3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 8 Mar 2019 09:59:10 +0000 (10:59 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 8 Mar 2019 09:59:10 +0000 (10:59 +0100)
added patches:
ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch
net-add-__icmp_send-helper.patch
net-avoid-use-ipcb-in-cipso_v4_error.patch
net-nfc-fix-null-dereference-on-nfc_llcp_build_tlv-fails.patch
net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch
net-sit-fix-memory-leak-in-sit_init_net.patch
net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch
netlabel-fix-out-of-bounds-memory-accesses.patch
sky2-disable-msi-on-dell-inspiron-1545-and-gateway-p-79.patch
team-free-bpf-filter-when-unregistering-netdev.patch

queue-3.18/ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch [new file with mode: 0644]
queue-3.18/net-add-__icmp_send-helper.patch [new file with mode: 0644]
queue-3.18/net-avoid-use-ipcb-in-cipso_v4_error.patch [new file with mode: 0644]
queue-3.18/net-nfc-fix-null-dereference-on-nfc_llcp_build_tlv-fails.patch [new file with mode: 0644]
queue-3.18/net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch [new file with mode: 0644]
queue-3.18/net-sit-fix-memory-leak-in-sit_init_net.patch [new file with mode: 0644]
queue-3.18/net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch [new file with mode: 0644]
queue-3.18/netlabel-fix-out-of-bounds-memory-accesses.patch [new file with mode: 0644]
queue-3.18/series
queue-3.18/sky2-disable-msi-on-dell-inspiron-1545-and-gateway-p-79.patch [new file with mode: 0644]
queue-3.18/team-free-bpf-filter-when-unregistering-netdev.patch [new file with mode: 0644]

diff --git a/queue-3.18/ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch b/queue-3.18/ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch
new file mode 100644 (file)
index 0000000..142720a
--- /dev/null
@@ -0,0 +1,67 @@
+From foo@baz Fri Mar  8 10:35:39 CET 2019
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Sun, 3 Mar 2019 07:34:57 +0000
+Subject: ip6mr: Do not call __IP6_INC_STATS() from preemptible context
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 87c11f1ddbbad38ad8bad47af133a8208985fbdf ]
+
+Similar to commit 44f49dd8b5a6 ("ipmr: fix possible race resulting from
+improper usage of IP_INC_STATS_BH() in preemptible context."), we cannot
+assume preemption is disabled when incrementing the counter and
+accessing a per-CPU variable.
+
+Preemption can be enabled when we add a route in process context that
+corresponds to packets stored in the unresolved queue, which are then
+forwarded using this route [1].
+
+Fix this by using IP6_INC_STATS() which takes care of disabling
+preemption on architectures where it is needed.
+
+[1]
+[  157.451447] BUG: using __this_cpu_add() in preemptible [00000000] code: smcrouted/2314
+[  157.460409] caller is ip6mr_forward2+0x73e/0x10e0
+[  157.460434] CPU: 3 PID: 2314 Comm: smcrouted Not tainted 5.0.0-rc7-custom-03635-g22f2712113f1 #1336
+[  157.460449] Hardware name: Mellanox Technologies Ltd. MSN2100-CB2FO/SA001017, BIOS 5.6.5 06/07/2016
+[  157.460461] Call Trace:
+[  157.460486]  dump_stack+0xf9/0x1be
+[  157.460553]  check_preemption_disabled+0x1d6/0x200
+[  157.460576]  ip6mr_forward2+0x73e/0x10e0
+[  157.460705]  ip6_mr_forward+0x9a0/0x1510
+[  157.460771]  ip6mr_mfc_add+0x16b3/0x1e00
+[  157.461155]  ip6_mroute_setsockopt+0x3cb/0x13c0
+[  157.461384]  do_ipv6_setsockopt.isra.8+0x348/0x4060
+[  157.462013]  ipv6_setsockopt+0x90/0x110
+[  157.462036]  rawv6_setsockopt+0x4a/0x120
+[  157.462058]  __sys_setsockopt+0x16b/0x340
+[  157.462198]  __x64_sys_setsockopt+0xbf/0x160
+[  157.462220]  do_syscall_64+0x14d/0x610
+[  157.462349]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 0912ea38de61 ("[IPV6] MROUTE: Add stats in multicast routing module method ip6_mr_forward().")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-by: Amit Cohen <amitc@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6mr.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6mr.c
++++ b/net/ipv6/ip6mr.c
+@@ -1987,10 +1987,10 @@ int ip6mr_compat_ioctl(struct sock *sk,
+ static inline int ip6mr_forward2_finish(struct sk_buff *skb)
+ {
+-      IP6_INC_STATS_BH(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)),
+-                       IPSTATS_MIB_OUTFORWDATAGRAMS);
+-      IP6_ADD_STATS_BH(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)),
+-                       IPSTATS_MIB_OUTOCTETS, skb->len);
++      IP6_INC_STATS(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)),
++                    IPSTATS_MIB_OUTFORWDATAGRAMS);
++      IP6_ADD_STATS(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)),
++                    IPSTATS_MIB_OUTOCTETS, skb->len);
+       return dst_output(skb);
+ }
diff --git a/queue-3.18/net-add-__icmp_send-helper.patch b/queue-3.18/net-add-__icmp_send-helper.patch
new file mode 100644 (file)
index 0000000..6011ea2
--- /dev/null
@@ -0,0 +1,75 @@
+From foo@baz Fri Mar  8 09:51:16 CET 2019
+From: Nazarov Sergey <s-nazarov@yandex.ru>
+Date: Mon, 25 Feb 2019 19:24:15 +0300
+Subject: net: Add __icmp_send helper.
+
+From: Nazarov Sergey <s-nazarov@yandex.ru>
+
+[ Upstream commit 9ef6b42ad6fd7929dd1b6092cb02014e382c6a91 ]
+
+Add __icmp_send function having ip_options struct parameter
+
+Signed-off-by: Sergey Nazarov <s-nazarov@yandex.ru>
+Reviewed-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/icmp.h |    9 ++++++++-
+ net/ipv4/icmp.c    |    7 ++++---
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/include/net/icmp.h
++++ b/include/net/icmp.h
+@@ -22,6 +22,7 @@
+ #include <net/inet_sock.h>
+ #include <net/snmp.h>
++#include <net/ip.h>
+ struct icmp_err {
+   int         errno;
+@@ -39,7 +40,13 @@ struct net_proto_family;
+ struct sk_buff;
+ struct net;
+-void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info);
++void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info,
++               const struct ip_options *opt);
++static inline void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
++{
++      __icmp_send(skb_in, type, code, info, &IPCB(skb_in)->opt);
++}
++
+ int icmp_rcv(struct sk_buff *skb);
+ void icmp_err(struct sk_buff *skb, u32 info);
+ int icmp_init(void);
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -541,7 +541,8 @@ relookup_failed:
+  *                    MUST reply to only the first fragment.
+  */
+-void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
++void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info,
++               const struct ip_options *opt)
+ {
+       struct iphdr *iph;
+       int room;
+@@ -655,7 +656,7 @@ void icmp_send(struct sk_buff *skb_in, i
+                                         iph->tos;
+       mark = IP4_REPLY_MARK(net, skb_in->mark);
+-      if (ip_options_echo(&icmp_param->replyopts.opt.opt, skb_in))
++      if (__ip_options_echo(&icmp_param->replyopts.opt.opt, skb_in, opt))
+               goto out_unlock;
+@@ -707,7 +708,7 @@ out_free:
+       kfree(icmp_param);
+ out:;
+ }
+-EXPORT_SYMBOL(icmp_send);
++EXPORT_SYMBOL(__icmp_send);
+ static void icmp_socket_deliver(struct sk_buff *skb, u32 info)
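Review bot: `__icmp_send()` gains an `opt` parameter that is documented nowhere in the visible hunks, neither at the new prototype in include/net/icmp.h nor in the comment block that ends just above the definition in net/ipv4/icmp.c. Because `opt` is passed to `__ip_options_echo()` together with `skb_in`, it presumably has to describe the options of that same packet, and the inline `icmp_send()` wrapper silently takes them from `IPCB(skb_in)`. A comment at the prototype such as `/* opt: parsed IP options of skb_in; use this variant when IPCB(skb_in) may not be valid */` would state the contract for new callers. The body of `__icmp_send()` continues outside both icmp.c hunks.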
diff --git a/queue-3.18/net-avoid-use-ipcb-in-cipso_v4_error.patch b/queue-3.18/net-avoid-use-ipcb-in-cipso_v4_error.patch
new file mode 100644 (file)
index 0000000..d16f206
--- /dev/null
@@ -0,0 +1,103 @@
+From foo@baz Fri Mar  8 10:35:39 CET 2019
+From: Nazarov Sergey <s-nazarov@yandex.ru>
+Date: Mon, 25 Feb 2019 19:27:15 +0300
+Subject: net: avoid use IPCB in cipso_v4_error
+
+From: Nazarov Sergey <s-nazarov@yandex.ru>
+
+[ Upstream commit 3da1ed7ac398f34fff1694017a07054d69c5f5c5 ]
+
+Extract IP options in cipso_v4_error and use __icmp_send.
+
+Signed-off-by: Sergey Nazarov <s-nazarov@yandex.ru>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ip.h      |    2 ++
+ net/ipv4/cipso_ipv4.c |   17 +++++++++++++++--
+ net/ipv4/ip_options.c |   22 +++++++++++++++++-----
+ 3 files changed, 34 insertions(+), 7 deletions(-)
+
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -512,6 +512,8 @@ static inline int ip_options_echo(struct
+ }
+ void ip_options_fragment(struct sk_buff *skb);
++int __ip_options_compile(struct net *net, struct ip_options *opt,
++                       struct sk_buff *skb, __be32 *info);
+ int ip_options_compile(struct net *net, struct ip_options *opt,
+                      struct sk_buff *skb);
+ int ip_options_get(struct net *net, struct ip_options_rcu **optp,
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1803,13 +1803,26 @@ validate_return:
+  */
+ void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway)
+ {
++      unsigned char optbuf[sizeof(struct ip_options) + 40];
++      struct ip_options *opt = (struct ip_options *)optbuf;
++
+       if (ip_hdr(skb)->protocol == IPPROTO_ICMP || error != -EACCES)
+               return;
++      /*
++       * We might be called above the IP layer,
++       * so we can not use icmp_send and IPCB here.
++       */
++
++      memset(opt, 0, sizeof(struct ip_options));
++      opt->optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
++      if (__ip_options_compile(dev_net(skb->dev), opt, skb, NULL))
++              return;
++
+       if (gateway)
+-              icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0);
++              __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_NET_ANO, 0, opt);
+       else
+-              icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0);
++              __icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_ANO, 0, opt);
+ }
+ /**
+--- a/net/ipv4/ip_options.c
++++ b/net/ipv4/ip_options.c
+@@ -253,8 +253,9 @@ static void spec_dst_fill(__be32 *spec_d
+  * If opt == NULL, then skb->data should point to IP header.
+  */
+-int ip_options_compile(struct net *net,
+-                     struct ip_options *opt, struct sk_buff *skb)
++int __ip_options_compile(struct net *net,
++                       struct ip_options *opt, struct sk_buff *skb,
++                       __be32 *info)
+ {
+       __be32 spec_dst = htonl(INADDR_ANY);
+       unsigned char *pp_ptr = NULL;
+@@ -470,11 +471,22 @@ eol:
+               return 0;
+ error:
+-      if (skb) {
+-              icmp_send(skb, ICMP_PARAMETERPROB, 0, htonl((pp_ptr-iph)<<24));
+-      }
++      if (info)
++              *info = htonl((pp_ptr-iph)<<24);
+       return -EINVAL;
+ }
++
++int ip_options_compile(struct net *net,
++                     struct ip_options *opt, struct sk_buff *skb)
++{
++      int ret;
++      __be32 info;
++
++      ret = __ip_options_compile(net, opt, skb, &info);
++      if (ret != 0 && skb)
++              icmp_send(skb, ICMP_PARAMETERPROB, 0, info);
++      return ret;
++}
+ EXPORT_SYMBOL(ip_options_compile);
+ /*
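Review bot: In `cipso_v4_error()` the new call `__ip_options_compile(dev_net(skb->dev), opt, skb, NULL)` runs without an `rcu_read_lock()` of its own, although the comment added just above it says the function may be called above the IP layer, so the caller's locking context is not fixed. If option compilation reaches RCU-protected device or route state (most of its body is outside these hunks, so this needs confirming on the 3.18 tree), the call should be bracketed as in the excerpt below. Separately, the `+ 40` in `optbuf` is only sufficient because `optlen` is derived from a 4-bit `ihl`; a short comment or a named constant would make that bound checkable.

```c
void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway)
{
	/* … unchanged: optbuf / opt declarations … */
	int res;

	/* … unchanged: protocol/error guard, memset() and optlen setup … */

	rcu_read_lock();
	res = __ip_options_compile(dev_net(skb->dev), opt, skb, NULL);
	rcu_read_unlock();
	if (res)
		return;

	/* … unchanged: __icmp_send() calls … */
```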
diff --git a/queue-3.18/net-nfc-fix-null-dereference-on-nfc_llcp_build_tlv-fails.patch b/queue-3.18/net-nfc-fix-null-dereference-on-nfc_llcp_build_tlv-fails.patch
new file mode 100644 (file)
index 0000000..007cd5b
--- /dev/null
@@ -0,0 +1,156 @@
+From foo@baz Fri Mar  8 10:35:39 CET 2019
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Fri, 22 Feb 2019 15:37:58 +0800
+Subject: net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 58bdd544e2933a21a51eecf17c3f5f94038261b5 ]
+
+KASAN report this:
+
+BUG: KASAN: null-ptr-deref in nfc_llcp_build_gb+0x37f/0x540 [nfc]
+Read of size 3 at addr 0000000000000000 by task syz-executor.0/5401
+
+CPU: 0 PID: 5401 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xfa/0x1ce lib/dump_stack.c:113
+ kasan_report+0x171/0x18d mm/kasan/report.c:321
+ memcpy+0x1f/0x50 mm/kasan/common.c:130
+ nfc_llcp_build_gb+0x37f/0x540 [nfc]
+ nfc_llcp_register_device+0x6eb/0xb50 [nfc]
+ nfc_register_device+0x50/0x1d0 [nfc]
+ nfcsim_device_new+0x394/0x67d [nfcsim]
+ ? 0xffffffffc1080000
+ nfcsim_init+0x6b/0x1000 [nfcsim]
+ do_one_initcall+0xfa/0x5ca init/main.c:887
+ do_init_module+0x204/0x5f6 kernel/module.c:3460
+ load_module+0x66b2/0x8570 kernel/module.c:3808
+ __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
+ do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x462e99
+Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f9cb79dcc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
+RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
+RBP: 00007f9cb79dcc70 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9cb79dd6bc
+R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
+
+nfc_llcp_build_tlv will return NULL on fails, caller should check it,
+otherwise will trigger a NULL dereference.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: eda21f16a5ed ("NFC: Set MIU and RW values from CONNECT and CC LLCP frames")
+Fixes: d646960f7986 ("NFC: Initial LLCP support")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_commands.c |   20 ++++++++++++++++++++
+ net/nfc/llcp_core.c     |   24 ++++++++++++++++++++----
+ 2 files changed, 40 insertions(+), 4 deletions(-)
+
+--- a/net/nfc/llcp_commands.c
++++ b/net/nfc/llcp_commands.c
+@@ -418,6 +418,10 @@ int nfc_llcp_send_connect(struct nfc_llc
+                                                     sock->service_name,
+                                                     sock->service_name_len,
+                                                     &service_name_tlv_length);
++              if (!service_name_tlv) {
++                      err = -ENOMEM;
++                      goto error_tlv;
++              }
+               size += service_name_tlv_length;
+       }
+@@ -428,9 +432,17 @@ int nfc_llcp_send_connect(struct nfc_llc
+       miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
+                                     &miux_tlv_length);
++      if (!miux_tlv) {
++              err = -ENOMEM;
++              goto error_tlv;
++      }
+       size += miux_tlv_length;
+       rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length);
++      if (!rw_tlv) {
++              err = -ENOMEM;
++              goto error_tlv;
++      }
+       size += rw_tlv_length;
+       pr_debug("SKB size %d SN length %zu\n", size, sock->service_name_len);
+@@ -484,9 +496,17 @@ int nfc_llcp_send_cc(struct nfc_llcp_soc
+       miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&miux, 0,
+                                     &miux_tlv_length);
++      if (!miux_tlv) {
++              err = -ENOMEM;
++              goto error_tlv;
++      }
+       size += miux_tlv_length;
+       rw_tlv = nfc_llcp_build_tlv(LLCP_TLV_RW, &rw, 0, &rw_tlv_length);
++      if (!rw_tlv) {
++              err = -ENOMEM;
++              goto error_tlv;
++      }
+       size += rw_tlv_length;
+       skb = llcp_allocate_pdu(sock, LLCP_PDU_CC, size);
+--- a/net/nfc/llcp_core.c
++++ b/net/nfc/llcp_core.c
+@@ -531,10 +531,10 @@ static u8 nfc_llcp_reserve_sdp_ssap(stru
+ static int nfc_llcp_build_gb(struct nfc_llcp_local *local)
+ {
+-      u8 *gb_cur, *version_tlv, version, version_length;
+-      u8 *lto_tlv, lto_length;
+-      u8 *wks_tlv, wks_length;
+-      u8 *miux_tlv, miux_length;
++      u8 *gb_cur, version, version_length;
++      u8 lto_length, wks_length, miux_length;
++      u8 *version_tlv = NULL, *lto_tlv = NULL,
++         *wks_tlv = NULL, *miux_tlv = NULL;
+       __be16 wks = cpu_to_be16(local->local_wks);
+       u8 gb_len = 0;
+       int ret = 0;
+@@ -542,17 +542,33 @@ static int nfc_llcp_build_gb(struct nfc_
+       version = LLCP_VERSION_11;
+       version_tlv = nfc_llcp_build_tlv(LLCP_TLV_VERSION, &version,
+                                        1, &version_length);
++      if (!version_tlv) {
++              ret = -ENOMEM;
++              goto out;
++      }
+       gb_len += version_length;
+       lto_tlv = nfc_llcp_build_tlv(LLCP_TLV_LTO, &local->lto, 1, &lto_length);
++      if (!lto_tlv) {
++              ret = -ENOMEM;
++              goto out;
++      }
+       gb_len += lto_length;
+       pr_debug("Local wks 0x%lx\n", local->local_wks);
+       wks_tlv = nfc_llcp_build_tlv(LLCP_TLV_WKS, (u8 *)&wks, 2, &wks_length);
++      if (!wks_tlv) {
++              ret = -ENOMEM;
++              goto out;
++      }
+       gb_len += wks_length;
+       miux_tlv = nfc_llcp_build_tlv(LLCP_TLV_MIUX, (u8 *)&local->miux, 0,
+                                     &miux_length);
++      if (!miux_tlv) {
++              ret = -ENOMEM;
++              goto out;
++      }
+       gb_len += miux_length;
+       gb_len += ARRAY_SIZE(llcp_magic);
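Review bot: In `nfc_llcp_send_connect()` and `nfc_llcp_send_cc()` the new `goto error_tlv` exits can be taken before `miux_tlv` and `rw_tlv` have been assigned. They are therefore only safe if those pointers are NULL-initialised at their declarations and `error_tlv` frees them unconditionally; both the declarations and the label are outside the hunks. The `nfc_llcp_build_gb()` hunk needed exactly that change (`*version_tlv = NULL, *lto_tlv = NULL, ...`), so the same should be confirmed for the two send functions on this 3.18 tree. A comment at the first check, e.g. `/* error_tlv kfree()s every TLV pointer; they must start out NULL */`, would record the dependency.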
diff --git a/queue-3.18/net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch b/queue-3.18/net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch
new file mode 100644 (file)
index 0000000..e838faa
--- /dev/null
@@ -0,0 +1,109 @@
+From foo@baz Fri Mar  8 08:55:03 CET 2019
+From: Rajasingh Thavamani <T.Rajasingh@landisgyr.com>
+Date: Wed, 27 Feb 2019 17:43:19 +0530
+Subject: net: phy: Micrel KSZ8061: link failure after cable connect
+
+From: Rajasingh Thavamani <T.Rajasingh@landisgyr.com>
+
+[ Upstream commit 232ba3a51cc224b339c7114888ed7f0d4d95695e ]
+
+With Micrel KSZ8061 PHY, the link may occasionally not come up after
+Ethernet cable connect. The vendor's (Microchip, former Micrel) errata
+sheet 80000688A.pdf descripes the problem and possible workarounds in
+detail, see below.
+The batch implements workaround 1, which permanently fixes the issue.
+
+DESCRIPTION
+Link-up may not occur properly when the Ethernet cable is initially
+connected. This issue occurs more commonly when the cable is connected
+slowly, but it may occur any time a cable is connected. This issue occurs
+in the auto-negotiation circuit, and will not occur if auto-negotiation
+is disabled (which requires that the two link partners be set to the
+same speed and duplex).
+
+END USER IMPLICATIONS
+When this issue occurs, link is not established. Subsequent cable
+plug/unplaug cycle will not correct the issue.
+
+WORk AROUND
+There are four approaches to work around this issue:
+1. This issue can be prevented by setting bit 15 in MMD device address 1,
+   register 2, prior to connecting the cable or prior to setting the
+   Restart Auto-negotiation bit in register 0h. The MMD registers are
+   accessed via the indirect access registers Dh and Eh, or via the Micrel
+   EthUtil utility as shown here:
+   . if using the EthUtil utility (usually with a Micrel KSZ8061
+     Evaluation Board), type the following commands:
+     > address 1
+     > mmd 1
+     > iw 2 b61a
+   . Alternatively, write the following registers to write to the
+     indirect MMD register:
+     Write register Dh, data 0001h
+     Write register Eh, data 0002h
+     Write register Dh, data 4001h
+     Write register Eh, data B61Ah
+2. The issue can be avoided by disabling auto-negotiation in the KSZ8061,
+   either by the strapping option, or by clearing bit 12 in register 0h.
+   Care must be taken to ensure that the KSZ8061 and the link partner
+   will link with the same speed and duplex. Note that the KSZ8061
+   defaults to full-duplex when auto-negotiation is off, but other
+   devices may default to half-duplex in the event of failed
+   auto-negotiation.
+3. The issue can be avoided by connecting the cable prior to powering-up
+   or resetting the KSZ8061, and leaving it plugged in thereafter.
+4. If the above measures are not taken and the problem occurs, link can
+   be recovered by setting the Restart Auto-Negotiation bit in
+   register 0h, or by resetting or power cycling the device. Reset may
+   be either hardware reset or software reset (register 0h, bit 15).
+
+PLAN
+This errata will not be corrected in the future revision.
+
+Fixes: 7ab59dc15e2f ("drivers/net/phy/micrel_phy: Add support for new PHYs")
+Signed-off-by: Alexander Onnasch <alexander.onnasch@landisgyr.com>
+Signed-off-by: Rajasingh Thavamani <T.Rajasingh@landisgyr.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/micrel.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -27,6 +27,7 @@
+ #include <linux/micrel_phy.h>
+ #include <linux/of.h>
+ #include <linux/clk.h>
++#include <uapi/linux/mdio.h>
+ /* Operation Mode Strap Override */
+ #define MII_KSZPHY_OMSO                               0x16
+@@ -217,6 +218,17 @@ static int ks8051_config_init(struct phy
+       return rc < 0 ? rc : 0;
+ }
++static int ksz8061_config_init(struct phy_device *phydev)
++{
++      int ret;
++
++      ret = phy_write_mmd(phydev, MDIO_MMD_PMAPMD, MDIO_DEVID1, 0xB61A);
++      if (ret)
++              return ret;
++
++      return kszphy_config_init(phydev);
++}
++
+ static int ksz9021_load_values_from_of(struct phy_device *phydev,
+                                      struct device_node *of_node, u16 reg,
+                                      char *field1, char *field2,
+@@ -593,7 +605,7 @@ static struct phy_driver ksphy_driver[]
+       .phy_id_mask    = 0x00fffff0,
+       .features       = (PHY_BASIC_FEATURES | SUPPORTED_Pause),
+       .flags          = PHY_HAS_MAGICANEG | PHY_HAS_INTERRUPT,
+-      .config_init    = kszphy_config_init,
++      .config_init    = ksz8061_config_init,
+       .config_aneg    = genphy_config_aneg,
+       .read_status    = genphy_read_status,
+       .ack_interrupt  = kszphy_ack_interrupt,
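Review bot: `ksz8061_config_init()` now aborts PHY initialisation whenever the errata write fails, because `if (ret) return ret;` runs before `kszphy_config_init()`. The errata text in the description reaches the MMD register through the indirect registers Dh and Eh, so this backport depends on `phy_write_mmd()` in the 3.18 tree performing that indirect access for a PHY that is not clause 45; its implementation is not visible here and should be checked, otherwise every KSZ8061 would fail `config_init`. The magic value also deserves a comment such as `/* Errata 80000688A, workaround 1: set bit 15 in MMD 1, register 2 */`, since `MDIO_DEVID1` is used here only for its numeric value as register 2.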
diff --git a/queue-3.18/net-sit-fix-memory-leak-in-sit_init_net.patch b/queue-3.18/net-sit-fix-memory-leak-in-sit_init_net.patch
new file mode 100644 (file)
index 0000000..3ee83ea
--- /dev/null
@@ -0,0 +1,53 @@
+From foo@baz Fri Mar  8 10:35:39 CET 2019
+From: Mao Wenan <maowenan@huawei.com>
+Date: Fri, 1 Mar 2019 23:06:40 +0800
+Subject: net: sit: fix memory leak in sit_init_net()
+
+From: Mao Wenan <maowenan@huawei.com>
+
+[ Upstream commit 07f12b26e21ab359261bf75cfcb424fdc7daeb6d ]
+
+If register_netdev() is failed to register sitn->fb_tunnel_dev,
+it will go to err_reg_dev and forget to free netdev(sitn->fb_tunnel_dev).
+
+BUG: memory leak
+unreferenced object 0xffff888378daad00 (size 512):
+  comm "syz-executor.1", pid 4006, jiffies 4295121142 (age 16.115s)
+  hex dump (first 32 bytes):
+    00 e6 ed c0 83 88 ff ff 00 00 00 00 00 00 00 00  ................
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+backtrace:
+    [<00000000d6dcb63e>] kvmalloc include/linux/mm.h:577 [inline]
+    [<00000000d6dcb63e>] kvzalloc include/linux/mm.h:585 [inline]
+    [<00000000d6dcb63e>] netif_alloc_netdev_queues net/core/dev.c:8380 [inline]
+    [<00000000d6dcb63e>] alloc_netdev_mqs+0x600/0xcc0 net/core/dev.c:8970
+    [<00000000867e172f>] sit_init_net+0x295/0xa40 net/ipv6/sit.c:1848
+    [<00000000871019fa>] ops_init+0xad/0x3e0 net/core/net_namespace.c:129
+    [<00000000319507f6>] setup_net+0x2ba/0x690 net/core/net_namespace.c:314
+    [<0000000087db4f96>] copy_net_ns+0x1dc/0x330 net/core/net_namespace.c:437
+    [<0000000057efc651>] create_new_namespaces+0x382/0x730 kernel/nsproxy.c:107
+    [<00000000676f83de>] copy_namespaces+0x2ed/0x3d0 kernel/nsproxy.c:165
+    [<0000000030b74bac>] copy_process.part.27+0x231e/0x6db0 kernel/fork.c:1919
+    [<00000000fff78746>] copy_process kernel/fork.c:1713 [inline]
+    [<00000000fff78746>] _do_fork+0x1bc/0xe90 kernel/fork.c:2224
+    [<000000001c2e0d1c>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
+    [<00000000ec48bd44>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+    [<0000000039acff8a>] 0xffffffffffffffff
+
+Signed-off-by: Mao Wenan <maowenan@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/sit.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1841,6 +1841,7 @@ static int __net_init sit_init_net(struc
+ err_reg_dev:
+       ipip6_dev_free(sitn->fb_tunnel_dev);
++      free_netdev(sitn->fb_tunnel_dev);
+ err_alloc_dev:
+       return err;
+ }
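Review bot: The added `free_netdev(sitn->fb_tunnel_dev);` runs directly after `ipip6_dev_free(sitn->fb_tunnel_dev);` on the same pointer. On any tree where `ipip6_dev_free()` itself ends by releasing the net_device, this error path would free it twice. The body of `ipip6_dev_free()` is outside the hunk and the leak report in the description comes from the upstream tree, so the 3.18 definition has to be checked before this backport is queued. If the helper already frees the device there, the patch should be dropped for this queue rather than adapted.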
diff --git a/queue-3.18/net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch b/queue-3.18/net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch
new file mode 100644 (file)
index 0000000..b4ad148
--- /dev/null
@@ -0,0 +1,55 @@
+From foo@baz Fri Mar  8 10:35:39 CET 2019
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Sat, 2 Mar 2019 10:34:55 +0800
+Subject: net-sysfs: Fix mem leak in netdev_register_kobject
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 895a5e96dbd6386c8e78e5b78e067dcc67b7f0ab ]
+
+syzkaller report this:
+BUG: memory leak
+unreferenced object 0xffff88837a71a500 (size 256):
+  comm "syz-executor.2", pid 9770, jiffies 4297825125 (age 17.843s)
+  hex dump (first 32 bytes):
+    00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
+    ff ff ff ff ff ff ff ff 20 c0 ef 86 ff ff ff ff  ........ .......
+  backtrace:
+    [<00000000db12624b>] netdev_register_kobject+0x124/0x2e0 net/core/net-sysfs.c:1751
+    [<00000000dc49a994>] register_netdevice+0xcc1/0x1270 net/core/dev.c:8516
+    [<00000000e5f3fea0>] tun_set_iff drivers/net/tun.c:2649 [inline]
+    [<00000000e5f3fea0>] __tun_chr_ioctl+0x2218/0x3d20 drivers/net/tun.c:2883
+    [<000000001b8ac127>] vfs_ioctl fs/ioctl.c:46 [inline]
+    [<000000001b8ac127>] do_vfs_ioctl+0x1a5/0x10e0 fs/ioctl.c:690
+    [<0000000079b269f8>] ksys_ioctl+0x89/0xa0 fs/ioctl.c:705
+    [<00000000de649beb>] __do_sys_ioctl fs/ioctl.c:712 [inline]
+    [<00000000de649beb>] __se_sys_ioctl fs/ioctl.c:710 [inline]
+    [<00000000de649beb>] __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:710
+    [<000000007ebded1e>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
+    [<00000000db315d36>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+    [<00000000115be9bb>] 0xffffffffffffffff
+
+It should call kset_unregister to free 'dev->queues_kset'
+in error path of register_queue_kobjects, otherwise will cause a mem leak.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 1d24eb4815d1 ("xps: Transmit Packet Steering")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/net-sysfs.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/core/net-sysfs.c
++++ b/net/core/net-sysfs.c
+@@ -1241,6 +1241,9 @@ static int register_queue_kobjects(struc
+ error:
+       netdev_queue_update_kobjects(dev, txq, 0);
+       net_rx_queue_update_kobjects(dev, rxq, 0);
++#ifdef CONFIG_SYSFS
++      kset_unregister(dev->queues_kset);
++#endif
+       return error;
+ }
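Review bot: After `kset_unregister(dev->queues_kset);` the error path of `register_queue_kobjects()` returns with `dev->queues_kset` still holding the old pointer. Nothing visible in the hunk reads it afterwards, but adding `dev->queues_kset = NULL;` inside the same `#ifdef CONFIG_SYSFS` block would keep a later teardown path from touching a kset that has already been released. The rest of the function, including where the kset is created, is outside the hunk.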
diff --git a/queue-3.18/netlabel-fix-out-of-bounds-memory-accesses.patch b/queue-3.18/netlabel-fix-out-of-bounds-memory-accesses.patch
new file mode 100644 (file)
index 0000000..71dcf10
--- /dev/null
@@ -0,0 +1,50 @@
+From foo@baz Fri Mar  8 10:00:48 CET 2019
+From: Paul Moore <paul@paul-moore.com>
+Date: Mon, 25 Feb 2019 19:06:06 -0500
+Subject: netlabel: fix out-of-bounds memory accesses
+
+From: Paul Moore <paul@paul-moore.com>
+
+[ Upstream commit 5578de4834fe0f2a34fedc7374be691443396d1f ]
+
+There are two array out-of-bounds memory accesses, one in
+cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk().  Both
+errors are embarassingly simple, and the fixes are straightforward.
+
+As a FYI for anyone backporting this patch to kernels prior to v4.8,
+you'll want to apply the netlbl_bitmap_walk() patch to
+cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before
+Linux v4.8.
+
+Reported-by: Jann Horn <jannh@google.com>
+Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
+Fixes: 3faa8f982f95 ("netlabel: Move bitmap manipulation functions to the NetLabel core.")
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/cipso_ipv4.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -165,7 +165,8 @@ static int cipso_v4_bitmap_walk(const un
+                   (state == 0 && (byte & bitmask) == 0))
+                       return bit_spot;
+-              bit_spot++;
++              if (++bit_spot >= bitmap_len)
++                      return -1;
+               bitmask >>= 1;
+               if (bitmask == 0) {
+                       byte = bitmap[++byte_offset];
+@@ -735,7 +736,8 @@ static int cipso_v4_map_lvl_valid(const
+       case CIPSO_V4_MAP_PASS:
+               return 0;
+       case CIPSO_V4_MAP_TRANS:
+-              if (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL)
++              if ((level < doi_def->map.std->lvl.cipso_size) &&
++                  (doi_def->map.std->lvl.cipso[level] < CIPSO_V4_INV_LVL))
+                       return 0;
+               break;
+       }
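Review bot: The new bound check in `cipso_v4_bitmap_walk()` is only effective while it stays ahead of `byte = bitmap[++byte_offset];`, and nothing in the code says so. A comment above `if (++bit_spot >= bitmap_len)` such as `/* stop before the next byte load can pass the end of the bitmap */` would keep a later cleanup from reordering it. The function's setup before the loop is outside the hunk; if it loads a byte from `bitmap` using the caller's `offset`, that read is not covered by this check and is worth confirming separately. In `cipso_v4_map_lvl_valid()` the added `level < doi_def->map.std->lvl.cipso_size` test guards only the `CIPSO_V4_MAP_TRANS` lookup shown here.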
index 02da54b6e36ff43232f2732787fd78d6962cda9b..96d1adfce56584c7de2d54df11d4dd21b692679f 100644 (file)
@@ -41,3 +41,13 @@ kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch
 mmc-spi-fix-card-detection-during-probe.patch
 mm-enforce-min-addr-even-if-capable-in-expand_downwards.patch
 usb-serial-cp210x-add-id-for-ingenico-3070.patch
+net-sysfs-fix-mem-leak-in-netdev_register_kobject.patch
+sky2-disable-msi-on-dell-inspiron-1545-and-gateway-p-79.patch
+team-free-bpf-filter-when-unregistering-netdev.patch
+net-nfc-fix-null-dereference-on-nfc_llcp_build_tlv-fails.patch
+net-sit-fix-memory-leak-in-sit_init_net.patch
+net-add-__icmp_send-helper.patch
+net-avoid-use-ipcb-in-cipso_v4_error.patch
+net-phy-micrel-ksz8061-link-failure-after-cable-connect.patch
+netlabel-fix-out-of-bounds-memory-accesses.patch
+ip6mr-do-not-call-__ip6_inc_stats-from-preemptible-context.patch
diff --git a/queue-3.18/sky2-disable-msi-on-dell-inspiron-1545-and-gateway-p-79.patch b/queue-3.18/sky2-disable-msi-on-dell-inspiron-1545-and-gateway-p-79.patch
new file mode 100644 (file)
index 0000000..fe6af4c
--- /dev/null
@@ -0,0 +1,82 @@
+From foo@baz Fri Mar  8 10:35:39 CET 2019
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Mon, 4 Mar 2019 15:00:03 +0800
+Subject: sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit b33b7cd6fd86478dd2890a9abeb6f036aa01fdf7 ]
+
+Some sky2 chips fire IRQ after S3, before the driver is fully resumed:
+[ 686.804877] do_IRQ: 1.37 No irq handler for vector
+
+This is likely a platform bug that device isn't fully quiesced during
+S3. Use MSI-X, maskable MSI or INTx can prevent this issue from
+happening.
+
+Since MSI-X and maskable MSI are not supported by this device, fallback
+to use INTx on affected platforms.
+
+BugLink: https://bugs.launchpad.net/bugs/1807259
+BugLink: https://bugs.launchpad.net/bugs/1809843
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/sky2.c |   24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -46,6 +46,7 @@
+ #include <linux/mii.h>
+ #include <linux/of_device.h>
+ #include <linux/of_net.h>
++#include <linux/dmi.h>
+ #include <asm/irq.h>
+@@ -93,7 +94,7 @@ static int copybreak __read_mostly = 128
+ module_param(copybreak, int, 0);
+ MODULE_PARM_DESC(copybreak, "Receive copy threshold");
+-static int disable_msi = 0;
++static int disable_msi = -1;
+ module_param(disable_msi, int, 0);
+ MODULE_PARM_DESC(disable_msi, "Disable Message Signaled Interrupt (MSI)");
+@@ -4913,6 +4914,24 @@ static const char *sky2_name(u8 chipid,
+       return buf;
+ }
++static const struct dmi_system_id msi_blacklist[] = {
++      {
++              .ident = "Dell Inspiron 1545",
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1545"),
++              },
++      },
++      {
++              .ident = "Gateway P-79",
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "Gateway"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "P-79"),
++              },
++      },
++      {}
++};
++
+ static int sky2_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ {
+       struct net_device *dev, *dev1;
+@@ -5024,6 +5043,9 @@ static int sky2_probe(struct pci_dev *pd
+               goto err_out_free_pci;
+       }
++      if (disable_msi == -1)
++              disable_msi = !!dmi_check_system(msi_blacklist);
++
+       if (!disable_msi && pci_enable_msi(pdev) == 0) {
+               err = sky2_test_msi(hw);
+               if (err) {
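Review bot: The new default of `-1` for `disable_msi` is an undocumented third state: `MODULE_PARM_DESC` still reads "Disable Message Signaled Interrupt (MSI)", so nothing tells an administrator that leaving the parameter unset now means DMI auto-detection, or that passing `disable_msi=0` explicitly keeps MSI enabled even on the two listed machines. I would extend the description, e.g. `MODULE_PARM_DESC(disable_msi, "Disable Message Signaled Interrupt (MSI): 0=use MSI, non-zero=disable, -1=auto-detect by DMI (default)");`. The check at `if (disable_msi == -1)` also writes the result back to the module-wide variable, so the lookup runs on the first probe only and its result applies to every adapter probed later; that looks intended, since DMI data is system-wide, but a one-line comment there would make it explicit. sky2_probe's body starts and ends outside the hunk.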
diff --git a/queue-3.18/team-free-bpf-filter-when-unregistering-netdev.patch b/queue-3.18/team-free-bpf-filter-when-unregistering-netdev.patch
new file mode 100644 (file)
index 0000000..874abea
--- /dev/null
@@ -0,0 +1,99 @@
+From foo@baz Fri Mar  8 10:35:39 CET 2019
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Sun, 3 Mar 2019 07:35:51 +0000
+Subject: team: Free BPF filter when unregistering netdev
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 692c31bd4054212312396b1d303bffab2c5b93a7 ]
+
+When team is used in loadbalance mode a BPF filter can be used to
+provide a hash which will determine the Tx port.
+
+When the netdev is later unregistered the filter is not freed which
+results in memory leaks [1].
+
+Fix by freeing the program and the corresponding filter when
+unregistering the netdev.
+
+[1]
+unreferenced object 0xffff8881dbc47cc8 (size 16):
+  comm "teamd", pid 3068, jiffies 4294997779 (age 438.247s)
+  hex dump (first 16 bytes):
+    a3 00 6b 6b 6b 6b 6b 6b 88 a5 82 e1 81 88 ff ff  ..kkkkkk........
+  backtrace:
+    [<000000008a3b47e3>] team_nl_cmd_options_set+0x88f/0x11b0
+    [<00000000c4f4f27e>] genl_family_rcv_msg+0x78f/0x1080
+    [<00000000610ef838>] genl_rcv_msg+0xca/0x170
+    [<00000000a281df93>] netlink_rcv_skb+0x132/0x380
+    [<000000004d9448a2>] genl_rcv+0x29/0x40
+    [<000000000321b2f4>] netlink_unicast+0x4c0/0x690
+    [<000000008c25dffb>] netlink_sendmsg+0x929/0xe10
+    [<00000000068298c5>] sock_sendmsg+0xc8/0x110
+    [<0000000082a61ff0>] ___sys_sendmsg+0x77a/0x8f0
+    [<00000000663ae29d>] __sys_sendmsg+0xf7/0x250
+    [<0000000027c5f11a>] do_syscall_64+0x14d/0x610
+    [<000000006cfbc8d3>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+    [<00000000e23197e2>] 0xffffffffffffffff
+unreferenced object 0xffff8881e182a588 (size 2048):
+  comm "teamd", pid 3068, jiffies 4294997780 (age 438.247s)
+  hex dump (first 32 bytes):
+    20 00 00 00 02 00 00 00 30 00 00 00 28 f0 ff ff   .......0...(...
+    07 00 00 00 00 00 00 00 28 00 00 00 00 00 00 00  ........(.......
+  backtrace:
+    [<000000002daf01fb>] lb_bpf_func_set+0x45c/0x6d0
+    [<000000008a3b47e3>] team_nl_cmd_options_set+0x88f/0x11b0
+    [<00000000c4f4f27e>] genl_family_rcv_msg+0x78f/0x1080
+    [<00000000610ef838>] genl_rcv_msg+0xca/0x170
+    [<00000000a281df93>] netlink_rcv_skb+0x132/0x380
+    [<000000004d9448a2>] genl_rcv+0x29/0x40
+    [<000000000321b2f4>] netlink_unicast+0x4c0/0x690
+    [<000000008c25dffb>] netlink_sendmsg+0x929/0xe10
+    [<00000000068298c5>] sock_sendmsg+0xc8/0x110
+    [<0000000082a61ff0>] ___sys_sendmsg+0x77a/0x8f0
+    [<00000000663ae29d>] __sys_sendmsg+0xf7/0x250
+    [<0000000027c5f11a>] do_syscall_64+0x14d/0x610
+    [<000000006cfbc8d3>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+    [<00000000e23197e2>] 0xffffffffffffffff
+
+Fixes: 01d7f30a9f96 ("team: add loadbalance mode")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-by: Amit Cohen <amitc@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team_mode_loadbalance.c |   15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/net/team/team_mode_loadbalance.c
++++ b/drivers/net/team/team_mode_loadbalance.c
+@@ -305,6 +305,20 @@ static int lb_bpf_func_set(struct team *
+       return 0;
+ }
++static void lb_bpf_func_free(struct team *team)
++{
++      struct lb_priv *lb_priv = get_lb_priv(team);
++      struct bpf_prog *fp;
++
++      if (!lb_priv->ex->orig_fprog)
++              return;
++
++      __fprog_destroy(lb_priv->ex->orig_fprog);
++      fp = rcu_dereference_protected(lb_priv->fp,
++                                     lockdep_is_held(&team->lock));
++      bpf_prog_destroy(fp);
++}
++
+ static int lb_tx_method_get(struct team *team, struct team_gsetter_ctx *ctx)
+ {
+       struct lb_priv *lb_priv = get_lb_priv(team);
+@@ -619,6 +633,7 @@ static void lb_exit(struct team *team)
+       team_options_unregister(team, lb_options,
+                               ARRAY_SIZE(lb_options));
++      lb_bpf_func_free(team);
+       cancel_delayed_work_sync(&lb_priv->ex->stats.refresh_dw);
+       free_percpu(lb_priv->pcpu_stats);
+       kfree(lb_priv->ex);
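Review bot: `lb_bpf_func_free()` passes the program obtained from `rcu_dereference_protected(lb_priv->fp, ...)` to `bpf_prog_destroy()` without first clearing `lb_priv->fp` or waiting for a grace period, so the pointer is left dangling and any reader still inside an RCU read-side section could dereference a freed program. The hunk does not show whether the transmit path is already quiesced when `lb_exit()` runs, nor that `team->lock` is held there as the `lockdep_is_held()` annotation asserts; if both hold, the function should carry a comment saying so, e.g. `/* Called from lb_exit() with team->lock held and no transmit in flight, so no grace period is needed. */`. Independently, adding `RCU_INIT_POINTER(lb_priv->fp, NULL);` before `bpf_prog_destroy(fp);` would keep a stale pointer from surviving the teardown. lb_exit's body starts and ends outside the hunk.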