--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sun, 19 Aug 2018 12:22:13 -0700
+Subject: act_ife: fix a potential deadlock
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 5ffe57da29b3802baeddaa40909682bbb4cb4d48 ]
+
+use_all_metadata() acquires read_lock(&ife_mod_lock), then calls
+add_metainfo() which calls find_ife_oplist() which acquires the same
+lock again. Deadlock!
+
+Introduce __add_metainfo() which accepts struct tcf_meta_ops *ops
+as an additional parameter and let its callers to decide how
+to find it. For use_all_metadata(), it already has ops, no
+need to find it again, just call __add_metainfo() directly.
+
+And, as ife_mod_lock is only needed for find_ife_oplist(),
+this means we can make non-atomic allocation for populate_metalist()
+now.
+
+Fixes: 817e9f2c5c26 ("act_ife: acquire ife_mod_lock before reading ifeoplist")
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ife.c | 34 +++++++++++++++++++++-------------
+ 1 file changed, 21 insertions(+), 13 deletions(-)
+
+--- a/net/sched/act_ife.c
++++ b/net/sched/act_ife.c
+@@ -294,22 +294,16 @@ static int load_metaops_and_vet(u32 meta
+
+ /* called when adding new meta information
+ */
+-static int add_metainfo(struct tcf_ife_info *ife, u32 metaid, void *metaval,
+- int len, bool atomic, bool exists)
++static int __add_metainfo(const struct tcf_meta_ops *ops,
++ struct tcf_ife_info *ife, u32 metaid, void *metaval,
++ int len, bool atomic, bool exists)
+ {
+ struct tcf_meta_info *mi = NULL;
+- struct tcf_meta_ops *ops = find_ife_oplist(metaid);
+ int ret = 0;
+
+- if (!ops)
+- return -ENOENT;
+-
+ mi = kzalloc(sizeof(*mi), atomic ? GFP_ATOMIC : GFP_KERNEL);
+- if (!mi) {
+- /*put back what find_ife_oplist took */
+- module_put(ops->owner);
++ if (!mi)
+ return -ENOMEM;
+- }
+
+ mi->metaid = metaid;
+ mi->ops = ops;
+@@ -317,7 +311,6 @@ static int add_metainfo(struct tcf_ife_i
+ ret = ops->alloc(mi, metaval, atomic ? GFP_ATOMIC : GFP_KERNEL);
+ if (ret != 0) {
+ kfree(mi);
+- module_put(ops->owner);
+ return ret;
+ }
+ }
+@@ -331,6 +324,21 @@ static int add_metainfo(struct tcf_ife_i
+ return ret;
+ }
+
++static int add_metainfo(struct tcf_ife_info *ife, u32 metaid, void *metaval,
++ int len, bool exists)
++{
++ const struct tcf_meta_ops *ops = find_ife_oplist(metaid);
++ int ret;
++
++ if (!ops)
++ return -ENOENT;
++ ret = __add_metainfo(ops, ife, metaid, metaval, len, false, exists);
++ if (ret)
++ /*put back what find_ife_oplist took */
++ module_put(ops->owner);
++ return ret;
++}
++
+ static int use_all_metadata(struct tcf_ife_info *ife, bool exists)
+ {
+ struct tcf_meta_ops *o;
+@@ -339,7 +347,7 @@ static int use_all_metadata(struct tcf_i
+
+ read_lock(&ife_mod_lock);
+ list_for_each_entry(o, &ifeoplist, list) {
+- rc = add_metainfo(ife, o->metaid, NULL, 0, true, exists);
++ rc = __add_metainfo(o, ife, o->metaid, NULL, 0, true, exists);
+ if (rc == 0)
+ installed += 1;
+ }
+@@ -433,7 +441,7 @@ static int populate_metalist(struct tcf_
+ if (rc != 0)
+ return rc;
+
+- rc = add_metainfo(ife, i, val, len, false, exists);
++ rc = add_metainfo(ife, i, val, len, exists);
+ if (rc)
+ return rc;
+ }
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 3 Sep 2018 11:08:15 -0700
+Subject: act_ife: fix a potential use-after-free
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 6d784f1625ea68783cc1fb17de8f6cd3e1660c3f ]
+
+Immediately after module_put(), user could delete this
+module, so e->ops could be already freed before we call
+e->ops->release().
+
+Fix this by moving module_put() after ops->release().
+
+Fixes: ef6980b6becb ("introduce IFE action")
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ife.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_ife.c
++++ b/net/sched/act_ife.c
+@@ -393,7 +393,6 @@ static void _tcf_ife_cleanup(struct tc_a
+ struct tcf_meta_info *e, *n;
+
+ list_for_each_entry_safe(e, n, &ife->metalist, metalist) {
+- module_put(e->ops->owner);
+ list_del(&e->metalist);
+ if (e->metaval) {
+ if (e->ops->release)
+@@ -401,6 +400,7 @@ static void _tcf_ife_cleanup(struct tc_a
+ else
+ kfree(e->metaval);
+ }
++ module_put(e->ops->owner);
+ kfree(e);
+ }
+ }
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Sun, 19 Aug 2018 12:22:12 -0700
+Subject: act_ife: move tcfa_lock down to where necessary
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 4e407ff5cd67ec76eeeea1deec227b7982dc7f66 ]
+
+The only time we need to take tcfa_lock is when adding
+a new metainfo to an existing ife->metalist. We don't need
+to take tcfa_lock so early and so broadly in tcf_ife_init().
+
+This means we can always take ife_mod_lock first, avoid the
+reverse locking ordering warning as reported by Vlad.
+
+Reported-by: Vlad Buslov <vladbu@mellanox.com>
+Tested-by: Vlad Buslov <vladbu@mellanox.com>
+Cc: Vlad Buslov <vladbu@mellanox.com>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ife.c | 36 +++++++++++++-----------------------
+ 1 file changed, 13 insertions(+), 23 deletions(-)
+
+--- a/net/sched/act_ife.c
++++ b/net/sched/act_ife.c
+@@ -265,10 +265,8 @@ static const char *ife_meta_id2name(u32
+ #endif
+
+ /* called when adding new meta information
+- * under ife->tcf_lock for existing action
+ */
+-static int load_metaops_and_vet(struct tcf_ife_info *ife, u32 metaid,
+- void *val, int len, bool exists)
++static int load_metaops_and_vet(u32 metaid, void *val, int len)
+ {
+ struct tcf_meta_ops *ops = find_ife_oplist(metaid);
+ int ret = 0;
+@@ -276,13 +274,9 @@ static int load_metaops_and_vet(struct t
+ if (!ops) {
+ ret = -ENOENT;
+ #ifdef CONFIG_MODULES
+- if (exists)
+- spin_unlock_bh(&ife->tcf_lock);
+ rtnl_unlock();
+ request_module("ife-meta-%s", ife_meta_id2name(metaid));
+ rtnl_lock();
+- if (exists)
+- spin_lock_bh(&ife->tcf_lock);
+ ops = find_ife_oplist(metaid);
+ #endif
+ }
+@@ -299,10 +293,9 @@ static int load_metaops_and_vet(struct t
+ }
+
+ /* called when adding new meta information
+- * under ife->tcf_lock for existing action
+ */
+ static int add_metainfo(struct tcf_ife_info *ife, u32 metaid, void *metaval,
+- int len, bool atomic)
++ int len, bool atomic, bool exists)
+ {
+ struct tcf_meta_info *mi = NULL;
+ struct tcf_meta_ops *ops = find_ife_oplist(metaid);
+@@ -329,12 +322,16 @@ static int add_metainfo(struct tcf_ife_i
+ }
+ }
+
++ if (exists)
++ spin_lock_bh(&ife->tcf_lock);
+ list_add_tail(&mi->metalist, &ife->metalist);
++ if (exists)
++ spin_unlock_bh(&ife->tcf_lock);
+
+ return ret;
+ }
+
+-static int use_all_metadata(struct tcf_ife_info *ife)
++static int use_all_metadata(struct tcf_ife_info *ife, bool exists)
+ {
+ struct tcf_meta_ops *o;
+ int rc = 0;
+@@ -342,7 +339,7 @@ static int use_all_metadata(struct tcf_i
+
+ read_lock(&ife_mod_lock);
+ list_for_each_entry(o, &ifeoplist, list) {
+- rc = add_metainfo(ife, o->metaid, NULL, 0, true);
++ rc = add_metainfo(ife, o->metaid, NULL, 0, true, exists);
+ if (rc == 0)
+ installed += 1;
+ }
+@@ -419,7 +416,6 @@ static void tcf_ife_cleanup(struct tc_ac
+ kfree_rcu(p, rcu);
+ }
+
+-/* under ife->tcf_lock for existing action */
+ static int populate_metalist(struct tcf_ife_info *ife, struct nlattr **tb,
+ bool exists)
+ {
+@@ -433,11 +429,11 @@ static int populate_metalist(struct tcf_
+ val = nla_data(tb[i]);
+ len = nla_len(tb[i]);
+
+- rc = load_metaops_and_vet(ife, i, val, len, exists);
++ rc = load_metaops_and_vet(i, val, len);
+ if (rc != 0)
+ return rc;
+
+- rc = add_metainfo(ife, i, val, len, exists);
++ rc = add_metainfo(ife, i, val, len, false, exists);
+ if (rc)
+ return rc;
+ }
+@@ -531,8 +527,6 @@ static int tcf_ife_init(struct net *net,
+ p->eth_type = ife_type;
+ }
+
+- if (exists)
+- spin_lock_bh(&ife->tcf_lock);
+
+ if (ret == ACT_P_CREATED)
+ INIT_LIST_HEAD(&ife->metalist);
+@@ -544,9 +538,6 @@ static int tcf_ife_init(struct net *net,
+ metadata_parse_err:
+ if (ret == ACT_P_CREATED)
+ tcf_idr_release(*a, bind);
+-
+- if (exists)
+- spin_unlock_bh(&ife->tcf_lock);
+ kfree(p);
+ return err;
+ }
+@@ -561,18 +552,17 @@ metadata_parse_err:
+ * as we can. You better have at least one else we are
+ * going to bail out
+ */
+- err = use_all_metadata(ife);
++ err = use_all_metadata(ife, exists);
+ if (err) {
+ if (ret == ACT_P_CREATED)
+ tcf_idr_release(*a, bind);
+-
+- if (exists)
+- spin_unlock_bh(&ife->tcf_lock);
+ kfree(p);
+ return err;
+ }
+ }
+
++ if (exists)
++ spin_lock_bh(&ife->tcf_lock);
+ ife->tcf_action = parm->action;
+ if (exists)
+ spin_unlock_bh(&ife->tcf_lock);
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Mon, 3 Sep 2018 04:23:18 -0400
+Subject: bnxt_en: Clean up unused functions.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit ad95c27bdb930105f3eea02621bda157caf2862d ]
+
+Remove unused bnxt_subtract_ulp_resources(). Change
+bnxt_get_max_func_irqs() to static since it is only locally used.
+
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
+ drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 -
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 15 ---------------
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.h | 1 -
+ 4 files changed, 1 insertion(+), 18 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -5912,7 +5912,7 @@ void bnxt_set_max_func_cp_rings(struct b
+ bp->hw_resc.max_cp_rings = max;
+ }
+
+-unsigned int bnxt_get_max_func_irqs(struct bnxt *bp)
++static unsigned int bnxt_get_max_func_irqs(struct bnxt *bp)
+ {
+ struct bnxt_hw_resc *hw_resc = &bp->hw_resc;
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+@@ -1469,7 +1469,6 @@ unsigned int bnxt_get_max_func_stat_ctxs
+ void bnxt_set_max_func_stat_ctxs(struct bnxt *bp, unsigned int max);
+ unsigned int bnxt_get_max_func_cp_rings(struct bnxt *bp);
+ void bnxt_set_max_func_cp_rings(struct bnxt *bp, unsigned int max);
+-unsigned int bnxt_get_max_func_irqs(struct bnxt *bp);
+ int bnxt_get_avail_msix(struct bnxt *bp, int num);
+ int bnxt_reserve_rings(struct bnxt *bp);
+ void bnxt_tx_disable(struct bnxt *bp);
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
+@@ -220,21 +220,6 @@ int bnxt_get_ulp_msix_base(struct bnxt *
+ return 0;
+ }
+
+-void bnxt_subtract_ulp_resources(struct bnxt *bp, int ulp_id)
+-{
+- ASSERT_RTNL();
+- if (bnxt_ulp_registered(bp->edev, ulp_id)) {
+- struct bnxt_en_dev *edev = bp->edev;
+- unsigned int msix_req, max;
+-
+- msix_req = edev->ulp_tbl[ulp_id].msix_requested;
+- max = bnxt_get_max_func_cp_rings(bp);
+- bnxt_set_max_func_cp_rings(bp, max - msix_req);
+- max = bnxt_get_max_func_stat_ctxs(bp);
+- bnxt_set_max_func_stat_ctxs(bp, max - 1);
+- }
+-}
+-
+ static int bnxt_send_msg(struct bnxt_en_dev *edev, int ulp_id,
+ struct bnxt_fw_msg *fw_msg)
+ {
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.h
+@@ -90,7 +90,6 @@ static inline bool bnxt_ulp_registered(s
+
+ int bnxt_get_ulp_msix_num(struct bnxt *bp);
+ int bnxt_get_ulp_msix_base(struct bnxt *bp);
+-void bnxt_subtract_ulp_resources(struct bnxt *bp, int ulp_id);
+ void bnxt_ulp_stop(struct bnxt *bp);
+ void bnxt_ulp_start(struct bnxt *bp);
+ void bnxt_ulp_sriov_cfg(struct bnxt *bp, int num_vfs);
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Mon, 3 Sep 2018 04:23:19 -0400
+Subject: bnxt_en: Do not adjust max_cp_rings by the ones used by RDMA.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 00fe9c326d2027f2437dea38ef0e82f9d02d94c0 ]
+
+Currently, the driver adjusts the bp->hw_resc.max_cp_rings by the number
+of MSIX vectors used by RDMA. There is one code path in open that needs
+to check the true max_cp_rings including any used by RDMA. This code
+is now checking for the reduced max_cp_rings which will fail when the
+number of cp rings is very small.
+
+To fix this in a clean way, we don't adjust max_cp_rings anymore.
+Instead, we add a helper bnxt_get_max_func_cp_rings_for_en() to get the
+reduced max_cp_rings when appropriate.
+
+Fixes: ec86f14ea506 ("bnxt_en: Add ULP calls to stop and restart IRQs.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 7 ++++---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.h | 2 +-
+ drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 7 ++++---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 5 -----
+ 4 files changed, 9 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -5907,9 +5907,9 @@ unsigned int bnxt_get_max_func_cp_rings(
+ return bp->hw_resc.max_cp_rings;
+ }
+
+-void bnxt_set_max_func_cp_rings(struct bnxt *bp, unsigned int max)
++unsigned int bnxt_get_max_func_cp_rings_for_en(struct bnxt *bp)
+ {
+- bp->hw_resc.max_cp_rings = max;
++ return bp->hw_resc.max_cp_rings - bnxt_get_ulp_msix_num(bp);
+ }
+
+ static unsigned int bnxt_get_max_func_irqs(struct bnxt *bp)
+@@ -8492,7 +8492,8 @@ static void _bnxt_get_max_rings(struct b
+
+ *max_tx = hw_resc->max_tx_rings;
+ *max_rx = hw_resc->max_rx_rings;
+- *max_cp = min_t(int, hw_resc->max_irqs, hw_resc->max_cp_rings);
++ *max_cp = min_t(int, bnxt_get_max_func_cp_rings_for_en(bp),
++ hw_resc->max_irqs);
+ *max_cp = min_t(int, *max_cp, hw_resc->max_stat_ctxs);
+ max_ring_grps = hw_resc->max_hw_ring_grps;
+ if (BNXT_CHIP_TYPE_NITRO_A0(bp) && BNXT_PF(bp)) {
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+@@ -1468,7 +1468,7 @@ int bnxt_hwrm_set_coal(struct bnxt *);
+ unsigned int bnxt_get_max_func_stat_ctxs(struct bnxt *bp);
+ void bnxt_set_max_func_stat_ctxs(struct bnxt *bp, unsigned int max);
+ unsigned int bnxt_get_max_func_cp_rings(struct bnxt *bp);
+-void bnxt_set_max_func_cp_rings(struct bnxt *bp, unsigned int max);
++unsigned int bnxt_get_max_func_cp_rings_for_en(struct bnxt *bp);
+ int bnxt_get_avail_msix(struct bnxt *bp, int num);
+ int bnxt_reserve_rings(struct bnxt *bp);
+ void bnxt_tx_disable(struct bnxt *bp);
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
+@@ -451,7 +451,7 @@ static int bnxt_hwrm_func_vf_resc_cfg(st
+
+ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_VF_RESOURCE_CFG, -1, -1);
+
+- vf_cp_rings = hw_resc->max_cp_rings - bp->cp_nr_rings;
++ vf_cp_rings = bnxt_get_max_func_cp_rings_for_en(bp) - bp->cp_nr_rings;
+ vf_stat_ctx = hw_resc->max_stat_ctxs - bp->num_stat_ctxs;
+ if (bp->flags & BNXT_FLAG_AGG_RINGS)
+ vf_rx_rings = hw_resc->max_rx_rings - bp->rx_nr_rings * 2;
+@@ -544,7 +544,8 @@ static int bnxt_hwrm_func_cfg(struct bnx
+ max_stat_ctxs = hw_resc->max_stat_ctxs;
+
+ /* Remaining rings are distributed equally amongs VF's for now */
+- vf_cp_rings = (hw_resc->max_cp_rings - bp->cp_nr_rings) / num_vfs;
++ vf_cp_rings = (bnxt_get_max_func_cp_rings_for_en(bp) -
++ bp->cp_nr_rings) / num_vfs;
+ vf_stat_ctx = (max_stat_ctxs - bp->num_stat_ctxs) / num_vfs;
+ if (bp->flags & BNXT_FLAG_AGG_RINGS)
+ vf_rx_rings = (hw_resc->max_rx_rings - bp->rx_nr_rings * 2) /
+@@ -638,7 +639,7 @@ static int bnxt_sriov_enable(struct bnxt
+ */
+ vfs_supported = *num_vfs;
+
+- avail_cp = hw_resc->max_cp_rings - bp->cp_nr_rings;
++ avail_cp = bnxt_get_max_func_cp_rings_for_en(bp) - bp->cp_nr_rings;
+ avail_stat = hw_resc->max_stat_ctxs - bp->num_stat_ctxs;
+ avail_cp = min_t(int, avail_cp, avail_stat);
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
+@@ -169,7 +169,6 @@ static int bnxt_req_msix_vecs(struct bnx
+ edev->ulp_tbl[ulp_id].msix_requested = avail_msix;
+ }
+ bnxt_fill_msix_vecs(bp, ent);
+- bnxt_set_max_func_cp_rings(bp, max_cp_rings - avail_msix);
+ edev->flags |= BNXT_EN_FLAG_MSIX_REQUESTED;
+ return avail_msix;
+ }
+@@ -178,7 +177,6 @@ static int bnxt_free_msix_vecs(struct bn
+ {
+ struct net_device *dev = edev->net;
+ struct bnxt *bp = netdev_priv(dev);
+- int max_cp_rings, msix_requested;
+
+ ASSERT_RTNL();
+ if (ulp_id != BNXT_ROCE_ULP)
+@@ -187,9 +185,6 @@ static int bnxt_free_msix_vecs(struct bn
+ if (!(edev->flags & BNXT_EN_FLAG_MSIX_REQUESTED))
+ return 0;
+
+- max_cp_rings = bnxt_get_max_func_cp_rings(bp);
+- msix_requested = edev->ulp_tbl[ulp_id].msix_requested;
+- bnxt_set_max_func_cp_rings(bp, max_cp_rings + msix_requested);
+ edev->ulp_tbl[ulp_id].msix_requested = 0;
+ edev->flags &= ~BNXT_EN_FLAG_MSIX_REQUESTED;
+ if (netif_running(dev)) {
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 27 Aug 2018 18:41:32 +0800
+Subject: erspan: set erspan_ver to 1 by default when adding an erspan dev
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 84581bdae9587023cea1d139523f0ef0f28bd88d ]
+
+After erspan_ver is introudced, if erspan_ver is not set in iproute, its
+value will be left 0 by default. Since Commit 02f99df1875c ("erspan: fix
+invalid erspan version."), it has broken the traffic due to the version
+check in erspan_xmit if users are not aware of 'erspan_ver' param, like
+using an old version of iproute.
+
+To fix this compatibility problem, it sets erspan_ver to 1 by default
+when adding an erspan dev in erspan_setup. Note that we can't do it in
+ipgre_netlink_parms, as this function is also used by ipgre_changelink.
+
+Fixes: 02f99df1875c ("erspan: fix invalid erspan version.")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_gre.c | 3 +++
+ net/ipv6/ip6_gre.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -1511,11 +1511,14 @@ nla_put_failure:
+
+ static void erspan_setup(struct net_device *dev)
+ {
++ struct ip_tunnel *t = netdev_priv(dev);
++
+ ether_setup(dev);
+ dev->netdev_ops = &erspan_netdev_ops;
+ dev->priv_flags &= ~IFF_TX_SKB_SHARING;
+ dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
+ ip_tunnel_setup(dev, erspan_net_id);
++ t->erspan_ver = 1;
+ }
+
+ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = {
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1776,6 +1776,7 @@ static void ip6gre_netlink_parms(struct
+ if (data[IFLA_GRE_COLLECT_METADATA])
+ parms->collect_md = true;
+
++ parms->erspan_ver = 1;
+ if (data[IFLA_GRE_ERSPAN_VER])
+ parms->erspan_ver = nla_get_u8(data[IFLA_GRE_ERSPAN_VER]);
+
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Dexuan Cui <decui@microsoft.com>
+Date: Thu, 30 Aug 2018 05:42:13 +0000
+Subject: hv_netvsc: Fix a deadlock by getting rtnl lock earlier in netvsc_probe()
+
+From: Dexuan Cui <decui@microsoft.com>
+
+[ Upstream commit e04e7a7bbd4bbabef4e1a58367e5fc9b2edc3b10 ]
+
+This patch fixes the race between netvsc_probe() and
+rndis_set_subchannel(), which can cause a deadlock.
+
+These are the related 3 paths which show the deadlock:
+
+path #1:
+ Workqueue: hv_vmbus_con vmbus_onmessage_work [hv_vmbus]
+ Call Trace:
+ schedule
+ schedule_preempt_disabled
+ __mutex_lock
+ __device_attach
+ bus_probe_device
+ device_add
+ vmbus_device_register
+ vmbus_onoffer
+ vmbus_onmessage_work
+ process_one_work
+ worker_thread
+ kthread
+ ret_from_fork
+
+path #2:
+ schedule
+ schedule_preempt_disabled
+ __mutex_lock
+ netvsc_probe
+ vmbus_probe
+ really_probe
+ __driver_attach
+ bus_for_each_dev
+ driver_attach_async
+ async_run_entry_fn
+ process_one_work
+ worker_thread
+ kthread
+ ret_from_fork
+
+path #3:
+ Workqueue: events netvsc_subchan_work [hv_netvsc]
+ Call Trace:
+ schedule
+ rndis_set_subchannel
+ netvsc_subchan_work
+ process_one_work
+ worker_thread
+ kthread
+ ret_from_fork
+
+Before path #1 finishes, path #2 can start to run, because just before
+the "bus_probe_device(dev);" in device_add() in path #1, there is a line
+"object_uevent(&dev->kobj, KOBJ_ADD);", so systemd-udevd can
+immediately try to load hv_netvsc and hence path #2 can start to run.
+
+Next, path #2 offloads the subchannal's initialization to a workqueue,
+i.e. path #3, so we can end up in a deadlock situation like this:
+
+Path #2 gets the device lock, and is trying to get the rtnl lock;
+Path #3 gets the rtnl lock and is waiting for all the subchannel messages
+to be processed;
+Path #1 is trying to get the device lock, but since #2 is not releasing
+the device lock, path #1 has to sleep; since the VMBus messages are
+processed one by one, this means the sub-channel messages can't be
+procedded, so #3 has to sleep with the rtnl lock held, and finally #2
+has to sleep... Now all the 3 paths are sleeping and we hit the deadlock.
+
+With the patch, we can make sure #2 gets both the device lock and the
+rtnl lock together, gets its job done, and releases the locks, so #1
+and #3 will not be blocked for ever.
+
+Fixes: 8195b1396ec8 ("hv_netvsc: fix deadlock on hotplug")
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Cc: Stephen Hemminger <sthemmin@microsoft.com>
+Cc: K. Y. Srinivasan <kys@microsoft.com>
+Cc: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -2101,6 +2101,16 @@ static int netvsc_probe(struct hv_device
+
+ memcpy(net->dev_addr, device_info.mac_adr, ETH_ALEN);
+
++ /* We must get rtnl lock before scheduling nvdev->subchan_work,
++ * otherwise netvsc_subchan_work() can get rtnl lock first and wait
++ * all subchannels to show up, but that may not happen because
++ * netvsc_probe() can't get rtnl lock and as a result vmbus_onoffer()
++ * -> ... -> device_add() -> ... -> __device_attach() can't get
++ * the device lock, so all the subchannels can't be processed --
++ * finally netvsc_subchan_work() hangs for ever.
++ */
++ rtnl_lock();
++
+ if (nvdev->num_chn > 1)
+ schedule_work(&nvdev->subchan_work);
+
+@@ -2119,7 +2129,6 @@ static int netvsc_probe(struct hv_device
+ else
+ net->max_mtu = ETH_DATA_LEN;
+
+- rtnl_lock();
+ ret = register_netdevice(net);
+ if (ret != 0) {
+ pr_err("Unable to register netdev.\n");
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Tue, 21 Aug 2018 10:40:38 -0700
+Subject: hv_netvsc: ignore devices that are not PCI
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit b93c1b5ac8643cc08bb74fa8ae21d6c63dfcb23d ]
+
+Registering another device with same MAC address (such as TAP, VPN or
+DPDK KNI) will confuse the VF autobinding logic. Restrict the search
+to only run if the device is known to be a PCI attached VF.
+
+Fixes: e8ff40d4bff1 ("hv_netvsc: improve VF device matching")
+Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -29,6 +29,7 @@
+ #include <linux/netdevice.h>
+ #include <linux/inetdevice.h>
+ #include <linux/etherdevice.h>
++#include <linux/pci.h>
+ #include <linux/skbuff.h>
+ #include <linux/if_vlan.h>
+ #include <linux/in.h>
+@@ -1939,12 +1940,16 @@ static int netvsc_register_vf(struct net
+ {
+ struct net_device *ndev;
+ struct net_device_context *net_device_ctx;
++ struct device *pdev = vf_netdev->dev.parent;
+ struct netvsc_device *netvsc_dev;
+ int ret;
+
+ if (vf_netdev->addr_len != ETH_ALEN)
+ return NOTIFY_DONE;
+
++ if (!pdev || !dev_is_pci(pdev) || dev_is_pf(pdev))
++ return NOTIFY_DONE;
++
+ /*
+ * We will use the MAC address to locate the synthetic interface to
+ * associate with the VF interface. If we don't find a matching
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Date: Mon, 20 Aug 2018 10:51:05 +0800
+Subject: ip6_vti: fix a null pointer deference when destroy vti6 tunnel
+
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+
+[ Upstream commit 9c86336c15db1c48cbaddff56caf2be0a930e991 ]
+
+If load ip6_vti module and create a network namespace when set
+fb_tunnels_only_for_init_net to 1, then exit the namespace will
+cause following crash:
+
+[ 6601.677036] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+[ 6601.679057] PGD 8000000425eca067 P4D 8000000425eca067 PUD 424292067 PMD 0
+[ 6601.680483] Oops: 0000 [#1] SMP PTI
+[ 6601.681223] CPU: 7 PID: 93 Comm: kworker/u16:1 Kdump: loaded Tainted: G E 4.18.0+ #3
+[ 6601.683153] Hardware name: Fedora Project OpenStack Nova, BIOS seabios-1.7.5-11.el7 04/01/2014
+[ 6601.684919] Workqueue: netns cleanup_net
+[ 6601.685742] RIP: 0010:vti6_exit_batch_net+0x87/0xd0 [ip6_vti]
+[ 6601.686932] Code: 7b 08 48 89 e6 e8 b9 ea d3 dd 48 8b 1b 48 85 db 75 ec 48 83 c5 08 48 81 fd 00 01 00 00 75 d5 49 8b 84 24 08 01 00 00 48 89 e6 <48> 8b 78 08 e8 90 ea d3 dd 49 8b 45 28 49 39 c6 4c 8d 68 d8 75 a1
+[ 6601.690735] RSP: 0018:ffffa897c2737de0 EFLAGS: 00010246
+[ 6601.691846] RAX: 0000000000000000 RBX: 0000000000000000 RCX: dead000000000200
+[ 6601.693324] RDX: 0000000000000015 RSI: ffffa897c2737de0 RDI: ffffffff9f2ea9e0
+[ 6601.694824] RBP: 0000000000000100 R08: 0000000000000000 R09: 0000000000000000
+[ 6601.696314] R10: 0000000000000001 R11: 0000000000000000 R12: ffff8dc323c07e00
+[ 6601.697812] R13: ffff8dc324a63100 R14: ffffa897c2737e30 R15: ffffa897c2737e30
+[ 6601.699345] FS: 0000000000000000(0000) GS:ffff8dc33fdc0000(0000) knlGS:0000000000000000
+[ 6601.701068] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 6601.702282] CR2: 0000000000000008 CR3: 0000000424966002 CR4: 00000000001606e0
+[ 6601.703791] Call Trace:
+[ 6601.704329] cleanup_net+0x1b4/0x2c0
+[ 6601.705268] process_one_work+0x16c/0x370
+[ 6601.706145] worker_thread+0x49/0x3e0
+[ 6601.706942] kthread+0xf8/0x130
+[ 6601.707626] ? rescuer_thread+0x340/0x340
+[ 6601.708476] ? kthread_bind+0x10/0x10
+[ 6601.709266] ret_from_fork+0x35/0x40
+
+Reproduce:
+modprobe ip6_vti
+echo 1 > /proc/sys/net/core/fb_tunnels_only_for_init_net
+unshare -n
+exit
+
+This because ip6n->tnls_wc[0] point to fallback device in default, but
+in non-default namespace, ip6n->tnls_wc[0] will be NULL, so add the NULL
+check comparatively.
+
+Fixes: e2948e5af8ee ("ip6_vti: fix creating fallback tunnel device for vti6")
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_vti.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -1102,7 +1102,8 @@ static void __net_exit vti6_destroy_tunn
+ }
+
+ t = rtnl_dereference(ip6n->tnls_wc[0]);
+- unregister_netdevice_queue(t->dev, list);
++ if (t)
++ unregister_netdevice_queue(t->dev, list);
+ }
+
+ static int __net_init vti6_init_net(struct net *net)
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Date: Sun, 19 Aug 2018 15:05:05 +0800
+Subject: ip6_vti: fix creating fallback tunnel device for vti6
+
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+
+[ Upstream commit e2948e5af8eeb6c945000772b7613b0323a0a203 ]
+
+When set fb_tunnels_only_for_init_net to 1, don't create fallback tunnel
+device for vti6 when a new namespace is created.
+
+Tested:
+[root@builder2 ~]# modprobe ip6_tunnel
+[root@builder2 ~]# modprobe ip6_vti
+[root@builder2 ~]# echo 1 > /proc/sys/net/core/fb_tunnels_only_for_init_net
+[root@builder2 ~]# unshare -n
+[root@builder2 ~]# ip link
+1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group
+default qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_vti.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -1114,6 +1114,8 @@ static int __net_init vti6_init_net(stru
+ ip6n->tnls[0] = ip6n->tnls_wc;
+ ip6n->tnls[1] = ip6n->tnls_r_l;
+
++ if (!net_has_fallback_tunnels(net))
++ return 0;
+ err = -ENOMEM;
+ ip6n->fb_tnl_dev = alloc_netdev(sizeof(struct ip6_tnl), "ip6_vti0",
+ NET_NAME_UNKNOWN, vti6_dev_setup);
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 22 Aug 2018 13:30:45 -0700
+Subject: ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT state
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 431280eebed9f5079553daf003011097763e71fd ]
+
+tcp uses per-cpu (and per namespace) sockets (net->ipv4.tcp_sk) internally
+to send some control packets.
+
+1) RST packets, through tcp_v4_send_reset()
+2) ACK packets in SYN-RECV and TIME-WAIT state, through tcp_v4_send_ack()
+
+These packets assert IP_DF, and also use the hashed IP ident generator
+to provide an IPv4 ID number.
+
+Geoff Alexander reported this could be used to build off-path attacks.
+
+These packets should not be fragmented, since their size is smaller than
+IPV4_MIN_MTU. Only some tunneled paths could eventually have to fragment,
+regardless of inner IPID.
+
+We really can use zero IPID, to address the flaw, and as a bonus,
+avoid a couple of atomic operations in ip_idents_reserve()
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Geoff Alexander <alexandg@cs.unm.edu>
+Tested-by: Geoff Alexander <alexandg@cs.unm.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_ipv4.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -2516,6 +2516,12 @@ static int __net_init tcp_sk_init(struct
+ if (res)
+ goto fail;
+ sock_set_flag(sk, SOCK_USE_WRITE_QUEUE);
++
++ /* Please enforce IP_DF and IPID==0 for RST and
++ * ACK sent in SYN-RECV and TIME-WAIT state.
++ */
++ inet_sk(sk)->pmtudisc = IP_PMTUDISC_DO;
++
+ *per_cpu_ptr(net->ipv4.tcp_sk, cpu) = sk;
+ }
+
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Date: Thu, 30 Aug 2018 19:11:24 +0300
+Subject: ipv6: don't get lwtstate twice in ip6_rt_copy_init()
+
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+
+[ Upstream commit 93bbadd6e0a2a58e49d265b9b1aa58e621b60a26 ]
+
+Commit 80f1a0f4e0cd ("net/ipv6: Put lwtstate when destroying fib6_info")
+partially fixed the kmemleak [1], lwtstate can be copied from fib6_info,
+with ip6_rt_copy_init(), and it should be done only once there.
+
+rt->dst.lwtstate is set by ip6_rt_init_dst(), at the start of the function
+ip6_rt_copy_init(), so there is no need to get it again at the end.
+
+With this patch, lwtstate also isn't copied from RTF_REJECT routes.
+
+[1]:
+unreferenced object 0xffff880b6aaa14e0 (size 64):
+ comm "ip", pid 10577, jiffies 4295149341 (age 1273.903s)
+ hex dump (first 32 bytes):
+ 01 00 04 00 04 00 00 00 10 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<0000000018664623>] lwtunnel_build_state+0x1bc/0x420
+ [<00000000b73aa29a>] ip6_route_info_create+0x9f7/0x1fd0
+ [<00000000ee2c5d1f>] ip6_route_add+0x14/0x70
+ [<000000008537b55c>] inet6_rtm_newroute+0xd9/0xe0
+ [<000000002acc50f5>] rtnetlink_rcv_msg+0x66f/0x8e0
+ [<000000008d9cd381>] netlink_rcv_skb+0x268/0x3b0
+ [<000000004c893c76>] netlink_unicast+0x417/0x5a0
+ [<00000000f2ab1afb>] netlink_sendmsg+0x70b/0xc30
+ [<00000000890ff0aa>] sock_sendmsg+0xb1/0xf0
+ [<00000000a2e7b66f>] ___sys_sendmsg+0x659/0x950
+ [<000000001e7426c8>] __sys_sendmsg+0xde/0x170
+ [<00000000fe411443>] do_syscall_64+0x9f/0x4a0
+ [<000000001be7b28b>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [<000000006d21f353>] 0xffffffffffffffff
+
+Fixes: 6edb3c96a5f0 ("net/ipv6: Defer initialization of dst to data path")
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -996,7 +996,6 @@ static void ip6_rt_copy_init(struct rt6_
+ rt->rt6i_src = ort->fib6_src;
+ #endif
+ rt->rt6i_prefsrc = ort->fib6_prefsrc;
+- rt->dst.lwtstate = lwtstate_get(ort->fib6_nh.nh_lwtstate);
+ }
+
+ static struct fib6_node* fib6_backtrack(struct fib6_node *fn,
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Fri, 24 Aug 2018 15:41:35 +0300
+Subject: mlxsw: spectrum_switchdev: Do not leak RIFs when removing bridge
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 602b74eda81311dbdb5dbab08c30f789f648ebdc ]
+
+When a bridge device is removed, the VLANs are flushed from each
+configured port. This causes the ports to decrement the reference count
+on the associated FIDs (filtering identifier). If the reference count of
+a FID is 1 and it has a RIF (router interface), then this RIF is
+destroyed.
+
+However, if no port is member in the VLAN for which a RIF exists, then
+the RIF will continue to exist after the removal of the bridge. To
+reproduce:
+
+# ip link add name br0 type bridge vlan_filtering 1
+# ip link set dev swp1 master br0
+# ip link add link br0 name br0.10 type vlan id 10
+# ip address add 192.0.2.0/24 dev br0.10
+# ip link del dev br0
+
+The RIF associated with br0.10 continues to exist.
+
+Fix this by iterating over all the bridge device uppers when it is
+destroyed and take care of destroying their RIFs.
+
+Fixes: 99f44bb3527b ("mlxsw: spectrum: Enable L3 interfaces on top of bridge devices")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reviewed-by: Petr Machata <petrm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum.h | 2 +
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 11 ++++++++
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 20 +++++++++++++++
+ 3 files changed, 33 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.h
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.h
+@@ -433,6 +433,8 @@ mlxsw_sp_netdevice_ipip_ul_event(struct
+ void
+ mlxsw_sp_port_vlan_router_leave(struct mlxsw_sp_port_vlan *mlxsw_sp_port_vlan);
+ void mlxsw_sp_rif_destroy(struct mlxsw_sp_rif *rif);
++void mlxsw_sp_rif_destroy_by_dev(struct mlxsw_sp *mlxsw_sp,
++ struct net_device *dev);
+
+ /* spectrum_kvdl.c */
+ int mlxsw_sp_kvdl_init(struct mlxsw_sp *mlxsw_sp);
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+@@ -6228,6 +6228,17 @@ void mlxsw_sp_rif_destroy(struct mlxsw_s
+ mlxsw_sp_vr_put(mlxsw_sp, vr);
+ }
+
++void mlxsw_sp_rif_destroy_by_dev(struct mlxsw_sp *mlxsw_sp,
++ struct net_device *dev)
++{
++ struct mlxsw_sp_rif *rif;
++
++ rif = mlxsw_sp_rif_find_by_dev(mlxsw_sp, dev);
++ if (!rif)
++ return;
++ mlxsw_sp_rif_destroy(rif);
++}
++
+ static void
+ mlxsw_sp_rif_subport_params_init(struct mlxsw_sp_rif_params *params,
+ struct mlxsw_sp_port_vlan *mlxsw_sp_port_vlan)
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
+@@ -160,6 +160,24 @@ bool mlxsw_sp_bridge_device_is_offloaded
+ return !!mlxsw_sp_bridge_device_find(mlxsw_sp->bridge, br_dev);
+ }
+
++static int mlxsw_sp_bridge_device_upper_rif_destroy(struct net_device *dev,
++ void *data)
++{
++ struct mlxsw_sp *mlxsw_sp = data;
++
++ mlxsw_sp_rif_destroy_by_dev(mlxsw_sp, dev);
++ return 0;
++}
++
++static void mlxsw_sp_bridge_device_rifs_destroy(struct mlxsw_sp *mlxsw_sp,
++ struct net_device *dev)
++{
++ mlxsw_sp_rif_destroy_by_dev(mlxsw_sp, dev);
++ netdev_walk_all_upper_dev_rcu(dev,
++ mlxsw_sp_bridge_device_upper_rif_destroy,
++ mlxsw_sp);
++}
++
+ static struct mlxsw_sp_bridge_device *
+ mlxsw_sp_bridge_device_create(struct mlxsw_sp_bridge *bridge,
+ struct net_device *br_dev)
+@@ -198,6 +216,8 @@ static void
+ mlxsw_sp_bridge_device_destroy(struct mlxsw_sp_bridge *bridge,
+ struct mlxsw_sp_bridge_device *bridge_device)
+ {
++ mlxsw_sp_bridge_device_rifs_destroy(bridge->mlxsw_sp,
++ bridge_device->dev);
+ list_del(&bridge_device->list);
+ if (bridge_device->vlan_enabled)
+ bridge->vlan_enabled_exists = false;
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Doug Berger <opendmb@gmail.com>
+Date: Tue, 28 Aug 2018 12:33:15 -0700
+Subject: net: bcmgenet: use MAC link status for fixed phy
+
+From: Doug Berger <opendmb@gmail.com>
+
+[ Upstream commit c3c397c1f16c51601a3fac4fe0c63ad8aa85a904 ]
+
+When using the fixed PHY with GENET (e.g. MOCA) the PHY link
+status can be determined from the internal link status captured
+by the MAC. This allows the PHY state machine to use the correct
+link state with the fixed PHY even if MAC link event interrupts
+are missed when the net device is opened.
+
+Fixes: 8d88c6ebb34c ("net: bcmgenet: enable MoCA link state change detection")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.h | 3 +++
+ drivers/net/ethernet/broadcom/genet/bcmmii.c | 10 ++++++++--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h
+@@ -186,6 +186,9 @@ struct bcmgenet_mib_counters {
+ #define UMAC_MAC1 0x010
+ #define UMAC_MAX_FRAME_LEN 0x014
+
++#define UMAC_MODE 0x44
++#define MODE_LINK_STATUS (1 << 5)
++
+ #define UMAC_EEE_CTRL 0x064
+ #define EN_LPI_RX_PAUSE (1 << 0)
+ #define EN_LPI_TX_PFC (1 << 1)
+--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c
+@@ -115,8 +115,14 @@ void bcmgenet_mii_setup(struct net_devic
+ static int bcmgenet_fixed_phy_link_update(struct net_device *dev,
+ struct fixed_phy_status *status)
+ {
+- if (dev && dev->phydev && status)
+- status->link = dev->phydev->link;
++ struct bcmgenet_priv *priv;
++ u32 reg;
++
++ if (dev && dev->phydev && status) {
++ priv = netdev_priv(dev);
++ reg = bcmgenet_umac_readl(priv, UMAC_MODE);
++ status->link = !!(reg & MODE_LINK_STATUS);
++ }
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Thu, 23 Aug 2018 11:31:37 +0800
+Subject: net/ipv6: init ip6 anycast rt->dst.input as ip6_input
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit d23c4b6336ef30898dcdff351f21e633e7a64930 ]
+
+Commit 6edb3c96a5f02 ("net/ipv6: Defer initialization of dst to data path")
+forgot to handle anycast route and init anycast rt->dst.input to ip6_forward.
+Fix it by setting anycast rt->dst.input back to ip6_input.
+
+Fixes: 6edb3c96a5f02 ("net/ipv6: Defer initialization of dst to data path")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -956,7 +956,7 @@ static void ip6_rt_init_dst(struct rt6_i
+ rt->dst.error = 0;
+ rt->dst.output = ip6_output;
+
+- if (ort->fib6_type == RTN_LOCAL) {
++ if (ort->fib6_type == RTN_LOCAL || ort->fib6_type == RTN_ANYCAST) {
+ rt->dst.input = ip6_input;
+ } else if (ipv6_addr_type(&ort->fib6_dst.addr) & IPV6_ADDR_MULTICAST) {
+ rt->dst.input = ip6_mc_input;
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: David Ahern <dsahern@gmail.com>
+Date: Thu, 30 Aug 2018 14:15:43 -0700
+Subject: net/ipv6: Only update MTU metric if it set
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit 15a81b418e22a9aa4a0504471fdcb0f4ebf69b96 ]
+
+Jan reported a regression after an update to 4.18.5. In this case ipv6
+default route is setup by systemd-networkd based on data from an RA. The
+RA contains an MTU of 1492 which is used when the route is first inserted
+but then systemd-networkd pushes down updates to the default route
+without the mtu set.
+
+Prior to the change to fib6_info, metrics such as MTU were held in the
+dst_entry and rt6i_pmtu in rt6_info contained an update to the mtu if
+any. ip6_mtu would look at rt6i_pmtu first and use it if set. If not,
+the value from the metrics is used if it is set and finally falling
+back to the idev value.
+
+After the fib6_info change metrics are contained in the fib6_info struct
+and there is no equivalent to rt6i_pmtu. To maintain consistency with
+the old behavior the new code should only reset the MTU in the metrics
+if the route update has it set.
+
+Fixes: d4ead6b34b67 ("net/ipv6: move metrics from dst to rt6_info")
+Reported-by: Jan Janssen <medhefgo@web.de>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_fib.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -987,7 +987,10 @@ static int fib6_add_rt2node(struct fib6_
+ fib6_clean_expires(iter);
+ else
+ fib6_set_expires(iter, rt->expires);
+- fib6_metric_set(iter, RTAX_MTU, rt->fib6_pmtu);
++
++ if (rt->fib6_pmtu)
++ fib6_metric_set(iter, RTAX_MTU,
++ rt->fib6_pmtu);
+ return -EEXIST;
+ }
+ /* If we have the same destination and the same metric,
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: David Ahern <dsahern@gmail.com>
+Date: Mon, 20 Aug 2018 13:02:41 -0700
+Subject: net/ipv6: Put lwtstate when destroying fib6_info
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit 80f1a0f4e0cd4bfc8a74fc1c39843a6e7b206b95 ]
+
+Prior to the introduction of fib6_info lwtstate was managed by the dst
+code. With fib6_info releasing lwtstate needs to be done when the struct
+is freed.
+
+Fixes: 93531c674315 ("net/ipv6: separate handling of FIB entries from dst based routes")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_fib.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -198,6 +198,8 @@ void fib6_info_destroy_rcu(struct rcu_he
+ }
+ }
+
++ lwtstate_put(f6i->fib6_nh.nh_lwtstate);
++
+ if (f6i->fib6_nh.nh_dev)
+ dev_put(f6i->fib6_nh.nh_dev);
+
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Anssi Hannula <anssi.hannula@bitwise.fi>
+Date: Thu, 23 Aug 2018 10:45:22 +0300
+Subject: net: macb: do not disable MDIO bus at open/close time
+
+From: Anssi Hannula <anssi.hannula@bitwise.fi>
+
+[ Upstream commit 0da70f808029476001109b6cb076737bc04cea2e ]
+
+macb_reset_hw() is called from macb_close() and indirectly from
+macb_open(). macb_reset_hw() zeroes the NCR register, including the MPE
+(Management Port Enable) bit.
+
+This will prevent accessing any other PHYs for other Ethernet MACs on
+the MDIO bus, which remains registered at macb_reset_hw() time, until
+macb_init_hw() is called from macb_open() which sets the MPE bit again.
+
+I.e. currently the MDIO bus has a short disruption at open time and is
+disabled at close time until the interface is opened again.
+
+Fix that by only touching the RE and TE bits when enabling and disabling
+RX/TX.
+
+v2: Make macb_init_hw() NCR write a single statement.
+
+Fixes: 6c36a7074436 ("macb: Use generic PHY layer")
+Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
+Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Tested-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -1957,14 +1957,17 @@ static void macb_reset_hw(struct macb *b
+ {
+ struct macb_queue *queue;
+ unsigned int q;
++ u32 ctrl = macb_readl(bp, NCR);
+
+ /* Disable RX and TX (XXX: Should we halt the transmission
+ * more gracefully?)
+ */
+- macb_writel(bp, NCR, 0);
++ ctrl &= ~(MACB_BIT(RE) | MACB_BIT(TE));
+
+ /* Clear the stats registers (XXX: Update stats first?) */
+- macb_writel(bp, NCR, MACB_BIT(CLRSTAT));
++ ctrl |= MACB_BIT(CLRSTAT);
++
++ macb_writel(bp, NCR, ctrl);
+
+ /* Clear all status flags */
+ macb_writel(bp, TSR, -1);
+@@ -2152,7 +2155,7 @@ static void macb_init_hw(struct macb *bp
+ }
+
+ /* Enable TX and RX */
+- macb_writel(bp, NCR, MACB_BIT(RE) | MACB_BIT(TE) | MACB_BIT(MPE));
++ macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(RE) | MACB_BIT(TE));
+ }
+
+ /* The hash address register is 64 bits long and takes up two
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Date: Tue, 21 Aug 2018 17:35:48 +0200
+Subject: net: macb: Fix regression breaking non-MDIO fixed-link PHYs
+
+From: Ahmad Fatoum <a.fatoum@pengutronix.de>
+
+[ Upstream commit ab5f11055fdf8dfc3ddbd89e8e3cc550de41d1d3 ]
+
+commit 739de9a1563a ("net: macb: Reorganize macb_mii bringup") broke
+initializing macb on the EVB-KSZ9477 eval board.
+There, of_mdiobus_register was called even for the fixed-link representing
+the RGMII-link to the switch with the result that the driver attempts to
+enumerate PHYs on a non-existent MDIO bus:
+
+ libphy: MACB_mii_bus: probed
+ mdio_bus f0028000.ethernet-ffffffff: fixed-link has invalid PHY address
+ mdio_bus f0028000.ethernet-ffffffff: scan phy fixed-link at address 0
+ [snip]
+ mdio_bus f0028000.ethernet-ffffffff: scan phy fixed-link at address 31
+
+The "MDIO" bus registration succeeds regardless, having claimed the reset GPIO,
+and calling of_phy_register_fixed_link later on fails because it tries
+to claim the same GPIO:
+
+ macb f0028000.ethernet: broken fixed-link specification
+
+Fix this by registering the fixed-link before calling mdiobus_register.
+
+Fixes: 739de9a1563a ("net: macb: Reorganize macb_mii bringup")
+Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -481,11 +481,6 @@ static int macb_mii_probe(struct net_dev
+
+ if (np) {
+ if (of_phy_is_fixed_link(np)) {
+- if (of_phy_register_fixed_link(np) < 0) {
+- dev_err(&bp->pdev->dev,
+- "broken fixed-link specification\n");
+- return -ENODEV;
+- }
+ bp->phy_node = of_node_get(np);
+ } else {
+ bp->phy_node = of_parse_phandle(np, "phy-handle", 0);
+@@ -568,7 +563,7 @@ static int macb_mii_init(struct macb *bp
+ {
+ struct macb_platform_data *pdata;
+ struct device_node *np;
+- int err;
++ int err = -ENXIO;
+
+ /* Enable management port */
+ macb_writel(bp, NCR, MACB_BIT(MPE));
+@@ -591,12 +586,23 @@ static int macb_mii_init(struct macb *bp
+ dev_set_drvdata(&bp->dev->dev, bp->mii_bus);
+
+ np = bp->pdev->dev.of_node;
+- if (pdata)
+- bp->mii_bus->phy_mask = pdata->phy_mask;
++ if (np && of_phy_is_fixed_link(np)) {
++ if (of_phy_register_fixed_link(np) < 0) {
++ dev_err(&bp->pdev->dev,
++ "broken fixed-link specification %pOF\n", np);
++ goto err_out_free_mdiobus;
++ }
++
++ err = mdiobus_register(bp->mii_bus);
++ } else {
++ if (pdata)
++ bp->mii_bus->phy_mask = pdata->phy_mask;
++
++ err = of_mdiobus_register(bp->mii_bus, np);
++ }
+
+- err = of_mdiobus_register(bp->mii_bus, np);
+ if (err)
+- goto err_out_free_mdiobus;
++ goto err_out_free_fixed_link;
+
+ err = macb_mii_probe(bp->dev);
+ if (err)
+@@ -606,6 +612,7 @@ static int macb_mii_init(struct macb *bp
+
+ err_out_unregister_bus:
+ mdiobus_unregister(bp->mii_bus);
++err_out_free_fixed_link:
+ if (np && of_phy_is_fixed_link(np))
+ of_phy_deregister_fixed_link(np);
+ err_out_free_mdiobus:
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Tariq Toukan <tariqt@mellanox.com>
+Date: Mon, 3 Sep 2018 18:06:24 +0300
+Subject: net/mlx5: Fix SQ offset in QPs with small RQ
+
+From: Tariq Toukan <tariqt@mellanox.com>
+
+[ Upstream commit 639505d4397b8c654a8e2616f9cb70ece40c83f9 ]
+
+Correct the formula for calculating the RQ page remainder,
+which should be in byte granularity. The result will be
+non-zero only for RQs smaller than PAGE_SIZE, as an RQ size
+is a power of 2.
+
+Divide this by the SQ stride (MLX5_SEND_WQE_BB) to get the
+SQ offset in strides granularity.
+
+Fixes: d7037ad73daa ("net/mlx5: Fix QP fragmented buffer allocation")
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/wq.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/wq.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/wq.c
+@@ -139,14 +139,15 @@ int mlx5_wq_qp_create(struct mlx5_core_d
+ struct mlx5_wq_ctrl *wq_ctrl)
+ {
+ u32 sq_strides_offset;
++ u32 rq_pg_remainder;
+ int err;
+
+ mlx5_fill_fbc(MLX5_GET(qpc, qpc, log_rq_stride) + 4,
+ MLX5_GET(qpc, qpc, log_rq_size),
+ &wq->rq.fbc);
+
+- sq_strides_offset =
+- ((wq->rq.fbc.frag_sz_m1 + 1) % PAGE_SIZE) / MLX5_SEND_WQE_BB;
++ rq_pg_remainder = mlx5_wq_cyc_get_byte_size(&wq->rq) % PAGE_SIZE;
++ sq_strides_offset = rq_pg_remainder / MLX5_SEND_WQE_BB;
+
+ mlx5_fill_fbc_offset(ilog2(MLX5_SEND_WQE_BB),
+ MLX5_GET(qpc, qpc, log_sq_size),
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Mon, 27 Aug 2018 22:56:22 +0200
+Subject: net/sched: act_pedit: fix dump of extended layered op
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 85eb9af182243ce9a8b72410d5321c440ac5f8d7 ]
+
+in the (rare) case of failure in nla_nest_start(), missing NULL checks in
+tcf_pedit_key_ex_dump() can make the following command
+
+ # tc action add action pedit ex munge ip ttl set 64
+
+dereference a NULL pointer:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+ PGD 800000007d1cd067 P4D 800000007d1cd067 PUD 7acd3067 PMD 0
+ Oops: 0002 [#1] SMP PTI
+ CPU: 0 PID: 3336 Comm: tc Tainted: G E 4.18.0.pedit+ #425
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:tcf_pedit_dump+0x19d/0x358 [act_pedit]
+ Code: be 02 00 00 00 48 89 df 66 89 44 24 20 e8 9b b1 fd e0 85 c0 75 46 8b 83 c8 00 00 00 49 83 c5 08 48 03 83 d0 00 00 00 4d 39 f5 <66> 89 04 25 00 00 00 00 0f 84 81 01 00 00 41 8b 45 00 48 8d 4c 24
+ RSP: 0018:ffffb5d4004478a8 EFLAGS: 00010246
+ RAX: ffff8880fcda2070 RBX: ffff8880fadd2900 RCX: 0000000000000000
+ RDX: 0000000000000002 RSI: ffffb5d4004478ca RDI: ffff8880fcda206e
+ RBP: ffff8880fb9cb900 R08: 0000000000000008 R09: ffff8880fcda206e
+ R10: ffff8880fadd2900 R11: 0000000000000000 R12: ffff8880fd26cf40
+ R13: ffff8880fc957430 R14: ffff8880fc957430 R15: ffff8880fb9cb988
+ FS: 00007f75a537a740(0000) GS:ffff8880fda00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 000000007a2fa005 CR4: 00000000001606f0
+ Call Trace:
+ ? __nla_reserve+0x38/0x50
+ tcf_action_dump_1+0xd2/0x130
+ tcf_action_dump+0x6a/0xf0
+ tca_get_fill.constprop.31+0xa3/0x120
+ tcf_action_add+0xd1/0x170
+ tc_ctl_action+0x137/0x150
+ rtnetlink_rcv_msg+0x263/0x2d0
+ ? _cond_resched+0x15/0x40
+ ? rtnl_calcit.isra.30+0x110/0x110
+ netlink_rcv_skb+0x4d/0x130
+ netlink_unicast+0x1a3/0x250
+ netlink_sendmsg+0x2ae/0x3a0
+ sock_sendmsg+0x36/0x40
+ ___sys_sendmsg+0x26f/0x2d0
+ ? do_wp_page+0x8e/0x5f0
+ ? handle_pte_fault+0x6c3/0xf50
+ ? __handle_mm_fault+0x38e/0x520
+ ? __sys_sendmsg+0x5e/0xa0
+ __sys_sendmsg+0x5e/0xa0
+ do_syscall_64+0x5b/0x180
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+ RIP: 0033:0x7f75a4583ba0
+ Code: c3 48 8b 05 f2 62 2c 00 f7 db 64 89 18 48 83 cb ff eb dd 0f 1f 80 00 00 00 00 83 3d fd c3 2c 00 00 75 10 b8 2e 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ae cc 00 00 48 89 04 24
+ RSP: 002b:00007fff60ee7418 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 00007fff60ee7540 RCX: 00007f75a4583ba0
+ RDX: 0000000000000000 RSI: 00007fff60ee7490 RDI: 0000000000000003
+ RBP: 000000005b842d3e R08: 0000000000000002 R09: 0000000000000000
+ R10: 00007fff60ee6ea0 R11: 0000000000000246 R12: 0000000000000000
+ R13: 00007fff60ee7554 R14: 0000000000000001 R15: 000000000066c100
+ Modules linked in: act_pedit(E) ip6table_filter ip6_tables iptable_filter binfmt_misc crct10dif_pclmul ext4 crc32_pclmul mbcache ghash_clmulni_intel jbd2 pcbc snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd snd_timer cryptd glue_helper snd joydev pcspkr soundcore virtio_balloon i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi virtio_net net_failover virtio_blk virtio_console failover qxl crc32c_intel drm_kms_helper syscopyarea serio_raw sysfillrect sysimgblt fb_sys_fops ttm drm ata_piix virtio_pci libata virtio_ring i2c_core virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_pedit]
+ CR2: 0000000000000000
+
+Like it's done for other TC actions, give up dumping pedit rules and return
+an error if nla_nest_start() returns NULL.
+
+Fixes: 71d0ed7079df ("net/act_pedit: Support using offset relative to the conventional network headers")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_pedit.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/net/sched/act_pedit.c
++++ b/net/sched/act_pedit.c
+@@ -109,16 +109,18 @@ static int tcf_pedit_key_ex_dump(struct
+ {
+ struct nlattr *keys_start = nla_nest_start(skb, TCA_PEDIT_KEYS_EX);
+
++ if (!keys_start)
++ goto nla_failure;
+ for (; n > 0; n--) {
+ struct nlattr *key_start;
+
+ key_start = nla_nest_start(skb, TCA_PEDIT_KEY_EX);
++ if (!key_start)
++ goto nla_failure;
+
+ if (nla_put_u16(skb, TCA_PEDIT_KEY_EX_HTYPE, keys_ex->htype) ||
+- nla_put_u16(skb, TCA_PEDIT_KEY_EX_CMD, keys_ex->cmd)) {
+- nlmsg_trim(skb, keys_start);
+- return -EINVAL;
+- }
++ nla_put_u16(skb, TCA_PEDIT_KEY_EX_CMD, keys_ex->cmd))
++ goto nla_failure;
+
+ nla_nest_end(skb, key_start);
+
+@@ -128,6 +130,9 @@ static int tcf_pedit_key_ex_dump(struct
+ nla_nest_end(skb, keys_start);
+
+ return 0;
++nla_failure:
++ nla_nest_cancel(skb, keys_start);
++ return -EINVAL;
+ }
+
+ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
+@@ -395,7 +400,10 @@ static int tcf_pedit_dump(struct sk_buff
+ opt->bindcnt = p->tcf_bindcnt - bind;
+
+ if (p->tcfp_keys_ex) {
+- tcf_pedit_key_ex_dump(skb, p->tcfp_keys_ex, p->tcfp_nkeys);
++ if (tcf_pedit_key_ex_dump(skb,
++ p->tcfp_keys_ex,
++ p->tcfp_nkeys))
++ goto nla_put_failure;
+
+ if (nla_put(skb, TCA_PEDIT_PARMS_EX, s, opt))
+ goto nla_put_failure;
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Vlad Buslov <vladbu@mellanox.com>
+Date: Tue, 4 Sep 2018 00:44:42 +0300
+Subject: net: sched: action_ife: take reference to meta module
+
+From: Vlad Buslov <vladbu@mellanox.com>
+
+[ Upstream commit 84cb8eb26cb9ce3c79928094962a475a9d850a53 ]
+
+Recent refactoring of add_metainfo() caused use_all_metadata() to add
+metainfo to ife action metalist without taking reference to module. This
+causes warning in module_put called from ife action cleanup function.
+
+Implement add_metainfo_and_get_ops() function that returns with reference
+to module taken if metainfo was added successfully, and call it from
+use_all_metadata(), instead of calling __add_metainfo() directly.
+
+Example warning:
+
+[ 646.344393] WARNING: CPU: 1 PID: 2278 at kernel/module.c:1139 module_put+0x1cb/0x230
+[ 646.352437] Modules linked in: act_meta_skbtcindex act_meta_mark act_meta_skbprio act_ife ife veth nfsv3 nfs fscache xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c tun ebtable_filter ebtables ip6table_filter ip6_tables bridge stp llc mlx5_ib ib_uverbs ib_core intel_rapl sb_edac x86_pkg_temp_thermal mlx5_core coretemp kvm_intel kvm nfsd igb irqbypass crct10dif_pclmul devlink crc32_pclmul mei_me joydev ses crc32c_intel enclosure auth_rpcgss i2c_algo_bit ioatdma ptp mei pps_core ghash_clmulni_intel iTCO_wdt iTCO_vendor_support pcspkr dca ipmi_ssif lpc_ich target_core_mod i2c_i801 ipmi_si ipmi_devintf pcc_cpufreq wmi ipmi_msghandler nfs_acl lockd acpi_pad acpi_power_meter grace sunrpc mpt3sas raid_class scsi_transport_sas
+[ 646.425631] CPU: 1 PID: 2278 Comm: tc Not tainted 4.19.0-rc1+ #799
+[ 646.432187] Hardware name: Supermicro SYS-2028TP-DECR/X10DRT-P, BIOS 2.0b 03/30/2017
+[ 646.440595] RIP: 0010:module_put+0x1cb/0x230
+[ 646.445238] Code: f3 66 94 02 e8 26 ff fa ff 85 c0 74 11 0f b6 1d 51 30 94 02 80 fb 01 77 60 83 e3 01 74 13 65 ff 0d 3a 83 db 73 e9 2b ff ff ff <0f> 0b e9 00 ff ff ff e8 59 01 fb ff 85 c0 75 e4 48 c7 c2 20 62 6b
+[ 646.464997] RSP: 0018:ffff880354d37068 EFLAGS: 00010286
+[ 646.470599] RAX: 0000000000000000 RBX: ffffffffc0a52518 RCX: ffffffff8c2668db
+[ 646.478118] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffffffffc0a52518
+[ 646.485641] RBP: ffffffffc0a52180 R08: fffffbfff814a4a4 R09: fffffbfff814a4a3
+[ 646.493164] R10: ffffffffc0a5251b R11: fffffbfff814a4a4 R12: 1ffff1006a9a6e0d
+[ 646.500687] R13: 00000000ffffffff R14: ffff880362bab890 R15: dead000000000100
+[ 646.508213] FS: 00007f4164c99800(0000) GS:ffff88036fe40000(0000) knlGS:0000000000000000
+[ 646.516961] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 646.523080] CR2: 00007f41638b8420 CR3: 0000000351df0004 CR4: 00000000001606e0
+[ 646.530595] Call Trace:
+[ 646.533408] ? find_symbol_in_section+0x260/0x260
+[ 646.538509] tcf_ife_cleanup+0x11b/0x200 [act_ife]
+[ 646.543695] tcf_action_cleanup+0x29/0xa0
+[ 646.548078] __tcf_action_put+0x5a/0xb0
+[ 646.552289] ? nla_put+0x65/0xe0
+[ 646.555889] __tcf_idr_release+0x48/0x60
+[ 646.560187] tcf_generic_walker+0x448/0x6b0
+[ 646.564764] ? tcf_action_dump_1+0x450/0x450
+[ 646.569411] ? __lock_is_held+0x84/0x110
+[ 646.573720] ? tcf_ife_walker+0x10c/0x20f [act_ife]
+[ 646.578982] tca_action_gd+0x972/0xc40
+[ 646.583129] ? tca_get_fill.constprop.17+0x250/0x250
+[ 646.588471] ? mark_lock+0xcf/0x980
+[ 646.592324] ? check_chain_key+0x140/0x1f0
+[ 646.596832] ? debug_show_all_locks+0x240/0x240
+[ 646.601839] ? memset+0x1f/0x40
+[ 646.605350] ? nla_parse+0xca/0x1a0
+[ 646.609217] tc_ctl_action+0x215/0x230
+[ 646.613339] ? tcf_action_add+0x220/0x220
+[ 646.617748] rtnetlink_rcv_msg+0x56a/0x6d0
+[ 646.622227] ? rtnl_fdb_del+0x3f0/0x3f0
+[ 646.626466] netlink_rcv_skb+0x18d/0x200
+[ 646.630752] ? rtnl_fdb_del+0x3f0/0x3f0
+[ 646.634959] ? netlink_ack+0x500/0x500
+[ 646.639106] netlink_unicast+0x2d0/0x370
+[ 646.643409] ? netlink_attachskb+0x340/0x340
+[ 646.648050] ? _copy_from_iter_full+0xe9/0x3e0
+[ 646.652870] ? import_iovec+0x11e/0x1c0
+[ 646.657083] netlink_sendmsg+0x3b9/0x6a0
+[ 646.661388] ? netlink_unicast+0x370/0x370
+[ 646.665877] ? netlink_unicast+0x370/0x370
+[ 646.670351] sock_sendmsg+0x6b/0x80
+[ 646.674212] ___sys_sendmsg+0x4a1/0x520
+[ 646.678443] ? copy_msghdr_from_user+0x210/0x210
+[ 646.683463] ? lock_downgrade+0x320/0x320
+[ 646.687849] ? debug_show_all_locks+0x240/0x240
+[ 646.692760] ? do_raw_spin_unlock+0xa2/0x130
+[ 646.697418] ? _raw_spin_unlock+0x24/0x30
+[ 646.701798] ? __handle_mm_fault+0x1819/0x1c10
+[ 646.706619] ? __pmd_alloc+0x320/0x320
+[ 646.710738] ? debug_show_all_locks+0x240/0x240
+[ 646.715649] ? restore_nameidata+0x7b/0xa0
+[ 646.720117] ? check_chain_key+0x140/0x1f0
+[ 646.724590] ? check_chain_key+0x140/0x1f0
+[ 646.729070] ? __fget_light+0xbc/0xd0
+[ 646.733121] ? __sys_sendmsg+0xd7/0x150
+[ 646.737329] __sys_sendmsg+0xd7/0x150
+[ 646.741359] ? __ia32_sys_shutdown+0x30/0x30
+[ 646.746003] ? up_read+0x53/0x90
+[ 646.749601] ? __do_page_fault+0x484/0x780
+[ 646.754105] ? do_syscall_64+0x1e/0x2c0
+[ 646.758320] do_syscall_64+0x72/0x2c0
+[ 646.762353] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 646.767776] RIP: 0033:0x7f4163872150
+[ 646.771713] Code: 8b 15 3c 7d 2b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb cd 66 0f 1f 44 00 00 83 3d b9 d5 2b 00 00 75 10 b8 2e 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be cd 00 00 48 89 04 24
+[ 646.791474] RSP: 002b:00007ffdef7d6b58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[ 646.799721] RAX: ffffffffffffffda RBX: 0000000000000024 RCX: 00007f4163872150
+[ 646.807240] RDX: 0000000000000000 RSI: 00007ffdef7d6bd0 RDI: 0000000000000003
+[ 646.814760] RBP: 000000005b8b9482 R08: 0000000000000001 R09: 0000000000000000
+[ 646.822286] R10: 00000000000005e7 R11: 0000000000000246 R12: 00007ffdef7dad20
+[ 646.829807] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000679bc0
+[ 646.837360] irq event stamp: 6083
+[ 646.841043] hardirqs last enabled at (6081): [<ffffffff8c220a7d>] __call_rcu+0x17d/0x500
+[ 646.849882] hardirqs last disabled at (6083): [<ffffffff8c004f06>] trace_hardirqs_off_thunk+0x1a/0x1c
+[ 646.859775] softirqs last enabled at (5968): [<ffffffff8d4004a1>] __do_softirq+0x4a1/0x6ee
+[ 646.868784] softirqs last disabled at (6082): [<ffffffffc0a78759>] tcf_ife_cleanup+0x39/0x200 [act_ife]
+[ 646.878845] ---[ end trace b1b8c12ffe51e657 ]---
+
+Fixes: 5ffe57da29b3 ("act_ife: fix a potential deadlock")
+Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ife.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_ife.c
++++ b/net/sched/act_ife.c
+@@ -324,6 +324,20 @@ static int __add_metainfo(const struct t
+ return ret;
+ }
+
++static int add_metainfo_and_get_ops(const struct tcf_meta_ops *ops,
++ struct tcf_ife_info *ife, u32 metaid,
++ bool exists)
++{
++ int ret;
++
++ if (!try_module_get(ops->owner))
++ return -ENOENT;
++ ret = __add_metainfo(ops, ife, metaid, NULL, 0, true, exists);
++ if (ret)
++ module_put(ops->owner);
++ return ret;
++}
++
+ static int add_metainfo(struct tcf_ife_info *ife, u32 metaid, void *metaval,
+ int len, bool exists)
+ {
+@@ -347,7 +361,7 @@ static int use_all_metadata(struct tcf_i
+
+ read_lock(&ife_mod_lock);
+ list_for_each_entry(o, &ifeoplist, list) {
+- rc = __add_metainfo(o, ife, o->metaid, NULL, 0, true, exists);
++ rc = add_metainfo_and_get_ops(o, ife, o->metaid, exists);
+ if (rc == 0)
+ installed += 1;
+ }
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Kees Cook <keescook@chromium.org>
+Date: Sat, 25 Aug 2018 22:58:01 -0700
+Subject: net: sched: Fix memory exposure from short TCA_U32_SEL
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 98c8f125fd8a6240ea343c1aa50a1be9047791b8 ]
+
+Via u32_change(), TCA_U32_SEL has an unspecified type in the netlink
+policy, so max length isn't enforced, only minimum. This means nkeys
+(from userspace) was being trusted without checking the actual size of
+nla_len(), which could lead to a memory over-read, and ultimately an
+exposure via a call to u32_dump(). Reachability is CAP_NET_ADMIN within
+a namespace.
+
+Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: netdev@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_u32.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/sched/cls_u32.c
++++ b/net/sched/cls_u32.c
+@@ -912,6 +912,7 @@ static int u32_change(struct net *net, s
+ struct nlattr *opt = tca[TCA_OPTIONS];
+ struct nlattr *tb[TCA_U32_MAX + 1];
+ u32 htid, flags = 0;
++ size_t sel_size;
+ int err;
+ #ifdef CONFIG_CLS_U32_PERF
+ size_t size;
+@@ -1074,8 +1075,13 @@ static int u32_change(struct net *net, s
+ }
+
+ s = nla_data(tb[TCA_U32_SEL]);
++ sel_size = struct_size(s, keys, s->nkeys);
++ if (nla_len(tb[TCA_U32_SEL]) < sel_size) {
++ err = -EINVAL;
++ goto erridr;
++ }
+
+- n = kzalloc(sizeof(*n) + s->nkeys*sizeof(struct tc_u32_key), GFP_KERNEL);
++ n = kzalloc(offsetof(typeof(*n), sel) + sel_size, GFP_KERNEL);
+ if (n == NULL) {
+ err = -ENOBUFS;
+ goto erridr;
+@@ -1090,7 +1096,7 @@ static int u32_change(struct net *net, s
+ }
+ #endif
+
+- memcpy(&n->sel, s, sizeof(*s) + s->nkeys*sizeof(struct tc_u32_key));
++ memcpy(&n->sel, s, sel_size);
+ RCU_INIT_POINTER(n->ht_up, ht);
+ n->handle = handle;
+ n->fshift = s->hmask ? ffs(ntohl(s->hmask)) - 1 : 0;
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+Date: Wed, 29 Aug 2018 12:46:08 -0700
+Subject: nfp: wait for posted reconfigs when disabling the device
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+[ Upstream commit 9ad716b95fd6c6be46a4f2d5936e514b5bcd744d ]
+
+To avoid leaking a running timer we need to wait for the
+posted reconfigs after netdev is unregistered. In common
+case the process of deinitializing the device will perform
+synchronous reconfigs which wait for posted requests, but
+especially with VXLAN ports being actively added and removed
+there can be a race condition leaving a timer running after
+adapter structure is freed leading to a crash.
+
+Add an explicit flush after deregistering and for a good
+measure a warning to check if timer is running just before
+structures are freed.
+
+Fixes: 3d780b926a12 ("nfp: add async reconfiguration mechanism")
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 48 +++++++++++++-------
+ 1 file changed, 33 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
+@@ -227,29 +227,16 @@ done:
+ spin_unlock_bh(&nn->reconfig_lock);
+ }
+
+-/**
+- * nfp_net_reconfig() - Reconfigure the firmware
+- * @nn: NFP Net device to reconfigure
+- * @update: The value for the update field in the BAR config
+- *
+- * Write the update word to the BAR and ping the reconfig queue. The
+- * poll until the firmware has acknowledged the update by zeroing the
+- * update word.
+- *
+- * Return: Negative errno on error, 0 on success
+- */
+-int nfp_net_reconfig(struct nfp_net *nn, u32 update)
++static void nfp_net_reconfig_sync_enter(struct nfp_net *nn)
+ {
+ bool cancelled_timer = false;
+ u32 pre_posted_requests;
+- int ret;
+
+ spin_lock_bh(&nn->reconfig_lock);
+
+ nn->reconfig_sync_present = true;
+
+ if (nn->reconfig_timer_active) {
+- del_timer(&nn->reconfig_timer);
+ nn->reconfig_timer_active = false;
+ cancelled_timer = true;
+ }
+@@ -258,14 +245,43 @@ int nfp_net_reconfig(struct nfp_net *nn,
+
+ spin_unlock_bh(&nn->reconfig_lock);
+
+- if (cancelled_timer)
++ if (cancelled_timer) {
++ del_timer_sync(&nn->reconfig_timer);
+ nfp_net_reconfig_wait(nn, nn->reconfig_timer.expires);
++ }
+
+ /* Run the posted reconfigs which were issued before we started */
+ if (pre_posted_requests) {
+ nfp_net_reconfig_start(nn, pre_posted_requests);
+ nfp_net_reconfig_wait(nn, jiffies + HZ * NFP_NET_POLL_TIMEOUT);
+ }
++}
++
++static void nfp_net_reconfig_wait_posted(struct nfp_net *nn)
++{
++ nfp_net_reconfig_sync_enter(nn);
++
++ spin_lock_bh(&nn->reconfig_lock);
++ nn->reconfig_sync_present = false;
++ spin_unlock_bh(&nn->reconfig_lock);
++}
++
++/**
++ * nfp_net_reconfig() - Reconfigure the firmware
++ * @nn: NFP Net device to reconfigure
++ * @update: The value for the update field in the BAR config
++ *
++ * Write the update word to the BAR and ping the reconfig queue. The
++ * poll until the firmware has acknowledged the update by zeroing the
++ * update word.
++ *
++ * Return: Negative errno on error, 0 on success
++ */
++int nfp_net_reconfig(struct nfp_net *nn, u32 update)
++{
++ int ret;
++
++ nfp_net_reconfig_sync_enter(nn);
+
+ nfp_net_reconfig_start(nn, update);
+ ret = nfp_net_reconfig_wait(nn, jiffies + HZ * NFP_NET_POLL_TIMEOUT);
+@@ -3609,6 +3625,7 @@ struct nfp_net *nfp_net_alloc(struct pci
+ */
+ void nfp_net_free(struct nfp_net *nn)
+ {
++ WARN_ON(timer_pending(&nn->reconfig_timer) || nn->reconfig_posted);
+ if (nn->dp.netdev)
+ free_netdev(nn->dp.netdev);
+ else
+@@ -3893,4 +3910,5 @@ void nfp_net_clean(struct nfp_net *nn)
+ return;
+
+ unregister_netdev(nn->dp.netdev);
++ nfp_net_reconfig_wait_posted(nn);
+ }
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Manish Chopra <manish.chopra@cavium.com>
+Date: Thu, 23 Aug 2018 13:20:52 -0700
+Subject: qlge: Fix netdev features configuration.
+
+From: Manish Chopra <manish.chopra@cavium.com>
+
+[ Upstream commit 6750c87074c5b534d82fdaabb1deb45b8f1f57de ]
+
+qlge_fix_features() is not supposed to modify hardware or
+driver state, rather it is supposed to only fix requested
+fetures bits. Currently qlge_fix_features() also goes for
+interface down and up unnecessarily if there is not even
+any change in features set.
+
+This patch changes/fixes following -
+
+1) Move reload of interface or device re-config from
+ qlge_fix_features() to qlge_set_features().
+2) Reload of interface in qlge_set_features() only if
+ relevant feature bit (NETIF_F_HW_VLAN_CTAG_RX) is changed.
+3) Get rid of qlge_fix_features() since driver is not really
+ required to fix any features bit.
+
+Signed-off-by: Manish <manish.chopra@cavium.com>
+Reviewed-by: Benjamin Poirier <bpoirier@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qlge/qlge_main.c | 23 ++++++++---------------
+ 1 file changed, 8 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qlge/qlge_main.c
++++ b/drivers/net/ethernet/qlogic/qlge/qlge_main.c
+@@ -2384,26 +2384,20 @@ static int qlge_update_hw_vlan_features(
+ return status;
+ }
+
+-static netdev_features_t qlge_fix_features(struct net_device *ndev,
+- netdev_features_t features)
+-{
+- int err;
+-
+- /* Update the behavior of vlan accel in the adapter */
+- err = qlge_update_hw_vlan_features(ndev, features);
+- if (err)
+- return err;
+-
+- return features;
+-}
+-
+ static int qlge_set_features(struct net_device *ndev,
+ netdev_features_t features)
+ {
+ netdev_features_t changed = ndev->features ^ features;
++ int err;
++
++ if (changed & NETIF_F_HW_VLAN_CTAG_RX) {
++ /* Update the behavior of vlan accel in the adapter */
++ err = qlge_update_hw_vlan_features(ndev, features);
++ if (err)
++ return err;
+
+- if (changed & NETIF_F_HW_VLAN_CTAG_RX)
+ qlge_vlan_mode(ndev, features);
++ }
+
+ return 0;
+ }
+@@ -4719,7 +4713,6 @@ static const struct net_device_ops qlge_
+ .ndo_set_mac_address = qlge_set_mac_address,
+ .ndo_validate_addr = eth_validate_addr,
+ .ndo_tx_timeout = qlge_tx_timeout,
+- .ndo_fix_features = qlge_fix_features,
+ .ndo_set_features = qlge_set_features,
+ .ndo_vlan_rx_add_vid = qlge_vlan_rx_add_vid,
+ .ndo_vlan_rx_kill_vid = qlge_vlan_rx_kill_vid,
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Mon, 20 Aug 2018 12:43:51 +0800
+Subject: r8152: disable RX aggregation on new Dell TB16 dock
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 176eb614b118c96e7797f5ddefd10708c316f621 ]
+
+There's a new Dell TB16 dock with a different iSerialNumber.
+
+Apply the same fix from commit 0b1655143df0 ("r8152: disable RX
+aggregation on Dell TB16 dock") to this model.
+
+BugLink: https://bugs.launchpad.net/bugs/1785780
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/r8152.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -5214,8 +5214,8 @@ static int rtl8152_probe(struct usb_inte
+ netdev->hw_features &= ~NETIF_F_RXCSUM;
+ }
+
+- if (le16_to_cpu(udev->descriptor.bcdDevice) == 0x3011 &&
+- udev->serial && !strcmp(udev->serial, "000001000000")) {
++ if (le16_to_cpu(udev->descriptor.bcdDevice) == 0x3011 && udev->serial &&
++ (!strcmp(udev->serial, "000001000000") || !strcmp(udev->serial, "000002000000"))) {
+ dev_info(&udev->dev, "Dell TB16 Dock, disable RX aggregation");
+ set_bit(DELL_TB_RX_AGG_BUG, &tp->flags);
+ }
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Anthony Wong <anthony.wong@ubuntu.com>
+Date: Fri, 31 Aug 2018 20:06:42 +0800
+Subject: r8169: add support for NCube 8168 network card
+
+From: Anthony Wong <anthony.wong@ubuntu.com>
+
+[ Upstream commit 9fd0e09a4e86499639653243edfcb417a05c5c46 ]
+
+This card identifies itself as:
+ Ethernet controller [0200]: NCube Device [10ff:8168] (rev 06)
+ Subsystem: TP-LINK Technologies Co., Ltd. Device [7470:3468]
+
+Adding a new entry to rtl8169_pci_tbl makes the card work.
+
+Link: http://launchpad.net/bugs/1788730
+Signed-off-by: Anthony Wong <anthony.wong@ubuntu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169.c | 1 +
+ include/linux/pci_ids.h | 2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -303,6 +303,7 @@ static const struct pci_device_id rtl816
+ { PCI_DEVICE(PCI_VENDOR_ID_REALTEK, 0x8161), 0, 0, RTL_CFG_1 },
+ { PCI_DEVICE(PCI_VENDOR_ID_REALTEK, 0x8167), 0, 0, RTL_CFG_0 },
+ { PCI_DEVICE(PCI_VENDOR_ID_REALTEK, 0x8168), 0, 0, RTL_CFG_1 },
++ { PCI_DEVICE(PCI_VENDOR_ID_NCUBE, 0x8168), 0, 0, RTL_CFG_1 },
+ { PCI_DEVICE(PCI_VENDOR_ID_REALTEK, 0x8169), 0, 0, RTL_CFG_0 },
+ { PCI_VENDOR_ID_DLINK, 0x4300,
+ PCI_VENDOR_ID_DLINK, 0x4b10, 0, 0, RTL_CFG_1 },
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -3082,4 +3082,6 @@
+
+ #define PCI_VENDOR_ID_OCZ 0x1b85
+
++#define PCI_VENDOR_ID_NCUBE 0x10ff
++
+ #endif /* _LINUX_PCI_IDS_H */
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Azat Khuzhin <a3at.mail@gmail.com>
+Date: Sun, 26 Aug 2018 17:03:09 +0300
+Subject: r8169: set RxConfig after tx/rx is enabled for RTL8169sb/8110sb devices
+
+From: Azat Khuzhin <a3at.mail@gmail.com>
+
+[ Upstream commit 05212ba8132b42047ab5d63d759c6f9c28e7eab5 ]
+
+I have two Ethernet adapters:
+ r8169 0000:03:01.0 eth0: RTL8169sb/8110sb, 00:14:d1:14:2d:49, XID 10000000, IRQ 18
+ r8169 0000:01:00.0 eth0: RTL8168e/8111e, 64:66:b3:11:14:5d, XID 2c200000, IRQ 30
+And after upgrading from linux 4.15 [1] to linux 4.18+ [2] RTL8169sb failed to
+receive any packets. tcpdump shows a lot of checksum mismatch.
+
+ [1]: a0f79386a4968b4925da6db2d1daffd0605a4402
+ [2]: 0519359784328bfa92bf0931bf0cff3b58c16932 (4.19 merge window opened)
+
+I started bisecting and the found that [3] breaks it. According to [4]:
+ "For 8110S, 8110SB, and 8110SC series, the initial value of RxConfig
+ needs to be set after the tx/rx is enabled."
+So I moved rtl_init_rxcfg() after enabling tx/rs and now my adapter works
+(RTL8168e works too).
+
+ [3]: 3559d81e76bfe3803e89f2e04cf6ef7ab4f3aace
+ [4]: e542a2269f232d61270ceddd42b73a4348dee2bb ("r8169: adjust the RxConfig
+settings.")
+
+Also drop "rx" from rtl_set_rx_tx_config_registers(), since it does nothing
+with it already.
+
+Fixes: 3559d81e76bfe3803e89f2e04cf6ef7ab4f3aace ("r8169: simplify
+rtl_hw_start_8169")
+
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: netdev@vger.kernel.org
+Cc: Realtek linux nic maintainers <nic_swsd@realtek.com>
+Signed-off-by: Azat Khuzhin <a3at.mail@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -5039,7 +5039,7 @@ static void rtl8169_hw_reset(struct rtl8
+ rtl_hw_reset(tp);
+ }
+
+-static void rtl_set_rx_tx_config_registers(struct rtl8169_private *tp)
++static void rtl_set_tx_config_registers(struct rtl8169_private *tp)
+ {
+ /* Set DMA burst size and Interframe Gap Time */
+ RTL_W32(tp, TxConfig, (TX_DMA_BURST << TxDMAShift) |
+@@ -5150,12 +5150,14 @@ static void rtl_hw_start(struct rtl8169
+
+ rtl_set_rx_max_size(tp);
+ rtl_set_rx_tx_desc_registers(tp);
+- rtl_set_rx_tx_config_registers(tp);
++ rtl_set_tx_config_registers(tp);
+ RTL_W8(tp, Cfg9346, Cfg9346_Lock);
+
+ /* Initially a 10 us delay. Turned it into a PCI commit. - FR */
+ RTL_R8(tp, IntrMask);
+ RTL_W8(tp, ChipCmd, CmdTxEnb | CmdRxEnb);
++ rtl_init_rxcfg(tp);
++
+ rtl_set_rx_mode(tp->dev);
+ /* no early-rx interrupts */
+ RTL_W16(tp, MultiIntr, RTL_R16(tp, MultiIntr) & 0xf000);
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Fri, 24 Aug 2018 11:04:40 +0200
+Subject: Revert "net: stmmac: Do not keep rearming the coalesce timer in stmmac_xmit"
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit e5133f2f1261f8ab412e7fc5e3694c9f84328f89 ]
+
+This reverts commit 4ae0169fd1b3c792b66be58995b7e6b629919ecf.
+
+This change in the handling of the coalesce timer is causing regression on
+(at least) amlogic platforms.
+
+Network will break down very quickly (a few seconds) after starting
+a download. This can easily be reproduced using iperf3 for example.
+
+The problem has been reported on the S805, S905, S912 and A113 SoCs
+(Realtek and Micrel PHYs) and it is likely impacting all Amlogics
+platforms using Gbit ethernet
+
+No problem was seen with the platform using 10/100 only PHYs (GXL internal)
+
+Reverting change brings things back to normal and allows to use network
+again until we better understand the problem with the coalesce timer.
+
+Cc: Jose Abreu <joabreu@synopsys.com>
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: Vitor Soares <soares@synopsys.com>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Cc: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac.h | 1 -
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +----
+ 2 files changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h
+@@ -112,7 +112,6 @@ struct stmmac_priv {
+ u32 tx_count_frames;
+ u32 tx_coal_frames;
+ u32 tx_coal_timer;
+- bool tx_timer_armed;
+
+ int tx_coalesce;
+ int hwts_tx_en;
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3126,16 +3126,13 @@ static netdev_tx_t stmmac_xmit(struct sk
+ * element in case of no SG.
+ */
+ priv->tx_count_frames += nfrags + 1;
+- if (likely(priv->tx_coal_frames > priv->tx_count_frames) &&
+- !priv->tx_timer_armed) {
++ if (likely(priv->tx_coal_frames > priv->tx_count_frames)) {
+ mod_timer(&priv->txtimer,
+ STMMAC_COAL_TIMER(priv->tx_coal_timer));
+- priv->tx_timer_armed = true;
+ } else {
+ priv->tx_count_frames = 0;
+ stmmac_set_tx_ic(priv, desc);
+ priv->xstats.tx_set_ic_bit++;
+- priv->tx_timer_armed = false;
+ }
+
+ skb_tx_timestamp(skb);
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 27 Aug 2018 18:38:31 +0800
+Subject: sctp: hold transport before accessing its asoc in sctp_transport_get_next
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit bab1be79a5169ac748d8292b20c86d874022d7ba ]
+
+As Marcelo noticed, in sctp_transport_get_next, it is iterating over
+transports but then also accessing the association directly, without
+checking any refcnts before that, which can cause an use-after-free
+Read.
+
+So fix it by holding transport before accessing the association. With
+that, sctp_transport_hold calls can be removed in the later places.
+
+Fixes: 626d16f50f39 ("sctp: export some apis or variables for sctp_diag and reuse some for proc")
+Reported-by: syzbot+fe62a0c9aa6a85c6de16@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/proc.c | 4 ----
+ net/sctp/socket.c | 22 +++++++++++++++-------
+ 2 files changed, 15 insertions(+), 11 deletions(-)
+
+--- a/net/sctp/proc.c
++++ b/net/sctp/proc.c
+@@ -260,8 +260,6 @@ static int sctp_assocs_seq_show(struct s
+ }
+
+ transport = (struct sctp_transport *)v;
+- if (!sctp_transport_hold(transport))
+- return 0;
+ assoc = transport->asoc;
+ epb = &assoc->base;
+ sk = epb->sk;
+@@ -318,8 +316,6 @@ static int sctp_remaddr_seq_show(struct
+ }
+
+ transport = (struct sctp_transport *)v;
+- if (!sctp_transport_hold(transport))
+- return 0;
+ assoc = transport->asoc;
+
+ list_for_each_entry_rcu(tsp, &assoc->peer.transport_addr_list,
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4881,9 +4881,14 @@ struct sctp_transport *sctp_transport_ge
+ break;
+ }
+
++ if (!sctp_transport_hold(t))
++ continue;
++
+ if (net_eq(sock_net(t->asoc->base.sk), net) &&
+ t->asoc->peer.primary_path == t)
+ break;
++
++ sctp_transport_put(t);
+ }
+
+ return t;
+@@ -4893,13 +4898,18 @@ struct sctp_transport *sctp_transport_ge
+ struct rhashtable_iter *iter,
+ int pos)
+ {
+- void *obj = SEQ_START_TOKEN;
++ struct sctp_transport *t;
++
++ if (!pos)
++ return SEQ_START_TOKEN;
+
+- while (pos && (obj = sctp_transport_get_next(net, iter)) &&
+- !IS_ERR(obj))
+- pos--;
++ while ((t = sctp_transport_get_next(net, iter)) && !IS_ERR(t)) {
++ if (!--pos)
++ break;
++ sctp_transport_put(t);
++ }
+
+- return obj;
++ return t;
+ }
+
+ int sctp_for_each_endpoint(int (*cb)(struct sctp_endpoint *, void *),
+@@ -4958,8 +4968,6 @@ again:
+
+ tsp = sctp_transport_get_idx(net, &hti, *pos + 1);
+ for (; !IS_ERR_OR_NULL(tsp); tsp = sctp_transport_get_next(net, &hti)) {
+- if (!sctp_transport_hold(tsp))
+- continue;
+ ret = cb(tsp, p);
+ if (ret)
+ break;
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 27 Aug 2018 18:40:18 +0800
+Subject: sctp: remove useless start_fail from sctp_ht_iter in proc
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 834539e69a5fe2aab33cc777ccfd4a4fcc5b9770 ]
+
+After changing rhashtable_walk_start to return void, start_fail would
+never be set other value than 0, and the checking for start_fail is
+pointless, so remove it.
+
+Fixes: 97a6ec4ac021 ("rhashtable: Change rhashtable_walk_start to return void")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/proc.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/net/sctp/proc.c
++++ b/net/sctp/proc.c
+@@ -215,7 +215,6 @@ static const struct seq_operations sctp_
+ struct sctp_ht_iter {
+ struct seq_net_private p;
+ struct rhashtable_iter hti;
+- int start_fail;
+ };
+
+ static void *sctp_transport_seq_start(struct seq_file *seq, loff_t *pos)
+@@ -224,7 +223,6 @@ static void *sctp_transport_seq_start(st
+
+ sctp_transport_walk_start(&iter->hti);
+
+- iter->start_fail = 0;
+ return sctp_transport_get_idx(seq_file_net(seq), &iter->hti, *pos);
+ }
+
+@@ -232,8 +230,6 @@ static void sctp_transport_seq_stop(stru
+ {
+ struct sctp_ht_iter *iter = seq->private;
+
+- if (iter->start_fail)
+- return;
+ sctp_transport_walk_stop(&iter->hti);
+ }
+
+act_ife-fix-a-potential-use-after-free.patch
+ipv4-tcp-send-zero-ipid-for-rst-and-ack-sent-in-syn-recv-and-time-wait-state.patch
+net-bcmgenet-use-mac-link-status-for-fixed-phy.patch
+net-macb-do-not-disable-mdio-bus-at-open-close-time.patch
+net-sched-fix-memory-exposure-from-short-tca_u32_sel.patch
+qlge-fix-netdev-features-configuration.patch
+r8152-disable-rx-aggregation-on-new-dell-tb16-dock.patch
+r8169-add-support-for-ncube-8168-network-card.patch
+tcp-do-not-restart-timewait-timer-on-rst-reception.patch
+vti6-remove-skb-ignore_df-check-from-vti6_xmit.patch
+act_ife-move-tcfa_lock-down-to-where-necessary.patch
+act_ife-fix-a-potential-deadlock.patch
+net-sched-action_ife-take-reference-to-meta-module.patch
+bnxt_en-clean-up-unused-functions.patch
+bnxt_en-do-not-adjust-max_cp_rings-by-the-ones-used-by-rdma.patch
+net-sched-act_pedit-fix-dump-of-extended-layered-op.patch
+tipc-fix-a-missing-rhashtable_walk_exit.patch
+hv_netvsc-fix-a-deadlock-by-getting-rtnl-lock-earlier-in-netvsc_probe.patch
+tipc-fix-the-big-little-endian-issue-in-tipc_dest.patch
+sctp-remove-useless-start_fail-from-sctp_ht_iter-in-proc.patch
+erspan-set-erspan_ver-to-1-by-default-when-adding-an-erspan-dev.patch
+net-macb-fix-regression-breaking-non-mdio-fixed-link-phys.patch
+ipv6-don-t-get-lwtstate-twice-in-ip6_rt_copy_init.patch
+net-ipv6-init-ip6-anycast-rt-dst.input-as-ip6_input.patch
+net-ipv6-only-update-mtu-metric-if-it-set.patch
+net-ipv6-put-lwtstate-when-destroying-fib6_info.patch
+net-mlx5-fix-sq-offset-in-qps-with-small-rq.patch
+r8169-set-rxconfig-after-tx-rx-is-enabled-for-rtl8169sb-8110sb-devices.patch
+revert-net-stmmac-do-not-keep-rearming-the-coalesce-timer-in-stmmac_xmit.patch
+ip6_vti-fix-creating-fallback-tunnel-device-for-vti6.patch
+ip6_vti-fix-a-null-pointer-deference-when-destroy-vti6-tunnel.patch
+nfp-wait-for-posted-reconfigs-when-disabling-the-device.patch
+sctp-hold-transport-before-accessing-its-asoc-in-sctp_transport_get_next.patch
+mlxsw-spectrum_switchdev-do-not-leak-rifs-when-removing-bridge.patch
+vhost-correctly-check-the-iova-range-when-waking-virtqueue.patch
+hv_netvsc-ignore-devices-that-are-not-pci.patch
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 30 Aug 2018 14:24:29 +0200
+Subject: tcp: do not restart timewait timer on rst reception
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 63cc357f7bba6729869565a12df08441a5995d9a ]
+
+RFC 1337 says:
+ ''Ignore RST segments in TIME-WAIT state.
+ If the 2 minute MSL is enforced, this fix avoids all three hazards.''
+
+So with net.ipv4.tcp_rfc1337=1, expected behaviour is to have TIME-WAIT sk
+expire rather than removing it instantly when a reset is received.
+
+However, Linux will also re-start the TIME-WAIT timer.
+
+This causes connect to fail when tying to re-use ports or very long
+delays (until syn retry interval exceeds MSL).
+
+packetdrill test case:
+// Demonstrate bogus rearming of TIME-WAIT timer in rfc1337 mode.
+`sysctl net.ipv4.tcp_rfc1337=1`
+
+0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0.000 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0.000 bind(3, ..., ...) = 0
+0.000 listen(3, 1) = 0
+
+0.100 < S 0:0(0) win 29200 <mss 1460,nop,nop,sackOK,nop,wscale 7>
+0.100 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 7>
+0.200 < . 1:1(0) ack 1 win 257
+0.200 accept(3, ..., ...) = 4
+
+// Receive first segment
+0.310 < P. 1:1001(1000) ack 1 win 46
+
+// Send one ACK
+0.310 > . 1:1(0) ack 1001
+
+// read 1000 byte
+0.310 read(4, ..., 1000) = 1000
+
+// Application writes 100 bytes
+0.350 write(4, ..., 100) = 100
+0.350 > P. 1:101(100) ack 1001
+
+// ACK
+0.500 < . 1001:1001(0) ack 101 win 257
+
+// close the connection
+0.600 close(4) = 0
+0.600 > F. 101:101(0) ack 1001 win 244
+
+// Our side is in FIN_WAIT_1 & waits for ack to fin
+0.7 < . 1001:1001(0) ack 102 win 244
+
+// Our side is in FIN_WAIT_2 with no outstanding data.
+0.8 < F. 1001:1001(0) ack 102 win 244
+0.8 > . 102:102(0) ack 1002 win 244
+
+// Our side is now in TIME_WAIT state, send ack for fin.
+0.9 < F. 1002:1002(0) ack 102 win 244
+0.9 > . 102:102(0) ack 1002 win 244
+
+// Peer reopens with in-window SYN:
+1.000 < S 1000:1000(0) win 9200 <mss 1460,nop,nop,sackOK,nop,wscale 7>
+
+// Therefore, reply with ACK.
+1.000 > . 102:102(0) ack 1002 win 244
+
+// Peer sends RST for this ACK. Normally this RST results
+// in tw socket removal, but rfc1337=1 setting prevents this.
+1.100 < R 1002:1002(0) win 244
+
+// second syn. Due to rfc1337=1 expect another pure ACK.
+31.0 < S 1000:1000(0) win 9200 <mss 1460,nop,nop,sackOK,nop,wscale 7>
+31.0 > . 102:102(0) ack 1002 win 244
+
+// .. and another RST from peer.
+31.1 < R 1002:1002(0) win 244
+31.2 `echo no timer restart;ss -m -e -a -i -n -t -o state TIME-WAIT`
+
+// third syn after one minute. Time-Wait socket should have expired by now.
+63.0 < S 1000:1000(0) win 9200 <mss 1460,nop,nop,sackOK,nop,wscale 7>
+
+// so we expect a syn-ack & 3whs to proceed from here on.
+63.0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 7>
+
+Without this patch, 'ss' shows restarts of tw timer and last packet is
+thus just another pure ack, more than one minute later.
+
+This restores the original code from commit 283fd6cf0be690a83
+("Merge in ANK networking jumbo patch") in netdev-vger-cvs.git .
+
+For some reason the else branch was removed/lost in 1f28b683339f7
+("Merge in TCP/UDP optimizations and [..]") and timer restart became
+unconditional.
+
+Reported-by: Michal Tesar <mtesar@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_minisocks.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_minisocks.c
++++ b/net/ipv4/tcp_minisocks.c
+@@ -184,8 +184,9 @@ kill:
+ inet_twsk_deschedule_put(tw);
+ return TCP_TW_SUCCESS;
+ }
++ } else {
++ inet_twsk_reschedule(tw, TCP_TIMEWAIT_LEN);
+ }
+- inet_twsk_reschedule(tw, TCP_TIMEWAIT_LEN);
+
+ if (tmp_opt.saw_tstamp) {
+ tcptw->tw_ts_recent = tmp_opt.rcv_tsval;
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 23 Aug 2018 16:19:44 -0700
+Subject: tipc: fix a missing rhashtable_walk_exit()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit bd583fe30427500a2d0abe25724025b1cb5e2636 ]
+
+rhashtable_walk_exit() must be paired with rhashtable_walk_enter().
+
+Fixes: 40f9f4397060 ("tipc: Fix tipc_sk_reinit race conditions")
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2675,6 +2675,8 @@ void tipc_sk_reinit(struct net *net)
+
+ rhashtable_walk_stop(&iter);
+ } while (tsk == ERR_PTR(-EAGAIN));
++
++ rhashtable_walk_exit(&iter);
+ }
+
+ static struct tipc_sock *tipc_sk_lookup(struct net *net, u32 portid)
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Haiqing Bai <Haiqing.Bai@windriver.com>
+Date: Mon, 27 Aug 2018 09:32:26 +0800
+Subject: tipc: fix the big/little endian issue in tipc_dest
+
+From: Haiqing Bai <Haiqing.Bai@windriver.com>
+
+[ Upstream commit 30935198b7d0be12b1c45c328b66a7fdefb16256 ]
+
+In function tipc_dest_push, the 32bit variables 'node' and 'port'
+are stored separately in uppper and lower part of 64bit 'value'.
+Then this value is assigned to dst->value which is a union like:
+union
+{
+ struct {
+ u32 port;
+ u32 node;
+ };
+ u64 value;
+}
+This works on little-endian machines like x86 but fails on big-endian
+machines.
+
+The fix remove the 'value' stack parameter and even the 'value'
+member of the union in tipc_dest, assign the 'node' and 'port' member
+directly with the input parameter to avoid the endian issue.
+
+Fixes: a80ae5306a73 ("tipc: improve destination linked list")
+Signed-off-by: Zhenbo Gao <zhenbo.gao@windriver.com>
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/name_table.c | 10 ++++------
+ net/tipc/name_table.h | 9 ++-------
+ 2 files changed, 6 insertions(+), 13 deletions(-)
+
+--- a/net/tipc/name_table.c
++++ b/net/tipc/name_table.c
+@@ -980,20 +980,17 @@ int tipc_nl_name_table_dump(struct sk_bu
+
+ struct tipc_dest *tipc_dest_find(struct list_head *l, u32 node, u32 port)
+ {
+- u64 value = (u64)node << 32 | port;
+ struct tipc_dest *dst;
+
+ list_for_each_entry(dst, l, list) {
+- if (dst->value != value)
+- continue;
+- return dst;
++ if (dst->node == node && dst->port == port)
++ return dst;
+ }
+ return NULL;
+ }
+
+ bool tipc_dest_push(struct list_head *l, u32 node, u32 port)
+ {
+- u64 value = (u64)node << 32 | port;
+ struct tipc_dest *dst;
+
+ if (tipc_dest_find(l, node, port))
+@@ -1002,7 +999,8 @@ bool tipc_dest_push(struct list_head *l,
+ dst = kmalloc(sizeof(*dst), GFP_ATOMIC);
+ if (unlikely(!dst))
+ return false;
+- dst->value = value;
++ dst->node = node;
++ dst->port = port;
+ list_add(&dst->list, l);
+ return true;
+ }
+--- a/net/tipc/name_table.h
++++ b/net/tipc/name_table.h
+@@ -133,13 +133,8 @@ void tipc_nametbl_stop(struct net *net);
+
+ struct tipc_dest {
+ struct list_head list;
+- union {
+- struct {
+- u32 port;
+- u32 node;
+- };
+- u64 value;
+- };
++ u32 port;
++ u32 node;
+ };
+
+ struct tipc_dest *tipc_dest_find(struct list_head *l, u32 node, u32 port);
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 24 Aug 2018 16:53:13 +0800
+Subject: vhost: correctly check the iova range when waking virtqueue
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit 2d66f997f0545c8f7fc5cf0b49af1decb35170e7 ]
+
+We don't wakeup the virtqueue if the first byte of pending iova range
+is the last byte of the range we just got updated. This will lead a
+virtqueue to wait for IOTLB updating forever. Fixing by correct the
+check and wake up the virtqueue in this case.
+
+Fixes: 6b1e6cc7855b ("vhost: new device IOTLB API")
+Reported-by: Peter Xu <peterx@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Tested-by: Peter Xu <peterx@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -951,7 +951,7 @@ static void vhost_iotlb_notify_vq(struct
+ list_for_each_entry_safe(node, n, &d->pending_list, node) {
+ struct vhost_iotlb_msg *vq_msg = &node->msg.iotlb;
+ if (msg->iova <= vq_msg->iova &&
+- msg->iova + msg->size - 1 > vq_msg->iova &&
++ msg->iova + msg->size - 1 >= vq_msg->iova &&
+ vq_msg->type == VHOST_IOTLB_MISS) {
+ vhost_poll_queue(&node->vq->poll);
+ list_del(&node->node);
--- /dev/null
+From foo@baz Tue Sep 11 10:24:52 CEST 2018
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Date: Thu, 23 Aug 2018 19:49:54 +0300
+Subject: vti6: remove !skb->ignore_df check from vti6_xmit()
+
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+
+[ Upstream commit 9f2895461439fda2801a7906fb4c5fb3dbb37a0a ]
+
+Before the commit d6990976af7c ("vti6: fix PMTU caching and reporting
+on xmit") '!skb->ignore_df' check was always true because the function
+skb_scrub_packet() was called before it, resetting ignore_df to zero.
+
+In the commit, skb_scrub_packet() was moved below, and now this check
+can be false for the packet, e.g. when sending it in the two fragments,
+this prevents successful PMTU updates in such case. The next attempts
+to send the packet lead to the same tx error. Moreover, vti6 initial
+MTU value relies on PMTU adjustments.
+
+This issue can be reproduced with the following LTP test script:
+ udp_ipsec_vti.sh -6 -p ah -m tunnel -s 2000
+
+Fixes: ccd740cbc6e0 ("vti6: Add pmtu handling to vti6_xmit.")
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_vti.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -481,7 +481,7 @@ vti6_xmit(struct sk_buff *skb, struct ne
+ }
+
+ mtu = dst_mtu(dst);
+- if (!skb->ignore_df && skb->len > mtu) {
++ if (skb->len > mtu) {
+ skb_dst_update_pmtu(skb, mtu);
+
+ if (skb->protocol == htons(ETH_P_IPV6)) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
