--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Vishal Kulkarni <vishal@chelsio.com>
+Date: Wed, 22 Apr 2020 21:20:07 +0530
+Subject: cxgb4: fix adapter crash due to wrong MC size
+
+From: Vishal Kulkarni <vishal@chelsio.com>
+
+[ Upstream commit ce222748078592afb51b810dc154531aeba4f512 ]
+
+In the absence of MC1, the size calculation function
+cudbg_mem_region_size() was returing wrong MC size and
+resulted in adapter crash. This patch adds new argument
+to cudbg_mem_region_size() which will have actual size
+and returns error to caller in the absence of MC1.
+
+Fixes: a1c69520f785 ("cxgb4: collect MC memory dump")
+Signed-off-by: Vishal Kulkarni <vishal@chelsio.com>"
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cudbg_lib.c | 27 ++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cudbg_lib.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cudbg_lib.c
+@@ -1049,9 +1049,9 @@ static void cudbg_t4_fwcache(struct cudb
+ }
+ }
+
+-static unsigned long cudbg_mem_region_size(struct cudbg_init *pdbg_init,
+- struct cudbg_error *cudbg_err,
+- u8 mem_type)
++static int cudbg_mem_region_size(struct cudbg_init *pdbg_init,
++ struct cudbg_error *cudbg_err,
++ u8 mem_type, unsigned long *region_size)
+ {
+ struct adapter *padap = pdbg_init->adap;
+ struct cudbg_meminfo mem_info;
+@@ -1060,15 +1060,23 @@ static unsigned long cudbg_mem_region_si
+
+ memset(&mem_info, 0, sizeof(struct cudbg_meminfo));
+ rc = cudbg_fill_meminfo(padap, &mem_info);
+- if (rc)
++ if (rc) {
++ cudbg_err->sys_err = rc;
+ return rc;
++ }
+
+ cudbg_t4_fwcache(pdbg_init, cudbg_err);
+ rc = cudbg_meminfo_get_mem_index(padap, &mem_info, mem_type, &mc_idx);
+- if (rc)
++ if (rc) {
++ cudbg_err->sys_err = rc;
+ return rc;
++ }
++
++ if (region_size)
++ *region_size = mem_info.avail[mc_idx].limit -
++ mem_info.avail[mc_idx].base;
+
+- return mem_info.avail[mc_idx].limit - mem_info.avail[mc_idx].base;
++ return 0;
+ }
+
+ static int cudbg_collect_mem_region(struct cudbg_init *pdbg_init,
+@@ -1076,7 +1084,12 @@ static int cudbg_collect_mem_region(stru
+ struct cudbg_error *cudbg_err,
+ u8 mem_type)
+ {
+- unsigned long size = cudbg_mem_region_size(pdbg_init, cudbg_err, mem_type);
++ unsigned long size = 0;
++ int rc;
++
++ rc = cudbg_mem_region_size(pdbg_init, cudbg_err, mem_type, &size);
++ if (rc)
++ return rc;
+
+ return cudbg_read_fw_mem(pdbg_init, dbg_buff, mem_type, size,
+ cudbg_err);
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+Date: Mon, 20 Apr 2020 15:26:54 +0530
+Subject: cxgb4: fix large delays in PTP synchronization
+
+From: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+
+[ Upstream commit bd019427bf3623ee3c7d2845cf921bbf4c14846c ]
+
+Fetching PTP sync information from mailbox is slow and can take
+up to 10 milliseconds. Reduce this unnecessary delay by directly
+reading the information from the corresponding registers.
+
+Fixes: 9c33e4208bce ("cxgb4: Add PTP Hardware Clock (PHC) support")
+Signed-off-by: Manoj Malviya <manojmalviya@chelsio.com>
+Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_ptp.c | 27 +++++--------------------
+ drivers/net/ethernet/chelsio/cxgb4/t4_regs.h | 3 ++
+ 2 files changed, 9 insertions(+), 21 deletions(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ptp.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ptp.c
+@@ -311,32 +311,17 @@ static int cxgb4_ptp_adjtime(struct ptp_
+ */
+ static int cxgb4_ptp_gettime(struct ptp_clock_info *ptp, struct timespec64 *ts)
+ {
+- struct adapter *adapter = (struct adapter *)container_of(ptp,
+- struct adapter, ptp_clock_info);
+- struct fw_ptp_cmd c;
++ struct adapter *adapter = container_of(ptp, struct adapter,
++ ptp_clock_info);
+ u64 ns;
+- int err;
+
+- memset(&c, 0, sizeof(c));
+- c.op_to_portid = cpu_to_be32(FW_CMD_OP_V(FW_PTP_CMD) |
+- FW_CMD_REQUEST_F |
+- FW_CMD_READ_F |
+- FW_PTP_CMD_PORTID_V(0));
+- c.retval_len16 = cpu_to_be32(FW_CMD_LEN16_V(sizeof(c) / 16));
+- c.u.ts.sc = FW_PTP_SC_GET_TIME;
+-
+- err = t4_wr_mbox(adapter, adapter->mbox, &c, sizeof(c), &c);
+- if (err < 0) {
+- dev_err(adapter->pdev_dev,
+- "PTP: %s error %d\n", __func__, -err);
+- return err;
+- }
++ ns = t4_read_reg(adapter, T5_PORT_REG(0, MAC_PORT_PTP_SUM_LO_A));
++ ns |= (u64)t4_read_reg(adapter,
++ T5_PORT_REG(0, MAC_PORT_PTP_SUM_HI_A)) << 32;
+
+ /* convert to timespec*/
+- ns = be64_to_cpu(c.u.ts.tm);
+ *ts = ns_to_timespec64(ns);
+-
+- return err;
++ return 0;
+ }
+
+ /**
+--- a/drivers/net/ethernet/chelsio/cxgb4/t4_regs.h
++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_regs.h
+@@ -1900,6 +1900,9 @@
+
+ #define MAC_PORT_CFG2_A 0x818
+
++#define MAC_PORT_PTP_SUM_LO_A 0x990
++#define MAC_PORT_PTP_SUM_HI_A 0x994
++
+ #define MPS_CMN_CTL_A 0x9000
+
+ #define COUNTPAUSEMCRX_S 5
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Wed, 22 Apr 2020 17:29:51 +0200
+Subject: geneve: use the correct nlattr array in NL_SET_ERR_MSG_ATTR
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit 9a7b5b50de8a764671ba1800fe4c52d3b7013901 ]
+
+IFLA_GENEVE_* attributes are in the data array, which is correctly
+used when fetching the value, but not when setting the extended
+ack. Because IFLA_GENEVE_MAX < IFLA_MAX, we avoid out of bounds
+array accesses, but we don't provide a pointer to the invalid
+attribute to userspace.
+
+Fixes: a025fb5f49ad ("geneve: Allow configuration of DF behaviour")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/geneve.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -1207,7 +1207,7 @@ static int geneve_validate(struct nlattr
+ enum ifla_geneve_df df = nla_get_u8(data[IFLA_GENEVE_DF]);
+
+ if (df < 0 || df > GENEVE_DF_MAX) {
+- NL_SET_ERR_MSG_ATTR(extack, tb[IFLA_GENEVE_DF],
++ NL_SET_ERR_MSG_ATTR(extack, data[IFLA_GENEVE_DF],
+ "Invalid DF attribute");
+ return -EINVAL;
+ }
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: David Ahern <dsahern@gmail.com>
+Date: Wed, 22 Apr 2020 15:40:20 -0600
+Subject: ipv4: Update fib_select_default to handle nexthop objects
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit 7c74b0bec918c1e0ca0b4208038c156eacf8f13f ]
+
+A user reported [0] hitting the WARN_ON in fib_info_nh:
+
+ [ 8633.839816] ------------[ cut here ]------------
+ [ 8633.839819] WARNING: CPU: 0 PID: 1719 at include/net/nexthop.h:251 fib_select_path+0x303/0x381
+ ...
+ [ 8633.839846] RIP: 0010:fib_select_path+0x303/0x381
+ ...
+ [ 8633.839848] RSP: 0018:ffffb04d407f7d00 EFLAGS: 00010286
+ [ 8633.839850] RAX: 0000000000000000 RBX: ffff9460b9897ee8 RCX: 00000000000000fe
+ [ 8633.839851] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000
+ [ 8633.839852] RBP: ffff946076049850 R08: 0000000059263a83 R09: ffff9460840e4000
+ [ 8633.839853] R10: 0000000000000014 R11: 0000000000000000 R12: ffffb04d407f7dc0
+ [ 8633.839854] R13: ffffffffa4ce3240 R14: 0000000000000000 R15: ffff9460b7681f60
+ [ 8633.839857] FS: 00007fcac2e02700(0000) GS:ffff9460bdc00000(0000) knlGS:0000000000000000
+ [ 8633.839858] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 8633.839859] CR2: 00007f27beb77e28 CR3: 0000000077734000 CR4: 00000000000006f0
+ [ 8633.839867] Call Trace:
+ [ 8633.839871] ip_route_output_key_hash_rcu+0x421/0x890
+ [ 8633.839873] ip_route_output_key_hash+0x5e/0x80
+ [ 8633.839876] ip_route_output_flow+0x1a/0x50
+ [ 8633.839878] __ip4_datagram_connect+0x154/0x310
+ [ 8633.839880] ip4_datagram_connect+0x28/0x40
+ [ 8633.839882] __sys_connect+0xd6/0x100
+ ...
+
+The WARN_ON is triggered in fib_select_default which is invoked when
+there are multiple default routes. Update the function to use
+fib_info_nhc and convert the nexthop checks to use fib_nh_common.
+
+Add test case that covers the affected code path.
+
+[0] https://github.com/FRRouting/frr/issues/6089
+
+Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/fib_semantics.c | 6 +++---
+ tools/testing/selftests/net/fib_nexthops.sh | 23 +++++++++++++++++++++++
+ 2 files changed, 26 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -2012,7 +2012,7 @@ static void fib_select_default(const str
+
+ hlist_for_each_entry_rcu(fa, fa_head, fa_list) {
+ struct fib_info *next_fi = fa->fa_info;
+- struct fib_nh *nh;
++ struct fib_nh_common *nhc;
+
+ if (fa->fa_slen != slen)
+ continue;
+@@ -2035,8 +2035,8 @@ static void fib_select_default(const str
+ fa->fa_type != RTN_UNICAST)
+ continue;
+
+- nh = fib_info_nh(next_fi, 0);
+- if (!nh->fib_nh_gw4 || nh->fib_nh_scope != RT_SCOPE_LINK)
++ nhc = fib_info_nhc(next_fi, 0);
++ if (!nhc->nhc_gw_family || nhc->nhc_scope != RT_SCOPE_LINK)
+ continue;
+
+ fib_alias_accessed(fa);
+--- a/tools/testing/selftests/net/fib_nexthops.sh
++++ b/tools/testing/selftests/net/fib_nexthops.sh
+@@ -749,6 +749,29 @@ ipv4_fcnal_runtime()
+ run_cmd "ip netns exec me ping -c1 -w1 172.16.101.1"
+ log_test $? 0 "Ping - multipath"
+
++ run_cmd "$IP ro delete 172.16.101.1/32 nhid 122"
++
++ #
++ # multiple default routes
++ # - tests fib_select_default
++ run_cmd "$IP nexthop add id 501 via 172.16.1.2 dev veth1"
++ run_cmd "$IP ro add default nhid 501"
++ run_cmd "$IP ro add default via 172.16.1.3 dev veth1 metric 20"
++ run_cmd "ip netns exec me ping -c1 -w1 172.16.101.1"
++ log_test $? 0 "Ping - multiple default routes, nh first"
++
++ # flip the order
++ run_cmd "$IP ro del default nhid 501"
++ run_cmd "$IP ro del default via 172.16.1.3 dev veth1 metric 20"
++ run_cmd "$IP ro add default via 172.16.1.2 dev veth1 metric 20"
++ run_cmd "$IP nexthop replace id 501 via 172.16.1.3 dev veth1"
++ run_cmd "$IP ro add default nhid 501 metric 20"
++ run_cmd "ip netns exec me ping -c1 -w1 172.16.101.1"
++ log_test $? 0 "Ping - multiple default routes, nh second"
++
++ run_cmd "$IP nexthop delete nhid 501"
++ run_cmd "$IP ro del default"
++
+ #
+ # IPv4 with blackhole nexthops
+ #
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: John Haxby <john.haxby@oracle.com>
+Date: Sat, 18 Apr 2020 16:30:49 +0100
+Subject: ipv6: fix restrict IPV6_ADDRFORM operation
+
+From: John Haxby <john.haxby@oracle.com>
+
+[ Upstream commit 82c9ae440857840c56e05d4fb1427ee032531346 ]
+
+Commit b6f6118901d1 ("ipv6: restrict IPV6_ADDRFORM operation") fixed a
+problem found by syzbot an unfortunate logic error meant that it
+also broke IPV6_ADDRFORM.
+
+Rearrange the checks so that the earlier test is just one of the series
+of checks made before moving the socket from IPv6 to IPv4.
+
+Fixes: b6f6118901d1 ("ipv6: restrict IPV6_ADDRFORM operation")
+Signed-off-by: John Haxby <john.haxby@oracle.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ipv6_sockglue.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -183,15 +183,14 @@ static int do_ipv6_setsockopt(struct soc
+ retv = -EBUSY;
+ break;
+ }
+- } else if (sk->sk_protocol == IPPROTO_TCP) {
+- if (sk->sk_prot != &tcpv6_prot) {
+- retv = -EBUSY;
+- break;
+- }
+- break;
+- } else {
++ }
++ if (sk->sk_protocol == IPPROTO_TCP &&
++ sk->sk_prot != &tcpv6_prot) {
++ retv = -EBUSY;
+ break;
+ }
++ if (sk->sk_protocol != IPPROTO_TCP)
++ break;
+ if (sk->sk_state != TCP_ESTABLISHED) {
+ retv = -ENOTCONN;
+ break;
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Thu, 23 Apr 2020 13:40:47 +0000
+Subject: macsec: avoid to set wrong mtu
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 7f327080364abccf923fa5a5b24e038eb0ba1407 ]
+
+When a macsec interface is created, the mtu is calculated with the lower
+interface's mtu value.
+If the mtu of lower interface is lower than the length, which is needed
+by macsec interface, macsec's mtu value will be overflowed.
+So, if the lower interface's mtu is too low, macsec interface's mtu
+should be set to 0.
+
+Test commands:
+ ip link add dummy0 mtu 10 type dummy
+ ip link add macsec0 link dummy0 type macsec
+ ip link show macsec0
+
+Before:
+ 11: macsec0@dummy0: <BROADCAST,MULTICAST,M-DOWN> mtu 4294967274
+After:
+ 11: macsec0@dummy0: <BROADCAST,MULTICAST,M-DOWN> mtu 0
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -3658,11 +3658,11 @@ static int macsec_newlink(struct net *ne
+ struct netlink_ext_ack *extack)
+ {
+ struct macsec_dev *macsec = macsec_priv(dev);
++ rx_handler_func_t *rx_handler;
++ u8 icv_len = DEFAULT_ICV_LEN;
+ struct net_device *real_dev;
+- int err;
++ int err, mtu;
+ sci_t sci;
+- u8 icv_len = DEFAULT_ICV_LEN;
+- rx_handler_func_t *rx_handler;
+
+ if (!tb[IFLA_LINK])
+ return -EINVAL;
+@@ -3681,7 +3681,11 @@ static int macsec_newlink(struct net *ne
+
+ if (data && data[IFLA_MACSEC_ICV_LEN])
+ icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
+- dev->mtu = real_dev->mtu - icv_len - macsec_extra_len(true);
++ mtu = real_dev->mtu - icv_len - macsec_extra_len(true);
++ if (mtu < 0)
++ dev->mtu = 0;
++ else
++ dev->mtu = mtu;
+
+ rx_handler = rtnl_dereference(real_dev->rx_handler);
+ if (rx_handler && rx_handler != macsec_handle_frame)
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Mon, 20 Apr 2020 13:29:40 +0000
+Subject: macvlan: fix null dereference in macvlan_device_event()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 4dee15b4fd0d61ec6bbd179238191e959d34cf7a ]
+
+In the macvlan_device_event(), the list_first_entry_or_null() is used.
+This function could return null pointer if there is no node.
+But, the macvlan module doesn't check the null pointer.
+So, null-ptr-deref would occur.
+
+ bond0
+ |
+ +----+-----+
+ | |
+macvlan0 macvlan1
+ | |
+ dummy0 dummy1
+
+The problem scenario.
+If dummy1 is removed,
+1. ->dellink() of dummy1 is called.
+2. NETDEV_UNREGISTER of dummy1 notification is sent to macvlan module.
+3. ->dellink() of macvlan1 is called.
+4. NETDEV_UNREGISTER of macvlan1 notification is sent to bond module.
+5. __bond_release_one() is called and it internally calls
+ dev_set_mac_address().
+6. dev_set_mac_address() calls the ->ndo_set_mac_address() of macvlan1,
+ which is macvlan_set_mac_address().
+7. macvlan_set_mac_address() calls the dev_set_mac_address() with dummy1.
+8. NETDEV_CHANGEADDR of dummy1 is sent to macvlan module.
+9. In the macvlan_device_event(), it calls list_first_entry_or_null().
+At this point, dummy1 and macvlan1 were removed.
+So, list_first_entry_or_null() will return NULL.
+
+Test commands:
+ ip netns add nst
+ ip netns exec nst ip link add bond0 type bond
+ for i in {0..10}
+ do
+ ip netns exec nst ip link add dummy$i type dummy
+ ip netns exec nst ip link add macvlan$i link dummy$i \
+ type macvlan mode passthru
+ ip netns exec nst ip link set macvlan$i master bond0
+ done
+ ip netns del nst
+
+Splat looks like:
+[ 40.585687][ T146] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEI
+[ 40.587249][ T146] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+[ 40.588342][ T146] CPU: 1 PID: 146 Comm: kworker/u8:2 Not tainted 5.7.0-rc1+ #532
+[ 40.589299][ T146] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[ 40.590469][ T146] Workqueue: netns cleanup_net
+[ 40.591045][ T146] RIP: 0010:macvlan_device_event+0x4e2/0x900 [macvlan]
+[ 40.591905][ T146] Code: 00 00 00 00 00 fc ff df 80 3c 06 00 0f 85 45 02 00 00 48 89 da 48 b8 00 00 00 00 00 fc ff d2
+[ 40.594126][ T146] RSP: 0018:ffff88806116f4a0 EFLAGS: 00010246
+[ 40.594783][ T146] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
+[ 40.595653][ T146] RDX: 0000000000000000 RSI: ffff88806547ddd8 RDI: ffff8880540f1360
+[ 40.596495][ T146] RBP: ffff88804011a808 R08: fffffbfff4fb8421 R09: fffffbfff4fb8421
+[ 40.597377][ T146] R10: ffffffffa7dc2107 R11: 0000000000000000 R12: 0000000000000008
+[ 40.598186][ T146] R13: ffff88804011a000 R14: ffff8880540f1000 R15: 1ffff1100c22de9a
+[ 40.599012][ T146] FS: 0000000000000000(0000) GS:ffff888067800000(0000) knlGS:0000000000000000
+[ 40.600004][ T146] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 40.600665][ T146] CR2: 00005572d3a807b8 CR3: 000000005fcf4003 CR4: 00000000000606e0
+[ 40.601485][ T146] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 40.602461][ T146] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 40.603443][ T146] Call Trace:
+[ 40.603871][ T146] ? nf_tables_dump_setelem+0xa0/0xa0 [nf_tables]
+[ 40.604587][ T146] ? macvlan_uninit+0x100/0x100 [macvlan]
+[ 40.605212][ T146] ? __module_text_address+0x13/0x140
+[ 40.605842][ T146] notifier_call_chain+0x90/0x160
+[ 40.606477][ T146] dev_set_mac_address+0x28e/0x3f0
+[ 40.607117][ T146] ? netdev_notify_peers+0xc0/0xc0
+[ 40.607762][ T146] ? __module_text_address+0x13/0x140
+[ 40.608440][ T146] ? notifier_call_chain+0x90/0x160
+[ 40.609097][ T146] ? dev_set_mac_address+0x1f0/0x3f0
+[ 40.609758][ T146] dev_set_mac_address+0x1f0/0x3f0
+[ 40.610402][ T146] ? __local_bh_enable_ip+0xe9/0x1b0
+[ 40.611071][ T146] ? bond_hw_addr_flush+0x77/0x100 [bonding]
+[ 40.611823][ T146] ? netdev_notify_peers+0xc0/0xc0
+[ 40.612461][ T146] ? bond_hw_addr_flush+0x77/0x100 [bonding]
+[ 40.613213][ T146] ? bond_hw_addr_flush+0x77/0x100 [bonding]
+[ 40.613963][ T146] ? __local_bh_enable_ip+0xe9/0x1b0
+[ 40.614631][ T146] ? bond_time_in_interval.isra.31+0x90/0x90 [bonding]
+[ 40.615484][ T146] ? __bond_release_one+0x9f0/0x12c0 [bonding]
+[ 40.616230][ T146] __bond_release_one+0x9f0/0x12c0 [bonding]
+[ 40.616949][ T146] ? bond_enslave+0x47c0/0x47c0 [bonding]
+[ 40.617642][ T146] ? lock_downgrade+0x730/0x730
+[ 40.618218][ T146] ? check_flags.part.42+0x450/0x450
+[ 40.618850][ T146] ? __mutex_unlock_slowpath+0xd0/0x670
+[ 40.619519][ T146] ? trace_hardirqs_on+0x30/0x180
+[ 40.620117][ T146] ? wait_for_completion+0x250/0x250
+[ 40.620754][ T146] bond_netdev_event+0x822/0x970 [bonding]
+[ 40.621460][ T146] ? __module_text_address+0x13/0x140
+[ 40.622097][ T146] notifier_call_chain+0x90/0x160
+[ 40.622806][ T146] rollback_registered_many+0x660/0xcf0
+[ 40.623522][ T146] ? netif_set_real_num_tx_queues+0x780/0x780
+[ 40.624290][ T146] ? notifier_call_chain+0x90/0x160
+[ 40.624957][ T146] ? netdev_upper_dev_unlink+0x114/0x180
+[ 40.625686][ T146] ? __netdev_adjacent_dev_unlink_neighbour+0x30/0x30
+[ 40.626421][ T146] ? mutex_is_locked+0x13/0x50
+[ 40.627016][ T146] ? unregister_netdevice_queue+0xf2/0x240
+[ 40.627663][ T146] unregister_netdevice_many.part.134+0x13/0x1b0
+[ 40.628362][ T146] default_device_exit_batch+0x2d9/0x390
+[ 40.628987][ T146] ? unregister_netdevice_many+0x40/0x40
+[ 40.629615][ T146] ? dev_change_net_namespace+0xcb0/0xcb0
+[ 40.630279][ T146] ? prepare_to_wait_exclusive+0x2e0/0x2e0
+[ 40.630943][ T146] ? ops_exit_list.isra.9+0x97/0x140
+[ 40.631554][ T146] cleanup_net+0x441/0x890
+[ ... ]
+
+Fixes: e289fd28176b ("macvlan: fix the problem when mac address changes for passthru mode")
+Reported-by: syzbot+5035b1f9dc7ea4558d5a@syzkaller.appspotmail.com
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macvlan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -1704,7 +1704,7 @@ static int macvlan_device_event(struct n
+ struct macvlan_dev,
+ list);
+
+- if (macvlan_sync_address(vlan->dev, dev->dev_addr))
++ if (vlan && macvlan_sync_address(vlan->dev, dev->dev_addr))
+ return NOTIFY_BAD;
+
+ break;
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 22 Apr 2020 12:36:41 +0300
+Subject: mlxsw: Fix some IS_ERR() vs NULL bugs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit c391eb8366ae052d571bb2841f1ccb4d39f3ceb8 ]
+
+The mlxsw_sp_acl_rulei_create() function is supposed to return an error
+pointer from mlxsw_afa_block_create(). The problem is that these
+functions both return NULL instead of error pointers. Half the callers
+expect NULL and half expect error pointers so it could lead to a NULL
+dereference on failure.
+
+This patch changes both of them to return error pointers and changes all
+the callers which checked for NULL to check for IS_ERR() instead.
+
+Fixes: 4cda7d8d7098 ("mlxsw: core: Introduce flexible actions support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Ido Schimmel <idosch@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c | 4 ++--
+ drivers/net/ethernet/mellanox/mlxsw/spectrum2_acl_tcam.c | 4 ++--
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c | 2 +-
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_mr_tcam.c | 4 ++--
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c
+@@ -316,7 +316,7 @@ struct mlxsw_afa_block *mlxsw_afa_block_
+
+ block = kzalloc(sizeof(*block), GFP_KERNEL);
+ if (!block)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+ INIT_LIST_HEAD(&block->resource_list);
+ block->afa = mlxsw_afa;
+
+@@ -344,7 +344,7 @@ err_second_set_create:
+ mlxsw_afa_set_destroy(block->first_set);
+ err_first_set_create:
+ kfree(block);
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+ }
+ EXPORT_SYMBOL(mlxsw_afa_block_create);
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum2_acl_tcam.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum2_acl_tcam.c
+@@ -88,8 +88,8 @@ static int mlxsw_sp2_acl_tcam_init(struc
+ * to be written using PEFA register to all indexes for all regions.
+ */
+ afa_block = mlxsw_afa_block_create(mlxsw_sp->afa);
+- if (!afa_block) {
+- err = -ENOMEM;
++ if (IS_ERR(afa_block)) {
++ err = PTR_ERR(afa_block);
+ goto err_afa_block;
+ }
+ err = mlxsw_afa_block_continue(afa_block);
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c
+@@ -444,7 +444,7 @@ mlxsw_sp_acl_rulei_create(struct mlxsw_s
+
+ rulei = kzalloc(sizeof(*rulei), GFP_KERNEL);
+ if (!rulei)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+
+ if (afa_block) {
+ rulei->act_block = afa_block;
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr_tcam.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr_tcam.c
+@@ -199,8 +199,8 @@ mlxsw_sp_mr_tcam_afa_block_create(struct
+ int err;
+
+ afa_block = mlxsw_afa_block_create(mlxsw_sp->afa);
+- if (!afa_block)
+- return ERR_PTR(-ENOMEM);
++ if (IS_ERR(afa_block))
++ return afa_block;
+
+ err = mlxsw_afa_block_append_allocated_counter(afa_block,
+ counter_index);
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Doug Berger <opendmb@gmail.com>
+Date: Thu, 23 Apr 2020 15:44:17 -0700
+Subject: net: bcmgenet: correct per TX/RX ring statistics
+
+From: Doug Berger <opendmb@gmail.com>
+
+[ Upstream commit a6d0b83f25073bdf08b8547aeff961a62c6ab229 ]
+
+The change to track net_device_stats per ring to better support SMP
+missed updating the rx_dropped member.
+
+The ndo_get_stats method is also needed to combine the results for
+ethtool statistics (-S) before filling in the ethtool structure.
+
+Fixes: 37a30b435b92 ("net: bcmgenet: Track per TX/RX rings statistics")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Acked-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -938,6 +938,8 @@ static void bcmgenet_get_ethtool_stats(s
+ if (netif_running(dev))
+ bcmgenet_update_mib_counters(priv);
+
++ dev->netdev_ops->ndo_get_stats(dev);
++
+ for (i = 0; i < BCMGENET_STATS_LEN; i++) {
+ const struct bcmgenet_stats *s;
+ char *p;
+@@ -3142,6 +3144,7 @@ static struct net_device_stats *bcmgenet
+ dev->stats.rx_packets = rx_packets;
+ dev->stats.rx_errors = rx_errors;
+ dev->stats.rx_missed_errors = rx_errors;
++ dev->stats.rx_dropped = rx_dropped;
+ return &dev->stats;
+ }
+
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 20 Apr 2020 20:26:55 -0700
+Subject: net: dsa: b53: b53_arl_rw_op() needs to select IVL or SVL
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 64fec9493f7dc9bdd7233bcfe98985c45bd0e3c1 ]
+
+Flip the IVL_SVL_SELECT bit correctly based on the VLAN enable status,
+the default is to perform Shared VLAN learning instead of Individual
+learning.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 4 ++++
+ drivers/net/dsa/b53/b53_regs.h | 1 +
+ 2 files changed, 5 insertions(+)
+
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1454,6 +1454,10 @@ static int b53_arl_rw_op(struct b53_devi
+ reg |= ARLTBL_RW;
+ else
+ reg &= ~ARLTBL_RW;
++ if (dev->vlan_enabled)
++ reg &= ~ARLTBL_IVL_SVL_SELECT;
++ else
++ reg |= ARLTBL_IVL_SVL_SELECT;
+ b53_write8(dev, B53_ARLIO_PAGE, B53_ARLTBL_RW_CTRL, reg);
+
+ return b53_arl_op_wait(dev);
+--- a/drivers/net/dsa/b53/b53_regs.h
++++ b/drivers/net/dsa/b53/b53_regs.h
+@@ -292,6 +292,7 @@
+ /* ARL Table Read/Write Register (8 bit) */
+ #define B53_ARLTBL_RW_CTRL 0x00
+ #define ARLTBL_RW BIT(0)
++#define ARLTBL_IVL_SVL_SELECT BIT(6)
+ #define ARLTBL_START_DONE BIT(7)
+
+ /* MAC Address Index Register (48 bit) */
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 20 Apr 2020 20:26:53 -0700
+Subject: net: dsa: b53: Fix ARL register definitions
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit c2e77a18a7ed65eb48f6e389b6a59a0fd753646a ]
+
+The ARL {MAC,VID} tuple and the forward entry were off by 0x10 bytes,
+which means that when we read/wrote from/to ARL bin index 0, we were
+actually accessing the ARLA_RWCTRL register.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/b53/b53_regs.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/dsa/b53/b53_regs.h
++++ b/drivers/net/dsa/b53/b53_regs.h
+@@ -304,7 +304,7 @@
+ *
+ * BCM5325 and BCM5365 share most definitions below
+ */
+-#define B53_ARLTBL_MAC_VID_ENTRY(n) (0x10 * (n))
++#define B53_ARLTBL_MAC_VID_ENTRY(n) ((0x10 * (n)) + 0x10)
+ #define ARLTBL_MAC_MASK 0xffffffffffffULL
+ #define ARLTBL_VID_S 48
+ #define ARLTBL_VID_MASK_25 0xff
+@@ -316,7 +316,7 @@
+ #define ARLTBL_VALID_25 BIT(63)
+
+ /* ARL Table Data Entry N Registers (32 bit) */
+-#define B53_ARLTBL_DATA_ENTRY(n) ((0x10 * (n)) + 0x08)
++#define B53_ARLTBL_DATA_ENTRY(n) ((0x10 * (n)) + 0x18)
+ #define ARLTBL_DATA_PORT_ID_MASK 0x1ff
+ #define ARLTBL_TC(tc) ((3 & tc) << 11)
+ #define ARLTBL_AGE BIT(14)
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 20 Apr 2020 20:26:52 -0700
+Subject: net: dsa: b53: Fix valid setting for MDB entries
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit eab167f4851a19c514469dfa81147f77e17b5b20 ]
+
+When support for the MDB entries was added, the valid bit was correctly
+changed to be assigned depending on the remaining port bitmask, that is,
+if there were no more ports added to the entry's port bitmask, the entry
+now becomes invalid. There was another assignment a few lines below that
+would override this which would invalidate entries even when there were
+still multiple ports left in the MDB entry.
+
+Fixes: 5d65b64a3d97 ("net: dsa: b53: Add support for MDB")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1541,7 +1541,6 @@ static int b53_arl_op(struct b53_device
+ ent.is_valid = !!(ent.port);
+ }
+
+- ent.is_valid = is_valid;
+ ent.vid = vid;
+ ent.is_static = true;
+ ent.is_age = false;
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 20 Apr 2020 20:26:51 -0700
+Subject: net: dsa: b53: Lookup VID in ARL searches when VLAN is enabled
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 2e97b0cd1651a270f3a3fcf42115c51f3284c049 ]
+
+When VLAN is enabled, and an ARL search is issued, we also need to
+compare the full {MAC,VID} tuple before returning a successful search
+result.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1485,6 +1485,9 @@ static int b53_arl_read(struct b53_devic
+ continue;
+ if ((mac_vid & ARLTBL_MAC_MASK) != mac)
+ continue;
++ if (dev->vlan_enabled &&
++ ((mac_vid >> ARLTBL_VID_S) & ARLTBL_VID_MASK) != vid)
++ continue;
+ *idx = i;
+ }
+
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Mon, 20 Apr 2020 20:26:54 -0700
+Subject: net: dsa: b53: Rework ARL bin logic
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 6344dbde6a27d10d16246d734b968f84887841e2 ]
+
+When asking the ARL to read a MAC address, we will get a number of bins
+returned in a single read. Out of those bins, there can essentially be 3
+states:
+
+- all bins are full, we have no space left, and we can either replace an
+ existing address or return that full condition
+
+- the MAC address was found, then we need to return its bin index and
+ modify that one, and only that one
+
+- the MAC address was not found and we have a least one bin free, we use
+ that bin index location then
+
+The code would unfortunately fail on all counts.
+
+Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 30 ++++++++++++++++++++++++++----
+ drivers/net/dsa/b53/b53_regs.h | 3 +++
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1463,6 +1463,7 @@ static int b53_arl_read(struct b53_devic
+ u16 vid, struct b53_arl_entry *ent, u8 *idx,
+ bool is_valid)
+ {
++ DECLARE_BITMAP(free_bins, B53_ARLTBL_MAX_BIN_ENTRIES);
+ unsigned int i;
+ int ret;
+
+@@ -1470,6 +1471,8 @@ static int b53_arl_read(struct b53_devic
+ if (ret)
+ return ret;
+
++ bitmap_zero(free_bins, dev->num_arl_entries);
++
+ /* Read the bins */
+ for (i = 0; i < dev->num_arl_entries; i++) {
+ u64 mac_vid;
+@@ -1481,16 +1484,24 @@ static int b53_arl_read(struct b53_devic
+ B53_ARLTBL_DATA_ENTRY(i), &fwd_entry);
+ b53_arl_to_entry(ent, mac_vid, fwd_entry);
+
+- if (!(fwd_entry & ARLTBL_VALID))
++ if (!(fwd_entry & ARLTBL_VALID)) {
++ set_bit(i, free_bins);
+ continue;
++ }
+ if ((mac_vid & ARLTBL_MAC_MASK) != mac)
+ continue;
+ if (dev->vlan_enabled &&
+ ((mac_vid >> ARLTBL_VID_S) & ARLTBL_VID_MASK) != vid)
+ continue;
+ *idx = i;
++ return 0;
+ }
+
++ if (bitmap_weight(free_bins, dev->num_arl_entries) == 0)
++ return -ENOSPC;
++
++ *idx = find_first_bit(free_bins, dev->num_arl_entries);
++
+ return -ENOENT;
+ }
+
+@@ -1520,10 +1531,21 @@ static int b53_arl_op(struct b53_device
+ if (op)
+ return ret;
+
+- /* We could not find a matching MAC, so reset to a new entry */
+- if (ret) {
++ switch (ret) {
++ case -ENOSPC:
++ dev_dbg(dev->dev, "{%pM,%.4d} no space left in ARL\n",
++ addr, vid);
++ return is_valid ? ret : 0;
++ case -ENOENT:
++ /* We could not find a matching MAC, so reset to a new entry */
++ dev_dbg(dev->dev, "{%pM,%.4d} not found, using idx: %d\n",
++ addr, vid, idx);
+ fwd_entry = 0;
+- idx = 1;
++ break;
++ default:
++ dev_dbg(dev->dev, "{%pM,%.4d} found, using idx: %d\n",
++ addr, vid, idx);
++ break;
+ }
+
+ /* For multicast address, the port is a bitmask and the validity
+--- a/drivers/net/dsa/b53/b53_regs.h
++++ b/drivers/net/dsa/b53/b53_regs.h
+@@ -323,6 +323,9 @@
+ #define ARLTBL_STATIC BIT(15)
+ #define ARLTBL_VALID BIT(16)
+
++/* Maximum number of bin entries in the ARL for all switches */
++#define B53_ARLTBL_MAX_BIN_ENTRIES 4
++
+ /* ARL Search Control Register (8 bit) */
+ #define B53_ARL_SRCH_CTL 0x50
+ #define B53_ARL_SRCH_CTL_25 0x20
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Tang Bin <tangbin@cmss.chinamobile.com>
+Date: Thu, 23 Apr 2020 10:16:31 +0800
+Subject: net: ethernet: ixp4xx: Add error handling in ixp4xx_eth_probe()
+
+From: Tang Bin <tangbin@cmss.chinamobile.com>
+
+[ Upstream commit 6ed79cec3ced6e346a10a70120fcee5f03591bab ]
+
+The function ixp4xx_eth_probe() does not perform sufficient error
+checking after executing devm_ioremap_resource(), which can result
+in crashes if a critical error path is encountered.
+
+Fixes: f458ac479777 ("ARM/net: ixp4xx: Pass ethernet physical base as resource")
+Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
+Signed-off-by: Tang Bin <tangbin@cmss.chinamobile.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/xscale/ixp4xx_eth.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/xscale/ixp4xx_eth.c
++++ b/drivers/net/ethernet/xscale/ixp4xx_eth.c
+@@ -1387,6 +1387,8 @@ static int ixp4xx_eth_probe(struct platf
+ return -ENODEV;
+ regs_phys = res->start;
+ port->regs = devm_ioremap_resource(dev, res);
++ if (IS_ERR(port->regs))
++ return PTR_ERR(port->regs);
+
+ switch (port->id) {
+ case IXP4XX_ETH_NPEA:
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 15 Apr 2020 09:46:52 -0700
+Subject: net/mlx4_en: avoid indirect call in TX completion
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 310660a14b74c380b0ef5c12b66933d6a3d1b59f ]
+
+Commit 9ecc2d86171a ("net/mlx4_en: add xdp forwarding and data write support")
+brought another indirect call in fast path.
+
+Use INDIRECT_CALL_2() helper to avoid the cost of the indirect call
+when/if CONFIG_RETPOLINE=y
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Tariq Toukan <tariqt@mellanox.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_tx.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
+@@ -43,6 +43,7 @@
+ #include <linux/ip.h>
+ #include <linux/ipv6.h>
+ #include <linux/moduleparam.h>
++#include <linux/indirect_call_wrapper.h>
+
+ #include "mlx4_en.h"
+
+@@ -261,6 +262,10 @@ static void mlx4_en_stamp_wqe(struct mlx
+ }
+ }
+
++INDIRECT_CALLABLE_DECLARE(u32 mlx4_en_free_tx_desc(struct mlx4_en_priv *priv,
++ struct mlx4_en_tx_ring *ring,
++ int index, u64 timestamp,
++ int napi_mode));
+
+ u32 mlx4_en_free_tx_desc(struct mlx4_en_priv *priv,
+ struct mlx4_en_tx_ring *ring,
+@@ -329,6 +334,11 @@ u32 mlx4_en_free_tx_desc(struct mlx4_en_
+ return tx_info->nr_txbb;
+ }
+
++INDIRECT_CALLABLE_DECLARE(u32 mlx4_en_recycle_tx_desc(struct mlx4_en_priv *priv,
++ struct mlx4_en_tx_ring *ring,
++ int index, u64 timestamp,
++ int napi_mode));
++
+ u32 mlx4_en_recycle_tx_desc(struct mlx4_en_priv *priv,
+ struct mlx4_en_tx_ring *ring,
+ int index, u64 timestamp,
+@@ -449,7 +459,9 @@ bool mlx4_en_process_tx_cq(struct net_de
+ timestamp = mlx4_en_get_cqe_ts(cqe);
+
+ /* free next descriptor */
+- last_nr_txbb = ring->free_tx_desc(
++ last_nr_txbb = INDIRECT_CALL_2(ring->free_tx_desc,
++ mlx4_en_free_tx_desc,
++ mlx4_en_recycle_tx_desc,
+ priv, ring, ring_index,
+ timestamp, napi_budget);
+
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Wed, 15 Apr 2020 16:36:19 +0800
+Subject: net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+[ Upstream commit d03f228470a8c0a22b774d1f8d47071e0de4f6dd ]
+
+nr_add_node() invokes nr_neigh_get_dev(), which returns a local
+reference of the nr_neigh object to "nr_neigh" with increased refcnt.
+
+When nr_add_node() returns, "nr_neigh" becomes invalid, so the refcount
+should be decreased to keep refcount balanced.
+
+The issue happens in one normal path of nr_add_node(), which forgets to
+decrease the refcnt increased by nr_neigh_get_dev() and causes a refcnt
+leak. It should decrease the refcnt before the function returns like
+other normal paths do.
+
+Fix this issue by calling nr_neigh_put() before the nr_add_node()
+returns.
+
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netrom/nr_route.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netrom/nr_route.c
++++ b/net/netrom/nr_route.c
+@@ -208,6 +208,7 @@ static int __must_check nr_add_node(ax25
+ /* refcount initialized at 1 */
+ spin_unlock_bh(&nr_node_list_lock);
+
++ nr_neigh_put(nr_neigh);
+ return 0;
+ }
+ nr_node_lock(nr_node);
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Tonghao Zhang <xiangxia.m.yue@gmail.com>
+Date: Fri, 17 Apr 2020 02:57:31 +0800
+Subject: net: openvswitch: ovs_ct_exit to be done under ovs_lock
+
+From: Tonghao Zhang <xiangxia.m.yue@gmail.com>
+
+[ Upstream commit 27de77cec985233bdf6546437b9761853265c505 ]
+
+syzbot wrote:
+| =============================
+| WARNING: suspicious RCU usage
+| 5.7.0-rc1+ #45 Not tainted
+| -----------------------------
+| net/openvswitch/conntrack.c:1898 RCU-list traversed in non-reader section!!
+|
+| other info that might help us debug this:
+| rcu_scheduler_active = 2, debug_locks = 1
+| ...
+|
+| stack backtrace:
+| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
+| Workqueue: netns cleanup_net
+| Call Trace:
+| ...
+| ovs_ct_exit
+| ovs_exit_net
+| ops_exit_list.isra.7
+| cleanup_net
+| process_one_work
+| worker_thread
+
+To avoid that warning, invoke the ovs_ct_exit under ovs_lock and add
+lockdep_ovsl_is_held as optional lockdep expression.
+
+Link: https://lore.kernel.org/lkml/000000000000e642a905a0cbee6e@google.com
+Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit")
+Cc: Pravin B Shelar <pshelar@ovn.org>
+Cc: Yi-Hung Wei <yihung.wei@gmail.com>
+Reported-by: syzbot+7ef50afd3a211f879112@syzkaller.appspotmail.com
+Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com>
+Acked-by: Pravin B Shelar <pshelar@ovn.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/openvswitch/conntrack.c | 3 ++-
+ net/openvswitch/datapath.c | 4 +++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/openvswitch/conntrack.c
++++ b/net/openvswitch/conntrack.c
+@@ -1895,7 +1895,8 @@ static void ovs_ct_limit_exit(struct net
+ struct hlist_head *head = &info->limits[i];
+ struct ovs_ct_limit *ct_limit;
+
+- hlist_for_each_entry_rcu(ct_limit, head, hlist_node)
++ hlist_for_each_entry_rcu(ct_limit, head, hlist_node,
++ lockdep_ovsl_is_held())
+ kfree_rcu(ct_limit, rcu);
+ }
+ kfree(ovs_net->ct_limit_info->limits);
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -2466,8 +2466,10 @@ static void __net_exit ovs_exit_net(stru
+ struct net *net;
+ LIST_HEAD(head);
+
+- ovs_ct_exit(dnet);
+ ovs_lock();
++
++ ovs_ct_exit(dnet);
++
+ list_for_each_entry_safe(dp, dp_next, &ovs_net->dps, list_node)
+ __dp_destroy(dp);
+
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Marc Zyngier <maz@kernel.org>
+Date: Sat, 18 Apr 2020 19:14:57 +0100
+Subject: net: stmmac: dwmac-meson8b: Add missing boundary to RGMII TX clock array
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit f0212a5ebfa6cd789ab47666b9cc169e6e688732 ]
+
+Running with KASAN on a VIM3L systems leads to the following splat
+when probing the Ethernet device:
+
+==================================================================
+BUG: KASAN: global-out-of-bounds in _get_maxdiv+0x74/0xd8
+Read of size 4 at addr ffffa000090615f4 by task systemd-udevd/139
+CPU: 1 PID: 139 Comm: systemd-udevd Tainted: G E 5.7.0-rc1-00101-g8624b7577b9c #781
+Hardware name: amlogic w400/w400, BIOS 2020.01-rc5 03/12/2020
+Call trace:
+ dump_backtrace+0x0/0x2a0
+ show_stack+0x20/0x30
+ dump_stack+0xec/0x148
+ print_address_description.isra.12+0x70/0x35c
+ __kasan_report+0xfc/0x1d4
+ kasan_report+0x4c/0x68
+ __asan_load4+0x9c/0xd8
+ _get_maxdiv+0x74/0xd8
+ clk_divider_bestdiv+0x74/0x5e0
+ clk_divider_round_rate+0x80/0x1a8
+ clk_core_determine_round_nolock.part.9+0x9c/0xd0
+ clk_core_round_rate_nolock+0xf0/0x108
+ clk_hw_round_rate+0xac/0xf0
+ clk_factor_round_rate+0xb8/0xd0
+ clk_core_determine_round_nolock.part.9+0x9c/0xd0
+ clk_core_round_rate_nolock+0xf0/0x108
+ clk_core_round_rate_nolock+0xbc/0x108
+ clk_core_set_rate_nolock+0xc4/0x2e8
+ clk_set_rate+0x58/0xe0
+ meson8b_dwmac_probe+0x588/0x72c [dwmac_meson8b]
+ platform_drv_probe+0x78/0xd8
+ really_probe+0x158/0x610
+ driver_probe_device+0x140/0x1b0
+ device_driver_attach+0xa4/0xb0
+ __driver_attach+0xcc/0x1c8
+ bus_for_each_dev+0xf4/0x168
+ driver_attach+0x3c/0x50
+ bus_add_driver+0x238/0x2e8
+ driver_register+0xc8/0x1e8
+ __platform_driver_register+0x88/0x98
+ meson8b_dwmac_driver_init+0x28/0x1000 [dwmac_meson8b]
+ do_one_initcall+0xa8/0x328
+ do_init_module+0xe8/0x368
+ load_module+0x3300/0x36b0
+ __do_sys_finit_module+0x120/0x1a8
+ __arm64_sys_finit_module+0x4c/0x60
+ el0_svc_common.constprop.2+0xe4/0x268
+ do_el0_svc+0x98/0xa8
+ el0_svc+0x24/0x68
+ el0_sync_handler+0x12c/0x318
+ el0_sync+0x158/0x180
+
+The buggy address belongs to the variable:
+ div_table.63646+0x34/0xfffffffffffffa40 [dwmac_meson8b]
+
+Memory state around the buggy address:
+ ffffa00009061480: fa fa fa fa 00 00 00 01 fa fa fa fa 00 00 00 00
+ ffffa00009061500: 05 fa fa fa fa fa fa fa 00 04 fa fa fa fa fa fa
+>ffffa00009061580: 00 03 fa fa fa fa fa fa 00 00 00 00 00 00 fa fa
+ ^
+ ffffa00009061600: fa fa fa fa 00 01 fa fa fa fa fa fa 01 fa fa fa
+ ffffa00009061680: fa fa fa fa 00 01 fa fa fa fa fa fa 04 fa fa fa
+==================================================================
+
+Digging into this indeed shows that the clock divider array is
+lacking a final fence, and that the clock subsystems goes in the
+weeds. Oh well.
+
+Let's add the empty structure that indicates the end of the array.
+
+Fixes: bd6f48546b9c ("net: stmmac: dwmac-meson8b: Fix the RGMII TX delay on Meson8b/8m2 SoCs")
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c
+@@ -119,6 +119,7 @@ static int meson8b_init_rgmii_tx_clk(str
+ { .div = 5, .val = 5, },
+ { .div = 6, .val = 6, },
+ { .div = 7, .val = 7, },
++ { /* end of array */ }
+ };
+
+ clk_configs = devm_kzalloc(dev, sizeof(*clk_configs), GFP_KERNEL);
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Thu, 23 Apr 2020 13:13:03 +0800
+Subject: net/x25: Fix x25_neigh refcnt leak when receiving frame
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+[ Upstream commit f35d12971b4d814cdb2f659d76b42f0c545270b6 ]
+
+x25_lapb_receive_frame() invokes x25_get_neigh(), which returns a
+reference of the specified x25_neigh object to "nb" with increased
+refcnt.
+
+When x25_lapb_receive_frame() returns, local variable "nb" becomes
+invalid, so the refcount should be decreased to keep refcount balanced.
+
+The reference counting issue happens in one path of
+x25_lapb_receive_frame(). When pskb_may_pull() returns false, the
+function forgets to decrease the refcnt increased by x25_get_neigh(),
+causing a refcnt leak.
+
+Fix this issue by calling x25_neigh_put() when pskb_may_pull() returns
+false.
+
+Fixes: cb101ed2c3c7 ("x25: Handle undersized/fragmented skbs")
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/x25/x25_dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/x25/x25_dev.c
++++ b/net/x25/x25_dev.c
+@@ -115,8 +115,10 @@ int x25_lapb_receive_frame(struct sk_buf
+ goto drop;
+ }
+
+- if (!pskb_may_pull(skb, 1))
++ if (!pskb_may_pull(skb, 1)) {
++ x25_neigh_put(nb);
+ return 0;
++ }
+
+ switch (skb->data[0]) {
+
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 21 Apr 2020 10:00:28 -0700
+Subject: sched: etf: do not assume all sockets are full blown
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit a1211bf9a7774706722ba3b18c6157d980319f79 ]
+
+skb->sk does not always point to a full blown socket,
+we need to use sk_fullsock() before accessing fields which
+only make sense on full socket.
+
+BUG: KASAN: use-after-free in report_sock_error+0x286/0x300 net/sched/sch_etf.c:141
+Read of size 1 at addr ffff88805eb9b245 by task syz-executor.5/9630
+
+CPU: 1 PID: 9630 Comm: syz-executor.5 Not tainted 5.7.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x188/0x20d lib/dump_stack.c:118
+ print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:382
+ __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511
+ kasan_report+0x33/0x50 mm/kasan/common.c:625
+ report_sock_error+0x286/0x300 net/sched/sch_etf.c:141
+ etf_enqueue_timesortedlist+0x389/0x740 net/sched/sch_etf.c:170
+ __dev_xmit_skb net/core/dev.c:3710 [inline]
+ __dev_queue_xmit+0x154a/0x30a0 net/core/dev.c:4021
+ neigh_hh_output include/net/neighbour.h:499 [inline]
+ neigh_output include/net/neighbour.h:508 [inline]
+ ip6_finish_output2+0xfb5/0x25b0 net/ipv6/ip6_output.c:117
+ __ip6_finish_output+0x442/0xab0 net/ipv6/ip6_output.c:143
+ ip6_finish_output+0x34/0x1f0 net/ipv6/ip6_output.c:153
+ NF_HOOK_COND include/linux/netfilter.h:296 [inline]
+ ip6_output+0x239/0x810 net/ipv6/ip6_output.c:176
+ dst_output include/net/dst.h:435 [inline]
+ NF_HOOK include/linux/netfilter.h:307 [inline]
+ NF_HOOK include/linux/netfilter.h:301 [inline]
+ ip6_xmit+0xe1a/0x2090 net/ipv6/ip6_output.c:280
+ tcp_v6_send_synack+0x4e7/0x960 net/ipv6/tcp_ipv6.c:521
+ tcp_rtx_synack+0x10d/0x1a0 net/ipv4/tcp_output.c:3916
+ inet_rtx_syn_ack net/ipv4/inet_connection_sock.c:669 [inline]
+ reqsk_timer_handler+0x4c2/0xb40 net/ipv4/inet_connection_sock.c:763
+ call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1405
+ expire_timers kernel/time/timer.c:1450 [inline]
+ __run_timers kernel/time/timer.c:1774 [inline]
+ __run_timers kernel/time/timer.c:1741 [inline]
+ run_timer_softirq+0x623/0x1600 kernel/time/timer.c:1787
+ __do_softirq+0x26c/0x9f7 kernel/softirq.c:292
+ invoke_softirq kernel/softirq.c:373 [inline]
+ irq_exit+0x192/0x1d0 kernel/softirq.c:413
+ exiting_irq arch/x86/include/asm/apic.h:546 [inline]
+ smp_apic_timer_interrupt+0x19e/0x600 arch/x86/kernel/apic/apic.c:1140
+ apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
+ </IRQ>
+RIP: 0010:des_encrypt+0x157/0x9c0 lib/crypto/des.c:792
+Code: 85 22 06 00 00 41 31 dc 41 8b 4d 04 44 89 e2 41 83 e4 3f 4a 8d 3c a5 60 72 72 88 81 e2 3f 3f 3f 3f 48 89 f8 48 c1 e8 03 31 d9 <0f> b6 34 28 48 89 f8 c1 c9 04 83 e0 07 83 c0 03 40 38 f0 7c 09 40
+RSP: 0018:ffffc90003b5f6c0 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
+RAX: 1ffffffff10e4e55 RBX: 00000000d2f846d0 RCX: 00000000d2f846d0
+RDX: 0000000012380612 RSI: ffffffff839863ca RDI: ffffffff887272a8
+RBP: dffffc0000000000 R08: ffff888091d0a380 R09: 0000000000800081
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000012
+R13: ffff8880a8ae8078 R14: 00000000c545c93e R15: 0000000000000006
+ cipher_crypt_one crypto/cipher.c:75 [inline]
+ crypto_cipher_encrypt_one+0x124/0x210 crypto/cipher.c:82
+ crypto_cbcmac_digest_update+0x1b5/0x250 crypto/ccm.c:830
+ crypto_shash_update+0xc4/0x120 crypto/shash.c:119
+ shash_ahash_update+0xa3/0x110 crypto/shash.c:246
+ crypto_ahash_update include/crypto/hash.h:547 [inline]
+ hash_sendmsg+0x518/0xad0 crypto/algif_hash.c:102
+ sock_sendmsg_nosec net/socket.c:652 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:672
+ ____sys_sendmsg+0x308/0x7e0 net/socket.c:2362
+ ___sys_sendmsg+0x100/0x170 net/socket.c:2416
+ __sys_sendmmsg+0x195/0x480 net/socket.c:2506
+ __do_sys_sendmmsg net/socket.c:2535 [inline]
+ __se_sys_sendmmsg net/socket.c:2532 [inline]
+ __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2532
+ do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
+ entry_SYSCALL_64_after_hwframe+0x49/0xb3
+RIP: 0033:0x45c829
+Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f6d9528ec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
+RAX: ffffffffffffffda RBX: 00000000004fc080 RCX: 000000000045c829
+RDX: 0000000000000001 RSI: 0000000020002640 RDI: 0000000000000004
+RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000008d7 R14: 00000000004cb7aa R15: 00007f6d9528f6d4
+
+Fixes: 4b15c7075352 ("net/sched: Make etf report drops on error_queue")
+Fixes: 25db26a91364 ("net/sched: Introduce the ETF Qdisc")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Reviewed-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_etf.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/sched/sch_etf.c
++++ b/net/sched/sch_etf.c
+@@ -82,7 +82,7 @@ static bool is_packet_valid(struct Qdisc
+ if (q->skip_sock_check)
+ goto skip;
+
+- if (!sk)
++ if (!sk || !sk_fullsock(sk))
+ return false;
+
+ if (!sock_flag(sk, SOCK_TXTIME))
+@@ -137,8 +137,9 @@ static void report_sock_error(struct sk_
+ struct sock_exterr_skb *serr;
+ struct sk_buff *clone;
+ ktime_t txtime = skb->tstamp;
++ struct sock *sk = skb->sk;
+
+- if (!skb->sk || !(skb->sk->sk_txtime_report_errors))
++ if (!sk || !sk_fullsock(sk) || !(sk->sk_txtime_report_errors))
+ return;
+
+ clone = skb_clone(skb, GFP_ATOMIC);
+@@ -154,7 +155,7 @@ static void report_sock_error(struct sk_
+ serr->ee.ee_data = (txtime >> 32); /* high part of tstamp */
+ serr->ee.ee_info = txtime; /* low part of tstamp */
+
+- if (sock_queue_err_skb(skb->sk, clone))
++ if (sock_queue_err_skb(sk, clone))
+ kfree_skb(clone);
+ }
+
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: David Ahern <dsahern@gmail.com>
+Date: Tue, 21 Apr 2020 08:47:24 -0600
+Subject: selftests: Fix suppress test in fib_tests.sh
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit 2c1dd4c110627c2a4f006643f074119205cfcff4 ]
+
+fib_tests is spewing errors:
+ ...
+ Cannot open network namespace "ns1": No such file or directory
+ Cannot open network namespace "ns1": No such file or directory
+ Cannot open network namespace "ns1": No such file or directory
+ Cannot open network namespace "ns1": No such file or directory
+ ping: connect: Network is unreachable
+ Cannot open network namespace "ns1": No such file or directory
+ Cannot open network namespace "ns1": No such file or directory
+ ...
+
+Each test entry in fib_tests is supposed to do its own setup and
+cleanup. Right now the $IP commands in fib_suppress_test are
+failing because there is no ns1. Add the setup/cleanup and logging
+expected for each test.
+
+Fixes: ca7a03c41753 ("ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Cc: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/fib_tests.sh | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/net/fib_tests.sh
++++ b/tools/testing/selftests/net/fib_tests.sh
+@@ -618,16 +618,22 @@ fib_nexthop_test()
+
+ fib_suppress_test()
+ {
++ echo
++ echo "FIB rule with suppress_prefixlength"
++ setup
++
+ $IP link add dummy1 type dummy
+ $IP link set dummy1 up
+ $IP -6 route add default dev dummy1
+ $IP -6 rule add table main suppress_prefixlength 0
+- ping -f -c 1000 -W 1 1234::1 || true
++ ping -f -c 1000 -W 1 1234::1 >/dev/null 2>&1
+ $IP -6 rule del table main suppress_prefixlength 0
+ $IP link del dummy1
+
+ # If we got here without crashing, we're good.
+- return 0
++ log_test 0 0 "FIB rule suppress test"
++
++ cleanup
+ }
+
+ ################################################################################
xhci-wait-until-link-state-trainsits-to-u0-after-set.patch
xhci-finetune-host-initiated-usb3-rootport-link-susp.patch
block-fix-busy-device-checking-in-blk_drop_partition.patch-8691
+cxgb4-fix-adapter-crash-due-to-wrong-mc-size.patch
+cxgb4-fix-large-delays-in-ptp-synchronization.patch
+ipv4-update-fib_select_default-to-handle-nexthop-objects.patch
+ipv6-fix-restrict-ipv6_addrform-operation.patch
+macsec-avoid-to-set-wrong-mtu.patch
+macvlan-fix-null-dereference-in-macvlan_device_event.patch
+mlxsw-fix-some-is_err-vs-null-bugs.patch
+net-bcmgenet-correct-per-tx-rx-ring-statistics.patch
+net-mlx4_en-avoid-indirect-call-in-tx-completion.patch
+net-netrom-fix-potential-nr_neigh-refcnt-leak-in-nr_add_node.patch
+net-openvswitch-ovs_ct_exit-to-be-done-under-ovs_lock.patch
+net-stmmac-dwmac-meson8b-add-missing-boundary-to-rgmii-tx-clock-array.patch
+net-x25-fix-x25_neigh-refcnt-leak-when-receiving-frame.patch
+sched-etf-do-not-assume-all-sockets-are-full-blown.patch
+selftests-fix-suppress-test-in-fib_tests.sh.patch
+tcp-cache-line-align-max_tcp_header.patch
+team-fix-hang-in-team_mode_get.patch
+tipc-fix-potential-tipc_aead-refcnt-leak-in-tipc_crypto_rcv.patch
+tipc-fix-potential-tipc_node-refcnt-leak-in-tipc_rcv.patch
+vrf-fix-ipv6-with-qdisc-and-xfrm.patch
+net-dsa-b53-lookup-vid-in-arl-searches-when-vlan-is-enabled.patch
+net-dsa-b53-fix-valid-setting-for-mdb-entries.patch
+net-dsa-b53-fix-arl-register-definitions.patch
+net-dsa-b53-rework-arl-bin-logic.patch
+net-dsa-b53-b53_arl_rw_op-needs-to-select-ivl-or-svl.patch
+vxlan-use-the-correct-nlattr-array-in-nl_set_err_msg_attr.patch
+geneve-use-the-correct-nlattr-array-in-nl_set_err_msg_attr.patch
+xfrm-always-set-xfrm_transformed-in-xfrm-4-6-_output_finish.patch
+vrf-check-skb-for-xfrm_transformed-flag.patch
+net-ethernet-ixp4xx-add-error-handling-in-ixp4xx_eth_probe.patch
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 17 Apr 2020 07:10:23 -0700
+Subject: tcp: cache line align MAX_TCP_HEADER
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9bacd256f1354883d3c1402655153367982bba49 ]
+
+TCP stack is dumb in how it cooks its output packets.
+
+Depending on MAX_HEADER value, we might chose a bad ending point
+for the headers.
+
+If we align the end of TCP headers to cache line boundary, we
+make sure to always use the smallest number of cache lines,
+which always help.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Soheil Hassas Yeganeh <soheil@google.com>
+Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tcp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -51,7 +51,7 @@ extern struct inet_hashinfo tcp_hashinfo
+ extern struct percpu_counter tcp_orphan_count;
+ void tcp_time_wait(struct sock *sk, int state, int timeo);
+
+-#define MAX_TCP_HEADER (128 + MAX_HEADER)
++#define MAX_TCP_HEADER L1_CACHE_ALIGN(128 + MAX_HEADER)
+ #define MAX_TCP_OPTION_SPACE 40
+ #define TCP_MIN_SND_MSS 48
+ #define TCP_MIN_GSO_SIZE (TCP_MIN_SND_MSS - MAX_TCP_OPTION_SPACE)
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Mon, 20 Apr 2020 15:01:33 +0000
+Subject: team: fix hang in team_mode_get()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 1c30fbc76b8f0c07c92a8ca4cd7c456612e17eb5 ]
+
+When team mode is changed or set, the team_mode_get() is called to check
+whether the mode module is inserted or not. If the mode module is not
+inserted, it calls the request_module().
+In the request_module(), it creates a child process, which is
+the "modprobe" process and waits for the done of the child process.
+At this point, the following locks were used.
+down_read(&cb_lock()); by genl_rcv()
+ genl_lock(); by genl_rcv_msc()
+ rtnl_lock(); by team_nl_cmd_options_set()
+ mutex_lock(&team->lock); by team_nl_team_get()
+
+Concurrently, the team module could be removed by rmmod or "modprobe -r"
+The __exit function of team module is team_module_exit(), which calls
+team_nl_fini() and it tries to acquire following locks.
+down_write(&cb_lock);
+ genl_lock();
+Because of the genl_lock() and cb_lock, this process can't be finished
+earlier than request_module() routine.
+
+The problem secenario.
+CPU0 CPU1
+team_mode_get
+ request_module()
+ modprobe -r team_mode_roundrobin
+ team <--(B)
+ modprobe team <--(A)
+ team_mode_roundrobin
+
+By request_module(), the "modprobe team_mode_roundrobin" command
+will be executed. At this point, the modprobe process will decide
+that the team module should be inserted before team_mode_roundrobin.
+Because the team module is being removed.
+
+By the module infrastructure, the same module insert/remove operations
+can't be executed concurrently.
+So, (A) waits for (B) but (B) also waits for (A) because of locks.
+So that the hang occurs at this point.
+
+Test commands:
+ while :
+ do
+ teamd -d &
+ killall teamd &
+ modprobe -rv team_mode_roundrobin &
+ done
+
+The approach of this patch is to hold the reference count of the team
+module if the team module is compiled as a module. If the reference count
+of the team module is not zero while request_module() is being called,
+the team module will not be removed at that moment.
+So that the above scenario could not occur.
+
+Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/team/team.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -468,6 +468,9 @@ static const struct team_mode *team_mode
+ struct team_mode_item *mitem;
+ const struct team_mode *mode = NULL;
+
++ if (!try_module_get(THIS_MODULE))
++ return NULL;
++
+ spin_lock(&mode_list_lock);
+ mitem = __find_mode(kind);
+ if (!mitem) {
+@@ -483,6 +486,7 @@ static const struct team_mode *team_mode
+ }
+
+ spin_unlock(&mode_list_lock);
++ module_put(THIS_MODULE);
+ return mode;
+ }
+
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Wed, 15 Apr 2020 16:39:56 +0800
+Subject: tipc: Fix potential tipc_aead refcnt leak in tipc_crypto_rcv
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+[ Upstream commit 441870ee4240cf67b5d3ab8e16216a9ff42eb5d6 ]
+
+tipc_crypto_rcv() invokes tipc_aead_get(), which returns a reference of
+the tipc_aead object to "aead" with increased refcnt.
+
+When tipc_crypto_rcv() returns, the original local reference of "aead"
+becomes invalid, so the refcount should be decreased to keep refcount
+balanced.
+
+The issue happens in one error path of tipc_crypto_rcv(). When TIPC
+message decryption status is EINPROGRESS or EBUSY, the function forgets
+to decrease the refcnt increased by tipc_aead_get() and causes a refcnt
+leak.
+
+Fix this issue by calling tipc_aead_put() on the error path when TIPC
+message decryption status is EINPROGRESS or EBUSY.
+
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/crypto.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/tipc/crypto.c
++++ b/net/tipc/crypto.c
+@@ -1712,6 +1712,7 @@ exit:
+ case -EBUSY:
+ this_cpu_inc(stats->stat[STAT_ASYNC]);
+ *skb = NULL;
++ tipc_aead_put(aead);
+ return rc;
+ default:
+ this_cpu_inc(stats->stat[STAT_NOK]);
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Wed, 15 Apr 2020 16:40:28 +0800
+Subject: tipc: Fix potential tipc_node refcnt leak in tipc_rcv
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+[ Upstream commit de058420767df21e2b6b0f3bb36d1616fb962032 ]
+
+tipc_rcv() invokes tipc_node_find() twice, which returns a reference of
+the specified tipc_node object to "n" with increased refcnt.
+
+When tipc_rcv() returns or a new object is assigned to "n", the original
+local reference of "n" becomes invalid, so the refcount should be
+decreased to keep refcount balanced.
+
+The issue happens in some paths of tipc_rcv(), which forget to decrease
+the refcnt increased by tipc_node_find() and will cause a refcnt leak.
+
+Fix this issue by calling tipc_node_put() before the original object
+pointed by "n" becomes invalid.
+
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/node.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -2037,6 +2037,7 @@ void tipc_rcv(struct net *net, struct sk
+ n = tipc_node_find_by_id(net, ehdr->id);
+ }
+ tipc_crypto_rcv(net, (n) ? n->crypto_rx : NULL, &skb, b);
++ tipc_node_put(n);
+ if (!skb)
+ return;
+
+@@ -2089,7 +2090,7 @@ rcv:
+ /* Check/update node state before receiving */
+ if (unlikely(skb)) {
+ if (unlikely(skb_linearize(skb)))
+- goto discard;
++ goto out_node_put;
+ tipc_node_write_lock(n);
+ if (tipc_node_check_state(n, skb, bearer_id, &xmitq)) {
+ if (le->link) {
+@@ -2118,6 +2119,7 @@ rcv:
+ if (!skb_queue_empty(&xmitq))
+ tipc_bearer_xmit(net, bearer_id, &xmitq, &le->maddr, n);
+
++out_node_put:
+ tipc_node_put(n);
+ discard:
+ kfree_skb(skb);
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: David Ahern <dsahern@gmail.com>
+Date: Mon, 20 Apr 2020 17:13:52 -0600
+Subject: vrf: Check skb for XFRM_TRANSFORMED flag
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit 16b9db1ce34ff00d6c18e82825125cfef0cdfb13 ]
+
+To avoid a loop with qdiscs and xfrms, check if the skb has already gone
+through the qdisc attached to the VRF device and then to the xfrm layer.
+If so, no need for a second redirect.
+
+Fixes: 193125dbd8eb ("net: Introduce VRF device driver")
+Reported-by: Trev Larock <trev@larock.ca>
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vrf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -474,7 +474,8 @@ static struct sk_buff *vrf_ip6_out(struc
+ if (rt6_need_strict(&ipv6_hdr(skb)->daddr))
+ return skb;
+
+- if (qdisc_tx_is_default(vrf_dev))
++ if (qdisc_tx_is_default(vrf_dev) ||
++ IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
+ return vrf_ip6_out_direct(vrf_dev, sk, skb);
+
+ return vrf_ip6_out_redirect(vrf_dev, skb);
+@@ -686,7 +687,8 @@ static struct sk_buff *vrf_ip_out(struct
+ ipv4_is_lbcast(ip_hdr(skb)->daddr))
+ return skb;
+
+- if (qdisc_tx_is_default(vrf_dev))
++ if (qdisc_tx_is_default(vrf_dev) ||
++ IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
+ return vrf_ip_out_direct(vrf_dev, sk, skb);
+
+ return vrf_ip_out_redirect(vrf_dev, skb);
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: David Ahern <dsahern@gmail.com>
+Date: Tue, 21 Apr 2020 17:48:27 -0600
+Subject: vrf: Fix IPv6 with qdisc and xfrm
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit a53c102872ad6e34e1518e25899dc9498c27f8b1 ]
+
+When a qdisc is attached to the VRF device, the packet goes down the ndo
+xmit function which is setup to send the packet back to the VRF driver
+which does a lookup to send the packet out. The lookup in the VRF driver
+is not considering xfrm policies. Change it to use ip6_dst_lookup_flow
+rather than ip6_route_output.
+
+Fixes: 35402e313663 ("net: Add IPv6 support to VRF device")
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vrf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/vrf.c
++++ b/drivers/net/vrf.c
+@@ -188,8 +188,8 @@ static netdev_tx_t vrf_process_v6_outbou
+ fl6.flowi6_proto = iph->nexthdr;
+ fl6.flowi6_flags = FLOWI_FLAG_SKIP_NH_OIF;
+
+- dst = ip6_route_output(net, NULL, &fl6);
+- if (dst == dst_null)
++ dst = ip6_dst_lookup_flow(net, NULL, &fl6, NULL);
++ if (IS_ERR(dst) || dst == dst_null)
+ goto err;
+
+ skb_dst_drop(skb);
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Wed, 22 Apr 2020 17:29:50 +0200
+Subject: vxlan: use the correct nlattr array in NL_SET_ERR_MSG_ATTR
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit cc8e7c69db4dcc565ed3020f97ddd6debab6cbe8 ]
+
+IFLA_VXLAN_* attributes are in the data array, which is correctly
+used when fetching the value, but not when setting the extended
+ack. Because IFLA_VXLAN_MAX < IFLA_MAX, we avoid out of bounds
+array accesses, but we don't provide a pointer to the invalid
+attribute to userspace.
+
+Fixes: 653ef6a3e4af ("vxlan: change vxlan_[config_]validate() to use netlink_ext_ack for error reporting")
+Fixes: b4d3069783bc ("vxlan: Allow configuration of DF behaviour")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -3144,7 +3144,7 @@ static int vxlan_validate(struct nlattr
+ u32 id = nla_get_u32(data[IFLA_VXLAN_ID]);
+
+ if (id >= VXLAN_N_VID) {
+- NL_SET_ERR_MSG_ATTR(extack, tb[IFLA_VXLAN_ID],
++ NL_SET_ERR_MSG_ATTR(extack, data[IFLA_VXLAN_ID],
+ "VXLAN ID must be lower than 16777216");
+ return -ERANGE;
+ }
+@@ -3155,7 +3155,7 @@ static int vxlan_validate(struct nlattr
+ = nla_data(data[IFLA_VXLAN_PORT_RANGE]);
+
+ if (ntohs(p->high) < ntohs(p->low)) {
+- NL_SET_ERR_MSG_ATTR(extack, tb[IFLA_VXLAN_PORT_RANGE],
++ NL_SET_ERR_MSG_ATTR(extack, data[IFLA_VXLAN_PORT_RANGE],
+ "Invalid source port range");
+ return -EINVAL;
+ }
+@@ -3165,7 +3165,7 @@ static int vxlan_validate(struct nlattr
+ enum ifla_vxlan_df df = nla_get_u8(data[IFLA_VXLAN_DF]);
+
+ if (df < 0 || df > VXLAN_DF_MAX) {
+- NL_SET_ERR_MSG_ATTR(extack, tb[IFLA_VXLAN_DF],
++ NL_SET_ERR_MSG_ATTR(extack, data[IFLA_VXLAN_DF],
+ "Invalid DF attribute");
+ return -EINVAL;
+ }
--- /dev/null
+From foo@baz Mon 27 Apr 2020 01:22:55 PM CEST
+From: David Ahern <dsahern@gmail.com>
+Date: Mon, 20 Apr 2020 17:13:51 -0600
+Subject: xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish
+
+From: David Ahern <dsahern@gmail.com>
+
+[ Upstream commit 0c922a4850eba2e668f73a3f1153196e09abb251 ]
+
+IPSKB_XFRM_TRANSFORMED and IP6SKB_XFRM_TRANSFORMED are skb flags set by
+xfrm code to tell other skb handlers that the packet has been passed
+through the xfrm output functions. Simplify the code and just always
+set them rather than conditionally based on netfilter enabled thus
+making the flag available for other users.
+
+Signed-off-by: David Ahern <dsahern@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/xfrm4_output.c | 2 --
+ net/ipv6/xfrm6_output.c | 2 --
+ 2 files changed, 4 deletions(-)
+
+--- a/net/ipv4/xfrm4_output.c
++++ b/net/ipv4/xfrm4_output.c
+@@ -58,9 +58,7 @@ int xfrm4_output_finish(struct sock *sk,
+ {
+ memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+
+-#ifdef CONFIG_NETFILTER
+ IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
+-#endif
+
+ return xfrm_output(sk, skb);
+ }
+--- a/net/ipv6/xfrm6_output.c
++++ b/net/ipv6/xfrm6_output.c
+@@ -111,9 +111,7 @@ int xfrm6_output_finish(struct sock *sk,
+ {
+ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
+
+-#ifdef CONFIG_NETFILTER
+ IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
+-#endif
+
+ return xfrm_output(sk, skb);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
