4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 8 Aug 2019 07:47:24 +0000 (09:47 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 8 Aug 2019 07:47:24 +0000 (09:47 +0200)
added patches:
atm-iphase-fix-spectre-v1-vulnerability.patch
bnx2x-disable-multi-cos-feature.patch
compat_ioctl-pppoe-fix-pppoeiocsfwd-handling.patch
ife-error-out-when-nla-attributes-are-empty.patch
ip6_tunnel-fix-possible-use-after-free-on-xmit.patch
net-bridge-delete-local-fdb-on-device-init-failure.patch
net-bridge-mcast-don-t-delete-permanent-entries-when-fast-leave-is-enabled.patch
net-fix-ifindex-collision-during-namespace-removal.patch
net-mlx5-use-reversed-order-when-unregister-devices.patch
net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch
tipc-compat-allow-tipc-commands-without-arguments.patch

12 files changed:
queue-4.9/atm-iphase-fix-spectre-v1-vulnerability.patch [new file with mode: 0644]
queue-4.9/bnx2x-disable-multi-cos-feature.patch [new file with mode: 0644]
queue-4.9/compat_ioctl-pppoe-fix-pppoeiocsfwd-handling.patch [new file with mode: 0644]
queue-4.9/ife-error-out-when-nla-attributes-are-empty.patch [new file with mode: 0644]
queue-4.9/ip6_tunnel-fix-possible-use-after-free-on-xmit.patch [new file with mode: 0644]
queue-4.9/net-bridge-delete-local-fdb-on-device-init-failure.patch [new file with mode: 0644]
queue-4.9/net-bridge-mcast-don-t-delete-permanent-entries-when-fast-leave-is-enabled.patch [new file with mode: 0644]
queue-4.9/net-fix-ifindex-collision-during-namespace-removal.patch [new file with mode: 0644]
queue-4.9/net-mlx5-use-reversed-order-when-unregister-devices.patch [new file with mode: 0644]
queue-4.9/net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/tipc-compat-allow-tipc-commands-without-arguments.patch [new file with mode: 0644]

diff --git a/queue-4.9/atm-iphase-fix-spectre-v1-vulnerability.patch b/queue-4.9/atm-iphase-fix-spectre-v1-vulnerability.patch
new file mode 100644 (file)
index 0000000..3cbe70d
--- /dev/null
@@ -0,0 +1,62 @@
+From foo@baz Thu 08 Aug 2019 09:33:37 AM CEST
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Tue, 30 Jul 2019 22:21:41 -0500
+Subject: atm: iphase: Fix Spectre v1 vulnerability
+
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+
+[ Upstream commit ea443e5e98b5b74e317ef3d26bcaea54931ccdee ]
+
+board is controlled by user-space, hence leading to a potential
+exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/atm/iphase.c:2765 ia_ioctl() warn: potential spectre issue 'ia_dev' [r] (local cap)
+drivers/atm/iphase.c:2774 ia_ioctl() warn: possible spectre second half.  'iadev'
+drivers/atm/iphase.c:2782 ia_ioctl() warn: possible spectre second half.  'iadev'
+drivers/atm/iphase.c:2816 ia_ioctl() warn: possible spectre second half.  'iadev'
+drivers/atm/iphase.c:2823 ia_ioctl() warn: possible spectre second half.  'iadev'
+drivers/atm/iphase.c:2830 ia_ioctl() warn: potential spectre issue '_ia_dev' [r] (local cap)
+drivers/atm/iphase.c:2845 ia_ioctl() warn: possible spectre second half.  'iadev'
+drivers/atm/iphase.c:2856 ia_ioctl() warn: possible spectre second half.  'iadev'
+
+Fix this by sanitizing board before using it to index ia_dev and _ia_dev
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/atm/iphase.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/atm/iphase.c
++++ b/drivers/atm/iphase.c
+@@ -63,6 +63,7 @@
+ #include <asm/byteorder.h>  
+ #include <linux/vmalloc.h>
+ #include <linux/jiffies.h>
++#include <linux/nospec.h>
+ #include "iphase.h"             
+ #include "suni.h"               
+ #define swap_byte_order(x) (((x & 0xff) << 8) | ((x & 0xff00) >> 8))
+@@ -2760,8 +2761,11 @@ static int ia_ioctl(struct atm_dev *dev,
+    }
+    if (copy_from_user(&ia_cmds, arg, sizeof ia_cmds)) return -EFAULT; 
+    board = ia_cmds.status;
+-   if ((board < 0) || (board > iadev_count))
+-         board = 0;    
++
++      if ((board < 0) || (board > iadev_count))
++              board = 0;
++      board = array_index_nospec(board, iadev_count + 1);
++
+    iadev = ia_dev[board];
+    switch (ia_cmds.cmd) {
+    case MEMDUMP:
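Review bot: The range check kept in ia_ioctl() still accepts `board == iadev_count`, and `array_index_nospec(board, iadev_count + 1)` clamps to the same inclusive bound, so the index one past the last counted adapter stays reachable both architecturally and under speculation. If ia_dev[] holds exactly iadev_count probed entries (its declaration is not in the hunk, so this is inferred from the name), `iadev = ia_dev[board]` then reads an unused slot and the switch cases go on to use that pointer. Unless slot iadev_count is deliberately valid, tighten both lines: `if ((board < 0) || (board >= iadev_count)) board = 0;` and `board = array_index_nospec(board, iadev_count);`. The added lines are also indented differently from the surrounding context lines, and ia_ioctl() starts and ends outside the hunk.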
diff --git a/queue-4.9/bnx2x-disable-multi-cos-feature.patch b/queue-4.9/bnx2x-disable-multi-cos-feature.patch
new file mode 100644 (file)
index 0000000..43bb8e9
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Date: Tue, 23 Jul 2019 19:32:41 -0700
+Subject: bnx2x: Disable multi-cos feature.
+
+From: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+
+[ Upstream commit d1f0b5dce8fda09a7f5f04c1878f181d548e42f5 ]
+
+Commit 3968d38917eb ("bnx2x: Fix Multi-Cos.") which enabled multi-cos
+feature after prolonged time in driver added some regression causing
+numerous issues (sudden reboots, tx timeout etc.) reported by customers.
+We plan to backout this commit and submit proper fix once we have root
+cause of issues reported with this feature enabled.
+
+Fixes: 3968d38917eb ("bnx2x: Fix Multi-Cos.")
+Signed-off-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -1939,7 +1939,7 @@ u16 bnx2x_select_queue(struct net_device
+       }
+       /* select a non-FCoE queue */
+-      return fallback(dev, skb) % (BNX2X_NUM_ETH_QUEUES(bp) * bp->max_cos);
++      return fallback(dev, skb) % (BNX2X_NUM_ETH_QUEUES(bp));
+ }
+ void bnx2x_set_num_queues(struct bnx2x *bp)
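Review bot: Nothing at the call site in bnx2x_select_queue() records that dropping `bp->max_cos` from the modulus is a deliberate, temporary disablement, so a later cleanup could easily restore it. A comment such as `/* multi-CoS disabled pending root cause of the 3968d38917eb regressions: spread over ETH queues only */` would keep the reasoning with the code. The extra parentheses around `BNX2X_NUM_ETH_QUEUES(bp)` are a leftover of the old expression and can be dropped, assuming the macro's expansion is itself parenthesized (its definition is not in the hunk). The function starts above the hunk.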
diff --git a/queue-4.9/compat_ioctl-pppoe-fix-pppoeiocsfwd-handling.patch b/queue-4.9/compat_ioctl-pppoe-fix-pppoeiocsfwd-handling.patch
new file mode 100644 (file)
index 0000000..22e1571
--- /dev/null
@@ -0,0 +1,132 @@
+From foo@baz Thu 08 Aug 2019 09:33:37 AM CEST
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 30 Jul 2019 21:25:20 +0200
+Subject: compat_ioctl: pppoe: fix PPPOEIOCSFWD handling
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 055d88242a6046a1ceac3167290f054c72571cd9 ]
+
+Support for handling the PPPOEIOCSFWD ioctl in compat mode was added in
+linux-2.5.69 along with hundreds of other commands, but was always broken
+sincen only the structure is compatible, but the command number is not,
+due to the size being sizeof(size_t), or at first sizeof(sizeof((struct
+sockaddr_pppox)), which is different on 64-bit architectures.
+
+Guillaume Nault adds:
+
+  And the implementation was broken until 2016 (see 29e73269aa4d ("pppoe:
+  fix reference counting in PPPoE proxy")), and nobody ever noticed. I
+  should probably have removed this ioctl entirely instead of fixing it.
+  Clearly, it has never been used.
+
+Fix it by adding a compat_ioctl handler for all pppoe variants that
+translates the command number and then calls the regular ioctl function.
+
+All other ioctl commands handled by pppoe are compatible between 32-bit
+and 64-bit, and require compat_ptr() conversion.
+
+This should apply to all stable kernels.
+
+Acked-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/pppoe.c  |    3 +++
+ drivers/net/ppp/pppox.c  |   13 +++++++++++++
+ drivers/net/ppp/pptp.c   |    3 +++
+ fs/compat_ioctl.c        |    3 ---
+ include/linux/if_pppox.h |    3 +++
+ net/l2tp/l2tp_ppp.c      |    3 +++
+ 6 files changed, 25 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -1134,6 +1134,9 @@ static const struct proto_ops pppoe_ops
+       .recvmsg        = pppoe_recvmsg,
+       .mmap           = sock_no_mmap,
+       .ioctl          = pppox_ioctl,
++#ifdef CONFIG_COMPAT
++      .compat_ioctl   = pppox_compat_ioctl,
++#endif
+ };
+ static const struct pppox_proto pppoe_proto = {
+--- a/drivers/net/ppp/pppox.c
++++ b/drivers/net/ppp/pppox.c
+@@ -22,6 +22,7 @@
+ #include <linux/string.h>
+ #include <linux/module.h>
+ #include <linux/kernel.h>
++#include <linux/compat.h>
+ #include <linux/errno.h>
+ #include <linux/netdevice.h>
+ #include <linux/net.h>
+@@ -103,6 +104,18 @@ int pppox_ioctl(struct socket *sock, uns
+ EXPORT_SYMBOL(pppox_ioctl);
++#ifdef CONFIG_COMPAT
++int pppox_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
++{
++      if (cmd == PPPOEIOCSFWD32)
++              cmd = PPPOEIOCSFWD;
++
++      return pppox_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
++}
++
++EXPORT_SYMBOL(pppox_compat_ioctl);
++#endif
++
+ static int pppox_create(struct net *net, struct socket *sock, int protocol,
+                       int kern)
+ {
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -638,6 +638,9 @@ static const struct proto_ops pptp_ops =
+       .recvmsg    = sock_no_recvmsg,
+       .mmap       = sock_no_mmap,
+       .ioctl      = pppox_ioctl,
++#ifdef CONFIG_COMPAT
++      .compat_ioctl = pppox_compat_ioctl,
++#endif
+ };
+ static const struct pppox_proto pppox_pptp_proto = {
+--- a/fs/compat_ioctl.c
++++ b/fs/compat_ioctl.c
+@@ -1038,9 +1038,6 @@ COMPATIBLE_IOCTL(PPPIOCDISCONN)
+ COMPATIBLE_IOCTL(PPPIOCATTCHAN)
+ COMPATIBLE_IOCTL(PPPIOCGCHAN)
+ COMPATIBLE_IOCTL(PPPIOCGL2TPSTATS)
+-/* PPPOX */
+-COMPATIBLE_IOCTL(PPPOEIOCSFWD)
+-COMPATIBLE_IOCTL(PPPOEIOCDFWD)
+ /* Big A */
+ /* sparc only */
+ /* Big Q for sound/OSS */
+--- a/include/linux/if_pppox.h
++++ b/include/linux/if_pppox.h
+@@ -84,6 +84,9 @@ extern int register_pppox_proto(int prot
+ extern void unregister_pppox_proto(int proto_num);
+ extern void pppox_unbind_sock(struct sock *sk);/* delete ppp-channel binding */
+ extern int pppox_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg);
++extern int pppox_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg);
++
++#define PPPOEIOCSFWD32    _IOW(0xB1 ,0, compat_size_t)
+ /* PPPoX socket states */
+ enum {
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -1790,6 +1790,9 @@ static const struct proto_ops pppol2tp_o
+       .recvmsg        = pppol2tp_recvmsg,
+       .mmap           = sock_no_mmap,
+       .ioctl          = pppox_ioctl,
++#ifdef CONFIG_COMPAT
++      .compat_ioctl = pppox_compat_ioctl,
++#endif
+ };
+ static const struct pppox_proto pppol2tp_proto = {
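Review bot: pppox_compat_ioctl() applies compat_ptr() to the argument of every command it forwards, not just PPPOEIOCSFWD32, and nothing in the code states that assumption. The commit message says all pppox ioctls take pointer arguments; that belongs in a comment on the function, e.g. `/* PPPOEIOCSFWD encodes sizeof(size_t), so its 32-bit number differs; every pppox ioctl takes a pointer, hence the unconditional compat_ptr() */`, so that a later integer-argument command is not routed through it unnoticed. Two smaller points: kernel style puts `EXPORT_SYMBOL(pppox_compat_ioctl);` directly after the closing brace without a blank line, and PPPOEIOCSFWD32 in if_pppox.h relies on compat_size_t while no `<linux/compat.h>` include is visible in that header's hunk.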
diff --git a/queue-4.9/ife-error-out-when-nla-attributes-are-empty.patch b/queue-4.9/ife-error-out-when-nla-attributes-are-empty.patch
new file mode 100644 (file)
index 0000000..30444ce
--- /dev/null
@@ -0,0 +1,35 @@
+From foo@baz Thu 08 Aug 2019 08:59:04 AM CEST
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Mon, 22 Jul 2019 21:43:00 -0700
+Subject: ife: error out when nla attributes are empty
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit c8ec4632c6ac9cda0e8c3d51aa41eeab66585bd5 ]
+
+act_ife at least requires TCA_IFE_PARMS, so we have to bail out
+when there is no attribute passed in.
+
+Reported-by: syzbot+fbb5b288c9cb6a2eeac4@syzkaller.appspotmail.com
+Fixes: ef6980b6becb ("introduce IFE action")
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ife.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sched/act_ife.c
++++ b/net/sched/act_ife.c
+@@ -477,6 +477,9 @@ static int tcf_ife_init(struct net *net,
+       int ret = 0;
+       int err;
++      if (!nla)
++              return -EINVAL;
++
+       err = nla_parse_nested(tb, TCA_IFE_MAX, nla, ife_policy);
+       if (err < 0)
+               return err;
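Review bot: The new `if (!nla)` guard in tcf_ife_init() covers only a missing attribute nest; a nest that is present but lacks TCA_IFE_PARMS still reaches the code after nla_parse_nested(), which is outside the hunk. It is worth confirming that `tb[TCA_IFE_PARMS]` is checked for NULL there before it is read. A one-line comment above the guard, `/* TCA_IFE_PARMS is mandatory, so no attributes at all is an error */`, would tie the check to the requirement stated in the commit message.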
diff --git a/queue-4.9/ip6_tunnel-fix-possible-use-after-free-on-xmit.patch b/queue-4.9/ip6_tunnel-fix-possible-use-after-free-on-xmit.patch
new file mode 100644 (file)
index 0000000..e1be8a1
--- /dev/null
@@ -0,0 +1,52 @@
+From foo@baz Thu 08 Aug 2019 09:33:37 AM CEST
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Date: Fri, 26 Jul 2019 00:40:17 +0800
+Subject: ip6_tunnel: fix possible use-after-free on xmit
+
+From: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+
+[ Upstream commit 01f5bffad555f8e22a61f4b1261fe09cf1b96994 ]
+
+ip4ip6/ip6ip6 tunnels run iptunnel_handle_offloads on xmit which
+can cause a possible use-after-free accessing iph/ipv6h pointer
+since the packet will be 'uncloned' running pskb_expand_head if
+it is a cloned gso skb.
+
+Fixes: 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets")
+Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_tunnel.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1275,11 +1275,11 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, str
+                       fl6.flowi6_mark = skb->mark;
+       }
++      dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph));
++
+       if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6))
+               return -1;
+-      dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph));
+-
+       skb_set_inner_ipproto(skb, IPPROTO_IPIP);
+       err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu,
+@@ -1362,11 +1362,11 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, str
+                       fl6.flowi6_mark = skb->mark;
+       }
++      dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h));
++
+       if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6))
+               return -1;
+-      dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h));
+-
+       skb_set_inner_ipproto(skb, IPPROTO_IPV6);
+       err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu,
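Review bot: After the reorder, `iph` in ip4ip6_tnl_xmit() and `ipv6h` in ip6ip6_tnl_xmit() stay in scope but may point into a freed header once iptunnel_handle_offloads() has run, and nothing at either call site says so. Both functions continue past their hunks, so any later read through those pointers (not visible here) would reintroduce the use-after-free the patch removes. Add a comment before each call, e.g. `/* may reallocate the skb head: iph must not be dereferenced after this point */` (and the same for ipv6h), or reload the pointer from the skb after the call if it is needed again.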
diff --git a/queue-4.9/net-bridge-delete-local-fdb-on-device-init-failure.patch b/queue-4.9/net-bridge-delete-local-fdb-on-device-init-failure.patch
new file mode 100644 (file)
index 0000000..6023d02
--- /dev/null
@@ -0,0 +1,44 @@
+From foo@baz Thu 08 Aug 2019 09:33:37 AM CEST
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Mon, 29 Jul 2019 12:28:41 +0300
+Subject: net: bridge: delete local fdb on device init failure
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit d7bae09fa008c6c9a489580db0a5a12063b97f97 ]
+
+On initialization failure we have to delete the local fdb which was
+inserted due to the default pvid creation. This problem has been present
+since the inception of default_pvid. Note that currently there are 2 cases:
+1) in br_dev_init() when br_multicast_init() fails
+2) if register_netdevice() fails after calling ndo_init()
+
+This patch takes care of both since br_vlan_flush() is called on both
+occasions. Also the new fdb delete would be a no-op on normal bridge
+device destruction since the local fdb would've been already flushed by
+br_dev_delete(). This is not an issue for ports since nbp_vlan_init() is
+called last when adding a port thus nothing can fail after it.
+
+Reported-by: syzbot+88533dc8b582309bf3ee@syzkaller.appspotmail.com
+Fixes: 5be5a2df40f0 ("bridge: Add filtering support for default_pvid")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_vlan.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/bridge/br_vlan.c
++++ b/net/bridge/br_vlan.c
+@@ -622,6 +622,11 @@ void br_vlan_flush(struct net_bridge *br
+       ASSERT_RTNL();
++      /* delete auto-added default pvid local fdb before flushing vlans
++       * otherwise it will be leaked on bridge device init failure
++       */
++      br_fdb_delete_by_port(br, NULL, 0, 1);
++
+       vg = br_vlan_group(br);
+       __vlan_flush(vg);
+       RCU_INIT_POINTER(br->vlgrp, NULL);
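Review bot: The call `br_fdb_delete_by_port(br, NULL, 0, 1)` in br_vlan_flush() passes three bare literals whose roles cannot be read at the call site. The added comment explains why the delete is needed but not what the arguments select. Extending it with something like `NULL port: the bridge's own entries; vid 0: not limited to one vlan; last arg 1: include static/local entries` would make the intent checkable; those parameter roles are as I recall the 4.9 prototype, which is not in the hunk, so confirm them. br_vlan_flush() starts above and ends below the hunk.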
diff --git a/queue-4.9/net-bridge-mcast-don-t-delete-permanent-entries-when-fast-leave-is-enabled.patch b/queue-4.9/net-bridge-mcast-don-t-delete-permanent-entries-when-fast-leave-is-enabled.patch
new file mode 100644 (file)
index 0000000..e244bbe
--- /dev/null
@@ -0,0 +1,58 @@
+From foo@baz Thu 08 Aug 2019 09:33:37 AM CEST
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Date: Tue, 30 Jul 2019 14:21:00 +0300
+Subject: net: bridge: mcast: don't delete permanent entries when fast leave is enabled
+
+From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+
+[ Upstream commit 5c725b6b65067909548ac9ca9bc777098ec9883d ]
+
+When permanent entries were introduced by the commit below, they were
+exempt from timing out and thus igmp leave wouldn't affect them unless
+fast leave was enabled on the port which was added before permanent
+entries existed. It shouldn't matter if fast leave is enabled or not
+if the user added a permanent entry it shouldn't be deleted on igmp
+leave.
+
+Before:
+$ echo 1 > /sys/class/net/eth4/brport/multicast_fast_leave
+$ bridge mdb add dev br0 port eth4 grp 229.1.1.1 permanent
+$ bridge mdb show
+dev br0 port eth4 grp 229.1.1.1 permanent
+
+< join and leave 229.1.1.1 on eth4 >
+
+$ bridge mdb show
+$
+
+After:
+$ echo 1 > /sys/class/net/eth4/brport/multicast_fast_leave
+$ bridge mdb add dev br0 port eth4 grp 229.1.1.1 permanent
+$ bridge mdb show
+dev br0 port eth4 grp 229.1.1.1 permanent
+
+< join and leave 229.1.1.1 on eth4 >
+
+$ bridge mdb show
+dev br0 port eth4 grp 229.1.1.1 permanent
+
+Fixes: ccb1c31a7a87 ("bridge: add flags to distinguish permanent mdb entires")
+Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_multicast.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1489,6 +1489,9 @@ br_multicast_leave_group(struct net_brid
+                       if (p->port != port)
+                               continue;
++                      if (p->flags & MDB_PG_FLAGS_PERMANENT)
++                              break;
++
+                       rcu_assign_pointer(*pp, p->next);
+                       hlist_del_init(&p->mglist);
+                       del_timer(&p->timer);
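Review bot: The new `break` in br_multicast_leave_group() leaves the port-group loop as soon as the matching port's entry turns out to be permanent, and where control lands after the loop is outside the hunk. Confirm that the code following the loop is safe to run with the entry still linked, since the non-permanent path visible here unlinks it first. A comment on the check, `/* permanent entries are removed only by the user, never by a leave */`, would record why fast leave is skipped for them.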
diff --git a/queue-4.9/net-fix-ifindex-collision-during-namespace-removal.patch b/queue-4.9/net-fix-ifindex-collision-during-namespace-removal.patch
new file mode 100644 (file)
index 0000000..b806607
--- /dev/null
@@ -0,0 +1,132 @@
+From foo@baz Thu 08 Aug 2019 09:33:37 AM CEST
+From: Jiri Pirko <jiri@mellanox.com>
+Date: Sun, 28 Jul 2019 14:56:36 +0200
+Subject: net: fix ifindex collision during namespace removal
+
+From: Jiri Pirko <jiri@mellanox.com>
+
+[ Upstream commit 55b40dbf0e76b4bfb9d8b3a16a0208640a9a45df ]
+
+Commit aca51397d014 ("netns: Fix arbitrary net_device-s corruptions
+on net_ns stop.") introduced a possibility to hit a BUG in case device
+is returning back to init_net and two following conditions are met:
+1) dev->ifindex value is used in a name of another "dev%d"
+   device in init_net.
+2) dev->name is used by another device in init_net.
+
+Under real life circumstances this is hard to get. Therefore this has
+been present happily for over 10 years. To reproduce:
+
+$ ip a
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host
+       valid_lft forever preferred_lft forever
+2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
+    link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff
+3: enp0s2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
+    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
+$ ip netns add ns1
+$ ip -n ns1 link add dummy1ns1 type dummy
+$ ip -n ns1 link add dummy2ns1 type dummy
+$ ip link set enp0s2 netns ns1
+$ ip -n ns1 link set enp0s2 name dummy0
+[  100.858894] virtio_net virtio0 dummy0: renamed from enp0s2
+$ ip link add dev4 type dummy
+$ ip -n ns1 a
+1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+2: dummy1ns1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
+    link/ether 16:63:4c:38:3e:ff brd ff:ff:ff:ff:ff:ff
+3: dummy2ns1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
+    link/ether aa:9e:86:dd:6b:5d brd ff:ff:ff:ff:ff:ff
+4: dummy0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
+    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
+$ ip a
+1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host
+       valid_lft forever preferred_lft forever
+2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
+    link/ether 86:89:3f:86:61:29 brd ff:ff:ff:ff:ff:ff
+4: dev4: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
+    link/ether 5a:e1:4a:b6:ec:f8 brd ff:ff:ff:ff:ff:ff
+$ ip netns del ns1
+[  158.717795] default_device_exit: failed to move dummy0 to init_net: -17
+[  158.719316] ------------[ cut here ]------------
+[  158.720591] kernel BUG at net/core/dev.c:9824!
+[  158.722260] invalid opcode: 0000 [#1] SMP KASAN PTI
+[  158.723728] CPU: 0 PID: 56 Comm: kworker/u2:1 Not tainted 5.3.0-rc1+ #18
+[  158.725422] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-2.fc30 04/01/2014
+[  158.727508] Workqueue: netns cleanup_net
+[  158.728915] RIP: 0010:default_device_exit.cold+0x1d/0x1f
+[  158.730683] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e
+[  158.736854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282
+[  158.738752] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000
+[  158.741369] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64
+[  158.743418] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c
+[  158.745626] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000
+[  158.748405] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72
+[  158.750638] FS:  0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000
+[  158.752944] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  158.755245] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0
+[  158.757654] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  158.760012] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[  158.762758] Call Trace:
+[  158.763882]  ? dev_change_net_namespace+0xbb0/0xbb0
+[  158.766148]  ? devlink_nl_cmd_set_doit+0x520/0x520
+[  158.768034]  ? dev_change_net_namespace+0xbb0/0xbb0
+[  158.769870]  ops_exit_list.isra.0+0xa8/0x150
+[  158.771544]  cleanup_net+0x446/0x8f0
+[  158.772945]  ? unregister_pernet_operations+0x4a0/0x4a0
+[  158.775294]  process_one_work+0xa1a/0x1740
+[  158.776896]  ? pwq_dec_nr_in_flight+0x310/0x310
+[  158.779143]  ? do_raw_spin_lock+0x11b/0x280
+[  158.780848]  worker_thread+0x9e/0x1060
+[  158.782500]  ? process_one_work+0x1740/0x1740
+[  158.784454]  kthread+0x31b/0x420
+[  158.786082]  ? __kthread_create_on_node+0x3f0/0x3f0
+[  158.788286]  ret_from_fork+0x3a/0x50
+[  158.789871] ---[ end trace defd6c657c71f936 ]---
+[  158.792273] RIP: 0010:default_device_exit.cold+0x1d/0x1f
+[  158.795478] Code: 84 e8 18 c9 3e fe 0f 0b e9 70 90 ff ff e8 36 e4 52 fe 89 d9 4c 89 e2 48 c7 c6 80 d6 25 84 48 c7 c7 20 c0 25 84 e8 f4 c8 3e
+[  158.804854] RSP: 0018:ffff8880347e7b90 EFLAGS: 00010282
+[  158.807865] RAX: 000000000000003b RBX: 00000000ffffffef RCX: 0000000000000000
+[  158.811794] RDX: 0000000000000000 RSI: ffffffff8128013d RDI: ffffed10068fcf64
+[  158.816652] RBP: ffff888033550170 R08: 000000000000003b R09: fffffbfff0b94b9c
+[  158.820930] R10: fffffbfff0b94b9b R11: ffffffff85ca5cdf R12: ffff888032f28000
+[  158.825113] R13: dffffc0000000000 R14: ffff8880335501b8 R15: 1ffff110068fcf72
+[  158.829899] FS:  0000000000000000(0000) GS:ffff888036000000(0000) knlGS:0000000000000000
+[  158.834923] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  158.838164] CR2: 00007fe8b45d21d0 CR3: 00000000340b4005 CR4: 0000000000360ef0
+[  158.841917] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  158.845149] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fix this by checking if a device with the same name exists in init_net
+and fallback to original code - dev%d to allocate name - in case it does.
+
+This was found using syzkaller.
+
+Fixes: aca51397d014 ("netns: Fix arbitrary net_device-s corruptions on net_ns stop.")
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -8296,6 +8296,8 @@ static void __net_exit default_device_ex
+               /* Push remaining network devices to init_net */
+               snprintf(fb_name, IFNAMSIZ, "dev%d", dev->ifindex);
++              if (__dev_get_by_name(&init_net, fb_name))
++                      snprintf(fb_name, IFNAMSIZ, "dev%%d");
+               err = dev_change_net_namespace(dev, &init_net, fb_name);
+               if (err) {
+                       pr_emerg("%s: failed to move %s to init_net: %d\n",
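Review bot: `snprintf(fb_name, IFNAMSIZ, "dev%%d")` in default_device_exit() uses a format string only to produce the literal template `dev%d`, which is easy to misread as a call with a missing argument. A bounded copy says the same thing directly: `strlcpy(fb_name, "dev%d", IFNAMSIZ);`, with a comment such as `/* name already taken in init_net: pass the template so the core picks a free devN */`. The pr_emerg() path below is still reached if the move fails for any other reason, and the function continues past the hunk.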
diff --git a/queue-4.9/net-mlx5-use-reversed-order-when-unregister-devices.patch b/queue-4.9/net-mlx5-use-reversed-order-when-unregister-devices.patch
new file mode 100644 (file)
index 0000000..8c4af3e
--- /dev/null
@@ -0,0 +1,43 @@
+From foo@baz Thu 08 Aug 2019 09:33:37 AM CEST
+From: Mark Zhang <markz@mellanox.com>
+Date: Tue, 9 Jul 2019 05:37:12 +0300
+Subject: net/mlx5: Use reversed order when unregister devices
+
+From: Mark Zhang <markz@mellanox.com>
+
+[ Upstream commit 08aa5e7da6bce1a1963f63cf32c2e7ad434ad578 ]
+
+When lag is active, which is controlled by the bonded mlx5e netdev, mlx5
+interface unregestering must happen in the reverse order where rdma is
+unregistered (unloaded) first, to guarantee all references to the lag
+context in hardware is removed, then remove mlx5e netdev interface which
+will cleanup the lag context from hardware.
+
+Without this fix during destroy of LAG interface, we observed following
+errors:
+ * mlx5_cmd_check:752:(pid 12556): DESTROY_LAG(0x843) op_mod(0x0) failed,
+   status bad parameter(0x3), syndrome (0xe4ac33)
+ * mlx5_cmd_check:752:(pid 12556): DESTROY_LAG(0x843) op_mod(0x0) failed,
+   status bad parameter(0x3), syndrome (0xa5aee8).
+
+Fixes: a31208b1e11d ("net/mlx5_core: New init and exit flow for mlx5_core")
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Mark Zhang <markz@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/dev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c
+@@ -207,7 +207,7 @@ void mlx5_unregister_device(struct mlx5_
+       struct mlx5_interface *intf;
+       mutex_lock(&mlx5_intf_mutex);
+-      list_for_each_entry(intf, &intf_list, list)
++      list_for_each_entry_reverse(intf, &intf_list, list)
+               mlx5_remove_device(intf, priv);
+       list_del(&priv->dev_list);
+       mutex_unlock(&mlx5_intf_mutex);
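Review bot: The ordering requirement behind `list_for_each_entry_reverse()` in mlx5_unregister_device() is stated only in the commit message; at the call site the reverse walk looks arbitrary. A comment such as `/* remove in reverse order: rdma must drop its LAG references before the mlx5e netdev cleans up the LAG context */` would keep a future refactor from switching it back. The fix also assumes intf_list is ordered with mlx5e ahead of the rdma interface, which the hunk does not show.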
diff --git a/queue-4.9/net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch b/queue-4.9/net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch
new file mode 100644 (file)
index 0000000..a8337f4
--- /dev/null
@@ -0,0 +1,47 @@
+From foo@baz Thu 08 Aug 2019 09:33:37 AM CEST
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+Date: Mon, 29 Jul 2019 16:24:33 +0800
+Subject: net: sched: Fix a possible null-pointer dereference in dequeue_func()
+
+From: Jia-Ju Bai <baijiaju1990@gmail.com>
+
+[ Upstream commit 051c7b39be4a91f6b7d8c4548444e4b850f1f56c ]
+
+In dequeue_func(), there is an if statement on line 74 to check whether
+skb is NULL:
+    if (skb)
+
+When skb is NULL, it is used on line 77:
+    prefetch(&skb->end);
+
+Thus, a possible null-pointer dereference may occur.
+
+To fix this bug, skb->end is used when skb is not NULL.
+
+This bug is found by a static analysis tool STCheck written by us.
+
+Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
+Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_codel.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/sched/sch_codel.c
++++ b/net/sched/sch_codel.c
+@@ -71,10 +71,10 @@ static struct sk_buff *dequeue_func(stru
+       struct Qdisc *sch = ctx;
+       struct sk_buff *skb = __qdisc_dequeue_head(&sch->q);
+-      if (skb)
++      if (skb) {
+               sch->qstats.backlog -= qdisc_pkt_len(skb);
+-
+-      prefetch(&skb->end); /* we'll need skb_shinfo() */
++              prefetch(&skb->end); /* we'll need skb_shinfo() */
++      }
+       return skb;
+ }
index dbf9239e526285544fab68e083a1f50a36b90399..26bd378eaa1ffc5242a29115a9209887d9256471 100644 (file)
@@ -12,3 +12,14 @@ ib-directly-cast-the-sockaddr-union-to-aockaddr.patch
 objtool-add-machine_real_restart-to-the-noreturn-list.patch
 objtool-add-rewind_stack_do_exit-to-the-noreturn-list.patch
 libceph-use-kbasename-and-kill-ceph_file_part.patch
+atm-iphase-fix-spectre-v1-vulnerability.patch
+net-bridge-delete-local-fdb-on-device-init-failure.patch
+net-bridge-mcast-don-t-delete-permanent-entries-when-fast-leave-is-enabled.patch
+net-fix-ifindex-collision-during-namespace-removal.patch
+net-mlx5-use-reversed-order-when-unregister-devices.patch
+net-sched-fix-a-possible-null-pointer-dereference-in-dequeue_func.patch
+tipc-compat-allow-tipc-commands-without-arguments.patch
+compat_ioctl-pppoe-fix-pppoeiocsfwd-handling.patch
+ip6_tunnel-fix-possible-use-after-free-on-xmit.patch
+ife-error-out-when-nla-attributes-are-empty.patch
+bnx2x-disable-multi-cos-feature.patch
diff --git a/queue-4.9/tipc-compat-allow-tipc-commands-without-arguments.patch b/queue-4.9/tipc-compat-allow-tipc-commands-without-arguments.patch
new file mode 100644 (file)
index 0000000..5495b39
--- /dev/null
@@ -0,0 +1,85 @@
+From foo@baz Thu 08 Aug 2019 09:33:37 AM CEST
+From: Taras Kondratiuk <takondra@cisco.com>
+Date: Mon, 29 Jul 2019 22:15:07 +0000
+Subject: tipc: compat: allow tipc commands without arguments
+
+From: Taras Kondratiuk <takondra@cisco.com>
+
+[ Upstream commit 4da5f0018eef4c0de31675b670c80e82e13e99d1 ]
+
+Commit 2753ca5d9009 ("tipc: fix uninit-value in tipc_nl_compat_doit")
+broke older tipc tools that use compat interface (e.g. tipc-config from
+tipcutils package):
+
+% tipc-config -p
+operation not supported
+
+The commit started to reject TIPC netlink compat messages that do not
+have attributes. It is too restrictive because some of such messages are
+valid (they don't need any arguments):
+
+% grep 'tx none' include/uapi/linux/tipc_config.h
+#define  TIPC_CMD_NOOP              0x0000    /* tx none, rx none */
+#define  TIPC_CMD_GET_MEDIA_NAMES   0x0002    /* tx none, rx media_name(s) */
+#define  TIPC_CMD_GET_BEARER_NAMES  0x0003    /* tx none, rx bearer_name(s) */
+#define  TIPC_CMD_SHOW_PORTS        0x0006    /* tx none, rx ultra_string */
+#define  TIPC_CMD_GET_REMOTE_MNG    0x4003    /* tx none, rx unsigned */
+#define  TIPC_CMD_GET_MAX_PORTS     0x4004    /* tx none, rx unsigned */
+#define  TIPC_CMD_GET_NETID         0x400B    /* tx none, rx unsigned */
+#define  TIPC_CMD_NOT_NET_ADMIN     0xC001    /* tx none, rx none */
+
+This patch relaxes the original fix and rejects messages without
+arguments only if such arguments are expected by a command (reg_type is
+non zero).
+
+Fixes: 2753ca5d9009 ("tipc: fix uninit-value in tipc_nl_compat_doit")
+Cc: stable@vger.kernel.org
+Signed-off-by: Taras Kondratiuk <takondra@cisco.com>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/netlink_compat.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -55,6 +55,7 @@ struct tipc_nl_compat_msg {
+       int rep_type;
+       int rep_size;
+       int req_type;
++      int req_size;
+       struct net *net;
+       struct sk_buff *rep;
+       struct tlv_desc *req;
+@@ -252,7 +253,8 @@ static int tipc_nl_compat_dumpit(struct
+       int err;
+       struct sk_buff *arg;
+-      if (msg->req_type && !TLV_CHECK_TYPE(msg->req, msg->req_type))
++      if (msg->req_type && (!msg->req_size ||
++                            !TLV_CHECK_TYPE(msg->req, msg->req_type)))
+               return -EINVAL;
+       msg->rep = tipc_tlv_alloc(msg->rep_size);
+@@ -345,7 +347,8 @@ static int tipc_nl_compat_doit(struct ti
+ {
+       int err;
+-      if (msg->req_type && !TLV_CHECK_TYPE(msg->req, msg->req_type))
++      if (msg->req_type && (!msg->req_size ||
++                            !TLV_CHECK_TYPE(msg->req, msg->req_type)))
+               return -EINVAL;
+       err = __tipc_nl_compat_doit(cmd, msg);
+@@ -1267,8 +1270,8 @@ static int tipc_nl_compat_recv(struct sk
+               goto send;
+       }
+-      len = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN);
+-      if (!len || !TLV_OK(msg.req, len)) {
++      msg.req_size = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN);
++      if (msg.req_size && !TLV_OK(msg.req, msg.req_size)) {
+               msg.rep = tipc_get_err_tlv(TIPC_CFG_NOT_SUPPORTED);
+               err = -EOPNOTSUPP;
+               goto send;
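Review bot: With the length test in tipc_nl_compat_recv() relaxed to `msg.req_size && !TLV_OK(...)`, a zero-length request now reaches the command handlers, and the only remaining guard is the `!msg->req_size` test added to tipc_nl_compat_dumpit() and tipc_nl_compat_doit(), which applies only when `msg->req_type` is non-zero. Any handler that reads `msg->req` without declaring a req_type, or without going through those two functions, would again parse a TLV that was never validated; those handlers are outside the hunks and should be audited. The duplicated condition could live in one small helper so both callers stay in step, for example `static bool tipc_nl_compat_req_ok(struct tipc_nl_compat_msg *msg)` returning `!msg->req_type || (msg->req_size && TLV_CHECK_TYPE(msg->req, msg->req_type))`.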