--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Manish Chopra <manishc@marvell.com>
+Date: Sun, 18 Aug 2019 07:25:48 -0700
+Subject: bnx2x: Fix VF's VLAN reconfiguration in reload.
+
+From: Manish Chopra <manishc@marvell.com>
+
+[ Upstream commit 4a4d2d372fb9b9229327e2ed01d5d9572eddf4de ]
+
+Commit 04f05230c5c13 ("bnx2x: Remove configured vlans as
+part of unload sequence."), introduced a regression in driver
+that as a part of VF's reload flow, VLANs created on the VF
+doesn't get re-configured in hardware as vlan metadata/info
+was not getting cleared for the VFs which causes vlan PING to stop.
+
+This patch clears the vlan metadata/info so that VLANs gets
+re-configured back in the hardware in VF's reload flow and
+PING/traffic continues for VLANs created over the VFs.
+
+Fixes: 04f05230c5c13 ("bnx2x: Remove configured vlans as part of unload sequence.")
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Sudarsana Kalluru <skalluru@marvell.com>
+Signed-off-by: Shahed Shaikh <shshaikh@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 7 ++++---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 2 ++
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 17 ++++++++++++-----
+ 3 files changed, 18 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -3057,12 +3057,13 @@ int bnx2x_nic_unload(struct bnx2x *bp, i
+ /* if VF indicate to PF this function is going down (PF will delete sp
+ * elements and clear initializations
+ */
+- if (IS_VF(bp))
++ if (IS_VF(bp)) {
++ bnx2x_clear_vlan_info(bp);
+ bnx2x_vfpf_close_vf(bp);
+- else if (unload_mode != UNLOAD_RECOVERY)
++ } else if (unload_mode != UNLOAD_RECOVERY) {
+ /* if this is a normal/close unload need to clean up chip*/
+ bnx2x_chip_cleanup(bp, unload_mode, keep_link);
+- else {
++ } else {
+ /* Send the UNLOAD_REQUEST to the MCP */
+ bnx2x_send_unload_req(bp, unload_mode);
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
+@@ -425,6 +425,8 @@ void bnx2x_set_reset_global(struct bnx2x
+ void bnx2x_disable_close_the_gate(struct bnx2x *bp);
+ int bnx2x_init_hw_func_cnic(struct bnx2x *bp);
+
++void bnx2x_clear_vlan_info(struct bnx2x *bp);
++
+ /**
+ * bnx2x_sp_event - handle ramrods completion.
+ *
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -8482,11 +8482,21 @@ int bnx2x_set_vlan_one(struct bnx2x *bp,
+ return rc;
+ }
+
++void bnx2x_clear_vlan_info(struct bnx2x *bp)
++{
++ struct bnx2x_vlan_entry *vlan;
++
++ /* Mark that hw forgot all entries */
++ list_for_each_entry(vlan, &bp->vlan_reg, link)
++ vlan->hw = false;
++
++ bp->vlan_cnt = 0;
++}
++
+ static int bnx2x_del_all_vlans(struct bnx2x *bp)
+ {
+ struct bnx2x_vlan_mac_obj *vlan_obj = &bp->sp_objs[0].vlan_obj;
+ unsigned long ramrod_flags = 0, vlan_flags = 0;
+- struct bnx2x_vlan_entry *vlan;
+ int rc;
+
+ __set_bit(RAMROD_COMP_WAIT, &ramrod_flags);
+@@ -8495,10 +8505,7 @@ static int bnx2x_del_all_vlans(struct bn
+ if (rc)
+ return rc;
+
+- /* Mark that hw forgot all entries */
+- list_for_each_entry(vlan, &bp->vlan_reg, link)
+- vlan->hw = false;
+- bp->vlan_cnt = 0;
++ bnx2x_clear_vlan_info(bp);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Date: Sat, 17 Aug 2019 17:04:49 -0400
+Subject: bnxt_en: Fix handling FRAG_ERR when NVM_INSTALL_UPDATE cmd fails
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+[ Upstream commit dd2ebf3404c7c295014bc025dea23960960ceb1a ]
+
+If FW returns FRAG_ERR in response error code, driver is resending the
+command only when HWRM command returns success. Fix the code to resend
+NVM_INSTALL_UPDATE command with DEFRAG install flags, if FW returns
+FRAG_ERR in its response error code.
+
+Fixes: cb4d1d626145 ("bnxt_en: Retry failed NVM_INSTALL_UPDATE with defragmentation flag enabled.")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -2016,21 +2016,19 @@ static int bnxt_flash_package_from_file(
+ mutex_lock(&bp->hwrm_cmd_lock);
+ hwrm_err = _hwrm_send_message(bp, &install, sizeof(install),
+ INSTALL_PACKAGE_TIMEOUT);
+- if (hwrm_err)
+- goto flash_pkg_exit;
+-
+- if (resp->error_code) {
++ if (hwrm_err) {
+ u8 error_code = ((struct hwrm_err_output *)resp)->cmd_err;
+
+- if (error_code == NVM_INSTALL_UPDATE_CMD_ERR_CODE_FRAG_ERR) {
++ if (resp->error_code && error_code ==
++ NVM_INSTALL_UPDATE_CMD_ERR_CODE_FRAG_ERR) {
+ install.flags |= cpu_to_le16(
+ NVM_INSTALL_UPDATE_REQ_FLAGS_ALLOWED_TO_DEFRAG);
+ hwrm_err = _hwrm_send_message(bp, &install,
+ sizeof(install),
+ INSTALL_PACKAGE_TIMEOUT);
+- if (hwrm_err)
+- goto flash_pkg_exit;
+ }
++ if (hwrm_err)
++ goto flash_pkg_exit;
+ }
+
+ if (resp->result) {
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Somnath Kotur <somnath.kotur@broadcom.com>
+Date: Sat, 17 Aug 2019 17:04:52 -0400
+Subject: bnxt_en: Fix to include flow direction in L2 key
+
+From: Somnath Kotur <somnath.kotur@broadcom.com>
+
+[ Upstream commit 9bf46566e80fd94845527d01ebd888eb49313551 ]
+
+FW expects the driver to provide unique flow reference handles
+for Tx or Rx flows. When a Tx flow and an Rx flow end up sharing
+a reference handle, flow offload does not seem to work.
+This could happen in the case of 2 flows having their L2 fields
+wildcarded but in different direction.
+Fix to incorporate the flow direction as part of the L2 key
+
+v2: Move the dir field to the end of the bnxt_tc_l2_key struct to
+fix the warning reported by kbuild test robot <lkp@intel.com>.
+There is existing code that initializes the structure using
+nested initializer and will warn with the new u8 field added to
+the beginning. The structure also packs nicer when this new u8 is
+added to the end of the structure [MChan].
+
+Fixes: abd43a13525d ("bnxt_en: Support for 64-bit flow handle.")
+Signed-off-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c | 4 ++--
+ drivers/net/ethernet/broadcom/bnxt/bnxt_tc.h | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c
+@@ -1236,7 +1236,7 @@ static int __bnxt_tc_del_flow(struct bnx
+ static void bnxt_tc_set_flow_dir(struct bnxt *bp, struct bnxt_tc_flow *flow,
+ u16 src_fid)
+ {
+- flow->dir = (bp->pf.fw_fid == src_fid) ? BNXT_DIR_RX : BNXT_DIR_TX;
++ flow->l2_key.dir = (bp->pf.fw_fid == src_fid) ? BNXT_DIR_RX : BNXT_DIR_TX;
+ }
+
+ static void bnxt_tc_set_src_fid(struct bnxt *bp, struct bnxt_tc_flow *flow,
+@@ -1405,7 +1405,7 @@ static void bnxt_fill_cfa_stats_req(stru
+ * 2. 15th bit of flow_handle must specify the flow
+ * direction (TX/RX).
+ */
+- if (flow_node->flow.dir == BNXT_DIR_RX)
++ if (flow_node->flow.l2_key.dir == BNXT_DIR_RX)
+ handle = CFA_FLOW_INFO_REQ_FLOW_HANDLE_DIR_RX |
+ CFA_FLOW_INFO_REQ_FLOW_HANDLE_MAX_MASK;
+ else
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.h
+@@ -23,6 +23,9 @@ struct bnxt_tc_l2_key {
+ __be16 inner_vlan_tci;
+ __be16 ether_type;
+ u8 num_vlans;
++ u8 dir;
++#define BNXT_DIR_RX 1
++#define BNXT_DIR_TX 0
+ };
+
+ struct bnxt_tc_l3_key {
+@@ -98,9 +101,6 @@ struct bnxt_tc_flow {
+
+ /* flow applicable to pkts ingressing on this fid */
+ u16 src_fid;
+- u8 dir;
+-#define BNXT_DIR_RX 1
+-#define BNXT_DIR_TX 0
+ struct bnxt_tc_l2_key l2_key;
+ struct bnxt_tc_l2_key l2_mask;
+ struct bnxt_tc_l3_key l3_key;
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sat, 17 Aug 2019 17:04:47 -0400
+Subject: bnxt_en: Fix VNIC clearing logic for 57500 chips.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit a46ecb116fb7f722fa8cb2da01959c36e4e10c41 ]
+
+During device shutdown, the VNIC clearing sequence needs to be modified
+to free the VNIC first before freeing the RSS contexts. The current
+code is doing the reverse and we can get mis-directed RX completions
+to CP ring ID 0 when the RSS contexts are freed and zeroed. The clearing
+of RSS contexts is not required with the new sequence.
+
+Refactor the VNIC clearing logic into a new function bnxt_clear_vnic()
+and do the chip specific VNIC clearing sequence.
+
+Fixes: 7b3af4f75b81 ("bnxt_en: Add RSS support for 57500 chips.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -6963,19 +6963,29 @@ static void bnxt_hwrm_clear_vnic_rss(str
+ bnxt_hwrm_vnic_set_rss(bp, i, false);
+ }
+
+-static void bnxt_hwrm_resource_free(struct bnxt *bp, bool close_path,
+- bool irq_re_init)
++static void bnxt_clear_vnic(struct bnxt *bp)
+ {
+- if (bp->vnic_info) {
+- bnxt_hwrm_clear_vnic_filter(bp);
++ if (!bp->vnic_info)
++ return;
++
++ bnxt_hwrm_clear_vnic_filter(bp);
++ if (!(bp->flags & BNXT_FLAG_CHIP_P5)) {
+ /* clear all RSS setting before free vnic ctx */
+ bnxt_hwrm_clear_vnic_rss(bp);
+ bnxt_hwrm_vnic_ctx_free(bp);
+- /* before free the vnic, undo the vnic tpa settings */
+- if (bp->flags & BNXT_FLAG_TPA)
+- bnxt_set_tpa(bp, false);
+- bnxt_hwrm_vnic_free(bp);
+ }
++ /* before free the vnic, undo the vnic tpa settings */
++ if (bp->flags & BNXT_FLAG_TPA)
++ bnxt_set_tpa(bp, false);
++ bnxt_hwrm_vnic_free(bp);
++ if (bp->flags & BNXT_FLAG_CHIP_P5)
++ bnxt_hwrm_vnic_ctx_free(bp);
++}
++
++static void bnxt_hwrm_resource_free(struct bnxt *bp, bool close_path,
++ bool irq_re_init)
++{
++ bnxt_clear_vnic(bp);
+ bnxt_hwrm_ring_free(bp, close_path);
+ bnxt_hwrm_ring_grp_free(bp);
+ if (irq_re_init) {
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sat, 17 Aug 2019 17:04:48 -0400
+Subject: bnxt_en: Improve RX doorbell sequence.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit e8f267b063208372f7a329c6d5288d58944d873c ]
+
+When both RX buffers and RX aggregation buffers have to be
+replenished at the end of NAPI, post the RX aggregation buffers first
+before RX buffers. Otherwise, we may run into a situation where
+there are only RX buffers without RX aggregation buffers for a split
+second. This will cause the hardware to abort the RX packet and
+report buffer errors, which will cause unnecessary cleanup by the
+driver.
+
+Ringing the Aggregation ring doorbell first before the RX ring doorbell
+will prevent some of these buffer errors. Use the same sequence during
+ring initialization as well.
+
+Fixes: 697197e5a173 ("bnxt_en: Re-structure doorbells.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -2015,9 +2015,9 @@ static void __bnxt_poll_work_done(struct
+ if (bnapi->events & BNXT_RX_EVENT) {
+ struct bnxt_rx_ring_info *rxr = bnapi->rx_ring;
+
+- bnxt_db_write(bp, &rxr->rx_db, rxr->rx_prod);
+ if (bnapi->events & BNXT_AGG_EVENT)
+ bnxt_db_write(bp, &rxr->rx_agg_db, rxr->rx_agg_prod);
++ bnxt_db_write(bp, &rxr->rx_db, rxr->rx_prod);
+ }
+ bnapi->events = 0;
+ }
+@@ -5011,6 +5011,7 @@ static void bnxt_set_db(struct bnxt *bp,
+
+ static int bnxt_hwrm_ring_alloc(struct bnxt *bp)
+ {
++ bool agg_rings = !!(bp->flags & BNXT_FLAG_AGG_RINGS);
+ int i, rc = 0;
+ u32 type;
+
+@@ -5086,7 +5087,9 @@ static int bnxt_hwrm_ring_alloc(struct b
+ if (rc)
+ goto err_out;
+ bnxt_set_db(bp, &rxr->rx_db, type, map_idx, ring->fw_ring_id);
+- bnxt_db_write(bp, &rxr->rx_db, rxr->rx_prod);
++ /* If we have agg rings, post agg buffers first. */
++ if (!agg_rings)
++ bnxt_db_write(bp, &rxr->rx_db, rxr->rx_prod);
+ bp->grp_info[map_idx].rx_fw_ring_id = ring->fw_ring_id;
+ if (bp->flags & BNXT_FLAG_CHIP_P5) {
+ struct bnxt_cp_ring_info *cpr = &bnapi->cp_ring;
+@@ -5105,7 +5108,7 @@ static int bnxt_hwrm_ring_alloc(struct b
+ }
+ }
+
+- if (bp->flags & BNXT_FLAG_AGG_RINGS) {
++ if (agg_rings) {
+ type = HWRM_RING_ALLOC_AGG;
+ for (i = 0; i < bp->rx_nr_rings; i++) {
+ struct bnxt_rx_ring_info *rxr = &bp->rx_ring[i];
+@@ -5121,6 +5124,7 @@ static int bnxt_hwrm_ring_alloc(struct b
+ bnxt_set_db(bp, &rxr->rx_agg_db, type, map_idx,
+ ring->fw_ring_id);
+ bnxt_db_write(bp, &rxr->rx_agg_db, rxr->rx_agg_prod);
++ bnxt_db_write(bp, &rxr->rx_db, rxr->rx_prod);
+ bp->grp_info[grp_idx].agg_fw_ring_id = ring->fw_ring_id;
+ }
+ }
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Date: Sat, 17 Aug 2019 17:04:50 -0400
+Subject: bnxt_en: Suppress HWRM errors for HWRM_NVM_GET_VARIABLE command
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+[ Upstream commit b703ba751dbb4bcd086509ed4b28102bc1670b35 ]
+
+For newly added NVM parameters, older firmware may not have the support.
+Suppress the error message to avoid the unncessary error message which is
+triggered when devlink calls the driver during initialization.
+
+Fixes: 782a624d00fa ("bnxt_en: Add bnxt_en initial params table and register it.")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c
+@@ -98,10 +98,13 @@ static int bnxt_hwrm_nvm_req(struct bnxt
+ if (idx)
+ req->dimensions = cpu_to_le16(1);
+
+- if (req->req_type == cpu_to_le16(HWRM_NVM_SET_VARIABLE))
++ if (req->req_type == cpu_to_le16(HWRM_NVM_SET_VARIABLE)) {
+ memcpy(data_addr, buf, bytesize);
+-
+- rc = hwrm_send_message(bp, msg, msg_len, HWRM_CMD_TIMEOUT);
++ rc = hwrm_send_message(bp, msg, msg_len, HWRM_CMD_TIMEOUT);
++ } else {
++ rc = hwrm_send_message_silent(bp, msg, msg_len,
++ HWRM_CMD_TIMEOUT);
++ }
+ if (!rc && req->req_type == cpu_to_le16(HWRM_NVM_GET_VARIABLE))
+ memcpy(buf, data_addr, bytesize);
+
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Venkat Duvvuru <venkatkumar.duvvuru@broadcom.com>
+Date: Sat, 17 Aug 2019 17:04:51 -0400
+Subject: bnxt_en: Use correct src_fid to determine direction of the flow
+
+From: Venkat Duvvuru <venkatkumar.duvvuru@broadcom.com>
+
+[ Upstream commit 685ec6a81bb0d47faf1dba49437d5bdaede2733d ]
+
+Direction of the flow is determined using src_fid. For an RX flow,
+src_fid is PF's fid and for TX flow, src_fid is VF's fid. Direction
+of the flow must be specified, when getting statistics for that flow.
+Currently, for DECAP flow, direction is determined incorrectly, i.e.,
+direction is initialized as TX for DECAP flow, instead of RX. Because
+of which, stats are not reported for this DECAP flow, though it is
+offloaded and there is traffic for that flow, resulting in flow age out.
+
+This patch fixes the problem by determining the DECAP flow's direction
+using correct fid. Set the flow direction in all cases for consistency
+even if 64-bit flow handle is not used.
+
+Fixes: abd43a13525d ("bnxt_en: Support for 64-bit flow handle.")
+Signed-off-by: Venkat Duvvuru <venkatkumar.duvvuru@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c
+@@ -1285,9 +1285,7 @@ static int bnxt_tc_add_flow(struct bnxt
+ goto free_node;
+
+ bnxt_tc_set_src_fid(bp, flow, src_fid);
+-
+- if (bp->fw_cap & BNXT_FW_CAP_OVS_64BIT_HANDLE)
+- bnxt_tc_set_flow_dir(bp, flow, src_fid);
++ bnxt_tc_set_flow_dir(bp, flow, flow->src_fid);
+
+ if (!bnxt_tc_can_offload(bp, flow)) {
+ rc = -EOPNOTSUPP;
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 7 Aug 2019 10:19:59 +0800
+Subject: bonding: Add vlan tx offload to hw_enc_features
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit d595b03de2cb0bdf9bcdf35ff27840cc3a37158f ]
+
+As commit 30d8177e8ac7 ("bonding: Always enable vlan tx offload")
+said, we should always enable bonding's vlan tx offload, pass the
+vlan packets to the slave devices with vlan tci, let them to handle
+vlan implementation.
+
+Now if encapsulation protocols like VXLAN is used, skb->encapsulation
+may be set, then the packet is passed to vlan device which based on
+bonding device. However in netif_skb_features(), the check of
+hw_enc_features:
+
+ if (skb->encapsulation)
+ features &= dev->hw_enc_features;
+
+clears NETIF_F_HW_VLAN_CTAG_TX/NETIF_F_HW_VLAN_STAG_TX. This results
+in same issue in commit 30d8177e8ac7 like this:
+
+vlan_dev_hard_start_xmit
+ -->dev_queue_xmit
+ -->validate_xmit_skb
+ -->netif_skb_features //NETIF_F_HW_VLAN_CTAG_TX is cleared
+ -->validate_xmit_vlan
+ -->__vlan_hwaccel_push_inside //skb->tci is cleared
+...
+ --> bond_start_xmit
+ --> bond_xmit_hash //BOND_XMIT_POLICY_ENCAP34
+ --> __skb_flow_dissect // nhoff point to IP header
+ --> case htons(ETH_P_8021Q)
+ // skb_vlan_tag_present is false, so
+ vlan = __skb_header_pointer(skb, nhoff, sizeof(_vlan),
+ //vlan point to ip header wrongly
+
+Fixes: b2a103e6d0af ("bonding: convert to ndo_fix_features")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1113,6 +1113,8 @@ static void bond_compute_features(struct
+ done:
+ bond_dev->vlan_features = vlan_features;
+ bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL |
++ NETIF_F_HW_VLAN_CTAG_TX |
++ NETIF_F_HW_VLAN_STAG_TX |
+ NETIF_F_GSO_UDP_L4;
+ bond_dev->gso_max_segs = gso_max_segs;
+ netif_set_gso_max_size(bond_dev, gso_max_size);
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Sun, 11 Aug 2019 22:18:25 +0800
+Subject: net: dsa: Check existence of .port_mdb_add callback before calling it
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+[ Upstream commit 58799865be84e2a895dab72de0e1b996ed943f22 ]
+
+The dsa framework has optional .port_mdb_{prepare,add,del} callback fields
+for drivers to handle multicast database entries. When adding an entry, the
+framework goes through a prepare phase, then a commit phase. Drivers not
+providing these callbacks should be detected in the prepare phase.
+
+DSA core may still bypass the bridge layer and call the dsa_port_mdb_add
+function directly with no prepare phase or no switchdev trans object,
+and the framework ends up calling an undefined .port_mdb_add callback.
+This results in a NULL pointer dereference, as shown in the log below.
+
+The other functions seem to be properly guarded. Do the same for
+.port_mdb_add in dsa_switch_mdb_add_bitmap() as well.
+
+ 8<--- cut here ---
+ Unable to handle kernel NULL pointer dereference at virtual address 00000000
+ pgd = (ptrval)
+ [00000000] *pgd=00000000
+ Internal error: Oops: 80000005 [#1] SMP ARM
+ Modules linked in: rtl8xxxu rtl8192cu rtl_usb rtl8192c_common rtlwifi mac80211 cfg80211
+ CPU: 1 PID: 134 Comm: kworker/1:2 Not tainted 5.3.0-rc1-00247-gd3519030752a #1
+ Hardware name: Allwinner sun7i (A20) Family
+ Workqueue: events switchdev_deferred_process_work
+ PC is at 0x0
+ LR is at dsa_switch_event+0x570/0x620
+ pc : [<00000000>] lr : [<c08533ec>] psr: 80070013
+ sp : ee871db8 ip : 00000000 fp : ee98d0a4
+ r10: 0000000c r9 : 00000008 r8 : ee89f710
+ r7 : ee98d040 r6 : ee98d088 r5 : c0f04c48 r4 : ee98d04c
+ r3 : 00000000 r2 : ee89f710 r1 : 00000008 r0 : ee98d040
+ Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+ Control: 10c5387d Table: 6deb406a DAC: 00000051
+ Process kworker/1:2 (pid: 134, stack limit = 0x(ptrval))
+ Stack: (0xee871db8 to 0xee872000)
+ 1da0: ee871e14 103ace2d
+ 1dc0: 00000000 ffffffff 00000000 ee871e14 00000005 00000000 c08524a0 00000000
+ 1de0: ffffe000 c014bdfc c0f04c48 ee871e98 c0f04c48 ee9e5000 c0851120 c014bef0
+ 1e00: 00000000 b643aea2 ee9b4068 c08509a8 ee2bf940 ee89f710 ee871ecb 00000000
+ 1e20: 00000008 103ace2d 00000000 c087e248 ee29c868 103ace2d 00000001 ffffffff
+ 1e40: 00000000 ee871e98 00000006 00000000 c0fb2a50 c087e2d0 ffffffff c08523c4
+ 1e60: ffffffff c014bdfc 00000006 c0fad2d0 ee871e98 ee89f710 00000000 c014c500
+ 1e80: 00000000 ee89f3c0 c0f04c48 00000000 ee9e5000 c087dfb4 ee9e5000 00000000
+ 1ea0: ee89f710 ee871ecb 00000001 103ace2d 00000000 c0f04c48 00000000 c087e0a8
+ 1ec0: 00000000 efd9a3e0 0089f3c0 103ace2d ee89f700 ee89f710 ee9e5000 00000122
+ 1ee0: 00000100 c087e130 ee89f700 c0fad2c8 c1003ef0 c087de4c 2e928000 c0fad2ec
+ 1f00: c0fad2ec ee839580 ef7a62c0 ef7a9400 00000000 c087def8 c0fad2ec c01447dc
+ 1f20: ef315640 ef7a62c0 00000008 ee839580 ee839594 ef7a62c0 00000008 c0f03d00
+ 1f40: ef7a62d8 ef7a62c0 ffffe000 c0145b84 ffffe000 c0fb2420 c0bfaa8c 00000000
+ 1f60: ffffe000 ee84b600 ee84b5c0 00000000 ee870000 ee839580 c0145b40 ef0e5ea4
+ 1f80: ee84b61c c014a6f8 00000001 ee84b5c0 c014a5b0 00000000 00000000 00000000
+ 1fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000
+ 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
+ [<c08533ec>] (dsa_switch_event) from [<c014bdfc>] (notifier_call_chain+0x48/0x84)
+ [<c014bdfc>] (notifier_call_chain) from [<c014bef0>] (raw_notifier_call_chain+0x18/0x20)
+ [<c014bef0>] (raw_notifier_call_chain) from [<c08509a8>] (dsa_port_mdb_add+0x48/0x74)
+ [<c08509a8>] (dsa_port_mdb_add) from [<c087e248>] (__switchdev_handle_port_obj_add+0x54/0xd4)
+ [<c087e248>] (__switchdev_handle_port_obj_add) from [<c087e2d0>] (switchdev_handle_port_obj_add+0x8/0x14)
+ [<c087e2d0>] (switchdev_handle_port_obj_add) from [<c08523c4>] (dsa_slave_switchdev_blocking_event+0x94/0xa4)
+ [<c08523c4>] (dsa_slave_switchdev_blocking_event) from [<c014bdfc>] (notifier_call_chain+0x48/0x84)
+ [<c014bdfc>] (notifier_call_chain) from [<c014c500>] (blocking_notifier_call_chain+0x50/0x68)
+ [<c014c500>] (blocking_notifier_call_chain) from [<c087dfb4>] (switchdev_port_obj_notify+0x44/0xa8)
+ [<c087dfb4>] (switchdev_port_obj_notify) from [<c087e0a8>] (switchdev_port_obj_add_now+0x90/0x104)
+ [<c087e0a8>] (switchdev_port_obj_add_now) from [<c087e130>] (switchdev_port_obj_add_deferred+0x14/0x5c)
+ [<c087e130>] (switchdev_port_obj_add_deferred) from [<c087de4c>] (switchdev_deferred_process+0x64/0x104)
+ [<c087de4c>] (switchdev_deferred_process) from [<c087def8>] (switchdev_deferred_process_work+0xc/0x14)
+ [<c087def8>] (switchdev_deferred_process_work) from [<c01447dc>] (process_one_work+0x218/0x50c)
+ [<c01447dc>] (process_one_work) from [<c0145b84>] (worker_thread+0x44/0x5bc)
+ [<c0145b84>] (worker_thread) from [<c014a6f8>] (kthread+0x148/0x150)
+ [<c014a6f8>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
+ Exception stack(0xee871fb0 to 0xee871ff8)
+ 1fa0: 00000000 00000000 00000000 00000000
+ 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+ 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
+ Code: bad PC value
+ ---[ end trace 1292c61abd17b130 ]---
+
+ [<c08533ec>] (dsa_switch_event) from [<c014bdfc>] (notifier_call_chain+0x48/0x84)
+ corresponds to
+
+ $ arm-linux-gnueabihf-addr2line -C -i -e vmlinux c08533ec
+
+ linux/net/dsa/switch.c:156
+ linux/net/dsa/switch.c:178
+ linux/net/dsa/switch.c:328
+
+Fixes: e6db98db8a95 ("net: dsa: add switch mdb bitmap functions")
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/switch.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/dsa/switch.c
++++ b/net/dsa/switch.c
+@@ -153,6 +153,9 @@ static void dsa_switch_mdb_add_bitmap(st
+ {
+ int port;
+
++ if (!ds->ops->port_mdb_add)
++ return;
++
+ for_each_set_bit(port, bitmap, ds->num_ports)
+ ds->ops->port_mdb_add(ds, port, mdb);
+ }
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Mon, 12 Aug 2019 14:11:35 -0500
+Subject: net/mlx4_en: fix a memory leak bug
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+[ Upstream commit 48ec7014c56e5eb2fbf6f479896143622d834f3b ]
+
+In mlx4_en_config_rss_steer(), 'rss_map->indir_qp' is allocated through
+kzalloc(). After that, mlx4_qp_alloc() is invoked to configure RSS
+indirection. However, if mlx4_qp_alloc() fails, the allocated
+'rss_map->indir_qp' is not deallocated, leading to a memory leak bug.
+
+To fix the above issue, add the 'qp_alloc_err' label to free
+'rss_map->indir_qp'.
+
+Fixes: 4931c6ef04b4 ("net/mlx4_en: Optimized single ring steering")
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_rx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
+@@ -1187,7 +1187,7 @@ int mlx4_en_config_rss_steer(struct mlx4
+ err = mlx4_qp_alloc(mdev->dev, priv->base_qpn, rss_map->indir_qp);
+ if (err) {
+ en_err(priv, "Failed to allocate RSS indirection QP\n");
+- goto rss_err;
++ goto qp_alloc_err;
+ }
+
+ rss_map->indir_qp->event = mlx4_en_sqp_event;
+@@ -1241,6 +1241,7 @@ indir_err:
+ MLX4_QP_STATE_RST, NULL, 0, 0, rss_map->indir_qp);
+ mlx4_qp_remove(mdev->dev, rss_map->indir_qp);
+ mlx4_qp_free(mdev->dev, rss_map->indir_qp);
++qp_alloc_err:
+ kfree(rss_map->indir_qp);
+ rss_map->indir_qp = NULL;
+ rss_err:
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Mohamad Heib <mohamadh@mellanox.com>
+Date: Tue, 23 Apr 2019 21:13:48 +0300
+Subject: net/mlx5e: ethtool, Avoid setting speed to 56GBASE when autoneg off
+
+From: Mohamad Heib <mohamadh@mellanox.com>
+
+[ Upstream commit 5faf5b70c51dd9c9905bf8209e33cbd867486607 ]
+
+Setting speed to 56GBASE is allowed only with auto-negotiation enabled.
+
+This patch prevent setting speed to 56GBASE when auto-negotiation disabled.
+
+Fixes: f62b8bb8f2d3 ("net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality")
+Signed-off-by: Mohamad Heib <mohamadh@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -1060,6 +1060,14 @@ int mlx5e_ethtool_set_link_ksettings(str
+ link_modes = autoneg == AUTONEG_ENABLE ? ethtool2ptys_adver_func(adver) :
+ mlx5e_port_speed2linkmodes(mdev, speed, !ext);
+
++ if ((link_modes & MLX5E_PROT_MASK(MLX5E_56GBASE_R4)) &&
++ autoneg != AUTONEG_ENABLE) {
++ netdev_err(priv->netdev, "%s: 56G link speed requires autoneg enabled\n",
++ __func__);
++ err = -EINVAL;
++ goto out;
++ }
++
+ link_modes = link_modes & eproto.cap;
+ if (!link_modes) {
+ netdev_err(priv->netdev, "%s: Not supported link mode(s) requested",
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Aya Levin <ayal@mellanox.com>
+Date: Wed, 7 Aug 2019 15:59:06 +0300
+Subject: net/mlx5e: Fix false negative indication on tx reporter CQE recovery
+
+From: Aya Levin <ayal@mellanox.com>
+
+[ Upstream commit d9a2fcf53c76a7edb2bcf99e94507935561a83d5 ]
+
+Remove wrong error return value when SQ is not in error state.
+CQE recovery on TX reporter queries the sq state. If the sq is not in
+error state, the sq is either in ready or reset state. Ready state is
+good state which doesn't require recovery and reset state is a temporal
+state which ends in ready state. With this patch, CQE recovery in this
+scenario is successful.
+
+Fixes: de8650a82071 ("net/mlx5e: Add tx reporter support")
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
+@@ -86,10 +86,8 @@ static int mlx5e_tx_reporter_err_cqe_rec
+ return err;
+ }
+
+- if (state != MLX5_SQC_STATE_ERR) {
+- netdev_err(dev, "SQ 0x%x not in ERROR state\n", sq->sqn);
+- return -EINVAL;
+- }
++ if (state != MLX5_SQC_STATE_ERR)
++ return 0;
+
+ mlx5e_tx_disable_queue(sq->txq);
+
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Huy Nguyen <huyn@mellanox.com>
+Date: Thu, 1 Aug 2019 11:10:19 -0500
+Subject: net/mlx5e: Only support tx/rx pause setting for port owner
+
+From: Huy Nguyen <huyn@mellanox.com>
+
+[ Upstream commit 466df6eb4a9e813b3cfc674363316450c57a89c5 ]
+
+Only support changing tx/rx pause frame setting if the net device
+is the vport group manager.
+
+Fixes: 3c2d18ef22df ("net/mlx5e: Support ethtool get/set_pauseparam")
+Signed-off-by: Huy Nguyen <huyn@mellanox.com>
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -1317,6 +1317,9 @@ int mlx5e_ethtool_set_pauseparam(struct
+ struct mlx5_core_dev *mdev = priv->mdev;
+ int err;
+
++ if (!MLX5_CAP_GEN(mdev, vport_group_manager))
++ return -EOPNOTSUPP;
++
+ if (pauseparam->autoneg)
+ return -EINVAL;
+
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Aya Levin <ayal@mellanox.com>
+Date: Thu, 8 Aug 2019 15:55:48 +0300
+Subject: net/mlx5e: Remove redundant check in CQE recovery flow of tx reporter
+
+From: Aya Levin <ayal@mellanox.com>
+
+[ Upstream commit a4e508cab623951dc4754f346e5673714f3bbade ]
+
+Remove check of recovery bit, in the beginning of the CQE recovery
+function. This test is already performed right before the reporter
+is invoked, when CQE error is detected.
+
+Fixes: de8650a82071 ("net/mlx5e: Add tx reporter support")
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/reporter_tx.c
+@@ -76,9 +76,6 @@ static int mlx5e_tx_reporter_err_cqe_rec
+ u8 state;
+ int err;
+
+- if (!test_bit(MLX5E_SQ_STATE_RECOVERING, &sq->state))
+- return 0;
+-
+ err = mlx5_core_query_sq_state(mdev, sq->sqn, &state);
+ if (err) {
+ netdev_err(dev, "Failed to query SQ 0x%x state. err = %d\n",
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Maxim Mikityanskiy <maximmi@mellanox.com>
+Date: Fri, 5 Jul 2019 17:59:28 +0300
+Subject: net/mlx5e: Use flow keys dissector to parse packets for ARFS
+
+From: Maxim Mikityanskiy <maximmi@mellanox.com>
+
+[ Upstream commit 405b93eb764367a670e729da18e54dc42db32620 ]
+
+The current ARFS code relies on certain fields to be set in the SKB
+(e.g. transport_header) and extracts IP addresses and ports by custom
+code that parses the packet. The necessary SKB fields, however, are not
+always set at that point, which leads to an out-of-bounds access. Use
+skb_flow_dissect_flow_keys() to get the necessary information reliably,
+fix the out-of-bounds access and reuse the code.
+
+Fixes: 18c908e477dc ("net/mlx5e: Add accelerated RFS support")
+Signed-off-by: Maxim Mikityanskiy <maximmi@mellanox.com>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c | 97 +++++++---------------
+ 1 file changed, 34 insertions(+), 63 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c
+@@ -437,12 +437,6 @@ arfs_hash_bucket(struct arfs_table *arfs
+ return &arfs_t->rules_hash[bucket_idx];
+ }
+
+-static u8 arfs_get_ip_proto(const struct sk_buff *skb)
+-{
+- return (skb->protocol == htons(ETH_P_IP)) ?
+- ip_hdr(skb)->protocol : ipv6_hdr(skb)->nexthdr;
+-}
+-
+ static struct arfs_table *arfs_get_table(struct mlx5e_arfs_tables *arfs,
+ u8 ip_proto, __be16 etype)
+ {
+@@ -602,31 +596,9 @@ out:
+ arfs_may_expire_flow(priv);
+ }
+
+-/* return L4 destination port from ip4/6 packets */
+-static __be16 arfs_get_dst_port(const struct sk_buff *skb)
+-{
+- char *transport_header;
+-
+- transport_header = skb_transport_header(skb);
+- if (arfs_get_ip_proto(skb) == IPPROTO_TCP)
+- return ((struct tcphdr *)transport_header)->dest;
+- return ((struct udphdr *)transport_header)->dest;
+-}
+-
+-/* return L4 source port from ip4/6 packets */
+-static __be16 arfs_get_src_port(const struct sk_buff *skb)
+-{
+- char *transport_header;
+-
+- transport_header = skb_transport_header(skb);
+- if (arfs_get_ip_proto(skb) == IPPROTO_TCP)
+- return ((struct tcphdr *)transport_header)->source;
+- return ((struct udphdr *)transport_header)->source;
+-}
+-
+ static struct arfs_rule *arfs_alloc_rule(struct mlx5e_priv *priv,
+ struct arfs_table *arfs_t,
+- const struct sk_buff *skb,
++ const struct flow_keys *fk,
+ u16 rxq, u32 flow_id)
+ {
+ struct arfs_rule *rule;
+@@ -641,19 +613,19 @@ static struct arfs_rule *arfs_alloc_rule
+ INIT_WORK(&rule->arfs_work, arfs_handle_work);
+
+ tuple = &rule->tuple;
+- tuple->etype = skb->protocol;
++ tuple->etype = fk->basic.n_proto;
++ tuple->ip_proto = fk->basic.ip_proto;
+ if (tuple->etype == htons(ETH_P_IP)) {
+- tuple->src_ipv4 = ip_hdr(skb)->saddr;
+- tuple->dst_ipv4 = ip_hdr(skb)->daddr;
++ tuple->src_ipv4 = fk->addrs.v4addrs.src;
++ tuple->dst_ipv4 = fk->addrs.v4addrs.dst;
+ } else {
+- memcpy(&tuple->src_ipv6, &ipv6_hdr(skb)->saddr,
++ memcpy(&tuple->src_ipv6, &fk->addrs.v6addrs.src,
+ sizeof(struct in6_addr));
+- memcpy(&tuple->dst_ipv6, &ipv6_hdr(skb)->daddr,
++ memcpy(&tuple->dst_ipv6, &fk->addrs.v6addrs.dst,
+ sizeof(struct in6_addr));
+ }
+- tuple->ip_proto = arfs_get_ip_proto(skb);
+- tuple->src_port = arfs_get_src_port(skb);
+- tuple->dst_port = arfs_get_dst_port(skb);
++ tuple->src_port = fk->ports.src;
++ tuple->dst_port = fk->ports.dst;
+
+ rule->flow_id = flow_id;
+ rule->filter_id = priv->fs.arfs.last_filter_id++ % RPS_NO_FILTER;
+@@ -664,37 +636,33 @@ static struct arfs_rule *arfs_alloc_rule
+ return rule;
+ }
+
+-static bool arfs_cmp_ips(struct arfs_tuple *tuple,
+- const struct sk_buff *skb)
++static bool arfs_cmp(const struct arfs_tuple *tuple, const struct flow_keys *fk)
+ {
+- if (tuple->etype == htons(ETH_P_IP) &&
+- tuple->src_ipv4 == ip_hdr(skb)->saddr &&
+- tuple->dst_ipv4 == ip_hdr(skb)->daddr)
+- return true;
+- if (tuple->etype == htons(ETH_P_IPV6) &&
+- (!memcmp(&tuple->src_ipv6, &ipv6_hdr(skb)->saddr,
+- sizeof(struct in6_addr))) &&
+- (!memcmp(&tuple->dst_ipv6, &ipv6_hdr(skb)->daddr,
+- sizeof(struct in6_addr))))
+- return true;
++ if (tuple->src_port != fk->ports.src || tuple->dst_port != fk->ports.dst)
++ return false;
++ if (tuple->etype != fk->basic.n_proto)
++ return false;
++ if (tuple->etype == htons(ETH_P_IP))
++ return tuple->src_ipv4 == fk->addrs.v4addrs.src &&
++ tuple->dst_ipv4 == fk->addrs.v4addrs.dst;
++ if (tuple->etype == htons(ETH_P_IPV6))
++ return !memcmp(&tuple->src_ipv6, &fk->addrs.v6addrs.src,
++ sizeof(struct in6_addr)) &&
++ !memcmp(&tuple->dst_ipv6, &fk->addrs.v6addrs.dst,
++ sizeof(struct in6_addr));
+ return false;
+ }
+
+ static struct arfs_rule *arfs_find_rule(struct arfs_table *arfs_t,
+- const struct sk_buff *skb)
++ const struct flow_keys *fk)
+ {
+ struct arfs_rule *arfs_rule;
+ struct hlist_head *head;
+- __be16 src_port = arfs_get_src_port(skb);
+- __be16 dst_port = arfs_get_dst_port(skb);
+
+- head = arfs_hash_bucket(arfs_t, src_port, dst_port);
++ head = arfs_hash_bucket(arfs_t, fk->ports.src, fk->ports.dst);
+ hlist_for_each_entry(arfs_rule, head, hlist) {
+- if (arfs_rule->tuple.src_port == src_port &&
+- arfs_rule->tuple.dst_port == dst_port &&
+- arfs_cmp_ips(&arfs_rule->tuple, skb)) {
++ if (arfs_cmp(&arfs_rule->tuple, fk))
+ return arfs_rule;
+- }
+ }
+
+ return NULL;
+@@ -707,20 +675,24 @@ int mlx5e_rx_flow_steer(struct net_devic
+ struct mlx5e_arfs_tables *arfs = &priv->fs.arfs;
+ struct arfs_table *arfs_t;
+ struct arfs_rule *arfs_rule;
++ struct flow_keys fk;
++
++ if (!skb_flow_dissect_flow_keys(skb, &fk, 0))
++ return -EPROTONOSUPPORT;
+
+- if (skb->protocol != htons(ETH_P_IP) &&
+- skb->protocol != htons(ETH_P_IPV6))
++ if (fk.basic.n_proto != htons(ETH_P_IP) &&
++ fk.basic.n_proto != htons(ETH_P_IPV6))
+ return -EPROTONOSUPPORT;
+
+ if (skb->encapsulation)
+ return -EPROTONOSUPPORT;
+
+- arfs_t = arfs_get_table(arfs, arfs_get_ip_proto(skb), skb->protocol);
++ arfs_t = arfs_get_table(arfs, fk.basic.ip_proto, fk.basic.n_proto);
+ if (!arfs_t)
+ return -EPROTONOSUPPORT;
+
+ spin_lock_bh(&arfs->arfs_lock);
+- arfs_rule = arfs_find_rule(arfs_t, skb);
++ arfs_rule = arfs_find_rule(arfs_t, &fk);
+ if (arfs_rule) {
+ if (arfs_rule->rxq == rxq_index) {
+ spin_unlock_bh(&arfs->arfs_lock);
+@@ -728,8 +700,7 @@ int mlx5e_rx_flow_steer(struct net_devic
+ }
+ arfs_rule->rxq = rxq_index;
+ } else {
+- arfs_rule = arfs_alloc_rule(priv, arfs_t, skb,
+- rxq_index, flow_id);
++ arfs_rule = arfs_alloc_rule(priv, arfs_t, &fk, rxq_index, flow_id);
+ if (!arfs_rule) {
+ spin_unlock_bh(&arfs->arfs_lock);
+ return -ENOMEM;
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 14 Aug 2019 02:11:57 -0700
+Subject: net/packet: fix race in tpacket_snd()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 32d3182cd2cd29b2e7e04df7b0db350fbe11289f ]
+
+packet_sendmsg() checks tx_ring.pg_vec to decide
+if it must call tpacket_snd().
+
+Problem is that the check is lockless, meaning another thread
+can issue a concurrent setsockopt(PACKET_TX_RING ) to flip
+tx_ring.pg_vec back to NULL.
+
+Given that tpacket_snd() grabs pg_vec_lock mutex, we can
+perform the check again to solve the race.
+
+syzbot reported :
+
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
+Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00
+RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c
+RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50
+R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000
+R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000
+FS: 00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ packet_current_frame net/packet/af_packet.c:487 [inline]
+ tpacket_snd net/packet/af_packet.c:2667 [inline]
+ packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0xd7/0x130 net/socket.c:657
+ ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
+ __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
+ __do_sys_sendmmsg net/socket.c:2442 [inline]
+ __se_sys_sendmmsg net/socket.c:2439 [inline]
+ __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
+ do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2607,6 +2607,13 @@ static int tpacket_snd(struct packet_soc
+
+ mutex_lock(&po->pg_vec_lock);
+
++ /* packet_sendmsg() check on tx_ring.pg_vec was lockless,
++ * we need to confirm it under protection of pg_vec_lock.
++ */
++ if (unlikely(!po->tx_ring.pg_vec)) {
++ err = -EBUSY;
++ goto out;
++ }
+ if (likely(saddr == NULL)) {
+ dev = packet_cached_dev_get(po);
+ proto = po->num;
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Mon, 12 Aug 2019 21:20:02 +0200
+Subject: net: phy: consider AN_RESTART status when reading link status
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit c36757eb9dee13681227ad3676d37f14b3a2b2af ]
+
+After configuring and restarting aneg we immediately try to read the
+link status. On some systems the PHY may not yet have cleared the
+"aneg complete" and "link up" bits, resulting in a false link-up
+signal. See [0] for a report.
+Clause 22 and 45 both require the PHY to keep the AN_RESTART
+bit set until the PHY actually starts auto-negotiation.
+Let's consider this in the generic functions for reading link status.
+The commit marked as fixed is the first one where the patch applies
+cleanly.
+
+[0] https://marc.info/?t=156518400300003&r=1&w=2
+
+Fixes: c1164bb1a631 ("net: phy: check PMAPMD link status only in genphy_c45_read_link")
+Tested-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phy-c45.c | 14 ++++++++++++++
+ drivers/net/phy/phy_device.c | 12 +++++++++++-
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/phy-c45.c
++++ b/drivers/net/phy/phy-c45.c
+@@ -219,6 +219,20 @@ int genphy_c45_read_link(struct phy_devi
+ int val, devad;
+ bool link = true;
+
++ if (phydev->c45_ids.devices_in_package & MDIO_DEVS_AN) {
++ val = phy_read_mmd(phydev, MDIO_MMD_AN, MDIO_CTRL1);
++ if (val < 0)
++ return val;
++
++ /* Autoneg is being started, therefore disregard current
++ * link status and report link as down.
++ */
++ if (val & MDIO_AN_CTRL1_RESTART) {
++ phydev->link = 0;
++ return 0;
++ }
++ }
++
+ while (mmd_mask && link) {
+ devad = __ffs(mmd_mask);
+ mmd_mask &= ~BIT(devad);
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -1708,7 +1708,17 @@ EXPORT_SYMBOL(genphy_aneg_done);
+ */
+ int genphy_update_link(struct phy_device *phydev)
+ {
+- int status;
++ int status = 0, bmcr;
++
++ bmcr = phy_read(phydev, MII_BMCR);
++ if (bmcr < 0)
++ return bmcr;
++
++ /* Autoneg is being started, therefore disregard BMSR value and
++ * report link as down.
++ */
++ if (bmcr & BMCR_ANRESTART)
++ goto done;
+
+ /* The link state is latched low so that momentary link
+ * drops can be detected. Do not double-read the status
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+Date: Wed, 7 Aug 2019 01:45:40 +0300
+Subject: net: sched: sch_taprio: fix memleak in error path for sched list parse
+
+From: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+
+[ Upstream commit 51650d33b2771acd505068da669cf85cffac369a ]
+
+In error case, all entries should be freed from the sched list
+before deleting it. For simplicity use rcu way.
+
+Fixes: 5a781ccbd19e46 ("tc: Add support for configuring the taprio scheduler")
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_taprio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_taprio.c
++++ b/net/sched/sch_taprio.c
+@@ -849,7 +849,8 @@ unlock:
+ spin_unlock_bh(qdisc_lock(sch));
+
+ free_sched:
+- kfree(new_admin);
++ if (new_admin)
++ call_rcu(&new_admin->rcu, taprio_free_sched_cb);
+
+ return err;
+ }
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Roman Mashak <mrv@mojatatu.com>
+Date: Wed, 7 Aug 2019 15:57:28 -0400
+Subject: net sched: update skbedit action for batched events operations
+
+From: Roman Mashak <mrv@mojatatu.com>
+
+[ Upstream commit e1fea322fc6d4075254ca9c5f2afdace0281da2a ]
+
+Add get_fill_size() routine used to calculate the action size
+when building a batch of events.
+
+Fixes: ca9b0e27e ("pkt_action: add new action skbedit")
+Signed-off-by: Roman Mashak <mrv@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_skbedit.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/net/sched/act_skbedit.c
++++ b/net/sched/act_skbedit.c
+@@ -307,6 +307,17 @@ static int tcf_skbedit_search(struct net
+ return tcf_idr_search(tn, a, index);
+ }
+
++static size_t tcf_skbedit_get_fill_size(const struct tc_action *act)
++{
++ return nla_total_size(sizeof(struct tc_skbedit))
++ + nla_total_size(sizeof(u32)) /* TCA_SKBEDIT_PRIORITY */
++ + nla_total_size(sizeof(u16)) /* TCA_SKBEDIT_QUEUE_MAPPING */
++ + nla_total_size(sizeof(u32)) /* TCA_SKBEDIT_MARK */
++ + nla_total_size(sizeof(u16)) /* TCA_SKBEDIT_PTYPE */
++ + nla_total_size(sizeof(u32)) /* TCA_SKBEDIT_MASK */
++ + nla_total_size_64bit(sizeof(u64)); /* TCA_SKBEDIT_FLAGS */
++}
++
+ static struct tc_action_ops act_skbedit_ops = {
+ .kind = "skbedit",
+ .id = TCA_ID_SKBEDIT,
+@@ -316,6 +327,7 @@ static struct tc_action_ops act_skbedit_
+ .init = tcf_skbedit_init,
+ .cleanup = tcf_skbedit_cleanup,
+ .walk = tcf_skbedit_walker,
++ .get_fill_size = tcf_skbedit_get_fill_size,
+ .lookup = tcf_skbedit_search,
+ .size = sizeof(struct tcf_skbedit),
+ };
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+Date: Wed, 7 Aug 2019 17:03:59 -0700
+Subject: net/tls: prevent skb_orphan() from leaking TLS plain text with offload
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+[ Upstream commit 414776621d1006e57e80e6db7fdc3837897aaa64 ]
+
+sk_validate_xmit_skb() and drivers depend on the sk member of
+struct sk_buff to identify segments requiring encryption.
+Any operation which removes or does not preserve the original TLS
+socket such as skb_orphan() or skb_clone() will cause clear text
+leaks.
+
+Make the TCP socket underlying an offloaded TLS connection
+mark all skbs as decrypted, if TLS TX is in offload mode.
+Then in sk_validate_xmit_skb() catch skbs which have no socket
+(or a socket with no validation) and decrypted flag set.
+
+Note that CONFIG_SOCK_VALIDATE_XMIT, CONFIG_TLS_DEVICE and
+sk->sk_validate_xmit_skb are slightly interchangeable right now,
+they all imply TLS offload. The new checks are guarded by
+CONFIG_TLS_DEVICE because that's the option guarding the
+sk_buff->decrypted member.
+
+Second, smaller issue with orphaning is that it breaks
+the guarantee that packets will be delivered to device
+queues in-order. All TLS offload drivers depend on that
+scheduling property. This means skb_orphan_partial()'s
+trick of preserving partial socket references will cause
+issues in the drivers. We need a full orphan, and as a
+result netem delay/throttling will cause all TLS offload
+skbs to be dropped.
+
+Reusing the sk_buff->decrypted flag also protects from
+leaking clear text when incoming, decrypted skb is redirected
+(e.g. by TC).
+
+See commit 0608c69c9a80 ("bpf: sk_msg, sock{map|hash} redirect
+through ULP") for justification why the internal flag is safe.
+The only location which could leak the flag in is tcp_bpf_sendmsg(),
+which is taken care of by clearing the previously unused bit.
+
+v2:
+ - remove superfluous decrypted mark copy (Willem);
+ - remove the stale doc entry (Boris);
+ - rely entirely on EOR marking to prevent coalescing (Boris);
+ - use an internal sendpages flag instead of marking the socket
+ (Boris).
+v3 (Willem):
+ - reorganize the can_skb_orphan_partial() condition;
+ - fix the flag leak-in through tcp_bpf_sendmsg.
+
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Boris Pismenny <borisp@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/networking/tls-offload.rst | 18 ------------------
+ include/linux/skbuff.h | 8 ++++++++
+ include/linux/socket.h | 3 +++
+ include/net/sock.h | 10 +++++++++-
+ net/core/sock.c | 19 ++++++++++++++-----
+ net/ipv4/tcp.c | 3 +++
+ net/ipv4/tcp_bpf.c | 6 +++++-
+ net/ipv4/tcp_output.c | 3 +++
+ net/tls/tls_device.c | 9 +++++++--
+ 9 files changed, 52 insertions(+), 27 deletions(-)
+
+--- a/Documentation/networking/tls-offload.rst
++++ b/Documentation/networking/tls-offload.rst
+@@ -445,24 +445,6 @@ These flags will be acted upon according
+ TLS device feature flags only control adding of new TLS connection
+ offloads, old connections will remain active after flags are cleared.
+
+-Known bugs
+-==========
+-
+-skb_orphan() leaks clear text
+------------------------------
+-
+-Currently drivers depend on the :c:member:`sk` member of
+-:c:type:`struct sk_buff <sk_buff>` to identify segments requiring
+-encryption. Any operation which removes or does not preserve the socket
+-association such as :c:func:`skb_orphan` or :c:func:`skb_clone`
+-will cause the driver to miss the packets and lead to clear text leaks.
+-
+-Redirects leak clear text
+--------------------------
+-
+-In the RX direction, if segment has already been decrypted by the device
+-and it gets redirected or mirrored - clear text will be transmitted out.
+-
+ .. _pre_tls_data:
+
+ Transmission of pre-TLS data
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1358,6 +1358,14 @@ static inline void skb_copy_hash(struct
+ to->l4_hash = from->l4_hash;
+ };
+
++static inline void skb_copy_decrypted(struct sk_buff *to,
++ const struct sk_buff *from)
++{
++#ifdef CONFIG_TLS_DEVICE
++ to->decrypted = from->decrypted;
++#endif
++}
++
+ #ifdef NET_SKBUFF_DATA_USES_OFFSET
+ static inline unsigned char *skb_end_pointer(const struct sk_buff *skb)
+ {
+--- a/include/linux/socket.h
++++ b/include/linux/socket.h
+@@ -291,6 +291,9 @@ struct ucred {
+ #define MSG_BATCH 0x40000 /* sendmmsg(): more messages coming */
+ #define MSG_EOF MSG_FIN
+ #define MSG_NO_SHARED_FRAGS 0x80000 /* sendpage() internal : page frags are not shared */
++#define MSG_SENDPAGE_DECRYPTED 0x100000 /* sendpage() internal : page may carry
++ * plain text and require encryption
++ */
+
+ #define MSG_ZEROCOPY 0x4000000 /* Use user data in kernel path */
+ #define MSG_FASTOPEN 0x20000000 /* Send data in TCP SYN */
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -2482,6 +2482,7 @@ static inline bool sk_fullsock(const str
+
+ /* Checks if this SKB belongs to an HW offloaded socket
+ * and whether any SW fallbacks are required based on dev.
++ * Check decrypted mark in case skb_orphan() cleared socket.
+ */
+ static inline struct sk_buff *sk_validate_xmit_skb(struct sk_buff *skb,
+ struct net_device *dev)
+@@ -2489,8 +2490,15 @@ static inline struct sk_buff *sk_validat
+ #ifdef CONFIG_SOCK_VALIDATE_XMIT
+ struct sock *sk = skb->sk;
+
+- if (sk && sk_fullsock(sk) && sk->sk_validate_xmit_skb)
++ if (sk && sk_fullsock(sk) && sk->sk_validate_xmit_skb) {
+ skb = sk->sk_validate_xmit_skb(sk, dev, skb);
++#ifdef CONFIG_TLS_DEVICE
++ } else if (unlikely(skb->decrypted)) {
++ pr_warn_ratelimited("unencrypted skb with no associated socket - dropping\n");
++ kfree_skb(skb);
++ skb = NULL;
++#endif
++ }
+ #endif
+
+ return skb;
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1988,6 +1988,19 @@ void skb_set_owner_w(struct sk_buff *skb
+ }
+ EXPORT_SYMBOL(skb_set_owner_w);
+
++static bool can_skb_orphan_partial(const struct sk_buff *skb)
++{
++#ifdef CONFIG_TLS_DEVICE
++ /* Drivers depend on in-order delivery for crypto offload,
++ * partial orphan breaks out-of-order-OK logic.
++ */
++ if (skb->decrypted)
++ return false;
++#endif
++ return (skb->destructor == sock_wfree ||
++ (IS_ENABLED(CONFIG_INET) && skb->destructor == tcp_wfree));
++}
++
+ /* This helper is used by netem, as it can hold packets in its
+ * delay queue. We want to allow the owner socket to send more
+ * packets, as if they were already TX completed by a typical driver.
+@@ -1999,11 +2012,7 @@ void skb_orphan_partial(struct sk_buff *
+ if (skb_is_tcp_pure_ack(skb))
+ return;
+
+- if (skb->destructor == sock_wfree
+-#ifdef CONFIG_INET
+- || skb->destructor == tcp_wfree
+-#endif
+- ) {
++ if (can_skb_orphan_partial(skb)) {
+ struct sock *sk = skb->sk;
+
+ if (refcount_inc_not_zero(&sk->sk_refcnt)) {
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -984,6 +984,9 @@ new_segment:
+ if (!skb)
+ goto wait_for_memory;
+
++#ifdef CONFIG_TLS_DEVICE
++ skb->decrypted = !!(flags & MSG_SENDPAGE_DECRYPTED);
++#endif
+ skb_entail(sk, skb);
+ copy = size_goal;
+ }
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -398,10 +398,14 @@ more_data:
+ static int tcp_bpf_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
+ {
+ struct sk_msg tmp, *msg_tx = NULL;
+- int flags = msg->msg_flags | MSG_NO_SHARED_FRAGS;
+ int copied = 0, err = 0;
+ struct sk_psock *psock;
+ long timeo;
++ int flags;
++
++ /* Don't let internal do_tcp_sendpages() flags through */
++ flags = (msg->msg_flags & ~MSG_SENDPAGE_DECRYPTED);
++ flags |= MSG_NO_SHARED_FRAGS;
+
+ psock = sk_psock_get(sk);
+ if (unlikely(!psock))
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1318,6 +1318,7 @@ int tcp_fragment(struct sock *sk, enum t
+ buff = sk_stream_alloc_skb(sk, nsize, gfp, true);
+ if (!buff)
+ return -ENOMEM; /* We'll just try again later. */
++ skb_copy_decrypted(buff, skb);
+
+ sk->sk_wmem_queued += buff->truesize;
+ sk_mem_charge(sk, buff->truesize);
+@@ -1872,6 +1873,7 @@ static int tso_fragment(struct sock *sk,
+ buff = sk_stream_alloc_skb(sk, 0, gfp, true);
+ if (unlikely(!buff))
+ return -ENOMEM;
++ skb_copy_decrypted(buff, skb);
+
+ sk->sk_wmem_queued += buff->truesize;
+ sk_mem_charge(sk, buff->truesize);
+@@ -2141,6 +2143,7 @@ static int tcp_mtu_probe(struct sock *sk
+ sk_mem_charge(sk, nskb->truesize);
+
+ skb = tcp_send_head(sk);
++ skb_copy_decrypted(nskb, skb);
+
+ TCP_SKB_CB(nskb)->seq = TCP_SKB_CB(skb)->seq;
+ TCP_SKB_CB(nskb)->end_seq = TCP_SKB_CB(skb)->seq + probe_size;
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -342,9 +342,9 @@ static int tls_push_data(struct sock *sk
+ struct tls_context *tls_ctx = tls_get_ctx(sk);
+ struct tls_prot_info *prot = &tls_ctx->prot_info;
+ struct tls_offload_context_tx *ctx = tls_offload_ctx_tx(tls_ctx);
+- int tls_push_record_flags = flags | MSG_SENDPAGE_NOTLAST;
+ int more = flags & (MSG_SENDPAGE_NOTLAST | MSG_MORE);
+ struct tls_record_info *record = ctx->open_record;
++ int tls_push_record_flags;
+ struct page_frag *pfrag;
+ size_t orig_size = size;
+ u32 max_open_record_len;
+@@ -359,6 +359,9 @@ static int tls_push_data(struct sock *sk
+ if (sk->sk_err)
+ return -sk->sk_err;
+
++ flags |= MSG_SENDPAGE_DECRYPTED;
++ tls_push_record_flags = flags | MSG_SENDPAGE_NOTLAST;
++
+ timeo = sock_sndtimeo(sk, flags & MSG_DONTWAIT);
+ if (tls_is_partially_sent_record(tls_ctx)) {
+ rc = tls_push_partial_record(sk, tls_ctx, flags);
+@@ -545,7 +548,9 @@ void tls_device_write_space(struct sock
+ gfp_t sk_allocation = sk->sk_allocation;
+
+ sk->sk_allocation = GFP_ATOMIC;
+- tls_push_partial_record(sk, ctx, MSG_DONTWAIT | MSG_NOSIGNAL);
++ tls_push_partial_record(sk, ctx,
++ MSG_DONTWAIT | MSG_NOSIGNAL |
++ MSG_SENDPAGE_DECRYPTED);
+ sk->sk_allocation = sk_allocation;
+ }
+ }
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: David Ahern <dsahern@gmail.com>
+Date: Tue, 6 Aug 2019 12:15:17 -0700
+Subject: netdevsim: Restore per-network namespace accounting for fib entries
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit 59c84b9fcf42c99a945d5fdc49220d854e539690 ]
+
+Prior to the commit in the fixes tag, the resource controller in netdevsim
+tracked fib entries and rules per network namespace. Restore that behavior.
+
+Fixes: 5fc494225c1e ("netdevsim: create devlink instance per netdevsim instance")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/netdevsim/dev.c | 63 +++++++++--------------
+ drivers/net/netdevsim/fib.c | 102 ++++++++++++++++++++++----------------
+ drivers/net/netdevsim/netdev.c | 9 ++-
+ drivers/net/netdevsim/netdevsim.h | 10 +--
+ 4 files changed, 98 insertions(+), 86 deletions(-)
+
+--- a/drivers/net/netdevsim/dev.c
++++ b/drivers/net/netdevsim/dev.c
+@@ -71,46 +71,47 @@ static void nsim_dev_port_debugfs_exit(s
+ debugfs_remove_recursive(nsim_dev_port->ddir);
+ }
+
++static struct net *nsim_devlink_net(struct devlink *devlink)
++{
++ return &init_net;
++}
++
+ static u64 nsim_dev_ipv4_fib_resource_occ_get(void *priv)
+ {
+- struct nsim_dev *nsim_dev = priv;
++ struct net *net = priv;
+
+- return nsim_fib_get_val(nsim_dev->fib_data,
+- NSIM_RESOURCE_IPV4_FIB, false);
++ return nsim_fib_get_val(net, NSIM_RESOURCE_IPV4_FIB, false);
+ }
+
+ static u64 nsim_dev_ipv4_fib_rules_res_occ_get(void *priv)
+ {
+- struct nsim_dev *nsim_dev = priv;
++ struct net *net = priv;
+
+- return nsim_fib_get_val(nsim_dev->fib_data,
+- NSIM_RESOURCE_IPV4_FIB_RULES, false);
++ return nsim_fib_get_val(net, NSIM_RESOURCE_IPV4_FIB_RULES, false);
+ }
+
+ static u64 nsim_dev_ipv6_fib_resource_occ_get(void *priv)
+ {
+- struct nsim_dev *nsim_dev = priv;
++ struct net *net = priv;
+
+- return nsim_fib_get_val(nsim_dev->fib_data,
+- NSIM_RESOURCE_IPV6_FIB, false);
++ return nsim_fib_get_val(net, NSIM_RESOURCE_IPV6_FIB, false);
+ }
+
+ static u64 nsim_dev_ipv6_fib_rules_res_occ_get(void *priv)
+ {
+- struct nsim_dev *nsim_dev = priv;
++ struct net *net = priv;
+
+- return nsim_fib_get_val(nsim_dev->fib_data,
+- NSIM_RESOURCE_IPV6_FIB_RULES, false);
++ return nsim_fib_get_val(net, NSIM_RESOURCE_IPV6_FIB_RULES, false);
+ }
+
+ static int nsim_dev_resources_register(struct devlink *devlink)
+ {
+- struct nsim_dev *nsim_dev = devlink_priv(devlink);
+ struct devlink_resource_size_params params = {
+ .size_max = (u64)-1,
+ .size_granularity = 1,
+ .unit = DEVLINK_RESOURCE_UNIT_ENTRY
+ };
++ struct net *net = nsim_devlink_net(devlink);
+ int err;
+ u64 n;
+
+@@ -124,8 +125,7 @@ static int nsim_dev_resources_register(s
+ goto out;
+ }
+
+- n = nsim_fib_get_val(nsim_dev->fib_data,
+- NSIM_RESOURCE_IPV4_FIB, true);
++ n = nsim_fib_get_val(net, NSIM_RESOURCE_IPV4_FIB, true);
+ err = devlink_resource_register(devlink, "fib", n,
+ NSIM_RESOURCE_IPV4_FIB,
+ NSIM_RESOURCE_IPV4, ¶ms);
+@@ -134,8 +134,7 @@ static int nsim_dev_resources_register(s
+ return err;
+ }
+
+- n = nsim_fib_get_val(nsim_dev->fib_data,
+- NSIM_RESOURCE_IPV4_FIB_RULES, true);
++ n = nsim_fib_get_val(net, NSIM_RESOURCE_IPV4_FIB_RULES, true);
+ err = devlink_resource_register(devlink, "fib-rules", n,
+ NSIM_RESOURCE_IPV4_FIB_RULES,
+ NSIM_RESOURCE_IPV4, ¶ms);
+@@ -154,8 +153,7 @@ static int nsim_dev_resources_register(s
+ goto out;
+ }
+
+- n = nsim_fib_get_val(nsim_dev->fib_data,
+- NSIM_RESOURCE_IPV6_FIB, true);
++ n = nsim_fib_get_val(net, NSIM_RESOURCE_IPV6_FIB, true);
+ err = devlink_resource_register(devlink, "fib", n,
+ NSIM_RESOURCE_IPV6_FIB,
+ NSIM_RESOURCE_IPV6, ¶ms);
+@@ -164,8 +162,7 @@ static int nsim_dev_resources_register(s
+ return err;
+ }
+
+- n = nsim_fib_get_val(nsim_dev->fib_data,
+- NSIM_RESOURCE_IPV6_FIB_RULES, true);
++ n = nsim_fib_get_val(net, NSIM_RESOURCE_IPV6_FIB_RULES, true);
+ err = devlink_resource_register(devlink, "fib-rules", n,
+ NSIM_RESOURCE_IPV6_FIB_RULES,
+ NSIM_RESOURCE_IPV6, ¶ms);
+@@ -177,19 +174,19 @@ static int nsim_dev_resources_register(s
+ devlink_resource_occ_get_register(devlink,
+ NSIM_RESOURCE_IPV4_FIB,
+ nsim_dev_ipv4_fib_resource_occ_get,
+- nsim_dev);
++ net);
+ devlink_resource_occ_get_register(devlink,
+ NSIM_RESOURCE_IPV4_FIB_RULES,
+ nsim_dev_ipv4_fib_rules_res_occ_get,
+- nsim_dev);
++ net);
+ devlink_resource_occ_get_register(devlink,
+ NSIM_RESOURCE_IPV6_FIB,
+ nsim_dev_ipv6_fib_resource_occ_get,
+- nsim_dev);
++ net);
+ devlink_resource_occ_get_register(devlink,
+ NSIM_RESOURCE_IPV6_FIB_RULES,
+ nsim_dev_ipv6_fib_rules_res_occ_get,
+- nsim_dev);
++ net);
+ out:
+ return err;
+ }
+@@ -197,11 +194,11 @@ out:
+ static int nsim_dev_reload(struct devlink *devlink,
+ struct netlink_ext_ack *extack)
+ {
+- struct nsim_dev *nsim_dev = devlink_priv(devlink);
+ enum nsim_resource_id res_ids[] = {
+ NSIM_RESOURCE_IPV4_FIB, NSIM_RESOURCE_IPV4_FIB_RULES,
+ NSIM_RESOURCE_IPV6_FIB, NSIM_RESOURCE_IPV6_FIB_RULES
+ };
++ struct net *net = nsim_devlink_net(devlink);
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(res_ids); ++i) {
+@@ -210,8 +207,7 @@ static int nsim_dev_reload(struct devlin
+
+ err = devlink_resource_size_get(devlink, res_ids[i], &val);
+ if (!err) {
+- err = nsim_fib_set_max(nsim_dev->fib_data,
+- res_ids[i], val, extack);
++ err = nsim_fib_set_max(net, res_ids[i], val, extack);
+ if (err)
+ return err;
+ }
+@@ -241,15 +237,9 @@ nsim_dev_create(struct nsim_bus_dev *nsi
+ INIT_LIST_HEAD(&nsim_dev->port_list);
+ mutex_init(&nsim_dev->port_list_lock);
+
+- nsim_dev->fib_data = nsim_fib_create();
+- if (IS_ERR(nsim_dev->fib_data)) {
+- err = PTR_ERR(nsim_dev->fib_data);
+- goto err_devlink_free;
+- }
+-
+ err = nsim_dev_resources_register(devlink);
+ if (err)
+- goto err_fib_destroy;
++ goto err_devlink_free;
+
+ err = devlink_register(devlink, &nsim_bus_dev->dev);
+ if (err)
+@@ -271,8 +261,6 @@ err_dl_unregister:
+ devlink_unregister(devlink);
+ err_resources_unregister:
+ devlink_resources_unregister(devlink, NULL);
+-err_fib_destroy:
+- nsim_fib_destroy(nsim_dev->fib_data);
+ err_devlink_free:
+ devlink_free(devlink);
+ return ERR_PTR(err);
+@@ -286,7 +274,6 @@ static void nsim_dev_destroy(struct nsim
+ nsim_dev_debugfs_exit(nsim_dev);
+ devlink_unregister(devlink);
+ devlink_resources_unregister(devlink, NULL);
+- nsim_fib_destroy(nsim_dev->fib_data);
+ mutex_destroy(&nsim_dev->port_list_lock);
+ devlink_free(devlink);
+ }
+--- a/drivers/net/netdevsim/fib.c
++++ b/drivers/net/netdevsim/fib.c
+@@ -18,6 +18,7 @@
+ #include <net/ip_fib.h>
+ #include <net/ip6_fib.h>
+ #include <net/fib_rules.h>
++#include <net/netns/generic.h>
+
+ #include "netdevsim.h"
+
+@@ -32,14 +33,15 @@ struct nsim_per_fib_data {
+ };
+
+ struct nsim_fib_data {
+- struct notifier_block fib_nb;
+ struct nsim_per_fib_data ipv4;
+ struct nsim_per_fib_data ipv6;
+ };
+
+-u64 nsim_fib_get_val(struct nsim_fib_data *fib_data,
+- enum nsim_resource_id res_id, bool max)
++static unsigned int nsim_fib_net_id;
++
++u64 nsim_fib_get_val(struct net *net, enum nsim_resource_id res_id, bool max)
+ {
++ struct nsim_fib_data *fib_data = net_generic(net, nsim_fib_net_id);
+ struct nsim_fib_entry *entry;
+
+ switch (res_id) {
+@@ -62,10 +64,10 @@ u64 nsim_fib_get_val(struct nsim_fib_dat
+ return max ? entry->max : entry->num;
+ }
+
+-int nsim_fib_set_max(struct nsim_fib_data *fib_data,
+- enum nsim_resource_id res_id, u64 val,
++int nsim_fib_set_max(struct net *net, enum nsim_resource_id res_id, u64 val,
+ struct netlink_ext_ack *extack)
+ {
++ struct nsim_fib_data *fib_data = net_generic(net, nsim_fib_net_id);
+ struct nsim_fib_entry *entry;
+ int err = 0;
+
+@@ -118,9 +120,9 @@ static int nsim_fib_rule_account(struct
+ return err;
+ }
+
+-static int nsim_fib_rule_event(struct nsim_fib_data *data,
+- struct fib_notifier_info *info, bool add)
++static int nsim_fib_rule_event(struct fib_notifier_info *info, bool add)
+ {
++ struct nsim_fib_data *data = net_generic(info->net, nsim_fib_net_id);
+ struct netlink_ext_ack *extack = info->extack;
+ int err = 0;
+
+@@ -155,9 +157,9 @@ static int nsim_fib_account(struct nsim_
+ return err;
+ }
+
+-static int nsim_fib_event(struct nsim_fib_data *data,
+- struct fib_notifier_info *info, bool add)
++static int nsim_fib_event(struct fib_notifier_info *info, bool add)
+ {
++ struct nsim_fib_data *data = net_generic(info->net, nsim_fib_net_id);
+ struct netlink_ext_ack *extack = info->extack;
+ int err = 0;
+
+@@ -176,22 +178,18 @@ static int nsim_fib_event(struct nsim_fi
+ static int nsim_fib_event_nb(struct notifier_block *nb, unsigned long event,
+ void *ptr)
+ {
+- struct nsim_fib_data *data = container_of(nb, struct nsim_fib_data,
+- fib_nb);
+ struct fib_notifier_info *info = ptr;
+ int err = 0;
+
+ switch (event) {
+ case FIB_EVENT_RULE_ADD: /* fall through */
+ case FIB_EVENT_RULE_DEL:
+- err = nsim_fib_rule_event(data, info,
+- event == FIB_EVENT_RULE_ADD);
++ err = nsim_fib_rule_event(info, event == FIB_EVENT_RULE_ADD);
+ break;
+
+ case FIB_EVENT_ENTRY_ADD: /* fall through */
+ case FIB_EVENT_ENTRY_DEL:
+- err = nsim_fib_event(data, info,
+- event == FIB_EVENT_ENTRY_ADD);
++ err = nsim_fib_event(info, event == FIB_EVENT_ENTRY_ADD);
+ break;
+ }
+
+@@ -201,23 +199,30 @@ static int nsim_fib_event_nb(struct noti
+ /* inconsistent dump, trying again */
+ static void nsim_fib_dump_inconsistent(struct notifier_block *nb)
+ {
+- struct nsim_fib_data *data = container_of(nb, struct nsim_fib_data,
+- fib_nb);
++ struct nsim_fib_data *data;
++ struct net *net;
++
++ rcu_read_lock();
++ for_each_net_rcu(net) {
++ data = net_generic(net, nsim_fib_net_id);
++
++ data->ipv4.fib.num = 0ULL;
++ data->ipv4.rules.num = 0ULL;
+
+- data->ipv4.fib.num = 0ULL;
+- data->ipv4.rules.num = 0ULL;
+- data->ipv6.fib.num = 0ULL;
+- data->ipv6.rules.num = 0ULL;
++ data->ipv6.fib.num = 0ULL;
++ data->ipv6.rules.num = 0ULL;
++ }
++ rcu_read_unlock();
+ }
+
+-struct nsim_fib_data *nsim_fib_create(void)
+-{
+- struct nsim_fib_data *data;
+- int err;
++static struct notifier_block nsim_fib_nb = {
++ .notifier_call = nsim_fib_event_nb,
++};
+
+- data = kzalloc(sizeof(*data), GFP_KERNEL);
+- if (!data)
+- return ERR_PTR(-ENOMEM);
++/* Initialize per network namespace state */
++static int __net_init nsim_fib_netns_init(struct net *net)
++{
++ struct nsim_fib_data *data = net_generic(net, nsim_fib_net_id);
+
+ data->ipv4.fib.max = (u64)-1;
+ data->ipv4.rules.max = (u64)-1;
+@@ -225,22 +230,37 @@ struct nsim_fib_data *nsim_fib_create(vo
+ data->ipv6.fib.max = (u64)-1;
+ data->ipv6.rules.max = (u64)-1;
+
+- data->fib_nb.notifier_call = nsim_fib_event_nb;
+- err = register_fib_notifier(&data->fib_nb, nsim_fib_dump_inconsistent);
+- if (err) {
+- pr_err("Failed to register fib notifier\n");
+- goto err_out;
+- }
++ return 0;
++}
+
+- return data;
++static struct pernet_operations nsim_fib_net_ops = {
++ .init = nsim_fib_netns_init,
++ .id = &nsim_fib_net_id,
++ .size = sizeof(struct nsim_fib_data),
++};
+
+-err_out:
+- kfree(data);
+- return ERR_PTR(err);
++void nsim_fib_exit(void)
++{
++ unregister_pernet_subsys(&nsim_fib_net_ops);
++ unregister_fib_notifier(&nsim_fib_nb);
+ }
+
+-void nsim_fib_destroy(struct nsim_fib_data *data)
++int nsim_fib_init(void)
+ {
+- unregister_fib_notifier(&data->fib_nb);
+- kfree(data);
++ int err;
++
++ err = register_pernet_subsys(&nsim_fib_net_ops);
++ if (err < 0) {
++ pr_err("Failed to register pernet subsystem\n");
++ goto err_out;
++ }
++
++ err = register_fib_notifier(&nsim_fib_nb, nsim_fib_dump_inconsistent);
++ if (err < 0) {
++ pr_err("Failed to register fib notifier\n");
++ goto err_out;
++ }
++
++err_out:
++ return err;
+ }
+--- a/drivers/net/netdevsim/netdev.c
++++ b/drivers/net/netdevsim/netdev.c
+@@ -370,12 +370,18 @@ static int __init nsim_module_init(void)
+ if (err)
+ goto err_dev_exit;
+
+- err = rtnl_link_register(&nsim_link_ops);
++ err = nsim_fib_init();
+ if (err)
+ goto err_bus_exit;
+
++ err = rtnl_link_register(&nsim_link_ops);
++ if (err)
++ goto err_fib_exit;
++
+ return 0;
+
++err_fib_exit:
++ nsim_fib_exit();
+ err_bus_exit:
+ nsim_bus_exit();
+ err_dev_exit:
+@@ -386,6 +392,7 @@ err_dev_exit:
+ static void __exit nsim_module_exit(void)
+ {
+ rtnl_link_unregister(&nsim_link_ops);
++ nsim_fib_exit();
+ nsim_bus_exit();
+ nsim_dev_exit();
+ }
+--- a/drivers/net/netdevsim/netdevsim.h
++++ b/drivers/net/netdevsim/netdevsim.h
+@@ -168,12 +168,10 @@ int nsim_dev_port_add(struct nsim_bus_de
+ int nsim_dev_port_del(struct nsim_bus_dev *nsim_bus_dev,
+ unsigned int port_index);
+
+-struct nsim_fib_data *nsim_fib_create(void);
+-void nsim_fib_destroy(struct nsim_fib_data *fib_data);
+-u64 nsim_fib_get_val(struct nsim_fib_data *fib_data,
+- enum nsim_resource_id res_id, bool max);
+-int nsim_fib_set_max(struct nsim_fib_data *fib_data,
+- enum nsim_resource_id res_id, u64 val,
++int nsim_fib_init(void);
++void nsim_fib_exit(void);
++u64 nsim_fib_get_val(struct net *net, enum nsim_resource_id res_id, bool max);
++int nsim_fib_set_max(struct net *net, enum nsim_resource_id res_id, u64 val,
+ struct netlink_ext_ack *extack);
+
+ #if IS_ENABLED(CONFIG_XFRM_OFFLOAD)
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: David Ahern <dsahern@gmail.com>
+Date: Mon, 12 Aug 2019 13:07:07 -0700
+Subject: netlink: Fix nlmsg_parse as a wrapper for strict message parsing
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit d00ee64e1dcf09b3afefd1340f3e9eb637272714 ]
+
+Eric reported a syzbot warning:
+
+BUG: KMSAN: uninit-value in nh_valid_get_del_req+0x6f1/0x8c0 net/ipv4/nexthop.c:1510
+CPU: 0 PID: 11812 Comm: syz-executor444 Not tainted 5.3.0-rc3+ #17
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x191/0x1f0 lib/dump_stack.c:113
+ kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
+ __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
+ nh_valid_get_del_req+0x6f1/0x8c0 net/ipv4/nexthop.c:1510
+ rtm_del_nexthop+0x1b1/0x610 net/ipv4/nexthop.c:1543
+ rtnetlink_rcv_msg+0x115a/0x1580 net/core/rtnetlink.c:5223
+ netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5241
+ netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ netlink_unicast+0xf6c/0x1050 net/netlink/af_netlink.c:1328
+ netlink_sendmsg+0x110f/0x1330 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg net/socket.c:657 [inline]
+ ___sys_sendmsg+0x14ff/0x1590 net/socket.c:2311
+ __sys_sendmmsg+0x53a/0xae0 net/socket.c:2413
+ __do_sys_sendmmsg net/socket.c:2442 [inline]
+ __se_sys_sendmmsg+0xbd/0xe0 net/socket.c:2439
+ __x64_sys_sendmmsg+0x56/0x70 net/socket.c:2439
+ do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:297
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+
+The root cause is nlmsg_parse calling __nla_parse which means the
+header struct size is not checked.
+
+nlmsg_parse should be a wrapper around __nlmsg_parse with
+NL_VALIDATE_STRICT for the validate argument very much like
+nlmsg_parse_deprecated is for NL_VALIDATE_LIBERAL.
+
+Fixes: 3de6440354465 ("netlink: re-add parse/validate functions in strict mode")
+Reported-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/netlink.h | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/include/net/netlink.h
++++ b/include/net/netlink.h
+@@ -680,9 +680,8 @@ static inline int nlmsg_parse(const stru
+ const struct nla_policy *policy,
+ struct netlink_ext_ack *extack)
+ {
+- return __nla_parse(tb, maxtype, nlmsg_attrdata(nlh, hdrlen),
+- nlmsg_attrlen(nlh, hdrlen), policy,
+- NL_VALIDATE_STRICT, extack);
++ return __nlmsg_parse(nlh, hdrlen, tb, maxtype, policy,
++ NL_VALIDATE_STRICT, extack);
+ }
+
+ /**
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: zhengbin <zhengbin13@huawei.com>
+Date: Tue, 13 Aug 2019 22:05:50 +0800
+Subject: sctp: fix memleak in sctp_send_reset_streams
+
+From: zhengbin <zhengbin13@huawei.com>
+
+[ Upstream commit 6d5afe20397b478192ed8c38ec0ee10fa3aec649 ]
+
+If the stream outq is not empty, need to kfree nstr_list.
+
+Fixes: d570a59c5b5f ("sctp: only allow the out stream reset when the stream outq is empty")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: zhengbin <zhengbin13@huawei.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/stream.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sctp/stream.c
++++ b/net/sctp/stream.c
+@@ -316,6 +316,7 @@ int sctp_send_reset_streams(struct sctp_
+ nstr_list[i] = htons(str_list[i]);
+
+ if (out && !sctp_stream_outq_is_empty(stream, str_nums, nstr_list)) {
++ kfree(nstr_list);
+ retval = -EAGAIN;
+ goto out;
+ }
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 12 Aug 2019 20:49:12 +0800
+Subject: sctp: fix the transport error_count check
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit a1794de8b92ea6bc2037f445b296814ac826693e ]
+
+As the annotation says in sctp_do_8_2_transport_strike():
+
+ "If the transport error count is greater than the pf_retrans
+ threshold, and less than pathmaxrtx ..."
+
+It should be transport->error_count checked with pathmaxrxt,
+instead of asoc->pf_retrans.
+
+Fixes: 5aa93bcf66f4 ("sctp: Implement quick failover draft from tsvwg")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_sideeffect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/sm_sideeffect.c
++++ b/net/sctp/sm_sideeffect.c
+@@ -546,7 +546,7 @@ static void sctp_do_8_2_transport_strike
+ */
+ if (net->sctp.pf_enable &&
+ (transport->state == SCTP_ACTIVE) &&
+- (asoc->pf_retrans < transport->pathmaxrxt) &&
++ (transport->error_count < transport->pathmaxrxt) &&
+ (transport->error_count > asoc->pf_retrans)) {
+
+ sctp_assoc_control_transport(asoc, transport,
netfilter-conntrack-use-consistent-ct-id-hash-calculation.patch
iwlwifi-add-support-for-sar-south-korea-limitation.patch
input-psmouse-fix-build-error-of-multiple-definition.patch
+bnx2x-fix-vf-s-vlan-reconfiguration-in-reload.patch
+bonding-add-vlan-tx-offload-to-hw_enc_features.patch
+net-dsa-check-existence-of-.port_mdb_add-callback-before-calling-it.patch
+net-mlx4_en-fix-a-memory-leak-bug.patch
+net-packet-fix-race-in-tpacket_snd.patch
+net-sched-sch_taprio-fix-memleak-in-error-path-for-sched-list-parse.patch
+sctp-fix-memleak-in-sctp_send_reset_streams.patch
+sctp-fix-the-transport-error_count-check.patch
+team-add-vlan-tx-offload-to-hw_enc_features.patch
+tipc-initialise-addr_trail_end-when-setting-node-addresses.patch
+xen-netback-reset-nr_frags-before-freeing-skb.patch
+net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch
+bnxt_en-fix-vnic-clearing-logic-for-57500-chips.patch
+bnxt_en-improve-rx-doorbell-sequence.patch
+bnxt_en-fix-handling-frag_err-when-nvm_install_update-cmd-fails.patch
+bnxt_en-suppress-hwrm-errors-for-hwrm_nvm_get_variable-command.patch
+bnxt_en-use-correct-src_fid-to-determine-direction-of-the-flow.patch
+bnxt_en-fix-to-include-flow-direction-in-l2-key.patch
+net-sched-update-skbedit-action-for-batched-events-operations.patch
+tc-testing-updated-skbedit-action-tests-with-batch-create-delete.patch
+netdevsim-restore-per-network-namespace-accounting-for-fib-entries.patch
+net-mlx5e-ethtool-avoid-setting-speed-to-56gbase-when-autoneg-off.patch
+net-mlx5e-fix-false-negative-indication-on-tx-reporter-cqe-recovery.patch
+net-mlx5e-remove-redundant-check-in-cqe-recovery-flow-of-tx-reporter.patch
+net-mlx5e-use-flow-keys-dissector-to-parse-packets-for-arfs.patch
+net-tls-prevent-skb_orphan-from-leaking-tls-plain-text-with-offload.patch
+net-phy-consider-an_restart-status-when-reading-link-status.patch
+netlink-fix-nlmsg_parse-as-a-wrapper-for-strict-message-parsing.patch
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Roman Mashak <mrv@mojatatu.com>
+Date: Wed, 7 Aug 2019 15:57:29 -0400
+Subject: tc-testing: updated skbedit action tests with batch create/delete
+
+From: Roman Mashak <mrv@mojatatu.com>
+
+[ Upstream commit 7bc161846dcf4af0485f260930d17fdd892a4980 ]
+
+Update TDC tests with cases varifying ability of TC to install or delete
+batches of skbedit actions.
+
+Signed-off-by: Roman Mashak <mrv@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/tc-testing/tc-tests/actions/skbedit.json | 47 ++++++++++
+ 1 file changed, 47 insertions(+)
+
+--- a/tools/testing/selftests/tc-testing/tc-tests/actions/skbedit.json
++++ b/tools/testing/selftests/tc-testing/tc-tests/actions/skbedit.json
+@@ -509,5 +509,52 @@
+ "teardown": [
+ "$TC actions flush action skbedit"
+ ]
++ },
++ {
++ "id": "630c",
++ "name": "Add batch of 32 skbedit actions with all parameters and cookie",
++ "category": [
++ "actions",
++ "skbedit"
++ ],
++ "setup": [
++ [
++ "$TC actions flush action skbedit",
++ 0,
++ 1,
++ 255
++ ]
++ ],
++ "cmdUnderTest": "bash -c \"for i in \\`seq 1 32\\`; do cmd=\\\"action skbedit queue_mapping 2 priority 10 mark 7/0xaabbccdd ptype host inheritdsfield index \\$i cookie aabbccddeeff112233445566778800a1 \\\"; args=\"\\$args\\$cmd\"; done && $TC actions add \\$args\"",
++ "expExitCode": "0",
++ "verifyCmd": "$TC actions list action skbedit",
++ "matchPattern": "^[ \t]+index [0-9]+ ref",
++ "matchCount": "32",
++ "teardown": [
++ "$TC actions flush action skbedit"
++ ]
++ },
++ {
++ "id": "706d",
++ "name": "Delete batch of 32 skbedit actions with all parameters",
++ "category": [
++ "actions",
++ "skbedit"
++ ],
++ "setup": [
++ [
++ "$TC actions flush action skbedit",
++ 0,
++ 1,
++ 255
++ ],
++ "bash -c \"for i in \\`seq 1 32\\`; do cmd=\\\"action skbedit queue_mapping 2 priority 10 mark 7/0xaabbccdd ptype host inheritdsfield index \\$i \\\"; args=\\\"\\$args\\$cmd\\\"; done && $TC actions add \\$args\""
++ ],
++ "cmdUnderTest": "bash -c \"for i in \\`seq 1 32\\`; do cmd=\\\"action skbedit index \\$i \\\"; args=\"\\$args\\$cmd\"; done && $TC actions del \\$args\"",
++ "expExitCode": "0",
++ "verifyCmd": "$TC actions list action skbedit",
++ "matchPattern": "^[ \t]+index [0-9]+ ref",
++ "matchCount": "0",
++ "teardown": []
+ }
+ ]
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 8 Aug 2019 14:22:47 +0800
+Subject: team: Add vlan tx offload to hw_enc_features
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 227f2f030e28d8783c3d10ce70ff4ba79cad653f ]
+
+We should also enable team's vlan tx offload in hw_enc_features,
+pass the vlan packets to the slave devices with vlan tci, let the
+slave handle vlan tunneling offload implementation.
+
+Fixes: 3268e5cb494d ("team: Advertise tunneling offload features")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1004,6 +1004,8 @@ static void __team_compute_features(stru
+
+ team->dev->vlan_features = vlan_features;
+ team->dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL |
++ NETIF_F_HW_VLAN_CTAG_TX |
++ NETIF_F_HW_VLAN_STAG_TX |
+ NETIF_F_GSO_UDP_L4;
+ team->dev->hard_header_len = max_hard_header_len;
+
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Date: Mon, 12 Aug 2019 08:18:25 +1200
+Subject: tipc: initialise addr_trail_end when setting node addresses
+
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+
+[ Upstream commit 8874ecae2977e5a2d4f0ba301364435b81c05938 ]
+
+We set the field 'addr_trial_end' to 'jiffies', instead of the current
+value 0, at the moment the node address is initialized. This guarantees
+we don't inadvertently enter an address trial period when the node
+address is explicitly set by the user.
+
+Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/addr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/tipc/addr.c
++++ b/net/tipc/addr.c
+@@ -75,6 +75,7 @@ void tipc_set_node_addr(struct net *net,
+ tipc_set_node_id(net, node_id);
+ }
+ tn->trial_addr = addr;
++ tn->addr_trial_end = jiffies;
+ pr_info("32-bit node address hash set to %x\n", addr);
+ }
+
--- /dev/null
+From foo@baz Tue 20 Aug 2019 04:18:04 PM PDT
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Mon, 5 Aug 2019 16:34:34 +0100
+Subject: xen/netback: Reset nr_frags before freeing skb
+
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+
+[ Upstream commit 3a0233ddec554b886298de2428edb5c50a20e694 ]
+
+At this point nr_frags has been incremented but the frag does not yet
+have a page assigned so freeing the skb results in a crash. Reset
+nr_frags before freeing the skb to prevent this.
+
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netback/netback.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -925,6 +925,7 @@ static void xenvif_tx_build_gops(struct
+ skb_shinfo(skb)->nr_frags = MAX_SKB_FRAGS;
+ nskb = xenvif_alloc_skb(0);
+ if (unlikely(nskb == NULL)) {
++ skb_shinfo(skb)->nr_frags = 0;
+ kfree_skb(skb);
+ xenvif_tx_err(queue, &txreq, extra_count, idx);
+ if (net_ratelimit())
+@@ -940,6 +941,7 @@ static void xenvif_tx_build_gops(struct
+
+ if (xenvif_set_skb_gso(queue->vif, skb, gso)) {
+ /* Failure in xenvif_set_skb_gso is fatal. */
++ skb_shinfo(skb)->nr_frags = 0;
+ kfree_skb(skb);
+ kfree_skb(nskb);
+ break;
projects / thirdparty / kernel / stable-queue.git / commitdiff
