--- /dev/null
+From foo@baz Sun 09 Feb 2020 10:56:46 PM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 4 Feb 2020 19:26:05 -0800
+Subject: bonding/alb: properly access headers in bond_alb_xmit()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 38f88c45404293bbc027b956def6c10cbd45c616 ]
+
+syzbot managed to send an IPX packet through bond_alb_xmit()
+and af_packet and triggered a use-after-free.
+
+First, bond_alb_xmit() was using ipx_hdr() helper to reach
+the IPX header, but ipx_hdr() was using the transport offset
+instead of the network offset. In the particular syzbot
+report transport offset was 0xFFFF
+
+This patch removes ipx_hdr() since it was only (mis)used from bonding.
+
+Then we need to make sure IPv4/IPv6/IPX headers are pulled
+in skb->head before dereferencing anything.
+
+BUG: KASAN: use-after-free in bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
+Read of size 2 at addr ffff8801ce56dfff by task syz-executor.2/18108
+ (if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) ...)
+
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ [<ffffffff8441fc42>] __dump_stack lib/dump_stack.c:17 [inline]
+ [<ffffffff8441fc42>] dump_stack+0x14d/0x20b lib/dump_stack.c:53
+ [<ffffffff81a7dec4>] print_address_description+0x6f/0x20b mm/kasan/report.c:282
+ [<ffffffff81a7e0ec>] kasan_report_error mm/kasan/report.c:380 [inline]
+ [<ffffffff81a7e0ec>] kasan_report mm/kasan/report.c:438 [inline]
+ [<ffffffff81a7e0ec>] kasan_report.cold+0x8c/0x2a0 mm/kasan/report.c:422
+ [<ffffffff81a7dc4f>] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:469
+ [<ffffffff82c8c00a>] bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
+ [<ffffffff82c60c74>] __bond_start_xmit drivers/net/bonding/bond_main.c:4199 [inline]
+ [<ffffffff82c60c74>] bond_start_xmit+0x4f4/0x1570 drivers/net/bonding/bond_main.c:4224
+ [<ffffffff83baa558>] __netdev_start_xmit include/linux/netdevice.h:4525 [inline]
+ [<ffffffff83baa558>] netdev_start_xmit include/linux/netdevice.h:4539 [inline]
+ [<ffffffff83baa558>] xmit_one net/core/dev.c:3611 [inline]
+ [<ffffffff83baa558>] dev_hard_start_xmit+0x168/0x910 net/core/dev.c:3627
+ [<ffffffff83bacf35>] __dev_queue_xmit+0x1f55/0x33b0 net/core/dev.c:4238
+ [<ffffffff83bae3a8>] dev_queue_xmit+0x18/0x20 net/core/dev.c:4278
+ [<ffffffff84339189>] packet_snd net/packet/af_packet.c:3226 [inline]
+ [<ffffffff84339189>] packet_sendmsg+0x4919/0x70b0 net/packet/af_packet.c:3252
+ [<ffffffff83b1ac0c>] sock_sendmsg_nosec net/socket.c:673 [inline]
+ [<ffffffff83b1ac0c>] sock_sendmsg+0x12c/0x160 net/socket.c:684
+ [<ffffffff83b1f5a2>] __sys_sendto+0x262/0x380 net/socket.c:1996
+ [<ffffffff83b1f700>] SYSC_sendto net/socket.c:2008 [inline]
+ [<ffffffff83b1f700>] SyS_sendto+0x40/0x60 net/socket.c:2004
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Cc: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_alb.c | 44 +++++++++++++++++++++++++++++------------
+ include/net/ipx.h | 5 ----
+ 2 files changed, 32 insertions(+), 17 deletions(-)
+
+--- a/drivers/net/bonding/bond_alb.c
++++ b/drivers/net/bonding/bond_alb.c
+@@ -1399,26 +1399,31 @@ netdev_tx_t bond_alb_xmit(struct sk_buff
+ bool do_tx_balance = true;
+ u32 hash_index = 0;
+ const u8 *hash_start = NULL;
+- struct ipv6hdr *ip6hdr;
+
+ skb_reset_mac_header(skb);
+ eth_data = eth_hdr(skb);
+
+ switch (ntohs(skb->protocol)) {
+ case ETH_P_IP: {
+- const struct iphdr *iph = ip_hdr(skb);
++ const struct iphdr *iph;
+
+ if (is_broadcast_ether_addr(eth_data->h_dest) ||
+- iph->daddr == ip_bcast ||
+- iph->protocol == IPPROTO_IGMP) {
++ !pskb_network_may_pull(skb, sizeof(*iph))) {
++ do_tx_balance = false;
++ break;
++ }
++ iph = ip_hdr(skb);
++ if (iph->daddr == ip_bcast || iph->protocol == IPPROTO_IGMP) {
+ do_tx_balance = false;
+ break;
+ }
+ hash_start = (char *)&(iph->daddr);
+ hash_size = sizeof(iph->daddr);
+- }
+ break;
+- case ETH_P_IPV6:
++ }
++ case ETH_P_IPV6: {
++ const struct ipv6hdr *ip6hdr;
++
+ /* IPv6 doesn't really use broadcast mac address, but leave
+ * that here just in case.
+ */
+@@ -1435,7 +1440,11 @@ netdev_tx_t bond_alb_xmit(struct sk_buff
+ break;
+ }
+
+- /* Additianally, DAD probes should not be tx-balanced as that
++ if (!pskb_network_may_pull(skb, sizeof(*ip6hdr))) {
++ do_tx_balance = false;
++ break;
++ }
++ /* Additionally, DAD probes should not be tx-balanced as that
+ * will lead to false positives for duplicate addresses and
+ * prevent address configuration from working.
+ */
+@@ -1445,17 +1454,26 @@ netdev_tx_t bond_alb_xmit(struct sk_buff
+ break;
+ }
+
+- hash_start = (char *)&(ipv6_hdr(skb)->daddr);
+- hash_size = sizeof(ipv6_hdr(skb)->daddr);
++ hash_start = (char *)&ip6hdr->daddr;
++ hash_size = sizeof(ip6hdr->daddr);
+ break;
+- case ETH_P_IPX:
+- if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) {
++ }
++ case ETH_P_IPX: {
++ const struct ipxhdr *ipxhdr;
++
++ if (pskb_network_may_pull(skb, sizeof(*ipxhdr))) {
++ do_tx_balance = false;
++ break;
++ }
++ ipxhdr = (struct ipxhdr *)skb_network_header(skb);
++
++ if (ipxhdr->ipx_checksum != IPX_NO_CHECKSUM) {
+ /* something is wrong with this packet */
+ do_tx_balance = false;
+ break;
+ }
+
+- if (ipx_hdr(skb)->ipx_type != IPX_TYPE_NCP) {
++ if (ipxhdr->ipx_type != IPX_TYPE_NCP) {
+ /* The only protocol worth balancing in
+ * this family since it has an "ARP" like
+ * mechanism
+@@ -1464,9 +1482,11 @@ netdev_tx_t bond_alb_xmit(struct sk_buff
+ break;
+ }
+
++ eth_data = eth_hdr(skb);
+ hash_start = (char *)eth_data->h_dest;
+ hash_size = ETH_ALEN;
+ break;
++ }
+ case ETH_P_ARP:
+ do_tx_balance = false;
+ if (bond_info->rlb_enabled)
+--- a/include/net/ipx.h
++++ b/include/net/ipx.h
+@@ -47,11 +47,6 @@ struct ipxhdr {
+ /* From af_ipx.c */
+ extern int sysctl_ipx_pprop_broadcasting;
+
+-static __inline__ struct ipxhdr *ipx_hdr(struct sk_buff *skb)
+-{
+- return (struct ipxhdr *)skb_transport_header(skb);
+-}
+-
+ struct ipx_interface {
+ /* IPX address */
+ __be32 if_netnum;
--- /dev/null
+From foo@baz Sun 09 Feb 2020 10:56:46 PM CET
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Thu, 6 Feb 2020 11:07:45 -0800
+Subject: net: dsa: b53: Always use dev->vlan_enabled in b53_configure_vlan()
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit df373702bc0f8f2d83980ea441e71639fc1efcf8 ]
+
+b53_configure_vlan() is called by the bcm_sf2 driver upon setup and
+indirectly through resume as well. During the initial setup, we are
+guaranteed that dev->vlan_enabled is false, so there is no change in
+behavior, however during suspend, we may have enabled VLANs before, so we
+do want to restore that setting.
+
+Fixes: dad8d7c6452b ("net: dsa: b53: Properly account for VLAN filtering")
+Fixes: 967dd82ffc52 ("net: dsa: b53: Add support for Broadcom RoboSwitch")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -655,7 +655,7 @@ int b53_configure_vlan(struct dsa_switch
+ b53_do_vlan_op(dev, VTA_CMD_CLEAR);
+ }
+
+- b53_enable_vlan(dev, false, dev->vlan_filtering_enabled);
++ b53_enable_vlan(dev, dev->vlan_enabled, dev->vlan_filtering_enabled);
+
+ b53_for_each_port(dev, i)
+ b53_write16(dev, B53_VLAN_PAGE,
--- /dev/null
+From foo@baz Sun 09 Feb 2020 10:56:46 PM CET
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Thu, 6 Feb 2020 11:23:52 -0800
+Subject: net: dsa: bcm_sf2: Only 7278 supports 2Gb/sec IMP port
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit de34d7084edd069dac5aa010cfe32bd8c4619fa6 ]
+
+The 7445 switch clocking profiles do not allow us to run the IMP port at
+2Gb/sec in a way that it is reliable and consistent. Make sure that the
+setting is only applied to the 7278 family.
+
+Fixes: 8f1880cbe8d0 ("net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/bcm_sf2.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/bcm_sf2.c
++++ b/drivers/net/dsa/bcm_sf2.c
+@@ -72,7 +72,9 @@ static void bcm_sf2_imp_setup(struct dsa
+
+ /* Force link status for IMP port */
+ reg = core_readl(priv, offset);
+- reg |= (MII_SW_OR | LINK_STS | GMII_SPEED_UP_2G);
++ reg |= (MII_SW_OR | LINK_STS);
++ if (priv->type == BCM7278_DEVICE_ID)
++ reg |= GMII_SPEED_UP_2G;
+ core_writel(priv, reg, offset);
+
+ /* Enable Broadcast, Multicast, Unicast forwarding to IMP port */
--- /dev/null
+From foo@baz Sun 09 Feb 2020 10:56:46 PM CET
+From: Harini Katakam <harini.katakam@xilinx.com>
+Date: Wed, 5 Feb 2020 18:08:12 +0530
+Subject: net: macb: Limit maximum GEM TX length in TSO
+
+From: Harini Katakam <harini.katakam@xilinx.com>
+
+[ Upstream commit f822e9c4ffa511a5c681cf866287d9383a3b6f1b ]
+
+GEM_MAX_TX_LEN currently resolves to 0x3FF8 for any IP version supporting
+TSO with full 14bits of length field in payload descriptor. But an IP
+errata causes false amba_error (bit 6 of ISR) when length in payload
+descriptors is specified above 16387. The error occurs because the DMA
+falsely concludes that there is not enough space in SRAM for incoming
+payload. These errors were observed continuously under stress of large
+packets using iperf on a version where SRAM was 16K for each queue. This
+errata will be documented shortly and affects all versions since TSO
+functionality was added. Hence limit the max length to 0x3FC0 (rounded).
+
+Signed-off-by: Harini Katakam <harini.katakam@xilinx.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -66,7 +66,11 @@
+ /* Max length of transmit frame must be a multiple of 8 bytes */
+ #define MACB_TX_LEN_ALIGN 8
+ #define MACB_MAX_TX_LEN ((unsigned int)((1 << MACB_TX_FRMLEN_SIZE) - 1) & ~((unsigned int)(MACB_TX_LEN_ALIGN - 1)))
+-#define GEM_MAX_TX_LEN ((unsigned int)((1 << GEM_TX_FRMLEN_SIZE) - 1) & ~((unsigned int)(MACB_TX_LEN_ALIGN - 1)))
++/* Limit maximum TX length as per Cadence TSO errata. This is to avoid a
++ * false amba_error in TX path from the DMA assuming there is not enough
++ * space in the SRAM (16KB) even when there is.
++ */
++#define GEM_MAX_TX_LEN (unsigned int)(0x3FC0)
+
+ #define GEM_MTU_MIN_SIZE ETH_MIN_MTU
+ #define MACB_NETIF_LSO NETIF_F_TSO
--- /dev/null
+From foo@baz Sun 09 Feb 2020 10:56:46 PM CET
+From: Harini Katakam <harini.katakam@xilinx.com>
+Date: Wed, 5 Feb 2020 18:08:11 +0530
+Subject: net: macb: Remove unnecessary alignment check for TSO
+
+From: Harini Katakam <harini.katakam@xilinx.com>
+
+[ Upstream commit 41c1ef978c8d0259c6636e6d2d854777e92650eb ]
+
+The IP TSO implementation does NOT require the length to be a
+multiple of 8. That is only a requirement for UFO as per IP
+documentation. Hence, exit macb_features_check function in the
+beginning if the protocol is not UDP. Only when it is UDP,
+proceed further to the alignment checks. Update comments to
+reflect the same. Also remove dead code checking for protocol
+TCP when calculating header length.
+
+Fixes: 1629dd4f763c ("cadence: Add LSO support.")
+Signed-off-by: Harini Katakam <harini.katakam@xilinx.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -1654,16 +1654,14 @@ static netdev_features_t macb_features_c
+
+ /* Validate LSO compatibility */
+
+- /* there is only one buffer */
+- if (!skb_is_nonlinear(skb))
++ /* there is only one buffer or protocol is not UDP */
++ if (!skb_is_nonlinear(skb) || (ip_hdr(skb)->protocol != IPPROTO_UDP))
+ return features;
+
+ /* length of header */
+ hdrlen = skb_transport_offset(skb);
+- if (ip_hdr(skb)->protocol == IPPROTO_TCP)
+- hdrlen += tcp_hdrlen(skb);
+
+- /* For LSO:
++ /* For UFO only:
+ * When software supplies two or more payload buffers all payload buffers
+ * apart from the last must be a multiple of 8 bytes in size.
+ */
--- /dev/null
+From foo@baz Sun 09 Feb 2020 10:56:46 PM CET
+From: Raed Salem <raeds@mellanox.com>
+Date: Tue, 24 Dec 2019 09:54:45 +0200
+Subject: net/mlx5: IPsec, Fix esp modify function attribute
+
+From: Raed Salem <raeds@mellanox.com>
+
+[ Upstream commit 0dc2c534f17c05bed0622b37a744bc38b48ca88a ]
+
+The function mlx5_fpga_esp_validate_xfrm_attrs is wrongly used
+with negative negation as zero value indicates success but it
+used as failure return value instead.
+
+Fix by remove the unary not negation operator.
+
+Fixes: 05564d0ae075 ("net/mlx5: Add flow-steering commands for FPGA IPSec implementation")
+Signed-off-by: Raed Salem <raeds@mellanox.com>
+Reviewed-by: Boris Pismenny <borisp@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
+@@ -1472,7 +1472,7 @@ int mlx5_fpga_esp_modify_xfrm(struct mlx
+ if (!memcmp(&xfrm->attrs, attrs, sizeof(xfrm->attrs)))
+ return 0;
+
+- if (!mlx5_fpga_esp_validate_xfrm_attrs(mdev, attrs)) {
++ if (mlx5_fpga_esp_validate_xfrm_attrs(mdev, attrs)) {
+ mlx5_core_warn(mdev, "Tried to create an esp with unsupported attrs\n");
+ return -EOPNOTSUPP;
+ }
--- /dev/null
+From foo@baz Sun 09 Feb 2020 10:56:46 PM CET
+From: Raed Salem <raeds@mellanox.com>
+Date: Wed, 23 Oct 2019 16:41:21 +0300
+Subject: net/mlx5: IPsec, fix memory leak at mlx5_fpga_ipsec_delete_sa_ctx
+
+From: Raed Salem <raeds@mellanox.com>
+
+[ Upstream commit 08db2cf577487f5123aebcc2f913e0b8a2c14b43 ]
+
+SA context is allocated at mlx5_fpga_ipsec_create_sa_ctx,
+however the counterpart mlx5_fpga_ipsec_delete_sa_ctx function
+nullifies sa_ctx pointer without freeing the memory allocated,
+hence the memory leak.
+
+Fix by free SA context when the SA is released.
+
+Fixes: d6c4f0298cec ("net/mlx5: Refactor accel IPSec code")
+Signed-off-by: Raed Salem <raeds@mellanox.com>
+Reviewed-by: Boris Pismenny <borisp@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fpga/ipsec.c
+@@ -848,6 +848,7 @@ void mlx5_fpga_ipsec_delete_sa_ctx(void
+ mutex_lock(&fpga_xfrm->lock);
+ if (!--fpga_xfrm->num_rules) {
+ mlx5_fpga_ipsec_release_sa_ctx(fpga_xfrm->sa_ctx);
++ kfree(fpga_xfrm->sa_ctx);
+ fpga_xfrm->sa_ctx = NULL;
+ }
+ mutex_unlock(&fpga_xfrm->lock);
--- /dev/null
+From foo@baz Sun 09 Feb 2020 10:56:46 PM CET
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+Date: Thu, 6 Feb 2020 10:14:39 +0100
+Subject: net: mvneta: move rx_dropped and rx_errors in per-cpu stats
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit c35947b8ff8acca33134ee39c31708233765c31a ]
+
+Move rx_dropped and rx_errors counters in mvneta_pcpu_stats in order to
+avoid possible races updating statistics
+
+Fixes: 562e2f467e71 ("net: mvneta: Improve the buffer allocation method for SWBM")
+Fixes: dc35a10f68d3 ("net: mvneta: bm: add support for hardware buffer management")
+Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP network unit")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -385,6 +385,8 @@ struct mvneta_pcpu_stats {
+ struct u64_stats_sync syncp;
+ u64 rx_packets;
+ u64 rx_bytes;
++ u64 rx_dropped;
++ u64 rx_errors;
+ u64 tx_packets;
+ u64 tx_bytes;
+ };
+@@ -701,6 +703,8 @@ mvneta_get_stats64(struct net_device *de
+ struct mvneta_pcpu_stats *cpu_stats;
+ u64 rx_packets;
+ u64 rx_bytes;
++ u64 rx_dropped;
++ u64 rx_errors;
+ u64 tx_packets;
+ u64 tx_bytes;
+
+@@ -709,19 +713,20 @@ mvneta_get_stats64(struct net_device *de
+ start = u64_stats_fetch_begin_irq(&cpu_stats->syncp);
+ rx_packets = cpu_stats->rx_packets;
+ rx_bytes = cpu_stats->rx_bytes;
++ rx_dropped = cpu_stats->rx_dropped;
++ rx_errors = cpu_stats->rx_errors;
+ tx_packets = cpu_stats->tx_packets;
+ tx_bytes = cpu_stats->tx_bytes;
+ } while (u64_stats_fetch_retry_irq(&cpu_stats->syncp, start));
+
+ stats->rx_packets += rx_packets;
+ stats->rx_bytes += rx_bytes;
++ stats->rx_dropped += rx_dropped;
++ stats->rx_errors += rx_errors;
+ stats->tx_packets += tx_packets;
+ stats->tx_bytes += tx_bytes;
+ }
+
+- stats->rx_errors = dev->stats.rx_errors;
+- stats->rx_dropped = dev->stats.rx_dropped;
+-
+ stats->tx_dropped = dev->stats.tx_dropped;
+ }
+
+@@ -1698,8 +1703,14 @@ static u32 mvneta_txq_desc_csum(int l3_o
+ static void mvneta_rx_error(struct mvneta_port *pp,
+ struct mvneta_rx_desc *rx_desc)
+ {
++ struct mvneta_pcpu_stats *stats = this_cpu_ptr(pp->stats);
+ u32 status = rx_desc->status;
+
++ /* update per-cpu counter */
++ u64_stats_update_begin(&stats->syncp);
++ stats->rx_errors++;
++ u64_stats_update_end(&stats->syncp);
++
+ switch (status & MVNETA_RXD_ERR_CODE_MASK) {
+ case MVNETA_RXD_ERR_CRC:
+ netdev_err(pp->dev, "bad rx status %08x (crc error), size=%d\n",
+@@ -1960,7 +1971,6 @@ static int mvneta_rx_swbm(struct napi_st
+ /* Check errors only for FIRST descriptor */
+ if (rx_status & MVNETA_RXD_ERR_SUMMARY) {
+ mvneta_rx_error(pp, rx_desc);
+- dev->stats.rx_errors++;
+ /* leave the descriptor untouched */
+ continue;
+ }
+@@ -1971,11 +1981,17 @@ static int mvneta_rx_swbm(struct napi_st
+ skb_size = max(rx_copybreak, rx_header_size);
+ rxq->skb = netdev_alloc_skb_ip_align(dev, skb_size);
+ if (unlikely(!rxq->skb)) {
++ struct mvneta_pcpu_stats *stats = this_cpu_ptr(pp->stats);
++
+ netdev_err(dev,
+ "Can't allocate skb on queue %d\n",
+ rxq->id);
+- dev->stats.rx_dropped++;
++
+ rxq->skb_alloc_err++;
++
++ u64_stats_update_begin(&stats->syncp);
++ stats->rx_dropped++;
++ u64_stats_update_end(&stats->syncp);
+ continue;
+ }
+ copy_size = min(skb_size, rx_bytes);
+@@ -2135,7 +2151,6 @@ err_drop_frame_ret_pool:
+ mvneta_bm_pool_put_bp(pp->bm_priv, bm_pool,
+ rx_desc->buf_phys_addr);
+ err_drop_frame:
+- dev->stats.rx_errors++;
+ mvneta_rx_error(pp, rx_desc);
+ /* leave the descriptor untouched */
+ continue;
--- /dev/null
+From foo@baz Sun 09 Feb 2020 10:56:46 PM CET
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Wed, 5 Feb 2020 12:32:04 -0800
+Subject: net: systemport: Avoid RBUF stuck in Wake-on-LAN mode
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 263a425a482fc495d6d3f9a29b9103a664c38b69 ]
+
+After a number of suspend and resume cycles, it is possible for the RBUF
+to be stuck in Wake-on-LAN mode, despite the MPD enable bit being
+cleared which instructed the RBUF to exit that mode.
+
+Avoid creating that problematic condition by clearing the RX_EN and
+TX_EN bits in the UniMAC prior to disable the Magic Packet Detector
+logic which is guaranteed to make the RBUF exit Wake-on-LAN mode.
+
+Fixes: 83e82f4c706b ("net: systemport: add Wake-on-LAN support")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -2716,6 +2716,9 @@ static int __maybe_unused bcm_sysport_re
+
+ umac_reset(priv);
+
++ /* Disable the UniMAC RX/TX */
++ umac_enable_set(priv, CMD_RX_EN | CMD_TX_EN, 0);
++
+ /* We may have been suspended and never received a WOL event that
+ * would turn off MPD detection, take care of that now
+ */
--- /dev/null
+From foo@baz Sun 09 Feb 2020 10:56:46 PM CET
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Tue, 4 Feb 2020 11:10:12 -0800
+Subject: net_sched: fix a resource leak in tcindex_set_parms()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 52b5ae501c045010aeeb1d5ac0373ff161a88291 ]
+
+Jakub noticed there is a potential resource leak in
+tcindex_set_parms(): when tcindex_filter_result_init() fails
+and it jumps to 'errout1' which doesn't release the memory
+and resources allocated by tcindex_alloc_perfect_hash().
+
+We should just jump to 'errout_alloc' which calls
+tcindex_free_perfect_hash().
+
+Fixes: b9a24bb76bf6 ("net_sched: properly handle failure case of tcf_exts_init()")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_tcindex.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/sched/cls_tcindex.c
++++ b/net/sched/cls_tcindex.c
+@@ -365,7 +365,7 @@ tcindex_set_parms(struct net *net, struc
+
+ err = tcindex_filter_result_init(&new_filter_result);
+ if (err < 0)
+- goto errout1;
++ goto errout_alloc;
+ if (old_r)
+ cr = r->res;
+
+@@ -484,7 +484,6 @@ errout_alloc:
+ tcindex_free_perfect_hash(cp);
+ else if (balloc == 2)
+ kfree(cp->h);
+-errout1:
+ tcf_exts_destroy(&new_filter_result.exts);
+ errout:
+ kfree(cp);
ubi-fix-an-error-pointer-dereference-in-error-handling-code.patch
mfd-da9062-fix-watchdog-compatible-string.patch
mfd-rn5t618-mark-adc-control-register-volatile.patch
+bonding-alb-properly-access-headers-in-bond_alb_xmit.patch
+net-dsa-bcm_sf2-only-7278-supports-2gb-sec-imp-port.patch
+net-mvneta-move-rx_dropped-and-rx_errors-in-per-cpu-stats.patch
+net_sched-fix-a-resource-leak-in-tcindex_set_parms.patch
+net-systemport-avoid-rbuf-stuck-in-wake-on-lan-mode.patch
+net-mlx5-ipsec-fix-esp-modify-function-attribute.patch
+net-mlx5-ipsec-fix-memory-leak-at-mlx5_fpga_ipsec_delete_sa_ctx.patch
+net-macb-remove-unnecessary-alignment-check-for-tso.patch
+net-macb-limit-maximum-gem-tx-length-in-tso.patch
+net-dsa-b53-always-use-dev-vlan_enabled-in-b53_configure_vlan.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
