--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:40 PM PDT
+From: Manish Chopra <manishc@marvell.com>
+Date: Sun, 18 Aug 2019 07:25:48 -0700
+Subject: bnx2x: Fix VF's VLAN reconfiguration in reload.
+
+From: Manish Chopra <manishc@marvell.com>
+
+[ Upstream commit 4a4d2d372fb9b9229327e2ed01d5d9572eddf4de ]
+
+Commit 04f05230c5c13 ("bnx2x: Remove configured vlans as
+part of unload sequence."), introduced a regression in driver
+that as a part of VF's reload flow, VLANs created on the VF
+doesn't get re-configured in hardware as vlan metadata/info
+was not getting cleared for the VFs which causes vlan PING to stop.
+
+This patch clears the vlan metadata/info so that VLANs gets
+re-configured back in the hardware in VF's reload flow and
+PING/traffic continues for VLANs created over the VFs.
+
+Fixes: 04f05230c5c13 ("bnx2x: Remove configured vlans as part of unload sequence.")
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Sudarsana Kalluru <skalluru@marvell.com>
+Signed-off-by: Shahed Shaikh <shshaikh@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 7 ++++---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 ++
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 17 ++++++++++++-----
+ 3 files changed, 18 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -3058,12 +3058,13 @@ int bnx2x_nic_unload(struct bnx2x *bp, i
+ /* if VF indicate to PF this function is going down (PF will delete sp
+ * elements and clear initializations
+ */
+- if (IS_VF(bp))
++ if (IS_VF(bp)) {
++ bnx2x_clear_vlan_info(bp);
+ bnx2x_vfpf_close_vf(bp);
+- else if (unload_mode != UNLOAD_RECOVERY)
++ } else if (unload_mode != UNLOAD_RECOVERY) {
+ /* if this is a normal/close unload need to clean up chip*/
+ bnx2x_chip_cleanup(bp, unload_mode, keep_link);
+- else {
++ } else {
+ /* Send the UNLOAD_REQUEST to the MCP */
+ bnx2x_send_unload_req(bp, unload_mode);
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
+@@ -425,6 +425,8 @@ void bnx2x_set_reset_global(struct bnx2x
+ void bnx2x_disable_close_the_gate(struct bnx2x *bp);
+ int bnx2x_init_hw_func_cnic(struct bnx2x *bp);
+
++void bnx2x_clear_vlan_info(struct bnx2x *bp);
++
+ /**
+ * bnx2x_sp_event - handle ramrods completion.
+ *
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -8488,11 +8488,21 @@ int bnx2x_set_vlan_one(struct bnx2x *bp,
+ return rc;
+ }
+
++void bnx2x_clear_vlan_info(struct bnx2x *bp)
++{
++ struct bnx2x_vlan_entry *vlan;
++
++ /* Mark that hw forgot all entries */
++ list_for_each_entry(vlan, &bp->vlan_reg, link)
++ vlan->hw = false;
++
++ bp->vlan_cnt = 0;
++}
++
+ static int bnx2x_del_all_vlans(struct bnx2x *bp)
+ {
+ struct bnx2x_vlan_mac_obj *vlan_obj = &bp->sp_objs[0].vlan_obj;
+ unsigned long ramrod_flags = 0, vlan_flags = 0;
+- struct bnx2x_vlan_entry *vlan;
+ int rc;
+
+ __set_bit(RAMROD_COMP_WAIT, &ramrod_flags);
+@@ -8501,10 +8511,7 @@ static int bnx2x_del_all_vlans(struct bn
+ if (rc)
+ return rc;
+
+- /* Mark that hw forgot all entries */
+- list_for_each_entry(vlan, &bp->vlan_reg, link)
+- vlan->hw = false;
+- bp->vlan_cnt = 0;
++ bnx2x_clear_vlan_info(bp);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:40 PM PDT
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 7 Aug 2019 10:19:59 +0800
+Subject: bonding: Add vlan tx offload to hw_enc_features
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit d595b03de2cb0bdf9bcdf35ff27840cc3a37158f ]
+
+As commit 30d8177e8ac7 ("bonding: Always enable vlan tx offload")
+said, we should always enable bonding's vlan tx offload, pass the
+vlan packets to the slave devices with vlan tci, let them to handle
+vlan implementation.
+
+Now if encapsulation protocols like VXLAN is used, skb->encapsulation
+may be set, then the packet is passed to vlan device which based on
+bonding device. However in netif_skb_features(), the check of
+hw_enc_features:
+
+ if (skb->encapsulation)
+ features &= dev->hw_enc_features;
+
+clears NETIF_F_HW_VLAN_CTAG_TX/NETIF_F_HW_VLAN_STAG_TX. This results
+in same issue in commit 30d8177e8ac7 like this:
+
+vlan_dev_hard_start_xmit
+ -->dev_queue_xmit
+ -->validate_xmit_skb
+ -->netif_skb_features //NETIF_F_HW_VLAN_CTAG_TX is cleared
+ -->validate_xmit_vlan
+ -->__vlan_hwaccel_push_inside //skb->tci is cleared
+...
+ --> bond_start_xmit
+ --> bond_xmit_hash //BOND_XMIT_POLICY_ENCAP34
+ --> __skb_flow_dissect // nhoff point to IP header
+ --> case htons(ETH_P_8021Q)
+ // skb_vlan_tag_present is false, so
+ vlan = __skb_header_pointer(skb, nhoff, sizeof(_vlan),
+ //vlan point to ip header wrongly
+
+Fixes: b2a103e6d0af ("bonding: convert to ndo_fix_features")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1102,6 +1102,8 @@ static void bond_compute_features(struct
+ done:
+ bond_dev->vlan_features = vlan_features;
+ bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL |
++ NETIF_F_HW_VLAN_CTAG_TX |
++ NETIF_F_HW_VLAN_STAG_TX |
+ NETIF_F_GSO_UDP_L4;
+ bond_dev->gso_max_segs = gso_max_segs;
+ netif_set_gso_max_size(bond_dev, gso_max_size);
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:40 PM PDT
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Sun, 11 Aug 2019 22:18:25 +0800
+Subject: net: dsa: Check existence of .port_mdb_add callback before calling it
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+[ Upstream commit 58799865be84e2a895dab72de0e1b996ed943f22 ]
+
+The dsa framework has optional .port_mdb_{prepare,add,del} callback fields
+for drivers to handle multicast database entries. When adding an entry, the
+framework goes through a prepare phase, then a commit phase. Drivers not
+providing these callbacks should be detected in the prepare phase.
+
+DSA core may still bypass the bridge layer and call the dsa_port_mdb_add
+function directly with no prepare phase or no switchdev trans object,
+and the framework ends up calling an undefined .port_mdb_add callback.
+This results in a NULL pointer dereference, as shown in the log below.
+
+The other functions seem to be properly guarded. Do the same for
+.port_mdb_add in dsa_switch_mdb_add_bitmap() as well.
+
+ 8<--- cut here ---
+ Unable to handle kernel NULL pointer dereference at virtual address 00000000
+ pgd = (ptrval)
+ [00000000] *pgd=00000000
+ Internal error: Oops: 80000005 [#1] SMP ARM
+ Modules linked in: rtl8xxxu rtl8192cu rtl_usb rtl8192c_common rtlwifi mac80211 cfg80211
+ CPU: 1 PID: 134 Comm: kworker/1:2 Not tainted 5.3.0-rc1-00247-gd3519030752a #1
+ Hardware name: Allwinner sun7i (A20) Family
+ Workqueue: events switchdev_deferred_process_work
+ PC is at 0x0
+ LR is at dsa_switch_event+0x570/0x620
+ pc : [<00000000>] lr : [<c08533ec>] psr: 80070013
+ sp : ee871db8 ip : 00000000 fp : ee98d0a4
+ r10: 0000000c r9 : 00000008 r8 : ee89f710
+ r7 : ee98d040 r6 : ee98d088 r5 : c0f04c48 r4 : ee98d04c
+ r3 : 00000000 r2 : ee89f710 r1 : 00000008 r0 : ee98d040
+ Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+ Control: 10c5387d Table: 6deb406a DAC: 00000051
+ Process kworker/1:2 (pid: 134, stack limit = 0x(ptrval))
+ Stack: (0xee871db8 to 0xee872000)
+ 1da0: ee871e14 103ace2d
+ 1dc0: 00000000 ffffffff 00000000 ee871e14 00000005 00000000 c08524a0 00000000
+ 1de0: ffffe000 c014bdfc c0f04c48 ee871e98 c0f04c48 ee9e5000 c0851120 c014bef0
+ 1e00: 00000000 b643aea2 ee9b4068 c08509a8 ee2bf940 ee89f710 ee871ecb 00000000
+ 1e20: 00000008 103ace2d 00000000 c087e248 ee29c868 103ace2d 00000001 ffffffff
+ 1e40: 00000000 ee871e98 00000006 00000000 c0fb2a50 c087e2d0 ffffffff c08523c4
+ 1e60: ffffffff c014bdfc 00000006 c0fad2d0 ee871e98 ee89f710 00000000 c014c500
+ 1e80: 00000000 ee89f3c0 c0f04c48 00000000 ee9e5000 c087dfb4 ee9e5000 00000000
+ 1ea0: ee89f710 ee871ecb 00000001 103ace2d 00000000 c0f04c48 00000000 c087e0a8
+ 1ec0: 00000000 efd9a3e0 0089f3c0 103ace2d ee89f700 ee89f710 ee9e5000 00000122
+ 1ee0: 00000100 c087e130 ee89f700 c0fad2c8 c1003ef0 c087de4c 2e928000 c0fad2ec
+ 1f00: c0fad2ec ee839580 ef7a62c0 ef7a9400 00000000 c087def8 c0fad2ec c01447dc
+ 1f20: ef315640 ef7a62c0 00000008 ee839580 ee839594 ef7a62c0 00000008 c0f03d00
+ 1f40: ef7a62d8 ef7a62c0 ffffe000 c0145b84 ffffe000 c0fb2420 c0bfaa8c 00000000
+ 1f60: ffffe000 ee84b600 ee84b5c0 00000000 ee870000 ee839580 c0145b40 ef0e5ea4
+ 1f80: ee84b61c c014a6f8 00000001 ee84b5c0 c014a5b0 00000000 00000000 00000000
+ 1fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
+ 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
+ [<c08533ec>] (dsa_switch_event) from [<c014bdfc>] (notifier_call_chain+0x48/0x84)
+ [<c014bdfc>] (notifier_call_chain) from [<c014bef0>] (raw_notifier_call_chain+0x18/0x20)
+ [<c014bef0>] (raw_notifier_call_chain) from [<c08509a8>] (dsa_port_mdb_add+0x48/0x74)
+ [<c08509a8>] (dsa_port_mdb_add) from [<c087e248>] (__switchdev_handle_port_obj_add+0x54/0xd4)
+ [<c087e248>] (__switchdev_handle_port_obj_add) from [<c087e2d0>] (switchdev_handle_port_obj_add+0x8/0x14)
+ [<c087e2d0>] (switchdev_handle_port_obj_add) from [<c08523c4>] (dsa_slave_switchdev_blocking_event+0x94/0xa4)
+ [<c08523c4>] (dsa_slave_switchdev_blocking_event) from [<c014bdfc>] (notifier_call_chain+0x48/0x84)
+ [<c014bdfc>] (notifier_call_chain) from [<c014c500>] (blocking_notifier_call_chain+0x50/0x68)
+ [<c014c500>] (blocking_notifier_call_chain) from [<c087dfb4>] (switchdev_port_obj_notify+0x44/0xa8)
+ [<c087dfb4>] (switchdev_port_obj_notify) from [<c087e0a8>] (switchdev_port_obj_add_now+0x90/0x104)
+ [<c087e0a8>] (switchdev_port_obj_add_now) from [<c087e130>] (switchdev_port_obj_add_deferred+0x14/0x5c)
+ [<c087e130>] (switchdev_port_obj_add_deferred) from [<c087de4c>] (switchdev_deferred_process+0x64/0x104)
+ [<c087de4c>] (switchdev_deferred_process) from [<c087def8>] (switchdev_deferred_process_work+0xc/0x14)
+ [<c087def8>] (switchdev_deferred_process_work) from [<c01447dc>] (process_one_work+0x218/0x50c)
+ [<c01447dc>] (process_one_work) from [<c0145b84>] (worker_thread+0x44/0x5bc)
+ [<c0145b84>] (worker_thread) from [<c014a6f8>] (kthread+0x148/0x150)
+ [<c014a6f8>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
+ Exception stack(0xee871fb0 to 0xee871ff8)
+ 1fa0: 00000000 00000000 00000000 00000000
+ 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+ Code: bad PC value
+ ---[ end trace 1292c61abd17b130 ]---
+
+ [<c08533ec>] (dsa_switch_event) from [<c014bdfc>] (notifier_call_chain+0x48/0x84)
+ corresponds to
+
+ $ arm-linux-gnueabihf-addr2line -C -i -e vmlinux c08533ec
+
+ linux/net/dsa/switch.c:156
+ linux/net/dsa/switch.c:178
+ linux/net/dsa/switch.c:328
+
+Fixes: e6db98db8a95 ("net: dsa: add switch mdb bitmap functions")
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/switch.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/dsa/switch.c
++++ b/net/dsa/switch.c
+@@ -127,6 +127,9 @@ static void dsa_switch_mdb_add_bitmap(st
+ {
+ int port;
+
++ if (!ds->ops->port_mdb_add)
++ return;
++
+ for_each_set_bit(port, bitmap, ds->num_ports)
+ ds->ops->port_mdb_add(ds, port, mdb);
+ }
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:40 PM PDT
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Mon, 12 Aug 2019 14:11:35 -0500
+Subject: net/mlx4_en: fix a memory leak bug
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+[ Upstream commit 48ec7014c56e5eb2fbf6f479896143622d834f3b ]
+
+In mlx4_en_config_rss_steer(), 'rss_map->indir_qp' is allocated through
+kzalloc(). After that, mlx4_qp_alloc() is invoked to configure RSS
+indirection. However, if mlx4_qp_alloc() fails, the allocated
+'rss_map->indir_qp' is not deallocated, leading to a memory leak bug.
+
+To fix the above issue, add the 'qp_alloc_err' label to free
+'rss_map->indir_qp'.
+
+Fixes: 4931c6ef04b4 ("net/mlx4_en: Optimized single ring steering")
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_rx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
+@@ -1190,7 +1190,7 @@ int mlx4_en_config_rss_steer(struct mlx4
+ err = mlx4_qp_alloc(mdev->dev, priv->base_qpn, rss_map->indir_qp);
+ if (err) {
+ en_err(priv, "Failed to allocate RSS indirection QP\n");
+- goto rss_err;
++ goto qp_alloc_err;
+ }
+
+ rss_map->indir_qp->event = mlx4_en_sqp_event;
+@@ -1244,6 +1244,7 @@ indir_err:
+ MLX4_QP_STATE_RST, NULL, 0, 0, rss_map->indir_qp);
+ mlx4_qp_remove(mdev->dev, rss_map->indir_qp);
+ mlx4_qp_free(mdev->dev, rss_map->indir_qp);
++qp_alloc_err:
+ kfree(rss_map->indir_qp);
+ rss_map->indir_qp = NULL;
+ rss_err:
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:40 PM PDT
+From: Huy Nguyen <huyn@mellanox.com>
+Date: Thu, 1 Aug 2019 11:10:19 -0500
+Subject: net/mlx5e: Only support tx/rx pause setting for port owner
+
+From: Huy Nguyen <huyn@mellanox.com>
+
+[ Upstream commit 466df6eb4a9e813b3cfc674363316450c57a89c5 ]
+
+Only support changing tx/rx pause frame setting if the net device
+is the vport group manager.
+
+Fixes: 3c2d18ef22df ("net/mlx5e: Support ethtool get/set_pauseparam")
+Signed-off-by: Huy Nguyen <huyn@mellanox.com>
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -1083,6 +1083,9 @@ static int mlx5e_set_pauseparam(struct n
+ struct mlx5_core_dev *mdev = priv->mdev;
+ int err;
+
++ if (!MLX5_CAP_GEN(mdev, vport_group_manager))
++ return -EOPNOTSUPP;
++
+ if (pauseparam->autoneg)
+ return -EINVAL;
+
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:40 PM PDT
+From: Maxim Mikityanskiy <maximmi@mellanox.com>
+Date: Fri, 5 Jul 2019 17:59:28 +0300
+Subject: net/mlx5e: Use flow keys dissector to parse packets for ARFS
+
+From: Maxim Mikityanskiy <maximmi@mellanox.com>
+
+[ Upstream commit 405b93eb764367a670e729da18e54dc42db32620 ]
+
+The current ARFS code relies on certain fields to be set in the SKB
+(e.g. transport_header) and extracts IP addresses and ports by custom
+code that parses the packet. The necessary SKB fields, however, are not
+always set at that point, which leads to an out-of-bounds access. Use
+skb_flow_dissect_flow_keys() to get the necessary information reliably,
+fix the out-of-bounds access and reuse the code.
+
+Fixes: 18c908e477dc ("net/mlx5e: Add accelerated RFS support")
+Signed-off-by: Maxim Mikityanskiy <maximmi@mellanox.com>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c | 97 +++++++---------------
+ 1 file changed, 34 insertions(+), 63 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c
+@@ -437,12 +437,6 @@ arfs_hash_bucket(struct arfs_table *arfs
+ return &arfs_t->rules_hash[bucket_idx];
+ }
+
+-static u8 arfs_get_ip_proto(const struct sk_buff *skb)
+-{
+- return (skb->protocol == htons(ETH_P_IP)) ?
+- ip_hdr(skb)->protocol : ipv6_hdr(skb)->nexthdr;
+-}
+-
+ static struct arfs_table *arfs_get_table(struct mlx5e_arfs_tables *arfs,
+ u8 ip_proto, __be16 etype)
+ {
+@@ -599,31 +593,9 @@ out:
+ arfs_may_expire_flow(priv);
+ }
+
+-/* return L4 destination port from ip4/6 packets */
+-static __be16 arfs_get_dst_port(const struct sk_buff *skb)
+-{
+- char *transport_header;
+-
+- transport_header = skb_transport_header(skb);
+- if (arfs_get_ip_proto(skb) == IPPROTO_TCP)
+- return ((struct tcphdr *)transport_header)->dest;
+- return ((struct udphdr *)transport_header)->dest;
+-}
+-
+-/* return L4 source port from ip4/6 packets */
+-static __be16 arfs_get_src_port(const struct sk_buff *skb)
+-{
+- char *transport_header;
+-
+- transport_header = skb_transport_header(skb);
+- if (arfs_get_ip_proto(skb) == IPPROTO_TCP)
+- return ((struct tcphdr *)transport_header)->source;
+- return ((struct udphdr *)transport_header)->source;
+-}
+-
+ static struct arfs_rule *arfs_alloc_rule(struct mlx5e_priv *priv,
+ struct arfs_table *arfs_t,
+- const struct sk_buff *skb,
++ const struct flow_keys *fk,
+ u16 rxq, u32 flow_id)
+ {
+ struct arfs_rule *rule;
+@@ -638,19 +610,19 @@ static struct arfs_rule *arfs_alloc_rule
+ INIT_WORK(&rule->arfs_work, arfs_handle_work);
+
+ tuple = &rule->tuple;
+- tuple->etype = skb->protocol;
++ tuple->etype = fk->basic.n_proto;
++ tuple->ip_proto = fk->basic.ip_proto;
+ if (tuple->etype == htons(ETH_P_IP)) {
+- tuple->src_ipv4 = ip_hdr(skb)->saddr;
+- tuple->dst_ipv4 = ip_hdr(skb)->daddr;
++ tuple->src_ipv4 = fk->addrs.v4addrs.src;
++ tuple->dst_ipv4 = fk->addrs.v4addrs.dst;
+ } else {
+- memcpy(&tuple->src_ipv6, &ipv6_hdr(skb)->saddr,
++ memcpy(&tuple->src_ipv6, &fk->addrs.v6addrs.src,
+ sizeof(struct in6_addr));
+- memcpy(&tuple->dst_ipv6, &ipv6_hdr(skb)->daddr,
++ memcpy(&tuple->dst_ipv6, &fk->addrs.v6addrs.dst,
+ sizeof(struct in6_addr));
+ }
+- tuple->ip_proto = arfs_get_ip_proto(skb);
+- tuple->src_port = arfs_get_src_port(skb);
+- tuple->dst_port = arfs_get_dst_port(skb);
++ tuple->src_port = fk->ports.src;
++ tuple->dst_port = fk->ports.dst;
+
+ rule->flow_id = flow_id;
+ rule->filter_id = priv->fs.arfs.last_filter_id++ % RPS_NO_FILTER;
+@@ -661,37 +633,33 @@ static struct arfs_rule *arfs_alloc_rule
+ return rule;
+ }
+
+-static bool arfs_cmp_ips(struct arfs_tuple *tuple,
+- const struct sk_buff *skb)
++static bool arfs_cmp(const struct arfs_tuple *tuple, const struct flow_keys *fk)
+ {
+- if (tuple->etype == htons(ETH_P_IP) &&
+- tuple->src_ipv4 == ip_hdr(skb)->saddr &&
+- tuple->dst_ipv4 == ip_hdr(skb)->daddr)
+- return true;
+- if (tuple->etype == htons(ETH_P_IPV6) &&
+- (!memcmp(&tuple->src_ipv6, &ipv6_hdr(skb)->saddr,
+- sizeof(struct in6_addr))) &&
+- (!memcmp(&tuple->dst_ipv6, &ipv6_hdr(skb)->daddr,
+- sizeof(struct in6_addr))))
+- return true;
++ if (tuple->src_port != fk->ports.src || tuple->dst_port != fk->ports.dst)
++ return false;
++ if (tuple->etype != fk->basic.n_proto)
++ return false;
++ if (tuple->etype == htons(ETH_P_IP))
++ return tuple->src_ipv4 == fk->addrs.v4addrs.src &&
++ tuple->dst_ipv4 == fk->addrs.v4addrs.dst;
++ if (tuple->etype == htons(ETH_P_IPV6))
++ return !memcmp(&tuple->src_ipv6, &fk->addrs.v6addrs.src,
++ sizeof(struct in6_addr)) &&
++ !memcmp(&tuple->dst_ipv6, &fk->addrs.v6addrs.dst,
++ sizeof(struct in6_addr));
+ return false;
+ }
+
+ static struct arfs_rule *arfs_find_rule(struct arfs_table *arfs_t,
+- const struct sk_buff *skb)
++ const struct flow_keys *fk)
+ {
+ struct arfs_rule *arfs_rule;
+ struct hlist_head *head;
+- __be16 src_port = arfs_get_src_port(skb);
+- __be16 dst_port = arfs_get_dst_port(skb);
+
+- head = arfs_hash_bucket(arfs_t, src_port, dst_port);
++ head = arfs_hash_bucket(arfs_t, fk->ports.src, fk->ports.dst);
+ hlist_for_each_entry(arfs_rule, head, hlist) {
+- if (arfs_rule->tuple.src_port == src_port &&
+- arfs_rule->tuple.dst_port == dst_port &&
+- arfs_cmp_ips(&arfs_rule->tuple, skb)) {
++ if (arfs_cmp(&arfs_rule->tuple, fk))
+ return arfs_rule;
+- }
+ }
+
+ return NULL;
+@@ -704,20 +672,24 @@ int mlx5e_rx_flow_steer(struct net_devic
+ struct mlx5e_arfs_tables *arfs = &priv->fs.arfs;
+ struct arfs_table *arfs_t;
+ struct arfs_rule *arfs_rule;
++ struct flow_keys fk;
++
++ if (!skb_flow_dissect_flow_keys(skb, &fk, 0))
++ return -EPROTONOSUPPORT;
+
+- if (skb->protocol != htons(ETH_P_IP) &&
+- skb->protocol != htons(ETH_P_IPV6))
++ if (fk.basic.n_proto != htons(ETH_P_IP) &&
++ fk.basic.n_proto != htons(ETH_P_IPV6))
+ return -EPROTONOSUPPORT;
+
+ if (skb->encapsulation)
+ return -EPROTONOSUPPORT;
+
+- arfs_t = arfs_get_table(arfs, arfs_get_ip_proto(skb), skb->protocol);
++ arfs_t = arfs_get_table(arfs, fk.basic.ip_proto, fk.basic.n_proto);
+ if (!arfs_t)
+ return -EPROTONOSUPPORT;
+
+ spin_lock_bh(&arfs->arfs_lock);
+- arfs_rule = arfs_find_rule(arfs_t, skb);
++ arfs_rule = arfs_find_rule(arfs_t, &fk);
+ if (arfs_rule) {
+ if (arfs_rule->rxq == rxq_index) {
+ spin_unlock_bh(&arfs->arfs_lock);
+@@ -725,8 +697,7 @@ int mlx5e_rx_flow_steer(struct net_devic
+ }
+ arfs_rule->rxq = rxq_index;
+ } else {
+- arfs_rule = arfs_alloc_rule(priv, arfs_t, skb,
+- rxq_index, flow_id);
++ arfs_rule = arfs_alloc_rule(priv, arfs_t, &fk, rxq_index, flow_id);
+ if (!arfs_rule) {
+ spin_unlock_bh(&arfs->arfs_lock);
+ return -ENOMEM;
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:40 PM PDT
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 14 Aug 2019 02:11:57 -0700
+Subject: net/packet: fix race in tpacket_snd()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 32d3182cd2cd29b2e7e04df7b0db350fbe11289f ]
+
+packet_sendmsg() checks tx_ring.pg_vec to decide
+if it must call tpacket_snd().
+
+Problem is that the check is lockless, meaning another thread
+can issue a concurrent setsockopt(PACKET_TX_RING ) to flip
+tx_ring.pg_vec back to NULL.
+
+Given that tpacket_snd() grabs pg_vec_lock mutex, we can
+perform the check again to solve the race.
+
+syzbot reported :
+
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
+Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00
+RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c
+RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50
+R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000
+R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000
+FS: 00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ packet_current_frame net/packet/af_packet.c:487 [inline]
+ tpacket_snd net/packet/af_packet.c:2667 [inline]
+ packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0xd7/0x130 net/socket.c:657
+ ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
+ __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
+ __do_sys_sendmmsg net/socket.c:2442 [inline]
+ __se_sys_sendmmsg net/socket.c:2439 [inline]
+ __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
+ do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2616,6 +2616,13 @@ static int tpacket_snd(struct packet_soc
+
+ mutex_lock(&po->pg_vec_lock);
+
++ /* packet_sendmsg() check on tx_ring.pg_vec was lockless,
++ * we need to confirm it under protection of pg_vec_lock.
++ */
++ if (unlikely(!po->tx_ring.pg_vec)) {
++ err = -EBUSY;
++ goto out;
++ }
+ if (likely(saddr == NULL)) {
+ dev = packet_cached_dev_get(po);
+ proto = po->num;
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:40 PM PDT
+From: zhengbin <zhengbin13@huawei.com>
+Date: Tue, 13 Aug 2019 22:05:50 +0800
+Subject: sctp: fix memleak in sctp_send_reset_streams
+
+From: zhengbin <zhengbin13@huawei.com>
+
+[ Upstream commit 6d5afe20397b478192ed8c38ec0ee10fa3aec649 ]
+
+If the stream outq is not empty, need to kfree nstr_list.
+
+Fixes: d570a59c5b5f ("sctp: only allow the out stream reset when the stream outq is empty")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: zhengbin <zhengbin13@huawei.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/stream.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sctp/stream.c
++++ b/net/sctp/stream.c
+@@ -416,6 +416,7 @@ int sctp_send_reset_streams(struct sctp_
+ nstr_list[i] = htons(str_list[i]);
+
+ if (out && !sctp_stream_outq_is_empty(stream, str_nums, nstr_list)) {
++ kfree(nstr_list);
+ retval = -EAGAIN;
+ goto out;
+ }
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:40 PM PDT
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 12 Aug 2019 20:49:12 +0800
+Subject: sctp: fix the transport error_count check
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit a1794de8b92ea6bc2037f445b296814ac826693e ]
+
+As the annotation says in sctp_do_8_2_transport_strike():
+
+ "If the transport error count is greater than the pf_retrans
+ threshold, and less than pathmaxrtx ..."
+
+It should be transport->error_count checked with pathmaxrxt,
+instead of asoc->pf_retrans.
+
+Fixes: 5aa93bcf66f4 ("sctp: Implement quick failover draft from tsvwg")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_sideeffect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/sm_sideeffect.c
++++ b/net/sctp/sm_sideeffect.c
+@@ -561,7 +561,7 @@ static void sctp_do_8_2_transport_strike
+ */
+ if (net->sctp.pf_enable &&
+ (transport->state == SCTP_ACTIVE) &&
+- (asoc->pf_retrans < transport->pathmaxrxt) &&
++ (transport->error_count < transport->pathmaxrxt) &&
+ (transport->error_count > asoc->pf_retrans)) {
+
+ sctp_assoc_control_transport(asoc, transport,
netfilter-conntrack-use-consistent-ct-id-hash-calculation.patch
input-psmouse-fix-build-error-of-multiple-definition.patch
iommu-amd-move-iommu_init_pci-to-.init-section.patch
+bnx2x-fix-vf-s-vlan-reconfiguration-in-reload.patch
+bonding-add-vlan-tx-offload-to-hw_enc_features.patch
+net-dsa-check-existence-of-.port_mdb_add-callback-before-calling-it.patch
+net-mlx4_en-fix-a-memory-leak-bug.patch
+net-packet-fix-race-in-tpacket_snd.patch
+sctp-fix-memleak-in-sctp_send_reset_streams.patch
+sctp-fix-the-transport-error_count-check.patch
+team-add-vlan-tx-offload-to-hw_enc_features.patch
+tipc-initialise-addr_trail_end-when-setting-node-addresses.patch
+xen-netback-reset-nr_frags-before-freeing-skb.patch
+net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch
+net-mlx5e-use-flow-keys-dissector-to-parse-packets-for-arfs.patch
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:40 PM PDT
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 8 Aug 2019 14:22:47 +0800
+Subject: team: Add vlan tx offload to hw_enc_features
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 227f2f030e28d8783c3d10ce70ff4ba79cad653f ]
+
+We should also enable team's vlan tx offload in hw_enc_features,
+pass the vlan packets to the slave devices with vlan tci, let the
+slave handle vlan tunneling offload implementation.
+
+Fixes: 3268e5cb494d ("team: Advertise tunneling offload features")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1011,6 +1011,8 @@ static void __team_compute_features(stru
+
+ team->dev->vlan_features = vlan_features;
+ team->dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL |
++ NETIF_F_HW_VLAN_CTAG_TX |
++ NETIF_F_HW_VLAN_STAG_TX |
+ NETIF_F_GSO_UDP_L4;
+ team->dev->hard_header_len = max_hard_header_len;
+
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:40 PM PDT
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Date: Mon, 12 Aug 2019 08:18:25 +1200
+Subject: tipc: initialise addr_trail_end when setting node addresses
+
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+
+[ Upstream commit 8874ecae2977e5a2d4f0ba301364435b81c05938 ]
+
+We set the field 'addr_trial_end' to 'jiffies', instead of the current
+value 0, at the moment the node address is initialized. This guarantees
+we don't inadvertently enter an address trial period when the node
+address is explicitly set by the user.
+
+Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/addr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/tipc/addr.c
++++ b/net/tipc/addr.c
+@@ -75,6 +75,7 @@ void tipc_set_node_addr(struct net *net,
+ tipc_set_node_id(net, node_id);
+ }
+ tn->trial_addr = addr;
++ tn->addr_trial_end = jiffies;
+ pr_info("32-bit node address hash set to %x\n", addr);
+ }
+
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:40 PM PDT
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Mon, 5 Aug 2019 16:34:34 +0100
+Subject: xen/netback: Reset nr_frags before freeing skb
+
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+
+[ Upstream commit 3a0233ddec554b886298de2428edb5c50a20e694 ]
+
+At this point nr_frags has been incremented but the frag does not yet
+have a page assigned so freeing the skb results in a crash. Reset
+nr_frags before freeing the skb to prevent this.
+
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netback/netback.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -925,6 +925,7 @@ static void xenvif_tx_build_gops(struct
+ skb_shinfo(skb)->nr_frags = MAX_SKB_FRAGS;
+ nskb = xenvif_alloc_skb(0);
+ if (unlikely(nskb == NULL)) {
++ skb_shinfo(skb)->nr_frags = 0;
+ kfree_skb(skb);
+ xenvif_tx_err(queue, &txreq, extra_count, idx);
+ if (net_ratelimit())
+@@ -940,6 +941,7 @@ static void xenvif_tx_build_gops(struct
+
+ if (xenvif_set_skb_gso(queue->vif, skb, gso)) {
+ /* Failure in xenvif_set_skb_gso is fatal. */
++ skb_shinfo(skb)->nr_frags = 0;
+ kfree_skb(skb);
+ kfree_skb(nskb);
+ break;
projects / thirdparty / kernel / stable-queue.git / commitdiff
