--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Miguel Fadon Perlines <mfadon@teldat.com>
+Date: Thu, 5 Apr 2018 10:25:38 +0200
+Subject: arp: fix arp_filter on l3slave devices
+
+From: Miguel Fadon Perlines <mfadon@teldat.com>
+
+
+[ Upstream commit 58b35f27689b5eb514fc293c332966c226b1b6e4 ]
+
+arp_filter performs an ip_route_output search for arp source address and
+checks if output device is the same where the arp request was received,
+if it is not, the arp request is not answered.
+
+This route lookup is always done on main route table so l3slave devices
+never find the proper route and arp is not answered.
+
+Passing l3mdev_master_ifindex_rcu(dev) return value as oif fixes the
+lookup for l3slave devices while maintaining same behavior for non
+l3slave devices as this function returns 0 in that case.
+
+Fixes: 613d09b30f8b ("net: Use VRF device index for lookups on TX")
+Signed-off-by: Miguel Fadon Perlines <mfadon@teldat.com>
+Acked-by: David Ahern <dsa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/arp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/arp.c
++++ b/net/ipv4/arp.c
+@@ -437,7 +437,7 @@ static int arp_filter(__be32 sip, __be32
+ /*unsigned long now; */
+ struct net *net = dev_net(dev);
+
+- rt = ip_route_output(net, sip, tip, 0, 0);
++ rt = ip_route_output(net, sip, tip, 0, l3mdev_master_ifindex_rcu(dev));
+ if (IS_ERR(rt))
+ return 1;
+ if (rt->dst.dev != dev) {
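Review bot: The new fifth argument of `ip_route_output()` carries no comment explaining why the oif is the L3 master's ifindex, and the `_rcu` variant it calls presumably relies on the caller holding the RCU read lock, which this hunk does not show. Once the locking has been confirmed against arp_filter()'s callers, I would add above the call `/* Look up in the table of dev's l3 master; oif is 0 for non-l3slave devices. Caller holds rcu_read_lock(). */`. arp_filter() starts and ends outside the hunk.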
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 26 Mar 2018 01:16:45 +0800
+Subject: bonding: fix the err path for dev hwaddr sync in bond_enslave
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 5c78f6bfae2b10ff70e21d343e64584ea6280c26 ]
+
+vlan_vids_add_by_dev is called right after dev hwaddr sync, so on
+the err path it should unsync dev hwaddr. Otherwise, the slave
+dev's hwaddr will never be unsync when this err happens.
+
+Fixes: 1ff412ad7714 ("bonding: change the bond's vlan syncing functions with the standard ones")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Acked-by: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1565,7 +1565,7 @@ int bond_enslave(struct net_device *bond
+ if (res) {
+ netdev_err(bond_dev, "Couldn't add bond vlan ids to %s\n",
+ slave_dev->name);
+- goto err_close;
++ goto err_hwaddr_unsync;
+ }
+
+ prev_slave = bond_last_slave(bond);
+@@ -1755,9 +1755,6 @@ err_unregister:
+ netdev_rx_handler_unregister(slave_dev);
+
+ err_detach:
+- if (!bond_uses_primary(bond))
+- bond_hw_addr_flush(bond_dev, slave_dev);
+-
+ vlan_vids_del_by_dev(slave_dev, bond_dev);
+ if (rcu_access_pointer(bond->primary_slave) == new_slave)
+ RCU_INIT_POINTER(bond->primary_slave, NULL);
+@@ -1771,6 +1768,10 @@ err_detach:
+ synchronize_rcu();
+ slave_disable_netpoll(new_slave);
+
++err_hwaddr_unsync:
++ if (!bond_uses_primary(bond))
++ bond_hw_addr_flush(bond_dev, slave_dev);
++
+ err_close:
+ slave_dev->priv_flags &= ~IFF_BONDING;
+ dev_close(slave_dev);
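Review bot: `err_hwaddr_unsync` undoes only the address sync, so the `goto err_hwaddr_unsync` taken when vlan_vids_add_by_dev() fails still seems to leave in place any promiscuity or allmulti count raised on slave_dev earlier in bond_enslave(). Those `dev_set_promiscuity(slave_dev, 1)` and `dev_set_allmulti(slave_dev, 1)` calls are not in these hunks (they appear as removed lines in the next patch on this page), so this needs confirming against the full function. If they do precede this point, the label should also drop them inside the `!bond_uses_primary(bond)` branch, e.g. `if (bond_dev->flags & IFF_PROMISC) dev_set_promiscuity(slave_dev, -1);` with the matching `dev_set_allmulti(slave_dev, -1)`.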
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 26 Mar 2018 01:16:46 +0800
+Subject: bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit ae42cc62a9f07f1f6979054ed92606b9c30f4a2e ]
+
+Beniamino found a crash when adding vlan as slave of bond which is also
+the parent link:
+
+ ip link add bond1 type bond
+ ip link set bond1 up
+ ip link add link bond1 vlan1 type vlan id 80
+ ip link set vlan1 master bond1
+
+The call trace is as below:
+
+ [<ffffffffa850842a>] queued_spin_lock_slowpath+0xb/0xf
+ [<ffffffffa8515680>] _raw_spin_lock+0x20/0x30
+ [<ffffffffa83f6f07>] dev_mc_sync+0x37/0x80
+ [<ffffffffc08687dc>] vlan_dev_set_rx_mode+0x1c/0x30 [8021q]
+ [<ffffffffa83efd2a>] __dev_set_rx_mode+0x5a/0xa0
+ [<ffffffffa83f7138>] dev_mc_sync_multiple+0x78/0x80
+ [<ffffffffc084127c>] bond_enslave+0x67c/0x1190 [bonding]
+ [<ffffffffa8401909>] do_setlink+0x9c9/0xe50
+ [<ffffffffa8403bf2>] rtnl_newlink+0x522/0x880
+ [<ffffffffa8403ff7>] rtnetlink_rcv_msg+0xa7/0x260
+ [<ffffffffa8424ecb>] netlink_rcv_skb+0xab/0xc0
+ [<ffffffffa83fe498>] rtnetlink_rcv+0x28/0x30
+ [<ffffffffa8424850>] netlink_unicast+0x170/0x210
+ [<ffffffffa8424bf8>] netlink_sendmsg+0x308/0x420
+ [<ffffffffa83cc396>] sock_sendmsg+0xb6/0xf0
+
+This is actually a dead lock caused by sync slave hwaddr from master when
+the master is the slave's 'slave'. This dead loop check is actually done
+by netdev_master_upper_dev_link. However, Commit 1f718f0f4f97 ("bonding:
+populate neighbour's private on enslave") moved it after dev_mc_sync.
+
+This patch is to fix it by moving dev_mc_sync after master_upper_dev_link,
+so that this loop check would be earlier than dev_mc_sync. It also moves
+if (mode == BOND_MODE_8023AD) into if (!bond_uses_primary) clause as an
+improvement.
+
+Note team driver also has this issue, I will fix it in another patch.
+
+Fixes: 1f718f0f4f97 ("bonding: populate neighbour's private on enslave")
+Reported-by: Beniamino Galvani <bgalvani@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 73 +++++++++++++++++++---------------------
+ 1 file changed, 35 insertions(+), 38 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1528,44 +1528,11 @@ int bond_enslave(struct net_device *bond
+ goto err_close;
+ }
+
+- /* If the mode uses primary, then the following is handled by
+- * bond_change_active_slave().
+- */
+- if (!bond_uses_primary(bond)) {
+- /* set promiscuity level to new slave */
+- if (bond_dev->flags & IFF_PROMISC) {
+- res = dev_set_promiscuity(slave_dev, 1);
+- if (res)
+- goto err_close;
+- }
+-
+- /* set allmulti level to new slave */
+- if (bond_dev->flags & IFF_ALLMULTI) {
+- res = dev_set_allmulti(slave_dev, 1);
+- if (res)
+- goto err_close;
+- }
+-
+- netif_addr_lock_bh(bond_dev);
+-
+- dev_mc_sync_multiple(slave_dev, bond_dev);
+- dev_uc_sync_multiple(slave_dev, bond_dev);
+-
+- netif_addr_unlock_bh(bond_dev);
+- }
+-
+- if (BOND_MODE(bond) == BOND_MODE_8023AD) {
+- /* add lacpdu mc addr to mc list */
+- u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR;
+-
+- dev_mc_add(slave_dev, lacpdu_multicast);
+- }
+-
+ res = vlan_vids_add_by_dev(slave_dev, bond_dev);
+ if (res) {
+ netdev_err(bond_dev, "Couldn't add bond vlan ids to %s\n",
+ slave_dev->name);
+- goto err_hwaddr_unsync;
++ goto err_close;
+ }
+
+ prev_slave = bond_last_slave(bond);
+@@ -1725,6 +1692,37 @@ int bond_enslave(struct net_device *bond
+ goto err_upper_unlink;
+ }
+
++ /* If the mode uses primary, then the following is handled by
++ * bond_change_active_slave().
++ */
++ if (!bond_uses_primary(bond)) {
++ /* set promiscuity level to new slave */
++ if (bond_dev->flags & IFF_PROMISC) {
++ res = dev_set_promiscuity(slave_dev, 1);
++ if (res)
++ goto err_sysfs_del;
++ }
++
++ /* set allmulti level to new slave */
++ if (bond_dev->flags & IFF_ALLMULTI) {
++ res = dev_set_allmulti(slave_dev, 1);
++ if (res)
++ goto err_sysfs_del;
++ }
++
++ netif_addr_lock_bh(bond_dev);
++ dev_mc_sync_multiple(slave_dev, bond_dev);
++ dev_uc_sync_multiple(slave_dev, bond_dev);
++ netif_addr_unlock_bh(bond_dev);
++
++ if (BOND_MODE(bond) == BOND_MODE_8023AD) {
++ /* add lacpdu mc addr to mc list */
++ u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR;
++
++ dev_mc_add(slave_dev, lacpdu_multicast);
++ }
++ }
++
+ bond->slave_cnt++;
+ bond_compute_features(bond);
+ bond_set_carrier(bond);
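Review bot: The comment heading the moved block (`If the mode uses primary, ...`) says nothing about why the block now sits after the upper-device link, so a later reorder could silently reintroduce the deadlock described in the commit message. I would extend it with `Must stay after netdev_master_upper_dev_link(): its loop check rejects a slave that is also an upper device of the bond, and syncing addresses to such a slave deadlocks in dev_mc_sync().` The return value of `dev_mc_add(slave_dev, lacpdu_multicast)` is also ignored in the 802.3ad branch; a `netdev_warn()` on failure would make a slave that may not receive LACPDUs visible. bond_enslave() starts and ends outside the hunk.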
+@@ -1748,6 +1746,9 @@ int bond_enslave(struct net_device *bond
+ return 0;
+
+ /* Undo stages on error */
++err_sysfs_del:
++ bond_sysfs_slave_del(new_slave);
++
+ err_upper_unlink:
+ bond_upper_dev_unlink(bond, new_slave);
+
+@@ -1768,10 +1769,6 @@ err_detach:
+ synchronize_rcu();
+ slave_disable_netpoll(new_slave);
+
+-err_hwaddr_unsync:
+- if (!bond_uses_primary(bond))
+- bond_hw_addr_flush(bond_dev, slave_dev);
+-
+ err_close:
+ slave_dev->priv_flags &= ~IFF_BONDING;
+ dev_close(slave_dev);
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 26 Mar 2018 01:16:47 +0800
+Subject: bonding: process the err returned by dev_set_allmulti properly in bond_enslave
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 9f5a90c107741b864398f4ac0014711a8c1d8474 ]
+
+When dev_set_promiscuity(1) succeeds but dev_set_allmulti(1) fails,
+dev_set_promiscuity(-1) should be done before going to the err path.
+Otherwise, dev->promiscuity will leak.
+
+Fixes: 7e1a1ac1fbaa ("bonding: Check return of dev_set_promiscuity/allmulti")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1706,8 +1706,11 @@ int bond_enslave(struct net_device *bond
+ /* set allmulti level to new slave */
+ if (bond_dev->flags & IFF_ALLMULTI) {
+ res = dev_set_allmulti(slave_dev, 1);
+- if (res)
++ if (res) {
++ if (bond_dev->flags & IFF_PROMISC)
++ dev_set_promiscuity(slave_dev, -1);
+ goto err_sysfs_del;
++ }
+ }
+
+ netif_addr_lock_bh(bond_dev);
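Review bot: The unwind added under `if (res)` re-tests `bond_dev->flags & IFF_PROMISC` instead of recording that the earlier `dev_set_promiscuity(slave_dev, 1)` actually ran, so the decrement is balanced only as long as the bond's flags cannot change between the two tests. That presumably holds because bond_enslave() runs under RTNL, but the hunk does not show it. A short comment such as `/* undo the dev_set_promiscuity(slave_dev, 1) above; bond_dev->flags is stable under RTNL */` would state the assumption. bond_enslave() starts and ends outside the hunk.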
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:29 -0700
+Subject: ip6_gre: better validate user provided tunnel names
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 5f42df013b8bc1b6511af7a04bf93b014884ae2a ]
+
+Use dev_valid_name() to make sure user does not provide illegal
+device name.
+
+syzbot caught the following bug :
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
+BUG: KASAN: stack-out-of-bounds in ip6gre_tunnel_locate+0x334/0x860 net/ipv6/ip6_gre.c:339
+Write of size 20 at addr ffff8801afb9f7b8 by task syzkaller851048/4466
+
+CPU: 1 PID: 4466 Comm: syzkaller851048 Not tainted 4.16.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x1b9/0x29f lib/dump_stack.c:53
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ strlcpy include/linux/string.h:300 [inline]
+ ip6gre_tunnel_locate+0x334/0x860 net/ipv6/ip6_gre.c:339
+ ip6gre_tunnel_ioctl+0x69d/0x12e0 net/ipv6/ip6_gre.c:1195
+ dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
+ dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
+ sock_ioctl+0x47e/0x680 net/socket.c:1015
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:500 [inline]
+ do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
+ ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
+ SYSC_ioctl fs/ioctl.c:708 [inline]
+ SyS_ioctl+0x24/0x30 fs/ioctl.c:706
+ do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_gre.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -319,11 +319,13 @@ static struct ip6_tnl *ip6gre_tunnel_loc
+ if (t || !create)
+ return t;
+
+- if (parms->name[0])
++ if (parms->name[0]) {
++ if (!dev_valid_name(parms->name))
++ return NULL;
+ strlcpy(name, parms->name, IFNAMSIZ);
+- else
++ } else {
+ strcpy(name, "ip6gre%d");
+-
++ }
+ dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
+ ip6gre_tunnel_setup);
+ if (!dev)
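Review bot: The `return NULL` added for a name rejected by dev_valid_name() is indistinguishable, for the caller, from the allocation failure further down, so user space will probably see the same errno for an illegal name as for memory exhaustion. The function returns a bare pointer, so fixing that needs a change outside this hunk. Within it I would at least add a comment above the check, `/* parms->name comes from user space: reject names that are too long, unterminated or otherwise illegal before copying */`. The same comment fits the equivalent checks added in net/ipv6/sit.c, net/ipv6/ip6_tunnel.c and net/ipv4/ip_tunnel.c on this page. ip6gre_tunnel_locate() starts and ends outside the hunk.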
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:30 -0700
+Subject: ip6_tunnel: better validate user provided tunnel names
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit db7a65e3ab78e5b1c4b17c0870ebee35a4ee3257 ]
+
+Use valid_name() to make sure user does not provide illegal
+device name.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -297,13 +297,16 @@ static struct ip6_tnl *ip6_tnl_create(st
+ struct net_device *dev;
+ struct ip6_tnl *t;
+ char name[IFNAMSIZ];
+- int err = -ENOMEM;
++ int err = -E2BIG;
+
+- if (p->name[0])
++ if (p->name[0]) {
++ if (!dev_valid_name(p->name))
++ goto failed;
+ strlcpy(name, p->name, IFNAMSIZ);
+- else
++ } else {
+ sprintf(name, "ip6tnl%%d");
+-
++ }
++ err = -ENOMEM;
+ dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
+ ip6_tnl_dev_setup);
+ if (!dev)
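Review bot: Initialising `err` to `-E2BIG` and resetting it to `-ENOMEM` after the `if`/`else` makes every name rejected by dev_valid_name() report "argument list too long", even when the name has a legal length but contains an illegal character. Setting the code at the failure site reads more directly: keep `int err = -ENOMEM;` and write `if (!dev_valid_name(p->name)) { err = -EINVAL; goto failed; }`, after checking whether user space already depends on -E2BIG here. The net/ipv4/ip_tunnel.c hunk further down hoists `err = -E2BIG;` in the same way. ip6_tnl_create() starts and ends outside the hunk.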
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:27 -0700
+Subject: ip_tunnel: better validate user provided tunnel names
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 9cb726a212a82c88c98aa9f0037fd04777cd8fe5 ]
+
+Use dev_valid_name() to make sure user does not provide illegal
+device name.
+
+syzbot caught the following bug :
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
+BUG: KASAN: stack-out-of-bounds in __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257
+Write of size 20 at addr ffff8801ac79f810 by task syzkaller268107/4482
+
+CPU: 0 PID: 4482 Comm: syzkaller268107 Not tainted 4.16.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x1b9/0x29f lib/dump_stack.c:53
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ strlcpy include/linux/string.h:300 [inline]
+ __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257
+ ip_tunnel_create net/ipv4/ip_tunnel.c:352 [inline]
+ ip_tunnel_ioctl+0x818/0xd40 net/ipv4/ip_tunnel.c:861
+ ipip_tunnel_ioctl+0x1c5/0x420 net/ipv4/ipip.c:350
+ dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
+ dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
+ sock_ioctl+0x47e/0x680 net/socket.c:1015
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:500 [inline]
+ do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
+ ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
+ SYSC_ioctl fs/ioctl.c:708 [inline]
+ SyS_ioctl+0x24/0x30 fs/ioctl.c:706
+ do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_tunnel.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -253,13 +253,14 @@ static struct net_device *__ip_tunnel_cr
+ struct net_device *dev;
+ char name[IFNAMSIZ];
+
+- if (parms->name[0])
++ err = -E2BIG;
++ if (parms->name[0]) {
++ if (!dev_valid_name(parms->name))
++ goto failed;
+ strlcpy(name, parms->name, IFNAMSIZ);
+- else {
+- if (strlen(ops->kind) > (IFNAMSIZ - 3)) {
+- err = -E2BIG;
++ } else {
++ if (strlen(ops->kind) > (IFNAMSIZ - 3))
+ goto failed;
+- }
+ strlcpy(name, ops->kind, IFNAMSIZ);
+ strncat(name, "%d", 2);
+ }
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:28 -0700
+Subject: ipv6: sit: better validate user provided tunnel names
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit b95211e066fc3494b7c115060b2297b4ba21f025 ]
+
+Use dev_valid_name() to make sure user does not provide illegal
+device name.
+
+syzbot caught the following bug :
+
+BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
+BUG: KASAN: stack-out-of-bounds in ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254
+Write of size 33 at addr ffff8801b64076d8 by task syzkaller932654/4453
+
+CPU: 0 PID: 4453 Comm: syzkaller932654 Not tainted 4.16.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x1b9/0x29f lib/dump_stack.c:53
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ strlcpy include/linux/string.h:300 [inline]
+ ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254
+ ipip6_tunnel_ioctl+0xe71/0x241b net/ipv6/sit.c:1221
+ dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
+ dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
+ sock_ioctl+0x47e/0x680 net/socket.c:1015
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:500 [inline]
+ do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
+ ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
+ SYSC_ioctl fs/ioctl.c:708 [inline]
+ SyS_ioctl+0x24/0x30 fs/ioctl.c:706
+ do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -250,11 +250,13 @@ static struct ip_tunnel *ipip6_tunnel_lo
+ if (!create)
+ goto failed;
+
+- if (parms->name[0])
++ if (parms->name[0]) {
++ if (!dev_valid_name(parms->name))
++ goto failed;
+ strlcpy(name, parms->name, IFNAMSIZ);
+- else
++ } else {
+ strcpy(name, "sit%d");
+-
++ }
+ dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN,
+ ipip6_tunnel_setup);
+ if (!dev)
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: David Lebrun <dlebrun@google.com>
+Date: Thu, 29 Mar 2018 17:59:36 +0100
+Subject: ipv6: sr: fix seg6 encap performances with TSO enabled
+
+From: David Lebrun <dlebrun@google.com>
+
+
+[ Upstream commit 5807b22c9164a21cd1077a9bc587f0bba361f72d ]
+
+Enabling TSO can lead to abysmal performances when using seg6 in
+encap mode, such as with the ixgbe driver. This patch adds a call to
+iptunnel_handle_offloads() to remove the encapsulation bit if needed.
+
+Before:
+root@comp4-seg6bpf:~# iperf3 -c fc00::55
+Connecting to host fc00::55, port 5201
+[ 4] local fc45::4 port 36592 connected to fc00::55 port 5201
+[ ID] Interval Transfer Bandwidth Retr Cwnd
+[ 4] 0.00-1.00 sec 196 KBytes 1.60 Mbits/sec 47 6.66 KBytes
+[ 4] 1.00-2.00 sec 304 KBytes 2.49 Mbits/sec 100 5.33 KBytes
+[ 4] 2.00-3.00 sec 284 KBytes 2.32 Mbits/sec 92 5.33 KBytes
+
+After:
+root@comp4-seg6bpf:~# iperf3 -c fc00::55
+Connecting to host fc00::55, port 5201
+[ 4] local fc45::4 port 43062 connected to fc00::55 port 5201
+[ ID] Interval Transfer Bandwidth Retr Cwnd
+[ 4] 0.00-1.00 sec 1.03 GBytes 8.89 Gbits/sec 0 743 KBytes
+[ 4] 1.00-2.00 sec 1.03 GBytes 8.87 Gbits/sec 0 743 KBytes
+[ 4] 2.00-3.00 sec 1.03 GBytes 8.87 Gbits/sec 0 743 KBytes
+
+Reported-by: Tom Herbert <tom@quantonium.net>
+Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
+Signed-off-by: David Lebrun <dlebrun@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/seg6_iptunnel.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/net/ipv6/seg6_iptunnel.c
++++ b/net/ipv6/seg6_iptunnel.c
+@@ -16,6 +16,7 @@
+ #include <linux/net.h>
+ #include <linux/module.h>
+ #include <net/ip.h>
++#include <net/ip_tunnels.h>
+ #include <net/lwtunnel.h>
+ #include <net/netevent.h>
+ #include <net/netns/generic.h>
+@@ -211,11 +212,6 @@ static int seg6_do_srh(struct sk_buff *s
+
+ tinfo = seg6_encap_lwtunnel(dst->lwtstate);
+
+- if (likely(!skb->encapsulation)) {
+- skb_reset_inner_headers(skb);
+- skb->encapsulation = 1;
+- }
+-
+ switch (tinfo->mode) {
+ case SEG6_IPTUN_MODE_INLINE:
+ if (skb->protocol != htons(ETH_P_IPV6))
+@@ -224,10 +220,12 @@ static int seg6_do_srh(struct sk_buff *s
+ err = seg6_do_srh_inline(skb, tinfo->srh);
+ if (err)
+ return err;
+-
+- skb_reset_inner_headers(skb);
+ break;
+ case SEG6_IPTUN_MODE_ENCAP:
++ err = iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6);
++ if (err)
++ return err;
++
+ if (skb->protocol == htons(ETH_P_IPV6))
+ proto = IPPROTO_IPV6;
+ else if (skb->protocol == htons(ETH_P_IP))
+@@ -239,6 +237,8 @@ static int seg6_do_srh(struct sk_buff *s
+ if (err)
+ return err;
+
++ skb_set_inner_transport_header(skb, skb_transport_offset(skb));
++ skb_set_inner_protocol(skb, skb->protocol);
+ skb->protocol = htons(ETH_P_IPV6);
+ break;
+ case SEG6_IPTUN_MODE_L2ENCAP:
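Review bot: The two calls added before `skb->protocol = htons(ETH_P_IPV6);` depend on their position, because `skb_set_inner_protocol(skb, skb->protocol)` has to run before the outer protocol is overwritten on the next line, and nothing in the hunk says so. I would add above them `/* save inner transport header and protocol for offloads before skb->protocol becomes the outer ETH_P_IPV6 */`. The INLINE and L2ENCAP cases also lose the inner-protocol assignment that this commit removes from the end of seg6_do_srh(); the L2ENCAP body is outside this hunk, so it is worth confirming that mode does not need it.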
+@@ -262,8 +262,6 @@ static int seg6_do_srh(struct sk_buff *s
+ ipv6_hdr(skb)->payload_len = htons(skb->len - sizeof(struct ipv6hdr));
+ skb_set_transport_header(skb, sizeof(struct ipv6hdr));
+
+- skb_set_inner_protocol(skb, skb->protocol);
+-
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 23 Mar 2018 14:47:30 +0100
+Subject: ipv6: the entire IPv6 header chain must fit the first fragment
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+
+[ Upstream commit 10b8a3de603df7b96004179b1b33b1708c76d144 ]
+
+While building ipv6 datagram we currently allow arbitrary large
+extheaders, even beyond pmtu size. The syzbot has found a way
+to exploit the above to trigger the following splat:
+
+kernel BUG at ./include/linux/skbuff.h:2073!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 1 PID: 4230 Comm: syzkaller672661 Not tainted 4.16.0-rc2+ #326
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:__skb_pull include/linux/skbuff.h:2073 [inline]
+RIP: 0010:__ip6_make_skb+0x1ac8/0x2190 net/ipv6/ip6_output.c:1636
+RSP: 0018:ffff8801bc18f0f0 EFLAGS: 00010293
+RAX: ffff8801b17400c0 RBX: 0000000000000738 RCX: ffffffff84f01828
+RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801b415ac18
+RBP: ffff8801bc18f360 R08: ffff8801b4576844 R09: 0000000000000000
+R10: ffff8801bc18f380 R11: ffffed00367aee4e R12: 00000000000000d6
+R13: ffff8801b415a740 R14: dffffc0000000000 R15: ffff8801b45767c0
+FS: 0000000001535880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000002000b000 CR3: 00000001b4123001 CR4: 00000000001606e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ ip6_finish_skb include/net/ipv6.h:969 [inline]
+ udp_v6_push_pending_frames+0x269/0x3b0 net/ipv6/udp.c:1073
+ udpv6_sendmsg+0x2a96/0x3400 net/ipv6/udp.c:1343
+ inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:640
+ ___sys_sendmsg+0x320/0x8b0 net/socket.c:2046
+ __sys_sendmmsg+0x1ee/0x620 net/socket.c:2136
+ SYSC_sendmmsg net/socket.c:2167 [inline]
+ SyS_sendmmsg+0x35/0x60 net/socket.c:2162
+ do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x4404c9
+RSP: 002b:00007ffdce35f948 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004404c9
+RDX: 0000000000000003 RSI: 0000000020001f00 RDI: 0000000000000003
+RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
+R10: 0000000020000080 R11: 0000000000000217 R12: 0000000000401df0
+R13: 0000000000401e80 R14: 0000000000000000 R15: 0000000000000000
+Code: ff e8 1d 5e b9 fc e9 15 e9 ff ff e8 13 5e b9 fc e9 44 e8 ff ff e8 29
+5e b9 fc e9 c0 e6 ff ff e8 3f f3 80 fc 0f 0b e8 38 f3 80 fc <0f> 0b 49 8d
+87 80 00 00 00 4d 8d 87 84 00 00 00 48 89 85 20 fe
+RIP: __skb_pull include/linux/skbuff.h:2073 [inline] RSP: ffff8801bc18f0f0
+RIP: __ip6_make_skb+0x1ac8/0x2190 net/ipv6/ip6_output.c:1636 RSP:
+ffff8801bc18f0f0
+
+As stated by RFC 7112 section 5:
+
+ When a host fragments an IPv6 datagram, it MUST include the entire
+ IPv6 Header Chain in the First Fragment.
+
+So this patch addresses the issue dropping datagrams with excessive
+extheader length. It also updates the error path to report to the
+calling socket nonnegative pmtu values.
+
+The issue apparently predates git history.
+
+v1 -> v2: cleanup error path, as per Eric's suggestion
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+91e6f9932ff122fa4410@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1245,7 +1245,7 @@ static int __ip6_append_data(struct sock
+ const struct sockcm_cookie *sockc)
+ {
+ struct sk_buff *skb, *skb_prev = NULL;
+- unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu;
++ unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu, pmtu;
+ int exthdrlen = 0;
+ int dst_exthdrlen = 0;
+ int hh_len;
+@@ -1281,6 +1281,12 @@ static int __ip6_append_data(struct sock
+ sizeof(struct frag_hdr) : 0) +
+ rt->rt6i_nfheader_len;
+
++ /* as per RFC 7112 section 5, the entire IPv6 Header Chain must fit
++ * the first fragment
++ */
++ if (headersize + transhdrlen > mtu)
++ goto emsgsize;
++
+ if (cork->length + length > mtu - headersize && ipc6->dontfrag &&
+ (sk->sk_protocol == IPPROTO_UDP ||
+ sk->sk_protocol == IPPROTO_RAW)) {
+@@ -1296,9 +1302,8 @@ static int __ip6_append_data(struct sock
+
+ if (cork->length + length > maxnonfragsize - headersize) {
+ emsgsize:
+- ipv6_local_error(sk, EMSGSIZE, fl6,
+- mtu - headersize +
+- sizeof(struct ipv6hdr));
++ pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);
++ ipv6_local_error(sk, EMSGSIZE, fl6, pmtu);
+ return -EMSGSIZE;
+ }
+
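Review bot: In `pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);` the subtraction is done in unsigned arithmetic (`mtu` is `unsigned int`, `sizeof` yields `size_t`) and only the wrapped result is converted to `int`, so the clamp works through truncation rather than by comparing the operands. The new `headersize + transhdrlen > mtu` jump to `emsgsize` makes the headersize > mtu case reachable. I would spell the comparison out, `pmtu = mtu + sizeof(struct ipv6hdr) > headersize ? mtu - headersize + sizeof(struct ipv6hdr) : 0;`, or at least comment the reliance on the conversion. The type of `headersize` is declared outside the hunks and should be checked; __ip6_append_data() continues outside the hunk.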
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Raghuram Chary J <raghuramchary.jallipalli@microchip.com>
+Date: Tue, 27 Mar 2018 14:51:16 +0530
+Subject: lan78xx: Crash in lan78xx_writ_reg (Workqueue: events lan78xx_deferred_multicast_write)
+
+From: Raghuram Chary J <raghuramchary.jallipalli@microchip.com>
+
+
+[ Upstream commit 2d2d99ec13f62d5d2cecb6169dfdb6bbe05356d0 ]
+
+Description:
+Crash was reported with syzkaller pointing to lan78xx_write_reg routine.
+
+Root-cause:
+Proper cleanup of workqueues and init/setup routines was not happening
+in failure conditions.
+
+Fix:
+Handled the error conditions by cleaning up the queues and init/setup
+routines.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Raghuram Chary J <raghuramchary.jallipalli@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/lan78xx.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2863,8 +2863,7 @@ static int lan78xx_bind(struct lan78xx_n
+ if (ret < 0) {
+ netdev_warn(dev->net,
+ "lan78xx_setup_irq_domain() failed : %d", ret);
+- kfree(pdata);
+- return ret;
++ goto out1;
+ }
+
+ dev->net->hard_header_len += TX_OVERHEAD;
+@@ -2872,14 +2871,32 @@ static int lan78xx_bind(struct lan78xx_n
+
+ /* Init all registers */
+ ret = lan78xx_reset(dev);
++ if (ret) {
++ netdev_warn(dev->net, "Registers INIT FAILED....");
++ goto out2;
++ }
+
+ ret = lan78xx_mdio_init(dev);
++ if (ret) {
++ netdev_warn(dev->net, "MDIO INIT FAILED.....");
++ goto out2;
++ }
+
+ dev->net->flags |= IFF_MULTICAST;
+
+ pdata->wol = WAKE_MAGIC;
+
+ return ret;
++
++out2:
++ lan78xx_remove_irq_domain(dev);
++
++out1:
++ netdev_warn(dev->net, "Bind routine FAILED");
++ cancel_work_sync(&pdata->set_multicast);
++ cancel_work_sync(&pdata->set_vlan);
++ kfree(pdata);
++ return ret;
+ }
+
+ static void lan78xx_unbind(struct lan78xx_net *dev, struct usb_interface *intf)
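Review bot: The `out1` path ends with `kfree(pdata)` but nothing visible clears the pointer through which `dev` reaches that allocation, so if the device structure still references it after a failed bind (the assignment is outside this hunk) a later unbind or deferred work item could touch freed memory or free it twice. Clear the stored pointer right after the `kfree(pdata)`, as the unbind hunk below should do too, since its `pdata = NULL` only resets the local. The three new messages also lack the terminating newline kernel log calls are expected to carry, e.g. `netdev_warn(dev->net, "Bind routine FAILED\n");`. lan78xx_bind() starts outside the hunk.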
+@@ -2891,6 +2908,8 @@ static void lan78xx_unbind(struct lan78x
+ lan78xx_remove_mdio(dev);
+
+ if (pdata) {
++ cancel_work_sync(&pdata->set_multicast);
++ cancel_work_sync(&pdata->set_vlan);
+ netif_dbg(dev, ifdown, dev->net, "free pdata");
+ kfree(pdata);
+ pdata = NULL;
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Andrew Lunn <andrew@lunn.ch>
+Date: Sat, 7 Apr 2018 20:37:40 +0200
+Subject: net: dsa: Discard frames from unused ports
+
+From: Andrew Lunn <andrew@lunn.ch>
+
+
+[ Upstream commit fc5f33768cca7144f8d793205b229d46740d183b ]
+
+The Marvell switches under some conditions will pass a frame to the
+host with the port being the CPU port. Such frames are invalid, and
+should be dropped. Not dropping them can result in a crash when
+incrementing the receive statistics for an invalid port.
+
+Reported-by: Chris Healy <cphealy@gmail.com>
+Fixes: 91da11f870f0 ("net: Distributed Switch Architecture protocol support")
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/dsa_priv.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/net/dsa/dsa_priv.h
++++ b/net/dsa/dsa_priv.h
+@@ -117,6 +117,7 @@ static inline struct net_device *dsa_mas
+ struct dsa_port *cpu_dp = dev->dsa_ptr;
+ struct dsa_switch_tree *dst = cpu_dp->dst;
+ struct dsa_switch *ds;
++ struct dsa_port *slave_port;
+
+ if (device < 0 || device >= DSA_MAX_SWITCHES)
+ return NULL;
+@@ -128,7 +129,12 @@ static inline struct net_device *dsa_mas
+ if (port < 0 || port >= ds->num_ports)
+ return NULL;
+
+- return ds->ports[port].slave;
++ slave_port = &ds->ports[port];
++
++ if (unlikely(slave_port->type != DSA_PORT_TYPE_USER))
++ return NULL;
++
++ return slave_port->slave;
+ }
+
+ /* port.c */
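Review bot: The new `slave_port->type != DSA_PORT_TYPE_USER` check has no comment, and with it the helper returns NULL for a port index that passed the range check, which callers outside this hunk must treat as "drop the frame". I would add above the check `/* only user ports have a slave netdev; frames tagged with the CPU port or an unused port are invalid and must be dropped */`. The function's signature and the `device` lookup are outside this hunk.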
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 26 Mar 2018 08:08:07 -0700
+Subject: net: fix possible out-of-bound read in skb_network_protocol()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 1dfe82ebd7d8fd43dba9948fdfb31f145014baa0 ]
+
+skb mac header is not necessarily set at the time skb_network_protocol()
+is called. Use skb->data instead.
+
+BUG: KASAN: slab-out-of-bounds in skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
+Read of size 2 at addr ffff8801b3097a0b by task syz-executor5/14242
+
+CPU: 1 PID: 14242 Comm: syz-executor5 Not tainted 4.16.0-rc6+ #280
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x24d lib/dump_stack.c:53
+ print_address_description+0x73/0x250 mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report+0x23c/0x360 mm/kasan/report.c:412
+ __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
+ skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
+ harmonize_features net/core/dev.c:2924 [inline]
+ netif_skb_features+0x509/0x9b0 net/core/dev.c:3011
+ validate_xmit_skb+0x81/0xb00 net/core/dev.c:3084
+ validate_xmit_skb_list+0xbf/0x120 net/core/dev.c:3142
+ packet_direct_xmit+0x117/0x790 net/packet/af_packet.c:256
+ packet_snd net/packet/af_packet.c:2944 [inline]
+ packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:639
+ ___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
+ __sys_sendmsg+0xe5/0x210 net/socket.c:2081
+
+Fixes: 19acc327258a ("gso: Handle Trans-Ether-Bridging protocol in skb_network_protocol()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Pravin B Shelar <pshelar@ovn.org>
+Reported-by: Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2719,7 +2719,7 @@ __be16 skb_network_protocol(struct sk_bu
+ if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr))))
+ return 0;
+
+- eth = (struct ethhdr *)skb_mac_header(skb);
++ eth = (struct ethhdr *)skb->data;
+ type = eth->h_proto;
+ }
+
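Review bot: The cast on the new line is only safe because `pskb_may_pull(skb, sizeof(struct ethhdr))` directly above guarantees that many linear bytes at `skb->data`. Nothing in the code records that, and the old `skb_mac_header()` form will look equally plausible to a later cleanup. I would add `/* mac header may be unset here (e.g. packet_direct_xmit); pskb_may_pull() above covers skb->data */` before the assignment. The enclosing condition and the rest of skb_network_protocol() are outside the hunk.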
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:26 -0700
+Subject: net: fool proof dev_valid_name()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit a9d48205d0aedda021fc3728972a9e9934c2b9de ]
+
+We want to use dev_valid_name() to validate tunnel names,
+so better use strnlen(name, IFNAMSIZ) than strlen(name) to make
+sure to not upset KASAN.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1027,7 +1027,7 @@ bool dev_valid_name(const char *name)
+ {
+ if (*name == '\0')
+ return false;
+- if (strlen(name) >= IFNAMSIZ)
++ if (strnlen(name, IFNAMSIZ) == IFNAMSIZ)
+ return false;
+ if (!strcmp(name, ".") || !strcmp(name, ".."))
+ return false;
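Review bot: The `strcmp()` calls after the new `strnlen()` line are bounded only because they run after it: once that check passes, a NUL is known to exist within the first IFNAMSIZ bytes. That ordering is now load-bearing and should be stated, e.g. `/* keep before any unbounded string call: callers may pass an unterminated IFNAMSIZ buffer */`. The `*name == '\0'` test reads a single byte before the check, which is fine for any non-empty buffer. The function continues past the end of the hunk.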
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: David Ahern <dsahern@gmail.com>
+Date: Thu, 29 Mar 2018 17:44:57 -0700
+Subject: net/ipv6: Fix route leaking between VRFs
+
+From: David Ahern <dsahern@gmail.com>
+
+
+[ Upstream commit b6cdbc85234b072340b8923e69f49ec293f905dc ]
+
+Donald reported that IPv6 route leaking between VRFs is not working.
+The root cause is the strict argument in the call to rt6_lookup when
+validating the nexthop spec.
+
+ip6_route_check_nh validates the gateway and device (if given) of a
+route spec. It in turn could call rt6_lookup (e.g., lookup in a given
+table did not succeed so it falls back to a full lookup) and if so
+sets the strict argument to 1. That means if the egress device is given,
+the route lookup needs to return a result with the same device. This
+strict requirement does not work with VRFs (IPv4 or IPv6) because the
+oif in the flow struct is overridden with the index of the VRF device
+to trigger a match on the l3mdev rule and force the lookup to its table.
+
+The right long term solution is to add an l3mdev index to the flow
+struct such that the oif is not overridden. That solution will not
+backport well, so this patch aims for a simpler solution to relax the
+strict argument if the route spec device is an l3mdev slave. As done
+in other places, use the FLOWI_FLAG_SKIP_NH_OIF to know that the
+RT6_LOOKUP_F_IFACE flag needs to be removed.
+
+Fixes: ca254490c8df ("net: Add VRF support to IPv6 stack")
+Reported-by: Donald Sharp <sharpd@cumulusnetworks.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -922,6 +922,9 @@ static struct rt6_info *ip6_pol_route_lo
+ struct rt6_info *rt, *rt_cache;
+ struct fib6_node *fn;
+
++ if (fl6->flowi6_flags & FLOWI_FLAG_SKIP_NH_OIF)
++ flags &= ~RT6_LOOKUP_F_IFACE;
++
+ rcu_read_lock();
+ fn = fib6_lookup(&table->tb6_root, &fl6->daddr, &fl6->saddr);
+ restart:
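Review bot: Clearing `RT6_LOOKUP_F_IFACE` here applies to every lookup that reaches ip6_pol_route_lookup() with `FLOWI_FLAG_SKIP_NH_OIF` set, not only to the nexthop validation the commit message describes. The result may therefore be a route on a different device than the requested oif. Because this loosens a device-match constraint on a VRF-related path, the code should say what the flag implies, e.g. `/* oif was replaced by the l3mdev master index, so a strict device match cannot succeed */` above the test. Where the flag gets set is outside the hunk, and the function body continues past it.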
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Jeff Barnhill <0xeffeff@gmail.com>
+Date: Thu, 5 Apr 2018 21:29:47 +0000
+Subject: net/ipv6: Increment OUTxxx counters after netfilter hook
+
+From: Jeff Barnhill <0xeffeff@gmail.com>
+
+
+[ Upstream commit 71a1c915238c970cd9bdd5bf158b1279d6b6d55b ]
+
+At the end of ip6_forward(), IPSTATS_MIB_OUTFORWDATAGRAMS and
+IPSTATS_MIB_OUTOCTETS are incremented immediately before the NF_HOOK call
+for NFPROTO_IPV6 / NF_INET_FORWARD. As a result, these counters get
+incremented regardless of whether or not the netfilter hook allows the
+packet to continue being processed. This change increments the counters
+in ip6_forward_finish() so that it will not happen if the netfilter hook
+chooses to terminate the packet, which is similar to how IPv4 works.
+
+Signed-off-by: Jeff Barnhill <0xeffeff@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -375,6 +375,11 @@ static int ip6_forward_proxy_check(struc
+ static inline int ip6_forward_finish(struct net *net, struct sock *sk,
+ struct sk_buff *skb)
+ {
++ struct dst_entry *dst = skb_dst(skb);
++
++ __IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
++ __IP6_ADD_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTOCTETS, skb->len);
++
+ return dst_output(net, sk, skb);
+ }
+
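Review bot: `ip6_dst_idev(dst)` is evaluated twice in the added lines of ip6_forward_finish(). Looking it up once keeps both counters tied to the same device: `struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));`, then `__IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTFORWDATAGRAMS);` and `__IP6_ADD_STATS(net, idev, IPSTATS_MIB_OUTOCTETS, skb->len);`. A one-line comment that the counters sit here so packets dropped by the NF_INET_FORWARD hook are not counted would keep a later cleanup from moving them back into ip6_forward().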
+@@ -568,8 +573,6 @@ int ip6_forward(struct sk_buff *skb)
+
+ hdr->hop_limit--;
+
+- __IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
+- __IP6_ADD_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTOCTETS, skb->len);
+ return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD,
+ net, NULL, skb, skb->dev, dst->dev,
+ ip6_forward_finish);
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Moshe Shemesh <moshe@mellanox.com>
+Date: Tue, 27 Mar 2018 14:41:19 +0300
+Subject: net/mlx4_core: Fix memory leak while delete slave's resources
+
+From: Moshe Shemesh <moshe@mellanox.com>
+
+
+[ Upstream commit 461d5f1b59490ce0096dfda45e10038c122a7892 ]
+
+mlx4_delete_all_resources_for_slave in resource tracker should free all
+memory allocated for a slave.
+While releasing memory of fs_rule, it misses releasing memory of
+fs_rule->mirr_mbox.
+
+Fixes: 78efed275117 ('net/mlx4_core: Support mirroring VF DMFS rules on both ports')
+Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
++++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
+@@ -5088,6 +5088,7 @@ static void rem_slave_fs_rule(struct mlx
+ &tracker->res_tree[RES_FS_RULE]);
+ list_del(&fs_rule->com.list);
+ spin_unlock_irq(mlx4_tlock(dev));
++ kfree(fs_rule->mirr_mbox);
+ kfree(fs_rule);
+ state = 0;
+ break;
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Eran Ben Elisha <eranbe@mellanox.com>
+Date: Tue, 27 Mar 2018 14:41:18 +0300
+Subject: net/mlx4_en: Fix mixed PFC and Global pause user control requests
+
+From: Eran Ben Elisha <eranbe@mellanox.com>
+
+
+[ Upstream commit 6e8814ceb7e8f468659ef9253bd212c07ae19584 ]
+
+Global pause and PFC configuration should be mutually exclusive (i.e. only
+one of them at most can be set). However, once PFC was turned off,
+driver automatically turned Global pause on. This is a bug.
+
+Fix the driver behaviour to turn off PFC/Global once the user turned the
+other on.
+
+This also fixed a weird behaviour that at a current time, the profile
+had both PFC and global pause configuration turned on, which is
+Hardware-wise impossible and caused returning false positive indication
+to query tools.
+
+In addition, fix error code when setting global pause or PFC to change
+metadata only upon successful change.
+
+Also, removed useless debug print.
+
+Fixes: af7d51852631 ("net/mlx4_en: Add DCB PFC support through CEE netlink commands")
+Fixes: c27a02cd94d6 ("mlx4_en: Add driver for Mellanox ConnectX 10GbE NIC")
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c | 72 +++++++++++++-----------
+ drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 33 ++++++-----
+ drivers/net/ethernet/mellanox/mlx4/en_main.c | 4 -
+ 3 files changed, 62 insertions(+), 47 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c
+@@ -156,57 +156,63 @@ static int mlx4_en_dcbnl_getnumtcs(struc
+ static u8 mlx4_en_dcbnl_set_all(struct net_device *netdev)
+ {
+ struct mlx4_en_priv *priv = netdev_priv(netdev);
++ struct mlx4_en_port_profile *prof = priv->prof;
+ struct mlx4_en_dev *mdev = priv->mdev;
++ u8 tx_pause, tx_ppp, rx_pause, rx_ppp;
+
+ if (!(priv->dcbx_cap & DCB_CAP_DCBX_VER_CEE))
+ return 1;
+
+ if (priv->cee_config.pfc_state) {
+ int tc;
++ rx_ppp = prof->rx_ppp;
++ tx_ppp = prof->tx_ppp;
+
+- priv->prof->rx_pause = 0;
+- priv->prof->tx_pause = 0;
+ for (tc = 0; tc < CEE_DCBX_MAX_PRIO; tc++) {
+ u8 tc_mask = 1 << tc;
+
+ switch (priv->cee_config.dcb_pfc[tc]) {
+ case pfc_disabled:
+- priv->prof->tx_ppp &= ~tc_mask;
+- priv->prof->rx_ppp &= ~tc_mask;
++ tx_ppp &= ~tc_mask;
++ rx_ppp &= ~tc_mask;
+ break;
+ case pfc_enabled_full:
+- priv->prof->tx_ppp |= tc_mask;
+- priv->prof->rx_ppp |= tc_mask;
++ tx_ppp |= tc_mask;
++ rx_ppp |= tc_mask;
+ break;
+ case pfc_enabled_tx:
+- priv->prof->tx_ppp |= tc_mask;
+- priv->prof->rx_ppp &= ~tc_mask;
++ tx_ppp |= tc_mask;
++ rx_ppp &= ~tc_mask;
+ break;
+ case pfc_enabled_rx:
+- priv->prof->tx_ppp &= ~tc_mask;
+- priv->prof->rx_ppp |= tc_mask;
++ tx_ppp &= ~tc_mask;
++ rx_ppp |= tc_mask;
+ break;
+ default:
+ break;
+ }
+ }
+- en_dbg(DRV, priv, "Set pfc on\n");
++ rx_pause = !!(rx_ppp || tx_ppp) ? 0 : prof->rx_pause;
++ tx_pause = !!(rx_ppp || tx_ppp) ? 0 : prof->tx_pause;
+ } else {
+- priv->prof->rx_pause = 1;
+- priv->prof->tx_pause = 1;
+- en_dbg(DRV, priv, "Set pfc off\n");
++ rx_ppp = 0;
++ tx_ppp = 0;
++ rx_pause = prof->rx_pause;
++ tx_pause = prof->tx_pause;
+ }
+
+ if (mlx4_SET_PORT_general(mdev->dev, priv->port,
+ priv->rx_skb_size + ETH_FCS_LEN,
+- priv->prof->tx_pause,
+- priv->prof->tx_ppp,
+- priv->prof->rx_pause,
+- priv->prof->rx_ppp)) {
++ tx_pause, tx_ppp, rx_pause, rx_ppp)) {
+ en_err(priv, "Failed setting pause params\n");
+ return 1;
+ }
+
++ prof->tx_ppp = tx_ppp;
++ prof->rx_ppp = rx_ppp;
++ prof->tx_pause = tx_pause;
++ prof->rx_pause = rx_pause;
++
+ return 0;
+ }
+
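Review bot: In the added `rx_pause = !!(rx_ppp || tx_ppp) ? 0 : prof->rx_pause;` and the matching `tx_pause` line, the `!!` is redundant because `||` already yields 0 or 1. `rx_pause = (rx_ppp || tx_ppp) ? 0 : prof->rx_pause;` reads more clearly. The added `rx_ppp = prof->rx_ppp;` also follows `int tc;` without the blank line kernel style puts between declarations and statements. The `default:` case leaves that priority's bits at whatever the profile held before, which deserves a comment if it is intended.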
+@@ -408,6 +414,7 @@ static int mlx4_en_dcbnl_ieee_setpfc(str
+ struct mlx4_en_priv *priv = netdev_priv(dev);
+ struct mlx4_en_port_profile *prof = priv->prof;
+ struct mlx4_en_dev *mdev = priv->mdev;
++ u32 tx_pause, tx_ppp, rx_pause, rx_ppp;
+ int err;
+
+ en_dbg(DRV, priv, "cap: 0x%x en: 0x%x mbc: 0x%x delay: %d\n",
+@@ -416,23 +423,26 @@ static int mlx4_en_dcbnl_ieee_setpfc(str
+ pfc->mbc,
+ pfc->delay);
+
+- prof->rx_pause = !pfc->pfc_en;
+- prof->tx_pause = !pfc->pfc_en;
+- prof->rx_ppp = pfc->pfc_en;
+- prof->tx_ppp = pfc->pfc_en;
++ rx_pause = prof->rx_pause && !pfc->pfc_en;
++ tx_pause = prof->tx_pause && !pfc->pfc_en;
++ rx_ppp = pfc->pfc_en;
++ tx_ppp = pfc->pfc_en;
+
+ err = mlx4_SET_PORT_general(mdev->dev, priv->port,
+ priv->rx_skb_size + ETH_FCS_LEN,
+- prof->tx_pause,
+- prof->tx_ppp,
+- prof->rx_pause,
+- prof->rx_ppp);
+- if (err)
++ tx_pause, tx_ppp, rx_pause, rx_ppp);
++ if (err) {
+ en_err(priv, "Failed setting pause params\n");
+- else
+- mlx4_en_update_pfc_stats_bitmap(mdev->dev, &priv->stats_bitmap,
+- prof->rx_ppp, prof->rx_pause,
+- prof->tx_ppp, prof->tx_pause);
++ return err;
++ }
++
++ mlx4_en_update_pfc_stats_bitmap(mdev->dev, &priv->stats_bitmap,
++ rx_ppp, rx_pause, tx_ppp, tx_pause);
++
++ prof->tx_ppp = tx_ppp;
++ prof->rx_ppp = rx_ppp;
++ prof->rx_pause = rx_pause;
++ prof->tx_pause = tx_pause;
+
+ return err;
+ }
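Review bot: The temporaries in mlx4_en_dcbnl_ieee_setpfc() are declared `u32` (previous hunk), while mlx4_en_dcbnl_set_all() and mlx4_en_set_pauseparam() in this same commit use `u8` for the same four values. All three write them back into the same profile fields, so `u8 tx_pause, tx_ppp, rx_pause, rx_ppp;` here would keep them consistent and avoid an implicit narrowing on the store. After the new early `return err;`, the final `return err;` can only return 0, so `return 0;` states the intent. The function starts outside this hunk.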
+--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+@@ -1046,27 +1046,32 @@ static int mlx4_en_set_pauseparam(struct
+ {
+ struct mlx4_en_priv *priv = netdev_priv(dev);
+ struct mlx4_en_dev *mdev = priv->mdev;
++ u8 tx_pause, tx_ppp, rx_pause, rx_ppp;
+ int err;
+
+ if (pause->autoneg)
+ return -EINVAL;
+
+- priv->prof->tx_pause = pause->tx_pause != 0;
+- priv->prof->rx_pause = pause->rx_pause != 0;
++ tx_pause = !!(pause->tx_pause);
++ rx_pause = !!(pause->rx_pause);
++ rx_ppp = priv->prof->rx_ppp && !(tx_pause || rx_pause);
++ tx_ppp = priv->prof->tx_ppp && !(tx_pause || rx_pause);
++
+ err = mlx4_SET_PORT_general(mdev->dev, priv->port,
+ priv->rx_skb_size + ETH_FCS_LEN,
+- priv->prof->tx_pause,
+- priv->prof->tx_ppp,
+- priv->prof->rx_pause,
+- priv->prof->rx_ppp);
+- if (err)
+- en_err(priv, "Failed setting pause params\n");
+- else
+- mlx4_en_update_pfc_stats_bitmap(mdev->dev, &priv->stats_bitmap,
+- priv->prof->rx_ppp,
+- priv->prof->rx_pause,
+- priv->prof->tx_ppp,
+- priv->prof->tx_pause);
++ tx_pause, tx_ppp, rx_pause, rx_ppp);
++ if (err) {
++ en_err(priv, "Failed setting pause params, err = %d\n", err);
++ return err;
++ }
++
++ mlx4_en_update_pfc_stats_bitmap(mdev->dev, &priv->stats_bitmap,
++ rx_ppp, rx_pause, tx_ppp, tx_pause);
++
++ priv->prof->tx_pause = tx_pause;
++ priv->prof->rx_pause = rx_pause;
++ priv->prof->tx_ppp = tx_ppp;
++ priv->prof->rx_ppp = rx_ppp;
+
+ return err;
+ }
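Review bot: `rx_ppp = priv->prof->rx_ppp && !(tx_pause || rx_pause);` and the `tx_ppp` line below it reduce the PFC value to 0 or 1. The en_dcb_nl.c hunk of this commit builds the same fields as per-priority bitmasks (`tx_ppp |= tc_mask`). With both pause flags cleared, a previously configured mask (0x0c, for example) would be passed to `mlx4_SET_PORT_general()` and stored back in the profile as 1, silently changing which priorities have PFC enabled. A conditional preserves the mask: `rx_ppp = (tx_pause || rx_pause) ? 0 : priv->prof->rx_ppp;` and `tx_ppp = (tx_pause || rx_pause) ? 0 : priv->prof->tx_ppp;`.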
+--- a/drivers/net/ethernet/mellanox/mlx4/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_main.c
+@@ -163,9 +163,9 @@ static void mlx4_en_get_profile(struct m
+ params->udp_rss = 0;
+ }
+ for (i = 1; i <= MLX4_MAX_PORTS; i++) {
+- params->prof[i].rx_pause = 1;
++ params->prof[i].rx_pause = !(pfcrx || pfctx);
+ params->prof[i].rx_ppp = pfcrx;
+- params->prof[i].tx_pause = 1;
++ params->prof[i].tx_pause = !(pfcrx || pfctx);
+ params->prof[i].tx_ppp = pfctx;
+ params->prof[i].tx_ring_size = MLX4_EN_DEF_TX_RING_SIZE;
+ params->prof[i].rx_ring_size = MLX4_EN_DEF_RX_RING_SIZE;
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Or Gerlitz <ogerlitz@mellanox.com>
+Date: Tue, 13 Mar 2018 21:43:43 +0200
+Subject: net/mlx5e: Avoid using the ipv6 stub in the TC offload neigh update path
+
+From: Or Gerlitz <ogerlitz@mellanox.com>
+
+
+[ Upstream commit 423c9db29943cfc43e3a408192e9efa4178af6a1 ]
+
+Currently we use the global ipv6_stub var to access the ipv6 global
+nd table. This practice gets us to troubles when the stub is only partially
+set e.g when ipv6 is loaded under the disabled policy. In this case, as of commit
+343d60aada5a ("ipv6: change ipv6_stub_impl.ipv6_dst_lookup to take net argument")
+the stub is not null, but stub->nd_tbl is and we crash.
+
+As we can access the ipv6 nd_tbl directly, the fix is just to avoid the
+reference through the stub. There is one place in the code where we
+issue ipv6 route lookup and keep doing it through the stub, but that
+mentioned commit makes sure we get -EAFNOSUPPORT from the stack.
+
+Fixes: 232c001398ae ("net/mlx5e: Add support to neighbour update flow")
+Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+Reviewed-by: Aviv Heller <avivh@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 6 +++---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -231,7 +231,7 @@ void mlx5e_remove_sqs_fwd_rules(struct m
+ static void mlx5e_rep_neigh_update_init_interval(struct mlx5e_rep_priv *rpriv)
+ {
+ #if IS_ENABLED(CONFIG_IPV6)
+- unsigned long ipv6_interval = NEIGH_VAR(&ipv6_stub->nd_tbl->parms,
++ unsigned long ipv6_interval = NEIGH_VAR(&nd_tbl.parms,
+ DELAY_PROBE_TIME);
+ #else
+ unsigned long ipv6_interval = ~0UL;
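Review bot: Referencing `nd_tbl` directly creates a link-time dependency on the ipv6 code, and `IS_ENABLED(CONFIG_IPV6)` is also true when ipv6 is built as a module. If this driver can be built in while ipv6 is modular, `&nd_tbl` will not resolve. No Kconfig change is part of this patch, so the existing dependency should be confirmed to exclude that combination, or the guards narrowed to `#if IS_REACHABLE(CONFIG_IPV6)`. The same applies to the two later hunks in en_rep.c and to the en_tc.c hunk.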
+@@ -367,7 +367,7 @@ static int mlx5e_rep_netevent_event(stru
+ case NETEVENT_NEIGH_UPDATE:
+ n = ptr;
+ #if IS_ENABLED(CONFIG_IPV6)
+- if (n->tbl != ipv6_stub->nd_tbl && n->tbl != &arp_tbl)
++ if (n->tbl != &nd_tbl && n->tbl != &arp_tbl)
+ #else
+ if (n->tbl != &arp_tbl)
+ #endif
+@@ -415,7 +415,7 @@ static int mlx5e_rep_netevent_event(stru
+ * done per device delay prob time parameter.
+ */
+ #if IS_ENABLED(CONFIG_IPV6)
+- if (!p->dev || (p->tbl != ipv6_stub->nd_tbl && p->tbl != &arp_tbl))
++ if (!p->dev || (p->tbl != &nd_tbl && p->tbl != &arp_tbl))
+ #else
+ if (!p->dev || p->tbl != &arp_tbl)
+ #endif
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -495,7 +495,7 @@ void mlx5e_tc_update_neigh_used_value(st
+ tbl = &arp_tbl;
+ #if IS_ENABLED(CONFIG_IPV6)
+ else if (m_neigh->family == AF_INET6)
+- tbl = ipv6_stub->nd_tbl;
++ tbl = &nd_tbl;
+ #endif
+ else
+ return;
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Jianbo Liu <jianbol@mellanox.com>
+Date: Fri, 2 Mar 2018 02:09:08 +0000
+Subject: net/mlx5e: Don't override vport admin link state in switchdev mode
+
+From: Jianbo Liu <jianbol@mellanox.com>
+
+
+The vport admin original link state will be re-applied after returning
+back to legacy mode, it is not right to change the admin link state value
+when in switchdev mode.
+
+Use direct vport commands to alter logical vport state in netdev
+representor open/close flows rather than the administrative eswitch API.
+
+Fixes: 20a1ea674783 ('net/mlx5e: Support VF vport link state control for SRIOV switchdev mode')
+Signed-off-by: Jianbo Liu <jianbol@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Reviewed-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -611,7 +611,6 @@ static int mlx5e_rep_open(struct net_dev
+ struct mlx5e_priv *priv = netdev_priv(dev);
+ struct mlx5e_rep_priv *rpriv = priv->ppriv;
+ struct mlx5_eswitch_rep *rep = rpriv->rep;
+- struct mlx5_eswitch *esw = priv->mdev->priv.eswitch;
+ int err;
+
+ mutex_lock(&priv->state_lock);
+@@ -619,8 +618,9 @@ static int mlx5e_rep_open(struct net_dev
+ if (err)
+ goto unlock;
+
+- if (!mlx5_eswitch_set_vport_state(esw, rep->vport,
+- MLX5_ESW_VPORT_ADMIN_STATE_UP))
++ if (!mlx5_modify_vport_admin_state(priv->mdev,
++ MLX5_QUERY_VPORT_STATE_IN_OP_MOD_ESW_VPORT,
++ rep->vport, MLX5_ESW_VPORT_ADMIN_STATE_UP))
+ netif_carrier_on(dev);
+
+ unlock:
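Review bot: A failure of `mlx5_modify_vport_admin_state()` in mlx5e_rep_open() is now the only reason the carrier stays off, yet nothing is logged and the open path carries on without reporting it. I would add an `else` branch with a `netdev_warn()` naming the vport, so a representor that never gets carrier can be diagnosed. In mlx5e_rep_close() (next hunk) the return value is dropped without the `(void)` cast the removed line carried; keeping the cast shows the result is ignored on purpose. Both functions start outside their hunks.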
+@@ -633,11 +633,12 @@ static int mlx5e_rep_close(struct net_de
+ struct mlx5e_priv *priv = netdev_priv(dev);
+ struct mlx5e_rep_priv *rpriv = priv->ppriv;
+ struct mlx5_eswitch_rep *rep = rpriv->rep;
+- struct mlx5_eswitch *esw = priv->mdev->priv.eswitch;
+ int ret;
+
+ mutex_lock(&priv->state_lock);
+- (void)mlx5_eswitch_set_vport_state(esw, rep->vport, MLX5_ESW_VPORT_ADMIN_STATE_DOWN);
++ mlx5_modify_vport_admin_state(priv->mdev,
++ MLX5_QUERY_VPORT_STATE_IN_OP_MOD_ESW_VPORT,
++ rep->vport, MLX5_ESW_VPORT_ADMIN_STATE_DOWN);
+ ret = mlx5e_close_locked(dev);
+ mutex_unlock(&priv->state_lock);
+ return ret;
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Jianbo Liu <jianbol@mellanox.com>
+Date: Thu, 8 Mar 2018 09:20:55 +0000
+Subject: net/mlx5e: Fix memory usage issues in offloading TC flows
+
+From: Jianbo Liu <jianbol@mellanox.com>
+
+
+[ Upstream commit af1607c37d9d85a66fbcf43b7f11bf3d94b9bb69 ]
+
+For NIC flows, the parsed attributes are not freed when we exit
+successfully from mlx5e_configure_flower().
+
+There is possible double free for eswitch flows. If error is returned
+from rhashtable_insert_fast(), the parse attrs will be freed in
+mlx5e_tc_del_flow(), but they will be freed again before exiting
+mlx5e_configure_flower().
+
+To fix both issues we do the following:
+(1) change the condition that determines if to issue the free call to
+ check if this flow is NIC flow, or it does not have encap action.
+(2) reorder the code such that that the check and free calls are done
+ before we attempt to add into the hash table.
+
+Fixes: 232c001398ae ('net/mlx5e: Add support to neighbour update flow')
+Signed-off-by: Jianbo Liu <jianbol@mellanox.com>
+Reviewed-by: Or Gerlitz <ogerlitz@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -2102,19 +2102,19 @@ int mlx5e_configure_flower(struct mlx5e_
+ if (err != -EAGAIN)
+ flow->flags |= MLX5E_TC_FLOW_OFFLOADED;
+
++ if (!(flow->flags & MLX5E_TC_FLOW_ESWITCH) ||
++ !(flow->esw_attr->action & MLX5_FLOW_CONTEXT_ACTION_ENCAP))
++ kvfree(parse_attr);
++
+ err = rhashtable_insert_fast(&tc->ht, &flow->node,
+ tc->ht_params);
+- if (err)
+- goto err_del_rule;
++ if (err) {
++ mlx5e_tc_del_flow(priv, flow);
++ kfree(flow);
++ }
+
+- if (flow->flags & MLX5E_TC_FLOW_ESWITCH &&
+- !(flow->esw_attr->action & MLX5_FLOW_CONTEXT_ACTION_ENCAP))
+- kvfree(parse_attr);
+ return err;
+
+-err_del_rule:
+- mlx5e_tc_del_flow(priv, flow);
+-
+ err_free:
+ kvfree(parse_attr);
+ kfree(flow);
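Review bot: After the added `kvfree(parse_attr)` the flow is still inserted into the hash table and, if the insert fails, handed to `mlx5e_tc_del_flow()`. Any pointer to `parse_attr` kept inside the flow's attributes is dangling from that point on. Whether such a pointer is kept or dereferenced for non-encap flows is not visible in this hunk and should be confirmed. The ownership rule the condition encodes should be written down above the `if`, e.g. `/* parse_attr outlives this call only for eswitch encap flows, where del_flow frees it */`. The function starts outside the hunk.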
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Roi Dayan <roid@mellanox.com>
+Date: Wed, 28 Feb 2018 12:56:42 +0200
+Subject: net/mlx5e: Fix traffic being dropped on VF representor
+
+From: Roi Dayan <roid@mellanox.com>
+
+
+[ Upstream commit 4246f698dd58e3c6246fa919ef0b0a1d29a57e4a ]
+
+Increase representor netdev RQ size to avoid dropped packets.
+The current size (two) is just too small to keep up with
+conventional slow path traffic patterns.
+Also match the SQ size to the RQ size.
+
+Fixes: cb67b832921c ("net/mlx5e: Introduce SRIOV VF representors")
+Signed-off-by: Roi Dayan <roid@mellanox.com>
+Reviewed-by: Paul Blakey <paulb@mellanox.com>
+Reviewed-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -44,6 +44,11 @@
+ #include "en_tc.h"
+ #include "fs_core.h"
+
++#define MLX5E_REP_PARAMS_LOG_SQ_SIZE \
++ max(0x6, MLX5E_PARAMS_MINIMUM_LOG_SQ_SIZE)
++#define MLX5E_REP_PARAMS_LOG_RQ_SIZE \
++ max(0x6, MLX5E_PARAMS_MINIMUM_LOG_RQ_SIZE)
++
+ static const char mlx5e_rep_driver_name[] = "mlx5e_rep";
+
+ static void mlx5e_rep_get_drvinfo(struct net_device *dev,
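Review bot: The literal `0x6` in both new macros is a log2 queue size (64 entries) written in hex, with nothing in the code saying why 64 was picked over the previous minimum. A decimal `6` with a comment such as `/* log2: 64 entries, sized for slow-path traffic on a representor */` above the two defines would make the unit and the reason clear.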
+@@ -824,9 +829,9 @@ static void mlx5e_build_rep_params(struc
+ MLX5_CQ_PERIOD_MODE_START_FROM_CQE :
+ MLX5_CQ_PERIOD_MODE_START_FROM_EQE;
+
+- params->log_sq_size = MLX5E_PARAMS_MINIMUM_LOG_SQ_SIZE;
++ params->log_sq_size = MLX5E_REP_PARAMS_LOG_SQ_SIZE;
+ params->rq_wq_type = MLX5_WQ_TYPE_LINKED_LIST;
+- params->log_rq_size = MLX5E_PARAMS_MINIMUM_LOG_RQ_SIZE;
++ params->log_rq_size = MLX5E_REP_PARAMS_LOG_RQ_SIZE;
+
+ params->rx_am_enabled = MLX5_CAP_GEN(mdev, cq_moderation);
+ mlx5e_set_rx_cq_mode_params(params, cq_period_mode);
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Tal Gilboa <talgi@mellanox.com>
+Date: Fri, 30 Mar 2018 15:50:08 -0700
+Subject: net/mlx5e: Set EQE based as default TX interrupt moderation mode
+
+From: Tal Gilboa <talgi@mellanox.com>
+
+
+[ Upstream commit 48bfc39791b8b4a25f165e711f18b9c1617cefbc ]
+
+The default TX moderation mode was mistakenly set to CQE based. The
+intention was to add a control ability in order to improve some specific
+use-cases. In general, we prefer to use EQE based moderation as it gives
+much better numbers for the common cases.
+
+CQE based causes a degradation in the common case since it resets the
+moderation timer on CQE generation. This causes an issue when TSO is
+well utilized (large TSO sessions). The timer is set to 16us so traffic
+of ~64KB TSO sessions per second would mean timer reset (CQE per TSO
+session -> long time between CQEs). In this case we quickly reach the
+tcp_limit_output_bytes (256KB by default) and cause a halt in TX traffic.
+
+By setting EQE based moderation we make sure timer would expire after
+16us regardless of the packet rate.
+This fixes an up to 40% packet rate and up to 23% bandwidth degradtions.
+
+Fixes: 0088cbbc4b66 ("net/mlx5e: Enable CQE based moderation on TX CQ")
+Signed-off-by: Tal Gilboa <talgi@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -4075,7 +4075,7 @@ void mlx5e_build_nic_params(struct mlx5_
+ struct mlx5e_params *params,
+ u16 max_channels)
+ {
+- u8 cq_period_mode = 0;
++ u8 rx_cq_period_mode;
+ u32 link_speed = 0;
+ u32 pci_bw = 0;
+
+@@ -4111,12 +4111,12 @@ void mlx5e_build_nic_params(struct mlx5_
+ params->lro_timeout = mlx5e_choose_lro_timeout(mdev, MLX5E_DEFAULT_LRO_TIMEOUT);
+
+ /* CQ moderation params */
+- cq_period_mode = MLX5_CAP_GEN(mdev, cq_period_start_from_cqe) ?
++ rx_cq_period_mode = MLX5_CAP_GEN(mdev, cq_period_start_from_cqe) ?
+ MLX5_CQ_PERIOD_MODE_START_FROM_CQE :
+ MLX5_CQ_PERIOD_MODE_START_FROM_EQE;
+ params->rx_am_enabled = MLX5_CAP_GEN(mdev, cq_moderation);
+- mlx5e_set_rx_cq_mode_params(params, cq_period_mode);
+- mlx5e_set_tx_cq_mode_params(params, cq_period_mode);
++ mlx5e_set_rx_cq_mode_params(params, rx_cq_period_mode);
++ mlx5e_set_tx_cq_mode_params(params, MLX5_CQ_PERIOD_MODE_START_FROM_EQE);
+
+ /* TX inline */
+ params->tx_max_inline = mlx5e_get_max_inline_cap(mdev);
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Shahar Klein <shahark@mellanox.com>
+Date: Tue, 20 Mar 2018 14:44:40 +0200
+Subject: net/mlx5e: Sync netdev vxlan ports at open
+
+From: Shahar Klein <shahark@mellanox.com>
+
+
+[ Upstream commit a117f73dc2430443f23e18367fa545981129c1a6 ]
+
+When mlx5_core is loaded it is expected to sync ports
+with all vxlan devices so it can support vxlan encap/decap.
+This is done via udp_tunnel_get_rx_info(). Currently this
+call is set in mlx5e_nic_enable() and if the netdev is not in
+NETREG_REGISTERED state it will not be called.
+
+Normally on load the netdev state is not NETREG_REGISTERED
+so udp_tunnel_get_rx_info() will not be called.
+
+Moving udp_tunnel_get_rx_info() to mlx5e_open() so
+it will be called on netdev UP event and allow encap/decap.
+
+Fixes: 610e89e05c3f ("net/mlx5e: Don't sync netdev state when not registered")
+Signed-off-by: Shahar Klein <shahark@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -2715,6 +2715,9 @@ int mlx5e_open(struct net_device *netdev
+ mlx5_set_port_admin_status(priv->mdev, MLX5_PORT_UP);
+ mutex_unlock(&priv->state_lock);
+
++ if (mlx5e_vxlan_allowed(priv->mdev))
++ udp_tunnel_get_rx_info(netdev);
++
+ return err;
+ }
+
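Review bot: `udp_tunnel_get_rx_info(netdev)` now runs even when the open failed, because the added block does not look at `err`. `if (!err && mlx5e_vxlan_allowed(priv->mdev))` would skip the port sync for a device that did not come up. The call removed from mlx5e_nic_enable() took `rtnl_lock()` itself, while the new one relies on the caller holding it. That is expected on the ndo_open path, but any other caller of mlx5e_open() is outside this hunk and should be checked. The function starts outside the hunk.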
+@@ -4428,12 +4431,6 @@ static void mlx5e_nic_enable(struct mlx5
+ #ifdef CONFIG_MLX5_CORE_EN_DCB
+ mlx5e_dcbnl_init_app(priv);
+ #endif
+- /* Device already registered: sync netdev system state */
+- if (mlx5e_vxlan_allowed(mdev)) {
+- rtnl_lock();
+- udp_tunnel_get_rx_info(netdev);
+- rtnl_unlock();
+- }
+
+ queue_work(priv->wq, &priv->set_rx_mode_work);
+
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Moshe Shemesh <moshe@mellanox.com>
+Date: Thu, 15 Feb 2018 12:41:48 +0200
+Subject: net/mlx5e: Verify coalescing parameters in range
+
+From: Moshe Shemesh <moshe@mellanox.com>
+
+
+[ Upstream commit b392a2078b5e0094ff38aa0c9d2a31b3f607d4ef ]
+
+Add check of coalescing parameters received through ethtool are within
+range of values supported by the HW.
+Driver gets the coalescing rx/tx-usecs and rx/tx-frames as set by the
+users through ethtool. The ethtool support up to 32 bit value for each.
+However, mlx5 modify cq limits the coalescing time parameter to 12 bit
+and coalescing frames parameters to 16 bits.
+Return out of range error if user tries to set these parameters to
+higher values.
+
+Fixes: f62b8bb8f2d3 ('net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality')
+Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -492,6 +492,9 @@ static int mlx5e_get_coalesce(struct net
+ return mlx5e_ethtool_get_coalesce(priv, coal);
+ }
+
++#define MLX5E_MAX_COAL_TIME MLX5_MAX_CQ_PERIOD
++#define MLX5E_MAX_COAL_FRAMES MLX5_MAX_CQ_COUNT
++
+ static void
+ mlx5e_set_priv_channels_coalesce(struct mlx5e_priv *priv, struct ethtool_coalesce *coal)
+ {
+@@ -526,6 +529,20 @@ int mlx5e_ethtool_set_coalesce(struct ml
+ if (!MLX5_CAP_GEN(mdev, cq_moderation))
+ return -EOPNOTSUPP;
+
++ if (coal->tx_coalesce_usecs > MLX5E_MAX_COAL_TIME ||
++ coal->rx_coalesce_usecs > MLX5E_MAX_COAL_TIME) {
++ netdev_info(priv->netdev, "%s: maximum coalesce time supported is %lu usecs\n",
++ __func__, MLX5E_MAX_COAL_TIME);
++ return -ERANGE;
++ }
++
++ if (coal->tx_max_coalesced_frames > MLX5E_MAX_COAL_FRAMES ||
++ coal->rx_max_coalesced_frames > MLX5E_MAX_COAL_FRAMES) {
++ netdev_info(priv->netdev, "%s: maximum coalesced frames supported is %lu\n",
++ __func__, MLX5E_MAX_COAL_FRAMES);
++ return -ERANGE;
++ }
++
+ mutex_lock(&priv->state_lock);
+ new_channels.params = priv->channels.params;
+
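Review bot: The two limit macros added above mlx5e_set_priv_channels_coalesce carry no comment saying what they bound, and the range checks in mlx5e_ethtool_set_coalesce log one message for both directions, so the log does not say whether the tx or the rx value was rejected. I would document the macros, e.g. `/* Upper bounds accepted by modify-CQ: period in usecs, count in frames */`, and consider naming the offending field in each message. The `%lu` specifiers rely on MLX5_MAX_CQ_PERIOD and MLX5_MAX_CQ_COUNT expanding to unsigned long; their definitions are outside this patch, so that should be confirmed. The function body continues past the end of the hunk.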
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Craig Dillabaugh <cdillaba@mojatatu.com>
+Date: Mon, 26 Mar 2018 14:58:32 -0400
+Subject: net sched actions: fix dumping which requires several messages to user space
+
+From: Craig Dillabaugh <cdillaba@mojatatu.com>
+
+
+[ Upstream commit 734549eb550c0c720bc89e50501f1b1e98cdd841 ]
+
+Fixes a bug in the tcf_dump_walker function that can cause some actions
+to not be reported when dumping a large number of actions. This issue
+became more aggravated when cookies feature was added. In particular
+this issue is manifest when large cookie values are assigned to the
+actions and when enough actions are created that the resulting table
+must be dumped in multiple batches.
+
+The number of actions returned in each batch is limited by the total
+number of actions and the memory buffer size. With small cookies
+the numeric limit is reached before the buffer size limit, which avoids
+the code path triggering this bug. When large cookies are used buffer
+fills before the numeric limit, and the erroneous code path is hit.
+
+For example after creating 32 csum actions with the cookie
+aaaabbbbccccdddd
+
+$ tc actions ls action csum
+total acts 26
+
+ action order 0: csum (tcp) action continue
+ index 1 ref 1 bind 0
+ cookie aaaabbbbccccdddd
+
+ .....
+
+ action order 25: csum (tcp) action continue
+ index 26 ref 1 bind 0
+ cookie aaaabbbbccccdddd
+total acts 6
+
+ action order 0: csum (tcp) action continue
+ index 28 ref 1 bind 0
+ cookie aaaabbbbccccdddd
+
+ ......
+
+ action order 5: csum (tcp) action continue
+ index 32 ref 1 bind 0
+ cookie aaaabbbbccccdddd
+
+Note that the action with index 27 is omitted from the report.
+
+Fixes: 4b3550ef530c ("[NET_SCHED]: Use nla_nest_start/nla_nest_end")"
+Signed-off-by: Craig Dillabaugh <cdillaba@mojatatu.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_api.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -135,8 +135,10 @@ static int tcf_dump_walker(struct tcf_id
+ continue;
+
+ nest = nla_nest_start(skb, n_i);
+- if (!nest)
++ if (!nest) {
++ index--;
+ goto nla_put_failure;
++ }
+ err = tcf_action_dump_1(skb, p, 0, 0);
+ if (err < 0) {
+ index--;
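Review bot: The `index--` added in the `!nest` branch of tcf_dump_walker has no comment explaining why a failed nla_nest_start() must step the counter back, and the same bare `index--` already sits in the tcf_action_dump_1() failure branch just below it. A short comment on both, such as `/* action not dumped: rewind so the next batch starts here */`, would keep a later edit from dropping one of them and silently omitting an action again. The increment that these decrements undo and the nla_put_failure label are outside the hunk, so the exact resume logic should be checked there.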
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Fri, 6 Apr 2018 01:19:37 +0200
+Subject: net/sched: fix NULL dereference in the error path of tcf_bpf_init()
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+
+[ Upstream commit 3239534a79ee6f20cffd974173a1e62e0730e8ac ]
+
+when tcf_bpf_init_from_ops() fails (e.g. because of program having invalid
+number of instructions), tcf_bpf_cfg_cleanup() calls bpf_prog_put(NULL) or
+bpf_prog_destroy(NULL). Unless CONFIG_BPF_SYSCALL is unset, this causes
+the following error:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
+ PGD 800000007345a067 P4D 800000007345a067 PUD 340e1067 PMD 0
+ Oops: 0000 [#1] SMP PTI
+ Modules linked in: act_bpf(E) ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_generic pcbc snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd glue_helper cryptd joydev snd_timer snd virtio_balloon pcspkr soundcore i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_blk drm virtio_net virtio_console i2c_core crc32c_intel serio_raw virtio_pci ata_piix libata virtio_ring floppy virtio dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_bpf]
+ CPU: 3 PID: 5654 Comm: tc Tainted: G E 4.16.0.bpf_test+ #408
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:__bpf_prog_put+0xc/0xc0
+ RSP: 0018:ffff9594003ef728 EFLAGS: 00010202
+ RAX: 0000000000000000 RBX: ffff9594003ef758 RCX: 0000000000000024
+ RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
+ RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044
+ R10: 0000000000000220 R11: ffff8a7ab9f17131 R12: 0000000000000000
+ R13: ffff8a7ab7c3c8e0 R14: 0000000000000001 R15: ffff8a7ab88f1054
+ FS: 00007fcb2f17c740(0000) GS:ffff8a7abfd80000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000020 CR3: 000000007c888006 CR4: 00000000001606e0
+ Call Trace:
+ tcf_bpf_cfg_cleanup+0x2f/0x40 [act_bpf]
+ tcf_bpf_cleanup+0x4c/0x70 [act_bpf]
+ __tcf_idr_release+0x79/0x140
+ tcf_bpf_init+0x125/0x330 [act_bpf]
+ tcf_action_init_1+0x2cc/0x430
+ ? get_page_from_freelist+0x3f0/0x11b0
+ tcf_action_init+0xd3/0x1b0
+ tc_ctl_action+0x18b/0x240
+ rtnetlink_rcv_msg+0x29c/0x310
+ ? _cond_resched+0x15/0x30
+ ? __kmalloc_node_track_caller+0x1b9/0x270
+ ? rtnl_calcit.isra.29+0x100/0x100
+ netlink_rcv_skb+0xd2/0x110
+ netlink_unicast+0x17c/0x230
+ netlink_sendmsg+0x2cd/0x3c0
+ sock_sendmsg+0x30/0x40
+ ___sys_sendmsg+0x27a/0x290
+ ? mem_cgroup_commit_charge+0x80/0x130
+ ? page_add_new_anon_rmap+0x73/0xc0
+ ? do_anonymous_page+0x2a2/0x560
+ ? __handle_mm_fault+0xc75/0xe20
+ __sys_sendmsg+0x58/0xa0
+ do_syscall_64+0x6e/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+ RIP: 0033:0x7fcb2e58eba0
+ RSP: 002b:00007ffc93c496c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 00007ffc93c497f0 RCX: 00007fcb2e58eba0
+ RDX: 0000000000000000 RSI: 00007ffc93c49740 RDI: 0000000000000003
+ RBP: 000000005ac6a646 R08: 0000000000000002 R09: 0000000000000000
+ R10: 00007ffc93c49120 R11: 0000000000000246 R12: 0000000000000000
+ R13: 00007ffc93c49804 R14: 0000000000000001 R15: 000000000066afa0
+ Code: 5f 00 48 8b 43 20 48 c7 c7 70 2f 7c b8 c7 40 10 00 00 00 00 5b e9 a5 8b 61 00 0f 1f 44 00 00 0f 1f 44 00 00 41 54 55 48 89 fd 53 <48> 8b 47 20 f0 ff 08 74 05 5b 5d 41 5c c3 41 89 f4 0f 1f 44 00
+ RIP: __bpf_prog_put+0xc/0xc0 RSP: ffff9594003ef728
+ CR2: 0000000000000020
+
+Fix it in tcf_bpf_cfg_cleanup(), ensuring that bpf_prog_{put,destroy}(f)
+is called only when f is not NULL.
+
+Fixes: bbc09e7842a5 ("net/sched: fix idr leak on the error path of tcf_bpf_init()")
+Reported-by: Lucas Bates <lucasb@mojatatu.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_bpf.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/sched/act_bpf.c
++++ b/net/sched/act_bpf.c
+@@ -248,10 +248,14 @@ static int tcf_bpf_init_from_efd(struct
+
+ static void tcf_bpf_cfg_cleanup(const struct tcf_bpf_cfg *cfg)
+ {
+- if (cfg->is_ebpf)
+- bpf_prog_put(cfg->filter);
+- else
+- bpf_prog_destroy(cfg->filter);
++ struct bpf_prog *filter = cfg->filter;
++
++ if (filter) {
++ if (cfg->is_ebpf)
++ bpf_prog_put(filter);
++ else
++ bpf_prog_destroy(filter);
++ }
+
+ kfree(cfg->bpf_ops);
+ kfree(cfg->bpf_name);
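Review bot: The new `if (filter)` guard in tcf_bpf_cfg_cleanup has no comment saying when `cfg->filter` can be NULL, although the call trace in the description shows the cleanup being reached from tcf_bpf_init through __tcf_idr_release on a partly initialised action. I would add `/* filter is NULL when init failed before a program was attached */` above the guard. The same undocumented guard is added in tcf_sample_cleanup, tcf_vlan_cleanup, tunnel_key_release and tcf_skbmod_cleanup later in this series, and each would benefit from an equivalent one-line comment, since every cleanup callback here has to tolerate state that init never filled in. The function continues past the end of the hunk.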
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Fri, 16 Mar 2018 00:00:56 +0100
+Subject: net/sched: fix NULL dereference in the error path of tcf_sample_init()
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+
+[ Upstream commit 1f110e7cae09e6c6a144616480d1a9dd99c5208a ]
+
+when the following command
+
+ # tc action add action sample rate 100 group 100 index 100
+
+is run for the first time, and psample_group_get(100) fails to create a
+new group, tcf_sample_cleanup() calls psample_group_put(NULL), thus
+causing the following error:
+
+ BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
+ IP: psample_group_put+0x15/0x71 [psample]
+ PGD 8000000075775067 P4D 8000000075775067 PUD 7453c067 PMD 0
+ Oops: 0002 [#1] SMP PTI
+ Modules linked in: act_sample(E) psample ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core mbcache jbd2 crct10dif_pclmul snd_hwdep crc32_pclmul snd_seq ghash_clmulni_intel pcbc snd_seq_device snd_pcm aesni_intel crypto_simd snd_timer glue_helper snd cryptd joydev pcspkr i2c_piix4 soundcore virtio_balloon nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm virtio_net ata_piix virtio_console virtio_blk libata serio_raw crc32c_intel virtio_pci i2c_core virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_tunnel_key]
+ CPU: 2 PID: 5740 Comm: tc Tainted: G E 4.16.0-rc4.act_vlan.orig+ #403
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:psample_group_put+0x15/0x71 [psample]
+ RSP: 0018:ffffb8a80032f7d0 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000024
+ RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffffffc06d93c0
+ RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044
+ R10: 00000000bd003000 R11: ffff979fba04aa59 R12: 0000000000000000
+ R13: 0000000000000000 R14: 0000000000000000 R15: ffff979fbba3f22c
+ FS: 00007f7638112740(0000) GS:ffff979fbfd00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000000000000001c CR3: 00000000734ea001 CR4: 00000000001606e0
+ Call Trace:
+ __tcf_idr_release+0x79/0xf0
+ tcf_sample_init+0x125/0x1d0 [act_sample]
+ tcf_action_init_1+0x2cc/0x430
+ tcf_action_init+0xd3/0x1b0
+ tc_ctl_action+0x18b/0x240
+ rtnetlink_rcv_msg+0x29c/0x310
+ ? _cond_resched+0x15/0x30
+ ? __kmalloc_node_track_caller+0x1b9/0x270
+ ? rtnl_calcit.isra.28+0x100/0x100
+ netlink_rcv_skb+0xd2/0x110
+ netlink_unicast+0x17c/0x230
+ netlink_sendmsg+0x2cd/0x3c0
+ sock_sendmsg+0x30/0x40
+ ___sys_sendmsg+0x27a/0x290
+ ? filemap_map_pages+0x34a/0x3a0
+ ? __handle_mm_fault+0xbfd/0xe20
+ __sys_sendmsg+0x51/0x90
+ do_syscall_64+0x6e/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+ RIP: 0033:0x7f7637523ba0
+ RSP: 002b:00007fff0473ef58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 00007fff0473f080 RCX: 00007f7637523ba0
+ RDX: 0000000000000000 RSI: 00007fff0473efd0 RDI: 0000000000000003
+ RBP: 000000005aaaac80 R08: 0000000000000002 R09: 0000000000000000
+ R10: 00007fff0473e9e0 R11: 0000000000000246 R12: 0000000000000000
+ R13: 00007fff0473f094 R14: 0000000000000001 R15: 0000000000669f60
+ Code: be 02 00 00 00 48 89 df e8 a9 fe ff ff e9 7c ff ff ff 0f 1f 40 00 0f 1f 44 00 00 53 48 89 fb 48 c7 c7 c0 93 6d c0 e8 db 20 8c ef <83> 6b 1c 01 74 10 48 c7 c7 c0 93 6d c0 ff 14 25 e8 83 83 b0 5b
+ RIP: psample_group_put+0x15/0x71 [psample] RSP: ffffb8a80032f7d0
+ CR2: 000000000000001c
+
+Fix it in tcf_sample_cleanup(), ensuring that calls to psample_group_put(p)
+are done only when p is not NULL.
+
+Fixes: cadb9c9fdbc6 ("net/sched: act_sample: Fix error path in init")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_sample.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_sample.c
++++ b/net/sched/act_sample.c
+@@ -103,7 +103,8 @@ static void tcf_sample_cleanup(struct tc
+
+ psample_group = rtnl_dereference(s->psample_group);
+ RCU_INIT_POINTER(s->psample_group, NULL);
+- psample_group_put(psample_group);
++ if (psample_group)
++ psample_group_put(psample_group);
+ }
+
+ static bool tcf_sample_dev_ok_push(struct net_device *dev)
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Fri, 16 Mar 2018 00:00:53 +0100
+Subject: net/sched: fix NULL dereference in the error path of tcf_vlan_init()
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+
+[ Upstream commit 1edf8abe04090c4f41a85e42c66638be1ee69156 ]
+
+when the following command
+
+ # tc actions replace action vlan pop index 100
+
+is run for the first time, and tcf_vlan_init() fails allocating struct
+tcf_vlan_params, tcf_vlan_cleanup() calls kfree_rcu(NULL, ...). This causes
+the following error:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
+ IP: __call_rcu+0x23/0x2b0
+ PGD 80000000760a2067 P4D 80000000760a2067 PUD 742c1067 PMD 0
+ Oops: 0002 [#1] SMP PTI
+ Modules linked in: act_vlan(E) ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 snd_hda_codec_generic snd_hda_intel mbcache snd_hda_codec jbd2 snd_hda_core crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd snd_timer glue_helper snd cryptd joydev soundcore virtio_balloon pcspkr i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm virtio_console virtio_blk virtio_net ata_piix crc32c_intel libata virtio_pci i2c_core virtio_ring serio_raw virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_vlan]
+ CPU: 3 PID: 3119 Comm: tc Tainted: G E 4.16.0-rc4.act_vlan.orig+ #403
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:__call_rcu+0x23/0x2b0
+ RSP: 0018:ffffaac3005fb798 EFLAGS: 00010246
+ RAX: ffffffffc0704080 RBX: ffff97f2b4bbe900 RCX: 00000000ffffffff
+ RDX: ffffffffabca5f00 RSI: 0000000000000010 RDI: 0000000000000010
+ RBP: 0000000000000010 R08: 0000000000000001 R09: 0000000000000044
+ R10: 00000000fd003000 R11: ffff97f2faab5b91 R12: 0000000000000000
+ R13: ffffffffabca5f00 R14: ffff97f2fb80202c R15: 00000000fffffff4
+ FS: 00007f68f75b4740(0000) GS:ffff97f2ffd80000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000018 CR3: 0000000072b52001 CR4: 00000000001606e0
+ Call Trace:
+ __tcf_idr_release+0x79/0xf0
+ tcf_vlan_init+0x168/0x270 [act_vlan]
+ tcf_action_init_1+0x2cc/0x430
+ tcf_action_init+0xd3/0x1b0
+ tc_ctl_action+0x18b/0x240
+ rtnetlink_rcv_msg+0x29c/0x310
+ ? _cond_resched+0x15/0x30
+ ? __kmalloc_node_track_caller+0x1b9/0x270
+ ? rtnl_calcit.isra.28+0x100/0x100
+ netlink_rcv_skb+0xd2/0x110
+ netlink_unicast+0x17c/0x230
+ netlink_sendmsg+0x2cd/0x3c0
+ sock_sendmsg+0x30/0x40
+ ___sys_sendmsg+0x27a/0x290
+ ? filemap_map_pages+0x34a/0x3a0
+ ? __handle_mm_fault+0xbfd/0xe20
+ __sys_sendmsg+0x51/0x90
+ do_syscall_64+0x6e/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+ RIP: 0033:0x7f68f69c5ba0
+ RSP: 002b:00007fffd79c1118 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 00007fffd79c1240 RCX: 00007f68f69c5ba0
+ RDX: 0000000000000000 RSI: 00007fffd79c1190 RDI: 0000000000000003
+ RBP: 000000005aaa708e R08: 0000000000000002 R09: 0000000000000000
+ R10: 00007fffd79c0ba0 R11: 0000000000000246 R12: 0000000000000000
+ R13: 00007fffd79c1254 R14: 0000000000000001 R15: 0000000000669f60
+ Code: 5d e9 42 da ff ff 66 90 0f 1f 44 00 00 41 57 41 56 41 55 49 89 d5 41 54 55 48 89 fd 53 48 83 ec 08 40 f6 c7 07 0f 85 19 02 00 00 <48> 89 75 08 48 c7 45 00 00 00 00 00 9c 58 0f 1f 44 00 00 49 89
+ RIP: __call_rcu+0x23/0x2b0 RSP: ffffaac3005fb798
+ CR2: 0000000000000018
+
+fix this in tcf_vlan_cleanup(), ensuring that kfree_rcu(p, ...) is called
+only when p is not NULL.
+
+Fixes: 4c5b9d9642c8 ("act_vlan: VLAN action rewrite to use RCU lock/unlock and update")
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Acked-by: Manish Kurup <manish.kurup@verizon.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_vlan.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_vlan.c
++++ b/net/sched/act_vlan.c
+@@ -225,7 +225,8 @@ static void tcf_vlan_cleanup(struct tc_a
+ struct tcf_vlan_params *p;
+
+ p = rcu_dereference_protected(v->vlan_p, 1);
+- kfree_rcu(p, rcu);
++ if (p)
++ kfree_rcu(p, rcu);
+ }
+
+ static int tcf_vlan_dump(struct sk_buff *skb, struct tc_action *a,
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Fri, 16 Mar 2018 00:00:55 +0100
+Subject: net/sched: fix NULL dereference in the error path of tunnel_key_init()
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+
+[ Upstream commit abdadd3cfd3e7ea3da61ac774f84777d1f702058 ]
+
+when the following command
+
+ # tc action add action tunnel_key unset index 100
+
+is run for the first time, and tunnel_key_init() fails to allocate struct
+tcf_tunnel_key_params, tunnel_key_release() dereferences NULL pointers.
+This causes the following error:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+ IP: tunnel_key_release+0xd/0x40 [act_tunnel_key]
+ PGD 8000000033787067 P4D 8000000033787067 PUD 74646067 PMD 0
+ Oops: 0000 [#1] SMP PTI
+ Modules linked in: act_tunnel_key(E) act_csum ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul snd_hda_codec_generic ghash_clmulni_intel snd_hda_intel pcbc snd_hda_codec snd_hda_core snd_hwdep snd_seq aesni_intel snd_seq_device crypto_simd glue_helper snd_pcm cryptd joydev snd_timer pcspkr virtio_balloon snd i2c_piix4 soundcore nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_net virtio_blk drm virtio_console crc32c_intel ata_piix serio_raw i2c_core virtio_pci libata virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod
+ CPU: 2 PID: 3101 Comm: tc Tainted: G E 4.16.0-rc4.act_vlan.orig+ #403
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:tunnel_key_release+0xd/0x40 [act_tunnel_key]
+ RSP: 0018:ffffba46803b7768 EFLAGS: 00010286
+ RAX: ffffffffc09010a0 RBX: 0000000000000000 RCX: 0000000000000024
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99ee336d7480
+ RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044
+ R10: 0000000000000220 R11: ffff99ee79d73131 R12: 0000000000000000
+ R13: ffff99ee32d67610 R14: ffff99ee7671dc38 R15: 00000000fffffff4
+ FS: 00007febcb2cd740(0000) GS:ffff99ee7fd00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000010 CR3: 000000007c8e4005 CR4: 00000000001606e0
+ Call Trace:
+ __tcf_idr_release+0x79/0xf0
+ tunnel_key_init+0xd9/0x460 [act_tunnel_key]
+ tcf_action_init_1+0x2cc/0x430
+ tcf_action_init+0xd3/0x1b0
+ tc_ctl_action+0x18b/0x240
+ rtnetlink_rcv_msg+0x29c/0x310
+ ? _cond_resched+0x15/0x30
+ ? __kmalloc_node_track_caller+0x1b9/0x270
+ ? rtnl_calcit.isra.28+0x100/0x100
+ netlink_rcv_skb+0xd2/0x110
+ netlink_unicast+0x17c/0x230
+ netlink_sendmsg+0x2cd/0x3c0
+ sock_sendmsg+0x30/0x40
+ ___sys_sendmsg+0x27a/0x290
+ __sys_sendmsg+0x51/0x90
+ do_syscall_64+0x6e/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+ RIP: 0033:0x7febca6deba0
+ RSP: 002b:00007ffe7b0dd128 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 00007ffe7b0dd250 RCX: 00007febca6deba0
+ RDX: 0000000000000000 RSI: 00007ffe7b0dd1a0 RDI: 0000000000000003
+ RBP: 000000005aaa90cb R08: 0000000000000002 R09: 0000000000000000
+ R10: 00007ffe7b0dcba0 R11: 0000000000000246 R12: 0000000000000000
+ R13: 00007ffe7b0dd264 R14: 0000000000000001 R15: 0000000000669f60
+ Code: 44 00 00 8b 0d b5 23 00 00 48 8b 87 48 10 00 00 48 8b 3c c8 e9 a5 e5 d8 c3 0f 1f 44 00 00 0f 1f 44 00 00 53 48 8b 9f b0 00 00 00 <83> 7b 10 01 74 0b 48 89 df 31 f6 5b e9 f2 fa 7f c3 48 8b 7b 18
+ RIP: tunnel_key_release+0xd/0x40 [act_tunnel_key] RSP: ffffba46803b7768
+ CR2: 0000000000000010
+
+Fix this in tunnel_key_release(), ensuring 'param' is not NULL before
+dereferencing it.
+
+Fixes: d0f6dd8a914f ("net/sched: Introduce act_tunnel_key")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_tunnel_key.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/sched/act_tunnel_key.c
++++ b/net/sched/act_tunnel_key.c
+@@ -208,11 +208,12 @@ static void tunnel_key_release(struct tc
+ struct tcf_tunnel_key_params *params;
+
+ params = rcu_dereference_protected(t->params, 1);
++ if (params) {
++ if (params->tcft_action == TCA_TUNNEL_KEY_ACT_SET)
++ dst_release(¶ms->tcft_enc_metadata->dst);
+
+- if (params->tcft_action == TCA_TUNNEL_KEY_ACT_SET)
+- dst_release(¶ms->tcft_enc_metadata->dst);
+-
+- kfree_rcu(params, rcu);
++ kfree_rcu(params, rcu);
++ }
+ }
+
+ static int tunnel_key_dump_addresses(struct sk_buff *skb,
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Fri, 16 Mar 2018 00:00:57 +0100
+Subject: net/sched: fix NULL dereference on the error path of tcf_skbmod_init()
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+
+[ Upstream commit 2d433610176d6569e8b3a28f67bc72235bf69efc ]
+
+when the following command
+
+ # tc action replace action skbmod swap mac index 100
+
+is run for the first time, and tcf_skbmod_init() fails to allocate struct
+tcf_skbmod_params, tcf_skbmod_cleanup() calls kfree_rcu(NULL), thus
+causing the following error:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+ IP: __call_rcu+0x23/0x2b0
+ PGD 8000000034057067 P4D 8000000034057067 PUD 74937067 PMD 0
+ Oops: 0002 [#1] SMP PTI
+ Modules linked in: act_skbmod(E) psample ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 snd_hda_codec_generic snd_hda_intel snd_hda_codec crct10dif_pclmul mbcache jbd2 crc32_pclmul snd_hda_core ghash_clmulni_intel snd_hwdep pcbc snd_seq snd_seq_device snd_pcm aesni_intel snd_timer crypto_simd glue_helper snd cryptd virtio_balloon joydev soundcore pcspkr i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm virtio_console virtio_net virtio_blk ata_piix libata crc32c_intel virtio_pci serio_raw virtio_ring virtio i2c_core floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_skbmod]
+ CPU: 3 PID: 3144 Comm: tc Tainted: G E 4.16.0-rc4.act_vlan.orig+ #403
+ Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+ RIP: 0010:__call_rcu+0x23/0x2b0
+ RSP: 0018:ffffbd2e403e7798 EFLAGS: 00010246
+ RAX: ffffffffc0872080 RBX: ffff981d34bff780 RCX: 00000000ffffffff
+ RDX: ffffffff922a5f00 RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000021f
+ R10: 000000003d003000 R11: 0000000000aaaaaa R12: 0000000000000000
+ R13: ffffffff922a5f00 R14: 0000000000000001 R15: ffff981d3b698c2c
+ FS: 00007f3678292740(0000) GS:ffff981d3fd80000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000008 CR3: 000000007c57a006 CR4: 00000000001606e0
+ Call Trace:
+ __tcf_idr_release+0x79/0xf0
+ tcf_skbmod_init+0x1d1/0x210 [act_skbmod]
+ tcf_action_init_1+0x2cc/0x430
+ tcf_action_init+0xd3/0x1b0
+ tc_ctl_action+0x18b/0x240
+ rtnetlink_rcv_msg+0x29c/0x310
+ ? _cond_resched+0x15/0x30
+ ? __kmalloc_node_track_caller+0x1b9/0x270
+ ? rtnl_calcit.isra.28+0x100/0x100
+ netlink_rcv_skb+0xd2/0x110
+ netlink_unicast+0x17c/0x230
+ netlink_sendmsg+0x2cd/0x3c0
+ sock_sendmsg+0x30/0x40
+ ___sys_sendmsg+0x27a/0x290
+ ? filemap_map_pages+0x34a/0x3a0
+ ? __handle_mm_fault+0xbfd/0xe20
+ __sys_sendmsg+0x51/0x90
+ do_syscall_64+0x6e/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+ RIP: 0033:0x7f36776a3ba0
+ RSP: 002b:00007fff4703b618 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 00007fff4703b740 RCX: 00007f36776a3ba0
+ RDX: 0000000000000000 RSI: 00007fff4703b690 RDI: 0000000000000003
+ RBP: 000000005aaaba36 R08: 0000000000000002 R09: 0000000000000000
+ R10: 00007fff4703b0a0 R11: 0000000000000246 R12: 0000000000000000
+ R13: 00007fff4703b754 R14: 0000000000000001 R15: 0000000000669f60
+ Code: 5d e9 42 da ff ff 66 90 0f 1f 44 00 00 41 57 41 56 41 55 49 89 d5 41 54 55 48 89 fd 53 48 83 ec 08 40 f6 c7 07 0f 85 19 02 00 00 <48> 89 75 08 48 c7 45 00 00 00 00 00 9c 58 0f 1f 44 00 00 49 89
+ RIP: __call_rcu+0x23/0x2b0 RSP: ffffbd2e403e7798
+ CR2: 0000000000000008
+
+Fix it in tcf_skbmod_cleanup(), ensuring that kfree_rcu(p, ...) is called
+only when p is not NULL.
+
+Fixes: 86da71b57383 ("net_sched: Introduce skbmod action")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_skbmod.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_skbmod.c
++++ b/net/sched/act_skbmod.c
+@@ -190,7 +190,8 @@ static void tcf_skbmod_cleanup(struct tc
+ struct tcf_skbmod_params *p;
+
+ p = rcu_dereference_protected(d->skbmod_p, 1);
+- kfree_rcu(p, rcu);
++ if (p)
++ kfree_rcu(p, rcu);
+ }
+
+ static int tcf_skbmod_dump(struct sk_buff *skb, struct tc_action *a,
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Fri, 6 Apr 2018 17:19:41 -0700
+Subject: net_sched: fix a missing idr_remove() in u32_delete_key()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit f12c643209db0626f2f54780d86bb93bfa7a9c2d ]
+
+When we delete a u32 key via u32_delete_key(), we forget to
+call idr_remove() to remove its handle from IDR.
+
+Fixes: e7614370d6f0 ("net_sched: use idr to allocate u32 filter handles")
+Reported-by: Marcin Kabiesz <admin@hostcenter.eu>
+Tested-by: Marcin Kabiesz <admin@hostcenter.eu>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_u32.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/cls_u32.c
++++ b/net/sched/cls_u32.c
+@@ -478,6 +478,7 @@ static int u32_delete_key(struct tcf_pro
+ RCU_INIT_POINTER(*kp, key->next);
+
+ tcf_unbind_filter(tp, &key->res);
++ idr_remove(&ht->handle_idr, key->handle);
+ tcf_exts_get_net(&key->exts);
+ call_rcu(&key->rcu, u32_delete_key_freepf_rcu);
+ return 0;
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Alexander Potapenko <glider@google.com>
+Date: Fri, 23 Mar 2018 13:49:02 +0100
+Subject: netlink: make sure nladdr has correct size in netlink_connect()
+
+From: Alexander Potapenko <glider@google.com>
+
+
+[ Upstream commit 7880287981b60a6808f39f297bb66936e8bdf57a ]
+
+KMSAN reports use of uninitialized memory in the case when |alen| is
+smaller than sizeof(struct sockaddr_nl), and therefore |nladdr| isn't
+fully copied from the userspace.
+
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Fixes: 1da177e4c3f41524 ("Linux-2.6.12-rc2")
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -1052,6 +1052,9 @@ static int netlink_connect(struct socket
+ if (addr->sa_family != AF_NETLINK)
+ return -EINVAL;
+
++ if (alen < sizeof(struct sockaddr_nl))
++ return -EINVAL;
++
+ if ((nladdr->nl_groups || nladdr->nl_pid) &&
+ !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
+ return -EPERM;
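Review bot: The added `alen < sizeof(struct sockaddr_nl)` check in netlink_connect comes after `addr->sa_family` has already been read on the context line above it, so the length validation does not visibly precede the first use of the address. If no earlier check bounds `alen`, a minimum-length test is also needed before that read. Either way, a comment such as `/* nl_pid and nl_groups are read below: require a full sockaddr_nl */` would record why the check is there. The start of the function is outside the hunk, so the earlier checks cannot be confirmed from here.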
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+Date: Tue, 3 Apr 2018 17:24:23 -0700
+Subject: nfp: use full 40 bits of the NSP buffer address
+
+From: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+
+
+[ Upstream commit 1489bbd10e16079ce30a53d3c22a431fd47af791 ]
+
+The NSP default buffer is a piece of NFP memory where additional
+command data can be placed. Its format has been copied from
+host buffer, but the PCIe selection bits do not make sense in
+this case. If those get masked out from a NFP address - writes
+to random place in the chip memory may be issued and crash the
+device.
+
+Even in the general NSP buffer case, it doesn't make sense to have the
+PCIe selection bits there anymore. These are unused at the moment, and
+when it becomes necessary, the PCIe selection bits should rather be
+moved to another register to utilise more bits for the buffer address.
+
+This has never been an issue because the buffer used to be
+allocated in memory with less-than-38-bit-long address but that
+is about to change.
+
+Fixes: 1a64821c6af7 ("nfp: add support for service processor access")
+Signed-off-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c
++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c
+@@ -68,10 +68,11 @@
+ /* CPP address to retrieve the data from */
+ #define NSP_BUFFER 0x10
+ #define NSP_BUFFER_CPP GENMASK_ULL(63, 40)
+-#define NSP_BUFFER_PCIE GENMASK_ULL(39, 38)
+-#define NSP_BUFFER_ADDRESS GENMASK_ULL(37, 0)
++#define NSP_BUFFER_ADDRESS GENMASK_ULL(39, 0)
+
+ #define NSP_DFLT_BUFFER 0x18
++#define NSP_DFLT_BUFFER_CPP GENMASK_ULL(63, 40)
++#define NSP_DFLT_BUFFER_ADDRESS GENMASK_ULL(39, 0)
+
+ #define NSP_DFLT_BUFFER_CONFIG 0x20
+ #define NSP_DFLT_BUFFER_SIZE_MB GENMASK_ULL(7, 0)
+@@ -412,8 +413,8 @@ static int nfp_nsp_command_buf(struct nf
+ if (err < 0)
+ return err;
+
+- cpp_id = FIELD_GET(NSP_BUFFER_CPP, reg) << 8;
+- cpp_buf = FIELD_GET(NSP_BUFFER_ADDRESS, reg);
++ cpp_id = FIELD_GET(NSP_DFLT_BUFFER_CPP, reg) << 8;
++ cpp_buf = FIELD_GET(NSP_DFLT_BUFFER_ADDRESS, reg);
+
+ if (in_buf && in_size) {
+ err = nfp_cpp_write(cpp, cpp_id, cpp_buf, in_buf, in_size);
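Review bot: After this change NSP_DFLT_BUFFER_CPP and NSP_DFLT_BUFFER_ADDRESS are bit-for-bit the same masks as NSP_BUFFER_CPP and the widened NSP_BUFFER_ADDRESS, and nothing in the defines says why the default buffer gets its own pair or why the PCIe selection field was dropped. A comment on the new defines, e.g. `/* Default buffer lives in NFP memory: full 40-bit address, no PCIe select bits */`, would stop a later cleanup from reintroducing the 38-bit mask, which the description says can send writes to the wrong place in chip memory. In nfp_nsp_command_buf the extracted `cpp_buf` is passed straight to nfp_cpp_write(); the size checks against the buffer are outside the hunk and are worth confirming alongside this change.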
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 2 Apr 2018 18:48:37 -0700
+Subject: pptp: remove a buggy dst release in pptp_connect()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit bfacfb457b36911a10140b8cb3ce76a74883ac5a ]
+
+Once dst has been cached in socket via sk_setup_caps(),
+it is illegal to call ip_rt_put() (or dst_release()),
+since sk_setup_caps() did not change dst refcount.
+
+We can still dereference it since we hold socket lock.
+
+Caught by syzbot :
+
+BUG: KASAN: use-after-free in atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline]
+BUG: KASAN: use-after-free in dst_release+0x27/0xa0 net/core/dst.c:185
+Write of size 4 at addr ffff8801c54dc040 by task syz-executor4/20088
+
+CPU: 1 PID: 20088 Comm: syz-executor4 Not tainted 4.16.0+ #376
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x1a7/0x27d lib/dump_stack.c:53
+ print_address_description+0x73/0x250 mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report+0x23c/0x360 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
+ kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
+ atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline]
+ dst_release+0x27/0xa0 net/core/dst.c:185
+ sk_dst_set include/net/sock.h:1812 [inline]
+ sk_dst_reset include/net/sock.h:1824 [inline]
+ sock_setbindtodevice net/core/sock.c:610 [inline]
+ sock_setsockopt+0x431/0x1b20 net/core/sock.c:707
+ SYSC_setsockopt net/socket.c:1845 [inline]
+ SyS_setsockopt+0x2ff/0x360 net/socket.c:1828
+ do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x4552d9
+RSP: 002b:00007f4878126c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00007f48781276d4 RCX: 00000000004552d9
+RDX: 0000000000000019 RSI: 0000000000000001 RDI: 0000000000000013
+RBP: 000000000072bea0 R08: 0000000000000010 R09: 0000000000000000
+R10: 00000000200010c0 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 0000000000000526 R14: 00000000006fac30 R15: 0000000000000000
+
+Allocated by task 20088:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+ set_track mm/kasan/kasan.c:459 [inline]
+ kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
+ kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
+ kmem_cache_alloc+0x12e/0x760 mm/slab.c:3542
+ dst_alloc+0x11f/0x1a0 net/core/dst.c:104
+ rt_dst_alloc+0xe9/0x540 net/ipv4/route.c:1520
+ __mkroute_output net/ipv4/route.c:2265 [inline]
+ ip_route_output_key_hash_rcu+0xa49/0x2c60 net/ipv4/route.c:2493
+ ip_route_output_key_hash+0x20b/0x370 net/ipv4/route.c:2322
+ __ip_route_output_key include/net/route.h:126 [inline]
+ ip_route_output_flow+0x26/0xa0 net/ipv4/route.c:2577
+ ip_route_output_ports include/net/route.h:163 [inline]
+ pptp_connect+0xa84/0x1170 drivers/net/ppp/pptp.c:453
+ SYSC_connect+0x213/0x4a0 net/socket.c:1639
+ SyS_connect+0x24/0x30 net/socket.c:1620
+ do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Freed by task 20082:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+ set_track mm/kasan/kasan.c:459 [inline]
+ __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
+ kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
+ __cache_free mm/slab.c:3486 [inline]
+ kmem_cache_free+0x83/0x2a0 mm/slab.c:3744
+ dst_destroy+0x266/0x380 net/core/dst.c:140
+ dst_destroy_rcu+0x16/0x20 net/core/dst.c:153
+ __rcu_reclaim kernel/rcu/rcu.h:178 [inline]
+ rcu_do_batch kernel/rcu/tree.c:2675 [inline]
+ invoke_rcu_callbacks kernel/rcu/tree.c:2930 [inline]
+ __rcu_process_callbacks kernel/rcu/tree.c:2897 [inline]
+ rcu_process_callbacks+0xd6c/0x17b0 kernel/rcu/tree.c:2914
+ __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
+
+The buggy address belongs to the object at ffff8801c54dc000
+ which belongs to the cache ip_dst_cache of size 168
+The buggy address is located 64 bytes inside of
+ 168-byte region [ffff8801c54dc000, ffff8801c54dc0a8)
+The buggy address belongs to the page:
+page:ffffea0007153700 count:1 mapcount:0 mapping:ffff8801c54dc000 index:0x0
+flags: 0x2fffc0000000100(slab)
+raw: 02fffc0000000100 ffff8801c54dc000 0000000000000000 0000000100000010
+raw: ffffea0006b34b20 ffffea0006b6c1e0 ffff8801d674a1c0 0000000000000000
+page dumped because: kasan: bad access detected
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/pptp.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -464,7 +464,6 @@ static int pptp_connect(struct socket *s
+ po->chan.mtu = dst_mtu(&rt->dst);
+ if (!po->chan.mtu)
+ po->chan.mtu = PPP_MRU;
+- ip_rt_put(rt);
+ po->chan.mtu -= PPTP_HEADER_OVERHEAD;
+
+ po->chan.hdrlen = 2 + sizeof(struct pptp_gre_header);
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Mon, 26 Mar 2018 19:19:30 +0200
+Subject: r8169: fix setting driver_data after register_netdev
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+
+[ Upstream commit 19c9ea363a244f85f90a424f9936e6d56449e33c ]
+
+pci_set_drvdata() is called only after registering the net_device,
+therefore we could run into a NPE if one of the functions using
+driver_data is called before it's set.
+
+Fix this by calling pci_set_drvdata() before registering the
+net_device.
+
+This fix is a candidate for stable. As far as I can see the
+bug has been there in kernel version 3.2 already, therefore
+I can't provide a reference which commit is fixed by it.
+
+The fix may need small adjustments per kernel version because
+due to other changes the label which is jumped to if
+register_netdev() fails has changed over time.
+
+Reported-by: David Miller <davem@davemloft.net>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -8699,12 +8699,12 @@ static int rtl_init_one(struct pci_dev *
+ goto err_out_msi_5;
+ }
+
++ pci_set_drvdata(pdev, dev);
++
+ rc = register_netdev(dev);
+ if (rc < 0)
+ goto err_out_cnt_6;
+
+- pci_set_drvdata(pdev, dev);
+-
+ netif_info(tp, probe, dev, "%s at 0x%p, %pM, XID %08x IRQ %d\n",
+ rtl_chip_infos[chipset].name, ioaddr, dev->dev_addr,
+ (u32)(RTL_R32(TxConfig) & 0x9cf0f8ff), pdev->irq);
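Review bot: The moved `pci_set_drvdata(pdev, dev);` in rtl_init_one() now carries an ordering requirement that the code does not record: it has to stay ahead of register_netdev(), because users of drvdata can run as soon as the device is registered. A comment such as `/* set drvdata before register_netdev(); its users may run once the device is visible */` would stop a later cleanup from moving it back. If register_netdev() fails, drvdata is left pointing at dev while the err_out_cnt_6 path runs. That label is outside the hunk, so it is worth confirming that nothing there or afterwards reads the stale pointer.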
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 1 Apr 2018 22:40:35 +0800
+Subject: route: check sysctl_fib_multipath_use_neigh earlier than hash
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 6174a30df1b902e1fedbd728f5343937e83e64e6 ]
+
+Prior to this patch, when one packet is hashed into path [1]
+(hash <= nh_upper_bound) and it's neigh is dead, it will try
+path [2]. However, if path [2]'s neigh is alive but it's
+hash > nh_upper_bound, it will not return this alive path.
+This packet will never be sent even if path [2] is alive.
+
+ 3.3.3.1/24:
+ nexthop via 1.1.1.254 dev eth1 weight 1 <--[1] (dead neigh)
+ nexthop via 2.2.2.254 dev eth2 weight 1 <--[2]
+
+With sysctl_fib_multipath_use_neigh set is supposed to find an
+available path respecting to the l3/l4 hash. But if there is
+no available route with this hash, it should at least return
+an alive route even with other hash.
+
+This patch is to fix it by processing fib_multipath_use_neigh
+earlier than the hash check, so that it will at least return
+an alive route if there is when fib_multipath_use_neigh is
+enabled. It's also compatible with before when there are alive
+routes with the l3/l4 hash.
+
+Fixes: a6db4494d218 ("net: ipv4: Consider failed nexthops in multipath routes")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: David Ahern <dsa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/fib_semantics.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -1746,18 +1746,20 @@ void fib_select_multipath(struct fib_res
+ bool first = false;
+
+ for_nexthops(fi) {
++ if (net->ipv4.sysctl_fib_multipath_use_neigh) {
++ if (!fib_good_nh(nh))
++ continue;
++ if (!first) {
++ res->nh_sel = nhsel;
++ first = true;
++ }
++ }
++
+ if (hash > atomic_read(&nh->nh_upper_bound))
+ continue;
+
+- if (!net->ipv4.sysctl_fib_multipath_use_neigh ||
+- fib_good_nh(nh)) {
+- res->nh_sel = nhsel;
+- return;
+- }
+- if (!first) {
+- res->nh_sel = nhsel;
+- first = true;
+- }
++ res->nh_sel = nhsel;
++ return;
+ } endfor_nexthops(fi);
+ }
+ #endif
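Review bot: With sysctl_fib_multipath_use_neigh set, the loop in fib_select_multipath() now has two outcomes that are not obvious from the code. The first nexthop passing fib_good_nh() is stored in res->nh_sel as a fallback even when its upper bound does not cover the hash, and if no nexthop passes, res->nh_sel is left as it was on entry. The old code stored a nexthop whose bound covered the hash even when its neighbour was dead, so the second case is a behaviour change worth stating. A comment above the new block, for example `/* remember the first alive nexthop in case none matches the hash */`, would help. The start of the function is outside the hunk, so what res->nh_sel holds on entry cannot be confirmed here.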
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Apr 2018 17:15:22 -0700
+Subject: sctp: do not leak kernel memory to user space
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 6780db244d6b1537d139dea0ec8aad10cf9e4adb ]
+
+syzbot produced a nice report [1]
+
+Issue here is that a recvmmsg() managed to leak 8 bytes of kernel memory
+to user space, because sin_zero (padding field) was not properly cleared.
+
+[1]
+BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline]
+BUG: KMSAN: uninit-value in move_addr_to_user+0x32e/0x530 net/socket.c:227
+CPU: 1 PID: 3586 Comm: syzkaller481044 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
+ kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
+ copy_to_user include/linux/uaccess.h:184 [inline]
+ move_addr_to_user+0x32e/0x530 net/socket.c:227
+ ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
+ __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
+ SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
+ SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x4401c9
+RSP: 002b:00007ffc56f73098 EFLAGS: 00000217 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401c9
+RDX: 0000000000000001 RSI: 0000000020003ac0 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 0000000020003bc0 R09: 0000000000000010
+R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401af0
+R13: 0000000000401b80 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable description: ----addr@___sys_recvmsg
+Variable was created at:
+ ___sys_recvmsg+0xd5/0x810 net/socket.c:2172
+ __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
+
+Bytes 8-15 of 16 are uninitialized
+
+==================================================================
+Kernel panic - not syncing: panic_on_warn set ...
+
+CPU: 1 PID: 3586 Comm: syzkaller481044 Tainted: G B 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ panic+0x39d/0x940 kernel/panic.c:183
+ kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
+ kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
+ kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
+ copy_to_user include/linux/uaccess.h:184 [inline]
+ move_addr_to_user+0x32e/0x530 net/socket.c:227
+ ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
+ __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
+ SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
+ SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Vlad Yasevich <vyasevich@gmail.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/ipv6.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -728,8 +728,10 @@ static int sctp_v6_addr_to_user(struct s
+ sctp_v6_map_v4(addr);
+ }
+
+- if (addr->sa.sa_family == AF_INET)
++ if (addr->sa.sa_family == AF_INET) {
++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+ return sizeof(struct sockaddr_in);
++ }
+ return sizeof(struct sockaddr_in6);
+ }
+
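Review bot: The memset in sctp_v6_addr_to_user() clears sin_zero only on the AF_INET return, and nothing next to the code says why, so the line reads as redundant initialisation. A short comment such as `/* sin_zero is padding that gets copied to user space; clear it */` would keep it from being removed later. Whether every byte of the sockaddr_in6 form is initialised before the second return depends on code above the hunk and should be checked there.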
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 8 Apr 2018 07:52:08 -0700
+Subject: sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 81e98370293afcb58340ce8bd71af7b97f925c26 ]
+
+Check must happen before call to ipv6_addr_v4mapped()
+
+syzbot report was :
+
+BUG: KMSAN: uninit-value in sctp_sockaddr_af net/sctp/socket.c:359 [inline]
+BUG: KMSAN: uninit-value in sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384
+CPU: 0 PID: 3576 Comm: syzkaller968804 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ sctp_sockaddr_af net/sctp/socket.c:359 [inline]
+ sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384
+ sctp_bind+0x149/0x190 net/sctp/socket.c:332
+ inet6_bind+0x1fd/0x1820 net/ipv6/af_inet6.c:293
+ SYSC_bind+0x3f2/0x4b0 net/socket.c:1474
+ SyS_bind+0x54/0x80 net/socket.c:1460
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x43fd49
+RSP: 002b:00007ffe99df3d28 EFLAGS: 00000213 ORIG_RAX: 0000000000000031
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd49
+RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
+R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401670
+R13: 0000000000401700 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable description: ----address@SYSC_bind
+Variable was created at:
+ SYSC_bind+0x6f/0x4b0 net/socket.c:1461
+ SyS_bind+0x54/0x80 net/socket.c:1460
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Vlad Yasevich <vyasevich@gmail.com>
+Cc: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -338,11 +338,14 @@ static struct sctp_af *sctp_sockaddr_af(
+ if (!opt->pf->af_supported(addr->sa.sa_family, opt))
+ return NULL;
+
+- /* V4 mapped address are really of AF_INET family */
+- if (addr->sa.sa_family == AF_INET6 &&
+- ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
+- !opt->pf->af_supported(AF_INET, opt))
+- return NULL;
++ if (addr->sa.sa_family == AF_INET6) {
++ if (len < SIN6_LEN_RFC2133)
++ return NULL;
++ /* V4 mapped address are really of AF_INET family */
++ if (ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
++ !opt->pf->af_supported(AF_INET, opt))
++ return NULL;
++ }
+
+ /* If we get this far, af is valid. */
+ af = sctp_get_af_specific(addr->sa.sa_family);
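Review bot: The new `len < SIN6_LEN_RFC2133` test in sctp_sockaddr_af() exists to guard the read of `addr->v6.sin6_addr` two lines later, but nothing says so, and the bare return reads like an arbitrary length policy. I would add `/* sin6_addr is read below; the caller's length must cover it */` above the test. The first line of the hunk already reads `addr->sa.sa_family`, so a check that len covers the family field has to exist earlier. The function starts outside the hunk and that cannot be confirmed from here.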
x86-microcode-synchronize-late-microcode-loading.patch
x86-microcode-attempt-late-loading-only-when-new-microcode-is-present.patch
x86-microcode-fix-cpu-synchronization-routine.patch
+arp-fix-arp_filter-on-l3slave-devices.patch
+ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch
+lan78xx-crash-in-lan78xx_writ_reg-workqueue-events-lan78xx_deferred_multicast_write.patch
+net-dsa-discard-frames-from-unused-ports.patch
+net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch
+net-ipv6-fix-route-leaking-between-vrfs.patch
+net-ipv6-increment-outxxx-counters-after-netfilter-hook.patch
+netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch
+net-mlx5e-verify-coalescing-parameters-in-range.patch
+net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch
+net-sched-fix-null-dereference-in-the-error-path-of-tcf_bpf_init.patch
+pptp-remove-a-buggy-dst-release-in-pptp_connect.patch
+r8169-fix-setting-driver_data-after-register_netdev.patch
+sctp-do-not-leak-kernel-memory-to-user-space.patch
+sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch
+sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch
+vhost-correctly-remove-wait-queue-during-poll-failure.patch
+vlan-also-check-phy_driver-ts_info-for-vlan-s-real-device.patch
+vrf-fix-use-after-free-and-double-free-in-vrf_finish_output.patch
+bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch
+bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch
+bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch
+net-fool-proof-dev_valid_name.patch
+ip_tunnel-better-validate-user-provided-tunnel-names.patch
+ipv6-sit-better-validate-user-provided-tunnel-names.patch
+ip6_gre-better-validate-user-provided-tunnel-names.patch
+ip6_tunnel-better-validate-user-provided-tunnel-names.patch
+vti6-better-validate-user-provided-tunnel-names.patch
+net-mlx5e-set-eqe-based-as-default-tx-interrupt-moderation-mode.patch
+net_sched-fix-a-missing-idr_remove-in-u32_delete_key.patch
+net-sched-fix-null-dereference-in-the-error-path-of-tcf_vlan_init.patch
+net-mlx5e-avoid-using-the-ipv6-stub-in-the-tc-offload-neigh-update-path.patch
+net-mlx5e-fix-memory-usage-issues-in-offloading-tc-flows.patch
+net-sched-fix-null-dereference-in-the-error-path-of-tcf_sample_init.patch
+nfp-use-full-40-bits-of-the-nsp-buffer-address.patch
+ipv6-sr-fix-seg6-encap-performances-with-tso-enabled.patch
+net-mlx5e-don-t-override-vport-admin-link-state-in-switchdev-mode.patch
+net-mlx5e-sync-netdev-vxlan-ports-at-open.patch
+net-sched-fix-null-dereference-in-the-error-path-of-tunnel_key_init.patch
+net-sched-fix-null-dereference-on-the-error-path-of-tcf_skbmod_init.patch
+strparser-fix-sign-of-err-codes.patch
+net-mlx4_en-fix-mixed-pfc-and-global-pause-user-control-requests.patch
+net-mlx5e-fix-traffic-being-dropped-on-vf-representor.patch
+vhost-validate-log-when-iotlb-is-enabled.patch
+route-check-sysctl_fib_multipath_use_neigh-earlier-than-hash.patch
+team-move-dev_mc_sync-after-master_upper_dev_link-in-team_port_add.patch
+vhost_net-add-missing-lock-nesting-notation.patch
+net-mlx4_core-fix-memory-leak-while-delete-slave-s-resources.patch
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Sat, 31 Mar 2018 23:42:03 +0800
+Subject: sky2: Increase D3 delay to sky2 stops working after suspend
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+
+[ Upstream commit afb133637071be6deeb8b3d0e55593ffbf63c527 ]
+
+The sky2 ethernet stops working after system resume from suspend:
+[ 582.852065] sky2 0000:04:00.0: Refused to change power state, currently in D3
+
+The current 150ms delay is not enough, change it to 200ms can solve the
+issue.
+
+BugLink: https://bugs.launchpad.net/bugs/1758507
+Cc: Stable <stable@vger.kernel.org>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/sky2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -5087,7 +5087,7 @@ static int sky2_probe(struct pci_dev *pd
+ INIT_WORK(&hw->restart_work, sky2_restart);
+
+ pci_set_drvdata(pdev, hw);
+- pdev->d3_delay = 150;
++ pdev->d3_delay = 200;
+
+ return 0;
+
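Review bot: `pdev->d3_delay = 200;` in sky2_probe() is a bare, empirically chosen value, and the only record of why 150 was too short is the commit message. A comment on the assignment, e.g. `/* ms; 150 was too short on resume ("Refused to change power state") */`, would keep the next tuning attempt from lowering it again.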
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Dave Watson <davejwatson@fb.com>
+Date: Mon, 26 Mar 2018 12:31:21 -0700
+Subject: strparser: Fix sign of err codes
+
+From: Dave Watson <davejwatson@fb.com>
+
+
+[ Upstream commit cd00edc179863848abab5cc5683de5b7b5f70954 ]
+
+strp_parser_err is called with a negative code everywhere, which then
+calls abort_parser with a negative code. strp_msg_timeout calls
+abort_parser directly with a positive code. Negate ETIMEDOUT
+to match signed-ness of other calls.
+
+The default abort_parser callback, strp_abort_strp, sets
+sk->sk_err to err. Also negate the error here so sk_err always
+holds a positive value, as the rest of the net code expects. Currently
+a negative sk_err can result in endless loops, or user code that
+thinks it actually sent/received err bytes.
+
+Found while testing net/tls_sw recv path.
+
+Fixes: 43a0c6751a322847 ("strparser: Stream parser for messages")
+Signed-off-by: Dave Watson <davejwatson@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/strparser/strparser.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/strparser/strparser.c
++++ b/net/strparser/strparser.c
+@@ -60,7 +60,7 @@ static void strp_abort_strp(struct strpa
+ struct sock *sk = strp->sk;
+
+ /* Report an error on the lower socket */
+- sk->sk_err = err;
++ sk->sk_err = -err;
+ sk->sk_error_report(sk);
+ }
+ }
+@@ -458,7 +458,7 @@ static void strp_msg_timeout(struct work
+ /* Message assembly timed out */
+ STRP_STATS_INCR(strp->stats.msg_timeouts);
+ strp->cb.lock(strp);
+- strp->cb.abort_parser(strp, ETIMEDOUT);
++ strp->cb.abort_parser(strp, -ETIMEDOUT);
+ strp->cb.unlock(strp);
+ }
+
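Review bot: `sk->sk_err = -err;` in strp_abort_strp() now depends on every caller passing a negative errno, but nothing in either hunk states or checks that contract, and abort_parser is reached through a callback pointer (`strp->cb.abort_parser`). A positive argument would again store a negative sk_err, the condition the commit message says can lead to endless loops. I would document it at the assignment, e.g. `/* err is a negative errno; sk_err must hold the positive value */`, and note the same convention at the `-ETIMEDOUT` call in strp_msg_timeout(). Both functions start outside their hunks.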
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 26 Mar 2018 01:25:06 +0800
+Subject: team: move dev_mc_sync after master_upper_dev_link in team_port_add
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 982cf3b3999d39a2eaca0a65542df33c19b5d814 ]
+
+The same fix as in 'bonding: move dev_mc_sync after master_upper_dev_link
+in bond_enslave' is needed for team driver.
+
+The panic can be reproduced easily:
+
+ ip link add team1 type team
+ ip link set team1 up
+ ip link add link team1 vlan1 type vlan id 80
+ ip link set vlan1 master team1
+
+Fixes: cb41c997d444 ("team: team should sync the port's uc/mc addrs when add a port")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1197,11 +1197,6 @@ static int team_port_add(struct team *te
+ goto err_dev_open;
+ }
+
+- netif_addr_lock_bh(dev);
+- dev_uc_sync_multiple(port_dev, dev);
+- dev_mc_sync_multiple(port_dev, dev);
+- netif_addr_unlock_bh(dev);
+-
+ err = vlan_vids_add_by_dev(port_dev, dev);
+ if (err) {
+ netdev_err(dev, "Failed to add vlan ids to device %s\n",
+@@ -1241,6 +1236,11 @@ static int team_port_add(struct team *te
+ goto err_option_port_add;
+ }
+
++ netif_addr_lock_bh(dev);
++ dev_uc_sync_multiple(port_dev, dev);
++ dev_mc_sync_multiple(port_dev, dev);
++ netif_addr_unlock_bh(dev);
++
+ port->index = -1;
+ list_add_tail_rcu(&port->list, &team->port_list);
+ team_port_enable(team, port);
+@@ -1265,8 +1265,6 @@ err_enable_netpoll:
+ vlan_vids_del_by_dev(port_dev, dev);
+
+ err_vids_add:
+- dev_uc_unsync(port_dev, dev);
+- dev_mc_unsync(port_dev, dev);
+ dev_close(port_dev);
+
+ err_dev_open:
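Review bot: The address sync block moved in the second hunk of team_port_add() now sits after the last visible `goto err_…`, which is what lets the third hunk drop dev_uc_unsync()/dev_mc_unsync() from the unwind path, but nothing marks that dependency. A failure point added later below the sync would leave the port's address lists synced, with no unsync on the error path. A comment at the new location, e.g. `/* keep after the last failure point: the error path no longer unsyncs */`, would record it. The function extends beyond all three hunks, so the absence of later gotos is inferred from the visible lines only.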
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 27 Mar 2018 20:50:52 +0800
+Subject: vhost: correctly remove wait queue during poll failure
+
+From: Jason Wang <jasowang@redhat.com>
+
+
+[ Upstream commit dc6455a71c7fc5117977e197f67f71b49f27baba ]
+
+We tried to remove vq poll from wait queue, but do not check whether
+or not it was in a list before. This will lead double free. Fixing
+this by switching to use vhost_poll_stop() which zeros poll->wqh after
+removing poll from waitqueue to make sure it won't be freed twice.
+
+Cc: Darren Kenny <darren.kenny@oracle.com>
+Reported-by: syzbot+c0272972b01b872e604a@syzkaller.appspotmail.com
+Fixes: 2b8b328b61c79 ("vhost_net: handle polling errors when setting backend")
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -213,8 +213,7 @@ int vhost_poll_start(struct vhost_poll *
+ if (mask)
+ vhost_poll_wakeup(&poll->wait, 0, 0, (void *)mask);
+ if (mask & POLLERR) {
+- if (poll->wqh)
+- remove_wait_queue(poll->wqh, &poll->wait);
++ vhost_poll_stop(poll);
+ ret = -EINVAL;
+ }
+
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 29 Mar 2018 16:00:04 +0800
+Subject: vhost: validate log when IOTLB is enabled
+
+From: Jason Wang <jasowang@redhat.com>
+
+
+[ Upstream commit d65026c6c62e7d9616c8ceb5a53b68bcdc050525 ]
+
+Vq log_base is the userspace address of bitmap which has nothing to do
+with IOTLB. So it needs to be validated unconditionally otherwise we
+may try use 0 as log_base which may lead to pin pages that will lead
+unexpected result (e.g trigger BUG_ON() in set_bit_to_user()).
+
+Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API")
+Reported-by: syzbot+6304bf97ef436580fede@syzkaller.appspotmail.com
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -1256,14 +1256,12 @@ static int vq_log_access_ok(struct vhost
+ /* Caller should have vq mutex and device mutex */
+ int vhost_vq_access_ok(struct vhost_virtqueue *vq)
+ {
+- if (vq->iotlb) {
+- /* When device IOTLB was used, the access validation
+- * will be validated during prefetching.
+- */
+- return 1;
+- }
+- return vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used) &&
+- vq_log_access_ok(vq, vq->log_base);
++ int ret = vq_log_access_ok(vq, vq->log_base);
++
++ if (ret || vq->iotlb)
++ return ret;
++
++ return vq_access_ok(vq, vq->num, vq->desc, vq->avail, vq->used);
+ }
+ EXPORT_SYMBOL_GPL(vhost_vq_access_ok);
+
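Review bot: The early return in vhost_vq_access_ok(), `if (ret || vq->iotlb) return ret;`, looks inverted. When the log check succeeds and no IOTLB is in use, it returns 1 without ever calling vq_access_ok(), so the desc/avail/used addresses are not validated; when the log check fails, it falls through and the result of vq_access_ok() replaces the failure. The condition that keeps the old `A && B` result while still validating log_base with an IOTLB is `if (!ret || vq->iotlb) return ret;`. A comment such as `/* log_base is always validated; ring addresses only when no IOTLB is used */` would make the intent checkable.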
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Jason Wang <jasowang@redhat.com>
+Date: Mon, 26 Mar 2018 16:10:23 +0800
+Subject: vhost_net: add missing lock nesting notation
+
+From: Jason Wang <jasowang@redhat.com>
+
+
+[ Upstream commit aaa3149bbee9ba9b4e6f0bd6e3e7d191edeae942 ]
+
+We try to hold TX virtqueue mutex in vhost_net_rx_peek_head_len()
+after RX virtqueue mutex is held in handle_rx(). This requires an
+appropriate lock nesting notation to calm down deadlock detector.
+
+Fixes: 0308813724606 ("vhost_net: basic polling support")
+Reported-by: syzbot+7f073540b1384a614e09@syzkaller.appspotmail.com
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -618,7 +618,7 @@ static int vhost_net_rx_peek_head_len(st
+
+ if (!len && vq->busyloop_timeout) {
+ /* Both tx vq and rx socket were polled here */
+- mutex_lock(&vq->mutex);
++ mutex_lock_nested(&vq->mutex, 1);
+ vhost_disable_notify(&net->dev, vq);
+
+ preempt_disable();
+@@ -751,7 +751,7 @@ static void handle_rx(struct vhost_net *
+ struct iov_iter fixup;
+ __virtio16 num_buffers;
+
+- mutex_lock(&vq->mutex);
++ mutex_lock_nested(&vq->mutex, 0);
+ sock = vq->private_data;
+ if (!sock)
+ goto out;
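Review bot: The lockdep subclasses passed to mutex_lock_nested() are a bare `1` in vhost_net_rx_peek_head_len() and a bare `0` in handle_rx(), so the reader has to recover from the commit message that the first is the TX virtqueue mutex taken while the RX one is held. Named constants, or at least a comment at each call such as `/* subclass 1: TX vq mutex, nested inside the RX vq mutex */`, would make the intended nesting order explicit. Both functions continue outside their hunks.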
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Fri, 30 Mar 2018 09:44:00 +0800
+Subject: vlan: also check phy_driver ts_info for vlan's real device
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+
+[ Upstream commit ec1d8ccb07deaf30fd0508af6755364ac47dc08d ]
+
+Just like function ethtool_get_ts_info(), we should also consider the
+phy_driver ts_info call back. For example, driver dp83640.
+
+Fixes: 37dd9255b2f6 ("vlan: Pass ethtool get_ts_info queries to real device.")
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan_dev.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -29,6 +29,7 @@
+ #include <linux/net_tstamp.h>
+ #include <linux/etherdevice.h>
+ #include <linux/ethtool.h>
++#include <linux/phy.h>
+ #include <net/arp.h>
+ #include <net/switchdev.h>
+
+@@ -665,8 +666,11 @@ static int vlan_ethtool_get_ts_info(stru
+ {
+ const struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
+ const struct ethtool_ops *ops = vlan->real_dev->ethtool_ops;
++ struct phy_device *phydev = vlan->real_dev->phydev;
+
+- if (ops->get_ts_info) {
++ if (phydev && phydev->drv && phydev->drv->ts_info) {
++ return phydev->drv->ts_info(phydev, info);
++ } else if (ops->get_ts_info) {
+ return ops->get_ts_info(vlan->real_dev, info);
+ } else {
+ info->so_timestamping = SOF_TIMESTAMPING_RX_SOFTWARE |
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: David Ahern <dsahern@gmail.com>
+Date: Thu, 29 Mar 2018 12:49:52 -0700
+Subject: vrf: Fix use after free and double free in vrf_finish_output
+
+From: David Ahern <dsahern@gmail.com>
+
+
+[ Upstream commit 82dd0d2a9a76fc8fa2b18d80b987d455728bf83a ]
+
+Miguel reported an skb use after free / double free in vrf_finish_output
+when neigh_output returns an error. The vrf driver should return after
+the call to neigh_output as it takes over the skb on error path as well.
+
+Patch is a simplified version of Miguel's patch which was written for 4.9,
+and updated to top of tree.
+
+Fixes: 8f58336d3f78a ("net: Add ethernet header for pass through VRF device")
+Signed-off-by: Miguel Fadon Perlines <mfadon@teldat.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vrf.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -578,12 +578,13 @@ static int vrf_finish_output(struct net
+ if (!IS_ERR(neigh)) {
+ sock_confirm_neigh(skb, neigh);
+ ret = neigh_output(neigh, skb);
++ rcu_read_unlock_bh();
++ return ret;
+ }
+
+ rcu_read_unlock_bh();
+ err:
+- if (unlikely(ret < 0))
+- vrf_tx_error(skb->dev, skb);
++ vrf_tx_error(skb->dev, skb);
+ return ret;
+ }
+
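Review bot: After this change a failure returned by neigh_output() in vrf_finish_output() goes back to the caller without passing through vrf_tx_error(), so, if that helper is where transmit errors are counted (its body is not in the hunk), those failures no longer appear in the device statistics. The skb must not be touched on that path, so any accounting would have to use a device pointer saved before the call. The ownership rule deserves a comment at the call, e.g. `/* neigh_output() consumes skb on success and on error */`. The err label now calls vrf_tx_error() unconditionally, which is only right if every path reaching it has ret < 0. The start of the function is outside the hunk, so that should be confirmed there.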
--- /dev/null
+From foo@baz Tue Apr 10 23:19:36 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 5 Apr 2018 06:39:31 -0700
+Subject: vti6: better validate user provided tunnel names
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 537b361fbcbcc3cd6fe2bb47069fd292b9256d16 ]
+
+Use valid_name() to make sure user does not provide illegal
+device name.
+
+Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_vti.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -212,10 +212,13 @@ static struct ip6_tnl *vti6_tnl_create(s
+ char name[IFNAMSIZ];
+ int err;
+
+- if (p->name[0])
++ if (p->name[0]) {
++ if (!dev_valid_name(p->name))
++ goto failed;
+ strlcpy(name, p->name, IFNAMSIZ);
+- else
++ } else {
+ sprintf(name, "ip6_vti%%d");
++ }
+
+ dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, vti6_dev_setup);
+ if (!dev)
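Review bot: The new `dev_valid_name(p->name)` call in vti6_tnl_create() is the only check on the user-provided name before `strlcpy(name, p->name, IFNAMSIZ)`, so it protects the copy only if dev_valid_name() itself never reads past IFNAMSIZ bytes of an unterminated p->name. This series lists net-fool-proof-dev_valid_name.patch ahead of this patch, which presumably provides that bound, so the two should stay together when backporting. The invalid-name case also jumps to `failed` with `err` still unset (`int err;` has no initialiser). The label is outside the hunk, so confirm that it does not read err. As a point of style, `sprintf(name, "ip6_vti%%d")` would read more plainly as `strlcpy(name, "ip6_vti%d", IFNAMSIZ);`.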