--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+Date: Tue, 6 Mar 2018 22:57:01 +0300
+Subject: dccp: check sk for closed state in dccp_sendmsg()
+
+From: Alexey Kodanev <alexey.kodanev@oracle.com>
+
+
+[ Upstream commit 67f93df79aeefc3add4e4b31a752600f834236e2 ]
+
+dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL,
+therefore if DCCP socket is disconnected and dccp_sendmsg() is
+called after it, it will cause a NULL pointer dereference in
+dccp_write_xmit().
+
+This crash and the reproducer was reported by syzbot. Looks like
+it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824:
+use-after-free in DCCP code") is applied.
+
+Reported-by: syzbot+f99ab3887ab65d70f816@syzkaller.appspotmail.com
+Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/proto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -789,6 +789,11 @@ int dccp_sendmsg(struct sock *sk, struct
+ if (skb == NULL)
+ goto out_release;
+
++ if (sk->sk_state == DCCP_CLOSED) {
++ rc = -ENOTCONN;
++ goto out_discard;
++ }
++
+ skb_reserve(skb, sk->sk_prot->max_header);
+ rc = memcpy_from_msg(skb_put(skb, len), msg, len);
+ if (rc != 0)
--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 5 Mar 2018 08:51:03 -0800
+Subject: ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit ca0edb131bdf1e6beaeb2b8289fd6b374b74147d ]
+
+A tun device type can trivially be set to arbitrary value using
+TUNSETLINK ioctl().
+
+Therefore, lowpan_device_event() must really check that ieee802154_ptr
+is not NULL.
+
+Fixes: 2c88b5283f60d ("ieee802154: 6lowpan: remove check on null")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Alexander Aring <alex.aring@gmail.com>
+Cc: Stefan Schmidt <stefan@osg.samsung.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Stefan Schmidt <stefan@osg.samsung.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/6lowpan/core.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/ieee802154/6lowpan/core.c
++++ b/net/ieee802154/6lowpan/core.c
+@@ -206,9 +206,13 @@ static inline void lowpan_netlink_fini(v
+ static int lowpan_device_event(struct notifier_block *unused,
+ unsigned long event, void *ptr)
+ {
+- struct net_device *wdev = netdev_notifier_info_to_dev(ptr);
++ struct net_device *ndev = netdev_notifier_info_to_dev(ptr);
++ struct wpan_dev *wpan_dev;
+
+- if (wdev->type != ARPHRD_IEEE802154)
++ if (ndev->type != ARPHRD_IEEE802154)
++ return NOTIFY_DONE;
++ wpan_dev = ndev->ieee802154_ptr;
++ if (!wpan_dev)
+ goto out;
+
+ switch (event) {
+@@ -217,8 +221,8 @@ static int lowpan_device_event(struct no
+ * also delete possible lowpan interfaces which belongs
+ * to the wpan interface.
+ */
+- if (wdev->ieee802154_ptr->lowpan_dev)
+- lowpan_dellink(wdev->ieee802154_ptr->lowpan_dev, NULL);
++ if (wpan_dev->lowpan_dev)
++ lowpan_dellink(wpan_dev->lowpan_dev, NULL);
+ break;
+ default:
+ break;
--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Thu, 8 Mar 2018 17:00:02 +0100
+Subject: ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option()
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+
+[ Upstream commit 9f62c15f28b0d1d746734666d88a79f08ba1e43e ]
+
+Fix the following slab-out-of-bounds kasan report in
+ndisc_fill_redirect_hdr_option when the incoming ipv6 packet is not
+linear and the accessed data are not in the linear data region of orig_skb.
+
+[ 1503.122508] ==================================================================
+[ 1503.122832] BUG: KASAN: slab-out-of-bounds in ndisc_send_redirect+0x94e/0x990
+[ 1503.123036] Read of size 1184 at addr ffff8800298ab6b0 by task netperf/1932
+
+[ 1503.123220] CPU: 0 PID: 1932 Comm: netperf Not tainted 4.16.0-rc2+ #124
+[ 1503.123347] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-2.fc27 04/01/2014
+[ 1503.123527] Call Trace:
+[ 1503.123579] <IRQ>
+[ 1503.123638] print_address_description+0x6e/0x280
+[ 1503.123849] kasan_report+0x233/0x350
+[ 1503.123946] memcpy+0x1f/0x50
+[ 1503.124037] ndisc_send_redirect+0x94e/0x990
+[ 1503.125150] ip6_forward+0x1242/0x13b0
+[...]
+[ 1503.153890] Allocated by task 1932:
+[ 1503.153982] kasan_kmalloc+0x9f/0xd0
+[ 1503.154074] __kmalloc_track_caller+0xb5/0x160
+[ 1503.154198] __kmalloc_reserve.isra.41+0x24/0x70
+[ 1503.154324] __alloc_skb+0x130/0x3e0
+[ 1503.154415] sctp_packet_transmit+0x21a/0x1810
+[ 1503.154533] sctp_outq_flush+0xc14/0x1db0
+[ 1503.154624] sctp_do_sm+0x34e/0x2740
+[ 1503.154715] sctp_primitive_SEND+0x57/0x70
+[ 1503.154807] sctp_sendmsg+0xaa6/0x1b10
+[ 1503.154897] sock_sendmsg+0x68/0x80
+[ 1503.154987] ___sys_sendmsg+0x431/0x4b0
+[ 1503.155078] __sys_sendmsg+0xa4/0x130
+[ 1503.155168] do_syscall_64+0x171/0x3f0
+[ 1503.155259] entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+[ 1503.155436] Freed by task 1932:
+[ 1503.155527] __kasan_slab_free+0x134/0x180
+[ 1503.155618] kfree+0xbc/0x180
+[ 1503.155709] skb_release_data+0x27f/0x2c0
+[ 1503.155800] consume_skb+0x94/0xe0
+[ 1503.155889] sctp_chunk_put+0x1aa/0x1f0
+[ 1503.155979] sctp_inq_pop+0x2f8/0x6e0
+[ 1503.156070] sctp_assoc_bh_rcv+0x6a/0x230
+[ 1503.156164] sctp_inq_push+0x117/0x150
+[ 1503.156255] sctp_backlog_rcv+0xdf/0x4a0
+[ 1503.156346] __release_sock+0x142/0x250
+[ 1503.156436] release_sock+0x80/0x180
+[ 1503.156526] sctp_sendmsg+0xbb0/0x1b10
+[ 1503.156617] sock_sendmsg+0x68/0x80
+[ 1503.156708] ___sys_sendmsg+0x431/0x4b0
+[ 1503.156799] __sys_sendmsg+0xa4/0x130
+[ 1503.156889] do_syscall_64+0x171/0x3f0
+[ 1503.156980] entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+[ 1503.157158] The buggy address belongs to the object at ffff8800298ab600
+ which belongs to the cache kmalloc-1024 of size 1024
+[ 1503.157444] The buggy address is located 176 bytes inside of
+ 1024-byte region [ffff8800298ab600, ffff8800298aba00)
+[ 1503.157702] The buggy address belongs to the page:
+[ 1503.157820] page:ffffea0000a62a00 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
+[ 1503.158053] flags: 0x4000000000008100(slab|head)
+[ 1503.158171] raw: 4000000000008100 0000000000000000 0000000000000000 00000001800e000e
+[ 1503.158350] raw: dead000000000100 dead000000000200 ffff880036002600 0000000000000000
+[ 1503.158523] page dumped because: kasan: bad access detected
+
+[ 1503.158698] Memory state around the buggy address:
+[ 1503.158816] ffff8800298ab900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 1503.158988] ffff8800298ab980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 1503.159165] >ffff8800298aba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 1503.159338] ^
+[ 1503.159436] ffff8800298aba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 1503.159610] ffff8800298abb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 1503.159785] ==================================================================
+[ 1503.159964] Disabling lock debugging due to kernel taint
+
+The test scenario to trigger the issue consists of 4 devices:
+- H0: data sender, connected to LAN0
+- H1: data receiver, connected to LAN1
+- GW0 and GW1: routers between LAN0 and LAN1. Both of them have an
+ ethernet connection on LAN0 and LAN1
+On H{0,1} set GW0 as default gateway while on GW0 set GW1 as next hop for
+data from LAN0 to LAN1.
+Moreover create an ip6ip6 tunnel between H0 and H1 and send 3 concurrent
+data streams (TCP/UDP/SCTP) from H0 to H1 through ip6ip6 tunnel (send
+buffer size is set to 16K). While data streams are active flush the route
+cache on HA multiple times.
+I have not been able to identify a given commit that introduced the issue
+since, using the reproducer described above, the kasan report has been
+triggered from 4.14 and I have not gone back further.
+
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ndisc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1478,7 +1478,8 @@ static void ndisc_fill_redirect_hdr_opti
+ *(opt++) = (rd_len >> 3);
+ opt += 6;
+
+- memcpy(opt, ipv6_hdr(orig_skb), rd_len - 8);
++ skb_copy_bits(orig_skb, skb_network_offset(orig_skb), opt,
++ rd_len - 8);
+ }
+
+ void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 6 Mar 2018 07:54:53 -0800
+Subject: l2tp: do not accept arbitrary sockets
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 17cfe79a65f98abe535261856c5aef14f306dff7 ]
+
+syzkaller found an issue caused by lack of sufficient checks
+in l2tp_tunnel_create()
+
+RAW sockets can not be considered as UDP ones for instance.
+
+In another patch, we shall replace all pr_err() by less intrusive
+pr_debug() so that syzkaller can find other bugs faster.
+Acked-by: Guillaume Nault <g.nault@alphalink.fr>
+Acked-by: James Chapman <jchapman@katalix.com>
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
+dst_release: dst:00000000d53d0d0f refcnt:-1
+Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242
+
+CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ #253
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x24d lib/dump_stack.c:53
+ print_address_description+0x73/0x250 mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report+0x23b/0x360 mm/kasan/report.c:412
+ __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
+ setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
+ l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
+ pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
+ SYSC_connect+0x213/0x4a0 net/socket.c:1640
+ SyS_connect+0x24/0x30 net/socket.c:1621
+ do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1518,9 +1518,14 @@ int l2tp_tunnel_create(struct net *net,
+ encap = cfg->encap;
+
+ /* Quick sanity checks */
++ err = -EPROTONOSUPPORT;
++ if (sk->sk_type != SOCK_DGRAM) {
++ pr_debug("tunl %hu: fd %d wrong socket type\n",
++ tunnel_id, fd);
++ goto err;
++ }
+ switch (encap) {
+ case L2TP_ENCAPTYPE_UDP:
+- err = -EPROTONOSUPPORT;
+ if (sk->sk_protocol != IPPROTO_UDP) {
+ pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
+ tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
+@@ -1528,7 +1533,6 @@ int l2tp_tunnel_create(struct net *net,
+ }
+ break;
+ case L2TP_ENCAPTYPE_IP:
+- err = -EPROTONOSUPPORT;
+ if (sk->sk_protocol != IPPROTO_L2TP) {
+ pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
+ tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 18 Mar 2018 23:59:36 +0100
+Subject: net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+
+[ Upstream commit 00777fac28ba3e126b9e63e789a613e8bd2cab25 ]
+
+If the optional regulator is deferred, we must release some resources.
+They will be re-allocated when the probe function will be called again.
+
+Fixes: 6eacf31139bf ("ethernet: arc: Add support for Rockchip SoC layer device tree bindings")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/arc/emac_rockchip.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/arc/emac_rockchip.c
++++ b/drivers/net/ethernet/arc/emac_rockchip.c
+@@ -150,8 +150,10 @@ static int emac_rockchip_probe(struct pl
+ /* Optional regulator for PHY */
+ priv->regulator = devm_regulator_get_optional(dev, "phy");
+ if (IS_ERR(priv->regulator)) {
+- if (PTR_ERR(priv->regulator) == -EPROBE_DEFER)
+- return -EPROBE_DEFER;
++ if (PTR_ERR(priv->regulator) == -EPROBE_DEFER) {
++ err = -EPROBE_DEFER;
++ goto out_clk_disable;
++ }
+ dev_err(dev, "no regulator found\n");
+ priv->regulator = NULL;
+ }
--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: "SZ Lin (林上智)" <sz.lin@moxa.com>
+Date: Fri, 16 Mar 2018 00:56:01 +0800
+Subject: net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface
+
+From: "SZ Lin (林上智)" <sz.lin@moxa.com>
+
+
+[ Upstream commit f9db50691db4a7d860fce985f080bb3fc23a7ede ]
+
+According to AM335x TRM[1] 14.3.6.2, AM437x TRM[2] 15.3.6.2 and
+DRA7 TRM[3] 24.11.4.8.7.3.3, in-band mode in EXT_EN(bit18) register is only
+available when PHY is configured in RGMII mode with 10Mbps speed. It will
+cause some networking issues without RGMII mode, such as carrier sense
+errors and low throughput. TI also mentioned this issue in their forum[4].
+
+This patch adds the check mechanism for PHY interface with RGMII interface
+type, the in-band mode can only be set in RGMII mode with 10Mbps speed.
+
+References:
+[1]: https://www.ti.com/lit/ug/spruh73p/spruh73p.pdf
+[2]: http://www.ti.com/lit/ug/spruhl7h/spruhl7h.pdf
+[3]: http://www.ti.com/lit/ug/spruic2b/spruic2b.pdf
+[4]: https://e2e.ti.com/support/arm/sitara_arm/f/791/p/640765/2392155
+
+Suggested-by: Holsety Chen (陳憲輝) <Holsety.Chen@moxa.com>
+Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
+Signed-off-by: Schuyler Patton <spatton@ti.com>
+Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/cpsw.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -878,7 +878,8 @@ static void _cpsw_adjust_link(struct cps
+ /* set speed_in input in case RMII mode is used in 100Mbps */
+ if (phy->speed == 100)
+ mac_control |= BIT(15);
+- else if (phy->speed == 10)
++ /* in band mode only works in 10Mbps RGMII mode */
++ else if ((phy->speed == 10) && phy_interface_is_rgmii(phy))
+ mac_control |= BIT(18); /* In Band mode */
+
+ if (priv->rx_pause)
--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Sun, 18 Mar 2018 12:49:51 -0700
+Subject: net: fec: Fix unbalanced PM runtime calls
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+
+[ Upstream commit a069215cf5985f3aa1bba550264907d6bd05c5f7 ]
+
+When unbinding/removing the driver, we will run into the following warnings:
+
+[ 259.655198] fec 400d1000.ethernet: 400d1000.ethernet supply phy not found, using dummy regulator
+[ 259.665065] fec 400d1000.ethernet: Unbalanced pm_runtime_enable!
+[ 259.672770] fec 400d1000.ethernet (unnamed net_device) (uninitialized): Invalid MAC address: 00:00:00:00:00:00
+[ 259.683062] fec 400d1000.ethernet (unnamed net_device) (uninitialized): Using random MAC address: f2:3e:93:b7:29:c1
+[ 259.696239] libphy: fec_enet_mii_bus: probed
+
+Avoid these warnings by balancing the runtime PM calls during fec_drv_remove().
+
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3539,6 +3539,8 @@ fec_drv_remove(struct platform_device *p
+ fec_enet_mii_remove(fep);
+ if (fep->reg_phy)
+ regulator_disable(fep->reg_phy);
++ pm_runtime_put(&pdev->dev);
++ pm_runtime_disable(&pdev->dev);
+ of_node_put(fep->phy_node);
+ free_netdev(ndev);
+
--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+Date: Tue, 6 Mar 2018 18:46:39 +0300
+Subject: net: Fix hlist corruptions in inet_evict_bucket()
+
+From: Kirill Tkhai <ktkhai@virtuozzo.com>
+
+
+[ Upstream commit a560002437d3646dafccecb1bf32d1685112ddda ]
+
+inet_evict_bucket() iterates global list, and
+several tasks may call it in parallel. All of
+them hash the same fq->list_evictor to different
+lists, which leads to list corruption.
+
+This patch makes fq be hashed to expired list
+only if this has not been made yet by another
+task. Since inet_frag_alloc() allocates fq
+using kmem_cache_zalloc(), we may rely on
+list_evictor is initially unhashed.
+
+The problem seems to exist before async
+pernet_operations, as there was possible to have
+exit method to be executed in parallel with
+inet_frags::frags_work, so I add two Fixes tags.
+This also may go to stable.
+
+Fixes: d1fe19444d82 "inet: frag: don't re-use chainlist for evictor"
+Fixes: f84c6821aa54 "net: Convert pernet_subsys, registered from inet_init()"
+Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/inet_fragment.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -119,6 +119,9 @@ out:
+
+ static bool inet_fragq_should_evict(const struct inet_frag_queue *q)
+ {
++ if (!hlist_unhashed(&q->list_evictor))
++ return false;
++
+ return q->net->low_thresh == 0 ||
+ frag_mem_limit(q->net) >= q->net->low_thresh;
+ }
--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Tue, 13 Mar 2018 16:50:06 +0100
+Subject: net/iucv: Free memory obtained by kzalloc
+
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+
+
+[ Upstream commit fa6a91e9b907231d2e38ea5ed89c537b3525df3d ]
+
+Free memory by calling put_device(), if afiucv_iucv_init is not
+successful.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/iucv/af_iucv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -2381,9 +2381,11 @@ static int afiucv_iucv_init(void)
+ af_iucv_dev->driver = &af_iucv_driver;
+ err = device_register(af_iucv_dev);
+ if (err)
+- goto out_driver;
++ goto out_iucv_dev;
+ return 0;
+
++out_iucv_dev:
++ put_device(af_iucv_dev);
+ out_driver:
+ driver_unregister(&af_iucv_driver);
+ out_iucv:
--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: David Ahern <dsahern@gmail.com>
+Date: Fri, 16 Feb 2018 11:03:03 -0800
+Subject: net: Only honor ifindex in IP_PKTINFO if non-0
+
+From: David Ahern <dsahern@gmail.com>
+
+
+[ Upstream commit 2cbb4ea7de167b02ffa63e9cdfdb07a7e7094615 ]
+
+Only allow ifindex from IP_PKTINFO to override SO_BINDTODEVICE settings
+if the index is actually set in the message.
+
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_sockglue.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -241,7 +241,8 @@ int ip_cmsg_send(struct net *net, struct
+ src_info = (struct in6_pktinfo *)CMSG_DATA(cmsg);
+ if (!ipv6_addr_v4mapped(&src_info->ipi6_addr))
+ return -EINVAL;
+- ipc->oif = src_info->ipi6_ifindex;
++ if (src_info->ipi6_ifindex)
++ ipc->oif = src_info->ipi6_ifindex;
+ ipc->addr = src_info->ipi6_addr.s6_addr32[3];
+ continue;
+ }
+@@ -264,7 +265,8 @@ int ip_cmsg_send(struct net *net, struct
+ if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct in_pktinfo)))
+ return -EINVAL;
+ info = (struct in_pktinfo *)CMSG_DATA(cmsg);
+- ipc->oif = info->ipi_ifindex;
++ if (info->ipi_ifindex)
++ ipc->oif = info->ipi_ifindex;
+ ipc->addr = info->ipi_spec_dst.s_addr;
+ break;
+ }
--- /dev/null
+From foo@baz Wed Mar 28 20:16:33 CEST 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Tue, 13 Mar 2018 14:45:07 -0700
+Subject: net: systemport: Rewrite __bcm_sysport_tx_reclaim()
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+
+[ Upstream commit 484d802d0f2f29c335563fcac2a8facf174a1bbc ]
+
+There is no need for complex checking between the last consumed index
+and current consumed index, a simple subtraction will do.
+
+This also eliminates the possibility of a permanent transmit queue stall
+under the following conditions:
+
+- one CPU bursts ring->size worth of traffic (up to 256 buffers), to the
+ point where we run out of free descriptors, so we stop the transmit
+ queue at the end of bcm_sysport_xmit()
+
+- because of our locking, we have the transmit process disable
+ interrupts which means we can be blocking the TX reclamation process
+
+- when TX reclamation finally runs, we will be computing the difference
+ between ring->c_index (last consumed index by SW) and what the HW
+ reports through its register
+
+- this register is masked with (ring->size - 1) = 0xff, which will lead
+ to stripping the upper bits of the index (register is 16-bits wide)
+
+- we will be computing last_tx_cn as 0, which means there is no work to
+ be done, and we never wake-up the transmit queue, leaving it
+ permanently disabled
+
+A practical example is e.g: ring->c_index aka last_c_index = 12, we
+pushed 256 entries, HW consumer index = 268, we mask it with 0xff = 12,
+so last_tx_cn == 0, nothing happens.
+
+Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 33 +++++++++++++----------------
+ drivers/net/ethernet/broadcom/bcmsysport.h | 2 -
+ 2 files changed, 16 insertions(+), 19 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -729,37 +729,33 @@ static unsigned int __bcm_sysport_tx_rec
+ struct bcm_sysport_tx_ring *ring)
+ {
+ struct net_device *ndev = priv->netdev;
+- unsigned int c_index, last_c_index, last_tx_cn, num_tx_cbs;
+ unsigned int pkts_compl = 0, bytes_compl = 0;
++ unsigned int txbds_processed = 0;
+ struct bcm_sysport_cb *cb;
++ unsigned int txbds_ready;
++ unsigned int c_index;
+ u32 hw_ind;
+
+ /* Compute how many descriptors have been processed since last call */
+ hw_ind = tdma_readl(priv, TDMA_DESC_RING_PROD_CONS_INDEX(ring->index));
+ c_index = (hw_ind >> RING_CONS_INDEX_SHIFT) & RING_CONS_INDEX_MASK;
+- ring->p_index = (hw_ind & RING_PROD_INDEX_MASK);
+-
+- last_c_index = ring->c_index;
+- num_tx_cbs = ring->size;
+-
+- c_index &= (num_tx_cbs - 1);
+-
+- if (c_index >= last_c_index)
+- last_tx_cn = c_index - last_c_index;
+- else
+- last_tx_cn = num_tx_cbs - last_c_index + c_index;
++ txbds_ready = (c_index - ring->c_index) & RING_CONS_INDEX_MASK;
+
+ netif_dbg(priv, tx_done, ndev,
+- "ring=%d c_index=%d last_tx_cn=%d last_c_index=%d\n",
+- ring->index, c_index, last_tx_cn, last_c_index);
++ "ring=%d old_c_index=%u c_index=%u txbds_ready=%u\n",
++ ring->index, ring->c_index, c_index, txbds_ready);
+
+- while (last_tx_cn-- > 0) {
+- cb = ring->cbs + last_c_index;
++ while (txbds_processed < txbds_ready) {
++ cb = &ring->cbs[ring->clean_index];
+ bcm_sysport_tx_reclaim_one(priv, cb, &bytes_compl, &pkts_compl);
+
+ ring->desc_count++;
+- last_c_index++;
+- last_c_index &= (num_tx_cbs - 1);
++ txbds_processed++;
++
++ if (likely(ring->clean_index < ring->size - 1))
++ ring->clean_index++;
++ else
++ ring->clean_index = 0;
+ }
+
+ ring->c_index = c_index;
+@@ -1229,6 +1225,7 @@ static int bcm_sysport_init_tx_ring(stru
+ netif_napi_add(priv->netdev, &ring->napi, bcm_sysport_tx_poll, 64);
+ ring->index = index;
+ ring->size = size;
++ ring->clean_index = 0;
+ ring->alloc_size = ring->size;
+ ring->desc_cpu = p;
+ ring->desc_count = ring->size;
+--- a/drivers/net/ethernet/broadcom/bcmsysport.h
++++ b/drivers/net/ethernet/broadcom/bcmsysport.h
+@@ -638,7 +638,7 @@ struct bcm_sysport_tx_ring {
+ unsigned int desc_count; /* Number of descriptors */
+ unsigned int curr_desc; /* Current descriptor */
+ unsigned int c_index; /* Last consumer index */
+- unsigned int p_index; /* Current producer index */
++ unsigned int clean_index; /* Current clean index */
+ struct bcm_sysport_cb *cbs; /* Transmit control blocks */
+ struct dma_desc *desc_cpu; /* CPU view of the descriptor */
+ struct bcm_sysport_priv *priv; /* private context backpointer */
--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Wed, 14 Mar 2018 21:10:23 +0100
+Subject: netlink: avoid a double skb free in genlmsg_mcast()
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+
+[ Upstream commit 02a2385f37a7c6594c9d89b64c4a1451276f08eb ]
+
+nlmsg_multicast() consumes always the skb, thus the original skb must be
+freed only when this function is called with a clone.
+
+Fixes: cb9f7a9a5c96 ("netlink: ensure to loop over all netns in genlmsg_multicast_allns()")
+Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/genetlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netlink/genetlink.c
++++ b/net/netlink/genetlink.c
+@@ -1143,7 +1143,7 @@ static int genlmsg_mcast(struct sk_buff
+ if (!err)
+ delivered = true;
+ else if (err != -ESRCH)
+- goto error;
++ return err;
+ return delivered ? 0 : -ESRCH;
+ error:
+ kfree_skb(skb);
--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Tue, 20 Mar 2018 07:59:12 +0100
+Subject: s390/qeth: free netdevice when removing a card
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+
+[ Upstream commit 6be687395b3124f002a653c1a50b3260222b3cd7 ]
+
+On removal, a qeth card's netdevice is currently not properly freed
+because the call chain looks as follows:
+
+qeth_core_remove_device(card)
+ lx_remove_device(card)
+ unregister_netdev(card->dev)
+ card->dev = NULL !!!
+ qeth_core_free_card(card)
+ if (card->dev) !!!
+ free_netdev(card->dev)
+
+Fix it by free'ing the netdev straight after unregistering. This also
+fixes the sysfs-driven layer switch case (qeth_dev_layer2_store()),
+where the need to free the current netdevice was not considered at all.
+
+Note that free_netdev() takes care of the netif_napi_del() for us too.
+
+Fixes: 4a71df50047f ("qeth: new qeth device driver")
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Reviewed-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core_main.c | 2 --
+ drivers/s390/net/qeth_l2_main.c | 2 +-
+ drivers/s390/net/qeth_l3_main.c | 2 +-
+ 3 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -4969,8 +4969,6 @@ static void qeth_core_free_card(struct q
+ QETH_DBF_HEX(SETUP, 2, &card, sizeof(void *));
+ qeth_clean_channel(&card->read);
+ qeth_clean_channel(&card->write);
+- if (card->dev)
+- free_netdev(card->dev);
+ kfree(card->ip_tbd_list);
+ qeth_free_qdio_buffers(card);
+ unregister_service_level(&card->qeth_service_level);
+--- a/drivers/s390/net/qeth_l2_main.c
++++ b/drivers/s390/net/qeth_l2_main.c
+@@ -1062,8 +1062,8 @@ static void qeth_l2_remove_device(struct
+ qeth_l2_set_offline(cgdev);
+
+ if (card->dev) {
+- netif_napi_del(&card->napi);
+ unregister_netdev(card->dev);
++ free_netdev(card->dev);
+ card->dev = NULL;
+ }
+ return;
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -3243,8 +3243,8 @@ static void qeth_l3_remove_device(struct
+ qeth_l3_set_offline(cgdev);
+
+ if (card->dev) {
+- netif_napi_del(&card->napi);
+ unregister_netdev(card->dev);
++ free_netdev(card->dev);
+ card->dev = NULL;
+ }
+
--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Tue, 20 Mar 2018 07:59:14 +0100
+Subject: s390/qeth: lock read device while queueing next buffer
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+
+[ Upstream commit 17bf8c9b3d499d5168537c98b61eb7a1fcbca6c2 ]
+
+For calling ccw_device_start(), issue_next_read() needs to hold the
+device's ccwlock.
+This is satisfied for the IRQ handler path (where qeth_irq() gets called
+under the ccwlock), but we need explicit locking for the initial call by
+the MPC initialization.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core_main.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -517,8 +517,7 @@ static inline int qeth_is_cq(struct qeth
+ queue == card->qdio.no_in_queues - 1;
+ }
+
+-
+-static int qeth_issue_next_read(struct qeth_card *card)
++static int __qeth_issue_next_read(struct qeth_card *card)
+ {
+ int rc;
+ struct qeth_cmd_buffer *iob;
+@@ -549,6 +548,17 @@ static int qeth_issue_next_read(struct q
+ return rc;
+ }
+
++static int qeth_issue_next_read(struct qeth_card *card)
++{
++ int ret;
++
++ spin_lock_irq(get_ccwdev_lock(CARD_RDEV(card)));
++ ret = __qeth_issue_next_read(card);
++ spin_unlock_irq(get_ccwdev_lock(CARD_RDEV(card)));
++
++ return ret;
++}
++
+ static struct qeth_reply *qeth_alloc_reply(struct qeth_card *card)
+ {
+ struct qeth_reply *reply;
+@@ -1174,7 +1184,7 @@ static void qeth_irq(struct ccw_device *
+ return;
+ if (channel == &card->read &&
+ channel->state == CH_STATE_UP)
+- qeth_issue_next_read(card);
++ __qeth_issue_next_read(card);
+
+ iob = channel->iob;
+ index = channel->buf_no;
--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Tue, 20 Mar 2018 07:59:15 +0100
+Subject: s390/qeth: on channel error, reject further cmd requests
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+
+[ Upstream commit a6c3d93963e4b333c764fde69802c3ea9eaa9d5c ]
+
+When the IRQ handler determines that one of the cmd IO channels has
+failed and schedules recovery, block any further cmd requests from
+being submitted. The request would inevitably stall, and prevent the
+recovery from making progress until the request times out.
+
+This sort of error was observed after Live Guest Relocation, where
+the pending IO on the READ channel intentionally gets terminated to
+kick-start recovery. Simultaneously the guest executed SIOCETHTOOL,
+triggering qeth to issue a QUERY CARD INFO command. The command
+then stalled in the inoperabel WRITE channel.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -1166,6 +1166,7 @@ static void qeth_irq(struct ccw_device *
+ }
+ rc = qeth_get_problem(cdev, irb);
+ if (rc) {
++ card->read_or_write_problem = 1;
+ qeth_clear_ipacmd_list(card);
+ qeth_schedule_recovery(card);
+ goto out;
--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Tue, 20 Mar 2018 07:59:13 +0100
+Subject: s390/qeth: when thread completes, wake up all waiters
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+
+[ Upstream commit 1063e432bb45be209427ed3f1ca3908e4aa3c7d7 ]
+
+qeth_wait_for_threads() is potentially called by multiple users, make
+sure to notify all of them after qeth_clear_thread_running_bit()
+adjusted the thread_running_mask. With no timeout, callers would
+otherwise stall.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -952,7 +952,7 @@ void qeth_clear_thread_running_bit(struc
+ spin_lock_irqsave(&card->thread_mask_lock, flags);
+ card->thread_running_mask &= ~thread;
+ spin_unlock_irqrestore(&card->thread_mask_lock, flags);
+- wake_up(&card->wait_q);
++ wake_up_all(&card->wait_q);
+ }
+ EXPORT_SYMBOL_GPL(qeth_clear_thread_running_bit);
+
scsi-sg-don-t-return-bogus-sg_requests.patch
genirq-track-whether-the-trigger-type-has-been-set.patch
+net-fix-hlist-corruptions-in-inet_evict_bucket.patch
+dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch
+ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_redirect_hdr_option.patch
+l2tp-do-not-accept-arbitrary-sockets.patch
+net-ethernet-arc-fix-a-potential-memory-leak-if-an-optional-regulator-is-deferred.patch
+net-ethernet-ti-cpsw-add-check-for-in-band-mode-setting-with-rgmii-phy-interface.patch
+net-iucv-free-memory-obtained-by-kzalloc.patch
+netlink-avoid-a-double-skb-free-in-genlmsg_mcast.patch
+net-only-honor-ifindex-in-ip_pktinfo-if-non-0.patch
+skbuff-fix-not-waking-applications-when-errors-are-enqueued.patch
+team-fix-double-free-in-error-path.patch
+s390-qeth-free-netdevice-when-removing-a-card.patch
+s390-qeth-when-thread-completes-wake-up-all-waiters.patch
+s390-qeth-lock-read-device-while-queueing-next-buffer.patch
+s390-qeth-on-channel-error-reject-further-cmd-requests.patch
+ieee802154-6lowpan-fix-possible-null-deref-in-lowpan_device_event.patch
+net-fec-fix-unbalanced-pm-runtime-calls.patch
+net-systemport-rewrite-__bcm_sysport_tx_reclaim.patch
--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Date: Wed, 14 Mar 2018 13:32:09 -0700
+Subject: skbuff: Fix not waking applications when errors are enqueued
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+
+[ Upstream commit 6e5d58fdc9bedd0255a8781b258f10bbdc63e975 ]
+
+When errors are enqueued to the error queue via sock_queue_err_skb()
+function, it is possible that the waiting application is not notified.
+
+Calling 'sk->sk_data_ready()' would not notify applications that
+selected only POLLERR events in poll() (for example).
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Randy E. Witt <randy.e.witt@intel.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -3571,7 +3571,7 @@ int sock_queue_err_skb(struct sock *sk,
+
+ skb_queue_tail(&sk->sk_error_queue, skb);
+ if (!sock_flag(sk, SOCK_DEAD))
+- sk->sk_data_ready(sk);
++ sk->sk_error_report(sk);
+ return 0;
+ }
+ EXPORT_SYMBOL(sock_queue_err_skb);
--- /dev/null
+From foo@baz Thu Mar 29 08:33:08 CEST 2018
+From: Arkadi Sharshevsky <arkadis@mellanox.com>
+Date: Thu, 8 Mar 2018 12:42:10 +0200
+Subject: team: Fix double free in error path
+
+From: Arkadi Sharshevsky <arkadis@mellanox.com>
+
+
+[ Upstream commit cbcc607e18422555db569b593608aec26111cb0b ]
+
+The __send_and_alloc_skb() receives a skb ptr as a parameter but in
+case it fails the skb is not valid:
+- Send failed and released the skb internally.
+- Allocation failed.
+
+The current code tries to release the skb in case of failure which
+causes redundant freeing.
+
+Fixes: 9b00cf2d1024 ("team: implement multipart netlink messages for options transfers")
+Signed-off-by: Arkadi Sharshevsky <arkadis@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2380,7 +2380,7 @@ send_done:
+ if (!nlh) {
+ err = __send_and_alloc_skb(&skb, team, portid, send_func);
+ if (err)
+- goto errout;
++ return err;
+ goto send_done;
+ }
+
+@@ -2660,7 +2660,7 @@ send_done:
+ if (!nlh) {
+ err = __send_and_alloc_skb(&skb, team, portid, send_func);
+ if (err)
+- goto errout;
++ return err;
+ goto send_done;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
