--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Sun, 22 May 2016 23:16:18 +0200
+Subject: bpf, inode: disallow userns mounts
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 612bacad78ba6d0a91166fc4487af114bac172a8 ]
+
+Follow-up to commit e27f4a942a0e ("bpf: Use mount_nodev not mount_ns
+to mount the bpf filesystem"), which removes the FS_USERNS_MOUNT flag.
+
+The original idea was to have a per mountns instance instead of a
+single global fs instance, but that didn't work out and we had to
+switch to mount_nodev() model. The intent of that middle ground was
+that we avoid users who don't play nice to create endless instances
+of bpf fs which are difficult to control and discover from an admin
+point of view, but at the same time it would have allowed us to be
+more flexible with regard to namespaces.
+
+Therefore, since we now did the switch to mount_nodev() as a fix
+where individual instances are created, we also need to remove userns
+mount flag along with it to avoid running into mentioned situation.
+I don't expect any breakage at this early point in time with removing
+the flag and we can revisit this later should the requirement for
+this come up with future users. This and commit e27f4a942a0e have
+been split to facilitate tracking should any of them run into the
+unlikely case of causing a regression.
+
+Fixes: b2197755b263 ("bpf: add support for persistent maps/progs")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/inode.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/kernel/bpf/inode.c
++++ b/kernel/bpf/inode.c
+@@ -386,7 +386,6 @@ static struct file_system_type bpf_fs_ty
+ .name = "bpf",
+ .mount = bpf_mount,
+ .kill_sb = kill_litter_super,
+- .fs_flags = FS_USERNS_MOUNT,
+ };
+
+ MODULE_ALIAS_FS("bpf");
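Review bot: With `.fs_flags` removed from `bpf_fs_type`, nothing in the initializer records that the absence of FS_USERNS_MOUNT is deliberate; a one-line comment above it saying that userns mounts are intentionally not allowed would keep a later cleanup from re-adding the flag. The message describes this as a follow-up to e27f4a942a0e, so the two need to land in the same release: with only the mount_nodev() switch applied, per-mount instances could still be created from user namespaces, which is the situation the message wants to avoid.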
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Sat, 4 Jun 2016 20:50:59 +0200
+Subject: bpf, trace: use READ_ONCE for retrieving file ptr
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 5b6c1b4d46b0dae4edea636a776d09f2064f4cd7 ]
+
+In bpf_perf_event_read() and bpf_perf_event_output(), we must use
+READ_ONCE() for fetching the struct file pointer, which could get
+updated concurrently, so we must prevent the compiler from potential
+refetching.
+
+We already do this with tail calls for fetching the related bpf_prog,
+but not so on stored perf events. Semantics for both are the same
+with regards to updates.
+
+Fixes: a43eec304259 ("bpf: introduce bpf_perf_event_output() helper")
+Fixes: 35578d798400 ("bpf: Implement function bpf_perf_event_read() that get the selected hardware PMU conuter")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/bpf_trace.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -194,7 +194,7 @@ static u64 bpf_perf_event_read(u64 r1, u
+ if (unlikely(index >= array->map.max_entries))
+ return -E2BIG;
+
+- file = (struct file *)array->ptrs[index];
++ file = READ_ONCE(array->ptrs[index]);
+ if (unlikely(!file))
+ return -ENOENT;
+
+@@ -238,7 +238,7 @@ static u64 bpf_perf_event_output(u64 r1,
+ if (unlikely(index >= array->map.max_entries))
+ return -E2BIG;
+
+- file = (struct file *)array->ptrs[index];
++ file = READ_ONCE(array->ptrs[index]);
+ if (unlikely(!file))
+ return -ENOENT;
+
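Review bot: The `(struct file *)` cast is dropped on the new `file = READ_ONCE(array->ptrs[index]);` line, here and in bpf_perf_event_read(), so the assignment now relies on the element type of `ptrs` converting implicitly; worth confirming that it is `void *`. READ_ONCE() only constrains the reader, so please also confirm that the update side the message refers to ("could get updated concurrently") stores the pointer with a single write; that code is not part of this diff. The fetch and NULL check are now identical in both helpers and could share a small inline helper.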
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Fri, 20 May 2016 17:22:48 -0500
+Subject: bpf: Use mount_nodev not mount_ns to mount the bpf filesystem
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+[ Upstream commit e27f4a942a0ee4b84567a3c6cfa84f273e55cbb7 ]
+
+While reviewing the filesystems that set FS_USERNS_MOUNT I spotted the
+bpf filesystem. Looking at the code I saw a broken usage of mount_ns
+with current->nsproxy->mnt_ns. As the code does not acquire a
+reference to the mount namespace it can not possibly be correct to
+store the mount namespace on the superblock as it does.
+
+Replace mount_ns with mount_nodev so that each mount of the bpf
+filesystem returns a distinct instance, and the code is not buggy.
+
+In discussion with Hannes Frederic Sowa it was reported that the use
+of mount_ns was an attempt to have one bpf instance per mount
+namespace, in an attempt to keep resources that pin resources from
+hiding. That intent simply does not work, the vfs is not built to
+allow that kind of behavior. Which means that the bpf filesystem
+really is buggy both semantically and in it's implemenation as it does
+not nor can it implement the original intent.
+
+This change is userspace visible, but my experience with similar
+filesystems leads me to believe nothing will break with a model of each
+mount of the bpf filesystem is distinct from all others.
+
+Fixes: b2197755b263 ("bpf: add support for persistent maps/progs")
+Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/inode.c
++++ b/kernel/bpf/inode.c
+@@ -378,7 +378,7 @@ static int bpf_fill_super(struct super_b
+ static struct dentry *bpf_mount(struct file_system_type *type, int flags,
+ const char *dev_name, void *data)
+ {
+- return mount_ns(type, flags, current->nsproxy->mnt_ns, bpf_fill_super);
++ return mount_nodev(type, flags, data, bpf_fill_super);
+ }
+
+ static struct file_system_type bpf_fs_type = {
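Review bot: In `bpf_mount()` the third argument changes from `current->nsproxy->mnt_ns` to the caller-supplied `data`, and the body of `bpf_fill_super()` is outside this hunk, so please confirm it ignores or validates `data` rather than treating it as the namespace pointer it used to receive. The message says the change is userspace visible; a sentence in the bpf filesystem documentation stating that each mount is now a distinct instance would help admins who expected one instance per mount namespace.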
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Date: Tue, 7 Jun 2016 19:14:17 +0900
+Subject: bridge: Don't insert unnecessary local fdb entry on changing mac address
+
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+
+[ Upstream commit 0b148def403153a4d1565f1640356cb78ce5109f ]
+
+The missing br_vlan_should_use() test caused creation of an unneeded
+local fdb entry on changing mac address of a bridge device when there is
+a vlan which is configured on a bridge port but not on the bridge
+device.
+
+Fixes: 2594e9064a57 ("bridge: vlan: add per-vlan struct and move to rhashtables")
+Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_fdb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -279,6 +279,8 @@ void br_fdb_change_mac_address(struct ne
+ * change from under us.
+ */
+ list_for_each_entry(v, &vg->vlan_list, vlist) {
++ if (!br_vlan_should_use(v))
++ continue;
+ f = __br_fdb_get(br, br->dev->dev_addr, v->vid);
+ if (f && f->is_local && !f->dst)
+ fdb_delete_local(br, NULL, f);
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+Date: Fri, 20 May 2016 13:21:10 -0300
+Subject: ipv4: Fix non-initialized TTL when CONFIG_SYSCTL=n
+
+From: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+
+[ Upstream commit 049bbf589ec651685205bd8ce73221fdd62345cf ]
+
+Commit fa50d974d104 ("ipv4: Namespaceify ip_default_ttl sysctl knob")
+moves the default TTL assignment, and as side-effect IPv4 TTL now
+has a default value only if sysctl support is enabled (CONFIG_SYSCTL=y).
+
+The sysctl_ip_default_ttl is fundamental for IP to work properly,
+as it provides the TTL to be used as default. The defautl TTL may be
+used in ip_selected_ttl, through the following flow:
+
+ ip_select_ttl
+ ip4_dst_hoplimit
+ net->ipv4.sysctl_ip_default_ttl
+
+This commit fixes the issue by assigning net->ipv4.sysctl_ip_default_ttl
+in net_init_net, called during ipv4's initialization.
+
+Without this commit, a kernel built without sysctl support will send
+all IP packets with zero TTL (unless a TTL is explicitly set, e.g.
+with setsockopt).
+
+Given a similar issue might appear on the other knobs that were
+namespaceify, this commit also moves them.
+
+Fixes: fa50d974d104 ("ipv4: Namespaceify ip_default_ttl sysctl knob")
+Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/af_inet.c | 8 ++++++++
+ net/ipv4/sysctl_net_ipv4.c | 4 ----
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -1660,6 +1660,14 @@ static __net_init int inet_init_net(stru
+ */
+ net->ipv4.ping_group_range.range[0] = make_kgid(&init_user_ns, 1);
+ net->ipv4.ping_group_range.range[1] = make_kgid(&init_user_ns, 0);
++
++ /* Default values for sysctl-controlled parameters.
++ * We set them here, in case sysctl is not compiled.
++ */
++ net->ipv4.sysctl_ip_default_ttl = IPDEFTTL;
++ net->ipv4.sysctl_ip_dynaddr = 0;
++ net->ipv4.sysctl_ip_early_demux = 1;
++
+ return 0;
+ }
+
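Review bot: The message says the defaults are assigned in `net_init_net`, but the hunk adds them to `inet_init_net()`; the message should name the function that is actually changed. In the new comment, "in case sysctl is not compiled" would be clearer as "in case sysctl support is not compiled in (CONFIG_SYSCTL=n)", which also ties the block to the zero-TTL failure the message describes.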
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -988,10 +988,6 @@ static __net_init int ipv4_sysctl_init_n
+ if (!net->ipv4.sysctl_local_reserved_ports)
+ goto err_ports;
+
+- net->ipv4.sysctl_ip_default_ttl = IPDEFTTL;
+- net->ipv4.sysctl_ip_dynaddr = 0;
+- net->ipv4.sysctl_ip_early_demux = 1;
+-
+ return 0;
+
+ err_ports:
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Jakub Sitnicki <jkbs@redhat.com>
+Date: Wed, 8 Jun 2016 15:13:34 +0200
+Subject: ipv6: Skip XFRM lookup if dst_entry in socket cache is valid
+
+From: Jakub Sitnicki <jkbs@redhat.com>
+
+[ Upstream commit 00bc0ef5880dc7b82f9c320dead4afaad48e47be ]
+
+At present we perform an xfrm_lookup() for each UDPv6 message we
+send. The lookup involves querying the flow cache (flow_cache_lookup)
+and, in case of a cache miss, creating an XFRM bundle.
+
+If we miss the flow cache, we can end up creating a new bundle and
+deriving the path MTU (xfrm_init_pmtu) from on an already transformed
+dst_entry, which we pass from the socket cache (sk->sk_dst_cache) down
+to xfrm_lookup(). This can happen only if we're caching the dst_entry
+in the socket, that is when we're using a connected UDP socket.
+
+To put it another way, the path MTU shrinks each time we miss the flow
+cache, which later on leads to incorrectly fragmented payload. It can
+be observed with ESPv6 in transport mode:
+
+ 1) Set up a transformation and lower the MTU to trigger fragmentation
+ # ip xfrm policy add dir out src ::1 dst ::1 \
+ tmpl src ::1 dst ::1 proto esp spi 1
+ # ip xfrm state add src ::1 dst ::1 \
+ proto esp spi 1 enc 'aes' 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
+ # ip link set dev lo mtu 1500
+
+ 2) Monitor the packet flow and set up an UDP sink
+ # tcpdump -ni lo -ttt &
+ # socat udp6-listen:12345,fork /dev/null &
+
+ 3) Send a datagram that needs fragmentation with a connected socket
+ # perl -e 'print "@" x 1470 | socat - udp6:[::1]:12345
+ 2016/06/07 18:52:52 socat[724] E read(3, 0x555bb3d5ba00, 8192): Protocol error
+ 00:00:00.000000 IP6 ::1 > ::1: frag (0|1448) ESP(spi=0x00000001,seq=0x2), length 1448
+ 00:00:00.000014 IP6 ::1 > ::1: frag (1448|32)
+ 00:00:00.000050 IP6 ::1 > ::1: ESP(spi=0x00000001,seq=0x3), length 1272
+ (^ ICMPv6 Parameter Problem)
+ 00:00:00.000022 IP6 ::1 > ::1: ESP(spi=0x00000001,seq=0x5), length 136
+
+ 4) Compare it to a non-connected socket
+ # perl -e 'print "@" x 1500' | socat - udp6-sendto:[::1]:12345
+ 00:00:40.535488 IP6 ::1 > ::1: frag (0|1448) ESP(spi=0x00000001,seq=0x6), length 1448
+ 00:00:00.000010 IP6 ::1 > ::1: frag (1448|64)
+
+What happens in step (3) is:
+
+ 1) when connecting the socket in __ip6_datagram_connect(), we
+ perform an XFRM lookup, miss the flow cache, create an XFRM
+ bundle, and cache the destination,
+
+ 2) afterwards, when sending the datagram, we perform an XFRM lookup,
+ again, miss the flow cache (due to mismatch of flowi6_iif and
+ flowi6_oif, which is an issue of its own), and recreate an XFRM
+ bundle based on the cached (and already transformed) destination.
+
+To prevent the recreation of an XFRM bundle, avoid an XFRM lookup
+altogether whenever we already have a destination entry cached in the
+socket. This prevents the path MTU shrinkage and brings us on par with
+UDPv4.
+
+The fix also benefits connected PINGv6 sockets, another user of
+ip6_sk_dst_lookup_flow(), who also suffer messages being transformed
+twice.
+
+Joint work with Hannes Frederic Sowa.
+
+Reported-by: Jan Tluka <jtluka@redhat.com>
+Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1071,17 +1071,12 @@ struct dst_entry *ip6_sk_dst_lookup_flow
+ const struct in6_addr *final_dst)
+ {
+ struct dst_entry *dst = sk_dst_check(sk, inet6_sk(sk)->dst_cookie);
+- int err;
+
+ dst = ip6_sk_dst_check(sk, dst, fl6);
++ if (!dst)
++ dst = ip6_dst_lookup_flow(sk, fl6, final_dst);
+
+- err = ip6_dst_lookup_tail(sock_net(sk), sk, &dst, fl6);
+- if (err)
+- return ERR_PTR(err);
+- if (final_dst)
+- fl6->daddr = *final_dst;
+-
+- return xfrm_lookup_route(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0);
++ return dst;
+ }
+ EXPORT_SYMBOL_GPL(ip6_sk_dst_lookup_flow);
+
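Review bot: On the cached-dst path in `ip6_sk_dst_lookup_flow()`, the removed `if (final_dst) fl6->daddr = *final_dst;` no longer runs, because `final_dst` is now only handed to `ip6_dst_lookup_flow()` when `dst` is NULL. A caller that reads `fl6->daddr` after the call would see a different value on a cache hit than on a miss; please confirm no caller depends on it, or keep the assignment outside the `if (!dst)`. With `err` gone, the function also returns whatever `ip6_dst_lookup_flow()` returns, so the function comment should say that the result still has to be checked with IS_ERR().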
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Wed, 8 Jun 2016 12:59:17 +0200
+Subject: l2tp: fix configuration passed to setup_udp_tunnel_sock()
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+[ Upstream commit a5c5e2da8551eb69e5d5d09d51d526140b5db9fb ]
+
+Unused fields of udp_cfg must be all zeros. Otherwise
+setup_udp_tunnel_sock() fills ->gro_receive and ->gro_complete
+callbacks with garbage, eventually resulting in panic when used by
+udp_gro_receive().
+
+[ 72.694123] BUG: unable to handle kernel paging request at ffff880033f87d78
+[ 72.695518] IP: [<ffff880033f87d78>] 0xffff880033f87d78
+[ 72.696530] PGD 26e2067 PUD 26e3067 PMD 342ed063 PTE 8000000033f87163
+[ 72.696530] Oops: 0011 [#1] SMP KASAN
+[ 72.696530] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core ip6_udp_tunnel udp_tunnel pptp gre pppox ppp_generic slhc crc32c_intel ghash_clmulni_intel jitterentropy_rng sha256_generic hmac drbg ansi_cprng aesni_intel evdev aes_x86_64 ablk_helper cryptd lrw gf128mul glue_helper serio_raw acpi_cpufreq button proc\
+essor ext4 crc16 jbd2 mbcache virtio_blk virtio_net virtio_pci virtio_ring virtio
+[ 72.696530] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.7.0-rc1 #1
+[ 72.696530] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
+[ 72.696530] task: ffff880035b59700 ti: ffff880035b70000 task.ti: ffff880035b70000
+[ 72.696530] RIP: 0010:[<ffff880033f87d78>] [<ffff880033f87d78>] 0xffff880033f87d78
+[ 72.696530] RSP: 0018:ffff880035f87bc0 EFLAGS: 00010246
+[ 72.696530] RAX: ffffed000698f996 RBX: ffff88003326b840 RCX: ffffffff814cc823
+[ 72.696530] RDX: ffff88003326b840 RSI: ffff880033e48038 RDI: ffff880034c7c780
+[ 72.696530] RBP: ffff880035f87c18 R08: 000000000000a506 R09: 0000000000000000
+[ 72.696530] R10: ffff880035f87b38 R11: ffff880034b9344d R12: 00000000ebfea715
+[ 72.696530] R13: 0000000000000000 R14: ffff880034c7c780 R15: 0000000000000000
+[ 72.696530] FS: 0000000000000000(0000) GS:ffff880035f80000(0000) knlGS:0000000000000000
+[ 72.696530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 72.696530] CR2: ffff880033f87d78 CR3: 0000000033c98000 CR4: 00000000000406a0
+[ 72.696530] Stack:
+[ 72.696530] ffffffff814cc834 ffff880034b93468 0000001481416818 ffff88003326b874
+[ 72.696530] ffff880034c7ccb0 ffff880033e48038 ffff88003326b840 ffff880034b93462
+[ 72.696530] ffff88003326b88a ffff88003326b88c ffff880034b93468 ffff880035f87c70
+[ 72.696530] Call Trace:
+[ 72.696530] <IRQ>
+[ 72.696530] [<ffffffff814cc834>] ? udp_gro_receive+0x1c6/0x1f9
+[ 72.696530] [<ffffffff814ccb1c>] udp4_gro_receive+0x2b5/0x310
+[ 72.696530] [<ffffffff814d989b>] inet_gro_receive+0x4a3/0x4cd
+[ 72.696530] [<ffffffff81431b32>] dev_gro_receive+0x584/0x7a3
+[ 72.696530] [<ffffffff810adf7a>] ? __lock_is_held+0x29/0x64
+[ 72.696530] [<ffffffff814321f7>] napi_gro_receive+0x124/0x21d
+[ 72.696530] [<ffffffffa000b145>] virtnet_receive+0x8df/0x8f6 [virtio_net]
+[ 72.696530] [<ffffffffa000b27e>] virtnet_poll+0x1d/0x8d [virtio_net]
+[ 72.696530] [<ffffffff81431350>] net_rx_action+0x15b/0x3b9
+[ 72.696530] [<ffffffff815893d6>] __do_softirq+0x216/0x546
+[ 72.696530] [<ffffffff81062392>] irq_exit+0x49/0xb6
+[ 72.696530] [<ffffffff81588e9a>] do_IRQ+0xe2/0xfa
+[ 72.696530] [<ffffffff81587a49>] common_interrupt+0x89/0x89
+[ 72.696530] <EOI>
+[ 72.696530] [<ffffffff810b05df>] ? trace_hardirqs_on_caller+0x229/0x270
+[ 72.696530] [<ffffffff8102b3c7>] ? default_idle+0x1c/0x2d
+[ 72.696530] [<ffffffff8102b3c5>] ? default_idle+0x1a/0x2d
+[ 72.696530] [<ffffffff8102bb8c>] arch_cpu_idle+0xa/0xc
+[ 72.696530] [<ffffffff810a6c39>] default_idle_call+0x1a/0x1c
+[ 72.696530] [<ffffffff810a6d96>] cpu_startup_entry+0x15b/0x20f
+[ 72.696530] [<ffffffff81039a81>] start_secondary+0x12c/0x133
+[ 72.696530] Code: ff ff ff ff ff ff ff ff ff ff 7f ff ff ff ff ff ff ff 7f 00 7e f8 33 00 88 ff ff 6d 61 58 81 ff ff ff ff 5e de 0a 81 ff ff ff ff <00> 5c e2 34 00 88 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 72.696530] RIP [<ffff880033f87d78>] 0xffff880033f87d78
+[ 72.696530] RSP <ffff880035f87bc0>
+[ 72.696530] CR2: ffff880033f87d78
+[ 72.696530] ---[ end trace ad7758b9a1dccf99 ]---
+[ 72.696530] Kernel panic - not syncing: Fatal exception in interrupt
+[ 72.696530] Kernel Offset: disabled
+[ 72.696530] ---[ end Kernel panic - not syncing: Fatal exception in interrupt
+
+v2: use empty initialiser instead of "{ NULL }" to avoid relying on
+ first field's type.
+
+Fixes: 38fd2af24fcf ("udp: Add socket based GRO and config")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -1581,7 +1581,7 @@ int l2tp_tunnel_create(struct net *net,
+ /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
+ tunnel->encap = encap;
+ if (encap == L2TP_ENCAPTYPE_UDP) {
+- struct udp_tunnel_sock_cfg udp_cfg;
++ struct udp_tunnel_sock_cfg udp_cfg = { };
+
+ udp_cfg.sk_user_data = tunnel;
+ udp_cfg.encap_type = UDP_ENCAP_L2TPINUDP;
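Review bot: `struct udp_tunnel_sock_cfg udp_cfg = { };` fixes the garbage callbacks, but the members are still filled in one assignment at a time below it; a designated initializer setting `.sk_user_data = tunnel` and `.encap_type = UDP_ENCAP_L2TPINUDP` at the declaration would zero the rest and set the used fields in one place. The oops in the message shows the uninitialised pointer being called from `udp_gro_receive()` in interrupt context, so a note in the comment for `setup_udp_tunnel_sock()` that unused fields must be zero would help other callers avoid the same panic.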
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Wed, 18 May 2016 13:34:40 +0200
+Subject: macsec: fix netlink attribute for key id
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 1968a0b8b6ca088bc029bd99ee696f1aca4090d0 ]
+
+In my last commit I replaced MACSEC_SA_ATTR_KEYID by
+MACSEC_SA_ATTR_KEY.
+
+Fixes: 8acca6acebd0 ("macsec: key identifier is 128 bits, not 64")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1645,7 +1645,7 @@ static int macsec_add_rxsa(struct sk_buf
+ if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
+ rx_sa->active = !!nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
+
+- nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEY], MACSEC_KEYID_LEN);
++ nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
+ rx_sa->sc = rx_sc;
+ rcu_assign_pointer(rx_sc->sa[assoc_num], rx_sa);
+
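Review bot: `nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN)` reads the attribute without the `if (tb_sa[...])` guard that MACSEC_SA_ATTR_ACTIVE gets two lines above. Please confirm that validation earlier in `macsec_add_rxsa()`, outside this hunk, rejects a request that lacks MACSEC_SA_ATTR_KEYID or carries one shorter than MACSEC_KEYID_LEN; since the index changes here, that check has to cover KEYID and not only KEY. The same applies to the `tx_sa->key.id` copy in `macsec_add_txsa()`.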
+@@ -1784,7 +1784,7 @@ static int macsec_add_txsa(struct sk_buf
+ return -ENOMEM;
+ }
+
+- nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEY], MACSEC_KEYID_LEN);
++ nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
+
+ spin_lock_bh(&tx_sa->lock);
+ tx_sa->next_pn = nla_get_u32(tb_sa[MACSEC_SA_ATTR_PN]);
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Feng Tang <feng.tang@intel.com>
+Date: Wed, 25 May 2016 14:49:54 +0800
+Subject: net: alx: use custom skb allocator
+
+From: Feng Tang <feng.tang@intel.com>
+
+[ Upstream commit 26c5f03b2ae8018418ceb25b2e6a48560e8c2f5b ]
+
+This patch follows Eric Dumazet's commit 7b70176421 for Atheros
+atl1c driver to fix one exactly same bug in alx driver, that the
+network link will be lost in 1-5 minutes after the device is up.
+
+My laptop Lenovo Y580 with Atheros AR8161 ethernet device hit the
+same problem with kernel 4.4, and it will be cured by Jarod Wilson's
+commit c406700c for alx driver which get merged in 4.5. But there
+are still some alx devices can't function well even with Jarod's
+patch, while this patch could make them work fine. More details on
+ https://bugzilla.kernel.org/show_bug.cgi?id=70761
+
+The debug shows the issue is very likely to be related with the RX
+DMA address, specifically 0x...f80, if RX buffer get 0x...f80 several
+times, their will be RX overflow error and device will stop working.
+
+For kernel 4.5.0 with Jarod's patch which works fine with my
+AR8161/Lennov Y580, if I made some change to the
+ __netdev_alloc_skb
+ --> __alloc_page_frag()
+to make the allocated buffer can get an address with 0x...f80,
+then the same error happens. If I make it to 0x...f40 or 0x....fc0,
+everything will be still fine. So I tend to believe that the
+0x..f80 address cause the silicon to behave abnormally.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=70761
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Johannes Berg <johannes@sipsolutions.net>
+Cc: Jarod Wilson <jarod@redhat.com>
+Signed-off-by: Feng Tang <feng.tang@intel.com>
+Tested-by: Ole Lukoie <olelukoie@mail.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/atheros/alx/alx.h | 4 ++
+ drivers/net/ethernet/atheros/alx/main.c | 48 +++++++++++++++++++++++++++++++-
+ 2 files changed, 51 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/atheros/alx/alx.h
++++ b/drivers/net/ethernet/atheros/alx/alx.h
+@@ -96,6 +96,10 @@ struct alx_priv {
+ unsigned int rx_ringsz;
+ unsigned int rxbuf_size;
+
++ struct page *rx_page;
++ unsigned int rx_page_offset;
++ unsigned int rx_frag_size;
++
+ struct napi_struct napi;
+ struct alx_tx_queue txq;
+ struct alx_rx_queue rxq;
+--- a/drivers/net/ethernet/atheros/alx/main.c
++++ b/drivers/net/ethernet/atheros/alx/main.c
+@@ -70,6 +70,35 @@ static void alx_free_txbuf(struct alx_pr
+ }
+ }
+
++static struct sk_buff *alx_alloc_skb(struct alx_priv *alx, gfp_t gfp)
++{
++ struct sk_buff *skb;
++ struct page *page;
++
++ if (alx->rx_frag_size > PAGE_SIZE)
++ return __netdev_alloc_skb(alx->dev, alx->rxbuf_size, gfp);
++
++ page = alx->rx_page;
++ if (!page) {
++ alx->rx_page = page = alloc_page(gfp);
++ if (unlikely(!page))
++ return NULL;
++ alx->rx_page_offset = 0;
++ }
++
++ skb = build_skb(page_address(page) + alx->rx_page_offset,
++ alx->rx_frag_size);
++ if (likely(skb)) {
++ alx->rx_page_offset += alx->rx_frag_size;
++ if (alx->rx_page_offset >= PAGE_SIZE)
++ alx->rx_page = NULL;
++ else
++ get_page(page);
++ }
++ return skb;
++}
++
++
+ static int alx_refill_rx_ring(struct alx_priv *alx, gfp_t gfp)
+ {
+ struct alx_rx_queue *rxq = &alx->rxq;
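Review bot: `alx_alloc_skb()` has no comment saying why the driver needs its own allocator; the reason (RX buffers at DMA addresses ending in 0x...f80 lead to RX overflow) is only in the commit message and should sit above the function. The early `if (alx->rx_frag_size > PAGE_SIZE)` branch also falls back to `__netdev_alloc_skb()`, the allocator this patch replaces, so for frame sizes that push `rx_frag_size` past a page the workaround is silently not applied; document that limit or handle it. The double blank line after the function can go.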
+@@ -86,7 +115,7 @@ static int alx_refill_rx_ring(struct alx
+ while (!cur_buf->skb && next != rxq->read_idx) {
+ struct alx_rfd *rfd = &rxq->rfd[cur];
+
+- skb = __netdev_alloc_skb(alx->dev, alx->rxbuf_size, gfp);
++ skb = alx_alloc_skb(alx, gfp);
+ if (!skb)
+ break;
+ dma = dma_map_single(&alx->hw.pdev->dev,
+@@ -124,6 +153,7 @@ static int alx_refill_rx_ring(struct alx
+ alx_write_mem16(&alx->hw, ALX_RFD_PIDX, cur);
+ }
+
++
+ return count;
+ }
+
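Review bot: This hunk only adds a blank line before `return count;` in `alx_refill_rx_ring()`. Whitespace-only changes like this one, and the blank line added in `alx_request_irq()`, are unrelated to the fix and are best left out of a patch that is headed for stable.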
+@@ -592,6 +622,11 @@ static void alx_free_rings(struct alx_pr
+ kfree(alx->txq.bufs);
+ kfree(alx->rxq.bufs);
+
++ if (alx->rx_page) {
++ put_page(alx->rx_page);
++ alx->rx_page = NULL;
++ }
++
+ dma_free_coherent(&alx->hw.pdev->dev,
+ alx->descmem.size,
+ alx->descmem.virt,
+@@ -646,6 +681,7 @@ static int alx_request_irq(struct alx_pr
+ alx->dev->name, alx);
+ if (!err)
+ goto out;
++
+ /* fall back to legacy interrupt */
+ pci_disable_msi(alx->hw.pdev);
+ }
+@@ -689,6 +725,7 @@ static int alx_init_sw(struct alx_priv *
+ struct pci_dev *pdev = alx->hw.pdev;
+ struct alx_hw *hw = &alx->hw;
+ int err;
++ unsigned int head_size;
+
+ err = alx_identify_hw(alx);
+ if (err) {
+@@ -704,7 +741,12 @@ static int alx_init_sw(struct alx_priv *
+
+ hw->smb_timer = 400;
+ hw->mtu = alx->dev->mtu;
++
+ alx->rxbuf_size = ALX_MAX_FRAME_LEN(hw->mtu);
++ head_size = SKB_DATA_ALIGN(alx->rxbuf_size + NET_SKB_PAD) +
++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
++ alx->rx_frag_size = roundup_pow_of_two(head_size);
++
+ alx->tx_ringsz = 256;
+ alx->rx_ringsz = 512;
+ hw->imt = 200;
+@@ -806,6 +848,7 @@ static int alx_change_mtu(struct net_dev
+ {
+ struct alx_priv *alx = netdev_priv(netdev);
+ int max_frame = ALX_MAX_FRAME_LEN(mtu);
++ unsigned int head_size;
+
+ if ((max_frame < ALX_MIN_FRAME_SIZE) ||
+ (max_frame > ALX_MAX_FRAME_SIZE))
+@@ -817,6 +860,9 @@ static int alx_change_mtu(struct net_dev
+ netdev->mtu = mtu;
+ alx->hw.mtu = mtu;
+ alx->rxbuf_size = max(max_frame, ALX_DEF_RXBUF_SIZE);
++ head_size = SKB_DATA_ALIGN(alx->rxbuf_size + NET_SKB_PAD) +
++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
++ alx->rx_frag_size = roundup_pow_of_two(head_size);
+ netdev_update_features(netdev);
+ if (netif_running(netdev))
+ alx_reinit(alx);
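Review bot: `alx_change_mtu()` recomputes `alx->rx_frag_size` while `alx->rx_page` and `alx->rx_page_offset` may still describe a page carved with the old fragment size, and `alx_reinit()` is only called under `netif_running()`. If a partially used page survives the change, the next `build_skb(page_address(page) + alx->rx_page_offset, alx->rx_frag_size)` could extend past the end of that page; please confirm the page is always released (the `put_page()` added to `alx_free_rings()`) before the new size is used, or reset `rx_page` here. The `head_size` computation is duplicated from `alx_init_sw()` and would be better as one small helper.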
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Date: Tue, 24 May 2016 18:03:26 +0200
+Subject: net: hwbm: Fix unbalanced spinlock in error case
+
+From: Gregory CLEMENT <gregory.clement@free-electrons.com>
+
+[ Upstream commit b388fc7405e901c7d6f7817d05193c054e761815 ]
+
+When hwbm_pool_add exited in error the spinlock was not released. This
+patch fixes this issue.
+
+Fixes: 8cb2d8bf57e6 ("net: add a hardware buffer management helper API")
+Reported-by: Jean-Jacques Hiblot <jjhiblot@traphandler.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/hwbm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/core/hwbm.c
++++ b/net/core/hwbm.c
+@@ -55,18 +55,21 @@ int hwbm_pool_add(struct hwbm_pool *bm_p
+ spin_lock_irqsave(&bm_pool->lock, flags);
+ if (bm_pool->buf_num == bm_pool->size) {
+ pr_warn("pool already filled\n");
++ spin_unlock_irqrestore(&bm_pool->lock, flags);
+ return bm_pool->buf_num;
+ }
+
+ if (buf_num + bm_pool->buf_num > bm_pool->size) {
+ pr_warn("cannot allocate %d buffers for pool\n",
+ buf_num);
++ spin_unlock_irqrestore(&bm_pool->lock, flags);
+ return 0;
+ }
+
+ if ((buf_num + bm_pool->buf_num) < bm_pool->buf_num) {
+ pr_warn("Adding %d buffers to the %d current buffers will overflow\n",
+ buf_num, bm_pool->buf_num);
++ spin_unlock_irqrestore(&bm_pool->lock, flags);
+ return 0;
+ }
+
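Review bot: The three added `spin_unlock_irqrestore()` calls repeat the same unlock before each early `return` in `hwbm_pool_add()`; a single exit label reached with `goto` would make it harder for the next error branch to reintroduce the imbalance. The first branch also evaluates `return bm_pool->buf_num;` after the lock has been dropped; copying the value to a local while the lock is held avoids the unlocked read.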
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Date: Tue, 24 May 2016 18:03:25 +0200
+Subject: net: mvneta: Fix lacking spinlock initialization
+
+From: Gregory CLEMENT <gregory.clement@free-electrons.com>
+
+[ Upstream commit 91c45e38b9478ff507e05f10151d64cd0d1aad7b ]
+
+The spinlock used by the hwbm functions must be initialized by the
+network driver. This commit fixes this lack and the following erros when
+lockdep is enabled:
+
+INFO: trying to register non-static key.
+the code is fine but needs lockdep annotation.
+turning off the locking correctness validator.
+[<c010ff80>] (unwind_backtrace) from [<c010bd08>] (show_stack+0x10/0x14)
+[<c010bd08>] (show_stack) from [<c032913c>] (dump_stack+0xb4/0xe0)
+[<c032913c>] (dump_stack) from [<c01670e4>] (__lock_acquire+0x1f58/0x2060)
+[<c01670e4>] (__lock_acquire) from [<c0167dec>] (lock_acquire+0xa4/0xd0)
+[<c0167dec>] (lock_acquire) from [<c06f6650>] (_raw_spin_lock_irqsave+0x54/0x68)
+[<c06f6650>] (_raw_spin_lock_irqsave) from [<c058e830>] (hwbm_pool_add+0x1c/0xdc)
+[<c058e830>] (hwbm_pool_add) from [<c043f4e8>] (mvneta_bm_pool_use+0x338/0x490)
+[<c043f4e8>] (mvneta_bm_pool_use) from [<c0443198>] (mvneta_probe+0x654/0x1284)
+[<c0443198>] (mvneta_probe) from [<c03b894c>] (platform_drv_probe+0x4c/0xb0)
+[<c03b894c>] (platform_drv_probe) from [<c03b7158>] (driver_probe_device+0x214/0x2c0)
+[<c03b7158>] (driver_probe_device) from [<c03b72c4>] (__driver_attach+0xc0/0xc4)
+[<c03b72c4>] (__driver_attach) from [<c03b5440>] (bus_for_each_dev+0x68/0x9c)
+[<c03b5440>] (bus_for_each_dev) from [<c03b65b8>] (bus_add_driver+0x1a0/0x218)
+[<c03b65b8>] (bus_add_driver) from [<c03b79cc>] (driver_register+0x78/0xf8)
+[<c03b79cc>] (driver_register) from [<c01018f4>] (do_one_initcall+0x90/0x1dc)
+[<c01018f4>] (do_one_initcall) from [<c0900de4>] (kernel_init_freeable+0x15c/0x1fc)
+[<c0900de4>] (kernel_init_freeable) from [<c06eed90>] (kernel_init+0x8/0x114)
+[<c06eed90>] (kernel_init) from [<c0107910>] (ret_from_fork+0x14/0x24)
+
+Fixes: baa11ebc0c76 ("net: mvneta: Use the new hwbm framework")
+Reported-by: Russell King <rmk+kernel@armlinux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvneta_bm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/marvell/mvneta_bm.c
++++ b/drivers/net/ethernet/marvell/mvneta_bm.c
+@@ -189,6 +189,7 @@ struct mvneta_bm_pool *mvneta_bm_pool_us
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+ hwbm_pool->construct = mvneta_bm_construct;
+ hwbm_pool->priv = new_pool;
++ spin_lock_init(&hwbm_pool->lock);
+
+ /* Create new pool */
+ err = mvneta_bm_pool_create(priv, new_pool);
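Review bot: `spin_lock_init(&hwbm_pool->lock)` is added in the driver, next to the `construct` and `priv` assignments, which means every user of the hwbm helpers has to remember to initialise a lock that only the hwbm functions take. Consider documenting that requirement on the `lock` member, or providing an init helper in the hwbm code, so the next driver does not hit the lockdep report quoted in the message.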
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Elad Kanfi <eladkan@mellanox.com>
+Date: Thu, 26 May 2016 15:00:06 +0300
+Subject: net: nps_enet: Disable interrupts before napi reschedule
+
+From: Elad Kanfi <eladkan@mellanox.com>
+
+[ Upstream commit 86651650d16a359e4142c6a8b0467c87e48c4c94 ]
+
+Since NAPI works by shutting down event interrupts when theres
+work and turning them on when theres none, the net driver must
+make sure that interrupts are disabled when it reschedules polling.
+By calling napi_reschedule, the driver switches to polling mode,
+therefor there should be no interrupt interference.
+Any received packets will be handled in nps_enet_poll by polling the HW
+indication of received packet until all packets are handled.
+
+Signed-off-by: Elad Kanfi <eladkan@mellanox.com>
+Acked-by: Noam Camus <noamca@mellanox.com>
+Tested-by: Alexey Brodkin <abrodkin@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ezchip/nps_enet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ezchip/nps_enet.c
++++ b/drivers/net/ethernet/ezchip/nps_enet.c
+@@ -205,8 +205,10 @@ static int nps_enet_poll(struct napi_str
+ * re-adding ourselves to the poll list.
+ */
+
+- if (priv->tx_skb && !tx_ctrl_ct)
++ if (priv->tx_skb && !tx_ctrl_ct) {
++ nps_enet_reg_set(priv, NPS_ENET_REG_BUF_INT_ENABLE, 0);
+ napi_reschedule(napi);
++ }
+ }
+
+ return work_done;
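Review bot: in the new braced block, the return value of napi_reschedule(napi) is ignored after NPS_ENET_REG_BUF_INT_ENABLE has been written to 0. If the reschedule does not take effect, nothing visible here turns the buffer interrupts back on. Either check the result and restore the enable register on failure, or extend the comment above the block to say where the interrupts are re-enabled.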
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Marek Vasut <marex@denx.de>
+Date: Thu, 26 May 2016 00:40:23 +0200
+Subject: net: stmmac: Fix incorrect memcpy source memory
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 643d60bf575daaba93c1ac0d0e1c4b1d4ded1f75 ]
+
+The memcpy() currently copies mdio_bus_data into new_bus->irq, which
+makes no sense, since the mdio_bus_data structure contains more than
+just irqs. The code was likely supposed to copy mdio_bus_data->irqs
+into the new_bus->irq instead, so fix this.
+
+Fixes: e7f4dc3536a4 ("mdio: Move allocation of interrupts into core")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
+@@ -209,7 +209,7 @@ int stmmac_mdio_register(struct net_devi
+ return -ENOMEM;
+
+ if (mdio_bus_data->irqs)
+- memcpy(new_bus->irq, mdio_bus_data, sizeof(new_bus->irq));
++ memcpy(new_bus->irq, mdio_bus_data->irqs, sizeof(new_bus->irq));
+
+ #ifdef CONFIG_OF
+ if (priv->device->of_node)
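Review bot: the corrected memcpy() still takes its length from the destination, sizeof(new_bus->irq), while the source mdio_bus_data->irqs is a bare pointer that is only tested for NULL. Nothing in the hunk guarantees the platform-supplied array is at least that long, so a shorter array would be read past its end. Document the required element count where irqs is declared, or carry a count alongside it and copy the smaller of the two sizes.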
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Mon, 16 May 2016 17:28:16 +0800
+Subject: netlink: Fix dump skb leak/double free
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 92964c79b357efd980812c4de5c1fd2ec8bb5520 ]
+
+When we free cb->skb after a dump, we do it after releasing the
+lock. This means that a new dump could have started in the time
+being and we'll end up freeing their skb instead of ours.
+
+This patch saves the skb and module before we unlock so we free
+the right memory.
+
+Fixes: 16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.")
+Reported-by: Baozeng Ding <sploving1@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2059,6 +2059,7 @@ static int netlink_dump(struct sock *sk)
+ struct netlink_callback *cb;
+ struct sk_buff *skb = NULL;
+ struct nlmsghdr *nlh;
++ struct module *module;
+ int len, err = -ENOBUFS;
+ int alloc_min_size;
+ int alloc_size;
+@@ -2134,9 +2135,11 @@ static int netlink_dump(struct sock *sk)
+ cb->done(cb);
+
+ nlk->cb_running = false;
++ module = cb->module;
++ skb = cb->skb;
+ mutex_unlock(nlk->cb_mutex);
+- module_put(cb->module);
+- consume_skb(cb->skb);
++ module_put(module);
++ consume_skb(skb);
+ return 0;
+
+ errout_skb:
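Review bot: in the second hunk, skb = cb->skb reuses the function's existing skb local (declared as struct sk_buff *skb = NULL in the first hunk's context), with the errout_skb label directly below. A dedicated local for the saved cb->skb, plus a one-line comment that cb->module and cb->skb must be read before mutex_unlock(nlk->cb_mutex) because a new dump may replace them afterwards, would keep a later cleanup from undoing the ordering.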
scsi_lib-correctly-retry-failed-zero-length-req_type_fs-commands.patch
scsi-add-qemu-cd-rom-to-vpd-inquiry-blacklist.patch
+tipc-check-nl-sock-before-parsing-nested-attributes.patch
+netlink-fix-dump-skb-leak-double-free.patch
+tipc-fix-nametable-publication-field-in-nl-compat.patch
+switchdev-pass-pointer-to-fib_info-instead-of-copy.patch
+macsec-fix-netlink-attribute-for-key-id.patch
+tuntap-correctly-wake-up-process-during-uninit.patch
+bpf-use-mount_nodev-not-mount_ns-to-mount-the-bpf-filesystem.patch
+udp-prevent-skbs-lingering-in-tunnel-socket-queues.patch
+uapi-glibc-compat-fix-compilation-when-__use_misc-in-glibc.patch
+ipv4-fix-non-initialized-ttl-when-config_sysctl-n.patch
+bpf-inode-disallow-userns-mounts.patch
+net-mvneta-fix-lacking-spinlock-initialization.patch
+net-hwbm-fix-unbalanced-spinlock-in-error-case.patch
+sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch
+team-don-t-call-netdev_change_features-under-team-lock.patch
+net-alx-use-custom-skb-allocator.patch
+net-stmmac-fix-incorrect-memcpy-source-memory.patch
+vxlan-accept-user-specified-mtu-value-when-create-new-vxlan-link.patch
+net-nps_enet-disable-interrupts-before-napi-reschedule.patch
+bpf-trace-use-read_once-for-retrieving-file-ptr.patch
+tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch
+bridge-don-t-insert-unnecessary-local-fdb-entry-on-changing-mac-address.patch
+l2tp-fix-configuration-passed-to-setup_udp_tunnel_sock.patch
+ipv6-skip-xfrm-lookup-if-dst_entry-in-socket-cache-is-valid.patch
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Edward Cree <ecree@solarflare.com>
+Date: Tue, 24 May 2016 18:53:36 +0100
+Subject: sfc: on MC reset, clear PIO buffer linkage in TXQs
+
+From: Edward Cree <ecree@solarflare.com>
+
+[ Upstream commit c0795bf64cba4d1b796fdc5b74b33772841ed1bb ]
+
+Otherwise, if we fail to allocate new PIO buffers, our TXQs will try to
+use the old ones, which aren't there any more.
+
+Fixes: 183233bec810 "sfc: Allocate and link PIO buffers; map them with write-combining"
+Signed-off-by: Edward Cree <ecree@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/sfc/ef10.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/net/ethernet/sfc/ef10.c
++++ b/drivers/net/ethernet/sfc/ef10.c
+@@ -619,6 +619,17 @@ fail:
+ return rc;
+ }
+
++static void efx_ef10_forget_old_piobufs(struct efx_nic *efx)
++{
++ struct efx_channel *channel;
++ struct efx_tx_queue *tx_queue;
++
++ /* All our existing PIO buffers went away */
++ efx_for_each_channel(channel, efx)
++ efx_for_each_channel_tx_queue(tx_queue, channel)
++ tx_queue->piobuf = NULL;
++}
++
+ #else /* !EFX_USE_PIO */
+
+ static int efx_ef10_alloc_piobufs(struct efx_nic *efx, unsigned int n)
+@@ -635,6 +646,10 @@ static void efx_ef10_free_piobufs(struct
+ {
+ }
+
++static void efx_ef10_forget_old_piobufs(struct efx_nic *efx)
++{
++}
++
+ #endif /* EFX_USE_PIO */
+
+ static void efx_ef10_remove(struct efx_nic *efx)
+@@ -1018,6 +1033,7 @@ static void efx_ef10_reset_mc_allocation
+ nic_data->must_realloc_vis = true;
+ nic_data->must_restore_filters = true;
+ nic_data->must_restore_piobufs = true;
++ efx_ef10_forget_old_piobufs(efx);
+ nic_data->rx_rss_context = EFX_EF10_RSS_CONTEXT_INVALID;
+
+ /* Driver-created vswitches and vports must be re-created */
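Review bot: efx_ef10_forget_old_piobufs() stores NULL to every tx_queue->piobuf with no lock or barrier in the helper, and the call added in efx_ef10_reset_mc_allocations() does not show whether the TX queues are quiesced at that point. If the transmit path can still run there, it may read piobuf while it is being cleared. A comment stating the required context (queues stopped, or which lock is held) would settle it.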
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Jiri Pirko <jiri@mellanox.com>
+Date: Tue, 17 May 2016 18:58:08 +0200
+Subject: switchdev: pass pointer to fib_info instead of copy
+
+From: Jiri Pirko <jiri@mellanox.com>
+
+[ Upstream commit da4ed55165d41b1073f9a476f1c18493e9bf8c8e ]
+
+The problem is that fib_info->nh is [0] so the struct fib_info
+allocation size depends on number of nexthops. If we just copy fib_info,
+we do not copy the nexthops info and driver accesses memory which is not
+ours.
+
+Given the fact that fib4 does not defer operations and therefore it does
+not need copy, just pass the pointer down to drivers as it was done
+before.
+
+Fixes: 850d0cbc91 ("switchdev: remove pointers from switchdev objects")
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/rocker/rocker_ofdpa.c | 4 ++--
+ include/net/switchdev.h | 2 +-
+ net/switchdev/switchdev.c | 6 ++----
+ 3 files changed, 5 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/rocker/rocker_ofdpa.c
++++ b/drivers/net/ethernet/rocker/rocker_ofdpa.c
+@@ -2727,7 +2727,7 @@ static int ofdpa_port_obj_fib4_add(struc
+
+ return ofdpa_port_fib_ipv4(ofdpa_port, trans,
+ htonl(fib4->dst), fib4->dst_len,
+- &fib4->fi, fib4->tb_id, 0);
++ fib4->fi, fib4->tb_id, 0);
+ }
+
+ static int ofdpa_port_obj_fib4_del(struct rocker_port *rocker_port,
+@@ -2737,7 +2737,7 @@ static int ofdpa_port_obj_fib4_del(struc
+
+ return ofdpa_port_fib_ipv4(ofdpa_port, NULL,
+ htonl(fib4->dst), fib4->dst_len,
+- &fib4->fi, fib4->tb_id,
++ fib4->fi, fib4->tb_id,
+ OFDPA_OP_FLAG_REMOVE);
+ }
+
+--- a/include/net/switchdev.h
++++ b/include/net/switchdev.h
+@@ -97,7 +97,7 @@ struct switchdev_obj_ipv4_fib {
+ struct switchdev_obj obj;
+ u32 dst;
+ int dst_len;
+- struct fib_info fi;
++ struct fib_info *fi;
+ u8 tos;
+ u8 type;
+ u32 nlflags;
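Review bot: struct switchdev_obj_ipv4_fib now carries a borrowed struct fib_info *fi instead of an embedded copy, and nothing in the header says how long that pointer stays valid. The commit message relies on fib4 operations not being deferred; put that in a comment on the field (valid only for the duration of the call, and a driver that keeps it must take its own reference) so a later deferred path does not turn this into a use-after-free.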
+--- a/net/switchdev/switchdev.c
++++ b/net/switchdev/switchdev.c
+@@ -1188,6 +1188,7 @@ int switchdev_fib_ipv4_add(u32 dst, int
+ .obj.id = SWITCHDEV_OBJ_ID_IPV4_FIB,
+ .dst = dst,
+ .dst_len = dst_len,
++ .fi = fi,
+ .tos = tos,
+ .type = type,
+ .nlflags = nlflags,
+@@ -1196,8 +1197,6 @@ int switchdev_fib_ipv4_add(u32 dst, int
+ struct net_device *dev;
+ int err = 0;
+
+- memcpy(&ipv4_fib.fi, fi, sizeof(ipv4_fib.fi));
+-
+ /* Don't offload route if using custom ip rules or if
+ * IPv4 FIB offloading has been disabled completely.
+ */
+@@ -1242,6 +1241,7 @@ int switchdev_fib_ipv4_del(u32 dst, int
+ .obj.id = SWITCHDEV_OBJ_ID_IPV4_FIB,
+ .dst = dst,
+ .dst_len = dst_len,
++ .fi = fi,
+ .tos = tos,
+ .type = type,
+ .nlflags = 0,
+@@ -1250,8 +1250,6 @@ int switchdev_fib_ipv4_del(u32 dst, int
+ struct net_device *dev;
+ int err = 0;
+
+- memcpy(&ipv4_fib.fi, fi, sizeof(ipv4_fib.fi));
+-
+ if (!(fi->fib_flags & RTNH_F_OFFLOAD))
+ return 0;
+
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Yuchung Cheng <ycheng@google.com>
+Date: Mon, 6 Jun 2016 15:07:18 -0700
+Subject: tcp: record TLP and ER timer stats in v6 stats
+
+From: Yuchung Cheng <ycheng@google.com>
+
+[ Upstream commit ce3cf4ec0305919fc69a972f6c2b2efd35d36abc ]
+
+The v6 tcp stats scan do not provide TLP and ER timer information
+correctly like the v4 version . This patch fixes that.
+
+Fixes: 6ba8a3b19e76 ("tcp: Tail loss probe (TLP)")
+Fixes: eed530b6c676 ("tcp: early retransmit")
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/tcp_ipv6.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1717,7 +1717,9 @@ static void get_tcp6_sock(struct seq_fil
+ destp = ntohs(inet->inet_dport);
+ srcp = ntohs(inet->inet_sport);
+
+- if (icsk->icsk_pending == ICSK_TIME_RETRANS) {
++ if (icsk->icsk_pending == ICSK_TIME_RETRANS ||
++ icsk->icsk_pending == ICSK_TIME_EARLY_RETRANS ||
++ icsk->icsk_pending == ICSK_TIME_LOSS_PROBE) {
+ timer_active = 1;
+ timer_expires = icsk->icsk_timeout;
+ } else if (icsk->icsk_pending == ICSK_TIME_PROBE0) {
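Review bot: the three-way test on icsk->icsk_pending now has to be kept in step by hand with the v4 stats code, which per the commit message is where the v6 side fell behind for ICSK_TIME_EARLY_RETRANS and ICSK_TIME_LOSS_PROBE. A small shared helper or macro for "retransmit-class timer pending", used by both families, would stop the next timer type from being added to one side only.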
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Ivan Vecera <ivecera@redhat.com>
+Date: Wed, 25 May 2016 21:21:52 +0200
+Subject: team: don't call netdev_change_features under team->lock
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit f6988cb63a4e698d8a62a1d085d263d1fcc351ea ]
+
+The team_device_event() notifier calls team_compute_features() to fix
+vlan_features under team->lock to protect team->port_list. The problem is
+that subsequent __team_compute_features() calls netdev_change_features()
+to propagate vlan_features to upper vlan devices while team->lock is still
+taken. This can lead to deadlock when NETIF_F_LRO is modified on lower
+devices or team device itself.
+
+Example:
+The team0 as active backup with eth0 and eth1 NICs. Both eth0 & eth1 are
+LRO capable and LRO is enabled. Thus LRO is also enabled on team0.
+
+The command 'ethtool -K team0 lro off' now hangs due to this deadlock:
+
+dev_ethtool()
+-> ethtool_set_features()
+ -> __netdev_update_features(team)
+ -> netdev_sync_lower_features()
+ -> netdev_update_features(lower_1)
+ -> __netdev_update_features(lower_1)
+ -> netdev_features_change(lower_1)
+ -> call_netdevice_notifiers(...)
+ -> team_device_event(lower_1)
+ -> team_compute_features(team) [TAKES team->lock]
+ -> netdev_change_features(team)
+ -> __netdev_update_features(team)
+ -> netdev_sync_lower_features()
+ -> netdev_update_features(lower_2)
+ -> __netdev_update_features(lower_2)
+ -> netdev_features_change(lower_2)
+ -> call_netdevice_notifiers(...)
+ -> team_device_event(lower_2)
+ -> team_compute_features(team) [DEADLOCK]
+
+The bug is present in team from the beginning but it appeared after the commit
+fd867d5 (net/core: generic support for disabling netdev features down stack)
+that adds synchronization of features with lower devices.
+
+Fixes: fd867d5 (net/core: generic support for disabling netdev features down stack)
+Cc: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -990,7 +990,7 @@ static void team_port_disable(struct tea
+ #define TEAM_ENC_FEATURES (NETIF_F_HW_CSUM | NETIF_F_SG | \
+ NETIF_F_RXCSUM | NETIF_F_ALL_TSO)
+
+-static void __team_compute_features(struct team *team)
++static void ___team_compute_features(struct team *team)
+ {
+ struct team_port *port;
+ u32 vlan_features = TEAM_VLAN_FEATURES & NETIF_F_ALL_FOR_ALL;
+@@ -1021,15 +1021,20 @@ static void __team_compute_features(stru
+ team->dev->priv_flags &= ~IFF_XMIT_DST_RELEASE;
+ if (dst_release_flag == (IFF_XMIT_DST_RELEASE | IFF_XMIT_DST_RELEASE_PERM))
+ team->dev->priv_flags |= IFF_XMIT_DST_RELEASE;
++}
+
++static void __team_compute_features(struct team *team)
++{
++ ___team_compute_features(team);
+ netdev_change_features(team->dev);
+ }
+
+ static void team_compute_features(struct team *team)
+ {
+ mutex_lock(&team->lock);
+- __team_compute_features(team);
++ ___team_compute_features(team);
+ mutex_unlock(&team->lock);
++ netdev_change_features(team->dev);
+ }
+
+ static int team_port_enter(struct team *team, struct team_port *port)
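Review bot: after the split, __team_compute_features() still calls netdev_change_features(team->dev) directly after ___team_compute_features(), and only team_compute_features() moves that call outside team->lock. The hunk does not show the callers of __team_compute_features(); if they hold team->lock, can the notifier path from the commit message still re-enter? Please state the locking contract in a comment on each helper, and consider a more distinct name than a third leading underscore, which is easy to misread.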
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Richard Alpe <richard.alpe@ericsson.com>
+Date: Mon, 16 May 2016 11:14:54 +0200
+Subject: tipc: check nl sock before parsing nested attributes
+
+From: Richard Alpe <richard.alpe@ericsson.com>
+
+[ Upstream commit 45e093ae2830cd1264677d47ff9a95a71f5d9f9c ]
+
+Make sure the socket for which the user is listing publication exists
+before parsing the socket netlink attributes.
+
+Prior to this patch a call without any socket caused a NULL pointer
+dereference in tipc_nl_publ_dump().
+
+Tested-and-reported-by: Baozeng Ding <sploving1@gmail.com>
+Signed-off-by: Richard Alpe <richard.alpe@ericsson.com>
+Acked-by: Jon Maloy <jon.maloy@ericsson.cm>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/socket.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -2807,6 +2807,9 @@ int tipc_nl_publ_dump(struct sk_buff *sk
+ if (err)
+ return err;
+
++ if (!attrs[TIPC_NLA_SOCK])
++ return -EINVAL;
++
+ err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX,
+ attrs[TIPC_NLA_SOCK],
+ tipc_nl_sock_policy);
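Review bot: the new !attrs[TIPC_NLA_SOCK] test covers the outer attribute only. After nla_parse_nested() fills sock[], whichever nested attribute the function reads next needs the same presence check, and the hunk does not show one. Without it, the NULL dereference described in the commit message is only moved one level down.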
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Richard Alpe <richard.alpe@ericsson.com>
+Date: Tue, 17 May 2016 16:57:37 +0200
+Subject: tipc: fix nametable publication field in nl compat
+
+From: Richard Alpe <richard.alpe@ericsson.com>
+
+[ Upstream commit 03aaaa9b941e136757b55c4cf775aab6068dfd94 ]
+
+The publication field of the old netlink API should contain the
+publication key and not the publication reference.
+
+Fixes: 44a8ae94fd55 (tipc: convert legacy nl name table dump to nl compat)
+Signed-off-by: Richard Alpe <richard.alpe@ericsson.com>
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/netlink_compat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -802,7 +802,7 @@ static int tipc_nl_compat_name_table_dum
+ goto out;
+
+ tipc_tlv_sprintf(msg->rep, "%-10u %s",
+- nla_get_u32(publ[TIPC_NLA_PUBL_REF]),
++ nla_get_u32(publ[TIPC_NLA_PUBL_KEY]),
+ scope_str[nla_get_u32(publ[TIPC_NLA_PUBL_SCOPE])]);
+ out:
+ tipc_tlv_sprintf(msg->rep, "\n");
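Review bot: the changed line passes publ[TIPC_NLA_PUBL_KEY] to nla_get_u32(), and the following context line indexes scope_str[] with the raw value of TIPC_NLA_PUBL_SCOPE; neither a presence check on the publ[] entries nor a bound on the index is visible in this hunk. If those checks are not done earlier in the function, add them here, since an out-of-range scope would read past the end of scope_str.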
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Jason Wang <jasowang@redhat.com>
+Date: Thu, 19 May 2016 13:36:51 +0800
+Subject: tuntap: correctly wake up process during uninit
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit addf8fc4acb1cf79492ac64966f07178793cb3d7 ]
+
+We used to check dev->reg_state against NETREG_REGISTERED after each
+time we are woke up. But after commit 9e641bdcfa4e ("net-tun:
+restructure tun_do_read for better sleep/wakeup efficiency"), it uses
+skb_recv_datagram() which does not check dev->reg_state. This will
+result if we delete a tun/tap device after a process is blocked in the
+reading. The device will wait for the reference count which was held
+by that process for ever.
+
+Fixes this by using RCV_SHUTDOWN which will be checked during
+sk_recv_datagram() before trying to wake up the process during uninit.
+
+Fixes: 9e641bdcfa4e ("net-tun: restructure tun_do_read for better
+sleep/wakeup efficiency")
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Xi Wang <xii@google.com>
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -568,11 +568,13 @@ static void tun_detach_all(struct net_de
+ for (i = 0; i < n; i++) {
+ tfile = rtnl_dereference(tun->tfiles[i]);
+ BUG_ON(!tfile);
++ tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN;
+ tfile->socket.sk->sk_data_ready(tfile->socket.sk);
+ RCU_INIT_POINTER(tfile->tun, NULL);
+ --tun->numqueues;
+ }
+ list_for_each_entry(tfile, &tun->disabled, next) {
++ tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN;
+ tfile->socket.sk->sk_data_ready(tfile->socket.sk);
+ RCU_INIT_POINTER(tfile->tun, NULL);
+ }
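Review bot: both loops in tun_detach_all() set the flag with a plain assignment, sk_shutdown = RCV_SHUTDOWN, which discards any other shutdown bit already set, while the tun_attach() hunk clears it with &= ~RCV_SHUTDOWN. Use |= RCV_SHUTDOWN here so the two sides are symmetric and only the receive bit is touched.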
+@@ -628,6 +630,7 @@ static int tun_attach(struct tun_struct
+ goto out;
+ }
+ tfile->queue_index = tun->numqueues;
++ tfile->socket.sk->sk_shutdown &= ~RCV_SHUTDOWN;
+ rcu_assign_pointer(tfile->tun, tun);
+ rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile);
+ tun->numqueues++;
+@@ -1425,9 +1428,6 @@ static ssize_t tun_do_read(struct tun_st
+ if (!iov_iter_count(to))
+ return 0;
+
+- if (tun->dev->reg_state != NETREG_REGISTERED)
+- return -EIO;
+-
+ /* Read frames from queue */
+ skb = __skb_recv_datagram(tfile->socket.sk, noblock ? MSG_DONTWAIT : 0,
+ &peeked, &off, &err);
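Review bot: this hunk removes the explicit reg_state test and its -EIO return from tun_do_read(), but the commit message does not say what a reader gets back once RCV_SHUTDOWN is set. Since that result is visible to userspace, state the new return value in the changelog or in a comment above the __skb_recv_datagram() call.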
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Date: Thu, 19 May 2016 17:26:29 +0200
+Subject: uapi glibc compat: fix compilation when !__USE_MISC in glibc
+
+From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+
+[ Upstream commit f0a3fdca794d1e68ae284ef4caefe681f7c18e89 ]
+
+These structures are defined only if __USE_MISC is set in glibc net/if.h
+headers, ie when _BSD_SOURCE or _SVID_SOURCE are defined.
+
+CC: Jan Engelhardt <jengelh@inai.de>
+CC: Josh Boyer <jwboyer@fedoraproject.org>
+CC: Stephen Hemminger <shemming@brocade.com>
+CC: Waldemar Brodkorb <mail@waldemar-brodkorb.de>
+CC: Gabriel Laskar <gabriel@lse.epita.fr>
+CC: Mikko Rapeli <mikko.rapeli@iki.fi>
+Fixes: 4a91cb61bb99 ("uapi glibc compat: fix compile errors when glibc net/if.h included before linux/if.h")
+Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/libc-compat.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/uapi/linux/libc-compat.h
++++ b/include/uapi/linux/libc-compat.h
+@@ -52,7 +52,7 @@
+ #if defined(__GLIBC__)
+
+ /* Coordinate with glibc net/if.h header. */
+-#if defined(_NET_IF_H)
++#if defined(_NET_IF_H) && defined(__USE_MISC)
+
+ /* GLIBC headers included first so don't define anything
+ * that would already be defined. */
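Review bot: the guard now depends on __USE_MISC, a glibc-internal feature macro, but the comment above it still only says to coordinate with net/if.h. Extend the comment to say that glibc defines these structures only under __USE_MISC (that is, with _BSD_SOURCE or _SVID_SOURCE), so the reason for the second defined() survives future edits to this header.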
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Thu, 19 May 2016 15:58:33 +0200
+Subject: udp: prevent skbs lingering in tunnel socket queues
+
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+
+[ Upstream commit e5aed006be918af163eb397e45aa5ea6cefd5e01 ]
+
+In case we find a socket with encapsulation enabled we should call
+the encap_recv function even if just a udp header without payload is
+available. The callbacks are responsible for correctly verifying and
+dropping the packets.
+
+Also, in case the header validation fails for geneve and vxlan we
+shouldn't put the skb back into the socket queue, no one will pick
+them up there. Instead we can simply discard them in the respective
+encap_recv functions.
+
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/geneve.c | 10 +++-------
+ drivers/net/vxlan.c | 4 ++--
+ net/ipv4/udp.c | 2 +-
+ net/ipv6/udp.c | 2 +-
+ 4 files changed, 7 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -336,15 +336,15 @@ static int geneve_udp_encap_recv(struct
+
+ /* Need Geneve and inner Ethernet header to be present */
+ if (unlikely(!pskb_may_pull(skb, GENEVE_BASE_HLEN)))
+- goto error;
++ goto drop;
+
+ /* Return packets with reserved bits set */
+ geneveh = geneve_hdr(skb);
+ if (unlikely(geneveh->ver != GENEVE_VER))
+- goto error;
++ goto drop;
+
+ if (unlikely(geneveh->proto_type != htons(ETH_P_TEB)))
+- goto error;
++ goto drop;
+
+ gs = rcu_dereference_sk_user_data(sk);
+ if (!gs)
+@@ -367,10 +367,6 @@ drop:
+ /* Consume bad packet */
+ kfree_skb(skb);
+ return 0;
+-
+-error:
+- /* Let the UDP layer deal with the skb */
+- return 1;
+ }
+
+ static struct socket *geneve_create_sock(struct net *net, bool ipv6,
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1262,7 +1262,7 @@ static int vxlan_rcv(struct sock *sk, st
+
+ /* Need Vxlan and inner Ethernet header to be present */
+ if (!pskb_may_pull(skb, VXLAN_HLEN))
+- return 1;
++ goto drop;
+
+ unparsed = *vxlan_hdr(skb);
+ /* VNI flag always required to be set */
+@@ -1271,7 +1271,7 @@ static int vxlan_rcv(struct sock *sk, st
+ ntohl(vxlan_hdr(skb)->vx_flags),
+ ntohl(vxlan_hdr(skb)->vx_vni));
+ /* Return non vxlan pkt */
+- return 1;
++ goto drop;
+ }
+ unparsed.vx_flags &= ~VXLAN_HF_VNI;
+ unparsed.vx_vni &= ~VXLAN_VNI_MASK;
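Review bot: the comment /* Return non vxlan pkt */ is left directly above the new goto drop, so it now describes behaviour the code no longer has. Update it to say the packet is dropped; the same applies to the geneve comment /* Return packets with reserved bits set */ in the earlier hunk.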
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1616,7 +1616,7 @@ int udp_queue_rcv_skb(struct sock *sk, s
+
+ /* if we're overly short, let UDP handle it */
+ encap_rcv = ACCESS_ONCE(up->encap_rcv);
+- if (skb->len > sizeof(struct udphdr) && encap_rcv) {
++ if (encap_rcv) {
+ int ret;
+
+ /* Verify checksum before giving to encap */
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -653,7 +653,7 @@ int udpv6_queue_rcv_skb(struct sock *sk,
+
+ /* if we're overly short, let UDP handle it */
+ encap_rcv = ACCESS_ONCE(up->encap_rcv);
+- if (skb->len > sizeof(struct udphdr) && encap_rcv) {
++ if (encap_rcv) {
+ int ret;
+
+ /* Verify checksum before giving to encap */
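Review bot: with the skb->len > sizeof(struct udphdr) test removed, the comment /* if we're overly short, let UDP handle it */ is stale here and in the matching net/ipv4/udp.c hunk, and every encap_rcv callback now receives packets that may carry only a UDP header. This patch adjusts geneve and vxlan only; please confirm the other encap_rcv implementations check the length before reading their headers, and document that requirement where encap_rcv is declared.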
--- /dev/null
+From foo@baz Fri Jun 17 08:34:39 PDT 2016
+From: Chen Haiquan <oc@yunify.com>
+Date: Fri, 27 May 2016 10:49:11 +0800
+Subject: vxlan: Accept user specified MTU value when create new vxlan link
+
+From: Chen Haiquan <oc@yunify.com>
+
+[ Upstream commit ce577668a426c6a9e2470a09dcd07fbd6e45272a ]
+
+When create a new vxlan link, example:
+ ip link add vtap mtu 1440 type vxlan vni 1 dev eth0
+
+The argument "mtu" has no effect, because it is not set to conf->mtu. The
+default value is used in vxlan_dev_configure function.
+
+This problem was introduced by commit 0dfbdf4102b9 (vxlan: Factor out device
+configuration).
+
+Fixes: 0dfbdf4102b9 (vxlan: Factor out device configuration)
+Signed-off-by: Chen Haiquan <oc@yunify.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -2959,6 +2959,9 @@ static int vxlan_newlink(struct net *src
+ if (data[IFLA_VXLAN_REMCSUM_NOPARTIAL])
+ conf.flags |= VXLAN_F_REMCSUM_NOPARTIAL;
+
++ if (tb[IFLA_MTU])
++ conf.mtu = nla_get_u32(tb[IFLA_MTU]);
++
+ err = vxlan_dev_configure(src_net, dev, &conf);
+ switch (err) {
+ case -ENODEV:
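Review bot: conf.mtu is taken straight from nla_get_u32(tb[IFLA_MTU]) with no range check in vxlan_newlink(). If vxlan_dev_configure() does not already bound it against the minimum MTU and the lower device's MTU less the VXLAN overhead, add that validation so an arbitrary user-supplied value is not applied as-is.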