--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Fri, 12 Apr 2019 15:04:10 +0200
+Subject: bonding: fix event handling for stacked bonds
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 92480b3977fd3884649d404cbbaf839b70035699 ]
+
+When a bond is enslaved to another bond, bond_netdev_event() only
+handles the event as if the bond is a master, and skips treating the
+bond as a slave.
+
+This leads to a refcount leak on the slave, since we don't remove the
+adjacency to its master and the master holds a reference on the slave.
+
+Reproducer:
+ ip link add bondL type bond
+ ip link add bondU type bond
+ ip link set bondL master bondU
+ ip link del bondL
+
+No "Fixes:" tag, this code is older than git history.
+
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3198,8 +3198,12 @@ static int bond_netdev_event(struct noti
+ return NOTIFY_DONE;
+
+ if (event_dev->flags & IFF_MASTER) {
++ int ret;
++
+ netdev_dbg(event_dev, "IFF_MASTER\n");
+- return bond_master_netdev_event(event, event_dev);
++ ret = bond_master_netdev_event(event, event_dev);
++ if (ret != NOTIFY_DONE)
++ return ret;
+ }
+
+ if (event_dev->flags & IFF_SLAVE) {
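Review bot: The new `if (ret != NOTIFY_DONE) return ret;` in the IFF_MASTER branch makes the IFF_SLAVE handling reachable only when bond_master_netdev_event() returns exactly NOTIFY_DONE, and nothing at this site says the fall-through is intentional. A short comment above the check, stating that a stacked bond is both master and slave and must also go through the slave branch, would keep a later cleanup from restoring the direct return. It is also worth confirming that the unregister event from the reproducer yields NOTIFY_DONE from the master handler, otherwise the slave path is still skipped.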
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Si-Wei Liu <si-wei.liu@oracle.com>
+Date: Mon, 8 Apr 2019 19:45:27 -0400
+Subject: failover: allow name change on IFF_UP slave interfaces
+
+From: Si-Wei Liu <si-wei.liu@oracle.com>
+
+[ Upstream commit 8065a779f17e94536a1c4dcee4f9d88011672f97 ]
+
+When a netdev appears through hot plug then gets enslaved by a failover
+master that is already up and running, the slave will be opened
+right away after getting enslaved. Today there's a race that userspace
+(udev) may fail to rename the slave if the kernel (net_failover)
+opens the slave earlier than when the userspace rename happens.
+Unlike bond or team, the primary slave of failover can't be renamed by
+userspace ahead of time, since the kernel initiated auto-enslavement is
+unable to, or rather, is never meant to be synchronized with the rename
+request from userspace.
+
+As the failover slave interfaces are not designed to be operated
+directly by userspace apps: IP configuration, filter rules with
+regard to network traffic passing and etc., should all be done on master
+interface. In general, userspace apps only care about the
+name of master interface, while slave names are less important as long
+as admin users can see reliable names that may carry
+other information describing the netdev. For e.g., they can infer that
+"ens3nsby" is a standby slave of "ens3", while for a
+name like "eth0" they can't tell which master it belongs to.
+
+Historically the name of IFF_UP interface can't be changed because
+there might be admin script or management software that is already
+relying on such behavior and assumes that the slave name can't be
+changed once UP. But failover is special: with the in-kernel
+auto-enslavement mechanism, the userspace expectation for device
+enumeration and bring-up order is already broken. Previously initramfs
+and various userspace config tools were modified to bypass failover
+slaves because of auto-enslavement and duplicate MAC address. Similarly,
+in case that users care about seeing reliable slave name, the new type
+of failover slaves needs to be taken care of specifically in userspace
+anyway.
+
+It's less risky to lift up the rename restriction on failover slave
+which is already UP. Although it's possible this change may potentially
+break userspace component (most likely configuration scripts or
+management software) that assumes slave name can't be changed while
+UP, it's relatively a limited and controllable set among all userspace
+components, which can be fixed specifically to listen for the rename
+events on failover slaves. Userspace component interacting with slaves
+is expected to be changed to operate on failover master interface
+instead, as the failover slave is dynamic in nature which may come and
+go at any point. The goal is to make the role of failover slaves less
+relevant, and userspace components should only deal with failover master
+in the long run.
+
+Fixes: 30c8bd5aa8b2 ("net: Introduce generic failover module")
+Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
+Reviewed-by: Liran Alon <liran.alon@oracle.com>
+Acked-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdevice.h | 3 +++
+ net/core/dev.c | 16 +++++++++++++++-
+ net/core/failover.c | 6 +++---
+ 3 files changed, 21 insertions(+), 4 deletions(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -1456,6 +1456,7 @@ struct net_device_ops {
+ * @IFF_FAILOVER: device is a failover master device
+ * @IFF_FAILOVER_SLAVE: device is lower dev of a failover master device
+ * @IFF_L3MDEV_RX_HANDLER: only invoke the rx handler of L3 master device
++ * @IFF_LIVE_RENAME_OK: rename is allowed while device is up and running
+ */
+ enum netdev_priv_flags {
+ IFF_802_1Q_VLAN = 1<<0,
+@@ -1488,6 +1489,7 @@ enum netdev_priv_flags {
+ IFF_FAILOVER = 1<<27,
+ IFF_FAILOVER_SLAVE = 1<<28,
+ IFF_L3MDEV_RX_HANDLER = 1<<29,
++ IFF_LIVE_RENAME_OK = 1<<30,
+ };
+
+ #define IFF_802_1Q_VLAN IFF_802_1Q_VLAN
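Review bot: IFF_LIVE_RENAME_OK takes `1<<30`, which is the last value in this enum that can be written as a plain int shift; the next flag would need `1<<31`, which overflows a signed int. A remark next to the new entry that the flag space is nearly exhausted would stop the next addition from copying this pattern unchanged.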
+@@ -1519,6 +1521,7 @@ enum netdev_priv_flags {
+ #define IFF_FAILOVER IFF_FAILOVER
+ #define IFF_FAILOVER_SLAVE IFF_FAILOVER_SLAVE
+ #define IFF_L3MDEV_RX_HANDLER IFF_L3MDEV_RX_HANDLER
++#define IFF_LIVE_RENAME_OK IFF_LIVE_RENAME_OK
+
+ /**
+ * struct net_device - The DEVICE structure.
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1180,7 +1180,21 @@ int dev_change_name(struct net_device *d
+ BUG_ON(!dev_net(dev));
+
+ net = dev_net(dev);
+- if (dev->flags & IFF_UP)
++
++ /* Some auto-enslaved devices e.g. failover slaves are
++ * special, as userspace might rename the device after
++ * the interface had been brought up and running since
++ * the point kernel initiated auto-enslavement. Allow
++ * live name change even when these slave devices are
++ * up and running.
++ *
++ * Typically, users of these auto-enslaving devices
++ * don't actually care about slave name change, as
++ * they are supposed to operate on master interface
++ * directly.
++ */
++ if (dev->flags & IFF_UP &&
++ likely(!(dev->priv_flags & IFF_LIVE_RENAME_OK)))
+ return -EBUSY;
+
+ write_seqcount_begin(&devnet_rename_seq);
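Review bot: In the new condition `dev->flags & IFF_UP && likely(!(dev->priv_flags & IFF_LIVE_RENAME_OK))` the first operand relies on `&` binding tighter than `&&`; please write it as `(dev->flags & IFF_UP)` to match the parenthesized second operand. The comment block talks about failover slaves while the test is on a generic flag, so it should also say that any driver setting IFF_LIVE_RENAME_OK opts its devices out of the -EBUSY return, since userspace that reads -EBUSY as "interface is up" will see different behaviour for those devices.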
+--- a/net/core/failover.c
++++ b/net/core/failover.c
+@@ -80,14 +80,14 @@ static int failover_slave_register(struc
+ goto err_upper_link;
+ }
+
+- slave_dev->priv_flags |= IFF_FAILOVER_SLAVE;
++ slave_dev->priv_flags |= (IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK);
+
+ if (fops && fops->slave_register &&
+ !fops->slave_register(slave_dev, failover_dev))
+ return NOTIFY_OK;
+
+ netdev_upper_dev_unlink(slave_dev, failover_dev);
+- slave_dev->priv_flags &= ~IFF_FAILOVER_SLAVE;
++ slave_dev->priv_flags &= ~(IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK);
+ err_upper_link:
+ netdev_rx_handler_unregister(slave_dev);
+ done:
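Review bot: The pair `IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK` is open-coded at the set site, at the clear after netdev_upper_dev_unlink() here, and again in failover_slave_unregister(), so a flag later added to one site and not the others will be left behind on the error path. A single mask definition used in all three places would avoid that. The flags are also set before fops->slave_register() runs and cleared only if it fails; please state in a comment whether a rename arriving in that window is serialized against this path or is simply acceptable.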
+@@ -121,7 +121,7 @@ int failover_slave_unregister(struct net
+
+ netdev_rx_handler_unregister(slave_dev);
+ netdev_upper_dev_unlink(slave_dev, failover_dev);
+- slave_dev->priv_flags &= ~IFF_FAILOVER_SLAVE;
++ slave_dev->priv_flags &= ~(IFF_FAILOVER_SLAVE | IFF_LIVE_RENAME_OK);
+
+ if (fops && fops->slave_unregister &&
+ !fops->slave_unregister(slave_dev, failover_dev))
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 13 Apr 2019 17:32:21 -0700
+Subject: ipv4: ensure rcu_read_lock() in ipv4_link_failure()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c543cb4a5f07e09237ec0fc2c60c9f131b2c79ad ]
+
+fib_compute_spec_dst() needs to be called under rcu protection.
+
+syzbot reported :
+
+WARNING: suspicious RCU usage
+5.1.0-rc4+ #165 Not tainted
+include/linux/inetdevice.h:220 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by swapper/0/0:
+ #0: 0000000051b67925 ((&n->timer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:170 [inline]
+ #0: 0000000051b67925 ((&n->timer)){+.-.}, at: call_timer_fn+0xda/0x720 kernel/time/timer.c:1315
+
+stack backtrace:
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.1.0-rc4+ #165
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5162
+ __in_dev_get_rcu include/linux/inetdevice.h:220 [inline]
+ fib_compute_spec_dst+0xbbd/0x1030 net/ipv4/fib_frontend.c:294
+ spec_dst_fill net/ipv4/ip_options.c:245 [inline]
+ __ip_options_compile+0x15a7/0x1a10 net/ipv4/ip_options.c:343
+ ipv4_link_failure+0x172/0x400 net/ipv4/route.c:1195
+ dst_link_failure include/net/dst.h:427 [inline]
+ arp_error_report+0xd1/0x1c0 net/ipv4/arp.c:297
+ neigh_invalidate+0x24b/0x570 net/core/neighbour.c:995
+ neigh_timer_handler+0xc35/0xf30 net/core/neighbour.c:1081
+ call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
+ expire_timers kernel/time/timer.c:1362 [inline]
+ __run_timers kernel/time/timer.c:1681 [inline]
+ __run_timers kernel/time/timer.c:1649 [inline]
+ run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
+ __do_softirq+0x266/0x95a kernel/softirq.c:293
+ invoke_softirq kernel/softirq.c:374 [inline]
+ irq_exit+0x180/0x1d0 kernel/softirq.c:414
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
+
+Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1187,14 +1187,20 @@ static struct dst_entry *ipv4_dst_check(
+
+ static void ipv4_link_failure(struct sk_buff *skb)
+ {
+- struct rtable *rt;
+ struct ip_options opt;
++ struct rtable *rt;
++ int res;
+
+ /* Recompile ip options since IPCB may not be valid anymore.
+ */
+ memset(&opt, 0, sizeof(opt));
+ opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
+- if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL))
++
++ rcu_read_lock();
++ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
++ rcu_read_unlock();
++
++ if (res)
+ return;
+
+ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
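Review bot: The rcu_read_lock()/rcu_read_unlock() pair around __ip_options_compile() carries no comment, and the reason given in the commit message (fib_compute_spec_dst() is reached from it and needs RCU protection) is not visible from this function. Add a one-line comment at the lock, and confirm that nothing the compile step stores in `opt` points at RCU-protected memory, because `opt` is handed to __icmp_send() after the unlock.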
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+Date: Fri, 12 Apr 2019 16:19:27 -0400
+Subject: ipv4: recompile ip options in ipv4_link_failure
+
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+
+[ Upstream commit ed0de45a1008991fdaa27a0152befcb74d126a8b ]
+
+Recompile IP options since IPCB may not be valid anymore when
+ipv4_link_failure is called from arp_error_report.
+
+Refer to the commit 3da1ed7ac398 ("net: avoid use IPCB in cipso_v4_error")
+and the commit before that (9ef6b42ad6fd) for a similar issue.
+
+Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1188,8 +1188,16 @@ static struct dst_entry *ipv4_dst_check(
+ static void ipv4_link_failure(struct sk_buff *skb)
+ {
+ struct rtable *rt;
++ struct ip_options opt;
+
+- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
++ /* Recompile ip options since IPCB may not be valid anymore.
++ */
++ memset(&opt, 0, sizeof(opt));
++ opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
++ if (__ip_options_compile(dev_net(skb->dev), &opt, skb, NULL))
++ return;
++
++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
+
+ rt = skb_rtable(skb);
+ if (rt)
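Review bot: The early `return` added after a failing __ip_options_compile() also skips the `rt = skb_rtable(skb); if (rt)` handling that follows, which the old code always reached after icmp_send(). If only the ICMP error should be suppressed for malformed options, skip the __icmp_send() call rather than leaving the function. Separately, `opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr)` is computed with no check in this hunk that ihl is at least 5; since the comment already says the control block cannot be trusted here, validating the header length before the subtraction would be safer.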
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 15 Apr 2019 15:57:23 -0500
+Subject: net: atm: Fix potential Spectre v1 vulnerabilities
+
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+
+[ Upstream commit 899537b73557aafbdd11050b501cf54b4f5c45af ]
+
+arg is controlled by user-space, hence leading to a potential
+exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+net/atm/lec.c:715 lec_mcast_attach() warn: potential spectre issue 'dev_lec' [r] (local cap)
+
+Fix this by sanitizing arg before using it to index dev_lec.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/atm/lec.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/atm/lec.c
++++ b/net/atm/lec.c
+@@ -710,7 +710,10 @@ static int lec_vcc_attach(struct atm_vcc
+
+ static int lec_mcast_attach(struct atm_vcc *vcc, int arg)
+ {
+- if (arg < 0 || arg >= MAX_LEC_ITF || !dev_lec[arg])
++ if (arg < 0 || arg >= MAX_LEC_ITF)
++ return -EINVAL;
++ arg = array_index_nospec(arg, MAX_LEC_ITF);
++ if (!dev_lec[arg])
+ return -EINVAL;
+ vcc->proto_data = dev_lec[arg];
+ return lec_mcast_make(netdev_priv(dev_lec[arg]), vcc);
+@@ -728,6 +731,7 @@ static int lecd_attach(struct atm_vcc *v
+ i = arg;
+ if (arg >= MAX_LEC_ITF)
+ return -EINVAL;
++ i = array_index_nospec(arg, MAX_LEC_ITF);
+ if (!dev_lec[i]) {
+ int size;
+
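Review bot: In lecd_attach() the added line clamps `arg` and overwrites `i`, so whatever the preceding code assigned to `i` (the context shows `i = arg;`) is discarded, and the only bound visible before the clamp is `arg >= MAX_LEC_ITF`, with no lower-bound test like the `arg < 0` check in lec_mcast_attach(). Clamping the variable that is actually used as the index, `i = array_index_nospec(i, MAX_LEC_ITF);`, keeps any earlier normalisation of negative values and makes the intent clearer.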
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Thu, 11 Apr 2019 13:56:39 +0300
+Subject: net: bridge: fix per-port af_packet sockets
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit 3b2e2904deb314cc77a2192f506f2fd44e3d10d0 ]
+
+When the commit below was introduced it changed two visible things:
+ - the skb was no longer passed through the protocol handlers with the
+ original device
+ - the skb was passed up the stack with skb->dev = bridge
+
+The first change broke af_packet sockets on bridge ports. For example we
+use them for hostapd which listens for ETH_P_PAE packets on the ports.
+We discussed two possible fixes:
+ - create a clone and pass it through NF_HOOK(), act on the original skb
+ based on the result
+ - somehow signal to the caller from the okfn() that it was called,
+ meaning the skb is ok to be passed, which this patch is trying to
+ implement via returning 1 from the bridge link-local okfn()
+
+Note that we rely on the fact that NF_QUEUE/STOLEN would return 0 and
+drop/error would return < 0 thus the okfn() is called only when the
+return was 1, so we signal to the caller that it was called by preserving
+the return value from nf_hook().
+
+Fixes: 8626c56c8279 ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_input.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -195,13 +195,10 @@ static void __br_handle_local_finish(str
+ /* note: already called with rcu_read_lock */
+ static int br_handle_local_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
+- struct net_bridge_port *p = br_port_get_rcu(skb->dev);
+-
+ __br_handle_local_finish(skb);
+
+- BR_INPUT_SKB_CB(skb)->brdev = p->br->dev;
+- br_pass_frame_up(skb);
+- return 0;
++ /* return 1 to signal the okfn() was called so it's ok to use the skb */
++ return 1;
+ }
+
+ /*
+@@ -278,10 +275,18 @@ rx_handler_result_t br_handle_frame(stru
+ goto forward;
+ }
+
+- /* Deliver packet to local host only */
+- NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, dev_net(skb->dev),
+- NULL, skb, skb->dev, NULL, br_handle_local_finish);
+- return RX_HANDLER_CONSUMED;
++ /* The else clause should be hit when nf_hook():
++ * - returns < 0 (drop/error)
++ * - returns = 0 (stolen/nf_queue)
++ * Thus return 1 from the okfn() to signal the skb is ok to pass
++ */
++ if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
++ dev_net(skb->dev), NULL, skb, skb->dev, NULL,
++ br_handle_local_finish) == 1) {
++ return RX_HANDLER_PASS;
++ } else {
++ return RX_HANDLER_CONSUMED;
++ }
+ }
+
+ forward:
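Review bot: The `== 1` comparison on the NF_HOOK() result in br_handle_frame() ties the RX_HANDLER_PASS decision to a bare literal that must match the `return 1` in br_handle_local_finish(); a named constant shared by both sites would make that contract harder to break. The comment above the `if` describes the else branch rather than the test, and the `else` after `return RX_HANDLER_PASS;` is redundant, so the block reads more clearly as the check, the PASS return, then an unconditional `return RX_HANDLER_CONSUMED;`. Since br_handle_local_finish() no longer sets BR_INPUT_SKB_CB(skb)->brdev or calls br_pass_frame_up(), the commit message should also say explicitly which device link-local frames are now delivered on.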
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Thu, 11 Apr 2019 15:08:25 +0300
+Subject: net: bridge: multicast: use rcu to access port list from br_multicast_start_querier
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit c5b493ce192bd7a4e7bd073b5685aad121eeef82 ]
+
+br_multicast_start_querier() walks over the port list but it can be
+called from a timer with only multicast_lock held which doesn't protect
+the port list, so use RCU to walk over it.
+
+Fixes: c83b8fab06fc ("bridge: Restart queries when last querier expires")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -2152,7 +2152,8 @@ static void br_multicast_start_querier(s
+
+ __br_multicast_open(br, query);
+
+- list_for_each_entry(port, &br->port_list, list) {
++ rcu_read_lock();
++ list_for_each_entry_rcu(port, &br->port_list, list) {
+ if (port->state == BR_STATE_DISABLED ||
+ port->state == BR_STATE_BLOCKING)
+ continue;
+@@ -2164,6 +2165,7 @@ static void br_multicast_start_querier(s
+ br_multicast_enable(&port->ip6_own_query);
+ #endif
+ }
++ rcu_read_unlock();
+ }
+
+ int br_multicast_toggle(struct net_bridge *br, unsigned long val)
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Yuya Kusakabe <yuya.kusakabe@gmail.com>
+Date: Tue, 16 Apr 2019 10:22:28 +0900
+Subject: net: Fix missing meta data in skb with vlan packet
+
+From: Yuya Kusakabe <yuya.kusakabe@gmail.com>
+
+[ Upstream commit d85e8be2a5a02869f815dd0ac2d743deb4cd7957 ]
+
+skb_reorder_vlan_header() should move XDP meta data with ethernet header
+if XDP meta data exists.
+
+Fixes: de8f3a83b0a0 ("bpf: add meta pointer for direct access")
+Signed-off-by: Yuya Kusakabe <yuya.kusakabe@gmail.com>
+Signed-off-by: Takeru Hayasaka <taketarou2@gmail.com>
+Co-developed-by: Takeru Hayasaka <taketarou2@gmail.com>
+Reviewed-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -5071,7 +5071,8 @@ EXPORT_SYMBOL_GPL(skb_gso_validate_mac_l
+
+ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
+ {
+- int mac_len;
++ int mac_len, meta_len;
++ void *meta;
+
+ if (skb_cow(skb, skb_headroom(skb)) < 0) {
+ kfree_skb(skb);
+@@ -5083,6 +5084,13 @@ static struct sk_buff *skb_reorder_vlan_
+ memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
+ mac_len - VLAN_HLEN - ETH_TLEN);
+ }
++
++ meta_len = skb_metadata_len(skb);
++ if (meta_len) {
++ meta = skb_metadata_end(skb) - meta_len;
++ memmove(meta + VLAN_HLEN, meta, meta_len);
++ }
++
+ skb->mac_header += VLAN_HLEN;
+ return skb;
+ }
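Review bot: The metadata move is placed before `skb->mac_header += VLAN_HLEN`, and `meta` is computed from skb_metadata_end(skb); if that helper is derived from the MAC header offset, the ordering is load-bearing and nothing in the block says so. Add a comment that the metadata is shifted by VLAN_HLEN so it stays adjacent to the relocated MAC header and that this must happen before mac_header is advanced. Note as well that this memmove sits outside the `if` that guards the MAC header memmove, so it runs even when that copy is skipped.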
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Tue, 9 Apr 2019 11:47:20 +0200
+Subject: net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+[ Upstream commit 988dc4a9a3b66be75b30405a5494faf0dc7cffb6 ]
+
+gue tunnels run iptunnel_pull_offloads on received skbs. This can
+determine a possible use-after-free accessing guehdr pointer since
+the packet will be 'uncloned' running pskb_expand_head if it is a
+cloned gso skb (e.g if the packet has been sent though a veth device)
+
+Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/fou.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/fou.c
++++ b/net/ipv4/fou.c
+@@ -120,6 +120,7 @@ static int gue_udp_recv(struct sock *sk,
+ struct guehdr *guehdr;
+ void *data;
+ u16 doffset = 0;
++ u8 proto_ctype;
+
+ if (!fou)
+ return 1;
+@@ -211,13 +212,14 @@ static int gue_udp_recv(struct sock *sk,
+ if (unlikely(guehdr->control))
+ return gue_control_message(skb, guehdr);
+
++ proto_ctype = guehdr->proto_ctype;
+ __skb_pull(skb, sizeof(struct udphdr) + hdrlen);
+ skb_reset_transport_header(skb);
+
+ if (iptunnel_pull_offloads(skb))
+ goto drop;
+
+- return -guehdr->proto_ctype;
++ return -proto_ctype;
+
+ drop:
+ kfree_skb(skb);
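Review bot: Nothing at `proto_ctype = guehdr->proto_ctype;` explains why the field is copied, so a later cleanup could fold it back into `return -guehdr->proto_ctype;`. Add a comment that guehdr points into the skb head, which iptunnel_pull_offloads() may reallocate, and that it must not be dereferenced after that call. The same constraint applies to `data`, declared next to guehdr, if it also points into the packet.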
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Saeed Mahameed <saeedm@mellanox.com>
+Date: Tue, 19 Mar 2019 22:09:05 -0700
+Subject: net/mlx5: FPGA, tls, hold rcu read lock a bit longer
+
+From: Saeed Mahameed <saeedm@mellanox.com>
+
+[ Upstream commit 31634bf5dcc418b5b2cacd954394c0c4620db6a2 ]
+
+To avoid use-after-free, hold the rcu read lock until we are done copying
+flow data into the command buffer.
+
+Fixes: ab412e1dd7db ("net/mlx5: Accel, add TLS rx offload routines")
+Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
+@@ -217,22 +217,22 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_
+ void *cmd;
+ int ret;
+
+- rcu_read_lock();
+- flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle));
+- rcu_read_unlock();
+-
+- if (!flow) {
+- WARN_ONCE(1, "Received NULL pointer for handle\n");
+- return -EINVAL;
+- }
+-
+ buf = kzalloc(size, GFP_ATOMIC);
+ if (!buf)
+ return -ENOMEM;
+
+ cmd = (buf + 1);
+
++ rcu_read_lock();
++ flow = idr_find(&mdev->fpga->tls->rx_idr, ntohl(handle));
++ if (unlikely(!flow)) {
++ rcu_read_unlock();
++ WARN_ONCE(1, "Received NULL pointer for handle\n");
++ kfree(buf);
++ return -EINVAL;
++ }
+ mlx5_fpga_tls_flow_to_cmd(flow, cmd);
++ rcu_read_unlock();
+
+ MLX5_SET(tls_cmd, cmd, swid, ntohl(handle));
+ MLX5_SET64(tls_cmd, cmd, tls_rcd_sn, be64_to_cpu(rcd_sn));
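Review bot: mlx5_fpga_tls_flow_to_cmd(flow, cmd) now runs inside the RCU read-side section, so it must never sleep; a comment at rcu_read_lock() saying the lock is held until the flow data has been copied into the command buffer would document that constraint. The `!flow` branch now has to pair rcu_read_unlock() and kfree(buf) by hand, and a single error label would be less likely to miss one of them when the function grows.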
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Saeed Mahameed <saeedm@mellanox.com>
+Date: Tue, 19 Mar 2019 01:05:41 -0700
+Subject: net/mlx5: FPGA, tls, idr remove on flow delete
+
+From: Saeed Mahameed <saeedm@mellanox.com>
+
+[ Upstream commit df3a8344d404a810b4aadbf19b08c8232fbaa715 ]
+
+Flow is kfreed on mlx5_fpga_tls_del_flow but kept in the idr data
+structure, this is risky and can cause use-after-free, since the
+idr_remove is delayed until tls_send_teardown_cmd completion.
+
+Instead of delaying idr_remove, in this patch we do it on
+mlx5_fpga_tls_del_flow, before actually kfree(flow).
+
+Added synchronize_rcu before kfree(flow)
+
+Fixes: ab412e1dd7db ("net/mlx5: Accel, add TLS rx offload routines")
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c | 43 +++++++--------------
+ 1 file changed, 15 insertions(+), 28 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/tls.c
+@@ -148,14 +148,16 @@ static int mlx5_fpga_tls_alloc_swid(stru
+ return ret;
+ }
+
+-static void mlx5_fpga_tls_release_swid(struct idr *idr,
+- spinlock_t *idr_spinlock, u32 swid)
++static void *mlx5_fpga_tls_release_swid(struct idr *idr,
++ spinlock_t *idr_spinlock, u32 swid)
+ {
+ unsigned long flags;
++ void *ptr;
+
+ spin_lock_irqsave(idr_spinlock, flags);
+- idr_remove(idr, swid);
++ ptr = idr_remove(idr, swid);
+ spin_unlock_irqrestore(idr_spinlock, flags);
++ return ptr;
+ }
+
+ static void mlx_tls_kfree_complete(struct mlx5_fpga_conn *conn,
+@@ -165,20 +167,12 @@ static void mlx_tls_kfree_complete(struc
+ kfree(buf);
+ }
+
+-struct mlx5_teardown_stream_context {
+- struct mlx5_fpga_tls_command_context cmd;
+- u32 swid;
+-};
+-
+ static void
+ mlx5_fpga_tls_teardown_completion(struct mlx5_fpga_conn *conn,
+ struct mlx5_fpga_device *fdev,
+ struct mlx5_fpga_tls_command_context *cmd,
+ struct mlx5_fpga_dma_buf *resp)
+ {
+- struct mlx5_teardown_stream_context *ctx =
+- container_of(cmd, struct mlx5_teardown_stream_context, cmd);
+-
+ if (resp) {
+ u32 syndrome = MLX5_GET(tls_resp, resp->sg[0].data, syndrome);
+
+@@ -186,14 +180,6 @@ mlx5_fpga_tls_teardown_completion(struct
+ mlx5_fpga_err(fdev,
+ "Teardown stream failed with syndrome = %d",
+ syndrome);
+- else if (MLX5_GET(tls_cmd, cmd->buf.sg[0].data, direction_sx))
+- mlx5_fpga_tls_release_swid(&fdev->tls->tx_idr,
+- &fdev->tls->tx_idr_spinlock,
+- ctx->swid);
+- else
+- mlx5_fpga_tls_release_swid(&fdev->tls->rx_idr,
+- &fdev->tls->rx_idr_spinlock,
+- ctx->swid);
+ }
+ mlx5_fpga_tls_put_command_ctx(cmd);
+ }
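Review bot: With the release calls removed from mlx5_fpga_tls_teardown_completion(), the swid is freed in mlx5_fpga_tls_del_flow() before the teardown command is sent, whereas the removed `else if`/`else` branches released it only when the response carried no error syndrome. The patch should say what happens when teardown fails: the idr can hand the same swid to a new flow while the device may still hold the old stream, and the only trace left is the mlx5_fpga_err() message.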
+@@ -253,7 +239,7 @@ int mlx5_fpga_tls_resync_rx(struct mlx5_
+ static void mlx5_fpga_tls_send_teardown_cmd(struct mlx5_core_dev *mdev,
+ void *flow, u32 swid, gfp_t flags)
+ {
+- struct mlx5_teardown_stream_context *ctx;
++ struct mlx5_fpga_tls_command_context *ctx;
+ struct mlx5_fpga_dma_buf *buf;
+ void *cmd;
+
+@@ -261,7 +247,7 @@ static void mlx5_fpga_tls_send_teardown_
+ if (!ctx)
+ return;
+
+- buf = &ctx->cmd.buf;
++ buf = &ctx->buf;
+ cmd = (ctx + 1);
+ MLX5_SET(tls_cmd, cmd, command_type, CMD_TEARDOWN_STREAM);
+ MLX5_SET(tls_cmd, cmd, swid, swid);
+@@ -272,8 +258,7 @@ static void mlx5_fpga_tls_send_teardown_
+ buf->sg[0].data = cmd;
+ buf->sg[0].size = MLX5_TLS_COMMAND_SIZE;
+
+- ctx->swid = swid;
+- mlx5_fpga_tls_cmd_send(mdev->fpga, &ctx->cmd,
++ mlx5_fpga_tls_cmd_send(mdev->fpga, ctx,
+ mlx5_fpga_tls_teardown_completion);
+ }
+
+@@ -283,13 +268,14 @@ void mlx5_fpga_tls_del_flow(struct mlx5_
+ struct mlx5_fpga_tls *tls = mdev->fpga->tls;
+ void *flow;
+
+- rcu_read_lock();
+ if (direction_sx)
+- flow = idr_find(&tls->tx_idr, swid);
++ flow = mlx5_fpga_tls_release_swid(&tls->tx_idr,
++ &tls->tx_idr_spinlock,
++ swid);
+ else
+- flow = idr_find(&tls->rx_idr, swid);
+-
+- rcu_read_unlock();
++ flow = mlx5_fpga_tls_release_swid(&tls->rx_idr,
++ &tls->rx_idr_spinlock,
++ swid);
+
+ if (!flow) {
+ mlx5_fpga_err(mdev->fpga, "No flow information for swid %u\n",
+@@ -297,6 +283,7 @@ void mlx5_fpga_tls_del_flow(struct mlx5_
+ return;
+ }
+
++ synchronize_rcu(); /* before kfree(flow) */
+ mlx5_fpga_tls_send_teardown_cmd(mdev, flow, swid, flags);
+ }
+
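Review bot: synchronize_rcu() blocks, yet mlx5_fpga_tls_del_flow() passes a caller-supplied gfp `flags` on to mlx5_fpga_tls_send_teardown_cmd(), which suggests some callers may be in atomic context. Either document that this function must be called from process context or defer the free with an RCU callback. The trailing comment `/* before kfree(flow) */` refers to a kfree that is not visible in this hunk, so it should name where the free actually happens.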
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Matteo Croce <mcroce@redhat.com>
+Date: Thu, 11 Apr 2019 12:26:33 +0200
+Subject: net: thunderx: don't allow jumbo frames with XDP
+
+From: Matteo Croce <mcroce@redhat.com>
+
+[ Upstream commit 1f227d16083b2e280b7dde4ca78883d75593f2fd ]
+
+The thunderx driver forbids to load an eBPF program if the MTU is too high,
+but this can be circumvented by loading the eBPF, then raising the MTU.
+
+Fix this by limiting the MTU if an eBPF program is already loaded.
+
+Fixes: 05c773f52b96e ("net: thunderx: Add basic XDP support")
+Signed-off-by: Matteo Croce <mcroce@redhat.com>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cavium/thunder/nicvf_main.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+@@ -1554,6 +1554,15 @@ static int nicvf_change_mtu(struct net_d
+ struct nicvf *nic = netdev_priv(netdev);
+ int orig_mtu = netdev->mtu;
+
++ /* For now just support only the usual MTU sized frames,
++ * plus some headroom for VLAN, QinQ.
++ */
++ if (nic->xdp_prog && new_mtu > MAX_XDP_MTU) {
++ netdev_warn(netdev, "Jumbo frames not yet supported with XDP, current MTU %d.\n",
++ netdev->mtu);
++ return -EINVAL;
++ }
++
+ netdev->mtu = new_mtu;
+
+ if (!netif_running(netdev))
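Review bot: The warning in nicvf_change_mtu() prints `netdev->mtu`, the current value, rather than the rejected `new_mtu`, so the log does not show what was refused; print the requested value or both. This path returns -EINVAL while the matching check in nicvf_xdp_setup() returns -EOPNOTSUPP for the same limit, which should be made consistent or explained. MAX_XDP_MTU is not defined in this patch, so it has to be applied after the change that introduces it.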
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Matteo Croce <mcroce@redhat.com>
+Date: Thu, 11 Apr 2019 12:26:32 +0200
+Subject: net: thunderx: raise XDP MTU to 1508
+
+From: Matteo Croce <mcroce@redhat.com>
+
+[ Upstream commit 5ee15c101f29e0093ffb5448773ccbc786eb313b ]
+
+The thunderx driver splits frames bigger than 1530 bytes to multiple
+pages, making impossible to run an eBPF program on it.
+This leads to a maximum MTU of 1508 if QinQ is in use.
+
+The thunderx driver forbids to load an eBPF program if the MTU is higher
+than 1500 bytes. Raise the limit to 1508 so it is possible to use L2
+protocols which need some more headroom.
+
+Fixes: 05c773f52b96e ("net: thunderx: Add basic XDP support")
+Signed-off-by: Matteo Croce <mcroce@redhat.com>
+Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cavium/thunder/nicvf_main.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+@@ -32,6 +32,13 @@
+ #define DRV_NAME "nicvf"
+ #define DRV_VERSION "1.0"
+
++/* NOTE: Packets bigger than 1530 are split across multiple pages and XDP needs
++ * the buffer to be contiguous. Allow XDP to be set up only if we don't exceed
++ * this value, keeping headroom for the 14 byte Ethernet header and two
++ * VLAN tags (for QinQ)
++ */
++#define MAX_XDP_MTU (1530 - ETH_HLEN - VLAN_HLEN * 2)
++
+ /* Supported devices */
+ static const struct pci_device_id nicvf_id_table[] = {
+ { PCI_DEVICE_SUB(PCI_VENDOR_ID_CAVIUM,
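Review bot: The MAX_XDP_MTU comment explains the subtraction but not the result; stating that it evaluates to 1508, the figure in the subject line, would let readers check the limit without looking up ETH_HLEN and VLAN_HLEN. The 1530 byte page-split threshold is a bare literal here, so a named constant tied to the receive buffer setup would keep the two from drifting apart.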
+@@ -1795,8 +1802,10 @@ static int nicvf_xdp_setup(struct nicvf
+ bool bpf_attached = false;
+ int ret = 0;
+
+- /* For now just support only the usual MTU sized frames */
+- if (prog && (dev->mtu > 1500)) {
++ /* For now just support only the usual MTU sized frames,
++ * plus some headroom for VLAN, QinQ.
++ */
++ if (prog && dev->mtu > MAX_XDP_MTU) {
+ netdev_warn(dev, "Jumbo frames not yet supported with XDP, current MTU %d.\n",
+ dev->mtu);
+ return -EOPNOTSUPP;
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+Date: Mon, 8 Apr 2019 17:59:50 -0700
+Subject: net/tls: prevent bad memory access in tls_is_sk_tx_device_offloaded()
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+[ Upstream commit b4f47f3848eb70986f75d06112af7b48b7f5f462 ]
+
+Unlike '&&' operator, the '&' does not have short-circuit
+evaluation semantics. IOW both sides of the operator always
+get evaluated. Fix the wrong operator in
+tls_is_sk_tx_device_offloaded(), which would lead to
+out-of-bounds access for for non-full sockets.
+
+Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+Reviewed-by: Simon Horman <simon.horman@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tls.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -317,7 +317,7 @@ tls_validate_xmit_skb(struct sock *sk, s
+ static inline bool tls_is_sk_tx_device_offloaded(struct sock *sk)
+ {
+ #ifdef CONFIG_SOCK_VALIDATE_XMIT
+- return sk_fullsock(sk) &
++ return sk_fullsock(sk) &&
+ (smp_load_acquire(&sk->sk_validate_xmit_skb) ==
+ &tls_validate_xmit_skb);
+ #else
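Review bot: in the return expression of tls_is_sk_tx_device_offloaded(), correctness now depends on evaluation order: sk_fullsock(sk) has to stay on the left so that sk->sk_validate_xmit_skb is never loaded for a non-full socket. That constraint lives only in the commit message. A one-line comment above the return would keep a later cleanup from reordering the operands or turning the operator back into a bitwise one.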
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
+Date: Mon, 1 Apr 2019 19:36:34 -0700
+Subject: nfp: flower: remove vlan CFI bit from push vlan action
+
+From: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
+
+[ Upstream commit 42cd5484a22f1a1b947e21e2af65fa7dab09d017 ]
+
+We no longer set CFI when pushing vlan tags, therefore we remove
+the CFI bit from push vlan.
+
+Fixes: 1a1e586f54bf ("nfp: add basic action capabilities to flower offloads")
+Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
+Signed-off-by: Louis Peens <louis.peens@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/action.c | 3 +--
+ drivers/net/ethernet/netronome/nfp/flower/cmsg.h | 1 -
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/action.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/action.c
+@@ -80,8 +80,7 @@ nfp_fl_push_vlan(struct nfp_fl_push_vlan
+
+ tmp_push_vlan_tci =
+ FIELD_PREP(NFP_FL_PUSH_VLAN_PRIO, tcf_vlan_push_prio(action)) |
+- FIELD_PREP(NFP_FL_PUSH_VLAN_VID, tcf_vlan_push_vid(action)) |
+- NFP_FL_PUSH_VLAN_CFI;
++ FIELD_PREP(NFP_FL_PUSH_VLAN_VID, tcf_vlan_push_vid(action));
+ push_vlan->vlan_tci = cpu_to_be16(tmp_push_vlan_tci);
+ }
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
++++ b/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
+@@ -109,7 +109,6 @@
+ #define NFP_FL_OUT_FLAGS_TYPE_IDX GENMASK(2, 0)
+
+ #define NFP_FL_PUSH_VLAN_PRIO GENMASK(15, 13)
+-#define NFP_FL_PUSH_VLAN_CFI BIT(12)
+ #define NFP_FL_PUSH_VLAN_VID GENMASK(11, 0)
+
+ /* LAG ports */
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
+Date: Mon, 1 Apr 2019 19:36:33 -0700
+Subject: nfp: flower: replace CFI with vlan present
+
+From: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
+
+[ Upstream commit f7ee799a51ddbcc205ef615fe424fb5084e9e0aa ]
+
+Replace vlan CFI bit with a vlan present bit that indicates the
+presence of a vlan tag. Previously the driver incorrectly assumed
+that an vlan id of 0 is not matchable, therefore we indicate vlan
+presence with a vlan present bit.
+
+Fixes: 5571e8c9f241 ("nfp: extend flower matching capabilities")
+Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
+Signed-off-by: Louis Peens <louis.peens@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/cmsg.h | 2 +-
+ drivers/net/ethernet/netronome/nfp/flower/match.c | 14 ++++++--------
+ 2 files changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
++++ b/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
+@@ -55,7 +55,7 @@
+ #define NFP_FLOWER_LAYER2_GENEVE_OP BIT(6)
+
+ #define NFP_FLOWER_MASK_VLAN_PRIO GENMASK(15, 13)
+-#define NFP_FLOWER_MASK_VLAN_CFI BIT(12)
++#define NFP_FLOWER_MASK_VLAN_PRESENT BIT(12)
+ #define NFP_FLOWER_MASK_VLAN_VID GENMASK(11, 0)
+
+ #define NFP_FLOWER_MASK_MPLS_LB GENMASK(31, 12)
+--- a/drivers/net/ethernet/netronome/nfp/flower/match.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/match.c
+@@ -56,14 +56,12 @@ nfp_flower_compile_meta_tci(struct nfp_f
+ FLOW_DISSECTOR_KEY_VLAN,
+ target);
+ /* Populate the tci field. */
+- if (flow_vlan->vlan_id || flow_vlan->vlan_priority) {
+- tmp_tci = FIELD_PREP(NFP_FLOWER_MASK_VLAN_PRIO,
+- flow_vlan->vlan_priority) |
+- FIELD_PREP(NFP_FLOWER_MASK_VLAN_VID,
+- flow_vlan->vlan_id) |
+- NFP_FLOWER_MASK_VLAN_CFI;
+- frame->tci = cpu_to_be16(tmp_tci);
+- }
++ tmp_tci = NFP_FLOWER_MASK_VLAN_PRESENT;
++ tmp_tci |= FIELD_PREP(NFP_FLOWER_MASK_VLAN_PRIO,
++ flow_vlan->vlan_priority) |
++ FIELD_PREP(NFP_FLOWER_MASK_VLAN_VID,
++ flow_vlan->vlan_id);
++ frame->tci = cpu_to_be16(tmp_tci);
+ }
+ }
+
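Review bot: in nfp_flower_compile_meta_tci(), NFP_FLOWER_MASK_VLAN_PRESENT is now set unconditionally inside this block, whatever flow_vlan holds. The same code fills the structure selected by `target`, so the bit ends up in whichever of the key or mask is being compiled. Please confirm that is intended for both passes and say so in the "Populate the tci field" comment, since the old `vlan_id || vlan_priority` guard that skipped the write is gone and a reader can no longer tell when tci stays zero.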
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Jonathan Lemon <jonathan.lemon@gmail.com>
+Date: Sun, 14 Apr 2019 14:21:29 -0700
+Subject: route: Avoid crash from dereferencing NULL rt->from
+
+From: Jonathan Lemon <jonathan.lemon@gmail.com>
+
+[ Upstream commit 9c69a13205151c0d801de9f9d83a818e6e8f60ec ]
+
+When __ip6_rt_update_pmtu() is called, rt->from is RCU dereferenced, but is
+never checked for null - rt6_flush_exceptions() may have removed the entry.
+
+[ 1913.989004] RIP: 0010:ip6_rt_cache_alloc+0x13/0x170
+[ 1914.209410] Call Trace:
+[ 1914.214798] <IRQ>
+[ 1914.219226] __ip6_rt_update_pmtu+0xb0/0x190
+[ 1914.228649] ip6_tnl_xmit+0x2c2/0x970 [ip6_tunnel]
+[ 1914.239223] ? ip6_tnl_parse_tlv_enc_lim+0x32/0x1a0 [ip6_tunnel]
+[ 1914.252489] ? __gre6_xmit+0x148/0x530 [ip6_gre]
+[ 1914.262678] ip6gre_tunnel_xmit+0x17e/0x3c7 [ip6_gre]
+[ 1914.273831] dev_hard_start_xmit+0x8d/0x1f0
+[ 1914.283061] sch_direct_xmit+0xfa/0x230
+[ 1914.291521] __qdisc_run+0x154/0x4b0
+[ 1914.299407] net_tx_action+0x10e/0x1f0
+[ 1914.307678] __do_softirq+0xca/0x297
+[ 1914.315567] irq_exit+0x96/0xa0
+[ 1914.322494] smp_apic_timer_interrupt+0x68/0x130
+[ 1914.332683] apic_timer_interrupt+0xf/0x20
+[ 1914.341721] </IRQ>
+
+Fixes: a68886a69180 ("net/ipv6: Make from in rt6_info rcu protected")
+Signed-off-by: Jonathan Lemon <jonathan.lemon@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Reviewed-by: Martin KaFai Lau <kafai@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -2367,6 +2367,10 @@ static void __ip6_rt_update_pmtu(struct
+
+ rcu_read_lock();
+ from = rcu_dereference(rt6->from);
++ if (!from) {
++ rcu_read_unlock();
++ return;
++ }
+ nrt6 = ip6_rt_cache_alloc(from, daddr, saddr);
+ if (nrt6) {
+ rt6_do_update_pmtu(nrt6, mtu);
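Review bot: the new `if (!from)` branch in __ip6_rt_update_pmtu() adds a second rcu_read_unlock() exit to this block. A `goto` to a shared unlock label at the end of the block would keep the lock and unlock paired in one place and makes it harder to miss the unlock if more early exits are added. A short comment that `from` can be cleared concurrently (the commit message names rt6_flush_exceptions()) would also explain why a freshly dereferenced pointer needs the check.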
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: "Toke Høiland-Jørgensen" <toke@redhat.com>
+Date: Thu, 4 Apr 2019 15:01:33 +0200
+Subject: sch_cake: Make sure we can write the IP header before changing DSCP bits
+
+From: "Toke Høiland-Jørgensen" <toke@redhat.com>
+
+[ Upstream commit c87b4ecdbe8db27867a7b7f840291cd843406bd7 ]
+
+There is not actually any guarantee that the IP headers are valid before we
+access the DSCP bits of the packets. Fix this using the same approach taken
+in sch_dsmark.
+
+Reported-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_cake.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/net/sched/sch_cake.c
++++ b/net/sched/sch_cake.c
+@@ -1524,16 +1524,27 @@ static void cake_wash_diffserv(struct sk
+
+ static u8 cake_handle_diffserv(struct sk_buff *skb, u16 wash)
+ {
++ int wlen = skb_network_offset(skb);
+ u8 dscp;
+
+ switch (tc_skb_protocol(skb)) {
+ case htons(ETH_P_IP):
++ wlen += sizeof(struct iphdr);
++ if (!pskb_may_pull(skb, wlen) ||
++ skb_try_make_writable(skb, wlen))
++ return 0;
++
+ dscp = ipv4_get_dsfield(ip_hdr(skb)) >> 2;
+ if (wash && dscp)
+ ipv4_change_dsfield(ip_hdr(skb), INET_ECN_MASK, 0);
+ return dscp;
+
+ case htons(ETH_P_IPV6):
++ wlen += sizeof(struct ipv6hdr);
++ if (!pskb_may_pull(skb, wlen) ||
++ skb_try_make_writable(skb, wlen))
++ return 0;
++
+ dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> 2;
+ if (wash && dscp)
+ ipv6_change_dsfield(ipv6_hdr(skb), INET_ECN_MASK, 0);
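Review bot: in both the ETH_P_IP and ETH_P_IPV6 cases of cake_handle_diffserv(), a failed pskb_may_pull() or skb_try_make_writable() returns 0, which is also the value returned for a packet whose DSCP really is zero. The caller cannot tell "header unreadable" from "best effort". If that fallback is intended, say so in a comment at the first `return 0`. The two four-line blocks differ only in the header size, so computing wlen per case and doing the pull and writable check once after the size is known would remove the duplication.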
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: "Toke Høiland-Jørgensen" <toke@redhat.com>
+Date: Fri, 5 Apr 2019 15:01:59 +0200
+Subject: sch_cake: Simplify logic in cake_select_tin()
+
+From: "Toke Høiland-Jørgensen" <toke@redhat.com>
+
+[ Upstream commit 4976e3c683f328bc6f2edef555a4ffee6524486f ]
+
+The logic in cake_select_tin() was getting a bit hairy, and it turns out we
+can simplify it quite a bit. This also allows us to get rid of one of the
+two diffserv parsing functions, which has the added benefit that
+already-zeroed DSCP fields won't get re-written.
+
+Suggested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_cake.c | 44 ++++++++++++++++----------------------------
+ 1 file changed, 16 insertions(+), 28 deletions(-)
+
+--- a/net/sched/sch_cake.c
++++ b/net/sched/sch_cake.c
+@@ -1508,20 +1508,6 @@ static unsigned int cake_drop(struct Qdi
+ return idx + (tin << 16);
+ }
+
+-static void cake_wash_diffserv(struct sk_buff *skb)
+-{
+- switch (skb->protocol) {
+- case htons(ETH_P_IP):
+- ipv4_change_dsfield(ip_hdr(skb), INET_ECN_MASK, 0);
+- break;
+- case htons(ETH_P_IPV6):
+- ipv6_change_dsfield(ipv6_hdr(skb), INET_ECN_MASK, 0);
+- break;
+- default:
+- break;
+- }
+-}
+-
+ static u8 cake_handle_diffserv(struct sk_buff *skb, u16 wash)
+ {
+ int wlen = skb_network_offset(skb);
+@@ -1564,25 +1550,27 @@ static struct cake_tin_data *cake_select
+ {
+ struct cake_sched_data *q = qdisc_priv(sch);
+ u32 tin;
++ u8 dscp;
++
++ /* Tin selection: Default to diffserv-based selection, allow overriding
++ * using firewall marks or skb->priority.
++ */
++ dscp = cake_handle_diffserv(skb,
++ q->rate_flags & CAKE_FLAG_WASH);
++
++ if (q->tin_mode == CAKE_DIFFSERV_BESTEFFORT)
++ tin = 0;
+
+- if (TC_H_MAJ(skb->priority) == sch->handle &&
+- TC_H_MIN(skb->priority) > 0 &&
+- TC_H_MIN(skb->priority) <= q->tin_cnt) {
++ else if (TC_H_MAJ(skb->priority) == sch->handle &&
++ TC_H_MIN(skb->priority) > 0 &&
++ TC_H_MIN(skb->priority) <= q->tin_cnt)
+ tin = q->tin_order[TC_H_MIN(skb->priority) - 1];
+
+- if (q->rate_flags & CAKE_FLAG_WASH)
+- cake_wash_diffserv(skb);
+- } else if (q->tin_mode != CAKE_DIFFSERV_BESTEFFORT) {
+- /* extract the Diffserv Precedence field, if it exists */
+- /* and clear DSCP bits if washing */
+- tin = q->tin_index[cake_handle_diffserv(skb,
+- q->rate_flags & CAKE_FLAG_WASH)];
++ else {
++ tin = q->tin_index[dscp];
++
+ if (unlikely(tin >= q->tin_cnt))
+ tin = 0;
+- } else {
+- tin = 0;
+- if (q->rate_flags & CAKE_FLAG_WASH)
+- cake_wash_diffserv(skb);
+ }
+
+ return &q->tins[tin];
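Review bot: cake_handle_diffserv() is now called at the top of cake_select_tin() for every packet, before the CAKE_DIFFSERV_BESTEFFORT and skb->priority branches that never use `dscp`. With the header pull and writable check that the function performs (the `wlen` context line in the previous hunk), that work is done even when the result is discarded and washing is off. If the call is kept unconditional for the sake of washing, the "Tin selection" comment should state that. On style, the if / else if / else chain mixes unbraced branches with a braced `else {` and separates the branches with blank lines; bracing all branches and dropping the blank lines would make the chain read as one statement.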
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: "Toke Høiland-Jørgensen" <toke@redhat.com>
+Date: Thu, 4 Apr 2019 15:01:33 +0200
+Subject: sch_cake: Use tc_skb_protocol() helper for getting packet protocol
+
+From: "Toke Høiland-Jørgensen" <toke@redhat.com>
+
+[ Upstream commit b2100cc56fca8c51d28aa42a9f1fbcb2cf351996 ]
+
+We shouldn't be using skb->protocol directly as that will miss cases with
+hardware-accelerated VLAN tags. Use the helper instead to get the right
+protocol number.
+
+Reported-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_cake.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_cake.c
++++ b/net/sched/sch_cake.c
+@@ -1526,7 +1526,7 @@ static u8 cake_handle_diffserv(struct sk
+ {
+ u8 dscp;
+
+- switch (skb->protocol) {
++ switch (tc_skb_protocol(skb)) {
+ case htons(ETH_P_IP):
+ dscp = ipv4_get_dsfield(ip_hdr(skb)) >> 2;
+ if (wash && dscp)
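Review bot: only the switch in cake_handle_diffserv() is converted to tc_skb_protocol(). The hunk header shows cake_wash_diffserv() sitting directly above it, and that function still switches on skb->protocol (its body is visible where the later cleanup patch in this series removes it). Until that removal is applied, the wash-only path keeps missing packets with hardware-accelerated VLAN tags, so either convert it here as well or note the dependency on the later patch in the commit message.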
--- /dev/null
+bonding-fix-event-handling-for-stacked-bonds.patch
+failover-allow-name-change-on-iff_up-slave-interfaces.patch
+net-atm-fix-potential-spectre-v1-vulnerabilities.patch
+net-bridge-fix-per-port-af_packet-sockets.patch
+net-bridge-multicast-use-rcu-to-access-port-list-from-br_multicast_start_querier.patch
+net-fix-missing-meta-data-in-skb-with-vlan-packet.patch
+net-fou-do-not-use-guehdr-after-iptunnel_pull_offloads-in-gue_udp_recv.patch
+tcp-tcp_grow_window-needs-to-respect-tcp_space.patch
+team-set-slave-to-promisc-if-team-is-already-in-promisc-mode.patch
+tipc-missing-entries-in-name-table-of-publications.patch
+vhost-reject-zero-size-iova-range.patch
+ipv4-recompile-ip-options-in-ipv4_link_failure.patch
+ipv4-ensure-rcu_read_lock-in-ipv4_link_failure.patch
+net-thunderx-raise-xdp-mtu-to-1508.patch
+net-thunderx-don-t-allow-jumbo-frames-with-xdp.patch
+net-mlx5-fpga-tls-hold-rcu-read-lock-a-bit-longer.patch
+net-tls-prevent-bad-memory-access-in-tls_is_sk_tx_device_offloaded.patch
+net-mlx5-fpga-tls-idr-remove-on-flow-delete.patch
+route-avoid-crash-from-dereferencing-null-rt-from.patch
+sch_cake-use-tc_skb_protocol-helper-for-getting-packet-protocol.patch
+sch_cake-make-sure-we-can-write-the-ip-header-before-changing-dscp-bits.patch
+nfp-flower-replace-cfi-with-vlan-present.patch
+nfp-flower-remove-vlan-cfi-bit-from-push-vlan-action.patch
+sch_cake-simplify-logic-in-cake_select_tin.patch
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 16 Apr 2019 10:55:20 -0700
+Subject: tcp: tcp_grow_window() needs to respect tcp_space()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 50ce163a72d817a99e8974222dcf2886d5deb1ae ]
+
+For some reason, tcp_grow_window() correctly tests if enough room
+is present before attempting to increase tp->rcv_ssthresh,
+but does not prevent it to grow past tcp_space()
+
+This is causing hard to debug issues, like failing
+the (__tcp_select_window(sk) >= tp->rcv_wnd) test
+in __tcp_ack_snd_check(), causing ACK delays and possibly
+slow flows.
+
+Depending on tcp_rmem[2], MTU, skb->len/skb->truesize ratio,
+we can see the problem happening on "netperf -t TCP_RR -- -r 2000,2000"
+after about 60 round trips, when the active side no longer sends
+immediate acks.
+
+This bug predates git history.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Wei Wang <weiwan@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -402,11 +402,12 @@ static int __tcp_grow_window(const struc
+ static void tcp_grow_window(struct sock *sk, const struct sk_buff *skb)
+ {
+ struct tcp_sock *tp = tcp_sk(sk);
++ int room;
++
++ room = min_t(int, tp->window_clamp, tcp_space(sk)) - tp->rcv_ssthresh;
+
+ /* Check #1 */
+- if (tp->rcv_ssthresh < tp->window_clamp &&
+- (int)tp->rcv_ssthresh < tcp_space(sk) &&
+- !tcp_under_memory_pressure(sk)) {
++ if (room > 0 && !tcp_under_memory_pressure(sk)) {
+ int incr;
+
+ /* Check #2. Increase window, if skb with such overhead
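Review bot: the new `room` computation in tcp_grow_window() subtracts tp->rcv_ssthresh without a cast, whereas the removed condition cast it explicitly with `(int)tp->rcv_ssthresh` before comparing against tcp_space(sk). The result is assigned to an int and then tested with `room > 0`, so the sign of the difference matters. Casting the operand, or writing the subtraction with both sides as int, would make the intended signed arithmetic explicit instead of relying on the implicit conversion. Note also that tcp_space(sk) is now evaluated before the tcp_under_memory_pressure() test rather than being short-circuited by the window_clamp comparison.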
+@@ -419,8 +420,7 @@ static void tcp_grow_window(struct sock
+
+ if (incr) {
+ incr = max_t(int, incr, 2 * skb->len);
+- tp->rcv_ssthresh = min(tp->rcv_ssthresh + incr,
+- tp->window_clamp);
++ tp->rcv_ssthresh += min(room, incr);
+ inet_csk(sk)->icsk_ack.quick |= 1;
+ }
+ }
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Mon, 8 Apr 2019 16:45:17 +0800
+Subject: team: set slave to promisc if team is already in promisc mode
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 43c2adb9df7ddd6560fd3546d925b42cef92daa0 ]
+
+After adding a team interface to bridge, the team interface will enter
+promisc mode. Then if we add a new slave to team0, the slave will keep
+promisc off. Fix it by setting slave to promisc on if team master is
+already in promisc mode, also do the same for allmulti.
+
+v2: add promisc and allmulti checking when delete ports
+
+Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1250,6 +1250,23 @@ static int team_port_add(struct team *te
+ goto err_option_port_add;
+ }
+
++ /* set promiscuity level to new slave */
++ if (dev->flags & IFF_PROMISC) {
++ err = dev_set_promiscuity(port_dev, 1);
++ if (err)
++ goto err_set_slave_promisc;
++ }
++
++ /* set allmulti level to new slave */
++ if (dev->flags & IFF_ALLMULTI) {
++ err = dev_set_allmulti(port_dev, 1);
++ if (err) {
++ if (dev->flags & IFF_PROMISC)
++ dev_set_promiscuity(port_dev, -1);
++ goto err_set_slave_promisc;
++ }
++ }
++
+ netif_addr_lock_bh(dev);
+ dev_uc_sync_multiple(port_dev, dev);
+ dev_mc_sync_multiple(port_dev, dev);
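Review bot: in the allmulti error branch of team_port_add(), the promiscuity increment is undone inline with a second `dev->flags & IFF_PROMISC` test before jumping to err_set_slave_promisc. That breaks the usual one-label-per-step unwind ladder used by the rest of the function. A separate err_set_slave_allmulti label placed above err_set_slave_promisc, with the dev_set_promiscuity(port_dev, -1) call under the latter's predecessor, would keep the cleanup in the ladder and avoid re-reading dev->flags on the error path.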
+@@ -1266,6 +1283,9 @@ static int team_port_add(struct team *te
+
+ return 0;
+
++err_set_slave_promisc:
++ __team_option_inst_del_port(team, port);
++
+ err_option_port_add:
+ team_upper_dev_unlink(team, port);
+
+@@ -1311,6 +1331,12 @@ static int team_port_del(struct team *te
+
+ team_port_disable(team, port);
+ list_del_rcu(&port->list);
++
++ if (dev->flags & IFF_PROMISC)
++ dev_set_promiscuity(port_dev, -1);
++ if (dev->flags & IFF_ALLMULTI)
++ dev_set_allmulti(port_dev, -1);
++
+ team_upper_dev_unlink(team, port);
+ netdev_rx_handler_unregister(port_dev);
+ team_port_disable_netpoll(port);
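Review bot: the decrements added to team_port_del() are conditional on the master's flags at delete time, while the matching increments in team_port_add() were conditional on the flags at add time. The counts only balance if every later change of IFF_PROMISC or IFF_ALLMULTI on the team device is propagated to the ports elsewhere; nothing in these hunks shows that. Please confirm it and add a short comment here saying which path keeps the port counters in step, and note that the return values of dev_set_promiscuity() and dev_set_allmulti() are ignored on this path.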
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Hoang Le <hoang.h.le@dektech.com.au>
+Date: Tue, 9 Apr 2019 14:59:24 +0700
+Subject: tipc: missing entries in name table of publications
+
+From: Hoang Le <hoang.h.le@dektech.com.au>
+
+[ Upstream commit d1841533e54876f152a30ac398a34f47ad6590b1 ]
+
+When binding multiple services with specific type 1Ki, 2Ki..,
+this leads to some entries in the name table of publications
+missing when listed out via 'tipc name show'.
+
+The problem is at identify zero last_type conditional provided
+via netlink. The first is initial 'type' when starting name table
+dummping. The second is continuously with zero type (node state
+service type). Then, lookup function failure to finding node state
+service type in next iteration.
+
+To solve this, adding more conditional to marked as dirty type and
+lookup correct service type for the next iteration instead of select
+the first service as initial 'type' zero.
+
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/name_table.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/name_table.c
++++ b/net/tipc/name_table.c
+@@ -908,7 +908,8 @@ static int tipc_nl_service_list(struct n
+ for (; i < TIPC_NAMETBL_SIZE; i++) {
+ head = &tn->nametbl->services[i];
+
+- if (*last_type) {
++ if (*last_type ||
++ (!i && *last_key && (*last_lower == *last_key))) {
+ service = tipc_service_find(net, *last_type);
+ if (!service)
+ return -EPIPE;
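Review bot: the added condition `(!i && *last_key && (*last_lower == *last_key))` in tipc_nl_service_list() encodes a special case (resuming a dump whose last service type was zero) that cannot be read off the expression itself. It needs a comment stating what state of last_type, last_lower and last_key it detects and why it applies only to bucket 0. As written, the branch then calls tipc_service_find(net, *last_type) with a type of zero and returns -EPIPE if that lookup fails, so it is worth confirming that a zero-type service always exists whenever this condition is true.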
--- /dev/null
+From foo@baz Sat Apr 20 16:43:55 CEST 2019
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 9 Apr 2019 12:10:25 +0800
+Subject: vhost: reject zero size iova range
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit 813dbeb656d6c90266f251d8bd2b02d445afa63f ]
+
+We used to accept zero size iova range which will lead a infinite loop
+in translate_desc(). Fixing this by failing the request in this case.
+
+Reported-by: syzbot+d21e6e297322a900c128@syzkaller.appspotmail.com
+Fixes: 6b1e6cc7 ("vhost: new device IOTLB API")
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vhost/vhost.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -911,8 +911,12 @@ static int vhost_new_umem_range(struct v
+ u64 start, u64 size, u64 end,
+ u64 userspace_addr, int perm)
+ {
+- struct vhost_umem_node *tmp, *node = kmalloc(sizeof(*node), GFP_ATOMIC);
++ struct vhost_umem_node *tmp, *node;
+
++ if (!size)
++ return -EFAULT;
++
++ node = kmalloc(sizeof(*node), GFP_ATOMIC);
+ if (!node)
+ return -ENOMEM;
+
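Review bot: the new `if (!size)` check in vhost_new_umem_range() returns -EFAULT, which normally reports a bad user address; a zero-length range is an invalid argument, so -EINVAL would describe the failure better unless existing callers or userspace depend on -EFAULT. Placing the check ahead of the kmalloc() is the right order, since the early return then has nothing to free.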