--- /dev/null
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sun, 26 Apr 2020 16:24:38 -0400
+Subject: bnxt_en: Fix VF anti-spoof filter setup.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit c71c4e49afe173823a2a85b0cabc9b3f1176ffa2 ]
+
+Fix the logic that sets the enable/disable flag for the source MAC
+filter according to firmware spec 1.7.1.
+
+In the original firmware spec. before 1.7.1, the VF spoof check flags
+were not latched after making the HWRM_FUNC_CFG call, so there was a
+need to keep the func_flags so that subsequent calls would preserve
+the VF spoof check setting. A change was made in the 1.7.1 spec
+so that the flags became latched. So we now set or clear the anti-
+spoof setting directly without retrieving the old settings in the
+stored vf->func_flags which are no longer valid. We also remove the
+unneeded vf->func_flags.
+
+Fixes: 8eb992e876a8 ("bnxt_en: Update firmware interface spec to 1.7.6.2.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.h | 1 -
+ drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c | 9 ++-------
+ 2 files changed, 2 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+@@ -839,7 +839,6 @@ struct bnxt_vf_info {
+ #define BNXT_VF_LINK_FORCED 0x4
+ #define BNXT_VF_LINK_UP 0x8
+ #define BNXT_VF_TRUST 0x10
+- u32 func_flags; /* func cfg flags */
+ u32 min_tx_rate;
+ u32 max_tx_rate;
+ void *hwrm_cmd_req_addr;
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c
+@@ -99,11 +99,10 @@ int bnxt_set_vf_spoofchk(struct net_devi
+ if (old_setting == setting)
+ return 0;
+
+- func_flags = vf->func_flags;
+ if (setting)
+- func_flags |= FUNC_CFG_REQ_FLAGS_SRC_MAC_ADDR_CHECK_ENABLE;
++ func_flags = FUNC_CFG_REQ_FLAGS_SRC_MAC_ADDR_CHECK_ENABLE;
+ else
+- func_flags |= FUNC_CFG_REQ_FLAGS_SRC_MAC_ADDR_CHECK_DISABLE;
++ func_flags = FUNC_CFG_REQ_FLAGS_SRC_MAC_ADDR_CHECK_DISABLE;
+ /*TODO: if the driver supports VLAN filter on guest VLAN,
+ * the spoof check should also include vlan anti-spoofing
+ */
+@@ -112,7 +111,6 @@ int bnxt_set_vf_spoofchk(struct net_devi
+ req.flags = cpu_to_le32(func_flags);
+ rc = hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
+ if (!rc) {
+- vf->func_flags = func_flags;
+ if (setting)
+ vf->flags |= BNXT_VF_SPOOFCHK;
+ else
+@@ -197,7 +195,6 @@ int bnxt_set_vf_mac(struct net_device *d
+ memcpy(vf->mac_addr, mac, ETH_ALEN);
+ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1);
+ req.fid = cpu_to_le16(vf->fw_fid);
+- req.flags = cpu_to_le32(vf->func_flags);
+ req.enables = cpu_to_le32(FUNC_CFG_REQ_ENABLES_DFLT_MAC_ADDR);
+ memcpy(req.dflt_mac_addr, mac, ETH_ALEN);
+ return hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
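Review bot: Dropping `req.flags` here, and in the bnxt_set_vf_vlan and bnxt_set_vf_bw hunks below, is only safe if the firmware latches the source-MAC check flag, which the commit message ties to spec 1.7.1 and later. Nothing in these hunks shows the driver refusing or special-casing older firmware. If older firmware is still supported, a later MAC, VLAN or bandwidth change would presumably send no spoof-check flag, and the VF's real anti-spoof state could drift from what `vf->flags & BNXT_VF_SPOOFCHK` reports. I would add a comment at this call site such as `/* req.flags stays 0: spoof-check flags are latched by firmware (spec >= 1.7.1) */` and confirm where the minimum spec is enforced. All three function bodies extend beyond their hunks.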
+@@ -235,7 +232,6 @@ int bnxt_set_vf_vlan(struct net_device *
+
+ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1);
+ req.fid = cpu_to_le16(vf->fw_fid);
+- req.flags = cpu_to_le32(vf->func_flags);
+ req.dflt_vlan = cpu_to_le16(vlan_tag);
+ req.enables = cpu_to_le32(FUNC_CFG_REQ_ENABLES_DFLT_VLAN);
+ rc = hwrm_send_message(bp, &req, sizeof(req), HWRM_CMD_TIMEOUT);
+@@ -274,7 +270,6 @@ int bnxt_set_vf_bw(struct net_device *de
+ return 0;
+ bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_FUNC_CFG, -1, -1);
+ req.fid = cpu_to_le16(vf->fw_fid);
+- req.flags = cpu_to_le32(vf->func_flags);
+ req.enables = cpu_to_le32(FUNC_CFG_REQ_ENABLES_MAX_BW);
+ req.max_bw = cpu_to_le32(max_tx_rate);
+ req.enables |= cpu_to_le32(FUNC_CFG_REQ_ENABLES_MIN_BW);
--- /dev/null
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sun, 26 Apr 2020 16:24:42 -0400
+Subject: bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features().
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit c72cb303aa6c2ae7e4184f0081c6d11bf03fb96b ]
+
+The current logic in bnxt_fix_features() will inadvertently turn on both
+CTAG and STAG VLAN offload if the user tries to disable both. Fix it
+by checking that the user is trying to enable CTAG or STAG before
+enabling both. The logic is supposed to enable or disable both CTAG and
+STAG together.
+
+Fixes: 5a9f6b238e59 ("bnxt_en: Enable and disable RX CTAG and RX STAG VLAN acceleration together.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -7562,6 +7562,7 @@ static netdev_features_t bnxt_fix_featur
+ netdev_features_t features)
+ {
+ struct bnxt *bp = netdev_priv(dev);
++ netdev_features_t vlan_features;
+
+ if ((features & NETIF_F_NTUPLE) && !bnxt_rfs_capable(bp))
+ features &= ~NETIF_F_NTUPLE;
+@@ -7578,12 +7579,14 @@ static netdev_features_t bnxt_fix_featur
+ /* Both CTAG and STAG VLAN accelaration on the RX side have to be
+ * turned on or off together.
+ */
+- if ((features & (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) !=
+- (NETIF_F_HW_VLAN_CTAG_RX | NETIF_F_HW_VLAN_STAG_RX)) {
++ vlan_features = features & (NETIF_F_HW_VLAN_CTAG_RX |
++ NETIF_F_HW_VLAN_STAG_RX);
++ if (vlan_features != (NETIF_F_HW_VLAN_CTAG_RX |
++ NETIF_F_HW_VLAN_STAG_RX)) {
+ if (dev->features & NETIF_F_HW_VLAN_CTAG_RX)
+ features &= ~(NETIF_F_HW_VLAN_CTAG_RX |
+ NETIF_F_HW_VLAN_STAG_RX);
+- else
++ else if (vlan_features)
+ features |= NETIF_F_HW_VLAN_CTAG_RX |
+ NETIF_F_HW_VLAN_STAG_RX;
+ }
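Review bot: The comment above this block still only says that CTAG and STAG RX acceleration are switched together, so the new `else if (vlan_features)` branch is unexplained. A reader has to work out that `vlan_features == 0` means the user asked to disable both, and that the request is then left as is. I would extend the existing comment with `/* If neither bit is requested the user is disabling both; leave them clear. */`. bnxt_fix_features starts and ends outside the hunk.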
--- /dev/null
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Michael Chan <michael.chan@broadcom.com>
+Date: Sun, 26 Apr 2020 16:24:40 -0400
+Subject: bnxt_en: Improve AER slot reset.
+
+From: Michael Chan <michael.chan@broadcom.com>
+
+[ Upstream commit bae361c54fb6ac6eba3b4762f49ce14beb73ef13 ]
+
+Improve the slot reset sequence by disabling the device to prevent bad
+DMAs if slot reset fails. Return the proper result instead of always
+PCI_ERS_RESULT_RECOVERED to the caller.
+
+Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.")
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -9300,8 +9300,11 @@ static pci_ers_result_t bnxt_io_slot_res
+ }
+ }
+
+- if (result != PCI_ERS_RESULT_RECOVERED && netif_running(netdev))
+- dev_close(netdev);
++ if (result != PCI_ERS_RESULT_RECOVERED) {
++ if (netif_running(netdev))
++ dev_close(netdev);
++ pci_disable_device(pdev);
++ }
+
+ rtnl_unlock();
+
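Review bot: `pci_disable_device(pdev)` now runs on every non-recovered path, which appears to include the case where re-enabling the device failed earlier in bnxt_io_slot_reset; that code is above the hunk, so this is inferred. Disabling a device whose enable never succeeded unbalances the PCI enable count and triggers the core's "already-disabled" warning. Guarding the call keeps the intent of stopping DMA without that side effect: `if (pci_is_enabled(pdev)) pci_disable_device(pdev);`. The function continues past the hunk, and the later `return result;` change depends on `result` being set correctly on each of those earlier paths.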
+@@ -9312,7 +9315,7 @@ static pci_ers_result_t bnxt_io_slot_res
+ err); /* non-fatal, continue */
+ }
+
+- return PCI_ERS_RESULT_RECOVERED;
++ return result;
+ }
+
+ /**
--- /dev/null
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Julia Lawall <Julia.Lawall@inria.fr>
+Date: Thu, 30 Apr 2020 21:51:32 +0200
+Subject: dp83640: reverse arguments to list_add_tail
+
+From: Julia Lawall <Julia.Lawall@inria.fr>
+
+[ Upstream commit 865308373ed49c9fb05720d14cbf1315349b32a9 ]
+
+In this code, it appears that phyter_clocks is a list head, based on
+the previous list_for_each, and that clock->list is intended to be a
+list element, given that it has just been initialized in
+dp83640_clock_init. Accordingly, switch the arguments to
+list_add_tail, which takes the list head as the second argument.
+
+Fixes: cb646e2b02b27 ("ptp: Added a clock driver for the National Semiconductor PHYTER.")
+Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/dp83640.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/phy/dp83640.c
++++ b/drivers/net/phy/dp83640.c
+@@ -1114,7 +1114,7 @@ static struct dp83640_clock *dp83640_clo
+ goto out;
+ }
+ dp83640_clock_init(clock, bus);
+- list_add_tail(&phyter_clocks, &clock->list);
++ list_add_tail(&clock->list, &phyter_clocks);
+ out:
+ mutex_unlock(&phyter_clocks_lock);
+
--- /dev/null
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 25 Apr 2020 12:40:25 -0700
+Subject: fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 14695212d4cd8b0c997f6121b6df8520038ce076 ]
+
+My intent was to not let users set a zero drop_batch_size,
+it seems I once again messed with min()/max().
+
+Fixes: 9d18562a2278 ("fq_codel: add batch ability to fq_codel_drop()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_fq_codel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sched/sch_fq_codel.c
++++ b/net/sched/sch_fq_codel.c
+@@ -429,7 +429,7 @@ static int fq_codel_change(struct Qdisc
+ q->quantum = max(256U, nla_get_u32(tb[TCA_FQ_CODEL_QUANTUM]));
+
+ if (tb[TCA_FQ_CODEL_DROP_BATCH_SIZE])
+- q->drop_batch_size = min(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE]));
++ q->drop_batch_size = max(1U, nla_get_u32(tb[TCA_FQ_CODEL_DROP_BATCH_SIZE]));
+
+ if (tb[TCA_FQ_CODEL_MEMORY_LIMIT])
+ q->memory_limit = min(1U << 31, nla_get_u32(tb[TCA_FQ_CODEL_MEMORY_LIMIT]));
--- /dev/null
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Scott Dial <scott@scottdial.com>
+Date: Fri, 24 Apr 2020 18:51:08 -0400
+Subject: net: macsec: preserve ingress frame ordering
+
+From: Scott Dial <scott@scottdial.com>
+
+[ Upstream commit ab046a5d4be4c90a3952a0eae75617b49c0cb01b ]
+
+MACsec decryption always occurs in a softirq context. Since
+the FPU may not be usable in the softirq context, the call to
+decrypt may be scheduled on the cryptd work queue. The cryptd
+work queue does not provide ordering guarantees. Therefore,
+preserving order requires masking out ASYNC implementations
+of gcm(aes).
+
+For instance, an Intel CPU with AES-NI makes available the
+generic-gcm-aesni driver from the aesni_intel module to
+implement gcm(aes). However, this implementation requires
+the FPU, so it is not always available to use from a softirq
+context, and will fallback to the cryptd work queue, which
+does not preserve frame ordering. With this change, such a
+system would select gcm_base(ctr(aes-aesni),ghash-generic).
+While the aes-aesni implementation prefers to use the FPU, it
+will fallback to the aes-asm implementation if unavailable.
+
+By using a synchronous version of gcm(aes), the decryption
+will complete before returning from crypto_aead_decrypt().
+Therefore, the macsec_decrypt_done() callback will be called
+before returning from macsec_decrypt(). Thus, the order of
+calls to macsec_post_decrypt() for the frames is preserved.
+
+While it's presumable that the pure AES-NI version of gcm(aes)
+is more performant, the hybrid solution is capable of gigabit
+speeds on modest hardware. Regardless, preserving the order
+of frames is paramount for many network protocols (e.g.,
+triggering TCP retries). Within the MACsec driver itself, the
+replay protection is tripped by the out-of-order frames, and
+can cause frames to be dropped.
+
+This bug has been present in this code since it was added in
+v4.6, however it may not have been noticed since not all CPUs
+have FPU offload available. Additionally, the bug manifests
+as occasional out-of-order packets that are easily
+misattributed to other network phenomena.
+
+When this code was added in v4.6, the crypto/gcm.c code did
+not restrict selection of the ghash function based on the
+ASYNC flag. For instance, x86 CPUs with PCLMULQDQ would
+select the ghash-clmulni driver instead of ghash-generic,
+which submits to the cryptd work queue if the FPU is busy.
+However, this bug was corrected in v4.8 by commit
+b30bdfa86431afbafe15284a3ad5ac19b49b88e3, and was backported
+all the way back to the v3.14 stable branch, so this patch
+should be applicable back to the v4.6 stable branch.
+
+Signed-off-by: Scott Dial <scott@scottdial.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -1313,7 +1313,8 @@ static struct crypto_aead *macsec_alloc_
+ struct crypto_aead *tfm;
+ int ret;
+
+- tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
++ /* Pick a sync gcm(aes) cipher to ensure order is preserved. */
++ tfm = crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC);
+
+ if (IS_ERR(tfm))
+ return tfm;
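Review bot: The added comment says a sync cipher is picked but not how, and `crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC)` is easy to misread as a request for an async implementation. The comment should spell out the type/mask idiom and what depends on it, for example `/* type 0 with mask CRYPTO_ALG_ASYNC admits only synchronous gcm(aes); out-of-order completion would trip replay protection and drop frames */`. The replay-protection consequence comes from the commit message and is worth keeping next to the code, since replacing this call with a faster async driver would silently reintroduce the problem. The function body continues outside the hunk.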
--- /dev/null
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Tariq Toukan <tariqt@mellanox.com>
+Date: Mon, 4 May 2020 11:36:02 +0300
+Subject: net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc()
+
+From: Tariq Toukan <tariqt@mellanox.com>
+
+[ Upstream commit 40e473071dbad04316ddc3613c3a3d1c75458299 ]
+
+When ENOSPC is set the idx is still valid and gets set to the global
+MLX4_SINK_COUNTER_INDEX. However gcc's static analysis cannot tell that
+ENOSPC is impossible from mlx4_cmd_imm() and gives this warning:
+
+drivers/net/ethernet/mellanox/mlx4/main.c:2552:28: warning: 'idx' may be
+used uninitialized in this function [-Wmaybe-uninitialized]
+ 2552 | priv->def_counter[port] = idx;
+
+Also, when ENOSPC is returned mlx4_allocate_default_counters should not
+fail.
+
+Fixes: 6de5f7f6a1fa ("net/mlx4_core: Allocate default counter per port")
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/main.c
++++ b/drivers/net/ethernet/mellanox/mlx4/main.c
+@@ -2539,6 +2539,7 @@ static int mlx4_allocate_default_counter
+
+ if (!err || err == -ENOSPC) {
+ priv->def_counter[port] = idx;
++ err = 0;
+ } else if (err == -ENOENT) {
+ err = 0;
+ continue;
+@@ -2589,7 +2590,8 @@ int mlx4_counter_alloc(struct mlx4_dev *
+ MLX4_CMD_TIME_CLASS_A, MLX4_CMD_WRAPPED);
+ if (!err)
+ *idx = get_param_l(&out_param);
+-
++ if (WARN_ON(err == -ENOSPC))
++ err = -EINVAL;
+ return err;
+ }
+ return __mlx4_counter_alloc(dev, idx);
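Review bot: `WARN_ON(err == -ENOSPC)` fires on every occurrence, and `err` here comes back from a wrapped command rather than from local logic, so a peer that ever returns this status could flood the log, or stop the machine where panic_on_warn is set. `if (WARN_ON_ONCE(err == -ENOSPC))` reports the anomaly equally well. The reason for the remap is also only in the commit message. A one-line comment such as `/* -ENOSPC is reserved for "sink counter assigned" and must not come from the command path */` would explain why the value is rewritten to `-EINVAL`. mlx4_counter_alloc starts above the hunk.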
--- /dev/null
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Moshe Shemesh <moshe@mellanox.com>
+Date: Sun, 23 Feb 2020 03:27:41 +0200
+Subject: net/mlx5: Fix command entry leak in Internal Error State
+
+From: Moshe Shemesh <moshe@mellanox.com>
+
+[ Upstream commit cece6f432cca9f18900463ed01b97a152a03600a ]
+
+Processing commands by cmd_work_handler() while already in Internal
+Error State will result in entry leak, since the handler process force
+completion without doorbell. Forced completion doesn't release the entry
+and event completion will never arrive, so entry should be released.
+
+Fixes: 73dd3a4839c1 ("net/mlx5: Avoid using pending command interface slots")
+Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -896,6 +896,10 @@ static void cmd_work_handler(struct work
+ MLX5_SET(mbox_out, ent->out, syndrome, drv_synd);
+
+ mlx5_cmd_comp_handler(dev, 1UL << ent->idx, true);
++ /* no doorbell, no need to keep the entry */
++ free_ent(cmd, ent->idx);
++ if (ent->callback)
++ free_cmd(ent);
+ return;
+ }
+
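Review bot: `ent->idx` and `ent->callback` are read after `mlx5_cmd_comp_handler()` has already force-completed the entry, and the hunk does not show what keeps `ent` alive across that call. If the forced completion wakes a synchronous waiter that owns and frees the entry, both reads would touch freed memory. Capturing the values before the handler call avoids depending on that: `int idx = ent->idx; bool has_cb = !!ent->callback;`, then `free_ent(cmd, idx);` and `if (has_cb) free_cmd(ent);`. It is also worth confirming that the handler never frees `ent` itself in the forced callback case. cmd_work_handler starts and ends outside the hunk, so the declarations would go at its top.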
--- /dev/null
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Moshe Shemesh <moshe@mellanox.com>
+Date: Sun, 21 Jul 2019 08:40:13 +0300
+Subject: net/mlx5: Fix forced completion access non initialized command entry
+
+From: Moshe Shemesh <moshe@mellanox.com>
+
+[ Upstream commit f3cb3cebe26ed4c8036adbd9448b372129d3c371 ]
+
+mlx5_cmd_flush() will trigger forced completions to all valid command
+entries. Triggered by an asynch event such as fast teardown it can
+happen at any stage of the command, including command initialization.
+It will trigger forced completion and that can lead to completion on an
+uninitialized command entry.
+
+Setting MLX5_CMD_ENT_STATE_PENDING_COMP only after command entry is
+initialized will ensure force completion is treated only if command
+entry is initialized.
+
+Fixes: 73dd3a4839c1 ("net/mlx5: Avoid using pending command interface slots")
+Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
+Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
+Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c
+@@ -862,7 +862,6 @@ static void cmd_work_handler(struct work
+ }
+
+ cmd->ent_arr[ent->idx] = ent;
+- set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state);
+ lay = get_inst(cmd, ent->idx);
+ ent->lay = lay;
+ memset(lay, 0, sizeof(*lay));
+@@ -884,6 +883,7 @@ static void cmd_work_handler(struct work
+
+ if (ent->callback)
+ schedule_delayed_work(&ent->cb_timeout_work, cb_timeout);
++ set_bit(MLX5_CMD_ENT_STATE_PENDING_COMP, &ent->state);
+
+ /* Skip sending command to fw if internal error */
+ if (pci_channel_offline(dev->pdev) ||
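Review bot: `set_bit()` is not a memory barrier, so moving it below the initialisation does not guarantee that a CPU which sees MLX5_CMD_ENT_STATE_PENDING_COMP also sees the stores to `ent->lay` and the rest of the entry. The flush path that tests the bit is outside this hunk, so the concurrency is inferred from the commit message. If it can run on another CPU, add `smp_mb__before_atomic();` immediately before the `set_bit()` line, with a comment naming the reader it pairs with. `schedule_delayed_work()` is only reached for callback commands, so it cannot supply the ordering for synchronous ones.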
--- /dev/null
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Willem de Bruijn <willemb@google.com>
+Date: Mon, 4 May 2020 12:48:54 -0400
+Subject: net: stricter validation of untrusted gso packets
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 9274124f023b5c56dc4326637d4f787968b03607 ]
+
+Syzkaller again found a path to a kernel crash through bad gso input:
+a packet with transport header extending beyond skb_headlen(skb).
+
+Tighten validation at kernel entry:
+
+- Verify that the transport header lies within the linear section.
+
+ To avoid pulling linux/tcp.h, verify just sizeof tcphdr.
+ tcp_gso_segment will call pskb_may_pull (th->doff * 4) before use.
+
+- Match the gso_type against the ip_proto found by the flow dissector.
+
+Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/virtio_net.h | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -3,6 +3,8 @@
+ #define _LINUX_VIRTIO_NET_H
+
+ #include <linux/if_vlan.h>
++#include <uapi/linux/tcp.h>
++#include <uapi/linux/udp.h>
+ #include <uapi/linux/virtio_net.h>
+
+ static inline int virtio_net_hdr_set_proto(struct sk_buff *skb,
+@@ -28,17 +30,25 @@ static inline int virtio_net_hdr_to_skb(
+ bool little_endian)
+ {
+ unsigned int gso_type = 0;
++ unsigned int thlen = 0;
++ unsigned int ip_proto;
+
+ if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
+ switch (hdr->gso_type & ~VIRTIO_NET_HDR_GSO_ECN) {
+ case VIRTIO_NET_HDR_GSO_TCPV4:
+ gso_type = SKB_GSO_TCPV4;
++ ip_proto = IPPROTO_TCP;
++ thlen = sizeof(struct tcphdr);
+ break;
+ case VIRTIO_NET_HDR_GSO_TCPV6:
+ gso_type = SKB_GSO_TCPV6;
++ ip_proto = IPPROTO_TCP;
++ thlen = sizeof(struct tcphdr);
+ break;
+ case VIRTIO_NET_HDR_GSO_UDP:
+ gso_type = SKB_GSO_UDP;
++ ip_proto = IPPROTO_UDP;
++ thlen = sizeof(struct udphdr);
+ break;
+ default:
+ return -EINVAL;
+@@ -57,16 +67,22 @@ static inline int virtio_net_hdr_to_skb(
+
+ if (!skb_partial_csum_set(skb, start, off))
+ return -EINVAL;
++
++ if (skb_transport_offset(skb) + thlen > skb_headlen(skb))
++ return -EINVAL;
+ } else {
+ /* gso packets without NEEDS_CSUM do not set transport_offset.
+ * probe and drop if does not match one of the above types.
+ */
+ if (gso_type && skb->network_header) {
++ struct flow_keys_basic keys;
++
+ if (!skb->protocol)
+ virtio_net_hdr_set_proto(skb, hdr);
+ retry:
+- skb_probe_transport_header(skb, -1);
+- if (!skb_transport_header_was_set(skb)) {
++ if (!skb_flow_dissect_flow_keys_basic(skb, &keys,
++ NULL, 0, 0, 0,
++ 0)) {
+ /* UFO does not specify ipv4 or 6: try both */
+ if (gso_type & SKB_GSO_UDP &&
+ skb->protocol == htons(ETH_P_IP)) {
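Review bot: Both new length checks, `skb_transport_offset(skb) + thlen > skb_headlen(skb)` in this hunk and `keys.control.thoff + thlen > skb_headlen(skb)` in the next, bound only the fixed-size part of the transport header, and neither site says so. The commit message explains that TCP options are covered later by `pskb_may_pull(th->doff * 4)` in tcp_gso_segment. That belongs next to the check, because someone auditing this entry point for untrusted input would otherwise assume the whole header is validated here. Suggested comment at the first check: `/* thlen is the minimum header size only; variable-length parts are validated by the gso segmentation code */`. virtio_net_hdr_to_skb continues outside the hunk.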
+@@ -75,6 +91,12 @@ retry:
+ }
+ return -EINVAL;
+ }
++
++ if (keys.control.thoff + thlen > skb_headlen(skb) ||
++ keys.basic.ip_proto != ip_proto)
++ return -EINVAL;
++
++ skb_set_transport_header(skb, keys.control.thoff);
+ }
+ }
+
--- /dev/null
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Matt Jolly <Kangie@footclan.ninja>
+Date: Sun, 3 May 2020 01:52:28 +1000
+Subject: net: usb: qmi_wwan: add support for DW5816e
+
+From: Matt Jolly <Kangie@footclan.ninja>
+
+[ Upstream commit 57c7f2bd758eed867295c81d3527fff4fab1ed74 ]
+
+Add support for Dell Wireless 5816e to drivers/net/usb/qmi_wwan.c
+
+Signed-off-by: Matt Jolly <Kangie@footclan.ninja>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1294,6 +1294,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x413c, 0x81b3, 8)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
+ {QMI_FIXED_INTF(0x413c, 0x81b6, 8)}, /* Dell Wireless 5811e */
+ {QMI_FIXED_INTF(0x413c, 0x81b6, 10)}, /* Dell Wireless 5811e */
++ {QMI_FIXED_INTF(0x413c, 0x81cc, 8)}, /* Dell Wireless 5816e */
+ {QMI_FIXED_INTF(0x413c, 0x81d7, 0)}, /* Dell Wireless 5821e */
+ {QMI_FIXED_INTF(0x413c, 0x81d7, 1)}, /* Dell Wireless 5821e preproduction config */
+ {QMI_FIXED_INTF(0x413c, 0x81e0, 0)}, /* Dell Wireless 5821e with eSIM support*/
--- /dev/null
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 2 May 2020 20:09:25 -0700
+Subject: net_sched: sch_skbprio: add message validation to skbprio_change()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2761121af87de45951989a0adada917837d8fa82 ]
+
+Do not assume the attribute has the right size.
+
+Fixes: aea5f654e6b7 ("net/sched: add skbprio scheduler")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_skbprio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sched/sch_skbprio.c
++++ b/net/sched/sch_skbprio.c
+@@ -173,6 +173,9 @@ static int skbprio_change(struct Qdisc *
+ {
+ struct tc_skbprio_qopt *ctl = nla_data(opt);
+
++ if (opt->nla_len != nla_attr_size(sizeof(*ctl)))
++ return -EINVAL;
++
+ sch->limit = ctl->limit;
+ return 0;
+ }
--- /dev/null
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sat, 25 Apr 2020 15:19:51 -0700
+Subject: sch_choke: avoid potential panic in choke_reset()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 8738c85c72b3108c9b9a369a39868ba5f8e10ae0 ]
+
+If choke_init() could not allocate q->tab, we would crash later
+in choke_reset().
+
+BUG: KASAN: null-ptr-deref in memset include/linux/string.h:366 [inline]
+BUG: KASAN: null-ptr-deref in choke_reset+0x208/0x340 net/sched/sch_choke.c:326
+Write of size 8 at addr 0000000000000000 by task syz-executor822/7022
+
+CPU: 1 PID: 7022 Comm: syz-executor822 Not tainted 5.7.0-rc1-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x188/0x20d lib/dump_stack.c:118
+ __kasan_report.cold+0x5/0x4d mm/kasan/report.c:515
+ kasan_report+0x33/0x50 mm/kasan/common.c:625
+ check_memory_region_inline mm/kasan/generic.c:187 [inline]
+ check_memory_region+0x141/0x190 mm/kasan/generic.c:193
+ memset+0x20/0x40 mm/kasan/common.c:85
+ memset include/linux/string.h:366 [inline]
+ choke_reset+0x208/0x340 net/sched/sch_choke.c:326
+ qdisc_reset+0x6b/0x520 net/sched/sch_generic.c:910
+ dev_deactivate_queue.constprop.0+0x13c/0x240 net/sched/sch_generic.c:1138
+ netdev_for_each_tx_queue include/linux/netdevice.h:2197 [inline]
+ dev_deactivate_many+0xe2/0xba0 net/sched/sch_generic.c:1195
+ dev_deactivate+0xf8/0x1c0 net/sched/sch_generic.c:1233
+ qdisc_graft+0xd25/0x1120 net/sched/sch_api.c:1051
+ tc_modify_qdisc+0xbab/0x1a00 net/sched/sch_api.c:1670
+ rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5454
+ netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
+ netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
+ netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
+ netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2416
+ __sys_sendmsg+0xec/0x1b0 net/socket.c:2449
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+
+Fixes: 77e62da6e60c ("sch_choke: drop all packets in queue during reset")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_choke.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_choke.c
++++ b/net/sched/sch_choke.c
+@@ -327,7 +327,8 @@ static void choke_reset(struct Qdisc *sc
+
+ sch->q.qlen = 0;
+ sch->qstats.backlog = 0;
+- memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *));
++ if (q->tab)
++ memset(q->tab, 0, (q->tab_mask + 1) * sizeof(struct sk_buff *));
+ q->head = q->tail = 0;
+ red_restart(&q->vars);
+ }
--- /dev/null
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 26 Apr 2020 18:19:07 -0700
+Subject: sch_sfq: validate silly quantum values
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit df4953e4e997e273501339f607b77953772e3559 ]
+
+syzbot managed to set up sfq so that q->scaled_quantum was zero,
+triggering an infinite loop in sfq_dequeue()
+
+More generally, we must only accept quantum between 1 and 2^18 - 7,
+meaning scaled_quantum must be in [1, 0x7FFF] range.
+
+Otherwise, we also could have a loop in sfq_dequeue()
+if scaled_quantum happens to be 0x8000, since slot->allot
+could indefinitely switch between 0 and 0x8000.
+
+Fixes: eeaeb068f139 ("sch_sfq: allow big packets and be fair")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot+0251e883fe39e7a0cb0a@syzkaller.appspotmail.com
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_sfq.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/sched/sch_sfq.c
++++ b/net/sched/sch_sfq.c
+@@ -641,6 +641,15 @@ static int sfq_change(struct Qdisc *sch,
+ if (ctl->divisor &&
+ (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536))
+ return -EINVAL;
++
++ /* slot->allot is a short, make sure quantum is not too big. */
++ if (ctl->quantum) {
++ unsigned int scaled = SFQ_ALLOT_SIZE(ctl->quantum);
++
++ if (scaled <= 0 || scaled > SHRT_MAX)
++ return -EINVAL;
++ }
++
+ if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
+ ctl_v1->Wlog))
+ return -EINVAL;
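Review bot: `scaled` is declared `unsigned int`, so `scaled <= 0` can only ever mean zero; `if (!scaled || scaled > SHRT_MAX)` states the condition that is actually tested. The check is also skipped when `ctl->quantum` is zero, in which case the qdisc presumably keeps its existing quantum. Where that value is set is outside the hunk, so confirm it also satisfies the [1, 0x7FFF] scaled range the commit message requires. A short comment on the `if (ctl->quantum)` line explaining what a zero quantum means would help. sfq_change extends beyond the hunk.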
usb-serial-qcserial-add-dw5816e-support.patch
tracing-kprobes-fix-a-double-initialization-typo.patch
vt-fix-unicode-console-freeing-with-a-common-interfa.patch
+dp83640-reverse-arguments-to-list_add_tail.patch
+fq_codel-fix-tca_fq_codel_drop_batch_size-sanity-checks.patch
+net-macsec-preserve-ingress-frame-ordering.patch
+net-mlx4_core-fix-use-of-enospc-around-mlx4_counter_alloc.patch
+net_sched-sch_skbprio-add-message-validation-to-skbprio_change.patch
+net-usb-qmi_wwan-add-support-for-dw5816e.patch
+sch_choke-avoid-potential-panic-in-choke_reset.patch
+sch_sfq-validate-silly-quantum-values.patch
+tipc-fix-partial-topology-connection-closure.patch
+bnxt_en-fix-vlan-acceleration-handling-in-bnxt_fix_features.patch
+net-mlx5-fix-forced-completion-access-non-initialized-command-entry.patch
+net-mlx5-fix-command-entry-leak-in-internal-error-state.patch
+bnxt_en-improve-aer-slot-reset.patch
+bnxt_en-fix-vf-anti-spoof-filter-setup.patch
+net-stricter-validation-of-untrusted-gso-packets.patch
--- /dev/null
+From foo@baz Tue 12 May 2020 10:57:53 AM CEST
+From: Tuong Lien <tuong.t.lien@dektech.com.au>
+Date: Mon, 4 May 2020 11:15:54 +0700
+Subject: tipc: fix partial topology connection closure
+
+From: Tuong Lien <tuong.t.lien@dektech.com.au>
+
+[ Upstream commit 980d69276f3048af43a045be2925dacfb898a7be ]
+
+When an application connects to the TIPC topology server and subscribes
+to some services, a new connection is created along with some objects -
+'tipc_subscription' to store related data correspondingly...
+However, there is one omission in the connection handling that when the
+connection or application is orderly shutdown (e.g. via SIGQUIT, etc.),
+the connection is not closed in kernel, the 'tipc_subscription' objects
+are not freed too.
+This results in:
+- The maximum number of subscriptions (65535) will be reached soon, new
+subscriptions will be rejected;
+- TIPC module cannot be removed (unless the objects are somehow forced
+to release first);
+
+The commit fixes the issue by closing the connection if the 'recvmsg()'
+returns '0' i.e. when the peer is shutdown gracefully. It also includes
+the other unexpected cases.
+
+Acked-by: Jon Maloy <jmaloy@redhat.com>
+Acked-by: Ying Xue <ying.xue@windriver.com>
+Signed-off-by: Tuong Lien <tuong.t.lien@dektech.com.au>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/topsrv.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/topsrv.c
++++ b/net/tipc/topsrv.c
+@@ -409,10 +409,11 @@ static int tipc_conn_rcv_from_sock(struc
+ read_lock_bh(&sk->sk_callback_lock);
+ ret = tipc_conn_rcv_sub(srv, con, &s);
+ read_unlock_bh(&sk->sk_callback_lock);
++ if (!ret)
++ return 0;
+ }
+- if (ret < 0)
+- tipc_conn_close(con);
+
++ tipc_conn_close(con);
+ return ret;
+ }
+
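Review bot: The return value no longer tells the caller whether the connection was closed. Per the commit message, a zero from `recvmsg()` on peer shutdown now reaches `tipc_conn_close(con)` and is returned as 0, the same value as a handled subscription, and a short read would be closed and returned as a positive count. The receive call and the caller's loop are outside the hunk, so check whether that loop keys off the return value or off connection state. I would document the contract above the function, for example `/* Closes the connection on every path except a successfully handled request; a 0 return does not imply the connection is still open. */`.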