--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Date: Sun, 1 Mar 2020 22:07:17 -0500
+Subject: bnxt_en: reinitialize IRQs when MTU is modified
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+[ Upstream commit a9b952d267e59a3b405e644930f46d252cea7122 ]
+
+MTU changes may affect the number of IRQs so we must call
+bnxt_close_nic()/bnxt_open_nic() with the irq_re_init parameter
+set to true. The reason is that a larger MTU may require
+aggregation rings not needed with smaller MTU. We may not be
+able to allocate the required number of aggregation rings and
+so we reduce the number of channels which will change the number
+of IRQs. Without this patch, it may crash eventually in
+pci_disable_msix() when the IRQs are not properly unwound.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -8097,13 +8097,13 @@ static int bnxt_change_mtu(struct net_de
+ struct bnxt *bp = netdev_priv(dev);
+
+ if (netif_running(dev))
+- bnxt_close_nic(bp, false, false);
++ bnxt_close_nic(bp, true, false);
+
+ dev->mtu = new_mtu;
+ bnxt_set_ring_params(bp);
+
+ if (netif_running(dev))
+- return bnxt_open_nic(bp, false, false);
++ return bnxt_open_nic(bp, true, false);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 4 Mar 2020 09:32:16 -0800
+Subject: bonding/alb: make sure arp header is pulled before accessing it
+
+From: Eric Dumazet <edumazet@google.com>
+
+Similar to commit 38f88c454042 ("bonding/alb: properly access headers
+in bond_alb_xmit()"), we need to make sure arp header was pulled
+in skb->head before blindly accessing it in rlb_arp_xmit().
+
+Remove arp_pkt() private helper, since it is more readable/obvious
+to have the following construct back to back :
+
+ if (!pskb_network_may_pull(skb, sizeof(*arp)))
+ return NULL;
+ arp = (struct arp_pkt *)skb_network_header(skb);
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in bond_slave_has_mac_rx include/net/bonding.h:704 [inline]
+BUG: KMSAN: uninit-value in rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline]
+BUG: KMSAN: uninit-value in bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477
+CPU: 0 PID: 12743 Comm: syz-executor.4 Not tainted 5.6.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ bond_slave_has_mac_rx include/net/bonding.h:704 [inline]
+ rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline]
+ bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477
+ __bond_start_xmit drivers/net/bonding/bond_main.c:4257 [inline]
+ bond_start_xmit+0x85d/0x2f70 drivers/net/bonding/bond_main.c:4282
+ __netdev_start_xmit include/linux/netdevice.h:4524 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4538 [inline]
+ xmit_one net/core/dev.c:3470 [inline]
+ dev_hard_start_xmit+0x531/0xab0 net/core/dev.c:3486
+ __dev_queue_xmit+0x37de/0x4220 net/core/dev.c:4063
+ dev_queue_xmit+0x4b/0x60 net/core/dev.c:4096
+ packet_snd net/packet/af_packet.c:2967 [inline]
+ packet_sendmsg+0x8347/0x93b0 net/packet/af_packet.c:2992
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg net/socket.c:672 [inline]
+ __sys_sendto+0xc1b/0xc50 net/socket.c:1998
+ __do_sys_sendto net/socket.c:2010 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:2006
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:2006
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45c479
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007fc77ffbbc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00007fc77ffbc6d4 RCX: 000000000045c479
+RDX: 000000000000000e RSI: 00000000200004c0 RDI: 0000000000000003
+RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 0000000000000a04 R14: 00000000004cc7b0 R15: 000000000076bf2c
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
+ slab_alloc_node mm/slub.c:2793 [inline]
+ __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
+ __kmalloc_reserve net/core/skbuff.c:142 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
+ alloc_skb include/linux/skbuff.h:1051 [inline]
+ alloc_skb_with_frags+0x18c/0xa70 net/core/skbuff.c:5766
+ sock_alloc_send_pskb+0xada/0xc60 net/core/sock.c:2242
+ packet_alloc_skb net/packet/af_packet.c:2815 [inline]
+ packet_snd net/packet/af_packet.c:2910 [inline]
+ packet_sendmsg+0x66a0/0x93b0 net/packet/af_packet.c:2992
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg net/socket.c:672 [inline]
+ __sys_sendto+0xc1b/0xc50 net/socket.c:1998
+ __do_sys_sendto net/socket.c:2010 [inline]
+ __se_sys_sendto+0x107/0x130 net/socket.c:2006
+ __x64_sys_sendto+0x6e/0x90 net/socket.c:2006
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Cc: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_alb.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/bonding/bond_alb.c
++++ b/drivers/net/bonding/bond_alb.c
+@@ -66,11 +66,6 @@ struct arp_pkt {
+ };
+ #pragma pack()
+
+-static inline struct arp_pkt *arp_pkt(const struct sk_buff *skb)
+-{
+- return (struct arp_pkt *)skb_network_header(skb);
+-}
+-
+ /* Forward declaration */
+ static void alb_send_learning_packets(struct slave *slave, u8 mac_addr[],
+ bool strict_match);
+@@ -568,10 +563,11 @@ static void rlb_req_update_subnet_client
+ spin_unlock(&bond->mode_lock);
+ }
+
+-static struct slave *rlb_choose_channel(struct sk_buff *skb, struct bonding *bond)
++static struct slave *rlb_choose_channel(struct sk_buff *skb,
++ struct bonding *bond,
++ const struct arp_pkt *arp)
+ {
+ struct alb_bond_info *bond_info = &(BOND_ALB_INFO(bond));
+- struct arp_pkt *arp = arp_pkt(skb);
+ struct slave *assigned_slave, *curr_active_slave;
+ struct rlb_client_info *client_info;
+ u32 hash_index = 0;
+@@ -668,8 +664,12 @@ static struct slave *rlb_choose_channel(
+ */
+ static struct slave *rlb_arp_xmit(struct sk_buff *skb, struct bonding *bond)
+ {
+- struct arp_pkt *arp = arp_pkt(skb);
+ struct slave *tx_slave = NULL;
++ struct arp_pkt *arp;
++
++ if (!pskb_network_may_pull(skb, sizeof(*arp)))
++ return NULL;
++ arp = (struct arp_pkt *)skb_network_header(skb);
+
+ /* Don't modify or load balance ARPs that do not originate locally
+ * (e.g.,arrive via a bridge).
+@@ -679,7 +679,7 @@ static struct slave *rlb_arp_xmit(struct
+
+ if (arp->op_code == htons(ARPOP_REPLY)) {
+ /* the arp must be sent on the selected rx channel */
+- tx_slave = rlb_choose_channel(skb, bond);
++ tx_slave = rlb_choose_channel(skb, bond, arp);
+ if (tx_slave)
+ bond_hw_addr_copy(arp->mac_src, tx_slave->dev->dev_addr,
+ tx_slave->dev->addr_len);
+@@ -690,7 +690,7 @@ static struct slave *rlb_arp_xmit(struct
+ * When the arp reply is received the entry will be updated
+ * with the correct unicast address of the client.
+ */
+- rlb_choose_channel(skb, bond);
++ rlb_choose_channel(skb, bond, arp);
+
+ /* The ARP reply packets must be delayed so that
+ * they can cancel out the influence of the ARP request.
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:16 -0800
+Subject: can: add missing attribute validation for termination
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit ab02ad660586b94f5d08912a3952b939cf4c4430 ]
+
+Add missing attribute validation for IFLA_CAN_TERMINATION
+to the netlink policy.
+
+Fixes: 12a6075cabc0 ("can: dev: add CAN interface termination API")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/dev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -892,6 +892,7 @@ static const struct nla_policy can_polic
+ = { .len = sizeof(struct can_bittiming) },
+ [IFLA_CAN_DATA_BITTIMING_CONST]
+ = { .len = sizeof(struct can_bittiming_const) },
++ [IFLA_CAN_TERMINATION] = { .type = NLA_U16 },
+ };
+
+ static int can_validate(struct nlattr *tb[], struct nlattr *data[],
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Shakeel Butt <shakeelb@google.com>
+Date: Mon, 9 Mar 2020 22:16:05 -0700
+Subject: cgroup: memcg: net: do not associate sock with unrelated cgroup
+
+From: Shakeel Butt <shakeelb@google.com>
+
+[ Upstream commit e876ecc67db80dfdb8e237f71e5b43bb88ae549c ]
+
+We are testing network memory accounting in our setup and noticed
+inconsistent network memory usage and often unrelated cgroups network
+usage correlates with testing workload. On further inspection, it
+seems like mem_cgroup_sk_alloc() and cgroup_sk_alloc() are broken in
+irq context specially for cgroup v1.
+
+mem_cgroup_sk_alloc() and cgroup_sk_alloc() can be called in irq context
+and kind of assumes that this can only happen from sk_clone_lock()
+and the source sock object has already associated cgroup. However in
+cgroup v1, where network memory accounting is opt-in, the source sock
+can be unassociated with any cgroup and the new cloned sock can get
+associated with unrelated interrupted cgroup.
+
+Cgroup v2 can also suffer if the source sock object was created by
+process in the root cgroup or if sk_alloc() is called in irq context.
+The fix is to just do nothing in interrupt.
+
+WARNING: Please note that about half of the TCP sockets are allocated
+from the IRQ context, so, memory used by such sockets will not be
+accouted by the memcg.
+
+The stack trace of mem_cgroup_sk_alloc() from IRQ-context:
+
+CPU: 70 PID: 12720 Comm: ssh Tainted: 5.6.0-smp-DEV #1
+Hardware name: ...
+Call Trace:
+ <IRQ>
+ dump_stack+0x57/0x75
+ mem_cgroup_sk_alloc+0xe9/0xf0
+ sk_clone_lock+0x2a7/0x420
+ inet_csk_clone_lock+0x1b/0x110
+ tcp_create_openreq_child+0x23/0x3b0
+ tcp_v6_syn_recv_sock+0x88/0x730
+ tcp_check_req+0x429/0x560
+ tcp_v6_rcv+0x72d/0xa40
+ ip6_protocol_deliver_rcu+0xc9/0x400
+ ip6_input+0x44/0xd0
+ ? ip6_protocol_deliver_rcu+0x400/0x400
+ ip6_rcv_finish+0x71/0x80
+ ipv6_rcv+0x5b/0xe0
+ ? ip6_sublist_rcv+0x2e0/0x2e0
+ process_backlog+0x108/0x1e0
+ net_rx_action+0x26b/0x460
+ __do_softirq+0x104/0x2a6
+ do_softirq_own_stack+0x2a/0x40
+ </IRQ>
+ do_softirq.part.19+0x40/0x50
+ __local_bh_enable_ip+0x51/0x60
+ ip6_finish_output2+0x23d/0x520
+ ? ip6table_mangle_hook+0x55/0x160
+ __ip6_finish_output+0xa1/0x100
+ ip6_finish_output+0x30/0xd0
+ ip6_output+0x73/0x120
+ ? __ip6_finish_output+0x100/0x100
+ ip6_xmit+0x2e3/0x600
+ ? ipv6_anycast_cleanup+0x50/0x50
+ ? inet6_csk_route_socket+0x136/0x1e0
+ ? skb_free_head+0x1e/0x30
+ inet6_csk_xmit+0x95/0xf0
+ __tcp_transmit_skb+0x5b4/0xb20
+ __tcp_send_ack.part.60+0xa3/0x110
+ tcp_send_ack+0x1d/0x20
+ tcp_rcv_state_process+0xe64/0xe80
+ ? tcp_v6_connect+0x5d1/0x5f0
+ tcp_v6_do_rcv+0x1b1/0x3f0
+ ? tcp_v6_do_rcv+0x1b1/0x3f0
+ __release_sock+0x7f/0xd0
+ release_sock+0x30/0xa0
+ __inet_stream_connect+0x1c3/0x3b0
+ ? prepare_to_wait+0xb0/0xb0
+ inet_stream_connect+0x3b/0x60
+ __sys_connect+0x101/0x120
+ ? __sys_getsockopt+0x11b/0x140
+ __x64_sys_connect+0x1a/0x20
+ do_syscall_64+0x51/0x200
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+The stack trace of mem_cgroup_sk_alloc() from IRQ-context:
+Fixes: 2d7580738345 ("mm: memcontrol: consolidate cgroup socket tracking")
+Fixes: d979a39d7242 ("cgroup: duplicate cgroup reference when cloning sockets")
+Signed-off-by: Shakeel Butt <shakeelb@google.com>
+Reviewed-by: Roman Gushchin <guro@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cgroup.c | 4 ++++
+ mm/memcontrol.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -5929,6 +5929,10 @@ void cgroup_sk_alloc(struct sock_cgroup_
+ return;
+ }
+
++ /* Don't associate the sock with unrelated interrupted task's cgroup. */
++ if (in_interrupt())
++ return;
++
+ rcu_read_lock();
+
+ while (true) {
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -6321,6 +6321,10 @@ void mem_cgroup_sk_alloc(struct sock *sk
+ return;
+ }
+
++ /* Do not associate the sock with unrelated interrupted task's memcg. */
++ if (in_interrupt())
++ return;
++
+ rcu_read_lock();
+ memcg = mem_cgroup_from_task(current);
+ if (memcg == root_mem_cgroup)
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Dmitry Yakunin <zeil@yandex-team.ru>
+Date: Thu, 5 Mar 2020 17:45:57 +0300
+Subject: cgroup, netclassid: periodically release file_lock on classid updating
+
+From: Dmitry Yakunin <zeil@yandex-team.ru>
+
+[ Upstream commit 018d26fcd12a75fb9b5fe233762aa3f2f0854b88 ]
+
+In our production environment we have faced with problem that updating
+classid in cgroup with heavy tasks cause long freeze of the file tables
+in this tasks. By heavy tasks we understand tasks with many threads and
+opened sockets (e.g. balancers). This freeze leads to an increase number
+of client timeouts.
+
+This patch implements following logic to fix this issue:
+аfter iterating 1000 file descriptors file table lock will be released
+thus providing a time gap for socket creation/deletion.
+
+Now update is non atomic and socket may be skipped using calls:
+
+dup2(oldfd, newfd);
+close(oldfd);
+
+But this case is not typical. Moreover before this patch skip is possible
+too by hiding socket fd in unix socket buffer.
+
+New sockets will be allocated with updated classid because cgroup state
+is updated before start of the file descriptors iteration.
+
+So in common cases this patch has no side effects.
+
+Signed-off-by: Dmitry Yakunin <zeil@yandex-team.ru>
+Reviewed-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/netclassid_cgroup.c | 47 +++++++++++++++++++++++++++++++++----------
+ 1 file changed, 37 insertions(+), 10 deletions(-)
+
+--- a/net/core/netclassid_cgroup.c
++++ b/net/core/netclassid_cgroup.c
+@@ -57,30 +57,60 @@ static void cgrp_css_free(struct cgroup_
+ kfree(css_cls_state(css));
+ }
+
++/*
++ * To avoid freezing of sockets creation for tasks with big number of threads
++ * and opened sockets lets release file_lock every 1000 iterated descriptors.
++ * New sockets will already have been created with new classid.
++ */
++
++struct update_classid_context {
++ u32 classid;
++ unsigned int batch;
++};
++
++#define UPDATE_CLASSID_BATCH 1000
++
+ static int update_classid_sock(const void *v, struct file *file, unsigned n)
+ {
+ int err;
++ struct update_classid_context *ctx = (void *)v;
+ struct socket *sock = sock_from_file(file, &err);
+
+ if (sock) {
+ spin_lock(&cgroup_sk_update_lock);
+- sock_cgroup_set_classid(&sock->sk->sk_cgrp_data,
+- (unsigned long)v);
++ sock_cgroup_set_classid(&sock->sk->sk_cgrp_data, ctx->classid);
+ spin_unlock(&cgroup_sk_update_lock);
+ }
++ if (--ctx->batch == 0) {
++ ctx->batch = UPDATE_CLASSID_BATCH;
++ return n + 1;
++ }
+ return 0;
+ }
+
++static void update_classid_task(struct task_struct *p, u32 classid)
++{
++ struct update_classid_context ctx = {
++ .classid = classid,
++ .batch = UPDATE_CLASSID_BATCH
++ };
++ unsigned int fd = 0;
++
++ do {
++ task_lock(p);
++ fd = iterate_fd(p->files, fd, update_classid_sock, &ctx);
++ task_unlock(p);
++ cond_resched();
++ } while (fd);
++}
++
+ static void cgrp_attach(struct cgroup_taskset *tset)
+ {
+ struct cgroup_subsys_state *css;
+ struct task_struct *p;
+
+ cgroup_taskset_for_each(p, css, tset) {
+- task_lock(p);
+- iterate_fd(p->files, 0, update_classid_sock,
+- (void *)(unsigned long)css_cls_state(css)->classid);
+- task_unlock(p);
++ update_classid_task(p, css_cls_state(css)->classid);
+ }
+ }
+
+@@ -102,10 +132,7 @@ static int write_classid(struct cgroup_s
+
+ css_task_iter_start(css, 0, &it);
+ while ((p = css_task_iter_next(&it))) {
+- task_lock(p);
+- iterate_fd(p->files, 0, update_classid_sock,
+- (void *)(unsigned long)cs->classid);
+- task_unlock(p);
++ update_classid_task(p, cs->classid);
+ cond_resched();
+ }
+ css_task_iter_end(&it);
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:11 -0800
+Subject: devlink: validate length of param values
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 8750939b6ad86abc3f53ec8a9683a1cded4a5654 ]
+
+DEVLINK_ATTR_PARAM_VALUE_DATA may have different types
+so it's not checked by the normal netlink policy. Make
+sure the attribute length is what we expect.
+
+Fixes: e3b7ca18ad7b ("devlink: Add param set command")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/devlink.c | 31 +++++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 12 deletions(-)
+
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -2995,34 +2995,41 @@ devlink_param_value_get_from_info(const
+ struct genl_info *info,
+ union devlink_param_value *value)
+ {
++ struct nlattr *param_data;
+ int len;
+
+- if (param->type != DEVLINK_PARAM_TYPE_BOOL &&
+- !info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA])
++ param_data = info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA];
++
++ if (param->type != DEVLINK_PARAM_TYPE_BOOL && !param_data)
+ return -EINVAL;
+
+ switch (param->type) {
+ case DEVLINK_PARAM_TYPE_U8:
+- value->vu8 = nla_get_u8(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]);
++ if (nla_len(param_data) != sizeof(u8))
++ return -EINVAL;
++ value->vu8 = nla_get_u8(param_data);
+ break;
+ case DEVLINK_PARAM_TYPE_U16:
+- value->vu16 = nla_get_u16(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]);
++ if (nla_len(param_data) != sizeof(u16))
++ return -EINVAL;
++ value->vu16 = nla_get_u16(param_data);
+ break;
+ case DEVLINK_PARAM_TYPE_U32:
+- value->vu32 = nla_get_u32(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]);
++ if (nla_len(param_data) != sizeof(u32))
++ return -EINVAL;
++ value->vu32 = nla_get_u32(param_data);
+ break;
+ case DEVLINK_PARAM_TYPE_STRING:
+- len = strnlen(nla_data(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]),
+- nla_len(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]));
+- if (len == nla_len(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]) ||
++ len = strnlen(nla_data(param_data), nla_len(param_data));
++ if (len == nla_len(param_data) ||
+ len >= __DEVLINK_PARAM_MAX_STRING_VALUE)
+ return -EINVAL;
+- strcpy(value->vstr,
+- nla_data(info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA]));
++ strcpy(value->vstr, nla_data(param_data));
+ break;
+ case DEVLINK_PARAM_TYPE_BOOL:
+- value->vbool = info->attrs[DEVLINK_ATTR_PARAM_VALUE_DATA] ?
+- true : false;
++ if (param_data && nla_len(param_data))
++ return -EINVAL;
++ value->vbool = nla_get_flag(param_data);
+ break;
+ }
+ return 0;
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:12 -0800
+Subject: devlink: validate length of region addr/len
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit ff3b63b8c299b73ac599b120653b47e275407656 ]
+
+DEVLINK_ATTR_REGION_CHUNK_ADDR and DEVLINK_ATTR_REGION_CHUNK_LEN
+lack entries in the netlink policy. Corresponding nla_get_u64()s
+may read beyond the end of the message.
+
+Fixes: 4e54795a27f5 ("devlink: Add support for region snapshot read command")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/devlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -3607,6 +3607,8 @@ static const struct nla_policy devlink_n
+ [DEVLINK_ATTR_PARAM_VALUE_CMODE] = { .type = NLA_U8 },
+ [DEVLINK_ATTR_REGION_NAME] = { .type = NLA_NUL_STRING },
+ [DEVLINK_ATTR_REGION_SNAPSHOT_ID] = { .type = NLA_U32 },
++ [DEVLINK_ATTR_REGION_CHUNK_ADDR] = { .type = NLA_U64 },
++ [DEVLINK_ATTR_REGION_CHUNK_LEN] = { .type = NLA_U64 },
+ };
+
+ static const struct genl_ops devlink_nl_ops[] = {
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:13 -0800
+Subject: fib: add missing attribute validation for tun_id
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 4c16d64ea04056f1b1b324ab6916019f6a064114 ]
+
+Add missing netlink policy entry for FRA_TUN_ID.
+
+Fixes: e7030878fc84 ("fib: Add fib rule match on tunnel id")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/fib_rules.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/net/fib_rules.h
++++ b/include/net/fib_rules.h
+@@ -107,6 +107,7 @@ struct fib_rule_notifier_info {
+ [FRA_OIFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
+ [FRA_PRIORITY] = { .type = NLA_U32 }, \
+ [FRA_FWMARK] = { .type = NLA_U32 }, \
++ [FRA_TUN_ID] = { .type = NLA_U64 }, \
+ [FRA_FWMASK] = { .type = NLA_U32 }, \
+ [FRA_TABLE] = { .type = NLA_U32 }, \
+ [FRA_SUPPRESS_PREFIXLEN] = { .type = NLA_U32 }, \
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 7 Mar 2020 22:05:14 -0800
+Subject: gre: fix uninit-value in __iptunnel_pull_header
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 17c25cafd4d3e74c83dce56b158843b19c40b414 ]
+
+syzbot found an interesting case of the kernel reading
+an uninit-value [1]
+
+Problem is in the handling of ETH_P_WCCP in gre_parse_header()
+
+We look at the byte following GRE options to eventually decide
+if the options are four bytes longer.
+
+Use skb_header_pointer() to not pull bytes if we found
+that no more bytes were needed.
+
+All callers of gre_parse_header() are properly using pskb_may_pull()
+anyway before proceeding to next header.
+
+[1]
+BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2303 [inline]
+BUG: KMSAN: uninit-value in __iptunnel_pull_header+0x30c/0xbd0 net/ipv4/ip_tunnel_core.c:94
+CPU: 1 PID: 11784 Comm: syz-executor940 Not tainted 5.6.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ pskb_may_pull include/linux/skbuff.h:2303 [inline]
+ __iptunnel_pull_header+0x30c/0xbd0 net/ipv4/ip_tunnel_core.c:94
+ iptunnel_pull_header include/net/ip_tunnels.h:411 [inline]
+ gre_rcv+0x15e/0x19c0 net/ipv6/ip6_gre.c:606
+ ip6_protocol_deliver_rcu+0x181b/0x22c0 net/ipv6/ip6_input.c:432
+ ip6_input_finish net/ipv6/ip6_input.c:473 [inline]
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ ip6_input net/ipv6/ip6_input.c:482 [inline]
+ ip6_mc_input+0xdf2/0x1460 net/ipv6/ip6_input.c:576
+ dst_input include/net/dst.h:442 [inline]
+ ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ ipv6_rcv+0x683/0x710 net/ipv6/ip6_input.c:306
+ __netif_receive_skb_one_core net/core/dev.c:5198 [inline]
+ __netif_receive_skb net/core/dev.c:5312 [inline]
+ netif_receive_skb_internal net/core/dev.c:5402 [inline]
+ netif_receive_skb+0x66b/0xf20 net/core/dev.c:5461
+ tun_rx_batched include/linux/skbuff.h:4321 [inline]
+ tun_get_user+0x6aef/0x6f60 drivers/net/tun.c:1997
+ tun_chr_write_iter+0x1f2/0x360 drivers/net/tun.c:2026
+ call_write_iter include/linux/fs.h:1901 [inline]
+ new_sync_write fs/read_write.c:483 [inline]
+ __vfs_write+0xa5a/0xca0 fs/read_write.c:496
+ vfs_write+0x44a/0x8f0 fs/read_write.c:558
+ ksys_write+0x267/0x450 fs/read_write.c:611
+ __do_sys_write fs/read_write.c:623 [inline]
+ __se_sys_write fs/read_write.c:620 [inline]
+ __ia32_sys_write+0xdb/0x120 fs/read_write.c:620
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7f62d99
+Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
+RSP: 002b:00000000fffedb2c EFLAGS: 00000217 ORIG_RAX: 0000000000000004
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020002580
+RDX: 0000000000000fca RSI: 0000000000000036 RDI: 0000000000000004
+RBP: 0000000000008914 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
+ slab_alloc_node mm/slub.c:2793 [inline]
+ __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
+ __kmalloc_reserve net/core/skbuff.c:142 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
+ alloc_skb include/linux/skbuff.h:1051 [inline]
+ alloc_skb_with_frags+0x18c/0xa70 net/core/skbuff.c:5766
+ sock_alloc_send_pskb+0xada/0xc60 net/core/sock.c:2242
+ tun_alloc_skb drivers/net/tun.c:1529 [inline]
+ tun_get_user+0x10ae/0x6f60 drivers/net/tun.c:1843
+ tun_chr_write_iter+0x1f2/0x360 drivers/net/tun.c:2026
+ call_write_iter include/linux/fs.h:1901 [inline]
+ new_sync_write fs/read_write.c:483 [inline]
+ __vfs_write+0xa5a/0xca0 fs/read_write.c:496
+ vfs_write+0x44a/0x8f0 fs/read_write.c:558
+ ksys_write+0x267/0x450 fs/read_write.c:611
+ __do_sys_write fs/read_write.c:623 [inline]
+ __se_sys_write fs/read_write.c:620 [inline]
+ __ia32_sys_write+0xdb/0x120 fs/read_write.c:620
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+
+Fixes: 95f5c64c3c13 ("gre: Move utility functions to common headers")
+Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/gre_demux.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/gre_demux.c
++++ b/net/ipv4/gre_demux.c
+@@ -61,7 +61,9 @@ int gre_del_protocol(const struct gre_pr
+ }
+ EXPORT_SYMBOL_GPL(gre_del_protocol);
+
+-/* Fills in tpi and returns header length to be pulled. */
++/* Fills in tpi and returns header length to be pulled.
++ * Note that caller must use pskb_may_pull() before pulling GRE header.
++ */
+ int gre_parse_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
+ bool *csum_err, __be16 proto, int nhs)
+ {
+@@ -115,8 +117,14 @@ int gre_parse_header(struct sk_buff *skb
+ * - When dealing with WCCPv2, Skip extra 4 bytes in GRE header
+ */
+ if (greh->flags == 0 && tpi->proto == htons(ETH_P_WCCP)) {
++ u8 _val, *val;
++
++ val = skb_header_pointer(skb, nhs + hdr_len,
++ sizeof(_val), &_val);
++ if (!val)
++ return -EINVAL;
+ tpi->proto = proto;
+- if ((*(u8 *)options & 0xF0) != 0x40)
++ if ((*val & 0xF0) != 0x40)
+ hdr_len += 4;
+ }
+ tpi->hdr_len = hdr_len;
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Dmitry Yakunin <zeil@yandex-team.ru>
+Date: Thu, 5 Mar 2020 15:33:12 +0300
+Subject: inet_diag: return classid for all socket types
+
+From: Dmitry Yakunin <zeil@yandex-team.ru>
+
+[ Upstream commit 83f73c5bb7b9a9135173f0ba2b1aa00c06664ff9 ]
+
+In commit 1ec17dbd90f8 ("inet_diag: fix reporting cgroup classid and
+fallback to priority") croup classid reporting was fixed. But this works
+only for TCP sockets because for other socket types icsk parameter can
+be NULL and classid code path is skipped. This change moves classid
+handling to inet_diag_msg_attrs_fill() function.
+
+Also inet_diag_msg_attrs_size() helper was added and addends in
+nlmsg_new() were reordered to save order from inet_sk_diag_fill().
+
+Fixes: 1ec17dbd90f8 ("inet_diag: fix reporting cgroup classid and fallback to priority")
+Signed-off-by: Dmitry Yakunin <zeil@yandex-team.ru>
+Reviewed-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/inet_diag.h | 18 ++++++++++++------
+ net/ipv4/inet_diag.c | 44 ++++++++++++++++++++------------------------
+ net/ipv4/raw_diag.c | 5 +++--
+ net/ipv4/udp_diag.c | 5 +++--
+ net/sctp/diag.c | 8 ++------
+ 5 files changed, 40 insertions(+), 40 deletions(-)
+
+--- a/include/linux/inet_diag.h
++++ b/include/linux/inet_diag.h
+@@ -2,15 +2,10 @@
+ #ifndef _INET_DIAG_H_
+ #define _INET_DIAG_H_ 1
+
++#include <net/netlink.h>
+ #include <uapi/linux/inet_diag.h>
+
+-struct net;
+-struct sock;
+ struct inet_hashinfo;
+-struct nlattr;
+-struct nlmsghdr;
+-struct sk_buff;
+-struct netlink_callback;
+
+ struct inet_diag_handler {
+ void (*dump)(struct sk_buff *skb,
+@@ -62,6 +57,17 @@ int inet_diag_bc_sk(const struct nlattr
+
+ void inet_diag_msg_common_fill(struct inet_diag_msg *r, struct sock *sk);
+
++static inline size_t inet_diag_msg_attrs_size(void)
++{
++ return nla_total_size(1) /* INET_DIAG_SHUTDOWN */
++ + nla_total_size(1) /* INET_DIAG_TOS */
++#if IS_ENABLED(CONFIG_IPV6)
++ + nla_total_size(1) /* INET_DIAG_TCLASS */
++ + nla_total_size(1) /* INET_DIAG_SKV6ONLY */
++#endif
++ + nla_total_size(4) /* INET_DIAG_MARK */
++ + nla_total_size(4); /* INET_DIAG_CLASS_ID */
++}
+ int inet_diag_msg_attrs_fill(struct sock *sk, struct sk_buff *skb,
+ struct inet_diag_msg *r, int ext,
+ struct user_namespace *user_ns, bool net_admin);
+--- a/net/ipv4/inet_diag.c
++++ b/net/ipv4/inet_diag.c
+@@ -104,13 +104,9 @@ static size_t inet_sk_attr_size(struct s
+ aux = handler->idiag_get_aux_size(sk, net_admin);
+
+ return nla_total_size(sizeof(struct tcp_info))
+- + nla_total_size(1) /* INET_DIAG_SHUTDOWN */
+- + nla_total_size(1) /* INET_DIAG_TOS */
+- + nla_total_size(1) /* INET_DIAG_TCLASS */
+- + nla_total_size(4) /* INET_DIAG_MARK */
+- + nla_total_size(4) /* INET_DIAG_CLASS_ID */
+- + nla_total_size(sizeof(struct inet_diag_meminfo))
+ + nla_total_size(sizeof(struct inet_diag_msg))
++ + inet_diag_msg_attrs_size()
++ + nla_total_size(sizeof(struct inet_diag_meminfo))
+ + nla_total_size(SK_MEMINFO_VARS * sizeof(u32))
+ + nla_total_size(TCP_CA_NAME_MAX)
+ + nla_total_size(sizeof(struct tcpvegas_info))
+@@ -151,6 +147,24 @@ int inet_diag_msg_attrs_fill(struct sock
+ if (net_admin && nla_put_u32(skb, INET_DIAG_MARK, sk->sk_mark))
+ goto errout;
+
++ if (ext & (1 << (INET_DIAG_CLASS_ID - 1)) ||
++ ext & (1 << (INET_DIAG_TCLASS - 1))) {
++ u32 classid = 0;
++
++#ifdef CONFIG_SOCK_CGROUP_DATA
++ classid = sock_cgroup_classid(&sk->sk_cgrp_data);
++#endif
++ /* Fallback to socket priority if class id isn't set.
++ * Classful qdiscs use it as direct reference to class.
++ * For cgroup2 classid is always zero.
++ */
++ if (!classid)
++ classid = sk->sk_priority;
++
++ if (nla_put_u32(skb, INET_DIAG_CLASS_ID, classid))
++ goto errout;
++ }
++
+ r->idiag_uid = from_kuid_munged(user_ns, sock_i_uid(sk));
+ r->idiag_inode = sock_i_ino(sk);
+
+@@ -288,24 +302,6 @@ int inet_sk_diag_fill(struct sock *sk, s
+ goto errout;
+ }
+
+- if (ext & (1 << (INET_DIAG_CLASS_ID - 1)) ||
+- ext & (1 << (INET_DIAG_TCLASS - 1))) {
+- u32 classid = 0;
+-
+-#ifdef CONFIG_SOCK_CGROUP_DATA
+- classid = sock_cgroup_classid(&sk->sk_cgrp_data);
+-#endif
+- /* Fallback to socket priority if class id isn't set.
+- * Classful qdiscs use it as direct reference to class.
+- * For cgroup2 classid is always zero.
+- */
+- if (!classid)
+- classid = sk->sk_priority;
+-
+- if (nla_put_u32(skb, INET_DIAG_CLASS_ID, classid))
+- goto errout;
+- }
+-
+ out:
+ nlmsg_end(skb, nlh);
+ return 0;
+--- a/net/ipv4/raw_diag.c
++++ b/net/ipv4/raw_diag.c
+@@ -99,8 +99,9 @@ static int raw_diag_dump_one(struct sk_b
+ if (IS_ERR(sk))
+ return PTR_ERR(sk);
+
+- rep = nlmsg_new(sizeof(struct inet_diag_msg) +
+- sizeof(struct inet_diag_meminfo) + 64,
++ rep = nlmsg_new(nla_total_size(sizeof(struct inet_diag_msg)) +
++ inet_diag_msg_attrs_size() +
++ nla_total_size(sizeof(struct inet_diag_meminfo)) + 64,
+ GFP_KERNEL);
+ if (!rep) {
+ sock_put(sk);
+--- a/net/ipv4/udp_diag.c
++++ b/net/ipv4/udp_diag.c
+@@ -67,8 +67,9 @@ static int udp_dump_one(struct udp_table
+ goto out;
+
+ err = -ENOMEM;
+- rep = nlmsg_new(sizeof(struct inet_diag_msg) +
+- sizeof(struct inet_diag_meminfo) + 64,
++ rep = nlmsg_new(nla_total_size(sizeof(struct inet_diag_msg)) +
++ inet_diag_msg_attrs_size() +
++ nla_total_size(sizeof(struct inet_diag_meminfo)) + 64,
+ GFP_KERNEL);
+ if (!rep)
+ goto out;
+--- a/net/sctp/diag.c
++++ b/net/sctp/diag.c
+@@ -252,15 +252,11 @@ static size_t inet_assoc_attr_size(struc
+ addrcnt++;
+
+ return nla_total_size(sizeof(struct sctp_info))
+- + nla_total_size(1) /* INET_DIAG_SHUTDOWN */
+- + nla_total_size(1) /* INET_DIAG_TOS */
+- + nla_total_size(1) /* INET_DIAG_TCLASS */
+- + nla_total_size(4) /* INET_DIAG_MARK */
+- + nla_total_size(4) /* INET_DIAG_CLASS_ID */
+ + nla_total_size(addrlen * asoc->peer.transport_count)
+ + nla_total_size(addrlen * addrcnt)
+- + nla_total_size(sizeof(struct inet_diag_meminfo))
+ + nla_total_size(sizeof(struct inet_diag_msg))
++ + inet_diag_msg_attrs_size()
++ + nla_total_size(sizeof(struct inet_diag_meminfo))
+ + 64;
+ }
+
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Tue, 10 Mar 2020 15:27:37 +0800
+Subject: ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 60380488e4e0b95e9e82aa68aa9705baa86de84c ]
+
+Rafał found an issue that for non-Ethernet interface, if we down and up
+frequently, the memory will be consumed slowly.
+
+The reason is we add allnodes/allrouters addressed in multicast list in
+ipv6_add_dev(). When link down, we call ipv6_mc_down(), store all multicast
+addresses via mld_add_delrec(). But when link up, we don't call ipv6_mc_up()
+for non-Ethernet interface to remove the addresses. This makes idev->mc_tomb
+getting bigger and bigger. The call stack looks like:
+
+addrconf_notify(NETDEV_REGISTER)
+ ipv6_add_dev
+ ipv6_dev_mc_inc(ff01::1)
+ ipv6_dev_mc_inc(ff02::1)
+ ipv6_dev_mc_inc(ff02::2)
+
+addrconf_notify(NETDEV_UP)
+ addrconf_dev_config
+ /* Alas, we support only Ethernet autoconfiguration. */
+ return;
+
+addrconf_notify(NETDEV_DOWN)
+ addrconf_ifdown
+ ipv6_mc_down
+ igmp6_group_dropped(ff02::2)
+ mld_add_delrec(ff02::2)
+ igmp6_group_dropped(ff02::1)
+ igmp6_group_dropped(ff01::1)
+
+After investigating, I can't found a rule to disable multicast on
+non-Ethernet interface. In RFC2460, the link could be Ethernet, PPP, ATM,
+tunnels, etc. In IPv4, it doesn't check the dev type when calls ip_mc_up()
+in inetdev_event(). Even for IPv6, we don't check the dev type and call
+ipv6_add_dev(), ipv6_dev_mc_inc() after register device.
+
+So I think it's OK to fix this memory consumer by calling ipv6_mc_up() for
+non-Ethernet interface.
+
+v2: Also check IFF_MULTICAST flag to make sure the interface supports
+ multicast
+
+Reported-by: Rafał Miłecki <zajec5@gmail.com>
+Tested-by: Rafał Miłecki <zajec5@gmail.com>
+Fixes: 74235a25c673 ("[IPV6] addrconf: Fix IPv6 on tuntap tunnels")
+Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when set link down")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -3291,6 +3291,10 @@ static void addrconf_dev_config(struct n
+ (dev->type != ARPHRD_NONE) &&
+ (dev->type != ARPHRD_RAWIP)) {
+ /* Alas, we support only Ethernet autoconfiguration. */
++ idev = __in6_dev_get(dev);
++ if (!IS_ERR_OR_NULL(idev) && dev->flags & IFF_UP &&
++ dev->flags & IFF_MULTICAST)
++ ipv6_mc_up(idev);
+ return;
+ }
+
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Mahesh Bandewar <maheshb@google.com>
+Date: Mon, 9 Mar 2020 15:57:02 -0700
+Subject: ipvlan: add cond_resched_rcu() while processing muticast backlog
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+[ Upstream commit e18b353f102e371580f3f01dd47567a25acc3c1d ]
+
+If there are substantial number of slaves created as simulated by
+Syzbot, the backlog processing could take much longer and result
+into the issue found in the Syzbot report.
+
+INFO: rcu_sched detected stalls on CPUs/tasks:
+ (detected by 1, t=10502 jiffies, g=5049, c=5048, q=752)
+All QSes seen, last rcu_sched kthread activity 10502 (4294965563-4294955061), jiffies_till_next_fqs=1, root ->qsmask 0x0
+syz-executor.1 R running task on cpu 1 10984 11210 3866 0x30020008 179034491270
+Call Trace:
+ <IRQ>
+ [<ffffffff81497163>] _sched_show_task kernel/sched/core.c:8063 [inline]
+ [<ffffffff81497163>] _sched_show_task.cold+0x2fd/0x392 kernel/sched/core.c:8030
+ [<ffffffff8146a91b>] sched_show_task+0xb/0x10 kernel/sched/core.c:8073
+ [<ffffffff815c931b>] print_other_cpu_stall kernel/rcu/tree.c:1577 [inline]
+ [<ffffffff815c931b>] check_cpu_stall kernel/rcu/tree.c:1695 [inline]
+ [<ffffffff815c931b>] __rcu_pending kernel/rcu/tree.c:3478 [inline]
+ [<ffffffff815c931b>] rcu_pending kernel/rcu/tree.c:3540 [inline]
+ [<ffffffff815c931b>] rcu_check_callbacks.cold+0xbb4/0xc29 kernel/rcu/tree.c:2876
+ [<ffffffff815e3962>] update_process_times+0x32/0x80 kernel/time/timer.c:1635
+ [<ffffffff816164f0>] tick_sched_handle+0xa0/0x180 kernel/time/tick-sched.c:161
+ [<ffffffff81616ae4>] tick_sched_timer+0x44/0x130 kernel/time/tick-sched.c:1193
+ [<ffffffff815e75f7>] __run_hrtimer kernel/time/hrtimer.c:1393 [inline]
+ [<ffffffff815e75f7>] __hrtimer_run_queues+0x307/0xd90 kernel/time/hrtimer.c:1455
+ [<ffffffff815e90ea>] hrtimer_interrupt+0x2ea/0x730 kernel/time/hrtimer.c:1513
+ [<ffffffff844050f4>] local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1031 [inline]
+ [<ffffffff844050f4>] smp_apic_timer_interrupt+0x144/0x5e0 arch/x86/kernel/apic/apic.c:1056
+ [<ffffffff84401cbe>] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:778
+RIP: 0010:do_raw_read_lock+0x22/0x80 kernel/locking/spinlock_debug.c:153
+RSP: 0018:ffff8801dad07ab8 EFLAGS: 00000a02 ORIG_RAX: ffffffffffffff12
+RAX: 0000000000000000 RBX: ffff8801c4135680 RCX: 0000000000000000
+RDX: 1ffff10038826afe RSI: ffff88019d816bb8 RDI: ffff8801c41357f0
+RBP: ffff8801dad07ac0 R08: 0000000000004b15 R09: 0000000000310273
+R10: ffff88019d816bb8 R11: 0000000000000001 R12: ffff8801c41357e8
+R13: 0000000000000000 R14: ffff8801cfb19850 R15: ffff8801cfb198b0
+ [<ffffffff8101460e>] __raw_read_lock_bh include/linux/rwlock_api_smp.h:177 [inline]
+ [<ffffffff8101460e>] _raw_read_lock_bh+0x3e/0x50 kernel/locking/spinlock.c:240
+ [<ffffffff840d78ca>] ipv6_chk_mcast_addr+0x11a/0x6f0 net/ipv6/mcast.c:1006
+ [<ffffffff84023439>] ip6_mc_input+0x319/0x8e0 net/ipv6/ip6_input.c:482
+ [<ffffffff840211c8>] dst_input include/net/dst.h:449 [inline]
+ [<ffffffff840211c8>] ip6_rcv_finish+0x408/0x610 net/ipv6/ip6_input.c:78
+ [<ffffffff840214de>] NF_HOOK include/linux/netfilter.h:292 [inline]
+ [<ffffffff840214de>] NF_HOOK include/linux/netfilter.h:286 [inline]
+ [<ffffffff840214de>] ipv6_rcv+0x10e/0x420 net/ipv6/ip6_input.c:278
+ [<ffffffff83a29efa>] __netif_receive_skb_one_core+0x12a/0x1f0 net/core/dev.c:5303
+ [<ffffffff83a2a15c>] __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:5417
+ [<ffffffff83a2f536>] process_backlog+0x216/0x6c0 net/core/dev.c:6243
+ [<ffffffff83a30d1b>] napi_poll net/core/dev.c:6680 [inline]
+ [<ffffffff83a30d1b>] net_rx_action+0x47b/0xfb0 net/core/dev.c:6748
+ [<ffffffff846002c8>] __do_softirq+0x2c8/0x99a kernel/softirq.c:317
+ [<ffffffff813e656a>] invoke_softirq kernel/softirq.c:399 [inline]
+ [<ffffffff813e656a>] irq_exit+0x16a/0x1a0 kernel/softirq.c:439
+ [<ffffffff84405115>] exiting_irq arch/x86/include/asm/apic.h:561 [inline]
+ [<ffffffff84405115>] smp_apic_timer_interrupt+0x165/0x5e0 arch/x86/kernel/apic/apic.c:1058
+ [<ffffffff84401cbe>] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:778
+ </IRQ>
+RIP: 0010:__sanitizer_cov_trace_pc+0x26/0x50 kernel/kcov.c:102
+RSP: 0018:ffff880196033bd8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff12
+RAX: ffff88019d8161c0 RBX: 00000000ffffffff RCX: ffffc90003501000
+RDX: 0000000000000002 RSI: ffffffff816236d1 RDI: 0000000000000005
+RBP: ffff880196033bd8 R08: ffff88019d8161c0 R09: 0000000000000000
+R10: 1ffff10032c067f0 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000
+ [<ffffffff816236d1>] do_futex+0x151/0x1d50 kernel/futex.c:3548
+ [<ffffffff816260f0>] C_SYSC_futex kernel/futex_compat.c:201 [inline]
+ [<ffffffff816260f0>] compat_SyS_futex+0x270/0x3b0 kernel/futex_compat.c:175
+ [<ffffffff8101da17>] do_syscall_32_irqs_on arch/x86/entry/common.c:353 [inline]
+ [<ffffffff8101da17>] do_fast_syscall_32+0x357/0xe1c arch/x86/entry/common.c:415
+ [<ffffffff84401a9b>] entry_SYSENTER_compat+0x8b/0x9d arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7f23c69
+RSP: 002b:00000000f5d1f12c EFLAGS: 00000282 ORIG_RAX: 00000000000000f0
+RAX: ffffffffffffffda RBX: 000000000816af88 RCX: 0000000000000080
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000816af8c
+RBP: 00000000f5d1f228 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+rcu_sched kthread starved for 10502 jiffies! g5049 c5048 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=1
+rcu_sched R running task on cpu 1 13048 8 2 0x90000000 179099587640
+Call Trace:
+ [<ffffffff8147321f>] context_switch+0x60f/0xa60 kernel/sched/core.c:3209
+ [<ffffffff8100095a>] __schedule+0x5aa/0x1da0 kernel/sched/core.c:3934
+ [<ffffffff810021df>] schedule+0x8f/0x1b0 kernel/sched/core.c:4011
+ [<ffffffff8101116d>] schedule_timeout+0x50d/0xee0 kernel/time/timer.c:1803
+ [<ffffffff815c13f1>] rcu_gp_kthread+0xda1/0x3b50 kernel/rcu/tree.c:2327
+ [<ffffffff8144b318>] kthread+0x348/0x420 kernel/kthread.c:246
+ [<ffffffff84400266>] ret_from_fork+0x56/0x70 arch/x86/entry/entry_64.S:393
+
+Fixes: ba35f8588f47 (“ipvlan: Defer multicast / broadcast processing to a work-queue”)
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -282,6 +282,7 @@ void ipvlan_process_multicast(struct wor
+ }
+ ipvlan_count_rx(ipvlan, len, ret == NET_RX_SUCCESS, true);
+ local_bh_enable();
++ cond_resched_rcu();
+ }
+ rcu_read_unlock();
+
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jiri Wiesner <jwiesner@suse.com>
+Date: Sat, 7 Mar 2020 13:31:57 +0100
+Subject: ipvlan: do not add hardware address of master to its unicast filter list
+
+From: Jiri Wiesner <jwiesner@suse.com>
+
+[ Upstream commit 63aae7b17344d4b08a7d05cb07044de4c0f9dcc6 ]
+
+There is a problem when ipvlan slaves are created on a master device that
+is a vmxnet3 device (ipvlan in VMware guests). The vmxnet3 driver does not
+support unicast address filtering. When an ipvlan device is brought up in
+ipvlan_open(), the ipvlan driver calls dev_uc_add() to add the hardware
+address of the vmxnet3 master device to the unicast address list of the
+master device, phy_dev->uc. This inevitably leads to the vmxnet3 master
+device being forced into promiscuous mode by __dev_set_rx_mode().
+
+Promiscuous mode is switched on the master despite the fact that there is
+still only one hardware address that the master device should use for
+filtering in order for the ipvlan device to be able to receive packets.
+The comment above struct net_device describes the uc_promisc member as a
+"counter, that indicates, that promiscuous mode has been enabled due to
+the need to listen to additional unicast addresses in a device that does
+not implement ndo_set_rx_mode()". Moreover, the design of ipvlan
+guarantees that only the hardware address of a master device,
+phy_dev->dev_addr, will be used to transmit and receive all packets from
+its ipvlan slaves. Thus, the unicast address list of the master device
+should not be modified by ipvlan_open() and ipvlan_stop() in order to make
+ipvlan a workable option on masters that do not support unicast address
+filtering.
+
+Fixes: 2ad7bf3638411 ("ipvlan: Initial check-in of the IPVLAN driver")
+Reported-by: Per Sundstrom <per.sundstrom@redqube.se>
+Signed-off-by: Jiri Wiesner <jwiesner@suse.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_main.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/net/ipvlan/ipvlan_main.c
++++ b/drivers/net/ipvlan/ipvlan_main.c
+@@ -236,7 +236,6 @@ static void ipvlan_uninit(struct net_dev
+ static int ipvlan_open(struct net_device *dev)
+ {
+ struct ipvl_dev *ipvlan = netdev_priv(dev);
+- struct net_device *phy_dev = ipvlan->phy_dev;
+ struct ipvl_addr *addr;
+
+ if (ipvlan->port->mode == IPVLAN_MODE_L3 ||
+@@ -250,7 +249,7 @@ static int ipvlan_open(struct net_device
+ ipvlan_ht_addr_add(ipvlan, addr);
+ rcu_read_unlock();
+
+- return dev_uc_add(phy_dev, phy_dev->dev_addr);
++ return 0;
+ }
+
+ static int ipvlan_stop(struct net_device *dev)
+@@ -262,8 +261,6 @@ static int ipvlan_stop(struct net_device
+ dev_uc_unsync(phy_dev, dev);
+ dev_mc_unsync(phy_dev, dev);
+
+- dev_uc_del(phy_dev, phy_dev->dev_addr);
+-
+ rcu_read_lock();
+ list_for_each_entry_rcu(addr, &ipvlan->addrs, anode)
+ ipvlan_ht_addr_del(addr);
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 9 Mar 2020 18:22:58 -0700
+Subject: ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit afe207d80a61e4d6e7cfa0611a4af46d0ba95628 ]
+
+Commit e18b353f102e ("ipvlan: add cond_resched_rcu() while
+processing muticast backlog") added a cond_resched_rcu() in a loop
+using rcu protection to iterate over slaves.
+
+This is breaking rcu rules, so lets instead use cond_resched()
+at a point we can reschedule
+
+Fixes: e18b353f102e ("ipvlan: add cond_resched_rcu() while processing muticast backlog")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -282,7 +282,6 @@ void ipvlan_process_multicast(struct wor
+ }
+ ipvlan_count_rx(ipvlan, len, ret == NET_RX_SUCCESS, true);
+ local_bh_enable();
+- cond_resched_rcu();
+ }
+ rcu_read_unlock();
+
+@@ -299,6 +298,7 @@ void ipvlan_process_multicast(struct wor
+ }
+ if (dev)
+ dev_put(dev);
++ cond_resched();
+ }
+ }
+
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Mahesh Bandewar <maheshb@google.com>
+Date: Mon, 9 Mar 2020 15:56:56 -0700
+Subject: ipvlan: don't deref eth hdr before checking it's set
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+[ Upstream commit ad8192767c9f9cf97da57b9ffcea70fb100febef ]
+
+IPvlan in L3 mode discards outbound multicast packets but performs
+the check before ensuring the ether-header is set or not. This is
+an error that Eric found through code browsing.
+
+Fixes: 2ad7bf363841 (“ipvlan: Initial check-in of the IPVLAN driver.”)
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Reported-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ipvlan/ipvlan_core.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -505,19 +505,21 @@ static int ipvlan_process_outbound(struc
+ struct ethhdr *ethh = eth_hdr(skb);
+ int ret = NET_XMIT_DROP;
+
+- /* In this mode we dont care about multicast and broadcast traffic */
+- if (is_multicast_ether_addr(ethh->h_dest)) {
+- pr_debug_ratelimited("Dropped {multi|broad}cast of type=[%x]\n",
+- ntohs(skb->protocol));
+- kfree_skb(skb);
+- goto out;
+- }
+-
+ /* The ipvlan is a pseudo-L2 device, so the packets that we receive
+ * will have L2; which need to discarded and processed further
+ * in the net-ns of the main-device.
+ */
+ if (skb_mac_header_was_set(skb)) {
++ /* In this mode we dont care about
++ * multicast and broadcast traffic */
++ if (is_multicast_ether_addr(ethh->h_dest)) {
++ pr_debug_ratelimited(
++ "Dropped {multi|broad}cast of type=[%x]\n",
++ ntohs(skb->protocol));
++ kfree_skb(skb);
++ goto out;
++ }
++
+ skb_pull(skb, sizeof(*ethh));
+ skb->mac_header = (typeof(skb->mac_header))~0U;
+ skb_reset_network_header(skb);
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:17 -0800
+Subject: macsec: add missing attribute validation for port
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 31d9a1c524964bac77b7f9d0a1ac140dc6b57461 ]
+
+Add missing attribute validation for IFLA_MACSEC_PORT
+to the netlink policy.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -2995,6 +2995,7 @@ static const struct device_type macsec_t
+
+ static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = {
+ [IFLA_MACSEC_SCI] = { .type = NLA_U64 },
++ [IFLA_MACSEC_PORT] = { .type = NLA_U16 },
+ [IFLA_MACSEC_ICV_LEN] = { .type = NLA_U8 },
+ [IFLA_MACSEC_CIPHER_SUITE] = { .type = NLA_U64 },
+ [IFLA_MACSEC_WINDOW] = { .type = NLA_U32 },
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Mahesh Bandewar <maheshb@google.com>
+Date: Mon, 9 Mar 2020 15:57:07 -0700
+Subject: macvlan: add cond_resched() during multicast processing
+
+From: Mahesh Bandewar <maheshb@google.com>
+
+[ Upstream commit ce9a4186f9ac475c415ffd20348176a4ea366670 ]
+
+The Rx bound multicast packets are deferred to a workqueue and
+macvlan can also suffer from the same attack that was discovered
+by Syzbot for IPvlan. This solution is not as effective as in
+IPvlan. IPvlan defers all (Tx and Rx) multicast packet processing
+to a workqueue while macvlan does this way only for the Rx. This
+fix should address the Rx codition to certain extent.
+
+Tx is still suseptible. Tx multicast processing happens when
+.ndo_start_xmit is called, hence we cannot add cond_resched().
+However, it's not that severe since the user which is generating
+ / flooding will be affected the most.
+
+Fixes: 412ca1550cbe ("macvlan: Move broadcasts into a work queue")
+Signed-off-by: Mahesh Bandewar <maheshb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -338,6 +338,8 @@ static void macvlan_process_broadcast(st
+ if (src)
+ dev_put(src->dev);
+ kfree_skb(skb);
++
++ cond_resched();
+ }
+ }
+
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Tue, 10 Mar 2020 20:36:16 -0700
+Subject: net: fec: validate the new settings in fec_enet_set_coalesce()
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit ab14961d10d02d20767612c78ce148f6eb85bd58 ]
+
+fec_enet_set_coalesce() validates the previously set params
+and if they are within range proceeds to apply the new ones.
+The new ones, however, are not validated. This seems backwards,
+probably a copy-paste error?
+
+Compile tested only.
+
+Fixes: d851b47b22fc ("net: fec: add interrupt coalescence feature support")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Fugang Duan <fugang.duan@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -2476,15 +2476,15 @@ fec_enet_set_coalesce(struct net_device
+ return -EINVAL;
+ }
+
+- cycle = fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr);
++ cycle = fec_enet_us_to_itr_clock(ndev, ec->rx_coalesce_usecs);
+ if (cycle > 0xFFFF) {
+ pr_err("Rx coalesced usec exceed hardware limitation\n");
+ return -EINVAL;
+ }
+
+- cycle = fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr);
++ cycle = fec_enet_us_to_itr_clock(ndev, ec->tx_coalesce_usecs);
+ if (cycle > 0xFFFF) {
+- pr_err("Rx coalesced usec exceed hardware limitation\n");
++ pr_err("Tx coalesced usec exceed hardware limitation\n");
+ return -EINVAL;
+ }
+
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:19 -0800
+Subject: net: fq: add missing attribute validation for orphan mask
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 7e6dc03eeb023e18427a373522f1d247b916a641 ]
+
+Add missing attribute validation for TCA_FQ_ORPHAN_MASK
+to the netlink policy.
+
+Fixes: 06eb395fa985 ("pkt_sched: fq: better control of DDOS traffic")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_fq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/sch_fq.c
++++ b/net/sched/sch_fq.c
+@@ -695,6 +695,7 @@ static const struct nla_policy fq_policy
+ [TCA_FQ_FLOW_MAX_RATE] = { .type = NLA_U32 },
+ [TCA_FQ_BUCKETS_LOG] = { .type = NLA_U32 },
+ [TCA_FQ_FLOW_REFILL_DELAY] = { .type = NLA_U32 },
++ [TCA_FQ_ORPHAN_MASK] = { .type = NLA_U32 },
+ [TCA_FQ_LOW_RATE_THRESHOLD] = { .type = NLA_U32 },
+ };
+
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Tue, 3 Mar 2020 14:37:34 +0800
+Subject: net/ipv6: need update peer route when modify metric
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 617940123e0140521f3080d2befc2bf55bcda094 ]
+
+When we modify the route metric, the peer address's route need also
+be updated. Before the fix:
+
++ ip addr add dev dummy1 2001:db8::1 peer 2001:db8::2 metric 60
++ ip -6 route show dev dummy1
+2001:db8::1 proto kernel metric 60 pref medium
+2001:db8::2 proto kernel metric 60 pref medium
++ ip addr change dev dummy1 2001:db8::1 peer 2001:db8::2 metric 61
++ ip -6 route show dev dummy1
+2001:db8::1 proto kernel metric 61 pref medium
+2001:db8::2 proto kernel metric 60 pref medium
+
+After the fix:
++ ip addr change dev dummy1 2001:db8::1 peer 2001:db8::2 metric 61
++ ip -6 route show dev dummy1
+2001:db8::1 proto kernel metric 61 pref medium
+2001:db8::2 proto kernel metric 61 pref medium
+
+Fixes: 8308f3ff1753 ("net/ipv6: Add support for specifying metric of connected routes")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -4535,12 +4535,13 @@ inet6_rtm_deladdr(struct sk_buff *skb, s
+ }
+
+ static int modify_prefix_route(struct inet6_ifaddr *ifp,
+- unsigned long expires, u32 flags)
++ unsigned long expires, u32 flags,
++ bool modify_peer)
+ {
+ struct fib6_info *f6i;
+ u32 prio;
+
+- f6i = addrconf_get_prefix_route(&ifp->addr,
++ f6i = addrconf_get_prefix_route(modify_peer ? &ifp->peer_addr : &ifp->addr,
+ ifp->prefix_len,
+ ifp->idev->dev,
+ 0, RTF_GATEWAY | RTF_DEFAULT);
+@@ -4553,7 +4554,8 @@ static int modify_prefix_route(struct in
+ ip6_del_rt(dev_net(ifp->idev->dev), f6i);
+
+ /* add new one */
+- addrconf_prefix_route(&ifp->addr, ifp->prefix_len,
++ addrconf_prefix_route(modify_peer ? &ifp->peer_addr : &ifp->addr,
++ ifp->prefix_len,
+ ifp->rt_priority, ifp->idev->dev,
+ expires, flags, GFP_KERNEL);
+ } else {
+@@ -4629,7 +4631,7 @@ static int inet6_addr_modify(struct inet
+ int rc = -ENOENT;
+
+ if (had_prefixroute)
+- rc = modify_prefix_route(ifp, expires, flags);
++ rc = modify_prefix_route(ifp, expires, flags, false);
+
+ /* prefix route could have been deleted; if so restore it */
+ if (rc == -ENOENT) {
+@@ -4637,6 +4639,15 @@ static int inet6_addr_modify(struct inet
+ ifp->rt_priority, ifp->idev->dev,
+ expires, flags, GFP_KERNEL);
+ }
++
++ if (had_prefixroute && !ipv6_addr_any(&ifp->peer_addr))
++ rc = modify_prefix_route(ifp, expires, flags, true);
++
++ if (rc == -ENOENT && !ipv6_addr_any(&ifp->peer_addr)) {
++ addrconf_prefix_route(&ifp->peer_addr, ifp->prefix_len,
++ ifp->rt_priority, ifp->idev->dev,
++ expires, flags, GFP_KERNEL);
++ }
+ } else if (had_prefixroute) {
+ enum cleanup_prefix_rt_t action;
+ unsigned long rt_expires;
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Tue, 3 Mar 2020 14:37:35 +0800
+Subject: net/ipv6: remove the old peer route if change it to a new one
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit d0098e4c6b83e502cc1cd96d67ca86bc79a6c559 ]
+
+When we modify the peer route and changed it to a new one, we should
+remove the old route first. Before the fix:
+
++ ip addr add dev dummy1 2001:db8::1 peer 2001:db8::2
++ ip -6 route show dev dummy1
+2001:db8::1 proto kernel metric 256 pref medium
+2001:db8::2 proto kernel metric 256 pref medium
++ ip addr change dev dummy1 2001:db8::1 peer 2001:db8::3
++ ip -6 route show dev dummy1
+2001:db8::1 proto kernel metric 256 pref medium
+2001:db8::2 proto kernel metric 256 pref medium
+
+After the fix:
++ ip addr change dev dummy1 2001:db8::1 peer 2001:db8::3
++ ip -6 route show dev dummy1
+2001:db8::1 proto kernel metric 256 pref medium
+2001:db8::3 proto kernel metric 256 pref medium
+
+This patch depend on the previous patch "net/ipv6: need update peer route
+when modify metric" to update new peer route after delete old one.
+
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1175,11 +1175,12 @@ check_cleanup_prefix_route(struct inet6_
+ }
+
+ static void
+-cleanup_prefix_route(struct inet6_ifaddr *ifp, unsigned long expires, bool del_rt)
++cleanup_prefix_route(struct inet6_ifaddr *ifp, unsigned long expires,
++ bool del_rt, bool del_peer)
+ {
+ struct fib6_info *f6i;
+
+- f6i = addrconf_get_prefix_route(&ifp->addr,
++ f6i = addrconf_get_prefix_route(del_peer ? &ifp->peer_addr : &ifp->addr,
+ ifp->prefix_len,
+ ifp->idev->dev,
+ 0, RTF_GATEWAY | RTF_DEFAULT);
+@@ -1244,7 +1245,7 @@ static void ipv6_del_addr(struct inet6_i
+
+ if (action != CLEANUP_PREFIX_RT_NOP) {
+ cleanup_prefix_route(ifp, expires,
+- action == CLEANUP_PREFIX_RT_DEL);
++ action == CLEANUP_PREFIX_RT_DEL, false);
+ }
+
+ /* clean up prefsrc entries */
+@@ -4577,6 +4578,7 @@ static int inet6_addr_modify(struct inet
+ unsigned long timeout;
+ bool was_managetempaddr;
+ bool had_prefixroute;
++ bool new_peer = false;
+
+ ASSERT_RTNL();
+
+@@ -4608,6 +4610,13 @@ static int inet6_addr_modify(struct inet
+ cfg->preferred_lft = timeout;
+ }
+
++ if (cfg->peer_pfx &&
++ memcmp(&ifp->peer_addr, cfg->peer_pfx, sizeof(struct in6_addr))) {
++ if (!ipv6_addr_any(&ifp->peer_addr))
++ cleanup_prefix_route(ifp, expires, true, true);
++ new_peer = true;
++ }
++
+ spin_lock_bh(&ifp->lock);
+ was_managetempaddr = ifp->flags & IFA_F_MANAGETEMPADDR;
+ had_prefixroute = ifp->flags & IFA_F_PERMANENT &&
+@@ -4623,6 +4632,9 @@ static int inet6_addr_modify(struct inet
+ if (cfg->rt_priority && cfg->rt_priority != ifp->rt_priority)
+ ifp->rt_priority = cfg->rt_priority;
+
++ if (new_peer)
++ ifp->peer_addr = *cfg->peer_pfx;
++
+ spin_unlock_bh(&ifp->lock);
+ if (!(ifp->flags&IFA_F_TENTATIVE))
+ ipv6_ifa_notify(0, ifp);
+@@ -4658,7 +4670,7 @@ static int inet6_addr_modify(struct inet
+
+ if (action != CLEANUP_PREFIX_RT_NOP) {
+ cleanup_prefix_route(ifp, rt_expires,
+- action == CLEANUP_PREFIX_RT_DEL);
++ action == CLEANUP_PREFIX_RT_DEL, false);
+ }
+ }
+
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Sat, 29 Feb 2020 17:27:13 +0800
+Subject: net/ipv6: use configured metric when add peer route
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 07758eb9ff52794fba15d03aa88d92dbd1b7d125 ]
+
+When we add peer address with metric configured, IPv4 could set the dest
+metric correctly, but IPv6 do not. e.g.
+
+]# ip addr add 192.0.2.1 peer 192.0.2.2/32 dev eth1 metric 20
+]# ip route show dev eth1
+192.0.2.2 proto kernel scope link src 192.0.2.1 metric 20
+]# ip addr add 2001:db8::1 peer 2001:db8::2/128 dev eth1 metric 20
+]# ip -6 route show dev eth1
+2001:db8::1 proto kernel metric 20 pref medium
+2001:db8::2 proto kernel metric 256 pref medium
+
+Fix this by using configured metric instead of default one.
+
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Fixes: 8308f3ff1753 ("net/ipv6: Add support for specifying metric of connected routes")
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/addrconf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5706,9 +5706,9 @@ static void __ipv6_ifa_notify(int event,
+ if (ifp->idev->cnf.forwarding)
+ addrconf_join_anycast(ifp);
+ if (!ipv6_addr_any(&ifp->peer_addr))
+- addrconf_prefix_route(&ifp->peer_addr, 128, 0,
+- ifp->idev->dev, 0, 0,
+- GFP_ATOMIC);
++ addrconf_prefix_route(&ifp->peer_addr, 128,
++ ifp->rt_priority, ifp->idev->dev,
++ 0, 0, GFP_ATOMIC);
+ break;
+ case RTM_DELADDR:
+ if (ifp->idev->cnf.forwarding)
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Dmitry Bogdanov <dbogdanov@marvell.com>
+Date: Tue, 10 Mar 2020 18:22:24 +0300
+Subject: net: macsec: update SCI upon MAC address change.
+
+From: Dmitry Bogdanov <dbogdanov@marvell.com>
+
+[ Upstream commit 6fc498bc82929ee23aa2f35a828c6178dfd3f823 ]
+
+SCI should be updated, because it contains MAC in its first 6 octets.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Signed-off-by: Dmitry Bogdanov <dbogdanov@marvell.com>
+Signed-off-by: Mark Starovoytov <mstarovoitov@marvell.com>
+Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -2886,6 +2886,11 @@ static void macsec_dev_set_rx_mode(struc
+ dev_uc_sync(real_dev, dev);
+ }
+
++static sci_t dev_to_sci(struct net_device *dev, __be16 port)
++{
++ return make_sci(dev->dev_addr, port);
++}
++
+ static int macsec_set_mac_address(struct net_device *dev, void *p)
+ {
+ struct macsec_dev *macsec = macsec_priv(dev);
+@@ -2907,6 +2912,7 @@ static int macsec_set_mac_address(struct
+
+ out:
+ ether_addr_copy(dev->dev_addr, addr->sa_data);
++ macsec->secy.sci = dev_to_sci(dev, MACSEC_PORT_ES);
+ return 0;
+ }
+
+@@ -3188,11 +3194,6 @@ static bool sci_exists(struct net_device
+ return false;
+ }
+
+-static sci_t dev_to_sci(struct net_device *dev, __be16 port)
+-{
+- return make_sci(dev->dev_addr, port);
+-}
+-
+ static int macsec_add_dev(struct net_device *dev, sci_t sci, u8 icv_len)
+ {
+ struct macsec_dev *macsec = macsec_priv(dev);
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 11 Mar 2020 11:44:26 -0700
+Subject: net: memcg: fix lockdep splat in inet_csk_accept()
+
+From: Eric Dumazet <edumazet@google.com>
+
+Locking newsk while still holding the listener lock triggered
+a lockdep splat [1]
+
+We can simply move the memcg code after we release the listener lock,
+as this can also help if multiple threads are sharing a common listener.
+
+Also fix a typo while reading socket sk_rmem_alloc.
+
+[1]
+WARNING: possible recursive locking detected
+5.6.0-rc3-syzkaller #0 Not tainted
+--------------------------------------------
+syz-executor598/9524 is trying to acquire lock:
+ffff88808b5b8b90 (sk_lock-AF_INET6){+.+.}, at: lock_sock include/net/sock.h:1541 [inline]
+ffff88808b5b8b90 (sk_lock-AF_INET6){+.+.}, at: inet_csk_accept+0x69f/0xd30 net/ipv4/inet_connection_sock.c:492
+
+but task is already holding lock:
+ffff88808b5b9590 (sk_lock-AF_INET6){+.+.}, at: lock_sock include/net/sock.h:1541 [inline]
+ffff88808b5b9590 (sk_lock-AF_INET6){+.+.}, at: inet_csk_accept+0x8d/0xd30 net/ipv4/inet_connection_sock.c:445
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(sk_lock-AF_INET6);
+ lock(sk_lock-AF_INET6);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+1 lock held by syz-executor598/9524:
+ #0: ffff88808b5b9590 (sk_lock-AF_INET6){+.+.}, at: lock_sock include/net/sock.h:1541 [inline]
+ #0: ffff88808b5b9590 (sk_lock-AF_INET6){+.+.}, at: inet_csk_accept+0x8d/0xd30 net/ipv4/inet_connection_sock.c:445
+
+stack backtrace:
+CPU: 0 PID: 9524 Comm: syz-executor598 Not tainted 5.6.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x188/0x20d lib/dump_stack.c:118
+ print_deadlock_bug kernel/locking/lockdep.c:2370 [inline]
+ check_deadlock kernel/locking/lockdep.c:2411 [inline]
+ validate_chain kernel/locking/lockdep.c:2954 [inline]
+ __lock_acquire.cold+0x114/0x288 kernel/locking/lockdep.c:3954
+ lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4484
+ lock_sock_nested+0xc5/0x110 net/core/sock.c:2947
+ lock_sock include/net/sock.h:1541 [inline]
+ inet_csk_accept+0x69f/0xd30 net/ipv4/inet_connection_sock.c:492
+ inet_accept+0xe9/0x7c0 net/ipv4/af_inet.c:734
+ __sys_accept4_file+0x3ac/0x5b0 net/socket.c:1758
+ __sys_accept4+0x53/0x90 net/socket.c:1809
+ __do_sys_accept4 net/socket.c:1821 [inline]
+ __se_sys_accept4 net/socket.c:1818 [inline]
+ __x64_sys_accept4+0x93/0xf0 net/socket.c:1818
+ do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x4445c9
+Code: e8 0c 0d 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffc35b37608 EFLAGS: 00000246 ORIG_RAX: 0000000000000120
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004445c9
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000306777 R09: 0000000000306777
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00000000004053d0 R14: 0000000000000000 R15: 0000000000000000
+
+Fixes: d752a4986532 ("net: memcg: late association of sock to memcg")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Shakeel Butt <shakeelb@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/inet_connection_sock.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -480,27 +480,27 @@ struct sock *inet_csk_accept(struct sock
+ spin_unlock_bh(&queue->fastopenq.lock);
+ }
+
+- if (mem_cgroup_sockets_enabled) {
++out:
++ release_sock(sk);
++ if (newsk && mem_cgroup_sockets_enabled) {
+ int amt;
+
+ /* atomically get the memory usage, set and charge the
+- * sk->sk_memcg.
++ * newsk->sk_memcg.
+ */
+ lock_sock(newsk);
+
+- /* The sk has not been accepted yet, no need to look at
+- * sk->sk_wmem_queued.
++ /* The socket has not been accepted yet, no need to look at
++ * newsk->sk_wmem_queued.
+ */
+ amt = sk_mem_pages(newsk->sk_forward_alloc +
+- atomic_read(&sk->sk_rmem_alloc));
++ atomic_read(&newsk->sk_rmem_alloc));
+ mem_cgroup_sk_alloc(newsk);
+ if (newsk->sk_memcg && amt)
+ mem_cgroup_charge_skmem(newsk->sk_memcg, amt);
+
+ release_sock(newsk);
+ }
+-out:
+- release_sock(sk);
+ if (req)
+ reqsk_put(req);
+ return newsk;
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Shakeel Butt <shakeelb@google.com>
+Date: Mon, 9 Mar 2020 22:16:06 -0700
+Subject: net: memcg: late association of sock to memcg
+
+From: Shakeel Butt <shakeelb@google.com>
+
+[ Upstream commit d752a4986532cb6305dfd5290a614cde8072769d ]
+
+If a TCP socket is allocated in IRQ context or cloned from unassociated
+(i.e. not associated to a memcg) in IRQ context then it will remain
+unassociated for its whole life. Almost half of the TCPs created on the
+system are created in IRQ context, so, memory used by such sockets will
+not be accounted by the memcg.
+
+This issue is more widespread in cgroup v1 where network memory
+accounting is opt-in but it can happen in cgroup v2 if the source socket
+for the cloning was created in root memcg.
+
+To fix the issue, just do the association of the sockets at the accept()
+time in the process context and then force charge the memory buffer
+already used and reserved by the socket.
+
+Signed-off-by: Shakeel Butt <shakeelb@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memcontrol.c | 14 --------------
+ net/core/sock.c | 5 ++++-
+ net/ipv4/inet_connection_sock.c | 20 ++++++++++++++++++++
+ 3 files changed, 24 insertions(+), 15 deletions(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -6307,20 +6307,6 @@ void mem_cgroup_sk_alloc(struct sock *sk
+ if (!mem_cgroup_sockets_enabled)
+ return;
+
+- /*
+- * Socket cloning can throw us here with sk_memcg already
+- * filled. It won't however, necessarily happen from
+- * process context. So the test for root memcg given
+- * the current task's memcg won't help us in this case.
+- *
+- * Respecting the original socket's memcg is a better
+- * decision in this case.
+- */
+- if (sk->sk_memcg) {
+- css_get(&sk->sk_memcg->css);
+- return;
+- }
+-
+ /* Do not associate the sock with unrelated interrupted task's memcg. */
+ if (in_interrupt())
+ return;
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1689,7 +1689,10 @@ struct sock *sk_clone_lock(const struct
+ atomic_set(&newsk->sk_zckey, 0);
+
+ sock_reset_flag(newsk, SOCK_DONE);
+- mem_cgroup_sk_alloc(newsk);
++
++ /* sk->sk_memcg will be populated at accept() time */
++ newsk->sk_memcg = NULL;
++
+ cgroup_sk_alloc(&newsk->sk_cgrp_data);
+
+ rcu_read_lock();
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -479,6 +479,26 @@ struct sock *inet_csk_accept(struct sock
+ }
+ spin_unlock_bh(&queue->fastopenq.lock);
+ }
++
++ if (mem_cgroup_sockets_enabled) {
++ int amt;
++
++ /* atomically get the memory usage, set and charge the
++ * sk->sk_memcg.
++ */
++ lock_sock(newsk);
++
++ /* The sk has not been accepted yet, no need to look at
++ * sk->sk_wmem_queued.
++ */
++ amt = sk_mem_pages(newsk->sk_forward_alloc +
++ atomic_read(&sk->sk_rmem_alloc));
++ mem_cgroup_sk_alloc(newsk);
++ if (newsk->sk_memcg && amt)
++ mem_cgroup_charge_skmem(newsk->sk_memcg, amt);
++
++ release_sock(newsk);
++ }
+ out:
+ release_sock(sk);
+ if (req)
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 4 Mar 2020 17:24:31 +0300
+Subject: net: nfc: fix bounds checking bugs on "pipe"
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit a3aefbfe45751bf7b338c181b97608e276b5bb73 ]
+
+This is similar to commit 674d9de02aa7 ("NFC: Fix possible memory
+corruption when handling SHDLC I-Frame commands") and commit d7ee81ad09f0
+("NFC: nci: Add some bounds checking in nci_hci_cmd_received()") which
+added range checks on "pipe".
+
+The "pipe" variable comes skb->data[0] in nfc_hci_msg_rx_work().
+It's in the 0-255 range. We're using it as the array index into the
+hdev->pipes[] array which has NFC_HCI_MAX_PIPES (128) members.
+
+Fixes: 118278f20aa8 ("NFC: hci: Add pipes table to reference them with a tuple {gate, host}")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/hci/core.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/net/nfc/hci/core.c
++++ b/net/nfc/hci/core.c
+@@ -193,13 +193,20 @@ exit:
+ void nfc_hci_cmd_received(struct nfc_hci_dev *hdev, u8 pipe, u8 cmd,
+ struct sk_buff *skb)
+ {
+- u8 gate = hdev->pipes[pipe].gate;
+ u8 status = NFC_HCI_ANY_OK;
+ struct hci_create_pipe_resp *create_info;
+ struct hci_delete_pipe_noti *delete_info;
+ struct hci_all_pipe_cleared_noti *cleared_info;
++ u8 gate;
+
+- pr_debug("from gate %x pipe %x cmd %x\n", gate, pipe, cmd);
++ pr_debug("from pipe %x cmd %x\n", pipe, cmd);
++
++ if (pipe >= NFC_HCI_MAX_PIPES) {
++ status = NFC_HCI_ANY_E_NOK;
++ goto exit;
++ }
++
++ gate = hdev->pipes[pipe].gate;
+
+ switch (cmd) {
+ case NFC_HCI_ADM_NOTIFY_PIPE_CREATED:
+@@ -387,8 +394,14 @@ void nfc_hci_event_received(struct nfc_h
+ struct sk_buff *skb)
+ {
+ int r = 0;
+- u8 gate = hdev->pipes[pipe].gate;
++ u8 gate;
++
++ if (pipe >= NFC_HCI_MAX_PIPES) {
++ pr_err("Discarded event %x to invalid pipe %x\n", event, pipe);
++ goto exit;
++ }
+
++ gate = hdev->pipes[pipe].gate;
+ if (gate == NFC_HCI_INVALID_GATE) {
+ pr_err("Discarded event %x to unopened pipe %x\n", event, pipe);
+ goto exit;
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Willem de Bruijn <willemb@google.com>
+Date: Mon, 9 Mar 2020 11:34:35 -0400
+Subject: net/packet: tpacket_rcv: do not increment ring index on drop
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 46e4c421a053c36bf7a33dda2272481bcaf3eed3 ]
+
+In one error case, tpacket_rcv drops packets after incrementing the
+ring producer index.
+
+If this happens, it does not update tp_status to TP_STATUS_USER and
+thus the reader is stalled for an iteration of the ring, causing out
+of order arrival.
+
+The only such error path is when virtio_net_hdr_from_skb fails due
+to encountering an unknown GSO type.
+
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2260,6 +2260,13 @@ static int tpacket_rcv(struct sk_buff *s
+ TP_STATUS_KERNEL, (macoff+snaplen));
+ if (!h.raw)
+ goto drop_n_account;
++
++ if (do_vnet &&
++ virtio_net_hdr_from_skb(skb, h.raw + macoff -
++ sizeof(struct virtio_net_hdr),
++ vio_le(), true, 0))
++ goto drop_n_account;
++
+ if (po->tp_version <= TPACKET_V2) {
+ packet_increment_rx_head(po, &po->rx_ring);
+ /*
+@@ -2272,12 +2279,6 @@ static int tpacket_rcv(struct sk_buff *s
+ status |= TP_STATUS_LOSING;
+ }
+
+- if (do_vnet &&
+- virtio_net_hdr_from_skb(skb, h.raw + macoff -
+- sizeof(struct virtio_net_hdr),
+- vio_le(), true, 0))
+- goto drop_n_account;
+-
+ po->stats.stats1.tp_packets++;
+ if (copy_skb) {
+ status |= TP_STATUS_COPY;
--- /dev/null
+From 503ba7c6961034ff0047707685644cad9287c226 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Thu, 20 Feb 2020 15:34:53 -0800
+Subject: net: phy: Avoid multiple suspends
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit 503ba7c6961034ff0047707685644cad9287c226 upstream.
+
+It is currently possible for a PHY device to be suspended as part of a
+network device driver's suspend call while it is still being attached to
+that net_device, either via phy_suspend() or implicitly via phy_stop().
+
+Later on, when the MDIO bus controller get suspended, we would attempt
+to suspend again the PHY because it is still attached to a network
+device.
+
+This is both a waste of time and creates an opportunity for improper
+clock/power management bugs to creep in.
+
+Fixes: 803dd9c77ac3 ("net: phy: avoid suspending twice a PHY")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/phy/phy_device.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -91,7 +91,7 @@ static bool mdio_bus_phy_may_suspend(str
+ * MDIO bus driver and clock gated at this point.
+ */
+ if (!netdev)
+- return !phydev->suspended;
++ goto out;
+
+ if (netdev->wol_enabled)
+ return false;
+@@ -111,7 +111,8 @@ static bool mdio_bus_phy_may_suspend(str
+ if (device_may_wakeup(&netdev->dev))
+ return false;
+
+- return true;
++out:
++ return !phydev->suspended;
+ }
+
+ static int mdio_bus_phy_suspend(struct device *dev)
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Thu, 12 Mar 2020 22:25:20 +0100
+Subject: net: phy: fix MDIO bus PM PHY resuming
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 611d779af7cad2b87487ff58e4931a90c20b113c ]
+
+So far we have the unfortunate situation that mdio_bus_phy_may_suspend()
+is called in suspend AND resume path, assuming that function result is
+the same. After the original change this is no longer the case,
+resulting in broken resume as reported by Geert.
+
+To fix this call mdio_bus_phy_may_suspend() in the suspend path only,
+and let the phy_device store the info whether it was suspended by
+MDIO bus PM.
+
+Fixes: 503ba7c69610 ("net: phy: Avoid multiple suspends")
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phy_device.c | 6 +++++-
+ include/linux/phy.h | 2 ++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -130,6 +130,8 @@ static int mdio_bus_phy_suspend(struct d
+ if (!mdio_bus_phy_may_suspend(phydev))
+ return 0;
+
++ phydev->suspended_by_mdio_bus = 1;
++
+ return phy_suspend(phydev);
+ }
+
+@@ -138,9 +140,11 @@ static int mdio_bus_phy_resume(struct de
+ struct phy_device *phydev = to_phy_device(dev);
+ int ret;
+
+- if (!mdio_bus_phy_may_suspend(phydev))
++ if (!phydev->suspended_by_mdio_bus)
+ goto no_resume;
+
++ phydev->suspended_by_mdio_bus = 0;
++
+ ret = phy_resume(phydev);
+ if (ret < 0)
+ return ret;
+--- a/include/linux/phy.h
++++ b/include/linux/phy.h
+@@ -373,6 +373,7 @@ struct phy_c45_device_ids {
+ * is_pseudo_fixed_link: Set to true if this phy is an Ethernet switch, etc.
+ * has_fixups: Set to true if this phy has fixups/quirks.
+ * suspended: Set to true if this phy has been suspended successfully.
++ * suspended_by_mdio_bus: Set to true if this phy was suspended by MDIO bus.
+ * sysfs_links: Internal boolean tracking sysfs symbolic links setup/removal.
+ * loopback_enabled: Set true if this phy has been loopbacked successfully.
+ * state: state of the PHY for management purposes
+@@ -411,6 +412,7 @@ struct phy_device {
+ unsigned is_pseudo_fixed_link:1;
+ unsigned has_fixups:1;
+ unsigned suspended:1;
++ unsigned suspended_by_mdio_bus:1;
+ unsigned sysfs_links:1;
+ unsigned loopback_enabled:1;
+
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Remi Pommarel <repk@triplefau.lt>
+Date: Sun, 8 Mar 2020 10:25:56 +0100
+Subject: net: stmmac: dwmac1000: Disable ACS if enhanced descs are not used
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit b723bd933980f4956dabc8a8d84b3e83be8d094c ]
+
+ACS (auto PAD/FCS stripping) removes FCS off 802.3 packets (LLC) so that
+there is no need to manually strip it for such packets. The enhanced DMA
+descriptors allow to flag LLC packets so that the receiving callback can
+use that to strip FCS manually or not. On the other hand, normal
+descriptors do not support that.
+
+Thus in order to not truncate LLC packet ACS should be disabled when
+using normal DMA descriptors.
+
+Fixes: 47dd7a540b8a0 ("net: add support for STMicroelectronics Ethernet controllers.")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c
+@@ -34,6 +34,7 @@
+ static void dwmac1000_core_init(struct mac_device_info *hw,
+ struct net_device *dev)
+ {
++ struct stmmac_priv *priv = netdev_priv(dev);
+ void __iomem *ioaddr = hw->pcsr;
+ u32 value = readl(ioaddr + GMAC_CONTROL);
+ int mtu = dev->mtu;
+@@ -45,7 +46,7 @@ static void dwmac1000_core_init(struct m
+ * Broadcom tags can look like invalid LLC/SNAP packets and cause the
+ * hardware to truncate packets on reception.
+ */
+- if (netdev_uses_dsa(dev))
++ if (netdev_uses_dsa(dev) || !priv->plat->enh_desc)
+ value &= ~GMAC_CONTROL_ACS;
+
+ if (mtu > 1500)
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 12 Mar 2020 15:04:30 +0000
+Subject: net: systemport: fix index check to avoid an array out of bounds access
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit c0368595c1639947839c0db8294ee96aca0b3b86 ]
+
+Currently the bounds check on index is off by one and can lead to
+an out of bounds access on array priv->filters_loc when index is
+RXCHK_BRCM_TAG_MAX.
+
+Fixes: bb9051a2b230 ("net: systemport: Add support for WAKE_FILTER")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -2168,7 +2168,7 @@ static int bcm_sysport_rule_set(struct b
+ return -ENOSPC;
+
+ index = find_first_zero_bit(priv->filters, RXCHK_BRCM_TAG_MAX);
+- if (index > RXCHK_BRCM_TAG_MAX)
++ if (index >= RXCHK_BRCM_TAG_MAX)
+ return -ENOSPC;
+
+ /* Location is the classification ID, and index is the position
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 26 Feb 2020 19:47:34 +0100
+Subject: netlink: Use netlink header as base to calculate bad attribute offset
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 84b3268027641401bb8ad4427a90a3cce2eb86f5 ]
+
+Userspace might send a batch that is composed of several netlink
+messages. The netlink_ack() function must use the pointer to the netlink
+header as base to calculate the bad attribute offset.
+
+Fixes: 2d4bc93368f5 ("netlink: extended ACK reporting")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netlink/af_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -2411,7 +2411,7 @@ void netlink_ack(struct sk_buff *in_skb,
+ in_skb->len))
+ WARN_ON(nla_put_u32(skb, NLMSGERR_ATTR_OFFS,
+ (u8 *)extack->bad_attr -
+- in_skb->data));
++ (u8 *)nlh));
+ } else {
+ if (extack->cookie_len)
+ WARN_ON(nla_put(skb, NLMSGERR_ATTR_COOKIE,
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:25 -0800
+Subject: nfc: add missing attribute validation for deactivate target
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 88e706d5168b07df4792dbc3d1bc37b83e4bd74d ]
+
+Add missing attribute validation for NFC_ATTR_TARGET_INDEX
+to the netlink policy.
+
+Fixes: 4d63adfe12dd ("NFC: Add NFC_CMD_DEACTIVATE_TARGET support")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/netlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -44,6 +44,7 @@ static const struct nla_policy nfc_genl_
+ [NFC_ATTR_DEVICE_NAME] = { .type = NLA_STRING,
+ .len = NFC_DEVICE_NAME_MAXSIZE },
+ [NFC_ATTR_PROTOCOLS] = { .type = NLA_U32 },
++ [NFC_ATTR_TARGET_INDEX] = { .type = NLA_U32 },
+ [NFC_ATTR_COMM_MODE] = { .type = NLA_U8 },
+ [NFC_ATTR_RF_MODE] = { .type = NLA_U8 },
+ [NFC_ATTR_DEVICE_POWERED] = { .type = NLA_U8 },
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:24 -0800
+Subject: nfc: add missing attribute validation for SE API
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 361d23e41ca6e504033f7e66a03b95788377caae ]
+
+Add missing attribute validation for NFC_ATTR_SE_INDEX
+to the netlink policy.
+
+Fixes: 5ce3f32b5264 ("NFC: netlink: SE API implementation")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/netlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -55,6 +55,7 @@ static const struct nla_policy nfc_genl_
+ [NFC_ATTR_LLC_SDP] = { .type = NLA_NESTED },
+ [NFC_ATTR_FIRMWARE_NAME] = { .type = NLA_STRING,
+ .len = NFC_FIRMWARE_NAME_MAXSIZE },
++ [NFC_ATTR_SE_INDEX] = { .type = NLA_U32 },
+ [NFC_ATTR_SE_APDU] = { .type = NLA_BINARY },
+ [NFC_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
+
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:26 -0800
+Subject: nfc: add missing attribute validation for vendor subcommand
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 6ba3da446551f2150fadbf8c7788edcb977683d3 ]
+
+Add missing attribute validation for vendor subcommand attributes
+to the netlink policy.
+
+Fixes: 9e58095f9660 ("NFC: netlink: Implement vendor command support")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/netlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -58,6 +58,8 @@ static const struct nla_policy nfc_genl_
+ .len = NFC_FIRMWARE_NAME_MAXSIZE },
+ [NFC_ATTR_SE_INDEX] = { .type = NLA_U32 },
+ [NFC_ATTR_SE_APDU] = { .type = NLA_BINARY },
++ [NFC_ATTR_VENDOR_ID] = { .type = NLA_U32 },
++ [NFC_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
+ [NFC_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
+
+ };
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:15 -0800
+Subject: nl802154: add missing attribute validation for dev_type
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit b60673c4c418bef7550d02faf53c34fbfeb366bf ]
+
+Add missing attribute type validation for IEEE802154_ATTR_DEV_TYPE
+to the netlink policy.
+
+Fixes: 90c049b2c6ae ("ieee802154: interface type to be added")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl_policy.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ieee802154/nl_policy.c
++++ b/net/ieee802154/nl_policy.c
+@@ -36,6 +36,7 @@ const struct nla_policy ieee802154_polic
+ [IEEE802154_ATTR_BAT_EXT] = { .type = NLA_U8, },
+ [IEEE802154_ATTR_COORD_REALIGN] = { .type = NLA_U8, },
+ [IEEE802154_ATTR_PAGE] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_DEV_TYPE] = { .type = NLA_U8, },
+ [IEEE802154_ATTR_COORD_SHORT_ADDR] = { .type = NLA_U16, },
+ [IEEE802154_ATTR_COORD_HW_ADDR] = { .type = NLA_HW_ADDR, },
+ [IEEE802154_ATTR_COORD_PAN_ID] = { .type = NLA_U16, },
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:14 -0800
+Subject: nl802154: add missing attribute validation
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 9322cd7c4af2ccc7fe7c5f01adb53f4f77949e92 ]
+
+Add missing attribute validation for several u8 types.
+
+Fixes: 2c21d11518b6 ("net: add NL802154 interface for configuration of 802.15.4 devices")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ieee802154/nl_policy.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ieee802154/nl_policy.c
++++ b/net/ieee802154/nl_policy.c
+@@ -30,6 +30,11 @@ const struct nla_policy ieee802154_polic
+ [IEEE802154_ATTR_HW_ADDR] = { .type = NLA_HW_ADDR, },
+ [IEEE802154_ATTR_PAN_ID] = { .type = NLA_U16, },
+ [IEEE802154_ATTR_CHANNEL] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_BCN_ORD] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_SF_ORD] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_PAN_COORD] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_BAT_EXT] = { .type = NLA_U8, },
++ [IEEE802154_ATTR_COORD_REALIGN] = { .type = NLA_U8, },
+ [IEEE802154_ATTR_PAGE] = { .type = NLA_U8, },
+ [IEEE802154_ATTR_COORD_SHORT_ADDR] = { .type = NLA_U16, },
+ [IEEE802154_ATTR_COORD_HW_ADDR] = { .type = NLA_HW_ADDR, },
--- /dev/null
+From 7b566f70e1bf65b189b66eb3de6f431c30f7dff2 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Tue, 4 Dec 2018 08:47:44 -0800
+Subject: phy: Revert toggling reset changes.
+
+From: David S. Miller <davem@davemloft.net>
+
+commit 7b566f70e1bf65b189b66eb3de6f431c30f7dff2 upstream.
+
+This reverts:
+
+ef1b5bf506b1 ("net: phy: Fix not to call phy_resume() if PHY is not attached")
+8c85f4b81296 ("net: phy: micrel: add toggling phy reset if PHY is not attached")
+
+Andrew Lunn informs me that there are alternative efforts
+underway to fix this more properly.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[just take the ef1b5bf506b1 revert - gregkh]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/phy/phy_device.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -76,7 +76,7 @@ static LIST_HEAD(phy_fixup_list);
+ static DEFINE_MUTEX(phy_fixup_lock);
+
+ #ifdef CONFIG_PM
+-static bool mdio_bus_phy_may_suspend(struct phy_device *phydev, bool suspend)
++static bool mdio_bus_phy_may_suspend(struct phy_device *phydev)
+ {
+ struct device_driver *drv = phydev->mdio.dev.driver;
+ struct phy_driver *phydrv = to_phy_driver(drv);
+@@ -88,11 +88,10 @@ static bool mdio_bus_phy_may_suspend(str
+ /* PHY not attached? May suspend if the PHY has not already been
+ * suspended as part of a prior call to phy_disconnect() ->
+ * phy_detach() -> phy_suspend() because the parent netdev might be the
+- * MDIO bus driver and clock gated at this point. Also may resume if
+- * PHY is not attached.
++ * MDIO bus driver and clock gated at this point.
+ */
+ if (!netdev)
+- return suspend ? !phydev->suspended : phydev->suspended;
++ return !phydev->suspended;
+
+ if (netdev->wol_enabled)
+ return false;
+@@ -127,7 +126,7 @@ static int mdio_bus_phy_suspend(struct d
+ if (phydev->attached_dev && phydev->adjust_link)
+ phy_stop_machine(phydev);
+
+- if (!mdio_bus_phy_may_suspend(phydev, true))
++ if (!mdio_bus_phy_may_suspend(phydev))
+ return 0;
+
+ return phy_suspend(phydev);
+@@ -138,7 +137,7 @@ static int mdio_bus_phy_resume(struct de
+ struct phy_device *phydev = to_phy_device(dev);
+ int ret;
+
+- if (!mdio_bus_phy_may_suspend(phydev, false))
++ if (!mdio_bus_phy_may_suspend(phydev))
+ goto no_resume;
+
+ ret = phy_resume(phydev);
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: You-Sheng Yang <vicamo.yang@canonical.com>
+Date: Wed, 26 Feb 2020 23:37:10 +0800
+Subject: r8152: check disconnect status after long sleep
+
+From: You-Sheng Yang <vicamo.yang@canonical.com>
+
+[ Upstream commit d64c7a08034b32c285e576208ae44fc3ba3fa7df ]
+
+Dell USB Type C docking WD19/WD19DC attaches additional peripherals as:
+
+ /: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 5000M
+ |__ Port 1: Dev 11, If 0, Class=Hub, Driver=hub/4p, 5000M
+ |__ Port 3: Dev 12, If 0, Class=Hub, Driver=hub/4p, 5000M
+ |__ Port 4: Dev 13, If 0, Class=Vendor Specific Class,
+ Driver=r8152, 5000M
+
+where usb 2-1-3 is a hub connecting all USB Type-A/C ports on the dock.
+
+When hotplugging such dock with additional usb devices already attached on
+it, the probing process may reset usb 2.1 port, therefore r8152 ethernet
+device is also reset. However, during r8152 device init there are several
+for-loops that, when it's unable to retrieve hardware registers due to
+being disconnected from USB, may take up to 14 seconds each in practice,
+and that has to be completed before USB may re-enumerate devices on the
+bus. As a result, devices attached to the dock will only be available
+after nearly 1 minute after the dock was plugged in:
+
+ [ 216.388290] [250] r8152 2-1.4:1.0: usb_probe_interface
+ [ 216.388292] [250] r8152 2-1.4:1.0: usb_probe_interface - got id
+ [ 258.830410] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): PHY not ready
+ [ 258.830460] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): Invalid header when reading pass-thru MAC addr
+ [ 258.830464] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): Get ether addr fail
+
+This happens in, for example, r8153_init:
+
+ static int generic_ocp_read(struct r8152 *tp, u16 index, u16 size,
+ void *data, u16 type)
+ {
+ if (test_bit(RTL8152_UNPLUG, &tp->flags))
+ return -ENODEV;
+ ...
+ }
+
+ static u16 ocp_read_word(struct r8152 *tp, u16 type, u16 index)
+ {
+ u32 data;
+ ...
+ generic_ocp_read(tp, index, sizeof(tmp), &tmp, type | byen);
+
+ data = __le32_to_cpu(tmp);
+ ...
+ return (u16)data;
+ }
+
+ static void r8153_init(struct r8152 *tp)
+ {
+ ...
+ if (test_bit(RTL8152_UNPLUG, &tp->flags))
+ return;
+
+ for (i = 0; i < 500; i++) {
+ if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_BOOT_CTRL) &
+ AUTOLOAD_DONE)
+ break;
+ msleep(20);
+ }
+ ...
+ }
+
+Since ocp_read_word() doesn't check the return status of
+generic_ocp_read(), and the only exit condition for the loop is to have
+a match in the returned value, such loops will only ends after exceeding
+its maximum runs when the device has been marked as disconnected, which
+takes 500 * 20ms = 10 seconds in theory, 14 in practice.
+
+To solve this long latency another test to RTL8152_UNPLUG flag should be
+added after those 20ms sleep to skip unnecessary loops, so that the device
+probe can complete early and proceed to parent port reset/reprobe process.
+
+This can be reproduced on all kernel versions up to latest v5.6-rc2, but
+after v5.5-rc7 the reproduce rate is dramatically lowered to 1/30 or less
+while it was around 1/2.
+
+Signed-off-by: You-Sheng Yang <vicamo.yang@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/r8152.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -2701,6 +2701,8 @@ static u16 r8153_phy_status(struct r8152
+ }
+
+ msleep(20);
++ if (test_bit(RTL8152_UNPLUG, &tp->flags))
++ break;
+ }
+
+ return data;
+@@ -4062,7 +4064,10 @@ static void r8153_init(struct r8152 *tp)
+ if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_BOOT_CTRL) &
+ AUTOLOAD_DONE)
+ break;
++
+ msleep(20);
++ if (test_bit(RTL8152_UNPLUG, &tp->flags))
++ break;
+ }
+
+ data = r8153_phy_status(tp, 0);
+@@ -4180,7 +4185,10 @@ static void r8153b_init(struct r8152 *tp
+ if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_BOOT_CTRL) &
+ AUTOLOAD_DONE)
+ break;
++
+ msleep(20);
++ if (test_bit(RTL8152_UNPLUG, &tp->flags))
++ break;
+ }
+
+ data = r8153_phy_status(tp, 0);
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Tue, 3 Mar 2020 14:37:36 +0800
+Subject: selftests/net/fib_tests: update addr_metric_test for peer route testing
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 0d29169a708bf730ede287248e429d579f432d1d ]
+
+This patch update {ipv4, ipv6}_addr_metric_test with
+1. Set metric of address with peer route and see if the route added
+correctly.
+2. Modify metric and peer address for peer route and see if the route
+changed correctly.
+
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/fib_tests.sh | 34 ++++++++++++++++++++++++++++---
+ 1 file changed, 31 insertions(+), 3 deletions(-)
+
+--- a/tools/testing/selftests/net/fib_tests.sh
++++ b/tools/testing/selftests/net/fib_tests.sh
+@@ -979,6 +979,27 @@ ipv6_addr_metric_test()
+ fi
+ log_test $rc 0 "Prefix route with metric on link up"
+
++ # verify peer metric added correctly
++ set -e
++ run_cmd "$IP -6 addr flush dev dummy2"
++ run_cmd "$IP -6 addr add dev dummy2 2001:db8:104::1 peer 2001:db8:104::2 metric 260"
++ set +e
++
++ check_route6 "2001:db8:104::1 dev dummy2 proto kernel metric 260"
++ log_test $? 0 "Set metric with peer route on local side"
++ log_test $? 0 "User specified metric on local address"
++ check_route6 "2001:db8:104::2 dev dummy2 proto kernel metric 260"
++ log_test $? 0 "Set metric with peer route on peer side"
++
++ set -e
++ run_cmd "$IP -6 addr change dev dummy2 2001:db8:104::1 peer 2001:db8:104::3 metric 261"
++ set +e
++
++ check_route6 "2001:db8:104::1 dev dummy2 proto kernel metric 261"
++ log_test $? 0 "Modify metric and peer address on local side"
++ check_route6 "2001:db8:104::3 dev dummy2 proto kernel metric 261"
++ log_test $? 0 "Modify metric and peer address on peer side"
++
+ $IP li del dummy1
+ $IP li del dummy2
+ cleanup
+@@ -1320,13 +1341,20 @@ ipv4_addr_metric_test()
+
+ run_cmd "$IP addr flush dev dummy2"
+ run_cmd "$IP addr add dev dummy2 172.16.104.1/32 peer 172.16.104.2 metric 260"
+- run_cmd "$IP addr change dev dummy2 172.16.104.1/32 peer 172.16.104.2 metric 261"
+ rc=$?
+ if [ $rc -eq 0 ]; then
+- check_route "172.16.104.2 dev dummy2 proto kernel scope link src 172.16.104.1 metric 261"
++ check_route "172.16.104.2 dev dummy2 proto kernel scope link src 172.16.104.1 metric 260"
++ rc=$?
++ fi
++ log_test $rc 0 "Set metric of address with peer route"
++
++ run_cmd "$IP addr change dev dummy2 172.16.104.1/32 peer 172.16.104.3 metric 261"
++ rc=$?
++ if [ $rc -eq 0 ]; then
++ check_route "172.16.104.3 dev dummy2 proto kernel scope link src 172.16.104.1 metric 261"
+ rc=$?
+ fi
+- log_test $rc 0 "Modify metric of address with peer route"
++ log_test $rc 0 "Modify metric and peer address for peer route"
+
+ $IP li del dummy1
+ $IP li del dummy2
--- /dev/null
+phy-revert-toggling-reset-changes.patch
+net-phy-avoid-multiple-suspends.patch
+cgroup-netclassid-periodically-release-file_lock-on-classid-updating.patch
+gre-fix-uninit-value-in-__iptunnel_pull_header.patch
+inet_diag-return-classid-for-all-socket-types.patch
+ipv6-addrconf-call-ipv6_mc_up-for-non-ethernet-interface.patch
+ipvlan-add-cond_resched_rcu-while-processing-muticast-backlog.patch
+ipvlan-do-not-add-hardware-address-of-master-to-its-unicast-filter-list.patch
+ipvlan-do-not-use-cond_resched_rcu-in-ipvlan_process_multicast.patch
+ipvlan-don-t-deref-eth-hdr-before-checking-it-s-set.patch
+net-ipv6-use-configured-metric-when-add-peer-route.patch
+netlink-use-netlink-header-as-base-to-calculate-bad-attribute-offset.patch
+net-macsec-update-sci-upon-mac-address-change.patch
+net-nfc-fix-bounds-checking-bugs-on-pipe.patch
+net-packet-tpacket_rcv-do-not-increment-ring-index-on-drop.patch
+net-stmmac-dwmac1000-disable-acs-if-enhanced-descs-are-not-used.patch
+net-systemport-fix-index-check-to-avoid-an-array-out-of-bounds-access.patch
+r8152-check-disconnect-status-after-long-sleep.patch
+sfc-detach-from-cb_page-in-efx_copy_channel.patch
+bnxt_en-reinitialize-irqs-when-mtu-is-modified.patch
+cgroup-memcg-net-do-not-associate-sock-with-unrelated-cgroup.patch
+net-memcg-late-association-of-sock-to-memcg.patch
+net-memcg-fix-lockdep-splat-in-inet_csk_accept.patch
+devlink-validate-length-of-param-values.patch
+fib-add-missing-attribute-validation-for-tun_id.patch
+nl802154-add-missing-attribute-validation.patch
+nl802154-add-missing-attribute-validation-for-dev_type.patch
+can-add-missing-attribute-validation-for-termination.patch
+macsec-add-missing-attribute-validation-for-port.patch
+net-fq-add-missing-attribute-validation-for-orphan-mask.patch
+team-add-missing-attribute-validation-for-port-ifindex.patch
+team-add-missing-attribute-validation-for-array-index.patch
+nfc-add-missing-attribute-validation-for-se-api.patch
+nfc-add-missing-attribute-validation-for-deactivate-target.patch
+nfc-add-missing-attribute-validation-for-vendor-subcommand.patch
+net-phy-fix-mdio-bus-pm-phy-resuming.patch
+selftests-net-fib_tests-update-addr_metric_test-for-peer-route-testing.patch
+net-ipv6-need-update-peer-route-when-modify-metric.patch
+net-ipv6-remove-the-old-peer-route-if-change-it-to-a-new-one.patch
+tipc-add-missing-attribute-validation-for-mtu-property.patch
+devlink-validate-length-of-region-addr-len.patch
+bonding-alb-make-sure-arp-header-is-pulled-before-accessing-it.patch
+slip-make-slhc_compress-more-robust-against-malicious-packets.patch
+net-fec-validate-the-new-settings-in-fec_enet_set_coalesce.patch
+macvlan-add-cond_resched-during-multicast-processing.patch
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Edward Cree <ecree@solarflare.com>
+Date: Mon, 9 Mar 2020 18:16:24 +0000
+Subject: sfc: detach from cb_page in efx_copy_channel()
+
+From: Edward Cree <ecree@solarflare.com>
+
+[ Upstream commit 4b1bd9db078f7d5332c8601a2f5bd43cf0458fd4 ]
+
+It's a resource, not a parameter, so we can't copy it into the new
+ channel's TX queues, otherwise aliasing will lead to resource-
+ management bugs if the channel is subsequently torn down without
+ being initialised.
+
+Before the Fixes:-tagged commit there was a similar bug with
+ tsoh_page, but I'm not sure it's worth doing another fix for such
+ old kernels.
+
+Fixes: e9117e5099ea ("sfc: Firmware-Assisted TSO version 2")
+Suggested-by: Derek Shute <Derek.Shute@stratus.com>
+Signed-off-by: Edward Cree <ecree@solarflare.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/sfc/efx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/sfc/efx.c
++++ b/drivers/net/ethernet/sfc/efx.c
+@@ -522,6 +522,7 @@ efx_copy_channel(const struct efx_channe
+ if (tx_queue->channel)
+ tx_queue->channel = channel;
+ tx_queue->buffer = NULL;
++ tx_queue->cb_page = NULL;
+ memset(&tx_queue->txd, 0, sizeof(tx_queue->txd));
+ }
+
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 4 Mar 2020 15:51:43 -0800
+Subject: slip: make slhc_compress() more robust against malicious packets
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 110a40dfb708fe940a3f3704d470e431c368d256 ]
+
+Before accessing various fields in IPV4 network header
+and TCP header, make sure the packet :
+
+- Has IP version 4 (ip->version == 4)
+- Has not a silly network length (ip->ihl >= 5)
+- Is big enough to hold network and transport headers
+- Has not a silly TCP header size (th->doff >= sizeof(struct tcphdr) / 4)
+
+syzbot reported :
+
+BUG: KMSAN: uninit-value in slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270
+CPU: 0 PID: 11728 Comm: syz-executor231 Not tainted 5.6.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270
+ ppp_send_frame drivers/net/ppp/ppp_generic.c:1637 [inline]
+ __ppp_xmit_process+0x1902/0x2970 drivers/net/ppp/ppp_generic.c:1495
+ ppp_xmit_process+0x147/0x2f0 drivers/net/ppp/ppp_generic.c:1516
+ ppp_write+0x6bb/0x790 drivers/net/ppp/ppp_generic.c:512
+ do_loop_readv_writev fs/read_write.c:717 [inline]
+ do_iter_write+0x812/0xdc0 fs/read_write.c:1000
+ compat_writev+0x2df/0x5a0 fs/read_write.c:1351
+ do_compat_pwritev64 fs/read_write.c:1400 [inline]
+ __do_compat_sys_pwritev fs/read_write.c:1420 [inline]
+ __se_compat_sys_pwritev fs/read_write.c:1414 [inline]
+ __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+RIP: 0023:0xf7f7cd99
+Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
+RSP: 002b:00000000ffdb84ac EFLAGS: 00000217 ORIG_RAX: 000000000000014e
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200001c0
+RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000003
+RBP: 0000000040047459 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
+ slab_alloc_node mm/slub.c:2793 [inline]
+ __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
+ __kmalloc_reserve net/core/skbuff.c:142 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
+ alloc_skb include/linux/skbuff.h:1051 [inline]
+ ppp_write+0x115/0x790 drivers/net/ppp/ppp_generic.c:500
+ do_loop_readv_writev fs/read_write.c:717 [inline]
+ do_iter_write+0x812/0xdc0 fs/read_write.c:1000
+ compat_writev+0x2df/0x5a0 fs/read_write.c:1351
+ do_compat_pwritev64 fs/read_write.c:1400 [inline]
+ __do_compat_sys_pwritev fs/read_write.c:1420 [inline]
+ __se_compat_sys_pwritev fs/read_write.c:1414 [inline]
+ __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414
+ do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
+ do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
+ entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
+
+Fixes: b5451d783ade ("slip: Move the SLIP drivers")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/slip/slhc.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/slip/slhc.c
++++ b/drivers/net/slip/slhc.c
+@@ -232,7 +232,7 @@ slhc_compress(struct slcompress *comp, u
+ register struct cstate *cs = lcs->next;
+ register unsigned long deltaS, deltaA;
+ register short changes = 0;
+- int hlen;
++ int nlen, hlen;
+ unsigned char new_seq[16];
+ register unsigned char *cp = new_seq;
+ struct iphdr *ip;
+@@ -248,6 +248,8 @@ slhc_compress(struct slcompress *comp, u
+ return isize;
+
+ ip = (struct iphdr *) icp;
++ if (ip->version != 4 || ip->ihl < 5)
++ return isize;
+
+ /* Bail if this packet isn't TCP, or is an IP fragment */
+ if (ip->protocol != IPPROTO_TCP || (ntohs(ip->frag_off) & 0x3fff)) {
+@@ -258,10 +260,14 @@ slhc_compress(struct slcompress *comp, u
+ comp->sls_o_tcp++;
+ return isize;
+ }
+- /* Extract TCP header */
++ nlen = ip->ihl * 4;
++ if (isize < nlen + sizeof(*th))
++ return isize;
+
+- th = (struct tcphdr *)(((unsigned char *)ip) + ip->ihl*4);
+- hlen = ip->ihl*4 + th->doff*4;
++ th = (struct tcphdr *)(icp + nlen);
++ if (th->doff < sizeof(struct tcphdr) / 4)
++ return isize;
++ hlen = nlen + th->doff * 4;
+
+ /* Bail if the TCP packet isn't `compressible' (i.e., ACK isn't set or
+ * some other control bit is set). Also uncompressible if
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:22 -0800
+Subject: team: add missing attribute validation for array index
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 669fcd7795900cd1880237cbbb57a7db66cb9ac8 ]
+
+Add missing attribute validation for TEAM_ATTR_OPTION_ARRAY_INDEX
+to the netlink policy.
+
+Fixes: b13033262d24 ("team: introduce array options")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2216,6 +2216,7 @@ team_nl_option_policy[TEAM_ATTR_OPTION_M
+ [TEAM_ATTR_OPTION_TYPE] = { .type = NLA_U8 },
+ [TEAM_ATTR_OPTION_DATA] = { .type = NLA_BINARY },
+ [TEAM_ATTR_OPTION_PORT_IFINDEX] = { .type = NLA_U32 },
++ [TEAM_ATTR_OPTION_ARRAY_INDEX] = { .type = NLA_U32 },
+ };
+
+ static int team_nl_cmd_noop(struct sk_buff *skb, struct genl_info *info)
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:21 -0800
+Subject: team: add missing attribute validation for port ifindex
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit dd25cb272ccce4db67dc8509278229099e4f5e99 ]
+
+Add missing attribute validation for TEAM_ATTR_OPTION_PORT_IFINDEX
+to the netlink policy.
+
+Fixes: 80f7c6683fe0 ("team: add support for per-port options")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2215,6 +2215,7 @@ team_nl_option_policy[TEAM_ATTR_OPTION_M
+ [TEAM_ATTR_OPTION_CHANGED] = { .type = NLA_FLAG },
+ [TEAM_ATTR_OPTION_TYPE] = { .type = NLA_U8 },
+ [TEAM_ATTR_OPTION_DATA] = { .type = NLA_BINARY },
++ [TEAM_ATTR_OPTION_PORT_IFINDEX] = { .type = NLA_U32 },
+ };
+
+ static int team_nl_cmd_noop(struct sk_buff *skb, struct genl_info *info)
--- /dev/null
+From foo@baz Sun 15 Mar 2020 11:34:22 AM CET
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Mon, 2 Mar 2020 21:05:23 -0800
+Subject: tipc: add missing attribute validation for MTU property
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 213320a67962ff6e7b83b704d55cbebc341426db ]
+
+Add missing attribute validation for TIPC_NLA_PROP_MTU
+to the netlink policy.
+
+Fixes: 901271e0403a ("tipc: implement configuration of UDP media MTU")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/netlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink.c
++++ b/net/tipc/netlink.c
+@@ -110,7 +110,8 @@ const struct nla_policy tipc_nl_prop_pol
+ [TIPC_NLA_PROP_UNSPEC] = { .type = NLA_UNSPEC },
+ [TIPC_NLA_PROP_PRIO] = { .type = NLA_U32 },
+ [TIPC_NLA_PROP_TOL] = { .type = NLA_U32 },
+- [TIPC_NLA_PROP_WIN] = { .type = NLA_U32 }
++ [TIPC_NLA_PROP_WIN] = { .type = NLA_U32 },
++ [TIPC_NLA_PROP_MTU] = { .type = NLA_U32 }
+ };
+
+ const struct nla_policy tipc_nl_bearer_policy[TIPC_NLA_BEARER_MAX + 1] = {
projects / thirdparty / kernel / stable-queue.git / commitdiff
