--- /dev/null
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Wei Wang <weiwan@google.com>
+Date: Thu, 16 May 2019 13:30:54 -0700
+Subject: ipv6: fix src addr routing with the exception table
+
+From: Wei Wang <weiwan@google.com>
+
+[ Upstream commit 510e2ceda031eed97a7a0f9aad65d271a58b460d ]
+
+When inserting route cache into the exception table, the key is
+generated with both src_addr and dest_addr with src addr routing.
+However, current logic always assumes the src_addr used to generate the
+key is a /128 host address. This is not true in the following scenarios:
+1. When the route is a gateway route or does not have next hop.
+ (rt6_is_gw_or_nonexthop() == false)
+2. When calling ip6_rt_cache_alloc(), saddr is passed in as NULL.
+This means, when looking for a route cache in the exception table, we
+have to do the lookup twice: first time with the passed in /128 host
+address, second time with the src_addr stored in fib6_info.
+
+This solves the pmtu discovery issue reported by Mikael Magnusson where
+a route cache with a lower mtu info is created for a gateway route with
+src addr. However, the lookup code is not able to find this route cache.
+
+Fixes: 2b760fcf5cfb ("ipv6: hook up exception table to store dst cache")
+Reported-by: Mikael Magnusson <mikael.kernel@lists.m7n.se>
+Bisected-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Wei Wang <weiwan@google.com>
+Cc: Martin Lau <kafai@fb.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 51 +++++++++++++++++++++++++++------------------------
+ 1 file changed, 27 insertions(+), 24 deletions(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -110,8 +110,8 @@ static int rt6_fill_node(struct net *net
+ int iif, int type, u32 portid, u32 seq,
+ unsigned int flags);
+ static struct rt6_info *rt6_find_cached_rt(struct fib6_info *rt,
+- struct in6_addr *daddr,
+- struct in6_addr *saddr);
++ const struct in6_addr *daddr,
++ const struct in6_addr *saddr);
+
+ #ifdef CONFIG_IPV6_ROUTE_INFO
+ static struct fib6_info *rt6_add_route_info(struct net *net,
+@@ -1542,31 +1542,44 @@ out:
+ * Caller has to hold rcu_read_lock()
+ */
+ static struct rt6_info *rt6_find_cached_rt(struct fib6_info *rt,
+- struct in6_addr *daddr,
+- struct in6_addr *saddr)
++ const struct in6_addr *daddr,
++ const struct in6_addr *saddr)
+ {
++ const struct in6_addr *src_key = NULL;
+ struct rt6_exception_bucket *bucket;
+- struct in6_addr *src_key = NULL;
+ struct rt6_exception *rt6_ex;
+ struct rt6_info *res = NULL;
+
+- bucket = rcu_dereference(rt->rt6i_exception_bucket);
+-
+ #ifdef CONFIG_IPV6_SUBTREES
+ /* rt6i_src.plen != 0 indicates rt is in subtree
+ * and exception table is indexed by a hash of
+ * both rt6i_dst and rt6i_src.
+- * Otherwise, the exception table is indexed by
+- * a hash of only rt6i_dst.
++ * However, the src addr used to create the hash
++ * might not be exactly the passed in saddr which
++ * is a /128 addr from the flow.
++ * So we need to use f6i->fib6_src to redo lookup
++ * if the passed in saddr does not find anything.
++ * (See the logic in ip6_rt_cache_alloc() on how
++ * rt->rt6i_src is updated.)
+ */
+ if (rt->fib6_src.plen)
+ src_key = saddr;
++find_ex:
+ #endif
++ bucket = rcu_dereference(rt->rt6i_exception_bucket);
+ rt6_ex = __rt6_find_exception_rcu(&bucket, daddr, src_key);
+
+ if (rt6_ex && !rt6_check_expired(rt6_ex->rt6i))
+ res = rt6_ex->rt6i;
+
++#ifdef CONFIG_IPV6_SUBTREES
++ /* Use fib6_src as src_key and redo lookup */
++ if (!res && src_key && src_key != &rt->fib6_src.addr) {
++ src_key = &rt->fib6_src.addr;
++ goto find_ex;
++ }
++#endif
++
+ return res;
+ }
+
+@@ -2650,10 +2663,8 @@ out:
+ u32 ip6_mtu_from_fib6(struct fib6_info *f6i, struct in6_addr *daddr,
+ struct in6_addr *saddr)
+ {
+- struct rt6_exception_bucket *bucket;
+- struct rt6_exception *rt6_ex;
+- struct in6_addr *src_key;
+ struct inet6_dev *idev;
++ struct rt6_info *rt;
+ u32 mtu = 0;
+
+ if (unlikely(fib6_metric_locked(f6i, RTAX_MTU))) {
+@@ -2662,18 +2673,10 @@ u32 ip6_mtu_from_fib6(struct fib6_info *
+ goto out;
+ }
+
+- src_key = NULL;
+-#ifdef CONFIG_IPV6_SUBTREES
+- if (f6i->fib6_src.plen)
+- src_key = saddr;
+-#endif
+-
+- bucket = rcu_dereference(f6i->rt6i_exception_bucket);
+- rt6_ex = __rt6_find_exception_rcu(&bucket, daddr, src_key);
+- if (rt6_ex && !rt6_check_expired(rt6_ex->rt6i))
+- mtu = dst_metric_raw(&rt6_ex->rt6i->dst, RTAX_MTU);
+-
+- if (likely(!mtu)) {
++ rt = rt6_find_cached_rt(f6i, daddr, saddr);
++ if (unlikely(rt)) {
++ mtu = dst_metric_raw(&rt->dst, RTAX_MTU);
++ } else {
+ struct net_device *dev = fib6_info_nh_dev(f6i);
+
+ mtu = IPV6_MIN_MTU;
--- /dev/null
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 15 May 2019 19:39:52 -0700
+Subject: ipv6: prevent possible fib6 leaks
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 61fb0d01680771f72cc9d39783fb2c122aaad51e ]
+
+At ipv6 route dismantle, fib6_drop_pcpu_from() is responsible
+for finding all percpu routes and set their ->from pointer
+to NULL, so that fib6_ref can reach its expected value (1).
+
+The problem right now is that other cpus can still catch the
+route being deleted, since there is no rcu grace period
+between the route deletion and call to fib6_drop_pcpu_from()
+
+This can leak the fib6 and associated resources, since no
+notifier will take care of removing the last reference(s).
+
+I decided to add another boolean (fib6_destroying) instead
+of reusing/renaming exception_bucket_flushed to ease stable backports,
+and properly document the memory barriers used to implement this fix.
+
+This patch has been co-developped with Wei Wang.
+
+Fixes: 93531c674315 ("net/ipv6: separate handling of FIB entries from dst based routes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Wei Wang <weiwan@google.com>
+Cc: David Ahern <dsahern@gmail.com>
+Cc: Martin Lau <kafai@fb.com>
+Acked-by: Wei Wang <weiwan@google.com>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ip6_fib.h | 3 ++-
+ net/ipv6/ip6_fib.c | 12 +++++++++---
+ net/ipv6/route.c | 7 +++++++
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+
+--- a/include/net/ip6_fib.h
++++ b/include/net/ip6_fib.h
+@@ -171,7 +171,8 @@ struct fib6_info {
+ dst_nocount:1,
+ dst_nopolicy:1,
+ dst_host:1,
+- unused:3;
++ fib6_destroying:1,
++ unused:2;
+
+ struct fib6_nh fib6_nh;
+ struct rcu_head rcu;
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -877,6 +877,12 @@ static void fib6_drop_pcpu_from(struct f
+ {
+ int cpu;
+
++ /* Make sure rt6_make_pcpu_route() wont add other percpu routes
++ * while we are cleaning them here.
++ */
++ f6i->fib6_destroying = 1;
++ mb(); /* paired with the cmpxchg() in rt6_make_pcpu_route() */
++
+ /* release the reference to this fib entry from
+ * all of its cached pcpu routes
+ */
+@@ -900,6 +906,9 @@ static void fib6_purge_rt(struct fib6_in
+ {
+ struct fib6_table *table = rt->fib6_table;
+
++ if (rt->rt6i_pcpu)
++ fib6_drop_pcpu_from(rt, table);
++
+ if (atomic_read(&rt->fib6_ref) != 1) {
+ /* This route is used as dummy address holder in some split
+ * nodes. It is not leaked, but it still holds other resources,
+@@ -921,9 +930,6 @@ static void fib6_purge_rt(struct fib6_in
+ fn = rcu_dereference_protected(fn->parent,
+ lockdep_is_held(&table->tb6_lock));
+ }
+-
+- if (rt->rt6i_pcpu)
+- fib6_drop_pcpu_from(rt, table);
+ }
+ }
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1268,6 +1268,13 @@ static struct rt6_info *rt6_make_pcpu_ro
+ prev = cmpxchg(p, NULL, pcpu_rt);
+ BUG_ON(prev);
+
++ if (rt->fib6_destroying) {
++ struct fib6_info *from;
++
++ from = xchg((__force struct fib6_info **)&pcpu_rt->from, NULL);
++ fib6_info_release(from);
++ }
++
+ return pcpu_rt;
+ }
+
--- /dev/null
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 13 May 2019 14:06:24 -0700
+Subject: net: Always descend into dsa/
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 0fe9f173d6cda95874edeb413b1fa9907b5ae830 ]
+
+Jiri reported that with a kernel built with CONFIG_FIXED_PHY=y,
+CONFIG_NET_DSA=m and CONFIG_NET_DSA_LOOP=m, we would not get to a
+functional state where the mock-up driver is registered. Turns out that
+we are not descending into drivers/net/dsa/ unconditionally, and we
+won't be able to link-in dsa_loop_bdinfo.o which does the actual mock-up
+mdio device registration.
+
+Reported-by: Jiri Pirko <jiri@resnulli.us>
+Fixes: 40013ff20b1b ("net: dsa: Fix functional dsa-loop dependency on FIXED_PHY")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
+Tested-by: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/Makefile
++++ b/drivers/net/Makefile
+@@ -40,7 +40,7 @@ obj-$(CONFIG_ARCNET) += arcnet/
+ obj-$(CONFIG_DEV_APPLETALK) += appletalk/
+ obj-$(CONFIG_CAIF) += caif/
+ obj-$(CONFIG_CAN) += can/
+-obj-$(CONFIG_NET_DSA) += dsa/
++obj-y += dsa/
+ obj-$(CONFIG_ETHERNET) += ethernet/
+ obj-$(CONFIG_FDDI) += fddi/
+ obj-$(CONFIG_HIPPI) += hippi/
--- /dev/null
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 16 May 2019 08:09:57 -0700
+Subject: net: avoid weird emergency message
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d7c04b05c9ca14c55309eb139430283a45c4c25f ]
+
+When host is under high stress, it is very possible thread
+running netdev_wait_allrefs() returns from msleep(250)
+10 seconds late.
+
+This leads to these messages in the syslog :
+
+[...] unregister_netdevice: waiting for syz_tun to become free. Usage count = 0
+
+If the device refcount is zero, the wait is over.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -8716,7 +8716,7 @@ static void netdev_wait_allrefs(struct n
+
+ refcnt = netdev_refcnt_read(dev);
+
+- if (time_after(jiffies, warning_time + 10 * HZ)) {
++ if (refcnt && time_after(jiffies, warning_time + 10 * HZ)) {
+ pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
+ dev->name, refcnt);
+ warning_time = jiffies;
--- /dev/null
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Yunjian Wang <wangyunjian@huawei.com>
+Date: Tue, 14 May 2019 19:03:19 +0800
+Subject: net/mlx4_core: Change the error print to info print
+
+From: Yunjian Wang <wangyunjian@huawei.com>
+
+[ Upstream commit 00f9fec48157f3734e52130a119846e67a12314b ]
+
+The error print within mlx4_flow_steer_promisc_add() should
+be a info print.
+
+Fixes: 592e49dda812 ('net/mlx4: Implement promiscuous mode with device managed flow-steering')
+Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/mcg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/mcg.c
++++ b/drivers/net/ethernet/mellanox/mlx4/mcg.c
+@@ -1492,7 +1492,7 @@ int mlx4_flow_steer_promisc_add(struct m
+ rule.port = port;
+ rule.qpn = qpn;
+ INIT_LIST_HEAD(&rule.list);
+- mlx4_err(dev, "going promisc on %x\n", port);
++ mlx4_info(dev, "going promisc on %x\n", port);
+
+ return mlx4_flow_attach(dev, &rule, regid_p);
+ }
--- /dev/null
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Saeed Mahameed <saeedm@mellanox.com>
+Date: Tue, 7 May 2019 13:15:20 -0700
+Subject: net/mlx5: Imply MLXFW in mlx5_core
+
+From: Saeed Mahameed <saeedm@mellanox.com>
+
+[ Upstream commit bad861f31bb15a99becef31aab59640eaeb247e2 ]
+
+mlxfw can be compiled as external module while mlx5_core can be
+builtin, in such case mlx5 will act like mlxfw is disabled.
+
+Since mlxfw is just a service library for mlx* drivers,
+imply it in mlx5_core to make it always reachable if it was enabled.
+
+Fixes: 3ffaabecd1a1 ("net/mlx5e: Support the flash device ethtool callback")
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/Kconfig
++++ b/drivers/net/ethernet/mellanox/mlx5/core/Kconfig
+@@ -8,6 +8,7 @@ config MLX5_CORE
+ depends on PCI
+ imply PTP_1588_CLOCK
+ imply VXLAN
++ imply MLXFW
+ default n
+ ---help---
+ Core driver for low level functionality of the ConnectX-4 and
--- /dev/null
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Saeed Mahameed <saeedm@mellanox.com>
+Date: Tue, 7 May 2019 12:59:38 -0700
+Subject: net/mlx5e: Fix ethtool rxfh commands when CONFIG_MLX5_EN_RXNFC is disabled
+
+From: Saeed Mahameed <saeedm@mellanox.com>
+
+[ Upstream commit 8f0916c6dc5cd5e3bc52416fa2a9ff4075080180 ]
+
+ethtool user spaces needs to know ring count via ETHTOOL_GRXRINGS when
+executing (ethtool -x) which is retrieved via ethtool get_rxnfc callback,
+in mlx5 this callback is disabled when CONFIG_MLX5_EN_RXNFC=n.
+
+This patch allows only ETHTOOL_GRXRINGS command on mlx5e_get_rxnfc() when
+CONFIG_MLX5_EN_RXNFC is disabled, so ethtool -x will continue working.
+
+Fixes: fe6d86b3c316 ("net/mlx5e: Add CONFIG_MLX5_EN_RXNFC for ethtool rx nfc")
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -1609,6 +1609,22 @@ static int mlx5e_flash_device(struct net
+ return mlx5e_ethtool_flash_device(priv, flash);
+ }
+
++#ifndef CONFIG_MLX5_EN_RXNFC
++/* When CONFIG_MLX5_EN_RXNFC=n we only support ETHTOOL_GRXRINGS
++ * otherwise this function will be defined from en_fs_ethtool.c
++ */
++static int mlx5e_get_rxnfc(struct net_device *dev, struct ethtool_rxnfc *info, u32 *rule_locs)
++{
++ struct mlx5e_priv *priv = netdev_priv(dev);
++
++ if (info->cmd != ETHTOOL_GRXRINGS)
++ return -EOPNOTSUPP;
++ /* ring_count is needed by ethtool -x */
++ info->data = priv->channels.params.num_channels;
++ return 0;
++}
++#endif
++
+ const struct ethtool_ops mlx5e_ethtool_ops = {
+ .get_drvinfo = mlx5e_get_drvinfo,
+ .get_link = ethtool_op_get_link,
+@@ -1627,8 +1643,8 @@ const struct ethtool_ops mlx5e_ethtool_o
+ .get_rxfh_indir_size = mlx5e_get_rxfh_indir_size,
+ .get_rxfh = mlx5e_get_rxfh,
+ .set_rxfh = mlx5e_set_rxfh,
+-#ifdef CONFIG_MLX5_EN_RXNFC
+ .get_rxnfc = mlx5e_get_rxnfc,
++#ifdef CONFIG_MLX5_EN_RXNFC
+ .set_rxnfc = mlx5e_set_rxnfc,
+ #endif
+ .flash_device = mlx5e_flash_device,
--- /dev/null
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Willem de Bruijn <willemb@google.com>
+Date: Wed, 15 May 2019 13:29:16 -0400
+Subject: net: test nouarg before dereferencing zerocopy pointers
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 185ce5c38ea76f29b6bd9c7c8c7a5e5408834920 ]
+
+Zerocopy skbs without completion notification were added for packet
+sockets with PACKET_TX_RING user buffers. Those signal completion
+through the TP_STATUS_USER bit in the ring. Zerocopy annotation was
+added only to avoid premature notification after clone or orphan, by
+triggering a copy on these paths for these packets.
+
+The mechanism had to define a special "no-uarg" mode because packet
+sockets already use skb_uarg(skb) == skb_shinfo(skb)->destructor_arg
+for a different pointer.
+
+Before deferencing skb_uarg(skb), verify that it is a real pointer.
+
+Fixes: 5cd8d46ea1562 ("packet: copy user buffers before orphan or clone")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/skbuff.h | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -1333,10 +1333,12 @@ static inline void skb_zcopy_clear(struc
+ struct ubuf_info *uarg = skb_zcopy(skb);
+
+ if (uarg) {
+- if (uarg->callback == sock_zerocopy_callback) {
++ if (skb_zcopy_is_nouarg(skb)) {
++ /* no notification callback */
++ } else if (uarg->callback == sock_zerocopy_callback) {
+ uarg->zerocopy = uarg->zerocopy && zerocopy;
+ sock_zerocopy_put(uarg);
+- } else if (!skb_zcopy_is_nouarg(skb)) {
++ } else {
+ uarg->callback(uarg, zerocopy);
+ }
+
+@@ -2587,7 +2589,8 @@ static inline int skb_orphan_frags(struc
+ {
+ if (likely(!skb_zcopy(skb)))
+ return 0;
+- if (skb_uarg(skb)->callback == sock_zerocopy_callback)
++ if (!skb_zcopy_is_nouarg(skb) &&
++ skb_uarg(skb)->callback == sock_zerocopy_callback)
+ return 0;
+ return skb_copy_ubufs(skb, gfp_mask);
+ }
--- /dev/null
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Daniele Palmas <dnlplm@gmail.com>
+Date: Wed, 15 May 2019 17:29:43 +0200
+Subject: net: usb: qmi_wwan: add Telit 0x1260 and 0x1261 compositions
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+[ Upstream commit b4e467c82f8c12af78b6f6fa5730cb7dea7af1b4 ]
+
+Added support for Telit LE910Cx 0x1260 and 0x1261 compositions.
+
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1240,6 +1240,8 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x1bc7, 0x1101, 3)}, /* Telit ME910 dual modem */
+ {QMI_FIXED_INTF(0x1bc7, 0x1200, 5)}, /* Telit LE920 */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1201, 2)}, /* Telit LE920, LE920A4 */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1260, 2)}, /* Telit LE910Cx */
++ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1261, 2)}, /* Telit LE910Cx */
+ {QMI_QUIRK_SET_DTR(0x1bc7, 0x1900, 1)}, /* Telit LN940 series */
+ {QMI_FIXED_INTF(0x1c9e, 0x9801, 3)}, /* Telewell TW-3G HSPA+ */
+ {QMI_FIXED_INTF(0x1c9e, 0x9803, 4)}, /* Telewell TW-3G HSPA+ */
--- /dev/null
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
+Date: Tue, 14 May 2019 14:28:19 -0700
+Subject: nfp: flower: add rcu locks when accessing netdev for tunnels
+
+From: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
+
+[ Upstream commit cb07d915bf278a7a3938b983bbcb4921366b5eff ]
+
+Add rcu locks when accessing netdev when processing route request
+and tunnel keep alive messages received from hardware.
+
+Fixes: 8e6a9046b66a ("nfp: flower vxlan neighbour offload")
+Fixes: 856f5b135758 ("nfp: flower vxlan neighbour keep-alive")
+Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: John Hurley <john.hurley@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c | 17 ++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
+@@ -194,6 +194,7 @@ void nfp_tunnel_keep_alive(struct nfp_ap
+ return;
+ }
+
++ rcu_read_lock();
+ for (i = 0; i < count; i++) {
+ ipv4_addr = payload->tun_info[i].ipv4;
+ port = be32_to_cpu(payload->tun_info[i].egress_port);
+@@ -209,6 +210,7 @@ void nfp_tunnel_keep_alive(struct nfp_ap
+ neigh_event_send(n, NULL);
+ neigh_release(n);
+ }
++ rcu_read_unlock();
+ }
+
+ static bool nfp_tun_is_netdev_to_offload(struct net_device *netdev)
+@@ -404,9 +406,10 @@ void nfp_tunnel_request_route(struct nfp
+
+ payload = nfp_flower_cmsg_get_data(skb);
+
++ rcu_read_lock();
+ netdev = nfp_app_repr_get(app, be32_to_cpu(payload->ingress_port));
+ if (!netdev)
+- goto route_fail_warning;
++ goto fail_rcu_unlock;
+
+ flow.daddr = payload->ipv4_addr;
+ flow.flowi4_proto = IPPROTO_UDP;
+@@ -416,21 +419,23 @@ void nfp_tunnel_request_route(struct nfp
+ rt = ip_route_output_key(dev_net(netdev), &flow);
+ err = PTR_ERR_OR_ZERO(rt);
+ if (err)
+- goto route_fail_warning;
++ goto fail_rcu_unlock;
+ #else
+- goto route_fail_warning;
++ goto fail_rcu_unlock;
+ #endif
+
+ /* Get the neighbour entry for the lookup */
+ n = dst_neigh_lookup(&rt->dst, &flow.daddr);
+ ip_rt_put(rt);
+ if (!n)
+- goto route_fail_warning;
+- nfp_tun_write_neigh(n->dev, app, &flow, n, GFP_KERNEL);
++ goto fail_rcu_unlock;
++ nfp_tun_write_neigh(n->dev, app, &flow, n, GFP_ATOMIC);
+ neigh_release(n);
++ rcu_read_unlock();
+ return;
+
+-route_fail_warning:
++fail_rcu_unlock:
++ rcu_read_unlock();
+ nfp_flower_cmsg_warn(app, "Requested route not found.\n");
+ }
+
--- /dev/null
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 14 May 2019 22:55:32 +0800
+Subject: ppp: deflate: Fix possible crash in deflate_init
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 3ebe1bca58c85325c97a22d4fc3f5b5420752e6f ]
+
+BUG: unable to handle kernel paging request at ffffffffa018f000
+PGD 3270067 P4D 3270067 PUD 3271063 PMD 2307eb067 PTE 0
+Oops: 0000 [#1] PREEMPT SMP
+CPU: 0 PID: 4138 Comm: modprobe Not tainted 5.1.0-rc7+ #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
+RIP: 0010:ppp_register_compressor+0x3e/0xd0 [ppp_generic]
+Code: 98 4a 3f e2 48 8b 15 c1 67 00 00 41 8b 0c 24 48 81 fa 40 f0 19 a0
+75 0e eb 35 48 8b 12 48 81 fa 40 f0 19 a0 74
+RSP: 0018:ffffc90000d93c68 EFLAGS: 00010287
+RAX: ffffffffa018f000 RBX: ffffffffa01a3000 RCX: 000000000000001a
+RDX: ffff888230c750a0 RSI: 0000000000000000 RDI: ffffffffa019f000
+RBP: ffffc90000d93c80 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa0194080
+R13: ffff88822ee1a700 R14: 0000000000000000 R15: ffffc90000d93e78
+FS: 00007f2339557540(0000) GS:ffff888237a00000(0000)
+knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffa018f000 CR3: 000000022bde4000 CR4: 00000000000006f0
+Call Trace:
+ ? 0xffffffffa01a3000
+ deflate_init+0x11/0x1000 [ppp_deflate]
+ ? 0xffffffffa01a3000
+ do_one_initcall+0x6c/0x3cc
+ ? kmem_cache_alloc_trace+0x248/0x3b0
+ do_init_module+0x5b/0x1f1
+ load_module+0x1db1/0x2690
+ ? m_show+0x1d0/0x1d0
+ __do_sys_finit_module+0xc5/0xd0
+ __x64_sys_finit_module+0x15/0x20
+ do_syscall_64+0x6b/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+If ppp_deflate fails to register in deflate_init,
+module initialization failed out, however
+ppp_deflate_draft may has been regiestred and not
+unregistered before return.
+Then the seconed modprobe will trigger crash like this.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/ppp_deflate.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ppp/ppp_deflate.c
++++ b/drivers/net/ppp/ppp_deflate.c
+@@ -610,12 +610,20 @@ static struct compressor ppp_deflate_dra
+
+ static int __init deflate_init(void)
+ {
+- int answer = ppp_register_compressor(&ppp_deflate);
+- if (answer == 0)
+- printk(KERN_INFO
+- "PPP Deflate Compression module registered\n");
+- ppp_register_compressor(&ppp_deflate_draft);
+- return answer;
++ int rc;
++
++ rc = ppp_register_compressor(&ppp_deflate);
++ if (rc)
++ return rc;
++
++ rc = ppp_register_compressor(&ppp_deflate_draft);
++ if (rc) {
++ ppp_unregister_compressor(&ppp_deflate);
++ return rc;
++ }
++
++ pr_info("PPP Deflate Compression module registered\n");
++ return 0;
+ }
+
+ static void __exit deflate_cleanup(void)
--- /dev/null
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Tue, 14 May 2019 15:12:19 +0200
+Subject: rtnetlink: always put IFLA_LINK for links with a link-netnsid
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit feadc4b6cf42a53a8a93c918a569a0b7e62bd350 ]
+
+Currently, nla_put_iflink() doesn't put the IFLA_LINK attribute when
+iflink == ifindex.
+
+In some cases, a device can be created in a different netns with the
+same ifindex as its parent. That device will not dump its IFLA_LINK
+attribute, which can confuse some userspace software that expects it.
+For example, if the last ifindex created in init_net and foo are both
+8, these commands will trigger the issue:
+
+ ip link add parent type dummy # ifindex 9
+ ip link add link parent netns foo type macvlan # ifindex 9 in ns foo
+
+So, in case a device puts the IFLA_LINK_NETNSID attribute in a dump,
+always put the IFLA_LINK attribute as well.
+
+Thanks to Dan Winship for analyzing the original OpenShift bug down to
+the missing netlink attribute.
+
+v2: change Fixes tag, it's been here forever, as Nicolas Dichtel said
+ add Nicolas' ack
+v3: change Fixes tag
+ fix subject typo, spotted by Edward Cree
+
+Analyzed-by: Dan Winship <danw@redhat.com>
+Fixes: d8a5ec672768 ("[NET]: netlink support for moving devices between network namespaces.")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1496,14 +1496,15 @@ static int put_master_ifindex(struct sk_
+ return ret;
+ }
+
+-static int nla_put_iflink(struct sk_buff *skb, const struct net_device *dev)
++static int nla_put_iflink(struct sk_buff *skb, const struct net_device *dev,
++ bool force)
+ {
+ int ifindex = dev_get_iflink(dev);
+
+- if (dev->ifindex == ifindex)
+- return 0;
++ if (force || dev->ifindex != ifindex)
++ return nla_put_u32(skb, IFLA_LINK, ifindex);
+
+- return nla_put_u32(skb, IFLA_LINK, ifindex);
++ return 0;
+ }
+
+ static noinline_for_stack int nla_put_ifalias(struct sk_buff *skb,
+@@ -1520,6 +1521,8 @@ static int rtnl_fill_link_netnsid(struct
+ const struct net_device *dev,
+ struct net *src_net)
+ {
++ bool put_iflink = false;
++
+ if (dev->rtnl_link_ops && dev->rtnl_link_ops->get_link_net) {
+ struct net *link_net = dev->rtnl_link_ops->get_link_net(dev);
+
+@@ -1528,10 +1531,12 @@ static int rtnl_fill_link_netnsid(struct
+
+ if (nla_put_s32(skb, IFLA_LINK_NETNSID, id))
+ return -EMSGSIZE;
++
++ put_iflink = true;
+ }
+ }
+
+- return 0;
++ return nla_put_iflink(skb, dev, put_iflink);
+ }
+
+ static int rtnl_fill_link_af(struct sk_buff *skb,
+@@ -1617,7 +1622,6 @@ static int rtnl_fill_ifinfo(struct sk_bu
+ #ifdef CONFIG_RPS
+ nla_put_u32(skb, IFLA_NUM_RX_QUEUES, dev->num_rx_queues) ||
+ #endif
+- nla_put_iflink(skb, dev) ||
+ put_master_ifindex(skb, dev) ||
+ nla_put_u8(skb, IFLA_CARRIER, netif_carrier_ok(dev)) ||
+ (dev->qdisc &&
--- /dev/null
+ipv6-fix-src-addr-routing-with-the-exception-table.patch
+ipv6-prevent-possible-fib6-leaks.patch
+net-always-descend-into-dsa.patch
+net-avoid-weird-emergency-message.patch
+net-mlx4_core-change-the-error-print-to-info-print.patch
+net-test-nouarg-before-dereferencing-zerocopy-pointers.patch
+net-usb-qmi_wwan-add-telit-0x1260-and-0x1261-compositions.patch
+nfp-flower-add-rcu-locks-when-accessing-netdev-for-tunnels.patch
+ppp-deflate-fix-possible-crash-in-deflate_init.patch
+rtnetlink-always-put-ifla_link-for-links-with-a-link-netnsid.patch
+tipc-switch-order-of-device-registration-to-fix-a-crash.patch
+vsock-virtio-free-packets-during-the-socket-release.patch
+tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch
+vsock-virtio-initialize-core-virtio-vsock-before-registering-the-driver.patch
+net-mlx5-imply-mlxfw-in-mlx5_core.patch
+net-mlx5e-fix-ethtool-rxfh-commands-when-config_mlx5_en_rxnfc-is-disabled.patch
--- /dev/null
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Junwei Hu <hujunwei4@huawei.com>
+Date: Fri, 17 May 2019 19:27:34 +0800
+Subject: tipc: fix modprobe tipc failed after switch order of device registration
+
+From: Junwei Hu <hujunwei4@huawei.com>
+
+[ Upstream commit 532b0f7ece4cb2ffd24dc723ddf55242d1188e5e ]
+
+Error message printed:
+modprobe: ERROR: could not insert 'tipc': Address family not
+supported by protocol.
+when modprobe tipc after the following patch: switch order of
+device registration, commit 7e27e8d6130c
+("tipc: switch order of device registration to fix a crash")
+
+Because sock_create_kern(net, AF_TIPC, ...) is called by
+tipc_topsrv_create_listener() in the initialization process
+of tipc_net_ops, tipc_socket_init() must be execute before that.
+
+I move tipc_socket_init() into function tipc_init_net().
+
+Fixes: 7e27e8d6130c
+("tipc: switch order of device registration to fix a crash")
+Signed-off-by: Junwei Hu <hujunwei4@huawei.com>
+Reported-by: Wang Wang <wangwang2@huawei.com>
+Reviewed-by: Kang Zhou <zhoukang7@huawei.com>
+Reviewed-by: Suanming Mou <mousuanming@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/net/tipc/core.c
++++ b/net/tipc/core.c
+@@ -66,6 +66,10 @@ static int __net_init tipc_init_net(stru
+ INIT_LIST_HEAD(&tn->node_list);
+ spin_lock_init(&tn->node_list_lock);
+
++ err = tipc_socket_init();
++ if (err)
++ goto out_socket;
++
+ err = tipc_sk_rht_init(net);
+ if (err)
+ goto out_sk_rht;
+@@ -92,6 +96,8 @@ out_subscr:
+ out_nametbl:
+ tipc_sk_rht_destroy(net);
+ out_sk_rht:
++ tipc_socket_stop();
++out_socket:
+ return err;
+ }
+
+@@ -102,6 +108,7 @@ static void __net_exit tipc_exit_net(str
+ tipc_bcast_stop(net);
+ tipc_nametbl_stop(net);
+ tipc_sk_rht_destroy(net);
++ tipc_socket_stop();
+ }
+
+ static struct pernet_operations tipc_net_ops = {
+@@ -137,10 +144,6 @@ static int __init tipc_init(void)
+ if (err)
+ goto out_pernet;
+
+- err = tipc_socket_init();
+- if (err)
+- goto out_socket;
+-
+ err = tipc_bearer_setup();
+ if (err)
+ goto out_bearer;
+@@ -148,8 +151,6 @@ static int __init tipc_init(void)
+ pr_info("Started in single node mode\n");
+ return 0;
+ out_bearer:
+- tipc_socket_stop();
+-out_socket:
+ unregister_pernet_subsys(&tipc_net_ops);
+ out_pernet:
+ tipc_unregister_sysctl();
+@@ -165,7 +166,6 @@ out_netlink:
+ static void __exit tipc_exit(void)
+ {
+ tipc_bearer_cleanup();
+- tipc_socket_stop();
+ unregister_pernet_subsys(&tipc_net_ops);
+ tipc_netlink_stop();
+ tipc_netlink_compat_stop();
--- /dev/null
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Junwei Hu <hujunwei4@huawei.com>
+Date: Thu, 16 May 2019 10:51:15 +0800
+Subject: tipc: switch order of device registration to fix a crash
+
+From: Junwei Hu <hujunwei4@huawei.com>
+
+[ Upstream commit 7e27e8d6130c5e88fac9ddec4249f7f2337fe7f8 ]
+
+When tipc is loaded while many processes try to create a TIPC socket,
+a crash occurs:
+ PANIC: Unable to handle kernel paging request at virtual
+ address "dfff20000000021d"
+ pc : tipc_sk_create+0x374/0x1180 [tipc]
+ lr : tipc_sk_create+0x374/0x1180 [tipc]
+ Exception class = DABT (current EL), IL = 32 bits
+ Call trace:
+ tipc_sk_create+0x374/0x1180 [tipc]
+ __sock_create+0x1cc/0x408
+ __sys_socket+0xec/0x1f0
+ __arm64_sys_socket+0x74/0xa8
+ ...
+
+This is due to race between sock_create and unfinished
+register_pernet_device. tipc_sk_insert tries to do
+"net_generic(net, tipc_net_id)".
+but tipc_net_id is not initialized yet.
+
+So switch the order of the two to close the race.
+
+This can be reproduced with multiple processes doing socket(AF_TIPC, ...)
+and one process doing module removal.
+
+Fixes: a62fbccecd62 ("tipc: make subscriber server support net namespace")
+Signed-off-by: Junwei Hu <hujunwei4@huawei.com>
+Reported-by: Wang Wang <wangwang2@huawei.com>
+Reviewed-by: Xiaogang Wang <wangxiaogang3@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/net/tipc/core.c
++++ b/net/tipc/core.c
+@@ -129,10 +129,6 @@ static int __init tipc_init(void)
+ if (err)
+ goto out_netlink_compat;
+
+- err = tipc_socket_init();
+- if (err)
+- goto out_socket;
+-
+ err = tipc_register_sysctl();
+ if (err)
+ goto out_sysctl;
+@@ -141,6 +137,10 @@ static int __init tipc_init(void)
+ if (err)
+ goto out_pernet;
+
++ err = tipc_socket_init();
++ if (err)
++ goto out_socket;
++
+ err = tipc_bearer_setup();
+ if (err)
+ goto out_bearer;
+@@ -148,12 +148,12 @@ static int __init tipc_init(void)
+ pr_info("Started in single node mode\n");
+ return 0;
+ out_bearer:
++ tipc_socket_stop();
++out_socket:
+ unregister_pernet_subsys(&tipc_net_ops);
+ out_pernet:
+ tipc_unregister_sysctl();
+ out_sysctl:
+- tipc_socket_stop();
+-out_socket:
+ tipc_netlink_compat_stop();
+ out_netlink_compat:
+ tipc_netlink_stop();
+@@ -165,10 +165,10 @@ out_netlink:
+ static void __exit tipc_exit(void)
+ {
+ tipc_bearer_cleanup();
++ tipc_socket_stop();
+ unregister_pernet_subsys(&tipc_net_ops);
+ tipc_netlink_stop();
+ tipc_netlink_compat_stop();
+- tipc_socket_stop();
+ tipc_unregister_sysctl();
+
+ pr_info("Deactivated\n");
--- /dev/null
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 17 May 2019 16:45:43 +0200
+Subject: vsock/virtio: free packets during the socket release
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit ac03046ece2b158ebd204dfc4896fd9f39f0e6c8 ]
+
+When the socket is released, we should free all packets
+queued in the per-socket list in order to avoid a memory
+leak.
+
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -786,12 +786,19 @@ static bool virtio_transport_close(struc
+
+ void virtio_transport_release(struct vsock_sock *vsk)
+ {
++ struct virtio_vsock_sock *vvs = vsk->trans;
++ struct virtio_vsock_pkt *pkt, *tmp;
+ struct sock *sk = &vsk->sk;
+ bool remove_sock = true;
+
+ lock_sock(sk);
+ if (sk->sk_type == SOCK_STREAM)
+ remove_sock = virtio_transport_close(vsk);
++
++ list_for_each_entry_safe(pkt, tmp, &vvs->rx_queue, list) {
++ list_del(&pkt->list);
++ virtio_transport_free_pkt(pkt);
++ }
+ release_sock(sk);
+
+ if (remove_sock)
--- /dev/null
+From foo@baz Wed 22 May 2019 08:37:51 AM CEST
+From: "Jorge E. Moreira" <jemoreira@google.com>
+Date: Thu, 16 May 2019 13:51:07 -0700
+Subject: vsock/virtio: Initialize core virtio vsock before registering the driver
+
+From: "Jorge E. Moreira" <jemoreira@google.com>
+
+[ Upstream commit ba95e5dfd36647622d8897a2a0470dde60e59ffd ]
+
+Avoid a race in which static variables in net/vmw_vsock/af_vsock.c are
+accessed (while handling interrupts) before they are initialized.
+
+[ 4.201410] BUG: unable to handle kernel paging request at ffffffffffffffe8
+[ 4.207829] IP: vsock_addr_equals_addr+0x3/0x20
+[ 4.211379] PGD 28210067 P4D 28210067 PUD 28212067 PMD 0
+[ 4.211379] Oops: 0000 [#1] PREEMPT SMP PTI
+[ 4.211379] Modules linked in:
+[ 4.211379] CPU: 1 PID: 30 Comm: kworker/1:1 Not tainted 4.14.106-419297-gd7e28cc1f241 #1
+[ 4.211379] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[ 4.211379] Workqueue: virtio_vsock virtio_transport_rx_work
+[ 4.211379] task: ffffa3273d175280 task.stack: ffffaea1800e8000
+[ 4.211379] RIP: 0010:vsock_addr_equals_addr+0x3/0x20
+[ 4.211379] RSP: 0000:ffffaea1800ebd28 EFLAGS: 00010286
+[ 4.211379] RAX: 0000000000000002 RBX: 0000000000000000 RCX: ffffffffb94e42f0
+[ 4.211379] RDX: 0000000000000400 RSI: ffffffffffffffe0 RDI: ffffaea1800ebdd0
+[ 4.211379] RBP: ffffaea1800ebd58 R08: 0000000000000001 R09: 0000000000000001
+[ 4.211379] R10: 0000000000000000 R11: ffffffffb89d5d60 R12: ffffaea1800ebdd0
+[ 4.211379] R13: 00000000828cbfbf R14: 0000000000000000 R15: ffffaea1800ebdc0
+[ 4.211379] FS: 0000000000000000(0000) GS:ffffa3273fd00000(0000) knlGS:0000000000000000
+[ 4.211379] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 4.211379] CR2: ffffffffffffffe8 CR3: 000000002820e001 CR4: 00000000001606e0
+[ 4.211379] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 4.211379] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 4.211379] Call Trace:
+[ 4.211379] ? vsock_find_connected_socket+0x6c/0xe0
+[ 4.211379] virtio_transport_recv_pkt+0x15f/0x740
+[ 4.211379] ? detach_buf+0x1b5/0x210
+[ 4.211379] virtio_transport_rx_work+0xb7/0x140
+[ 4.211379] process_one_work+0x1ef/0x480
+[ 4.211379] worker_thread+0x312/0x460
+[ 4.211379] kthread+0x132/0x140
+[ 4.211379] ? process_one_work+0x480/0x480
+[ 4.211379] ? kthread_destroy_worker+0xd0/0xd0
+[ 4.211379] ret_from_fork+0x35/0x40
+[ 4.211379] Code: c7 47 08 00 00 00 00 66 c7 07 28 00 c7 47 08 ff ff ff ff c7 47 04 ff ff ff ff c3 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 8b 47 08 <3b> 46 08 75 0a 8b 47 04 3b 46 04 0f 94 c0 c3 31 c0 c3 90 66 2e
+[ 4.211379] RIP: vsock_addr_equals_addr+0x3/0x20 RSP: ffffaea1800ebd28
+[ 4.211379] CR2: ffffffffffffffe8
+[ 4.211379] ---[ end trace f31cc4a2e6df3689 ]---
+[ 4.211379] Kernel panic - not syncing: Fatal exception in interrupt
+[ 4.211379] Kernel Offset: 0x37000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+[ 4.211379] Rebooting in 5 seconds..
+
+Fixes: 22b5c0b63f32 ("vsock/virtio: fix kernel panic after device hot-unplug")
+Cc: Stefan Hajnoczi <stefanha@redhat.com>
+Cc: Stefano Garzarella <sgarzare@redhat.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: kvm@vger.kernel.org
+Cc: virtualization@lists.linux-foundation.org
+Cc: netdev@vger.kernel.org
+Cc: kernel-team@android.com
+Cc: stable@vger.kernel.org [4.9+]
+Signed-off-by: Jorge E. Moreira <jemoreira@google.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -702,28 +702,27 @@ static int __init virtio_vsock_init(void
+ if (!virtio_vsock_workqueue)
+ return -ENOMEM;
+
+- ret = register_virtio_driver(&virtio_vsock_driver);
++ ret = vsock_core_init(&virtio_transport.transport);
+ if (ret)
+ goto out_wq;
+
+- ret = vsock_core_init(&virtio_transport.transport);
++ ret = register_virtio_driver(&virtio_vsock_driver);
+ if (ret)
+- goto out_vdr;
++ goto out_vci;
+
+ return 0;
+
+-out_vdr:
+- unregister_virtio_driver(&virtio_vsock_driver);
++out_vci:
++ vsock_core_exit();
+ out_wq:
+ destroy_workqueue(virtio_vsock_workqueue);
+ return ret;
+-
+ }
+
+ static void __exit virtio_vsock_exit(void)
+ {
+- vsock_core_exit();
+ unregister_virtio_driver(&virtio_vsock_driver);
++ vsock_core_exit();
+ destroy_workqueue(virtio_vsock_workqueue);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
