--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Date: Thu, 20 Feb 2020 17:26:34 -0500
+Subject: bnxt_en: Improve device shutdown method.
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+[ Upstream commit 5567ae4a8d569d996d0d88d0eceb76205e4c7ce5 ]
+
+Especially when bnxt_shutdown() is called during kexec, we need to
+disable MSIX and disable Bus Master to completely quiesce the device.
+Make these 2 calls unconditionally in the shutdown method.
+
+Fixes: c20dc142dd7b ("bnxt_en: Disable bus master during PCI shutdown and driver unload.")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -11972,10 +11972,10 @@ static void bnxt_shutdown(struct pci_dev
+ dev_close(dev);
+
+ bnxt_ulp_shutdown(bp);
++ bnxt_clear_int_mode(bp);
++ pci_disable_device(pdev);
+
+ if (system_state == SYSTEM_POWER_OFF) {
+- bnxt_clear_int_mode(bp);
+- pci_disable_device(pdev);
+ pci_wake_from_d3(pdev, bp->wol);
+ pci_set_power_state(pdev, PCI_D3hot);
+ }
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Date: Thu, 20 Feb 2020 17:26:35 -0500
+Subject: bnxt_en: Issue PCIe FLR in kdump kernel to cleanup pending DMAs.
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+[ Upstream commit 8743db4a9acfd51f805ac0c87bcaae92c42d1061 ]
+
+If crashed kernel does not shutdown the NIC properly, PCIe FLR
+is required in the kdump kernel in order to initialize all the
+functions properly.
+
+Fixes: d629522e1d66 ("bnxt_en: Reduce memory usage when running in kdump kernel.")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -11775,6 +11775,14 @@ static int bnxt_init_one(struct pci_dev
+ if (version_printed++ == 0)
+ pr_info("%s", version);
+
++ /* Clear any pending DMA transactions from crash kernel
++ * while loading driver in capture kernel.
++ */
++ if (is_kdump_kernel()) {
++ pci_clear_master(pdev);
++ pcie_flr(pdev);
++ }
++
+ max_irqs = bnxt_get_max_irq(pdev);
+ dev = alloc_etherdev_mq(sizeof(*bp), max_irqs);
+ if (!dev)
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Sat, 15 Feb 2020 10:50:08 +0000
+Subject: bonding: add missing netdev_update_lockdep_key()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 064ff66e2bef84f1153087612032b5b9eab005bd ]
+
+After bond_release(), netdev_update_lockdep_key() should be called.
+But both ioctl path and attribute path don't call
+netdev_update_lockdep_key().
+This patch adds missing netdev_update_lockdep_key().
+
+Test commands:
+ ip link add bond0 type bond
+ ip link add bond1 type bond
+ ifenslave bond0 bond1
+ ifenslave -d bond0 bond1
+ ifenslave bond1 bond0
+
+Splat looks like:
+[ 29.501182][ T1046] WARNING: possible circular locking dependency detected
+[ 29.501945][ T1039] hardirqs last disabled at (1962): [<ffffffffac6c807f>] handle_mm_fault+0x13f/0x700
+[ 29.503442][ T1046] 5.5.0+ #322 Not tainted
+[ 29.503447][ T1046] ------------------------------------------------------
+[ 29.504277][ T1039] softirqs last enabled at (1180): [<ffffffffade00678>] __do_softirq+0x678/0x981
+[ 29.505443][ T1046] ifenslave/1046 is trying to acquire lock:
+[ 29.505886][ T1039] softirqs last disabled at (1169): [<ffffffffac19c18a>] irq_exit+0x17a/0x1a0
+[ 29.509997][ T1046] ffff88805d5da280 (&dev->addr_list_lock_key#3){+...}, at: dev_mc_sync_multiple+0x95/0x120
+[ 29.511243][ T1046]
+[ 29.511243][ T1046] but task is already holding lock:
+[ 29.512192][ T1046] ffff8880460f2280 (&dev->addr_list_lock_key#4){+...}, at: bond_enslave+0x4482/0x47b0 [bonding]
+[ 29.514124][ T1046]
+[ 29.514124][ T1046] which lock already depends on the new lock.
+[ 29.514124][ T1046]
+[ 29.517297][ T1046]
+[ 29.517297][ T1046] the existing dependency chain (in reverse order) is:
+[ 29.518231][ T1046]
+[ 29.518231][ T1046] -> #1 (&dev->addr_list_lock_key#4){+...}:
+[ 29.519076][ T1046] _raw_spin_lock+0x30/0x70
+[ 29.519588][ T1046] dev_mc_sync_multiple+0x95/0x120
+[ 29.520208][ T1046] bond_enslave+0x448d/0x47b0 [bonding]
+[ 29.520862][ T1046] bond_option_slaves_set+0x1a3/0x370 [bonding]
+[ 29.521640][ T1046] __bond_opt_set+0x1ff/0xbb0 [bonding]
+[ 29.522438][ T1046] __bond_opt_set_notify+0x2b/0xf0 [bonding]
+[ 29.523251][ T1046] bond_opt_tryset_rtnl+0x92/0xf0 [bonding]
+[ 29.524082][ T1046] bonding_sysfs_store_option+0x8a/0xf0 [bonding]
+[ 29.524959][ T1046] kernfs_fop_write+0x276/0x410
+[ 29.525620][ T1046] vfs_write+0x197/0x4a0
+[ 29.526218][ T1046] ksys_write+0x141/0x1d0
+[ 29.526818][ T1046] do_syscall_64+0x99/0x4f0
+[ 29.527430][ T1046] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 29.528265][ T1046]
+[ 29.528265][ T1046] -> #0 (&dev->addr_list_lock_key#3){+...}:
+[ 29.529272][ T1046] __lock_acquire+0x2d8d/0x3de0
+[ 29.529935][ T1046] lock_acquire+0x164/0x3b0
+[ 29.530638][ T1046] _raw_spin_lock+0x30/0x70
+[ 29.531187][ T1046] dev_mc_sync_multiple+0x95/0x120
+[ 29.531790][ T1046] bond_enslave+0x448d/0x47b0 [bonding]
+[ 29.532451][ T1046] bond_option_slaves_set+0x1a3/0x370 [bonding]
+[ 29.533163][ T1046] __bond_opt_set+0x1ff/0xbb0 [bonding]
+[ 29.533789][ T1046] __bond_opt_set_notify+0x2b/0xf0 [bonding]
+[ 29.534595][ T1046] bond_opt_tryset_rtnl+0x92/0xf0 [bonding]
+[ 29.535500][ T1046] bonding_sysfs_store_option+0x8a/0xf0 [bonding]
+[ 29.536379][ T1046] kernfs_fop_write+0x276/0x410
+[ 29.537057][ T1046] vfs_write+0x197/0x4a0
+[ 29.537640][ T1046] ksys_write+0x141/0x1d0
+[ 29.538251][ T1046] do_syscall_64+0x99/0x4f0
+[ 29.538870][ T1046] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 29.539659][ T1046]
+[ 29.539659][ T1046] other info that might help us debug this:
+[ 29.539659][ T1046]
+[ 29.540953][ T1046] Possible unsafe locking scenario:
+[ 29.540953][ T1046]
+[ 29.541883][ T1046] CPU0 CPU1
+[ 29.542540][ T1046] ---- ----
+[ 29.543209][ T1046] lock(&dev->addr_list_lock_key#4);
+[ 29.543880][ T1046] lock(&dev->addr_list_lock_key#3);
+[ 29.544873][ T1046] lock(&dev->addr_list_lock_key#4);
+[ 29.545863][ T1046] lock(&dev->addr_list_lock_key#3);
+[ 29.546525][ T1046]
+[ 29.546525][ T1046] *** DEADLOCK ***
+[ 29.546525][ T1046]
+[ 29.547542][ T1046] 5 locks held by ifenslave/1046:
+[ 29.548196][ T1046] #0: ffff88806044c478 (sb_writers#5){.+.+}, at: vfs_write+0x3bb/0x4a0
+[ 29.549248][ T1046] #1: ffff88805af00890 (&of->mutex){+.+.}, at: kernfs_fop_write+0x1cf/0x410
+[ 29.550343][ T1046] #2: ffff88805b8b54b0 (kn->count#157){.+.+}, at: kernfs_fop_write+0x1f2/0x410
+[ 29.551575][ T1046] #3: ffffffffaecf4cf0 (rtnl_mutex){+.+.}, at: bond_opt_tryset_rtnl+0x5f/0xf0 [bonding]
+[ 29.552819][ T1046] #4: ffff8880460f2280 (&dev->addr_list_lock_key#4){+...}, at: bond_enslave+0x4482/0x47b0 [bonding]
+[ 29.554175][ T1046]
+[ 29.554175][ T1046] stack backtrace:
+[ 29.554907][ T1046] CPU: 0 PID: 1046 Comm: ifenslave Not tainted 5.5.0+ #322
+[ 29.555854][ T1046] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[ 29.557064][ T1046] Call Trace:
+[ 29.557504][ T1046] dump_stack+0x96/0xdb
+[ 29.558054][ T1046] check_noncircular+0x371/0x450
+[ 29.558723][ T1046] ? print_circular_bug.isra.35+0x310/0x310
+[ 29.559486][ T1046] ? hlock_class+0x130/0x130
+[ 29.560100][ T1046] ? __lock_acquire+0x2d8d/0x3de0
+[ 29.560761][ T1046] __lock_acquire+0x2d8d/0x3de0
+[ 29.561366][ T1046] ? register_lock_class+0x14d0/0x14d0
+[ 29.562045][ T1046] ? find_held_lock+0x39/0x1d0
+[ 29.562641][ T1046] lock_acquire+0x164/0x3b0
+[ 29.563199][ T1046] ? dev_mc_sync_multiple+0x95/0x120
+[ 29.563872][ T1046] _raw_spin_lock+0x30/0x70
+[ 29.564464][ T1046] ? dev_mc_sync_multiple+0x95/0x120
+[ 29.565146][ T1046] dev_mc_sync_multiple+0x95/0x120
+[ 29.565793][ T1046] bond_enslave+0x448d/0x47b0 [bonding]
+[ 29.566487][ T1046] ? bond_update_slave_arr+0x940/0x940 [bonding]
+[ 29.567279][ T1046] ? bstr_printf+0xc20/0xc20
+[ 29.567857][ T1046] ? stack_trace_consume_entry+0x160/0x160
+[ 29.568614][ T1046] ? deactivate_slab.isra.77+0x2c5/0x800
+[ 29.569320][ T1046] ? check_chain_key+0x236/0x5d0
+[ 29.569939][ T1046] ? sscanf+0x93/0xc0
+[ 29.570442][ T1046] ? vsscanf+0x1e20/0x1e20
+[ 29.571003][ T1046] bond_option_slaves_set+0x1a3/0x370 [bonding]
+[ ... ]
+
+Fixes: ab92d68fc22f ("net: core: add generic lockdep keys")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 2 ++
+ drivers/net/bonding/bond_options.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3640,6 +3640,8 @@ static int bond_do_ioctl(struct net_devi
+ case BOND_RELEASE_OLD:
+ case SIOCBONDRELEASE:
+ res = bond_release(bond_dev, slave_dev);
++ if (!res)
++ netdev_update_lockdep_key(slave_dev);
+ break;
+ case BOND_SETHWADDR_OLD:
+ case SIOCBONDSETHWADDR:
+--- a/drivers/net/bonding/bond_options.c
++++ b/drivers/net/bonding/bond_options.c
+@@ -1398,6 +1398,8 @@ static int bond_option_slaves_set(struct
+ case '-':
+ slave_dbg(bond->dev, dev, "Releasing interface\n");
+ ret = bond_release(bond->dev, dev);
++ if (!ret)
++ netdev_update_lockdep_key(dev);
+ break;
+
+ default:
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Sat, 15 Feb 2020 10:50:40 +0000
+Subject: bonding: fix lockdep warning in bond_get_stats()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit b3e80d44f5b1b470dd9e2dbc6816e63a5c519709 ]
+
+In the "struct bonding", there is stats_lock.
+This lock protects "bond_stats" in the "struct bonding".
+bond_stats is updated in the bond_get_stats() and this function would be
+executed concurrently. So, the lock is needed.
+
+Bonding interfaces would be nested.
+So, either stats_lock should use dynamic lockdep class key or stats_lock
+should be used by spin_lock_nested(). In the current code, stats_lock is
+using a dynamic lockdep class key.
+But there is no updating stats_lock_key routine So, lockdep warning
+will occur.
+
+Test commands:
+ ip link add bond0 type bond
+ ip link add bond1 type bond
+ ip link set bond0 master bond1
+ ip link set bond0 nomaster
+ ip link set bond1 master bond0
+
+Splat looks like:
+[ 38.420603][ T957] 5.5.0+ #394 Not tainted
+[ 38.421074][ T957] ------------------------------------------------------
+[ 38.421837][ T957] ip/957 is trying to acquire lock:
+[ 38.422399][ T957] ffff888063262cd8 (&bond->stats_lock_key#2){+.+.}, at: bond_get_stats+0x90/0x4d0 [bonding]
+[ 38.423528][ T957]
+[ 38.423528][ T957] but task is already holding lock:
+[ 38.424526][ T957] ffff888065fd2cd8 (&bond->stats_lock_key){+.+.}, at: bond_get_stats+0x90/0x4d0 [bonding]
+[ 38.426075][ T957]
+[ 38.426075][ T957] which lock already depends on the new lock.
+[ 38.426075][ T957]
+[ 38.428536][ T957]
+[ 38.428536][ T957] the existing dependency chain (in reverse order) is:
+[ 38.429475][ T957]
+[ 38.429475][ T957] -> #1 (&bond->stats_lock_key){+.+.}:
+[ 38.430273][ T957] _raw_spin_lock+0x30/0x70
+[ 38.430812][ T957] bond_get_stats+0x90/0x4d0 [bonding]
+[ 38.431451][ T957] dev_get_stats+0x1ec/0x270
+[ 38.432088][ T957] bond_get_stats+0x1a5/0x4d0 [bonding]
+[ 38.432767][ T957] dev_get_stats+0x1ec/0x270
+[ 38.433322][ T957] rtnl_fill_stats+0x44/0xbe0
+[ 38.433866][ T957] rtnl_fill_ifinfo+0xeb2/0x3720
+[ 38.434474][ T957] rtmsg_ifinfo_build_skb+0xca/0x170
+[ 38.435081][ T957] rtmsg_ifinfo_event.part.33+0x1b/0xb0
+[ 38.436848][ T957] rtnetlink_event+0xcd/0x120
+[ 38.437455][ T957] notifier_call_chain+0x90/0x160
+[ 38.438067][ T957] netdev_change_features+0x74/0xa0
+[ 38.438708][ T957] bond_compute_features.isra.45+0x4e6/0x6f0 [bonding]
+[ 38.439522][ T957] bond_enslave+0x3639/0x47b0 [bonding]
+[ 38.440225][ T957] do_setlink+0xaab/0x2ef0
+[ 38.440786][ T957] __rtnl_newlink+0x9c5/0x1270
+[ 38.441463][ T957] rtnl_newlink+0x65/0x90
+[ 38.442075][ T957] rtnetlink_rcv_msg+0x4a8/0x890
+[ 38.442774][ T957] netlink_rcv_skb+0x121/0x350
+[ 38.443451][ T957] netlink_unicast+0x42e/0x610
+[ 38.444282][ T957] netlink_sendmsg+0x65a/0xb90
+[ 38.444992][ T957] ____sys_sendmsg+0x5ce/0x7a0
+[ 38.445679][ T957] ___sys_sendmsg+0x10f/0x1b0
+[ 38.446365][ T957] __sys_sendmsg+0xc6/0x150
+[ 38.447007][ T957] do_syscall_64+0x99/0x4f0
+[ 38.447668][ T957] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 38.448538][ T957]
+[ 38.448538][ T957] -> #0 (&bond->stats_lock_key#2){+.+.}:
+[ 38.449554][ T957] __lock_acquire+0x2d8d/0x3de0
+[ 38.450148][ T957] lock_acquire+0x164/0x3b0
+[ 38.450711][ T957] _raw_spin_lock+0x30/0x70
+[ 38.451292][ T957] bond_get_stats+0x90/0x4d0 [bonding]
+[ 38.451950][ T957] dev_get_stats+0x1ec/0x270
+[ 38.452425][ T957] bond_get_stats+0x1a5/0x4d0 [bonding]
+[ 38.453362][ T957] dev_get_stats+0x1ec/0x270
+[ 38.453825][ T957] rtnl_fill_stats+0x44/0xbe0
+[ 38.454390][ T957] rtnl_fill_ifinfo+0xeb2/0x3720
+[ 38.456257][ T957] rtmsg_ifinfo_build_skb+0xca/0x170
+[ 38.456998][ T957] rtmsg_ifinfo_event.part.33+0x1b/0xb0
+[ 38.459351][ T957] rtnetlink_event+0xcd/0x120
+[ 38.460086][ T957] notifier_call_chain+0x90/0x160
+[ 38.460829][ T957] netdev_change_features+0x74/0xa0
+[ 38.461752][ T957] bond_compute_features.isra.45+0x4e6/0x6f0 [bonding]
+[ 38.462705][ T957] bond_enslave+0x3639/0x47b0 [bonding]
+[ 38.463476][ T957] do_setlink+0xaab/0x2ef0
+[ 38.464141][ T957] __rtnl_newlink+0x9c5/0x1270
+[ 38.464897][ T957] rtnl_newlink+0x65/0x90
+[ 38.465522][ T957] rtnetlink_rcv_msg+0x4a8/0x890
+[ 38.466215][ T957] netlink_rcv_skb+0x121/0x350
+[ 38.466895][ T957] netlink_unicast+0x42e/0x610
+[ 38.467583][ T957] netlink_sendmsg+0x65a/0xb90
+[ 38.468285][ T957] ____sys_sendmsg+0x5ce/0x7a0
+[ 38.469202][ T957] ___sys_sendmsg+0x10f/0x1b0
+[ 38.469884][ T957] __sys_sendmsg+0xc6/0x150
+[ 38.470587][ T957] do_syscall_64+0x99/0x4f0
+[ 38.471245][ T957] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 38.472093][ T957]
+[ 38.472093][ T957] other info that might help us debug this:
+[ 38.472093][ T957]
+[ 38.473438][ T957] Possible unsafe locking scenario:
+[ 38.473438][ T957]
+[ 38.474898][ T957] CPU0 CPU1
+[ 38.476234][ T957] ---- ----
+[ 38.480171][ T957] lock(&bond->stats_lock_key);
+[ 38.480808][ T957] lock(&bond->stats_lock_key#2);
+[ 38.481791][ T957] lock(&bond->stats_lock_key);
+[ 38.482754][ T957] lock(&bond->stats_lock_key#2);
+[ 38.483416][ T957]
+[ 38.483416][ T957] *** DEADLOCK ***
+[ 38.483416][ T957]
+[ 38.484505][ T957] 3 locks held by ip/957:
+[ 38.485048][ T957] #0: ffffffffbccf6230 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x457/0x890
+[ 38.486198][ T957] #1: ffff888065fd2cd8 (&bond->stats_lock_key){+.+.}, at: bond_get_stats+0x90/0x4d0 [bonding]
+[ 38.487625][ T957] #2: ffffffffbc9254c0 (rcu_read_lock){....}, at: bond_get_stats+0x5/0x4d0 [bonding]
+[ 38.488897][ T957]
+[ 38.488897][ T957] stack backtrace:
+[ 38.489646][ T957] CPU: 1 PID: 957 Comm: ip Not tainted 5.5.0+ #394
+[ 38.490497][ T957] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[ 38.492810][ T957] Call Trace:
+[ 38.493219][ T957] dump_stack+0x96/0xdb
+[ 38.493709][ T957] check_noncircular+0x371/0x450
+[ 38.494344][ T957] ? lookup_address+0x60/0x60
+[ 38.494923][ T957] ? print_circular_bug.isra.35+0x310/0x310
+[ 38.495699][ T957] ? hlock_class+0x130/0x130
+[ 38.496334][ T957] ? __lock_acquire+0x2d8d/0x3de0
+[ 38.496979][ T957] __lock_acquire+0x2d8d/0x3de0
+[ 38.497607][ T957] ? register_lock_class+0x14d0/0x14d0
+[ 38.498333][ T957] ? check_chain_key+0x236/0x5d0
+[ 38.499003][ T957] lock_acquire+0x164/0x3b0
+[ 38.499800][ T957] ? bond_get_stats+0x90/0x4d0 [bonding]
+[ 38.500706][ T957] _raw_spin_lock+0x30/0x70
+[ 38.501435][ T957] ? bond_get_stats+0x90/0x4d0 [bonding]
+[ 38.502311][ T957] bond_get_stats+0x90/0x4d0 [bonding]
+[ ... ]
+
+But, there is another problem.
+The dynamic lockdep class key is protected by RTNL, but bond_get_stats()
+would be called outside of RTNL.
+So, it would use an invalid dynamic lockdep class key.
+
+In order to fix this issue, stats_lock uses spin_lock_nested() instead of
+a dynamic lockdep key.
+The bond_get_stats() calls bond_get_lowest_level_rcu() to get the correct
+nest level value, which will be used by spin_lock_nested().
+The "dev->lower_level" indicates lower nest level value, but this value
+is invalid outside of RTNL.
+So, bond_get_lowest_level_rcu() returns valid lower nest level value in
+the RCU critical section.
+bond_get_lowest_level_rcu() will be work only when LOCKDEP is enabled.
+
+Fixes: 089bca2caed0 ("bonding: use dynamic lockdep key instead of subclass")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 53 +++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 50 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3526,6 +3526,47 @@ static void bond_fold_stats(struct rtnl_
+ }
+ }
+
++#ifdef CONFIG_LOCKDEP
++static int bond_get_lowest_level_rcu(struct net_device *dev)
++{
++ struct net_device *ldev, *next, *now, *dev_stack[MAX_NEST_DEV + 1];
++ struct list_head *niter, *iter, *iter_stack[MAX_NEST_DEV + 1];
++ int cur = 0, max = 0;
++
++ now = dev;
++ iter = &dev->adj_list.lower;
++
++ while (1) {
++ next = NULL;
++ while (1) {
++ ldev = netdev_next_lower_dev_rcu(now, &iter);
++ if (!ldev)
++ break;
++
++ next = ldev;
++ niter = &ldev->adj_list.lower;
++ dev_stack[cur] = now;
++ iter_stack[cur++] = iter;
++ if (max <= cur)
++ max = cur;
++ break;
++ }
++
++ if (!next) {
++ if (!cur)
++ return max;
++ next = dev_stack[--cur];
++ niter = iter_stack[cur];
++ }
++
++ now = next;
++ iter = niter;
++ }
++
++ return max;
++}
++#endif
++
+ static void bond_get_stats(struct net_device *bond_dev,
+ struct rtnl_link_stats64 *stats)
+ {
+@@ -3533,11 +3574,17 @@ static void bond_get_stats(struct net_de
+ struct rtnl_link_stats64 temp;
+ struct list_head *iter;
+ struct slave *slave;
++ int nest_level = 0;
+
+- spin_lock(&bond->stats_lock);
+- memcpy(stats, &bond->bond_stats, sizeof(*stats));
+
+ rcu_read_lock();
++#ifdef CONFIG_LOCKDEP
++ nest_level = bond_get_lowest_level_rcu(bond_dev);
++#endif
++
++ spin_lock_nested(&bond->stats_lock, nest_level);
++ memcpy(stats, &bond->bond_stats, sizeof(*stats));
++
+ bond_for_each_slave_rcu(bond, slave, iter) {
+ const struct rtnl_link_stats64 *new =
+ dev_get_stats(slave->dev, &temp);
+@@ -3547,10 +3594,10 @@ static void bond_get_stats(struct net_de
+ /* save off the slave stats for the next run */
+ memcpy(&slave->slave_stats, new, sizeof(*new));
+ }
+- rcu_read_unlock();
+
+ memcpy(&bond->bond_stats, stats, sizeof(*stats));
+ spin_unlock(&bond->stats_lock);
++ rcu_read_unlock();
+ }
+
+ static int bond_do_ioctl(struct net_device *bond_dev, struct ifreq *ifr, int cmd)
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Shannon Nelson <snelson@pensando.io>
+Date: Wed, 19 Feb 2020 14:59:42 -0800
+Subject: ionic: fix fw_status read
+
+From: Shannon Nelson <snelson@pensando.io>
+
+[ Upstream commit 68b759a75d6257759d1e37ff13f2d0659baf1112 ]
+
+The fw_status field is only 8 bits, so fix the read. Also,
+we only want to look at the one status bit, to allow for future
+use of the other bits, and watch for a bad PCI read.
+
+Fixes: 97ca486592c0 ("ionic: add heartbeat check")
+Signed-off-by: Shannon Nelson <snelson@pensando.io>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_dev.c | 11 +++++++----
+ drivers/net/ethernet/pensando/ionic/ionic_if.h | 1 +
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/pensando/ionic/ionic_dev.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_dev.c
+@@ -103,7 +103,7 @@ int ionic_heartbeat_check(struct ionic *
+ {
+ struct ionic_dev *idev = &ionic->idev;
+ unsigned long hb_time;
+- u32 fw_status;
++ u8 fw_status;
+ u32 hb;
+
+ /* wait a little more than one second before testing again */
+@@ -111,9 +111,12 @@ int ionic_heartbeat_check(struct ionic *
+ if (time_before(hb_time, (idev->last_hb_time + ionic->watchdog_period)))
+ return 0;
+
+- /* firmware is useful only if fw_status is non-zero */
+- fw_status = ioread32(&idev->dev_info_regs->fw_status);
+- if (!fw_status)
++ /* firmware is useful only if the running bit is set and
++ * fw_status != 0xff (bad PCI read)
++ */
++ fw_status = ioread8(&idev->dev_info_regs->fw_status);
++ if (fw_status == 0xff ||
++ !(fw_status & IONIC_FW_STS_F_RUNNING))
+ return -ENXIO;
+
+ /* early FW has no heartbeat, else FW will return non-zero */
+--- a/drivers/net/ethernet/pensando/ionic/ionic_if.h
++++ b/drivers/net/ethernet/pensando/ionic/ionic_if.h
+@@ -2348,6 +2348,7 @@ union ionic_dev_info_regs {
+ u8 version;
+ u8 asic_type;
+ u8 asic_rev;
++#define IONIC_FW_STS_F_RUNNING 0x1
+ u8 fw_status;
+ u32 fw_heartbeat;
+ char fw_version[IONIC_DEVINFO_FWVERS_BUFLEN];
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+Date: Wed, 12 Feb 2020 10:41:07 +0900
+Subject: ipv6: Fix nlmsg_flags when splitting a multipath route
+
+From: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+
+[ Upstream commit afecdb376bd81d7e16578f0cfe82a1aec7ae18f3 ]
+
+When splitting an RTA_MULTIPATH request into multiple routes and adding the
+second and later components, we must not simply remove NLM_F_REPLACE but
+instead replace it by NLM_F_CREATE. Otherwise, it may look like the netlink
+message was malformed.
+
+For example,
+ ip route add 2001:db8::1/128 dev dummy0
+ ip route change 2001:db8::1/128 nexthop via fe80::30:1 dev dummy0 \
+ nexthop via fe80::30:2 dev dummy0
+results in the following warnings:
+[ 1035.057019] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
+[ 1035.057517] IPv6: NLM_F_CREATE should be set when creating new route
+
+This patch makes the nlmsg sequence look equivalent for __ip6_ins_rt() to
+what it would get if the multipath route had been added in multiple netlink
+operations:
+ ip route add 2001:db8::1/128 dev dummy0
+ ip route change 2001:db8::1/128 nexthop via fe80::30:1 dev dummy0
+ ip route append 2001:db8::1/128 nexthop via fe80::30:2 dev dummy0
+
+Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
+Signed-off-by: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -5152,6 +5152,7 @@ static int ip6_route_multipath_add(struc
+ */
+ cfg->fc_nlinfo.nlh->nlmsg_flags &= ~(NLM_F_EXCL |
+ NLM_F_REPLACE);
++ cfg->fc_nlinfo.nlh->nlmsg_flags |= NLM_F_CREATE;
+ nhn++;
+ }
+
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+Date: Wed, 12 Feb 2020 10:41:06 +0900
+Subject: ipv6: Fix route replacement with dev-only route
+
+From: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+
+[ Upstream commit e404b8c7cfb31654c9024d497cec58a501501692 ]
+
+After commit 27596472473a ("ipv6: fix ECMP route replacement") it is no
+longer possible to replace an ECMP-able route by a non ECMP-able route.
+For example,
+ ip route add 2001:db8::1/128 via fe80::1 dev dummy0
+ ip route replace 2001:db8::1/128 dev dummy0
+does not work as expected.
+
+Tweak the replacement logic so that point 3 in the log of the above commit
+becomes:
+3. If the new route is not ECMP-able, and no matching non-ECMP-able route
+exists, replace matching ECMP-able route (if any) or add the new route.
+
+We can now summarize the entire replace semantics to:
+When doing a replace, prefer replacing a matching route of the same
+"ECMP-able-ness" as the replace argument. If there is no such candidate,
+fallback to the first route found.
+
+Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
+Signed-off-by: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_fib.c | 7 ++++---
+ tools/testing/selftests/net/fib_tests.sh | 6 ++++++
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -1068,8 +1068,7 @@ static int fib6_add_rt2node(struct fib6_
+ found++;
+ break;
+ }
+- if (rt_can_ecmp)
+- fallback_ins = fallback_ins ?: ins;
++ fallback_ins = fallback_ins ?: ins;
+ goto next_iter;
+ }
+
+@@ -1112,7 +1111,9 @@ next_iter:
+ }
+
+ if (fallback_ins && !found) {
+- /* No ECMP-able route found, replace first non-ECMP one */
++ /* No matching route with same ecmp-able-ness found, replace
++ * first matching route
++ */
+ ins = fallback_ins;
+ iter = rcu_dereference_protected(*ins,
+ lockdep_is_held(&rt->fib6_table->tb6_lock));
+--- a/tools/testing/selftests/net/fib_tests.sh
++++ b/tools/testing/selftests/net/fib_tests.sh
+@@ -910,6 +910,12 @@ ipv6_rt_replace_mpath()
+ check_route6 "2001:db8:104::/64 via 2001:db8:101::3 dev veth1 metric 1024"
+ log_test $? 0 "Multipath with single path via multipath attribute"
+
++ # multipath with dev-only
++ add_initial_route6 "nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2"
++ run_cmd "$IP -6 ro replace 2001:db8:104::/64 dev veth1"
++ check_route6 "2001:db8:104::/64 dev veth1 metric 1024"
++ log_test $? 0 "Multipath with dev-only"
++
+ # route replace fails - invalid nexthop 1
+ add_initial_route6 "nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2"
+ run_cmd "$IP -6 ro replace 2001:db8:104::/64 nexthop via 2001:db8:111::3 nexthop via 2001:db8:103::3"
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 14 Feb 2020 07:53:53 -0800
+Subject: net: add strict checks in netdev_name_node_alt_destroy()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e08ad80551b4b33c02f2fce1522f6c227d3976cf ]
+
+netdev_name_node_alt_destroy() does a lookup over all
+device names of a namespace.
+
+We need to make sure the name belongs to the device
+of interest, and that we do not destroy its primary
+name, since we rely on it being not deleted :
+dev->name_node would indeed point to freed memory.
+
+syzbot report was the following :
+
+BUG: KASAN: use-after-free in dev_net include/linux/netdevice.h:2206 [inline]
+BUG: KASAN: use-after-free in mld_force_mld_version net/ipv6/mcast.c:1172 [inline]
+BUG: KASAN: use-after-free in mld_in_v2_mode_only net/ipv6/mcast.c:1180 [inline]
+BUG: KASAN: use-after-free in mld_in_v1_mode+0x203/0x230 net/ipv6/mcast.c:1190
+Read of size 8 at addr ffff88809886c588 by task swapper/1/0
+
+CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x197/0x210 lib/dump_stack.c:118
+ print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
+ __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
+ kasan_report+0x12/0x20 mm/kasan/common.c:641
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
+ dev_net include/linux/netdevice.h:2206 [inline]
+ mld_force_mld_version net/ipv6/mcast.c:1172 [inline]
+ mld_in_v2_mode_only net/ipv6/mcast.c:1180 [inline]
+ mld_in_v1_mode+0x203/0x230 net/ipv6/mcast.c:1190
+ mld_send_initial_cr net/ipv6/mcast.c:2083 [inline]
+ mld_dad_timer_expire+0x24/0x230 net/ipv6/mcast.c:2118
+ call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404
+ expire_timers kernel/time/timer.c:1449 [inline]
+ __run_timers kernel/time/timer.c:1773 [inline]
+ __run_timers kernel/time/timer.c:1740 [inline]
+ run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786
+ __do_softirq+0x262/0x98c kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:373 [inline]
+ irq_exit+0x19b/0x1e0 kernel/softirq.c:413
+ exiting_irq arch/x86/include/asm/apic.h:546 [inline]
+ smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1146
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
+ </IRQ>
+RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
+Code: 68 73 c5 f9 eb 8a cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 94 be 59 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 84 be 59 00 fb f4 <c3> cc 55 48 89 e5 41 57 41 56 41 55 41 54 53 e8 de 2a 74 f9 e8 09
+RSP: 0018:ffffc90000d3fd68 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
+RAX: 1ffffffff136761a RBX: ffff8880a99fc340 RCX: 0000000000000000
+RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffff8880a99fcbd4
+RBP: ffffc90000d3fd98 R08: ffff8880a99fc340 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
+R13: ffffffff8aa5a1c0 R14: 0000000000000000 R15: 0000000000000001
+ arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:686
+ default_idle_call+0x84/0xb0 kernel/sched/idle.c:94
+ cpuidle_idle_call kernel/sched/idle.c:154 [inline]
+ do_idle+0x3c8/0x6e0 kernel/sched/idle.c:269
+ cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:361
+ start_secondary+0x2f4/0x410 arch/x86/kernel/smpboot.c:264
+ secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:242
+
+Allocated by task 10229:
+ save_stack+0x23/0x90 mm/kasan/common.c:72
+ set_track mm/kasan/common.c:80 [inline]
+ __kasan_kmalloc mm/kasan/common.c:515 [inline]
+ __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:488
+ kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529
+ __do_kmalloc_node mm/slab.c:3616 [inline]
+ __kmalloc_node+0x4e/0x70 mm/slab.c:3623
+ kmalloc_node include/linux/slab.h:578 [inline]
+ kvmalloc_node+0x68/0x100 mm/util.c:574
+ kvmalloc include/linux/mm.h:645 [inline]
+ kvzalloc include/linux/mm.h:653 [inline]
+ alloc_netdev_mqs+0x98/0xe40 net/core/dev.c:9797
+ rtnl_create_link+0x22d/0xaf0 net/core/rtnetlink.c:3047
+ __rtnl_newlink+0xf9f/0x1790 net/core/rtnetlink.c:3309
+ rtnl_newlink+0x69/0xa0 net/core/rtnetlink.c:3377
+ rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5438
+ netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
+ rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5456
+ netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ netlink_unicast+0x59e/0x7e0 net/netlink/af_netlink.c:1328
+ netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xd7/0x130 net/socket.c:672
+ __sys_sendto+0x262/0x380 net/socket.c:1998
+ __do_compat_sys_socketcall net/compat.c:771 [inline]
+ __se_compat_sys_socketcall net/compat.c:719 [inline]
+ __ia32_compat_sys_socketcall+0x530/0x710 net/compat.c:719
+ do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
+ do_fast_syscall_32+0x27b/0xe16 arch/x86/entry/common.c:408
+ entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
+
+Freed by task 10229:
+ save_stack+0x23/0x90 mm/kasan/common.c:72
+ set_track mm/kasan/common.c:80 [inline]
+ kasan_set_free_info mm/kasan/common.c:337 [inline]
+ __kasan_slab_free+0x102/0x150 mm/kasan/common.c:476
+ kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
+ __cache_free mm/slab.c:3426 [inline]
+ kfree+0x10a/0x2c0 mm/slab.c:3757
+ __netdev_name_node_alt_destroy+0x1ff/0x2a0 net/core/dev.c:322
+ netdev_name_node_alt_destroy+0x57/0x80 net/core/dev.c:334
+ rtnl_alt_ifname net/core/rtnetlink.c:3518 [inline]
+ rtnl_linkprop.isra.0+0x575/0x6f0 net/core/rtnetlink.c:3567
+ rtnl_dellinkprop+0x46/0x60 net/core/rtnetlink.c:3588
+ rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5438
+ netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
+ rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5456
+ netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ netlink_unicast+0x59e/0x7e0 net/netlink/af_netlink.c:1328
+ netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xd7/0x130 net/socket.c:672
+ ____sys_sendmsg+0x753/0x880 net/socket.c:2343
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2397
+ __sys_sendmsg+0x105/0x1d0 net/socket.c:2430
+ __compat_sys_sendmsg net/compat.c:642 [inline]
+ __do_compat_sys_sendmsg net/compat.c:649 [inline]
+ __se_compat_sys_sendmsg net/compat.c:646 [inline]
+ __ia32_compat_sys_sendmsg+0x7a/0xb0 net/compat.c:646
+ do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
+ do_fast_syscall_32+0x27b/0xe16 arch/x86/entry/common.c:408
+ entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
+
+The buggy address belongs to the object at ffff88809886c000
+ which belongs to the cache kmalloc-4k of size 4096
+The buggy address is located 1416 bytes inside of
+ 4096-byte region [ffff88809886c000, ffff88809886d000)
+The buggy address belongs to the page:
+page:ffffea0002621b00 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
+flags: 0xfffe0000010200(slab|head)
+raw: 00fffe0000010200 ffffea0002610d08 ffffea0002607608 ffff8880aa402000
+raw: 0000000000000000 ffff88809886c000 0000000100000001 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff88809886c480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88809886c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff88809886c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff88809886c600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff88809886c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: 36fbf1e52bd3 ("net: rtnetlink: add linkprop commands to add and delete alternative ifnames")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Jiri Pirko <jiri@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -330,6 +330,12 @@ int netdev_name_node_alt_destroy(struct
+ name_node = netdev_name_node_lookup(net, name);
+ if (!name_node)
+ return -ENOENT;
++ /* lookup might have found our primary name or a name belonging
++ * to another device.
++ */
++ if (name_node == dev->name_node || name_node->dev != dev)
++ return -EINVAL;
++
+ __netdev_name_node_alt_destroy(name_node);
+
+ return 0;
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 14 Feb 2020 15:26:19 -0800
+Subject: net: dsa: b53: Ensure the default VID is untagged
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit d965a5432d4c3e6b9c3d2bc1d4a800013bbf76f6 ]
+
+We need to ensure that the default VID is untagged otherwise the switch
+will be sending tagged frames and the results can be problematic. This
+is especially true with b53 switches that use VID 0 as their default
+VLAN since VID 0 has a special meaning.
+
+Fixes: fea83353177a ("net: dsa: b53: Fix default VLAN ID")
+Fixes: 061f6a505ac3 ("net: dsa: Add ndo_vlan_rx_{add, kill}_vid implementation")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1353,6 +1353,9 @@ void b53_vlan_add(struct dsa_switch *ds,
+
+ b53_get_vlan_entry(dev, vid, vl);
+
++ if (vid == 0 && vid == b53_default_pvid(dev))
++ untagged = true;
++
+ vl->members |= BIT(port);
+ if (untagged && !dsa_is_cpu_port(ds, port))
+ vl->untag |= BIT(port);
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Sat, 15 Feb 2020 10:50:21 +0000
+Subject: net: export netdev_next_lower_dev_rcu()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 7151affeef8d527f50b4b68a871fd28bd660023f ]
+
+netdev_next_lower_dev_rcu() will be used to implement a function,
+which is to walk all lower interfaces.
+There are already functions that they walk their lower interface.
+(netdev_walk_all_lower_dev_rcu, netdev_walk_all_lower_dev()).
+But, there would be cases that couldn't be covered by given
+netdev_walk_all_lower_dev_{rcu}() function.
+So, some modules would want to implement own function,
+which is to walk all lower interfaces.
+
+In the next patch, netdev_next_lower_dev_rcu() will be used.
+In addition, this patch removes two unused prototypes in netdevice.h.
+
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdevice.h | 7 +++----
+ net/core/dev.c | 6 +++---
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -72,6 +72,8 @@ void netdev_set_default_ethtool_ops(stru
+ #define NET_RX_SUCCESS 0 /* keep 'em coming, baby */
+ #define NET_RX_DROP 1 /* packet dropped */
+
++#define MAX_NEST_DEV 8
++
+ /*
+ * Transmit return codes: transmit return codes originate from three different
+ * namespaces:
+@@ -4323,11 +4325,8 @@ void *netdev_lower_get_next(struct net_d
+ ldev; \
+ ldev = netdev_lower_get_next(dev, &(iter)))
+
+-struct net_device *netdev_all_lower_get_next(struct net_device *dev,
++struct net_device *netdev_next_lower_dev_rcu(struct net_device *dev,
+ struct list_head **iter);
+-struct net_device *netdev_all_lower_get_next_rcu(struct net_device *dev,
+- struct list_head **iter);
+-
+ int netdev_walk_all_lower_dev(struct net_device *dev,
+ int (*fn)(struct net_device *lower_dev,
+ void *data),
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -146,7 +146,6 @@
+ #include "net-sysfs.h"
+
+ #define MAX_GRO_SKBS 8
+-#define MAX_NEST_DEV 8
+
+ /* This should be increased if a protocol with a bigger head is added. */
+ #define GRO_MAX_HEAD (MAX_HEADER + 128)
+@@ -7135,8 +7134,8 @@ static int __netdev_walk_all_lower_dev(s
+ return 0;
+ }
+
+-static struct net_device *netdev_next_lower_dev_rcu(struct net_device *dev,
+- struct list_head **iter)
++struct net_device *netdev_next_lower_dev_rcu(struct net_device *dev,
++ struct list_head **iter)
+ {
+ struct netdev_adjacent *lower;
+
+@@ -7148,6 +7147,7 @@ static struct net_device *netdev_next_lo
+
+ return lower->dev;
+ }
++EXPORT_SYMBOL(netdev_next_lower_dev_rcu);
+
+ static u8 __netdev_upper_depth(struct net_device *dev)
+ {
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Jethro Beekman <jethro@fortanix.com>
+Date: Wed, 12 Feb 2020 16:43:41 +0100
+Subject: net: fib_rules: Correctly set table field when table number exceeds 8 bits
+
+From: Jethro Beekman <jethro@fortanix.com>
+
+[ Upstream commit 540e585a79e9d643ede077b73bcc7aa2d7b4d919 ]
+
+In 709772e6e06564ed94ba740de70185ac3d792773, RT_TABLE_COMPAT was added to
+allow legacy software to deal with routing table numbers >= 256, but the
+same change to FIB rule queries was overlooked.
+
+Signed-off-by: Jethro Beekman <jethro@fortanix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/fib_rules.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/fib_rules.c
++++ b/net/core/fib_rules.c
+@@ -974,7 +974,7 @@ static int fib_nl_fill_rule(struct sk_bu
+
+ frh = nlmsg_data(nlh);
+ frh->family = ops->family;
+- frh->table = rule->table;
++ frh->table = rule->table < 256 ? rule->table : RT_TABLE_COMPAT;
+ if (nla_put_u32(skb, FRA_TABLE, rule->table))
+ goto nla_put_failure;
+ if (nla_put_u32(skb, FRA_SUPPRESS_PREFIXLEN, rule->suppress_prefixlen))
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Wed, 12 Feb 2020 17:45:38 +0100
+Subject: net: macb: ensure interface is not suspended on at91rm9200
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit e6a41c23df0d5da01540d2abef41591589c0b4be ]
+
+Because of autosuspend, at91ether_start is called with clocks disabled.
+Ensure that pm_runtime doesn't suspend the interface as soon as it is
+opened as there is no pm_runtime support is the other relevant parts of the
+platform support for at91rm9200.
+
+Fixes: d54f89af6cc4 ("net: macb: Add pm runtime support")
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -3751,6 +3751,10 @@ static int at91ether_open(struct net_dev
+ u32 ctl;
+ int ret;
+
++ ret = pm_runtime_get_sync(&lp->pdev->dev);
++ if (ret < 0)
++ return ret;
++
+ /* Clear internal statistics */
+ ctl = macb_readl(lp, NCR);
+ macb_writel(lp, NCR, ctl | MACB_BIT(CLRSTAT));
+@@ -3815,7 +3819,7 @@ static int at91ether_close(struct net_de
+ q->rx_buffers, q->rx_buffers_dma);
+ q->rx_buffers = NULL;
+
+- return 0;
++ return pm_runtime_put(&lp->pdev->dev);
+ }
+
+ /* Transmit packet */
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Wed, 19 Feb 2020 15:15:51 +0100
+Subject: net: macb: Properly handle phylink on at91rm9200
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit ac2fcfa9fd26db67d7000677c05629c34cc94564 ]
+
+at91ether_init was handling the phy mode and speed but since the switch to
+phylink, the NCFGR register got overwritten by macb_mac_config(). The issue
+is that the RM9200_RMII bit and the MACB_CLK_DIV32 field are cleared
+but never restored as they conflict with the PAE, GBE and PCSSEL bits.
+
+Add new capability to differentiate between EMAC and the other versions of
+the IP and use it to set and avoid clearing the relevant bits.
+
+Also, this fixes a NULL pointer dereference in macb_mac_link_up as the EMAC
+doesn't use any rings/bufffers/queues.
+
+Fixes: 7897b071ac3b ("net: macb: convert to phylink")
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb.h | 1
+ drivers/net/ethernet/cadence/macb_main.c | 60 ++++++++++++++++---------------
+ 2 files changed, 33 insertions(+), 28 deletions(-)
+
+--- a/drivers/net/ethernet/cadence/macb.h
++++ b/drivers/net/ethernet/cadence/macb.h
+@@ -645,6 +645,7 @@
+ #define MACB_CAPS_GEM_HAS_PTP 0x00000040
+ #define MACB_CAPS_BD_RD_PREFETCH 0x00000080
+ #define MACB_CAPS_NEEDS_RSTONUBR 0x00000100
++#define MACB_CAPS_MACB_IS_EMAC 0x08000000
+ #define MACB_CAPS_FIFO_MODE 0x10000000
+ #define MACB_CAPS_GIGABIT_MODE_AVAILABLE 0x20000000
+ #define MACB_CAPS_SG_DISABLED 0x40000000
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -533,8 +533,21 @@ static void macb_mac_config(struct phyli
+ old_ctrl = ctrl = macb_or_gem_readl(bp, NCFGR);
+
+ /* Clear all the bits we might set later */
+- ctrl &= ~(GEM_BIT(GBE) | MACB_BIT(SPD) | MACB_BIT(FD) | MACB_BIT(PAE) |
+- GEM_BIT(SGMIIEN) | GEM_BIT(PCSSEL));
++ ctrl &= ~(MACB_BIT(SPD) | MACB_BIT(FD) | MACB_BIT(PAE));
++
++ if (bp->caps & MACB_CAPS_MACB_IS_EMAC) {
++ if (state->interface == PHY_INTERFACE_MODE_RMII)
++ ctrl |= MACB_BIT(RM9200_RMII);
++ } else {
++ ctrl &= ~(GEM_BIT(GBE) | GEM_BIT(SGMIIEN) | GEM_BIT(PCSSEL));
++
++ /* We do not support MLO_PAUSE_RX yet */
++ if (state->pause & MLO_PAUSE_TX)
++ ctrl |= MACB_BIT(PAE);
++
++ if (state->interface == PHY_INTERFACE_MODE_SGMII)
++ ctrl |= GEM_BIT(SGMIIEN) | GEM_BIT(PCSSEL);
++ }
+
+ if (state->speed == SPEED_1000)
+ ctrl |= GEM_BIT(GBE);
+@@ -544,13 +557,6 @@ static void macb_mac_config(struct phyli
+ if (state->duplex)
+ ctrl |= MACB_BIT(FD);
+
+- /* We do not support MLO_PAUSE_RX yet */
+- if (state->pause & MLO_PAUSE_TX)
+- ctrl |= MACB_BIT(PAE);
+-
+- if (state->interface == PHY_INTERFACE_MODE_SGMII)
+- ctrl |= GEM_BIT(SGMIIEN) | GEM_BIT(PCSSEL);
+-
+ /* Apply the new configuration, if any */
+ if (old_ctrl ^ ctrl)
+ macb_or_gem_writel(bp, NCFGR, ctrl);
+@@ -569,9 +575,10 @@ static void macb_mac_link_down(struct ph
+ unsigned int q;
+ u32 ctrl;
+
+- for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue)
+- queue_writel(queue, IDR,
+- bp->rx_intr_mask | MACB_TX_INT_FLAGS | MACB_BIT(HRESP));
++ if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC))
++ for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue)
++ queue_writel(queue, IDR,
++ bp->rx_intr_mask | MACB_TX_INT_FLAGS | MACB_BIT(HRESP));
+
+ /* Disable Rx and Tx */
+ ctrl = macb_readl(bp, NCR) & ~(MACB_BIT(RE) | MACB_BIT(TE));
+@@ -588,17 +595,19 @@ static void macb_mac_link_up(struct phyl
+ struct macb_queue *queue;
+ unsigned int q;
+
+- macb_set_tx_clk(bp->tx_clk, bp->speed, ndev);
++ if (!(bp->caps & MACB_CAPS_MACB_IS_EMAC)) {
++ macb_set_tx_clk(bp->tx_clk, bp->speed, ndev);
+
+- /* Initialize rings & buffers as clearing MACB_BIT(TE) in link down
+- * cleared the pipeline and control registers.
+- */
+- bp->macbgem_ops.mog_init_rings(bp);
+- macb_init_buffers(bp);
++ /* Initialize rings & buffers as clearing MACB_BIT(TE) in link down
++ * cleared the pipeline and control registers.
++ */
++ bp->macbgem_ops.mog_init_rings(bp);
++ macb_init_buffers(bp);
+
+- for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue)
+- queue_writel(queue, IER,
+- bp->rx_intr_mask | MACB_TX_INT_FLAGS | MACB_BIT(HRESP));
++ for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue)
++ queue_writel(queue, IER,
++ bp->rx_intr_mask | MACB_TX_INT_FLAGS | MACB_BIT(HRESP));
++ }
+
+ /* Enable Rx and Tx */
+ macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(RE) | MACB_BIT(TE));
+@@ -4002,7 +4011,6 @@ static int at91ether_init(struct platfor
+ struct net_device *dev = platform_get_drvdata(pdev);
+ struct macb *bp = netdev_priv(dev);
+ int err;
+- u32 reg;
+
+ bp->queues[0].bp = bp;
+
+@@ -4016,11 +4024,7 @@ static int at91ether_init(struct platfor
+
+ macb_writel(bp, NCR, 0);
+
+- reg = MACB_BF(CLK, MACB_CLK_DIV32) | MACB_BIT(BIG);
+- if (bp->phy_interface == PHY_INTERFACE_MODE_RMII)
+- reg |= MACB_BIT(RM9200_RMII);
+-
+- macb_writel(bp, NCFGR, reg);
++ macb_writel(bp, NCFGR, MACB_BF(CLK, MACB_CLK_DIV32) | MACB_BIT(BIG));
+
+ return 0;
+ }
+@@ -4179,7 +4183,7 @@ static const struct macb_config sama5d4_
+ };
+
+ static const struct macb_config emac_config = {
+- .caps = MACB_CAPS_NEEDS_RSTONUBR,
++ .caps = MACB_CAPS_NEEDS_RSTONUBR | MACB_CAPS_MACB_IS_EMAC,
+ .clk_init = at91ether_clk_init,
+ .init = at91ether_init,
+ };
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+Date: Mon, 17 Feb 2020 09:31:33 +0100
+Subject: net: mscc: fix in frame extraction
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit a81541041ceb55bcec9a8bb8ad3482263f0a205a ]
+
+Each extracted frame on Ocelot has an IFH. The frame and IFH are extracted
+by reading chuncks of 4 bytes from a register.
+
+In case the IFH and frames were read corretly it would try to read the next
+frame. In case there are no more frames in the queue, it checks if there
+were any previous errors and in that case clear the queue. But this check
+will always succeed also when there are no errors. Because when extracting
+the IFH the error is checked against 4(number of bytes read) and then the
+error is set only if the extraction of the frame failed. So in a happy case
+where there are no errors the err variable is still 4. So it could be
+a case where after the check that there are no more frames in the queue, a
+frame will arrive in the queue but because the error is not reseted, it
+would try to flush the queue. So the frame will be lost.
+
+The fix consist in resetting the error after reading the IFH.
+
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mscc/ocelot_board.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/ethernet/mscc/ocelot_board.c
++++ b/drivers/net/ethernet/mscc/ocelot_board.c
+@@ -114,6 +114,14 @@ static irqreturn_t ocelot_xtr_irq_handle
+ if (err != 4)
+ break;
+
++ /* At this point the IFH was read correctly, so it is safe to
++ * presume that there is no error. The err needs to be reset
++ * otherwise a frame could come in CPU queue between the while
++ * condition and the check for error later on. And in that case
++ * the new frame is just removed and not processed.
++ */
++ err = 0;
++
+ ocelot_parse_ifh(ifh, &info);
+
+ ocelot_port = ocelot->ports[info.port];
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Arun Parameswaran <arun.parameswaran@broadcom.com>
+Date: Fri, 14 Feb 2020 13:47:46 -0800
+Subject: net: phy: restore mdio regs in the iproc mdio driver
+
+From: Arun Parameswaran <arun.parameswaran@broadcom.com>
+
+The mii management register in iproc mdio block
+does not have a retention register so it is lost on suspend.
+Save and restore value of register while resuming from suspend.
+
+Fixes: bb1a619735b4 ("net: phy: Initialize mdio clock at probe function")
+Signed-off-by: Arun Parameswaran <arun.parameswaran@broadcom.com>
+Signed-off-by: Scott Branden <scott.branden@broadcom.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio-bcm-iproc.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/drivers/net/phy/mdio-bcm-iproc.c
++++ b/drivers/net/phy/mdio-bcm-iproc.c
+@@ -178,6 +178,23 @@ static int iproc_mdio_remove(struct plat
+ return 0;
+ }
+
++#ifdef CONFIG_PM_SLEEP
++int iproc_mdio_resume(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct iproc_mdio_priv *priv = platform_get_drvdata(pdev);
++
++ /* restore the mii clock configuration */
++ iproc_mdio_config_clk(priv->base);
++
++ return 0;
++}
++
++static const struct dev_pm_ops iproc_mdio_pm_ops = {
++ .resume = iproc_mdio_resume
++};
++#endif /* CONFIG_PM_SLEEP */
++
+ static const struct of_device_id iproc_mdio_of_match[] = {
+ { .compatible = "brcm,iproc-mdio", },
+ { /* sentinel */ },
+@@ -188,6 +205,9 @@ static struct platform_driver iproc_mdio
+ .driver = {
+ .name = "iproc-mdio",
+ .of_match_table = iproc_mdio_of_match,
++#ifdef CONFIG_PM_SLEEP
++ .pm = &iproc_mdio_pm_ops,
++#endif
+ },
+ .probe = iproc_mdio_probe,
+ .remove = iproc_mdio_remove,
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 12 Feb 2020 20:58:26 -0800
+Subject: net: rtnetlink: fix bugs in rtnl_alt_ifname()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 44bfa9c5e5f06c72540273813e4c66beb5a8c213 ]
+
+Since IFLA_ALT_IFNAME is an NLA_STRING, we have no
+guarantee it is nul terminated.
+
+We should use nla_strdup() instead of kstrdup(), since this
+helper will make sure not accessing out-of-bounds data.
+
+BUG: KMSAN: uninit-value in strlen+0x5e/0xa0 lib/string.c:535
+CPU: 1 PID: 19157 Comm: syz-executor.5 Not tainted 5.5.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ strlen+0x5e/0xa0 lib/string.c:535
+ kstrdup+0x7f/0x1a0 mm/util.c:59
+ rtnl_alt_ifname net/core/rtnetlink.c:3495 [inline]
+ rtnl_linkprop+0x85d/0xc00 net/core/rtnetlink.c:3553
+ rtnl_newlinkprop+0x9d/0xb0 net/core/rtnetlink.c:3568
+ rtnetlink_rcv_msg+0x1153/0x1570 net/core/rtnetlink.c:5424
+ netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
+ netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
+ netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:639 [inline]
+ sock_sendmsg net/socket.c:659 [inline]
+ ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
+ ___sys_sendmsg net/socket.c:2384 [inline]
+ __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
+ __do_sys_sendmsg net/socket.c:2426 [inline]
+ __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45b3b9
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ff1c7b1ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007ff1c7b1b6d4 RCX: 000000000045b3b9
+RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000003
+RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000009cb R14: 00000000004cb3dd R15: 000000000075bf2c
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
+ slab_alloc_node mm/slub.c:2774 [inline]
+ __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382
+ __kmalloc_reserve net/core/skbuff.c:141 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
+ alloc_skb include/linux/skbuff.h:1049 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
+ netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892
+ sock_sendmsg_nosec net/socket.c:639 [inline]
+ sock_sendmsg net/socket.c:659 [inline]
+ ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
+ ___sys_sendmsg net/socket.c:2384 [inline]
+ __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
+ __do_sys_sendmsg net/socket.c:2426 [inline]
+ __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 36fbf1e52bd3 ("net: rtnetlink: add linkprop commands to add and delete alternative ifnames")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jiri Pirko <jiri@mellanox.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -3499,27 +3499,25 @@ static int rtnl_alt_ifname(int cmd, stru
+ if (err)
+ return err;
+
+- alt_ifname = nla_data(attr);
++ alt_ifname = nla_strdup(attr, GFP_KERNEL);
++ if (!alt_ifname)
++ return -ENOMEM;
++
+ if (cmd == RTM_NEWLINKPROP) {
+- alt_ifname = kstrdup(alt_ifname, GFP_KERNEL);
+- if (!alt_ifname)
+- return -ENOMEM;
+ err = netdev_name_node_alt_create(dev, alt_ifname);
+- if (err) {
+- kfree(alt_ifname);
+- return err;
+- }
++ if (!err)
++ alt_ifname = NULL;
+ } else if (cmd == RTM_DELLINKPROP) {
+ err = netdev_name_node_alt_destroy(dev, alt_ifname);
+- if (err)
+- return err;
+ } else {
+- WARN_ON(1);
+- return 0;
++ WARN_ON_ONCE(1);
++ err = -EINVAL;
+ }
+
+- *changed = true;
+- return 0;
++ kfree(alt_ifname);
++ if (!err)
++ *changed = true;
++ return err;
+ }
+
+ static int rtnl_linkprop(int cmd, struct sk_buff *skb, struct nlmsghdr *nlh,
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Jason Baron <jbaron@akamai.com>
+Date: Mon, 17 Feb 2020 15:38:09 -0500
+Subject: net: sched: correct flower port blocking
+
+From: Jason Baron <jbaron@akamai.com>
+
+[ Upstream commit 8a9093c79863b58cc2f9874d7ae788f0d622a596 ]
+
+tc flower rules that are based on src or dst port blocking are sometimes
+ineffective due to uninitialized stack data. __skb_flow_dissect() extracts
+ports from the skb for tc flower to match against. However, the port
+dissection is not done when when the FLOW_DIS_IS_FRAGMENT bit is set in
+key_control->flags. All callers of __skb_flow_dissect(), zero-out the
+key_control field except for fl_classify() as used by the flower
+classifier. Thus, the FLOW_DIS_IS_FRAGMENT may be set on entry to
+__skb_flow_dissect(), since key_control is allocated on the stack
+and may not be initialized.
+
+Since key_basic and key_control are present for all flow keys, let's
+make sure they are initialized.
+
+Fixes: 62230715fd24 ("flow_dissector: do not dissect l4 ports for fragments")
+Co-developed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Jason Baron <jbaron@akamai.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/flow_dissector.h | 9 +++++++++
+ net/sched/cls_flower.c | 1 +
+ 2 files changed, 10 insertions(+)
+
+--- a/include/net/flow_dissector.h
++++ b/include/net/flow_dissector.h
+@@ -5,6 +5,7 @@
+ #include <linux/types.h>
+ #include <linux/in6.h>
+ #include <linux/siphash.h>
++#include <linux/string.h>
+ #include <uapi/linux/if_ether.h>
+
+ struct sk_buff;
+@@ -349,4 +350,12 @@ struct bpf_flow_dissector {
+ void *data_end;
+ };
+
++static inline void
++flow_dissector_init_keys(struct flow_dissector_key_control *key_control,
++ struct flow_dissector_key_basic *key_basic)
++{
++ memset(key_control, 0, sizeof(*key_control));
++ memset(key_basic, 0, sizeof(*key_basic));
++}
++
+ #endif
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -305,6 +305,7 @@ static int fl_classify(struct sk_buff *s
+ struct cls_fl_filter *f;
+
+ list_for_each_entry_rcu(mask, &head->masks, list) {
++ flow_dissector_init_keys(&skb_key.control, &skb_key.basic);
+ fl_clear_masked_range(&skb_key, mask);
+
+ skb_flow_dissect_meta(skb, &mask->dissector, &skb_key);
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Rohit Maheshwari <rohitm@chelsio.com>
+Date: Wed, 19 Feb 2020 09:40:22 +0530
+Subject: net/tls: Fix to avoid gettig invalid tls record
+
+From: Rohit Maheshwari <rohitm@chelsio.com>
+
+[ Upstream commit 06f5201c6392f998a49ca9c9173e2930c8eb51d8 ]
+
+Current code doesn't check if tcp sequence number is starting from (/after)
+1st record's start sequnce number. It only checks if seq number is before
+1st record's end sequnce number. This problem will always be a possibility
+in re-transmit case. If a record which belongs to a requested seq number is
+already deleted, tls_get_record will start looking into list and as per the
+check it will look if seq number is before the end seq of 1st record, which
+will always be true and will return 1st record always, it should in fact
+return NULL.
+As part of the fix, start looking each record only if the sequence number
+lies in the list else return NULL.
+There is one more check added, driver look for the start marker record to
+handle tcp packets which are before the tls offload start sequence number,
+hence return 1st record if the record is tls start marker and seq number is
+before the 1st record's starting sequence number.
+
+Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
+Signed-off-by: Rohit Maheshwari <rohitm@chelsio.com>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_device.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -592,7 +592,7 @@ struct tls_record_info *tls_get_record(s
+ u32 seq, u64 *p_record_sn)
+ {
+ u64 record_sn = context->hint_record_sn;
+- struct tls_record_info *info;
++ struct tls_record_info *info, *last;
+
+ info = context->retransmit_hint;
+ if (!info ||
+@@ -604,6 +604,24 @@ struct tls_record_info *tls_get_record(s
+ struct tls_record_info, list);
+ if (!info)
+ return NULL;
++ /* send the start_marker record if seq number is before the
++ * tls offload start marker sequence number. This record is
++ * required to handle TCP packets which are before TLS offload
++ * started.
++ * And if it's not start marker, look if this seq number
++ * belongs to the list.
++ */
++ if (likely(!tls_record_is_start_marker(info))) {
++ /* we have the first record, get the last record to see
++ * if this seq number belongs to the list.
++ */
++ last = list_last_entry(&context->records_list,
++ struct tls_record_info, list);
++
++ if (!between(seq, tls_record_start_seq(info),
++ last->end_seq))
++ return NULL;
++ }
+ record_sn = context->unacked_record_sn;
+ }
+
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Wed, 19 Feb 2020 18:01:22 +0300
+Subject: nfc: pn544: Fix occasional HW initialization failure
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+[ Upstream commit c3331d2fe3fd4d5e321f2467d01f72de7edfb5d0 ]
+
+The PN544 driver checks the "enable" polarity during of driver's probe and
+it's doing that by turning ON and OFF NFC with different polarities until
+enabling succeeds. It takes some time for the hardware to power-down, and
+thus, to deassert the IRQ that is raised by turning ON the hardware.
+Since the delay after last power-down of the polarity-checking process is
+missed in the code, the interrupt may trigger immediately after installing
+the IRQ handler (right after the checking is done), which results in IRQ
+handler trying to touch the disabled HW and ends with marking NFC as
+'DEAD' during of the driver's probe:
+
+ pn544_hci_i2c 1-002a: NFC: nfc_en polarity : active high
+ pn544_hci_i2c 1-002a: NFC: invalid len byte
+ shdlc: llc_shdlc_recv_frame: NULL Frame -> link is dead
+
+This patch fixes the occasional NFC initialization failure on Nexus 7
+device.
+
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/pn544/i2c.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nfc/pn544/i2c.c
++++ b/drivers/nfc/pn544/i2c.c
+@@ -225,6 +225,7 @@ static void pn544_hci_i2c_platform_init(
+
+ out:
+ gpiod_set_value_cansleep(phy->gpiod_en, !phy->en_polarity);
++ usleep_range(10000, 15000);
+ }
+
+ static void pn544_hci_i2c_enable_mode(struct pn544_i2c_phy *phy, int run_mode)
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Michal Kalderon <michal.kalderon@marvell.com>
+Date: Mon, 17 Feb 2020 13:37:18 +0200
+Subject: qede: Fix race between rdma destroy workqueue and link change event
+
+From: Michal Kalderon <michal.kalderon@marvell.com>
+
+[ Upstream commit af6565adb02d3129d3fae4d9d5da945abaf4417a ]
+
+If an event is added while the rdma workqueue is being destroyed
+it could lead to several races, list corruption, null pointer
+dereference during queue_work or init_queue.
+This fixes the race between the two flows which can occur during
+shutdown.
+
+A kref object and a completion object are added to the rdma_dev
+structure, these are initialized before the workqueue is created.
+The refcnt is used to indicate work is being added to the
+workqueue and ensures the cleanup flow won't start while we're in
+the middle of adding the event.
+Once the work is added, the refcnt is decreased and the cleanup flow
+is safe to run.
+
+Fixes: cee9fbd8e2e ("qede: Add qedr framework")
+Signed-off-by: Ariel Elior <ariel.elior@marvell.com>
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede.h | 2 +
+ drivers/net/ethernet/qlogic/qede/qede_rdma.c | 29 ++++++++++++++++++++++++++-
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qede/qede.h
++++ b/drivers/net/ethernet/qlogic/qede/qede.h
+@@ -163,6 +163,8 @@ struct qede_rdma_dev {
+ struct list_head entry;
+ struct list_head rdma_event_list;
+ struct workqueue_struct *rdma_wq;
++ struct kref refcnt;
++ struct completion event_comp;
+ bool exp_recovery;
+ };
+
+--- a/drivers/net/ethernet/qlogic/qede/qede_rdma.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_rdma.c
+@@ -59,6 +59,9 @@ static void _qede_rdma_dev_add(struct qe
+ static int qede_rdma_create_wq(struct qede_dev *edev)
+ {
+ INIT_LIST_HEAD(&edev->rdma_info.rdma_event_list);
++ kref_init(&edev->rdma_info.refcnt);
++ init_completion(&edev->rdma_info.event_comp);
++
+ edev->rdma_info.rdma_wq = create_singlethread_workqueue("rdma_wq");
+ if (!edev->rdma_info.rdma_wq) {
+ DP_NOTICE(edev, "qedr: Could not create workqueue\n");
+@@ -83,8 +86,23 @@ static void qede_rdma_cleanup_event(stru
+ }
+ }
+
++static void qede_rdma_complete_event(struct kref *ref)
++{
++ struct qede_rdma_dev *rdma_dev =
++ container_of(ref, struct qede_rdma_dev, refcnt);
++
++ /* no more events will be added after this */
++ complete(&rdma_dev->event_comp);
++}
++
+ static void qede_rdma_destroy_wq(struct qede_dev *edev)
+ {
++ /* Avoid race with add_event flow, make sure it finishes before
++ * we start accessing the list and cleaning up the work
++ */
++ kref_put(&edev->rdma_info.refcnt, qede_rdma_complete_event);
++ wait_for_completion(&edev->rdma_info.event_comp);
++
+ qede_rdma_cleanup_event(edev);
+ destroy_workqueue(edev->rdma_info.rdma_wq);
+ }
+@@ -310,15 +328,24 @@ static void qede_rdma_add_event(struct q
+ if (!edev->rdma_info.qedr_dev)
+ return;
+
++ /* We don't want the cleanup flow to start while we're allocating and
++ * scheduling the work
++ */
++ if (!kref_get_unless_zero(&edev->rdma_info.refcnt))
++ return; /* already being destroyed */
++
+ event_node = qede_rdma_get_free_event_node(edev);
+ if (!event_node)
+- return;
++ goto out;
+
+ event_node->event = event;
+ event_node->ptr = edev;
+
+ INIT_WORK(&event_node->work, qede_rdma_handle_event);
+ queue_work(edev->rdma_info.rdma_wq, &event_node->work);
++
++out:
++ kref_put(&edev->rdma_info.refcnt, qede_rdma_complete_event);
+ }
+
+ void qede_rdma_dev_event_open(struct qede_dev *edev)
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 18 Feb 2020 18:15:44 +0100
+Subject: Revert "net: dev: introduce support for sch BYPASS for lockless qdisc"
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 379349e9bc3b42b8b2f8f7a03f64a97623fff323 ]
+
+This reverts commit ba27b4cdaaa66561aaedb2101876e563738d36fe
+
+Ahmed reported ouf-of-order issues bisected to commit ba27b4cdaaa6
+("net: dev: introduce support for sch BYPASS for lockless qdisc").
+I can't find any working solution other than a plain revert.
+
+This will introduce some minor performance regressions for
+pfifo_fast qdisc. I plan to address them in net-next with more
+indirect call wrapper boilerplate for qdiscs.
+
+Reported-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Fixes: ba27b4cdaaa6 ("net: dev: introduce support for sch BYPASS for lockless qdisc")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 22 ++--------------------
+ 1 file changed, 2 insertions(+), 20 deletions(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3607,26 +3607,8 @@ static inline int __dev_xmit_skb(struct
+ qdisc_calculate_pkt_len(skb, q);
+
+ if (q->flags & TCQ_F_NOLOCK) {
+- if ((q->flags & TCQ_F_CAN_BYPASS) && READ_ONCE(q->empty) &&
+- qdisc_run_begin(q)) {
+- if (unlikely(test_bit(__QDISC_STATE_DEACTIVATED,
+- &q->state))) {
+- __qdisc_drop(skb, &to_free);
+- rc = NET_XMIT_DROP;
+- goto end_run;
+- }
+- qdisc_bstats_cpu_update(q, skb);
+-
+- rc = NET_XMIT_SUCCESS;
+- if (sch_direct_xmit(skb, q, dev, txq, NULL, true))
+- __qdisc_run(q);
+-
+-end_run:
+- qdisc_run_end(q);
+- } else {
+- rc = q->enqueue(skb, q, &to_free) & NET_XMIT_MASK;
+- qdisc_run(q);
+- }
++ rc = q->enqueue(skb, q, &to_free) & NET_XMIT_MASK;
++ qdisc_run(q);
+
+ if (unlikely(to_free))
+ kfree_skb_list(to_free);
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 18 Feb 2020 12:07:53 +0800
+Subject: sctp: move the format error check out of __sctp_sf_do_9_1_abort
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 245709ec8be89af46ea7ef0444c9c80913999d99 ]
+
+When T2 timer is to be stopped, the asoc should also be deleted,
+otherwise, there will be no chance to call sctp_association_free
+and the asoc could last in memory forever.
+
+However, in sctp_sf_shutdown_sent_abort(), after adding the cmd
+SCTP_CMD_TIMER_STOP for T2 timer, it may return error due to the
+format error from __sctp_sf_do_9_1_abort() and miss adding
+SCTP_CMD_ASSOC_FAILED where the asoc will be deleted.
+
+This patch is to fix it by moving the format error check out of
+__sctp_sf_do_9_1_abort(), and do it before adding the cmd
+SCTP_CMD_TIMER_STOP for T2 timer.
+
+Thanks Hangbin for reporting this issue by the fuzz testing.
+
+v1->v2:
+ - improve the comment in the code as Marcelo's suggestion.
+
+Fixes: 96ca468b86b0 ("sctp: check invalid value of length parameter in error cause")
+Reported-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_statefuns.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -170,6 +170,16 @@ static inline bool sctp_chunk_length_val
+ return true;
+ }
+
++/* Check for format error in an ABORT chunk */
++static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk)
++{
++ struct sctp_errhdr *err;
++
++ sctp_walk_errors(err, chunk->chunk_hdr);
++
++ return (void *)err == (void *)chunk->chunk_end;
++}
++
+ /**********************************************************
+ * These are the state functions for handling chunk events.
+ **********************************************************/
+@@ -2255,6 +2265,9 @@ enum sctp_disposition sctp_sf_shutdown_p
+ sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
+ return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
+
++ if (!sctp_err_chunk_valid(chunk))
++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++
+ return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
+ }
+
+@@ -2298,6 +2311,9 @@ enum sctp_disposition sctp_sf_shutdown_s
+ sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
+ return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
+
++ if (!sctp_err_chunk_valid(chunk))
++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++
+ /* Stop the T2-shutdown timer. */
+ sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
+ SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
+@@ -2565,6 +2581,9 @@ enum sctp_disposition sctp_sf_do_9_1_abo
+ sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
+ return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
+
++ if (!sctp_err_chunk_valid(chunk))
++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++
+ return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
+ }
+
+@@ -2582,16 +2601,8 @@ static enum sctp_disposition __sctp_sf_d
+
+ /* See if we have an error cause code in the chunk. */
+ len = ntohs(chunk->chunk_hdr->length);
+- if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) {
+- struct sctp_errhdr *err;
+-
+- sctp_walk_errors(err, chunk->chunk_hdr);
+- if ((void *)err != (void *)chunk->chunk_end)
+- return sctp_sf_pdiscard(net, ep, asoc, type, arg,
+- commands);
+-
++ if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
+ error = ((struct sctp_errhdr *)chunk->skb->data)->cause;
+- }
+
+ sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
+ /* ASSOC_FAILED will DELETE_TCB. */
edac-skx_common-downgrade-message-importance-on-miss.patch
+net-dsa-b53-ensure-the-default-vid-is-untagged.patch
+net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch
+net-macb-ensure-interface-is-not-suspended-on-at91rm9200.patch
+net-mscc-fix-in-frame-extraction.patch
+net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch
+net-sched-correct-flower-port-blocking.patch
+net-tls-fix-to-avoid-gettig-invalid-tls-record.patch
+nfc-pn544-fix-occasional-hw-initialization-failure.patch
+qede-fix-race-between-rdma-destroy-workqueue-and-link-change-event.patch
+revert-net-dev-introduce-support-for-sch-bypass-for-lockless-qdisc.patch
+udp-rehash-on-disconnect.patch
+sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch
+bnxt_en-improve-device-shutdown-method.patch
+bnxt_en-issue-pcie-flr-in-kdump-kernel-to-cleanup-pending-dmas.patch
+bonding-add-missing-netdev_update_lockdep_key.patch
+net-export-netdev_next_lower_dev_rcu.patch
+bonding-fix-lockdep-warning-in-bond_get_stats.patch
+ipv6-fix-route-replacement-with-dev-only-route.patch
+ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch
+ionic-fix-fw_status-read.patch
+net-add-strict-checks-in-netdev_name_node_alt_destroy.patch
+net-macb-properly-handle-phylink-on-at91rm9200.patch
+net-rtnetlink-fix-bugs-in-rtnl_alt_ifname.patch
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:24:06 AM CET
+From: Willem de Bruijn <willemb@google.com>
+Date: Wed, 19 Feb 2020 14:16:32 -0500
+Subject: udp: rehash on disconnect
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 303d0403b8c25e994e4a6e45389e173cf8706fb5 ]
+
+As of the below commit, udp sockets bound to a specific address can
+coexist with one bound to the any addr for the same port.
+
+The commit also phased out the use of socket hashing based only on
+port (hslot), in favor of always hashing on {addr, port} (hslot2).
+
+The change broke the following behavior with disconnect (AF_UNSPEC):
+
+ server binds to 0.0.0.0:1337
+ server connects to 127.0.0.1:80
+ server disconnects
+ client connects to 127.0.0.1:1337
+ client sends "hello"
+ server reads "hello" // times out, packet did not find sk
+
+On connect the server acquires a specific source addr suitable for
+routing to its destination. On disconnect it reverts to the any addr.
+
+The connect call triggers a rehash to a different hslot2. On
+disconnect, add the same to return to the original hslot2.
+
+Skip this step if the socket is going to be unhashed completely.
+
+Fixes: 4cdeeee9252a ("net: udp: prefer listeners bound to an address")
+Reported-by: Pavel Roskin <plroskin@gmail.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1856,8 +1856,12 @@ int __udp_disconnect(struct sock *sk, in
+ inet->inet_dport = 0;
+ sock_rps_reset_rxhash(sk);
+ sk->sk_bound_dev_if = 0;
+- if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK)) {
+ inet_reset_saddr(sk);
++ if (sk->sk_prot->rehash &&
++ (sk->sk_userlocks & SOCK_BINDPORT_LOCK))
++ sk->sk_prot->rehash(sk);
++ }
+
+ if (!(sk->sk_userlocks & SOCK_BINDPORT_LOCK)) {
+ sk->sk_prot->unhash(sk);
projects / thirdparty / kernel / stable-queue.git / commitdiff
