4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 1 Jun 2020 12:36:04 +0000 (14:36 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 1 Jun 2020 12:36:04 +0000 (14:36 +0200)
added patches:
bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch
esp6-get-the-right-proto-for-transport-mode-in-esp6_gso_encap.patch
ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch
netfilter-ipset-fix-subcounter-update-skip.patch
netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch
netfilter-nfnetlink_cthelper-unbreak-userspace-helper-support.patch
netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch
qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch
vti4-eliminated-some-duplicate-code.patch
xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch
xfrm-call-xfrm_output_gso-when-inner_protocol-is-set-in-xfrm_output.patch
xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch
xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch
xfrm-fix-error-in-comment.patch

15 files changed:
queue-4.14/bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch [new file with mode: 0644]
queue-4.14/esp6-get-the-right-proto-for-transport-mode-in-esp6_gso_encap.patch [new file with mode: 0644]
queue-4.14/ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch [new file with mode: 0644]
queue-4.14/netfilter-ipset-fix-subcounter-update-skip.patch [new file with mode: 0644]
queue-4.14/netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch [new file with mode: 0644]
queue-4.14/netfilter-nfnetlink_cthelper-unbreak-userspace-helper-support.patch [new file with mode: 0644]
queue-4.14/netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch [new file with mode: 0644]
queue-4.14/qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/vti4-eliminated-some-duplicate-code.patch [new file with mode: 0644]
queue-4.14/xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch [new file with mode: 0644]
queue-4.14/xfrm-call-xfrm_output_gso-when-inner_protocol-is-set-in-xfrm_output.patch [new file with mode: 0644]
queue-4.14/xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch [new file with mode: 0644]
queue-4.14/xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch [new file with mode: 0644]
queue-4.14/xfrm-fix-error-in-comment.patch [new file with mode: 0644]

diff --git a/queue-4.14/bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch b/queue-4.14/bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch
new file mode 100644 (file)
index 0000000..534373a
--- /dev/null
@@ -0,0 +1,38 @@
+From a068aab42258e25094bc2c159948d263ed7d7a77 Mon Sep 17 00:00:00 2001
+From: Qiushi Wu <wu000273@umn.edu>
+Date: Wed, 27 May 2020 22:10:29 -0500
+Subject: bonding: Fix reference count leak in bond_sysfs_slave_add.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+commit a068aab42258e25094bc2c159948d263ed7d7a77 upstream.
+
+kobject_init_and_add() takes reference even when it fails.
+If this function returns an error, kobject_put() must be called to
+properly clean up the memory associated with the object. Previous
+commit "b8eb718348b8" fixed a similar problem.
+
+Fixes: 07699f9a7c8d ("bonding: add sysfs /slave dir for bond slave devices.")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/bonding/bond_sysfs_slave.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_sysfs_slave.c
++++ b/drivers/net/bonding/bond_sysfs_slave.c
+@@ -153,8 +153,10 @@ int bond_sysfs_slave_add(struct slave *s
+       err = kobject_init_and_add(&slave->kobj, &slave_ktype,
+                                  &(slave->dev->dev.kobj), "bonding_slave");
+-      if (err)
++      if (err) {
++              kobject_put(&slave->kobj);
+               return err;
++      }
+       for (a = slave_attrs; *a; ++a) {
+               err = sysfs_create_file(&slave->kobj, &((*a)->attr));
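Review bot: The added kobject_put() covers the kobject_init_and_add() failure exit, but bond_sysfs_slave_add has a second error exit, the sysfs_create_file() failure inside the loop whose first line closes the hunk, and the two should drop the reference the same way; it is worth confirming that the 4.14 loop body also ends in `kobject_put(&slave->kobj);` rather than a bare `return err;`. Whether calling kobject_put() on a kobject whose init failed is clean here also depends on slave_ktype's release handling, which is not in the hunk. bond_sysfs_slave_add starts and ends outside the hunk.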
diff --git a/queue-4.14/esp6-get-the-right-proto-for-transport-mode-in-esp6_gso_encap.patch b/queue-4.14/esp6-get-the-right-proto-for-transport-mode-in-esp6_gso_encap.patch
new file mode 100644 (file)
index 0000000..83607c1
--- /dev/null
@@ -0,0 +1,54 @@
+From 3c96ec56828922e3fe5477f75eb3fc02f98f98b5 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 10 Apr 2020 17:06:56 +0800
+Subject: esp6: get the right proto for transport mode in esp6_gso_encap
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 3c96ec56828922e3fe5477f75eb3fc02f98f98b5 upstream.
+
+For transport mode, when ipv6 nexthdr is set, the packet format might
+be like:
+
+    ----------------------------------------------------
+    |        | dest |     |     |      |  ESP    | ESP |
+    | IP6 hdr| opts.| ESP | TCP | Data | Trailer | ICV |
+    ----------------------------------------------------
+
+What it wants to get for x-proto in esp6_gso_encap() is the proto that
+will be set in ESP nexthdr. So it should skip all ipv6 nexthdrs and
+get the real transport protocol. Othersize, the wrong proto number
+will be set into ESP nexthdr.
+
+This patch is to skip all ipv6 nexthdrs by calling ipv6_skip_exthdr()
+in esp6_gso_encap().
+
+Fixes: 7862b4058b9f ("esp: Add gso handlers for esp4 and esp6")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/esp6_offload.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -121,9 +121,16 @@ static void esp6_gso_encap(struct xfrm_s
+       struct ip_esp_hdr *esph;
+       struct ipv6hdr *iph = ipv6_hdr(skb);
+       struct xfrm_offload *xo = xfrm_offload(skb);
+-      int proto = iph->nexthdr;
++      u8 proto = iph->nexthdr;
+       skb_push(skb, -skb_network_offset(skb));
++
++      if (x->outer_mode.encap == XFRM_MODE_TRANSPORT) {
++              __be16 frag;
++
++              ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &proto, &frag);
++      }
++
+       esph = ip_esp_hdr(skb);
+       *skb_mac_header(skb) = IPPROTO_ESP;
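Review bot: The return value of ipv6_skip_exthdr() at the added call is discarded; it reports an extension-header chain it cannot walk through a negative return, in which case proto is presumably left at iph->nexthdr and that value is still used as the ESP next header further down. If that is acceptable because the skb has already been validated on the output path, a comment saying so would help, e.g. `/* skb was validated on the output path; if the skip fails, proto stays iph->nexthdr */`; otherwise the result should be checked before proto is used. esp6_gso_encap starts and ends outside the hunk.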
diff --git a/queue-4.14/ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch b/queue-4.14/ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch
new file mode 100644 (file)
index 0000000..fef131e
--- /dev/null
@@ -0,0 +1,65 @@
+From 976eba8ab596bab94b9714cd46d38d5c6a2c660d Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 21 Apr 2020 20:46:11 +0800
+Subject: ip_vti: receive ipip packet by calling ip_tunnel_rcv
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 976eba8ab596bab94b9714cd46d38d5c6a2c660d upstream.
+
+In Commit dd9ee3444014 ("vti4: Fix a ipip packet processing bug in
+'IPCOMP' virtual tunnel"), it tries to receive IPIP packets in vti
+by calling xfrm_input(). This case happens when a small packet or
+frag sent by peer is too small to get compressed.
+
+However, xfrm_input() will still get to the IPCOMP path where skb
+sec_path is set, but never dropped while it should have been done
+in vti_ipcomp4_protocol.cb_handler(vti_rcv_cb), as it's not an
+ipcomp4 packet. This will cause that the packet can never pass
+xfrm4_policy_check() in the upper protocol rcv functions.
+
+So this patch is to call ip_tunnel_rcv() to process IPIP packets
+instead.
+
+Fixes: dd9ee3444014 ("vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/ip_vti.c |   23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -98,7 +98,28 @@ static int vti_rcv_proto(struct sk_buff
+ static int vti_rcv_tunnel(struct sk_buff *skb)
+ {
+-      return vti_rcv(skb, ip_hdr(skb)->saddr, true);
++      struct ip_tunnel_net *itn = net_generic(dev_net(skb->dev), vti_net_id);
++      const struct iphdr *iph = ip_hdr(skb);
++      struct ip_tunnel *tunnel;
++
++      tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
++                                iph->saddr, iph->daddr, 0);
++      if (tunnel) {
++              struct tnl_ptk_info tpi = {
++                      .proto = htons(ETH_P_IP),
++              };
++
++              if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
++                      goto drop;
++              if (iptunnel_pull_header(skb, 0, tpi.proto, false))
++                      goto drop;
++              return ip_tunnel_rcv(tunnel, skb, &tpi, NULL, false);
++      }
++
++      return -EINVAL;
++drop:
++      kfree_skb(skb);
++      return 0;
+ }
+ static int vti_rcv_cb(struct sk_buff *skb, int err)
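Review bot: The rewritten vti_rcv_tunnel has no comment explaining why a plain IPIP packet is accepted on a vti device at all; the commit message explains it (an IPCOMP peer sends packets too small to compress uncompressed) but the code does not. A header comment such as `/* IPIP packets reach a vti when an IPCOMP peer sends a packet too small to compress; hand them to ip_tunnel_rcv() so sec_path is handled there instead of in xfrm_input() */` would save the next reader a trip to the log. The `return -EINVAL;` when no tunnel matches presumably lets the next registered xfrm_tunnel handler try the packet; a word on that return line would help too.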
diff --git a/queue-4.14/netfilter-ipset-fix-subcounter-update-skip.patch b/queue-4.14/netfilter-ipset-fix-subcounter-update-skip.patch
new file mode 100644 (file)
index 0000000..068771f
--- /dev/null
@@ -0,0 +1,33 @@
+From a164b95ad6055c50612795882f35e0efda1f1390 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 14 May 2020 13:31:21 +0200
+Subject: netfilter: ipset: Fix subcounter update skip
+
+From: Phil Sutter <phil@nwl.cc>
+
+commit a164b95ad6055c50612795882f35e0efda1f1390 upstream.
+
+If IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE is set, user requested to not
+update counters in sub sets. Therefore IPSET_FLAG_SKIP_COUNTER_UPDATE
+must be set, not unset.
+
+Fixes: 6e01781d1c80e ("netfilter: ipset: set match: add support to match the counters")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipset/ip_set_list_set.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_list_set.c
++++ b/net/netfilter/ipset/ip_set_list_set.c
+@@ -61,7 +61,7 @@ list_set_ktest(struct ip_set *set, const
+       /* Don't lookup sub-counters at all */
+       opt->cmdflags &= ~IPSET_FLAG_MATCH_COUNTERS;
+       if (opt->cmdflags & IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE)
+-              opt->cmdflags &= ~IPSET_FLAG_SKIP_COUNTER_UPDATE;
++              opt->cmdflags |= IPSET_FLAG_SKIP_COUNTER_UPDATE;
+       list_for_each_entry_rcu(e, &map->members, list) {
+               if (SET_WITH_TIMEOUT(set) &&
+                   ip_set_timeout_expired(ext_timeout(e, set)))
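Review bot: The flag inversion on the changed line matches the commit message, but the surrounding comment `/* Don't lookup sub-counters at all */` describes only the line before it, so a reader still has to work out why the skip flag is now set rather than cleared. Extending it to `/* Don't lookup sub-counters at all, and don't update them either if the user asked to skip them */` makes the translation from IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE to IPSET_FLAG_SKIP_COUNTER_UPDATE self-explanatory. list_set_ktest starts and ends outside the hunk.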
diff --git a/queue-4.14/netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch b/queue-4.14/netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch
new file mode 100644 (file)
index 0000000..d7e2c23
--- /dev/null
@@ -0,0 +1,201 @@
+From 4c559f15efcc43b996f4da528cd7f9483aaca36d Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 14 May 2020 14:14:23 +0200
+Subject: netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 4c559f15efcc43b996f4da528cd7f9483aaca36d upstream.
+
+Dan Carpenter says: "Smatch complains that the value for "cmd" comes
+from the network and can't be trusted."
+
+Add pptp_msg_name() helper function that checks for the array boundary.
+
+Fixes: f09943fefe6b ("[NETFILTER]: nf_conntrack/nf_nat: add PPTP helper port")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/netfilter/nf_conntrack_pptp.h |    2 
+ net/ipv4/netfilter/nf_nat_pptp.c            |    7 ---
+ net/netfilter/nf_conntrack_pptp.c           |   62 +++++++++++++++-------------
+ 3 files changed, 38 insertions(+), 33 deletions(-)
+
+--- a/include/linux/netfilter/nf_conntrack_pptp.h
++++ b/include/linux/netfilter/nf_conntrack_pptp.h
+@@ -5,7 +5,7 @@
+ #include <linux/netfilter/nf_conntrack_common.h>
+-extern const char *const pptp_msg_name[];
++extern const char *const pptp_msg_name(u_int16_t msg);
+ /* state of the control session */
+ enum pptp_ctrlsess_state {
+--- a/net/ipv4/netfilter/nf_nat_pptp.c
++++ b/net/ipv4/netfilter/nf_nat_pptp.c
+@@ -165,8 +165,7 @@ pptp_outbound_pkt(struct sk_buff *skb,
+               break;
+       default:
+               pr_debug("unknown outbound packet 0x%04x:%s\n", msg,
+-                       msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] :
+-                                             pptp_msg_name[0]);
++                       pptp_msg_name(msg));
+               /* fall through */
+       case PPTP_SET_LINK_INFO:
+               /* only need to NAT in case PAC is behind NAT box */
+@@ -267,9 +266,7 @@ pptp_inbound_pkt(struct sk_buff *skb,
+               pcid_off = offsetof(union pptp_ctrl_union, setlink.peersCallID);
+               break;
+       default:
+-              pr_debug("unknown inbound packet %s\n",
+-                       msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] :
+-                                             pptp_msg_name[0]);
++              pr_debug("unknown inbound packet %s\n", pptp_msg_name(msg));
+               /* fall through */
+       case PPTP_START_SESSION_REQUEST:
+       case PPTP_START_SESSION_REPLY:
+--- a/net/netfilter/nf_conntrack_pptp.c
++++ b/net/netfilter/nf_conntrack_pptp.c
+@@ -71,24 +71,32 @@ EXPORT_SYMBOL_GPL(nf_nat_pptp_hook_expec
+ #if defined(DEBUG) || defined(CONFIG_DYNAMIC_DEBUG)
+ /* PptpControlMessageType names */
+-const char *const pptp_msg_name[] = {
+-      "UNKNOWN_MESSAGE",
+-      "START_SESSION_REQUEST",
+-      "START_SESSION_REPLY",
+-      "STOP_SESSION_REQUEST",
+-      "STOP_SESSION_REPLY",
+-      "ECHO_REQUEST",
+-      "ECHO_REPLY",
+-      "OUT_CALL_REQUEST",
+-      "OUT_CALL_REPLY",
+-      "IN_CALL_REQUEST",
+-      "IN_CALL_REPLY",
+-      "IN_CALL_CONNECT",
+-      "CALL_CLEAR_REQUEST",
+-      "CALL_DISCONNECT_NOTIFY",
+-      "WAN_ERROR_NOTIFY",
+-      "SET_LINK_INFO"
++static const char *const pptp_msg_name_array[PPTP_MSG_MAX + 1] = {
++      [0]                             = "UNKNOWN_MESSAGE",
++      [PPTP_START_SESSION_REQUEST]    = "START_SESSION_REQUEST",
++      [PPTP_START_SESSION_REPLY]      = "START_SESSION_REPLY",
++      [PPTP_STOP_SESSION_REQUEST]     = "STOP_SESSION_REQUEST",
++      [PPTP_STOP_SESSION_REPLY]       = "STOP_SESSION_REPLY",
++      [PPTP_ECHO_REQUEST]             = "ECHO_REQUEST",
++      [PPTP_ECHO_REPLY]               = "ECHO_REPLY",
++      [PPTP_OUT_CALL_REQUEST]         = "OUT_CALL_REQUEST",
++      [PPTP_OUT_CALL_REPLY]           = "OUT_CALL_REPLY",
++      [PPTP_IN_CALL_REQUEST]          = "IN_CALL_REQUEST",
++      [PPTP_IN_CALL_REPLY]            = "IN_CALL_REPLY",
++      [PPTP_IN_CALL_CONNECT]          = "IN_CALL_CONNECT",
++      [PPTP_CALL_CLEAR_REQUEST]       = "CALL_CLEAR_REQUEST",
++      [PPTP_CALL_DISCONNECT_NOTIFY]   = "CALL_DISCONNECT_NOTIFY",
++      [PPTP_WAN_ERROR_NOTIFY]         = "WAN_ERROR_NOTIFY",
++      [PPTP_SET_LINK_INFO]            = "SET_LINK_INFO"
+ };
++
++const char *const pptp_msg_name(u_int16_t msg)
++{
++      if (msg > PPTP_MSG_MAX)
++              return pptp_msg_name_array[0];
++
++      return pptp_msg_name_array[msg];
++}
+ EXPORT_SYMBOL(pptp_msg_name);
+ #endif
+@@ -275,7 +283,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+       typeof(nf_nat_pptp_hook_inbound) nf_nat_pptp_inbound;
+       msg = ntohs(ctlh->messageType);
+-      pr_debug("inbound control message %s\n", pptp_msg_name[msg]);
++      pr_debug("inbound control message %s\n", pptp_msg_name(msg));
+       switch (msg) {
+       case PPTP_START_SESSION_REPLY:
+@@ -310,7 +318,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+               pcid = pptpReq->ocack.peersCallID;
+               if (info->pns_call_id != pcid)
+                       goto invalid;
+-              pr_debug("%s, CID=%X, PCID=%X\n", pptp_msg_name[msg],
++              pr_debug("%s, CID=%X, PCID=%X\n", pptp_msg_name(msg),
+                        ntohs(cid), ntohs(pcid));
+               if (pptpReq->ocack.resultCode == PPTP_OUTCALL_CONNECT) {
+@@ -327,7 +335,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+                       goto invalid;
+               cid = pptpReq->icreq.callID;
+-              pr_debug("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid));
++              pr_debug("%s, CID=%X\n", pptp_msg_name(msg), ntohs(cid));
+               info->cstate = PPTP_CALL_IN_REQ;
+               info->pac_call_id = cid;
+               break;
+@@ -346,7 +354,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+               if (info->pns_call_id != pcid)
+                       goto invalid;
+-              pr_debug("%s, PCID=%X\n", pptp_msg_name[msg], ntohs(pcid));
++              pr_debug("%s, PCID=%X\n", pptp_msg_name(msg), ntohs(pcid));
+               info->cstate = PPTP_CALL_IN_CONF;
+               /* we expect a GRE connection from PAC to PNS */
+@@ -356,7 +364,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+       case PPTP_CALL_DISCONNECT_NOTIFY:
+               /* server confirms disconnect */
+               cid = pptpReq->disc.callID;
+-              pr_debug("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid));
++              pr_debug("%s, CID=%X\n", pptp_msg_name(msg), ntohs(cid));
+               info->cstate = PPTP_CALL_NONE;
+               /* untrack this call id, unexpect GRE packets */
+@@ -383,7 +391,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+ invalid:
+       pr_debug("invalid %s: type=%d cid=%u pcid=%u "
+                "cstate=%d sstate=%d pns_cid=%u pac_cid=%u\n",
+-               msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0],
++               pptp_msg_name(msg),
+                msg, ntohs(cid), ntohs(pcid),  info->cstate, info->sstate,
+                ntohs(info->pns_call_id), ntohs(info->pac_call_id));
+       return NF_ACCEPT;
+@@ -403,7 +411,7 @@ pptp_outbound_pkt(struct sk_buff *skb, u
+       typeof(nf_nat_pptp_hook_outbound) nf_nat_pptp_outbound;
+       msg = ntohs(ctlh->messageType);
+-      pr_debug("outbound control message %s\n", pptp_msg_name[msg]);
++      pr_debug("outbound control message %s\n", pptp_msg_name(msg));
+       switch (msg) {
+       case PPTP_START_SESSION_REQUEST:
+@@ -425,7 +433,7 @@ pptp_outbound_pkt(struct sk_buff *skb, u
+               info->cstate = PPTP_CALL_OUT_REQ;
+               /* track PNS call id */
+               cid = pptpReq->ocreq.callID;
+-              pr_debug("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid));
++              pr_debug("%s, CID=%X\n", pptp_msg_name(msg), ntohs(cid));
+               info->pns_call_id = cid;
+               break;
+@@ -439,7 +447,7 @@ pptp_outbound_pkt(struct sk_buff *skb, u
+               pcid = pptpReq->icack.peersCallID;
+               if (info->pac_call_id != pcid)
+                       goto invalid;
+-              pr_debug("%s, CID=%X PCID=%X\n", pptp_msg_name[msg],
++              pr_debug("%s, CID=%X PCID=%X\n", pptp_msg_name(msg),
+                        ntohs(cid), ntohs(pcid));
+               if (pptpReq->icack.resultCode == PPTP_INCALL_ACCEPT) {
+@@ -479,7 +487,7 @@ pptp_outbound_pkt(struct sk_buff *skb, u
+ invalid:
+       pr_debug("invalid %s: type=%d cid=%u pcid=%u "
+                "cstate=%d sstate=%d pns_cid=%u pac_cid=%u\n",
+-               msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0],
++               pptp_msg_name(msg),
+                msg, ntohs(cid), ntohs(pcid),  info->cstate, info->sstate,
+                ntohs(info->pns_call_id), ntohs(info->pac_call_id));
+       return NF_ACCEPT;
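Review bot: The new helper is declared and defined as `const char *const pptp_msg_name(u_int16_t msg)`; a top-level `const` on a function's return value has no effect in C and draws -Wignored-qualifiers, so both the header declaration and the definition should read `const char *pptp_msg_name(u_int16_t msg)`. The helper itself is the right shape for the fix: every former `pptp_msg_name[msg]` index was a 16-bit value taken from the wire, and the bound check now lives in one place over a designated-initializer table sized PPTP_MSG_MAX + 1. The table and helper stay inside the `#if defined(DEBUG) || defined(CONFIG_DYNAMIC_DEBUG)` block, so the callers in nf_nat_pptp.c presumably compile only because pr_debug() compiles its arguments out otherwise; a one-line comment beside the extern in the header noting that pptp_msg_name() exists only in debug builds would spare the next person a link-error hunt.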
diff --git a/queue-4.14/netfilter-nfnetlink_cthelper-unbreak-userspace-helper-support.patch b/queue-4.14/netfilter-nfnetlink_cthelper-unbreak-userspace-helper-support.patch
new file mode 100644 (file)
index 0000000..dfd48d6
--- /dev/null
@@ -0,0 +1,40 @@
+From 703acd70f2496537457186211c2f03e792409e68 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sun, 24 May 2020 21:04:42 +0200
+Subject: netfilter: nfnetlink_cthelper: unbreak userspace helper support
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 703acd70f2496537457186211c2f03e792409e68 upstream.
+
+Restore helper data size initialization and fix memcopy of the helper
+data size.
+
+Fixes: 157ffffeb5dc ("netfilter: nfnetlink_cthelper: reject too large userspace allocation requests")
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nfnetlink_cthelper.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -106,7 +106,7 @@ nfnl_cthelper_from_nlattr(struct nlattr
+       if (help->helper->data_len == 0)
+               return -EINVAL;
+-      nla_memcpy(help->data, nla_data(attr), sizeof(help->data));
++      nla_memcpy(help->data, attr, sizeof(help->data));
+       return 0;
+ }
+@@ -240,6 +240,7 @@ nfnl_cthelper_create(const struct nlattr
+               ret = -ENOMEM;
+               goto err2;
+       }
++      helper->data_len = size;
+       helper->flags |= NF_CT_HELPER_F_USERSPACE;
+       memcpy(&helper->tuple, tuple, sizeof(struct nf_conntrack_tuple));
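Review bot: The corrected `nla_memcpy(help->data, attr, sizeof(help->data))` bounds the copy by the size of the help->data buffer rather than by help->helper->data_len, which the guard two lines above treats as the meaningful length. That is memory-safe if help->data is a fixed in-struct array (it appears to be, but its definition is outside the hunk), yet a reader may expect the helper's declared length to be the bound, so a comment such as `/* nla_memcpy() limits the copy to the attribute payload and the buffer size */` would record the intent. The `helper->data_len = size;` line in the second hunk restores state later code depends on; `size` is computed outside the hunk, so its upper bound cannot be confirmed from here. Both enclosing functions start and end outside the hunk.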
diff --git a/queue-4.14/netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch b/queue-4.14/netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch
new file mode 100644 (file)
index 0000000..3edbf2d
--- /dev/null
@@ -0,0 +1,38 @@
+From e9c284ec4b41c827f4369973d2792992849e4fa5 Mon Sep 17 00:00:00 2001
+From: Michael Braun <michael-dev@fami-braun.de>
+Date: Wed, 6 May 2020 11:46:25 +0200
+Subject: netfilter: nft_reject_bridge: enable reject with bridge vlan
+
+From: Michael Braun <michael-dev@fami-braun.de>
+
+commit e9c284ec4b41c827f4369973d2792992849e4fa5 upstream.
+
+Currently, using the bridge reject target with tagged packets
+results in untagged packets being sent back.
+
+Fix this by mirroring the vlan id as well.
+
+Fixes: 85f5b3086a04 ("netfilter: bridge: add reject support")
+Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/netfilter/nft_reject_bridge.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/bridge/netfilter/nft_reject_bridge.c
++++ b/net/bridge/netfilter/nft_reject_bridge.c
+@@ -34,6 +34,12 @@ static void nft_reject_br_push_etherhdr(
+       ether_addr_copy(eth->h_dest, eth_hdr(oldskb)->h_source);
+       eth->h_proto = eth_hdr(oldskb)->h_proto;
+       skb_pull(nskb, ETH_HLEN);
++
++      if (skb_vlan_tag_present(oldskb)) {
++              u16 vid = skb_vlan_tag_get(oldskb);
++
++              __vlan_hwaccel_put_tag(nskb, oldskb->vlan_proto, vid);
++      }
+ }
+ static int nft_bridge_iphdr_validate(struct sk_buff *skb)
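Review bot: The local in the added block is named `vid`, but skb_vlan_tag_get() returns the VLAN TCI, in which the 12-bit VID sits alongside the PCP and DEI bits, and __vlan_hwaccel_put_tag() takes a TCI as its last argument, so the reject packet mirrors the priority bits as well as the VLAN id. Renaming it `u16 vlan_tci = skb_vlan_tag_get(oldskb);` or adding a comment that the whole TCI is intentionally copied would stop a reader from assuming the priority is dropped. nft_reject_br_push_etherhdr starts outside the hunk.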
diff --git a/queue-4.14/qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch b/queue-4.14/qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch
new file mode 100644 (file)
index 0000000..99884a1
--- /dev/null
@@ -0,0 +1,45 @@
+From 15c973858903009e995b2037683de29dfe968621 Mon Sep 17 00:00:00 2001
+From: Qiushi Wu <wu000273@umn.edu>
+Date: Mon, 25 May 2020 03:24:39 -0500
+Subject: qlcnic: fix missing release in qlcnic_83xx_interrupt_test.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+commit 15c973858903009e995b2037683de29dfe968621 upstream.
+
+In function qlcnic_83xx_interrupt_test(), function
+qlcnic_83xx_diag_alloc_res() is not handled by function
+qlcnic_83xx_diag_free_res() after a call of the function
+qlcnic_alloc_mbx_args() failed. Fix this issue by adding
+a jump target "fail_mbx_args", and jump to this new target
+when qlcnic_alloc_mbx_args() failed.
+
+Fixes: b6b4316c8b2f ("qlcnic: Handle qlcnic_alloc_mbx_args() failure")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+@@ -3650,7 +3650,7 @@ int qlcnic_83xx_interrupt_test(struct ne
+       ahw->diag_cnt = 0;
+       ret = qlcnic_alloc_mbx_args(&cmd, adapter, QLCNIC_CMD_INTRPT_TEST);
+       if (ret)
+-              goto fail_diag_irq;
++              goto fail_mbx_args;
+       if (adapter->flags & QLCNIC_MSIX_ENABLED)
+               intrpt_id = ahw->intr_tbl[0].id;
+@@ -3680,6 +3680,8 @@ int qlcnic_83xx_interrupt_test(struct ne
+ done:
+       qlcnic_free_mbx_args(&cmd);
++
++fail_mbx_args:
+       qlcnic_83xx_diag_free_res(netdev, drv_sds_rings);
+ fail_diag_irq:
index c3bd36501467b169e54440c5857f59effb76896e..b2804488070877a7f7b2ee2fd5b7cb25f6366d2f 100644 (file)
@@ -53,3 +53,17 @@ parisc-fix-kernel-panic-in-mem_init.patch
 mac80211-mesh-fix-discovery-timer-re-arming-issue-crash.patch
 x86-dma-fix-max-pfn-arithmetic-overflow-on-32-bit-systems.patch
 copy_xstate_to_kernel-don-t-leave-parts-of-destination-uninitialized.patch
+xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch
+xfrm-call-xfrm_output_gso-when-inner_protocol-is-set-in-xfrm_output.patch
+xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch
+xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch
+xfrm-fix-error-in-comment.patch
+vti4-eliminated-some-duplicate-code.patch
+ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch
+netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch
+netfilter-ipset-fix-subcounter-update-skip.patch
+netfilter-nfnetlink_cthelper-unbreak-userspace-helper-support.patch
+netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch
+esp6-get-the-right-proto-for-transport-mode-in-esp6_gso_encap.patch
+qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch
+bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch
diff --git a/queue-4.14/vti4-eliminated-some-duplicate-code.patch b/queue-4.14/vti4-eliminated-some-duplicate-code.patch
new file mode 100644 (file)
index 0000000..4896263
--- /dev/null
@@ -0,0 +1,141 @@
+From f981c57ffd2d7cf2dd4b6d6f8fcb3965df42f54c Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Sat, 23 Mar 2019 14:43:02 +0000
+Subject: vti4: eliminated some duplicate code.
+
+From: Jeremy Sowden <jeremy@azazel.net>
+
+commit f981c57ffd2d7cf2dd4b6d6f8fcb3965df42f54c upstream.
+
+The ipip tunnel introduced in commit dd9ee3444014 ("vti4: Fix a ipip
+packet processing bug in 'IPCOMP' virtual tunnel") largely duplicated
+the existing vti_input and vti_recv functions.  Refactored to
+deduplicate the common code.
+
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/ip_vti.c |   60 +++++++++++++++++++-----------------------------------
+ 1 file changed, 22 insertions(+), 38 deletions(-)
+
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -50,7 +50,7 @@ static unsigned int vti_net_id __read_mo
+ static int vti_tunnel_init(struct net_device *dev);
+ static int vti_input(struct sk_buff *skb, int nexthdr, __be32 spi,
+-                   int encap_type)
++                   int encap_type, bool update_skb_dev)
+ {
+       struct ip_tunnel *tunnel;
+       const struct iphdr *iph = ip_hdr(skb);
+@@ -65,6 +65,9 @@ static int vti_input(struct sk_buff *skb
+               XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
++              if (update_skb_dev)
++                      skb->dev = tunnel->dev;
++
+               return xfrm_input(skb, nexthdr, spi, encap_type);
+       }
+@@ -74,47 +77,28 @@ drop:
+       return 0;
+ }
+-static int vti_input_ipip(struct sk_buff *skb, int nexthdr, __be32 spi,
+-                   int encap_type)
++static int vti_input_proto(struct sk_buff *skb, int nexthdr, __be32 spi,
++                         int encap_type)
+ {
+-      struct ip_tunnel *tunnel;
+-      const struct iphdr *iph = ip_hdr(skb);
+-      struct net *net = dev_net(skb->dev);
+-      struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
+-
+-      tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
+-                                iph->saddr, iph->daddr, 0);
+-      if (tunnel) {
+-              if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+-                      goto drop;
+-
+-              XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
+-
+-              skb->dev = tunnel->dev;
+-
+-              return xfrm_input(skb, nexthdr, spi, encap_type);
+-      }
+-
+-      return -EINVAL;
+-drop:
+-      kfree_skb(skb);
+-      return 0;
++      return vti_input(skb, nexthdr, spi, encap_type, false);
+ }
+-static int vti_rcv(struct sk_buff *skb)
++static int vti_rcv(struct sk_buff *skb, __be32 spi, bool update_skb_dev)
+ {
+       XFRM_SPI_SKB_CB(skb)->family = AF_INET;
+       XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
+-      return vti_input(skb, ip_hdr(skb)->protocol, 0, 0);
++      return vti_input(skb, ip_hdr(skb)->protocol, spi, 0, update_skb_dev);
+ }
+-static int vti_rcv_ipip(struct sk_buff *skb)
++static int vti_rcv_proto(struct sk_buff *skb)
+ {
+-      XFRM_SPI_SKB_CB(skb)->family = AF_INET;
+-      XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
++      return vti_rcv(skb, 0, false);
++}
+-      return vti_input_ipip(skb, ip_hdr(skb)->protocol, ip_hdr(skb)->saddr, 0);
++static int vti_rcv_tunnel(struct sk_buff *skb)
++{
++      return vti_rcv(skb, ip_hdr(skb)->saddr, true);
+ }
+ static int vti_rcv_cb(struct sk_buff *skb, int err)
+@@ -482,31 +466,31 @@ static void __net_init vti_fb_tunnel_ini
+ }
+ static struct xfrm4_protocol vti_esp4_protocol __read_mostly = {
+-      .handler        =       vti_rcv,
+-      .input_handler  =       vti_input,
++      .handler        =       vti_rcv_proto,
++      .input_handler  =       vti_input_proto,
+       .cb_handler     =       vti_rcv_cb,
+       .err_handler    =       vti4_err,
+       .priority       =       100,
+ };
+ static struct xfrm4_protocol vti_ah4_protocol __read_mostly = {
+-      .handler        =       vti_rcv,
+-      .input_handler  =       vti_input,
++      .handler        =       vti_rcv_proto,
++      .input_handler  =       vti_input_proto,
+       .cb_handler     =       vti_rcv_cb,
+       .err_handler    =       vti4_err,
+       .priority       =       100,
+ };
+ static struct xfrm4_protocol vti_ipcomp4_protocol __read_mostly = {
+-      .handler        =       vti_rcv,
+-      .input_handler  =       vti_input,
++      .handler        =       vti_rcv_proto,
++      .input_handler  =       vti_input_proto,
+       .cb_handler     =       vti_rcv_cb,
+       .err_handler    =       vti4_err,
+       .priority       =       100,
+ };
+ static struct xfrm_tunnel ipip_handler __read_mostly = {
+-      .handler        =       vti_rcv_ipip,
++      .handler        =       vti_rcv_tunnel,
+       .err_handler    =       vti4_err,
+       .priority       =       0,
+ };
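Review bot: Once this commit's series applies, the `update_skb_dev == true` path in vti_input is dead: the only caller passing true is vti_rcv_tunnel at the end of the third hunk, and the ip_vti patch earlier in this commit replaces that body with an ip_tunnel_rcv() based one that never calls vti_rcv(), leaving vti_rcv_proto's `vti_rcv(skb, 0, false)` as the sole caller. That is acceptable for a dependency backport that must match upstream, but it should be understood as such rather than as a live code path, and any future cleanup could drop the `spi` and `update_skb_dev` parameters together. The series file orders this patch before the ip_vti one, which is the required order, since the latter's hunk expects vti_rcv_tunnel to already exist. vti_input starts outside the hunk.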
diff --git a/queue-4.14/xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch b/queue-4.14/xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch
new file mode 100644 (file)
index 0000000..99780b3
--- /dev/null
@@ -0,0 +1,45 @@
+From afcaf61be9d1dbdee5ec186d1dcc67b6b692180f Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 10 Apr 2020 17:06:01 +0800
+Subject: xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit afcaf61be9d1dbdee5ec186d1dcc67b6b692180f upstream.
+
+For beet mode, when it's ipv6 inner address with nexthdrs set,
+the packet format might be:
+
+    ----------------------------------------------------
+    | outer  |     | dest |     |      |  ESP    | ESP |
+    | IP hdr | ESP | opts.| TCP | Data | Trailer | ICV |
+    ----------------------------------------------------
+
+The nexthdr from ESP could be NEXTHDR_HOP(0), so it should
+continue processing the packet when nexthdr returns 0 in
+xfrm_input(). Otherwise, when ipv6 nexthdr is set, the
+packet will be dropped.
+
+I don't see any error cases that nexthdr may return 0. So
+fix it by removing the check for nexthdr == 0.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_input.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -402,7 +402,7 @@ resume:
+               dev_put(skb->dev);
+               spin_lock(&x->lock);
+-              if (nexthdr <= 0) {
++              if (nexthdr < 0) {
+                       if (nexthdr == -EBADMSG) {
+                               xfrm_audit_state_icvfail(x, skb,
+                                                        x->type->proto);
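Review bot: The relaxed test at the `if (nexthdr < 0)` line lets a 0 returned by `x->type->input()` continue as a valid NEXTHDR_HOP inner header, so correctness now depends on no type handler in this tree ever using 0 as an error code; the commit message says that was checked upstream, but the 4.14 `input` callbacks are not visible here, so the backport deserves a quick check of those handlers. A short comment on the new line would record the reason for accepting 0: `/* 0 is NEXTHDR_HOP, a valid inner protocol in beet mode; only negatives are errors */`. The enclosing xfrm_input() body begins and ends outside this hunk.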
diff --git a/queue-4.14/xfrm-call-xfrm_output_gso-when-inner_protocol-is-set-in-xfrm_output.patch b/queue-4.14/xfrm-call-xfrm_output_gso-when-inner_protocol-is-set-in-xfrm_output.patch
new file mode 100644 (file)
index 0000000..fdefd7b
--- /dev/null
@@ -0,0 +1,97 @@
+From a204aef9fd77dce1efd9066ca4e44eede99cd858 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 20 Apr 2020 21:51:09 +0800
+Subject: xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit a204aef9fd77dce1efd9066ca4e44eede99cd858 upstream.
+
+An use-after-free crash can be triggered when sending big packets over
+vxlan over esp with esp offload enabled:
+
+  [] BUG: KASAN: use-after-free in ipv6_gso_pull_exthdrs.part.8+0x32c/0x4e0
+  [] Call Trace:
+  []  dump_stack+0x75/0xa0
+  []  kasan_report+0x37/0x50
+  []  ipv6_gso_pull_exthdrs.part.8+0x32c/0x4e0
+  []  ipv6_gso_segment+0x2c8/0x13c0
+  []  skb_mac_gso_segment+0x1cb/0x420
+  []  skb_udp_tunnel_segment+0x6b5/0x1c90
+  []  inet_gso_segment+0x440/0x1380
+  []  skb_mac_gso_segment+0x1cb/0x420
+  []  esp4_gso_segment+0xae8/0x1709 [esp4_offload]
+  []  inet_gso_segment+0x440/0x1380
+  []  skb_mac_gso_segment+0x1cb/0x420
+  []  __skb_gso_segment+0x2d7/0x5f0
+  []  validate_xmit_skb+0x527/0xb10
+  []  __dev_queue_xmit+0x10f8/0x2320 <---
+  []  ip_finish_output2+0xa2e/0x1b50
+  []  ip_output+0x1a8/0x2f0
+  []  xfrm_output_resume+0x110e/0x15f0
+  []  __xfrm4_output+0xe1/0x1b0
+  []  xfrm4_output+0xa0/0x200
+  []  iptunnel_xmit+0x5a7/0x920
+  []  vxlan_xmit_one+0x1658/0x37a0 [vxlan]
+  []  vxlan_xmit+0x5e4/0x3ec8 [vxlan]
+  []  dev_hard_start_xmit+0x125/0x540
+  []  __dev_queue_xmit+0x17bd/0x2320  <---
+  []  ip6_finish_output2+0xb20/0x1b80
+  []  ip6_output+0x1b3/0x390
+  []  ip6_xmit+0xb82/0x17e0
+  []  inet6_csk_xmit+0x225/0x3d0
+  []  __tcp_transmit_skb+0x1763/0x3520
+  []  tcp_write_xmit+0xd64/0x5fe0
+  []  __tcp_push_pending_frames+0x8c/0x320
+  []  tcp_sendmsg_locked+0x2245/0x3500
+  []  tcp_sendmsg+0x27/0x40
+
+As on the tx path of vxlan over esp, skb->inner_network_header would be
+set on vxlan_xmit() and xfrm4_tunnel_encap_add(), and the later one can
+overwrite the former one. It causes skb_udp_tunnel_segment() to use a
+wrong skb->inner_network_header, then the issue occurs.
+
+This patch is to fix it by calling xfrm_output_gso() instead when the
+inner_protocol is set, in which gso_segment of inner_protocol will be
+done first.
+
+While at it, also improve some code around.
+
+Fixes: 7862b4058b9f ("esp: Add gso handlers for esp4 and esp6")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_output.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -236,18 +236,20 @@ int xfrm_output(struct sock *sk, struct
+               xfrm_state_hold(x);
+               if (skb_is_gso(skb)) {
+-                      skb_shinfo(skb)->gso_type |= SKB_GSO_ESP;
++                      if (skb->inner_protocol)
++                              return xfrm_output_gso(net, sk, skb);
+-                      return xfrm_output2(net, sk, skb);
++                      skb_shinfo(skb)->gso_type |= SKB_GSO_ESP;
++                      goto out;
+               }
+               if (x->xso.dev && x->xso.dev->features & NETIF_F_HW_ESP_TX_CSUM)
+                       goto out;
++      } else {
++              if (skb_is_gso(skb))
++                      return xfrm_output_gso(net, sk, skb);
+       }
+-      if (skb_is_gso(skb))
+-              return xfrm_output_gso(net, sk, skb);
+-
+       if (skb->ip_summed == CHECKSUM_PARTIAL) {
+               err = skb_checksum_help(skb);
+               if (err) {
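Review bot: The early `return xfrm_output_gso(net, sk, skb)` added inside the offload branch diverts every GSO skb with `inner_protocol` set to software segmentation before `SKB_GSO_ESP` is marked, and the reason lives only in the commit message; a comment at that line would keep it with the code: `/* Tunnel GSO: run the inner protocol's gso_segment first, because xfrm4_tunnel_encap_add() overwrites the inner_network_header set by the tunnel driver. */`. The `xfrm_state_hold(x)` two lines above is taken before this new return, and the hunk does not show how that reference is released on the xfrm_output_gso path, so the backporter should confirm it matches the old xfrm_output2 early return. The new `else` branch is equivalent to the old trailing `skb_is_gso()` check, since the offload branch exits for every GSO skb, so behaviour changes only for the inner_protocol case. xfrm_output() starts and ends outside this hunk.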
diff --git a/queue-4.14/xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch b/queue-4.14/xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch
new file mode 100644 (file)
index 0000000..2506c3a
--- /dev/null
@@ -0,0 +1,65 @@
+From f6a23d85d078c2ffde79c66ca81d0a1dde451649 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 26 May 2020 17:41:46 +0800
+Subject: xfrm: fix a NULL-ptr deref in xfrm_local_error
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit f6a23d85d078c2ffde79c66ca81d0a1dde451649 upstream.
+
+This patch is to fix a crash:
+
+  [ ] kasan: GPF could be caused by NULL-ptr deref or user memory access
+  [ ] general protection fault: 0000 [#1] SMP KASAN PTI
+  [ ] RIP: 0010:ipv6_local_error+0xac/0x7a0
+  [ ] Call Trace:
+  [ ]  xfrm6_local_error+0x1eb/0x300
+  [ ]  xfrm_local_error+0x95/0x130
+  [ ]  __xfrm6_output+0x65f/0xb50
+  [ ]  xfrm6_output+0x106/0x46f
+  [ ]  udp_tunnel6_xmit_skb+0x618/0xbf0 [ip6_udp_tunnel]
+  [ ]  vxlan_xmit_one+0xbc6/0x2c60 [vxlan]
+  [ ]  vxlan_xmit+0x6a0/0x4276 [vxlan]
+  [ ]  dev_hard_start_xmit+0x165/0x820
+  [ ]  __dev_queue_xmit+0x1ff0/0x2b90
+  [ ]  ip_finish_output2+0xd3e/0x1480
+  [ ]  ip_do_fragment+0x182d/0x2210
+  [ ]  ip_output+0x1d0/0x510
+  [ ]  ip_send_skb+0x37/0xa0
+  [ ]  raw_sendmsg+0x1b4c/0x2b80
+  [ ]  sock_sendmsg+0xc0/0x110
+
+This occurred when sending a v4 skb over vxlan6 over ipsec, in which case
+skb->protocol == htons(ETH_P_IPV6) while skb->sk->sk_family == AF_INET in
+xfrm_local_error(). Then it will go to xfrm6_local_error() where it tries
+to get ipv6 info from a ipv4 sk.
+
+This issue was actually fixed by Commit 628e341f319f ("xfrm: make local
+error reporting more robust"), but brought back by Commit 844d48746e4b
+("xfrm: choose protocol family by skb protocol").
+
+So to fix it, we should call xfrm6_local_error() only when skb->protocol
+is htons(ETH_P_IPV6) and skb->sk->sk_family is AF_INET6.
+
+Fixes: 844d48746e4b ("xfrm: choose protocol family by skb protocol")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_output.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -286,7 +286,8 @@ void xfrm_local_error(struct sk_buff *sk
+       if (skb->protocol == htons(ETH_P_IP))
+               proto = AF_INET;
+-      else if (skb->protocol == htons(ETH_P_IPV6))
++      else if (skb->protocol == htons(ETH_P_IPV6) &&
++               skb->sk->sk_family == AF_INET6)
+               proto = AF_INET6;
+       else
+               return;
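Review bot: The new condition `skb->sk->sk_family == AF_INET6` dereferences `skb->sk` unconditionally, whereas the old test read only `skb->protocol`; this is safe only if every caller of xfrm_local_error() guarantees a non-NULL socket, which the hunk does not show (the xfrm4/xfrm6 output paths appear to check `skb->sk` before calling in, but that should be confirmed for this tree). A comment would record the dependency: `/* callers only reach here with skb->sk set; a v4 socket sending a v6 skb (e.g. vxlan6 over ipsec) must not be reported via xfrm6_local_error() */`. The IPv4 branch keeps no family check; if that is intentional because the v4 error path reads only common inet socket state, the comment should say so. The enclosing xfrm_local_error() continues outside the hunk.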
diff --git a/queue-4.14/xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch b/queue-4.14/xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch
new file mode 100644 (file)
index 0000000..573ff58
--- /dev/null
@@ -0,0 +1,76 @@
+From ed17b8d377eaf6b4a01d46942b4c647378a79bdd Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 25 May 2020 13:53:37 +0800
+Subject: xfrm: fix a warning in xfrm_policy_insert_list
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit ed17b8d377eaf6b4a01d46942b4c647378a79bdd upstream.
+
+This waring can be triggered simply by:
+
+  # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
+    priority 1 mark 0 mask 0x10  #[1]
+  # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
+    priority 2 mark 0 mask 0x1   #[2]
+  # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
+    priority 2 mark 0 mask 0x10  #[3]
+
+Then dmesg shows:
+
+  [ ] WARNING: CPU: 1 PID: 7265 at net/xfrm/xfrm_policy.c:1548
+  [ ] RIP: 0010:xfrm_policy_insert_list+0x2f2/0x1030
+  [ ] Call Trace:
+  [ ]  xfrm_policy_inexact_insert+0x85/0xe50
+  [ ]  xfrm_policy_insert+0x4ba/0x680
+  [ ]  xfrm_add_policy+0x246/0x4d0
+  [ ]  xfrm_user_rcv_msg+0x331/0x5c0
+  [ ]  netlink_rcv_skb+0x121/0x350
+  [ ]  xfrm_netlink_rcv+0x66/0x80
+  [ ]  netlink_unicast+0x439/0x630
+  [ ]  netlink_sendmsg+0x714/0xbf0
+  [ ]  sock_sendmsg+0xe2/0x110
+
+The issue was introduced by Commit 7cb8a93968e3 ("xfrm: Allow inserting
+policies with matching mark and different priorities"). After that, the
+policies [1] and [2] would be able to be added with different priorities.
+
+However, policy [3] will actually match both [1] and [2]. Policy [1]
+was matched due to the 1st 'return true' in xfrm_policy_mark_match(),
+and policy [2] was matched due to the 2nd 'return true' in there. It
+caused WARN_ON() in xfrm_policy_insert_list().
+
+This patch is to fix it by only (the same value and priority) as the
+same policy in xfrm_policy_mark_match().
+
+Thanks to Yuehaibing, we could make this fix better.
+
+v1->v2:
+  - check policy->mark.v == pol->mark.v only without mask.
+
+Fixes: 7cb8a93968e3 ("xfrm: Allow inserting policies with matching mark and different priorities")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_policy.c |    7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -722,12 +722,7 @@ static void xfrm_policy_requeue(struct x
+ static bool xfrm_policy_mark_match(struct xfrm_policy *policy,
+                                  struct xfrm_policy *pol)
+ {
+-      u32 mark = policy->mark.v & policy->mark.m;
+-
+-      if (policy->mark.v == pol->mark.v && policy->mark.m == pol->mark.m)
+-              return true;
+-
+-      if ((mark & pol->mark.m) == pol->mark.v &&
++      if (policy->mark.v == pol->mark.v &&
+           policy->priority == pol->priority)
+               return true;
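Review bot: After the change the function treats two policies as the same whenever `mark.v` and `priority` match and ignores the mask entirely, so a policy with mask 0 and one with mask 0x10 but equal value and priority now replace each other on update; this is the deliberate v2 choice described in the commit message, but nothing in the code says so and the function name still suggests masked matching. A comment above the condition would stop a later "fix" from reintroducing the masked comparison and the WARN_ON: `/* Same policy for insert/update purposes: equal mark value and priority. The mask is intentionally ignored; comparing masked values let one new policy match two existing entries. */`. The function's closing `return false` lies outside the hunk.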
diff --git a/queue-4.14/xfrm-fix-error-in-comment.patch b/queue-4.14/xfrm-fix-error-in-comment.patch
new file mode 100644 (file)
index 0000000..f7b7b67
--- /dev/null
@@ -0,0 +1,31 @@
+From 29e4276667e24ee6b91d9f91064d8fda9a210ea1 Mon Sep 17 00:00:00 2001
+From: Antony Antony <antony@phenome.org>
+Date: Wed, 15 Apr 2020 21:47:10 +0200
+Subject: xfrm: fix error in comment
+
+From: Antony Antony <antony@phenome.org>
+
+commit 29e4276667e24ee6b91d9f91064d8fda9a210ea1 upstream.
+
+s/xfrm_state_offload/xfrm_user_offload/
+
+Fixes: d77e38e612a ("xfrm: Add an IPsec hardware offloading API")
+Signed-off-by: Antony Antony <antony@phenome.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/linux/xfrm.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/uapi/linux/xfrm.h
++++ b/include/uapi/linux/xfrm.h
+@@ -304,7 +304,7 @@ enum xfrm_attr_type_t {
+       XFRMA_PROTO,            /* __u8 */
+       XFRMA_ADDRESS_FILTER,   /* struct xfrm_address_filter */
+       XFRMA_PAD,
+-      XFRMA_OFFLOAD_DEV,      /* struct xfrm_state_offload */
++      XFRMA_OFFLOAD_DEV,      /* struct xfrm_user_offload */
+       XFRMA_OUTPUT_MARK,      /* __u32 */
+       __XFRMA_MAX