--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 14 Mar 2016 15:18:36 +0100
+Subject: ath9k: fix buffer overrun for ar9287
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 83d6f1f15f8cce844b0a131cbc63e444620e48b5 ]
+
+Code that was added back in 2.6.38 has an obvious overflow
+when accessing a static array, and at the time it was added
+only a code comment was put in front of it as a reminder
+to have it reviewed properly.
+
+This has not happened, but gcc-6 now points to the specific
+overflow:
+
+drivers/net/wireless/ath/ath9k/eeprom.c: In function 'ath9k_hw_get_gain_boundaries_pdadcs':
+drivers/net/wireless/ath/ath9k/eeprom.c:483:44: error: array subscript is above array bounds [-Werror=array-bounds]
+ maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4];
+ ~~~~~~~~~~~~~~~~~~~~~~~~~^~~
+
+It turns out that the correct array length exists in the local
+'intercepts' variable of this function, so we can just use that
+instead of hardcoding '4', so this patch changes all three
+instances to use that variable. The other two instances were
+already correct, but it's more consistent this way.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: 940cd2c12ebf ("ath9k_hw: merge the ar9287 version of ath9k_hw_get_gain_boundaries_pdadcs")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath9k/eeprom.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/eeprom.c
++++ b/drivers/net/wireless/ath/ath9k/eeprom.c
+@@ -477,10 +477,9 @@ void ath9k_hw_get_gain_boundaries_pdadcs
+
+ if (match) {
+ if (AR_SREV_9287(ah)) {
+- /* FIXME: array overrun? */
+ for (i = 0; i < numXpdGains; i++) {
+ minPwrT4[i] = data_9287[idxL].pwrPdg[i][0];
+- maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4];
++ maxPwrT4[i] = data_9287[idxL].pwrPdg[i][intercepts - 1];
+ ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i],
+ data_9287[idxL].pwrPdg[i],
+ data_9287[idxL].vpdPdg[i],
+@@ -490,7 +489,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs
+ } else if (eeprom_4k) {
+ for (i = 0; i < numXpdGains; i++) {
+ minPwrT4[i] = data_4k[idxL].pwrPdg[i][0];
+- maxPwrT4[i] = data_4k[idxL].pwrPdg[i][4];
++ maxPwrT4[i] = data_4k[idxL].pwrPdg[i][intercepts - 1];
+ ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i],
+ data_4k[idxL].pwrPdg[i],
+ data_4k[idxL].vpdPdg[i],
+@@ -500,7 +499,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs
+ } else {
+ for (i = 0; i < numXpdGains; i++) {
+ minPwrT4[i] = data_def[idxL].pwrPdg[i][0];
+- maxPwrT4[i] = data_def[idxL].pwrPdg[i][4];
++ maxPwrT4[i] = data_def[idxL].pwrPdg[i][intercepts - 1];
+ ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i],
+ data_def[idxL].pwrPdg[i],
+ data_def[idxL].vpdPdg[i],
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Willem de Bruijn <willemb@google.com>
+Date: Wed, 9 Mar 2016 21:58:33 -0500
+Subject: ax25: add link layer header validation function
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit ea47781c26510e5d97f80f9aceafe9065bd5e3aa ]
+
+As variable length protocol, AX25 fails link layer header validation
+tests based on a minimum length. header_ops.validate allows protocols
+to validate headers that are shorter than hard_header_len. Implement
+this callback for AX25.
+
+See also http://comments.gmane.org/gmane.linux.network/401064
+
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ax25/ax25_ip.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/net/ax25/ax25_ip.c
++++ b/net/ax25/ax25_ip.c
+@@ -228,8 +228,23 @@ netdev_tx_t ax25_ip_xmit(struct sk_buff
+ }
+ #endif
+
++static bool ax25_validate_header(const char *header, unsigned int len)
++{
++ ax25_digi digi;
++
++ if (!len)
++ return false;
++
++ if (header[0])
++ return true;
++
++ return ax25_addr_parse(header + 1, len - 1, NULL, NULL, &digi, NULL,
++ NULL);
++}
++
+ const struct header_ops ax25_header_ops = {
+ .create = ax25_hard_header,
++ .validate = ax25_validate_header,
+ };
+
+ EXPORT_SYMBOL(ax25_header_ops);
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 17 Mar 2016 17:23:36 -0700
+Subject: bonding: fix bond_get_stats()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit fe30937b65354c7fec244caebbdaae68e28ca797 ]
+
+bond_get_stats() can be called from rtnetlink (with RTNL held)
+or from /proc/net/dev seq handler (with RCU held)
+
+The logic added in commit 5f0c5f73e5ef ("bonding: make global bonding
+stats more reliable") kind of assumed only one cpu could run there.
+
+If multiple threads are reading /proc/net/dev, stats can be really
+messed up after a while.
+
+A second problem is that some fields are 32bit, so we need to properly
+handle the wrap around problem.
+
+Given that RTNL is not always held, we need to use
+bond_for_each_slave_rcu().
+
+Fixes: 5f0c5f73e5ef ("bonding: make global bonding stats more reliable")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Andy Gospodarek <gospo@cumulusnetworks.com>
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Reviewed-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 63 +++++++++++++++++++++-------------------
+ include/net/bonding.h | 1
+ 2 files changed, 35 insertions(+), 29 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3308,6 +3308,30 @@ static int bond_close(struct net_device
+ return 0;
+ }
+
++/* fold stats, assuming all rtnl_link_stats64 fields are u64, but
++ * that some drivers can provide 32bit values only.
++ */
++static void bond_fold_stats(struct rtnl_link_stats64 *_res,
++ const struct rtnl_link_stats64 *_new,
++ const struct rtnl_link_stats64 *_old)
++{
++ const u64 *new = (const u64 *)_new;
++ const u64 *old = (const u64 *)_old;
++ u64 *res = (u64 *)_res;
++ int i;
++
++ for (i = 0; i < sizeof(*_res) / sizeof(u64); i++) {
++ u64 nv = new[i];
++ u64 ov = old[i];
++
++ /* detects if this particular field is 32bit only */
++ if (((nv | ov) >> 32) == 0)
++ res[i] += (u32)nv - (u32)ov;
++ else
++ res[i] += nv - ov;
++ }
++}
++
+ static struct rtnl_link_stats64 *bond_get_stats(struct net_device *bond_dev,
+ struct rtnl_link_stats64 *stats)
+ {
+@@ -3316,43 +3340,23 @@ static struct rtnl_link_stats64 *bond_ge
+ struct list_head *iter;
+ struct slave *slave;
+
++ spin_lock(&bond->stats_lock);
+ memcpy(stats, &bond->bond_stats, sizeof(*stats));
+
+- bond_for_each_slave(bond, slave, iter) {
+- const struct rtnl_link_stats64 *sstats =
++ rcu_read_lock();
++ bond_for_each_slave_rcu(bond, slave, iter) {
++ const struct rtnl_link_stats64 *new =
+ dev_get_stats(slave->dev, &temp);
+- struct rtnl_link_stats64 *pstats = &slave->slave_stats;
+
+- stats->rx_packets += sstats->rx_packets - pstats->rx_packets;
+- stats->rx_bytes += sstats->rx_bytes - pstats->rx_bytes;
+- stats->rx_errors += sstats->rx_errors - pstats->rx_errors;
+- stats->rx_dropped += sstats->rx_dropped - pstats->rx_dropped;
+-
+- stats->tx_packets += sstats->tx_packets - pstats->tx_packets;;
+- stats->tx_bytes += sstats->tx_bytes - pstats->tx_bytes;
+- stats->tx_errors += sstats->tx_errors - pstats->tx_errors;
+- stats->tx_dropped += sstats->tx_dropped - pstats->tx_dropped;
+-
+- stats->multicast += sstats->multicast - pstats->multicast;
+- stats->collisions += sstats->collisions - pstats->collisions;
+-
+- stats->rx_length_errors += sstats->rx_length_errors - pstats->rx_length_errors;
+- stats->rx_over_errors += sstats->rx_over_errors - pstats->rx_over_errors;
+- stats->rx_crc_errors += sstats->rx_crc_errors - pstats->rx_crc_errors;
+- stats->rx_frame_errors += sstats->rx_frame_errors - pstats->rx_frame_errors;
+- stats->rx_fifo_errors += sstats->rx_fifo_errors - pstats->rx_fifo_errors;
+- stats->rx_missed_errors += sstats->rx_missed_errors - pstats->rx_missed_errors;
+-
+- stats->tx_aborted_errors += sstats->tx_aborted_errors - pstats->tx_aborted_errors;
+- stats->tx_carrier_errors += sstats->tx_carrier_errors - pstats->tx_carrier_errors;
+- stats->tx_fifo_errors += sstats->tx_fifo_errors - pstats->tx_fifo_errors;
+- stats->tx_heartbeat_errors += sstats->tx_heartbeat_errors - pstats->tx_heartbeat_errors;
+- stats->tx_window_errors += sstats->tx_window_errors - pstats->tx_window_errors;
++ bond_fold_stats(stats, new, &slave->slave_stats);
+
+ /* save off the slave stats for the next run */
+- memcpy(pstats, sstats, sizeof(*sstats));
++ memcpy(&slave->slave_stats, new, sizeof(*new));
+ }
++ rcu_read_unlock();
++
+ memcpy(&bond->bond_stats, stats, sizeof(*stats));
++ spin_unlock(&bond->stats_lock);
+
+ return stats;
+ }
+@@ -4166,6 +4170,7 @@ void bond_setup(struct net_device *bond_
+ struct bonding *bond = netdev_priv(bond_dev);
+
+ spin_lock_init(&bond->mode_lock);
++ spin_lock_init(&bond->stats_lock);
+ bond->params = bonding_defaults;
+
+ /* Initialize pointers */
+--- a/include/net/bonding.h
++++ b/include/net/bonding.h
+@@ -215,6 +215,7 @@ struct bonding {
+ * ALB mode (6) - to sync the use and modifications of its hash table
+ */
+ spinlock_t mode_lock;
++ spinlock_t stats_lock;
+ u8 send_peer_notif;
+ u8 igmp_retrans;
+ #ifdef CONFIG_PROC_FS
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Alexei Starovoitov <ast@fb.com>
+Date: Wed, 9 Mar 2016 20:02:33 -0800
+Subject: bpf: avoid copying junk bytes in bpf_get_current_comm()
+
+From: Alexei Starovoitov <ast@fb.com>
+
+[ Upstream commit cdc4e47da8f4c32eeb6b2061a8a834f4362a12b7 ]
+
+Lots of places in the kernel use memcpy(buf, comm, TASK_COMM_LEN); but
+the result is typically passed to print("%s", buf) and extra bytes
+after zero don't cause any harm.
+In bpf the result of bpf_get_current_comm() is used as the part of
+map key and was causing spurious hash map mismatches.
+Use strlcpy() to guarantee zero-terminated string.
+bpf verifier checks that output buffer is zero-initialized,
+so even for short task names the output buffer don't have junk bytes.
+Note it's not a security concern, since kprobe+bpf is root only.
+
+Fixes: ffeedafbf023 ("bpf: introduce current->pid, tgid, uid, gid, comm accessors")
+Reported-by: Tobias Waldekranz <tobias@waldekranz.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/helpers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -166,7 +166,7 @@ static u64 bpf_get_current_comm(u64 r1,
+ if (!task)
+ return -EINVAL;
+
+- memcpy(buf, task->comm, min_t(size_t, size, sizeof(task->comm)));
++ strlcpy(buf, task->comm, min_t(size_t, size, sizeof(task->comm)));
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Date: Tue, 29 Mar 2016 18:48:08 +0800
+Subject: bridge: Allow set bridge ageing time when switchdev disabled
+
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+
+[ Upstream commit 5e263f712691615fb802f06c98d7638c378f5d11 ]
+
+When NET_SWITCHDEV=n, switchdev_port_attr_set will return -EOPNOTSUPP,
+we should ignore this error code and continue to set the ageing time.
+
+Fixes: c62987bbd8a1 ("bridge: push bridge setting ageing_time down to switchdev")
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Acked-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_stp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bridge/br_stp.c
++++ b/net/bridge/br_stp.c
+@@ -588,7 +588,7 @@ int br_set_ageing_time(struct net_bridge
+ int err;
+
+ err = switchdev_port_attr_set(br->dev, &attr);
+- if (err)
++ if (err && err != -EOPNOTSUPP)
+ return err;
+
+ br->ageing_time = t;
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Stephen Hemminger <shemming@brocade.com>
+Date: Tue, 8 Mar 2016 12:59:35 -0800
+Subject: bridge: allow zero ageing time
+
+From: Stephen Hemminger <shemming@brocade.com>
+
+[ Upstream commit 4c656c13b254d598e83e586b7b4d36a2043dad85 ]
+
+This fixes a regression in the bridge ageing time caused by:
+commit c62987bbd8a1 ("bridge: push bridge setting ageing_time down to switchdev")
+
+There are users of Linux bridge which use the feature that if ageing time
+is set to 0 it causes entries to never expire. See:
+ https://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
+
+For a pure software bridge, it is unnecessary for the code to have
+arbitrary restrictions on what values are allowable.
+
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/if_bridge.h | 4 ----
+ net/bridge/br_stp.c | 11 ++++++++---
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/include/linux/if_bridge.h
++++ b/include/linux/if_bridge.h
+@@ -46,10 +46,6 @@ struct br_ip_list {
+ #define BR_LEARNING_SYNC BIT(9)
+ #define BR_PROXYARP_WIFI BIT(10)
+
+-/* values as per ieee8021QBridgeFdbAgingTime */
+-#define BR_MIN_AGEING_TIME (10 * HZ)
+-#define BR_MAX_AGEING_TIME (1000000 * HZ)
+-
+ #define BR_DEFAULT_AGEING_TIME (300 * HZ)
+
+ extern void brioctl_set(int (*ioctl_hook)(struct net *, unsigned int, void __user *));
+--- a/net/bridge/br_stp.c
++++ b/net/bridge/br_stp.c
+@@ -568,6 +568,14 @@ int br_set_max_age(struct net_bridge *br
+
+ }
+
++/* Set time interval that dynamic forwarding entries live
++ * For pure software bridge, allow values outside the 802.1
++ * standard specification for special cases:
++ * 0 - entry never ages (all permanant)
++ * 1 - entry disappears (no persistance)
++ *
++ * Offloaded switch entries maybe more restrictive
++ */
+ int br_set_ageing_time(struct net_bridge *br, u32 ageing_time)
+ {
+ struct switchdev_attr attr = {
+@@ -579,9 +587,6 @@ int br_set_ageing_time(struct net_bridge
+ unsigned long t = clock_t_to_jiffies(ageing_time);
+ int err;
+
+- if (t < BR_MIN_AGEING_TIME || t > BR_MAX_AGEING_TIME)
+- return -ERANGE;
+-
+ err = switchdev_port_attr_set(br->dev, &attr);
+ if (err)
+ return err;
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 14 Mar 2016 15:18:35 +0100
+Subject: farsync: fix off-by-one bug in fst_add_one
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit e725a66c0202b5f36c2f9d59d26a65c53bbf21f7 ]
+
+gcc-6 finds an out of bounds access in the fst_add_one function
+when calculating the end of the mmio area:
+
+drivers/net/wan/farsync.c: In function 'fst_add_one':
+drivers/net/wan/farsync.c:418:53: error: index 2 denotes an offset greater than size of 'u8[2][8192] {aka unsigned char[2][8192]}' [-Werror=array-bounds]
+ #define BUF_OFFSET(X) (BFM_BASE + offsetof(struct buf_window, X))
+ ^
+include/linux/compiler-gcc.h:158:21: note: in definition of macro '__compiler_offsetof'
+ __builtin_offsetof(a, b)
+ ^
+drivers/net/wan/farsync.c:418:37: note: in expansion of macro 'offsetof'
+ #define BUF_OFFSET(X) (BFM_BASE + offsetof(struct buf_window, X))
+ ^~~~~~~~
+drivers/net/wan/farsync.c:2519:36: note: in expansion of macro 'BUF_OFFSET'
+ + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);
+ ^~~~~~~~~~
+
+The warning is correct, but not critical because this appears
+to be a write-only variable that is set by each WAN driver but
+never accessed afterwards.
+
+I'm taking the minimal fix here, using the correct pointer by
+pointing 'mem_end' to the last byte inside of the register area
+as all other WAN drivers do, rather than the first byte outside of
+it. An alternative would be to just remove the mem_end member
+entirely.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/farsync.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wan/farsync.c
++++ b/drivers/net/wan/farsync.c
+@@ -2516,7 +2516,7 @@ fst_add_one(struct pci_dev *pdev, const
+ dev->mem_start = card->phys_mem
+ + BUF_OFFSET ( txBuffer[i][0][0]);
+ dev->mem_end = card->phys_mem
+- + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);
++ + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER - 1][LEN_RX_BUFFER - 1]);
+ dev->base_addr = card->pci_conf;
+ dev->irq = card->irq;
+
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
+Date: Fri, 1 Apr 2016 17:17:50 -0300
+Subject: ip6_tunnel: set rtnl_link_ops before calling register_netdevice
+
+From: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
+
+[ Upstream commit b6ee376cb0b7fb4e7e07d6cd248bd40436fb9ba6 ]
+
+When creating an ip6tnl tunnel with ip tunnel, rtnl_link_ops is not set
+before ip6_tnl_create2 is called. When register_netdevice is called, there
+is no linkinfo attribute in the NEWLINK message because of that.
+
+Setting rtnl_link_ops before calling register_netdevice fixes that.
+
+Fixes: 0b112457229d ("ip6tnl: add support of link creation via rtnl")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@redhat.com>
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -343,12 +343,12 @@ static int ip6_tnl_create2(struct net_de
+
+ t = netdev_priv(dev);
+
++ dev->rtnl_link_ops = &ip6_link_ops;
+ err = register_netdevice(dev);
+ if (err < 0)
+ goto out;
+
+ strcpy(t->parms.name, dev->name);
+- dev->rtnl_link_ops = &ip6_link_ops;
+
+ dev_hold(dev);
+ ip6_tnl_link(ip6n, t);
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: "David S. Miller" <davem@davemloft.net>
+Date: Sun, 13 Mar 2016 23:28:00 -0400
+Subject: ipv4: Don't do expensive useless work during inetdev destroy.
+
+From: "David S. Miller" <davem@davemloft.net>
+
+[ Upstream commit fbd40ea0180a2d328c5adc61414dc8bab9335ce2 ]
+
+When an inetdev is destroyed, every address assigned to the interface
+is removed. And in this scenerio we do two pointless things which can
+be very expensive if the number of assigned interfaces is large:
+
+1) Address promotion. We are deleting all addresses, so there is no
+ point in doing this.
+
+2) A full nf conntrack table purge for every address. We only need to
+ do this once, as is already caught by the existing
+ masq_dev_notifier so masq_inet_event() can skip this.
+
+Reported-by: Solar Designer <solar@openwall.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Tested-by: Cyrill Gorcunov <gorcunov@openvz.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/devinet.c | 4 ++++
+ net/ipv4/fib_frontend.c | 4 ++++
+ net/ipv4/netfilter/nf_nat_masquerade_ipv4.c | 12 ++++++++++--
+ 3 files changed, 18 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -334,6 +334,9 @@ static void __inet_del_ifa(struct in_dev
+
+ ASSERT_RTNL();
+
++ if (in_dev->dead)
++ goto no_promotions;
++
+ /* 1. Deleting primary ifaddr forces deletion all secondaries
+ * unless alias promotion is set
+ **/
+@@ -380,6 +383,7 @@ static void __inet_del_ifa(struct in_dev
+ fib_del_ifaddr(ifa, ifa1);
+ }
+
++no_promotions:
+ /* 2. Unlink it */
+
+ *ifap = ifa1->ifa_next;
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -922,6 +922,9 @@ void fib_del_ifaddr(struct in_ifaddr *if
+ subnet = 1;
+ }
+
++ if (in_dev->dead)
++ goto no_promotions;
++
+ /* Deletion is more complicated than add.
+ * We should take care of not to delete too much :-)
+ *
+@@ -997,6 +1000,7 @@ void fib_del_ifaddr(struct in_ifaddr *if
+ }
+ }
+
++no_promotions:
+ if (!(ok & BRD_OK))
+ fib_magic(RTM_DELROUTE, RTN_BROADCAST, ifa->ifa_broadcast, 32, prim);
+ if (subnet && ifa->ifa_prefixlen < 31) {
+--- a/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
++++ b/net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
+@@ -108,10 +108,18 @@ static int masq_inet_event(struct notifi
+ unsigned long event,
+ void *ptr)
+ {
+- struct net_device *dev = ((struct in_ifaddr *)ptr)->ifa_dev->dev;
++ struct in_device *idev = ((struct in_ifaddr *)ptr)->ifa_dev;
+ struct netdev_notifier_info info;
+
+- netdev_notifier_info_init(&info, dev);
++ /* The masq_dev_notifier will catch the case of the device going
++ * down. So if the inetdev is dead and being destroyed we have
++ * no work to do. Otherwise this is an individual address removal
++ * and we have to perform the flush.
++ */
++ if (idev->dead)
++ return NOTIFY_DONE;
++
++ netdev_notifier_info_init(&info, idev->dev);
+ return masq_device_event(this, event, &info);
+ }
+
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 22 Mar 2016 09:19:38 +0100
+Subject: ipv4: fix broadcast packets reception
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit ad0ea1989cc4d5905941d0a9e62c63ad6d859cef ]
+
+Currently, ingress ipv4 broadcast datagrams are dropped since,
+in udp_v4_early_demux(), ip_check_mc_rcu() is invoked even on
+bcast packets.
+
+This patch addresses the issue, invoking ip_check_mc_rcu()
+only for mcast packets.
+
+Fixes: 6e5403093261 ("ipv4/udp: Verify multicast group is ours in upd_v4_early_demux()")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udp.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -2082,10 +2082,14 @@ void udp_v4_early_demux(struct sk_buff *
+ if (!in_dev)
+ return;
+
+- ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr,
+- iph->protocol);
+- if (!ours)
+- return;
++ /* we are supposed to accept bcast packets */
++ if (skb->pkt_type == PACKET_MULTICAST) {
++ ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr,
++ iph->protocol);
++ if (!ours)
++ return;
++ }
++
+ sk = __udp4_lib_mcast_demux_lookup(net, uh->dest, iph->daddr,
+ uh->source, iph->saddr, dif);
+ } else if (skb->pkt_type == PACKET_HOST) {
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Lance Richardson <lrichard@redhat.com>
+Date: Tue, 22 Mar 2016 14:56:57 -0400
+Subject: ipv4: initialize flowi4_flags before calling fib_lookup()
+
+From: Lance Richardson <lrichard@redhat.com>
+
+[ Upstream commit 4cfc86f3dae6ca38ed49cdd78f458a03d4d87992 ]
+
+Field fl4.flowi4_flags is not initialized in fib_compute_spec_dst()
+before calling fib_lookup(), which means fib_table_lookup() is
+using non-deterministic data at this line:
+
+ if (!(flp->flowi4_flags & FLOWI_FLAG_SKIP_NH_OIF)) {
+
+Fix by initializing the entire fl4 structure, which will prevent
+similar issues as fields are added in the future by ensuring that
+all fields are initialized to zero unless explicitly initialized
+to another value.
+
+Fixes: 58189ca7b2741 ("net: Fix vti use case with oif in dst lookups")
+Suggested-by: David Ahern <dsa@cumulusnetworks.com>
+Signed-off-by: Lance Richardson <lrichard@redhat.com>
+Acked-by: David Ahern <dsa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/fib_frontend.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -280,7 +280,6 @@ __be32 fib_compute_spec_dst(struct sk_bu
+ struct in_device *in_dev;
+ struct fib_result res;
+ struct rtable *rt;
+- struct flowi4 fl4;
+ struct net *net;
+ int scope;
+
+@@ -296,14 +295,13 @@ __be32 fib_compute_spec_dst(struct sk_bu
+
+ scope = RT_SCOPE_UNIVERSE;
+ if (!ipv4_is_zeronet(ip_hdr(skb)->saddr)) {
+- fl4.flowi4_oif = 0;
+- fl4.flowi4_iif = LOOPBACK_IFINDEX;
+- fl4.daddr = ip_hdr(skb)->saddr;
+- fl4.saddr = 0;
+- fl4.flowi4_tos = RT_TOS(ip_hdr(skb)->tos);
+- fl4.flowi4_scope = scope;
+- fl4.flowi4_mark = IN_DEV_SRC_VMARK(in_dev) ? skb->mark : 0;
+- fl4.flowi4_tun_key.tun_id = 0;
++ struct flowi4 fl4 = {
++ .flowi4_iif = LOOPBACK_IFINDEX,
++ .daddr = ip_hdr(skb)->saddr,
++ .flowi4_tos = RT_TOS(ip_hdr(skb)->tos),
++ .flowi4_scope = scope,
++ .flowi4_mark = IN_DEV_SRC_VMARK(in_dev) ? skb->mark : 0,
++ };
+ if (!fib_lookup(net, &fl4, &res, 0))
+ return FIB_RES_PREFSRC(net, res);
+ } else {
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Date: Sun, 3 Apr 2016 22:09:23 +0800
+Subject: ipv4: l2tp: fix a potential issue in l2tp_ip_recv
+
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+
+[ Upstream commit 5745b8232e942abd5e16e85fa9b27cc21324acf0 ]
+
+pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
+right place.
+
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ip.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/l2tp/l2tp_ip.c
++++ b/net/l2tp/l2tp_ip.c
+@@ -123,12 +123,11 @@ static int l2tp_ip_recv(struct sk_buff *
+ struct l2tp_tunnel *tunnel = NULL;
+ int length;
+
+- /* Point to L2TP header */
+- optr = ptr = skb->data;
+-
+ if (!pskb_may_pull(skb, 4))
+ goto discard;
+
++ /* Point to L2TP header */
++ optr = ptr = skb->data;
+ session_id = ntohl(*((__be32 *) ptr));
+ ptr += 4;
+
+@@ -156,6 +155,9 @@ static int l2tp_ip_recv(struct sk_buff *
+ if (!pskb_may_pull(skb, length))
+ goto discard;
+
++ /* Point to L2TP header */
++ optr = ptr = skb->data;
++ ptr += 4;
+ pr_debug("%s: ip recv\n", tunnel->name);
+ print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length);
+ }
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Jakub Sitnicki <jkbs@redhat.com>
+Date: Tue, 5 Apr 2016 18:41:08 +0200
+Subject: ipv6: Count in extension headers in skb->network_header
+
+From: Jakub Sitnicki <jkbs@redhat.com>
+
+[ Upstream commit 3ba3458fb9c050718b95275a3310b74415e767e2 ]
+
+When sending a UDPv6 message longer than MTU, account for the length
+of fragmentable IPv6 extension headers in skb->network_header offset.
+Same as we do in alloc_new_skb path in __ip6_append_data().
+
+This ensures that later on __ip6_make_skb() will make space in
+headroom for fragmentable extension headers:
+
+ /* move skb->data to ip header from ext header */
+ if (skb->data < skb_network_header(skb))
+ __skb_pull(skb, skb_network_offset(skb));
+
+Prevents a splat due to skb_under_panic:
+
+skbuff: skb_under_panic: text:ffffffff8143397b len:2126 put:14 \
+head:ffff880005bacf50 data:ffff880005bacf4a tail:0x48 end:0xc0 dev:lo
+------------[ cut here ]------------
+kernel BUG at net/core/skbuff.c:104!
+invalid opcode: 0000 [#1] KASAN
+CPU: 0 PID: 160 Comm: reproducer Not tainted 4.6.0-rc2 #65
+[...]
+Call Trace:
+ [<ffffffff813eb7b9>] skb_push+0x79/0x80
+ [<ffffffff8143397b>] eth_header+0x2b/0x100
+ [<ffffffff8141e0d0>] neigh_resolve_output+0x210/0x310
+ [<ffffffff814eab77>] ip6_finish_output2+0x4a7/0x7c0
+ [<ffffffff814efe3a>] ip6_output+0x16a/0x280
+ [<ffffffff815440c1>] ip6_local_out+0xb1/0xf0
+ [<ffffffff814f1115>] ip6_send_skb+0x45/0xd0
+ [<ffffffff81518836>] udp_v6_send_skb+0x246/0x5d0
+ [<ffffffff8151985e>] udpv6_sendmsg+0xa6e/0x1090
+[...]
+
+Reported-by: Ji Jianwen <jiji@redhat.com>
+Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1091,8 +1091,8 @@ static inline int ip6_ufo_append_data(st
+ int getfrag(void *from, char *to, int offset, int len,
+ int odd, struct sk_buff *skb),
+ void *from, int length, int hh_len, int fragheaderlen,
+- int transhdrlen, int mtu, unsigned int flags,
+- const struct flowi6 *fl6)
++ int exthdrlen, int transhdrlen, int mtu,
++ unsigned int flags, const struct flowi6 *fl6)
+
+ {
+ struct sk_buff *skb;
+@@ -1117,7 +1117,7 @@ static inline int ip6_ufo_append_data(st
+ skb_put(skb, fragheaderlen + transhdrlen);
+
+ /* initialize network header pointer */
+- skb_reset_network_header(skb);
++ skb_set_network_header(skb, exthdrlen);
+
+ /* initialize protocol header pointer */
+ skb->transport_header = skb->network_header + fragheaderlen;
+@@ -1359,7 +1359,7 @@ emsgsize:
+ (rt->dst.dev->features & NETIF_F_UFO) &&
+ (sk->sk_type == SOCK_DGRAM) && !udp_get_no_check6_tx(sk)) {
+ err = ip6_ufo_append_data(sk, queue, getfrag, from, length,
+- hh_len, fragheaderlen,
++ hh_len, fragheaderlen, exthdrlen,
+ transhdrlen, mtu, flags, fl6);
+ if (err)
+ goto error;
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Date: Sun, 3 Apr 2016 22:09:24 +0800
+Subject: ipv6: l2tp: fix a potential issue in l2tp_ip6_recv
+
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+
+[ Upstream commit be447f305494e019dfc37ea4cdf3b0e4200b4eba ]
+
+pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
+right place.
+
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ip6.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -135,12 +135,11 @@ static int l2tp_ip6_recv(struct sk_buff
+ struct l2tp_tunnel *tunnel = NULL;
+ int length;
+
+- /* Point to L2TP header */
+- optr = ptr = skb->data;
+-
+ if (!pskb_may_pull(skb, 4))
+ goto discard;
+
++ /* Point to L2TP header */
++ optr = ptr = skb->data;
+ session_id = ntohl(*((__be32 *) ptr));
+ ptr += 4;
+
+@@ -168,6 +167,9 @@ static int l2tp_ip6_recv(struct sk_buff
+ if (!pskb_may_pull(skb, length))
+ goto discard;
+
++ /* Point to L2TP header */
++ optr = ptr = skb->data;
++ ptr += 4;
+ pr_debug("%s: ip recv\n", tunnel->name);
+ print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length);
+ }
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 29 Mar 2016 08:43:41 -0700
+Subject: ipv6: udp: fix UDP_MIB_IGNOREDMULTI updates
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2d4212261fdf13e29728ddb5ea9d60c342cc92b5 ]
+
+IPv6 counters updates use a different macro than IPv4.
+
+Fixes: 36cbb2452cbaf ("udp: Increment UDP_MIB_IGNOREDMULTI for arriving unmatched multicasts")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Rick Jones <rick.jones2@hp.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/udp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -883,8 +883,8 @@ start_lookup:
+ flush_stack(stack, count, skb, count - 1);
+ } else {
+ if (!inner_flushed)
+- UDP_INC_STATS_BH(net, UDP_MIB_IGNOREDMULTI,
+- proto == IPPROTO_UDPLITE);
++ UDP6_INC_STATS_BH(net, UDP_MIB_IGNOREDMULTI,
++ proto == IPPROTO_UDPLITE);
+ consume_skb(skb);
+ }
+ return 0;
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Willem de Bruijn <willemb@google.com>
+Date: Tue, 8 Mar 2016 15:18:54 -0500
+Subject: macvtap: always pass ethernet header in linear
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 8e2ad4113ce4671686740f808ff2795395c39eef ]
+
+The stack expects link layer headers in the skb linear section.
+Macvtap can create skbs with llheader in frags in edge cases:
+when (IFF_VNET_HDR is off or vnet_hdr.hdr_len < ETH_HLEN) and
+prepad + len > PAGE_SIZE and vnet_hdr.flags has no or bad csum.
+
+Add checks to ensure linear is always at least ETH_HLEN.
+At this point, len is already ensured to be >= ETH_HLEN.
+
+For backwards compatiblity, rounds up short vnet_hdr.hdr_len.
+This differs from tap and packet, which return an error.
+
+Fixes b9fb9ee07e67 ("macvtap: add GSO/csum offload support")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvtap.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -760,6 +760,8 @@ static ssize_t macvtap_get_user(struct m
+ macvtap16_to_cpu(q, vnet_hdr.hdr_len) : GOODCOPY_LEN;
+ if (copylen > good_linear)
+ copylen = good_linear;
++ else if (copylen < ETH_HLEN)
++ copylen = ETH_HLEN;
+ linear = copylen;
+ i = *from;
+ iov_iter_advance(&i, copylen);
+@@ -769,10 +771,11 @@ static ssize_t macvtap_get_user(struct m
+
+ if (!zerocopy) {
+ copylen = len;
+- if (macvtap16_to_cpu(q, vnet_hdr.hdr_len) > good_linear)
++ linear = macvtap16_to_cpu(q, vnet_hdr.hdr_len);
++ if (linear > good_linear)
+ linear = good_linear;
+- else
+- linear = macvtap16_to_cpu(q, vnet_hdr.hdr_len);
++ else if (linear < ETH_HLEN)
++ linear = ETH_HLEN;
+ }
+
+ skb = macvtap_alloc_skb(&q->sk, MACVTAP_RESERVE, copylen,
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 14 Mar 2016 15:18:34 +0100
+Subject: mlx4: add missing braces in verify_qp_parameters
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit baefd7015cdb304ce6c94f9679d0486c71954766 ]
+
+The implementation of QP paravirtualization back in linux-3.7 included
+some code that looks very dubious, and gcc-6 has grown smart enough
+to warn about it:
+
+drivers/net/ethernet/mellanox/mlx4/resource_tracker.c: In function 'verify_qp_parameters':
+drivers/net/ethernet/mellanox/mlx4/resource_tracker.c:3154:5: error: statement is indented as if it were guarded by... [-Werror=misleading-indentation]
+ if (optpar & MLX4_QP_OPTPAR_ALT_ADDR_PATH) {
+ ^~
+drivers/net/ethernet/mellanox/mlx4/resource_tracker.c:3144:4: note: ...this 'if' clause, but it is not
+ if (slave != mlx4_master_func_num(dev))
+
+>From looking at the context, I'm reasonably sure that the indentation
+is correct but that it should have contained curly braces from the
+start, as the update_gid() function in the same patch correctly does.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: 54679e148287 ("mlx4: Implement QP paravirtualization and maintain phys_pkey_cache for smp_snoop")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
++++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c
+@@ -3141,7 +3141,7 @@ static int verify_qp_parameters(struct m
+ case QP_TRANS_RTS2RTS:
+ case QP_TRANS_SQD2SQD:
+ case QP_TRANS_SQD2RTS:
+- if (slave != mlx4_master_func_num(dev))
++ if (slave != mlx4_master_func_num(dev)) {
+ if (optpar & MLX4_QP_OPTPAR_PRIMARY_ADDR_PATH) {
+ port = (qp_ctx->pri_path.sched_queue >> 6 & 1) + 1;
+ if (dev->caps.port_mask[port] != MLX4_PORT_TYPE_IB)
+@@ -3160,6 +3160,7 @@ static int verify_qp_parameters(struct m
+ if (qp_ctx->alt_path.mgid_index >= num_gids)
+ return -EINVAL;
+ }
++ }
+ break;
+ default:
+ break;
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Tue, 8 Mar 2016 12:59:33 -0800
+Subject: mlxsw: spectrum: Check requested ageing time is valid
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 869f63a4d28144c03c8f4a4c0d1e8f31f8c11a10 ]
+
+Commit c62987bbd8a1 ("bridge: push bridge setting ageing_time down to
+switchdev") added a check for minimum and maximum ageing time, but this
+breaks existing behaviour where one can set ageing time to 0 for a
+non-learning bridge.
+
+Push this check down to the driver and allow the check in the bridge
+layer to be removed. Currently ageing time 0 is refused by the driver,
+but we can later add support for this functionality.
+
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum.h | 2 ++
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 9 +++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.h
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.h
+@@ -118,6 +118,8 @@ struct mlxsw_sp {
+ #define MLXSW_SP_DEFAULT_LEARNING_INTERVAL 100
+ unsigned int interval; /* ms */
+ } fdb_notify;
++#define MLXSW_SP_MIN_AGEING_TIME 10
++#define MLXSW_SP_MAX_AGEING_TIME 1000000
+ #define MLXSW_SP_DEFAULT_AGEING_TIME 300
+ u32 ageing_time;
+ struct mlxsw_sp_upper master_bridge;
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
+@@ -311,8 +311,13 @@ static int mlxsw_sp_port_attr_br_ageing_
+ unsigned long ageing_jiffies = clock_t_to_jiffies(ageing_clock_t);
+ u32 ageing_time = jiffies_to_msecs(ageing_jiffies) / 1000;
+
+- if (switchdev_trans_ph_prepare(trans))
+- return 0;
++ if (switchdev_trans_ph_prepare(trans)) {
++ if (ageing_time < MLXSW_SP_MIN_AGEING_TIME ||
++ ageing_time > MLXSW_SP_MAX_AGEING_TIME)
++ return -ERANGE;
++ else
++ return 0;
++ }
+
+ return mlxsw_sp_ageing_set(mlxsw_sp, ageing_time);
+ }
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Roopa Prabhu <roopa@cumulusnetworks.com>
+Date: Thu, 7 Apr 2016 21:28:38 -0700
+Subject: mpls: find_outdev: check for err ptr in addition to NULL check
+
+From: Roopa Prabhu <roopa@cumulusnetworks.com>
+
+[ Upstream commit 94a57f1f8a9de90ab4b0f8748361ff8be706c80c ]
+
+find_outdev calls inet{,6}_fib_lookup_dev() or dev_get_by_index() to
+find the output device. In case of an error, inet{,6}_fib_lookup_dev()
+returns error pointer and dev_get_by_index() returns NULL. But the function
+only checks for NULL and thus can end up calling dev_put on an ERR_PTR.
+This patch adds an additional check for err ptr after the NULL check.
+
+Before: Trying to add an mpls route with no oif from user, no available
+path to 10.1.1.8 and no default route:
+$ip -f mpls route add 100 as 200 via inet 10.1.1.8
+[ 822.337195] BUG: unable to handle kernel NULL pointer dereference at
+00000000000003a3
+[ 822.340033] IP: [<ffffffff8148781e>] mpls_nh_assign_dev+0x10b/0x182
+[ 822.340033] PGD 1db38067 PUD 1de9e067 PMD 0
+[ 822.340033] Oops: 0000 [#1] SMP
+[ 822.340033] Modules linked in:
+[ 822.340033] CPU: 0 PID: 11148 Comm: ip Not tainted 4.5.0-rc7+ #54
+[ 822.340033] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org
+04/01/2014
+[ 822.340033] task: ffff88001db82580 ti: ffff88001dad4000 task.ti:
+ffff88001dad4000
+[ 822.340033] RIP: 0010:[<ffffffff8148781e>] [<ffffffff8148781e>]
+mpls_nh_assign_dev+0x10b/0x182
+[ 822.340033] RSP: 0018:ffff88001dad7a88 EFLAGS: 00010282
+[ 822.340033] RAX: ffffffffffffff9b RBX: ffffffffffffff9b RCX:
+0000000000000002
+[ 822.340033] RDX: 00000000ffffff9b RSI: 0000000000000008 RDI:
+0000000000000000
+[ 822.340033] RBP: ffff88001ddc9ea0 R08: ffff88001e9f1768 R09:
+0000000000000000
+[ 822.340033] R10: ffff88001d9c1100 R11: ffff88001e3c89f0 R12:
+ffffffff8187e0c0
+[ 822.340033] R13: ffffffff8187e0c0 R14: ffff88001ddc9e80 R15:
+0000000000000004
+[ 822.340033] FS: 00007ff9ed798700(0000) GS:ffff88001fc00000(0000)
+knlGS:0000000000000000
+[ 822.340033] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 822.340033] CR2: 00000000000003a3 CR3: 000000001de89000 CR4:
+00000000000006f0
+[ 822.340033] Stack:
+[ 822.340033] 0000000000000000 0000000100000000 0000000000000000
+0000000000000000
+[ 822.340033] 0000000000000000 0801010a00000000 0000000000000000
+0000000000000000
+[ 822.340033] 0000000000000004 ffffffff8148749b ffffffff8187e0c0
+000000000000001c
+[ 822.340033] Call Trace:
+[ 822.340033] [<ffffffff8148749b>] ? mpls_rt_alloc+0x2b/0x3e
+[ 822.340033] [<ffffffff81488e66>] ? mpls_rtm_newroute+0x358/0x3e2
+[ 822.340033] [<ffffffff810e7bbc>] ? get_page+0x5/0xa
+[ 822.340033] [<ffffffff813b7d94>] ? rtnetlink_rcv_msg+0x17e/0x191
+[ 822.340033] [<ffffffff8111794e>] ? __kmalloc_track_caller+0x8c/0x9e
+[ 822.340033] [<ffffffff813c9393>] ?
+rht_key_hashfn.isra.20.constprop.57+0x14/0x1f
+[ 822.340033] [<ffffffff813b7c16>] ? __rtnl_unlock+0xc/0xc
+[ 822.340033] [<ffffffff813cb794>] ? netlink_rcv_skb+0x36/0x82
+[ 822.340033] [<ffffffff813b4507>] ? rtnetlink_rcv+0x1f/0x28
+[ 822.340033] [<ffffffff813cb2b1>] ? netlink_unicast+0x106/0x189
+[ 822.340033] [<ffffffff813cb5b3>] ? netlink_sendmsg+0x27f/0x2c8
+[ 822.340033] [<ffffffff81392ede>] ? sock_sendmsg_nosec+0x10/0x1b
+[ 822.340033] [<ffffffff81393df1>] ? ___sys_sendmsg+0x182/0x1e3
+[ 822.340033] [<ffffffff810e4f35>] ?
+__alloc_pages_nodemask+0x11c/0x1e4
+[ 822.340033] [<ffffffff8110619c>] ? PageAnon+0x5/0xd
+[ 822.340033] [<ffffffff811062fe>] ? __page_set_anon_rmap+0x45/0x52
+[ 822.340033] [<ffffffff810e7bbc>] ? get_page+0x5/0xa
+[ 822.340033] [<ffffffff810e85ab>] ? __lru_cache_add+0x1a/0x3a
+[ 822.340033] [<ffffffff81087ea9>] ? current_kernel_time64+0x9/0x30
+[ 822.340033] [<ffffffff813940c4>] ? __sys_sendmsg+0x3c/0x5a
+[ 822.340033] [<ffffffff8148f597>] ?
+entry_SYSCALL_64_fastpath+0x12/0x6a
+[ 822.340033] Code: 83 08 04 00 00 65 ff 00 48 8b 3c 24 e8 40 7c f2 ff
+eb 13 48 c7 c3 9f ff ff ff eb 0f 89 ce e8 f1 ae f1 ff 48 89 c3 48 85 db
+74 15 <48> 8b 83 08 04 00 00 65 ff 08 48 81 fb 00 f0 ff ff 76 0d eb 07
+[ 822.340033] RIP [<ffffffff8148781e>] mpls_nh_assign_dev+0x10b/0x182
+[ 822.340033] RSP <ffff88001dad7a88>
+[ 822.340033] CR2: 00000000000003a3
+[ 822.435363] ---[ end trace 98cc65e6f6b8bf11 ]---
+
+After patch:
+$ip -f mpls route add 100 as 200 via inet 10.1.1.8
+RTNETLINK answers: Network is unreachable
+
+Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
+Reported-by: David Miller <davem@davemloft.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mpls/af_mpls.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mpls/af_mpls.c
++++ b/net/mpls/af_mpls.c
+@@ -543,6 +543,9 @@ static struct net_device *find_outdev(st
+ if (!dev)
+ return ERR_PTR(-ENODEV);
+
++ if (IS_ERR(dev))
++ return dev;
++
+ /* The caller is holding rtnl anyways, so release the dev reference */
+ dev_put(dev);
+
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 17 Mar 2016 11:57:06 -0700
+Subject: net: bcmgenet: fix dma api length mismatch
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit eee577232203842b4dcadb7ab477a298479633ed ]
+
+When un-mapping skb->data in __bcmgenet_tx_reclaim(),
+we must use the length that was used in original dma_map_single(),
+instead of skb->len that might be bigger (includes the frags)
+
+We simply can store skb_len into tx_cb_ptr->dma_len and use it
+at unmap time.
+
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -1197,7 +1197,7 @@ static unsigned int __bcmgenet_tx_reclai
+ dev->stats.tx_bytes += tx_cb_ptr->skb->len;
+ dma_unmap_single(&dev->dev,
+ dma_unmap_addr(tx_cb_ptr, dma_addr),
+- tx_cb_ptr->skb->len,
++ dma_unmap_len(tx_cb_ptr, dma_len),
+ DMA_TO_DEVICE);
+ bcmgenet_free_cb(tx_cb_ptr);
+ } else if (dma_unmap_addr(tx_cb_ptr, dma_addr)) {
+@@ -1308,7 +1308,7 @@ static int bcmgenet_xmit_single(struct n
+ }
+
+ dma_unmap_addr_set(tx_cb_ptr, dma_addr, mapping);
+- dma_unmap_len_set(tx_cb_ptr, dma_len, skb->len);
++ dma_unmap_len_set(tx_cb_ptr, dma_len, skb_len);
+ length_status = (skb_len << DMA_BUFLENGTH_SHIFT) | dma_desc_flags |
+ (priv->hw_params->qtag_mask << DMA_TX_QTAG_SHIFT) |
+ DMA_TX_APPEND_CRC;
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Neil Armstrong <narmstrong@baylibre.com>
+Date: Tue, 8 Mar 2016 10:36:20 +0100
+Subject: net: dsa: Fix cleanup resources upon module removal
+
+From: Neil Armstrong <narmstrong@baylibre.com>
+
+[ Upstream commit 04761890a7cec6a1ff9aafd909004da4fe8059db ]
+
+The initial commit badly merged into the dsa_resume method instead
+of the dsa_remove_dst method.
+As consequence, the dst->master_netdev->dsa_ptr is not set to NULL on
+removal and re-bind of the dsa device fails with error -17.
+
+Fixes: b0dc635d923c ("net: dsa: cleanup resources upon module removal ")
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Acked-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/dsa.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/net/dsa/dsa.c
++++ b/net/dsa/dsa.c
+@@ -935,6 +935,14 @@ static void dsa_remove_dst(struct dsa_sw
+ {
+ int i;
+
++ dst->master_netdev->dsa_ptr = NULL;
++
++ /* If we used a tagging format that doesn't have an ethertype
++ * field, make sure that all packets from this point get sent
++ * without the tag and go through the regular receive path.
++ */
++ wmb();
++
+ for (i = 0; i < dst->pd->nr_chips; i++) {
+ struct dsa_switch *ds = dst->ds[i];
+
+@@ -988,14 +996,6 @@ static int dsa_suspend(struct device *d)
+ struct dsa_switch_tree *dst = platform_get_drvdata(pdev);
+ int i, ret = 0;
+
+- dst->master_netdev->dsa_ptr = NULL;
+-
+- /* If we used a tagging format that doesn't have an ethertype
+- * field, make sure that all packets from this point get sent
+- * without the tag and go through the regular receive path.
+- */
+- wmb();
+-
+ for (i = 0; i < dst->pd->nr_chips; i++) {
+ struct dsa_switch *ds = dst->ds[i];
+
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Mon, 14 Mar 2016 09:56:35 -0300
+Subject: net: Fix use after free in the recvmmsg exit path
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 34b88a68f26a75e4fded796f1a49c40f82234b7d ]
+
+The syzkaller fuzzer hit the following use-after-free:
+
+ Call Trace:
+ [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
+ [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
+ [< inline >] SYSC_recvmmsg net/socket.c:2281
+ [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
+ [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
+ arch/x86/entry/entry_64.S:185
+
+And, as Dmitry rightly assessed, that is because we can drop the
+reference and then touch it when the underlying recvmsg calls return
+some packets and then hit an error, which will make recvmmsg to set
+sock->sk->sk_err, oops, fix it.
+
+Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Kostya Serebryany <kcc@google.com>
+Cc: Sasha Levin <sasha.levin@oracle.com>
+Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall")
+http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/socket.c | 38 +++++++++++++++++++-------------------
+ 1 file changed, 19 insertions(+), 19 deletions(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -2240,31 +2240,31 @@ int __sys_recvmmsg(int fd, struct mmsghd
+ cond_resched();
+ }
+
+-out_put:
+- fput_light(sock->file, fput_needed);
+-
+ if (err == 0)
+- return datagrams;
++ goto out_put;
++
++ if (datagrams == 0) {
++ datagrams = err;
++ goto out_put;
++ }
+
+- if (datagrams != 0) {
++ /*
++ * We may return less entries than requested (vlen) if the
++ * sock is non block and there aren't enough datagrams...
++ */
++ if (err != -EAGAIN) {
+ /*
+- * We may return less entries than requested (vlen) if the
+- * sock is non block and there aren't enough datagrams...
++ * ... or if recvmsg returns an error after we
++ * received some datagrams, where we record the
++ * error to return on the next call or if the
++ * app asks about it using getsockopt(SO_ERROR).
+ */
+- if (err != -EAGAIN) {
+- /*
+- * ... or if recvmsg returns an error after we
+- * received some datagrams, where we record the
+- * error to return on the next call or if the
+- * app asks about it using getsockopt(SO_ERROR).
+- */
+- sock->sk->sk_err = -err;
+- }
+-
+- return datagrams;
++ sock->sk->sk_err = -err;
+ }
++out_put:
++ fput_light(sock->file, fput_needed);
+
+- return err;
++ return datagrams;
+ }
+
+ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Date: Sat, 12 Mar 2016 18:44:17 +0100
+Subject: net: mvneta: Fix spinlock usage
+
+From: Gregory CLEMENT <gregory.clement@free-electrons.com>
+
+[ Upstream commit 1c2722a975fdb8c90bc6ba8570b7fb62db4e2e9c ]
+
+In the previous patch, the spinlock was not initialized. While it didn't
+cause any trouble yet it could be a problem to use it uninitialized.
+
+The most annoying part was the critical section protected by the spinlock
+in mvneta_stop(). Some of the functions could sleep as pointed when
+activated CONFIG_DEBUG_ATOMIC_SLEEP. Actually, in mvneta_stop() we only
+need to protect the is_stopped flagged, indeed the code of the notifier
+for CPU online is protected by the same spinlock, so when we get the
+lock, the notifer work is done.
+
+Reported-by: Patrick Uiterwijk <patrick@puiterwijk.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -3070,17 +3070,17 @@ static int mvneta_stop(struct net_device
+ struct mvneta_port *pp = netdev_priv(dev);
+
+ /* Inform that we are stopping so we don't want to setup the
+- * driver for new CPUs in the notifiers
++ * driver for new CPUs in the notifiers. The code of the
++ * notifier for CPU online is protected by the same spinlock,
++ * so when we get the lock, the notifer work is done.
+ */
+ spin_lock(&pp->lock);
+ pp->is_stopped = true;
++ spin_unlock(&pp->lock);
++
+ mvneta_stop_dev(pp);
+ mvneta_mdio_remove(pp);
+ unregister_cpu_notifier(&pp->cpu_notifier);
+- /* Now that the notifier are unregistered, we can release le
+- * lock
+- */
+- spin_unlock(&pp->lock);
+ on_each_cpu(mvneta_percpu_disable, pp, true);
+ free_percpu_irq(dev->irq, pp->ports);
+ mvneta_cleanup_rxqs(pp);
+@@ -3612,6 +3612,7 @@ static int mvneta_probe(struct platform_
+ dev->ethtool_ops = &mvneta_eth_tool_ops;
+
+ pp = netdev_priv(dev);
++ spin_lock_init(&pp->lock);
+ pp->phy_node = phy_node;
+ pp->phy_interface = phy_mode;
+
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Willem de Bruijn <willemb@google.com>
+Date: Wed, 9 Mar 2016 21:58:32 -0500
+Subject: net: validate variable length ll headers
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 2793a23aacbd754dbbb5cb75093deb7e4103bace ]
+
+Netdevice parameter hard_header_len is variously interpreted both as
+an upper and lower bound on link layer header length. The field is
+used as upper bound when reserving room at allocation, as lower bound
+when validating user input in PF_PACKET.
+
+Clarify the definition to be maximum header length. For validation
+of untrusted headers, add an optional validate member to header_ops.
+
+Allow bypassing of validation by passing CAP_SYS_RAWIO, for instance
+for deliberate testing of corrupt input. In this case, pad trailing
+bytes, as some device drivers expect completely initialized headers.
+
+See also http://comments.gmane.org/gmane.linux.network/401064
+
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdevice.h | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -267,6 +267,7 @@ struct header_ops {
+ void (*cache_update)(struct hh_cache *hh,
+ const struct net_device *dev,
+ const unsigned char *haddr);
++ bool (*validate)(const char *ll_header, unsigned int len);
+ };
+
+ /* These flag bits are private to the generic network queueing
+@@ -1420,8 +1421,7 @@ enum netdev_priv_flags {
+ * @dma: DMA channel
+ * @mtu: Interface MTU value
+ * @type: Interface hardware type
+- * @hard_header_len: Hardware header length, which means that this is the
+- * minimum size of a packet.
++ * @hard_header_len: Maximum hardware header length.
+ *
+ * @needed_headroom: Extra headroom the hardware may need, but not in all
+ * cases can this be guaranteed
+@@ -2627,6 +2627,24 @@ static inline int dev_parse_header(const
+ return dev->header_ops->parse(skb, haddr);
+ }
+
++/* ll_header must have at least hard_header_len allocated */
++static inline bool dev_validate_header(const struct net_device *dev,
++ char *ll_header, int len)
++{
++ if (likely(len >= dev->hard_header_len))
++ return true;
++
++ if (capable(CAP_SYS_RAWIO)) {
++ memset(ll_header + len, 0, dev->hard_header_len - len);
++ return true;
++ }
++
++ if (dev->header_ops && dev->header_ops->validate)
++ return dev->header_ops->validate(ll_header, len);
++
++ return false;
++}
++
+ typedef int gifconf_func_t(struct net_device * dev, char __user * bufptr, int len);
+ int register_gifconf(unsigned int family, gifconf_func_t *gifconf);
+ static inline int unregister_gifconf(unsigned int family)
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Willem de Bruijn <willemb@google.com>
+Date: Wed, 9 Mar 2016 21:58:34 -0500
+Subject: packet: validate variable length ll headers
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 9ed988cd591500c040b2a6257bc68543e08ceeef ]
+
+Replace link layer header validation check ll_header_truncate with
+more generic dev_validate_header.
+
+Validation based on hard_header_len incorrectly drops valid packets
+in variable length protocols, such as AX25. dev_validate_header
+calls header_ops.validate for such protocols to ensure correctness
+below hard_header_len.
+
+See also http://comments.gmane.org/gmane.linux.network/401064
+
+Fixes 9c7077622dd9 ("packet: make packet_snd fail on len smaller than l2 header")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 37 ++++++++++++++++---------------------
+ 1 file changed, 16 insertions(+), 21 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1916,6 +1916,10 @@ retry:
+ goto retry;
+ }
+
++ if (!dev_validate_header(dev, skb->data, len)) {
++ err = -EINVAL;
++ goto out_unlock;
++ }
+ if (len > (dev->mtu + dev->hard_header_len + extra_len) &&
+ !packet_extra_vlan_len_allowed(dev, skb)) {
+ err = -EMSGSIZE;
+@@ -2326,18 +2330,6 @@ static void tpacket_destruct_skb(struct
+ sock_wfree(skb);
+ }
+
+-static bool ll_header_truncated(const struct net_device *dev, int len)
+-{
+- /* net device doesn't like empty head */
+- if (unlikely(len < dev->hard_header_len)) {
+- net_warn_ratelimited("%s: packet size is too short (%d < %d)\n",
+- current->comm, len, dev->hard_header_len);
+- return true;
+- }
+-
+- return false;
+-}
+-
+ static void tpacket_set_protocol(const struct net_device *dev,
+ struct sk_buff *skb)
+ {
+@@ -2420,19 +2412,19 @@ static int tpacket_fill_skb(struct packe
+ if (unlikely(err < 0))
+ return -EINVAL;
+ } else if (dev->hard_header_len) {
+- if (ll_header_truncated(dev, tp_len))
+- return -EINVAL;
++ int hdrlen = min_t(int, dev->hard_header_len, tp_len);
+
+ skb_push(skb, dev->hard_header_len);
+- err = skb_store_bits(skb, 0, data,
+- dev->hard_header_len);
++ err = skb_store_bits(skb, 0, data, hdrlen);
+ if (unlikely(err))
+ return err;
++ if (!dev_validate_header(dev, skb->data, hdrlen))
++ return -EINVAL;
+ if (!skb->protocol)
+ tpacket_set_protocol(dev, skb);
+
+- data += dev->hard_header_len;
+- to_write -= dev->hard_header_len;
++ data += hdrlen;
++ to_write -= hdrlen;
+ }
+
+ offset = offset_in_page(data);
+@@ -2763,9 +2755,6 @@ static int packet_snd(struct socket *soc
+ offset = dev_hard_header(skb, dev, ntohs(proto), addr, NULL, len);
+ if (unlikely(offset < 0))
+ goto out_free;
+- } else {
+- if (ll_header_truncated(dev, len))
+- goto out_free;
+ }
+
+ /* Returns -EFAULT on error */
+@@ -2773,6 +2762,12 @@ static int packet_snd(struct socket *soc
+ if (err)
+ goto out_free;
+
++ if (sock->type == SOCK_RAW &&
++ !dev_validate_header(dev, skb->data, len)) {
++ err = -EINVAL;
++ goto out_free;
++ }
++
+ sock_tx_timestamp(sk, &skb_shinfo(skb)->tx_flags);
+
+ if (!gso_type && (len > dev->mtu + reserve + extra_len) &&
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Mon, 14 Mar 2016 21:17:16 +0100
+Subject: ppp: ensure file->private_data can't be overridden
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+[ Upstream commit e8e56ffd9d2973398b60ece1f1bebb8d67b4d032 ]
+
+Locking ppp_mutex must be done before dereferencing file->private_data,
+otherwise it could be modified before ppp_unattached_ioctl() takes the
+lock. This could lead ppp_unattached_ioctl() to override ->private_data,
+thus leaking reference to the ppp_file previously pointed to.
+
+v2: lock all ppp_ioctl() instead of just checking private_data in
+ ppp_unattached_ioctl(), to avoid ambiguous behaviour.
+
+Fixes: f3ff8a4d80e8 ("ppp: push BKL down into the driver")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/ppp_generic.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -575,7 +575,7 @@ static int get_filter(void __user *arg,
+
+ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ {
+- struct ppp_file *pf = file->private_data;
++ struct ppp_file *pf;
+ struct ppp *ppp;
+ int err = -EFAULT, val, val2, i;
+ struct ppp_idle idle;
+@@ -585,9 +585,14 @@ static long ppp_ioctl(struct file *file,
+ void __user *argp = (void __user *)arg;
+ int __user *p = argp;
+
+- if (!pf)
+- return ppp_unattached_ioctl(current->nsproxy->net_ns,
+- pf, file, cmd, arg);
++ mutex_lock(&ppp_mutex);
++
++ pf = file->private_data;
++ if (!pf) {
++ err = ppp_unattached_ioctl(current->nsproxy->net_ns,
++ pf, file, cmd, arg);
++ goto out;
++ }
+
+ if (cmd == PPPIOCDETACH) {
+ /*
+@@ -602,7 +607,6 @@ static long ppp_ioctl(struct file *file,
+ * this fd and reopening /dev/ppp.
+ */
+ err = -EINVAL;
+- mutex_lock(&ppp_mutex);
+ if (pf->kind == INTERFACE) {
+ ppp = PF_TO_PPP(pf);
+ rtnl_lock();
+@@ -616,15 +620,13 @@ static long ppp_ioctl(struct file *file,
+ } else
+ pr_warn("PPPIOCDETACH file->f_count=%ld\n",
+ atomic_long_read(&file->f_count));
+- mutex_unlock(&ppp_mutex);
+- return err;
++ goto out;
+ }
+
+ if (pf->kind == CHANNEL) {
+ struct channel *pch;
+ struct ppp_channel *chan;
+
+- mutex_lock(&ppp_mutex);
+ pch = PF_TO_CHANNEL(pf);
+
+ switch (cmd) {
+@@ -646,17 +648,16 @@ static long ppp_ioctl(struct file *file,
+ err = chan->ops->ioctl(chan, cmd, arg);
+ up_read(&pch->chan_sem);
+ }
+- mutex_unlock(&ppp_mutex);
+- return err;
++ goto out;
+ }
+
+ if (pf->kind != INTERFACE) {
+ /* can't happen */
+ pr_err("PPP: not interface or channel??\n");
+- return -EINVAL;
++ err = -EINVAL;
++ goto out;
+ }
+
+- mutex_lock(&ppp_mutex);
+ ppp = PF_TO_PPP(pf);
+ switch (cmd) {
+ case PPPIOCSMRU:
+@@ -831,7 +832,10 @@ static long ppp_ioctl(struct file *file,
+ default:
+ err = -ENOTTY;
+ }
++
++out:
+ mutex_unlock(&ppp_mutex);
++
+ return err;
+ }
+
+@@ -844,7 +848,6 @@ static int ppp_unattached_ioctl(struct n
+ struct ppp_net *pn;
+ int __user *p = (int __user *)arg;
+
+- mutex_lock(&ppp_mutex);
+ switch (cmd) {
+ case PPPIOCNEWUNIT:
+ /* Create a new ppp unit */
+@@ -894,7 +897,7 @@ static int ppp_unattached_ioctl(struct n
+ default:
+ err = -ENOTTY;
+ }
+- mutex_unlock(&ppp_mutex);
++
+ return err;
+ }
+
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Wed, 23 Mar 2016 16:38:55 +0100
+Subject: ppp: take reference on channels netns
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+[ Upstream commit 1f461dcdd296eecedaffffc6bae2bfa90bd7eb89 ]
+
+Let channels hold a reference on their network namespace.
+Some channel types, like ppp_async and ppp_synctty, can have their
+userspace controller running in a different namespace. Therefore they
+can't rely on them to preclude their netns from being removed from
+under them.
+
+==================================================================
+BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at
+addr ffff880064e217e0
+Read of size 8 by task syz-executor/11581
+=============================================================================
+BUG net_namespace (Not tainted): kasan: bad access detected
+-----------------------------------------------------------------------------
+
+Disabling lock debugging due to kernel taint
+INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906
+[< none >] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440
+[< none >] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469
+[< inline >] slab_alloc_node kernel/mm/slub.c:2532
+[< inline >] slab_alloc kernel/mm/slub.c:2574
+[< none >] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579
+[< inline >] kmem_cache_zalloc kernel/include/linux/slab.h:597
+[< inline >] net_alloc kernel/net/core/net_namespace.c:325
+[< none >] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360
+[< none >] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95
+[< none >] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150
+[< none >] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451
+[< inline >] copy_process kernel/kernel/fork.c:1274
+[< none >] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723
+[< inline >] SYSC_clone kernel/kernel/fork.c:1832
+[< none >] SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826
+[< none >] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185
+
+INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631
+[< none >] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650
+[< inline >] slab_free kernel/mm/slub.c:2805
+[< none >] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814
+[< inline >] net_free kernel/net/core/net_namespace.c:341
+[< none >] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348
+[< none >] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448
+[< none >] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036
+[< none >] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
+[< none >] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
+[< none >] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468
+INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000
+flags=0x5fffc0000004080
+INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200
+
+CPU: 1 PID: 11581 Comm: syz-executor Tainted: G B 4.4.0+
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
+ 00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300
+ ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054
+ ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000
+Call Trace:
+ [< inline >] __dump_stack kernel/lib/dump_stack.c:15
+ [<ffffffff8292049d>] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
+ [<ffffffff816f2054>] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
+ [<ffffffff816f875f>] object_err+0x2f/0x40 kernel/mm/slub.c:661
+ [< inline >] print_address_description kernel/mm/kasan/report.c:138
+ [<ffffffff816fb0c5>] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236
+ [< inline >] kasan_report kernel/mm/kasan/report.c:259
+ [<ffffffff816fb4de>] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280
+ [< inline >] ? ppp_pernet kernel/include/linux/compiler.h:218
+ [<ffffffff83ad71b2>] ? ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
+ [< inline >] ppp_pernet kernel/include/linux/compiler.h:218
+ [<ffffffff83ad71b2>] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
+ [< inline >] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293
+ [<ffffffff83ad6f26>] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
+ [<ffffffff83ae18f3>] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241
+ [<ffffffff83ae1850>] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000
+ [<ffffffff82c33239>] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478
+ [<ffffffff82c332c0>] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744
+ [<ffffffff82c34943>] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772
+ [<ffffffff82c1ef21>] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901
+ [<ffffffff82c1e460>] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688
+ [<ffffffff8174de36>] __fput+0x236/0x780 kernel/fs/file_table.c:208
+ [<ffffffff8174e405>] ____fput+0x15/0x20 kernel/fs/file_table.c:244
+ [<ffffffff813595ab>] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115
+ [< inline >] exit_task_work kernel/include/linux/task_work.h:21
+ [<ffffffff81307105>] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
+ [<ffffffff813fdd20>] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123
+ [<ffffffff81306850>] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357
+ [<ffffffff813215e6>] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
+ [<ffffffff8132067b>] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145
+ [<ffffffff81309628>] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
+ [<ffffffff8132b9d4>] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
+ [< inline >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
+ [<ffffffff8151d355>] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158
+ [<ffffffff8115f7d3>] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
+ [<ffffffff8151d2a0>] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655
+ [<ffffffff8115f750>] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165
+ [<ffffffff81380864>] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692
+ [< inline >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
+ [<ffffffff81380560>] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678
+ [< inline >] ? context_switch kernel/kernel/sched/core.c:2807
+ [<ffffffff85d794e9>] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
+ [<ffffffff81003901>] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247
+ [< inline >] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282
+ [<ffffffff810062ef>] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344
+ [<ffffffff85d88022>] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281
+Memory state around the buggy address:
+ ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2")
+Reported-by: Baozeng Ding <sploving1@gmail.com>
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/ppp_generic.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -2307,7 +2307,7 @@ int ppp_register_net_channel(struct net
+
+ pch->ppp = NULL;
+ pch->chan = chan;
+- pch->chan_net = net;
++ pch->chan_net = get_net(net);
+ chan->ppp = pch;
+ init_ppp_file(&pch->file, CHANNEL);
+ pch->file.hdrlen = chan->hdrlen;
+@@ -2404,6 +2404,8 @@ ppp_unregister_channel(struct ppp_channe
+ spin_lock_bh(&pn->all_channels_lock);
+ list_del(&pch->list);
+ spin_unlock_bh(&pn->all_channels_lock);
++ put_net(pch->chan_net);
++ pch->chan_net = NULL;
+
+ pch->file.dead = 1;
+ wake_up_interruptible(&pch->file.rwait);
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Rajesh Borundia <rajesh.borundia@qlogic.com>
+Date: Tue, 8 Mar 2016 02:39:58 -0500
+Subject: qlcnic: Fix mailbox completion handling during spurious interrupt
+
+From: Rajesh Borundia <rajesh.borundia@qlogic.com>
+
+[ Upstream commit 819bfe764dceec2f6b4551768453f374b4c60443 ]
+
+o While the driver is in the middle of a MB completion processing
+and it receives a spurious MB interrupt, it is mistaken as a good MB
+completion interrupt leading to premature completion of the next MB
+request. Fix the driver to guard against this by checking the current
+state of MB processing and ignore the spurious interrupt.
+Also added a stats counter to record this condition.
+
+Signed-off-by: Rajesh Borundia <rajesh.borundia@qlogic.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic.h | 1 +
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 15 +++++++++++----
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c | 3 ++-
+ 3 files changed, 14 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h
+@@ -566,6 +566,7 @@ struct qlcnic_adapter_stats {
+ u64 tx_dma_map_error;
+ u64 spurious_intr;
+ u64 mac_filter_limit_overrun;
++ u64 mbx_spurious_intr;
+ };
+
+ /*
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+@@ -2338,9 +2338,9 @@ static void qlcnic_83xx_handle_link_aen(
+
+ static irqreturn_t qlcnic_83xx_handle_aen(int irq, void *data)
+ {
++ u32 mask, resp, event, rsp_status = QLC_83XX_MBX_RESPONSE_ARRIVED;
+ struct qlcnic_adapter *adapter = data;
+ struct qlcnic_mailbox *mbx;
+- u32 mask, resp, event;
+ unsigned long flags;
+
+ mbx = adapter->ahw->mailbox;
+@@ -2350,10 +2350,14 @@ static irqreturn_t qlcnic_83xx_handle_ae
+ goto out;
+
+ event = readl(QLCNIC_MBX_FW(adapter->ahw, 0));
+- if (event & QLCNIC_MBX_ASYNC_EVENT)
++ if (event & QLCNIC_MBX_ASYNC_EVENT) {
+ __qlcnic_83xx_process_aen(adapter);
+- else
+- qlcnic_83xx_notify_mbx_response(mbx);
++ } else {
++ if (mbx->rsp_status != rsp_status)
++ qlcnic_83xx_notify_mbx_response(mbx);
++ else
++ adapter->stats.mbx_spurious_intr++;
++ }
+
+ out:
+ mask = QLCRDX(adapter->ahw, QLCNIC_DEF_INT_MASK);
+@@ -4053,6 +4057,7 @@ static void qlcnic_83xx_mailbox_worker(s
+ struct list_head *head = &mbx->cmd_q;
+ struct qlcnic_hardware_context *ahw;
+ struct qlcnic_cmd_args *cmd = NULL;
++ unsigned long flags;
+
+ ahw = adapter->ahw;
+
+@@ -4062,7 +4067,9 @@ static void qlcnic_83xx_mailbox_worker(s
+ return;
+ }
+
++ spin_lock_irqsave(&mbx->aen_lock, flags);
+ mbx->rsp_status = QLC_83XX_MBX_RESPONSE_WAIT;
++ spin_unlock_irqrestore(&mbx->aen_lock, flags);
+
+ spin_lock(&mbx->queue_lock);
+
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ethtool.c
+@@ -59,7 +59,8 @@ static const struct qlcnic_stats qlcnic_
+ QLC_OFF(stats.mac_filter_limit_overrun)},
+ {"spurious intr", QLC_SIZEOF(stats.spurious_intr),
+ QLC_OFF(stats.spurious_intr)},
+-
++ {"mbx spurious intr", QLC_SIZEOF(stats.mbx_spurious_intr),
++ QLC_OFF(stats.mbx_spurious_intr)},
+ };
+
+ static const char qlcnic_device_gstrings_stats[][ETH_GSTRING_LEN] = {
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Rajesh Borundia <rajesh.borundia@qlogic.com>
+Date: Tue, 8 Mar 2016 02:39:57 -0500
+Subject: qlcnic: Remove unnecessary usage of atomic_t
+
+From: Rajesh Borundia <rajesh.borundia@qlogic.com>
+
+[ Upstream commit 5bf93251cee1fb66141d1d2eaff86e04a9397bdf ]
+
+o atomic_t usage is incorrect as we are not implementing
+any atomicity.
+
+Signed-off-by: Rajesh Borundia <rajesh.borundia@qlogic.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic.h | 2 +-
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 9 ++++-----
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h
+@@ -1099,7 +1099,7 @@ struct qlcnic_mailbox {
+ unsigned long status;
+ spinlock_t queue_lock; /* Mailbox queue lock */
+ spinlock_t aen_lock; /* Mailbox response/AEN lock */
+- atomic_t rsp_status;
++ u32 rsp_status;
+ u32 num_cmds;
+ };
+
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+@@ -491,7 +491,7 @@ irqreturn_t qlcnic_83xx_clear_legacy_int
+
+ static inline void qlcnic_83xx_notify_mbx_response(struct qlcnic_mailbox *mbx)
+ {
+- atomic_set(&mbx->rsp_status, QLC_83XX_MBX_RESPONSE_ARRIVED);
++ mbx->rsp_status = QLC_83XX_MBX_RESPONSE_ARRIVED;
+ complete(&mbx->completion);
+ }
+
+@@ -510,7 +510,7 @@ static void qlcnic_83xx_poll_process_aen
+ if (event & QLCNIC_MBX_ASYNC_EVENT) {
+ __qlcnic_83xx_process_aen(adapter);
+ } else {
+- if (atomic_read(&mbx->rsp_status) != rsp_status)
++ if (mbx->rsp_status != rsp_status)
+ qlcnic_83xx_notify_mbx_response(mbx);
+ }
+ out:
+@@ -1023,7 +1023,7 @@ static void qlcnic_83xx_process_aen(stru
+ if (event & QLCNIC_MBX_ASYNC_EVENT) {
+ __qlcnic_83xx_process_aen(adapter);
+ } else {
+- if (atomic_read(&mbx->rsp_status) != rsp_status)
++ if (mbx->rsp_status != rsp_status)
+ qlcnic_83xx_notify_mbx_response(mbx);
+ }
+ }
+@@ -4050,7 +4050,6 @@ static void qlcnic_83xx_mailbox_worker(s
+ struct qlcnic_adapter *adapter = mbx->adapter;
+ const struct qlcnic_mbx_ops *mbx_ops = mbx->ops;
+ struct device *dev = &adapter->pdev->dev;
+- atomic_t *rsp_status = &mbx->rsp_status;
+ struct list_head *head = &mbx->cmd_q;
+ struct qlcnic_hardware_context *ahw;
+ struct qlcnic_cmd_args *cmd = NULL;
+@@ -4063,7 +4062,7 @@ static void qlcnic_83xx_mailbox_worker(s
+ return;
+ }
+
+- atomic_set(rsp_status, QLC_83XX_MBX_RESPONSE_WAIT);
++ mbx->rsp_status = QLC_83XX_MBX_RESPONSE_WAIT;
+
+ spin_lock(&mbx->queue_lock);
+
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Manish Chopra <manish.chopra@qlogic.com>
+Date: Tue, 15 Mar 2016 07:13:45 -0400
+Subject: qlge: Fix receive packets drop.
+
+From: Manish Chopra <manish.chopra@qlogic.com>
+
+[ Upstream commit 2c9a266afefe137bff06bbe0fc48b4d3b3cb348c ]
+
+When running small packets [length < 256 bytes] traffic, packets were
+being dropped due to invalid data in those packets which were
+delivered by the driver upto the stack. Using pci_dma_sync_single_for_cpu
+ensures copying latest and updated data into skb from the receive buffer.
+
+Signed-off-by: Sony Chacko <sony.chacko@qlogic.com>
+Signed-off-by: Manish Chopra <manish.chopra@qlogic.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qlge/qlge_main.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/net/ethernet/qlogic/qlge/qlge_main.c
++++ b/drivers/net/ethernet/qlogic/qlge/qlge_main.c
+@@ -1648,7 +1648,18 @@ static void ql_process_mac_rx_skb(struct
+ return;
+ }
+ skb_reserve(new_skb, NET_IP_ALIGN);
++
++ pci_dma_sync_single_for_cpu(qdev->pdev,
++ dma_unmap_addr(sbq_desc, mapaddr),
++ dma_unmap_len(sbq_desc, maplen),
++ PCI_DMA_FROMDEVICE);
++
+ memcpy(skb_put(new_skb, length), skb->data, length);
++
++ pci_dma_sync_single_for_device(qdev->pdev,
++ dma_unmap_addr(sbq_desc, mapaddr),
++ dma_unmap_len(sbq_desc, maplen),
++ PCI_DMA_FROMDEVICE);
+ skb = new_skb;
+
+ /* Frame error, so drop the packet. */
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Mon, 28 Mar 2016 22:38:16 +0200
+Subject: qmi_wwan: add "D-Link DWM-221 B1" device id
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+
+[ Upstream commit e84810c7b85a2d7897797b3ad3e879168a8e032a ]
+
+Thomas reports:
+"Windows:
+
+00 diagnostics
+01 modem
+02 at-port
+03 nmea
+04 nic
+
+Linux:
+
+T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 4 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2001 ProdID=7e19 Rev=02.32
+S: Manufacturer=Mobile Connect
+S: Product=Mobile Connect
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I: If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage"
+
+Reported-by: Thomas Schäfer <tschaefer@t-online.de>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -844,6 +844,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x19d2, 0x1426, 2)}, /* ZTE MF91 */
+ {QMI_FIXED_INTF(0x19d2, 0x1428, 2)}, /* Telewell TW-LTE 4G v2 */
+ {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */
++ {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */
+ {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */
+ {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */
+ {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Tue, 8 Mar 2016 12:59:34 -0800
+Subject: rocker: set FDB cleanup timer according to lowest ageing time
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 88de1cd457e5cb664d6d437e2ea4750d089165f5 ]
+
+In rocker, ageing time is a per-port attribute, so the next time the FDB
+cleanup timer fires should be set according to the lowest ageing time.
+
+This will later allow us to delete the BR_MIN_AGEING_TIME macro, which was
+added to guarantee minimum ageing time in the bridge layer, thereby breaking
+existing behavior.
+
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/rocker/rocker.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/rocker/rocker.c
++++ b/drivers/net/ethernet/rocker/rocker.c
+@@ -239,6 +239,7 @@ struct rocker {
+ struct {
+ u64 id;
+ } hw;
++ unsigned long ageing_time;
+ spinlock_t cmd_ring_lock; /* for cmd ring accesses */
+ struct rocker_dma_ring_info cmd_ring;
+ struct rocker_dma_ring_info event_ring;
+@@ -3704,7 +3705,7 @@ static void rocker_fdb_cleanup(unsigned
+ struct rocker_port *rocker_port;
+ struct rocker_fdb_tbl_entry *entry;
+ struct hlist_node *tmp;
+- unsigned long next_timer = jiffies + BR_MIN_AGEING_TIME;
++ unsigned long next_timer = jiffies + rocker->ageing_time;
+ unsigned long expires;
+ unsigned long lock_flags;
+ int flags = ROCKER_OP_FLAG_NOWAIT | ROCKER_OP_FLAG_REMOVE |
+@@ -4367,8 +4368,12 @@ static int rocker_port_bridge_ageing_tim
+ struct switchdev_trans *trans,
+ u32 ageing_time)
+ {
++ struct rocker *rocker = rocker_port->rocker;
++
+ if (!switchdev_trans_ph_prepare(trans)) {
+ rocker_port->ageing_time = clock_t_to_jiffies(ageing_time);
++ if (rocker_port->ageing_time < rocker->ageing_time)
++ rocker->ageing_time = rocker_port->ageing_time;
+ mod_timer(&rocker_port->rocker->fdb_cleanup_timer, jiffies);
+ }
+
+@@ -5206,10 +5211,13 @@ static int rocker_probe(struct pci_dev *
+ goto err_init_tbls;
+ }
+
++ rocker->ageing_time = BR_DEFAULT_AGEING_TIME;
+ setup_timer(&rocker->fdb_cleanup_timer, rocker_fdb_cleanup,
+ (unsigned long) rocker);
+ mod_timer(&rocker->fdb_cleanup_timer, jiffies);
+
++ rocker->ageing_time = BR_DEFAULT_AGEING_TIME;
++
+ err = rocker_probe_ports(rocker);
+ if (err) {
+ dev_err(&pdev->dev, "failed to probe ports\n");
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Thu, 31 Mar 2016 18:10:31 +0200
+Subject: rtnl: fix msg size calculation in if_nlmsg_size()
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit c57c7a95da842807b475b823ed2e5435c42cb3b0 ]
+
+Size of the attribute IFLA_PHYS_PORT_NAME was missing.
+
+Fixes: db24a9044ee1 ("net: add support for phys_port_name")
+CC: David Ahern <dsahern@gmail.com>
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Acked-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -905,6 +905,7 @@ static noinline size_t if_nlmsg_size(con
+ + rtnl_link_get_af_size(dev, ext_filter_mask) /* IFLA_AF_SPEC */
+ + nla_total_size(MAX_PHYS_ITEM_ID_LEN) /* IFLA_PHYS_PORT_ID */
+ + nla_total_size(MAX_PHYS_ITEM_ID_LEN) /* IFLA_PHYS_SWITCH_ID */
++ + nla_total_size(IFNAMSIZ) /* IFLA_PHYS_PORT_NAME */
+ + nla_total_size(1); /* IFLA_PROTO_DOWN */
+
+ }
drm-amdgpu-gmc-move-vram-type-fetching-into-sw_init.patch
drm-amdgpu-gmc-use-proper-register-for-vram-type-on-fiji.patch
xen-events-mask-a-moving-irq.patch
+net-validate-variable-length-ll-headers.patch
+ax25-add-link-layer-header-validation-function.patch
+packet-validate-variable-length-ll-headers.patch
+bpf-avoid-copying-junk-bytes-in-bpf_get_current_comm.patch
+net-dsa-fix-cleanup-resources-upon-module-removal.patch
+sh_eth-fix-null-pointer-dereference-in-sh_eth_ring_format.patch
+sh_eth-advance-rxdesc-later-in-sh_eth_ring_format.patch
+qlcnic-remove-unnecessary-usage-of-atomic_t.patch
+qlcnic-fix-mailbox-completion-handling-during-spurious-interrupt.patch
+macvtap-always-pass-ethernet-header-in-linear.patch
+mlxsw-spectrum-check-requested-ageing-time-is-valid.patch
+rocker-set-fdb-cleanup-timer-according-to-lowest-ageing-time.patch
+bridge-allow-zero-ageing-time.patch
+ipv4-don-t-do-expensive-useless-work-during-inetdev-destroy.patch
+net-fix-use-after-free-in-the-recvmmsg-exit-path.patch
+mlx4-add-missing-braces-in-verify_qp_parameters.patch
+farsync-fix-off-by-one-bug-in-fst_add_one.patch
+ath9k-fix-buffer-overrun-for-ar9287.patch
+net-mvneta-fix-spinlock-usage.patch
+ppp-ensure-file-private_data-can-t-be-overridden.patch
+tcp-dccp-remove-obsolete-warn_on-in-icmp-handlers.patch
+qlge-fix-receive-packets-drop.patch
+net-bcmgenet-fix-dma-api-length-mismatch.patch
+bonding-fix-bond_get_stats.patch
+ipv4-fix-broadcast-packets-reception.patch
+ipv4-initialize-flowi4_flags-before-calling-fib_lookup.patch
+ppp-take-reference-on-channels-netns.patch
+xfrm-fix-crash-observed-during-device-unregistration-and-decryption.patch
+qmi_wwan-add-d-link-dwm-221-b1-device-id.patch
+ipv6-udp-fix-udp_mib_ignoredmulti-updates.patch
+bridge-allow-set-bridge-ageing-time-when-switchdev-disabled.patch
+rtnl-fix-msg-size-calculation-in-if_nlmsg_size.patch
+tun-bpf-fix-suspicious-rcu-usage-in-tun_-attach-detach-_filter.patch
+tuntap-restore-default-qdisc.patch
+ipv4-l2tp-fix-a-potential-issue-in-l2tp_ip_recv.patch
+ipv6-l2tp-fix-a-potential-issue-in-l2tp_ip6_recv.patch
+ip6_tunnel-set-rtnl_link_ops-before-calling-register_netdevice.patch
+ipv6-count-in-extension-headers-in-skb-network_header.patch
+mpls-find_outdev-check-for-err-ptr-in-addition-to-null-check.patch
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Tue, 8 Mar 2016 01:37:09 +0300
+Subject: sh_eth: advance 'rxdesc' later in sh_eth_ring_format()
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit d0ba913488dc8c55d1880f5ed34f096dc45fb05d ]
+
+Iff dma_map_single() fails, 'rxdesc' should point to the last filled RX
+descriptor, so that it can be marked as the last one, however the driver
+would have already advanced it by that time. In order to fix that, only
+fill an RX descriptor once all the data for it is ready.
+
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -1136,11 +1136,8 @@ static void sh_eth_ring_format(struct ne
+ break;
+ sh_eth_set_receive_align(skb);
+
+- /* RX descriptor */
+- rxdesc = &mdp->rx_ring[i];
+ /* The size of the buffer is a multiple of 32 bytes. */
+ buf_len = ALIGN(mdp->rx_buf_sz, 32);
+- rxdesc->len = cpu_to_le32(buf_len << 16);
+ dma_addr = dma_map_single(&ndev->dev, skb->data, buf_len,
+ DMA_FROM_DEVICE);
+ if (dma_mapping_error(&ndev->dev, dma_addr)) {
+@@ -1148,6 +1145,10 @@ static void sh_eth_ring_format(struct ne
+ break;
+ }
+ mdp->rx_skbuff[i] = skb;
++
++ /* RX descriptor */
++ rxdesc = &mdp->rx_ring[i];
++ rxdesc->len = cpu_to_le32(buf_len << 16);
+ rxdesc->addr = cpu_to_le32(dma_addr);
+ rxdesc->status = cpu_to_le32(RD_RACT | RD_RFP);
+
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Date: Tue, 8 Mar 2016 01:36:28 +0300
+Subject: sh_eth: fix NULL pointer dereference in sh_eth_ring_format()
+
+From: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+
+[ Upstream commit c1b7fca65070bfadca94dd53a4e6b71cd4f69715 ]
+
+In a low memory situation, if netdev_alloc_skb() fails on a first RX ring
+loop iteration in sh_eth_ring_format(), 'rxdesc' is still NULL. Avoid
+kernel oops by adding the 'rxdesc' check after the loop.
+
+Reported-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -1163,7 +1163,8 @@ static void sh_eth_ring_format(struct ne
+ mdp->dirty_rx = (u32) (i - mdp->num_rx_ring);
+
+ /* Mark the last entry as wrapping the ring. */
+- rxdesc->status |= cpu_to_le32(RD_RDLE);
++ if (rxdesc)
++ rxdesc->status |= cpu_to_le32(RD_RDLE);
+
+ memset(mdp->tx_ring, 0, tx_ringsize);
+
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 16 Mar 2016 22:52:15 -0700
+Subject: tcp/dccp: remove obsolete WARN_ON() in icmp handlers
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e316ea62e3203d524ff0239a40c56d3a39ad1b5c ]
+
+Now SYN_RECV request sockets are installed in ehash table, an ICMP
+handler can find a request socket while another cpu handles an incoming
+packet transforming this SYN_RECV request socket into an ESTABLISHED
+socket.
+
+We need to remove the now obsolete WARN_ON(req->sk), since req->sk
+is set when a new child is created and added into listener accept queue.
+
+If this race happens, the ICMP will do nothing special.
+
+Fixes: 079096f103fa ("tcp/dccp: install syn_recv requests into ehash table")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Ben Lazarus <blazarus@google.com>
+Reported-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/ipv4.c | 2 --
+ net/ipv4/tcp_ipv4.c | 2 --
+ 2 files changed, 4 deletions(-)
+
+--- a/net/dccp/ipv4.c
++++ b/net/dccp/ipv4.c
+@@ -204,8 +204,6 @@ void dccp_req_err(struct sock *sk, u64 s
+ * ICMPs are not backlogged, hence we cannot get an established
+ * socket here.
+ */
+- WARN_ON(req->sk);
+-
+ if (!between48(seq, dccp_rsk(req)->dreq_iss, dccp_rsk(req)->dreq_gss)) {
+ NET_INC_STATS_BH(net, LINUX_MIB_OUTOFWINDOWICMPS);
+ } else {
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -319,8 +319,6 @@ void tcp_req_err(struct sock *sk, u32 se
+ /* ICMPs are not backlogged, hence we cannot get
+ * an established socket here.
+ */
+- WARN_ON(req->sk);
+-
+ if (seq != tcp_rsk(req)->snt_isn) {
+ NET_INC_STATS_BH(net, LINUX_MIB_OUTOFWINDOWICMPS);
+ } else if (abort) {
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu, 31 Mar 2016 02:13:18 +0200
+Subject: tun, bpf: fix suspicious RCU usage in tun_{attach, detach}_filter
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 5a5abb1fa3b05dd6aa821525832644c1e7d2905f ]
+
+Sasha Levin reported a suspicious rcu_dereference_protected() warning
+found while fuzzing with trinity that is similar to this one:
+
+ [ 52.765684] net/core/filter.c:2262 suspicious rcu_dereference_protected() usage!
+ [ 52.765688] other info that might help us debug this:
+ [ 52.765695] rcu_scheduler_active = 1, debug_locks = 1
+ [ 52.765701] 1 lock held by a.out/1525:
+ [ 52.765704] #0: (rtnl_mutex){+.+.+.}, at: [<ffffffff816a64b7>] rtnl_lock+0x17/0x20
+ [ 52.765721] stack backtrace:
+ [ 52.765728] CPU: 1 PID: 1525 Comm: a.out Not tainted 4.5.0+ #264
+ [...]
+ [ 52.765768] Call Trace:
+ [ 52.765775] [<ffffffff813e488d>] dump_stack+0x85/0xc8
+ [ 52.765784] [<ffffffff810f2fa5>] lockdep_rcu_suspicious+0xd5/0x110
+ [ 52.765792] [<ffffffff816afdc2>] sk_detach_filter+0x82/0x90
+ [ 52.765801] [<ffffffffa0883425>] tun_detach_filter+0x35/0x90 [tun]
+ [ 52.765810] [<ffffffffa0884ed4>] __tun_chr_ioctl+0x354/0x1130 [tun]
+ [ 52.765818] [<ffffffff8136fed0>] ? selinux_file_ioctl+0x130/0x210
+ [ 52.765827] [<ffffffffa0885ce3>] tun_chr_ioctl+0x13/0x20 [tun]
+ [ 52.765834] [<ffffffff81260ea6>] do_vfs_ioctl+0x96/0x690
+ [ 52.765843] [<ffffffff81364af3>] ? security_file_ioctl+0x43/0x60
+ [ 52.765850] [<ffffffff81261519>] SyS_ioctl+0x79/0x90
+ [ 52.765858] [<ffffffff81003ba2>] do_syscall_64+0x62/0x140
+ [ 52.765866] [<ffffffff817d563f>] entry_SYSCALL64_slow_path+0x25/0x25
+
+Same can be triggered with PROVE_RCU (+ PROVE_RCU_REPEATEDLY) enabled
+from tun_attach_filter() when user space calls ioctl(tun_fd, TUN{ATTACH,
+DETACH}FILTER, ...) for adding/removing a BPF filter on tap devices.
+
+Since the fix in f91ff5b9ff52 ("net: sk_{detach|attach}_filter() rcu
+fixes") sk_attach_filter()/sk_detach_filter() now dereferences the
+filter with rcu_dereference_protected(), checking whether socket lock
+is held in control path.
+
+Since its introduction in 994051625981 ("tun: socket filter support"),
+tap filters are managed under RTNL lock from __tun_chr_ioctl(). Thus the
+sock_owned_by_user(sk) doesn't apply in this specific case and therefore
+triggers the false positive.
+
+Extend the BPF API with __sk_attach_filter()/__sk_detach_filter() pair
+that is used by tap filters and pass in lockdep_rtnl_is_held() for the
+rcu_dereference_protected() checks instead.
+
+Reported-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c | 8 +++++---
+ include/linux/filter.h | 4 ++++
+ net/core/filter.c | 33 +++++++++++++++++++++------------
+ 3 files changed, 30 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -621,7 +621,8 @@ static int tun_attach(struct tun_struct
+
+ /* Re-attach the filter to persist device */
+ if (!skip_filter && (tun->filter_attached == true)) {
+- err = sk_attach_filter(&tun->fprog, tfile->socket.sk);
++ err = __sk_attach_filter(&tun->fprog, tfile->socket.sk,
++ lockdep_rtnl_is_held());
+ if (!err)
+ goto out;
+ }
+@@ -1807,7 +1808,7 @@ static void tun_detach_filter(struct tun
+
+ for (i = 0; i < n; i++) {
+ tfile = rtnl_dereference(tun->tfiles[i]);
+- sk_detach_filter(tfile->socket.sk);
++ __sk_detach_filter(tfile->socket.sk, lockdep_rtnl_is_held());
+ }
+
+ tun->filter_attached = false;
+@@ -1820,7 +1821,8 @@ static int tun_attach_filter(struct tun_
+
+ for (i = 0; i < tun->numqueues; i++) {
+ tfile = rtnl_dereference(tun->tfiles[i]);
+- ret = sk_attach_filter(&tun->fprog, tfile->socket.sk);
++ ret = __sk_attach_filter(&tun->fprog, tfile->socket.sk,
++ lockdep_rtnl_is_held());
+ if (ret) {
+ tun_detach_filter(tun, i);
+ return ret;
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -465,10 +465,14 @@ int bpf_prog_create_from_user(struct bpf
+ void bpf_prog_destroy(struct bpf_prog *fp);
+
+ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk);
++int __sk_attach_filter(struct sock_fprog *fprog, struct sock *sk,
++ bool locked);
+ int sk_attach_bpf(u32 ufd, struct sock *sk);
+ int sk_reuseport_attach_filter(struct sock_fprog *fprog, struct sock *sk);
+ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk);
+ int sk_detach_filter(struct sock *sk);
++int __sk_detach_filter(struct sock *sk, bool locked);
++
+ int sk_get_filter(struct sock *sk, struct sock_filter __user *filter,
+ unsigned int len);
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -1147,7 +1147,8 @@ void bpf_prog_destroy(struct bpf_prog *f
+ }
+ EXPORT_SYMBOL_GPL(bpf_prog_destroy);
+
+-static int __sk_attach_prog(struct bpf_prog *prog, struct sock *sk)
++static int __sk_attach_prog(struct bpf_prog *prog, struct sock *sk,
++ bool locked)
+ {
+ struct sk_filter *fp, *old_fp;
+
+@@ -1163,10 +1164,8 @@ static int __sk_attach_prog(struct bpf_p
+ return -ENOMEM;
+ }
+
+- old_fp = rcu_dereference_protected(sk->sk_filter,
+- sock_owned_by_user(sk));
++ old_fp = rcu_dereference_protected(sk->sk_filter, locked);
+ rcu_assign_pointer(sk->sk_filter, fp);
+-
+ if (old_fp)
+ sk_filter_uncharge(sk, old_fp);
+
+@@ -1245,7 +1244,8 @@ struct bpf_prog *__get_filter(struct soc
+ * occurs or there is insufficient memory for the filter a negative
+ * errno code is returned. On success the return is zero.
+ */
+-int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
++int __sk_attach_filter(struct sock_fprog *fprog, struct sock *sk,
++ bool locked)
+ {
+ struct bpf_prog *prog = __get_filter(fprog, sk);
+ int err;
+@@ -1253,7 +1253,7 @@ int sk_attach_filter(struct sock_fprog *
+ if (IS_ERR(prog))
+ return PTR_ERR(prog);
+
+- err = __sk_attach_prog(prog, sk);
++ err = __sk_attach_prog(prog, sk, locked);
+ if (err < 0) {
+ __bpf_prog_release(prog);
+ return err;
+@@ -1261,7 +1261,12 @@ int sk_attach_filter(struct sock_fprog *
+
+ return 0;
+ }
+-EXPORT_SYMBOL_GPL(sk_attach_filter);
++EXPORT_SYMBOL_GPL(__sk_attach_filter);
++
++int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
++{
++ return __sk_attach_filter(fprog, sk, sock_owned_by_user(sk));
++}
+
+ int sk_reuseport_attach_filter(struct sock_fprog *fprog, struct sock *sk)
+ {
+@@ -1307,7 +1312,7 @@ int sk_attach_bpf(u32 ufd, struct sock *
+ if (IS_ERR(prog))
+ return PTR_ERR(prog);
+
+- err = __sk_attach_prog(prog, sk);
++ err = __sk_attach_prog(prog, sk, sock_owned_by_user(sk));
+ if (err < 0) {
+ bpf_prog_put(prog);
+ return err;
+@@ -2105,7 +2110,7 @@ static int __init register_sk_filter_ops
+ }
+ late_initcall(register_sk_filter_ops);
+
+-int sk_detach_filter(struct sock *sk)
++int __sk_detach_filter(struct sock *sk, bool locked)
+ {
+ int ret = -ENOENT;
+ struct sk_filter *filter;
+@@ -2113,8 +2118,7 @@ int sk_detach_filter(struct sock *sk)
+ if (sock_flag(sk, SOCK_FILTER_LOCKED))
+ return -EPERM;
+
+- filter = rcu_dereference_protected(sk->sk_filter,
+- sock_owned_by_user(sk));
++ filter = rcu_dereference_protected(sk->sk_filter, locked);
+ if (filter) {
+ RCU_INIT_POINTER(sk->sk_filter, NULL);
+ sk_filter_uncharge(sk, filter);
+@@ -2123,7 +2127,12 @@ int sk_detach_filter(struct sock *sk)
+
+ return ret;
+ }
+-EXPORT_SYMBOL_GPL(sk_detach_filter);
++EXPORT_SYMBOL_GPL(__sk_detach_filter);
++
++int sk_detach_filter(struct sock *sk)
++{
++ return __sk_detach_filter(sk, sock_owned_by_user(sk));
++}
+
+ int sk_get_filter(struct sock *sk, struct sock_filter __user *ubuf,
+ unsigned int len)
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 8 Apr 2016 13:26:48 +0800
+Subject: tuntap: restore default qdisc
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit 016adb7260f481168c03e09f785184d6d5278894 ]
+
+After commit f84bb1eac027 ("net: fix IFF_NO_QUEUE for drivers using
+alloc_netdev"), default qdisc was changed to noqueue because
+tuntap does not set tx_queue_len during .setup(). This patch restores
+default qdisc by setting tx_queue_len in tun_setup().
+
+Fixes: f84bb1eac027 ("net: fix IFF_NO_QUEUE for drivers using alloc_netdev")
+Cc: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1001,7 +1001,6 @@ static void tun_net_init(struct net_devi
+ /* Zero header length */
+ dev->type = ARPHRD_NONE;
+ dev->flags = IFF_POINTOPOINT | IFF_NOARP | IFF_MULTICAST;
+- dev->tx_queue_len = TUN_READQ_SIZE; /* We prefer our own queue length */
+ break;
+
+ case IFF_TAP:
+@@ -1013,7 +1012,6 @@ static void tun_net_init(struct net_devi
+
+ eth_hw_addr_random(dev);
+
+- dev->tx_queue_len = TUN_READQ_SIZE; /* We prefer our own queue length */
+ break;
+ }
+ }
+@@ -1467,6 +1465,8 @@ static void tun_setup(struct net_device
+
+ dev->ethtool_ops = &tun_ethtool_ops;
+ dev->destructor = tun_free_netdev;
++ /* We prefer our own queue length */
++ dev->tx_queue_len = TUN_READQ_SIZE;
+ }
+
+ /* Trivial set of netlink ops to allow deleting tun or tap
--- /dev/null
+From foo@baz Sat Apr 16 09:15:18 PDT 2016
+From: "subashab@codeaurora.org" <subashab@codeaurora.org>
+Date: Wed, 23 Mar 2016 22:39:50 -0600
+Subject: xfrm: Fix crash observed during device unregistration and decryption
+
+From: "subashab@codeaurora.org" <subashab@codeaurora.org>
+
+[ Upstream commit 071d36bf21bcc837be00cea55bcef8d129e7f609 ]
+
+A crash is observed when a decrypted packet is processed in receive
+path. get_rps_cpus() tries to dereference the skb->dev fields but it
+appears that the device is freed from the poison pattern.
+
+[<ffffffc000af58ec>] get_rps_cpu+0x94/0x2f0
+[<ffffffc000af5f94>] netif_rx_internal+0x140/0x1cc
+[<ffffffc000af6094>] netif_rx+0x74/0x94
+[<ffffffc000bc0b6c>] xfrm_input+0x754/0x7d0
+[<ffffffc000bc0bf8>] xfrm_input_resume+0x10/0x1c
+[<ffffffc000ba6eb8>] esp_input_done+0x20/0x30
+[<ffffffc0000b64c8>] process_one_work+0x244/0x3fc
+[<ffffffc0000b7324>] worker_thread+0x2f8/0x418
+[<ffffffc0000bb40c>] kthread+0xe0/0xec
+
+-013|get_rps_cpu(
+ | dev = 0xFFFFFFC08B688000,
+ | skb = 0xFFFFFFC0C76AAC00 -> (
+ | dev = 0xFFFFFFC08B688000 -> (
+ | name =
+"......................................................
+ | name_hlist = (next = 0xAAAAAAAAAAAAAAAA, pprev =
+0xAAAAAAAAAAA
+
+Following are the sequence of events observed -
+
+- Encrypted packet in receive path from netdevice is queued
+- Encrypted packet queued for decryption (asynchronous)
+- Netdevice brought down and freed
+- Packet is decrypted and returned through callback in esp_input_done
+- Packet is queued again for process in network stack using netif_rx
+
+Since the device appears to have been freed, the dereference of
+skb->dev in get_rps_cpus() leads to an unhandled page fault
+exception.
+
+Fix this by holding on to device reference when queueing packets
+asynchronously and releasing the reference on call back return.
+
+v2: Make the change generic to xfrm as mentioned by Steffen and
+update the title to xfrm
+
+Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Jerome Stanislaus <jeromes@codeaurora.org>
+Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_input.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -292,12 +292,15 @@ int xfrm_input(struct sk_buff *skb, int
+ XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;
+
+ skb_dst_force(skb);
++ dev_hold(skb->dev);
+
+ nexthdr = x->type->input(x, skb);
+
+ if (nexthdr == -EINPROGRESS)
+ return 0;
+ resume:
++ dev_put(skb->dev);
++
+ spin_lock(&x->lock);
+ if (nexthdr <= 0) {
+ if (nexthdr == -EBADMSG) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
