--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:46 +0200
+Subject: appletalk: enforce CAP_NET_RAW for raw sockets
+
+From: Ori Nimron <orinimron123@gmail.com>
+
+[ Upstream commit 6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac ]
+
+When creating a raw AF_APPLETALK socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/appletalk/ddp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1023,6 +1023,11 @@ static int atalk_create(struct net *net,
+ */
+ if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM)
+ goto out;
++
++ rc = -EPERM;
++ if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
++ goto out;
++
+ rc = -ENOMEM;
+ sk = sk_alloc(net, PF_APPLETALK, GFP_KERNEL, &ddp_proto, kern);
+ if (!sk)
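Review bot: The added `capable(CAP_NET_RAW)` test in atalk_create() is evaluated against the initial user namespace, so a task that holds CAP_NET_RAW only inside its own user namespace is still refused. That is the conservative choice for this protocol, but nothing next to the check says it is deliberate or why `kern` callers are let through. A one-line comment above the test would record both, e.g. `/* raw sockets need CAP_NET_RAW in the init user ns; in-kernel callers (kern) are exempt */`. atalk_create() starts and ends outside this hunk.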
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>
+Date: Fri, 20 Sep 2019 16:08:21 +0200
+Subject: arcnet: provide a buffer big enough to actually receive packets
+
+From: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 108639aac35eb57f1d0e8333f5fc8c7ff68df938 ]
+
+struct archdr is only big enough to hold the header of various types of
+arcnet packets. So to provide enough space to hold the data read from
+hardware provide a buffer large enough to hold a packet with maximal
+size.
+
+The problem was noticed by the stack protector which makes the kernel
+oops.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Acked-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/arcnet/arcnet.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/arcnet/arcnet.c
++++ b/drivers/net/arcnet/arcnet.c
+@@ -1063,31 +1063,34 @@ EXPORT_SYMBOL(arcnet_interrupt);
+ static void arcnet_rx(struct net_device *dev, int bufnum)
+ {
+ struct arcnet_local *lp = netdev_priv(dev);
+- struct archdr pkt;
++ union {
++ struct archdr pkt;
++ char buf[512];
++ } rxdata;
+ struct arc_rfc1201 *soft;
+ int length, ofs;
+
+- soft = &pkt.soft.rfc1201;
++ soft = &rxdata.pkt.soft.rfc1201;
+
+- lp->hw.copy_from_card(dev, bufnum, 0, &pkt, ARC_HDR_SIZE);
+- if (pkt.hard.offset[0]) {
+- ofs = pkt.hard.offset[0];
++ lp->hw.copy_from_card(dev, bufnum, 0, &rxdata.pkt, ARC_HDR_SIZE);
++ if (rxdata.pkt.hard.offset[0]) {
++ ofs = rxdata.pkt.hard.offset[0];
+ length = 256 - ofs;
+ } else {
+- ofs = pkt.hard.offset[1];
++ ofs = rxdata.pkt.hard.offset[1];
+ length = 512 - ofs;
+ }
+
+ /* get the full header, if possible */
+- if (sizeof(pkt.soft) <= length) {
+- lp->hw.copy_from_card(dev, bufnum, ofs, soft, sizeof(pkt.soft));
++ if (sizeof(rxdata.pkt.soft) <= length) {
++ lp->hw.copy_from_card(dev, bufnum, ofs, soft, sizeof(rxdata.pkt.soft));
+ } else {
+- memset(&pkt.soft, 0, sizeof(pkt.soft));
++ memset(&rxdata.pkt.soft, 0, sizeof(rxdata.pkt.soft));
+ lp->hw.copy_from_card(dev, bufnum, ofs, soft, length);
+ }
+
+ arc_printk(D_DURING, dev, "Buffer #%d: received packet from %02Xh to %02Xh (%d+4 bytes)\n",
+- bufnum, pkt.hard.source, pkt.hard.dest, length);
++ bufnum, rxdata.pkt.hard.source, rxdata.pkt.hard.dest, length);
+
+ dev->stats.rx_packets++;
+ dev->stats.rx_bytes += length + ARC_HDR_SIZE;
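Review bot: The `char buf[512]` member is sized by a bare literal that is not tied to the length arithmetic a few lines below, where `length = 512 - ofs` reaches 512 if both hardware-supplied offset bytes read as zero. Because the soft header starts after the hard header inside the union, whether 512 bytes covers ARC_HDR_SIZE plus the largest `length` depends on what the protocol rx handlers write through `&rxdata.pkt`, which this hunk does not show. A named constant shared by the buffer and the `256 - ofs` / `512 - ofs` expressions, with a comment stating the most a handler may write into the union, would make the bound checkable. arcnet_rx() continues in the following hunks.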
+@@ -1096,13 +1099,13 @@ static void arcnet_rx(struct net_device
+ if (arc_proto_map[soft->proto]->is_ip) {
+ if (BUGLVL(D_PROTO)) {
+ struct ArcProto
+- *oldp = arc_proto_map[lp->default_proto[pkt.hard.source]],
++ *oldp = arc_proto_map[lp->default_proto[rxdata.pkt.hard.source]],
+ *newp = arc_proto_map[soft->proto];
+
+ if (oldp != newp) {
+ arc_printk(D_PROTO, dev,
+ "got protocol %02Xh; encap for host %02Xh is now '%c' (was '%c')\n",
+- soft->proto, pkt.hard.source,
++ soft->proto, rxdata.pkt.hard.source,
+ newp->suffix, oldp->suffix);
+ }
+ }
+@@ -1111,10 +1114,10 @@ static void arcnet_rx(struct net_device
+ lp->default_proto[0] = soft->proto;
+
+ /* in striking contrast, the following isn't a hack. */
+- lp->default_proto[pkt.hard.source] = soft->proto;
++ lp->default_proto[rxdata.pkt.hard.source] = soft->proto;
+ }
+ /* call the protocol-specific receiver. */
+- arc_proto_map[soft->proto]->rx(dev, bufnum, &pkt, length);
++ arc_proto_map[soft->proto]->rx(dev, bufnum, &rxdata.pkt, length);
+ }
+
+ static void null_rx(struct net_device *dev, int bufnum,
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:47 +0200
+Subject: ax25: enforce CAP_NET_RAW for raw sockets
+
+From: Ori Nimron <orinimron123@gmail.com>
+
+[ Upstream commit 0614e2b73768b502fc32a75349823356d98aae2c ]
+
+When creating a raw AF_AX25 socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ax25/af_ax25.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -855,6 +855,8 @@ static int ax25_create(struct net *net,
+ break;
+
+ case SOCK_RAW:
++ if (!capable(CAP_NET_RAW))
++ return -EPERM;
+ break;
+ default:
+ return -ESOCKTNOSUPPORT;
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: "Bjørn Mork" <bjorn@mork.no>
+Date: Wed, 18 Sep 2019 14:01:46 +0200
+Subject: cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize
+
+From: "Bjørn Mork" <bjorn@mork.no>
+
+[ Upstream commit 3fe4b3351301660653a2bc73f2226da0ebd2b95e ]
+
+Endpoints with zero wMaxPacketSize are not usable for transferring
+data. Ignore such endpoints when looking for valid in, out and
+status pipes, to make the driver more robust against invalid and
+meaningless descriptors.
+
+The wMaxPacketSize of the out pipe is used as divisor. So this change
+fixes a divide-by-zero bug.
+
+Reported-by: syzbot+ce366e2b8296e25d84f5@syzkaller.appspotmail.com
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/cdc_ncm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -681,8 +681,12 @@ cdc_ncm_find_endpoints(struct usbnet *de
+ u8 ep;
+
+ for (ep = 0; ep < intf->cur_altsetting->desc.bNumEndpoints; ep++) {
+-
+ e = intf->cur_altsetting->endpoint + ep;
++
++ /* ignore endpoints which cannot transfer data */
++ if (!usb_endpoint_maxp(&e->desc))
++ continue;
++
+ switch (e->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) {
+ case USB_ENDPOINT_XFER_INT:
+ if (usb_endpoint_dir_in(&e->desc)) {
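Review bot: The new comment says only that such endpoints cannot transfer data, while the hazard named in the commit message is that the out pipe's wMaxPacketSize is later used as a divisor. Recording that at the check keeps a later cleanup from dropping it as redundant: `/* ignore endpoints which cannot transfer data; a zero wMaxPacketSize would later be used as a divisor */`. The descriptor values come from the attached device, so this is an input-validation point rather than a cosmetic one. The loop body continues outside the hunk.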
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:48 +0200
+Subject: ieee802154: enforce CAP_NET_RAW for raw sockets
+
+From: Ori Nimron <orinimron123@gmail.com>
+
+[ Upstream commit e69dbd4619e7674c1679cba49afd9dd9ac347eef ]
+
+When creating a raw AF_IEEE802154 socket, CAP_NET_RAW needs to be
+checked first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/socket.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ieee802154/socket.c
++++ b/net/ieee802154/socket.c
+@@ -1008,6 +1008,9 @@ static int ieee802154_create(struct net
+
+ switch (sock->type) {
+ case SOCK_RAW:
++ rc = -EPERM;
++ if (!capable(CAP_NET_RAW))
++ goto out;
+ proto = &ieee802154_raw_prot;
+ ops = &ieee802154_raw_ops;
+ break;
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: David Ahern <dsahern@gmail.com>
+Date: Tue, 17 Sep 2019 10:39:49 -0700
+Subject: ipv4: Revert removal of rt_uses_gateway
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit 77d5bc7e6a6cf8bbeca31aab7f0c5449a5eee762 ]
+
+Julian noted that rt_uses_gateway has a more subtle use than 'is gateway
+set':
+ https://lore.kernel.org/netdev/alpine.LFD.2.21.1909151104060.2546@ja.home.ssi.bg/
+
+Revert that part of the commit referenced in the Fixes tag.
+
+Currently, there are no u8 holes in 'struct rtable'. There is a 4-byte hole
+in the second cacheline which contains the gateway declaration. So move
+rt_gw_family down to the gateway declarations since they are always used
+together, and then re-use that u8 for rt_uses_gateway. End result is that
+rtable size is unchanged.
+
+Fixes: 1550c171935d ("ipv4: Prepare rtable for IPv6 gateway")
+Reported-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Reviewed-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/addr.c | 2 +-
+ include/net/route.h | 3 ++-
+ net/ipv4/inet_connection_sock.c | 4 ++--
+ net/ipv4/ip_forward.c | 2 +-
+ net/ipv4/ip_output.c | 2 +-
+ net/ipv4/route.c | 36 +++++++++++++++++++++---------------
+ net/ipv4/xfrm4_policy.c | 1 +
+ 7 files changed, 29 insertions(+), 21 deletions(-)
+
+--- a/drivers/infiniband/core/addr.c
++++ b/drivers/infiniband/core/addr.c
+@@ -352,7 +352,7 @@ static bool has_gateway(const struct dst
+
+ if (family == AF_INET) {
+ rt = container_of(dst, struct rtable, dst);
+- return rt->rt_gw_family == AF_INET;
++ return rt->rt_uses_gateway;
+ }
+
+ rt6 = container_of(dst, struct rt6_info, dst);
+--- a/include/net/route.h
++++ b/include/net/route.h
+@@ -53,10 +53,11 @@ struct rtable {
+ unsigned int rt_flags;
+ __u16 rt_type;
+ __u8 rt_is_input;
+- u8 rt_gw_family;
++ __u8 rt_uses_gateway;
+
+ int rt_iif;
+
++ u8 rt_gw_family;
+ /* Info on neighbour */
+ union {
+ __be32 rt_gw4;
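Review bot: Nothing in struct rtable documents how `rt_uses_gateway` differs from `rt_gw_family`, although the commit message calls the difference subtle and the fields are now tested separately across the series. A field comment such as `/* route goes via a gateway; not equivalent to rt_gw_family != 0 */` would help, with the exact wording to be confirmed against the thread linked in the commit message. Separately, `u8 rt_gw_family;` lands above the `/* Info on neighbour */` comment instead of below it next to the union it qualifies, and the two adjacent fields mix `__u8` and `u8`.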
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -560,7 +560,7 @@ struct dst_entry *inet_csk_route_req(con
+ rt = ip_route_output_flow(net, fl4, sk);
+ if (IS_ERR(rt))
+ goto no_route;
+- if (opt && opt->opt.is_strictroute && rt->rt_gw_family)
++ if (opt && opt->opt.is_strictroute && rt->rt_uses_gateway)
+ goto route_err;
+ rcu_read_unlock();
+ return &rt->dst;
+@@ -598,7 +598,7 @@ struct dst_entry *inet_csk_route_child_s
+ rt = ip_route_output_flow(net, fl4, sk);
+ if (IS_ERR(rt))
+ goto no_route;
+- if (opt && opt->opt.is_strictroute && rt->rt_gw_family)
++ if (opt && opt->opt.is_strictroute && rt->rt_uses_gateway)
+ goto route_err;
+ return &rt->dst;
+
+--- a/net/ipv4/ip_forward.c
++++ b/net/ipv4/ip_forward.c
+@@ -123,7 +123,7 @@ int ip_forward(struct sk_buff *skb)
+
+ rt = skb_rtable(skb);
+
+- if (opt->is_strictroute && rt->rt_gw_family)
++ if (opt->is_strictroute && rt->rt_uses_gateway)
+ goto sr_failed;
+
+ IPCB(skb)->flags |= IPSKB_FORWARDED;
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -499,7 +499,7 @@ int __ip_queue_xmit(struct sock *sk, str
+ skb_dst_set_noref(skb, &rt->dst);
+
+ packet_routed:
+- if (inet_opt && inet_opt->opt.is_strictroute && rt->rt_gw_family)
++ if (inet_opt && inet_opt->opt.is_strictroute && rt->rt_uses_gateway)
+ goto no_route;
+
+ /* OK, we know where to send it, allocate and build IP header. */
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -635,6 +635,7 @@ static void fill_route_from_fnhe(struct
+
+ if (fnhe->fnhe_gw) {
+ rt->rt_flags |= RTCF_REDIRECTED;
++ rt->rt_uses_gateway = 1;
+ rt->rt_gw_family = AF_INET;
+ rt->rt_gw4 = fnhe->fnhe_gw;
+ }
+@@ -1313,7 +1314,7 @@ static unsigned int ipv4_mtu(const struc
+ mtu = READ_ONCE(dst->dev->mtu);
+
+ if (unlikely(ip_mtu_locked(dst))) {
+- if (rt->rt_gw_family && mtu > 576)
++ if (rt->rt_uses_gateway && mtu > 576)
+ mtu = 576;
+ }
+
+@@ -1569,6 +1570,7 @@ static void rt_set_nexthop(struct rtable
+ struct fib_nh_common *nhc = FIB_RES_NHC(*res);
+
+ if (nhc->nhc_gw_family && nhc->nhc_scope == RT_SCOPE_LINK) {
++ rt->rt_uses_gateway = 1;
+ rt->rt_gw_family = nhc->nhc_gw_family;
+ /* only INET and INET6 are supported */
+ if (likely(nhc->nhc_gw_family == AF_INET))
+@@ -1634,6 +1636,7 @@ struct rtable *rt_dst_alloc(struct net_d
+ rt->rt_iif = 0;
+ rt->rt_pmtu = 0;
+ rt->rt_mtu_locked = 0;
++ rt->rt_uses_gateway = 0;
+ rt->rt_gw_family = 0;
+ rt->rt_gw4 = 0;
+ INIT_LIST_HEAD(&rt->rt_uncached);
+@@ -2694,6 +2697,7 @@ struct dst_entry *ipv4_blackhole_route(s
+ rt->rt_genid = rt_genid_ipv4(net);
+ rt->rt_flags = ort->rt_flags;
+ rt->rt_type = ort->rt_type;
++ rt->rt_uses_gateway = ort->rt_uses_gateway;
+ rt->rt_gw_family = ort->rt_gw_family;
+ if (rt->rt_gw_family == AF_INET)
+ rt->rt_gw4 = ort->rt_gw4;
+@@ -2778,21 +2782,23 @@ static int rt_fill_info(struct net *net,
+ if (nla_put_in_addr(skb, RTA_PREFSRC, fl4->saddr))
+ goto nla_put_failure;
+ }
+- if (rt->rt_gw_family == AF_INET &&
+- nla_put_in_addr(skb, RTA_GATEWAY, rt->rt_gw4)) {
+- goto nla_put_failure;
+- } else if (rt->rt_gw_family == AF_INET6) {
+- int alen = sizeof(struct in6_addr);
+- struct nlattr *nla;
+- struct rtvia *via;
+-
+- nla = nla_reserve(skb, RTA_VIA, alen + 2);
+- if (!nla)
++ if (rt->rt_uses_gateway) {
++ if (rt->rt_gw_family == AF_INET &&
++ nla_put_in_addr(skb, RTA_GATEWAY, rt->rt_gw4)) {
+ goto nla_put_failure;
+-
+- via = nla_data(nla);
+- via->rtvia_family = AF_INET6;
+- memcpy(via->rtvia_addr, &rt->rt_gw6, alen);
++ } else if (rt->rt_gw_family == AF_INET6) {
++ int alen = sizeof(struct in6_addr);
++ struct nlattr *nla;
++ struct rtvia *via;
++
++ nla = nla_reserve(skb, RTA_VIA, alen + 2);
++ if (!nla)
++ goto nla_put_failure;
++
++ via = nla_data(nla);
++ via->rtvia_family = AF_INET6;
++ memcpy(via->rtvia_addr, &rt->rt_gw6, alen);
++ }
+ }
+
+ expires = rt->dst.expires;
+--- a/net/ipv4/xfrm4_policy.c
++++ b/net/ipv4/xfrm4_policy.c
+@@ -85,6 +85,7 @@ static int xfrm4_fill_dst(struct xfrm_ds
+ xdst->u.rt.rt_flags = rt->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST |
+ RTCF_LOCAL);
+ xdst->u.rt.rt_type = rt->rt_type;
++ xdst->u.rt.rt_uses_gateway = rt->rt_uses_gateway;
+ xdst->u.rt.rt_gw_family = rt->rt_gw_family;
+ if (rt->rt_gw_family == AF_INET)
+ xdst->u.rt.rt_gw4 = rt->rt_gw4;
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Tue, 24 Sep 2019 16:01:28 +0200
+Subject: ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+[ Upstream commit ca7a03c4175366a92cee0ccc4fec0038c3266e26 ]
+
+Commit 7d9e5f422150 removed references from certain dsts, but accounting
+for this never translated down into the fib6 suppression code. This bug
+was triggered by WireGuard users who use wg-quick(8), which uses the
+"suppress-prefix" directive to ip-rule(8) for routing all of their
+internet traffic without routing loops. The test case added here
+causes the reference underflow by causing packets to evaluate a suppress
+rule.
+
+Fixes: 7d9e5f422150 ("ipv6: convert major tx path to use RT6_LOOKUP_F_DST_NOREF")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Acked-by: Wei Wang <weiwan@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/fib6_rules.c | 3 ++-
+ tools/testing/selftests/net/fib_tests.sh | 17 ++++++++++++++++-
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/fib6_rules.c
++++ b/net/ipv6/fib6_rules.c
+@@ -287,7 +287,8 @@ static bool fib6_rule_suppress(struct fi
+ return false;
+
+ suppress_route:
+- ip6_rt_put(rt);
++ if (!(arg->flags & FIB_LOOKUP_NOREF))
++ ip6_rt_put(rt);
+ return true;
+ }
+
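Review bot: The new condition on the `suppress_route:` path has no comment, and the reason the put is skipped is not recoverable from the function alone. Going by the commit message, a lookup made with FIB_LOOKUP_NOREF took no reference on rt, so dropping one underflows the count. Suggest adding `/* a NOREF lookup holds no reference on rt, so there is nothing to drop */` above the `if`. fib6_rule_suppress() starts outside the hunk.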
+--- a/tools/testing/selftests/net/fib_tests.sh
++++ b/tools/testing/selftests/net/fib_tests.sh
+@@ -9,7 +9,7 @@ ret=0
+ ksft_skip=4
+
+ # all tests in this script. Can be overridden with -t option
+-TESTS="unregister down carrier nexthop ipv6_rt ipv4_rt ipv6_addr_metric ipv4_addr_metric ipv6_route_metrics ipv4_route_metrics ipv4_route_v6_gw rp_filter"
++TESTS="unregister down carrier nexthop suppress ipv6_rt ipv4_rt ipv6_addr_metric ipv4_addr_metric ipv6_route_metrics ipv4_route_metrics ipv4_route_v6_gw rp_filter"
+
+ VERBOSE=0
+ PAUSE_ON_FAIL=no
+@@ -614,6 +614,20 @@ fib_nexthop_test()
+ cleanup
+ }
+
++fib_suppress_test()
++{
++ $IP link add dummy1 type dummy
++ $IP link set dummy1 up
++ $IP -6 route add default dev dummy1
++ $IP -6 rule add table main suppress_prefixlength 0
++ ping -f -c 1000 -W 1 1234::1 || true
++ $IP -6 rule del table main suppress_prefixlength 0
++ $IP link del dummy1
++
++ # If we got here without crashing, we're good.
++ return 0
++}
++
+ ################################################################################
+ # Tests on route add and replace
+
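Review bot: fib_suppress_test() never calls `cleanup`, although the preceding test visibly ends with it, and it has no matching setup step either. The `ping` is also run bare while every other command goes through `$IP`; if `$IP` targets a test namespace (its definition is outside this hunk), the ping runs in the caller's namespace and never evaluates the suppress rule. A command failing midway would further leave `dummy1` and the rule behind. Bracketing the body with the script's setup and `cleanup` helpers and running the ping in the same namespace as the `$IP` commands would address all three. The result is returned with `return 0` instead of being reported the way the other tests report theirs, which may be worth aligning.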
+@@ -1591,6 +1605,7 @@ do
+ fib_carrier_test|carrier) fib_carrier_test;;
+ fib_rp_filter_test|rp_filter) fib_rp_filter_test;;
+ fib_nexthop_test|nexthop) fib_nexthop_test;;
++ fib_suppress_test|suppress) fib_suppress_test;;
+ ipv6_route_test|ipv6_rt) ipv6_route_test;;
+ ipv4_route_test|ipv4_rt) ipv4_route_test;;
+ ipv6_addr_metric) ipv6_addr_metric_test;;
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 19 Sep 2019 10:12:36 -0700
+Subject: ipv6: fix a typo in fib6_rule_lookup()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 7b09c2d052db4b4ad0b27b97918b46a7746966fa ]
+
+Yi Ren reported an issue discovered by syzkaller, and bisected
+to the cited commit.
+
+Many thanks to Yi, this trivial patch does not reflect the patient
+work that has been done.
+
+Fixes: d64a1f574a29 ("ipv6: honor RT6_LOOKUP_F_DST_NOREF in rule lookup logic")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Wei Wang <weiwan@google.com>
+Bisected-and-reported-by: Yi Ren <c4tren@gmail.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_fib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -318,7 +318,7 @@ struct dst_entry *fib6_rule_lookup(struc
+ if (rt->dst.error == -EAGAIN) {
+ ip6_rt_put_flags(rt, flags);
+ rt = net->ipv6.ip6_null_entry;
+- if (!(flags | RT6_LOOKUP_F_DST_NOREF))
++ if (!(flags & RT6_LOOKUP_F_DST_NOREF))
+ dst_hold(&rt->dst);
+ }
+
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 23 Sep 2019 17:02:46 +0800
+Subject: macsec: drop skb sk before calling gro_cells_receive
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit ba56d8ce38c8252fff5b745db3899cf092578ede ]
+
+Fei Liu reported a crash when doing netperf on a topo of macsec
+dev over veth:
+
+ [ 448.919128] refcount_t: underflow; use-after-free.
+ [ 449.090460] Call trace:
+ [ 449.092895] refcount_sub_and_test+0xb4/0xc0
+ [ 449.097155] tcp_wfree+0x2c/0x150
+ [ 449.100460] ip_rcv+0x1d4/0x3a8
+ [ 449.103591] __netif_receive_skb_core+0x554/0xae0
+ [ 449.108282] __netif_receive_skb+0x28/0x78
+ [ 449.112366] netif_receive_skb_internal+0x54/0x100
+ [ 449.117144] napi_gro_complete+0x70/0xc0
+ [ 449.121054] napi_gro_flush+0x6c/0x90
+ [ 449.124703] napi_complete_done+0x50/0x130
+ [ 449.128788] gro_cell_poll+0x8c/0xa8
+ [ 449.132351] net_rx_action+0x16c/0x3f8
+ [ 449.136088] __do_softirq+0x128/0x320
+
+The issue was caused by skb's true_size changed without its sk's
+sk_wmem_alloc increased in tcp/skb_gro_receive(). Later when the
+skb is being freed and the skb's truesize is subtracted from its
+sk's sk_wmem_alloc in tcp_wfree(), underflow occurs.
+
+macsec is calling gro_cells_receive() to receive a packet, which
+actually requires skb->sk to be NULL. However when macsec dev is
+over veth, it's possible the skb->sk is still set if the skb was
+not unshared or expanded from the peer veth.
+
+ip_rcv() is calling skb_orphan() to drop the skb's sk for tproxy,
+but it is too late for macsec's calling gro_cells_receive(). So
+fix it by dropping the skb's sk earlier on rx path of macsec.
+
+Fixes: 5491e7c6b1a9 ("macsec: enable GRO and RPS on macsec devices")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Reported-by: Fei Liu <feliu@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1235,6 +1235,7 @@ deliver:
+ macsec_rxsa_put(rx_sa);
+ macsec_rxsc_put(rx_sc);
+
++ skb_orphan(skb);
+ ret = gro_cells_receive(&macsec->gro_cells, skb);
+ if (ret == NET_RX_SUCCESS)
+ count_rx(dev, skb->len);
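Review bot: `skb->len` is still read in `count_rx(dev, skb->len)` after `gro_cells_receive()` has taken ownership of the skb, and the added `skb_orphan()` does not change that. Once the skb is handed to the GRO cell it may already have been merged or freed, so the length should be captured first: `len = skb->len;` before the call and `count_rx(dev, len);` after it. The enclosing function starts and ends outside this hunk.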
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:45 +0200
+Subject: mISDN: enforce CAP_NET_RAW for raw sockets
+
+From: Ori Nimron <orinimron123@gmail.com>
+
+[ Upstream commit b91ee4aa2a2199ba4d4650706c272985a5a32d80 ]
+
+When creating a raw AF_ISDN socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/isdn/mISDN/socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/isdn/mISDN/socket.c
++++ b/drivers/isdn/mISDN/socket.c
+@@ -754,6 +754,8 @@ base_sock_create(struct net *net, struct
+
+ if (sock->type != SOCK_RAW)
+ return -ESOCKTNOSUPPORT;
++ if (!capable(CAP_NET_RAW))
++ return -EPERM;
+
+ sk = sk_alloc(net, PF_ISDN, GFP_KERNEL, &mISDN_proto, kern);
+ if (!sk)
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Bodong Wang <bodong@mellanox.com>
+Date: Mon, 26 Aug 2019 16:34:12 -0500
+Subject: net/mlx5: Add device ID of upcoming BlueField-2
+
+From: Bodong Wang <bodong@mellanox.com>
+
+[ Upstream commit d19a79ee38c8fda6d297e4227e80db8bf51c71a6 ]
+
+Add the device ID of upcoming BlueField-2 integrated ConnectX-6 Dx
+network controller. Its VFs will be using the generic VF device ID:
+0x101e "ConnectX Family mlx5Gen Virtual Function".
+
+Fixes: 2e9d3e83ab82 ("net/mlx5: Update the list of the PCI supported devices")
+Signed-off-by: Bodong Wang <bodong@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -1554,6 +1554,7 @@ static const struct pci_device_id mlx5_c
+ { PCI_VDEVICE(MELLANOX, 0x101e), MLX5_PCI_DEV_IS_VF}, /* ConnectX Family mlx5Gen Virtual Function */
+ { PCI_VDEVICE(MELLANOX, 0xa2d2) }, /* BlueField integrated ConnectX-5 network controller */
+ { PCI_VDEVICE(MELLANOX, 0xa2d3), MLX5_PCI_DEV_IS_VF}, /* BlueField integrated ConnectX-5 network controller VF */
++ { PCI_VDEVICE(MELLANOX, 0xa2d6) }, /* BlueField-2 integrated ConnectX-6 Dx network controller */
+ { 0, }
+ };
+
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Dmytro Linkin <dmitrolin@mellanox.com>
+Date: Fri, 13 Sep 2019 10:42:21 +0000
+Subject: net/mlx5e: Fix matching on tunnel addresses type
+
+From: Dmytro Linkin <dmitrolin@mellanox.com>
+
+[ Upstream commit fe1587a7de94912ed75ba5ddbfabf0741f9f8239 ]
+
+In mlx5 parse_tunnel_attr() function dispatch on encap IP address type
+is performed by directly checking flow_rule_match_key() on
+FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS, and then on
+FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS. However, since those are stored in
+union, first check is always true if any type of encap address is set,
+which leads to IPv6 tunnel encap address being parsed as IPv4 by mlx5.
+Determine the correct IP address type by checking the control key first and,
+if it is set, take the address type from match.key->addr_type.
+
+Fixes: d1bda7eecd88 ("net/mlx5e: Allow matching only enc_key_id/enc_dst_port for decapsulation action")
+Signed-off-by: Dmytro Linkin <dmitrolin@mellanox.com>
+Reviewed-by: Vlad Buslov <vladbu@mellanox.com>
+Reviewed-by: Eli Britstein <elibr@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 97 ++++++++++++++----------
+ 1 file changed, 57 insertions(+), 40 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -1369,46 +1369,63 @@ static int parse_tunnel_attr(struct mlx5
+ return err;
+ }
+
+- if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS)) {
+- struct flow_match_ipv4_addrs match;
+-
+- flow_rule_match_enc_ipv4_addrs(rule, &match);
+- MLX5_SET(fte_match_set_lyr_2_4, headers_c,
+- src_ipv4_src_ipv6.ipv4_layout.ipv4,
+- ntohl(match.mask->src));
+- MLX5_SET(fte_match_set_lyr_2_4, headers_v,
+- src_ipv4_src_ipv6.ipv4_layout.ipv4,
+- ntohl(match.key->src));
+-
+- MLX5_SET(fte_match_set_lyr_2_4, headers_c,
+- dst_ipv4_dst_ipv6.ipv4_layout.ipv4,
+- ntohl(match.mask->dst));
+- MLX5_SET(fte_match_set_lyr_2_4, headers_v,
+- dst_ipv4_dst_ipv6.ipv4_layout.ipv4,
+- ntohl(match.key->dst));
+-
+- MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, headers_c, ethertype);
+- MLX5_SET(fte_match_set_lyr_2_4, headers_v, ethertype, ETH_P_IP);
+- } else if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS)) {
+- struct flow_match_ipv6_addrs match;
+-
+- flow_rule_match_enc_ipv6_addrs(rule, &match);
+- memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_c,
+- src_ipv4_src_ipv6.ipv6_layout.ipv6),
+- &match.mask->src, MLX5_FLD_SZ_BYTES(ipv6_layout, ipv6));
+- memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_v,
+- src_ipv4_src_ipv6.ipv6_layout.ipv6),
+- &match.key->src, MLX5_FLD_SZ_BYTES(ipv6_layout, ipv6));
+-
+- memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_c,
+- dst_ipv4_dst_ipv6.ipv6_layout.ipv6),
+- &match.mask->dst, MLX5_FLD_SZ_BYTES(ipv6_layout, ipv6));
+- memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_v,
+- dst_ipv4_dst_ipv6.ipv6_layout.ipv6),
+- &match.key->dst, MLX5_FLD_SZ_BYTES(ipv6_layout, ipv6));
+-
+- MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, headers_c, ethertype);
+- MLX5_SET(fte_match_set_lyr_2_4, headers_v, ethertype, ETH_P_IPV6);
++ if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ENC_CONTROL)) {
++ struct flow_match_control match;
++ u16 addr_type;
++
++ flow_rule_match_enc_control(rule, &match);
++ addr_type = match.key->addr_type;
++
++ /* For tunnel addr_type used same key id`s as for non-tunnel */
++ if (addr_type == FLOW_DISSECTOR_KEY_IPV4_ADDRS) {
++ struct flow_match_ipv4_addrs match;
++
++ flow_rule_match_enc_ipv4_addrs(rule, &match);
++ MLX5_SET(fte_match_set_lyr_2_4, headers_c,
++ src_ipv4_src_ipv6.ipv4_layout.ipv4,
++ ntohl(match.mask->src));
++ MLX5_SET(fte_match_set_lyr_2_4, headers_v,
++ src_ipv4_src_ipv6.ipv4_layout.ipv4,
++ ntohl(match.key->src));
++
++ MLX5_SET(fte_match_set_lyr_2_4, headers_c,
++ dst_ipv4_dst_ipv6.ipv4_layout.ipv4,
++ ntohl(match.mask->dst));
++ MLX5_SET(fte_match_set_lyr_2_4, headers_v,
++ dst_ipv4_dst_ipv6.ipv4_layout.ipv4,
++ ntohl(match.key->dst));
++
++ MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, headers_c,
++ ethertype);
++ MLX5_SET(fte_match_set_lyr_2_4, headers_v, ethertype,
++ ETH_P_IP);
++ } else if (addr_type == FLOW_DISSECTOR_KEY_IPV6_ADDRS) {
++ struct flow_match_ipv6_addrs match;
++
++ flow_rule_match_enc_ipv6_addrs(rule, &match);
++ memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_c,
++ src_ipv4_src_ipv6.ipv6_layout.ipv6),
++ &match.mask->src, MLX5_FLD_SZ_BYTES(ipv6_layout,
++ ipv6));
++ memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_v,
++ src_ipv4_src_ipv6.ipv6_layout.ipv6),
++ &match.key->src, MLX5_FLD_SZ_BYTES(ipv6_layout,
++ ipv6));
++
++ memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_c,
++ dst_ipv4_dst_ipv6.ipv6_layout.ipv6),
++ &match.mask->dst, MLX5_FLD_SZ_BYTES(ipv6_layout,
++ ipv6));
++ memcpy(MLX5_ADDR_OF(fte_match_set_lyr_2_4, headers_v,
++ dst_ipv4_dst_ipv6.ipv6_layout.ipv6),
++ &match.key->dst, MLX5_FLD_SZ_BYTES(ipv6_layout,
++ ipv6));
++
++ MLX5_SET_TO_ONES(fte_match_set_lyr_2_4, headers_c,
++ ethertype);
++ MLX5_SET(fte_match_set_lyr_2_4, headers_v, ethertype,
++ ETH_P_IPV6);
++ }
+ }
+
+ if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ENC_IP)) {
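Review bot: The inner `struct flow_match_ipv4_addrs match;` and `struct flow_match_ipv6_addrs match;` shadow the outer `struct flow_match_control match;` declared at the top of the new block. That is legal, but it trips -Wshadow and makes it easy to read `match.key` as the wrong type; naming the outer one distinctly, e.g. `struct flow_match_control enc_control;`, avoids it. Also, when the control key is present but `addr_type` is neither IPv4 nor IPv6, the block silently sets no ethertype match; a comment saying this is intended would help. parse_tunnel_attr() starts and ends outside the hunk.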
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Saeed Mahameed <saeedm@mellanox.com>
+Date: Wed, 11 Sep 2019 07:50:13 -0700
+Subject: net/mlx5e: Fix traffic duplication in ethtool steering
+
+From: Saeed Mahameed <saeedm@mellanox.com>
+
+[ Upstream commit d22fcc806b84b9818de08b32e494f3c05dd236c7 ]
+
+Before this patch, when adding multiple ethtool steering rules with
+identical classification, the driver used to append the new destination
+to the already existing hw rule, which caused the hw to forward the
+traffic to all destinations (rx queues).
+
+Here we avoid this by setting the "no append" mlx5 fs core flag when
+adding a new ethtool rule.
+
+Fixes: 6dc6071cfcde ("net/mlx5e: Add ethtool flow steering support")
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Reviewed-by: Maor Gottlieb <maorg@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs_ethtool.c
+@@ -399,10 +399,10 @@ add_ethtool_flow_rule(struct mlx5e_priv
+ struct mlx5_flow_table *ft,
+ struct ethtool_rx_flow_spec *fs)
+ {
++ struct mlx5_flow_act flow_act = { .flags = FLOW_ACT_NO_APPEND };
+ struct mlx5_flow_destination *dst = NULL;
+- struct mlx5_flow_act flow_act = {0};
+- struct mlx5_flow_spec *spec;
+ struct mlx5_flow_handle *rule;
++ struct mlx5_flow_spec *spec;
+ int err = 0;
+
+ spec = kvzalloc(sizeof(*spec), GFP_KERNEL);
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Peter Mamonov <pmamonov@gmail.com>
+Date: Wed, 18 Sep 2019 19:27:55 +0300
+Subject: net/phy: fix DP83865 10 Mbps HDX loopback disable function
+
+From: Peter Mamonov <pmamonov@gmail.com>
+
+[ Upstream commit e47488b2df7f9cb405789c7f5d4c27909fc597ae ]
+
+According to the DP83865 datasheet "the 10 Mbps HDX loopback can be
+disabled in the expanded memory register 0x1C0.1". The driver erroneously
+used bit 0 instead of bit 1.
+
+Fixes: 4621bf129856 ("phy: Add file missed in previous commit.")
+Signed-off-by: Peter Mamonov <pmamonov@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/national.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/phy/national.c
++++ b/drivers/net/phy/national.c
+@@ -105,14 +105,17 @@ static void ns_giga_speed_fallback(struc
+
+ static void ns_10_base_t_hdx_loopack(struct phy_device *phydev, int disable)
+ {
++ u16 lb_dis = BIT(1);
++
+ if (disable)
+- ns_exp_write(phydev, 0x1c0, ns_exp_read(phydev, 0x1c0) | 1);
++ ns_exp_write(phydev, 0x1c0,
++ ns_exp_read(phydev, 0x1c0) | lb_dis);
+ else
+ ns_exp_write(phydev, 0x1c0,
+- ns_exp_read(phydev, 0x1c0) & 0xfffe);
++ ns_exp_read(phydev, 0x1c0) & ~lb_dis);
+
+ pr_debug("10BASE-T HDX loopback %s\n",
+- (ns_exp_read(phydev, 0x1c0) & 0x0001) ? "off" : "on");
++ (ns_exp_read(phydev, 0x1c0) & lb_dis) ? "off" : "on");
+ }
+
+ static int ns_config_init(struct phy_device *phydev)
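Review bot: The corrected bit lives in a local `u16 lb_dis = BIT(1);` while the register address `0x1c0` stays a bare literal in every access inside `ns_10_base_t_hdx_loopack()`. File-level constants would tie both values to the datasheet and make a repeat of this bit mix-up less likely, e.g. `#define NS_EXP_MEM_10BT_CTRL 0x1c0` and `#define NS_EXP_10BT_HDX_LB_DIS BIT(1)` (the names are only a suggestion). The result of `ns_exp_read()` is also fed straight into the read-modify-write; whether it can return an error value is not visible in this hunk.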
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Hans Andersson <hans.andersson@cellavision.se>
+Date: Thu, 26 Sep 2019 09:54:37 +0200
+Subject: net: phy: micrel: add Asym Pause workaround for KSZ9021
+
+From: Hans Andersson <hans.andersson@cellavision.se>
+
+[ Upstream commit 407d8098cb1ab338199f4753162799a488d87d23 ]
+
+The Micrel KSZ9031 PHY may fail to establish a link when the Asymmetric
+Pause capability is set. This issue is described in a Silicon Errata
+(DS80000691D or DS80000692D), which advises to always disable the
+capability.
+
+Micrel KSZ9021 has no errata, but has the same issue with Asymmetric Pause.
+This patch apply the same workaround as the one for KSZ9031.
+
+Fixes: 3aed3e2a143c ("net: phy: micrel: add Asym Pause workaround")
+Signed-off-by: Hans Andersson <hans.andersson@cellavision.se>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/micrel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -763,6 +763,8 @@ static int ksz9031_get_features(struct p
+ * Whenever the device's Asymmetric Pause capability is set to 1,
+ * link-up may fail after a link-up to link-down transition.
+ *
++ * The Errata Sheet is for ksz9031, but ksz9021 has the same issue
++ *
+ * Workaround:
+ * Do not enable the Asymmetric Pause capability bit.
+ */
+@@ -1076,6 +1078,7 @@ static struct phy_driver ksphy_driver[]
+ /* PHY_GBIT_FEATURES */
+ .driver_data = &ksz9021_type,
+ .probe = kszphy_probe,
++ .get_features = ksz9031_get_features,
+ .config_init = ksz9021_config_init,
+ .ack_interrupt = kszphy_ack_interrupt,
+ .config_intr = kszphy_config_intr,
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+Date: Wed, 18 Sep 2019 10:21:17 -0700
+Subject: net: qrtr: Stop rx_worker before freeing node
+
+From: Bjorn Andersson <bjorn.andersson@linaro.org>
+
+[ Upstream commit 73f0c11d11329a0d6d205d4312b6e5d2512af7c5 ]
+
+As the endpoint is unregistered there might still be work pending to
+handle incoming messages, which will result in a use after free
+scenario. The plan is to remove the rx_worker, but until then (and for
+stable@) ensure that the work is stopped before the node is freed.
+
+Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/qrtr/qrtr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -150,6 +150,7 @@ static void __qrtr_node_release(struct k
+ list_del(&node->item);
+ mutex_unlock(&qrtr_node_lock);
+
++ cancel_work_sync(&node->work);
+ skb_queue_purge(&node->rx_queue);
+ kfree(node);
+ }
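Review bot: The new `cancel_work_sync(&node->work)` in `__qrtr_node_release()` carries an ordering requirement that is not written down: it has to run before `skb_queue_purge()` and `kfree(node)`, otherwise the worker can still touch the node. A one-line comment above it, `/* Stop the rx worker before the queue and the node go away. */`, would keep a later cleanup from moving it. The hunk does not show what queues `node->work`, so confirm that nothing can schedule it again once the last reference is dropped; if something can, the cancel alone does not close the use-after-free window. The function starts above the hunk.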
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
+Date: Tue, 24 Sep 2019 08:51:16 -0700
+Subject: net/rds: Check laddr_check before calling it
+
+From: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
+
+[ Upstream commit 05733434ee9ae6548723a808647248583e347cca ]
+
+In rds_bind(), laddr_check is called without checking if it is NULL or
+not. And rs_transport should be reset if rds_add_bound() fails.
+
+Fixes: c5c1a030a7db ("net/rds: An rds_sock is added too early to the hash table")
+Reported-by: syzbot+fae39afd2101a17ec624@syzkaller.appspotmail.com
+Signed-off-by: Ka-Cheong Poon <ka-cheong.poon@oracle.com>
+Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rds/bind.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/rds/bind.c
++++ b/net/rds/bind.c
+@@ -244,7 +244,8 @@ int rds_bind(struct socket *sock, struct
+ */
+ if (rs->rs_transport) {
+ trans = rs->rs_transport;
+- if (trans->laddr_check(sock_net(sock->sk),
++ if (!trans->laddr_check ||
++ trans->laddr_check(sock_net(sock->sk),
+ binding_addr, scope_id) != 0) {
+ ret = -ENOPROTOOPT;
+ goto out;
+@@ -263,6 +264,8 @@ int rds_bind(struct socket *sock, struct
+
+ sock_set_flag(sk, SOCK_RCU_FREE);
+ ret = rds_add_bound(rs, binding_addr, &port, scope_id);
++ if (ret)
++ rs->rs_transport = NULL;
+
+ out:
+ release_sock(sk);
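Review bot: In the second hunk, `rs->rs_transport = NULL` on `rds_add_bound()` failure covers both ways the transport can have been set: one attached before this call (the `if (rs->rs_transport)` branch in the first hunk) and one selected inside `rds_bind()`. In the first case a failed bind now silently discards a previously attached transport. In either case the hunk shows no matching release, so if obtaining a transport takes a reference (not visible here) that reference would be leaked. Consider clearing only what this call assigned and pairing it with the put routine the transport API provides. In the first hunk a missing `laddr_check` returns the same `-ENOPROTOOPT` as a rejected address; a comment such as `/* transport cannot validate local addresses */` would mark that as intended.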
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Tue, 17 Sep 2019 11:30:55 +0200
+Subject: net/sched: act_sample: don't push mac header on ip6gre ingress
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 92974a1d006ad8b30d53047c70974c9e065eb7df ]
+
+current 'sample' action doesn't push the mac header of ingress packets if
+they are received by a layer 3 tunnel (like gre or sit); but it forgot to
+check for gre over ipv6, so the following script:
+
+ # tc q a dev $d clsact
+ # tc f a dev $d ingress protocol ip flower ip_proto icmp action sample \
+ > group 100 rate 1
+ # psample -v -g 100
+
+dumps everything, including outer header and mac, when $d is a gre tunnel
+over ipv6. Fix this adding a missing label for ARPHRD_IP6GRE devices.
+
+Fixes: 5c5670fae430 ("net/sched: Introduce sample tc action")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Reviewed-by: Yotam Gigi <yotam.gi@gmail.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_sample.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/act_sample.c
++++ b/net/sched/act_sample.c
+@@ -146,6 +146,7 @@ static bool tcf_sample_dev_ok_push(struc
+ case ARPHRD_TUNNEL6:
+ case ARPHRD_SIT:
+ case ARPHRD_IPGRE:
++ case ARPHRD_IP6GRE:
+ case ARPHRD_VOID:
+ case ARPHRD_NONE:
+ return false;
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Date: Mon, 23 Sep 2019 22:04:58 -0700
+Subject: net/sched: cbs: Fix not adding cbs instance to list
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit 3e8b9bfa110896f95d602d8c98d5f9d67e41d78c ]
+
+When removing a cbs instance when offloading is enabled, the crash
+below can be observed.
+
+The problem happens because that when offloading is enabled, the cbs
+instance is not added to the list.
+
+Also, the current code doesn't handle correctly the case when offload
+is disabled without removing the qdisc: if the link speed changes the
+credit calculations will be wrong. When we create the cbs instance
+with offloading enabled, it's not added to the notification list, when
+later we disable offloading, it's not in the list, so link speed
+changes will not affect it.
+
+The solution for both issues is the same, add the cbs instance being
+created unconditionally to the global list, even if the link state
+notification isn't useful "right now".
+
+Crash log:
+
+[518758.189866] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[518758.189870] #PF: supervisor read access in kernel mode
+[518758.189871] #PF: error_code(0x0000) - not-present page
+[518758.189872] PGD 0 P4D 0
+[518758.189874] Oops: 0000 [#1] SMP PTI
+[518758.189876] CPU: 3 PID: 4825 Comm: tc Not tainted 5.2.9 #1
+[518758.189877] Hardware name: Gigabyte Technology Co., Ltd. Z390 AORUS ULTRA/Z390 AORUS ULTRA-CF, BIOS F7 03/14/2019
+[518758.189881] RIP: 0010:__list_del_entry_valid+0x29/0xa0
+[518758.189883] Code: 90 48 b8 00 01 00 00 00 00 ad de 55 48 8b 17 4c 8b 47 08 48 89 e5 48 39 c2 74 27 48 b8 00 02 00 00 00 00 ad de 49 39 c0 74 2d <49> 8b 30 48 39 fe 75 3d 48 8b 52 08 48 39 f2 75 4c b8 01 00 00 00
+[518758.189885] RSP: 0018:ffffa27e43903990 EFLAGS: 00010207
+[518758.189887] RAX: dead000000000200 RBX: ffff8bce69f0f000 RCX: 0000000000000000
+[518758.189888] RDX: 0000000000000000 RSI: ffff8bce69f0f064 RDI: ffff8bce69f0f1e0
+[518758.189890] RBP: ffffa27e43903990 R08: 0000000000000000 R09: ffff8bce69e788c0
+[518758.189891] R10: ffff8bce62acd400 R11: 00000000000003cb R12: ffff8bce69e78000
+[518758.189892] R13: ffff8bce69f0f140 R14: 0000000000000000 R15: 0000000000000000
+[518758.189894] FS: 00007fa1572c8f80(0000) GS:ffff8bce6e0c0000(0000) knlGS:0000000000000000
+[518758.189895] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[518758.189896] CR2: 0000000000000000 CR3: 000000040a398006 CR4: 00000000003606e0
+[518758.189898] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[518758.189899] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[518758.189900] Call Trace:
+[518758.189904] cbs_destroy+0x32/0xa0 [sch_cbs]
+[518758.189906] qdisc_destroy+0x45/0x120
+[518758.189907] qdisc_put+0x25/0x30
+[518758.189908] qdisc_graft+0x2c1/0x450
+[518758.189910] tc_get_qdisc+0x1c8/0x310
+[518758.189912] ? get_page_from_freelist+0x91a/0xcb0
+[518758.189914] rtnetlink_rcv_msg+0x293/0x360
+[518758.189916] ? kmem_cache_alloc_node_trace+0x178/0x260
+[518758.189918] ? __kmalloc_node_track_caller+0x38/0x50
+[518758.189920] ? rtnl_calcit.isra.0+0xf0/0xf0
+[518758.189922] netlink_rcv_skb+0x48/0x110
+[518758.189923] rtnetlink_rcv+0x10/0x20
+[518758.189925] netlink_unicast+0x15b/0x1d0
+[518758.189926] netlink_sendmsg+0x1ea/0x380
+[518758.189929] sock_sendmsg+0x2f/0x40
+[518758.189930] ___sys_sendmsg+0x295/0x2f0
+[518758.189932] ? ___sys_recvmsg+0x151/0x1e0
+[518758.189933] ? do_wp_page+0x7e/0x450
+[518758.189935] __sys_sendmsg+0x48/0x80
+[518758.189937] __x64_sys_sendmsg+0x1a/0x20
+[518758.189939] do_syscall_64+0x53/0x1f0
+[518758.189941] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[518758.189942] RIP: 0033:0x7fa15755169a
+[518758.189944] Code: 48 c7 c0 ff ff ff ff eb be 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 18 b8 2e 00 00 00 c5 fc 77 0f 05 <48> 3d 00 f0 ff ff 77 5e c3 0f 1f 44 00 00 48 83 ec 28 89 54 24 1c
+[518758.189946] RSP: 002b:00007ffda58b60b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[518758.189948] RAX: ffffffffffffffda RBX: 000055e4b836d9a0 RCX: 00007fa15755169a
+[518758.189949] RDX: 0000000000000000 RSI: 00007ffda58b6128 RDI: 0000000000000003
+[518758.189951] RBP: 00007ffda58b6190 R08: 0000000000000001 R09: 000055e4b9d848a0
+[518758.189952] R10: 0000000000000000 R11: 0000000000000246 R12: 000000005d654b49
+[518758.189953] R13: 0000000000000000 R14: 00007ffda58b6230 R15: 00007ffda58b6210
+[518758.189955] Modules linked in: sch_cbs sch_etf sch_mqprio netlink_diag unix_diag e1000e igb intel_pch_thermal thermal video backlight pcc_cpufreq
+[518758.189960] CR2: 0000000000000000
+[518758.189961] ---[ end trace 6a13f7aaf5376019 ]---
+[518758.189963] RIP: 0010:__list_del_entry_valid+0x29/0xa0
+[518758.189964] Code: 90 48 b8 00 01 00 00 00 00 ad de 55 48 8b 17 4c 8b 47 08 48 89 e5 48 39 c2 74 27 48 b8 00 02 00 00 00 00 ad de 49 39 c0 74 2d <49> 8b 30 48 39 fe 75 3d 48 8b 52 08 48 39 f2 75 4c b8 01 00 00 00
+[518758.189967] RSP: 0018:ffffa27e43903990 EFLAGS: 00010207
+[518758.189968] RAX: dead000000000200 RBX: ffff8bce69f0f000 RCX: 0000000000000000
+[518758.189969] RDX: 0000000000000000 RSI: ffff8bce69f0f064 RDI: ffff8bce69f0f1e0
+[518758.189971] RBP: ffffa27e43903990 R08: 0000000000000000 R09: ffff8bce69e788c0
+[518758.189972] R10: ffff8bce62acd400 R11: 00000000000003cb R12: ffff8bce69e78000
+[518758.189973] R13: ffff8bce69f0f140 R14: 0000000000000000 R15: 0000000000000000
+[518758.189975] FS: 00007fa1572c8f80(0000) GS:ffff8bce6e0c0000(0000) knlGS:0000000000000000
+[518758.189976] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[518758.189977] CR2: 0000000000000000 CR3: 000000040a398006 CR4: 00000000003606e0
+[518758.189979] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[518758.189980] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fixes: e0a7683d30e9 ("net/sched: cbs: fix port_rate miscalculation")
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_cbs.c | 30 +++++++++++++-----------------
+ 1 file changed, 13 insertions(+), 17 deletions(-)
+
+--- a/net/sched/sch_cbs.c
++++ b/net/sched/sch_cbs.c
+@@ -392,7 +392,6 @@ static int cbs_init(struct Qdisc *sch, s
+ {
+ struct cbs_sched_data *q = qdisc_priv(sch);
+ struct net_device *dev = qdisc_dev(sch);
+- int err;
+
+ if (!opt) {
+ NL_SET_ERR_MSG(extack, "Missing CBS qdisc options which are mandatory");
+@@ -404,6 +403,10 @@ static int cbs_init(struct Qdisc *sch, s
+ if (!q->qdisc)
+ return -ENOMEM;
+
++ spin_lock(&cbs_list_lock);
++ list_add(&q->cbs_list, &cbs_list);
++ spin_unlock(&cbs_list_lock);
++
+ qdisc_hash_add(q->qdisc, false);
+
+ q->queue = sch->dev_queue - netdev_get_tx_queue(dev, 0);
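Review bot: In `cbs_init()` the instance is now linked into `cbs_list` before `q->queue`, the watchdog and the parameters applied by `cbs_change()` are set up, so any walker of `cbs_list` that runs in between sees a partly initialised `cbs_sched_data`. If every walker is serialised against qdisc init by a lock the caller holds (not visible in these hunks), say so next to the `list_add()`, e.g. `/* safe before full init: list walkers are serialised with qdisc init */`. Otherwise move the three-line `list_add()` block to just before `return cbs_change(sch, opt, extack);`. The early return added to `cbs_destroy()` in the last hunk relies on `q->qdisc` being non-NULL exactly when the entry was added, which holds for the order shown and must be preserved if the init order changes again.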
+@@ -413,17 +416,7 @@ static int cbs_init(struct Qdisc *sch, s
+
+ qdisc_watchdog_init(&q->watchdog, sch);
+
+- err = cbs_change(sch, opt, extack);
+- if (err)
+- return err;
+-
+- if (!q->offload) {
+- spin_lock(&cbs_list_lock);
+- list_add(&q->cbs_list, &cbs_list);
+- spin_unlock(&cbs_list_lock);
+- }
+-
+- return 0;
++ return cbs_change(sch, opt, extack);
+ }
+
+ static void cbs_destroy(struct Qdisc *sch)
+@@ -431,15 +424,18 @@ static void cbs_destroy(struct Qdisc *sc
+ struct cbs_sched_data *q = qdisc_priv(sch);
+ struct net_device *dev = qdisc_dev(sch);
+
+- spin_lock(&cbs_list_lock);
+- list_del(&q->cbs_list);
+- spin_unlock(&cbs_list_lock);
++ /* Nothing to do if we couldn't create the underlying qdisc */
++ if (!q->qdisc)
++ return;
+
+ qdisc_watchdog_cancel(&q->watchdog);
+ cbs_disable_offload(dev, q);
+
+- if (q->qdisc)
+- qdisc_put(q->qdisc);
++ spin_lock(&cbs_list_lock);
++ list_del(&q->cbs_list);
++ spin_unlock(&cbs_list_lock);
++
++ qdisc_put(q->qdisc);
+ }
+
+ static int cbs_dump(struct Qdisc *sch, struct sk_buff *skb)
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 18 Sep 2019 12:57:04 -0700
+Subject: net: sched: fix possible crash in tcf_action_destroy()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3d66b89c30f9220a72e92847768fc8ba4d027d88 ]
+
+If the allocation done in tcf_exts_init() failed,
+we end up with a NULL pointer in exts->actions.
+
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 8198 Comm: syz-executor.3 Not tainted 5.3.0-rc8+ #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:tcf_action_destroy+0x71/0x160 net/sched/act_api.c:705
+Code: c3 08 44 89 ee e8 4f cb bb fb 41 83 fd 20 0f 84 c9 00 00 00 e8 c0 c9 bb fb 48 89 d8 48 b9 00 00 00 00 00 fc ff df 48 c1 e8 03 <80> 3c 08 00 0f 85 c0 00 00 00 4c 8b 33 4d 85 f6 0f 84 9d 00 00 00
+RSP: 0018:ffff888096e16ff0 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: dffffc0000000000
+RDX: 0000000000040000 RSI: ffffffff85b6ab30 RDI: 0000000000000000
+RBP: ffff888096e17020 R08: ffff8880993f6140 R09: fffffbfff11cae67
+R10: fffffbfff11cae66 R11: ffffffff88e57333 R12: 0000000000000000
+R13: 0000000000000000 R14: ffff888096e177a0 R15: 0000000000000001
+FS: 00007f62bc84a700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000758040 CR3: 0000000088b64000 CR4: 00000000001426e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ tcf_exts_destroy+0x38/0xb0 net/sched/cls_api.c:3030
+ tcindex_set_parms+0xf7f/0x1e50 net/sched/cls_tcindex.c:488
+ tcindex_change+0x230/0x318 net/sched/cls_tcindex.c:519
+ tc_new_tfilter+0xa4b/0x1c70 net/sched/cls_api.c:2152
+ rtnetlink_rcv_msg+0x838/0xb00 net/core/rtnetlink.c:5214
+ netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
+ rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5241
+ netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328
+ netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0xd7/0x130 net/socket.c:657
+ ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
+ __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
+ __do_sys_sendmmsg net/socket.c:2442 [inline]
+
+Fixes: 90b73b77d08e ("net: sched: change action API to use array of pointers to actions")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Vlad Buslov <vladbu@mellanox.com>
+Cc: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_api.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/sched/cls_api.c
++++ b/net/sched/cls_api.c
+@@ -3027,8 +3027,10 @@ out:
+ void tcf_exts_destroy(struct tcf_exts *exts)
+ {
+ #ifdef CONFIG_NET_CLS_ACT
+- tcf_action_destroy(exts->actions, TCA_ACT_UNBIND);
+- kfree(exts->actions);
++ if (exts->actions) {
++ tcf_action_destroy(exts->actions, TCA_ACT_UNBIND);
++ kfree(exts->actions);
++ }
+ exts->nr_actions = 0;
+ #endif
+ }
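Review bot: `tcf_exts_destroy()` frees `exts->actions` but leaves the stale pointer in place, so the new `if (exts->actions)` guard covers only the failed-allocation case and not a second call on the same `tcf_exts`. Adding `exts->actions = NULL;` right after `kfree(exts->actions);` makes the function idempotent and keeps the pointer consistent with `exts->nr_actions = 0`. Whether any caller can reach destroy twice is not visible from this hunk, so treat this as hardening rather than a confirmed bug.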
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Thierry Reding <treding@nvidia.com>
+Date: Mon, 23 Sep 2019 11:59:15 +0200
+Subject: net: stmmac: Fix page pool size
+
+From: Thierry Reding <treding@nvidia.com>
+
+[ Upstream commit 4f28bd956e081fc018fe9b41ffa31573f17bfb61 ]
+
+The size of individual pages in the page pool in given by an order. The
+order is the binary logarithm of the number of pages that make up one of
+the pages in the pool. However, the driver currently passes the number
+of pages rather than the order, so it ends up wasting quite a bit of
+memory.
+
+Fix this by taking the binary logarithm and passing that in the order
+field.
+
+Fixes: 2af6106ae949 ("net: stmmac: Introducing support for Page Pool")
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -1532,13 +1532,15 @@ static int alloc_dma_rx_desc_resources(s
+ for (queue = 0; queue < rx_count; queue++) {
+ struct stmmac_rx_queue *rx_q = &priv->rx_queue[queue];
+ struct page_pool_params pp_params = { 0 };
++ unsigned int num_pages;
+
+ rx_q->queue_index = queue;
+ rx_q->priv_data = priv;
+
+ pp_params.flags = PP_FLAG_DMA_MAP;
+ pp_params.pool_size = DMA_RX_SIZE;
+- pp_params.order = DIV_ROUND_UP(priv->dma_buf_sz, PAGE_SIZE);
++ num_pages = DIV_ROUND_UP(priv->dma_buf_sz, PAGE_SIZE);
++ pp_params.order = ilog2(num_pages);
+ pp_params.nid = dev_to_node(priv->device);
+ pp_params.dev = priv->device;
+ pp_params.dma_dir = DMA_FROM_DEVICE;
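Review bot: `ilog2(num_pages)` rounds down, so for a `num_pages` that is not a power of two the pool pages would be smaller than `priv->dma_buf_sz` (three pages give order 1, i.e. two pages) and the device could DMA past the end of the buffer. Use a rounding-up form instead, `pp_params.order = order_base_2(num_pages);`, or derive it directly with `get_order(priv->dma_buf_sz)`. If `dma_buf_sz` is guaranteed to be at most one page or a power-of-two multiple of `PAGE_SIZE` (not visible in this hunk), a comment stating that next to the assignment would be enough. The loop body continues beyond the hunk.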
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Wed, 18 Sep 2019 16:24:12 -0700
+Subject: net_sched: add max len check for TCA_KIND
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 62794fc4fbf52f2209dc094ea255eaef760e7d01 ]
+
+The TCA_KIND attribute is of NLA_STRING which does not check
+the NUL char. KMSAN reported an uninit-value of TCA_KIND which
+is likely caused by the lack of NUL.
+
+Change it to NLA_NUL_STRING and add a max len too.
+
+Fixes: 8b4c3cdd9dd8 ("net: sched: Add policy validation for tc attributes")
+Reported-and-tested-by: syzbot+618aacd49e8c8b8486bd@syzkaller.appspotmail.com
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_api.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -1390,7 +1390,8 @@ check_loop_fn(struct Qdisc *q, unsigned
+ }
+
+ const struct nla_policy rtm_tca_policy[TCA_MAX + 1] = {
+- [TCA_KIND] = { .type = NLA_STRING },
++ [TCA_KIND] = { .type = NLA_NUL_STRING,
++ .len = IFNAMSIZ - 1 },
+ [TCA_RATE] = { .type = NLA_BINARY,
+ .len = sizeof(struct tc_estimator) },
+ [TCA_STAB] = { .type = NLA_NESTED },
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Wed, 18 Sep 2019 18:44:43 -0700
+Subject: net_sched: add policy validation for action attributes
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 199ce850ce112315cfc68d42b694bcaa27b097b7 ]
+
+Similar to commit 8b4c3cdd9dd8
+("net: sched: Add policy validation for tc attributes"), we need
+to add proper policy validation for TC action attributes too.
+
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_api.c | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -831,6 +831,15 @@ static struct tc_cookie *nla_memdup_cook
+ return c;
+ }
+
++static const struct nla_policy tcf_action_policy[TCA_ACT_MAX + 1] = {
++ [TCA_ACT_KIND] = { .type = NLA_NUL_STRING,
++ .len = IFNAMSIZ - 1 },
++ [TCA_ACT_INDEX] = { .type = NLA_U32 },
++ [TCA_ACT_COOKIE] = { .type = NLA_BINARY,
++ .len = TC_COOKIE_MAX_SIZE },
++ [TCA_ACT_OPTIONS] = { .type = NLA_NESTED },
++};
++
+ struct tc_action *tcf_action_init_1(struct net *net, struct tcf_proto *tp,
+ struct nlattr *nla, struct nlattr *est,
+ char *name, int ovr, int bind,
+@@ -846,8 +855,8 @@ struct tc_action *tcf_action_init_1(stru
+ int err;
+
+ if (name == NULL) {
+- err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX, nla, NULL,
+- extack);
++ err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX, nla,
++ tcf_action_policy, extack);
+ if (err < 0)
+ goto err_out;
+ err = -EINVAL;
+@@ -856,18 +865,9 @@ struct tc_action *tcf_action_init_1(stru
+ NL_SET_ERR_MSG(extack, "TC action kind must be specified");
+ goto err_out;
+ }
+- if (nla_strlcpy(act_name, kind, IFNAMSIZ) >= IFNAMSIZ) {
+- NL_SET_ERR_MSG(extack, "TC action name too long");
+- goto err_out;
+- }
+- if (tb[TCA_ACT_COOKIE]) {
+- int cklen = nla_len(tb[TCA_ACT_COOKIE]);
+-
+- if (cklen > TC_COOKIE_MAX_SIZE) {
+- NL_SET_ERR_MSG(extack, "TC cookie size above the maximum");
+- goto err_out;
+- }
++ nla_strlcpy(act_name, kind, IFNAMSIZ);
+
++ if (tb[TCA_ACT_COOKIE]) {
+ cookie = nla_memdup_cookie(tb);
+ if (!cookie) {
+ NL_SET_ERR_MSG(extack, "No memory to generate TC cookie");
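Review bot: In this hunk the return value of `nla_strlcpy(act_name, kind, IFNAMSIZ)` is no longer checked and the explicit `TC_COOKIE_MAX_SIZE` test is gone, so both bounds now depend entirely on the attributes having been parsed with `tcf_action_policy`. That holds for the four `nla_parse_nested_deprecated()` calls updated in this patch, but nothing at the copy site says so. A comment there, `/* length bounded by tcf_action_policy (IFNAMSIZ - 1) */`, would stop a future parse with a NULL policy from silently bringing back truncated names or oversized cookies. The specific extack texts "TC action name too long" and "TC cookie size above the maximum" are also dropped, which makes a rejected request harder to diagnose from user space. `tcf_action_init_1()` starts and ends outside the hunks, and its `name != NULL` path is not shown.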
+@@ -1098,7 +1098,8 @@ static struct tc_action *tcf_action_get_
+ int index;
+ int err;
+
+- err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX, nla, NULL, extack);
++ err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX, nla,
++ tcf_action_policy, extack);
+ if (err < 0)
+ goto err_out;
+
+@@ -1152,7 +1153,8 @@ static int tca_action_flush(struct net *
+
+ b = skb_tail_pointer(skb);
+
+- err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX, nla, NULL, extack);
++ err = nla_parse_nested_deprecated(tb, TCA_ACT_MAX, nla,
++ tcf_action_policy, extack);
+ if (err < 0)
+ goto err_out;
+
+@@ -1440,7 +1442,7 @@ static struct nlattr *find_dump_kind(str
+
+ if (tb[1] == NULL)
+ return NULL;
+- if (nla_parse_nested_deprecated(tb2, TCA_ACT_MAX, tb[1], NULL, NULL) < 0)
++ if (nla_parse_nested_deprecated(tb2, TCA_ACT_MAX, tb[1], tcf_action_policy, NULL) < 0)
+ return NULL;
+ kind = tb2[TCA_ACT_KIND];
+
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Ori Nimron <orinimron123@gmail.com>
+Date: Fri, 20 Sep 2019 09:35:49 +0200
+Subject: nfc: enforce CAP_NET_RAW for raw sockets
+
+From: Ori Nimron <orinimron123@gmail.com>
+
+[ Upstream commit 3a359798b176183ef09efb7a3dc59abad1cc7104 ]
+
+When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked
+first.
+
+Signed-off-by: Ori Nimron <orinimron123@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_sock.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -1004,10 +1004,13 @@ static int llcp_sock_create(struct net *
+ sock->type != SOCK_RAW)
+ return -ESOCKTNOSUPPORT;
+
+- if (sock->type == SOCK_RAW)
++ if (sock->type == SOCK_RAW) {
++ if (!capable(CAP_NET_RAW))
++ return -EPERM;
+ sock->ops = &llcp_rawsock_ops;
+- else
++ } else {
+ sock->ops = &llcp_sock_ops;
++ }
+
+ sk = nfc_llcp_sock_alloc(sock, sock->type, GFP_ATOMIC, kern);
+ if (sk == NULL)
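Review bot: The added `capable(CAP_NET_RAW)` test in `llcp_sock_create()` does not look at `kern`, although `kern` is in scope (it is passed to `nfc_llcp_sock_alloc()` a few lines later), so a socket created from inside the kernel is judged by the calling task's capabilities. If in-kernel creation of raw LLCP sockets is meant to be allowed, the condition should read `if (!kern && !capable(CAP_NET_RAW))`; if the exemption is deliberately omitted, a comment saying so would help. `capable()` also tests against the initial user namespace, so a process holding CAP_NET_RAW only inside its own user namespace is refused. That is the conservative choice and worth stating as intended. The function starts and ends outside the hunk.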
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Wed, 25 Sep 2019 14:05:09 -0500
+Subject: nfp: flower: fix memory leak in nfp_flower_spawn_vnic_reprs
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 8ce39eb5a67aee25d9f05b40b673c95b23502e3e ]
+
+In nfp_flower_spawn_vnic_reprs in the loop if initialization or the
+allocations fail memory is leaked. Appropriate releases are added.
+
+Fixes: b94524529741 ("nfp: flower: add per repr private data for LAG offload")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Acked-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/main.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/main.c
+@@ -400,6 +400,7 @@ nfp_flower_spawn_vnic_reprs(struct nfp_a
+ repr_priv = kzalloc(sizeof(*repr_priv), GFP_KERNEL);
+ if (!repr_priv) {
+ err = -ENOMEM;
++ nfp_repr_free(repr);
+ goto err_reprs_clean;
+ }
+
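Review bot: Each error branch in `nfp_flower_spawn_vnic_reprs()` now carries its own list of frees (`nfp_repr_free(repr)` here, `kfree(repr_priv)` plus the earlier ones in the next two hunks). This is the pattern that let these leaks in, and it makes the next added allocation easy to miss. A single per-iteration unwind, with labels ordered `nfp_port_free(port)`, `kfree(repr_priv)`, `nfp_repr_free(repr)` ahead of `err_reprs_clean`, would free each object in exactly one place. The same applies to the four hunks of the `nfp_flower_spawn_phy_reprs()` patch that follows. Most of the loop body lies outside the hunks, so the placement of the labels has to be checked against the full function.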
+@@ -413,6 +414,7 @@ nfp_flower_spawn_vnic_reprs(struct nfp_a
+ port = nfp_port_alloc(app, port_type, repr);
+ if (IS_ERR(port)) {
+ err = PTR_ERR(port);
++ kfree(repr_priv);
+ nfp_repr_free(repr);
+ goto err_reprs_clean;
+ }
+@@ -433,6 +435,7 @@ nfp_flower_spawn_vnic_reprs(struct nfp_a
+ err = nfp_repr_init(app, repr,
+ port_id, port, priv->nn->dp.netdev);
+ if (err) {
++ kfree(repr_priv);
+ nfp_port_free(port);
+ nfp_repr_free(repr);
+ goto err_reprs_clean;
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Wed, 25 Sep 2019 13:24:02 -0500
+Subject: nfp: flower: prevent memory leak in nfp_flower_spawn_phy_reprs
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 8572cea1461a006bce1d06c0c4b0575869125fa4 ]
+
+In nfp_flower_spawn_phy_reprs, in the for loop over eth_tbl if any of
+intermediate allocations or initializations fail memory is leaked.
+requiered releases are added.
+
+Fixes: b94524529741 ("nfp: flower: add per repr private data for LAG offload")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Acked-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/main.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/main.c
+@@ -518,6 +518,7 @@ nfp_flower_spawn_phy_reprs(struct nfp_ap
+ repr_priv = kzalloc(sizeof(*repr_priv), GFP_KERNEL);
+ if (!repr_priv) {
+ err = -ENOMEM;
++ nfp_repr_free(repr);
+ goto err_reprs_clean;
+ }
+
+@@ -528,11 +529,13 @@ nfp_flower_spawn_phy_reprs(struct nfp_ap
+ port = nfp_port_alloc(app, NFP_PORT_PHYS_PORT, repr);
+ if (IS_ERR(port)) {
+ err = PTR_ERR(port);
++ kfree(repr_priv);
+ nfp_repr_free(repr);
+ goto err_reprs_clean;
+ }
+ err = nfp_port_init_phy_port(app->pf, app, port, i);
+ if (err) {
++ kfree(repr_priv);
+ nfp_port_free(port);
+ nfp_repr_free(repr);
+ goto err_reprs_clean;
+@@ -545,6 +548,7 @@ nfp_flower_spawn_phy_reprs(struct nfp_ap
+ err = nfp_repr_init(app, repr,
+ cmsg_port_id, port, priv->nn->dp.netdev);
+ if (err) {
++ kfree(repr_priv);
+ nfp_port_free(port);
+ nfp_repr_free(repr);
+ goto err_reprs_clean;
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Li RongQing <lirongqing@baidu.com>
+Date: Tue, 24 Sep 2019 19:11:52 +0800
+Subject: openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC
+
+From: Li RongQing <lirongqing@baidu.com>
+
+[ Upstream commit ea8564c865299815095bebeb4b25bef474218e4c ]
+
+userspace openvswitch patch "(dpif-linux: Implement the API
+functions to allow multiple handler threads read upcall)"
+changes its type from U32 to UNSPEC, but leave the kernel
+unchanged
+
+and after kernel 6e237d099fac "(netlink: Relax attr validation
+for fixed length types)", this bug is exposed by the below
+warning
+
+ [ 57.215841] netlink: 'ovs-vswitchd': attribute type 5 has an invalid length.
+
+Fixes: 5cd667b0a456 ("openvswitch: Allow each vport to have an array of 'port_id's")
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Acked-by: Pravin B Shelar <pshelar@ovn.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/datapath.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -2263,7 +2263,7 @@ static const struct nla_policy vport_pol
+ [OVS_VPORT_ATTR_STATS] = { .len = sizeof(struct ovs_vport_stats) },
+ [OVS_VPORT_ATTR_PORT_NO] = { .type = NLA_U32 },
+ [OVS_VPORT_ATTR_TYPE] = { .type = NLA_U32 },
+- [OVS_VPORT_ATTR_UPCALL_PID] = { .type = NLA_U32 },
++ [OVS_VPORT_ATTR_UPCALL_PID] = { .type = NLA_UNSPEC },
+ [OVS_VPORT_ATTR_OPTIONS] = { .type = NLA_NESTED },
+ [OVS_VPORT_ATTR_IFINDEX] = { .type = NLA_U32 },
+ [OVS_VPORT_ATTR_NETNSID] = { .type = NLA_S32 },
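Review bot: Changing `OVS_VPORT_ATTR_UPCALL_PID` to `NLA_UNSPEC` without a `.len` removes every length check the policy made for this attribute, so the code that consumes it must reject payloads that are empty or not a multiple of `sizeof(u32)` before reading port ids from them. That consumer is not part of the hunk; confirm it does so and record it at the policy entry with `/* array of u32 port ids; length validated by the consumer */`. If at least one id must always be present, adding `.len = sizeof(u32)` would make the parser enforce that minimum as well.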
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Takeshi Misawa <jeliantsurux@gmail.com>
+Date: Sun, 22 Sep 2019 16:45:31 +0900
+Subject: ppp: Fix memory leak in ppp_write
+
+From: Takeshi Misawa <jeliantsurux@gmail.com>
+
+[ Upstream commit 4c247de564f1ff614d11b3bb5313fb70d7b9598b ]
+
+When ppp is closing, __ppp_xmit_process() failed to enqueue skb
+and skb allocated in ppp_write() is leaked.
+
+syzbot reported :
+BUG: memory leak
+unreferenced object 0xffff88812a17bc00 (size 224):
+ comm "syz-executor673", pid 6952, jiffies 4294942888 (age 13.040s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000d110fff9>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
+ [<00000000d110fff9>] slab_post_alloc_hook mm/slab.h:522 [inline]
+ [<00000000d110fff9>] slab_alloc_node mm/slab.c:3262 [inline]
+ [<00000000d110fff9>] kmem_cache_alloc_node+0x163/0x2f0 mm/slab.c:3574
+ [<000000002d616113>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:197
+ [<000000000167fc45>] alloc_skb include/linux/skbuff.h:1055 [inline]
+ [<000000000167fc45>] ppp_write+0x48/0x120 drivers/net/ppp/ppp_generic.c:502
+ [<000000009ab42c0b>] __vfs_write+0x43/0xa0 fs/read_write.c:494
+ [<00000000086b2e22>] vfs_write fs/read_write.c:558 [inline]
+ [<00000000086b2e22>] vfs_write+0xee/0x210 fs/read_write.c:542
+ [<00000000a2b70ef9>] ksys_write+0x7c/0x130 fs/read_write.c:611
+ [<00000000ce5e0fdd>] __do_sys_write fs/read_write.c:623 [inline]
+ [<00000000ce5e0fdd>] __se_sys_write fs/read_write.c:620 [inline]
+ [<00000000ce5e0fdd>] __x64_sys_write+0x1e/0x30 fs/read_write.c:620
+ [<00000000d9d7b370>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:296
+ [<0000000006e6d506>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fix this by freeing skb, if ppp is closing.
+
+Fixes: 6d066734e9f0 ("ppp: avoid loop in xmit recursion detection code")
+Reported-and-tested-by: syzbot+d9c8bf24e56416d7ce2c@syzkaller.appspotmail.com
+Signed-off-by: Takeshi Misawa <jeliantsurux@gmail.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Tested-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/ppp_generic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1415,6 +1415,8 @@ static void __ppp_xmit_process(struct pp
+ netif_wake_queue(ppp->dev);
+ else
+ netif_stop_queue(ppp->dev);
++ } else {
++ kfree_skb(skb);
+ }
+ ppp_xmit_unlock(ppp);
+ }
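Review bot: The new `else` branch has no comment saying why the skb is freed here, and the ownership rule it implements is not obvious from the hunk: once `__ppp_xmit_process()` is called it must either queue the skb or free it. I would add `/* ppp is closing: nothing will dequeue this skb, so drop it here */` above `kfree_skb(skb);`. The `if` condition is outside the hunk, so the "closing" wording is taken from the commit description. If callers can pass a NULL skb the call is still safe, because `kfree_skb()` accepts NULL, and that is worth stating in the function's header comment.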
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 18 Sep 2019 08:05:39 -0700
+Subject: sch_netem: fix a divide by zero in tabledist()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b41d936b5ecfdb3a4abc525ce6402a6c49cffddc ]
+
+syzbot managed to crash the kernel in tabledist() loading
+an empty distribution table.
+
+ t = dist->table[rnd % dist->size];
+
+Simply return an error when such load is attempted.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_netem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -777,7 +777,7 @@ static int get_dist_table(struct Qdisc *
+ struct disttable *d;
+ int i;
+
+- if (n > NETEM_DIST_MAX)
++ if (!n || n > NETEM_DIST_MAX)
+ return -EINVAL;
+
+ d = kvmalloc(sizeof(struct disttable) + n * sizeof(s16), GFP_KERNEL);
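Review bot: The `!n` test is the only thing standing between a user-supplied empty table and the `rnd % dist->size` in `tabledist()`, but nothing at the check says so. A one-line comment would keep it from being simplified away later: `/* n == 0 would make tabledist() divide by dist->size == 0 */`. The allocation on the last line could also use `struct_size(d, table, n)` instead of the open-coded sum; with `n` bounded by `NETEM_DIST_MAX` that is a readability change, not an overflow fix. The function's body continues outside the hunk.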
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: David Ahern <dsahern@gmail.com>
+Date: Tue, 17 Sep 2019 10:30:35 -0700
+Subject: selftests: Update fib_nexthop_multiprefix to handle missing ping6
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit e84622ce24482f6e9c1bf29d3bdd556eb587ff41 ]
+
+Some distributions (e.g., debian buster) do not install ping6. Re-use
+the hook in pmtu.sh to detect this and fallback to ping.
+
+Fixes: 735ab2f65dce ("selftests: Add test with multiple prefixes using single nexthop")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/fib_nexthop_multiprefix.sh | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/net/fib_nexthop_multiprefix.sh
++++ b/tools/testing/selftests/net/fib_nexthop_multiprefix.sh
+@@ -15,6 +15,8 @@
+ PAUSE_ON_FAIL=no
+ VERBOSE=0
+
++which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
++
+ ################################################################################
+ # helpers
+
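Review bot: If neither `ping6` nor `ping` is on `PATH`, the added line leaves `ping6` empty, and the later unquoted `${ping6}` in `validate_v6_exception()` and in the per-CPU loop expands to nothing, so `ip netns exec h0` is handed `-s` or `-c1` as the command and the test fails with a misleading error. I would resolve it once with `ping6=$(command -v ping6 || command -v ping)` and follow that with `[ -n "$ping6" ] || { echo "SKIP: ping6/ping not found"; exit 4; }`, which also removes the dependency on `which`. The same line is added to fib_tests.sh further down and has the same gap. The fallback also assumes the installed `ping` accepts IPv6 destinations, which the commit description implies but the script does not check.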
+@@ -200,7 +202,7 @@ validate_v6_exception()
+ local rc
+
+ if [ ${ping_sz} != "0" ]; then
+- run_cmd ip netns exec h0 ping6 -s ${ping_sz} -c5 -w5 ${dst}
++ run_cmd ip netns exec h0 ${ping6} -s ${ping_sz} -c5 -w5 ${dst}
+ fi
+
+ if [ "$VERBOSE" = "1" ]; then
+@@ -243,7 +245,7 @@ do
+ run_cmd taskset -c ${c} ip netns exec h0 ping -c1 -w1 172.16.10${i}.1
+ [ $? -ne 0 ] && printf "\nERROR: ping to h${i} failed\n" && ret=1
+
+- run_cmd taskset -c ${c} ip netns exec h0 ping6 -c1 -w1 2001:db8:10${i}::1
++ run_cmd taskset -c ${c} ip netns exec h0 ${ping6} -c1 -w1 2001:db8:10${i}::1
+ [ $? -ne 0 ] && printf "\nERROR: ping6 to h${i} failed\n" && ret=1
+
+ [ $ret -ne 0 ] && break
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: David Ahern <dsahern@gmail.com>
+Date: Tue, 17 Sep 2019 10:30:21 -0700
+Subject: selftests: Update fib_tests to handle missing ping6
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit 0360894a05ed52be268e3c4d40b2df9d94975fa6 ]
+
+Some distributions (e.g., debian buster) do not install ping6. Re-use
+the hook in pmtu.sh to detect this and fallback to ping.
+
+Fixes: a0e11da78f48 ("fib_tests: Add tests for metrics on routes")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/fib_tests.sh | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/fib_tests.sh
++++ b/tools/testing/selftests/net/fib_tests.sh
+@@ -17,6 +17,8 @@ PAUSE=no
+ IP="ip -netns ns1"
+ NS_EXEC="ip netns exec ns1"
+
++which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
++
+ log_test()
+ {
+ local rc=$1
+@@ -1100,7 +1102,7 @@ ipv6_route_metrics_test()
+ log_test $rc 0 "Multipath route with mtu metric"
+
+ $IP -6 ro add 2001:db8:104::/64 via 2001:db8:101::2 mtu 1300
+- run_cmd "ip netns exec ns1 ping6 -w1 -c1 -s 1500 2001:db8:104::1"
++ run_cmd "ip netns exec ns1 ${ping6} -w1 -c1 -s 1500 2001:db8:104::1"
+ log_test $? 0 "Using route with mtu metric"
+
+ run_cmd "$IP -6 ro add 2001:db8:114::/64 via 2001:db8:101::2 congctl lock foo"
--- /dev/null
+arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch
+cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch
+ipv6-do-not-free-rt-if-fib_lookup_noref-is-set-on-suppress-rule.patch
+macsec-drop-skb-sk-before-calling-gro_cells_receive.patch
+net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch
+net-qrtr-stop-rx_worker-before-freeing-node.patch
+net-sched-act_sample-don-t-push-mac-header-on-ip6gre-ingress.patch
+net_sched-add-max-len-check-for-tca_kind.patch
+net-stmmac-fix-page-pool-size.patch
+nfp-flower-fix-memory-leak-in-nfp_flower_spawn_vnic_reprs.patch
+nfp-flower-prevent-memory-leak-in-nfp_flower_spawn_phy_reprs.patch
+openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch
+ppp-fix-memory-leak-in-ppp_write.patch
+sch_netem-fix-a-divide-by-zero-in-tabledist.patch
+selftests-update-fib_tests-to-handle-missing-ping6.patch
+skge-fix-checksum-byte-order.patch
+tcp_bbr-fix-quantization-code-to-not-raise-cwnd-if-not-probing-bandwidth.patch
+usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch
+usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch
+net-rds-check-laddr_check-before-calling-it.patch
+net-mlx5e-fix-matching-on-tunnel-addresses-type.patch
+ipv6-fix-a-typo-in-fib6_rule_lookup.patch
+selftests-update-fib_nexthop_multiprefix-to-handle-missing-ping6.patch
+net-phy-micrel-add-asym-pause-workaround-for-ksz9021.patch
+net-sched-cbs-fix-not-adding-cbs-instance-to-list.patch
+ipv4-revert-removal-of-rt_uses_gateway.patch
+net_sched-add-policy-validation-for-action-attributes.patch
+vrf-do-not-attempt-to-create-ipv6-mcast-rule-if-ipv6-is-disabled.patch
+net-mlx5e-fix-traffic-duplication-in-ethtool-steering.patch
+net-sched-fix-possible-crash-in-tcf_action_destroy.patch
+tcp-better-handle-tcp_user_timeout-in-syn_sent-state.patch
+net-mlx5-add-device-id-of-upcoming-bluefield-2.patch
+misdn-enforce-cap_net_raw-for-raw-sockets.patch
+appletalk-enforce-cap_net_raw-for-raw-sockets.patch
+ax25-enforce-cap_net_raw-for-raw-sockets.patch
+ieee802154-enforce-cap_net_raw-for-raw-sockets.patch
+nfc-enforce-cap_net_raw-for-raw-sockets.patch
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Stephen Hemminger <stephen@networkplumber.org>
+Date: Fri, 20 Sep 2019 18:18:26 +0200
+Subject: skge: fix checksum byte order
+
+From: Stephen Hemminger <stephen@networkplumber.org>
+
+[ Upstream commit 5aafeb74b5bb65b34cc87c7623f9fa163a34fa3b ]
+
+Running old skge driver on PowerPC causes checksum errors
+because hardware reported 1's complement checksum is in little-endian
+byte order.
+
+Reported-by: Benoit <benoit.sansoni@gmail.com>
+Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/skge.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/skge.c
++++ b/drivers/net/ethernet/marvell/skge.c
+@@ -3108,7 +3108,7 @@ static struct sk_buff *skge_rx_get(struc
+ skb_put(skb, len);
+
+ if (dev->features & NETIF_F_RXCSUM) {
+- skb->csum = csum;
++ skb->csum = le16_to_cpu(csum);
+ skb->ip_summed = CHECKSUM_COMPLETE;
+ }
+
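Review bot: The conversion is undocumented and, depending on how `csum` is declared outside this hunk, may not be type-clean: `le16_to_cpu()` expects a `__le16`, so if `csum` is a plain `u16` sparse will warn on this line. Declaring the value as `__le16` where it is read from the descriptor would make the endianness part of the type. A short comment above the assignment would record the reason, e.g. `/* hardware reports the 1's complement checksum in little-endian order */`.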
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 26 Sep 2019 15:42:51 -0700
+Subject: tcp: better handle TCP_USER_TIMEOUT in SYN_SENT state
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a66b10c05ee2d744189e9a2130394b070883d289 ]
+
+Yuchung Cheng and Marek Majkowski independently reported a weird
+behavior of TCP_USER_TIMEOUT option when used at connect() time.
+
+When the TCP_USER_TIMEOUT is reached, tcp_write_timeout()
+believes the flow should live, and the following condition
+in tcp_clamp_rto_to_user_timeout() programs one jiffie timers :
+
+ remaining = icsk->icsk_user_timeout - elapsed;
+ if (remaining <= 0)
+ return 1; /* user timeout has passed; fire ASAP */
+
+This silly situation ends when the max syn rtx count is reached.
+
+This patch makes sure we honor both TCP_SYNCNT and TCP_USER_TIMEOUT,
+avoiding these spurious SYN packets.
+
+Fixes: b701a99e431d ("tcp: Add tcp_clamp_rto_to_user_timeout() helper to improve accuracy")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Yuchung Cheng <ycheng@google.com>
+Reported-by: Marek Majkowski <marek@cloudflare.com>
+Cc: Jon Maxwell <jmaxwell37@gmail.com>
+Link: https://marc.info/?l=linux-netdev&m=156940118307949&w=2
+Acked-by: Jon Maxwell <jmaxwell37@gmail.com>
+Tested-by: Marek Majkowski <marek@cloudflare.com>
+Signed-off-by: Marek Majkowski <marek@cloudflare.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_timer.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -210,7 +210,7 @@ static int tcp_write_timeout(struct sock
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct net *net = sock_net(sk);
+- bool expired, do_reset;
++ bool expired = false, do_reset;
+ int retry_until;
+
+ if ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) {
+@@ -242,9 +242,10 @@ static int tcp_write_timeout(struct sock
+ if (tcp_out_of_resources(sk, do_reset))
+ return 1;
+ }
++ }
++ if (!expired)
+ expired = retransmits_timed_out(sk, retry_until,
+ icsk->icsk_user_timeout);
+- }
+ tcp_fastopen_active_detect_blackhole(sk, expired);
+
+ if (BPF_SOCK_OPS_TEST_FLAG(tp, BPF_SOCK_OPS_RTO_CB_FLAG))
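Review bot: After this hunk the `retransmits_timed_out()` call runs for every socket state whenever `expired` is still false, but nothing at `if (!expired)` says that `expired` may already have been set earlier in the function. That earlier assignment is outside the visible lines, so I would add `/* the SYN path may already have expired on its retry count; otherwise apply the user timeout */` above the test. It is also worth confirming that `retry_until` is assigned on every path that reaches this call now that it sits outside both branches; the declaration in the first hunk leaves it uninitialised.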
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: "Kevin(Yudong) Yang" <yyd@google.com>
+Date: Thu, 26 Sep 2019 10:30:05 -0400
+Subject: tcp_bbr: fix quantization code to not raise cwnd if not probing bandwidth
+
+From: "Kevin(Yudong) Yang" <yyd@google.com>
+
+[ Upstream commit 6b3656a60f2067738d1a423328199720806f0c44 ]
+
+There was a bug in the previous logic that attempted to ensure gain cycling
+gets inflight above BDP even for small BDPs. This code correctly raised and
+lowered target inflight values during the gain cycle. And this code
+correctly ensured that cwnd was raised when probing bandwidth. However, it
+did not correspondingly ensure that cwnd was *not* raised in this way when
+*not* probing for bandwidth. The result was that small-BDP flows that were
+always cwnd-bound could go for many cycles with a fixed cwnd, and not probe
+or yield bandwidth at all. This meant that multiple small-BDP flows could
+fail to converge in their bandwidth allocations.
+
+Fixes: 3c346b233c68 ("tcp_bbr: fix bw probing to raise in-flight data for very small BDPs")
+Signed-off-by: Kevin(Yudong) Yang <yyd@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Acked-by: Priyaranjan Jha <priyarjha@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_bbr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/tcp_bbr.c
++++ b/net/ipv4/tcp_bbr.c
+@@ -386,7 +386,7 @@ static u32 bbr_bdp(struct sock *sk, u32
+ * which allows 2 outstanding 2-packet sequences, to try to keep pipe
+ * full even with ACK-every-other-packet delayed ACKs.
+ */
+-static u32 bbr_quantization_budget(struct sock *sk, u32 cwnd, int gain)
++static u32 bbr_quantization_budget(struct sock *sk, u32 cwnd)
+ {
+ struct bbr *bbr = inet_csk_ca(sk);
+
+@@ -397,7 +397,7 @@ static u32 bbr_quantization_budget(struc
+ cwnd = (cwnd + 1) & ~1U;
+
+ /* Ensure gain cycling gets inflight above BDP even for small BDPs. */
+- if (bbr->mode == BBR_PROBE_BW && gain > BBR_UNIT)
++ if (bbr->mode == BBR_PROBE_BW && bbr->cycle_idx == 0)
+ cwnd += 2;
+
+ return cwnd;
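Review bot: `bbr->cycle_idx == 0` is a bare index whose meaning is not stated anywhere in the hunk, and the comment above it still only says "gain cycling". The commit description says the bump must apply only while probing for bandwidth, so presumably index 0 is the gain-cycle phase with gain above `BBR_UNIT`; that should be written down, either as a named constant or as `/* cycle_idx 0 is the bandwidth-probing phase of the gain cycle */` on the condition. Without it, a reordering of the gain table would silently change when cwnd is raised.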
+@@ -409,7 +409,7 @@ static u32 bbr_inflight(struct sock *sk,
+ u32 inflight;
+
+ inflight = bbr_bdp(sk, bw, gain);
+- inflight = bbr_quantization_budget(sk, inflight, gain);
++ inflight = bbr_quantization_budget(sk, inflight);
+
+ return inflight;
+ }
+@@ -529,7 +529,7 @@ static void bbr_set_cwnd(struct sock *sk
+ * due to aggregation (of data and/or ACKs) visible in the ACK stream.
+ */
+ target_cwnd += bbr_ack_aggregation_cwnd(sk);
+- target_cwnd = bbr_quantization_budget(sk, target_cwnd, gain);
++ target_cwnd = bbr_quantization_budget(sk, target_cwnd);
+
+ /* If we're below target cwnd, slow start cwnd toward target cwnd. */
+ if (bbr_full_bw_reached(sk)) /* only cut cwnd if we filled the pipe */
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: "Bjørn Mork" <bjorn@mork.no>
+Date: Wed, 18 Sep 2019 14:17:38 +0200
+Subject: usbnet: ignore endpoints with invalid wMaxPacketSize
+
+From: "Bjørn Mork" <bjorn@mork.no>
+
+[ Upstream commit 8d3d7c2029c1b360f1a6b0a2fca470b57eb575c0 ]
+
+Endpoints with zero wMaxPacketSize are not usable for transferring
+data. Ignore such endpoints when looking for valid in, out and
+status pipes, to make the drivers more robust against invalid and
+meaningless descriptors.
+
+The wMaxPacketSize of these endpoints are used for memory allocations
+and as divisors in many usbnet minidrivers. Avoiding zero is therefore
+critical.
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -100,6 +100,11 @@ int usbnet_get_endpoints(struct usbnet *
+ int intr = 0;
+
+ e = alt->endpoint + ep;
++
++ /* ignore endpoints which cannot transfer data */
++ if (!usb_endpoint_maxp(&e->desc))
++ continue;
++
+ switch (e->desc.bmAttributes) {
+ case USB_ENDPOINT_XFER_INT:
+ if (!usb_endpoint_dir_in(&e->desc))
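Review bot: Endpoints with a zero `wMaxPacketSize` are now skipped without any trace, so a device with malformed descriptors will fail to bind with no hint of the cause. A debug-level message at the `continue` would help triage, for example `dev_dbg(&intf->dev, "ignoring endpoint 0x%02x: zero wMaxPacketSize\n", e->desc.bEndpointAddress);`, assuming the interface pointer is in scope here (the signature is cut off in the hunk header). The loop and the rest of the function lie outside the hunk.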
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 19 Sep 2019 10:23:08 +0200
+Subject: usbnet: sanity checking of packet sizes and device mtu
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit 280ceaed79f18db930c0cc8bb21f6493490bf29c ]
+
+After a reset packet sizes and device mtu can change and need
+to be reevaluated to calculate queue sizes.
+Malicious devices can set this to zero and we divide by it.
+Introduce sanity checking.
+
+Reported-and-tested-by: syzbot+6102c120be558c885f04@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -344,6 +344,8 @@ void usbnet_update_max_qlen(struct usbne
+ {
+ enum usb_device_speed speed = dev->udev->speed;
+
++ if (!dev->rx_urb_size || !dev->hard_mtu)
++ goto insanity;
+ switch (speed) {
+ case USB_SPEED_HIGH:
+ dev->rx_qlen = MAX_QUEUE_MEMORY / dev->rx_urb_size;
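Review bot: The `goto insanity` here jumps to a label placed inside the `default:` arm of the switch (second hunk), which is legal C but easy to break when someone later adds a case or a `break`. Handling the fallback in the guard reads more directly: `if (!dev->rx_urb_size || !dev->hard_mtu) { dev->rx_qlen = dev->tx_qlen = 4; return; }`. The guard also only protects the divisions in this function; `rx_urb_size` and `hard_mtu` stay zero for any other code that uses them. A `netdev_warn()` message on this path would make a device reporting such sizes visible in the log.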
+@@ -360,6 +362,7 @@ void usbnet_update_max_qlen(struct usbne
+ dev->tx_qlen = 5 * MAX_QUEUE_MEMORY / dev->hard_mtu;
+ break;
+ default:
++insanity:
+ dev->rx_qlen = dev->tx_qlen = 4;
+ }
+ }
--- /dev/null
+From foo@baz Tue 01 Oct 2019 03:27:55 PM CEST
+From: David Ahern <dsahern@gmail.com>
+Date: Wed, 25 Sep 2019 07:53:19 -0700
+Subject: vrf: Do not attempt to create IPv6 mcast rule if IPv6 is disabled
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit dac91170f8e9c73784af5fad6225e954b795601c ]
+
+A user reported that vrf create fails when IPv6 is disabled at boot using
+'ipv6.disable=1':
+ https://bugzilla.kernel.org/show_bug.cgi?id=204903
+
+The failure is adding fib rules at create time. Add RTNL_FAMILY_IP6MR to
+the check in vrf_fib_rule if ipv6_mod_enabled is disabled.
+
+Fixes: e4a38c0c4b27 ("ipv6: add vrf table handling code for ipv6 mcast")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Cc: Patrick Ruddy <pruddy@vyatta.att-mail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vrf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -1154,7 +1154,8 @@ static int vrf_fib_rule(const struct net
+ struct sk_buff *skb;
+ int err;
+
+- if (family == AF_INET6 && !ipv6_mod_enabled())
++ if ((family == AF_INET6 || family == RTNL_FAMILY_IP6MR) &&
++ !ipv6_mod_enabled())
+ return 0;
+
+ skb = nlmsg_new(vrf_fib_rule_nl_size(), GFP_KERNEL);
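Review bot: The early `return 0` reports success without installing anything, and the reason for that is only in the commit description. A comment above the test would keep the two families from drifting apart again: `/* IPv6 disabled at boot: no IPv6 unicast or multicast FIB rules to manage */`. The rest of `vrf_fib_rule()` is outside the hunk.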