--- /dev/null
+From foo@baz Tue Oct 16 16:47:53 CEST 2018
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Wed, 26 Sep 2018 00:41:04 -0400
+Subject: bnxt_en: Fix TX timeout during netpoll.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 73f21c653f930f438d53eed29b5e4c65c8a0f906 ]
+
+The current netpoll implementation in the bnxt_en driver has problems
+that may miss TX completion events. bnxt_poll_work() in effect is
+only handling at most 1 TX packet before exiting. In addition,
+there may be in flight TX completions that ->poll() may miss even
+after we fix bnxt_poll_work() to handle all visible TX completions.
+netpoll may not call ->poll() again and HW may not generate IRQ
+because the driver does not ARM the IRQ when the budget (0 for netpoll)
+is reached.
+
+We fix it by handling all TX completions and to always ARM the IRQ
+when we exit ->poll() with 0 budget.
+
+Also, the logic to ACK the completion ring in case it is almost filled
+with TX completions need to be adjusted to take care of the 0 budget
+case, as discussed with Eric Dumazet <edumazet@google.com>
+
+Reported-by: Song Liu <songliubraving@fb.com>
+Reviewed-by: Song Liu <songliubraving@fb.com>
+Tested-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -1343,8 +1343,11 @@ static int bnxt_poll_work(struct bnxt *b
+ if (TX_CMP_TYPE(txcmp) == CMP_TYPE_TX_L2_CMP) {
+ tx_pkts++;
+ /* return full budget so NAPI will complete. */
+- if (unlikely(tx_pkts > bp->tx_wake_thresh))
++ if (unlikely(tx_pkts > bp->tx_wake_thresh)) {
+ rx_pkts = budget;
++ raw_cons = NEXT_RAW_CMP(raw_cons);
++ break;
++ }
+ } else if ((TX_CMP_TYPE(txcmp) & 0x30) == 0x10) {
+ rc = bnxt_rx_pkt(bp, bnapi, &raw_cons, &agg_event);
+ if (likely(rc >= 0))
+@@ -1362,7 +1365,7 @@ static int bnxt_poll_work(struct bnxt *b
+ }
+ raw_cons = NEXT_RAW_CMP(raw_cons);
+
+- if (rx_pkts == budget)
++ if (rx_pkts && rx_pkts == budget)
+ break;
+ }
+
+@@ -1404,8 +1407,12 @@ static int bnxt_poll(struct napi_struct
+ while (1) {
+ work_done += bnxt_poll_work(bp, bnapi, budget - work_done);
+
+- if (work_done >= budget)
++ if (work_done >= budget) {
++ if (!budget)
++ BNXT_CP_DB_REARM(cpr->cp_doorbell,
++ cpr->cp_raw_cons);
+ break;
++ }
+
+ if (!bnxt_has_work(bp, cpr)) {
+ napi_complete(napi);
--- /dev/null
+From foo@baz Tue Oct 16 16:47:53 CEST 2018
+From: Mahesh Bandewar <maheshb@google.com>
+Date: Mon, 24 Sep 2018 14:40:11 -0700
+Subject: bonding: avoid possible dead-lock
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+[ Upstream commit d4859d749aa7090ffb743d15648adb962a1baeae ]
+
+Syzkaller reported this on a slightly older kernel but it's still
+applicable to the current kernel -
+
+======================================================
+WARNING: possible circular locking dependency detected
+4.18.0-next-20180823+ #46 Not tainted
+------------------------------------------------------
+syz-executor4/26841 is trying to acquire lock:
+00000000dd41ef48 ((wq_completion)bond_dev->name){+.+.}, at: flush_workqueue+0x2db/0x1e10 kernel/workqueue.c:2652
+
+but task is already holding lock:
+00000000768ab431 (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:77 [inline]
+00000000768ab431 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x412/0xc30 net/core/rtnetlink.c:4708
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #2 (rtnl_mutex){+.+.}:
+ __mutex_lock_common kernel/locking/mutex.c:925 [inline]
+ __mutex_lock+0x171/0x1700 kernel/locking/mutex.c:1073
+ mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1088
+ rtnl_lock+0x17/0x20 net/core/rtnetlink.c:77
+ bond_netdev_notify drivers/net/bonding/bond_main.c:1310 [inline]
+ bond_netdev_notify_work+0x44/0xd0 drivers/net/bonding/bond_main.c:1320
+ process_one_work+0xc73/0x1aa0 kernel/workqueue.c:2153
+ worker_thread+0x189/0x13c0 kernel/workqueue.c:2296
+ kthread+0x35a/0x420 kernel/kthread.c:246
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415
+
+-> #1 ((work_completion)(&(&nnw->work)->work)){+.+.}:
+ process_one_work+0xc0b/0x1aa0 kernel/workqueue.c:2129
+ worker_thread+0x189/0x13c0 kernel/workqueue.c:2296
+ kthread+0x35a/0x420 kernel/kthread.c:246
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415
+
+-> #0 ((wq_completion)bond_dev->name){+.+.}:
+ lock_acquire+0x1e4/0x4f0 kernel/locking/lockdep.c:3901
+ flush_workqueue+0x30a/0x1e10 kernel/workqueue.c:2655
+ drain_workqueue+0x2a9/0x640 kernel/workqueue.c:2820
+ destroy_workqueue+0xc6/0x9d0 kernel/workqueue.c:4155
+ __alloc_workqueue_key+0xef9/0x1190 kernel/workqueue.c:4138
+ bond_init+0x269/0x940 drivers/net/bonding/bond_main.c:4734
+ register_netdevice+0x337/0x1100 net/core/dev.c:8410
+ bond_newlink+0x49/0xa0 drivers/net/bonding/bond_netlink.c:453
+ rtnl_newlink+0xef4/0x1d50 net/core/rtnetlink.c:3099
+ rtnetlink_rcv_msg+0x46e/0xc30 net/core/rtnetlink.c:4711
+ netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2454
+ rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:4729
+ netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+ netlink_unicast+0x5a0/0x760 net/netlink/af_netlink.c:1343
+ netlink_sendmsg+0xa18/0xfc0 net/netlink/af_netlink.c:1908
+ sock_sendmsg_nosec net/socket.c:622 [inline]
+ sock_sendmsg+0xd5/0x120 net/socket.c:632
+ ___sys_sendmsg+0x7fd/0x930 net/socket.c:2115
+ __sys_sendmsg+0x11d/0x290 net/socket.c:2153
+ __do_sys_sendmsg net/socket.c:2162 [inline]
+ __se_sys_sendmsg net/socket.c:2160 [inline]
+ __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+other info that might help us debug this:
+
+Chain exists of:
+ (wq_completion)bond_dev->name --> (work_completion)(&(&nnw->work)->work) --> rtnl_mutex
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(rtnl_mutex);
+ lock((work_completion)(&(&nnw->work)->work));
+ lock(rtnl_mutex);
+ lock((wq_completion)bond_dev->name);
+
+ *** DEADLOCK ***
+
+1 lock held by syz-executor4/26841:
+
+stack backtrace:
+CPU: 1 PID: 26841 Comm: syz-executor4 Not tainted 4.18.0-next-20180823+ #46
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
+ print_circular_bug.isra.34.cold.55+0x1bd/0x27d kernel/locking/lockdep.c:1222
+ check_prev_add kernel/locking/lockdep.c:1862 [inline]
+ check_prevs_add kernel/locking/lockdep.c:1975 [inline]
+ validate_chain kernel/locking/lockdep.c:2416 [inline]
+ __lock_acquire+0x3449/0x5020 kernel/locking/lockdep.c:3412
+ lock_acquire+0x1e4/0x4f0 kernel/locking/lockdep.c:3901
+ flush_workqueue+0x30a/0x1e10 kernel/workqueue.c:2655
+ drain_workqueue+0x2a9/0x640 kernel/workqueue.c:2820
+ destroy_workqueue+0xc6/0x9d0 kernel/workqueue.c:4155
+ __alloc_workqueue_key+0xef9/0x1190 kernel/workqueue.c:4138
+ bond_init+0x269/0x940 drivers/net/bonding/bond_main.c:4734
+ register_netdevice+0x337/0x1100 net/core/dev.c:8410
+ bond_newlink+0x49/0xa0 drivers/net/bonding/bond_netlink.c:453
+ rtnl_newlink+0xef4/0x1d50 net/core/rtnetlink.c:3099
+ rtnetlink_rcv_msg+0x46e/0xc30 net/core/rtnetlink.c:4711
+ netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2454
+ rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:4729
+ netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+ netlink_unicast+0x5a0/0x760 net/netlink/af_netlink.c:1343
+ netlink_sendmsg+0xa18/0xfc0 net/netlink/af_netlink.c:1908
+ sock_sendmsg_nosec net/socket.c:622 [inline]
+ sock_sendmsg+0xd5/0x120 net/socket.c:632
+ ___sys_sendmsg+0x7fd/0x930 net/socket.c:2115
+ __sys_sendmsg+0x11d/0x290 net/socket.c:2153
+ __do_sys_sendmsg net/socket.c:2162 [inline]
+ __se_sys_sendmsg net/socket.c:2160 [inline]
+ __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2160
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x457089
+Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f2df20a5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f2df20a66d4 RCX: 0000000000457089
+RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
+RBP: 0000000000930140 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000004d40b8 R14: 00000000004c8ad8 R15: 0000000000000001
+
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 43 +++++++++++++++-------------------------
+ include/net/bonding.h | 7 ------
+ 2 files changed, 18 insertions(+), 32 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -216,6 +216,7 @@ static struct rtnl_link_stats64 *bond_ge
+ static void bond_slave_arr_handler(struct work_struct *work);
+ static bool bond_time_in_interval(struct bonding *bond, unsigned long last_act,
+ int mod);
++static void bond_netdev_notify_work(struct work_struct *work);
+
+ /*---------------------------- General routines -----------------------------*/
+
+@@ -1237,6 +1238,8 @@ static struct slave *bond_alloc_slave(st
+ return NULL;
+ }
+ }
++ INIT_DELAYED_WORK(&slave->notify_work, bond_netdev_notify_work);
++
+ return slave;
+ }
+
+@@ -1244,6 +1247,7 @@ static void bond_free_slave(struct slave
+ {
+ struct bonding *bond = bond_get_bond_by_slave(slave);
+
++ cancel_delayed_work_sync(&slave->notify_work);
+ if (BOND_MODE(bond) == BOND_MODE_8023AD)
+ kfree(SLAVE_AD_INFO(slave));
+
+@@ -1265,39 +1269,26 @@ static void bond_fill_ifslave(struct sla
+ info->link_failure_count = slave->link_failure_count;
+ }
+
+-static void bond_netdev_notify(struct net_device *dev,
+- struct netdev_bonding_info *info)
+-{
+- rtnl_lock();
+- netdev_bonding_info_change(dev, info);
+- rtnl_unlock();
+-}
+-
+ static void bond_netdev_notify_work(struct work_struct *_work)
+ {
+- struct netdev_notify_work *w =
+- container_of(_work, struct netdev_notify_work, work.work);
++ struct slave *slave = container_of(_work, struct slave,
++ notify_work.work);
++
++ if (rtnl_trylock()) {
++ struct netdev_bonding_info binfo;
+
+- bond_netdev_notify(w->dev, &w->bonding_info);
+- dev_put(w->dev);
+- kfree(w);
++ bond_fill_ifslave(slave, &binfo.slave);
++ bond_fill_ifbond(slave->bond, &binfo.master);
++ netdev_bonding_info_change(slave->dev, &binfo);
++ rtnl_unlock();
++ } else {
++ queue_delayed_work(slave->bond->wq, &slave->notify_work, 1);
++ }
+ }
+
+ void bond_queue_slave_event(struct slave *slave)
+ {
+- struct bonding *bond = slave->bond;
+- struct netdev_notify_work *nnw = kzalloc(sizeof(*nnw), GFP_ATOMIC);
+-
+- if (!nnw)
+- return;
+-
+- dev_hold(slave->dev);
+- nnw->dev = slave->dev;
+- bond_fill_ifslave(slave, &nnw->bonding_info.slave);
+- bond_fill_ifbond(bond, &nnw->bonding_info.master);
+- INIT_DELAYED_WORK(&nnw->work, bond_netdev_notify_work);
+-
+- queue_delayed_work(slave->bond->wq, &nnw->work, 0);
++ queue_delayed_work(slave->bond->wq, &slave->notify_work, 0);
+ }
+
+ /* enslave device <slave> to bond device <master> */
+--- a/include/net/bonding.h
++++ b/include/net/bonding.h
+@@ -146,12 +146,6 @@ struct bond_parm_tbl {
+ int mode;
+ };
+
+-struct netdev_notify_work {
+- struct delayed_work work;
+- struct net_device *dev;
+- struct netdev_bonding_info bonding_info;
+-};
+-
+ struct slave {
+ struct net_device *dev; /* first - useful for panic debug */
+ struct bonding *bond; /* our master */
+@@ -177,6 +171,7 @@ struct slave {
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+ struct netpoll *np;
+ #endif
++ struct delayed_work notify_work;
+ struct kobject kobj;
+ struct rtnl_link_stats64 slave_stats;
+ };
--- /dev/null
+From foo@baz Tue Oct 16 16:47:53 CEST 2018
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Wed, 19 Sep 2018 15:02:07 +0200
+Subject: ip6_tunnel: be careful when accessing the inner header
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 76c0ddd8c3a683f6e2c6e60e11dc1a1558caf4bc ]
+
+the ip6 tunnel xmit ndo assumes that the processed skb always
+contains an ip[v6] header, but syzbot has found a way to send
+frames that fall short of this assumption, leading to the following splat:
+
+BUG: KMSAN: uninit-value in ip6ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1307
+[inline]
+BUG: KMSAN: uninit-value in ip6_tnl_start_xmit+0x7d2/0x1ef0
+net/ipv6/ip6_tunnel.c:1390
+CPU: 0 PID: 4504 Comm: syz-executor558 Not tainted 4.16.0+ #87
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
+ ip6ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1307 [inline]
+ ip6_tnl_start_xmit+0x7d2/0x1ef0 net/ipv6/ip6_tunnel.c:1390
+ __netdev_start_xmit include/linux/netdevice.h:4066 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4075 [inline]
+ xmit_one net/core/dev.c:3026 [inline]
+ dev_hard_start_xmit+0x5f1/0xc70 net/core/dev.c:3042
+ __dev_queue_xmit+0x27ee/0x3520 net/core/dev.c:3557
+ dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
+ packet_snd net/packet/af_packet.c:2944 [inline]
+ packet_sendmsg+0x7c70/0x8a30 net/packet/af_packet.c:2969
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmmsg+0x42d/0x800 net/socket.c:2136
+ SYSC_sendmmsg+0xc4/0x110 net/socket.c:2167
+ SyS_sendmmsg+0x63/0x90 net/socket.c:2162
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x441819
+RSP: 002b:00007ffe58ee8268 EFLAGS: 00000213 ORIG_RAX: 0000000000000133
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441819
+RDX: 0000000000000002 RSI: 0000000020000100 RDI: 0000000000000003
+RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000402510
+R13: 00000000004025a0 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
+ slab_post_alloc_hook mm/slab.h:445 [inline]
+ slab_alloc_node mm/slub.c:2737 [inline]
+ __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:984 [inline]
+ alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
+ sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
+ packet_alloc_skb net/packet/af_packet.c:2803 [inline]
+ packet_snd net/packet/af_packet.c:2894 [inline]
+ packet_sendmsg+0x6454/0x8a30 net/packet/af_packet.c:2969
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmmsg+0x42d/0x800 net/socket.c:2136
+ SYSC_sendmmsg+0xc4/0x110 net/socket.c:2167
+ SyS_sendmmsg+0x63/0x90 net/socket.c:2162
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+This change addresses the issue adding the needed check before
+accessing the inner header.
+
+The ipv4 side of the issue is apparently there since the ipv4 over ipv6
+initial support, and the ipv6 side predates git history.
+
+Fixes: c4d3efafcc93 ("[IPV6] IP6TUNNEL: Add support to IPv4 over IPv6 tunnel.")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+3fde91d4d394747d6db4@syzkaller.appspotmail.com
+Tested-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1096,7 +1096,7 @@ static inline int
+ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct ip6_tnl *t = netdev_priv(dev);
+- const struct iphdr *iph = ip_hdr(skb);
++ const struct iphdr *iph;
+ int encap_limit = -1;
+ struct flowi6 fl6;
+ __u8 dsfield;
+@@ -1104,6 +1104,11 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, str
+ u8 tproto;
+ int err;
+
++ /* ensure we can access the full inner ip header */
++ if (!pskb_may_pull(skb, sizeof(struct iphdr)))
++ return -1;
++
++ iph = ip_hdr(skb);
+ memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
+
+ tproto = ACCESS_ONCE(t->parms.proto);
+@@ -1140,7 +1145,7 @@ static inline int
+ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct ip6_tnl *t = netdev_priv(dev);
+- struct ipv6hdr *ipv6h = ipv6_hdr(skb);
++ struct ipv6hdr *ipv6h;
+ int encap_limit = -1;
+ __u16 offset;
+ struct flowi6 fl6;
+@@ -1149,6 +1154,10 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, str
+ u8 tproto;
+ int err;
+
++ if (unlikely(!pskb_may_pull(skb, sizeof(*ipv6h))))
++ return -1;
++
++ ipv6h = ipv6_hdr(skb);
+ tproto = ACCESS_ONCE(t->parms.proto);
+ if ((tproto != IPPROTO_IPV6 && tproto != 0) ||
+ ip6_tnl_addr_conflict(t, ipv6h))
--- /dev/null
+From foo@baz Tue Oct 16 16:47:53 CEST 2018
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Mon, 24 Sep 2018 15:48:19 +0200
+Subject: ip_tunnel: be careful when accessing the inner header
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit ccfec9e5cb2d48df5a955b7bf47f7782157d3bc2]
+
+Cong noted that we need the same checks introduced by commit 76c0ddd8c3a6
+("ip6_tunnel: be careful when accessing the inner header")
+even for ipv4 tunnels.
+
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Suggested-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_tunnel.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -597,6 +597,7 @@ void ip_tunnel_xmit(struct sk_buff *skb,
+ const struct iphdr *tnl_params, u8 protocol)
+ {
+ struct ip_tunnel *tunnel = netdev_priv(dev);
++ unsigned int inner_nhdr_len = 0;
+ const struct iphdr *inner_iph;
+ struct flowi4 fl4;
+ u8 tos, ttl;
+@@ -607,6 +608,14 @@ void ip_tunnel_xmit(struct sk_buff *skb,
+ int err;
+ bool connected;
+
++ /* ensure we can access the inner net header, for several users below */
++ if (skb->protocol == htons(ETH_P_IP))
++ inner_nhdr_len = sizeof(struct iphdr);
++ else if (skb->protocol == htons(ETH_P_IPV6))
++ inner_nhdr_len = sizeof(struct ipv6hdr);
++ if (unlikely(!pskb_may_pull(skb, inner_nhdr_len)))
++ goto tx_error;
++
+ inner_iph = (const struct iphdr *)skb_inner_network_header(skb);
+ connected = (tunnel->parms.iph.daddr != 0);
+
--- /dev/null
+From foo@baz Tue Oct 16 16:47:53 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 30 Sep 2018 11:33:39 -0700
+Subject: ipv4: fix use-after-free in ip_cmsg_recv_dstaddr()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 64199fc0a46ba211362472f7f942f900af9492fd ]
+
+Caching ip_hdr(skb) before a call to pskb_may_pull() is buggy,
+do not do it.
+
+Fixes: 2efd4fca703a ("ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_sockglue.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/ipv4/ip_sockglue.c
++++ b/net/ipv4/ip_sockglue.c
+@@ -134,7 +134,6 @@ static void ip_cmsg_recv_security(struct
+ static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
+ {
+ struct sockaddr_in sin;
+- const struct iphdr *iph = ip_hdr(skb);
+ __be16 *ports;
+ int end;
+
+@@ -149,7 +148,7 @@ static void ip_cmsg_recv_dstaddr(struct
+ ports = (__be16 *)skb_transport_header(skb);
+
+ sin.sin_family = AF_INET;
+- sin.sin_addr.s_addr = iph->daddr;
++ sin.sin_addr.s_addr = ip_hdr(skb)->daddr;
+ sin.sin_port = ports[1];
+ memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
+
--- /dev/null
+From foo@baz Tue Oct 16 16:47:53 CEST 2018
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Tue, 9 Oct 2018 17:48:14 +0200
+Subject: net: ipv4: update fnhe_pmtu when first hop's MTU changes
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit af7d6cce53694a88d6a1bb60c9a239a6a5144459 ]
+
+Since commit 5aad1de5ea2c ("ipv4: use separate genid for next hop
+exceptions"), exceptions get deprecated separately from cached
+routes. In particular, administrative changes don't clear PMTU anymore.
+
+As Stefano described in commit e9fa1495d738 ("ipv6: Reflect MTU changes
+on PMTU of exceptions for MTU-less routes"), the PMTU discovered before
+the local MTU change can become stale:
+ - if the local MTU is now lower than the PMTU, that PMTU is now
+ incorrect
+ - if the local MTU was the lowest value in the path, and is increased,
+ we might discover a higher PMTU
+
+Similarly to what commit e9fa1495d738 did for IPv6, update PMTU in those
+cases.
+
+If the exception was locked, the discovered PMTU was smaller than the
+minimal accepted PMTU. In that case, if the new local MTU is smaller
+than the current PMTU, let PMTU discovery figure out if locking of the
+exception is still needed.
+
+To do this, we need to know the old link MTU in the NETDEV_CHANGEMTU
+notifier. By the time the notifier is called, dev->mtu has been
+changed. This patch adds the old MTU as additional information in the
+notifier structure, and a new call_netdevice_notifiers_u32() function.
+
+Fixes: 5aad1de5ea2c ("ipv4: use separate genid for next hop exceptions")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdevice.h | 7 ++++++
+ include/net/ip_fib.h | 1
+ net/core/dev.c | 28 +++++++++++++++++++++++--
+ net/ipv4/fib_frontend.c | 12 +++++++----
+ net/ipv4/fib_semantics.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 92 insertions(+), 6 deletions(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -2168,6 +2168,13 @@ struct netdev_notifier_info {
+ struct net_device *dev;
+ };
+
++struct netdev_notifier_info_ext {
++ struct netdev_notifier_info info; /* must be first */
++ union {
++ u32 mtu;
++ } ext;
++};
++
+ struct netdev_notifier_change_info {
+ struct netdev_notifier_info info; /* must be first */
+ unsigned int flags_changed;
+--- a/include/net/ip_fib.h
++++ b/include/net/ip_fib.h
+@@ -322,6 +322,7 @@ int ip_fib_check_default(__be32 gw, stru
+ int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force);
+ int fib_sync_down_addr(struct net *net, __be32 local);
+ int fib_sync_up(struct net_device *dev, unsigned int nh_flags);
++void fib_sync_mtu(struct net_device *dev, u32 orig_mtu);
+
+ extern u32 fib_multipath_secret __read_mostly;
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -1660,6 +1660,28 @@ int call_netdevice_notifiers(unsigned lo
+ }
+ EXPORT_SYMBOL(call_netdevice_notifiers);
+
++/**
++ * call_netdevice_notifiers_mtu - call all network notifier blocks
++ * @val: value passed unmodified to notifier function
++ * @dev: net_device pointer passed unmodified to notifier function
++ * @arg: additional u32 argument passed to the notifier function
++ *
++ * Call all network notifier blocks. Parameters and return value
++ * are as for raw_notifier_call_chain().
++ */
++static int call_netdevice_notifiers_mtu(unsigned long val,
++ struct net_device *dev, u32 arg)
++{
++ struct netdev_notifier_info_ext info = {
++ .info.dev = dev,
++ .ext.mtu = arg,
++ };
++
++ BUILD_BUG_ON(offsetof(struct netdev_notifier_info_ext, info) != 0);
++
++ return call_netdevice_notifiers_info(val, dev, &info.info);
++}
++
+ #ifdef CONFIG_NET_INGRESS
+ static struct static_key ingress_needed __read_mostly;
+
+@@ -6134,14 +6156,16 @@ int dev_set_mtu(struct net_device *dev,
+ err = __dev_set_mtu(dev, new_mtu);
+
+ if (!err) {
+- err = call_netdevice_notifiers(NETDEV_CHANGEMTU, dev);
++ err = call_netdevice_notifiers_mtu(NETDEV_CHANGEMTU, dev,
++ orig_mtu);
+ err = notifier_to_errno(err);
+ if (err) {
+ /* setting mtu back and notifying everyone again,
+ * so that they have a chance to revert changes.
+ */
+ __dev_set_mtu(dev, orig_mtu);
+- call_netdevice_notifiers(NETDEV_CHANGEMTU, dev);
++ call_netdevice_notifiers_mtu(NETDEV_CHANGEMTU, dev,
++ new_mtu);
+ }
+ }
+ return err;
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -1170,7 +1170,8 @@ static int fib_inetaddr_event(struct not
+ static int fib_netdev_event(struct notifier_block *this, unsigned long event, void *ptr)
+ {
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+- struct netdev_notifier_changeupper_info *info;
++ struct netdev_notifier_changeupper_info *upper_info = ptr;
++ struct netdev_notifier_info_ext *info_ext = ptr;
+ struct in_device *in_dev;
+ struct net *net = dev_net(dev);
+ unsigned int flags;
+@@ -1205,16 +1206,19 @@ static int fib_netdev_event(struct notif
+ fib_sync_up(dev, RTNH_F_LINKDOWN);
+ else
+ fib_sync_down_dev(dev, event, false);
+- /* fall through */
++ rt_cache_flush(net);
++ break;
+ case NETDEV_CHANGEMTU:
++ fib_sync_mtu(dev, info_ext->ext.mtu);
+ rt_cache_flush(net);
+ break;
+ case NETDEV_CHANGEUPPER:
+- info = ptr;
++ upper_info = ptr;
+ /* flush all routes if dev is linked to or unlinked from
+ * an L3 master device (e.g., VRF)
+ */
+- if (info->upper_dev && netif_is_l3_master(info->upper_dev))
++ if (upper_info->upper_dev &&
++ netif_is_l3_master(upper_info->upper_dev))
+ fib_disable_ip(dev, NETDEV_DOWN, true);
+ break;
+ }
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -1373,6 +1373,56 @@ int fib_sync_down_addr(struct net *net,
+ return ret;
+ }
+
++/* Update the PMTU of exceptions when:
++ * - the new MTU of the first hop becomes smaller than the PMTU
++ * - the old MTU was the same as the PMTU, and it limited discovery of
++ * larger MTUs on the path. With that limit raised, we can now
++ * discover larger MTUs
++ * A special case is locked exceptions, for which the PMTU is smaller
++ * than the minimal accepted PMTU:
++ * - if the new MTU is greater than the PMTU, don't make any change
++ * - otherwise, unlock and set PMTU
++ */
++static void nh_update_mtu(struct fib_nh *nh, u32 new, u32 orig)
++{
++ struct fnhe_hash_bucket *bucket;
++ int i;
++
++ bucket = rcu_dereference_protected(nh->nh_exceptions, 1);
++ if (!bucket)
++ return;
++
++ for (i = 0; i < FNHE_HASH_SIZE; i++) {
++ struct fib_nh_exception *fnhe;
++
++ for (fnhe = rcu_dereference_protected(bucket[i].chain, 1);
++ fnhe;
++ fnhe = rcu_dereference_protected(fnhe->fnhe_next, 1)) {
++ if (fnhe->fnhe_mtu_locked) {
++ if (new <= fnhe->fnhe_pmtu) {
++ fnhe->fnhe_pmtu = new;
++ fnhe->fnhe_mtu_locked = false;
++ }
++ } else if (new < fnhe->fnhe_pmtu ||
++ orig == fnhe->fnhe_pmtu) {
++ fnhe->fnhe_pmtu = new;
++ }
++ }
++ }
++}
++
++void fib_sync_mtu(struct net_device *dev, u32 orig_mtu)
++{
++ unsigned int hash = fib_devindex_hashfn(dev->ifindex);
++ struct hlist_head *head = &fib_info_devhash[hash];
++ struct fib_nh *nh;
++
++ hlist_for_each_entry(nh, head, nh_hash) {
++ if (nh->nh_dev == dev)
++ nh_update_mtu(nh, dev->mtu, orig_mtu);
++ }
++}
++
+ /* Event force Flags Description
+ * NETDEV_CHANGE 0 LINKDOWN Carrier OFF, not for scope host
+ * NETDEV_DOWN 0 LINKDOWN|DEAD Link down, not for scope host
--- /dev/null
+From foo@baz Tue Oct 16 16:47:53 CEST 2018
+From: Jeff Barnhill <0xeffeff@gmail.com>
+Date: Fri, 21 Sep 2018 00:45:27 +0000
+Subject: net/ipv6: Display all addresses in output of /proc/net/if_inet6
+
+From: Jeff Barnhill <0xeffeff@gmail.com>
+
+[ Upstream commit 86f9bd1ff61c413a2a251fa736463295e4e24733 ]
+
+The backend handling for /proc/net/if_inet6 in addrconf.c doesn't properly
+handle starting/stopping the iteration. The problem is that at some point
+during the iteration, an overflow is detected and the process is
+subsequently stopped. The item being shown via seq_printf() when the
+overflow occurs is not actually shown, though. When start() is
+subsequently called to resume iterating, it returns the next item, and
+thus the item that was being processed when the overflow occurred never
+gets printed.
+
+Alter the meaning of the private data member "offset". Currently, when it
+is not 0 (which only happens at the very beginning), "offset" represents
+the next hlist item to be printed. After this change, "offset" always
+represents the current item.
+
+This is also consistent with the private data member "bucket", which
+represents the current bucket, and also the use of "pos" as defined in
+seq_file.txt:
+ The pos passed to start() will always be either zero, or the most
+ recent pos used in the previous session.
+
+Signed-off-by: Jeff Barnhill <0xeffeff@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -3786,7 +3786,6 @@ static struct inet6_ifaddr *if6_get_firs
+ p++;
+ continue;
+ }
+- state->offset++;
+ return ifa;
+ }
+
+@@ -3810,13 +3809,12 @@ static struct inet6_ifaddr *if6_get_next
+ return ifa;
+ }
+
++ state->offset = 0;
+ while (++state->bucket < IN6_ADDR_HSIZE) {
+- state->offset = 0;
+ hlist_for_each_entry_rcu_bh(ifa,
+ &inet6_addr_lst[state->bucket], addr_lst) {
+ if (!net_eq(dev_net(ifa->idev->dev), net))
+ continue;
+- state->offset++;
+ return ifa;
+ }
+ }
--- /dev/null
+From foo@baz Tue Oct 16 16:15:55 CEST 2018
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Date: Fri, 5 Oct 2018 09:04:40 +0200
+Subject: net: mvpp2: Extract the correct ethtype from the skb for tx csum offload
+
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+
+[ Upstream commit 35f3625c21852ad839f20c91c7d81c4c1101e207 ]
+
+When offloading the L3 and L4 csum computation on TX, we need to extract
+the l3_proto from the ethtype, independently of the presence of a vlan
+tag.
+
+The actual driver uses skb->protocol as-is, resulting in packets with
+the wrong L4 checksum being sent when there's a vlan tag in the packet
+header and checksum offloading is enabled.
+
+This commit makes use of vlan_protocol_get() to get the correct ethtype
+regardless the presence of a vlan tag.
+
+Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit")
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvpp2.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvpp2.c
++++ b/drivers/net/ethernet/marvell/mvpp2.c
+@@ -29,6 +29,7 @@
+ #include <linux/clk.h>
+ #include <linux/hrtimer.h>
+ #include <linux/ktime.h>
++#include <linux/if_vlan.h>
+ #include <uapi/linux/ppp_defs.h>
+ #include <net/ip.h>
+ #include <net/ipv6.h>
+@@ -4268,7 +4269,7 @@ static void mvpp2_txq_desc_put(struct mv
+ }
+
+ /* Set Tx descriptors fields relevant for CSUM calculation */
+-static u32 mvpp2_txq_desc_csum(int l3_offs, int l3_proto,
++static u32 mvpp2_txq_desc_csum(int l3_offs, __be16 l3_proto,
+ int ip_hdr_len, int l4_proto)
+ {
+ u32 command;
+@@ -5032,14 +5033,15 @@ static u32 mvpp2_skb_tx_csum(struct mvpp
+ if (skb->ip_summed == CHECKSUM_PARTIAL) {
+ int ip_hdr_len = 0;
+ u8 l4_proto;
++ __be16 l3_proto = vlan_get_protocol(skb);
+
+- if (skb->protocol == htons(ETH_P_IP)) {
++ if (l3_proto == htons(ETH_P_IP)) {
+ struct iphdr *ip4h = ip_hdr(skb);
+
+ /* Calculate IPv4 checksum and L4 checksum */
+ ip_hdr_len = ip4h->ihl;
+ l4_proto = ip4h->protocol;
+- } else if (skb->protocol == htons(ETH_P_IPV6)) {
++ } else if (l3_proto == htons(ETH_P_IPV6)) {
+ struct ipv6hdr *ip6h = ipv6_hdr(skb);
+
+ /* Read l4_protocol from one of IPv6 extra headers */
+@@ -5051,7 +5053,7 @@ static u32 mvpp2_skb_tx_csum(struct mvpp
+ }
+
+ return mvpp2_txq_desc_csum(skb_network_offset(skb),
+- skb->protocol, ip_hdr_len, l4_proto);
++ l3_proto, ip_hdr_len, l4_proto);
+ }
+
+ return MVPP2_TXD_L4_CSUM_NOT | MVPP2_TXD_IP_CSUM_DISABLE;
--- /dev/null
+From foo@baz Tue Oct 16 16:15:55 CEST 2018
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Tue, 2 Oct 2018 16:52:03 -0700
+Subject: net: systemport: Fix wake-up interrupt race during resume
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 45ec318578c0c22a11f5b9927d064418e1ab1905 ]
+
+The AON_PM_L2 is normally used to trigger and identify the source of a
+wake-up event. Since the RX_SYS clock is no longer turned off, we also
+have an interrupt being sent to the SYSTEMPORT INTRL_2_0 controller, and
+that interrupt remains active up until the magic packet detector is
+disabled which happens much later during the driver resumption.
+
+The race happens if we have a CPU that is entering the SYSTEMPORT
+INTRL2_0 handler during resume, and another CPU has managed to clear the
+wake-up interrupt during bcm_sysport_resume_from_wol(). In that case, we
+have the first CPU stuck in the interrupt handler with an interrupt
+cause that has been cleared under its feet, and so we keep returning
+IRQ_NONE and we never make any progress.
+
+This was not a problem before because we would always turn off the
+RX_SYS clock during WoL, so the SYSTEMPORT INTRL2_0 would also be turned
+off as well, thus not latching the interrupt.
+
+The fix is to make sure we do not enable either the MPD or
+BRCM_TAG_MATCH interrupts since those are redundant with what the
+AON_PM_L2 interrupt controller already processes and they would cause
+such a race to occur.
+
+Fixes: bb9051a2b230 ("net: systemport: Add support for WAKE_FILTER")
+Fixes: 83e82f4c706b ("net: systemport: add Wake-on-LAN support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -850,14 +850,22 @@ static void bcm_sysport_resume_from_wol(
+ {
+ u32 reg;
+
+- /* Stop monitoring MPD interrupt */
+- intrl2_0_mask_set(priv, INTRL2_0_MPD);
+-
+ /* Clear the MagicPacket detection logic */
+ reg = umac_readl(priv, UMAC_MPD_CTRL);
+ reg &= ~MPD_EN;
+ umac_writel(priv, reg, UMAC_MPD_CTRL);
+
++ reg = intrl2_0_readl(priv, INTRL2_CPU_STATUS);
++ if (reg & INTRL2_0_MPD)
++ netdev_info(priv->netdev, "Wake-on-LAN (MPD) interrupt!\n");
++
++ if (reg & INTRL2_0_BRCM_MATCH_TAG) {
++ reg = rxchk_readl(priv, RXCHK_BRCM_TAG_MATCH_STATUS) &
++ RXCHK_BRCM_TAG_MATCH_MASK;
++ netdev_info(priv->netdev,
++ "Wake-on-LAN (filters 0x%02x) interrupt!\n", reg);
++ }
++
+ netif_dbg(priv, wol, priv->netdev, "resumed from WOL\n");
+ }
+
+@@ -890,11 +898,6 @@ static irqreturn_t bcm_sysport_rx_isr(in
+ if (priv->irq0_stat & INTRL2_0_TX_RING_FULL)
+ bcm_sysport_tx_reclaim_all(priv);
+
+- if (priv->irq0_stat & INTRL2_0_MPD) {
+- netdev_info(priv->netdev, "Wake-on-LAN interrupt!\n");
+- bcm_sysport_resume_from_wol(priv);
+- }
+-
+ return IRQ_HANDLED;
+ }
+
+@@ -1915,9 +1918,6 @@ static int bcm_sysport_suspend_to_wol(st
+ /* UniMAC receive needs to be turned on */
+ umac_enable_set(priv, CMD_RX_EN, 1);
+
+- /* Enable the interrupt wake-up source */
+- intrl2_0_mask_clear(priv, INTRL2_0_MPD);
+-
+ netif_dbg(priv, wol, ndev, "entered WOL mode\n");
+
+ return 0;
--- /dev/null
+From foo@baz Tue Oct 16 16:47:53 CEST 2018
+From: Yu Zhao <yuzhao@google.com>
+Date: Fri, 28 Sep 2018 17:04:30 -0600
+Subject: net/usb: cancel pending work when unbinding smsc75xx
+
+From: Yu Zhao <yuzhao@google.com>
+
+[ Upstream commit f7b2a56e1f3dcbdb4cf09b2b63e859ffe0e09df8 ]
+
+Cancel pending work before freeing smsc75xx private data structure
+during binding. This fixes the following crash in the driver:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
+IP: mutex_lock+0x2b/0x3f
+<snipped>
+Workqueue: events smsc75xx_deferred_multicast_write [smsc75xx]
+task: ffff8caa83e85700 task.stack: ffff948b80518000
+RIP: 0010:mutex_lock+0x2b/0x3f
+<snipped>
+Call Trace:
+ smsc75xx_deferred_multicast_write+0x40/0x1af [smsc75xx]
+ process_one_work+0x18d/0x2fc
+ worker_thread+0x1a2/0x269
+ ? pr_cont_work+0x58/0x58
+ kthread+0xfa/0x10a
+ ? pr_cont_work+0x58/0x58
+ ? rcu_read_unlock_sched_notrace+0x48/0x48
+ ret_from_fork+0x22/0x40
+
+Signed-off-by: Yu Zhao <yuzhao@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/smsc75xx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -1506,6 +1506,7 @@ static void smsc75xx_unbind(struct usbne
+ {
+ struct smsc75xx_priv *pdata = (struct smsc75xx_priv *)(dev->data[0]);
+ if (pdata) {
++ cancel_work_sync(&pdata->set_multicast);
+ netif_dbg(dev, ifdown, dev->net, "free pdata\n");
+ kfree(pdata);
+ pdata = NULL;
--- /dev/null
+From foo@baz Tue Oct 16 16:47:53 CEST 2018
+From: Sean Tranchetti <stranche@codeaurora.org>
+Date: Thu, 20 Sep 2018 14:29:45 -0600
+Subject: netlabel: check for IPV4MASK in addrinfo_get
+
+From: Sean Tranchetti <stranche@codeaurora.org>
+
+[ Upstream commit f88b4c01b97e09535505cf3c327fdbce55c27f00 ]
+
+netlbl_unlabel_addrinfo_get() assumes that if it finds the
+NLBL_UNLABEL_A_IPV4ADDR attribute, it must also have the
+NLBL_UNLABEL_A_IPV4MASK attribute as well. However, this is
+not necessarily the case as the current checks in
+netlbl_unlabel_staticadd() and friends are not sufficent to
+enforce this.
+
+If passed a netlink message with NLBL_UNLABEL_A_IPV4ADDR,
+NLBL_UNLABEL_A_IPV6ADDR, and NLBL_UNLABEL_A_IPV6MASK attributes,
+these functions will all call netlbl_unlabel_addrinfo_get() which
+will then attempt dereference NULL when fetching the non-existent
+NLBL_UNLABEL_A_IPV4MASK attribute:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0
+Process unlab (pid: 31762, stack limit = 0xffffff80502d8000)
+Call trace:
+ netlbl_unlabel_addrinfo_get+0x44/0xd8
+ netlbl_unlabel_staticremovedef+0x98/0xe0
+ genl_rcv_msg+0x354/0x388
+ netlink_rcv_skb+0xac/0x118
+ genl_rcv+0x34/0x48
+ netlink_unicast+0x158/0x1f0
+ netlink_sendmsg+0x32c/0x338
+ sock_sendmsg+0x44/0x60
+ ___sys_sendmsg+0x1d0/0x2a8
+ __sys_sendmsg+0x64/0xb4
+ SyS_sendmsg+0x34/0x4c
+ el0_svc_naked+0x34/0x38
+Code: 51001149 7100113f 540000a0 f9401508 (79400108)
+---[ end trace f6438a488e737143 ]---
+Kernel panic - not syncing: Fatal exception
+
+Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlabel/netlabel_unlabeled.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netlabel/netlabel_unlabeled.c
++++ b/net/netlabel/netlabel_unlabeled.c
+@@ -787,7 +787,8 @@ static int netlbl_unlabel_addrinfo_get(s
+ {
+ u32 addr_len;
+
+- if (info->attrs[NLBL_UNLABEL_A_IPV4ADDR]) {
++ if (info->attrs[NLBL_UNLABEL_A_IPV4ADDR] &&
++ info->attrs[NLBL_UNLABEL_A_IPV4MASK]) {
+ addr_len = nla_len(info->attrs[NLBL_UNLABEL_A_IPV4ADDR]);
+ if (addr_len != sizeof(struct in_addr) &&
+ addr_len != nla_len(info->attrs[NLBL_UNLABEL_A_IPV4MASK]))
--- /dev/null
+From foo@baz Tue Oct 16 16:47:53 CEST 2018
+From: Shahed Shaikh <shahed.shaikh@cavium.com>
+Date: Wed, 26 Sep 2018 12:41:10 -0700
+Subject: qlcnic: fix Tx descriptor corruption on 82xx devices
+
+From: Shahed Shaikh <shahed.shaikh@cavium.com>
+
+[ Upstream commit c333fa0c4f220f8f7ea5acd6b0ebf3bf13fd684d ]
+
+In regular NIC transmission flow, driver always configures MAC using
+Tx queue zero descriptor as a part of MAC learning flow.
+But with multi Tx queue supported NIC, regular transmission can occur on
+any non-zero Tx queue and from that context it uses
+Tx queue zero descriptor to configure MAC, at the same time TX queue
+zero could be used by another CPU for regular transmission
+which could lead to Tx queue zero descriptor corruption and cause FW
+abort.
+
+This patch fixes this in such a way that driver always configures
+learned MAC address from the same Tx queue which is used for
+regular transmission.
+
+Fixes: 7e2cf4feba05 ("qlcnic: change driver hardware interface mechanism")
+Signed-off-by: Shahed Shaikh <shahed.shaikh@cavium.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic.h | 8 +++++---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 3 ++-
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.h | 3 ++-
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.h | 3 ++-
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c | 12 ++++++------
+ 5 files changed, 17 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h
+@@ -1802,7 +1802,8 @@ struct qlcnic_hardware_ops {
+ int (*config_loopback) (struct qlcnic_adapter *, u8);
+ int (*clear_loopback) (struct qlcnic_adapter *, u8);
+ int (*config_promisc_mode) (struct qlcnic_adapter *, u32);
+- void (*change_l2_filter) (struct qlcnic_adapter *, u64 *, u16);
++ void (*change_l2_filter)(struct qlcnic_adapter *adapter, u64 *addr,
++ u16 vlan, struct qlcnic_host_tx_ring *tx_ring);
+ int (*get_board_info) (struct qlcnic_adapter *);
+ void (*set_mac_filter_count) (struct qlcnic_adapter *);
+ void (*free_mac_list) (struct qlcnic_adapter *);
+@@ -2044,9 +2045,10 @@ static inline int qlcnic_nic_set_promisc
+ }
+
+ static inline void qlcnic_change_filter(struct qlcnic_adapter *adapter,
+- u64 *addr, u16 id)
++ u64 *addr, u16 vlan,
++ struct qlcnic_host_tx_ring *tx_ring)
+ {
+- adapter->ahw->hw_ops->change_l2_filter(adapter, addr, id);
++ adapter->ahw->hw_ops->change_l2_filter(adapter, addr, vlan, tx_ring);
+ }
+
+ static inline int qlcnic_get_board_info(struct qlcnic_adapter *adapter)
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+@@ -2132,7 +2132,8 @@ out:
+ }
+
+ void qlcnic_83xx_change_l2_filter(struct qlcnic_adapter *adapter, u64 *addr,
+- u16 vlan_id)
++ u16 vlan_id,
++ struct qlcnic_host_tx_ring *tx_ring)
+ {
+ u8 mac[ETH_ALEN];
+ memcpy(&mac, addr, ETH_ALEN);
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.h
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.h
+@@ -550,7 +550,8 @@ int qlcnic_83xx_wrt_reg_indirect(struct
+ int qlcnic_83xx_nic_set_promisc(struct qlcnic_adapter *, u32);
+ int qlcnic_83xx_config_hw_lro(struct qlcnic_adapter *, int);
+ int qlcnic_83xx_config_rss(struct qlcnic_adapter *, int);
+-void qlcnic_83xx_change_l2_filter(struct qlcnic_adapter *, u64 *, u16);
++void qlcnic_83xx_change_l2_filter(struct qlcnic_adapter *adapter, u64 *addr,
++ u16 vlan, struct qlcnic_host_tx_ring *ring);
+ int qlcnic_83xx_get_pci_info(struct qlcnic_adapter *, struct qlcnic_pci_info *);
+ int qlcnic_83xx_set_nic_info(struct qlcnic_adapter *, struct qlcnic_info *);
+ void qlcnic_83xx_initialize_nic(struct qlcnic_adapter *, int);
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.h
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.h
+@@ -173,7 +173,8 @@ int qlcnic_82xx_napi_add(struct qlcnic_a
+ struct net_device *netdev);
+ void qlcnic_82xx_get_beacon_state(struct qlcnic_adapter *);
+ void qlcnic_82xx_change_filter(struct qlcnic_adapter *adapter,
+- u64 *uaddr, u16 vlan_id);
++ u64 *uaddr, u16 vlan_id,
++ struct qlcnic_host_tx_ring *tx_ring);
+ int qlcnic_82xx_config_intr_coalesce(struct qlcnic_adapter *,
+ struct ethtool_coalesce *);
+ int qlcnic_82xx_set_rx_coalesce(struct qlcnic_adapter *);
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c
+@@ -269,13 +269,12 @@ static void qlcnic_add_lb_filter(struct
+ }
+
+ void qlcnic_82xx_change_filter(struct qlcnic_adapter *adapter, u64 *uaddr,
+- u16 vlan_id)
++ u16 vlan_id, struct qlcnic_host_tx_ring *tx_ring)
+ {
+ struct cmd_desc_type0 *hwdesc;
+ struct qlcnic_nic_req *req;
+ struct qlcnic_mac_req *mac_req;
+ struct qlcnic_vlan_req *vlan_req;
+- struct qlcnic_host_tx_ring *tx_ring = adapter->tx_ring;
+ u32 producer;
+ u64 word;
+
+@@ -302,7 +301,8 @@ void qlcnic_82xx_change_filter(struct ql
+
+ static void qlcnic_send_filter(struct qlcnic_adapter *adapter,
+ struct cmd_desc_type0 *first_desc,
+- struct sk_buff *skb)
++ struct sk_buff *skb,
++ struct qlcnic_host_tx_ring *tx_ring)
+ {
+ struct vlan_ethhdr *vh = (struct vlan_ethhdr *)(skb->data);
+ struct ethhdr *phdr = (struct ethhdr *)(skb->data);
+@@ -336,7 +336,7 @@ static void qlcnic_send_filter(struct ql
+ tmp_fil->vlan_id == vlan_id) {
+ if (jiffies > (QLCNIC_READD_AGE * HZ + tmp_fil->ftime))
+ qlcnic_change_filter(adapter, &src_addr,
+- vlan_id);
++ vlan_id, tx_ring);
+ tmp_fil->ftime = jiffies;
+ return;
+ }
+@@ -351,7 +351,7 @@ static void qlcnic_send_filter(struct ql
+ if (!fil)
+ return;
+
+- qlcnic_change_filter(adapter, &src_addr, vlan_id);
++ qlcnic_change_filter(adapter, &src_addr, vlan_id, tx_ring);
+ fil->ftime = jiffies;
+ fil->vlan_id = vlan_id;
+ memcpy(fil->faddr, &src_addr, ETH_ALEN);
+@@ -767,7 +767,7 @@ netdev_tx_t qlcnic_xmit_frame(struct sk_
+ }
+
+ if (adapter->drv_mac_learn)
+- qlcnic_send_filter(adapter, first_desc, skb);
++ qlcnic_send_filter(adapter, first_desc, skb, tx_ring);
+
+ tx_ring->tx_stats.tx_bytes += skb->len;
+ tx_ring->tx_stats.xmit_called++;
--- /dev/null
+From foo@baz Tue Oct 16 16:15:55 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 2 Oct 2018 15:47:35 -0700
+Subject: rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 0e1d6eca5113858ed2caea61a5adc03c595f6096 ]
+
+We have an impressive number of syzkaller bugs that are linked
+to the fact that syzbot was able to create a networking device
+with millions of TX (or RX) queues.
+
+Let's limit the number of RX/TX queues to 4096, this really should
+cover all known cases.
+
+A separate patch will add various cond_resched() in the loops
+handling sysfs entries at device creation and dismantle.
+
+Tested:
+
+lpaa6:~# ip link add gre-4097 numtxqueues 4097 numrxqueues 4097 type ip6gretap
+RTNETLINK answers: Invalid argument
+
+lpaa6:~# time ip link add gre-4096 numtxqueues 4096 numrxqueues 4096 type ip6gretap
+
+real 0m0.180s
+user 0m0.000s
+sys 0m0.107s
+
+Fixes: 76ff5cc91935 ("rtnl: allow to specify number of rx and tx queues on device creation")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -2116,6 +2116,12 @@ struct net_device *rtnl_create_link(stru
+ else if (ops->get_num_rx_queues)
+ num_rx_queues = ops->get_num_rx_queues();
+
++ if (num_tx_queues < 1 || num_tx_queues > 4096)
++ return ERR_PTR(-EINVAL);
++
++ if (num_rx_queues < 1 || num_rx_queues > 4096)
++ return ERR_PTR(-EINVAL);
++
+ err = -ENOMEM;
+ dev = alloc_netdev_mqs(ops->priv_size, ifname, name_assign_type,
+ ops->setup, num_tx_queues, num_rx_queues);
i2c-i2c-scmi-fix-for-i2c_smbus_write_block_data.patch
xhci-don-t-print-a-warning-when-setting-link-state-for-disabled-ports.patch
jffs2-return-erange-when-xattr-buffer-is-too-small.patch
+bnxt_en-fix-tx-timeout-during-netpoll.patch
+bonding-avoid-possible-dead-lock.patch
+ip6_tunnel-be-careful-when-accessing-the-inner-header.patch
+ip_tunnel-be-careful-when-accessing-the-inner-header.patch
+ipv4-fix-use-after-free-in-ip_cmsg_recv_dstaddr.patch
+net-ipv4-update-fnhe_pmtu-when-first-hop-s-mtu-changes.patch
+net-ipv6-display-all-addresses-in-output-of-proc-net-if_inet6.patch
+netlabel-check-for-ipv4mask-in-addrinfo_get.patch
+net-usb-cancel-pending-work-when-unbinding-smsc75xx.patch
+qlcnic-fix-tx-descriptor-corruption-on-82xx-devices.patch
+team-forbid-enslaving-team-device-to-itself.patch
+net-mvpp2-extract-the-correct-ethtype-from-the-skb-for-tx-csum-offload.patch
+net-systemport-fix-wake-up-interrupt-race-during-resume.patch
+rtnl-limit-ifla_num_tx_queues-and-ifla_num_rx_queues-to-4096.patch
--- /dev/null
+From foo@baz Tue Oct 16 16:47:53 CEST 2018
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Mon, 1 Oct 2018 12:21:59 +0300
+Subject: team: Forbid enslaving team device to itself
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 471b83bd8bbe4e89743683ef8ecb78f7029d8288 ]
+
+team's ndo_add_slave() acquires 'team->lock' and later tries to open the
+newly enslaved device via dev_open(). This emits a 'NETDEV_UP' event
+that causes the VLAN driver to add VLAN 0 on the team device. team's
+ndo_vlan_rx_add_vid() will also try to acquire 'team->lock' and
+deadlock.
+
+Fix this by checking early at the enslavement function that a team
+device is not being enslaved to itself.
+
+A similar check was added to the bond driver in commit 09a89c219baf
+("bonding: disallow enslaving a bond to itself").
+
+WARNING: possible recursive locking detected
+4.18.0-rc7+ #176 Not tainted
+--------------------------------------------
+syz-executor4/6391 is trying to acquire lock:
+(____ptrval____) (&team->lock){+.+.}, at: team_vlan_rx_add_vid+0x3b/0x1e0 drivers/net/team/team.c:1868
+
+but task is already holding lock:
+(____ptrval____) (&team->lock){+.+.}, at: team_add_slave+0xdb/0x1c30 drivers/net/team/team.c:1947
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&team->lock);
+ lock(&team->lock);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+2 locks held by syz-executor4/6391:
+ #0: (____ptrval____) (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:77 [inline]
+ #0: (____ptrval____) (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x412/0xc30 net/core/rtnetlink.c:4662
+ #1: (____ptrval____) (&team->lock){+.+.}, at: team_add_slave+0xdb/0x1c30 drivers/net/team/team.c:1947
+
+stack backtrace:
+CPU: 1 PID: 6391 Comm: syz-executor4 Not tainted 4.18.0-rc7+ #176
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
+ print_deadlock_bug kernel/locking/lockdep.c:1765 [inline]
+ check_deadlock kernel/locking/lockdep.c:1809 [inline]
+ validate_chain kernel/locking/lockdep.c:2405 [inline]
+ __lock_acquire.cold.64+0x1fb/0x486 kernel/locking/lockdep.c:3435
+ lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924
+ __mutex_lock_common kernel/locking/mutex.c:757 [inline]
+ __mutex_lock+0x176/0x1820 kernel/locking/mutex.c:894
+ mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:909
+ team_vlan_rx_add_vid+0x3b/0x1e0 drivers/net/team/team.c:1868
+ vlan_add_rx_filter_info+0x14a/0x1d0 net/8021q/vlan_core.c:210
+ __vlan_vid_add net/8021q/vlan_core.c:278 [inline]
+ vlan_vid_add+0x63e/0x9d0 net/8021q/vlan_core.c:308
+ vlan_device_event.cold.12+0x2a/0x2f net/8021q/vlan.c:381
+ notifier_call_chain+0x180/0x390 kernel/notifier.c:93
+ __raw_notifier_call_chain kernel/notifier.c:394 [inline]
+ raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
+ call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735
+ call_netdevice_notifiers net/core/dev.c:1753 [inline]
+ dev_open+0x173/0x1b0 net/core/dev.c:1433
+ team_port_add drivers/net/team/team.c:1219 [inline]
+ team_add_slave+0xa8b/0x1c30 drivers/net/team/team.c:1948
+ do_set_master+0x1c9/0x220 net/core/rtnetlink.c:2248
+ do_setlink+0xba4/0x3e10 net/core/rtnetlink.c:2382
+ rtnl_setlink+0x2a9/0x400 net/core/rtnetlink.c:2636
+ rtnetlink_rcv_msg+0x46e/0xc30 net/core/rtnetlink.c:4665
+ netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2455
+ rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:4683
+ netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
+ netlink_unicast+0x5a0/0x760 net/netlink/af_netlink.c:1343
+ netlink_sendmsg+0xa18/0xfd0 net/netlink/af_netlink.c:1908
+ sock_sendmsg_nosec net/socket.c:642 [inline]
+ sock_sendmsg+0xd5/0x120 net/socket.c:652
+ ___sys_sendmsg+0x7fd/0x930 net/socket.c:2126
+ __sys_sendmsg+0x11d/0x290 net/socket.c:2164
+ __do_sys_sendmsg net/socket.c:2173 [inline]
+ __se_sys_sendmsg net/socket.c:2171 [inline]
+ __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2171
+ do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x456b29
+Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f9706bf8c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f9706bf96d4 RCX: 0000000000456b29
+RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000004
+RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000004d3548 R14: 00000000004c8227 R15: 0000000000000000
+
+Fixes: 87002b03baab ("net: introduce vlan_vid_[add/del] and use them instead of direct [add/kill]_vid ndo calls")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-and-tested-by: syzbot+bd051aba086537515cdb@syzkaller.appspotmail.com
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1142,6 +1142,11 @@ static int team_port_add(struct team *te
+ return -EBUSY;
+ }
+
++ if (dev == port_dev) {
++ netdev_err(dev, "Cannot enslave team device to itself\n");
++ return -EINVAL;
++ }
++
+ if (port_dev->features & NETIF_F_VLAN_CHALLENGED &&
+ vlan_uses_dev(dev)) {
+ netdev_err(dev, "Device %s is VLAN challenged and team device has VLAN set up\n",
projects / thirdparty / kernel / stable-queue.git / commitdiff
