--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 15 Jun 2019 16:40:52 -0700
+Subject: ax25: fix inconsistent lock state in ax25_destroy_timer
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit d4d5d8e83c9616aeef28a2869cea49cc3fb35526 ]
+
+Before thread in process context uses bh_lock_sock()
+we must disable bh.
+
+sysbot reported :
+
+WARNING: inconsistent lock state
+5.2.0-rc3+ #32 Not tainted
+
+inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
+blkid/26581 [HC0[0]:SC1[1]:HE1:SE0] takes:
+00000000e0da85ee (slock-AF_AX25){+.?.}, at: spin_lock include/linux/spinlock.h:338 [inline]
+00000000e0da85ee (slock-AF_AX25){+.?.}, at: ax25_destroy_timer+0x53/0xc0 net/ax25/af_ax25.c:275
+{SOFTIRQ-ON-W} state was registered at:
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4303
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
+ spin_lock include/linux/spinlock.h:338 [inline]
+ ax25_rt_autobind+0x3ca/0x720 net/ax25/ax25_route.c:429
+ ax25_connect.cold+0x30/0xa4 net/ax25/af_ax25.c:1221
+ __sys_connect+0x264/0x330 net/socket.c:1834
+ __do_sys_connect net/socket.c:1845 [inline]
+ __se_sys_connect net/socket.c:1842 [inline]
+ __x64_sys_connect+0x73/0xb0 net/socket.c:1842
+ do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+irq event stamp: 2272
+hardirqs last enabled at (2272): [<ffffffff810065f3>] trace_hardirqs_on_thunk+0x1a/0x1c
+hardirqs last disabled at (2271): [<ffffffff8100660f>] trace_hardirqs_off_thunk+0x1a/0x1c
+softirqs last enabled at (1522): [<ffffffff87400654>] __do_softirq+0x654/0x94c kernel/softirq.c:320
+softirqs last disabled at (2267): [<ffffffff81449010>] invoke_softirq kernel/softirq.c:374 [inline]
+softirqs last disabled at (2267): [<ffffffff81449010>] irq_exit+0x180/0x1d0 kernel/softirq.c:414
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(slock-AF_AX25);
+ <Interrupt>
+ lock(slock-AF_AX25);
+
+ *** DEADLOCK ***
+
+1 lock held by blkid/26581:
+ #0: 0000000010fd154d ((&ax25->dtimer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:175 [inline]
+ #0: 0000000010fd154d ((&ax25->dtimer)){+.-.}, at: call_timer_fn+0xe0/0x720 kernel/time/timer.c:1312
+
+stack backtrace:
+CPU: 1 PID: 26581 Comm: blkid Not tainted 5.2.0-rc3+ #32
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ print_usage_bug.cold+0x393/0x4a2 kernel/locking/lockdep.c:2935
+ valid_state kernel/locking/lockdep.c:2948 [inline]
+ mark_lock_irq kernel/locking/lockdep.c:3138 [inline]
+ mark_lock+0xd46/0x1370 kernel/locking/lockdep.c:3513
+ mark_irqflags kernel/locking/lockdep.c:3391 [inline]
+ __lock_acquire+0x159f/0x5490 kernel/locking/lockdep.c:3745
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4303
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
+ spin_lock include/linux/spinlock.h:338 [inline]
+ ax25_destroy_timer+0x53/0xc0 net/ax25/af_ax25.c:275
+ call_timer_fn+0x193/0x720 kernel/time/timer.c:1322
+ expire_timers kernel/time/timer.c:1366 [inline]
+ __run_timers kernel/time/timer.c:1685 [inline]
+ __run_timers kernel/time/timer.c:1653 [inline]
+ run_timer_softirq+0x66f/0x1740 kernel/time/timer.c:1698
+ __do_softirq+0x25c/0x94c kernel/softirq.c:293
+ invoke_softirq kernel/softirq.c:374 [inline]
+ irq_exit+0x180/0x1d0 kernel/softirq.c:414
+ exiting_irq arch/x86/include/asm/apic.h:536 [inline]
+ smp_apic_timer_interrupt+0x13b/0x550 arch/x86/kernel/apic/apic.c:1068
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:806
+ </IRQ>
+RIP: 0033:0x7f858d5c3232
+Code: 8b 61 08 48 8b 84 24 d8 00 00 00 4c 89 44 24 28 48 8b ac 24 d0 00 00 00 4c 8b b4 24 e8 00 00 00 48 89 7c 24 68 48 89 4c 24 78 <48> 89 44 24 58 8b 84 24 e0 00 00 00 89 84 24 84 00 00 00 8b 84 24
+RSP: 002b:00007ffcaf0cf5c0 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
+RAX: 00007f858d7d27a8 RBX: 00007f858d7d8820 RCX: 00007f858d3940d8
+RDX: 00007ffcaf0cf798 RSI: 00000000f5e616f3 RDI: 00007f858d394fee
+RBP: 0000000000000000 R08: 00007ffcaf0cf780 R09: 00007f858d7db480
+R10: 0000000000000000 R11: 0000000009691a75 R12: 0000000000000005
+R13: 00000000f5e616f3 R14: 0000000000000000 R15: 00007ffcaf0cf798
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ax25/ax25_route.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ax25/ax25_route.c
++++ b/net/ax25/ax25_route.c
+@@ -429,9 +429,11 @@ int ax25_rt_autobind(ax25_cb *ax25, ax25
+ }
+
+ if (ax25->sk != NULL) {
++ local_bh_disable();
+ bh_lock_sock(ax25->sk);
+ sock_reset_flag(ax25->sk, SOCK_ZAPPED);
+ bh_unlock_sock(ax25->sk);
++ local_bh_enable();
+ }
+
+ put:
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Ivan Vecera <ivecera@redhat.com>
+Date: Fri, 14 Jun 2019 17:48:36 +0200
+Subject: be2net: Fix number of Rx queues used for flow hashing
+
+From: Ivan Vecera <ivecera@redhat.com>
+
+[ Upstream commit 718f4a2537089ea41903bf357071306163bc7c04 ]
+
+Number of Rx queues used for flow hashing returned by the driver is
+incorrect and this bug prevents user to use the last Rx queue in
+indirection table.
+
+Let's say we have a NIC with 6 combined queues:
+
+[root@sm-03 ~]# ethtool -l enp4s0f0
+Channel parameters for enp4s0f0:
+Pre-set maximums:
+RX: 5
+TX: 5
+Other: 0
+Combined: 6
+Current hardware settings:
+RX: 0
+TX: 0
+Other: 0
+Combined: 6
+
+Default indirection table maps all (6) queues equally but the driver
+reports only 5 rings available.
+
+[root@sm-03 ~]# ethtool -x enp4s0f0
+RX flow hash indirection table for enp4s0f0 with 5 RX ring(s):
+ 0: 0 1 2 3 4 5 0 1
+ 8: 2 3 4 5 0 1 2 3
+ 16: 4 5 0 1 2 3 4 5
+ 24: 0 1 2 3 4 5 0 1
+...
+
+Now change indirection table somehow:
+
+[root@sm-03 ~]# ethtool -X enp4s0f0 weight 1 1
+[root@sm-03 ~]# ethtool -x enp4s0f0
+RX flow hash indirection table for enp4s0f0 with 6 RX ring(s):
+ 0: 0 0 0 0 0 0 0 0
+...
+ 64: 1 1 1 1 1 1 1 1
+...
+
+Now it is not possible to change mapping back to equal (default) state:
+
+[root@sm-03 ~]# ethtool -X enp4s0f0 equal 6
+Cannot set RX flow hash configuration: Invalid argument
+
+Fixes: 594ad54a2c3b ("be2net: Add support for setting and getting rx flow hash options")
+Reported-by: Tianhao <tizhao@redhat.com>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/emulex/benet/be_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/emulex/benet/be_ethtool.c
++++ b/drivers/net/ethernet/emulex/benet/be_ethtool.c
+@@ -1105,7 +1105,7 @@ static int be_get_rxnfc(struct net_devic
+ cmd->data = be_get_rss_hash_opts(adapter, cmd->flow_type);
+ break;
+ case ETHTOOL_GRXRINGS:
+- cmd->data = adapter->num_rx_qs - 1;
++ cmd->data = adapter->num_rx_qs;
+ break;
+ default:
+ return -EINVAL;
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Tue, 11 Jun 2019 00:27:06 +0200
+Subject: geneve: Don't assume linear buffers in error handler
+
+From: Stefano Brivio <sbrivio@redhat.com>
+
+[ Upstream commit eccc73a6b2cb6c04bfbc40a0769f3c428dfba232 ]
+
+In commit a07966447f39 ("geneve: ICMP error lookup handler") I wrongly
+assumed buffers from icmp_socket_deliver() would be linear. This is not
+the case: icmp_socket_deliver() only guarantees we have 8 bytes of linear
+data.
+
+Eric fixed this same issue for fou and fou6 in commits 26fc181e6cac
+("fou, fou6: do not assume linear skbs") and 5355ed6388e2 ("fou, fou6:
+avoid uninit-value in gue_err() and gue6_err()").
+
+Use pskb_may_pull() instead of checking skb->len, and take into account
+the fact we later access the GENEVE header with udp_hdr(), so we also
+need to sum skb_transport_header() here.
+
+Reported-by: Guillaume Nault <gnault@redhat.com>
+Fixes: a07966447f39 ("geneve: ICMP error lookup handler")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/geneve.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -396,7 +396,7 @@ static int geneve_udp_encap_err_lookup(s
+ u8 zero_vni[3] = { 0 };
+ u8 *vni = zero_vni;
+
+- if (skb->len < GENEVE_BASE_HLEN)
++ if (!pskb_may_pull(skb, skb_transport_offset(skb) + GENEVE_BASE_HLEN))
+ return -EINVAL;
+
+ geneveh = geneve_hdr(skb);
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Haiyang Zhang <haiyangz@microsoft.com>
+Date: Thu, 13 Jun 2019 21:06:53 +0000
+Subject: hv_netvsc: Set probe mode to sync
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+[ Upstream commit 9a33629ba6b26caebd73e3c581ba1e6068c696a7 ]
+
+For better consistency of synthetic NIC names, we set the probe mode to
+PROBE_FORCE_SYNCHRONOUS. So the names can be aligned with the vmbus
+channel offer sequence.
+
+Fixes: af0a5646cb8d ("use the new async probing feature for the hyperv drivers")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -2414,7 +2414,7 @@ static struct hv_driver netvsc_drv = {
+ .probe = netvsc_probe,
+ .remove = netvsc_remove,
+ .driver = {
+- .probe_type = PROBE_PREFER_ASYNCHRONOUS,
++ .probe_type = PROBE_FORCE_SYNCHRONOUS,
+ },
+ };
+
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 6 Jun 2019 14:32:34 -0700
+Subject: ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 65a3c497c0e965a552008db8bc2653f62bc925a1 ]
+
+Before taking a refcount, make sure the object is not already
+scheduled for deletion.
+
+Same fix is needed in ipv6_flowlabel_opt()
+
+Fixes: 18367681a10b ("ipv6 flowlabel: Convert np->ipv6_fl_list to RCU.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_flowlabel.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/ipv6/ip6_flowlabel.c
++++ b/net/ipv6/ip6_flowlabel.c
+@@ -254,9 +254,9 @@ struct ip6_flowlabel *fl6_sock_lookup(st
+ rcu_read_lock_bh();
+ for_each_sk_fl_rcu(np, sfl) {
+ struct ip6_flowlabel *fl = sfl->fl;
+- if (fl->label == label) {
++
++ if (fl->label == label && atomic_inc_not_zero(&fl->users)) {
+ fl->lastuse = jiffies;
+- atomic_inc(&fl->users);
+ rcu_read_unlock_bh();
+ return fl;
+ }
+@@ -622,7 +622,8 @@ int ipv6_flowlabel_opt(struct sock *sk,
+ goto done;
+ }
+ fl1 = sfl->fl;
+- atomic_inc(&fl1->users);
++ if (!atomic_inc_not_zero(&fl1->users))
++ fl1 = NULL;
+ break;
+ }
+ }
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Sun, 16 Jun 2019 16:54:37 +0100
+Subject: lapb: fixed leak of control-blocks.
+
+From: Jeremy Sowden <jeremy@azazel.net>
+
+[ Upstream commit 6be8e297f9bcea666ea85ac7a6cd9d52d6deaf92 ]
+
+lapb_register calls lapb_create_cb, which initializes the control-
+block's ref-count to one, and __lapb_insert_cb, which increments it when
+adding the new block to the list of blocks.
+
+lapb_unregister calls __lapb_remove_cb, which decrements the ref-count
+when removing control-block from the list of blocks, and calls lapb_put
+itself to decrement the ref-count before returning.
+
+However, lapb_unregister also calls __lapb_devtostruct to look up the
+right control-block for the given net_device, and __lapb_devtostruct
+also bumps the ref-count, which means that when lapb_unregister returns
+the ref-count is still 1 and the control-block is leaked.
+
+Call lapb_put after __lapb_devtostruct to fix leak.
+
+Reported-by: syzbot+afb980676c836b4a0afa@syzkaller.appspotmail.com
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/lapb/lapb_iface.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/lapb/lapb_iface.c
++++ b/net/lapb/lapb_iface.c
+@@ -182,6 +182,7 @@ int lapb_unregister(struct net_device *d
+ lapb = __lapb_devtostruct(dev);
+ if (!lapb)
+ goto out;
++ lapb_put(lapb);
+
+ lapb_stop_t1timer(lapb);
+ lapb_stop_t2timer(lapb);
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Petr Machata <petrm@mellanox.com>
+Date: Tue, 11 Jun 2019 10:19:45 +0300
+Subject: mlxsw: spectrum_buffers: Reduce pool size on Spectrum-2
+
+From: Petr Machata <petrm@mellanox.com>
+
+Due to an issue on Spectrum-2, in front-panel ports split four ways, 2 out
+of 32 port buffers cannot be used. To work around this, the next FW release
+will mark them as unused, and will report correspondingly lower total
+shared buffer size. mlxsw will pick up the new value through a query to
+cap_total_buffer_size resource. However the initial size for shared buffer
+pool 0 is hard-coded and therefore needs to be updated.
+
+Thus reduce the pool size by 2.7 MiB (which corresponds to 2/32 of the
+total size of 42 MiB), and round down to the whole number of cells.
+
+Fixes: fe099bf682ab ("mlxsw: spectrum_buffers: Add Spectrum-2 shared buffer configuration")
+Signed-off-by: Petr Machata <petrm@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c
+@@ -411,9 +411,9 @@ static const struct mlxsw_sp_sb_pr mlxsw
+ MLXSW_SP_SB_PR(MLXSW_REG_SBPR_MODE_STATIC, MLXSW_SP_SB_INFI),
+ };
+
+-#define MLXSW_SP2_SB_PR_INGRESS_SIZE 40960000
++#define MLXSW_SP2_SB_PR_INGRESS_SIZE 38128752
++#define MLXSW_SP2_SB_PR_EGRESS_SIZE 38128752
+ #define MLXSW_SP2_SB_PR_INGRESS_MNG_SIZE (200 * 1000)
+-#define MLXSW_SP2_SB_PR_EGRESS_SIZE 40960000
+
+ static const struct mlxsw_sp_sb_pr mlxsw_sp2_sb_prs[] = {
+ /* Ingress pools. */
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Jiri Pirko <jiri@mellanox.com>
+Date: Tue, 11 Jun 2019 10:19:43 +0300
+Subject: mlxsw: spectrum_flower: Fix TOS matching
+
+From: Jiri Pirko <jiri@mellanox.com>
+
+The TOS value was not extracted correctly. Fix it.
+
+Fixes: 87996f91f739 ("mlxsw: spectrum_flower: Add support for ip tos")
+Reported-by: Alexander Petrovskiy <alexpe@mellanox.com>
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c
+@@ -247,8 +247,8 @@ static int mlxsw_sp_flower_parse_ip(stru
+ match.mask->tos & 0x3);
+
+ mlxsw_sp_acl_rulei_keymask_u32(rulei, MLXSW_AFK_ELEMENT_IP_DSCP,
+- match.key->tos >> 6,
+- match.mask->tos >> 6);
++ match.key->tos >> 2,
++ match.mask->tos >> 2);
+
+ return 0;
+ }
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Tue, 11 Jun 2019 10:19:41 +0300
+Subject: mlxsw: spectrum_router: Refresh nexthop neighbour when it becomes dead
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+The driver tries to periodically refresh neighbours that are used to
+reach nexthops. This is done by periodically calling neigh_event_send().
+
+However, if the neighbour becomes dead, there is nothing we can do to
+return it to a connected state and the above function call is basically
+a NOP.
+
+This results in the nexthop never being written to the device's
+adjacency table and therefore never used to forward packets.
+
+Fix this by dropping our reference from the dead neighbour and
+associating the nexthop with a new neigbhour which we will try to
+refresh.
+
+Fixes: a7ff87acd995 ("mlxsw: spectrum_router: Implement next-hop routing")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-by: Alex Veber <alexve@mellanox.com>
+Tested-by: Alex Veber <alexve@mellanox.com>
+Acked-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 73 +++++++++++++++++-
+ 1 file changed, 70 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+@@ -2363,7 +2363,7 @@ static void mlxsw_sp_router_probe_unreso
+ static void
+ mlxsw_sp_nexthop_neigh_update(struct mlxsw_sp *mlxsw_sp,
+ struct mlxsw_sp_neigh_entry *neigh_entry,
+- bool removing);
++ bool removing, bool dead);
+
+ static enum mlxsw_reg_rauht_op mlxsw_sp_rauht_op(bool adding)
+ {
+@@ -2494,7 +2494,8 @@ static void mlxsw_sp_router_neigh_event_
+
+ memcpy(neigh_entry->ha, ha, ETH_ALEN);
+ mlxsw_sp_neigh_entry_update(mlxsw_sp, neigh_entry, entry_connected);
+- mlxsw_sp_nexthop_neigh_update(mlxsw_sp, neigh_entry, !entry_connected);
++ mlxsw_sp_nexthop_neigh_update(mlxsw_sp, neigh_entry, !entry_connected,
++ dead);
+
+ if (!neigh_entry->connected && list_empty(&neigh_entry->nexthop_list))
+ mlxsw_sp_neigh_entry_destroy(mlxsw_sp, neigh_entry);
+@@ -3458,13 +3459,79 @@ static void __mlxsw_sp_nexthop_neigh_upd
+ nh->update = 1;
+ }
+
++static int
++mlxsw_sp_nexthop_dead_neigh_replace(struct mlxsw_sp *mlxsw_sp,
++ struct mlxsw_sp_neigh_entry *neigh_entry)
++{
++ struct neighbour *n, *old_n = neigh_entry->key.n;
++ struct mlxsw_sp_nexthop *nh;
++ bool entry_connected;
++ u8 nud_state, dead;
++ int err;
++
++ nh = list_first_entry(&neigh_entry->nexthop_list,
++ struct mlxsw_sp_nexthop, neigh_list_node);
++
++ n = neigh_lookup(nh->nh_grp->neigh_tbl, &nh->gw_addr, nh->rif->dev);
++ if (!n) {
++ n = neigh_create(nh->nh_grp->neigh_tbl, &nh->gw_addr,
++ nh->rif->dev);
++ if (IS_ERR(n))
++ return PTR_ERR(n);
++ neigh_event_send(n, NULL);
++ }
++
++ mlxsw_sp_neigh_entry_remove(mlxsw_sp, neigh_entry);
++ neigh_entry->key.n = n;
++ err = mlxsw_sp_neigh_entry_insert(mlxsw_sp, neigh_entry);
++ if (err)
++ goto err_neigh_entry_insert;
++
++ read_lock_bh(&n->lock);
++ nud_state = n->nud_state;
++ dead = n->dead;
++ read_unlock_bh(&n->lock);
++ entry_connected = nud_state & NUD_VALID && !dead;
++
++ list_for_each_entry(nh, &neigh_entry->nexthop_list,
++ neigh_list_node) {
++ neigh_release(old_n);
++ neigh_clone(n);
++ __mlxsw_sp_nexthop_neigh_update(nh, !entry_connected);
++ mlxsw_sp_nexthop_group_refresh(mlxsw_sp, nh->nh_grp);
++ }
++
++ neigh_release(n);
++
++ return 0;
++
++err_neigh_entry_insert:
++ neigh_entry->key.n = old_n;
++ mlxsw_sp_neigh_entry_insert(mlxsw_sp, neigh_entry);
++ neigh_release(n);
++ return err;
++}
++
+ static void
+ mlxsw_sp_nexthop_neigh_update(struct mlxsw_sp *mlxsw_sp,
+ struct mlxsw_sp_neigh_entry *neigh_entry,
+- bool removing)
++ bool removing, bool dead)
+ {
+ struct mlxsw_sp_nexthop *nh;
+
++ if (list_empty(&neigh_entry->nexthop_list))
++ return;
++
++ if (dead) {
++ int err;
++
++ err = mlxsw_sp_nexthop_dead_neigh_replace(mlxsw_sp,
++ neigh_entry);
++ if (err)
++ dev_err(mlxsw_sp->bus_info->dev, "Failed to replace dead neigh\n");
++ return;
++ }
++
+ list_for_each_entry(nh, &neigh_entry->nexthop_list,
+ neigh_list_node) {
+ __mlxsw_sp_nexthop_neigh_update(nh, removing);
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 15 Jun 2019 16:28:48 -0700
+Subject: neigh: fix use-after-free read in pneigh_get_next
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f3e92cb8e2eb8c27d109e6fd73d3a69a8c09e288 ]
+
+Nine years ago, I added RCU handling to neighbours, not pneighbours.
+(pneigh are not commonly used)
+
+Unfortunately I missed that /proc dump operations would use a
+common entry and exit point : neigh_seq_start() and neigh_seq_stop()
+
+We need to read_lock(tbl->lock) or risk use-after-free while
+iterating the pneigh structures.
+
+We might later convert pneigh to RCU and revert this patch.
+
+sysbot reported :
+
+BUG: KASAN: use-after-free in pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158
+Read of size 8 at addr ffff888097f2a700 by task syz-executor.0/9825
+
+CPU: 1 PID: 9825 Comm: syz-executor.0 Not tainted 5.2.0-rc4+ #32
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
+ __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
+ kasan_report+0x12/0x20 mm/kasan/common.c:614
+ __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
+ pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158
+ neigh_seq_next+0xdb/0x210 net/core/neighbour.c:3240
+ seq_read+0x9cf/0x1110 fs/seq_file.c:258
+ proc_reg_read+0x1fc/0x2c0 fs/proc/inode.c:221
+ do_loop_readv_writev fs/read_write.c:714 [inline]
+ do_loop_readv_writev fs/read_write.c:701 [inline]
+ do_iter_read+0x4a4/0x660 fs/read_write.c:935
+ vfs_readv+0xf0/0x160 fs/read_write.c:997
+ kernel_readv fs/splice.c:359 [inline]
+ default_file_splice_read+0x475/0x890 fs/splice.c:414
+ do_splice_to+0x127/0x180 fs/splice.c:877
+ splice_direct_to_actor+0x2d2/0x970 fs/splice.c:954
+ do_splice_direct+0x1da/0x2a0 fs/splice.c:1063
+ do_sendfile+0x597/0xd00 fs/read_write.c:1464
+ __do_sys_sendfile64 fs/read_write.c:1525 [inline]
+ __se_sys_sendfile64 fs/read_write.c:1511 [inline]
+ __x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1511
+ do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x4592c9
+Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f4aab51dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
+RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004592c9
+RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
+RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000080000000 R11: 0000000000000246 R12: 00007f4aab51e6d4
+R13: 00000000004c689d R14: 00000000004db828 R15: 00000000ffffffff
+
+Allocated by task 9827:
+ save_stack+0x23/0x90 mm/kasan/common.c:71
+ set_track mm/kasan/common.c:79 [inline]
+ __kasan_kmalloc mm/kasan/common.c:489 [inline]
+ __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
+ kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
+ __do_kmalloc mm/slab.c:3660 [inline]
+ __kmalloc+0x15c/0x740 mm/slab.c:3669
+ kmalloc include/linux/slab.h:552 [inline]
+ pneigh_lookup+0x19c/0x4a0 net/core/neighbour.c:731
+ arp_req_set_public net/ipv4/arp.c:1010 [inline]
+ arp_req_set+0x613/0x720 net/ipv4/arp.c:1026
+ arp_ioctl+0x652/0x7f0 net/ipv4/arp.c:1226
+ inet_ioctl+0x2a0/0x340 net/ipv4/af_inet.c:926
+ sock_do_ioctl+0xd8/0x2f0 net/socket.c:1043
+ sock_ioctl+0x3ed/0x780 net/socket.c:1194
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:509 [inline]
+ do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696
+ ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
+ __do_sys_ioctl fs/ioctl.c:720 [inline]
+ __se_sys_ioctl fs/ioctl.c:718 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
+ do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Freed by task 9824:
+ save_stack+0x23/0x90 mm/kasan/common.c:71
+ set_track mm/kasan/common.c:79 [inline]
+ __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
+ kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
+ __cache_free mm/slab.c:3432 [inline]
+ kfree+0xcf/0x220 mm/slab.c:3755
+ pneigh_ifdown_and_unlock net/core/neighbour.c:812 [inline]
+ __neigh_ifdown+0x236/0x2f0 net/core/neighbour.c:356
+ neigh_ifdown+0x20/0x30 net/core/neighbour.c:372
+ arp_ifdown+0x1d/0x21 net/ipv4/arp.c:1274
+ inetdev_destroy net/ipv4/devinet.c:319 [inline]
+ inetdev_event+0xa14/0x11f0 net/ipv4/devinet.c:1544
+ notifier_call_chain+0xc2/0x230 kernel/notifier.c:95
+ __raw_notifier_call_chain kernel/notifier.c:396 [inline]
+ raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:403
+ call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1749
+ call_netdevice_notifiers_extack net/core/dev.c:1761 [inline]
+ call_netdevice_notifiers net/core/dev.c:1775 [inline]
+ rollback_registered_many+0x9b9/0xfc0 net/core/dev.c:8178
+ rollback_registered+0x109/0x1d0 net/core/dev.c:8220
+ unregister_netdevice_queue net/core/dev.c:9267 [inline]
+ unregister_netdevice_queue+0x1ee/0x2c0 net/core/dev.c:9260
+ unregister_netdevice include/linux/netdevice.h:2631 [inline]
+ __tun_detach+0xd8a/0x1040 drivers/net/tun.c:724
+ tun_detach drivers/net/tun.c:741 [inline]
+ tun_chr_close+0xe0/0x180 drivers/net/tun.c:3451
+ __fput+0x2ff/0x890 fs/file_table.c:280
+ ____fput+0x16/0x20 fs/file_table.c:313
+ task_work_run+0x145/0x1c0 kernel/task_work.c:113
+ tracehook_notify_resume include/linux/tracehook.h:185 [inline]
+ exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:168
+ prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
+ syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
+ do_syscall_64+0x58e/0x680 arch/x86/entry/common.c:304
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The buggy address belongs to the object at ffff888097f2a700
+ which belongs to the cache kmalloc-64 of size 64
+The buggy address is located 0 bytes inside of
+ 64-byte region [ffff888097f2a700, ffff888097f2a740)
+The buggy address belongs to the page:
+page:ffffea00025fca80 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0
+flags: 0x1fffc0000000200(slab)
+raw: 01fffc0000000200 ffffea000250d548 ffffea00025726c8 ffff8880aa400340
+raw: 0000000000000000 ffff888097f2a000 0000000100000020 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888097f2a600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+ ffff888097f2a680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+>ffff888097f2a700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ^
+ ffff888097f2a780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff888097f2a800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+
+Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -3199,6 +3199,7 @@ static void *neigh_get_idx_any(struct se
+ }
+
+ void *neigh_seq_start(struct seq_file *seq, loff_t *pos, struct neigh_table *tbl, unsigned int neigh_seq_flags)
++ __acquires(tbl->lock)
+ __acquires(rcu_bh)
+ {
+ struct neigh_seq_state *state = seq->private;
+@@ -3209,6 +3210,7 @@ void *neigh_seq_start(struct seq_file *s
+
+ rcu_read_lock_bh();
+ state->nht = rcu_dereference_bh(tbl->nht);
++ read_lock(&tbl->lock);
+
+ return *pos ? neigh_get_idx_any(seq, pos) : SEQ_START_TOKEN;
+ }
+@@ -3242,8 +3244,13 @@ out:
+ EXPORT_SYMBOL(neigh_seq_next);
+
+ void neigh_seq_stop(struct seq_file *seq, void *v)
++ __releases(tbl->lock)
+ __releases(rcu_bh)
+ {
++ struct neigh_seq_state *state = seq->private;
++ struct neigh_table *tbl = state->tbl;
++
++ read_unlock(&tbl->lock);
+ rcu_read_unlock_bh();
+ }
+ EXPORT_SYMBOL(neigh_seq_stop);
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Willem de Bruijn <willemb@google.com>
+Date: Fri, 7 Jun 2019 17:57:48 -0400
+Subject: net: correct udp zerocopy refcnt also when zerocopy only on append
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 522924b583082f51b8a2406624a2f27c22119b20 ]
+
+The below patch fixes an incorrect zerocopy refcnt increment when
+appending with MSG_MORE to an existing zerocopy udp skb.
+
+ send(.., MSG_ZEROCOPY | MSG_MORE); // refcnt 1
+ send(.., MSG_ZEROCOPY | MSG_MORE); // refcnt still 1 (bar frags)
+
+But it missed that zerocopy need not be passed at the first send. The
+right test whether the uarg is newly allocated and thus has extra
+refcnt 1 is not !skb, but !skb_zcopy.
+
+ send(.., MSG_MORE); // <no uarg>
+ send(.., MSG_ZEROCOPY); // refcnt 1
+
+Fixes: 100f6d8e09905 ("net: correct zerocopy refcnt with udp MSG_MORE")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_output.c | 2 +-
+ net/ipv6/ip6_output.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -923,7 +923,7 @@ static int __ip_append_data(struct sock
+ uarg = sock_zerocopy_realloc(sk, length, skb_zcopy(skb));
+ if (!uarg)
+ return -ENOBUFS;
+- extra_uref = !skb; /* only extra ref if !MSG_MORE */
++ extra_uref = !skb_zcopy(skb); /* only ref on new uarg */
+ if (rt->dst.dev->features & NETIF_F_SG &&
+ csummode == CHECKSUM_PARTIAL) {
+ paged = true;
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1344,7 +1344,7 @@ emsgsize:
+ uarg = sock_zerocopy_realloc(sk, length, skb_zcopy(skb));
+ if (!uarg)
+ return -ENOBUFS;
+- extra_uref = !skb; /* only extra ref if !MSG_MORE */
++ extra_uref = !skb_zcopy(skb); /* only ref on new uarg */
+ if (rt->dst.dev->features & NETIF_F_SG &&
+ csummode == CHECKSUM_PARTIAL) {
+ paged = true;
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Robert Hancock <hancock@sedsystems.ca>
+Date: Wed, 12 Jun 2019 14:33:32 -0600
+Subject: net: dsa: microchip: Don't try to read stats for unused ports
+
+From: Robert Hancock <hancock@sedsystems.ca>
+
+[ Upstream commit 6bb9e376c2a4cc5120c3bf5fd3048b9a0a6ec1f8 ]
+
+If some of the switch ports were not listed in the device tree, due to
+being unused, the ksz_mib_read_work function ended up accessing a NULL
+dp->slave pointer and causing an oops. Skip checking statistics for any
+unused ports.
+
+Fixes: 7c6ff470aa867f53 ("net: dsa: microchip: add MIB counter reading support")
+Signed-off-by: Robert Hancock <hancock@sedsystems.ca>
+Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/microchip/ksz_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/dsa/microchip/ksz_common.c
++++ b/drivers/net/dsa/microchip/ksz_common.c
+@@ -83,6 +83,9 @@ static void ksz_mib_read_work(struct wor
+ int i;
+
+ for (i = 0; i < dev->mib_port_cnt; i++) {
++ if (dsa_is_unused_port(dev->ds, i))
++ continue;
++
+ p = &dev->ports[i];
+ mib = &p->mib;
+ mutex_lock(&mib->cnt_mutex);
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Fri, 14 Jun 2019 00:25:20 +0200
+Subject: net: dsa: rtl8366: Fix up VLAN filtering
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 760c80b70bed2cd01630e8595d1bbde910339f31 ]
+
+We get this regression when using RTL8366RB as part of a bridge
+with OpenWrt:
+
+WARNING: CPU: 0 PID: 1347 at net/switchdev/switchdev.c:291
+ switchdev_port_attr_set_now+0x80/0xa4
+lan0: Commit of attribute (id=7) failed.
+(...)
+realtek-smi switch lan0: failed to initialize vlan filtering on this port
+
+This is because it is trying to disable VLAN filtering
+on VLAN0, as we have forgot to add 1 to the port number
+to get the right VLAN in rtl8366_vlan_filtering(): when
+we initialize the VLAN we associate VLAN1 with port 0,
+VLAN2 with port 1 etc, so we need to add 1 to the port
+offset.
+
+Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/rtl8366.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/dsa/rtl8366.c
++++ b/drivers/net/dsa/rtl8366.c
+@@ -307,7 +307,8 @@ int rtl8366_vlan_filtering(struct dsa_sw
+ struct rtl8366_vlan_4k vlan4k;
+ int ret;
+
+- if (!smi->ops->is_vlan_valid(smi, port))
++ /* Use VLAN nr port + 1 since VLAN0 is not valid */
++ if (!smi->ops->is_vlan_valid(smi, port + 1))
+ return -EINVAL;
+
+ dev_info(smi->dev, "%s filtering on port %d\n",
+@@ -318,12 +319,12 @@ int rtl8366_vlan_filtering(struct dsa_sw
+ * The hardware support filter ID (FID) 0..7, I have no clue how to
+ * support this in the driver when the callback only says on/off.
+ */
+- ret = smi->ops->get_vlan_4k(smi, port, &vlan4k);
++ ret = smi->ops->get_vlan_4k(smi, port + 1, &vlan4k);
+ if (ret)
+ return ret;
+
+ /* Just set the filter to FID 1 for now then */
+- ret = rtl8366_set_vlan(smi, port,
++ ret = rtl8366_set_vlan(smi, port + 1,
+ vlan4k.member,
+ vlan4k.untag,
+ 1);
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Date: Wed, 12 Jun 2019 17:18:38 +0200
+Subject: net: ethtool: Allow matching on vlan DEI bit
+
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+
+[ Upstream commit f0d2ca1531377e7da888913e277eefac05a59b6f ]
+
+Using ethtool, users can specify a classification action matching on the
+full vlan tag, which includes the DEI bit (also previously called CFI).
+
+However, when converting the ethool_flow_spec to a flow_rule, we use
+dissector keys to represent the matching patterns.
+
+Since the vlan dissector key doesn't include the DEI bit, this
+information was silently discarded when translating the ethtool
+flow spec in to a flow_rule.
+
+This commit adds the DEI bit into the vlan dissector key, and allows
+propagating the information to the driver when parsing the ethtool flow
+spec.
+
+Fixes: eca4205f9ec3 ("ethtool: add ethtool_rx_flow_spec to flow_rule structure translator")
+Reported-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/flow_dissector.h | 1 +
+ net/core/ethtool.c | 5 +++++
+ 2 files changed, 6 insertions(+)
+
+--- a/include/net/flow_dissector.h
++++ b/include/net/flow_dissector.h
+@@ -46,6 +46,7 @@ struct flow_dissector_key_tags {
+
+ struct flow_dissector_key_vlan {
+ u16 vlan_id:12,
++ vlan_dei:1,
+ vlan_priority:3;
+ __be16 vlan_tpid;
+ };
+--- a/net/core/ethtool.c
++++ b/net/core/ethtool.c
+@@ -3022,6 +3022,11 @@ ethtool_rx_flow_rule_create(const struct
+ match->mask.vlan.vlan_id =
+ ntohs(ext_m_spec->vlan_tci) & 0x0fff;
+
++ match->key.vlan.vlan_dei =
++ !!(ext_h_spec->vlan_tci & htons(0x1000));
++ match->mask.vlan.vlan_dei =
++ !!(ext_m_spec->vlan_tci & htons(0x1000));
++
+ match->key.vlan.vlan_priority =
+ (ntohs(ext_h_spec->vlan_tci) & 0xe000) >> 13;
+ match->mask.vlan.vlan_priority =
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Alaa Hleihel <alaa@mellanox.com>
+Date: Sun, 19 May 2019 11:11:49 +0300
+Subject: net/mlx5: Avoid reloading already removed devices
+
+From: Alaa Hleihel <alaa@mellanox.com>
+
+Prior to reloading a device we must first verify that it was not already
+removed. Otherwise, the attempt to remove the device will do nothing, and
+in that case we will end up proceeding with adding an new device that no
+one was expecting to remove, leaving behind used resources such as EQs that
+causes a failure to destroy comp EQs and syndrome (0x30f433).
+
+Fix that by making sure that we try to remove and add a device (based on a
+protocol) only if the device is already added.
+
+Fixes: c5447c70594b ("net/mlx5: E-Switch, Reload IB interface when switching devlink modes")
+Signed-off-by: Alaa Hleihel <alaa@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/dev.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c
+@@ -248,11 +248,32 @@ void mlx5_unregister_interface(struct ml
+ }
+ EXPORT_SYMBOL(mlx5_unregister_interface);
+
++/* Must be called with intf_mutex held */
++static bool mlx5_has_added_dev_by_protocol(struct mlx5_core_dev *mdev, int protocol)
++{
++ struct mlx5_device_context *dev_ctx;
++ struct mlx5_interface *intf;
++ bool found = false;
++
++ list_for_each_entry(intf, &intf_list, list) {
++ if (intf->protocol == protocol) {
++ dev_ctx = mlx5_get_device(intf, &mdev->priv);
++ if (dev_ctx && test_bit(MLX5_INTERFACE_ADDED, &dev_ctx->state))
++ found = true;
++ break;
++ }
++ }
++
++ return found;
++}
++
+ void mlx5_reload_interface(struct mlx5_core_dev *mdev, int protocol)
+ {
+ mutex_lock(&mlx5_intf_mutex);
+- mlx5_remove_dev_by_protocol(mdev, protocol);
+- mlx5_add_dev_by_protocol(mdev, protocol);
++ if (mlx5_has_added_dev_by_protocol(mdev, protocol)) {
++ mlx5_remove_dev_by_protocol(mdev, protocol);
++ mlx5_add_dev_by_protocol(mdev, protocol);
++ }
+ mutex_unlock(&mlx5_intf_mutex);
+ }
+
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Edward Srouji <edwards@mellanox.com>
+Date: Thu, 23 May 2019 19:45:38 +0300
+Subject: net/mlx5: Update pci error handler entries and command translation
+
+From: Edward Srouji <edwards@mellanox.com>
+
+Add missing entries for create/destroy UCTX and UMEM commands.
+This could get us wrong "unknown FW command" error in flows
+where we unbind the device or reset the driver.
+
+Also the translation of these commands from opcodes to string
+was missing.
+
+Fixes: 6e3722baac04 ("IB/mlx5: Use the correct commands for UMEM and UCTX allocation")
+Signed-off-by: Edward Srouji <edwards@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -441,6 +441,10 @@ static int mlx5_internal_err_ret_value(s
+ case MLX5_CMD_OP_CREATE_GENERAL_OBJECT:
+ case MLX5_CMD_OP_MODIFY_GENERAL_OBJECT:
+ case MLX5_CMD_OP_QUERY_GENERAL_OBJECT:
++ case MLX5_CMD_OP_CREATE_UCTX:
++ case MLX5_CMD_OP_DESTROY_UCTX:
++ case MLX5_CMD_OP_CREATE_UMEM:
++ case MLX5_CMD_OP_DESTROY_UMEM:
+ case MLX5_CMD_OP_ALLOC_MEMIC:
+ *status = MLX5_DRIVER_STATUS_ABORTED;
+ *synd = MLX5_DRIVER_SYND;
+@@ -629,6 +633,10 @@ const char *mlx5_command_str(int command
+ MLX5_COMMAND_STR_CASE(ALLOC_MEMIC);
+ MLX5_COMMAND_STR_CASE(DEALLOC_MEMIC);
+ MLX5_COMMAND_STR_CASE(QUERY_HOST_PARAMS);
++ MLX5_COMMAND_STR_CASE(CREATE_UCTX);
++ MLX5_COMMAND_STR_CASE(DESTROY_UCTX);
++ MLX5_COMMAND_STR_CASE(CREATE_UMEM);
++ MLX5_COMMAND_STR_CASE(DESTROY_UMEM);
+ default: return "unknown command opcode";
+ }
+ }
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Chris Mi <chrism@mellanox.com>
+Date: Thu, 16 May 2019 17:36:43 +0800
+Subject: net/mlx5e: Add ndo_set_feature for uplink representor
+
+From: Chris Mi <chrism@mellanox.com>
+
+After we have a dedicated uplink representor, the new netdev ops
+doesn't support ndo_set_feature. Because of that, we can't change
+some features, eg. rxvlan. Now add it back.
+
+In this patch, I also do a cleanup for the features flag handling,
+eg. remove duplicate NETIF_F_HW_TC flag setting.
+
+Fixes: aec002f6f82c ("net/mlx5e: Uninstantiate esw manager vport netdev on switchdev mode")
+Signed-off-by: Chris Mi <chrism@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Reviewed-by: Vlad Buslov <vladbu@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en.h | 1 +
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +--
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 10 ++++++----
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
+@@ -1059,6 +1059,7 @@ void mlx5e_del_vxlan_port(struct net_dev
+ netdev_features_t mlx5e_features_check(struct sk_buff *skb,
+ struct net_device *netdev,
+ netdev_features_t features);
++int mlx5e_set_features(struct net_device *netdev, netdev_features_t features);
+ #ifdef CONFIG_MLX5_ESWITCH
+ int mlx5e_set_vf_mac(struct net_device *dev, int vf, u8 *mac);
+ int mlx5e_set_vf_rate(struct net_device *dev, int vf, int min_tx_rate, int max_tx_rate);
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -3698,8 +3698,7 @@ static int mlx5e_handle_feature(struct n
+ return 0;
+ }
+
+-static int mlx5e_set_features(struct net_device *netdev,
+- netdev_features_t features)
++int mlx5e_set_features(struct net_device *netdev, netdev_features_t features)
+ {
+ netdev_features_t oper_features = netdev->features;
+ int err = 0;
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -1350,6 +1350,7 @@ static const struct net_device_ops mlx5e
+ .ndo_get_vf_stats = mlx5e_get_vf_stats,
+ .ndo_set_vf_vlan = mlx5e_uplink_rep_set_vf_vlan,
+ .ndo_get_port_parent_id = mlx5e_rep_get_port_parent_id,
++ .ndo_set_features = mlx5e_set_features,
+ };
+
+ bool mlx5e_eswitch_rep(struct net_device *netdev)
+@@ -1423,10 +1424,9 @@ static void mlx5e_build_rep_netdev(struc
+
+ netdev->watchdog_timeo = 15 * HZ;
+
++ netdev->features |= NETIF_F_NETNS_LOCAL;
+
+- netdev->features |= NETIF_F_HW_TC | NETIF_F_NETNS_LOCAL;
+- netdev->hw_features |= NETIF_F_HW_TC;
+-
++ netdev->hw_features |= NETIF_F_HW_TC;
+ netdev->hw_features |= NETIF_F_SG;
+ netdev->hw_features |= NETIF_F_IP_CSUM;
+ netdev->hw_features |= NETIF_F_IPV6_CSUM;
+@@ -1435,7 +1435,9 @@ static void mlx5e_build_rep_netdev(struc
+ netdev->hw_features |= NETIF_F_TSO6;
+ netdev->hw_features |= NETIF_F_RXCSUM;
+
+- if (rep->vport != MLX5_VPORT_UPLINK)
++ if (rep->vport == MLX5_VPORT_UPLINK)
++ netdev->hw_features |= NETIF_F_HW_VLAN_CTAG_RX;
++ else
+ netdev->features |= NETIF_F_VLAN_CHALLENGED;
+
+ netdev->features |= netdev->hw_features;
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Alaa Hleihel <alaa@mellanox.com>
+Date: Sun, 26 May 2019 11:56:27 +0300
+Subject: net/mlx5e: Avoid detaching non-existing netdev under switchdev mode
+
+From: Alaa Hleihel <alaa@mellanox.com>
+
+After introducing dedicated uplink representor, the netdev instance
+set over the esw manager vport (PF) became no longer in use, so it was
+removed in the cited commit once we're on switchdev mode.
+However, the mlx5e_detach function was not updated accordingly, and it
+still tries to detach a non-existing netdev, causing a kernel crash.
+
+This patch fixes this issue.
+
+Fixes: aec002f6f82c ("net/mlx5e: Uninstantiate esw manager vport netdev on switchdev mode")
+Signed-off-by: Alaa Hleihel <alaa@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -5165,6 +5165,11 @@ static void mlx5e_detach(struct mlx5_cor
+ struct mlx5e_priv *priv = vpriv;
+ struct net_device *netdev = priv->netdev;
+
++#ifdef CONFIG_MLX5_ESWITCH
++ if (MLX5_ESWITCH_MANAGER(mdev) && vpriv == mdev)
++ return;
++#endif
++
+ if (!netif_device_present(netdev))
+ return;
+
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Raed Salem <raeds@mellanox.com>
+Date: Sun, 2 Jun 2019 12:04:08 +0300
+Subject: net/mlx5e: Fix source port matching in fdb peer flow rule
+
+From: Raed Salem <raeds@mellanox.com>
+
+The cited commit changed the initialization placement of the eswitch
+attributes so it is done prior to parse tc actions function call,
+including among others the in_rep and in_mdev fields which are mistakenly
+reassigned inside the parse actions function.
+
+This breaks the source port matching criteria of the peer redirect rule.
+
+Fix by removing the now redundant reassignment of the already initialized
+fields.
+
+Fixes: 988ab9c7363a ("net/mlx5e: Introduce mlx5e_flow_esw_attr_init() helper")
+Signed-off-by: Raed Salem <raeds@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -2572,9 +2572,6 @@ static int parse_tc_fdb_actions(struct m
+ if (!flow_action_has_entries(flow_action))
+ return -EINVAL;
+
+- attr->in_rep = rpriv->rep;
+- attr->in_mdev = priv->mdev;
+-
+ flow_action_for_each(i, act, flow_action) {
+ switch (act->id) {
+ case FLOW_ACTION_DROP:
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Eli Britstein <elibr@mellanox.com>
+Date: Sun, 2 Jun 2019 13:47:59 +0000
+Subject: net/mlx5e: Support tagged tunnel over bond
+
+From: Eli Britstein <elibr@mellanox.com>
+
+Stacked devices like bond interface may have a VLAN device on top of
+them. Detect lag state correctly under this condition, and return the
+correct routed net device, according to it the encap header is built.
+
+Fixes: e32ee6c78efa ("net/mlx5e: Support tunnel encap over tagged Ethernet")
+Signed-off-by: Eli Britstein <elibr@mellanox.com>
+Reviewed-by: Roi Dayan <roid@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+@@ -11,24 +11,25 @@ static int get_route_and_out_devs(struct
+ struct net_device **route_dev,
+ struct net_device **out_dev)
+ {
++ struct net_device *uplink_dev, *uplink_upper, *real_dev;
+ struct mlx5_eswitch *esw = priv->mdev->priv.eswitch;
+- struct net_device *uplink_dev, *uplink_upper;
+ bool dst_is_lag_dev;
+
++ real_dev = is_vlan_dev(dev) ? vlan_dev_real_dev(dev) : dev;
+ uplink_dev = mlx5_eswitch_uplink_get_proto_dev(esw, REP_ETH);
+ uplink_upper = netdev_master_upper_dev_get(uplink_dev);
+ dst_is_lag_dev = (uplink_upper &&
+ netif_is_lag_master(uplink_upper) &&
+- dev == uplink_upper &&
++ real_dev == uplink_upper &&
+ mlx5_lag_is_sriov(priv->mdev));
+
+ /* if the egress device isn't on the same HW e-switch or
+ * it's a LAG device, use the uplink
+ */
+- if (!netdev_port_same_parent_id(priv->netdev, dev) ||
++ if (!netdev_port_same_parent_id(priv->netdev, real_dev) ||
+ dst_is_lag_dev) {
+- *route_dev = uplink_dev;
+- *out_dev = *route_dev;
++ *route_dev = dev;
++ *out_dev = uplink_dev;
+ } else {
+ *route_dev = dev;
+ if (is_vlan_dev(*route_dev))
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Date: Tue, 11 Jun 2019 11:51:42 +0200
+Subject: net: mvpp2: prs: Fix parser range for VID filtering
+
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+
+[ Upstream commit 46b0090a6636cf34c0e856f15dd03e15ba4cdda6 ]
+
+VID filtering is implemented in the Header Parser, with one range of 11
+vids being assigned for each no-loopback port.
+
+Make sure we use the per-port range when looking for existing entries in
+the Parser.
+
+Since we used a global range instead of a per-port one, this causes VIDs
+to be removed from the whitelist from all ports of the same PPv2
+instance.
+
+Fixes: 56beda3db602 ("net: mvpp2: Add hardware offloading for VLAN filtering")
+Suggested-by: Yuri Chipchev <yuric@marvell.com>
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
+@@ -1905,8 +1905,7 @@ static int mvpp2_prs_ip6_init(struct mvp
+ }
+
+ /* Find tcam entry with matched pair <vid,port> */
+-static int mvpp2_prs_vid_range_find(struct mvpp2 *priv, int pmap, u16 vid,
+- u16 mask)
++static int mvpp2_prs_vid_range_find(struct mvpp2_port *port, u16 vid, u16 mask)
+ {
+ unsigned char byte[2], enable[2];
+ struct mvpp2_prs_entry pe;
+@@ -1914,13 +1913,13 @@ static int mvpp2_prs_vid_range_find(stru
+ int tid;
+
+ /* Go through the all entries with MVPP2_PRS_LU_VID */
+- for (tid = MVPP2_PE_VID_FILT_RANGE_START;
+- tid <= MVPP2_PE_VID_FILT_RANGE_END; tid++) {
+- if (!priv->prs_shadow[tid].valid ||
+- priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VID)
++ for (tid = MVPP2_PRS_VID_PORT_FIRST(port->id);
++ tid <= MVPP2_PRS_VID_PORT_LAST(port->id); tid++) {
++ if (!port->priv->prs_shadow[tid].valid ||
++ port->priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VID)
+ continue;
+
+- mvpp2_prs_init_from_hw(priv, &pe, tid);
++ mvpp2_prs_init_from_hw(port->priv, &pe, tid);
+
+ mvpp2_prs_tcam_data_byte_get(&pe, 2, &byte[0], &enable[0]);
+ mvpp2_prs_tcam_data_byte_get(&pe, 3, &byte[1], &enable[1]);
+@@ -1950,7 +1949,7 @@ int mvpp2_prs_vid_entry_add(struct mvpp2
+ memset(&pe, 0, sizeof(pe));
+
+ /* Scan TCAM and see if entry with this <vid,port> already exist */
+- tid = mvpp2_prs_vid_range_find(priv, (1 << port->id), vid, mask);
++ tid = mvpp2_prs_vid_range_find(port, vid, mask);
+
+ reg_val = mvpp2_read(priv, MVPP2_MH_REG(port->id));
+ if (reg_val & MVPP2_DSA_EXTENDED)
+@@ -2008,7 +2007,7 @@ void mvpp2_prs_vid_entry_remove(struct m
+ int tid;
+
+ /* Scan TCAM and see if entry with this <vid,port> already exist */
+- tid = mvpp2_prs_vid_range_find(priv, (1 << port->id), vid, 0xfff);
++ tid = mvpp2_prs_vid_range_find(port, vid, 0xfff);
+
+ /* No such entry */
+ if (tid < 0)
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Date: Tue, 11 Jun 2019 11:51:43 +0200
+Subject: net: mvpp2: prs: Use the correct helpers when removing all VID filters
+
+From: Maxime Chevallier <maxime.chevallier@bootlin.com>
+
+[ Upstream commit 6b7a3430c163455cf8a514d636bda52b04654972 ]
+
+When removing all VID filters, the mvpp2_prs_vid_entry_remove would be
+called with the TCAM id incorrectly used as a VID, causing the wrong
+TCAM entries to be invalidated.
+
+Fix this by directly invalidating entries in the VID range.
+
+Fixes: 56beda3db602 ("net: mvpp2: Add hardware offloading for VLAN filtering")
+Suggested-by: Yuri Chipchev <yuric@marvell.com>
+Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
+@@ -2025,8 +2025,10 @@ void mvpp2_prs_vid_remove_all(struct mvp
+
+ for (tid = MVPP2_PRS_VID_PORT_FIRST(port->id);
+ tid <= MVPP2_PRS_VID_PORT_LAST(port->id); tid++) {
+- if (priv->prs_shadow[tid].valid)
+- mvpp2_prs_vid_entry_remove(port, tid);
++ if (priv->prs_shadow[tid].valid) {
++ mvpp2_prs_hw_inv(priv, tid);
++ priv->prs_shadow[tid].valid = false;
++ }
+ }
+ }
+
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Sun, 9 Jun 2019 23:26:21 +0900
+Subject: net: openvswitch: do not free vport if register_netdevice() is failed.
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 309b66970ee2abf721ecd0876a48940fa0b99a35 ]
+
+In order to create an internal vport, internal_dev_create() is used and
+that calls register_netdevice() internally.
+If register_netdevice() fails, it calls dev->priv_destructor() to free
+private data of netdev. actually, a private data of this is a vport.
+
+Hence internal_dev_create() should not free and use a vport after failure
+of register_netdevice().
+
+Test command
+ ovs-dpctl add-dp bonding_masters
+
+Splat looks like:
+[ 1035.667767] kasan: GPF could be caused by NULL-ptr deref or user memory access
+[ 1035.675958] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
+[ 1035.676916] CPU: 1 PID: 1028 Comm: ovs-vswitchd Tainted: G B 5.2.0-rc3+ #240
+[ 1035.676916] RIP: 0010:internal_dev_create+0x2e5/0x4e0 [openvswitch]
+[ 1035.676916] Code: 48 c1 ea 03 80 3c 02 00 0f 85 9f 01 00 00 4c 8b 23 48 b8 00 00 00 00 00 fc ff df 49 8d bc 24 60 05 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 86 01 00 00 49 8b bc 24 60 05 00 00 e8 e4 68 f4
+[ 1035.713720] RSP: 0018:ffff88810dcb7578 EFLAGS: 00010206
+[ 1035.713720] RAX: dffffc0000000000 RBX: ffff88810d13fe08 RCX: ffffffff84297704
+[ 1035.713720] RDX: 00000000000000ac RSI: 0000000000000000 RDI: 0000000000000560
+[ 1035.713720] RBP: 00000000ffffffef R08: fffffbfff0d3b881 R09: fffffbfff0d3b881
+[ 1035.713720] R10: 0000000000000001 R11: fffffbfff0d3b880 R12: 0000000000000000
+[ 1035.768776] R13: 0000607ee460b900 R14: ffff88810dcb7690 R15: ffff88810dcb7698
+[ 1035.777709] FS: 00007f02095fc980(0000) GS:ffff88811b400000(0000) knlGS:0000000000000000
+[ 1035.777709] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1035.777709] CR2: 00007ffdf01d2f28 CR3: 0000000108258000 CR4: 00000000001006e0
+[ 1035.777709] Call Trace:
+[ 1035.777709] ovs_vport_add+0x267/0x4f0 [openvswitch]
+[ 1035.777709] new_vport+0x15/0x1e0 [openvswitch]
+[ 1035.777709] ovs_vport_cmd_new+0x567/0xd10 [openvswitch]
+[ 1035.777709] ? ovs_dp_cmd_dump+0x490/0x490 [openvswitch]
+[ 1035.777709] ? __kmalloc+0x131/0x2e0
+[ 1035.777709] ? genl_family_rcv_msg+0xa54/0x1030
+[ 1035.777709] genl_family_rcv_msg+0x63a/0x1030
+[ 1035.777709] ? genl_unregister_family+0x630/0x630
+[ 1035.841681] ? debug_show_all_locks+0x2d0/0x2d0
+[ ... ]
+
+Fixes: cf124db566e6 ("net: Fix inconsistent teardown and release of private netdev state.")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Reviewed-by: Greg Rose <gvrose8192@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/vport-internal_dev.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/net/openvswitch/vport-internal_dev.c
++++ b/net/openvswitch/vport-internal_dev.c
+@@ -170,7 +170,9 @@ static struct vport *internal_dev_create
+ {
+ struct vport *vport;
+ struct internal_dev *internal_dev;
++ struct net_device *dev;
+ int err;
++ bool free_vport = true;
+
+ vport = ovs_vport_alloc(0, &ovs_internal_vport_ops, parms);
+ if (IS_ERR(vport)) {
+@@ -178,8 +180,9 @@ static struct vport *internal_dev_create
+ goto error;
+ }
+
+- vport->dev = alloc_netdev(sizeof(struct internal_dev),
+- parms->name, NET_NAME_USER, do_setup);
++ dev = alloc_netdev(sizeof(struct internal_dev),
++ parms->name, NET_NAME_USER, do_setup);
++ vport->dev = dev;
+ if (!vport->dev) {
+ err = -ENOMEM;
+ goto error_free_vport;
+@@ -200,8 +203,10 @@ static struct vport *internal_dev_create
+
+ rtnl_lock();
+ err = register_netdevice(vport->dev);
+- if (err)
++ if (err) {
++ free_vport = false;
+ goto error_unlock;
++ }
+
+ dev_set_promiscuity(vport->dev, 1);
+ rtnl_unlock();
+@@ -211,11 +216,12 @@ static struct vport *internal_dev_create
+
+ error_unlock:
+ rtnl_unlock();
+- free_percpu(vport->dev->tstats);
++ free_percpu(dev->tstats);
+ error_free_netdev:
+- free_netdev(vport->dev);
++ free_netdev(dev);
+ error_free_vport:
+- ovs_vport_free(vport);
++ if (free_vport)
++ ovs_vport_free(vport);
+ error:
+ return ERR_PTR(err);
+ }
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+Date: Thu, 13 Jun 2019 09:37:51 +0300
+Subject: net: phylink: set the autoneg state in phylink_phy_change
+
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+
+[ Upstream commit ef7bfa84725d891bbdb88707ed55b2cbf94942bb ]
+
+The phy_state field of phylink should carry only valid information
+especially when this can be passed to the .mac_config callback.
+Update the an_enabled field with the autoneg state in the
+phylink_phy_change function.
+
+Fixes: 9525ae83959b ("phylink: add phylink infrastructure")
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phylink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/phylink.c
++++ b/drivers/net/phy/phylink.c
+@@ -638,6 +638,7 @@ static void phylink_phy_change(struct ph
+ pl->phy_state.pause |= MLO_PAUSE_ASYM;
+ pl->phy_state.interface = phydev->interface;
+ pl->phy_state.link = up;
++ pl->phy_state.an_enabled = phydev->autoneg;
+ mutex_unlock(&pl->state_mutex);
+
+ phylink_run_resolve(pl);
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: John Fastabend <john.fastabend@gmail.com>
+Date: Wed, 12 Jun 2019 17:23:57 +0000
+Subject: net: tls, correctly account for copied bytes with multiple sk_msgs
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 648ee6cea7dde4a5cdf817e5d964fd60b22006a4 ]
+
+tls_sw_do_sendpage needs to return the total number of bytes sent
+regardless of how many sk_msgs are allocated. Unfortunately, copied
+(the value we return up the stack) is zero'd before each new sk_msg
+is allocated so we only return the copied size of the last sk_msg used.
+
+The caller (splice, etc.) of sendpage will then believe only part
+of its data was sent and send the missing chunks again. However,
+because the data actually was sent the receiver will get multiple
+copies of the same data.
+
+To reproduce this do multiple sendfile calls with a length close to
+the max record size. This will in turn call splice/sendpage, sendpage
+may use multiple sk_msg in this case and then returns the incorrect
+number of bytes. This will cause splice to resend creating duplicate
+data on the receiver. Andre created a C program that can easily
+generate this case so we will push a similar selftest for this to
+bpf-next shortly.
+
+The fix is to _not_ zero the copied field so that the total sent
+bytes is returned.
+
+Reported-by: Steinar H. Gunderson <steinar+kernel@gunderson.no>
+Reported-by: Andre Tomt <andre@tomt.net>
+Tested-by: Andre Tomt <andre@tomt.net>
+Fixes: d829e9c4112b ("tls: convert to generic sk_msg interface")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_sw.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -1128,7 +1128,6 @@ static int tls_sw_do_sendpage(struct soc
+
+ full_record = false;
+ record_room = TLS_MAX_PAYLOAD_SIZE - msg_pl->sg.size;
+- copied = 0;
+ copy = size;
+ if (copy >= record_room) {
+ copy = record_room;
--- /dev/null
+From 6bac76db1da3cb162c425d58ae421486f8e43955 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 20 May 2019 13:48:10 +0200
+Subject: netfilter: nat: fix udp checksum corruption
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 6bac76db1da3cb162c425d58ae421486f8e43955 upstream.
+
+Due to copy&paste error nf_nat_mangle_udp_packet passes IPPROTO_TCP,
+resulting in incorrect udp checksum when payload had to be mangled.
+
+Fixes: dac3fe72596f9 ("netfilter: nat: remove csum_recalc hook")
+Reported-by: Marc Haber <mh+netdev@zugschlus.de>
+Tested-by: Marc Haber <mh+netdev@zugschlus.de>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_nat_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_nat_helper.c
++++ b/net/netfilter/nf_nat_helper.c
+@@ -170,7 +170,7 @@ nf_nat_mangle_udp_packet(struct sk_buff
+ if (!udph->check && skb->ip_summed != CHECKSUM_PARTIAL)
+ return true;
+
+- nf_nat_csum_recalc(skb, nf_ct_l3num(ct), IPPROTO_TCP,
++ nf_nat_csum_recalc(skb, nf_ct_l3num(ct), IPPROTO_UDP,
+ udph, &udph->check, datalen, oldlen);
+
+ return true;
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Young Xiao <92siuyang@gmail.com>
+Date: Fri, 14 Jun 2019 15:13:02 +0800
+Subject: nfc: Ensure presence of required attributes in the deactivate_target handler
+
+From: Young Xiao <92siuyang@gmail.com>
+
+[ Upstream commit 385097a3675749cbc9e97c085c0e5dfe4269ca51 ]
+
+Check that the NFC_ATTR_TARGET_INDEX attributes (in addition to
+NFC_ATTR_DEVICE_INDEX) are provided by the netlink client prior to
+accessing them. This prevents potential unhandled NULL pointer dereference
+exceptions which can be triggered by malicious user-mode programs,
+if they omit one or both of these attributes.
+
+Signed-off-by: Young Xiao <92siuyang@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/netlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -922,7 +922,8 @@ static int nfc_genl_deactivate_target(st
+ u32 device_idx, target_idx;
+ int rc;
+
+- if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
++ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] ||
++ !info->attrs[NFC_ATTR_TARGET_INDEX])
+ return -EINVAL;
+
+ device_idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Neil Horman <nhorman@tuxdriver.com>
+Date: Thu, 13 Jun 2019 06:35:59 -0400
+Subject: sctp: Free cookie before we memdup a new one
+
+From: Neil Horman <nhorman@tuxdriver.com>
+
+[ Upstream commit ce950f1050cece5e406a5cde723c69bba60e1b26 ]
+
+Based on comments from Xin, even after fixes for our recent syzbot
+report of cookie memory leaks, its possible to get a resend of an INIT
+chunk which would lead to us leaking cookie memory.
+
+To ensure that we don't leak cookie memory, free any previously
+allocated cookie first.
+
+Change notes
+v1->v2
+update subsystem tag in subject (davem)
+repeat kfree check for peer_random and peer_hmacs (xin)
+
+v2->v3
+net->sctp
+also free peer_chunks
+
+v3->v4
+fix subject tags
+
+v4->v5
+remove cut line
+
+Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
+Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
+CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+CC: Xin Long <lucien.xin@gmail.com>
+CC: "David S. Miller" <davem@davemloft.net>
+CC: netdev@vger.kernel.org
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_make_chunk.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2600,6 +2600,8 @@ do_addr_param:
+ case SCTP_PARAM_STATE_COOKIE:
+ asoc->peer.cookie_len =
+ ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
++ if (asoc->peer.cookie)
++ kfree(asoc->peer.cookie);
+ asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
+ if (!asoc->peer.cookie)
+ retval = 0;
+@@ -2664,6 +2666,8 @@ do_addr_param:
+ goto fall_through;
+
+ /* Save peer's random parameter */
++ if (asoc->peer.peer_random)
++ kfree(asoc->peer.peer_random);
+ asoc->peer.peer_random = kmemdup(param.p,
+ ntohs(param.p->length), gfp);
+ if (!asoc->peer.peer_random) {
+@@ -2677,6 +2681,8 @@ do_addr_param:
+ goto fall_through;
+
+ /* Save peer's HMAC list */
++ if (asoc->peer.peer_hmacs)
++ kfree(asoc->peer.peer_hmacs);
+ asoc->peer.peer_hmacs = kmemdup(param.p,
+ ntohs(param.p->length), gfp);
+ if (!asoc->peer.peer_hmacs) {
+@@ -2692,6 +2698,8 @@ do_addr_param:
+ if (!ep->auth_enable)
+ goto fall_through;
+
++ if (asoc->peer.peer_chunks)
++ kfree(asoc->peer.peer_chunks);
+ asoc->peer.peer_chunks = kmemdup(param.p,
+ ntohs(param.p->length), gfp);
+ if (!asoc->peer.peer_chunks)
--- /dev/null
+netfilter-nat-fix-udp-checksum-corruption.patch
+ax25-fix-inconsistent-lock-state-in-ax25_destroy_timer.patch
+be2net-fix-number-of-rx-queues-used-for-flow-hashing.patch
+hv_netvsc-set-probe-mode-to-sync.patch
+ipv6-flowlabel-fl6_sock_lookup-must-use-atomic_inc_not_zero.patch
+lapb-fixed-leak-of-control-blocks.patch
+neigh-fix-use-after-free-read-in-pneigh_get_next.patch
+net-dsa-rtl8366-fix-up-vlan-filtering.patch
+net-openvswitch-do-not-free-vport-if-register_netdevice-is-failed.patch
+net-phylink-set-the-autoneg-state-in-phylink_phy_change.patch
+net-tls-correctly-account-for-copied-bytes-with-multiple-sk_msgs.patch
+nfc-ensure-presence-of-required-attributes-in-the-deactivate_target-handler.patch
+sctp-free-cookie-before-we-memdup-a-new-one.patch
+sunhv-fix-device-naming-inconsistency-between-sunhv_console-and-sunhv_reg.patch
+tipc-purge-deferredq-list-for-each-grp-member-in-tipc_group_delete.patch
+vsock-virtio-set-sock_done-on-peer-shutdown.patch
+net-mlx5-avoid-reloading-already-removed-devices.patch
+vxlan-don-t-assume-linear-buffers-in-error-handler.patch
+geneve-don-t-assume-linear-buffers-in-error-handler.patch
+net-mvpp2-prs-fix-parser-range-for-vid-filtering.patch
+net-mvpp2-prs-use-the-correct-helpers-when-removing-all-vid-filters.patch
+net-dsa-microchip-don-t-try-to-read-stats-for-unused-ports.patch
+net-ethtool-allow-matching-on-vlan-dei-bit.patch
+net-mlx5-update-pci-error-handler-entries-and-command-translation.patch
+mlxsw-spectrum_router-refresh-nexthop-neighbour-when-it-becomes-dead.patch
+net-mlx5e-add-ndo_set_feature-for-uplink-representor.patch
+mlxsw-spectrum_flower-fix-tos-matching.patch
+net-mlx5e-fix-source-port-matching-in-fdb-peer-flow-rule.patch
+mlxsw-spectrum_buffers-reduce-pool-size-on-spectrum-2.patch
+net-mlx5e-support-tagged-tunnel-over-bond.patch
+net-correct-udp-zerocopy-refcnt-also-when-zerocopy-only-on-append.patch
+net-mlx5e-avoid-detaching-non-existing-netdev-under-switchdev-mode.patch
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Date: Tue, 11 Jun 2019 17:38:37 +0200
+Subject: sunhv: Fix device naming inconsistency between sunhv_console and sunhv_reg
+
+From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+
+[ Upstream commit 07a6d63eb1b54b5fb38092780fe618dfe1d96e23 ]
+
+In d5a2aa24, the name in struct console sunhv_console was changed from "ttyS"
+to "ttyHV" while the name in struct uart_ops sunhv_pops remained unchanged.
+
+This results in the hypervisor console device to be listed as "ttyHV0" under
+/proc/consoles while the device node is still named "ttyS0":
+
+root@osaka:~# cat /proc/consoles
+ttyHV0 -W- (EC p ) 4:64
+tty0 -WU (E ) 4:1
+root@osaka:~# readlink /sys/dev/char/4:64
+../../devices/root/f02836f0/f0285690/tty/ttyS0
+root@osaka:~#
+
+This means that any userland code which tries to determine the name of the
+device file of the hypervisor console device can not rely on the information
+provided by /proc/consoles. In particular, booting current versions of debian-
+installer inside a SPARC LDOM will fail with the installer unable to determine
+the console device.
+
+After renaming the device in struct uart_ops sunhv_pops to "ttyHV" as well,
+the inconsistency is fixed and it is possible again to determine the name
+of the device file of the hypervisor console device by reading the contents
+of /proc/console:
+
+root@osaka:~# cat /proc/consoles
+ttyHV0 -W- (EC p ) 4:64
+tty0 -WU (E ) 4:1
+root@osaka:~# readlink /sys/dev/char/4:64
+../../devices/root/f02836f0/f0285690/tty/ttyHV0
+root@osaka:~#
+
+With this change, debian-installer works correctly when installing inside
+a SPARC LDOM.
+
+Signed-off-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sunhv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/sunhv.c
++++ b/drivers/tty/serial/sunhv.c
+@@ -397,7 +397,7 @@ static const struct uart_ops sunhv_pops
+ static struct uart_driver sunhv_reg = {
+ .owner = THIS_MODULE,
+ .driver_name = "sunhv",
+- .dev_name = "ttyS",
++ .dev_name = "ttyHV",
+ .major = TTY_MAJOR,
+ };
+
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 16 Jun 2019 17:24:07 +0800
+Subject: tipc: purge deferredq list for each grp member in tipc_group_delete
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 5cf02612b33f104fe1015b2dfaf1758ad3675588 ]
+
+Syzbot reported a memleak caused by grp members' deferredq list not
+purged when the grp is be deleted.
+
+The issue occurs when more(msg_grp_bc_seqno(hdr), m->bc_rcv_nxt) in
+tipc_group_filter_msg() and the skb will stay in deferredq.
+
+So fix it by calling __skb_queue_purge for each member's deferredq
+in tipc_group_delete() when a tipc sk leaves the grp.
+
+Fixes: b87a5ea31c93 ("tipc: guarantee group unicast doesn't bypass group broadcast")
+Reported-by: syzbot+78fbe679c8ca8d264a8d@syzkaller.appspotmail.com
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/group.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/tipc/group.c
++++ b/net/tipc/group.c
+@@ -218,6 +218,7 @@ void tipc_group_delete(struct net *net,
+
+ rbtree_postorder_for_each_entry_safe(m, tmp, tree, tree_node) {
+ tipc_group_proto_xmit(grp, m, GRP_LEAVE_MSG, &xmitq);
++ __skb_queue_purge(&m->deferredq);
+ list_del(&m->list);
+ kfree(m);
+ }
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Stephen Barber <smbarber@chromium.org>
+Date: Fri, 14 Jun 2019 23:42:37 -0700
+Subject: vsock/virtio: set SOCK_DONE on peer shutdown
+
+From: Stephen Barber <smbarber@chromium.org>
+
+[ Upstream commit 42f5cda5eaf4396a939ae9bb43bb8d1d09c1b15c ]
+
+Set the SOCK_DONE flag to match the TCP_CLOSING state when a peer has
+shut down and there is nothing left to read.
+
+This fixes the following bug:
+1) Peer sends SHUTDOWN(RDWR).
+2) Socket enters TCP_CLOSING but SOCK_DONE is not set.
+3) read() returns -ENOTCONN until close() is called, then returns 0.
+
+Signed-off-by: Stephen Barber <smbarber@chromium.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -871,8 +871,10 @@ virtio_transport_recv_connected(struct s
+ if (le32_to_cpu(pkt->hdr.flags) & VIRTIO_VSOCK_SHUTDOWN_SEND)
+ vsk->peer_shutdown |= SEND_SHUTDOWN;
+ if (vsk->peer_shutdown == SHUTDOWN_MASK &&
+- vsock_stream_has_data(vsk) <= 0)
++ vsock_stream_has_data(vsk) <= 0) {
++ sock_set_flag(sk, SOCK_DONE);
+ sk->sk_state = TCP_CLOSING;
++ }
+ if (le32_to_cpu(pkt->hdr.flags))
+ sk->sk_state_change(sk);
+ break;
--- /dev/null
+From foo@baz Wed 19 Jun 2019 02:33:45 PM CEST
+From: Stefano Brivio <sbrivio@redhat.com>
+Date: Tue, 11 Jun 2019 00:27:05 +0200
+Subject: vxlan: Don't assume linear buffers in error handler
+
+From: Stefano Brivio <sbrivio@redhat.com>
+
+[ Upstream commit 8399a6930d12f5965230f4ff058228a4cc80c0b9 ]
+
+In commit c3a43b9fec8a ("vxlan: ICMP error lookup handler") I wrongly
+assumed buffers from icmp_socket_deliver() would be linear. This is not
+the case: icmp_socket_deliver() only guarantees we have 8 bytes of linear
+data.
+
+Eric fixed this same issue for fou and fou6 in commits 26fc181e6cac
+("fou, fou6: do not assume linear skbs") and 5355ed6388e2 ("fou, fou6:
+avoid uninit-value in gue_err() and gue6_err()").
+
+Use pskb_may_pull() instead of checking skb->len, and take into account
+the fact we later access the VXLAN header with udp_hdr(), so we also
+need to sum skb_transport_header() here.
+
+Reported-by: Guillaume Nault <gnault@redhat.com>
+Fixes: c3a43b9fec8a ("vxlan: ICMP error lookup handler")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1765,7 +1765,7 @@ static int vxlan_err_lookup(struct sock
+ struct vxlanhdr *hdr;
+ __be32 vni;
+
+- if (skb->len < VXLAN_HLEN)
++ if (!pskb_may_pull(skb, skb_transport_offset(skb) + VXLAN_HLEN))
+ return -EINVAL;
+
+ hdr = vxlan_hdr(skb);
projects / thirdparty / kernel / stable-queue.git / commitdiff
