--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:11 AM CET
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Date: Thu, 20 Feb 2020 17:26:34 -0500
+Subject: bnxt_en: Improve device shutdown method.
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+[ Upstream commit 5567ae4a8d569d996d0d88d0eceb76205e4c7ce5 ]
+
+Especially when bnxt_shutdown() is called during kexec, we need to
+disable MSIX and disable Bus Master to completely quiesce the device.
+Make these 2 calls unconditionally in the shutdown method.
+
+Fixes: c20dc142dd7b ("bnxt_en: Disable bus master during PCI shutdown and driver unload.")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -11908,10 +11908,10 @@ static void bnxt_shutdown(struct pci_dev
+ dev_close(dev);
+
+ bnxt_ulp_shutdown(bp);
++ bnxt_clear_int_mode(bp);
++ pci_disable_device(pdev);
+
+ if (system_state == SYSTEM_POWER_OFF) {
+- bnxt_clear_int_mode(bp);
+- pci_disable_device(pdev);
+ pci_wake_from_d3(pdev, bp->wol);
+ pci_set_power_state(pdev, PCI_D3hot);
+ }
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:11 AM CET
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Date: Thu, 20 Feb 2020 17:26:35 -0500
+Subject: bnxt_en: Issue PCIe FLR in kdump kernel to cleanup pending DMAs.
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+[ Upstream commit 8743db4a9acfd51f805ac0c87bcaae92c42d1061 ]
+
+If crashed kernel does not shutdown the NIC properly, PCIe FLR
+is required in the kdump kernel in order to initialize all the
+functions properly.
+
+Fixes: d629522e1d66 ("bnxt_en: Reduce memory usage when running in kdump kernel.")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -11712,6 +11712,14 @@ static int bnxt_init_one(struct pci_dev
+ if (version_printed++ == 0)
+ pr_info("%s", version);
+
++ /* Clear any pending DMA transactions from crash kernel
++ * while loading driver in capture kernel.
++ */
++ if (is_kdump_kernel()) {
++ pci_clear_master(pdev);
++ pcie_flr(pdev);
++ }
++
+ max_irqs = bnxt_get_max_irq(pdev);
+ dev = alloc_etherdev_mq(sizeof(*bp), max_irqs);
+ if (!dev)
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:11 AM CET
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Sat, 15 Feb 2020 10:50:08 +0000
+Subject: bonding: add missing netdev_update_lockdep_key()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 064ff66e2bef84f1153087612032b5b9eab005bd ]
+
+After bond_release(), netdev_update_lockdep_key() should be called.
+But both ioctl path and attribute path don't call
+netdev_update_lockdep_key().
+This patch adds missing netdev_update_lockdep_key().
+
+Test commands:
+ ip link add bond0 type bond
+ ip link add bond1 type bond
+ ifenslave bond0 bond1
+ ifenslave -d bond0 bond1
+ ifenslave bond1 bond0
+
+Splat looks like:
+[ 29.501182][ T1046] WARNING: possible circular locking dependency detected
+[ 29.501945][ T1039] hardirqs last disabled at (1962): [<ffffffffac6c807f>] handle_mm_fault+0x13f/0x700
+[ 29.503442][ T1046] 5.5.0+ #322 Not tainted
+[ 29.503447][ T1046] ------------------------------------------------------
+[ 29.504277][ T1039] softirqs last enabled at (1180): [<ffffffffade00678>] __do_softirq+0x678/0x981
+[ 29.505443][ T1046] ifenslave/1046 is trying to acquire lock:
+[ 29.505886][ T1039] softirqs last disabled at (1169): [<ffffffffac19c18a>] irq_exit+0x17a/0x1a0
+[ 29.509997][ T1046] ffff88805d5da280 (&dev->addr_list_lock_key#3){+...}, at: dev_mc_sync_multiple+0x95/0x120
+[ 29.511243][ T1046]
+[ 29.511243][ T1046] but task is already holding lock:
+[ 29.512192][ T1046] ffff8880460f2280 (&dev->addr_list_lock_key#4){+...}, at: bond_enslave+0x4482/0x47b0 [bonding]
+[ 29.514124][ T1046]
+[ 29.514124][ T1046] which lock already depends on the new lock.
+[ 29.514124][ T1046]
+[ 29.517297][ T1046]
+[ 29.517297][ T1046] the existing dependency chain (in reverse order) is:
+[ 29.518231][ T1046]
+[ 29.518231][ T1046] -> #1 (&dev->addr_list_lock_key#4){+...}:
+[ 29.519076][ T1046] _raw_spin_lock+0x30/0x70
+[ 29.519588][ T1046] dev_mc_sync_multiple+0x95/0x120
+[ 29.520208][ T1046] bond_enslave+0x448d/0x47b0 [bonding]
+[ 29.520862][ T1046] bond_option_slaves_set+0x1a3/0x370 [bonding]
+[ 29.521640][ T1046] __bond_opt_set+0x1ff/0xbb0 [bonding]
+[ 29.522438][ T1046] __bond_opt_set_notify+0x2b/0xf0 [bonding]
+[ 29.523251][ T1046] bond_opt_tryset_rtnl+0x92/0xf0 [bonding]
+[ 29.524082][ T1046] bonding_sysfs_store_option+0x8a/0xf0 [bonding]
+[ 29.524959][ T1046] kernfs_fop_write+0x276/0x410
+[ 29.525620][ T1046] vfs_write+0x197/0x4a0
+[ 29.526218][ T1046] ksys_write+0x141/0x1d0
+[ 29.526818][ T1046] do_syscall_64+0x99/0x4f0
+[ 29.527430][ T1046] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 29.528265][ T1046]
+[ 29.528265][ T1046] -> #0 (&dev->addr_list_lock_key#3){+...}:
+[ 29.529272][ T1046] __lock_acquire+0x2d8d/0x3de0
+[ 29.529935][ T1046] lock_acquire+0x164/0x3b0
+[ 29.530638][ T1046] _raw_spin_lock+0x30/0x70
+[ 29.531187][ T1046] dev_mc_sync_multiple+0x95/0x120
+[ 29.531790][ T1046] bond_enslave+0x448d/0x47b0 [bonding]
+[ 29.532451][ T1046] bond_option_slaves_set+0x1a3/0x370 [bonding]
+[ 29.533163][ T1046] __bond_opt_set+0x1ff/0xbb0 [bonding]
+[ 29.533789][ T1046] __bond_opt_set_notify+0x2b/0xf0 [bonding]
+[ 29.534595][ T1046] bond_opt_tryset_rtnl+0x92/0xf0 [bonding]
+[ 29.535500][ T1046] bonding_sysfs_store_option+0x8a/0xf0 [bonding]
+[ 29.536379][ T1046] kernfs_fop_write+0x276/0x410
+[ 29.537057][ T1046] vfs_write+0x197/0x4a0
+[ 29.537640][ T1046] ksys_write+0x141/0x1d0
+[ 29.538251][ T1046] do_syscall_64+0x99/0x4f0
+[ 29.538870][ T1046] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 29.539659][ T1046]
+[ 29.539659][ T1046] other info that might help us debug this:
+[ 29.539659][ T1046]
+[ 29.540953][ T1046] Possible unsafe locking scenario:
+[ 29.540953][ T1046]
+[ 29.541883][ T1046] CPU0 CPU1
+[ 29.542540][ T1046] ---- ----
+[ 29.543209][ T1046] lock(&dev->addr_list_lock_key#4);
+[ 29.543880][ T1046] lock(&dev->addr_list_lock_key#3);
+[ 29.544873][ T1046] lock(&dev->addr_list_lock_key#4);
+[ 29.545863][ T1046] lock(&dev->addr_list_lock_key#3);
+[ 29.546525][ T1046]
+[ 29.546525][ T1046] *** DEADLOCK ***
+[ 29.546525][ T1046]
+[ 29.547542][ T1046] 5 locks held by ifenslave/1046:
+[ 29.548196][ T1046] #0: ffff88806044c478 (sb_writers#5){.+.+}, at: vfs_write+0x3bb/0x4a0
+[ 29.549248][ T1046] #1: ffff88805af00890 (&of->mutex){+.+.}, at: kernfs_fop_write+0x1cf/0x410
+[ 29.550343][ T1046] #2: ffff88805b8b54b0 (kn->count#157){.+.+}, at: kernfs_fop_write+0x1f2/0x410
+[ 29.551575][ T1046] #3: ffffffffaecf4cf0 (rtnl_mutex){+.+.}, at: bond_opt_tryset_rtnl+0x5f/0xf0 [bonding]
+[ 29.552819][ T1046] #4: ffff8880460f2280 (&dev->addr_list_lock_key#4){+...}, at: bond_enslave+0x4482/0x47b0 [bonding]
+[ 29.554175][ T1046]
+[ 29.554175][ T1046] stack backtrace:
+[ 29.554907][ T1046] CPU: 0 PID: 1046 Comm: ifenslave Not tainted 5.5.0+ #322
+[ 29.555854][ T1046] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[ 29.557064][ T1046] Call Trace:
+[ 29.557504][ T1046] dump_stack+0x96/0xdb
+[ 29.558054][ T1046] check_noncircular+0x371/0x450
+[ 29.558723][ T1046] ? print_circular_bug.isra.35+0x310/0x310
+[ 29.559486][ T1046] ? hlock_class+0x130/0x130
+[ 29.560100][ T1046] ? __lock_acquire+0x2d8d/0x3de0
+[ 29.560761][ T1046] __lock_acquire+0x2d8d/0x3de0
+[ 29.561366][ T1046] ? register_lock_class+0x14d0/0x14d0
+[ 29.562045][ T1046] ? find_held_lock+0x39/0x1d0
+[ 29.562641][ T1046] lock_acquire+0x164/0x3b0
+[ 29.563199][ T1046] ? dev_mc_sync_multiple+0x95/0x120
+[ 29.563872][ T1046] _raw_spin_lock+0x30/0x70
+[ 29.564464][ T1046] ? dev_mc_sync_multiple+0x95/0x120
+[ 29.565146][ T1046] dev_mc_sync_multiple+0x95/0x120
+[ 29.565793][ T1046] bond_enslave+0x448d/0x47b0 [bonding]
+[ 29.566487][ T1046] ? bond_update_slave_arr+0x940/0x940 [bonding]
+[ 29.567279][ T1046] ? bstr_printf+0xc20/0xc20
+[ 29.567857][ T1046] ? stack_trace_consume_entry+0x160/0x160
+[ 29.568614][ T1046] ? deactivate_slab.isra.77+0x2c5/0x800
+[ 29.569320][ T1046] ? check_chain_key+0x236/0x5d0
+[ 29.569939][ T1046] ? sscanf+0x93/0xc0
+[ 29.570442][ T1046] ? vsscanf+0x1e20/0x1e20
+[ 29.571003][ T1046] bond_option_slaves_set+0x1a3/0x370 [bonding]
+[ ... ]
+
+Fixes: ab92d68fc22f ("net: core: add generic lockdep keys")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 2 ++
+ drivers/net/bonding/bond_options.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3550,6 +3550,8 @@ static int bond_do_ioctl(struct net_devi
+ case BOND_RELEASE_OLD:
+ case SIOCBONDRELEASE:
+ res = bond_release(bond_dev, slave_dev);
++ if (!res)
++ netdev_update_lockdep_key(slave_dev);
+ break;
+ case BOND_SETHWADDR_OLD:
+ case SIOCBONDSETHWADDR:
+--- a/drivers/net/bonding/bond_options.c
++++ b/drivers/net/bonding/bond_options.c
+@@ -1398,6 +1398,8 @@ static int bond_option_slaves_set(struct
+ case '-':
+ slave_dbg(bond->dev, dev, "Releasing interface\n");
+ ret = bond_release(bond->dev, dev);
++ if (!ret)
++ netdev_update_lockdep_key(dev);
+ break;
+
+ default:
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:11 AM CET
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Sat, 15 Feb 2020 10:50:40 +0000
+Subject: bonding: fix lockdep warning in bond_get_stats()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit b3e80d44f5b1b470dd9e2dbc6816e63a5c519709 ]
+
+In the "struct bonding", there is stats_lock.
+This lock protects "bond_stats" in the "struct bonding".
+bond_stats is updated in the bond_get_stats() and this function would be
+executed concurrently. So, the lock is needed.
+
+Bonding interfaces would be nested.
+So, either stats_lock should use dynamic lockdep class key or stats_lock
+should be used by spin_lock_nested(). In the current code, stats_lock is
+using a dynamic lockdep class key.
+But there is no updating stats_lock_key routine So, lockdep warning
+will occur.
+
+Test commands:
+ ip link add bond0 type bond
+ ip link add bond1 type bond
+ ip link set bond0 master bond1
+ ip link set bond0 nomaster
+ ip link set bond1 master bond0
+
+Splat looks like:
+[ 38.420603][ T957] 5.5.0+ #394 Not tainted
+[ 38.421074][ T957] ------------------------------------------------------
+[ 38.421837][ T957] ip/957 is trying to acquire lock:
+[ 38.422399][ T957] ffff888063262cd8 (&bond->stats_lock_key#2){+.+.}, at: bond_get_stats+0x90/0x4d0 [bonding]
+[ 38.423528][ T957]
+[ 38.423528][ T957] but task is already holding lock:
+[ 38.424526][ T957] ffff888065fd2cd8 (&bond->stats_lock_key){+.+.}, at: bond_get_stats+0x90/0x4d0 [bonding]
+[ 38.426075][ T957]
+[ 38.426075][ T957] which lock already depends on the new lock.
+[ 38.426075][ T957]
+[ 38.428536][ T957]
+[ 38.428536][ T957] the existing dependency chain (in reverse order) is:
+[ 38.429475][ T957]
+[ 38.429475][ T957] -> #1 (&bond->stats_lock_key){+.+.}:
+[ 38.430273][ T957] _raw_spin_lock+0x30/0x70
+[ 38.430812][ T957] bond_get_stats+0x90/0x4d0 [bonding]
+[ 38.431451][ T957] dev_get_stats+0x1ec/0x270
+[ 38.432088][ T957] bond_get_stats+0x1a5/0x4d0 [bonding]
+[ 38.432767][ T957] dev_get_stats+0x1ec/0x270
+[ 38.433322][ T957] rtnl_fill_stats+0x44/0xbe0
+[ 38.433866][ T957] rtnl_fill_ifinfo+0xeb2/0x3720
+[ 38.434474][ T957] rtmsg_ifinfo_build_skb+0xca/0x170
+[ 38.435081][ T957] rtmsg_ifinfo_event.part.33+0x1b/0xb0
+[ 38.436848][ T957] rtnetlink_event+0xcd/0x120
+[ 38.437455][ T957] notifier_call_chain+0x90/0x160
+[ 38.438067][ T957] netdev_change_features+0x74/0xa0
+[ 38.438708][ T957] bond_compute_features.isra.45+0x4e6/0x6f0 [bonding]
+[ 38.439522][ T957] bond_enslave+0x3639/0x47b0 [bonding]
+[ 38.440225][ T957] do_setlink+0xaab/0x2ef0
+[ 38.440786][ T957] __rtnl_newlink+0x9c5/0x1270
+[ 38.441463][ T957] rtnl_newlink+0x65/0x90
+[ 38.442075][ T957] rtnetlink_rcv_msg+0x4a8/0x890
+[ 38.442774][ T957] netlink_rcv_skb+0x121/0x350
+[ 38.443451][ T957] netlink_unicast+0x42e/0x610
+[ 38.444282][ T957] netlink_sendmsg+0x65a/0xb90
+[ 38.444992][ T957] ____sys_sendmsg+0x5ce/0x7a0
+[ 38.445679][ T957] ___sys_sendmsg+0x10f/0x1b0
+[ 38.446365][ T957] __sys_sendmsg+0xc6/0x150
+[ 38.447007][ T957] do_syscall_64+0x99/0x4f0
+[ 38.447668][ T957] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 38.448538][ T957]
+[ 38.448538][ T957] -> #0 (&bond->stats_lock_key#2){+.+.}:
+[ 38.449554][ T957] __lock_acquire+0x2d8d/0x3de0
+[ 38.450148][ T957] lock_acquire+0x164/0x3b0
+[ 38.450711][ T957] _raw_spin_lock+0x30/0x70
+[ 38.451292][ T957] bond_get_stats+0x90/0x4d0 [bonding]
+[ 38.451950][ T957] dev_get_stats+0x1ec/0x270
+[ 38.452425][ T957] bond_get_stats+0x1a5/0x4d0 [bonding]
+[ 38.453362][ T957] dev_get_stats+0x1ec/0x270
+[ 38.453825][ T957] rtnl_fill_stats+0x44/0xbe0
+[ 38.454390][ T957] rtnl_fill_ifinfo+0xeb2/0x3720
+[ 38.456257][ T957] rtmsg_ifinfo_build_skb+0xca/0x170
+[ 38.456998][ T957] rtmsg_ifinfo_event.part.33+0x1b/0xb0
+[ 38.459351][ T957] rtnetlink_event+0xcd/0x120
+[ 38.460086][ T957] notifier_call_chain+0x90/0x160
+[ 38.460829][ T957] netdev_change_features+0x74/0xa0
+[ 38.461752][ T957] bond_compute_features.isra.45+0x4e6/0x6f0 [bonding]
+[ 38.462705][ T957] bond_enslave+0x3639/0x47b0 [bonding]
+[ 38.463476][ T957] do_setlink+0xaab/0x2ef0
+[ 38.464141][ T957] __rtnl_newlink+0x9c5/0x1270
+[ 38.464897][ T957] rtnl_newlink+0x65/0x90
+[ 38.465522][ T957] rtnetlink_rcv_msg+0x4a8/0x890
+[ 38.466215][ T957] netlink_rcv_skb+0x121/0x350
+[ 38.466895][ T957] netlink_unicast+0x42e/0x610
+[ 38.467583][ T957] netlink_sendmsg+0x65a/0xb90
+[ 38.468285][ T957] ____sys_sendmsg+0x5ce/0x7a0
+[ 38.469202][ T957] ___sys_sendmsg+0x10f/0x1b0
+[ 38.469884][ T957] __sys_sendmsg+0xc6/0x150
+[ 38.470587][ T957] do_syscall_64+0x99/0x4f0
+[ 38.471245][ T957] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+[ 38.472093][ T957]
+[ 38.472093][ T957] other info that might help us debug this:
+[ 38.472093][ T957]
+[ 38.473438][ T957] Possible unsafe locking scenario:
+[ 38.473438][ T957]
+[ 38.474898][ T957] CPU0 CPU1
+[ 38.476234][ T957] ---- ----
+[ 38.480171][ T957] lock(&bond->stats_lock_key);
+[ 38.480808][ T957] lock(&bond->stats_lock_key#2);
+[ 38.481791][ T957] lock(&bond->stats_lock_key);
+[ 38.482754][ T957] lock(&bond->stats_lock_key#2);
+[ 38.483416][ T957]
+[ 38.483416][ T957] *** DEADLOCK ***
+[ 38.483416][ T957]
+[ 38.484505][ T957] 3 locks held by ip/957:
+[ 38.485048][ T957] #0: ffffffffbccf6230 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x457/0x890
+[ 38.486198][ T957] #1: ffff888065fd2cd8 (&bond->stats_lock_key){+.+.}, at: bond_get_stats+0x90/0x4d0 [bonding]
+[ 38.487625][ T957] #2: ffffffffbc9254c0 (rcu_read_lock){....}, at: bond_get_stats+0x5/0x4d0 [bonding]
+[ 38.488897][ T957]
+[ 38.488897][ T957] stack backtrace:
+[ 38.489646][ T957] CPU: 1 PID: 957 Comm: ip Not tainted 5.5.0+ #394
+[ 38.490497][ T957] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[ 38.492810][ T957] Call Trace:
+[ 38.493219][ T957] dump_stack+0x96/0xdb
+[ 38.493709][ T957] check_noncircular+0x371/0x450
+[ 38.494344][ T957] ? lookup_address+0x60/0x60
+[ 38.494923][ T957] ? print_circular_bug.isra.35+0x310/0x310
+[ 38.495699][ T957] ? hlock_class+0x130/0x130
+[ 38.496334][ T957] ? __lock_acquire+0x2d8d/0x3de0
+[ 38.496979][ T957] __lock_acquire+0x2d8d/0x3de0
+[ 38.497607][ T957] ? register_lock_class+0x14d0/0x14d0
+[ 38.498333][ T957] ? check_chain_key+0x236/0x5d0
+[ 38.499003][ T957] lock_acquire+0x164/0x3b0
+[ 38.499800][ T957] ? bond_get_stats+0x90/0x4d0 [bonding]
+[ 38.500706][ T957] _raw_spin_lock+0x30/0x70
+[ 38.501435][ T957] ? bond_get_stats+0x90/0x4d0 [bonding]
+[ 38.502311][ T957] bond_get_stats+0x90/0x4d0 [bonding]
+[ ... ]
+
+But, there is another problem.
+The dynamic lockdep class key is protected by RTNL, but bond_get_stats()
+would be called outside of RTNL.
+So, it would use an invalid dynamic lockdep class key.
+
+In order to fix this issue, stats_lock uses spin_lock_nested() instead of
+a dynamic lockdep key.
+The bond_get_stats() calls bond_get_lowest_level_rcu() to get the correct
+nest level value, which will be used by spin_lock_nested().
+The "dev->lower_level" indicates lower nest level value, but this value
+is invalid outside of RTNL.
+So, bond_get_lowest_level_rcu() returns valid lower nest level value in
+the RCU critical section.
+bond_get_lowest_level_rcu() will be work only when LOCKDEP is enabled.
+
+Fixes: 089bca2caed0 ("bonding: use dynamic lockdep key instead of subclass")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 53 +++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 50 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3436,6 +3436,47 @@ static void bond_fold_stats(struct rtnl_
+ }
+ }
+
++#ifdef CONFIG_LOCKDEP
++static int bond_get_lowest_level_rcu(struct net_device *dev)
++{
++ struct net_device *ldev, *next, *now, *dev_stack[MAX_NEST_DEV + 1];
++ struct list_head *niter, *iter, *iter_stack[MAX_NEST_DEV + 1];
++ int cur = 0, max = 0;
++
++ now = dev;
++ iter = &dev->adj_list.lower;
++
++ while (1) {
++ next = NULL;
++ while (1) {
++ ldev = netdev_next_lower_dev_rcu(now, &iter);
++ if (!ldev)
++ break;
++
++ next = ldev;
++ niter = &ldev->adj_list.lower;
++ dev_stack[cur] = now;
++ iter_stack[cur++] = iter;
++ if (max <= cur)
++ max = cur;
++ break;
++ }
++
++ if (!next) {
++ if (!cur)
++ return max;
++ next = dev_stack[--cur];
++ niter = iter_stack[cur];
++ }
++
++ now = next;
++ iter = niter;
++ }
++
++ return max;
++}
++#endif
++
+ static void bond_get_stats(struct net_device *bond_dev,
+ struct rtnl_link_stats64 *stats)
+ {
+@@ -3443,11 +3484,17 @@ static void bond_get_stats(struct net_de
+ struct rtnl_link_stats64 temp;
+ struct list_head *iter;
+ struct slave *slave;
++ int nest_level = 0;
+
+- spin_lock(&bond->stats_lock);
+- memcpy(stats, &bond->bond_stats, sizeof(*stats));
+
+ rcu_read_lock();
++#ifdef CONFIG_LOCKDEP
++ nest_level = bond_get_lowest_level_rcu(bond_dev);
++#endif
++
++ spin_lock_nested(&bond->stats_lock, nest_level);
++ memcpy(stats, &bond->bond_stats, sizeof(*stats));
++
+ bond_for_each_slave_rcu(bond, slave, iter) {
+ const struct rtnl_link_stats64 *new =
+ dev_get_stats(slave->dev, &temp);
+@@ -3457,10 +3504,10 @@ static void bond_get_stats(struct net_de
+ /* save off the slave stats for the next run */
+ memcpy(&slave->slave_stats, new, sizeof(*new));
+ }
+- rcu_read_unlock();
+
+ memcpy(&bond->bond_stats, stats, sizeof(*stats));
+ spin_unlock(&bond->stats_lock);
++ rcu_read_unlock();
+ }
+
+ static int bond_do_ioctl(struct net_device *bond_dev, struct ifreq *ifr, int cmd)
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:11 AM CET
+From: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+Date: Wed, 12 Feb 2020 10:41:07 +0900
+Subject: ipv6: Fix nlmsg_flags when splitting a multipath route
+
+From: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+
+[ Upstream commit afecdb376bd81d7e16578f0cfe82a1aec7ae18f3 ]
+
+When splitting an RTA_MULTIPATH request into multiple routes and adding the
+second and later components, we must not simply remove NLM_F_REPLACE but
+instead replace it by NLM_F_CREATE. Otherwise, it may look like the netlink
+message was malformed.
+
+For example,
+ ip route add 2001:db8::1/128 dev dummy0
+ ip route change 2001:db8::1/128 nexthop via fe80::30:1 dev dummy0 \
+ nexthop via fe80::30:2 dev dummy0
+results in the following warnings:
+[ 1035.057019] IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
+[ 1035.057517] IPv6: NLM_F_CREATE should be set when creating new route
+
+This patch makes the nlmsg sequence look equivalent for __ip6_ins_rt() to
+what it would get if the multipath route had been added in multiple netlink
+operations:
+ ip route add 2001:db8::1/128 dev dummy0
+ ip route change 2001:db8::1/128 nexthop via fe80::30:1 dev dummy0
+ ip route append 2001:db8::1/128 nexthop via fe80::30:2 dev dummy0
+
+Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
+Signed-off-by: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -5155,6 +5155,7 @@ static int ip6_route_multipath_add(struc
+ */
+ cfg->fc_nlinfo.nlh->nlmsg_flags &= ~(NLM_F_EXCL |
+ NLM_F_REPLACE);
++ cfg->fc_nlinfo.nlh->nlmsg_flags |= NLM_F_CREATE;
+ nhn++;
+ }
+
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:11 AM CET
+From: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+Date: Wed, 12 Feb 2020 10:41:06 +0900
+Subject: ipv6: Fix route replacement with dev-only route
+
+From: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+
+[ Upstream commit e404b8c7cfb31654c9024d497cec58a501501692 ]
+
+After commit 27596472473a ("ipv6: fix ECMP route replacement") it is no
+longer possible to replace an ECMP-able route by a non ECMP-able route.
+For example,
+ ip route add 2001:db8::1/128 via fe80::1 dev dummy0
+ ip route replace 2001:db8::1/128 dev dummy0
+does not work as expected.
+
+Tweak the replacement logic so that point 3 in the log of the above commit
+becomes:
+3. If the new route is not ECMP-able, and no matching non-ECMP-able route
+exists, replace matching ECMP-able route (if any) or add the new route.
+
+We can now summarize the entire replace semantics to:
+When doing a replace, prefer replacing a matching route of the same
+"ECMP-able-ness" as the replace argument. If there is no such candidate,
+fallback to the first route found.
+
+Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
+Signed-off-by: Benjamin Poirier <bpoirier@cumulusnetworks.com>
+Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_fib.c | 7 ++++---
+ tools/testing/selftests/net/fib_tests.sh | 6 ++++++
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -1050,8 +1050,7 @@ static int fib6_add_rt2node(struct fib6_
+ found++;
+ break;
+ }
+- if (rt_can_ecmp)
+- fallback_ins = fallback_ins ?: ins;
++ fallback_ins = fallback_ins ?: ins;
+ goto next_iter;
+ }
+
+@@ -1094,7 +1093,9 @@ next_iter:
+ }
+
+ if (fallback_ins && !found) {
+- /* No ECMP-able route found, replace first non-ECMP one */
++ /* No matching route with same ecmp-able-ness found, replace
++ * first matching route
++ */
+ ins = fallback_ins;
+ iter = rcu_dereference_protected(*ins,
+ lockdep_is_held(&rt->fib6_table->tb6_lock));
+--- a/tools/testing/selftests/net/fib_tests.sh
++++ b/tools/testing/selftests/net/fib_tests.sh
+@@ -910,6 +910,12 @@ ipv6_rt_replace_mpath()
+ check_route6 "2001:db8:104::/64 via 2001:db8:101::3 dev veth1 metric 1024"
+ log_test $? 0 "Multipath with single path via multipath attribute"
+
++ # multipath with dev-only
++ add_initial_route6 "nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2"
++ run_cmd "$IP -6 ro replace 2001:db8:104::/64 dev veth1"
++ check_route6 "2001:db8:104::/64 dev veth1 metric 1024"
++ log_test $? 0 "Multipath with dev-only"
++
+ # route replace fails - invalid nexthop 1
+ add_initial_route6 "nexthop via 2001:db8:101::2 nexthop via 2001:db8:103::2"
+ run_cmd "$IP -6 ro replace 2001:db8:104::/64 nexthop via 2001:db8:111::3 nexthop via 2001:db8:103::3"
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:10 AM CET
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Fri, 14 Feb 2020 15:26:19 -0800
+Subject: net: dsa: b53: Ensure the default VID is untagged
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit d965a5432d4c3e6b9c3d2bc1d4a800013bbf76f6 ]
+
+We need to ensure that the default VID is untagged otherwise the switch
+will be sending tagged frames and the results can be problematic. This
+is especially true with b53 switches that use VID 0 as their default
+VLAN since VID 0 has a special meaning.
+
+Fixes: fea83353177a ("net: dsa: b53: Fix default VLAN ID")
+Fixes: 061f6a505ac3 ("net: dsa: Add ndo_vlan_rx_{add, kill}_vid implementation")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1353,6 +1353,9 @@ void b53_vlan_add(struct dsa_switch *ds,
+
+ b53_get_vlan_entry(dev, vid, vl);
+
++ if (vid == 0 && vid == b53_default_pvid(dev))
++ untagged = true;
++
+ vl->members |= BIT(port);
+ if (untagged && !dsa_is_cpu_port(ds, port))
+ vl->untag |= BIT(port);
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:11 AM CET
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Sat, 15 Feb 2020 10:50:21 +0000
+Subject: net: export netdev_next_lower_dev_rcu()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 7151affeef8d527f50b4b68a871fd28bd660023f ]
+
+netdev_next_lower_dev_rcu() will be used to implement a function,
+which is to walk all lower interfaces.
+There are already functions that they walk their lower interface.
+(netdev_walk_all_lower_dev_rcu, netdev_walk_all_lower_dev()).
+But, there would be cases that couldn't be covered by given
+netdev_walk_all_lower_dev_{rcu}() function.
+So, some modules would want to implement own function,
+which is to walk all lower interfaces.
+
+In the next patch, netdev_next_lower_dev_rcu() will be used.
+In addition, this patch removes two unused prototypes in netdevice.h.
+
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/netdevice.h | 7 +++----
+ net/core/dev.c | 6 +++---
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -72,6 +72,8 @@ void netdev_set_default_ethtool_ops(stru
+ #define NET_RX_SUCCESS 0 /* keep 'em coming, baby */
+ #define NET_RX_DROP 1 /* packet dropped */
+
++#define MAX_NEST_DEV 8
++
+ /*
+ * Transmit return codes: transmit return codes originate from three different
+ * namespaces:
+@@ -4294,11 +4296,8 @@ void *netdev_lower_get_next(struct net_d
+ ldev; \
+ ldev = netdev_lower_get_next(dev, &(iter)))
+
+-struct net_device *netdev_all_lower_get_next(struct net_device *dev,
++struct net_device *netdev_next_lower_dev_rcu(struct net_device *dev,
+ struct list_head **iter);
+-struct net_device *netdev_all_lower_get_next_rcu(struct net_device *dev,
+- struct list_head **iter);
+-
+ int netdev_walk_all_lower_dev(struct net_device *dev,
+ int (*fn)(struct net_device *lower_dev,
+ void *data),
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -146,7 +146,6 @@
+ #include "net-sysfs.h"
+
+ #define MAX_GRO_SKBS 8
+-#define MAX_NEST_DEV 8
+
+ /* This should be increased if a protocol with a bigger head is added. */
+ #define GRO_MAX_HEAD (MAX_HEADER + 128)
+@@ -6914,8 +6913,8 @@ static int __netdev_walk_all_lower_dev(s
+ return 0;
+ }
+
+-static struct net_device *netdev_next_lower_dev_rcu(struct net_device *dev,
+- struct list_head **iter)
++struct net_device *netdev_next_lower_dev_rcu(struct net_device *dev,
++ struct list_head **iter)
+ {
+ struct netdev_adjacent *lower;
+
+@@ -6927,6 +6926,7 @@ static struct net_device *netdev_next_lo
+
+ return lower->dev;
+ }
++EXPORT_SYMBOL(netdev_next_lower_dev_rcu);
+
+ static u8 __netdev_upper_depth(struct net_device *dev)
+ {
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:10 AM CET
+From: Jethro Beekman <jethro@fortanix.com>
+Date: Wed, 12 Feb 2020 16:43:41 +0100
+Subject: net: fib_rules: Correctly set table field when table number exceeds 8 bits
+
+From: Jethro Beekman <jethro@fortanix.com>
+
+[ Upstream commit 540e585a79e9d643ede077b73bcc7aa2d7b4d919 ]
+
+In 709772e6e06564ed94ba740de70185ac3d792773, RT_TABLE_COMPAT was added to
+allow legacy software to deal with routing table numbers >= 256, but the
+same change to FIB rule queries was overlooked.
+
+Signed-off-by: Jethro Beekman <jethro@fortanix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/fib_rules.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/fib_rules.c
++++ b/net/core/fib_rules.c
+@@ -967,7 +967,7 @@ static int fib_nl_fill_rule(struct sk_bu
+
+ frh = nlmsg_data(nlh);
+ frh->family = ops->family;
+- frh->table = rule->table;
++ frh->table = rule->table < 256 ? rule->table : RT_TABLE_COMPAT;
+ if (nla_put_u32(skb, FRA_TABLE, rule->table))
+ goto nla_put_failure;
+ if (nla_put_u32(skb, FRA_SUPPRESS_PREFIXLEN, rule->suppress_prefixlen))
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:10 AM CET
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Date: Wed, 12 Feb 2020 17:45:38 +0100
+Subject: net: macb: ensure interface is not suspended on at91rm9200
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit e6a41c23df0d5da01540d2abef41591589c0b4be ]
+
+Because of autosuspend, at91ether_start is called with clocks disabled.
+Ensure that pm_runtime doesn't suspend the interface as soon as it is
+opened as there is no pm_runtime support is the other relevant parts of the
+platform support for at91rm9200.
+
+Fixes: d54f89af6cc4 ("net: macb: Add pm runtime support")
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -3690,6 +3690,10 @@ static int at91ether_open(struct net_dev
+ u32 ctl;
+ int ret;
+
++ ret = pm_runtime_get_sync(&lp->pdev->dev);
++ if (ret < 0)
++ return ret;
++
+ /* Clear internal statistics */
+ ctl = macb_readl(lp, NCR);
+ macb_writel(lp, NCR, ctl | MACB_BIT(CLRSTAT));
+@@ -3750,7 +3754,7 @@ static int at91ether_close(struct net_de
+ q->rx_buffers, q->rx_buffers_dma);
+ q->rx_buffers = NULL;
+
+- return 0;
++ return pm_runtime_put(&lp->pdev->dev);
+ }
+
+ /* Transmit packet */
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:10 AM CET
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+Date: Mon, 17 Feb 2020 09:31:33 +0100
+Subject: net: mscc: fix in frame extraction
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit a81541041ceb55bcec9a8bb8ad3482263f0a205a ]
+
+Each extracted frame on Ocelot has an IFH. The frame and IFH are extracted
+by reading chuncks of 4 bytes from a register.
+
+In case the IFH and frames were read corretly it would try to read the next
+frame. In case there are no more frames in the queue, it checks if there
+were any previous errors and in that case clear the queue. But this check
+will always succeed also when there are no errors. Because when extracting
+the IFH the error is checked against 4(number of bytes read) and then the
+error is set only if the extraction of the frame failed. So in a happy case
+where there are no errors the err variable is still 4. So it could be
+a case where after the check that there are no more frames in the queue, a
+frame will arrive in the queue but because the error is not reseted, it
+would try to flush the queue. So the frame will be lost.
+
+The fix consist in resetting the error after reading the IFH.
+
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mscc/ocelot_board.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/ethernet/mscc/ocelot_board.c
++++ b/drivers/net/ethernet/mscc/ocelot_board.c
+@@ -112,6 +112,14 @@ static irqreturn_t ocelot_xtr_irq_handle
+ if (err != 4)
+ break;
+
++ /* At this point the IFH was read correctly, so it is safe to
++ * presume that there is no error. The err needs to be reset
++ * otherwise a frame could come in CPU queue between the while
++ * condition and the check for error later on. And in that case
++ * the new frame is just removed and not processed.
++ */
++ err = 0;
++
+ ocelot_parse_ifh(ifh, &info);
+
+ dev = ocelot->ports[info.port]->dev;
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:10 AM CET
+From: Arun Parameswaran <arun.parameswaran@broadcom.com>
+Date: Fri, 14 Feb 2020 13:47:46 -0800
+Subject: net: phy: restore mdio regs in the iproc mdio driver
+
+From: Arun Parameswaran <arun.parameswaran@broadcom.com>
+
+The mii management register in iproc mdio block
+does not have a retention register so it is lost on suspend.
+Save and restore value of register while resuming from suspend.
+
+Fixes: bb1a619735b4 ("net: phy: Initialize mdio clock at probe function")
+Signed-off-by: Arun Parameswaran <arun.parameswaran@broadcom.com>
+Signed-off-by: Scott Branden <scott.branden@broadcom.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio-bcm-iproc.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/drivers/net/phy/mdio-bcm-iproc.c
++++ b/drivers/net/phy/mdio-bcm-iproc.c
+@@ -178,6 +178,23 @@ static int iproc_mdio_remove(struct plat
+ return 0;
+ }
+
++#ifdef CONFIG_PM_SLEEP
++int iproc_mdio_resume(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct iproc_mdio_priv *priv = platform_get_drvdata(pdev);
++
++ /* restore the mii clock configuration */
++ iproc_mdio_config_clk(priv->base);
++
++ return 0;
++}
++
++static const struct dev_pm_ops iproc_mdio_pm_ops = {
++ .resume = iproc_mdio_resume
++};
++#endif /* CONFIG_PM_SLEEP */
++
+ static const struct of_device_id iproc_mdio_of_match[] = {
+ { .compatible = "brcm,iproc-mdio", },
+ { /* sentinel */ },
+@@ -188,6 +205,9 @@ static struct platform_driver iproc_mdio
+ .driver = {
+ .name = "iproc-mdio",
+ .of_match_table = iproc_mdio_of_match,
++#ifdef CONFIG_PM_SLEEP
++ .pm = &iproc_mdio_pm_ops,
++#endif
+ },
+ .probe = iproc_mdio_probe,
+ .remove = iproc_mdio_remove,
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:10 AM CET
+From: Jason Baron <jbaron@akamai.com>
+Date: Mon, 17 Feb 2020 15:38:09 -0500
+Subject: net: sched: correct flower port blocking
+
+From: Jason Baron <jbaron@akamai.com>
+
+[ Upstream commit 8a9093c79863b58cc2f9874d7ae788f0d622a596 ]
+
+tc flower rules that are based on src or dst port blocking are sometimes
+ineffective due to uninitialized stack data. __skb_flow_dissect() extracts
+ports from the skb for tc flower to match against. However, the port
+dissection is not done when when the FLOW_DIS_IS_FRAGMENT bit is set in
+key_control->flags. All callers of __skb_flow_dissect(), zero-out the
+key_control field except for fl_classify() as used by the flower
+classifier. Thus, the FLOW_DIS_IS_FRAGMENT may be set on entry to
+__skb_flow_dissect(), since key_control is allocated on the stack
+and may not be initialized.
+
+Since key_basic and key_control are present for all flow keys, let's
+make sure they are initialized.
+
+Fixes: 62230715fd24 ("flow_dissector: do not dissect l4 ports for fragments")
+Co-developed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Jason Baron <jbaron@akamai.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/flow_dissector.h | 9 +++++++++
+ net/sched/cls_flower.c | 1 +
+ 2 files changed, 10 insertions(+)
+
+--- a/include/net/flow_dissector.h
++++ b/include/net/flow_dissector.h
+@@ -5,6 +5,7 @@
+ #include <linux/types.h>
+ #include <linux/in6.h>
+ #include <linux/siphash.h>
++#include <linux/string.h>
+ #include <uapi/linux/if_ether.h>
+
+ /**
+@@ -338,4 +339,12 @@ struct bpf_flow_dissector {
+ void *data_end;
+ };
+
++static inline void
++flow_dissector_init_keys(struct flow_dissector_key_control *key_control,
++ struct flow_dissector_key_basic *key_basic)
++{
++ memset(key_control, 0, sizeof(*key_control));
++ memset(key_basic, 0, sizeof(*key_basic));
++}
++
+ #endif
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -303,6 +303,7 @@ static int fl_classify(struct sk_buff *s
+ struct cls_fl_filter *f;
+
+ list_for_each_entry_rcu(mask, &head->masks, list) {
++ flow_dissector_init_keys(&skb_key.control, &skb_key.basic);
+ fl_clear_masked_range(&skb_key, mask);
+
+ skb_flow_dissect_meta(skb, &mask->dissector, &skb_key);
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:10 AM CET
+From: Rohit Maheshwari <rohitm@chelsio.com>
+Date: Wed, 19 Feb 2020 09:40:22 +0530
+Subject: net/tls: Fix to avoid gettig invalid tls record
+
+From: Rohit Maheshwari <rohitm@chelsio.com>
+
+[ Upstream commit 06f5201c6392f998a49ca9c9173e2930c8eb51d8 ]
+
+Current code doesn't check if tcp sequence number is starting from (/after)
+1st record's start sequnce number. It only checks if seq number is before
+1st record's end sequnce number. This problem will always be a possibility
+in re-transmit case. If a record which belongs to a requested seq number is
+already deleted, tls_get_record will start looking into list and as per the
+check it will look if seq number is before the end seq of 1st record, which
+will always be true and will return 1st record always, it should in fact
+return NULL.
+As part of the fix, start looking each record only if the sequence number
+lies in the list else return NULL.
+There is one more check added, driver look for the start marker record to
+handle tcp packets which are before the tls offload start sequence number,
+hence return 1st record if the record is tls start marker and seq number is
+before the 1st record's starting sequence number.
+
+Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
+Signed-off-by: Rohit Maheshwari <rohitm@chelsio.com>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_device.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -581,7 +581,7 @@ struct tls_record_info *tls_get_record(s
+ u32 seq, u64 *p_record_sn)
+ {
+ u64 record_sn = context->hint_record_sn;
+- struct tls_record_info *info;
++ struct tls_record_info *info, *last;
+
+ info = context->retransmit_hint;
+ if (!info ||
+@@ -593,6 +593,24 @@ struct tls_record_info *tls_get_record(s
+ struct tls_record_info, list);
+ if (!info)
+ return NULL;
++ /* send the start_marker record if seq number is before the
++ * tls offload start marker sequence number. This record is
++ * required to handle TCP packets which are before TLS offload
++ * started.
++ * And if it's not start marker, look if this seq number
++ * belongs to the list.
++ */
++ if (likely(!tls_record_is_start_marker(info))) {
++ /* we have the first record, get the last record to see
++ * if this seq number belongs to the list.
++ */
++ last = list_last_entry(&context->records_list,
++ struct tls_record_info, list);
++
++ if (!between(seq, tls_record_start_seq(info),
++ last->end_seq))
++ return NULL;
++ }
+ record_sn = context->unacked_record_sn;
+ }
+
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:10 AM CET
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Wed, 19 Feb 2020 18:01:22 +0300
+Subject: nfc: pn544: Fix occasional HW initialization failure
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+[ Upstream commit c3331d2fe3fd4d5e321f2467d01f72de7edfb5d0 ]
+
+The PN544 driver checks the "enable" polarity during of driver's probe and
+it's doing that by turning ON and OFF NFC with different polarities until
+enabling succeeds. It takes some time for the hardware to power-down, and
+thus, to deassert the IRQ that is raised by turning ON the hardware.
+Since the delay after last power-down of the polarity-checking process is
+missed in the code, the interrupt may trigger immediately after installing
+the IRQ handler (right after the checking is done), which results in IRQ
+handler trying to touch the disabled HW and ends with marking NFC as
+'DEAD' during of the driver's probe:
+
+ pn544_hci_i2c 1-002a: NFC: nfc_en polarity : active high
+ pn544_hci_i2c 1-002a: NFC: invalid len byte
+ shdlc: llc_shdlc_recv_frame: NULL Frame -> link is dead
+
+This patch fixes the occasional NFC initialization failure on Nexus 7
+device.
+
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/pn544/i2c.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nfc/pn544/i2c.c
++++ b/drivers/nfc/pn544/i2c.c
+@@ -225,6 +225,7 @@ static void pn544_hci_i2c_platform_init(
+
+ out:
+ gpiod_set_value_cansleep(phy->gpiod_en, !phy->en_polarity);
++ usleep_range(10000, 15000);
+ }
+
+ static void pn544_hci_i2c_enable_mode(struct pn544_i2c_phy *phy, int run_mode)
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:10 AM CET
+From: Michal Kalderon <michal.kalderon@marvell.com>
+Date: Mon, 17 Feb 2020 13:37:18 +0200
+Subject: qede: Fix race between rdma destroy workqueue and link change event
+
+From: Michal Kalderon <michal.kalderon@marvell.com>
+
+[ Upstream commit af6565adb02d3129d3fae4d9d5da945abaf4417a ]
+
+If an event is added while the rdma workqueue is being destroyed
+it could lead to several races, list corruption, null pointer
+dereference during queue_work or init_queue.
+This fixes the race between the two flows which can occur during
+shutdown.
+
+A kref object and a completion object are added to the rdma_dev
+structure, these are initialized before the workqueue is created.
+The refcnt is used to indicate work is being added to the
+workqueue and ensures the cleanup flow won't start while we're in
+the middle of adding the event.
+Once the work is added, the refcnt is decreased and the cleanup flow
+is safe to run.
+
+Fixes: cee9fbd8e2e ("qede: Add qedr framework")
+Signed-off-by: Ariel Elior <ariel.elior@marvell.com>
+Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede.h | 2 +
+ drivers/net/ethernet/qlogic/qede/qede_rdma.c | 29 ++++++++++++++++++++++++++-
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qede/qede.h
++++ b/drivers/net/ethernet/qlogic/qede/qede.h
+@@ -163,6 +163,8 @@ struct qede_rdma_dev {
+ struct list_head entry;
+ struct list_head rdma_event_list;
+ struct workqueue_struct *rdma_wq;
++ struct kref refcnt;
++ struct completion event_comp;
+ bool exp_recovery;
+ };
+
+--- a/drivers/net/ethernet/qlogic/qede/qede_rdma.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_rdma.c
+@@ -59,6 +59,9 @@ static void _qede_rdma_dev_add(struct qe
+ static int qede_rdma_create_wq(struct qede_dev *edev)
+ {
+ INIT_LIST_HEAD(&edev->rdma_info.rdma_event_list);
++ kref_init(&edev->rdma_info.refcnt);
++ init_completion(&edev->rdma_info.event_comp);
++
+ edev->rdma_info.rdma_wq = create_singlethread_workqueue("rdma_wq");
+ if (!edev->rdma_info.rdma_wq) {
+ DP_NOTICE(edev, "qedr: Could not create workqueue\n");
+@@ -83,8 +86,23 @@ static void qede_rdma_cleanup_event(stru
+ }
+ }
+
++static void qede_rdma_complete_event(struct kref *ref)
++{
++ struct qede_rdma_dev *rdma_dev =
++ container_of(ref, struct qede_rdma_dev, refcnt);
++
++ /* no more events will be added after this */
++ complete(&rdma_dev->event_comp);
++}
++
+ static void qede_rdma_destroy_wq(struct qede_dev *edev)
+ {
++ /* Avoid race with add_event flow, make sure it finishes before
++ * we start accessing the list and cleaning up the work
++ */
++ kref_put(&edev->rdma_info.refcnt, qede_rdma_complete_event);
++ wait_for_completion(&edev->rdma_info.event_comp);
++
+ qede_rdma_cleanup_event(edev);
+ destroy_workqueue(edev->rdma_info.rdma_wq);
+ }
+@@ -310,15 +328,24 @@ static void qede_rdma_add_event(struct q
+ if (!edev->rdma_info.qedr_dev)
+ return;
+
++ /* We don't want the cleanup flow to start while we're allocating and
++ * scheduling the work
++ */
++ if (!kref_get_unless_zero(&edev->rdma_info.refcnt))
++ return; /* already being destroyed */
++
+ event_node = qede_rdma_get_free_event_node(edev);
+ if (!event_node)
+- return;
++ goto out;
+
+ event_node->event = event;
+ event_node->ptr = edev;
+
+ INIT_WORK(&event_node->work, qede_rdma_handle_event);
+ queue_work(edev->rdma_info.rdma_wq, &event_node->work);
++
++out:
++ kref_put(&edev->rdma_info.refcnt, qede_rdma_complete_event);
+ }
+
+ void qede_rdma_dev_event_open(struct qede_dev *edev)
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:10 AM CET
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 18 Feb 2020 18:15:44 +0100
+Subject: Revert "net: dev: introduce support for sch BYPASS for lockless qdisc"
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 379349e9bc3b42b8b2f8f7a03f64a97623fff323 ]
+
+This reverts commit ba27b4cdaaa66561aaedb2101876e563738d36fe
+
+Ahmed reported ouf-of-order issues bisected to commit ba27b4cdaaa6
+("net: dev: introduce support for sch BYPASS for lockless qdisc").
+I can't find any working solution other than a plain revert.
+
+This will introduce some minor performance regressions for
+pfifo_fast qdisc. I plan to address them in net-next with more
+indirect call wrapper boilerplate for qdiscs.
+
+Reported-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Fixes: ba27b4cdaaa6 ("net: dev: introduce support for sch BYPASS for lockless qdisc")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 22 ++--------------------
+ 1 file changed, 2 insertions(+), 20 deletions(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3386,26 +3386,8 @@ static inline int __dev_xmit_skb(struct
+ qdisc_calculate_pkt_len(skb, q);
+
+ if (q->flags & TCQ_F_NOLOCK) {
+- if ((q->flags & TCQ_F_CAN_BYPASS) && READ_ONCE(q->empty) &&
+- qdisc_run_begin(q)) {
+- if (unlikely(test_bit(__QDISC_STATE_DEACTIVATED,
+- &q->state))) {
+- __qdisc_drop(skb, &to_free);
+- rc = NET_XMIT_DROP;
+- goto end_run;
+- }
+- qdisc_bstats_cpu_update(q, skb);
+-
+- rc = NET_XMIT_SUCCESS;
+- if (sch_direct_xmit(skb, q, dev, txq, NULL, true))
+- __qdisc_run(q);
+-
+-end_run:
+- qdisc_run_end(q);
+- } else {
+- rc = q->enqueue(skb, q, &to_free) & NET_XMIT_MASK;
+- qdisc_run(q);
+- }
++ rc = q->enqueue(skb, q, &to_free) & NET_XMIT_MASK;
++ qdisc_run(q);
+
+ if (unlikely(to_free))
+ kfree_skb_list(to_free);
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:11 AM CET
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 18 Feb 2020 12:07:53 +0800
+Subject: sctp: move the format error check out of __sctp_sf_do_9_1_abort
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 245709ec8be89af46ea7ef0444c9c80913999d99 ]
+
+When T2 timer is to be stopped, the asoc should also be deleted,
+otherwise, there will be no chance to call sctp_association_free
+and the asoc could last in memory forever.
+
+However, in sctp_sf_shutdown_sent_abort(), after adding the cmd
+SCTP_CMD_TIMER_STOP for T2 timer, it may return error due to the
+format error from __sctp_sf_do_9_1_abort() and miss adding
+SCTP_CMD_ASSOC_FAILED where the asoc will be deleted.
+
+This patch is to fix it by moving the format error check out of
+__sctp_sf_do_9_1_abort(), and do it before adding the cmd
+SCTP_CMD_TIMER_STOP for T2 timer.
+
+Thanks Hangbin for reporting this issue by the fuzz testing.
+
+v1->v2:
+ - improve the comment in the code as Marcelo's suggestion.
+
+Fixes: 96ca468b86b0 ("sctp: check invalid value of length parameter in error cause")
+Reported-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_statefuns.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -170,6 +170,16 @@ static inline bool sctp_chunk_length_val
+ return true;
+ }
+
++/* Check for format error in an ABORT chunk */
++static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk)
++{
++ struct sctp_errhdr *err;
++
++ sctp_walk_errors(err, chunk->chunk_hdr);
++
++ return (void *)err == (void *)chunk->chunk_end;
++}
++
+ /**********************************************************
+ * These are the state functions for handling chunk events.
+ **********************************************************/
+@@ -2255,6 +2265,9 @@ enum sctp_disposition sctp_sf_shutdown_p
+ sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
+ return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
+
++ if (!sctp_err_chunk_valid(chunk))
++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++
+ return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
+ }
+
+@@ -2298,6 +2311,9 @@ enum sctp_disposition sctp_sf_shutdown_s
+ sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
+ return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
+
++ if (!sctp_err_chunk_valid(chunk))
++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++
+ /* Stop the T2-shutdown timer. */
+ sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
+ SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN));
+@@ -2565,6 +2581,9 @@ enum sctp_disposition sctp_sf_do_9_1_abo
+ sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
+ return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
+
++ if (!sctp_err_chunk_valid(chunk))
++ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
++
+ return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands);
+ }
+
+@@ -2582,16 +2601,8 @@ static enum sctp_disposition __sctp_sf_d
+
+ /* See if we have an error cause code in the chunk. */
+ len = ntohs(chunk->chunk_hdr->length);
+- if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) {
+- struct sctp_errhdr *err;
+-
+- sctp_walk_errors(err, chunk->chunk_hdr);
+- if ((void *)err != (void *)chunk->chunk_end)
+- return sctp_sf_pdiscard(net, ep, asoc, type, arg,
+- commands);
+-
++ if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
+ error = ((struct sctp_errhdr *)chunk->skb->data)->cause;
+- }
+
+ sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
+ /* ASSOC_FAILED will DELETE_TCB. */
io_uring-grab-fs-as-part-of-async-offload.patch
edac-skx_common-downgrade-message-importance-on-miss.patch
+net-dsa-b53-ensure-the-default-vid-is-untagged.patch
+net-fib_rules-correctly-set-table-field-when-table-number-exceeds-8-bits.patch
+net-macb-ensure-interface-is-not-suspended-on-at91rm9200.patch
+net-mscc-fix-in-frame-extraction.patch
+net-phy-restore-mdio-regs-in-the-iproc-mdio-driver.patch
+net-sched-correct-flower-port-blocking.patch
+net-tls-fix-to-avoid-gettig-invalid-tls-record.patch
+nfc-pn544-fix-occasional-hw-initialization-failure.patch
+qede-fix-race-between-rdma-destroy-workqueue-and-link-change-event.patch
+revert-net-dev-introduce-support-for-sch-bypass-for-lockless-qdisc.patch
+udp-rehash-on-disconnect.patch
+sctp-move-the-format-error-check-out-of-__sctp_sf_do_9_1_abort.patch
+bnxt_en-improve-device-shutdown-method.patch
+bnxt_en-issue-pcie-flr-in-kdump-kernel-to-cleanup-pending-dmas.patch
+bonding-add-missing-netdev_update_lockdep_key.patch
+net-export-netdev_next_lower_dev_rcu.patch
+bonding-fix-lockdep-warning-in-bond_get_stats.patch
+ipv6-fix-route-replacement-with-dev-only-route.patch
+ipv6-fix-nlmsg_flags-when-splitting-a-multipath-route.patch
--- /dev/null
+From foo@baz Sun 01 Mar 2020 10:25:11 AM CET
+From: Willem de Bruijn <willemb@google.com>
+Date: Wed, 19 Feb 2020 14:16:32 -0500
+Subject: udp: rehash on disconnect
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 303d0403b8c25e994e4a6e45389e173cf8706fb5 ]
+
+As of the below commit, udp sockets bound to a specific address can
+coexist with one bound to the any addr for the same port.
+
+The commit also phased out the use of socket hashing based only on
+port (hslot), in favor of always hashing on {addr, port} (hslot2).
+
+The change broke the following behavior with disconnect (AF_UNSPEC):
+
+ server binds to 0.0.0.0:1337
+ server connects to 127.0.0.1:80
+ server disconnects
+ client connects to 127.0.0.1:1337
+ client sends "hello"
+ server reads "hello" // times out, packet did not find sk
+
+On connect the server acquires a specific source addr suitable for
+routing to its destination. On disconnect it reverts to the any addr.
+
+The connect call triggers a rehash to a different hslot2. On
+disconnect, add the same to return to the original hslot2.
+
+Skip this step if the socket is going to be unhashed completely.
+
+Fixes: 4cdeeee9252a ("net: udp: prefer listeners bound to an address")
+Reported-by: Pavel Roskin <plroskin@gmail.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/udp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1856,8 +1856,12 @@ int __udp_disconnect(struct sock *sk, in
+ inet->inet_dport = 0;
+ sock_rps_reset_rxhash(sk);
+ sk->sk_bound_dev_if = 0;
+- if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
++ if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK)) {
+ inet_reset_saddr(sk);
++ if (sk->sk_prot->rehash &&
++ (sk->sk_userlocks & SOCK_BINDPORT_LOCK))
++ sk->sk_prot->rehash(sk);
++ }
+
+ if (!(sk->sk_userlocks & SOCK_BINDPORT_LOCK)) {
+ sk->sk_prot->unhash(sk);
projects / thirdparty / kernel / stable-queue.git / commitdiff
