--- /dev/null
+From foo@baz Tue 02 Jul 2019 06:09:26 AM CEST
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Tue, 25 Jun 2019 17:57:49 -0400
+Subject: af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+[ Upstream commit 89ed5b519004a7706f50b70f611edbd3aaacff2c ]
+
+When an application is run that:
+a) Sets its scheduler to be SCHED_FIFO
+and
+b) Opens a memory mapped AF_PACKET socket, and sends frames with the
+MSG_DONTWAIT flag cleared, its possible for the application to hang
+forever in the kernel. This occurs because when waiting, the code in
+tpacket_snd calls schedule, which under normal circumstances allows
+other tasks to run, including ksoftirqd, which in some cases is
+responsible for freeing the transmitted skb (which in AF_PACKET calls a
+destructor that flips the status bit of the transmitted frame back to
+available, allowing the transmitting task to complete).
+
+However, when the calling application is SCHED_FIFO, its priority is
+such that the schedule call immediately places the task back on the cpu,
+preventing ksoftirqd from freeing the skb, which in turn prevents the
+transmitting task from detecting that the transmission is complete.
+
+We can fix this by converting the schedule call to a completion
+mechanism. By using a completion queue, we force the calling task, when
+it detects there are no more frames to send, to schedule itself off the
+cpu until such time as the last transmitted skb is freed, allowing
+forward progress to be made.
+
+Tested by myself and the reporter, with good results
+
+Change Notes:
+
+V1->V2:
+ Enhance the sleep logic to support being interruptible and
+allowing for honoring to SK_SNDTIMEO (Willem de Bruijn)
+
+V2->V3:
+ Rearrage the point at which we wait for the completion queue, to
+avoid needing to check for ph/skb being null at the end of the loop.
+Also move the complete call to the skb destructor to avoid needing to
+modify __packet_set_status. Also gate calling complete on
+packet_read_pending returning zero to avoid multiple calls to complete.
+(Willem de Bruijn)
+
+ Move timeo computation within loop, to re-fetch the socket
+timeout since we also use the timeo variable to record the return code
+from the wait_for_complete call (Neil Horman)
+
+V3->V4:
+ Willem has requested that the control flow be restored to the
+previous state. Doing so lets us eliminate the need for the
+po->wait_on_complete flag variable, and lets us get rid of the
+packet_next_frame function, but introduces another complexity.
+Specifically, but using the packet pending count, we can, if an
+applications calls sendmsg multiple times with MSG_DONTWAIT set, each
+set of transmitted frames, when complete, will cause
+tpacket_destruct_skb to issue a complete call, for which there will
+never be a wait_on_completion call. This imbalance will lead to any
+future call to wait_for_completion here to return early, when the frames
+they sent may not have completed. To correct this, we need to re-init
+the completion queue on every call to tpacket_snd before we enter the
+loop so as to ensure we wait properly for the frames we send in this
+iteration.
+
+ Change the timeout and interrupted gotos to out_put rather than
+out_status so that we don't try to free a non-existant skb
+ Clean up some extra newlines (Willem de Bruijn)
+
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: Matteo Croce <mcroce@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 20 +++++++++++++++++---
+ net/packet/internal.h | 1 +
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2399,6 +2399,9 @@ static void tpacket_destruct_skb(struct
+
+ ts = __packet_set_timestamp(po, ph, skb);
+ __packet_set_status(po, ph, TP_STATUS_AVAILABLE | ts);
++
++ if (!packet_read_pending(&po->tx_ring))
++ complete(&po->skb_completion);
+ }
+
+ sock_wfree(skb);
+@@ -2594,7 +2597,7 @@ static int tpacket_parse_header(struct p
+
+ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
+ {
+- struct sk_buff *skb;
++ struct sk_buff *skb = NULL;
+ struct net_device *dev;
+ struct virtio_net_hdr *vnet_hdr = NULL;
+ struct sockcm_cookie sockc;
+@@ -2609,6 +2612,7 @@ static int tpacket_snd(struct packet_soc
+ int len_sum = 0;
+ int status = TP_STATUS_AVAILABLE;
+ int hlen, tlen, copylen = 0;
++ long timeo = 0;
+
+ mutex_lock(&po->pg_vec_lock);
+
+@@ -2655,12 +2659,21 @@ static int tpacket_snd(struct packet_soc
+ if ((size_max > dev->mtu + reserve + VLAN_HLEN) && !po->has_vnet_hdr)
+ size_max = dev->mtu + reserve + VLAN_HLEN;
+
++ reinit_completion(&po->skb_completion);
++
+ do {
+ ph = packet_current_frame(po, &po->tx_ring,
+ TP_STATUS_SEND_REQUEST);
+ if (unlikely(ph == NULL)) {
+- if (need_wait && need_resched())
+- schedule();
++ if (need_wait && skb) {
++ timeo = sock_sndtimeo(&po->sk, msg->msg_flags & MSG_DONTWAIT);
++ timeo = wait_for_completion_interruptible_timeout(&po->skb_completion, timeo);
++ if (timeo <= 0) {
++ err = !timeo ? -ETIMEDOUT : -ERESTARTSYS;
++ goto out_put;
++ }
++ }
++ /* check for additional frames */
+ continue;
+ }
+
+@@ -3216,6 +3229,7 @@ static int packet_create(struct net *net
+ sock_init_data(sock, sk);
+
+ po = pkt_sk(sk);
++ init_completion(&po->skb_completion);
+ sk->sk_family = PF_PACKET;
+ po->num = proto;
+ po->xmit = dev_queue_xmit;
+--- a/net/packet/internal.h
++++ b/net/packet/internal.h
+@@ -128,6 +128,7 @@ struct packet_sock {
+ unsigned int tp_hdrlen;
+ unsigned int tp_reserve;
+ unsigned int tp_tstamp;
++ struct completion skb_completion;
+ struct net_device __rcu *cached_dev;
+ int (*xmit)(struct sk_buff *skb);
+ struct packet_type prot_hook ____cacheline_aligned_in_smp;
--- /dev/null
+From foo@baz Tue 02 Jul 2019 06:09:26 AM CEST
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 26 Jun 2019 16:08:44 +0800
+Subject: bonding: Always enable vlan tx offload
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 30d8177e8ac776d89d387fad547af6a0f599210e ]
+
+We build vlan on top of bonding interface, which vlan offload
+is off, bond mode is 802.3ad (LACP) and xmit_hash_policy is
+BOND_XMIT_POLICY_ENCAP34.
+
+Because vlan tx offload is off, vlan tci is cleared and skb push
+the vlan header in validate_xmit_vlan() while sending from vlan
+devices. Then in bond_xmit_hash, __skb_flow_dissect() fails to
+get information from protocol headers encapsulated within vlan,
+because 'nhoff' is points to IP header, so bond hashing is based
+on layer 2 info, which fails to distribute packets across slaves.
+
+This patch always enable bonding's vlan tx offload, pass the vlan
+packets to the slave devices with vlan tci, let them to handle
+vlan implementation.
+
+Fixes: 278339a42a1b ("bonding: propogate vlan_features to bonding master")
+Suggested-by: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -4307,12 +4307,12 @@ void bond_setup(struct net_device *bond_
+ bond_dev->features |= NETIF_F_NETNS_LOCAL;
+
+ bond_dev->hw_features = BOND_VLAN_FEATURES |
+- NETIF_F_HW_VLAN_CTAG_TX |
+ NETIF_F_HW_VLAN_CTAG_RX |
+ NETIF_F_HW_VLAN_CTAG_FILTER;
+
+ bond_dev->hw_features |= NETIF_F_GSO_ENCAP_ALL | NETIF_F_GSO_UDP_L4;
+ bond_dev->features |= bond_dev->hw_features;
++ bond_dev->features |= NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_STAG_TX;
+ }
+
+ /* Destroy a bonding device.
--- /dev/null
+From foo@baz Tue 02 Jul 2019 06:09:26 AM CEST
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+Date: Mon, 24 Jun 2019 20:14:06 -0400
+Subject: ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop
+
+From: Stephen Suryaputra <ssuryaextr@gmail.com>
+
+[ Upstream commit 38c73529de13e1e10914de7030b659a2f8b01c3b ]
+
+In commit 19e4e768064a8 ("ipv4: Fix raw socket lookup for local
+traffic"), the dif argument to __raw_v4_lookup() is coming from the
+returned value of inet_iif() but the change was done only for the first
+lookup. Subsequent lookups in the while loop still use skb->dev->ifIndex.
+
+Fixes: 19e4e768064a8 ("ipv4: Fix raw socket lookup for local traffic")
+Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/raw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -202,7 +202,7 @@ static int raw_v4_input(struct sk_buff *
+ }
+ sk = __raw_v4_lookup(net, sk_next(sk), iph->protocol,
+ iph->saddr, iph->daddr,
+- skb->dev->ifindex, sdif);
++ dif, sdif);
+ }
+ out:
+ read_unlock(&raw_v4_hashinfo.lock);
--- /dev/null
+From foo@baz Tue 02 Jul 2019 06:09:26 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 24 Jun 2019 02:38:20 -0700
+Subject: net/packet: fix memory leak in packet_set_ring()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 55655e3d1197fff16a7a05088fb0e5eba50eac55 ]
+
+syzbot found we can leak memory in packet_set_ring(), if user application
+provides buggy parameters.
+
+Fixes: 7f953ab2ba46 ("af_packet: TX_RING support for TPACKET_V3")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4316,7 +4316,7 @@ static int packet_set_ring(struct sock *
+ req3->tp_sizeof_priv ||
+ req3->tp_feature_req_word) {
+ err = -EINVAL;
+- goto out;
++ goto out_free_pg_vec;
+ }
+ }
+ break;
+@@ -4380,6 +4380,7 @@ static int packet_set_ring(struct sock *
+ prb_shutdown_retire_blk_timer(po, rb_queue);
+ }
+
++out_free_pg_vec:
+ if (pg_vec)
+ free_pg_vec(pg_vec, order, req->tp_block_nr);
+ out:
--- /dev/null
+From foo@baz Tue 02 Jul 2019 06:09:26 AM CEST
+From: JingYi Hou <houjingyi647@gmail.com>
+Date: Mon, 17 Jun 2019 14:56:05 +0800
+Subject: net: remove duplicate fetch in sock_getsockopt
+
+From: JingYi Hou <houjingyi647@gmail.com>
+
+[ Upstream commit d0bae4a0e3d8c5690a885204d7eb2341a5b4884d ]
+
+In sock_getsockopt(), 'optlen' is fetched the first time from userspace.
+'len < 0' is then checked. Then in condition 'SO_MEMINFO', 'optlen' is
+fetched the second time from userspace.
+
+If change it between two fetches may cause security problems or unexpected
+behaivor, and there is no reason to fetch it a second time.
+
+To fix this, we need to remove the second fetch.
+
+Signed-off-by: JingYi Hou <houjingyi647@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/sock.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -1348,9 +1348,6 @@ int sock_getsockopt(struct socket *sock,
+ {
+ u32 meminfo[SK_MEMINFO_VARS];
+
+- if (get_user(len, optlen))
+- return -EFAULT;
+-
+ sk_get_meminfo(sk, meminfo);
+
+ len = min_t(unsigned int, len, sizeof(meminfo));
--- /dev/null
+From foo@baz Tue 02 Jul 2019 06:09:26 AM CEST
+From: Roland Hii <roland.king.guan.hii@intel.com>
+Date: Wed, 19 Jun 2019 22:13:48 +0800
+Subject: net: stmmac: fixed new system time seconds value calculation
+
+From: Roland Hii <roland.king.guan.hii@intel.com>
+
+[ Upstream commit a1e5388b4d5fc78688e5e9ee6641f779721d6291 ]
+
+When ADDSUB bit is set, the system time seconds field is calculated as
+the complement of the seconds part of the update value.
+
+For example, if 3.000000001 seconds need to be subtracted from the
+system time, this field is calculated as
+2^32 - 3 = 4294967296 - 3 = 0x100000000 - 3 = 0xFFFFFFFD
+
+Previously, the 0x100000000 is mistakenly written as 100000000.
+
+This is further simplified from
+ sec = (0x100000000ULL - sec);
+to
+ sec = -sec;
+
+Fixes: ba1ffd74df74 ("stmmac: fix PTP support for GMAC4")
+Signed-off-by: Roland Hii <roland.king.guan.hii@intel.com>
+Signed-off-by: Ong Boon Leong <boon.leong.ong@intel.com>
+Signed-off-by: Voon Weifeng <weifeng.voon@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
+@@ -122,7 +122,7 @@ static int adjust_systime(void __iomem *
+ * programmed with (2^32 – <new_sec_value>)
+ */
+ if (gmac4)
+- sec = (100000000ULL - sec);
++ sec = -sec;
+
+ value = readl(ioaddr + PTP_TCR);
+ if (value & PTP_TCR_TSCTRLSSR)
--- /dev/null
+From foo@baz Tue 02 Jul 2019 06:09:26 AM CEST
+From: Roland Hii <roland.king.guan.hii@intel.com>
+Date: Wed, 19 Jun 2019 22:41:48 +0800
+Subject: net: stmmac: set IC bit when transmitting frames with HW timestamp
+
+From: Roland Hii <roland.king.guan.hii@intel.com>
+
+[ Upstream commit d0bb82fd60183868f46c8ccc595a3d61c3334a18 ]
+
+When transmitting certain PTP frames, e.g. SYNC and DELAY_REQ, the
+PTP daemon, e.g. ptp4l, is polling the driver for the frame transmit
+hardware timestamp. The polling will most likely timeout if the tx
+coalesce is enabled due to the Interrupt-on-Completion (IC) bit is
+not set in tx descriptor for those frames.
+
+This patch will ignore the tx coalesce parameter and set the IC bit
+when transmitting PTP frames which need to report out the frame
+transmit hardware timestamp to user space.
+
+Fixes: f748be531d70 ("net: stmmac: Rework coalesce timer and fix multi-queue races")
+Signed-off-by: Roland Hii <roland.king.guan.hii@intel.com>
+Signed-off-by: Ong Boon Leong <boon.leong.ong@intel.com>
+Signed-off-by: Voon Weifeng <weifeng.voon@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -2938,12 +2938,15 @@ static netdev_tx_t stmmac_tso_xmit(struc
+
+ /* Manage tx mitigation */
+ tx_q->tx_count_frames += nfrags + 1;
+- if (priv->tx_coal_frames <= tx_q->tx_count_frames) {
++ if (likely(priv->tx_coal_frames > tx_q->tx_count_frames) &&
++ !(priv->synopsys_id >= DWMAC_CORE_4_00 &&
++ (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) &&
++ priv->hwts_tx_en)) {
++ stmmac_tx_timer_arm(priv, queue);
++ } else {
++ tx_q->tx_count_frames = 0;
+ stmmac_set_tx_ic(priv, desc);
+ priv->xstats.tx_set_ic_bit++;
+- tx_q->tx_count_frames = 0;
+- } else {
+- stmmac_tx_timer_arm(priv, queue);
+ }
+
+ skb_tx_timestamp(skb);
+@@ -3157,12 +3160,15 @@ static netdev_tx_t stmmac_xmit(struct sk
+ * element in case of no SG.
+ */
+ tx_q->tx_count_frames += nfrags + 1;
+- if (priv->tx_coal_frames <= tx_q->tx_count_frames) {
++ if (likely(priv->tx_coal_frames > tx_q->tx_count_frames) &&
++ !(priv->synopsys_id >= DWMAC_CORE_4_00 &&
++ (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) &&
++ priv->hwts_tx_en)) {
++ stmmac_tx_timer_arm(priv, queue);
++ } else {
++ tx_q->tx_count_frames = 0;
+ stmmac_set_tx_ic(priv, desc);
+ priv->xstats.tx_set_ic_bit++;
+- tx_q->tx_count_frames = 0;
+- } else {
+- stmmac_tx_timer_arm(priv, queue);
+ }
+
+ skb_tx_timestamp(skb);
--- /dev/null
+From foo@baz Tue 02 Jul 2019 06:09:26 AM CEST
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 25 Jun 2019 00:21:45 +0800
+Subject: sctp: change to hold sk after auth shkey is created successfully
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 25bff6d5478b2a02368097015b7d8eb727c87e16 ]
+
+Now in sctp_endpoint_init(), it holds the sk then creates auth
+shkey. But when the creation fails, it doesn't release the sk,
+which causes a sk defcnf leak,
+
+Here to fix it by only holding the sk when auth shkey is created
+successfully.
+
+Fixes: a29a5bd4f5c3 ("[SCTP]: Implement SCTP-AUTH initializations.")
+Reported-by: syzbot+afabda3890cc2f765041@syzkaller.appspotmail.com
+Reported-by: syzbot+276ca1c77a19977c0130@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Neil Horman <nhorman@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/endpointola.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/sctp/endpointola.c
++++ b/net/sctp/endpointola.c
+@@ -126,10 +126,6 @@ static struct sctp_endpoint *sctp_endpoi
+ /* Initialize the bind addr area */
+ sctp_bind_addr_init(&ep->base.bind_addr, 0);
+
+- /* Remember who we are attached to. */
+- ep->base.sk = sk;
+- sock_hold(ep->base.sk);
+-
+ /* Create the lists of associations. */
+ INIT_LIST_HEAD(&ep->asocs);
+
+@@ -167,6 +163,10 @@ static struct sctp_endpoint *sctp_endpoi
+ ep->prsctp_enable = net->sctp.prsctp_enable;
+ ep->reconf_enable = net->sctp.reconf_enable;
+
++ /* Remember who we are attached to. */
++ ep->base.sk = sk;
++ sock_hold(ep->base.sk);
++
+ return ep;
+
+ nomem_hmacs:
sunrpc-clean-up-initialisation-of-the-struct-rpc_rqst.patch
irqchip-mips-gic-use-the-correct-local-interrupt-map-registers.patch
eeprom-at24-fix-unexpected-timeout-under-high-load.patch
+af_packet-block-execution-of-tasks-waiting-for-transmit-to-complete-in-af_packet.patch
+bonding-always-enable-vlan-tx-offload.patch
+ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while-loop.patch
+net-packet-fix-memory-leak-in-packet_set_ring.patch
+net-remove-duplicate-fetch-in-sock_getsockopt.patch
+net-stmmac-fixed-new-system-time-seconds-value-calculation.patch
+net-stmmac-set-ic-bit-when-transmitting-frames-with-hw-timestamp.patch
+sctp-change-to-hold-sk-after-auth-shkey-is-created-successfully.patch
+team-always-enable-vlan-tx-offload.patch
+tipc-change-to-use-register_pernet_device.patch
+tipc-check-msg-req-data-len-in-tipc_nl_compat_bearer_disable.patch
+tun-wake-up-waitqueues-after-iff_up-is-set.patch
--- /dev/null
+From foo@baz Tue 02 Jul 2019 06:09:26 AM CEST
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 27 Jun 2019 00:03:39 +0800
+Subject: team: Always enable vlan tx offload
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit ee4297420d56a0033a8593e80b33fcc93fda8509 ]
+
+We should rather have vlan_tci filled all the way down
+to the transmitting netdevice and let it do the hw/sw
+vlan implementation.
+
+Suggested-by: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2139,12 +2139,12 @@ static void team_setup(struct net_device
+ dev->features |= NETIF_F_NETNS_LOCAL;
+
+ dev->hw_features = TEAM_VLAN_FEATURES |
+- NETIF_F_HW_VLAN_CTAG_TX |
+ NETIF_F_HW_VLAN_CTAG_RX |
+ NETIF_F_HW_VLAN_CTAG_FILTER;
+
+ dev->hw_features |= NETIF_F_GSO_ENCAP_ALL | NETIF_F_GSO_UDP_L4;
+ dev->features |= dev->hw_features;
++ dev->features |= NETIF_F_HW_VLAN_CTAG_TX | NETIF_F_HW_VLAN_STAG_TX;
+ }
+
+ static int team_newlink(struct net *src_net, struct net_device *dev,
--- /dev/null
+From foo@baz Tue 02 Jul 2019 06:09:26 AM CEST
+From: Xin Long <lucien.xin@gmail.com>
+Date: Thu, 20 Jun 2019 18:39:28 +0800
+Subject: tipc: change to use register_pernet_device
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit c492d4c74dd3f87559883ffa0f94a8f1ae3fe5f5 ]
+
+This patch is to fix a dst defcnt leak, which can be reproduced by doing:
+
+ # ip net a c; ip net a s; modprobe tipc
+ # ip net e s ip l a n eth1 type veth peer n eth1 netns c
+ # ip net e c ip l s lo up; ip net e c ip l s eth1 up
+ # ip net e s ip l s lo up; ip net e s ip l s eth1 up
+ # ip net e c ip a a 1.1.1.2/8 dev eth1
+ # ip net e s ip a a 1.1.1.1/8 dev eth1
+ # ip net e c tipc b e m udp n u1 localip 1.1.1.2
+ # ip net e s tipc b e m udp n u1 localip 1.1.1.1
+ # ip net d c; ip net d s; rmmod tipc
+
+and it will get stuck and keep logging the error:
+
+ unregister_netdevice: waiting for lo to become free. Usage count = 1
+
+The cause is that a dst is held by the udp sock's sk_rx_dst set on udp rx
+path with udp_early_demux == 1, and this dst (eventually holding lo dev)
+can't be released as bearer's removal in tipc pernet .exit happens after
+lo dev's removal, default_device pernet .exit.
+
+ "There are two distinct types of pernet_operations recognized: subsys and
+ device. At creation all subsys init functions are called before device
+ init functions, and at destruction all device exit functions are called
+ before subsys exit function."
+
+So by calling register_pernet_device instead to register tipc_net_ops, the
+pernet .exit() will be invoked earlier than loopback dev's removal when a
+netns is being destroyed, as fou/gue does.
+
+Note that vxlan and geneve udp tunnels don't have this issue, as the udp
+sock is released in their device ndo_stop().
+
+This fix is also necessary for tipc dst_cache, which will hold dsts on tx
+path and I will introduce in my next patch.
+
+Reported-by: Li Shuang <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Jon Maloy <jon.maloy@ericsson.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/core.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/tipc/core.c
++++ b/net/tipc/core.c
+@@ -132,7 +132,7 @@ static int __init tipc_init(void)
+ if (err)
+ goto out_sysctl;
+
+- err = register_pernet_subsys(&tipc_net_ops);
++ err = register_pernet_device(&tipc_net_ops);
+ if (err)
+ goto out_pernet;
+
+@@ -140,7 +140,7 @@ static int __init tipc_init(void)
+ if (err)
+ goto out_socket;
+
+- err = register_pernet_subsys(&tipc_topsrv_net_ops);
++ err = register_pernet_device(&tipc_topsrv_net_ops);
+ if (err)
+ goto out_pernet_topsrv;
+
+@@ -151,11 +151,11 @@ static int __init tipc_init(void)
+ pr_info("Started in single node mode\n");
+ return 0;
+ out_bearer:
+- unregister_pernet_subsys(&tipc_topsrv_net_ops);
++ unregister_pernet_device(&tipc_topsrv_net_ops);
+ out_pernet_topsrv:
+ tipc_socket_stop();
+ out_socket:
+- unregister_pernet_subsys(&tipc_net_ops);
++ unregister_pernet_device(&tipc_net_ops);
+ out_pernet:
+ tipc_unregister_sysctl();
+ out_sysctl:
+@@ -170,9 +170,9 @@ out_netlink:
+ static void __exit tipc_exit(void)
+ {
+ tipc_bearer_cleanup();
+- unregister_pernet_subsys(&tipc_topsrv_net_ops);
++ unregister_pernet_device(&tipc_topsrv_net_ops);
+ tipc_socket_stop();
+- unregister_pernet_subsys(&tipc_net_ops);
++ unregister_pernet_device(&tipc_net_ops);
+ tipc_netlink_stop();
+ tipc_netlink_compat_stop();
+ tipc_unregister_sysctl();
--- /dev/null
+From foo@baz Tue 02 Jul 2019 06:09:26 AM CEST
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 25 Jun 2019 00:28:19 +0800
+Subject: tipc: check msg->req data len in tipc_nl_compat_bearer_disable
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 4f07b80c973348a99b5d2a32476a2e7877e94a05 ]
+
+This patch is to fix an uninit-value issue, reported by syzbot:
+
+ BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:981
+ Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x191/0x1f0 lib/dump_stack.c:113
+ kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
+ __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
+ memchr+0xce/0x110 lib/string.c:981
+ string_is_valid net/tipc/netlink_compat.c:176 [inline]
+ tipc_nl_compat_bearer_disable+0x2a1/0x480 net/tipc/netlink_compat.c:449
+ __tipc_nl_compat_doit net/tipc/netlink_compat.c:327 [inline]
+ tipc_nl_compat_doit+0x3ac/0xb00 net/tipc/netlink_compat.c:360
+ tipc_nl_compat_handle net/tipc/netlink_compat.c:1178 [inline]
+ tipc_nl_compat_recv+0x1b1b/0x27b0 net/tipc/netlink_compat.c:1281
+
+TLV_GET_DATA_LEN() may return a negtive int value, which will be
+used as size_t (becoming a big unsigned long) passed into memchr,
+cause this issue.
+
+Similar to what it does in tipc_nl_compat_bearer_enable(), this
+fix is to return -EINVAL when TLV_GET_DATA_LEN() is negtive in
+tipc_nl_compat_bearer_disable(), as well as in
+tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats().
+
+v1->v2:
+ - add the missing Fixes tags per Eric's request.
+
+Fixes: 0762216c0ad2 ("tipc: fix uninit-value in tipc_nl_compat_bearer_enable")
+Fixes: 8b66fee7f8ee ("tipc: fix uninit-value in tipc_nl_compat_link_reset_stats")
+Reported-by: syzbot+30eaa8bf392f7fafffaf@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/netlink_compat.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -445,7 +445,11 @@ static int tipc_nl_compat_bearer_disable
+ if (!bearer)
+ return -EMSGSIZE;
+
+- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
++ len = TLV_GET_DATA_LEN(msg->req);
++ if (len <= 0)
++ return -EINVAL;
++
++ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
+ if (!string_is_valid(name, len))
+ return -EINVAL;
+
+@@ -537,7 +541,11 @@ static int tipc_nl_compat_link_stat_dump
+
+ name = (char *)TLV_DATA(msg->req);
+
+- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
++ len = TLV_GET_DATA_LEN(msg->req);
++ if (len <= 0)
++ return -EINVAL;
++
++ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
+ if (!string_is_valid(name, len))
+ return -EINVAL;
+
+@@ -815,7 +823,11 @@ static int tipc_nl_compat_link_reset_sta
+ if (!link)
+ return -EMSGSIZE;
+
+- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
++ len = TLV_GET_DATA_LEN(msg->req);
++ if (len <= 0)
++ return -EINVAL;
++
++ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
+ if (!string_is_valid(name, len))
+ return -EINVAL;
+
--- /dev/null
+From foo@baz Tue 02 Jul 2019 06:09:26 AM CEST
+From: Fei Li <lifei.shirley@bytedance.com>
+Date: Mon, 17 Jun 2019 21:26:36 +0800
+Subject: tun: wake up waitqueues after IFF_UP is set
+
+From: Fei Li <lifei.shirley@bytedance.com>
+
+[ Upstream commit 72b319dc08b4924a29f5e2560ef6d966fa54c429 ]
+
+Currently after setting tap0 link up, the tun code wakes tx/rx waited
+queues up in tun_net_open() when .ndo_open() is called, however the
+IFF_UP flag has not been set yet. If there's already a wait queue, it
+would fail to transmit when checking the IFF_UP flag in tun_sendmsg().
+Then the saving vhost_poll_start() will add the wq into wqh until it
+is waken up again. Although this works when IFF_UP flag has been set
+when tun_chr_poll detects; this is not true if IFF_UP flag has not
+been set at that time. Sadly the latter case is a fatal error, as
+the wq will never be waken up in future unless later manually
+setting link up on purpose.
+
+Fix this by moving the wakeup process into the NETDEV_UP event
+notifying process, this makes sure IFF_UP has been set before all
+waited queues been waken up.
+
+Signed-off-by: Fei Li <lifei.shirley@bytedance.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/tun.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -1024,18 +1024,8 @@ static void tun_net_uninit(struct net_de
+ /* Net device open. */
+ static int tun_net_open(struct net_device *dev)
+ {
+- struct tun_struct *tun = netdev_priv(dev);
+- int i;
+-
+ netif_tx_start_all_queues(dev);
+
+- for (i = 0; i < tun->numqueues; i++) {
+- struct tun_file *tfile;
+-
+- tfile = rtnl_dereference(tun->tfiles[i]);
+- tfile->socket.sk->sk_write_space(tfile->socket.sk);
+- }
+-
+ return 0;
+ }
+
+@@ -3443,6 +3433,7 @@ static int tun_device_event(struct notif
+ {
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+ struct tun_struct *tun = netdev_priv(dev);
++ int i;
+
+ if (dev->rtnl_link_ops != &tun_link_ops)
+ return NOTIFY_DONE;
+@@ -3452,6 +3443,14 @@ static int tun_device_event(struct notif
+ if (tun_queue_resize(tun))
+ return NOTIFY_BAD;
+ break;
++ case NETDEV_UP:
++ for (i = 0; i < tun->numqueues; i++) {
++ struct tun_file *tfile;
++
++ tfile = rtnl_dereference(tun->tfiles[i]);
++ tfile->socket.sk->sk_write_space(tfile->socket.sk);
++ }
++ break;
+ default:
+ break;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
