--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Mon, 23 Apr 2018 11:43:08 -0500
+Subject: amd-xgbe: Add pre/post auto-negotiation phy hooks
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+
+[ Upstream commit 4d945663a6a0acf3cbe45940503f2eb9584bfee7 ]
+
+Add hooks to the driver auto-negotiation (AN) flow to allow the different
+phy implementations to perform any steps necessary to improve AN.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 16 ++++++++++++++--
+ drivers/net/ethernet/amd/xgbe/xgbe.h | 5 +++++
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+@@ -437,6 +437,9 @@ static void xgbe_an73_disable(struct xgb
+
+ static void xgbe_an_restart(struct xgbe_prv_data *pdata)
+ {
++ if (pdata->phy_if.phy_impl.an_pre)
++ pdata->phy_if.phy_impl.an_pre(pdata);
++
+ switch (pdata->an_mode) {
+ case XGBE_AN_MODE_CL73:
+ case XGBE_AN_MODE_CL73_REDRV:
+@@ -453,6 +456,9 @@ static void xgbe_an_restart(struct xgbe_
+
+ static void xgbe_an_disable(struct xgbe_prv_data *pdata)
+ {
++ if (pdata->phy_if.phy_impl.an_post)
++ pdata->phy_if.phy_impl.an_post(pdata);
++
+ switch (pdata->an_mode) {
+ case XGBE_AN_MODE_CL73:
+ case XGBE_AN_MODE_CL73_REDRV:
+@@ -637,11 +643,11 @@ static enum xgbe_an xgbe_an73_incompat_l
+ return XGBE_AN_NO_LINK;
+ }
+
+- xgbe_an73_disable(pdata);
++ xgbe_an_disable(pdata);
+
+ xgbe_switch_mode(pdata);
+
+- xgbe_an73_restart(pdata);
++ xgbe_an_restart(pdata);
+
+ return XGBE_AN_INCOMPAT_LINK;
+ }
+@@ -820,6 +826,9 @@ static void xgbe_an37_state_machine(stru
+ pdata->an_result = pdata->an_state;
+ pdata->an_state = XGBE_AN_READY;
+
++ if (pdata->phy_if.phy_impl.an_post)
++ pdata->phy_if.phy_impl.an_post(pdata);
++
+ netif_dbg(pdata, link, pdata->netdev, "CL37 AN result: %s\n",
+ xgbe_state_as_string(pdata->an_result));
+ }
+@@ -903,6 +912,9 @@ again:
+ pdata->kx_state = XGBE_RX_BPA;
+ pdata->an_start = 0;
+
++ if (pdata->phy_if.phy_impl.an_post)
++ pdata->phy_if.phy_impl.an_post(pdata);
++
+ netif_dbg(pdata, link, pdata->netdev, "CL73 AN result: %s\n",
+ xgbe_state_as_string(pdata->an_result));
+ }
+--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
+@@ -833,6 +833,7 @@ struct xgbe_hw_if {
+ /* This structure represents implementation specific routines for an
+ * implementation of a PHY. All routines are required unless noted below.
+ * Optional routines:
++ * an_pre, an_post
+ * kr_training_pre, kr_training_post
+ */
+ struct xgbe_phy_impl_if {
+@@ -875,6 +876,10 @@ struct xgbe_phy_impl_if {
+ /* Process results of auto-negotiation */
+ enum xgbe_mode (*an_outcome)(struct xgbe_prv_data *);
+
++ /* Pre/Post auto-negotiation support */
++ void (*an_pre)(struct xgbe_prv_data *);
++ void (*an_post)(struct xgbe_prv_data *);
++
+ /* Pre/Post KR training enablement support */
+ void (*kr_training_pre)(struct xgbe_prv_data *);
+ void (*kr_training_post)(struct xgbe_prv_data *);
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Mon, 23 Apr 2018 11:43:17 -0500
+Subject: amd-xgbe: Improve KR auto-negotiation and training
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+
+[ Upstream commit 96f4d430c507ed4856048c2dc9c1a2ea5b5e74e4 ]
+
+Update xgbe-phy-v2.c to make use of the auto-negotiation (AN) phy hooks
+to improve the ability to successfully complete Clause 73 AN when running
+at 10gbps. Hardware can sometimes have issues with CDR lock when the
+AN DME page exchange is being performed.
+
+The AN and KR training hooks are used as follows:
+- The pre AN hook is used to disable CDR tracking in the PHY so that the
+ DME page exchange can be successfully and consistently completed.
+- The post KR training hook is used to re-enable the CDR tracking so that
+ KR training can successfully complete.
+- The post AN hook is used to check for an unsuccessful AN which will
+ increase a CDR tracking enablement delay (up to a maximum value).
+
+Add two debugfs entries to allow control over use of the CDR tracking
+workaround. The debugfs entries allow the CDR tracking workaround to
+be disabled and determine whether to re-enable CDR tracking before or
+after link training has been initiated.
+
+Also, with these changes the receiver reset cycle that is performed during
+the link status check can be performed less often.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-common.h | 8 +
+ drivers/net/ethernet/amd/xgbe/xgbe-debugfs.c | 16 +++
+ drivers/net/ethernet/amd/xgbe/xgbe-main.c | 1
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 8 +
+ drivers/net/ethernet/amd/xgbe/xgbe-pci.c | 2
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 125 ++++++++++++++++++++++++++-
+ drivers/net/ethernet/amd/xgbe/xgbe.h | 4
+ 7 files changed, 160 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
+@@ -1321,6 +1321,10 @@
+ #define MDIO_VEND2_AN_STAT 0x8002
+ #endif
+
++#ifndef MDIO_VEND2_PMA_CDR_CONTROL
++#define MDIO_VEND2_PMA_CDR_CONTROL 0x8056
++#endif
++
+ #ifndef MDIO_CTRL1_SPEED1G
+ #define MDIO_CTRL1_SPEED1G (MDIO_CTRL1_SPEED10G & ~BMCR_SPEED100)
+ #endif
+@@ -1369,6 +1373,10 @@
+ #define XGBE_AN_CL37_TX_CONFIG_MASK 0x08
+ #define XGBE_AN_CL37_MII_CTRL_8BIT 0x0100
+
++#define XGBE_PMA_CDR_TRACK_EN_MASK 0x01
++#define XGBE_PMA_CDR_TRACK_EN_OFF 0x00
++#define XGBE_PMA_CDR_TRACK_EN_ON 0x01
++
+ /* Bit setting and getting macros
+ * The get macro will extract the current bit field value from within
+ * the variable
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-debugfs.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-debugfs.c
+@@ -519,6 +519,22 @@ void xgbe_debugfs_init(struct xgbe_prv_d
+ "debugfs_create_file failed\n");
+ }
+
++ if (pdata->vdata->an_cdr_workaround) {
++ pfile = debugfs_create_bool("an_cdr_workaround", 0600,
++ pdata->xgbe_debugfs,
++ &pdata->debugfs_an_cdr_workaround);
++ if (!pfile)
++ netdev_err(pdata->netdev,
++ "debugfs_create_bool failed\n");
++
++ pfile = debugfs_create_bool("an_cdr_track_early", 0600,
++ pdata->xgbe_debugfs,
++ &pdata->debugfs_an_cdr_track_early);
++ if (!pfile)
++ netdev_err(pdata->netdev,
++ "debugfs_create_bool failed\n");
++ }
++
+ kfree(buf);
+ }
+
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-main.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-main.c
+@@ -349,6 +349,7 @@ int xgbe_config_netdev(struct xgbe_prv_d
+ XGMAC_SET_BITS(pdata->rss_options, MAC_RSSCR, UDP4TE, 1);
+
+ /* Call MDIO/PHY initialization routine */
++ pdata->debugfs_an_cdr_workaround = pdata->vdata->an_cdr_workaround;
+ ret = pdata->phy_if.phy_init(pdata);
+ if (ret)
+ return ret;
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+@@ -432,6 +432,8 @@ static void xgbe_an73_disable(struct xgb
+ xgbe_an73_set(pdata, false, false);
+ xgbe_an73_disable_interrupts(pdata);
+
++ pdata->an_start = 0;
++
+ netif_dbg(pdata, link, pdata->netdev, "CL73 AN disabled\n");
+ }
+
+@@ -511,11 +513,11 @@ static enum xgbe_an xgbe_an73_tx_trainin
+ XMDIO_WRITE(pdata, MDIO_MMD_PMAPMD, MDIO_PMA_10GBR_PMD_CTRL,
+ reg);
+
+- if (pdata->phy_if.phy_impl.kr_training_post)
+- pdata->phy_if.phy_impl.kr_training_post(pdata);
+-
+ netif_dbg(pdata, link, pdata->netdev,
+ "KR training initiated\n");
++
++ if (pdata->phy_if.phy_impl.kr_training_post)
++ pdata->phy_if.phy_impl.kr_training_post(pdata);
+ }
+
+ return XGBE_AN_PAGE_RECEIVED;
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-pci.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-pci.c
+@@ -456,6 +456,7 @@ static const struct xgbe_version_data xg
+ .irq_reissue_support = 1,
+ .tx_desc_prefetch = 5,
+ .rx_desc_prefetch = 5,
++ .an_cdr_workaround = 1,
+ };
+
+ static const struct xgbe_version_data xgbe_v2b = {
+@@ -470,6 +471,7 @@ static const struct xgbe_version_data xg
+ .irq_reissue_support = 1,
+ .tx_desc_prefetch = 5,
+ .rx_desc_prefetch = 5,
++ .an_cdr_workaround = 1,
+ };
+
+ static const struct pci_device_id xgbe_pci_table[] = {
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -147,6 +147,14 @@
+ /* Rate-change complete wait/retry count */
+ #define XGBE_RATECHANGE_COUNT 500
+
++/* CDR delay values for KR support (in usec) */
++#define XGBE_CDR_DELAY_INIT 10000
++#define XGBE_CDR_DELAY_INC 10000
++#define XGBE_CDR_DELAY_MAX 100000
++
++/* RRC frequency during link status check */
++#define XGBE_RRC_FREQUENCY 10
++
+ enum xgbe_port_mode {
+ XGBE_PORT_MODE_RSVD = 0,
+ XGBE_PORT_MODE_BACKPLANE,
+@@ -355,6 +363,10 @@ struct xgbe_phy_data {
+ unsigned int redrv_addr;
+ unsigned int redrv_lane;
+ unsigned int redrv_model;
++
++ /* KR AN support */
++ unsigned int phy_cdr_notrack;
++ unsigned int phy_cdr_delay;
+ };
+
+ /* I2C, MDIO and GPIO lines are muxed, so only one device at a time */
+@@ -2361,7 +2373,7 @@ static int xgbe_phy_link_status(struct x
+ return 1;
+
+ /* No link, attempt a receiver reset cycle */
+- if (phy_data->rrc_count++) {
++ if (phy_data->rrc_count++ > XGBE_RRC_FREQUENCY) {
+ phy_data->rrc_count = 0;
+ xgbe_phy_rrc(pdata);
+ }
+@@ -2669,6 +2681,103 @@ static bool xgbe_phy_port_enabled(struct
+ return true;
+ }
+
++static void xgbe_phy_cdr_track(struct xgbe_prv_data *pdata)
++{
++ struct xgbe_phy_data *phy_data = pdata->phy_data;
++
++ if (!pdata->debugfs_an_cdr_workaround)
++ return;
++
++ if (!phy_data->phy_cdr_notrack)
++ return;
++
++ usleep_range(phy_data->phy_cdr_delay,
++ phy_data->phy_cdr_delay + 500);
++
++ XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_VEND2_PMA_CDR_CONTROL,
++ XGBE_PMA_CDR_TRACK_EN_MASK,
++ XGBE_PMA_CDR_TRACK_EN_ON);
++
++ phy_data->phy_cdr_notrack = 0;
++}
++
++static void xgbe_phy_cdr_notrack(struct xgbe_prv_data *pdata)
++{
++ struct xgbe_phy_data *phy_data = pdata->phy_data;
++
++ if (!pdata->debugfs_an_cdr_workaround)
++ return;
++
++ if (phy_data->phy_cdr_notrack)
++ return;
++
++ XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_VEND2_PMA_CDR_CONTROL,
++ XGBE_PMA_CDR_TRACK_EN_MASK,
++ XGBE_PMA_CDR_TRACK_EN_OFF);
++
++ xgbe_phy_rrc(pdata);
++
++ phy_data->phy_cdr_notrack = 1;
++}
++
++static void xgbe_phy_kr_training_post(struct xgbe_prv_data *pdata)
++{
++ if (!pdata->debugfs_an_cdr_track_early)
++ xgbe_phy_cdr_track(pdata);
++}
++
++static void xgbe_phy_kr_training_pre(struct xgbe_prv_data *pdata)
++{
++ if (pdata->debugfs_an_cdr_track_early)
++ xgbe_phy_cdr_track(pdata);
++}
++
++static void xgbe_phy_an_post(struct xgbe_prv_data *pdata)
++{
++ struct xgbe_phy_data *phy_data = pdata->phy_data;
++
++ switch (pdata->an_mode) {
++ case XGBE_AN_MODE_CL73:
++ case XGBE_AN_MODE_CL73_REDRV:
++ if (phy_data->cur_mode != XGBE_MODE_KR)
++ break;
++
++ xgbe_phy_cdr_track(pdata);
++
++ switch (pdata->an_result) {
++ case XGBE_AN_READY:
++ case XGBE_AN_COMPLETE:
++ break;
++ default:
++ if (phy_data->phy_cdr_delay < XGBE_CDR_DELAY_MAX)
++ phy_data->phy_cdr_delay += XGBE_CDR_DELAY_INC;
++ else
++ phy_data->phy_cdr_delay = XGBE_CDR_DELAY_INIT;
++ break;
++ }
++ break;
++ default:
++ break;
++ }
++}
++
++static void xgbe_phy_an_pre(struct xgbe_prv_data *pdata)
++{
++ struct xgbe_phy_data *phy_data = pdata->phy_data;
++
++ switch (pdata->an_mode) {
++ case XGBE_AN_MODE_CL73:
++ case XGBE_AN_MODE_CL73_REDRV:
++ if (phy_data->cur_mode != XGBE_MODE_KR)
++ break;
++
++ xgbe_phy_cdr_notrack(pdata);
++ break;
++ default:
++ break;
++ }
++}
++
+ static void xgbe_phy_stop(struct xgbe_prv_data *pdata)
+ {
+ struct xgbe_phy_data *phy_data = pdata->phy_data;
+@@ -2680,6 +2789,9 @@ static void xgbe_phy_stop(struct xgbe_pr
+ xgbe_phy_sfp_reset(phy_data);
+ xgbe_phy_sfp_mod_absent(pdata);
+
++ /* Reset CDR support */
++ xgbe_phy_cdr_track(pdata);
++
+ /* Power off the PHY */
+ xgbe_phy_power_off(pdata);
+
+@@ -2712,6 +2824,9 @@ static int xgbe_phy_start(struct xgbe_pr
+ /* Start in highest supported mode */
+ xgbe_phy_set_mode(pdata, phy_data->start_mode);
+
++ /* Reset CDR support */
++ xgbe_phy_cdr_track(pdata);
++
+ /* After starting the I2C controller, we can check for an SFP */
+ switch (phy_data->port_mode) {
+ case XGBE_PORT_MODE_SFP:
+@@ -3019,6 +3134,8 @@ static int xgbe_phy_init(struct xgbe_prv
+ }
+ }
+
++ phy_data->phy_cdr_delay = XGBE_CDR_DELAY_INIT;
++
+ /* Register for driving external PHYs */
+ mii = devm_mdiobus_alloc(pdata->dev);
+ if (!mii) {
+@@ -3071,4 +3188,10 @@ void xgbe_init_function_ptrs_phy_v2(stru
+ phy_impl->an_advertising = xgbe_phy_an_advertising;
+
+ phy_impl->an_outcome = xgbe_phy_an_outcome;
++
++ phy_impl->an_pre = xgbe_phy_an_pre;
++ phy_impl->an_post = xgbe_phy_an_post;
++
++ phy_impl->kr_training_pre = xgbe_phy_kr_training_pre;
++ phy_impl->kr_training_post = xgbe_phy_kr_training_post;
+ }
+--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
+@@ -994,6 +994,7 @@ struct xgbe_version_data {
+ unsigned int irq_reissue_support;
+ unsigned int tx_desc_prefetch;
+ unsigned int rx_desc_prefetch;
++ unsigned int an_cdr_workaround;
+ };
+
+ struct xgbe_vxlan_data {
+@@ -1262,6 +1263,9 @@ struct xgbe_prv_data {
+ unsigned int debugfs_xprop_reg;
+
+ unsigned int debugfs_xi2c_reg;
++
++ bool debugfs_an_cdr_workaround;
++ bool debugfs_an_cdr_track_early;
+ };
+
+ /* Function prototypes*/
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Mon, 23 Apr 2018 11:43:34 -0500
+Subject: amd-xgbe: Only use the SFP supported transceiver signals
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+
+[ Upstream commit 117df655f8ed51adb6e6b163812a06ebeae9f453 ]
+
+The SFP eeprom indicates the transceiver signals (Rx LOS, Tx Fault, etc.)
+that it supports. Update the driver to include checking the eeprom data
+when deciding whether to use a transceiver signal.
+
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 71 +++++++++++++++++++++-------
+ 1 file changed, 54 insertions(+), 17 deletions(-)
+
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -253,6 +253,10 @@ enum xgbe_sfp_speed {
+ #define XGBE_SFP_BASE_VENDOR_SN 4
+ #define XGBE_SFP_BASE_VENDOR_SN_LEN 16
+
++#define XGBE_SFP_EXTD_OPT1 1
++#define XGBE_SFP_EXTD_OPT1_RX_LOS BIT(1)
++#define XGBE_SFP_EXTD_OPT1_TX_FAULT BIT(3)
++
+ #define XGBE_SFP_EXTD_DIAG 28
+ #define XGBE_SFP_EXTD_DIAG_ADDR_CHANGE BIT(2)
+
+@@ -332,6 +336,7 @@ struct xgbe_phy_data {
+
+ unsigned int sfp_gpio_address;
+ unsigned int sfp_gpio_mask;
++ unsigned int sfp_gpio_inputs;
+ unsigned int sfp_gpio_rx_los;
+ unsigned int sfp_gpio_tx_fault;
+ unsigned int sfp_gpio_mod_absent;
+@@ -986,6 +991,49 @@ static void xgbe_phy_sfp_external_phy(st
+ phy_data->sfp_phy_avail = 1;
+ }
+
++static bool xgbe_phy_check_sfp_rx_los(struct xgbe_phy_data *phy_data)
++{
++ u8 *sfp_extd = phy_data->sfp_eeprom.extd;
++
++ if (!(sfp_extd[XGBE_SFP_EXTD_OPT1] & XGBE_SFP_EXTD_OPT1_RX_LOS))
++ return false;
++
++ if (phy_data->sfp_gpio_mask & XGBE_GPIO_NO_RX_LOS)
++ return false;
++
++ if (phy_data->sfp_gpio_inputs & (1 << phy_data->sfp_gpio_rx_los))
++ return true;
++
++ return false;
++}
++
++static bool xgbe_phy_check_sfp_tx_fault(struct xgbe_phy_data *phy_data)
++{
++ u8 *sfp_extd = phy_data->sfp_eeprom.extd;
++
++ if (!(sfp_extd[XGBE_SFP_EXTD_OPT1] & XGBE_SFP_EXTD_OPT1_TX_FAULT))
++ return false;
++
++ if (phy_data->sfp_gpio_mask & XGBE_GPIO_NO_TX_FAULT)
++ return false;
++
++ if (phy_data->sfp_gpio_inputs & (1 << phy_data->sfp_gpio_tx_fault))
++ return true;
++
++ return false;
++}
++
++static bool xgbe_phy_check_sfp_mod_absent(struct xgbe_phy_data *phy_data)
++{
++ if (phy_data->sfp_gpio_mask & XGBE_GPIO_NO_MOD_ABSENT)
++ return false;
++
++ if (phy_data->sfp_gpio_inputs & (1 << phy_data->sfp_gpio_mod_absent))
++ return true;
++
++ return false;
++}
++
+ static bool xgbe_phy_belfuse_parse_quirks(struct xgbe_prv_data *pdata)
+ {
+ struct xgbe_phy_data *phy_data = pdata->phy_data;
+@@ -1031,6 +1079,10 @@ static void xgbe_phy_sfp_parse_eeprom(st
+ if (sfp_base[XGBE_SFP_BASE_EXT_ID] != XGBE_SFP_EXT_ID_SFP)
+ return;
+
++ /* Update transceiver signals (eeprom extd/options) */
++ phy_data->sfp_tx_fault = xgbe_phy_check_sfp_tx_fault(phy_data);
++ phy_data->sfp_rx_los = xgbe_phy_check_sfp_rx_los(phy_data);
++
+ if (xgbe_phy_sfp_parse_quirks(pdata))
+ return;
+
+@@ -1196,7 +1248,6 @@ put:
+ static void xgbe_phy_sfp_signals(struct xgbe_prv_data *pdata)
+ {
+ struct xgbe_phy_data *phy_data = pdata->phy_data;
+- unsigned int gpio_input;
+ u8 gpio_reg, gpio_ports[2];
+ int ret;
+
+@@ -1211,23 +1262,9 @@ static void xgbe_phy_sfp_signals(struct
+ return;
+ }
+
+- gpio_input = (gpio_ports[1] << 8) | gpio_ports[0];
+-
+- if (phy_data->sfp_gpio_mask & XGBE_GPIO_NO_MOD_ABSENT) {
+- /* No GPIO, just assume the module is present for now */
+- phy_data->sfp_mod_absent = 0;
+- } else {
+- if (!(gpio_input & (1 << phy_data->sfp_gpio_mod_absent)))
+- phy_data->sfp_mod_absent = 0;
+- }
+-
+- if (!(phy_data->sfp_gpio_mask & XGBE_GPIO_NO_RX_LOS) &&
+- (gpio_input & (1 << phy_data->sfp_gpio_rx_los)))
+- phy_data->sfp_rx_los = 1;
++ phy_data->sfp_gpio_inputs = (gpio_ports[1] << 8) | gpio_ports[0];
+
+- if (!(phy_data->sfp_gpio_mask & XGBE_GPIO_NO_TX_FAULT) &&
+- (gpio_input & (1 << phy_data->sfp_gpio_tx_fault)))
+- phy_data->sfp_tx_fault = 1;
++ phy_data->sfp_mod_absent = xgbe_phy_check_sfp_mod_absent(phy_data);
+ }
+
+ static void xgbe_phy_sfp_mod_absent(struct xgbe_prv_data *pdata)
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Date: Thu, 19 Apr 2018 03:16:16 -0400
+Subject: bnxt_en: Fix memory fault in bnxt_ethtool_init()
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+
+[ Upstream commit a60faa60da891e311e19fd3e88d611863f431130 ]
+
+In some firmware images, the length of BNX_DIR_TYPE_PKG_LOG nvram type
+could be greater than the fixed buffer length of 4096 bytes allocated by
+the driver. This was causing HWRM_NVM_READ to copy more data to the buffer
+than the allocated size, causing general protection fault.
+
+Fix the issue by allocating the exact buffer length returned by
+HWRM_NVM_FIND_DIR_ENTRY, instead of 4096. Move the kzalloc() call
+into the bnxt_get_pkgver() function.
+
+Fixes: 3ebf6f0a09a2 ("bnxt_en: Add installed-package firmware version reporting via Ethtool GDRVINFO")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 51 +++++++++++----------
+ drivers/net/ethernet/broadcom/bnxt/bnxt_nvm_defs.h | 2
+ 2 files changed, 28 insertions(+), 25 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+@@ -1874,22 +1874,39 @@ static char *bnxt_parse_pkglog(int desir
+ return retval;
+ }
+
+-static char *bnxt_get_pkgver(struct net_device *dev, char *buf, size_t buflen)
++static void bnxt_get_pkgver(struct net_device *dev)
+ {
++ struct bnxt *bp = netdev_priv(dev);
+ u16 index = 0;
+- u32 datalen;
++ char *pkgver;
++ u32 pkglen;
++ u8 *pkgbuf;
++ int len;
+
+ if (bnxt_find_nvram_item(dev, BNX_DIR_TYPE_PKG_LOG,
+ BNX_DIR_ORDINAL_FIRST, BNX_DIR_EXT_NONE,
+- &index, NULL, &datalen) != 0)
+- return NULL;
++ &index, NULL, &pkglen) != 0)
++ return;
++
++ pkgbuf = kzalloc(pkglen, GFP_KERNEL);
++ if (!pkgbuf) {
++ dev_err(&bp->pdev->dev, "Unable to allocate memory for pkg version, length = %u\n",
++ pkglen);
++ return;
++ }
+
+- memset(buf, 0, buflen);
+- if (bnxt_get_nvram_item(dev, index, 0, datalen, buf) != 0)
+- return NULL;
++ if (bnxt_get_nvram_item(dev, index, 0, pkglen, pkgbuf))
++ goto err;
+
+- return bnxt_parse_pkglog(BNX_PKG_LOG_FIELD_IDX_PKG_VERSION, buf,
+- datalen);
++ pkgver = bnxt_parse_pkglog(BNX_PKG_LOG_FIELD_IDX_PKG_VERSION, pkgbuf,
++ pkglen);
++ if (pkgver && *pkgver != 0 && isdigit(*pkgver)) {
++ len = strlen(bp->fw_ver_str);
++ snprintf(bp->fw_ver_str + len, FW_VER_STR_LEN - len - 1,
++ "/pkg %s", pkgver);
++ }
++err:
++ kfree(pkgbuf);
+ }
+
+ static int bnxt_get_eeprom(struct net_device *dev,
+@@ -2558,22 +2575,10 @@ void bnxt_ethtool_init(struct bnxt *bp)
+ struct hwrm_selftest_qlist_input req = {0};
+ struct bnxt_test_info *test_info;
+ struct net_device *dev = bp->dev;
+- char *pkglog;
+ int i, rc;
+
+- pkglog = kzalloc(BNX_PKG_LOG_MAX_LENGTH, GFP_KERNEL);
+- if (pkglog) {
+- char *pkgver;
+- int len;
+-
+- pkgver = bnxt_get_pkgver(dev, pkglog, BNX_PKG_LOG_MAX_LENGTH);
+- if (pkgver && *pkgver != 0 && isdigit(*pkgver)) {
+- len = strlen(bp->fw_ver_str);
+- snprintf(bp->fw_ver_str + len, FW_VER_STR_LEN - len - 1,
+- "/pkg %s", pkgver);
+- }
+- kfree(pkglog);
+- }
++ bnxt_get_pkgver(dev);
++
+ if (bp->hwrm_spec_code < 0x10704 || !BNXT_SINGLE_PF(bp))
+ return;
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_nvm_defs.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_nvm_defs.h
+@@ -59,8 +59,6 @@ enum bnxt_nvm_directory_type {
+ #define BNX_DIR_ATTR_NO_CHKSUM (1 << 0)
+ #define BNX_DIR_ATTR_PROP_STREAM (1 << 1)
+
+-#define BNX_PKG_LOG_MAX_LENGTH 4096
+-
+ enum bnxnvm_pkglog_field_index {
+ BNX_PKG_LOG_FIELD_IDX_INSTALLED_TIMESTAMP = 0,
+ BNX_PKG_LOG_FIELD_IDX_PKG_DESCRIPTION = 1,
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 22 Apr 2018 19:11:50 +0800
+Subject: bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit ddea788c63094f7c483783265563dd5b50052e28 ]
+
+After Commit 8a8efa22f51b ("bonding: sync netpoll code with bridge"), it
+would set slave_dev npinfo in slave_enable_netpoll when enslaving a dev
+if bond->dev->npinfo was set.
+
+However now slave_dev npinfo is set with bond->dev->npinfo before calling
+slave_enable_netpoll. With slave_dev npinfo set, __netpoll_setup called
+in slave_enable_netpoll will not call slave dev's .ndo_netpoll_setup().
+It causes that the lower dev of this slave dev can't set its npinfo.
+
+One way to reproduce it:
+
+ # modprobe bonding
+ # brctl addbr br0
+ # brctl addif br0 eth1
+ # ifconfig bond0 192.168.122.1/24 up
+ # ifenslave bond0 eth2
+ # systemctl restart netconsole
+ # ifenslave bond0 br0
+ # ifconfig eth2 down
+ # systemctl restart netconsole
+
+The netpoll won't really work.
+
+This patch is to remove that slave_dev npinfo setting in bond_enslave().
+
+Fixes: 8a8efa22f51b ("bonding: sync netpoll code with bridge")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1660,8 +1660,7 @@ int bond_enslave(struct net_device *bond
+ } /* switch(bond_mode) */
+
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+- slave_dev->npinfo = bond->dev->npinfo;
+- if (slave_dev->npinfo) {
++ if (bond->dev->npinfo) {
+ if (slave_enable_netpoll(new_slave)) {
+ netdev_info(bond_dev, "master_dev is using netpoll, but new slave device does not support netpoll\n");
+ res = -EBUSY;
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Olivier Gayot <olivier.gayot@sigexec.com>
+Date: Wed, 18 Apr 2018 22:03:06 +0200
+Subject: docs: ip-sysctl.txt: fix name of some ipv6 variables
+
+From: Olivier Gayot <olivier.gayot@sigexec.com>
+
+
+[ Upstream commit ab913455dd59b81204b6a0d387a44697b0e0bd85 ]
+
+The name of the following proc/sysctl entries were incorrectly
+documented:
+
+ /proc/sys/net/ipv6/conf/<interface>/max_dst_opts_number
+ /proc/sys/net/ipv6/conf/<interface>/max_hbt_opts_number
+ /proc/sys/net/ipv6/conf/<interface>/max_dst_opts_length
+ /proc/sys/net/ipv6/conf/<interface>/max_hbt_length
+
+Their name was set to the name of the symbol in the .data field of the
+control table instead of their .proc name.
+
+Signed-off-by: Olivier Gayot <olivier.gayot@sigexec.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/networking/ip-sysctl.txt | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/Documentation/networking/ip-sysctl.txt
++++ b/Documentation/networking/ip-sysctl.txt
+@@ -1386,26 +1386,26 @@ mld_qrv - INTEGER
+ Default: 2 (as specified by RFC3810 9.1)
+ Minimum: 1 (as specified by RFC6636 4.5)
+
+-max_dst_opts_cnt - INTEGER
++max_dst_opts_number - INTEGER
+ Maximum number of non-padding TLVs allowed in a Destination
+ options extension header. If this value is less than zero
+ then unknown options are disallowed and the number of known
+ TLVs allowed is the absolute value of this number.
+ Default: 8
+
+-max_hbh_opts_cnt - INTEGER
++max_hbh_opts_number - INTEGER
+ Maximum number of non-padding TLVs allowed in a Hop-by-Hop
+ options extension header. If this value is less than zero
+ then unknown options are disallowed and the number of known
+ TLVs allowed is the absolute value of this number.
+ Default: 8
+
+-max dst_opts_len - INTEGER
++max_dst_opts_length - INTEGER
+ Maximum length allowed for a Destination options extension
+ header.
+ Default: INT_MAX (unlimited)
+
+-max hbh_opts_len - INTEGER
++max_hbh_length - INTEGER
+ Maximum length allowed for a Hop-by-Hop options extension
+ header.
+ Default: INT_MAX (unlimited)
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 22 Apr 2018 18:29:23 -0700
+Subject: ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit aa8f8778493c85fff480cdf8b349b1e1dcb5f243 ]
+
+KMSAN reported use of uninit-value that I tracked to lack
+of proper size check on RTA_TABLE attribute.
+
+I also believe RTA_PREFSRC lacks a similar check.
+
+Fixes: 86872cb57925 ("[IPv6] route: FIB6 configuration using struct fib6_config")
+Fixes: c3968a857a6b ("ipv6: RTA_PREFSRC support for ipv6 route source address selection")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -3862,6 +3862,7 @@ void rt6_mtu_change(struct net_device *d
+
+ static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = {
+ [RTA_GATEWAY] = { .len = sizeof(struct in6_addr) },
++ [RTA_PREFSRC] = { .len = sizeof(struct in6_addr) },
+ [RTA_OIF] = { .type = NLA_U32 },
+ [RTA_IIF] = { .type = NLA_U32 },
+ [RTA_PRIORITY] = { .type = NLA_U32 },
+@@ -3873,6 +3874,7 @@ static const struct nla_policy rtm_ipv6_
+ [RTA_EXPIRES] = { .type = NLA_U32 },
+ [RTA_UID] = { .type = NLA_U32 },
+ [RTA_MARK] = { .type = NLA_U32 },
++ [RTA_TABLE] = { .type = NLA_U32 },
+ };
+
+ static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Ahmed Abdelsalam <amsalam20@gmail.com>
+Date: Fri, 20 Apr 2018 15:58:05 +0200
+Subject: ipv6: sr: fix NULL pointer dereference in seg6_do_srh_encap()- v4 pkts
+
+From: Ahmed Abdelsalam <amsalam20@gmail.com>
+
+
+[ Upstream commit a957fa190aa9d9168b33d460a5241a6d088c6265 ]
+
+In case of seg6 in encap mode, seg6_do_srh_encap() calls set_tun_src()
+in order to set the src addr of outer IPv6 header.
+
+The net_device is required for set_tun_src(). However calling ip6_dst_idev()
+on dst_entry in case of IPv4 traffic results on the following bug.
+
+Using just dst->dev should fix this BUG.
+
+[ 196.242461] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
+[ 196.242975] PGD 800000010f076067 P4D 800000010f076067 PUD 10f060067 PMD 0
+[ 196.243329] Oops: 0000 [#1] SMP PTI
+[ 196.243468] Modules linked in: nfsd auth_rpcgss nfs_acl nfs lockd grace fscache sunrpc crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd input_leds glue_helper led_class pcspkr serio_raw mac_hid video autofs4 hid_generic usbhid hid e1000 i2c_piix4 ahci pata_acpi libahci
+[ 196.244362] CPU: 2 PID: 1089 Comm: ping Not tainted 4.16.0+ #1
+[ 196.244606] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[ 196.244968] RIP: 0010:seg6_do_srh_encap+0x1ac/0x300
+[ 196.245236] RSP: 0018:ffffb2ce00b23a60 EFLAGS: 00010202
+[ 196.245464] RAX: 0000000000000000 RBX: ffff8c7f53eea300 RCX: 0000000000000000
+[ 196.245742] RDX: 0000f10000000000 RSI: ffff8c7f52085a6c RDI: ffff8c7f41166850
+[ 196.246018] RBP: ffffb2ce00b23aa8 R08: 00000000000261e0 R09: ffff8c7f41166800
+[ 196.246294] R10: ffffdce5040ac780 R11: ffff8c7f41166828 R12: ffff8c7f41166808
+[ 196.246570] R13: ffff8c7f52085a44 R14: ffffffffb73211c0 R15: ffff8c7e69e44200
+[ 196.246846] FS: 00007fc448789700(0000) GS:ffff8c7f59d00000(0000) knlGS:0000000000000000
+[ 196.247286] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 196.247526] CR2: 0000000000000000 CR3: 000000010f05a000 CR4: 00000000000406e0
+[ 196.247804] Call Trace:
+[ 196.247972] seg6_do_srh+0x15b/0x1c0
+[ 196.248156] seg6_output+0x3c/0x220
+[ 196.248341] ? prandom_u32+0x14/0x20
+[ 196.248526] ? ip_idents_reserve+0x6c/0x80
+[ 196.248723] ? __ip_select_ident+0x90/0x100
+[ 196.248923] ? ip_append_data.part.50+0x6c/0xd0
+[ 196.249133] lwtunnel_output+0x44/0x70
+[ 196.249328] ip_send_skb+0x15/0x40
+[ 196.249515] raw_sendmsg+0x8c3/0xac0
+[ 196.249701] ? _copy_from_user+0x2e/0x60
+[ 196.249897] ? rw_copy_check_uvector+0x53/0x110
+[ 196.250106] ? _copy_from_user+0x2e/0x60
+[ 196.250299] ? copy_msghdr_from_user+0xce/0x140
+[ 196.250508] sock_sendmsg+0x36/0x40
+[ 196.250690] ___sys_sendmsg+0x292/0x2a0
+[ 196.250881] ? _cond_resched+0x15/0x30
+[ 196.251074] ? copy_termios+0x1e/0x70
+[ 196.251261] ? _copy_to_user+0x22/0x30
+[ 196.251575] ? tty_mode_ioctl+0x1c3/0x4e0
+[ 196.251782] ? _cond_resched+0x15/0x30
+[ 196.251972] ? mutex_lock+0xe/0x30
+[ 196.252152] ? vvar_fault+0xd2/0x110
+[ 196.252337] ? __do_fault+0x1f/0xc0
+[ 196.252521] ? __handle_mm_fault+0xc1f/0x12d0
+[ 196.252727] ? __sys_sendmsg+0x63/0xa0
+[ 196.252919] __sys_sendmsg+0x63/0xa0
+[ 196.253107] do_syscall_64+0x72/0x200
+[ 196.253305] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+[ 196.253530] RIP: 0033:0x7fc4480b0690
+[ 196.253715] RSP: 002b:00007ffde9f252f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[ 196.254053] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 00007fc4480b0690
+[ 196.254331] RDX: 0000000000000000 RSI: 000000000060a360 RDI: 0000000000000003
+[ 196.254608] RBP: 00007ffde9f253f0 R08: 00000000002d1e81 R09: 0000000000000002
+[ 196.254884] R10: 00007ffde9f250c0 R11: 0000000000000246 R12: 0000000000b22070
+[ 196.255205] R13: 20c49ba5e353f7cf R14: 431bde82d7b634db R15: 00007ffde9f278fe
+[ 196.255484] Code: a5 0f b6 45 c0 41 88 41 28 41 0f b6 41 2c 48 c1 e0 04 49 8b 54 01 38 49 8b 44 01 30 49 89 51 20 49 89 41 18 48 8b 83 b0 00 00 00 <48> 8b 30 49 8b 86 08 0b 00 00 48 8b 40 20 48 8b 50 08 48 0b 10
+[ 196.256190] RIP: seg6_do_srh_encap+0x1ac/0x300 RSP: ffffb2ce00b23a60
+[ 196.256445] CR2: 0000000000000000
+[ 196.256676] ---[ end trace 71af7d093603885c ]---
+
+Fixes: 8936ef7604c11 ("ipv6: sr: fix NULL pointer dereference when setting encap source address")
+Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
+Acked-by: David Lebrun <dlebrun@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/seg6_iptunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/seg6_iptunnel.c
++++ b/net/ipv6/seg6_iptunnel.c
+@@ -136,7 +136,7 @@ int seg6_do_srh_encap(struct sk_buff *sk
+ isrh->nexthdr = proto;
+
+ hdr->daddr = isrh->segments[isrh->first_segment];
+- set_tun_src(net, ip6_dst_idev(dst)->dev, &hdr->daddr, &hdr->saddr);
++ set_tun_src(net, dst->dev, &hdr->daddr, &hdr->saddr);
+
+ #ifdef CONFIG_IPV6_SEG6_HMAC
+ if (sr_has_hmac(isrh)) {
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 17 Apr 2018 12:07:06 -0700
+Subject: KEYS: DNS: limit the length of option strings
+
+From: Eric Biggers <ebiggers@google.com>
+
+
+[ Upstream commit 9c438d7a3a52dcc2b9ed095cb87d3a5e83cf7e60 ]
+
+Adding a dns_resolver key whose payload contains a very long option name
+resulted in that string being printed in full. This hit the WARN_ONCE()
+in set_precision() during the printk(), because printk() only supports a
+precision of up to 32767 bytes:
+
+ precision 1000000 too large
+ WARNING: CPU: 0 PID: 752 at lib/vsprintf.c:2189 vsnprintf+0x4bc/0x5b0
+
+Fix it by limiting option strings (combined name + value) to a much more
+reasonable 128 bytes. The exact limit is arbitrary, but currently the
+only recognized option is formatted as "dnserror=%lu" which fits well
+within this limit.
+
+Also ratelimit the printks.
+
+Reproducer:
+
+ perl -e 'print "#", "A" x 1000000, "\x00"' | keyctl padd dns_resolver desc @s
+
+This bug was found using syzkaller.
+
+Reported-by: Mark Rutland <mark.rutland@arm.com>
+Fixes: 4a2d789267e0 ("DNS: If the DNS server returns an error, allow that to be cached [ver #2]")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dns_resolver/dns_key.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/net/dns_resolver/dns_key.c
++++ b/net/dns_resolver/dns_key.c
+@@ -91,9 +91,9 @@ dns_resolver_preparse(struct key_prepars
+
+ next_opt = memchr(opt, '#', end - opt) ?: end;
+ opt_len = next_opt - opt;
+- if (!opt_len) {
+- printk(KERN_WARNING
+- "Empty option to dns_resolver key\n");
++ if (opt_len <= 0 || opt_len > 128) {
++ pr_warn_ratelimited("Invalid option length (%d) for dns_resolver key\n",
++ opt_len);
+ return -EINVAL;
+ }
+
+@@ -127,10 +127,8 @@ dns_resolver_preparse(struct key_prepars
+ }
+
+ bad_option_value:
+- printk(KERN_WARNING
+- "Option '%*.*s' to dns_resolver key:"
+- " bad/missing value\n",
+- opt_nlen, opt_nlen, opt);
++ pr_warn_ratelimited("Option '%*.*s' to dns_resolver key: bad/missing value\n",
++ opt_nlen, opt_nlen, opt);
+ return -EINVAL;
+ } while (opt = next_opt + 1, opt < end);
+ }
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Mon, 23 Apr 2018 16:15:14 +0200
+Subject: l2tp: check sockaddr length in pppol2tp_connect()
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+
+[ Upstream commit eb1c28c05894a4b1f6b56c5bf072205e64cfa280 ]
+
+Check sockaddr_len before dereferencing sp->sa_protocol, to ensure that
+it actually points to valid data.
+
+Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
+Reported-by: syzbot+a70ac890b23b1bf29f5c@syzkaller.appspotmail.com
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ppp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -619,6 +619,13 @@ static int pppol2tp_connect(struct socke
+ lock_sock(sk);
+
+ error = -EINVAL;
++
++ if (sockaddr_len != sizeof(struct sockaddr_pppol2tp) &&
++ sockaddr_len != sizeof(struct sockaddr_pppol2tpv3) &&
++ sockaddr_len != sizeof(struct sockaddr_pppol2tpin6) &&
++ sockaddr_len != sizeof(struct sockaddr_pppol2tpv3in6))
++ goto end;
++
+ if (sp->sa_protocol != PX_PROTO_OL2TP)
+ goto end;
+
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Thu, 19 Apr 2018 16:20:48 +0200
+Subject: l2tp: fix {pppol2tp, l2tp_dfs}_seq_stop() in case of seq_file overflow
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+
+[ Upstream commit 5411b6187adf62909e3b998ac782e722904c7487 ]
+
+Commit 0e0c3fee3a59 ("l2tp: hold reference on tunnels printed in pppol2tp proc file")
+assumed that if pppol2tp_seq_stop() was called with non-NULL private
+data (the 'v' pointer), then pppol2tp_seq_start() would not be called
+again. It turns out that this isn't guaranteed, and overflowing the
+seq_file's buffer in pppol2tp_seq_show() is a way to get into this
+situation.
+
+Therefore, pppol2tp_seq_stop() needs to reset pd->tunnel, so that
+pppol2tp_seq_start() won't drop a reference again if it gets called.
+We also have to clear pd->session, because the rest of the code expects
+a non-NULL tunnel when pd->session is set.
+
+The l2tp_debugfs module has the same issue. Fix it in the same way.
+
+Fixes: 0e0c3fee3a59 ("l2tp: hold reference on tunnels printed in pppol2tp proc file")
+Fixes: f726214d9b23 ("l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs file")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_debugfs.c | 5 ++++-
+ net/l2tp/l2tp_ppp.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/l2tp/l2tp_debugfs.c
++++ b/net/l2tp/l2tp_debugfs.c
+@@ -106,8 +106,11 @@ static void l2tp_dfs_seq_stop(struct seq
+ return;
+
+ /* Drop reference taken by last invocation of l2tp_dfs_next_tunnel() */
+- if (pd->tunnel)
++ if (pd->tunnel) {
+ l2tp_tunnel_dec_refcount(pd->tunnel);
++ pd->tunnel = NULL;
++ pd->session = NULL;
++ }
+ }
+
+ static void l2tp_dfs_seq_tunnel_show(struct seq_file *m, void *v)
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -1626,8 +1626,11 @@ static void pppol2tp_seq_stop(struct seq
+ return;
+
+ /* Drop reference taken by last invocation of pppol2tp_next_tunnel() */
+- if (pd->tunnel)
++ if (pd->tunnel) {
+ l2tp_tunnel_dec_refcount(pd->tunnel);
++ pd->tunnel = NULL;
++ pd->session = NULL;
++ }
+ }
+
+ static void pppol2tp_seq_tunnel_show(struct seq_file *m, void *v)
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Thu, 12 Apr 2018 20:50:33 +0200
+Subject: l2tp: hold reference on tunnels in netlink dumps
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+
+[ Upstream commit 5846c131c39b6d0add36ec19dc8650700690f930 ]
+
+l2tp_tunnel_find_nth() is unsafe: no reference is held on the returned
+tunnel, therefore it can be freed whenever the caller uses it.
+This patch defines l2tp_tunnel_get_nth() which works similarly, but
+also takes a reference on the returned tunnel. The caller then has to
+drop it after it stops using the tunnel.
+
+Convert netlink dumps to make them safe against concurrent tunnel
+deletion.
+
+Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_core.c | 20 ++++++++++++++++++++
+ net/l2tp/l2tp_core.h | 2 ++
+ net/l2tp/l2tp_netlink.c | 11 ++++++++---
+ 3 files changed, 30 insertions(+), 3 deletions(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -183,6 +183,26 @@ struct l2tp_tunnel *l2tp_tunnel_get(cons
+ }
+ EXPORT_SYMBOL_GPL(l2tp_tunnel_get);
+
++struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth)
++{
++ const struct l2tp_net *pn = l2tp_pernet(net);
++ struct l2tp_tunnel *tunnel;
++ int count = 0;
++
++ rcu_read_lock_bh();
++ list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
++ if (++count > nth) {
++ l2tp_tunnel_inc_refcount(tunnel);
++ rcu_read_unlock_bh();
++ return tunnel;
++ }
++ }
++ rcu_read_unlock_bh();
++
++ return NULL;
++}
++EXPORT_SYMBOL_GPL(l2tp_tunnel_get_nth);
++
+ /* Lookup a session. A new reference is held on the returned session. */
+ struct l2tp_session *l2tp_session_get(const struct net *net,
+ struct l2tp_tunnel *tunnel,
+--- a/net/l2tp/l2tp_core.h
++++ b/net/l2tp/l2tp_core.h
+@@ -212,6 +212,8 @@ static inline void *l2tp_session_priv(st
+ }
+
+ struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id);
++struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth);
++
+ void l2tp_tunnel_free(struct l2tp_tunnel *tunnel);
+
+ struct l2tp_session *l2tp_session_get(const struct net *net,
+--- a/net/l2tp/l2tp_netlink.c
++++ b/net/l2tp/l2tp_netlink.c
+@@ -487,14 +487,17 @@ static int l2tp_nl_cmd_tunnel_dump(struc
+ struct net *net = sock_net(skb->sk);
+
+ for (;;) {
+- tunnel = l2tp_tunnel_find_nth(net, ti);
++ tunnel = l2tp_tunnel_get_nth(net, ti);
+ if (tunnel == NULL)
+ goto out;
+
+ if (l2tp_nl_tunnel_send(skb, NETLINK_CB(cb->skb).portid,
+ cb->nlh->nlmsg_seq, NLM_F_MULTI,
+- tunnel, L2TP_CMD_TUNNEL_GET) < 0)
++ tunnel, L2TP_CMD_TUNNEL_GET) < 0) {
++ l2tp_tunnel_dec_refcount(tunnel);
+ goto out;
++ }
++ l2tp_tunnel_dec_refcount(tunnel);
+
+ ti++;
+ }
+@@ -848,7 +851,7 @@ static int l2tp_nl_cmd_session_dump(stru
+
+ for (;;) {
+ if (tunnel == NULL) {
+- tunnel = l2tp_tunnel_find_nth(net, ti);
++ tunnel = l2tp_tunnel_get_nth(net, ti);
+ if (tunnel == NULL)
+ goto out;
+ }
+@@ -856,6 +859,7 @@ static int l2tp_nl_cmd_session_dump(stru
+ session = l2tp_session_get_nth(tunnel, si);
+ if (session == NULL) {
+ ti++;
++ l2tp_tunnel_dec_refcount(tunnel);
+ tunnel = NULL;
+ si = 0;
+ continue;
+@@ -865,6 +869,7 @@ static int l2tp_nl_cmd_session_dump(stru
+ cb->nlh->nlmsg_seq, NLM_F_MULTI,
+ session, L2TP_CMD_SESSION_GET) < 0) {
+ l2tp_session_dec_refcount(session);
++ l2tp_tunnel_dec_refcount(tunnel);
+ break;
+ }
+ l2tp_session_dec_refcount(session);
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Thu, 12 Apr 2018 20:50:35 +0200
+Subject: l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs file
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+
+[ Upstream commit f726214d9b23e5fce8c11937577a289a3202498f ]
+
+Use l2tp_tunnel_get_nth() instead of l2tp_tunnel_find_nth(), to be safe
+against concurrent tunnel deletion.
+
+Use the same mechanism as in l2tp_ppp.c for dropping the reference
+taken by l2tp_tunnel_get_nth(). That is, drop the reference just
+before looking up the next tunnel. In case of error, drop the last
+accessed tunnel in l2tp_dfs_seq_stop().
+
+That was the last use of l2tp_tunnel_find_nth().
+
+Fixes: 0ad6614048cf ("l2tp: Add debugfs files for dumping l2tp debug info")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_core.c | 20 --------------------
+ net/l2tp/l2tp_core.h | 1 -
+ net/l2tp/l2tp_debugfs.c | 15 +++++++++++++--
+ 3 files changed, 13 insertions(+), 23 deletions(-)
+
+--- a/net/l2tp/l2tp_core.c
++++ b/net/l2tp/l2tp_core.c
+@@ -355,26 +355,6 @@ err_tlock:
+ }
+ EXPORT_SYMBOL_GPL(l2tp_session_register);
+
+-struct l2tp_tunnel *l2tp_tunnel_find_nth(const struct net *net, int nth)
+-{
+- struct l2tp_net *pn = l2tp_pernet(net);
+- struct l2tp_tunnel *tunnel;
+- int count = 0;
+-
+- rcu_read_lock_bh();
+- list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) {
+- if (++count > nth) {
+- rcu_read_unlock_bh();
+- return tunnel;
+- }
+- }
+-
+- rcu_read_unlock_bh();
+-
+- return NULL;
+-}
+-EXPORT_SYMBOL_GPL(l2tp_tunnel_find_nth);
+-
+ /*****************************************************************************
+ * Receive data handling
+ *****************************************************************************/
+--- a/net/l2tp/l2tp_core.h
++++ b/net/l2tp/l2tp_core.h
+@@ -222,7 +222,6 @@ struct l2tp_session *l2tp_session_get(co
+ struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth);
+ struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net,
+ const char *ifname);
+-struct l2tp_tunnel *l2tp_tunnel_find_nth(const struct net *net, int nth);
+
+ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id,
+ u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg,
+--- a/net/l2tp/l2tp_debugfs.c
++++ b/net/l2tp/l2tp_debugfs.c
+@@ -47,7 +47,11 @@ struct l2tp_dfs_seq_data {
+
+ static void l2tp_dfs_next_tunnel(struct l2tp_dfs_seq_data *pd)
+ {
+- pd->tunnel = l2tp_tunnel_find_nth(pd->net, pd->tunnel_idx);
++ /* Drop reference taken during previous invocation */
++ if (pd->tunnel)
++ l2tp_tunnel_dec_refcount(pd->tunnel);
++
++ pd->tunnel = l2tp_tunnel_get_nth(pd->net, pd->tunnel_idx);
+ pd->tunnel_idx++;
+ }
+
+@@ -96,7 +100,14 @@ static void *l2tp_dfs_seq_next(struct se
+
+ static void l2tp_dfs_seq_stop(struct seq_file *p, void *v)
+ {
+- /* nothing to do */
++ struct l2tp_dfs_seq_data *pd = v;
++
++ if (!pd || pd == SEQ_START_TOKEN)
++ return;
++
++ /* Drop reference taken by last invocation of l2tp_dfs_next_tunnel() */
++ if (pd->tunnel)
++ l2tp_tunnel_dec_refcount(pd->tunnel);
+ }
+
+ static void l2tp_dfs_seq_tunnel_show(struct seq_file *m, void *v)
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Thu, 12 Apr 2018 20:50:34 +0200
+Subject: l2tp: hold reference on tunnels printed in pppol2tp proc file
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+
+[ Upstream commit 0e0c3fee3a59a387aeecc4fca6f3a2e9615a5443 ]
+
+Use l2tp_tunnel_get_nth() instead of l2tp_tunnel_find_nth(), to be safe
+against concurrent tunnel deletion.
+
+Unlike sessions, we can't drop the reference held on tunnels in
+pppol2tp_seq_show(). Tunnels are reused across several calls to
+pppol2tp_seq_start() when iterating over sessions. These iterations
+need the tunnel for accessing the next session. Therefore the only safe
+moment for dropping the reference is just before searching for the next
+tunnel.
+
+Normally, the last invocation of pppol2tp_next_tunnel() doesn't find
+any new tunnel, so it drops the last tunnel without taking any new
+reference. However, in case of error, pppol2tp_seq_stop() is called
+directly, so we have to drop the reference there.
+
+Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/l2tp/l2tp_ppp.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -1559,16 +1559,19 @@ struct pppol2tp_seq_data {
+
+ static void pppol2tp_next_tunnel(struct net *net, struct pppol2tp_seq_data *pd)
+ {
++ /* Drop reference taken during previous invocation */
++ if (pd->tunnel)
++ l2tp_tunnel_dec_refcount(pd->tunnel);
++
+ for (;;) {
+- pd->tunnel = l2tp_tunnel_find_nth(net, pd->tunnel_idx);
++ pd->tunnel = l2tp_tunnel_get_nth(net, pd->tunnel_idx);
+ pd->tunnel_idx++;
+
+- if (pd->tunnel == NULL)
+- break;
++ /* Only accept L2TPv2 tunnels */
++ if (!pd->tunnel || pd->tunnel->version == 2)
++ return;
+
+- /* Ignore L2TPv3 tunnels */
+- if (pd->tunnel->version < 3)
+- break;
++ l2tp_tunnel_dec_refcount(pd->tunnel);
+ }
+ }
+
+@@ -1617,7 +1620,14 @@ static void *pppol2tp_seq_next(struct se
+
+ static void pppol2tp_seq_stop(struct seq_file *p, void *v)
+ {
+- /* nothing to do */
++ struct pppol2tp_seq_data *pd = v;
++
++ if (!pd || pd == SEQ_START_TOKEN)
++ return;
++
++ /* Drop reference taken by last invocation of pppol2tp_next_tunnel() */
++ if (pd->tunnel)
++ l2tp_tunnel_dec_refcount(pd->tunnel);
+ }
+
+ static void pppol2tp_seq_tunnel_show(struct seq_file *m, void *v)
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 19 Apr 2018 12:25:38 -0700
+Subject: llc: delete timers synchronously in llc_sk_free()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit b905ef9ab90115d001c1658259af4b1c65088779 ]
+
+The connection timers of an llc sock could be still flying
+after we delete them in llc_sk_free(), and even possibly
+after we free the sock. We could just wait synchronously
+here in case of troubles.
+
+Note, I leave other call paths as they are, since they may
+not have to wait, at least we can change them to synchronously
+when needed.
+
+Also, move the code to net/llc/llc_conn.c, which is apparently
+a better place.
+
+Reported-by: <syzbot+f922284c18ea23a8e457@syzkaller.appspotmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/llc_conn.h | 1 +
+ net/llc/llc_c_ac.c | 9 +--------
+ net/llc/llc_conn.c | 22 +++++++++++++++++++++-
+ 3 files changed, 23 insertions(+), 9 deletions(-)
+
+--- a/include/net/llc_conn.h
++++ b/include/net/llc_conn.h
+@@ -97,6 +97,7 @@ static __inline__ char llc_backlog_type(
+
+ struct sock *llc_sk_alloc(struct net *net, int family, gfp_t priority,
+ struct proto *prot, int kern);
++void llc_sk_stop_all_timers(struct sock *sk, bool sync);
+ void llc_sk_free(struct sock *sk);
+
+ void llc_sk_reset(struct sock *sk);
+--- a/net/llc/llc_c_ac.c
++++ b/net/llc/llc_c_ac.c
+@@ -1099,14 +1099,7 @@ int llc_conn_ac_inc_tx_win_size(struct s
+
+ int llc_conn_ac_stop_all_timers(struct sock *sk, struct sk_buff *skb)
+ {
+- struct llc_sock *llc = llc_sk(sk);
+-
+- del_timer(&llc->pf_cycle_timer.timer);
+- del_timer(&llc->ack_timer.timer);
+- del_timer(&llc->rej_sent_timer.timer);
+- del_timer(&llc->busy_state_timer.timer);
+- llc->ack_must_be_send = 0;
+- llc->ack_pf = 0;
++ llc_sk_stop_all_timers(sk, false);
+ return 0;
+ }
+
+--- a/net/llc/llc_conn.c
++++ b/net/llc/llc_conn.c
+@@ -961,6 +961,26 @@ out:
+ return sk;
+ }
+
++void llc_sk_stop_all_timers(struct sock *sk, bool sync)
++{
++ struct llc_sock *llc = llc_sk(sk);
++
++ if (sync) {
++ del_timer_sync(&llc->pf_cycle_timer.timer);
++ del_timer_sync(&llc->ack_timer.timer);
++ del_timer_sync(&llc->rej_sent_timer.timer);
++ del_timer_sync(&llc->busy_state_timer.timer);
++ } else {
++ del_timer(&llc->pf_cycle_timer.timer);
++ del_timer(&llc->ack_timer.timer);
++ del_timer(&llc->rej_sent_timer.timer);
++ del_timer(&llc->busy_state_timer.timer);
++ }
++
++ llc->ack_must_be_send = 0;
++ llc->ack_pf = 0;
++}
++
+ /**
+ * llc_sk_free - Frees a LLC socket
+ * @sk - socket to free
+@@ -973,7 +993,7 @@ void llc_sk_free(struct sock *sk)
+
+ llc->state = LLC_CONN_OUT_OF_SVC;
+ /* Stop all (possibly) running timers */
+- llc_conn_ac_stop_all_timers(sk, NULL);
++ llc_sk_stop_all_timers(sk, true);
+ #ifdef DEBUG_LLC_CONN_ALLOC
+ printk(KERN_INFO "%s: unackq=%d, txq=%d\n", __func__,
+ skb_queue_len(&llc->pdu_unack_q),
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Thu, 19 Apr 2018 21:54:34 -0700
+Subject: llc: fix NULL pointer deref for SOCK_ZAPPED
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit 3a04ce7130a7e5dad4e78d45d50313747f8c830f ]
+
+For SOCK_ZAPPED socket, we don't need to care about llc->sap,
+so we should just skip these refcount functions in this case.
+
+Fixes: f7e43672683b ("llc: hold llc_sap before release_sock()")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/llc/af_llc.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -189,7 +189,6 @@ static int llc_ui_release(struct socket
+ {
+ struct sock *sk = sock->sk;
+ struct llc_sock *llc;
+- struct llc_sap *sap;
+
+ if (unlikely(sk == NULL))
+ goto out;
+@@ -200,15 +199,19 @@ static int llc_ui_release(struct socket
+ llc->laddr.lsap, llc->daddr.lsap);
+ if (!llc_send_disc(sk))
+ llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo);
+- sap = llc->sap;
+- /* Hold this for release_sock(), so that llc_backlog_rcv() could still
+- * use it.
+- */
+- llc_sap_hold(sap);
+- if (!sock_flag(sk, SOCK_ZAPPED))
++ if (!sock_flag(sk, SOCK_ZAPPED)) {
++ struct llc_sap *sap = llc->sap;
++
++ /* Hold this for release_sock(), so that llc_backlog_rcv()
++ * could still use it.
++ */
++ llc_sap_hold(sap);
+ llc_sap_remove_socket(llc->sap, sk);
+- release_sock(sk);
+- llc_sap_put(sap);
++ release_sock(sk);
++ llc_sap_put(sap);
++ } else {
++ release_sock(sk);
++ }
+ if (llc->dev)
+ dev_put(llc->dev);
+ sock_put(sk);
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Wed, 18 Apr 2018 11:51:56 -0700
+Subject: llc: hold llc_sap before release_sock()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+
+[ Upstream commit f7e43672683b097bb074a8fe7af9bc600a23f231 ]
+
+syzbot reported we still access llc->sap in llc_backlog_rcv()
+after it is freed in llc_sap_remove_socket():
+
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1b9/0x294 lib/dump_stack.c:113
+ print_address_description+0x6c/0x20b mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
+ __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
+ llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
+ llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
+ llc_conn_service net/llc/llc_conn.c:400 [inline]
+ llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
+ llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
+ sk_backlog_rcv include/net/sock.h:909 [inline]
+ __release_sock+0x12f/0x3a0 net/core/sock.c:2335
+ release_sock+0xa4/0x2b0 net/core/sock.c:2850
+ llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204
+
+llc->sap is refcount'ed and llc_sap_remove_socket() is paired
+with llc_sap_add_socket(). This can be amended by holding its refcount
+before llc_sap_remove_socket() and releasing it after release_sock().
+
+Reported-by: <syzbot+6e181fc95081c2cf9051@syzkaller.appspotmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/llc/af_llc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -189,6 +189,7 @@ static int llc_ui_release(struct socket
+ {
+ struct sock *sk = sock->sk;
+ struct llc_sock *llc;
++ struct llc_sap *sap;
+
+ if (unlikely(sk == NULL))
+ goto out;
+@@ -199,9 +200,15 @@ static int llc_ui_release(struct socket
+ llc->laddr.lsap, llc->daddr.lsap);
+ if (!llc_send_disc(sk))
+ llc_ui_wait_for_disc(sk, sk->sk_rcvtimeo);
++ sap = llc->sap;
++ /* Hold this for release_sock(), so that llc_backlog_rcv() could still
++ * use it.
++ */
++ llc_sap_hold(sap);
+ if (!sock_flag(sk, SOCK_ZAPPED))
+ llc_sap_remove_socket(llc->sap, sk);
+ release_sock(sk);
++ llc_sap_put(sap);
+ if (llc->dev)
+ dev_put(llc->dev);
+ sock_put(sk);
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 15 Apr 2018 17:52:04 -0700
+Subject: net: af_packet: fix race in PACKET_{R|T}X_RING
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 5171b37d959641bbc619781caf62e61f7b940871 ]
+
+In order to remove the race caught by syzbot [1], we need
+to lock the socket before using po->tp_version as this could
+change under us otherwise.
+
+This means lock_sock() and release_sock() must be done by
+packet_set_ring() callers.
+
+[1] :
+BUG: KMSAN: uninit-value in packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
+CPU: 0 PID: 20195 Comm: syzkaller707632 Not tainted 4.16.0+ #83
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249
+ packet_setsockopt+0x12c6/0x5a90 net/packet/af_packet.c:3662
+ SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
+ SyS_setsockopt+0x76/0xa0 net/socket.c:1828
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x449099
+RSP: 002b:00007f42b5307ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 000000000070003c RCX: 0000000000449099
+RDX: 0000000000000005 RSI: 0000000000000107 RDI: 0000000000000003
+RBP: 0000000000700038 R08: 000000000000001c R09: 0000000000000000
+R10: 00000000200000c0 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000080eecf R14: 00007f42b53089c0 R15: 0000000000000001
+
+Local variable description: ----req_u@packet_setsockopt
+Variable was created at:
+ packet_setsockopt+0x13f/0x5a90 net/packet/af_packet.c:3612
+ SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849
+
+Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3008,6 +3008,7 @@ static int packet_release(struct socket
+
+ packet_flush_mclist(sk);
+
++ lock_sock(sk);
+ if (po->rx_ring.pg_vec) {
+ memset(&req_u, 0, sizeof(req_u));
+ packet_set_ring(sk, &req_u, 1, 0);
+@@ -3017,6 +3018,7 @@ static int packet_release(struct socket
+ memset(&req_u, 0, sizeof(req_u));
+ packet_set_ring(sk, &req_u, 1, 1);
+ }
++ release_sock(sk);
+
+ f = fanout_release(sk);
+
+@@ -3645,6 +3647,7 @@ packet_setsockopt(struct socket *sock, i
+ union tpacket_req_u req_u;
+ int len;
+
++ lock_sock(sk);
+ switch (po->tp_version) {
+ case TPACKET_V1:
+ case TPACKET_V2:
+@@ -3655,12 +3658,17 @@ packet_setsockopt(struct socket *sock, i
+ len = sizeof(req_u.req3);
+ break;
+ }
+- if (optlen < len)
+- return -EINVAL;
+- if (copy_from_user(&req_u.req, optval, len))
+- return -EFAULT;
+- return packet_set_ring(sk, &req_u, 0,
+- optname == PACKET_TX_RING);
++ if (optlen < len) {
++ ret = -EINVAL;
++ } else {
++ if (copy_from_user(&req_u.req, optval, len))
++ ret = -EFAULT;
++ else
++ ret = packet_set_ring(sk, &req_u, 0,
++ optname == PACKET_TX_RING);
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_COPY_THRESH:
+ {
+@@ -4210,8 +4218,6 @@ static int packet_set_ring(struct sock *
+ /* Added to avoid minimal code churn */
+ struct tpacket_req *req = &req_u->req;
+
+- lock_sock(sk);
+-
+ rb = tx_ring ? &po->tx_ring : &po->rx_ring;
+ rb_queue = tx_ring ? &sk->sk_write_queue : &sk->sk_receive_queue;
+
+@@ -4349,7 +4355,6 @@ static int packet_set_ring(struct sock *
+ if (pg_vec)
+ free_pg_vec(pg_vec, order, req->tp_block_nr);
+ out:
+- release_sock(sk);
+ return err;
+ }
+
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Igor Russkikh <igor.russkikh@aquantia.com>
+Date: Wed, 11 Apr 2018 15:23:25 +0300
+Subject: net: aquantia: oops when shutdown on already stopped device
+
+From: Igor Russkikh <igor.russkikh@aquantia.com>
+
+
+[ Upstream commit 9a11aff25fd43d5bd2660ababdc9f564b0ba183a ]
+
+In case netdev is closed at the moment of pci shutdown, aq_nic_stop
+gets called second time. napi_disable in that case hangs indefinitely.
+In other case, if device was never opened at all, we get oops because
+of null pointer access.
+
+We should invoke aq_nic_stop conditionally, only if device is running
+at the moment of shutdown.
+
+Reported-by: David Arcari <darcari@redhat.com>
+Fixes: 90869ddfefeb ("net: aquantia: Implement pci shutdown callback")
+Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+@@ -951,9 +951,11 @@ void aq_nic_shutdown(struct aq_nic_s *se
+
+ netif_device_detach(self->ndev);
+
+- err = aq_nic_stop(self);
+- if (err < 0)
+- goto err_exit;
++ if (netif_running(self->ndev)) {
++ err = aq_nic_stop(self);
++ if (err < 0)
++ goto err_exit;
++ }
+ aq_nic_deinit(self);
+
+ err_exit:
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Igor Russkikh <igor.russkikh@aquantia.com>
+Date: Wed, 11 Apr 2018 15:23:24 +0300
+Subject: net: aquantia: Regression on reset with 1.x firmware
+
+From: Igor Russkikh <igor.russkikh@aquantia.com>
+
+
+[ Upstream commit cce96d1883dae4b79f44890e5118243d806da286 ]
+
+On ASUS XG-C100C with 1.5.44 firmware a special mode called "dirty wake"
+is active. With this mode when motherboard gets powered (but no poweron
+happens yet), NIC automatically enables powersave link and watches
+for WOL packet.
+This normally allows to powerup the PC after AC power failures.
+
+Not all motherboards or bios settings gives power to PCI slots,
+so this mode is not enabled on all the hardware.
+
+4.16 linux driver introduced full hardware reset sequence
+This is required since before that we had no NIC hardware
+reset implemented and there were side effects of "not clean start".
+
+But this full reset is incompatible with "dirty wake" WOL feature
+it keeps the PHY link in a special mode forever. As a consequence,
+driver sees no link and no traffic.
+
+To fix this we forcibly change FW state to idle state before doing
+the full reset. This makes FW to restore link state.
+
+Fixes: c8c82eb net: aquantia: Introduce global AQC hardware reset sequence
+Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c | 16 +++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
+@@ -48,6 +48,8 @@
+ #define FORCE_FLASHLESS 0
+
+ static int hw_atl_utils_ver_match(u32 ver_expected, u32 ver_actual);
++static int hw_atl_utils_mpi_set_state(struct aq_hw_s *self,
++ enum hal_atl_utils_fw_state_e state);
+
+ int hw_atl_utils_initfw(struct aq_hw_s *self, const struct aq_fw_ops **fw_ops)
+ {
+@@ -247,6 +249,20 @@ int hw_atl_utils_soft_reset(struct aq_hw
+
+ self->rbl_enabled = (boot_exit_code != 0);
+
++ /* FW 1.x may bootup in an invalid POWER state (WOL feature).
++ * We should work around this by forcing its state back to DEINIT
++ */
++ if (!hw_atl_utils_ver_match(HW_ATL_FW_VER_1X,
++ aq_hw_read_reg(self,
++ HW_ATL_MPI_FW_VERSION))) {
++ int err = 0;
++
++ hw_atl_utils_mpi_set_state(self, MPI_DEINIT);
++ AQ_HW_WAIT_FOR((aq_hw_read_reg(self, HW_ATL_MPI_STATE_ADR) &
++ HW_ATL_MPI_STATE_MSK) == MPI_DEINIT,
++ 10, 1000U);
++ }
++
+ if (self->rbl_enabled)
+ return hw_atl_utils_soft_reset_rbl(self);
+ else
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+Date: Thu, 19 Apr 2018 22:49:09 +0300
+Subject: net: ethernet: ti: cpsw: fix tx vlan priority mapping
+
+From: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+
+
+[ Upstream commit 5e391dc5a8d801a2410d0032ad4a428d1d61800c ]
+
+The CPDMA_TX_PRIORITY_MAP in real is vlan pcp field priority mapping
+register and basically replaces vlan pcp field for tagged packets.
+So, set it to be 1:1 mapping. Otherwise, it will cause unexpected
+change of egress vlan tagged packets, like prio 2 -> prio 5.
+
+Fixes: e05107e6b747 ("net: ethernet: ti: cpsw: add multi queue support")
+Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
+Signed-off-by: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/cpsw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -125,7 +125,7 @@ do { \
+
+ #define RX_PRIORITY_MAPPING 0x76543210
+ #define TX_PRIORITY_MAPPING 0x33221100
+-#define CPDMA_TX_PRIORITY_MAP 0x01234567
++#define CPDMA_TX_PRIORITY_MAP 0x76543210
+
+ #define CPSW_VLAN_AWARE BIT(1)
+ #define CPSW_ALE_VLAN_AWARE 1
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Thu, 12 Apr 2018 10:46:55 +0200
+Subject: net: fix deadlock while clearing neighbor proxy table
+
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+
+
+[ Upstream commit 53b76cdf7e8fecec1d09e38aad2f8579882591a8 ]
+
+When coming from ndisc_netdev_event() in net/ipv6/ndisc.c,
+neigh_ifdown() is called with &nd_tbl, locking this while
+clearing the proxy neighbor entries when eg. deleting an
+interface. Calling the table's pndisc_destructor() with the
+lock still held, however, can cause a deadlock: When a
+multicast listener is available an IGMP packet of type
+ICMPV6_MGM_REDUCTION may be sent out. When reaching
+ip6_finish_output2(), if no neighbor entry for the target
+address is found, __neigh_create() is called with &nd_tbl,
+which it'll want to lock.
+
+Move the elements into their own list, then unlock the table
+and perform the destruction.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199289
+Fixes: 6fd6ce2056de ("ipv6: Do not depend on rt->n in ip6_finish_output2().")
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -55,7 +55,8 @@ static void neigh_timer_handler(struct t
+ static void __neigh_notify(struct neighbour *n, int type, int flags,
+ u32 pid);
+ static void neigh_update_notify(struct neighbour *neigh, u32 nlmsg_pid);
+-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev);
++static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
++ struct net_device *dev);
+
+ #ifdef CONFIG_PROC_FS
+ static const struct file_operations neigh_stat_seq_fops;
+@@ -291,8 +292,7 @@ int neigh_ifdown(struct neigh_table *tbl
+ {
+ write_lock_bh(&tbl->lock);
+ neigh_flush_dev(tbl, dev);
+- pneigh_ifdown(tbl, dev);
+- write_unlock_bh(&tbl->lock);
++ pneigh_ifdown_and_unlock(tbl, dev);
+
+ del_timer_sync(&tbl->proxy_timer);
+ pneigh_queue_purge(&tbl->proxy_queue);
+@@ -681,9 +681,10 @@ int pneigh_delete(struct neigh_table *tb
+ return -ENOENT;
+ }
+
+-static int pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
++static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
++ struct net_device *dev)
+ {
+- struct pneigh_entry *n, **np;
++ struct pneigh_entry *n, **np, *freelist = NULL;
+ u32 h;
+
+ for (h = 0; h <= PNEIGH_HASHMASK; h++) {
+@@ -691,16 +692,23 @@ static int pneigh_ifdown(struct neigh_ta
+ while ((n = *np) != NULL) {
+ if (!dev || n->dev == dev) {
+ *np = n->next;
+- if (tbl->pdestructor)
+- tbl->pdestructor(n);
+- if (n->dev)
+- dev_put(n->dev);
+- kfree(n);
++ n->next = freelist;
++ freelist = n;
+ continue;
+ }
+ np = &n->next;
+ }
+ }
++ write_unlock_bh(&tbl->lock);
++ while ((n = freelist)) {
++ freelist = n->next;
++ n->next = NULL;
++ if (tbl->pdestructor)
++ tbl->pdestructor(n);
++ if (n->dev)
++ dev_put(n->dev);
++ kfree(n);
++ }
+ return -ENOENT;
+ }
+
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Date: Wed, 18 Apr 2018 11:14:44 +0200
+Subject: net: mvpp2: Fix DMA address mask size
+
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+
+
+[ Upstream commit da42bb271305d68df6cbf99eed90542f1f1ee1c9 ]
+
+PPv2 TX/RX descriptors uses 40bits DMA addresses, but 41 bits masks were
+used (GENMASK_ULL(40, 0)).
+
+This commit fixes that by using the correct mask.
+
+Fixes: e7c5359f2eed ("net: mvpp2: introduce PPv2.2 HW descriptors and adapt accessors")
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvpp2.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvpp2.c
++++ b/drivers/net/ethernet/marvell/mvpp2.c
+@@ -838,6 +838,8 @@ enum mvpp2_bm_type {
+
+ #define MVPP2_MIB_COUNTERS_STATS_DELAY (1 * HZ)
+
++#define MVPP2_DESC_DMA_MASK DMA_BIT_MASK(40)
++
+ /* Definitions */
+
+ /* Shared Packet Processor resources */
+@@ -1336,7 +1338,7 @@ static dma_addr_t mvpp2_txdesc_dma_addr_
+ if (port->priv->hw_version == MVPP21)
+ return tx_desc->pp21.buf_dma_addr;
+ else
+- return tx_desc->pp22.buf_dma_addr_ptp & GENMASK_ULL(40, 0);
++ return tx_desc->pp22.buf_dma_addr_ptp & MVPP2_DESC_DMA_MASK;
+ }
+
+ static void mvpp2_txdesc_dma_addr_set(struct mvpp2_port *port,
+@@ -1354,7 +1356,7 @@ static void mvpp2_txdesc_dma_addr_set(st
+ } else {
+ u64 val = (u64)addr;
+
+- tx_desc->pp22.buf_dma_addr_ptp &= ~GENMASK_ULL(40, 0);
++ tx_desc->pp22.buf_dma_addr_ptp &= ~MVPP2_DESC_DMA_MASK;
+ tx_desc->pp22.buf_dma_addr_ptp |= val;
+ tx_desc->pp22.packet_offset = offset;
+ }
+@@ -1414,7 +1416,7 @@ static dma_addr_t mvpp2_rxdesc_dma_addr_
+ if (port->priv->hw_version == MVPP21)
+ return rx_desc->pp21.buf_dma_addr;
+ else
+- return rx_desc->pp22.buf_dma_addr_key_hash & GENMASK_ULL(40, 0);
++ return rx_desc->pp22.buf_dma_addr_key_hash & MVPP2_DESC_DMA_MASK;
+ }
+
+ static unsigned long mvpp2_rxdesc_cookie_get(struct mvpp2_port *port,
+@@ -1423,7 +1425,7 @@ static unsigned long mvpp2_rxdesc_cookie
+ if (port->priv->hw_version == MVPP21)
+ return rx_desc->pp21.buf_cookie;
+ else
+- return rx_desc->pp22.buf_cookie_misc & GENMASK_ULL(40, 0);
++ return rx_desc->pp22.buf_cookie_misc & MVPP2_DESC_DMA_MASK;
+ }
+
+ static size_t mvpp2_rxdesc_size_get(struct mvpp2_port *port,
+@@ -8347,7 +8349,7 @@ static int mvpp2_probe(struct platform_d
+ }
+
+ if (priv->hw_version == MVPP22) {
+- err = dma_set_mask(&pdev->dev, DMA_BIT_MASK(40));
++ err = dma_set_mask(&pdev->dev, MVPP2_DESC_DMA_MASK);
+ if (err)
+ goto err_mg_clk;
+ /* Sadly, the BM pools all share the same register to
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Pawel Dembicki <paweldembicki@gmail.com>
+Date: Wed, 18 Apr 2018 16:03:24 +0200
+Subject: net: qmi_wwan: add Wistron Neweb D19Q1
+
+From: Pawel Dembicki <paweldembicki@gmail.com>
+
+
+[ Upstream commit 4ec7eb3ff6eb5c9af3a84288a8d808a857fbc22b ]
+
+This modem is embedded on dlink dwr-960 router.
+The oem configuration states:
+
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1435 ProdID=d191 Rev=ff.ff
+S: Manufacturer=Android
+S: Product=Android
+S: SerialNumber=0123456789ABCDEF
+C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
+E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=125us
+
+Tested on openwrt distribution
+
+Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1107,6 +1107,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x1435, 0xd181, 3)}, /* Wistron NeWeb D18Q1 */
+ {QMI_FIXED_INTF(0x1435, 0xd181, 4)}, /* Wistron NeWeb D18Q1 */
+ {QMI_FIXED_INTF(0x1435, 0xd181, 5)}, /* Wistron NeWeb D18Q1 */
++ {QMI_FIXED_INTF(0x1435, 0xd191, 4)}, /* Wistron NeWeb D19Q1 */
+ {QMI_FIXED_INTF(0x16d8, 0x6003, 0)}, /* CMOTech 6003 */
+ {QMI_FIXED_INTF(0x16d8, 0x6007, 0)}, /* CMOTech CHE-628S */
+ {QMI_FIXED_INTF(0x16d8, 0x6008, 0)}, /* CMOTech CMU-301 */
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Alexander Aring <aring@mojatatu.com>
+Date: Fri, 20 Apr 2018 15:15:05 -0400
+Subject: net: sched: ife: check on metadata length
+
+From: Alexander Aring <aring@mojatatu.com>
+
+
+[ Upstream commit d57493d6d1be26c8ac8516a4463bfe24956978eb ]
+
+This patch checks if sk buffer is available to dererence ife header. If
+not then NULL will returned to signal an malformed ife packet. This
+avoids to crashing the kernel from outside.
+
+Signed-off-by: Alexander Aring <aring@mojatatu.com>
+Reviewed-by: Yotam Gigi <yotam.gi@gmail.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ife/ife.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/ife/ife.c
++++ b/net/ife/ife.c
+@@ -69,6 +69,9 @@ void *ife_decode(struct sk_buff *skb, u1
+ int total_pull;
+ u16 ifehdrln;
+
++ if (!pskb_may_pull(skb, skb->dev->hard_header_len + IFE_METAHDRLEN))
++ return NULL;
++
+ ifehdr = (struct ifeheadr *) (skb->data + skb->dev->hard_header_len);
+ ifehdrln = ntohs(ifehdr->metalen);
+ total_pull = skb->dev->hard_header_len + ifehdrln;
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Alexander Aring <aring@mojatatu.com>
+Date: Fri, 20 Apr 2018 15:15:04 -0400
+Subject: net: sched: ife: handle malformed tlv length
+
+From: Alexander Aring <aring@mojatatu.com>
+
+
+[ Upstream commit cc74eddd0ff325d57373cea99f642b787d7f76f5 ]
+
+There is currently no handling to check on a invalid tlv length. This
+patch adds such handling to avoid killing the kernel with a malformed
+ife packet.
+
+Signed-off-by: Alexander Aring <aring@mojatatu.com>
+Reviewed-by: Yotam Gigi <yotam.gi@gmail.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ife.h | 3 ++-
+ net/ife/ife.c | 35 +++++++++++++++++++++++++++++++++--
+ net/sched/act_ife.c | 7 ++++++-
+ 3 files changed, 41 insertions(+), 4 deletions(-)
+
+--- a/include/net/ife.h
++++ b/include/net/ife.h
+@@ -12,7 +12,8 @@
+ void *ife_encode(struct sk_buff *skb, u16 metalen);
+ void *ife_decode(struct sk_buff *skb, u16 *metalen);
+
+-void *ife_tlv_meta_decode(void *skbdata, u16 *attrtype, u16 *dlen, u16 *totlen);
++void *ife_tlv_meta_decode(void *skbdata, const void *ifehdr_end, u16 *attrtype,
++ u16 *dlen, u16 *totlen);
+ int ife_tlv_meta_encode(void *skbdata, u16 attrtype, u16 dlen,
+ const void *dval);
+
+--- a/net/ife/ife.c
++++ b/net/ife/ife.c
+@@ -92,12 +92,43 @@ struct meta_tlvhdr {
+ __be16 len;
+ };
+
++static bool __ife_tlv_meta_valid(const unsigned char *skbdata,
++ const unsigned char *ifehdr_end)
++{
++ const struct meta_tlvhdr *tlv;
++ u16 tlvlen;
++
++ if (unlikely(skbdata + sizeof(*tlv) > ifehdr_end))
++ return false;
++
++ tlv = (const struct meta_tlvhdr *)skbdata;
++ tlvlen = ntohs(tlv->len);
++
++ /* tlv length field is inc header, check on minimum */
++ if (tlvlen < NLA_HDRLEN)
++ return false;
++
++ /* overflow by NLA_ALIGN check */
++ if (NLA_ALIGN(tlvlen) < tlvlen)
++ return false;
++
++ if (unlikely(skbdata + NLA_ALIGN(tlvlen) > ifehdr_end))
++ return false;
++
++ return true;
++}
++
+ /* Caller takes care of presenting data in network order
+ */
+-void *ife_tlv_meta_decode(void *skbdata, u16 *attrtype, u16 *dlen, u16 *totlen)
++void *ife_tlv_meta_decode(void *skbdata, const void *ifehdr_end, u16 *attrtype,
++ u16 *dlen, u16 *totlen)
+ {
+- struct meta_tlvhdr *tlv = (struct meta_tlvhdr *) skbdata;
++ struct meta_tlvhdr *tlv;
++
++ if (!__ife_tlv_meta_valid(skbdata, ifehdr_end))
++ return NULL;
+
++ tlv = (struct meta_tlvhdr *)skbdata;
+ *dlen = ntohs(tlv->len) - NLA_HDRLEN;
+ *attrtype = ntohs(tlv->type);
+
+--- a/net/sched/act_ife.c
++++ b/net/sched/act_ife.c
+@@ -682,7 +682,12 @@ static int tcf_ife_decode(struct sk_buff
+ u16 mtype;
+ u16 dlen;
+
+- curr_data = ife_tlv_meta_decode(tlv_data, &mtype, &dlen, NULL);
++ curr_data = ife_tlv_meta_decode(tlv_data, ifehdr_end, &mtype,
++ &dlen, NULL);
++ if (!curr_data) {
++ qstats_drop_inc(this_cpu_ptr(ife->common.cpu_qstats));
++ return TC_ACT_SHOT;
++ }
+
+ if (find_decode_metaid(skb, ife, mtype, dlen, curr_data)) {
+ /* abuse overlimits to count when we receive metadata
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Alexander Aring <aring@mojatatu.com>
+Date: Fri, 20 Apr 2018 15:15:03 -0400
+Subject: net: sched: ife: signal not finding metaid
+
+From: Alexander Aring <aring@mojatatu.com>
+
+
+[ Upstream commit f6cd14537ff9919081be19b9c53b9b19c0d3ea97 ]
+
+We need to record stats for received metadata that we dont know how
+to process. Have find_decode_metaid() return -ENOENT to capture this.
+
+Signed-off-by: Alexander Aring <aring@mojatatu.com>
+Reviewed-by: Yotam Gigi <yotam.gi@gmail.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ife.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/act_ife.c
++++ b/net/sched/act_ife.c
+@@ -652,7 +652,7 @@ static int find_decode_metaid(struct sk_
+ }
+ }
+
+- return 0;
++ return -ENOENT;
+ }
+
+ static int tcf_ife_decode(struct sk_buff *skb, const struct tc_action *a,
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Ursula Braun <ubraun@linux.vnet.ibm.com>
+Date: Thu, 19 Apr 2018 15:56:40 +0200
+Subject: net/smc: fix shutdown in state SMC_LISTEN
+
+From: Ursula Braun <ubraun@linux.vnet.ibm.com>
+
+
+[ Upstream commit 1255fcb2a655f05e02f3a74675a6d6525f187afd ]
+
+Calling shutdown with SHUT_RD and SHUT_RDWR for a listening SMC socket
+crashes, because
+ commit 127f49705823 ("net/smc: release clcsock from tcp_listen_worker")
+releases the internal clcsock in smc_close_active() and sets smc->clcsock
+to NULL.
+For SHUT_RD the smc_close_active() call is removed.
+For SHUT_RDWR the kernel_sock_shutdown() call is omitted, since the
+clcsock is already released.
+
+Fixes: 127f49705823 ("net/smc: release clcsock from tcp_listen_worker")
+Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com>
+Reported-by: Stephen Hemminger <stephen@networkplumber.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/af_smc.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1254,14 +1254,12 @@ static int smc_shutdown(struct socket *s
+ rc = smc_close_shutdown_write(smc);
+ break;
+ case SHUT_RD:
+- if (sk->sk_state == SMC_LISTEN)
+- rc = smc_close_active(smc);
+- else
+- rc = 0;
+- /* nothing more to do because peer is not involved */
++ rc = 0;
++ /* nothing more to do because peer is not involved */
+ break;
+ }
+- rc1 = kernel_sock_shutdown(smc->clcsock, how);
++ if (smc->clcsock)
++ rc1 = kernel_sock_shutdown(smc->clcsock, how);
+ /* map sock_shutdown_cmd constants to sk_shutdown value range */
+ sk->sk_shutdown |= how + 1;
+
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+Date: Wed, 18 Apr 2018 10:57:55 +0100
+Subject: net: stmmac: Disable ACS Feature for GMAC >= 4
+
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+
+
+[ Upstream commit 565020aaeebfa7c8b3ec077bee38f4c15acc9905 ]
+
+ACS Feature is currently enabled for GMAC >= 4 but the llc_snap status
+is never checked in descriptor rx_status callback. This will cause
+stmmac to always strip packets even that ACS feature is already
+stripping them.
+
+Lets be safe and disable the ACS feature for GMAC >= 4 and always strip
+the packets for this GMAC version.
+
+Fixes: 477286b53f55 ("stmmac: add GMAC4 core support")
+Signed-off-by: Jose Abreu <joabreu@synopsys.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Joao Pinto <jpinto@synopsys.com>
+Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
+Cc: Alexandre Torgue <alexandre.torgue@st.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac4.h | 2 +-
+ drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 7 -------
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 7 ++++++-
+ 3 files changed, 7 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4.h
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4.h
+@@ -343,7 +343,7 @@ enum power_event {
+ #define MTL_RX_OVERFLOW_INT BIT(16)
+
+ /* Default operating mode of the MAC */
+-#define GMAC_CORE_INIT (GMAC_CONFIG_JD | GMAC_CONFIG_PS | GMAC_CONFIG_ACS | \
++#define GMAC_CORE_INIT (GMAC_CONFIG_JD | GMAC_CONFIG_PS | \
+ GMAC_CONFIG_BE | GMAC_CONFIG_DCRS)
+
+ /* To dump the core regs excluding the Address Registers */
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+@@ -30,13 +30,6 @@ static void dwmac4_core_init(struct mac_
+
+ value |= GMAC_CORE_INIT;
+
+- /* Clear ACS bit because Ethernet switch tagging formats such as
+- * Broadcom tags can look like invalid LLC/SNAP packets and cause the
+- * hardware to truncate packets on reception.
+- */
+- if (netdev_uses_dsa(dev))
+- value &= ~GMAC_CONFIG_ACS;
+-
+ if (mtu > 1500)
+ value |= GMAC_CONFIG_2K;
+ if (mtu > 2000)
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3435,8 +3435,13 @@ static int stmmac_rx(struct stmmac_priv
+
+ /* ACS is set; GMAC core strips PAD/FCS for IEEE 802.3
+ * Type frames (LLC/LLC-SNAP)
++ *
++ * llc_snap is never checked in GMAC >= 4, so this ACS
++ * feature is always disabled and packets need to be
++ * stripped manually.
+ */
+- if (unlikely(status != llc_snap))
++ if (unlikely(priv->synopsys_id >= DWMAC_CORE_4_00) ||
++ unlikely(status != llc_snap))
+ frame_len -= ETH_FCS_LEN;
+
+ if (netif_msg_rx_status(priv)) {
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 11 Apr 2018 14:46:00 -0700
+Subject: net: validate attribute sizes in neigh_dump_table()
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 7dd07c143a4b54d050e748bee4b4b9e94a7b1744 ]
+
+Since neigh_dump_table() calls nlmsg_parse() without giving policy
+constraints, attributes can have arbirary size that we must validate
+
+Reported by syzbot/KMSAN :
+
+BUG: KMSAN: uninit-value in neigh_master_filtered net/core/neighbour.c:2292 [inline]
+BUG: KMSAN: uninit-value in neigh_dump_table net/core/neighbour.c:2348 [inline]
+BUG: KMSAN: uninit-value in neigh_dump_info+0x1af0/0x2250 net/core/neighbour.c:2438
+CPU: 1 PID: 3575 Comm: syzkaller268891 Not tainted 4.16.0+ #83
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ neigh_master_filtered net/core/neighbour.c:2292 [inline]
+ neigh_dump_table net/core/neighbour.c:2348 [inline]
+ neigh_dump_info+0x1af0/0x2250 net/core/neighbour.c:2438
+ netlink_dump+0x9ad/0x1540 net/netlink/af_netlink.c:2225
+ __netlink_dump_start+0x1167/0x12a0 net/netlink/af_netlink.c:2322
+ netlink_dump_start include/linux/netlink.h:214 [inline]
+ rtnetlink_rcv_msg+0x1435/0x1560 net/core/rtnetlink.c:4598
+ netlink_rcv_skb+0x355/0x5f0 net/netlink/af_netlink.c:2447
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4653
+ netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
+ netlink_unicast+0x1672/0x1750 net/netlink/af_netlink.c:1337
+ netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmsg net/socket.c:2080 [inline]
+ SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
+ SyS_sendmsg+0x54/0x80 net/socket.c:2087
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x43fed9
+RSP: 002b:00007ffddbee2798 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fed9
+RDX: 0000000000000000 RSI: 0000000020005000 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
+R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401800
+R13: 0000000000401890 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
+ slab_post_alloc_hook mm/slab.h:445 [inline]
+ slab_alloc_node mm/slub.c:2737 [inline]
+ __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:984 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline]
+ netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmsg net/socket.c:2080 [inline]
+ SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
+ SyS_sendmsg+0x54/0x80 net/socket.c:2087
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: 21fdd092acc7 ("net: Add support for filtering neigh dump by master device")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: David Ahern <dsa@cumulusnetworks.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: David Ahern <dsa@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -2331,12 +2331,16 @@ static int neigh_dump_table(struct neigh
+
+ err = nlmsg_parse(nlh, sizeof(struct ndmsg), tb, NDA_MAX, NULL, NULL);
+ if (!err) {
+- if (tb[NDA_IFINDEX])
++ if (tb[NDA_IFINDEX]) {
++ if (nla_len(tb[NDA_IFINDEX]) != sizeof(u32))
++ return -EINVAL;
+ filter_idx = nla_get_u32(tb[NDA_IFINDEX]);
+-
+- if (tb[NDA_MASTER])
++ }
++ if (tb[NDA_MASTER]) {
++ if (nla_len(tb[NDA_MASTER]) != sizeof(u32))
++ return -EINVAL;
+ filter_master_idx = nla_get_u32(tb[NDA_MASTER]);
+-
++ }
+ if (filter_idx || filter_master_idx)
+ flags |= NLM_F_DUMP_FILTERED;
+ }
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Willem de Bruijn <willemb@google.com>
+Date: Mon, 23 Apr 2018 17:37:03 -0400
+Subject: packet: fix bitfield update race
+
+From: Willem de Bruijn <willemb@google.com>
+
+
+[ Upstream commit a6361f0ca4b25460f2cdf3235ebe8115f622901e ]
+
+Updates to the bitfields in struct packet_sock are not atomic.
+Serialize these read-modify-write cycles.
+
+Move po->running into a separate variable. Its writes are protected by
+po->bind_lock (except for one startup case at packet_create). Also
+replace a textual precondition warning with lockdep annotation.
+
+All others are set only in packet_setsockopt. Serialize these
+updates by holding the socket lock. Analogous to other field updates,
+also hold the lock when testing whether a ring is active (pg_vec).
+
+Fixes: 8dc419447415 ("[PACKET]: Add optional checksum computation for recvmsg")
+Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
+Reported-by: Byoungyoung Lee <byoungyoung@purdue.edu>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 60 +++++++++++++++++++++++++++++++++++--------------
+ net/packet/internal.h | 10 ++++----
+ 2 files changed, 49 insertions(+), 21 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -329,11 +329,11 @@ static void packet_pick_tx_queue(struct
+ skb_set_queue_mapping(skb, queue_index);
+ }
+
+-/* register_prot_hook must be invoked with the po->bind_lock held,
++/* __register_prot_hook must be invoked through register_prot_hook
+ * or from a context in which asynchronous accesses to the packet
+ * socket is not possible (packet_create()).
+ */
+-static void register_prot_hook(struct sock *sk)
++static void __register_prot_hook(struct sock *sk)
+ {
+ struct packet_sock *po = pkt_sk(sk);
+
+@@ -348,8 +348,13 @@ static void register_prot_hook(struct so
+ }
+ }
+
+-/* {,__}unregister_prot_hook() must be invoked with the po->bind_lock
+- * held. If the sync parameter is true, we will temporarily drop
++static void register_prot_hook(struct sock *sk)
++{
++ lockdep_assert_held_once(&pkt_sk(sk)->bind_lock);
++ __register_prot_hook(sk);
++}
++
++/* If the sync parameter is true, we will temporarily drop
+ * the po->bind_lock and do a synchronize_net to make sure no
+ * asynchronous packet processing paths still refer to the elements
+ * of po->prot_hook. If the sync parameter is false, it is the
+@@ -359,6 +364,8 @@ static void __unregister_prot_hook(struc
+ {
+ struct packet_sock *po = pkt_sk(sk);
+
++ lockdep_assert_held_once(&po->bind_lock);
++
+ po->running = 0;
+
+ if (po->fanout)
+@@ -3252,7 +3259,7 @@ static int packet_create(struct net *net
+
+ if (proto) {
+ po->prot_hook.type = proto;
+- register_prot_hook(sk);
++ __register_prot_hook(sk);
+ }
+
+ mutex_lock(&net->packet.sklist_lock);
+@@ -3734,12 +3741,18 @@ packet_setsockopt(struct socket *sock, i
+
+ if (optlen != sizeof(val))
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+- po->tp_loss = !!val;
+- return 0;
++
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->tp_loss = !!val;
++ ret = 0;
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_AUXDATA:
+ {
+@@ -3750,7 +3763,9 @@ packet_setsockopt(struct socket *sock, i
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
++ lock_sock(sk);
+ po->auxdata = !!val;
++ release_sock(sk);
+ return 0;
+ }
+ case PACKET_ORIGDEV:
+@@ -3762,7 +3777,9 @@ packet_setsockopt(struct socket *sock, i
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
++ lock_sock(sk);
+ po->origdev = !!val;
++ release_sock(sk);
+ return 0;
+ }
+ case PACKET_VNET_HDR:
+@@ -3771,15 +3788,20 @@ packet_setsockopt(struct socket *sock, i
+
+ if (sock->type != SOCK_RAW)
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (optlen < sizeof(val))
+ return -EINVAL;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+
+- po->has_vnet_hdr = !!val;
+- return 0;
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->has_vnet_hdr = !!val;
++ ret = 0;
++ }
++ release_sock(sk);
++ return ret;
+ }
+ case PACKET_TIMESTAMP:
+ {
+@@ -3817,11 +3839,17 @@ packet_setsockopt(struct socket *sock, i
+
+ if (optlen != sizeof(val))
+ return -EINVAL;
+- if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)
+- return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
+- po->tp_tx_has_off = !!val;
++
++ lock_sock(sk);
++ if (po->rx_ring.pg_vec || po->tx_ring.pg_vec) {
++ ret = -EBUSY;
++ } else {
++ po->tp_tx_has_off = !!val;
++ ret = 0;
++ }
++ release_sock(sk);
+ return 0;
+ }
+ case PACKET_QDISC_BYPASS:
+--- a/net/packet/internal.h
++++ b/net/packet/internal.h
+@@ -112,10 +112,12 @@ struct packet_sock {
+ int copy_thresh;
+ spinlock_t bind_lock;
+ struct mutex pg_vec_lock;
+- unsigned int running:1, /* prot_hook is attached*/
+- auxdata:1,
++ unsigned int running; /* bind_lock must be held */
++ unsigned int auxdata:1, /* writer must hold sock lock */
+ origdev:1,
+- has_vnet_hdr:1;
++ has_vnet_hdr:1,
++ tp_loss:1,
++ tp_tx_has_off:1;
+ int pressure;
+ int ifindex; /* bound device */
+ __be16 num;
+@@ -125,8 +127,6 @@ struct packet_sock {
+ enum tpacket_versions tp_version;
+ unsigned int tp_hdrlen;
+ unsigned int tp_reserve;
+- unsigned int tp_loss:1;
+- unsigned int tp_tx_has_off:1;
+ unsigned int tp_tstamp;
+ struct net_device __rcu *cached_dev;
+ int (*xmit)(struct sk_buff *skb);
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Guillaume Nault <g.nault@alphalink.fr>
+Date: Mon, 23 Apr 2018 16:38:27 +0200
+Subject: pppoe: check sockaddr length in pppoe_connect()
+
+From: Guillaume Nault <g.nault@alphalink.fr>
+
+
+[ Upstream commit a49e2f5d5fb141884452ddb428f551b123d436b5 ]
+
+We must validate sockaddr_len, otherwise userspace can pass fewer data
+than we expect and we end up accessing invalid data.
+
+Fixes: 224cf5ad14c0 ("ppp: Move the PPP drivers")
+Reported-by: syzbot+4f03bdf92fdf9ef5ddab@syzkaller.appspotmail.com
+Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ppp/pppoe.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ppp/pppoe.c
++++ b/drivers/net/ppp/pppoe.c
+@@ -620,6 +620,10 @@ static int pppoe_connect(struct socket *
+ lock_sock(sk);
+
+ error = -EINVAL;
++
++ if (sockaddr_len != sizeof(struct sockaddr_pppox))
++ goto end;
++
+ if (sp->sa_protocol != PX_PROTO_OE)
+ goto end;
+
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 16 Apr 2018 13:17:50 +0300
+Subject: Revert "macsec: missing dev_put() on error in macsec_newlink()"
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+
+[ Upstream commit bd28899dd34f9283c567f7eeb31bb546f10820b5 ]
+
+This patch is just wrong, sorry. I was trying to fix a static checker
+warning and misread the code. The reference taken in macsec_newlink()
+is released in macsec_free_netdev() when the netdevice is destroyed.
+
+This reverts commit 5dcd8400884cc4a043a6d4617e042489e5d566a9.
+
+Reported-by: Laura Abbott <labbott@redhat.com>
+Fixes: 5dcd8400884c ("macsec: missing dev_put() on error in macsec_newlink()")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -3277,7 +3277,7 @@ static int macsec_newlink(struct net *ne
+
+ err = netdev_upper_dev_link(real_dev, dev, extack);
+ if (err < 0)
+- goto put_dev;
++ goto unregister;
+
+ /* need to be already registered so that ->init has run and
+ * the MAC addr is set
+@@ -3316,8 +3316,7 @@ del_dev:
+ macsec_del_dev(macsec);
+ unlink:
+ netdev_upper_dev_unlink(real_dev, dev);
+-put_dev:
+- dev_put(real_dev);
++unregister:
+ unregister_netdevice(dev);
+ return err;
+ }
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Thu, 19 Apr 2018 12:52:07 +0200
+Subject: s390/qeth: avoid control IO completion stalls
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+
+[ Upstream commit 901e3f49facbd31b2b3d1786637b4a35e1022e9b ]
+
+For control IO, qeth currently tracks the index of the buffer that it
+expects to complete the next IO on each qeth_channel. If the channel
+presents an IRQ while this buffer has not yet completed, no completion
+processing for _any_ completed buffer takes place.
+So if the 'next buffer' is skipped for any sort of reason* (eg. when it
+is released due to error conditions, before the IO is started), the
+buffer obviously won't switch to PROCESSED until it is eventually
+allocated for a _different_ IO and completes.
+Until this happens, all completion processing on that channel stalls
+and pending requests possibly time out.
+
+As a fix, remove the whole 'next buffer' logic and simply process any
+IO buffer right when it completes. A channel will never have more than
+one IO pending, so there's no risk of processing out-of-sequence.
+
+*Note: currently just one location in the code really handles this problem,
+ by advancing the 'next' index manually.
+
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core.h | 2 --
+ drivers/s390/net/qeth_core_main.c | 22 +++++-----------------
+ 2 files changed, 5 insertions(+), 19 deletions(-)
+
+--- a/drivers/s390/net/qeth_core.h
++++ b/drivers/s390/net/qeth_core.h
+@@ -565,7 +565,6 @@ enum qeth_ip_types {
+ enum qeth_cmd_buffer_state {
+ BUF_STATE_FREE,
+ BUF_STATE_LOCKED,
+- BUF_STATE_PROCESSED,
+ };
+
+ enum qeth_cq {
+@@ -609,7 +608,6 @@ struct qeth_channel {
+ struct qeth_cmd_buffer iob[QETH_CMD_BUFFER_NO];
+ atomic_t irq_pending;
+ int io_buf_no;
+- int buf_no;
+ };
+
+ /**
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -821,7 +821,6 @@ void qeth_clear_cmd_buffers(struct qeth_
+
+ for (cnt = 0; cnt < QETH_CMD_BUFFER_NO; cnt++)
+ qeth_release_buffer(channel, &channel->iob[cnt]);
+- channel->buf_no = 0;
+ channel->io_buf_no = 0;
+ }
+ EXPORT_SYMBOL_GPL(qeth_clear_cmd_buffers);
+@@ -927,7 +926,6 @@ static int qeth_setup_channel(struct qet
+ kfree(channel->iob[cnt].data);
+ return -ENOMEM;
+ }
+- channel->buf_no = 0;
+ channel->io_buf_no = 0;
+ atomic_set(&channel->irq_pending, 0);
+ spin_lock_init(&channel->iob_lock);
+@@ -1103,11 +1101,9 @@ static void qeth_irq(struct ccw_device *
+ {
+ int rc;
+ int cstat, dstat;
+- struct qeth_cmd_buffer *buffer;
+ struct qeth_channel *channel;
+ struct qeth_card *card;
+ struct qeth_cmd_buffer *iob;
+- __u8 index;
+
+ if (__qeth_check_irb_error(cdev, intparm, irb))
+ return;
+@@ -1185,25 +1181,18 @@ static void qeth_irq(struct ccw_device *
+ channel->state = CH_STATE_RCD_DONE;
+ goto out;
+ }
+- if (intparm) {
+- buffer = (struct qeth_cmd_buffer *) __va((addr_t)intparm);
+- buffer->state = BUF_STATE_PROCESSED;
+- }
+ if (channel == &card->data)
+ return;
+ if (channel == &card->read &&
+ channel->state == CH_STATE_UP)
+ __qeth_issue_next_read(card);
+
+- iob = channel->iob;
+- index = channel->buf_no;
+- while (iob[index].state == BUF_STATE_PROCESSED) {
+- if (iob[index].callback != NULL)
+- iob[index].callback(channel, iob + index);
+-
+- index = (index + 1) % QETH_CMD_BUFFER_NO;
++ if (intparm) {
++ iob = (struct qeth_cmd_buffer *) __va((addr_t)intparm);
++ if (iob->callback)
++ iob->callback(iob->channel, iob);
+ }
+- channel->buf_no = index;
++
+ out:
+ wake_up(&card->wait_q);
+ return;
+@@ -2217,7 +2206,6 @@ time_err:
+ error:
+ atomic_set(&card->write.irq_pending, 0);
+ qeth_release_buffer(iob->channel, iob);
+- card->write.buf_no = (card->write.buf_no + 1) % QETH_CMD_BUFFER_NO;
+ rc = reply->rc;
+ qeth_put_reply(reply);
+ return rc;
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Date: Thu, 19 Apr 2018 12:52:06 +0200
+Subject: s390/qeth: fix error handling in adapter command callbacks
+
+From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+
+
+[ Upstream commit 686c97ee29c886ee07d17987d0059874c5c3b5af ]
+
+Make sure to check both return code fields before(!) processing the
+command response. Otherwise we risk operating on invalid data.
+
+This matches an earlier fix for SETASSPARMS commands, see
+commit ad3cbf613329 ("s390/qeth: fix error handling in checksum cmd callback").
+
+Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core_main.c | 85 ++++++++++++++++----------------------
+ 1 file changed, 37 insertions(+), 48 deletions(-)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -3037,28 +3037,23 @@ static int qeth_send_startlan(struct qet
+ return rc;
+ }
+
+-static int qeth_default_setadapterparms_cb(struct qeth_card *card,
+- struct qeth_reply *reply, unsigned long data)
++static int qeth_setadpparms_inspect_rc(struct qeth_ipa_cmd *cmd)
+ {
+- struct qeth_ipa_cmd *cmd;
+-
+- QETH_CARD_TEXT(card, 4, "defadpcb");
+-
+- cmd = (struct qeth_ipa_cmd *) data;
+- if (cmd->hdr.return_code == 0)
++ if (!cmd->hdr.return_code)
+ cmd->hdr.return_code =
+ cmd->data.setadapterparms.hdr.return_code;
+- return 0;
++ return cmd->hdr.return_code;
+ }
+
+ static int qeth_query_setadapterparms_cb(struct qeth_card *card,
+ struct qeth_reply *reply, unsigned long data)
+ {
+- struct qeth_ipa_cmd *cmd;
++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data;
+
+ QETH_CARD_TEXT(card, 3, "quyadpcb");
++ if (qeth_setadpparms_inspect_rc(cmd))
++ return 0;
+
+- cmd = (struct qeth_ipa_cmd *) data;
+ if (cmd->data.setadapterparms.data.query_cmds_supp.lan_type & 0x7f) {
+ card->info.link_type =
+ cmd->data.setadapterparms.data.query_cmds_supp.lan_type;
+@@ -3066,7 +3061,7 @@ static int qeth_query_setadapterparms_cb
+ }
+ card->options.adp.supported_funcs =
+ cmd->data.setadapterparms.data.query_cmds_supp.supported_cmds;
+- return qeth_default_setadapterparms_cb(card, reply, (unsigned long)cmd);
++ return 0;
+ }
+
+ static struct qeth_cmd_buffer *qeth_get_adapter_cmd(struct qeth_card *card,
+@@ -3158,22 +3153,20 @@ EXPORT_SYMBOL_GPL(qeth_query_ipassists);
+ static int qeth_query_switch_attributes_cb(struct qeth_card *card,
+ struct qeth_reply *reply, unsigned long data)
+ {
+- struct qeth_ipa_cmd *cmd;
+- struct qeth_switch_info *sw_info;
++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data;
+ struct qeth_query_switch_attributes *attrs;
++ struct qeth_switch_info *sw_info;
+
+ QETH_CARD_TEXT(card, 2, "qswiatcb");
+- cmd = (struct qeth_ipa_cmd *) data;
+- sw_info = (struct qeth_switch_info *)reply->param;
+- if (cmd->data.setadapterparms.hdr.return_code == 0) {
+- attrs = &cmd->data.setadapterparms.data.query_switch_attributes;
+- sw_info->capabilities = attrs->capabilities;
+- sw_info->settings = attrs->settings;
+- QETH_CARD_TEXT_(card, 2, "%04x%04x", sw_info->capabilities,
+- sw_info->settings);
+- }
+- qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd);
++ if (qeth_setadpparms_inspect_rc(cmd))
++ return 0;
+
++ sw_info = (struct qeth_switch_info *)reply->param;
++ attrs = &cmd->data.setadapterparms.data.query_switch_attributes;
++ sw_info->capabilities = attrs->capabilities;
++ sw_info->settings = attrs->settings;
++ QETH_CARD_TEXT_(card, 2, "%04x%04x", sw_info->capabilities,
++ sw_info->settings);
+ return 0;
+ }
+
+@@ -4211,16 +4204,13 @@ EXPORT_SYMBOL_GPL(qeth_do_send_packet);
+ static int qeth_setadp_promisc_mode_cb(struct qeth_card *card,
+ struct qeth_reply *reply, unsigned long data)
+ {
+- struct qeth_ipa_cmd *cmd;
++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data;
+ struct qeth_ipacmd_setadpparms *setparms;
+
+ QETH_CARD_TEXT(card, 4, "prmadpcb");
+
+- cmd = (struct qeth_ipa_cmd *) data;
+ setparms = &(cmd->data.setadapterparms);
+-
+- qeth_default_setadapterparms_cb(card, reply, (unsigned long)cmd);
+- if (cmd->hdr.return_code) {
++ if (qeth_setadpparms_inspect_rc(cmd)) {
+ QETH_CARD_TEXT_(card, 4, "prmrc%x", cmd->hdr.return_code);
+ setparms->data.mode = SET_PROMISC_MODE_OFF;
+ }
+@@ -4290,18 +4280,18 @@ EXPORT_SYMBOL_GPL(qeth_get_stats);
+ static int qeth_setadpparms_change_macaddr_cb(struct qeth_card *card,
+ struct qeth_reply *reply, unsigned long data)
+ {
+- struct qeth_ipa_cmd *cmd;
++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data;
+
+ QETH_CARD_TEXT(card, 4, "chgmaccb");
++ if (qeth_setadpparms_inspect_rc(cmd))
++ return 0;
+
+- cmd = (struct qeth_ipa_cmd *) data;
+ if (!card->options.layer2 ||
+ !(card->info.mac_bits & QETH_LAYER2_MAC_READ)) {
+ ether_addr_copy(card->dev->dev_addr,
+ cmd->data.setadapterparms.data.change_addr.addr);
+ card->info.mac_bits |= QETH_LAYER2_MAC_READ;
+ }
+- qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd);
+ return 0;
+ }
+
+@@ -4332,13 +4322,15 @@ EXPORT_SYMBOL_GPL(qeth_setadpparms_chang
+ static int qeth_setadpparms_set_access_ctrl_cb(struct qeth_card *card,
+ struct qeth_reply *reply, unsigned long data)
+ {
+- struct qeth_ipa_cmd *cmd;
++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *) data;
+ struct qeth_set_access_ctrl *access_ctrl_req;
+ int fallback = *(int *)reply->param;
+
+ QETH_CARD_TEXT(card, 4, "setaccb");
++ if (cmd->hdr.return_code)
++ return 0;
++ qeth_setadpparms_inspect_rc(cmd);
+
+- cmd = (struct qeth_ipa_cmd *) data;
+ access_ctrl_req = &cmd->data.setadapterparms.data.set_access_ctrl;
+ QETH_DBF_TEXT_(SETUP, 2, "setaccb");
+ QETH_DBF_TEXT_(SETUP, 2, "%s", card->gdev->dev.kobj.name);
+@@ -4411,7 +4403,6 @@ static int qeth_setadpparms_set_access_c
+ card->options.isolation = card->options.prev_isolation;
+ break;
+ }
+- qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd);
+ return 0;
+ }
+
+@@ -4699,14 +4690,15 @@ out:
+ static int qeth_setadpparms_query_oat_cb(struct qeth_card *card,
+ struct qeth_reply *reply, unsigned long data)
+ {
+- struct qeth_ipa_cmd *cmd;
++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *)data;
+ struct qeth_qoat_priv *priv;
+ char *resdata;
+ int resdatalen;
+
+ QETH_CARD_TEXT(card, 3, "qoatcb");
++ if (qeth_setadpparms_inspect_rc(cmd))
++ return 0;
+
+- cmd = (struct qeth_ipa_cmd *)data;
+ priv = (struct qeth_qoat_priv *)reply->param;
+ resdatalen = cmd->data.setadapterparms.hdr.cmdlength;
+ resdata = (char *)data + 28;
+@@ -4800,21 +4792,18 @@ out:
+ static int qeth_query_card_info_cb(struct qeth_card *card,
+ struct qeth_reply *reply, unsigned long data)
+ {
+- struct qeth_ipa_cmd *cmd;
++ struct carrier_info *carrier_info = (struct carrier_info *)reply->param;
++ struct qeth_ipa_cmd *cmd = (struct qeth_ipa_cmd *)data;
+ struct qeth_query_card_info *card_info;
+- struct carrier_info *carrier_info;
+
+ QETH_CARD_TEXT(card, 2, "qcrdincb");
+- carrier_info = (struct carrier_info *)reply->param;
+- cmd = (struct qeth_ipa_cmd *)data;
+- card_info = &cmd->data.setadapterparms.data.card_info;
+- if (cmd->data.setadapterparms.hdr.return_code == 0) {
+- carrier_info->card_type = card_info->card_type;
+- carrier_info->port_mode = card_info->port_mode;
+- carrier_info->port_speed = card_info->port_speed;
+- }
++ if (qeth_setadpparms_inspect_rc(cmd))
++ return 0;
+
+- qeth_default_setadapterparms_cb(card, reply, (unsigned long) cmd);
++ card_info = &cmd->data.setadapterparms.data.card_info;
++ carrier_info->card_type = card_info->card_type;
++ carrier_info->port_mode = card_info->port_mode;
++ carrier_info->port_speed = card_info->port_speed;
+ return 0;
+ }
+
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Julian Wiedmann <jwi@linux.ibm.com>
+Date: Thu, 19 Apr 2018 12:52:08 +0200
+Subject: s390/qeth: handle failure on workqueue creation
+
+From: Julian Wiedmann <jwi@linux.ibm.com>
+
+
+[ Upstream commit a936b1ef37ce1e996533878f4b23944f9444dcdf ]
+
+Creating the global workqueue during driver init may fail, deal with it.
+Also, destroy the created workqueue on any subsequent error.
+
+Fixes: 0f54761d167f ("qeth: Support VEPA mode")
+Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_core_main.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -6544,10 +6544,14 @@ static int __init qeth_core_init(void)
+ mutex_init(&qeth_mod_mutex);
+
+ qeth_wq = create_singlethread_workqueue("qeth_wq");
++ if (!qeth_wq) {
++ rc = -ENOMEM;
++ goto out_err;
++ }
+
+ rc = qeth_register_dbf_views();
+ if (rc)
+- goto out_err;
++ goto dbf_err;
+ qeth_core_root_dev = root_device_register("qeth");
+ rc = PTR_ERR_OR_ZERO(qeth_core_root_dev);
+ if (rc)
+@@ -6584,6 +6588,8 @@ slab_err:
+ root_device_unregister(qeth_core_root_dev);
+ register_err:
+ qeth_unregister_dbf_views();
++dbf_err:
++ destroy_workqueue(qeth_wq);
+ out_err:
+ pr_err("Initializing the qeth device driver failed\n");
+ return rc;
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 12 Apr 2018 14:24:31 +0800
+Subject: sctp: do not check port in sctp_inet6_cmp_addr
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 1071ec9d453a38023579714b64a951a2fb982071 ]
+
+pf->cmp_addr() is called before binding a v6 address to the sock. It
+should not check ports, like in sctp_inet_cmp_addr.
+
+But sctp_inet6_cmp_addr checks the addr by invoking af(6)->cmp_addr,
+sctp_v6_cmp_addr where it also compares the ports.
+
+This would cause that setsockopt(SCTP_SOCKOPT_BINDX_ADD) could bind
+multiple duplicated IPv6 addresses after Commit 40b4f0fd74e4 ("sctp:
+lack the check for ports in sctp_v6_cmp_addr").
+
+This patch is to remove af->cmp_addr called in sctp_inet6_cmp_addr,
+but do the proper check for both v6 addrs and v4mapped addrs.
+
+v1->v2:
+ - define __sctp_v6_cmp_addr to do the common address comparison
+ used for both pf and af v6 cmp_addr.
+
+Fixes: 40b4f0fd74e4 ("sctp: lack the check for ports in sctp_v6_cmp_addr")
+Reported-by: Jianwen Ji <jiji@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/ipv6.c | 60 ++++++++++++++++++++++++++++----------------------------
+ 1 file changed, 30 insertions(+), 30 deletions(-)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -521,46 +521,49 @@ static void sctp_v6_to_addr(union sctp_a
+ addr->v6.sin6_scope_id = 0;
+ }
+
+-/* Compare addresses exactly.
+- * v4-mapped-v6 is also in consideration.
+- */
+-static int sctp_v6_cmp_addr(const union sctp_addr *addr1,
+- const union sctp_addr *addr2)
++static int __sctp_v6_cmp_addr(const union sctp_addr *addr1,
++ const union sctp_addr *addr2)
+ {
+ if (addr1->sa.sa_family != addr2->sa.sa_family) {
+ if (addr1->sa.sa_family == AF_INET &&
+ addr2->sa.sa_family == AF_INET6 &&
+- ipv6_addr_v4mapped(&addr2->v6.sin6_addr)) {
+- if (addr2->v6.sin6_port == addr1->v4.sin_port &&
+- addr2->v6.sin6_addr.s6_addr32[3] ==
+- addr1->v4.sin_addr.s_addr)
+- return 1;
+- }
++ ipv6_addr_v4mapped(&addr2->v6.sin6_addr) &&
++ addr2->v6.sin6_addr.s6_addr32[3] ==
++ addr1->v4.sin_addr.s_addr)
++ return 1;
++
+ if (addr2->sa.sa_family == AF_INET &&
+ addr1->sa.sa_family == AF_INET6 &&
+- ipv6_addr_v4mapped(&addr1->v6.sin6_addr)) {
+- if (addr1->v6.sin6_port == addr2->v4.sin_port &&
+- addr1->v6.sin6_addr.s6_addr32[3] ==
+- addr2->v4.sin_addr.s_addr)
+- return 1;
+- }
++ ipv6_addr_v4mapped(&addr1->v6.sin6_addr) &&
++ addr1->v6.sin6_addr.s6_addr32[3] ==
++ addr2->v4.sin_addr.s_addr)
++ return 1;
++
+ return 0;
+ }
+- if (addr1->v6.sin6_port != addr2->v6.sin6_port)
+- return 0;
++
+ if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr))
+ return 0;
++
+ /* If this is a linklocal address, compare the scope_id. */
+- if (ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) {
+- if (addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id &&
+- (addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id)) {
+- return 0;
+- }
+- }
++ if ((ipv6_addr_type(&addr1->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) &&
++ addr1->v6.sin6_scope_id && addr2->v6.sin6_scope_id &&
++ addr1->v6.sin6_scope_id != addr2->v6.sin6_scope_id)
++ return 0;
+
+ return 1;
+ }
+
++/* Compare addresses exactly.
++ * v4-mapped-v6 is also in consideration.
++ */
++static int sctp_v6_cmp_addr(const union sctp_addr *addr1,
++ const union sctp_addr *addr2)
++{
++ return __sctp_v6_cmp_addr(addr1, addr2) &&
++ addr1->v6.sin6_port == addr2->v6.sin6_port;
++}
++
+ /* Initialize addr struct to INADDR_ANY. */
+ static void sctp_v6_inaddr_any(union sctp_addr *addr, __be16 port)
+ {
+@@ -846,8 +849,8 @@ static int sctp_inet6_cmp_addr(const uni
+ const union sctp_addr *addr2,
+ struct sctp_sock *opt)
+ {
+- struct sctp_af *af1, *af2;
+ struct sock *sk = sctp_opt2sk(opt);
++ struct sctp_af *af1, *af2;
+
+ af1 = sctp_get_af_specific(addr1->sa.sa_family);
+ af2 = sctp_get_af_specific(addr2->sa.sa_family);
+@@ -863,10 +866,7 @@ static int sctp_inet6_cmp_addr(const uni
+ if (sctp_is_any(sk, addr1) || sctp_is_any(sk, addr2))
+ return 1;
+
+- if (addr1->sa.sa_family != addr2->sa.sa_family)
+- return 0;
+-
+- return af1->cmp_addr(addr1, addr2);
++ return __sctp_v6_cmp_addr(addr1, addr2);
+ }
+
+ /* Verify that the provided sockaddr looks bindable. Common verification,
tpm-tpm-interface-fix-tpm_transmit-_cmd-kdoc.patch
tpm-add-retry-logic.patch
revert-ath10k-send-re-assoc-peer-command-when-nss-changed.patch
+bonding-do-not-set-slave_dev-npinfo-before-slave_enable_netpoll-in-bond_enslave.patch
+docs-ip-sysctl.txt-fix-name-of-some-ipv6-variables.patch
+ipv6-add-rta_table-and-rta_prefsrc-to-rtm_ipv6_policy.patch
+ipv6-sr-fix-null-pointer-dereference-in-seg6_do_srh_encap-v4-pkts.patch
+keys-dns-limit-the-length-of-option-strings.patch
+l2tp-check-sockaddr-length-in-pppol2tp_connect.patch
+llc-delete-timers-synchronously-in-llc_sk_free.patch
+net-af_packet-fix-race-in-packet_-r-t-x_ring.patch
+net-fix-deadlock-while-clearing-neighbor-proxy-table.patch
+net-mvpp2-fix-dma-address-mask-size.patch
+net-qmi_wwan-add-wistron-neweb-d19q1.patch
+net-smc-fix-shutdown-in-state-smc_listen.patch
+net-stmmac-disable-acs-feature-for-gmac-4.patch
+packet-fix-bitfield-update-race.patch
+pppoe-check-sockaddr-length-in-pppoe_connect.patch
+revert-macsec-missing-dev_put-on-error-in-macsec_newlink.patch
+sctp-do-not-check-port-in-sctp_inet6_cmp_addr.patch
+strparser-do-not-call-mod_delayed_work-with-a-timeout-of-long_max.patch
+strparser-fix-incorrect-strp-need_bytes-value.patch
+tcp-clear-tp-packets_out-when-purging-write-queue.patch
+tcp-don-t-read-out-of-bounds-opsize.patch
+tcp-md5-reject-tcp_md5sig-or-tcp_md5sig_ext-on-established-sockets.patch
+team-avoid-adding-twice-the-same-option-to-the-event-list.patch
+team-fix-netconsole-setup-over-team.patch
+tipc-add-policy-for-tipc_nla_net_addr.patch
+vlan-fix-reading-memory-beyond-skb-tail-in-skb_vlan_tagged_multi.patch
+vmxnet3-fix-incorrect-dereference-when-rxvlan-is-disabled.patch
+amd-xgbe-add-pre-post-auto-negotiation-phy-hooks.patch
+amd-xgbe-improve-kr-auto-negotiation-and-training.patch
+amd-xgbe-only-use-the-sfp-supported-transceiver-signals.patch
+net-sched-ife-signal-not-finding-metaid.patch
+net-sched-ife-handle-malformed-tlv-length.patch
+net-sched-ife-check-on-metadata-length.patch
+l2tp-hold-reference-on-tunnels-in-netlink-dumps.patch
+l2tp-hold-reference-on-tunnels-printed-in-pppol2tp-proc-file.patch
+l2tp-hold-reference-on-tunnels-printed-in-l2tp-tunnels-debugfs-file.patch
+l2tp-fix-pppol2tp-l2tp_dfs-_seq_stop-in-case-of-seq_file-overflow.patch
+llc-hold-llc_sap-before-release_sock.patch
+llc-fix-null-pointer-deref-for-sock_zapped.patch
+s390-qeth-fix-error-handling-in-adapter-command-callbacks.patch
+s390-qeth-avoid-control-io-completion-stalls.patch
+s390-qeth-handle-failure-on-workqueue-creation.patch
+net-ethernet-ti-cpsw-fix-tx-vlan-priority-mapping.patch
+net-validate-attribute-sizes-in-neigh_dump_table.patch
+bnxt_en-fix-memory-fault-in-bnxt_ethtool_init.patch
+virtio-net-add-missing-virtqueue-kick-when-flushing-packets.patch
+vsock-make-af_vsock.ko-removable-again.patch
+net-aquantia-regression-on-reset-with-1.x-firmware.patch
+tun-fix-vlan-packet-truncation.patch
+net-aquantia-oops-when-shutdown-on-already-stopped-device.patch
+virtio_net-split-out-ctrl-buffer.patch
+virtio_net-fix-adding-vids-on-big-endian.patch
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Doron Roberts-Kedes <doronrk@fb.com>
+Date: Fri, 20 Apr 2018 12:11:11 -0700
+Subject: strparser: Do not call mod_delayed_work with a timeout of LONG_MAX
+
+From: Doron Roberts-Kedes <doronrk@fb.com>
+
+
+[ Upstream commit 7c5aba211dd61f41d737a2c51729eb9fdcd3edf4 ]
+
+struct sock's sk_rcvtimeo is initialized to
+LONG_MAX/MAX_SCHEDULE_TIMEOUT in sock_init_data. Calling
+mod_delayed_work with a timeout of LONG_MAX causes spurious execution of
+the work function. timer->expires is set equal to jiffies + LONG_MAX.
+When timer_base->clk falls behind the current value of jiffies,
+the delta between timer_base->clk and jiffies + LONG_MAX causes the
+expiration to be in the past. Returning early from strp_start_timer if
+timeo == LONG_MAX solves this problem.
+
+Found while testing net/tls_sw recv path.
+
+Fixes: 43a0c6751a322847 ("strparser: Stream parser for messages")
+Reviewed-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Doron Roberts-Kedes <doronrk@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/strparser/strparser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/strparser/strparser.c
++++ b/net/strparser/strparser.c
+@@ -67,7 +67,7 @@ static void strp_abort_strp(struct strpa
+
+ static void strp_start_timer(struct strparser *strp, long timeo)
+ {
+- if (timeo)
++ if (timeo && timeo != LONG_MAX)
+ mod_delayed_work(strp_wq, &strp->msg_timer_work, timeo);
+ }
+
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Doron Roberts-Kedes <doronrk@fb.com>
+Date: Wed, 11 Apr 2018 15:05:16 -0700
+Subject: strparser: Fix incorrect strp->need_bytes value.
+
+From: Doron Roberts-Kedes <doronrk@fb.com>
+
+
+[ Upstream commit 9d0c75bf6e03d9bf80c55b0f677dc9b982958fd5 ]
+
+strp_data_ready resets strp->need_bytes to 0 if strp_peek_len indicates
+that the remainder of the message has been received. However,
+do_strp_work does not reset strp->need_bytes to 0. If do_strp_work
+completes a partial message, the value of strp->need_bytes will continue
+to reflect the needed bytes of the previous message, causing
+future invocations of strp_data_ready to return early if
+strp->need_bytes is less than strp_peek_len. Resetting strp->need_bytes
+to 0 in __strp_recv on handing a full message to the upper layer solves
+this problem.
+
+__strp_recv also calculates strp->need_bytes using stm->accum_len before
+stm->accum_len has been incremented by cand_len. This can cause
+strp->need_bytes to be equal to the full length of the message instead
+of the full length minus the accumulated length. This, in turn, causes
+strp_data_ready to return early, even when there is sufficient data to
+complete the partial message. Incrementing stm->accum_len before using
+it to calculate strp->need_bytes solves this problem.
+
+Found while testing net/tls_sw recv path.
+
+Fixes: 43a0c6751a322847 ("strparser: Stream parser for messages")
+Signed-off-by: Doron Roberts-Kedes <doronrk@fb.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/strparser/strparser.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/net/strparser/strparser.c
++++ b/net/strparser/strparser.c
+@@ -296,9 +296,9 @@ static int __strp_recv(read_descriptor_t
+ strp_start_timer(strp, timeo);
+ }
+
++ stm->accum_len += cand_len;
+ strp->need_bytes = stm->strp.full_len -
+ stm->accum_len;
+- stm->accum_len += cand_len;
+ stm->early_eaten = cand_len;
+ STRP_STATS_ADD(strp->stats.bytes, cand_len);
+ desc->count = 0; /* Stop reading socket */
+@@ -321,6 +321,7 @@ static int __strp_recv(read_descriptor_t
+ /* Hurray, we have a new message! */
+ cancel_delayed_work(&strp->msg_timer_work);
+ strp->skb_head = NULL;
++ strp->need_bytes = 0;
+ STRP_STATS_INCR(strp->stats.msgs);
+
+ /* Give skb to upper layer */
+@@ -410,9 +411,7 @@ void strp_data_ready(struct strparser *s
+ return;
+
+ if (strp->need_bytes) {
+- if (strp_peek_len(strp) >= strp->need_bytes)
+- strp->need_bytes = 0;
+- else
++ if (strp_peek_len(strp) < strp->need_bytes)
+ return;
+ }
+
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Soheil Hassas Yeganeh <soheil@google.com>
+Date: Sat, 14 Apr 2018 20:44:46 -0400
+Subject: tcp: clear tp->packets_out when purging write queue
+
+From: Soheil Hassas Yeganeh <soheil@google.com>
+
+
+[ Upstream commit bffd168c3fc5cc7d2bad4c668fa90e7a9010db4b ]
+
+Clear tp->packets_out when purging the write queue, otherwise
+tcp_rearm_rto() mistakenly assumes TCP write queue is not empty.
+This results in NULL pointer dereference.
+
+Also, remove the redundant `tp->packets_out = 0` from
+tcp_disconnect(), since tcp_disconnect() calls
+tcp_write_queue_purge().
+
+Fixes: a27fd7a8ed38 (tcp: purge write queue upon RST)
+Reported-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
+Reported-by: Sami Farin <hvtaifwkbgefbaei@gmail.com>
+Tested-by: Sami Farin <hvtaifwkbgefbaei@gmail.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2385,6 +2385,7 @@ void tcp_write_queue_purge(struct sock *
+ INIT_LIST_HEAD(&tcp_sk(sk)->tsorted_sent_queue);
+ sk_mem_reclaim(sk);
+ tcp_clear_all_retrans_hints(tcp_sk(sk));
++ tcp_sk(sk)->packets_out = 0;
+ }
+
+ int tcp_disconnect(struct sock *sk, int flags)
+@@ -2434,7 +2435,6 @@ int tcp_disconnect(struct sock *sk, int
+ icsk->icsk_backoff = 0;
+ tp->snd_cwnd = 2;
+ icsk->icsk_probes_out = 0;
+- tp->packets_out = 0;
+ tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
+ tp->snd_cwnd_cnt = 0;
+ tp->window_clamp = 0;
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Jann Horn <jannh@google.com>
+Date: Fri, 20 Apr 2018 15:57:30 +0200
+Subject: tcp: don't read out-of-bounds opsize
+
+From: Jann Horn <jannh@google.com>
+
+
+[ Upstream commit 7e5a206ab686f098367b61aca989f5cdfa8114a3 ]
+
+The old code reads the "opsize" variable from out-of-bounds memory (first
+byte behind the segment) if a broken TCP segment ends directly after an
+opcode that is neither EOL nor NOP.
+
+The result of the read isn't used for anything, so the worst thing that
+could theoretically happen is a pagefault; and since the physmap is usually
+mostly contiguous, even that seems pretty unlikely.
+
+The following C reproducer triggers the uninitialized read - however, you
+can't actually see anything happen unless you put something like a
+pr_warn() in tcp_parse_md5sig_option() to print the opsize.
+
+====================================
+#define _GNU_SOURCE
+#include <arpa/inet.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <stdarg.h>
+#include <net/if.h>
+#include <linux/if.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <linux/in.h>
+#include <linux/if_tun.h>
+#include <err.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <assert.h>
+
+void systemf(const char *command, ...) {
+ char *full_command;
+ va_list ap;
+ va_start(ap, command);
+ if (vasprintf(&full_command, command, ap) == -1)
+ err(1, "vasprintf");
+ va_end(ap);
+ printf("systemf: <<<%s>>>\n", full_command);
+ system(full_command);
+}
+
+char *devname;
+
+int tun_alloc(char *name) {
+ int fd = open("/dev/net/tun", O_RDWR);
+ if (fd == -1)
+ err(1, "open tun dev");
+ static struct ifreq req = { .ifr_flags = IFF_TUN|IFF_NO_PI };
+ strcpy(req.ifr_name, name);
+ if (ioctl(fd, TUNSETIFF, &req))
+ err(1, "TUNSETIFF");
+ devname = req.ifr_name;
+ printf("device name: %s\n", devname);
+ return fd;
+}
+
+#define IPADDR(a,b,c,d) (((a)<<0)+((b)<<8)+((c)<<16)+((d)<<24))
+
+void sum_accumulate(unsigned int *sum, void *data, int len) {
+ assert((len&2)==0);
+ for (int i=0; i<len/2; i++) {
+ *sum += ntohs(((unsigned short *)data)[i]);
+ }
+}
+
+unsigned short sum_final(unsigned int sum) {
+ sum = (sum >> 16) + (sum & 0xffff);
+ sum = (sum >> 16) + (sum & 0xffff);
+ return htons(~sum);
+}
+
+void fix_ip_sum(struct iphdr *ip) {
+ unsigned int sum = 0;
+ sum_accumulate(&sum, ip, sizeof(*ip));
+ ip->check = sum_final(sum);
+}
+
+void fix_tcp_sum(struct iphdr *ip, struct tcphdr *tcp) {
+ unsigned int sum = 0;
+ struct {
+ unsigned int saddr;
+ unsigned int daddr;
+ unsigned char pad;
+ unsigned char proto_num;
+ unsigned short tcp_len;
+ } fakehdr = {
+ .saddr = ip->saddr,
+ .daddr = ip->daddr,
+ .proto_num = ip->protocol,
+ .tcp_len = htons(ntohs(ip->tot_len) - ip->ihl*4)
+ };
+ sum_accumulate(&sum, &fakehdr, sizeof(fakehdr));
+ sum_accumulate(&sum, tcp, tcp->doff*4);
+ tcp->check = sum_final(sum);
+}
+
+int main(void) {
+ int tun_fd = tun_alloc("inject_dev%d");
+ systemf("ip link set %s up", devname);
+ systemf("ip addr add 192.168.42.1/24 dev %s", devname);
+
+ struct {
+ struct iphdr ip;
+ struct tcphdr tcp;
+ unsigned char tcp_opts[20];
+ } __attribute__((packed)) syn_packet = {
+ .ip = {
+ .ihl = sizeof(struct iphdr)/4,
+ .version = 4,
+ .tot_len = htons(sizeof(syn_packet)),
+ .ttl = 30,
+ .protocol = IPPROTO_TCP,
+ /* FIXUP check */
+ .saddr = IPADDR(192,168,42,2),
+ .daddr = IPADDR(192,168,42,1)
+ },
+ .tcp = {
+ .source = htons(1),
+ .dest = htons(1337),
+ .seq = 0x12345678,
+ .doff = (sizeof(syn_packet.tcp)+sizeof(syn_packet.tcp_opts))/4,
+ .syn = 1,
+ .window = htons(64),
+ .check = 0 /*FIXUP*/
+ },
+ .tcp_opts = {
+ /* INVALID: trailing MD5SIG opcode after NOPs */
+ 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 19
+ }
+ };
+ fix_ip_sum(&syn_packet.ip);
+ fix_tcp_sum(&syn_packet.ip, &syn_packet.tcp);
+ while (1) {
+ int write_res = write(tun_fd, &syn_packet, sizeof(syn_packet));
+ if (write_res != sizeof(syn_packet))
+ err(1, "packet write failed");
+ }
+}
+====================================
+
+Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -3871,11 +3871,8 @@ const u8 *tcp_parse_md5sig_option(const
+ int length = (th->doff << 2) - sizeof(*th);
+ const u8 *ptr = (const u8 *)(th + 1);
+
+- /* If the TCP option is too short, we can short cut */
+- if (length < TCPOLEN_MD5SIG)
+- return NULL;
+-
+- while (length > 0) {
++ /* If not enough data remaining, we can short cut */
++ while (length >= TCPOLEN_MD5SIG) {
+ int opcode = *ptr++;
+ int opsize;
+
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 11 Apr 2018 14:36:28 -0700
+Subject: tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit 7212303268918b9a203aebeacfdbd83b5e87b20d ]
+
+syzbot/KMSAN reported an uninit-value in tcp_parse_options() [1]
+
+I believe this was caused by a TCP_MD5SIG being set on live
+flow.
+
+This is highly unexpected, since TCP option space is limited.
+
+For instance, presence of TCP MD5 option automatically disables
+TCP TimeStamp option at SYN/SYNACK time, which we can not do
+once flow has been established.
+
+Really, adding/deleting an MD5 key only makes sense on sockets
+in CLOSE or LISTEN state.
+
+[1]
+BUG: KMSAN: uninit-value in tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720
+CPU: 1 PID: 6177 Comm: syzkaller192004 Not tainted 4.16.0+ #83
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ tcp_parse_options+0xd74/0x1a30 net/ipv4/tcp_input.c:3720
+ tcp_fast_parse_options net/ipv4/tcp_input.c:3858 [inline]
+ tcp_validate_incoming+0x4f1/0x2790 net/ipv4/tcp_input.c:5184
+ tcp_rcv_established+0xf60/0x2bb0 net/ipv4/tcp_input.c:5453
+ tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464
+ inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
+ SyS_sendto+0x8a/0xb0 net/socket.c:1715
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x448fe9
+RSP: 002b:00007fd472c64d38 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 00000000006e5a30 RCX: 0000000000448fe9
+RDX: 000000000000029f RSI: 0000000020a88f88 RDI: 0000000000000004
+RBP: 00000000006e5a34 R08: 0000000020e68000 R09: 0000000000000010
+R10: 00000000200007fd R11: 0000000000000216 R12: 0000000000000000
+R13: 00007fff074899ef R14: 00007fd472c659c0 R15: 0000000000000009
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
+ slab_post_alloc_hook mm/slab.h:445 [inline]
+ slab_alloc_node mm/slub.c:2737 [inline]
+ __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:984 [inline]
+ tcp_send_ack+0x18c/0x910 net/ipv4/tcp_output.c:3624
+ __tcp_ack_snd_check net/ipv4/tcp_input.c:5040 [inline]
+ tcp_ack_snd_check net/ipv4/tcp_input.c:5053 [inline]
+ tcp_rcv_established+0x2103/0x2bb0 net/ipv4/tcp_input.c:5469
+ tcp_v4_do_rcv+0x6cd/0xd90 net/ipv4/tcp_ipv4.c:1469
+ sk_backlog_rcv include/net/sock.h:908 [inline]
+ __release_sock+0x2d6/0x680 net/core/sock.c:2271
+ release_sock+0x97/0x2a0 net/core/sock.c:2786
+ tcp_sendmsg+0xd6/0x100 net/ipv4/tcp.c:1464
+ inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747
+ SyS_sendto+0x8a/0xb0 net/socket.c:1715
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Acked-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2830,8 +2830,10 @@ static int do_tcp_setsockopt(struct sock
+ #ifdef CONFIG_TCP_MD5SIG
+ case TCP_MD5SIG:
+ case TCP_MD5SIG_EXT:
+- /* Read the IP->Key mappings from userspace */
+- err = tp->af_specific->md5_parse(sk, optname, optval, optlen);
++ if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))
++ err = tp->af_specific->md5_parse(sk, optname, optval, optlen);
++ else
++ err = -EINVAL;
+ break;
+ #endif
+ case TCP_USER_TIMEOUT:
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 13 Apr 2018 13:59:25 +0200
+Subject: team: avoid adding twice the same option to the event list
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+
+[ Upstream commit 4fb0534fb7bbc2346ba7d3a072b538007f4135a5 ]
+
+When parsing the options provided by the user space,
+team_nl_cmd_options_set() insert them in a temporary list to send
+multiple events with a single message.
+While each option's attribute is correctly validated, the code does
+not check for duplicate entries before inserting into the event
+list.
+
+Exploiting the above, the syzbot was able to trigger the following
+splat:
+
+kernel BUG at lib/list_debug.c:31!
+invalid opcode: 0000 [#1] SMP KASAN
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+Modules linked in:
+CPU: 0 PID: 4466 Comm: syzkaller556835 Not tainted 4.16.0+ #17
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+RIP: 0010:__list_add_valid+0xaa/0xb0 lib/list_debug.c:29
+RSP: 0018:ffff8801b04bf248 EFLAGS: 00010286
+RAX: 0000000000000058 RBX: ffff8801c8fc7a90 RCX: 0000000000000000
+RDX: 0000000000000058 RSI: ffffffff815fbf41 RDI: ffffed0036097e3f
+RBP: ffff8801b04bf260 R08: ffff8801b0b2a700 R09: ffffed003b604f90
+R10: ffffed003b604f90 R11: ffff8801db027c87 R12: ffff8801c8fc7a90
+R13: ffff8801c8fc7a90 R14: dffffc0000000000 R15: 0000000000000000
+FS: 0000000000b98880(0000) GS:ffff8801db000000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000000043fc30 CR3: 00000001afe8e000 CR4: 00000000001406f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ __list_add include/linux/list.h:60 [inline]
+ list_add include/linux/list.h:79 [inline]
+ team_nl_cmd_options_set+0x9ff/0x12b0 drivers/net/team/team.c:2571
+ genl_family_rcv_msg+0x889/0x1120 net/netlink/genetlink.c:599
+ genl_rcv_msg+0xc6/0x170 net/netlink/genetlink.c:624
+ netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2448
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:635
+ netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
+ netlink_unicast+0x58b/0x740 net/netlink/af_netlink.c:1336
+ netlink_sendmsg+0x9f0/0xfa0 net/netlink/af_netlink.c:1901
+ sock_sendmsg_nosec net/socket.c:629 [inline]
+ sock_sendmsg+0xd5/0x120 net/socket.c:639
+ ___sys_sendmsg+0x805/0x940 net/socket.c:2117
+ __sys_sendmsg+0x115/0x270 net/socket.c:2155
+ SYSC_sendmsg net/socket.c:2164 [inline]
+ SyS_sendmsg+0x29/0x30 net/socket.c:2162
+ do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x4458b9
+RSP: 002b:00007ffd1d4a7278 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00000000004458b9
+RDX: 0000000000000010 RSI: 0000000020000d00 RDI: 0000000000000004
+RBP: 00000000004a74ed R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000213 R12: 00007ffd1d4a7348
+R13: 0000000000402a60 R14: 0000000000000000 R15: 0000000000000000
+Code: 75 e8 eb a9 48 89 f7 48 89 75 e8 e8 d1 85 7b fe 48 8b 75 e8 eb bb 48
+89 f2 48 89 d9 4c 89 e6 48 c7 c7 a0 84 d8 87 e8 ea 67 28 fe <0f> 0b 0f 1f
+40 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 41
+RIP: __list_add_valid+0xaa/0xb0 lib/list_debug.c:29 RSP: ffff8801b04bf248
+
+This changeset addresses the avoiding list_add() if the current
+option is already present in the event list.
+
+Reported-and-tested-by: syzbot+4d4af685432dc0e56c91@syzkaller.appspotmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Fixes: 2fcdb2c9e659 ("team: allow to send multiple set events in one message")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -261,6 +261,17 @@ static void __team_option_inst_mark_remo
+ }
+ }
+
++static bool __team_option_inst_tmp_find(const struct list_head *opts,
++ const struct team_option_inst *needle)
++{
++ struct team_option_inst *opt_inst;
++
++ list_for_each_entry(opt_inst, opts, tmp_list)
++ if (opt_inst == needle)
++ return true;
++ return false;
++}
++
+ static int __team_options_register(struct team *team,
+ const struct team_option *option,
+ size_t option_count)
+@@ -2562,6 +2573,14 @@ static int team_nl_cmd_options_set(struc
+ if (err)
+ goto team_put;
+ opt_inst->changed = true;
++
++ /* dumb/evil user-space can send us duplicate opt,
++ * keep only the last one
++ */
++ if (__team_option_inst_tmp_find(&opt_inst_list,
++ opt_inst))
++ continue;
++
+ list_add(&opt_inst->tmp_list, &opt_inst_list);
+ }
+ if (!opt_found) {
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 24 Apr 2018 14:33:37 +0800
+Subject: team: fix netconsole setup over team
+
+From: Xin Long <lucien.xin@gmail.com>
+
+
+[ Upstream commit 9cf2f437ca5b39828984064fad213e68fc17ef11 ]
+
+The same fix in Commit dbe173079ab5 ("bridge: fix netconsole
+setup over bridge") is also needed for team driver.
+
+While at it, remove the unnecessary parameter *team from
+team_port_enable_netpoll().
+
+v1->v2:
+ - fix it in a better way, as does bridge.
+
+Fixes: 0fb52a27a04a ("team: cleanup netpoll clode")
+Reported-by: João Avelino Bellomo Filho <jbellomo@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1072,14 +1072,11 @@ static void team_port_leave(struct team
+ }
+
+ #ifdef CONFIG_NET_POLL_CONTROLLER
+-static int team_port_enable_netpoll(struct team *team, struct team_port *port)
++static int __team_port_enable_netpoll(struct team_port *port)
+ {
+ struct netpoll *np;
+ int err;
+
+- if (!team->dev->npinfo)
+- return 0;
+-
+ np = kzalloc(sizeof(*np), GFP_KERNEL);
+ if (!np)
+ return -ENOMEM;
+@@ -1093,6 +1090,14 @@ static int team_port_enable_netpoll(stru
+ return err;
+ }
+
++static int team_port_enable_netpoll(struct team_port *port)
++{
++ if (!port->team->dev->npinfo)
++ return 0;
++
++ return __team_port_enable_netpoll(port);
++}
++
+ static void team_port_disable_netpoll(struct team_port *port)
+ {
+ struct netpoll *np = port->np;
+@@ -1107,7 +1112,7 @@ static void team_port_disable_netpoll(st
+ kfree(np);
+ }
+ #else
+-static int team_port_enable_netpoll(struct team *team, struct team_port *port)
++static int team_port_enable_netpoll(struct team_port *port)
+ {
+ return 0;
+ }
+@@ -1215,7 +1220,7 @@ static int team_port_add(struct team *te
+ goto err_vids_add;
+ }
+
+- err = team_port_enable_netpoll(team, port);
++ err = team_port_enable_netpoll(port);
+ if (err) {
+ netdev_err(dev, "Failed to enable netpoll on device %s\n",
+ portname);
+@@ -1912,7 +1917,7 @@ static int team_netpoll_setup(struct net
+
+ mutex_lock(&team->lock);
+ list_for_each_entry(port, &team->port_list, list) {
+- err = team_port_enable_netpoll(team, port);
++ err = __team_port_enable_netpoll(port);
+ if (err) {
+ __team_netpoll_cleanup(team);
+ break;
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 16 Apr 2018 08:29:42 -0700
+Subject: tipc: add policy for TIPC_NLA_NET_ADDR
+
+From: Eric Dumazet <edumazet@google.com>
+
+
+[ Upstream commit ec518f21cb1a1b1f8a516499ea05c60299e04963 ]
+
+Before syzbot/KMSAN bites, add the missing policy for TIPC_NLA_NET_ADDR
+
+Fixes: 27c21416727a ("tipc: add net set to new netlink api")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Jon Maloy <jon.maloy@ericsson.com>
+Cc: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/netlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/netlink.c
++++ b/net/tipc/netlink.c
+@@ -79,7 +79,8 @@ const struct nla_policy tipc_nl_sock_pol
+
+ const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = {
+ [TIPC_NLA_NET_UNSPEC] = { .type = NLA_UNSPEC },
+- [TIPC_NLA_NET_ID] = { .type = NLA_U32 }
++ [TIPC_NLA_NET_ID] = { .type = NLA_U32 },
++ [TIPC_NLA_NET_ADDR] = { .type = NLA_U32 },
+ };
+
+ const struct nla_policy tipc_nl_link_policy[TIPC_NLA_LINK_MAX + 1] = {
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: "Bjørn Mork" <bjorn@mork.no>
+Date: Tue, 17 Apr 2018 22:46:38 +0200
+Subject: tun: fix vlan packet truncation
+
+From: "Bjørn Mork" <bjorn@mork.no>
+
+
+[ Upstream commit 81c895072d29cd70eea5be1a8587cd6461c3715a ]
+
+Bogus trimming in tun_net_xmit() causes truncated vlan packets.
+
+skb->len is correct whether or not skb_vlan_tag_present() is true. There
+is no more reason to adjust the skb length on xmit in this driver than
+any other driver. tun_put_user() adds 4 bytes to the total for tagged
+packets because it transmits the tag inline to userspace. This is
+similar to a nic transmitting the tag inline on the wire.
+
+Reproducing the bug by sending any tagged packet through back-to-back
+connected tap interfaces:
+
+ socat TUN,tun-type=tap,iff-up,tun-name=in TUN,tun-type=tap,iff-up,tun-name=out &
+ ip link add link in name in.20 type vlan id 20
+ ip addr add 10.9.9.9/24 dev in.20
+ ip link set in.20 up
+ tshark -nxxi in -f arp -c1 2>/dev/null &
+ tshark -nxxi out -f arp -c1 2>/dev/null &
+ ping -c 1 10.9.9.5 >/dev/null 2>&1
+
+The output from the 'in' and 'out' interfaces are different when the
+bug is present:
+
+ Capturing on 'in'
+ 0000 ff ff ff ff ff ff 76 cf 76 37 d5 0a 81 00 00 14 ......v.v7......
+ 0010 08 06 00 01 08 00 06 04 00 01 76 cf 76 37 d5 0a ..........v.v7..
+ 0020 0a 09 09 09 00 00 00 00 00 00 0a 09 09 05 ..............
+
+ Capturing on 'out'
+ 0000 ff ff ff ff ff ff 76 cf 76 37 d5 0a 81 00 00 14 ......v.v7......
+ 0010 08 06 00 01 08 00 06 04 00 01 76 cf 76 37 d5 0a ..........v.v7..
+ 0020 0a 09 09 09 00 00 00 00 00 00 ..........
+
+Fixes: aff3d70a07ff ("tun: allow to attach ebpf socket filter")
+Cc: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1094,12 +1094,7 @@ static netdev_tx_t tun_net_xmit(struct s
+ goto drop;
+
+ len = run_ebpf_filter(tun, skb, len);
+-
+- /* Trim extra bytes since we may insert vlan proto & TCI
+- * in tun_put_user().
+- */
+- len -= skb_vlan_tag_present(skb) ? sizeof(struct veth) : 0;
+- if (len <= 0 || pskb_trim(skb, len))
++ if (len == 0 || pskb_trim(skb, len))
+ goto drop;
+
+ if (unlikely(skb_orphan_frags_rx(skb, GFP_ATOMIC)))
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 13 Apr 2018 14:58:25 +0800
+Subject: virtio-net: add missing virtqueue kick when flushing packets
+
+From: Jason Wang <jasowang@redhat.com>
+
+
+[ Upstream commit 9267c430c6b6f4c0120e3c6bb847313d633f02a6 ]
+
+We tends to batch submitting packets during XDP_TX. This requires to
+kick virtqueue after a batch, we tried to do it through
+xdp_do_flush_map() which only makes sense for devmap not XDP_TX. So
+explicitly kick the virtqueue in this case.
+
+Reported-by: Kimitoshi Takahashi <ktaka@nii.ac.jp>
+Tested-by: Kimitoshi Takahashi <ktaka@nii.ac.jp>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+Fixes: 186b3c998c50 ("virtio-net: support XDP_REDIRECT")
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1269,7 +1269,9 @@ static int virtnet_poll(struct napi_stru
+ {
+ struct receive_queue *rq =
+ container_of(napi, struct receive_queue, napi);
+- unsigned int received;
++ struct virtnet_info *vi = rq->vq->vdev->priv;
++ struct send_queue *sq;
++ unsigned int received, qp;
+ bool xdp_xmit = false;
+
+ virtnet_poll_cleantx(rq);
+@@ -1280,8 +1282,13 @@ static int virtnet_poll(struct napi_stru
+ if (received < budget)
+ virtqueue_napi_complete(napi, rq->vq, received);
+
+- if (xdp_xmit)
++ if (xdp_xmit) {
++ qp = vi->curr_queue_pairs - vi->xdp_queue_pairs +
++ smp_processor_id();
++ sq = &vi->sq[qp];
++ virtqueue_kick(sq->vq);
+ xdp_do_flush_map();
++ }
+
+ return received;
+ }
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 19 Apr 2018 08:30:49 +0300
+Subject: virtio_net: fix adding vids on big-endian
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+
+[ Upstream commit d7fad4c840f33a6bd333dd7fbb3006edbcf0017a ]
+
+Programming vids (adding or removing them) still passes
+guest-endian values in the DMA buffer. That's wrong
+if guest is big-endian and when virtio 1 is enabled.
+
+Note: this is on top of a previous patch:
+ virtio_net: split out ctrl buffer
+
+Fixes: 9465a7a6f ("virtio_net: enable v1.0 support")
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -154,7 +154,7 @@ struct control_buf {
+ struct virtio_net_ctrl_mq mq;
+ u8 promisc;
+ u8 allmulti;
+- u16 vid;
++ __virtio16 vid;
+ u64 offloads;
+ };
+
+@@ -1725,7 +1725,7 @@ static int virtnet_vlan_rx_add_vid(struc
+ struct virtnet_info *vi = netdev_priv(dev);
+ struct scatterlist sg;
+
+- vi->ctrl->vid = vid;
++ vi->ctrl->vid = cpu_to_virtio16(vi->vdev, vid);
+ sg_init_one(&sg, &vi->ctrl->vid, sizeof(vi->ctrl->vid));
+
+ if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_VLAN,
+@@ -1740,7 +1740,7 @@ static int virtnet_vlan_rx_kill_vid(stru
+ struct virtnet_info *vi = netdev_priv(dev);
+ struct scatterlist sg;
+
+- vi->ctrl->vid = vid;
++ vi->ctrl->vid = cpu_to_virtio16(vi->vdev, vid);
+ sg_init_one(&sg, &vi->ctrl->vid, sizeof(vi->ctrl->vid));
+
+ if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_VLAN,
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 19 Apr 2018 08:30:48 +0300
+Subject: virtio_net: split out ctrl buffer
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+
+[ Upstream commit 12e571693837d6164bda61e316b1944972ee0d97 ]
+
+When sending control commands, virtio net sets up several buffers for
+DMA. The buffers are all part of the net device which means it's
+actually allocated by kvmalloc so it's in theory (on extreme memory
+pressure) possible to get a vmalloc'ed buffer which on some platforms
+means we can't DMA there.
+
+Fix up by moving the DMA buffers into a separate structure.
+
+Reported-by: Mikulas Patocka <mpatocka@redhat.com>
+Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c | 68 ++++++++++++++++++++++++++---------------------
+ 1 file changed, 39 insertions(+), 29 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -147,6 +147,17 @@ struct receive_queue {
+ struct xdp_rxq_info xdp_rxq;
+ };
+
++/* Control VQ buffers: protected by the rtnl lock */
++struct control_buf {
++ struct virtio_net_ctrl_hdr hdr;
++ virtio_net_ctrl_ack status;
++ struct virtio_net_ctrl_mq mq;
++ u8 promisc;
++ u8 allmulti;
++ u16 vid;
++ u64 offloads;
++};
++
+ struct virtnet_info {
+ struct virtio_device *vdev;
+ struct virtqueue *cvq;
+@@ -192,14 +203,7 @@ struct virtnet_info {
+ struct hlist_node node;
+ struct hlist_node node_dead;
+
+- /* Control VQ buffers: protected by the rtnl lock */
+- struct virtio_net_ctrl_hdr ctrl_hdr;
+- virtio_net_ctrl_ack ctrl_status;
+- struct virtio_net_ctrl_mq ctrl_mq;
+- u8 ctrl_promisc;
+- u8 ctrl_allmulti;
+- u16 ctrl_vid;
+- u64 ctrl_offloads;
++ struct control_buf *ctrl;
+
+ /* Ethtool settings */
+ u8 duplex;
+@@ -1461,25 +1465,25 @@ static bool virtnet_send_command(struct
+ /* Caller should know better */
+ BUG_ON(!virtio_has_feature(vi->vdev, VIRTIO_NET_F_CTRL_VQ));
+
+- vi->ctrl_status = ~0;
+- vi->ctrl_hdr.class = class;
+- vi->ctrl_hdr.cmd = cmd;
++ vi->ctrl->status = ~0;
++ vi->ctrl->hdr.class = class;
++ vi->ctrl->hdr.cmd = cmd;
+ /* Add header */
+- sg_init_one(&hdr, &vi->ctrl_hdr, sizeof(vi->ctrl_hdr));
++ sg_init_one(&hdr, &vi->ctrl->hdr, sizeof(vi->ctrl->hdr));
+ sgs[out_num++] = &hdr;
+
+ if (out)
+ sgs[out_num++] = out;
+
+ /* Add return status. */
+- sg_init_one(&stat, &vi->ctrl_status, sizeof(vi->ctrl_status));
++ sg_init_one(&stat, &vi->ctrl->status, sizeof(vi->ctrl->status));
+ sgs[out_num] = &stat;
+
+ BUG_ON(out_num + 1 > ARRAY_SIZE(sgs));
+ virtqueue_add_sgs(vi->cvq, sgs, out_num, 1, vi, GFP_ATOMIC);
+
+ if (unlikely(!virtqueue_kick(vi->cvq)))
+- return vi->ctrl_status == VIRTIO_NET_OK;
++ return vi->ctrl->status == VIRTIO_NET_OK;
+
+ /* Spin for a response, the kick causes an ioport write, trapping
+ * into the hypervisor, so the request should be handled immediately.
+@@ -1488,7 +1492,7 @@ static bool virtnet_send_command(struct
+ !virtqueue_is_broken(vi->cvq))
+ cpu_relax();
+
+- return vi->ctrl_status == VIRTIO_NET_OK;
++ return vi->ctrl->status == VIRTIO_NET_OK;
+ }
+
+ static int virtnet_set_mac_address(struct net_device *dev, void *p)
+@@ -1600,8 +1604,8 @@ static int _virtnet_set_queues(struct vi
+ if (!vi->has_cvq || !virtio_has_feature(vi->vdev, VIRTIO_NET_F_MQ))
+ return 0;
+
+- vi->ctrl_mq.virtqueue_pairs = cpu_to_virtio16(vi->vdev, queue_pairs);
+- sg_init_one(&sg, &vi->ctrl_mq, sizeof(vi->ctrl_mq));
++ vi->ctrl->mq.virtqueue_pairs = cpu_to_virtio16(vi->vdev, queue_pairs);
++ sg_init_one(&sg, &vi->ctrl->mq, sizeof(vi->ctrl->mq));
+
+ if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_MQ,
+ VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET, &sg)) {
+@@ -1660,22 +1664,22 @@ static void virtnet_set_rx_mode(struct n
+ if (!virtio_has_feature(vi->vdev, VIRTIO_NET_F_CTRL_RX))
+ return;
+
+- vi->ctrl_promisc = ((dev->flags & IFF_PROMISC) != 0);
+- vi->ctrl_allmulti = ((dev->flags & IFF_ALLMULTI) != 0);
++ vi->ctrl->promisc = ((dev->flags & IFF_PROMISC) != 0);
++ vi->ctrl->allmulti = ((dev->flags & IFF_ALLMULTI) != 0);
+
+- sg_init_one(sg, &vi->ctrl_promisc, sizeof(vi->ctrl_promisc));
++ sg_init_one(sg, &vi->ctrl->promisc, sizeof(vi->ctrl->promisc));
+
+ if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_RX,
+ VIRTIO_NET_CTRL_RX_PROMISC, sg))
+ dev_warn(&dev->dev, "Failed to %sable promisc mode.\n",
+- vi->ctrl_promisc ? "en" : "dis");
++ vi->ctrl->promisc ? "en" : "dis");
+
+- sg_init_one(sg, &vi->ctrl_allmulti, sizeof(vi->ctrl_allmulti));
++ sg_init_one(sg, &vi->ctrl->allmulti, sizeof(vi->ctrl->allmulti));
+
+ if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_RX,
+ VIRTIO_NET_CTRL_RX_ALLMULTI, sg))
+ dev_warn(&dev->dev, "Failed to %sable allmulti mode.\n",
+- vi->ctrl_allmulti ? "en" : "dis");
++ vi->ctrl->allmulti ? "en" : "dis");
+
+ uc_count = netdev_uc_count(dev);
+ mc_count = netdev_mc_count(dev);
+@@ -1721,8 +1725,8 @@ static int virtnet_vlan_rx_add_vid(struc
+ struct virtnet_info *vi = netdev_priv(dev);
+ struct scatterlist sg;
+
+- vi->ctrl_vid = vid;
+- sg_init_one(&sg, &vi->ctrl_vid, sizeof(vi->ctrl_vid));
++ vi->ctrl->vid = vid;
++ sg_init_one(&sg, &vi->ctrl->vid, sizeof(vi->ctrl->vid));
+
+ if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_VLAN,
+ VIRTIO_NET_CTRL_VLAN_ADD, &sg))
+@@ -1736,8 +1740,8 @@ static int virtnet_vlan_rx_kill_vid(stru
+ struct virtnet_info *vi = netdev_priv(dev);
+ struct scatterlist sg;
+
+- vi->ctrl_vid = vid;
+- sg_init_one(&sg, &vi->ctrl_vid, sizeof(vi->ctrl_vid));
++ vi->ctrl->vid = vid;
++ sg_init_one(&sg, &vi->ctrl->vid, sizeof(vi->ctrl->vid));
+
+ if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_VLAN,
+ VIRTIO_NET_CTRL_VLAN_DEL, &sg))
+@@ -2133,9 +2137,9 @@ static int virtnet_restore_up(struct vir
+ static int virtnet_set_guest_offloads(struct virtnet_info *vi, u64 offloads)
+ {
+ struct scatterlist sg;
+- vi->ctrl_offloads = cpu_to_virtio64(vi->vdev, offloads);
++ vi->ctrl->offloads = cpu_to_virtio64(vi->vdev, offloads);
+
+- sg_init_one(&sg, &vi->ctrl_offloads, sizeof(vi->ctrl_offloads));
++ sg_init_one(&sg, &vi->ctrl->offloads, sizeof(vi->ctrl->offloads));
+
+ if (!virtnet_send_command(vi, VIRTIO_NET_CTRL_GUEST_OFFLOADS,
+ VIRTIO_NET_CTRL_GUEST_OFFLOADS_SET, &sg)) {
+@@ -2358,6 +2362,7 @@ static void virtnet_free_queues(struct v
+
+ kfree(vi->rq);
+ kfree(vi->sq);
++ kfree(vi->ctrl);
+ }
+
+ static void _free_receive_bufs(struct virtnet_info *vi)
+@@ -2550,6 +2555,9 @@ static int virtnet_alloc_queues(struct v
+ {
+ int i;
+
++ vi->ctrl = kzalloc(sizeof(*vi->ctrl), GFP_KERNEL);
++ if (!vi->ctrl)
++ goto err_ctrl;
+ vi->sq = kzalloc(sizeof(*vi->sq) * vi->max_queue_pairs, GFP_KERNEL);
+ if (!vi->sq)
+ goto err_sq;
+@@ -2578,6 +2586,8 @@ static int virtnet_alloc_queues(struct v
+ err_rq:
+ kfree(vi->sq);
+ err_sq:
++ kfree(vi->ctrl);
++err_ctrl:
+ return -ENOMEM;
+ }
+
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Date: Tue, 17 Apr 2018 18:46:14 +0900
+Subject: vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi
+
+From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+
+
+[ Upstream commit 7ce2367254e84753bceb07327aaf5c953cfce117 ]
+
+Syzkaller spotted an old bug which leads to reading skb beyond tail by 4
+bytes on vlan tagged packets.
+This is caused because skb_vlan_tagged_multi() did not check
+skb_headlen.
+
+BUG: KMSAN: uninit-value in eth_type_vlan include/linux/if_vlan.h:283 [inline]
+BUG: KMSAN: uninit-value in skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline]
+BUG: KMSAN: uninit-value in vlan_features_check include/linux/if_vlan.h:672 [inline]
+BUG: KMSAN: uninit-value in dflt_features_check net/core/dev.c:2949 [inline]
+BUG: KMSAN: uninit-value in netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009
+CPU: 1 PID: 3582 Comm: syzkaller435149 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ eth_type_vlan include/linux/if_vlan.h:283 [inline]
+ skb_vlan_tagged_multi include/linux/if_vlan.h:656 [inline]
+ vlan_features_check include/linux/if_vlan.h:672 [inline]
+ dflt_features_check net/core/dev.c:2949 [inline]
+ netif_skb_features+0xd1b/0xdc0 net/core/dev.c:3009
+ validate_xmit_skb+0x89/0x1320 net/core/dev.c:3084
+ __dev_queue_xmit+0x1cb2/0x2b60 net/core/dev.c:3549
+ dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
+ packet_snd net/packet/af_packet.c:2944 [inline]
+ packet_sendmsg+0x7c57/0x8a10 net/packet/af_packet.c:2969
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ sock_write_iter+0x3b9/0x470 net/socket.c:909
+ do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
+ do_iter_write+0x30d/0xd40 fs/read_write.c:932
+ vfs_writev fs/read_write.c:977 [inline]
+ do_writev+0x3c9/0x830 fs/read_write.c:1012
+ SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
+ SyS_writev+0x56/0x80 fs/read_write.c:1082
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x43ffa9
+RSP: 002b:00007fff2cff3948 EFLAGS: 00000217 ORIG_RAX: 0000000000000014
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ffa9
+RDX: 0000000000000001 RSI: 0000000020000080 RDI: 0000000000000003
+RBP: 00000000006cb018 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018d0
+R13: 0000000000401960 R14: 0000000000000000 R15: 0000000000000000
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
+ slab_post_alloc_hook mm/slab.h:445 [inline]
+ slab_alloc_node mm/slub.c:2737 [inline]
+ __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:984 [inline]
+ alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
+ sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
+ packet_alloc_skb net/packet/af_packet.c:2803 [inline]
+ packet_snd net/packet/af_packet.c:2894 [inline]
+ packet_sendmsg+0x6444/0x8a10 net/packet/af_packet.c:2969
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ sock_write_iter+0x3b9/0x470 net/socket.c:909
+ do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776
+ do_iter_write+0x30d/0xd40 fs/read_write.c:932
+ vfs_writev fs/read_write.c:977 [inline]
+ do_writev+0x3c9/0x830 fs/read_write.c:1012
+ SYSC_writev+0x9b/0xb0 fs/read_write.c:1085
+ SyS_writev+0x56/0x80 fs/read_write.c:1082
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: 58e998c6d239 ("offloading: Force software GSO for multiple vlan tags.")
+Reported-and-tested-by: syzbot+0bbe42c764feafa82c5a@syzkaller.appspotmail.com
+Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/if_vlan.h | 7 +++++--
+ net/core/dev.c | 2 +-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/include/linux/if_vlan.h
++++ b/include/linux/if_vlan.h
+@@ -639,7 +639,7 @@ static inline bool skb_vlan_tagged(const
+ * Returns true if the skb is tagged with multiple vlan headers, regardless
+ * of whether it is hardware accelerated or not.
+ */
+-static inline bool skb_vlan_tagged_multi(const struct sk_buff *skb)
++static inline bool skb_vlan_tagged_multi(struct sk_buff *skb)
+ {
+ __be16 protocol = skb->protocol;
+
+@@ -649,6 +649,9 @@ static inline bool skb_vlan_tagged_multi
+ if (likely(!eth_type_vlan(protocol)))
+ return false;
+
++ if (unlikely(!pskb_may_pull(skb, VLAN_ETH_HLEN)))
++ return false;
++
+ veh = (struct vlan_ethhdr *)skb->data;
+ protocol = veh->h_vlan_encapsulated_proto;
+ }
+@@ -666,7 +669,7 @@ static inline bool skb_vlan_tagged_multi
+ *
+ * Returns features without unsafe ones if the skb has multiple tags.
+ */
+-static inline netdev_features_t vlan_features_check(const struct sk_buff *skb,
++static inline netdev_features_t vlan_features_check(struct sk_buff *skb,
+ netdev_features_t features)
+ {
+ if (skb_vlan_tagged_multi(skb)) {
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -2942,7 +2942,7 @@ netdev_features_t passthru_features_chec
+ }
+ EXPORT_SYMBOL(passthru_features_check);
+
+-static netdev_features_t dflt_features_check(const struct sk_buff *skb,
++static netdev_features_t dflt_features_check(struct sk_buff *skb,
+ struct net_device *dev,
+ netdev_features_t features)
+ {
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Ronak Doshi <doshir@vmware.com>
+Date: Wed, 18 Apr 2018 12:48:04 -0700
+Subject: vmxnet3: fix incorrect dereference when rxvlan is disabled
+
+From: Ronak Doshi <doshir@vmware.com>
+
+
+[ Upstream commit 65ec0bd1c7c14522670a5294de35710fb577a7fd ]
+
+vmxnet3_get_hdr_len() is used to calculate the header length which in
+turn is used to calculate the gso_size for skb. When rxvlan offload is
+disabled, vlan tag is present in the header and the function references
+ip header from sizeof(ethhdr) and leads to incorrect pointer reference.
+
+This patch fixes this issue by taking sizeof(vlan_ethhdr) into account
+if vlan tag is present and correctly references the ip hdr.
+
+Signed-off-by: Ronak Doshi <doshir@vmware.com>
+Acked-by: Guolin Yang <gyang@vmware.com>
+Acked-by: Louis Luo <llouis@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c | 17 +++++++++++++----
+ drivers/net/vmxnet3/vmxnet3_int.h | 4 ++--
+ 2 files changed, 15 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -1218,6 +1218,7 @@ vmxnet3_get_hdr_len(struct vmxnet3_adapt
+ union {
+ void *ptr;
+ struct ethhdr *eth;
++ struct vlan_ethhdr *veth;
+ struct iphdr *ipv4;
+ struct ipv6hdr *ipv6;
+ struct tcphdr *tcp;
+@@ -1228,16 +1229,24 @@ vmxnet3_get_hdr_len(struct vmxnet3_adapt
+ if (unlikely(sizeof(struct iphdr) + sizeof(struct tcphdr) > maplen))
+ return 0;
+
++ if (skb->protocol == cpu_to_be16(ETH_P_8021Q) ||
++ skb->protocol == cpu_to_be16(ETH_P_8021AD))
++ hlen = sizeof(struct vlan_ethhdr);
++ else
++ hlen = sizeof(struct ethhdr);
++
+ hdr.eth = eth_hdr(skb);
+ if (gdesc->rcd.v4) {
+- BUG_ON(hdr.eth->h_proto != htons(ETH_P_IP));
+- hdr.ptr += sizeof(struct ethhdr);
++ BUG_ON(hdr.eth->h_proto != htons(ETH_P_IP) &&
++ hdr.veth->h_vlan_encapsulated_proto != htons(ETH_P_IP));
++ hdr.ptr += hlen;
+ BUG_ON(hdr.ipv4->protocol != IPPROTO_TCP);
+ hlen = hdr.ipv4->ihl << 2;
+ hdr.ptr += hdr.ipv4->ihl << 2;
+ } else if (gdesc->rcd.v6) {
+- BUG_ON(hdr.eth->h_proto != htons(ETH_P_IPV6));
+- hdr.ptr += sizeof(struct ethhdr);
++ BUG_ON(hdr.eth->h_proto != htons(ETH_P_IPV6) &&
++ hdr.veth->h_vlan_encapsulated_proto != htons(ETH_P_IPV6));
++ hdr.ptr += hlen;
+ /* Use an estimated value, since we also need to handle
+ * TSO case.
+ */
+--- a/drivers/net/vmxnet3/vmxnet3_int.h
++++ b/drivers/net/vmxnet3/vmxnet3_int.h
+@@ -69,10 +69,10 @@
+ /*
+ * Version numbers
+ */
+-#define VMXNET3_DRIVER_VERSION_STRING "1.4.13.0-k"
++#define VMXNET3_DRIVER_VERSION_STRING "1.4.14.0-k"
+
+ /* a 32-bit int, each byte encode a verion number in VMXNET3_DRIVER_VERSION */
+-#define VMXNET3_DRIVER_VERSION_NUM 0x01040d00
++#define VMXNET3_DRIVER_VERSION_NUM 0x01040e00
+
+ #if defined(CONFIG_PCI_MSI)
+ /* RSS only makes sense if MSI-X is supported. */
--- /dev/null
+From foo@baz Thu Apr 26 20:46:44 CEST 2018
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 17 Apr 2018 14:25:58 +0800
+Subject: VSOCK: make af_vsock.ko removable again
+
+From: Stefan Hajnoczi <stefanha@redhat.com>
+
+
+[ Upstream commit 05e489b1596f0aa1025a1fa572676631cd9665da ]
+
+Commit c1eef220c1760762753b602c382127bfccee226d ("vsock: always call
+vsock_init_tables()") introduced a module_init() function without a
+corresponding module_exit() function.
+
+Modules with an init function can only be removed if they also have an
+exit function. Therefore the vsock module was considered "permanent"
+and could not be removed.
+
+This patch adds an empty module_exit() function so that "rmmod vsock"
+works. No explicit cleanup is required because:
+
+1. Transports call vsock_core_exit() upon exit and cannot be removed
+ while sockets are still alive.
+2. vsock_diag.ko does not perform any action that requires cleanup by
+ vsock.ko.
+
+Fixes: c1eef220c176 ("vsock: always call vsock_init_tables()")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Cc: Jorgen Hansen <jhansen@vmware.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -2018,7 +2018,13 @@ const struct vsock_transport *vsock_core
+ }
+ EXPORT_SYMBOL_GPL(vsock_core_get_transport);
+
++static void __exit vsock_exit(void)
++{
++ /* Do nothing. This function makes this module removable. */
++}
++
+ module_init(vsock_init_tables);
++module_exit(vsock_exit);
+
+ MODULE_AUTHOR("VMware, Inc.");
+ MODULE_DESCRIPTION("VMware Virtual Socket Family");
projects / thirdparty / kernel / stable-queue.git / commitdiff
