--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Edwin Peer <edwin.peer@broadcom.com>
+Date: Sun, 22 Mar 2020 16:40:02 -0400
+Subject: bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets()
+
+From: Edwin Peer <edwin.peer@broadcom.com>
+
+[ Upstream commit 62d4073e86e62e316bea2c53e77db10418fd5dd7 ]
+
+The allocated ieee_ets structure goes out of scope without being freed,
+leaking memory. Appropriate result codes should be returned so that
+callers do not rely on invalid data passed by reference.
+
+Also cache the ETS config retrieved from the device so that it doesn't
+need to be freed. The balance of the code was clearly written with the
+intent of having the results of querying the hardware cached in the
+device structure. The commensurate store was evidently missed though.
+
+Fixes: 7df4ae9fe855 ("bnxt_en: Implement DCBNL to support host-based DCBX.")
+Signed-off-by: Edwin Peer <edwin.peer@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c
+@@ -479,24 +479,26 @@ static int bnxt_dcbnl_ieee_getets(struct
+ {
+ struct bnxt *bp = netdev_priv(dev);
+ struct ieee_ets *my_ets = bp->ieee_ets;
++ int rc;
+
+ ets->ets_cap = bp->max_tc;
+
+ if (!my_ets) {
+- int rc;
+-
+ if (bp->dcbx_cap & DCB_CAP_DCBX_HOST)
+ return 0;
+
+ my_ets = kzalloc(sizeof(*my_ets), GFP_KERNEL);
+ if (!my_ets)
+- return 0;
++ return -ENOMEM;
+ rc = bnxt_hwrm_queue_cos2bw_qcfg(bp, my_ets);
+ if (rc)
+- return 0;
++ goto error;
+ rc = bnxt_hwrm_queue_pri2cos_qcfg(bp, my_ets);
+ if (rc)
+- return 0;
++ goto error;
++
++ /* cache result */
++ bp->ieee_ets = my_ets;
+ }
+
+ ets->cbs = my_ets->cbs;
+@@ -505,6 +507,9 @@ static int bnxt_dcbnl_ieee_getets(struct
+ memcpy(ets->tc_tsa, my_ets->tc_tsa, sizeof(ets->tc_tsa));
+ memcpy(ets->prio_tc, my_ets->prio_tc, sizeof(ets->prio_tc));
+ return 0;
++error:
++ kfree(my_ets);
++ return rc;
+ }
+
+ static int bnxt_dcbnl_ieee_setets(struct net_device *dev, struct ieee_ets *ets)
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Date: Sun, 22 Mar 2020 16:40:05 -0400
+Subject: bnxt_en: Reset rings if ring reservation fails during open()
+
+From: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+
+[ Upstream commit 5d765a5e4bd7c368e564e11402bba74cf7f03ac1 ]
+
+If ring counts are not reset when ring reservation fails,
+bnxt_init_dflt_ring_mode() will not be called again to reinitialise
+IRQs when open() is called and results in system crash as napi will
+also be not initialised. This patch fixes it by resetting the ring
+counts.
+
+Fixes: 47558acd56a7 ("bnxt_en: Reserve rings at driver open if none was reserved at probe time.")
+Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -8822,6 +8822,10 @@ static int bnxt_set_dflt_rings(struct bn
+ bp->rx_nr_rings++;
+ bp->cp_nr_rings++;
+ }
++ if (rc) {
++ bp->tx_nr_rings = 0;
++ bp->rx_nr_rings = 0;
++ }
+ return rc;
+ }
+
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Florian Westphal <fw@strlen.de>
+Date: Sat, 14 Mar 2020 08:18:42 +0100
+Subject: geneve: move debug check after netdev unregister
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 0fda7600c2e174fe27e9cf02e78e345226e441fa ]
+
+The debug check must be done after unregister_netdevice_many() call --
+the list_del() for this is done inside .ndo_stop.
+
+Fixes: 2843a25348f8 ("geneve: speedup geneve tunnels dismantle")
+Reported-and-tested-by: <syzbot+68a8ed58e3d17c700de5@syzkaller.appspotmail.com>
+Cc: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/geneve.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -1725,8 +1725,6 @@ static void geneve_destroy_tunnels(struc
+ if (!net_eq(dev_net(geneve->dev), net))
+ unregister_netdevice_queue(geneve->dev, head);
+ }
+-
+- WARN_ON_ONCE(!list_empty(&gn->sock_list));
+ }
+
+ static void __net_exit geneve_exit_batch_net(struct list_head *net_list)
+@@ -1741,6 +1739,12 @@ static void __net_exit geneve_exit_batch
+ /* unregister the devices gathered above */
+ unregister_netdevice_many(&list);
+ rtnl_unlock();
++
++ list_for_each_entry(net, net_list, exit_list) {
++ const struct geneve_net *gn = net_generic(net, geneve_net_id);
++
++ WARN_ON_ONCE(!list_empty(&gn->sock_list));
++ }
+ }
+
+ static struct pernet_operations geneve_net_ops = {
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:55 AM CET
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Fri, 13 Mar 2020 06:50:24 +0000
+Subject: hsr: add restart routine into hsr_get_node_list()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit ca19c70f5225771c05bcdcb832b4eb84d7271c5e ]
+
+The hsr_get_node_list() is to send node addresses to the userspace.
+If there are so many nodes, it could fail because of buffer size.
+In order to avoid this failure, the restart routine is added.
+
+Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/hsr/hsr_netlink.c | 38 ++++++++++++++++++++++++--------------
+ 1 file changed, 24 insertions(+), 14 deletions(-)
+
+--- a/net/hsr/hsr_netlink.c
++++ b/net/hsr/hsr_netlink.c
+@@ -366,16 +366,14 @@ fail:
+ */
+ static int hsr_get_node_list(struct sk_buff *skb_in, struct genl_info *info)
+ {
+- /* For receiving */
+- struct nlattr *na;
++ unsigned char addr[ETH_ALEN];
+ struct net_device *hsr_dev;
+-
+- /* For sending */
+ struct sk_buff *skb_out;
+- void *msg_head;
+ struct hsr_priv *hsr;
+- void *pos;
+- unsigned char addr[ETH_ALEN];
++ bool restart = false;
++ struct nlattr *na;
++ void *pos = NULL;
++ void *msg_head;
+ int res;
+
+ if (!info)
+@@ -393,8 +391,9 @@ static int hsr_get_node_list(struct sk_b
+ if (!is_hsr_master(hsr_dev))
+ goto rcu_unlock;
+
++restart:
+ /* Send reply */
+- skb_out = genlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
++ skb_out = genlmsg_new(GENLMSG_DEFAULT_SIZE, GFP_ATOMIC);
+ if (!skb_out) {
+ res = -ENOMEM;
+ goto fail;
+@@ -408,17 +407,28 @@ static int hsr_get_node_list(struct sk_b
+ goto nla_put_failure;
+ }
+
+- res = nla_put_u32(skb_out, HSR_A_IFINDEX, hsr_dev->ifindex);
+- if (res < 0)
+- goto nla_put_failure;
++ if (!restart) {
++ res = nla_put_u32(skb_out, HSR_A_IFINDEX, hsr_dev->ifindex);
++ if (res < 0)
++ goto nla_put_failure;
++ }
+
+ hsr = netdev_priv(hsr_dev);
+
+- pos = hsr_get_next_node(hsr, NULL, addr);
++ if (!pos)
++ pos = hsr_get_next_node(hsr, NULL, addr);
+ while (pos) {
+ res = nla_put(skb_out, HSR_A_NODE_ADDR, ETH_ALEN, addr);
+- if (res < 0)
++ if (res < 0) {
++ if (res == -EMSGSIZE) {
++ genlmsg_end(skb_out, msg_head);
++ genlmsg_unicast(genl_info_net(info), skb_out,
++ info->snd_portid);
++ restart = true;
++ goto restart;
++ }
+ goto nla_put_failure;
++ }
+ pos = hsr_get_next_node(hsr, pos, addr);
+ }
+ rcu_read_unlock();
+@@ -435,7 +445,7 @@ invalid:
+ return 0;
+
+ nla_put_failure:
+- kfree_skb(skb_out);
++ nlmsg_free(skb_out);
+ /* Fall through */
+
+ fail:
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Sat, 21 Mar 2020 06:46:50 +0000
+Subject: hsr: fix general protection fault in hsr_addr_is_self()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 3a303cfdd28d5f930a307c82e8a9d996394d5ebd ]
+
+The port->hsr is used in the hsr_handle_frame(), which is a
+callback of rx_handler.
+hsr master and slaves are initialized in hsr_add_port().
+This function initializes several pointers, which includes port->hsr after
+registering rx_handler.
+So, in the rx_handler routine, un-initialized pointer would be used.
+In order to fix this, pointers should be initialized before
+registering rx_handler.
+
+Test commands:
+ ip netns del left
+ ip netns del right
+ modprobe -rv veth
+ modprobe -rv hsr
+ killall ping
+ modprobe hsr
+ ip netns add left
+ ip netns add right
+ ip link add veth0 type veth peer name veth1
+ ip link add veth2 type veth peer name veth3
+ ip link add veth4 type veth peer name veth5
+ ip link set veth1 netns left
+ ip link set veth3 netns right
+ ip link set veth4 netns left
+ ip link set veth5 netns right
+ ip link set veth0 up
+ ip link set veth2 up
+ ip link set veth0 address fc:00:00:00:00:01
+ ip link set veth2 address fc:00:00:00:00:02
+ ip netns exec left ip link set veth1 up
+ ip netns exec left ip link set veth4 up
+ ip netns exec right ip link set veth3 up
+ ip netns exec right ip link set veth5 up
+ ip link add hsr0 type hsr slave1 veth0 slave2 veth2
+ ip a a 192.168.100.1/24 dev hsr0
+ ip link set hsr0 up
+ ip netns exec left ip link add hsr1 type hsr slave1 veth1 slave2 veth4
+ ip netns exec left ip a a 192.168.100.2/24 dev hsr1
+ ip netns exec left ip link set hsr1 up
+ ip netns exec left ip n a 192.168.100.1 dev hsr1 lladdr \
+ fc:00:00:00:00:01 nud permanent
+ ip netns exec left ip n r 192.168.100.1 dev hsr1 lladdr \
+ fc:00:00:00:00:01 nud permanent
+ for i in {1..100}
+ do
+ ip netns exec left ping 192.168.100.1 &
+ done
+ ip netns exec left hping3 192.168.100.1 -2 --flood &
+ ip netns exec right ip link add hsr2 type hsr slave1 veth3 slave2 veth5
+ ip netns exec right ip a a 192.168.100.3/24 dev hsr2
+ ip netns exec right ip link set hsr2 up
+ ip netns exec right ip n a 192.168.100.1 dev hsr2 lladdr \
+ fc:00:00:00:00:02 nud permanent
+ ip netns exec right ip n r 192.168.100.1 dev hsr2 lladdr \
+ fc:00:00:00:00:02 nud permanent
+ for i in {1..100}
+ do
+ ip netns exec right ping 192.168.100.1 &
+ done
+ ip netns exec right hping3 192.168.100.1 -2 --flood &
+ while :
+ do
+ ip link add hsr0 type hsr slave1 veth0 slave2 veth2
+ ip a a 192.168.100.1/24 dev hsr0
+ ip link set hsr0 up
+ ip link del hsr0
+ done
+
+Splat looks like:
+[ 120.954938][ C0] general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1]I
+[ 120.957761][ C0] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+[ 120.959064][ C0] CPU: 0 PID: 1511 Comm: hping3 Not tainted 5.6.0-rc5+ #460
+[ 120.960054][ C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
+[ 120.962261][ C0] RIP: 0010:hsr_addr_is_self+0x65/0x2a0 [hsr]
+[ 120.963149][ C0] Code: 44 24 18 70 73 2f c0 48 c1 eb 03 48 8d 04 13 c7 00 f1 f1 f1 f1 c7 40 04 00 f2 f2 f2 4
+[ 120.966277][ C0] RSP: 0018:ffff8880d9c09af0 EFLAGS: 00010206
+[ 120.967293][ C0] RAX: 0000000000000006 RBX: 1ffff1101b38135f RCX: 0000000000000000
+[ 120.968516][ C0] RDX: dffffc0000000000 RSI: ffff8880d17cb208 RDI: 0000000000000000
+[ 120.969718][ C0] RBP: 0000000000000030 R08: ffffed101b3c0e3c R09: 0000000000000001
+[ 120.972203][ C0] R10: 0000000000000001 R11: ffffed101b3c0e3b R12: 0000000000000000
+[ 120.973379][ C0] R13: ffff8880aaf80100 R14: ffff8880aaf800f2 R15: ffff8880aaf80040
+[ 120.974410][ C0] FS: 00007f58e693f740(0000) GS:ffff8880d9c00000(0000) knlGS:0000000000000000
+[ 120.979794][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 120.980773][ C0] CR2: 00007ffcb8b38f29 CR3: 00000000afe8e001 CR4: 00000000000606f0
+[ 120.981945][ C0] Call Trace:
+[ 120.982411][ C0] <IRQ>
+[ 120.982848][ C0] ? hsr_add_node+0x8c0/0x8c0 [hsr]
+[ 120.983522][ C0] ? rcu_read_lock_held+0x90/0xa0
+[ 120.984159][ C0] ? rcu_read_lock_sched_held+0xc0/0xc0
+[ 120.984944][ C0] hsr_handle_frame+0x1db/0x4e0 [hsr]
+[ 120.985597][ C0] ? hsr_nl_nodedown+0x2b0/0x2b0 [hsr]
+[ 120.986289][ C0] __netif_receive_skb_core+0x6bf/0x3170
+[ 120.992513][ C0] ? check_chain_key+0x236/0x5d0
+[ 120.993223][ C0] ? do_xdp_generic+0x1460/0x1460
+[ 120.993875][ C0] ? register_lock_class+0x14d0/0x14d0
+[ 120.994609][ C0] ? __netif_receive_skb_one_core+0x8d/0x160
+[ 120.995377][ C0] __netif_receive_skb_one_core+0x8d/0x160
+[ 120.996204][ C0] ? __netif_receive_skb_core+0x3170/0x3170
+[ ... ]
+
+Reported-by: syzbot+fcf5dd39282ceb27108d@syzkaller.appspotmail.com
+Fixes: c5a759117210 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/hsr/hsr_slave.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/hsr/hsr_slave.c
++++ b/net/hsr/hsr_slave.c
+@@ -152,16 +152,16 @@ int hsr_add_port(struct hsr_priv *hsr, s
+ if (port == NULL)
+ return -ENOMEM;
+
++ port->hsr = hsr;
++ port->dev = dev;
++ port->type = type;
++
+ if (type != HSR_PT_MASTER) {
+ res = hsr_portdev_setup(dev, port);
+ if (res)
+ goto fail_dev_setup;
+ }
+
+- port->hsr = hsr;
+- port->dev = dev;
+- port->type = type;
+-
+ list_add_tail_rcu(&port->port_list, &hsr->ports);
+ synchronize_rcu();
+
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:55 AM CET
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Fri, 13 Mar 2020 06:50:33 +0000
+Subject: hsr: set .netnsok flag
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 09e91dbea0aa32be02d8877bd50490813de56b9a ]
+
+The hsr module has been supporting the list and status command.
+(HSR_C_GET_NODE_LIST and HSR_C_GET_NODE_STATUS)
+These commands send node information to the user-space via generic netlink.
+But, in the non-init_net namespace, these commands are not allowed
+because .netnsok flag is false.
+So, there is no way to get node information in the non-init_net namespace.
+
+Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/hsr/hsr_netlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/hsr/hsr_netlink.c
++++ b/net/hsr/hsr_netlink.c
+@@ -476,6 +476,7 @@ static struct genl_family hsr_genl_famil
+ .name = "HSR",
+ .version = 1,
+ .maxattr = HSR_A_MAX,
++ .netnsok = true,
+ .module = THIS_MODULE,
+ .ops = hsr_ops,
+ .n_ops = ARRAY_SIZE(hsr_ops),
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:55 AM CET
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Fri, 13 Mar 2020 06:50:14 +0000
+Subject: hsr: use rcu_read_lock() in hsr_get_node_{list/status}()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 173756b86803655d70af7732079b3aa935e6ab68 ]
+
+hsr_get_node_{list/status}() are not under rtnl_lock() because
+they are callback functions of generic netlink.
+But they use __dev_get_by_index() without rtnl_lock().
+So, it would use unsafe data.
+In order to fix it, rcu_read_lock() and dev_get_by_index_rcu()
+are used instead of __dev_get_by_index().
+
+Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/hsr/hsr_framereg.c | 10 ++--------
+ net/hsr/hsr_netlink.c | 43 +++++++++++++++++++++----------------------
+ 2 files changed, 23 insertions(+), 30 deletions(-)
+
+--- a/net/hsr/hsr_framereg.c
++++ b/net/hsr/hsr_framereg.c
+@@ -466,13 +466,9 @@ int hsr_get_node_data(struct hsr_priv *h
+ struct hsr_port *port;
+ unsigned long tdiff;
+
+-
+- rcu_read_lock();
+ node = find_node_by_AddrA(&hsr->node_db, addr);
+- if (!node) {
+- rcu_read_unlock();
+- return -ENOENT; /* No such entry */
+- }
++ if (!node)
++ return -ENOENT;
+
+ ether_addr_copy(addr_b, node->MacAddressB);
+
+@@ -507,7 +503,5 @@ int hsr_get_node_data(struct hsr_priv *h
+ *addr_b_ifindex = -1;
+ }
+
+- rcu_read_unlock();
+-
+ return 0;
+ }
+--- a/net/hsr/hsr_netlink.c
++++ b/net/hsr/hsr_netlink.c
+@@ -259,17 +259,16 @@ static int hsr_get_node_status(struct sk
+ if (!na)
+ goto invalid;
+
+- hsr_dev = __dev_get_by_index(genl_info_net(info),
+- nla_get_u32(info->attrs[HSR_A_IFINDEX]));
++ rcu_read_lock();
++ hsr_dev = dev_get_by_index_rcu(genl_info_net(info),
++ nla_get_u32(info->attrs[HSR_A_IFINDEX]));
+ if (!hsr_dev)
+- goto invalid;
++ goto rcu_unlock;
+ if (!is_hsr_master(hsr_dev))
+- goto invalid;
+-
++ goto rcu_unlock;
+
+ /* Send reply */
+-
+- skb_out = genlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
++ skb_out = genlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
+ if (!skb_out) {
+ res = -ENOMEM;
+ goto fail;
+@@ -321,12 +320,10 @@ static int hsr_get_node_status(struct sk
+ res = nla_put_u16(skb_out, HSR_A_IF1_SEQ, hsr_node_if1_seq);
+ if (res < 0)
+ goto nla_put_failure;
+- rcu_read_lock();
+ port = hsr_port_get_hsr(hsr, HSR_PT_SLAVE_A);
+ if (port)
+ res = nla_put_u32(skb_out, HSR_A_IF1_IFINDEX,
+ port->dev->ifindex);
+- rcu_read_unlock();
+ if (res < 0)
+ goto nla_put_failure;
+
+@@ -336,20 +333,22 @@ static int hsr_get_node_status(struct sk
+ res = nla_put_u16(skb_out, HSR_A_IF2_SEQ, hsr_node_if2_seq);
+ if (res < 0)
+ goto nla_put_failure;
+- rcu_read_lock();
+ port = hsr_port_get_hsr(hsr, HSR_PT_SLAVE_B);
+ if (port)
+ res = nla_put_u32(skb_out, HSR_A_IF2_IFINDEX,
+ port->dev->ifindex);
+- rcu_read_unlock();
+ if (res < 0)
+ goto nla_put_failure;
+
++ rcu_read_unlock();
++
+ genlmsg_end(skb_out, msg_head);
+ genlmsg_unicast(genl_info_net(info), skb_out, info->snd_portid);
+
+ return 0;
+
++rcu_unlock:
++ rcu_read_unlock();
+ invalid:
+ netlink_ack(skb_in, nlmsg_hdr(skb_in), -EINVAL, NULL);
+ return 0;
+@@ -359,6 +358,7 @@ nla_put_failure:
+ /* Fall through */
+
+ fail:
++ rcu_read_unlock();
+ return res;
+ }
+
+@@ -385,17 +385,16 @@ static int hsr_get_node_list(struct sk_b
+ if (!na)
+ goto invalid;
+
+- hsr_dev = __dev_get_by_index(genl_info_net(info),
+- nla_get_u32(info->attrs[HSR_A_IFINDEX]));
++ rcu_read_lock();
++ hsr_dev = dev_get_by_index_rcu(genl_info_net(info),
++ nla_get_u32(info->attrs[HSR_A_IFINDEX]));
+ if (!hsr_dev)
+- goto invalid;
++ goto rcu_unlock;
+ if (!is_hsr_master(hsr_dev))
+- goto invalid;
+-
++ goto rcu_unlock;
+
+ /* Send reply */
+-
+- skb_out = genlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
++ skb_out = genlmsg_new(NLMSG_GOODSIZE, GFP_ATOMIC);
+ if (!skb_out) {
+ res = -ENOMEM;
+ goto fail;
+@@ -415,14 +414,11 @@ static int hsr_get_node_list(struct sk_b
+
+ hsr = netdev_priv(hsr_dev);
+
+- rcu_read_lock();
+ pos = hsr_get_next_node(hsr, NULL, addr);
+ while (pos) {
+ res = nla_put(skb_out, HSR_A_NODE_ADDR, ETH_ALEN, addr);
+- if (res < 0) {
+- rcu_read_unlock();
++ if (res < 0)
+ goto nla_put_failure;
+- }
+ pos = hsr_get_next_node(hsr, pos, addr);
+ }
+ rcu_read_unlock();
+@@ -432,6 +428,8 @@ static int hsr_get_node_list(struct sk_b
+
+ return 0;
+
++rcu_unlock:
++ rcu_read_unlock();
+ invalid:
+ netlink_ack(skb_in, nlmsg_hdr(skb_in), -EINVAL, NULL);
+ return 0;
+@@ -441,6 +439,7 @@ nla_put_failure:
+ /* Fall through */
+
+ fail:
++ rcu_read_unlock();
+ return res;
+ }
+
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Willem de Bruijn <willemb@google.com>
+Date: Sun, 22 Mar 2020 13:51:13 -0400
+Subject: macsec: restrict to ethernet devices
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit b06d072ccc4b1acd0147b17914b7ad1caa1818bb ]
+
+Only attach macsec to ethernet devices.
+
+Syzbot was able to trigger a KMSAN warning in macsec_handle_frame
+by attaching to a phonet device.
+
+Macvlan has a similar check in macvlan_port_create.
+
+v1->v2
+ - fix commit message typo
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/macsec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -20,6 +20,7 @@
+ #include <net/genetlink.h>
+ #include <net/sock.h>
+ #include <net/gro_cells.h>
++#include <linux/if_arp.h>
+
+ #include <uapi/linux/if_macsec.h>
+
+@@ -3248,6 +3249,8 @@ static int macsec_newlink(struct net *ne
+ real_dev = __dev_get_by_index(net, nla_get_u32(tb[IFLA_LINK]));
+ if (!real_dev)
+ return -ENODEV;
++ if (real_dev->type != ARPHRD_ETHER)
++ return -EINVAL;
+
+ dev->priv_flags |= IFF_MACSEC;
+
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Thu, 26 Mar 2020 16:17:33 +0200
+Subject: mlxsw: spectrum_mr: Fix list iteration in error path
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit f6bf1bafdc2152bb22aff3a4e947f2441a1d49e2 ]
+
+list_for_each_entry_from_reverse() iterates backwards over the list from
+the current position, but in the error path we should start from the
+previous position.
+
+Fix this by using list_for_each_entry_continue_reverse() instead.
+
+This suppresses the following error from coccinelle:
+
+drivers/net/ethernet/mellanox/mlxsw//spectrum_mr.c:655:34-38: ERROR:
+invalid reference to the index variable of the iterator on line 636
+
+Fixes: c011ec1bbfd6 ("mlxsw: spectrum: Add the multicast routing offloading logic")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Reviewed-by: Jiri Pirko <jiri@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c
+@@ -637,12 +637,12 @@ static int mlxsw_sp_mr_vif_resolve(struc
+ return 0;
+
+ err_erif_unresolve:
+- list_for_each_entry_from_reverse(erve, &mr_vif->route_evif_list,
+- vif_node)
++ list_for_each_entry_continue_reverse(erve, &mr_vif->route_evif_list,
++ vif_node)
+ mlxsw_sp_mr_route_evif_unresolve(mr_table, erve);
+ err_irif_unresolve:
+- list_for_each_entry_from_reverse(irve, &mr_vif->route_ivif_list,
+- vif_node)
++ list_for_each_entry_continue_reverse(irve, &mr_vif->route_ivif_list,
++ vif_node)
+ mlxsw_sp_mr_route_ivif_unresolve(mr_table, irve);
+ mr_vif->rif = NULL;
+ return err;
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Zh-yuan Ye <ye.zh-yuan@socionext.com>
+Date: Tue, 24 Mar 2020 17:28:25 +0900
+Subject: net: cbs: Fix software cbs to consider packet sending time
+
+From: Zh-yuan Ye <ye.zh-yuan@socionext.com>
+
+[ Upstream commit 961d0e5b32946703125964f9f5b6321d60f4d706 ]
+
+Currently the software CBS does not consider the packet sending time
+when depleting the credits. It caused the throughput to be
+Idleslope[kbps] * (Port transmit rate[kbps] / |Sendslope[kbps]|) where
+Idleslope * (Port transmit rate / (Idleslope + |Sendslope|)) = Idleslope
+is expected. In order to fix the issue above, this patch takes the time
+when the packet sending completes into account by moving the anchor time
+variable "last" ahead to the send completion time upon transmission and
+adding wait when the next dequeue request comes before the send
+completion time of the previous packet.
+
+changelog:
+V2->V3:
+ - remove unnecessary whitespace cleanup
+ - add the checks if port_rate is 0 before division
+
+V1->V2:
+ - combine variable "send_completed" into "last"
+ - add the comment for estimate of the packet sending
+
+Fixes: 585d763af09c ("net/sched: Introduce Credit Based Shaper (CBS) qdisc")
+Signed-off-by: Zh-yuan Ye <ye.zh-yuan@socionext.com>
+Reviewed-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_cbs.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/net/sched/sch_cbs.c
++++ b/net/sched/sch_cbs.c
+@@ -185,6 +185,11 @@ static struct sk_buff *cbs_dequeue_soft(
+ s64 credits;
+ int len;
+
++ /* The previous packet is still being sent */
++ if (now < q->last) {
++ qdisc_watchdog_schedule_ns(&q->watchdog, q->last);
++ return NULL;
++ }
+ if (q->credits < 0) {
+ credits = timediff_to_credits(now - q->last, q->idleslope);
+
+@@ -216,7 +221,12 @@ static struct sk_buff *cbs_dequeue_soft(
+ credits += q->credits;
+
+ q->credits = max_t(s64, credits, q->locredit);
+- q->last = now;
++ /* Estimate of the transmission of the last byte of the packet in ns */
++ if (unlikely(atomic64_read(&q->port_rate) == 0))
++ q->last = now;
++ else
++ q->last = now + div64_s64(len * NSEC_PER_SEC,
++ atomic64_read(&q->port_rate));
+
+ return skb;
+ }
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Sun, 22 Mar 2020 13:58:50 -0700
+Subject: net: dsa: Fix duplicate frames flooded by learning
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+[ Upstream commit 0e62f543bed03a64495bd2651d4fe1aa4bcb7fe5 ]
+
+When both the switch and the bridge are learning about new addresses,
+switch ports attached to the bridge would see duplicate ARP frames
+because both entities would attempt to send them.
+
+Fixes: 5037d532b83d ("net: dsa: add Broadcom tag RX/TX handler")
+Reported-by: Maxime Bizon <mbizon@freebox.fr>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dsa/tag_brcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/dsa/tag_brcm.c
++++ b/net/dsa/tag_brcm.c
+@@ -141,6 +141,8 @@ static struct sk_buff *brcm_tag_rcv_ll(s
+ /* Remove Broadcom tag and update checksum */
+ skb_pull_rcsum(skb, BRCM_TAG_LEN);
+
++ skb->offload_fwd_mark = 1;
++
+ return skb;
+ }
+
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: "René van Dorst" <opensource@vdorst.com>
+Date: Thu, 19 Mar 2020 14:47:56 +0100
+Subject: net: dsa: mt7530: Change the LINK bit to reflect the link status
+
+From: "René van Dorst" <opensource@vdorst.com>
+
+[ Upstream commit 22259471b51925353bd7b16f864c79fdd76e425e ]
+
+Andrew reported:
+
+After a number of network port link up/down changes, sometimes the switch
+port gets stuck in a state where it thinks it is still transmitting packets
+but the cpu port is not actually transmitting anymore. In this state you
+will see a message on the console
+"mtk_soc_eth 1e100000.ethernet eth0: transmit timed out" and the Tx counter
+in ifconfig will be incrementing on virtual port, but not incrementing on
+cpu port.
+
+The issue is that MAC TX/RX status has no impact on the link status or
+queue manager of the switch. So the queue manager just queues up packets
+of a disabled port and sends out pause frames when the queue is full.
+
+Change the LINK bit to reflect the link status.
+
+Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch")
+Reported-by: Andrew Smith <andrew.smith@digi.com>
+Signed-off-by: René van Dorst <opensource@vdorst.com>
+Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
+Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mt7530.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/dsa/mt7530.c
++++ b/drivers/net/dsa/mt7530.c
+@@ -549,7 +549,7 @@ mt7530_mib_reset(struct dsa_switch *ds)
+ static void
+ mt7530_port_set_status(struct mt7530_priv *priv, int port, int enable)
+ {
+- u32 mask = PMCR_TX_EN | PMCR_RX_EN;
++ u32 mask = PMCR_TX_EN | PMCR_RX_EN | PMCR_FORCE_LNK;
+
+ if (enable)
+ mt7530_set(priv, MT7530_PMCR_P(port), mask);
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Petr Machata <petrm@mellanox.com>
+Date: Mon, 16 Mar 2020 19:53:00 +0200
+Subject: net: ip_gre: Accept IFLA_INFO_DATA-less configuration
+
+From: Petr Machata <petrm@mellanox.com>
+
+[ Upstream commit 32ca98feab8c9076c89c0697c5a85e46fece809d ]
+
+The fix referenced below causes a crash when an ERSPAN tunnel is created
+without passing IFLA_INFO_DATA. Fix by validating passed-in data in the
+same way as ipgre does.
+
+Fixes: e1f8f78ffe98 ("net: ip_gre: Separate ERSPAN newlink / changelink callbacks")
+Reported-by: syzbot+1b4ebf4dae4e510dd219@syzkaller.appspotmail.com
+Signed-off-by: Petr Machata <petrm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_gre.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -1241,6 +1241,8 @@ static int erspan_netlink_parms(struct n
+ err = ipgre_netlink_parms(dev, data, tb, parms, fwmark);
+ if (err)
+ return err;
++ if (!data)
++ return 0;
+
+ if (data[IFLA_GRE_ERSPAN_VER]) {
+ t->erspan_ver = nla_get_u8(data[IFLA_GRE_ERSPAN_VER]);
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Petr Machata <petrm@mellanox.com>
+Date: Fri, 13 Mar 2020 13:39:36 +0200
+Subject: net: ip_gre: Separate ERSPAN newlink / changelink callbacks
+
+From: Petr Machata <petrm@mellanox.com>
+
+[ Upstream commit e1f8f78ffe9854308b9e12a73ebe4e909074fc33 ]
+
+ERSPAN shares most of the code path with GRE and gretap code. While that
+helps keep the code compact, it is also error prone. Currently a broken
+userspace can turn a gretap tunnel into a de facto ERSPAN one by passing
+IFLA_GRE_ERSPAN_VER. There has been a similar issue in ip6gretap in the
+past.
+
+To prevent these problems in future, split the newlink and changelink code
+paths. Split the ERSPAN code out of ipgre_netlink_parms() into a new
+function erspan_netlink_parms(). Extract a piece of common logic from
+ipgre_newlink() and ipgre_changelink() into ipgre_newlink_encap_setup().
+Add erspan_newlink() and erspan_changelink().
+
+Fixes: 84e54fe0a5ea ("gre: introduce native tunnel support for ERSPAN")
+Signed-off-by: Petr Machata <petrm@mellanox.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_gre.c | 103 ++++++++++++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 85 insertions(+), 18 deletions(-)
+
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -1226,6 +1226,22 @@ static int ipgre_netlink_parms(struct ne
+ if (data[IFLA_GRE_FWMARK])
+ *fwmark = nla_get_u32(data[IFLA_GRE_FWMARK]);
+
++ return 0;
++}
++
++static int erspan_netlink_parms(struct net_device *dev,
++ struct nlattr *data[],
++ struct nlattr *tb[],
++ struct ip_tunnel_parm *parms,
++ __u32 *fwmark)
++{
++ struct ip_tunnel *t = netdev_priv(dev);
++ int err;
++
++ err = ipgre_netlink_parms(dev, data, tb, parms, fwmark);
++ if (err)
++ return err;
++
+ if (data[IFLA_GRE_ERSPAN_VER]) {
+ t->erspan_ver = nla_get_u8(data[IFLA_GRE_ERSPAN_VER]);
+
+@@ -1355,45 +1371,70 @@ bool is_gretap_dev(const struct net_devi
+ }
+ EXPORT_SYMBOL_GPL(is_gretap_dev);
+
+-static int ipgre_newlink(struct net *src_net, struct net_device *dev,
+- struct nlattr *tb[], struct nlattr *data[],
+- struct netlink_ext_ack *extack)
++static int
++ipgre_newlink_encap_setup(struct net_device *dev, struct nlattr *data[])
+ {
+- struct ip_tunnel_parm p;
+ struct ip_tunnel_encap ipencap;
+- __u32 fwmark = 0;
+- int err;
+
+ if (ipgre_netlink_encap_parms(data, &ipencap)) {
+ struct ip_tunnel *t = netdev_priv(dev);
+- err = ip_tunnel_encap_setup(t, &ipencap);
++ int err = ip_tunnel_encap_setup(t, &ipencap);
+
+ if (err < 0)
+ return err;
+ }
+
++ return 0;
++}
++
++static int ipgre_newlink(struct net *src_net, struct net_device *dev,
++ struct nlattr *tb[], struct nlattr *data[],
++ struct netlink_ext_ack *extack)
++{
++ struct ip_tunnel_parm p;
++ __u32 fwmark = 0;
++ int err;
++
++ err = ipgre_newlink_encap_setup(dev, data);
++ if (err)
++ return err;
++
+ err = ipgre_netlink_parms(dev, data, tb, &p, &fwmark);
+ if (err < 0)
+ return err;
+ return ip_tunnel_newlink(dev, tb, &p, fwmark);
+ }
+
++static int erspan_newlink(struct net *src_net, struct net_device *dev,
++ struct nlattr *tb[], struct nlattr *data[],
++ struct netlink_ext_ack *extack)
++{
++ struct ip_tunnel_parm p;
++ __u32 fwmark = 0;
++ int err;
++
++ err = ipgre_newlink_encap_setup(dev, data);
++ if (err)
++ return err;
++
++ err = erspan_netlink_parms(dev, data, tb, &p, &fwmark);
++ if (err)
++ return err;
++ return ip_tunnel_newlink(dev, tb, &p, fwmark);
++}
++
+ static int ipgre_changelink(struct net_device *dev, struct nlattr *tb[],
+ struct nlattr *data[],
+ struct netlink_ext_ack *extack)
+ {
+ struct ip_tunnel *t = netdev_priv(dev);
+- struct ip_tunnel_encap ipencap;
+ __u32 fwmark = t->fwmark;
+ struct ip_tunnel_parm p;
+ int err;
+
+- if (ipgre_netlink_encap_parms(data, &ipencap)) {
+- err = ip_tunnel_encap_setup(t, &ipencap);
+-
+- if (err < 0)
+- return err;
+- }
++ err = ipgre_newlink_encap_setup(dev, data);
++ if (err)
++ return err;
+
+ err = ipgre_netlink_parms(dev, data, tb, &p, &fwmark);
+ if (err < 0)
+@@ -1406,8 +1447,34 @@ static int ipgre_changelink(struct net_d
+ t->parms.i_flags = p.i_flags;
+ t->parms.o_flags = p.o_flags;
+
+- if (strcmp(dev->rtnl_link_ops->kind, "erspan"))
+- ipgre_link_update(dev, !tb[IFLA_MTU]);
++ ipgre_link_update(dev, !tb[IFLA_MTU]);
++
++ return 0;
++}
++
++static int erspan_changelink(struct net_device *dev, struct nlattr *tb[],
++ struct nlattr *data[],
++ struct netlink_ext_ack *extack)
++{
++ struct ip_tunnel *t = netdev_priv(dev);
++ __u32 fwmark = t->fwmark;
++ struct ip_tunnel_parm p;
++ int err;
++
++ err = ipgre_newlink_encap_setup(dev, data);
++ if (err)
++ return err;
++
++ err = erspan_netlink_parms(dev, data, tb, &p, &fwmark);
++ if (err < 0)
++ return err;
++
++ err = ip_tunnel_changelink(dev, tb, &p, fwmark);
++ if (err < 0)
++ return err;
++
++ t->parms.i_flags = p.i_flags;
++ t->parms.o_flags = p.o_flags;
+
+ return 0;
+ }
+@@ -1598,8 +1665,8 @@ static struct rtnl_link_ops erspan_link_
+ .priv_size = sizeof(struct ip_tunnel),
+ .setup = erspan_setup,
+ .validate = erspan_validate,
+- .newlink = ipgre_newlink,
+- .changelink = ipgre_changelink,
++ .newlink = erspan_newlink,
++ .changelink = erspan_changelink,
+ .dellink = ip_tunnel_dellink,
+ .get_size = ipgre_get_size,
+ .fill_info = ipgre_fill_info,
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+Date: Mon, 16 Mar 2020 22:56:36 +0800
+Subject: net: mvneta: Fix the case where the last poll did not process all rx
+
+From: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+
+[ Upstream commit 065fd83e1be2e1ba0d446a257fd86a3cc7bddb51 ]
+
+For the case where the last mvneta_poll did not process all
+RX packets, we need to xor the pp->cause_rx_tx or port->cause_rx_tx
+before claculating the rx_queue.
+
+Fixes: 2dcf75e2793c ("net: mvneta: Associate RX queues with each CPU")
+Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/marvell/mvneta.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -2801,11 +2801,10 @@ static int mvneta_poll(struct napi_struc
+ /* For the case where the last mvneta_poll did not process all
+ * RX packets
+ */
+- rx_queue = fls(((cause_rx_tx >> 8) & 0xff));
+-
+ cause_rx_tx |= pp->neta_armada3700 ? pp->cause_rx_tx :
+ port->cause_rx_tx;
+
++ rx_queue = fls(((cause_rx_tx >> 8) & 0xff));
+ if (rx_queue) {
+ rx_queue = rx_queue - 1;
+ if (pp->bm_priv)
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Willem de Bruijn <willemb@google.com>
+Date: Fri, 13 Mar 2020 12:18:09 -0400
+Subject: net/packet: tpacket_rcv: avoid a producer race condition
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit 61fad6816fc10fb8793a925d5c1256d1c3db0cd2 ]
+
+PACKET_RX_RING can cause multiple writers to access the same slot if a
+fast writer wraps the ring while a slow writer is still copying. This
+is particularly likely with few, large, slots (e.g., GSO packets).
+
+Synchronize kernel thread ownership of rx ring slots with a bitmap.
+
+Writers acquire a slot race-free by testing tp_status TP_STATUS_KERNEL
+while holding the sk receive queue lock. They release this lock before
+copying and set tp_status to TP_STATUS_USER to release to userspace
+when done. During copying, another writer may take the lock, also see
+TP_STATUS_KERNEL, and start writing to the same slot.
+
+Introduce a new rx_owner_map bitmap with a bit per slot. To acquire a
+slot, test and set with the lock held. To release race-free, update
+tp_status and owner bit as a transaction, so take the lock again.
+
+This is the one of a variety of discussed options (see Link below):
+
+* instead of a shadow ring, embed the data in the slot itself, such as
+in tp_padding. But any test for this field may match a value left by
+userspace, causing deadlock.
+
+* avoid the lock on release. This leaves a small race if releasing the
+shadow slot before setting TP_STATUS_USER. The below reproducer showed
+that this race is not academic. If releasing the slot after tp_status,
+the race is more subtle. See the first link for details.
+
+* add a new tp_status TP_KERNEL_OWNED to avoid the transactional store
+of two fields. But, legacy applications may interpret all non-zero
+tp_status as owned by the user. As libpcap does. So this is possible
+only opt-in by newer processes. It can be added as an optional mode.
+
+* embed the struct at the tail of pg_vec to avoid extra allocation.
+The implementation proved no less complex than a separate field.
+
+The additional locking cost on release adds contention, no different
+than scaling on multicore or multiqueue h/w. In practice, below
+reproducer nor small packet tcpdump showed a noticeable change in
+perf report in cycles spent in spinlock. Where contention is
+problematic, packet sockets support mitigation through PACKET_FANOUT.
+And we can consider adding opt-in state TP_KERNEL_OWNED.
+
+Easy to reproduce by running multiple netperf or similar TCP_STREAM
+flows concurrently with `tcpdump -B 129 -n greater 60000`.
+
+Based on an earlier patchset by Jon Rosen. See links below.
+
+I believe this issue goes back to the introduction of tpacket_rcv,
+which predates git history.
+
+Link: https://www.mail-archive.com/netdev@vger.kernel.org/msg237222.html
+Suggested-by: Jon Rosen <jrosen@cisco.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Jon Rosen <jrosen@cisco.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/packet/af_packet.c | 21 +++++++++++++++++++++
+ net/packet/internal.h | 5 ++++-
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2165,6 +2165,7 @@ static int tpacket_rcv(struct sk_buff *s
+ struct timespec ts;
+ __u32 ts_status;
+ bool is_drop_n_account = false;
++ unsigned int slot_id = 0;
+ bool do_vnet = false;
+
+ /* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT.
+@@ -2261,6 +2262,13 @@ static int tpacket_rcv(struct sk_buff *s
+ if (!h.raw)
+ goto drop_n_account;
+
++ if (po->tp_version <= TPACKET_V2) {
++ slot_id = po->rx_ring.head;
++ if (test_bit(slot_id, po->rx_ring.rx_owner_map))
++ goto drop_n_account;
++ __set_bit(slot_id, po->rx_ring.rx_owner_map);
++ }
++
+ if (do_vnet &&
+ virtio_net_hdr_from_skb(skb, h.raw + macoff -
+ sizeof(struct virtio_net_hdr),
+@@ -2366,7 +2374,10 @@ static int tpacket_rcv(struct sk_buff *s
+ #endif
+
+ if (po->tp_version <= TPACKET_V2) {
++ spin_lock(&sk->sk_receive_queue.lock);
+ __packet_set_status(po, h.raw, status);
++ __clear_bit(slot_id, po->rx_ring.rx_owner_map);
++ spin_unlock(&sk->sk_receive_queue.lock);
+ sk->sk_data_ready(sk);
+ } else {
+ prb_clear_blk_fill_status(&po->rx_ring);
+@@ -4260,6 +4271,7 @@ static int packet_set_ring(struct sock *
+ {
+ struct pgv *pg_vec = NULL;
+ struct packet_sock *po = pkt_sk(sk);
++ unsigned long *rx_owner_map = NULL;
+ int was_running, order = 0;
+ struct packet_ring_buffer *rb;
+ struct sk_buff_head *rb_queue;
+@@ -4345,6 +4357,12 @@ static int packet_set_ring(struct sock *
+ }
+ break;
+ default:
++ if (!tx_ring) {
++ rx_owner_map = bitmap_alloc(req->tp_frame_nr,
++ GFP_KERNEL | __GFP_NOWARN | __GFP_ZERO);
++ if (!rx_owner_map)
++ goto out_free_pg_vec;
++ }
+ break;
+ }
+ }
+@@ -4374,6 +4392,8 @@ static int packet_set_ring(struct sock *
+ err = 0;
+ spin_lock_bh(&rb_queue->lock);
+ swap(rb->pg_vec, pg_vec);
++ if (po->tp_version <= TPACKET_V2)
++ swap(rb->rx_owner_map, rx_owner_map);
+ rb->frame_max = (req->tp_frame_nr - 1);
+ rb->head = 0;
+ rb->frame_size = req->tp_frame_size;
+@@ -4405,6 +4425,7 @@ static int packet_set_ring(struct sock *
+ }
+
+ out_free_pg_vec:
++ bitmap_free(rx_owner_map);
+ if (pg_vec)
+ free_pg_vec(pg_vec, order, req->tp_block_nr);
+ out:
+--- a/net/packet/internal.h
++++ b/net/packet/internal.h
+@@ -70,7 +70,10 @@ struct packet_ring_buffer {
+
+ unsigned int __percpu *pending_refcnt;
+
+- struct tpacket_kbdq_core prb_bdqc;
++ union {
++ unsigned long *rx_owner_map;
++ struct tpacket_kbdq_core prb_bdqc;
++ };
+ };
+
+ extern struct mutex fanout_mutex;
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Rayagonda Kokatanur <rayagonda.kokatanur@broadcom.com>
+Date: Tue, 17 Mar 2020 10:24:35 +0530
+Subject: net: phy: mdio-mux-bcm-iproc: check clk_prepare_enable() return value
+
+From: Rayagonda Kokatanur <rayagonda.kokatanur@broadcom.com>
+
+[ Upstream commit 872307abbd0d9afd72171929806c2fa33dc34179 ]
+
+Check clk_prepare_enable() return value.
+
+Fixes: 2c7230446bc9 ("net: phy: Add pm support to Broadcom iProc mdio mux driver")
+Signed-off-by: Rayagonda Kokatanur <rayagonda.kokatanur@broadcom.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio-mux-bcm-iproc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/phy/mdio-mux-bcm-iproc.c
++++ b/drivers/net/phy/mdio-mux-bcm-iproc.c
+@@ -301,8 +301,13 @@ static int mdio_mux_iproc_resume(struct
+ {
+ struct platform_device *pdev = to_platform_device(dev);
+ struct iproc_mdiomux_desc *md = platform_get_drvdata(pdev);
++ int rc;
+
+- clk_prepare_enable(md->core_clk);
++ rc = clk_prepare_enable(md->core_clk);
++ if (rc) {
++ dev_err(md->dev, "failed to enable core clk\n");
++ return rc;
++ }
+ mdio_mux_iproc_config(md);
+
+ return 0;
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Pawel Dembicki <paweldembicki@gmail.com>
+Date: Fri, 20 Mar 2020 21:46:14 +0100
+Subject: net: qmi_wwan: add support for ASKEY WWHC050
+
+From: Pawel Dembicki <paweldembicki@gmail.com>
+
+[ Upstream commit 12a5ba5a1994568d4ceaff9e78c6b0329d953386 ]
+
+ASKEY WWHC050 is a mcie LTE modem.
+The oem configuration states:
+
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1690 ProdID=7588 Rev=ff.ff
+S: Manufacturer=Android
+S: Product=Android
+S: SerialNumber=813f0eef6e6e
+C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none)
+E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=125us
+
+Tested on openwrt distribution.
+
+Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
+Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1147,6 +1147,7 @@ static const struct usb_device_id produc
+ {QMI_FIXED_INTF(0x1435, 0xd182, 5)}, /* Wistron NeWeb D18 */
+ {QMI_FIXED_INTF(0x1435, 0xd191, 4)}, /* Wistron NeWeb D19Q1 */
+ {QMI_QUIRK_SET_DTR(0x1508, 0x1001, 4)}, /* Fibocom NL668 series */
++ {QMI_FIXED_INTF(0x1690, 0x7588, 4)}, /* ASKEY WWHC050 */
+ {QMI_FIXED_INTF(0x16d8, 0x6003, 0)}, /* CMOTech 6003 */
+ {QMI_FIXED_INTF(0x16d8, 0x6007, 0)}, /* CMOTech CHE-628S */
+ {QMI_FIXED_INTF(0x16d8, 0x6008, 0)}, /* CMOTech CMU-301 */
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Emil Renner Berthing <kernel@esmil.dk>
+Date: Sat, 21 Mar 2020 15:36:19 +0100
+Subject: net: stmmac: dwmac-rk: fix error path in rk_gmac_probe
+
+From: Emil Renner Berthing <kernel@esmil.dk>
+
+[ Upstream commit 9de9aa487daff7a5c73434c24269b44ed6a428e6 ]
+
+Make sure we clean up devicetree related configuration
+also when clock init fails.
+
+Fixes: fecd4d7eef8b ("net: stmmac: dwmac-rk: Add integrated PHY support")
+Signed-off-by: Emil Renner Berthing <kernel@esmil.dk>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
+@@ -1420,7 +1420,7 @@ static int rk_gmac_probe(struct platform
+
+ ret = rk_gmac_clk_init(plat_dat);
+ if (ret)
+- return ret;
++ goto err_remove_config_dt;
+
+ ret = rk_gmac_powerup(plat_dat->bsp_priv);
+ if (ret)
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Fri, 13 Mar 2020 22:29:54 -0700
+Subject: net_sched: cls_route: remove the right filter from hashtable
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit ef299cc3fa1a9e1288665a9fdc8bff55629fd359 ]
+
+route4_change() allocates a new filter and copies values from
+the old one. After the new filter is inserted into the hash
+table, the old filter should be removed and freed, as the final
+step of the update.
+
+However, the current code mistakenly removes the new one. This
+looks apparently wrong to me, and it causes double "free" and
+use-after-free too, as reported by syzbot.
+
+Reported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com
+Fixes: 1109c00547fc ("net: sched: RCU cls_route")
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_route.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/sched/cls_route.c
++++ b/net/sched/cls_route.c
+@@ -536,8 +536,8 @@ static int route4_change(struct net *net
+ fp = &b->ht[h];
+ for (pfp = rtnl_dereference(*fp); pfp;
+ fp = &pfp->next, pfp = rtnl_dereference(*fp)) {
+- if (pfp == f) {
+- *fp = f->next;
++ if (pfp == fold) {
++ rcu_assign_pointer(*fp, fold->next);
+ break;
+ }
+ }
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Wed, 11 Mar 2020 22:42:28 -0700
+Subject: net_sched: keep alloc_hash updated after hash allocation
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 0d1c3530e1bd38382edef72591b78e877e0edcd3 ]
+
+In commit 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
+I moved cp->hash calculation before the first
+tcindex_alloc_perfect_hash(), but cp->alloc_hash is left untouched.
+This difference could lead to another out of bound access.
+
+cp->alloc_hash should always be the size allocated, we should
+update it after this tcindex_alloc_perfect_hash().
+
+Reported-and-tested-by: syzbot+dcc34d54d68ef7d2d53d@syzkaller.appspotmail.com
+Reported-and-tested-by: syzbot+c72da7b9ed57cde6fca2@syzkaller.appspotmail.com
+Fixes: 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex")
+Cc: Jamal Hadi Salim <jhs@mojatatu.com>
+Cc: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_tcindex.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/sched/cls_tcindex.c
++++ b/net/sched/cls_tcindex.c
+@@ -357,6 +357,7 @@ tcindex_set_parms(struct net *net, struc
+
+ if (tcindex_alloc_perfect_hash(net, cp) < 0)
+ goto errout;
++ cp->alloc_hash = cp->hash;
+ for (i = 0; i < min(cp->hash, p->hash); i++)
+ cp->perfect[i].res = p->perfect[i].res;
+ balloc = 1;
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 20 Mar 2020 16:21:17 +0300
+Subject: NFC: fdp: Fix a signedness bug in fdp_nci_send_patch()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 0dcdf9f64028ec3b75db6b691560f8286f3898bf ]
+
+The nci_conn_max_data_pkt_payload_size() function sometimes returns
+-EPROTO so "max_size" needs to be signed for the error handling to
+work. We can make "payload_size" an int as well.
+
+Fixes: a06347c04c13 ("NFC: Add Intel Fields Peak NFC solution driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/fdp/fdp.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/nfc/fdp/fdp.c
++++ b/drivers/nfc/fdp/fdp.c
+@@ -192,7 +192,7 @@ static int fdp_nci_send_patch(struct nci
+ const struct firmware *fw;
+ struct sk_buff *skb;
+ unsigned long len;
+- u8 max_size, payload_size;
++ int max_size, payload_size;
+ int rc = 0;
+
+ if ((type == NCI_PATCH_TYPE_OTP && !info->otp_patch) ||
+@@ -215,8 +215,7 @@ static int fdp_nci_send_patch(struct nci
+
+ while (len) {
+
+- payload_size = min_t(unsigned long, (unsigned long) max_size,
+- len);
++ payload_size = min_t(unsigned long, max_size, len);
+
+ skb = nci_skb_alloc(ndev, (NCI_CTRL_HDR_SIZE + payload_size),
+ GFP_KERNEL);
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Tue, 24 Mar 2020 20:58:29 +0100
+Subject: r8169: re-enable MSI on RTL8168c
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit f13bc68131b0c0d67a77fb43444e109828a983bf ]
+
+The original change fixed an issue on RTL8168b by mimicking the vendor
+driver behavior to disable MSI on chip versions before RTL8168d.
+This however now caused an issue on a system with RTL8168c, see [0].
+Therefore leave MSI disabled on RTL8168b, but re-enable it on RTL8168c.
+
+[0] https://bugzilla.redhat.com/show_bug.cgi?id=1792839
+
+Fixes: 003bd5b4a7b4 ("r8169: don't use MSI before RTL8168d")
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/realtek/r8169.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -7249,7 +7249,7 @@ static int rtl_alloc_irq(struct rtl8169_
+ RTL_W8(tp, Config2, RTL_R8(tp, Config2) & ~MSIEnable);
+ RTL_W8(tp, Cfg9346, Cfg9346_Lock);
+ /* fall through */
+- case RTL_GIGA_MAC_VER_07 ... RTL_GIGA_MAC_VER_24:
++ case RTL_GIGA_MAC_VER_07 ... RTL_GIGA_MAC_VER_17:
+ flags = PCI_IRQ_LEGACY;
+ break;
+ default:
mmc-sdhci-omap-fix-busy-detection-by-enabling-mmc_ca.patch
mmc-sdhci-tegra-fix-busy-detection-by-enabling-mmc_c.patch
revert-drm-dp_mst-skip-validating-ports-during-destruction-just-ref.patch
+geneve-move-debug-check-after-netdev-unregister.patch
+hsr-fix-general-protection-fault-in-hsr_addr_is_self.patch
+macsec-restrict-to-ethernet-devices.patch
+mlxsw-spectrum_mr-fix-list-iteration-in-error-path.patch
+net-cbs-fix-software-cbs-to-consider-packet-sending-time.patch
+net-dsa-fix-duplicate-frames-flooded-by-learning.patch
+net-mvneta-fix-the-case-where-the-last-poll-did-not-process-all-rx.patch
+net-packet-tpacket_rcv-avoid-a-producer-race-condition.patch
+net-qmi_wwan-add-support-for-askey-wwhc050.patch
+net_sched-cls_route-remove-the-right-filter-from-hashtable.patch
+net_sched-keep-alloc_hash-updated-after-hash-allocation.patch
+net-stmmac-dwmac-rk-fix-error-path-in-rk_gmac_probe.patch
+nfc-fdp-fix-a-signedness-bug-in-fdp_nci_send_patch.patch
+slcan-not-call-free_netdev-before-rtnl_unlock-in-slcan_open.patch
+bnxt_en-fix-memory-leaks-in-bnxt_dcbnl_ieee_getets.patch
+bnxt_en-reset-rings-if-ring-reservation-fails-during-open.patch
+net-ip_gre-separate-erspan-newlink-changelink-callbacks.patch
+net-ip_gre-accept-ifla_info_data-less-configuration.patch
+net-dsa-mt7530-change-the-link-bit-to-reflect-the-link-status.patch
+net-phy-mdio-mux-bcm-iproc-check-clk_prepare_enable-return-value.patch
+r8169-re-enable-msi-on-rtl8168c.patch
+tcp-repair-fix-tcp_queue_seq-implementation.patch
+vxlan-check-return-value-of-gro_cells_init.patch
+hsr-use-rcu_read_lock-in-hsr_get_node_-list-status.patch
+hsr-add-restart-routine-into-hsr_get_node_list.patch
+hsr-set-.netnsok-flag.patch
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Sat, 21 Mar 2020 14:08:29 +0100
+Subject: slcan: not call free_netdev before rtnl_unlock in slcan_open
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+[ Upstream commit 2091a3d42b4f339eaeed11228e0cbe9d4f92f558 ]
+
+As the description before netdev_run_todo, we cannot call free_netdev
+before rtnl_unlock, fix it by reorder the code.
+
+This patch is a 1:1 copy of upstream slip.c commit f596c87005f7
+("slip: not call free_netdev before rtnl_unlock in slip_open").
+
+Reported-by: yangerkun <yangerkun@huawei.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/slcan.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/can/slcan.c
++++ b/drivers/net/can/slcan.c
+@@ -621,7 +621,10 @@ err_free_chan:
+ tty->disc_data = NULL;
+ clear_bit(SLF_INUSE, &sl->flags);
+ slc_free_netdev(sl->dev);
++ /* do not call free_netdev before rtnl_unlock */
++ rtnl_unlock();
+ free_netdev(sl->dev);
++ return err;
+
+ err_exit:
+ rtnl_unlock();
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 18 Mar 2020 19:21:02 -0700
+Subject: tcp: repair: fix TCP_QUEUE_SEQ implementation
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 6cd6cbf593bfa3ae6fc3ed34ac21da4d35045425 ]
+
+When application uses TCP_QUEUE_SEQ socket option to
+change tp->rcv_next, we must also update tp->copied_seq.
+
+Otherwise, stuff relying on tcp_inq() being precise can
+eventually be confused.
+
+For example, tcp_zerocopy_receive() might crash because
+it does not expect tcp_recv_skb() to return NULL.
+
+We could add tests in various places to fix the issue,
+or simply make sure tcp_inq() wont return a random value,
+and leave fast path as it is.
+
+Note that this fixes ioctl(fd, SIOCINQ, &val) at the same
+time.
+
+Fixes: ee9952831cfd ("tcp: Initial repair mode")
+Fixes: 05255b823a61 ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2870,8 +2870,10 @@ static int do_tcp_setsockopt(struct sock
+ err = -EPERM;
+ else if (tp->repair_queue == TCP_SEND_QUEUE)
+ tp->write_seq = val;
+- else if (tp->repair_queue == TCP_RECV_QUEUE)
++ else if (tp->repair_queue == TCP_RECV_QUEUE) {
+ WRITE_ONCE(tp->rcv_nxt, val);
++ WRITE_ONCE(tp->copied_seq, val);
++ }
+ else
+ err = -EINVAL;
+ break;
--- /dev/null
+From foo@baz Sat 28 Mar 2020 10:29:54 AM CET
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Wed, 18 Mar 2020 13:28:09 +0000
+Subject: vxlan: check return value of gro_cells_init()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+[ Upstream commit 384d91c267e621e0926062cfb3f20cb72dc16928 ]
+
+gro_cells_init() returns error if memory allocation is failed.
+But the vxlan module doesn't check the return value of gro_cells_init().
+
+Fixes: 58ce31cca1ff ("vxlan: GRO support at tunnel layer")`
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -2451,10 +2451,19 @@ static void vxlan_vs_add_dev(struct vxla
+ /* Setup stats when device is created */
+ static int vxlan_init(struct net_device *dev)
+ {
++ struct vxlan_dev *vxlan = netdev_priv(dev);
++ int err;
++
+ dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
+ if (!dev->tstats)
+ return -ENOMEM;
+
++ err = gro_cells_init(&vxlan->gro_cells, dev);
++ if (err) {
++ free_percpu(dev->tstats);
++ return err;
++ }
++
+ return 0;
+ }
+
+@@ -2712,8 +2721,6 @@ static void vxlan_setup(struct net_devic
+
+ vxlan->dev = dev;
+
+- gro_cells_init(&vxlan->gro_cells, dev);
+-
+ for (h = 0; h < FDB_HASH_SIZE; ++h)
+ INIT_HLIST_HEAD(&vxlan->fdb_head[h]);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
