--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Wed, 27 Feb 2019 03:58:53 -0500
+Subject: bnxt_en: Drop oversize TX packets to prevent errors.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 2b3c6885386020b1b9d92d45e8349637e27d1f66 ]
+
+There have been reports of oversize UDP packets being sent to the
+driver to be transmitted, causing error conditions. The issue is
+likely caused by the dst of the SKB switching between 'lo' with
+64K MTU and the hardware device with a smaller MTU. Patches are
+being proposed by Mahesh Bandewar <maheshb@google.com> to fix the
+issue.
+
+In the meantime, add a quick length check in the driver to prevent
+the error. The driver uses the TX packet size as index to look up an
+array to setup the TX BD. The array is large enough to support all MTU
+sizes supported by the driver. The oversize TX packet causes the
+driver to index beyond the array and put garbage values into the
+TX BD. Add a simple check to prevent this.
+
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -463,6 +463,12 @@ normal_tx:
+ }
+
+ length >>= 9;
++ if (unlikely(length >= ARRAY_SIZE(bnxt_lhint_arr))) {
++ dev_warn_ratelimited(&pdev->dev, "Dropped oversize %d bytes TX packet.\n",
++ skb->len);
++ i = 0;
++ goto tx_dma_error;
++ }
+ flags |= bnxt_lhint_arr[length];
+ txbd->tx_bd_len_flags_type = cpu_to_le32(flags);
+
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Jiri Benc <jbenc@redhat.com>
+Date: Thu, 28 Feb 2019 14:56:04 +0100
+Subject: geneve: correctly handle ipv6.disable module parameter
+
+From: Jiri Benc <jbenc@redhat.com>
+
+[ Upstream commit cf1c9ccba7308e48a68fa77f476287d9d614e4c7 ]
+
+When IPv6 is compiled but disabled at runtime, geneve_sock_add returns
+-EAFNOSUPPORT. For metadata based tunnels, this causes failure of the whole
+operation of bringing up the tunnel.
+
+Ignore failure of IPv6 socket creation for metadata based tunnels caused by
+IPv6 not being available.
+
+This is the same fix as what commit d074bf960044 ("vxlan: correctly handle
+ipv6.disable module parameter") is doing for vxlan.
+
+Note there's also commit c0a47e44c098 ("geneve: should not call rt6_lookup()
+when ipv6 was disabled") which fixes a similar issue but for regular
+tunnels, while this patch is needed for metadata based tunnels.
+
+Signed-off-by: Jiri Benc <jbenc@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/geneve.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -636,15 +636,20 @@ out:
+ static int geneve_open(struct net_device *dev)
+ {
+ struct geneve_dev *geneve = netdev_priv(dev);
+- bool ipv6 = !!(geneve->info.mode & IP_TUNNEL_INFO_IPV6);
+ bool metadata = geneve->collect_md;
++ bool ipv4, ipv6;
+ int ret = 0;
+
++ ipv6 = geneve->info.mode & IP_TUNNEL_INFO_IPV6 || metadata;
++ ipv4 = !ipv6 || metadata;
+ #if IS_ENABLED(CONFIG_IPV6)
+- if (ipv6 || metadata)
++ if (ipv6) {
+ ret = geneve_sock_add(geneve, true);
++ if (ret < 0 && ret != -EAFNOSUPPORT)
++ ipv4 = false;
++ }
+ #endif
+- if (!ret && (!ipv6 || metadata))
++ if (ipv4)
+ ret = geneve_sock_add(geneve, false);
+ if (ret < 0)
+ geneve_sock_release(geneve);
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Haiyang Zhang <haiyangz@microsoft.com>
+Date: Fri, 22 Feb 2019 18:25:03 +0000
+Subject: hv_netvsc: Fix IP header checksum for coalesced packets
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+[ Upstream commit bf48648d650db1146b75b9bd358502431e86cf4f ]
+
+Incoming packets may have IP header checksum verified by the host.
+They may not have IP header checksum computed after coalescing.
+This patch re-compute the checksum when necessary, otherwise the
+packets may be dropped, because Linux network stack always checks it.
+
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -743,6 +743,14 @@ void netvsc_linkstatus_callback(struct n
+ schedule_delayed_work(&ndev_ctx->dwork, 0);
+ }
+
++static void netvsc_comp_ipcsum(struct sk_buff *skb)
++{
++ struct iphdr *iph = (struct iphdr *)skb->data;
++
++ iph->check = 0;
++ iph->check = ip_fast_csum(iph, iph->ihl);
++}
++
+ static struct sk_buff *netvsc_alloc_recv_skb(struct net_device *net,
+ struct napi_struct *napi,
+ const struct ndis_tcp_ip_checksum_info *csum_info,
+@@ -766,9 +774,17 @@ static struct sk_buff *netvsc_alloc_recv
+ /* skb is already created with CHECKSUM_NONE */
+ skb_checksum_none_assert(skb);
+
+- /*
+- * In Linux, the IP checksum is always checked.
+- * Do L4 checksum offload if enabled and present.
++ /* Incoming packets may have IP header checksum verified by the host.
++ * They may not have IP header checksum computed after coalescing.
++ * We compute it here if the flags are set, because on Linux, the IP
++ * checksum is always checked.
++ */
++ if (csum_info && csum_info->receive.ip_checksum_value_invalid &&
++ csum_info->receive.ip_checksum_succeeded &&
++ skb->protocol == htons(ETH_P_IP))
++ netvsc_comp_ipcsum(skb);
++
++ /* Do L4 checksum offload if enabled and present.
+ */
+ if (csum_info && (net->features & NETIF_F_RXCSUM)) {
+ if (csum_info->receive.tcp_checksum_succeeded ||
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Sun, 3 Mar 2019 07:34:57 +0000
+Subject: ip6mr: Do not call __IP6_INC_STATS() from preemptible context
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 87c11f1ddbbad38ad8bad47af133a8208985fbdf ]
+
+Similar to commit 44f49dd8b5a6 ("ipmr: fix possible race resulting from
+improper usage of IP_INC_STATS_BH() in preemptible context."), we cannot
+assume preemption is disabled when incrementing the counter and
+accessing a per-CPU variable.
+
+Preemption can be enabled when we add a route in process context that
+corresponds to packets stored in the unresolved queue, which are then
+forwarded using this route [1].
+
+Fix this by using IP6_INC_STATS() which takes care of disabling
+preemption on architectures where it is needed.
+
+[1]
+[ 157.451447] BUG: using __this_cpu_add() in preemptible [00000000] code: smcrouted/2314
+[ 157.460409] caller is ip6mr_forward2+0x73e/0x10e0
+[ 157.460434] CPU: 3 PID: 2314 Comm: smcrouted Not tainted 5.0.0-rc7-custom-03635-g22f2712113f1 #1336
+[ 157.460449] Hardware name: Mellanox Technologies Ltd. MSN2100-CB2FO/SA001017, BIOS 5.6.5 06/07/2016
+[ 157.460461] Call Trace:
+[ 157.460486] dump_stack+0xf9/0x1be
+[ 157.460553] check_preemption_disabled+0x1d6/0x200
+[ 157.460576] ip6mr_forward2+0x73e/0x10e0
+[ 157.460705] ip6_mr_forward+0x9a0/0x1510
+[ 157.460771] ip6mr_mfc_add+0x16b3/0x1e00
+[ 157.461155] ip6_mroute_setsockopt+0x3cb/0x13c0
+[ 157.461384] do_ipv6_setsockopt.isra.8+0x348/0x4060
+[ 157.462013] ipv6_setsockopt+0x90/0x110
+[ 157.462036] rawv6_setsockopt+0x4a/0x120
+[ 157.462058] __sys_setsockopt+0x16b/0x340
+[ 157.462198] __x64_sys_setsockopt+0xbf/0x160
+[ 157.462220] do_syscall_64+0x14d/0x610
+[ 157.462349] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 0912ea38de61 ("[IPV6] MROUTE: Add stats in multicast routing module method ip6_mr_forward().")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-by: Amit Cohen <amitc@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6mr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -1954,10 +1954,10 @@ int ip6mr_compat_ioctl(struct sock *sk,
+
+ static inline int ip6mr_forward2_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
+- __IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
+- IPSTATS_MIB_OUTFORWDATAGRAMS);
+- __IP6_ADD_STATS(net, ip6_dst_idev(skb_dst(skb)),
+- IPSTATS_MIB_OUTOCTETS, skb->len);
++ IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
++ IPSTATS_MIB_OUTFORWDATAGRAMS);
++ IP6_ADD_STATS(net, ip6_dst_idev(skb_dst(skb)),
++ IPSTATS_MIB_OUTOCTETS, skb->len);
+ return dst_output(net, sk, skb);
+ }
+
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Wed, 27 Feb 2019 16:15:29 +0800
+Subject: ipv4: Add ICMPv6 support when parse route ipproto
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 5e1a99eae84999a2536f50a0beaf5d5262337f40 ]
+
+For ip rules, we need to use 'ipproto ipv6-icmp' to match ICMPv6 headers.
+But for ip -6 route, currently we only support tcp, udp and icmp.
+
+Add ICMPv6 support so we can match ipv6-icmp rules for route lookup.
+
+v2: As David Ahern and Sabrina Dubroca suggested, Add an argument to
+rtm_getroute_parse_ip_proto() to handle ICMP/ICMPv6 with different family.
+
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Fixes: eacb9384a3fe ("ipv6: support sport, dport and ip_proto in RTM_GETROUTE")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ip.h | 2 +-
+ net/ipv4/netlink.c | 17 +++++++++++++----
+ net/ipv4/route.c | 2 +-
+ net/ipv6/route.c | 3 ++-
+ 4 files changed, 17 insertions(+), 7 deletions(-)
+
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -687,7 +687,7 @@ extern int sysctl_icmp_msgs_burst;
+ int ip_misc_proc_init(void);
+ #endif
+
+-int rtm_getroute_parse_ip_proto(struct nlattr *attr, u8 *ip_proto,
++int rtm_getroute_parse_ip_proto(struct nlattr *attr, u8 *ip_proto, u8 family,
+ struct netlink_ext_ack *extack);
+
+ #endif /* _IP_H */
+--- a/net/ipv4/netlink.c
++++ b/net/ipv4/netlink.c
+@@ -3,9 +3,10 @@
+ #include <linux/types.h>
+ #include <net/net_namespace.h>
+ #include <net/netlink.h>
++#include <linux/in6.h>
+ #include <net/ip.h>
+
+-int rtm_getroute_parse_ip_proto(struct nlattr *attr, u8 *ip_proto,
++int rtm_getroute_parse_ip_proto(struct nlattr *attr, u8 *ip_proto, u8 family,
+ struct netlink_ext_ack *extack)
+ {
+ *ip_proto = nla_get_u8(attr);
+@@ -13,11 +14,19 @@ int rtm_getroute_parse_ip_proto(struct n
+ switch (*ip_proto) {
+ case IPPROTO_TCP:
+ case IPPROTO_UDP:
++ return 0;
+ case IPPROTO_ICMP:
++ if (family != AF_INET)
++ break;
++ return 0;
++#if IS_ENABLED(CONFIG_IPV6)
++ case IPPROTO_ICMPV6:
++ if (family != AF_INET6)
++ break;
+ return 0;
+- default:
+- NL_SET_ERR_MSG(extack, "Unsupported ip proto");
+- return -EOPNOTSUPP;
++#endif
+ }
++ NL_SET_ERR_MSG(extack, "Unsupported ip proto");
++ return -EOPNOTSUPP;
+ }
+ EXPORT_SYMBOL_GPL(rtm_getroute_parse_ip_proto);
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -2814,7 +2814,7 @@ static int inet_rtm_getroute(struct sk_b
+
+ if (tb[RTA_IP_PROTO]) {
+ err = rtm_getroute_parse_ip_proto(tb[RTA_IP_PROTO],
+- &ip_proto, extack);
++ &ip_proto, AF_INET, extack);
+ if (err)
+ return err;
+ }
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -4907,7 +4907,8 @@ static int inet6_rtm_getroute(struct sk_
+
+ if (tb[RTA_IP_PROTO]) {
+ err = rtm_getroute_parse_ip_proto(tb[RTA_IP_PROTO],
+- &fl6.flowi6_proto, extack);
++ &fl6.flowi6_proto, AF_INET6,
++ extack);
+ if (err)
+ goto errout;
+ }
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: David Ahern <dsahern@gmail.com>
+Date: Mon, 25 Feb 2019 13:55:48 -0800
+Subject: ipv4: Pass original device to ip_rcv_finish_core
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit a1fd1ad2552fad9e649eeb85fd79301e2880a886 ]
+
+ip_route_input_rcu expects the original ingress device (e.g., for
+proper multicast handling). The skb->dev can be changed by l3mdev_ip_rcv,
+so dev needs to be saved prior to calling it. This was the behavior prior
+to the listify changes.
+
+Fixes: 5fa12739a53d0 ("net: ipv4: listify ip_rcv_finish")
+Cc: Edward Cree <ecree@solarflare.com>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_input.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/ip_input.c
++++ b/net/ipv4/ip_input.c
+@@ -308,11 +308,10 @@ drop:
+ }
+
+ static int ip_rcv_finish_core(struct net *net, struct sock *sk,
+- struct sk_buff *skb)
++ struct sk_buff *skb, struct net_device *dev)
+ {
+ const struct iphdr *iph = ip_hdr(skb);
+ int (*edemux)(struct sk_buff *skb);
+- struct net_device *dev = skb->dev;
+ struct rtable *rt;
+ int err;
+
+@@ -401,6 +400,7 @@ drop_error:
+
+ static int ip_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
+ {
++ struct net_device *dev = skb->dev;
+ int ret;
+
+ /* if ingress device is enslaved to an L3 master device pass the
+@@ -410,7 +410,7 @@ static int ip_rcv_finish(struct net *net
+ if (!skb)
+ return NET_RX_SUCCESS;
+
+- ret = ip_rcv_finish_core(net, sk, skb);
++ ret = ip_rcv_finish_core(net, sk, skb, dev);
+ if (ret != NET_RX_DROP)
+ ret = dst_input(skb);
+ return ret;
+@@ -550,6 +550,7 @@ static void ip_list_rcv_finish(struct ne
+
+ INIT_LIST_HEAD(&sublist);
+ list_for_each_entry_safe(skb, next, head, list) {
++ struct net_device *dev = skb->dev;
+ struct dst_entry *dst;
+
+ skb_list_del_init(skb);
+@@ -559,7 +560,7 @@ static void ip_list_rcv_finish(struct ne
+ skb = l3mdev_ip_rcv(skb);
+ if (!skb)
+ continue;
+- if (ip_rcv_finish_core(net, sk, skb) == NET_RX_DROP)
++ if (ip_rcv_finish_core(net, sk, skb, dev) == NET_RX_DROP)
+ continue;
+
+ dst = skb_dst(skb);
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: David Ahern <dsahern@gmail.com>
+Date: Tue, 26 Feb 2019 09:00:02 -0800
+Subject: ipv4: Return error for RTA_VIA attribute
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit b6e9e5df4ecf100f6a10ab2ade8e46d47a4b9779 ]
+
+IPv4 currently does not support nexthops outside of the AF_INET family.
+Specifically, it does not handle RTA_VIA attribute. If it is passed
+in a route add request, the actual route added only uses the device
+which is clearly not what the user intended:
+
+ $ ip ro add 172.16.1.0/24 via inet6 2001:db8:1::1 dev eth0
+ $ ip ro ls
+ ...
+ 172.16.1.0/24 dev eth0
+
+Catch this and fail the route add:
+ $ ip ro add 172.16.1.0/24 via inet6 2001:db8:1::1 dev eth0
+ Error: IPv4 does not support RTA_VIA attribute.
+
+Fixes: 03c0566542f4c ("mpls: Netlink commands to add, remove, and dump routes")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/fib_frontend.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -700,6 +700,10 @@ static int rtm_to_fib_config(struct net
+ case RTA_GATEWAY:
+ cfg->fc_gw = nla_get_be32(attr);
+ break;
++ case RTA_VIA:
++ NL_SET_ERR_MSG(extack, "IPv4 does not support RTA_VIA attribute");
++ err = -EINVAL;
++ goto errout;
+ case RTA_PRIORITY:
+ cfg->fc_priority = nla_get_u32(attr);
+ break;
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: David Ahern <dsahern@gmail.com>
+Date: Tue, 26 Feb 2019 09:00:03 -0800
+Subject: ipv6: Return error for RTA_VIA attribute
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit e3818541b49fb88650ba339d33cc53e4095da5b3 ]
+
+IPv6 currently does not support nexthops outside of the AF_INET6 family.
+Specifically, it does not handle RTA_VIA attribute. If it is passed
+in a route add request, the actual route added only uses the device
+which is clearly not what the user intended:
+
+ $ ip -6 ro add 2001:db8:2::/64 via inet 172.16.1.1 dev eth0
+ $ ip ro ls
+ ...
+ 2001:db8:2::/64 dev eth0 metric 1024 pref medium
+
+Catch this and fail the route add:
+ $ ip -6 ro add 2001:db8:2::/64 via inet 172.16.1.1 dev eth0
+ Error: IPv6 does not support RTA_VIA attribute.
+
+Fixes: 03c0566542f4c ("mpls: Netlink commands to add, remove, and dump routes")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -4213,6 +4213,10 @@ static int rtm_to_fib6_config(struct sk_
+ cfg->fc_gateway = nla_get_in6_addr(tb[RTA_GATEWAY]);
+ cfg->fc_flags |= RTF_GATEWAY;
+ }
++ if (tb[RTA_VIA]) {
++ NL_SET_ERR_MSG(extack, "IPv6 does not support RTA_VIA attribute");
++ goto errout;
++ }
+
+ if (tb[RTA_DST]) {
+ int plen = (rtm->rtm_dst_len + 7) >> 3;
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Bryan Whitehead <Bryan.Whitehead@microchip.com>
+Date: Tue, 26 Feb 2019 14:06:26 -0500
+Subject: lan743x: Fix TX Stall Issue
+
+From: Bryan Whitehead <Bryan.Whitehead@microchip.com>
+
+[ Upstream commit 90490ef7269906423a1c1b917fc24be8b1602658 ]
+
+It has been observed that tx queue stalls while downloading
+from certain web sites (example www.speedtest.net)
+
+The cause has been tracked down to a corner case where
+dma descriptors where not setup properly. And there for a tx
+completion interrupt was not signaled.
+
+This fix corrects the problem by properly marking the end of
+a multi descriptor transmission.
+
+Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver")
+Signed-off-by: Bryan Whitehead <Bryan.Whitehead@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/microchip/lan743x_main.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/microchip/lan743x_main.c
++++ b/drivers/net/ethernet/microchip/lan743x_main.c
+@@ -1403,7 +1403,8 @@ static int lan743x_tx_frame_start(struct
+ }
+
+ static void lan743x_tx_frame_add_lso(struct lan743x_tx *tx,
+- unsigned int frame_length)
++ unsigned int frame_length,
++ int nr_frags)
+ {
+ /* called only from within lan743x_tx_xmit_frame.
+ * assuming tx->ring_lock has already been acquired.
+@@ -1413,6 +1414,10 @@ static void lan743x_tx_frame_add_lso(str
+
+ /* wrap up previous descriptor */
+ tx->frame_data0 |= TX_DESC_DATA0_EXT_;
++ if (nr_frags <= 0) {
++ tx->frame_data0 |= TX_DESC_DATA0_LS_;
++ tx->frame_data0 |= TX_DESC_DATA0_IOC_;
++ }
+ tx_descriptor = &tx->ring_cpu_ptr[tx->frame_tail];
+ tx_descriptor->data0 = tx->frame_data0;
+
+@@ -1517,8 +1522,11 @@ static void lan743x_tx_frame_end(struct
+ u32 tx_tail_flags = 0;
+
+ /* wrap up previous descriptor */
+- tx->frame_data0 |= TX_DESC_DATA0_LS_;
+- tx->frame_data0 |= TX_DESC_DATA0_IOC_;
++ if ((tx->frame_data0 & TX_DESC_DATA0_DTYPE_MASK_) ==
++ TX_DESC_DATA0_DTYPE_DATA_) {
++ tx->frame_data0 |= TX_DESC_DATA0_LS_;
++ tx->frame_data0 |= TX_DESC_DATA0_IOC_;
++ }
+
+ tx_descriptor = &tx->ring_cpu_ptr[tx->frame_tail];
+ buffer_info = &tx->buffer_info[tx->frame_tail];
+@@ -1603,7 +1611,7 @@ static netdev_tx_t lan743x_tx_xmit_frame
+ }
+
+ if (gso)
+- lan743x_tx_frame_add_lso(tx, frame_length);
++ lan743x_tx_frame_add_lso(tx, frame_length, nr_frags);
+
+ if (nr_frags <= 0)
+ goto finish;
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: David Ahern <dsahern@gmail.com>
+Date: Tue, 26 Feb 2019 09:00:04 -0800
+Subject: mpls: Return error for RTA_GATEWAY attribute
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit be48220edd48ca0d569782992840488a52373a24 ]
+
+MPLS does not support nexthops with an MPLS address family.
+Specifically, it does not handle RTA_GATEWAY attribute. Make it
+clear by returning an error.
+
+Fixes: 03c0566542f4c ("mpls: Netlink commands to add, remove, and dump routes")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mpls/af_mpls.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mpls/af_mpls.c
++++ b/net/mpls/af_mpls.c
+@@ -1822,6 +1822,9 @@ static int rtm_to_route_config(struct sk
+ goto errout;
+ break;
+ }
++ case RTA_GATEWAY:
++ NL_SET_ERR_MSG(extack, "MPLS does not support RTA_GATEWAY attribute");
++ goto errout;
+ case RTA_VIA:
+ {
+ if (nla_get_via(nla, &cfg->rc_via_alen,
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Nazarov Sergey <s-nazarov@yandex.ru>
+Date: Mon, 25 Feb 2019 19:24:15 +0300
+Subject: net: Add __icmp_send helper.
+
+From: Nazarov Sergey <s-nazarov@yandex.ru>
+
+[ Upstream commit 9ef6b42ad6fd7929dd1b6092cb02014e382c6a91 ]
+
+Add __icmp_send function having ip_options struct parameter
+
+Signed-off-by: Sergey Nazarov <s-nazarov@yandex.ru>
+Reviewed-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/icmp.h | 9 ++++++++-
+ net/ipv4/icmp.c | 7 ++++---
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/include/net/icmp.h
++++ b/include/net/icmp.h
+@@ -22,6 +22,7 @@
+
+ #include <net/inet_sock.h>
+ #include <net/snmp.h>
++#include <net/ip.h>
+
+ struct icmp_err {
+ int errno;
+@@ -39,7 +40,13 @@ struct net_proto_family;
+ struct sk_buff;
+ struct net;
+
+-void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info);
++void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info,
++ const struct ip_options *opt);
++static inline void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
++{
++ __icmp_send(skb_in, type, code, info, &IPCB(skb_in)->opt);
++}
++
+ int icmp_rcv(struct sk_buff *skb);
+ void icmp_err(struct sk_buff *skb, u32 info);
+ int icmp_init(void);
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -570,7 +570,8 @@ relookup_failed:
+ * MUST reply to only the first fragment.
+ */
+
+-void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
++void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info,
++ const struct ip_options *opt)
+ {
+ struct iphdr *iph;
+ int room;
+@@ -691,7 +692,7 @@ void icmp_send(struct sk_buff *skb_in, i
+ iph->tos;
+ mark = IP4_REPLY_MARK(net, skb_in->mark);
+
+- if (ip_options_echo(net, &icmp_param.replyopts.opt.opt, skb_in))
++ if (__ip_options_echo(net, &icmp_param.replyopts.opt.opt, skb_in, opt))
+ goto out_unlock;
+
+
+@@ -742,7 +743,7 @@ out_bh_enable:
+ local_bh_enable();
+ out:;
+ }
+-EXPORT_SYMBOL(icmp_send);
++EXPORT_SYMBOL(__icmp_send);
+
+
+ static void icmp_socket_deliver(struct sk_buff *skb, u32 info)
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Nazarov Sergey <s-nazarov@yandex.ru>
+Date: Mon, 25 Feb 2019 19:27:15 +0300
+Subject: net: avoid use IPCB in cipso_v4_error
+
+From: Nazarov Sergey <s-nazarov@yandex.ru>
+
+[ Upstream commit 3da1ed7ac398f34fff1694017a07054d69c5f5c5 ]
+
+Extract IP options in cipso_v4_error and use __icmp_send.
+
+Signed-off-by: Sergey Nazarov <s-nazarov@yandex.ru>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ip.h | 2 ++
+ net/ipv4/cipso_ipv4.c | 17 +++++++++++++++--
+ net/ipv4/ip_options.c | 22 +++++++++++++++++-----
+ 3 files changed, 34 insertions(+), 7 deletions(-)
+
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -638,6 +638,8 @@ static inline int ip_options_echo(struct
+ }
+
+ void ip_options_fragment(struct sk_buff *skb);
++int __ip_options_compile(struct net *net, struct ip_options *opt,
++ struct sk_buff *skb, __be32 *info);
+ int ip_options_compile(struct net *net, struct ip_options *opt,
+ struct sk_buff *skb);
+ int ip_options_get(struct net *net, struct ip_options_rcu **optp,
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1736,13 +1736,26 @@ validate_return:
+ */
+ void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway)
+ {
++ unsigned char optbuf[sizeof(struct ip_options) + 40];
++ struct ip_options *opt = (struct ip_options *)optbuf;
++
+ if (ip_hdr(skb)->protocol == IPPROTO_ICMP || error != -EACCES)
+ return;
+
++ /*
++ * We might be called above the IP layer,
++ * so we can not use icmp_send and IPCB here.
++ */
++
++ memset(opt, 0, sizeof(struct ip_options));
++ opt->optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
++ if (__ip_options_compile(dev_net(skb->dev), opt, skb, NULL))
++ return;
++
+ if (gateway)
+- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0);
++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0, opt);
+ else
+- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0);
++ __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0, opt);
+ }
+
+ /**
+--- a/net/ipv4/ip_options.c
++++ b/net/ipv4/ip_options.c
+@@ -251,8 +251,9 @@ static void spec_dst_fill(__be32 *spec_d
+ * If opt == NULL, then skb->data should point to IP header.
+ */
+
+-int ip_options_compile(struct net *net,
+- struct ip_options *opt, struct sk_buff *skb)
++int __ip_options_compile(struct net *net,
++ struct ip_options *opt, struct sk_buff *skb,
++ __be32 *info)
+ {
+ __be32 spec_dst = htonl(INADDR_ANY);
+ unsigned char *pp_ptr = NULL;
+@@ -468,11 +469,22 @@ eol:
+ return 0;
+
+ error:
+- if (skb) {
+- icmp_send(skb, ICMP_PARAMETERPROB, 0, htonl((pp_ptr-iph)<<24));
+- }
++ if (info)
++ *info = htonl((pp_ptr-iph)<<24);
+ return -EINVAL;
+ }
++
++int ip_options_compile(struct net *net,
++ struct ip_options *opt, struct sk_buff *skb)
++{
++ int ret;
++ __be32 info;
++
++ ret = __ip_options_compile(net, opt, skb, &info);
++ if (ret != 0 && skb)
++ icmp_send(skb, ICMP_PARAMETERPROB, 0, info);
++ return ret;
++}
+ EXPORT_SYMBOL(ip_options_compile);
+
+ /*
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Andrew Lunn <andrew@lunn.ch>
+Date: Fri, 1 Mar 2019 23:43:39 +0100
+Subject: net: dsa: mv88e6xxx: Fix statistics on mv88e6161
+
+From: Andrew Lunn <andrew@lunn.ch>
+
+[ Upstream commit a6da21bb0eae459a375d5bd48baed821d14301d0 ]
+
+Despite what the datesheet says, the silicon implements the older way
+of snapshoting the statistics. Change the op.
+
+Reported-by: Chris.Healy@zii.aero
+Tested-by: Chris.Healy@zii.aero
+Fixes: 0ac64c394900 ("net: dsa: mv88e6xxx: mv88e6161 uses mv88e6320 stats snapshot")
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3070,7 +3070,7 @@ static const struct mv88e6xxx_ops mv88e6
+ .port_disable_pri_override = mv88e6xxx_port_disable_pri_override,
+ .port_link_state = mv88e6352_port_link_state,
+ .port_get_cmode = mv88e6185_port_get_cmode,
+- .stats_snapshot = mv88e6320_g1_stats_snapshot,
++ .stats_snapshot = mv88e6xxx_g1_stats_snapshot,
+ .stats_set_histogram = mv88e6095_g1_stats_set_histogram,
+ .stats_get_sset_count = mv88e6095_stats_get_sset_count,
+ .stats_get_strings = mv88e6095_stats_get_strings,
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Andrew Lunn <andrew@lunn.ch>
+Date: Thu, 28 Feb 2019 18:14:03 +0100
+Subject: net: dsa: mv88e6xxx: Fix u64 statistics
+
+From: Andrew Lunn <andrew@lunn.ch>
+
+[ Upstream commit 6e46e2d821bb22b285ae8187959096b65d063b0d ]
+
+The switch maintains u64 counters for the number of octets sent and
+received. These are kept as two u32's which need to be combined. Fix
+the combing, which wrongly worked on u16's.
+
+Fixes: 80c4627b2719 ("dsa: mv88x6xxx: Refactor getting a single statistic")
+Reported-by: Chris Healy <Chris.Healy@zii.aero>
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -884,7 +884,7 @@ static uint64_t _mv88e6xxx_get_ethtool_s
+ default:
+ return U64_MAX;
+ }
+- value = (((u64)high) << 16) | low;
++ value = (((u64)high) << 32) | low;
+ return value;
+ }
+
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Fri, 1 Mar 2019 19:53:57 +0100
+Subject: net: dsa: mv88e6xxx: handle unknown duplex modes gracefully in mv88e6xxx_port_set_duplex
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit c6195a8bdfc62a7cecf7df685e64847a4b700275 ]
+
+When testing another issue I faced the problem that
+mv88e6xxx_port_setup_mac() failed due to DUPLEX_UNKNOWN being passed
+as argument to mv88e6xxx_port_set_duplex(). We should handle this case
+gracefully and return -EOPNOTSUPP, like e.g. mv88e6xxx_port_set_speed()
+is doing it.
+
+Fixes: 7f1ae07b51e8 ("net: dsa: mv88e6xxx: add port duplex setter")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/port.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/mv88e6xxx/port.c
++++ b/drivers/net/dsa/mv88e6xxx/port.c
+@@ -190,7 +190,7 @@ int mv88e6xxx_port_set_duplex(struct mv8
+ /* normal duplex detection */
+ break;
+ default:
+- return -EINVAL;
++ return -EOPNOTSUPP;
+ }
+
+ err = mv88e6xxx_port_write(chip, port, MV88E6XXX_PORT_MAC_CTL, reg);
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Date: Thu, 28 Feb 2019 22:14:33 +0100
+Subject: net: dsa: mv88e6xxx: power serdes on/off for 10G interfaces on 6390X
+
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+
+[ Upstream commit d235c48b40d399328585a68f3f9bf7cc3062d586 ]
+
+Upon setting the cmode on 6390 and 6390X, the associated serdes
+interfaces must be powered off/on.
+
+Both 6390X and 6390 share code to do so, but it currently uses the 6390
+specific helper mv88e6390_serdes_power() to disable and enable the
+serdes interface.
+
+This call will fail silently on 6390X when trying so set a 10G interface
+such as XAUI or RXAUI, since mv88e6390_serdes_power() internally grabs
+the lane number based on modes supported by the 6390, and returns 0 when
+getting -ENODEV as a lane number.
+
+Using mv88e6390x_serdes_power() should be safe here, since we explicitly
+rule-out all ports but the 9 and 10, and because modes supported by 6390
+ports 9 and 10 are a subset of those supported on 6390X.
+
+This was tested on 6390X using RXAUI mode.
+
+Fixes: 364e9d7776a3 ("net: dsa: mv88e6xxx: Power on/off SERDES on cmode change")
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/port.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/dsa/mv88e6xxx/port.c
++++ b/drivers/net/dsa/mv88e6xxx/port.c
+@@ -384,7 +384,7 @@ int mv88e6390x_port_set_cmode(struct mv8
+ return err;
+ }
+
+- err = mv88e6390_serdes_power(chip, port, false);
++ err = mv88e6390x_serdes_power(chip, port, false);
+ if (err)
+ return err;
+
+@@ -400,7 +400,7 @@ int mv88e6390x_port_set_cmode(struct mv8
+ if (err)
+ return err;
+
+- err = mv88e6390_serdes_power(chip, port, true);
++ err = mv88e6390x_serdes_power(chip, port, true);
+ if (err)
+ return err;
+
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Thu, 28 Feb 2019 07:39:15 +0100
+Subject: net: dsa: mv88e6xxx: prevent interrupt storm caused by mv88e6390x_port_set_cmode
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit ed8fe20205ac054bf585156709de3913d1890f30 ]
+
+When debugging another issue I faced an interrupt storm in this
+driver (88E6390, port 9 in SGMII mode), consisting of alternating
+link-up / link-down interrupts. Analysis showed that the driver
+wanted to set a cmode that was set already. But so far
+mv88e6390x_port_set_cmode() doesn't check this and powers down
+SERDES, what causes the link to break, and eventually results in
+the described interrupt storm.
+
+Fix this by checking whether the cmode actually changes. We want
+that the very first call to mv88e6390x_port_set_cmode() always
+configures the registers, therefore initialize port.cmode with
+a value that is different from any supported cmode value.
+We have to take care that we only init the ports cmode once
+chip->info->num_ports is set.
+
+v2:
+- add small helper and init the number of actual ports only
+
+Fixes: 364e9d7776a3 ("net: dsa: mv88e6xxx: Power on/off SERDES on cmode change")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 10 ++++++++++
+ drivers/net/dsa/mv88e6xxx/port.c | 4 ++++
+ drivers/net/dsa/mv88e6xxx/port.h | 1 +
+ 3 files changed, 15 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -4561,6 +4561,14 @@ static int mv88e6xxx_smi_init(struct mv8
+ return 0;
+ }
+
++static void mv88e6xxx_ports_cmode_init(struct mv88e6xxx_chip *chip)
++{
++ int i;
++
++ for (i = 0; i < mv88e6xxx_num_ports(chip); i++)
++ chip->ports[i].cmode = MV88E6XXX_PORT_STS_CMODE_INVALID;
++}
++
+ static enum dsa_tag_protocol mv88e6xxx_get_tag_protocol(struct dsa_switch *ds,
+ int port)
+ {
+@@ -4597,6 +4605,8 @@ static const char *mv88e6xxx_drv_probe(s
+ if (err)
+ goto free;
+
++ mv88e6xxx_ports_cmode_init(chip);
++
+ mutex_lock(&chip->reg_lock);
+ err = mv88e6xxx_switch_reset(chip);
+ mutex_unlock(&chip->reg_lock);
+--- a/drivers/net/dsa/mv88e6xxx/port.c
++++ b/drivers/net/dsa/mv88e6xxx/port.c
+@@ -374,6 +374,10 @@ int mv88e6390x_port_set_cmode(struct mv8
+ cmode = 0;
+ }
+
++ /* cmode doesn't change, nothing to do for us */
++ if (cmode == chip->ports[port].cmode)
++ return 0;
++
+ lane = mv88e6390x_serdes_get_lane(chip, port);
+ if (lane < 0)
+ return lane;
+--- a/drivers/net/dsa/mv88e6xxx/port.h
++++ b/drivers/net/dsa/mv88e6xxx/port.h
+@@ -52,6 +52,7 @@
+ #define MV88E6185_PORT_STS_CMODE_1000BASE_X 0x0005
+ #define MV88E6185_PORT_STS_CMODE_PHY 0x0006
+ #define MV88E6185_PORT_STS_CMODE_DISABLED 0x0007
++#define MV88E6XXX_PORT_STS_CMODE_INVALID 0xff
+
+ /* Offset 0x01: MAC (or PCS or Physical) Control Register */
+ #define MV88E6XXX_PORT_MAC_CTL 0x01
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Sat, 2 Mar 2019 10:06:05 +0100
+Subject: net: dsa: mv8e6xxx: fix number of internal PHYs for 88E6x90 family
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 95150f29ae480276e76368cdf8a9524b5a96c0ca ]
+
+Ports 9 and 10 don't have internal PHY's but are (dependent on the
+version) SERDES/SGMII/XAUI/RXAUI ports.
+
+v2:
+- fix it for all 88E6x90 family members
+
+Fixes: bc3931557d1d ("net: dsa: mv88e6xxx: Add number of internal PHYs")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -4188,7 +4188,7 @@ static const struct mv88e6xxx_info mv88e
+ .name = "Marvell 88E6190",
+ .num_databases = 4096,
+ .num_ports = 11, /* 10 + Z80 */
+- .num_internal_phys = 11,
++ .num_internal_phys = 9,
+ .num_gpio = 16,
+ .max_vid = 8191,
+ .port_base_addr = 0x0,
+@@ -4211,7 +4211,7 @@ static const struct mv88e6xxx_info mv88e
+ .name = "Marvell 88E6190X",
+ .num_databases = 4096,
+ .num_ports = 11, /* 10 + Z80 */
+- .num_internal_phys = 11,
++ .num_internal_phys = 9,
+ .num_gpio = 16,
+ .max_vid = 8191,
+ .port_base_addr = 0x0,
+@@ -4234,7 +4234,7 @@ static const struct mv88e6xxx_info mv88e
+ .name = "Marvell 88E6191",
+ .num_databases = 4096,
+ .num_ports = 11, /* 10 + Z80 */
+- .num_internal_phys = 11,
++ .num_internal_phys = 9,
+ .max_vid = 8191,
+ .port_base_addr = 0x0,
+ .phy_base_addr = 0x0,
+@@ -4281,7 +4281,7 @@ static const struct mv88e6xxx_info mv88e
+ .name = "Marvell 88E6290",
+ .num_databases = 4096,
+ .num_ports = 11, /* 10 + Z80 */
+- .num_internal_phys = 11,
++ .num_internal_phys = 9,
+ .num_gpio = 16,
+ .max_vid = 8191,
+ .port_base_addr = 0x0,
+@@ -4443,7 +4443,7 @@ static const struct mv88e6xxx_info mv88e
+ .name = "Marvell 88E6390",
+ .num_databases = 4096,
+ .num_ports = 11, /* 10 + Z80 */
+- .num_internal_phys = 11,
++ .num_internal_phys = 9,
+ .num_gpio = 16,
+ .max_vid = 8191,
+ .port_base_addr = 0x0,
+@@ -4466,7 +4466,7 @@ static const struct mv88e6xxx_info mv88e
+ .name = "Marvell 88E6390X",
+ .num_databases = 4096,
+ .num_ports = 11, /* 10 + Z80 */
+- .num_internal_phys = 11,
++ .num_internal_phys = 9,
+ .num_gpio = 16,
+ .max_vid = 8191,
+ .port_base_addr = 0x0,
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Sheng Lan <lansheng@huawei.com>
+Date: Thu, 28 Feb 2019 18:47:58 +0800
+Subject: net: netem: fix skb length BUG_ON in __skb_to_sgvec
+
+From: Sheng Lan <lansheng@huawei.com>
+
+[ Upstream commit 5845f706388a4cde0f6b80f9e5d33527e942b7d9 ]
+
+It can be reproduced by following steps:
+1. virtio_net NIC is configured with gso/tso on
+2. configure nginx as http server with an index file bigger than 1M bytes
+3. use tc netem to produce duplicate packets and delay:
+ tc qdisc add dev eth0 root netem delay 100ms 10ms 30% duplicate 90%
+4. continually curl the nginx http server to get index file on client
+5. BUG_ON is seen quickly
+
+[10258690.371129] kernel BUG at net/core/skbuff.c:4028!
+[10258690.371748] invalid opcode: 0000 [#1] SMP PTI
+[10258690.372094] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G W 5.0.0-rc6 #2
+[10258690.372094] RSP: 0018:ffffa05797b43da0 EFLAGS: 00010202
+[10258690.372094] RBP: 00000000000005ea R08: 0000000000000000 R09: 00000000000005ea
+[10258690.372094] R10: ffffa0579334d800 R11: 00000000000002c0 R12: 0000000000000002
+[10258690.372094] R13: 0000000000000000 R14: ffffa05793122900 R15: ffffa0578f7cb028
+[10258690.372094] FS: 0000000000000000(0000) GS:ffffa05797b40000(0000) knlGS:0000000000000000
+[10258690.372094] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[10258690.372094] CR2: 00007f1a6dc00868 CR3: 000000001000e000 CR4: 00000000000006e0
+[10258690.372094] Call Trace:
+[10258690.372094] <IRQ>
+[10258690.372094] skb_to_sgvec+0x11/0x40
+[10258690.372094] start_xmit+0x38c/0x520 [virtio_net]
+[10258690.372094] dev_hard_start_xmit+0x9b/0x200
+[10258690.372094] sch_direct_xmit+0xff/0x260
+[10258690.372094] __qdisc_run+0x15e/0x4e0
+[10258690.372094] net_tx_action+0x137/0x210
+[10258690.372094] __do_softirq+0xd6/0x2a9
+[10258690.372094] irq_exit+0xde/0xf0
+[10258690.372094] smp_apic_timer_interrupt+0x74/0x140
+[10258690.372094] apic_timer_interrupt+0xf/0x20
+[10258690.372094] </IRQ>
+
+In __skb_to_sgvec(), the skb->len is not equal to the sum of the skb's
+linear data size and nonlinear data size, thus BUG_ON triggered.
+Because the skb is cloned and a part of nonlinear data is split off.
+
+Duplicate packet is cloned in netem_enqueue() and may be delayed
+some time in qdisc. When qdisc len reached the limit and returns
+NET_XMIT_DROP, the skb will be retransmit later in write queue.
+the skb will be fragmented by tso_fragment(), the limit size
+that depends on cwnd and mss decrease, the skb's nonlinear
+data will be split off. The length of the skb cloned by netem
+will not be updated. When we use virtio_net NIC and invoke skb_to_sgvec(),
+the BUG_ON trigger.
+
+To fix it, netem returns NET_XMIT_SUCCESS to upper stack
+when it clones a duplicate packet.
+
+Fixes: 35d889d1 ("sch_netem: fix skb leak in netem_enqueue()")
+Signed-off-by: Sheng Lan <lansheng@huawei.com>
+Reported-by: Qin Ji <jiqin.ji@huawei.com>
+Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_netem.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -440,6 +440,7 @@ static int netem_enqueue(struct sk_buff
+ int nb = 0;
+ int count = 1;
+ int rc = NET_XMIT_SUCCESS;
++ int rc_drop = NET_XMIT_DROP;
+
+ /* Do not fool qdisc_drop_all() */
+ skb->prev = NULL;
+@@ -479,6 +480,7 @@ static int netem_enqueue(struct sk_buff
+ q->duplicate = 0;
+ rootq->enqueue(skb2, rootq, to_free);
+ q->duplicate = dupsave;
++ rc_drop = NET_XMIT_SUCCESS;
+ }
+
+ /*
+@@ -491,7 +493,7 @@ static int netem_enqueue(struct sk_buff
+ if (skb_is_gso(skb)) {
+ segs = netem_segment(skb, sch, to_free);
+ if (!segs)
+- return NET_XMIT_DROP;
++ return rc_drop;
+ } else {
+ segs = skb;
+ }
+@@ -514,8 +516,10 @@ static int netem_enqueue(struct sk_buff
+ 1<<(prandom_u32() % 8);
+ }
+
+- if (unlikely(sch->q.qlen >= sch->limit))
+- return qdisc_drop_all(skb, sch, to_free);
++ if (unlikely(sch->q.qlen >= sch->limit)) {
++ qdisc_drop_all(skb, sch, to_free);
++ return rc_drop;
++ }
+
+ qdisc_qstats_backlog_inc(sch, skb);
+
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Fri, 22 Feb 2019 15:37:58 +0800
+Subject: net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 58bdd544e2933a21a51eecf17c3f5f94038261b5 ]
+
+KASAN report this:
+
+BUG: KASAN: null-ptr-deref in nfc_llcp_build_gb+0x37f/0x540 [nfc]
+Read of size 3 at addr 0000000000000000 by task syz-executor.0/5401
+
+CPU: 0 PID: 5401 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ kasan_report+0x171/0x18d mm/kasan/report.c:321
+ memcpy+0x1f/0x50 mm/kasan/common.c:130
+ nfc_llcp_build_gb+0x37f/0x540 [nfc]
+ nfc_llcp_register_device+0x6eb/0xb50 [nfc]
+ nfc_register_device+0x50/0x1d0 [nfc]
+ nfcsim_device_new+0x394/0x67d [nfcsim]
+ ? 0xffffffffc1080000
+ nfcsim_init+0x6b/0x1000 [nfcsim]
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f9cb79dcc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
+RBP: 00007f9cb79dcc70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9cb79dd6bc
+R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
+
+nfc_llcp_build_tlv will return NULL on fails, caller should check it,
+otherwise will trigger a NULL dereference.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: eda21f16a5ed ("NFC: Set MIU and RW values from CONNECT and CC LLCP frames")
+Fixes: d646960f7986 ("NFC: Initial LLCP support")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_commands.c | 20 ++++++++++++++++++++
+ net/nfc/llcp_core.c | 24 ++++++++++++++++++++----
+ 2 files changed, 40 insertions(+), 4 deletions(-)
+
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -419,6 +419,10 @@ int nfc_llcp_send_connect(struct nfc_llc
+ sock->service_name,
+ sock->service_name_len,
+ &service_name_tlv_length);
++ if (!service_name_tlv) {
++ err = -ENOMEM;
++ goto error_tlv;
++ }
+ size += service_name_tlv_length;
+ }
+
+@@ -429,9 +433,17 @@ int nfc_llcp_send_connect(struct nfc_llc
+
+ miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
+ &miux_tlv_length);
++ if (!miux_tlv) {
++ err = -ENOMEM;
++ goto error_tlv;
++ }
+ size += miux_tlv_length;
+
+ rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length);
++ if (!rw_tlv) {
++ err = -ENOMEM;
++ goto error_tlv;
++ }
+ size += rw_tlv_length;
+
+ pr_debug("SKB size %d SN length %zu\n", size, sock->service_name_len);
+@@ -484,9 +496,17 @@ int nfc_llcp_send_cc(struct nfc_llcp_soc
+
+ miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
+ &miux_tlv_length);
++ if (!miux_tlv) {
++ err = -ENOMEM;
++ goto error_tlv;
++ }
+ size += miux_tlv_length;
+
+ rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length);
++ if (!rw_tlv) {
++ err = -ENOMEM;
++ goto error_tlv;
++ }
+ size += rw_tlv_length;
+
+ skb = llcp_allocate_pdu(sock, LLCP_PDU_CC, size);
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -532,10 +532,10 @@ static u8 nfc_llcp_reserve_sdp_ssap(stru
+
+ static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
+ {
+- u8 *gb_cur, *version_tlv, version, version_length;
+- u8 *lto_tlv, lto_length;
+- u8 *wks_tlv, wks_length;
+- u8 *miux_tlv, miux_length;
++ u8 *gb_cur, version, version_length;
++ u8 lto_length, wks_length, miux_length;
++ u8 *version_tlv = NULL, *lto_tlv = NULL,
++ *wks_tlv = NULL, *miux_tlv = NULL;
+ __be16 wks = cpu_to_be16(local->local_wks);
+ u8 gb_len = 0;
+ int ret = 0;
+@@ -543,17 +543,33 @@ static int nfc_llcp_build_gb(struct nfc_
+ version = LLCP_VERSION_11;
+ version_tlv = nfc_llcp_build_tlv(LLCP_TLV_VERSION, &version,
+ 1, &version_length);
++ if (!version_tlv) {
++ ret = -ENOMEM;
++ goto out;
++ }
+ gb_len += version_length;
+
+ lto_tlv = nfc_llcp_build_tlv(LLCP_TLV_LTO, &local->lto, 1, <o_length);
++ if (!lto_tlv) {
++ ret = -ENOMEM;
++ goto out;
++ }
+ gb_len += lto_length;
+
+ pr_debug("Local wks 0x%lx\n", local->local_wks);
+ wks_tlv = nfc_llcp_build_tlv(LLCP_TLV_WKS, (u8 *)&wks, 2, &wks_length);
++ if (!wks_tlv) {
++ ret = -ENOMEM;
++ goto out;
++ }
+ gb_len += wks_length;
+
+ miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&local->miux, 0,
+ &miux_length);
++ if (!miux_tlv) {
++ ret = -ENOMEM;
++ goto out;
++ }
+ gb_len += miux_length;
+
+ gb_len += ARRAY_SIZE(llcp_magic);
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Rajasingh Thavamani <T.Rajasingh@landisgyr.com>
+Date: Wed, 27 Feb 2019 17:43:19 +0530
+Subject: net: phy: Micrel KSZ8061: link failure after cable connect
+
+From: Rajasingh Thavamani <T.Rajasingh@landisgyr.com>
+
+[ Upstream commit 232ba3a51cc224b339c7114888ed7f0d4d95695e ]
+
+With Micrel KSZ8061 PHY, the link may occasionally not come up after
+Ethernet cable connect. The vendor's (Microchip, former Micrel) errata
+sheet 80000688A.pdf descripes the problem and possible workarounds in
+detail, see below.
+The batch implements workaround 1, which permanently fixes the issue.
+
+DESCRIPTION
+Link-up may not occur properly when the Ethernet cable is initially
+connected. This issue occurs more commonly when the cable is connected
+slowly, but it may occur any time a cable is connected. This issue occurs
+in the auto-negotiation circuit, and will not occur if auto-negotiation
+is disabled (which requires that the two link partners be set to the
+same speed and duplex).
+
+END USER IMPLICATIONS
+When this issue occurs, link is not established. Subsequent cable
+plug/unplaug cycle will not correct the issue.
+
+WORk AROUND
+There are four approaches to work around this issue:
+1. This issue can be prevented by setting bit 15 in MMD device address 1,
+ register 2, prior to connecting the cable or prior to setting the
+ Restart Auto-negotiation bit in register 0h. The MMD registers are
+ accessed via the indirect access registers Dh and Eh, or via the Micrel
+ EthUtil utility as shown here:
+ . if using the EthUtil utility (usually with a Micrel KSZ8061
+ Evaluation Board), type the following commands:
+ > address 1
+ > mmd 1
+ > iw 2 b61a
+ . Alternatively, write the following registers to write to the
+ indirect MMD register:
+ Write register Dh, data 0001h
+ Write register Eh, data 0002h
+ Write register Dh, data 4001h
+ Write register Eh, data B61Ah
+2. The issue can be avoided by disabling auto-negotiation in the KSZ8061,
+ either by the strapping option, or by clearing bit 12 in register 0h.
+ Care must be taken to ensure that the KSZ8061 and the link partner
+ will link with the same speed and duplex. Note that the KSZ8061
+ defaults to full-duplex when auto-negotiation is off, but other
+ devices may default to half-duplex in the event of failed
+ auto-negotiation.
+3. The issue can be avoided by connecting the cable prior to powering-up
+ or resetting the KSZ8061, and leaving it plugged in thereafter.
+4. If the above measures are not taken and the problem occurs, link can
+ be recovered by setting the Restart Auto-Negotiation bit in
+ register 0h, or by resetting or power cycling the device. Reset may
+ be either hardware reset or software reset (register 0h, bit 15).
+
+PLAN
+This errata will not be corrected in the future revision.
+
+Fixes: 7ab59dc15e2f ("drivers/net/phy/micrel_phy: Add support for new PHYs")
+Signed-off-by: Alexander Onnasch <alexander.onnasch@landisgyr.com>
+Signed-off-by: Rajasingh Thavamani <T.Rajasingh@landisgyr.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/micrel.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -339,6 +339,17 @@ static int ksz8041_config_aneg(struct ph
+ return genphy_config_aneg(phydev);
+ }
+
++static int ksz8061_config_init(struct phy_device *phydev)
++{
++ int ret;
++
++ ret = phy_write_mmd(phydev, MDIO_MMD_PMAPMD, MDIO_DEVID1, 0xB61A);
++ if (ret)
++ return ret;
++
++ return kszphy_config_init(phydev);
++}
++
+ static int ksz9021_load_values_from_of(struct phy_device *phydev,
+ const struct device_node *of_node,
+ u16 reg,
+@@ -810,7 +821,7 @@ static struct phy_driver ksphy_driver[]
+ .features = PHY_BASIC_FEATURES,
+ .flags = PHY_HAS_INTERRUPT,
+ .driver_data = &ks8737_type,
+- .config_init = kszphy_config_init,
++ .config_init = ksz8061_config_init,
+ .ack_interrupt = kszphy_ack_interrupt,
+ .config_intr = kszphy_config_intr,
+ .suspend = genphy_suspend,
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Tue, 26 Feb 2019 19:29:22 +0100
+Subject: net: phy: phylink: fix uninitialized variable in phylink_get_mac_state
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit d25ed413d5e51644e18f66e34eec049f17a7abcb ]
+
+When debugging an issue I found implausible values in state->pause.
+Reason in that state->pause isn't initialized and later only single
+bits are changed. Also the struct itself isn't initialized in
+phylink_resolve(). So better initialize state->pause and other
+not yet initialized fields.
+
+v2:
+- use right function name in subject
+v3:
+- initialize additional fields
+
+Fixes: 9525ae83959b ("phylink: add phylink infrastructure")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phylink.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/phy/phylink.c
++++ b/drivers/net/phy/phylink.c
+@@ -348,6 +348,10 @@ static int phylink_get_mac_state(struct
+ linkmode_zero(state->lp_advertising);
+ state->interface = pl->link_config.interface;
+ state->an_enabled = pl->link_config.an_enabled;
++ state->speed = SPEED_UNKNOWN;
++ state->duplex = DUPLEX_UNKNOWN;
++ state->pause = MLO_PAUSE_NONE;
++ state->an_complete = 0;
+ state->link = 1;
+
+ return pl->ops->mac_link_state(ndev, state);
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Fri, 22 Feb 2019 12:33:25 +0100
+Subject: net/sched: act_ipt: fix refcount leak when replace fails
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 8f67c90ee9148eab3d2b4393c3cf76489b27f87c ]
+
+After commit 4e8ddd7f1758 ("net: sched: don't release reference on action
+overwrite"), the error path of all actions was converted to drop refcount
+also when the action was being overwritten. But we forgot act_ipt_init(),
+in case allocation of 'tname' was not successful:
+
+ # tc action add action xt -j LOG --log-prefix hello index 100
+ tablename: mangle hook: NF_IP_POST_ROUTING
+ target: LOG level warning prefix "hello" index 100
+ # tc action show action xt
+ total acts 1
+
+ action order 0: tablename: mangle hook: NF_IP_POST_ROUTING
+ target LOG level warning prefix "hello"
+ index 100 ref 1 bind 0
+ # tc action replace action xt -j LOG --log-prefix world index 100
+ tablename: mangle hook: NF_IP_POST_ROUTING
+ target: LOG level warning prefix "world" index 100
+ RTNETLINK answers: Cannot allocate memory
+ We have an error talking to the kernel
+ # tc action show action xt
+ total acts 1
+
+ action order 0: tablename: mangle hook: NF_IP_POST_ROUTING
+ target LOG level warning prefix "hello"
+ index 100 ref 2 bind 0
+
+Ensure we call tcf_idr_release(), in case 'tname' allocation failed, also
+when the action is being replaced.
+
+Fixes: 4e8ddd7f1758 ("net: sched: don't release reference on action overwrite")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ipt.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/sched/act_ipt.c
++++ b/net/sched/act_ipt.c
+@@ -199,8 +199,7 @@ err3:
+ err2:
+ kfree(tname);
+ err1:
+- if (ret == ACT_P_CREATED)
+- tcf_idr_release(*a, bind);
++ tcf_idr_release(*a, bind);
+ return err;
+ }
+
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Fri, 22 Feb 2019 12:33:26 +0100
+Subject: net/sched: act_skbedit: fix refcount leak when replace fails
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 6191da98062d25276a3b88fb2a94dcbcfb3ea65d ]
+
+when act_skbedit was converted to use RCU in the data plane, we added an
+error path, but we forgot to drop the action refcount in case of failure
+during a 'replace' operation:
+
+ # tc actions add action skbedit ptype otherhost pass index 100
+ # tc action show action skbedit
+ total acts 1
+
+ action order 0: skbedit ptype otherhost pass
+ index 100 ref 1 bind 0
+ # tc actions replace action skbedit ptype otherhost drop index 100
+ RTNETLINK answers: Cannot allocate memory
+ We have an error talking to the kernel
+ # tc action show action skbedit
+ total acts 1
+
+ action order 0: skbedit ptype otherhost pass
+ index 100 ref 2 bind 0
+
+Ensure we call tcf_idr_release(), in case 'params_new' allocation failed,
+also when the action is being replaced.
+
+Fixes: c749cdda9089 ("net/sched: act_skbedit: don't use spinlock in the data path")
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_skbedit.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/sched/act_skbedit.c
++++ b/net/sched/act_skbedit.c
+@@ -191,8 +191,7 @@ static int tcf_skbedit_init(struct net *
+
+ params_new = kzalloc(sizeof(*params_new), GFP_KERNEL);
+ if (unlikely(!params_new)) {
+- if (ret == ACT_P_CREATED)
+- tcf_idr_release(*a, bind);
++ tcf_idr_release(*a, bind);
+ return -ENOMEM;
+ }
+
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Vlad Buslov <vladbu@mellanox.com>
+Date: Mon, 25 Feb 2019 17:28:27 +0200
+Subject: net: sched: act_tunnel_key: fix NULL pointer dereference during init
+
+From: Vlad Buslov <vladbu@mellanox.com>
+
+[ Upstream commit a3df633a3c92bb96b06552c3f828d7c267774379 ]
+
+Metadata pointer is only initialized for action TCA_TUNNEL_KEY_ACT_SET, but
+it is unconditionally dereferenced in tunnel_key_init() error handler.
+Verify that metadata pointer is not NULL before dereferencing it in
+tunnel_key_init error handling code.
+
+Fixes: ee28bb56ac5b ("net/sched: fix memory leak in act_tunnel_key_init()")
+Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
+Reviewed-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_tunnel_key.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_tunnel_key.c
++++ b/net/sched/act_tunnel_key.c
+@@ -377,7 +377,8 @@ static int tunnel_key_init(struct net *n
+ return ret;
+
+ release_tun_meta:
+- dst_release(&metadata->dst);
++ if (metadata)
++ dst_release(&metadata->dst);
+
+ err_out:
+ if (exists)
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 28 Feb 2019 12:55:43 -0800
+Subject: net: sched: put back q.qlen into a single location
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 46b1c18f9deb326a7e18348e668e4c7ab7c7458b ]
+
+In the series fc8b81a5981f ("Merge branch 'lockless-qdisc-series'")
+John made the assumption that the data path had no need to read
+the qdisc qlen (number of packets in the qdisc).
+
+It is true when pfifo_fast is used as the root qdisc, or as direct MQ/MQPRIO
+children.
+
+But pfifo_fast can be used as leaf in class full qdiscs, and existing
+logic needs to access the child qlen in an efficient way.
+
+HTB breaks badly, since it uses cl->leaf.q->q.qlen in :
+ htb_activate() -> WARN_ON()
+ htb_dequeue_tree() to decide if a class can be htb_deactivated
+ when it has no more packets.
+
+HFSC, DRR, CBQ, QFQ have similar issues, and some calls to
+qdisc_tree_reduce_backlog() also read q.qlen directly.
+
+Using qdisc_qlen_sum() (which iterates over all possible cpus)
+in the data path is a non starter.
+
+It seems we have to put back qlen in a central location,
+at least for stable kernels.
+
+For all qdisc but pfifo_fast, qlen is guarded by the qdisc lock,
+so the existing q.qlen{++|--} are correct.
+
+For 'lockless' qdisc (pfifo_fast so far), we need to use atomic_{inc|dec}()
+because the spinlock might be not held (for example from
+pfifo_fast_enqueue() and pfifo_fast_dequeue())
+
+This patch adds atomic_qlen (in the same location than qlen)
+and renames the following helpers, since we want to express
+they can be used without qdisc lock, and that qlen is no longer percpu.
+
+- qdisc_qstats_cpu_qlen_dec -> qdisc_qstats_atomic_qlen_dec()
+- qdisc_qstats_cpu_qlen_inc -> qdisc_qstats_atomic_qlen_inc()
+
+Later (net-next) we might revert this patch by tracking all these
+qlen uses and replace them by a more efficient method (not having
+to access a precise qlen, but an empty/non_empty status that might
+be less expensive to maintain/track).
+
+Another possibility is to have a legacy pfifo_fast version that would
+be used when used a a child qdisc, since the parent qdisc needs
+a spinlock anyway. But then, future lockless qdiscs would also
+have the same problem.
+
+Fixes: 7e66016f2c65 ("net: sched: helpers to sum qlen and qlen for per cpu logic")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sch_generic.h | 31 +++++++++++++------------------
+ net/core/gen_stats.c | 2 --
+ net/sched/sch_generic.c | 13 ++++++-------
+ 3 files changed, 19 insertions(+), 27 deletions(-)
+
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -47,7 +47,10 @@ struct qdisc_size_table {
+ struct qdisc_skb_head {
+ struct sk_buff *head;
+ struct sk_buff *tail;
+- __u32 qlen;
++ union {
++ u32 qlen;
++ atomic_t atomic_qlen;
++ };
+ spinlock_t lock;
+ };
+
+@@ -384,27 +387,19 @@ static inline void qdisc_cb_private_vali
+ BUILD_BUG_ON(sizeof(qcb->data) < sz);
+ }
+
+-static inline int qdisc_qlen_cpu(const struct Qdisc *q)
+-{
+- return this_cpu_ptr(q->cpu_qstats)->qlen;
+-}
+-
+ static inline int qdisc_qlen(const struct Qdisc *q)
+ {
+ return q->q.qlen;
+ }
+
+-static inline int qdisc_qlen_sum(const struct Qdisc *q)
++static inline u32 qdisc_qlen_sum(const struct Qdisc *q)
+ {
+- __u32 qlen = q->qstats.qlen;
+- int i;
++ u32 qlen = q->qstats.qlen;
+
+- if (q->flags & TCQ_F_NOLOCK) {
+- for_each_possible_cpu(i)
+- qlen += per_cpu_ptr(q->cpu_qstats, i)->qlen;
+- } else {
++ if (q->flags & TCQ_F_NOLOCK)
++ qlen += atomic_read(&q->q.atomic_qlen);
++ else
+ qlen += q->q.qlen;
+- }
+
+ return qlen;
+ }
+@@ -776,14 +771,14 @@ static inline void qdisc_qstats_cpu_back
+ this_cpu_add(sch->cpu_qstats->backlog, qdisc_pkt_len(skb));
+ }
+
+-static inline void qdisc_qstats_cpu_qlen_inc(struct Qdisc *sch)
++static inline void qdisc_qstats_atomic_qlen_inc(struct Qdisc *sch)
+ {
+- this_cpu_inc(sch->cpu_qstats->qlen);
++ atomic_inc(&sch->q.atomic_qlen);
+ }
+
+-static inline void qdisc_qstats_cpu_qlen_dec(struct Qdisc *sch)
++static inline void qdisc_qstats_atomic_qlen_dec(struct Qdisc *sch)
+ {
+- this_cpu_dec(sch->cpu_qstats->qlen);
++ atomic_dec(&sch->q.atomic_qlen);
+ }
+
+ static inline void qdisc_qstats_cpu_requeues_inc(struct Qdisc *sch)
+--- a/net/core/gen_stats.c
++++ b/net/core/gen_stats.c
+@@ -256,7 +256,6 @@ __gnet_stats_copy_queue_cpu(struct gnet_
+ for_each_possible_cpu(i) {
+ const struct gnet_stats_queue *qcpu = per_cpu_ptr(q, i);
+
+- qstats->qlen = 0;
+ qstats->backlog += qcpu->backlog;
+ qstats->drops += qcpu->drops;
+ qstats->requeues += qcpu->requeues;
+@@ -272,7 +271,6 @@ void __gnet_stats_copy_queue(struct gnet
+ if (cpu) {
+ __gnet_stats_copy_queue_cpu(qstats, cpu);
+ } else {
+- qstats->qlen = q->qlen;
+ qstats->backlog = q->backlog;
+ qstats->drops = q->drops;
+ qstats->requeues = q->requeues;
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -68,7 +68,7 @@ static inline struct sk_buff *__skb_dequ
+ skb = __skb_dequeue(&q->skb_bad_txq);
+ if (qdisc_is_percpu_stats(q)) {
+ qdisc_qstats_cpu_backlog_dec(q, skb);
+- qdisc_qstats_cpu_qlen_dec(q);
++ qdisc_qstats_atomic_qlen_dec(q);
+ } else {
+ qdisc_qstats_backlog_dec(q, skb);
+ q->q.qlen--;
+@@ -108,7 +108,7 @@ static inline void qdisc_enqueue_skb_bad
+
+ if (qdisc_is_percpu_stats(q)) {
+ qdisc_qstats_cpu_backlog_inc(q, skb);
+- qdisc_qstats_cpu_qlen_inc(q);
++ qdisc_qstats_atomic_qlen_inc(q);
+ } else {
+ qdisc_qstats_backlog_inc(q, skb);
+ q->q.qlen++;
+@@ -147,7 +147,7 @@ static inline int dev_requeue_skb_locked
+
+ qdisc_qstats_cpu_requeues_inc(q);
+ qdisc_qstats_cpu_backlog_inc(q, skb);
+- qdisc_qstats_cpu_qlen_inc(q);
++ qdisc_qstats_atomic_qlen_inc(q);
+
+ skb = next;
+ }
+@@ -252,7 +252,7 @@ static struct sk_buff *dequeue_skb(struc
+ skb = __skb_dequeue(&q->gso_skb);
+ if (qdisc_is_percpu_stats(q)) {
+ qdisc_qstats_cpu_backlog_dec(q, skb);
+- qdisc_qstats_cpu_qlen_dec(q);
++ qdisc_qstats_atomic_qlen_dec(q);
+ } else {
+ qdisc_qstats_backlog_dec(q, skb);
+ q->q.qlen--;
+@@ -633,7 +633,7 @@ static int pfifo_fast_enqueue(struct sk_
+ if (unlikely(err))
+ return qdisc_drop_cpu(skb, qdisc, to_free);
+
+- qdisc_qstats_cpu_qlen_inc(qdisc);
++ qdisc_qstats_atomic_qlen_inc(qdisc);
+ /* Note: skb can not be used after skb_array_produce(),
+ * so we better not use qdisc_qstats_cpu_backlog_inc()
+ */
+@@ -658,7 +658,7 @@ static struct sk_buff *pfifo_fast_dequeu
+ if (likely(skb)) {
+ qdisc_qstats_cpu_backlog_dec(qdisc, skb);
+ qdisc_bstats_cpu_update(qdisc, skb);
+- qdisc_qstats_cpu_qlen_dec(qdisc);
++ qdisc_qstats_atomic_qlen_dec(qdisc);
+ }
+
+ return skb;
+@@ -702,7 +702,6 @@ static void pfifo_fast_reset(struct Qdis
+ struct gnet_stats_queue *q = per_cpu_ptr(qdisc->cpu_qstats, i);
+
+ q->backlog = 0;
+- q->qlen = 0;
+ }
+ }
+
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Mao Wenan <maowenan@huawei.com>
+Date: Fri, 1 Mar 2019 23:06:40 +0800
+Subject: net: sit: fix memory leak in sit_init_net()
+
+From: Mao Wenan <maowenan@huawei.com>
+
+[ Upstream commit 07f12b26e21ab359261bf75cfcb424fdc7daeb6d ]
+
+If register_netdev() is failed to register sitn->fb_tunnel_dev,
+it will go to err_reg_dev and forget to free netdev(sitn->fb_tunnel_dev).
+
+BUG: memory leak
+unreferenced object 0xffff888378daad00 (size 512):
+ comm "syz-executor.1", pid 4006, jiffies 4295121142 (age 16.115s)
+ hex dump (first 32 bytes):
+ 00 e6 ed c0 83 88 ff ff 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+backtrace:
+ [<00000000d6dcb63e>] kvmalloc include/linux/mm.h:577 [inline]
+ [<00000000d6dcb63e>] kvzalloc include/linux/mm.h:585 [inline]
+ [<00000000d6dcb63e>] netif_alloc_netdev_queues net/core/dev.c:8380 [inline]
+ [<00000000d6dcb63e>] alloc_netdev_mqs+0x600/0xcc0 net/core/dev.c:8970
+ [<00000000867e172f>] sit_init_net+0x295/0xa40 net/ipv6/sit.c:1848
+ [<00000000871019fa>] ops_init+0xad/0x3e0 net/core/net_namespace.c:129
+ [<00000000319507f6>] setup_net+0x2ba/0x690 net/core/net_namespace.c:314
+ [<0000000087db4f96>] copy_net_ns+0x1dc/0x330 net/core/net_namespace.c:437
+ [<0000000057efc651>] create_new_namespaces+0x382/0x730 kernel/nsproxy.c:107
+ [<00000000676f83de>] copy_namespaces+0x2ed/0x3d0 kernel/nsproxy.c:165
+ [<0000000030b74bac>] copy_process.part.27+0x231e/0x6db0 kernel/fork.c:1919
+ [<00000000fff78746>] copy_process kernel/fork.c:1713 [inline]
+ [<00000000fff78746>] _do_fork+0x1bc/0xe90 kernel/fork.c:2224
+ [<000000001c2e0d1c>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
+ [<00000000ec48bd44>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [<0000000039acff8a>] 0xffffffffffffffff
+
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1873,6 +1873,7 @@ static int __net_init sit_init_net(struc
+
+ err_reg_dev:
+ ipip6_dev_free(sitn->fb_tunnel_dev);
++ free_netdev(sitn->fb_tunnel_dev);
+ err_alloc_dev:
+ return err;
+ }
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 21 Feb 2019 14:13:56 -0800
+Subject: net: socket: set sock->sk to NULL after calling proto_ops::release()
+
+From: Eric Biggers <ebiggers@google.com>
+
+[ Upstream commit ff7b11aa481f682e0e9711abfeb7d03f5cd612bf ]
+
+Commit 9060cb719e61 ("net: crypto set sk to NULL when af_alg_release.")
+fixed a use-after-free in sockfs_setattr() when an AF_ALG socket is
+closed concurrently with fchownat(). However, it ignored that many
+other proto_ops::release() methods don't set sock->sk to NULL and
+therefore allow the same use-after-free:
+
+ - base_sock_release
+ - bnep_sock_release
+ - cmtp_sock_release
+ - data_sock_release
+ - dn_release
+ - hci_sock_release
+ - hidp_sock_release
+ - iucv_sock_release
+ - l2cap_sock_release
+ - llcp_sock_release
+ - llc_ui_release
+ - rawsock_release
+ - rfcomm_sock_release
+ - sco_sock_release
+ - svc_release
+ - vcc_release
+ - x25_release
+
+Rather than fixing all these and relying on every socket type to get
+this right forever, just make __sock_release() set sock->sk to NULL
+itself after calling proto_ops::release().
+
+Reproducer that produces the KASAN splat when any of these socket types
+are configured into the kernel:
+
+ #include <pthread.h>
+ #include <stdlib.h>
+ #include <sys/socket.h>
+ #include <unistd.h>
+
+ pthread_t t;
+ volatile int fd;
+
+ void *close_thread(void *arg)
+ {
+ for (;;) {
+ usleep(rand() % 100);
+ close(fd);
+ }
+ }
+
+ int main()
+ {
+ pthread_create(&t, NULL, close_thread, NULL);
+ for (;;) {
+ fd = socket(rand() % 50, rand() % 11, 0);
+ fchownat(fd, "", 1000, 1000, 0x1000);
+ close(fd);
+ }
+ }
+
+Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/socket.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -577,6 +577,7 @@ static void __sock_release(struct socket
+ if (inode)
+ inode_lock(inode);
+ sock->ops->release(sock);
++ sock->sk = NULL;
+ if (inode)
+ inode_unlock(inode);
+ sock->ops = NULL;
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Sat, 2 Mar 2019 10:34:55 +0800
+Subject: net-sysfs: Fix mem leak in netdev_register_kobject
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 895a5e96dbd6386c8e78e5b78e067dcc67b7f0ab ]
+
+syzkaller report this:
+BUG: memory leak
+unreferenced object 0xffff88837a71a500 (size 256):
+ comm "syz-executor.2", pid 9770, jiffies 4297825125 (age 17.843s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
+ ff ff ff ff ff ff ff ff 20 c0 ef 86 ff ff ff ff ........ .......
+ backtrace:
+ [<00000000db12624b>] netdev_register_kobject+0x124/0x2e0 net/core/net-sysfs.c:1751
+ [<00000000dc49a994>] register_netdevice+0xcc1/0x1270 net/core/dev.c:8516
+ [<00000000e5f3fea0>] tun_set_iff drivers/net/tun.c:2649 [inline]
+ [<00000000e5f3fea0>] __tun_chr_ioctl+0x2218/0x3d20 drivers/net/tun.c:2883
+ [<000000001b8ac127>] vfs_ioctl fs/ioctl.c:46 [inline]
+ [<000000001b8ac127>] do_vfs_ioctl+0x1a5/0x10e0 fs/ioctl.c:690
+ [<0000000079b269f8>] ksys_ioctl+0x89/0xa0 fs/ioctl.c:705
+ [<00000000de649beb>] __do_sys_ioctl fs/ioctl.c:712 [inline]
+ [<00000000de649beb>] __se_sys_ioctl fs/ioctl.c:710 [inline]
+ [<00000000de649beb>] __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:710
+ [<000000007ebded1e>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
+ [<00000000db315d36>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [<00000000115be9bb>] 0xffffffffffffffff
+
+It should call kset_unregister to free 'dev->queues_kset'
+in error path of register_queue_kobjects, otherwise will cause a mem leak.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/net-sysfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/core/net-sysfs.c
++++ b/net/core/net-sysfs.c
+@@ -1547,6 +1547,9 @@ static int register_queue_kobjects(struc
+ error:
+ netdev_queue_update_kobjects(dev, txq, 0);
+ net_rx_queue_update_kobjects(dev, rxq, 0);
++#ifdef CONFIG_SYSFS
++ kset_unregister(dev->queues_kset);
++#endif
+ return error;
+ }
+
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Paul Moore <paul@paul-moore.com>
+Date: Mon, 25 Feb 2019 19:06:06 -0500
+Subject: netlabel: fix out-of-bounds memory accesses
+
+From: Paul Moore <paul@paul-moore.com>
+
+[ Upstream commit 5578de4834fe0f2a34fedc7374be691443396d1f ]
+
+There are two array out-of-bounds memory accesses, one in
+cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk(). Both
+errors are embarassingly simple, and the fixes are straightforward.
+
+As a FYI for anyone backporting this patch to kernels prior to v4.8,
+you'll want to apply the netlbl_bitmap_walk() patch to
+cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before
+Linux v4.8.
+
+Reported-by: Jann Horn <jannh@google.com>
+Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
+Fixes: 3faa8f982f95 ("netlabel: Move bitmap manipulation functions to the NetLabel core.")
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/cipso_ipv4.c | 3 ++-
+ net/netlabel/netlabel_kapi.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -667,7 +667,8 @@ static int cipso_v4_map_lvl_valid(const
+ case CIPSO_V4_MAP_PASS:
+ return 0;
+ case CIPSO_V4_MAP_TRANS:
+- if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)
++ if ((level < doi_def->map.std->lvl.cipso_size) &&
++ (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL))
+ return 0;
+ break;
+ }
+--- a/net/netlabel/netlabel_kapi.c
++++ b/net/netlabel/netlabel_kapi.c
+@@ -903,7 +903,8 @@ int netlbl_bitmap_walk(const unsigned ch
+ (state == 0 && (byte & bitmask) == 0))
+ return bit_spot;
+
+- bit_spot++;
++ if (++bit_spot >= bitmap_len)
++ return -1;
+ bitmask >>= 1;
+ if (bitmask == 0) {
+ byte = bitmap[++byte_offset];
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Kristian Evensen <kristian.evensen@gmail.com>
+Date: Sat, 2 Mar 2019 13:32:26 +0100
+Subject: qmi_wwan: Add support for Quectel EG12/EM12
+
+From: Kristian Evensen <kristian.evensen@gmail.com>
+
+[ Upstream commit 822e44b45eb991c63487c5e2ce7d636411870a8d ]
+
+Quectel EG12 (module)/EM12 (M.2 card) is a Cat. 12 LTE modem. The modem
+behaves in the same way as the EP06, so the "set DTR"-quirk must be
+applied and the diagnostic-interface check performed. Since the
+diagnostic-check now applies to more modems, I have renamed the function
+from quectel_ep06_diag_detected() to quectel_diag_detected().
+
+Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -976,6 +976,13 @@ static const struct usb_device_id produc
+ 0xff),
+ .driver_info = (unsigned long)&qmi_wwan_info_quirk_dtr,
+ },
++ { /* Quectel EG12/EM12 */
++ USB_DEVICE_AND_INTERFACE_INFO(0x2c7c, 0x0512,
++ USB_CLASS_VENDOR_SPEC,
++ USB_SUBCLASS_VENDOR_SPEC,
++ 0xff),
++ .driver_info = (unsigned long)&qmi_wwan_info_quirk_dtr,
++ },
+
+ /* 3. Combined interface devices matching on interface number */
+ {QMI_FIXED_INTF(0x0408, 0xea42, 4)}, /* Yota / Megafon M100-1 */
+@@ -1343,17 +1350,20 @@ static bool quectel_ec20_detected(struct
+ return false;
+ }
+
+-static bool quectel_ep06_diag_detected(struct usb_interface *intf)
++static bool quectel_diag_detected(struct usb_interface *intf)
+ {
+ struct usb_device *dev = interface_to_usbdev(intf);
+ struct usb_interface_descriptor intf_desc = intf->cur_altsetting->desc;
++ u16 id_vendor = le16_to_cpu(dev->descriptor.idVendor);
++ u16 id_product = le16_to_cpu(dev->descriptor.idProduct);
+
+- if (le16_to_cpu(dev->descriptor.idVendor) == 0x2c7c &&
+- le16_to_cpu(dev->descriptor.idProduct) == 0x0306 &&
+- intf_desc.bNumEndpoints == 2)
+- return true;
++ if (id_vendor != 0x2c7c || intf_desc.bNumEndpoints != 2)
++ return false;
+
+- return false;
++ if (id_product == 0x0306 || id_product == 0x0512)
++ return true;
++ else
++ return false;
+ }
+
+ static int qmi_wwan_probe(struct usb_interface *intf,
+@@ -1390,13 +1400,13 @@ static int qmi_wwan_probe(struct usb_int
+ return -ENODEV;
+ }
+
+- /* Quectel EP06/EM06/EG06 supports dynamic interface configuration, so
++ /* Several Quectel modems supports dynamic interface configuration, so
+ * we need to match on class/subclass/protocol. These values are
+ * identical for the diagnostic- and QMI-interface, but bNumEndpoints is
+ * different. Ignore the current interface if the number of endpoints
+ * the number for the diag interface (two).
+ */
+- if (quectel_ep06_diag_detected(intf))
++ if (quectel_diag_detected(intf))
+ return -ENODEV;
+
+ return usbnet_probe(intf, id);
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 3 Mar 2019 16:50:26 +0800
+Subject: sctp: call iov_iter_revert() after sending ABORT
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 901efe12318b1ea8d3e2c88a7b75ed6e6d5d7245 ]
+
+The user msg is also copied to the abort packet when doing SCTP_ABORT in
+sctp_sendmsg_check_sflags(). When SCTP_SENDALL is set, iov_iter_revert()
+should have been called for sending abort on the next asoc with copying
+this msg. Otherwise, memcpy_from_msg() in sctp_make_abort_user() will
+fail and return error.
+
+Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg")
+Reported-by: Ying Xu <yinxu@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1884,6 +1884,7 @@ static int sctp_sendmsg_check_sflags(str
+
+ pr_debug("%s: aborting association:%p\n", __func__, asoc);
+ sctp_primitive_ABORT(net, asoc, chunk);
++ iov_iter_revert(&msg->msg_iter, msg_len);
+
+ return 0;
+ }
staging-android-ion-fix-sys-heap-pool-s-gfp_flags.patch
staging-android-ashmem-don-t-call-fallocate-with-ashmem_mutex-held.patch
staging-android-ashmem-avoid-range_alloc-allocation-with-ashmem_mutex-held.patch
+ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch
+net-dsa-mv88e6xxx-handle-unknown-duplex-modes-gracefully-in-mv88e6xxx_port_set_duplex.patch
+net-dsa-mv8e6xxx-fix-number-of-internal-phys-for-88e6x90-family.patch
+net-sched-put-back-q.qlen-into-a-single-location.patch
+net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch
+qmi_wwan-add-support-for-quectel-eg12-em12.patch
+sctp-call-iov_iter_revert-after-sending-abort.patch
+sky2-disable-msi-on-dell-inspiron-1545-and-gateway-p-79.patch
+team-free-bpf-filter-when-unregistering-netdev.patch
+tipc-fix-rdm-dgram-connect-regression.patch
+bnxt_en-drop-oversize-tx-packets-to-prevent-errors.patch
+geneve-correctly-handle-ipv6.disable-module-parameter.patch
+hv_netvsc-fix-ip-header-checksum-for-coalesced-packets.patch
+ipv4-add-icmpv6-support-when-parse-route-ipproto.patch
+lan743x-fix-tx-stall-issue.patch
+net-dsa-mv88e6xxx-fix-statistics-on-mv88e6161.patch
+net-dsa-mv88e6xxx-fix-u64-statistics.patch
+netlabel-fix-out-of-bounds-memory-accesses.patch
+net-netem-fix-skb-length-bug_on-in-__skb_to_sgvec.patch
+net-nfc-fix-null-dereference-on-nfc_llcp_build_tlv-fails.patch
+net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch
+net-phy-phylink-fix-uninitialized-variable-in-phylink_get_mac_state.patch
+net-sit-fix-memory-leak-in-sit_init_net.patch
+net-socket-set-sock-sk-to-null-after-calling-proto_ops-release.patch
+tipc-fix-race-condition-causing-hung-sendto.patch
+tun-fix-blocking-read.patch
+xen-netback-don-t-populate-the-hash-cache-on-xenbus-disconnect.patch
+xen-netback-fix-occasional-leak-of-grant-ref-mappings-under-memory-pressure.patch
+tun-remove-unnecessary-memory-barrier.patch
+net-add-__icmp_send-helper.patch
+net-avoid-use-ipcb-in-cipso_v4_error.patch
+ipv4-return-error-for-rta_via-attribute.patch
+ipv6-return-error-for-rta_via-attribute.patch
+mpls-return-error-for-rta_gateway-attribute.patch
+ipv4-pass-original-device-to-ip_rcv_finish_core.patch
+net-dsa-mv88e6xxx-power-serdes-on-off-for-10g-interfaces-on-6390x.patch
+net-dsa-mv88e6xxx-prevent-interrupt-storm-caused-by-mv88e6390x_port_set_cmode.patch
+net-sched-act_ipt-fix-refcount-leak-when-replace-fails.patch
+net-sched-act_skbedit-fix-refcount-leak-when-replace-fails.patch
+net-sched-act_tunnel_key-fix-null-pointer-dereference-during-init.patch
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Mon, 4 Mar 2019 15:00:03 +0800
+Subject: sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit b33b7cd6fd86478dd2890a9abeb6f036aa01fdf7 ]
+
+Some sky2 chips fire IRQ after S3, before the driver is fully resumed:
+[ 686.804877] do_IRQ: 1.37 No irq handler for vector
+
+This is likely a platform bug that device isn't fully quiesced during
+S3. Use MSI-X, maskable MSI or INTx can prevent this issue from
+happening.
+
+Since MSI-X and maskable MSI are not supported by this device, fallback
+to use INTx on affected platforms.
+
+BugLink: https://bugs.launchpad.net/bugs/1807259
+BugLink: https://bugs.launchpad.net/bugs/1809843
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/sky2.c | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -46,6 +46,7 @@
+ #include <linux/mii.h>
+ #include <linux/of_device.h>
+ #include <linux/of_net.h>
++#include <linux/dmi.h>
+
+ #include <asm/irq.h>
+
+@@ -93,7 +94,7 @@ static int copybreak __read_mostly = 128
+ module_param(copybreak, int, 0);
+ MODULE_PARM_DESC(copybreak, "Receive copy threshold");
+
+-static int disable_msi = 0;
++static int disable_msi = -1;
+ module_param(disable_msi, int, 0);
+ MODULE_PARM_DESC(disable_msi, "Disable Message Signaled Interrupt (MSI)");
+
+@@ -4931,6 +4932,24 @@ static const char *sky2_name(u8 chipid,
+ return buf;
+ }
+
++static const struct dmi_system_id msi_blacklist[] = {
++ {
++ .ident = "Dell Inspiron 1545",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1545"),
++ },
++ },
++ {
++ .ident = "Gateway P-79",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Gateway"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "P-79"),
++ },
++ },
++ {}
++};
++
+ static int sky2_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ {
+ struct net_device *dev, *dev1;
+@@ -5042,6 +5061,9 @@ static int sky2_probe(struct pci_dev *pd
+ goto err_out_free_pci;
+ }
+
++ if (disable_msi == -1)
++ disable_msi = !!dmi_check_system(msi_blacklist);
++
+ if (!disable_msi && pci_enable_msi(pdev) == 0) {
+ err = sky2_test_msi(hw);
+ if (err) {
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Sun, 3 Mar 2019 07:35:51 +0000
+Subject: team: Free BPF filter when unregistering netdev
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 692c31bd4054212312396b1d303bffab2c5b93a7 ]
+
+When team is used in loadbalance mode a BPF filter can be used to
+provide a hash which will determine the Tx port.
+
+When the netdev is later unregistered the filter is not freed which
+results in memory leaks [1].
+
+Fix by freeing the program and the corresponding filter when
+unregistering the netdev.
+
+[1]
+unreferenced object 0xffff8881dbc47cc8 (size 16):
+ comm "teamd", pid 3068, jiffies 4294997779 (age 438.247s)
+ hex dump (first 16 bytes):
+ a3 00 6b 6b 6b 6b 6b 6b 88 a5 82 e1 81 88 ff ff ..kkkkkk........
+ backtrace:
+ [<000000008a3b47e3>] team_nl_cmd_options_set+0x88f/0x11b0
+ [<00000000c4f4f27e>] genl_family_rcv_msg+0x78f/0x1080
+ [<00000000610ef838>] genl_rcv_msg+0xca/0x170
+ [<00000000a281df93>] netlink_rcv_skb+0x132/0x380
+ [<000000004d9448a2>] genl_rcv+0x29/0x40
+ [<000000000321b2f4>] netlink_unicast+0x4c0/0x690
+ [<000000008c25dffb>] netlink_sendmsg+0x929/0xe10
+ [<00000000068298c5>] sock_sendmsg+0xc8/0x110
+ [<0000000082a61ff0>] ___sys_sendmsg+0x77a/0x8f0
+ [<00000000663ae29d>] __sys_sendmsg+0xf7/0x250
+ [<0000000027c5f11a>] do_syscall_64+0x14d/0x610
+ [<000000006cfbc8d3>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [<00000000e23197e2>] 0xffffffffffffffff
+unreferenced object 0xffff8881e182a588 (size 2048):
+ comm "teamd", pid 3068, jiffies 4294997780 (age 438.247s)
+ hex dump (first 32 bytes):
+ 20 00 00 00 02 00 00 00 30 00 00 00 28 f0 ff ff .......0...(...
+ 07 00 00 00 00 00 00 00 28 00 00 00 00 00 00 00 ........(.......
+ backtrace:
+ [<000000002daf01fb>] lb_bpf_func_set+0x45c/0x6d0
+ [<000000008a3b47e3>] team_nl_cmd_options_set+0x88f/0x11b0
+ [<00000000c4f4f27e>] genl_family_rcv_msg+0x78f/0x1080
+ [<00000000610ef838>] genl_rcv_msg+0xca/0x170
+ [<00000000a281df93>] netlink_rcv_skb+0x132/0x380
+ [<000000004d9448a2>] genl_rcv+0x29/0x40
+ [<000000000321b2f4>] netlink_unicast+0x4c0/0x690
+ [<000000008c25dffb>] netlink_sendmsg+0x929/0xe10
+ [<00000000068298c5>] sock_sendmsg+0xc8/0x110
+ [<0000000082a61ff0>] ___sys_sendmsg+0x77a/0x8f0
+ [<00000000663ae29d>] __sys_sendmsg+0xf7/0x250
+ [<0000000027c5f11a>] do_syscall_64+0x14d/0x610
+ [<000000006cfbc8d3>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ [<00000000e23197e2>] 0xffffffffffffffff
+
+Fixes: 01d7f30a9f96 ("team: add loadbalance mode")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-by: Amit Cohen <amitc@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team_mode_loadbalance.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/net/team/team_mode_loadbalance.c
++++ b/drivers/net/team/team_mode_loadbalance.c
+@@ -325,6 +325,20 @@ static int lb_bpf_func_set(struct team *
+ return 0;
+ }
+
++static void lb_bpf_func_free(struct team *team)
++{
++ struct lb_priv *lb_priv = get_lb_priv(team);
++ struct bpf_prog *fp;
++
++ if (!lb_priv->ex->orig_fprog)
++ return;
++
++ __fprog_destroy(lb_priv->ex->orig_fprog);
++ fp = rcu_dereference_protected(lb_priv->fp,
++ lockdep_is_held(&team->lock));
++ bpf_prog_destroy(fp);
++}
++
+ static int lb_tx_method_get(struct team *team, struct team_gsetter_ctx *ctx)
+ {
+ struct lb_priv *lb_priv = get_lb_priv(team);
+@@ -639,6 +653,7 @@ static void lb_exit(struct team *team)
+
+ team_options_unregister(team, lb_options,
+ ARRAY_SIZE(lb_options));
++ lb_bpf_func_free(team);
+ cancel_delayed_work_sync(&lb_priv->ex->stats.refresh_dw);
+ free_percpu(lb_priv->pcpu_stats);
+ kfree(lb_priv->ex);
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Date: Mon, 25 Feb 2019 10:57:20 +0700
+Subject: tipc: fix race condition causing hung sendto
+
+From: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+
+[ Upstream commit bfd07f3dd4f111b884d7922b37eb239280f83d8c ]
+
+When sending multicast messages via blocking socket,
+if sending link is congested (tsk->cong_link_cnt is set to 1),
+the sending thread will be put into sleeping state. However,
+tipc_sk_filter_rcv() is called under socket spin lock but
+tipc_wait_for_cond() is not. So, there is no guarantee that
+the setting of tsk->cong_link_cnt to 0 in tipc_sk_proto_rcv() in
+CPU-1 will be perceived by CPU-0. If that is the case, the sending
+thread in CPU-0 after being waken up, will continue to see
+tsk->cong_link_cnt as 1 and put the sending thread into sleeping
+state again. The sending thread will sleep forever.
+
+CPU-0 | CPU-1
+tipc_wait_for_cond() |
+{ |
+ // condition_ = !tsk->cong_link_cnt |
+ while ((rc_ = !(condition_))) { |
+ ... |
+ release_sock(sk_); |
+ wait_woken(); |
+ | if (!sock_owned_by_user(sk))
+ | tipc_sk_filter_rcv()
+ | {
+ | ...
+ | tipc_sk_proto_rcv()
+ | {
+ | ...
+ | tsk->cong_link_cnt--;
+ | ...
+ | sk->sk_write_space(sk);
+ | ...
+ | }
+ | ...
+ | }
+ sched_annotate_sleep(); |
+ lock_sock(sk_); |
+ remove_wait_queue(); |
+ } |
+} |
+
+This commit fixes it by adding memory barrier to tipc_sk_proto_rcv()
+and tipc_wait_for_cond().
+
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/socket.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -377,11 +377,13 @@ static int tipc_sk_sock_err(struct socke
+
+ #define tipc_wait_for_cond(sock_, timeo_, condition_) \
+ ({ \
++ DEFINE_WAIT_FUNC(wait_, woken_wake_function); \
+ struct sock *sk_; \
+ int rc_; \
+ \
+ while ((rc_ = !(condition_))) { \
+- DEFINE_WAIT_FUNC(wait_, woken_wake_function); \
++ /* coupled with smp_wmb() in tipc_sk_proto_rcv() */ \
++ smp_rmb(); \
+ sk_ = (sock_)->sk; \
+ rc_ = tipc_sk_sock_err((sock_), timeo_); \
+ if (rc_) \
+@@ -1961,6 +1963,8 @@ static void tipc_sk_proto_rcv(struct soc
+ return;
+ case SOCK_WAKEUP:
+ tipc_dest_del(&tsk->cong_links, msg_orignode(hdr), 0);
++ /* coupled with smp_rmb() in tipc_wait_for_cond() */
++ smp_wmb();
+ tsk->cong_link_cnt--;
+ wakeup = true;
+ break;
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Erik Hugne <erik.hugne@gmail.com>
+Date: Mon, 4 Mar 2019 23:26:10 +0100
+Subject: tipc: fix RDM/DGRAM connect() regression
+
+From: Erik Hugne <erik.hugne@gmail.com>
+
+[ Upstream commit 0e63208915a8d7590d0a6218dadb2a6a00ac705a ]
+
+Fix regression bug introduced in
+commit 365ad353c256 ("tipc: reduce risk of user starvation during link
+congestion")
+
+Only signal -EDESTADDRREQ for RDM/DGRAM if we don't have a cached
+sockaddr.
+
+Fixes: 365ad353c256 ("tipc: reduce risk of user starvation during link congestion")
+Signed-off-by: Erik Hugne <erik.hugne@gmail.com>
+Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/socket.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -1318,7 +1318,7 @@ static int __tipc_sendmsg(struct socket
+
+ if (unlikely(!dest)) {
+ dest = &tsk->peer;
+- if (!syn || dest->family != AF_TIPC)
++ if (!syn && dest->family != AF_TIPC)
+ return -EDESTADDRREQ;
+ }
+
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Timur Celik <mail@timurcelik.de>
+Date: Sat, 23 Feb 2019 12:53:13 +0100
+Subject: tun: fix blocking read
+
+From: Timur Celik <mail@timurcelik.de>
+
+[ Upstream commit 71828b2240692cec0e68b8d867bc00e1745e7fae ]
+
+This patch moves setting of the current state into the loop. Otherwise
+the task may end up in a busy wait loop if none of the break conditions
+are met.
+
+Signed-off-by: Timur Celik <mail@timurcelik.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -2122,9 +2122,9 @@ static void *tun_ring_recv(struct tun_fi
+ }
+
+ add_wait_queue(&tfile->wq.wait, &wait);
+- current->state = TASK_INTERRUPTIBLE;
+
+ while (1) {
++ set_current_state(TASK_INTERRUPTIBLE);
+ ptr = ptr_ring_consume(&tfile->tx_ring);
+ if (ptr)
+ break;
+@@ -2140,7 +2140,7 @@ static void *tun_ring_recv(struct tun_fi
+ schedule();
+ }
+
+- current->state = TASK_RUNNING;
++ set_current_state(TASK_RUNNING);
+ remove_wait_queue(&tfile->wq.wait, &wait);
+
+ out:
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Timur Celik <mail@timurcelik.de>
+Date: Mon, 25 Feb 2019 21:13:13 +0100
+Subject: tun: remove unnecessary memory barrier
+
+From: Timur Celik <mail@timurcelik.de>
+
+[ Upstream commit ecef67cb10db7b83b3b71c61dbb29aa070ab0112 ]
+
+Replace set_current_state with __set_current_state since no memory
+barrier is needed at this point.
+
+Signed-off-by: Timur Celik <mail@timurcelik.de>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -2140,7 +2140,7 @@ static void *tun_ring_recv(struct tun_fi
+ schedule();
+ }
+
+- set_current_state(TASK_RUNNING);
++ __set_current_state(TASK_RUNNING);
+ remove_wait_queue(&tfile->wq.wait, &wait);
+
+ out:
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Igor Druzhinin <igor.druzhinin@citrix.com>
+Date: Thu, 28 Feb 2019 14:11:26 +0000
+Subject: xen-netback: don't populate the hash cache on XenBus disconnect
+
+From: Igor Druzhinin <igor.druzhinin@citrix.com>
+
+[ Upstream commit a2288d4e355992d369c50c45d017a85f6061ff71 ]
+
+Occasionally, during the disconnection procedure on XenBus which
+includes hash cache deinitialization there might be some packets
+still in-flight on other processors. Handling of these packets includes
+hashing and hash cache population that finally results in hash cache
+data structure corruption.
+
+In order to avoid this we prevent hashing of those packets if there
+are no queues initialized. In that case RCU protection of queues guards
+the hash cache as well.
+
+Signed-off-by: Igor Druzhinin <igor.druzhinin@citrix.com>
+Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netback/hash.c | 2 ++
+ drivers/net/xen-netback/interface.c | 7 +++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/net/xen-netback/hash.c
++++ b/drivers/net/xen-netback/hash.c
+@@ -454,6 +454,8 @@ void xenvif_init_hash(struct xenvif *vif
+ if (xenvif_hash_cache_size == 0)
+ return;
+
++ BUG_ON(vif->hash.cache.count);
++
+ spin_lock_init(&vif->hash.cache.lock);
+ INIT_LIST_HEAD(&vif->hash.cache.list);
+ }
+--- a/drivers/net/xen-netback/interface.c
++++ b/drivers/net/xen-netback/interface.c
+@@ -153,6 +153,13 @@ static u16 xenvif_select_queue(struct ne
+ {
+ struct xenvif *vif = netdev_priv(dev);
+ unsigned int size = vif->hash.size;
++ unsigned int num_queues;
++
++ /* If queues are not set up internally - always return 0
++ * as the packet going to be dropped anyway */
++ num_queues = READ_ONCE(vif->num_queues);
++ if (num_queues < 1)
++ return 0;
+
+ if (vif->hash.alg == XEN_NETIF_CTRL_HASH_ALGORITHM_NONE)
+ return fallback(dev, skb, NULL) % dev->real_num_tx_queues;
--- /dev/null
+From foo@baz Fri Mar 8 08:25:51 CET 2019
+From: Igor Druzhinin <igor.druzhinin@citrix.com>
+Date: Thu, 28 Feb 2019 12:48:03 +0000
+Subject: xen-netback: fix occasional leak of grant ref mappings under memory pressure
+
+From: Igor Druzhinin <igor.druzhinin@citrix.com>
+
+[ Upstream commit 99e87f56b48f490fb16b6e0f74691c1e664dea95 ]
+
+Zero-copy callback flag is not yet set on frag list skb at the moment
+xenvif_handle_frag_list() returns -ENOMEM. This eventually results in
+leaking grant ref mappings since xenvif_zerocopy_callback() is never
+called for these fragments. Those eventually build up and cause Xen
+to kill Dom0 as the slots get reused for new mappings:
+
+"d0v0 Attempt to implicitly unmap a granted PTE c010000329fce005"
+
+That behavior is observed under certain workloads where sudden spikes
+of page cache writes coexist with active atomic skb allocations from
+network traffic. Additionally, rework the logic to deal with frag_list
+deallocation in a single place.
+
+Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
+Signed-off-by: Igor Druzhinin <igor.druzhinin@citrix.com>
+Acked-by: Wei Liu <wei.liu2@citrix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netback/netback.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -1072,11 +1072,6 @@ static int xenvif_handle_frag_list(struc
+ skb_frag_size_set(&frags[i], len);
+ }
+
+- /* Copied all the bits from the frag list -- free it. */
+- skb_frag_list_init(skb);
+- xenvif_skb_zerocopy_prepare(queue, nskb);
+- kfree_skb(nskb);
+-
+ /* Release all the original (foreign) frags. */
+ for (f = 0; f < skb_shinfo(skb)->nr_frags; f++)
+ skb_frag_unref(skb, f);
+@@ -1145,6 +1140,8 @@ static int xenvif_tx_submit(struct xenvi
+ xenvif_fill_frags(queue, skb);
+
+ if (unlikely(skb_has_frag_list(skb))) {
++ struct sk_buff *nskb = skb_shinfo(skb)->frag_list;
++ xenvif_skb_zerocopy_prepare(queue, nskb);
+ if (xenvif_handle_frag_list(queue, skb)) {
+ if (net_ratelimit())
+ netdev_err(queue->vif->dev,
+@@ -1153,6 +1150,9 @@ static int xenvif_tx_submit(struct xenvi
+ kfree_skb(skb);
+ continue;
+ }
++ /* Copied all the bits from the frag list -- free it. */
++ skb_frag_list_init(skb);
++ kfree_skb(nskb);
+ }
+
+ skb->dev = queue->vif->dev;
projects / thirdparty / kernel / stable-queue.git / commitdiff
