--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Wed, 22 May 2019 19:12:54 -0400
+Subject: bnxt_en: Fix aggregation buffer leak under OOM condition.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 296d5b54163964b7ae536b8b57dfbd21d4e868e1 ]
+
+For every RX packet, the driver replenishes all buffers used for that
+packet and puts them back into the RX ring and RX aggregation ring.
+In one code path where the RX packet has one RX buffer and one or more
+aggregation buffers, we missed recycling the aggregation buffer(s) if
+we are unable to allocate a new SKB buffer. This leads to the
+aggregation ring slowly running out of buffers over time. Fix it
+by properly recycling the aggregation buffers.
+
+Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
+Reported-by: Rakesh Hemnani <rhemnani@fb.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -1636,6 +1636,8 @@ static int bnxt_rx_pkt(struct bnxt *bp,
+ skb = bnxt_copy_skb(bnapi, data_ptr, len, dma_addr);
+ bnxt_reuse_rx_data(rxr, cons, data);
+ if (!skb) {
++ if (agg_bufs)
++ bnxt_reuse_rx_agg_bufs(cpr, cp_cons, agg_bufs);
+ rc = -ENOMEM;
+ goto next_rx;
+ }
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Wed, 22 May 2019 19:12:55 -0400
+Subject: bnxt_en: Fix possible BUG() condition when calling pci_disable_msix().
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit 1b3f0b75c39f534278a895c117282014e9d0ae1f ]
+
+When making configuration changes, the driver calls bnxt_close_nic()
+and then bnxt_open_nic() for the changes to take effect. A parameter
+irq_re_init is passed to the call sequence to indicate if IRQ
+should be re-initialized. This irq_re_init parameter needs to
+be included in the bnxt_reserve_rings() call. bnxt_reserve_rings()
+can only call pci_disable_msix() if the irq_re_init parameter is
+true, otherwise it may hit BUG() because some IRQs may not have been
+freed yet.
+
+Fixes: 41e8d7983752 ("bnxt_en: Modify the ring reservation functions for 57500 series chips.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 13 +++++++------
+ drivers/net/ethernet/broadcom/bnxt/bnxt.h | 2 +-
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 +-
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c | 2 +-
+ 4 files changed, 10 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -7506,22 +7506,23 @@ static void bnxt_clear_int_mode(struct b
+ bp->flags &= ~BNXT_FLAG_USING_MSIX;
+ }
+
+-int bnxt_reserve_rings(struct bnxt *bp)
++int bnxt_reserve_rings(struct bnxt *bp, bool irq_re_init)
+ {
+ int tcs = netdev_get_num_tc(bp->dev);
+- bool reinit_irq = false;
++ bool irq_cleared = false;
+ int rc;
+
+ if (!bnxt_need_reserve_rings(bp))
+ return 0;
+
+- if (BNXT_NEW_RM(bp) && (bnxt_get_num_msix(bp) != bp->total_irqs)) {
++ if (irq_re_init && BNXT_NEW_RM(bp) &&
++ bnxt_get_num_msix(bp) != bp->total_irqs) {
+ bnxt_ulp_irq_stop(bp);
+ bnxt_clear_int_mode(bp);
+- reinit_irq = true;
++ irq_cleared = true;
+ }
+ rc = __bnxt_reserve_rings(bp);
+- if (reinit_irq) {
++ if (irq_cleared) {
+ if (!rc)
+ rc = bnxt_init_int_mode(bp);
+ bnxt_ulp_irq_restart(bp, rc);
+@@ -8420,7 +8421,7 @@ static int __bnxt_open_nic(struct bnxt *
+ return rc;
+ }
+ }
+- rc = bnxt_reserve_rings(bp);
++ rc = bnxt_reserve_rings(bp, irq_re_init);
+ if (rc)
+ return rc;
+ if ((bp->flags & BNXT_FLAG_RFS) &&
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+@@ -1776,7 +1776,7 @@ unsigned int bnxt_get_avail_stat_ctxs_fo
+ unsigned int bnxt_get_max_func_cp_rings(struct bnxt *bp);
+ unsigned int bnxt_get_avail_cp_rings_for_en(struct bnxt *bp);
+ int bnxt_get_avail_msix(struct bnxt *bp, int num);
+-int bnxt_reserve_rings(struct bnxt *bp);
++int bnxt_reserve_rings(struct bnxt *bp, bool irq_re_init);
+ void bnxt_tx_disable(struct bnxt *bp);
+ void bnxt_tx_enable(struct bnxt *bp);
+ int bnxt_hwrm_set_pause(struct bnxt *);
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -788,7 +788,7 @@ static int bnxt_set_channels(struct net_
+ */
+ }
+ } else {
+- rc = bnxt_reserve_rings(bp);
++ rc = bnxt_reserve_rings(bp, true);
+ }
+
+ return rc;
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ulp.c
+@@ -150,7 +150,7 @@ static int bnxt_req_msix_vecs(struct bnx
+ bnxt_close_nic(bp, true, false);
+ rc = bnxt_open_nic(bp, true, false);
+ } else {
+- rc = bnxt_reserve_rings(bp);
++ rc = bnxt_reserve_rings(bp, true);
+ }
+ }
+ if (rc) {
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Wed, 22 May 2019 19:12:56 -0400
+Subject: bnxt_en: Reduce memory usage when running in kdump kernel.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit d629522e1d66561f38e5c8d4f52bb6d254ec0707 ]
+
+Skip RDMA context memory allocations, reduce to 1 ring, and disable
+TPA when running in the kdump kernel. Without this patch, the driver
+fails to initialize with memory allocation errors when running in a
+typical kdump kernel.
+
+Fixes: cf6daed098d1 ("bnxt_en: Increase context memory allocations on 57500 chips for RDMA.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++--
+ drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 +++-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -6338,7 +6338,7 @@ static int bnxt_alloc_ctx_mem(struct bnx
+ if (!ctx || (ctx->flags & BNXT_CTX_FLAG_INITED))
+ return 0;
+
+- if (bp->flags & BNXT_FLAG_ROCE_CAP) {
++ if ((bp->flags & BNXT_FLAG_ROCE_CAP) && !is_kdump_kernel()) {
+ pg_lvl = 2;
+ extra_qps = 65536;
+ extra_srqs = 8192;
+@@ -10279,7 +10279,7 @@ static int bnxt_set_dflt_rings(struct bn
+
+ if (sh)
+ bp->flags |= BNXT_FLAG_SHARED_RINGS;
+- dflt_rings = netif_get_num_default_rss_queues();
++ dflt_rings = is_kdump_kernel() ? 1 : netif_get_num_default_rss_queues();
+ /* Reduce default rings on multi-port cards so that total default
+ * rings do not exceed CPU count.
+ */
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+@@ -20,6 +20,7 @@
+
+ #include <linux/interrupt.h>
+ #include <linux/rhashtable.h>
++#include <linux/crash_dump.h>
+ #include <net/devlink.h>
+ #include <net/dst_metadata.h>
+ #include <net/switchdev.h>
+@@ -1367,7 +1368,8 @@ struct bnxt {
+ #define BNXT_CHIP_TYPE_NITRO_A0(bp) ((bp)->flags & BNXT_FLAG_CHIP_NITRO_A0)
+ #define BNXT_RX_PAGE_MODE(bp) ((bp)->flags & BNXT_FLAG_RX_PAGE_MODE)
+ #define BNXT_SUPPORTS_TPA(bp) (!BNXT_CHIP_TYPE_NITRO_A0(bp) && \
+- !(bp->flags & BNXT_FLAG_CHIP_P5))
++ !(bp->flags & BNXT_FLAG_CHIP_P5) && \
++ !is_kdump_kernel())
+
+ /* Chip class phase 5 */
+ #define BNXT_CHIP_P5(bp) \
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Jarod Wilson <jarod@redhat.com>
+Date: Fri, 24 May 2019 09:49:28 -0400
+Subject: bonding/802.3ad: fix slave link initialization transition states
+
+From: Jarod Wilson <jarod@redhat.com>
+
+[ Upstream commit 334031219a84b9994594015aab85ed7754c80176 ]
+
+Once in a while, with just the right timing, 802.3ad slaves will fail to
+properly initialize, winding up in a weird state, with a partner system
+mac address of 00:00:00:00:00:00. This started happening after a fix to
+properly track link_failure_count tracking, where an 802.3ad slave that
+reported itself as link up in the miimon code, but wasn't able to get a
+valid speed/duplex, started getting set to BOND_LINK_FAIL instead of
+BOND_LINK_DOWN. That was the proper thing to do for the general "my link
+went down" case, but has created a link initialization race that can put
+the interface in this odd state.
+
+The simple fix is to instead set the slave link to BOND_LINK_DOWN again,
+if the link has never been up (last_link_up == 0), so the link state
+doesn't bounce from BOND_LINK_DOWN to BOND_LINK_FAIL -- it hasn't failed
+in this case, it simply hasn't been up yet, and this prevents the
+unnecessary state change from DOWN to FAIL and getting stuck in an init
+failure w/o a partner mac.
+
+Fixes: ea53abfab960 ("bonding/802.3ad: fix link_failure_count tracking")
+CC: Jay Vosburgh <j.vosburgh@gmail.com>
+CC: Veaceslav Falico <vfalico@gmail.com>
+CC: Andy Gospodarek <andy@greyhouse.net>
+CC: "David S. Miller" <davem@davemloft.net>
+CC: netdev@vger.kernel.org
+Tested-by: Heesoon Kim <Heesoon.Kim@stratus.com>
+Signed-off-by: Jarod Wilson <jarod@redhat.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -3123,13 +3123,18 @@ static int bond_slave_netdev_event(unsig
+ case NETDEV_CHANGE:
+ /* For 802.3ad mode only:
+ * Getting invalid Speed/Duplex values here will put slave
+- * in weird state. So mark it as link-fail for the time
+- * being and let link-monitoring (miimon) set it right when
+- * correct speeds/duplex are available.
++ * in weird state. Mark it as link-fail if the link was
++ * previously up or link-down if it hasn't yet come up, and
++ * let link-monitoring (miimon) set it right when correct
++ * speeds/duplex are available.
+ */
+ if (bond_update_speed_duplex(slave) &&
+- BOND_MODE(bond) == BOND_MODE_8023AD)
+- slave->link = BOND_LINK_FAIL;
++ BOND_MODE(bond) == BOND_MODE_8023AD) {
++ if (slave->last_link_up)
++ slave->link = BOND_LINK_FAIL;
++ else
++ slave->link = BOND_LINK_DOWN;
++ }
+
+ if (BOND_MODE(bond) == BOND_MODE_8023AD)
+ bond_3ad_adapter_speed_duplex_changed(slave);
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Raju Rangoju <rajur@chelsio.com>
+Date: Thu, 23 May 2019 20:41:44 +0530
+Subject: cxgb4: offload VLAN flows regardless of VLAN ethtype
+
+From: Raju Rangoju <rajur@chelsio.com>
+
+[ Upstream commit b5730061d1056abf317caea823b94d6e12b5b4f6 ]
+
+VLAN flows never get offloaded unless ivlan_vld is set in filter spec.
+It's not compulsory for vlan_ethtype to be set.
+
+So, always enable ivlan_vld bit for offloading VLAN flows regardless of
+vlan_ethtype is set or not.
+
+Fixes: ad9af3e09c (cxgb4: add tc flower match support for vlan)
+Signed-off-by: Raju Rangoju <rajur@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c
+@@ -228,6 +228,9 @@ static void cxgb4_process_flow_match(str
+ fs->val.ivlan = vlan_tci;
+ fs->mask.ivlan = vlan_tci_mask;
+
++ fs->val.ivlan_vld = 1;
++ fs->mask.ivlan_vld = 1;
++
+ /* Chelsio adapters use ivlan_vld bit to match vlan packets
+ * as 802.1Q. Also, when vlan tag is present in packets,
+ * ethtype match is used then to match on ethtype of inner
+@@ -238,8 +241,6 @@ static void cxgb4_process_flow_match(str
+ * ethtype value with ethtype of inner header.
+ */
+ if (fs->val.ethtype == ETH_P_8021Q) {
+- fs->val.ivlan_vld = 1;
+- fs->mask.ivlan_vld = 1;
+ fs->val.ethtype = 0;
+ fs->mask.ethtype = 0;
+ }
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Vishal Kulkarni <vishal@chelsio.com>
+Date: Thu, 23 May 2019 08:07:21 +0530
+Subject: cxgb4: Revert "cxgb4: Remove SGE_HOST_PAGE_SIZE dependency on page size"
+
+From: Vishal Kulkarni <vishal@chelsio.com>
+
+[ Upstream commit ab0610efabb4c4f419a531455708caf1dd29357e ]
+
+This reverts commit 2391b0030e241386d710df10e53e2cfc3c5d4fc1 which has
+introduced regression. Now SGE's BAR2 Doorbell/GTS Page Size is
+interpreted correctly in the firmware itself by using actual host
+page size. Hence previous commit needs to be reverted.
+
+Signed-off-by: Vishal Kulkarni <vishal@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c
+@@ -7139,10 +7139,21 @@ int t4_fixup_host_params(struct adapter
+ unsigned int cache_line_size)
+ {
+ unsigned int page_shift = fls(page_size) - 1;
++ unsigned int sge_hps = page_shift - 10;
+ unsigned int stat_len = cache_line_size > 64 ? 128 : 64;
+ unsigned int fl_align = cache_line_size < 32 ? 32 : cache_line_size;
+ unsigned int fl_align_log = fls(fl_align) - 1;
+
++ t4_write_reg(adap, SGE_HOST_PAGE_SIZE_A,
++ HOSTPAGESIZEPF0_V(sge_hps) |
++ HOSTPAGESIZEPF1_V(sge_hps) |
++ HOSTPAGESIZEPF2_V(sge_hps) |
++ HOSTPAGESIZEPF3_V(sge_hps) |
++ HOSTPAGESIZEPF4_V(sge_hps) |
++ HOSTPAGESIZEPF5_V(sge_hps) |
++ HOSTPAGESIZEPF6_V(sge_hps) |
++ HOSTPAGESIZEPF7_V(sge_hps));
++
+ if (is_t4(adap->params.chip)) {
+ t4_set_reg_field(adap, SGE_CONTROL_A,
+ INGPADBOUNDARY_V(INGPADBOUNDARY_M) |
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 27 Mar 2019 12:40:33 -0700
+Subject: inet: switch IP ID generator to siphash
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit df453700e8d81b1bdafdf684365ee2b9431fb702 ]
+
+According to Amit Klein and Benny Pinkas, IP ID generation is too weak
+and might be used by attackers.
+
+Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix())
+having 64bit key and Jenkins hash is risky.
+
+It is time to switch to siphash and its 128bit keys.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Amit Klein <aksecurity@gmail.com>
+Reported-by: Benny Pinkas <benny@pinkas.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/siphash.h | 5 +++++
+ include/net/netns/ipv4.h | 2 ++
+ net/ipv4/route.c | 12 +++++++-----
+ net/ipv6/output_core.c | 30 ++++++++++++++++--------------
+ 4 files changed, 30 insertions(+), 19 deletions(-)
+
+--- a/include/linux/siphash.h
++++ b/include/linux/siphash.h
+@@ -21,6 +21,11 @@ typedef struct {
+ u64 key[2];
+ } siphash_key_t;
+
++static inline bool siphash_key_is_zero(const siphash_key_t *key)
++{
++ return !(key->key[0] | key->key[1]);
++}
++
+ u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key);
+ #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+ u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key);
+--- a/include/net/netns/ipv4.h
++++ b/include/net/netns/ipv4.h
+@@ -9,6 +9,7 @@
+ #include <linux/uidgid.h>
+ #include <net/inet_frag.h>
+ #include <linux/rcupdate.h>
++#include <linux/siphash.h>
+
+ struct tcpm_hash_bucket;
+ struct ctl_table_header;
+@@ -217,5 +218,6 @@ struct netns_ipv4 {
+ unsigned int ipmr_seq; /* protected by rtnl_mutex */
+
+ atomic_t rt_genid;
++ siphash_key_t ip_id_key;
+ };
+ #endif
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -500,15 +500,17 @@ EXPORT_SYMBOL(ip_idents_reserve);
+
+ void __ip_select_ident(struct net *net, struct iphdr *iph, int segs)
+ {
+- static u32 ip_idents_hashrnd __read_mostly;
+ u32 hash, id;
+
+- net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd));
++ /* Note the following code is not safe, but this is okay. */
++ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
++ get_random_bytes(&net->ipv4.ip_id_key,
++ sizeof(net->ipv4.ip_id_key));
+
+- hash = jhash_3words((__force u32)iph->daddr,
++ hash = siphash_3u32((__force u32)iph->daddr,
+ (__force u32)iph->saddr,
+- iph->protocol ^ net_hash_mix(net),
+- ip_idents_hashrnd);
++ iph->protocol,
++ &net->ipv4.ip_id_key);
+ id = ip_idents_reserve(hash, segs);
+ iph->id = htons(id);
+ }
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -10,15 +10,25 @@
+ #include <net/secure_seq.h>
+ #include <linux/netfilter.h>
+
+-static u32 __ipv6_select_ident(struct net *net, u32 hashrnd,
++static u32 __ipv6_select_ident(struct net *net,
+ const struct in6_addr *dst,
+ const struct in6_addr *src)
+ {
++ const struct {
++ struct in6_addr dst;
++ struct in6_addr src;
++ } __aligned(SIPHASH_ALIGNMENT) combined = {
++ .dst = *dst,
++ .src = *src,
++ };
+ u32 hash, id;
+
+- hash = __ipv6_addr_jhash(dst, hashrnd);
+- hash = __ipv6_addr_jhash(src, hash);
+- hash ^= net_hash_mix(net);
++ /* Note the following code is not safe, but this is okay. */
++ if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
++ get_random_bytes(&net->ipv4.ip_id_key,
++ sizeof(net->ipv4.ip_id_key));
++
++ hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key);
+
+ /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve,
+ * set the hight order instead thus minimizing possible future
+@@ -41,7 +51,6 @@ static u32 __ipv6_select_ident(struct ne
+ */
+ __be32 ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb)
+ {
+- static u32 ip6_proxy_idents_hashrnd __read_mostly;
+ struct in6_addr buf[2];
+ struct in6_addr *addrs;
+ u32 id;
+@@ -53,11 +62,7 @@ __be32 ipv6_proxy_select_ident(struct ne
+ if (!addrs)
+ return 0;
+
+- net_get_random_once(&ip6_proxy_idents_hashrnd,
+- sizeof(ip6_proxy_idents_hashrnd));
+-
+- id = __ipv6_select_ident(net, ip6_proxy_idents_hashrnd,
+- &addrs[1], &addrs[0]);
++ id = __ipv6_select_ident(net, &addrs[1], &addrs[0]);
+ return htonl(id);
+ }
+ EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident);
+@@ -66,12 +71,9 @@ __be32 ipv6_select_ident(struct net *net
+ const struct in6_addr *daddr,
+ const struct in6_addr *saddr)
+ {
+- static u32 ip6_idents_hashrnd __read_mostly;
+ u32 id;
+
+- net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd));
+-
+- id = __ipv6_select_ident(net, ip6_idents_hashrnd, daddr, saddr);
++ id = __ipv6_select_ident(net, daddr, saddr);
+ return htonl(id);
+ }
+ EXPORT_SYMBOL(ipv6_select_ident);
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 22 May 2019 16:51:22 -0700
+Subject: ipv4/igmp: fix another memory leak in igmpv3_del_delrec()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3580d04aa674383c42de7b635d28e52a1e5bc72c ]
+
+syzbot reported memory leaks [1] that I have back tracked to
+a missing cleanup from igmpv3_del_delrec() when
+(im->sfmode != MCAST_INCLUDE)
+
+Add ip_sf_list_clear_all() and kfree_pmc() helpers to explicitely
+handle the cleanups before freeing.
+
+[1]
+
+BUG: memory leak
+unreferenced object 0xffff888123e32b00 (size 64):
+ comm "softirq", pid 0, jiffies 4294942968 (age 8.010s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 e0 00 00 01 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<000000006105011b>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
+ [<000000006105011b>] slab_post_alloc_hook mm/slab.h:439 [inline]
+ [<000000006105011b>] slab_alloc mm/slab.c:3326 [inline]
+ [<000000006105011b>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
+ [<000000004bba8073>] kmalloc include/linux/slab.h:547 [inline]
+ [<000000004bba8073>] kzalloc include/linux/slab.h:742 [inline]
+ [<000000004bba8073>] ip_mc_add1_src net/ipv4/igmp.c:1961 [inline]
+ [<000000004bba8073>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2085
+ [<00000000a46a65a0>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2475
+ [<000000005956ca89>] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:957
+ [<00000000848e2d2f>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1246
+ [<00000000b9db185c>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616
+ [<000000003028e438>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3130
+ [<0000000015b65589>] __sys_setsockopt+0x98/0x120 net/socket.c:2078
+ [<00000000ac198ef0>] __do_sys_setsockopt net/socket.c:2089 [inline]
+ [<00000000ac198ef0>] __se_sys_setsockopt net/socket.c:2086 [inline]
+ [<00000000ac198ef0>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086
+ [<000000000a770437>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
+ [<00000000d3adb93b>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 9c8bb163ae78 ("igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Hangbin Liu <liuhangbin@gmail.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/igmp.c | 47 ++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 30 insertions(+), 17 deletions(-)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -632,6 +632,24 @@ static void igmpv3_clear_zeros(struct ip
+ }
+ }
+
++static void ip_sf_list_clear_all(struct ip_sf_list *psf)
++{
++ struct ip_sf_list *next;
++
++ while (psf) {
++ next = psf->sf_next;
++ kfree(psf);
++ psf = next;
++ }
++}
++
++static void kfree_pmc(struct ip_mc_list *pmc)
++{
++ ip_sf_list_clear_all(pmc->sources);
++ ip_sf_list_clear_all(pmc->tomb);
++ kfree(pmc);
++}
++
+ static void igmpv3_send_cr(struct in_device *in_dev)
+ {
+ struct ip_mc_list *pmc, *pmc_prev, *pmc_next;
+@@ -668,7 +686,7 @@ static void igmpv3_send_cr(struct in_dev
+ else
+ in_dev->mc_tomb = pmc_next;
+ in_dev_put(pmc->interface);
+- kfree(pmc);
++ kfree_pmc(pmc);
+ } else
+ pmc_prev = pmc;
+ }
+@@ -1213,14 +1231,18 @@ static void igmpv3_del_delrec(struct in_
+ im->interface = pmc->interface;
+ if (im->sfmode == MCAST_INCLUDE) {
+ im->tomb = pmc->tomb;
++ pmc->tomb = NULL;
++
+ im->sources = pmc->sources;
++ pmc->sources = NULL;
++
+ for (psf = im->sources; psf; psf = psf->sf_next)
+ psf->sf_crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
+ } else {
+ im->crcount = in_dev->mr_qrv ?: net->ipv4.sysctl_igmp_qrv;
+ }
+ in_dev_put(pmc->interface);
+- kfree(pmc);
++ kfree_pmc(pmc);
+ }
+ spin_unlock_bh(&im->lock);
+ }
+@@ -1241,21 +1263,18 @@ static void igmpv3_clear_delrec(struct i
+ nextpmc = pmc->next;
+ ip_mc_clear_src(pmc);
+ in_dev_put(pmc->interface);
+- kfree(pmc);
++ kfree_pmc(pmc);
+ }
+ /* clear dead sources, too */
+ rcu_read_lock();
+ for_each_pmc_rcu(in_dev, pmc) {
+- struct ip_sf_list *psf, *psf_next;
++ struct ip_sf_list *psf;
+
+ spin_lock_bh(&pmc->lock);
+ psf = pmc->tomb;
+ pmc->tomb = NULL;
+ spin_unlock_bh(&pmc->lock);
+- for (; psf; psf = psf_next) {
+- psf_next = psf->sf_next;
+- kfree(psf);
+- }
++ ip_sf_list_clear_all(psf);
+ }
+ rcu_read_unlock();
+ }
+@@ -2133,7 +2152,7 @@ static int ip_mc_add_src(struct in_devic
+
+ static void ip_mc_clear_src(struct ip_mc_list *pmc)
+ {
+- struct ip_sf_list *psf, *nextpsf, *tomb, *sources;
++ struct ip_sf_list *tomb, *sources;
+
+ spin_lock_bh(&pmc->lock);
+ tomb = pmc->tomb;
+@@ -2145,14 +2164,8 @@ static void ip_mc_clear_src(struct ip_mc
+ pmc->sfcount[MCAST_EXCLUDE] = 1;
+ spin_unlock_bh(&pmc->lock);
+
+- for (psf = tomb; psf; psf = nextpsf) {
+- nextpsf = psf->sf_next;
+- kfree(psf);
+- }
+- for (psf = sources; psf; psf = nextpsf) {
+- nextpsf = psf->sf_next;
+- kfree(psf);
+- }
++ ip_sf_list_clear_all(tomb);
++ ip_sf_list_clear_all(sources);
+ }
+
+ /* Join a multicast group
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 22 May 2019 18:35:16 -0700
+Subject: ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 903869bd10e6719b9df6718e785be7ec725df59f ]
+
+ip_sf_list_clear_all() needs to be defined even if !CONFIG_IP_MULTICAST
+
+Fixes: 3580d04aa674 ("ipv4/igmp: fix another memory leak in igmpv3_del_delrec()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: kbuild test robot <lkp@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/igmp.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -187,6 +187,17 @@ static void ip_ma_put(struct ip_mc_list
+ pmc != NULL; \
+ pmc = rtnl_dereference(pmc->next_rcu))
+
++static void ip_sf_list_clear_all(struct ip_sf_list *psf)
++{
++ struct ip_sf_list *next;
++
++ while (psf) {
++ next = psf->sf_next;
++ kfree(psf);
++ psf = next;
++ }
++}
++
+ #ifdef CONFIG_IP_MULTICAST
+
+ /*
+@@ -632,17 +643,6 @@ static void igmpv3_clear_zeros(struct ip
+ }
+ }
+
+-static void ip_sf_list_clear_all(struct ip_sf_list *psf)
+-{
+- struct ip_sf_list *next;
+-
+- while (psf) {
+- next = psf->sf_next;
+- kfree(psf);
+- psf = next;
+- }
+-}
+-
+ static void kfree_pmc(struct ip_mc_list *pmc)
+ {
+ ip_sf_list_clear_all(pmc->sources);
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Mike Manning <mmanning@vyatta.att-mail.com>
+Date: Mon, 20 May 2019 19:57:17 +0100
+Subject: ipv6: Consider sk_bound_dev_if when binding a raw socket to an address
+
+From: Mike Manning <mmanning@vyatta.att-mail.com>
+
+[ Upstream commit 72f7cfab6f93a8ea825fab8ccfb016d064269f7f ]
+
+IPv6 does not consider if the socket is bound to a device when binding
+to an address. The result is that a socket can be bound to eth0 and
+then bound to the address of eth1. If the device is a VRF, the result
+is that a socket can only be bound to an address in the default VRF.
+
+Resolve by considering the device if sk_bound_dev_if is set.
+
+Signed-off-by: Mike Manning <mmanning@vyatta.att-mail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Tested-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/raw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/raw.c
++++ b/net/ipv6/raw.c
+@@ -287,7 +287,9 @@ static int rawv6_bind(struct sock *sk, s
+ /* Binding to link-local address requires an interface */
+ if (!sk->sk_bound_dev_if)
+ goto out_unlock;
++ }
+
++ if (sk->sk_bound_dev_if) {
+ err = -ENODEV;
+ dev = dev_get_by_index_rcu(sock_net(sk),
+ sk->sk_bound_dev_if);
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: David Ahern <dsahern@gmail.com>
+Date: Wed, 22 May 2019 15:12:18 -0700
+Subject: ipv6: Fix redirect with VRF
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit 31680ac265802397937d75461a2809a067b9fb93 ]
+
+IPv6 redirect is broken for VRF. __ip6_route_redirect walks the FIB
+entries looking for an exact match on ifindex. With VRF the flowi6_oif
+is updated by l3mdev_update_flow to the l3mdev index and the
+FLOWI_FLAG_SKIP_NH_OIF set in the flags to tell the lookup to skip the
+device match. For redirects the device match is requires so use that
+flag to know when the oif needs to be reset to the skb device index.
+
+Fixes: ca254490c8df ("net: Add VRF support to IPv6 stack")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -2448,6 +2448,12 @@ static struct rt6_info *__ip6_route_redi
+ struct fib6_info *rt;
+ struct fib6_node *fn;
+
++ /* l3mdev_update_flow overrides oif if the device is enslaved; in
++ * this case we must match on the real ingress device, so reset it
++ */
++ if (fl6->flowi6_flags & FLOWI_FLAG_SKIP_NH_OIF)
++ fl6->flowi6_oif = skb->dev->ifindex;
++
+ /* Get the "current" route for this destination and
+ * check if the redirect has come from appropriate router.
+ *
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 27 May 2019 17:35:52 -0700
+Subject: llc: fix skb leak in llc_build_and_send_ui_pkt()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8fb44d60d4142cd2a440620cd291d346e23c131e ]
+
+If llc_mac_hdr_init() returns an error, we must drop the skb
+since no llc_build_and_send_ui_pkt() caller will take care of this.
+
+BUG: memory leak
+unreferenced object 0xffff8881202b6800 (size 2048):
+ comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.590s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 1a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............
+ backtrace:
+ [<00000000e25b5abe>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
+ [<00000000e25b5abe>] slab_post_alloc_hook mm/slab.h:439 [inline]
+ [<00000000e25b5abe>] slab_alloc mm/slab.c:3326 [inline]
+ [<00000000e25b5abe>] __do_kmalloc mm/slab.c:3658 [inline]
+ [<00000000e25b5abe>] __kmalloc+0x161/0x2c0 mm/slab.c:3669
+ [<00000000a1ae188a>] kmalloc include/linux/slab.h:552 [inline]
+ [<00000000a1ae188a>] sk_prot_alloc+0xd6/0x170 net/core/sock.c:1608
+ [<00000000ded25bbe>] sk_alloc+0x35/0x2f0 net/core/sock.c:1662
+ [<000000002ecae075>] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950
+ [<00000000551f7c47>] llc_ui_create+0x7b/0x140 net/llc/af_llc.c:173
+ [<0000000029027f0e>] __sock_create+0x164/0x250 net/socket.c:1430
+ [<000000008bdec225>] sock_create net/socket.c:1481 [inline]
+ [<000000008bdec225>] __sys_socket+0x69/0x110 net/socket.c:1523
+ [<00000000b6439228>] __do_sys_socket net/socket.c:1532 [inline]
+ [<00000000b6439228>] __se_sys_socket net/socket.c:1530 [inline]
+ [<00000000b6439228>] __x64_sys_socket+0x1e/0x30 net/socket.c:1530
+ [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
+ [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+BUG: memory leak
+unreferenced object 0xffff88811d750d00 (size 224):
+ comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.600s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 f0 0c 24 81 88 ff ff 00 68 2b 20 81 88 ff ff ...$.....h+ ....
+ backtrace:
+ [<0000000053026172>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
+ [<0000000053026172>] slab_post_alloc_hook mm/slab.h:439 [inline]
+ [<0000000053026172>] slab_alloc_node mm/slab.c:3269 [inline]
+ [<0000000053026172>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
+ [<00000000fa8f3c30>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
+ [<00000000d96fdafb>] alloc_skb include/linux/skbuff.h:1058 [inline]
+ [<00000000d96fdafb>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327
+ [<000000000a34a2e7>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225
+ [<00000000ee39999b>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
+ [<00000000e034d810>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
+ [<00000000c0bc8445>] sock_sendmsg_nosec net/socket.c:652 [inline]
+ [<00000000c0bc8445>] sock_sendmsg+0x54/0x70 net/socket.c:671
+ [<000000003b687167>] __sys_sendto+0x148/0x1f0 net/socket.c:1964
+ [<00000000922d78d9>] __do_sys_sendto net/socket.c:1976 [inline]
+ [<00000000922d78d9>] __se_sys_sendto net/socket.c:1972 [inline]
+ [<00000000922d78d9>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1972
+ [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
+ [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/llc/llc_output.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/llc/llc_output.c
++++ b/net/llc/llc_output.c
+@@ -72,6 +72,8 @@ int llc_build_and_send_ui_pkt(struct llc
+ rc = llc_mac_hdr_init(skb, skb->dev->dev_addr, dmac);
+ if (likely(!rc))
+ rc = dev_queue_xmit(skb);
++ else
++ kfree_skb(skb);
+ return rc;
+ }
+
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Jiri Pirko <jiri@mellanox.com>
+Date: Wed, 29 May 2019 10:59:44 +0300
+Subject: mlxsw: spectrum_acl: Avoid warning after identical rules insertion
+
+From: Jiri Pirko <jiri@mellanox.com>
+
+[ Upstream commit ef74422020aa8c224b00a927e3e47faac4d8fae3 ]
+
+When identical rules are inserted, the latter one goes to C-TCAM. For
+that, a second eRP with the same mask is created. These 2 eRPs by the
+nature cannot be merged and also one cannot be parent of another.
+Teach mlxsw_sp_acl_erp_delta_fill() about this possibility and handle it
+gracefully.
+
+Reported-by: Alex Kushnarov <alexanderk@mellanox.com>
+Fixes: c22291f7cf45 ("mlxsw: spectrum: acl: Implement delta for ERP")
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_erp.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_erp.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_erp.c
+@@ -1169,13 +1169,12 @@ mlxsw_sp_acl_erp_delta_fill(const struct
+ return -EINVAL;
+ }
+ if (si == -1) {
+- /* The masks are the same, this cannot happen.
+- * That means the caller is broken.
++ /* The masks are the same, this can happen in case eRPs with
++ * the same mask were created in both A-TCAM and C-TCAM.
++ * The only possible condition under which this can happen
++ * is identical rule insertion. Delta is not possible here.
+ */
+- WARN_ON(1);
+- *delta_start = 0;
+- *delta_mask = 0;
+- return 0;
++ return -EINVAL;
+ }
+ pmask = (unsigned char) parent_key->mask[__MASK_IDX(si)];
+ mask = (unsigned char) key->mask[__MASK_IDX(si)];
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Willem de Bruijn <willemb@google.com>
+Date: Thu, 30 May 2019 18:01:21 -0400
+Subject: net: correct zerocopy refcnt with udp MSG_MORE
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 100f6d8e09905c59be45b6316f8f369c0be1b2d8 ]
+
+TCP zerocopy takes a uarg reference for every skb, plus one for the
+tcp_sendmsg_locked datapath temporarily, to avoid reaching refcnt zero
+as it builds, sends and frees skbs inside its inner loop.
+
+UDP and RAW zerocopy do not send inside the inner loop so do not need
+the extra sock_zerocopy_get + sock_zerocopy_put pair. Commit
+52900d22288ed ("udp: elide zerocopy operation in hot path") introduced
+extra_uref to pass the initial reference taken in sock_zerocopy_alloc
+to the first generated skb.
+
+But, sock_zerocopy_realloc takes this extra reference at the start of
+every call. With MSG_MORE, no new skb may be generated to attach the
+extra_uref to, so refcnt is incorrectly 2 with only one skb.
+
+Do not take the extra ref if uarg && !tcp, which implies MSG_MORE.
+Update extra_uref accordingly.
+
+This conditional assignment triggers a false positive may be used
+uninitialized warning, so have to initialize extra_uref at define.
+
+Changes v1->v2: fix typo in Fixes SHA1
+
+Fixes: 52900d22288e7 ("udp: elide zerocopy operation in hot path")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Diagnosed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 6 +++++-
+ net/ipv4/ip_output.c | 4 ++--
+ net/ipv6/ip6_output.c | 4 ++--
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -1001,7 +1001,11 @@ struct ubuf_info *sock_zerocopy_realloc(
+ uarg->len++;
+ uarg->bytelen = bytelen;
+ atomic_set(&sk->sk_zckey, ++next);
+- sock_zerocopy_get(uarg);
++
++ /* no extra ref when appending to datagram (MSG_MORE) */
++ if (sk->sk_type == SOCK_STREAM)
++ sock_zerocopy_get(uarg);
++
+ return uarg;
+ }
+ }
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -883,7 +883,7 @@ static int __ip_append_data(struct sock
+ int csummode = CHECKSUM_NONE;
+ struct rtable *rt = (struct rtable *)cork->dst;
+ unsigned int wmem_alloc_delta = 0;
+- bool paged, extra_uref;
++ bool paged, extra_uref = false;
+ u32 tskey = 0;
+
+ skb = skb_peek_tail(queue);
+@@ -923,7 +923,7 @@ static int __ip_append_data(struct sock
+ uarg = sock_zerocopy_realloc(sk, length, skb_zcopy(skb));
+ if (!uarg)
+ return -ENOBUFS;
+- extra_uref = true;
++ extra_uref = !skb; /* only extra ref if !MSG_MORE */
+ if (rt->dst.dev->features & NETIF_F_SG &&
+ csummode == CHECKSUM_PARTIAL) {
+ paged = true;
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1269,7 +1269,7 @@ static int __ip6_append_data(struct sock
+ int csummode = CHECKSUM_NONE;
+ unsigned int maxnonfragsize, headersize;
+ unsigned int wmem_alloc_delta = 0;
+- bool paged, extra_uref;
++ bool paged, extra_uref = false;
+
+ skb = skb_peek_tail(queue);
+ if (!skb) {
+@@ -1338,7 +1338,7 @@ emsgsize:
+ uarg = sock_zerocopy_realloc(sk, length, skb_zcopy(skb));
+ if (!uarg)
+ return -ENOBUFS;
+- extra_uref = true;
++ extra_uref = !skb; /* only extra ref if !MSG_MORE */
+ if (rt->dst.dev->features & NETIF_F_SG &&
+ csummode == CHECKSUM_PARTIAL) {
+ paged = true;
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Date: Wed, 29 May 2019 07:02:11 +0000
+Subject: net: dsa: mv88e6xxx: fix handling of upper half of STATS_TYPE_PORT
+
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+
+[ Upstream commit 84b3fd1fc9592d431e23b077e692fa4e3fd0f086 ]
+
+Currently, the upper half of a 4-byte STATS_TYPE_PORT statistic ends
+up in bits 47:32 of the return value, instead of bits 31:16 as they
+should.
+
+Fixes: 6e46e2d821bb ("net: dsa: mv88e6xxx: Fix u64 statistics")
+Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -892,7 +892,7 @@ static uint64_t _mv88e6xxx_get_ethtool_s
+ err = mv88e6xxx_port_read(chip, port, s->reg + 1, ®);
+ if (err)
+ return U64_MAX;
+- high = reg;
++ low |= ((u32)reg) << 16;
+ }
+ break;
+ case STATS_TYPE_BANK1:
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Andy Duan <fugang.duan@nxp.com>
+Date: Thu, 23 May 2019 01:55:28 +0000
+Subject: net: fec: fix the clk mismatch in failed_reset path
+
+From: Andy Duan <fugang.duan@nxp.com>
+
+[ Upstream commit ce8d24f9a5965a58c588f9342689702a1024433c ]
+
+Fix the clk mismatch in the error path "failed_reset" because
+below error path will disable clk_ahb and clk_ipg directly, it
+should use pm_runtime_put_noidle() instead of pm_runtime_put()
+to avoid to call runtime resume callback.
+
+Reported-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Fugang Duan <fugang.duan@nxp.com>
+Tested-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3556,7 +3556,7 @@ failed_init:
+ if (fep->reg_phy)
+ regulator_disable(fep->reg_phy);
+ failed_reset:
+- pm_runtime_put(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+ failed_regulator:
+ clk_disable_unprepare(fep->clk_ahb);
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 29 May 2019 15:36:10 -0700
+Subject: net-gro: fix use-after-free read in napi_gro_frags()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a4270d6795b0580287453ea55974d948393e66ef ]
+
+If a network driver provides to napi_gro_frags() an
+skb with a page fragment of exactly 14 bytes, the call
+to gro_pull_from_frag0() will 'consume' the fragment
+by calling skb_frag_unref(skb, 0), and the page might
+be freed and reused.
+
+Reading eth->h_proto at the end of napi_frags_skb() might
+read mangled data, or crash under specific debugging features.
+
+BUG: KASAN: use-after-free in napi_frags_skb net/core/dev.c:5833 [inline]
+BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
+Read of size 2 at addr ffff88809366840c by task syz-executor599/8957
+
+CPU: 1 PID: 8957 Comm: syz-executor599 Not tainted 5.2.0-rc1+ #32
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
+ __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
+ kasan_report+0x12/0x20 mm/kasan/common.c:614
+ __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:142
+ napi_frags_skb net/core/dev.c:5833 [inline]
+ napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
+ tun_get_user+0x2f3c/0x3ff0 drivers/net/tun.c:1991
+ tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2037
+ call_write_iter include/linux/fs.h:1872 [inline]
+ do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693
+ do_iter_write fs/read_write.c:970 [inline]
+ do_iter_write+0x184/0x610 fs/read_write.c:951
+ vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015
+ do_writev+0x15b/0x330 fs/read_write.c:1058
+
+Fixes: a50e233c50db ("net-gro: restore frag0 optimization")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -5804,7 +5804,6 @@ static struct sk_buff *napi_frags_skb(st
+ skb_reset_mac_header(skb);
+ skb_gro_reset_offset(skb);
+
+- eth = skb_gro_header_fast(skb, 0);
+ if (unlikely(skb_gro_header_hard(skb, hlen))) {
+ eth = skb_gro_header_slow(skb, hlen, 0);
+ if (unlikely(!eth)) {
+@@ -5814,6 +5813,7 @@ static struct sk_buff *napi_frags_skb(st
+ return NULL;
+ }
+ } else {
++ eth = (const struct ethhdr *)skb->data;
+ gro_pull_from_frag0(skb, hlen);
+ NAPI_GRO_CB(skb)->frag0 += hlen;
+ NAPI_GRO_CB(skb)->frag0_len -= hlen;
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Parav Pandit <parav@mellanox.com>
+Date: Fri, 10 May 2019 10:40:08 -0500
+Subject: net/mlx5: Allocate root ns memory using kzalloc to match kfree
+
+From: Parav Pandit <parav@mellanox.com>
+
+[ Upstream commit 25fa506b70cadb580c1e9cbd836d6417276d4bcd ]
+
+root ns is yet another fs core node which is freed using kfree() by
+tree_put_node().
+Rest of the other fs core objects are also allocated using kmalloc
+variants.
+
+However, root ns memory is allocated using kvzalloc().
+Hence allocate root ns memory using kzalloc().
+
+Fixes: 2530236303d9e ("net/mlx5_core: Flow steering tree initialization")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
+Reviewed-by: Mark Bloch <markb@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+@@ -2247,7 +2247,7 @@ static struct mlx5_flow_root_namespace
+ cmds = mlx5_fs_cmd_get_default_ipsec_fpga_cmds(table_type);
+
+ /* Create the root namespace */
+- root_ns = kvzalloc(sizeof(*root_ns), GFP_KERNEL);
++ root_ns = kzalloc(sizeof(*root_ns), GFP_KERNEL);
+ if (!root_ns)
+ return NULL;
+
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Parav Pandit <parav@mellanox.com>
+Date: Fri, 10 May 2019 10:26:23 -0500
+Subject: net/mlx5: Avoid double free in fs init error unwinding path
+
+From: Parav Pandit <parav@mellanox.com>
+
+[ Upstream commit 9414277a5df3669c67e818708c0f881597e0118e ]
+
+In below code flow, for ingress acl table root ns memory leads
+to double free.
+
+mlx5_init_fs
+ init_ingress_acls_root_ns()
+ init_ingress_acl_root_ns
+ kfree(steering->esw_ingress_root_ns);
+ /* steering->esw_ingress_root_ns is not marked NULL */
+ mlx5_cleanup_fs
+ cleanup_ingress_acls_root_ns
+ steering->esw_ingress_root_ns non NULL check passes.
+ kfree(steering->esw_ingress_root_ns);
+ /* double free */
+
+Similar issue exist for other tables.
+
+Hence zero out the pointers to not process the table again.
+
+Fixes: 9b93ab981e3bf ("net/mlx5: Separate ingress/egress namespaces for each vport")
+Fixes: 40c3eebb49e51 ("net/mlx5: Add support in RDMA RX steering")
+Signed-off-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Mark Bloch <markb@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+@@ -2390,6 +2390,7 @@ static void cleanup_egress_acls_root_ns(
+ cleanup_root_ns(steering->esw_egress_root_ns[i]);
+
+ kfree(steering->esw_egress_root_ns);
++ steering->esw_egress_root_ns = NULL;
+ }
+
+ static void cleanup_ingress_acls_root_ns(struct mlx5_core_dev *dev)
+@@ -2404,6 +2405,7 @@ static void cleanup_ingress_acls_root_ns
+ cleanup_root_ns(steering->esw_ingress_root_ns[i]);
+
+ kfree(steering->esw_ingress_root_ns);
++ steering->esw_ingress_root_ns = NULL;
+ }
+
+ void mlx5_cleanup_fs(struct mlx5_core_dev *dev)
+@@ -2572,6 +2574,7 @@ cleanup_root_ns:
+ for (i--; i >= 0; i--)
+ cleanup_root_ns(steering->esw_egress_root_ns[i]);
+ kfree(steering->esw_egress_root_ns);
++ steering->esw_egress_root_ns = NULL;
+ return err;
+ }
+
+@@ -2599,6 +2602,7 @@ cleanup_root_ns:
+ for (i--; i >= 0; i--)
+ cleanup_root_ns(steering->esw_ingress_root_ns[i]);
+ kfree(steering->esw_ingress_root_ns);
++ steering->esw_ingress_root_ns = NULL;
+ return err;
+ }
+
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Saeed Mahameed <saeedm@mellanox.com>
+Date: Thu, 23 May 2019 12:55:10 -0700
+Subject: net/mlx5e: Disable rxhash when CQE compress is enabled
+
+From: Saeed Mahameed <saeedm@mellanox.com>
+
+[ Upstream commit c0194e2d0ef0e5ce5e21a35640d23a706827ae28 ]
+
+When CQE compression is enabled (Multi-host systems), compressed CQEs
+might arrive to the driver rx, compressed CQEs don't have a valid hash
+offload and the driver already reports a hash value of 0 and invalid hash
+type on the skb for compressed CQEs, but this is not good enough.
+
+On a congested PCIe, where CQE compression will kick in aggressively,
+gro will deliver lots of out of order packets due to the invalid hash
+and this might cause a serious performance drop.
+
+The only valid solution, is to disable rxhash offload at all when CQE
+compression is favorable (Multi-host systems).
+
+Fixes: 7219ab34f184 ("net/mlx5e: CQE compression")
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3789,6 +3789,12 @@ static netdev_features_t mlx5e_fix_featu
+ netdev_warn(netdev, "Disabling LRO, not supported in legacy RQ\n");
+ }
+
++ if (MLX5E_GET_PFLAG(params, MLX5E_PFLAG_RX_CQE_COMPRESS)) {
++ features &= ~NETIF_F_RXHASH;
++ if (netdev->features & NETIF_F_RXHASH)
++ netdev_warn(netdev, "Disabling rxhash, not supported when CQE compress is active\n");
++ }
++
+ mutex_unlock(&priv->state_lock);
+
+ return features;
+@@ -3915,6 +3921,9 @@ int mlx5e_hwstamp_set(struct mlx5e_priv
+ memcpy(&priv->tstamp, &config, sizeof(config));
+ mutex_unlock(&priv->state_lock);
+
++ /* might need to fix some features */
++ netdev_update_features(priv->netdev);
++
+ return copy_to_user(ifr->ifr_data, &config,
+ sizeof(config)) ? -EFAULT : 0;
+ }
+@@ -4744,6 +4753,10 @@ static void mlx5e_build_nic_netdev(struc
+ if (!priv->channels.params.scatter_fcs_en)
+ netdev->features &= ~NETIF_F_RXFCS;
+
++ /* prefere CQE compression over rxhash */
++ if (MLX5E_GET_PFLAG(&priv->channels.params, MLX5E_PFLAG_RX_CQE_COMPRESS))
++ netdev->features &= ~NETIF_F_RXHASH;
++
+ #define FT_CAP(f) MLX5_CAP_FLOWTABLE(mdev, flow_table_properties_nic_receive.f)
+ if (FT_CAP(flow_modify_en) &&
+ FT_CAP(modify_root) &&
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+Date: Mon, 27 May 2019 11:04:17 +0000
+Subject: net: mvneta: Fix err code path of probe
+
+From: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+
+[ Upstream commit d484e06e25ebb937d841dac02ac1fe76ec7d4ddd ]
+
+Fix below issues in err code path of probe:
+1. we don't need to unregister_netdev() because the netdev isn't
+registered.
+2. when register_netdev() fails, we also need to destroy bm pool for
+HWBM case.
+
+Fixes: dc35a10f68d3 ("net: mvneta: bm: add support for hardware buffer management")
+Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -4619,7 +4619,7 @@ static int mvneta_probe(struct platform_
+ err = register_netdev(dev);
+ if (err < 0) {
+ dev_err(&pdev->dev, "failed to register\n");
+- goto err_free_stats;
++ goto err_netdev;
+ }
+
+ netdev_info(dev, "Using %s mac address %pM\n", mac_from,
+@@ -4630,14 +4630,12 @@ static int mvneta_probe(struct platform_
+ return 0;
+
+ err_netdev:
+- unregister_netdev(dev);
+ if (pp->bm_priv) {
+ mvneta_bm_pool_destroy(pp->bm_priv, pp->pool_long, 1 << pp->id);
+ mvneta_bm_pool_destroy(pp->bm_priv, pp->pool_short,
+ 1 << pp->id);
+ mvneta_bm_put(pp->bm_priv);
+ }
+-err_free_stats:
+ free_percpu(pp->stats);
+ err_free_ports:
+ free_percpu(pp->ports);
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Wed, 29 May 2019 15:59:48 +0200
+Subject: net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value
+
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+
+[ Upstream commit 21808437214637952b61beaba6034d97880fbeb3 ]
+
+MVPP2_TXQ_SCHED_TOKEN_CNTR_REG() expects the logical queue id but
+the current code is passing the global tx queue offset, so it ends
+up writing to unknown registers (between 0x8280 and 0x82fc, which
+seemed to be unused by the hardware). This fixes the issue by using
+the logical queue id instead.
+
+Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit")
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -1412,7 +1412,7 @@ static inline void mvpp2_xlg_max_rx_size
+ /* Set defaults to the MVPP2 port */
+ static void mvpp2_defaults_set(struct mvpp2_port *port)
+ {
+- int tx_port_num, val, queue, ptxq, lrxq;
++ int tx_port_num, val, queue, lrxq;
+
+ if (port->priv->hw_version == MVPP21) {
+ /* Update TX FIFO MIN Threshold */
+@@ -1433,11 +1433,9 @@ static void mvpp2_defaults_set(struct mv
+ mvpp2_write(port->priv, MVPP2_TXP_SCHED_FIXED_PRIO_REG, 0);
+
+ /* Close bandwidth for all queues */
+- for (queue = 0; queue < MVPP2_MAX_TXQ; queue++) {
+- ptxq = mvpp2_txq_phys(port->id, queue);
++ for (queue = 0; queue < MVPP2_MAX_TXQ; queue++)
+ mvpp2_write(port->priv,
+- MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(ptxq), 0);
+- }
++ MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(queue), 0);
+
+ /* Set refill period to 1 usec, refill tokens
+ * and bucket size to maximum
+@@ -2293,7 +2291,7 @@ static void mvpp2_txq_deinit(struct mvpp
+ txq->descs_dma = 0;
+
+ /* Set minimum bandwidth for disabled TXQs */
+- mvpp2_write(port->priv, MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(txq->id), 0);
++ mvpp2_write(port->priv, MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(txq->log_id), 0);
+
+ /* Set Tx descriptors queue starting address and size */
+ thread = mvpp2_cpu_to_thread(port->priv, get_cpu());
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Russell King <rmk+kernel@armlinux.org.uk>
+Date: Tue, 28 May 2019 10:34:42 +0100
+Subject: net: phy: marvell10g: report if the PHY fails to boot firmware
+
+From: Russell King <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit 3d3ced2ec5d71b99d72ae6910fbdf890bc2eccf0 ]
+
+Some boards do not have the PHY firmware programmed in the 3310's flash,
+which leads to the PHY not working as expected. Warn the user when the
+PHY fails to boot the firmware and refuse to initialise.
+
+Fixes: 20b2af32ff3f ("net: phy: add Marvell Alaska X 88X3310 10Gigabit PHY support")
+Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
+Tested-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/marvell10g.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/net/phy/marvell10g.c
++++ b/drivers/net/phy/marvell10g.c
+@@ -29,6 +29,9 @@
+ #define MDIO_AN_10GBT_CTRL_ADV_NBT_MASK 0x01e0
+
+ enum {
++ MV_PMA_BOOT = 0xc050,
++ MV_PMA_BOOT_FATAL = BIT(0),
++
+ MV_PCS_BASE_T = 0x0000,
+ MV_PCS_BASE_R = 0x1000,
+ MV_PCS_1000BASEX = 0x2000,
+@@ -228,6 +231,16 @@ static int mv3310_probe(struct phy_devic
+ (phydev->c45_ids.devices_in_package & mmd_mask) != mmd_mask)
+ return -ENODEV;
+
++ ret = phy_read_mmd(phydev, MDIO_MMD_PMAPMD, MV_PMA_BOOT);
++ if (ret < 0)
++ return ret;
++
++ if (ret & MV_PMA_BOOT_FATAL) {
++ dev_warn(&phydev->mdio.dev,
++ "PHY failed to boot firmware, status=%04x\n", ret);
++ return -ENODEV;
++ }
++
+ priv = devm_kzalloc(&phydev->mdio.dev, sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Vlad Buslov <vladbu@mellanox.com>
+Date: Thu, 23 May 2019 09:32:31 +0300
+Subject: net: sched: don't use tc_action->order during action dump
+
+From: Vlad Buslov <vladbu@mellanox.com>
+
+[ Upstream commit 4097e9d250fb17958c1d9b94538386edd3f20144 ]
+
+Function tcf_action_dump() relies on tc_action->order field when starting
+nested nla to send action data to userspace. This approach breaks in
+several cases:
+
+- When multiple filters point to same shared action, tc_action->order field
+ is overwritten each time it is attached to filter. This causes filter
+ dump to output action with incorrect attribute for all filters that have
+ the action in different position (different order) from the last set
+ tc_action->order value.
+
+- When action data is displayed using tc action API (RTM_GETACTION), action
+ order is overwritten by tca_action_gd() according to its position in
+ resulting array of nl attributes, which will break filter dump for all
+ filters attached to that shared action that expect it to have different
+ order value.
+
+Don't rely on tc_action->order when dumping actions. Set nla according to
+action position in resulting array of actions instead.
+
+Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_api.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -766,7 +766,7 @@ int tcf_action_dump(struct sk_buff *skb,
+
+ for (i = 0; i < TCA_ACT_MAX_PRIO && actions[i]; i++) {
+ a = actions[i];
+- nest = nla_nest_start(skb, a->order);
++ nest = nla_nest_start(skb, i + 1);
+ if (nest == NULL)
+ goto nla_put_failure;
+ err = tcf_action_dump_1(skb, a, bind, ref);
+@@ -1283,7 +1283,6 @@ tca_action_gd(struct net *net, struct nl
+ ret = PTR_ERR(act);
+ goto err;
+ }
+- act->order = i;
+ attr_size += tcf_action_fill_size(act);
+ actions[i - 1] = act;
+ }
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Weifeng Voon <weifeng.voon@intel.com>
+Date: Tue, 21 May 2019 13:38:38 +0800
+Subject: net: stmmac: dma channel control register need to be init first
+
+From: Weifeng Voon <weifeng.voon@intel.com>
+
+stmmac_init_chan() needs to be called before stmmac_init_rx_chan() and
+stmmac_init_tx_chan(). This is because if PBLx8 is to be used,
+"DMA_CH(#i)_Control.PBLx8" needs to be set before programming
+"DMA_CH(#i)_TX_Control.TxPBL" and "DMA_CH(#i)_RX_Control.RxPBL".
+
+Fixes: 47f2a9ce527a ("net: stmmac: dma channel init prepared for multiple queues")
+Reviewed-by: Zhang, Baoli <baoli.zhang@intel.com>
+Signed-off-by: Ong Boon Leong <boon.leong.ong@intel.com>
+Signed-off-by: Weifeng Voon <weifeng.voon@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2190,6 +2190,10 @@ static int stmmac_init_dma_engine(struct
+ if (priv->plat->axi)
+ stmmac_axi(priv, priv->ioaddr, priv->plat->axi);
+
++ /* DMA CSR Channel configuration */
++ for (chan = 0; chan < dma_csr_ch; chan++)
++ stmmac_init_chan(priv, priv->ioaddr, priv->plat->dma_cfg, chan);
++
+ /* DMA RX Channel Configuration */
+ for (chan = 0; chan < rx_channels_count; chan++) {
+ rx_q = &priv->rx_queue[chan];
+@@ -2215,10 +2219,6 @@ static int stmmac_init_dma_engine(struct
+ tx_q->tx_tail_addr, chan);
+ }
+
+- /* DMA CSR Channel configuration */
+- for (chan = 0; chan < dma_csr_ch; chan++)
+- stmmac_init_chan(priv, priv->ioaddr, priv->plat->dma_cfg, chan);
+-
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: "Tan, Tee Min" <tee.min.tan@intel.com>
+Date: Tue, 21 May 2019 12:55:42 +0800
+Subject: net: stmmac: fix ethtool flow control not able to get/set
+
+From: "Tan, Tee Min" <tee.min.tan@intel.com>
+
+Currently ethtool was not able to get/set the flow control due to a
+missing "!". It will always return -EOPNOTSUPP even the device is
+flow control supported.
+
+This patch fixes the condition check for ethtool flow control get/set
+function for ETHTOOL_LINK_MODE_Asym_Pause_BIT.
+
+Fixes: 3c1bcc8614db (“net: ethernet: Convert phydev advertize and supported from u32 to link mode”)
+Signed-off-by: Tan, Tee Min <tee.min.tan@intel.com>
+Reviewed-by: Ong Boon Leong <boon.leong.ong@intel.com>
+Signed-off-by: Voon, Weifeng <weifeng.voon@intel.com@intel.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ethtool.c
+@@ -460,7 +460,7 @@ stmmac_get_pauseparam(struct net_device
+ } else {
+ if (!linkmode_test_bit(ETHTOOL_LINK_MODE_Pause_BIT,
+ netdev->phydev->supported) ||
+- linkmode_test_bit(ETHTOOL_LINK_MODE_Asym_Pause_BIT,
++ !linkmode_test_bit(ETHTOOL_LINK_MODE_Asym_Pause_BIT,
+ netdev->phydev->supported))
+ return;
+ }
+@@ -491,7 +491,7 @@ stmmac_set_pauseparam(struct net_device
+ } else {
+ if (!linkmode_test_bit(ETHTOOL_LINK_MODE_Pause_BIT,
+ phy->supported) ||
+- linkmode_test_bit(ETHTOOL_LINK_MODE_Asym_Pause_BIT,
++ !linkmode_test_bit(ETHTOOL_LINK_MODE_Asym_Pause_BIT,
+ phy->supported))
+ return -EOPNOTSUPP;
+ }
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+Date: Wed, 22 May 2019 10:05:09 +0000
+Subject: net: stmmac: fix reset gpio free missing
+
+From: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+
+[ Upstream commit 49ce881c0d4c4a7a35358d9dccd5f26d0e56fc61 ]
+
+Commit 984203ceff27 ("net: stmmac: mdio: remove reset gpio free")
+removed the reset gpio free, when the driver is unbinded or rmmod,
+we miss the gpio free.
+
+This patch uses managed API to request the reset gpio, so that the
+gpio could be freed properly.
+
+Fixes: 984203ceff27 ("net: stmmac: mdio: remove reset gpio free")
+Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
+@@ -267,7 +267,8 @@ int stmmac_mdio_reset(struct mii_bus *bu
+ of_property_read_u32_array(np,
+ "snps,reset-delays-us", data->delays, 3);
+
+- if (gpio_request(data->reset_gpio, "mdio-reset"))
++ if (devm_gpio_request(priv->device, data->reset_gpio,
++ "mdio-reset"))
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+Date: Tue, 21 May 2019 19:02:00 -0700
+Subject: net/tls: avoid NULL-deref on resync during device removal
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+[ Upstream commit 38030d7cb77963ba84cdbe034806e2b81245339f ]
+
+When netdev with active kTLS sockets in unregistered
+notifier callback walks the offloaded sockets and
+cleans up offload state. RX data may still be processed,
+however, and if resync was requested prior to device
+removal we would hit a NULL pointer dereference on
+ctx->netdev use.
+
+Make sure resync is under the device offload lock
+and NULL-check the netdev pointer.
+
+This should be safe, because the pointer is set to
+NULL either in the netdev notifier (under said lock)
+or when socket is completely dead and no resync can
+happen.
+
+The other access to ctx->netdev in tls_validate_xmit_skb()
+does not dereference the pointer, it just checks it against
+other device pointer, so it should be pretty safe (perhaps
+we can add a READ_ONCE/WRITE_ONCE there, if paranoid).
+
+Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_device.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -555,8 +555,8 @@ static int tls_device_push_pending_recor
+ void handle_device_resync(struct sock *sk, u32 seq, u64 rcd_sn)
+ {
+ struct tls_context *tls_ctx = tls_get_ctx(sk);
+- struct net_device *netdev = tls_ctx->netdev;
+ struct tls_offload_context_rx *rx_ctx;
++ struct net_device *netdev;
+ u32 is_req_pending;
+ s64 resync_req;
+ u32 req_seq;
+@@ -570,10 +570,15 @@ void handle_device_resync(struct sock *s
+ is_req_pending = resync_req;
+
+ if (unlikely(is_req_pending) && req_seq == seq &&
+- atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0))
+- netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk,
+- seq + TLS_HEADER_SIZE - 1,
+- rcd_sn);
++ atomic64_try_cmpxchg(&rx_ctx->resync_req, &resync_req, 0)) {
++ seq += TLS_HEADER_SIZE - 1;
++ down_read(&device_offload_lock);
++ netdev = tls_ctx->netdev;
++ if (netdev)
++ netdev->tlsdev_ops->tls_dev_resync_rx(netdev, sk, seq,
++ rcd_sn);
++ up_read(&device_offload_lock);
++ }
+ }
+
+ static int tls_device_reencrypt(struct sock *sk, struct sk_buff *skb)
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+Date: Tue, 21 May 2019 19:02:02 -0700
+Subject: net/tls: don't ignore netdev notifications if no TLS features
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+[ Upstream commit c3f4a6c39cf269a40d45f813c05fa830318ad875 ]
+
+On device surprise removal path (the notifier) we can't
+bail just because the features are disabled. They may
+have been enabled during the lifetime of the device.
+This bug leads to leaking netdev references and
+use-after-frees if there are active connections while
+device features are cleared.
+
+Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_device.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -986,7 +986,8 @@ static int tls_dev_event(struct notifier
+ {
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+
+- if (!(dev->features & (NETIF_F_HW_TLS_RX | NETIF_F_HW_TLS_TX)))
++ if (!dev->tlsdev_ops &&
++ !(dev->features & (NETIF_F_HW_TLS_RX | NETIF_F_HW_TLS_TX)))
+ return NOTIFY_DONE;
+
+ switch (event) {
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+Date: Tue, 21 May 2019 19:02:01 -0700
+Subject: net/tls: fix state removal with feature flags off
+
+From: Jakub Kicinski <jakub.kicinski@netronome.com>
+
+[ Upstream commit 3686637e507b48525fcea6fb91e1988bdbc14530 ]
+
+TLS offload drivers shouldn't (and currently don't) block
+the TLS offload feature changes based on whether there are
+active offloaded connections or not.
+
+This seems to be a good idea, because we want the admin to
+be able to disable the TLS offload at any time, and there
+is no clean way of disabling it for active connections
+(TX side is quite problematic). So if features are cleared
+existing connections will stay offloaded until they close,
+and new connections will not attempt offload to a given
+device.
+
+However, the offload state removal handling is currently
+broken if feature flags get cleared while there are
+active TLS offloads.
+
+RX side will completely bail from cleanup, even on normal
+remove path, leaving device state dangling, potentially
+causing issues when the 5-tuple is reused. It will also
+fail to release the netdev reference.
+
+Remove the RX-side warning message, in next release cycle
+it should be printed when features are disabled, rather
+than when connection dies, but for that we need a more
+efficient method of finding connection of a given netdev
+(a'la BPF offload code).
+
+Fixes: 4799ac81e52a ("tls: Add rx inline crypto offload")
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_device.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/net/tls/tls_device.c
++++ b/net/tls/tls_device.c
+@@ -928,12 +928,6 @@ void tls_device_offload_cleanup_rx(struc
+ if (!netdev)
+ goto out;
+
+- if (!(netdev->features & NETIF_F_HW_TLS_RX)) {
+- pr_err_ratelimited("%s: device is missing NETIF_F_HW_TLS_RX cap\n",
+- __func__);
+- goto out;
+- }
+-
+ netdev->tlsdev_ops->tls_dev_del(netdev, tls_ctx,
+ TLS_OFFLOAD_CTX_DIR_RX);
+
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Wed, 29 May 2019 07:44:01 +0200
+Subject: r8169: fix MAC address being lost in PCI D3
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 59715171fbd0172a579576f46821031800a63bc5 ]
+
+(At least) RTL8168e forgets its MAC address in PCI D3. To fix this set
+the MAC address when resuming. For resuming from runtime-suspend we
+had this in place already, for resuming from S3/S5 it was missing.
+
+The commit referenced as being fixed isn't wrong, it's just the first
+one where the patch applies cleanly.
+
+Fixes: 0f07bd850d36 ("r8169: use dev_get_drvdata where possible")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reported-by: Albert Astals Cid <aacid@kde.org>
+Tested-by: Albert Astals Cid <aacid@kde.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -6814,6 +6814,8 @@ static int rtl8169_resume(struct device
+ struct net_device *dev = dev_get_drvdata(device);
+ struct rtl8169_private *tp = netdev_priv(dev);
+
++ rtl_rar_set(tp, dev->dev_addr);
++
+ clk_prepare_enable(tp->clk);
+
+ if (netif_running(dev))
+@@ -6847,6 +6849,7 @@ static int rtl8169_runtime_resume(struct
+ {
+ struct net_device *dev = dev_get_drvdata(device);
+ struct rtl8169_private *tp = netdev_priv(dev);
++
+ rtl_rar_set(tp, dev->dev_addr);
+
+ if (!tp->TxDescArray)
--- /dev/null
+bonding-802.3ad-fix-slave-link-initialization-transition-states.patch
+cxgb4-offload-vlan-flows-regardless-of-vlan-ethtype.patch
+inet-switch-ip-id-generator-to-siphash.patch
+ipv4-igmp-fix-another-memory-leak-in-igmpv3_del_delrec.patch
+ipv4-igmp-fix-build-error-if-config_ip_multicast.patch
+ipv6-consider-sk_bound_dev_if-when-binding-a-raw-socket-to-an-address.patch
+ipv6-fix-redirect-with-vrf.patch
+llc-fix-skb-leak-in-llc_build_and_send_ui_pkt.patch
+mlxsw-spectrum_acl-avoid-warning-after-identical-rules-insertion.patch
+net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-stats_type_port.patch
+net-fec-fix-the-clk-mismatch-in-failed_reset-path.patch
+net-gro-fix-use-after-free-read-in-napi_gro_frags.patch
+net-mvneta-fix-err-code-path-of-probe.patch
+net-mvpp2-fix-bad-mvpp2_txq_sched_token_cntr_reg-queue-value.patch
+net-phy-marvell10g-report-if-the-phy-fails-to-boot-firmware.patch
+net-sched-don-t-use-tc_action-order-during-action-dump.patch
+net-stmmac-fix-reset-gpio-free-missing.patch
+r8169-fix-mac-address-being-lost-in-pci-d3.patch
+usbnet-fix-kernel-crash-after-disconnect.patch
+net-mlx5-avoid-double-free-in-fs-init-error-unwinding-path.patch
+tipc-avoid-copying-bytes-beyond-the-supplied-data.patch
+net-mlx5-allocate-root-ns-memory-using-kzalloc-to-match-kfree.patch
+net-mlx5e-disable-rxhash-when-cqe-compress-is-enabled.patch
+net-stmmac-fix-ethtool-flow-control-not-able-to-get-set.patch
+net-stmmac-dma-channel-control-register-need-to-be-init-first.patch
+bnxt_en-fix-aggregation-buffer-leak-under-oom-condition.patch
+bnxt_en-fix-possible-bug-condition-when-calling-pci_disable_msix.patch
+bnxt_en-reduce-memory-usage-when-running-in-kdump-kernel.patch
+net-tls-avoid-null-deref-on-resync-during-device-removal.patch
+net-tls-fix-state-removal-with-feature-flags-off.patch
+net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
+cxgb4-revert-cxgb4-remove-sge_host_page_size-dependency-on-page-size.patch
+net-correct-zerocopy-refcnt-with-udp-msg_more.patch
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Date: Mon, 20 May 2019 15:45:36 +1200
+Subject: tipc: Avoid copying bytes beyond the supplied data
+
+From: Chris Packham <chris.packham@alliedtelesis.co.nz>
+
+TLV_SET is called with a data pointer and a len parameter that tells us
+how many bytes are pointed to by data. When invoking memcpy() we need
+to careful to only copy len bytes.
+
+Previously we would copy TLV_LENGTH(len) bytes which would copy an extra
+4 bytes past the end of the data pointer which newer GCC versions
+complain about.
+
+ In file included from test.c:17:
+ In function 'TLV_SET',
+ inlined from 'test' at test.c:186:5:
+ /usr/include/linux/tipc_config.h:317:3:
+ warning: 'memcpy' forming offset [33, 36] is out of the bounds [0, 32]
+ of object 'bearer_name' with type 'char[32]' [-Warray-bounds]
+ memcpy(TLV_DATA(tlv_ptr), data, tlv_len);
+ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ test.c: In function 'test':
+ test.c::161:10: note:
+ 'bearer_name' declared here
+ char bearer_name[TIPC_MAX_BEARER_NAME];
+ ^~~~~~~~~~~
+
+We still want to ensure any padding bytes at the end are initialised, do
+this with a explicit memset() rather than copy bytes past the end of
+data. Apply the same logic to TCM_SET.
+
+Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/tipc_config.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/include/uapi/linux/tipc_config.h
++++ b/include/uapi/linux/tipc_config.h
+@@ -307,8 +307,10 @@ static inline int TLV_SET(void *tlv, __u
+ tlv_ptr = (struct tlv_desc *)tlv;
+ tlv_ptr->tlv_type = htons(type);
+ tlv_ptr->tlv_len = htons(tlv_len);
+- if (len && data)
+- memcpy(TLV_DATA(tlv_ptr), data, tlv_len);
++ if (len && data) {
++ memcpy(TLV_DATA(tlv_ptr), data, len);
++ memset(TLV_DATA(tlv_ptr) + len, 0, TLV_SPACE(len) - tlv_len);
++ }
+ return TLV_SPACE(len);
+ }
+
+@@ -405,8 +407,10 @@ static inline int TCM_SET(void *msg, __u
+ tcm_hdr->tcm_len = htonl(msg_len);
+ tcm_hdr->tcm_type = htons(cmd);
+ tcm_hdr->tcm_flags = htons(flags);
+- if (data_len && data)
++ if (data_len && data) {
+ memcpy(TCM_DATA(msg), data, data_len);
++ memset(TCM_DATA(msg) + data_len, 0, TCM_SPACE(data_len) - msg_len);
++ }
+ return TCM_SPACE(data_len);
+ }
+
--- /dev/null
+From foo@baz Fri 31 May 2019 03:16:57 PM PDT
+From: Kloetzke Jan <Jan.Kloetzke@preh.de>
+Date: Tue, 21 May 2019 13:18:40 +0000
+Subject: usbnet: fix kernel crash after disconnect
+
+From: Kloetzke Jan <Jan.Kloetzke@preh.de>
+
+[ Upstream commit ad70411a978d1e6e97b1e341a7bde9a79af0c93d ]
+
+When disconnecting cdc_ncm the kernel sporadically crashes shortly
+after the disconnect:
+
+ [ 57.868812] Unable to handle kernel NULL pointer dereference at virtual address 00000000
+ ...
+ [ 58.006653] PC is at 0x0
+ [ 58.009202] LR is at call_timer_fn+0xec/0x1b4
+ [ 58.013567] pc : [<0000000000000000>] lr : [<ffffff80080f5130>] pstate: 00000145
+ [ 58.020976] sp : ffffff8008003da0
+ [ 58.024295] x29: ffffff8008003da0 x28: 0000000000000001
+ [ 58.029618] x27: 000000000000000a x26: 0000000000000100
+ [ 58.034941] x25: 0000000000000000 x24: ffffff8008003e68
+ [ 58.040263] x23: 0000000000000000 x22: 0000000000000000
+ [ 58.045587] x21: 0000000000000000 x20: ffffffc68fac1808
+ [ 58.050910] x19: 0000000000000100 x18: 0000000000000000
+ [ 58.056232] x17: 0000007f885aff8c x16: 0000007f883a9f10
+ [ 58.061556] x15: 0000000000000001 x14: 000000000000006e
+ [ 58.066878] x13: 0000000000000000 x12: 00000000000000ba
+ [ 58.072201] x11: ffffffc69ff1db30 x10: 0000000000000020
+ [ 58.077524] x9 : 8000100008001000 x8 : 0000000000000001
+ [ 58.082847] x7 : 0000000000000800 x6 : ffffff8008003e70
+ [ 58.088169] x5 : ffffffc69ff17a28 x4 : 00000000ffff138b
+ [ 58.093492] x3 : 0000000000000000 x2 : 0000000000000000
+ [ 58.098814] x1 : 0000000000000000 x0 : 0000000000000000
+ ...
+ [ 58.205800] [< (null)>] (null)
+ [ 58.210521] [<ffffff80080f5298>] expire_timers+0xa0/0x14c
+ [ 58.215937] [<ffffff80080f542c>] run_timer_softirq+0xe8/0x128
+ [ 58.221702] [<ffffff8008081120>] __do_softirq+0x298/0x348
+ [ 58.227118] [<ffffff80080a6304>] irq_exit+0x74/0xbc
+ [ 58.232009] [<ffffff80080e17dc>] __handle_domain_irq+0x78/0xac
+ [ 58.237857] [<ffffff8008080cf4>] gic_handle_irq+0x80/0xac
+ ...
+
+The crash happens roughly 125..130ms after the disconnect. This
+correlates with the 'delay' timer that is started on certain USB tx/rx
+errors in the URB completion handler.
+
+The problem is a race of usbnet_stop() with usbnet_start_xmit(). In
+usbnet_stop() we call usbnet_terminate_urbs() to cancel all URBs in
+flight. This only makes sense if no new URBs are submitted
+concurrently, though. But the usbnet_start_xmit() can run at the same
+time on another CPU which almost unconditionally submits an URB. The
+error callback of the new URB will then schedule the timer after it was
+already stopped.
+
+The fix adds a check if the tx queue is stopped after the tx list lock
+has been taken. This should reliably prevent the submission of new URBs
+while usbnet_terminate_urbs() does its job. The same thing is done on
+the rx side even though it might be safe due to other flags that are
+checked there.
+
+Signed-off-by: Jan Klötzke <Jan.Kloetzke@preh.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -506,6 +506,7 @@ static int rx_submit (struct usbnet *dev
+
+ if (netif_running (dev->net) &&
+ netif_device_present (dev->net) &&
++ test_bit(EVENT_DEV_OPEN, &dev->flags) &&
+ !test_bit (EVENT_RX_HALT, &dev->flags) &&
+ !test_bit (EVENT_DEV_ASLEEP, &dev->flags)) {
+ switch (retval = usb_submit_urb (urb, GFP_ATOMIC)) {
+@@ -1431,6 +1432,11 @@ netdev_tx_t usbnet_start_xmit (struct sk
+ spin_unlock_irqrestore(&dev->txq.lock, flags);
+ goto drop;
+ }
++ if (netif_queue_stopped(net)) {
++ usb_autopm_put_interface_async(dev->intf);
++ spin_unlock_irqrestore(&dev->txq.lock, flags);
++ goto drop;
++ }
+
+ #ifdef CONFIG_PM
+ /* if this triggers the device is still a sleep */
--- /dev/null
+bonding-802.3ad-fix-slave-link-initialization-transition-states.patch
+cxgb4-offload-vlan-flows-regardless-of-vlan-ethtype.patch
+ethtool-check-for-vlan-etype-or-vlan-tci-when-parsing-flow_rule.patch
+inet-switch-ip-id-generator-to-siphash.patch
+ipv4-igmp-fix-another-memory-leak-in-igmpv3_del_delrec.patch
+ipv4-igmp-fix-build-error-if-config_ip_multicast.patch
+ipv6-consider-sk_bound_dev_if-when-binding-a-raw-socket-to-an-address.patch
+ipv6-fix-redirect-with-vrf.patch
+llc-fix-skb-leak-in-llc_build_and_send_ui_pkt.patch
+mlxsw-spectrum_acl-avoid-warning-after-identical-rules-insertion.patch
+net-dsa-mv88e6xxx-fix-handling-of-upper-half-of-stats_type_port.patch
+net-fec-fix-the-clk-mismatch-in-failed_reset-path.patch
+net-gro-fix-use-after-free-read-in-napi_gro_frags.patch
+net-mvneta-fix-err-code-path-of-probe.patch
+net-mvpp2-fix-bad-mvpp2_txq_sched_token_cntr_reg-queue-value.patch
+net-phy-marvell10g-report-if-the-phy-fails-to-boot-firmware.patch
+net-sched-don-t-use-tc_action-order-during-action-dump.patch
+net-stmmac-fix-reset-gpio-free-missing.patch
+r8169-fix-mac-address-being-lost-in-pci-d3.patch
+usbnet-fix-kernel-crash-after-disconnect.patch
+net-mlx5-avoid-double-free-in-fs-init-error-unwinding-path.patch
+tipc-avoid-copying-bytes-beyond-the-supplied-data.patch
+net-mlx5-allocate-root-ns-memory-using-kzalloc-to-match-kfree.patch
+net-mlx5e-disable-rxhash-when-cqe-compress-is-enabled.patch
+net-stmmac-fix-ethtool-flow-control-not-able-to-get-set.patch
+net-stmmac-dma-channel-control-register-need-to-be-init-first.patch
+bnxt_en-fix-aggregation-buffer-leak-under-oom-condition.patch
+bnxt_en-fix-possible-bug-condition-when-calling-pci_disable_msix.patch
+bnxt_en-reduce-memory-usage-when-running-in-kdump-kernel.patch
+net-tls-fix-lowat-calculation-if-some-data-came-from-previous-record.patch
+selftests-tls-test-for-lowat-overshoot-with-multiple-records.patch
+net-tls-fix-no-wakeup-on-partial-reads.patch
+selftests-tls-add-test-for-sleeping-even-though-there-is-data.patch
+net-tls-avoid-null-deref-on-resync-during-device-removal.patch
+net-tls-fix-state-removal-with-feature-flags-off.patch
+net-tls-don-t-ignore-netdev-notifications-if-no-tls-features.patch
+cxgb4-revert-cxgb4-remove-sge_host_page_size-dependency-on-page-size.patch
+net-correct-zerocopy-refcnt-with-udp-msg_more.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
