5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 15 Mar 2020 08:34:25 +0000 (09:34 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 15 Mar 2020 08:34:25 +0000 (09:34 +0100)
added patches:
bnxt_en-fix-error-handling-when-flashing-from-file.patch
bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch
bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch
can-add-missing-attribute-validation-for-termination.patch
cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch
cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch
devlink-validate-length-of-param-values.patch
devlink-validate-length-of-region-addr-len.patch
fib-add-missing-attribute-validation-for-tun_id.patch
gre-fix-uninit-value-in-__iptunnel_pull_header.patch
inet_diag-return-classid-for-all-socket-types.patch
ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch
ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch
ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch
ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch
ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch
macsec-add-missing-attribute-validation-for-port.patch
macvlan-add-cond_resched-during-multicast-processing.patch
net-dsa-don-t-instantiate-phylink-for-cpu-dsa-ports-unless-needed.patch
net-dsa-fix-phylink_start-phylink_stop-calls.patch
net-dsa-mv88e6xxx-fix-lockup-on-warm-boot.patch
net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch
net-fq-add-missing-attribute-validation-for-orphan-mask.patch
net-hns3-fix-a-not-link-up-issue-when-fibre-port-supports-autoneg.patch
net-ipv6-need-update-peer-route-when-modify-metric.patch
net-ipv6-remove-the-old-peer-route-if-change-it-to-a-new-one.patch
net-ipv6-use-configured-metric-when-add-peer-route.patch
net-macsec-update-sci-upon-mac-address-change.patch
net-memcg-fix-lockdep-splat-in-inet_csk_accept.patch
net-memcg-late-association-of-sock-to-memcg.patch
net-nfc-fix-bounds-checking-bugs-on-pipe.patch
net-packet-tpacket_rcv-do-not-increment-ring-index-on-drop.patch
net-phy-avoid-clearing-phy-interrupts-twice-in-irq-handler.patch
net-phy-bcm63xx-fix-oops-due-to-missing-driver-name.patch
net-phy-fix-mdio-bus-pm-phy-resuming.patch
net-stmmac-dwmac1000-disable-acs-if-enhanced-descs-are-not-used.patch
net-systemport-fix-index-check-to-avoid-an-array-out-of-bounds-access.patch
net-taprio-add-missing-attribute-validation-for-txtime-delay.patch
netlink-use-netlink-header-as-base-to-calculate-bad-attribute-offset.patch
nfc-add-missing-attribute-validation-for-deactivate-target.patch
nfc-add-missing-attribute-validation-for-se-api.patch
nfc-add-missing-attribute-validation-for-vendor-subcommand.patch
nl802154-add-missing-attribute-validation-for-dev_type.patch
nl802154-add-missing-attribute-validation.patch
r8152-check-disconnect-status-after-long-sleep.patch
selftests-net-fib_tests-update-addr_metric_test-for-peer-route-testing.patch
sfc-detach-from-cb_page-in-efx_copy_channel.patch
slip-make-slhc_compress-more-robust-against-malicious-packets.patch
taprio-fix-sending-packets-without-dequeueing-them.patch
team-add-missing-attribute-validation-for-array-index.patch
team-add-missing-attribute-validation-for-port-ifindex.patch
tipc-add-missing-attribute-validation-for-mtu-property.patch

53 files changed:
queue-5.4/bnxt_en-fix-error-handling-when-flashing-from-file.patch [new file with mode: 0644]
queue-5.4/bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch [new file with mode: 0644]
queue-5.4/bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch [new file with mode: 0644]
queue-5.4/can-add-missing-attribute-validation-for-termination.patch [new file with mode: 0644]
queue-5.4/cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch [new file with mode: 0644]
queue-5.4/cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch [new file with mode: 0644]
queue-5.4/devlink-validate-length-of-param-values.patch [new file with mode: 0644]
queue-5.4/devlink-validate-length-of-region-addr-len.patch [new file with mode: 0644]
queue-5.4/fib-add-missing-attribute-validation-for-tun_id.patch [new file with mode: 0644]
queue-5.4/gre-fix-uninit-value-in-__iptunnel_pull_header.patch [new file with mode: 0644]
queue-5.4/inet_diag-return-classid-for-all-socket-types.patch [new file with mode: 0644]
queue-5.4/ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch [new file with mode: 0644]
queue-5.4/ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch [new file with mode: 0644]
queue-5.4/ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch [new file with mode: 0644]
queue-5.4/ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch [new file with mode: 0644]
queue-5.4/ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch [new file with mode: 0644]
queue-5.4/macsec-add-missing-attribute-validation-for-port.patch [new file with mode: 0644]
queue-5.4/macvlan-add-cond_resched-during-multicast-processing.patch [new file with mode: 0644]
queue-5.4/net-dsa-don-t-instantiate-phylink-for-cpu-dsa-ports-unless-needed.patch [new file with mode: 0644]
queue-5.4/net-dsa-fix-phylink_start-phylink_stop-calls.patch [new file with mode: 0644]
queue-5.4/net-dsa-mv88e6xxx-fix-lockup-on-warm-boot.patch [new file with mode: 0644]
queue-5.4/net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch [new file with mode: 0644]
queue-5.4/net-fq-add-missing-attribute-validation-for-orphan-mask.patch [new file with mode: 0644]
queue-5.4/net-hns3-fix-a-not-link-up-issue-when-fibre-port-supports-autoneg.patch [new file with mode: 0644]
queue-5.4/net-ipv6-need-update-peer-route-when-modify-metric.patch [new file with mode: 0644]
queue-5.4/net-ipv6-remove-the-old-peer-route-if-change-it-to-a-new-one.patch [new file with mode: 0644]
queue-5.4/net-ipv6-use-configured-metric-when-add-peer-route.patch [new file with mode: 0644]
queue-5.4/net-macsec-update-sci-upon-mac-address-change.patch [new file with mode: 0644]
queue-5.4/net-memcg-fix-lockdep-splat-in-inet_csk_accept.patch [new file with mode: 0644]
queue-5.4/net-memcg-late-association-of-sock-to-memcg.patch [new file with mode: 0644]
queue-5.4/net-nfc-fix-bounds-checking-bugs-on-pipe.patch [new file with mode: 0644]
queue-5.4/net-packet-tpacket_rcv-do-not-increment-ring-index-on-drop.patch [new file with mode: 0644]
queue-5.4/net-phy-avoid-clearing-phy-interrupts-twice-in-irq-handler.patch [new file with mode: 0644]
queue-5.4/net-phy-bcm63xx-fix-oops-due-to-missing-driver-name.patch [new file with mode: 0644]
queue-5.4/net-phy-fix-mdio-bus-pm-phy-resuming.patch [new file with mode: 0644]
queue-5.4/net-stmmac-dwmac1000-disable-acs-if-enhanced-descs-are-not-used.patch [new file with mode: 0644]
queue-5.4/net-systemport-fix-index-check-to-avoid-an-array-out-of-bounds-access.patch [new file with mode: 0644]
queue-5.4/net-taprio-add-missing-attribute-validation-for-txtime-delay.patch [new file with mode: 0644]
queue-5.4/netlink-use-netlink-header-as-base-to-calculate-bad-attribute-offset.patch [new file with mode: 0644]
queue-5.4/nfc-add-missing-attribute-validation-for-deactivate-target.patch [new file with mode: 0644]
queue-5.4/nfc-add-missing-attribute-validation-for-se-api.patch [new file with mode: 0644]
queue-5.4/nfc-add-missing-attribute-validation-for-vendor-subcommand.patch [new file with mode: 0644]
queue-5.4/nl802154-add-missing-attribute-validation-for-dev_type.patch [new file with mode: 0644]
queue-5.4/nl802154-add-missing-attribute-validation.patch [new file with mode: 0644]
queue-5.4/r8152-check-disconnect-status-after-long-sleep.patch [new file with mode: 0644]
queue-5.4/selftests-net-fib_tests-update-addr_metric_test-for-peer-route-testing.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/sfc-detach-from-cb_page-in-efx_copy_channel.patch [new file with mode: 0644]
queue-5.4/slip-make-slhc_compress-more-robust-against-malicious-packets.patch [new file with mode: 0644]
queue-5.4/taprio-fix-sending-packets-without-dequeueing-them.patch [new file with mode: 0644]
queue-5.4/team-add-missing-attribute-validation-for-array-index.patch [new file with mode: 0644]
queue-5.4/team-add-missing-attribute-validation-for-port-ifindex.patch [new file with mode: 0644]
queue-5.4/tipc-add-missing-attribute-validation-for-mtu-property.patch [new file with mode: 0644]

diff --git a/queue-5.4/bnxt_en-fix-error-handling-when-flashing-from-file.patch b/queue-5.4/bnxt_en-fix-error-handling-when-flashing-from-file.patch
new file mode 100644 (file)
index 0000000..c5aba78
--- /dev/null
@@ -0,0 +1,93 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Edwin Peer <edwin.peer@broadcom.com>
+Date: Sun, 1 Mar 2020 22:07:18 -0500
+Subject: bnxt_en: fix error handling when flashing from file
+
+From: Edwin Peer <edwin.peer@broadcom.com>
+
+[ Upstream commit 22630e28f9c2b55abd217869cc0696def89f2284 ]
+
+After bnxt_hwrm_do_send_message() was updated to return standard error
+codes in a recent commit, a regression in bnxt_flash_package_from_file()
+was introduced.  The return value does not properly reflect all
+possible firmware errors when calling firmware to flash the package.
+
+Fix it by consolidating all errors in one local variable rc instead
+of having 2 variables for different errors.
+
+Fixes: d4f1420d3656 ("bnxt_en: Convert error code in firmware message response to standard code.")
+Signed-off-by: Edwin Peer <edwin.peer@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c |   24 ++++++++++------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -2005,8 +2005,8 @@ static int bnxt_flash_package_from_file(
+       struct hwrm_nvm_install_update_output *resp = bp->hwrm_cmd_resp_addr;
+       struct hwrm_nvm_install_update_input install = {0};
+       const struct firmware *fw;
+-      int rc, hwrm_err = 0;
+       u32 item_len;
++      int rc = 0;
+       u16 index;
+       bnxt_hwrm_fw_set_time(bp);
+@@ -2050,15 +2050,14 @@ static int bnxt_flash_package_from_file(
+                       memcpy(kmem, fw->data, fw->size);
+                       modify.host_src_addr = cpu_to_le64(dma_handle);
+-                      hwrm_err = hwrm_send_message(bp, &modify,
+-                                                   sizeof(modify),
+-                                                   FLASH_PACKAGE_TIMEOUT);
++                      rc = hwrm_send_message(bp, &modify, sizeof(modify),
++                                             FLASH_PACKAGE_TIMEOUT);
+                       dma_free_coherent(&bp->pdev->dev, fw->size, kmem,
+                                         dma_handle);
+               }
+       }
+       release_firmware(fw);
+-      if (rc || hwrm_err)
++      if (rc)
+               goto err_exit;
+       if ((install_type & 0xffff) == 0)
+@@ -2067,20 +2066,19 @@ static int bnxt_flash_package_from_file(
+       install.install_type = cpu_to_le32(install_type);
+       mutex_lock(&bp->hwrm_cmd_lock);
+-      hwrm_err = _hwrm_send_message(bp, &install, sizeof(install),
+-                                    INSTALL_PACKAGE_TIMEOUT);
+-      if (hwrm_err) {
++      rc = _hwrm_send_message(bp, &install, sizeof(install),
++                              INSTALL_PACKAGE_TIMEOUT);
++      if (rc) {
+               u8 error_code = ((struct hwrm_err_output *)resp)->cmd_err;
+               if (resp->error_code && error_code ==
+                   NVM_INSTALL_UPDATE_CMD_ERR_CODE_FRAG_ERR) {
+                       install.flags |= cpu_to_le16(
+                              NVM_INSTALL_UPDATE_REQ_FLAGS_ALLOWED_TO_DEFRAG);
+-                      hwrm_err = _hwrm_send_message(bp, &install,
+-                                                    sizeof(install),
+-                                                    INSTALL_PACKAGE_TIMEOUT);
++                      rc = _hwrm_send_message(bp, &install, sizeof(install),
++                                              INSTALL_PACKAGE_TIMEOUT);
+               }
+-              if (hwrm_err)
++              if (rc)
+                       goto flash_pkg_exit;
+       }
+@@ -2092,7 +2090,7 @@ static int bnxt_flash_package_from_file(
+ flash_pkg_exit:
+       mutex_unlock(&bp->hwrm_cmd_lock);
+ err_exit:
+-      if (hwrm_err == -EACCES)
++      if (rc == -EACCES)
+               bnxt_print_admin_err(bp);
+       return rc;
+ }
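Review bot: With a single `rc`, the `if (rc == -EACCES)` test at `err_exit` now fires for any step of bnxt_flash_package_from_file() that returns -EACCES, not only for the firmware messages that `hwrm_err` used to track. The lines that assign `rc` before the first `hwrm_send_message()` call are outside the hunks shown, so whether a non-firmware step can return -EACCES cannot be confirmed from here. If one can, bnxt_print_admin_err() would be printed for a failure unrelated to the firmware request. A comment at the label would record the intent, for example `/* rc may now come from any step above, not only a firmware message */`, or the check could move next to the two firmware calls.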
diff --git a/queue-5.4/bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch b/queue-5.4/bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch
new file mode 100644 (file)
index 0000000..1b388af
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Date: Sun, 1 Mar 2020 22:07:17 -0500
+Subject: bnxt_en: reinitialize IRQs when MTU is modified
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+[ Upstream commit a9b952d267e59a3b405e644930f46d252cea7122 ]
+
+MTU changes may affect the number of IRQs so we must call
+bnxt_close_nic()/bnxt_open_nic() with the irq_re_init parameter
+set to true.  The reason is that a larger MTU may require
+aggregation rings not needed with smaller MTU.  We may not be
+able to allocate the required number of aggregation rings and
+so we reduce the number of channels which will change the number
+of IRQs.  Without this patch, it may crash eventually in
+pci_disable_msix() when the IRQs are not properly unwound.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -10891,13 +10891,13 @@ static int bnxt_change_mtu(struct net_de
+       struct bnxt *bp = netdev_priv(dev);
+       if (netif_running(dev))
+-              bnxt_close_nic(bp, false, false);
++              bnxt_close_nic(bp, true, false);
+       dev->mtu = new_mtu;
+       bnxt_set_ring_params(bp);
+       if (netif_running(dev))
+-              return bnxt_open_nic(bp, false, false);
++              return bnxt_open_nic(bp, true, false);
+       return 0;
+ }
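Review bot: When `bnxt_open_nic(bp, true, false)` fails in bnxt_change_mtu(), the function returns the error with `dev->mtu` already set to `new_mtu` and the NIC closed, and nothing in the hunk restores the old value. The commit message says a larger MTU may need aggregation rings that cannot always be allocated, so this open is the call most exposed to failure after the change. Consider saving the old MTU before the assignment and restoring it on error, or at least state the outcome in a comment such as `/* on failure the device stays down with the new MTU */`.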
diff --git a/queue-5.4/bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch b/queue-5.4/bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch
new file mode 100644 (file)
index 0000000..ada3dbb
--- /dev/null
@@ -0,0 +1,155 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 4 Mar 2020 09:32:16 -0800
+Subject: bonding/alb: make sure arp header is pulled before accessing it
+
+From: Eric Dumazet <edumazet@google.com>
+
+Similar to commit 38f88c454042 ("bonding/alb: properly access headers
+in bond_alb_xmit()"), we need to make sure arp header was pulled
+in skb->head before blindly accessing it in rlb_arp_xmit().
+
+Remove arp_pkt() private helper, since it is more readable/obvious
+to have the following construct back to back :
+
+       if (!pskb_network_may_pull(skb, sizeof(*arp)))
+               return NULL;
+       arp = (struct arp_pkt *)skb_network_header(skb);
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in bond_slave_has_mac_rx include/net/bonding.h:704 [inline]
+BUG: KMSAN: uninit-value in rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline]
+BUG: KMSAN: uninit-value in bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477
+CPU: 0 PID: 12743 Comm: syz-executor.4 Not tainted 5.6.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ bond_slave_has_mac_rx include/net/bonding.h:704 [inline]
+ rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline]
+ bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477
+ __bond_start_xmit drivers/net/bonding/bond_main.c:4257 [inline]
+ bond_start_xmit+0x85d/0x2f70 drivers/net/bonding/bond_main.c:4282
+ __netdev_start_xmit include/linux/netdevice.h:4524 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4538 [inline]
+ xmit_one net/core/dev.c:3470 [inline]
+ dev_hard_start_xmit+0x531/0xab0 net/core/dev.c:3486
+ __dev_queue_xmit+0x37de/0x4220 net/core/dev.c:4063
+ dev_queue_xmit+0x4b/0x60 net/core/dev.c:4096
+ packet_snd net/packet/af_packet.c:2967 [inline]
+ packet_sendmsg+0x8347/0x93b0 net/packet/af_packet.c:2992
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg net/socket.c:672 [inline]
+ __sys_sendto+0xc1b/0xc50 net/socket.c:1998
+ __do_sys_sendto net/socket.c:2010 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:2006
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:2006
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45c479
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fc77ffbbc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007fc77ffbc6d4 RCX: 000000000045c479
+RDX: 000000000000000e RSI: 00000000200004c0 RDI: 0000000000000003
+RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 0000000000000a04 R14: 00000000004cc7b0 R15: 000000000076bf2c
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
+ slab_alloc_node mm/slub.c:2793 [inline]
+ __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
+ __kmalloc_reserve net/core/skbuff.c:142 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
+ alloc_skb include/linux/skbuff.h:1051 [inline]
+ alloc_skb_with_frags+0x18c/0xa70 net/core/skbuff.c:5766
+ sock_alloc_send_pskb+0xada/0xc60 net/core/sock.c:2242
+ packet_alloc_skb net/packet/af_packet.c:2815 [inline]
+ packet_snd net/packet/af_packet.c:2910 [inline]
+ packet_sendmsg+0x66a0/0x93b0 net/packet/af_packet.c:2992
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg net/socket.c:672 [inline]
+ __sys_sendto+0xc1b/0xc50 net/socket.c:1998
+ __do_sys_sendto net/socket.c:2010 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:2006
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:2006
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Cc: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_alb.c |   20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/bonding/bond_alb.c
++++ b/drivers/net/bonding/bond_alb.c
+@@ -50,11 +50,6 @@ struct arp_pkt {
+ };
+ #pragma pack()
+-static inline struct arp_pkt *arp_pkt(const struct sk_buff *skb)
+-{
+-      return (struct arp_pkt *)skb_network_header(skb);
+-}
+-
+ /* Forward declaration */
+ static void alb_send_learning_packets(struct slave *slave, u8 mac_addr[],
+                                     bool strict_match);
+@@ -553,10 +548,11 @@ static void rlb_req_update_subnet_client
+       spin_unlock(&bond->mode_lock);
+ }
+-static struct slave *rlb_choose_channel(struct sk_buff *skb, struct bonding *bond)
++static struct slave *rlb_choose_channel(struct sk_buff *skb,
++                                      struct bonding *bond,
++                                      const struct arp_pkt *arp)
+ {
+       struct alb_bond_info *bond_info = &(BOND_ALB_INFO(bond));
+-      struct arp_pkt *arp = arp_pkt(skb);
+       struct slave *assigned_slave, *curr_active_slave;
+       struct rlb_client_info *client_info;
+       u32 hash_index = 0;
+@@ -653,8 +649,12 @@ static struct slave *rlb_choose_channel(
+  */
+ static struct slave *rlb_arp_xmit(struct sk_buff *skb, struct bonding *bond)
+ {
+-      struct arp_pkt *arp = arp_pkt(skb);
+       struct slave *tx_slave = NULL;
++      struct arp_pkt *arp;
++
++      if (!pskb_network_may_pull(skb, sizeof(*arp)))
++              return NULL;
++      arp = (struct arp_pkt *)skb_network_header(skb);
+       /* Don't modify or load balance ARPs that do not originate locally
+        * (e.g.,arrive via a bridge).
+@@ -664,7 +664,7 @@ static struct slave *rlb_arp_xmit(struct
+       if (arp->op_code == htons(ARPOP_REPLY)) {
+               /* the arp must be sent on the selected rx channel */
+-              tx_slave = rlb_choose_channel(skb, bond);
++              tx_slave = rlb_choose_channel(skb, bond, arp);
+               if (tx_slave)
+                       bond_hw_addr_copy(arp->mac_src, tx_slave->dev->dev_addr,
+                                         tx_slave->dev->addr_len);
+@@ -676,7 +676,7 @@ static struct slave *rlb_arp_xmit(struct
+                * When the arp reply is received the entry will be updated
+                * with the correct unicast address of the client.
+                */
+-              tx_slave = rlb_choose_channel(skb, bond);
++              tx_slave = rlb_choose_channel(skb, bond, arp);
+               /* The ARP reply packets must be delayed so that
+                * they can cancel out the influence of the ARP request.
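Review bot: `pskb_network_may_pull()` in rlb_arp_xmit() can reallocate the skb head, so header pointers taken from this skb before the call are not safe to use afterwards. The new code reads `arp` only after the pull, but the caller is outside the hunk and is not shown doing the same. A comment on the pull would make that contract visible: `/* may reallocate skb->head; callers must re-read header pointers */`. rlb_choose_channel() now takes both `skb` and `arp`, so a one-line note that `arp` must point into the already pulled network header of `skb` would keep later callers from passing an unchecked pointer.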
diff --git a/queue-5.4/can-add-missing-attribute-validation-for-termination.patch b/queue-5.4/can-add-missing-attribute-validation-for-termination.patch
new file mode 100644 (file)
index 0000000..f3c06d3
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:16 -0800
+Subject: can: add missing attribute validation for termination
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit ab02ad660586b94f5d08912a3952b939cf4c4430 ]
+
+Add missing attribute validation for IFLA_CAN_TERMINATION
+to the netlink policy.
+
+Fixes: 12a6075cabc0 ("can: dev: add CAN interface termination API")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/dev.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -884,6 +884,7 @@ static const struct nla_policy can_polic
+                               = { .len = sizeof(struct can_bittiming) },
+       [IFLA_CAN_DATA_BITTIMING_CONST]
+                               = { .len = sizeof(struct can_bittiming_const) },
++      [IFLA_CAN_TERMINATION]  = { .type = NLA_U16 },
+ };
+ static int can_validate(struct nlattr *tb[], struct nlattr *data[],
diff --git a/queue-5.4/cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch b/queue-5.4/cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch
new file mode 100644 (file)
index 0000000..7aef80f
--- /dev/null
@@ -0,0 +1,124 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Shakeel Butt <shakeelb@google.com>
+Date: Mon, 9 Mar 2020 22:16:05 -0700
+Subject: cgroup: memcg: net: do not associate sock with unrelated cgroup
+
+From: Shakeel Butt <shakeelb@google.com>
+
+[ Upstream commit e876ecc67db80dfdb8e237f71e5b43bb88ae549c ]
+
+We are testing network memory accounting in our setup and noticed
+inconsistent network memory usage and often unrelated cgroups network
+usage correlates with testing workload. On further inspection, it
+seems like mem_cgroup_sk_alloc() and cgroup_sk_alloc() are broken in
+irq context specially for cgroup v1.
+
+mem_cgroup_sk_alloc() and cgroup_sk_alloc() can be called in irq context
+and kind of assumes that this can only happen from sk_clone_lock()
+and the source sock object has already associated cgroup. However in
+cgroup v1, where network memory accounting is opt-in, the source sock
+can be unassociated with any cgroup and the new cloned sock can get
+associated with unrelated interrupted cgroup.
+
+Cgroup v2 can also suffer if the source sock object was created by
+process in the root cgroup or if sk_alloc() is called in irq context.
+The fix is to just do nothing in interrupt.
+
+WARNING: Please note that about half of the TCP sockets are allocated
+from the IRQ context, so, memory used by such sockets will not be
+accouted by the memcg.
+
+The stack trace of mem_cgroup_sk_alloc() from IRQ-context:
+
+CPU: 70 PID: 12720 Comm: ssh Tainted:  5.6.0-smp-DEV #1
+Hardware name: ...
+Call Trace:
+ <IRQ>
+ dump_stack+0x57/0x75
+ mem_cgroup_sk_alloc+0xe9/0xf0
+ sk_clone_lock+0x2a7/0x420
+ inet_csk_clone_lock+0x1b/0x110
+ tcp_create_openreq_child+0x23/0x3b0
+ tcp_v6_syn_recv_sock+0x88/0x730
+ tcp_check_req+0x429/0x560
+ tcp_v6_rcv+0x72d/0xa40
+ ip6_protocol_deliver_rcu+0xc9/0x400
+ ip6_input+0x44/0xd0
+ ? ip6_protocol_deliver_rcu+0x400/0x400
+ ip6_rcv_finish+0x71/0x80
+ ipv6_rcv+0x5b/0xe0
+ ? ip6_sublist_rcv+0x2e0/0x2e0
+ process_backlog+0x108/0x1e0
+ net_rx_action+0x26b/0x460
+ __do_softirq+0x104/0x2a6
+ do_softirq_own_stack+0x2a/0x40
+ </IRQ>
+ do_softirq.part.19+0x40/0x50
+ __local_bh_enable_ip+0x51/0x60
+ ip6_finish_output2+0x23d/0x520
+ ? ip6table_mangle_hook+0x55/0x160
+ __ip6_finish_output+0xa1/0x100
+ ip6_finish_output+0x30/0xd0
+ ip6_output+0x73/0x120
+ ? __ip6_finish_output+0x100/0x100
+ ip6_xmit+0x2e3/0x600
+ ? ipv6_anycast_cleanup+0x50/0x50
+ ? inet6_csk_route_socket+0x136/0x1e0
+ ? skb_free_head+0x1e/0x30
+ inet6_csk_xmit+0x95/0xf0
+ __tcp_transmit_skb+0x5b4/0xb20
+ __tcp_send_ack.part.60+0xa3/0x110
+ tcp_send_ack+0x1d/0x20
+ tcp_rcv_state_process+0xe64/0xe80
+ ? tcp_v6_connect+0x5d1/0x5f0
+ tcp_v6_do_rcv+0x1b1/0x3f0
+ ? tcp_v6_do_rcv+0x1b1/0x3f0
+ __release_sock+0x7f/0xd0
+ release_sock+0x30/0xa0
+ __inet_stream_connect+0x1c3/0x3b0
+ ? prepare_to_wait+0xb0/0xb0
+ inet_stream_connect+0x3b/0x60
+ __sys_connect+0x101/0x120
+ ? __sys_getsockopt+0x11b/0x140
+ __x64_sys_connect+0x1a/0x20
+ do_syscall_64+0x51/0x200
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The stack trace of mem_cgroup_sk_alloc() from IRQ-context:
+Fixes: 2d7580738345 ("mm: memcontrol: consolidate cgroup socket tracking")
+Fixes: d979a39d7242 ("cgroup: duplicate cgroup reference when cloning sockets")
+Signed-off-by: Shakeel Butt <shakeelb@google.com>
+Reviewed-by: Roman Gushchin <guro@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cgroup.c |    4 ++++
+ mm/memcontrol.c        |    4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -6381,6 +6381,10 @@ void cgroup_sk_alloc(struct sock_cgroup_
+               return;
+       }
++      /* Don't associate the sock with unrelated interrupted task's cgroup. */
++      if (in_interrupt())
++              return;
++
+       rcu_read_lock();
+       while (true) {
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -6806,6 +6806,10 @@ void mem_cgroup_sk_alloc(struct sock *sk
+               return;
+       }
++      /* Do not associate the sock with unrelated interrupted task's memcg. */
++      if (in_interrupt())
++              return;
++
+       rcu_read_lock();
+       memcg = mem_cgroup_from_task(current);
+       if (memcg == root_mem_cgroup)
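Review bot: `in_interrupt()` in cgroup_sk_alloc() is also true in task context while bottom halves are disabled, so the new early return skips more than the interrupted-task case its comment names. The identical check added to mem_cgroup_sk_alloc() has the same reach. If only hard and soft interrupt context is meant, `if (!in_task())` expresses that. The skipped sockets stay unassociated, which the commit message already flags for memory accounting, and the code comment could say so too, e.g. `/* sockets allocated here are left unaccounted */`.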
diff --git a/queue-5.4/cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch b/queue-5.4/cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch
new file mode 100644 (file)
index 0000000..f503114
--- /dev/null
@@ -0,0 +1,121 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Dmitry Yakunin <zeil@yandex-team.ru>
+Date: Thu, 5 Mar 2020 17:45:57 +0300
+Subject: cgroup, netclassid: periodically release file_lock on classid updating
+
+From: Dmitry Yakunin <zeil@yandex-team.ru>
+
+[ Upstream commit 018d26fcd12a75fb9b5fe233762aa3f2f0854b88 ]
+
+In our production environment we have faced with problem that updating
+classid in cgroup with heavy tasks cause long freeze of the file tables
+in this tasks. By heavy tasks we understand tasks with many threads and
+opened sockets (e.g. balancers). This freeze leads to an increase number
+of client timeouts.
+
+This patch implements following logic to fix this issue:
+аfter iterating 1000 file descriptors file table lock will be released
+thus providing a time gap for socket creation/deletion.
+
+Now update is non atomic and socket may be skipped using calls:
+
+dup2(oldfd, newfd);
+close(oldfd);
+
+But this case is not typical. Moreover before this patch skip is possible
+too by hiding socket fd in unix socket buffer.
+
+New sockets will be allocated with updated classid because cgroup state
+is updated before start of the file descriptors iteration.
+
+So in common cases this patch has no side effects.
+
+Signed-off-by: Dmitry Yakunin <zeil@yandex-team.ru>
+Reviewed-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/netclassid_cgroup.c |   47 +++++++++++++++++++++++++++++++++----------
+ 1 file changed, 37 insertions(+), 10 deletions(-)
+
+--- a/net/core/netclassid_cgroup.c
++++ b/net/core/netclassid_cgroup.c
+@@ -53,30 +53,60 @@ static void cgrp_css_free(struct cgroup_
+       kfree(css_cls_state(css));
+ }
++/*
++ * To avoid freezing of sockets creation for tasks with big number of threads
++ * and opened sockets lets release file_lock every 1000 iterated descriptors.
++ * New sockets will already have been created with new classid.
++ */
++
++struct update_classid_context {
++      u32 classid;
++      unsigned int batch;
++};
++
++#define UPDATE_CLASSID_BATCH 1000
++
+ static int update_classid_sock(const void *v, struct file *file, unsigned n)
+ {
+       int err;
++      struct update_classid_context *ctx = (void *)v;
+       struct socket *sock = sock_from_file(file, &err);
+       if (sock) {
+               spin_lock(&cgroup_sk_update_lock);
+-              sock_cgroup_set_classid(&sock->sk->sk_cgrp_data,
+-                                      (unsigned long)v);
++              sock_cgroup_set_classid(&sock->sk->sk_cgrp_data, ctx->classid);
+               spin_unlock(&cgroup_sk_update_lock);
+       }
++      if (--ctx->batch == 0) {
++              ctx->batch = UPDATE_CLASSID_BATCH;
++              return n + 1;
++      }
+       return 0;
+ }
++static void update_classid_task(struct task_struct *p, u32 classid)
++{
++      struct update_classid_context ctx = {
++              .classid = classid,
++              .batch = UPDATE_CLASSID_BATCH
++      };
++      unsigned int fd = 0;
++
++      do {
++              task_lock(p);
++              fd = iterate_fd(p->files, fd, update_classid_sock, &ctx);
++              task_unlock(p);
++              cond_resched();
++      } while (fd);
++}
++
+ static void cgrp_attach(struct cgroup_taskset *tset)
+ {
+       struct cgroup_subsys_state *css;
+       struct task_struct *p;
+       cgroup_taskset_for_each(p, css, tset) {
+-              task_lock(p);
+-              iterate_fd(p->files, 0, update_classid_sock,
+-                         (void *)(unsigned long)css_cls_state(css)->classid);
+-              task_unlock(p);
++              update_classid_task(p, css_cls_state(css)->classid);
+       }
+ }
+@@ -98,10 +128,7 @@ static int write_classid(struct cgroup_s
+       css_task_iter_start(css, 0, &it);
+       while ((p = css_task_iter_next(&it))) {
+-              task_lock(p);
+-              iterate_fd(p->files, 0, update_classid_sock,
+-                         (void *)(unsigned long)cs->classid);
+-              task_unlock(p);
++              update_classid_task(p, cs->classid);
+               cond_resched();
+       }
+       css_task_iter_end(&it);
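Review bot: The block comment added above `struct update_classid_context` explains why the file table lock is dropped every `UPDATE_CLASSID_BATCH` descriptors but not the cost. As the commit message notes, a socket whose descriptor is moved during the gap can be missed and keeps its old classid. That matters to anything that classifies traffic by classid, so the comment should carry the caveat, e.g. ` * The update is not atomic: a descriptor duplicated and closed between batches may be skipped.` It would also help to document that update_classid_sock() returns `n + 1` as the position where update_classid_task() resumes. Separately, write_classid() still calls `cond_resched()` right after update_classid_task() has already done so.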
diff --git a/queue-5.4/devlink-validate-length-of-param-values.patch b/queue-5.4/devlink-validate-length-of-param-values.patch
new file mode 100644 (file)
index 0000000..5faa490
--- /dev/null
@@ -0,0 +1,78 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:11 -0800
+Subject: devlink: validate length of param values
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 8750939b6ad86abc3f53ec8a9683a1cded4a5654 ]
+
+DEVLINK_ATTR_PARAM_VALUE_DATA may have different types
+so it's not checked by the normal netlink policy. Make
+sure the attribute length is what we expect.
+
+Fixes: e3b7ca18ad7b ("devlink: Add param set command")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/devlink.c |   31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -3222,34 +3222,41 @@ devlink_param_value_get_from_info(const
+                                 struct genl_info *info,
+                                 union devlink_param_value *value)
+ {
++      struct nlattr *param_data;
+       int len;
+-      if (param->type != DEVLINK_PARAM_TYPE_BOOL &&
+-          !info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA])
++      param_data = info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA];
++
++      if (param->type != DEVLINK_PARAM_TYPE_BOOL && !param_data)
+               return -EINVAL;
+       switch (param->type) {
+       case DEVLINK_PARAM_TYPE_U8:
+-              value->vu8 = nla_get_u8(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]);
++              if (nla_len(param_data) != sizeof(u8))
++                      return -EINVAL;
++              value->vu8 = nla_get_u8(param_data);
+               break;
+       case DEVLINK_PARAM_TYPE_U16:
+-              value->vu16 = nla_get_u16(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]);
++              if (nla_len(param_data) != sizeof(u16))
++                      return -EINVAL;
++              value->vu16 = nla_get_u16(param_data);
+               break;
+       case DEVLINK_PARAM_TYPE_U32:
+-              value->vu32 = nla_get_u32(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]);
++              if (nla_len(param_data) != sizeof(u32))
++                      return -EINVAL;
++              value->vu32 = nla_get_u32(param_data);
+               break;
+       case DEVLINK_PARAM_TYPE_STRING:
+-              len = strnlen(nla_data(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]),
+-                            nla_len(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]));
+-              if (len == nla_len(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]) ||
++              len = strnlen(nla_data(param_data), nla_len(param_data));
++              if (len == nla_len(param_data) ||
+                   len >= __DEVLINK_PARAM_MAX_STRING_VALUE)
+                       return -EINVAL;
+-              strcpy(value->vstr,
+-                     nla_data(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]));
++              strcpy(value->vstr, nla_data(param_data));
+               break;
+       case DEVLINK_PARAM_TYPE_BOOL:
+-              value->vbool = info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA] ?
+-                             true : false;
++              if (param_data && nla_len(param_data))
++                      return -EINVAL;
++              value->vbool = nla_get_flag(param_data);
+               break;
+       }
+       return 0;
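Review bot: The `strcpy(value->vstr, nla_data(param_data))` in the DEVLINK_PARAM_TYPE_STRING case is safe only because of the two-part check directly above it, and nothing at the copy says so. `len == nla_len(param_data)` rejects an attribute with no NUL inside its payload, and `len >= __DEVLINK_PARAM_MAX_STRING_VALUE` rejects one that would not fit, so I would add a comment above the copy such as `/* NUL lies inside the attribute and len < __DEVLINK_PARAM_MAX_STRING_VALUE, so the copy is bounded */`. This assumes `vstr` is declared with `__DEVLINK_PARAM_MAX_STRING_VALUE` bytes, which the hunk does not show. The function's signature begins before the hunk and its closing brace falls after it.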
diff --git a/queue-5.4/devlink-validate-length-of-region-addr-len.patch b/queue-5.4/devlink-validate-length-of-region-addr-len.patch
new file mode 100644 (file)
index 0000000..8529429
--- /dev/null
@@ -0,0 +1,33 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:12 -0800
+Subject: devlink: validate length of region addr/len
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit ff3b63b8c299b73ac599b120653b47e275407656 ]
+
+DEVLINK_ATTR_REGION_CHUNK_ADDR and DEVLINK_ATTR_REGION_CHUNK_LEN
+lack entries in the netlink policy. Corresponding nla_get_u64()s
+may read beyond the end of the message.
+
+Fixes: 4e54795a27f5 ("devlink: Add support for region snapshot read command")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/devlink.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -5804,6 +5804,8 @@ static const struct nla_policy devlink_n
+       [DEVLINK_ATTR_PARAM_VALUE_CMODE] = { .type = NLA_U8 },
+       [DEVLINK_ATTR_REGION_NAME] = { .type = NLA_NUL_STRING },
+       [DEVLINK_ATTR_REGION_SNAPSHOT_ID] = { .type = NLA_U32 },
++      [DEVLINK_ATTR_REGION_CHUNK_ADDR] = { .type = NLA_U64 },
++      [DEVLINK_ATTR_REGION_CHUNK_LEN] = { .type = NLA_U64 },
+       [DEVLINK_ATTR_HEALTH_REPORTER_NAME] = { .type = NLA_NUL_STRING },
+       [DEVLINK_ATTR_HEALTH_REPORTER_GRACEFUL_PERIOD] = { .type = NLA_U64 },
+       [DEVLINK_ATTR_HEALTH_REPORTER_AUTO_RECOVER] = { .type = NLA_U8 },
diff --git a/queue-5.4/fib-add-missing-attribute-validation-for-tun_id.patch b/queue-5.4/fib-add-missing-attribute-validation-for-tun_id.patch
new file mode 100644 (file)
index 0000000..75261e3
--- /dev/null
@@ -0,0 +1,30 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:13 -0800
+Subject: fib: add missing attribute validation for tun_id
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 4c16d64ea04056f1b1b324ab6916019f6a064114 ]
+
+Add missing netlink policy entry for FRA_TUN_ID.
+
+Fixes: e7030878fc84 ("fib: Add fib rule match on tunnel id")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/fib_rules.h |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/net/fib_rules.h
++++ b/include/net/fib_rules.h
+@@ -108,6 +108,7 @@ struct fib_rule_notifier_info {
+       [FRA_OIFNAME]   = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
+       [FRA_PRIORITY]  = { .type = NLA_U32 }, \
+       [FRA_FWMARK]    = { .type = NLA_U32 }, \
++      [FRA_TUN_ID]    = { .type = NLA_U64 }, \
+       [FRA_FWMASK]    = { .type = NLA_U32 }, \
+       [FRA_TABLE]     = { .type = NLA_U32 }, \
+       [FRA_SUPPRESS_PREFIXLEN] = { .type = NLA_U32 }, \
diff --git a/queue-5.4/gre-fix-uninit-value-in-__iptunnel_pull_header.patch b/queue-5.4/gre-fix-uninit-value-in-__iptunnel_pull_header.patch
new file mode 100644 (file)
index 0000000..ebcb35b
--- /dev/null
@@ -0,0 +1,138 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Mar 2020 22:05:14 -0800
+Subject: gre: fix uninit-value in __iptunnel_pull_header
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 17c25cafd4d3e74c83dce56b158843b19c40b414 ]
+
+syzbot found an interesting case of the kernel reading
+an uninit-value [1]
+
+Problem is in the handling of ETH_P_WCCP in gre_parse_header()
+
+We look at the byte following GRE options to eventually decide
+if the options are four bytes longer.
+
+Use skb_header_pointer() to not pull bytes if we found
+that no more bytes were needed.
+
+All callers of gre_parse_header() are properly using pskb_may_pull()
+anyway before proceeding to next header.
+
+[1]
+BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2303 [inline]
+BUG: KMSAN: uninit-value in __iptunnel_pull_header+0x30c/0xbd0 net/ipv4/ip_tunnel_core.c:94
+CPU: 1 PID: 11784 Comm: syz-executor940 Not tainted 5.6.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ pskb_may_pull include/linux/skbuff.h:2303 [inline]
+ __iptunnel_pull_header+0x30c/0xbd0 net/ipv4/ip_tunnel_core.c:94
+ iptunnel_pull_header include/net/ip_tunnels.h:411 [inline]
+ gre_rcv+0x15e/0x19c0 net/ipv6/ip6_gre.c:606
+ ip6_protocol_deliver_rcu+0x181b/0x22c0 net/ipv6/ip6_input.c:432
+ ip6_input_finish net/ipv6/ip6_input.c:473 [inline]
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ ip6_input net/ipv6/ip6_input.c:482 [inline]
+ ip6_mc_input+0xdf2/0x1460 net/ipv6/ip6_input.c:576
+ dst_input include/net/dst.h:442 [inline]
+ ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ ipv6_rcv+0x683/0x710 net/ipv6/ip6_input.c:306
+ __netif_receive_skb_one_core net/core/dev.c:5198 [inline]
+ __netif_receive_skb net/core/dev.c:5312 [inline]
+ netif_receive_skb_internal net/core/dev.c:5402 [inline]
+ netif_receive_skb+0x66b/0xf20 net/core/dev.c:5461
+ tun_rx_batched include/linux/skbuff.h:4321 [inline]
+ tun_get_user+0x6aef/0x6f60 drivers/net/tun.c:1997
+ tun_chr_write_iter+0x1f2/0x360 drivers/net/tun.c:2026
+ call_write_iter include/linux/fs.h:1901 [inline]
+ new_sync_write fs/read_write.c:483 [inline]
+ __vfs_write+0xa5a/0xca0 fs/read_write.c:496
+ vfs_write+0x44a/0x8f0 fs/read_write.c:558
+ ksys_write+0x267/0x450 fs/read_write.c:611
+ __do_sys_write fs/read_write.c:623 [inline]
+ __se_sys_write fs/read_write.c:620 [inline]
+ __ia32_sys_write+0xdb/0x120 fs/read_write.c:620
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7f62d99
+Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
+RSP: 002b:00000000fffedb2c EFLAGS: 00000217 ORIG_RAX: 0000000000000004
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020002580
+RDX: 0000000000000fca RSI: 0000000000000036 RDI: 0000000000000004
+RBP: 0000000000008914 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
+ slab_alloc_node mm/slub.c:2793 [inline]
+ __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
+ __kmalloc_reserve net/core/skbuff.c:142 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
+ alloc_skb include/linux/skbuff.h:1051 [inline]
+ alloc_skb_with_frags+0x18c/0xa70 net/core/skbuff.c:5766
+ sock_alloc_send_pskb+0xada/0xc60 net/core/sock.c:2242
+ tun_alloc_skb drivers/net/tun.c:1529 [inline]
+ tun_get_user+0x10ae/0x6f60 drivers/net/tun.c:1843
+ tun_chr_write_iter+0x1f2/0x360 drivers/net/tun.c:2026
+ call_write_iter include/linux/fs.h:1901 [inline]
+ new_sync_write fs/read_write.c:483 [inline]
+ __vfs_write+0xa5a/0xca0 fs/read_write.c:496
+ vfs_write+0x44a/0x8f0 fs/read_write.c:558
+ ksys_write+0x267/0x450 fs/read_write.c:611
+ __do_sys_write fs/read_write.c:623 [inline]
+ __se_sys_write fs/read_write.c:620 [inline]
+ __ia32_sys_write+0xdb/0x120 fs/read_write.c:620
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+
+Fixes: 95f5c64c3c13 ("gre: Move utility functions to common headers")
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/gre_demux.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/gre_demux.c
++++ b/net/ipv4/gre_demux.c
+@@ -56,7 +56,9 @@ int gre_del_protocol(const struct gre_pr
+ }
+ EXPORT_SYMBOL_GPL(gre_del_protocol);
+-/* Fills in tpi and returns header length to be pulled. */
++/* Fills in tpi and returns header length to be pulled.
++ * Note that caller must use pskb_may_pull() before pulling GRE header.
++ */
+ int gre_parse_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
+                    bool *csum_err, __be16 proto, int nhs)
+ {
+@@ -110,8 +112,14 @@ int gre_parse_header(struct sk_buff *skb
+        * - When dealing with WCCPv2, Skip extra 4 bytes in GRE header
+        */
+       if (greh->flags == 0 && tpi->proto == htons(ETH_P_WCCP)) {
++              u8 _val, *val;
++
++              val = skb_header_pointer(skb, nhs + hdr_len,
++                                       sizeof(_val), &_val);
++              if (!val)
++                      return -EINVAL;
+               tpi->proto = proto;
+-              if ((*(u8 *)options & 0xF0) != 0x40)
++              if ((*val & 0xF0) != 0x40)
+                       hdr_len += 4;
+       }
+       tpi->hdr_len = hdr_len;
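Review bot: The test `(*val & 0xF0) != 0x40` in the ETH_P_WCCP branch of gre_parse_header() still uses two unexplained constants, and the new `skb_header_pointer()` read makes it more important to say which byte is inspected. A comment above the read would help, for example `/* peek at the first byte after the GRE header; a high nibble of 4 presumably marks an IPv4 header, i.e. no extra 4 WCCPv2 bytes to skip */`; the IPv4 interpretation is my reading and should be confirmed. The function comment added in the first hunk mentions pskb_may_pull() but not that this branch now returns `-EINVAL` when that byte is not available, which callers may want spelled out. The body of gre_parse_header() starts and ends outside both hunks.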
diff --git a/queue-5.4/inet_diag-return-classid-for-all-socket-types.patch b/queue-5.4/inet_diag-return-classid-for-all-socket-types.patch
new file mode 100644 (file)
index 0000000..157d133
--- /dev/null
@@ -0,0 +1,184 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Dmitry Yakunin <zeil@yandex-team.ru>
+Date: Thu, 5 Mar 2020 15:33:12 +0300
+Subject: inet_diag: return classid for all socket types
+
+From: Dmitry Yakunin <zeil@yandex-team.ru>
+
+[ Upstream commit 83f73c5bb7b9a9135173f0ba2b1aa00c06664ff9 ]
+
+In commit 1ec17dbd90f8 ("inet_diag: fix reporting cgroup classid and
+fallback to priority") croup classid reporting was fixed. But this works
+only for TCP sockets because for other socket types icsk parameter can
+be NULL and classid code path is skipped. This change moves classid
+handling to inet_diag_msg_attrs_fill() function.
+
+Also inet_diag_msg_attrs_size() helper was added and addends in
+nlmsg_new() were reordered to save order from inet_sk_diag_fill().
+
+Fixes: 1ec17dbd90f8 ("inet_diag: fix reporting cgroup classid and fallback to priority")
+Signed-off-by: Dmitry Yakunin <zeil@yandex-team.ru>
+Reviewed-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/inet_diag.h |   18 ++++++++++++------
+ net/ipv4/inet_diag.c      |   44 ++++++++++++++++++++------------------------
+ net/ipv4/raw_diag.c       |    5 +++--
+ net/ipv4/udp_diag.c       |    5 +++--
+ net/sctp/diag.c           |    8 ++------
+ 5 files changed, 40 insertions(+), 40 deletions(-)
+
+--- a/include/linux/inet_diag.h
++++ b/include/linux/inet_diag.h
+@@ -2,15 +2,10 @@
+ #ifndef _INET_DIAG_H_
+ #define _INET_DIAG_H_ 1
++#include <net/netlink.h>
+ #include <uapi/linux/inet_diag.h>
+-struct net;
+-struct sock;
+ struct inet_hashinfo;
+-struct nlattr;
+-struct nlmsghdr;
+-struct sk_buff;
+-struct netlink_callback;
+ struct inet_diag_handler {
+       void            (*dump)(struct sk_buff *skb,
+@@ -62,6 +57,17 @@ int inet_diag_bc_sk(const struct nlattr
+ void inet_diag_msg_common_fill(struct inet_diag_msg *r, struct sock *sk);
++static inline size_t inet_diag_msg_attrs_size(void)
++{
++      return    nla_total_size(1)  /* INET_DIAG_SHUTDOWN */
++              + nla_total_size(1)  /* INET_DIAG_TOS */
++#if IS_ENABLED(CONFIG_IPV6)
++              + nla_total_size(1)  /* INET_DIAG_TCLASS */
++              + nla_total_size(1)  /* INET_DIAG_SKV6ONLY */
++#endif
++              + nla_total_size(4)  /* INET_DIAG_MARK */
++              + nla_total_size(4); /* INET_DIAG_CLASS_ID */
++}
+ int inet_diag_msg_attrs_fill(struct sock *sk, struct sk_buff *skb,
+                            struct inet_diag_msg *r, int ext,
+                            struct user_namespace *user_ns, bool net_admin);
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -100,13 +100,9 @@ static size_t inet_sk_attr_size(struct s
+               aux = handler->idiag_get_aux_size(sk, net_admin);
+       return    nla_total_size(sizeof(struct tcp_info))
+-              + nla_total_size(1) /* INET_DIAG_SHUTDOWN */
+-              + nla_total_size(1) /* INET_DIAG_TOS */
+-              + nla_total_size(1) /* INET_DIAG_TCLASS */
+-              + nla_total_size(4) /* INET_DIAG_MARK */
+-              + nla_total_size(4) /* INET_DIAG_CLASS_ID */
+-              + nla_total_size(sizeof(struct inet_diag_meminfo))
+               + nla_total_size(sizeof(struct inet_diag_msg))
++              + inet_diag_msg_attrs_size()
++              + nla_total_size(sizeof(struct inet_diag_meminfo))
+               + nla_total_size(SK_MEMINFO_VARS * sizeof(u32))
+               + nla_total_size(TCP_CA_NAME_MAX)
+               + nla_total_size(sizeof(struct tcpvegas_info))
+@@ -147,6 +143,24 @@ int inet_diag_msg_attrs_fill(struct sock
+       if (net_admin && nla_put_u32(skb, INET_DIAG_MARK, sk->sk_mark))
+               goto errout;
++      if (ext & (1 << (INET_DIAG_CLASS_ID - 1)) ||
++          ext & (1 << (INET_DIAG_TCLASS - 1))) {
++              u32 classid = 0;
++
++#ifdef CONFIG_SOCK_CGROUP_DATA
++              classid = sock_cgroup_classid(&sk->sk_cgrp_data);
++#endif
++              /* Fallback to socket priority if class id isn't set.
++               * Classful qdiscs use it as direct reference to class.
++               * For cgroup2 classid is always zero.
++               */
++              if (!classid)
++                      classid = sk->sk_priority;
++
++              if (nla_put_u32(skb, INET_DIAG_CLASS_ID, classid))
++                      goto errout;
++      }
++
+       r->idiag_uid = from_kuid_munged(user_ns, sock_i_uid(sk));
+       r->idiag_inode = sock_i_ino(sk);
+@@ -284,24 +298,6 @@ int inet_sk_diag_fill(struct sock *sk, s
+                       goto errout;
+       }
+-      if (ext & (1 << (INET_DIAG_CLASS_ID - 1)) ||
+-          ext & (1 << (INET_DIAG_TCLASS - 1))) {
+-              u32 classid = 0;
+-
+-#ifdef CONFIG_SOCK_CGROUP_DATA
+-              classid = sock_cgroup_classid(&sk->sk_cgrp_data);
+-#endif
+-              /* Fallback to socket priority if class id isn't set.
+-               * Classful qdiscs use it as direct reference to class.
+-               * For cgroup2 classid is always zero.
+-               */
+-              if (!classid)
+-                      classid = sk->sk_priority;
+-
+-              if (nla_put_u32(skb, INET_DIAG_CLASS_ID, classid))
+-                      goto errout;
+-      }
+-
+ out:
+       nlmsg_end(skb, nlh);
+       return 0;
+--- a/net/ipv4/raw_diag.c
++++ b/net/ipv4/raw_diag.c
+@@ -100,8 +100,9 @@ static int raw_diag_dump_one(struct sk_b
+       if (IS_ERR(sk))
+               return PTR_ERR(sk);
+-      rep = nlmsg_new(sizeof(struct inet_diag_msg) +
+-                      sizeof(struct inet_diag_meminfo) + 64,
++      rep = nlmsg_new(nla_total_size(sizeof(struct inet_diag_msg)) +
++                      inet_diag_msg_attrs_size() +
++                      nla_total_size(sizeof(struct inet_diag_meminfo)) + 64,
+                       GFP_KERNEL);
+       if (!rep) {
+               sock_put(sk);
+--- a/net/ipv4/udp_diag.c
++++ b/net/ipv4/udp_diag.c
+@@ -64,8 +64,9 @@ static int udp_dump_one(struct udp_table
+               goto out;
+       err = -ENOMEM;
+-      rep = nlmsg_new(sizeof(struct inet_diag_msg) +
+-                      sizeof(struct inet_diag_meminfo) + 64,
++      rep = nlmsg_new(nla_total_size(sizeof(struct inet_diag_msg)) +
++                      inet_diag_msg_attrs_size() +
++                      nla_total_size(sizeof(struct inet_diag_meminfo)) + 64,
+                       GFP_KERNEL);
+       if (!rep)
+               goto out;
+--- a/net/sctp/diag.c
++++ b/net/sctp/diag.c
+@@ -237,15 +237,11 @@ static size_t inet_assoc_attr_size(struc
+               addrcnt++;
+       return    nla_total_size(sizeof(struct sctp_info))
+-              + nla_total_size(1) /* INET_DIAG_SHUTDOWN */
+-              + nla_total_size(1) /* INET_DIAG_TOS */
+-              + nla_total_size(1) /* INET_DIAG_TCLASS */
+-              + nla_total_size(4) /* INET_DIAG_MARK */
+-              + nla_total_size(4) /* INET_DIAG_CLASS_ID */
+               + nla_total_size(addrlen * asoc->peer.transport_count)
+               + nla_total_size(addrlen * addrcnt)
+-              + nla_total_size(sizeof(struct inet_diag_meminfo))
+               + nla_total_size(sizeof(struct inet_diag_msg))
++              + inet_diag_msg_attrs_size()
++              + nla_total_size(sizeof(struct inet_diag_meminfo))
+               + 64;
+ }
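Review bot: The new inline `inet_diag_msg_attrs_size()` in include/linux/inet_diag.h has to list exactly the attributes that `inet_diag_msg_attrs_fill()` can emit, but nothing in the code ties the two together. A one-line comment on the helper, `/* Keep in sync with the attributes put by inet_diag_msg_attrs_fill() */`, would make the coupling visible to whoever adds the next attribute. The callers in raw_diag.c and udp_diag.c still add a bare `+ 64` to the nlmsg_new() size. If that slack covers something specific it deserves a comment too, since an undersized reply buffer presumably shows up only as a failed put at run time. Several of the touched functions start or end outside their hunks.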
diff --git a/queue-5.4/ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch b/queue-5.4/ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch
new file mode 100644 (file)
index 0000000..b4a041d
--- /dev/null
@@ -0,0 +1,73 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Tue, 10 Mar 2020 15:27:37 +0800
+Subject: ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 60380488e4e0b95e9e82aa68aa9705baa86de84c ]
+
+Rafał found an issue that for non-Ethernet interface, if we down and up
+frequently, the memory will be consumed slowly.
+
+The reason is we add allnodes/allrouters addressed in multicast list in
+ipv6_add_dev(). When link down, we call ipv6_mc_down(), store all multicast
+addresses via mld_add_delrec(). But when link up, we don't call ipv6_mc_up()
+for non-Ethernet interface to remove the addresses. This makes idev->mc_tomb
+getting bigger and bigger. The call stack looks like:
+
+addrconf_notify(NETDEV_REGISTER)
+       ipv6_add_dev
+               ipv6_dev_mc_inc(ff01::1)
+               ipv6_dev_mc_inc(ff02::1)
+               ipv6_dev_mc_inc(ff02::2)
+
+addrconf_notify(NETDEV_UP)
+       addrconf_dev_config
+               /* Alas, we support only Ethernet autoconfiguration. */
+               return;
+
+addrconf_notify(NETDEV_DOWN)
+       addrconf_ifdown
+               ipv6_mc_down
+                       igmp6_group_dropped(ff02::2)
+                               mld_add_delrec(ff02::2)
+                       igmp6_group_dropped(ff02::1)
+                       igmp6_group_dropped(ff01::1)
+
+After investigating, I can't found a rule to disable multicast on
+non-Ethernet interface. In RFC2460, the link could be Ethernet, PPP, ATM,
+tunnels, etc. In IPv4, it doesn't check the dev type when calls ip_mc_up()
+in inetdev_event(). Even for IPv6, we don't check the dev type and call
+ipv6_add_dev(), ipv6_dev_mc_inc() after register device.
+
+So I think it's OK to fix this memory consumer by calling ipv6_mc_up() for
+non-Ethernet interface.
+
+v2: Also check IFF_MULTICAST flag to make sure the interface supports
+    multicast
+
+Reported-by: Rafał Miłecki <zajec5@gmail.com>
+Tested-by: Rafał Miłecki <zajec5@gmail.com>
+Fixes: 74235a25c673 ("[IPV6] addrconf: Fix IPv6 on tuntap tunnels")
+Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when set link down")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -3345,6 +3345,10 @@ static void addrconf_dev_config(struct n
+           (dev->type != ARPHRD_NONE) &&
+           (dev->type != ARPHRD_RAWIP)) {
+               /* Alas, we support only Ethernet autoconfiguration. */
++              idev = __in6_dev_get(dev);
++              if (!IS_ERR_OR_NULL(idev) && dev->flags & IFF_UP &&
++                  dev->flags & IFF_MULTICAST)
++                      ipv6_mc_up(idev);
+               return;
+       }
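Review bot: The added condition in addrconf_dev_config() mixes `&&` with unparenthesised `&`, as in `dev->flags & IFF_UP && dev->flags & IFF_MULTICAST`, while the surrounding condition parenthesises every term. Precedence makes it evaluate as intended, but `(dev->flags & IFF_UP) && (dev->flags & IFF_MULTICAST)` reads without a second look and matches the neighbouring lines. The new code also sits directly under `/* Alas, we support only Ethernet autoconfiguration. */`, which no longer describes the first thing the branch does. A short comment above the `idev` lookup, such as `/* bring multicast up here too, so records queued by ipv6_mc_down() are cleared */`, would help. The function body starts and ends outside the hunk.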
diff --git a/queue-5.4/ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch b/queue-5.4/ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch
new file mode 100644 (file)
index 0000000..b4e4ca6
--- /dev/null
@@ -0,0 +1,114 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Mahesh Bandewar <maheshb@google.com>
+Date: Mon, 9 Mar 2020 15:57:02 -0700
+Subject: ipvlan: add cond_resched_rcu() while processing muticast backlog
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+[ Upstream commit e18b353f102e371580f3f01dd47567a25acc3c1d ]
+
+If there are substantial number of slaves created as simulated by
+Syzbot, the backlog processing could take much longer and result
+into the issue found in the Syzbot report.
+
+INFO: rcu_sched detected stalls on CPUs/tasks:
+        (detected by 1, t=10502 jiffies, g=5049, c=5048, q=752)
+All QSes seen, last rcu_sched kthread activity 10502 (4294965563-4294955061), jiffies_till_next_fqs=1, root ->qsmask 0x0
+syz-executor.1  R  running task on cpu   1  10984 11210   3866 0x30020008 179034491270
+Call Trace:
+ <IRQ>
+ [<ffffffff81497163>] _sched_show_task kernel/sched/core.c:8063 [inline]
+ [<ffffffff81497163>] _sched_show_task.cold+0x2fd/0x392 kernel/sched/core.c:8030
+ [<ffffffff8146a91b>] sched_show_task+0xb/0x10 kernel/sched/core.c:8073
+ [<ffffffff815c931b>] print_other_cpu_stall kernel/rcu/tree.c:1577 [inline]
+ [<ffffffff815c931b>] check_cpu_stall kernel/rcu/tree.c:1695 [inline]
+ [<ffffffff815c931b>] __rcu_pending kernel/rcu/tree.c:3478 [inline]
+ [<ffffffff815c931b>] rcu_pending kernel/rcu/tree.c:3540 [inline]
+ [<ffffffff815c931b>] rcu_check_callbacks.cold+0xbb4/0xc29 kernel/rcu/tree.c:2876
+ [<ffffffff815e3962>] update_process_times+0x32/0x80 kernel/time/timer.c:1635
+ [<ffffffff816164f0>] tick_sched_handle+0xa0/0x180 kernel/time/tick-sched.c:161
+ [<ffffffff81616ae4>] tick_sched_timer+0x44/0x130 kernel/time/tick-sched.c:1193
+ [<ffffffff815e75f7>] __run_hrtimer kernel/time/hrtimer.c:1393 [inline]
+ [<ffffffff815e75f7>] __hrtimer_run_queues+0x307/0xd90 kernel/time/hrtimer.c:1455
+ [<ffffffff815e90ea>] hrtimer_interrupt+0x2ea/0x730 kernel/time/hrtimer.c:1513
+ [<ffffffff844050f4>] local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1031 [inline]
+ [<ffffffff844050f4>] smp_apic_timer_interrupt+0x144/0x5e0 arch/x86/kernel/apic/apic.c:1056
+ [<ffffffff84401cbe>] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:778
+RIP: 0010:do_raw_read_lock+0x22/0x80 kernel/locking/spinlock_debug.c:153
+RSP: 0018:ffff8801dad07ab8 EFLAGS: 00000a02 ORIG_RAX: ffffffffffffff12
+RAX: 0000000000000000 RBX: ffff8801c4135680 RCX: 0000000000000000
+RDX: 1ffff10038826afe RSI: ffff88019d816bb8 RDI: ffff8801c41357f0
+RBP: ffff8801dad07ac0 R08: 0000000000004b15 R09: 0000000000310273
+R10: ffff88019d816bb8 R11: 0000000000000001 R12: ffff8801c41357e8
+R13: 0000000000000000 R14: ffff8801cfb19850 R15: ffff8801cfb198b0
+ [<ffffffff8101460e>] __raw_read_lock_bh include/linux/rwlock_api_smp.h:177 [inline]
+ [<ffffffff8101460e>] _raw_read_lock_bh+0x3e/0x50 kernel/locking/spinlock.c:240
+ [<ffffffff840d78ca>] ipv6_chk_mcast_addr+0x11a/0x6f0 net/ipv6/mcast.c:1006
+ [<ffffffff84023439>] ip6_mc_input+0x319/0x8e0 net/ipv6/ip6_input.c:482
+ [<ffffffff840211c8>] dst_input include/net/dst.h:449 [inline]
+ [<ffffffff840211c8>] ip6_rcv_finish+0x408/0x610 net/ipv6/ip6_input.c:78
+ [<ffffffff840214de>] NF_HOOK include/linux/netfilter.h:292 [inline]
+ [<ffffffff840214de>] NF_HOOK include/linux/netfilter.h:286 [inline]
+ [<ffffffff840214de>] ipv6_rcv+0x10e/0x420 net/ipv6/ip6_input.c:278
+ [<ffffffff83a29efa>] __netif_receive_skb_one_core+0x12a/0x1f0 net/core/dev.c:5303
+ [<ffffffff83a2a15c>] __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:5417
+ [<ffffffff83a2f536>] process_backlog+0x216/0x6c0 net/core/dev.c:6243
+ [<ffffffff83a30d1b>] napi_poll net/core/dev.c:6680 [inline]
+ [<ffffffff83a30d1b>] net_rx_action+0x47b/0xfb0 net/core/dev.c:6748
+ [<ffffffff846002c8>] __do_softirq+0x2c8/0x99a kernel/softirq.c:317
+ [<ffffffff813e656a>] invoke_softirq kernel/softirq.c:399 [inline]
+ [<ffffffff813e656a>] irq_exit+0x16a/0x1a0 kernel/softirq.c:439
+ [<ffffffff84405115>] exiting_irq arch/x86/include/asm/apic.h:561 [inline]
+ [<ffffffff84405115>] smp_apic_timer_interrupt+0x165/0x5e0 arch/x86/kernel/apic/apic.c:1058
+ [<ffffffff84401cbe>] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:778
+ </IRQ>
+RIP: 0010:__sanitizer_cov_trace_pc+0x26/0x50 kernel/kcov.c:102
+RSP: 0018:ffff880196033bd8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff12
+RAX: ffff88019d8161c0 RBX: 00000000ffffffff RCX: ffffc90003501000
+RDX: 0000000000000002 RSI: ffffffff816236d1 RDI: 0000000000000005
+RBP: ffff880196033bd8 R08: ffff88019d8161c0 R09: 0000000000000000
+R10: 1ffff10032c067f0 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000
+ [<ffffffff816236d1>] do_futex+0x151/0x1d50 kernel/futex.c:3548
+ [<ffffffff816260f0>] C_SYSC_futex kernel/futex_compat.c:201 [inline]
+ [<ffffffff816260f0>] compat_SyS_futex+0x270/0x3b0 kernel/futex_compat.c:175
+ [<ffffffff8101da17>] do_syscall_32_irqs_on arch/x86/entry/common.c:353 [inline]
+ [<ffffffff8101da17>] do_fast_syscall_32+0x357/0xe1c arch/x86/entry/common.c:415
+ [<ffffffff84401a9b>] entry_SYSENTER_compat+0x8b/0x9d arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7f23c69
+RSP: 002b:00000000f5d1f12c EFLAGS: 00000282 ORIG_RAX: 00000000000000f0
+RAX: ffffffffffffffda RBX: 000000000816af88 RCX: 0000000000000080
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000816af8c
+RBP: 00000000f5d1f228 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+rcu_sched kthread starved for 10502 jiffies! g5049 c5048 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=1
+rcu_sched       R  running task on cpu   1  13048     8      2 0x90000000 179099587640
+Call Trace:
+ [<ffffffff8147321f>] context_switch+0x60f/0xa60 kernel/sched/core.c:3209
+ [<ffffffff8100095a>] __schedule+0x5aa/0x1da0 kernel/sched/core.c:3934
+ [<ffffffff810021df>] schedule+0x8f/0x1b0 kernel/sched/core.c:4011
+ [<ffffffff8101116d>] schedule_timeout+0x50d/0xee0 kernel/time/timer.c:1803
+ [<ffffffff815c13f1>] rcu_gp_kthread+0xda1/0x3b50 kernel/rcu/tree.c:2327
+ [<ffffffff8144b318>] kthread+0x348/0x420 kernel/kthread.c:246
+ [<ffffffff84400266>] ret_from_fork+0x56/0x70 arch/x86/entry/entry_64.S:393
+
+Fixes: ba35f8588f47 (“ipvlan: Defer multicast / broadcast processing to a work-queue”)
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_core.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -277,6 +277,7 @@ void ipvlan_process_multicast(struct wor
+                       }
+                       ipvlan_count_rx(ipvlan, len, ret == NET_RX_SUCCESS, true);
+                       local_bh_enable();
++                      cond_resched_rcu();
+               }
+               rcu_read_unlock();
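Review bot: `cond_resched_rcu()` is called inside the loop body, two lines above the `rcu_read_unlock()`, and when it reschedules it leaves and re-enters the RCU read-side critical section. If the enclosing loop walks an RCU-protected list (the loop header is outside the hunk), the entry held by the iterator may be freed across that call and the next step of the walk would touch stale memory. It looks safer to keep the read-side section intact and yield after it, by dropping this line and adding `cond_resched();` after `rcu_read_unlock();`. That assumes the outer per-packet loop runs in process context. ipvlan_process_multicast() starts and ends outside the hunk.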
diff --git a/queue-5.4/ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch b/queue-5.4/ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch
new file mode 100644 (file)
index 0000000..b920fb6
--- /dev/null
@@ -0,0 +1,70 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jiri Wiesner <jwiesner@suse.com>
+Date: Sat, 7 Mar 2020 13:31:57 +0100
+Subject: ipvlan: do not add hardware address of master to its unicast filter list
+
+From: Jiri Wiesner <jwiesner@suse.com>
+
+[ Upstream commit 63aae7b17344d4b08a7d05cb07044de4c0f9dcc6 ]
+
+There is a problem when ipvlan slaves are created on a master device that
+is a vmxnet3 device (ipvlan in VMware guests). The vmxnet3 driver does not
+support unicast address filtering. When an ipvlan device is brought up in
+ipvlan_open(), the ipvlan driver calls dev_uc_add() to add the hardware
+address of the vmxnet3 master device to the unicast address list of the
+master device, phy_dev->uc. This inevitably leads to the vmxnet3 master
+device being forced into promiscuous mode by __dev_set_rx_mode().
+
+Promiscuous mode is switched on the master despite the fact that there is
+still only one hardware address that the master device should use for
+filtering in order for the ipvlan device to be able to receive packets.
+The comment above struct net_device describes the uc_promisc member as a
+"counter, that indicates, that promiscuous mode has been enabled due to
+the need to listen to additional unicast addresses in a device that does
+not implement ndo_set_rx_mode()". Moreover, the design of ipvlan
+guarantees that only the hardware address of a master device,
+phy_dev->dev_addr, will be used to transmit and receive all packets from
+its ipvlan slaves. Thus, the unicast address list of the master device
+should not be modified by ipvlan_open() and ipvlan_stop() in order to make
+ipvlan a workable option on masters that do not support unicast address
+filtering.
+
+Fixes: 2ad7bf3638411 ("ipvlan: Initial check-in of the IPVLAN driver")
+Reported-by: Per Sundstrom <per.sundstrom@redqube.se>
+Signed-off-by: Jiri Wiesner <jwiesner@suse.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_main.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -164,7 +164,6 @@ static void ipvlan_uninit(struct net_dev
+ static int ipvlan_open(struct net_device *dev)
+ {
+       struct ipvl_dev *ipvlan = netdev_priv(dev);
+-      struct net_device *phy_dev = ipvlan->phy_dev;
+       struct ipvl_addr *addr;
+       if (ipvlan->port->mode == IPVLAN_MODE_L3 ||
+@@ -178,7 +177,7 @@ static int ipvlan_open(struct net_device
+               ipvlan_ht_addr_add(ipvlan, addr);
+       rcu_read_unlock();
+-      return dev_uc_add(phy_dev, phy_dev->dev_addr);
++      return 0;
+ }
+ static int ipvlan_stop(struct net_device *dev)
+@@ -190,8 +189,6 @@ static int ipvlan_stop(struct net_device
+       dev_uc_unsync(phy_dev, dev);
+       dev_mc_unsync(phy_dev, dev);
+-      dev_uc_del(phy_dev, phy_dev->dev_addr);
+-
+       rcu_read_lock();
+       list_for_each_entry_rcu(addr, &ipvlan->addrs, anode)
+               ipvlan_ht_addr_del(addr);
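Review bot: The new `return 0;` at the end of ipvlan_open() and the dropped `dev_uc_del()` in ipvlan_stop() leave nothing in the code to say that the master's unicast list is left alone on purpose. A later change could put the call back and force masters without unicast filtering into promiscuous mode again. A comment above the return would record the reason: `/* Slaves share phy_dev->dev_addr; never add it to phy_dev->uc, which forces promiscuous mode on masters without unicast filtering. */`. Both functions start or end outside the hunks shown.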
diff --git a/queue-5.4/ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch b/queue-5.4/ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch
new file mode 100644 (file)
index 0000000..f08c90a
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 9 Mar 2020 18:22:58 -0700
+Subject: ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit afe207d80a61e4d6e7cfa0611a4af46d0ba95628 ]
+
+Commit e18b353f102e ("ipvlan: add cond_resched_rcu() while
+processing muticast backlog") added a cond_resched_rcu() in a loop
+using rcu protection to iterate over slaves.
+
+This is breaking rcu rules, so lets instead use cond_resched()
+at a point we can reschedule
+
+Fixes: e18b353f102e ("ipvlan: add cond_resched_rcu() while processing muticast backlog")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -277,7 +277,6 @@ void ipvlan_process_multicast(struct wor
+                       }
+                       ipvlan_count_rx(ipvlan, len, ret == NET_RX_SUCCESS, true);
+                       local_bh_enable();
+-                      cond_resched_rcu();
+               }
+               rcu_read_unlock();
+@@ -294,6 +293,7 @@ void ipvlan_process_multicast(struct wor
+               }
+               if (dev)
+                       dev_put(dev);
++              cond_resched();
+       }
+ }
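Review bot: The added `cond_resched();` has no comment saying that its position, after `dev_put(dev)` and apparently after the `rcu_read_unlock()` shown in the first hunk, is a requirement rather than a convenience. This patch exists because the earlier fix put the reschedule point inside the RCU-protected slave walk, so the constraint is worth stating at the call: `/* Reschedule only here, outside the rcu_read_lock() section above. */`. The loop header of ipvlan_process_multicast() is outside the hunk, so the exact nesting should be confirmed against the full function.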
diff --git a/queue-5.4/ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch b/queue-5.4/ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch
new file mode 100644 (file)
index 0000000..6b410f3
--- /dev/null
@@ -0,0 +1,54 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Mahesh Bandewar <maheshb@google.com>
+Date: Mon, 9 Mar 2020 15:56:56 -0700
+Subject: ipvlan: don't deref eth hdr before checking it's set
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+[ Upstream commit ad8192767c9f9cf97da57b9ffcea70fb100febef ]
+
+IPvlan in L3 mode discards outbound multicast packets but performs
+the check before ensuring the ether-header is set or not. This is
+an error that Eric found through code browsing.
+
+Fixes: 2ad7bf363841 (“ipvlan: Initial check-in of the IPVLAN driver.”)
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Reported-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_core.c |   18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -499,19 +499,21 @@ static int ipvlan_process_outbound(struc
+       struct ethhdr *ethh = eth_hdr(skb);
+       int ret = NET_XMIT_DROP;
+-      /* In this mode we dont care about multicast and broadcast traffic */
+-      if (is_multicast_ether_addr(ethh->h_dest)) {
+-              pr_debug_ratelimited("Dropped {multi|broad}cast of type=[%x]\n",
+-                                   ntohs(skb->protocol));
+-              kfree_skb(skb);
+-              goto out;
+-      }
+-
+       /* The ipvlan is a pseudo-L2 device, so the packets that we receive
+        * will have L2; which need to discarded and processed further
+        * in the net-ns of the main-device.
+        */
+       if (skb_mac_header_was_set(skb)) {
++              /* In this mode we dont care about
++               * multicast and broadcast traffic */
++              if (is_multicast_ether_addr(ethh->h_dest)) {
++                      pr_debug_ratelimited(
++                              "Dropped {multi|broad}cast of type=[%x]\n",
++                              ntohs(skb->protocol));
++                      kfree_skb(skb);
++                      goto out;
++              }
++
+               skb_pull(skb, sizeof(*ethh));
+               skb->mac_header = (typeof(skb->mac_header))~0U;
+               skb_reset_network_header(skb);
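Review bot: `struct ethhdr *ethh = eth_hdr(skb);` is still evaluated at the declaration, before `skb_mac_header_was_set(skb)` is tested, so a pointer derived from an unset MAC header stays in scope on the path where it must not be used. Assigning it inside the guard, with `ethh = eth_hdr(skb);` as the first statement of the `if (skb_mac_header_was_set(skb))` body, keeps it out of reach of later edits; the `sizeof(*ethh)` in `skb_pull()` does not need a valid pointer. The moved comment also closes with `*/` on its text line, unlike the block comment just above it. ipvlan_process_outbound() continues past the hunk, so any later use of `ethh` should be checked there.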
diff --git a/queue-5.4/macsec-add-missing-attribute-validation-for-port.patch b/queue-5.4/macsec-add-missing-attribute-validation-for-port.patch
new file mode 100644 (file)
index 0000000..7f6cc56
--- /dev/null
@@ -0,0 +1,30 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:17 -0800
+Subject: macsec: add missing attribute validation for port
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 31d9a1c524964bac77b7f9d0a1ac140dc6b57461 ]
+
+Add missing attribute validation for IFLA_MACSEC_PORT
+to the netlink policy.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -2983,6 +2983,7 @@ static const struct device_type macsec_t
+ static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = {
+       [IFLA_MACSEC_SCI] = { .type = NLA_U64 },
++      [IFLA_MACSEC_PORT] = { .type = NLA_U16 },
+       [IFLA_MACSEC_ICV_LEN] = { .type = NLA_U8 },
+       [IFLA_MACSEC_CIPHER_SUITE] = { .type = NLA_U64 },
+       [IFLA_MACSEC_WINDOW] = { .type = NLA_U32 },
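Review bot: The `[IFLA_MACSEC_PORT] = { .type = NLA_U16 }` entry is added without any comment on the table reminding the next author that an attribute absent from the policy is, as far as this code path appears to go, not length-checked before the link handlers read it. A comment above `macsec_rtnl_policy` such as `/* Every IFLA_MACSEC_* attribute read by the link ops must have an entry here. */` would make the omission harder to repeat; the same applies to `fq_policy` in the sch_fq patch further down this commit. Only part of the table is visible in the hunk, so whether other attributes are still uncovered cannot be checked from here.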
diff --git a/queue-5.4/macvlan-add-cond_resched-during-multicast-processing.patch b/queue-5.4/macvlan-add-cond_resched-during-multicast-processing.patch
new file mode 100644 (file)
index 0000000..99fe50f
--- /dev/null
@@ -0,0 +1,40 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Mahesh Bandewar <maheshb@google.com>
+Date: Mon, 9 Mar 2020 15:57:07 -0700
+Subject: macvlan: add cond_resched() during multicast processing
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+[ Upstream commit ce9a4186f9ac475c415ffd20348176a4ea366670 ]
+
+The Rx bound multicast packets are deferred to a workqueue and
+macvlan can also suffer from the same attack that was discovered
+by Syzbot for IPvlan. This solution is not as effective as in
+IPvlan. IPvlan defers all (Tx and Rx) multicast packet processing
+to a workqueue while macvlan does this way only for the Rx. This
+fix should address the Rx codition to certain extent.
+
+Tx is still suseptible. Tx multicast processing happens when
+.ndo_start_xmit is called, hence we cannot add cond_resched().
+However, it's not that severe since the user which is generating
+ / flooding will be affected the most.
+
+Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -334,6 +334,8 @@ static void macvlan_process_broadcast(st
+               if (src)
+                       dev_put(src->dev);
+               consume_skb(skb);
++
++              cond_resched();
+       }
+ }
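Review bot: The new `cond_resched();` at the bottom of the loop in macvlan_process_broadcast() needs to sit outside any RCU read-side section, and the hunk does not show where `rcu_read_lock()`/`rcu_read_unlock()` fall in the loop body. The sibling ipvlan change in this same queue had to be corrected for exactly that mistake, so the placement should be confirmed against the full function and noted at the call: `/* Outside the RCU read-side section; safe to reschedule here. */`. The commit message also states that the Tx path is left unbounded, which is worth a comment near the Tx multicast handling, outside this hunk.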
diff --git a/queue-5.4/net-dsa-don-t-instantiate-phylink-for-cpu-dsa-ports-unless-needed.patch b/queue-5.4/net-dsa-don-t-instantiate-phylink-for-cpu-dsa-ports-unless-needed.patch
new file mode 100644 (file)
index 0000000..8a19200
--- /dev/null
@@ -0,0 +1,63 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Andrew Lunn <andrew@lunn.ch>
+Date: Wed, 11 Mar 2020 16:24:24 +0100
+Subject: net: dsa: Don't instantiate phylink for CPU/DSA ports unless needed
+
+From: Andrew Lunn <andrew@lunn.ch>
+
+[ Upstream commit a20f997010c4ec76eaa55b8cc047d76dcac69f70 ]
+
+By default, DSA drivers should configure CPU and DSA ports to their
+maximum speed. In many configurations this is sufficient to make the
+link work.
+
+In some cases it is necessary to configure the link to run slower,
+e.g. because of limitations of the SoC it is connected to. Or back to
+back PHYs are used and the PHY needs to be driven in order to
+establish link. In this case, phylink is used.
+
+Only instantiate phylink if it is required. If there is no PHY, or no
+fixed link properties, phylink can upset a link which works in the
+default configuration.
+
+Fixes: 0e27921816ad ("net: dsa: Use PHYLINK for the CPU/DSA ports")
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/port.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/dsa/port.c
++++ b/net/dsa/port.c
+@@ -649,9 +649,14 @@ err_phy_connect:
+ int dsa_port_link_register_of(struct dsa_port *dp)
+ {
+       struct dsa_switch *ds = dp->ds;
++      struct device_node *phy_np;
+-      if (!ds->ops->adjust_link)
+-              return dsa_port_phylink_register(dp);
++      if (!ds->ops->adjust_link) {
++              phy_np = of_parse_phandle(dp->dn, "phy-handle", 0);
++              if (of_phy_is_fixed_link(dp->dn) || phy_np)
++                      return dsa_port_phylink_register(dp);
++              return 0;
++      }
+       dev_warn(ds->dev,
+                "Using legacy PHYLIB callbacks. Please migrate to PHYLINK!\n");
+@@ -666,11 +671,12 @@ void dsa_port_link_unregister_of(struct
+ {
+       struct dsa_switch *ds = dp->ds;
+-      if (!ds->ops->adjust_link) {
++      if (!ds->ops->adjust_link && dp->pl) {
+               rtnl_lock();
+               phylink_disconnect_phy(dp->pl);
+               rtnl_unlock();
+               phylink_destroy(dp->pl);
++              dp->pl = NULL;
+               return;
+       }
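Review bot: The node returned by `of_parse_phandle(dp->dn, "phy-handle", 0)` in dsa_port_link_register_of() is never released, so each call that finds a phy-handle leaks a device_node reference on both the register path and the `return 0` path. The handle is only used as a presence test, so it can be dropped with `of_node_put()` before returning; `of_node_put(NULL)` is a no-op, which keeps the code unconditional. The legacy PHYLIB branch of the function lies outside the hunk and is unaffected.

```c
int dsa_port_link_register_of(struct dsa_port *dp)
{
	/* … unchanged: ds and phy_np declarations … */
	int err = 0;

	if (!ds->ops->adjust_link) {
		phy_np = of_parse_phandle(dp->dn, "phy-handle", 0);
		if (of_phy_is_fixed_link(dp->dn) || phy_np)
			err = dsa_port_phylink_register(dp);
		/* Drop the reference taken by of_parse_phandle(). */
		of_node_put(phy_np);
		return err;
	}
	/* … unchanged: legacy PHYLIB path … */
```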
diff --git a/queue-5.4/net-dsa-fix-phylink_start-phylink_stop-calls.patch b/queue-5.4/net-dsa-fix-phylink_start-phylink_stop-calls.patch
new file mode 100644 (file)
index 0000000..620cb7f
--- /dev/null
@@ -0,0 +1,133 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Tue, 3 Mar 2020 15:01:46 +0000
+Subject: net: dsa: fix phylink_start()/phylink_stop() calls
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit 8640f8dc6d657ebfb4e67c202ad32c5457858a13 ]
+
+Place phylink_start()/phylink_stop() inside dsa_port_enable() and
+dsa_port_disable(), which ensures that we call phylink_stop() before
+tearing down phylink - which is a documented requirement.  Failure
+to do so can cause use-after-free bugs.
+
+Fixes: 0e27921816ad ("net: dsa: Use PHYLINK for the CPU/DSA ports")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/dsa_priv.h |    2 ++
+ net/dsa/port.c     |   32 ++++++++++++++++++++++++++------
+ net/dsa/slave.c    |    8 ++------
+ 3 files changed, 30 insertions(+), 12 deletions(-)
+
+--- a/net/dsa/dsa_priv.h
++++ b/net/dsa/dsa_priv.h
+@@ -128,7 +128,9 @@ static inline struct net_device *dsa_mas
+ /* port.c */
+ int dsa_port_set_state(struct dsa_port *dp, u8 state,
+                      struct switchdev_trans *trans);
++int dsa_port_enable_rt(struct dsa_port *dp, struct phy_device *phy);
+ int dsa_port_enable(struct dsa_port *dp, struct phy_device *phy);
++void dsa_port_disable_rt(struct dsa_port *dp);
+ void dsa_port_disable(struct dsa_port *dp);
+ int dsa_port_bridge_join(struct dsa_port *dp, struct net_device *br);
+ void dsa_port_bridge_leave(struct dsa_port *dp, struct net_device *br);
+--- a/net/dsa/port.c
++++ b/net/dsa/port.c
+@@ -63,7 +63,7 @@ static void dsa_port_set_state_now(struc
+               pr_err("DSA: failed to set STP state %u (%d)\n", state, err);
+ }
+-int dsa_port_enable(struct dsa_port *dp, struct phy_device *phy)
++int dsa_port_enable_rt(struct dsa_port *dp, struct phy_device *phy)
+ {
+       struct dsa_switch *ds = dp->ds;
+       int port = dp->index;
+@@ -78,14 +78,31 @@ int dsa_port_enable(struct dsa_port *dp,
+       if (!dp->bridge_dev)
+               dsa_port_set_state_now(dp, BR_STATE_FORWARDING);
++      if (dp->pl)
++              phylink_start(dp->pl);
++
+       return 0;
+ }
+-void dsa_port_disable(struct dsa_port *dp)
++int dsa_port_enable(struct dsa_port *dp, struct phy_device *phy)
++{
++      int err;
++
++      rtnl_lock();
++      err = dsa_port_enable_rt(dp, phy);
++      rtnl_unlock();
++
++      return err;
++}
++
++void dsa_port_disable_rt(struct dsa_port *dp)
+ {
+       struct dsa_switch *ds = dp->ds;
+       int port = dp->index;
++      if (dp->pl)
++              phylink_stop(dp->pl);
++
+       if (!dp->bridge_dev)
+               dsa_port_set_state_now(dp, BR_STATE_DISABLED);
+@@ -93,6 +110,13 @@ void dsa_port_disable(struct dsa_port *d
+               ds->ops->port_disable(ds, port);
+ }
++void dsa_port_disable(struct dsa_port *dp)
++{
++      rtnl_lock();
++      dsa_port_disable_rt(dp);
++      rtnl_unlock();
++}
++
+ int dsa_port_bridge_join(struct dsa_port *dp, struct net_device *br)
+ {
+       struct dsa_notifier_bridge_info info = {
+@@ -615,10 +639,6 @@ static int dsa_port_phylink_register(str
+               goto err_phy_connect;
+       }
+-      rtnl_lock();
+-      phylink_start(dp->pl);
+-      rtnl_unlock();
+-
+       return 0;
+ err_phy_connect:
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -90,12 +90,10 @@ static int dsa_slave_open(struct net_dev
+                       goto clear_allmulti;
+       }
+-      err = dsa_port_enable(dp, dev->phydev);
++      err = dsa_port_enable_rt(dp, dev->phydev);
+       if (err)
+               goto clear_promisc;
+-      phylink_start(dp->pl);
+-
+       return 0;
+ clear_promisc:
+@@ -119,9 +117,7 @@ static int dsa_slave_close(struct net_de
+       cancel_work_sync(&dp->xmit_work);
+       skb_queue_purge(&dp->xmit_queue);
+-      phylink_stop(dp->pl);
+-
+-      dsa_port_disable(dp);
++      dsa_port_disable_rt(dp);
+       dev_mc_unsync(master, dev);
+       dev_uc_unsync(master, dev);
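Review bot: `dsa_port_enable_rt()` and `dsa_port_disable_rt()` now call `phylink_start()`/`phylink_stop()` and appear to rely on the caller holding RTNL, but neither the prototypes in dsa_priv.h nor the function bodies say so or check it. Adding `ASSERT_RTNL();` as the first statement of both, with a comment on the prototypes such as `/* _rt variants: caller must hold rtnl_lock */`, would catch a caller that picks the wrong variant. The converse matters too: `dsa_port_enable()` and `dsa_port_disable()` now take `rtnl_lock()` themselves, so any caller that already holds RTNL would deadlock and needs the `_rt` form. Callers other than dsa_slave_open() and dsa_slave_close() are not visible in these hunks.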
diff --git a/queue-5.4/net-dsa-mv88e6xxx-fix-lockup-on-warm-boot.patch b/queue-5.4/net-dsa-mv88e6xxx-fix-lockup-on-warm-boot.patch
new file mode 100644 (file)
index 0000000..a0f0249
--- /dev/null
@@ -0,0 +1,53 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Fri, 28 Feb 2020 19:39:41 +0000
+Subject: net: dsa: mv88e6xxx: fix lockup on warm boot
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit 0395823b8d9a4d87bd1bf74359123461c2ae801b ]
+
+If the switch is not hardware reset on a warm boot, interrupts can be
+left enabled, and possibly pending. This will cause us to enter an
+infinite loop trying to service an interrupt we are unable to handle,
+thereby preventing the kernel from booting.
+
+Ensure that the global 2 interrupt sources are disabled before we claim
+the parent interrupt.
+
+Observed on the ZII development revision B and C platforms with
+reworked serdes support, and using reboot -f to reboot the platform.
+
+Fixes: dc30c35be720 ("net: dsa: mv88e6xxx: Implement interrupt support.")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/global2.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/mv88e6xxx/global2.c
++++ b/drivers/net/dsa/mv88e6xxx/global2.c
+@@ -1083,6 +1083,13 @@ int mv88e6xxx_g2_irq_setup(struct mv88e6
+ {
+       int err, irq, virq;
++      chip->g2_irq.masked = ~0;
++      mv88e6xxx_reg_lock(chip);
++      err = mv88e6xxx_g2_int_mask(chip, ~chip->g2_irq.masked);
++      mv88e6xxx_reg_unlock(chip);
++      if (err)
++              return err;
++
+       chip->g2_irq.domain = irq_domain_add_simple(
+               chip->dev->of_node, 16, 0, &mv88e6xxx_g2_irq_domain_ops, chip);
+       if (!chip->g2_irq.domain)
+@@ -1092,7 +1099,6 @@ int mv88e6xxx_g2_irq_setup(struct mv88e6
+               irq_create_mapping(chip->g2_irq.domain, irq);
+       chip->g2_irq.chip = mv88e6xxx_g2_irq_chip;
+-      chip->g2_irq.masked = ~0;
+       chip->device_irq = irq_find_mapping(chip->g1_irq.domain,
+                                           MV88E6XXX_G1_STS_IRQ_DEVICE);
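Review bot: `mv88e6xxx_g2_int_mask(chip, ~chip->g2_irq.masked)` directly after `chip->g2_irq.masked = ~0;` passes zero, which is not obvious at a glance, and the block has no comment tying it to the warm-boot case it guards against. A comment above it would keep the ordering from being undone later: `/* Mask every G2 source before the parent IRQ is claimed; a warm boot can leave them enabled and pending. */`. mv88e6xxx_g2_irq_setup() continues beyond the hunk, so the later error paths cannot be judged from here.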
diff --git a/queue-5.4/net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch b/queue-5.4/net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch
new file mode 100644 (file)
index 0000000..70019e7
--- /dev/null
@@ -0,0 +1,46 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Tue, 10 Mar 2020 20:36:16 -0700
+Subject: net: fec: validate the new settings in fec_enet_set_coalesce()
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit ab14961d10d02d20767612c78ce148f6eb85bd58 ]
+
+fec_enet_set_coalesce() validates the previously set params
+and if they are within range proceeds to apply the new ones.
+The new ones, however, are not validated. This seems backwards,
+probably a copy-paste error?
+
+Compile tested only.
+
+Fixes: d851b47b22fc ("net: fec: add interrupt coalescence feature support")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -2529,15 +2529,15 @@ fec_enet_set_coalesce(struct net_device
+               return -EINVAL;
+       }
+-      cycle = fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr);
++      cycle = fec_enet_us_to_itr_clock(ndev, ec->rx_coalesce_usecs);
+       if (cycle > 0xFFFF) {
+               dev_err(dev, "Rx coalesced usec exceed hardware limitation\n");
+               return -EINVAL;
+       }
+-      cycle = fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr);
++      cycle = fec_enet_us_to_itr_clock(ndev, ec->tx_coalesce_usecs);
+       if (cycle > 0xFFFF) {
+-              dev_err(dev, "Rx coalesced usec exceed hardware limitation\n");
++              dev_err(dev, "Tx coalesced usec exceed hardware limitation\n");
+               return -EINVAL;
+       }
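Review bot: The range check now covers `ec->rx_coalesce_usecs` and `ec->tx_coalesce_usecs`, which come from the ethtool caller, but it is applied only after `fec_enet_us_to_itr_clock()` has converted them. If that helper multiplies in a fixed-width integer (its body is outside the hunk, so this needs confirming), a very large request could wrap before the `cycle > 0xFFFF` comparison and be accepted. Bounding the raw microsecond values before conversion, or doing the conversion in a 64-bit type, would close that gap. fec_enet_set_coalesce() begins and ends outside the hunk.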
diff --git a/queue-5.4/net-fq-add-missing-attribute-validation-for-orphan-mask.patch b/queue-5.4/net-fq-add-missing-attribute-validation-for-orphan-mask.patch
new file mode 100644 (file)
index 0000000..2c96952
--- /dev/null
@@ -0,0 +1,30 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:19 -0800
+Subject: net: fq: add missing attribute validation for orphan mask
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 7e6dc03eeb023e18427a373522f1d247b916a641 ]
+
+Add missing attribute validation for TCA_FQ_ORPHAN_MASK
+to the netlink policy.
+
+Fixes: 06eb395fa985 ("pkt_sched: fq: better control of DDOS traffic")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_fq.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/sch_fq.c
++++ b/net/sched/sch_fq.c
+@@ -745,6 +745,7 @@ static const struct nla_policy fq_policy
+       [TCA_FQ_FLOW_MAX_RATE]          = { .type = NLA_U32 },
+       [TCA_FQ_BUCKETS_LOG]            = { .type = NLA_U32 },
+       [TCA_FQ_FLOW_REFILL_DELAY]      = { .type = NLA_U32 },
++      [TCA_FQ_ORPHAN_MASK]            = { .type = NLA_U32 },
+       [TCA_FQ_LOW_RATE_THRESHOLD]     = { .type = NLA_U32 },
+       [TCA_FQ_CE_THRESHOLD]           = { .type = NLA_U32 },
+ };
diff --git a/queue-5.4/net-hns3-fix-a-not-link-up-issue-when-fibre-port-supports-autoneg.patch b/queue-5.4/net-hns3-fix-a-not-link-up-issue-when-fibre-port-supports-autoneg.patch
new file mode 100644 (file)
index 0000000..925bd14
--- /dev/null
@@ -0,0 +1,51 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jian Shen <shenjian15@huawei.com>
+Date: Thu, 5 Mar 2020 09:47:53 +0800
+Subject: net: hns3: fix a not link up issue when fibre port supports autoneg
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit 68e1006f618e509fc7869259fe83ceec4a95dac3 ]
+
+When fibre port supports auto-negotiation, the IMP(Intelligent
+Management Process) processes the speed of auto-negotiation
+and the  user's speed separately.
+For below case, the port will get a not link up problem.
+step 1: disables auto-negotiation and sets speed to A, then
+the driver's MAC speed will be updated to A.
+step 2: enables auto-negotiation and MAC gets negotiated
+speed B, then the driver's MAC speed will be updated to B
+through querying in periodical task.
+step 3: MAC gets new negotiated speed A.
+step 4: disables auto-negotiation and sets speed to B before
+periodical task query new MAC speed A, the driver will  ignore
+the speed configuration.
+
+This patch fixes it by skipping speed and duplex checking when
+fibre port supports auto-negotiation.
+
+Fixes: 22f48e24a23d ("net: hns3: add autoneg and change speed support for fibre port")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -2417,10 +2417,12 @@ static int hclge_cfg_mac_speed_dup_hw(st
+ int hclge_cfg_mac_speed_dup(struct hclge_dev *hdev, int speed, u8 duplex)
+ {
++      struct hclge_mac *mac = &hdev->hw.mac;
+       int ret;
+       duplex = hclge_check_speed_dup(duplex, speed);
+-      if (hdev->hw.mac.speed == speed && hdev->hw.mac.duplex == duplex)
++      if (!mac->support_autoneg && mac->speed == speed &&
++          mac->duplex == duplex)
+               return 0;
+       ret = hclge_cfg_mac_speed_dup_hw(hdev, speed, duplex);
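Review bot: The new `!mac->support_autoneg` term in the early-return test has no comment, and without the commit message it reads as an unexplained exception. Ports that support autoneg now always reach `hclge_cfg_mac_speed_dup_hw()`, even when speed and duplex match the cached values. A short comment before the `if` would preserve the intent: `/* With autoneg support the cached speed/duplex can lag the negotiated values, so never skip the hardware write. */`. The function body continues past the hunk.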
diff --git a/queue-5.4/net-ipv6-need-update-peer-route-when-modify-metric.patch b/queue-5.4/net-ipv6-need-update-peer-route-when-modify-metric.patch
new file mode 100644 (file)
index 0000000..249b761
--- /dev/null
@@ -0,0 +1,90 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Tue, 3 Mar 2020 14:37:34 +0800
+Subject: net/ipv6: need update peer route when modify metric
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 617940123e0140521f3080d2befc2bf55bcda094 ]
+
+When we modify the route metric, the peer address's route need also
+be updated. Before the fix:
+
++ ip addr add dev dummy1 2001:db8::1 peer 2001:db8::2 metric 60
++ ip -6 route show dev dummy1
+2001:db8::1 proto kernel metric 60 pref medium
+2001:db8::2 proto kernel metric 60 pref medium
++ ip addr change dev dummy1 2001:db8::1 peer 2001:db8::2 metric 61
++ ip -6 route show dev dummy1
+2001:db8::1 proto kernel metric 61 pref medium
+2001:db8::2 proto kernel metric 60 pref medium
+
+After the fix:
++ ip addr change dev dummy1 2001:db8::1 peer 2001:db8::2 metric 61
++ ip -6 route show dev dummy1
+2001:db8::1 proto kernel metric 61 pref medium
+2001:db8::2 proto kernel metric 61 pref medium
+
+Fixes: 8308f3ff1753 ("net/ipv6: Add support for specifying metric of connected routes")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c |   20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -4590,12 +4590,14 @@ inet6_rtm_deladdr(struct sk_buff *skb, s
+ }
+ static int modify_prefix_route(struct inet6_ifaddr *ifp,
+-                             unsigned long expires, u32 flags)
++                             unsigned long expires, u32 flags,
++                             bool modify_peer)
+ {
+       struct fib6_info *f6i;
+       u32 prio;
+-      f6i = addrconf_get_prefix_route(&ifp->addr, ifp->prefix_len,
++      f6i = addrconf_get_prefix_route(modify_peer ? &ifp->peer_addr : &ifp->addr,
++                                      ifp->prefix_len,
+                                       ifp->idev->dev, 0, RTF_DEFAULT, true);
+       if (!f6i)
+               return -ENOENT;
+@@ -4606,7 +4608,8 @@ static int modify_prefix_route(struct in
+               ip6_del_rt(dev_net(ifp->idev->dev), f6i);
+               /* add new one */
+-              addrconf_prefix_route(&ifp->addr, ifp->prefix_len,
++              addrconf_prefix_route(modify_peer ? &ifp->peer_addr : &ifp->addr,
++                                    ifp->prefix_len,
+                                     ifp->rt_priority, ifp->idev->dev,
+                                     expires, flags, GFP_KERNEL);
+       } else {
+@@ -4682,7 +4685,7 @@ static int inet6_addr_modify(struct inet
+               int rc = -ENOENT;
+               if (had_prefixroute)
+-                      rc = modify_prefix_route(ifp, expires, flags);
++                      rc = modify_prefix_route(ifp, expires, flags, false);
+               /* prefix route could have been deleted; if so restore it */
+               if (rc == -ENOENT) {
+@@ -4690,6 +4693,15 @@ static int inet6_addr_modify(struct inet
+                                             ifp->rt_priority, ifp->idev->dev,
+                                             expires, flags, GFP_KERNEL);
+               }
++
++              if (had_prefixroute && !ipv6_addr_any(&ifp->peer_addr))
++                      rc = modify_prefix_route(ifp, expires, flags, true);
++
++              if (rc == -ENOENT && !ipv6_addr_any(&ifp->peer_addr)) {
++                      addrconf_prefix_route(&ifp->peer_addr, ifp->prefix_len,
++                                            ifp->rt_priority, ifp->idev->dev,
++                                            expires, flags, GFP_KERNEL);
++              }
+       } else if (had_prefixroute) {
+               enum cleanup_prefix_rt_t action;
+               unsigned long rt_expires;
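Review bot: In inet6_addr_modify() the peer handling reuses `rc` from the local-address lookup and tests `!ipv6_addr_any(&ifp->peer_addr)` twice, so the second `rc == -ENOENT` check depends on whichever assignment happened to run last. Wrapping both statements in a single `if (!ipv6_addr_any(&ifp->peer_addr)) { ... }` that resets `rc = -ENOENT;` at its top would let the peer path be read on its own. In modify_prefix_route() the expression `modify_peer ? &ifp->peer_addr : &ifp->addr` is written out twice; a local `const struct in6_addr *addr = modify_peer ? &ifp->peer_addr : &ifp->addr;` would keep the lookup and the re-add on the same address. Both functions extend beyond the hunks shown.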
diff --git a/queue-5.4/net-ipv6-remove-the-old-peer-route-if-change-it-to-a-new-one.patch b/queue-5.4/net-ipv6-remove-the-old-peer-route-if-change-it-to-a-new-one.patch
new file mode 100644 (file)
index 0000000..f2d3ca5
--- /dev/null
@@ -0,0 +1,106 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Tue, 3 Mar 2020 14:37:35 +0800
+Subject: net/ipv6: remove the old peer route if change it to a new one
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit d0098e4c6b83e502cc1cd96d67ca86bc79a6c559 ]
+
+When we modify the peer route and changed it to a new one, we should
+remove the old route first. Before the fix:
+
++ ip addr add dev dummy1 2001:db8::1 peer 2001:db8::2
++ ip -6 route show dev dummy1
+2001:db8::1 proto kernel metric 256 pref medium
+2001:db8::2 proto kernel metric 256 pref medium
++ ip addr change dev dummy1 2001:db8::1 peer 2001:db8::3
++ ip -6 route show dev dummy1
+2001:db8::1 proto kernel metric 256 pref medium
+2001:db8::2 proto kernel metric 256 pref medium
+
+After the fix:
++ ip addr change dev dummy1 2001:db8::1 peer 2001:db8::3
++ ip -6 route show dev dummy1
+2001:db8::1 proto kernel metric 256 pref medium
+2001:db8::3 proto kernel metric 256 pref medium
+
+This patch depend on the previous patch "net/ipv6: need update peer route
+when modify metric" to update new peer route after delete old one.
+
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c |   21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1226,11 +1226,13 @@ check_cleanup_prefix_route(struct inet6_
+ }
+ static void
+-cleanup_prefix_route(struct inet6_ifaddr *ifp, unsigned long expires, bool del_rt)
++cleanup_prefix_route(struct inet6_ifaddr *ifp, unsigned long expires,
++                   bool del_rt, bool del_peer)
+ {
+       struct fib6_info *f6i;
+-      f6i = addrconf_get_prefix_route(&ifp->addr, ifp->prefix_len,
++      f6i = addrconf_get_prefix_route(del_peer ? &ifp->peer_addr : &ifp->addr,
++                                      ifp->prefix_len,
+                                       ifp->idev->dev, 0, RTF_DEFAULT, true);
+       if (f6i) {
+               if (del_rt)
+@@ -1293,7 +1295,7 @@ static void ipv6_del_addr(struct inet6_i
+       if (action != CLEANUP_PREFIX_RT_NOP) {
+               cleanup_prefix_route(ifp, expires,
+-                      action == CLEANUP_PREFIX_RT_DEL);
++                      action == CLEANUP_PREFIX_RT_DEL, false);
+       }
+       /* clean up prefsrc entries */
+@@ -4631,6 +4633,7 @@ static int inet6_addr_modify(struct inet
+       unsigned long timeout;
+       bool was_managetempaddr;
+       bool had_prefixroute;
++      bool new_peer = false;
+       ASSERT_RTNL();
+@@ -4662,6 +4665,13 @@ static int inet6_addr_modify(struct inet
+               cfg->preferred_lft = timeout;
+       }
++      if (cfg->peer_pfx &&
++          memcmp(&ifp->peer_addr, cfg->peer_pfx, sizeof(struct in6_addr))) {
++              if (!ipv6_addr_any(&ifp->peer_addr))
++                      cleanup_prefix_route(ifp, expires, true, true);
++              new_peer = true;
++      }
++
+       spin_lock_bh(&ifp->lock);
+       was_managetempaddr = ifp->flags & IFA_F_MANAGETEMPADDR;
+       had_prefixroute = ifp->flags & IFA_F_PERMANENT &&
+@@ -4677,6 +4687,9 @@ static int inet6_addr_modify(struct inet
+       if (cfg->rt_priority && cfg->rt_priority != ifp->rt_priority)
+               ifp->rt_priority = cfg->rt_priority;
++      if (new_peer)
++              ifp->peer_addr = *cfg->peer_pfx;
++
+       spin_unlock_bh(&ifp->lock);
+       if (!(ifp->flags&IFA_F_TENTATIVE))
+               ipv6_ifa_notify(0, ifp);
+@@ -4712,7 +4725,7 @@ static int inet6_addr_modify(struct inet
+               if (action != CLEANUP_PREFIX_RT_NOP) {
+                       cleanup_prefix_route(ifp, rt_expires,
+-                              action == CLEANUP_PREFIX_RT_DEL);
++                              action == CLEANUP_PREFIX_RT_DEL, false);
+               }
+       }
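Review bot: In the inet6_addr_modify hunk that sets `new_peer`, the peer comparison is open-coded as `memcmp(&ifp->peer_addr, cfg->peer_pfx, sizeof(struct in6_addr))`, while the lines around it use the address helpers such as `ipv6_addr_any()`. `!ipv6_addr_equal(&ifp->peer_addr, cfg->peer_pfx)` expresses the same test as a predicate. The comparison and the `cleanup_prefix_route(ifp, expires, true, true)` call also run before `spin_lock_bh(&ifp->lock)`, whereas `ifp->peer_addr = *cfg->peer_pfx` is assigned under that lock. `ASSERT_RTNL()` presumably serialises writers, and a short comment such as `/* peer_addr is only written under RTNL, so reading it unlocked is safe here */` would record that assumption. The function body continues outside the hunks shown.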
diff --git a/queue-5.4/net-ipv6-use-configured-metric-when-add-peer-route.patch b/queue-5.4/net-ipv6-use-configured-metric-when-add-peer-route.patch
new file mode 100644 (file)
index 0000000..aaaf910
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Sat, 29 Feb 2020 17:27:13 +0800
+Subject: net/ipv6: use configured metric when add peer route
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 07758eb9ff52794fba15d03aa88d92dbd1b7d125 ]
+
+When we add peer address with metric configured, IPv4 could set the dest
+metric correctly, but IPv6 do not. e.g.
+
+]# ip addr add 192.0.2.1 peer 192.0.2.2/32 dev eth1 metric 20
+]# ip route show dev eth1
+192.0.2.2 proto kernel scope link src 192.0.2.1 metric 20
+]# ip addr add 2001:db8::1 peer 2001:db8::2/128 dev eth1 metric 20
+]# ip -6 route show dev eth1
+2001:db8::1 proto kernel metric 20 pref medium
+2001:db8::2 proto kernel metric 256 pref medium
+
+Fix this by using configured metric instead of default one.
+
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Fixes: 8308f3ff1753 ("net/ipv6: Add support for specifying metric of connected routes")
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5988,9 +5988,9 @@ static void __ipv6_ifa_notify(int event,
+               if (ifp->idev->cnf.forwarding)
+                       addrconf_join_anycast(ifp);
+               if (!ipv6_addr_any(&ifp->peer_addr))
+-                      addrconf_prefix_route(&ifp->peer_addr, 128, 0,
+-                                            ifp->idev->dev, 0, 0,
+-                                            GFP_ATOMIC);
++                      addrconf_prefix_route(&ifp->peer_addr, 128,
++                                            ifp->rt_priority, ifp->idev->dev,
++                                            0, 0, GFP_ATOMIC);
+               break;
+       case RTM_DELADDR:
+               if (ifp->idev->cnf.forwarding)
diff --git a/queue-5.4/net-macsec-update-sci-upon-mac-address-change.patch b/queue-5.4/net-macsec-update-sci-upon-mac-address-change.patch
new file mode 100644 (file)
index 0000000..a62a5ee
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Dmitry Bogdanov <dbogdanov@marvell.com>
+Date: Tue, 10 Mar 2020 18:22:24 +0300
+Subject: net: macsec: update SCI upon MAC address change.
+
+From: Dmitry Bogdanov <dbogdanov@marvell.com>
+
+[ Upstream commit 6fc498bc82929ee23aa2f35a828c6178dfd3f823 ]
+
+SCI should be updated, because it contains MAC in its first 6 octets.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Signed-off-by: Dmitry Bogdanov <dbogdanov@marvell.com>
+Signed-off-by: Mark Starovoytov <mstarovoitov@marvell.com>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -2882,6 +2882,11 @@ static void macsec_dev_set_rx_mode(struc
+       dev_uc_sync(real_dev, dev);
+ }
++static sci_t dev_to_sci(struct net_device *dev, __be16 port)
++{
++      return make_sci(dev->dev_addr, port);
++}
++
+ static int macsec_set_mac_address(struct net_device *dev, void *p)
+ {
+       struct macsec_dev *macsec = macsec_priv(dev);
+@@ -2903,6 +2908,7 @@ static int macsec_set_mac_address(struct
+ out:
+       ether_addr_copy(dev->dev_addr, addr->sa_data);
++      macsec->secy.sci = dev_to_sci(dev, MACSEC_PORT_ES);
+       return 0;
+ }
+@@ -3176,11 +3182,6 @@ static bool sci_exists(struct net_device
+       return false;
+ }
+-static sci_t dev_to_sci(struct net_device *dev, __be16 port)
+-{
+-      return make_sci(dev->dev_addr, port);
+-}
+-
+ static int macsec_add_dev(struct net_device *dev, sci_t sci, u8 icv_len)
+ {
+       struct macsec_dev *macsec = macsec_priv(dev);
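Review bot: The added line `macsec->secy.sci = dev_to_sci(dev, MACSEC_PORT_ES);` in macsec_set_mac_address rebuilds the SCI with a fixed port, regardless of the SCI the device was created with. `macsec_add_dev()` takes the SCI as a parameter, so a device may have been set up with a different port or an explicit SCI (not visible in these hunks); if so, a MAC change would silently replace it and peers keyed on the old SCI would stop matching. If this is intended, a comment such as `/* SCI embeds the MAC; an explicitly configured port/SCI is reset to the ES default here */` should say so, otherwise the port part of the existing SCI should be carried over. The body of macsec_set_mac_address starts and continues outside the hunk.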
diff --git a/queue-5.4/net-memcg-fix-lockdep-splat-in-inet_csk_accept.patch b/queue-5.4/net-memcg-fix-lockdep-splat-in-inet_csk_accept.patch
new file mode 100644 (file)
index 0000000..825bb9b
--- /dev/null
@@ -0,0 +1,121 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 11 Mar 2020 11:44:26 -0700
+Subject: net: memcg: fix lockdep splat in inet_csk_accept()
+
+From: Eric Dumazet <edumazet@google.com>
+
+Locking newsk while still holding the listener lock triggered
+a lockdep splat [1]
+
+We can simply move the memcg code after we release the listener lock,
+as this can also help if multiple threads are sharing a common listener.
+
+Also fix a typo while reading socket sk_rmem_alloc.
+
+[1]
+WARNING: possible recursive locking detected
+5.6.0-rc3-syzkaller #0 Not tainted
+--------------------------------------------
+syz-executor598/9524 is trying to acquire lock:
+ffff88808b5b8b90 (sk_lock-AF_INET6){+.+.}, at: lock_sock include/net/sock.h:1541 [inline]
+ffff88808b5b8b90 (sk_lock-AF_INET6){+.+.}, at: inet_csk_accept+0x69f/0xd30 net/ipv4/inet_connection_sock.c:492
+
+but task is already holding lock:
+ffff88808b5b9590 (sk_lock-AF_INET6){+.+.}, at: lock_sock include/net/sock.h:1541 [inline]
+ffff88808b5b9590 (sk_lock-AF_INET6){+.+.}, at: inet_csk_accept+0x8d/0xd30 net/ipv4/inet_connection_sock.c:445
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+       CPU0
+       ----
+  lock(sk_lock-AF_INET6);
+  lock(sk_lock-AF_INET6);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+1 lock held by syz-executor598/9524:
+ #0: ffff88808b5b9590 (sk_lock-AF_INET6){+.+.}, at: lock_sock include/net/sock.h:1541 [inline]
+ #0: ffff88808b5b9590 (sk_lock-AF_INET6){+.+.}, at: inet_csk_accept+0x8d/0xd30 net/ipv4/inet_connection_sock.c:445
+
+stack backtrace:
+CPU: 0 PID: 9524 Comm: syz-executor598 Not tainted 5.6.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x188/0x20d lib/dump_stack.c:118
+ print_deadlock_bug kernel/locking/lockdep.c:2370 [inline]
+ check_deadlock kernel/locking/lockdep.c:2411 [inline]
+ validate_chain kernel/locking/lockdep.c:2954 [inline]
+ __lock_acquire.cold+0x114/0x288 kernel/locking/lockdep.c:3954
+ lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4484
+ lock_sock_nested+0xc5/0x110 net/core/sock.c:2947
+ lock_sock include/net/sock.h:1541 [inline]
+ inet_csk_accept+0x69f/0xd30 net/ipv4/inet_connection_sock.c:492
+ inet_accept+0xe9/0x7c0 net/ipv4/af_inet.c:734
+ __sys_accept4_file+0x3ac/0x5b0 net/socket.c:1758
+ __sys_accept4+0x53/0x90 net/socket.c:1809
+ __do_sys_accept4 net/socket.c:1821 [inline]
+ __se_sys_accept4 net/socket.c:1818 [inline]
+ __x64_sys_accept4+0x93/0xf0 net/socket.c:1818
+ do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x4445c9
+Code: e8 0c 0d 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffc35b37608 EFLAGS: 00000246 ORIG_RAX: 0000000000000120
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004445c9
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000306777 R09: 0000000000306777
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00000000004053d0 R14: 0000000000000000 R15: 0000000000000000
+
+Fixes: d752a4986532 ("net: memcg: late association of sock to memcg")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Shakeel Butt <shakeelb@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/inet_connection_sock.c |   14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -483,27 +483,27 @@ struct sock *inet_csk_accept(struct sock
+               spin_unlock_bh(&queue->fastopenq.lock);
+       }
+-      if (mem_cgroup_sockets_enabled) {
++out:
++      release_sock(sk);
++      if (newsk && mem_cgroup_sockets_enabled) {
+               int amt;
+               /* atomically get the memory usage, set and charge the
+-               * sk->sk_memcg.
++               * newsk->sk_memcg.
+                */
+               lock_sock(newsk);
+-              /* The sk has not been accepted yet, no need to look at
+-               * sk->sk_wmem_queued.
++              /* The socket has not been accepted yet, no need to look at
++               * newsk->sk_wmem_queued.
+                */
+               amt = sk_mem_pages(newsk->sk_forward_alloc +
+-                                 atomic_read(&sk->sk_rmem_alloc));
++                                 atomic_read(&newsk->sk_rmem_alloc));
+               mem_cgroup_sk_alloc(newsk);
+               if (newsk->sk_memcg && amt)
+                       mem_cgroup_charge_skmem(newsk->sk_memcg, amt);
+               release_sock(newsk);
+       }
+-out:
+-      release_sock(sk);
+       if (req)
+               reqsk_put(req);
+       return newsk;
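Review bot: The ordering constraint that this change introduces in inet_csk_accept is not recorded next to the code: the memcg block now sits after `out:` and `release_sock(sk)`, but nothing explains why it must stay there. A later cleanup could move it back above the label and reintroduce the nested `lock_sock(newsk)` under the listener lock. I would add, above `if (newsk && mem_cgroup_sockets_enabled)`, a comment such as `/* must run after release_sock(sk): newsk is locked below and both locks share a lockdep class */`. The `newsk &&` test is what makes the error path through `out:` safe, which is also worth stating. The start of the function is outside the hunk.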
diff --git a/queue-5.4/net-memcg-late-association-of-sock-to-memcg.patch b/queue-5.4/net-memcg-late-association-of-sock-to-memcg.patch
new file mode 100644 (file)
index 0000000..16d0fc1
--- /dev/null
@@ -0,0 +1,99 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Shakeel Butt <shakeelb@google.com>
+Date: Mon, 9 Mar 2020 22:16:06 -0700
+Subject: net: memcg: late association of sock to memcg
+
+From: Shakeel Butt <shakeelb@google.com>
+
+[ Upstream commit d752a4986532cb6305dfd5290a614cde8072769d ]
+
+If a TCP socket is allocated in IRQ context or cloned from unassociated
+(i.e. not associated to a memcg) in IRQ context then it will remain
+unassociated for its whole life. Almost half of the TCPs created on the
+system are created in IRQ context, so, memory used by such sockets will
+not be accounted by the memcg.
+
+This issue is more widespread in cgroup v1 where network memory
+accounting is opt-in but it can happen in cgroup v2 if the source socket
+for the cloning was created in root memcg.
+
+To fix the issue, just do the association of the sockets at the accept()
+time in the process context and then force charge the memory buffer
+already used and reserved by the socket.
+
+Signed-off-by: Shakeel Butt <shakeelb@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memcontrol.c                 |   14 --------------
+ net/core/sock.c                 |    5 ++++-
+ net/ipv4/inet_connection_sock.c |   20 ++++++++++++++++++++
+ 3 files changed, 24 insertions(+), 15 deletions(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -6792,20 +6792,6 @@ void mem_cgroup_sk_alloc(struct sock *sk
+       if (!mem_cgroup_sockets_enabled)
+               return;
+-      /*
+-       * Socket cloning can throw us here with sk_memcg already
+-       * filled. It won't however, necessarily happen from
+-       * process context. So the test for root memcg given
+-       * the current task's memcg won't help us in this case.
+-       *
+-       * Respecting the original socket's memcg is a better
+-       * decision in this case.
+-       */
+-      if (sk->sk_memcg) {
+-              css_get(&sk->sk_memcg->css);
+-              return;
+-      }
+-
+       /* Do not associate the sock with unrelated interrupted task's memcg. */
+       if (in_interrupt())
+               return;
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1832,7 +1832,10 @@ struct sock *sk_clone_lock(const struct
+               atomic_set(&newsk->sk_zckey, 0);
+               sock_reset_flag(newsk, SOCK_DONE);
+-              mem_cgroup_sk_alloc(newsk);
++
++              /* sk->sk_memcg will be populated at accept() time */
++              newsk->sk_memcg = NULL;
++
+               cgroup_sk_alloc(&newsk->sk_cgrp_data);
+               rcu_read_lock();
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -482,6 +482,26 @@ struct sock *inet_csk_accept(struct sock
+               }
+               spin_unlock_bh(&queue->fastopenq.lock);
+       }
++
++      if (mem_cgroup_sockets_enabled) {
++              int amt;
++
++              /* atomically get the memory usage, set and charge the
++               * sk->sk_memcg.
++               */
++              lock_sock(newsk);
++
++              /* The sk has not been accepted yet, no need to look at
++               * sk->sk_wmem_queued.
++               */
++              amt = sk_mem_pages(newsk->sk_forward_alloc +
++                                 atomic_read(&sk->sk_rmem_alloc));
++              mem_cgroup_sk_alloc(newsk);
++              if (newsk->sk_memcg && amt)
++                      mem_cgroup_charge_skmem(newsk->sk_memcg, amt);
++
++              release_sock(newsk);
++      }
+ out:
+       release_sock(sk);
+       if (req)
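Review bot: In the sk_clone_lock hunk, `newsk->sk_memcg = NULL` is now unconditional, so a cloned socket is charged to a memcg only if it later passes through the new block in inet_csk_accept(). Any caller of sk_clone_lock() whose sockets are handed to user space by another route would leave that memory unaccounted; whether such callers exist is not visible here and should be confirmed. The new comment also names the wrong object: it says `sk->sk_memcg` while the assignment is to `newsk`. I would write it as `/* newsk->sk_memcg is set in inet_csk_accept(); clones that never reach it stay unaccounted */`.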
diff --git a/queue-5.4/net-nfc-fix-bounds-checking-bugs-on-pipe.patch b/queue-5.4/net-nfc-fix-bounds-checking-bugs-on-pipe.patch
new file mode 100644 (file)
index 0000000..89134ec
--- /dev/null
@@ -0,0 +1,67 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Mar 2020 17:24:31 +0300
+Subject: net: nfc: fix bounds checking bugs on "pipe"
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit a3aefbfe45751bf7b338c181b97608e276b5bb73 ]
+
+This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory
+corruption when handling SHDLC I-Frame commands") and commit d7ee81ad09f0
+("NFC: nci: Add some bounds checking in nci_hci_cmd_received()") which
+added range checks on "pipe".
+
+The "pipe" variable comes skb->data[0] in nfc_hci_msg_rx_work().
+It's in the 0-255 range.  We're using it as the array index into the
+hdev->pipes[] array which has NFC_HCI_MAX_PIPES (128) members.
+
+Fixes: 118278f20aa8 ("NFC: hci: Add pipes table to reference them with a tuple {gate, host}")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/hci/core.c |   19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/net/nfc/hci/core.c
++++ b/net/nfc/hci/core.c
+@@ -181,13 +181,20 @@ exit:
+ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
+                         struct sk_buff *skb)
+ {
+-      u8 gate = hdev->pipes[pipe].gate;
+       u8 status = NFC_HCI_ANY_OK;
+       struct hci_create_pipe_resp *create_info;
+       struct hci_delete_pipe_noti *delete_info;
+       struct hci_all_pipe_cleared_noti *cleared_info;
++      u8 gate;
+-      pr_debug("from gate %x pipe %x cmd %x\n", gate, pipe, cmd);
++      pr_debug("from pipe %x cmd %x\n", pipe, cmd);
++
++      if (pipe >= NFC_HCI_MAX_PIPES) {
++              status = NFC_HCI_ANY_E_NOK;
++              goto exit;
++      }
++
++      gate = hdev->pipes[pipe].gate;
+       switch (cmd) {
+       case NFC_HCI_ADM_NOTIFY_PIPE_CREATED:
+@@ -375,8 +382,14 @@ void nfc_hci_event_received(struct nfc_h
+                           struct sk_buff *skb)
+ {
+       int r = 0;
+-      u8 gate = hdev->pipes[pipe].gate;
++      u8 gate;
++
++      if (pipe >= NFC_HCI_MAX_PIPES) {
++              pr_err("Discarded event %x to invalid pipe %x\n", event, pipe);
++              goto exit;
++      }
++      gate = hdev->pipes[pipe].gate;
+       if (gate == NFC_HCI_INVALID_GATE) {
+               pr_err("Discarded event %x to unopened pipe %x\n", event, pipe);
+               goto exit;
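Review bot: In nfc_hci_cmd_received, the new early `goto exit` for `pipe >= NFC_HCI_MAX_PIPES` is taken before `gate` is assigned, because `gate` is now declared without an initialiser. The `exit:` label is outside the hunk; if the code there passes `gate` on (for example when sending the response carrying `status`), it reads an indeterminate value on exactly the path that handles malformed input. Declaring it as `u8 gate = NFC_HCI_INVALID_GATE;` or answering the out-of-range case without touching `gate` would close that, after checking what the exit path does with it. nfc_hci_event_received has the same declaration, but its visible early exit only logs, so it depends on its own `exit:` label, which is likewise not shown.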
diff --git a/queue-5.4/net-packet-tpacket_rcv-do-not-increment-ring-index-on-drop.patch b/queue-5.4/net-packet-tpacket_rcv-do-not-increment-ring-index-on-drop.patch
new file mode 100644 (file)
index 0000000..36c3ee3
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Willem de Bruijn <willemb@google.com>
+Date: Mon, 9 Mar 2020 11:34:35 -0400
+Subject: net/packet: tpacket_rcv: do not increment ring index on drop
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 46e4c421a053c36bf7a33dda2272481bcaf3eed3 ]
+
+In one error case, tpacket_rcv drops packets after incrementing the
+ring producer index.
+
+If this happens, it does not update tp_status to TP_STATUS_USER and
+thus the reader is stalled for an iteration of the ring, causing out
+of order arrival.
+
+The only such error path is when virtio_net_hdr_from_skb fails due
+to encountering an unknown GSO type.
+
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2273,6 +2273,13 @@ static int tpacket_rcv(struct sk_buff *s
+                                       TP_STATUS_KERNEL, (macoff+snaplen));
+       if (!h.raw)
+               goto drop_n_account;
++
++      if (do_vnet &&
++          virtio_net_hdr_from_skb(skb, h.raw + macoff -
++                                  sizeof(struct virtio_net_hdr),
++                                  vio_le(), true, 0))
++              goto drop_n_account;
++
+       if (po->tp_version <= TPACKET_V2) {
+               packet_increment_rx_head(po, &po->rx_ring);
+       /*
+@@ -2285,12 +2292,6 @@ static int tpacket_rcv(struct sk_buff *s
+                       status |= TP_STATUS_LOSING;
+       }
+-      if (do_vnet &&
+-          virtio_net_hdr_from_skb(skb, h.raw + macoff -
+-                                  sizeof(struct virtio_net_hdr),
+-                                  vio_le(), true, 0))
+-              goto drop_n_account;
+-
+       po->stats.stats1.tp_packets++;
+       if (copy_skb) {
+               status |= TP_STATUS_COPY;
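Review bot: The moved `virtio_net_hdr_from_skb()` call in tpacket_rcv writes to `h.raw + macoff - sizeof(struct virtio_net_hdr)`, and nothing in the hunk shows that `macoff` leaves room for that header inside the frame. The reservation is presumably made where `macoff` is computed when `do_vnet` is set, which is outside the hunk. Since the write now happens earlier, immediately after the frame lookup, I would restate the invariant at the call: `/* macoff was computed with sizeof(struct virtio_net_hdr) reserved in front of it when do_vnet is set */`. The function starts and ends outside the hunk.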
diff --git a/queue-5.4/net-phy-avoid-clearing-phy-interrupts-twice-in-irq-handler.patch b/queue-5.4/net-phy-avoid-clearing-phy-interrupts-twice-in-irq-handler.patch
new file mode 100644 (file)
index 0000000..97317b9
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Sun, 1 Mar 2020 21:36:09 +0100
+Subject: net: phy: avoid clearing PHY interrupts twice in irq handler
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 249bc9744e165abe74ae326f43e9d70bad54c3b7 ]
+
+On all PHY drivers that implement did_interrupt() reading the interrupt
+status bits clears them. This means we may loose an interrupt that
+is triggered between calling did_interrupt() and phy_clear_interrupt().
+As part of the fix make it a requirement that did_interrupt() clears
+the interrupt.
+
+The Fixes tag refers to the first commit where the patch applies
+cleanly.
+
+Fixes: 49644e68f472 ("net: phy: add callback for custom interrupt handler to struct phy_driver")
+Reported-by: Michael Walle <michael@walle.cc>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phy.c |    3 ++-
+ include/linux/phy.h   |    1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/phy.c
++++ b/drivers/net/phy/phy.c
+@@ -761,7 +761,8 @@ static irqreturn_t phy_interrupt(int irq
+               phy_trigger_machine(phydev);
+       }
+-      if (phy_clear_interrupt(phydev))
++      /* did_interrupt() may have cleared the interrupt already */
++      if (!phydev->drv->did_interrupt && phy_clear_interrupt(phydev))
+               goto phy_err;
+       return IRQ_HANDLED;
+--- a/include/linux/phy.h
++++ b/include/linux/phy.h
+@@ -524,6 +524,7 @@ struct phy_driver {
+       /*
+        * Checks if the PHY generated an interrupt.
+        * For multi-PHY devices with shared PHY interrupt pin
++       * Set interrupt bits have to be cleared.
+        */
+       int (*did_interrupt)(struct phy_device *phydev);
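Review bot: The new contract for `did_interrupt()` is enforced only by the comment in include/linux/phy.h, and the added line `Set interrupt bits have to be cleared.` is spliced into the middle of an existing sentence, so it is easy to misread. After this change phy_interrupt() skips `phy_clear_interrupt()` whenever the callback is set, so a driver whose `did_interrupt()` does not clear the status would leave the interrupt line asserted. I would make it a sentence of its own: `* Implementations must clear the interrupt status bits they report; phy_interrupt() does not call phy_clear_interrupt() when this callback is set.` The rest of the original comment continues outside the hunk.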
diff --git a/queue-5.4/net-phy-bcm63xx-fix-oops-due-to-missing-driver-name.patch b/queue-5.4/net-phy-bcm63xx-fix-oops-due-to-missing-driver-name.patch
new file mode 100644 (file)
index 0000000..28f2533
--- /dev/null
@@ -0,0 +1,75 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jonas Gorski <jonas.gorski@gmail.com>
+Date: Mon, 2 Mar 2020 20:46:57 +0100
+Subject: net: phy: bcm63xx: fix OOPS due to missing driver name
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit 43de81b0601df7d7988d3f5617ee0987df65c883 ]
+
+719655a14971 ("net: phy: Replace phy driver features u32 with link_mode
+bitmap") was a bit over-eager and also removed the second phy driver's
+name, resulting in a nasty OOPS on registration:
+
+[    1.319854] CPU 0 Unable to handle kernel paging request at virtual address 00000000, epc == 804dd50c, ra == 804dd4f0
+[    1.330859] Oops[#1]:
+[    1.333138] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.4.22 #0
+[    1.339217] $ 0   : 00000000 00000001 87ca7f00 805c1874
+[    1.344590] $ 4   : 00000000 00000047 00585000 8701f800
+[    1.349965] $ 8   : 8701f800 804f4a5c 00000003 64726976
+[    1.355341] $12   : 00000001 00000000 00000000 00000114
+[    1.360718] $16   : 87ca7f80 00000000 00000000 80639fe4
+[    1.366093] $20   : 00000002 00000000 806441d0 80b90000
+[    1.371470] $24   : 00000000 00000000
+[    1.376847] $28   : 87c1e000 87c1fda0 80b90000 804dd4f0
+[    1.382224] Hi    : d1c8f8da
+[    1.385180] Lo    : 5518a480
+[    1.388182] epc   : 804dd50c kset_find_obj+0x3c/0x114
+[    1.393345] ra    : 804dd4f0 kset_find_obj+0x20/0x114
+[    1.398530] Status: 10008703 KERNEL EXL IE
+[    1.402833] Cause : 00800008 (ExcCode 02)
+[    1.406952] BadVA : 00000000
+[    1.409913] PrId  : 0002a075 (Broadcom BMIPS4350)
+[    1.414745] Modules linked in:
+[    1.417895] Process swapper/0 (pid: 1, threadinfo=(ptrval), task=(ptrval), tls=00000000)
+[    1.426214] Stack : 87cec000 80630000 80639370 80640658 80640000 80049af4 80639fe4 8063a0d8
+[    1.434816]         8063a0d8 802ef078 00000002 00000000 806441d0 80b90000 8063a0d8 802ef114
+[    1.443417]         87cea0de 87c1fde0 00000000 804de488 87cea000 8063a0d8 8063a0d8 80334e48
+[    1.452018]         80640000 8063984c 80639bf4 00000000 8065de48 00000001 8063a0d8 80334ed0
+[    1.460620]         806441d0 80b90000 80b90000 802ef164 8065dd70 80620000 80b90000 8065de58
+[    1.469222]         ...
+[    1.471734] Call Trace:
+[    1.474255] [<804dd50c>] kset_find_obj+0x3c/0x114
+[    1.479141] [<802ef078>] driver_find+0x1c/0x44
+[    1.483665] [<802ef114>] driver_register+0x74/0x148
+[    1.488719] [<80334e48>] phy_driver_register+0x9c/0xd0
+[    1.493968] [<80334ed0>] phy_drivers_register+0x54/0xe8
+[    1.499345] [<8001061c>] do_one_initcall+0x7c/0x1f4
+[    1.504374] [<80644ed8>] kernel_init_freeable+0x1d4/0x2b4
+[    1.509940] [<804f4e24>] kernel_init+0x10/0xf8
+[    1.514502] [<80018e68>] ret_from_kernel_thread+0x14/0x1c
+[    1.520040] Code: 1060000c  02202025  90650000 <90810000> 24630001  14250004  24840001  14a0fffb  90650000
+[    1.530061]
+[    1.531698] ---[ end trace d52f1717cd29bdc8 ]---
+
+Fix it by readding the name.
+
+Fixes: 719655a14971 ("net: phy: Replace phy driver features u32 with link_mode bitmap")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/bcm63xx.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/bcm63xx.c
++++ b/drivers/net/phy/bcm63xx.c
+@@ -73,6 +73,7 @@ static struct phy_driver bcm63xx_driver[
+       /* same phy as above, with just a different OUI */
+       .phy_id         = 0x002bdc00,
+       .phy_id_mask    = 0xfffffc00,
++      .name           = "Broadcom BCM63XX (2)",
+       /* PHY_BASIC_FEATURES */
+       .flags          = PHY_IS_INTERNAL,
+       .config_init    = bcm63xx_config_init,
diff --git a/queue-5.4/net-phy-fix-mdio-bus-pm-phy-resuming.patch b/queue-5.4/net-phy-fix-mdio-bus-pm-phy-resuming.patch
new file mode 100644 (file)
index 0000000..ebdbbea
--- /dev/null
@@ -0,0 +1,72 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Thu, 12 Mar 2020 22:25:20 +0100
+Subject: net: phy: fix MDIO bus PM PHY resuming
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 611d779af7cad2b87487ff58e4931a90c20b113c ]
+
+So far we have the unfortunate situation that mdio_bus_phy_may_suspend()
+is called in suspend AND resume path, assuming that function result is
+the same. After the original change this is no longer the case,
+resulting in broken resume as reported by Geert.
+
+To fix this call mdio_bus_phy_may_suspend() in the suspend path only,
+and let the phy_device store the info whether it was suspended by
+MDIO bus PM.
+
+Fixes: 503ba7c69610 ("net: phy: Avoid multiple suspends")
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phy_device.c |    6 +++++-
+ include/linux/phy.h          |    2 ++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -284,6 +284,8 @@ static int mdio_bus_phy_suspend(struct d
+       if (!mdio_bus_phy_may_suspend(phydev))
+               return 0;
++      phydev->suspended_by_mdio_bus = 1;
++
+       return phy_suspend(phydev);
+ }
+@@ -292,9 +294,11 @@ static int mdio_bus_phy_resume(struct de
+       struct phy_device *phydev = to_phy_device(dev);
+       int ret;
+-      if (!mdio_bus_phy_may_suspend(phydev))
++      if (!phydev->suspended_by_mdio_bus)
+               goto no_resume;
++      phydev->suspended_by_mdio_bus = 0;
++
+       ret = phy_resume(phydev);
+       if (ret < 0)
+               return ret;
+--- a/include/linux/phy.h
++++ b/include/linux/phy.h
+@@ -336,6 +336,7 @@ struct phy_c45_device_ids {
+  * is_gigabit_capable: Set to true if PHY supports 1000Mbps
+  * has_fixups: Set to true if this phy has fixups/quirks.
+  * suspended: Set to true if this phy has been suspended successfully.
++ * suspended_by_mdio_bus: Set to true if this phy was suspended by MDIO bus.
+  * sysfs_links: Internal boolean tracking sysfs symbolic links setup/removal.
+  * loopback_enabled: Set true if this phy has been loopbacked successfully.
+  * state: state of the PHY for management purposes
+@@ -372,6 +373,7 @@ struct phy_device {
+       unsigned is_gigabit_capable:1;
+       unsigned has_fixups:1;
+       unsigned suspended:1;
++      unsigned suspended_by_mdio_bus:1;
+       unsigned sysfs_links:1;
+       unsigned loopback_enabled:1;
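Review bot: In mdio_bus_phy_suspend, `phydev->suspended_by_mdio_bus = 1;` is set before `return phy_suspend(phydev);`, so the flag stays set even when phy_suspend() returns an error. A later mdio_bus_phy_resume would then call phy_resume() on a PHY this path never suspended; how the PM core orders callbacks after a failed suspend is not visible here, so treat this as something to confirm. Setting the flag only on success avoids the question: `ret = phy_suspend(phydev);`, `if (!ret) phydev->suspended_by_mdio_bus = 1;`, `return ret;`. The start of mdio_bus_phy_suspend is outside the hunk.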
diff --git a/queue-5.4/net-stmmac-dwmac1000-disable-acs-if-enhanced-descs-are-not-used.patch b/queue-5.4/net-stmmac-dwmac1000-disable-acs-if-enhanced-descs-are-not-used.patch
new file mode 100644 (file)
index 0000000..1adec83
--- /dev/null
@@ -0,0 +1,45 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Remi Pommarel <repk@triplefau.lt>
+Date: Sun, 8 Mar 2020 10:25:56 +0100
+Subject: net: stmmac: dwmac1000: Disable ACS if enhanced descs are not used
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit b723bd933980f4956dabc8a8d84b3e83be8d094c ]
+
+ACS (auto PAD/FCS stripping) removes FCS off 802.3 packets (LLC) so that
+there is no need to manually strip it for such packets. The enhanced DMA
+descriptors allow to flag LLC packets so that the receiving callback can
+use that to strip FCS manually or not. On the other hand, normal
+descriptors do not support that.
+
+Thus in order to not truncate LLC packet ACS should be disabled when
+using normal DMA descriptors.
+
+Fixes: 47dd7a540b8a0 ("net: add support for STMicroelectronics Ethernet controllers.")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+@@ -24,6 +24,7 @@
+ static void dwmac1000_core_init(struct mac_device_info *hw,
+                               struct net_device *dev)
+ {
++      struct stmmac_priv *priv = netdev_priv(dev);
+       void __iomem *ioaddr = hw->pcsr;
+       u32 value = readl(ioaddr + GMAC_CONTROL);
+       int mtu = dev->mtu;
+@@ -35,7 +36,7 @@ static void dwmac1000_core_init(struct m
+        * Broadcom tags can look like invalid LLC/SNAP packets and cause the
+        * hardware to truncate packets on reception.
+        */
+-      if (netdev_uses_dsa(dev))
++      if (netdev_uses_dsa(dev) || !priv->plat->enh_desc)
+               value &= ~GMAC_CONTROL_ACS;
+       if (mtu > 1500)
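Review bot: The comment above `if (netdev_uses_dsa(dev) || !priv->plat->enh_desc)` still explains only the Broadcom-tag case, so the new second operand has no rationale at the call site. I would extend that comment with something like `Normal (non-enhanced) descriptors cannot flag LLC frames, so the RX path cannot tell whether ACS already stripped the FCS; keep ACS off for them as well.` dwmac1000_core_init continues past the end of the hunk.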
diff --git a/queue-5.4/net-systemport-fix-index-check-to-avoid-an-array-out-of-bounds-access.patch b/queue-5.4/net-systemport-fix-index-check-to-avoid-an-array-out-of-bounds-access.patch
new file mode 100644 (file)
index 0000000..89a0f30
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 12 Mar 2020 15:04:30 +0000
+Subject: net: systemport: fix index check to avoid an array out of bounds access
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit c0368595c1639947839c0db8294ee96aca0b3b86 ]
+
+Currently the bounds check on index is off by one and can lead to
+an out of bounds access on array priv->filters_loc when index is
+RXCHK_BRCM_TAG_MAX.
+
+Fixes: bb9051a2b230 ("net: systemport: Add support for WAKE_FILTER")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -2135,7 +2135,7 @@ static int bcm_sysport_rule_set(struct b
+               return -ENOSPC;
+       index = find_first_zero_bit(priv->filters, RXCHK_BRCM_TAG_MAX);
+-      if (index > RXCHK_BRCM_TAG_MAX)
++      if (index >= RXCHK_BRCM_TAG_MAX)
+               return -ENOSPC;
+       /* Location is the classification ID, and index is the position
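Review bot: The `>=` in `if (index >= RXCHK_BRCM_TAG_MAX)` is right only because find_first_zero_bit() returns its size argument when no bit is clear, and nothing at the call site says so. A one-line comment such as `/* find_first_zero_bit() returns RXCHK_BRCM_TAG_MAX when no filter slot is free */` would keep the comparison from being loosened again, since per the commit message this value then indexes priv->filters_loc. bcm_sysport_rule_set starts and ends outside the hunk.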
diff --git a/queue-5.4/net-taprio-add-missing-attribute-validation-for-txtime-delay.patch b/queue-5.4/net-taprio-add-missing-attribute-validation-for-txtime-delay.patch
new file mode 100644 (file)
index 0000000..62cbe2d
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:20 -0800
+Subject: net: taprio: add missing attribute validation for txtime delay
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit e13aaa0643da10006ec35715954e7f92a62899a5 ]
+
+Add missing attribute validation for TCA_TAPRIO_ATTR_TXTIME_DELAY
+to the netlink policy.
+
+Fixes: 4cfd5779bd6e ("taprio: Add support for txtime-assist mode")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_taprio.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/sch_taprio.c
++++ b/net/sched/sch_taprio.c
+@@ -774,6 +774,7 @@ static const struct nla_policy taprio_po
+       [TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME]           = { .type = NLA_S64 },
+       [TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME_EXTENSION] = { .type = NLA_S64 },
+       [TCA_TAPRIO_ATTR_FLAGS]                      = { .type = NLA_U32 },
++      [TCA_TAPRIO_ATTR_TXTIME_DELAY]               = { .type = NLA_U32 },
+ };
+ static int fill_sched_entry(struct nlattr **tb, struct sched_entry *entry,
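Review bot: `[TCA_TAPRIO_ATTR_TXTIME_DELAY] = { .type = NLA_U32 }` constrains the attribute's payload size only; any u32 value still reaches the code that consumes it, which is outside this hunk. If the value has a fixed upper limit that fits the policy's range fields, the policy can carry it, e.g. `NLA_POLICY_MAX(NLA_U32, LIMIT)`, where `LIMIT` is a placeholder for a bound this page does not give. The same holds for the type-only entries added in the nfc policy hunks (`NFC_ATTR_TARGET_INDEX`, `NFC_ATTR_SE_INDEX`, `NFC_ATTR_VENDOR_ID`, `NFC_ATTR_VENDOR_SUBCMD`) and the nl802154 policy hunks further down. For the index- and enum-like ones it is worth confirming that the consumer rejects out-of-range values.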
diff --git a/queue-5.4/netlink-use-netlink-header-as-base-to-calculate-bad-attribute-offset.patch b/queue-5.4/netlink-use-netlink-header-as-base-to-calculate-bad-attribute-offset.patch
new file mode 100644 (file)
index 0000000..6bf867b
--- /dev/null
@@ -0,0 +1,32 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 26 Feb 2020 19:47:34 +0100
+Subject: netlink: Use netlink header as base to calculate bad attribute offset
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 84b3268027641401bb8ad4427a90a3cce2eb86f5 ]
+
+Userspace might send a batch that is composed of several netlink
+messages. The netlink_ack() function must use the pointer to the netlink
+header as base to calculate the bad attribute offset.
+
+Fixes: 2d4bc93368f5 ("netlink: extended ACK reporting")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2434,7 +2434,7 @@ void netlink_ack(struct sk_buff *in_skb,
+                                                              in_skb->len))
+                               WARN_ON(nla_put_u32(skb, NLMSGERR_ATTR_OFFS,
+                                                   (u8 *)extack->bad_attr -
+-                                                  in_skb->data));
++                                                  (u8 *)nlh));
+               } else {
+                       if (extack->cookie_len)
+                               WARN_ON(nla_put(skb, NLMSGERR_ATTR_COOKIE,
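Review bot: The offset is now taken from `nlh`, but the range check just above it, of which only the tail `in_skb->len))` is inside the hunk, appears to still bound `extack->bad_attr` against the skb's data buffer rather than against the message being acknowledged. If so, in a batch a `bad_attr` that lies inside the skb but before `nlh` would pass the check, and the pointer difference would go negative before being stored as a u32 in NLMSGERR_ATTR_OFFS. I would align the lower bound with the new base, e.g. `(u8 *)extack->bad_attr < (u8 *)nlh`, so an out-of-message pointer trips the WARN_ON instead of being reported as an offset. netlink_ack starts and ends outside the hunk, so the first half of the condition needs to be confirmed there.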
diff --git a/queue-5.4/nfc-add-missing-attribute-validation-for-deactivate-target.patch b/queue-5.4/nfc-add-missing-attribute-validation-for-deactivate-target.patch
new file mode 100644 (file)
index 0000000..48f2ae7
--- /dev/null
@@ -0,0 +1,30 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:25 -0800
+Subject: nfc: add missing attribute validation for deactivate target
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 88e706d5168b07df4792dbc3d1bc37b83e4bd74d ]
+
+Add missing attribute validation for NFC_ATTR_TARGET_INDEX
+to the netlink policy.
+
+Fixes: 4d63adfe12dd ("NFC: Add NFC_CMD_DEACTIVATE_TARGET support")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/netlink.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -32,6 +32,7 @@ static const struct nla_policy nfc_genl_
+       [NFC_ATTR_DEVICE_NAME] = { .type = NLA_STRING,
+                               .len = NFC_DEVICE_NAME_MAXSIZE },
+       [NFC_ATTR_PROTOCOLS] = { .type = NLA_U32 },
++      [NFC_ATTR_TARGET_INDEX] = { .type = NLA_U32 },
+       [NFC_ATTR_COMM_MODE] = { .type = NLA_U8 },
+       [NFC_ATTR_RF_MODE] = { .type = NLA_U8 },
+       [NFC_ATTR_DEVICE_POWERED] = { .type = NLA_U8 },
diff --git a/queue-5.4/nfc-add-missing-attribute-validation-for-se-api.patch b/queue-5.4/nfc-add-missing-attribute-validation-for-se-api.patch
new file mode 100644 (file)
index 0000000..7d741cb
--- /dev/null
@@ -0,0 +1,30 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:24 -0800
+Subject: nfc: add missing attribute validation for SE API
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 361d23e41ca6e504033f7e66a03b95788377caae ]
+
+Add missing attribute validation for NFC_ATTR_SE_INDEX
+to the netlink policy.
+
+Fixes: 5ce3f32b5264 ("NFC: netlink: SE API implementation")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/netlink.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -43,6 +43,7 @@ static const struct nla_policy nfc_genl_
+       [NFC_ATTR_LLC_SDP] = { .type = NLA_NESTED },
+       [NFC_ATTR_FIRMWARE_NAME] = { .type = NLA_STRING,
+                                    .len = NFC_FIRMWARE_NAME_MAXSIZE },
++      [NFC_ATTR_SE_INDEX] = { .type = NLA_U32 },
+       [NFC_ATTR_SE_APDU] = { .type = NLA_BINARY },
+       [NFC_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
diff --git a/queue-5.4/nfc-add-missing-attribute-validation-for-vendor-subcommand.patch b/queue-5.4/nfc-add-missing-attribute-validation-for-vendor-subcommand.patch
new file mode 100644 (file)
index 0000000..24df113
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:26 -0800
+Subject: nfc: add missing attribute validation for vendor subcommand
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 6ba3da446551f2150fadbf8c7788edcb977683d3 ]
+
+Add missing attribute validation for vendor subcommand attributes
+to the netlink policy.
+
+Fixes: 9e58095f9660 ("NFC: netlink: Implement vendor command support")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/netlink.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -46,6 +46,8 @@ static const struct nla_policy nfc_genl_
+                                    .len = NFC_FIRMWARE_NAME_MAXSIZE },
+       [NFC_ATTR_SE_INDEX] = { .type = NLA_U32 },
+       [NFC_ATTR_SE_APDU] = { .type = NLA_BINARY },
++      [NFC_ATTR_VENDOR_ID] = { .type = NLA_U32 },
++      [NFC_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
+       [NFC_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
+ };
diff --git a/queue-5.4/nl802154-add-missing-attribute-validation-for-dev_type.patch b/queue-5.4/nl802154-add-missing-attribute-validation-for-dev_type.patch
new file mode 100644 (file)
index 0000000..09356b4
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:15 -0800
+Subject: nl802154: add missing attribute validation for dev_type
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit b60673c4c418bef7550d02faf53c34fbfeb366bf ]
+
+Add missing attribute type validation for IEEE802154_ATTR_DEV_TYPE
+to the netlink policy.
+
+Fixes: 90c049b2c6ae ("ieee802154: interface type to be added")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl_policy.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ieee802154/nl_policy.c
++++ b/net/ieee802154/nl_policy.c
+@@ -27,6 +27,7 @@ const struct nla_policy ieee802154_polic
+       [IEEE802154_ATTR_BAT_EXT] = { .type = NLA_U8, },
+       [IEEE802154_ATTR_COORD_REALIGN] = { .type = NLA_U8, },
+       [IEEE802154_ATTR_PAGE] = { .type = NLA_U8, },
++      [IEEE802154_ATTR_DEV_TYPE] = { .type = NLA_U8, },
+       [IEEE802154_ATTR_COORD_SHORT_ADDR] = { .type = NLA_U16, },
+       [IEEE802154_ATTR_COORD_HW_ADDR] = { .type = NLA_HW_ADDR, },
+       [IEEE802154_ATTR_COORD_PAN_ID] = { .type = NLA_U16, },
diff --git a/queue-5.4/nl802154-add-missing-attribute-validation.patch b/queue-5.4/nl802154-add-missing-attribute-validation.patch
new file mode 100644 (file)
index 0000000..883413a
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:14 -0800
+Subject: nl802154: add missing attribute validation
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 9322cd7c4af2ccc7fe7c5f01adb53f4f77949e92 ]
+
+Add missing attribute validation for several u8 types.
+
+Fixes: 2c21d11518b6 ("net: add NL802154 interface for configuration of 802.15.4 devices")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl_policy.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ieee802154/nl_policy.c
++++ b/net/ieee802154/nl_policy.c
+@@ -21,6 +21,11 @@ const struct nla_policy ieee802154_polic
+       [IEEE802154_ATTR_HW_ADDR] = { .type = NLA_HW_ADDR, },
+       [IEEE802154_ATTR_PAN_ID] = { .type = NLA_U16, },
+       [IEEE802154_ATTR_CHANNEL] = { .type = NLA_U8, },
++      [IEEE802154_ATTR_BCN_ORD] = { .type = NLA_U8, },
++      [IEEE802154_ATTR_SF_ORD] = { .type = NLA_U8, },
++      [IEEE802154_ATTR_PAN_COORD] = { .type = NLA_U8, },
++      [IEEE802154_ATTR_BAT_EXT] = { .type = NLA_U8, },
++      [IEEE802154_ATTR_COORD_REALIGN] = { .type = NLA_U8, },
+       [IEEE802154_ATTR_PAGE] = { .type = NLA_U8, },
+       [IEEE802154_ATTR_COORD_SHORT_ADDR] = { .type = NLA_U16, },
+       [IEEE802154_ATTR_COORD_HW_ADDR] = { .type = NLA_HW_ADDR, },
diff --git a/queue-5.4/r8152-check-disconnect-status-after-long-sleep.patch b/queue-5.4/r8152-check-disconnect-status-after-long-sleep.patch
new file mode 100644 (file)
index 0000000..48e9af3
--- /dev/null
@@ -0,0 +1,124 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: You-Sheng Yang <vicamo.yang@canonical.com>
+Date: Wed, 26 Feb 2020 23:37:10 +0800
+Subject: r8152: check disconnect status after long sleep
+
+From: You-Sheng Yang <vicamo.yang@canonical.com>
+
+[ Upstream commit d64c7a08034b32c285e576208ae44fc3ba3fa7df ]
+
+Dell USB Type C docking WD19/WD19DC attaches additional peripherals as:
+
+  /: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 5000M
+      |__ Port 1: Dev 11, If 0, Class=Hub, Driver=hub/4p, 5000M
+          |__ Port 3: Dev 12, If 0, Class=Hub, Driver=hub/4p, 5000M
+          |__ Port 4: Dev 13, If 0, Class=Vendor Specific Class,
+              Driver=r8152, 5000M
+
+where usb 2-1-3 is a hub connecting all USB Type-A/C ports on the dock.
+
+When hotplugging such dock with additional usb devices already attached on
+it, the probing process may reset usb 2.1 port, therefore r8152 ethernet
+device is also reset. However, during r8152 device init there are several
+for-loops that, when it's unable to retrieve hardware registers due to
+being disconnected from USB, may take up to 14 seconds each in practice,
+and that has to be completed before USB may re-enumerate devices on the
+bus. As a result, devices attached to the dock will only be available
+after nearly 1 minute after the dock was plugged in:
+
+  [ 216.388290] [250] r8152 2-1.4:1.0: usb_probe_interface
+  [ 216.388292] [250] r8152 2-1.4:1.0: usb_probe_interface - got id
+  [ 258.830410] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): PHY not ready
+  [ 258.830460] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): Invalid header when reading pass-thru MAC addr
+  [ 258.830464] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): Get ether addr fail
+
+This happens in, for example, r8153_init:
+
+  static int generic_ocp_read(struct r8152 *tp, u16 index, u16 size,
+                           void *data, u16 type)
+  {
+    if (test_bit(RTL8152_UNPLUG, &tp->flags))
+      return -ENODEV;
+    ...
+  }
+
+  static u16 ocp_read_word(struct r8152 *tp, u16 type, u16 index)
+  {
+    u32 data;
+    ...
+    generic_ocp_read(tp, index, sizeof(tmp), &tmp, type | byen);
+
+    data = __le32_to_cpu(tmp);
+    ...
+    return (u16)data;
+  }
+
+  static void r8153_init(struct r8152 *tp)
+  {
+    ...
+    if (test_bit(RTL8152_UNPLUG, &tp->flags))
+      return;
+
+    for (i = 0; i < 500; i++) {
+      if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_BOOT_CTRL) &
+          AUTOLOAD_DONE)
+        break;
+      msleep(20);
+    }
+    ...
+  }
+
+Since ocp_read_word() doesn't check the return status of
+generic_ocp_read(), and the only exit condition for the loop is to have
+a match in the returned value, such loops will only ends after exceeding
+its maximum runs when the device has been marked as disconnected, which
+takes 500 * 20ms = 10 seconds in theory, 14 in practice.
+
+To solve this long latency another test to RTL8152_UNPLUG flag should be
+added after those 20ms sleep to skip unnecessary loops, so that the device
+probe can complete early and proceed to parent port reset/reprobe process.
+
+This can be reproduced on all kernel versions up to latest v5.6-rc2, but
+after v5.5-rc7 the reproduce rate is dramatically lowered to 1/30 or less
+while it was around 1/2.
+
+Signed-off-by: You-Sheng Yang <vicamo.yang@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/r8152.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -3006,6 +3006,8 @@ static u16 r8153_phy_status(struct r8152
+               }
+               msleep(20);
++              if (test_bit(RTL8152_UNPLUG, &tp->flags))
++                      break;
+       }
+       return data;
+@@ -4419,7 +4421,10 @@ static void r8153_init(struct r8152 *tp)
+               if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_BOOT_CTRL) &
+                   AUTOLOAD_DONE)
+                       break;
++
+               msleep(20);
++              if (test_bit(RTL8152_UNPLUG, &tp->flags))
++                      break;
+       }
+       data = r8153_phy_status(tp, 0);
+@@ -4545,7 +4550,10 @@ static void r8153b_init(struct r8152 *tp
+               if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_BOOT_CTRL) &
+                   AUTOLOAD_DONE)
+                       break;
++
+               msleep(20);
++              if (test_bit(RTL8152_UNPLUG, &tp->flags))
++                      break;
+       }
+       data = r8153_phy_status(tp, 0);
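Review bot: After the new `break` in r8153_init and r8153b_init, execution falls through to `data = r8153_phy_status(tp, 0);` and the rest of the init sequence with the device already marked RTL8152_UNPLUG. That is only cheap because, per the commit message, generic_ocp_read() returns -ENODEV at once when the flag is set; ocp_read_word() still ignores that return value, so what it hands back in that state is not meaningful. Since both init functions are `void`, either say so at the break, `/* unplugged: remaining OCP accesses fail fast, values read are not valid */`, or leave with `return;` if nothing after the loop has to run for a detached device. The code after the loop is outside the hunks, so that needs checking. The same applies to the r8153_phy_status hunk, which returns `data` after breaking.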
diff --git a/queue-5.4/selftests-net-fib_tests-update-addr_metric_test-for-peer-route-testing.patch b/queue-5.4/selftests-net-fib_tests-update-addr_metric_test-for-peer-route-testing.patch
new file mode 100644 (file)
index 0000000..33ee099
--- /dev/null
@@ -0,0 +1,77 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Tue, 3 Mar 2020 14:37:36 +0800
+Subject: selftests/net/fib_tests: update addr_metric_test for peer route testing
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 0d29169a708bf730ede287248e429d579f432d1d ]
+
+This patch update {ipv4, ipv6}_addr_metric_test with
+1. Set metric of address with peer route and see if the route added
+correctly.
+2. Modify metric and peer address for peer route and see if the route
+changed correctly.
+
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/fib_tests.sh |   34 ++++++++++++++++++++++++++++---
+ 1 file changed, 31 insertions(+), 3 deletions(-)
+
+--- a/tools/testing/selftests/net/fib_tests.sh
++++ b/tools/testing/selftests/net/fib_tests.sh
+@@ -1041,6 +1041,27 @@ ipv6_addr_metric_test()
+       fi
+       log_test $rc 0 "Prefix route with metric on link up"
++      # verify peer metric added correctly
++      set -e
++      run_cmd "$IP -6 addr flush dev dummy2"
++      run_cmd "$IP -6 addr add dev dummy2 2001:db8:104::1 peer 2001:db8:104::2 metric 260"
++      set +e
++
++      check_route6 "2001:db8:104::1 dev dummy2 proto kernel metric 260"
++      log_test $? 0 "Set metric with peer route on local side"
++      log_test $? 0 "User specified metric on local address"
++      check_route6 "2001:db8:104::2 dev dummy2 proto kernel metric 260"
++      log_test $? 0 "Set metric with peer route on peer side"
++
++      set -e
++      run_cmd "$IP -6 addr change dev dummy2 2001:db8:104::1 peer 2001:db8:104::3 metric 261"
++      set +e
++
++      check_route6 "2001:db8:104::1 dev dummy2 proto kernel metric 261"
++      log_test $? 0 "Modify metric and peer address on local side"
++      check_route6 "2001:db8:104::3 dev dummy2 proto kernel metric 261"
++      log_test $? 0 "Modify metric and peer address on peer side"
++
+       $IP li del dummy1
+       $IP li del dummy2
+       cleanup
+@@ -1457,13 +1478,20 @@ ipv4_addr_metric_test()
+       run_cmd "$IP addr flush dev dummy2"
+       run_cmd "$IP addr add dev dummy2 172.16.104.1/32 peer 172.16.104.2 metric 260"
+-      run_cmd "$IP addr change dev dummy2 172.16.104.1/32 peer 172.16.104.2 metric 261"
+       rc=$?
+       if [ $rc -eq 0 ]; then
+-              check_route "172.16.104.2 dev dummy2 proto kernel scope link src 172.16.104.1 metric 261"
++              check_route "172.16.104.2 dev dummy2 proto kernel scope link src 172.16.104.1 metric 260"
++              rc=$?
++      fi
++      log_test $rc 0 "Set metric of address with peer route"
++
++      run_cmd "$IP addr change dev dummy2 172.16.104.1/32 peer 172.16.104.3 metric 261"
++      rc=$?
++      if [ $rc -eq 0 ]; then
++              check_route "172.16.104.3 dev dummy2 proto kernel scope link src 172.16.104.1 metric 261"
+               rc=$?
+       fi
+-      log_test $rc 0 "Modify metric of address with peer route"
++      log_test $rc 0 "Modify metric and peer address for peer route"
+       $IP li del dummy1
+       $IP li del dummy2
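Review bot: In the added IPv6 block, `log_test $? 0 "User specified metric on local address"` follows directly after another `log_test $? 0 ...`, so its `$?` is the exit status of the preceding log_test call, not of `check_route6`. The line looks like a leftover. Either drop it, or capture the result once with `rc=$?` right after `check_route6` and pass `$rc` to the log_test call that is meant to report it. ipv6_addr_metric_test starts outside the hunk.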
index 211ac97523e8e8e7f27399b9fff2cd54c6849b1c..4b3e040780b545e9822439f573f77a959dc9d2d5 100644 (file)
@@ -2,3 +2,55 @@ virtio_balloon-adjust-label-in-virtballoon_probe.patch
 alsa-hda-realtek-more-constifications.patch
 alsa-hda-realtek-add-headset-mic-supported-for-hp-cpc.patch
 alsa-hda-realtek-fixed-one-of-hp-alc671-platform-headset-mic-supported.patch
+cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch
+gre-fix-uninit-value-in-__iptunnel_pull_header.patch
+inet_diag-return-classid-for-all-socket-types.patch
+ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch
+ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch
+ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch
+ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch
+ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch
+macvlan-add-cond_resched-during-multicast-processing.patch
+net-dsa-fix-phylink_start-phylink_stop-calls.patch
+net-dsa-mv88e6xxx-fix-lockup-on-warm-boot.patch
+net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch
+net-hns3-fix-a-not-link-up-issue-when-fibre-port-supports-autoneg.patch
+net-ipv6-use-configured-metric-when-add-peer-route.patch
+netlink-use-netlink-header-as-base-to-calculate-bad-attribute-offset.patch
+net-macsec-update-sci-upon-mac-address-change.patch
+net-nfc-fix-bounds-checking-bugs-on-pipe.patch
+net-packet-tpacket_rcv-do-not-increment-ring-index-on-drop.patch
+net-phy-bcm63xx-fix-oops-due-to-missing-driver-name.patch
+net-stmmac-dwmac1000-disable-acs-if-enhanced-descs-are-not-used.patch
+net-systemport-fix-index-check-to-avoid-an-array-out-of-bounds-access.patch
+r8152-check-disconnect-status-after-long-sleep.patch
+sfc-detach-from-cb_page-in-efx_copy_channel.patch
+slip-make-slhc_compress-more-robust-against-malicious-packets.patch
+taprio-fix-sending-packets-without-dequeueing-them.patch
+bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch
+bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch
+bnxt_en-fix-error-handling-when-flashing-from-file.patch
+cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch
+net-memcg-late-association-of-sock-to-memcg.patch
+net-memcg-fix-lockdep-splat-in-inet_csk_accept.patch
+devlink-validate-length-of-param-values.patch
+devlink-validate-length-of-region-addr-len.patch
+fib-add-missing-attribute-validation-for-tun_id.patch
+nl802154-add-missing-attribute-validation.patch
+nl802154-add-missing-attribute-validation-for-dev_type.patch
+can-add-missing-attribute-validation-for-termination.patch
+macsec-add-missing-attribute-validation-for-port.patch
+net-fq-add-missing-attribute-validation-for-orphan-mask.patch
+net-taprio-add-missing-attribute-validation-for-txtime-delay.patch
+team-add-missing-attribute-validation-for-port-ifindex.patch
+team-add-missing-attribute-validation-for-array-index.patch
+tipc-add-missing-attribute-validation-for-mtu-property.patch
+nfc-add-missing-attribute-validation-for-se-api.patch
+nfc-add-missing-attribute-validation-for-deactivate-target.patch
+nfc-add-missing-attribute-validation-for-vendor-subcommand.patch
+net-phy-avoid-clearing-phy-interrupts-twice-in-irq-handler.patch
+net-phy-fix-mdio-bus-pm-phy-resuming.patch
+net-ipv6-need-update-peer-route-when-modify-metric.patch
+net-ipv6-remove-the-old-peer-route-if-change-it-to-a-new-one.patch
+selftests-net-fib_tests-update-addr_metric_test-for-peer-route-testing.patch
+net-dsa-don-t-instantiate-phylink-for-cpu-dsa-ports-unless-needed.patch
diff --git a/queue-5.4/sfc-detach-from-cb_page-in-efx_copy_channel.patch b/queue-5.4/sfc-detach-from-cb_page-in-efx_copy_channel.patch
new file mode 100644 (file)
index 0000000..86ebed2
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Edward Cree <ecree@solarflare.com>
+Date: Mon, 9 Mar 2020 18:16:24 +0000
+Subject: sfc: detach from cb_page in efx_copy_channel()
+
+From: Edward Cree <ecree@solarflare.com>
+
+[ Upstream commit 4b1bd9db078f7d5332c8601a2f5bd43cf0458fd4 ]
+
+It's a resource, not a parameter, so we can't copy it into the new
+ channel's TX queues, otherwise aliasing will lead to resource-
+ management bugs if the channel is subsequently torn down without
+ being initialised.
+
+Before the Fixes:-tagged commit there was a similar bug with
+ tsoh_page, but I'm not sure it's worth doing another fix for such
+ old kernels.
+
+Fixes: e9117e5099ea ("sfc: Firmware-Assisted TSO version 2")
+Suggested-by: Derek Shute <Derek.Shute@stratus.com>
+Signed-off-by: Edward Cree <ecree@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/sfc/efx.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/sfc/efx.c
++++ b/drivers/net/ethernet/sfc/efx.c
+@@ -519,6 +519,7 @@ efx_copy_channel(const struct efx_channe
+               if (tx_queue->channel)
+                       tx_queue->channel = channel;
+               tx_queue->buffer = NULL;
++              tx_queue->cb_page = NULL;
+               memset(&tx_queue->txd, 0, sizeof(tx_queue->txd));
+       }
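Review bot: `tx_queue->cb_page = NULL;` joins `buffer` and `txd` in a set of fields reset by hand for the copied channel, and nothing at the site says these are the resource-owning members. A comment above the resets, such as `/* owned resources must not be aliased by the copy; clear every one */`, would make it harder to miss the next such field; the commit message notes tsoh_page had the same problem earlier. efx_copy_channel starts and ends outside the hunk.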
diff --git a/queue-5.4/slip-make-slhc_compress-more-robust-against-malicious-packets.patch b/queue-5.4/slip-make-slhc_compress-more-robust-against-malicious-packets.patch
new file mode 100644 (file)
index 0000000..cb950af
--- /dev/null
@@ -0,0 +1,119 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 4 Mar 2020 15:51:43 -0800
+Subject: slip: make slhc_compress() more robust against malicious packets
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 110a40dfb708fe940a3f3704d470e431c368d256 ]
+
+Before accessing various fields in IPV4 network header
+and TCP header, make sure the packet :
+
+- Has IP version 4 (ip->version == 4)
+- Has not a silly network length (ip->ihl >= 5)
+- Is big enough to hold network and transport headers
+- Has not a silly TCP header size (th->doff >= sizeof(struct tcphdr) / 4)
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270
+CPU: 0 PID: 11728 Comm: syz-executor231 Not tainted 5.6.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270
+ ppp_send_frame drivers/net/ppp/ppp_generic.c:1637 [inline]
+ __ppp_xmit_process+0x1902/0x2970 drivers/net/ppp/ppp_generic.c:1495
+ ppp_xmit_process+0x147/0x2f0 drivers/net/ppp/ppp_generic.c:1516
+ ppp_write+0x6bb/0x790 drivers/net/ppp/ppp_generic.c:512
+ do_loop_readv_writev fs/read_write.c:717 [inline]
+ do_iter_write+0x812/0xdc0 fs/read_write.c:1000
+ compat_writev+0x2df/0x5a0 fs/read_write.c:1351
+ do_compat_pwritev64 fs/read_write.c:1400 [inline]
+ __do_compat_sys_pwritev fs/read_write.c:1420 [inline]
+ __se_compat_sys_pwritev fs/read_write.c:1414 [inline]
+ __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7f7cd99
+Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
+RSP: 002b:00000000ffdb84ac EFLAGS: 00000217 ORIG_RAX: 000000000000014e
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200001c0
+RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 0000000040047459 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
+ slab_alloc_node mm/slub.c:2793 [inline]
+ __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
+ __kmalloc_reserve net/core/skbuff.c:142 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
+ alloc_skb include/linux/skbuff.h:1051 [inline]
+ ppp_write+0x115/0x790 drivers/net/ppp/ppp_generic.c:500
+ do_loop_readv_writev fs/read_write.c:717 [inline]
+ do_iter_write+0x812/0xdc0 fs/read_write.c:1000
+ compat_writev+0x2df/0x5a0 fs/read_write.c:1351
+ do_compat_pwritev64 fs/read_write.c:1400 [inline]
+ __do_compat_sys_pwritev fs/read_write.c:1420 [inline]
+ __se_compat_sys_pwritev fs/read_write.c:1414 [inline]
+ __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+
+Fixes: b5451d783ade ("slip: Move the SLIP drivers")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/slip/slhc.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/slip/slhc.c
++++ b/drivers/net/slip/slhc.c
+@@ -232,7 +232,7 @@ slhc_compress(struct slcompress *comp, u
+       struct cstate *cs = lcs->next;
+       unsigned long deltaS, deltaA;
+       short changes = 0;
+-      int hlen;
++      int nlen, hlen;
+       unsigned char new_seq[16];
+       unsigned char *cp = new_seq;
+       struct iphdr *ip;
+@@ -248,6 +248,8 @@ slhc_compress(struct slcompress *comp, u
+               return isize;
+       ip = (struct iphdr *) icp;
++      if (ip->version != 4 || ip->ihl < 5)
++              return isize;
+       /* Bail if this packet isn't TCP, or is an IP fragment */
+       if (ip->protocol != IPPROTO_TCP || (ntohs(ip->frag_off) & 0x3fff)) {
+@@ -258,10 +260,14 @@ slhc_compress(struct slcompress *comp, u
+                       comp->sls_o_tcp++;
+               return isize;
+       }
+-      /* Extract TCP header */
++      nlen = ip->ihl * 4;
++      if (isize < nlen + sizeof(*th))
++              return isize;
+-      th = (struct tcphdr *)(((unsigned char *)ip) + ip->ihl*4);
+-      hlen = ip->ihl*4 + th->doff*4;
++      th = (struct tcphdr *)(icp + nlen);
++      if (th->doff < sizeof(struct tcphdr) / 4)
++              return isize;
++      hlen = nlen + th->doff * 4;
+       /*  Bail if the TCP packet isn't `compressible' (i.e., ACK isn't set or
+        *  some other control bit is set). Also uncompressible if
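Review bot: The two header-length floors are written differently: `ip->ihl < 5` uses a bare constant while the TCP side uses `th->doff < sizeof(struct tcphdr) / 4`. I would write the first as `ip->ihl < sizeof(struct iphdr) / 4` so both checks read the same way. The new block also drops the old `/* Extract TCP header */` comment without a replacement; something like `/* IP header incl. options plus a minimal TCP header must fit in isize before th is read */` above the `nlen` check would record why the order matters. slhc_compress continues outside the hunk, where `hlen` is presumably compared with `isize`; that is worth confirming, since `hlen` is built from the packet-supplied `doff`.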
diff --git a/queue-5.4/taprio-fix-sending-packets-without-dequeueing-them.patch b/queue-5.4/taprio-fix-sending-packets-without-dequeueing-them.patch
new file mode 100644 (file)
index 0000000..34f63f7
--- /dev/null
@@ -0,0 +1,185 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Date: Mon, 9 Mar 2020 10:39:53 -0700
+Subject: taprio: Fix sending packets without dequeueing them
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit b09fe70ef520e011ba4a64f4b93f948a8f14717b ]
+
+There was a bug that was causing packets to be sent to the driver
+without first calling dequeue() on the "child" qdisc. And the KASAN
+report below shows that sending a packet without calling dequeue()
+leads to bad results.
+
+The problem is that when checking the last qdisc "child" we do not set
+the returned skb to NULL, which can cause it to be sent to the driver,
+and so after the skb is sent, it may be freed, and in some situations a
+reference to it may still be in the child qdisc, because it was never
+dequeued.
+
+The crash log looks like this:
+
+[   19.937538] ==================================================================
+[   19.938300] BUG: KASAN: use-after-free in taprio_dequeue_soft+0x620/0x780
+[   19.938968] Read of size 4 at addr ffff8881128628cc by task swapper/1/0
+[   19.939612]
+[   19.939772] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc3+ #97
+[   19.940397] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qe4
+[   19.941523] Call Trace:
+[   19.941774]  <IRQ>
+[   19.941985]  dump_stack+0x97/0xe0
+[   19.942323]  print_address_description.constprop.0+0x3b/0x60
+[   19.942884]  ? taprio_dequeue_soft+0x620/0x780
+[   19.943325]  ? taprio_dequeue_soft+0x620/0x780
+[   19.943767]  __kasan_report.cold+0x1a/0x32
+[   19.944173]  ? taprio_dequeue_soft+0x620/0x780
+[   19.944612]  kasan_report+0xe/0x20
+[   19.944954]  taprio_dequeue_soft+0x620/0x780
+[   19.945380]  __qdisc_run+0x164/0x18d0
+[   19.945749]  net_tx_action+0x2c4/0x730
+[   19.946124]  __do_softirq+0x268/0x7bc
+[   19.946491]  irq_exit+0x17d/0x1b0
+[   19.946824]  smp_apic_timer_interrupt+0xeb/0x380
+[   19.947280]  apic_timer_interrupt+0xf/0x20
+[   19.947687]  </IRQ>
+[   19.947912] RIP: 0010:default_idle+0x2d/0x2d0
+[   19.948345] Code: 00 00 41 56 41 55 65 44 8b 2d 3f 8d 7c 7c 41 54 55 53 0f 1f 44 00 00 e8 b1 b2 c5 fd e9 07 00 3
+[   19.950166] RSP: 0018:ffff88811a3efda0 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
+[   19.950909] RAX: 0000000080000000 RBX: ffff88811a3a9600 RCX: ffffffff8385327e
+[   19.951608] RDX: 1ffff110234752c0 RSI: 0000000000000000 RDI: ffffffff8385262f
+[   19.952309] RBP: ffffed10234752c0 R08: 0000000000000001 R09: ffffed10234752c1
+[   19.953009] R10: ffffed10234752c0 R11: ffff88811a3a9607 R12: 0000000000000001
+[   19.953709] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
+[   19.954408]  ? default_idle_call+0x2e/0x70
+[   19.954816]  ? default_idle+0x1f/0x2d0
+[   19.955192]  default_idle_call+0x5e/0x70
+[   19.955584]  do_idle+0x3d4/0x500
+[   19.955909]  ? arch_cpu_idle_exit+0x40/0x40
+[   19.956325]  ? _raw_spin_unlock_irqrestore+0x23/0x30
+[   19.956829]  ? trace_hardirqs_on+0x30/0x160
+[   19.957242]  cpu_startup_entry+0x19/0x20
+[   19.957633]  start_secondary+0x2a6/0x380
+[   19.958026]  ? set_cpu_sibling_map+0x18b0/0x18b0
+[   19.958486]  secondary_startup_64+0xa4/0xb0
+[   19.958921]
+[   19.959078] Allocated by task 33:
+[   19.959412]  save_stack+0x1b/0x80
+[   19.959747]  __kasan_kmalloc.constprop.0+0xc2/0xd0
+[   19.960222]  kmem_cache_alloc+0xe4/0x230
+[   19.960617]  __alloc_skb+0x91/0x510
+[   19.960967]  ndisc_alloc_skb+0x133/0x330
+[   19.961358]  ndisc_send_ns+0x134/0x810
+[   19.961735]  addrconf_dad_work+0xad5/0xf80
+[   19.962144]  process_one_work+0x78e/0x13a0
+[   19.962551]  worker_thread+0x8f/0xfa0
+[   19.962919]  kthread+0x2ba/0x3b0
+[   19.963242]  ret_from_fork+0x3a/0x50
+[   19.963596]
+[   19.963753] Freed by task 33:
+[   19.964055]  save_stack+0x1b/0x80
+[   19.964386]  __kasan_slab_free+0x12f/0x180
+[   19.964830]  kmem_cache_free+0x80/0x290
+[   19.965231]  ip6_mc_input+0x38a/0x4d0
+[   19.965617]  ipv6_rcv+0x1a4/0x1d0
+[   19.965948]  __netif_receive_skb_one_core+0xf2/0x180
+[   19.966437]  netif_receive_skb+0x8c/0x3c0
+[   19.966846]  br_handle_frame_finish+0x779/0x1310
+[   19.967302]  br_handle_frame+0x42a/0x830
+[   19.967694]  __netif_receive_skb_core+0xf0e/0x2a90
+[   19.968167]  __netif_receive_skb_one_core+0x96/0x180
+[   19.968658]  process_backlog+0x198/0x650
+[   19.969047]  net_rx_action+0x2fa/0xaa0
+[   19.969420]  __do_softirq+0x268/0x7bc
+[   19.969785]
+[   19.969940] The buggy address belongs to the object at ffff888112862840
+[   19.969940]  which belongs to the cache skbuff_head_cache of size 224
+[   19.971202] The buggy address is located 140 bytes inside of
+[   19.971202]  224-byte region [ffff888112862840, ffff888112862920)
+[   19.972344] The buggy address belongs to the page:
+[   19.972820] page:ffffea00044a1800 refcount:1 mapcount:0 mapping:ffff88811a2bd1c0 index:0xffff8881128625c0 compo0
+[   19.973930] flags: 0x8000000000010200(slab|head)
+[   19.974388] raw: 8000000000010200 ffff88811a2ed650 ffff88811a2ed650 ffff88811a2bd1c0
+[   19.975151] raw: ffff8881128625c0 0000000000190013 00000001ffffffff 0000000000000000
+[   19.975915] page dumped because: kasan: bad access detected
+[   19.976461] page_owner tracks the page as allocated
+[   19.976946] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NO)
+[   19.978332]  prep_new_page+0x24b/0x330
+[   19.978707]  get_page_from_freelist+0x2057/0x2c90
+[   19.979170]  __alloc_pages_nodemask+0x218/0x590
+[   19.979619]  new_slab+0x9d/0x300
+[   19.979948]  ___slab_alloc.constprop.0+0x2f9/0x6f0
+[   19.980421]  __slab_alloc.constprop.0+0x30/0x60
+[   19.980870]  kmem_cache_alloc+0x201/0x230
+[   19.981269]  __alloc_skb+0x91/0x510
+[   19.981620]  alloc_skb_with_frags+0x78/0x4a0
+[   19.982043]  sock_alloc_send_pskb+0x5eb/0x750
+[   19.982476]  unix_stream_sendmsg+0x399/0x7f0
+[   19.982904]  sock_sendmsg+0xe2/0x110
+[   19.983262]  ____sys_sendmsg+0x4de/0x6d0
+[   19.983660]  ___sys_sendmsg+0xe4/0x160
+[   19.984032]  __sys_sendmsg+0xab/0x130
+[   19.984396]  do_syscall_64+0xe7/0xae0
+[   19.984761] page last free stack trace:
+[   19.985142]  __free_pages_ok+0x432/0xbc0
+[   19.985533]  qlist_free_all+0x56/0xc0
+[   19.985907]  quarantine_reduce+0x149/0x170
+[   19.986315]  __kasan_kmalloc.constprop.0+0x9e/0xd0
+[   19.986791]  kmem_cache_alloc+0xe4/0x230
+[   19.987182]  prepare_creds+0x24/0x440
+[   19.987548]  do_faccessat+0x80/0x590
+[   19.987906]  do_syscall_64+0xe7/0xae0
+[   19.988276]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[   19.988775]
+[   19.988930] Memory state around the buggy address:
+[   19.989402]  ffff888112862780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   19.990111]  ffff888112862800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+[   19.990822] >ffff888112862880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[   19.991529]                                               ^
+[   19.992081]  ffff888112862900: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
+[   19.992796]  ffff888112862980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler")
+Reported-by: Michael Schmidt <michael.schmidt@eti.uni-siegen.de>
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Acked-by: Andre Guedes <andre.guedes@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_taprio.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/sched/sch_taprio.c
++++ b/net/sched/sch_taprio.c
+@@ -564,8 +564,10 @@ static struct sk_buff *taprio_dequeue_so
+               prio = skb->priority;
+               tc = netdev_get_prio_tc_map(dev, prio);
+-              if (!(gate_mask & BIT(tc)))
++              if (!(gate_mask & BIT(tc))) {
++                      skb = NULL;
+                       continue;
++              }
+               len = qdisc_pkt_len(skb);
+               guard = ktime_add_ns(taprio_get_time(q),
+@@ -575,13 +577,17 @@ static struct sk_buff *taprio_dequeue_so
+                * guard band ...
+                */
+               if (gate_mask != TAPRIO_ALL_GATES_OPEN &&
+-                  ktime_after(guard, entry->close_time))
++                  ktime_after(guard, entry->close_time)) {
++                      skb = NULL;
+                       continue;
++              }
+               /* ... and no budget. */
+               if (gate_mask != TAPRIO_ALL_GATES_OPEN &&
+-                  atomic_sub_return(len, &entry->budget) < 0)
++                  atomic_sub_return(len, &entry->budget) < 0) {
++                      skb = NULL;
+                       continue;
++              }
+               skb = child->ops->dequeue(child);
+               if (unlikely(!skb))
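Review bot: The three `skb = NULL; continue;` pairs added across both sch_taprio.c hunks fix the reported case but leave the hazard in place: until the `child->ops->dequeue(child)` call, `skb` appears to hold a packet that was inspected but not dequeued, so any skip path added later must also remember to clear it. The commit message attributes the KASAN use-after-free to exactly such a missing clear on the last child. A comment at the first site, e.g. `/* skb was not dequeued; clear it so it can never be returned to the caller */`, would record the invariant, and holding the inspected packet in a separate local would remove the need for it. taprio_dequeue_soft starts and ends outside these hunks, so the loop header and the return path cannot be checked from here.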
diff --git a/queue-5.4/team-add-missing-attribute-validation-for-array-index.patch b/queue-5.4/team-add-missing-attribute-validation-for-array-index.patch
new file mode 100644 (file)
index 0000000..cc7b965
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:22 -0800
+Subject: team: add missing attribute validation for array index
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 669fcd7795900cd1880237cbbb57a7db66cb9ac8 ]
+
+Add missing attribute validation for TEAM_ATTR_OPTION_ARRAY_INDEX
+to the netlink policy.
+
+Fixes: b13033262d24 ("team: introduce array options")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2241,6 +2241,7 @@ team_nl_option_policy[TEAM_ATTR_OPTION_M
+       [TEAM_ATTR_OPTION_TYPE]                 = { .type = NLA_U8 },
+       [TEAM_ATTR_OPTION_DATA]                 = { .type = NLA_BINARY },
+       [TEAM_ATTR_OPTION_PORT_IFINDEX]         = { .type = NLA_U32 },
++      [TEAM_ATTR_OPTION_ARRAY_INDEX]          = { .type = NLA_U32 },
+ };
+ static int team_nl_cmd_noop(struct sk_buff *skb, struct genl_info *info)
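Review bot: This patch has an ordering dependency. Its context already contains the `[TEAM_ATTR_OPTION_PORT_IFINDEX] = { .type = NLA_U32 },` line, which is only added by team-add-missing-attribute-validation-for-port-ifindex.patch later in this same commit. It will therefore apply cleanly only if the queue's series file, which is not visible here, lists the port-ifindex patch first. Separately, `NLA_U32` constrains only the attribute's payload length, so any bound on the index value has to be enforced by the code that reads `TEAM_ATTR_OPTION_ARRAY_INDEX`, which is outside this hunk.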
diff --git a/queue-5.4/team-add-missing-attribute-validation-for-port-ifindex.patch b/queue-5.4/team-add-missing-attribute-validation-for-port-ifindex.patch
new file mode 100644 (file)
index 0000000..b18015c
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:21 -0800
+Subject: team: add missing attribute validation for port ifindex
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit dd25cb272ccce4db67dc8509278229099e4f5e99 ]
+
+Add missing attribute validation for TEAM_ATTR_OPTION_PORT_IFINDEX
+to the netlink policy.
+
+Fixes: 80f7c6683fe0 ("team: add support for per-port options")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2240,6 +2240,7 @@ team_nl_option_policy[TEAM_ATTR_OPTION_M
+       [TEAM_ATTR_OPTION_CHANGED]              = { .type = NLA_FLAG },
+       [TEAM_ATTR_OPTION_TYPE]                 = { .type = NLA_U8 },
+       [TEAM_ATTR_OPTION_DATA]                 = { .type = NLA_BINARY },
++      [TEAM_ATTR_OPTION_PORT_IFINDEX]         = { .type = NLA_U32 },
+ };
+ static int team_nl_cmd_noop(struct sk_buff *skb, struct genl_info *info)
diff --git a/queue-5.4/tipc-add-missing-attribute-validation-for-mtu-property.patch b/queue-5.4/tipc-add-missing-attribute-validation-for-mtu-property.patch
new file mode 100644 (file)
index 0000000..75586b9
--- /dev/null
@@ -0,0 +1,31 @@
+From foo@baz Sun 15 Mar 2020 09:33:48 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:23 -0800
+Subject: tipc: add missing attribute validation for MTU property
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 213320a67962ff6e7b83b704d55cbebc341426db ]
+
+Add missing attribute validation for TIPC_NLA_PROP_MTU
+to the netlink policy.
+
+Fixes: 901271e0403a ("tipc: implement configuration of UDP media MTU")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/netlink.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/tipc/netlink.c
++++ b/net/tipc/netlink.c
+@@ -111,6 +111,7 @@ const struct nla_policy tipc_nl_prop_pol
+       [TIPC_NLA_PROP_PRIO]            = { .type = NLA_U32 },
+       [TIPC_NLA_PROP_TOL]             = { .type = NLA_U32 },
+       [TIPC_NLA_PROP_WIN]             = { .type = NLA_U32 },
++      [TIPC_NLA_PROP_MTU]             = { .type = NLA_U32 },
+       [TIPC_NLA_PROP_BROADCAST]       = { .type = NLA_U32 },
+       [TIPC_NLA_PROP_BROADCAST_RATIO] = { .type = NLA_U32 }
+ };