--- /dev/null
+From foo@baz Mon 25 Nov 2019 02:27:10 PM CET
+From: Petr Machata <petrm@mellanox.com>
+Date: Mon, 18 Nov 2019 09:18:42 +0200
+Subject: mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel
+
+From: Petr Machata <petrm@mellanox.com>
+
+[ Upstream commit 1fc1657775dc1b19e9ac1d46b4054ed8ae5d99ab ]
+
+The helper mlxsw_sp_ipip_dev_ul_tb_id() determines the underlay VRF of a
+GRE tunnel. For a tunnel without a bound device, it uses the same VRF that
+the tunnel is in. However in Linux, a GRE tunnel without a bound device
+uses the main VRF as the underlay. Fix the function accordingly.
+
+mlxsw further assumed that moving a tunnel to a different VRF could cause
+conflict in local tunnel endpoint address, which cannot be offloaded.
+However, the only way that an underlay could be changed by moving the
+tunnel device itself is if the tunnel device does not have a bound device.
+But in that case the underlay is always the main VRF, so there is no
+opportunity to introduce a conflict by moving such device. Thus this check
+constitutes a dead code, and can be removed, which do.
+
+Fixes: 6ddb7426a7d4 ("mlxsw: spectrum_router: Introduce loopback RIFs")
+Signed-off-by: Petr Machata <petrm@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 19 ------------------
+ 1 file changed, 1 insertion(+), 18 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+@@ -970,7 +970,7 @@ u32 mlxsw_sp_ipip_dev_ul_tb_id(const str
+ if (d)
+ return l3mdev_fib_table(d) ? : RT_TABLE_MAIN;
+ else
+- return l3mdev_fib_table(ol_dev) ? : RT_TABLE_MAIN;
++ return RT_TABLE_MAIN;
+ }
+
+ static struct mlxsw_sp_rif *
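Review bot: The new `return RT_TABLE_MAIN;` branch has no comment saying why the overlay device's own VRF is deliberately ignored, so a later reader could "correct" it back. I would add `/* A tunnel without a bound device always uses the main VRF as its underlay. */` above that return. As a style point, the `else` after a `return` is redundant, and the function could simply end with `return RT_TABLE_MAIN;`. The start of mlxsw_sp_ipip_dev_ul_tb_id() is outside the hunk.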
+@@ -1532,27 +1532,10 @@ static int mlxsw_sp_netdevice_ipip_ol_vr
+ {
+ struct mlxsw_sp_ipip_entry *ipip_entry =
+ mlxsw_sp_ipip_entry_find_by_ol_dev(mlxsw_sp, ol_dev);
+- enum mlxsw_sp_l3proto ul_proto;
+- union mlxsw_sp_l3addr saddr;
+- u32 ul_tb_id;
+
+ if (!ipip_entry)
+ return 0;
+
+- /* For flat configuration cases, moving overlay to a different VRF might
+- * cause local address conflict, and the conflicting tunnels need to be
+- * demoted.
+- */
+- ul_tb_id = mlxsw_sp_ipip_dev_ul_tb_id(ol_dev);
+- ul_proto = mlxsw_sp->router->ipip_ops_arr[ipip_entry->ipipt]->ul_proto;
+- saddr = mlxsw_sp_ipip_netdev_saddr(ul_proto, ol_dev);
+- if (mlxsw_sp_ipip_demote_tunnel_by_saddr(mlxsw_sp, ul_proto,
+- saddr, ul_tb_id,
+- ipip_entry)) {
+- mlxsw_sp_ipip_entry_demote_tunnel(mlxsw_sp, ipip_entry);
+- return 0;
+- }
+-
+ return __mlxsw_sp_ipip_entry_update_tunnel(mlxsw_sp, ipip_entry,
+ true, false, false, extack);
+ }
--- /dev/null
+From foo@baz Mon 25 Nov 2019 02:27:10 PM CET
+From: Luigi Rizzo <lrizzo@google.com>
+Date: Fri, 15 Nov 2019 12:12:25 -0800
+Subject: net/mlx4_en: fix mlx4 ethtool -N insertion
+
+From: Luigi Rizzo <lrizzo@google.com>
+
+[ Upstream commit 34e59836565e36fade1464e054a3551c1a0364be ]
+
+ethtool expects ETHTOOL_GRXCLSRLALL to set ethtool_rxnfc->data with the
+total number of entries in the rx classifier table. Surprisingly, mlx4
+is missing this part (in principle ethtool could still move forward and
+try the insert).
+
+Tested: compiled and run command:
+ phh13:~# ethtool -N eth1 flow-type udp4 queue 4
+ Added rule with ID 255
+
+Signed-off-by: Luigi Rizzo <lrizzo@google.com>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+@@ -1745,6 +1745,7 @@ static int mlx4_en_get_rxnfc(struct net_
+ err = mlx4_en_get_flow(dev, cmd, cmd->fs.location);
+ break;
+ case ETHTOOL_GRXCLSRLALL:
++ cmd->data = MAX_NUM_OF_FS_RULES;
+ while ((!err || err == -ENOENT) && priority < cmd->rule_cnt) {
+ err = mlx4_en_get_flow(dev, cmd, i);
+ if (!err)
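Review bot: The added `cmd->data = MAX_NUM_OF_FS_RULES;` is undocumented, and the line alone does not show that `data` carries the classifier table capacity rather than the number of rules copied out by the loop below. A one-line comment taken from the commit message would do: `/* ethtool expects the total number of entries in the rx classifier table here */`. The loop body and the rest of mlx4_en_get_rxnfc() continue outside the hunk.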
--- /dev/null
+From foo@baz Mon 25 Nov 2019 02:27:10 PM CET
+From: Tariq Toukan <tariqt@mellanox.com>
+Date: Mon, 18 Nov 2019 11:41:04 +0200
+Subject: net/mlx4_en: Fix wrong limitation for number of TX rings
+
+From: Tariq Toukan <tariqt@mellanox.com>
+
+[ Upstream commit 2744bf42680f64ebf2ee8a00354897857c073331 ]
+
+XDP_TX rings should not be limited by max_num_tx_rings_p_up.
+To make sure total number of TX rings never exceed MAX_TX_RINGS,
+add similar check in mlx4_en_alloc_tx_queue_per_tc(), where
+a new value is assigned for num_up.
+
+Fixes: 7e1dc5e926d5 ("net/mlx4_en: Limit the number of TX rings")
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 8 ++++----
+ drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 9 +++++++++
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+@@ -1812,6 +1812,7 @@ static int mlx4_en_set_channels(struct n
+ struct mlx4_en_dev *mdev = priv->mdev;
+ struct mlx4_en_port_profile new_prof;
+ struct mlx4_en_priv *tmp;
++ int total_tx_count;
+ int port_up = 0;
+ int xdp_count;
+ int err = 0;
+@@ -1826,13 +1827,12 @@ static int mlx4_en_set_channels(struct n
+
+ mutex_lock(&mdev->state_lock);
+ xdp_count = priv->tx_ring_num[TX_XDP] ? channel->rx_count : 0;
+- if (channel->tx_count * priv->prof->num_up + xdp_count >
+- priv->mdev->profile.max_num_tx_rings_p_up * priv->prof->num_up) {
++ total_tx_count = channel->tx_count * priv->prof->num_up + xdp_count;
++ if (total_tx_count > MAX_TX_RINGS) {
+ err = -EINVAL;
+ en_err(priv,
+ "Total number of TX and XDP rings (%d) exceeds the maximum supported (%d)\n",
+- channel->tx_count * priv->prof->num_up + xdp_count,
+- MAX_TX_RINGS);
++ total_tx_count, MAX_TX_RINGS);
+ goto out;
+ }
+
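Review bot: `total_tx_count` is a signed `int` computed as `channel->tx_count * priv->prof->num_up + xdp_count`, so the limit test is only sound if `channel->tx_count` is already bounded when it gets here. The value comes from an ethtool request, and the earlier part of mlx4_en_set_channels() is outside the hunk; if nothing caps it there, the product can wrap or go negative and slip past `total_tx_count > MAX_TX_RINGS`. I would confirm an earlier cap exists, or reject the factor before multiplying with `if (channel->tx_count > MAX_TX_RINGS) { err = -EINVAL; goto out; }`.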
+--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+@@ -92,6 +92,7 @@ int mlx4_en_alloc_tx_queue_per_tc(struct
+ struct mlx4_en_dev *mdev = priv->mdev;
+ struct mlx4_en_port_profile new_prof;
+ struct mlx4_en_priv *tmp;
++ int total_count;
+ int port_up = 0;
+ int err = 0;
+
+@@ -105,6 +106,14 @@ int mlx4_en_alloc_tx_queue_per_tc(struct
+ MLX4_EN_NUM_UP_HIGH;
+ new_prof.tx_ring_num[TX] = new_prof.num_tx_rings_p_up *
+ new_prof.num_up;
++ total_count = new_prof.tx_ring_num[TX] + new_prof.tx_ring_num[TX_XDP];
++ if (total_count > MAX_TX_RINGS) {
++ err = -EINVAL;
++ en_err(priv,
++ "Total number of TX and XDP rings (%d) exceeds the maximum supported (%d)\n",
++ total_count, MAX_TX_RINGS);
++ goto out;
++ }
+ err = mlx4_en_try_alloc_resources(priv, tmp, &new_prof, true);
+ if (err)
+ goto out;
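Review bot: This limit check and its `en_err()` text are a second copy of the one in mlx4_en_set_channels() in en_ethtool.c, so the two can drift apart the next time the limit changes. A small shared helper taking the TX and XDP ring counts would keep the rule in one place; at minimum I would add `/* keep in sync with mlx4_en_set_channels() */` above the `if`. The new `goto out` is reached after `new_prof` has been filled in, and the label's cleanup is outside the hunk, so confirm it releases everything the function acquired before this point.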
--- /dev/null
+From foo@baz Mon 25 Nov 2019 02:27:10 PM CET
+From: Maor Gottlieb <maorg@mellanox.com>
+Date: Thu, 5 Sep 2019 09:56:10 +0300
+Subject: net/mlx5: Fix auto group size calculation
+
+From: Maor Gottlieb <maorg@mellanox.com>
+
+[ Upstream commit 97fd8da281f80e7e69e0114bc906575734d4dfaf ]
+
+Once all the large flow groups (defined by the user when the flow table
+is created - max_num_groups) were created, then all the following new
+flow groups will have only one flow table entry, even though the flow table
+has place to larger groups.
+Fix the condition to prefer large flow group.
+
+Fixes: f0d22d187473 ("net/mlx5_core: Introduce flow steering autogrouped flow table")
+Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 10 ++++++----
+ drivers/net/ethernet/mellanox/mlx5/core/fs_core.h | 1 +
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+@@ -520,7 +520,7 @@ static void del_sw_flow_group(struct fs_
+
+ rhashtable_destroy(&fg->ftes_hash);
+ ida_destroy(&fg->fte_allocator);
+- if (ft->autogroup.active)
++ if (ft->autogroup.active && fg->max_ftes == ft->autogroup.group_size)
+ ft->autogroup.num_groups--;
+ err = rhltable_remove(&ft->fgs_hash,
+ &fg->hash,
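Review bot: Whether a group counts toward `num_groups` is inferred here from `fg->max_ftes == ft->autogroup.group_size`, while the matching increment in alloc_auto_flow_group() (the `-1298,7` hunk) tests `group_size == ft->autogroup.group_size`; nothing at either site says the two conditions must stay paired. `num_groups` is an `unsigned int`, so a group that matches on delete without having matched on create would wrap the counter. I would put the same comment at both sites, `/* only groups created at the reserved autogroup size are counted in num_groups */`, or record the fact in a flag on the group instead of comparing sizes. Both functions extend outside their hunks.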
+@@ -1065,6 +1065,8 @@ mlx5_create_auto_grouped_flow_table(stru
+
+ ft->autogroup.active = true;
+ ft->autogroup.required_groups = max_num_groups;
++ /* We save place for flow groups in addition to max types */
++ ft->autogroup.group_size = ft->max_fte / (max_num_groups + 1);
+
+ return ft;
+ }
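Review bot: `ft->max_fte / (max_num_groups + 1)` evaluates to 0 whenever `ft->max_fte` is not larger than `max_num_groups`, and the comment moved in from alloc_auto_flow_group() does not mention that case. The later hunk tests `group_size == 0`, whose handling is outside the visible lines, so the meaning of a zero should be stated where the field is set, e.g. `/* size reserved for each of the max_num_groups large groups; 0 if the table is too small for any */`. The parameter validation of mlx5_create_auto_grouped_flow_table(), including whether `max_num_groups + 1` can wrap, is outside the hunk.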
+@@ -1270,8 +1272,7 @@ static struct mlx5_flow_group *alloc_aut
+ return ERR_PTR(-ENOENT);
+
+ if (ft->autogroup.num_groups < ft->autogroup.required_groups)
+- /* We save place for flow groups in addition to max types */
+- group_size = ft->max_fte / (ft->autogroup.required_groups + 1);
++ group_size = ft->autogroup.group_size;
+
+ /* ft->max_fte == ft->autogroup.max_types */
+ if (group_size == 0)
+@@ -1298,7 +1299,8 @@ static struct mlx5_flow_group *alloc_aut
+ if (IS_ERR(fg))
+ goto out;
+
+- ft->autogroup.num_groups++;
++ if (group_size == ft->autogroup.group_size)
++ ft->autogroup.num_groups++;
+
+ out:
+ return fg;
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h
+@@ -121,6 +121,7 @@ struct mlx5_flow_table {
+ struct {
+ bool active;
+ unsigned int required_groups;
++ unsigned int group_size;
+ unsigned int num_groups;
+ } autogroup;
+ /* Protect fwd_rules */
--- /dev/null
+From foo@baz Mon 25 Nov 2019 02:27:10 PM CET
+From: Roi Dayan <roid@mellanox.com>
+Date: Wed, 13 Nov 2019 14:42:00 +0200
+Subject: net/mlx5e: Fix set vf link state error flow
+
+From: Roi Dayan <roid@mellanox.com>
+
+[ Upstream commit 751021218f7e66ee9bbaa2be23056e447cd75ec4 ]
+
+Before this commit the ndo always returned success.
+Fix that.
+
+Fixes: 1ab2068a4c66 ("net/mlx5: Implement vports admin state backup/restore")
+Signed-off-by: Roi Dayan <roid@mellanox.com>
+Reviewed-by: Vlad Buslov <vladbu@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -1861,7 +1861,7 @@ int mlx5_eswitch_set_vport_state(struct
+
+ unlock:
+ mutex_unlock(&esw->state_lock);
+- return 0;
++ return err;
+ }
+
+ int mlx5_eswitch_get_vport_config(struct mlx5_eswitch *esw,
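Review bot: With `return err;` the result now depends on `err` being 0 on every successful path that reaches `unlock:`, and both the declaration and the success path are outside the hunk. Confirm that `err` is initialised to 0 or assigned by the last call before the label; otherwise the function would return an indeterminate value where it used to return 0. Callers that ignored the result until now will also start seeing failures, so the contract is worth a line on the function: `/* Returns 0 on success, negative errno on failure. */`.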
--- /dev/null
+From foo@baz Mon 25 Nov 2019 02:27:10 PM CET
+From: Eran Ben Elisha <eranbe@mellanox.com>
+Date: Sun, 17 Nov 2019 10:18:59 +0200
+Subject: net/mlxfw: Verify FSM error code translation doesn't exceed array size
+
+From: Eran Ben Elisha <eranbe@mellanox.com>
+
+[ Upstream commit 30e9e0550bf693c94bc15827781fe42dd60be634 ]
+
+Array mlxfw_fsm_state_err_str contains value to string translation, when
+values are provided by mlxfw_dev. If value is larger than
+MLXFW_FSM_STATE_ERR_MAX, return "unknown error" as expected instead of
+reading an address than exceed array size.
+
+Fixes: 410ed13cae39 ("Add the mlxfw module for Mellanox firmware flash process")
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c
++++ b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c
+@@ -86,6 +86,8 @@ retry:
+ return err;
+
+ if (fsm_state_err != MLXFW_FSM_STATE_ERR_OK) {
++ fsm_state_err = min_t(enum mlxfw_fsm_state_err,
++ fsm_state_err, MLXFW_FSM_STATE_ERR_MAX);
+ pr_err("Firmware flash failed: %s\n",
+ mlxfw_fsm_state_err_str[fsm_state_err]);
+ return -EINVAL;
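Review bot: The clamp bounds only the upper side and is safe only if `mlxfw_fsm_state_err_str` really has an entry at index `MLXFW_FSM_STATE_ERR_MAX`; the array definition is outside the hunk. Since `fsm_state_err` is supplied by the device, I would pin that assumption at build time with `BUILD_BUG_ON(ARRAY_SIZE(mlxfw_fsm_state_err_str) <= MLXFW_FSM_STATE_ERR_MAX);` next to the lookup. `min_t()` on an enum type compares in whatever integer type the compiler picks for the enum, so an explicit unsigned test states the bound more directly: `if ((unsigned int)fsm_state_err > MLXFW_FSM_STATE_ERR_MAX) fsm_state_err = MLXFW_FSM_STATE_ERR_MAX;`.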
--- /dev/null
+From foo@baz Mon 25 Nov 2019 02:27:10 PM CET
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 20 Nov 2019 15:34:38 +0300
+Subject: net: rtnetlink: prevent underflows in do_setvfinfo()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit d658c8f56ec7b3de8051a24afb25da9ba3c388c5 ]
+
+The "ivm->vf" variable is a u32, but the problem is that a number of
+drivers cast it to an int and then forget to check for negatives. An
+example of this is in the cxgb4 driver.
+
+drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+ 2890 static int cxgb4_mgmt_get_vf_config(struct net_device *dev,
+ 2891 int vf, struct ifla_vf_info *ivi)
+ ^^^^^^
+ 2892 {
+ 2893 struct port_info *pi = netdev_priv(dev);
+ 2894 struct adapter *adap = pi->adapter;
+ 2895 struct vf_info *vfinfo;
+ 2896
+ 2897 if (vf >= adap->num_vfs)
+ ^^^^^^^^^^^^^^^^^^^
+ 2898 return -EINVAL;
+ 2899 vfinfo = &adap->vfinfo[vf];
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+There are 48 functions affected.
+
+drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c:8435 hclge_set_vf_vlan_filter() warn: can 'vfid' underflow 's32min-2147483646'
+drivers/net/ethernet/freescale/enetc/enetc_pf.c:377 enetc_pf_set_vf_mac() warn: can 'vf' underflow 's32min-2147483646'
+drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2899 cxgb4_mgmt_get_vf_config() warn: can 'vf' underflow 's32min-254'
+drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2960 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254'
+drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3019 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254'
+drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3038 cxgb4_mgmt_set_vf_vlan() warn: can 'vf' underflow 's32min-254'
+drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3086 cxgb4_mgmt_set_vf_link_state() warn: can 'vf' underflow 's32min-254'
+drivers/net/ethernet/chelsio/cxgb/cxgb2.c:791 get_eeprom() warn: can 'i' underflow 's32min-(-4),0,4-s32max'
+drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:82 bnxt_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534'
+drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:164 bnxt_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534'
+drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:186 bnxt_get_vf_config() warn: can 'vf_id' underflow 's32min-65534'
+drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:228 bnxt_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534'
+drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:264 bnxt_set_vf_vlan() warn: can 'vf_id' underflow 's32min-65534'
+drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:293 bnxt_set_vf_bw() warn: can 'vf_id' underflow 's32min-65534'
+drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:333 bnxt_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534'
+drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63'
+drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63'
+drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2281 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
+drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2285 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
+drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2286 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
+drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2292 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
+drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2297 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
+drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1832 qlcnic_sriov_set_vf_mac() warn: can 'vf' underflow 's32min-254'
+drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1864 qlcnic_sriov_set_vf_tx_rate() warn: can 'vf' underflow 's32min-254'
+drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1937 qlcnic_sriov_set_vf_vlan() warn: can 'vf' underflow 's32min-254'
+drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2005 qlcnic_sriov_get_vf_config() warn: can 'vf' underflow 's32min-254'
+drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2036 qlcnic_sriov_set_vf_spoofchk() warn: can 'vf' underflow 's32min-254'
+drivers/net/ethernet/emulex/benet/be_main.c:1914 be_get_vf_config() warn: can 'vf' underflow 's32min-65534'
+drivers/net/ethernet/emulex/benet/be_main.c:1915 be_get_vf_config() warn: can 'vf' underflow 's32min-65534'
+drivers/net/ethernet/emulex/benet/be_main.c:1922 be_set_vf_tvt() warn: can 'vf' underflow 's32min-65534'
+drivers/net/ethernet/emulex/benet/be_main.c:1951 be_clear_vf_tvt() warn: can 'vf' underflow 's32min-65534'
+drivers/net/ethernet/emulex/benet/be_main.c:2063 be_set_vf_tx_rate() warn: can 'vf' underflow 's32min-65534'
+drivers/net/ethernet/emulex/benet/be_main.c:2091 be_set_vf_link_state() warn: can 'vf' underflow 's32min-65534'
+drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:2609 ice_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-65534'
+drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3050 ice_get_vf_cfg() warn: can 'vf_id' underflow 's32min-65534'
+drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3103 ice_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534'
+drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3181 ice_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534'
+drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3237 ice_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534'
+drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3286 ice_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534'
+drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3919 i40e_validate_vf() warn: can 'vf_id' underflow 's32min-2147483646'
+drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3957 i40e_ndo_set_vf_mac() warn: can 'vf_id' underflow 's32min-2147483646'
+drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4104 i40e_ndo_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-2147483646'
+drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4263 i40e_ndo_set_vf_bw() warn: can 'vf_id' underflow 's32min-2147483646'
+drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4309 i40e_ndo_get_vf_config() warn: can 'vf_id' underflow 's32min-2147483646'
+drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4371 i40e_ndo_set_vf_link_state() warn: can 'vf_id' underflow 's32min-2147483646'
+drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646'
+drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646'
+drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4504 i40e_ndo_set_vf_trust() warn: can 'vf_id' underflow 's32min-2147483646'
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -2126,6 +2126,8 @@ static int do_setvfinfo(struct net_devic
+ if (tb[IFLA_VF_MAC]) {
+ struct ifla_vf_mac *ivm = nla_data(tb[IFLA_VF_MAC]);
+
++ if (ivm->vf >= INT_MAX)
++ return -EINVAL;
+ err = -EOPNOTSUPP;
+ if (ops->ndo_set_vf_mac)
+ err = ops->ndo_set_vf_mac(dev, ivm->vf,
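Review bot: The guard `if (ivm->vf >= INT_MAX) return -EINVAL;` is pasted into every attribute branch of do_setvfinfo() (this hunk and the nine that follow) with no comment explaining the bound, so a branch added later can silently omit it. I would state the reason once, `/* drivers take the VF index as int; reject values that would turn negative */`, and consider a one-line helper shared by all branches. Note that `>=` also rejects `INT_MAX` itself, which is harmless but should be said if intentional. In the `ivvl[0]` hunk only the first list element is checked, which matches the only element passed to `ndo_set_vf_vlan()` in the visible lines.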
+@@ -2137,6 +2139,8 @@ static int do_setvfinfo(struct net_devic
+ if (tb[IFLA_VF_VLAN]) {
+ struct ifla_vf_vlan *ivv = nla_data(tb[IFLA_VF_VLAN]);
+
++ if (ivv->vf >= INT_MAX)
++ return -EINVAL;
+ err = -EOPNOTSUPP;
+ if (ops->ndo_set_vf_vlan)
+ err = ops->ndo_set_vf_vlan(dev, ivv->vf, ivv->vlan,
+@@ -2169,6 +2173,8 @@ static int do_setvfinfo(struct net_devic
+ if (len == 0)
+ return -EINVAL;
+
++ if (ivvl[0]->vf >= INT_MAX)
++ return -EINVAL;
+ err = ops->ndo_set_vf_vlan(dev, ivvl[0]->vf, ivvl[0]->vlan,
+ ivvl[0]->qos, ivvl[0]->vlan_proto);
+ if (err < 0)
+@@ -2179,6 +2185,8 @@ static int do_setvfinfo(struct net_devic
+ struct ifla_vf_tx_rate *ivt = nla_data(tb[IFLA_VF_TX_RATE]);
+ struct ifla_vf_info ivf;
+
++ if (ivt->vf >= INT_MAX)
++ return -EINVAL;
+ err = -EOPNOTSUPP;
+ if (ops->ndo_get_vf_config)
+ err = ops->ndo_get_vf_config(dev, ivt->vf, &ivf);
+@@ -2197,6 +2205,8 @@ static int do_setvfinfo(struct net_devic
+ if (tb[IFLA_VF_RATE]) {
+ struct ifla_vf_rate *ivt = nla_data(tb[IFLA_VF_RATE]);
+
++ if (ivt->vf >= INT_MAX)
++ return -EINVAL;
+ err = -EOPNOTSUPP;
+ if (ops->ndo_set_vf_rate)
+ err = ops->ndo_set_vf_rate(dev, ivt->vf,
+@@ -2209,6 +2219,8 @@ static int do_setvfinfo(struct net_devic
+ if (tb[IFLA_VF_SPOOFCHK]) {
+ struct ifla_vf_spoofchk *ivs = nla_data(tb[IFLA_VF_SPOOFCHK]);
+
++ if (ivs->vf >= INT_MAX)
++ return -EINVAL;
+ err = -EOPNOTSUPP;
+ if (ops->ndo_set_vf_spoofchk)
+ err = ops->ndo_set_vf_spoofchk(dev, ivs->vf,
+@@ -2220,6 +2232,8 @@ static int do_setvfinfo(struct net_devic
+ if (tb[IFLA_VF_LINK_STATE]) {
+ struct ifla_vf_link_state *ivl = nla_data(tb[IFLA_VF_LINK_STATE]);
+
++ if (ivl->vf >= INT_MAX)
++ return -EINVAL;
+ err = -EOPNOTSUPP;
+ if (ops->ndo_set_vf_link_state)
+ err = ops->ndo_set_vf_link_state(dev, ivl->vf,
+@@ -2233,6 +2247,8 @@ static int do_setvfinfo(struct net_devic
+
+ err = -EOPNOTSUPP;
+ ivrssq_en = nla_data(tb[IFLA_VF_RSS_QUERY_EN]);
++ if (ivrssq_en->vf >= INT_MAX)
++ return -EINVAL;
+ if (ops->ndo_set_vf_rss_query_en)
+ err = ops->ndo_set_vf_rss_query_en(dev, ivrssq_en->vf,
+ ivrssq_en->setting);
+@@ -2243,6 +2259,8 @@ static int do_setvfinfo(struct net_devic
+ if (tb[IFLA_VF_TRUST]) {
+ struct ifla_vf_trust *ivt = nla_data(tb[IFLA_VF_TRUST]);
+
++ if (ivt->vf >= INT_MAX)
++ return -EINVAL;
+ err = -EOPNOTSUPP;
+ if (ops->ndo_set_vf_trust)
+ err = ops->ndo_set_vf_trust(dev, ivt->vf, ivt->setting);
+@@ -2253,15 +2271,18 @@ static int do_setvfinfo(struct net_devic
+ if (tb[IFLA_VF_IB_NODE_GUID]) {
+ struct ifla_vf_guid *ivt = nla_data(tb[IFLA_VF_IB_NODE_GUID]);
+
++ if (ivt->vf >= INT_MAX)
++ return -EINVAL;
+ if (!ops->ndo_set_vf_guid)
+ return -EOPNOTSUPP;
+-
+ return handle_vf_guid(dev, ivt, IFLA_VF_IB_NODE_GUID);
+ }
+
+ if (tb[IFLA_VF_IB_PORT_GUID]) {
+ struct ifla_vf_guid *ivt = nla_data(tb[IFLA_VF_IB_PORT_GUID]);
+
++ if (ivt->vf >= INT_MAX)
++ return -EINVAL;
+ if (!ops->ndo_set_vf_guid)
+ return -EOPNOTSUPP;
+
--- /dev/null
+From foo@baz Mon 25 Nov 2019 02:27:10 PM CET
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Tue, 19 Nov 2019 23:47:33 +0100
+Subject: net/sched: act_pedit: fix WARN() in the traffic path
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit f67169fef8dbcc1ac6a6a109ecaad0d3b259002c ]
+
+when configuring act_pedit rules, the number of keys is validated only on
+addition of a new entry. This is not sufficient to avoid hitting a WARN()
+in the traffic path: for example, it is possible to replace a valid entry
+with a new one having 0 extended keys, thus causing splats in dmesg like:
+
+ pedit BUG: index 42
+ WARNING: CPU: 2 PID: 4054 at net/sched/act_pedit.c:410 tcf_pedit_act+0xc84/0x1200 [act_pedit]
+ [...]
+ RIP: 0010:tcf_pedit_act+0xc84/0x1200 [act_pedit]
+ Code: 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e ac 00 00 00 48 8b 44 24 10 48 c7 c7 a0 c4 e4 c0 8b 70 18 e8 1c 30 95 ea <0f> 0b e9 a0 fa ff ff e8 00 03 f5 ea e9 14 f4 ff ff 48 89 58 40 e9
+ RSP: 0018:ffff888077c9f320 EFLAGS: 00010286
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffffac2983a2
+ RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff888053927bec
+ RBP: dffffc0000000000 R08: ffffed100a726209 R09: ffffed100a726209
+ R10: 0000000000000001 R11: ffffed100a726208 R12: ffff88804beea780
+ R13: ffff888079a77400 R14: ffff88804beea780 R15: ffff888027ab2000
+ FS: 00007fdeec9bd740(0000) GS:ffff888053900000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007ffdb3dfd000 CR3: 000000004adb4006 CR4: 00000000001606e0
+ Call Trace:
+ tcf_action_exec+0x105/0x3f0
+ tcf_classify+0xf2/0x410
+ __dev_queue_xmit+0xcbf/0x2ae0
+ ip_finish_output2+0x711/0x1fb0
+ ip_output+0x1bf/0x4b0
+ ip_send_skb+0x37/0xa0
+ raw_sendmsg+0x180c/0x2430
+ sock_sendmsg+0xdb/0x110
+ __sys_sendto+0x257/0x2b0
+ __x64_sys_sendto+0xdd/0x1b0
+ do_syscall_64+0xa5/0x4e0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7fdeeb72e993
+ Code: 48 8b 0d e0 74 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 0d d6 2c 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 4b cc 00 00 48 89 04 24
+ RSP: 002b:00007ffdb3de8a18 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+ RAX: ffffffffffffffda RBX: 000055c81972b700 RCX: 00007fdeeb72e993
+ RDX: 0000000000000040 RSI: 000055c81972b700 RDI: 0000000000000003
+ RBP: 00007ffdb3dea130 R08: 000055c819728510 R09: 0000000000000010
+ R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
+ R13: 000055c81972b6c0 R14: 000055c81972969c R15: 0000000000000080
+
+Fix this moving the check on 'nkeys' earlier in tcf_pedit_init(), so that
+attempts to install rules having 0 keys are always rejected with -EINVAL.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_pedit.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/net/sched/act_pedit.c
++++ b/net/sched/act_pedit.c
+@@ -46,7 +46,7 @@ static struct tcf_pedit_key_ex *tcf_pedi
+ int err = -EINVAL;
+ int rem;
+
+- if (!nla || !n)
++ if (!nla)
+ return NULL;
+
+ keys_ex = kcalloc(n, sizeof(*k), GFP_KERNEL);
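Review bot: With the `!n` test removed, the function passes `n` straight to `kcalloc(n, sizeof(*k), GFP_KERNEL)` and so depends on its caller never passing 0, which this commit enforces in tcf_pedit_init(). That contract should be written on the function, e.g. `/* n must be non-zero; tcf_pedit_init() rejects nkeys == 0 before calling */`. The call site and the rest of the function are outside the hunk, so confirm tcf_pedit_init() is the only caller.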
+@@ -169,6 +169,10 @@ static int tcf_pedit_init(struct net *ne
+ }
+
+ parm = nla_data(pattr);
++ if (!parm->nkeys) {
++ NL_SET_ERR_MSG_MOD(extack, "Pedit requires keys to be passed");
++ return -EINVAL;
++ }
+ ksize = parm->nkeys * sizeof(struct tc_pedit_key);
+ if (nla_len(pattr) < sizeof(*parm) + ksize) {
+ NL_SET_ERR_MSG_ATTR(extack, pattr, "Length of TCA_PEDIT_PARMS or TCA_PEDIT_PARMS_EX pedit attribute is invalid");
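Review bot: The new `!parm->nkeys` test, like the `ksize` computation after it, reads `parm` before the `nla_len(pattr) < sizeof(*parm) + ksize` check, so the read is in bounds only if the attribute policy already guarantees at least `sizeof(*parm)` bytes. The policy and the parse call are outside the hunk; if the guarantee is there, a comment such as `/* pattr length >= sizeof(*parm) is enforced by the netlink policy */` would make the ordering safe to read. The early `return -EINVAL` also assumes nothing has been allocated yet at this point in tcf_pedit_init(), which the visible lines suggest but do not show.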
+@@ -182,12 +186,6 @@ static int tcf_pedit_init(struct net *ne
+ index = parm->index;
+ err = tcf_idr_check_alloc(tn, &index, a, bind);
+ if (!err) {
+- if (!parm->nkeys) {
+- tcf_idr_cleanup(tn, index);
+- NL_SET_ERR_MSG_MOD(extack, "Pedit requires keys to be passed");
+- ret = -EINVAL;
+- goto out_free;
+- }
+ ret = tcf_idr_create(tn, index, est, a,
+ &act_pedit_ops, bind, false);
+ if (ret) {
--- /dev/null
+From foo@baz Mon 25 Nov 2019 02:27:10 PM CET
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 18 Nov 2019 17:39:34 +0800
+Subject: net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 4f0e97d070984d487df027f163e52bb72d1713d8 ]
+
+info->options_len is 'u8' type, and when opts_len with a value >
+IP_TUNNEL_OPTS_MAX, 'info->options_len = opts_len' will cast int
+to u8 and set a wrong value to info->options_len.
+
+Kernel crashed in my test when doing:
+
+ # opts="0102:80:00800022"
+ # for i in {1..99}; do opts="$opts,0102:80:00800022"; done
+ # ip link add name geneve0 type geneve dstport 0 external
+ # tc qdisc add dev eth0 ingress
+ # tc filter add dev eth0 protocol ip parent ffff: \
+ flower indev eth0 ip_proto udp action tunnel_key \
+ set src_ip 10.0.99.192 dst_ip 10.0.99.193 \
+ dst_port 6081 id 11 geneve_opts $opts \
+ action mirred egress redirect dev geneve0
+
+So we should do the similar check as cls_flower does, return error
+when opts_len > IP_TUNNEL_OPTS_MAX in tunnel_key_copy_opts().
+
+Fixes: 0ed5269f9e41 ("net/sched: add tunnel option support to act_tunnel_key")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_tunnel_key.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/sched/act_tunnel_key.c
++++ b/net/sched/act_tunnel_key.c
+@@ -137,6 +137,10 @@ static int tunnel_key_copy_opts(const st
+ if (opt_len < 0)
+ return opt_len;
+ opts_len += opt_len;
++ if (opts_len > IP_TUNNEL_OPTS_MAX) {
++ NL_SET_ERR_MSG(extack, "Tunnel options exceeds max size");
++ return -EINVAL;
++ }
+ if (dst) {
+ dst_len -= opt_len;
+ dst += opt_len;
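Review bot: The extack string added here reads "Tunnel options exceeds max size"; the verb should agree: `NL_SET_ERR_MSG(extack, "Tunnel options exceed max size");`. The bound exists because the total is later stored in a `u8` field (`info->options_len`, per the commit message), and that reason is not recorded at the check. Adding `/* total must fit info->options_len (u8) */` above the `if` would keep the two in step. The enclosing loop and the assignment site are outside the hunk.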
--- /dev/null
+mlxsw-spectrum_router-fix-determining-underlay-for-a-gre-tunnel.patch
+net-mlx4_en-fix-mlx4-ethtool-n-insertion.patch
+net-mlx4_en-fix-wrong-limitation-for-number-of-tx-rings.patch
+net-rtnetlink-prevent-underflows-in-do_setvfinfo.patch
+net-sched-act_pedit-fix-warn-in-the-traffic-path.patch
+net-sched-ensure-opts_len-ip_tunnel_opts_max-in-act_tunnel_key.patch
+sfc-only-cancel-the-pps-workqueue-if-it-exists.patch
+net-mlx5e-fix-set-vf-link-state-error-flow.patch
+net-mlxfw-verify-fsm-error-code-translation-doesn-t-exceed-array-size.patch
+net-mlx5-fix-auto-group-size-calculation.patch
--- /dev/null
+From foo@baz Mon 25 Nov 2019 02:27:10 PM CET
+From: Martin Habets <mhabets@solarflare.com>
+Date: Thu, 21 Nov 2019 17:52:15 +0000
+Subject: sfc: Only cancel the PPS workqueue if it exists
+
+From: Martin Habets <mhabets@solarflare.com>
+
+[ Upstream commit 723eb53690041740a13ac78efeaf6804f5d684c9 ]
+
+The workqueue only exists for the primary PF. For other functions
+we hit a WARN_ON in kernel/workqueue.c.
+
+Fixes: 7c236c43b838 ("sfc: Add support for IEEE-1588 PTP")
+Signed-off-by: Martin Habets <mhabets@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/sfc/ptp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/sfc/ptp.c
++++ b/drivers/net/ethernet/sfc/ptp.c
+@@ -1534,7 +1534,8 @@ void efx_ptp_remove(struct efx_nic *efx)
+ (void)efx_ptp_disable(efx);
+
+ cancel_work_sync(&efx->ptp_data->work);
+- cancel_work_sync(&efx->ptp_data->pps_work);
++ if (efx->ptp_data->pps_workwq)
++ cancel_work_sync(&efx->ptp_data->pps_work);
+
+ skb_queue_purge(&efx->ptp_data->rxq);
+ skb_queue_purge(&efx->ptp_data->txq);
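Review bot: The guard tests `efx->ptp_data->pps_workwq` as a stand-in for "pps_work was initialised", and nothing at the call site says so. A comment such as `/* pps_work is only set up where the PPS workqueue exists (primary PF) */` would explain why one `cancel_work_sync()` is conditional and the other is not. The wording follows the commit message, so confirm it against the init path, which is outside the hunk.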