--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Fri, 17 Jan 2020 00:32:47 -0500
+Subject: bnxt_en: Do not treat DSN (Digital Serial Number) read failure as fatal.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit d061b2411d5f3d6272187ab734ce0640827fca13 ]
+
+DSN read can fail, for example on a kdump kernel without PCIe extended
+config space support. If DSN read fails, don't set the
+BNXT_FLAG_DSN_VALID flag and continue loading. Check the flag
+to see if the stored DSN is valid before using it. Only VF reps
+creation should fail without valid DSN.
+
+Fixes: 03213a996531 ("bnxt: move bp->switch_id initialization to PF probe")
+Reported-by: Marc Smith <msmith626@gmail.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 7 +++----
+ drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 +
+ drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c | 3 +++
+ 3 files changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -11299,7 +11299,7 @@ int bnxt_get_port_parent_id(struct net_d
+ return -EOPNOTSUPP;
+
+ /* The PF and it's VF-reps only support the switchdev framework */
+- if (!BNXT_PF(bp))
++ if (!BNXT_PF(bp) || !(bp->flags & BNXT_FLAG_DSN_VALID))
+ return -EOPNOTSUPP;
+
+ ppid->id_len = sizeof(bp->switch_id);
+@@ -11691,6 +11691,7 @@ static int bnxt_pcie_dsn_get(struct bnxt
+ put_unaligned_le32(dw, &dsn[0]);
+ pci_read_config_dword(pdev, pos + 4, &dw);
+ put_unaligned_le32(dw, &dsn[4]);
++ bp->flags |= BNXT_FLAG_DSN_VALID;
+ return 0;
+ }
+
+@@ -11802,9 +11803,7 @@ static int bnxt_init_one(struct pci_dev
+
+ if (BNXT_PF(bp)) {
+ /* Read the adapter's DSN to use as the eswitch switch_id */
+- rc = bnxt_pcie_dsn_get(bp, bp->switch_id);
+- if (rc)
+- goto init_err_pci_clean;
++ bnxt_pcie_dsn_get(bp, bp->switch_id);
+ }
+
+ /* MTU range: 60 - FW defined max */
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+@@ -1510,6 +1510,7 @@ struct bnxt {
+ #define BNXT_FLAG_NO_AGG_RINGS 0x20000
+ #define BNXT_FLAG_RX_PAGE_MODE 0x40000
+ #define BNXT_FLAG_MULTI_HOST 0x100000
++ #define BNXT_FLAG_DSN_VALID 0x200000
+ #define BNXT_FLAG_DOUBLE_DB 0x400000
+ #define BNXT_FLAG_CHIP_NITRO_A0 0x1000000
+ #define BNXT_FLAG_DIM 0x2000000
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_vfr.c
+@@ -398,6 +398,9 @@ static int bnxt_vf_reps_create(struct bn
+ struct net_device *dev;
+ int rc, i;
+
++ if (!(bp->flags & BNXT_FLAG_DSN_VALID))
++ return -ENODEV;
++
+ bp->vf_reps = kcalloc(num_vfs, sizeof(vf_rep), GFP_KERNEL);
+ if (!bp->vf_reps)
+ return -ENOMEM;
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Fri, 17 Jan 2020 00:32:46 -0500
+Subject: bnxt_en: Fix ipv6 RFS filter matching logic.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 6fc7caa84e713f7627e171ab1e7c4b5be0dc9b3d ]
+
+Fix bnxt_fltr_match() to match ipv6 source and destination addresses.
+The function currently only checks ipv4 addresses and will not work
+corrently on ipv6 filters.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -10991,11 +10991,23 @@ static bool bnxt_fltr_match(struct bnxt_
+ struct flow_keys *keys1 = &f1->fkeys;
+ struct flow_keys *keys2 = &f2->fkeys;
+
+- if (keys1->addrs.v4addrs.src == keys2->addrs.v4addrs.src &&
+- keys1->addrs.v4addrs.dst == keys2->addrs.v4addrs.dst &&
+- keys1->ports.ports == keys2->ports.ports &&
+- keys1->basic.ip_proto == keys2->basic.ip_proto &&
+- keys1->basic.n_proto == keys2->basic.n_proto &&
++ if (keys1->basic.n_proto != keys2->basic.n_proto ||
++ keys1->basic.ip_proto != keys2->basic.ip_proto)
++ return false;
++
++ if (keys1->basic.n_proto == htons(ETH_P_IP)) {
++ if (keys1->addrs.v4addrs.src != keys2->addrs.v4addrs.src ||
++ keys1->addrs.v4addrs.dst != keys2->addrs.v4addrs.dst)
++ return false;
++ } else {
++ if (memcmp(&keys1->addrs.v6addrs.src, &keys2->addrs.v6addrs.src,
++ sizeof(keys1->addrs.v6addrs.src)) ||
++ memcmp(&keys1->addrs.v6addrs.dst, &keys2->addrs.v6addrs.dst,
++ sizeof(keys1->addrs.v6addrs.dst)))
++ return false;
++ }
++
++ if (keys1->ports.ports == keys2->ports.ports &&
+ keys1->control.flags == keys2->control.flags &&
+ ether_addr_equal(f1->src_mac_addr, f2->src_mac_addr) &&
+ ether_addr_equal(f1->dst_mac_addr, f2->dst_mac_addr))
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Fri, 17 Jan 2020 00:32:45 -0500
+Subject: bnxt_en: Fix NTUPLE firmware command failures.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit ceb3284c588eee5ea256c70e4d8d7cf399b8134e ]
+
+The NTUPLE related firmware commands are sent to the wrong firmware
+channel, causing all these commands to fail on new firmware that
+supports the new firmware channel. Fix it by excluding the 3
+NTUPLE firmware commands from the list for the new firmware channel.
+
+Fixes: 760b6d33410c ("bnxt_en: Add support for 2nd firmware message channel.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.h | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+@@ -1904,9 +1904,6 @@ static inline bool bnxt_cfa_hwrm_message
+ case HWRM_CFA_ENCAP_RECORD_FREE:
+ case HWRM_CFA_DECAP_FILTER_ALLOC:
+ case HWRM_CFA_DECAP_FILTER_FREE:
+- case HWRM_CFA_NTUPLE_FILTER_ALLOC:
+- case HWRM_CFA_NTUPLE_FILTER_FREE:
+- case HWRM_CFA_NTUPLE_FILTER_CFG:
+ case HWRM_CFA_EM_FLOW_ALLOC:
+ case HWRM_CFA_EM_FLOW_FREE:
+ case HWRM_CFA_EM_FLOW_CFG:
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Mohammed Gamal <mgamal@redhat.com>
+Date: Tue, 14 Jan 2020 15:09:50 +0200
+Subject: hv_netvsc: Fix memory leak when removing rndis device
+
+From: Mohammed Gamal <mgamal@redhat.com>
+
+[ Upstream commit 536dc5df2808efbefc5acee334d3c4f701790ec0 ]
+
+kmemleak detects the following memory leak when hot removing
+a network device:
+
+unreferenced object 0xffff888083f63600 (size 256):
+ comm "kworker/0:1", pid 12, jiffies 4294831717 (age 1113.676s)
+ hex dump (first 32 bytes):
+ 00 40 c7 33 80 88 ff ff 00 00 00 00 10 00 00 00 .@.3............
+ 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
+ backtrace:
+ [<00000000d4a8f5be>] rndis_filter_device_add+0x117/0x11c0 [hv_netvsc]
+ [<000000009c02d75b>] netvsc_probe+0x5e7/0xbf0 [hv_netvsc]
+ [<00000000ddafce23>] vmbus_probe+0x74/0x170 [hv_vmbus]
+ [<00000000046e64f1>] really_probe+0x22f/0xb50
+ [<000000005cc35eb7>] driver_probe_device+0x25e/0x370
+ [<0000000043c642b2>] bus_for_each_drv+0x11f/0x1b0
+ [<000000005e3d09f0>] __device_attach+0x1c6/0x2f0
+ [<00000000a72c362f>] bus_probe_device+0x1a6/0x260
+ [<0000000008478399>] device_add+0x10a3/0x18e0
+ [<00000000cf07b48c>] vmbus_device_register+0xe7/0x1e0 [hv_vmbus]
+ [<00000000d46cf032>] vmbus_add_channel_work+0x8ab/0x1770 [hv_vmbus]
+ [<000000002c94bb64>] process_one_work+0x919/0x17d0
+ [<0000000096de6781>] worker_thread+0x87/0xb40
+ [<00000000fbe7397e>] kthread+0x333/0x3f0
+ [<000000004f844269>] ret_from_fork+0x3a/0x50
+
+rndis_filter_device_add() allocates an instance of struct rndis_device
+which never gets deallocated as rndis_filter_device_remove() sets
+net_device->extension which points to the rndis_device struct to NULL,
+leaving the rndis_device dangling.
+
+Since net_device->extension is eventually freed in free_netvsc_device(),
+we refrain from setting it to NULL inside rndis_filter_device_remove()
+
+Signed-off-by: Mohammed Gamal <mgamal@redhat.com>
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/rndis_filter.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/hyperv/rndis_filter.c
++++ b/drivers/net/hyperv/rndis_filter.c
+@@ -1436,8 +1436,6 @@ void rndis_filter_device_remove(struct h
+ /* Halt and release the rndis device */
+ rndis_filter_halt_device(net_dev, rndis_dev);
+
+- net_dev->extension = NULL;
+-
+ netvsc_device_remove(dev);
+ }
+
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Wed, 25 Sep 2019 10:48:30 -0500
+Subject: i40e: prevent memory leak in i40e_setup_macvlans
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 27d461333459d282ffa4a2bdb6b215a59d493a8f ]
+
+In i40e_setup_macvlans if i40e_setup_channel fails the allocated memory
+for ch should be released.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
+@@ -7168,6 +7168,7 @@ static int i40e_setup_macvlans(struct i4
+ ch->num_queue_pairs = qcnt;
+ if (!i40e_setup_channel(pf, vsi, ch)) {
+ ret = -EINVAL;
++ kfree(ch);
+ goto err_free;
+ }
+ ch->parent_vsi = vsi;
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Wed, 15 Jan 2020 13:02:38 -0800
+Subject: net: avoid updating qdisc_xmit_lock_key in netdev_update_lockdep_key()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 53d374979ef147ab51f5d632dfe20b14aebeccd0 ]
+
+syzbot reported some bogus lockdep warnings, for example bad unlock
+balance in sch_direct_xmit(). They are due to a race condition between
+slow path and fast path, that is qdisc_xmit_lock_key gets re-registered
+in netdev_update_lockdep_key() on slow path, while we could still
+acquire the queue->_xmit_lock on fast path in this small window:
+
+CPU A CPU B
+ __netif_tx_lock();
+lockdep_unregister_key(qdisc_xmit_lock_key);
+ __netif_tx_unlock();
+lockdep_register_key(qdisc_xmit_lock_key);
+
+In fact, unlike the addr_list_lock which has to be reordered when
+the master/slave device relationship changes, queue->_xmit_lock is
+only acquired on fast path and only when NETIF_F_LLTX is not set,
+so there is likely no nested locking for it.
+
+Therefore, we can just get rid of re-registration of
+qdisc_xmit_lock_key.
+
+Reported-by: syzbot+4ec99438ed7450da6272@syzkaller.appspotmail.com
+Fixes: ab92d68fc22f ("net: core: add generic lockdep keys")
+Cc: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -8953,22 +8953,10 @@ static void netdev_unregister_lockdep_ke
+
+ void netdev_update_lockdep_key(struct net_device *dev)
+ {
+- struct netdev_queue *queue;
+- int i;
+-
+- lockdep_unregister_key(&dev->qdisc_xmit_lock_key);
+ lockdep_unregister_key(&dev->addr_list_lock_key);
+-
+- lockdep_register_key(&dev->qdisc_xmit_lock_key);
+ lockdep_register_key(&dev->addr_list_lock_key);
+
+ lockdep_set_class(&dev->addr_list_lock, &dev->addr_list_lock_key);
+- for (i = 0; i < dev->num_tx_queues; i++) {
+- queue = netdev_get_tx_queue(dev, i);
+-
+- lockdep_set_class(&queue->_xmit_lock,
+- &dev->qdisc_xmit_lock_key);
+- }
+ }
+ EXPORT_SYMBOL(netdev_update_lockdep_key);
+
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Thu, 16 Jan 2020 12:55:48 -0800
+Subject: net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 8f1880cbe8d0d49ebb7e9ae409b3b96676e5aa97 ]
+
+With the implementation of the system reset controller we lost a setting
+that is currently applied by the bootloader and which configures the IMP
+port for 2Gb/sec, the default is 1Gb/sec. This is needed given the
+number of ports and applications we expect to run so bring back that
+setting.
+
+Fixes: 01b0ac07589e ("net: dsa: bcm_sf2: Add support for optional reset controller line")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/bcm_sf2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -68,7 +68,7 @@ static void bcm_sf2_imp_setup(struct dsa
+
+ /* Force link status for IMP port */
+ reg = core_readl(priv, offset);
+- reg |= (MII_SW_OR | LINK_STS);
++ reg |= (MII_SW_OR | LINK_STS | GMII_SPEED_UP_2G);
+ core_writel(priv, reg, offset);
+
+ /* Enable Broadcast, Multicast, Unicast forwarding to IMP port */
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+Date: Thu, 16 Jan 2020 20:43:27 +0200
+Subject: net: dsa: sja1105: Don't error out on disabled ports with no phy-mode
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 27afe0d34e9121a3d61cc0af9b17c2542dadde24 ]
+
+The sja1105_parse_ports_node function was tested only on device trees
+where all ports were enabled. Fix this check so that the driver
+continues to probe only with the ports where status is not "disabled",
+as expected.
+
+Fixes: 8aa9ebccae87 ("net: dsa: Introduce driver for NXP SJA1105 5-port L2 switch")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -619,7 +619,7 @@ static int sja1105_parse_ports_node(stru
+ struct device *dev = &priv->spidev->dev;
+ struct device_node *child;
+
+- for_each_child_of_node(ports_node, child) {
++ for_each_available_child_of_node(ports_node, child) {
+ struct device_node *phy_node;
+ int phy_mode;
+ u32 index;
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Alexander Lobakin <alobakin@dlink.ru>
+Date: Wed, 15 Jan 2020 11:54:38 +0300
+Subject: net: dsa: tag_gswip: fix typo in tagger name
+
+From: Alexander Lobakin <alobakin@dlink.ru>
+
+[ Upstream commit ad32205470919c8e04cdd33e0613bdba50c2376d ]
+
+The correct name is GSWIP (Gigabit Switch IP). Typo was introduced in
+875138f81d71a ("dsa: Move tagger name into its ops structure") while
+moving tagger names to their structures.
+
+Fixes: 875138f81d71a ("dsa: Move tagger name into its ops structure")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Alexander Lobakin <alobakin@dlink.ru>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/tag_gswip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/dsa/tag_gswip.c
++++ b/net/dsa/tag_gswip.c
+@@ -104,7 +104,7 @@ static struct sk_buff *gswip_tag_rcv(str
+ }
+
+ static const struct dsa_device_ops gswip_netdev_ops = {
+- .name = "gwsip",
++ .name = "gswip",
+ .proto = DSA_TAG_PROTO_GSWIP,
+ .xmit = gswip_tag_xmit,
+ .rcv = gswip_tag_rcv,
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Alexander Lobakin <alobakin@dlink.ru>
+Date: Wed, 15 Jan 2020 11:56:52 +0300
+Subject: net: dsa: tag_qca: fix doubled Tx statistics
+
+From: Alexander Lobakin <alobakin@dlink.ru>
+
+[ Upstream commit bd5874da57edd001b35cf28ae737779498c16a56 ]
+
+DSA subsystem takes care of netdev statistics since commit 4ed70ce9f01c
+("net: dsa: Refactor transmit path to eliminate duplication"), so
+any accounting inside tagger callbacks is redundant and can lead to
+messing up the stats.
+This bug is present in Qualcomm tagger since day 0.
+
+Fixes: cafdc45c949b ("net-next: dsa: add Qualcomm tag RX/TX handler")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Alexander Lobakin <alobakin@dlink.ru>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/tag_qca.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/net/dsa/tag_qca.c
++++ b/net/dsa/tag_qca.c
+@@ -33,9 +33,6 @@ static struct sk_buff *qca_tag_xmit(stru
+ struct dsa_port *dp = dsa_slave_to_port(dev);
+ u16 *phdr, hdr;
+
+- dev->stats.tx_packets++;
+- dev->stats.tx_bytes += skb->len;
+-
+ if (skb_cow_head(skb, 0) < 0)
+ return NULL;
+
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Date: Wed, 15 Jan 2020 13:02:42 +0900
+Subject: net: ethernet: ave: Avoid lockdep warning
+
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+
+[ Upstream commit 82d5d6a638cbd12b7dfe8acafd9efd87a656cc06 ]
+
+When building with PROVE_LOCKING=y, lockdep shows the following
+dump message.
+
+ INFO: trying to register non-static key.
+ the code is fine but needs lockdep annotation.
+ turning off the locking correctness validator.
+ ...
+
+Calling device_set_wakeup_enable() directly occurs this issue,
+and it isn't necessary for initialization, so this patch creates
+internal function __ave_ethtool_set_wol() and replaces with this
+in ave_init() and ave_resume().
+
+Fixes: 7200f2e3c9e2 ("net: ethernet: ave: Set initial wol state to disabled")
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/socionext/sni_ave.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/socionext/sni_ave.c
++++ b/drivers/net/ethernet/socionext/sni_ave.c
+@@ -424,16 +424,22 @@ static void ave_ethtool_get_wol(struct n
+ phy_ethtool_get_wol(ndev->phydev, wol);
+ }
+
+-static int ave_ethtool_set_wol(struct net_device *ndev,
+- struct ethtool_wolinfo *wol)
++static int __ave_ethtool_set_wol(struct net_device *ndev,
++ struct ethtool_wolinfo *wol)
+ {
+- int ret;
+-
+ if (!ndev->phydev ||
+ (wol->wolopts & (WAKE_ARP | WAKE_MAGICSECURE)))
+ return -EOPNOTSUPP;
+
+- ret = phy_ethtool_set_wol(ndev->phydev, wol);
++ return phy_ethtool_set_wol(ndev->phydev, wol);
++}
++
++static int ave_ethtool_set_wol(struct net_device *ndev,
++ struct ethtool_wolinfo *wol)
++{
++ int ret;
++
++ ret = __ave_ethtool_set_wol(ndev, wol);
+ if (!ret)
+ device_set_wakeup_enable(&ndev->dev, !!wol->wolopts);
+
+@@ -1216,7 +1222,7 @@ static int ave_init(struct net_device *n
+
+ /* set wol initial state disabled */
+ wol.wolopts = 0;
+- ave_ethtool_set_wol(ndev, &wol);
++ __ave_ethtool_set_wol(ndev, &wol);
+
+ if (!phy_interface_is_rgmii(phydev))
+ phy_set_max_speed(phydev, SPEED_100);
+@@ -1768,7 +1774,7 @@ static int ave_resume(struct device *dev
+
+ ave_ethtool_get_wol(ndev, &wol);
+ wol.wolopts = priv->wolopts;
+- ave_ethtool_set_wol(ndev, &wol);
++ __ave_ethtool_set_wol(ndev, &wol);
+
+ if (ndev->phydev) {
+ ret = phy_resume(ndev->phydev);
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Yonglong Liu <liuyonglong@huawei.com>
+Date: Thu, 16 Jan 2020 15:41:17 +0800
+Subject: net: hns: fix soft lockup when there is not enough memory
+
+From: Yonglong Liu <liuyonglong@huawei.com>
+
+[ Upstream commit 49edd6a2c456150870ddcef5b7ed11b21d849e13 ]
+
+When there is not enough memory and napi_alloc_skb() return NULL,
+the HNS driver will print error message, and than try again, if
+the memory is not enough for a while, huge error message and the
+retry operation will cause soft lockup.
+
+When napi_alloc_skb() return NULL because of no memory, we can
+get a warn_alloc() call trace, so this patch deletes the error
+message. We already use polling mode to handle irq, but the
+retry operation will render the polling weight inactive, this
+patch just return budget when the rx is not completed to avoid
+dead loop.
+
+Fixes: 36eedfde1a36 ("net: hns: Optimize hns_nic_common_poll for better performance")
+Fixes: b5996f11ea54 ("net: add Hisilicon Network Subsystem basic ethernet support")
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns/hns_enet.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+@@ -565,7 +565,6 @@ static int hns_nic_poll_rx_skb(struct hn
+ skb = *out_skb = napi_alloc_skb(&ring_data->napi,
+ HNS_RX_HEAD_SIZE);
+ if (unlikely(!skb)) {
+- netdev_err(ndev, "alloc rx skb fail\n");
+ ring->stats.sw_err_cnt++;
+ return -ENOMEM;
+ }
+@@ -1056,7 +1055,6 @@ static int hns_nic_common_poll(struct na
+ container_of(napi, struct hns_nic_ring_data, napi);
+ struct hnae_ring *ring = ring_data->ring;
+
+-try_again:
+ clean_complete += ring_data->poll_one(
+ ring_data, budget - clean_complete,
+ ring_data->ex_process);
+@@ -1066,7 +1064,7 @@ try_again:
+ napi_complete(napi);
+ ring->q->handle->dev->ops->toggle_ring_irq(ring, 0);
+ } else {
+- goto try_again;
++ return budget;
+ }
+ }
+
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Yunsheng Lin <linyunsheng@huawei.com>
+Date: Wed, 15 Jan 2020 10:46:45 +0800
+Subject: net: hns3: pad the short frame before sending to the hardware
+
+From: Yunsheng Lin <linyunsheng@huawei.com>
+
+[ Upstream commit 36c67349a1a1c88b9cf11d7ca7762ababdb38867 ]
+
+The hardware can not handle short frames below or equal to 32
+bytes according to the hardware user manual, and it will trigger
+a RAS error when the frame's length is below 33 bytes.
+
+This patch pads the SKB when skb->len is below 33 bytes before
+sending it to hardware.
+
+Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
+Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -54,6 +54,8 @@ MODULE_PARM_DESC(debug, " Network interf
+ #define HNS3_INNER_VLAN_TAG 1
+ #define HNS3_OUTER_VLAN_TAG 2
+
++#define HNS3_MIN_TX_LEN 33U
++
+ /* hns3_pci_tbl - PCI Device ID Table
+ *
+ * Last entry must be all 0s
+@@ -1329,6 +1331,10 @@ netdev_tx_t hns3_nic_net_xmit(struct sk_
+ int ret;
+ int i;
+
++ /* Hardware can only handle short frames above 32 bytes */
++ if (skb_put_padto(skb, HNS3_MIN_TX_LEN))
++ return NETDEV_TX_OK;
++
+ /* Prefetch the data used later */
+ prefetch(skb->data);
+
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Date: Thu, 16 Jan 2020 14:16:31 +0100
+Subject: net: phy: dp83867: Set FORCE_LINK_GOOD to default after reset
+
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+
+[ Upstream commit 86ffe920e669ec73035e84553e18edf17d16317c ]
+
+According to the Datasheet this bit should be 0 (Normal operation) in
+default. With the FORCE_LINK_GOOD bit set, it is not possible to get a
+link. This patch sets FORCE_LINK_GOOD to the default value after
+resetting the phy.
+
+Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/dp83867.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/dp83867.c
++++ b/drivers/net/phy/dp83867.c
+@@ -80,6 +80,7 @@
+ #define DP83867_PHYCR_FIFO_DEPTH_MAX 0x03
+ #define DP83867_PHYCR_FIFO_DEPTH_MASK GENMASK(15, 14)
+ #define DP83867_PHYCR_RESERVED_MASK BIT(11)
++#define DP83867_PHYCR_FORCE_LINK_GOOD BIT(10)
+
+ /* RGMIIDCTL bits */
+ #define DP83867_RGMII_TX_CLK_DELAY_MAX 0xf
+@@ -454,7 +455,12 @@ static int dp83867_phy_reset(struct phy_
+
+ usleep_range(10, 20);
+
+- return 0;
++ /* After reset FORCE_LINK_GOOD bit is set. Although the
++ * default value should be unset. Disable FORCE_LINK_GOOD
++ * for the phy to work properly.
++ */
++ return phy_modify(phydev, MII_DP83867_PHYCTRL,
++ DP83867_PHYCR_FORCE_LINK_GOOD, 0);
+ }
+
+ static struct phy_driver dp83867_driver[] = {
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 18 Jan 2020 20:45:06 -0800
+Subject: net: sched: act_ctinfo: fix memory leak
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 09d4f10a5e78d76a53e3e584f1e6a701b6d24108 ]
+
+Implement a cleanup method to properly free ci->params
+
+BUG: memory leak
+unreferenced object 0xffff88811746e2c0 (size 64):
+ comm "syz-executor617", pid 7106, jiffies 4294943055 (age 14.250s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ c0 34 60 84 ff ff ff ff 00 00 00 00 00 00 00 00 .4`.............
+ backtrace:
+ [<0000000015aa236f>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
+ [<0000000015aa236f>] slab_post_alloc_hook mm/slab.h:586 [inline]
+ [<0000000015aa236f>] slab_alloc mm/slab.c:3320 [inline]
+ [<0000000015aa236f>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
+ [<000000002c946bd1>] kmalloc include/linux/slab.h:556 [inline]
+ [<000000002c946bd1>] kzalloc include/linux/slab.h:670 [inline]
+ [<000000002c946bd1>] tcf_ctinfo_init+0x21a/0x530 net/sched/act_ctinfo.c:236
+ [<0000000086952cca>] tcf_action_init_1+0x400/0x5b0 net/sched/act_api.c:944
+ [<000000005ab29bf8>] tcf_action_init+0x135/0x1c0 net/sched/act_api.c:1000
+ [<00000000392f56f9>] tcf_action_add+0x9a/0x200 net/sched/act_api.c:1410
+ [<0000000088f3c5dd>] tc_ctl_action+0x14d/0x1bb net/sched/act_api.c:1465
+ [<000000006b39d986>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424
+ [<00000000fd6ecace>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
+ [<0000000047493d02>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
+ [<00000000bdcf8286>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ [<00000000bdcf8286>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
+ [<00000000fc5b92d9>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
+ [<00000000da84d076>] sock_sendmsg_nosec net/socket.c:639 [inline]
+ [<00000000da84d076>] sock_sendmsg+0x54/0x70 net/socket.c:659
+ [<0000000042fb2eee>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
+ [<000000008f23f67e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
+ [<00000000d838e4f6>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
+ [<00000000289a9cb1>] __do_sys_sendmsg net/socket.c:2426 [inline]
+ [<00000000289a9cb1>] __se_sys_sendmsg net/socket.c:2424 [inline]
+ [<00000000289a9cb1>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424
+
+Fixes: 24ec483cec98 ("net: sched: Introduce act_ctinfo action")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Kevin 'ldir' Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Toke Høiland-Jørgensen <toke@redhat.com>
+Acked-by: Kevin 'ldir' Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ctinfo.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/net/sched/act_ctinfo.c
++++ b/net/sched/act_ctinfo.c
+@@ -360,6 +360,16 @@ static int tcf_ctinfo_search(struct net
+ return tcf_idr_search(tn, a, index);
+ }
+
++static void tcf_ctinfo_cleanup(struct tc_action *a)
++{
++ struct tcf_ctinfo *ci = to_ctinfo(a);
++ struct tcf_ctinfo_params *cp;
++
++ cp = rcu_dereference_protected(ci->params, 1);
++ if (cp)
++ kfree_rcu(cp, rcu);
++}
++
+ static struct tc_action_ops act_ctinfo_ops = {
+ .kind = "ctinfo",
+ .id = TCA_ID_CTINFO,
+@@ -367,6 +377,7 @@ static struct tc_action_ops act_ctinfo_o
+ .act = tcf_ctinfo_act,
+ .dump = tcf_ctinfo_dump,
+ .init = tcf_ctinfo_init,
++ .cleanup= tcf_ctinfo_cleanup,
+ .walk = tcf_ctinfo_walker,
+ .lookup = tcf_ctinfo_search,
+ .size = sizeof(struct tcf_ctinfo),
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 15 Jan 2020 08:20:39 -0800
+Subject: net/sched: act_ife: initalize ife->metalist earlier
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 44c23d71599f81a1c7fe8389e0319822dd50c37c ]
+
+It seems better to init ife->metalist earlier in tcf_ife_init()
+to avoid the following crash :
+
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+CPU: 0 PID: 10483 Comm: syz-executor216 Not tainted 5.5.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:_tcf_ife_cleanup net/sched/act_ife.c:412 [inline]
+RIP: 0010:tcf_ife_cleanup+0x6e/0x400 net/sched/act_ife.c:431
+Code: 48 c1 ea 03 80 3c 02 00 0f 85 94 03 00 00 49 8b bd f8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8d 67 e8 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 5c 03 00 00 48 bb 00 00 00 00 00 fc ff df 48 8b
+RSP: 0018:ffffc90001dc6d00 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffffffff864619c0 RCX: ffffffff815bfa09
+RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000000
+RBP: ffffc90001dc6d50 R08: 0000000000000004 R09: fffff520003b8d8e
+R10: fffff520003b8d8d R11: 0000000000000003 R12: ffffffffffffffe8
+R13: ffff8880a79fc000 R14: ffff88809aba0e00 R15: 0000000000000000
+FS: 0000000001b51880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000563f52cce140 CR3: 0000000093541000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ tcf_action_cleanup+0x62/0x1b0 net/sched/act_api.c:119
+ __tcf_action_put+0xfa/0x130 net/sched/act_api.c:135
+ __tcf_idr_release net/sched/act_api.c:165 [inline]
+ __tcf_idr_release+0x59/0xf0 net/sched/act_api.c:145
+ tcf_idr_release include/net/act_api.h:171 [inline]
+ tcf_ife_init+0x97c/0x1870 net/sched/act_ife.c:616
+ tcf_action_init_1+0x6b6/0xa40 net/sched/act_api.c:944
+ tcf_action_init+0x21a/0x330 net/sched/act_api.c:1000
+ tcf_action_add+0xf5/0x3b0 net/sched/act_api.c:1410
+ tc_ctl_action+0x390/0x488 net/sched/act_api.c:1465
+ rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5424
+ netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
+ rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
+ netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ netlink_unicast+0x58c/0x7d0 net/netlink/af_netlink.c:1328
+ netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:639 [inline]
+ sock_sendmsg+0xd7/0x130 net/socket.c:659
+ ____sys_sendmsg+0x753/0x880 net/socket.c:2330
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2384
+ __sys_sendmsg+0x105/0x1d0 net/socket.c:2417
+ __do_sys_sendmsg net/socket.c:2426 [inline]
+ __se_sys_sendmsg net/socket.c:2424 [inline]
+ __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2424
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 11a94d7fd80f ("net/sched: act_ife: validate the control action inside init()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Davide Caratti <dcaratti@redhat.com>
+Reviewed-by: Davide Caratti <dcaratti@redhat.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ife.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/net/sched/act_ife.c
++++ b/net/sched/act_ife.c
+@@ -536,6 +536,9 @@ static int tcf_ife_init(struct net *net,
+ }
+
+ ife = to_ife(*a);
++ if (ret == ACT_P_CREATED)
++ INIT_LIST_HEAD(&ife->metalist);
++
+ err = tcf_action_check_ctrlact(parm->action, tp, &goto_ch, extack);
+ if (err < 0)
+ goto release_idr;
+@@ -565,10 +568,6 @@ static int tcf_ife_init(struct net *net,
+ p->eth_type = ife_type;
+ }
+
+-
+- if (ret == ACT_P_CREATED)
+- INIT_LIST_HEAD(&ife->metalist);
+-
+ if (tb[TCA_IFE_METALST]) {
+ err = nla_parse_nested_deprecated(tb2, IFE_META_MAX,
+ tb[TCA_IFE_METALST], NULL,
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Thu, 16 Jan 2020 13:08:58 -0800
+Subject: net: systemport: Fixed queue mapping in internal ring map
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 5a9ef19454cd5daec8041bc7c3c11deb7456d9a0 ]
+
+We would not be transmitting using the correct SYSTEMPORT transmit queue
+during ndo_select_queue() which looks up the internal TX ring map
+because while establishing the mapping we would be off by 4, so for
+instance, when we populate switch port mappings we would be doing:
+
+switch port 0, queue 0 -> ring index #0
+switch port 0, queue 1 -> ring index #1
+...
+switch port 0, queue 3 -> ring index #3
+switch port 1, queue 0 -> ring index #8 (4 + 4 * 1)
+...
+
+instead of using ring index #4. This would cause our ndo_select_queue()
+to use the fallback queue mechanism which would pick up an incorrect
+ring for that switch port. Fix this by using the correct switch queue
+number instead of SYSTEMPORT queue number.
+
+Fixes: 25c440704661 ("net: systemport: Simplify queue mapping logic")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -2323,7 +2323,7 @@ static int bcm_sysport_map_queues(struct
+ ring->switch_queue = qp;
+ ring->switch_port = port;
+ ring->inspect = true;
+- priv->ring_map[q + port * num_tx_queues] = ring;
++ priv->ring_map[qp + port * num_tx_queues] = ring;
+ qp++;
+ }
+
+@@ -2338,7 +2338,7 @@ static int bcm_sysport_unmap_queues(stru
+ struct net_device *slave_dev;
+ unsigned int num_tx_queues;
+ struct net_device *dev;
+- unsigned int q, port;
++ unsigned int q, qp, port;
+
+ priv = container_of(nb, struct bcm_sysport_priv, dsa_notifier);
+ if (priv->netdev != info->master)
+@@ -2364,7 +2364,8 @@ static int bcm_sysport_unmap_queues(stru
+ continue;
+
+ ring->inspect = false;
+- priv->ring_map[q + port * num_tx_queues] = NULL;
++ qp = ring->switch_queue;
++ priv->ring_map[qp + port * num_tx_queues] = NULL;
+ }
+
+ return 0;
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 13 Jan 2020 09:27:11 -0800
+Subject: net: usb: lan78xx: limit size of local TSO packets
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f8d7408a4d7f60f8b2df0f81decdc882dd9c20dc ]
+
+lan78xx_tx_bh() makes sure to not exceed MAX_SINGLE_PACKET_SIZE
+bytes in the aggregated packets it builds, but does
+nothing to prevent large GSO packets being submitted.
+
+Pierre-Francois reported various hangs when/if TSO is enabled.
+
+For localy generated packets, we can use netif_set_gso_max_size()
+to limit the size of TSO packets.
+
+Note that forwarded packets could still hit the issue,
+so a complete fix might require implementing .ndo_features_check
+for this driver, forcing a software segmentation if the size
+of the TSO packet exceeds MAX_SINGLE_PACKET_SIZE.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: RENARD Pierre-Francois <pfrenard@gmail.com>
+Tested-by: RENARD Pierre-Francois <pfrenard@gmail.com>
+Cc: Stefan Wahren <stefan.wahren@i2se.com>
+Cc: Woojung Huh <woojung.huh@microchip.com>
+Cc: Microchip Linux Driver Support <UNGLinuxDriver@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/lan78xx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -3750,6 +3750,7 @@ static int lan78xx_probe(struct usb_inte
+
+ /* MTU range: 68 - 9000 */
+ netdev->max_mtu = MAX_SINGLE_PACKET_SIZE;
++ netif_set_gso_max_size(netdev, MAX_SINGLE_PACKET_SIZE - MAX_HEADER);
+
+ dev->ep_blkin = (intf->cur_altsetting)->endpoint + 0;
+ dev->ep_blkout = (intf->cur_altsetting)->endpoint + 1;
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 14 Jan 2020 14:54:48 +0000
+Subject: net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit ddf420390526ede3b9ff559ac89f58cb59d9db2f ]
+
+Array utdm_info is declared as an array of MAX_HDLC_NUM (4) elements
+however up to UCC_MAX_NUM (8) elements are potentially being written
+to it. Currently we have an array out-of-bounds write error on the
+last 4 elements. Fix this by making utdm_info UCC_MAX_NUM elements in
+size.
+
+Addresses-Coverity: ("Out-of-bounds write")
+Fixes: c19b6d246a35 ("drivers/net: support hdlc function for QE-UCC")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/fsl_ucc_hdlc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wan/fsl_ucc_hdlc.c
++++ b/drivers/net/wan/fsl_ucc_hdlc.c
+@@ -73,7 +73,7 @@ static struct ucc_tdm_info utdm_primary_
+ },
+ };
+
+-static struct ucc_tdm_info utdm_info[MAX_HDLC_NUM];
++static struct ucc_tdm_info utdm_info[UCC_MAX_NUM];
+
+ static int uhdlc_init(struct ucc_hdlc_private *priv)
+ {
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Mon, 13 Jan 2020 14:00:09 +0100
+Subject: ptp: free ptp device pin descriptors properly
+
+From: Vladis Dronov <vdronov@redhat.com>
+
+[ Upstream commit 75718584cb3c64e6269109d4d54f888ac5a5fd15 ]
+
+There is a bug in ptp_clock_unregister(), where ptp_cleanup_pin_groups()
+first frees ptp->pin_{,dev_}attr, but then posix_clock_unregister() needs
+them to destroy a related sysfs device.
+
+These functions can not be just swapped, as posix_clock_unregister() frees
+ptp which is needed in the ptp_cleanup_pin_groups(). Fix this by calling
+ptp_cleanup_pin_groups() in ptp_clock_release(), right before ptp is freed.
+
+This makes this patch fix an UAF bug in a patch which fixes an UAF bug.
+
+Reported-by: Antti Laakso <antti.laakso@intel.com>
+Fixes: a33121e5487b ("ptp: fix the race between the release of ptp_clock and cdev")
+Link: https://lore.kernel.org/netdev/3d2bd09735dbdaf003585ca376b7c1e5b69a19bd.camel@intel.com/
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ptp/ptp_clock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -170,6 +170,7 @@ static void ptp_clock_release(struct dev
+ {
+ struct ptp_clock *ptp = container_of(dev, struct ptp_clock, dev);
+
++ ptp_cleanup_pin_groups(ptp);
+ mutex_destroy(&ptp->tsevq_mux);
+ mutex_destroy(&ptp->pincfg_mux);
+ ida_simple_remove(&ptp_clocks_map, ptp->index);
+@@ -302,9 +303,8 @@ int ptp_clock_unregister(struct ptp_cloc
+ if (ptp->pps_source)
+ pps_unregister_source(ptp->pps_source);
+
+- ptp_cleanup_pin_groups(ptp);
+-
+ posix_clock_unregister(&ptp->clock);
++
+ return 0;
+ }
+ EXPORT_SYMBOL(ptp_clock_unregister);
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 14 Jan 2020 09:27:29 +0100
+Subject: r8152: add missing endpoint sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 86f3f4cd53707ceeec079b83205c8d3c756eca93 ]
+
+Add missing endpoint sanity check to probe in order to prevent a
+NULL-pointer dereference (or slab out-of-bounds access) when retrieving
+the interrupt-endpoint bInterval on ndo_open() in case a device lacks
+the expected endpoints.
+
+Fixes: 40a82917b1d3 ("net/usb/r8152: enable interrupt transfer")
+Cc: hayeswang <hayeswang@realtek.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/r8152.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -5587,6 +5587,9 @@ static int rtl8152_probe(struct usb_inte
+ return -ENODEV;
+ }
+
++ if (intf->cur_altsetting->desc.bNumEndpoints < 3)
++ return -ENODEV;
++
+ usb_reset_device(udev);
+ netdev = alloc_etherdev(sizeof(struct r8152));
+ if (!netdev) {
bpftool-fix-printing-incorrect-pointer-in-btf_dump_ptr.patch
batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
macvlan-use-skb_reset_mac_header-in-macvlan_queue_xm.patch
+hv_netvsc-fix-memory-leak-when-removing-rndis-device.patch
+net-avoid-updating-qdisc_xmit_lock_key-in-netdev_update_lockdep_key.patch
+net-dsa-tag_qca-fix-doubled-tx-statistics.patch
+net-hns3-pad-the-short-frame-before-sending-to-the-hardware.patch
+net-hns-fix-soft-lockup-when-there-is-not-enough-memory.patch
+net-phy-dp83867-set-force_link_good-to-default-after-reset.patch
+net-sched-act_ife-initalize-ife-metalist-earlier.patch
+net-usb-lan78xx-limit-size-of-local-tso-packets.patch
+net-wan-fsl_ucc_hdlc-fix-out-of-bounds-write-on-array-utdm_info.patch
+ptp-free-ptp-device-pin-descriptors-properly.patch
+r8152-add-missing-endpoint-sanity-check.patch
+tcp-fix-marked-lost-packets-not-being-retransmitted.patch
+bnxt_en-fix-ntuple-firmware-command-failures.patch
+bnxt_en-fix-ipv6-rfs-filter-matching-logic.patch
+bnxt_en-do-not-treat-dsn-digital-serial-number-read-failure-as-fatal.patch
+net-ethernet-ave-avoid-lockdep-warning.patch
+net-systemport-fixed-queue-mapping-in-internal-ring-map.patch
+net-dsa-sja1105-don-t-error-out-on-disabled-ports-with-no-phy-mode.patch
+net-dsa-tag_gswip-fix-typo-in-tagger-name.patch
+net-sched-act_ctinfo-fix-memory-leak.patch
+net-dsa-bcm_sf2-configure-imp-port-for-2gb-sec.patch
+wimax-i2400-fix-memory-leak.patch
+wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
+i40e-prevent-memory-leak-in-i40e_setup_macvlans.patch
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Pengcheng Yang <yangpc@wangsu.com>
+Date: Tue, 14 Jan 2020 17:23:40 +0800
+Subject: tcp: fix marked lost packets not being retransmitted
+
+From: Pengcheng Yang <yangpc@wangsu.com>
+
+[ Upstream commit e176b1ba476cf36f723cfcc7a9e57f3cb47dec70 ]
+
+When the packet pointed to by retransmit_skb_hint is unlinked by ACK,
+retransmit_skb_hint will be set to NULL in tcp_clean_rtx_queue().
+If packet loss is detected at this time, retransmit_skb_hint will be set
+to point to the current packet loss in tcp_verify_retransmit_hint(),
+then the packets that were previously marked lost but not retransmitted
+due to the restriction of cwnd will be skipped and cannot be
+retransmitted.
+
+To fix this, when retransmit_skb_hint is NULL, retransmit_skb_hint can
+be reset only after all marked lost packets are retransmitted
+(retrans_out >= lost_out), otherwise we need to traverse from
+tcp_rtx_queue_head in tcp_xmit_retransmit_queue().
+
+Packetdrill to demonstrate:
+
+// Disable RACK and set max_reordering to keep things simple
+ 0 `sysctl -q net.ipv4.tcp_recovery=0`
+ +0 `sysctl -q net.ipv4.tcp_max_reordering=3`
+
+// Establish a connection
+ +0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+ +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+ +0 bind(3, ..., ...) = 0
+ +0 listen(3, 1) = 0
+
+ +.1 < S 0:0(0) win 32792 <mss 1000,sackOK,nop,nop,nop,wscale 7>
+ +0 > S. 0:0(0) ack 1 <...>
+ +.01 < . 1:1(0) ack 1 win 257
+ +0 accept(3, ..., ...) = 4
+
+// Send 8 data segments
+ +0 write(4, ..., 8000) = 8000
+ +0 > P. 1:8001(8000) ack 1
+
+// Enter recovery and 1:3001 is marked lost
+ +.01 < . 1:1(0) ack 1 win 257 <sack 3001:4001,nop,nop>
+ +0 < . 1:1(0) ack 1 win 257 <sack 5001:6001 3001:4001,nop,nop>
+ +0 < . 1:1(0) ack 1 win 257 <sack 5001:7001 3001:4001,nop,nop>
+
+// Retransmit 1:1001, now retransmit_skb_hint points to 1001:2001
+ +0 > . 1:1001(1000) ack 1
+
+// 1001:2001 was ACKed causing retransmit_skb_hint to be set to NULL
+ +.01 < . 1:1(0) ack 2001 win 257 <sack 5001:8001 3001:4001,nop,nop>
+// Now retransmit_skb_hint points to 4001:5001 which is now marked lost
+
+// BUG: 2001:3001 was not retransmitted
+ +0 > . 2001:3001(1000) ack 1
+
+Signed-off-by: Pengcheng Yang <yangpc@wangsu.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Tested-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -915,9 +915,10 @@ static void tcp_check_sack_reordering(st
+ /* This must be called before lost_out is incremented */
+ static void tcp_verify_retransmit_hint(struct tcp_sock *tp, struct sk_buff *skb)
+ {
+- if (!tp->retransmit_skb_hint ||
+- before(TCP_SKB_CB(skb)->seq,
+- TCP_SKB_CB(tp->retransmit_skb_hint)->seq))
++ if ((!tp->retransmit_skb_hint && tp->retrans_out >= tp->lost_out) ||
++ (tp->retransmit_skb_hint &&
++ before(TCP_SKB_CB(skb)->seq,
++ TCP_SKB_CB(tp->retransmit_skb_hint)->seq)))
+ tp->retransmit_skb_hint = skb;
+ }
+
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Fri, 25 Oct 2019 23:53:30 -0500
+Subject: wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 6f3ef5c25cc762687a7341c18cbea5af54461407 ]
+
+In the implementation of i2400m_op_rfkill_sw_toggle() the allocated
+buffer for cmd should be released before returning. The
+documentation for i2400m_msg_to_dev() says when it returns the buffer
+can be reused. Meaning cmd should be released in either case. Move
+kfree(cmd) before return to be reached by all execution paths.
+
+Fixes: 2507e6ab7a9a ("wimax: i2400: fix memory leak")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wimax/i2400m/op-rfkill.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/wimax/i2400m/op-rfkill.c
++++ b/drivers/net/wimax/i2400m/op-rfkill.c
+@@ -127,7 +127,6 @@ int i2400m_op_rfkill_sw_toggle(struct wi
+ "%d\n", result);
+ result = 0;
+ error_cmd:
+- kfree(cmd);
+ kfree_skb(ack_skb);
+ error_msg_to_dev:
+ error_alloc:
--- /dev/null
+From foo@baz Tue 21 Jan 2020 04:26:29 PM CET
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Tue, 10 Sep 2019 18:01:40 -0500
+Subject: wimax: i2400: fix memory leak
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 2507e6ab7a9a440773be476141a255934468c5ef ]
+
+In i2400m_op_rfkill_sw_toggle cmd buffer should be released along with
+skb response.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wimax/i2400m/op-rfkill.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wimax/i2400m/op-rfkill.c
++++ b/drivers/net/wimax/i2400m/op-rfkill.c
+@@ -127,6 +127,7 @@ int i2400m_op_rfkill_sw_toggle(struct wi
+ "%d\n", result);
+ result = 0;
+ error_cmd:
++ kfree(cmd);
+ kfree_skb(ack_skb);
+ error_msg_to_dev:
+ error_alloc:
projects / thirdparty / kernel / stable-queue.git / commitdiff
