is supported then at least this
+-                       * one will be capable.
+-                       */
+-                      skb_set_queue_mapping(skb, 0);
+-
++              if (skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))
+                       return stmmac_tso_xmit(skb, dev);
+-              }
+       }
+       if (unlikely(stmmac_tx_avail(priv, queue) < nfrags + 1)) {
+@@ -3885,6 +3876,23 @@ static int stmmac_setup_tc(struct net_de
+       }
+ }
++static u16 stmmac_select_queue(struct net_device *dev, struct sk_buff *skb,
++                             struct net_device *sb_dev,
++                             select_queue_fallback_t fallback)
++{
++      if (skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)) {
++              /*
++               * There is no way to determine the number of TSO
++               * capable Queues. Let's use always the Queue 0
++               * because if TSO is supported then at least this
++               * one will be capable.
++               */
++              return 0;
++      }
++
++      return fallback(dev, skb, NULL) % dev->real_num_tx_queues;
++}
++
+ static int stmmac_set_mac_address(struct net_device *ndev, void *addr)
+ {
+       struct stmmac_priv *priv = netdev_priv(ndev);
+@@ -4101,6 +4109,7 @@ static const struct net_device_ops stmma
+       .ndo_tx_timeout = stmmac_tx_timeout,
+       .ndo_do_ioctl = stmmac_ioctl,
+       .ndo_setup_tc = stmmac_setup_tc,
++      .ndo_select_queue = stmmac_select_queue,
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+       .ndo_poll_controller = stmmac_poll_controller,
+ #endif
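Review bot: stmmac_select_queue() sends every TCP GSO skb to queue 0 without the `priv->tso` test that stmmac_xmit() applies before calling stmmac_tso_xmit(), so with TSO switched off this traffic still appears to be pinned to a single queue. If that is not intended, fetch `struct stmmac_priv *priv = netdev_priv(dev);` and make the condition `if (priv->tso && skb_is_gso(skb) && (skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)))`. The fallback is also called with `NULL` instead of the `sb_dev` argument, which deserves a one-line comment if it is deliberate.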
diff --git a/queue-5.1/net-tls-fix-poll-ignoring-partially-copied-records.patch b/queue-5.1/net-tls-fix-poll-ignoring-partially-copied-records.patch
new file mode 100644 (file)
index 0000000..ee260fb
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+Date: Thu, 4 Jul 2019 14:50:36 -0700
+Subject: net/tls: fix poll ignoring partially copied records
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+[ Upstream commit 13aecb17acabc2a92187d08f7ca93bb8aad62c6f ]
+
+David reports that RPC applications which use epoll() occasionally
+get stuck, and that TLS ULP causes the kernel to not wake applications,
+even though read() will return data.
+
+This is indeed true. The ctx->rx_list which holds partially copied
+records is not consulted when deciding whether socket is readable.
+
+Note that SO_RCVLOWAT with epoll() is and has always been broken for
+kernel TLS. We'd need to parse all records from the TCP layer, instead
+of just the first one.
+
+Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records")
+Reported-by: David Beckett <david.beckett@netronome.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_sw.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -1931,7 +1931,8 @@ bool tls_sw_stream_read(const struct soc
+               ingress_empty = list_empty(&psock->ingress_msg);
+       rcu_read_unlock();
+-      return !ingress_empty || ctx->recv_pkt;
++      return !ingress_empty || ctx->recv_pkt ||
++              !skb_queue_empty(&ctx->rx_list);
+ }
+ static int tls_read_size(struct strparser *strp, struct sk_buff *skb)
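Review bot: The added `rx_list` test in tls_sw_stream_read() carries no comment, and the limitation the commit message describes is not recorded in the code. I would add `/* rx_list holds partially copied records; SO_RCVLOWAT is not honoured because only the first record is parsed */` above the return. The function starts outside the nested hunk, so the conditions under which `ctx->rx_list` and `ctx->recv_pkt` are read cannot be checked from here.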
diff --git a/queue-5.1/net-tls-make-sure-offload-also-gets-the-keys-wiped.patch b/queue-5.1/net-tls-make-sure-offload-also-gets-the-keys-wiped.patch
new file mode 100644 (file)
index 0000000..3d20d07
--- /dev/null
@@ -0,0 +1,66 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+Date: Fri, 28 Jun 2019 16:11:39 -0700
+Subject: net/tls: make sure offload also gets the keys wiped
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+[ Upstream commit acd3e96d53a24d219f720ed4012b62723ae05da1 ]
+
+Commit 86029d10af18 ("tls: zero the crypto information from tls_context
+before freeing") added memzero_explicit() calls to clear the key material
+before freeing struct tls_context, but it missed tls_device.c has its
+own way of freeing this structure. Replace the missing free.
+
+Fixes: 86029d10af18 ("tls: zero the crypto information from tls_context before freeing")
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tls.h    |    1 +
+ net/tls/tls_device.c |    2 +-
+ net/tls/tls_main.c   |    4 ++--
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -285,6 +285,7 @@ struct tls_offload_context_rx {
+       (ALIGN(sizeof(struct tls_offload_context_rx), sizeof(void *)) + \
+        TLS_DRIVER_STATE_SIZE)
++void tls_ctx_free(struct tls_context *ctx);
+ int wait_on_pending_writer(struct sock *sk, long *timeo);
+ int tls_sk_query(struct sock *sk, int optname, char __user *optval,
+               int __user *optlen);
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -61,7 +61,7 @@ static void tls_device_free_ctx(struct t
+       if (ctx->rx_conf == TLS_HW)
+               kfree(tls_offload_ctx_rx(ctx));
+-      kfree(ctx);
++      tls_ctx_free(ctx);
+ }
+ static void tls_device_gc_task(struct work_struct *work)
+--- a/net/tls/tls_main.c
++++ b/net/tls/tls_main.c
+@@ -251,7 +251,7 @@ static void tls_write_space(struct sock
+       ctx->sk_write_space(sk);
+ }
+-static void tls_ctx_free(struct tls_context *ctx)
++void tls_ctx_free(struct tls_context *ctx)
+ {
+       if (!ctx)
+               return;
+@@ -638,7 +638,7 @@ static void tls_hw_sk_destruct(struct so
+       ctx->sk_destruct(sk);
+       /* Free ctx */
+-      kfree(ctx);
++      tls_ctx_free(ctx);
+       icsk->icsk_ulp_data = NULL;
+ }
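Review bot: The now-public prototype `tls_ctx_free()` in include/net/tls.h has no comment telling callers that it is the required way to release a `struct tls_context`, and a plain `kfree(ctx)` is precisely what this patch had to fix in two places. I would add `/* Clears the key material in ctx before freeing it; do not kfree() a tls_context directly */` above the declaration; the wiping behaviour is taken from the commit message, since the function body lies outside the hunk. In tls_device_free_ctx() the RX offload context is still released with plain `kfree()`, and whether it holds key-derived state is not visible here and is worth confirming.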
diff --git a/queue-5.1/net-tls-reject-offload-of-tls-1.3.patch b/queue-5.1/net-tls-reject-offload-of-tls-1.3.patch
new file mode 100644 (file)
index 0000000..bdc7679
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+Date: Fri, 28 Jun 2019 16:07:59 -0700
+Subject: net/tls: reject offload of TLS 1.3
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+[ Upstream commit 618bac45937a3dc6126ac0652747481e97000f99 ]
+
+Neither drivers nor the tls offload code currently supports TLS
+version 1.3. Check the TLS version when installing connection
+state. TLS 1.3 will just fallback to the kernel crypto for now.
+
+Fixes: 130b392c6cd6 ("net: tls: Add tls 1.3 support")
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_device.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -746,6 +746,11 @@ int tls_set_device_offload(struct sock *
+       }
+       crypto_info = &ctx->crypto_send.info;
++      if (crypto_info->version != TLS_1_2_VERSION) {
++              rc = -EOPNOTSUPP;
++              goto free_offload_ctx;
++      }
++
+       switch (crypto_info->cipher_type) {
+       case TLS_CIPHER_AES_GCM_128:
+               nonce_size = TLS_CIPHER_AES_GCM_128_IV_SIZE;
+@@ -880,6 +885,9 @@ int tls_set_device_offload_rx(struct soc
+       struct net_device *netdev;
+       int rc = 0;
++      if (ctx->crypto_recv.info.version != TLS_1_2_VERSION)
++              return -EOPNOTSUPP;
++
+       /* We support starting offload on multiple sockets
+        * concurrently, so we only need a read lock here.
+        * This lock must precede get_netdev_for_sock to prevent races between
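Review bot: Both new checks are written as an allow-list (`!= TLS_1_2_VERSION`) but nothing in the code says that this is deliberate, so a later edit could easily turn them into `== TLS_1_3_VERSION` and let an unknown version through to the device. I would add `/* offload implements the TLS 1.2 record format only; every other version falls back to software */` above each check. The TX check in tls_set_device_offload() also runs late enough to need the `free_offload_ctx` unwind, while the RX check returns before anything is acquired; if `ctx->crypto_send.info` is already populated on entry (the start of the function is outside the hunk), testing it at the top would make the two paths match.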
diff --git a/queue-5.1/net_sched-unset-tcq_f_can_bypass-when-adding-filters.patch b/queue-5.1/net_sched-unset-tcq_f_can_bypass-when-adding-filters.patch
new file mode 100644 (file)
index 0000000..dd0eae2
--- /dev/null
@@ -0,0 +1,77 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Tue, 16 Jul 2019 13:57:30 -0700
+Subject: net_sched: unset TCQ_F_CAN_BYPASS when adding filters
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 3f05e6886a595c9a29a309c52f45326be917823c ]
+
+For qdisc's that support TC filters and set TCQ_F_CAN_BYPASS,
+notably fq_codel, it makes no sense to let packets bypass the TC
+filters we setup in any scenario, otherwise our packets steering
+policy could not be enforced.
+
+This can be reproduced easily with the following script:
+
+ ip li add dev dummy0 type dummy
+ ifconfig dummy0 up
+ tc qd add dev dummy0 root fq_codel
+ tc filter add dev dummy0 parent 8001: protocol arp basic action mirred egress redirect dev lo
+ tc filter add dev dummy0 parent 8001: protocol ip basic action mirred egress redirect dev lo
+ ping -I dummy0 192.168.112.1
+
+Without this patch, packets are sent directly to dummy0 without
+hitting any of the filters. With this patch, packets are redirected
+to loopback as expected.
+
+This fix is not perfect, it only unsets the flag but does not set it back
+because we have to save the information somewhere in the qdisc if we
+really want that. Note, both fq_codel and sfq clear this flag in their
+->bind_tcf() but this is clearly not sufficient when we don't use any
+class ID.
+
+Fixes: 23624935e0c4 ("net_sched: TCQ_F_CAN_BYPASS generalization")
+Cc: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_api.c      |    1 +
+ net/sched/sch_fq_codel.c |    2 --
+ net/sched/sch_sfq.c      |    2 --
+ 3 files changed, 1 insertion(+), 4 deletions(-)
+
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -2162,6 +2162,7 @@ replay:
+               tfilter_notify(net, skb, n, tp, block, q, parent, fh,
+                              RTM_NEWTFILTER, false, rtnl_held);
+               tfilter_put(tp, fh);
++              q->flags &= ~TCQ_F_CAN_BYPASS;
+       }
+ errout:
+--- a/net/sched/sch_fq_codel.c
++++ b/net/sched/sch_fq_codel.c
+@@ -600,8 +600,6 @@ static unsigned long fq_codel_find(struc
+ static unsigned long fq_codel_bind(struct Qdisc *sch, unsigned long parent,
+                             u32 classid)
+ {
+-      /* we cannot bypass queue discipline anymore */
+-      sch->flags &= ~TCQ_F_CAN_BYPASS;
+       return 0;
+ }
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -828,8 +828,6 @@ static unsigned long sfq_find(struct Qdi
+ static unsigned long sfq_bind(struct Qdisc *sch, unsigned long parent,
+                             u32 classid)
+ {
+-      /* we cannot bypass queue discipline anymore */
+-      sch->flags &= ~TCQ_F_CAN_BYPASS;
+       return 0;
+ }
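Review bot: The added `q->flags &= ~TCQ_F_CAN_BYPASS;` in cls_api.c dereferences `q` unconditionally, and the hunk does not show that `q` is always set at this point. If a filter can be added to a block that is not tied to a single qdisc, `q` may be NULL and this line would oops in a path reachable from a netlink request. I would write it as `if (q) q->flags &= ~TCQ_F_CAN_BYPASS;` with a comment noting when `q` is absent. The enclosing function starts and ends outside the hunk, so this needs checking against the full body.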
diff --git a/queue-5.1/netrom-fix-a-memory-leak-in-nr_rx_frame.patch b/queue-5.1/netrom-fix-a-memory-leak-in-nr_rx_frame.patch
new file mode 100644 (file)
index 0000000..1f95b13
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 27 Jun 2019 14:30:58 -0700
+Subject: netrom: fix a memory leak in nr_rx_frame()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit c8c8218ec5af5d2598381883acbefbf604e56b5e ]
+
+When the skb is associated with a new sock, just assigning
+it to skb->sk is not sufficient, we have to set its destructor
+to free the sock properly too.
+
+Reported-by: syzbot+d6636a36d3c34bd88938@syzkaller.appspotmail.com
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netrom/af_netrom.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -872,7 +872,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+       unsigned short frametype, flags, window, timeout;
+       int ret;
+-      skb->sk = NULL;         /* Initially we don't know who it's for */
++      skb_orphan(skb);
+       /*
+        *      skb->data points to the netrom frame start
+@@ -971,6 +971,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+       window = skb->data[20];
+       skb->sk             = make;
++      skb->destructor     = sock_efree;
+       make->sk_state      = TCP_ESTABLISHED;
+       /* Fill in his circuit details */
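Review bot: This patch installs `sock_efree` as the skb destructor without taking a reference on `make`, so on its own it trades the leak for an unbalanced refcount when the skb is freed. The follow-up patch netrom-hold-sock-when-setting-skb-destructor.patch, queued in the same commit, adds `sock_hold(make);` for exactly this reason. The two must stay together and in this order in every stable tree that takes either of them. A short comment at the assignment, `/* sock_efree() drops a reference; pair with sock_hold() */`, would make the dependency visible in the code.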
diff --git a/queue-5.1/netrom-hold-sock-when-setting-skb-destructor.patch b/queue-5.1/netrom-hold-sock-when-setting-skb-destructor.patch
new file mode 100644 (file)
index 0000000..22ce9c1
--- /dev/null
@@ -0,0 +1,39 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 22 Jul 2019 20:41:22 -0700
+Subject: netrom: hold sock when setting skb->destructor
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 4638faac032756f7eab5524be7be56bee77e426b ]
+
+sock_efree() releases the sock refcnt, if we don't hold this refcnt
+when setting skb->destructor to it, the refcnt would not be balanced.
+This leads to several bug reports from syzbot.
+
+I have checked other users of sock_efree(), all of them hold the
+sock refcnt.
+
+Fixes: c8c8218ec5af ("netrom: fix a memory leak in nr_rx_frame()")
+Reported-and-tested-by: <syzbot+622bdabb128acc33427d@syzkaller.appspotmail.com>
+Reported-and-tested-by: <syzbot+6eaef7158b19e3fec3a0@syzkaller.appspotmail.com>
+Reported-and-tested-by: <syzbot+9399c158fcc09b21d0d2@syzkaller.appspotmail.com>
+Reported-and-tested-by: <syzbot+a34e5f3d0300163f0c87@syzkaller.appspotmail.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netrom/af_netrom.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -970,6 +970,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+       window = skb->data[20];
++      sock_hold(make);
+       skb->sk             = make;
+       skb->destructor     = sock_efree;
+       make->sk_state      = TCP_ESTABLISHED;
diff --git a/queue-5.1/nfc-fix-potential-illegal-memory-access.patch b/queue-5.1/nfc-fix-potential-illegal-memory-access.patch
new file mode 100644 (file)
index 0000000..e6dbb70
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Yang Wei <albin_yang@163.com>
+Date: Mon, 8 Jul 2019 22:57:39 +0800
+Subject: nfc: fix potential illegal memory access
+
+From: Yang Wei <albin_yang@163.com>
+
+[ Upstream commit dd006fc434e107ef90f7de0db9907cbc1c521645 ]
+
+The frags_q is not properly initialized, it may result in illegal memory
+access when conn_info is NULL.
+The "goto free_exit" should be replaced by "goto exit".
+
+Signed-off-by: Yang Wei <albin_yang@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/nci/data.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/nfc/nci/data.c
++++ b/net/nfc/nci/data.c
+@@ -119,7 +119,7 @@ static int nci_queue_tx_data_frags(struc
+       conn_info = nci_get_conn_info_by_conn_id(ndev, conn_id);
+       if (!conn_info) {
+               rc = -EPROTO;
+-              goto free_exit;
++              goto exit;
+       }
+       __skb_queue_head_init(&frags_q);
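Review bot: The fix relies on picking the right label, which stays fragile because `frags_q` is still initialised only after the first failure point in nci_queue_tx_data_frags(). Moving `__skb_queue_head_init(&frags_q);` above the `nci_get_conn_info_by_conn_id()` call would make every error path safe regardless of which label it jumps to. If the current order is kept, a comment `/* frags_q not initialised yet, must not reach free_exit */` next to `goto exit;` would protect it from later edits. The labels themselves are outside the hunk, so what `free_exit` does with the queue is inferred from the commit message.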
diff --git a/queue-5.1/r8169-fix-issue-with-confused-rx-unit-after-phy-power-down-on-rtl8411b.patch b/queue-5.1/r8169-fix-issue-with-confused-rx-unit-after-phy-power-down-on-rtl8411b.patch
new file mode 100644 (file)
index 0000000..9406051
--- /dev/null
@@ -0,0 +1,173 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Sat, 13 Jul 2019 13:45:47 +0200
+Subject: r8169: fix issue with confused RX unit after PHY power-down on RTL8411b
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit fe4e8db0392a6c2e795eb89ef5fcd86522e66248 ]
+
+On RTL8411b the RX unit gets confused if the PHY is powered-down.
+This was reported in [0] and confirmed by Realtek. Realtek provided
+a sequence to fix the RX unit after PHY wakeup.
+
+The issue itself seems to have been there longer, the Fixes tag
+refers to where the fix applies properly.
+
+[0] https://bugzilla.redhat.com/show_bug.cgi?id=1692075
+
+Fixes: a99790bf5c7f ("r8169: Reinstate ASPM Support")
+Tested-by: Ionut Radu <ionut.radu@gmail.com>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169.c |  137 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 137 insertions(+)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -5241,6 +5241,143 @@ static void rtl_hw_start_8411_2(struct r
+       /* disable aspm and clock request before access ephy */
+       rtl_hw_aspm_clkreq_enable(tp, false);
+       rtl_ephy_init(tp, e_info_8411_2, ARRAY_SIZE(e_info_8411_2));
++
++      /* The following Realtek-provided magic fixes an issue with the RX unit
++       * getting confused after the PHY having been powered-down.
++       */
++      r8168_mac_ocp_write(tp, 0xFC28, 0x0000);
++      r8168_mac_ocp_write(tp, 0xFC2A, 0x0000);
++      r8168_mac_ocp_write(tp, 0xFC2C, 0x0000);
++      r8168_mac_ocp_write(tp, 0xFC2E, 0x0000);
++      r8168_mac_ocp_write(tp, 0xFC30, 0x0000);
++      r8168_mac_ocp_write(tp, 0xFC32, 0x0000);
++      r8168_mac_ocp_write(tp, 0xFC34, 0x0000);
++      r8168_mac_ocp_write(tp, 0xFC36, 0x0000);
++      mdelay(3);
++      r8168_mac_ocp_write(tp, 0xFC26, 0x0000);
++
++      r8168_mac_ocp_write(tp, 0xF800, 0xE008);
++      r8168_mac_ocp_write(tp, 0xF802, 0xE00A);
++      r8168_mac_ocp_write(tp, 0xF804, 0xE00C);
++      r8168_mac_ocp_write(tp, 0xF806, 0xE00E);
++      r8168_mac_ocp_write(tp, 0xF808, 0xE027);
++      r8168_mac_ocp_write(tp, 0xF80A, 0xE04F);
++      r8168_mac_ocp_write(tp, 0xF80C, 0xE05E);
++      r8168_mac_ocp_write(tp, 0xF80E, 0xE065);
++      r8168_mac_ocp_write(tp, 0xF810, 0xC602);
++      r8168_mac_ocp_write(tp, 0xF812, 0xBE00);
++      r8168_mac_ocp_write(tp, 0xF814, 0x0000);
++      r8168_mac_ocp_write(tp, 0xF816, 0xC502);
++      r8168_mac_ocp_write(tp, 0xF818, 0xBD00);
++      r8168_mac_ocp_write(tp, 0xF81A, 0x074C);
++      r8168_mac_ocp_write(tp, 0xF81C, 0xC302);
++      r8168_mac_ocp_write(tp, 0xF81E, 0xBB00);
++      r8168_mac_ocp_write(tp, 0xF820, 0x080A);
++      r8168_mac_ocp_write(tp, 0xF822, 0x6420);
++      r8168_mac_ocp_write(tp, 0xF824, 0x48C2);
++      r8168_mac_ocp_write(tp, 0xF826, 0x8C20);
++      r8168_mac_ocp_write(tp, 0xF828, 0xC516);
++      r8168_mac_ocp_write(tp, 0xF82A, 0x64A4);
++      r8168_mac_ocp_write(tp, 0xF82C, 0x49C0);
++      r8168_mac_ocp_write(tp, 0xF82E, 0xF009);
++      r8168_mac_ocp_write(tp, 0xF830, 0x74A2);
++      r8168_mac_ocp_write(tp, 0xF832, 0x8CA5);
++      r8168_mac_ocp_write(tp, 0xF834, 0x74A0);
++      r8168_mac_ocp_write(tp, 0xF836, 0xC50E);
++      r8168_mac_ocp_write(tp, 0xF838, 0x9CA2);
++      r8168_mac_ocp_write(tp, 0xF83A, 0x1C11);
++      r8168_mac_ocp_write(tp, 0xF83C, 0x9CA0);
++      r8168_mac_ocp_write(tp, 0xF83E, 0xE006);
++      r8168_mac_ocp_write(tp, 0xF840, 0x74F8);
++      r8168_mac_ocp_write(tp, 0xF842, 0x48C4);
++      r8168_mac_ocp_write(tp, 0xF844, 0x8CF8);
++      r8168_mac_ocp_write(tp, 0xF846, 0xC404);
++      r8168_mac_ocp_write(tp, 0xF848, 0xBC00);
++      r8168_mac_ocp_write(tp, 0xF84A, 0xC403);
++      r8168_mac_ocp_write(tp, 0xF84C, 0xBC00);
++      r8168_mac_ocp_write(tp, 0xF84E, 0x0BF2);
++      r8168_mac_ocp_write(tp, 0xF850, 0x0C0A);
++      r8168_mac_ocp_write(tp, 0xF852, 0xE434);
++      r8168_mac_ocp_write(tp, 0xF854, 0xD3C0);
++      r8168_mac_ocp_write(tp, 0xF856, 0x49D9);
++      r8168_mac_ocp_write(tp, 0xF858, 0xF01F);
++      r8168_mac_ocp_write(tp, 0xF85A, 0xC526);
++      r8168_mac_ocp_write(tp, 0xF85C, 0x64A5);
++      r8168_mac_ocp_write(tp, 0xF85E, 0x1400);
++      r8168_mac_ocp_write(tp, 0xF860, 0xF007);
++      r8168_mac_ocp_write(tp, 0xF862, 0x0C01);
++      r8168_mac_ocp_write(tp, 0xF864, 0x8CA5);
++      r8168_mac_ocp_write(tp, 0xF866, 0x1C15);
++      r8168_mac_ocp_write(tp, 0xF868, 0xC51B);
++      r8168_mac_ocp_write(tp, 0xF86A, 0x9CA0);
++      r8168_mac_ocp_write(tp, 0xF86C, 0xE013);
++      r8168_mac_ocp_write(tp, 0xF86E, 0xC519);
++      r8168_mac_ocp_write(tp, 0xF870, 0x74A0);
++      r8168_mac_ocp_write(tp, 0xF872, 0x48C4);
++      r8168_mac_ocp_write(tp, 0xF874, 0x8CA0);
++      r8168_mac_ocp_write(tp, 0xF876, 0xC516);
++      r8168_mac_ocp_write(tp, 0xF878, 0x74A4);
++      r8168_mac_ocp_write(tp, 0xF87A, 0x48C8);
++      r8168_mac_ocp_write(tp, 0xF87C, 0x48CA);
++      r8168_mac_ocp_write(tp, 0xF87E, 0x9CA4);
++      r8168_mac_ocp_write(tp, 0xF880, 0xC512);
++      r8168_mac_ocp_write(tp, 0xF882, 0x1B00);
++      r8168_mac_ocp_write(tp, 0xF884, 0x9BA0);
++      r8168_mac_ocp_write(tp, 0xF886, 0x1B1C);
++      r8168_mac_ocp_write(tp, 0xF888, 0x483F);
++      r8168_mac_ocp_write(tp, 0xF88A, 0x9BA2);
++      r8168_mac_ocp_write(tp, 0xF88C, 0x1B04);
++      r8168_mac_ocp_write(tp, 0xF88E, 0xC508);
++      r8168_mac_ocp_write(tp, 0xF890, 0x9BA0);
++      r8168_mac_ocp_write(tp, 0xF892, 0xC505);
++      r8168_mac_ocp_write(tp, 0xF894, 0xBD00);
++      r8168_mac_ocp_write(tp, 0xF896, 0xC502);
++      r8168_mac_ocp_write(tp, 0xF898, 0xBD00);
++      r8168_mac_ocp_write(tp, 0xF89A, 0x0300);
++      r8168_mac_ocp_write(tp, 0xF89C, 0x051E);
++      r8168_mac_ocp_write(tp, 0xF89E, 0xE434);
++      r8168_mac_ocp_write(tp, 0xF8A0, 0xE018);
++      r8168_mac_ocp_write(tp, 0xF8A2, 0xE092);
++      r8168_mac_ocp_write(tp, 0xF8A4, 0xDE20);
++      r8168_mac_ocp_write(tp, 0xF8A6, 0xD3C0);
++      r8168_mac_ocp_write(tp, 0xF8A8, 0xC50F);
++      r8168_mac_ocp_write(tp, 0xF8AA, 0x76A4);
++      r8168_mac_ocp_write(tp, 0xF8AC, 0x49E3);
++      r8168_mac_ocp_write(tp, 0xF8AE, 0xF007);
++      r8168_mac_ocp_write(tp, 0xF8B0, 0x49C0);
++      r8168_mac_ocp_write(tp, 0xF8B2, 0xF103);
++      r8168_mac_ocp_write(tp, 0xF8B4, 0xC607);
++      r8168_mac_ocp_write(tp, 0xF8B6, 0xBE00);
++      r8168_mac_ocp_write(tp, 0xF8B8, 0xC606);
++      r8168_mac_ocp_write(tp, 0xF8BA, 0xBE00);
++      r8168_mac_ocp_write(tp, 0xF8BC, 0xC602);
++      r8168_mac_ocp_write(tp, 0xF8BE, 0xBE00);
++      r8168_mac_ocp_write(tp, 0xF8C0, 0x0C4C);
++      r8168_mac_ocp_write(tp, 0xF8C2, 0x0C28);
++      r8168_mac_ocp_write(tp, 0xF8C4, 0x0C2C);
++      r8168_mac_ocp_write(tp, 0xF8C6, 0xDC00);
++      r8168_mac_ocp_write(tp, 0xF8C8, 0xC707);
++      r8168_mac_ocp_write(tp, 0xF8CA, 0x1D00);
++      r8168_mac_ocp_write(tp, 0xF8CC, 0x8DE2);
++      r8168_mac_ocp_write(tp, 0xF8CE, 0x48C1);
++      r8168_mac_ocp_write(tp, 0xF8D0, 0xC502);
++      r8168_mac_ocp_write(tp, 0xF8D2, 0xBD00);
++      r8168_mac_ocp_write(tp, 0xF8D4, 0x00AA);
++      r8168_mac_ocp_write(tp, 0xF8D6, 0xE0C0);
++      r8168_mac_ocp_write(tp, 0xF8D8, 0xC502);
++      r8168_mac_ocp_write(tp, 0xF8DA, 0xBD00);
++      r8168_mac_ocp_write(tp, 0xF8DC, 0x0132);
++
++      r8168_mac_ocp_write(tp, 0xFC26, 0x8000);
++
++      r8168_mac_ocp_write(tp, 0xFC2A, 0x0743);
++      r8168_mac_ocp_write(tp, 0xFC2C, 0x0801);
++      r8168_mac_ocp_write(tp, 0xFC2E, 0x0BE9);
++      r8168_mac_ocp_write(tp, 0xFC30, 0x02FD);
++      r8168_mac_ocp_write(tp, 0xFC32, 0x0C25);
++      r8168_mac_ocp_write(tp, 0xFC34, 0x00A9);
++      r8168_mac_ocp_write(tp, 0xFC36, 0x012D);
++
+       rtl_hw_aspm_clkreq_enable(tp, true);
+ }
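Review bot: The 137 added `r8168_mac_ocp_write()` calls in rtl_hw_start_8411_2() are an opaque vendor sequence written out statement by statement, which makes it hard to audit against the Realtek original or to spot a single mistyped register or value. A `static const` table of register/value pairs walked by one loop (with a local index) would keep the data in one reviewable place and leave the ordering constraints explicit: clear 0xFC28–0xFC36, delay, clear 0xFC26, load 0xF800–0xF8DC, then set 0xFC26 and the 0xFC2A–0xFC36 values. The comment should also record where the sequence came from, for example the bug report cited in the commit message, so its provenance survives in the source. The function starts outside the hunk.

```c
static const struct {
	u16 reg;
	u16 val;
} rtl8411b_rx_fix[] = {
	{ 0xF800, 0xE008 }, { 0xF802, 0xE00A }, { 0xF804, 0xE00C },
	/* … remaining pairs 0xF806–0xF8DC exactly as in the hunk, same order … */
};

/* … unchanged: clearing 0xFC28–0xFC36, mdelay(3), clearing 0xFC26 … */
for (i = 0; i < ARRAY_SIZE(rtl8411b_rx_fix); i++)
	r8168_mac_ocp_write(tp, rtl8411b_rx_fix[i].reg,
			    rtl8411b_rx_fix[i].val);
/* … unchanged: 0xFC26 = 0x8000 and the 0xFC2A–0xFC36 writes … */
```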
diff --git a/queue-5.1/rxrpc-fix-send-on-a-connected-but-unbound-socket.patch b/queue-5.1/rxrpc-fix-send-on-a-connected-but-unbound-socket.patch
new file mode 100644 (file)
index 0000000..8d2fb0f
--- /dev/null
@@ -0,0 +1,125 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 2 Jul 2019 15:59:12 +0100
+Subject: rxrpc: Fix send on a connected, but unbound socket
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit e835ada07091f40dcfb1bc735082bd0a7c005e59 ]
+
+If sendmsg() or sendmmsg() is called on a connected socket that hasn't had
+bind() called on it, then an oops will occur when the kernel tries to
+connect the call because no local endpoint has been allocated.
+
+Fix this by implicitly binding the socket if it is in the
+RXRPC_CLIENT_UNBOUND state, just like it does for the RXRPC_UNBOUND state.
+
+Further, the state should be transitioned to RXRPC_CLIENT_BOUND after this
+to prevent further attempts to bind it.
+
+This can be tested with:
+
+       #include <stdio.h>
+       #include <stdlib.h>
+       #include <string.h>
+       #include <sys/socket.h>
+       #include <arpa/inet.h>
+       #include <linux/rxrpc.h>
+       static const unsigned char inet6_addr[16] = {
+               0, 0, 0, 0, 0, 0, 0, 0, 0, 0, -1, -1, 0xac, 0x14, 0x14, 0xaa
+       };
+       int main(void)
+       {
+               struct sockaddr_rxrpc srx;
+               struct cmsghdr *cm;
+               struct msghdr msg;
+               unsigned char control[16];
+               int fd;
+               memset(&srx, 0, sizeof(srx));
+               srx.srx_family = 0x21;
+               srx.srx_service = 0;
+               srx.transport_type = AF_INET;
+               srx.transport_len = 0x1c;
+               srx.transport.sin6.sin6_family = AF_INET6;
+               srx.transport.sin6.sin6_port = htons(0x4e22);
+               srx.transport.sin6.sin6_flowinfo = htons(0x4e22);
+               srx.transport.sin6.sin6_scope_id = htons(0xaa3b);
+               memcpy(&srx.transport.sin6.sin6_addr, inet6_addr, 16);
+               cm = (struct cmsghdr *)control;
+               cm->cmsg_len    = CMSG_LEN(sizeof(unsigned long));
+               cm->cmsg_level  = SOL_RXRPC;
+               cm->cmsg_type   = RXRPC_USER_CALL_ID;
+               *(unsigned long *)CMSG_DATA(cm) = 0;
+               msg.msg_name = NULL;
+               msg.msg_namelen = 0;
+               msg.msg_iov = NULL;
+               msg.msg_iovlen = 0;
+               msg.msg_control = control;
+               msg.msg_controllen = cm->cmsg_len;
+               msg.msg_flags = 0;
+               fd = socket(AF_RXRPC, SOCK_DGRAM, AF_INET);
+               connect(fd, (struct sockaddr *)&srx, sizeof(srx));
+               sendmsg(fd, &msg, 0);
+               return 0;
+       }
+
+Leading to the following oops:
+
+       BUG: kernel NULL pointer dereference, address: 0000000000000018
+       #PF: supervisor read access in kernel mode
+       #PF: error_code(0x0000) - not-present page
+       ...
+       RIP: 0010:rxrpc_connect_call+0x42/0xa01
+       ...
+       Call Trace:
+        ? mark_held_locks+0x47/0x59
+        ? __local_bh_enable_ip+0xb6/0xba
+        rxrpc_new_client_call+0x3b1/0x762
+        ? rxrpc_do_sendmsg+0x3c0/0x92e
+        rxrpc_do_sendmsg+0x3c0/0x92e
+        rxrpc_sendmsg+0x16b/0x1b5
+        sock_sendmsg+0x2d/0x39
+        ___sys_sendmsg+0x1a4/0x22a
+        ? release_sock+0x19/0x9e
+        ? reacquire_held_locks+0x136/0x160
+        ? release_sock+0x19/0x9e
+        ? find_held_lock+0x2b/0x6e
+        ? __lock_acquire+0x268/0xf73
+        ? rxrpc_connect+0xdd/0xe4
+        ? __local_bh_enable_ip+0xb6/0xba
+        __sys_sendmsg+0x5e/0x94
+        do_syscall_64+0x7d/0x1bf
+        entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 2341e0775747 ("rxrpc: Simplify connect() implementation and simplify sendmsg() op")
+Reported-by: syzbot+7966f2a0b2c7da8939b4@syzkaller.appspotmail.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/af_rxrpc.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/rxrpc/af_rxrpc.c
++++ b/net/rxrpc/af_rxrpc.c
+@@ -521,6 +521,7 @@ static int rxrpc_sendmsg(struct socket *
+       switch (rx->sk.sk_state) {
+       case RXRPC_UNBOUND:
++      case RXRPC_CLIENT_UNBOUND:
+               rx->srx.srx_family = AF_RXRPC;
+               rx->srx.srx_service = 0;
+               rx->srx.transport_type = SOCK_DGRAM;
+@@ -545,10 +546,9 @@ static int rxrpc_sendmsg(struct socket *
+               }
+               rx->local = local;
+-              rx->sk.sk_state = RXRPC_CLIENT_UNBOUND;
++              rx->sk.sk_state = RXRPC_CLIENT_BOUND;
+               /* Fall through */
+-      case RXRPC_CLIENT_UNBOUND:
+       case RXRPC_CLIENT_BOUND:
+               if (!m->msg_name &&
+                   test_bit(RXRPC_SOCK_CONNECTED, &rx->flags)) {
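Review bot: The new `case RXRPC_CLIENT_UNBOUND:` label in rxrpc_sendmsg() carries no comment explaining why an already-connected socket must go through the implicit bind, and the switch alone does not show it. Per the patch description, connect() without bind() leaves the socket without a local endpoint, and the call set-up then dereferences it. I would add above the two labels `/* No local endpoint yet (never bound, or connect() without bind()): bind implicitly before the call is set up. */`. The switch and the function both continue outside the two hunks.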
diff --git a/queue-5.1/sctp-fix-error-handling-on-stream-scheduler-initialization.patch b/queue-5.1/sctp-fix-error-handling-on-stream-scheduler-initialization.patch
new file mode 100644 (file)
index 0000000..845aa2b
--- /dev/null
@@ -0,0 +1,60 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Thu, 27 Jun 2019 19:48:10 -0300
+Subject: sctp: fix error handling on stream scheduler initialization
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+[ Upstream commit 4d1415811e492d9a8238f8a92dd0d51612c788e9 ]
+
+It allocates the extended area for outbound streams only on sendmsg
+calls, if they are not yet allocated.  When using the priority
+stream scheduler, this initialization may imply into a subsequent
+allocation, which may fail.  In this case, it was aborting the stream
+scheduler initialization but leaving the ->ext pointer (allocated) in
+there, thus in a partially initialized state.  On a subsequent call to
+sendmsg, it would notice the ->ext pointer in there, and trip on
+uninitialized stuff when trying to schedule the data chunk.
+
+The fix is undo the ->ext initialization if the stream scheduler
+initialization fails and avoid the partially initialized state.
+
+Although syzkaller bisected this to commit 4ff40b86262b ("sctp: set
+chunk transport correctly when it's a new asoc"), this bug was actually
+introduced on the commit I marked below.
+
+Reported-by: syzbot+c1a380d42b190ad1e559@syzkaller.appspotmail.com
+Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
+Tested-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Neil Horman <nhorman@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/stream.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/stream.c
++++ b/net/sctp/stream.c
+@@ -168,13 +168,20 @@ out:
+ int sctp_stream_init_ext(struct sctp_stream *stream, __u16 sid)
+ {
+       struct sctp_stream_out_ext *soute;
++      int ret;
+       soute = kzalloc(sizeof(*soute), GFP_KERNEL);
+       if (!soute)
+               return -ENOMEM;
+       SCTP_SO(stream, sid)->ext = soute;
+-      return sctp_sched_init_sid(stream, sid, GFP_KERNEL);
++      ret = sctp_sched_init_sid(stream, sid, GFP_KERNEL);
++      if (ret) {
++              kfree(SCTP_SO(stream, sid)->ext);
++              SCTP_SO(stream, sid)->ext = NULL;
++      }
++
++      return ret;
+ }
+ void sctp_stream_free(struct sctp_stream *stream)
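Review bot: The new error path in sctp_stream_init_ext() re-evaluates `SCTP_SO(stream, sid)->ext` to free the buffer although the local `soute` still holds the same pointer. `kfree(soute);` followed by the existing `SCTP_SO(stream, sid)->ext = NULL;` is shorter and does not rely on sctp_sched_init_sid() having left ->ext untouched on failure. The pointer is also stored in the stream before the scheduler state is initialised; whether another context can see it in that window depends on locking that is not visible in this hunk, so a one-line comment naming the lock the caller holds would help.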
diff --git a/queue-5.1/sctp-not-bind-the-socket-in-sctp_connect.patch b/queue-5.1/sctp-not-bind-the-socket-in-sctp_connect.patch
new file mode 100644 (file)
index 0000000..70aea85
--- /dev/null
@@ -0,0 +1,72 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 26 Jun 2019 16:31:39 +0800
+Subject: sctp: not bind the socket in sctp_connect
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 9b6c08878e23adb7cc84bdca94d8a944b03f099e ]
+
+Now when sctp_connect() is called with a wrong sa_family, it binds
+to a port but doesn't set bp->port, then sctp_get_af_specific will
+return NULL and sctp_connect() returns -EINVAL.
+
+Then if sctp_bind() is called to bind to another port, the last
+port it has bound will leak due to bp->port is NULL by then.
+
+sctp_connect() doesn't need to bind ports, as later __sctp_connect
+will do it if bp->port is NULL. So remove it from sctp_connect().
+While at it, remove the unnecessary sockaddr.sa_family len check
+as it's already done in sctp_inet_connect.
+
+Fixes: 644fbdeacf1d ("sctp: fix the issue that flags are ignored when using kernel_connect")
+Reported-by: syzbot+079bf326b38072f849d9@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c |   24 +++---------------------
+ 1 file changed, 3 insertions(+), 21 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4828,35 +4828,17 @@ out_nounlock:
+ static int sctp_connect(struct sock *sk, struct sockaddr *addr,
+                       int addr_len, int flags)
+ {
+-      struct inet_sock *inet = inet_sk(sk);
+       struct sctp_af *af;
+-      int err = 0;
++      int err = -EINVAL;
+       lock_sock(sk);
+-
+       pr_debug("%s: sk:%p, sockaddr:%p, addr_len:%d\n", __func__, sk,
+                addr, addr_len);
+-      /* We may need to bind the socket. */
+-      if (!inet->inet_num) {
+-              if (sk->sk_prot->get_port(sk, 0)) {
+-                      release_sock(sk);
+-                      return -EAGAIN;
+-              }
+-              inet->inet_sport = htons(inet->inet_num);
+-      }
+-
+       /* Validate addr_len before calling common connect/connectx routine. */
+-      af = addr_len < offsetofend(struct sockaddr, sa_family) ? NULL :
+-              sctp_get_af_specific(addr->sa_family);
+-      if (!af || addr_len < af->sockaddr_len) {
+-              err = -EINVAL;
+-      } else {
+-              /* Pass correct addr len to common routine (so it knows there
+-               * is only one address being passed.
+-               */
++      af = sctp_get_af_specific(addr->sa_family);
++      if (af && addr_len >= af->sockaddr_len)
+               err = __sctp_connect(sk, addr, af->sockaddr_len, flags, NULL);
+-      }
+       release_sock(sk);
+       return err;
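Review bot: sctp_connect() now reads `addr->sa_family` without any local check that addr_len covers that field; the check was dropped because sctp_inet_connect() is said to perform it already. The function's memory safety therefore rests on its callers, yet the retained comment still reads as if the length were validated here. I would reword it to `/* addr_len >= offsetofend(struct sockaddr, sa_family) is guaranteed by sctp_inet_connect(); only the per-family length is checked here. */`. Whether sctp_connect() can be reached by another path cannot be told from this hunk, which also ends before the function's closing brace.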
diff --git a/queue-5.1/selftests-txring_overwrite-fix-incorrect-test-of-mmap-return-value.patch b/queue-5.1/selftests-txring_overwrite-fix-incorrect-test-of-mmap-return-value.patch
new file mode 100644 (file)
index 0000000..7b980d4
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Frank de Brabander <debrabander@gmail.com>
+Date: Fri, 5 Jul 2019 13:43:14 +0200
+Subject: selftests: txring_overwrite: fix incorrect test of mmap() return value
+
+From: Frank de Brabander <debrabander@gmail.com>
+
+[ Upstream commit cecaa76b2919aac2aa584ce476e9fcd5b084add5 ]
+
+If mmap() fails it returns MAP_FAILED, which is defined as ((void *) -1).
+The current if-statement incorrectly tests if *ring is NULL.
+
+Fixes: 358be656406d ("selftests/net: add txring_overwrite")
+Signed-off-by: Frank de Brabander <debrabander@gmail.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/txring_overwrite.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/txring_overwrite.c
++++ b/tools/testing/selftests/net/txring_overwrite.c
+@@ -113,7 +113,7 @@ static int setup_tx(char **ring)
+       *ring = mmap(0, req.tp_block_size * req.tp_block_nr,
+                    PROT_READ | PROT_WRITE, MAP_SHARED, fdt, 0);
+-      if (!*ring)
++      if (*ring == MAP_FAILED)
+               error(1, errno, "mmap");
+       return fdt;
diff --git a/queue-5.1/series b/queue-5.1/series
new file mode 100644 (file)
index 0000000..3778b0a
--- /dev/null
@@ -0,0 +1,42 @@
+bnx2x-prevent-load-reordering-in-tx-completion-processing.patch
+caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch
+hv_netvsc-fix-extra-rcu_read_unlock-in-netvsc_recv_callback.patch
+igmp-fix-memory-leak-in-igmpv3_del_delrec.patch
+ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch
+ipv6-rt6_check-should-return-null-if-from-is-null.patch
+ipv6-unlink-sibling-route-in-case-of-failure.patch
+net-bcmgenet-use-promisc-for-unsupported-filters.patch
+net-dsa-mv88e6xxx-wait-after-reset-deactivation.patch
+net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch
+net-neigh-fix-multiple-neigh-timer-scheduling.patch
+net-openvswitch-fix-csum-updates-for-mpls-actions.patch
+net-phy-sfp-hwmon-fix-scaling-of-rx-power.patch
+net_sched-unset-tcq_f_can_bypass-when-adding-filters.patch
+net-stmmac-re-work-the-queue-selection-for-tso-packets.patch
+net-tls-make-sure-offload-also-gets-the-keys-wiped.patch
+nfc-fix-potential-illegal-memory-access.patch
+r8169-fix-issue-with-confused-rx-unit-after-phy-power-down-on-rtl8411b.patch
+rxrpc-fix-send-on-a-connected-but-unbound-socket.patch
+sctp-fix-error-handling-on-stream-scheduler-initialization.patch
+sctp-not-bind-the-socket-in-sctp_connect.patch
+sky2-disable-msi-on-asus-p6t.patch
+tcp-be-more-careful-in-tcp_fragment.patch
+tcp-fix-tcp_set_congestion_control-use-from-bpf-hook.patch
+tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch
+vrf-make-sure-skb-data-contains-ip-header-to-make-routing.patch
+net-mlx5e-ipoib-add-error-path-in-mlx5_rdma_setup_rn.patch
+net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch
+net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch
+net-bridge-don-t-cache-ether-dest-pointer-on-input.patch
+net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch
+macsec-fix-use-after-free-of-skb-during-rx.patch
+macsec-fix-checksumming-after-decryption.patch
+netrom-fix-a-memory-leak-in-nr_rx_frame.patch
+netrom-hold-sock-when-setting-skb-destructor.patch
+selftests-txring_overwrite-fix-incorrect-test-of-mmap-return-value.patch
+net-tls-fix-poll-ignoring-partially-copied-records.patch
+net-tls-reject-offload-of-tls-1.3.patch
+net-mlx5e-fix-port-tunnel-gre-entropy-control.patch
+net-mlx5e-rx-fix-checksum-calculation-for-new-hardware.patch
+net-mlx5e-fix-return-value-from-timeout-recover-function.patch
+net-mlx5e-fix-error-flow-in-tx-reporter-diagnose.patch
diff --git a/queue-5.1/sky2-disable-msi-on-asus-p6t.patch b/queue-5.1/sky2-disable-msi-on-asus-p6t.patch
new file mode 100644 (file)
index 0000000..ad3a949
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 23 Jul 2019 17:15:25 +0200
+Subject: sky2: Disable MSI on ASUS P6T
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit a261e3797506bd561700be643fe1a85bf81e9661 ]
+
+The onboard sky2 NIC on ASUS P6T WS PRO doesn't work after PM resume
+due to the infamous IRQ problem.  Disabling MSI works around it, so
+let's add it to the blacklist.
+
+Unfortunately the BIOS on the machine doesn't fill the standard
+DMI_SYS_* entry, so we pick up DMI_BOARD_* entries instead.
+
+BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1142496
+Reported-and-tested-by: Marcus Seyfarth <m.seyfarth@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/sky2.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -4933,6 +4933,13 @@ static const struct dmi_system_id msi_bl
+                       DMI_MATCH(DMI_PRODUCT_NAME, "P-79"),
+               },
+       },
++      {
++              .ident = "ASUS P6T",
++              .matches = {
++                      DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer INC."),
++                      DMI_MATCH(DMI_BOARD_NAME, "P6T"),
++              },
++      },
+       {}
+ };
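Review bot: `DMI_MATCH(DMI_BOARD_NAME, "P6T")` is a substring match, so the new entry disables MSI on every ASUSTeK board whose name contains "P6T", while the description reports the fault only on the P6T WS PRO. If the wider match is intended, say so in the entry, e.g. `/* substring match: covers all P6T variants on purpose */`. If it is not, `DMI_EXACT_MATCH(DMI_BOARD_NAME, "<board name as reported by DMI>")` narrows the quirk to the affected board. The table itself starts outside the hunk.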
diff --git a/queue-5.1/tcp-be-more-careful-in-tcp_fragment.patch b/queue-5.1/tcp-be-more-careful-in-tcp_fragment.patch
new file mode 100644 (file)
index 0000000..2aa5c20
--- /dev/null
@@ -0,0 +1,94 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 19 Jul 2019 11:52:33 -0700
+Subject: tcp: be more careful in tcp_fragment()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b617158dc096709d8600c53b6052144d12b89fab ]
+
+Some applications set tiny SO_SNDBUF values and expect
+TCP to just work. Recent patches to address CVE-2019-11478
+broke them in case of losses, since retransmits might
+be prevented.
+
+We should allow these flows to make progress.
+
+This patch allows the first and last skb in retransmit queue
+to be split even if memory limits are hit.
+
+It also adds the some room due to the fact that tcp_sendmsg()
+and tcp_sendpage() might overshoot sk_wmem_queued by about one full
+TSO skb (64KB size). Note this allowance was already present
+in stable backports for kernels < 4.15
+
+Note for < 4.15 backports :
+ tcp_rtx_queue_tail() will probably look like :
+
+static inline struct sk_buff *tcp_rtx_queue_tail(const struct sock *sk)
+{
+       struct sk_buff *skb = tcp_send_head(sk);
+
+       return skb ? tcp_write_queue_prev(sk, skb) : tcp_write_queue_tail(sk);
+}
+
+Fixes: f070ef2ac667 ("tcp: tcp_fragment() should apply sane memory limits")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Andrew Prout <aprout@ll.mit.edu>
+Tested-by: Andrew Prout <aprout@ll.mit.edu>
+Tested-by: Jonathan Lemon <jonathan.lemon@gmail.com>
+Tested-by: Michal Kubecek <mkubecek@suse.cz>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Acked-by: Christoph Paasch <cpaasch@apple.com>
+Cc: Jonathan Looney <jtl@netflix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tcp.h     |    5 +++++
+ net/ipv4/tcp_output.c |   13 +++++++++++--
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1679,6 +1679,11 @@ static inline struct sk_buff *tcp_rtx_qu
+       return skb_rb_first(&sk->tcp_rtx_queue);
+ }
++static inline struct sk_buff *tcp_rtx_queue_tail(const struct sock *sk)
++{
++      return skb_rb_last(&sk->tcp_rtx_queue);
++}
++
+ static inline struct sk_buff *tcp_write_queue_head(const struct sock *sk)
+ {
+       return skb_peek(&sk->sk_write_queue);
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1289,6 +1289,7 @@ int tcp_fragment(struct sock *sk, enum t
+       struct tcp_sock *tp = tcp_sk(sk);
+       struct sk_buff *buff;
+       int nsize, old_factor;
++      long limit;
+       int nlen;
+       u8 flags;
+@@ -1299,8 +1300,16 @@ int tcp_fragment(struct sock *sk, enum t
+       if (nsize < 0)
+               nsize = 0;
+-      if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf &&
+-                   tcp_queue != TCP_FRAG_IN_WRITE_QUEUE)) {
++      /* tcp_sendmsg() can overshoot sk_wmem_queued by one full size skb.
++       * We need some allowance to not penalize applications setting small
++       * SO_SNDBUF values.
++       * Also allow first and last skb in retransmit queue to be split.
++       */
++      limit = sk->sk_sndbuf + 2 * SKB_TRUESIZE(GSO_MAX_SIZE);
++      if (unlikely((sk->sk_wmem_queued >> 1) > limit &&
++                   tcp_queue != TCP_FRAG_IN_WRITE_QUEUE &&
++                   skb != tcp_rtx_queue_head(sk) &&
++                   skb != tcp_rtx_queue_tail(sk))) {
+               NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
+               return -ENOMEM;
+       }
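Review bot: The comment above `limit` in tcp_fragment() justifies the allowance as one full-size skb of overshoot, but the code adds `2 * SKB_TRUESIZE(GSO_MAX_SIZE)` and compares against `sk_wmem_queued >> 1`, so the effective headroom is roughly four such skbs and the factor is left unexplained. Per the description this check is the memory bound added for CVE-2019-11478, so the comment should state the bound exactly and give the reason for the head/tail exemption. Something like `/* rejects only when wmem_queued > 2 * sndbuf + 4 full TSO skbs; head and tail of the rtx queue are exempt so retransmits can always progress */` would do. tcp_fragment() starts and ends outside the hunk.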
diff --git a/queue-5.1/tcp-fix-tcp_set_congestion_control-use-from-bpf-hook.patch b/queue-5.1/tcp-fix-tcp_set_congestion_control-use-from-bpf-hook.patch
new file mode 100644 (file)
index 0000000..a38b37d
--- /dev/null
@@ -0,0 +1,102 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 18 Jul 2019 19:28:14 -0700
+Subject: tcp: fix tcp_set_congestion_control() use from bpf hook
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8d650cdedaabb33e85e9b7c517c0c71fcecc1de9 ]
+
+Neal reported incorrect use of ns_capable() from bpf hook.
+
+bpf_setsockopt(...TCP_CONGESTION...)
+  -> tcp_set_congestion_control()
+   -> ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)
+    -> ns_capable_common()
+     -> current_cred()
+      -> rcu_dereference_protected(current->cred, 1)
+
+Accessing 'current' in bpf context makes no sense, since packets
+are processed from softirq context.
+
+As Neal stated : The capability check in tcp_set_congestion_control()
+was written assuming a system call context, and then was reused from
+a BPF call site.
+
+The fix is to add a new parameter to tcp_set_congestion_control(),
+so that the ns_capable() call is only performed under the right
+context.
+
+Fixes: 91b5b21c7c16 ("bpf: Add support for changing congestion control")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Lawrence Brakmo <brakmo@fb.com>
+Reported-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Lawrence Brakmo <brakmo@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tcp.h   |    3 ++-
+ net/core/filter.c   |    2 +-
+ net/ipv4/tcp.c      |    4 +++-
+ net/ipv4/tcp_cong.c |    6 +++---
+ 4 files changed, 9 insertions(+), 6 deletions(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -1067,7 +1067,8 @@ void tcp_get_default_congestion_control(
+ void tcp_get_available_congestion_control(char *buf, size_t len);
+ void tcp_get_allowed_congestion_control(char *buf, size_t len);
+ int tcp_set_allowed_congestion_control(char *allowed);
+-int tcp_set_congestion_control(struct sock *sk, const char *name, bool load, bool reinit);
++int tcp_set_congestion_control(struct sock *sk, const char *name, bool load,
++                             bool reinit, bool cap_net_admin);
+ u32 tcp_slow_start(struct tcp_sock *tp, u32 acked);
+ void tcp_cong_avoid_ai(struct tcp_sock *tp, u32 w, u32 acked);
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -4211,7 +4211,7 @@ BPF_CALL_5(bpf_setsockopt, struct bpf_so
+                                                   TCP_CA_NAME_MAX-1));
+                       name[TCP_CA_NAME_MAX-1] = 0;
+                       ret = tcp_set_congestion_control(sk, name, false,
+-                                                       reinit);
++                                                       reinit, true);
+               } else {
+                       struct tcp_sock *tp = tcp_sk(sk);
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2784,7 +2784,9 @@ static int do_tcp_setsockopt(struct sock
+               name[val] = 0;
+               lock_sock(sk);
+-              err = tcp_set_congestion_control(sk, name, true, true);
++              err = tcp_set_congestion_control(sk, name, true, true,
++                                               ns_capable(sock_net(sk)->user_ns,
++                                                          CAP_NET_ADMIN));
+               release_sock(sk);
+               return err;
+       }
+--- a/net/ipv4/tcp_cong.c
++++ b/net/ipv4/tcp_cong.c
+@@ -332,7 +332,8 @@ out:
+  * tcp_reinit_congestion_control (if the current congestion control was
+  * already initialized.
+  */
+-int tcp_set_congestion_control(struct sock *sk, const char *name, bool load, bool reinit)
++int tcp_set_congestion_control(struct sock *sk, const char *name, bool load,
++                             bool reinit, bool cap_net_admin)
+ {
+       struct inet_connection_sock *icsk = inet_csk(sk);
+       const struct tcp_congestion_ops *ca;
+@@ -368,8 +369,7 @@ int tcp_set_congestion_control(struct so
+               } else {
+                       err = -EBUSY;
+               }
+-      } else if (!((ca->flags & TCP_CONG_NON_RESTRICTED) ||
+-                   ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))) {
++      } else if (!((ca->flags & TCP_CONG_NON_RESTRICTED) || cap_net_admin)) {
+               err = -EPERM;
+       } else if (!try_module_get(ca->owner)) {
+               err = -EBUSY;
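Review bot: In do_tcp_setsockopt() the `ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)` call is now evaluated for every TCP_CONGESTION request, whereas the old `||` in tcp_set_congestion_control() skipped it when the algorithm was TCP_CONG_NON_RESTRICTED. A capability check is not free of side effects (it goes through the LSM hook and can produce audit denial records), so unprivileged callers choosing an allowed algorithm may now generate log noise. Separately, the bpf_setsockopt call site passes a bare `true`, which waives the restricted-algorithm test for BPF callers without saying so. I would add there `/* softirq context: no 'current' to check, so the CAP_NET_ADMIN test is waived for BPF callers */` and document `cap_net_admin` in the comment block above tcp_set_congestion_control(). All four functions touched here continue outside their hunks.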
diff --git a/queue-5.1/tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch b/queue-5.1/tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch
new file mode 100644 (file)
index 0000000..8505cba
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Christoph Paasch <cpaasch@apple.com>
+Date: Sat, 6 Jul 2019 16:13:07 -0700
+Subject: tcp: Reset bytes_acked and bytes_received when disconnecting
+
+From: Christoph Paasch <cpaasch@apple.com>
+
+[ Upstream commit e858faf556d4e14c750ba1e8852783c6f9520a0e ]
+
+If an app is playing tricks to reuse a socket via tcp_disconnect(),
+bytes_acked/received needs to be reset to 0. Otherwise tcp_info will
+report the sum of the current and the old connection..
+
+Cc: Eric Dumazet <edumazet@google.com>
+Fixes: 0df48c26d841 ("tcp: add tcpi_bytes_acked to tcp_info")
+Fixes: bdd1f9edacb5 ("tcp: add tcpi_bytes_received to tcp_info")
+Signed-off-by: Christoph Paasch <cpaasch@apple.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2630,6 +2630,8 @@ int tcp_disconnect(struct sock *sk, int
+       tcp_saved_syn_free(tp);
+       tp->compressed_ack = 0;
+       tp->bytes_sent = 0;
++      tp->bytes_acked = 0;
++      tp->bytes_received = 0;
+       tp->bytes_retrans = 0;
+       tp->duplicate_sack[0].start_seq = 0;
+       tp->duplicate_sack[0].end_seq = 0;
diff --git a/queue-5.1/vrf-make-sure-skb-data-contains-ip-header-to-make-routing.patch b/queue-5.1/vrf-make-sure-skb-data-contains-ip-header-to-make-routing.patch
new file mode 100644 (file)
index 0000000..2025b39
--- /dev/null
@@ -0,0 +1,113 @@
+From foo@baz Fri 26 Jul 2019 10:52:07 AM CEST
+From: Peter Kosyh <p.kosyh@gmail.com>
+Date: Fri, 19 Jul 2019 11:11:47 +0300
+Subject: vrf: make sure skb->data contains ip header to make routing
+
+From: Peter Kosyh <p.kosyh@gmail.com>
+
+[ Upstream commit 107e47cc80ec37cb332bd41b22b1c7779e22e018 ]
+
+vrf_process_v4_outbound() and vrf_process_v6_outbound() do routing
+using ip/ipv6 addresses, but don't make sure the header is available
+in skb->data[] (skb_headlen() is less then header size).
+
+Case:
+
+1) igb driver from intel.
+2) Packet size is greater then 255.
+3) MPLS forwards to VRF device.
+
+So, patch adds pskb_may_pull() calls in vrf_process_v4/v6_outbound()
+functions.
+
+Signed-off-by: Peter Kosyh <p.kosyh@gmail.com>
+Reviewed-by: David Ahern <dsa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vrf.c |   58 ++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 35 insertions(+), 23 deletions(-)
+
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -169,23 +169,29 @@ static int vrf_ip6_local_out(struct net
+ static netdev_tx_t vrf_process_v6_outbound(struct sk_buff *skb,
+                                          struct net_device *dev)
+ {
+-      const struct ipv6hdr *iph = ipv6_hdr(skb);
++      const struct ipv6hdr *iph;
+       struct net *net = dev_net(skb->dev);
+-      struct flowi6 fl6 = {
+-              /* needed to match OIF rule */
+-              .flowi6_oif = dev->ifindex,
+-              .flowi6_iif = LOOPBACK_IFINDEX,
+-              .daddr = iph->daddr,
+-              .saddr = iph->saddr,
+-              .flowlabel = ip6_flowinfo(iph),
+-              .flowi6_mark = skb->mark,
+-              .flowi6_proto = iph->nexthdr,
+-              .flowi6_flags = FLOWI_FLAG_SKIP_NH_OIF,
+-      };
++      struct flowi6 fl6;
+       int ret = NET_XMIT_DROP;
+       struct dst_entry *dst;
+       struct dst_entry *dst_null = &net->ipv6.ip6_null_entry->dst;
++      if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct ipv6hdr)))
++              goto err;
++
++      iph = ipv6_hdr(skb);
++
++      memset(&fl6, 0, sizeof(fl6));
++      /* needed to match OIF rule */
++      fl6.flowi6_oif = dev->ifindex;
++      fl6.flowi6_iif = LOOPBACK_IFINDEX;
++      fl6.daddr = iph->daddr;
++      fl6.saddr = iph->saddr;
++      fl6.flowlabel = ip6_flowinfo(iph);
++      fl6.flowi6_mark = skb->mark;
++      fl6.flowi6_proto = iph->nexthdr;
++      fl6.flowi6_flags = FLOWI_FLAG_SKIP_NH_OIF;
++
+       dst = ip6_route_output(net, NULL, &fl6);
+       if (dst == dst_null)
+               goto err;
+@@ -241,21 +247,27 @@ static int vrf_ip_local_out(struct net *
+ static netdev_tx_t vrf_process_v4_outbound(struct sk_buff *skb,
+                                          struct net_device *vrf_dev)
+ {
+-      struct iphdr *ip4h = ip_hdr(skb);
++      struct iphdr *ip4h;
+       int ret = NET_XMIT_DROP;
+-      struct flowi4 fl4 = {
+-              /* needed to match OIF rule */
+-              .flowi4_oif = vrf_dev->ifindex,
+-              .flowi4_iif = LOOPBACK_IFINDEX,
+-              .flowi4_tos = RT_TOS(ip4h->tos),
+-              .flowi4_flags = FLOWI_FLAG_ANYSRC | FLOWI_FLAG_SKIP_NH_OIF,
+-              .flowi4_proto = ip4h->protocol,
+-              .daddr = ip4h->daddr,
+-              .saddr = ip4h->saddr,
+-      };
++      struct flowi4 fl4;
+       struct net *net = dev_net(vrf_dev);
+       struct rtable *rt;
++      if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct iphdr)))
++              goto err;
++
++      ip4h = ip_hdr(skb);
++
++      memset(&fl4, 0, sizeof(fl4));
++      /* needed to match OIF rule */
++      fl4.flowi4_oif = vrf_dev->ifindex;
++      fl4.flowi4_iif = LOOPBACK_IFINDEX;
++      fl4.flowi4_tos = RT_TOS(ip4h->tos);
++      fl4.flowi4_flags = FLOWI_FLAG_ANYSRC | FLOWI_FLAG_SKIP_NH_OIF;
++      fl4.flowi4_proto = ip4h->protocol;
++      fl4.daddr = ip4h->daddr;
++      fl4.saddr = ip4h->saddr;
++
+       rt = ip_route_output_flow(net, &fl4, NULL);
+       if (IS_ERR(rt))
+               goto err;