--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sun, 26 Apr 2020 16:24:38 -0400
+Subject: bnxt_en: Fix VF anti-spoof filter setup.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit c71c4e49afe173823a2a85b0cabc9b3f1176ffa2 ]
+
+Fix the logic that sets the enable/disable flag for the source MAC
+filter according to firmware spec 1.7.1.
+
+In the original firmware spec. before 1.7.1, the VF spoof check flags
+were not latched after making the HWRM_FUNC_CFG call, so there was a
+need to keep the func_flags so that subsequent calls would perserve
+the VF spoof check setting. A change was made in the 1.7.1 spec
+so that the flags became latched. So we now set or clear the anti-
+spoof setting directly without retrieving the old settings in the
+stored vf->func_flags which are no longer valid. We also remove the
+unneeded vf->func_flags.
+
+Fixes: 8eb992e876a8 ("bnxt_en: Update firmware interface spec to 1.7.6.2.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 -
+ drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 10 ++--------
+ 2 files changed, 2 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+@@ -1064,7 +1064,6 @@ struct bnxt_vf_info {
+ #define BNXT_VF_LINK_FORCED 0x4
+ #define BNXT_VF_LINK_UP 0x8
+ #define BNXT_VF_TRUST 0x10
+- u32 func_flags; /* func cfg flags */
+ u32 min_tx_rate;
+ u32 max_tx_rate;
+ void *hwrm_cmd_req_addr;
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
+@@ -85,11 +85,10 @@ int bnxt_set_vf_spoofchk(struct net_devi
+ if (old_setting == setting)
+ return 0;
+
+- func_flags = vf->func_flags;
+ if (setting)
+- func_flags |= FUNC_CFG_REQ_FLAGS_SRC_MAC_ADDR_CHECK_ENABLE;
++ func_flags = FUNC_CFG_REQ_FLAGS_SRC_MAC_ADDR_CHECK_ENABLE;
+ else
+- func_flags |= FUNC_CFG_REQ_FLAGS_SRC_MAC_ADDR_CHECK_DISABLE;
++ func_flags = FUNC_CFG_REQ_FLAGS_SRC_MAC_ADDR_CHECK_DISABLE;
+ /*TODO: if the driver supports VLAN filter on guest VLAN,
+ * the spoof check should also include vlan anti-spoofing
+ */
+@@ -98,7 +97,6 @@ int bnxt_set_vf_spoofchk(struct net_devi
+ req.flags = cpu_to_le32(func_flags);
+ rc = hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
+ if (!rc) {
+- vf->func_flags = func_flags;
+ if (setting)
+ vf->flags |= BNXT_VF_SPOOFCHK;
+ else
+@@ -230,7 +228,6 @@ int bnxt_set_vf_mac(struct net_device *d
+ memcpy(vf->mac_addr, mac, ETH_ALEN);
+ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1);
+ req.fid = cpu_to_le16(vf->fw_fid);
+- req.flags = cpu_to_le32(vf->func_flags);
+ req.enables = cpu_to_le32(FUNC_CFG_REQ_ENABLES_DFLT_MAC_ADDR);
+ memcpy(req.dflt_mac_addr, mac, ETH_ALEN);
+ return hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
+@@ -268,7 +265,6 @@ int bnxt_set_vf_vlan(struct net_device *
+
+ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1);
+ req.fid = cpu_to_le16(vf->fw_fid);
+- req.flags = cpu_to_le32(vf->func_flags);
+ req.dflt_vlan = cpu_to_le16(vlan_tag);
+ req.enables = cpu_to_le32(FUNC_CFG_REQ_ENABLES_DFLT_VLAN);
+ rc = hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
+@@ -307,7 +303,6 @@ int bnxt_set_vf_bw(struct net_device *de
+ return 0;
+ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1);
+ req.fid = cpu_to_le16(vf->fw_fid);
+- req.flags = cpu_to_le32(vf->func_flags);
+ req.enables = cpu_to_le32(FUNC_CFG_REQ_ENABLES_MAX_BW);
+ req.max_bw = cpu_to_le32(max_tx_rate);
+ req.enables |= cpu_to_le32(FUNC_CFG_REQ_ENABLES_MIN_BW);
+@@ -479,7 +474,6 @@ static void __bnxt_set_vf_params(struct
+ vf = &bp->pf.vf[vf_id];
+ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1);
+ req.fid = cpu_to_le16(vf->fw_fid);
+- req.flags = cpu_to_le32(vf->func_flags);
+
+ if (is_valid_ether_addr(vf->mac_addr)) {
+ req.enables |= cpu_to_le32(FUNC_CFG_REQ_ENABLES_DFLT_MAC_ADDR);
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sun, 26 Apr 2020 16:24:42 -0400
+Subject: bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features().
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit c72cb303aa6c2ae7e4184f0081c6d11bf03fb96b ]
+
+The current logic in bnxt_fix_features() will inadvertently turn on both
+CTAG and STAG VLAN offload if the user tries to disable both. Fix it
+by checking that the user is trying to enable CTAG or STAG before
+enabling both. The logic is supposed to enable or disable both CTAG and
+STAG together.
+
+Fixes: 5a9f6b238e59 ("bnxt_en: Enable and disable RX CTAG and RX STAG VLAN acceleration together.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -9794,6 +9794,7 @@ static netdev_features_t bnxt_fix_featur
+ netdev_features_t features)
+ {
+ struct bnxt *bp = netdev_priv(dev);
++ netdev_features_t vlan_features;
+
+ if ((features & NETIF_F_NTUPLE) && !bnxt_rfs_capable(bp))
+ features &= ~NETIF_F_NTUPLE;
+@@ -9810,12 +9811,14 @@ static netdev_features_t bnxt_fix_featur
+ /* Both CTAG and STAG VLAN accelaration on the RX side have to be
+ * turned on or off together.
+ */
+- if ((features & (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) !=
+- (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) {
++ vlan_features = features & (NETIF_F_HW_VLAN_CTAG_RX |
++ NETIF_F_HW_VLAN_STAG_RX);
++ if (vlan_features != (NETIF_F_HW_VLAN_CTAG_RX |
++ NETIF_F_HW_VLAN_STAG_RX)) {
+ if (dev->features & NETIF_F_HW_VLAN_CTAG_RX)
+ features &= ~(NETIF_F_HW_VLAN_CTAG_RX |
+ NETIF_F_HW_VLAN_STAG_RX);
+- else
++ else if (vlan_features)
+ features |= NETIF_F_HW_VLAN_CTAG_RX |
+ NETIF_F_HW_VLAN_STAG_RX;
+ }
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sun, 26 Apr 2020 16:24:40 -0400
+Subject: bnxt_en: Improve AER slot reset.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit bae361c54fb6ac6eba3b4762f49ce14beb73ef13 ]
+
+Improve the slot reset sequence by disabling the device to prevent bad
+DMAs if slot reset fails. Return the proper result instead of always
+PCI_ERS_RESULT_RECOVERED to the caller.
+
+Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -12173,12 +12173,15 @@ static pci_ers_result_t bnxt_io_slot_res
+ bnxt_ulp_start(bp, err);
+ }
+
+- if (result != PCI_ERS_RESULT_RECOVERED && netif_running(netdev))
+- dev_close(netdev);
++ if (result != PCI_ERS_RESULT_RECOVERED) {
++ if (netif_running(netdev))
++ dev_close(netdev);
++ pci_disable_device(pdev);
++ }
+
+ rtnl_unlock();
+
+- return PCI_ERS_RESULT_RECOVERED;
++ return result;
+ }
+
+ /**
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Date: Sun, 26 Apr 2020 16:24:39 -0400
+Subject: bnxt_en: Reduce BNXT_MSIX_VEC_MAX value to supported CQs per PF.
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+[ Upstream commit 9e68cb0359b20f99c7b070f1d3305e5e0a9fae6d ]
+
+Broadcom adapters support only maximum of 512 CQs per PF. If user sets
+MSIx vectors more than supported CQs, firmware is setting incorrect value
+for msix_vec_per_pf_max parameter. Fix it by reducing the BNXT_MSIX_VEC_MAX
+value to 512, even though the maximum # of MSIx vectors supported by adapter
+are 1280.
+
+Fixes: f399e8497826 ("bnxt_en: Use msix_vec_per_pf_max and msix_vec_per_pf_min devlink params.")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.h
+@@ -43,7 +43,7 @@ static inline void bnxt_link_bp_to_dl(st
+ #define BNXT_NVM_CFG_VER_BITS 24
+ #define BNXT_NVM_CFG_VER_BYTES 4
+
+-#define BNXT_MSIX_VEC_MAX 1280
++#define BNXT_MSIX_VEC_MAX 512
+ #define BNXT_MSIX_VEC_MIN_MAX 128
+
+ enum bnxt_nvm_dir_type {
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sun, 26 Apr 2020 16:24:41 -0400
+Subject: bnxt_en: Return error when allocating zero size context memory.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit bbf211b1ecb891c7e0cc7888834504183fc8b534 ]
+
+bnxt_alloc_ctx_pg_tbls() should return error when the memory size of the
+context memory to set up is zero. By returning success (0), the caller
+may proceed normally and may crash later when it tries to set up the
+memory.
+
+Fixes: 08fe9d181606 ("bnxt_en: Add Level 2 context memory paging support.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -6662,7 +6662,7 @@ static int bnxt_alloc_ctx_pg_tbls(struct
+ int rc;
+
+ if (!mem_size)
+- return 0;
++ return -EINVAL;
+
+ ctx_pg->nr_pages = DIV_ROUND_UP(mem_size, BNXT_PAGE_SIZE);
+ if (ctx_pg->nr_pages > MAX_CTX_TOTAL_PAGES) {
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+Date: Thu, 30 Apr 2020 00:22:19 +0530
+Subject: cxgb4: fix EOTID leak when disabling TC-MQPRIO offload
+
+From: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+
+[ Upstream commit 69422a7e5d578aab277091f4ebb7c1b387f3e355 ]
+
+Under heavy load, the EOTID termination FLOWC request fails to get
+enqueued to the end of the Tx ring due to lack of credits. This
+results in EOTID leak.
+
+When disabling TC-MQPRIO offload, the link is already brought down
+to cleanup EOTIDs. So, flush any pending enqueued skbs that can't be
+sent outside the wire, to make room for FLOWC request. Also, move the
+FLOWC descriptor consumption logic closer to when the FLOWC request is
+actually posted to hardware.
+
+Fixes: 0e395b3cb1fb ("cxgb4: add FLOWC based QoS offload")
+Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/sge.c | 39 ++++++++++++++++++++++++++++---
+ 1 file changed, 36 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/sge.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/sge.c
+@@ -2202,6 +2202,9 @@ static void ethofld_hard_xmit(struct net
+ if (unlikely(skip_eotx_wr)) {
+ start = (u64 *)wr;
+ eosw_txq->state = next_state;
++ eosw_txq->cred -= wrlen16;
++ eosw_txq->ncompl++;
++ eosw_txq->last_compl = 0;
+ goto write_wr_headers;
+ }
+
+@@ -2360,6 +2363,34 @@ netdev_tx_t t4_start_xmit(struct sk_buff
+ return cxgb4_eth_xmit(skb, dev);
+ }
+
++static void eosw_txq_flush_pending_skbs(struct sge_eosw_txq *eosw_txq)
++{
++ int pktcount = eosw_txq->pidx - eosw_txq->last_pidx;
++ int pidx = eosw_txq->pidx;
++ struct sk_buff *skb;
++
++ if (!pktcount)
++ return;
++
++ if (pktcount < 0)
++ pktcount += eosw_txq->ndesc;
++
++ while (pktcount--) {
++ pidx--;
++ if (pidx < 0)
++ pidx += eosw_txq->ndesc;
++
++ skb = eosw_txq->desc[pidx].skb;
++ if (skb) {
++ dev_consume_skb_any(skb);
++ eosw_txq->desc[pidx].skb = NULL;
++ eosw_txq->inuse--;
++ }
++ }
++
++ eosw_txq->pidx = eosw_txq->last_pidx + 1;
++}
++
+ /**
+ * cxgb4_ethofld_send_flowc - Send ETHOFLD flowc request to bind eotid to tc.
+ * @dev - netdevice
+@@ -2435,9 +2466,11 @@ int cxgb4_ethofld_send_flowc(struct net_
+ FW_FLOWC_MNEM_EOSTATE_CLOSING :
+ FW_FLOWC_MNEM_EOSTATE_ESTABLISHED);
+
+- eosw_txq->cred -= len16;
+- eosw_txq->ncompl++;
+- eosw_txq->last_compl = 0;
++ /* Free up any pending skbs to ensure there's room for
++ * termination FLOWC.
++ */
++ if (tc == FW_SCHED_CLS_NONE)
++ eosw_txq_flush_pending_skbs(eosw_txq);
+
+ ret = eosw_txq_enqueue(eosw_txq, skb);
+ if (ret) {
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Aya Levin <ayal@mellanox.com>
+Date: Mon, 4 May 2020 11:27:46 +0300
+Subject: devlink: Fix reporter's recovery condition
+
+From: Aya Levin <ayal@mellanox.com>
+
+[ Upstream commit bea0c5c942d3b4e9fb6ed45f6a7de74c6b112437 ]
+
+Devlink health core conditions the reporter's recovery with the
+expiration of the grace period. This is not relevant for the first
+recovery. Explicitly demand that the grace period will only apply to
+recoveries other than the first.
+
+Fixes: c8e1da0bf923 ("devlink: Add health report functionality")
+Signed-off-by: Aya Levin <ayal@mellanox.com>
+Reviewed-by: Moshe Shemesh <moshe@mellanox.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/devlink.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -5029,6 +5029,7 @@ int devlink_health_report(struct devlink
+ {
+ enum devlink_health_reporter_state prev_health_state;
+ struct devlink *devlink = reporter->devlink;
++ unsigned long recover_ts_threshold;
+
+ /* write a log message of the current error */
+ WARN_ON(!msg);
+@@ -5039,10 +5040,12 @@ int devlink_health_report(struct devlink
+ devlink_recover_notify(reporter, DEVLINK_CMD_HEALTH_REPORTER_RECOVER);
+
+ /* abort if the previous error wasn't recovered */
++ recover_ts_threshold = reporter->last_recovery_ts +
++ msecs_to_jiffies(reporter->graceful_period);
+ if (reporter->auto_recover &&
+ (prev_health_state != DEVLINK_HEALTH_REPORTER_STATE_HEALTHY ||
+- jiffies - reporter->last_recovery_ts <
+- msecs_to_jiffies(reporter->graceful_period))) {
++ (reporter->last_recovery_ts && reporter->recovery_count &&
++ time_is_after_jiffies(recover_ts_threshold)))) {
+ trace_devlink_health_recover_aborted(devlink,
+ reporter->ops->name,
+ reporter->health_state,
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Jakub Kicinski <kuba@kernel.org>
+Date: Tue, 28 Apr 2020 19:01:58 -0700
+Subject: devlink: fix return value after hitting end in region read
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 610a9346c138b9c2c93d38bf5f3728e74ae9cbd5 ]
+
+Commit d5b90e99e1d5 ("devlink: report 0 after hitting end in region read")
+fixed region dump, but region read still returns a spurious error:
+
+$ devlink region read netdevsim/netdevsim1/dummy snapshot 0 addr 0 len 128
+0000000000000000 a6 f4 c4 1c 21 35 95 a6 9d 34 c3 5b 87 5b 35 79
+0000000000000010 f3 a0 d7 ee 4f 2f 82 7f c6 dd c4 f6 a5 c3 1b ae
+0000000000000020 a4 fd c8 62 07 59 48 03 70 3b c7 09 86 88 7f 68
+0000000000000030 6f 45 5d 6d 7d 0e 16 38 a9 d0 7a 4b 1e 1e 2e a6
+0000000000000040 e6 1d ae 06 d6 18 00 85 ca 62 e8 7e 11 7e f6 0f
+0000000000000050 79 7e f7 0f f3 94 68 bd e6 40 22 85 b6 be 6f b1
+0000000000000060 af db ef 5e 34 f0 98 4b 62 9a e3 1b 8b 93 fc 17
+devlink answers: Invalid argument
+0000000000000070 61 e8 11 11 66 10 a5 f7 b1 ea 8d 40 60 53 ed 12
+
+This is a minimal fix, I'll follow up with a restructuring
+so we don't have two checks for the same condition.
+
+Fixes: fdd41ec21e15 ("devlink: Return right error code in case of errors for region read")
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/devlink.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/core/devlink.c
++++ b/net/core/devlink.c
+@@ -4030,6 +4030,11 @@ static int devlink_nl_cmd_region_read_du
+ end_offset = nla_get_u64(attrs[DEVLINK_ATTR_REGION_CHUNK_ADDR]);
+ end_offset += nla_get_u64(attrs[DEVLINK_ATTR_REGION_CHUNK_LEN]);
+ dump = false;
++
++ if (start_offset == end_offset) {
++ err = 0;
++ goto nla_put_failure;
++ }
+ }
+
+ err = devlink_nl_region_read_snapshot_fill(skb, devlink,
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Julia Lawall <Julia.Lawall@inria.fr>
+Date: Thu, 30 Apr 2020 21:51:32 +0200
+Subject: dp83640: reverse arguments to list_add_tail
+
+From: Julia Lawall <Julia.Lawall@inria.fr>
+
+[ Upstream commit 865308373ed49c9fb05720d14cbf1315349b32a9 ]
+
+In this code, it appears that phyter_clocks is a list head, based on
+the previous list_for_each, and that clock->list is intended to be a
+list element, given that it has just been initialized in
+dp83640_clock_init. Accordingly, switch the arguments to
+list_add_tail, which takes the list head as the second argument.
+
+Fixes: cb646e2b02b27 ("ptp: Added a clock driver for the National Semiconductor PHYTER.")
+Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/dp83640.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/dp83640.c
++++ b/drivers/net/phy/dp83640.c
+@@ -1120,7 +1120,7 @@ static struct dp83640_clock *dp83640_clo
+ goto out;
+ }
+ dp83640_clock_init(clock, bus);
+- list_add_tail(&phyter_clocks, &clock->list);
++ list_add_tail(&clock->list, &phyter_clocks);
+ out:
+ mutex_unlock(&phyter_clocks_lock);
+
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 25 Apr 2020 12:40:25 -0700
+Subject: fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 14695212d4cd8b0c997f6121b6df8520038ce076 ]
+
+My intent was to not let users set a zero drop_batch_size,
+it seems I once again messed with min()/max().
+
+Fixes: 9d18562a2278 ("fq_codel: add batch ability to fq_codel_drop()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_fq_codel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_fq_codel.c
++++ b/net/sched/sch_fq_codel.c
+@@ -416,7 +416,7 @@ static int fq_codel_change(struct Qdisc
+ q->quantum = max(256U, nla_get_u32(tb[TCA_FQ_CODEL_QUANTUM]));
+
+ if (tb[TCA_FQ_CODEL_DROP_BATCH_SIZE])
+- q->drop_batch_size = min(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE]));
++ q->drop_batch_size = max(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE]));
+
+ if (tb[TCA_FQ_CODEL_MEMORY_LIMIT])
+ q->memory_limit = min(1U << 31, nla_get_u32(tb[TCA_FQ_CODEL_MEMORY_LIMIT]));
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: David Ahern <dsahern@kernel.org>
+Date: Fri, 1 May 2020 08:53:08 -0600
+Subject: ipv6: Use global sernum for dst validation with nexthop objects
+
+From: David Ahern <dsahern@kernel.org>
+
+[ Upstream commit 8f34e53b60b337e559f1ea19e2780ff95ab2fa65 ]
+
+Nik reported a bug with pcpu dst cache when nexthop objects are
+used illustrated by the following:
+ $ ip netns add foo
+ $ ip -netns foo li set lo up
+ $ ip -netns foo addr add 2001:db8:11::1/128 dev lo
+ $ ip netns exec foo sysctl net.ipv6.conf.all.forwarding=1
+ $ ip li add veth1 type veth peer name veth2
+ $ ip li set veth1 up
+ $ ip addr add 2001:db8:10::1/64 dev veth1
+ $ ip li set dev veth2 netns foo
+ $ ip -netns foo li set veth2 up
+ $ ip -netns foo addr add 2001:db8:10::2/64 dev veth2
+ $ ip -6 nexthop add id 100 via 2001:db8:10::2 dev veth1
+ $ ip -6 route add 2001:db8:11::1/128 nhid 100
+
+ Create a pcpu entry on cpu 0:
+ $ taskset -a -c 0 ip -6 route get 2001:db8:11::1
+
+ Re-add the route entry:
+ $ ip -6 ro del 2001:db8:11::1
+ $ ip -6 route add 2001:db8:11::1/128 nhid 100
+
+ Route get on cpu 0 returns the stale pcpu:
+ $ taskset -a -c 0 ip -6 route get 2001:db8:11::1
+ RTNETLINK answers: Network is unreachable
+
+ While cpu 1 works:
+ $ taskset -a -c 1 ip -6 route get 2001:db8:11::1
+ 2001:db8:11::1 from :: via 2001:db8:10::2 dev veth1 src 2001:db8:10::1 metric 1024 pref medium
+
+Conversion of FIB entries to work with external nexthop objects
+missed an important difference between IPv4 and IPv6 - how dst
+entries are invalidated when the FIB changes. IPv4 has a per-network
+namespace generation id (rt_genid) that is bumped on changes to the FIB.
+Checking if a dst_entry is still valid means comparing rt_genid in the
+rtable to the current value of rt_genid for the namespace.
+
+IPv6 also has a per network namespace counter, fib6_sernum, but the
+count is saved per fib6_node. With the per-node counter only dst_entries
+based on fib entries under the node are invalidated when changes are
+made to the routes - limiting the scope of invalidations. IPv6 uses a
+reference in the rt6_info, 'from', to track the corresponding fib entry
+used to create the dst_entry. When validating a dst_entry, the 'from'
+is used to backtrack to the fib6_node and check the sernum of it to the
+cookie passed to the dst_check operation.
+
+With the inline format (nexthop definition inline with the fib6_info),
+dst_entries cached in the fib6_nh have a 1:1 correlation between fib
+entries, nexthop data and dst_entries. With external nexthops, IPv6
+looks more like IPv4 which means multiple fib entries across disparate
+fib6_nodes can all reference the same fib6_nh. That means validation
+of dst_entries based on external nexthops needs to use the IPv4 format
+- the per-network namespace counter.
+
+Add sernum to rt6_info and set it when creating a pcpu dst entry. Update
+rt6_get_cookie to return sernum if it is set and update dst_check for
+IPv6 to look for sernum set and based the check on it if so. Finally,
+rt6_get_pcpu_route needs to validate the cached entry before returning
+a pcpu entry (similar to the rt_cache_valid calls in __mkroute_input and
+__mkroute_output for IPv4).
+
+This problem only affects routes using the new, external nexthops.
+
+Thanks to the kbuild test robot for catching the IS_ENABLED needed
+around rt_genid_ipv6 before I sent this out.
+
+Fixes: 5b98324ebe29 ("ipv6: Allow routes to use nexthop objects")
+Reported-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David Ahern <dsahern@kernel.org>
+Reviewed-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Tested-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ip6_fib.h | 4 ++++
+ include/net/net_namespace.h | 7 +++++++
+ net/ipv6/route.c | 25 +++++++++++++++++++++++++
+ 3 files changed, 36 insertions(+)
+
+--- a/include/net/ip6_fib.h
++++ b/include/net/ip6_fib.h
+@@ -204,6 +204,7 @@ struct fib6_info {
+ struct rt6_info {
+ struct dst_entry dst;
+ struct fib6_info __rcu *from;
++ int sernum;
+
+ struct rt6key rt6i_dst;
+ struct rt6key rt6i_src;
+@@ -292,6 +293,9 @@ static inline u32 rt6_get_cookie(const s
+ struct fib6_info *from;
+ u32 cookie = 0;
+
++ if (rt->sernum)
++ return rt->sernum;
++
+ rcu_read_lock();
+
+ from = rcu_dereference(rt->from);
+--- a/include/net/net_namespace.h
++++ b/include/net/net_namespace.h
+@@ -432,6 +432,13 @@ static inline int rt_genid_ipv4(const st
+ return atomic_read(&net->ipv4.rt_genid);
+ }
+
++#if IS_ENABLED(CONFIG_IPV6)
++static inline int rt_genid_ipv6(const struct net *net)
++{
++ return atomic_read(&net->ipv6.fib6_sernum);
++}
++#endif
++
+ static inline void rt_genid_bump_ipv4(struct net *net)
+ {
+ atomic_inc(&net->ipv4.rt_genid);
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1388,9 +1388,18 @@ static struct rt6_info *ip6_rt_pcpu_allo
+ }
+ ip6_rt_copy_init(pcpu_rt, res);
+ pcpu_rt->rt6i_flags |= RTF_PCPU;
++
++ if (f6i->nh)
++ pcpu_rt->sernum = rt_genid_ipv6(dev_net(dev));
++
+ return pcpu_rt;
+ }
+
++static bool rt6_is_valid(const struct rt6_info *rt6)
++{
++ return rt6->sernum == rt_genid_ipv6(dev_net(rt6->dst.dev));
++}
++
+ /* It should be called with rcu_read_lock() acquired */
+ static struct rt6_info *rt6_get_pcpu_route(const struct fib6_result *res)
+ {
+@@ -1398,6 +1407,19 @@ static struct rt6_info *rt6_get_pcpu_rou
+
+ pcpu_rt = this_cpu_read(*res->nh->rt6i_pcpu);
+
++ if (pcpu_rt && pcpu_rt->sernum && !rt6_is_valid(pcpu_rt)) {
++ struct rt6_info *prev, **p;
++
++ p = this_cpu_ptr(res->nh->rt6i_pcpu);
++ prev = xchg(p, NULL);
++ if (prev) {
++ dst_dev_put(&prev->dst);
++ dst_release(&prev->dst);
++ }
++
++ pcpu_rt = NULL;
++ }
++
+ return pcpu_rt;
+ }
+
+@@ -2596,6 +2618,9 @@ static struct dst_entry *ip6_dst_check(s
+
+ rt = container_of(dst, struct rt6_info, dst);
+
++ if (rt->sernum)
++ return rt6_is_valid(rt) ? dst : NULL;
++
+ rcu_read_lock();
+
+ /* All IPV6 dsts are created with ->obsolete set to the value
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Jiri Pirko <jiri@mellanox.com>
+Date: Mon, 27 Apr 2020 18:05:47 +0300
+Subject: mlxsw: spectrum_acl_tcam: Position vchunk in a vregion list properly
+
+From: Jiri Pirko <jiri@mellanox.com>
+
+[ Upstream commit 6ef4889fc0b3aa6ab928e7565935ac6f762cee6e ]
+
+Vregion helpers to get min and max priority depend on the correct
+ordering of vchunks in the vregion list. However, the current code
+always adds new chunk to the end of the list, no matter what the
+priority is. Fix this by finding the correct place in the list and put
+vchunk there.
+
+Fixes: 22a677661f56 ("mlxsw: spectrum: Introduce ACL core with simple TCAM implementation")
+Signed-off-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
+@@ -986,8 +986,9 @@ mlxsw_sp_acl_tcam_vchunk_create(struct m
+ unsigned int priority,
+ struct mlxsw_afk_element_usage *elusage)
+ {
++ struct mlxsw_sp_acl_tcam_vchunk *vchunk, *vchunk2;
+ struct mlxsw_sp_acl_tcam_vregion *vregion;
+- struct mlxsw_sp_acl_tcam_vchunk *vchunk;
++ struct list_head *pos;
+ int err;
+
+ if (priority == MLXSW_SP_ACL_TCAM_CATCHALL_PRIO)
+@@ -1025,7 +1026,14 @@ mlxsw_sp_acl_tcam_vchunk_create(struct m
+ }
+
+ mlxsw_sp_acl_tcam_rehash_ctx_vregion_changed(vregion);
+- list_add_tail(&vchunk->list, &vregion->vchunk_list);
++
++ /* Position the vchunk inside the list according to priority */
++ list_for_each(pos, &vregion->vchunk_list) {
++ vchunk2 = list_entry(pos, typeof(*vchunk2), list);
++ if (vchunk2->priority > priority)
++ break;
++ }
++ list_add_tail(&vchunk->list, pos);
+ mutex_unlock(&vregion->lock);
+
+ return vchunk;
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Roman Mashak <mrv@mojatatu.com>
+Date: Fri, 1 May 2020 21:34:18 -0400
+Subject: neigh: send protocol value in neighbor create notification
+
+From: Roman Mashak <mrv@mojatatu.com>
+
+[ Upstream commit 38212bb31fe923d0a2c6299bd2adfbb84cddef2a ]
+
+When a new neighbor entry has been added, event is generated but it does not
+include protocol, because its value is assigned after the event notification
+routine has run, so move protocol assignment code earlier.
+
+Fixes: df9b0e30d44c ("neighbor: Add protocol attribute")
+Cc: David Ahern <dsahern@gmail.com>
+Signed-off-by: Roman Mashak <mrv@mojatatu.com>
+Reviewed-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/neighbour.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -1954,6 +1954,9 @@ static int neigh_add(struct sk_buff *skb
+ NEIGH_UPDATE_F_OVERRIDE_ISROUTER);
+ }
+
++ if (protocol)
++ neigh->protocol = protocol;
++
+ if (ndm->ndm_flags & NTF_EXT_LEARNED)
+ flags |= NEIGH_UPDATE_F_EXT_LEARNED;
+
+@@ -1967,9 +1970,6 @@ static int neigh_add(struct sk_buff *skb
+ err = __neigh_update(neigh, lladdr, ndm->ndm_state, flags,
+ NETLINK_CB(skb).portid, extack);
+
+- if (protocol)
+- neigh->protocol = protocol;
+-
+ neigh_release(neigh);
+
+ out:
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Thu, 30 Apr 2020 22:38:45 +0300
+Subject: net: bridge: vlan: Add a schedule point during VLAN processing
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 7979457b1d3a069cd857f5bd69e070e30223dd0c ]
+
+User space can request to delete a range of VLANs from a bridge slave in
+one netlink request. For each deleted VLAN the FDB needs to be traversed
+in order to flush all the affected entries.
+
+If a large range of VLANs is deleted and the number of FDB entries is
+large or the FDB lock is contented, it is possible for the kernel to
+loop through the deleted VLANs for a long time. In case preemption is
+disabled, this can result in a soft lockup.
+
+Fix this by adding a schedule point after each VLAN is deleted to yield
+the CPU, if needed. This is safe because the VLANs are traversed in
+process context.
+
+Fixes: bdced7ef7838 ("bridge: support for multiple vlans and vlan ranges in setlink and dellink requests")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reported-by: Stefan Priebe - Profihost AG <s.priebe@profihost.ag>
+Tested-by: Stefan Priebe - Profihost AG <s.priebe@profihost.ag>
+Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_netlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -612,6 +612,7 @@ int br_process_vlan_info(struct net_brid
+ v - 1, rtm_cmd);
+ v_change_start = 0;
+ }
++ cond_resched();
+ }
+ /* v_change_start is set only if the last/whole range changed */
+ if (v_change_start)
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 4 May 2020 13:18:06 -0700
+Subject: net: dsa: Do not leave DSA master with NULL netdev_ops
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 050569fc8384c8056bacefcc246bcb2dfe574936 ]
+
+When ndo_get_phys_port_name() for the CPU port was added we introduced
+an early check for when the DSA master network device in
+dsa_master_ndo_setup() already implements ndo_get_phys_port_name(). When
+we perform the teardown operation in dsa_master_ndo_teardown() we would
+not be checking that cpu_dp->orig_ndo_ops was successfully allocated and
+non-NULL initialized.
+
+With network device drivers such as virtio_net, this leads to a NPD as
+soon as the DSA switch hanging off of it gets torn down because we are
+now assigning the virtio_net device's netdev_ops a NULL pointer.
+
+Fixes: da7b9e9b00d4 ("net: dsa: Add ndo_get_phys_port_name() for CPU port")
+Reported-by: Allen Pais <allen.pais@oracle.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Tested-by: Allen Pais <allen.pais@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/master.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/dsa/master.c
++++ b/net/dsa/master.c
+@@ -289,7 +289,8 @@ static void dsa_master_ndo_teardown(stru
+ {
+ struct dsa_port *cpu_dp = dev->dsa_ptr;
+
+- dev->netdev_ops = cpu_dp->orig_ndo_ops;
++ if (cpu_dp->orig_ndo_ops)
++ dev->netdev_ops = cpu_dp->orig_ndo_ops;
+ cpu_dp->orig_ndo_ops = NULL;
+ }
+
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Sun, 3 May 2020 20:50:57 -0700
+Subject: net: dsa: Do not make user port errors fatal
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 86f8b1c01a0a537a73d2996615133be63cdf75db ]
+
+Prior to 1d27732f411d ("net: dsa: setup and teardown ports"), we would
+not treat failures to set-up an user port as fatal, but after this
+commit we would, which is a regression for some systems where interfaces
+may be declared in the Device Tree, but the underlying hardware may not
+be present (pluggable daughter cards for instance).
+
+Fixes: 1d27732f411d ("net: dsa: setup and teardown ports")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/dsa2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/dsa/dsa2.c
++++ b/net/dsa/dsa2.c
+@@ -459,7 +459,7 @@ static int dsa_tree_setup_switches(struc
+ list_for_each_entry(dp, &dst->ports, list) {
+ err = dsa_port_setup(dp);
+ if (err)
+- goto teardown;
++ continue;
+ }
+
+ return 0;
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Dejin Zheng <zhengdejin5@gmail.com>
+Date: Mon, 4 May 2020 20:01:27 +0800
+Subject: net: enetc: fix an issue about leak system resources
+
+From: Dejin Zheng <zhengdejin5@gmail.com>
+
+[ Upstream commit d975cb7ea915e64a3ebcfef8a33051f3e6bf22a8 ]
+
+the related system resources were not released when enetc_hw_alloc()
+return error in the enetc_pci_mdio_probe(), add iounmap() for error
+handling label "err_hw_alloc" to fix it.
+
+Fixes: 6517798dd3432a ("enetc: Make MDIO accessors more generic and export to include/linux/fsl")
+Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Dejin Zheng <zhengdejin5@gmail.com>
+Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/enetc/enetc_pci_mdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/enetc/enetc_pci_mdio.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc_pci_mdio.c
+@@ -74,8 +74,8 @@ err_pci_mem_reg:
+ pci_disable_device(pdev);
+ err_pci_enable:
+ err_mdiobus_alloc:
+- iounmap(port_regs);
+ err_hw_alloc:
++ iounmap(port_regs);
+ err_ioremap:
+ return err;
+ }
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Dejin Zheng <zhengdejin5@gmail.com>
+Date: Sun, 3 May 2020 20:32:26 +0800
+Subject: net: macb: fix an issue about leak related system resources
+
+From: Dejin Zheng <zhengdejin5@gmail.com>
+
+[ Upstream commit b959c77dac09348955f344104c6a921ebe104753 ]
+
+A call of the function macb_init() can fail in the function
+fu540_c000_init. The related system resources were not released
+then. use devm_platform_ioremap_resource() to replace ioremap()
+to fix it.
+
+Fixes: c218ad559020ff9 ("macb: Add support for SiFive FU540-C000")
+Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
+Reviewed-by: Yash Shah <yash.shah@sifive.com>
+Suggested-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Suggested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Dejin Zheng <zhengdejin5@gmail.com>
+Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -4165,15 +4165,9 @@ static int fu540_c000_clk_init(struct pl
+
+ static int fu540_c000_init(struct platform_device *pdev)
+ {
+- struct resource *res;
+-
+- res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
+- if (!res)
+- return -ENODEV;
+-
+- mgmt->reg = ioremap(res->start, resource_size(res));
+- if (!mgmt->reg)
+- return -ENOMEM;
++ mgmt->reg = devm_platform_ioremap_resource(pdev, 1);
++ if (IS_ERR(mgmt->reg))
++ return PTR_ERR(mgmt->reg);
+
+ return macb_init(pdev);
+ }
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Scott Dial <scott@scottdial.com>
+Date: Fri, 24 Apr 2020 18:51:08 -0400
+Subject: net: macsec: preserve ingress frame ordering
+
+From: Scott Dial <scott@scottdial.com>
+
+[ Upstream commit ab046a5d4be4c90a3952a0eae75617b49c0cb01b ]
+
+MACsec decryption always occurs in a softirq context. Since
+the FPU may not be usable in the softirq context, the call to
+decrypt may be scheduled on the cryptd work queue. The cryptd
+work queue does not provide ordering guarantees. Therefore,
+preserving order requires masking out ASYNC implementations
+of gcm(aes).
+
+For instance, an Intel CPU with AES-NI makes available the
+generic-gcm-aesni driver from the aesni_intel module to
+implement gcm(aes). However, this implementation requires
+the FPU, so it is not always available to use from a softirq
+context, and will fallback to the cryptd work queue, which
+does not preserve frame ordering. With this change, such a
+system would select gcm_base(ctr(aes-aesni),ghash-generic).
+While the aes-aesni implementation prefers to use the FPU, it
+will fallback to the aes-asm implementation if unavailable.
+
+By using a synchronous version of gcm(aes), the decryption
+will complete before returning from crypto_aead_decrypt().
+Therefore, the macsec_decrypt_done() callback will be called
+before returning from macsec_decrypt(). Thus, the order of
+calls to macsec_post_decrypt() for the frames is preserved.
+
+While it's presumable that the pure AES-NI version of gcm(aes)
+is more performant, the hybrid solution is capable of gigabit
+speeds on modest hardware. Regardless, preserving the order
+of frames is paramount for many network protocols (e.g.,
+triggering TCP retries). Within the MACsec driver itself, the
+replay protection is tripped by the out-of-order frames, and
+can cause frames to be dropped.
+
+This bug has been present in this code since it was added in
+v4.6, however it may not have been noticed since not all CPUs
+have FPU offload available. Additionally, the bug manifests
+as occasional out-of-order packets that are easily
+misattributed to other network phenomena.
+
+When this code was added in v4.6, the crypto/gcm.c code did
+not restrict selection of the ghash function based on the
+ASYNC flag. For instance, x86 CPUs with PCLMULQDQ would
+select the ghash-clmulni driver instead of ghash-generic,
+which submits to the cryptd work queue if the FPU is busy.
+However, this bug was was corrected in v4.8 by commit
+b30bdfa86431afbafe15284a3ad5ac19b49b88e3, and was backported
+all the way back to the v3.14 stable branch, so this patch
+should be applicable back to the v4.6 stable branch.
+
+Signed-off-by: Scott Dial <scott@scottdial.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1226,7 +1226,8 @@ static struct crypto_aead *macsec_alloc_
+ struct crypto_aead *tfm;
+ int ret;
+
+- tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
++ /* Pick a sync gcm(aes) cipher to ensure order is preserved. */
++ tfm = crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC);
+
+ if (IS_ERR(tfm))
+ return tfm;
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Tariq Toukan <tariqt@mellanox.com>
+Date: Mon, 4 May 2020 11:36:02 +0300
+Subject: net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc()
+
+From: Tariq Toukan <tariqt@mellanox.com>
+
+[ Upstream commit 40e473071dbad04316ddc3613c3a3d1c75458299 ]
+
+When ENOSPC is set the idx is still valid and gets set to the global
+MLX4_SINK_COUNTER_INDEX. However gcc's static analysis cannot tell that
+ENOSPC is impossible from mlx4_cmd_imm() and gives this warning:
+
+drivers/net/ethernet/mellanox/mlx4/main.c:2552:28: warning: 'idx' may be
+used uninitialized in this function [-Wmaybe-uninitialized]
+ 2552 | priv->def_counter[port] = idx;
+
+Also, when ENOSPC is returned mlx4_allocate_default_counters should not
+fail.
+
+Fixes: 6de5f7f6a1fa ("net/mlx4_core: Allocate default counter per port")
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
+@@ -2550,6 +2550,7 @@ static int mlx4_allocate_default_counter
+
+ if (!err || err == -ENOSPC) {
+ priv->def_counter[port] = idx;
++ err = 0;
+ } else if (err == -ENOENT) {
+ err = 0;
+ continue;
+@@ -2600,7 +2601,8 @@ int mlx4_counter_alloc(struct mlx4_dev *
+ MLX4_CMD_TIME_CLASS_A, MLX4_CMD_WRAPPED);
+ if (!err)
+ *idx = get_param_l(&out_param);
+-
++ if (WARN_ON(err == -ENOSPC))
++ err = -EINVAL;
+ return err;
+ }
+ return __mlx4_counter_alloc(dev, idx);
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Erez Shitrit <erezsh@mellanox.com>
+Date: Wed, 25 Mar 2020 17:19:43 +0200
+Subject: net/mlx5: DR, On creation set CQ's arm_db member to right value
+
+From: Erez Shitrit <erezsh@mellanox.com>
+
+[ Upstream commit 8075411d93b6efe143d9f606f6531077795b7fbf ]
+
+In polling mode, set arm_db member to a value that will avoid CQ
+event recovery by the HW.
+Otherwise we might get event without completion function.
+In addition,empty completion function to was added to protect from
+unexpected events.
+
+Fixes: 297cccebdc5a ("net/mlx5: DR, Expose an internal API to issue RDMA operations")
+Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
+Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
+Reviewed-by: Alex Vesker <valex@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c | 14 ++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_send.c
+@@ -689,6 +689,12 @@ static void dr_cq_event(struct mlx5_core
+ pr_info("CQ event %u on CQ #%u\n", event, mcq->cqn);
+ }
+
++static void dr_cq_complete(struct mlx5_core_cq *mcq,
++ struct mlx5_eqe *eqe)
++{
++ pr_err("CQ completion CQ: #%u\n", mcq->cqn);
++}
++
+ static struct mlx5dr_cq *dr_create_cq(struct mlx5_core_dev *mdev,
+ struct mlx5_uars_page *uar,
+ size_t ncqe)
+@@ -750,6 +756,7 @@ static struct mlx5dr_cq *dr_create_cq(st
+ mlx5_fill_page_frag_array(&cq->wq_ctrl.buf, pas);
+
+ cq->mcq.event = dr_cq_event;
++ cq->mcq.comp = dr_cq_complete;
+
+ err = mlx5_core_create_cq(mdev, &cq->mcq, in, inlen, out, sizeof(out));
+ kvfree(in);
+@@ -761,7 +768,12 @@ static struct mlx5dr_cq *dr_create_cq(st
+ cq->mcq.set_ci_db = cq->wq_ctrl.db.db;
+ cq->mcq.arm_db = cq->wq_ctrl.db.db + 1;
+ *cq->mcq.set_ci_db = 0;
+- *cq->mcq.arm_db = 0;
++
++ /* set no-zero value, in order to avoid the HW to run db-recovery on
++ * CQ that used in polling mode.
++ */
++ *cq->mcq.arm_db = cpu_to_be32(2 << 28);
++
+ cq->mcq.vector = 0;
+ cq->mcq.irqn = irqn;
+ cq->mcq.uar = uar;
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Moshe Shemesh <moshe@mellanox.com>
+Date: Sun, 23 Feb 2020 03:27:41 +0200
+Subject: net/mlx5: Fix command entry leak in Internal Error State
+
+From: Moshe Shemesh <moshe@mellanox.com>
+
+[ Upstream commit cece6f432cca9f18900463ed01b97a152a03600a ]
+
+Processing commands by cmd_work_handler() while already in Internal
+Error State will result in entry leak, since the handler process force
+completion without doorbell. Forced completion doesn't release the entry
+and event completion will never arrive, so entry should be released.
+
+Fixes: 73dd3a4839c1 ("net/mlx5: Avoid using pending command interface slots")
+Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -922,6 +922,10 @@ static void cmd_work_handler(struct work
+ MLX5_SET(mbox_out, ent->out, syndrome, drv_synd);
+
+ mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true);
++ /* no doorbell, no need to keep the entry */
++ free_ent(cmd, ent->idx);
++ if (ent->callback)
++ free_cmd(ent);
+ return;
+ }
+
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Moshe Shemesh <moshe@mellanox.com>
+Date: Sun, 21 Jul 2019 08:40:13 +0300
+Subject: net/mlx5: Fix forced completion access non initialized command entry
+
+From: Moshe Shemesh <moshe@mellanox.com>
+
+[ Upstream commit f3cb3cebe26ed4c8036adbd9448b372129d3c371 ]
+
+mlx5_cmd_flush() will trigger forced completions to all valid command
+entries. Triggered by an asynch event such as fast teardown it can
+happen at any stage of the command, including command initialization.
+It will trigger forced completion and that can lead to completion on an
+uninitialized command entry.
+
+Setting MLX5_CMD_ENT_STATE_PENDING_COMP only after command entry is
+initialized will ensure force completion is treated only if command
+entry is initialized.
+
+Fixes: 73dd3a4839c1 ("net/mlx5: Avoid using pending command interface slots")
+Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -888,7 +888,6 @@ static void cmd_work_handler(struct work
+ }
+
+ cmd->ent_arr[ent->idx] = ent;
+- set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state);
+ lay = get_inst(cmd, ent->idx);
+ ent->lay = lay;
+ memset(lay, 0, sizeof(*lay));
+@@ -910,6 +909,7 @@ static void cmd_work_handler(struct work
+
+ if (ent->callback)
+ schedule_delayed_work(&ent->cb_timeout_work, cb_timeout);
++ set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state);
+
+ /* Skip sending command to fw if internal error */
+ if (pci_channel_offline(dev->pdev) ||
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Roi Dayan <roid@mellanox.com>
+Date: Thu, 23 Apr 2020 12:37:21 +0300
+Subject: net/mlx5e: Fix q counters on uplink representors
+
+From: Roi Dayan <roid@mellanox.com>
+
+[ Upstream commit 67b38de646894c9a94fe4d6d17719e70cc6028eb ]
+
+Need to allocate the q counters before init_rx which needs them
+when creating the rq.
+
+Fixes: 8520fa57a4e9 ("net/mlx5e: Create q counters on uplink representors")
+Signed-off-by: Roi Dayan <roid@mellanox.com>
+Reviewed-by: Vlad Buslov <vladbu@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -1692,19 +1692,14 @@ static void mlx5e_cleanup_rep_rx(struct
+
+ static int mlx5e_init_ul_rep_rx(struct mlx5e_priv *priv)
+ {
+- int err = mlx5e_init_rep_rx(priv);
+-
+- if (err)
+- return err;
+-
+ mlx5e_create_q_counters(priv);
+- return 0;
++ return mlx5e_init_rep_rx(priv);
+ }
+
+ static void mlx5e_cleanup_ul_rep_rx(struct mlx5e_priv *priv)
+ {
+- mlx5e_destroy_q_counters(priv);
+ mlx5e_cleanup_rep_rx(priv);
++ mlx5e_destroy_q_counters(priv);
+ }
+
+ static int mlx5e_init_uplink_rep_tx(struct mlx5e_rep_priv *rpriv)
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 6 May 2020 13:16:56 +0300
+Subject: net: mvpp2: cls: Prevent buffer overflow in mvpp2_ethtool_cls_rule_del()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 722c0f00d4feea77475a5dc943b53d60824a1e4e ]
+
+The "info->fs.location" is a u32 that comes from the user via the
+ethtool_set_rxnfc() function. We need to check for invalid values to
+prevent a buffer overflow.
+
+I copy and pasted this check from the mvpp2_ethtool_cls_rule_ins()
+function.
+
+Fixes: 90b509b39ac9 ("net: mvpp2: cls: Add Classification offload support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_cls.c
+@@ -1422,6 +1422,9 @@ int mvpp2_ethtool_cls_rule_del(struct mv
+ struct mvpp2_ethtool_fs *efs;
+ int ret;
+
++ if (info->fs.location >= MVPP2_N_RFS_ENTRIES_PER_FLOW)
++ return -EINVAL;
++
+ efs = port->rfs_rules[info->fs.location];
+ if (!efs)
+ return -EINVAL;
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 6 May 2020 13:16:22 +0300
+Subject: net: mvpp2: prevent buffer overflow in mvpp22_rss_ctx()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 39bd16df7c31bb8cf5dfd0c88e42abd5ae10029d ]
+
+The "rss_context" variable comes from the user via ethtool_get_rxfh().
+It can be any u32 value except zero. Eventually it gets passed to
+mvpp22_rss_ctx() and if it is over MVPP22_N_RSS_TABLES (8) then it
+results in an array overflow.
+
+Fixes: 895586d5dc32 ("net: mvpp2: cls: Use RSS contexts to handle RSS tables")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -4325,6 +4325,8 @@ static int mvpp2_ethtool_get_rxfh_contex
+
+ if (!mvpp22_rss_is_supported())
+ return -EOPNOTSUPP;
++ if (rss_context >= MVPP22_N_RSS_TABLES)
++ return -EINVAL;
+
+ if (hfunc)
+ *hfunc = ETH_RSS_HASH_CRC32;
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Sun, 26 Apr 2020 09:22:06 +0300
+Subject: net: phy: marvell10g: fix temperature sensor on 2110
+
+From: Baruch Siach <baruch@tkos.co.il>
+
+[ Upstream commit c3e302edca2457bbd0c958c445a7538fbf6a6ac8 ]
+
+Read the temperature sensor register from the correct location for the
+88E2110 PHY. There is no enable/disable bit on 2110, so make
+mv3310_hwmon_config() run on 88X3310 only.
+
+Fixes: 62d01535474b61 ("net: phy: marvell10g: add support for the 88x2110 PHY")
+Cc: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Reviewed-by: Russell King <rmk+kernel@armlinux.org.uk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/marvell10g.c | 27 ++++++++++++++++++++++++++-
+ 1 file changed, 26 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/marvell10g.c
++++ b/drivers/net/phy/marvell10g.c
+@@ -44,6 +44,9 @@ enum {
+ MV_PCS_PAIRSWAP_AB = 0x0002,
+ MV_PCS_PAIRSWAP_NONE = 0x0003,
+
++ /* Temperature read register (88E2110 only) */
++ MV_PCS_TEMP = 0x8042,
++
+ /* These registers appear at 0x800X and 0xa00X - the 0xa00X control
+ * registers appear to set themselves to the 0x800X when AN is
+ * restarted, but status registers appear readable from either.
+@@ -54,6 +57,7 @@ enum {
+ /* Vendor2 MMD registers */
+ MV_V2_PORT_CTRL = 0xf001,
+ MV_V2_PORT_CTRL_PWRDOWN = 0x0800,
++ /* Temperature control/read registers (88X3310 only) */
+ MV_V2_TEMP_CTRL = 0xf08a,
+ MV_V2_TEMP_CTRL_MASK = 0xc000,
+ MV_V2_TEMP_CTRL_SAMPLE = 0x0000,
+@@ -79,6 +83,24 @@ static umode_t mv3310_hwmon_is_visible(c
+ return 0;
+ }
+
++static int mv3310_hwmon_read_temp_reg(struct phy_device *phydev)
++{
++ return phy_read_mmd(phydev, MDIO_MMD_VEND2, MV_V2_TEMP);
++}
++
++static int mv2110_hwmon_read_temp_reg(struct phy_device *phydev)
++{
++ return phy_read_mmd(phydev, MDIO_MMD_PCS, MV_PCS_TEMP);
++}
++
++static int mv10g_hwmon_read_temp_reg(struct phy_device *phydev)
++{
++ if (phydev->drv->phy_id == MARVELL_PHY_ID_88X3310)
++ return mv3310_hwmon_read_temp_reg(phydev);
++ else /* MARVELL_PHY_ID_88E2110 */
++ return mv2110_hwmon_read_temp_reg(phydev);
++}
++
+ static int mv3310_hwmon_read(struct device *dev, enum hwmon_sensor_types type,
+ u32 attr, int channel, long *value)
+ {
+@@ -91,7 +113,7 @@ static int mv3310_hwmon_read(struct devi
+ }
+
+ if (type == hwmon_temp && attr == hwmon_temp_input) {
+- temp = phy_read_mmd(phydev, MDIO_MMD_VEND2, MV_V2_TEMP);
++ temp = mv10g_hwmon_read_temp_reg(phydev);
+ if (temp < 0)
+ return temp;
+
+@@ -144,6 +166,9 @@ static int mv3310_hwmon_config(struct ph
+ u16 val;
+ int ret;
+
++ if (phydev->drv->phy_id != MARVELL_PHY_ID_88X3310)
++ return 0;
++
+ ret = phy_write_mmd(phydev, MDIO_MMD_VEND2, MV_V2_TEMP,
+ MV_V2_TEMP_UNKNOWN);
+ if (ret < 0)
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Willem de Bruijn <willemb@google.com>
+Date: Mon, 4 May 2020 12:48:54 -0400
+Subject: net: stricter validation of untrusted gso packets
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 9274124f023b5c56dc4326637d4f787968b03607 ]
+
+Syzkaller again found a path to a kernel crash through bad gso input:
+a packet with transport header extending beyond skb_headlen(skb).
+
+Tighten validation at kernel entry:
+
+- Verify that the transport header lies within the linear section.
+
+ To avoid pulling linux/tcp.h, verify just sizeof tcphdr.
+ tcp_gso_segment will call pskb_may_pull (th->doff * 4) before use.
+
+- Match the gso_type against the ip_proto found by the flow dissector.
+
+Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/virtio_net.h | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -3,6 +3,8 @@
+ #define _LINUX_VIRTIO_NET_H
+
+ #include <linux/if_vlan.h>
++#include <uapi/linux/tcp.h>
++#include <uapi/linux/udp.h>
+ #include <uapi/linux/virtio_net.h>
+
+ static inline int virtio_net_hdr_set_proto(struct sk_buff *skb,
+@@ -28,17 +30,25 @@ static inline int virtio_net_hdr_to_skb(
+ bool little_endian)
+ {
+ unsigned int gso_type = 0;
++ unsigned int thlen = 0;
++ unsigned int ip_proto;
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+ switch (hdr->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
+ case VIRTIO_NET_HDR_GSO_TCPV4:
+ gso_type = SKB_GSO_TCPV4;
++ ip_proto = IPPROTO_TCP;
++ thlen = sizeof(struct tcphdr);
+ break;
+ case VIRTIO_NET_HDR_GSO_TCPV6:
+ gso_type = SKB_GSO_TCPV6;
++ ip_proto = IPPROTO_TCP;
++ thlen = sizeof(struct tcphdr);
+ break;
+ case VIRTIO_NET_HDR_GSO_UDP:
+ gso_type = SKB_GSO_UDP;
++ ip_proto = IPPROTO_UDP;
++ thlen = sizeof(struct udphdr);
+ break;
+ default:
+ return -EINVAL;
+@@ -57,16 +67,22 @@ static inline int virtio_net_hdr_to_skb(
+
+ if (!skb_partial_csum_set(skb, start, off))
+ return -EINVAL;
++
++ if (skb_transport_offset(skb) + thlen > skb_headlen(skb))
++ return -EINVAL;
+ } else {
+ /* gso packets without NEEDS_CSUM do not set transport_offset.
+ * probe and drop if does not match one of the above types.
+ */
+ if (gso_type && skb->network_header) {
++ struct flow_keys_basic keys;
++
+ if (!skb->protocol)
+ virtio_net_hdr_set_proto(skb, hdr);
+ retry:
+- skb_probe_transport_header(skb);
+- if (!skb_transport_header_was_set(skb)) {
++ if (!skb_flow_dissect_flow_keys_basic(NULL, skb, &keys,
++ NULL, 0, 0, 0,
++ 0)) {
+ /* UFO does not specify ipv4 or 6: try both */
+ if (gso_type & SKB_GSO_UDP &&
+ skb->protocol == htons(ETH_P_IP)) {
+@@ -75,6 +91,12 @@ retry:
+ }
+ return -EINVAL;
+ }
++
++ if (keys.control.thoff + thlen > skb_headlen(skb) ||
++ keys.basic.ip_proto != ip_proto)
++ return -EINVAL;
++
++ skb_set_transport_header(skb, keys.control.thoff);
+ }
+ }
+
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Anthony Felice <tony.felice@timesys.com>
+Date: Sun, 26 Apr 2020 22:00:59 -0400
+Subject: net: tc35815: Fix phydev supported/advertising mask
+
+From: Anthony Felice <tony.felice@timesys.com>
+
+[ Upstream commit 4b5b71f770e2edefbfe74203777264bfe6a9927c ]
+
+Commit 3c1bcc8614db ("net: ethernet: Convert phydev advertize and
+supported from u32 to link mode") updated ethernet drivers to use a
+linkmode bitmap. It mistakenly dropped a bitwise negation in the
+tc35815 ethernet driver on a bitmask to set the supported/advertising
+flags.
+
+Found by Anthony via code inspection, not tested as I do not have the
+required hardware.
+
+Fixes: 3c1bcc8614db ("net: ethernet: Convert phydev advertize and supported from u32 to link mode")
+Signed-off-by: Anthony Felice <tony.felice@timesys.com>
+Reviewed-by: Akshay Bhat <akshay.bhat@timesys.com>
+Reviewed-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/toshiba/tc35815.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/toshiba/tc35815.c
++++ b/drivers/net/ethernet/toshiba/tc35815.c
+@@ -643,7 +643,7 @@ static int tc_mii_probe(struct net_devic
+ linkmode_set_bit(ETHTOOL_LINK_MODE_10baseT_Half_BIT, mask);
+ linkmode_set_bit(ETHTOOL_LINK_MODE_100baseT_Half_BIT, mask);
+ }
+- linkmode_and(phydev->supported, phydev->supported, mask);
++ linkmode_andnot(phydev->supported, phydev->supported, mask);
+ linkmode_copy(phydev->advertising, phydev->supported);
+
+ lp->link = 0;
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Sat, 25 Apr 2020 20:54:37 +0800
+Subject: net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict()
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+[ Upstream commit 095f5614bfe16e5b3e191b34ea41b10d6fdd4ced ]
+
+bpf_exec_tx_verdict() invokes sk_psock_get(), which returns a reference
+of the specified sk_psock object to "psock" with increased refcnt.
+
+When bpf_exec_tx_verdict() returns, local variable "psock" becomes
+invalid, so the refcount should be decreased to keep refcount balanced.
+
+The reference counting issue happens in one exception handling path of
+bpf_exec_tx_verdict(). When "policy" equals to NULL but "psock" is not
+NULL, the function forgets to decrease the refcnt increased by
+sk_psock_get(), causing a refcnt leak.
+
+Fix this issue by calling sk_psock_put() on this error path before
+bpf_exec_tx_verdict() returns.
+
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_sw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -800,6 +800,8 @@ static int bpf_exec_tx_verdict(struct sk
+ *copied -= sk_msg_free(sk, msg);
+ tls_free_open_rec(sk);
+ }
++ if (psock)
++ sk_psock_put(sk, psock);
+ return err;
+ }
+ more_data:
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Sat, 25 Apr 2020 21:10:23 +0800
+Subject: net/tls: Fix sk_psock refcnt leak when in tls_data_ready()
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+[ Upstream commit 62b4011fa7bef9fa00a6aeec26e69685dc1cc21e ]
+
+tls_data_ready() invokes sk_psock_get(), which returns a reference of
+the specified sk_psock object to "psock" with increased refcnt.
+
+When tls_data_ready() returns, local variable "psock" becomes invalid,
+so the refcount should be decreased to keep refcount balanced.
+
+The reference counting issue happens in one exception handling path of
+tls_data_ready(). When "psock->ingress_msg" is empty but "psock" is not
+NULL, the function forgets to decrease the refcnt increased by
+sk_psock_get(), causing a refcnt leak.
+
+Fix this issue by calling sk_psock_put() on all paths when "psock" is
+not NULL.
+
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tls/tls_sw.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -2083,8 +2083,9 @@ static void tls_data_ready(struct sock *
+ strp_data_ready(&ctx->strp);
+
+ psock = sk_psock_get(sk);
+- if (psock && !list_empty(&psock->ingress_msg)) {
+- ctx->saved_data_ready(sk);
++ if (psock) {
++ if (!list_empty(&psock->ingress_msg))
++ ctx->saved_data_ready(sk);
+ sk_psock_put(sk, psock);
+ }
+ }
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Matt Jolly <Kangie@footclan.ninja>
+Date: Sun, 3 May 2020 01:52:28 +1000
+Subject: net: usb: qmi_wwan: add support for DW5816e
+
+From: Matt Jolly <Kangie@footclan.ninja>
+
+[ Upstream commit 57c7f2bd758eed867295c81d3527fff4fab1ed74 ]
+
+Add support for Dell Wireless 5816e to drivers/net/usb/qmi_wwan.c
+
+Signed-off-by: Matt Jolly <Kangie@footclan.ninja>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1359,6 +1359,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x413c, 0x81b3, 8)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
+ {QMI_FIXED_INTF(0x413c, 0x81b6, 8)}, /* Dell Wireless 5811e */
+ {QMI_FIXED_INTF(0x413c, 0x81b6, 10)}, /* Dell Wireless 5811e */
++ {QMI_FIXED_INTF(0x413c, 0x81cc, 8)}, /* Dell Wireless 5816e */
+ {QMI_FIXED_INTF(0x413c, 0x81d7, 0)}, /* Dell Wireless 5821e */
+ {QMI_FIXED_INTF(0x413c, 0x81d7, 1)}, /* Dell Wireless 5821e preproduction config */
+ {QMI_FIXED_INTF(0x413c, 0x81e0, 0)}, /* Dell Wireless 5821e with eSIM support*/
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 2 May 2020 20:09:25 -0700
+Subject: net_sched: sch_skbprio: add message validation to skbprio_change()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2761121af87de45951989a0adada917837d8fa82 ]
+
+Do not assume the attribute has the right size.
+
+Fixes: aea5f654e6b7 ("net/sched: add skbprio scheduler")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_skbprio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sched/sch_skbprio.c
++++ b/net/sched/sch_skbprio.c
+@@ -169,6 +169,9 @@ static int skbprio_change(struct Qdisc *
+ {
+ struct tc_skbprio_qopt *ctl = nla_data(opt);
+
++ if (opt->nla_len != nla_attr_size(sizeof(*ctl)))
++ return -EINVAL;
++
+ sch->limit = ctl->limit;
+ return 0;
+ }
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Qiushi Wu <wu000273@umn.edu>
+Date: Sat, 2 May 2020 17:42:59 -0500
+Subject: nfp: abm: fix a memory leak bug
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit bd4af432cc71b5fbfe4833510359a6ad3ada250d ]
+
+In function nfp_abm_vnic_set_mac, pointer nsp is allocated by nfp_nsp_open.
+But when nfp_nsp_has_hwinfo_lookup fail, the pointer is not released,
+which can lead to a memory leak bug. Fix this issue by adding
+nfp_nsp_close(nsp) in the error path.
+
+Fixes: f6e71efdf9fb1 ("nfp: abm: look up MAC addresses via management FW")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Acked-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/abm/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/netronome/nfp/abm/main.c
++++ b/drivers/net/ethernet/netronome/nfp/abm/main.c
+@@ -283,6 +283,7 @@ nfp_abm_vnic_set_mac(struct nfp_pf *pf,
+ if (!nfp_nsp_has_hwinfo_lookup(nsp)) {
+ nfp_warn(pf->cpp, "NSP doesn't support PF MAC generation\n");
+ eth_hw_addr_random(nn->dp.netdev);
++ nfp_nsp_close(nsp);
+ return;
+ }
+
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 25 Apr 2020 15:19:51 -0700
+Subject: sch_choke: avoid potential panic in choke_reset()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8738c85c72b3108c9b9a369a39868ba5f8e10ae0 ]
+
+If choke_init() could not allocate q->tab, we would crash later
+in choke_reset().
+
+BUG: KASAN: null-ptr-deref in memset include/linux/string.h:366 [inline]
+BUG: KASAN: null-ptr-deref in choke_reset+0x208/0x340 net/sched/sch_choke.c:326
+Write of size 8 at addr 0000000000000000 by task syz-executor822/7022
+
+CPU: 1 PID: 7022 Comm: syz-executor822 Not tainted 5.7.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x188/0x20d lib/dump_stack.c:118
+ __kasan_report.cold+0x5/0x4d mm/kasan/report.c:515
+ kasan_report+0x33/0x50 mm/kasan/common.c:625
+ check_memory_region_inline mm/kasan/generic.c:187 [inline]
+ check_memory_region+0x141/0x190 mm/kasan/generic.c:193
+ memset+0x20/0x40 mm/kasan/common.c:85
+ memset include/linux/string.h:366 [inline]
+ choke_reset+0x208/0x340 net/sched/sch_choke.c:326
+ qdisc_reset+0x6b/0x520 net/sched/sch_generic.c:910
+ dev_deactivate_queue.constprop.0+0x13c/0x240 net/sched/sch_generic.c:1138
+ netdev_for_each_tx_queue include/linux/netdevice.h:2197 [inline]
+ dev_deactivate_many+0xe2/0xba0 net/sched/sch_generic.c:1195
+ dev_deactivate+0xf8/0x1c0 net/sched/sch_generic.c:1233
+ qdisc_graft+0xd25/0x1120 net/sched/sch_api.c:1051
+ tc_modify_qdisc+0xbab/0x1a00 net/sched/sch_api.c:1670
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5454
+ netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2416
+ __sys_sendmsg+0xec/0x1b0 net/socket.c:2449
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+
+Fixes: 77e62da6e60c ("sch_choke: drop all packets in queue during reset")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_choke.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_choke.c
++++ b/net/sched/sch_choke.c
+@@ -323,7 +323,8 @@ static void choke_reset(struct Qdisc *sc
+
+ sch->q.qlen = 0;
+ sch->qstats.backlog = 0;
+- memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *));
++ if (q->tab)
++ memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *));
+ q->head = q->tail = 0;
+ red_restart(&q->vars);
+ }
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 26 Apr 2020 18:19:07 -0700
+Subject: sch_sfq: validate silly quantum values
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit df4953e4e997e273501339f607b77953772e3559 ]
+
+syzbot managed to set up sfq so that q->scaled_quantum was zero,
+triggering an infinite loop in sfq_dequeue()
+
+More generally, we must only accept quantum between 1 and 2^18 - 7,
+meaning scaled_quantum must be in [1, 0x7FFF] range.
+
+Otherwise, we also could have a loop in sfq_dequeue()
+if scaled_quantum happens to be 0x8000, since slot->allot
+could indefinitely switch between 0 and 0x8000.
+
+Fixes: eeaeb068f139 ("sch_sfq: allow big packets and be fair")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_sfq.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -637,6 +637,15 @@ static int sfq_change(struct Qdisc *sch,
+ if (ctl->divisor &&
+ (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536))
+ return -EINVAL;
++
++ /* slot->allot is a short, make sure quantum is not too big. */
++ if (ctl->quantum) {
++ unsigned int scaled = SFQ_ALLOT_SIZE(ctl->quantum);
++
++ if (scaled <= 0 || scaled > SHRT_MAX)
++ return -EINVAL;
++ }
++
+ if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
+ ctl_v1->Wlog))
+ return -EINVAL;
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 5 May 2020 20:51:06 -0700
+Subject: selftests: net: tcp_mmap: clear whole tcp_zerocopy_receive struct
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit bf5525f3a8e3248be5aa5defe5aaadd60e1c1ba1 ]
+
+We added fields in tcp_zerocopy_receive structure,
+so make sure to clear all fields to not pass garbage to the kernel.
+
+We were lucky because recent additions added 'out' parameters,
+still we need to clean our reference implementation, before folks
+copy/paste it.
+
+Fixes: c8856c051454 ("tcp-zerocopy: Return inq along with tcp receive zerocopy.")
+Fixes: 33946518d493 ("tcp-zerocopy: Return sk_err (if set) along with tcp receive zerocopy.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Arjun Roy <arjunroy@google.com>
+Cc: Soheil Hassas Yeganeh <soheil@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/tcp_mmap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/tcp_mmap.c
++++ b/tools/testing/selftests/net/tcp_mmap.c
+@@ -165,9 +165,10 @@ void *child_thread(void *arg)
+ socklen_t zc_len = sizeof(zc);
+ int res;
+
++ memset(&zc, 0, sizeof(zc));
+ zc.address = (__u64)((unsigned long)addr);
+ zc.length = chunk_size;
+- zc.recv_skip_hint = 0;
++
+ res = getsockopt(fd, IPPROTO_TCP, TCP_ZEROCOPY_RECEIVE,
+ &zc, &zc_len);
+ if (res == -1)
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 6 May 2020 09:21:15 -0700
+Subject: selftests: net: tcp_mmap: fix SO_RCVLOWAT setting
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a84724178bd7081cf3bd5b558616dd6a9a4ca63b ]
+
+Since chunk_size is no longer an integer, we can not
+use it directly as an argument of setsockopt().
+
+This patch should fix tcp_mmap for Big Endian kernels.
+
+Fixes: 597b01edafac ("selftests: net: avoid ptl lock contention in tcp_mmap")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Soheil Hassas Yeganeh <soheil@google.com>
+Cc: Arjun Roy <arjunroy@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/tcp_mmap.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/tcp_mmap.c
++++ b/tools/testing/selftests/net/tcp_mmap.c
+@@ -282,12 +282,14 @@ static void setup_sockaddr(int domain, c
+ static void do_accept(int fdlisten)
+ {
+ pthread_attr_t attr;
++ int rcvlowat;
+
+ pthread_attr_init(&attr);
+ pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED);
+
++ rcvlowat = chunk_size;
+ if (setsockopt(fdlisten, SOL_SOCKET, SO_RCVLOWAT,
+- &chunk_size, sizeof(chunk_size)) == -1) {
++ &rcvlowat, sizeof(rcvlowat)) == -1) {
+ perror("setsockopt SO_RCVLOWAT");
+ }
+
nvme-fix-possible-hang-when-ns-scanning-fails-during.patch
tracing-kprobes-fix-a-double-initialization-typo.patch
net-macb-fix-runtime-pm-refcounting.patch
+cxgb4-fix-eotid-leak-when-disabling-tc-mqprio-offload.patch
+devlink-fix-reporter-s-recovery-condition.patch
+devlink-fix-return-value-after-hitting-end-in-region-read.patch
+dp83640-reverse-arguments-to-list_add_tail.patch
+fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch
+ipv6-use-global-sernum-for-dst-validation-with-nexthop-objects.patch
+mlxsw-spectrum_acl_tcam-position-vchunk-in-a-vregion-list-properly.patch
+neigh-send-protocol-value-in-neighbor-create-notification.patch
+net-bridge-vlan-add-a-schedule-point-during-vlan-processing.patch
+net-dsa-do-not-leave-dsa-master-with-null-netdev_ops.patch
+net-dsa-do-not-make-user-port-errors-fatal.patch
+net-macb-fix-an-issue-about-leak-related-system-resources.patch
+net-macsec-preserve-ingress-frame-ordering.patch
+net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch
+net-phy-marvell10g-fix-temperature-sensor-on-2110.patch
+net_sched-sch_skbprio-add-message-validation-to-skbprio_change.patch
+net-stricter-validation-of-untrusted-gso-packets.patch
+net-tc35815-fix-phydev-supported-advertising-mask.patch
+net-tls-fix-sk_psock-refcnt-leak-in-bpf_exec_tx_verdict.patch
+net-tls-fix-sk_psock-refcnt-leak-when-in-tls_data_ready.patch
+net-usb-qmi_wwan-add-support-for-dw5816e.patch
+nfp-abm-fix-a-memory-leak-bug.patch
+sch_choke-avoid-potential-panic-in-choke_reset.patch
+sch_sfq-validate-silly-quantum-values.patch
+selftests-net-tcp_mmap-clear-whole-tcp_zerocopy_receive-struct.patch
+selftests-net-tcp_mmap-fix-so_rcvlowat-setting.patch
+tipc-fix-partial-topology-connection-closure.patch
+tunnel-propagate-ect-1-when-decapsulating-as-recommended-by-rfc6040.patch
+bnxt_en-fix-vf-anti-spoof-filter-setup.patch
+bnxt_en-reduce-bnxt_msix_vec_max-value-to-supported-cqs-per-pf.patch
+bnxt_en-improve-aer-slot-reset.patch
+bnxt_en-return-error-when-allocating-zero-size-context-memory.patch
+bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch
+net-mlx5-dr-on-creation-set-cq-s-arm_db-member-to-right-value.patch
+net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch
+net-mlx5-fix-command-entry-leak-in-internal-error-state.patch
+net-mlx5e-fix-q-counters-on-uplink-representors.patch
+net-mvpp2-prevent-buffer-overflow-in-mvpp22_rss_ctx.patch
+net-mvpp2-cls-prevent-buffer-overflow-in-mvpp2_ethtool_cls_rule_del.patch
+wireguard-queueing-cleanup-ptr_ring-in-error-path-of-packet_queue_init.patch
+wireguard-receive-use-tunnel-helpers-for-decapsulating-ecn-markings.patch
+net-enetc-fix-an-issue-about-leak-system-resources.patch
+wireguard-socket-remove-errant-restriction-on-looping-to-self.patch
+wireguard-send-receive-cond_resched-when-processing-worker-ringbuffers.patch
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: Tuong Lien <tuong.t.lien@dektech.com.au>
+Date: Mon, 4 May 2020 11:15:54 +0700
+Subject: tipc: fix partial topology connection closure
+
+From: Tuong Lien <tuong.t.lien@dektech.com.au>
+
+[ Upstream commit 980d69276f3048af43a045be2925dacfb898a7be ]
+
+When an application connects to the TIPC topology server and subscribes
+to some services, a new connection is created along with some objects -
+'tipc_subscription' to store related data correspondingly...
+However, there is one omission in the connection handling that when the
+connection or application is orderly shutdown (e.g. via SIGQUIT, etc.),
+the connection is not closed in kernel, the 'tipc_subscription' objects
+are not freed too.
+This results in:
+- The maximum number of subscriptions (65535) will be reached soon, new
+subscriptions will be rejected;
+- TIPC module cannot be removed (unless the objects are somehow forced
+to release first);
+
+The commit fixes the issue by closing the connection if the 'recvmsg()'
+returns '0' i.e. when the peer is shutdown gracefully. It also includes
+the other unexpected cases.
+
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: Tuong Lien <tuong.t.lien@dektech.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/topsrv.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/topsrv.c
++++ b/net/tipc/topsrv.c
+@@ -402,10 +402,11 @@ static int tipc_conn_rcv_from_sock(struc
+ read_lock_bh(&sk->sk_callback_lock);
+ ret = tipc_conn_rcv_sub(srv, con, &s);
+ read_unlock_bh(&sk->sk_callback_lock);
++ if (!ret)
++ return 0;
+ }
+- if (ret < 0)
+- tipc_conn_close(con);
+
++ tipc_conn_close(con);
+ return ret;
+ }
+
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: "Toke Høiland-Jørgensen" <toke@redhat.com>
+Date: Mon, 27 Apr 2020 16:11:05 +0200
+Subject: tunnel: Propagate ECT(1) when decapsulating as recommended by RFC6040
+
+From: "Toke Høiland-Jørgensen" <toke@redhat.com>
+
+[ Upstream commit b723748750ece7d844cdf2f52c01d37f83387208 ]
+
+RFC 6040 recommends propagating an ECT(1) mark from an outer tunnel header
+to the inner header if that inner header is already marked as ECT(0). When
+RFC 6040 decapsulation was implemented, this case of propagation was not
+added. This simply appears to be an oversight, so let's fix that.
+
+Fixes: eccc1bb8d4b4 ("tunnel: drop packet if ECN present with not-ECT")
+Reported-by: Bob Briscoe <ietf@bobbriscoe.net>
+Reported-by: Olivier Tilmans <olivier.tilmans@nokia-bell-labs.com>
+Cc: Dave Taht <dave.taht@gmail.com>
+Cc: Stephen Hemminger <stephen@networkplumber.org>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/inet_ecn.h | 57 +++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 55 insertions(+), 2 deletions(-)
+
+--- a/include/net/inet_ecn.h
++++ b/include/net/inet_ecn.h
+@@ -99,6 +99,20 @@ static inline int IP_ECN_set_ce(struct i
+ return 1;
+ }
+
++static inline int IP_ECN_set_ect1(struct iphdr *iph)
++{
++ u32 check = (__force u32)iph->check;
++
++ if ((iph->tos & INET_ECN_MASK) != INET_ECN_ECT_0)
++ return 0;
++
++ check += (__force u16)htons(0x100);
++
++ iph->check = (__force __sum16)(check + (check>=0xFFFF));
++ iph->tos ^= INET_ECN_MASK;
++ return 1;
++}
++
+ static inline void IP_ECN_clear(struct iphdr *iph)
+ {
+ iph->tos &= ~INET_ECN_MASK;
+@@ -134,6 +148,22 @@ static inline int IP6_ECN_set_ce(struct
+ return 1;
+ }
+
++static inline int IP6_ECN_set_ect1(struct sk_buff *skb, struct ipv6hdr *iph)
++{
++ __be32 from, to;
++
++ if ((ipv6_get_dsfield(iph) & INET_ECN_MASK) != INET_ECN_ECT_0)
++ return 0;
++
++ from = *(__be32 *)iph;
++ to = from ^ htonl(INET_ECN_MASK << 20);
++ *(__be32 *)iph = to;
++ if (skb->ip_summed == CHECKSUM_COMPLETE)
++ skb->csum = csum_add(csum_sub(skb->csum, (__force __wsum)from),
++ (__force __wsum)to);
++ return 1;
++}
++
+ static inline void ipv6_copy_dscp(unsigned int dscp, struct ipv6hdr *inner)
+ {
+ dscp &= ~INET_ECN_MASK;
+@@ -159,6 +189,25 @@ static inline int INET_ECN_set_ce(struct
+ return 0;
+ }
+
++static inline int INET_ECN_set_ect1(struct sk_buff *skb)
++{
++ switch (skb->protocol) {
++ case cpu_to_be16(ETH_P_IP):
++ if (skb_network_header(skb) + sizeof(struct iphdr) <=
++ skb_tail_pointer(skb))
++ return IP_ECN_set_ect1(ip_hdr(skb));
++ break;
++
++ case cpu_to_be16(ETH_P_IPV6):
++ if (skb_network_header(skb) + sizeof(struct ipv6hdr) <=
++ skb_tail_pointer(skb))
++ return IP6_ECN_set_ect1(skb, ipv6_hdr(skb));
++ break;
++ }
++
++ return 0;
++}
++
+ /*
+ * RFC 6040 4.2
+ * To decapsulate the inner header at the tunnel egress, a compliant
+@@ -208,8 +257,12 @@ static inline int INET_ECN_decapsulate(s
+ int rc;
+
+ rc = __INET_ECN_decapsulate(outer, inner, &set_ce);
+- if (!rc && set_ce)
+- INET_ECN_set_ce(skb);
++ if (!rc) {
++ if (set_ce)
++ INET_ECN_set_ce(skb);
++ else if ((outer & INET_ECN_MASK) == INET_ECN_ECT_1)
++ INET_ECN_set_ect1(skb);
++ }
+
+ return rc;
+ }
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 29 Apr 2020 14:59:21 -0600
+Subject: wireguard: queueing: cleanup ptr_ring in error path of packet_queue_init
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+[ Upstream commit 130c58606171326c81841a49cc913cd354113dd9 ]
+
+Prior, if the alloc_percpu of packet_percpu_multicore_worker_alloc
+failed, the previously allocated ptr_ring wouldn't be freed. This commit
+adds the missing call to ptr_ring_cleanup in the error case.
+
+Reported-by: Sultan Alsawaf <sultan@kerneltoast.com>
+Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireguard/queueing.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireguard/queueing.c
++++ b/drivers/net/wireguard/queueing.c
+@@ -35,8 +35,10 @@ int wg_packet_queue_init(struct crypt_qu
+ if (multicore) {
+ queue->worker = wg_packet_percpu_multicore_worker_alloc(
+ function, queue);
+- if (!queue->worker)
++ if (!queue->worker) {
++ ptr_ring_cleanup(&queue->ring, NULL);
+ return -ENOMEM;
++ }
+ } else {
+ INIT_WORK(&queue->work, function);
+ }
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: "Toke Høiland-Jørgensen" <toke@redhat.com>
+Date: Wed, 29 Apr 2020 14:59:22 -0600
+Subject: wireguard: receive: use tunnel helpers for decapsulating ECN markings
+
+From: "Toke Høiland-Jørgensen" <toke@redhat.com>
+
+[ Upstream commit eebabcb26ea1e3295704477c6cd4e772c96a9559 ]
+
+WireGuard currently only propagates ECN markings on tunnel decap according
+to the old RFC3168 specification. However, the spec has since been updated
+in RFC6040 to recommend slightly different decapsulation semantics. This
+was implemented in the kernel as a set of common helpers for ECN
+decapsulation, so let's just switch over WireGuard to using those, so it
+can benefit from this enhancement and any future tweaks. We do not drop
+packets with invalid ECN marking combinations, because WireGuard is
+frequently used to work around broken ISPs, which could be doing that.
+
+Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
+Reported-by: Olivier Tilmans <olivier.tilmans@nokia-bell-labs.com>
+Cc: Dave Taht <dave.taht@gmail.com>
+Cc: Rodney W. Grimes <ietf@gndrsh.dnsmgr.net>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireguard/receive.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireguard/receive.c
++++ b/drivers/net/wireguard/receive.c
+@@ -393,13 +393,11 @@ static void wg_packet_consume_data_done(
+ len = ntohs(ip_hdr(skb)->tot_len);
+ if (unlikely(len < sizeof(struct iphdr)))
+ goto dishonest_packet_size;
+- if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
+- IP_ECN_set_ce(ip_hdr(skb));
++ INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ip_hdr(skb)->tos);
+ } else if (skb->protocol == htons(ETH_P_IPV6)) {
+ len = ntohs(ipv6_hdr(skb)->payload_len) +
+ sizeof(struct ipv6hdr);
+- if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
+- IP6_ECN_set_ce(skb, ipv6_hdr(skb));
++ INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ipv6_get_dsfield(ipv6_hdr(skb)));
+ } else {
+ goto dishonest_packet_type;
+ }
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 6 May 2020 15:33:04 -0600
+Subject: wireguard: send/receive: cond_resched() when processing worker ringbuffers
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+[ Upstream commit 4005f5c3c9d006157ba716594e0d70c88a235c5e ]
+
+Users with pathological hardware reported CPU stalls on CONFIG_
+PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning
+these workers would never terminate. That turned out not to be okay on
+systems without forced preemption, which Sultan observed. This commit
+adds a cond_resched() to the bottom of each loop iteration, so that
+these workers don't hog the core. Note that we don't need this on the
+napi poll worker, since that terminates after its budget is expended.
+
+Suggested-by: Sultan Alsawaf <sultan@kerneltoast.com>
+Reported-by: Wang Jian <larkwang@gmail.com>
+Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireguard/receive.c | 2 ++
+ drivers/net/wireguard/send.c | 4 ++++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/net/wireguard/receive.c
++++ b/drivers/net/wireguard/receive.c
+@@ -516,6 +516,8 @@ void wg_packet_decrypt_worker(struct wor
+ &PACKET_CB(skb)->keypair->receiving)) ?
+ PACKET_STATE_CRYPTED : PACKET_STATE_DEAD;
+ wg_queue_enqueue_per_peer_napi(skb, state);
++ if (need_resched())
++ cond_resched();
+ }
+ }
+
+--- a/drivers/net/wireguard/send.c
++++ b/drivers/net/wireguard/send.c
+@@ -281,6 +281,8 @@ void wg_packet_tx_worker(struct work_str
+
+ wg_noise_keypair_put(keypair, false);
+ wg_peer_put(peer);
++ if (need_resched())
++ cond_resched();
+ }
+ }
+
+@@ -305,6 +307,8 @@ void wg_packet_encrypt_worker(struct wor
+ wg_queue_enqueue_per_peer(&PACKET_PEER(first)->tx_queue, first,
+ state);
+
++ if (need_resched())
++ cond_resched();
+ }
+ }
+
--- /dev/null
+From foo@baz Tue 12 May 2020 10:54:57 AM CEST
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+Date: Wed, 6 May 2020 15:33:03 -0600
+Subject: wireguard: socket: remove errant restriction on looping to self
+
+From: "Jason A. Donenfeld" <Jason@zx2c4.com>
+
+[ Upstream commit b673e24aad36981f327a6570412ffa7754de8911 ]
+
+It's already possible to create two different interfaces and loop
+packets between them. This has always been possible with tunnels in the
+kernel, and isn't specific to wireguard. Therefore, the networking stack
+already needs to deal with that. At the very least, the packet winds up
+exceeding the MTU and is discarded at that point. So, since this is
+already something that happens, there's no need to forbid the not very
+exceptional case of routing a packet back to the same interface; this
+loop is no different than others, and we shouldn't special case it, but
+rather rely on generic handling of loops in general. This also makes it
+easier to do interesting things with wireguard such as onion routing.
+
+At the same time, we add a selftest for this, ensuring that both onion
+routing works and infinite routing loops do not crash the kernel. We
+also add a test case for wireguard interfaces nesting packets and
+sending traffic between each other, as well as the loop in this case
+too. We make sure to send some throughput-heavy traffic for this use
+case, to stress out any possible recursion issues with the locks around
+workqueues.
+
+Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireguard/socket.c | 12 ------
+ tools/testing/selftests/wireguard/netns.sh | 54 +++++++++++++++++++++++++++--
+ 2 files changed, 51 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/wireguard/socket.c
++++ b/drivers/net/wireguard/socket.c
+@@ -76,12 +76,6 @@ static int send4(struct wg_device *wg, s
+ net_dbg_ratelimited("%s: No route to %pISpfsc, error %d\n",
+ wg->dev->name, &endpoint->addr, ret);
+ goto err;
+- } else if (unlikely(rt->dst.dev == skb->dev)) {
+- ip_rt_put(rt);
+- ret = -ELOOP;
+- net_dbg_ratelimited("%s: Avoiding routing loop to %pISpfsc\n",
+- wg->dev->name, &endpoint->addr);
+- goto err;
+ }
+ if (cache)
+ dst_cache_set_ip4(cache, &rt->dst, fl.saddr);
+@@ -149,12 +143,6 @@ static int send6(struct wg_device *wg, s
+ net_dbg_ratelimited("%s: No route to %pISpfsc, error %d\n",
+ wg->dev->name, &endpoint->addr, ret);
+ goto err;
+- } else if (unlikely(dst->dev == skb->dev)) {
+- dst_release(dst);
+- ret = -ELOOP;
+- net_dbg_ratelimited("%s: Avoiding routing loop to %pISpfsc\n",
+- wg->dev->name, &endpoint->addr);
+- goto err;
+ }
+ if (cache)
+ dst_cache_set_ip6(cache, dst, &fl.saddr);
+--- a/tools/testing/selftests/wireguard/netns.sh
++++ b/tools/testing/selftests/wireguard/netns.sh
+@@ -48,8 +48,11 @@ cleanup() {
+ exec 2>/dev/null
+ printf "$orig_message_cost" > /proc/sys/net/core/message_cost
+ ip0 link del dev wg0
++ ip0 link del dev wg1
+ ip1 link del dev wg0
++ ip1 link del dev wg1
+ ip2 link del dev wg0
++ ip2 link del dev wg1
+ local to_kill="$(ip netns pids $netns0) $(ip netns pids $netns1) $(ip netns pids $netns2)"
+ [[ -n $to_kill ]] && kill $to_kill
+ pp ip netns del $netns1
+@@ -77,18 +80,20 @@ ip0 link set wg0 netns $netns2
+ key1="$(pp wg genkey)"
+ key2="$(pp wg genkey)"
+ key3="$(pp wg genkey)"
++key4="$(pp wg genkey)"
+ pub1="$(pp wg pubkey <<<"$key1")"
+ pub2="$(pp wg pubkey <<<"$key2")"
+ pub3="$(pp wg pubkey <<<"$key3")"
++pub4="$(pp wg pubkey <<<"$key4")"
+ psk="$(pp wg genpsk)"
+ [[ -n $key1 && -n $key2 && -n $psk ]]
+
+ configure_peers() {
+ ip1 addr add 192.168.241.1/24 dev wg0
+- ip1 addr add fd00::1/24 dev wg0
++ ip1 addr add fd00::1/112 dev wg0
+
+ ip2 addr add 192.168.241.2/24 dev wg0
+- ip2 addr add fd00::2/24 dev wg0
++ ip2 addr add fd00::2/112 dev wg0
+
+ n1 wg set wg0 \
+ private-key <(echo "$key1") \
+@@ -230,9 +235,38 @@ n1 ping -W 1 -c 1 192.168.241.2
+ n1 wg set wg0 private-key <(echo "$key3")
+ n2 wg set wg0 peer "$pub3" preshared-key <(echo "$psk") allowed-ips 192.168.241.1/32 peer "$pub1" remove
+ n1 ping -W 1 -c 1 192.168.241.2
++n2 wg set wg0 peer "$pub3" remove
+
+-ip1 link del wg0
++# Test that we can route wg through wg
++ip1 addr flush dev wg0
++ip2 addr flush dev wg0
++ip1 addr add fd00::5:1/112 dev wg0
++ip2 addr add fd00::5:2/112 dev wg0
++n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips fd00::5:2/128 endpoint 127.0.0.1:2
++n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") allowed-ips fd00::5:1/128 endpoint 127.212.121.99:9998
++ip1 link add wg1 type wireguard
++ip2 link add wg1 type wireguard
++ip1 addr add 192.168.241.1/24 dev wg1
++ip1 addr add fd00::1/112 dev wg1
++ip2 addr add 192.168.241.2/24 dev wg1
++ip2 addr add fd00::2/112 dev wg1
++ip1 link set mtu 1340 up dev wg1
++ip2 link set mtu 1340 up dev wg1
++n1 wg set wg1 listen-port 5 private-key <(echo "$key3") peer "$pub4" allowed-ips 192.168.241.2/32,fd00::2/128 endpoint [fd00::5:2]:5
++n2 wg set wg1 listen-port 5 private-key <(echo "$key4") peer "$pub3" allowed-ips 192.168.241.1/32,fd00::1/128 endpoint [fd00::5:1]:5
++tests
++# Try to set up a routing loop between the two namespaces
++ip1 link set netns $netns0 dev wg1
++ip0 addr add 192.168.241.1/24 dev wg1
++ip0 link set up dev wg1
++n0 ping -W 1 -c 1 192.168.241.2
++n1 wg set wg0 peer "$pub2" endpoint 192.168.241.2:7
+ ip2 link del wg0
++ip2 link del wg1
++! n0 ping -W 1 -c 10 -f 192.168.241.2 || false # Should not crash kernel
++
++ip0 link del wg1
++ip1 link del wg0
+
+ # Test using NAT. We now change the topology to this:
+ # ┌────────────────────────────────────────┐ ┌────────────────────────────────────────────────┐ ┌────────────────────────────────────────┐
+@@ -282,6 +316,20 @@ pp sleep 3
+ n2 ping -W 1 -c 1 192.168.241.1
+ n1 wg set wg0 peer "$pub2" persistent-keepalive 0
+
++# Test that onion routing works, even when it loops
++n1 wg set wg0 peer "$pub3" allowed-ips 192.168.242.2/32 endpoint 192.168.241.2:5
++ip1 addr add 192.168.242.1/24 dev wg0
++ip2 link add wg1 type wireguard
++ip2 addr add 192.168.242.2/24 dev wg1
++n2 wg set wg1 private-key <(echo "$key3") listen-port 5 peer "$pub1" allowed-ips 192.168.242.1/32
++ip2 link set wg1 up
++n1 ping -W 1 -c 1 192.168.242.2
++ip2 link del wg1
++n1 wg set wg0 peer "$pub3" endpoint 192.168.242.2:5
++! n1 ping -W 1 -c 1 192.168.242.2 || false # Should not crash kernel
++n1 wg set wg0 peer "$pub3" remove
++ip1 addr del 192.168.242.1/24 dev wg0
++
+ # Do a wg-quick(8)-style policy routing for the default route, making sure vethc has a v6 address to tease out bugs.
+ ip1 -6 addr add fc00::9/96 dev vethc
+ ip1 -6 route add default via fc00::1
projects / thirdparty / kernel / stable-queue.git / commitdiff
