From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 21 Aug 2019 02:40:35 +0000 (-0700)
Subject: 4.14-stable patches
X-Git-Tag: v4.19.68~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c360ed3194c2248844d57caffd747f5a8ffbfa69;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	bnx2x-fix-vf-s-vlan-reconfiguration-in-reload.patch
	bonding-add-vlan-tx-offload-to-hw_enc_features.patch
	net-mlx4_en-fix-a-memory-leak-bug.patch
	net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch
	net-mlx5e-use-flow-keys-dissector-to-parse-packets-for-arfs.patch
	net-packet-fix-race-in-tpacket_snd.patch
	sctp-fix-the-transport-error_count-check.patch
	team-add-vlan-tx-offload-to-hw_enc_features.patch
	xen-netback-reset-nr_frags-before-freeing-skb.patch
---

diff --git a/queue-4.14/bnx2x-fix-vf-s-vlan-reconfiguration-in-reload.patch b/queue-4.14/bnx2x-fix-vf-s-vlan-reconfiguration-in-reload.patch
new file mode 100644
index 00000000000..68e0dcd3151
--- /dev/null
+++ b/queue-4.14/bnx2x-fix-vf-s-vlan-reconfiguration-in-reload.patch
@@ -0,0 +1,98 @@
+From foo@baz Tue 20 Aug 2019 07:03:45 PM PDT
+From: Manish Chopra <manishc@marvell.com>
+Date: Sun, 18 Aug 2019 07:25:48 -0700
+Subject: bnx2x: Fix VF's VLAN reconfiguration in reload.
+
+From: Manish Chopra <manishc@marvell.com>
+
+[ Upstream commit 4a4d2d372fb9b9229327e2ed01d5d9572eddf4de ]
+
+Commit 04f05230c5c13 ("bnx2x: Remove configured vlans as
+part of unload sequence."), introduced a regression in driver
+that as a part of VF's reload flow, VLANs created on the VF
+doesn't get re-configured in hardware as vlan metadata/info
+was not getting cleared for the VFs which causes vlan PING to stop.
+
+This patch clears the vlan metadata/info so that VLANs gets
+re-configured back in the hardware in VF's reload flow and
+PING/traffic continues for VLANs created over the VFs.
+
+Fixes: 04f05230c5c13 ("bnx2x: Remove configured vlans as part of unload sequence.")
+Signed-off-by: Manish Chopra <manishc@marvell.com>
+Signed-off-by: Sudarsana Kalluru <skalluru@marvell.com>
+Signed-off-by: Shahed Shaikh <shshaikh@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c  |    7 ++++---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h  |    2 ++
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c |   17 ++++++++++++-----
+ 3 files changed, 18 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -3057,12 +3057,13 @@ int bnx2x_nic_unload(struct bnx2x *bp, i
+ 	/* if VF indicate to PF this function is going down (PF will delete sp
+ 	 * elements and clear initializations
+ 	 */
+-	if (IS_VF(bp))
++	if (IS_VF(bp)) {
++		bnx2x_clear_vlan_info(bp);
+ 		bnx2x_vfpf_close_vf(bp);
+-	else if (unload_mode != UNLOAD_RECOVERY)
++	} else if (unload_mode != UNLOAD_RECOVERY) {
+ 		/* if this is a normal/close unload need to clean up chip*/
+ 		bnx2x_chip_cleanup(bp, unload_mode, keep_link);
+-	else {
++	} else {
+ 		/* Send the UNLOAD_REQUEST to the MCP */
+ 		bnx2x_send_unload_req(bp, unload_mode);
+ 
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
+@@ -425,6 +425,8 @@ void bnx2x_set_reset_global(struct bnx2x
+ void bnx2x_disable_close_the_gate(struct bnx2x *bp);
+ int bnx2x_init_hw_func_cnic(struct bnx2x *bp);
+ 
++void bnx2x_clear_vlan_info(struct bnx2x *bp);
++
+ /**
+  * bnx2x_sp_event - handle ramrods completion.
+  *
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+@@ -8488,11 +8488,21 @@ int bnx2x_set_vlan_one(struct bnx2x *bp,
+ 	return rc;
+ }
+ 
++void bnx2x_clear_vlan_info(struct bnx2x *bp)
++{
++	struct bnx2x_vlan_entry *vlan;
++
++	/* Mark that hw forgot all entries */
++	list_for_each_entry(vlan, &bp->vlan_reg, link)
++		vlan->hw = false;
++
++	bp->vlan_cnt = 0;
++}
++
+ static int bnx2x_del_all_vlans(struct bnx2x *bp)
+ {
+ 	struct bnx2x_vlan_mac_obj *vlan_obj = &bp->sp_objs[0].vlan_obj;
+ 	unsigned long ramrod_flags = 0, vlan_flags = 0;
+-	struct bnx2x_vlan_entry *vlan;
+ 	int rc;
+ 
+ 	__set_bit(RAMROD_COMP_WAIT, &ramrod_flags);
+@@ -8501,10 +8511,7 @@ static int bnx2x_del_all_vlans(struct bn
+ 	if (rc)
+ 		return rc;
+ 
+-	/* Mark that hw forgot all entries */
+-	list_for_each_entry(vlan, &bp->vlan_reg, link)
+-		vlan->hw = false;
+-	bp->vlan_cnt = 0;
++	bnx2x_clear_vlan_info(bp);
+ 
+ 	return 0;
+ }
diff --git a/queue-4.14/bonding-add-vlan-tx-offload-to-hw_enc_features.patch b/queue-4.14/bonding-add-vlan-tx-offload-to-hw_enc_features.patch
new file mode 100644
index 00000000000..a2baefad1bf
--- /dev/null
+++ b/queue-4.14/bonding-add-vlan-tx-offload-to-hw_enc_features.patch
@@ -0,0 +1,62 @@
+From foo@baz Tue 20 Aug 2019 07:03:45 PM PDT
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Wed, 7 Aug 2019 10:19:59 +0800
+Subject: bonding: Add vlan tx offload to hw_enc_features
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit d595b03de2cb0bdf9bcdf35ff27840cc3a37158f ]
+
+As commit 30d8177e8ac7 ("bonding: Always enable vlan tx offload")
+said, we should always enable bonding's vlan tx offload, pass the
+vlan packets to the slave devices with vlan tci, let them to handle
+vlan implementation.
+
+Now if encapsulation protocols like VXLAN is used, skb->encapsulation
+may be set, then the packet is passed to vlan device which based on
+bonding device. However in netif_skb_features(), the check of
+hw_enc_features:
+
+	 if (skb->encapsulation)
+                 features &= dev->hw_enc_features;
+
+clears NETIF_F_HW_VLAN_CTAG_TX/NETIF_F_HW_VLAN_STAG_TX. This results
+in same issue in commit 30d8177e8ac7 like this:
+
+vlan_dev_hard_start_xmit
+  -->dev_queue_xmit
+    -->validate_xmit_skb
+      -->netif_skb_features //NETIF_F_HW_VLAN_CTAG_TX is cleared
+      -->validate_xmit_vlan
+        -->__vlan_hwaccel_push_inside //skb->tci is cleared
+...
+ --> bond_start_xmit
+   --> bond_xmit_hash //BOND_XMIT_POLICY_ENCAP34
+     --> __skb_flow_dissect // nhoff point to IP header
+        -->  case htons(ETH_P_8021Q)
+             // skb_vlan_tag_present is false, so
+             vlan = __skb_header_pointer(skb, nhoff, sizeof(_vlan),
+             //vlan point to ip header wrongly
+
+Fixes: b2a103e6d0af ("bonding: convert to ndo_fix_features")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/bonding/bond_main.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1108,7 +1108,9 @@ static void bond_compute_features(struct
+ 
+ done:
+ 	bond_dev->vlan_features = vlan_features;
+-	bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL;
++	bond_dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL |
++				    NETIF_F_HW_VLAN_CTAG_TX |
++				    NETIF_F_HW_VLAN_STAG_TX;
+ 	bond_dev->gso_max_segs = gso_max_segs;
+ 	netif_set_gso_max_size(bond_dev, gso_max_size);
+ 
diff --git a/queue-4.14/net-mlx4_en-fix-a-memory-leak-bug.patch b/queue-4.14/net-mlx4_en-fix-a-memory-leak-bug.patch
new file mode 100644
index 00000000000..5ea5b5f461c
--- /dev/null
+++ b/queue-4.14/net-mlx4_en-fix-a-memory-leak-bug.patch
@@ -0,0 +1,45 @@
+From foo@baz Tue 20 Aug 2019 07:03:45 PM PDT
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Mon, 12 Aug 2019 14:11:35 -0500
+Subject: net/mlx4_en: fix a memory leak bug
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+[ Upstream commit 48ec7014c56e5eb2fbf6f479896143622d834f3b ]
+
+In mlx4_en_config_rss_steer(), 'rss_map->indir_qp' is allocated through
+kzalloc(). After that, mlx4_qp_alloc() is invoked to configure RSS
+indirection. However, if mlx4_qp_alloc() fails, the allocated
+'rss_map->indir_qp' is not deallocated, leading to a memory leak bug.
+
+To fix the above issue, add the 'qp_alloc_err' label to free
+'rss_map->indir_qp'.
+
+Fixes: 4931c6ef04b4 ("net/mlx4_en: Optimized single ring steering")
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_rx.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
+@@ -1193,7 +1193,7 @@ int mlx4_en_config_rss_steer(struct mlx4
+ 	err = mlx4_qp_alloc(mdev->dev, priv->base_qpn, rss_map->indir_qp);
+ 	if (err) {
+ 		en_err(priv, "Failed to allocate RSS indirection QP\n");
+-		goto rss_err;
++		goto qp_alloc_err;
+ 	}
+ 
+ 	rss_map->indir_qp->event = mlx4_en_sqp_event;
+@@ -1247,6 +1247,7 @@ indir_err:
+ 		       MLX4_QP_STATE_RST, NULL, 0, 0, rss_map->indir_qp);
+ 	mlx4_qp_remove(mdev->dev, rss_map->indir_qp);
+ 	mlx4_qp_free(mdev->dev, rss_map->indir_qp);
++qp_alloc_err:
+ 	kfree(rss_map->indir_qp);
+ 	rss_map->indir_qp = NULL;
+ rss_err:
diff --git a/queue-4.14/net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch b/queue-4.14/net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch
new file mode 100644
index 00000000000..e9a251f4ddc
--- /dev/null
+++ b/queue-4.14/net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch
@@ -0,0 +1,33 @@
+From foo@baz Tue 20 Aug 2019 07:03:45 PM PDT
+From: Huy Nguyen <huyn@mellanox.com>
+Date: Thu, 1 Aug 2019 11:10:19 -0500
+Subject: net/mlx5e: Only support tx/rx pause setting for port owner
+
+From: Huy Nguyen <huyn@mellanox.com>
+
+[ Upstream commit 466df6eb4a9e813b3cfc674363316450c57a89c5 ]
+
+Only support changing tx/rx pause frame setting if the net device
+is the vport group manager.
+
+Fixes: 3c2d18ef22df ("net/mlx5e: Support ethtool get/set_pauseparam")
+Signed-off-by: Huy Nguyen <huyn@mellanox.com>
+Reviewed-by: Parav Pandit <parav@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -1400,6 +1400,9 @@ static int mlx5e_set_pauseparam(struct n
+ 	struct mlx5_core_dev *mdev = priv->mdev;
+ 	int err;
+ 
++	if (!MLX5_CAP_GEN(mdev, vport_group_manager))
++		return -EOPNOTSUPP;
++
+ 	if (pauseparam->autoneg)
+ 		return -EINVAL;
+ 
diff --git a/queue-4.14/net-mlx5e-use-flow-keys-dissector-to-parse-packets-for-arfs.patch b/queue-4.14/net-mlx5e-use-flow-keys-dissector-to-parse-packets-for-arfs.patch
new file mode 100644
index 00000000000..eed8c66a68d
--- /dev/null
+++ b/queue-4.14/net-mlx5e-use-flow-keys-dissector-to-parse-packets-for-arfs.patch
@@ -0,0 +1,194 @@
+From foo@baz Tue 20 Aug 2019 07:03:45 PM PDT
+From: Maxim Mikityanskiy <maximmi@mellanox.com>
+Date: Fri, 5 Jul 2019 17:59:28 +0300
+Subject: net/mlx5e: Use flow keys dissector to parse packets for ARFS
+
+From: Maxim Mikityanskiy <maximmi@mellanox.com>
+
+[ Upstream commit 405b93eb764367a670e729da18e54dc42db32620 ]
+
+The current ARFS code relies on certain fields to be set in the SKB
+(e.g. transport_header) and extracts IP addresses and ports by custom
+code that parses the packet. The necessary SKB fields, however, are not
+always set at that point, which leads to an out-of-bounds access. Use
+skb_flow_dissect_flow_keys() to get the necessary information reliably,
+fix the out-of-bounds access and reuse the code.
+
+Fixes: 18c908e477dc ("net/mlx5e: Add accelerated RFS support")
+Signed-off-by: Maxim Mikityanskiy <maximmi@mellanox.com>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c |   97 +++++++---------------
+ 1 file changed, 34 insertions(+), 63 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_arfs.c
+@@ -439,12 +439,6 @@ arfs_hash_bucket(struct arfs_table *arfs
+ 	return &arfs_t->rules_hash[bucket_idx];
+ }
+ 
+-static u8 arfs_get_ip_proto(const struct sk_buff *skb)
+-{
+-	return (skb->protocol == htons(ETH_P_IP)) ?
+-		ip_hdr(skb)->protocol : ipv6_hdr(skb)->nexthdr;
+-}
+-
+ static struct arfs_table *arfs_get_table(struct mlx5e_arfs_tables *arfs,
+ 					 u8 ip_proto, __be16 etype)
+ {
+@@ -601,31 +595,9 @@ out:
+ 	arfs_may_expire_flow(priv);
+ }
+ 
+-/* return L4 destination port from ip4/6 packets */
+-static __be16 arfs_get_dst_port(const struct sk_buff *skb)
+-{
+-	char *transport_header;
+-
+-	transport_header = skb_transport_header(skb);
+-	if (arfs_get_ip_proto(skb) == IPPROTO_TCP)
+-		return ((struct tcphdr *)transport_header)->dest;
+-	return ((struct udphdr *)transport_header)->dest;
+-}
+-
+-/* return L4 source port from ip4/6 packets */
+-static __be16 arfs_get_src_port(const struct sk_buff *skb)
+-{
+-	char *transport_header;
+-
+-	transport_header = skb_transport_header(skb);
+-	if (arfs_get_ip_proto(skb) == IPPROTO_TCP)
+-		return ((struct tcphdr *)transport_header)->source;
+-	return ((struct udphdr *)transport_header)->source;
+-}
+-
+ static struct arfs_rule *arfs_alloc_rule(struct mlx5e_priv *priv,
+ 					 struct arfs_table *arfs_t,
+-					 const struct sk_buff *skb,
++					 const struct flow_keys *fk,
+ 					 u16 rxq, u32 flow_id)
+ {
+ 	struct arfs_rule *rule;
+@@ -640,19 +612,19 @@ static struct arfs_rule *arfs_alloc_rule
+ 	INIT_WORK(&rule->arfs_work, arfs_handle_work);
+ 
+ 	tuple = &rule->tuple;
+-	tuple->etype = skb->protocol;
++	tuple->etype = fk->basic.n_proto;
++	tuple->ip_proto = fk->basic.ip_proto;
+ 	if (tuple->etype == htons(ETH_P_IP)) {
+-		tuple->src_ipv4 = ip_hdr(skb)->saddr;
+-		tuple->dst_ipv4 = ip_hdr(skb)->daddr;
++		tuple->src_ipv4 = fk->addrs.v4addrs.src;
++		tuple->dst_ipv4 = fk->addrs.v4addrs.dst;
+ 	} else {
+-		memcpy(&tuple->src_ipv6, &ipv6_hdr(skb)->saddr,
++		memcpy(&tuple->src_ipv6, &fk->addrs.v6addrs.src,
+ 		       sizeof(struct in6_addr));
+-		memcpy(&tuple->dst_ipv6, &ipv6_hdr(skb)->daddr,
++		memcpy(&tuple->dst_ipv6, &fk->addrs.v6addrs.dst,
+ 		       sizeof(struct in6_addr));
+ 	}
+-	tuple->ip_proto = arfs_get_ip_proto(skb);
+-	tuple->src_port = arfs_get_src_port(skb);
+-	tuple->dst_port = arfs_get_dst_port(skb);
++	tuple->src_port = fk->ports.src;
++	tuple->dst_port = fk->ports.dst;
+ 
+ 	rule->flow_id = flow_id;
+ 	rule->filter_id = priv->fs.arfs.last_filter_id++ % RPS_NO_FILTER;
+@@ -663,37 +635,33 @@ static struct arfs_rule *arfs_alloc_rule
+ 	return rule;
+ }
+ 
+-static bool arfs_cmp_ips(struct arfs_tuple *tuple,
+-			 const struct sk_buff *skb)
++static bool arfs_cmp(const struct arfs_tuple *tuple, const struct flow_keys *fk)
+ {
+-	if (tuple->etype == htons(ETH_P_IP) &&
+-	    tuple->src_ipv4 == ip_hdr(skb)->saddr &&
+-	    tuple->dst_ipv4 == ip_hdr(skb)->daddr)
+-		return true;
+-	if (tuple->etype == htons(ETH_P_IPV6) &&
+-	    (!memcmp(&tuple->src_ipv6, &ipv6_hdr(skb)->saddr,
+-		     sizeof(struct in6_addr))) &&
+-	    (!memcmp(&tuple->dst_ipv6, &ipv6_hdr(skb)->daddr,
+-		     sizeof(struct in6_addr))))
+-		return true;
++	if (tuple->src_port != fk->ports.src || tuple->dst_port != fk->ports.dst)
++		return false;
++	if (tuple->etype != fk->basic.n_proto)
++		return false;
++	if (tuple->etype == htons(ETH_P_IP))
++		return tuple->src_ipv4 == fk->addrs.v4addrs.src &&
++		       tuple->dst_ipv4 == fk->addrs.v4addrs.dst;
++	if (tuple->etype == htons(ETH_P_IPV6))
++		return !memcmp(&tuple->src_ipv6, &fk->addrs.v6addrs.src,
++			       sizeof(struct in6_addr)) &&
++		       !memcmp(&tuple->dst_ipv6, &fk->addrs.v6addrs.dst,
++			       sizeof(struct in6_addr));
+ 	return false;
+ }
+ 
+ static struct arfs_rule *arfs_find_rule(struct arfs_table *arfs_t,
+-					const struct sk_buff *skb)
++					const struct flow_keys *fk)
+ {
+ 	struct arfs_rule *arfs_rule;
+ 	struct hlist_head *head;
+-	__be16 src_port = arfs_get_src_port(skb);
+-	__be16 dst_port = arfs_get_dst_port(skb);
+ 
+-	head = arfs_hash_bucket(arfs_t, src_port, dst_port);
++	head = arfs_hash_bucket(arfs_t, fk->ports.src, fk->ports.dst);
+ 	hlist_for_each_entry(arfs_rule, head, hlist) {
+-		if (arfs_rule->tuple.src_port == src_port &&
+-		    arfs_rule->tuple.dst_port == dst_port &&
+-		    arfs_cmp_ips(&arfs_rule->tuple, skb)) {
++		if (arfs_cmp(&arfs_rule->tuple, fk))
+ 			return arfs_rule;
+-		}
+ 	}
+ 
+ 	return NULL;
+@@ -706,20 +674,24 @@ int mlx5e_rx_flow_steer(struct net_devic
+ 	struct mlx5e_arfs_tables *arfs = &priv->fs.arfs;
+ 	struct arfs_table *arfs_t;
+ 	struct arfs_rule *arfs_rule;
++	struct flow_keys fk;
++
++	if (!skb_flow_dissect_flow_keys(skb, &fk, 0))
++		return -EPROTONOSUPPORT;
+ 
+-	if (skb->protocol != htons(ETH_P_IP) &&
+-	    skb->protocol != htons(ETH_P_IPV6))
++	if (fk.basic.n_proto != htons(ETH_P_IP) &&
++	    fk.basic.n_proto != htons(ETH_P_IPV6))
+ 		return -EPROTONOSUPPORT;
+ 
+ 	if (skb->encapsulation)
+ 		return -EPROTONOSUPPORT;
+ 
+-	arfs_t = arfs_get_table(arfs, arfs_get_ip_proto(skb), skb->protocol);
++	arfs_t = arfs_get_table(arfs, fk.basic.ip_proto, fk.basic.n_proto);
+ 	if (!arfs_t)
+ 		return -EPROTONOSUPPORT;
+ 
+ 	spin_lock_bh(&arfs->arfs_lock);
+-	arfs_rule = arfs_find_rule(arfs_t, skb);
++	arfs_rule = arfs_find_rule(arfs_t, &fk);
+ 	if (arfs_rule) {
+ 		if (arfs_rule->rxq == rxq_index) {
+ 			spin_unlock_bh(&arfs->arfs_lock);
+@@ -727,8 +699,7 @@ int mlx5e_rx_flow_steer(struct net_devic
+ 		}
+ 		arfs_rule->rxq = rxq_index;
+ 	} else {
+-		arfs_rule = arfs_alloc_rule(priv, arfs_t, skb,
+-					    rxq_index, flow_id);
++		arfs_rule = arfs_alloc_rule(priv, arfs_t, &fk, rxq_index, flow_id);
+ 		if (!arfs_rule) {
+ 			spin_unlock_bh(&arfs->arfs_lock);
+ 			return -ENOMEM;
diff --git a/queue-4.14/net-packet-fix-race-in-tpacket_snd.patch b/queue-4.14/net-packet-fix-race-in-tpacket_snd.patch
new file mode 100644
index 00000000000..19679be4872
--- /dev/null
+++ b/queue-4.14/net-packet-fix-race-in-tpacket_snd.patch
@@ -0,0 +1,78 @@
+From foo@baz Tue 20 Aug 2019 07:03:45 PM PDT
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 14 Aug 2019 02:11:57 -0700
+Subject: net/packet: fix race in tpacket_snd()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 32d3182cd2cd29b2e7e04df7b0db350fbe11289f ]
+
+packet_sendmsg() checks tx_ring.pg_vec to decide
+if it must call tpacket_snd().
+
+Problem is that the check is lockless, meaning another thread
+can issue a concurrent setsockopt(PACKET_TX_RING ) to flip
+tx_ring.pg_vec back to NULL.
+
+Given that tpacket_snd() grabs pg_vec_lock mutex, we can
+perform the check again to solve the race.
+
+syzbot reported :
+
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474
+Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00
+RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246
+RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c
+RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50
+R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000
+R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000
+FS:  00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ packet_current_frame net/packet/af_packet.c:487 [inline]
+ tpacket_snd net/packet/af_packet.c:2667 [inline]
+ packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975
+ sock_sendmsg_nosec net/socket.c:637 [inline]
+ sock_sendmsg+0xd7/0x130 net/socket.c:657
+ ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
+ __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
+ __do_sys_sendmmsg net/socket.c:2442 [inline]
+ __se_sys_sendmmsg net/socket.c:2439 [inline]
+ __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
+ do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2654,6 +2654,13 @@ static int tpacket_snd(struct packet_soc
+ 
+ 	mutex_lock(&po->pg_vec_lock);
+ 
++	/* packet_sendmsg() check on tx_ring.pg_vec was lockless,
++	 * we need to confirm it under protection of pg_vec_lock.
++	 */
++	if (unlikely(!po->tx_ring.pg_vec)) {
++		err = -EBUSY;
++		goto out;
++	}
+ 	if (likely(saddr == NULL)) {
+ 		dev	= packet_cached_dev_get(po);
+ 		proto	= po->num;
diff --git a/queue-4.14/sctp-fix-the-transport-error_count-check.patch b/queue-4.14/sctp-fix-the-transport-error_count-check.patch
new file mode 100644
index 00000000000..2f0df7a8f6c
--- /dev/null
+++ b/queue-4.14/sctp-fix-the-transport-error_count-check.patch
@@ -0,0 +1,37 @@
+From foo@baz Tue 20 Aug 2019 07:03:45 PM PDT
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 12 Aug 2019 20:49:12 +0800
+Subject: sctp: fix the transport error_count check
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit a1794de8b92ea6bc2037f445b296814ac826693e ]
+
+As the annotation says in sctp_do_8_2_transport_strike():
+
+  "If the transport error count is greater than the pf_retrans
+   threshold, and less than pathmaxrtx ..."
+
+It should be transport->error_count checked with pathmaxrxt,
+instead of asoc->pf_retrans.
+
+Fixes: 5aa93bcf66f4 ("sctp: Implement quick failover draft from tsvwg")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_sideeffect.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sctp/sm_sideeffect.c
++++ b/net/sctp/sm_sideeffect.c
+@@ -541,7 +541,7 @@ static void sctp_do_8_2_transport_strike
+ 	 */
+ 	if (net->sctp.pf_enable &&
+ 	   (transport->state == SCTP_ACTIVE) &&
+-	   (asoc->pf_retrans < transport->pathmaxrxt) &&
++	   (transport->error_count < transport->pathmaxrxt) &&
+ 	   (transport->error_count > asoc->pf_retrans)) {
+ 
+ 		sctp_assoc_control_transport(asoc, transport,
diff --git a/queue-4.14/series b/queue-4.14/series
index f1d5b22120a..84fe4a463e1 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -59,3 +59,12 @@ arm64-ftrace-ensure-module-ftrace-trampoline-is-coherent-with-i-side.patch
 netfilter-conntrack-use-consistent-ct-id-hash-calculation.patch
 input-psmouse-fix-build-error-of-multiple-definition.patch
 iommu-amd-move-iommu_init_pci-to-.init-section.patch
+bnx2x-fix-vf-s-vlan-reconfiguration-in-reload.patch
+net-mlx4_en-fix-a-memory-leak-bug.patch
+net-packet-fix-race-in-tpacket_snd.patch
+sctp-fix-the-transport-error_count-check.patch
+xen-netback-reset-nr_frags-before-freeing-skb.patch
+net-mlx5e-only-support-tx-rx-pause-setting-for-port-owner.patch
+net-mlx5e-use-flow-keys-dissector-to-parse-packets-for-arfs.patch
+team-add-vlan-tx-offload-to-hw_enc_features.patch
+bonding-add-vlan-tx-offload-to-hw_enc_features.patch
diff --git a/queue-4.14/team-add-vlan-tx-offload-to-hw_enc_features.patch b/queue-4.14/team-add-vlan-tx-offload-to-hw_enc_features.patch
new file mode 100644
index 00000000000..62fcdc6fad8
--- /dev/null
+++ b/queue-4.14/team-add-vlan-tx-offload-to-hw_enc_features.patch
@@ -0,0 +1,34 @@
+From foo@baz Tue 20 Aug 2019 07:03:45 PM PDT
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 8 Aug 2019 14:22:47 +0800
+Subject: team: Add vlan tx offload to hw_enc_features
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+[ Upstream commit 227f2f030e28d8783c3d10ce70ff4ba79cad653f ]
+
+We should also enable team's vlan tx offload in hw_enc_features,
+pass the vlan packets to the slave devices with vlan tci, let the
+slave handle vlan tunneling offload implementation.
+
+Fixes: 3268e5cb494d ("team: Advertise tunneling offload features")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1014,7 +1014,9 @@ static void __team_compute_features(stru
+ 	}
+ 
+ 	team->dev->vlan_features = vlan_features;
+-	team->dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL;
++	team->dev->hw_enc_features = enc_features | NETIF_F_GSO_ENCAP_ALL |
++				     NETIF_F_HW_VLAN_CTAG_TX |
++				     NETIF_F_HW_VLAN_STAG_TX;
+ 	team->dev->hard_header_len = max_hard_header_len;
+ 
+ 	team->dev->priv_flags &= ~IFF_XMIT_DST_RELEASE;
diff --git a/queue-4.14/xen-netback-reset-nr_frags-before-freeing-skb.patch b/queue-4.14/xen-netback-reset-nr_frags-before-freeing-skb.patch
new file mode 100644
index 00000000000..cf3c4dd656b
--- /dev/null
+++ b/queue-4.14/xen-netback-reset-nr_frags-before-freeing-skb.patch
@@ -0,0 +1,38 @@
+From foo@baz Tue 20 Aug 2019 07:03:45 PM PDT
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+Date: Mon, 5 Aug 2019 16:34:34 +0100
+Subject: xen/netback: Reset nr_frags before freeing skb
+
+From: Ross Lagerwall <ross.lagerwall@citrix.com>
+
+[ Upstream commit 3a0233ddec554b886298de2428edb5c50a20e694 ]
+
+At this point nr_frags has been incremented but the frag does not yet
+have a page assigned so freeing the skb results in a crash. Reset
+nr_frags before freeing the skb to prevent this.
+
+Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netback/netback.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/xen-netback/netback.c
++++ b/drivers/net/xen-netback/netback.c
+@@ -927,6 +927,7 @@ static void xenvif_tx_build_gops(struct
+ 			skb_shinfo(skb)->nr_frags = MAX_SKB_FRAGS;
+ 			nskb = xenvif_alloc_skb(0);
+ 			if (unlikely(nskb == NULL)) {
++				skb_shinfo(skb)->nr_frags = 0;
+ 				kfree_skb(skb);
+ 				xenvif_tx_err(queue, &txreq, extra_count, idx);
+ 				if (net_ratelimit())
+@@ -942,6 +943,7 @@ static void xenvif_tx_build_gops(struct
+ 
+ 			if (xenvif_set_skb_gso(queue->vif, skb, gso)) {
+ 				/* Failure in xenvif_set_skb_gso is fatal. */
++				skb_shinfo(skb)->nr_frags = 0;
+ 				kfree_skb(skb);
+ 				kfree_skb(nskb);
+ 				break;