--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Tobias Jungel <tobias.jungel@gmail.com>
+Date: Sun, 28 Oct 2018 12:54:10 +0100
+Subject: bonding: fix length of actor system
+
+From: Tobias Jungel <tobias.jungel@gmail.com>
+
+[ Upstream commit 414dd6fb9a1a1b59983aea7bf0f79f0085ecc5b8 ]
+
+The attribute IFLA_BOND_AD_ACTOR_SYSTEM is sent to user space having the
+length of sizeof(bond->params.ad_actor_system) which is 8 byte. This
+patch aligns the length to ETH_ALEN to have the same MAC address exposed
+as using sysfs.
+
+Fixes: f87fda00b6ed2 ("bonding: prevent out of bound accesses")
+Signed-off-by: Tobias Jungel <tobias.jungel@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_netlink.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/bonding/bond_netlink.c
++++ b/drivers/net/bonding/bond_netlink.c
+@@ -638,8 +638,7 @@ static int bond_fill_info(struct sk_buff
+ goto nla_put_failure;
+
+ if (nla_put(skb, IFLA_BOND_AD_ACTOR_SYSTEM,
+- sizeof(bond->params.ad_actor_system),
+- &bond->params.ad_actor_system))
++ ETH_ALEN, &bond->params.ad_actor_system))
+ goto nla_put_failure;
+ }
+ if (!bond_3ad_get_active_agg_info(bond, &info)) {
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Fri, 26 Oct 2018 10:28:43 +0800
+Subject: bridge: do not add port to router list when receives query with source 0.0.0.0
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 5a2de63fd1a59c30c02526d427bc014b98adf508 ]
+
+Based on RFC 4541, 2.1.1. IGMP Forwarding Rules
+
+ The switch supporting IGMP snooping must maintain a list of
+ multicast routers and the ports on which they are attached. This
+ list can be constructed in any combination of the following ways:
+
+ a) This list should be built by the snooping switch sending
+ Multicast Router Solicitation messages as described in IGMP
+ Multicast Router Discovery [MRDISC]. It may also snoop
+ Multicast Router Advertisement messages sent by and to other
+ nodes.
+
+ b) The arrival port for IGMP Queries (sent by multicast routers)
+ where the source address is not 0.0.0.0.
+
+We should not add the port to router list when receives query with source
+0.0.0.0.
+
+Reported-by: Ying Xu <yinxu@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1420,7 +1420,15 @@ static void br_multicast_query_received(
+ return;
+
+ br_multicast_update_query_timer(br, query, max_delay);
+- br_multicast_mark_router(br, port);
++
++ /* Based on RFC4541, section 2.1.1 IGMP Forwarding Rules,
++ * the arrival port for IGMP Queries where the source address
++ * is 0.0.0.0 should not be added to router port list.
++ */
++ if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) ||
++ (saddr->proto == htons(ETH_P_IPV6) &&
++ !ipv6_addr_any(&saddr->u.ip6)))
++ br_multicast_mark_router(br, port);
+ }
+
+ static void br_ip4_multicast_query(struct net_bridge *br,
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Wed, 24 Oct 2018 14:37:21 +0200
+Subject: ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called
+
+From: Stefano Brivio <sbrivio@redhat.com>
+
+[ Upstream commit ee1abcf689353f36d9322231b4320926096bdee0 ]
+
+Commit a61bbcf28a8c ("[NET]: Store skb->timestamp as offset to a base
+timestamp") introduces a neighbour control buffer and zeroes it out in
+ndisc_rcv(), as ndisc_recv_ns() uses it.
+
+Commit f2776ff04722 ("[IPV6]: Fix address/interface handling in UDP and
+DCCP, according to the scoping architecture.") introduces the usage of the
+IPv6 control buffer in protocol error handlers (e.g. inet6_iif() in
+present-day __udp6_lib_err()).
+
+Now, with commit b94f1c0904da ("ipv6: Use icmpv6_notify() to propagate
+redirect, instead of rt6_redirect()."), we call protocol error handlers
+from ndisc_redirect_rcv(), after the control buffer is already stolen and
+some parts are already zeroed out. This implies that inet6_iif() on this
+path will always return zero.
+
+This gives unexpected results on UDP socket lookup in __udp6_lib_err(), as
+we might actually need to match sockets for a given interface.
+
+Instead of always claiming the control buffer in ndisc_rcv(), do that only
+when needed.
+
+Fixes: b94f1c0904da ("ipv6: Use icmpv6_notify() to propagate redirect, instead of rt6_redirect().")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ndisc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1732,10 +1732,9 @@ int ndisc_rcv(struct sk_buff *skb)
+ return 0;
+ }
+
+- memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
+-
+ switch (msg->icmph.icmp6_type) {
+ case NDISC_NEIGHBOUR_SOLICITATION:
++ memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
+ ndisc_recv_ns(skb);
+ break;
+
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Shalom Toledo <shalomt@mellanox.com>
+Date: Mon, 29 Oct 2018 14:26:16 +0000
+Subject: mlxsw: core: Fix devlink unregister flow
+
+From: Shalom Toledo <shalomt@mellanox.com>
+
+[ Upstream commit a22712a962912faf257e857ab6857f56a93cfb34 ]
+
+After a failed reload, the driver is still registered to devlink, its
+devlink instance is still allocated and the 'reload_fail' flag is set.
+Then, in the next reload try, the driver's allocated devlink instance will
+be freed without unregistering from devlink and its components (e.g,
+resources). This scenario can cause a use-after-free if the user tries to
+execute command via devlink user-space tool.
+
+Fix by not freeing the devlink instance during reload (failed or not).
+
+Fixes: 24cc68ad6c46 ("mlxsw: core: Add support for reload")
+Signed-off-by: Shalom Toledo <shalomt@mellanox.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/core.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core.c
+@@ -943,8 +943,8 @@ static int mlxsw_devlink_core_bus_device
+ mlxsw_core->bus,
+ mlxsw_core->bus_priv, true,
+ devlink);
+- if (err)
+- mlxsw_core->reload_fail = true;
++ mlxsw_core->reload_fail = !!err;
++
+ return err;
+ }
+
+@@ -1083,8 +1083,15 @@ void mlxsw_core_bus_device_unregister(st
+ {
+ struct devlink *devlink = priv_to_devlink(mlxsw_core);
+
+- if (mlxsw_core->reload_fail)
+- goto reload_fail;
++ if (mlxsw_core->reload_fail) {
++ if (!reload)
++ /* Only the parts that were not de-initialized in the
++ * failed reload attempt need to be de-initialized.
++ */
++ goto reload_fail_deinit;
++ else
++ return;
++ }
+
+ if (mlxsw_core->driver->fini)
+ mlxsw_core->driver->fini(mlxsw_core);
+@@ -1098,9 +1105,12 @@ void mlxsw_core_bus_device_unregister(st
+ if (!reload)
+ devlink_resources_unregister(devlink, NULL);
+ mlxsw_core->bus->fini(mlxsw_core->bus_priv);
+- if (reload)
+- return;
+-reload_fail:
++
++ return;
++
++reload_fail_deinit:
++ devlink_unregister(devlink);
++ devlink_resources_unregister(devlink, NULL);
+ devlink_free(devlink);
+ }
+ EXPORT_SYMBOL(mlxsw_core_bus_device_unregister);
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Petr Machata <petrm@mellanox.com>
+Date: Mon, 29 Oct 2018 14:26:14 +0000
+Subject: mlxsw: spectrum_switchdev: Don't ignore deletions of learned MACs
+
+From: Petr Machata <petrm@mellanox.com>
+
+[ Upstream commit ad0b9d94182be8356978d220c82f9837cffeb7a9 ]
+
+Demands to remove FDB entries should be honored even if the FDB entry in
+question was originally learned, and not added by the user. Therefore
+ignore the added_by_user datum for SWITCHDEV_FDB_DEL_TO_DEVICE.
+
+Fixes: 816a3bed9549 ("switchdev: Add fdb.added_by_user to switchdev notifications")
+Signed-off-by: Petr Machata <petrm@mellanox.com>
+Suggested-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
+@@ -2317,8 +2317,6 @@ static void mlxsw_sp_switchdev_event_wor
+ break;
+ case SWITCHDEV_FDB_DEL_TO_DEVICE:
+ fdb_info = &switchdev_work->fdb_info;
+- if (!fdb_info->added_by_user)
+- break;
+ mlxsw_sp_port_fdb_set(mlxsw_sp_port, fdb_info, false);
+ break;
+ case SWITCHDEV_FDB_ADD_TO_BRIDGE: /* fall through */
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 1 Nov 2018 12:02:37 -0700
+Subject: net: drop skb on failure in ip_check_defrag()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 7de414a9dd91426318df7b63da024b2b07e53df5 ]
+
+Most callers of pskb_trim_rcsum() simply drop the skb when
+it fails, however, ip_check_defrag() still continues to pass
+the skb up to stack. This is suspicious.
+
+In ip_check_defrag(), after we learn the skb is an IP fragment,
+passing the skb to callers makes no sense, because callers expect
+fragments are defrag'ed on success. So, dropping the skb when we
+can't defrag it is reasonable.
+
+Note, prior to commit 88078d98d1bb, this is not a big problem as
+checksum will be fixed up anyway. After it, the checksum is not
+correct on failure.
+
+Found this during code review.
+
+Fixes: 88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends")
+Cc: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_fragment.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -720,10 +720,14 @@ struct sk_buff *ip_check_defrag(struct n
+ if (ip_is_fragment(&iph)) {
+ skb = skb_share_check(skb, GFP_ATOMIC);
+ if (skb) {
+- if (!pskb_may_pull(skb, netoff + iph.ihl * 4))
+- return skb;
+- if (pskb_trim_rcsum(skb, netoff + len))
+- return skb;
++ if (!pskb_may_pull(skb, netoff + iph.ihl * 4)) {
++ kfree_skb(skb);
++ return NULL;
++ }
++ if (pskb_trim_rcsum(skb, netoff + len)) {
++ kfree_skb(skb);
++ return NULL;
++ }
+ memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
+ if (ip_defrag(net, skb, user))
+ return NULL;
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: David Ahern <dsahern@gmail.com>
+Date: Wed, 24 Oct 2018 13:58:39 -0700
+Subject: net/ipv6: Allow onlink routes to have a device mismatch if it is the default route
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit 4ed591c8ab44e711e56b8e021ffaf4f407c045f5 ]
+
+The intent of ip6_route_check_nh_onlink is to make sure the gateway
+given for an onlink route is not actually on a connected route for
+a different interface (e.g., 2001:db8:1::/64 is on dev eth1 and then
+an onlink route has a via 2001:db8:1::1 dev eth2). If the gateway
+lookup hits the default route then it most likely will be a different
+interface than the onlink route which is ok.
+
+Update ip6_route_check_nh_onlink to disregard the device mismatch
+if the gateway lookup hits the default route. Turns out the existing
+onlink tests are passing because there is no default route or it is
+an unreachable default, so update the onlink tests to have a default
+route other than unreachable.
+
+Fixes: fc1e64e1092f6 ("net/ipv6: Add support for onlink flag")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 2 ++
+ tools/testing/selftests/net/fib-onlink-tests.sh | 14 +++++++-------
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -2799,6 +2799,8 @@ static int ip6_route_check_nh_onlink(str
+ grt = ip6_nh_lookup_table(net, cfg, gw_addr, tbid, 0);
+ if (grt) {
+ if (!grt->dst.error &&
++ /* ignore match if it is the default route */
++ grt->from && !ipv6_addr_any(&grt->from->fib6_dst.addr) &&
+ (grt->rt6i_flags & flags || dev != grt->dst.dev)) {
+ NL_SET_ERR_MSG(extack,
+ "Nexthop has invalid gateway or device mismatch");
+--- a/tools/testing/selftests/net/fib-onlink-tests.sh
++++ b/tools/testing/selftests/net/fib-onlink-tests.sh
+@@ -167,8 +167,8 @@ setup()
+ # add vrf table
+ ip li add ${VRF} type vrf table ${VRF_TABLE}
+ ip li set ${VRF} up
+- ip ro add table ${VRF_TABLE} unreachable default
+- ip -6 ro add table ${VRF_TABLE} unreachable default
++ ip ro add table ${VRF_TABLE} unreachable default metric 8192
++ ip -6 ro add table ${VRF_TABLE} unreachable default metric 8192
+
+ # create test interfaces
+ ip li add ${NETIFS[p1]} type veth peer name ${NETIFS[p2]}
+@@ -185,20 +185,20 @@ setup()
+ for n in 1 3 5 7; do
+ ip li set ${NETIFS[p${n}]} up
+ ip addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
+- ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]}
++ ip addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
+ done
+
+ # move peer interfaces to namespace and add addresses
+ for n in 2 4 6 8; do
+ ip li set ${NETIFS[p${n}]} netns ${PEER_NS} up
+ ip -netns ${PEER_NS} addr add ${V4ADDRS[p${n}]}/24 dev ${NETIFS[p${n}]}
+- ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]}
++ ip -netns ${PEER_NS} addr add ${V6ADDRS[p${n}]}/64 dev ${NETIFS[p${n}]} nodad
+ done
+
+- set +e
++ ip -6 ro add default via ${V6ADDRS[p3]/::[0-9]/::64}
++ ip -6 ro add table ${VRF_TABLE} default via ${V6ADDRS[p7]/::[0-9]/::64}
+
+- # let DAD complete - assume default of 1 probe
+- sleep 1
++ set +e
+ }
+
+ cleanup()
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 30 Oct 2018 00:57:25 -0700
+Subject: net/mlx5e: fix csum adjustments caused by RXFCS
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d48051c5b8376038c2b287c3b1bd55b8d391d567 ]
+
+As shown by Dmitris, we need to use csum_block_add() instead of csum_add()
+when adding the FCS contribution to skb csum.
+
+Before 4.18 (more exactly commit 88078d98d1bb "net: pskb_trim_rcsum()
+and CHECKSUM_COMPLETE are friends"), the whole skb csum was thrown away,
+so RXFCS changes were ignored.
+
+Then before commit d55bef5059dd ("net: fix pskb_trim_rcsum_slow() with
+odd trim offset") both mlx5 and pskb_trim_rcsum_slow() bugs were canceling
+each other.
+
+Now we fixed pskb_trim_rcsum_slow() we need to fix mlx5.
+
+Note that this patch also rewrites mlx5e_get_fcs() to :
+
+- Use skb_header_pointer() instead of reinventing it.
+- Use __get_unaligned_cpu32() to avoid possible non aligned accesses
+ as Dmitris pointed out.
+
+Fixes: 902a545904c7 ("net/mlx5e: When RXFCS is set, add FCS data into checksum calculation")
+Reported-by: Paweł Staszewski <pstaszewski@itcare.pl>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Eran Ben Elisha <eranbe@mellanox.com>
+Cc: Saeed Mahameed <saeedm@mellanox.com>
+Cc: Dimitris Michailidis <dmichail@google.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Paweł Staszewski <pstaszewski@itcare.pl>
+Reviewed-by: Eran Ben Elisha <eranbe@mellanox.com>
+Tested-By: Maria Pasechnik <mariap@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 45 ++++--------------------
+ 1 file changed, 9 insertions(+), 36 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+@@ -696,43 +696,15 @@ static inline bool is_last_ethertype_ip(
+ return (ethertype == htons(ETH_P_IP) || ethertype == htons(ETH_P_IPV6));
+ }
+
+-static __be32 mlx5e_get_fcs(struct sk_buff *skb)
++static u32 mlx5e_get_fcs(const struct sk_buff *skb)
+ {
+- int last_frag_sz, bytes_in_prev, nr_frags;
+- u8 *fcs_p1, *fcs_p2;
+- skb_frag_t *last_frag;
+- __be32 fcs_bytes;
+-
+- if (!skb_is_nonlinear(skb))
+- return *(__be32 *)(skb->data + skb->len - ETH_FCS_LEN);
+-
+- nr_frags = skb_shinfo(skb)->nr_frags;
+- last_frag = &skb_shinfo(skb)->frags[nr_frags - 1];
+- last_frag_sz = skb_frag_size(last_frag);
+-
+- /* If all FCS data is in last frag */
+- if (last_frag_sz >= ETH_FCS_LEN)
+- return *(__be32 *)(skb_frag_address(last_frag) +
+- last_frag_sz - ETH_FCS_LEN);
+-
+- fcs_p2 = (u8 *)skb_frag_address(last_frag);
+- bytes_in_prev = ETH_FCS_LEN - last_frag_sz;
+-
+- /* Find where the other part of the FCS is - Linear or another frag */
+- if (nr_frags == 1) {
+- fcs_p1 = skb_tail_pointer(skb);
+- } else {
+- skb_frag_t *prev_frag = &skb_shinfo(skb)->frags[nr_frags - 2];
++ const void *fcs_bytes;
++ u32 _fcs_bytes;
+
+- fcs_p1 = skb_frag_address(prev_frag) +
+- skb_frag_size(prev_frag);
+- }
+- fcs_p1 -= bytes_in_prev;
+-
+- memcpy(&fcs_bytes, fcs_p1, bytes_in_prev);
+- memcpy(((u8 *)&fcs_bytes) + bytes_in_prev, fcs_p2, last_frag_sz);
++ fcs_bytes = skb_header_pointer(skb, skb->len - ETH_FCS_LEN,
++ ETH_FCS_LEN, &_fcs_bytes);
+
+- return fcs_bytes;
++ return __get_unaligned_cpu32(fcs_bytes);
+ }
+
+ static inline void mlx5e_handle_csum(struct net_device *netdev,
+@@ -765,8 +737,9 @@ static inline void mlx5e_handle_csum(str
+ network_depth - ETH_HLEN,
+ skb->csum);
+ if (unlikely(netdev->features & NETIF_F_RXFCS))
+- skb->csum = csum_add(skb->csum,
+- (__force __wsum)mlx5e_get_fcs(skb));
++ skb->csum = csum_block_add(skb->csum,
++ (__force __wsum)mlx5e_get_fcs(skb),
++ skb->len - ETH_FCS_LEN);
+ stats->csum_complete++;
+ return;
+ }
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: "David S. Miller" <davem@davemloft.net>
+Date: Sun, 28 Oct 2018 10:35:12 -0700
+Subject: net: Properly unlink GRO packets on overflow.
+
+From: "David S. Miller" <davem@davemloft.net>
+
+[ Upstream commti ece23711dd956cd5053c9cb03e9fe0668f9c8894 ]
+
+Just like with normal GRO processing, we have to initialize
+skb->next to NULL when we unlink overflow packets from the
+GRO hash lists.
+
+Fixes: d4546c2509b1 ("net: Convert GRO SKB handling to list_head.")
+Reported-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -5431,6 +5431,7 @@ static void gro_flush_oldest(struct list
+ * SKB to the chain.
+ */
+ list_del(&oldest->list);
++ oldest->next = NULL;
+ napi_gro_complete(oldest);
+ }
+
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+Date: Fri, 26 Oct 2018 15:51:06 -0700
+Subject: net: sched: gred: pass the right attribute to gred_change_table_def()
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+[ Upstream commit 38b4f18d56372e1e21771ab7b0357b853330186c ]
+
+gred_change_table_def() takes a pointer to TCA_GRED_DPS attribute,
+and expects it will be able to interpret its contents as
+struct tc_gred_sopt. Pass the correct gred attribute, instead of
+TCA_OPTIONS.
+
+This bug meant the table definition could never be changed after
+Qdisc was initialized (unless whatever TCA_OPTIONS contained both
+passed netlink validation and was a valid struct tc_gred_sopt...).
+
+Old behaviour:
+$ ip link add type dummy
+$ tc qdisc replace dev dummy0 parent root handle 7: \
+ gred setup vqs 4 default 0
+$ tc qdisc replace dev dummy0 parent root handle 7: \
+ gred setup vqs 4 default 0
+RTNETLINK answers: Invalid argument
+
+Now:
+$ ip link add type dummy
+$ tc qdisc replace dev dummy0 parent root handle 7: \
+ gred setup vqs 4 default 0
+$ tc qdisc replace dev dummy0 parent root handle 7: \
+ gred setup vqs 4 default 0
+$ tc qdisc replace dev dummy0 parent root handle 7: \
+ gred setup vqs 4 default 0
+
+Fixes: f62d6b936df5 ("[PKT_SCHED]: GRED: Use central VQ change procedure")
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_gred.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_gred.c
++++ b/net/sched/sch_gred.c
+@@ -413,7 +413,7 @@ static int gred_change(struct Qdisc *sch
+ if (tb[TCA_GRED_PARMS] == NULL && tb[TCA_GRED_STAB] == NULL) {
+ if (tb[TCA_GRED_LIMIT] != NULL)
+ sch->limit = nla_get_u32(tb[TCA_GRED_LIMIT]);
+- return gred_change_table_def(sch, opt);
++ return gred_change_table_def(sch, tb[TCA_GRED_DPS]);
+ }
+
+ if (tb[TCA_GRED_PARMS] == NULL ||
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Karsten Graul <kgraul@linux.ibm.com>
+Date: Thu, 25 Oct 2018 13:25:28 +0200
+Subject: net/smc: fix smc_buf_unuse to use the lgr pointer
+
+From: Karsten Graul <kgraul@linux.ibm.com>
+
+[ Upstream commit fb692ec4117f6fd25044cfb5720d6b79d400dc65 ]
+
+The pointer to the link group is unset in the smc connection structure
+right before the call to smc_buf_unuse. Provide the lgr pointer to
+smc_buf_unuse explicitly.
+And move the call to smc_lgr_schedule_free_work to the end of
+smc_conn_free.
+
+Fixes: a6920d1d130c ("net/smc: handle unregistered buffers")
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/smc_core.c | 25 ++++++++++++-------------
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+--- a/net/smc/smc_core.c
++++ b/net/smc/smc_core.c
+@@ -122,22 +122,17 @@ static void __smc_lgr_unregister_conn(st
+ sock_put(&smc->sk); /* sock_hold in smc_lgr_register_conn() */
+ }
+
+-/* Unregister connection and trigger lgr freeing if applicable
++/* Unregister connection from lgr
+ */
+ static void smc_lgr_unregister_conn(struct smc_connection *conn)
+ {
+ struct smc_link_group *lgr = conn->lgr;
+- int reduced = 0;
+
+ write_lock_bh(&lgr->conns_lock);
+ if (conn->alert_token_local) {
+- reduced = 1;
+ __smc_lgr_unregister_conn(conn);
+ }
+ write_unlock_bh(&lgr->conns_lock);
+- if (!reduced || lgr->conns_num)
+- return;
+- smc_lgr_schedule_free_work(lgr);
+ }
+
+ /* Send delete link, either as client to request the initiation
+@@ -291,7 +286,8 @@ out:
+ return rc;
+ }
+
+-static void smc_buf_unuse(struct smc_connection *conn)
++static void smc_buf_unuse(struct smc_connection *conn,
++ struct smc_link_group *lgr)
+ {
+ if (conn->sndbuf_desc)
+ conn->sndbuf_desc->used = 0;
+@@ -301,8 +297,6 @@ static void smc_buf_unuse(struct smc_con
+ conn->rmb_desc->used = 0;
+ } else {
+ /* buf registration failed, reuse not possible */
+- struct smc_link_group *lgr = conn->lgr;
+-
+ write_lock_bh(&lgr->rmbs_lock);
+ list_del(&conn->rmb_desc->list);
+ write_unlock_bh(&lgr->rmbs_lock);
+@@ -315,16 +309,21 @@ static void smc_buf_unuse(struct smc_con
+ /* remove a finished connection from its link group */
+ void smc_conn_free(struct smc_connection *conn)
+ {
+- if (!conn->lgr)
++ struct smc_link_group *lgr = conn->lgr;
++
++ if (!lgr)
+ return;
+- if (conn->lgr->is_smcd) {
++ if (lgr->is_smcd) {
+ smc_ism_unset_conn(conn);
+ tasklet_kill(&conn->rx_tsklet);
+ } else {
+ smc_cdc_tx_dismiss_slots(conn);
+ }
+- smc_lgr_unregister_conn(conn);
+- smc_buf_unuse(conn);
++ smc_lgr_unregister_conn(conn); /* unsets conn->lgr */
++ smc_buf_unuse(conn, lgr); /* allow buffer reuse */
++
++ if (!lgr->conns_num)
++ smc_lgr_schedule_free_work(lgr);
+ }
+
+ static void smc_link_clear(struct smc_link *lnk)
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Niklas Cassel <niklas.cassel@linaro.org>
+Date: Wed, 31 Oct 2018 16:08:10 +0100
+Subject: net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules
+
+From: Niklas Cassel <niklas.cassel@linaro.org>
+
+[ Upstream commit 30549aab146ccb1275230c3b4b4bc6b4181fd54e ]
+
+When building stmmac, it is only possible to select CONFIG_DWMAC_GENERIC,
+or any of the glue drivers, when CONFIG_STMMAC_PLATFORM is set.
+The only exception is CONFIG_STMMAC_PCI.
+
+When calling of_mdiobus_register(), it will call our ->reset()
+callback, which is set to stmmac_mdio_reset().
+
+Most of the code in stmmac_mdio_reset() is protected by a
+"#if defined(CONFIG_STMMAC_PLATFORM)", which will evaluate
+to false when CONFIG_STMMAC_PLATFORM=m.
+
+Because of this, the phy reset gpio will only be pulled when
+stmmac is built as built-in, but not when built as modules.
+
+Fix this by using "#if IS_ENABLED()" instead of "#if defined()".
+
+Signed-off-by: Niklas Cassel <niklas.cassel@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
+@@ -243,7 +243,7 @@ static int stmmac_mdio_write(struct mii_
+ */
+ int stmmac_mdio_reset(struct mii_bus *bus)
+ {
+-#if defined(CONFIG_STMMAC_PLATFORM)
++#if IS_ENABLED(CONFIG_STMMAC_PLATFORM)
+ struct net_device *ndev = bus->priv;
+ struct stmmac_priv *priv = netdev_priv(ndev);
+ unsigned int mii_address = priv->hw->mii.addr;
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Sean Tranchetti <stranche@codeaurora.org>
+Date: Tue, 23 Oct 2018 16:04:31 -0600
+Subject: net: udp: fix handling of CHECKSUM_COMPLETE packets
+
+From: Sean Tranchetti <stranche@codeaurora.org>
+
+[ Upstream commit db4f1be3ca9b0ef7330763d07bf4ace83ad6f913 ]
+
+Current handling of CHECKSUM_COMPLETE packets by the UDP stack is
+incorrect for any packet that has an incorrect checksum value.
+
+udp4/6_csum_init() will both make a call to
+__skb_checksum_validate_complete() to initialize/validate the csum
+field when receiving a CHECKSUM_COMPLETE packet. When this packet
+fails validation, skb->csum will be overwritten with the pseudoheader
+checksum so the packet can be fully validated by software, but the
+skb->ip_summed value will be left as CHECKSUM_COMPLETE so that way
+the stack can later warn the user about their hardware spewing bad
+checksums. Unfortunately, leaving the SKB in this state can cause
+problems later on in the checksum calculation.
+
+Since the the packet is still marked as CHECKSUM_COMPLETE,
+udp_csum_pull_header() will SUBTRACT the checksum of the UDP header
+from skb->csum instead of adding it, leaving us with a garbage value
+in that field. Once we try to copy the packet to userspace in the
+udp4/6_recvmsg(), we'll make a call to skb_copy_and_csum_datagram_msg()
+to checksum the packet data and add it in the garbage skb->csum value
+to perform our final validation check.
+
+Since the value we're validating is not the proper checksum, it's possible
+that the folded value could come out to 0, causing us not to drop the
+packet. Instead, we believe that the packet was checksummed incorrectly
+by hardware since skb->ip_summed is still CHECKSUM_COMPLETE, and we attempt
+to warn the user with netdev_rx_csum_fault(skb->dev);
+
+Unfortunately, since this is the UDP path, skb->dev has been overwritten
+by skb->dev_scratch and is no longer a valid pointer, so we end up
+reading invalid memory.
+
+This patch addresses this problem in two ways:
+ 1) Do not use the dev pointer when calling netdev_rx_csum_fault()
+ from skb_copy_and_csum_datagram_msg(). Since this gets called
+ from the UDP path where skb->dev has been overwritten, we have
+ no way of knowing if the pointer is still valid. Also for the
+ sake of consistency with the other uses of
+ netdev_rx_csum_fault(), don't attempt to call it if the
+ packet was checksummed by software.
+
+ 2) Add better CHECKSUM_COMPLETE handling to udp4/6_csum_init().
+ If we receive a packet that's CHECKSUM_COMPLETE that fails
+ verification (i.e. skb->csum_valid == 0), check who performed
+ the calculation. It's possible that the checksum was done in
+ software by the network stack earlier (such as Netfilter's
+ CONNTRACK module), and if that says the checksum is bad,
+ we can drop the packet immediately instead of waiting until
+ we try and copy it to userspace. Otherwise, we need to
+ mark the SKB as CHECKSUM_NONE, since the skb->csum field
+ no longer contains the full packet checksum after the
+ call to __skb_checksum_validate_complete().
+
+Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
+Fixes: c84d949057ca ("udp: copy skb->truesize in the first cache line")
+Cc: Sam Kumar <samanthakumar@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/datagram.c | 5 +++--
+ net/ipv4/udp.c | 20 ++++++++++++++++++--
+ net/ipv6/ip6_checksum.c | 20 ++++++++++++++++++--
+ 3 files changed, 39 insertions(+), 6 deletions(-)
+
+--- a/net/core/datagram.c
++++ b/net/core/datagram.c
+@@ -808,8 +808,9 @@ int skb_copy_and_csum_datagram_msg(struc
+ return -EINVAL;
+ }
+
+- if (unlikely(skb->ip_summed == CHECKSUM_COMPLETE))
+- netdev_rx_csum_fault(skb->dev);
++ if (unlikely(skb->ip_summed == CHECKSUM_COMPLETE) &&
++ !skb->csum_complete_sw)
++ netdev_rx_csum_fault(NULL);
+ }
+ return 0;
+ fault:
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -2120,8 +2120,24 @@ static inline int udp4_csum_init(struct
+ /* Note, we are only interested in != 0 or == 0, thus the
+ * force to int.
+ */
+- return (__force int)skb_checksum_init_zero_check(skb, proto, uh->check,
+- inet_compute_pseudo);
++ err = (__force int)skb_checksum_init_zero_check(skb, proto, uh->check,
++ inet_compute_pseudo);
++ if (err)
++ return err;
++
++ if (skb->ip_summed == CHECKSUM_COMPLETE && !skb->csum_valid) {
++ /* If SW calculated the value, we know it's bad */
++ if (skb->csum_complete_sw)
++ return 1;
++
++ /* HW says the value is bad. Let's validate that.
++ * skb->csum is no longer the full packet checksum,
++ * so don't treat it as such.
++ */
++ skb_checksum_complete_unset(skb);
++ }
++
++ return 0;
+ }
+
+ /* wrapper for udp_queue_rcv_skb tacking care of csum conversion and
+--- a/net/ipv6/ip6_checksum.c
++++ b/net/ipv6/ip6_checksum.c
+@@ -88,8 +88,24 @@ int udp6_csum_init(struct sk_buff *skb,
+ * Note, we are only interested in != 0 or == 0, thus the
+ * force to int.
+ */
+- return (__force int)skb_checksum_init_zero_check(skb, proto, uh->check,
+- ip6_compute_pseudo);
++ err = (__force int)skb_checksum_init_zero_check(skb, proto, uh->check,
++ ip6_compute_pseudo);
++ if (err)
++ return err;
++
++ if (skb->ip_summed == CHECKSUM_COMPLETE && !skb->csum_valid) {
++ /* If SW calculated the value, we know it's bad */
++ if (skb->csum_complete_sw)
++ return 1;
++
++ /* HW says the value is bad. Let's validate that.
++ * skb->csum is no longer the full packet checksum,
++ * so don't treat is as such.
++ */
++ skb_checksum_complete_unset(skb);
++ }
++
++ return 0;
+ }
+ EXPORT_SYMBOL(udp6_csum_init);
+
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: "Jaime Caamaño Ruiz" <jcaamano@suse.com>
+Date: Wed, 31 Oct 2018 18:52:03 +0100
+Subject: openvswitch: Fix push/pop ethernet validation
+
+From: "Jaime Caamaño Ruiz" <jcaamano@suse.com>
+
+[ Upstream commit 46ebe2834ba5b541f28ee72e556a3fed42c47570 ]
+
+When there are both pop and push ethernet header actions among the
+actions to be applied to a packet, an unexpected EINVAL (Invalid
+argument) error is obtained. This is due to mac_proto not being reset
+correctly when those actions are validated.
+
+Reported-at:
+https://mail.openvswitch.org/pipermail/ovs-discuss/2018-October/047554.html
+Fixes: 91820da6ae85 ("openvswitch: add Ethernet push and pop actions")
+Signed-off-by: Jaime Caamaño Ruiz <jcaamano@suse.com>
+Tested-by: Greg Rose <gvrose8192@gmail.com>
+Reviewed-by: Greg Rose <gvrose8192@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/flow_netlink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -3030,7 +3030,7 @@ static int __ovs_nla_copy_actions(struct
+ * is already present */
+ if (mac_proto != MAC_PROTO_NONE)
+ return -EINVAL;
+- mac_proto = MAC_PROTO_NONE;
++ mac_proto = MAC_PROTO_ETHERNET;
+ break;
+
+ case OVS_ACTION_ATTR_POP_ETH:
+@@ -3038,7 +3038,7 @@ static int __ovs_nla_copy_actions(struct
+ return -EINVAL;
+ if (vlan_tci & htons(VLAN_TAG_PRESENT))
+ return -EINVAL;
+- mac_proto = MAC_PROTO_ETHERNET;
++ mac_proto = MAC_PROTO_NONE;
+ break;
+
+ case OVS_ACTION_ATTR_PUSH_NSH:
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Thu, 25 Oct 2018 18:40:19 +0200
+Subject: r8169: fix broken Wake-on-LAN from S5 (poweroff)
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 649f0837a8cc2b39329f2de00fa0d04b029291c5 ]
+
+It was reported that WoL from S5 is broken (WoL from S3 works) and the
+analysis showed that during system shutdown the network interface was
+brought down already when the actual kernel shutdown started.
+Therefore netif_running() returned false and as a consequence the PHY
+was suspended. Obviously WoL wasn't working then.
+To fix this the original patch needs to be effectively reverted.
+A side effect is that when normally bringing down the interface and
+WoL is enabled the PHY will remain powered on (like it was before the
+original patch).
+
+Fixes: fe87bef01f9b ("r8169: don't check WoL when powering down PHY and interface is down")
+Reported-by: Neil MacLeod <neil@nmacleod.com>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -4175,10 +4175,15 @@ static void rtl_wol_suspend_quirk(struct
+
+ static bool rtl_wol_pll_power_down(struct rtl8169_private *tp)
+ {
+- if (!netif_running(tp->dev) || !__rtl8169_get_wol(tp))
++ struct phy_device *phydev;
++
++ if (!__rtl8169_get_wol(tp))
+ return false;
+
+- phy_speed_down(tp->dev->phydev, false);
++ /* phydev may not be attached to netdevice */
++ phydev = mdiobus_get_phy(tp->mii_bus, 0);
++
++ phy_speed_down(phydev, false);
+ rtl_wol_suspend_quirk(tp);
+
+ return true;
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Ivan Vecera <ivecera@redhat.com>
+Date: Tue, 23 Oct 2018 16:40:26 +0200
+Subject: Revert "be2net: remove desc field from be_eq_obj"
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit 5ef79151c2fbc401cf38325e9a32e77b9fc593ae ]
+
+The mentioned commit needs to be reverted because we cannot pass
+string allocated on stack to request_irq(). This function stores
+uses this pointer for later use (e.g. /proc/interrupts) so we need
+to keep this string persistently.
+
+Fixes: d6d9704af8f4 ("be2net: remove desc field from be_eq_obj")
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/emulex/benet/be.h | 1 +
+ drivers/net/ethernet/emulex/benet/be_main.c | 6 ++----
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/emulex/benet/be.h
++++ b/drivers/net/ethernet/emulex/benet/be.h
+@@ -185,6 +185,7 @@ static inline void queue_tail_inc(struct
+
+ struct be_eq_obj {
+ struct be_queue_info q;
++ char desc[32];
+
+ struct be_adapter *adapter;
+ struct napi_struct napi;
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -3488,11 +3488,9 @@ static int be_msix_register(struct be_ad
+ int status, i, vec;
+
+ for_all_evt_queues(adapter, eqo, i) {
+- char irq_name[IFNAMSIZ+4];
+-
+- snprintf(irq_name, sizeof(irq_name), "%s-q%d", netdev->name, i);
++ sprintf(eqo->desc, "%s-q%d", netdev->name, i);
+ vec = be_msix_vec_get(adapter, eqo);
+- status = request_irq(vec, be_msix, 0, irq_name, eqo);
++ status = request_irq(vec, be_msix, 0, eqo->desc, eqo);
+ if (status)
+ goto err_msix;
+
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Karsten Graul <kgraul@linux.ibm.com>
+Date: Tue, 23 Oct 2018 13:40:39 +0200
+Subject: Revert "net: simplify sock_poll_wait"
+
+From: Karsten Graul <kgraul@linux.ibm.com>
+
+[ Upstream commit 89ab066d4229acd32e323f1569833302544a4186 ]
+
+This reverts commit dd979b4df817e9976f18fb6f9d134d6bc4a3c317.
+
+This broke tcp_poll for SMC fallback: An AF_SMC socket establishes an
+internal TCP socket for the initial handshake with the remote peer.
+Whenever the SMC connection can not be established this TCP socket is
+used as a fallback. All socket operations on the SMC socket are then
+forwarded to the TCP socket. In case of poll, the file->private_data
+pointer references the SMC socket because the TCP socket has no file
+assigned. This causes tcp_poll to wait on the wrong socket.
+
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/af_alg.c | 2 +-
+ include/net/sock.h | 12 +++++++++---
+ net/atm/common.c | 2 +-
+ net/caif/caif_socket.c | 2 +-
+ net/core/datagram.c | 2 +-
+ net/dccp/proto.c | 2 +-
+ net/ipv4/tcp.c | 2 +-
+ net/iucv/af_iucv.c | 2 +-
+ net/nfc/llcp_sock.c | 2 +-
+ net/rxrpc/af_rxrpc.c | 2 +-
+ net/smc/af_smc.c | 2 +-
+ net/tipc/socket.c | 2 +-
+ net/unix/af_unix.c | 4 ++--
+ 13 files changed, 22 insertions(+), 16 deletions(-)
+
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -1071,7 +1071,7 @@ __poll_t af_alg_poll(struct file *file,
+ struct af_alg_ctx *ctx = ask->private;
+ __poll_t mask;
+
+- sock_poll_wait(file, wait);
++ sock_poll_wait(file, sock, wait);
+ mask = 0;
+
+ if (!ctx->more || ctx->used)
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -2057,14 +2057,20 @@ static inline bool skwq_has_sleeper(stru
+ /**
+ * sock_poll_wait - place memory barrier behind the poll_wait call.
+ * @filp: file
++ * @sock: socket to wait on
+ * @p: poll_table
+ *
+ * See the comments in the wq_has_sleeper function.
++ *
++ * Do not derive sock from filp->private_data here. An SMC socket establishes
++ * an internal TCP socket that is used in the fallback case. All socket
++ * operations on the SMC socket are then forwarded to the TCP socket. In case of
++ * poll, the filp->private_data pointer references the SMC socket because the
++ * TCP socket has no file assigned.
+ */
+-static inline void sock_poll_wait(struct file *filp, poll_table *p)
++static inline void sock_poll_wait(struct file *filp, struct socket *sock,
++ poll_table *p)
+ {
+- struct socket *sock = filp->private_data;
+-
+ if (!poll_does_not_wait(p)) {
+ poll_wait(filp, &sock->wq->wait, p);
+ /* We need to be sure we are in sync with the
+--- a/net/atm/common.c
++++ b/net/atm/common.c
+@@ -653,7 +653,7 @@ __poll_t vcc_poll(struct file *file, str
+ struct atm_vcc *vcc;
+ __poll_t mask;
+
+- sock_poll_wait(file, wait);
++ sock_poll_wait(file, sock, wait);
+ mask = 0;
+
+ vcc = ATM_SD(sock);
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -941,7 +941,7 @@ static __poll_t caif_poll(struct file *f
+ __poll_t mask;
+ struct caifsock *cf_sk = container_of(sk, struct caifsock, sk);
+
+- sock_poll_wait(file, wait);
++ sock_poll_wait(file, sock, wait);
+ mask = 0;
+
+ /* exceptional events? */
+--- a/net/core/datagram.c
++++ b/net/core/datagram.c
+@@ -838,7 +838,7 @@ __poll_t datagram_poll(struct file *file
+ struct sock *sk = sock->sk;
+ __poll_t mask;
+
+- sock_poll_wait(file, wait);
++ sock_poll_wait(file, sock, wait);
+ mask = 0;
+
+ /* exceptional events? */
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -325,7 +325,7 @@ __poll_t dccp_poll(struct file *file, st
+ __poll_t mask;
+ struct sock *sk = sock->sk;
+
+- sock_poll_wait(file, wait);
++ sock_poll_wait(file, sock, wait);
+ if (sk->sk_state == DCCP_LISTEN)
+ return inet_csk_listen_poll(sk);
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -507,7 +507,7 @@ __poll_t tcp_poll(struct file *file, str
+ const struct tcp_sock *tp = tcp_sk(sk);
+ int state;
+
+- sock_poll_wait(file, wait);
++ sock_poll_wait(file, sock, wait);
+
+ state = inet_sk_state_load(sk);
+ if (state == TCP_LISTEN)
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -1505,7 +1505,7 @@ __poll_t iucv_sock_poll(struct file *fil
+ struct sock *sk = sock->sk;
+ __poll_t mask = 0;
+
+- sock_poll_wait(file, wait);
++ sock_poll_wait(file, sock, wait);
+
+ if (sk->sk_state == IUCV_LISTEN)
+ return iucv_accept_poll(sk);
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -556,7 +556,7 @@ static __poll_t llcp_sock_poll(struct fi
+
+ pr_debug("%p\n", sk);
+
+- sock_poll_wait(file, wait);
++ sock_poll_wait(file, sock, wait);
+
+ if (sk->sk_state == LLCP_LISTEN)
+ return llcp_accept_poll(sk);
+--- a/net/rxrpc/af_rxrpc.c
++++ b/net/rxrpc/af_rxrpc.c
+@@ -741,7 +741,7 @@ static __poll_t rxrpc_poll(struct file *
+ struct rxrpc_sock *rx = rxrpc_sk(sk);
+ __poll_t mask;
+
+- sock_poll_wait(file, wait);
++ sock_poll_wait(file, sock, wait);
+ mask = 0;
+
+ /* the socket is readable if there are any messages waiting on the Rx
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1543,7 +1543,7 @@ static __poll_t smc_poll(struct file *fi
+ mask |= EPOLLERR;
+ } else {
+ if (sk->sk_state != SMC_CLOSED)
+- sock_poll_wait(file, wait);
++ sock_poll_wait(file, sock, wait);
+ if (sk->sk_err)
+ mask |= EPOLLERR;
+ if ((sk->sk_shutdown == SHUTDOWN_MASK) ||
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -715,7 +715,7 @@ static __poll_t tipc_poll(struct file *f
+ struct tipc_sock *tsk = tipc_sk(sk);
+ __poll_t revents = 0;
+
+- sock_poll_wait(file, wait);
++ sock_poll_wait(file, sock, wait);
+
+ if (sk->sk_shutdown & RCV_SHUTDOWN)
+ revents |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM;
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2640,7 +2640,7 @@ static __poll_t unix_poll(struct file *f
+ struct sock *sk = sock->sk;
+ __poll_t mask;
+
+- sock_poll_wait(file, wait);
++ sock_poll_wait(file, sock, wait);
+ mask = 0;
+
+ /* exceptional events? */
+@@ -2677,7 +2677,7 @@ static __poll_t unix_dgram_poll(struct f
+ unsigned int writable;
+ __poll_t mask;
+
+- sock_poll_wait(file, wait);
++ sock_poll_wait(file, sock, wait);
+ mask = 0;
+
+ /* exceptional events? */
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Mon, 29 Oct 2018 20:36:43 +0000
+Subject: rtnetlink: Disallow FDB configuration for non-Ethernet device
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit da71577545a52be3e0e9225a946e5fd79cfab015 ]
+
+When an FDB entry is configured, the address is validated to have the
+length of an Ethernet address, but the device for which the address is
+configured can be of any type.
+
+The above can result in the use of uninitialized memory when the address
+is later compared against existing addresses since 'dev->addr_len' is
+used and it may be greater than ETH_ALEN, as with ip6tnl devices.
+
+Fix this by making sure that FDB entries are only configured for
+Ethernet devices.
+
+BUG: KMSAN: uninit-value in memcmp+0x11d/0x180 lib/string.c:863
+CPU: 1 PID: 4318 Comm: syz-executor998 Not tainted 4.19.0-rc3+ #49
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x14b/0x190 lib/dump_stack.c:113
+ kmsan_report+0x183/0x2b0 mm/kmsan/kmsan.c:956
+ __msan_warning+0x70/0xc0 mm/kmsan/kmsan_instr.c:645
+ memcmp+0x11d/0x180 lib/string.c:863
+ dev_uc_add_excl+0x165/0x7b0 net/core/dev_addr_lists.c:464
+ ndo_dflt_fdb_add net/core/rtnetlink.c:3463 [inline]
+ rtnl_fdb_add+0x1081/0x1270 net/core/rtnetlink.c:3558
+ rtnetlink_rcv_msg+0xa0b/0x1530 net/core/rtnetlink.c:4715
+ netlink_rcv_skb+0x36e/0x5f0 net/netlink/af_netlink.c:2454
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4733
+ netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+ netlink_unicast+0x1638/0x1720 net/netlink/af_netlink.c:1343
+ netlink_sendmsg+0x1205/0x1290 net/netlink/af_netlink.c:1908
+ sock_sendmsg_nosec net/socket.c:621 [inline]
+ sock_sendmsg net/socket.c:631 [inline]
+ ___sys_sendmsg+0xe70/0x1290 net/socket.c:2114
+ __sys_sendmsg net/socket.c:2152 [inline]
+ __do_sys_sendmsg net/socket.c:2161 [inline]
+ __se_sys_sendmsg+0x2a3/0x3d0 net/socket.c:2159
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2159
+ do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+RIP: 0033:0x440ee9
+Code: e8 cc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
+48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
+ff 0f 83 bb 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fff6a93b518 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ee9
+RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8
+R10: 00000000004002c8 R11: 0000000000000213 R12: 000000000000b4b0
+R13: 0000000000401ec0 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:256 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:181
+ kmsan_kmalloc+0x98/0x100 mm/kmsan/kmsan_hooks.c:91
+ kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:100
+ slab_post_alloc_hook mm/slab.h:446 [inline]
+ slab_alloc_node mm/slub.c:2718 [inline]
+ __kmalloc_node_track_caller+0x9e7/0x1160 mm/slub.c:4351
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2f5/0x9e0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:996 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline]
+ netlink_sendmsg+0xb49/0x1290 net/netlink/af_netlink.c:1883
+ sock_sendmsg_nosec net/socket.c:621 [inline]
+ sock_sendmsg net/socket.c:631 [inline]
+ ___sys_sendmsg+0xe70/0x1290 net/socket.c:2114
+ __sys_sendmsg net/socket.c:2152 [inline]
+ __do_sys_sendmsg net/socket.c:2161 [inline]
+ __se_sys_sendmsg+0x2a3/0x3d0 net/socket.c:2159
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2159
+ do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+
+v2:
+* Make error message more specific (David)
+
+Fixes: 090096bf3db1 ("net: generic fdb support for drivers without ndo_fdb_<op>")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-and-tested-by: syzbot+3a288d5f5530b901310e@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+d53ab4e92a1db04110ff@syzkaller.appspotmail.com
+Cc: Vlad Yasevich <vyasevich@gmail.com>
+Cc: David Ahern <dsahern@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -3530,6 +3530,11 @@ static int rtnl_fdb_add(struct sk_buff *
+ return -EINVAL;
+ }
+
++ if (dev->type != ARPHRD_ETHER) {
++ NL_SET_ERR_MSG(extack, "FDB delete only supported for Ethernet devices");
++ return -EINVAL;
++ }
++
+ addr = nla_data(tb[NDA_LLADDR]);
+
+ err = fdb_vid_parse(tb[NDA_VLAN], &vid, extack);
+@@ -3634,6 +3639,11 @@ static int rtnl_fdb_del(struct sk_buff *
+ return -EINVAL;
+ }
+
++ if (dev->type != ARPHRD_ETHER) {
++ NL_SET_ERR_MSG(extack, "FDB add only supported for Ethernet devices");
++ return -EINVAL;
++ }
++
+ addr = nla_data(tb[NDA_LLADDR]);
+
+ err = fdb_vid_parse(tb[NDA_VLAN], &vid, extack);
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 29 Oct 2018 23:13:11 +0800
+Subject: sctp: check policy more carefully when getting pr status
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 713358369382cebf92f6e98ce2005f94e7344931 ]
+
+When getting pr_assocstatus and pr_streamstatus by sctp_getsockopt,
+it doesn't correctly process the case when policy is set with
+SCTP_PR_SCTP_ALL | SCTP_PR_SCTP_MASK. It even causes a
+slab-out-of-bounds in sctp_getsockopt_pr_streamstatus().
+
+This patch fixes it by return -EINVAL for this case.
+
+Fixes: 0ac1077e3a54 ("sctp: get pr_assoc and pr_stream all status with SCTP_PR_SCTP_ALL")
+Reported-by: syzbot+5da0d0a72a9e7d791748@syzkaller.appspotmail.com
+Suggested-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -7101,14 +7101,15 @@ static int sctp_getsockopt_pr_assocstatu
+ }
+
+ policy = params.sprstat_policy;
+- if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)))
++ if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) ||
++ ((policy & SCTP_PR_SCTP_ALL) && (policy & SCTP_PR_SCTP_MASK)))
+ goto out;
+
+ asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
+ if (!asoc)
+ goto out;
+
+- if (policy & SCTP_PR_SCTP_ALL) {
++ if (policy == SCTP_PR_SCTP_ALL) {
+ params.sprstat_abandoned_unsent = 0;
+ params.sprstat_abandoned_sent = 0;
+ for (policy = 0; policy <= SCTP_PR_INDEX(MAX); policy++) {
+@@ -7160,7 +7161,8 @@ static int sctp_getsockopt_pr_streamstat
+ }
+
+ policy = params.sprstat_policy;
+- if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)))
++ if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) ||
++ ((policy & SCTP_PR_SCTP_ALL) && (policy & SCTP_PR_SCTP_MASK)))
+ goto out;
+
+ asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
--- /dev/null
+bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
+ipv6-ndisc-preserve-ipv6-control-buffer-if-protocol-error-handlers-are-called.patch
+net-mlx5e-fix-csum-adjustments-caused-by-rxfcs.patch
+net-sched-gred-pass-the-right-attribute-to-gred_change_table_def.patch
+net-stmmac-fix-stmmac_mdio_reset-when-building-stmmac-as-modules.patch
+net-udp-fix-handling-of-checksum_complete-packets.patch
+revert-net-simplify-sock_poll_wait.patch
+rtnetlink-disallow-fdb-configuration-for-non-ethernet-device.patch
+vhost-fix-spectre-v1-vulnerability.patch
+bonding-fix-length-of-actor-system.patch
+openvswitch-fix-push-pop-ethernet-validation.patch
+net-ipv6-allow-onlink-routes-to-have-a-device-mismatch-if-it-is-the-default-route.patch
+net-smc-fix-smc_buf_unuse-to-use-the-lgr-pointer.patch
+mlxsw-spectrum_switchdev-don-t-ignore-deletions-of-learned-macs.patch
+mlxsw-core-fix-devlink-unregister-flow.patch
+net-drop-skb-on-failure-in-ip_check_defrag.patch
+net-properly-unlink-gro-packets-on-overflow.patch
+r8169-fix-broken-wake-on-lan-from-s5-poweroff.patch
+revert-be2net-remove-desc-field-from-be_eq_obj.patch
+sctp-check-policy-more-carefully-when-getting-pr-status.patch
--- /dev/null
+From foo@baz Fri Nov 2 06:12:28 CET 2018
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 30 Oct 2018 14:10:49 +0800
+Subject: vhost: Fix Spectre V1 vulnerability
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit ff002269a4ee9c769dbf9365acef633ebcbd6cbe ]
+
+The idx in vhost_vring_ioctl() was controlled by userspace, hence a
+potential exploitation of the Spectre variant 1 vulnerability.
+
+Fixing this by sanitizing idx before using it to index d->vqs.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -30,6 +30,7 @@
+ #include <linux/sched/mm.h>
+ #include <linux/sched/signal.h>
+ #include <linux/interval_tree_generic.h>
++#include <linux/nospec.h>
+
+ #include "vhost.h"
+
+@@ -1397,6 +1398,7 @@ long vhost_vring_ioctl(struct vhost_dev
+ if (idx >= d->nvqs)
+ return -ENOBUFS;
+
++ idx = array_index_nospec(idx, d->nvqs);
+ vq = d->vqs[idx];
+
+ mutex_lock(&vq->mutex);
projects / thirdparty / kernel / stable-queue.git / commitdiff
