--- /dev/null
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 6 Jan 2020 06:45:37 -0800
+Subject: gtp: fix bad unlock balance in gtp_encap_enable_socket
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 90d72256addff9e5f8ad645e8f632750dd1f8935 ]
+
+WARNING: bad unlock balance detected!
+5.5.0-rc5-syzkaller #0 Not tainted
+-------------------------------------
+syz-executor921/9688 is trying to release lock (sk_lock-AF_INET6) at:
+[<ffffffff84bf8506>] gtp_encap_enable_socket+0x146/0x400 drivers/net/gtp.c:830
+but there are no more locks to release!
+
+other info that might help us debug this:
+2 locks held by syz-executor921/9688:
+ #0: ffffffff8a4d8840 (rtnl_mutex){+.+.}, at: rtnl_lock net/core/rtnetlink.c:72 [inline]
+ #0: ffffffff8a4d8840 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x405/0xaf0 net/core/rtnetlink.c:5421
+ #1: ffff88809304b560 (slock-AF_INET6){+...}, at: spin_lock_bh include/linux/spinlock.h:343 [inline]
+ #1: ffff88809304b560 (slock-AF_INET6){+...}, at: release_sock+0x20/0x1c0 net/core/sock.c:2951
+
+stack backtrace:
+CPU: 0 PID: 9688 Comm: syz-executor921 Not tainted 5.5.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x197/0x210 lib/dump_stack.c:118
+ print_unlock_imbalance_bug kernel/locking/lockdep.c:4008 [inline]
+ print_unlock_imbalance_bug.cold+0x114/0x123 kernel/locking/lockdep.c:3984
+ __lock_release kernel/locking/lockdep.c:4242 [inline]
+ lock_release+0x5f2/0x960 kernel/locking/lockdep.c:4503
+ sock_release_ownership include/net/sock.h:1496 [inline]
+ release_sock+0x17c/0x1c0 net/core/sock.c:2961
+ gtp_encap_enable_socket+0x146/0x400 drivers/net/gtp.c:830
+ gtp_encap_enable drivers/net/gtp.c:852 [inline]
+ gtp_newlink+0x9fc/0xc60 drivers/net/gtp.c:666
+ __rtnl_newlink+0x109e/0x1790 net/core/rtnetlink.c:3305
+ rtnl_newlink+0x69/0xa0 net/core/rtnetlink.c:3363
+ rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5424
+ netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
+ rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
+ netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ netlink_unicast+0x58c/0x7d0 net/netlink/af_netlink.c:1328
+ netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:639 [inline]
+ sock_sendmsg+0xd7/0x130 net/socket.c:659
+ ____sys_sendmsg+0x753/0x880 net/socket.c:2330
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2384
+ __sys_sendmsg+0x105/0x1d0 net/socket.c:2417
+ __do_sys_sendmsg net/socket.c:2426 [inline]
+ __se_sys_sendmsg net/socket.c:2424 [inline]
+ __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2424
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x445d49
+Code: e8 bc b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f8019074db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000445d49
+RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
+RBP: 00000000006dac30 R08: 0000000000000004 R09: 0000000000000000
+R10: 0000000000000008 R11: 0000000000000246 R12: 00000000006dac3c
+R13: 00007ffea687f6bf R14: 00007f80190759c0 R15: 20c49ba5e353f7cf
+
+Fixes: e198987e7dd7 ("gtp: fix suspicious RCU usage")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/gtp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -818,7 +818,7 @@ static struct sock *gtp_encap_enable_soc
+ lock_sock(sock->sk);
+ if (sock->sk->sk_user_data) {
+ sk = ERR_PTR(-EBUSY);
+- goto out_sock;
++ goto out_rel_sock;
+ }
+
+ sk = sock->sk;
+@@ -831,8 +831,9 @@ static struct sock *gtp_encap_enable_soc
+
+ setup_udp_tunnel_sock(sock_net(sock->sk), sock, &tuncfg);
+
+-out_sock:
++out_rel_sock:
+ release_sock(sock->sk);
++out_sock:
+ sockfd_put(sock);
+ return sk;
+ }
--- /dev/null
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 6 Jan 2020 12:30:48 -0800
+Subject: macvlan: do not assume mac_header is set in macvlan_broadcast()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 96cc4b69581db68efc9749ef32e9cf8e0160c509 ]
+
+Use of eth_hdr() in tx path is error prone.
+
+Many drivers call skb_reset_mac_header() before using it,
+but others do not.
+
+Commit 6d1ccff62780 ("net: reset mac header in dev_start_xmit()")
+attempted to fix this generically, but commit d346a3fae3ff
+("packet: introduce PACKET_QDISC_BYPASS socket option") brought
+back the macvlan bug.
+
+Lets add a new helper, so that tx paths no longer have
+to call skb_reset_mac_header() only to get a pointer
+to skb->data.
+
+Hopefully we will be able to revert 6d1ccff62780
+("net: reset mac header in dev_start_xmit()") and save few cycles
+in transmit fast path.
+
+BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
+BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:251 [inline]
+BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277
+Read of size 4 at addr ffff8880a4932401 by task syz-executor947/9579
+
+CPU: 0 PID: 9579 Comm: syz-executor947 Not tainted 5.5.0-rc4-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x197/0x210 lib/dump_stack.c:118
+ print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
+ __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
+ kasan_report+0x12/0x20 mm/kasan/common.c:639
+ __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145
+ __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
+ mc_hash drivers/net/macvlan.c:251 [inline]
+ macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277
+ macvlan_queue_xmit drivers/net/macvlan.c:520 [inline]
+ macvlan_start_xmit+0x402/0x77f drivers/net/macvlan.c:559
+ __netdev_start_xmit include/linux/netdevice.h:4447 [inline]
+ netdev_start_xmit include/linux/netdevice.h:4461 [inline]
+ dev_direct_xmit+0x419/0x630 net/core/dev.c:4079
+ packet_direct_xmit+0x1a9/0x250 net/packet/af_packet.c:240
+ packet_snd net/packet/af_packet.c:2966 [inline]
+ packet_sendmsg+0x260d/0x6220 net/packet/af_packet.c:2991
+ sock_sendmsg_nosec net/socket.c:639 [inline]
+ sock_sendmsg+0xd7/0x130 net/socket.c:659
+ __sys_sendto+0x262/0x380 net/socket.c:1985
+ __do_sys_sendto net/socket.c:1997 [inline]
+ __se_sys_sendto net/socket.c:1993 [inline]
+ __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1993
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x442639
+Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007ffc13549e08 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442639
+RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
+RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000403bb0 R14: 0000000000000000 R15: 0000000000000000
+
+Allocated by task 9389:
+ save_stack+0x23/0x90 mm/kasan/common.c:72
+ set_track mm/kasan/common.c:80 [inline]
+ __kasan_kmalloc mm/kasan/common.c:513 [inline]
+ __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
+ kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
+ __do_kmalloc mm/slab.c:3656 [inline]
+ __kmalloc+0x163/0x770 mm/slab.c:3665
+ kmalloc include/linux/slab.h:561 [inline]
+ tomoyo_realpath_from_path+0xc5/0x660 security/tomoyo/realpath.c:252
+ tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
+ tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822
+ tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129
+ security_inode_getattr+0xf2/0x150 security/security.c:1222
+ vfs_getattr+0x25/0x70 fs/stat.c:115
+ vfs_statx_fd+0x71/0xc0 fs/stat.c:145
+ vfs_fstat include/linux/fs.h:3265 [inline]
+ __do_sys_newfstat+0x9b/0x120 fs/stat.c:378
+ __se_sys_newfstat fs/stat.c:375 [inline]
+ __x64_sys_newfstat+0x54/0x80 fs/stat.c:375
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 9389:
+ save_stack+0x23/0x90 mm/kasan/common.c:72
+ set_track mm/kasan/common.c:80 [inline]
+ kasan_set_free_info mm/kasan/common.c:335 [inline]
+ __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
+ kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
+ __cache_free mm/slab.c:3426 [inline]
+ kfree+0x10a/0x2c0 mm/slab.c:3757
+ tomoyo_realpath_from_path+0x1a7/0x660 security/tomoyo/realpath.c:289
+ tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
+ tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822
+ tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129
+ security_inode_getattr+0xf2/0x150 security/security.c:1222
+ vfs_getattr+0x25/0x70 fs/stat.c:115
+ vfs_statx_fd+0x71/0xc0 fs/stat.c:145
+ vfs_fstat include/linux/fs.h:3265 [inline]
+ __do_sys_newfstat+0x9b/0x120 fs/stat.c:378
+ __se_sys_newfstat fs/stat.c:375 [inline]
+ __x64_sys_newfstat+0x54/0x80 fs/stat.c:375
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff8880a4932000
+ which belongs to the cache kmalloc-4k of size 4096
+The buggy address is located 1025 bytes inside of
+ 4096-byte region [ffff8880a4932000, ffff8880a4933000)
+The buggy address belongs to the page:
+page:ffffea0002924c80 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
+raw: 00fffe0000010200 ffffea0002846208 ffffea00028f3888 ffff8880aa402000
+raw: 0000000000000000 ffff8880a4932000 0000000100000001 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8880a4932300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880a4932380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff8880a4932400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8880a4932480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880a4932500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: b863ceb7ddce ("[NET]: Add macvlan driver")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c | 2 +-
+ include/linux/if_ether.h | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -263,7 +263,7 @@ static void macvlan_broadcast(struct sk_
+ struct net_device *src,
+ enum macvlan_mode mode)
+ {
+- const struct ethhdr *eth = eth_hdr(skb);
++ const struct ethhdr *eth = skb_eth_hdr(skb);
+ const struct macvlan_dev *vlan;
+ struct sk_buff *nskb;
+ unsigned int i;
+--- a/include/linux/if_ether.h
++++ b/include/linux/if_ether.h
+@@ -28,6 +28,14 @@ static inline struct ethhdr *eth_hdr(con
+ return (struct ethhdr *)skb_mac_header(skb);
+ }
+
++/* Prefer this version in TX path, instead of
++ * skb_reset_mac_header() + eth_hdr()
++ */
++static inline struct ethhdr *skb_eth_hdr(const struct sk_buff *skb)
++{
++ return (struct ethhdr *)skb->data;
++}
++
+ static inline struct ethhdr *inner_eth_hdr(const struct sk_buff *skb)
+ {
+ return (struct ethhdr *)skb_inner_mac_header(skb);
--- /dev/null
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Petr Machata <petrm@mellanox.com>
+Date: Mon, 6 Jan 2020 18:01:55 +0000
+Subject: mlxsw: spectrum_qdisc: Ignore grafting of invisible FIFO
+
+From: Petr Machata <petrm@mellanox.com>
+
+[ Upstream commit 3971a535b839489e4ea31796cc086e6ce616318c ]
+
+The following patch will change PRIO to replace a removed Qdisc with an
+invisible FIFO, instead of NOOP. mlxsw will see this replacement due to the
+graft message that is generated. But because FIFO does not issue its own
+REPLACE message, when the graft operation takes place, the Qdisc that mlxsw
+tracks under the indicated band is still the old one. The child
+handle (0:0) therefore does not match, and mlxsw rejects the graft
+operation, which leads to an extack message:
+
+ Warning: Offloading graft operation failed.
+
+Fix by ignoring the invisible children in the PRIO graft handler. The
+DESTROY message of the removed Qdisc is going to follow shortly and handle
+the removal.
+
+Fixes: 32dc5efc6cb4 ("mlxsw: spectrum: qdiscs: prio: Handle graft command")
+Signed-off-by: Petr Machata <petrm@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_qdisc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_qdisc.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_qdisc.c
+@@ -650,6 +650,13 @@ mlxsw_sp_qdisc_prio_graft(struct mlxsw_s
+ mlxsw_sp_port->tclass_qdiscs[tclass_num].handle == p->child_handle)
+ return 0;
+
++ if (!p->child_handle) {
++ /* This is an invisible FIFO replacing the original Qdisc.
++ * Ignore it--the original Qdisc's destroy will follow.
++ */
++ return 0;
++ }
++
+ /* See if the grafted qdisc is already offloaded on any tclass. If so,
+ * unoffload it.
+ */
--- /dev/null
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Andrew Lunn <andrew@lunn.ch>
+Date: Sat, 4 Jan 2020 23:14:51 +0100
+Subject: net: dsa: mv88e6xxx: Preserve priority when setting CPU port.
+
+From: Andrew Lunn <andrew@lunn.ch>
+
+[ Upstream commit d8dc2c9676e614ef62f54a155b50076888c8a29a ]
+
+The 6390 family uses an extended register to set the port connected to
+the CPU. The lower 5 bits indicate the port, the upper three bits are
+the priority of the frames as they pass through the switch, what
+egress queue they should use, etc. Since frames being set to the CPU
+are typically management frames, BPDU, IGMP, ARP, etc set the priority
+to 7, the reset default, and the highest.
+
+Fixes: 33641994a676 ("net: dsa: mv88e6xxx: Monitor and Management tables")
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Tested-by: Chris Healy <cphealy@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/global1.c | 5 +++++
+ drivers/net/dsa/mv88e6xxx/global1.h | 1 +
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/global1.c
++++ b/drivers/net/dsa/mv88e6xxx/global1.c
+@@ -371,6 +371,11 @@ int mv88e6390_g1_set_cpu_port(struct mv8
+ {
+ u16 ptr = MV88E6390_G1_MONITOR_MGMT_CTL_PTR_CPU_DEST;
+
++ /* Use the default high priority for management frames sent to
++ * the CPU.
++ */
++ port |= MV88E6390_G1_MONITOR_MGMT_CTL_PTR_CPU_DEST_MGMTPRI;
++
+ return mv88e6390_g1_monitor_write(chip, ptr, port);
+ }
+
+--- a/drivers/net/dsa/mv88e6xxx/global1.h
++++ b/drivers/net/dsa/mv88e6xxx/global1.h
+@@ -197,6 +197,7 @@
+ #define MV88E6390_G1_MONITOR_MGMT_CTL_PTR_INGRESS_DEST 0x2000
+ #define MV88E6390_G1_MONITOR_MGMT_CTL_PTR_EGRESS_DEST 0x2100
+ #define MV88E6390_G1_MONITOR_MGMT_CTL_PTR_CPU_DEST 0x3000
++#define MV88E6390_G1_MONITOR_MGMT_CTL_PTR_CPU_DEST_MGMTPRI 0x00e0
+ #define MV88E6390_G1_MONITOR_MGMT_CTL_DATA_MASK 0x00ff
+
+ /* Offset 0x1C: Global Control 2 */
--- /dev/null
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Petr Machata <petrm@mellanox.com>
+Date: Mon, 6 Jan 2020 18:01:56 +0000
+Subject: net: sch_prio: When ungrafting, replace with FIFO
+
+From: Petr Machata <petrm@mellanox.com>
+
+[ Upstream commit 240ce7f6428ff5188b9eedc066e1e4d645b8635f ]
+
+When a child Qdisc is removed from one of the PRIO Qdisc's bands, it is
+replaced unconditionally by a NOOP qdisc. As a result, any traffic hitting
+that band gets dropped. That is incorrect--no Qdisc was explicitly added
+when PRIO was created, and after removal, none should have to be added
+either.
+
+Fix PRIO by first attempting to create a default Qdisc and only falling
+back to noop when that fails. This pattern of attempting to create an
+invisible FIFO, using NOOP only as a fallback, is also seen in other
+Qdiscs.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Petr Machata <petrm@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_prio.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/sched/sch_prio.c
++++ b/net/sched/sch_prio.c
+@@ -314,8 +314,14 @@ static int prio_graft(struct Qdisc *sch,
+ bool any_qdisc_is_offloaded;
+ int err;
+
+- if (new == NULL)
+- new = &noop_qdisc;
++ if (!new) {
++ new = qdisc_create_dflt(sch->dev_queue, &pfifo_qdisc_ops,
++ TC_H_MAKE(sch->handle, arg), extack);
++ if (!new)
++ new = &noop_qdisc;
++ else
++ qdisc_hash_add(new, true);
++ }
+
+ *old = qdisc_replace(sch, new, &q->queues[band]);
+
--- /dev/null
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Mon, 6 Jan 2020 11:09:45 +0800
+Subject: net: stmmac: dwmac-sun8i: Allow all RGMII modes
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+[ Upstream commit f1239d8aa84dad8fe4b6cc1356f40fc8e842db47 ]
+
+Allow all the RGMII modes to be used. This would allow us to represent
+the hardware better in the device tree with RGMII_ID where in most
+cases the PHY's internal delay for both RX and TX are used.
+
+Fixes: 9f93ac8d4085 ("net-next: stmmac: Add dwmac-sun8i")
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.c
+@@ -946,6 +946,9 @@ static int sun8i_dwmac_set_syscon(struct
+ /* default */
+ break;
+ case PHY_INTERFACE_MODE_RGMII:
++ case PHY_INTERFACE_MODE_RGMII_ID:
++ case PHY_INTERFACE_MODE_RGMII_RXID:
++ case PHY_INTERFACE_MODE_RGMII_TXID:
+ reg |= SYSCON_EPIT | SYSCON_ETCS_INT_GMII;
+ break;
+ case PHY_INTERFACE_MODE_RMII:
--- /dev/null
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Chen-Yu Tsai <wens@csie.org>
+Date: Mon, 6 Jan 2020 11:09:22 +0800
+Subject: net: stmmac: dwmac-sunxi: Allow all RGMII modes
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+[ Upstream commit 52cc73e5404c7ba0cbfc50cb4c265108c84b3d5a ]
+
+Allow all the RGMII modes to be used. This would allow us to represent
+the hardware better in the device tree with RGMII_ID where in most
+cases the PHY's internal delay for both RX and TX are used.
+
+Fixes: af0bd4e9ba80 ("net: stmmac: sunxi platform extensions for GMAC in Allwinner A20 SoC's")
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.c
+@@ -53,7 +53,7 @@ static int sun7i_gmac_init(struct platfo
+ * rate, which then uses the auto-reparenting feature of the
+ * clock driver, and enabling/disabling the clock.
+ */
+- if (gmac->interface == PHY_INTERFACE_MODE_RGMII) {
++ if (phy_interface_mode_is_rgmii(gmac->interface)) {
+ clk_set_rate(gmac->tx_clk, SUN7I_GMAC_GMII_RGMII_RATE);
+ clk_prepare_enable(gmac->tx_clk);
+ gmac->clk_enabled = 1;
--- /dev/null
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 7 Jan 2020 10:57:01 -0800
+Subject: net: usb: lan78xx: fix possible skb leak
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 47240ba0cd09bb6fe6db9889582048324999dfa4 ]
+
+If skb_linearize() fails, we need to free the skb.
+
+TSO makes skb bigger, and this bug might be the reason
+Raspberry Pi 3B+ users had to disable TSO.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: RENARD Pierre-Francois <pfrenard@gmail.com>
+Cc: Stefan Wahren <stefan.wahren@i2se.com>
+Cc: Woojung Huh <woojung.huh@microchip.com>
+Cc: Microchip Linux Driver Support <UNGLinuxDriver@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/lan78xx.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2736,11 +2736,6 @@ static int lan78xx_stop(struct net_devic
+ return 0;
+ }
+
+-static int lan78xx_linearize(struct sk_buff *skb)
+-{
+- return skb_linearize(skb);
+-}
+-
+ static struct sk_buff *lan78xx_tx_prep(struct lan78xx_net *dev,
+ struct sk_buff *skb, gfp_t flags)
+ {
+@@ -2751,8 +2746,10 @@ static struct sk_buff *lan78xx_tx_prep(s
+ return NULL;
+ }
+
+- if (lan78xx_linearize(skb) < 0)
++ if (skb_linearize(skb)) {
++ dev_kfree_skb_any(skb);
+ return NULL;
++ }
+
+ tx_cmd_a = (u32)(skb->len & TX_CMD_A_LEN_MASK_) | TX_CMD_A_FCS_;
+
--- /dev/null
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 6 Jan 2020 06:10:39 -0800
+Subject: pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d9e15a2733067c9328fb56d98fe8e574fa19ec31 ]
+
+As diagnosed by Florian :
+
+If TCA_FQ_QUANTUM is set to 0x80000000, fq_deueue()
+can loop forever in :
+
+if (f->credit <= 0) {
+ f->credit += q->quantum;
+ goto begin;
+}
+
+... because f->credit is either 0 or -2147483648.
+
+Let's limit TCA_FQ_QUANTUM to no more than 1 << 20 :
+This max value should limit risks of breaking user setups
+while fixing this bug.
+
+Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Diagnosed-by: Florian Westphal <fw@strlen.de>
+Reported-by: syzbot+dc9071cc5a85950bdfce@syzkaller.appspotmail.com
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_fq.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/sched/sch_fq.c
++++ b/net/sched/sch_fq.c
+@@ -735,10 +735,12 @@ static int fq_change(struct Qdisc *sch,
+ if (tb[TCA_FQ_QUANTUM]) {
+ u32 quantum = nla_get_u32(tb[TCA_FQ_QUANTUM]);
+
+- if (quantum > 0)
++ if (quantum > 0 && quantum <= (1 << 20)) {
+ q->quantum = quantum;
+- else
++ } else {
++ NL_SET_ERR_MSG_MOD(extack, "invalid quantum");
+ err = -EINVAL;
++ }
+ }
+
+ if (tb[TCA_FQ_INITIAL_QUANTUM])
--- /dev/null
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Wen Yang <wenyang@linux.alibaba.com>
+Date: Thu, 2 Jan 2020 17:21:43 +0800
+Subject: sch_cake: avoid possible divide by zero in cake_enqueue()
+
+From: Wen Yang <wenyang@linux.alibaba.com>
+
+[ Upstream commit 68aab823c223646fab311f8a6581994facee66a0 ]
+
+The variables 'window_interval' is u64 and do_div()
+truncates it to 32 bits, which means it can test
+non-zero and be truncated to zero for division.
+The unit of window_interval is nanoseconds,
+so its lower 32-bit is relatively easy to exceed.
+Fix this issue by using div64_u64() instead.
+
+Fixes: 7298de9cd725 ("sch_cake: Add ingress mode")
+Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
+Cc: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+Cc: Toke Høiland-Jørgensen <toke@redhat.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: cake@lists.bufferbloat.net
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_cake.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_cake.c
++++ b/net/sched/sch_cake.c
+@@ -1758,7 +1758,7 @@ static s32 cake_enqueue(struct sk_buff *
+ q->avg_window_begin));
+ u64 b = q->avg_window_bytes * (u64)NSEC_PER_SEC;
+
+- do_div(b, window_interval);
++ b = div64_u64(b, window_interval);
+ q->avg_peak_bandwidth =
+ cake_ewma(q->avg_peak_bandwidth, b,
+ b > q->avg_peak_bandwidth ? 2 : 8);
--- /dev/null
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sat, 4 Jan 2020 14:15:02 +0800
+Subject: sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit be7a7729207797476b6666f046d765bdf9630407 ]
+
+This patch is to fix a memleak caused by no place to free cmd->obj.chunk
+for the unprocessed SCTP_CMD_REPLY. This issue occurs when failing to
+process a cmd while there're still SCTP_CMD_REPLY cmds on the cmd seq
+with an allocated chunk in cmd->obj.chunk.
+
+So fix it by freeing cmd->obj.chunk for each SCTP_CMD_REPLY cmd left on
+the cmd seq when any cmd returns error. While at it, also remove 'nomem'
+label.
+
+Reported-by: syzbot+107c4aff5f392bf1517f@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_sideeffect.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/net/sctp/sm_sideeffect.c
++++ b/net/sctp/sm_sideeffect.c
+@@ -1373,8 +1373,10 @@ static int sctp_cmd_interpreter(enum sct
+ /* Generate an INIT ACK chunk. */
+ new_obj = sctp_make_init_ack(asoc, chunk, GFP_ATOMIC,
+ 0);
+- if (!new_obj)
+- goto nomem;
++ if (!new_obj) {
++ error = -ENOMEM;
++ break;
++ }
+
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
+ SCTP_CHUNK(new_obj));
+@@ -1396,7 +1398,8 @@ static int sctp_cmd_interpreter(enum sct
+ if (!new_obj) {
+ if (cmd->obj.chunk)
+ sctp_chunk_free(cmd->obj.chunk);
+- goto nomem;
++ error = -ENOMEM;
++ break;
+ }
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
+ SCTP_CHUNK(new_obj));
+@@ -1443,8 +1446,10 @@ static int sctp_cmd_interpreter(enum sct
+
+ /* Generate a SHUTDOWN chunk. */
+ new_obj = sctp_make_shutdown(asoc, chunk);
+- if (!new_obj)
+- goto nomem;
++ if (!new_obj) {
++ error = -ENOMEM;
++ break;
++ }
+ sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
+ SCTP_CHUNK(new_obj));
+ break;
+@@ -1780,11 +1785,17 @@ static int sctp_cmd_interpreter(enum sct
+ break;
+ }
+
+- if (error)
++ if (error) {
++ cmd = sctp_next_cmd(commands);
++ while (cmd) {
++ if (cmd->verb == SCTP_CMD_REPLY)
++ sctp_chunk_free(cmd->obj.chunk);
++ cmd = sctp_next_cmd(commands);
++ }
+ break;
++ }
+ }
+
+-out:
+ /* If this is in response to a received chunk, wait until
+ * we are done with the packet to open the queue so that we don't
+ * send multiple packets in response to a single request.
+@@ -1799,7 +1810,4 @@ out:
+ sp->data_ready_signalled = 0;
+
+ return error;
+-nomem:
+- error = -ENOMEM;
+- goto out;
+ }
arm-dts-imx6ul-use-nvmem-cells-for-cpu-speed-grading.patch
pci-switchtec-read-all-64-bits-of-part_event_bitmap.patch
arm64-kvm-trap-vm-ops-when-arm64_workaround_cavium_tx2_219_tvm-is-set.patch
+gtp-fix-bad-unlock-balance-in-gtp_encap_enable_socket.patch
+macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch
+net-dsa-mv88e6xxx-preserve-priority-when-setting-cpu-port.patch
+net-stmmac-dwmac-sun8i-allow-all-rgmii-modes.patch
+net-stmmac-dwmac-sunxi-allow-all-rgmii-modes.patch
+net-usb-lan78xx-fix-possible-skb-leak.patch
+pkt_sched-fq-do-not-accept-silly-tca_fq_quantum.patch
+sch_cake-avoid-possible-divide-by-zero-in-cake_enqueue.patch
+sctp-free-cmd-obj.chunk-for-the-unprocessed-sctp_cmd_reply.patch
+tcp-fix-old-stuff-d-sack-causing-sack-to-be-treated-as-d-sack.patch
+vxlan-fix-tos-value-before-xmit.patch
+vlan-fix-memory-leak-in-vlan_dev_set_egress_priority.patch
+vlan-vlan_changelink-should-propagate-errors.patch
+mlxsw-spectrum_qdisc-ignore-grafting-of-invisible-fifo.patch
+net-sch_prio-when-ungrafting-replace-with-fifo.patch
--- /dev/null
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Pengcheng Yang <yangpc@wangsu.com>
+Date: Mon, 30 Dec 2019 17:54:41 +0800
+Subject: tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK
+
+From: Pengcheng Yang <yangpc@wangsu.com>
+
+[ Upstream commit c9655008e7845bcfdaac10a1ed8554ec167aea88 ]
+
+When we receive a D-SACK, where the sequence number satisfies:
+ undo_marker <= start_seq < end_seq <= prior_snd_una
+we consider this is a valid D-SACK and tcp_is_sackblock_valid()
+returns true, then this D-SACK is discarded as "old stuff",
+but the variable first_sack_index is not marked as negative
+in tcp_sacktag_write_queue().
+
+If this D-SACK also carries a SACK that needs to be processed
+(for example, the previous SACK segment was lost), this SACK
+will be treated as a D-SACK in the following processing of
+tcp_sacktag_write_queue(), which will eventually lead to
+incorrect updates of undo_retrans and reordering.
+
+Fixes: fd6dad616d4f ("[TCP]: Earlier SACK block verification & simplify access to them")
+Signed-off-by: Pengcheng Yang <yangpc@wangsu.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1716,8 +1716,11 @@ tcp_sacktag_write_queue(struct sock *sk,
+ }
+
+ /* Ignore very old stuff early */
+- if (!after(sp[used_sacks].end_seq, prior_snd_una))
++ if (!after(sp[used_sacks].end_seq, prior_snd_una)) {
++ if (i == 0)
++ first_sack_index = -1;
+ continue;
++ }
+
+ used_sacks++;
+ }
--- /dev/null
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 7 Jan 2020 01:42:24 -0800
+Subject: vlan: fix memory leak in vlan_dev_set_egress_priority
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9bbd917e0bec9aebdbd0c8dbc966caec15eb33e9 ]
+
+There are few cases where the ndo_uninit() handler might be not
+called if an error happens while device is initialized.
+
+Since vlan_newlink() calls vlan_changelink() before
+trying to register the netdevice, we need to make sure
+vlan_dev_uninit() has been called at least once,
+or we might leak allocated memory.
+
+BUG: memory leak
+unreferenced object 0xffff888122a206c0 (size 32):
+ comm "syz-executor511", pid 7124, jiffies 4294950399 (age 32.240s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 61 73 00 00 00 00 00 00 00 00 ......as........
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<000000000eb3bb85>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
+ [<000000000eb3bb85>] slab_post_alloc_hook mm/slab.h:586 [inline]
+ [<000000000eb3bb85>] slab_alloc mm/slab.c:3320 [inline]
+ [<000000000eb3bb85>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
+ [<000000007b99f620>] kmalloc include/linux/slab.h:556 [inline]
+ [<000000007b99f620>] vlan_dev_set_egress_priority+0xcc/0x150 net/8021q/vlan_dev.c:194
+ [<000000007b0cb745>] vlan_changelink+0xd6/0x140 net/8021q/vlan_netlink.c:126
+ [<0000000065aba83a>] vlan_newlink+0x135/0x200 net/8021q/vlan_netlink.c:181
+ [<00000000fb5dd7a2>] __rtnl_newlink+0x89a/0xb80 net/core/rtnetlink.c:3305
+ [<00000000ae4273a1>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3363
+ [<00000000decab39f>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424
+ [<00000000accba4ee>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
+ [<00000000319fe20f>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
+ [<00000000d51938dc>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ [<00000000d51938dc>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
+ [<00000000e539ac79>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
+ [<000000006250c27e>] sock_sendmsg_nosec net/socket.c:639 [inline]
+ [<000000006250c27e>] sock_sendmsg+0x54/0x70 net/socket.c:659
+ [<00000000e2a156d1>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
+ [<000000008c87466e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
+ [<00000000110e3054>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
+ [<00000000d71077c8>] __do_sys_sendmsg net/socket.c:2426 [inline]
+ [<00000000d71077c8>] __se_sys_sendmsg net/socket.c:2424 [inline]
+ [<00000000d71077c8>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424
+
+Fixe: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan.h | 1 +
+ net/8021q/vlan_dev.c | 3 ++-
+ net/8021q/vlan_netlink.c | 9 +++++----
+ 3 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/8021q/vlan.h
++++ b/net/8021q/vlan.h
+@@ -114,6 +114,7 @@ int vlan_check_real_dev(struct net_devic
+ void vlan_setup(struct net_device *dev);
+ int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack);
+ void unregister_vlan_dev(struct net_device *dev, struct list_head *head);
++void vlan_dev_uninit(struct net_device *dev);
+ bool vlan_dev_inherit_address(struct net_device *dev,
+ struct net_device *real_dev);
+
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -612,7 +612,8 @@ static int vlan_dev_init(struct net_devi
+ return 0;
+ }
+
+-static void vlan_dev_uninit(struct net_device *dev)
++/* Note: this function might be called multiple times for the same device. */
++void vlan_dev_uninit(struct net_device *dev)
+ {
+ struct vlan_priority_tci_mapping *pm;
+ struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
+--- a/net/8021q/vlan_netlink.c
++++ b/net/8021q/vlan_netlink.c
+@@ -181,10 +181,11 @@ static int vlan_newlink(struct net *src_
+ return -EINVAL;
+
+ err = vlan_changelink(dev, tb, data, extack);
+- if (err < 0)
+- return err;
+-
+- return register_vlan_dev(dev, extack);
++ if (!err)
++ err = register_vlan_dev(dev, extack);
++ if (err)
++ vlan_dev_uninit(dev);
++ return err;
+ }
+
+ static inline size_t vlan_qos_map_size(unsigned int n)
--- /dev/null
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 7 Jan 2020 01:42:25 -0800
+Subject: vlan: vlan_changelink() should propagate errors
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit eb8ef2a3c50092bb018077c047b8dba1ce0e78e3 ]
+
+Both vlan_dev_change_flags() and vlan_dev_set_egress_priority()
+can return an error. vlan_changelink() should not ignore them.
+
+Fixes: 07b5b17e157b ("[VLAN]: Use rtnl_link API")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan_netlink.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/net/8021q/vlan_netlink.c
++++ b/net/8021q/vlan_netlink.c
+@@ -110,11 +110,13 @@ static int vlan_changelink(struct net_de
+ struct ifla_vlan_flags *flags;
+ struct ifla_vlan_qos_mapping *m;
+ struct nlattr *attr;
+- int rem;
++ int rem, err;
+
+ if (data[IFLA_VLAN_FLAGS]) {
+ flags = nla_data(data[IFLA_VLAN_FLAGS]);
+- vlan_dev_change_flags(dev, flags->flags, flags->mask);
++ err = vlan_dev_change_flags(dev, flags->flags, flags->mask);
++ if (err)
++ return err;
+ }
+ if (data[IFLA_VLAN_INGRESS_QOS]) {
+ nla_for_each_nested(attr, data[IFLA_VLAN_INGRESS_QOS], rem) {
+@@ -125,7 +127,9 @@ static int vlan_changelink(struct net_de
+ if (data[IFLA_VLAN_EGRESS_QOS]) {
+ nla_for_each_nested(attr, data[IFLA_VLAN_EGRESS_QOS], rem) {
+ m = nla_data(attr);
+- vlan_dev_set_egress_priority(dev, m->from, m->to);
++ err = vlan_dev_set_egress_priority(dev, m->from, m->to);
++ if (err)
++ return err;
+ }
+ }
+ return 0;
--- /dev/null
+From foo@baz Sat 11 Jan 2020 09:14:34 AM CET
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Thu, 2 Jan 2020 17:23:45 +0800
+Subject: vxlan: fix tos value before xmit
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 71130f29979c7c7956b040673e6b9d5643003176 ]
+
+Before ip_tunnel_ecn_encap() and udp_tunnel_xmit_skb() we should filter
+tos value by RT_TOS() instead of using config tos directly.
+
+vxlan_get_route() would filter the tos to fl4.flowi4_tos but we didn't
+return it back, as geneve_get_v4_rt() did. So we have to use RT_TOS()
+directly in function ip_tunnel_ecn_encap().
+
+Fixes: 206aaafcd279 ("VXLAN: Use IP Tunnels tunnel ENC encap API")
+Fixes: 1400615d64cf ("vxlan: allow setting ipv6 traffic class")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -2217,7 +2217,7 @@ static void vxlan_xmit_one(struct sk_buf
+ ndst = &rt->dst;
+ skb_tunnel_check_pmtu(skb, ndst, VXLAN_HEADROOM);
+
+- tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
++ tos = ip_tunnel_ecn_encap(RT_TOS(tos), old_iph, skb);
+ ttl = ttl ? : ip4_dst_hoplimit(&rt->dst);
+ err = vxlan_build_skb(skb, ndst, sizeof(struct iphdr),
+ vni, md, flags, udp_sum);
+@@ -2254,7 +2254,7 @@ static void vxlan_xmit_one(struct sk_buf
+
+ skb_tunnel_check_pmtu(skb, ndst, VXLAN6_HEADROOM);
+
+- tos = ip_tunnel_ecn_encap(tos, old_iph, skb);
++ tos = ip_tunnel_ecn_encap(RT_TOS(tos), old_iph, skb);
+ ttl = ttl ? : ip6_dst_hoplimit(ndst);
+ skb_scrub_packet(skb, xnet);
+ err = vxlan_build_skb(skb, ndst, sizeof(struct ipv6hdr),
projects / thirdparty / kernel / stable-queue.git / commitdiff
