4.17-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 8 Jun 2018 04:52:17 +0000 (06:52 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 8 Jun 2018 04:52:17 +0000 (06:52 +0200)
added patches:
bnx2x-use-the-right-constant.patch
ip6mr-only-set-ip6mr_table-from-setsockopt-when-ip6mr_new_table-succeeds.patch
ipmr-fix-error-path-when-ipmr_new_table-fails.patch
ipv6-omit-traffic-class-when-calculating-flow-hash.patch
l2tp-fix-refcount-leakage-on-pppol2tp-sockets.patch
net-dsa-b53-fix-for-brcm-tag-issue-in-cygnus-soc.patch
net-metrics-add-proper-netlink-validation.patch
net-packet-refine-check-for-priv-area-size.patch
netdev-faq-clarify-davem-s-position-for-stable-backports.patch
rtnetlink-validate-attributes-in-do_setlink.patch
sctp-not-allow-transport-timeout-value-less-than-hz-5-for-hb_timer.patch
team-use-netdev_features_t-instead-of-u32.patch
vrf-check-the-original-netdevice-for-generating-redirect.patch

14 files changed:
queue-4.17/bnx2x-use-the-right-constant.patch [new file with mode: 0644]
queue-4.17/ip6mr-only-set-ip6mr_table-from-setsockopt-when-ip6mr_new_table-succeeds.patch [new file with mode: 0644]
queue-4.17/ipmr-fix-error-path-when-ipmr_new_table-fails.patch [new file with mode: 0644]
queue-4.17/ipv6-omit-traffic-class-when-calculating-flow-hash.patch [new file with mode: 0644]
queue-4.17/l2tp-fix-refcount-leakage-on-pppol2tp-sockets.patch [new file with mode: 0644]
queue-4.17/net-dsa-b53-fix-for-brcm-tag-issue-in-cygnus-soc.patch [new file with mode: 0644]
queue-4.17/net-metrics-add-proper-netlink-validation.patch [new file with mode: 0644]
queue-4.17/net-packet-refine-check-for-priv-area-size.patch [new file with mode: 0644]
queue-4.17/netdev-faq-clarify-davem-s-position-for-stable-backports.patch [new file with mode: 0644]
queue-4.17/rtnetlink-validate-attributes-in-do_setlink.patch [new file with mode: 0644]
queue-4.17/sctp-not-allow-transport-timeout-value-less-than-hz-5-for-hb_timer.patch [new file with mode: 0644]
queue-4.17/series
queue-4.17/team-use-netdev_features_t-instead-of-u32.patch [new file with mode: 0644]
queue-4.17/vrf-check-the-original-netdevice-for-generating-redirect.patch [new file with mode: 0644]

diff --git a/queue-4.17/bnx2x-use-the-right-constant.patch b/queue-4.17/bnx2x-use-the-right-constant.patch
new file mode 100644 (file)
index 0000000..aba501d
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Fri Jun  8 06:51:12 CEST 2018
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+Date: Wed, 6 Jun 2018 15:03:22 +0200
+Subject: bnx2x: use the right constant
+
+From: Julia Lawall <Julia.Lawall@lip6.fr>
+
+[ Upstream commit dd612f18a49b63af8b3a5f572d999bdb197385bc ]
+
+Nearby code that also tests port suggests that the P0 constant should be
+used when port is zero.
+
+The semantic match that finds this problem is as follows:
+(http://coccinelle.lip6.fr/)
+
+// <smpl>
+@@
+expression e,e1;
+@@
+
+* e ? e1 : e1
+// </smpl>
+
+Fixes: 6c3218c6f7e5 ("bnx2x: Adjust ETS to 578xx")
+Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
+@@ -588,7 +588,7 @@ static void bnx2x_ets_e3b0_nig_disabled(
+        * slots for the highest priority.
+        */
+       REG_WR(bp, (port) ? NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS :
+-                 NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100);
++                 NIG_REG_P0_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100);
+       /* Mapping between the CREDIT_WEIGHT registers and actual client
+        * numbers
+        */
diff --git a/queue-4.17/ip6mr-only-set-ip6mr_table-from-setsockopt-when-ip6mr_new_table-succeeds.patch b/queue-4.17/ip6mr-only-set-ip6mr_table-from-setsockopt-when-ip6mr_new_table-succeeds.patch
new file mode 100644 (file)
index 0000000..ddd20aa
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Fri Jun  8 06:51:12 CEST 2018
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Tue, 5 Jun 2018 15:01:59 +0200
+Subject: ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 848235edb5c93ed086700584c8ff64f6d7fc778d ]
+
+Currently, raw6_sk(sk)->ip6mr_table is set unconditionally during
+ip6_mroute_setsockopt(MRT6_TABLE). A subsequent attempt at the same
+setsockopt will fail with -ENOENT, since we haven't actually created
+that table.
+
+A similar fix for ipv4 was included in commit 5e1859fbcc3c ("ipv4: ipmr:
+various fixes and cleanups").
+
+Fixes: d1db275dd3f6 ("ipv6: ip6mr: support multiple tables")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6mr.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -1759,7 +1759,8 @@ int ip6_mroute_setsockopt(struct sock *s
+               ret = 0;
+               if (!ip6mr_new_table(net, v))
+                       ret = -ENOMEM;
+-              raw6_sk(sk)->ip6mr_table = v;
++              else
++                      raw6_sk(sk)->ip6mr_table = v;
+               rtnl_unlock();
+               return ret;
+       }
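Review bot: The `else` / `raw6_sk(sk)->ip6mr_table = v;` lines added here are also relied on as context by the ipmr-fix-error-path patch queued in the same commit, whose ip6_mroute_setsockopt hunk assumes they already exist, so this patch must precede it in queue-4.17/series (the series file is listed as changed but its contents are not shown). The `!ip6mr_new_table(net, v)` test is only correct while that function reports failure as NULL; the follow-up patch replaces it with `IS_ERR()`, so the two patches need to be applied together rather than cherry-picked separately. ip6_mroute_setsockopt begins and ends outside the hunk.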
diff --git a/queue-4.17/ipmr-fix-error-path-when-ipmr_new_table-fails.patch b/queue-4.17/ipmr-fix-error-path-when-ipmr_new_table-fails.patch
new file mode 100644 (file)
index 0000000..51ad691
--- /dev/null
@@ -0,0 +1,118 @@
+From foo@baz Fri Jun  8 06:51:12 CEST 2018
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Tue, 5 Jun 2018 15:02:00 +0200
+Subject: ipmr: fix error path when ipmr_new_table fails
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit e783bb00ad86d9d1f01d9d3a750713070036358e ]
+
+commit 0bbbf0e7d0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
+refactored ipmr_new_table, so that it now returns NULL when
+mr_table_alloc fails. Unfortunately, all callers of ipmr_new_table
+expect an ERR_PTR.
+
+This can result in NULL deref, for example when ipmr_rules_exit calls
+ipmr_free_table with NULL net->ipv4.mrt in the
+!CONFIG_IP_MROUTE_MULTIPLE_TABLES version.
+
+This patch makes mr_table_alloc return errors, and changes
+ip6mr_new_table and its callers to return/expect error pointers as
+well. It also removes the version of mr_table_alloc defined under
+!CONFIG_IP_MROUTE_COMMON, since it is never used.
+
+Fixes: 0bbbf0e7d0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/mroute_base.h |   10 ----------
+ net/ipv4/ipmr_base.c        |    8 +++++---
+ net/ipv6/ip6mr.c            |   18 ++++++++++++------
+ 3 files changed, 17 insertions(+), 19 deletions(-)
+
+--- a/include/linux/mroute_base.h
++++ b/include/linux/mroute_base.h
+@@ -307,16 +307,6 @@ static inline void vif_device_init(struc
+ {
+ }
+-static inline void *
+-mr_table_alloc(struct net *net, u32 id,
+-             struct mr_table_ops *ops,
+-             void (*expire_func)(struct timer_list *t),
+-             void (*table_set)(struct mr_table *mrt,
+-                               struct net *net))
+-{
+-      return NULL;
+-}
+-
+ static inline void *mr_mfc_find_parent(struct mr_table *mrt,
+                                      void *hasharg, int parent)
+ {
+--- a/net/ipv4/ipmr_base.c
++++ b/net/ipv4/ipmr_base.c
+@@ -35,17 +35,19 @@ mr_table_alloc(struct net *net, u32 id,
+                                struct net *net))
+ {
+       struct mr_table *mrt;
++      int err;
+       mrt = kzalloc(sizeof(*mrt), GFP_KERNEL);
+       if (!mrt)
+-              return NULL;
++              return ERR_PTR(-ENOMEM);
+       mrt->id = id;
+       write_pnet(&mrt->net, net);
+       mrt->ops = *ops;
+-      if (rhltable_init(&mrt->mfc_hash, mrt->ops.rht_params)) {
++      err = rhltable_init(&mrt->mfc_hash, mrt->ops.rht_params);
++      if (err) {
+               kfree(mrt);
+-              return NULL;
++              return ERR_PTR(err);
+       }
+       INIT_LIST_HEAD(&mrt->mfc_cache_list);
+       INIT_LIST_HEAD(&mrt->mfc_unres_queue);
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -227,8 +227,8 @@ static int __net_init ip6mr_rules_init(s
+       INIT_LIST_HEAD(&net->ipv6.mr6_tables);
+       mrt = ip6mr_new_table(net, RT6_TABLE_DFLT);
+-      if (!mrt) {
+-              err = -ENOMEM;
++      if (IS_ERR(mrt)) {
++              err = PTR_ERR(mrt);
+               goto err1;
+       }
+@@ -301,8 +301,13 @@ static int ip6mr_fib_lookup(struct net *
+ static int __net_init ip6mr_rules_init(struct net *net)
+ {
+-      net->ipv6.mrt6 = ip6mr_new_table(net, RT6_TABLE_DFLT);
+-      return net->ipv6.mrt6 ? 0 : -ENOMEM;
++      struct mr_table *mrt;
++
++      mrt = ip6mr_new_table(net, RT6_TABLE_DFLT);
++      if (IS_ERR(mrt))
++              return PTR_ERR(mrt);
++      net->ipv6.mrt6 = mrt;
++      return 0;
+ }
+ static void __net_exit ip6mr_rules_exit(struct net *net)
+@@ -1757,8 +1762,9 @@ int ip6_mroute_setsockopt(struct sock *s
+               rtnl_lock();
+               ret = 0;
+-              if (!ip6mr_new_table(net, v))
+-                      ret = -ENOMEM;
++              mrt = ip6mr_new_table(net, v);
++              if (IS_ERR(mrt))
++                      ret = PTR_ERR(mrt);
+               else
+                       raw6_sk(sk)->ip6mr_table = v;
+               rtnl_unlock();
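Review bot: In the ip6_mroute_setsockopt hunk, `mrt = ip6mr_new_table(net, v);` uses `mrt` without this hunk declaring it, so it assumes a `struct mr_table *mrt` is already in scope in that function (its head is outside the hunk) — confirm, since in the neighbouring ip6mr_rules_init hunk the patch had to add the declaration itself. The commit message says ip6mr_new_table and its callers are changed, yet no hunk in ip6mr.c touches the ip6mr_new_table definition, so the fix presumably relies on it returning mr_table_alloc()'s result unchanged; if there is a second ip6mr_new_table variant (e.g. for the single-table configuration) that still returns NULL on failure, the new `IS_ERR()` tests would miss it. A one-line comment above `return ERR_PTR(-ENOMEM);` in mr_table_alloc, e.g. `/* callers test with IS_ERR(), never for NULL */`, would make the new contract explicit.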
diff --git a/queue-4.17/ipv6-omit-traffic-class-when-calculating-flow-hash.patch b/queue-4.17/ipv6-omit-traffic-class-when-calculating-flow-hash.patch
new file mode 100644 (file)
index 0000000..083059c
--- /dev/null
@@ -0,0 +1,75 @@
+From foo@baz Fri Jun  8 06:51:12 CEST 2018
+From: Michal Kubecek <mkubecek@suse.cz>
+Date: Mon, 4 Jun 2018 11:36:05 +0200
+Subject: ipv6: omit traffic class when calculating flow hash
+
+From: Michal Kubecek <mkubecek@suse.cz>
+
+[ Upstream commit fa1be7e01ea863e911349e30456706749518eeab ]
+
+Some of the code paths calculating flow hash for IPv6 use flowlabel member
+of struct flowi6 which, despite its name, encodes both flow label and
+traffic class. If traffic class changes within a TCP connection (as e.g.
+ssh does), ECMP route can switch between path. It's also inconsistent with
+other code paths where ip6_flowlabel() (returning only flow label) is used
+to feed the key.
+
+Use only flow label everywhere, including one place where hash key is set
+using ip6_flowinfo().
+
+Fixes: 51ebd3181572 ("ipv6: add support of equal cost multipath (ECMP)")
+Fixes: f70ea018da06 ("net: Add functions to get skb->hash based on flow structures")
+Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ipv6.h        |    5 +++++
+ net/core/flow_dissector.c |    2 +-
+ net/ipv6/route.c          |    4 ++--
+ 3 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/include/net/ipv6.h
++++ b/include/net/ipv6.h
+@@ -906,6 +906,11 @@ static inline __be32 ip6_make_flowinfo(u
+       return htonl(tclass << IPV6_TCLASS_SHIFT) | flowlabel;
+ }
++static inline __be32 flowi6_get_flowlabel(const struct flowi6 *fl6)
++{
++      return fl6->flowlabel & IPV6_FLOWLABEL_MASK;
++}
++
+ /*
+  *    Prototypes exported by ipv6
+  */
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -1334,7 +1334,7 @@ __u32 __get_hash_from_flowi6(const struc
+       keys->ports.src = fl6->fl6_sport;
+       keys->ports.dst = fl6->fl6_dport;
+       keys->keyid.keyid = fl6->fl6_gre_key;
+-      keys->tags.flow_label = (__force u32)fl6->flowlabel;
++      keys->tags.flow_label = (__force u32)flowi6_get_flowlabel(fl6);
+       keys->basic.ip_proto = fl6->flowi6_proto;
+       return flow_hash_from_keys(keys);
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1868,7 +1868,7 @@ out:
+       } else {
+               keys->addrs.v6addrs.src = key_iph->saddr;
+               keys->addrs.v6addrs.dst = key_iph->daddr;
+-              keys->tags.flow_label = ip6_flowinfo(key_iph);
++              keys->tags.flow_label = ip6_flowlabel(key_iph);
+               keys->basic.ip_proto = key_iph->nexthdr;
+       }
+ }
+@@ -1889,7 +1889,7 @@ u32 rt6_multipath_hash(const struct net
+               } else {
+                       hash_keys.addrs.v6addrs.src = fl6->saddr;
+                       hash_keys.addrs.v6addrs.dst = fl6->daddr;
+-                      hash_keys.tags.flow_label = (__force u32)fl6->flowlabel;
++                      hash_keys.tags.flow_label = (__force u32)flowi6_get_flowlabel(fl6);
+                       hash_keys.basic.ip_proto = fl6->flowi6_proto;
+               }
+               break;
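Review bot: `flowi6_get_flowlabel()` added to include/net/ipv6.h has no comment, although the whole reason it exists is that `fl6->flowlabel` also carries the traffic class; suggest `/* fl6->flowlabel holds tclass too; keep only the flow-label bits so the hash does not change with DSCP/ECN. */` above the definition. The helper returns `__be32`, so the `(__force u32)` casts kept at the two call sites in flow_dissector.c and route.c remain necessary and are consistent with the previous direct use of `fl6->flowlabel`.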
diff --git a/queue-4.17/l2tp-fix-refcount-leakage-on-pppol2tp-sockets.patch b/queue-4.17/l2tp-fix-refcount-leakage-on-pppol2tp-sockets.patch
new file mode 100644 (file)
index 0000000..6fda640
--- /dev/null
@@ -0,0 +1,145 @@
+From foo@baz Fri Jun  8 06:51:12 CEST 2018
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Mon, 4 Jun 2018 18:52:19 +0200
+Subject: l2tp: fix refcount leakage on PPPoL2TP sockets
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+[ Upstream commit 3d609342cc04129ff7568e19316ce3d7451a27e8 ]
+
+Commit d02ba2a6110c ("l2tp: fix race in pppol2tp_release with session
+object destroy") tried to fix a race condition where a PPPoL2TP socket
+would disappear while the L2TP session was still using it. However, it
+missed the root issue which is that an L2TP session may accept to be
+reconnected if its associated socket has entered the release process.
+
+The tentative fix makes the session hold the socket it is connected to.
+That saves the kernel from crashing, but introduces refcount leakage,
+preventing the socket from completing the release process. Once stalled,
+everything the socket depends on can't be released anymore, including
+the L2TP session and the l2tp_ppp module.
+
+The root issue is that, when releasing a connected PPPoL2TP socket, the
+session's ->sk pointer (RCU-protected) is reset to NULL and we have to
+wait for a grace period before destroying the socket. The socket drops
+the session in its ->sk_destruct callback function, so the session
+will exist until the last reference on the socket is dropped.
+Therefore, there is a time frame where pppol2tp_connect() may accept
+reconnecting a session, as it only checks ->sk to figure out if the
+session is connected. This time frame is shortened by the fact that
+pppol2tp_release() calls l2tp_session_delete(), making the session
+unreachable before resetting ->sk. However, pppol2tp_connect() may
+grab the session before it gets unhashed by l2tp_session_delete(), but
+it may test ->sk after the later got reset. The race is not so hard to
+trigger and syzbot found a pretty reliable reproducer:
+https://syzkaller.appspot.com/bug?id=418578d2a4389074524e04d641eacb091961b2cf
+
+Before d02ba2a6110c, another race could let pppol2tp_release()
+overwrite the ->__sk pointer of an L2TP session, thus tricking
+pppol2tp_put_sk() into calling sock_put() on a socket that is different
+than the one for which pppol2tp_release() was originally called. To get
+there, we had to trigger the race described above, therefore having one
+PPPoL2TP socket being released, while the session it is connected to is
+reconnecting to a different PPPoL2TP socket. When releasing this new
+socket fast enough, pppol2tp_release() overwrites the session's
+->__sk pointer with the address of the new socket, before the first
+pppol2tp_put_sk() call gets scheduled. Then the pppol2tp_put_sk() call
+invoked by the original socket will sock_put() the new socket,
+potentially dropping its last reference. When the second
+pppol2tp_put_sk() finally runs, its socket has already been freed.
+
+With d02ba2a6110c, the session takes a reference on both sockets.
+Furthermore, the session's ->sk pointer is reset in the
+pppol2tp_session_close() callback function rather than in
+pppol2tp_release(). Therefore, ->__sk can't be overwritten and
+pppol2tp_put_sk() is called only once (l2tp_session_delete() will only
+run pppol2tp_session_close() once, to protect the session against
+concurrent deletion requests). Now pppol2tp_put_sk() will properly
+sock_put() the original socket, but the new socket will remain, as
+l2tp_session_delete() prevented the release process from completing.
+Here, we don't depend on the ->__sk race to trigger the bug. Getting
+into the pppol2tp_connect() race is enough to leak the reference, no
+matter when new socket is released.
+
+So it all boils down to pppol2tp_connect() failing to realise that the
+session has already been connected. This patch drops the unneeded extra
+reference counting (mostly reverting d02ba2a6110c) and checks that
+neither ->sk nor ->__sk is set before allowing a session to be
+connected.
+
+Fixes: d02ba2a6110c ("l2tp: fix race in pppol2tp_release with session object destroy")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ppp.c |   35 +++++++++++++++++------------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -428,16 +428,6 @@ static void pppol2tp_put_sk(struct rcu_h
+  */
+ static void pppol2tp_session_close(struct l2tp_session *session)
+ {
+-      struct pppol2tp_session *ps;
+-
+-      ps = l2tp_session_priv(session);
+-      mutex_lock(&ps->sk_lock);
+-      ps->__sk = rcu_dereference_protected(ps->sk,
+-                                           lockdep_is_held(&ps->sk_lock));
+-      RCU_INIT_POINTER(ps->sk, NULL);
+-      if (ps->__sk)
+-              call_rcu(&ps->rcu, pppol2tp_put_sk);
+-      mutex_unlock(&ps->sk_lock);
+ }
+ /* Really kill the session socket. (Called from sock_put() if
+@@ -480,15 +470,24 @@ static int pppol2tp_release(struct socke
+       sock_orphan(sk);
+       sock->sk = NULL;
+-      /* If the socket is associated with a session,
+-       * l2tp_session_delete will call pppol2tp_session_close which
+-       * will drop the session's ref on the socket.
+-       */
+       session = pppol2tp_sock_to_session(sk);
+       if (session) {
++              struct pppol2tp_session *ps;
++
+               l2tp_session_delete(session);
+-              /* drop the ref obtained by pppol2tp_sock_to_session */
+-              sock_put(sk);
++
++              ps = l2tp_session_priv(session);
++              mutex_lock(&ps->sk_lock);
++              ps->__sk = rcu_dereference_protected(ps->sk,
++                                                   lockdep_is_held(&ps->sk_lock));
++              RCU_INIT_POINTER(ps->sk, NULL);
++              mutex_unlock(&ps->sk_lock);
++              call_rcu(&ps->rcu, pppol2tp_put_sk);
++
++              /* Rely on the sock_put() call at the end of the function for
++               * dropping the reference held by pppol2tp_sock_to_session().
++               * The last reference will be dropped by pppol2tp_put_sk().
++               */
+       }
+       release_sock(sk);
+@@ -742,7 +741,8 @@ static int pppol2tp_connect(struct socke
+                */
+               mutex_lock(&ps->sk_lock);
+               if (rcu_dereference_protected(ps->sk,
+-                                            lockdep_is_held(&ps->sk_lock))) {
++                                            lockdep_is_held(&ps->sk_lock)) ||
++                  ps->__sk) {
+                       mutex_unlock(&ps->sk_lock);
+                       error = -EEXIST;
+                       goto end;
+@@ -803,7 +803,6 @@ static int pppol2tp_connect(struct socke
+ out_no_ppp:
+       /* This is how we get the session context from the socket. */
+-      sock_hold(sk);
+       sk->sk_user_data = session;
+       rcu_assign_pointer(ps->sk, sk);
+       mutex_unlock(&ps->sk_lock);
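Review bot: In the pppol2tp_release hunk `call_rcu(&ps->rcu, pppol2tp_put_sk);` is now unconditional, whereas the body removed from pppol2tp_session_close only scheduled it when `ps->__sk` was non-NULL; pppol2tp_put_sk is not in the hunk, so whether it tolerates a NULL `__sk` cannot be seen here, and keeping `if (ps->__sk) call_rcu(&ps->rcu, pppol2tp_put_sk);` would preserve the old guard at no cost. The `-EEXIST` test in pppol2tp_connect reads `ps->__sk` under `sk_lock`, the same lock under which release now writes it, so that ordering looks sound. pppol2tp_release and pppol2tp_connect both continue outside the hunks.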
diff --git a/queue-4.17/net-dsa-b53-fix-for-brcm-tag-issue-in-cygnus-soc.patch b/queue-4.17/net-dsa-b53-fix-for-brcm-tag-issue-in-cygnus-soc.patch
new file mode 100644 (file)
index 0000000..f6f93c8
--- /dev/null
@@ -0,0 +1,106 @@
+From foo@baz Fri Jun  8 06:51:12 CEST 2018
+From: Arun Parameswaran <arun.parameswaran@broadcom.com>
+Date: Tue, 5 Jun 2018 13:38:12 -0700
+Subject: net: dsa: b53: Fix for brcm tag issue in Cygnus SoC
+
+From: Arun Parameswaran <arun.parameswaran@broadcom.com>
+
+[ Upstream commit 5040cc990cbac98733df4d58fdeac5bbdab15b49 ]
+
+In the Broadcom Cygnus SoC, the brcm tag needs to be inserted
+in between the mac address and the ether type (should use
+'DSA_PROTO_TAG_BRCM') for the packets sent to the internal
+b53 switch.
+
+Since the Cygnus was added with the BCM58XX device id and the
+BCM58XX uses 'DSA_PROTO_TAG_BRCM_PREPEND', the data path is
+broken, due to the incorrect brcm tag location.
+
+Add a new b53 device id (BCM583XX) for Cygnus family to fix the
+issue. Add the new device id to the BCM58XX family as Cygnus
+is similar to the BCM58XX in most other functionalities.
+
+Fixes: 11606039604c ("net: dsa: b53: Support prepended Broadcom tags")
+
+Signed-off-by: Arun Parameswaran <arun.parameswaran@broadcom.com>
+Acked-by: Scott Branden <scott.branden@broadcom.com>
+Reported-by: Clément Péron <peron.clem@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Tested-by: Clément Péron <peron.clem@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/b53/b53_common.c |   15 ++++++++++++++-
+ drivers/net/dsa/b53/b53_priv.h   |    2 ++
+ drivers/net/dsa/b53/b53_srab.c   |    4 ++--
+ 3 files changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -684,7 +684,8 @@ static int b53_switch_reset(struct b53_d
+        * still use this driver as a library and need to perform the reset
+        * earlier.
+        */
+-      if (dev->chip_id == BCM58XX_DEVICE_ID) {
++      if (dev->chip_id == BCM58XX_DEVICE_ID ||
++          dev->chip_id == BCM583XX_DEVICE_ID) {
+               b53_read8(dev, B53_CTRL_PAGE, B53_SOFTRESET, &reg);
+               reg |= SW_RST | EN_SW_RST | EN_CH_RST;
+               b53_write8(dev, B53_CTRL_PAGE, B53_SOFTRESET, reg);
+@@ -1875,6 +1876,18 @@ static const struct b53_chip_data b53_sw
+               .arl_entries = 4,
+               .cpu_port = B53_CPU_PORT,
+               .vta_regs = B53_VTA_REGS,
++              .duplex_reg = B53_DUPLEX_STAT_GE,
++              .jumbo_pm_reg = B53_JUMBO_PORT_MASK,
++              .jumbo_size_reg = B53_JUMBO_MAX_SIZE,
++      },
++      {
++              .chip_id = BCM583XX_DEVICE_ID,
++              .dev_name = "BCM583xx/11360",
++              .vlans = 4096,
++              .enabled_ports = 0x103,
++              .arl_entries = 4,
++              .cpu_port = B53_CPU_PORT,
++              .vta_regs = B53_VTA_REGS,
+               .duplex_reg = B53_DUPLEX_STAT_GE,
+               .jumbo_pm_reg = B53_JUMBO_PORT_MASK,
+               .jumbo_size_reg = B53_JUMBO_MAX_SIZE,
+--- a/drivers/net/dsa/b53/b53_priv.h
++++ b/drivers/net/dsa/b53/b53_priv.h
+@@ -62,6 +62,7 @@ enum {
+       BCM53018_DEVICE_ID = 0x53018,
+       BCM53019_DEVICE_ID = 0x53019,
+       BCM58XX_DEVICE_ID = 0x5800,
++      BCM583XX_DEVICE_ID = 0x58300,
+       BCM7445_DEVICE_ID = 0x7445,
+       BCM7278_DEVICE_ID = 0x7278,
+ };
+@@ -181,6 +182,7 @@ static inline int is5301x(struct b53_dev
+ static inline int is58xx(struct b53_device *dev)
+ {
+       return dev->chip_id == BCM58XX_DEVICE_ID ||
++              dev->chip_id == BCM583XX_DEVICE_ID ||
+               dev->chip_id == BCM7445_DEVICE_ID ||
+               dev->chip_id == BCM7278_DEVICE_ID;
+ }
+--- a/drivers/net/dsa/b53/b53_srab.c
++++ b/drivers/net/dsa/b53/b53_srab.c
+@@ -364,7 +364,7 @@ static const struct of_device_id b53_sra
+       { .compatible = "brcm,bcm53018-srab" },
+       { .compatible = "brcm,bcm53019-srab" },
+       { .compatible = "brcm,bcm5301x-srab" },
+-      { .compatible = "brcm,bcm11360-srab", .data = (void *)BCM58XX_DEVICE_ID },
++      { .compatible = "brcm,bcm11360-srab", .data = (void *)BCM583XX_DEVICE_ID },
+       { .compatible = "brcm,bcm58522-srab", .data = (void *)BCM58XX_DEVICE_ID },
+       { .compatible = "brcm,bcm58525-srab", .data = (void *)BCM58XX_DEVICE_ID },
+       { .compatible = "brcm,bcm58535-srab", .data = (void *)BCM58XX_DEVICE_ID },
+@@ -372,7 +372,7 @@ static const struct of_device_id b53_sra
+       { .compatible = "brcm,bcm58623-srab", .data = (void *)BCM58XX_DEVICE_ID },
+       { .compatible = "brcm,bcm58625-srab", .data = (void *)BCM58XX_DEVICE_ID },
+       { .compatible = "brcm,bcm88312-srab", .data = (void *)BCM58XX_DEVICE_ID },
+-      { .compatible = "brcm,cygnus-srab", .data = (void *)BCM58XX_DEVICE_ID },
++      { .compatible = "brcm,cygnus-srab", .data = (void *)BCM583XX_DEVICE_ID },
+       { .compatible = "brcm,nsp-srab", .data = (void *)BCM58XX_DEVICE_ID },
+       { /* sentinel */ },
+ };
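Review bot: None of the hunks touch the tag-protocol selection the commit message describes, so whether Cygnus now gets the in-band Broadcom tag depends on that code comparing `dev->chip_id` with `BCM58XX_DEVICE_ID` exactly rather than calling `is58xx()`, which this patch extends to also match `BCM583XX_DEVICE_ID`; worth confirming, since otherwise the new id changes nothing on the data path. The new b53_switch_devices entry repeats the BCM58XX values field for field, so a one-line comment above `.chip_id = BCM583XX_DEVICE_ID,` such as `/* Cygnus: BCM58XX-like, but must use the in-band Broadcom tag */` would record why a separate id exists.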
diff --git a/queue-4.17/net-metrics-add-proper-netlink-validation.patch b/queue-4.17/net-metrics-add-proper-netlink-validation.patch
new file mode 100644 (file)
index 0000000..56d1898
--- /dev/null
@@ -0,0 +1,129 @@
+From foo@baz Fri Jun  8 06:51:12 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 5 Jun 2018 06:06:19 -0700
+Subject: net: metrics: add proper netlink validation
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 5b5e7a0de2bbf2a1afcd9f49e940010e9fb80d53 ]
+
+Before using nla_get_u32(), better make sure the attribute
+is of the proper size.
+
+Code recently was changed, but bug has been there from beginning
+of git.
+
+BUG: KMSAN: uninit-value in rtnetlink_put_metrics+0x553/0x960 net/core/rtnetlink.c:746
+CPU: 1 PID: 14139 Comm: syz-executor6 Not tainted 4.17.0-rc5+ #103
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
+ __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686
+ rtnetlink_put_metrics+0x553/0x960 net/core/rtnetlink.c:746
+ fib_dump_info+0xc42/0x2190 net/ipv4/fib_semantics.c:1361
+ rtmsg_fib+0x65f/0x8c0 net/ipv4/fib_semantics.c:419
+ fib_table_insert+0x2314/0x2b50 net/ipv4/fib_trie.c:1287
+ inet_rtm_newroute+0x210/0x340 net/ipv4/fib_frontend.c:779
+ rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
+ netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x455a09
+RSP: 002b:00007faae5fd8c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007faae5fd96d4 RCX: 0000000000455a09
+RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000013
+RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000005d0 R14: 00000000006fdc20 R15: 0000000000000000
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
+ __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:529
+ fib_convert_metrics net/ipv4/fib_semantics.c:1056 [inline]
+ fib_create_info+0x2d46/0x9dc0 net/ipv4/fib_semantics.c:1150
+ fib_table_insert+0x3e4/0x2b50 net/ipv4/fib_trie.c:1146
+ inet_rtm_newroute+0x210/0x340 net/ipv4/fib_frontend.c:779
+ rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
+ netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
+ kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
+ slab_post_alloc_hook mm/slab.h:446 [inline]
+ slab_alloc_node mm/slub.c:2753 [inline]
+ __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:988 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
+ netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: a919525ad832 ("net: Move fib_convert_metrics to metrics file")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/fib_semantics.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -717,6 +717,8 @@ bool fib_metrics_match(struct fib_config
+                       nla_strlcpy(tmp, nla, sizeof(tmp));
+                       val = tcp_ca_get_key_by_name(fi->fib_net, tmp, &ecn_ca);
+               } else {
++                      if (nla_len(nla) != sizeof(u32))
++                              return false;
+                       val = nla_get_u32(nla);
+               }
+@@ -1043,6 +1045,8 @@ fib_convert_metrics(struct fib_info *fi,
+                       if (val == TCP_CA_UNSPEC)
+                               return -EINVAL;
+               } else {
++                      if (nla_len(nla) != sizeof(u32))
++                              return -EINVAL;
+                       val = nla_get_u32(nla);
+               }
+               if (type == RTAX_ADVMSS && val > 65535 - 40)
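Review bot: The `nla_len(nla) != sizeof(u32)` guard is duplicated in fib_metrics_match and fib_convert_metrics; expressing it once where RTA_METRICS is parsed (a nla_policy for the RTAX_* attributes with RTAX_CC_ALGO as the string exception) would cover any future reader of the nested metrics instead of only these two sites. As written, a malformed attribute makes fib_metrics_match report "no match" (`return false`) while fib_convert_metrics rejects the request with `-EINVAL`; that asymmetry is plausibly intentional but deserves a short comment at the `return false;`. Both functions begin outside the hunks.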
diff --git a/queue-4.17/net-packet-refine-check-for-priv-area-size.patch b/queue-4.17/net-packet-refine-check-for-priv-area-size.patch
new file mode 100644 (file)
index 0000000..4b0277d
--- /dev/null
@@ -0,0 +1,94 @@
+From foo@baz Fri Jun  8 06:51:12 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 1 Jun 2018 09:23:02 -0700
+Subject: net/packet: refine check for priv area size
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit eb73190f4fbeedf762394e92d6a4ec9ace684c88 ]
+
+syzbot was able to trick af_packet again [1]
+
+Various commits tried to address the problem in the past,
+but failed to take into account V3 header size.
+
+[1]
+
+tpacket_rcv: packet too big, clamped from 72 to 4294967224. macoff=96
+BUG: KASAN: use-after-free in prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
+BUG: KASAN: use-after-free in prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
+Write of size 2 at addr ffff8801cb62000e by task kworker/1:2/2106
+
+CPU: 1 PID: 2106 Comm: kworker/1:2 Not tainted 4.17.0-rc7+ #77
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: ipv6_addrconf addrconf_dad_work
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ __asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436
+ prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
+ prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
+ __packet_lookup_frame_in_block net/packet/af_packet.c:1094 [inline]
+ packet_current_rx_frame net/packet/af_packet.c:1117 [inline]
+ tpacket_rcv+0x1866/0x3340 net/packet/af_packet.c:2282
+ dev_queue_xmit_nit+0x891/0xb90 net/core/dev.c:2018
+ xmit_one net/core/dev.c:3049 [inline]
+ dev_hard_start_xmit+0x16b/0xc10 net/core/dev.c:3069
+ __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
+ dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
+ neigh_resolve_output+0x679/0xad0 net/core/neighbour.c:1358
+ neigh_output include/net/neighbour.h:482 [inline]
+ ip6_finish_output2+0xc9c/0x2810 net/ipv6/ip6_output.c:120
+ ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154
+ NF_HOOK_COND include/linux/netfilter.h:277 [inline]
+ ip6_output+0x227/0x9b0 net/ipv6/ip6_output.c:171
+ dst_output include/net/dst.h:444 [inline]
+ NF_HOOK include/linux/netfilter.h:288 [inline]
+ ndisc_send_skb+0x100d/0x1570 net/ipv6/ndisc.c:491
+ ndisc_send_ns+0x3c1/0x8d0 net/ipv6/ndisc.c:633
+ addrconf_dad_work+0xbef/0x1340 net/ipv6/addrconf.c:4033
+ process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
+ worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
+ kthread+0x345/0x410 kernel/kthread.c:240
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
+
+The buggy address belongs to the page:
+page:ffffea00072d8800 count:0 mapcount:-127 mapping:0000000000000000 index:0xffff8801cb620e80
+flags: 0x2fffc0000000000()
+raw: 02fffc0000000000 0000000000000000 ffff8801cb620e80 00000000ffffff80
+raw: ffffea00072e3820 ffffea0007132d20 0000000000000002 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8801cb61ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff8801cb61ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+>ffff8801cb620000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+                      ^
+ ffff8801cb620080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff8801cb620100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+
+Fixes: 2b6867c2ce76 ("net/packet: fix overflow in check for priv area size")
+Fixes: dc808110bb62 ("packet: handle too big packets for PACKET_V3")
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4282,7 +4282,7 @@ static int packet_set_ring(struct sock *
+                       goto out;
+               if (po->tp_version >= TPACKET_V3 &&
+                   req->tp_block_size <=
+-                        BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
++                  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr))
+                       goto out;
+               if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+                                       po->tp_reserve))
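Review bot: The rewritten bound on the inner `+` line adds `sizeof(struct tpacket3_hdr)` to the priv-area check without a comment saying why the header size belongs there, which is precisely the reasoning the three earlier fixes named in the Fixes: trailers missed. A one-line comment above the `if`, such as `/* V3: the block must hold BLK_PLUS_PRIV() plus at least one tpacket3_hdr, or prb_fill_curr_block() writes past the block. */`, would keep a later backport from trimming the term; that wording is my reading of the KASAN report and should be confirmed against `BLK_PLUS_PRIV`, whose definition is not in the hunk. `packet_set_ring()` starts and ends outside the hunk, so whether `tp_sizeof_priv` is range-checked earlier cannot be seen here.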
diff --git a/queue-4.17/netdev-faq-clarify-davem-s-position-for-stable-backports.patch b/queue-4.17/netdev-faq-clarify-davem-s-position-for-stable-backports.patch
new file mode 100644 (file)
index 0000000..bf28a50
--- /dev/null
@@ -0,0 +1,41 @@
+From foo@baz Fri Jun  8 06:51:12 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Tue, 5 Jun 2018 09:48:13 -0700
+Subject: netdev-FAQ: clarify DaveM's position for stable backports
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 75d4e704fa8d2cf33ff295e5b441317603d7f9fd ]
+
+Per discussion with David at netconf 2018, let's clarify
+DaveM's position of handling stable backports in netdev-FAQ.
+
+This is important for people relying on upstream -stable
+releases.
+
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/networking/netdev-FAQ.txt |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/Documentation/networking/netdev-FAQ.txt
++++ b/Documentation/networking/netdev-FAQ.txt
+@@ -179,6 +179,15 @@ A: No.  See above answer.  In short, if
+    dash marker line as described in Documentation/process/submitting-patches.rst to
+    temporarily embed that information into the patch that you send.
++Q: Are all networking bug fixes backported to all stable releases?
++
++A: Due to capacity, Dave could only take care of the backports for the last
++   2 stable releases. For earlier stable releases, each stable branch maintainer
++   is supposed to take care of them. If you find any patch is missing from an
++   earlier stable branch, please notify stable@vger.kernel.org with either a
++   commit ID or a formal patch backported, and CC Dave and other relevant
++   networking developers.
++
+ Q: Someone said that the comment style and coding convention is different
+    for the networking content.  Is this true?
diff --git a/queue-4.17/rtnetlink-validate-attributes-in-do_setlink.patch b/queue-4.17/rtnetlink-validate-attributes-in-do_setlink.patch
new file mode 100644 (file)
index 0000000..bf022be
--- /dev/null
@@ -0,0 +1,139 @@
+From foo@baz Fri Jun  8 06:51:12 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 5 Jun 2018 09:25:19 -0700
+Subject: rtnetlink: validate attributes in do_setlink()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 644c7eebbfd59e72982d11ec6cc7d39af12450ae ]
+
+It seems that rtnl_group_changelink() can call do_setlink
+while a prior call to validate_linkmsg(dev = NULL, ...) could
+not validate IFLA_ADDRESS / IFLA_BROADCAST
+
+Make sure do_setlink() calls validate_linkmsg() instead
+of letting its callers having this responsibility.
+
+With help from Dmitry Vyukov, thanks a lot !
+
+BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:199 [inline]
+BUG: KMSAN: uninit-value in eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline]
+BUG: KMSAN: uninit-value in eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308
+CPU: 1 PID: 8695 Comm: syz-executor3 Not tainted 4.17.0-rc5+ #103
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
+ __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686
+ is_valid_ether_addr include/linux/etherdevice.h:199 [inline]
+ eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline]
+ eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308
+ dev_set_mac_address+0x261/0x530 net/core/dev.c:7157
+ do_setlink+0xbc3/0x5fc0 net/core/rtnetlink.c:2317
+ rtnl_group_changelink net/core/rtnetlink.c:2824 [inline]
+ rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976
+ rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
+ netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x455a09
+RSP: 002b:00007fc07480ec68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007fc07480f6d4 RCX: 0000000000455a09
+RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000014
+RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000005d0 R14: 00000000006fdc20 R15: 0000000000000000
+
+Uninit was stored to memory at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
+ kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
+ kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
+ kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
+ __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:478
+ do_setlink+0xb84/0x5fc0 net/core/rtnetlink.c:2315
+ rtnl_group_changelink net/core/rtnetlink.c:2824 [inline]
+ rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976
+ rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
+ netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
+ kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
+ slab_post_alloc_hook mm/slab.h:446 [inline]
+ slab_alloc_node mm/slub.c:2753 [inline]
+ __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:988 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
+ netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg net/socket.c:639 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
+ __sys_sendmsg net/socket.c:2155 [inline]
+ __do_sys_sendmsg net/socket.c:2164 [inline]
+ __se_sys_sendmsg net/socket.c:2162 [inline]
+ __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
+ do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: e7ed828f10bd ("netlink: support setting devgroup parameters")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -2256,6 +2256,10 @@ static int do_setlink(const struct sk_bu
+       const struct net_device_ops *ops = dev->netdev_ops;
+       int err;
++      err = validate_linkmsg(dev, tb);
++      if (err < 0)
++              return err;
++
+       if (tb[IFLA_NET_NS_PID] || tb[IFLA_NET_NS_FD] || tb[IFLA_IF_NETNSID]) {
+               struct net *net = rtnl_link_get_net_capable(skb, dev_net(dev),
+                                                           tb, CAP_NET_ADMIN);
+@@ -2619,10 +2623,6 @@ static int rtnl_setlink(struct sk_buff *
+               goto errout;
+       }
+-      err = validate_linkmsg(dev, tb);
+-      if (err < 0)
+-              goto errout;
+-
+       err = do_setlink(skb, dev, ifm, extack, tb, ifname, 0);
+ errout:
+       return err;
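Review bot: The `validate_linkmsg(dev, tb)` call added at the top of `do_setlink()` carries no comment recording that it deliberately replaces per-caller validation, so a future backport could reintroduce a caller-side call or, worse, drop this one; a comment such as `/* Validate here, not in callers: rtnl_group_changelink() reaches do_setlink() without a dev-aware validate_linkmsg() pass. */` would capture the commit message. If `rtnl_newlink()` still runs its own `validate_linkmsg()` before calling `do_setlink()` (not visible in these hunks), attributes on that path are now validated twice, which is harmless but could be trimmed in a follow-up. The second hunk only removes the call from `rtnl_setlink()`; both `do_setlink()` and `rtnl_setlink()` start outside the hunks.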
diff --git a/queue-4.17/sctp-not-allow-transport-timeout-value-less-than-hz-5-for-hb_timer.patch b/queue-4.17/sctp-not-allow-transport-timeout-value-less-than-hz-5-for-hb_timer.patch
new file mode 100644 (file)
index 0000000..80cf75a
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Fri Jun  8 06:51:12 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 5 Jun 2018 12:16:58 +0800
+Subject: sctp: not allow transport timeout value less than HZ/5 for hb_timer
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 1d88ba1ebb2763aa86172cd7ca05dedbeccc0d35 ]
+
+syzbot reported a rcu_sched self-detected stall on CPU which is caused
+by too small value set on rto_min with SCTP_RTOINFO sockopt. With this
+value, hb_timer will get stuck there, as in its timer handler it starts
+this timer again with this value, then goes to the timer handler again.
+
+This problem is there since very beginning, and thanks to Eric for the
+reproducer shared from a syzbot mail.
+
+This patch fixes it by not allowing sctp_transport_timeout to return a
+smaller value than HZ/5 for hb_timer, which is based on TCP's min rto.
+
+Note that it doesn't fix this issue by limiting rto_min, as some users
+are still using small rto and no proper value was found for it yet.
+
+Reported-by: syzbot+3dcd59a1f907245f891f@syzkaller.appspotmail.com
+Suggested-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/transport.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/transport.c
++++ b/net/sctp/transport.c
+@@ -634,7 +634,7 @@ unsigned long sctp_transport_timeout(str
+           trans->state != SCTP_PF)
+               timeout += trans->hbinterval;
+-      return timeout;
++      return max_t(unsigned long, timeout, HZ / 5);
+ }
+ /* Reset transport variables to their initial values */
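Review bot: The new `return max_t(unsigned long, timeout, HZ / 5);` leaves `HZ / 5` as an unexplained magic value; a comment such as `/* Floor at HZ/5 (TCP's minimum RTO): a tiny rto_min would otherwise make hb_timer re-arm itself in a tight loop. */`, or a named constant for the floor, would preserve the rationale from the commit message. Because the clamp is applied inside `sctp_transport_timeout()` rather than at the heartbeat-timer call site, any other caller of this function (none visible here) is clamped as well, while the subject line suggests the intent was hb_timer only. `sctp_transport_timeout()` starts outside the hunk.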
index a8472f6f808c9428fd74643e4cff1fb7df850db2..dbeaffca7ac931bc22898e3dc019711a6e8a068b 100644 (file)
@@ -1 +1,14 @@
 netfilter-nf_flow_table-attach-dst-to-skbs.patch
+bnx2x-use-the-right-constant.patch
+ip6mr-only-set-ip6mr_table-from-setsockopt-when-ip6mr_new_table-succeeds.patch
+ipv6-omit-traffic-class-when-calculating-flow-hash.patch
+l2tp-fix-refcount-leakage-on-pppol2tp-sockets.patch
+netdev-faq-clarify-davem-s-position-for-stable-backports.patch
+net-metrics-add-proper-netlink-validation.patch
+net-packet-refine-check-for-priv-area-size.patch
+rtnetlink-validate-attributes-in-do_setlink.patch
+sctp-not-allow-transport-timeout-value-less-than-hz-5-for-hb_timer.patch
+team-use-netdev_features_t-instead-of-u32.patch
+vrf-check-the-original-netdevice-for-generating-redirect.patch
+net-dsa-b53-fix-for-brcm-tag-issue-in-cygnus-soc.patch
+ipmr-fix-error-path-when-ipmr_new_table-fails.patch
diff --git a/queue-4.17/team-use-netdev_features_t-instead-of-u32.patch b/queue-4.17/team-use-netdev_features_t-instead-of-u32.patch
new file mode 100644 (file)
index 0000000..5a444bb
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Fri Jun  8 06:51:12 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 4 Jun 2018 17:46:01 +0300
+Subject: team: use netdev_features_t instead of u32
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 25ea66544bfd1d9df1b7e1502f8717e85fa1e6e6 ]
+
+This code was introduced in 2011 around the same time that we made
+netdev_features_t a u64 type.  These days a u32 is not big enough to
+hold all the potential features.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1004,7 +1004,8 @@ static void team_port_disable(struct tea
+ static void __team_compute_features(struct team *team)
+ {
+       struct team_port *port;
+-      u32 vlan_features = TEAM_VLAN_FEATURES & NETIF_F_ALL_FOR_ALL;
++      netdev_features_t vlan_features = TEAM_VLAN_FEATURES &
++                                        NETIF_F_ALL_FOR_ALL;
+       netdev_features_t enc_features  = TEAM_ENC_FEATURES;
+       unsigned short max_hard_header_len = ETH_HLEN;
+       unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE |
diff --git a/queue-4.17/vrf-check-the-original-netdevice-for-generating-redirect.patch b/queue-4.17/vrf-check-the-original-netdevice-for-generating-redirect.patch
new file mode 100644 (file)
index 0000000..76c7ade
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Fri Jun  8 06:51:12 CEST 2018
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+Date: Fri, 1 Jun 2018 00:05:21 -0400
+Subject: vrf: check the original netdevice for generating redirect
+
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+
+[ Upstream commit 2f17becfbea5e9a0529b51da7345783e96e69516 ]
+
+Use the right device to determine if redirect should be sent especially
+when using vrf. Same as well as when sending the redirect.
+
+Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
+Acked-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c |    3 ++-
+ net/ipv6/ndisc.c      |    6 ++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -507,7 +507,8 @@ int ip6_forward(struct sk_buff *skb)
+          send redirects to source routed frames.
+          We don't send redirects to frames decapsulated from IPsec.
+        */
+-      if (skb->dev == dst->dev && opt->srcrt == 0 && !skb_sec_path(skb)) {
++      if (IP6CB(skb)->iif == dst->dev->ifindex &&
++          opt->srcrt == 0 && !skb_sec_path(skb)) {
+               struct in6_addr *target = NULL;
+               struct inet_peer *peer;
+               struct rt6_info *rt;
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1576,6 +1576,12 @@ void ndisc_send_redirect(struct sk_buff
+          ops_data_buf[NDISC_OPS_REDIRECT_DATA_SPACE], *ops_data = NULL;
+       bool ret;
++      if (netif_is_l3_master(skb->dev)) {
++              dev = __dev_get_by_index(dev_net(skb->dev), IPCB(skb)->iif);
++              if (!dev)
++                      return;
++      }
++
+       if (ipv6_get_lladdr(dev, &saddr_buf, IFA_F_TENTATIVE)) {
+               ND_PRINTK(2, warn, "Redirect: no link-local address on %s\n",
+                         dev->name);