fixes for 4.4
authorSasha Levin <sashal@kernel.org>
Thu, 23 May 2019 16:25:48 +0000 (12:25 -0400)
committerSasha Levin <sashal@kernel.org>
Thu, 23 May 2019 16:27:22 +0000 (12:27 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.4/kvm-arm-arm64-ensure-vcpu-target-is-unset-on-reset-f.patch [new file with mode: 0644]
queue-4.4/perf-bench-numa-add-define-for-rusage_thread-if-not-.patch [new file with mode: 0644]
queue-4.4/power-supply-sysfs-prevent-endless-uevent-loop-with-.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-ufs-.patch [new file with mode: 0644]
queue-4.4/vti4-ipip-tunnel-deregistration-fixes.patch [new file with mode: 0644]
queue-4.4/xfrm-policy-fix-out-of-bound-array-accesses-in-__xfr.patch [new file with mode: 0644]
queue-4.4/xfrm4-fix-uninitialized-memory-read-in-_decode_sessi.patch [new file with mode: 0644]
queue-4.4/xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm.patch [new file with mode: 0644]

diff --git a/queue-4.4/kvm-arm-arm64-ensure-vcpu-target-is-unset-on-reset-f.patch b/queue-4.4/kvm-arm-arm64-ensure-vcpu-target-is-unset-on-reset-f.patch
new file mode 100644 (file)
index 0000000..2644c35
--- /dev/null
@@ -0,0 +1,55 @@
+From 78e1a6eecafb6c58c0cd4b1455c9ba17345f0fc7 Mon Sep 17 00:00:00 2001
+From: Andrew Jones <drjones@redhat.com>
+Date: Thu, 4 Apr 2019 19:42:30 +0200
+Subject: KVM: arm/arm64: Ensure vcpu target is unset on reset failure
+
+[ Upstream commit 811328fc3222f7b55846de0cd0404339e2e1e6d7 ]
+
+A failed KVM_ARM_VCPU_INIT should not set the vcpu target,
+as the vcpu target is used by kvm_vcpu_initialized() to
+determine if other vcpu ioctls may proceed. We need to set
+the target before calling kvm_reset_vcpu(), but if that call
+fails, we should then unset it and clear the feature bitmap
+while we're at it.
+
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+[maz: Simplified patch, completed commit message]
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/kvm/arm.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
+index d7bef2144760c..e96ddc599c303 100644
+--- a/arch/arm/kvm/arm.c
++++ b/arch/arm/kvm/arm.c
+@@ -744,7 +744,7 @@ int kvm_vm_ioctl_irq_line(struct kvm *kvm, struct kvm_irq_level *irq_level,
+ static int kvm_vcpu_set_target(struct kvm_vcpu *vcpu,
+                              const struct kvm_vcpu_init *init)
+ {
+-      unsigned int i;
++      unsigned int i, ret;
+       int phys_target = kvm_target_cpu();
+       if (init->target != phys_target)
+@@ -779,9 +779,14 @@ static int kvm_vcpu_set_target(struct kvm_vcpu *vcpu,
+       vcpu->arch.target = phys_target;
+       /* Now we know what it is, we can reset it. */
+-      return kvm_reset_vcpu(vcpu);
+-}
++      ret = kvm_reset_vcpu(vcpu);
++      if (ret) {
++              vcpu->arch.target = -1;
++              bitmap_zero(vcpu->arch.features, KVM_VCPU_MAX_FEATURES);
++      }
++      return ret;
++}
+ static int kvm_arch_vcpu_ioctl_vcpu_init(struct kvm_vcpu *vcpu,
+                                        struct kvm_vcpu_init *init)
+-- 
+2.20.1
+
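Review bot: `ret` is declared `unsigned int` on the new `unsigned int i, ret;` line, yet it receives the `int` result of kvm_reset_vcpu() and is returned from kvm_vcpu_set_target(), whose return type is `int`, so a negative error code round-trips through an unsigned variable. The `if (ret)` test still works and the conversion back is two's-complement in practice (implementation-defined in C11), but it is misleading and a -Wsign-conversion hit; declare it separately as `int ret;`. The failure branch also deserves a why-comment, e.g. `/* leave target unset so kvm_vcpu_initialized() keeps rejecting other vcpu ioctls */`, since that is the invariant the commit message relies on. The middle of kvm_vcpu_set_target between the two hunks is not shown.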
diff --git a/queue-4.4/perf-bench-numa-add-define-for-rusage_thread-if-not-.patch b/queue-4.4/perf-bench-numa-add-define-for-rusage_thread-if-not-.patch
new file mode 100644 (file)
index 0000000..0f4cf33
--- /dev/null
@@ -0,0 +1,69 @@
+From 7589a886eef9b660d7bc35d58597ffb0972223f6 Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Thu, 25 Apr 2019 18:36:51 -0300
+Subject: perf bench numa: Add define for RUSAGE_THREAD if not present
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit bf561d3c13423fc54daa19b5d49dc15fafdb7acc ]
+
+While cross building perf to the ARC architecture on a fedora 30 host,
+we were failing with:
+
+      CC       /tmp/build/perf/bench/numa.o
+  bench/numa.c: In function ‘worker_thread’:
+  bench/numa.c:1261:12: error: ‘RUSAGE_THREAD’ undeclared (first use in this function); did you mean ‘SIGEV_THREAD’?
+    getrusage(RUSAGE_THREAD, &rusage);
+              ^~~~~~~~~~~~~
+              SIGEV_THREAD
+  bench/numa.c:1261:12: note: each undeclared identifier is reported only once for each function it appears in
+
+[perfbuilder@60d5802468f6 perf]$ /arc_gnu_2019.03-rc1_prebuilt_uclibc_le_archs_linux_install/bin/arc-linux-gcc --version | head -1
+arc-linux-gcc (ARCv2 ISA Linux uClibc toolchain 2019.03-rc1) 8.3.1 20190225
+[perfbuilder@60d5802468f6 perf]$
+
+Trying to reproduce a report by Vineet, I noticed that, with just
+cross-built zlib and numactl libraries, I ended up with the above
+failure.
+
+So, since RUSAGE_THREAD is available as a define, check for that and
+numactl libraries, I ended up with the above failure.
+
+So, since RUSAGE_THREAD is available as a define in the system headers,
+check if it is defined in the 'perf bench numa' sources and define it if
+not.
+
+Now it builds and I have to figure out if the problem reported by Vineet
+only takes place if we have libelf or some other library available.
+
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: linux-snps-arc@lists.infradead.org
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Vineet Gupta <Vineet.Gupta1@synopsys.com>
+Link: https://lkml.kernel.org/n/tip-2wb4r1gir9xrevbpq7qp0amk@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/bench/numa.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c
+index 73d192f57dc34..df41deed0320e 100644
+--- a/tools/perf/bench/numa.c
++++ b/tools/perf/bench/numa.c
+@@ -32,6 +32,10 @@
+ #include <numa.h>
+ #include <numaif.h>
++#ifndef RUSAGE_THREAD
++# define RUSAGE_THREAD 1
++#endif
++
+ /*
+  * Regular printout to the terminal, supressed if -q is specified:
+  */
+-- 
+2.20.1
+
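Review bot: The fallback `# define RUSAGE_THREAD 1` hard-codes a kernel ABI value with no indication of where it comes from, so a reader of bench/numa.c cannot tell whether 1 is authoritative or a guess. A one-line comment above the `#ifndef`, such as `/* Linux getrusage(2) who-value; some libc headers (the uClibc toolchain in the log) do not define it */`, makes the constant traceable; alternatively pull it from the kernel's UAPI resource header if that is reachable from the tools build, which I cannot confirm from the hunk.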
diff --git a/queue-4.4/power-supply-sysfs-prevent-endless-uevent-loop-with-.patch b/queue-4.4/power-supply-sysfs-prevent-endless-uevent-loop-with-.patch
new file mode 100644 (file)
index 0000000..de9cd82
--- /dev/null
@@ -0,0 +1,68 @@
+From c3def3c3d3fee8e0d35154554f83635a97542085 Mon Sep 17 00:00:00 2001
+From: Andrey Smirnov <andrew.smirnov@gmail.com>
+Date: Wed, 24 Apr 2019 00:16:10 -0700
+Subject: power: supply: sysfs: prevent endless uevent loop with
+ CONFIG_POWER_SUPPLY_DEBUG
+
+[ Upstream commit 349ced9984ff540ce74ca8a0b2e9b03dc434b9dd ]
+
+Fix a similar endless event loop as was done in commit
+8dcf32175b4e ("i2c: prevent endless uevent loop with
+CONFIG_I2C_DEBUG_CORE"):
+
+  The culprit is the dev_dbg printk in the i2c uevent handler. If
+  this is activated (for instance by CONFIG_I2C_DEBUG_CORE) it results
+  in an endless loop with systemd-journald.
+
+  This happens if user-space scans the system log and reads the uevent
+  file to get information about a newly created device, which seems
+  fair use to me. Unfortunately reading the "uevent" file uses the
+  same function that runs for creating the uevent for a new device,
+  generating the next syslog entry
+
+Both CONFIG_I2C_DEBUG_CORE and CONFIG_POWER_SUPPLY_DEBUG were reported
+in https://bugs.freedesktop.org/show_bug.cgi?id=76886 but only former
+seems to have been fixed. Drop debug prints as it was done in I2C
+subsystem to resolve the issue.
+
+Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
+Cc: Chris Healy <cphealy@gmail.com>
+Cc: linux-pm@vger.kernel.org
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/power_supply_sysfs.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/drivers/power/power_supply_sysfs.c b/drivers/power/power_supply_sysfs.c
+index ed2d7fd0c734d..488dd7eb0aeb7 100644
+--- a/drivers/power/power_supply_sysfs.c
++++ b/drivers/power/power_supply_sysfs.c
+@@ -277,15 +277,11 @@ int power_supply_uevent(struct device *dev, struct kobj_uevent_env *env)
+       char *prop_buf;
+       char *attrname;
+-      dev_dbg(dev, "uevent\n");
+-
+       if (!psy || !psy->desc) {
+               dev_dbg(dev, "No power supply yet\n");
+               return ret;
+       }
+-      dev_dbg(dev, "POWER_SUPPLY_NAME=%s\n", psy->desc->name);
+-
+       ret = add_uevent_var(env, "POWER_SUPPLY_NAME=%s", psy->desc->name);
+       if (ret)
+               return ret;
+@@ -321,8 +317,6 @@ int power_supply_uevent(struct device *dev, struct kobj_uevent_env *env)
+                       goto out;
+               }
+-              dev_dbg(dev, "prop %s=%s\n", attrname, prop_buf);
+-
+               ret = add_uevent_var(env, "POWER_SUPPLY_%s=%s", attrname, prop_buf);
+               kfree(attrname);
+               if (ret)
+-- 
+2.20.1
+
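Review bot: The `dev_dbg(dev, "No power supply yet\n");` left in the `if (!psy || !psy->desc)` early-return branch is still a printk issued from the uevent path, so it appears able to feed the same read-uevent → log → read-uevent cycle this commit removes the other three prints for, at least while a device exists whose desc is not yet set. If that window is reachable from the uevent sysfs file, dropping it too (leaving just `return ret;` in the branch) keeps the handler free of logging, as the I2C fix cited in the message did; if it is not reachable, a short comment saying why would save the next reader the question. power_supply_uevent() begins above the first hunk.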
index e9d89428c2d833d0576063a6d6c7e1af4bc62be4..de2d2341d9e72ed0d51352964eda3a57825f34d6 100644 (file)
@@ -62,3 +62,11 @@ fbdev-sm712fb-use-1024x768-by-default-on-non-mips-fix-garbled-display.patch
 fbdev-sm712fb-fix-crashes-and-garbled-display-during-dpms-modesetting.patch
 pci-mark-atheros-ar9462-to-avoid-bus-reset.patch
 dm-delay-fix-a-crash-when-invalid-device-is-specified.patch
+xfrm-policy-fix-out-of-bound-array-accesses-in-__xfr.patch
+xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm.patch
+vti4-ipip-tunnel-deregistration-fixes.patch
+xfrm4-fix-uninitialized-memory-read-in-_decode_sessi.patch
+kvm-arm-arm64-ensure-vcpu-target-is-unset-on-reset-f.patch
+power-supply-sysfs-prevent-endless-uevent-loop-with-.patch
+ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-ufs-.patch
+perf-bench-numa-add-define-for-rusage_thread-if-not-.patch
diff --git a/queue-4.4/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-ufs-.patch b/queue-4.4/ufs-fix-braino-in-ufs_get_inode_gid-for-solaris-ufs-.patch
new file mode 100644 (file)
index 0000000..a94204d
--- /dev/null
@@ -0,0 +1,35 @@
+From ae70e01e01cd150e911983a812f4d0bf4783d0c7 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 1 May 2019 22:46:11 -0400
+Subject: ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour
+
+[ Upstream commit 4e9036042fedaffcd868d7f7aa948756c48c637d ]
+
+To choose whether to pick the GID from the old (16bit) or new (32bit)
+field, we should check if the old gid field is set to 0xffff.  Mainline
+checks the old *UID* field instead - cut'n'paste from the corresponding
+code in ufs_get_inode_uid().
+
+Fixes: 252e211e90ce
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ufs/util.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ufs/util.h b/fs/ufs/util.h
+index 3f9463f8cf2fa..f877d5cadd981 100644
+--- a/fs/ufs/util.h
++++ b/fs/ufs/util.h
+@@ -228,7 +228,7 @@ ufs_get_inode_gid(struct super_block *sb, struct ufs_inode *inode)
+       case UFS_UID_44BSD:
+               return fs32_to_cpu(sb, inode->ui_u3.ui_44.ui_gid);
+       case UFS_UID_EFT:
+-              if (inode->ui_u1.oldids.ui_suid == 0xFFFF)
++              if (inode->ui_u1.oldids.ui_sgid == 0xFFFF)
+                       return fs32_to_cpu(sb, inode->ui_u3.ui_sun.ui_gid);
+               /* Fall through */
+       default:
+-- 
+2.20.1
+
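Review bot: The corrected test `inode->ui_u1.oldids.ui_sgid == 0xFFFF` still compares against a bare literal, and the commit message attributes the original bug to copy-pasting the matching line from ufs_get_inode_uid(); a named sentinel shared by both getters (a macro named along the lines of a "sun old-id unset" constant — name to be chosen) would make a uid/gid field mix-up stand out in review. The `/* Fall through */` into `default:` is intentional and depends on the 16-bit field not holding the sentinel, which a comment on the case, e.g. `/* Sun UFS: 32-bit gid is valid only when the 16-bit field is 0xFFFF */`, would record. The opening lines of ufs_get_inode_gid() are outside the hunk.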
diff --git a/queue-4.4/vti4-ipip-tunnel-deregistration-fixes.patch b/queue-4.4/vti4-ipip-tunnel-deregistration-fixes.patch
new file mode 100644 (file)
index 0000000..a0ef240
--- /dev/null
@@ -0,0 +1,48 @@
+From f668a8ba91f02a52b86a3a628606b186065fba92 Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Tue, 19 Mar 2019 15:39:20 +0000
+Subject: vti4: ipip tunnel deregistration fixes.
+
+[ Upstream commit 5483844c3fc18474de29f5d6733003526e0a9f78 ]
+
+If tunnel registration failed during module initialization, the module
+would fail to deregister the IPPROTO_COMP protocol and would attempt to
+deregister the tunnel.
+
+The tunnel was not deregistered during module-exit.
+
+Fixes: dd9ee3444014e ("vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel")
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_vti.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
+index fcf327ebd1345..bbcbbc1cc2cc6 100644
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -648,9 +648,9 @@ static int __init vti_init(void)
+       return err;
+ rtnl_link_failed:
+-      xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);
+-xfrm_tunnel_failed:
+       xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
++xfrm_tunnel_failed:
++      xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);
+ xfrm_proto_comp_failed:
+       xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH);
+ xfrm_proto_ah_failed:
+@@ -666,6 +666,7 @@ pernet_dev_failed:
+ static void __exit vti_fini(void)
+ {
+       rtnl_link_unregister(&vti_link_ops);
++      xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
+       xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);
+       xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH);
+       xfrm4_protocol_deregister(&vti_esp4_protocol, IPPROTO_ESP);
+-- 
+2.20.1
+
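Review bot: The new unwind order in vti_init() — `rtnl_link_failed:` now undoing the ipip tunnel and `xfrm_tunnel_failed:` now undoing IPPROTO_COMP — is correct only if xfrm4_tunnel_register() runs after the IPPROTO_COMP xfrm4_protocol_register() in the setup sequence, which sits above the hunk and is not shown; the label names suggest that order but it should be checked against the registration code. The added `xfrm4_tunnel_deregister(&ipip_handler, AF_INET);` in vti_fini() is consistent with that reverse order. Because the two functions must stay in lockstep, a comment on the label block, e.g. `/* unwind in reverse registration order; keep in sync with vti_fini() */`, would guard future edits.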
diff --git a/queue-4.4/xfrm-policy-fix-out-of-bound-array-accesses-in-__xfr.patch b/queue-4.4/xfrm-policy-fix-out-of-bound-array-accesses-in-__xfr.patch
new file mode 100644 (file)
index 0000000..6c9a391
--- /dev/null
@@ -0,0 +1,89 @@
+From 139e4b56034f179a53e41e3037df24bb7ce92cb0 Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 28 Feb 2019 15:18:59 +0800
+Subject: xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
+
+[ Upstream commit b805d78d300bcf2c83d6df7da0c818b0fee41427 ]
+
+UBSAN report this:
+
+UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24
+index 6 is out of range for type 'unsigned int [6]'
+CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+ 0000000000000000 1466cf39b41b23c9 ffff8801f6b07a58 ffffffff81cb35f4
+ 0000000041b58ab3 ffffffff83230f9c ffffffff81cb34e0 ffff8801f6b07a80
+ ffff8801f6b07a20 1466cf39b41b23c9 ffffffff851706e0 ffff8801f6b07ae8
+Call Trace:
+ <IRQ>  [<ffffffff81cb35f4>] __dump_stack lib/dump_stack.c:15 [inline]
+ <IRQ>  [<ffffffff81cb35f4>] dump_stack+0x114/0x1a0 lib/dump_stack.c:51
+ [<ffffffff81d94225>] ubsan_epilogue+0x12/0x8f lib/ubsan.c:164
+ [<ffffffff81d954db>] __ubsan_handle_out_of_bounds+0x16e/0x1b2 lib/ubsan.c:382
+ [<ffffffff82a25acd>] __xfrm_policy_unlink+0x3dd/0x5b0 net/xfrm/xfrm_policy.c:1289
+ [<ffffffff82a2e572>] xfrm_policy_delete+0x52/0xb0 net/xfrm/xfrm_policy.c:1309
+ [<ffffffff82a3319b>] xfrm_policy_timer+0x30b/0x590 net/xfrm/xfrm_policy.c:243
+ [<ffffffff813d3927>] call_timer_fn+0x237/0x990 kernel/time/timer.c:1144
+ [<ffffffff813d8e7e>] __run_timers kernel/time/timer.c:1218 [inline]
+ [<ffffffff813d8e7e>] run_timer_softirq+0x6ce/0xb80 kernel/time/timer.c:1401
+ [<ffffffff8120d6f9>] __do_softirq+0x299/0xe10 kernel/softirq.c:273
+ [<ffffffff8120e676>] invoke_softirq kernel/softirq.c:350 [inline]
+ [<ffffffff8120e676>] irq_exit+0x216/0x2c0 kernel/softirq.c:391
+ [<ffffffff82c5edab>] exiting_irq arch/x86/include/asm/apic.h:652 [inline]
+ [<ffffffff82c5edab>] smp_apic_timer_interrupt+0x8b/0xc0 arch/x86/kernel/apic/apic.c:926
+ [<ffffffff82c5c985>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:735
+ <EOI>  [<ffffffff81188096>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:52
+ [<ffffffff810834d7>] arch_safe_halt arch/x86/include/asm/paravirt.h:111 [inline]
+ [<ffffffff810834d7>] default_idle+0x27/0x430 arch/x86/kernel/process.c:446
+ [<ffffffff81085f05>] arch_cpu_idle+0x15/0x20 arch/x86/kernel/process.c:437
+ [<ffffffff8132abc3>] default_idle_call+0x53/0x90 kernel/sched/idle.c:92
+ [<ffffffff8132b32d>] cpuidle_idle_call kernel/sched/idle.c:156 [inline]
+ [<ffffffff8132b32d>] cpu_idle_loop kernel/sched/idle.c:251 [inline]
+ [<ffffffff8132b32d>] cpu_startup_entry+0x60d/0x9a0 kernel/sched/idle.c:299
+ [<ffffffff8113e119>] start_secondary+0x3c9/0x560 arch/x86/kernel/smpboot.c:245
+
+The issue is triggered as this:
+
+xfrm_add_policy
+    -->verify_newpolicy_info  //check the index provided by user with XFRM_POLICY_MAX
+                             //In my case, the index is 0x6E6BB6, so it pass the check.
+    -->xfrm_policy_construct  //copy the user's policy and set xfrm_policy_timer
+    -->xfrm_policy_insert
+       --> __xfrm_policy_link //use the orgin dir, in my case is 2
+       --> xfrm_gen_index   //generate policy index, there is 0x6E6BB6
+
+then xfrm_policy_timer be fired
+
+xfrm_policy_timer
+   --> xfrm_policy_id2dir  //get dir from (policy index & 7), in my case is 6
+   --> xfrm_policy_delete
+      --> __xfrm_policy_unlink //access policy_count[dir], trigger out of range access
+
+Add xfrm_policy_id2dir check in verify_newpolicy_info, make sure the computed dir is
+valid, to fix the issue.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: e682adf021be ("xfrm: Try to honor policy index if it's supplied by user")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index 177a6c75f136b..b04c030439762 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1340,7 +1340,7 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p)
+       ret = verify_policy_dir(p->dir);
+       if (ret)
+               return ret;
+-      if (p->index && ((p->index & XFRM_POLICY_MAX) != p->dir))
++      if (p->index && (xfrm_policy_id2dir(p->index) != p->dir))
+               return -EINVAL;
+       return 0;
+-- 
+2.20.1
+
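Review bot: The replacement check `xfrm_policy_id2dir(p->index) != p->dir` bounds the dir encoded in a user-supplied index only indirectly: it works because `verify_policy_dir(p->dir)` a few lines earlier has already rejected out-of-range dirs, so an index whose low three bits decode to 6 or 7 (outside the six-entry policy_count array named in the UBSAN report) can no longer match. That ordering dependency deserves a comment, e.g. `/* p->dir is already range-checked, so this also rejects an index that encodes an invalid dir */`, otherwise swapping the two checks would silently reopen the out-of-bounds access. It is also worth confirming that the other netlink paths taking a user index (lookup/delete by id) decode it under an equivalent guard rather than indexing per-dir arrays directly; that code is outside this patch.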
diff --git a/queue-4.4/xfrm4-fix-uninitialized-memory-read-in-_decode_sessi.patch b/queue-4.4/xfrm4-fix-uninitialized-memory-read-in-_decode_sessi.patch
new file mode 100644 (file)
index 0000000..e43754a
--- /dev/null
@@ -0,0 +1,115 @@
+From 842b887c89d91258a2e62a8ff3f30650c789b4a3 Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Tue, 26 Feb 2019 07:04:50 +0100
+Subject: xfrm4: Fix uninitialized memory read in _decode_session4
+
+[ Upstream commit 8742dc86d0c7a9628117a989c11f04a9b6b898f3 ]
+
+We currently don't reload pointers pointing into skb header
+after doing pskb_may_pull() in _decode_session4(). So in case
+pskb_may_pull() changed the pointers, we read from random
+memory. Fix this by putting all the needed infos on the
+stack, so that we don't need to access the header pointers
+after doing pskb_may_pull().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/xfrm4_policy.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
+index fddae0164b918..d9758ecdcba6a 100644
+--- a/net/ipv4/xfrm4_policy.c
++++ b/net/ipv4/xfrm4_policy.c
+@@ -108,7 +108,8 @@ static void
+ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
+ {
+       const struct iphdr *iph = ip_hdr(skb);
+-      u8 *xprth = skb_network_header(skb) + iph->ihl * 4;
++      int ihl = iph->ihl;
++      u8 *xprth = skb_network_header(skb) + ihl * 4;
+       struct flowi4 *fl4 = &fl->u.ip4;
+       int oif = 0;
+@@ -119,6 +120,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
+       fl4->flowi4_mark = skb->mark;
+       fl4->flowi4_oif = reverse ? skb->skb_iif : oif;
++      fl4->flowi4_proto = iph->protocol;
++      fl4->daddr = reverse ? iph->saddr : iph->daddr;
++      fl4->saddr = reverse ? iph->daddr : iph->saddr;
++      fl4->flowi4_tos = iph->tos;
++
+       if (!ip_is_fragment(iph)) {
+               switch (iph->protocol) {
+               case IPPROTO_UDP:
+@@ -130,7 +136,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
+                           pskb_may_pull(skb, xprth + 4 - skb->data)) {
+                               __be16 *ports;
+-                              xprth = skb_network_header(skb) + iph->ihl * 4;
++                              xprth = skb_network_header(skb) + ihl * 4;
+                               ports = (__be16 *)xprth;
+                               fl4->fl4_sport = ports[!!reverse];
+@@ -143,7 +149,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
+                           pskb_may_pull(skb, xprth + 2 - skb->data)) {
+                               u8 *icmp;
+-                              xprth = skb_network_header(skb) + iph->ihl * 4;
++                              xprth = skb_network_header(skb) + ihl * 4;
+                               icmp = xprth;
+                               fl4->fl4_icmp_type = icmp[0];
+@@ -156,7 +162,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
+                           pskb_may_pull(skb, xprth + 4 - skb->data)) {
+                               __be32 *ehdr;
+-                              xprth = skb_network_header(skb) + iph->ihl * 4;
++                              xprth = skb_network_header(skb) + ihl * 4;
+                               ehdr = (__be32 *)xprth;
+                               fl4->fl4_ipsec_spi = ehdr[0];
+@@ -168,7 +174,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
+                           pskb_may_pull(skb, xprth + 8 - skb->data)) {
+                               __be32 *ah_hdr;
+-                              xprth = skb_network_header(skb) + iph->ihl * 4;
++                              xprth = skb_network_header(skb) + ihl * 4;
+                               ah_hdr = (__be32 *)xprth;
+                               fl4->fl4_ipsec_spi = ah_hdr[1];
+@@ -180,7 +186,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
+                           pskb_may_pull(skb, xprth + 4 - skb->data)) {
+                               __be16 *ipcomp_hdr;
+-                              xprth = skb_network_header(skb) + iph->ihl * 4;
++                              xprth = skb_network_header(skb) + ihl * 4;
+                               ipcomp_hdr = (__be16 *)xprth;
+                               fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1]));
+@@ -193,7 +199,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
+                               __be16 *greflags;
+                               __be32 *gre_hdr;
+-                              xprth = skb_network_header(skb) + iph->ihl * 4;
++                              xprth = skb_network_header(skb) + ihl * 4;
+                               greflags = (__be16 *)xprth;
+                               gre_hdr = (__be32 *)xprth;
+@@ -210,10 +216,6 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
+                       break;
+               }
+       }
+-      fl4->flowi4_proto = iph->protocol;
+-      fl4->daddr = reverse ? iph->saddr : iph->daddr;
+-      fl4->saddr = reverse ? iph->daddr : iph->saddr;
+-      fl4->flowi4_tos = iph->tos;
+ }
+ static inline int xfrm4_garbage_collect(struct dst_ops *ops)
+-- 
+2.20.1
+
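Review bot: After this change `iph` remains a live pointer into the skb header for the rest of _decode_session4() even though the function now deliberately avoids it once pskb_may_pull() has run; nothing in the code prevents a later edit from reading `iph->...` inside one of the `pskb_may_pull()` branches and reintroducing the stale-pointer read this commit fixes. A comment at the new `int ihl = iph->ihl;` line, e.g. `/* pskb_may_pull() below may move the header: never use iph or a pre-pull xprth after it */`, pins the invariant, and the hoisted proto/addr/tos assignments could carry a matching one-liner. The later hunks that recompute `xprth = skb_network_header(skb) + ihl * 4;` are the same pattern and need no separate note. The `case` bodies between the hunks are not shown.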
diff --git a/queue-4.4/xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm.patch b/queue-4.4/xfrm6_tunnel-fix-potential-panic-when-unloading-xfrm.patch
new file mode 100644 (file)
index 0000000..b006daa
--- /dev/null
@@ -0,0 +1,38 @@
+From fe62e481297878a35494219232c66d7b0e58cecb Mon Sep 17 00:00:00 2001
+From: Su Yanjun <suyj.fnst@cn.fujitsu.com>
+Date: Thu, 14 Mar 2019 14:59:42 +0800
+Subject: xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
+
+[ Upstream commit 6ee02a54ef990a71bf542b6f0a4e3321de9d9c66 ]
+
+When unloading xfrm6_tunnel module, xfrm6_tunnel_fini directly
+frees the xfrm6_tunnel_spi_kmem. Maybe someone has gotten the
+xfrm6_tunnel_spi, so need to wait it.
+
+Fixes: 91cc3bb0b04ff("xfrm6_tunnel: RCU conversion")
+Signed-off-by: Su Yanjun <suyj.fnst@cn.fujitsu.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/xfrm6_tunnel.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
+index 56b72cada346f..f9d493c59d6c1 100644
+--- a/net/ipv6/xfrm6_tunnel.c
++++ b/net/ipv6/xfrm6_tunnel.c
+@@ -391,6 +391,10 @@ static void __exit xfrm6_tunnel_fini(void)
+       xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
+       xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
+       unregister_pernet_subsys(&xfrm6_tunnel_net_ops);
++      /* Someone maybe has gotten the xfrm6_tunnel_spi.
++       * So need to wait it.
++       */
++      rcu_barrier();
+       kmem_cache_destroy(xfrm6_tunnel_spi_kmem);
+ }
+-- 
+2.20.1
+
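Review bot: The added comment `/* Someone maybe has gotten the xfrm6_tunnel_spi. So need to wait it. */` describes readers, but `rcu_barrier()` does not wait for readers — it waits for RCU callbacks already queued via call_rcu()/kfree_rcu() to complete, which is what matters here if spi entries are released through such a callback (the free path is outside this hunk; assumed). Reword it to state what is actually awaited, e.g. `/* Flush pending RCU callbacks that free xfrm6_tunnel_spi objects before their cache is destroyed. */`, so a later cleanup does not swap it for synchronize_rcu(), which would not cover queued callbacks. The opening of xfrm6_tunnel_fini() is just above the hunk.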