--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Thu, 9 Nov 2017 13:04:44 +0900
+Subject: af_netlink: ensure that NLMSG_DONE never fails in dumps
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+
+[ Upstream commit 0642840b8bb008528dbdf929cec9f65ac4231ad0 ]
+
+The way people generally use netlink_dump is that they fill in the skb
+as much as possible, breaking when nla_put returns an error. Then, they
+get called again and start filling out the next skb, and again, and so
+forth. The mechanism at work here is the ability for the iterative
+dumping function to detect when the skb is filled up and not fill it
+past the brim, waiting for a fresh skb for the rest of the data.
+
+However, if the attributes are small and nicely packed, it is possible
+that a dump callback function successfully fills in attributes until the
+skb is of size 4080 (libmnl's default page-sized receive buffer size).
+The dump function completes, satisfied, and then, if it happens to be
+that this is actually the last skb, and no further ones are to be sent,
+then netlink_dump will add on the NLMSG_DONE part:
+
+ nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE, sizeof(len), NLM_F_MULTI);
+
+It is very important that netlink_dump does this, of course. However, in
+this example, that call to nlmsg_put_answer will fail, because the
+previous filling by the dump function did not leave it enough room. And
+how could it possibly have done so? All of the nla_put variety of
+functions simply check to see if the skb has enough tailroom,
+independent of the context it is in.
+
+In order to keep the important assumptions of all netlink dump users, it
+is therefore important to give them an skb that has this end part of the
+tail already reserved, so that the call to nlmsg_put_answer does not
+fail. Otherwise, library authors are forced to find some bizarre sized
+receive buffer that has a large modulo relative to the common sizes of
+messages received, which is ugly and buggy.
+
+This patch thus saves the NLMSG_DONE for an additional message, for the
+case that things are dangerously close to the brim. This requires
+keeping track of the errno from ->dump() across calls.
+
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c | 17 +++++++++++------
+ net/netlink/af_netlink.h | 1 +
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2128,7 +2128,7 @@ static int netlink_dump(struct sock *sk)
+ struct sk_buff *skb = NULL;
+ struct nlmsghdr *nlh;
+ struct module *module;
+- int len, err = -ENOBUFS;
++ int err = -ENOBUFS;
+ int alloc_min_size;
+ int alloc_size;
+
+@@ -2175,9 +2175,11 @@ static int netlink_dump(struct sock *sk)
+ skb_reserve(skb, skb_tailroom(skb) - alloc_size);
+ netlink_skb_set_owner_r(skb, sk);
+
+- len = cb->dump(skb, cb);
++ if (nlk->dump_done_errno > 0)
++ nlk->dump_done_errno = cb->dump(skb, cb);
+
+- if (len > 0) {
++ if (nlk->dump_done_errno > 0 ||
++ skb_tailroom(skb) < nlmsg_total_size(sizeof(nlk->dump_done_errno))) {
+ mutex_unlock(nlk->cb_mutex);
+
+ if (sk_filter(sk, skb))
+@@ -2187,13 +2189,15 @@ static int netlink_dump(struct sock *sk)
+ return 0;
+ }
+
+- nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE, sizeof(len), NLM_F_MULTI);
+- if (!nlh)
++ nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE,
++ sizeof(nlk->dump_done_errno), NLM_F_MULTI);
++ if (WARN_ON(!nlh))
+ goto errout_skb;
+
+ nl_dump_check_consistent(cb, nlh);
+
+- memcpy(nlmsg_data(nlh), &len, sizeof(len));
++ memcpy(nlmsg_data(nlh), &nlk->dump_done_errno,
++ sizeof(nlk->dump_done_errno));
+
+ if (sk_filter(sk, skb))
+ kfree_skb(skb);
+@@ -2265,6 +2269,7 @@ int __netlink_dump_start(struct sock *ss
+ }
+
+ nlk->cb_running = true;
++ nlk->dump_done_errno = INT_MAX;
+
+ mutex_unlock(nlk->cb_mutex);
+
+--- a/net/netlink/af_netlink.h
++++ b/net/netlink/af_netlink.h
+@@ -33,6 +33,7 @@ struct netlink_sock {
+ wait_queue_head_t wait;
+ bool bound;
+ bool cb_running;
++ int dump_done_errno;
+ struct netlink_callback cb;
+ struct mutex *cb_mutex;
+ struct mutex cb_def_mutex;
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Mon, 6 Nov 2017 09:01:57 +0800
+Subject: bonding: discard lowest hash bit for 802.3ad layer3+4
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+
+[ Upstream commit b5f862180d7011d9575d0499fa37f0f25b423b12 ]
+
+After commit 07f4c90062f8 ("tcp/dccp: try to not exhaust ip_local_port_range
+in connect()"), we will try to use even ports for connect(). Then if an
+application (seen clearly with iperf) opens multiple streams to the same
+destination IP and port, each stream will be given an even source port.
+
+So the bonding driver's simple xmit_hash_policy based on layer3+4 addressing
+will always hash all these streams to the same interface. And the total
+throughput will limited to a single slave.
+
+Change the tcp code will impact the whole tcp behavior, only for bonding
+usage. Paolo Abeni suggested fix this by changing the bonding code only,
+which should be more reasonable, and less impact.
+
+Fix this by discarding the lowest hash bit because it contains little entropy.
+After the fix we can re-balance between slaves.
+
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3253,7 +3253,7 @@ u32 bond_xmit_hash(struct bonding *bond,
+ hash ^= (hash >> 16);
+ hash ^= (hash >> 8);
+
+- return hash;
++ return hash >> 1;
+ }
+
+ /*-------------------------- Device entry points ----------------------------*/
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Huacai Chen <chenhc@lemote.com>
+Date: Thu, 16 Nov 2017 11:07:15 +0800
+Subject: fealnx: Fix building error on MIPS
+
+From: Huacai Chen <chenhc@lemote.com>
+
+
+[ Upstream commit cc54c1d32e6a4bb3f116721abf900513173e4d02 ]
+
+This patch try to fix the building error on MIPS. The reason is MIPS
+has already defined the LONG macro, which conflicts with the LONG enum
+in drivers/net/ethernet/fealnx.c.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/fealnx.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/fealnx.c
++++ b/drivers/net/ethernet/fealnx.c
+@@ -257,8 +257,8 @@ enum rx_desc_status_bits {
+ RXFSD = 0x00000800, /* first descriptor */
+ RXLSD = 0x00000400, /* last descriptor */
+ ErrorSummary = 0x80, /* error summary */
+- RUNT = 0x40, /* runt packet received */
+- LONG = 0x20, /* long packet received */
++ RUNTPKT = 0x40, /* runt packet received */
++ LONGPKT = 0x20, /* long packet received */
+ FAE = 0x10, /* frame align error */
+ CRC = 0x08, /* crc error */
+ RXER = 0x04, /* receive error */
+@@ -1632,7 +1632,7 @@ static int netdev_rx(struct net_device *
+ dev->name, rx_status);
+
+ dev->stats.rx_errors++; /* end of a packet. */
+- if (rx_status & (LONG | RUNT))
++ if (rx_status & (LONGPKT | RUNTPKT))
+ dev->stats.rx_length_errors++;
+ if (rx_status & RXER)
+ dev->stats.rx_frame_errors++;
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Fri, 3 Nov 2017 16:49:00 +0100
+Subject: l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+
+[ Upstream commit 8f7dc9ae4a7aece9fbc3e6637bdfa38b36bcdf09 ]
+
+Using l2tp_tunnel_find() in l2tp_ip_recv() is wrong for two reasons:
+
+ * It doesn't take a reference on the returned tunnel, which makes the
+ call racy wrt. concurrent tunnel deletion.
+
+ * The lookup is only based on the tunnel identifier, so it can return
+ a tunnel that doesn't match the packet's addresses or protocol.
+
+For example, a packet sent to an L2TPv3 over IPv6 tunnel can be
+delivered to an L2TPv2 over UDPv4 tunnel. This is worse than a simple
+cross-talk: when delivering the packet to an L2TP over UDP tunnel, the
+corresponding socket is UDP, where ->sk_backlog_rcv() is NULL. Calling
+sk_receive_skb() will then crash the kernel by trying to execute this
+callback.
+
+And l2tp_tunnel_find() isn't even needed here. __l2tp_ip_bind_lookup()
+properly checks the socket binding and connection settings. It was used
+as a fallback mechanism for finding tunnels that didn't have their data
+path registered yet. But it's not limited to this case and can be used
+to replace l2tp_tunnel_find() in the general case.
+
+Fix l2tp_ip6 in the same way.
+
+Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
+Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ip.c | 24 +++++++++---------------
+ net/l2tp/l2tp_ip6.c | 24 +++++++++---------------
+ 2 files changed, 18 insertions(+), 30 deletions(-)
+
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -123,6 +123,7 @@ static int l2tp_ip_recv(struct sk_buff *
+ unsigned char *ptr, *optr;
+ struct l2tp_session *session;
+ struct l2tp_tunnel *tunnel = NULL;
++ struct iphdr *iph;
+ int length;
+
+ if (!pskb_may_pull(skb, 4))
+@@ -178,24 +179,17 @@ pass_up:
+ goto discard;
+
+ tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
+- tunnel = l2tp_tunnel_find(net, tunnel_id);
+- if (tunnel) {
+- sk = tunnel->sock;
+- sock_hold(sk);
+- } else {
+- struct iphdr *iph = (struct iphdr *) skb_network_header(skb);
+-
+- read_lock_bh(&l2tp_ip_lock);
+- sk = __l2tp_ip_bind_lookup(net, iph->daddr, iph->saddr,
+- inet_iif(skb), tunnel_id);
+- if (!sk) {
+- read_unlock_bh(&l2tp_ip_lock);
+- goto discard;
+- }
++ iph = (struct iphdr *)skb_network_header(skb);
+
+- sock_hold(sk);
++ read_lock_bh(&l2tp_ip_lock);
++ sk = __l2tp_ip_bind_lookup(net, iph->daddr, iph->saddr, inet_iif(skb),
++ tunnel_id);
++ if (!sk) {
+ read_unlock_bh(&l2tp_ip_lock);
++ goto discard;
+ }
++ sock_hold(sk);
++ read_unlock_bh(&l2tp_ip_lock);
+
+ if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
+ goto discard_put;
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -136,6 +136,7 @@ static int l2tp_ip6_recv(struct sk_buff
+ unsigned char *ptr, *optr;
+ struct l2tp_session *session;
+ struct l2tp_tunnel *tunnel = NULL;
++ struct ipv6hdr *iph;
+ int length;
+
+ if (!pskb_may_pull(skb, 4))
+@@ -192,24 +193,17 @@ pass_up:
+ goto discard;
+
+ tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
+- tunnel = l2tp_tunnel_find(net, tunnel_id);
+- if (tunnel) {
+- sk = tunnel->sock;
+- sock_hold(sk);
+- } else {
+- struct ipv6hdr *iph = ipv6_hdr(skb);
+-
+- read_lock_bh(&l2tp_ip6_lock);
+- sk = __l2tp_ip6_bind_lookup(net, &iph->daddr, &iph->saddr,
+- inet6_iif(skb), tunnel_id);
+- if (!sk) {
+- read_unlock_bh(&l2tp_ip6_lock);
+- goto discard;
+- }
++ iph = ipv6_hdr(skb);
+
+- sock_hold(sk);
++ read_lock_bh(&l2tp_ip6_lock);
++ sk = __l2tp_ip6_bind_lookup(net, &iph->daddr, &iph->saddr,
++ inet6_iif(skb), tunnel_id);
++ if (!sk) {
+ read_unlock_bh(&l2tp_ip6_lock);
++ goto discard;
+ }
++ sock_hold(sk);
++ read_unlock_bh(&l2tp_ip6_lock);
+
+ if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
+ goto discard_put;
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Bjørn Mork <bjorn@mork.no>
+Date: Mon, 6 Nov 2017 15:37:22 +0100
+Subject: net: cdc_ether: fix divide by 0 on bad descriptors
+
+From: Bjørn Mork <bjorn@mork.no>
+
+
+[ Upstream commit 2cb80187ba065d7decad7c6614e35e07aec8a974 ]
+
+Setting dev->hard_mtu to 0 will cause a divide error in
+usbnet_probe. Protect against devices with bogus CDC Ethernet
+functional descriptors by ignoring a zero wMaxSegmentSize.
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/cdc_ether.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/cdc_ether.c
++++ b/drivers/net/usb/cdc_ether.c
+@@ -221,7 +221,7 @@ skip:
+ goto bad_desc;
+ }
+
+- if (header.usb_cdc_ether_desc) {
++ if (header.usb_cdc_ether_desc && info->ether->wMaxSegmentSize) {
+ dev->hard_mtu = le16_to_cpu(info->ether->wMaxSegmentSize);
+ /* because of Zaurus, we may be ignoring the host
+ * side link address we were given.
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Bjørn Mork <bjorn@mork.no>
+Date: Wed, 15 Nov 2017 09:35:02 +0100
+Subject: net: cdc_ncm: GetNtbFormat endian fix
+
+From: Bjørn Mork <bjorn@mork.no>
+
+
+[ Upstream commit 6314dab4b8fb8493d810e175cb340376052c69b6 ]
+
+The GetNtbFormat and SetNtbFormat requests operate on 16 bit little
+endian values. We get away with ignoring this most of the time, because
+we only care about USB_CDC_NCM_NTB16_FORMAT which is 0x0000. This
+fails for USB_CDC_NCM_NTB32_FORMAT.
+
+Fix comparison between LE value from device and constant by converting
+the constant to LE.
+
+Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Fixes: 2b02c20ce0c2 ("cdc_ncm: Set NTB format again after altsetting switch for Huawei devices")
+Cc: Enrico Mioso <mrkiko.rs@gmail.com>
+Cc: Christian Panton <christian@panton.org>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Acked-By: Enrico Mioso <mrkiko.rs@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/cdc_ncm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -771,7 +771,7 @@ int cdc_ncm_bind_common(struct usbnet *d
+ int err;
+ u8 iface_no;
+ struct usb_cdc_parsed_header hdr;
+- u16 curr_ntb_format;
++ __le16 curr_ntb_format;
+
+ ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
+ if (!ctx)
+@@ -889,7 +889,7 @@ int cdc_ncm_bind_common(struct usbnet *d
+ goto error2;
+ }
+
+- if (curr_ntb_format == USB_CDC_NCM_NTB32_FORMAT) {
++ if (curr_ntb_format == cpu_to_le16(USB_CDC_NCM_NTB32_FORMAT)) {
+ dev_info(&intf->dev, "resetting NTB format to 16-bit");
+ err = usbnet_write_cmd(dev, USB_CDC_SET_NTB_FORMAT,
+ USB_TYPE_CLASS | USB_DIR_OUT
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Huy Nguyen <huyn@mellanox.com>
+Date: Tue, 26 Sep 2017 15:11:56 -0500
+Subject: net/mlx5: Cancel health poll before sending panic teardown command
+
+From: Huy Nguyen <huyn@mellanox.com>
+
+
+[ Upstream commit d2aa060d40fa060e963f9a356d43481e43ba3dac ]
+
+After the panic teardown firmware command, health_care detects the error
+in PCI bus and calls the mlx5_pci_err_detected. This health_care flow is
+no longer needed because the panic teardown firmware command will bring
+down the PCI bus communication with the HCA.
+
+The solution is to cancel the health care timer and its pending
+workqueue request before sending panic teardown firmware command.
+
+Kernel trace:
+mlx5_core 0033:01:00.0: Shutdown was called
+mlx5_core 0033:01:00.0: health_care:154:(pid 9304): handling bad device here
+mlx5_core 0033:01:00.0: mlx5_handle_bad_state:114:(pid 9304): NIC state 1
+mlx5_core 0033:01:00.0: mlx5_pci_err_detected was called
+mlx5_core 0033:01:00.0: mlx5_enter_error_state:96:(pid 9304): start
+mlx5_3:mlx5_ib_event:3061:(pid 9304): warning: event on port 0
+mlx5_core 0033:01:00.0: mlx5_enter_error_state:104:(pid 9304): end
+Unable to handle kernel paging request for data at address 0x0000003f
+Faulting instruction address: 0xc0080000434b8c80
+
+Fixes: 8812c24d28f4 ('net/mlx5: Add fast unload support in shutdown flow')
+Signed-off-by: Huy Nguyen <huyn@mellanox.com>
+Reviewed-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1545,9 +1545,16 @@ static int mlx5_try_fast_unload(struct m
+ return -EAGAIN;
+ }
+
++ /* Panic tear down fw command will stop the PCI bus communication
++ * with the HCA, so the health polll is no longer needed.
++ */
++ mlx5_drain_health_wq(dev);
++ mlx5_stop_health_poll(dev);
++
+ ret = mlx5_cmd_force_teardown_hca(dev);
+ if (ret) {
+ mlx5_core_dbg(dev, "Firmware couldn't do fast unload error: %d\n", ret);
++ mlx5_start_health_poll(dev);
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Inbar Karmy <inbark@mellanox.com>
+Date: Sun, 15 Oct 2017 17:30:59 +0300
+Subject: net/mlx5e: Set page to null in case dma mapping fails
+
+From: Inbar Karmy <inbark@mellanox.com>
+
+
+[ Upstream commit 2e50b2619538ea0224c037f6fa746023089e0654 ]
+
+Currently, when dma mapping fails, put_page is called,
+but the page is not set to null. Later, in the page_reuse treatment in
+mlx5e_free_rx_descs(), mlx5e_page_release() is called for the second time,
+improperly doing dma_unmap (for a non-mapped address) and an extra put_page.
+Prevent this by nullifying the page pointer when dma_map fails.
+
+Fixes: accd58833237 ("net/mlx5e: Introduce RX Page-Reuse")
+Signed-off-by: Inbar Karmy <inbark@mellanox.com>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Cc: kernel-team@fb.com
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+@@ -213,22 +213,20 @@ static inline bool mlx5e_rx_cache_get(st
+ static inline int mlx5e_page_alloc_mapped(struct mlx5e_rq *rq,
+ struct mlx5e_dma_info *dma_info)
+ {
+- struct page *page;
+-
+ if (mlx5e_rx_cache_get(rq, dma_info))
+ return 0;
+
+- page = dev_alloc_pages(rq->buff.page_order);
+- if (unlikely(!page))
++ dma_info->page = dev_alloc_pages(rq->buff.page_order);
++ if (unlikely(!dma_info->page))
+ return -ENOMEM;
+
+- dma_info->addr = dma_map_page(rq->pdev, page, 0,
++ dma_info->addr = dma_map_page(rq->pdev, dma_info->page, 0,
+ RQ_PAGE_SIZE(rq), rq->buff.map_dir);
+ if (unlikely(dma_mapping_error(rq->pdev, dma_info->addr))) {
+- put_page(page);
++ put_page(dma_info->page);
++ dma_info->page = NULL;
+ return -ENOMEM;
+ }
+- dma_info->page = page;
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Bjørn Mork <bjorn@mork.no>
+Date: Mon, 6 Nov 2017 15:32:18 +0100
+Subject: net: qmi_wwan: fix divide by 0 on bad descriptors
+
+From: Bjørn Mork <bjorn@mork.no>
+
+
+[ Upstream commit 7fd078337201cf7468f53c3d9ef81ff78cb6df3b ]
+
+A CDC Ethernet functional descriptor with wMaxSegmentSize = 0 will
+cause a divide error in usbnet_probe:
+
+divide error: 0000 [#1] PREEMPT SMP KASAN
+Modules linked in:
+CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc8-44453-g1fdc1a82c34f #56
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Workqueue: usb_hub_wq hub_event
+task: ffff88006bef5c00 task.stack: ffff88006bf60000
+RIP: 0010:usbnet_update_max_qlen+0x24d/0x390 drivers/net/usb/usbnet.c:355
+RSP: 0018:ffff88006bf67508 EFLAGS: 00010246
+RAX: 00000000000163c8 RBX: ffff8800621fce40 RCX: ffff8800621fcf34
+RDX: 0000000000000000 RSI: ffffffff837ecb7a RDI: ffff8800621fcf34
+RBP: ffff88006bf67520 R08: ffff88006bef5c00 R09: ffffed000c43f881
+R10: ffffed000c43f880 R11: ffff8800621fc406 R12: 0000000000000003
+R13: ffffffff85c71de0 R14: 0000000000000000 R15: 0000000000000000
+FS: 0000000000000000(0000) GS:ffff88006ca00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffe9c0d6dac CR3: 00000000614f4000 CR4: 00000000000006f0
+Call Trace:
+ usbnet_probe+0x18b5/0x2790 drivers/net/usb/usbnet.c:1783
+ qmi_wwan_probe+0x133/0x220 drivers/net/usb/qmi_wwan.c:1338
+ usb_probe_interface+0x324/0x940 drivers/usb/core/driver.c:361
+ really_probe drivers/base/dd.c:413
+ driver_probe_device+0x522/0x740 drivers/base/dd.c:557
+
+Fix by simply ignoring the bogus descriptor, as it is optional
+for QMI devices anyway.
+
+Fixes: 423ce8caab7e ("net: usb: qmi_wwan: New driver for Huawei QMI based WWAN devices")
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -681,7 +681,7 @@ static int qmi_wwan_bind(struct usbnet *
+ }
+
+ /* errors aren't fatal - we can live with the dynamic address */
+- if (cdc_ether) {
++ if (cdc_ether && cdc_ether->wMaxSegmentSize) {
+ dev->hard_mtu = le16_to_cpu(cdc_ether->wMaxSegmentSize);
+ usbnet_get_ethernet_addr(dev, cdc_ether->iMACAddress);
+ }
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 15 Nov 2017 22:17:48 -0600
+Subject: net/sctp: Always set scope_id in sctp_inet6_skb_msgname
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+
+[ Upstream commit 7c8a61d9ee1df0fb4747879fa67a99614eb62fec ]
+
+Alexandar Potapenko while testing the kernel with KMSAN and syzkaller
+discovered that in some configurations sctp would leak 4 bytes of
+kernel stack.
+
+Working with his reproducer I discovered that those 4 bytes that
+are leaked is the scope id of an ipv6 address returned by recvmsg.
+
+With a little code inspection and a shrewd guess I discovered that
+sctp_inet6_skb_msgname only initializes the scope_id field for link
+local ipv6 addresses to the interface index the link local address
+pertains to instead of initializing the scope_id field for all ipv6
+addresses.
+
+That is almost reasonable as scope_id's are meaniningful only for link
+local addresses. Set the scope_id in all other cases to 0 which is
+not a valid interface index to make it clear there is nothing useful
+in the scope_id field.
+
+There should be no danger of breaking userspace as the stack leak
+guaranteed that previously meaningless random data was being returned.
+
+Fixes: 372f525b495c ("SCTP: Resync with LKSCTP tree.")
+History-tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+Reported-by: Alexander Potapenko <glider@google.com>
+Tested-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/ipv6.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -807,9 +807,10 @@ static void sctp_inet6_skb_msgname(struc
+ addr->v6.sin6_flowinfo = 0;
+ addr->v6.sin6_port = sh->source;
+ addr->v6.sin6_addr = ipv6_hdr(skb)->saddr;
+- if (ipv6_addr_type(&addr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) {
++ if (ipv6_addr_type(&addr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL)
+ addr->v6.sin6_scope_id = sctp_v6_skb_iif(skb);
+- }
++ else
++ addr->v6.sin6_scope_id = 0;
+ }
+
+ *addr_len = sctp_v6_addr_to_user(sctp_sk(skb->sk), addr);
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Thu, 2 Nov 2017 16:08:40 -0700
+Subject: net: systemport: Correct IPG length settings
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+
+[ Upstream commit 93824c80bf47ebe087414b3a40ca0ff9aab7d1fb ]
+
+Due to a documentation mistake, the IPG length was set to 0x12 while it
+should have been 12 (decimal). This would affect short packet (64B
+typically) performance since the IPG was bigger than necessary.
+
+Fixes: 44a4524c54af ("net: systemport: Add support for SYSTEMPORT Lite")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -1743,15 +1743,17 @@ static inline void bcm_sysport_mask_all_
+
+ static inline void gib_set_pad_extension(struct bcm_sysport_priv *priv)
+ {
+- u32 __maybe_unused reg;
++ u32 reg;
+
+- /* Include Broadcom tag in pad extension */
++ reg = gib_readl(priv, GIB_CONTROL);
++ /* Include Broadcom tag in pad extension and fix up IPG_LENGTH */
+ if (netdev_uses_dsa(priv->netdev)) {
+- reg = gib_readl(priv, GIB_CONTROL);
+ reg &= ~(GIB_PAD_EXTENSION_MASK << GIB_PAD_EXTENSION_SHIFT);
+ reg |= ENET_BRCM_TAG_LEN << GIB_PAD_EXTENSION_SHIFT;
+- gib_writel(priv, reg, GIB_CONTROL);
+ }
++ reg &= ~(GIB_IPG_LEN_MASK << GIB_IPG_LEN_SHIFT);
++ reg |= 12 << GIB_IPG_LEN_SHIFT;
++ gib_writel(priv, reg, GIB_CONTROL);
+ }
+
+ static int bcm_sysport_open(struct net_device *dev)
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Mon, 6 Nov 2017 13:26:46 +0100
+Subject: net: usb: asix: fill null-ptr-deref in asix_suspend
+
+From: Andrey Konovalov <andreyknvl@google.com>
+
+
+[ Upstream commit 8f5624629105589bcc23d0e51cc01bd8103d09a5 ]
+
+When asix_suspend() is called dev->driver_priv might not have been
+assigned a value, so we need to check that it's not NULL.
+
+Similar issue is present in asix_resume(), this patch fixes it as well.
+
+Found by syzkaller.
+
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+Modules linked in:
+CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc4-43422-geccacdd69a8c #400
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+Workqueue: usb_hub_wq hub_event
+task: ffff88006bb36300 task.stack: ffff88006bba8000
+RIP: 0010:asix_suspend+0x76/0xc0 drivers/net/usb/asix_devices.c:629
+RSP: 0018:ffff88006bbae718 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: ffff880061ba3b80 RCX: 1ffff1000c34d644
+RDX: 0000000000000001 RSI: 0000000000000402 RDI: 0000000000000008
+RBP: ffff88006bbae738 R08: 1ffff1000d775cad R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffff8800630a8b40
+R13: 0000000000000000 R14: 0000000000000402 R15: ffff880061ba3b80
+FS: 0000000000000000(0000) GS:ffff88006c600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ff33cf89000 CR3: 0000000061c0a000 CR4: 00000000000006f0
+Call Trace:
+ usb_suspend_interface drivers/usb/core/driver.c:1209
+ usb_suspend_both+0x27f/0x7e0 drivers/usb/core/driver.c:1314
+ usb_runtime_suspend+0x41/0x120 drivers/usb/core/driver.c:1852
+ __rpm_callback+0x339/0xb60 drivers/base/power/runtime.c:334
+ rpm_callback+0x106/0x220 drivers/base/power/runtime.c:461
+ rpm_suspend+0x465/0x1980 drivers/base/power/runtime.c:596
+ __pm_runtime_suspend+0x11e/0x230 drivers/base/power/runtime.c:1009
+ pm_runtime_put_sync_autosuspend ./include/linux/pm_runtime.h:251
+ usb_new_device+0xa37/0x1020 drivers/usb/core/hub.c:2487
+ hub_port_connect drivers/usb/core/hub.c:4903
+ hub_port_connect_change drivers/usb/core/hub.c:5009
+ port_event drivers/usb/core/hub.c:5115
+ hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195
+ process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119
+ worker_thread+0x221/0x1850 kernel/workqueue.c:2253
+ kthread+0x3a1/0x470 kernel/kthread.c:231
+ ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431
+Code: 8d 7c 24 20 48 89 fa 48 c1 ea 03 80 3c 02 00 75 5b 48 b8 00 00
+00 00 00 fc ff df 4d 8b 6c 24 20 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80>
+3c 02 00 75 34 4d 8b 6d 08 4d 85 ed 74 0b e8 26 2b 51 fd 4c
+RIP: asix_suspend+0x76/0xc0 RSP: ffff88006bbae718
+---[ end trace dfc4f5649284342c ]---
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/asix_devices.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/asix_devices.c
++++ b/drivers/net/usb/asix_devices.c
+@@ -626,7 +626,7 @@ static int asix_suspend(struct usb_inter
+ struct usbnet *dev = usb_get_intfdata(intf);
+ struct asix_common_private *priv = dev->driver_priv;
+
+- if (priv->suspend)
++ if (priv && priv->suspend)
+ priv->suspend(dev);
+
+ return usbnet_suspend(intf, message);
+@@ -678,7 +678,7 @@ static int asix_resume(struct usb_interf
+ struct usbnet *dev = usb_get_intfdata(intf);
+ struct asix_common_private *priv = dev->driver_priv;
+
+- if (priv->resume)
++ if (priv && priv->resume)
+ priv->resume(dev);
+
+ return usbnet_resume(intf);
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Jeff Barnhill <0xeffeff@gmail.com>
+Date: Wed, 1 Nov 2017 14:58:09 +0000
+Subject: net: vrf: correct FRA_L3MDEV encode type
+
+From: Jeff Barnhill <0xeffeff@gmail.com>
+
+
+[ Upstream commit 18129a24983906eaf2a2d448ce4b83e27091ebe2 ]
+
+FRA_L3MDEV is defined as U8, but is being added as a U32 attribute. On
+big endian architecture, this results in the l3mdev entry not being
+added to the FIB rules.
+
+Fixes: 1aa6c4f6b8cd8 ("net: vrf: Add l3mdev rules on first device create")
+Signed-off-by: Jeff Barnhill <0xeffeff@gmail.com>
+Acked-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vrf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -1271,7 +1271,7 @@ static int vrf_fib_rule(const struct net
+ frh->family = family;
+ frh->action = FR_ACT_TO_TBL;
+
+- if (nla_put_u32(skb, FRA_L3MDEV, 1))
++ if (nla_put_u8(skb, FRA_L3MDEV, 1))
+ goto nla_put_failure;
+
+ if (nla_put_u32(skb, FRA_PRIORITY, FIB_RULE_PREF))
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Ye Yin <hustcat@gmail.com>
+Date: Thu, 26 Oct 2017 16:57:05 +0800
+Subject: netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed
+
+From: Ye Yin <hustcat@gmail.com>
+
+
+[ Upstream commit 2b5ec1a5f9738ee7bf8f5ec0526e75e00362c48f ]
+
+When run ipvs in two different network namespace at the same host, and one
+ipvs transport network traffic to the other network namespace ipvs.
+'ipvs_property' flag will make the second ipvs take no effect. So we should
+clear 'ipvs_property' when SKB network namespace changed.
+
+Fixes: 621e84d6f373 ("dev: introduce skb_scrub_packet()")
+Signed-off-by: Ye Yin <hustcat@gmail.com>
+Signed-off-by: Wei Zhou <chouryzhou@gmail.com>
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h | 7 +++++++
+ net/core/skbuff.c | 1 +
+ 2 files changed, 8 insertions(+)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -3655,6 +3655,13 @@ static inline void nf_reset_trace(struct
+ #endif
+ }
+
++static inline void ipvs_reset(struct sk_buff *skb)
++{
++#if IS_ENABLED(CONFIG_IP_VS)
++ skb->ipvs_property = 0;
++#endif
++}
++
+ /* Note: This doesn't put any conntrack and bridge info in dst. */
+ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src,
+ bool copy)
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4476,6 +4476,7 @@ void skb_scrub_packet(struct sk_buff *sk
+ if (!xnet)
+ return;
+
++ ipvs_reset(skb);
+ skb_orphan(skb);
+ skb->mark = 0;
+ }
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Kristian Evensen <kristian.evensen@gmail.com>
+Date: Tue, 7 Nov 2017 13:47:56 +0100
+Subject: qmi_wwan: Add missing skb_reset_mac_header-call
+
+From: Kristian Evensen <kristian.evensen@gmail.com>
+
+
+[ Upstream commit 0de0add10e587effa880c741c9413c874f16be91 ]
+
+When we receive a packet on a QMI device in raw IP mode, we should call
+skb_reset_mac_header() to ensure that skb->mac_header contains a valid
+offset in the packet. While it shouldn't really matter, the packets have
+no MAC header and the interface is configured as-such, it seems certain
+parts of the network stack expects a "good" value in skb->mac_header.
+
+Without the skb_reset_mac_header() call added in this patch, for example
+shaping traffic (using tc) triggers the following oops on the first
+received packet:
+
+[ 303.642957] skbuff: skb_under_panic: text:8f137918 len:177 put:67 head:8e4b0f00 data:8e4b0eff tail:0x8e4b0fb0 end:0x8e4b1520 dev:wwan0
+[ 303.655045] Kernel bug detected[#1]:
+[ 303.658622] CPU: 1 PID: 1002 Comm: logd Not tainted 4.9.58 #0
+[ 303.664339] task: 8fdf05e0 task.stack: 8f15c000
+[ 303.668844] $ 0 : 00000000 00000001 0000007a 00000000
+[ 303.674062] $ 4 : 8149a2fc 8149a2fc 8149ce20 00000000
+[ 303.679284] $ 8 : 00000030 3878303a 31623465 20303235
+[ 303.684510] $12 : ded731e3 2626a277 00000000 03bd0000
+[ 303.689747] $16 : 8ef62b40 00000043 8f137918 804db5fc
+[ 303.694978] $20 : 00000001 00000004 8fc13800 00000003
+[ 303.700215] $24 : 00000001 8024ab10
+[ 303.705442] $28 : 8f15c000 8fc19cf0 00000043 802cc920
+[ 303.710664] Hi : 00000000
+[ 303.713533] Lo : 74e58000
+[ 303.716436] epc : 802cc920 skb_panic+0x58/0x5c
+[ 303.721046] ra : 802cc920 skb_panic+0x58/0x5c
+[ 303.725639] Status: 11007c03 KERNEL EXL IE
+[ 303.729823] Cause : 50800024 (ExcCode 09)
+[ 303.733817] PrId : 0001992f (MIPS 1004Kc)
+[ 303.737892] Modules linked in: rt2800pci rt2800mmio rt2800lib qcserial ppp_async option usb_wwan rt2x00pci rt2x00mmio rt2x00lib rndis_host qmi_wwan ppp_generic nf_nat_pptp nf_conntrack_pptp nf_conntrack_ipv6 mt76x2i
+Process logd (pid: 1002, threadinfo=8f15c000, task=8fdf05e0, tls=77b3eee4)
+[ 303.962509] Stack : 00000000 80408990 8f137918 000000b1 00000043 8e4b0f00 8e4b0eff 8e4b0fb0
+[ 303.970871] 8e4b1520 8fec1800 00000043 802cd2a4 6e000045 00000043 00000000 8ef62000
+[ 303.979219] 8eef5d00 8ef62b40 8fea7300 8f137918 00000000 00000000 0002bb01 793e5664
+[ 303.987568] 8ef08884 00000001 8fea7300 00000002 8fc19e80 8eef5d00 00000006 00000003
+[ 303.995934] 00000000 8030ba90 00000003 77ab3fd0 8149dc80 8004d1bc 8f15c000 8f383700
+[ 304.004324] ...
+[ 304.006767] Call Trace:
+[ 304.009241] [<802cc920>] skb_panic+0x58/0x5c
+[ 304.013504] [<802cd2a4>] skb_push+0x78/0x90
+[ 304.017783] [<8f137918>] 0x8f137918
+[ 304.021269] Code: 00602825 0c02a3b4 24842888 <000c000d> 8c870060 8c8200a0 0007382b 00070336 8c88005c
+[ 304.031034]
+[ 304.032805] ---[ end trace b778c482b3f0bda9 ]---
+[ 304.041384] Kernel panic - not syncing: Fatal exception in interrupt
+[ 304.051975] Rebooting in 3 seconds..
+
+While the oops is for a 4.9-kernel, I was able to trigger the same oops with
+net-next as of yesterday.
+
+Fixes: 32f7adf633b9 ("net: qmi_wwan: support "raw IP" mode")
+Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -499,6 +499,7 @@ static int qmi_wwan_rx_fixup(struct usbn
+ return 1;
+ }
+ if (rawip) {
++ skb_reset_mac_header(skb);
+ skb->dev = dev->net; /* normally set by eth_type_trans */
+ skb->protocol = proto;
+ return 1;
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 17 Oct 2017 23:26:10 +0800
+Subject: sctp: do not peel off an assoc from one netns to another one
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 ]
+
+Now when peeling off an association to the sock in another netns, all
+transports in this assoc are not to be rehashed and keep use the old
+key in hashtable.
+
+As a transport uses sk->net as the hash key to insert into hashtable,
+it would miss removing these transports from hashtable due to the new
+netns when closing the sock and all transports are being freeed, then
+later an use-after-free issue could be caused when looking up an asoc
+and dereferencing those transports.
+
+This is a very old issue since very beginning, ChunYu found it with
+syzkaller fuzz testing with this series:
+
+ socket$inet6_sctp()
+ bind$inet6()
+ sendto$inet6()
+ unshare(0x40000000)
+ getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST()
+ getsockopt$inet_sctp6_SCTP_SOCKOPT_PEELOFF()
+
+This patch is to block this call when peeling one assoc off from one
+netns to another one, so that the netns of all transport would not
+go out-sync with the key in hashtable.
+
+Note that this patch didn't fix it by rehashing transports, as it's
+difficult to handle the situation when the tuple is already in use
+in the new netns. Besides, no one would like to peel off one assoc
+to another netns, considering ipaddrs, ifaces, etc. are usually
+different.
+
+Reported-by: ChunYu Wang <chunwang@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4924,6 +4924,10 @@ int sctp_do_peeloff(struct sock *sk, sct
+ struct socket *sock;
+ int err = 0;
+
++ /* Do not peel off from one netns to another one. */
++ if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
++ return -EINVAL;
++
+ if (!asoc)
+ return -EINVAL;
+
--- /dev/null
+tcp_nv-fix-division-by-zero-in-tcpnv_acked.patch
+net-vrf-correct-fra_l3mdev-encode-type.patch
+tcp-do-not-mangle-skb-cb-in-tcp_make_synack.patch
+net-systemport-correct-ipg-length-settings.patch
+netfilter-ipvs-clear-ipvs_property-flag-when-skb-net-namespace-changed.patch
+l2tp-don-t-use-l2tp_tunnel_find-in-l2tp_ip-and-l2tp_ip6.patch
+bonding-discard-lowest-hash-bit-for-802.3ad-layer3-4.patch
+net-cdc_ether-fix-divide-by-0-on-bad-descriptors.patch
+net-qmi_wwan-fix-divide-by-0-on-bad-descriptors.patch
+qmi_wwan-add-missing-skb_reset_mac_header-call.patch
+net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch
+tcp-gso-avoid-refcount_t-warning-from-tcp_gso_segment.patch
+tcp-fix-tcp_fastretrans_alert-warning.patch
+vlan-fix-a-use-after-free-in-vlan_device_event.patch
+net-mlx5-cancel-health-poll-before-sending-panic-teardown-command.patch
+net-mlx5e-set-page-to-null-in-case-dma-mapping-fails.patch
+af_netlink-ensure-that-nlmsg_done-never-fails-in-dumps.patch
+vxlan-fix-the-issue-that-neigh-proxy-blocks-all-icmpv6-packets.patch
+net-cdc_ncm-getntbformat-endian-fix.patch
+sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
+fealnx-fix-building-error-on-mips.patch
+net-sctp-always-set-scope_id-in-sctp_inet6_skb_msgname.patch
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 2 Nov 2017 12:30:25 -0700
+Subject: tcp: do not mangle skb->cb[] in tcp_make_synack()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 3b11775033dc87c3d161996c54507b15ba26414a ]
+
+Christoph Paasch sent a patch to address the following issue :
+
+tcp_make_synack() is leaving some TCP private info in skb->cb[],
+then send the packet by other means than tcp_transmit_skb()
+
+tcp_transmit_skb() makes sure to clear skb->cb[] to not confuse
+IPv4/IPV6 stacks, but we have no such cleanup for SYNACK.
+
+tcp_make_synack() should not use tcp_init_nondata_skb() :
+
+tcp_init_nondata_skb() really should be limited to skbs put in write/rtx
+queues (the ones that are only sent via tcp_transmit_skb())
+
+This patch fixes the issue and should even save few cpu cycles ;)
+
+Fixes: 971f10eca186 ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Christoph Paasch <cpaasch@apple.com>
+Reviewed-by: Christoph Paasch <cpaasch@apple.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_output.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -3207,13 +3207,8 @@ struct sk_buff *tcp_make_synack(const st
+ th->source = htons(ireq->ir_num);
+ th->dest = ireq->ir_rmt_port;
+ skb->mark = ireq->ir_mark;
+- /* Setting of flags are superfluous here for callers (and ECE is
+- * not even correctly set)
+- */
+- tcp_init_nondata_skb(skb, tcp_rsk(req)->snt_isn,
+- TCPHDR_SYN | TCPHDR_ACK);
+-
+- th->seq = htonl(TCP_SKB_CB(skb)->seq);
++ skb->ip_summed = CHECKSUM_PARTIAL;
++ th->seq = htonl(tcp_rsk(req)->snt_isn);
+ /* XXX data is queued and acked as is. No buffer/window check */
+ th->ack_seq = htonl(tcp_rsk(req)->rcv_nxt);
+
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Yuchung Cheng <ycheng@google.com>
+Date: Tue, 7 Nov 2017 15:33:43 -0800
+Subject: tcp: fix tcp_fastretrans_alert warning
+
+From: Yuchung Cheng <ycheng@google.com>
+
+
+[ Upstream commit 0eb96bf754d7fa6635aa0b0f6650c74b8a6b1cc9 ]
+
+This patch fixes the cause of an WARNING indicatng TCP has pending
+retransmission in Open state in tcp_fastretrans_alert().
+
+The root cause is a bad interaction between path mtu probing,
+if enabled, and the RACK loss detection. Upong receiving a SACK
+above the sequence of the MTU probing packet, RACK could mark the
+probe packet lost in tcp_fastretrans_alert(), prior to calling
+tcp_simple_retransmit().
+
+tcp_simple_retransmit() only enters Loss state if it newly marks
+the probe packet lost. If the probe packet is already identified as
+lost by RACK, the sender remains in Open state with some packets
+marked lost and retransmitted. Then the next SACK would trigger
+the warning. The likely scenario is that the probe packet was
+lost due to its size or network congestion. The actual impact of
+this warning is small by potentially entering fast recovery an
+ACK later.
+
+The simple fix is always entering recovery (Loss) state if some
+packet is marked lost during path MTU probing.
+
+Fixes: a0370b3f3f2c ("tcp: enable RACK loss detection to trigger recovery")
+Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
+Reported-by: Roman Gushchin <guro@fb.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -2613,7 +2613,6 @@ void tcp_simple_retransmit(struct sock *
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct sk_buff *skb;
+ unsigned int mss = tcp_current_mss(sk);
+- u32 prior_lost = tp->lost_out;
+
+ tcp_for_write_queue(skb, sk) {
+ if (skb == tcp_send_head(sk))
+@@ -2630,7 +2629,7 @@ void tcp_simple_retransmit(struct sock *
+
+ tcp_clear_retrans_hints_partial(tp);
+
+- if (prior_lost == tp->lost_out)
++ if (!tp->lost_out)
+ return;
+
+ if (tcp_is_reno(tp))
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 7 Nov 2017 15:15:04 -0800
+Subject: tcp: gso: avoid refcount_t warning from tcp_gso_segment()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 7ec318feeed10a64c0359ec4d10889cb4defa39a ]
+
+When a GSO skb of truesize O is segmented into 2 new skbs of truesize N1
+and N2, we want to transfer socket ownership to the new fresh skbs.
+
+In order to avoid expensive atomic operations on a cache line subject to
+cache bouncing, we replace the sequence :
+
+refcount_add(N1, &sk->sk_wmem_alloc);
+refcount_add(N2, &sk->sk_wmem_alloc); // repeated by number of segments
+
+refcount_sub(O, &sk->sk_wmem_alloc);
+
+by a single
+
+refcount_add(sum_of(N) - O, &sk->sk_wmem_alloc);
+
+Problem is :
+
+In some pathological cases, sum(N) - O might be a negative number, and
+syzkaller bot was apparently able to trigger this trace [1]
+
+atomic_t was ok with this construct, but we need to take care of the
+negative delta with refcount_t
+
+[1]
+refcount_t: saturated; leaking memory.
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 8404 at lib/refcount.c:77 refcount_add_not_zero+0x198/0x200 lib/refcount.c:77
+Kernel panic - not syncing: panic_on_warn set ...
+
+CPU: 0 PID: 8404 Comm: syz-executor2 Not tainted 4.14.0-rc5-mm1+ #20
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:16 [inline]
+ dump_stack+0x194/0x257 lib/dump_stack.c:52
+ panic+0x1e4/0x41c kernel/panic.c:183
+ __warn+0x1c4/0x1e0 kernel/panic.c:546
+ report_bug+0x211/0x2d0 lib/bug.c:183
+ fixup_bug+0x40/0x90 arch/x86/kernel/traps.c:177
+ do_trap_no_signal arch/x86/kernel/traps.c:211 [inline]
+ do_trap+0x260/0x390 arch/x86/kernel/traps.c:260
+ do_error_trap+0x120/0x390 arch/x86/kernel/traps.c:297
+ do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:310
+ invalid_op+0x18/0x20 arch/x86/entry/entry_64.S:905
+RIP: 0010:refcount_add_not_zero+0x198/0x200 lib/refcount.c:77
+RSP: 0018:ffff8801c606e3a0 EFLAGS: 00010282
+RAX: 0000000000000026 RBX: 0000000000001401 RCX: 0000000000000000
+RDX: 0000000000000026 RSI: ffffc900036fc000 RDI: ffffed0038c0dc68
+RBP: ffff8801c606e430 R08: 0000000000000001 R09: 0000000000000000
+R10: ffff8801d97f5eba R11: 0000000000000000 R12: ffff8801d5acf73c
+R13: 1ffff10038c0dc75 R14: 00000000ffffffff R15: 00000000fffff72f
+ refcount_add+0x1b/0x60 lib/refcount.c:101
+ tcp_gso_segment+0x10d0/0x16b0 net/ipv4/tcp_offload.c:155
+ tcp4_gso_segment+0xd4/0x310 net/ipv4/tcp_offload.c:51
+ inet_gso_segment+0x60c/0x11c0 net/ipv4/af_inet.c:1271
+ skb_mac_gso_segment+0x33f/0x660 net/core/dev.c:2749
+ __skb_gso_segment+0x35f/0x7f0 net/core/dev.c:2821
+ skb_gso_segment include/linux/netdevice.h:3971 [inline]
+ validate_xmit_skb+0x4ba/0xb20 net/core/dev.c:3074
+ __dev_queue_xmit+0xe49/0x2070 net/core/dev.c:3497
+ dev_queue_xmit+0x17/0x20 net/core/dev.c:3538
+ neigh_hh_output include/net/neighbour.h:471 [inline]
+ neigh_output include/net/neighbour.h:479 [inline]
+ ip_finish_output2+0xece/0x1460 net/ipv4/ip_output.c:229
+ ip_finish_output+0x85e/0xd10 net/ipv4/ip_output.c:317
+ NF_HOOK_COND include/linux/netfilter.h:238 [inline]
+ ip_output+0x1cc/0x860 net/ipv4/ip_output.c:405
+ dst_output include/net/dst.h:459 [inline]
+ ip_local_out+0x95/0x160 net/ipv4/ip_output.c:124
+ ip_queue_xmit+0x8c6/0x18e0 net/ipv4/ip_output.c:504
+ tcp_transmit_skb+0x1ab7/0x3840 net/ipv4/tcp_output.c:1137
+ tcp_write_xmit+0x663/0x4de0 net/ipv4/tcp_output.c:2341
+ __tcp_push_pending_frames+0xa0/0x250 net/ipv4/tcp_output.c:2513
+ tcp_push_pending_frames include/net/tcp.h:1722 [inline]
+ tcp_data_snd_check net/ipv4/tcp_input.c:5050 [inline]
+ tcp_rcv_established+0x8c7/0x18a0 net/ipv4/tcp_input.c:5497
+ tcp_v4_do_rcv+0x2ab/0x7d0 net/ipv4/tcp_ipv4.c:1460
+ sk_backlog_rcv include/net/sock.h:909 [inline]
+ __release_sock+0x124/0x360 net/core/sock.c:2264
+ release_sock+0xa4/0x2a0 net/core/sock.c:2776
+ tcp_sendmsg+0x3a/0x50 net/ipv4/tcp.c:1462
+ inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
+ sock_sendmsg_nosec net/socket.c:632 [inline]
+ sock_sendmsg+0xca/0x110 net/socket.c:642
+ ___sys_sendmsg+0x31c/0x890 net/socket.c:2048
+ __sys_sendmmsg+0x1e6/0x5f0 net/socket.c:2138
+
+Fixes: 14afee4b6092 ("net: convert sock.sk_wmem_alloc from atomic_t to refcount_t")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_offload.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_offload.c
++++ b/net/ipv4/tcp_offload.c
+@@ -149,11 +149,19 @@ struct sk_buff *tcp_gso_segment(struct s
+ * is freed by GSO engine
+ */
+ if (copy_destructor) {
++ int delta;
++
+ swap(gso_skb->sk, skb->sk);
+ swap(gso_skb->destructor, skb->destructor);
+ sum_truesize += skb->truesize;
+- refcount_add(sum_truesize - gso_skb->truesize,
+- &skb->sk->sk_wmem_alloc);
++ delta = sum_truesize - gso_skb->truesize;
++ /* In some pathological cases, delta can be negative.
++ * We need to either use refcount_add() or refcount_sub_and_test()
++ */
++ if (likely(delta >= 0))
++ refcount_add(delta, &skb->sk->sk_wmem_alloc);
++ else
++ WARN_ON_ONCE(refcount_sub_and_test(-delta, &skb->sk->sk_wmem_alloc));
+ }
+
+ delta = htonl(oldlen + (skb_tail_pointer(skb) -
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Wed, 1 Nov 2017 16:32:15 +0300
+Subject: tcp_nv: fix division by zero in tcpnv_acked()
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+
+[ Upstream commit 4eebff27ca4182bbf5f039dd60d79e2d7c0a707e ]
+
+Average RTT could become zero. This happened in real life at least twice.
+This patch treats zero as 1us.
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Acked-by: Lawrence Brakmo <Brakmo@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_nv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_nv.c
++++ b/net/ipv4/tcp_nv.c
+@@ -263,7 +263,7 @@ static void tcpnv_acked(struct sock *sk,
+
+ /* rate in 100's bits per second */
+ rate64 = ((u64)sample->in_flight) * 8000000;
+- rate = (u32)div64_u64(rate64, (u64)(avg_rtt * 100));
++ rate = (u32)div64_u64(rate64, (u64)(avg_rtt ?: 1) * 100);
+
+ /* Remember the maximum rate seen during this RTT
+ * Note: It may be more than one RTT. This function should be
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 9 Nov 2017 16:43:13 -0800
+Subject: vlan: fix a use-after-free in vlan_device_event()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit 052d41c01b3a2e3371d66de569717353af489d63 ]
+
+After refcnt reaches zero, vlan_vid_del() could free
+dev->vlan_info via RCU:
+
+ RCU_INIT_POINTER(dev->vlan_info, NULL);
+ call_rcu(&vlan_info->rcu, vlan_info_rcu_free);
+
+However, the pointer 'grp' still points to that memory
+since it is set before vlan_vid_del():
+
+ vlan_info = rtnl_dereference(dev->vlan_info);
+ if (!vlan_info)
+ goto out;
+ grp = &vlan_info->grp;
+
+Depends on when that RCU callback is scheduled, we could
+trigger a use-after-free in vlan_group_for_each_dev()
+right following this vlan_vid_del().
+
+Fix it by moving vlan_vid_del() before setting grp. This
+is also symmetric to the vlan_vid_add() we call in
+vlan_device_event().
+
+Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+Fixes: efc73f4bbc23 ("net: Fix memory leak - vlan_info struct")
+Cc: Alexander Duyck <alexander.duyck@gmail.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Girish Moodalbail <girish.moodalbail@oracle.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Girish Moodalbail <girish.moodalbail@oracle.com>
+Tested-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/8021q/vlan.c
++++ b/net/8021q/vlan.c
+@@ -376,6 +376,9 @@ static int vlan_device_event(struct noti
+ dev->name);
+ vlan_vid_add(dev, htons(ETH_P_8021Q), 0);
+ }
++ if (event == NETDEV_DOWN &&
++ (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER))
++ vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
+
+ vlan_info = rtnl_dereference(dev->vlan_info);
+ if (!vlan_info)
+@@ -423,9 +426,6 @@ static int vlan_device_event(struct noti
+ struct net_device *tmp;
+ LIST_HEAD(close_list);
+
+- if (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)
+- vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
+-
+ /* Put all VLANs for this dev in the down state too. */
+ vlan_group_for_each_dev(grp, i, vlandev) {
+ flgs = vlandev->flags;
--- /dev/null
+From foo@baz Tue Nov 21 13:07:20 CET 2017
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sat, 11 Nov 2017 19:58:50 +0800
+Subject: vxlan: fix the issue that neigh proxy blocks all icmpv6 packets
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 8bff3685a4bbf175a96bc6a528f13455d8d38244 ]
+
+Commit f1fb08f6337c ("vxlan: fix ND proxy when skb doesn't have transport
+header offset") removed icmp6_code and icmp6_type check before calling
+neigh_reduce when doing neigh proxy.
+
+It means all icmpv6 packets would be blocked by this, not only ns packet.
+In Jianlin's env, even ping6 couldn't work through it.
+
+This patch is to bring the icmp6_code and icmp6_type check back and also
+removed the same check from neigh_reduce().
+
+Fixes: f1fb08f6337c ("vxlan: fix ND proxy when skb doesn't have transport header offset")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Vincent Bernat <vincent@bernat.im>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan.c | 31 +++++++++++++------------------
+ 1 file changed, 13 insertions(+), 18 deletions(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1632,26 +1632,19 @@ static struct sk_buff *vxlan_na_create(s
+ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb, __be32 vni)
+ {
+ struct vxlan_dev *vxlan = netdev_priv(dev);
+- struct nd_msg *msg;
+- const struct ipv6hdr *iphdr;
+ const struct in6_addr *daddr;
+- struct neighbour *n;
++ const struct ipv6hdr *iphdr;
+ struct inet6_dev *in6_dev;
++ struct neighbour *n;
++ struct nd_msg *msg;
+
+ in6_dev = __in6_dev_get(dev);
+ if (!in6_dev)
+ goto out;
+
+- if (!pskb_may_pull(skb, sizeof(struct ipv6hdr) + sizeof(struct nd_msg)))
+- goto out;
+-
+ iphdr = ipv6_hdr(skb);
+ daddr = &iphdr->daddr;
+-
+ msg = (struct nd_msg *)(iphdr + 1);
+- if (msg->icmph.icmp6_code != 0 ||
+- msg->icmph.icmp6_type != NDISC_NEIGHBOUR_SOLICITATION)
+- goto out;
+
+ if (ipv6_addr_loopback(daddr) ||
+ ipv6_addr_is_multicast(&msg->target))
+@@ -2258,11 +2251,11 @@ tx_error:
+ static netdev_tx_t vxlan_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct vxlan_dev *vxlan = netdev_priv(dev);
++ struct vxlan_rdst *rdst, *fdst = NULL;
+ const struct ip_tunnel_info *info;
+- struct ethhdr *eth;
+ bool did_rsc = false;
+- struct vxlan_rdst *rdst, *fdst = NULL;
+ struct vxlan_fdb *f;
++ struct ethhdr *eth;
+ __be32 vni = 0;
+
+ info = skb_tunnel_info(skb);
+@@ -2287,12 +2280,14 @@ static netdev_tx_t vxlan_xmit(struct sk_
+ if (ntohs(eth->h_proto) == ETH_P_ARP)
+ return arp_reduce(dev, skb, vni);
+ #if IS_ENABLED(CONFIG_IPV6)
+- else if (ntohs(eth->h_proto) == ETH_P_IPV6) {
+- struct ipv6hdr *hdr, _hdr;
+- if ((hdr = skb_header_pointer(skb,
+- skb_network_offset(skb),
+- sizeof(_hdr), &_hdr)) &&
+- hdr->nexthdr == IPPROTO_ICMPV6)
++ else if (ntohs(eth->h_proto) == ETH_P_IPV6 &&
++ pskb_may_pull(skb, sizeof(struct ipv6hdr) +
++ sizeof(struct nd_msg)) &&
++ ipv6_hdr(skb)->nexthdr == IPPROTO_ICMPV6) {
++ struct nd_msg *m = (struct nd_msg *)(ipv6_hdr(skb) + 1);
++
++ if (m->icmph.icmp6_code == 0 &&
++ m->icmph.icmp6_type == NDISC_NEIGHBOUR_SOLICITATION)
+ return neigh_reduce(dev, skb, vni);
+ }
+ #endif
--- /dev/null
+bio-ensure-__bio_clone_fast-copies-bi_partno.patch
+af_netlink-ensure-that-nlmsg_done-never-fails-in-dumps.patch
+vxlan-fix-the-issue-that-neigh-proxy-blocks-all-icmpv6-packets.patch
+net-cdc_ncm-getntbformat-endian-fix.patch
+fealnx-fix-building-error-on-mips.patch
+net-sctp-always-set-scope_id-in-sctp_inet6_skb_msgname.patch
--- /dev/null
+tcp_nv-fix-division-by-zero-in-tcpnv_acked.patch
+net-vrf-correct-fra_l3mdev-encode-type.patch
+tcp-do-not-mangle-skb-cb-in-tcp_make_synack.patch
+netfilter-ipvs-clear-ipvs_property-flag-when-skb-net-namespace-changed.patch
+bonding-discard-lowest-hash-bit-for-802.3ad-layer3-4.patch
+net-cdc_ether-fix-divide-by-0-on-bad-descriptors.patch
+net-qmi_wwan-fix-divide-by-0-on-bad-descriptors.patch
+qmi_wwan-add-missing-skb_reset_mac_header-call.patch
+net-usb-asix-fill-null-ptr-deref-in-asix_suspend.patch
+vlan-fix-a-use-after-free-in-vlan_device_event.patch
+af_netlink-ensure-that-nlmsg_done-never-fails-in-dumps.patch
+sctp-do-not-peel-off-an-assoc-from-one-netns-to-another-one.patch
+fealnx-fix-building-error-on-mips.patch
+net-sctp-always-set-scope_id-in-sctp_inet6_skb_msgname.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
