From: Greg Kroah-Hartman Date: Tue, 1 Oct 2019 14:02:14 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v4.4.195~73 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9e3990fe8521411a71962ad79e9f2f15aecdd733;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: appletalk-enforce-cap_net_raw-for-raw-sockets.patch arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch ax25-enforce-cap_net_raw-for-raw-sockets.patch cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch ieee802154-enforce-cap_net_raw-for-raw-sockets.patch macsec-drop-skb-sk-before-calling-gro_cells_receive.patch misdn-enforce-cap_net_raw-for-raw-sockets.patch net-mlx5-add-device-id-of-upcoming-bluefield-2.patch net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch net-qrtr-stop-rx_worker-before-freeing-node.patch net-sched-act_sample-don-t-push-mac-header-on-ip6gre-ingress.patch net-sched-fix-possible-crash-in-tcf_action_destroy.patch net_sched-add-max-len-check-for-tca_kind.patch nfc-enforce-cap_net_raw-for-raw-sockets.patch nfp-flower-fix-memory-leak-in-nfp_flower_spawn_vnic_reprs.patch nfp-flower-prevent-memory-leak-in-nfp_flower_spawn_phy_reprs.patch openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch ppp-fix-memory-leak-in-ppp_write.patch sch_netem-fix-a-divide-by-zero-in-tabledist.patch skge-fix-checksum-byte-order.patch tcp-better-handle-tcp_user_timeout-in-syn_sent-state.patch usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch --- diff --git a/queue-4.19/appletalk-enforce-cap_net_raw-for-raw-sockets.patch b/queue-4.19/appletalk-enforce-cap_net_raw-for-raw-sockets.patch new file mode 100644 index 00000000000..aa3815efcf6 --- /dev/null +++ b/queue-4.19/appletalk-enforce-cap_net_raw-for-raw-sockets.patch 
@@ -0,0 +1,34 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: Ori Nimron +Date: Fri, 20 Sep 2019 09:35:46 +0200 +Subject: appletalk: enforce CAP_NET_RAW for raw sockets + +From: Ori Nimron + +[ Upstream commit 6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac ] + +When creating a raw AF_APPLETALK socket, CAP_NET_RAW needs to be checked +first. + +Signed-off-by: Ori Nimron +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/appletalk/ddp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1028,6 +1028,11 @@ static int atalk_create(struct net *net, + */ + if (sock->type != SOCK_RAW && sock->type != SOCK_DGRAM) + goto out; ++ ++ rc = -EPERM; ++ if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW)) ++ goto out; ++ + rc = -ENOMEM; + sk = sk_alloc(net, PF_APPLETALK, GFP_KERNEL, &ddp_proto, kern); + if (!sk) diff --git a/queue-4.19/arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch b/queue-4.19/arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch new file mode 100644 index 00000000000..8035d1f9ad9 --- /dev/null +++ b/queue-4.19/arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch 
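Review bot: The new check `if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))` exempts kernel-internal sockets via `!kern`, while the sibling patches in this series — ax25 (L5), ieee802154 (L7), mISDN (L9) and nfc (L17) — call `capable(CAP_NET_RAW)` unconditionally, so the five families now differ on whether a `kern` socket is subject to the caller's credentials. Either align the hunks or record why appletalk alone follows the `inet_create()` pattern; a comment such as `/* raw sockets expose the link layer; kernel-internal (kern) sockets are exempt, as in inet_create() */` above the check would do. All five hunks also use `capable()` (initial user namespace) rather than `ns_capable(net->user_ns, CAP_NET_RAW)` as AF_INET raw sockets do, which is the stricter choice but worth stating explicitly since it refuses raw sockets inside user-namespace-owned netns. atalk_create()'s `out:` label and the rest of the function are outside the hunk.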
@@ -0,0 +1,101 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: "Uwe Kleine-König" +Date: Fri, 20 Sep 2019 16:08:21 +0200 +Subject: arcnet: provide a buffer big enough to actually receive packets + +From: "Uwe Kleine-König" + +[ Upstream commit 108639aac35eb57f1d0e8333f5fc8c7ff68df938 ] + +struct archdr is only big enough to hold the header of various types of +arcnet packets. So to provide enough space to hold the data read from +hardware provide a buffer large enough to hold a packet with maximal +size. + +The problem was noticed by the stack protector which makes the kernel +oops. + +Signed-off-by: Uwe Kleine-König +Acked-by: Michael Grzeschik +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/arcnet/arcnet.c | 31 +++++++++++++++++-------------- + 1 file changed, 17 insertions(+), 14 deletions(-) + +--- a/drivers/net/arcnet/arcnet.c ++++ b/drivers/net/arcnet/arcnet.c +@@ -1063,31 +1063,34 @@ EXPORT_SYMBOL(arcnet_interrupt); + static void arcnet_rx(struct net_device *dev, int bufnum) + { + struct arcnet_local *lp = netdev_priv(dev); +- struct archdr pkt; ++ union { ++ struct archdr pkt; ++ char buf[512]; ++ } rxdata; + struct arc_rfc1201 *soft; + int length, ofs; + +- soft = &pkt.soft.rfc1201; ++ soft = &rxdata.pkt.soft.rfc1201; + +- lp->hw.copy_from_card(dev, bufnum, 0, &pkt, ARC_HDR_SIZE); +- if (pkt.hard.offset[0]) { +- ofs = pkt.hard.offset[0]; ++ lp->hw.copy_from_card(dev, bufnum, 0, &rxdata.pkt, ARC_HDR_SIZE); ++ if (rxdata.pkt.hard.offset[0]) { ++ ofs = rxdata.pkt.hard.offset[0]; + length = 256 - ofs; + } else { +- ofs = pkt.hard.offset[1]; ++ ofs = rxdata.pkt.hard.offset[1]; + length = 512 - ofs; + } + + /* get the full header, if possible */ +- if (sizeof(pkt.soft) <= length) { +- lp->hw.copy_from_card(dev, bufnum, ofs, soft, sizeof(pkt.soft)); ++ if (sizeof(rxdata.pkt.soft) <= length) { ++ lp->hw.copy_from_card(dev, bufnum, ofs, soft, sizeof(rxdata.pkt.soft)); + } else { +- memset(&pkt.soft, 0, 
sizeof(pkt.soft)); ++ memset(&rxdata.pkt.soft, 0, sizeof(rxdata.pkt.soft)); + lp->hw.copy_from_card(dev, bufnum, ofs, soft, length); + } + + arc_printk(D_DURING, dev, "Buffer #%d: received packet from %02Xh to %02Xh (%d+4 bytes)\n", +- bufnum, pkt.hard.source, pkt.hard.dest, length); ++ bufnum, rxdata.pkt.hard.source, rxdata.pkt.hard.dest, length); + + dev->stats.rx_packets++; + dev->stats.rx_bytes += length + ARC_HDR_SIZE; +@@ -1096,13 +1099,13 @@ static void arcnet_rx(struct net_device + if (arc_proto_map[soft->proto]->is_ip) { + if (BUGLVL(D_PROTO)) { + struct ArcProto +- *oldp = arc_proto_map[lp->default_proto[pkt.hard.source]], ++ *oldp = arc_proto_map[lp->default_proto[rxdata.pkt.hard.source]], + *newp = arc_proto_map[soft->proto]; + + if (oldp != newp) { + arc_printk(D_PROTO, dev, + "got protocol %02Xh; encap for host %02Xh is now '%c' (was '%c')\n", +- soft->proto, pkt.hard.source, ++ soft->proto, rxdata.pkt.hard.source, + newp->suffix, oldp->suffix); + } + } +@@ -1111,10 +1114,10 @@ static void arcnet_rx(struct net_device + lp->default_proto[0] = soft->proto; + + /* in striking contrast, the following isn't a hack. */ +- lp->default_proto[pkt.hard.source] = soft->proto; ++ lp->default_proto[rxdata.pkt.hard.source] = soft->proto; + } + /* call the protocol-specific receiver. */ +- arc_proto_map[soft->proto]->rx(dev, bufnum, &pkt, length); ++ arc_proto_map[soft->proto]->rx(dev, bufnum, &rxdata.pkt, length); + } + + static void null_rx(struct net_device *dev, int bufnum, diff --git a/queue-4.19/ax25-enforce-cap_net_raw-for-raw-sockets.patch b/queue-4.19/ax25-enforce-cap_net_raw-for-raw-sockets.patch new file mode 100644 index 00000000000..ffef77b3ffb --- /dev/null +++ b/queue-4.19/ax25-enforce-cap_net_raw-for-raw-sockets.patch 
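Review bot: The `512` in `char buf[512];` is a bare magic number that repeats the `512 - ofs` literal a few lines below without saying what it is; a named constant, or at least a comment above the union such as `/* the ARCnet hardware buffer is 512 bytes; archdr covers only the headers and the protocol rx handlers fill the packet in place, so reserve the full buffer */`, would tie the two together. The safety of the change rests on every `arc_proto_map[...]->rx()` handler writing at most `sizeof(rxdata)` bytes into `&rxdata.pkt`; those handlers are outside this hunk and should be checked against that bound, since `length` here is computed from the hardware-supplied `offset[]` bytes. arcnet_rx() spans both hunks and nothing about the copies themselves changes; only the destination object grows.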
@@ -0,0 +1,31 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: Ori Nimron +Date: Fri, 20 Sep 2019 09:35:47 +0200 +Subject: ax25: enforce CAP_NET_RAW for raw sockets + +From: Ori Nimron + +[ Upstream commit 0614e2b73768b502fc32a75349823356d98aae2c ] + +When creating a raw AF_AX25 socket, CAP_NET_RAW needs to be checked +first. + +Signed-off-by: Ori Nimron +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ax25/af_ax25.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -858,6 +858,8 @@ static int ax25_create(struct net *net, + break; + + case SOCK_RAW: ++ if (!capable(CAP_NET_RAW)) ++ return -EPERM; + break; + default: + return -ESOCKTNOSUPPORT; diff --git a/queue-4.19/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch b/queue-4.19/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch new file mode 100644 index 00000000000..790f2c402af --- /dev/null +++ b/queue-4.19/cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch 
@@ -0,0 +1,41 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: "Bjørn Mork" +Date: Wed, 18 Sep 2019 14:01:46 +0200 +Subject: cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize + +From: "Bjørn Mork" + +[ Upstream commit 3fe4b3351301660653a2bc73f2226da0ebd2b95e ] + +Endpoints with zero wMaxPacketSize are not usable for transferring +data. Ignore such endpoints when looking for valid in, out and +status pipes, to make the driver more robust against invalid and +meaningless descriptors. + +The wMaxPacketSize of the out pipe is used as divisor. So this change +fixes a divide-by-zero bug. + +Reported-by: syzbot+ce366e2b8296e25d84f5@syzkaller.appspotmail.com +Signed-off-by: Bjørn Mork +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc_ncm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -681,8 +681,12 @@ cdc_ncm_find_endpoints(struct usbnet *de + u8 ep; + + for (ep = 0; ep < intf->cur_altsetting->desc.bNumEndpoints; ep++) { +- + e = intf->cur_altsetting->endpoint + ep; ++ ++ /* ignore endpoints which cannot transfer data */ ++ if (!usb_endpoint_maxp(&e->desc)) ++ continue; ++ + switch (e->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) { + case USB_ENDPOINT_XFER_INT: + if (usb_endpoint_dir_in(&e->desc)) { diff --git a/queue-4.19/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch b/queue-4.19/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch new file mode 100644 index 00000000000..0a8e3b39be3 --- /dev/null +++ b/queue-4.19/ieee802154-enforce-cap_net_raw-for-raw-sockets.patch 
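Review bot: The comment `/* ignore endpoints which cannot transfer data */` above the new `if (!usb_endpoint_maxp(&e->desc))` states the what but not the why that motivated the change; suggest `/* a zero wMaxPacketSize cannot carry data and is later used as a divisor */`. The guard runs before the `switch` on the transfer type, so it also filters the interrupt status endpoint, which is harmless but worth a word so nobody moves it into the bulk cases only. cdc_ncm_find_endpoints() continues past the hunk; the code that divides by the out pipe's size is not visible here.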
@@ -0,0 +1,33 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: Ori Nimron +Date: Fri, 20 Sep 2019 09:35:48 +0200 +Subject: ieee802154: enforce CAP_NET_RAW for raw sockets + +From: Ori Nimron + +[ Upstream commit e69dbd4619e7674c1679cba49afd9dd9ac347eef ] + +When creating a raw AF_IEEE802154 socket, CAP_NET_RAW needs to be +checked first. + +Signed-off-by: Ori Nimron +Signed-off-by: Greg Kroah-Hartman +Acked-by: Stefan Schmidt +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/socket.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ieee802154/socket.c ++++ b/net/ieee802154/socket.c +@@ -1018,6 +1018,9 @@ static int ieee802154_create(struct net + + switch (sock->type) { + case SOCK_RAW: ++ rc = -EPERM; ++ if (!capable(CAP_NET_RAW)) ++ goto out; + proto = &ieee802154_raw_prot; + ops = &ieee802154_raw_ops; + break; diff --git a/queue-4.19/macsec-drop-skb-sk-before-calling-gro_cells_receive.patch b/queue-4.19/macsec-drop-skb-sk-before-calling-gro_cells_receive.patch new file mode 100644 index 00000000000..6f6d178cc73 --- /dev/null +++ b/queue-4.19/macsec-drop-skb-sk-before-calling-gro_cells_receive.patch 
@@ -0,0 +1,61 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: Xin Long +Date: Mon, 23 Sep 2019 17:02:46 +0800 +Subject: macsec: drop skb sk before calling gro_cells_receive + +From: Xin Long + +[ Upstream commit ba56d8ce38c8252fff5b745db3899cf092578ede ] + +Fei Liu reported a crash when doing netperf on a topo of macsec +dev over veth: + + [ 448.919128] refcount_t: underflow; use-after-free. + [ 449.090460] Call trace: + [ 449.092895] refcount_sub_and_test+0xb4/0xc0 + [ 449.097155] tcp_wfree+0x2c/0x150 + [ 449.100460] ip_rcv+0x1d4/0x3a8 + [ 449.103591] __netif_receive_skb_core+0x554/0xae0 + [ 449.108282] __netif_receive_skb+0x28/0x78 + [ 449.112366] netif_receive_skb_internal+0x54/0x100 + [ 449.117144] napi_gro_complete+0x70/0xc0 + [ 449.121054] napi_gro_flush+0x6c/0x90 + [ 449.124703] napi_complete_done+0x50/0x130 + [ 449.128788] gro_cell_poll+0x8c/0xa8 + [ 449.132351] net_rx_action+0x16c/0x3f8 + [ 449.136088] __do_softirq+0x128/0x320 + +The issue was caused by skb's true_size changed without its sk's +sk_wmem_alloc increased in tcp/skb_gro_receive(). Later when the +skb is being freed and the skb's truesize is subtracted from its +sk's sk_wmem_alloc in tcp_wfree(), underflow occurs. + +macsec is calling gro_cells_receive() to receive a packet, which +actually requires skb->sk to be NULL. However when macsec dev is +over veth, it's possible the skb->sk is still set if the skb was +not unshared or expanded from the peer veth. + +ip_rcv() is calling skb_orphan() to drop the skb's sk for tproxy, +but it is too late for macsec's calling gro_cells_receive(). So +fix it by dropping the skb's sk earlier on rx path of macsec. + +Fixes: 5491e7c6b1a9 ("macsec: enable GRO and RPS on macsec devices") +Reported-by: Xiumei Mu +Reported-by: Fei Liu +Signed-off-by: Xin Long +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macsec.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -1238,6 +1238,7 @@ deliver: + macsec_rxsa_put(rx_sa); + macsec_rxsc_put(rx_sc); + ++ skb_orphan(skb); + ret = gro_cells_receive(&macsec->gro_cells, skb); + if (ret == NET_RX_SUCCESS) + count_rx(dev, skb->len); diff --git a/queue-4.19/misdn-enforce-cap_net_raw-for-raw-sockets.patch b/queue-4.19/misdn-enforce-cap_net_raw-for-raw-sockets.patch new file mode 100644 index 00000000000..bc382246b7c --- /dev/null +++ b/queue-4.19/misdn-enforce-cap_net_raw-for-raw-sockets.patch @@ -0,0 +1,31 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: Ori Nimron +Date: Fri, 20 Sep 2019 09:35:45 +0200 +Subject: mISDN: enforce CAP_NET_RAW for raw sockets + +From: Ori Nimron + +[ Upstream commit b91ee4aa2a2199ba4d4650706c272985a5a32d80 ] + +When creating a raw AF_ISDN socket, CAP_NET_RAW needs to be checked +first. + +Signed-off-by: Ori Nimron +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/isdn/mISDN/socket.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/isdn/mISDN/socket.c ++++ b/drivers/isdn/mISDN/socket.c +@@ -764,6 +764,8 @@ base_sock_create(struct net *net, struct + + if (sock->type != SOCK_RAW) + return -ESOCKTNOSUPPORT; ++ if (!capable(CAP_NET_RAW)) ++ return -EPERM; + + sk = sk_alloc(net, PF_ISDN, GFP_KERNEL, &mISDN_proto, kern); + if (!sk) diff --git a/queue-4.19/net-mlx5-add-device-id-of-upcoming-bluefield-2.patch b/queue-4.19/net-mlx5-add-device-id-of-upcoming-bluefield-2.patch new file mode 100644 index 00000000000..928eface6fb --- /dev/null +++ b/queue-4.19/net-mlx5-add-device-id-of-upcoming-bluefield-2.patch 
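Review bot: The added `skb_orphan(skb);` before `gro_cells_receive()` encodes an ordering requirement that a future refactor could easily undo without a comment; suggest `/* gro_cells_receive() requires skb->sk == NULL: over veth the sender's socket may still own the skb and GRO merging would corrupt its wmem accounting */`. The orphan is placed only under the `deliver:` label shown here; if macsec hands skbs to `gro_cells_receive()` on any other receive path outside this hunk, that path would need the same treatment, which is worth confirming. The enclosing function begins before the hunk.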
@@ -0,0 +1,31 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: Bodong Wang +Date: Mon, 26 Aug 2019 16:34:12 -0500 +Subject: net/mlx5: Add device ID of upcoming BlueField-2 + +From: Bodong Wang + +[ Upstream commit d19a79ee38c8fda6d297e4227e80db8bf51c71a6 ] + +Add the device ID of upcoming BlueField-2 integrated ConnectX-6 Dx +network controller. Its VFs will be using the generic VF device ID: +0x101e "ConnectX Family mlx5Gen Virtual Function". + +Fixes: 2e9d3e83ab82 ("net/mlx5: Update the list of the PCI supported devices") +Signed-off-by: Bodong Wang +Signed-off-by: Saeed Mahameed +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1642,6 +1642,7 @@ static const struct pci_device_id mlx5_c + { PCI_VDEVICE(MELLANOX, 0x101c), MLX5_PCI_DEV_IS_VF}, /* ConnectX-6 VF */ + { PCI_VDEVICE(MELLANOX, 0xa2d2) }, /* BlueField integrated ConnectX-5 network controller */ + { PCI_VDEVICE(MELLANOX, 0xa2d3), MLX5_PCI_DEV_IS_VF}, /* BlueField integrated ConnectX-5 network controller VF */ ++ { PCI_VDEVICE(MELLANOX, 0xa2d6) }, /* BlueField-2 integrated ConnectX-6 Dx network controller */ + { 0, } + }; + diff --git a/queue-4.19/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch b/queue-4.19/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch new file mode 100644 index 00000000000..d90fde349c9 --- /dev/null +++ b/queue-4.19/net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch 
@@ -0,0 +1,45 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: Peter Mamonov +Date: Wed, 18 Sep 2019 19:27:55 +0300 +Subject: net/phy: fix DP83865 10 Mbps HDX loopback disable function + +From: Peter Mamonov + +[ Upstream commit e47488b2df7f9cb405789c7f5d4c27909fc597ae ] + +According to the DP83865 datasheet "the 10 Mbps HDX loopback can be +disabled in the expanded memory register 0x1C0.1". The driver erroneously +used bit 0 instead of bit 1. + +Fixes: 4621bf129856 ("phy: Add file missed in previous commit.") +Signed-off-by: Peter Mamonov +Reviewed-by: Andrew Lunn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/national.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/phy/national.c ++++ b/drivers/net/phy/national.c +@@ -110,14 +110,17 @@ static void ns_giga_speed_fallback(struc + + static void ns_10_base_t_hdx_loopack(struct phy_device *phydev, int disable) + { ++ u16 lb_dis = BIT(1); ++ + if (disable) +- ns_exp_write(phydev, 0x1c0, ns_exp_read(phydev, 0x1c0) | 1); ++ ns_exp_write(phydev, 0x1c0, ++ ns_exp_read(phydev, 0x1c0) | lb_dis); + else + ns_exp_write(phydev, 0x1c0, +- ns_exp_read(phydev, 0x1c0) & 0xfffe); ++ ns_exp_read(phydev, 0x1c0) & ~lb_dis); + + pr_debug("10BASE-T HDX loopback %s\n", +- (ns_exp_read(phydev, 0x1c0) & 0x0001) ? "off" : "on"); ++ (ns_exp_read(phydev, 0x1c0) & lb_dis) ? "off" : "on"); + } + + static int ns_config_init(struct phy_device *phydev) diff --git a/queue-4.19/net-qrtr-stop-rx_worker-before-freeing-node.patch b/queue-4.19/net-qrtr-stop-rx_worker-before-freeing-node.patch new file mode 100644 index 00000000000..579f0ce0294 --- /dev/null +++ b/queue-4.19/net-qrtr-stop-rx_worker-before-freeing-node.patch 
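Review bot: `u16 lb_dis = BIT(1);` introduces the register bit as a mutable local inside ns_10_base_t_hdx_loopack(), where it reads like state rather than a hardware constant; a file-scope definition next to the driver's other register constants (e.g. a `#define` or `static const u16`) would also document which datasheet field it is. Whatever form is chosen, keep a comment with it, e.g. `/* expanded memory register 0x1c0, bit 1: 10 Mbps HDX loopback disable (DP83865 datasheet) */`, since the commit message is currently the only place the bit's meaning is recorded. The pre-existing typo in the function name (`loopack`) is untouched here and could be fixed separately.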
@@ -0,0 +1,33 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: Bjorn Andersson +Date: Wed, 18 Sep 2019 10:21:17 -0700 +Subject: net: qrtr: Stop rx_worker before freeing node + +From: Bjorn Andersson + +[ Upstream commit 73f0c11d11329a0d6d205d4312b6e5d2512af7c5 ] + +As the endpoint is unregistered there might still be work pending to +handle incoming messages, which will result in a use after free +scenario. The plan is to remove the rx_worker, but until then (and for +stable@) ensure that the work is stopped before the node is freed. + +Fixes: bdabad3e363d ("net: Add Qualcomm IPC router") +Cc: stable@vger.kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/qrtr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/qrtr/qrtr.c ++++ b/net/qrtr/qrtr.c +@@ -157,6 +157,7 @@ static void __qrtr_node_release(struct k + list_del(&node->item); + mutex_unlock(&qrtr_node_lock); + ++ cancel_work_sync(&node->work); + skb_queue_purge(&node->rx_queue); + kfree(node); + } diff --git a/queue-4.19/net-sched-act_sample-don-t-push-mac-header-on-ip6gre-ingress.patch b/queue-4.19/net-sched-act_sample-don-t-push-mac-header-on-ip6gre-ingress.patch new file mode 100644 index 00000000000..d22d2affc64 --- /dev/null +++ b/queue-4.19/net-sched-act_sample-don-t-push-mac-header-on-ip6gre-ingress.patch 
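Review bot: `cancel_work_sync(&node->work);` is a blocking call inside a kref release function; it is correctly placed after `mutex_unlock(&qrtr_node_lock)`, but it would deadlock if __qrtr_node_release() could ever run from the rx work item itself (a final put inside the worker) or from atomic context. The visible lines do not show who drops the last reference, so that should be confirmed before backporting. A comment such as `/* the worker may still be draining rx_queue; stop it before the purge and kfree below */` would record the ordering requirement against `skb_queue_purge()`. The function's opening lines are outside the hunk.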
@@ -0,0 +1,40 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: Davide Caratti +Date: Tue, 17 Sep 2019 11:30:55 +0200 +Subject: net/sched: act_sample: don't push mac header on ip6gre ingress + +From: Davide Caratti + +[ Upstream commit 92974a1d006ad8b30d53047c70974c9e065eb7df ] + +current 'sample' action doesn't push the mac header of ingress packets if +they are received by a layer 3 tunnel (like gre or sit); but it forgot to +check for gre over ipv6, so the following script: + + # tc q a dev $d clsact + # tc f a dev $d ingress protocol ip flower ip_proto icmp action sample \ + > group 100 rate 1 + # psample -v -g 100 + +dumps everything, including outer header and mac, when $d is a gre tunnel +over ipv6. Fix this adding a missing label for ARPHRD_IP6GRE devices. + +Fixes: 5c5670fae430 ("net/sched: Introduce sample tc action") +Signed-off-by: Davide Caratti +Reviewed-by: Yotam Gigi +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_sample.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sched/act_sample.c ++++ b/net/sched/act_sample.c +@@ -134,6 +134,7 @@ static bool tcf_sample_dev_ok_push(struc + case ARPHRD_TUNNEL6: + case ARPHRD_SIT: + case ARPHRD_IPGRE: ++ case ARPHRD_IP6GRE: + case ARPHRD_VOID: + case ARPHRD_NONE: + return false; diff --git a/queue-4.19/net-sched-fix-possible-crash-in-tcf_action_destroy.patch b/queue-4.19/net-sched-fix-possible-crash-in-tcf_action_destroy.patch new file mode 100644 index 00000000000..d2749ffedec --- /dev/null +++ b/queue-4.19/net-sched-fix-possible-crash-in-tcf_action_destroy.patch 
@@ -0,0 +1,72 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: Eric Dumazet +Date: Wed, 18 Sep 2019 12:57:04 -0700 +Subject: net: sched: fix possible crash in tcf_action_destroy() + +From: Eric Dumazet + +[ Upstream commit 3d66b89c30f9220a72e92847768fc8ba4d027d88 ] + +If the allocation done in tcf_exts_init() failed, +we end up with a NULL pointer in exts->actions. + +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] PREEMPT SMP KASAN +CPU: 1 PID: 8198 Comm: syz-executor.3 Not tainted 5.3.0-rc8+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:tcf_action_destroy+0x71/0x160 net/sched/act_api.c:705 +Code: c3 08 44 89 ee e8 4f cb bb fb 41 83 fd 20 0f 84 c9 00 00 00 e8 c0 c9 bb fb 48 89 d8 48 b9 00 00 00 00 00 fc ff df 48 c1 e8 03 <80> 3c 08 00 0f 85 c0 00 00 00 4c 8b 33 4d 85 f6 0f 84 9d 00 00 00 +RSP: 0018:ffff888096e16ff0 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 0000000000000000 RCX: dffffc0000000000 +RDX: 0000000000040000 RSI: ffffffff85b6ab30 RDI: 0000000000000000 +RBP: ffff888096e17020 R08: ffff8880993f6140 R09: fffffbfff11cae67 +R10: fffffbfff11cae66 R11: ffffffff88e57333 R12: 0000000000000000 +R13: 0000000000000000 R14: ffff888096e177a0 R15: 0000000000000001 +FS: 00007f62bc84a700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000758040 CR3: 0000000088b64000 CR4: 00000000001426e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + tcf_exts_destroy+0x38/0xb0 net/sched/cls_api.c:3030 + tcindex_set_parms+0xf7f/0x1e50 net/sched/cls_tcindex.c:488 + tcindex_change+0x230/0x318 net/sched/cls_tcindex.c:519 + tc_new_tfilter+0xa4b/0x1c70 net/sched/cls_api.c:2152 + rtnetlink_rcv_msg+0x838/0xb00 net/core/rtnetlink.c:5214 + netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 + 
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5241 + netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328 + netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:637 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:657 + ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311 + __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413 + __do_sys_sendmmsg net/socket.c:2442 [inline] + +Fixes: 90b73b77d08e ("net: sched: change action API to use array of pointers to actions") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Vlad Buslov +Cc: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/cls_api.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/sched/cls_api.c ++++ b/net/sched/cls_api.c +@@ -2038,8 +2038,10 @@ out: + void tcf_exts_destroy(struct tcf_exts *exts) + { + #ifdef CONFIG_NET_CLS_ACT +- tcf_action_destroy(exts->actions, TCA_ACT_UNBIND); +- kfree(exts->actions); ++ if (exts->actions) { ++ tcf_action_destroy(exts->actions, TCA_ACT_UNBIND); ++ kfree(exts->actions); ++ } + exts->nr_actions = 0; + #endif + } diff --git a/queue-4.19/net_sched-add-max-len-check-for-tca_kind.patch b/queue-4.19/net_sched-add-max-len-check-for-tca_kind.patch new file mode 100644 index 00000000000..e0927cc58bc --- /dev/null +++ b/queue-4.19/net_sched-add-max-len-check-for-tca_kind.patch 
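Review bot: After `kfree(exts->actions);` the pointer is left dangling while `exts->nr_actions` is reset to 0; since the new `if (exts->actions)` guard makes tcf_exts_destroy() tolerate a NULL array, also clearing it — `exts->actions = NULL;` next to `exts->nr_actions = 0;` — would make the function idempotent, so a second call on the same `exts` (the tcindex error path in the trace destroys a partially initialised one) becomes a no-op rather than a double free. Whether any caller can actually reach the function twice is not visible here. `kfree(NULL)` is itself a no-op, so the guard only matters for `tcf_action_destroy()`; a short comment saying so would make the intent clear.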
@@ -0,0 +1,39 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: Cong Wang +Date: Wed, 18 Sep 2019 16:24:12 -0700 +Subject: net_sched: add max len check for TCA_KIND + +From: Cong Wang + +[ Upstream commit 62794fc4fbf52f2209dc094ea255eaef760e7d01 ] + +The TCA_KIND attribute is of NLA_STRING which does not check +the NUL char. KMSAN reported an uninit-value of TCA_KIND which +is likely caused by the lack of NUL. + +Change it to NLA_NUL_STRING and add a max len too. + +Fixes: 8b4c3cdd9dd8 ("net: sched: Add policy validation for tc attributes") +Reported-and-tested-by: syzbot+618aacd49e8c8b8486bd@syzkaller.appspotmail.com +Cc: Jamal Hadi Salim +Signed-off-by: Cong Wang +Reviewed-by: David Ahern +Acked-by: Jiri Pirko +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_api.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1308,7 +1308,8 @@ check_loop_fn(struct Qdisc *q, unsigned + } + + const struct nla_policy rtm_tca_policy[TCA_MAX + 1] = { +- [TCA_KIND] = { .type = NLA_STRING }, ++ [TCA_KIND] = { .type = NLA_NUL_STRING, ++ .len = IFNAMSIZ - 1 }, + [TCA_RATE] = { .type = NLA_BINARY, + .len = sizeof(struct tc_estimator) }, + [TCA_STAB] = { .type = NLA_NESTED }, diff --git a/queue-4.19/nfc-enforce-cap_net_raw-for-raw-sockets.patch b/queue-4.19/nfc-enforce-cap_net_raw-for-raw-sockets.patch new file mode 100644 index 00000000000..db0099d3f99 --- /dev/null +++ b/queue-4.19/nfc-enforce-cap_net_raw-for-raw-sockets.patch 
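Review bot: The new `.len = IFNAMSIZ - 1` bound carries no comment explaining why an interface-name size limits a qdisc kind; the kind is matched against `Qdisc_ops.id`, which is declared `char id[IFNAMSIZ]`, so a comment such as `/* kind is matched against Qdisc_ops.id[IFNAMSIZ] */` would keep the two in sync. With NLA_NUL_STRING the `.len` excludes the terminator, so `IFNAMSIZ - 1` is the correct maximum. Other netlink policies that accept a kind string (for example for actions) are outside this hunk and may need the same tightening.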
@@ -0,0 +1,38 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: Ori Nimron +Date: Fri, 20 Sep 2019 09:35:49 +0200 +Subject: nfc: enforce CAP_NET_RAW for raw sockets + +From: Ori Nimron + +[ Upstream commit 3a359798b176183ef09efb7a3dc59abad1cc7104 ] + +When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked +first. + +Signed-off-by: Ori Nimron +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/llcp_sock.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -1011,10 +1011,13 @@ static int llcp_sock_create(struct net * + sock->type != SOCK_RAW) + return -ESOCKTNOSUPPORT; + +- if (sock->type == SOCK_RAW) ++ if (sock->type == SOCK_RAW) { ++ if (!capable(CAP_NET_RAW)) ++ return -EPERM; + sock->ops = &llcp_rawsock_ops; +- else ++ } else { + sock->ops = &llcp_sock_ops; ++ } + + sk = nfc_llcp_sock_alloc(sock, sock->type, GFP_ATOMIC, kern); + if (sk == NULL) diff --git a/queue-4.19/nfp-flower-fix-memory-leak-in-nfp_flower_spawn_vnic_reprs.patch b/queue-4.19/nfp-flower-fix-memory-leak-in-nfp_flower_spawn_vnic_reprs.patch new file mode 100644 index 00000000000..a3af4401e44 --- /dev/null +++ b/queue-4.19/nfp-flower-fix-memory-leak-in-nfp_flower_spawn_vnic_reprs.patch 
@@ -0,0 +1,47 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: Navid Emamdoost +Date: Wed, 25 Sep 2019 14:05:09 -0500 +Subject: nfp: flower: fix memory leak in nfp_flower_spawn_vnic_reprs + +From: Navid Emamdoost + +[ Upstream commit 8ce39eb5a67aee25d9f05b40b673c95b23502e3e ] + +In nfp_flower_spawn_vnic_reprs in the loop if initialization or the +allocations fail memory is leaked. Appropriate releases are added. + +Fixes: b94524529741 ("nfp: flower: add per repr private data for LAG offload") +Signed-off-by: Navid Emamdoost +Acked-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/flower/main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/netronome/nfp/flower/main.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/main.c +@@ -373,6 +373,7 @@ nfp_flower_spawn_phy_reprs(struct nfp_ap + repr_priv = kzalloc(sizeof(*repr_priv), GFP_KERNEL); + if (!repr_priv) { + err = -ENOMEM; ++ nfp_repr_free(repr); + goto err_reprs_clean; + } + +@@ -382,6 +383,7 @@ nfp_flower_spawn_phy_reprs(struct nfp_ap + port = nfp_port_alloc(app, NFP_PORT_PHYS_PORT, repr); + if (IS_ERR(port)) { + err = PTR_ERR(port); ++ kfree(repr_priv); + nfp_repr_free(repr); + goto err_reprs_clean; + } +@@ -399,6 +401,7 @@ nfp_flower_spawn_phy_reprs(struct nfp_ap + err = nfp_repr_init(app, repr, + cmsg_port_id, port, priv->nn->dp.netdev); + if (err) { ++ kfree(repr_priv); + nfp_port_free(port); + nfp_repr_free(repr); + goto err_reprs_clean; diff --git a/queue-4.19/nfp-flower-prevent-memory-leak-in-nfp_flower_spawn_phy_reprs.patch b/queue-4.19/nfp-flower-prevent-memory-leak-in-nfp_flower_spawn_phy_reprs.patch new file mode 100644 index 00000000000..14aaba31ec5 --- /dev/null +++ b/queue-4.19/nfp-flower-prevent-memory-leak-in-nfp_flower_spawn_phy_reprs.patch 
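Review bot: The patch file is named after nfp_flower_spawn_vnic_reprs, but all three hunks here modify nfp_flower_spawn_phy_reprs() (the `@@` context lines show it), and the companion patch (L19) has the reverse mismatch; the subjects should be corrected so `git log` points at the function actually fixed. The added `nfp_repr_free(repr);` and `kfree(repr_priv);` calls extend a hand-written unwind sequence on each failure branch, which is how the original leaks arose, so a goto ladder is worth considering in a follow-up once the whole loop body is in view. The explicit `kfree(repr_priv)` assumes `nfp_repr_free()` does not already release the netdev's app_priv; that is not visible here and should be confirmed to rule out a double free. The loop body and the `err_reprs_clean` label lie outside the hunks.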
@@ -0,0 +1,48 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: Navid Emamdoost +Date: Wed, 25 Sep 2019 13:24:02 -0500 +Subject: nfp: flower: prevent memory leak in nfp_flower_spawn_phy_reprs + +From: Navid Emamdoost + +[ Upstream commit 8572cea1461a006bce1d06c0c4b0575869125fa4 ] + +In nfp_flower_spawn_phy_reprs, in the for loop over eth_tbl if any of +intermediate allocations or initializations fail memory is leaked. +requiered releases are added. + +Fixes: b94524529741 ("nfp: flower: add per repr private data for LAG offload") +Signed-off-by: Navid Emamdoost +Acked-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/flower/main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/netronome/nfp/flower/main.c ++++ b/drivers/net/ethernet/netronome/nfp/flower/main.c +@@ -259,6 +259,7 @@ nfp_flower_spawn_vnic_reprs(struct nfp_a + repr_priv = kzalloc(sizeof(*repr_priv), GFP_KERNEL); + if (!repr_priv) { + err = -ENOMEM; ++ nfp_repr_free(repr); + goto err_reprs_clean; + } + +@@ -291,6 +292,7 @@ nfp_flower_spawn_vnic_reprs(struct nfp_a + err = nfp_repr_init(app, repr, + port_id, port, priv->nn->dp.netdev); + if (err) { ++ kfree(repr_priv); + nfp_port_free(port); + nfp_repr_free(repr); + goto err_reprs_clean; +@@ -389,6 +391,7 @@ nfp_flower_spawn_phy_reprs(struct nfp_ap + } + err = nfp_port_init_phy_port(app->pf, app, port, i); + if (err) { ++ kfree(repr_priv); + nfp_port_free(port); + nfp_repr_free(repr); + goto err_reprs_clean; diff --git a/queue-4.19/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch b/queue-4.19/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch new file mode 100644 index 00000000000..ade3f1684a7 --- /dev/null +++ b/queue-4.19/openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch 
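Review bot: The first two hunks patch nfp_flower_spawn_vnic_reprs(), but the `nfp_port_alloc()` failure branch that sits between them (after `@@ -259` and before `@@ -291`) is not shown; if it frees only the netdev with `nfp_repr_free(repr)` and not `repr_priv`, the same leak persists on that path, whereas the phy function in the companion patch (L18) now adds `kfree(repr_priv);` there. Worth checking that branch and adding the same line so the two functions unwind identically. As with L18, the patch title names the other function than the one most of the hunks touch.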
@@ -0,0 +1,40 @@ +From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST +From: Li RongQing +Date: Tue, 24 Sep 2019 19:11:52 +0800 +Subject: openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC + +From: Li RongQing + +[ Upstream commit ea8564c865299815095bebeb4b25bef474218e4c ] + +userspace openvswitch patch "(dpif-linux: Implement the API +functions to allow multiple handler threads read upcall)" +changes its type from U32 to UNSPEC, but leave the kernel +unchanged + +and after kernel 6e237d099fac "(netlink: Relax attr validation +for fixed length types)", this bug is exposed by the below +warning + + [ 57.215841] netlink: 'ovs-vswitchd': attribute type 5 has an invalid length. + +Fixes: 5cd667b0a456 ("openvswitch: Allow each vport to have an array of 'port_id's") +Signed-off-by: Li RongQing +Acked-by: Pravin B Shelar +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/datapath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -2239,7 +2239,7 @@ static const struct nla_policy vport_pol + [OVS_VPORT_ATTR_STATS] = { .len = sizeof(struct ovs_vport_stats) }, + [OVS_VPORT_ATTR_PORT_NO] = { .type = NLA_U32 }, + [OVS_VPORT_ATTR_TYPE] = { .type = NLA_U32 }, +- [OVS_VPORT_ATTR_UPCALL_PID] = { .type = NLA_U32 }, ++ [OVS_VPORT_ATTR_UPCALL_PID] = { .type = NLA_UNSPEC }, + [OVS_VPORT_ATTR_OPTIONS] = { .type = NLA_NESTED }, + [OVS_VPORT_ATTR_IFINDEX] = { .type = NLA_U32 }, + [OVS_VPORT_ATTR_NETNSID] = { .type = NLA_S32 }, diff --git a/queue-4.19/ppp-fix-memory-leak-in-ppp_write.patch b/queue-4.19/ppp-fix-memory-leak-in-ppp_write.patch new file mode 100644 index 00000000000..6b2376c637d --- /dev/null +++ b/queue-4.19/ppp-fix-memory-leak-in-ppp_write.patch 
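Review bot: Changing `[OVS_VPORT_ATTR_UPCALL_PID]` to `{ .type = NLA_UNSPEC }` with no `.len` removes all generic length validation for the attribute, so the consumer must now itself reject lengths that are zero or not a multiple of `sizeof(u32)`; that reader is outside the hunk and should be confirmed to check `nla_len()` accordingly. A comment on the entry, e.g. `/* array of u32 upcall port ids; length validated by the consumer */`, would stop the next reader from "fixing" it back to NLA_U32. If a lower bound is wanted in the policy, `.len = sizeof(u32)` acts as a minimum length for NLA_UNSPEC.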
@@ -0,0 +1,61 @@
+From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST
+From: Takeshi Misawa
+Date: Sun, 22 Sep 2019 16:45:31 +0900
+Subject: ppp: Fix memory leak in ppp_write
+
+From: Takeshi Misawa
+
+[ Upstream commit 4c247de564f1ff614d11b3bb5313fb70d7b9598b ]
+
+When ppp is closing, __ppp_xmit_process() failed to enqueue skb
+and skb allocated in ppp_write() is leaked.
+
+syzbot reported :
+BUG: memory leak
+unreferenced object 0xffff88812a17bc00 (size 224):
+ comm "syz-executor673", pid 6952, jiffies 4294942888 (age 13.040s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000d110fff9>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
+ [<00000000d110fff9>] slab_post_alloc_hook mm/slab.h:522 [inline]
+ [<00000000d110fff9>] slab_alloc_node mm/slab.c:3262 [inline]
+ [<00000000d110fff9>] kmem_cache_alloc_node+0x163/0x2f0 mm/slab.c:3574
+ [<000000002d616113>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:197
+ [<000000000167fc45>] alloc_skb include/linux/skbuff.h:1055 [inline]
+ [<000000000167fc45>] ppp_write+0x48/0x120 drivers/net/ppp/ppp_generic.c:502
+ [<000000009ab42c0b>] __vfs_write+0x43/0xa0 fs/read_write.c:494
+ [<00000000086b2e22>] vfs_write fs/read_write.c:558 [inline]
+ [<00000000086b2e22>] vfs_write+0xee/0x210 fs/read_write.c:542
+ [<00000000a2b70ef9>] ksys_write+0x7c/0x130 fs/read_write.c:611
+ [<00000000ce5e0fdd>] __do_sys_write fs/read_write.c:623 [inline]
+ [<00000000ce5e0fdd>] __se_sys_write fs/read_write.c:620 [inline]
+ [<00000000ce5e0fdd>] __x64_sys_write+0x1e/0x30 fs/read_write.c:620
+ [<00000000d9d7b370>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:296
+ [<0000000006e6d506>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fix this by freeing skb, if ppp is closing.
+
+Fixes: 6d066734e9f0 ("ppp: avoid loop in xmit recursion detection code")
+Reported-and-tested-by: syzbot+d9c8bf24e56416d7ce2c@syzkaller.appspotmail.com
+Signed-off-by: Takeshi Misawa
+Reviewed-by: Guillaume Nault
+Tested-by: Guillaume Nault
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ppp/ppp_generic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ppp/ppp_generic.c
++++ b/drivers/net/ppp/ppp_generic.c
+@@ -1419,6 +1419,8 @@ static void __ppp_xmit_process(struct pp
+ netif_wake_queue(ppp->dev);
+ else
+ netif_stop_queue(ppp->dev);
++ } else {
++ kfree_skb(skb);
+ }
+ ppp_xmit_unlock(ppp);
+ }
diff --git a/queue-4.19/sch_netem-fix-a-divide-by-zero-in-tabledist.patch b/queue-4.19/sch_netem-fix-a-divide-by-zero-in-tabledist.patch
new file mode 100644
index 00000000000..a0990fca996
--- /dev/null
+++ b/queue-4.19/sch_netem-fix-a-divide-by-zero-in-tabledist.patch
@@ -0,0 +1,36 @@
+From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST
+From: Eric Dumazet
+Date: Wed, 18 Sep 2019 08:05:39 -0700
+Subject: sch_netem: fix a divide by zero in tabledist()
+
+From: Eric Dumazet
+
+[ Upstream commit b41d936b5ecfdb3a4abc525ce6402a6c49cffddc ]
+
+syzbot managed to crash the kernel in tabledist() loading
+an empty distribution table.
+
+ t = dist->table[rnd % dist->size];
+
+Simply return an error when such load is attempted.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_netem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_netem.c
++++ b/net/sched/sch_netem.c
+@@ -749,7 +749,7 @@ static int get_dist_table(struct Qdisc *
+ struct disttable *d;
+ int i;
+ 
+- if (n > NETEM_DIST_MAX)
++ if (!n || n > NETEM_DIST_MAX)
+ return -EINVAL;
+ 
+ d = kvmalloc(sizeof(struct disttable) + n * sizeof(s16), GFP_KERNEL);
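Review bot: The new `} else { kfree_skb(skb); }` makes __ppp_xmit_process the owner of `skb` on the closing path as well as the normal one, which is the right fix, but nothing near the function states that it now consumes the skb unconditionally, and any caller that passes a NULL skb just to flush the queue is silently relying on kfree_skb() being a no-op for NULL. A comment on the new branch, `/* closing: nothing will dequeue it, so drop the skb here (NULL is a no-op) */`, would make both facts visible to the next maintainer. The function's signature and its `if (!ppp->closing)` test are outside the hunk.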
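Review bot: The added `!n` test in get_dist_table is correct, but its reason lives only in the changelog: a reader sees an otherwise harmless zero-length table being rejected and has to go find the `rnd % dist->size` in tabledist() to understand why. Put the reason on the line, `/* tabledist() does rnd % dist->size; an empty table would divide by zero */`. `n` is derived before the hunk, so its computation is outside the visible lines.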
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644
index 00000000000..37612950e18
--- /dev/null
+++ b/queue-4.19/series
@@ -0,0 +1,23 @@
+arcnet-provide-a-buffer-big-enough-to-actually-receive-packets.patch
+cdc_ncm-fix-divide-by-zero-caused-by-invalid-wmaxpacketsize.patch
+macsec-drop-skb-sk-before-calling-gro_cells_receive.patch
+net-phy-fix-dp83865-10-mbps-hdx-loopback-disable-function.patch
+net-qrtr-stop-rx_worker-before-freeing-node.patch
+net-sched-act_sample-don-t-push-mac-header-on-ip6gre-ingress.patch
+net_sched-add-max-len-check-for-tca_kind.patch
+nfp-flower-fix-memory-leak-in-nfp_flower_spawn_vnic_reprs.patch
+openvswitch-change-type-of-upcall_pid-attribute-to-nla_unspec.patch
+ppp-fix-memory-leak-in-ppp_write.patch
+sch_netem-fix-a-divide-by-zero-in-tabledist.patch
+skge-fix-checksum-byte-order.patch
+usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch
+usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch
+net-sched-fix-possible-crash-in-tcf_action_destroy.patch
+tcp-better-handle-tcp_user_timeout-in-syn_sent-state.patch
+net-mlx5-add-device-id-of-upcoming-bluefield-2.patch
+misdn-enforce-cap_net_raw-for-raw-sockets.patch
+appletalk-enforce-cap_net_raw-for-raw-sockets.patch
+ax25-enforce-cap_net_raw-for-raw-sockets.patch
+ieee802154-enforce-cap_net_raw-for-raw-sockets.patch
+nfc-enforce-cap_net_raw-for-raw-sockets.patch
+nfp-flower-prevent-memory-leak-in-nfp_flower_spawn_phy_reprs.patch
diff --git a/queue-4.19/skge-fix-checksum-byte-order.patch b/queue-4.19/skge-fix-checksum-byte-order.patch
new file mode 100644
index 00000000000..00bc6630119
--- /dev/null
+++ b/queue-4.19/skge-fix-checksum-byte-order.patch
@@ -0,0 +1,32 @@
+From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST
+From: Stephen Hemminger
+Date: Fri, 20 Sep 2019 18:18:26 +0200
+Subject: skge: fix checksum byte order
+
+From: Stephen Hemminger
+
+[ Upstream commit 5aafeb74b5bb65b34cc87c7623f9fa163a34fa3b ]
+
+Running old skge driver on PowerPC causes checksum errors
+because hardware reported 1's complement checksum is in little-endian
+byte order.
+
+Reported-by: Benoit
+Signed-off-by: Stephen Hemminger
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/skge.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/skge.c
++++ b/drivers/net/ethernet/marvell/skge.c
+@@ -3122,7 +3122,7 @@ static struct sk_buff *skge_rx_get(struc
+ skb_put(skb, len);
+ 
+ if (dev->features & NETIF_F_RXCSUM) {
+- skb->csum = csum;
++ skb->csum = le16_to_cpu(csum);
+ skb->ip_summed = CHECKSUM_COMPLETE;
+ }
+ 
diff --git a/queue-4.19/tcp-better-handle-tcp_user_timeout-in-syn_sent-state.patch b/queue-4.19/tcp-better-handle-tcp_user_timeout-in-syn_sent-state.patch
new file mode 100644
index 00000000000..9f91e31cab3
--- /dev/null
+++ b/queue-4.19/tcp-better-handle-tcp_user_timeout-in-syn_sent-state.patch
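Review bot: `skb->csum` is a `__wsum`, while `le16_to_cpu(csum)` yields a plain host-order 16-bit value, so the new line presumably draws sparse's bitwise-type warnings unless `csum` is declared `__le16` and the result is annotated, e.g. `skb->csum = (__force __wsum)le16_to_cpu(csum);`. The old line had the same typing problem, but since this is the line being rewritten it is the place to settle it, and a short comment such as `/* hardware reports the 1's complement sum little-endian */` would record why the conversion is needed on big-endian hosts. The declaration of `csum` in skge_rx_get's parameter list is outside the hunk, so its current type cannot be confirmed here.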
@@ -0,0 +1,64 @@
+From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST
+From: Eric Dumazet
+Date: Thu, 26 Sep 2019 15:42:51 -0700
+Subject: tcp: better handle TCP_USER_TIMEOUT in SYN_SENT state
+
+From: Eric Dumazet
+
+[ Upstream commit a66b10c05ee2d744189e9a2130394b070883d289 ]
+
+Yuchung Cheng and Marek Majkowski independently reported a weird
+behavior of TCP_USER_TIMEOUT option when used at connect() time.
+
+When the TCP_USER_TIMEOUT is reached, tcp_write_timeout()
+believes the flow should live, and the following condition
+in tcp_clamp_rto_to_user_timeout() programs one jiffie timers :
+
+ remaining = icsk->icsk_user_timeout - elapsed;
+ if (remaining <= 0)
+ return 1; /* user timeout has passed; fire ASAP */
+
+This silly situation ends when the max syn rtx count is reached.
+
+This patch makes sure we honor both TCP_SYNCNT and TCP_USER_TIMEOUT,
+avoiding these spurious SYN packets.
+
+Fixes: b701a99e431d ("tcp: Add tcp_clamp_rto_to_user_timeout() helper to improve accuracy")
+Signed-off-by: Eric Dumazet
+Reported-by: Yuchung Cheng
+Reported-by: Marek Majkowski
+Cc: Jon Maxwell
+Link: https://marc.info/?l=linux-netdev&m=156940118307949&w=2
+Acked-by: Jon Maxwell
+Tested-by: Marek Majkowski
+Signed-off-by: Marek Majkowski
+Acked-by: Yuchung Cheng
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp_timer.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_timer.c
++++ b/net/ipv4/tcp_timer.c
+@@ -219,7 +219,7 @@ static int tcp_write_timeout(struct sock
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct net *net = sock_net(sk);
+- bool expired, do_reset;
++ bool expired = false, do_reset;
+ int retry_until;
+ 
+ if ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) {
+@@ -251,9 +251,10 @@ static int tcp_write_timeout(struct sock
+ if (tcp_out_of_resources(sk, do_reset))
+ return 1;
+ }
++ }
++ if (!expired)
+ expired = retransmits_timed_out(sk, retry_until,
+ icsk->icsk_user_timeout);
+- }
+ tcp_fastopen_active_detect_blackhole(sk, expired);
+ 
+ if (BPF_SOCK_OPS_TEST_FLAG(tp, BPF_SOCK_OPS_RTO_CB_FLAG))
diff --git a/queue-4.19/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch b/queue-4.19/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch
new file mode 100644
index 00000000000..0e3622974d1
--- /dev/null
+++ b/queue-4.19/usbnet-ignore-endpoints-with-invalid-wmaxpacketsize.patch
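Review bot: The `if (!expired)` guard in front of retransmits_timed_out() reads like an incidental short-circuit, but it is the whole change: the call is moved out of the non-SYN else branch so that the SYN_SENT/SYN_RECV path, which presumably sets `expired` from the SYN retry count above the hunk, also gets TCP_USER_TIMEOUT applied when that count has not run out. A comment above the guard, `/* honour TCP_USER_TIMEOUT in every state, unless the retry count already expired */`, spares the next reader the trip to the changelog. The `expired = false` initializer in the first hunk is what keeps the non-SYN path on its old behaviour; tcp_write_timeout's SYN_SENT branch lies between the two hunks and is not visible here.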
@@ -0,0 +1,39 @@
+From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST
+From: "Bjørn Mork"
+Date: Wed, 18 Sep 2019 14:17:38 +0200
+Subject: usbnet: ignore endpoints with invalid wMaxPacketSize
+
+From: "Bjørn Mork"
+
+[ Upstream commit 8d3d7c2029c1b360f1a6b0a2fca470b57eb575c0 ]
+
+Endpoints with zero wMaxPacketSize are not usable for transferring
+data. Ignore such endpoints when looking for valid in, out and
+status pipes, to make the drivers more robust against invalid and
+meaningless descriptors.
+
+The wMaxPacketSize of these endpoints are used for memory allocations
+and as divisors in many usbnet minidrivers. Avoiding zero is therefore
+critical.
+
+Signed-off-by: Bjørn Mork
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/usbnet.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -112,6 +112,11 @@ int usbnet_get_endpoints(struct usbnet *
+ int intr = 0;
+ 
+ e = alt->endpoint + ep;
++
++ /* ignore endpoints which cannot transfer data */
++ if (!usb_endpoint_maxp(&e->desc))
++ continue;
++
+ switch (e->desc.bmAttributes) {
+ case USB_ENDPOINT_XFER_INT:
+ if (!usb_endpoint_dir_in(&e->desc))
diff --git a/queue-4.19/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch b/queue-4.19/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch
new file mode 100644
index 00000000000..33efc073795
--- /dev/null
+++ b/queue-4.19/usbnet-sanity-checking-of-packet-sizes-and-device-mtu.patch
@@ -0,0 +1,41 @@
+From foo@baz Tue 01 Oct 2019 03:40:29 PM CEST
+From: Oliver Neukum
+Date: Thu, 19 Sep 2019 10:23:08 +0200
+Subject: usbnet: sanity checking of packet sizes and device mtu
+
+From: Oliver Neukum
+
+[ Upstream commit 280ceaed79f18db930c0cc8bb21f6493490bf29c ]
+
+After a reset packet sizes and device mtu can change and need
+to be reevaluated to calculate queue sizes.
+Malicious devices can set this to zero and we divide by it.
+Introduce sanity checking.
+
+Reported-and-tested-by: syzbot+6102c120be558c885f04@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/usbnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -356,6 +356,8 @@ void usbnet_update_max_qlen(struct usbne
+ {
+ enum usb_device_speed speed = dev->udev->speed;
+ 
++ if (!dev->rx_urb_size || !dev->hard_mtu)
++ goto insanity;
+ switch (speed) {
+ case USB_SPEED_HIGH:
+ dev->rx_qlen = MAX_QUEUE_MEMORY / dev->rx_urb_size;
+@@ -372,6 +374,7 @@ void usbnet_update_max_qlen(struct usbne
+ dev->tx_qlen = 5 * MAX_QUEUE_MEMORY / dev->hard_mtu;
+ break;
+ default:
++insanity:
+ dev->rx_qlen = dev->tx_qlen = 4;
+ }
+ }
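Review bot: `goto insanity` jumps from before the `switch` to a label placed inside its `default:` arm, which is legal C but easy to misread and couples the guard to the layout of the switch. The same result reads more plainly as an early exit in the guard itself, `if (!dev->rx_urb_size || !dev->hard_mtu) { dev->rx_qlen = dev->tx_qlen = 4; return; }`, after which the `insanity:` label can go. Whichever shape is kept, a one-line comment naming the reason, `/* a device may report zero sizes after reset; never divide by them */`, would tie the check to the divisions in the `USB_SPEED_HIGH` and later arms, some of which are outside the hunk.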