--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Date: Sun, 1 Mar 2020 22:07:17 -0500
+Subject: bnxt_en: reinitialize IRQs when MTU is modified
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+[ Upstream commit a9b952d267e59a3b405e644930f46d252cea7122 ]
+
+MTU changes may affect the number of IRQs so we must call
+bnxt_close_nic()/bnxt_open_nic() with the irq_re_init parameter
+set to true. The reason is that a larger MTU may require
+aggregation rings not needed with smaller MTU. We may not be
+able to allocate the required number of aggregation rings and
+so we reduce the number of channels which will change the number
+of IRQs. Without this patch, it may crash eventually in
+pci_disable_msix() when the IRQs are not properly unwound.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -6439,13 +6439,13 @@ static int bnxt_change_mtu(struct net_de
+ return -EINVAL;
+
+ if (netif_running(dev))
+- bnxt_close_nic(bp, false, false);
++ bnxt_close_nic(bp, true, false);
+
+ dev->mtu = new_mtu;
+ bnxt_set_ring_params(bp);
+
+ if (netif_running(dev))
+- return bnxt_open_nic(bp, false, false);
++ return bnxt_open_nic(bp, true, false);
+
+ return 0;
+ }
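Review bot: in bnxt_change_mtu(), dev->mtu is already set to new_mtu when "return bnxt_open_nic(bp, true, false);" runs, so a failure on the reopen path leaves the device closed with the new MTU recorded. The commit message says the larger MTU may need aggregation rings that cannot all be allocated, so this failure is now more plausible than before. Consider saying in the message or a comment whether the caller is expected to recover, or restoring the old MTU on error. A one-line comment next to the bare "true, false" arguments naming irq_re_init would also keep the reason for this change visible in the code.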
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 4 Mar 2020 09:32:16 -0800
+Subject: bonding/alb: make sure arp header is pulled before accessing it
+
+From: Eric Dumazet <edumazet@google.com>
+
+Similar to commit 38f88c454042 ("bonding/alb: properly access headers
+in bond_alb_xmit()"), we need to make sure arp header was pulled
+in skb->head before blindly accessing it in rlb_arp_xmit().
+
+Remove arp_pkt() private helper, since it is more readable/obvious
+to have the following construct back to back :
+
+ if (!pskb_network_may_pull(skb, sizeof(*arp)))
+ return NULL;
+ arp = (struct arp_pkt *)skb_network_header(skb);
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in bond_slave_has_mac_rx include/net/bonding.h:704 [inline]
+BUG: KMSAN: uninit-value in rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline]
+BUG: KMSAN: uninit-value in bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477
+CPU: 0 PID: 12743 Comm: syz-executor.4 Not tainted 5.6.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ bond_slave_has_mac_rx include/net/bonding.h:704 [inline]
+ rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline]
+ bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477
+ __bond_start_xmit drivers/net/bonding/bond_main.c:4257 [inline]
+ bond_start_xmit+0x85d/0x2f70 drivers/net/bonding/bond_main.c:4282
+ __netdev_start_xmit include/linux/netdevice.h:4524 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4538 [inline]
+ xmit_one net/core/dev.c:3470 [inline]
+ dev_hard_start_xmit+0x531/0xab0 net/core/dev.c:3486
+ __dev_queue_xmit+0x37de/0x4220 net/core/dev.c:4063
+ dev_queue_xmit+0x4b/0x60 net/core/dev.c:4096
+ packet_snd net/packet/af_packet.c:2967 [inline]
+ packet_sendmsg+0x8347/0x93b0 net/packet/af_packet.c:2992
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg net/socket.c:672 [inline]
+ __sys_sendto+0xc1b/0xc50 net/socket.c:1998
+ __do_sys_sendto net/socket.c:2010 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:2006
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:2006
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45c479
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fc77ffbbc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007fc77ffbc6d4 RCX: 000000000045c479
+RDX: 000000000000000e RSI: 00000000200004c0 RDI: 0000000000000003
+RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 0000000000000a04 R14: 00000000004cc7b0 R15: 000000000076bf2c
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
+ slab_alloc_node mm/slub.c:2793 [inline]
+ __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
+ __kmalloc_reserve net/core/skbuff.c:142 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
+ alloc_skb include/linux/skbuff.h:1051 [inline]
+ alloc_skb_with_frags+0x18c/0xa70 net/core/skbuff.c:5766
+ sock_alloc_send_pskb+0xada/0xc60 net/core/sock.c:2242
+ packet_alloc_skb net/packet/af_packet.c:2815 [inline]
+ packet_snd net/packet/af_packet.c:2910 [inline]
+ packet_sendmsg+0x66a0/0x93b0 net/packet/af_packet.c:2992
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg net/socket.c:672 [inline]
+ __sys_sendto+0xc1b/0xc50 net/socket.c:1998
+ __do_sys_sendto net/socket.c:2010 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:2006
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:2006
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Cc: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_alb.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/bonding/bond_alb.c
++++ b/drivers/net/bonding/bond_alb.c
+@@ -71,11 +71,6 @@ struct arp_pkt {
+ };
+ #pragma pack()
+
+-static inline struct arp_pkt *arp_pkt(const struct sk_buff *skb)
+-{
+- return (struct arp_pkt *)skb_network_header(skb);
+-}
+-
+ /* Forward declaration */
+ static void alb_send_learning_packets(struct slave *slave, u8 mac_addr[],
+ bool strict_match);
+@@ -574,10 +569,11 @@ static void rlb_req_update_subnet_client
+ spin_unlock(&bond->mode_lock);
+ }
+
+-static struct slave *rlb_choose_channel(struct sk_buff *skb, struct bonding *bond)
++static struct slave *rlb_choose_channel(struct sk_buff *skb,
++ struct bonding *bond,
++ const struct arp_pkt *arp)
+ {
+ struct alb_bond_info *bond_info = &(BOND_ALB_INFO(bond));
+- struct arp_pkt *arp = arp_pkt(skb);
+ struct slave *assigned_slave, *curr_active_slave;
+ struct rlb_client_info *client_info;
+ u32 hash_index = 0;
+@@ -674,8 +670,12 @@ static struct slave *rlb_choose_channel(
+ */
+ static struct slave *rlb_arp_xmit(struct sk_buff *skb, struct bonding *bond)
+ {
+- struct arp_pkt *arp = arp_pkt(skb);
+ struct slave *tx_slave = NULL;
++ struct arp_pkt *arp;
++
++ if (!pskb_network_may_pull(skb, sizeof(*arp)))
++ return NULL;
++ arp = (struct arp_pkt *)skb_network_header(skb);
+
+ /* Don't modify or load balance ARPs that do not originate locally
+ * (e.g.,arrive via a bridge).
+@@ -685,7 +685,7 @@ static struct slave *rlb_arp_xmit(struct
+
+ if (arp->op_code == htons(ARPOP_REPLY)) {
+ /* the arp must be sent on the selected rx channel */
+- tx_slave = rlb_choose_channel(skb, bond);
++ tx_slave = rlb_choose_channel(skb, bond, arp);
+ if (tx_slave)
+ ether_addr_copy(arp->mac_src, tx_slave->dev->dev_addr);
+ netdev_dbg(bond->dev, "Server sent ARP Reply packet\n");
+@@ -695,7 +695,7 @@ static struct slave *rlb_arp_xmit(struct
+ * When the arp reply is received the entry will be updated
+ * with the correct unicast address of the client.
+ */
+- rlb_choose_channel(skb, bond);
++ rlb_choose_channel(skb, bond, arp);
+
+ /* The ARP reply packets must be delayed so that
+ * they can cancel out the influence of the ARP request.
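Review bot: the new early "return NULL;" in rlb_arp_xmit() is indistinguishable from the existing "no slave selected" result, since tx_slave is also initialised to NULL, so a frame too short to hold struct arp_pkt is handed back to the caller instead of being rejected here. If that is intended, a short comment above the pskb_network_may_pull() check should say so. Note as well that rlb_choose_channel() now takes the arp pointer as const while rlb_arp_xmit() still writes arp->mac_src through its own non-const pointer; that is consistent, but the pointer must not be cached across any later pull because the header can move. Unlike the other patches in this series, the message carries no "[ Upstream commit ... ]" line, which makes the backport harder to trace.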
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Shakeel Butt <shakeelb@google.com>
+Date: Mon, 9 Mar 2020 22:16:05 -0700
+Subject: cgroup: memcg: net: do not associate sock with unrelated cgroup
+
+From: Shakeel Butt <shakeelb@google.com>
+
+[ Upstream commit e876ecc67db80dfdb8e237f71e5b43bb88ae549c ]
+
+We are testing network memory accounting in our setup and noticed
+inconsistent network memory usage and often unrelated cgroups network
+usage correlates with testing workload. On further inspection, it
+seems like mem_cgroup_sk_alloc() and cgroup_sk_alloc() are broken in
+irq context specially for cgroup v1.
+
+mem_cgroup_sk_alloc() and cgroup_sk_alloc() can be called in irq context
+and kind of assumes that this can only happen from sk_clone_lock()
+and the source sock object has already associated cgroup. However in
+cgroup v1, where network memory accounting is opt-in, the source sock
+can be unassociated with any cgroup and the new cloned sock can get
+associated with unrelated interrupted cgroup.
+
+Cgroup v2 can also suffer if the source sock object was created by
+process in the root cgroup or if sk_alloc() is called in irq context.
+The fix is to just do nothing in interrupt.
+
+WARNING: Please note that about half of the TCP sockets are allocated
+from the IRQ context, so, memory used by such sockets will not be
+accouted by the memcg.
+
+The stack trace of mem_cgroup_sk_alloc() from IRQ-context:
+
+CPU: 70 PID: 12720 Comm: ssh Tainted: 5.6.0-smp-DEV #1
+Hardware name: ...
+Call Trace:
+ <IRQ>
+ dump_stack+0x57/0x75
+ mem_cgroup_sk_alloc+0xe9/0xf0
+ sk_clone_lock+0x2a7/0x420
+ inet_csk_clone_lock+0x1b/0x110
+ tcp_create_openreq_child+0x23/0x3b0
+ tcp_v6_syn_recv_sock+0x88/0x730
+ tcp_check_req+0x429/0x560
+ tcp_v6_rcv+0x72d/0xa40
+ ip6_protocol_deliver_rcu+0xc9/0x400
+ ip6_input+0x44/0xd0
+ ? ip6_protocol_deliver_rcu+0x400/0x400
+ ip6_rcv_finish+0x71/0x80
+ ipv6_rcv+0x5b/0xe0
+ ? ip6_sublist_rcv+0x2e0/0x2e0
+ process_backlog+0x108/0x1e0
+ net_rx_action+0x26b/0x460
+ __do_softirq+0x104/0x2a6
+ do_softirq_own_stack+0x2a/0x40
+ </IRQ>
+ do_softirq.part.19+0x40/0x50
+ __local_bh_enable_ip+0x51/0x60
+ ip6_finish_output2+0x23d/0x520
+ ? ip6table_mangle_hook+0x55/0x160
+ __ip6_finish_output+0xa1/0x100
+ ip6_finish_output+0x30/0xd0
+ ip6_output+0x73/0x120
+ ? __ip6_finish_output+0x100/0x100
+ ip6_xmit+0x2e3/0x600
+ ? ipv6_anycast_cleanup+0x50/0x50
+ ? inet6_csk_route_socket+0x136/0x1e0
+ ? skb_free_head+0x1e/0x30
+ inet6_csk_xmit+0x95/0xf0
+ __tcp_transmit_skb+0x5b4/0xb20
+ __tcp_send_ack.part.60+0xa3/0x110
+ tcp_send_ack+0x1d/0x20
+ tcp_rcv_state_process+0xe64/0xe80
+ ? tcp_v6_connect+0x5d1/0x5f0
+ tcp_v6_do_rcv+0x1b1/0x3f0
+ ? tcp_v6_do_rcv+0x1b1/0x3f0
+ __release_sock+0x7f/0xd0
+ release_sock+0x30/0xa0
+ __inet_stream_connect+0x1c3/0x3b0
+ ? prepare_to_wait+0xb0/0xb0
+ inet_stream_connect+0x3b/0x60
+ __sys_connect+0x101/0x120
+ ? __sys_getsockopt+0x11b/0x140
+ __x64_sys_connect+0x1a/0x20
+ do_syscall_64+0x51/0x200
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The stack trace of mem_cgroup_sk_alloc() from IRQ-context:
+Fixes: 2d7580738345 ("mm: memcontrol: consolidate cgroup socket tracking")
+Fixes: d979a39d7242 ("cgroup: duplicate cgroup reference when cloning sockets")
+Signed-off-by: Shakeel Butt <shakeelb@google.com>
+Reviewed-by: Roman Gushchin <guro@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup.c | 4 ++++
+ mm/memcontrol.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -6335,6 +6335,10 @@ void cgroup_sk_alloc(struct sock_cgroup_
+ return;
+ }
+
++ /* Don't associate the sock with unrelated interrupted task's cgroup. */
++ if (in_interrupt())
++ return;
++
+ rcu_read_lock();
+
+ while (true) {
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -5726,6 +5726,10 @@ void mem_cgroup_sk_alloc(struct sock *sk
+ return;
+ }
+
++ /* Do not associate the sock with unrelated interrupted task's memcg. */
++ if (in_interrupt())
++ return;
++
+ rcu_read_lock();
+ memcg = mem_cgroup_from_task(current);
+ if (memcg == root_mem_cgroup)
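Review bot: the two new comments above the in_interrupt() checks in cgroup_sk_alloc() and mem_cgroup_sk_alloc() explain why the association is skipped but not what is lost. The commit message warns that about half of the TCP sockets are allocated from IRQ context and their memory will no longer be accounted by the memcg, which means a memory limit no longer bounds that socket memory. That consequence belongs in the code comment, along with a pointer to where the association is expected to happen later, if anywhere. The message also repeats the line "The stack trace of mem_cgroup_sk_alloc() from IRQ-context:" directly before the Fixes: tags with no trace after it; the stray copy should be dropped.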
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Dmitry Yakunin <zeil@yandex-team.ru>
+Date: Thu, 5 Mar 2020 17:45:57 +0300
+Subject: cgroup, netclassid: periodically release file_lock on classid updating
+
+From: Dmitry Yakunin <zeil@yandex-team.ru>
+
+[ Upstream commit 018d26fcd12a75fb9b5fe233762aa3f2f0854b88 ]
+
+In our production environment we have faced with problem that updating
+classid in cgroup with heavy tasks cause long freeze of the file tables
+in this tasks. By heavy tasks we understand tasks with many threads and
+opened sockets (e.g. balancers). This freeze leads to an increase number
+of client timeouts.
+
+This patch implements following logic to fix this issue:
+аfter iterating 1000 file descriptors file table lock will be released
+thus providing a time gap for socket creation/deletion.
+
+Now update is non atomic and socket may be skipped using calls:
+
+dup2(oldfd, newfd);
+close(oldfd);
+
+But this case is not typical. Moreover before this patch skip is possible
+too by hiding socket fd in unix socket buffer.
+
+New sockets will be allocated with updated classid because cgroup state
+is updated before start of the file descriptors iteration.
+
+So in common cases this patch has no side effects.
+
+Signed-off-by: Dmitry Yakunin <zeil@yandex-team.ru>
+Reviewed-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/netclassid_cgroup.c | 47 +++++++++++++++++++++++++++++++++----------
+ 1 file changed, 37 insertions(+), 10 deletions(-)
+
+--- a/net/core/netclassid_cgroup.c
++++ b/net/core/netclassid_cgroup.c
+@@ -55,30 +55,60 @@ static void cgrp_css_free(struct cgroup_
+ kfree(css_cls_state(css));
+ }
+
++/*
++ * To avoid freezing of sockets creation for tasks with big number of threads
++ * and opened sockets lets release file_lock every 1000 iterated descriptors.
++ * New sockets will already have been created with new classid.
++ */
++
++struct update_classid_context {
++ u32 classid;
++ unsigned int batch;
++};
++
++#define UPDATE_CLASSID_BATCH 1000
++
+ static int update_classid_sock(const void *v, struct file *file, unsigned n)
+ {
+ int err;
++ struct update_classid_context *ctx = (void *)v;
+ struct socket *sock = sock_from_file(file, &err);
+
+ if (sock) {
+ spin_lock(&cgroup_sk_update_lock);
+- sock_cgroup_set_classid(&sock->sk->sk_cgrp_data,
+- (unsigned long)v);
++ sock_cgroup_set_classid(&sock->sk->sk_cgrp_data, ctx->classid);
+ spin_unlock(&cgroup_sk_update_lock);
+ }
++ if (--ctx->batch == 0) {
++ ctx->batch = UPDATE_CLASSID_BATCH;
++ return n + 1;
++ }
+ return 0;
+ }
+
++static void update_classid_task(struct task_struct *p, u32 classid)
++{
++ struct update_classid_context ctx = {
++ .classid = classid,
++ .batch = UPDATE_CLASSID_BATCH
++ };
++ unsigned int fd = 0;
++
++ do {
++ task_lock(p);
++ fd = iterate_fd(p->files, fd, update_classid_sock, &ctx);
++ task_unlock(p);
++ cond_resched();
++ } while (fd);
++}
++
+ static void cgrp_attach(struct cgroup_taskset *tset)
+ {
+ struct cgroup_subsys_state *css;
+ struct task_struct *p;
+
+ cgroup_taskset_for_each(p, css, tset) {
+- task_lock(p);
+- iterate_fd(p->files, 0, update_classid_sock,
+- (void *)(unsigned long)css_cls_state(css)->classid);
+- task_unlock(p);
++ update_classid_task(p, css_cls_state(css)->classid);
+ }
+ }
+
+@@ -100,10 +130,7 @@ static int write_classid(struct cgroup_s
+
+ css_task_iter_start(css, &it);
+ while ((p = css_task_iter_next(&it))) {
+- task_lock(p);
+- iterate_fd(p->files, 0, update_classid_sock,
+- (void *)(unsigned long)cs->classid);
+- task_unlock(p);
++ update_classid_task(p, cs->classid);
+ cond_resched();
+ }
+ css_task_iter_end(&it);
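Review bot: update_classid_sock() receives "const void *v" and then writes through it ("struct update_classid_context *ctx = (void *)v;" followed by "--ctx->batch"), which discards the const qualifier to mutate caller state. The callback signature is fixed by iterate_fd(), so at least add a comment stating that the context is deliberately mutable and that a non-zero return of n + 1 is the resume index consumed by the do/while loop in update_classid_task(). The block comment above struct update_classid_context should also record the caveat from the commit message: the update is no longer atomic and a socket moved with dup2()/close() between batches can keep its old classid. Finally, write_classid() still calls cond_resched() right after update_classid_task(), which already ends every batch with cond_resched(); one of the two is redundant, and cgrp_attach() now reaches a reschedule point it did not have before, which is worth confirming as safe in that path.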
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:13 -0800
+Subject: fib: add missing attribute validation for tun_id
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 4c16d64ea04056f1b1b324ab6916019f6a064114 ]
+
+Add missing netlink policy entry for FRA_TUN_ID.
+
+Fixes: e7030878fc84 ("fib: Add fib rule match on tunnel id")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/fib_rules.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/net/fib_rules.h
++++ b/include/net/fib_rules.h
+@@ -87,6 +87,7 @@ struct fib_rules_ops {
+ [FRA_OIFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
+ [FRA_PRIORITY] = { .type = NLA_U32 }, \
+ [FRA_FWMARK] = { .type = NLA_U32 }, \
++ [FRA_TUN_ID] = { .type = NLA_U64 }, \
+ [FRA_FWMASK] = { .type = NLA_U32 }, \
+ [FRA_TABLE] = { .type = NLA_U32 }, \
+ [FRA_SUPPRESS_PREFIXLEN] = { .type = NLA_U32 }, \
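Review bot: the commit message says only "Add missing netlink policy entry for FRA_TUN_ID" and does not state what an attribute of the wrong length did before this entry existed. For a stable backport, one sentence on the impact (for example, whether a short FRA_TUN_ID payload from userspace was read as a full 64-bit value) would let reviewers judge severity. On placement, the new "[FRA_TUN_ID] = { .type = NLA_U64 }" line splits the FRA_FWMARK / FRA_FWMASK pair; designated initialisers make the order irrelevant to the compiler, but keeping the mark and mask entries adjacent reads better.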
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Mar 2020 22:05:14 -0800
+Subject: gre: fix uninit-value in __iptunnel_pull_header
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 17c25cafd4d3e74c83dce56b158843b19c40b414 ]
+
+syzbot found an interesting case of the kernel reading
+an uninit-value [1]
+
+Problem is in the handling of ETH_P_WCCP in gre_parse_header()
+
+We look at the byte following GRE options to eventually decide
+if the options are four bytes longer.
+
+Use skb_header_pointer() to not pull bytes if we found
+that no more bytes were needed.
+
+All callers of gre_parse_header() are properly using pskb_may_pull()
+anyway before proceeding to next header.
+
+[1]
+BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2303 [inline]
+BUG: KMSAN: uninit-value in __iptunnel_pull_header+0x30c/0xbd0 net/ipv4/ip_tunnel_core.c:94
+CPU: 1 PID: 11784 Comm: syz-executor940 Not tainted 5.6.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ pskb_may_pull include/linux/skbuff.h:2303 [inline]
+ __iptunnel_pull_header+0x30c/0xbd0 net/ipv4/ip_tunnel_core.c:94
+ iptunnel_pull_header include/net/ip_tunnels.h:411 [inline]
+ gre_rcv+0x15e/0x19c0 net/ipv6/ip6_gre.c:606
+ ip6_protocol_deliver_rcu+0x181b/0x22c0 net/ipv6/ip6_input.c:432
+ ip6_input_finish net/ipv6/ip6_input.c:473 [inline]
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ ip6_input net/ipv6/ip6_input.c:482 [inline]
+ ip6_mc_input+0xdf2/0x1460 net/ipv6/ip6_input.c:576
+ dst_input include/net/dst.h:442 [inline]
+ ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ ipv6_rcv+0x683/0x710 net/ipv6/ip6_input.c:306
+ __netif_receive_skb_one_core net/core/dev.c:5198 [inline]
+ __netif_receive_skb net/core/dev.c:5312 [inline]
+ netif_receive_skb_internal net/core/dev.c:5402 [inline]
+ netif_receive_skb+0x66b/0xf20 net/core/dev.c:5461
+ tun_rx_batched include/linux/skbuff.h:4321 [inline]
+ tun_get_user+0x6aef/0x6f60 drivers/net/tun.c:1997
+ tun_chr_write_iter+0x1f2/0x360 drivers/net/tun.c:2026
+ call_write_iter include/linux/fs.h:1901 [inline]
+ new_sync_write fs/read_write.c:483 [inline]
+ __vfs_write+0xa5a/0xca0 fs/read_write.c:496
+ vfs_write+0x44a/0x8f0 fs/read_write.c:558
+ ksys_write+0x267/0x450 fs/read_write.c:611
+ __do_sys_write fs/read_write.c:623 [inline]
+ __se_sys_write fs/read_write.c:620 [inline]
+ __ia32_sys_write+0xdb/0x120 fs/read_write.c:620
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7f62d99
+Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
+RSP: 002b:00000000fffedb2c EFLAGS: 00000217 ORIG_RAX: 0000000000000004
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020002580
+RDX: 0000000000000fca RSI: 0000000000000036 RDI: 0000000000000004
+RBP: 0000000000008914 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
+ slab_alloc_node mm/slub.c:2793 [inline]
+ __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
+ __kmalloc_reserve net/core/skbuff.c:142 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
+ alloc_skb include/linux/skbuff.h:1051 [inline]
+ alloc_skb_with_frags+0x18c/0xa70 net/core/skbuff.c:5766
+ sock_alloc_send_pskb+0xada/0xc60 net/core/sock.c:2242
+ tun_alloc_skb drivers/net/tun.c:1529 [inline]
+ tun_get_user+0x10ae/0x6f60 drivers/net/tun.c:1843
+ tun_chr_write_iter+0x1f2/0x360 drivers/net/tun.c:2026
+ call_write_iter include/linux/fs.h:1901 [inline]
+ new_sync_write fs/read_write.c:483 [inline]
+ __vfs_write+0xa5a/0xca0 fs/read_write.c:496
+ vfs_write+0x44a/0x8f0 fs/read_write.c:558
+ ksys_write+0x267/0x450 fs/read_write.c:611
+ __do_sys_write fs/read_write.c:623 [inline]
+ __se_sys_write fs/read_write.c:620 [inline]
+ __ia32_sys_write+0xdb/0x120 fs/read_write.c:620
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+
+Fixes: 95f5c64c3c13 ("gre: Move utility functions to common headers")
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/gre_demux.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/gre_demux.c
++++ b/net/ipv4/gre_demux.c
+@@ -60,7 +60,9 @@ int gre_del_protocol(const struct gre_pr
+ }
+ EXPORT_SYMBOL_GPL(gre_del_protocol);
+
+-/* Fills in tpi and returns header length to be pulled. */
++/* Fills in tpi and returns header length to be pulled.
++ * Note that caller must use pskb_may_pull() before pulling GRE header.
++ */
+ int gre_parse_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
+ bool *csum_err, __be16 proto, int nhs)
+ {
+@@ -114,8 +116,14 @@ int gre_parse_header(struct sk_buff *skb
+ * - When dealing with WCCPv2, Skip extra 4 bytes in GRE header
+ */
+ if (greh->flags == 0 && tpi->proto == htons(ETH_P_WCCP)) {
++ u8 _val, *val;
++
++ val = skb_header_pointer(skb, nhs + hdr_len,
++ sizeof(_val), &_val);
++ if (!val)
++ return -EINVAL;
+ tpi->proto = proto;
+- if ((*(u8 *)options & 0xF0) != 0x40)
++ if ((*val & 0xF0) != 0x40)
+ hdr_len += 4;
+ }
+ tpi->hdr_len = hdr_len;
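Review bot: the updated comment above gre_parse_header() still describes the return value only as "header length to be pulled", while the WCCP branch now adds "return -EINVAL;" when skb_header_pointer() yields NULL. The comment should state that a negative errno is possible and must be checked before the result is used as a length, since the new note shifts the pskb_may_pull() responsibility onto callers. It would also help to say that the returned hdr_len may include the extra 4 WCCPv2 bytes that this function only peeked at and did not pull. Minor: val is only read, so "const u8 *val" would document that.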
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Tue, 10 Mar 2020 15:27:37 +0800
+Subject: ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 60380488e4e0b95e9e82aa68aa9705baa86de84c ]
+
+Rafał found an issue that for non-Ethernet interface, if we down and up
+frequently, the memory will be consumed slowly.
+
+The reason is we add allnodes/allrouters addressed in multicast list in
+ipv6_add_dev(). When link down, we call ipv6_mc_down(), store all multicast
+addresses via mld_add_delrec(). But when link up, we don't call ipv6_mc_up()
+for non-Ethernet interface to remove the addresses. This makes idev->mc_tomb
+getting bigger and bigger. The call stack looks like:
+
+addrconf_notify(NETDEV_REGISTER)
+ ipv6_add_dev
+ ipv6_dev_mc_inc(ff01::1)
+ ipv6_dev_mc_inc(ff02::1)
+ ipv6_dev_mc_inc(ff02::2)
+
+addrconf_notify(NETDEV_UP)
+ addrconf_dev_config
+ /* Alas, we support only Ethernet autoconfiguration. */
+ return;
+
+addrconf_notify(NETDEV_DOWN)
+ addrconf_ifdown
+ ipv6_mc_down
+ igmp6_group_dropped(ff02::2)
+ mld_add_delrec(ff02::2)
+ igmp6_group_dropped(ff02::1)
+ igmp6_group_dropped(ff01::1)
+
+After investigating, I can't found a rule to disable multicast on
+non-Ethernet interface. In RFC2460, the link could be Ethernet, PPP, ATM,
+tunnels, etc. In IPv4, it doesn't check the dev type when calls ip_mc_up()
+in inetdev_event(). Even for IPv6, we don't check the dev type and call
+ipv6_add_dev(), ipv6_dev_mc_inc() after register device.
+
+So I think it's OK to fix this memory consumer by calling ipv6_mc_up() for
+non-Ethernet interface.
+
+v2: Also check IFF_MULTICAST flag to make sure the interface supports
+ multicast
+
+Reported-by: Rafał Miłecki <zajec5@gmail.com>
+Tested-by: Rafał Miłecki <zajec5@gmail.com>
+Fixes: 74235a25c673 ("[IPV6] addrconf: Fix IPv6 on tuntap tunnels")
+Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when set link down")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -3189,6 +3189,10 @@ static void addrconf_dev_config(struct n
+ (dev->type != ARPHRD_6LOWPAN) &&
+ (dev->type != ARPHRD_NONE)) {
+ /* Alas, we support only Ethernet autoconfiguration. */
++ idev = __in6_dev_get(dev);
++ if (!IS_ERR_OR_NULL(idev) && dev->flags & IFF_UP &&
++ dev->flags & IFF_MULTICAST)
++ ipv6_mc_up(idev);
+ return;
+ }
+
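Review bot: the new ipv6_mc_up() call in addrconf_dev_config() sits directly under the existing comment "Alas, we support only Ethernet autoconfiguration.", which now reads as if it described the multicast code. Add a separate comment explaining that ipv6_mc_up() is needed here to pair with ipv6_mc_down() on link down, otherwise the reader has to find the commit message to learn why a non-Ethernet early-return path touches multicast state. The condition "dev->flags & IFF_UP && dev->flags & IFF_MULTICAST" is correct by precedence, but the surrounding lines parenthesise each test, so "(dev->flags & IFF_UP) && (dev->flags & IFF_MULTICAST)" would match the local style and avoid compiler warnings about mixing & and &&.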
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Mahesh Bandewar <maheshb@google.com>
+Date: Mon, 9 Mar 2020 15:57:02 -0700
+Subject: ipvlan: add cond_resched_rcu() while processing muticast backlog
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+[ Upstream commit e18b353f102e371580f3f01dd47567a25acc3c1d ]
+
+If there are substantial number of slaves created as simulated by
+Syzbot, the backlog processing could take much longer and result
+into the issue found in the Syzbot report.
+
+INFO: rcu_sched detected stalls on CPUs/tasks:
+ (detected by 1, t=10502 jiffies, g=5049, c=5048, q=752)
+All QSes seen, last rcu_sched kthread activity 10502 (4294965563-4294955061), jiffies_till_next_fqs=1, root ->qsmask 0x0
+syz-executor.1 R running task on cpu 1 10984 11210 3866 0x30020008 179034491270
+Call Trace:
+ <IRQ>
+ [<ffffffff81497163>] _sched_show_task kernel/sched/core.c:8063 [inline]
+ [<ffffffff81497163>] _sched_show_task.cold+0x2fd/0x392 kernel/sched/core.c:8030
+ [<ffffffff8146a91b>] sched_show_task+0xb/0x10 kernel/sched/core.c:8073
+ [<ffffffff815c931b>] print_other_cpu_stall kernel/rcu/tree.c:1577 [inline]
+ [<ffffffff815c931b>] check_cpu_stall kernel/rcu/tree.c:1695 [inline]
+ [<ffffffff815c931b>] __rcu_pending kernel/rcu/tree.c:3478 [inline]
+ [<ffffffff815c931b>] rcu_pending kernel/rcu/tree.c:3540 [inline]
+ [<ffffffff815c931b>] rcu_check_callbacks.cold+0xbb4/0xc29 kernel/rcu/tree.c:2876
+ [<ffffffff815e3962>] update_process_times+0x32/0x80 kernel/time/timer.c:1635
+ [<ffffffff816164f0>] tick_sched_handle+0xa0/0x180 kernel/time/tick-sched.c:161
+ [<ffffffff81616ae4>] tick_sched_timer+0x44/0x130 kernel/time/tick-sched.c:1193
+ [<ffffffff815e75f7>] __run_hrtimer kernel/time/hrtimer.c:1393 [inline]
+ [<ffffffff815e75f7>] __hrtimer_run_queues+0x307/0xd90 kernel/time/hrtimer.c:1455
+ [<ffffffff815e90ea>] hrtimer_interrupt+0x2ea/0x730 kernel/time/hrtimer.c:1513
+ [<ffffffff844050f4>] local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1031 [inline]
+ [<ffffffff844050f4>] smp_apic_timer_interrupt+0x144/0x5e0 arch/x86/kernel/apic/apic.c:1056
+ [<ffffffff84401cbe>] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:778
+RIP: 0010:do_raw_read_lock+0x22/0x80 kernel/locking/spinlock_debug.c:153
+RSP: 0018:ffff8801dad07ab8 EFLAGS: 00000a02 ORIG_RAX: ffffffffffffff12
+RAX: 0000000000000000 RBX: ffff8801c4135680 RCX: 0000000000000000
+RDX: 1ffff10038826afe RSI: ffff88019d816bb8 RDI: ffff8801c41357f0
+RBP: ffff8801dad07ac0 R08: 0000000000004b15 R09: 0000000000310273
+R10: ffff88019d816bb8 R11: 0000000000000001 R12: ffff8801c41357e8
+R13: 0000000000000000 R14: ffff8801cfb19850 R15: ffff8801cfb198b0
+ [<ffffffff8101460e>] __raw_read_lock_bh include/linux/rwlock_api_smp.h:177 [inline]
+ [<ffffffff8101460e>] _raw_read_lock_bh+0x3e/0x50 kernel/locking/spinlock.c:240
+ [<ffffffff840d78ca>] ipv6_chk_mcast_addr+0x11a/0x6f0 net/ipv6/mcast.c:1006
+ [<ffffffff84023439>] ip6_mc_input+0x319/0x8e0 net/ipv6/ip6_input.c:482
+ [<ffffffff840211c8>] dst_input include/net/dst.h:449 [inline]
+ [<ffffffff840211c8>] ip6_rcv_finish+0x408/0x610 net/ipv6/ip6_input.c:78
+ [<ffffffff840214de>] NF_HOOK include/linux/netfilter.h:292 [inline]
+ [<ffffffff840214de>] NF_HOOK include/linux/netfilter.h:286 [inline]
+ [<ffffffff840214de>] ipv6_rcv+0x10e/0x420 net/ipv6/ip6_input.c:278
+ [<ffffffff83a29efa>] __netif_receive_skb_one_core+0x12a/0x1f0 net/core/dev.c:5303
+ [<ffffffff83a2a15c>] __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:5417
+ [<ffffffff83a2f536>] process_backlog+0x216/0x6c0 net/core/dev.c:6243
+ [<ffffffff83a30d1b>] napi_poll net/core/dev.c:6680 [inline]
+ [<ffffffff83a30d1b>] net_rx_action+0x47b/0xfb0 net/core/dev.c:6748
+ [<ffffffff846002c8>] __do_softirq+0x2c8/0x99a kernel/softirq.c:317
+ [<ffffffff813e656a>] invoke_softirq kernel/softirq.c:399 [inline]
+ [<ffffffff813e656a>] irq_exit+0x16a/0x1a0 kernel/softirq.c:439
+ [<ffffffff84405115>] exiting_irq arch/x86/include/asm/apic.h:561 [inline]
+ [<ffffffff84405115>] smp_apic_timer_interrupt+0x165/0x5e0 arch/x86/kernel/apic/apic.c:1058
+ [<ffffffff84401cbe>] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:778
+ </IRQ>
+RIP: 0010:__sanitizer_cov_trace_pc+0x26/0x50 kernel/kcov.c:102
+RSP: 0018:ffff880196033bd8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff12
+RAX: ffff88019d8161c0 RBX: 00000000ffffffff RCX: ffffc90003501000
+RDX: 0000000000000002 RSI: ffffffff816236d1 RDI: 0000000000000005
+RBP: ffff880196033bd8 R08: ffff88019d8161c0 R09: 0000000000000000
+R10: 1ffff10032c067f0 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000
+ [<ffffffff816236d1>] do_futex+0x151/0x1d50 kernel/futex.c:3548
+ [<ffffffff816260f0>] C_SYSC_futex kernel/futex_compat.c:201 [inline]
+ [<ffffffff816260f0>] compat_SyS_futex+0x270/0x3b0 kernel/futex_compat.c:175
+ [<ffffffff8101da17>] do_syscall_32_irqs_on arch/x86/entry/common.c:353 [inline]
+ [<ffffffff8101da17>] do_fast_syscall_32+0x357/0xe1c arch/x86/entry/common.c:415
+ [<ffffffff84401a9b>] entry_SYSENTER_compat+0x8b/0x9d arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7f23c69
+RSP: 002b:00000000f5d1f12c EFLAGS: 00000282 ORIG_RAX: 00000000000000f0
+RAX: ffffffffffffffda RBX: 000000000816af88 RCX: 0000000000000080
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000816af8c
+RBP: 00000000f5d1f228 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+rcu_sched kthread starved for 10502 jiffies! g5049 c5048 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=1
+rcu_sched R running task on cpu 1 13048 8 2 0x90000000 179099587640
+Call Trace:
+ [<ffffffff8147321f>] context_switch+0x60f/0xa60 kernel/sched/core.c:3209
+ [<ffffffff8100095a>] __schedule+0x5aa/0x1da0 kernel/sched/core.c:3934
+ [<ffffffff810021df>] schedule+0x8f/0x1b0 kernel/sched/core.c:4011
+ [<ffffffff8101116d>] schedule_timeout+0x50d/0xee0 kernel/time/timer.c:1803
+ [<ffffffff815c13f1>] rcu_gp_kthread+0xda1/0x3b50 kernel/rcu/tree.c:2327
+ [<ffffffff8144b318>] kthread+0x348/0x420 kernel/kthread.c:246
+ [<ffffffff84400266>] ret_from_fork+0x56/0x70 arch/x86/entry/entry_64.S:393
+
+Fixes: ba35f8588f47 (“ipvlan: Defer multicast / broadcast processing to a work-queue”)
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -240,6 +240,7 @@ void ipvlan_process_multicast(struct wor
+ ret = netif_rx(nskb);
+ acct:
+ ipvlan_count_rx(ipvlan, len, ret == NET_RX_SUCCESS, true);
++ cond_resched_rcu();
+ }
+ rcu_read_unlock();
+
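Review bot: cond_resched_rcu() at the end of the loop body is still inside the RCU read-side section (rcu_read_unlock() only follows the closing brace), and it drops and retakes the RCU read lock, so whatever the enclosing loop is iterating under RCU is unprotected across the call. Move the reschedule point outside the read-side section, for example a plain cond_resched() after rcu_read_unlock().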
--- /dev/null
+From foo@baz Sun 15 Mar 2020 12:39:05 PM CET
+From: Jiri Wiesner <jwiesner@suse.com>
+Date: Sat, 7 Mar 2020 13:31:57 +0100
+Subject: ipvlan: do not add hardware address of master to its unicast filter list
+
+From: Jiri Wiesner <jwiesner@suse.com>
+
+[ Upstream commit 63aae7b17344d4b08a7d05cb07044de4c0f9dcc6 ]
+
+There is a problem when ipvlan slaves are created on a master device that
+is a vmxnet3 device (ipvlan in VMware guests). The vmxnet3 driver does not
+support unicast address filtering. When an ipvlan device is brought up in
+ipvlan_open(), the ipvlan driver calls dev_uc_add() to add the hardware
+address of the vmxnet3 master device to the unicast address list of the
+master device, phy_dev->uc. This inevitably leads to the vmxnet3 master
+device being forced into promiscuous mode by __dev_set_rx_mode().
+
+Promiscuous mode is switched on the master despite the fact that there is
+still only one hardware address that the master device should use for
+filtering in order for the ipvlan device to be able to receive packets.
+The comment above struct net_device describes the uc_promisc member as a
+"counter, that indicates, that promiscuous mode has been enabled due to
+the need to listen to additional unicast addresses in a device that does
+not implement ndo_set_rx_mode()". Moreover, the design of ipvlan
+guarantees that only the hardware address of a master device,
+phy_dev->dev_addr, will be used to transmit and receive all packets from
+its ipvlan slaves. Thus, the unicast address list of the master device
+should not be modified by ipvlan_open() and ipvlan_stop() in order to make
+ipvlan a workable option on masters that do not support unicast address
+filtering.
+
+Fixes: 2ad7bf3638411 ("ipvlan: Initial check-in of the IPVLAN driver")
+Reported-by: Per Sundstrom <per.sundstrom@redqube.se>
+Signed-off-by: Jiri Wiesner <jwiesner@suse.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_main.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -217,7 +217,6 @@ static void ipvlan_uninit(struct net_dev
+ static int ipvlan_open(struct net_device *dev)
+ {
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
+- struct net_device *phy_dev = ipvlan->phy_dev;
+ struct ipvl_addr *addr;
+
+ if (ipvlan->port->mode == IPVLAN_MODE_L3 ||
+@@ -229,7 +228,7 @@ static int ipvlan_open(struct net_device
+ list_for_each_entry(addr, &ipvlan->addrs, anode)
+ ipvlan_ht_addr_add(ipvlan, addr);
+
+- return dev_uc_add(phy_dev, phy_dev->dev_addr);
++ return 0;
+ }
+
+ static int ipvlan_stop(struct net_device *dev)
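Review bot: with `return 0;` ipvlan_open() no longer touches phy_dev->uc, but the reason (the master's own dev_addr is the only address ipvlan uses, and adding it forces masters without unicast filtering into promiscuous mode) lives only in the changelog. A short comment above the return would stop someone from re-adding the dev_uc_add()/dev_uc_del() pair later.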
+@@ -241,8 +240,6 @@ static int ipvlan_stop(struct net_device
+ dev_uc_unsync(phy_dev, dev);
+ dev_mc_unsync(phy_dev, dev);
+
+- dev_uc_del(phy_dev, phy_dev->dev_addr);
+-
+ list_for_each_entry(addr, &ipvlan->addrs, anode)
+ ipvlan_ht_addr_del(addr);
+
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 9 Mar 2020 18:22:58 -0700
+Subject: ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit afe207d80a61e4d6e7cfa0611a4af46d0ba95628 ]
+
+Commit e18b353f102e ("ipvlan: add cond_resched_rcu() while
+processing muticast backlog") added a cond_resched_rcu() in a loop
+using rcu protection to iterate over slaves.
+
+This is breaking rcu rules, so lets instead use cond_resched()
+at a point we can reschedule
+
+Fixes: e18b353f102e ("ipvlan: add cond_resched_rcu() while processing muticast backlog")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -240,7 +240,6 @@ void ipvlan_process_multicast(struct wor
+ ret = netif_rx(nskb);
+ acct:
+ ipvlan_count_rx(ipvlan, len, ret == NET_RX_SUCCESS, true);
+- cond_resched_rcu();
+ }
+ rcu_read_unlock();
+
+@@ -252,6 +251,7 @@ acct:
+ } else {
+ kfree_skb(skb);
+ }
++ cond_resched();
+ }
+ }
+
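Review bot: cond_resched() at the end of the outer loop body runs once per dequeued skb, after rcu_read_unlock(), which is a legal place to sleep, but the inner walk that lost its cond_resched_rcu() in the first hunk now runs to completion under rcu_read_lock() with no preemption point. With many slaves a single skb can still hold the CPU for a while; the changelog should say that this bound is accepted.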
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Mahesh Bandewar <maheshb@google.com>
+Date: Mon, 9 Mar 2020 15:56:56 -0700
+Subject: ipvlan: don't deref eth hdr before checking it's set
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+[ Upstream commit ad8192767c9f9cf97da57b9ffcea70fb100febef ]
+
+IPvlan in L3 mode discards outbound multicast packets but performs
+the check before ensuring the ether-header is set or not. This is
+an error that Eric found through code browsing.
+
+Fixes: 2ad7bf363841 (“ipvlan: Initial check-in of the IPVLAN driver.”)
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Reported-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_core.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -444,19 +444,21 @@ static int ipvlan_process_outbound(struc
+ struct ethhdr *ethh = eth_hdr(skb);
+ int ret = NET_XMIT_DROP;
+
+- /* In this mode we dont care about multicast and broadcast traffic */
+- if (is_multicast_ether_addr(ethh->h_dest)) {
+- pr_debug_ratelimited("Dropped {multi|broad}cast of type=[%x]\n",
+- ntohs(skb->protocol));
+- kfree_skb(skb);
+- goto out;
+- }
+-
+ /* The ipvlan is a pseudo-L2 device, so the packets that we receive
+ * will have L2; which need to discarded and processed further
+ * in the net-ns of the main-device.
+ */
+ if (skb_mac_header_was_set(skb)) {
++ /* In this mode we dont care about
++ * multicast and broadcast traffic */
++ if (is_multicast_ether_addr(ethh->h_dest)) {
++ pr_debug_ratelimited(
++ "Dropped {multi|broad}cast of type=[%x]\n",
++ ntohs(skb->protocol));
++ kfree_skb(skb);
++ goto out;
++ }
++
+ skb_pull(skb, sizeof(*ethh));
+ skb->mac_header = (typeof(skb->mac_header))~0U;
+ skb_reset_network_header(skb);
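Review bot: the declaration `struct ethhdr *ethh = eth_hdr(skb);` at the top of the hunk still computes the header pointer before skb_mac_header_was_set(skb) is tested. It is no longer dereferenced there, but moving the assignment inside the `if` block would make it harder to reintroduce the bug. The new comment also closes with `*/` on its text line, unlike the block comment just above it; put the terminator on its own line.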
--- /dev/null
+From cccc200fcaf04cff4342036a72e51d6adf6c98c1 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Wed, 28 Feb 2018 11:43:27 +0100
+Subject: ipvlan: egress mcast packets are not exceptional
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit cccc200fcaf04cff4342036a72e51d6adf6c98c1 upstream.
+
+Currently, if IPv6 is enabled on top of an ipvlan device in l3
+mode, the following warning message:
+
+ Dropped {multi|broad}cast of type= [86dd]
+
+is emitted every time that a RS is generated and dmseg is soon
+filled with irrelevant messages. Replace pr_warn with pr_debug,
+to preserve debuggability, without scaring the sysadmin.
+
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ipvlan/ipvlan_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -446,8 +446,8 @@ static int ipvlan_process_outbound(struc
+
+ /* In this mode we dont care about multicast and broadcast traffic */
+ if (is_multicast_ether_addr(ethh->h_dest)) {
+- pr_warn_ratelimited("Dropped {multi|broad}cast of type= [%x]\n",
+- ntohs(skb->protocol));
++ pr_debug_ratelimited("Dropped {multi|broad}cast of type=[%x]\n",
++ ntohs(skb->protocol));
+ kfree_skb(skb);
+ goto out;
+ }
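Review bot: the format string changes from "type= [%x]" to "type=[%x]" along with the log level, which the changelog does not mention; say so, since anything matching the old text in logs stops matching. With pr_debug_ratelimited() the drop is also invisible by default, so consider whether a drop counter should account for these frames.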
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:17 -0800
+Subject: macsec: add missing attribute validation for port
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 31d9a1c524964bac77b7f9d0a1ac140dc6b57461 ]
+
+Add missing attribute validation for IFLA_MACSEC_PORT
+to the netlink policy.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -2982,6 +2982,7 @@ static const struct device_type macsec_t
+
+ static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = {
+ [IFLA_MACSEC_SCI] = { .type = NLA_U64 },
++ [IFLA_MACSEC_PORT] = { .type = NLA_U16 },
+ [IFLA_MACSEC_ICV_LEN] = { .type = NLA_U8 },
+ [IFLA_MACSEC_CIPHER_SUITE] = { .type = NLA_U64 },
+ [IFLA_MACSEC_WINDOW] = { .type = NLA_U32 },
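Review bot: IFLA_MACSEC_PORT has been missing from macsec_rtnl_policy[] since the Fixes: commit, so the remaining attributes up to IFLA_MACSEC_MAX deserve the same audit in this patch; any index without an entry in this array is accepted without a type or length check. NLA_U16 only fixes the length, so any restriction on the port value itself still has to live in the handler.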
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Mahesh Bandewar <maheshb@google.com>
+Date: Mon, 9 Mar 2020 15:57:07 -0700
+Subject: macvlan: add cond_resched() during multicast processing
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+[ Upstream commit ce9a4186f9ac475c415ffd20348176a4ea366670 ]
+
+The Rx bound multicast packets are deferred to a workqueue and
+macvlan can also suffer from the same attack that was discovered
+by Syzbot for IPvlan. This solution is not as effective as in
+IPvlan. IPvlan defers all (Tx and Rx) multicast packet processing
+to a workqueue while macvlan does this way only for the Rx. This
+fix should address the Rx codition to certain extent.
+
+Tx is still suseptible. Tx multicast processing happens when
+.ndo_start_xmit is called, hence we cannot add cond_resched().
+However, it's not that severe since the user which is generating
+ / flooding will be affected the most.
+
+Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -309,6 +309,8 @@ static void macvlan_process_broadcast(st
+ if (src)
+ dev_put(src->dev);
+ kfree_skb(skb);
++
++ cond_resched();
+ }
+ }
+
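Review bot: cond_resched() after kfree_skb(skb) is only safe if no RCU read-side section or spinlock is still held at that point, and the context lines do not show where the lock taken for this skb is released. Please confirm that against the full function; the equivalent ipvlan change in this queue needed a follow-up for exactly that reason.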
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Tue, 10 Mar 2020 20:36:16 -0700
+Subject: net: fec: validate the new settings in fec_enet_set_coalesce()
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit ab14961d10d02d20767612c78ce148f6eb85bd58 ]
+
+fec_enet_set_coalesce() validates the previously set params
+and if they are within range proceeds to apply the new ones.
+The new ones, however, are not validated. This seems backwards,
+probably a copy-paste error?
+
+Compile tested only.
+
+Fixes: d851b47b22fc ("net: fec: add interrupt coalescence feature support")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -2470,15 +2470,15 @@ fec_enet_set_coalesce(struct net_device
+ return -EINVAL;
+ }
+
+- cycle = fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr);
++ cycle = fec_enet_us_to_itr_clock(ndev, ec->rx_coalesce_usecs);
+ if (cycle > 0xFFFF) {
+ pr_err("Rx coalesced usec exceed hardware limitation\n");
+ return -EINVAL;
+ }
+
+- cycle = fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr);
++ cycle = fec_enet_us_to_itr_clock(ndev, ec->tx_coalesce_usecs);
+ if (cycle > 0xFFFF) {
+- pr_err("Rx coalesced usec exceed hardware limitation\n");
++ pr_err("Tx coalesced usec exceed hardware limitation\n");
+ return -EINVAL;
+ }
+
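Review bot: the limit 0xFFFF appears as a bare literal in both the Rx and Tx checks; a named constant for the ITR field width would keep the two in step. The changelog says compile tested only, so this needs a run on hardware with out-of-range rx and tx coalesce values to confirm -EINVAL is returned.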
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:19 -0800
+Subject: net: fq: add missing attribute validation for orphan mask
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 7e6dc03eeb023e18427a373522f1d247b916a641 ]
+
+Add missing attribute validation for TCA_FQ_ORPHAN_MASK
+to the netlink policy.
+
+Fixes: 06eb395fa985 ("pkt_sched: fq: better control of DDOS traffic")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_fq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/sch_fq.c
++++ b/net/sched/sch_fq.c
+@@ -697,6 +697,7 @@ static const struct nla_policy fq_policy
+ [TCA_FQ_FLOW_MAX_RATE] = { .type = NLA_U32 },
+ [TCA_FQ_BUCKETS_LOG] = { .type = NLA_U32 },
+ [TCA_FQ_FLOW_REFILL_DELAY] = { .type = NLA_U32 },
++ [TCA_FQ_ORPHAN_MASK] = { .type = NLA_U32 },
+ [TCA_FQ_LOW_RATE_THRESHOLD] = { .type = NLA_U32 },
+ };
+
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Dmitry Bogdanov <dbogdanov@marvell.com>
+Date: Tue, 10 Mar 2020 18:22:24 +0300
+Subject: net: macsec: update SCI upon MAC address change.
+
+From: Dmitry Bogdanov <dbogdanov@marvell.com>
+
+[ Upstream commit 6fc498bc82929ee23aa2f35a828c6178dfd3f823 ]
+
+SCI should be updated, because it contains MAC in its first 6 octets.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Signed-off-by: Dmitry Bogdanov <dbogdanov@marvell.com>
+Signed-off-by: Mark Starovoytov <mstarovoitov@marvell.com>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -2871,6 +2871,11 @@ static void macsec_dev_set_rx_mode(struc
+ dev_uc_sync(real_dev, dev);
+ }
+
++static sci_t dev_to_sci(struct net_device *dev, __be16 port)
++{
++ return make_sci(dev->dev_addr, port);
++}
++
+ static int macsec_set_mac_address(struct net_device *dev, void *p)
+ {
+ struct macsec_dev *macsec = macsec_priv(dev);
+@@ -2892,6 +2897,7 @@ static int macsec_set_mac_address(struct
+
+ out:
+ ether_addr_copy(dev->dev_addr, addr->sa_data);
++ macsec->secy.sci = dev_to_sci(dev, MACSEC_PORT_ES);
+ return 0;
+ }
+
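Review bot: `macsec->secy.sci = dev_to_sci(dev, MACSEC_PORT_ES);` rebuilds the SCI with a fixed port, so a device whose SCI was set up with a different port (dev_to_sci() takes the port as a parameter) gets it silently replaced on a MAC change. Keep the existing port part of secy.sci and replace only the address octets. The new value is also assigned without going through the sci_exists() check named in the next hunk header, so a duplicate SCI is not detected.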
+@@ -3160,11 +3166,6 @@ static bool sci_exists(struct net_device
+ return false;
+ }
+
+-static sci_t dev_to_sci(struct net_device *dev, __be16 port)
+-{
+- return make_sci(dev->dev_addr, port);
+-}
+-
+ static int macsec_add_dev(struct net_device *dev, sci_t sci, u8 icv_len)
+ {
+ struct macsec_dev *macsec = macsec_priv(dev);
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Mar 2020 17:24:31 +0300
+Subject: net: nfc: fix bounds checking bugs on "pipe"
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit a3aefbfe45751bf7b338c181b97608e276b5bb73 ]
+
+This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory
+corruption when handling SHDLC I-Frame commands") and commit d7ee81ad09f0
+("NFC: nci: Add some bounds checking in nci_hci_cmd_received()") which
+added range checks on "pipe".
+
+The "pipe" variable comes skb->data[0] in nfc_hci_msg_rx_work().
+It's in the 0-255 range. We're using it as the array index into the
+hdev->pipes[] array which has NFC_HCI_MAX_PIPES (128) members.
+
+Fixes: 118278f20aa8 ("NFC: hci: Add pipes table to reference them with a tuple {gate, host}")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/hci/core.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/net/nfc/hci/core.c
++++ b/net/nfc/hci/core.c
+@@ -193,13 +193,20 @@ exit:
+ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
+ struct sk_buff *skb)
+ {
+- u8 gate = hdev->pipes[pipe].gate;
+ u8 status = NFC_HCI_ANY_OK;
+ struct hci_create_pipe_resp *create_info;
+ struct hci_delete_pipe_noti *delete_info;
+ struct hci_all_pipe_cleared_noti *cleared_info;
++ u8 gate;
+
+- pr_debug("from gate %x pipe %x cmd %x\n", gate, pipe, cmd);
++ pr_debug("from pipe %x cmd %x\n", pipe, cmd);
++
++ if (pipe >= NFC_HCI_MAX_PIPES) {
++ status = NFC_HCI_ANY_E_NOK;
++ goto exit;
++ }
++
++ gate = hdev->pipes[pipe].gate;
+
+ switch (cmd) {
+ case NFC_HCI_ADM_NOTIFY_PIPE_CREATED:
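Review bot: `u8 gate;` is now declared without an initializer and the new `goto exit` for pipe >= NFC_HCI_MAX_PIPES skips its only assignment, so any use of gate after the exit label (not shown in this hunk) would read an uninitialized value. Check the exit path, and either initialize gate to NFC_HCI_INVALID_GATE or avoid using it there.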
+@@ -387,8 +394,14 @@ void nfc_hci_event_received(struct nfc_h
+ struct sk_buff *skb)
+ {
+ int r = 0;
+- u8 gate = hdev->pipes[pipe].gate;
++ u8 gate;
++
++ if (pipe >= NFC_HCI_MAX_PIPES) {
++ pr_err("Discarded event %x to invalid pipe %x\n", event, pipe);
++ goto exit;
++ }
+
++ gate = hdev->pipes[pipe].gate;
+ if (gate == NFC_HCI_INVALID_GATE) {
+ pr_err("Discarded event %x to unopened pipe %x\n", event, pipe);
+ goto exit;
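Review bot: the new pr_err() for an invalid pipe is not rate limited, and the changelog says pipe comes from skb->data[0], so a misbehaving peer can fill the log at will. Use pr_err_ratelimited() or pr_debug(); nfc_hci_cmd_received() in the previous hunk stays at pr_debug() for the same condition.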
--- /dev/null
+From foo@baz Sun 15 Mar 2020 12:39:05 PM CET
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Thu, 12 Mar 2020 22:25:20 +0100
+Subject: net: phy: fix MDIO bus PM PHY resuming
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 611d779af7cad2b87487ff58e4931a90c20b113c ]
+
+So far we have the unfortunate situation that mdio_bus_phy_may_suspend()
+is called in suspend AND resume path, assuming that function result is
+the same. After the original change this is no longer the case,
+resulting in broken resume as reported by Geert.
+
+To fix this call mdio_bus_phy_may_suspend() in the suspend path only,
+and let the phy_device store the info whether it was suspended by
+MDIO bus PM.
+
+Fixes: 503ba7c69610 ("net: phy: Avoid multiple suspends")
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phy_device.c | 6 +++++-
+ include/linux/phy.h | 2 ++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -129,6 +129,8 @@ static int mdio_bus_phy_suspend(struct d
+ if (!mdio_bus_phy_may_suspend(phydev))
+ return 0;
+
++ phydev->suspended_by_mdio_bus = true;
++
+ return phy_suspend(phydev);
+ }
+
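Review bot: `phydev->suspended_by_mdio_bus = true;` is set before phy_suspend() is called and is not cleared if phy_suspend() returns an error, so a failed suspend leaves the flag set and the resume path will call phy_resume() on a PHY that was never suspended. Set the flag only when phy_suspend() returns 0.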
+@@ -137,9 +139,11 @@ static int mdio_bus_phy_resume(struct de
+ struct phy_device *phydev = to_phy_device(dev);
+ int ret;
+
+- if (!mdio_bus_phy_may_suspend(phydev))
++ if (!phydev->suspended_by_mdio_bus)
+ goto no_resume;
+
++ phydev->suspended_by_mdio_bus = false;
++
+ ret = phy_resume(phydev);
+ if (ret < 0)
+ return ret;
+--- a/include/linux/phy.h
++++ b/include/linux/phy.h
+@@ -333,6 +333,7 @@ struct phy_c45_device_ids {
+ * is_pseudo_fixed_link: Set to true if this phy is an Ethernet switch, etc.
+ * has_fixups: Set to true if this phy has fixups/quirks.
+ * suspended: Set to true if this phy has been suspended successfully.
++ * suspended_by_mdio_bus: Set to true if this phy was suspended by MDIO bus.
+ * state: state of the PHY for management purposes
+ * dev_flags: Device-specific flags used by the PHY driver.
+ * link_timeout: The number of timer firings to wait before the
+@@ -369,6 +370,7 @@ struct phy_device {
+ bool is_pseudo_fixed_link;
+ bool has_fixups;
+ bool suspended;
++ bool suspended_by_mdio_bus;
+
+ enum phy_state state;
+
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:24 -0800
+Subject: nfc: add missing attribute validation for SE API
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 361d23e41ca6e504033f7e66a03b95788377caae ]
+
+Add missing attribute validation for NFC_ATTR_SE_INDEX
+to the netlink policy.
+
+Fixes: 5ce3f32b5264 ("NFC: netlink: SE API implementation")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/netlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -62,6 +62,7 @@ static const struct nla_policy nfc_genl_
+ [NFC_ATTR_LLC_SDP] = { .type = NLA_NESTED },
+ [NFC_ATTR_FIRMWARE_NAME] = { .type = NLA_STRING,
+ .len = NFC_FIRMWARE_NAME_MAXSIZE },
++ [NFC_ATTR_SE_INDEX] = { .type = NLA_U32 },
+ [NFC_ATTR_SE_APDU] = { .type = NLA_BINARY },
+ [NFC_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
+
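Review bot: NFC_ATTR_SE_APDU on the line below the new entry, and NFC_ATTR_VENDOR_DATA after it, are NLA_BINARY with no .len, so the policy puts no upper bound on them. While touching this table, either add a maximum length or confirm the handlers bound the payload themselves.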
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:26 -0800
+Subject: nfc: add missing attribute validation for vendor subcommand
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 6ba3da446551f2150fadbf8c7788edcb977683d3 ]
+
+Add missing attribute validation for vendor subcommand attributes
+to the netlink policy.
+
+Fixes: 9e58095f9660 ("NFC: netlink: Implement vendor command support")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/netlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -64,6 +64,8 @@ static const struct nla_policy nfc_genl_
+ .len = NFC_FIRMWARE_NAME_MAXSIZE },
+ [NFC_ATTR_SE_INDEX] = { .type = NLA_U32 },
+ [NFC_ATTR_SE_APDU] = { .type = NLA_BINARY },
++ [NFC_ATTR_VENDOR_ID] = { .type = NLA_U32 },
++ [NFC_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
+ [NFC_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
+
+ };
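Review bot: the context lines of this hunk include the NFC_ATTR_SE_INDEX entry, so it only applies on top of nfc-add-missing-attribute-validation-for-se-api.patch. The series file lists them in that order, which needs to be preserved if either patch is dropped or reordered.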
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:15 -0800
+Subject: nl802154: add missing attribute validation for dev_type
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit b60673c4c418bef7550d02faf53c34fbfeb366bf ]
+
+Add missing attribute type validation for IEEE802154_ATTR_DEV_TYPE
+to the netlink policy.
+
+Fixes: 90c049b2c6ae ("ieee802154: interface type to be added")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl_policy.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ieee802154/nl_policy.c
++++ b/net/ieee802154/nl_policy.c
+@@ -36,6 +36,7 @@ const struct nla_policy ieee802154_polic
+ [IEEE802154_ATTR_BAT_EXT] = { .type = NLA_U8, },
+ [IEEE802154_ATTR_COORD_REALIGN] = { .type = NLA_U8, },
+ [IEEE802154_ATTR_PAGE] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_DEV_TYPE] = { .type = NLA_U8, },
+ [IEEE802154_ATTR_COORD_SHORT_ADDR] = { .type = NLA_U16, },
+ [IEEE802154_ATTR_COORD_HW_ADDR] = { .type = NLA_HW_ADDR, },
+ [IEEE802154_ATTR_COORD_PAN_ID] = { .type = NLA_U16, },
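Review bot: the context above the new IEEE802154_ATTR_DEV_TYPE entry contains the BAT_EXT and COORD_REALIGN lines that nl802154-add-missing-attribute-validation.patch adds, so this hunk depends on that patch being applied first. The series file has them in the right order; keep the two together when backporting so this one is not picked alone.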
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:14 -0800
+Subject: nl802154: add missing attribute validation
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 9322cd7c4af2ccc7fe7c5f01adb53f4f77949e92 ]
+
+Add missing attribute validation for several u8 types.
+
+Fixes: 2c21d11518b6 ("net: add NL802154 interface for configuration of 802.15.4 devices")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl_policy.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ieee802154/nl_policy.c
++++ b/net/ieee802154/nl_policy.c
+@@ -30,6 +30,11 @@ const struct nla_policy ieee802154_polic
+ [IEEE802154_ATTR_HW_ADDR] = { .type = NLA_HW_ADDR, },
+ [IEEE802154_ATTR_PAN_ID] = { .type = NLA_U16, },
+ [IEEE802154_ATTR_CHANNEL] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_BCN_ORD] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_SF_ORD] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_PAN_COORD] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_BAT_EXT] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_COORD_REALIGN] = { .type = NLA_U8, },
+ [IEEE802154_ATTR_PAGE] = { .type = NLA_U8, },
+ [IEEE802154_ATTR_COORD_SHORT_ADDR] = { .type = NLA_U16, },
+ [IEEE802154_ATTR_COORD_HW_ADDR] = { .type = NLA_HW_ADDR, },
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: You-Sheng Yang <vicamo.yang@canonical.com>
+Date: Wed, 26 Feb 2020 23:37:10 +0800
+Subject: r8152: check disconnect status after long sleep
+
+From: You-Sheng Yang <vicamo.yang@canonical.com>
+
+[ Upstream commit d64c7a08034b32c285e576208ae44fc3ba3fa7df ]
+
+Dell USB Type C docking WD19/WD19DC attaches additional peripherals as:
+
+ /: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 5000M
+ |__ Port 1: Dev 11, If 0, Class=Hub, Driver=hub/4p, 5000M
+ |__ Port 3: Dev 12, If 0, Class=Hub, Driver=hub/4p, 5000M
+ |__ Port 4: Dev 13, If 0, Class=Vendor Specific Class,
+ Driver=r8152, 5000M
+
+where usb 2-1-3 is a hub connecting all USB Type-A/C ports on the dock.
+
+When hotplugging such dock with additional usb devices already attached on
+it, the probing process may reset usb 2.1 port, therefore r8152 ethernet
+device is also reset. However, during r8152 device init there are several
+for-loops that, when it's unable to retrieve hardware registers due to
+being disconnected from USB, may take up to 14 seconds each in practice,
+and that has to be completed before USB may re-enumerate devices on the
+bus. As a result, devices attached to the dock will only be available
+after nearly 1 minute after the dock was plugged in:
+
+ [ 216.388290] [250] r8152 2-1.4:1.0: usb_probe_interface
+ [ 216.388292] [250] r8152 2-1.4:1.0: usb_probe_interface - got id
+ [ 258.830410] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): PHY not ready
+ [ 258.830460] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): Invalid header when reading pass-thru MAC addr
+ [ 258.830464] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): Get ether addr fail
+
+This happens in, for example, r8153_init:
+
+ static int generic_ocp_read(struct r8152 *tp, u16 index, u16 size,
+ void *data, u16 type)
+ {
+ if (test_bit(RTL8152_UNPLUG, &tp->flags))
+ return -ENODEV;
+ ...
+ }
+
+ static u16 ocp_read_word(struct r8152 *tp, u16 type, u16 index)
+ {
+ u32 data;
+ ...
+ generic_ocp_read(tp, index, sizeof(tmp), &tmp, type | byen);
+
+ data = __le32_to_cpu(tmp);
+ ...
+ return (u16)data;
+ }
+
+ static void r8153_init(struct r8152 *tp)
+ {
+ ...
+ if (test_bit(RTL8152_UNPLUG, &tp->flags))
+ return;
+
+ for (i = 0; i < 500; i++) {
+ if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_BOOT_CTRL) &
+ AUTOLOAD_DONE)
+ break;
+ msleep(20);
+ }
+ ...
+ }
+
+Since ocp_read_word() doesn't check the return status of
+generic_ocp_read(), and the only exit condition for the loop is to have
+a match in the returned value, such loops will only ends after exceeding
+its maximum runs when the device has been marked as disconnected, which
+takes 500 * 20ms = 10 seconds in theory, 14 in practice.
+
+To solve this long latency another test to RTL8152_UNPLUG flag should be
+added after those 20ms sleep to skip unnecessary loops, so that the device
+probe can complete early and proceed to parent port reset/reprobe process.
+
+This can be reproduced on all kernel versions up to latest v5.6-rc2, but
+after v5.5-rc7 the reproduce rate is dramatically lowered to 1/30 or less
+while it was around 1/2.
+
+Signed-off-by: You-Sheng Yang <vicamo.yang@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/r8152.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -2789,6 +2789,8 @@ static void r8153_aldps_en(struct r8152
+ data &= ~EN_ALDPS;
+ ocp_reg_write(tp, OCP_POWER_CFG, data);
+ msleep(20);
++ if (test_bit(RTL8152_UNPLUG, &tp->flags))
++ break;
+ }
+ }
+
+@@ -3423,7 +3425,10 @@ static void r8153_init(struct r8152 *tp)
+ if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_BOOT_CTRL) &
+ AUTOLOAD_DONE)
+ break;
++
+ msleep(20);
++ if (test_bit(RTL8152_UNPLUG, &tp->flags))
++ break;
+ }
+
+ for (i = 0; i < 500; i++) {
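Review bot: the new RTL8152_UNPLUG test comes after msleep(20), while the loop condition above it still acts on whatever ocp_read_word() returns, and the changelog shows ocp_read_word() ignoring the result of generic_ocp_read(). Propagating the -ENODEV from generic_ocp_read() would let these loops stop on the failed read itself instead of needing a second flag test per iteration.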
+@@ -3447,7 +3452,10 @@ static void r8153_init(struct r8152 *tp)
+ ocp_data = ocp_reg_read(tp, OCP_PHY_STATUS) & PHY_STAT_MASK;
+ if (ocp_data == PHY_STAT_LAN_ON)
+ break;
++
+ msleep(20);
++ if (test_bit(RTL8152_UNPLUG, &tp->flags))
++ break;
+ }
+
+ usb_disable_lpm(tp->udev);
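Review bot: breaking out of the PHY status loop on RTL8152_UNPLUG falls through to usb_disable_lpm(tp->udev) and the rest of r8153_init() on a device already marked disconnected. Return from the function after the loop when the flag is set, as the test at the top of r8153_init() quoted in the changelog already does.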
nfs-remove-superfluous-kmap-in-nfs_readdir_xdr_to_ar.patch
phy-revert-toggling-reset-changes.patch
net-phy-avoid-multiple-suspends.patch
+cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch
+gre-fix-uninit-value-in-__iptunnel_pull_header.patch
+ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch
+net-macsec-update-sci-upon-mac-address-change.patch
+net-nfc-fix-bounds-checking-bugs-on-pipe.patch
+r8152-check-disconnect-status-after-long-sleep.patch
+bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch
+fib-add-missing-attribute-validation-for-tun_id.patch
+nl802154-add-missing-attribute-validation.patch
+nl802154-add-missing-attribute-validation-for-dev_type.patch
+macsec-add-missing-attribute-validation-for-port.patch
+net-fq-add-missing-attribute-validation-for-orphan-mask.patch
+team-add-missing-attribute-validation-for-port-ifindex.patch
+team-add-missing-attribute-validation-for-array-index.patch
+nfc-add-missing-attribute-validation-for-se-api.patch
+nfc-add-missing-attribute-validation-for-vendor-subcommand.patch
+ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch
+ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch
+ipvlan-egress-mcast-packets-are-not-exceptional.patch
+ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch
+ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch
+macvlan-add-cond_resched-during-multicast-processing.patch
+net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch
+slip-make-slhc_compress-more-robust-against-malicious-packets.patch
+bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch
+cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch
+net-phy-fix-mdio-bus-pm-phy-resuming.patch
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 4 Mar 2020 15:51:43 -0800
+Subject: slip: make slhc_compress() more robust against malicious packets
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 110a40dfb708fe940a3f3704d470e431c368d256 ]
+
+Before accessing various fields in IPV4 network header
+and TCP header, make sure the packet :
+
+- Has IP version 4 (ip->version == 4)
+- Has not a silly network length (ip->ihl >= 5)
+- Is big enough to hold network and transport headers
+- Has not a silly TCP header size (th->doff >= sizeof(struct tcphdr) / 4)
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270
+CPU: 0 PID: 11728 Comm: syz-executor231 Not tainted 5.6.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270
+ ppp_send_frame drivers/net/ppp/ppp_generic.c:1637 [inline]
+ __ppp_xmit_process+0x1902/0x2970 drivers/net/ppp/ppp_generic.c:1495
+ ppp_xmit_process+0x147/0x2f0 drivers/net/ppp/ppp_generic.c:1516
+ ppp_write+0x6bb/0x790 drivers/net/ppp/ppp_generic.c:512
+ do_loop_readv_writev fs/read_write.c:717 [inline]
+ do_iter_write+0x812/0xdc0 fs/read_write.c:1000
+ compat_writev+0x2df/0x5a0 fs/read_write.c:1351
+ do_compat_pwritev64 fs/read_write.c:1400 [inline]
+ __do_compat_sys_pwritev fs/read_write.c:1420 [inline]
+ __se_compat_sys_pwritev fs/read_write.c:1414 [inline]
+ __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7f7cd99
+Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
+RSP: 002b:00000000ffdb84ac EFLAGS: 00000217 ORIG_RAX: 000000000000014e
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200001c0
+RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 0000000040047459 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
+ slab_alloc_node mm/slub.c:2793 [inline]
+ __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
+ __kmalloc_reserve net/core/skbuff.c:142 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
+ alloc_skb include/linux/skbuff.h:1051 [inline]
+ ppp_write+0x115/0x790 drivers/net/ppp/ppp_generic.c:500
+ do_loop_readv_writev fs/read_write.c:717 [inline]
+ do_iter_write+0x812/0xdc0 fs/read_write.c:1000
+ compat_writev+0x2df/0x5a0 fs/read_write.c:1351
+ do_compat_pwritev64 fs/read_write.c:1400 [inline]
+ __do_compat_sys_pwritev fs/read_write.c:1420 [inline]
+ __se_compat_sys_pwritev fs/read_write.c:1414 [inline]
+ __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+
+Fixes: b5451d783ade ("slip: Move the SLIP drivers")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/slip/slhc.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/slip/slhc.c
++++ b/drivers/net/slip/slhc.c
+@@ -232,7 +232,7 @@ slhc_compress(struct slcompress *comp, u
+ register struct cstate *cs = lcs->next;
+ register unsigned long deltaS, deltaA;
+ register short changes = 0;
+- int hlen;
++ int nlen, hlen;
+ unsigned char new_seq[16];
+ register unsigned char *cp = new_seq;
+ struct iphdr *ip;
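Review bot: `nlen` is declared as a signed `int` next to `hlen`, but a later hunk uses it in `isize < nlen + sizeof(*th)`, where the `sizeof` operand converts the right-hand side to an unsigned type and, on builds where `size_t` is at least as wide as `int`, the whole comparison becomes unsigned. That is only safe if `isize` can never be negative at that point. Declaring `nlen` as `unsigned int`, or stating in a comment that the earlier size check guarantees a non-negative `isize`, would make that assumption explicit.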
+@@ -248,6 +248,8 @@ slhc_compress(struct slcompress *comp, u
+ return isize;
+
+ ip = (struct iphdr *) icp;
++ if (ip->version != 4 || ip->ihl < 5)
++ return isize;
+
+ /* Bail if this packet isn't TCP, or is an IP fragment */
+ if (ip->protocol != IPPROTO_TCP || (ntohs(ip->frag_off) & 0x3fff)) {
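Review bot: The new `ip->version != 4 || ip->ihl < 5` bail-out returns `isize` silently, while the existing not-compressible path just below updates a statistics counter (`comp->sls_o_tcp++` is visible in the next hunk) before returning. Malformed headers therefore leave no trace in the compressor statistics. Consider bumping an appropriate counter here, and adding a one-line comment like the `/* Bail if ... */` comment that the neighbouring check carries.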
+@@ -258,10 +260,14 @@ slhc_compress(struct slcompress *comp, u
+ comp->sls_o_tcp++;
+ return isize;
+ }
+- /* Extract TCP header */
++ nlen = ip->ihl * 4;
++ if (isize < nlen + sizeof(*th))
++ return isize;
+
+- th = (struct tcphdr *)(((unsigned char *)ip) + ip->ihl*4);
+- hlen = ip->ihl*4 + th->doff*4;
++ th = (struct tcphdr *)(icp + nlen);
++ if (th->doff < sizeof(struct tcphdr) / 4)
++ return isize;
++ hlen = nlen + th->doff * 4;
+
+ /* Bail if the TCP packet isn't `compressible' (i.e., ACK isn't set or
+ * some other control bit is set). Also uncompressible if
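Review bot: The length check `isize < nlen + sizeof(*th)` only guarantees room for a minimal 20-byte TCP header, yet `hlen = nlen + th->doff * 4` can be larger whenever `doff` is above 5, and nothing in this hunk compares `isize` with `hlen`. The commit message says the packet must be big enough to hold network and transport headers, so an `if (isize < hlen) return isize;` after `hlen` is computed would match that intent, unless later code already does it. The removed `/* Extract TCP header */` comment is also dropped without a replacement describing the new checks.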
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:22 -0800
+Subject: team: add missing attribute validation for array index
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 669fcd7795900cd1880237cbbb57a7db66cb9ac8 ]
+
+Add missing attribute validation for TEAM_ATTR_OPTION_ARRAY_INDEX
+to the netlink policy.
+
+Fixes: b13033262d24 ("team: introduce array options")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2217,6 +2217,7 @@ team_nl_option_policy[TEAM_ATTR_OPTION_M
+ [TEAM_ATTR_OPTION_TYPE] = { .type = NLA_U8 },
+ [TEAM_ATTR_OPTION_DATA] = { .type = NLA_BINARY },
+ [TEAM_ATTR_OPTION_PORT_IFINDEX] = { .type = NLA_U32 },
++ [TEAM_ATTR_OPTION_ARRAY_INDEX] = { .type = NLA_U32 },
+ };
+
+ static int team_nl_cmd_noop(struct sk_buff *skb, struct genl_info *info)
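Review bot: The `NLA_U32` policy entry for TEAM_ATTR_OPTION_ARRAY_INDEX checks the attribute's length, not its value, so the consumer still has to bounds-check the index against the option's array size; the commit message should say whether that check already exists. Also note that this hunk lists the TEAM_ATTR_OPTION_PORT_IFINDEX entry as unchanged context, so it only applies after the port-ifindex patch, which is the order the series file uses.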
--- /dev/null
+From foo@baz Sun 15 Mar 2020 01:01:22 PM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:21 -0800
+Subject: team: add missing attribute validation for port ifindex
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit dd25cb272ccce4db67dc8509278229099e4f5e99 ]
+
+Add missing attribute validation for TEAM_ATTR_OPTION_PORT_IFINDEX
+to the netlink policy.
+
+Fixes: 80f7c6683fe0 ("team: add support for per-port options")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2216,6 +2216,7 @@ team_nl_option_policy[TEAM_ATTR_OPTION_M
+ [TEAM_ATTR_OPTION_CHANGED] = { .type = NLA_FLAG },
+ [TEAM_ATTR_OPTION_TYPE] = { .type = NLA_U8 },
+ [TEAM_ATTR_OPTION_DATA] = { .type = NLA_BINARY },
++ [TEAM_ATTR_OPTION_PORT_IFINDEX] = { .type = NLA_U32 },
+ };
+
+ static int team_nl_cmd_noop(struct sk_buff *skb, struct genl_info *info)
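Review bot: The commit message for the TEAM_ATTR_OPTION_PORT_IFINDEX entry does not say what goes wrong without it, which makes the severity hard to judge when backporting; one sentence on how the attribute is read by the handler would help. The context also shows TEAM_ATTR_OPTION_DATA as `NLA_BINARY` with no `.len`, so if that payload length is not bounded elsewhere it deserves the same kind of follow-up.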