--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: Brian King <brking@linux.vnet.ibm.com>
+Date: Mon, 15 Jul 2019 16:41:50 -0500
+Subject: bnx2x: Prevent load reordering in tx completion processing
+
+From: Brian King <brking@linux.vnet.ibm.com>
+
+[ Upstream commit ea811b795df24644a8eb760b493c43fba4450677 ]
+
+This patch fixes an issue seen on Power systems with bnx2x which results
+in the skb is NULL WARN_ON in bnx2x_free_tx_pkt firing due to the skb
+pointer getting loaded in bnx2x_free_tx_pkt prior to the hw_cons
+load in bnx2x_tx_int. Adding a read memory barrier resolves the issue.
+
+Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -286,6 +286,9 @@ int bnx2x_tx_int(struct bnx2x *bp, struc
+ hw_cons = le16_to_cpu(*txdata->tx_cons_sb);
+ sw_cons = txdata->tx_pkt_cons;
+
++ /* Ensure subsequent loads occur after hw_cons */
++ smp_rmb();
++
+ while (sw_cons != hw_cons) {
+ u16 pkt_cons;
+
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: "Guilherme G. Piccoli" <gpiccoli@canonical.com>
+Date: Thu, 27 Jun 2019 13:31:33 -0300
+Subject: bnx2x: Prevent ptp_task to be rescheduled indefinitely
+
+From: "Guilherme G. Piccoli" <gpiccoli@canonical.com>
+
+[ Upstream commit 3c91f25c2f72ba6001775a5932857c1d2131c531 ]
+
+Currently bnx2x ptp worker tries to read a register with timestamp
+information in case of TX packet timestamping and in case it fails,
+the routine reschedules itself indefinitely. This was reported as a
+kworker always at 100% of CPU usage, which was narrowed down to be
+bnx2x ptp_task.
+
+By following the ioctl handler, we could narrow down the problem to
+an NTP tool (chrony) requesting HW timestamping from bnx2x NIC with
+RX filter zeroed; this isn't reproducible for example with ptp4l
+(from linuxptp) since this tool requests a supported RX filter.
+It seems NIC FW timestamp mechanism cannot work well with
+RX_FILTER_NONE - driver's PTP filter init routine skips a register
+write to the adapter if there's not a supported filter request.
+
+This patch addresses the problem of bnx2x ptp thread's everlasting
+reschedule by retrying the register read 10 times; between the read
+attempts the thread sleeps for an increasing amount of time starting
+in 1ms to give FW some time to perform the timestamping. If it still
+fails after all retries, we bail out in order to prevent an unbound
+resource consumption from bnx2x.
+
+The patch also adds an ethtool statistic for accounting the skipped
+TX timestamp packets and it reduces the priority of timestamping
+error messages to prevent log flooding. The code was tested using
+both linuxptp and chrony.
+
+Reported-and-tested-by: Przemyslaw Hausman <przemyslaw.hausman@canonical.com>
+Suggested-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Signed-off-by: Guilherme G. Piccoli <gpiccoli@canonical.com>
+Acked-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 5 ++-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 4 +-
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 33 ++++++++++++++------
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h | 3 +
+ 4 files changed, 34 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -3863,9 +3863,12 @@ netdev_tx_t bnx2x_start_xmit(struct sk_b
+
+ if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP)) {
+ if (!(bp->flags & TX_TIMESTAMPING_EN)) {
++ bp->eth_stats.ptp_skip_tx_ts++;
+ BNX2X_ERR("Tx timestamping was not enabled, this packet will not be timestamped\n");
+ } else if (bp->ptp_tx_skb) {
+- BNX2X_ERR("The device supports only a single outstanding packet to timestamp, this packet will not be timestamped\n");
++ bp->eth_stats.ptp_skip_tx_ts++;
++ netdev_err_once(bp->dev,
++ "Device supports only a single outstanding packet to timestamp, this packet won't be timestamped\n");
+ } else {
+ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
+ /* schedule check for Tx timestamp */
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c
+@@ -182,7 +182,9 @@ static const struct {
+ { STATS_OFFSET32(driver_filtered_tx_pkt),
+ 4, false, "driver_filtered_tx_pkt" },
+ { STATS_OFFSET32(eee_tx_lpi),
+- 4, true, "Tx LPI entry count"}
++ 4, true, "Tx LPI entry count"},
++ { STATS_OFFSET32(ptp_skip_tx_ts),
++ 4, false, "ptp_skipped_tx_tstamp" },
+ };
+
+ #define BNX2X_NUM_STATS ARRAY_SIZE(bnx2x_stats_arr)
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -15261,11 +15261,24 @@ static void bnx2x_ptp_task(struct work_s
+ u32 val_seq;
+ u64 timestamp, ns;
+ struct skb_shared_hwtstamps shhwtstamps;
++ bool bail = true;
++ int i;
+
+- /* Read Tx timestamp registers */
+- val_seq = REG_RD(bp, port ? NIG_REG_P1_TLLH_PTP_BUF_SEQID :
+- NIG_REG_P0_TLLH_PTP_BUF_SEQID);
+- if (val_seq & 0x10000) {
++ /* FW may take a while to complete timestamping; try a bit and if it's
++ * still not complete, may indicate an error state - bail out then.
++ */
++ for (i = 0; i < 10; i++) {
++ /* Read Tx timestamp registers */
++ val_seq = REG_RD(bp, port ? NIG_REG_P1_TLLH_PTP_BUF_SEQID :
++ NIG_REG_P0_TLLH_PTP_BUF_SEQID);
++ if (val_seq & 0x10000) {
++ bail = false;
++ break;
++ }
++ msleep(1 << i);
++ }
++
++ if (!bail) {
+ /* There is a valid timestamp value */
+ timestamp = REG_RD(bp, port ? NIG_REG_P1_TLLH_PTP_BUF_TS_MSB :
+ NIG_REG_P0_TLLH_PTP_BUF_TS_MSB);
+@@ -15280,16 +15293,18 @@ static void bnx2x_ptp_task(struct work_s
+ memset(&shhwtstamps, 0, sizeof(shhwtstamps));
+ shhwtstamps.hwtstamp = ns_to_ktime(ns);
+ skb_tstamp_tx(bp->ptp_tx_skb, &shhwtstamps);
+- dev_kfree_skb_any(bp->ptp_tx_skb);
+- bp->ptp_tx_skb = NULL;
+
+ DP(BNX2X_MSG_PTP, "Tx timestamp, timestamp cycles = %llu, ns = %llu\n",
+ timestamp, ns);
+ } else {
+- DP(BNX2X_MSG_PTP, "There is no valid Tx timestamp yet\n");
+- /* Reschedule to keep checking for a valid timestamp value */
+- schedule_work(&bp->ptp_task);
++ DP(BNX2X_MSG_PTP,
++ "Tx timestamp is not recorded (register read=%u)\n",
++ val_seq);
++ bp->eth_stats.ptp_skip_tx_ts++;
+ }
++
++ dev_kfree_skb_any(bp->ptp_tx_skb);
++ bp->ptp_tx_skb = NULL;
+ }
+
+ void bnx2x_set_rx_ts(struct bnx2x *bp, struct sk_buff *skb)
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.h
+@@ -207,6 +207,9 @@ struct bnx2x_eth_stats {
+ u32 driver_filtered_tx_pkt;
+ /* src: Clear-on-Read register; Will not survive PMF Migration */
+ u32 eee_tx_lpi;
++
++ /* PTP */
++ u32 ptp_skip_tx_ts;
+ };
+
+ struct bnx2x_eth_q_stats {
--- /dev/null
+From foo@baz Fri 26 Jul 2019 12:22:46 PM CEST
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 1 Jul 2019 20:40:24 -0700
+Subject: bonding: validate ip header before check IPPROTO_IGMP
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 9d1bc24b52fb8c5d859f9a47084bf1179470e04c ]
+
+bond_xmit_roundrobin() checks for IGMP packets but it parses
+the IP header even before checking skb->protocol.
+
+We should validate the IP header with pskb_may_pull() before
+using iph->protocol.
+
+Reported-and-tested-by: syzbot+e5be16aa39ad6e755391@syzkaller.appspotmail.com
+Fixes: a2fd940f4cff ("bonding: fix broken multicast with round-robin mode")
+Cc: Jay Vosburgh <j.vosburgh@gmail.com>
+Cc: Veaceslav Falico <vfalico@gmail.com>
+Cc: Andy Gospodarek <andy@greyhouse.net>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 37 +++++++++++++++++++++++--------------
+ 1 file changed, 23 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3788,8 +3788,8 @@ static u32 bond_rr_gen_slave_id(struct b
+ static int bond_xmit_roundrobin(struct sk_buff *skb, struct net_device *bond_dev)
+ {
+ struct bonding *bond = netdev_priv(bond_dev);
+- struct iphdr *iph = ip_hdr(skb);
+ struct slave *slave;
++ int slave_cnt;
+ u32 slave_id;
+
+ /* Start with the curr_active_slave that joined the bond as the
+@@ -3798,23 +3798,32 @@ static int bond_xmit_roundrobin(struct s
+ * send the join/membership reports. The curr_active_slave found
+ * will send all of this type of traffic.
+ */
+- if (iph->protocol == IPPROTO_IGMP && skb->protocol == htons(ETH_P_IP)) {
+- slave = rcu_dereference(bond->curr_active_slave);
+- if (slave)
+- bond_dev_queue_xmit(bond, skb, slave->dev);
+- else
+- bond_xmit_slave_id(bond, skb, 0);
+- } else {
+- int slave_cnt = ACCESS_ONCE(bond->slave_cnt);
++ if (skb->protocol == htons(ETH_P_IP)) {
++ int noff = skb_network_offset(skb);
++ struct iphdr *iph;
++
++ if (unlikely(!pskb_may_pull(skb, noff + sizeof(*iph))))
++ goto non_igmp;
+
+- if (likely(slave_cnt)) {
+- slave_id = bond_rr_gen_slave_id(bond);
+- bond_xmit_slave_id(bond, skb, slave_id % slave_cnt);
+- } else {
+- bond_tx_drop(bond_dev, skb);
++ iph = ip_hdr(skb);
++ if (iph->protocol == IPPROTO_IGMP) {
++ slave = rcu_dereference(bond->curr_active_slave);
++ if (slave)
++ bond_dev_queue_xmit(bond, skb, slave->dev);
++ else
++ bond_xmit_slave_id(bond, skb, 0);
++ return NETDEV_TX_OK;
+ }
+ }
+
++non_igmp:
++ slave_cnt = ACCESS_ONCE(bond->slave_cnt);
++ if (likely(slave_cnt)) {
++ slave_id = bond_rr_gen_slave_id(bond);
++ bond_xmit_slave_id(bond, skb, slave_id % slave_cnt);
++ } else {
++ bond_tx_drop(bond_dev, skb);
++ }
+ return NETDEV_TX_OK;
+ }
+
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Mon, 15 Jul 2019 14:10:17 +0900
+Subject: caif-hsi: fix possible deadlock in cfhsi_exit_module()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit fdd258d49e88a9e0b49ef04a506a796f1c768a8e ]
+
+cfhsi_exit_module() calls unregister_netdev() under rtnl_lock().
+but unregister_netdev() internally calls rtnl_lock().
+So deadlock would occur.
+
+Fixes: c41254006377 ("caif-hsi: Add rtnl support")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/caif/caif_hsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/caif/caif_hsi.c
++++ b/drivers/net/caif/caif_hsi.c
+@@ -1464,7 +1464,7 @@ static void __exit cfhsi_exit_module(voi
+ rtnl_lock();
+ list_for_each_safe(list_node, n, &cfhsi_list) {
+ cfhsi = list_entry(list_node, struct cfhsi, list);
+- unregister_netdev(cfhsi->ndev);
++ unregister_netdevice(cfhsi->ndev);
+ }
+ rtnl_unlock();
+ }
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 27 Jun 2019 01:27:01 -0700
+Subject: igmp: fix memory leak in igmpv3_del_delrec()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit e5b1c6c6277d5a283290a8c033c72544746f9b5b ]
+
+im->tomb and/or im->sources might not be NULL, but we
+currently overwrite their values blindly.
+
+Using swap() will make sure the following call to kfree_pmc(pmc)
+will properly free the psf structures.
+
+Tested with the C repro provided by syzbot, which basically does :
+
+ socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
+ setsockopt(3, SOL_IP, IP_ADD_MEMBERSHIP, "\340\0\0\2\177\0\0\1\0\0\0\0", 12) = 0
+ ioctl(3, SIOCSIFFLAGS, {ifr_name="lo", ifr_flags=0}) = 0
+ setsockopt(3, SOL_IP, IP_MSFILTER, "\340\0\0\2\177\0\0\1\1\0\0\0\1\0\0\0\377\377\377\377", 20) = 0
+ ioctl(3, SIOCSIFFLAGS, {ifr_name="lo", ifr_flags=IFF_UP}) = 0
+ exit_group(0) = ?
+
+BUG: memory leak
+unreferenced object 0xffff88811450f140 (size 64):
+ comm "softirq", pid 0, jiffies 4294942448 (age 32.070s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000c7bad083>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
+ [<00000000c7bad083>] slab_post_alloc_hook mm/slab.h:439 [inline]
+ [<00000000c7bad083>] slab_alloc mm/slab.c:3326 [inline]
+ [<00000000c7bad083>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
+ [<000000009acc4151>] kmalloc include/linux/slab.h:547 [inline]
+ [<000000009acc4151>] kzalloc include/linux/slab.h:742 [inline]
+ [<000000009acc4151>] ip_mc_add1_src net/ipv4/igmp.c:1976 [inline]
+ [<000000009acc4151>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2100
+ [<000000004ac14566>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2484
+ [<0000000052d8f995>] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:959
+ [<000000004ee1e21f>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1248
+ [<0000000066cdfe74>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2618
+ [<000000009383a786>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3126
+ [<00000000d8ac0c94>] __sys_setsockopt+0x98/0x120 net/socket.c:2072
+ [<000000001b1e9666>] __do_sys_setsockopt net/socket.c:2083 [inline]
+ [<000000001b1e9666>] __se_sys_setsockopt net/socket.c:2080 [inline]
+ [<000000001b1e9666>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2080
+ [<00000000420d395e>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
+ [<000000007fd83a4b>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info when set link down")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Hangbin Liu <liuhangbin@gmail.com>
+Reported-by: syzbot+6ca1abd0db68b5173a4f@syzkaller.appspotmail.com
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/igmp.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -1212,12 +1212,8 @@ static void igmpv3_del_delrec(struct in_
+ im->interface = pmc->interface;
+ im->crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
+ if (im->sfmode == MCAST_INCLUDE) {
+- im->tomb = pmc->tomb;
+- pmc->tomb = NULL;
+-
+- im->sources = pmc->sources;
+- pmc->sources = NULL;
+-
++ swap(im->tomb, pmc->tomb);
++ swap(im->sources, pmc->sources);
+ for (psf = im->sources; psf; psf = psf->sf_next)
+ psf->sf_crcount = im->crcount;
+ }
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: Matteo Croce <mcroce@redhat.com>
+Date: Mon, 1 Jul 2019 19:01:55 +0200
+Subject: ipv4: don't set IPv6 only flags to IPv4 addresses
+
+From: Matteo Croce <mcroce@redhat.com>
+
+[ Upstream commit 2e60546368165c2449564d71f6005dda9205b5fb ]
+
+Avoid the situation where an IPV6 only flag is applied to an IPv4 address:
+
+ # ip addr add 192.0.2.1/24 dev dummy0 nodad home mngtmpaddr noprefixroute
+ # ip -4 addr show dev dummy0
+ 2: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
+ inet 192.0.2.1/24 scope global noprefixroute dummy0
+ valid_lft forever preferred_lft forever
+
+Or worse, by sending a malicious netlink command:
+
+ # ip -4 addr show dev dummy0
+ 2: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
+ inet 192.0.2.1/24 scope global nodad optimistic dadfailed home tentative mngtmpaddr noprefixroute stable-privacy dummy0
+ valid_lft forever preferred_lft forever
+
+Signed-off-by: Matteo Croce <mcroce@redhat.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/devinet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -67,6 +67,11 @@
+
+ #include "fib_lookup.h"
+
++#define IPV6ONLY_FLAGS \
++ (IFA_F_NODAD | IFA_F_OPTIMISTIC | IFA_F_DADFAILED | \
++ IFA_F_HOMEADDRESS | IFA_F_TENTATIVE | \
++ IFA_F_MANAGETEMPADDR | IFA_F_STABLE_PRIVACY)
++
+ static struct ipv4_devconf ipv4_devconf = {
+ .data = {
+ [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1,
+@@ -453,6 +458,9 @@ static int __inet_insert_ifa(struct in_i
+ ifa->ifa_flags &= ~IFA_F_SECONDARY;
+ last_primary = &in_dev->ifa_list;
+
++ /* Don't set IPv6 only flags to IPv4 addresses */
++ ifa->ifa_flags &= ~IPV6ONLY_FLAGS;
++
+ for (ifap = &in_dev->ifa_list; (ifa1 = *ifap) != NULL;
+ ifap = &ifa1->ifa_next) {
+ if (!(ifa1->ifa_flags & IFA_F_SECONDARY) &&
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: Andreas Steinmetz <ast@domdv.de>
+Date: Sun, 30 Jun 2019 22:46:45 +0200
+Subject: macsec: fix checksumming after decryption
+
+From: Andreas Steinmetz <ast@domdv.de>
+
+[ Upstream commit 7d8b16b9facb0dd81d1469808dd9a575fa1d525a ]
+
+Fix checksumming after decryption.
+
+Signed-off-by: Andreas Steinmetz <ast@domdv.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -867,6 +867,7 @@ static void macsec_reset_skb(struct sk_b
+
+ static void macsec_finalize_skb(struct sk_buff *skb, u8 icv_len, u8 hdr_len)
+ {
++ skb->ip_summed = CHECKSUM_NONE;
+ memmove(skb->data + hdr_len, skb->data, 2 * ETH_ALEN);
+ skb_pull(skb, hdr_len);
+ pskb_trim_unique(skb, skb->len - icv_len);
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: Andreas Steinmetz <ast@domdv.de>
+Date: Sun, 30 Jun 2019 22:46:42 +0200
+Subject: macsec: fix use-after-free of skb during RX
+
+From: Andreas Steinmetz <ast@domdv.de>
+
+[ Upstream commit 095c02da80a41cf6d311c504d8955d6d1c2add10 ]
+
+Fix use-after-free of skb when rx_handler returns RX_HANDLER_PASS.
+
+Signed-off-by: Andreas Steinmetz <ast@domdv.de>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1105,10 +1105,9 @@ static rx_handler_result_t macsec_handle
+ }
+
+ skb = skb_unshare(skb, GFP_ATOMIC);
+- if (!skb) {
+- *pskb = NULL;
++ *pskb = skb;
++ if (!skb)
+ return RX_HANDLER_CONSUMED;
+- }
+
+ pulled_sci = pskb_may_pull(skb, macsec_extra_len(true));
+ if (!pulled_sci) {
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: Justin Chen <justinpopo6@gmail.com>
+Date: Wed, 17 Jul 2019 14:58:53 -0700
+Subject: net: bcmgenet: use promisc for unsupported filters
+
+From: Justin Chen <justinpopo6@gmail.com>
+
+[ Upstream commit 35cbef9863640f06107144687bd13151bc2e8ce3 ]
+
+Currently we silently ignore filters if we cannot meet the filter
+requirements. This will lead to the MAC dropping packets that are
+expected to pass. A better solution would be to set the NIC to promisc
+mode when the required filters cannot be met.
+
+Also correct the number of MDF filters supported. It should be 17,
+not 16.
+
+Signed-off-by: Justin Chen <justinpopo6@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 57 +++++++++++--------------
+ 1 file changed, 26 insertions(+), 31 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -3002,39 +3002,42 @@ static void bcmgenet_timeout(struct net_
+ netif_tx_wake_all_queues(dev);
+ }
+
+-#define MAX_MC_COUNT 16
++#define MAX_MDF_FILTER 17
+
+ static inline void bcmgenet_set_mdf_addr(struct bcmgenet_priv *priv,
+ unsigned char *addr,
+- int *i,
+- int *mc)
++ int *i)
+ {
+- u32 reg;
+-
+ bcmgenet_umac_writel(priv, addr[0] << 8 | addr[1],
+ UMAC_MDF_ADDR + (*i * 4));
+ bcmgenet_umac_writel(priv, addr[2] << 24 | addr[3] << 16 |
+ addr[4] << 8 | addr[5],
+ UMAC_MDF_ADDR + ((*i + 1) * 4));
+- reg = bcmgenet_umac_readl(priv, UMAC_MDF_CTRL);
+- reg |= (1 << (MAX_MC_COUNT - *mc));
+- bcmgenet_umac_writel(priv, reg, UMAC_MDF_CTRL);
+ *i += 2;
+- (*mc)++;
+ }
+
+ static void bcmgenet_set_rx_mode(struct net_device *dev)
+ {
+ struct bcmgenet_priv *priv = netdev_priv(dev);
+ struct netdev_hw_addr *ha;
+- int i, mc;
++ int i, nfilter;
+ u32 reg;
+
+ netif_dbg(priv, hw, dev, "%s: %08X\n", __func__, dev->flags);
+
+- /* Promiscuous mode */
++ /* Number of filters needed */
++ nfilter = netdev_uc_count(dev) + netdev_mc_count(dev) + 2;
++
++ /*
++ * Turn on promicuous mode for three scenarios
++ * 1. IFF_PROMISC flag is set
++ * 2. IFF_ALLMULTI flag is set
++ * 3. The number of filters needed exceeds the number filters
++ * supported by the hardware.
++ */
+ reg = bcmgenet_umac_readl(priv, UMAC_CMD);
+- if (dev->flags & IFF_PROMISC) {
++ if ((dev->flags & (IFF_PROMISC | IFF_ALLMULTI)) ||
++ (nfilter > MAX_MDF_FILTER)) {
+ reg |= CMD_PROMISC;
+ bcmgenet_umac_writel(priv, reg, UMAC_CMD);
+ bcmgenet_umac_writel(priv, 0, UMAC_MDF_CTRL);
+@@ -3044,32 +3047,24 @@ static void bcmgenet_set_rx_mode(struct
+ bcmgenet_umac_writel(priv, reg, UMAC_CMD);
+ }
+
+- /* UniMac doesn't support ALLMULTI */
+- if (dev->flags & IFF_ALLMULTI) {
+- netdev_warn(dev, "ALLMULTI is not supported\n");
+- return;
+- }
+-
+ /* update MDF filter */
+ i = 0;
+- mc = 0;
+ /* Broadcast */
+- bcmgenet_set_mdf_addr(priv, dev->broadcast, &i, &mc);
++ bcmgenet_set_mdf_addr(priv, dev->broadcast, &i);
+ /* my own address.*/
+- bcmgenet_set_mdf_addr(priv, dev->dev_addr, &i, &mc);
+- /* Unicast list*/
+- if (netdev_uc_count(dev) > (MAX_MC_COUNT - mc))
+- return;
++ bcmgenet_set_mdf_addr(priv, dev->dev_addr, &i);
+
+- if (!netdev_uc_empty(dev))
+- netdev_for_each_uc_addr(ha, dev)
+- bcmgenet_set_mdf_addr(priv, ha->addr, &i, &mc);
+- /* Multicast */
+- if (netdev_mc_empty(dev) || netdev_mc_count(dev) >= (MAX_MC_COUNT - mc))
+- return;
++ /* Unicast */
++ netdev_for_each_uc_addr(ha, dev)
++ bcmgenet_set_mdf_addr(priv, ha->addr, &i);
+
++ /* Multicast */
+ netdev_for_each_mc_addr(ha, dev)
+- bcmgenet_set_mdf_addr(priv, ha->addr, &i, &mc);
++ bcmgenet_set_mdf_addr(priv, ha->addr, &i);
++
++ /* Enable filters */
++ reg = GENMASK(MAX_MDF_FILTER - 1, MAX_MDF_FILTER - nfilter);
++ bcmgenet_umac_writel(priv, reg, UMAC_MDF_CTRL);
+ }
+
+ /* Set the hardware MAC address. */
--- /dev/null
+From foo@baz Fri 26 Jul 2019 11:17:03 AM CEST
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Tue, 2 Jul 2019 15:00:19 +0300
+Subject: net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit 3b26a5d03d35d8f732d75951218983c0f7f68dff ]
+
+We get a pointer to the ipv6 hdr in br_ip6_multicast_query but we may
+call pskb_may_pull afterwards and end up using a stale pointer.
+So use the header directly, it's just 1 place where it's needed.
+
+Fixes: 08b202b67264 ("bridge br_multicast: IPv6 MLD support.")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Tested-by: Martin Weinelt <martin@linuxlounge.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1379,7 +1379,6 @@ static int br_ip6_multicast_query(struct
+ struct sk_buff *skb,
+ u16 vid)
+ {
+- const struct ipv6hdr *ip6h = ipv6_hdr(skb);
+ struct mld_msg *mld;
+ struct net_bridge_mdb_entry *mp;
+ struct mld2_query *mld2q;
+@@ -1423,7 +1422,7 @@ static int br_ip6_multicast_query(struct
+
+ if (is_general_query) {
+ saddr.proto = htons(ETH_P_IPV6);
+- saddr.u.ip6 = ip6h->saddr;
++ saddr.u.ip6 = ipv6_hdr(skb)->saddr;
+
+ br_multicast_query_received(br, port, &br->ip6_other_query,
+ &saddr, max_delay);
--- /dev/null
+From foo@baz Fri 26 Jul 2019 11:17:03 AM CEST
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Tue, 2 Jul 2019 15:00:18 +0300
+Subject: net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit e57f61858b7cf478ed6fa23ed4b3876b1c9625c4 ]
+
+We take a pointer to grec prior to calling pskb_may_pull and use it
+afterwards to get nsrcs so record nsrcs before the pull when handling
+igmp3 and we get a pointer to nsrcs and call pskb_may_pull when handling
+mld2 which again could lead to reading 2 bytes out-of-bounds.
+
+ ==================================================================
+ BUG: KASAN: use-after-free in br_multicast_rcv+0x480c/0x4ad0 [bridge]
+ Read of size 2 at addr ffff8880421302b4 by task ksoftirqd/1/16
+
+ CPU: 1 PID: 16 Comm: ksoftirqd/1 Tainted: G OE 5.2.0-rc6+ #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+ Call Trace:
+ dump_stack+0x71/0xab
+ print_address_description+0x6a/0x280
+ ? br_multicast_rcv+0x480c/0x4ad0 [bridge]
+ __kasan_report+0x152/0x1aa
+ ? br_multicast_rcv+0x480c/0x4ad0 [bridge]
+ ? br_multicast_rcv+0x480c/0x4ad0 [bridge]
+ kasan_report+0xe/0x20
+ br_multicast_rcv+0x480c/0x4ad0 [bridge]
+ ? br_multicast_disable_port+0x150/0x150 [bridge]
+ ? ktime_get_with_offset+0xb4/0x150
+ ? __kasan_kmalloc.constprop.6+0xa6/0xf0
+ ? __netif_receive_skb+0x1b0/0x1b0
+ ? br_fdb_update+0x10e/0x6e0 [bridge]
+ ? br_handle_frame_finish+0x3c6/0x11d0 [bridge]
+ br_handle_frame_finish+0x3c6/0x11d0 [bridge]
+ ? br_pass_frame_up+0x3a0/0x3a0 [bridge]
+ ? virtnet_probe+0x1c80/0x1c80 [virtio_net]
+ br_handle_frame+0x731/0xd90 [bridge]
+ ? select_idle_sibling+0x25/0x7d0
+ ? br_handle_frame_finish+0x11d0/0x11d0 [bridge]
+ __netif_receive_skb_core+0xced/0x2d70
+ ? virtqueue_get_buf_ctx+0x230/0x1130 [virtio_ring]
+ ? do_xdp_generic+0x20/0x20
+ ? virtqueue_napi_complete+0x39/0x70 [virtio_net]
+ ? virtnet_poll+0x94d/0xc78 [virtio_net]
+ ? receive_buf+0x5120/0x5120 [virtio_net]
+ ? __netif_receive_skb_one_core+0x97/0x1d0
+ __netif_receive_skb_one_core+0x97/0x1d0
+ ? __netif_receive_skb_core+0x2d70/0x2d70
+ ? _raw_write_trylock+0x100/0x100
+ ? __queue_work+0x41e/0xbe0
+ process_backlog+0x19c/0x650
+ ? _raw_read_lock_irq+0x40/0x40
+ net_rx_action+0x71e/0xbc0
+ ? __switch_to_asm+0x40/0x70
+ ? napi_complete_done+0x360/0x360
+ ? __switch_to_asm+0x34/0x70
+ ? __switch_to_asm+0x40/0x70
+ ? __schedule+0x85e/0x14d0
+ __do_softirq+0x1db/0x5f9
+ ? takeover_tasklets+0x5f0/0x5f0
+ run_ksoftirqd+0x26/0x40
+ smpboot_thread_fn+0x443/0x680
+ ? sort_range+0x20/0x20
+ ? schedule+0x94/0x210
+ ? __kthread_parkme+0x78/0xf0
+ ? sort_range+0x20/0x20
+ kthread+0x2ae/0x3a0
+ ? kthread_create_worker_on_cpu+0xc0/0xc0
+ ret_from_fork+0x35/0x40
+
+ The buggy address belongs to the page:
+ page:ffffea0001084c00 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0
+ flags: 0xffffc000000000()
+ raw: 00ffffc000000000 ffffea0000cfca08 ffffea0001098608 0000000000000000
+ raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+ ffff888042130180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff888042130200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ > ffff888042130280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ^
+ ffff888042130300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ffff888042130380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+ ==================================================================
+ Disabling lock debugging due to kernel taint
+
+Fixes: bc8c20acaea1 ("bridge: multicast: treat igmpv3 report with INCLUDE and no sources as a leave")
+Reported-by: Martin Weinelt <martin@linuxlounge.net>
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Tested-by: Martin Weinelt <martin@linuxlounge.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1036,6 +1036,7 @@ static int br_ip4_multicast_igmp3_report
+ int type;
+ int err = 0;
+ __be32 group;
++ u16 nsrcs;
+
+ ih = igmpv3_report_hdr(skb);
+ num = ntohs(ih->ngrec);
+@@ -1049,8 +1050,9 @@ static int br_ip4_multicast_igmp3_report
+ grec = (void *)(skb->data + len - sizeof(*grec));
+ group = grec->grec_mca;
+ type = grec->grec_type;
++ nsrcs = ntohs(grec->grec_nsrcs);
+
+- len += ntohs(grec->grec_nsrcs) * 4;
++ len += nsrcs * 4;
+ if (!pskb_may_pull(skb, len))
+ return -EINVAL;
+
+@@ -1070,7 +1072,7 @@ static int br_ip4_multicast_igmp3_report
+
+ if ((type == IGMPV3_CHANGE_TO_INCLUDE ||
+ type == IGMPV3_MODE_IS_INCLUDE) &&
+- ntohs(grec->grec_nsrcs) == 0) {
++ nsrcs == 0) {
+ br_ip4_multicast_leave_group(br, port, group, vid);
+ } else {
+ err = br_ip4_multicast_add_group(br, port, group, vid);
+@@ -1103,23 +1105,26 @@ static int br_ip6_multicast_mld2_report(
+ len = skb_transport_offset(skb) + sizeof(*icmp6h);
+
+ for (i = 0; i < num; i++) {
+- __be16 *nsrcs, _nsrcs;
++ __be16 *_nsrcs, __nsrcs;
++ u16 nsrcs;
+
+- nsrcs = skb_header_pointer(skb,
+- len + offsetof(struct mld2_grec,
+- grec_nsrcs),
+- sizeof(_nsrcs), &_nsrcs);
+- if (!nsrcs)
++ _nsrcs = skb_header_pointer(skb,
++ len + offsetof(struct mld2_grec,
++ grec_nsrcs),
++ sizeof(__nsrcs), &__nsrcs);
++ if (!_nsrcs)
+ return -EINVAL;
+
++ nsrcs = ntohs(*_nsrcs);
++
+ if (!pskb_may_pull(skb,
+ len + sizeof(*grec) +
+- sizeof(struct in6_addr) * ntohs(*nsrcs)))
++ sizeof(struct in6_addr) * nsrcs))
+ return -EINVAL;
+
+ grec = (struct mld2_grec *)(skb->data + len);
+ len += sizeof(*grec) +
+- sizeof(struct in6_addr) * ntohs(*nsrcs);
++ sizeof(struct in6_addr) * nsrcs;
+
+ /* We treat these as MLDv1 reports for now. */
+ switch (grec->grec_type) {
+@@ -1137,7 +1142,7 @@ static int br_ip6_multicast_mld2_report(
+
+ if ((grec->grec_type == MLD2_CHANGE_TO_INCLUDE ||
+ grec->grec_type == MLD2_MODE_IS_INCLUDE) &&
+- ntohs(*nsrcs) == 0) {
++ nsrcs == 0) {
+ br_ip6_multicast_leave_group(br, port, &grec->grec_mca,
+ vid);
+ } else {
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Tue, 2 Jul 2019 15:00:21 +0300
+Subject: net: bridge: stp: don't cache eth dest pointer before skb pull
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit 2446a68ae6a8cee6d480e2f5b52f5007c7c41312 ]
+
+Don't cache eth dest pointer before calling pskb_may_pull.
+
+Fixes: cf0f02d04a83 ("[BRIDGE]: use llc for receiving STP packets")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_stp_bpdu.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/bridge/br_stp_bpdu.c
++++ b/net/bridge/br_stp_bpdu.c
+@@ -147,7 +147,6 @@ void br_send_tcn_bpdu(struct net_bridge_
+ void br_stp_rcv(const struct stp_proto *proto, struct sk_buff *skb,
+ struct net_device *dev)
+ {
+- const unsigned char *dest = eth_hdr(skb)->h_dest;
+ struct net_bridge_port *p;
+ struct net_bridge *br;
+ const unsigned char *buf;
+@@ -176,7 +175,7 @@ void br_stp_rcv(const struct stp_proto *
+ if (p->state == BR_STATE_DISABLED)
+ goto out;
+
+- if (!ether_addr_equal(dest, br->group_addr))
++ if (!ether_addr_equal(eth_hdr(skb)->h_dest, br->group_addr))
+ goto out;
+
+ if (p->flags & BR_BPDU_GUARD) {
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Thu, 27 Jun 2019 21:17:39 +0300
+Subject: net: dsa: mv88e6xxx: wait after reset deactivation
+
+From: Baruch Siach <baruch@tkos.co.il>
+
+[ Upstream commit 7b75e49de424ceb53d13e60f35d0a73765626fda ]
+
+Add a 1ms delay after reset deactivation. Otherwise the chip returns
+bogus ID value. This is observed with 88E6390 (Peridot) chip.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3846,6 +3846,8 @@ static int mv88e6xxx_probe(struct mdio_d
+ mv88e6xxx_mdio_unregister(chip);
+ return err;
+ }
++ if (chip->reset)
++ usleep_range(1000, 2000);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Fri 26 Jul 2019 12:22:46 PM CEST
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 26 Jun 2019 20:40:45 +0200
+Subject: net: make skb_dst_force return true when dst is refcounted
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit b60a77386b1d4868f72f6353d35dabe5fbe981f2 ]
+
+netfilter did not expect that skb_dst_force() can cause skb to lose its
+dst entry.
+
+I got a bug report with a skb->dst NULL dereference in netfilter
+output path. The backtrace contains nf_reinject(), so the dst might have
+been cleared when skb got queued to userspace.
+
+Other users were fixed via
+if (skb_dst(skb)) {
+ skb_dst_force(skb);
+ if (!skb_dst(skb))
+ goto handle_err;
+}
+
+But I think its preferable to make the 'dst might be cleared' part
+of the function explicit.
+
+In netfilter case, skb with a null dst is expected when queueing in
+prerouting hook, so drop skb for the other hooks.
+
+v2:
+ v1 of this patch returned true in case skb had no dst entry.
+ Eric said:
+ Say if we have two skb_dst_force() calls for some reason
+ on the same skb, only the first one will return false.
+
+ This now returns false even when skb had no dst, as per Erics
+ suggestion, so callers might need to check skb_dst() first before
+ skb_dst_force().
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/dst.h | 5 ++++-
+ net/netfilter/nf_queue.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/include/net/dst.h
++++ b/include/net/dst.h
+@@ -315,14 +315,17 @@ static inline void skb_dst_copy(struct s
+ * @skb: buffer
+ *
+ * If dst is not yet refcounted, let's do it
++ * Returns true if dst is refcounted.
+ */
+-static inline void skb_dst_force(struct sk_buff *skb)
++static inline bool skb_dst_force(struct sk_buff *skb)
+ {
+ if (skb_dst_is_noref(skb)) {
+ WARN_ON(!rcu_read_lock_held());
+ skb->_skb_refdst &= ~SKB_DST_NOREF;
+ dst_clone(skb_dst(skb));
+ }
++
++ return skb->_skb_refdst != 0UL;
+ }
+
+ /**
+--- a/net/netfilter/nf_queue.c
++++ b/net/netfilter/nf_queue.c
+@@ -133,6 +133,11 @@ static int __nf_queue(struct sk_buff *sk
+ goto err;
+ }
+
++ if (!skb_dst_force(skb) && state->hook != NF_INET_PRE_ROUTING) {
++ status = -ENETDOWN;
++ goto err;
++ }
++
+ *entry = (struct nf_queue_entry) {
+ .skb = skb,
+ .state = *state,
+@@ -140,7 +145,6 @@ static int __nf_queue(struct sk_buff *sk
+ };
+
+ nf_queue_entry_get_refs(entry);
+- skb_dst_force(skb);
+ afinfo->saveroute(skb, entry);
+ status = qh->outfn(entry, queuenum);
+
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Date: Sun, 14 Jul 2019 23:36:11 +0200
+Subject: net: neigh: fix multiple neigh timer scheduling
+
+From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+
+[ Upstream commit 071c37983d99da07797294ea78e9da1a6e287144 ]
+
+Neigh timer can be scheduled multiple times from userspace adding
+multiple neigh entries and forcing the neigh timer scheduling passing
+NTF_USE in the netlink requests.
+This will result in a refcount leak and in the following dump stack:
+
+[ 32.465295] NEIGH: BUG, double timer add, state is 8
+[ 32.465308] CPU: 0 PID: 416 Comm: double_timer_ad Not tainted 5.2.0+ #65
+[ 32.465311] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014
+[ 32.465313] Call Trace:
+[ 32.465318] dump_stack+0x7c/0xc0
+[ 32.465323] __neigh_event_send+0x20c/0x880
+[ 32.465326] ? ___neigh_create+0x846/0xfb0
+[ 32.465329] ? neigh_lookup+0x2a9/0x410
+[ 32.465332] ? neightbl_fill_info.constprop.0+0x800/0x800
+[ 32.465334] neigh_add+0x4f8/0x5e0
+[ 32.465337] ? neigh_xmit+0x620/0x620
+[ 32.465341] ? find_held_lock+0x85/0xa0
+[ 32.465345] rtnetlink_rcv_msg+0x204/0x570
+[ 32.465348] ? rtnl_dellink+0x450/0x450
+[ 32.465351] ? mark_held_locks+0x90/0x90
+[ 32.465354] ? match_held_lock+0x1b/0x230
+[ 32.465357] netlink_rcv_skb+0xc4/0x1d0
+[ 32.465360] ? rtnl_dellink+0x450/0x450
+[ 32.465363] ? netlink_ack+0x420/0x420
+[ 32.465366] ? netlink_deliver_tap+0x115/0x560
+[ 32.465369] ? __alloc_skb+0xc9/0x2f0
+[ 32.465372] netlink_unicast+0x270/0x330
+[ 32.465375] ? netlink_attachskb+0x2f0/0x2f0
+[ 32.465378] netlink_sendmsg+0x34f/0x5a0
+[ 32.465381] ? netlink_unicast+0x330/0x330
+[ 32.465385] ? move_addr_to_kernel.part.0+0x20/0x20
+[ 32.465388] ? netlink_unicast+0x330/0x330
+[ 32.465391] sock_sendmsg+0x91/0xa0
+[ 32.465394] ___sys_sendmsg+0x407/0x480
+[ 32.465397] ? copy_msghdr_from_user+0x200/0x200
+[ 32.465401] ? _raw_spin_unlock_irqrestore+0x37/0x40
+[ 32.465404] ? lockdep_hardirqs_on+0x17d/0x250
+[ 32.465407] ? __wake_up_common_lock+0xcb/0x110
+[ 32.465410] ? __wake_up_common+0x230/0x230
+[ 32.465413] ? netlink_bind+0x3e1/0x490
+[ 32.465416] ? netlink_setsockopt+0x540/0x540
+[ 32.465420] ? __fget_light+0x9c/0xf0
+[ 32.465423] ? sockfd_lookup_light+0x8c/0xb0
+[ 32.465426] __sys_sendmsg+0xa5/0x110
+[ 32.465429] ? __ia32_sys_shutdown+0x30/0x30
+[ 32.465432] ? __fd_install+0xe1/0x2c0
+[ 32.465435] ? lockdep_hardirqs_off+0xb5/0x100
+[ 32.465438] ? mark_held_locks+0x24/0x90
+[ 32.465441] ? do_syscall_64+0xf/0x270
+[ 32.465444] do_syscall_64+0x63/0x270
+[ 32.465448] entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fix the issue unscheduling neigh_timer if selected entry is in 'IN_TIMER'
+receiving a netlink request with NTF_USE flag set
+
+Reported-by: Marek Majkowski <marek@cloudflare.com>
+Fixes: 0c5c2d308906 ("neigh: Allow for user space users of the neighbour table")
+Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -982,6 +982,7 @@ int __neigh_event_send(struct neighbour
+
+ atomic_set(&neigh->probes,
+ NEIGH_VAR(neigh->parms, UCAST_PROBES));
++ neigh_del_timer(neigh);
+ neigh->nud_state = NUD_INCOMPLETE;
+ neigh->updated = now;
+ next = now + max(NEIGH_VAR(neigh->parms, RETRANS_TIME),
+@@ -998,6 +999,7 @@ int __neigh_event_send(struct neighbour
+ }
+ } else if (neigh->nud_state & NUD_STALE) {
+ neigh_dbg(2, "neigh %p is delayed\n", neigh);
++ neigh_del_timer(neigh);
+ neigh->nud_state = NUD_DELAY;
+ neigh->updated = jiffies;
+ neigh_add_timer(neigh, jiffies +
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: John Hurley <john.hurley@netronome.com>
+Date: Thu, 27 Jun 2019 14:37:30 +0100
+Subject: net: openvswitch: fix csum updates for MPLS actions
+
+From: John Hurley <john.hurley@netronome.com>
+
+[ Upstream commit 0e3183cd2a64843a95b62f8bd4a83605a4cf0615 ]
+
+Skbs may have their checksum value populated by HW. If this is a checksum
+calculated over the entire packet then the CHECKSUM_COMPLETE field is
+marked. Changes to the data pointer on the skb throughout the network
+stack still try to maintain this complete csum value if it is required
+through functions such as skb_postpush_rcsum.
+
+The MPLS actions in Open vSwitch modify a CHECKSUM_COMPLETE value when
+changes are made to packet data without a push or a pull. This occurs when
+the ethertype of the MAC header is changed or when MPLS lse fields are
+modified.
+
+The modification is carried out using the csum_partial function to get the
+csum of a buffer and add it into the larger checksum. The buffer is an
+inversion of the data to be removed followed by the new data. Because the
+csum is calculated over 16 bits and these values align with 16 bits, the
+effect is the removal of the old value from the CHECKSUM_COMPLETE and
+addition of the new value.
+
+However, the csum fed into the function and the outcome of the
+calculation are also inverted. This would only make sense if it was the
+new value rather than the old that was inverted in the input buffer.
+
+Fix the issue by removing the bit inverts in the csum_partial calculation.
+
+The bug was verified and the fix tested by comparing the folded value of
+the updated CHECKSUM_COMPLETE value with the folded value of a full
+software checksum calculation (reset skb->csum to 0 and run
+skb_checksum_complete(skb)). Prior to the fix the outcomes differed but
+after they produce the same result.
+
+Fixes: 25cd9ba0abc0 ("openvswitch: Add basic MPLS support to kernel")
+Fixes: bc7cc5999fd3 ("openvswitch: update checksum in {push,pop}_mpls")
+Signed-off-by: John Hurley <john.hurley@netronome.com>
+Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Simon Horman <simon.horman@netronome.com>
+Acked-by: Pravin B Shelar <pshelar@ovn.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/actions.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -150,8 +150,7 @@ static void update_ethertype(struct sk_b
+ if (skb->ip_summed == CHECKSUM_COMPLETE) {
+ __be16 diff[] = { ~(hdr->h_proto), ethertype };
+
+- skb->csum = ~csum_partial((char *)diff, sizeof(diff),
+- ~skb->csum);
++ skb->csum = csum_partial((char *)diff, sizeof(diff), skb->csum);
+ }
+
+ hdr->h_proto = ethertype;
+@@ -239,8 +238,7 @@ static int set_mpls(struct sk_buff *skb,
+ if (skb->ip_summed == CHECKSUM_COMPLETE) {
+ __be32 diff[] = { ~(stack->label_stack_entry), lse };
+
+- skb->csum = ~csum_partial((char *)diff, sizeof(diff),
+- ~skb->csum);
++ skb->csum = csum_partial((char *)diff, sizeof(diff), skb->csum);
+ }
+
+ stack->label_stack_entry = lse;
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 27 Jun 2019 14:30:58 -0700
+Subject: netrom: fix a memory leak in nr_rx_frame()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit c8c8218ec5af5d2598381883acbefbf604e56b5e ]
+
+When the skb is associated with a new sock, just assigning
+it to skb->sk is not sufficient, we have to set its destructor
+to free the sock properly too.
+
+Reported-by: syzbot+d6636a36d3c34bd88938@syzkaller.appspotmail.com
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netrom/af_netrom.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -870,7 +870,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+ unsigned short frametype, flags, window, timeout;
+ int ret;
+
+- skb->sk = NULL; /* Initially we don't know who it's for */
++ skb_orphan(skb);
+
+ /*
+ * skb->data points to the netrom frame start
+@@ -969,6 +969,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+ window = skb->data[20];
+
+ skb->sk = make;
++ skb->destructor = sock_efree;
+ make->sk_state = TCP_ESTABLISHED;
+
+ /* Fill in his circuit details */
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 22 Jul 2019 20:41:22 -0700
+Subject: netrom: hold sock when setting skb->destructor
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 4638faac032756f7eab5524be7be56bee77e426b ]
+
+sock_efree() releases the sock refcnt, if we don't hold this refcnt
+when setting skb->destructor to it, the refcnt would not be balanced.
+This leads to several bug reports from syzbot.
+
+I have checked other users of sock_efree(), all of them hold the
+sock refcnt.
+
+Fixes: c8c8218ec5af ("netrom: fix a memory leak in nr_rx_frame()")
+Reported-and-tested-by: <syzbot+622bdabb128acc33427d@syzkaller.appspotmail.com>
+Reported-and-tested-by: <syzbot+6eaef7158b19e3fec3a0@syzkaller.appspotmail.com>
+Reported-and-tested-by: <syzbot+9399c158fcc09b21d0d2@syzkaller.appspotmail.com>
+Reported-and-tested-by: <syzbot+a34e5f3d0300163f0c87@syzkaller.appspotmail.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netrom/af_netrom.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netrom/af_netrom.c
++++ b/net/netrom/af_netrom.c
+@@ -968,6 +968,7 @@ int nr_rx_frame(struct sk_buff *skb, str
+
+ window = skb->data[20];
+
++ sock_hold(make);
+ skb->sk = make;
+ skb->destructor = sock_efree;
+ make->sk_state = TCP_ESTABLISHED;
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: Yang Wei <albin_yang@163.com>
+Date: Mon, 8 Jul 2019 22:57:39 +0800
+Subject: nfc: fix potential illegal memory access
+
+From: Yang Wei <albin_yang@163.com>
+
+[ Upstream commit dd006fc434e107ef90f7de0db9907cbc1c521645 ]
+
+The frags_q is not properly initialized, it may result in illegal memory
+access when conn_info is NULL.
+The "goto free_exit" should be replaced by "goto exit".
+
+Signed-off-by: Yang Wei <albin_yang@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/nci/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/nfc/nci/data.c
++++ b/net/nfc/nci/data.c
+@@ -119,7 +119,7 @@ static int nci_queue_tx_data_frags(struc
+ conn_info = nci_get_conn_info_by_conn_id(ndev, conn_id);
+ if (!conn_info) {
+ rc = -EPROTO;
+- goto free_exit;
++ goto exit;
+ }
+
+ __skb_queue_head_init(&frags_q);
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: David Howells <dhowells@redhat.com>
+Date: Tue, 2 Jul 2019 15:59:12 +0100
+Subject: rxrpc: Fix send on a connected, but unbound socket
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit e835ada07091f40dcfb1bc735082bd0a7c005e59 ]
+
+If sendmsg() or sendmmsg() is called on a connected socket that hasn't had
+bind() called on it, then an oops will occur when the kernel tries to
+connect the call because no local endpoint has been allocated.
+
+Fix this by implicitly binding the socket if it is in the
+RXRPC_CLIENT_UNBOUND state, just like it does for the RXRPC_UNBOUND state.
+
+Further, the state should be transitioned to RXRPC_CLIENT_BOUND after this
+to prevent further attempts to bind it.
+
+This can be tested with:
+
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <sys/socket.h>
+ #include <arpa/inet.h>
+ #include <linux/rxrpc.h>
+ static const unsigned char inet6_addr[16] = {
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, -1, -1, 0xac, 0x14, 0x14, 0xaa
+ };
+ int main(void)
+ {
+ struct sockaddr_rxrpc srx;
+ struct cmsghdr *cm;
+ struct msghdr msg;
+ unsigned char control[16];
+ int fd;
+ memset(&srx, 0, sizeof(srx));
+ srx.srx_family = 0x21;
+ srx.srx_service = 0;
+ srx.transport_type = AF_INET;
+ srx.transport_len = 0x1c;
+ srx.transport.sin6.sin6_family = AF_INET6;
+ srx.transport.sin6.sin6_port = htons(0x4e22);
+ srx.transport.sin6.sin6_flowinfo = htons(0x4e22);
+ srx.transport.sin6.sin6_scope_id = htons(0xaa3b);
+ memcpy(&srx.transport.sin6.sin6_addr, inet6_addr, 16);
+ cm = (struct cmsghdr *)control;
+ cm->cmsg_len = CMSG_LEN(sizeof(unsigned long));
+ cm->cmsg_level = SOL_RXRPC;
+ cm->cmsg_type = RXRPC_USER_CALL_ID;
+ *(unsigned long *)CMSG_DATA(cm) = 0;
+ msg.msg_name = NULL;
+ msg.msg_namelen = 0;
+ msg.msg_iov = NULL;
+ msg.msg_iovlen = 0;
+ msg.msg_control = control;
+ msg.msg_controllen = cm->cmsg_len;
+ msg.msg_flags = 0;
+ fd = socket(AF_RXRPC, SOCK_DGRAM, AF_INET);
+ connect(fd, (struct sockaddr *)&srx, sizeof(srx));
+ sendmsg(fd, &msg, 0);
+ return 0;
+ }
+
+Leading to the following oops:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000018
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ ...
+ RIP: 0010:rxrpc_connect_call+0x42/0xa01
+ ...
+ Call Trace:
+ ? mark_held_locks+0x47/0x59
+ ? __local_bh_enable_ip+0xb6/0xba
+ rxrpc_new_client_call+0x3b1/0x762
+ ? rxrpc_do_sendmsg+0x3c0/0x92e
+ rxrpc_do_sendmsg+0x3c0/0x92e
+ rxrpc_sendmsg+0x16b/0x1b5
+ sock_sendmsg+0x2d/0x39
+ ___sys_sendmsg+0x1a4/0x22a
+ ? release_sock+0x19/0x9e
+ ? reacquire_held_locks+0x136/0x160
+ ? release_sock+0x19/0x9e
+ ? find_held_lock+0x2b/0x6e
+ ? __lock_acquire+0x268/0xf73
+ ? rxrpc_connect+0xdd/0xe4
+ ? __local_bh_enable_ip+0xb6/0xba
+ __sys_sendmsg+0x5e/0x94
+ do_syscall_64+0x7d/0x1bf
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 2341e0775747 ("rxrpc: Simplify connect() implementation and simplify sendmsg() op")
+Reported-by: syzbot+7966f2a0b2c7da8939b4@syzkaller.appspotmail.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/af_rxrpc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/rxrpc/af_rxrpc.c
++++ b/net/rxrpc/af_rxrpc.c
+@@ -405,6 +405,7 @@ static int rxrpc_sendmsg(struct socket *
+
+ switch (rx->sk.sk_state) {
+ case RXRPC_UNBOUND:
++ case RXRPC_CLIENT_UNBOUND:
+ rx->srx.srx_family = AF_RXRPC;
+ rx->srx.srx_service = 0;
+ rx->srx.transport_type = SOCK_DGRAM;
+@@ -429,10 +430,9 @@ static int rxrpc_sendmsg(struct socket *
+ }
+
+ rx->local = local;
+- rx->sk.sk_state = RXRPC_CLIENT_UNBOUND;
++ rx->sk.sk_state = RXRPC_CLIENT_BOUND;
+ /* Fall through */
+
+- case RXRPC_CLIENT_UNBOUND:
+ case RXRPC_CLIENT_BOUND:
+ if (!m->msg_name &&
+ test_bit(RXRPC_SOCK_CONNECTED, &rx->flags)) {
compiler.h-add-read_word_at_a_time-function.patch
lib-strscpy-shut-up-kasan-false-positives-in-strscpy.patch
ext4-allow-directory-holes.patch
+bnx2x-prevent-load-reordering-in-tx-completion-processing.patch
+bnx2x-prevent-ptp_task-to-be-rescheduled-indefinitely.patch
+caif-hsi-fix-possible-deadlock-in-cfhsi_exit_module.patch
+igmp-fix-memory-leak-in-igmpv3_del_delrec.patch
+ipv4-don-t-set-ipv6-only-flags-to-ipv4-addresses.patch
+net-bcmgenet-use-promisc-for-unsupported-filters.patch
+net-dsa-mv88e6xxx-wait-after-reset-deactivation.patch
+net-neigh-fix-multiple-neigh-timer-scheduling.patch
+net-openvswitch-fix-csum-updates-for-mpls-actions.patch
+nfc-fix-potential-illegal-memory-access.patch
+rxrpc-fix-send-on-a-connected-but-unbound-socket.patch
+sky2-disable-msi-on-asus-p6t.patch
+vrf-make-sure-skb-data-contains-ip-header-to-make-routing.patch
+macsec-fix-use-after-free-of-skb-during-rx.patch
+macsec-fix-checksumming-after-decryption.patch
+netrom-fix-a-memory-leak-in-nr_rx_frame.patch
+netrom-hold-sock-when-setting-skb-destructor.patch
+bonding-validate-ip-header-before-check-ipproto_igmp.patch
+net-make-skb_dst_force-return-true-when-dst-is-refcounted.patch
+tcp-reset-bytes_acked-and-bytes_received-when-disconnecting.patch
+net-bridge-mcast-fix-stale-nsrcs-pointer-in-igmp3-mld2-report-handling.patch
+net-bridge-mcast-fix-stale-ipv6-hdr-pointer-when-handling-v6-query.patch
+net-bridge-stp-don-t-cache-eth-dest-pointer-before-skb-pull.patch
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 23 Jul 2019 17:15:25 +0200
+Subject: sky2: Disable MSI on ASUS P6T
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit a261e3797506bd561700be643fe1a85bf81e9661 ]
+
+The onboard sky2 NIC on ASUS P6T WS PRO doesn't work after PM resume
+due to the infamous IRQ problem. Disabling MSI works around it, so
+let's add it to the blacklist.
+
+Unfortunately the BIOS on the machine doesn't fill the standard
+DMI_SYS_* entry, so we pick up DMI_BOARD_* entries instead.
+
+BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1142496
+Reported-and-tested-by: Marcus Seyfarth <m.seyfarth@gmail.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/sky2.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -4939,6 +4939,13 @@ static const struct dmi_system_id msi_bl
+ DMI_MATCH(DMI_PRODUCT_NAME, "P-79"),
+ },
+ },
++ {
++ .ident = "ASUS P6T",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer INC."),
++ DMI_MATCH(DMI_BOARD_NAME, "P6T"),
++ },
++ },
+ {}
+ };
+
--- /dev/null
+From foo@baz Fri 26 Jul 2019 12:22:46 PM CEST
+From: Christoph Paasch <cpaasch@apple.com>
+Date: Sat, 6 Jul 2019 16:13:07 -0700
+Subject: tcp: Reset bytes_acked and bytes_received when disconnecting
+
+From: Christoph Paasch <cpaasch@apple.com>
+
+[ Upstream commit e858faf556d4e14c750ba1e8852783c6f9520a0e ]
+
+If an app is playing tricks to reuse a socket via tcp_disconnect(),
+bytes_acked/received needs to be reset to 0. Otherwise tcp_info will
+report the sum of the current and the old connection..
+
+Cc: Eric Dumazet <edumazet@google.com>
+Fixes: 0df48c26d841 ("tcp: add tcpi_bytes_acked to tcp_info")
+Fixes: bdd1f9edacb5 ("tcp: add tcpi_bytes_received to tcp_info")
+Signed-off-by: Christoph Paasch <cpaasch@apple.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2312,6 +2312,8 @@ int tcp_disconnect(struct sock *sk, int
+ dst_release(sk->sk_rx_dst);
+ sk->sk_rx_dst = NULL;
+ tcp_saved_syn_free(tp);
++ tp->bytes_acked = 0;
++ tp->bytes_received = 0;
+
+ WARN_ON(inet->inet_num && !icsk->icsk_bind_hash);
+
--- /dev/null
+From foo@baz Sun 28 Jul 2019 10:45:09 AM CEST
+From: Peter Kosyh <p.kosyh@gmail.com>
+Date: Fri, 19 Jul 2019 11:11:47 +0300
+Subject: vrf: make sure skb->data contains ip header to make routing
+
+From: Peter Kosyh <p.kosyh@gmail.com>
+
+[ Upstream commit 107e47cc80ec37cb332bd41b22b1c7779e22e018 ]
+
+vrf_process_v4_outbound() and vrf_process_v6_outbound() do routing
+using ip/ipv6 addresses, but don't make sure the header is available
+in skb->data[] (skb_headlen() is less then header size).
+
+Case:
+
+1) igb driver from intel.
+2) Packet size is greater then 255.
+3) MPLS forwards to VRF device.
+
+So, patch adds pskb_may_pull() calls in vrf_process_v4/v6_outbound()
+functions.
+
+Signed-off-by: Peter Kosyh <p.kosyh@gmail.com>
+Reviewed-by: David Ahern <dsa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vrf.c | 58 ++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 35 insertions(+), 23 deletions(-)
+
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -153,23 +153,29 @@ static int vrf_ip6_local_out(struct net
+ static netdev_tx_t vrf_process_v6_outbound(struct sk_buff *skb,
+ struct net_device *dev)
+ {
+- const struct ipv6hdr *iph = ipv6_hdr(skb);
++ const struct ipv6hdr *iph;
+ struct net *net = dev_net(skb->dev);
+- struct flowi6 fl6 = {
+- /* needed to match OIF rule */
+- .flowi6_oif = dev->ifindex,
+- .flowi6_iif = LOOPBACK_IFINDEX,
+- .daddr = iph->daddr,
+- .saddr = iph->saddr,
+- .flowlabel = ip6_flowinfo(iph),
+- .flowi6_mark = skb->mark,
+- .flowi6_proto = iph->nexthdr,
+- .flowi6_flags = FLOWI_FLAG_SKIP_NH_OIF,
+- };
++ struct flowi6 fl6;
+ int ret = NET_XMIT_DROP;
+ struct dst_entry *dst;
+ struct dst_entry *dst_null = &net->ipv6.ip6_null_entry->dst;
+
++ if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct ipv6hdr)))
++ goto err;
++
++ iph = ipv6_hdr(skb);
++
++ memset(&fl6, 0, sizeof(fl6));
++ /* needed to match OIF rule */
++ fl6.flowi6_oif = dev->ifindex;
++ fl6.flowi6_iif = LOOPBACK_IFINDEX;
++ fl6.daddr = iph->daddr;
++ fl6.saddr = iph->saddr;
++ fl6.flowlabel = ip6_flowinfo(iph);
++ fl6.flowi6_mark = skb->mark;
++ fl6.flowi6_proto = iph->nexthdr;
++ fl6.flowi6_flags = FLOWI_FLAG_SKIP_NH_OIF;
++
+ dst = ip6_route_output(net, NULL, &fl6);
+ if (dst == dst_null)
+ goto err;
+@@ -257,21 +263,27 @@ static int vrf_ip_local_out(struct net *
+ static netdev_tx_t vrf_process_v4_outbound(struct sk_buff *skb,
+ struct net_device *vrf_dev)
+ {
+- struct iphdr *ip4h = ip_hdr(skb);
++ struct iphdr *ip4h;
+ int ret = NET_XMIT_DROP;
+- struct flowi4 fl4 = {
+- /* needed to match OIF rule */
+- .flowi4_oif = vrf_dev->ifindex,
+- .flowi4_iif = LOOPBACK_IFINDEX,
+- .flowi4_tos = RT_TOS(ip4h->tos),
+- .flowi4_flags = FLOWI_FLAG_ANYSRC | FLOWI_FLAG_SKIP_NH_OIF,
+- .flowi4_proto = ip4h->protocol,
+- .daddr = ip4h->daddr,
+- .saddr = ip4h->saddr,
+- };
++ struct flowi4 fl4;
+ struct net *net = dev_net(vrf_dev);
+ struct rtable *rt;
+
++ if (!pskb_may_pull(skb, ETH_HLEN + sizeof(struct iphdr)))
++ goto err;
++
++ ip4h = ip_hdr(skb);
++
++ memset(&fl4, 0, sizeof(fl4));
++ /* needed to match OIF rule */
++ fl4.flowi4_oif = vrf_dev->ifindex;
++ fl4.flowi4_iif = LOOPBACK_IFINDEX;
++ fl4.flowi4_tos = RT_TOS(ip4h->tos);
++ fl4.flowi4_flags = FLOWI_FLAG_ANYSRC | FLOWI_FLAG_SKIP_NH_OIF;
++ fl4.flowi4_proto = ip4h->protocol;
++ fl4.daddr = ip4h->daddr;
++ fl4.saddr = ip4h->saddr;
++
+ rt = ip_route_output_flow(net, &fl4, NULL);
+ if (IS_ERR(rt))
+ goto err;
projects / thirdparty / kernel / stable-queue.git / commitdiff
